canonical · adombeck · Sep 23, 2025 · Feb 7, 2025 · Feb 7, 2025 · Feb 7, 2025
diff --git a/cmd/authctl/main.go b/cmd/authctl/main.go
@@ -0,0 +1,65 @@
+// Package main implements Cobra commands for management operations on authd.
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+	"github.com/ubuntu/authd/cmd/authctl/user"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+var rootCmd = &cobra.Command{
+	Use:   "authctl",
+	Short: "CLI tool to interact with authd",
+	Long:  "authctl is a command-line tool to interact with the authd service for user and group management.",
+	PersistentPreRun: func(cmd *cobra.Command, args []string) {
+		// The command was successfully parsed, so we don't want cobra to print usage information on error.
+		cmd.SilenceUsage = true
+	},
+	CompletionOptions: cobra.CompletionOptions{
+		HiddenDefaultCmd: true,
+	},
+	// We handle errors ourselves
+	SilenceErrors: true,
+	Args:          cobra.NoArgs,
+	RunE:          func(cmd *cobra.Command, args []string) error { return cmd.Usage() },
+}
+
+func init() {
+	// Disable command sorting by name. This makes cobra print the commands in the
+	// order they are added to the root command and adds the `help` and `completion`
+	// commands at the end.
+	cobra.EnableCommandSorting = false
+
+	rootCmd.AddCommand(user.UserCmd)
+}
+
+func main() {
+	if err := rootCmd.Execute(); err != nil {
+		s, ok := status.FromError(err)
+		if !ok {
+			// If the error is not a gRPC status, we print it as is.
+			fmt.Fprintln(os.Stderr, err.Error())
+			os.Exit(1)
+		}
+
+		// If the error is a gRPC status, we print the message and exit with the gRPC status code.
+		switch s.Code() {
+		case codes.PermissionDenied:
+			fmt.Fprintln(os.Stderr, "Permission denied:", s.Message())
+		default:
+			fmt.Fprintln(os.Stderr, "Error:", s.Message())
+		}
+		code := int(s.Code())
+		if code < 0 || code > 255 {
+			// We cannot exit with a negative code or a code greater than 255,
+			// so we map it to 1 in that case.
+			code = 1
+		}
+
+		os.Exit(code)
+	}
+}
diff --git a/cmd/authctl/main_test.go b/cmd/authctl/main_test.go
@@ -0,0 +1,68 @@
+package main_test
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"testing"
+
+	"github.com/ubuntu/authd/internal/testutils"
+	"github.com/ubuntu/authd/internal/testutils/golden"
+)
+
+var authctlPath string
+
+func TestRootCommand(t *testing.T) {
+	t.Parallel()
+
+	tests := map[string]struct {
+		args             []string
+		expectedExitCode int
+	}{
+		"Usage_message_when_no_args": {expectedExitCode: 0},
+		"Help_command":               {args: []string{"help"}, expectedExitCode: 0},
+		"Help_flag":                  {args: []string{"--help"}, expectedExitCode: 0},
+		"Completion_command":         {args: []string{"completion"}, expectedExitCode: 0},
+
+		"Error_on_invalid_command": {args: []string{"invalid-command"}, expectedExitCode: 1},
+		"Error_on_invalid_flag":    {args: []string{"--invalid-flag"}, expectedExitCode: 1},
+	}
+
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			//nolint:gosec // G204 it's safe to use exec.Command with a variable here
+			cmd := exec.Command(authctlPath, tc.args...)
+			t.Logf("Running command: %s", cmd.String())
+			outputBytes, err := cmd.CombinedOutput()
+			output := string(outputBytes)
+			exitCode := cmd.ProcessState.ExitCode()
+
+			if tc.expectedExitCode == 0 && err != nil {
+				t.Logf("Command output:\n%s", output)
+				t.Errorf("Expected no error, but got: %v", err)
+			}
+
+			if exitCode != tc.expectedExitCode {
+				t.Logf("Command output:\n%s", output)
+				t.Errorf("Expected exit code %d, got %d", tc.expectedExitCode, exitCode)
+			}
+
+			golden.CheckOrUpdate(t, output)
+		})
+	}
+}
+
+func TestMain(m *testing.M) {
+	var cleanup func()
+	var err error
+	authctlPath, cleanup, err = testutils.BuildAuthctl()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Setup: %v\n", err)
+		os.Exit(1)
+	}
+	defer cleanup()
+
+	m.Run()
+}
diff --git a/cmd/authctl/testdata/golden/TestRootCommand/Completion_command b/cmd/authctl/testdata/golden/TestRootCommand/Completion_command
@@ -0,0 +1,16 @@
+Generate the autocompletion script for authctl for the specified shell.
