send SaveCredential request to frontend on docker store

package.json

@@ -1,6 +1,6 @@
 {
   "name": "creddy",
-  "version": "0.4.9",
+  "version": "0.5.4",
   "scripts": {
     "dev": "vite",
     "build": "vite build",

src-tauri/Cargo.lock

@@ -110,6 +110,55 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "anstream"
+version = "0.6.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "418c75fa768af9c03be99d17643f93f79bbba589895012a80e3452a19ddda15b"
+dependencies = [
+ "anstyle",
+ "anstyle-parse",
+ "anstyle-query",
+ "anstyle-wincon",
+ "colorchoice",
+ "is_terminal_polyfill",
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle"
+version = "1.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "038dfcf04a5feb68e9c60b21c9625a54c2c0616e79b72b0fd87075a056ae1d1b"
+
+[[package]]
+name = "anstyle-parse"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c03a11a9034d92058ceb6ee011ce58af4a9bf61491aa7e1e59ecd24bd40d22d4"
+dependencies = [
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle-query"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ad186efb764318d35165f1758e7dcef3b10628e26d41a44bc5550652e6804391"
+dependencies = [
+ "windows-sys 0.52.0",
+]
+
+[[package]]
+name = "anstyle-wincon"
+version = "3.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "61a38449feb7068f52bb06c12759005cf459ee52bb4adc1d5a7c4322d716fb19"
+dependencies = [
+ "anstyle",
+ "windows-sys 0.52.0",
+]
+
 [[package]]
 name = "anyhow"
 version = "1.0.86"
@@ -134,14 +183,13 @@ version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "dd884d7c72877a94102c3715f3b1cd09ff4fac28221add3e57cfbe25c236d093"
 dependencies = [
- "async-fs",
- "async-net",
  "enumflags2",
  "futures-channel",
  "futures-util",
  "rand 0.8.5",
  "serde",
  "serde_repr",
+ "tokio",
  "url",
  "zbus",
 ]
@@ -224,17 +272,6 @@ dependencies = [
  "pin-project-lite",
 ]
 
-[[package]]
-name = "async-net"
-version = "2.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b948000fad4873c1c9339d60f2623323a0cfd3816e5181033c6a5cb68b2accf7"
-dependencies = [
- "async-io",
- "blocking",
- "futures-lite",
-]
-
 [[package]]
 name = "async-process"
 version = "2.2.3"
@@ -339,17 +376,6 @@ version = "1.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
 
-[[package]]
-name = "atty"
-version = "0.2.14"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8"
-dependencies = [
- "hermit-abi 0.1.19",
- "libc",
- "winapi",
-]
-
 [[package]]
 name = "auto-launch"
 version = "0.4.0"
@@ -942,9 +968,9 @@ dependencies = [
 
 [[package]]
 name = "cc"
-version = "1.0.100"
+version = "1.0.101"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c891175c3fb232128f48de6590095e59198bbeb8620c310be349bfc3afd12c7b"
+checksum = "ac367972e516d45567c7eafc73d24e1c193dcf200a8d94e9db7b3d38b349572d"
 
 [[package]]
 name = "cesu8"
@@ -1035,42 +1061,43 @@ dependencies = [
 
 [[package]]
 name = "clap"
-version = "3.2.25"
+version = "4.5.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4ea181bf566f71cb9a5d17a59e1871af638180a18fb0035c92ae62b705207123"
+checksum = "64acc1846d54c1fe936a78dc189c34e28d3f5afc348403f28ecf53660b9b8462"
 dependencies = [
- "atty",
- "bitflags 1.3.2",
+ "clap_builder",
  "clap_derive",
+]
+
+[[package]]
+name = "clap_builder"
+version = "4.5.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6fb8393d67ba2e7bfaf28a23458e4e2b543cc73a99595511eb207fdb8aede942"
+dependencies = [
+ "anstream",
+ "anstyle",
  "clap_lex",
- "indexmap 1.9.3",
- "once_cell",
- "strsim 0.10.0",
- "termcolor",
- "textwrap",
+ "strsim",
 ]
 
 [[package]]
 name = "clap_derive"
-version = "3.2.25"
+version = "4.5.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ae6371b8bdc8b7d3959e9cf7b22d4435ef3e79e138688421ec654acf8c81b008"
+checksum = "2bac35c6dafb060fd4d275d9a4ffae97917c13a6327903a8be2153cd964f7085"
 dependencies = [
- "heck 0.4.1",
- "proc-macro-error",
+ "heck 0.5.0",
  "proc-macro2",
  "quote",
- "syn 1.0.109",
+ "syn 2.0.68",
 ]
 
 [[package]]
 name = "clap_lex"
-version = "0.2.4"
+version = "0.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2850f2f5a82cbf437dd5af4d49848fbdfc27c157c3d010345776f952765261c5"
-dependencies = [
- "os_str_bytes",
-]
+checksum = "4b82cf0babdbd58558212896d1a4272303a57bdb245c2bf1147185fb45640e70"
 
 [[package]]
 name = "cocoa"
@@ -1083,7 +1110,7 @@ dependencies = [
  "cocoa-foundation",
  "core-foundation",
  "core-graphics",
- "foreign-types",
+ "foreign-types 0.5.0",
  "libc",
  "objc",
 ]
@@ -1102,6 +1129,12 @@ dependencies = [
  "objc",
 ]
 
