sshenv 0.0.1-alpha.1

SSH-key-backed encrypted vault for environment variables
//! sshenv binary crate. All command dispatch lives under
//! [`commands`]; this module exposes a single [`run`] entry point.

#![allow(clippy::multiple_crate_versions)]

// Every module below is declared `pub`, so its public items are part of this
// crate's exported surface.
// NOTE(review): the crate docs describe a single `run` entry point; if no
// external crate consumes these modules, `pub(crate)` would narrow what is
// exposed (`passphrase_cache`, `security_state`, `session_registry`, ...) —
// confirm before changing.
pub mod commands;
pub mod config;
pub mod identity;
pub mod passphrase_cache;
pub mod picker;
pub mod process;
pub mod pubkey;
// Compiled only when the `rollback-protection` Cargo feature is enabled.
#[cfg(feature = "rollback-protection")]
pub mod rollback;
// NOTE(review): not feature-gated, unlike `rollback` above, and `run`
// dispatches every `RollbackCommand` variant unconditionally — confirm how
// those handlers behave in a build without `rollback-protection`.
pub mod rollback_checkpoint;
// Compiled only when the `runtime-hardening` Cargo feature is enabled; a build
// without it contains no `runtime_hardening` module at all.
// NOTE(review): presumably whatever this module provides is then absent at
// runtime — confirm that release builds enable the feature.
#[cfg(feature = "runtime-hardening")]
pub mod runtime_hardening;
pub mod security_state;
pub mod session_registry;

use anyhow::Result;
use sshenv_cli_models::{
    Cli, Command, DeviceCommand, HardwareCommand, PassphraseCacheCommand, ProfilePolicyCommand,
    RecoveryCommand, RemoteCommand, RollbackCommand, SecurityCommand, SessionsCommand,
    ShimsCommand,
};

/// Entry point: route a parsed [`Cli`] to the handler for its subcommand.
///
/// A [`commands::Context`] is built once from `cli` and lent to every handler
/// that takes one; the rest receive only their parsed arguments. Routing is
/// all that happens here — nothing in this function or its helpers
/// authenticates the caller, asks for confirmation, or consults policy. That
/// includes arms whose names suggest they relax protection
/// (`DisablePassphrase`, `DisableDeviceSeal`, `ClearRequirements`, the
/// `Remove*` variants), so any such gate has to live in the handler itself.
///
/// # Errors
///
/// Returns whatever error the selected handler returns.
pub fn run(cli: Cli) -> Result<()> {
    let context = commands::Context::from_cli(&cli);

    match cli.command {
        Command::Init(opts) => commands::init::run(&context, opts),
        Command::Doctor => commands::doctor::run(&context),
        Command::RotateKey(opts) => commands::rekey::rotate_key(&context, opts),
        Command::MigrateVault(opts) => commands::migrate::run(&context, opts),
        Command::Harden(opts) => commands::security::harden(&context, opts),

        // The whole `security` subtree is routed by the helpers below.
        Command::Security(security) => dispatch_security(&context, security),

        // Handlers in `commands::recipient`.
        Command::AddRecipient(opts) => commands::recipient::add(&context, opts),
        Command::ListRecipients(opts) => commands::recipient::list(&context, opts),
        Command::RemoveRecipient(opts) => commands::recipient::remove(&context, opts),

        // Handlers in `commands::profile`.
        Command::Set(opts) => commands::profile::set(&context, opts),
        Command::Unset(opts) => commands::profile::unset(&context, opts),
        Command::List(opts) => commands::profile::list(&context, opts),
        Command::Show(opts) => commands::profile::show(&context, opts),
        Command::RmProfile(opts) => commands::profile::rm(&context, opts),
        Command::RenameProfile(opts) => commands::profile::rename(&context, opts),

        Command::Run(opts) => commands::run::run(&context, opts),
        Command::Export(opts) => commands::export::run(&context, opts),

        // Handlers in `commands::sessions`.
        Command::Sessions(SessionsCommand::List(opts)) => commands::sessions::list(&context, opts),
        Command::Sessions(SessionsCommand::Kill(opts)) => commands::sessions::kill(&context, opts),

        // Handlers in `commands::shims`.
        Command::Shims(ShimsCommand::Bind(opts)) => commands::shims::bind(&context, opts),
        Command::Shims(ShimsCommand::Unbind(opts)) => commands::shims::unbind(&context, opts),
        Command::Shims(ShimsCommand::Rename(opts)) => commands::shims::rename(&context, opts),
        Command::Shims(ShimsCommand::List) => commands::shims::list(&context),
        Command::Shims(ShimsCommand::Sync) => commands::shims::sync(&context),
        Command::Shims(ShimsCommand::Dir) => commands::shims::dir(&context),
        Command::Shims(ShimsCommand::Path) => commands::shims::path(&context),
    }
}

