mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 18:41:30 +00:00
shankar0123
b169f258de
Phase 4 (HTTP API): * internal/api/handler/auth.go: AuthHandler with 12 endpoints under /api/v1/auth/* — ListRoles, GetRole, CreateRole, UpdateRole, DeleteRole, ListPermissions, AddRolePermission, RemoveRolePermission, AssignRoleToKey, RevokeRoleFromKey, Me. callerFromRequest builds an authsvc.Caller from the Phase 3 ActorIDKey/ActorTypeKey/TenantIDKey context values. writeAuthError translates service + repository sentinels into HTTP status codes (401/403/404/409/400/500). 14 handler tests with in-memory fakes pin the HTTP shape + error mapping. * internal/api/router/router.go: HandlerRegistry gains an Auth field; 11 new routes registered. openapi_parity_test SpecParityExceptions extended with the new auth routes (OpenAPI YAML schema land in a Phase 4 follow-up commit so the schema review is its own atomic change; the route shape is fully documented inline via the Go type definitions until then). * cmd/server/main.go: wires the postgres auth repos (RoleRepository, PermissionRepository, ActorRoleRepository) + the Authorizer + RoleService/PermissionService/ActorRoleService into the new AuthHandler. Adds authPermissionCheckerAdapter to bridge the typed-string Authorizer signature to the auth.PermissionChecker interface (avoids an internal/auth → internal/service/auth import cycle). Phase 5 (CLI): * cmd/cli/main.go: adds 'auth' command dispatch with subcommands roles/permissions/keys/me. * internal/cli/auth.go: AuthMe, AuthListRoles, AuthGetRole, AuthListPermissions, AuthAssignRoleToKey, AuthRevokeRoleFromKey methods on Client. Mirrors the Phase 4 HTTP surface. Phase 3.5 (handler IsAdmin → middleware-wrapped RequirePermission) DEFERRED. Honest reasoning: (1) The 5 admin handlers (bulk_revocation, admin_crl_cache, admin_scep_intune, admin_est, intermediate_ca) currently gate via auth.IsAdmin checks INSIDE the handler bodies. Converting cleanly requires moving the gate to the router (auth.RequirePermission middleware wrap) AND removing the in-handler check AND rewriting the existing 3-test triplets per handler (M-008 pinned: _NonAdmin_Returns403 / _AdminExplicitFalse_Returns403 / _AdminPermitted_ForwardsActor) because the existing tests call the handler function directly, bypassing middleware. After conversion, those tests would pass without 403'ing because the gate moved away — the test invariants need to flow through a router-level integration setup instead. (2) Picking the right permission per handler is a security-review-worthy decision. Using existing operator-class perms (cert.revoke, issuer.edit) widens access from admin-only to operator-class; adding new admin-only perms (cert.bulk_revoke, crl.admin, scep.admin, est.admin, ca.hierarchy.manage) requires a migration 000030 plus a coordinated catalogue update in internal/domain/auth/validate.go. Both options are defensible but warrant a focused commit, not a 5-handler sweep mixed in with the API + CLI work. (3) The conversion can be done now without functional regressions IF we leave the in-handler IsAdmin checks in place AND add middleware wraps as defense-in-depth — but that's the worst of both worlds (legacy gate still blocks non-admin operators, defeating the point of RBAC; new gate adds runtime cost with no semantic change). A clean conversion needs the in-handler check removed. Concrete plan for Phase 3.5 (separate commit, next session): (a) add new admin-only perms via migration 000030 OR document the widening to operator-class; (b) wrap each of the 5 admin routes with auth.RequirePermission(checker, perm, nil) in router.go; (c) remove auth.IsAdmin checks from the 5 handler bodies; (d) move the M-008 _NonAdmin/_AdminExplicitFalse tests to router-level integration tests, keep _AdminPermitted as a direct handler test for actor-passthrough; (e) update m008_admin_gate_test.go registry to track auth.RequirePermission middleware wraps in router.go instead of auth.IsAdmin call sites in handler files. Verifications: go vet ./... clean; gofmt clean across all touched files; go test -short -count=1 across internal/auth, internal/service/auth, internal/api/handler, internal/api/router, internal/cli, cmd/server, cmd/cli all green (one transient too-many-open-files retry on internal/cli + internal/api/router; second run clean). Branch: dev/auth-bundle-1. Commit chain:99a012e(Phase 0 extract) ->19497ee(Phase 1 schema + repo) ->bd54d5f(Phase 2 service) ->d473398(Phase 3 primitive) -> THIS (Phase 4 + 5).