+[[package]]
+name = "colorchoice"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b6a852b24ab71dffc585bcb46eaf7959d175cb865a7152e35b348d1b2960422"
+
 [[package]]
 name = "combine"
 version = "4.6.7"
@@ -1158,7 +1191,7 @@ dependencies = [
  "bitflags 1.3.2",
  "core-foundation",
  "core-graphics-types",
- "foreign-types",
+ "foreign-types 0.5.0",
  "libc",
 ]
 
@@ -1208,7 +1241,7 @@ dependencies = [
 
 [[package]]
 name = "creddy"
-version = "0.4.9"
+version = "0.5.4"
 dependencies = [
  "argon2",
  "auto-launch",
@@ -1217,33 +1250,53 @@ dependencies = [
  "aws-smithy-types",
  "aws-types",
  "chacha20poly1305",
- "clap",
+ "creddy_cli",
  "dirs 5.0.1",
+ "futures",
  "is-terminal",
  "once_cell",
- "rfd",
+ "openssl",
+ "rfd 0.13.0",
+ "rsa",
  "serde",
  "serde_json",
+ "sha2",
  "signature 2.2.0",
  "sodiumoxide",
  "sqlx",
  "ssh-agent-lib",
+ "ssh-encoding",
  "ssh-key",
  "strum",
  "strum_macros",
  "sysinfo",
  "tauri",
  "tauri-build",
+ "tauri-plugin-dialog",
  "tauri-plugin-global-shortcut",
+ "tauri-plugin-os",
  "tauri-plugin-single-instance",
  "thiserror",
  "time",
  "tokio",
  "tokio-stream",
+ "tokio-util",
  "which",
  "windows 0.51.1",
 ]
 
+[[package]]
+name = "creddy_cli"
+version = "0.5.4"
+dependencies = [
+ "anyhow",
+ "clap",
+ "dirs 5.0.1",
+ "serde",
+ "serde_json",
+ "tokio",
+]
+
 [[package]]
 name = "crossbeam-channel"
 version = "0.5.13"
@@ -1402,7 +1455,7 @@ dependencies = [
  "ident_case",
  "proc-macro2",
  "quote",
- "strsim 0.11.1",
+ "strsim",
  "syn 2.0.68",
 ]
 
@@ -1653,9 +1706,9 @@ dependencies = [
 
 [[package]]
 name = "either"
-version = "1.12.0"
+version = "1.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3dca9240753cf90908d7e4aac30f630662b02aebaa1b58a3cadabdb23385b58b"
+checksum = "60b1af1c220855b6ceac025d3f6ecdd2b7c4894bfe9cd9bda4fbb4bc7c0d4cf0"
 dependencies = [
  "serde",
 ]
@@ -1848,6 +1901,15 @@ version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
 
+[[package]]
+name = "foreign-types"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
+dependencies = [
+ "foreign-types-shared 0.1.1",
+]
+
 [[package]]
 name = "foreign-types"
 version = "0.5.0"
@@ -1855,7 +1917,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d737d9aa519fb7b749cbc3b962edcf310a8dd1f4b67c91c4f83975dbdd17d965"
 dependencies = [
  "foreign-types-macros",
- "foreign-types-shared",
+ "foreign-types-shared 0.3.1",
 ]
 
 [[package]]
@@ -1869,6 +1931,12 @@ dependencies = [
  "syn 2.0.68",
 ]
 
+[[package]]
+name = "foreign-types-shared"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
+
 [[package]]
 name = "foreign-types-shared"
 version = "0.3.1"
@@ -2139,6 +2207,16 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "gethostname"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0176e0459c2e4a1fe232f984bca6890e681076abb9934f6cea7c326f3fc47818"
+dependencies = [
+ "libc",
+ "windows-targets 0.48.5",
+]
+
 [[package]]
 name = "getrandom"
 version = "0.1.16"
@@ -2413,15 +2491,6 @@ version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
 
-[[package]]
-name = "hermit-abi"
-version = "0.1.19"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33"
-dependencies = [
- "libc",
-]
-
 [[package]]
 name = "hermit-abi"
 version = "0.3.9"
@@ -2744,6 +2813,12 @@ dependencies = [
  "windows-sys 0.52.0",
 ]
 
+[[package]]
+name = "is_terminal_polyfill"
+version = "1.70.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8478577c03552c21db0e2724ffb8986a5ce7af88107e6be5d2ee6e158c12800"
+
 [[package]]
 name = "itoa"
 version = "0.4.8"
@@ -2957,9 +3032,9 @@ dependencies = [
 
 [[package]]
 name = "log"
-version = "0.4.21"
+version = "0.4.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "90ed8c1e510134f979dbc4f070f87d4313098b704861a105fe34231c70a3901c"
+checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24"
 
 [[package]]
 name = "loom"
@@ -3423,12 +3498,50 @@ version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
 
+[[package]]
+name = "openssl"
+version = "0.10.64"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "95a0481286a310808298130d22dd1fef0fa571e05a8f44ec801801e84b216b1f"
+dependencies = [
+ "bitflags 2.6.0",
+ "cfg-if",
+ "foreign-types 0.3.2",
+ "libc",
+ "once_cell",
+ "openssl-macros",
+ "openssl-sys",
+]
+
+[[package]]
+name = "openssl-macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.68",
+]
+
 [[package]]
 name = "openssl-probe"
 version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
 
+[[package]]
+name = "openssl-sys"
+version = "0.9.102"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c597637d56fbc83893a35eb0dd04b2b8e7a50c91e64e9493e398b5df4fb45fa2"
+dependencies = [
+ "cc",
+ "libc",
+ "pkg-config",
+ "vcpkg",
+]
+
 [[package]]
 name = "option-ext"
 version = "0.2.0"
@@ -3446,10 +3559,15 @@ dependencies = [
 ]
 
