bump version to 0.6.0

package.json

@@ -1,6 +1,6 @@
 {
   "name": "creddy",
-  "version": "0.5.4",
+  "version": "0.6.0",
   "scripts": {
     "dev": "vite",
     "build": "vite build",

src-tauri/Cargo.lock

@@ -1241,7 +1241,7 @@ dependencies = [
 
 [[package]]
 name = "creddy"
-version = "0.5.4"
+version = "0.6.0"
 dependencies = [
  "argon2",
  "auto-launch",
@@ -1287,7 +1287,7 @@ dependencies = [
 
 [[package]]
 name = "creddy_cli"
-version = "0.5.4"
+version = "0.6.0"
 dependencies = [
  "anyhow",
  "clap",

src-tauri/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "creddy"
-version = "0.5.4"
+version = "0.6.0"
 description = "A friendly AWS credentials manager"
 authors = ["Joseph Montanaro"]
 license = ""

src-tauri/creddy_cli/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "creddy_cli"
-version = "0.5.4"
+version = "0.6.0"
 edition = "2021"
 
 [dependencies]

src-tauri/creddy_cli/src/cli/docker.rs

@@ -0,0 +1,53 @@
+use std::io::{self, Read};
+
+use anyhow::bail;
+
+use crate::proto::{CliResponse, DockerCredential};
+use super::{
+    CliCredential,
+    CliRequest,
+    GlobalArgs
+};
+
+
+pub fn docker_store(global_args: GlobalArgs) -> anyhow::Result<()> {
+    let input: DockerCredential = serde_json::from_reader(io::stdin())?;
+
+    let req = CliRequest::StoreDockerCredential(input);
+
+    match super::make_request(global_args.server_addr, &req)?? {
+        CliResponse::Empty => Ok(()),
+        r => bail!("Unexpected response from server: {r}"),
+    }
+}
+
+
+pub fn docker_get(global_args: GlobalArgs) -> anyhow::Result<()> {
+    let mut server_url = String::new();
+    io::stdin().read_to_string(&mut server_url)?;
+    let req = CliRequest::GetDockerCredential {
+       server_url: server_url.trim().to_owned()
+    };
+
+    match super::make_request(global_args.server_addr, &req)?? {
+        CliResponse::Credential(CliCredential::Docker(d)) => {
+            println!("{}", serde_json::to_string(&d)?);
+        },
+        r => bail!("Unexpected response from server: {r}"),
+    }
+    Ok(())
+}
+
+
+pub fn docker_erase(global_args: GlobalArgs) -> anyhow::Result<()> {
+    let mut server_url = String::new();
+    io::stdin().read_to_string(&mut server_url)?;
+    let req = CliRequest::EraseDockerCredential {
+        server_url: server_url.trim().to_owned()
+    };
+
+    match super::make_request(global_args.server_addr, &req)?? {
+        CliResponse::Empty => Ok(()),
+        r => bail!("Unexpected response from server: {r}"),
+    }
+}

src-tauri/creddy_cli/src/cli/mod.rs

@@ -22,6 +22,8 @@ use crate::proto::{
     ShortcutAction,
 };
 
+mod docker;
+
 
 #[derive(Debug, Parser)]
 #[command(
@@ -70,6 +72,9 @@ pub enum Action {
     Exec(ExecArgs),
     /// Invoke an action normally triggered by hotkey (e.g. launch terminal)
     Shortcut(InvokeArgs),
+    /// Interact with Docker credentials via the docker-credential-helper protocol
+    #[command(subcommand)]
+    Docker(DockerCmd),
 }
 
 
@@ -101,8 +106,19 @@ pub struct InvokeArgs {
 }
 
 
+#[derive(Debug, Subcommand)]
+pub enum DockerCmd {
+    /// Get a stored Docker credential
+    Get,
+    /// Store a new Docker credential
+    Store,
+    /// Remove a stored Docker credential
+    Erase,
+}
+
+
 pub fn get(args: GetArgs, global: GlobalArgs) -> anyhow::Result<()> {
-    let req = CliRequest::GetCredential {
+    let req = CliRequest::GetAwsCredential {
         name: args.name,
         base: args.base,
     };
@@ -129,7 +145,7 @@ pub fn exec(args: ExecArgs, global: GlobalArgs) -> anyhow::Result<()> {
     let mut cmd = ChildCommand::new(cmd_name);
     cmd.args(cmd_line);
 
-    let req = CliRequest::GetCredential {
+    let req = CliRequest::GetAwsCredential {
         name: args.get_args.name,
         base: args.get_args.base,
     };
@@ -177,7 +193,7 @@ pub fn exec(args: ExecArgs, global: GlobalArgs) -> anyhow::Result<()> {
 
 
 pub fn invoke_shortcut(args: InvokeArgs, global: GlobalArgs) -> anyhow::Result<()> {
-    let req = CliRequest::InvokeShortcut(args.shortcut_action);
+    let req = CliRequest::InvokeShortcut{action: args.shortcut_action};
     match make_request(global.server_addr, &req)?? {
         CliResponse::Empty => Ok(()),
         r => bail!("Unexpected response from server: {r}"),
@@ -185,10 +201,20 @@ pub fn invoke_shortcut(args: InvokeArgs, global: GlobalArgs) -> anyhow::Result<(
 }
 
 
+pub fn docker_credential_helper(cmd: DockerCmd, global_args: GlobalArgs) -> anyhow::Result<()> {
+    match cmd {
+        DockerCmd::Get => docker::docker_get(global_args),
+        DockerCmd::Store => docker::docker_store(global_args),
+        DockerCmd::Erase => docker::docker_erase(global_args),
+    }
+}
+
+
 // Explanation for double-result: the server will return a (serialized) Result
 // to indicate when the operation succeeded or failed, which we deserialize.
 // However, the operation may fail to even communicate with the server, in
 // which case we return the outer Result
+// (probably this should be modeled differently)
 #[tokio::main]
 async fn make_request(
     addr: Option<PathBuf>,

src-tauri/creddy_cli/src/lib.rs

@@ -5,6 +5,7 @@ pub use cli::{
     exec,
     get,
     invoke_shortcut,
+    docker_credential_helper,
 };
 
 pub(crate) use platform::connect;

src-tauri/creddy_cli/src/main.rs

@@ -11,6 +11,7 @@ fn main() {
         Some(Action::Get(args)) => creddy_cli::get(args, cli.global_args),
         Some(Action::Exec(args)) => creddy_cli::exec(args, cli.global_args),
         Some(Action::Shortcut(args)) => creddy_cli::invoke_shortcut(args, cli.global_args),
+        Some(Action::Docker(cmd)) => creddy_cli::docker_credential_helper(cmd, cli.global_args),
     };
 
     if let Err(e) = res {

src-tauri/creddy_cli/src/proto.rs

@@ -9,12 +9,22 @@ use serde::{Serialize, Deserialize};
 