453 lines
15 KiB
Go
453 lines
15 KiB
Go
package main
|
|
|
|
import (
|
|
"flag"
|
|
"fmt"
|
|
"net/url"
|
|
"os"
|
|
"strings"
|
|
|
|
"github.com/certctl-io/certctl/internal/cli"
|
|
)
|
|
|
|
func main() {
|
|
// Parse global flags
|
|
fs := flag.NewFlagSet("certctl-cli", flag.ExitOnError)
|
|
fs.Usage = func() {
|
|
fmt.Fprintf(os.Stderr, `certctl-cli — CLI for certificate lifecycle management
|
|
|
|
Usage:
|
|
certctl-cli [global flags] <command> [command flags]
|
|
|
|
Global flags:
|
|
`)
|
|
fs.PrintDefaults()
|
|
fmt.Fprintf(os.Stderr, `
|
|
Commands:
|
|
certs list List certificates
|
|
certs get ID Get certificate details
|
|
certs renew ID Trigger certificate renewal
|
|
certs revoke ID Revoke a certificate
|
|
|
|
agents list List agents (add --retired to list soft-retired agents)
|
|
agents get ID Get agent details
|
|
agents retire ID Soft-retire an agent (add --force --reason "…" to cascade)
|
|
|
|
jobs list List jobs
|
|
jobs get ID Get job details
|
|
jobs cancel ID Cancel a pending job
|
|
|
|
import FILE Bulk import certificates from PEM file(s)
|
|
Required: --owner-id, --team-id, --renewal-policy-id, --issuer-id
|
|
Optional: --name-template (default {cn}), --environment (default imported)
|
|
|
|
est cacerts --profile <p> EST GET cacerts (RFC 7030 §4.1)
|
|
est csrattrs --profile <p> EST GET csrattrs (RFC 7030 §4.5)
|
|
est enroll --profile <p> --csr <path> EST POST simpleenroll (RFC 7030 §4.2)
|
|
est reenroll --profile <p> --csr <path> EST POST simplereenroll (RFC 7030 §4.2.2)
|
|
est serverkeygen --profile <p> --csr <path> --out <prefix>
|
|
EST POST serverkeygen (RFC 7030 §4.4)
|
|
est test --profile <p> Smoke-test cacerts + csrattrs
|
|
|
|
status Show server health + summary stats
|
|
version Show CLI version
|
|
|
|
Examples:
|
|
certctl-cli --server https://localhost:8443 --api-key mykey certs list
|
|
certctl-cli certs renew mc-prod --format json
|
|
certctl-cli import certs.pem
|
|
`)
|
|
}
|
|
|
|
// HTTPS-Everywhere (v2.2): the server is HTTPS-only. The default URL uses
|
|
// https://; plaintext http:// is rejected by validateHTTPSScheme below.