 [[package]]
-name = "os_str_bytes"
-version = "6.6.1"
+name = "os_info"
+version = "3.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e2355d85b9a3786f481747ced0e0ff2ba35213a1f9bd406ed906554d7af805a1"
+checksum = "ae99c7fa6dd38c7cafe1ec085e804f8f555a2f8659b0dbe03f1f9963a9b51092"
+dependencies = [
+ "log",
+ "serde",
+ "windows-sys 0.52.0",
+]
 
 [[package]]
 name = "outref"
@@ -3842,12 +3960,6 @@ dependencies = [
  "windows-sys 0.52.0",
 ]
 
-[[package]]
-name = "pollster"
-version = "0.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22686f4785f02a4fcc856d3b3bb19bf6c8160d103f7a99cc258bddd0251dc7f2"
-
 [[package]]
 name = "poly1305"
 version = "0.8.0"
@@ -4223,6 +4335,29 @@ dependencies = [
  "subtle",
 ]
 
+[[package]]
+name = "rfd"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c0d8ab342bcc5436e04d3a4c1e09e17d74958bfaddf8d5fad6f85607df0f994f"
+dependencies = [
+ "block",
+ "dispatch",
+ "glib-sys",
+ "gobject-sys",
+ "gtk-sys",
+ "js-sys",
+ "log",
+ "objc",
+ "objc-foundation",
+ "objc_id",
+ "raw-window-handle 0.5.2",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "web-sys",
+ "windows-sys 0.48.0",
+]
+
 [[package]]
 name = "rfd"
 version = "0.14.1"
@@ -4232,14 +4367,15 @@ dependencies = [
  "ashpd",
  "block",
  "dispatch",
+ "glib-sys",
+ "gobject-sys",
+ "gtk-sys",
  "js-sys",
  "log",
  "objc",
  "objc-foundation",
  "objc_id",
- "pollster",
  "raw-window-handle 0.6.2",
- "urlencoding",
  "wasm-bindgen",
  "wasm-bindgen-futures",
  "web-sys",
@@ -4530,9 +4666,9 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.118"
+version = "1.0.120"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d947f6b3163d8857ea16c4fa0dd4840d52f3041039a85decd46867eb1abef2e4"
+checksum = "4e0d21c9a8cae1235ad58a00c11cb40d4b1e5c784f1ef2c537876ed6ffd8b7c5"
 dependencies = [
  "itoa 1.0.11",
  "ryu",
@@ -4756,7 +4892,7 @@ dependencies = [
  "bytemuck",
  "cfg_aliases",
  "core-graphics",
- "foreign-types",
+ "foreign-types 0.5.0",
  "js-sys",
  "log",
  "objc2",
@@ -5149,12 +5285,6 @@ dependencies = [
  "unicode-properties",
 ]
 
-[[package]]
-name = "strsim"
-version = "0.10.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623"
-
 [[package]]
 name = "strsim"
 version = "0.11.1"
@@ -5225,6 +5355,15 @@ version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a7065abeca94b6a8a577f9bd45aa0867a2238b74e8eb67cf10d492bc39351394"
 
+[[package]]
+name = "sys-locale"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e801cf239ecd6ccd71f03d270d67dd53d13e90aab208bf4b8fe4ad957ea949b0"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "sysinfo"
 version = "0.26.9"
@@ -5438,6 +5577,43 @@ dependencies = [
  "walkdir",
 ]
 
+[[package]]
+name = "tauri-plugin-dialog"
+version = "2.0.0-beta.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fed4b22c59f7b04ae2a0bed8241aa715b41973c3f042c84aa67a1f4dc0174a8d"
+dependencies = [
+ "dunce",
+ "log",
+ "raw-window-handle 0.6.2",
+ "rfd 0.14.1",
+ "serde",
+ "serde_json",
+ "tauri",
+ "tauri-plugin",
+ "tauri-plugin-fs",
+ "thiserror",
+]
+
+[[package]]
+name = "tauri-plugin-fs"
+version = "2.0.0-beta.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3aa91955751f329e0aa431b87c199b7378b6f91ec0765d2ad9d4c64e017c3cda"
+dependencies = [
+ "anyhow",
+ "glob",
+ "schemars",
+ "serde",
+ "serde_json",
+ "serde_repr",
+ "tauri",
+ "tauri-plugin",
+ "thiserror",
+ "url",
+ "uuid",
+]
+
 [[package]]
 name = "tauri-plugin-global-shortcut"
 version = "2.0.0-beta.6"
@@ -5453,6 +5629,24 @@ dependencies = [
  "thiserror",
 ]
 
+[[package]]
+name = "tauri-plugin-os"
+version = "2.0.0-beta.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9ae3c8aeb113ce614cc36a43b1061fdf64381f7635d02c390052ce7579ec628"
+dependencies = [
+ "gethostname",
+ "log",
+ "os_info",
+ "serde",
+ "serde_json",
+ "serialize-to-javascript",
+ "sys-locale",
+ "tauri",
+ "tauri-plugin",
+ "thiserror",
+]
+
 [[package]]
 name = "tauri-plugin-single-instance"
 version = "2.0.0-beta.9"
@@ -5578,21 +5772,6 @@ dependencies = [
  "utf-8",
 ]
 