 
 #[derive(Debug, Serialize, Deserialize)]
+#[serde(tag = "type")]
 pub enum CliRequest {
-    GetCredential {
+    GetAwsCredential {
         name: Option<String>,
         base: bool,
     },
-    InvokeShortcut(ShortcutAction),
+    GetDockerCredential {
+        server_url: String,
+    },
+    StoreDockerCredential(DockerCredential),
+    EraseDockerCredential {
+        server_url: String,
+    },
+    InvokeShortcut{
+        action: ShortcutAction,
+    },
 }
 
 
@@ -36,6 +46,7 @@ impl Display for CliResponse {
         match self {
             CliResponse::Credential(CliCredential::AwsBase(_)) => write!(f, "Credential (AwsBase)"),
             CliResponse::Credential(CliCredential::AwsSession(_)) => write!(f, "Credential (AwsSession)"),
+            CliResponse::Credential(CliCredential::Docker(_)) => write!(f, "Credential (Docker)"),
             CliResponse::Empty => write!(f, "Empty"),
         }
     }
@@ -46,6 +57,7 @@ impl Display for CliResponse {
 pub enum CliCredential {
     AwsBase(AwsBaseCredential),
     AwsSession(AwsSessionCredential),
+    Docker(DockerCredential),
 }
 
 
@@ -75,6 +87,16 @@ pub struct AwsSessionCredential {
 fn default_aws_version() -> usize { 1 }
 
 
+#[derive(Debug, Eq, PartialEq, Serialize, Deserialize)]
+#[serde(rename_all = "PascalCase")]
+pub struct DockerCredential {
+    #[serde(rename = "ServerURL")]
+    pub server_url: String,
+    pub username: String,
+    pub secret: String,
+}
+
+
 #[derive(Debug, Serialize, Deserialize)]
 pub struct ServerError {
     code: String,

src-tauri/migrations/20240919135710_docker_creds.sql

@@ -0,0 +1,12 @@
+CREATE TABLE docker_credentials (
+    id BLOB UNIQUE NOT NULL,
+    -- The Docker credential helper protocol only sends the server_url, so
+    -- we should guarantee that we will only ever have one matching credential.
+    -- Also, it's easier to go from unique -> not-unique than vice versa if we
+    -- decide that's necessary in the future
+    server_url TEXT UNIQUE NOT NULL,
+    username TEXT NOT NULL,
+    secret_enc BLOB NOT NULL,
+    nonce BLOB NOT NULL,
+    FOREIGN KEY(id) REFERENCES credentials(id) ON DELETE CASCADE
+);

src-tauri/src/clientinfo.rs

@@ -5,7 +5,8 @@ use sysinfo::{
     SystemExt,
     Pid,
     PidExt,
-    ProcessExt
+    ProcessExt,
+    UserExt,
 };
 use serde::{Serialize, Deserialize};
 
@@ -16,6 +17,7 @@ use crate::errors::*;
 pub struct Client {
     pub pid: u32,
     pub exe: Option<PathBuf>,
+    pub username: Option<String>,
 }
 
 
@@ -23,6 +25,8 @@ pub fn get_client(pid: u32, parent: bool) -> Result<Client, ClientInfoError> {
     let sys_pid = Pid::from_u32(pid);
     let mut sys = System::new();
     sys.refresh_process(sys_pid);
+    sys.refresh_users_list();
+
     let mut proc = sys.process(sys_pid)
         .ok_or(ClientInfoError::ProcessNotFound)?;
 
@@ -34,10 +38,15 @@ pub fn get_client(pid: u32, parent: bool) -> Result<Client, ClientInfoError> {
             .ok_or(ClientInfoError::ParentProcessNotFound)?;
     }
 
+    let username = proc.user_id()
+        .map(|uid| sys.get_user_by_id(uid))
+        .flatten()
+        .map(|u| u.name().to_owned());
+
     let exe = match proc.exe() {
         p if p == Path::new("") => None,
         p => Some(PathBuf::from(p)),
     };
 
-    Ok(Client { pid: proc.pid().as_u32(), exe })
+    Ok(Client { pid: proc.pid().as_u32(), exe, username })
 }

