npm - @attest-it/cli - Versions diffs - 0.6.1 → 0.7.0 - Mend

@attest-it/cli 0.6.1 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/bin/attest-it.js CHANGED Viewed

@@ -6,7 +6,7 @@ import * as path from 'path';
 import { join, dirname } from 'path';
 import { detectTheme } from 'chromaterm';
 import { input, select, confirm, checkbox } from '@inquirer/prompts';
-import { loadConfig, toAttestItConfig, readSealsSync, computeFingerprintSync, verifyGateSeal, verifyAllSeals, computeFingerprint, createAttestation, readAttestations, upsertAttestation, KeyProviderRegistry, getDefaultPrivateKeyPath, FilesystemKeyProvider, writeSignedAttestations, loadLocalConfigSync, getActiveIdentity, isAuthorizedSigner, createSeal, writeSealsSync, checkOpenSSL, getDefaultPublicKeyPath, OnePasswordKeyProvider, MacOSKeychainKeyProvider, generateKeyPair, setKeyPermissions, getGate, loadLocalConfig, YubiKeyProvider, getAttestItConfigDir, generateEd25519KeyPair, saveLocalConfig, findConfigPath, loadPreferences, savePreferences, findAttestation, setAttestItHomeDir } from '@attest-it/core';
+import { loadConfig, toAttestItConfig, readSealsSync, computeFingerprintSync, verifyGateSeal, verifyAllSeals, computeFingerprint, createAttestation, readAttestations, upsertAttestation, KeyProviderRegistry, getDefaultPrivateKeyPath, FilesystemKeyProvider, writeSignedAttestations, loadLocalConfigSync, getActiveIdentity, isAuthorizedSigner, createSeal, writeSealsSync, checkOpenSSL, getDefaultPublicKeyPath, OnePasswordKeyProvider, MacOSKeychainKeyProvider, generateKeyPair, setKeyPermissions, getGate, loadLocalConfig, YubiKeyProvider, getAttestItConfigDir, generateEd25519KeyPair, saveLocalConfig, savePublicKey, findConfigPath, loadPreferences, savePreferences, findAttestation, setAttestItHomeDir, getDefaultYubiKeyEncryptedKeyPath } from '@attest-it/core';
 import tabtab2 from '@pnpm/tabtab';
 import { spawn } from 'child_process';
 import * as os from 'os';
@@ -1639,17 +1639,28 @@ function getKeyRefFromIdentity(identity) {
   }
 }
 function KeygenInteractive(props) {
-  const { onComplete, onError } = props;
+  const { onComplete, onCancel, onError } = props;
   const [step, setStep] = useState("checking-providers");
   const [opAvailable, setOpAvailable] = useState(false);
   const [keychainAvailable, setKeychainAvailable] = useState(false);
+  const [yubiKeyAvailable, setYubiKeyAvailable] = useState(false);
   const [accounts, setAccounts] = useState([]);
   const [vaults, setVaults] = useState([]);
+  const [yubiKeyDevices, setYubiKeyDevices] = useState([]);
   const [_selectedProvider, setSelectedProvider] = useState();
   const [selectedAccount, setSelectedAccount] = useState();
   const [selectedVault, setSelectedVault] = useState();
   const [itemName, setItemName] = useState("attest-it-private-key");
   const [keychainItemName, setKeychainItemName] = useState("attest-it-private-key");
+  const [selectedYubiKeySerial, setSelectedYubiKeySerial] = useState();
+  const [selectedYubiKeySlot, setSelectedYubiKeySlot] = useState(2);
+  const [slot1Configured, setSlot1Configured] = useState(false);
+  const [slot2Configured, setSlot2Configured] = useState(false);
+  useInput((_input, key) => {
+    if (key.escape) {
+      onCancel();
+    }
+  });
   useEffect(() => {
     const checkProviders = async () => {
       try {
@@ -1664,6 +1675,19 @@ function KeygenInteractive(props) {
       }
       const isKeychainAvailable = MacOSKeychainKeyProvider.isAvailable();
       setKeychainAvailable(isKeychainAvailable);
+      try {
+        const isInstalled = await YubiKeyProvider.isInstalled();
+        if (isInstalled) {
+          const isConnected = await YubiKeyProvider.isConnected();
+          if (isConnected) {
+            const devices = await YubiKeyProvider.listDevices();
+            setYubiKeyDevices(devices);
+            setYubiKeyAvailable(devices.length > 0);
+          }
+        }
+      } catch {
+        setYubiKeyAvailable(false);
+      }
       setStep("select-provider");
     };
     void checkProviders();
@@ -1681,6 +1705,27 @@ function KeygenInteractive(props) {
       void fetchVaults();
     }
   }, [step, selectedAccount, onError]);
+  const checkYubiKeySlots = async (serial) => {
+    try {
+      const slot1 = await YubiKeyProvider.isChallengeResponseConfigured(1, serial);