-[[package]]
-name = "termcolor"
-version = "1.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "06794f8f6c5c898b3275aebefa6b8a1cb24cd2c6c79397ab15774837a0bc5755"
-dependencies = [
- "winapi-util",
-]
-
-[[package]]
-name = "textwrap"
-version = "0.16.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "23d434d3f8967a09480fb04132ebe0a3e088c173e6d0ee7897abbdf4eab0f8b9"
-
 [[package]]
 name = "thin-slice"
 version = "0.1.1"
@@ -5691,6 +5870,7 @@ dependencies = [
  "signal-hook-registry",
  "socket2",
  "tokio-macros",
+ "tracing",
  "windows-sys 0.48.0",
 ]
 
@@ -6063,6 +6243,12 @@ version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "09cc8ee72d2a9becf2f2febe0205bbed8fc6615b7cb429ad062dc7b7ddd036a9"
 
+[[package]]
+name = "utf8parse"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
+
 [[package]]
 name = "uuid"
 version = "1.9.1"
@@ -6879,6 +7065,7 @@ dependencies = [
  "serde_repr",
  "sha1",
  "static_assertions",
+ "tokio",
  "tracing",
  "uds_windows",
  "windows-sys 0.52.0",

src-tauri/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "creddy"
-version = "0.4.9"
+version = "0.5.4"
 description = "A friendly AWS credentials manager"
 authors = ["Joseph Montanaro"]
 license = ""
@@ -9,37 +9,40 @@ default-run = "creddy"
 edition = "2021"
 rust-version = "1.57"
 
-[[bin]]
-name = "creddy_cli"
-path = "src/bin/creddy_cli.rs"
-
 [[bin]]
 name = "creddy"
 path = "src/main.rs"
 
+# we use a workspace so that we can split out the CLI and make it possible to build independently
+[workspace]
+members = ["creddy_cli"]
+
+[workspace.dependencies]
+dirs = "5.0"
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+tokio = { version = ">=1.19", features = ["full"] }
+
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [build-dependencies]
 tauri-build = { version = "2.0.0-beta", features = [] }
 
 [dependencies]
-serde_json = "1.0"
-serde = { version = "1.0", features = ["derive"] }
+creddy_cli = { path = "./creddy_cli" }
 tauri = { version = "2.0.0-beta", features = ["tray-icon"] }
 sodiumoxide = "0.2.7"
-tokio = { version = ">=1.19", features = ["full"] }
 sysinfo = "0.26.8"
 aws-config = "1.5.3"
 aws-types = "1.3.2"
 aws-sdk-sts = "1.33.0"
 aws-smithy-types = "1.2.0"
+dirs = { workspace = true }
 thiserror = "1.0.38"
 once_cell = "1.16.0"
 strum = "0.24"
 strum_macros = "0.24"
 auto-launch = "0.4.0"
-dirs = "5.0"
-clap = { version = "3.2.23", features = ["derive"] }
 is-terminal = "0.4.7"
 argon2 = { version = "0.5.0", features = ["std"] }
 chacha20poly1305 = { version = "0.10.1", features = ["std"] }
@@ -48,12 +51,23 @@ windows = { version = "0.51.1", features = ["Win32_Foundation", "Win32_System_Pi
 time = "0.3.31"
 tauri-plugin-single-instance = "2.0.0-beta.9"
 tauri-plugin-global-shortcut = "2.0.0-beta.6"
-rfd = "0.14.1"
+tauri-plugin-os = "2.0.0-beta.6"
+tauri-plugin-dialog = "2.0.0-beta.9"
+rfd = "0.13.0"
 ssh-agent-lib = "0.4.0"
 ssh-key = { version = "0.6.6", features = ["rsa", "ed25519", "encryption"] }
 signature = "2.2.0"
 tokio-stream = "0.1.15"
+serde = { workspace = true }
+serde_json = { workspace = true }
 sqlx = { version = "0.7.4", features = ["sqlite", "runtime-tokio", "uuid"] }
+tokio = { workspace = true }
+tokio-util = { version = "0.7.11", features = ["codec"] }
+futures = "0.3.30"
+openssl = "0.10.64"
+rsa = "0.9.6"
+sha2 = "0.10.8"
+ssh-encoding = "0.2.0"
 
 [features]
 # by default Tauri runs in production mode

src-tauri/capabilities/migrated.json

@@ -12,6 +12,8 @@
     "app:default",
     "resources:default",
     "menu:default",
-    "tray:default"
+    "tray:default",
+    "os:allow-os-type",
+    "dialog:allow-open"
   ]
 }

src-tauri/creddy_cli/Cargo.toml

@@ -0,0 +1,12 @@
+[package]
+name = "creddy_cli"
+version = "0.5.4"
+edition = "2021"
+
+[dependencies]
+anyhow = "1.0.86"
+clap = { version = "4", features = ["derive"] }
+dirs = { workspace = true }
+serde = { workspace = true }
+serde_json = { workspace = true }
+tokio = { workspace = true }

src-tauri/creddy_cli/src/cli/docker.rs

@@ -0,0 +1,27 @@
+use std::io;
+
+use anyhow::bail;
+
+use crate::proto::{CliResponse, DockerCredential};
+use super::{
+    CliCredential,
+    CliRequest,
+    GlobalArgs
+};
+
+
+pub fn docker_store(global_args: GlobalArgs) -> anyhow::Result<()> {
+    let input: DockerCredential = serde_json::from_reader(io::stdin())?;
+    dbg!(&input);
+
+    let req = CliRequest::SaveCredential {
+        name: input.username.clone(),
+        is_default: false, // is_default doesn't really mean anything for Docker credentials
+        credential: CliCredential::Docker(input),
+    };
+
+    match super::make_request(global_args.server_addr, &req)?? {
+        CliResponse::Empty => Ok(()),
+        r => bail!("Unexpected response from server: {r}"),
+    }
+}

