Merge branch 'master' of git.shimun.net:shimun/ssh-cert-dist

2022-12-07 20:45:11 +01:00 · 2022-12-07 20:45:11 +01:00 · cd82dd9deb
commit cd82dd9deb
parent 4b8b946640 7b0a17dd54
7 changed files with 108 additions and 71 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -1496,6 +1496,7 @@ dependencies = [
 "rand_core 0.6.4",
 "rsa",
 "sec1",
+ "serde",
 "sha2 0.10.6",
 "signature",
 "ssh-encoding",
@ -1696,6 +1697,7 @@ dependencies = [
 "tower",
 "tower-layer",
 "tower-service",
+ "tracing",
 ]

 [[package]]
--- a/Cargo.toml
+++ b/Cargo.toml
@ -7,8 +7,9 @@ edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

 [features]
-default = [ "client", "reload" ]
+default = [ "client", "reload", "info" ]
 reload = []
+info = [ "axum/json", "ssh-key/serde" ]
 client = [ "dep:url", "dep:reqwest" ]


@ -24,7 +25,7 @@ ssh-key = { version = "0.5.1", features = ["ed25519", "p256", "p384", "rsa", "si
 thiserror = "1.0.37"
 tokio = { version = "1.22.0", features = ["io-std", "test-util", "tracing", "macros", "fs"] }
 tower = { version = "0.4.13", features = ["util"] }
-tower-http = { version = "0.3.4", features = ["map-request-body"] }
+tower-http = { version = "0.3.4", features = ["map-request-body", "trace"] }
 tracing = { version = "0.1.37", features = ["release_max_level_debug"] }
 tracing-subscriber = "0.3.16"
 url = { version = "2.3.1", optional = true }
--- a/modules/home-manager.nix
+++ b/modules/home-manager.nix
@ -1,38 +1,10 @@
 { config, pkgs, lib, ... }: with lib; let
  cfg = config.services.ssh-cert-dist;
-  directoryModule = { name, ... }: {
-    options = {
-      name = mkOption {
-        type = types.str;
-        default = last (splitString "/" name);
-      };
-      fetch = mkOption {
-        type = types.bool;
-        default = true;
-      };
-      upload = mkOption {
-        type = types.bool;
-        default = false;
-      };
-    };
-  };
 in
 {
-  options.services.ssh-cert-dist = {
-    enable = mkEnableOption "ssh-cert-dist";
-    endpoint = mkOption {
-      type = types.str;
-      description = "API endpoint url";
-    };
-    package = mkOption {
-      type = types.package;
-      default = pkgs.ssh-cert-dist;
-    };
-    directories = mkOption {
-      type = with types; attrsOf (submodule directoryModule);
-      default = { };
-    };
-  };
+  config.imports = [
+    ./options.nix
+  ];
  config.systemd.user.services = mkIf cfg.enable (mapAttrs'
    (path: options: {
      inherit (options) name; value = {
@ -41,7 +13,7 @@ in
        Environment = "RUST_LOG=debug";
        ExecStart = toString (pkgs.writeShellApplication {
          name = "ssh-cert-dist-${options.name}";
-          runtimeInputs = [ cfg.package ];
+          runtimeInputs = [ pkgs.ssh-cert-dist ];
          text = ''
            ${optionalString options.fetch ''
             ssh-cert-dist client fetch --cert-dir '${path}' --api-endpoint '${cfg.endpoint}' 
@ -56,20 +28,4 @@ in
    };
    })
    cfg.directories);
-
-  options.programs.ssh-cert-dist = {
-    enable = mkEnableOption "ssh-cert-dist";
-    package = mkOption {
-      type = types.package;
-      default = pkgs.ssh-cert-dist;
-    };
-    endpoint = mkOption {
-      type = types.str;
-      description = "API endpoint url";
-    };
-  };
-  config.home = let cfg = config.programs.ssh-cert-dist; in mkIf cfg.enable {
-    packages = [ cfg.package ];
-    sessionVariables.SSH_CD_API = cfg.endpoint;
-  };
 }
--- a/modules/nixos.nix
+++ b/modules/nixos.nix
@ -1,6 +1,5 @@
 { config, pkgs, lib, ... }: with lib; let
  cfg = config.services.ssh-cert-dist;
-  ca = if isPath cfg.ca then cfg.ca else pkgs.writeText "ssh-ca" cfg.ca;
 in
 {
  options.services.ssh-cert-dist = {
@ -18,7 +17,7 @@ in
      default = pkgs.ssh-cert-dist;
    };
    ca = mkOption {
-      type = with types; either str path;
+      type = types.path;
    };
    dataDir = mkOption {
      type = types.path;
@ -47,9 +46,9 @@ in
      environment = {
        SSH_CD_SOCKET_ADDRESS = "${cfg.host}:${toString cfg.port}";
        SSH_CD_CERT_DIR = cfg.dataDir;
-        SSH_CD_VALIDATE_EXPIRY = true;
-        SSH_CD_VALIDATE_SERIAL = false;
-        SSH_CD_CA = ca;
+        SSH_CD_VALIDATE_EXPIRY = "true";
+        SSH_CD_VALIDATE_SERIAL = "false";
+        SSH_CD_CA = cfg.ca;
        RUST_LOG = "debug";
      };
      serviceConfig = {
--- a/modules/options.nix
+++ b/modules/options.nix
@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }: with lib; let
+  directoryModule = { name, ... }: {
+    options = {
+      name = mkOption {
+        type = types.str;
+        default = last (splitString "/" name);
+      };
+      fetch = mkOption {
+        type = types.bool;
+        default = true;
+      };
+      upload = mkOption {
+        type = types.bool;
+        default = false;
+      };
+    };
+  };
+  endpointOption = mkOption {
+    type = types.str;
+    description = "API endpoint url";
+    default = "https://pki.shimun.net";
+  };
+
+
+in
+{
+  options = {
+    services.ssh-cert-dist = {
+      enable = mkEnableOption "ssh-cert-dist";
+      endpoint = endpointOption;
+      directories = mkOption {
+        type = with types; attrsOf (submodule directoryModule);
+        default = { };
+      };
+    };
+    programs.ssh-cert-dist = {
+      enable = mkEnableOption "ssh-cert-dist client";
+      endpoint = endpointOption;
+    };
+  };
+
+}
--- a/src/api.rs
+++ b/src/api.rs
@ -11,8 +11,8 @@ use crate::env_key;
 use anyhow::Context;
 use axum::body;
 use axum::extract::{Path, State};
-use axum::routing::post;
-use axum::{http::StatusCode, response::IntoResponse, Router};
+
+use axum::{http::StatusCode, response::IntoResponse, Json, Router};
 use axum_extra::routing::{
    RouterExt, // for `Router::typed_*`
    TypedPath,
@ -22,8 +22,8 @@ use serde::Deserialize;
 use ssh_key::{Certificate, PublicKey};
 use tokio::sync::Mutex;
 use tower::ServiceBuilder;
-use tower_http::ServiceBuilderExt;
-use tracing::{debug, instrument, trace};
+use tower_http::{trace::TraceLayer, ServiceBuilderExt};
+use tracing::{debug, trace};

