Use install-action for installing just

wiktor-k · wiktor-k · commit 81105ce8767d · 2024-05-06T11:16:52.000+02:00
See: casey/just#2013 Signed-off-by: Wiktor Kwapisiewicz <wiktor@metacode.biz>
diff --git a/.github/workflows/misc.yml b/.github/workflows/misc.yml
@@ -27,7 +27,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
-      - run: cargo install --locked just
+      - uses: taiki-e/install-action@just
       - run: just install-packages
       # If the example doesn't compile the integration test will
       # be stuck. Check for compilation issues earlier to abort the job
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -32,7 +32,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
-      - uses: wiktor-k/setup-just@v1
+      - uses: taiki-e/install-action@just
       - run: rustup install nightly
       - run: rustup component add rustfmt --toolchain nightly
       - name: Check formatting
@@ -49,7 +49,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
-      - uses: wiktor-k/setup-just@v1
+      - uses: taiki-e/install-action@just
       - run: just install-packages
       - name: Run unit tests
         run: just tests
@@ -73,7 +73,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
-      - uses: wiktor-k/setup-just@v1
+      - uses: taiki-e/install-action@just
       - run: just install-packages
       - name: Check for lints
         run: just lints
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -57,3 +57,5 @@ rstest = "0.18.2"
 openpgp-card = "0.4.2"
 card-backend-pcsc = "0.5.0"
 clap = { version = "4.5.4", features = ["derive"] }
+secrecy = "0.8.0"
+retainer = "0.3.0"
diff --git a/examples/openpgp-card-agent.rs b/examples/openpgp-card-agent.rs
@@ -14,10 +14,7 @@
 //! - storing PIN for one of the cards: `SSH_AUTH_SOCK=/tmp/sock ssh-add -s 0006:15422467` (the agent will validate the PIN before storing it)
 //! - and that's it! You can use the agent to login to your SSH servers.
 
-use std::{
-    collections::HashMap,
-    sync::{Arc, Mutex},
-};
+use std::{sync::Arc, time::Duration};
 
 use card_backend_pcsc::PcscBackend;
 use clap::Parser;
@@ -26,11 +23,13 @@ use openpgp_card::{
     crypto_data::{EccType, PublicKeyMaterial},
     Card, KeyType,
 };
+use retainer::{Cache, CacheExpiration};
+use secrecy::{ExposeSecret, SecretString};
 use service_binding::Binding;
 use ssh_agent_lib::{
     agent::Session,
     error::AgentError,
-    proto::{Identity, SignRequest, SmartcardKey},
+    proto::{AddSmartcardKeyConstrained, Identity, KeyConstraint, SignRequest, SmartcardKey},
     Agent,
 };
 use ssh_key::{
@@ -39,9 +38,17 @@ use ssh_key::{
 };
 use testresult::TestResult;
 
-#[derive(Default)]
 struct CardAgent {
-    pwds: Arc<Mutex<HashMap<String, String>>>,
+    pwds: Arc<Cache<String, SecretString>>,
+}
+
+impl CardAgent {
+    pub fn new() -> Self {
+        let pwds: Arc<Cache<String, SecretString>> = Arc::new(Default::default());
+        let clone = Arc::clone(&pwds);
+        tokio::spawn(async move { clone.monitor(4, 0.25, Duration::from_secs(3)).await });
+        Self { pwds }
+    }
 }
 
 impl Agent for CardAgent {
@@ -53,7 +60,74 @@ impl Agent for CardAgent {
 }
 
 struct CardSession {
-    pwds: Arc<Mutex<HashMap<String, String>>>,
+    pwds: Arc<Cache<String, SecretString>>,
+}
+
+impl CardSession {
+    async fn handle_sign(
+        &self,
+        request: SignRequest,
+    ) -> Result<ssh_key::Signature, Box<dyn std::error::Error + Send + Sync>> {
+        let cards = PcscBackend::cards(None).map_err(AgentError::other)?;
+        for card in cards {
+            let mut card = Card::new(card?)?;
+            let mut tx = card.transaction()?;
+            let ident = tx.application_identifier()?.ident();
+            if let PublicKeyMaterial::E(e) = tx.public_key(KeyType::Authentication)? {
+                if let AlgorithmAttributes::Ecc(ecc) = e.algo() {
+                    if ecc.ecc_type() == EccType::EdDSA {
+                        let pubkey = KeyData::Ed25519(Ed25519PublicKey(e.data().try_into()?));
+                        if pubkey == request.pubkey {
+                            let pin = self.pwds.get(&ident).await;
+                            return if let Some(pin) = pin {
+                                tx.verify_pw1_user(pin.expose_secret().as_bytes())?;
+                                let signature = tx.internal_authenticate(request.data.clone())?;
+
+                                Ok(Signature::new(Algorithm::Ed25519, signature)?)
+                            } else {
+                                // no pin saved, use "ssh-add -s ..."
+                                Err(std::io::Error::other("no pin saved").into())
+                            };
+                        }
+                    }
+                }
+            }
+        }
+        Err(std::io::Error::other("no applicable card found").into())
+    }
+
+    async fn handle_add_smartcard_key(
+        &mut self,
+        key: SmartcardKey,
+        expiration: impl Into<CacheExpiration>,
+    ) -> Result<(), AgentError> {
+        match PcscBackend::cards(None) {
+            Ok(cards) => {
+                let card_pin_matches = cards
+                    .flat_map(|card| {
+                        let mut card = Card::new(card?)?;
+                        let mut tx = card.transaction()?;
+                        let ident = tx.application_identifier()?.ident();
+                        if ident == key.id {
+                            tx.verify_pw1_user(key.pin.as_bytes())?;
+                            Ok::<_, Box<dyn std::error::Error>>(true)
+                        } else {
+                            Ok(false)
+                        }
+                    })
+                    .any(|x| x);
+                if card_pin_matches {
+                    self.pwds.insert(key.id, key.pin.into(), expiration).await;
+                    Ok(())
+                } else {
+                    Err(AgentError::IO(std::io::Error::other(
+                        "Card/PIN combination is not valid",
+                    )))
+                }
+            }
+            Err(error) => Err(AgentError::other(error)),
+        }
+    }
 }
 