src-tauri/src/credentials/docker.rs

@@ -0,0 +1,196 @@
+use chacha20poly1305::XNonce;
+use serde::{Serialize, Deserialize};
+use sqlx::{
+    FromRow,
+    Sqlite,
+    Transaction,
+    types::Uuid,
+};
+
+use super::{Credential, Crypto, PersistentCredential};
+
+use crate::errors::*;
+
+
+#[derive(Debug, Clone, FromRow)]
+pub struct DockerRow {
+    id: Uuid,
+    server_url: String,
+    username: String,
+    secret_enc: Vec<u8>,
+    nonce: Vec<u8>,
+}
+
+
+#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
+#[serde(rename_all = "PascalCase")]
+pub struct DockerCredential {
+    #[serde(rename = "ServerURL")]
+    pub server_url: String,
+    pub username: String,
+    pub secret: String,
+}
+
+impl PersistentCredential for DockerCredential {
+    type Row = DockerRow;
+
+    fn type_name() -> &'static str { "docker" }
+
+    fn into_credential(self) -> Credential { Credential::Docker(self) }
+
+    fn row_id(row: &DockerRow) -> Uuid { row.id }
+
+    fn from_row(row: DockerRow, crypto: &Crypto) -> Result<Self, LoadCredentialsError> {
+        let nonce = XNonce::clone_from_slice(&row.nonce);
+        let secret_bytes = crypto.decrypt(&nonce, &row.secret_enc)?;
+        let secret = String::from_utf8(secret_bytes)
+            .map_err(|_| LoadCredentialsError::InvalidData)?;
+
+        Ok(DockerCredential {
+            server_url: row.server_url,
+            username: row.username,
+            secret
+        })
+    }
+
+    async fn save_details(&self, id: &Uuid, crypto: &Crypto, txn: &mut Transaction<'_, Sqlite>) -> Result<(), SaveCredentialsError> {
+        let (nonce, ciphertext) = crypto.encrypt(self.secret.as_bytes())?;
+        let nonce_bytes = &nonce.as_slice();
+
+        sqlx::query!(
+            "INSERT OR REPLACE INTO docker_credentials (
+                id,
+                server_url,
+                username,
+                secret_enc,
+                nonce
+            )
+            VALUES (?, ?, ?, ?, ?)",
+            id, self.server_url, self.username, ciphertext, nonce_bytes,
+        ).execute(&mut **txn).await?;
+
+        Ok(())
+    }
+}
+
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::credentials::CredentialRecord;
+    use creddy_cli::proto::DockerCredential as CliDockerCredential;
+    use sqlx::SqlitePool;
+    use sqlx::types::uuid::uuid;
+
+
+
+    fn test_credential() -> DockerCredential {
+        DockerCredential {
+            server_url: "https://registry.jfmonty2.com".into(),
+            username: "joe@jfmonty2.com".into(),
+            secret: "correct horse battery staple".into(),
+        }
+    }
+
+    fn test_credential_2() -> DockerCredential {
+        DockerCredential {
+            server_url: "https://index.docker.io/v1".into(),
+            username: "test@example.com".into(),
+            secret: "a very secure passphrase".into(),
+        }
+    }
+
+    fn test_record() -> CredentialRecord {
+        CredentialRecord {
+            id: uuid!("00000000-0000-0000-0000-000000000000"),
+            name: "docker_test".into(),
+            is_default: false,
+            credential: Credential::Docker(test_credential()),
+        }
+    }
+
+    fn test_record_2() -> CredentialRecord {
+        CredentialRecord {
+            id: uuid!("ffffffff-ffff-ffff-ffff-ffffffffffff"),
+            name: "docker_test_2".into(),
+            is_default: false,
+            credential: Credential::Docker(test_credential_2()),
+        }
+    }
+
+
+    #[sqlx::test]
+    fn test_save(pool: SqlitePool) {
+        let crypt = Crypto::random();
+        test_record().save(&crypt, &pool).await
+            .expect("Failed to save record");
+    }
+
+    #[sqlx::test(fixtures("docker_credentials"))]
+    fn test_load(pool: SqlitePool) {
+        let crypt = Crypto::fixed();
+        let id = uuid!("00000000-0000-0000-0000-000000000000");
+        let loaded = DockerCredential::load(&id, &crypt, &pool).await
+            .expect("Failed to load record");
+
+        assert_eq!(test_credential(), loaded);
+    }
+
+    #[sqlx::test(fixtures("docker_credentials"))]
+    async fn test_overwrite(pool: SqlitePool) {
+        let crypt = Crypto::fixed();
+        let mut record = test_record_2();
+        // give it the same id as test_record so that it overwrites
+        let id = uuid!("00000000-0000-0000-0000-000000000000");
+        record.id = id;
+        record.save(&crypt, &pool).await
+            .expect("Failed to overwrite original record with second record");
+
+        let loaded = DockerCredential::load(&id, &crypt, &pool).await
+            .expect("Failed to load again after overwriting");
+
+        assert_eq!(test_credential_2(), loaded);
+    }
+
+    #[sqlx::test(fixtures("docker_credentials"))]
+    async fn test_list(pool: SqlitePool) {
+        let crypt = Crypto::fixed();
+        let records = CredentialRecord::list(&crypt, &pool).await
+            .expect("Failed to list credentials");
+
+        assert_eq!(test_record(), records[0]);
+    }
+
+
+    // make sure that CLI credentials and app credentials don't drift apart
+    #[test]
+    fn test_cli_to_app() {
+        let cli_creds = CliDockerCredential {
+            server_url: "https://registry.jfmonty2.com".into(),
+            username: "joe@jfmonty2.com".into(),
+            secret: "correct horse battery staple".into(),
+        };
+
+        let json = serde_json::to_string(&cli_creds).unwrap();
+        let computed: DockerCredential = serde_json::from_str(&json)
+            .expect("Failed to deserialize Docker credentials from CLI -> main app");
+
+        assert_eq!(test_credential(), computed);
+    }
+
+    #[test]
+    fn test_app_to_cli() {
+        let app_creds = test_credential();
+        let json = serde_json::to_string(&app_creds).unwrap();
+
+        let computed: CliDockerCredential = serde_json::from_str(&json)
+            .expect("Failed to deserialize Docker credentials from main app -> CLI");
+
+        let expected = CliDockerCredential {
+            server_url: "https://registry.jfmonty2.com".into(),
+            username: "joe@jfmonty2.com".into(),
+            secret: "correct horse battery staple".into(),
+        };
+        assert_eq!(expected, computed);
+    }
+}

src-tauri/src/credentials/fixtures/docker_credentials.sql

@@ -0,0 +1,11 @@
+INSERT INTO credentials (id, name, credential_type, is_default, created_at)
+VALUES (X'00000000000000000000000000000000', 'docker_test', 'docker', 0, 1726756380);
+
+INSERT INTO docker_credentials (id, server_url, username, secret_enc, nonce)
+VALUES (
+    X'00000000000000000000000000000000',
+    'https://registry.jfmonty2.com',
+    'joe@jfmonty2.com',
+    X'C0B36EE54539D4113A8F73E99FB96B2BF4D87E91F7C3B48256C07E83E3E7EC738888B2FDE2B4DB0BE48BEFDE',
+    X'C5F7F627BBE09A1BB275BE8D2390596C76143881A7766E60'
+);

src-tauri/src/credentials/mod.rs

@@ -17,6 +17,9 @@ pub use aws::{AwsBaseCredential, AwsSessionCredential};
 mod crypto;
 pub use crypto::Crypto;
 
+mod docker;
+pub use docker::DockerCredential;
+
 mod record;
 pub use record::CredentialRecord;
 