+See each sub-command's help for details on how to use the generated script.
+
+Usage:
+  authctl completion [command]
+
+Available Commands:
+  bash        Generate the autocompletion script for bash
+  zsh         Generate the autocompletion script for zsh
+  fish        Generate the autocompletion script for fish
+  powershell  Generate the autocompletion script for powershell
+
+Flags:
+  -h, --help   help for completion
+
+Use "authctl completion [command] --help" for more information about a command.
diff --git a/cmd/authctl/testdata/golden/TestRootCommand/Error_on_invalid_command b/cmd/authctl/testdata/golden/TestRootCommand/Error_on_invalid_command
@@ -0,0 +1,14 @@
+Usage:
+  authctl [flags]
+  authctl [command]
+
+Available Commands:
+  user        Commands related to users
+  help        Help about any command
+
+Flags:
+  -h, --help   help for authctl
+
+Use "authctl [command] --help" for more information about a command.
+
+unknown command "invalid-command" for "authctl"
diff --git a/cmd/authctl/testdata/golden/TestRootCommand/Error_on_invalid_flag b/cmd/authctl/testdata/golden/TestRootCommand/Error_on_invalid_flag
@@ -0,0 +1,14 @@
+Usage:
+  authctl [flags]
+  authctl [command]
+
+Available Commands:
+  user        Commands related to users
+  help        Help about any command
+
+Flags:
+  -h, --help   help for authctl
+
+Use "authctl [command] --help" for more information about a command.
+
+unknown flag: --invalid-flag
diff --git a/cmd/authctl/testdata/golden/TestRootCommand/Help_command b/cmd/authctl/testdata/golden/TestRootCommand/Help_command
@@ -0,0 +1,14 @@
+authctl is a command-line tool to interact with the authd service for user and group management.
+
+Usage:
+  authctl [flags]
+  authctl [command]
+
+Available Commands:
+  user        Commands related to users
+  help        Help about any command
+
+Flags:
+  -h, --help   help for authctl
+
+Use "authctl [command] --help" for more information about a command.
diff --git a/cmd/authctl/testdata/golden/TestRootCommand/Help_flag b/cmd/authctl/testdata/golden/TestRootCommand/Help_flag
@@ -0,0 +1,14 @@
+authctl is a command-line tool to interact with the authd service for user and group management.
+
+Usage:
+  authctl [flags]
+  authctl [command]
+
+Available Commands:
+  user        Commands related to users
+  help        Help about any command
+
+Flags:
+  -h, --help   help for authctl
+
+Use "authctl [command] --help" for more information about a command.
diff --git a/cmd/authctl/testdata/golden/TestRootCommand/Usage_message_when_no_args b/cmd/authctl/testdata/golden/TestRootCommand/Usage_message_when_no_args
@@ -0,0 +1,12 @@
+Usage:
+  authctl [flags]
+  authctl [command]
+
+Available Commands:
+  user        Commands related to users
+  help        Help about any command
+
+Flags:
+  -h, --help   help for authctl
+
+Use "authctl [command] --help" for more information about a command.
diff --git a/cmd/authctl/user/lock.go b/cmd/authctl/user/lock.go
@@ -0,0 +1,28 @@
+package user
+
+import (
+	"context"
+
+	"github.com/spf13/cobra"
+	"github.com/ubuntu/authd/internal/proto/authd"
+)
+
+// lockCmd is a command to lock (disable) a user.