 #[ssh_agent_lib::async_trait]
@@ -87,70 +161,32 @@ impl Session for CardSession {
     }
 
     async fn add_smartcard_key(&mut self, key: SmartcardKey) -> Result<(), AgentError> {
-        match PcscBackend::cards(None) {
-            Ok(cards) => {
-                let card_pin_matches = cards
-                    .flat_map(|card| {
-                        let mut card = Card::new(card?)?;
-                        let mut tx = card.transaction()?;
-                        let ident = tx.application_identifier()?.ident();
-                        if ident == key.id {
-                            tx.verify_pw1_user(key.pin.as_bytes())?;
-                            Ok::<_, Box<dyn std::error::Error>>(true)
-                        } else {
-                            Ok(false)
-                        }
-                    })
-                    .any(|x| x);
-                if card_pin_matches {
-                    self.pwds
-                        .lock()
-                        .expect("lock not to be poisoned")
-                        .insert(key.id, key.pin);
-                    Ok(())
-                } else {
-                    Err(AgentError::IO(std::io::Error::other(
-                        "Card/PIN combination is not valid",
-                    )))
-                }
-            }
-            Err(error) => Err(AgentError::other(error)),
+        self.handle_add_smartcard_key(key, CacheExpiration::none())
+            .await
+    }
+
+    async fn add_smartcard_key_constrained(
+        &mut self,
+        key: AddSmartcardKeyConstrained,
+    ) -> Result<(), AgentError> {
+        if key.constraints.len() > 1 {
+            return Err(AgentError::other(std::io::Error::other(
+                "Only one lifetime constraint supported.",
+            )));
         }
+        let expiration_in_seconds = if let KeyConstraint::Lifetime(seconds) = key.constraints[0] {
+            Duration::from_secs(seconds as u64)
+        } else {
+            return Err(AgentError::other(std::io::Error::other(
+                "Only one lifetime constraint supported.",
+            )));
+        };
+        self.handle_add_smartcard_key(key.key, expiration_in_seconds)
+            .await
     }
 
     async fn sign(&mut self, request: SignRequest) -> Result<Signature, AgentError> {
-        let cards = PcscBackend::cards(None).map_err(AgentError::other)?;
-        cards
-            .flat_map(|card| -> Result<_, Box<dyn std::error::Error>> {
-                let mut card = Card::new(card?)?;
-                let mut tx = card.transaction()?;
-                let ident = tx.application_identifier()?.ident();
-                if let PublicKeyMaterial::E(e) = tx.public_key(KeyType::Authentication)? {
-                    if let AlgorithmAttributes::Ecc(ecc) = e.algo() {
-                        if ecc.ecc_type() == EccType::EdDSA {
-                            let pubkey = KeyData::Ed25519(Ed25519PublicKey(e.data().try_into()?));
-                            if pubkey == request.pubkey {
-                                let pwds = self.pwds.lock().expect("mutex not to be poisoned");
-                                let pin = pwds.get(&ident);
-                                return if let Some(pin) = pin {
-                                    tx.verify_pw1_user(pin.as_bytes())?;
-                                    let signature =
-                                        tx.internal_authenticate(request.data.clone())?;
-
-                                    Ok(Signature::new(Algorithm::Ed25519, signature))
-                                } else {
-                                    // no pin saved, use "ssh-add -s ..."
-                                    Err(std::io::Error::other("no pin saved").into())
-                                };
-                            }
-                        }
-                    }
-                }
-                Err(std::io::Error::other("no applicable card found").into())
-            })
-            .flatten()
-            .next()
-            .ok_or(std::io::Error::other("no applicable card found").into())
+        self.handle_sign(request).await.map_err(AgentError::Other)
     }
 }
 
@@ -162,7 +198,9 @@ struct Args {
 
 #[tokio::main]
 async fn main() -> TestResult {
+    env_logger::init();
+
     let args = Args::parse();
-    CardAgent::default().bind(args.host.try_into()?).await?;
+    CardAgent::new().bind(args.host.try_into()?).await?;
     Ok(())
 }