src-tauri/creddy_cli/src/cli/mod.rs

@@ -0,0 +1,234 @@
+use std::path::PathBuf;
+use std::process::Command as ChildCommand;
+#[cfg(unix)]
+use std::os::unix::process::CommandExt;
+#[cfg(windows)]
+use std::time::Duration;
+
+use anyhow::{bail, Context};
+use clap::{
+    Args,
+    Parser,
+    Subcommand
+};
+use clap::builder::styling::{Styles, AnsiColor};
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
+
+use crate::proto::{
+    CliCredential,
+    CliRequest,
+    CliResponse,
+    ServerError,
+    ShortcutAction,
+};
+
+mod docker;
+
+
+#[derive(Debug, Parser)]
+#[command(
+    about,
+    version,
+    name = "creddy",
+    bin_name = "creddy",
+    styles = Styles::styled()
+        .header(AnsiColor::Yellow.on_default())
+        .usage(AnsiColor::Yellow.on_default())
+        .literal(AnsiColor::Green.on_default())
+        .placeholder(AnsiColor::Green.on_default())
+)]
+/// A friendly credential manager
+pub struct Cli {
+    #[command(flatten)]
+    pub global_args: GlobalArgs,
+
+    #[command(subcommand)]
+    pub action: Option<Action>,
+}
+
+impl Cli {
+    // proxy the Parser method so that main crate doesn't have to depend on Clap
+    pub fn parse() -> Self {
+        <Self as Parser>::parse()
+    }
+}
+
+
+#[derive(Debug, Clone, Args)]
+pub struct GlobalArgs {
+    /// Connect to the main Creddy application at this path
+    #[arg(long, short = 'a')]
+    server_addr: Option<PathBuf>,
+}
+
+
+#[derive(Debug, Subcommand)]
+pub enum Action {
+    /// Launch Creddy
+    Run,
+    /// Request credentials from Creddy and output to stdout
+    Get(GetArgs),
+    /// Inject credentials into the environment of another command
+    Exec(ExecArgs),
+    /// Invoke an action normally triggered by hotkey (e.g. launch terminal)
+    Shortcut(InvokeArgs),
+    /// Interact with Docker credentials via the docker-credential-helper protocol
+    #[command(subcommand)]
+    Docker(DockerCmd),
+}
+
+
+#[derive(Debug, Args)]
+pub struct GetArgs {
+    /// If unspecified, use default credentials
+    #[arg(short, long)]
+    name: Option<String>,
+    /// Use base credentials instead of session credentials (only applicable to AWS)
+    #[arg(long, short, default_value_t = false)]
+    base: bool,
+}
+
+
+#[derive(Debug, Args)]
+pub struct ExecArgs {
+    #[command(flatten)]
+    get_args: GetArgs,
+    #[arg(trailing_var_arg = true)]
+    /// Command to be wrapped
+    command: Vec<String>,
+}
+
+
+#[derive(Debug, Args)]
+pub struct InvokeArgs {
+    #[arg(value_name = "ACTION", value_enum)]
+    shortcut_action: ShortcutAction,
+}
+
+
+#[derive(Debug, Subcommand)]
+pub enum DockerCmd {
+    /// Get a stored Docker credential
+    Get,
+    /// Store a new Docker credential
+    Store,
+    /// Remove a stored Docker credential
+    Erase,
+}
+
+
+pub fn get(args: GetArgs, global: GlobalArgs) -> anyhow::Result<()> {
+    let req = CliRequest::GetCredential {
+        name: args.name,
+        base: args.base,
+    };
+
+    let output = match make_request(global.server_addr, &req)?? {
+        CliResponse::Credential(CliCredential::AwsBase(c)) => {
+            serde_json::to_string_pretty(&c).unwrap()
+        },
+        CliResponse::Credential(CliCredential::AwsSession(c)) => {
+            serde_json::to_string_pretty(&c).unwrap()
+        },
+        r => bail!("Unexpected response from server: {r}"),
+    };
+    println!("{output}");
+    Ok(())
+}
+
+
+pub fn exec(args: ExecArgs, global: GlobalArgs) -> anyhow::Result<()> {
+    // Clap guarantees that cmd_line will be a sequence of at least 1 item
+    // test this!
+    let mut cmd_line = args.command.iter();
+    let cmd_name = cmd_line.next().unwrap();
+    let mut cmd = ChildCommand::new(cmd_name);
+    cmd.args(cmd_line);
+
+    let req = CliRequest::GetCredential {
+        name: args.get_args.name,
+        base: args.get_args.base,
+    };
+
+    match make_request(global.server_addr, &req)?? {
+        CliResponse::Credential(CliCredential::AwsBase(creds)) => {
+            cmd.env("AWS_ACCESS_KEY_ID", creds.access_key_id);
+            cmd.env("AWS_SECRET_ACCESS_KEY", creds.secret_access_key);
+        },
+        CliResponse::Credential(CliCredential::AwsSession(creds)) => {
+            cmd.env("AWS_ACCESS_KEY_ID", creds.access_key_id);
+            cmd.env("AWS_SECRET_ACCESS_KEY", creds.secret_access_key);
+            cmd.env("AWS_SESSION_TOKEN", creds.session_token);
+        },
+        r => bail!("Unexpected response from server: {r}"),
+    }
+
+    #[cfg(unix)]
+    {
+        let e = cmd.exec();
+        // cmd.exec() never returns if successful, so we never hit this line unless there's an error
+        Err(e).with_context(|| {
+            // eventually figure out how to display the actual command
+            format!("Failed to execute command: {}", args.command.join(" "))
+        })?;
+        Ok(())
+    }
+
+    #[cfg(windows)]
+    {
+        let mut child = match cmd.spawn() {
+            Ok(c) => c,
+            Err(e) if e.kind() == std::io::ErrorKind::NotFound => {
+                let name: OsString = cmd_name.into();
+                return Err(ExecError::NotFound(name).into());
+            }
+            Err(e) => return Err(ExecError::ExecutionFailed(e).into()),
+        };
+
+        let status = child.wait()
+            .map_err(|e| ExecError::ExecutionFailed(e))?;
+        std::process::exit(status.code().unwrap_or(1));
+    };
+}
+
+
+pub fn invoke_shortcut(args: InvokeArgs, global: GlobalArgs) -> anyhow::Result<()> {
+    let req = CliRequest::InvokeShortcut(args.shortcut_action);
+    match make_request(global.server_addr, &req)?? {
+        CliResponse::Empty => Ok(()),
+        r => bail!("Unexpected response from server: {r}"),
+    }
+}
+
+
+pub fn docker_credential_helper(cmd: DockerCmd, global_args: GlobalArgs) -> anyhow::Result<()> {
+    match cmd {
+        DockerCmd::Get => todo!(),
+        DockerCmd::Store => docker::docker_store(global_args),
+        DockerCmd::Erase => todo!(),
+    }
+}
+
+
+// Explanation for double-result: the server will return a (serialized) Result
+// to indicate when the operation succeeded or failed, which we deserialize.
+// However, the operation may fail to even communicate with the server, in
+// which case we return the outer Result
+// (probably this should be modeled differently)
+#[tokio::main]
+async fn make_request(
+    addr: Option<PathBuf>,
+    req: &CliRequest
+) -> anyhow::Result<Result<CliResponse, ServerError>> {
+    let mut data = serde_json::to_string(req).unwrap();
+    // server expects newline marking end of request
+    data.push('\n');
+
+    let mut stream = crate::connect(addr).await?;
+    stream.write_all(&data.as_bytes()).await?;
+
+    let mut buf = Vec::with_capacity(1024);
+    stream.read_to_end(&mut buf).await?;
+    let res: Result<CliResponse, ServerError> = serde_json::from_slice(&buf)?;
+    Ok(res)
+}