@@ -32,6 +35,7 @@ pub use ssh::SshKey;
 pub enum Credential {
     AwsBase(AwsBaseCredential),
     AwsSession(AwsSessionCredential),
+    Docker(DockerCredential),
     Ssh(SshKey),
 }
 
@@ -79,6 +83,23 @@ pub trait PersistentCredential: for<'a> Deserialize<'a> + Sized {
         Self::from_row(row, crypto)
     }
 
+    async fn load_by<T>(column: &str, value: T, crypto: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError>
+    where T: Send + for<'q> sqlx::Encode<'q, Sqlite> + sqlx::Type<Sqlite>
+    {
+        let query = format!(
+            "SELECT * FROM {} where {} = ?",
+            Self::table_name(),
+            column,
+        );
+        let row: Self::Row = sqlx::query_as(&query)
+            .bind(value)
+            .fetch_optional(pool)
+            .await?
+            .ok_or(LoadCredentialsError::NoCredentials)?;
+
+        Self::from_row(row, crypto)
+    }
+
     async fn load_default(crypto: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError> {
         let q = format!(
             "SELECT details.*
@@ -118,3 +139,10 @@ pub trait PersistentCredential: for<'a> Deserialize<'a> + Sized {
         Ok(creds)
     }
 }
+
+
+pub fn random_uuid() -> Uuid {
+    // a bit weird to use salt() for this, but it's convenient
+    let random_bytes = Crypto::salt();
+    Uuid::from_slice(&random_bytes[..16]).unwrap()
+}

src-tauri/src/credentials/record.rs

@@ -20,6 +20,7 @@ use super::{
     AwsBaseCredential,
     Credential,
     Crypto,
+    DockerCredential,
     PersistentCredential,
     SshKey,
 };
@@ -51,6 +52,7 @@ impl CredentialRecord {
         let type_name = match &self.credential {
             Credential::AwsBase(_) => AwsBaseCredential::type_name(),
             Credential::Ssh(_) => SshKey::type_name(),
+            Credential::Docker(_) => DockerCredential::type_name(),
             _ => return Err(SaveCredentialsError::NotPersistent),
         };
 
@@ -86,6 +88,7 @@ impl CredentialRecord {
         match &self.credential {
             Credential::AwsBase(b) => b.save_details(&self.id, crypto, &mut txn).await,
             Credential::Ssh(s) => s.save_details(&self.id, crypto, &mut txn).await,
+            Credential::Docker(d) => d.save_details(&self.id, crypto, &mut txn).await,
             _ => Err(SaveCredentialsError::NotPersistent),
         }?;
 
@@ -167,6 +170,11 @@ impl CredentialRecord {
                 .ok_or(LoadCredentialsError::InvalidData)?;
             records.push(Self::from_parts(parent, credential));
         }
+        for (id, credential) in DockerCredential::list(crypto, pool).await? {
+            let parent = parent_map.remove(&id)
+                .ok_or(LoadCredentialsError::InvalidData)?;
+            records.push(Self::from_parts(parent, credential));
+        }
 
         Ok(records)
     }

src-tauri/src/errors.rs

@@ -173,7 +173,7 @@ pub enum HandlerError {
     StreamIOError(#[from] std::io::Error),
     #[error("Received invalid UTF-8 in request")]
     InvalidUtf8(#[from] FromUtf8Error),
-    #[error("HTTP request malformed")]
+    #[error("Request malformed: {0}")]
     BadRequest(#[from] serde_json::Error),
     #[error("HTTP request too large")]
     RequestTooLarge,
@@ -183,6 +183,8 @@ pub enum HandlerError {
     Internal(#[from] RecvError),
     #[error("Error accessing credentials: {0}")]
     NoCredentials(#[from] GetCredentialsError),
+    #[error("Error saving credentials: {0}")]
+    SaveCredentials(#[from] SaveCredentialsError),
     #[error("Error getting client details: {0}")]
     ClientInfo(#[from] ClientInfoError),
     #[error("Error from Tauri: {0}")]

src-tauri/src/ipc.rs

@@ -14,9 +14,16 @@ use crate::state::AppState;
 use crate::terminal;
 
 
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub enum RequestAction {
+    Access,
+    Delete,
+    Save,
+}
+
+
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct AwsRequestNotification {
-    pub id: u64,
     pub client: Client,
     pub name: Option<String>,
     pub base: bool,
@@ -25,27 +32,47 @@ pub struct AwsRequestNotification {
 
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct SshRequestNotification {
-    pub id: u64,
     pub client: Client,
     pub key_name: String,
 }
 
 
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct DockerRequestNotification {
+    pub action: RequestAction,
+    pub client: Client,
+    pub server_url: String,
+}
+
+
 #[derive(Clone, Debug, Serialize, Deserialize)]
 #[serde(tag = "type")]
-pub enum RequestNotification {
+pub enum RequestNotificationDetail {
     Aws(AwsRequestNotification),
     Ssh(SshRequestNotification),
+    Docker(DockerRequestNotification),
 }
 
-impl RequestNotification {
-    pub fn new_aws(id: u64, client: Client, name: Option<String>, base: bool) -> Self {
-        Self::Aws(AwsRequestNotification {id, client, name, base})
+impl RequestNotificationDetail {
+    pub fn new_aws(client: Client, name: Option<String>, base: bool) -> Self {
+        Self::Aws(AwsRequestNotification {client, name, base})
     }
 
-    pub fn new_ssh(id: u64, client: Client, key_name: String) -> Self {
-        Self::Ssh(SshRequestNotification {id, client, key_name})
+    pub fn new_ssh(client: Client, key_name: String) -> Self {
+        Self::Ssh(SshRequestNotification {client, key_name})
     }
+
+    pub fn new_docker(action: RequestAction, client: Client, server_url: String) -> Self {
+        Self::Docker(DockerRequestNotification {action, client, server_url})
+    }
+}
+
+
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct RequestNotification {
+    pub id: u64,
+    #[serde(flatten)]
+    pub detail: RequestNotificationDetail,
 }
 
