Merge branch 'next' into setMebx

Author: rsdmike

internal/cli/integration_test.go

@@ -22,6 +22,10 @@ func (pr *prMockSuccess) ReadPassword() (string, error) {
 	return utils.TestPassword, nil
 }
 
+func (pr *prMockSuccess) ReadPasswordWithConfirmation(prompt, confirmPrompt string) (string, error) {
+	return utils.TestPassword, nil
+}
+
 func TestCLIIntegration(t *testing.T) {
 	// Always mock password prompts in this test suite to avoid EOF on stdin.
 	oldPR := utils.PR

internal/commands/activate/activate_test.go

@@ -20,12 +20,20 @@ func (mpr *MockPasswordReaderSuccess) ReadPassword() (string, error) {
 	return utils.TestPassword, nil
 }
 
+func (mpr *MockPasswordReaderSuccess) ReadPasswordWithConfirmation(prompt, confirmPrompt string) (string, error) {
+	return utils.TestPassword, nil
+}
+
 type MockPasswordReaderFail struct{}
 
 func (mpr *MockPasswordReaderFail) ReadPassword() (string, error) {
 	return "", errors.New("Read password failed")
 }
 
+func (mpr *MockPasswordReaderFail) ReadPasswordWithConfirmation(prompt, confirmPrompt string) (string, error) {
+	return "", errors.New("Read password failed")
+}
+
 func TestActivateCmd_Structure(t *testing.T) {
 	// Test that ActivateCmd has the correct structure
 	cmd := &ActivateCmd{}

internal/commands/base.go

@@ -41,26 +41,36 @@ type AMTBaseCmd struct {
 	afterApplied bool `kong:"-"`
 }
 
-// ValidatePasswordIfNeeded prompts for password if required and not already provided
-// EnsureAMTPassword prompts (once) if the command requires an AMT password and ctx.AMTPassword is empty.
+// EnsureAMTPassword prompts for an AMT password when required and ctx.AMTPassword is empty.
+// For non-activated devices (control mode 0), it also prompts for password confirmation to prevent typos.
 func (cmd *AMTBaseCmd) EnsureAMTPassword(ctx *Context, requirer PasswordRequirer) error {
 	if !requirer.RequiresAMTPassword() {
 		return nil
 	}
 
 	if strings.TrimSpace(ctx.AMTPassword) != "" {
-		return nil
+		return nil // Password already provided, no prompting
 	}
 
-	fmt.Print("AMT Password: ")
+	var pw string
+
+	var err error
+
+	// If device not activated (control mode 0), require confirmation
+	if cmd.ControlMode == 0 {
+		pw, err = utils.PR.ReadPasswordWithConfirmation("AMT Password: ", "Confirm AMT Password: ")
+	} else {
+		fmt.Print("AMT Password: ")
+
+		pw, err = utils.PR.ReadPassword()
+
+		fmt.Println()
+	}
 
-	pw, err := utils.PR.ReadPassword()
 	if err != nil {
 		return fmt.Errorf("failed to read AMT password: %w", err)
 	}
 
-	fmt.Println()
-
 	if pw == "" {
 		return fmt.Errorf("password cannot be empty")
 	}

internal/commands/base_test.go

@@ -14,12 +14,51 @@ import (
 
 // MockPasswordReader for testing password prompting
 type MockPasswordReader struct {
-	password string
-	err      error
+	passwords []string // passwords to return in sequence
+	index     int
+	err       error
 }
 
 func (m *MockPasswordReader) ReadPassword() (string, error) {
-	return m.password, m.err
+	if m.err != nil {
+		return "", m.err
+	}
+
+	if len(m.passwords) == 0 {
+		return "", nil
+	}
+
+	pw := m.passwords[m.index]
+	if m.index < len(m.passwords)-1 {
+		m.index++
+	}
+
+	return pw, nil
+}
+
+func (m *MockPasswordReader) ReadPasswordWithConfirmation(prompt, confirmPrompt string) (string, error) {
+	if m.err != nil {
+		return "", m.err
+	}
+
+	if len(m.passwords) < 2 {
+		// Single password means both are the same (matching)
+		if len(m.passwords) == 1 {
+			return m.passwords[0], nil
+		}
+
+		return "", nil
+	}
+
+	pw1 := m.passwords[0]
+	pw2 := m.passwords[1]
+	m.index = 2
+
+	if pw1 != pw2 {
+		return "", utils.PasswordsDoNotMatch
+	}
+
+	return pw1, nil
 }
 