+      const slot2 = await YubiKeyProvider.isChallengeResponseConfigured(2, serial);
+      setSlot1Configured(slot1);
+      setSlot2Configured(slot2);
+      if (slot1 && slot2) {
+        setStep("select-yubikey-slot");
+      } else if (slot2) {
+        setSelectedYubiKeySlot(2);
+        void generateKeys("yubikey");
+      } else if (slot1) {
+        setSelectedYubiKeySlot(1);
+        void generateKeys("yubikey");
+      } else {
+        setStep("yubikey-offer-setup");
+      }
+    } catch (err) {
+      onError(err instanceof Error ? err : new Error("Failed to check YubiKey slots"));
+    }
+  };
   const handleProviderSelect = (value) => {
     if (value === "filesystem") {
       setSelectedProvider("filesystem");
@@ -1696,6 +1741,14 @@ function KeygenInteractive(props) {
     } else if (value === "macos-keychain") {
       setSelectedProvider("macos-keychain");
       setStep("enter-keychain-item-name");
+    } else if (value === "yubikey") {
+      setSelectedProvider("yubikey");
+      if (yubiKeyDevices.length > 1) {
+        setStep("select-yubikey-device");
+      } else if (yubiKeyDevices.length === 1 && yubiKeyDevices[0]) {
+        setSelectedYubiKeySerial(yubiKeyDevices[0].serial);
+        void checkYubiKeySlots(yubiKeyDevices[0].serial);
+      }
     }
   };
   const handleAccountSelect = (value) => {
@@ -1714,6 +1767,47 @@ function KeygenInteractive(props) {
     setKeychainItemName(value);
     void generateKeys("macos-keychain");
   };
+  const handleYubiKeyDeviceSelect = (value) => {
+    setSelectedYubiKeySerial(value);
+    void checkYubiKeySlots(value);
+  };
+  const handleYubiKeySlotSelect = (value) => {
+    const slot = value === "1" ? 1 : 2;
+    setSelectedYubiKeySlot(slot);
+    void generateKeys("yubikey");
+  };
+  const handleYubiKeySetupConfirm = (value) => {
+    if (value === "yes") {
+      void setupYubiKeySlot();
+    } else {
+      onError(new Error("YubiKey setup cancelled"));
+    }
+  };
+  const setupYubiKeySlot = async () => {
+    setStep("yubikey-configuring");
+    try {
+      const { spawn: spawn3 } = await import('child_process');
+      const args = ["otp", "chalresp", "--touch", "--generate", "2"];
+      if (selectedYubiKeySerial) {
+        args.unshift("--device", selectedYubiKeySerial);
+      }
+      await new Promise((resolve2, reject) => {
+        const proc = spawn3("ykman", args, { stdio: "inherit" });
+        proc.on("close", (code) => {
+          if (code === 0) {
+            resolve2();
+          } else {
+            reject(new Error(`ykman exited with code ${String(code)}`));
+          }
+        });
+        proc.on("error", reject);
+      });
+      setSelectedYubiKeySlot(2);
+      void generateKeys("yubikey");
+    } catch (err) {
+      onError(err instanceof Error ? err : new Error("Failed to configure YubiKey"));
+    }
+  };
   const generateKeys = async (provider) => {
     setStep("generating");
     try {
@@ -1764,7 +1858,7 @@ function KeygenInteractive(props) {
           completionResult.account = selectedAccount;
         }
         onComplete(completionResult);
-      } else {
+      } else if (provider === "macos-keychain") {
         if (!keychainItemName) {
           throw new Error("Item name is required for macOS Keychain");
         }
@@ -1783,6 +1877,33 @@ function KeygenInteractive(props) {
           storageDescription: result.storageDescription,
           itemName: keychainItemName
         });
+      } else {
+        const encryptedKeyPath = getDefaultYubiKeyEncryptedKeyPath();
+        const providerOptions = {
+          encryptedKeyPath,
+          slot: selectedYubiKeySlot
+        };
+        if (selectedYubiKeySerial !== void 0) {
+          providerOptions.serial = selectedYubiKeySerial;
+        }
+        const ykProvider = new YubiKeyProvider(providerOptions);
+        const genOptions = { publicKeyPath };
+        if (props.force !== void 0) {
+          genOptions.force = props.force;
+        }
+        const result = await ykProvider.generateKeyPair(genOptions);
+        const completionResult = {
+          provider: "yubikey",
+          publicKeyPath: result.publicKeyPath,
+          privateKeyRef: result.privateKeyRef,
+          storageDescription: result.storageDescription,
+          slot: selectedYubiKeySlot,