 

src-tauri/src/main.rs

@@ -21,6 +21,7 @@ fn main() {
         Some(Action::Get(args)) => creddy_cli::get(args, cli.global_args),
         Some(Action::Exec(args)) => creddy_cli::exec(args, cli.global_args),
         Some(Action::Shortcut(args)) => creddy_cli::invoke_shortcut(args, cli.global_args),
+        Some(Action::Docker(cmd)) => creddy_cli::docker_credential_helper(cmd, cli.global_args),
     };
 
     if let Err(e) = res {

src-tauri/src/srv/agent.rs

@@ -6,12 +6,11 @@ use ssh_agent_lib::proto::message::{
 };
 use tauri::{AppHandle, Manager};
 use tokio_stream::StreamExt;
-use tokio::sync::oneshot;
 use tokio_util::codec::Framed;
 
 use crate::clientinfo;
 use crate::errors::*;
-use crate::ipc::{Approval, RequestNotification};
+use crate::ipc::{Approval, RequestNotificationDetail};
 use crate::state::AppState;
 
 use super::{CloseWaiter, Stream};
@@ -69,47 +68,21 @@ async fn sign_request(
     req: SignRequest,
     app_handle: AppHandle,
     client_pid: u32,
-    mut waiter: CloseWaiter<'_>,
+    waiter: CloseWaiter<'_>,
 ) -> Result<Message, HandlerError> {
     let state = app_handle.state::<AppState>();
-        let rehide_ms = {
-        let config = state.config.read().await;
-        config.rehide_ms
-    };
+
     let client = clientinfo::get_client(client_pid, false)?;
-    let lease = state.acquire_visibility_lease(rehide_ms).await
-        .map_err(|_e| HandlerError::NoMainWindow)?;
-
-    let (chan_send, chan_recv) = oneshot::channel();
-    let request_id = state.register_request(chan_send).await;
-
-    let proceed = async {
     let key_name = state.ssh_name_from_pubkey(&req.pubkey_blob).await?;
-        let notification = RequestNotification::new_ssh(request_id, client, key_name.clone());
-        app_handle.emit("credential-request", &notification)?;
-
-        let response = tokio::select! {
-            r = chan_recv => r?,
-            _ = waiter.wait_for_close() => {
-                app_handle.emit("request-cancelled", request_id)?;
-                return Err(HandlerError::Abandoned);
-            },
-        };
-
-        if let Approval::Denied = response.approval {
-            return Ok(Message::Failure);
-        }
+    let detail = RequestNotificationDetail::new_ssh(client, key_name.clone());
 
+    let response = super::send_credentials_request(detail, app_handle.clone(), waiter).await?;
+    match response.approval {
+        Approval::Approved => {
             let key = state.sshkey_by_name(&key_name).await?;
             let sig = key.sign_request(&req)?;
             Ok(Message::SignResponse(sig))
-    };
-
-    let res = proceed.await;
-    if let Err(_) = &res {
-        state.unregister_request(request_id).await;
+        },
+        Approval::Denied => Err(HandlerError::Abandoned),
     }
-
-    lease.release();
-    res
 }

src-tauri/src/srv/creddy_server.rs

@@ -1,10 +1,19 @@
 use tauri::{AppHandle, Manager};
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
-use tokio::sync::oneshot;
 
 use crate::clientinfo::{self, Client};
+use crate::credentials::{
+    self,
+    Credential,
+    CredentialRecord,
+    DockerCredential,
+};
 use crate::errors::*;
-use crate::ipc::{Approval, RequestNotification};
+use crate::ipc::{
+    Approval,
+    RequestAction,
+    RequestNotificationDetail
+};
 use crate::shortcuts::{self, ShortcutAction};
 use crate::state::AppState;
 use super::{
@@ -46,10 +55,19 @@ async fn handle(
 
     let req: CliRequest = serde_json::from_slice(&buf)?;
     let res = match req {
-        CliRequest::GetCredential{ name, base } => get_aws_credentials(
+        CliRequest::GetAwsCredential{ name, base } => get_aws_credentials(
             name, base, client, app_handle, waiter
         ).await,
-        CliRequest::InvokeShortcut(action) => invoke_shortcut(action).await,
+        CliRequest::GetDockerCredential{ server_url } => get_docker_credential (
+            server_url, client, app_handle, waiter
+        ).await,
+        CliRequest::StoreDockerCredential(docker_credential) => store_docker_credential(
+             docker_credential, app_handle, client, waiter
+        ).await,
+        CliRequest::EraseDockerCredential { server_url } => erase_docker_credential(
+            server_url, app_handle, client, waiter
+        ).await,
+        CliRequest::InvokeShortcut{ action } => invoke_shortcut(action).await,
     };
 