+var lockCmd = &cobra.Command{
+	Use:   "lock <user>",
+	Short: "Lock (disable) a user managed by authd",
+	Args:  cobra.ExactArgs(1),
+	RunE: func(cmd *cobra.Command, args []string) error {
+		client, err := NewUserServiceClient()
+		if err != nil {
+			return err
+		}
+
+		_, err = client.LockUser(context.Background(), &authd.LockUserRequest{Name: args[0]})
+		if err != nil {
+			return err
+		}
+
+		return nil
+	},
+}
diff --git a/cmd/authctl/user/testdata/db/one_user_and_group.db.yaml b/cmd/authctl/user/testdata/db/one_user_and_group.db.yaml
@@ -0,0 +1,17 @@
+users:
+    - name: user1
+      uid: 1111
+      gid: 11111
+      gecos: |-
+        User1 gecos
+        On multiple lines
+      dir: /home/user1
+      shell: /bin/bash
+      broker_id: broker-id
+groups:
+    - name: group1
+      gid: 11111
+      ugid: "12345678"
+users_to_groups:
+    - uid: 1111
+      gid: 11111
diff --git a/cmd/authctl/user/testdata/empty.group b/cmd/authctl/user/testdata/empty.group
diff --git a/cmd/authctl/user/testdata/golden/TestUserCommand/Error_on_invalid_command b/cmd/authctl/user/testdata/golden/TestUserCommand/Error_on_invalid_command
@@ -0,0 +1,14 @@
+Usage:
+  authctl user [flags]
+  authctl user [command]
+
+Available Commands:
+  lock        Lock (disable) a user managed by authd
+  unlock      Unlock (enable) a user managed by authd
+
+Flags:
+  -h, --help   help for user
+
+Use "authctl user [command] --help" for more information about a command.
+
+unknown command "invalid-command" for "authctl user"
diff --git a/cmd/authctl/user/testdata/golden/TestUserCommand/Error_on_invalid_flag b/cmd/authctl/user/testdata/golden/TestUserCommand/Error_on_invalid_flag
@@ -0,0 +1,14 @@
+Usage:
+  authctl user [flags]
+  authctl user [command]
+
+Available Commands:
+  lock        Lock (disable) a user managed by authd
+  unlock      Unlock (enable) a user managed by authd
+
+Flags:
+  -h, --help   help for user
+
+Use "authctl user [command] --help" for more information about a command.
+
+unknown flag: --invalid-flag
diff --git a/cmd/authctl/user/testdata/golden/TestUserCommand/Help_flag b/cmd/authctl/user/testdata/golden/TestUserCommand/Help_flag
@@ -0,0 +1,14 @@
+Commands related to users
+
+Usage:
+  authctl user [flags]
+  authctl user [command]
+
+Available Commands:
+  lock        Lock (disable) a user managed by authd
+  unlock      Unlock (enable) a user managed by authd
+
+Flags:
+  -h, --help   help for user
+
+Use "authctl user [command] --help" for more information about a command.
diff --git a/cmd/authctl/user/testdata/golden/TestUserCommand/Usage_message_when_no_args b/cmd/authctl/user/testdata/golden/TestUserCommand/Usage_message_when_no_args
@@ -0,0 +1,12 @@
+Usage:
+  authctl user [flags]
+  authctl user [command]
+
+Available Commands:
+  lock        Lock (disable) a user managed by authd
+  unlock      Unlock (enable) a user managed by authd
+
+Flags:
+  -h, --help   help for user
+
+Use "authctl user [command] --help" for more information about a command.
diff --git a/cmd/authctl/user/testdata/golden/TestUserLockCommand/Error_locking_invalid_user b/cmd/authctl/user/testdata/golden/TestUserLockCommand/Error_locking_invalid_user
@@ -0,0 +1 @@
+Error: user "invaliduser" not found
diff --git a/cmd/authctl/user/testdata/golden/TestUserLockCommand/Lock_user_success b/cmd/authctl/user/testdata/golden/TestUserLockCommand/Lock_user_success
diff --git a/cmd/authctl/user/unlock.go b/cmd/authctl/user/unlock.go
@@ -0,0 +1,28 @@
+package user
+
+import (
+	"context"
+
+	"github.com/spf13/cobra"
+	"github.com/ubuntu/authd/internal/proto/authd"
+)
+
+// unlockCmd is a command to unlock (enable) a user.
+var unlockCmd = &cobra.Command{
+	Use:   "unlock <user>",
+	Short: "Unlock (enable) a user managed by authd",
+	Args:  cobra.ExactArgs(1),
+	RunE: func(cmd *cobra.Command, args []string) error {
+		client, err := NewUserServiceClient()
+		if err != nil {
+			return err
+		}
+
+		_, err = client.UnlockUser(context.Background(), &authd.UnlockUserRequest{Name: args[0]})
+		if err != nil {
+			return err
+		}
+
+		return nil
+	},
+}