|
|
defaultServer := os.Getenv("CERTCTL_SERVER_URL")
|
|
if defaultServer == "" {
|
|
defaultServer = "https://localhost:8443"
|
|
}
|
|
serverURL := fs.String("server", defaultServer, "certctl server URL — must be https:// (env: CERTCTL_SERVER_URL)")
|
|
|
|
apiKey := fs.String("api-key", os.Getenv("CERTCTL_API_KEY"), "API key for authentication (env: CERTCTL_API_KEY)")
|
|
format := fs.String("format", "table", "Output format: table, json")
|
|
caBundlePath := fs.String("ca-bundle", os.Getenv("CERTCTL_SERVER_CA_BUNDLE_PATH"), "Path to a PEM-encoded CA bundle that signed the server cert (env: CERTCTL_SERVER_CA_BUNDLE_PATH)")
|
|
insecure := fs.Bool("insecure", strings.EqualFold(os.Getenv("CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY"), "true"), "Skip TLS certificate verification — dev only, never set in production (env: CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY)")
|
|
|
|
fs.Parse(os.Args[1:])
|
|
|
|
if err := validateHTTPSScheme(*serverURL); err != nil {
|
|
fmt.Fprintf(os.Stderr, "Error: %v\n", err)
|
|
fmt.Fprintf(os.Stderr, "\nThe certctl control plane is HTTPS-only as of v2.2.\n")
|
|
fmt.Fprintf(os.Stderr, "See docs/upgrade-to-tls.md for the cutover walkthrough.\n")
|
|
os.Exit(1)
|
|
}
|
|
|
|
args := fs.Args()
|
|
if len(args) == 0 {
|
|
fs.Usage()
|
|
os.Exit(1)
|
|
}
|
|
|
|
// Create client
|
|
client, err := cli.NewClient(*serverURL, *apiKey, *format, *caBundlePath, *insecure)
|
|
if err != nil {
|
|
fmt.Fprintf(os.Stderr, "Error: %v\n", err)
|
|
os.Exit(1)
|
|
}
|
|
|
|
// Dispatch to appropriate command
|
|
command := args[0]
|
|
cmdArgs := args[1:]
|
|
|
|
switch command {
|
|
case "certs":
|
|
err = handleCerts(client, cmdArgs)
|
|
case "agents":
|
|
err = handleAgents(client, cmdArgs)
|
|
case "jobs":
|
|
err = handleJobs(client, cmdArgs)
|
|
case "import":
|
|
err = handleImport(client, cmdArgs)
|
|
case "est":
|
|
err = handleEST(client, cmdArgs)
|
|
case "status":
|
|
err = handleStatus(client)
|
|
case "auth":
|
|
err = handleAuth(client, cmdArgs)
|
|
case "version":
|
|
fmt.Println("certctl-cli version 0.1.0")
|
|
default:
|
|
fmt.Fprintf(os.Stderr, "unknown command: %s\n", command)
|
|
fs.Usage()
|
|
os.Exit(1)
|
|
}
|
|
|
|
if err != nil {
|
|
fmt.Fprintf(os.Stderr, "error: %v\n", err)
|
|
os.Exit(1)
|
|
}
|
|
}
|
|
|
|
func handleCerts(client *cli.Client, args []string) error {
|
|
if len(args) == 0 {
|
|
fmt.Fprintf(os.Stderr, "usage: certs <list|get|renew|revoke> [options]\n")
|
|
return nil
|
|
}
|
|
|
|
subcommand := args[0]
|
|
subArgs := args[1:]
|
|
|
|
switch subcommand {
|
|
case "list":
|
|
return client.ListCertificates(subArgs)
|
|
case "get":
|
|
if len(subArgs) == 0 {
|
|
fmt.Fprintf(os.Stderr, "usage: certs get <id>\n")
|
|
return nil
|
|
}
|
|
return client.GetCertificate(subArgs[0])
|
|
case "renew":
|
|
// 2026-05-05 parity-defaults-cleanup (P3-1): expose --force as an
|
|
// explicit operator flag instead of the historical hardcoded
|
|
// `force=false` body field. force=true overrides the server-side
|
|
// RenewalInProgress block — used to recover stuck in-flight
|
|
// renewals. Archived/Expired remain terminal regardless.
|
|
//
|
|
// CLI convention: `certs renew <id> [--force]` — the ID is a
|
|
// positional arg that precedes the flags. Mirrors `agents retire
|
|
// <id>`'s pattern (Go's flag package stops at the first non-flag
|
|
// token, so we pull subArgs[0] as the ID and hand subArgs[1:] to
|
|
// the flag parser).
|
|
if len(subArgs) == 0 {
|
|
fmt.Fprintf(os.Stderr, "usage: certs renew <id> [--force]\n")
|
|
return nil
|
|
}
|
|
id := subArgs[0]
|
|
fs := flag.NewFlagSet("certs renew", flag.ContinueOnError)
|
|
force := fs.Bool("force", false, "Force renewal even when the cert is currently in RenewalInProgress (clears stuck in-flight renewals; does NOT override Archived/Expired terminal states)")
|
|
if err := fs.Parse(subArgs[1:]); err != nil {
|
|
return err
|
|
}
|
|
return client.RenewCertificate(id, *force)
|
|
case "revoke":
|
|
// 2026-05-05 parity-defaults-cleanup (P3-2, Option A): --reason is
|
|
// strictly required. Empty reason refuses to dispatch and prints
|
|
// the RFC 5280 §5.3.1 reason-code menu so operators pick a real
|
|
// value. The pre-2026-05-05 silent fallback to "unspecified"
|
|
// defeated compliance reporting (PCI-DSS §3.6, HIPAA §164.312)
|
|
// because every revocation looked the same in the audit trail.