     // doesn't make sense to send the error to the client if the client has already left
@@ -74,38 +92,13 @@ async fn get_aws_credentials(
     base: bool,
     client: Client,
     app_handle: AppHandle,
-    mut waiter: CloseWaiter<'_>,
+    waiter: CloseWaiter<'_>,
 ) -> Result<CliResponse, HandlerError> {
-    let state = app_handle.state::<AppState>();
-    let rehide_ms = {
-        let config = state.config.read().await;
-        config.rehide_ms
-    };
-    let lease = state.acquire_visibility_lease(rehide_ms).await
-        .map_err(|_e| HandlerError::NoMainWindow)?; // automate this conversion eventually?
-
-    let (chan_send, chan_recv) = oneshot::channel();
-    let request_id = state.register_request(chan_send).await;
-
-    // if an error occurs in any of the following, we want to abort the operation
-    // but ? returns immediately, and we want to unregister the request before returning
-    // so we bundle it all up in an async block and return a Result so we can handle errors
-    let proceed = async {
-        let notification = RequestNotification::new_aws(
-            request_id, client, name.clone(), base
-        );
-        app_handle.emit("credential-request", &notification)?;
-
-        let response = tokio::select! {
-            r = chan_recv => r?,
-            _ = waiter.wait_for_close() => {
-                app_handle.emit("request-cancelled", request_id)?;
-                return Err(HandlerError::Abandoned);
-            },
-        };
-
+    let detail = RequestNotificationDetail::new_aws(client, name.clone(), base);
+    let response = super::send_credentials_request(detail, app_handle.clone(), waiter).await?;
     match response.approval {
         Approval::Approved => {
+            let state = app_handle.state::<AppState>();
             if response.base {
                 let creds = state.get_aws_base(name).await?;
                 Ok(CliResponse::Credential(CliCredential::AwsBase(creds)))
@@ -117,16 +110,114 @@ async fn get_aws_credentials(
         },
         Approval::Denied => Err(HandlerError::Denied),
     }
-    };
-
-    let result = match proceed.await {
-        Ok(r) => Ok(r),
-        Err(e) => {
-            state.unregister_request(request_id).await;
-            Err(e)
-        },
-    };
-
-    lease.release();
-    result
+}
+
+async fn get_docker_credential(
+    server_url: String,
+    client: Client,
+    app_handle: AppHandle,
+    waiter: CloseWaiter<'_>,
+) -> Result<CliResponse, HandlerError> {
+    let state = app_handle.state::<AppState>();
+    let meta = state.docker_credential_meta(&server_url).await.unwrap_or(None);
+    if  meta.is_none() {
+        return Err(
+            HandlerError::NoCredentials(
+                GetCredentialsError::Load(
+                    LoadCredentialsError::NoCredentials
+                )
+            )
+        );
+    }
+
+    let detail = RequestNotificationDetail::new_docker(
+        RequestAction::Access,
+        client,
+        server_url.clone()
+    );
+    let response = super::send_credentials_request(detail, app_handle.clone(), waiter).await?;
+    match response.approval {
+        Approval::Approved => {
+            let creds = state.get_docker_credential(&server_url).await?;
+            Ok(CliResponse::Credential(CliCredential::Docker(creds)))
+        },
+        Approval::Denied => {
+            Err(HandlerError::Denied)
+        },
+    }
+}
+
+async fn store_docker_credential(
+    docker_credential: DockerCredential,
+    app_handle: AppHandle,
+    client: Client,
+    waiter: CloseWaiter<'_>,
+) -> Result<CliResponse, HandlerError> {
+    let state = app_handle.state::<AppState>();
+
+    // We want to do this before asking for confirmation from the user, because Docker has an annoying
+    // habit of calling `get` and then immediately turning around and calling `store` with the same
+    // data. In that case we want to avoid asking for confirmation at all.
+    match state.get_docker_credential(&docker_credential.server_url).await {
+        // if there is already a credential with this server_url, and it is unchanged, we're done
+        Ok(c) if c == docker_credential => return Ok(CliResponse::Empty),
+        // otherwise we are making an update, so proceed
+        Ok(_) => (),
+        // if the app is locked, then this isn't the situation described above, so proceed
+        Err(GetCredentialsError::Locked) => (),
+        // if the app is unlocked, and there is no matching credential, proceed
+        Err(GetCredentialsError::Load(LoadCredentialsError::NoCredentials)) => (),
+        // any other error is a failure
+        Err(e) => return Err(e.into()),
+    };
+
+    let detail = RequestNotificationDetail::new_docker(
+        RequestAction::Save,
+        client,
+        docker_credential.server_url.clone(),
+    );
+    let response = super::send_credentials_request(detail, app_handle.clone(), waiter).await?;
+    if matches!(response.approval, Approval::Denied) {
+        return Err(HandlerError::Denied);
+    }
+
+    let (id, name) = state.docker_credential_meta(&docker_credential.server_url)
+        .await
+        .map_err(|e| GetCredentialsError::Load(e))?
+        .unwrap_or_else(|| (credentials::random_uuid(), docker_credential.server_url.clone()));
+
+    let record = CredentialRecord {
+        id,
+        name,
+        is_default: false,
+        credential: Credential::Docker(docker_credential)
+    };
+    state.save_credential(record).await?;
+
+    Ok(CliResponse::Empty)
+}
+
+async fn erase_docker_credential(
+    server_url: String,
+    app_handle: AppHandle,
+    client: Client,
+    waiter: CloseWaiter<'_>
+) -> Result<CliResponse, HandlerError> {
+    let state = app_handle.state::<AppState>();
+
+    let detail = RequestNotificationDetail::new_docker(
+        RequestAction::Delete,
+        client,
+        server_url.clone(),
+    );
+    let resp = super::send_credentials_request(detail, app_handle.clone(), waiter).await?;
+    match resp.approval {
+        Approval::Approved => {
+            state.delete_credential_by_name(&server_url).await?;
+            Ok(CliResponse::Empty)
+        }
+        Approval::Denied => {
+            Err(HandlerError::Denied)
+        }
+    }
 }

src-tauri/src/srv/mod.rs

@@ -3,13 +3,21 @@ use std::future::Future;
 use tauri::{
     AppHandle,
     async_runtime as rt,
+    Manager,
 };
 use tokio::io::AsyncReadExt;
+use tokio::sync::oneshot;
 use serde::{Serialize, Deserialize};
 
-use crate::credentials::{AwsBaseCredential, AwsSessionCredential};
+use crate::credentials::{
+    AwsBaseCredential,
+    AwsSessionCredential,
+    DockerCredential,
+};
 use crate::errors::*;
+use crate::ipc::{RequestNotification, RequestNotificationDetail, RequestResponse};
 use crate::shortcuts::ShortcutAction;
+use crate::state::AppState;
 
 pub mod creddy_server;
 pub mod agent;
@@ -20,12 +28,22 @@ use platform::Stream;
 // so that we avoid polluting the standalone CLI with a bunch of dependencies
 // that would make it impossible to build a completely static-linked version
 #[derive(Debug, Serialize, Deserialize)]
+#[serde(tag = "type")]
 pub enum CliRequest {
-    GetCredential {
+    GetAwsCredential {
         name: Option<String>,
         base: bool,
     },
-    InvokeShortcut(ShortcutAction),
+    GetDockerCredential {
+        server_url: String,
+    },
+    StoreDockerCredential(DockerCredential),
+    EraseDockerCredential {
+        server_url: String,
+    },
+    InvokeShortcut{
+        action: ShortcutAction,
+    },
 }
 
 
@@ -40,6 +58,7 @@ pub enum CliResponse {
 pub enum CliCredential {
     AwsBase(AwsBaseCredential),
     AwsSession(AwsSessionCredential),
+    Docker(DockerCredential),
 }
 
