colmena/src/nix/key.rs

use std::{
    convert::TryFrom,
    io::{self, Cursor},
    path::{Path, PathBuf},
    process::{ExitStatus, Stdio},
};

use regex::Regex;
use serde::{Deserialize, Serialize};
use snafu::Snafu;
use tokio::{
    fs::File,
    io::AsyncRead,
    process::Command,
};
use validator::{Validate, ValidationError};

#[non_exhaustive]
#[derive(Debug, Snafu)]
pub enum KeyError {
    #[snafu(display("I/O Error: {}", error))]
    IoError { error: io::Error },
    #[snafu(display("Key command failed: {}, stderr: {}", status, stderr))]
    KeyCommandStatus { status: ExitStatus, stderr: String },
}

impl From<std::io::Error> for KeyError {
    fn from(error: std::io::Error) -> Self {
        Self::IoError { error }
    }
}

#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(try_from = "KeySources")]
enum KeySource {
    #[serde(rename = "text")]
    Text(String),

    #[serde(rename = "keyCommand")]
    Command(Vec<String>),

    #[serde(rename = "keyFile")]
    File(PathBuf),
}

impl TryFrom<KeySources> for KeySource {
    type Error = String;

    fn try_from(ks: KeySources) -> Result<Self, Self::Error> {
        match (ks.text, ks.command, ks.file) {
            (Some(text), None, None) => {
                Ok(KeySource::Text(text))
            }
            (None, Some(command), None) => {
                Ok(KeySource::Command(command))
            }
            (None, None, Some(file)) => {
                Ok(KeySource::File(file))
            }
            x => {
                Err(format!("Somehow 0 or more than 1 key source was specified: {:?}", x))
            }
        }
    }
}

#[derive(Debug, Clone, Serialize, Deserialize)]
struct KeySources {
    text: Option<String>,

    #[serde(rename = "keyCommand")]
    command: Option<Vec<String>>,

    #[serde(rename = "keyFile")]
    file: Option<PathBuf>,
}

/// When to upload a given key.
#[derive(Debug, Copy, Clone, PartialEq, Serialize, Deserialize)]
pub enum UploadAt {
    /// Before activating the system profile.
    #[serde(rename = "pre-activation")]
    PreActivation,

    /// After successfully activating the system profile.
    #[serde(rename = "post-activation")]
    PostActivation,
}

#[derive(Debug, Clone, Validate, Serialize, Deserialize)]
pub struct Key {
    #[serde(flatten)]
    source: KeySource,

    #[validate(custom = "validate_dest_dir")]
    #[serde(rename = "destDir")]
    dest_dir: PathBuf,

    #[validate(custom = "validate_unix_name")]
    user: String,

    #[validate(custom = "validate_unix_name")]
    group: String,

    permissions: String,

    #[serde(rename = "uploadAt")]
    upload_at: UploadAt,
}

impl Key {
    pub async fn reader(&'_ self) -> Result<Box<dyn AsyncRead + Send + Unpin + '_>, KeyError> {
        match &self.source {
            KeySource::Text(content) => {
                Ok(Box::new(Cursor::new(content)))
            }
            KeySource::Command(command) => {
                let pathname = &command[0];
                let argv = &command[1..];

                let output = Command::new(pathname)
                    .args(argv)
                    .stdin(Stdio::null())
                    .stdout(Stdio::piped())
                    .stderr(Stdio::piped())
                    .spawn()?
                    .wait_with_output().await?;

                if output.status.success() {
                    Ok(Box::new(Cursor::new(output.stdout)))
                } else {
                    Err(KeyError::KeyCommandStatus {
                        status: output.status,
                        stderr: std::str::from_utf8(&output.stderr)
                            .unwrap_or_default()
                            .trim_end()
                            .into(),
                    })
                }
            }
            KeySource::File(path) => {
                Ok(Box::new(File::open(path).await?))
            }
        }
    }

    pub fn dest_dir(&self) -> &Path { &self.dest_dir }
    pub fn user(&self) -> &str { &self.user }
    pub fn group(&self) -> &str { &self.group }
    pub fn permissions(&self) -> &str { &self.permissions }
    pub fn upload_at(&self) -> UploadAt { self.upload_at }
}

fn validate_unix_name(name: &str) -> Result<(), ValidationError> {
    let re = Regex::new(r"^[a-z][-a-z0-9]*$").unwrap();
    if re.is_match(name) {
        Ok(())
    } else {
        Err(ValidationError::new("Invalid user/group name"))
    }
}