|
|
//
|
|
// CLI convention: `certs revoke <id> --reason <reason>` — same
|
|
// ID-first ordering as `certs renew`.
|
|
if len(subArgs) == 0 {
|
|
fmt.Fprintf(os.Stderr, "usage: certs revoke <id> --reason <reason>\n")
|
|
fmt.Fprintf(os.Stderr, "\nValid RFC 5280 §5.3.1 reasons:\n")
|
|
for _, r := range cli.ValidRevokeReasons() {
|
|
fmt.Fprintf(os.Stderr, " %s\n", r)
|
|
}
|
|
return nil
|
|
}
|
|
id := subArgs[0]
|
|
fs := flag.NewFlagSet("certs revoke", flag.ContinueOnError)
|
|
reason := fs.String("reason", "", "RFC 5280 revocation reason (required). Valid values: keyCompromise, caCompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, removeFromCRL, privilegeWithdrawn, aaCompromise, unspecified")
|
|
if err := fs.Parse(subArgs[1:]); err != nil {
|
|
return err
|
|
}
|
|
if *reason == "" {
|
|
fmt.Fprintf(os.Stderr, "error: --reason is required (no silent fallback to 'unspecified' — pick a real RFC 5280 §5.3.1 code).\n\n")
|
|
fmt.Fprintf(os.Stderr, "Valid reasons:\n")
|
|
for _, r := range cli.ValidRevokeReasons() {
|
|
fmt.Fprintf(os.Stderr, " %s\n", r)
|
|
}
|
|
return fmt.Errorf("--reason is required")
|
|
}
|
|
canonical, ok := cli.NormalizeRevokeReason(*reason)
|
|
if !ok {
|
|
fmt.Fprintf(os.Stderr, "error: %q is not a valid RFC 5280 §5.3.1 reason code.\n\n", *reason)
|
|
fmt.Fprintf(os.Stderr, "Valid reasons (camelCase or snake_case both accepted):\n")
|
|
for _, r := range cli.ValidRevokeReasons() {
|
|
fmt.Fprintf(os.Stderr, " %s\n", r)
|
|
}
|
|
return fmt.Errorf("invalid --reason: %q", *reason)
|
|
}
|
|
return client.RevokeCertificate(id, canonical)
|
|
case "bulk-revoke":
|
|
return client.BulkRevokeCertificates(subArgs)
|
|
default:
|
|
fmt.Fprintf(os.Stderr, "unknown subcommand: certs %s\n", subcommand)
|
|
return nil
|
|
}
|
|
}
|
|
|
|
// handleAgents dispatches the `agents` subcommands.
|
|
//
|
|
// I-004 additions:
|
|
//
|
|
// agents list --retired — hit the opt-in /agents/retired endpoint
|
|
// instead of the default listing (which
|
|
// filters retired rows out).
|
|
// agents retire <id> — soft-retire an agent (DELETE /agents/{id}).
|
|
// --force cascades; --reason is required with
|
|
// --force (mirrors ErrForceReasonRequired).
|
|
func handleAgents(client *cli.Client, args []string) error {
|
|
if len(args) == 0 {
|
|
fmt.Fprintf(os.Stderr, "usage: agents <list|get|retire> [options]\n")
|
|
return nil
|
|
}
|
|
|
|
subcommand := args[0]
|
|
subArgs := args[1:]
|
|
|
|
switch subcommand {
|
|
case "list":
|
|
// --retired flag splits to a separate endpoint. We intercept it
|
|
// client-side and strip it before delegating, so both code paths
|
|
// share the --page/--per-page flag parsing inside the client.
