commit 082d06f7e872d368ec03a183f09efdcf52bc2987
parent ef72b2499c9a1fefdf3b8813eedd8bac6608173b
Author: Sean Enck <sean@ttypty.com>
Date: Mon, 9 Jun 2025 15:43:15 -0400
early exit from readonly mode (invalid op)
Diffstat:
4 files changed, 16 insertions(+), 0 deletions(-)
diff --git a/cmd/lb/main.go b/cmd/lb/main.go
@@ -7,6 +7,7 @@ import (
"os"
"os/exec"
"runtime/debug"
+ "slices"
"strings"
"time"
@@ -79,6 +80,11 @@ func run() error {
if err != nil {
return err
}
+ if slices.Contains(commands.IsReadOnly, command) {
+ if config.EnvReadOnly.Get() {
+ return fmt.Errorf("%s is not allowed in read-only", command)
+ }
+ }
switch command {
case commands.ReKey:
return app.ReKey(p)
diff --git a/cmd/lb/main_test.go b/cmd/lb/main_test.go
@@ -189,6 +189,12 @@ func test(profile string) error {
c["credentials.password_mode"] = c.quoteString("none")
}
}
+
+ c["readonly"] = "true"
+ r.writeConfig(c)
+ r.run("echo testing |", "insert test1/key1/password")
+
+ delete(c, "readonly")
c["totp.timeout"] = "1"
r.writeConfig(c)
for _, k := range []string{"test2/key1/password", "test2/key1/notes", "test3", "test3/invalid/", "test3/invalid/still"} {
diff --git a/cmd/lb/tests/expected.log b/cmd/lb/tests/expected.log
@@ -1,3 +1,4 @@
+insert is not allowed in read-only
'test3' is not an allowed field name
'' is not an allowed field name
'still' is not an allowed field name
diff --git a/internal/app/commands/core.go b/internal/app/commands/core.go
@@ -72,6 +72,9 @@ var (
}{"keyfile", "nokey"}
)
+// IsReadOnly are commands blocked in readonly mode
+var IsReadOnly = []string{Move, Insert, Unset, Remove}
+
// ReKeyArgs is the base definition of re-keying args
type ReKeyArgs struct {
KeyFile string