+          encryptedKeyPath
+        };
+        if (selectedYubiKeySerial !== void 0) {
+          completionResult.serial = selectedYubiKeySerial;
+        }
+        onComplete(completionResult);
       }
       setStep("done");
     } catch (err) {
@@ -1808,6 +1929,12 @@ function KeygenInteractive(props) {
         value: "macos-keychain"
       });
     }
+    if (yubiKeyAvailable) {
+      options.push({
+        label: "YubiKey (hardware security key)",
+        value: "yubikey"
+      });
+    }
     if (opAvailable) {
       options.push({
         label: "1Password (requires op CLI)",
@@ -1822,7 +1949,7 @@ function KeygenInteractive(props) {
   }
   if (step === "select-account") {
     const options = accounts.map((account) => ({
-      label: account.email,
+      label: account.name ? `${account.name} (${account.email})` : account.email,
       value: account.user_uuid
     }));
     return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
@@ -1864,6 +1991,65 @@ function KeygenInteractive(props) {
       /* @__PURE__ */ jsx(TextInput, { defaultValue: keychainItemName, onSubmit: handleKeychainItemNameSubmit })
     ] });
   }
+  if (step === "select-yubikey-device") {
+    const options = yubiKeyDevices.map((device) => ({
+      label: `${device.type} (Serial: ${device.serial})`,
+      value: device.serial
+    }));
+    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsx(Text, { bold: true, children: "Select YubiKey device:" }),
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsx(Select, { options, onChange: handleYubiKeyDeviceSelect })
+    ] });
+  }
+  if (step === "select-yubikey-slot") {
+    const options = [];
+    if (slot2Configured) {
+      options.push({
+        label: "Slot 2 (recommended)",
+        value: "2"
+      });
+    }
+    if (slot1Configured) {
+      options.push({
+        label: "Slot 1",
+        value: "1"
+      });
+    }
+    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsx(Text, { bold: true, children: "Select YubiKey slot for challenge-response:" }),
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsx(Select, { options, onChange: handleYubiKeySlotSelect })
+    ] });
+  }
+  if (step === "yubikey-offer-setup") {
+    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsx(Text, { bold: true, children: "Your YubiKey is not configured for challenge-response." }),
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsx(Text, { children: "Would you like to configure slot 2 for challenge-response now?" }),
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "This will enable touch-to-sign functionality." }),
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsx(
+        Select,
+        {
+          options: [
+            { label: "Yes, configure my YubiKey", value: "yes" },
+            { label: "No, cancel", value: "no" }
+          ],
+          onChange: handleYubiKeySetupConfirm
+        }
+      )
+    ] });
+  }
+  if (step === "yubikey-configuring") {
+    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsxs(Box, { flexDirection: "row", gap: 1, children: [
+        /* @__PURE__ */ jsx(Spinner, {}),
+        /* @__PURE__ */ jsx(Text, { children: "Configuring YubiKey slot 2 for challenge-response..." })
+      ] }),
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "Touch your YubiKey when it flashes." })
+    ] });
+  }
   if (step === "generating") {
     return /* @__PURE__ */ jsx(Box, { flexDirection: "column", children: /* @__PURE__ */ jsxs(Box, { flexDirection: "row", gap: 1, children: [
       /* @__PURE__ */ jsx(Spinner, {}),
@@ -2948,6 +3134,7 @@ async function runCreate() {
       };
     }
     await saveLocalConfig(newConfig);
+    const publicKeyResult = await savePublicKey(slug, keyPair.publicKey);
     log("");
     success("Identity created successfully");
     log("");
@@ -2962,6 +3149,12 @@ async function runCreate() {
     log(`  Public Key:  ${keyPair.publicKey.slice(0, 32)}...`);
     log(`  Private Key: ${keyStorageDescription}`);
     log("");
+    log(theme3.blue.bold()("Public key saved to:"));
+    log(`  ${publicKeyResult.homePath}`);
+    if (publicKeyResult.projectPath) {
+      log(`  ${publicKeyResult.projectPath}`);
+    }
+    log("");
     if (!existingConfig) {
       success(`Set as active identity`);
       log("");