|
|
retired := false
|
|
rest := make([]string, 0, len(subArgs))
|
|
for _, a := range subArgs {
|
|
if a == "--retired" {
|
|
retired = true
|
|
continue
|
|
}
|
|
rest = append(rest, a)
|
|
}
|
|
if retired {
|
|
return client.ListRetiredAgents(rest)
|
|
}
|
|
return client.ListAgents(rest)
|
|
case "get":
|
|
if len(subArgs) == 0 {
|
|
fmt.Fprintf(os.Stderr, "usage: agents get <id>\n")
|
|
return nil
|
|
}
|
|
return client.GetAgent(subArgs[0])
|
|
case "retire":
|
|
if len(subArgs) == 0 {
|
|
fmt.Fprintf(os.Stderr, "usage: agents retire <id> [--force] [--reason <reason>]\n")
|
|
return nil
|
|
}
|
|
return client.RetireAgent(subArgs)
|
|
default:
|
|
fmt.Fprintf(os.Stderr, "unknown subcommand: agents %s\n", subcommand)
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func handleJobs(client *cli.Client, args []string) error {
|
|
if len(args) == 0 {
|
|
fmt.Fprintf(os.Stderr, "usage: jobs <list|get|cancel> [options]\n")
|
|
return nil
|
|
}
|
|
|
|
subcommand := args[0]
|
|
subArgs := args[1:]
|
|
|
|
switch subcommand {
|
|
case "list":
|
|
return client.ListJobs(subArgs)
|
|
case "get":
|
|
if len(subArgs) == 0 {
|
|
fmt.Fprintf(os.Stderr, "usage: jobs get <id>\n")
|
|
return nil
|
|
}
|
|
return client.GetJob(subArgs[0])
|
|
case "cancel":
|
|
if len(subArgs) == 0 {
|
|
fmt.Fprintf(os.Stderr, "usage: jobs cancel <id>\n")
|
|
return nil
|
|
}
|
|
return client.CancelJob(subArgs[0])
|
|
default:
|
|
fmt.Fprintf(os.Stderr, "unknown subcommand: jobs %s\n", subcommand)
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func handleImport(client *cli.Client, args []string) error {
|
|
if len(args) == 0 {
|
|
fmt.Fprintf(os.Stderr, "usage: import <file> [file2 ...]\n")
|
|
return nil
|
|
}
|
|
return client.ImportCertificates(args)
|
|
}
|
|
|
|
func handleStatus(client *cli.Client) error {
|
|
return client.GetStatus()
|
|
}
|
|
|
|
// handleEST dispatches the `est` subcommands. Mirrors the existing
|
|
// handleCerts / handleAgents pattern verbatim. EST RFC 7030 hardening
|
|
// master bundle Phase 9.1.
|
|
func handleEST(client *cli.Client, args []string) error {
|
|
if len(args) == 0 {
|
|
fmt.Fprintf(os.Stderr, "usage: est <cacerts|csrattrs|enroll|reenroll|serverkeygen|test> [options]\n")
|
|
return nil
|
|
}
|
|
subcommand := args[0]
|
|
subArgs := args[1:]
|
|
switch subcommand {
|
|
case "cacerts":
|
|
return client.EstCacerts(subArgs)
|
|
case "csrattrs":
|
|
return client.EstCsrattrs(subArgs)
|
|
case "enroll":
|
|
return client.EstEnroll(subArgs)
|
|
case "reenroll":
|
|
return client.EstReEnroll(subArgs)
|
|
case "serverkeygen":
|
|
return client.EstServerKeygen(subArgs)
|
|
case "test":
|
|
return client.EstTest(subArgs)
|
|
default:
|
|
fmt.Fprintf(os.Stderr, "unknown subcommand: est %s\n", subcommand)
|
|
return nil
|
|
}
|
|
}
|
|
|
|
// validateHTTPSScheme rejects plaintext and empty-scheme server URLs at
|
|
// startup so operators get a fail-loud diagnostic before any network call,
|
|
// not a TCP-refused or TLS-handshake-error downstream. See docs/upgrade-to-tls.md.