fn validate_dest_dir(dir: &PathBuf) -> Result<(), ValidationError> {
    if dir.has_root() {
        Ok(())
    } else {
        Err(ValidationError::new("Secret key destination directory must be absolute"))
    }
}
Implement key upload from local file 2021-02-10 20:22:31 +02:00			`use std::{`
key: Serialize KeySource through an intermediate struct Well, still better than `if/else`-ing all the way. Also we definitely need unit tests. See #8. 2021-02-10 18:57:14 -08:00			`convert::TryFrom,`
Implement key upload from local file 2021-02-10 20:22:31 +02:00			`io::{self, Cursor},`
key: Make the key source better typed 2021-02-10 17:34:52 -08:00			`path::{Path, PathBuf},`
keyCommand: on error, do not upload key, report 2021-02-11 21:01:31 +02:00			`process::{ExitStatus, Stdio},`
Implement key upload from local file 2021-02-10 20:22:31 +02:00			`};`
Refactoring and deployment.keys implementation More refactoring of the deployment process, as well as an initial implementation of `deployment.keys`. Fixes #2. 2021-02-08 18:38:14 -08:00
			`use regex::Regex;`
Implement key upload from local file 2021-02-10 20:22:31 +02:00			`use serde::{Deserialize, Serialize};`
keyCommand: on error, do not upload key, report 2021-02-11 21:01:31 +02:00			`use snafu::Snafu;`
Add 'deployment.keys.<key>.keyCommand' support Fixes #3. 2021-02-10 18:08:47 -08:00			`use tokio::{`
			`fs::File,`
			`io::AsyncRead,`
			`process::Command,`
			`};`
Refactoring and deployment.keys implementation More refactoring of the deployment process, as well as an initial implementation of `deployment.keys`. Fixes #2. 2021-02-08 18:38:14 -08:00			`use validator::{Validate, ValidationError};`

keyCommand: on error, do not upload key, report 2021-02-11 21:01:31 +02:00			`#[non_exhaustive]`
			`#[derive(Debug, Snafu)]`
			`pub enum KeyError {`
			`#[snafu(display("I/O Error: {}", error))]`
			`IoError { error: io::Error },`
			`#[snafu(display("Key command failed: {}, stderr: {}", status, stderr))]`
			`KeyCommandStatus { status: ExitStatus, stderr: String },`
			`}`

			`impl From<std::io::Error> for KeyError {`
			`fn from(error: std::io::Error) -> Self {`
			`Self::IoError { error }`
			`}`
			`}`

key: Make the key source better typed 2021-02-10 17:34:52 -08:00			`#[derive(Debug, Clone, Serialize, Deserialize)]`
key: Serialize KeySource through an intermediate struct Well, still better than `if/else`-ing all the way. Also we definitely need unit tests. See #8. 2021-02-10 18:57:14 -08:00			`#[serde(try_from = "KeySources")]`
key: Make the key source better typed 2021-02-10 17:34:52 -08:00			`enum KeySource {`
			`#[serde(rename = "text")]`
			`Text(String),`

			`#[serde(rename = "keyCommand")]`
			`Command(Vec<String>),`

			`#[serde(rename = "keyFile")]`
			`File(PathBuf),`
			`}`

key: Serialize KeySource through an intermediate struct Well, still better than `if/else`-ing all the way. Also we definitely need unit tests. See #8. 2021-02-10 18:57:14 -08:00			`impl TryFrom<KeySources> for KeySource {`
			`type Error = String;`

			`fn try_from(ks: KeySources) -> Result<Self, Self::Error> {`
			`match (ks.text, ks.command, ks.file) {`
			`(Some(text), None, None) => {`
			`Ok(KeySource::Text(text))`
			`}`
			`(None, Some(command), None) => {`
			`Ok(KeySource::Command(command))`
			`}`
			`(None, None, Some(file)) => {`
			`Ok(KeySource::File(file))`
			`}`
			`x => {`
			`Err(format!("Somehow 0 or more than 1 key source was specified: {:?}", x))`
			`}`
			`}`
			`}`
			`}`

			`#[derive(Debug, Clone, Serialize, Deserialize)]`
			`struct KeySources {`
			`text: Option<String>,`

			`#[serde(rename = "keyCommand")]`
			`command: Option<Vec<String>>,`

			`#[serde(rename = "keyFile")]`
			`file: Option<PathBuf>,`
			`}`

Add `deployment.keys.<name>.uploadAt` This mirrors the functionality recently added in morph and allows for the uploading of keys after system profile activation. Fixes #10. 2021-08-24 23:25:46 -07:00			`/// When to upload a given key.`
			`#[derive(Debug, Copy, Clone, PartialEq, Serialize, Deserialize)]`
			`pub enum UploadAt {`
			`/// Before activating the system profile.`
			`#[serde(rename = "pre-activation")]`
			`PreActivation,`

			`/// After successfully activating the system profile.`
			`#[serde(rename = "post-activation")]`
			`PostActivation,`
			`}`

Refactoring and deployment.keys implementation More refactoring of the deployment process, as well as an initial implementation of `deployment.keys`. Fixes #2. 2021-02-08 18:38:14 -08:00			`#[derive(Debug, Clone, Validate, Serialize, Deserialize)]`
			`pub struct Key {`
key: Make the key source better typed 2021-02-10 17:34:52 -08:00			`#[serde(flatten)]`
			`source: KeySource,`

Refactoring and deployment.keys implementation More refactoring of the deployment process, as well as an initial implementation of `deployment.keys`. Fixes #2. 2021-02-08 18:38:14 -08:00			`#[validate(custom = "validate_dest_dir")]`
			`#[serde(rename = "destDir")]`
key: Make the key source better typed 2021-02-10 17:34:52 -08:00			`dest_dir: PathBuf,`