 // MockPasswordRequirer for testing password requirements
@@ -35,9 +74,10 @@ func TestAMTBaseCmd_EnsureAMTPassword(t *testing.T) {
 	tests := []struct {
 		name          string
 		ctxPassword   string
-		mockPassword  string
+		mockPasswords []string
 		mockError     error
 		requiresPass  bool
+		controlMode   int
 		expectedError bool
 		expectedPass  string
 	}{
@@ -48,10 +88,25 @@ func TestAMTBaseCmd_EnsureAMTPassword(t *testing.T) {
 			expectedPass: "existing-password",
 		},
 		{
-			name:         "password prompted successfully",
-			mockPassword: "prompted-password",
-			requiresPass: true,
-			expectedPass: "prompted-password",
+			name:          "password prompted successfully - activated device",
+			mockPasswords: []string{"prompted-password"},
+			requiresPass:  true,
+			controlMode:   1, // activated (CCM)
+			expectedPass:  "prompted-password",
+		},
+		{
+			name:          "password prompted successfully - not activated with matching confirmation",
+			mockPasswords: []string{"new-password", "new-password"},
+			requiresPass:  true,
+			controlMode:   0, // not activated
+			expectedPass:  "new-password",
+		},
+		{
+			name:          "password mismatch - not activated device",
+			mockPasswords: []string{"password1", "password2"},
+			requiresPass:  true,
+			controlMode:   0, // not activated
+			expectedError: true,
 		},
 		{
 			name:          "password prompting fails",
@@ -64,6 +119,13 @@ func TestAMTBaseCmd_EnsureAMTPassword(t *testing.T) {
 			requiresPass: false,
 			expectedPass: "",
 		},
+		{
+			name:          "activated device ACM - single prompt",
+			mockPasswords: []string{"acm-password"},
+			requiresPass:  true,
+			controlMode:   2, // activated (ACM)
+			expectedPass:  "acm-password",
+		},
 	}
 
 	for _, tt := range tests {
@@ -72,9 +134,9 @@ func TestAMTBaseCmd_EnsureAMTPassword(t *testing.T) {
 
 			defer func() { utils.PR = originalPR }()
 
-			utils.PR = &MockPasswordReader{password: tt.mockPassword, err: tt.mockError}
+			utils.PR = &MockPasswordReader{passwords: tt.mockPasswords, err: tt.mockError}
 
-			cmd := &AMTBaseCmd{}
+			cmd := &AMTBaseCmd{ControlMode: tt.controlMode}
 			ctx := &Context{AMTPassword: tt.ctxPassword}
 			requirer := &MockPasswordRequirer{requiresPassword: tt.requiresPass}
 
@@ -89,6 +151,22 @@ func TestAMTBaseCmd_EnsureAMTPassword(t *testing.T) {
 	}
 }
 
+func TestAMTBaseCmd_EnsureAMTPassword_PasswordsDoNotMatch(t *testing.T) {
+	originalPR := utils.PR
+
+	defer func() { utils.PR = originalPR }()
+
+	utils.PR = &MockPasswordReader{passwords: []string{"pass1", "pass2"}}
+
+	cmd := &AMTBaseCmd{ControlMode: 0} // not activated
+	ctx := &Context{}
+	requirer := &MockPasswordRequirer{requiresPassword: true}
+
+	err := cmd.EnsureAMTPassword(ctx, requirer)
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, utils.PasswordsDoNotMatch)
+}
+
 func TestAMTBaseCmd_RequiresAMTPassword(t *testing.T) {
 	cmd := &AMTBaseCmd{}
 	assert.True(t, cmd.RequiresAMTPassword(), "AMTBaseCmd should require password by default")

internal/commands/configure/cira_test.go

@@ -109,6 +109,10 @@ type mockPasswordReader struct {
 
 func (m *mockPasswordReader) ReadPassword() (string, error) { return m.password, m.err }
 
+func (m *mockPasswordReader) ReadPasswordWithConfirmation(prompt, confirmPrompt string) (string, error) {
+	return m.password, m.err
+}
+
 func TestCIRACmd_Run(t *testing.T) {
 	t.Run("successful_cira_configuration", func(t *testing.T) {
 		ctrl := gomock.NewController(t)

internal/commands/deactivate_test.go

@@ -22,18 +22,30 @@ func (mpr *MockPasswordReaderSuccess) ReadPassword() (string, error) {
 	return utils.TestPassword, nil
 }
 
