Migrate to clap 4.2, run binaries/examples with --help in CI, and clean up examples

.github/workflows/ci.yml

@@ -53,14 +53,21 @@ jobs:
       - run: cargo build --workspace --exclude webauthn-authenticator-rs
 
       # Don't run clippy on Windows, we only need to run it on Linux
-      #
-      # FIXME: clippy in rust 1.69.0 fails a clap macro expansion
-      # https://github.com/rust-lang/rust-clippy/issues/10421
-      - if: runner.os != 'windows' && matrix.rust_version != 'stable'
+      - if: runner.os != 'windows'
         run: cargo clippy --no-deps --workspace --exclude webauthn-authenticator-rs --all-targets
 
       - run: cargo test --workspace --exclude webauthn-authenticator-rs
 
+      # Some clap errors manifest as panics at runtime. Running tools with
+      # --help should be enough to find an issue.
+      - run: cargo run --bin cable-tunnel-server-backend -- --help
+      - run: cargo run --bin cable-tunnel-server-frontend -- --help
+      # fido-key-manager requires elevation on Windows, which cargo can't
+      # handle.
+      - if: runner.os != 'windows'
+        run: cargo run --bin fido-key-manager -- --help
+      - run: cargo run --bin fido-mds-tool -- --help
+
   authenticator:
     name: webauthn-authenticator-rs test
     strategy:
@@ -119,14 +126,20 @@ jobs:
 
       # Don't run clippy on Windows unless it is using a Windows-specific
       # feature which wasn't checked on Linux.
-      #
-      # FIXME: clippy in rust 1.69.0 fails a clap macro expansion
-      # https://github.com/rust-lang/rust-clippy/issues/10421
-      - if: (contains(matrix.features, 'windows') || runner.os != 'windows') && matrix.rust_version != 'stable'
+      - if: contains(matrix.features, 'windows') || runner.os != 'windows'
         run: cargo clippy --no-deps -p webauthn-authenticator-rs --all-targets ${{ matrix.features }}
 
       - run: cargo test -p webauthn-authenticator-rs ${{ matrix.features }}
 
+      # Some clap errors manifest as panics at runtime. Running tools with
+      # --help should be enough to find an issue.
+      - run: cargo run -p webauthn-authenticator-rs --example authenticate ${{ matrix.features }} -- --help
+      - if: contains(matrix.features, 'cable')
+        run: cargo run -p webauthn-authenticator-rs --example cable_domain ${{ matrix.features }} -- --help
+      - if: contains(matrix.features, 'cable')
+        run: cargo run -p webauthn-authenticator-rs --example cable_tunnel ${{ matrix.features }} -- --help
+      - run: cargo run -p webauthn-authenticator-rs --example softtoken ${{ matrix.features }} -- --help
+
   docs:
     name: Documentation
     strategy:

Cargo.toml

@@ -45,7 +45,7 @@ webauthn-rs-proto = { path = "./webauthn-rs-proto" }
 
 async-std = { version = "1.6", features = ["attributes"] }
 base64 = "0.21"
-clap = { version = "^3.2", features = ["derive", "env"] }
+clap = { version = "^4.2.4", features = ["derive", "env"] }
 compact_jwt = "0.2.3"
 futures = "^0.3.25"
 hex = "0.4.3"

cable-tunnel-server/common/src/tls.rs

@@ -41,7 +41,7 @@ impl From<native_tls::Error> for TlsConfigError {
 pub struct ServerTransportProtocol {
     /// Runs an unencrypted HTTP server, rather than HTTPS. This is not suitable
     /// for use with ordinary caBLE clients.
-    #[clap(long, conflicts_with_all(&["tls-public-key", "tls-private-key"]))]
+    #[clap(long, conflicts_with_all(&["tls_public_key", "tls_private_key"]))]
     insecure_http_server: bool,
 
     /// Path to the server's public key (certificate) in PEM format.
@@ -106,7 +106,7 @@ impl ServerTransportProtocol {
 #[derive(Debug, Clone, Args)]
 pub struct BackendClientOptions {
     /// Uses unencrypted HTTP to connect to backend tasks, rather than HTTPS.
-    #[clap(long, conflicts_with_all(&["trusted-ca", "domain"]))]
+    #[clap(long, conflicts_with_all(&["trusted_ca", "domain"]))]
     insecure_http_backend: bool,
 