 use self::extract::CertificateBody;

@ -133,9 +133,11 @@ pub async fn run(
    let app = Router::new()
        .typed_get(get_certs_identifier)
        .typed_put(put_cert_update)
-        .route("/certs/:identifier", post(post_certs_identifier))
+        .typed_get(get_cert_info)
+        .typed_post(post_certs_identifier)
        .fallback(fallback_404)
        .layer(ServiceBuilder::new().map_request_body(body::boxed))
+        .layer(TraceLayer::new_for_http())
        .with_state(state);

    // run our app with hyper
@ -193,7 +195,6 @@ pub struct GetCert {
 /// return Unauthorized with an challenge
 /// upon which the client will ssh-keysign
 /// the challenge an issue an post request
-#[instrument(skip_all, ret)]
 async fn get_certs_identifier(
    GetCert { identifier }: GetCert,
    State(ApiState { certs, .. }): State<ApiState>,
@ -205,9 +206,41 @@ async fn get_certs_identifier(
    Ok(cert.to_openssh().context("to openssh")?)
 }

+#[derive(TypedPath, Deserialize)]
+#[typed_path("/certs/:identifier/info")]
+pub struct GetCertInfo {
+    pub identifier: String,
+}
+
+#[cfg(feature = "info")]
+async fn get_cert_info(
+    GetCertInfo { identifier }: GetCertInfo,
+    State(ApiState { certs, .. }): State<ApiState>,
+) -> ApiResult<Json<Certificate>> {
+    let certs = certs.lock().await;
+    let cert = certs
+        .get(&identifier)
+        .ok_or(ApiError::CertificateNotFound)?;
+    Ok(Json(cert.clone()))
+}
+
+#[cfg(not(feature = "info"))]
+async fn get_cert_info(
+    GetCertInfo { identifier: _ }: GetCertInfo,
+    State(ApiState { certs: _, .. }): State<ApiState>,
+) -> ApiResult<()> {
+    unimplemented!()
+}
+
+#[derive(TypedPath, Deserialize)]
+#[typed_path("/certs/:identifier")]
+pub struct PostCertInfo {
+    pub identifier: String,
+}
+
 /// POST with signed challenge
-#[instrument(skip_all, ret)]
 async fn post_certs_identifier(
+    PostCertInfo { identifier: _ }: PostCertInfo,
    State(ApiState { .. }): State<ApiState>,
    Path(_identifier): Path<String>,
 ) -> ApiResult<String> {
@ -219,7 +252,6 @@ async fn post_certs_identifier(
 pub struct PutCert;

 /// Upload an cert with an higher serial than the previous
-#[instrument(skip_all, ret)]
 async fn put_cert_update(
    _: PutCert,
    State(ApiState {
@ -235,9 +267,17 @@ async fn put_cert_update(
    }): State<ApiState>,
    CertificateBody(cert): CertificateBody,
 ) -> ApiResult<String> {
+    let cert = {
+        let ca = ca.clone();
+        tokio::task::spawn_blocking(move || -> ApiResult<Certificate> {
+            let cert = cert;
            cert.validate(&[ca.fingerprint(Default::default())])
                .map_err(|_| ApiError::CertificateInvalid)?;
-    let _string_repr = cert.to_openssh();
+            Ok(cert)
+        })
+        .await
+        .context("signature verification")??
+    };
    let prev = load_cert_by_id(&cert_dir, &ca, cert.key_id()).await?;
    let mut prev_serial = 0;
    let serial = cert.serial();
--- a/src/client.rs
+++ b/src/client.rs
@ -1,4 +1,4 @@
-use anyhow::{bail};
+use anyhow::bail;
 use axum_extra::routing::TypedPath;
 use clap::{Args, Parser, Subcommand};
 use reqwest::{Client, StatusCode};
@ -13,10 +13,7 @@ use url::Url;
 use crate::api::PutCert;
 use crate::certs::load_cert;
 use crate::env_key;
-use crate::{
-    api::GetCert,
-    certs::{read_dir},
-};
+use crate::{api::GetCert, certs::read_dir};

 #[derive(Parser)]
 pub struct ClientArgs {