+func (mpr *MockPasswordReaderSuccess) ReadPasswordWithConfirmation(prompt, confirmPrompt string) (string, error) {
+	return utils.TestPassword, nil
+}
+
 type MockPasswordReaderFail struct{}
 
 func (mpr *MockPasswordReaderFail) ReadPassword() (string, error) {
 	return "", errors.New("Read password failed")
 }
 
+func (mpr *MockPasswordReaderFail) ReadPasswordWithConfirmation(prompt, confirmPrompt string) (string, error) {
+	return "", errors.New("Read password failed")
+}
+
 type MockPasswordReaderEmpty struct{}
 
 func (mpr *MockPasswordReaderEmpty) ReadPassword() (string, error) {
 	return "", nil
 }
 
+func (mpr *MockPasswordReaderEmpty) ReadPasswordWithConfirmation(prompt, confirmPrompt string) (string, error) {
+	return "", nil
+}
+
 func TestDeactivateCmd_Validate(t *testing.T) {
 	tests := []struct {
 		name    string

internal/rps/message_test.go

@@ -27,12 +27,20 @@ func (mpr *MockPasswordReaderSuccess) ReadPassword() (string, error) {
 	return utils.TestPassword, nil
 }
 
+func (mpr *MockPasswordReaderSuccess) ReadPasswordWithConfirmation(prompt, confirmPrompt string) (string, error) {
+	return utils.TestPassword, nil
+}
+
 type MockPasswordReaderFail struct{}
 
 func (mpr *MockPasswordReaderFail) ReadPassword() (string, error) {
 	return "", errors.New("Read password failed")
 }
 
+func (mpr *MockPasswordReaderFail) ReadPasswordWithConfirmation(prompt, confirmPrompt string) (string, error) {
+	return "", errors.New("Read password failed")
+}
+
 // Mock the AMT Hardware
 type MockAMT struct{}
 

pkg/smb/samba_test.go

@@ -25,12 +25,20 @@ func (mpr *MockPasswordReaderSuccess) ReadPassword() (string, error) {
 	return utils.TestPassword, nil
 }
 
+func (mpr *MockPasswordReaderSuccess) ReadPasswordWithConfirmation(prompt, confirmPrompt string) (string, error) {
+	return utils.TestPassword, nil
+}
+
 type MockPasswordReaderFail struct{}
 
 func (mpr *MockPasswordReaderFail) ReadPassword() (string, error) {
 	return "", errors.New("Read password failed")
 }
 
+func (mpr *MockPasswordReaderFail) ReadPasswordWithConfirmation(prompt, confirmPrompt string) (string, error) {
+	return "", errors.New("Read password failed")
+}
+
 func TestParseURL(t *testing.T) {
 	service := NewSambaService(MockPRSuccess)
 	curUser, err := user.Current()

pkg/utils/passwordReader.go

@@ -6,6 +6,7 @@ package utils
 
 import (
 	"bufio"
+	"fmt"
 	"os"
 
 	"golang.org/x/term"
@@ -17,6 +18,7 @@ var PR PasswordReader = new(RealPasswordReader)
 
 type PasswordReader interface {
 	ReadPassword() (string, error)
+	ReadPasswordWithConfirmation(prompt, confirmPrompt string) (string, error)
 }
 
 type RealPasswordReader struct{}
@@ -37,3 +39,29 @@ func (pr *RealPasswordReader) ReadPassword() (string, error) {
 		return pass, nil
 	}
 }
+
+func (pr *RealPasswordReader) ReadPasswordWithConfirmation(prompt, confirmPrompt string) (string, error) {
+	fmt.Print(prompt)
+
+	pw1, err := pr.ReadPassword()
+	if err != nil {
+		return "", err
+	}
+
+	fmt.Println()
+
+	fmt.Print(confirmPrompt)
+
+	pw2, err := pr.ReadPassword()
+	if err != nil {
+		return "", err
+	}
+
+	fmt.Println()
+
+	if pw1 != pw2 {
+		return "", PasswordsDoNotMatch
+	}
+
+	return pw1, nil
+}