/// Route a [`SecurityCommand`]: leaf variants go straight to
/// `commands::security`, nested groups to their own helper.
fn dispatch_security(ctx: &commands::Context, command: SecurityCommand) -> Result<()> {
    match command {
        SecurityCommand::Status => commands::security::status(ctx),
        SecurityCommand::EnablePassphrase(opts) => {
            commands::security::enable_passphrase(ctx, opts)
        }
        SecurityCommand::ChangePassphrase(opts) => {
            commands::security::change_passphrase(ctx, opts)
        }
        SecurityCommand::DisablePassphrase(opts) => {
            commands::security::disable_passphrase(ctx, opts)
        }
        SecurityCommand::EnableDeviceSeal => commands::security::enable_device_seal(ctx),
        SecurityCommand::Preset(opts) => commands::security::preset(ctx, opts),
        SecurityCommand::PassphraseCache(cache) => dispatch_passphrase_cache(ctx, cache),
        SecurityCommand::Rollback(rollback) => dispatch_rollback(ctx, rollback),
        SecurityCommand::Device(device) => dispatch_device(ctx, device),
        SecurityCommand::Hardware(hardware) => dispatch_hardware(hardware),
        SecurityCommand::Recovery(recovery) => dispatch_recovery(ctx, recovery),
        SecurityCommand::Remote(remote) => dispatch_remote(ctx, remote),
        SecurityCommand::ProfilePolicy(policy) => dispatch_profile_policy(ctx, policy),
    }
}

/// Route a [`PassphraseCacheCommand`]; only `Clear` is handed the context.
fn dispatch_passphrase_cache(
    ctx: &commands::Context,
    command: PassphraseCacheCommand,
) -> Result<()> {
    match command {
        PassphraseCacheCommand::Status(opts) => commands::security::passphrase_cache_status(opts),
        PassphraseCacheCommand::Plan(opts) => commands::security::passphrase_cache_plan(opts),
        PassphraseCacheCommand::Clear => commands::security::passphrase_cache_clear(ctx),
    }
}

/// Route a [`RollbackCommand`]; `Plan` is the one variant that gets no context.
fn dispatch_rollback(ctx: &commands::Context, command: RollbackCommand) -> Result<()> {
    match command {
        RollbackCommand::Status(opts) => commands::security::rollback_status(ctx, opts),
        RollbackCommand::Plan(opts) => commands::security::rollback_plan(opts),
        RollbackCommand::CheckpointTemplate(opts) => {
            commands::security::rollback_checkpoint_template(ctx, opts)
        }
        RollbackCommand::ValidateCheckpoint(opts) => {
            commands::security::rollback_validate_checkpoint(ctx, opts)
        }
    }
}

/// Route a [`DeviceCommand`]. `List`, `Authorize` and `Remove` carry no
/// arguments and receive only the context; `Plan` receives only its arguments.
fn dispatch_device(ctx: &commands::Context, command: DeviceCommand) -> Result<()> {
    match command {
        DeviceCommand::List => commands::security::device_list(ctx),
        DeviceCommand::Authorize => commands::security::device_authorize(ctx),
        DeviceCommand::Remove => commands::security::device_remove(ctx),
        DeviceCommand::Plan(opts) => commands::security::device_plan(opts),
    }
}

/// Route a [`HardwareCommand`]. None of these handlers is given the context,
/// so this helper does not take one either.
fn dispatch_hardware(command: HardwareCommand) -> Result<()> {
    match command {
        HardwareCommand::Status(opts) => commands::security::hardware_status(opts),
        HardwareCommand::Plan(opts) => commands::security::hardware_plan(opts),
        HardwareCommand::Discover(opts) => commands::security::hardware_discover(opts),
        HardwareCommand::Enroll(opts) => commands::security::hardware_enroll(opts),
        HardwareCommand::ValidateRecipient(opts) => {
            commands::security::hardware_validate_recipient(opts)
        }
    }
}