src-tauri/creddy_cli/src/lib.rs

@@ -0,0 +1,41 @@
+mod cli;
+pub use cli::{
+    Cli,
+    Action,
+    exec,
+    get,
+    invoke_shortcut,
+    docker_credential_helper,
+};
+
+pub(crate) use platform::connect;
+pub use platform::server_addr;
+
+pub mod proto;
+
+
+#[cfg(unix)]
+mod platform {
+    use std::path::PathBuf;
+    use tokio::net::UnixStream;
+
+    pub async fn connect(addr: Option<PathBuf>) -> Result<UnixStream, std::io::Error> {
+        let path = addr.unwrap_or_else(|| server_addr("creddy-server"));
+        UnixStream::connect(&path).await
+    }
+
+    pub fn server_addr(sock_name: &str) -> PathBuf {
+        let mut path = dirs::runtime_dir()
+            .unwrap_or_else(|| PathBuf::from("/tmp"));
+        path.push(format!("{sock_name}.sock"));
+        path
+    }
+}
+
+
+#[cfg(windows)]
+mod platform {
+    pub fn server_addr(sock_name: &str) -> String {
+        format!(r"\\.\pipe\{sock_name}")
+    }
+}

src-tauri/creddy_cli/src/main.rs

@@ -0,0 +1,36 @@
+use std::env;
+use std::process::{self, Command};
+
+use creddy_cli::{Action, Cli};
+
+
+fn main() {
+    let cli = Cli::parse();
+    let res = match cli.action {
+        None | Some(Action::Run)=> launch_gui(),
+        Some(Action::Get(args)) => creddy_cli::get(args, cli.global_args),
+        Some(Action::Exec(args)) => creddy_cli::exec(args, cli.global_args),
+        Some(Action::Shortcut(args)) => creddy_cli::invoke_shortcut(args, cli.global_args),
+        Some(Action::Docker(cmd)) => creddy_cli::docker_credential_helper(cmd, cli.global_args),
+    };
+
+    if let Err(e) = res {
+        eprintln!("Error: {e:?}");
+        process::exit(1);
+    }
+}
+
+
+fn launch_gui() -> anyhow::Result<()>  {
+    let mut path = env::current_exe()?;
+    path.pop(); // bin dir
+
+    // binaries are colocated in dev, but not in production
+    #[cfg(not(debug_assertions))]
+    path.pop(); // install dir
+
+    path.push("creddy.exe"); // exe in main install dir (aka gui exe)
+
+    Command::new(path).spawn()?;
+    Ok(())
+}

