From 42924a5ec9d62aaab7d9856dbc0e1141d551b65d Mon Sep 17 00:00:00 2001 From: David Lazarevic Date: Wed, 10 Sep 2025 15:30:06 +0200 Subject: [PATCH] Add PKCS11 related flags: --rsh-pkcs11-label, --rsh-pkcs11-flag --- cli/cli.go | 8 ++++++++ cli/request.go | 10 ++++++++++ docs/configuration.md | 32 +++++++++++++++++--------------- 3 files changed, 35 insertions(+), 15 deletions(-) diff --git a/cli/cli.go b/cli/cli.go index 58b116b..00f5832 100644 --- a/cli/cli.go +++ b/cli/cli.go @@ -549,6 +549,8 @@ Not after (expires): %s (%s) AddGlobalFlag("rsh-insecure", "", "Disable SSL verification", false, false) AddGlobalFlag("rsh-client-cert", "", "Path to a PEM encoded client certificate", "", false) AddGlobalFlag("rsh-client-key", "", "Path to a PEM encoded private key", "", false) + AddGlobalFlag("rsh-pkcs11-label", "", "Label of the PKCS11 token", "", false) + AddGlobalFlag("rsh-pkcs11-path", "", "Path to the PKCS11 library", "", false) AddGlobalFlag("rsh-ca-cert", "", "Path to a PEM encoded CA cert", "", false) AddGlobalFlag("rsh-ignore-status-code", "", "Do not set exit code from HTTP status code", false, false) AddGlobalFlag("rsh-retry", "", "Number of times to retry on certain failures", 2, false) @@ -764,6 +766,12 @@ func Run() (returnErr error) { if caCert, _ := GlobalFlags.GetString("rsh-ca-cert"); caCert != "" { viper.Set("rsh-ca-cert", caCert) } + if pkcs11Label, _ := GlobalFlags.GetString("rsh-pkcs11-label"); pkcs11Label != "" { + viper.Set("rsh-pkcs11-label", pkcs11Label) + } + if pkcs11Path, _ := GlobalFlags.GetString("rsh-pkcs11-path"); pkcs11Path != "" { + viper.Set("rsh-pkcs11-path", pkcs11Path) + } if query, _ := GlobalFlags.GetStringArray("rsh-query"); len(query) > 0 { viper.Set("rsh-query", query) } diff --git a/cli/request.go b/cli/request.go index 7e46938..60fdfbe 100644 --- a/cli/request.go +++ b/cli/request.go @@ -205,6 +205,16 @@ func MakeRequest(req *http.Request, options ...requestOption) (*http.Response, e if caCert := viper.GetString("rsh-ca-cert"); caCert != "" { config.TLS.CACert = caCert } + if pkcs11Label := viper.GetString("rsh-pkcs11-label"); pkcs11Label != "" { + config.TLS.PKCS11 = &PKCS11Config{ + Label: pkcs11Label, + } + } + if pkcs11Path := viper.GetString("rsh-pkcs11-path"); pkcs11Path != "" { + if config.TLS.PKCS11 != nil && config.TLS.PKCS11.Label != "" { + config.TLS.PKCS11.Path = pkcs11Path + } + } if config.TLS.InsecureSkipVerify { LogWarning("Disabling TLS security checks") diff --git a/docs/configuration.md b/docs/configuration.md index 84ddea7..4fca532 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -25,21 +25,23 @@ You can quickly determine which is being used via `restish localhost -v 2>&1 | g The global options in addition to `--help` and `--version` are: -| Argument | Env Var | Example | Description | -| --------------------------- | ------------------- | ------------------- | ------------------------------------------------------------------------------------------ | -| `-f`, `--rsh-filter` | `RSH_FILTER` | `body.users[].id` | Filter response via [Shorthand query](https://github.com/danielgtaylor/shorthand#querying) | -| `-H`, `--rsh-header` | `RSH_HEADER` | `Version:2020-05` | Set a header name/value | -| `--rsh-insecure` | `RSH_INSECURE` | | Disable TLS certificate checks | -| `--rsh-client-cert` | `RSH_CLIENT_CERT` | `/etc/ssl/cert.pem` | Path to a PEM encoded client certificate | -| `--rsh-client-key` | `RSH_CLIENT_KEY` | `/etc/ssl/key.pem` | Path to a PEM encoded private key | -| `--rsh-ca-cert` | `RSH_CA_CERT` | `/etc/ssl/ca.pem` | Path to a PEM encoded CA certificate | -| `--rsh-no-paginate` | `RSH_NO_PAGINATE` | | Disable automatic `next` link pagination | -| `-o`, `--rsh-output-format` | `RSH_OUTPUT_FORMAT` | `json` | [Output format](/output.md), defaults to `auto` | -| `-p`, `--rsh-profile` | `RSH_PROFILE` | `testing` | Auth profile name, defaults to `default` | -| `-q`, `--rsh-query` | `RSH_QUERY` | `search=foo` | Set a query parameter | -| `-r`, `--rsh-raw` | `RSH_RAW` | | Raw output for shell processing | -| `-s`, `--rsh-server` | `RSH_SERVER` | `https://foo.com` | Override API server base URL | -| `-v`, `--rsh-verbose` | `RSH_VERBOSE` | | Enable verbose output | +| Argument | Env Var | Example | Description | +| --------------------------- | ------------------- | --------------------------------------| ------------------------------------------------------------------------------------------ | +| `-f`, `--rsh-filter` | `RSH_FILTER` | `body.users[].id` | Filter response via [Shorthand query](https://github.com/danielgtaylor/shorthand#querying) | +| `-H`, `--rsh-header` | `RSH_HEADER` | `Version:2020-05` | Set a header name/value | +| `--rsh-insecure` | `RSH_INSECURE` | | Disable TLS certificate checks | +| `--rsh-client-cert` | `RSH_CLIENT_CERT` | `/etc/ssl/cert.pem` | Path to a PEM encoded client certificate | +| `--rsh-client-key` | `RSH_CLIENT_KEY` | `/etc/ssl/key.pem` | Path to a PEM encoded private key | +| `--rsh-ca-cert` | `RSH_CA_CERT` | `/etc/ssl/ca.pem` | Path to a PEM encoded CA certificate | +| `--rsh-pkcs11-label` | `RSH_PKCS11_LABEL` | | Label of the PKCS11 token | +| `--rsh-pkcs11-path` | `RSH_PKCS11_PATH` | `/usr/lib/pkcs11/opensc-pkcs11.so` | Path to the PKCS11 library | +| `--rsh-no-paginate` | `RSH_NO_PAGINATE` | | Disable automatic `next` link pagination | +| `-o`, `--rsh-output-format` | `RSH_OUTPUT_FORMAT` | `json` | [Output format](/output.md), defaults to `auto` | +| `-p`, `--rsh-profile` | `RSH_PROFILE` | `testing` | Auth profile name, defaults to `default` | +| `-q`, `--rsh-query` | `RSH_QUERY` | `search=foo` | Set a query parameter | +| `-r`, `--rsh-raw` | `RSH_RAW` | | Raw output for shell processing | +| `-s`, `--rsh-server` | `RSH_SERVER` | `https://foo.com` | Override API server base URL | +| `-v`, `--rsh-verbose` | `RSH_VERBOSE` | | Enable verbose output | Configuration file keys are the same as long-form arguments without the `--` prefix.