     /// Public key of the root CA to trust when connecting to a backend task,

fido-key-manager/src/main.rs

@@ -69,8 +69,8 @@ pub struct RenameFingerprintOpt {
 
 #[derive(Debug, Args)]
 pub struct RemoveFingerprintOpt {
-    /// The template ID
-    #[clap(min_values(1), required(true))]
+    /// The template ID(s) to remove
+    #[clap(required = true)]
     pub id: Vec<String>,
 }
 

fido-mds-tool/src/main.rs

@@ -26,7 +26,7 @@ pub struct CommonOpt {
     #[clap(short, long)]
     pub debug: bool,
     /// Path to the MDS file
-    #[clap(parse(from_os_str), short = 'p', long = "path")]
+    #[clap(short, long)]
     pub path: PathBuf,
 }
 

webauthn-authenticator-rs/Cargo.toml

@@ -93,3 +93,7 @@ openssl.workspace = true
 [[example]]
 name = "cable_domain"
 required-features = ["cable"]
+
+[[example]]
+name = "cable_tunnel"
+required-features = ["cable"]

webauthn-authenticator-rs/examples/cable_domain.rs

@@ -3,7 +3,7 @@
 //! ```sh
 //! cargo run --example cable_domain --features cable -- --help
 //! ```
-use clap::{ArgGroup, CommandFactory, Parser, ValueHint};
+use clap::{error::ErrorKind, ArgGroup, CommandFactory, Parser, ValueHint};
 use std::net::ToSocketAddrs;
 use webauthn_authenticator_rs::cable::get_domain;
 
@@ -23,7 +23,7 @@ rather than an error."
 #[clap(group(
     ArgGroup::new("ids")
         .required(true)
-        .args(&["tunnel-server-ids", "all"])
+        .args(&["tunnel_server_ids", "all"])
 ))]
 pub struct CliParser {
     /// One or more tunnel server IDs.
@@ -54,9 +54,7 @@ pub struct CliParser {
 /// Returns [None] on resolution failure or no results.
 fn resolver(hostname: &str) -> Option<String> {
     (hostname, 443).to_socket_addrs().ok().and_then(|addrs| {
-        let mut o: String = addrs
-            .map(|addr| format!("{},", addr.ip().to_string()))
-            .collect();
+        let mut o: String = addrs.map(|addr| format!("{},", addr.ip())).collect();
         o.pop();
 
         if o.is_empty() {
@@ -97,7 +95,7 @@ fn main() {
             Some(d) => println!("{d}"),
             None => CliParser::command()
                 .error(
-                    clap::ErrorKind::ValueValidation,
+                    ErrorKind::ValueValidation,
                     format!("unknown tunnel server ID: {domain_id}"),
                 )
                 .exit(),

webauthn-authenticator-rs/examples/cable_tunnel/core.rs → webauthn-authenticator-rs/examples/cable_tunnel.rs

@@ -1,3 +1,7 @@
+//! `cable_tunnel` shares a [Token] over a caBLE connection.
+#[macro_use]
+extern crate tracing;
+
 use bluetooth_hci::{
     host::{
         uart::{CommandHeader, Hci as UartHci, Packet},
@@ -34,7 +38,7 @@ use webauthn_authenticator_rs::{
 #[clap(group(
     ArgGroup::new("url")
         .required(true)
-        .args(&["cable-url", "qr-image"])
+        .args(&["cable_url", "qr_image"])
 ))]
 pub struct CliParser {
     /// Serial port where Bluetooth HCI controller is connected to.
@@ -178,7 +182,9 @@ impl Advertiser for SerialHciAdvertiser {
 }
 
 #[tokio::main]
-pub(super) async fn main() {
+async fn main() {
+    let _ = tracing_subscriber::fmt::try_init();
+
     let opt = CliParser::parse();
     let cable_url = if let Some(u) = opt.cable_url {
         u