 
@@ -87,6 +106,48 @@ fn serve<H, F>(sock_name: &str, app_handle: AppHandle, handler: H) -> std::io::R
 }
 
 
+async fn send_credentials_request(
+    detail: RequestNotificationDetail,
+    app_handle: AppHandle,
+    mut waiter: CloseWaiter<'_>
+) -> Result<RequestResponse, HandlerError> {
+    let state = app_handle.state::<AppState>();
+    let rehide_ms = {
+        let config = state.config.read().await;
+        config.rehide_ms
+    };
+
+    let lease = state.acquire_visibility_lease(rehide_ms).await
+        .map_err(|_e| HandlerError::NoMainWindow)?;
+
+    let (chan_send, chan_recv) = oneshot::channel();
+    let request_id = state.register_request(chan_send).await;
+    let notification = RequestNotification { id: request_id, detail };
+
+    // the following could fail in various ways, but we want to make sure
+    // the request gets unregistered on any failure, so we wrap this all
+    // up in an async block so that we only have to handle the error case once
+    let proceed = async {
+        app_handle.emit("credential-request", &notification)?;
+        tokio::select! {
+            r = chan_recv => Ok(r?),
+            _ = waiter.wait_for_close() => {
+                app_handle.emit("request-cancelled", request_id)?;
+                Err(HandlerError::Abandoned)
+            },
+        }
+    };
+
+    let res = proceed.await;
+    if let Err(_) = &res {
+        state.unregister_request(request_id).await;
+    }
+
+    lease.release();
+    res
+}
+
+
 #[cfg(unix)]
 mod platform {
     use std::io::ErrorKind;

src-tauri/src/state.rs

@@ -19,6 +19,7 @@ use crate::app;
 use crate::credentials::{
     AppSession,
     AwsSessionCredential,
+    DockerCredential,
     SshKey,
 };
 use crate::{config, config::AppConfig};
@@ -160,6 +161,13 @@ impl AppState {
         Ok(())
     }
 
+    pub async fn delete_credential_by_name(&self, name: &str) -> Result<(), SaveCredentialsError> {
+        sqlx::query!("DELETE FROM credentials WHERE name = ?", name)
+            .execute(&self.pool)
+            .await?;
+        Ok(())
+    }
+
     pub async fn list_credentials(&self) -> Result<Vec<CredentialRecord>, GetCredentialsError> {
         let session = self.app_session.read().await;
         let crypto = session.try_get_crypto()?;
@@ -322,6 +330,30 @@ impl AppState {
         Ok(k)
     }
 
+    pub async fn docker_credential_meta(
+        &self, server_url: &str
+    ) -> Result<Option<(Uuid, String)>, LoadCredentialsError> {
+        let res = sqlx::query!(
+            r#"SELECT
+                c.id as "id: Uuid",
+                c.name
+            FROM
+                credentials c
+                JOIN docker_credentials d
+                    ON d.id = c.id
+            WHERE d.server_url = ?"#,
+            server_url
+        ).fetch_optional(&self.pool).await?;
+        Ok(res.map(|row| (row.id, row.name)))
+    }
+
+    pub async fn get_docker_credential(&self, server_url: &str) -> Result<DockerCredential, GetCredentialsError> {
+        let app_session = self.app_session.read().await;
+        let crypto = app_session.try_get_crypto()?;
+        let d = DockerCredential::load_by("server_url", server_url.to_owned(), crypto, &self.pool).await?;
+        Ok(d)
+    }
+
     pub async fn signal_activity(&self) {
         let mut last_activity = self.last_activity.write().await;
         *last_activity = OffsetDateTime::now_utc();

src-tauri/tauri.conf.json

@@ -50,7 +50,7 @@
     }
   },
   "productName": "creddy",
-  "version": "0.5.4",
+  "version": "0.6.0",
   "identifier": "creddy",
   "plugins": {},
   "app": {

src/views/Approve.svelte

@@ -7,6 +7,7 @@
     import ShowResponse from './approve/ShowResponse.svelte';
     import Unlock from './Unlock.svelte';
 
+    console.log($appState.currentRequest);
 
     // Extra 50ms so the window can finish disappearing before the redraw
     const rehideDelay = Math.min(5000, $appState.config.rehide_ms + 100);

src/views/ManageCredentials.svelte

@@ -6,9 +6,8 @@
 
     import AwsCredential from './credentials/AwsCredential.svelte';
     import ConfirmDelete from './credentials/ConfirmDelete.svelte';
+    import DockerCredential from './credentials/DockerCredential.svelte';
     import SshKey from './credentials/SshKey.svelte';
-    // import NewSshKey from './credentials/NewSshKey.svelte';
-    // import EditSshKey from './credentials/EditSshKey.svelte';
     import Icon from '../ui/Icon.svelte';
     import Nav from '../ui/Nav.svelte';
 
@@ -16,6 +15,7 @@
     let records = null
     $: awsRecords = (records || []).filter(r => r.credential.type === 'AwsBase');
     $: sshRecords = (records || []).filter(r => r.credential.type === 'Ssh');
+    $: dockerRecords = (records || []).filter(r => r.credential.type === 'Docker');
 
     let defaults = writable({});
     async function loadCreds() {
@@ -47,6 +47,17 @@
         records = records;
     }
 
+    function newDocker() {
+        records.push({
+            id: crypto.randomUUID(),
+            name: null,
+            is_default: false,
+            credential: {type: 'Docker', ServerURL: '', Username: '', Secret: ''},
+            isNew: true,
+        });
+        records = records;
+    }
+
     let confirmDelete;
     function handleDelete(evt) {
         const record = evt.detail;
@@ -117,6 +128,29 @@
         {/if}
     </div>
 
+    <div class="flex flex-col gap-y-4">
+        <div class="divider">
+            <h2 class="text-xl font-bold">Docker credentials</h2>
+        </div>
+
+        {#if dockerRecords.length > 0}
+            {#each dockerRecords as record (record.id)}
+                <DockerCredential {record} on:save={loadCreds} on:delete={handleDelete} />
+            {/each}
+            <button class="btn btn-primary btn-wide mx-auto" on:click={newDocker}>
+                <Icon name="plus-circle-mini" class="size-5" />
+                Add
+            </button>
+        {:else if records !== null}
+            <div class="flex flex-col gap-6 items-center rounded-box border-2 border-dashed border-neutral-content/30 p-6">
+                <div>You have no saved Docker credentials.</div>
+                <button class="btn btn-primary btn-wide mx-auto" on:click={newDocker}>
+                    <Icon name="plus-circle-mini" class="size-5" />
+                    Add
+                </button>
+            </div>
+        {/if}
+    </div>
 </div>
 