/// Route a [`RecoveryCommand`]. `Split`, `ValidateShare`, `Combine`,
/// `Validate` and `Plan` receive only their arguments; the rest also get the
/// context.
fn dispatch_recovery(ctx: &commands::Context, command: RecoveryCommand) -> Result<()> {
    match command {
        RecoveryCommand::List(opts) => commands::security::recovery_list(ctx, opts),
        RecoveryCommand::Import(opts) => commands::security::recovery_import(ctx, opts),
        RecoveryCommand::Remove(opts) => commands::security::recovery_remove(ctx, opts),
        RecoveryCommand::Split(opts) => commands::security::recovery_split(opts),
        RecoveryCommand::SplitVaultKey(opts) => {
            commands::security::recovery_split_vault_key(ctx, opts)
        }
        RecoveryCommand::ValidateShare(opts) => commands::security::recovery_validate_share(opts),
        RecoveryCommand::Combine(opts) => commands::security::recovery_combine(opts),
        RecoveryCommand::RecoverRecipient(opts) => {
            commands::security::recovery_recover_recipient(ctx, opts)
        }
        RecoveryCommand::Validate(opts) => commands::security::recovery_validate(opts),
        RecoveryCommand::Plan(opts) => commands::security::recovery_plan(opts),
    }
}

/// Route a [`RemoteCommand`]. Only `List`, `Import`, `Remove` and
/// `EnableCommand` are handed the context.
fn dispatch_remote(ctx: &commands::Context, command: RemoteCommand) -> Result<()> {
    match command {
        RemoteCommand::List(opts) => commands::security::remote_list(ctx, opts),
        RemoteCommand::Import(opts) => commands::security::remote_import(ctx, opts),
        RemoteCommand::Remove(opts) => commands::security::remote_remove(ctx, opts),
        RemoteCommand::Plan(opts) => commands::security::remote_plan(opts),
        RemoteCommand::RequestTemplate(opts) => commands::security::remote_request_template(opts),
        RemoteCommand::ValidateRequest(opts) => commands::security::remote_validate_request(opts),
        RemoteCommand::CommandWrap(opts) => commands::security::remote_command_wrap(opts),
        RemoteCommand::CommandUnwrap(opts) => commands::security::remote_command_unwrap(opts),
        RemoteCommand::EnableCommand(opts) => {
            commands::security::remote_enable_command(ctx, opts)
        }
        RemoteCommand::Validate(opts) => commands::security::remote_validate(opts),
    }
}

/// Route a [`ProfilePolicyCommand`]; every handler in this group receives the
/// context.
fn dispatch_profile_policy(ctx: &commands::Context, command: ProfilePolicyCommand) -> Result<()> {
    match command {
        ProfilePolicyCommand::List => commands::security::profile_policy_list(ctx),
        ProfilePolicyCommand::Backups(opts) => {
            commands::security::profile_policy_backups(ctx, opts)
        }
        ProfilePolicyCommand::PruneBackups(opts) => {
            commands::security::profile_policy_prune_backups(ctx, opts)
        }
        ProfilePolicyCommand::Status(opts) => commands::security::profile_policy_status(ctx, opts),
        ProfilePolicyCommand::Check(opts) => commands::security::profile_policy_check(ctx, opts),
        ProfilePolicyCommand::Migrate => commands::security::profile_policy_migrate(ctx),
        ProfilePolicyCommand::RotateKey(opts) => {
            commands::security::profile_policy_rotate_key(ctx, opts)
        }
        ProfilePolicyCommand::RequirePassphrase(opts) => {
            commands::security::profile_policy_require_passphrase(ctx, opts)
        }
        ProfilePolicyCommand::ChangePassphrase(opts) => {
            commands::security::profile_policy_change_passphrase(ctx, opts)
        }
        ProfilePolicyCommand::DisablePassphrase(opts) => {
            commands::security::profile_policy_disable_passphrase(ctx, opts)
        }
        ProfilePolicyCommand::RequireDeviceSeal(opts) => {
            commands::security::profile_policy_require_device_seal(ctx, opts)
        }
        ProfilePolicyCommand::DisableDeviceSeal(opts) => {
            commands::security::profile_policy_disable_device_seal(ctx, opts)
        }
        ProfilePolicyCommand::ClearRequirements(opts) => {
            commands::security::profile_policy_clear_requirements(ctx, opts)
        }
        ProfilePolicyCommand::Apply(opts) => commands::security::profile_policy_apply(ctx, opts),
        ProfilePolicyCommand::ApplyAll(opts) => {
            commands::security::profile_policy_apply_all(ctx, opts)
        }
        ProfilePolicyCommand::Repair(opts) => commands::security::profile_policy_repair(ctx, opts),
        ProfilePolicyCommand::RepairAll(opts) => {
            commands::security::profile_policy_repair_all(ctx, opts)
        }
        ProfilePolicyCommand::RestoreBackup(opts) => {
            commands::security::profile_policy_restore_backup(ctx, opts)
        }
        ProfilePolicyCommand::VerifyBackup(opts) => {
            commands::security::profile_policy_verify_backup(ctx, opts)
        }
        ProfilePolicyCommand::Set(opts) => commands::security::profile_policy_set(ctx, opts),
    }
}