src-tauri/creddy_cli/src/proto.rs

@@ -0,0 +1,108 @@
+use std::fmt::{
+    Display,
+    Formatter,
+    Error as FmtError
+};
+
+use clap::ValueEnum;
+use serde::{Serialize, Deserialize};
+
+
+#[derive(Debug, Serialize, Deserialize)]
+pub enum CliRequest {
+    GetCredential {
+        name: Option<String>,
+        base: bool,
+    },
+    SaveCredential {
+        name: String,
+        is_default: bool,
+        credential: CliCredential,
+    },
+    InvokeShortcut(ShortcutAction),
+}
+
+
+#[derive(Debug, Copy, Clone, Serialize, Deserialize, ValueEnum)]
+pub enum ShortcutAction {
+    ShowWindow,
+    LaunchTerminal,
+}
+
+
+#[derive(Debug, Serialize, Deserialize)]
+pub enum CliResponse {
+    Credential(CliCredential),
+    Empty,
+}
+
+impl Display for CliResponse {
+    fn fmt(&self, f: &mut Formatter) -> Result<(), FmtError> {
+        match self {
+            CliResponse::Credential(CliCredential::AwsBase(_)) => write!(f, "Credential (AwsBase)"),
+            CliResponse::Credential(CliCredential::AwsSession(_)) => write!(f, "Credential (AwsSession)"),
+            CliResponse::Credential(CliCredential::Docker(_)) => write!(f, "Credential (Docker)"),
+            CliResponse::Empty => write!(f, "Empty"),
+        }
+    }
+}
+
+
+#[derive(Debug, Serialize, Deserialize)]
+pub enum CliCredential {
+    AwsBase(AwsBaseCredential),
+    AwsSession(AwsSessionCredential),
+    Docker(DockerCredential),
+}
+
+
+#[derive(Debug, Eq, PartialEq, Serialize, Deserialize)]
+#[serde(rename_all = "PascalCase")]
+pub struct AwsBaseCredential {
+    #[serde(default = "default_aws_version")]
+    pub version: usize,
+    pub access_key_id: String,
+    pub secret_access_key: String,
+}
+
+
+#[derive(Debug, Eq, PartialEq, Serialize, Deserialize)]
+#[serde(rename_all = "PascalCase")]
+pub struct AwsSessionCredential {
+    #[serde(default = "default_aws_version")]
+    pub version: usize,
+    pub access_key_id: String,
+    pub secret_access_key: String,
+    pub session_token: String,
+    // we don't need to know the expiration for the CLI, so just use a string here
+    pub expiration: String,
+}
+
+
+fn default_aws_version() -> usize { 1 }
+
+
+#[derive(Debug, Eq, PartialEq, Serialize, Deserialize)]
+#[serde(rename_all = "PascalCase")]
+pub struct DockerCredential {
+    #[serde(rename = "ServerURL")]
+    pub server_url: String,
+    pub username: String,
+    pub secret: String,
+}
+
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct ServerError {
+    code: String,
+    msg: String,
+}
+
+impl Display for ServerError {
+    fn fmt(&self, f: &mut Formatter) -> Result<(), FmtError> {
+        write!(f, "Error response ({}) from server: {}", self.code, self.msg)?;
+        Ok(())
+    }
+}
+
+impl std::error::Error for ServerError {}

src-tauri/gen/schemas/capabilities.json

@@ -1 +1 @@
-{"migrated":{"identifier":"migrated","description":"permissions that were migrated from v1","local":true,"windows":["main"],"permissions":["path:default","event:default","window:default","app:default","resources:default","menu:default","tray:default"]}}
+{"migrated":{"identifier":"migrated","description":"permissions that were migrated from v1","local":true,"windows":["main"],"permissions":["path:default","event:default","window:default","app:default","resources:default","menu:default","tray:default","os:allow-os-type","dialog:allow-open"]}}

src-tauri/gen/schemas/desktop-schema.json

@@ -247,6 +247,82 @@
             "app:deny-version"
           ]
         },
+        {
+          "type": "string",
+          "enum": [
+            "dialog:default"
+          ]
+        },
+        {
+          "description": "dialog:allow-ask -> Enables the ask command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:allow-ask"
+          ]
+        },
+        {
+          "description": "dialog:allow-confirm -> Enables the confirm command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:allow-confirm"
+          ]
+        },
+        {
+          "description": "dialog:allow-message -> Enables the message command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:allow-message"
+          ]
+        },
+        {
+          "description": "dialog:allow-open -> Enables the open command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:allow-open"
+          ]
+        },
+        {
+          "description": "dialog:allow-save -> Enables the save command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:allow-save"
+          ]
+        },
+        {
+          "description": "dialog:deny-ask -> Denies the ask command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:deny-ask"
+          ]
+        },
+        {
+          "description": "dialog:deny-confirm -> Denies the confirm command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:deny-confirm"
+          ]
+        },
+        {
+          "description": "dialog:deny-message -> Denies the message command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:deny-message"
+          ]
+        },
+        {
+          "description": "dialog:deny-open -> Denies the open command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:deny-open"
+          ]
+        },
+        {
+          "description": "dialog:deny-save -> Denies the save command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:deny-save"
+          ]
+        },
         {
           "description": "event:default -> Default permissions for the plugin.",
           "type": "string",
@@ -778,6 +854,124 @@
             "menu:deny-text"
           ]
         },
+        {
+          "type": "string",
+          "enum": [
+            "os:default"
+          ]
+        },
+        {
+          "description": "os:allow-arch -> Enables the arch command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-arch"
+          ]
+        },
+        {
+          "description": "os:allow-exe-extension -> Enables the exe_extension command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-exe-extension"
+          ]
+        },
+        {
+          "description": "os:allow-family -> Enables the family command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-family"
+          ]
+        },
+        {
+          "description": "os:allow-hostname -> Enables the hostname command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-hostname"
+          ]
+        },
+        {
+          "description": "os:allow-locale -> Enables the locale command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-locale"
+          ]
+        },
+        {
+          "description": "os:allow-os-type -> Enables the os_type command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-os-type"
+          ]
+        },
+        {
+          "description": "os:allow-platform -> Enables the platform command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-platform"
+          ]
+        },
+        {
+          "description": "os:allow-version -> Enables the version command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-version"
+          ]
+        },
+        {
+          "description": "os:deny-arch -> Denies the arch command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-arch"
+          ]
+        },
+        {
+          "description": "os:deny-exe-extension -> Denies the exe_extension command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-exe-extension"
+          ]
+        },
+        {
+          "description": "os:deny-family -> Denies the family command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-family"
+          ]
+        },
+        {
+          "description": "os:deny-hostname -> Denies the hostname command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-hostname"
+          ]
+        },
+        {
+          "description": "os:deny-locale -> Denies the locale command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-locale"
+          ]
+        },
+        {
+          "description": "os:deny-os-type -> Denies the os_type command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-os-type"
+          ]
+        },
+        {
+          "description": "os:deny-platform -> Denies the platform command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-platform"
+          ]
+        },
+        {
+          "description": "os:deny-version -> Denies the version command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-version"
+          ]
+        },
         {
           "description": "path:default -> Default permissions for the plugin.",
           "type": "string",