 <ConfirmDelete bind:this={confirmDelete} on:confirm={loadCreds} />

src/views/approve/CollectResponse.svelte

@@ -14,7 +14,7 @@
     // Extract executable name from full path
     const client = $appState.currentRequest.client;
     const m = client.exe?.match(/\/([^/]+?$)|\\([^\\]+?$)/);
-    const appName = m[1] || m[2];
+    const appName = m ? m[1] || m[2] : '';
 
     const dispatch = createEventDispatcher();
 
@@ -26,6 +26,12 @@
         };
         dispatch('response');
     }
+
+    const actionDescriptions = {
+        Access: 'access your',
+        Delete: 'delete your',
+        Save: 'create new',
+    };
 </script>
 
 
@@ -51,6 +57,8 @@
             {/if}
         {:else if $appState.currentRequest.type === 'Ssh'}
             {appName ? `"${appName}"` : 'An application'} would like to use your SSH key "{$appState.currentRequest.key_name}".
+        {:else if $appState.currentRequest.type === 'Docker'}
+            {appName ? `"${appName}"` : 'An application'} would like to {actionDescriptions[$appState.currentRequest.action]} Docker credentials for <code>{$appState.currentRequest.server_url}</code>.
         {/if}
     </h2>
 
@@ -59,6 +67,8 @@
         <code class="">{@html client.exe ? breakPath(client.exe) : 'Unknown'}</code>
         <div class="text-right">PID:</div>
         <code>{client.pid}</code>
+        <div class="text-right">User:</div>
+        <code>{client.username ?? 'Unknown'}</code>
     </div>
 </div>
 

src/views/credentials/AwsCredential.svelte

@@ -5,13 +5,12 @@
 
     import ErrorAlert from '../../ui/ErrorAlert.svelte';
     import Icon from '../../ui/Icon.svelte';
+    import PassphraseInput from '../../ui/PassphraseInput.svelte';
+
 
     export let record;
     export let defaults;
 
-    import PassphraseInput from '../../ui/PassphraseInput.svelte';
-
-
     const dispatch = createEventDispatcher();
 
     let showDetails = record.isNew ? true : false;

src/views/credentials/ConfirmDelete.svelte

@@ -26,9 +26,12 @@
         if (record.credential.type === 'AwsBase') {
             return 'AWS credential';
         }
-        if (record.credential.type === 'Ssh') {
+        else if (record.credential.type === 'Ssh') {
             return 'SSH key';
         }
+        else {
+            return `${record.credential.type} credential`;
+        }
     }
 </script>
 

src/views/credentials/DockerCredential.svelte

@@ -0,0 +1,112 @@
+<script>
+
+    import { createEventDispatcher } from 'svelte';
+    import { fade, slide } from 'svelte/transition';
+    import { invoke } from '@tauri-apps/api/core';
+
+    import ErrorAlert from '../../ui/ErrorAlert.svelte';
+    import Icon from '../../ui/Icon.svelte';
+    import PassphraseInput from '../../ui/PassphraseInput.svelte';
+
+
+    export let record;
+
+    let local = JSON.parse(JSON.stringify(record));
+    $: isModified = JSON.stringify(local) !== JSON.stringify(record);
+    let showDetails = record?.isNew;
+
+    let alert;
+    const dispatch = createEventDispatcher();
+    async function saveCredential() {
+        await invoke('save_credential', {record: local});
+        dispatch('save', local);
+        showDetails = false;
+    }
+</script>
+
+<div class="rounded-box space-y-4 bg-base-200">
+    <div class="flex items-center px-6 py-4 gap-x-4">
+        {#if !record.isNew}
+            {#if showDetails}
+                <input
+                    type="text"
+                    class="input input-bordered bg-transparent text-lg font-bold grow"
+                    bind:value={local.name}
+                >
+            {:else}
+                <h3 class="text-lg font-bold break-all">
+                    {record.name}
+                </h3>
+            {/if}
+        {/if}
+
+        <div class="join ml-auto">
+            <button
+                type="button"
+                class="btn btn-outline join-item"
+                on:click={() => showDetails = !showDetails}
+            >
+                <Icon name="pencil" class="size-6" />
+            </button>
+            <button
+                type="button"
+                class="btn btn-outline btn-error join-item"
+                on:click={() => dispatch('delete', record)}
+            >
+                <Icon name="trash" class="size-6" />
+            </button>
+        </div>
+    </div>
+
+    {#if showDetails}
+        <form
+            transition:slide|local={{duration: 200}}
+            class=" px-6 pb-4 space-y-4"
+            on:submit|preventDefault={() => alert.run(saveCredential)}
+        >
+            <ErrorAlert bind:this={alert} />
+
+            <div class="grid grid-cols-[auto_1fr] items-center gap-4">
+                {#if record.isNew}
+                    <span class="justify-self-end">Name</span>
+                    <input
+                        type="text"
+                        class="input input-bordered bg-transparent"
+                        bind:value={local.name}
+                    >
+                {/if}
+
+                <span class="justify-self-end">Server URL</span>
+                <input
+                    type="text"
+                    class="input input-bordered font-mono bg-transparent"
+                    bind:value={local.credential.ServerURL}
+                >
+
+                <span class="justify-self-end">Username</span>
+                <input
+                    type="text"
+                    class="input input-bordered font-mono bg-transparent"
+                    bind:value={local.credential.Username}
+                >
+
+                <span>Password</span>
+                <div class="font-mono">
+                    <PassphraseInput class="bg-transparent" bind:value={local.credential.Secret} />
+                </div>
+            </div>
+
+            <div class="flex justify-end">
+                {#if isModified}
+                    <button
+                        transition:fade={{duration: 100}}
+                        type="submit"
+                        class="btn btn-primary"
+                    >
+                        Save
+                    </button>
+                {/if}
+            </div>
+        </form>
+    {/if}
+</div>