From 6e6111a1649670d18e2595c50009f2ce793951ce Mon Sep 17 00:00:00 2001
From: shimun
Date: Sat, 24 Dec 2022 20:57:55 +0100
Subject: [PATCH] added: prohibit key update flag

---
 client/src/client.rs | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/client/src/client.rs b/client/src/client.rs
index 4e479e1..81f4940 100644
--- a/client/src/client.rs
+++ b/client/src/client.rs
@@ -3,10 +3,10 @@ use axum_extra::routing::TypedPath;
 use clap::{Parser, Subcommand};
 use reqwest::{Client, StatusCode};
 use ssh_key::Certificate;
-use std::io::stdin;
 use std::path::PathBuf;
 use std::time::{Duration, SystemTime};
 use tokio::fs;
+use tokio::io::{stdin, AsyncBufReadExt, BufReader};
 use tracing::{debug, error, info, instrument, trace};
 use url::Url;
 
@@ -27,7 +27,9 @@ pub struct ClientArgs {
 pub struct FetchArgs {
 #[clap(flatten)]
 args: ClientArgs,
- #[clap(short = 'c', long = "cert-dir", env = env_key!("CERT_DIR") )]
+ #[clap(short = 'k', long = "key-update", env = env_key!("KEY_UPDATE"))]
+ prohibit_key_update: bool,
+ #[clap(short = 'c', long = "cert-dir", env = env_key!("CERT_DIR"))]
 cert_dir: PathBuf,
 /// minimum time in days between now and expiry to consider checking
 #[clap(short = 'd', long = "days", default_value = "60", env = env_key!("MIN_DELTA_DAYS"))]
@@ -109,6 +111,7 @@ async fn upload_cert(client: Client, url: Url, cert: Certificate) -> anyhow::Res
 async fn fetch(
 FetchArgs {
 cert_dir,
+ prohibit_key_update,
 min_delta_days: min_delta,
 args: ClientArgs { api, interactive },
 }: FetchArgs,
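Review bot: The flag's name contradicts its effect in the FetchArgs hunk: `long = "key-update"` (and `env_key!("KEY_UPDATE")`) switches on `prohibit_key_update`, so an operator passing `--key-update` or exporting the variable turns key changes off rather than on. Name the switch after what it does, `#[clap(short = 'k', long = "prohibit-key-update", env = env_key!("PROHIBIT_KEY_UPDATE"))]`, and give it a `///` doc line as the `days` option has, e.g. `/// refuse certificate updates whose public key differs from the local certificate`. Because this is a bool backed by an environment variable, confirm with the clap version in use that a value such as `KEY_UPDATE=false` is parsed as false rather than counted as present, or document that any value enables it. The default leaves key changes accepted, which is the permissive choice; if the point of the flag is to stop a certificate for a different key from replacing the local one, consider making refusal the default and exposing an explicit allow flag instead.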
@@ -134,8 +137,13 @@ async fn fetch(
 let client = client.clone();
 tokio::spawn(async move { fetch_cert(client, url, cert).await })
 });
+ let mut stdin = BufReader::new(stdin()).lines();
 for cert in updates {
 if let Ok(Some((cert, update))) = cert.await? {
+ if prohibit_key_update && cert.public_key() != update.public_key() {
+ debug!(?update, "skipping cert due to key change");
+ continue;
+ }
 if interactive {
 println!("certificate update: {}", cert.key_id());
 println!(
@@ -144,9 +152,8 @@ async fn fetch(
 update.valid_before()
 );
 println!("update? : (y/n)");
- let mut yes = String::with_capacity(3);
- stdin().read_line(&mut yes)?;
- if !yes.starts_with(['y', 'Y']) {
+ let yes = stdin.next_line().await?;
+ if !matches!(yes, Some(line) if line.starts_with(['y', 'Y'])) {
 break;
 }
 }
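Review bot: A refused key change is logged only at `debug!` in the new `if prohibit_key_update` branch, so under the usual log filter an operator never learns that an update was dropped; raise it to `info!` or `warn!` (`info` and `error` are already imported) and log the identity rather than the whole certificate, e.g. `info!(key_id = %cert.key_id(), "skipping cert due to key change");`. When the flag is off, the interactive prompt that follows prints only the key id and validity window, so the person answering y/n is never told that the update carries a different public key; printing that difference before the prompt would make the decision an informed one. The `stdin` line reader is also built unconditionally before the loop although it is only read when `interactive` is set. fetch's body starts and ends outside this hunk.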
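Review bot: Declining one update with anything other than y/Y still executes `break`, which abandons every remaining certificate instead of skipping the one just declined; this predates the commit, but since the answer handling is being rewritten here, `continue` looks like the intended behaviour, and the new `None` (stdin closed) case then deserves its own explicit `break`. A one-line comment on the `matches!` line stating that an empty, non-y or EOF answer is treated as "no" would also save the next reader from re-deriving it. fetch's body starts and ends outside this hunk.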