Refactoring and deployment.keys implementation More refactoring of the deployment process, as well as an initial implementation of `deployment.keys`. Fixes #2. 2021-02-08 18:38:14 -08:00			`#[validate(custom = "validate_unix_name")]`
key: Make the key source better typed 2021-02-10 17:34:52 -08:00			`user: String,`

Refactoring and deployment.keys implementation More refactoring of the deployment process, as well as an initial implementation of `deployment.keys`. Fixes #2. 2021-02-08 18:38:14 -08:00			`#[validate(custom = "validate_unix_name")]`
key: Make the key source better typed 2021-02-10 17:34:52 -08:00			`group: String,`

			`permissions: String,`
Add `deployment.keys.<name>.uploadAt` This mirrors the functionality recently added in morph and allows for the uploading of keys after system profile activation. Fixes #10. 2021-08-24 23:25:46 -07:00
			`#[serde(rename = "uploadAt")]`
			`upload_at: UploadAt,`
Refactoring and deployment.keys implementation More refactoring of the deployment process, as well as an initial implementation of `deployment.keys`. Fixes #2. 2021-02-08 18:38:14 -08:00			`}`

Implement key upload from local file 2021-02-10 20:22:31 +02:00			`impl Key {`
keyCommand: on error, do not upload key, report 2021-02-11 21:01:31 +02:00			`pub async fn reader(&'_ self) -> Result<Box<dyn AsyncRead + Send + Unpin + '_>, KeyError> {`
key: Make the key source better typed 2021-02-10 17:34:52 -08:00			`match &self.source {`
			`KeySource::Text(content) => {`
			`Ok(Box::new(Cursor::new(content)))`
			`}`
Add 'deployment.keys.<key>.keyCommand' support Fixes #3. 2021-02-10 18:08:47 -08:00			`KeySource::Command(command) => {`
			`let pathname = &command[0];`
			`let argv = &command[1..];`

keyCommand: on error, do not upload key, report 2021-02-11 21:01:31 +02:00			`let output = Command::new(pathname)`
Add 'deployment.keys.<key>.keyCommand' support Fixes #3. 2021-02-10 18:08:47 -08:00			`.args(argv)`
			`.stdin(Stdio::null())`
			`.stdout(Stdio::piped())`
keyCommand: on error, do not upload key, report 2021-02-11 21:01:31 +02:00			`.stderr(Stdio::piped())`
Add 'deployment.keys.<key>.keyCommand' support Fixes #3. 2021-02-10 18:08:47 -08:00			`.spawn()?`
keyCommand: on error, do not upload key, report 2021-02-11 21:01:31 +02:00			`.wait_with_output().await?;`

			`if output.status.success() {`
			`Ok(Box::new(Cursor::new(output.stdout)))`
			`} else {`
			`Err(KeyError::KeyCommandStatus {`
			`status: output.status,`
			`stderr: std::str::from_utf8(&output.stderr)`
			`.unwrap_or_default()`
			`.trim_end()`
			`.into(),`
			`})`
			`}`
key: Make the key source better typed 2021-02-10 17:34:52 -08:00			`}`
			`KeySource::File(path) => {`
			`Ok(Box::new(File::open(path).await?))`
			`}`
Implement key upload from local file 2021-02-10 20:22:31 +02:00			`}`
			`}`
key: Make the key source better typed 2021-02-10 17:34:52 -08:00
			`pub fn dest_dir(&self) -> &Path { &self.dest_dir }`
			`pub fn user(&self) -> &str { &self.user }`
key.rs: Fix typo (user -> group) Fixes #22. 2021-04-19 15:40:17 -07:00			`pub fn group(&self) -> &str { &self.group }`
key: Make the key source better typed 2021-02-10 17:34:52 -08:00			`pub fn permissions(&self) -> &str { &self.permissions }`
Add `deployment.keys.<name>.uploadAt` This mirrors the functionality recently added in morph and allows for the uploading of keys after system profile activation. Fixes #10. 2021-08-24 23:25:46 -07:00			`pub fn upload_at(&self) -> UploadAt { self.upload_at }`
Implement key upload from local file 2021-02-10 20:22:31 +02:00			`}`

Refactoring and deployment.keys implementation More refactoring of the deployment process, as well as an initial implementation of `deployment.keys`. Fixes #2. 2021-02-08 18:38:14 -08:00			`fn validate_unix_name(name: &str) -> Result<(), ValidationError> {`
			`let re = Regex::new(r"^[a-z][-a-z0-9]*$").unwrap();`
			`if re.is_match(name) {`
			`Ok(())`
			`} else {`
			`Err(ValidationError::new("Invalid user/group name"))`
			`}`
			`}`

			`fn validate_dest_dir(dir: &PathBuf) -> Result<(), ValidationError> {`
			`if dir.has_root() {`
			`Ok(())`
			`} else {`
			`Err(ValidationError::new("Secret key destination directory must be absolute"))`
			`}`
			`}`