|
|
func validateHTTPSScheme(serverURL string) error {
|
|
if serverURL == "" {
|
|
return fmt.Errorf("server URL is empty — set --server (or CERTCTL_SERVER_URL) to an https:// URL (e.g., https://certctl-server:8443)")
|
|
}
|
|
u, err := url.Parse(serverURL)
|
|
if err != nil {
|
|
return fmt.Errorf("server URL %q is not a valid URL: %w", serverURL, err)
|
|
}
|
|
switch strings.ToLower(u.Scheme) {
|
|
case "https":
|
|
return nil
|
|
case "http":
|
|
return fmt.Errorf("server URL %q uses plaintext http:// — the certctl control plane is HTTPS-only", serverURL)
|
|
case "":
|
|
return fmt.Errorf("server URL %q is missing a scheme — expected https://", serverURL)
|
|
default:
|
|
return fmt.Errorf("server URL %q uses unsupported scheme %q — expected https://", serverURL, u.Scheme)
|
|
}
|
|
}
|
|
|
|
// handleAuth dispatches the `certctl-cli auth ...` subcommand tree.
|
|
// Bundle 1 Phase 5: ships read + grant operations against the
|
|
// /api/v1/auth/* surface introduced in Phase 4. Mutations like role
|
|
// create / update / delete can be added in a Phase 5.5 follow-up; this
|
|
// commit ships the operator-facing subset most useful for migration
|
|
// and day-2 scope-down (`auth keys list` + `auth keys assign` +
|
|
// `auth me`).
|
|
func handleAuth(client *cli.Client, args []string) error {
|
|
if len(args) == 0 {
|
|
fmt.Fprintf(os.Stderr, "usage: auth <roles|permissions|keys|me> [...]\n")
|
|
return nil
|
|
}
|
|
subcommand := args[0]
|
|
subArgs := args[1:]
|
|
|
|
switch subcommand {
|
|
case "roles":
|
|
return handleAuthRoles(client, subArgs)
|
|
case "permissions":
|
|
return handleAuthPermissions(client, subArgs)
|
|
case "keys":
|
|
return handleAuthKeys(client, subArgs)
|
|
case "me":
|
|
return client.AuthMe()
|
|
default:
|
|
fmt.Fprintf(os.Stderr, "unknown auth subcommand: %s\n", subcommand)
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func handleAuthRoles(client *cli.Client, args []string) error {
|
|
if len(args) == 0 {
|
|
fmt.Fprintf(os.Stderr, "usage: auth roles <list|get> [id]\n")
|
|
return nil
|
|
}
|
|
switch args[0] {
|
|
case "list":
|
|
return client.AuthListRoles()
|
|
case "get":
|
|
if len(args) < 2 {
|
|
fmt.Fprintf(os.Stderr, "usage: auth roles get <id>\n")
|
|
return nil
|
|
}
|
|
return client.AuthGetRole(args[1])
|
|
default:
|
|
fmt.Fprintf(os.Stderr, "unknown roles subcommand: %s\n", args[0])
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func handleAuthPermissions(client *cli.Client, args []string) error {
|
|
if len(args) == 0 || args[0] != "list" {
|
|
fmt.Fprintf(os.Stderr, "usage: auth permissions list\n")
|
|
return nil
|
|
}
|
|
return client.AuthListPermissions()
|
|
}
|
|
|
|
func handleAuthKeys(client *cli.Client, args []string) error {
|
|
if len(args) == 0 {
|
|
fmt.Fprintf(os.Stderr, "usage: auth keys <assign|revoke> [...]\n")
|
|
return nil
|
|
}
|
|
switch args[0] {
|
|
case "assign":
|
|
// auth keys assign <key-id> --role <role-id>
|
|
if len(args) < 4 || args[2] != "--role" {
|
|
fmt.Fprintf(os.Stderr, "usage: auth keys assign <key-id> --role <role-id>\n")
|
|
return nil
|
|
}
|
|
return client.AuthAssignRoleToKey(args[1], args[3])
|
|
case "revoke":
|
|
// auth keys revoke <key-id> --role <role-id>
|
|
if len(args) < 4 || args[2] != "--role" {
|
|
fmt.Fprintf(os.Stderr, "usage: auth keys revoke <key-id> --role <role-id>\n")
|
|
return nil
|
|
}
|
|
return client.AuthRevokeRoleFromKey(args[1], args[3])
|
|
default:
|
|
fmt.Fprintf(os.Stderr, "unknown keys subcommand: %s\n", args[0])
|
|
return nil
|
|
}
|
|
}
|