src-tauri/gen/schemas/linux-schema.json

@@ -247,6 +247,82 @@
             "app:deny-version"
           ]
         },
+        {
+          "type": "string",
+          "enum": [
+            "dialog:default"
+          ]
+        },
+        {
+          "description": "dialog:allow-ask -> Enables the ask command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:allow-ask"
+          ]
+        },
+        {
+          "description": "dialog:allow-confirm -> Enables the confirm command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:allow-confirm"
+          ]
+        },
+        {
+          "description": "dialog:allow-message -> Enables the message command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:allow-message"
+          ]
+        },
+        {
+          "description": "dialog:allow-open -> Enables the open command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:allow-open"
+          ]
+        },
+        {
+          "description": "dialog:allow-save -> Enables the save command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:allow-save"
+          ]
+        },
+        {
+          "description": "dialog:deny-ask -> Denies the ask command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:deny-ask"
+          ]
+        },
+        {
+          "description": "dialog:deny-confirm -> Denies the confirm command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:deny-confirm"
+          ]
+        },
+        {
+          "description": "dialog:deny-message -> Denies the message command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:deny-message"
+          ]
+        },
+        {
+          "description": "dialog:deny-open -> Denies the open command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:deny-open"
+          ]
+        },
+        {
+          "description": "dialog:deny-save -> Denies the save command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:deny-save"
+          ]
+        },
         {
           "description": "event:default -> Default permissions for the plugin.",
           "type": "string",
@@ -778,6 +854,124 @@
             "menu:deny-text"
           ]
         },
+        {
+          "type": "string",
+          "enum": [
+            "os:default"
+          ]
+        },
+        {
+          "description": "os:allow-arch -> Enables the arch command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-arch"
+          ]
+        },
+        {
+          "description": "os:allow-exe-extension -> Enables the exe_extension command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-exe-extension"
+          ]
+        },
+        {
+          "description": "os:allow-family -> Enables the family command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-family"
+          ]
+        },
+        {
+          "description": "os:allow-hostname -> Enables the hostname command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-hostname"
+          ]
+        },
+        {
+          "description": "os:allow-locale -> Enables the locale command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-locale"
+          ]
+        },
+        {
+          "description": "os:allow-os-type -> Enables the os_type command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-os-type"
+          ]
+        },
+        {
+          "description": "os:allow-platform -> Enables the platform command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-platform"
+          ]
+        },
+        {
+          "description": "os:allow-version -> Enables the version command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-version"
+          ]
+        },
+        {
+          "description": "os:deny-arch -> Denies the arch command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-arch"
+          ]
+        },
+        {
+          "description": "os:deny-exe-extension -> Denies the exe_extension command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-exe-extension"
+          ]
+        },
+        {
+          "description": "os:deny-family -> Denies the family command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-family"
+          ]
+        },
+        {
+          "description": "os:deny-hostname -> Denies the hostname command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-hostname"
+          ]
+        },
+        {
+          "description": "os:deny-locale -> Denies the locale command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-locale"
+          ]
+        },
+        {
+          "description": "os:deny-os-type -> Denies the os_type command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-os-type"
+          ]
+        },
+        {
+          "description": "os:deny-platform -> Denies the platform command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-platform"
+          ]
+        },
+        {
+          "description": "os:deny-version -> Denies the version command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-version"
+          ]
+        },
         {
           "description": "path:default -> Default permissions for the plugin.",
           "type": "string",

src-tauri/migrations/20240617142724_credential_split.sql

@@ -69,9 +69,12 @@ DROP TABLE aws_tmp;
 
 
 -- SSH keys are the new hotness
-CREATE TABLE ssh_keys (
-    name TEXT UNIQUE NOT NULL,
+CREATE TABLE ssh_credentials (
+    id BLOB UNIQUE NOT NULL,
+    algorithm TEXT NOT NULL,
+    comment TEXT NOT NULL,
     public_key BLOB NOT NULL,
     private_key_enc BLOB NOT NULL,
-    nonce BLOB NOT NULL
+    nonce BLOB NOT NULL,
+    FOREIGN KEY(id) REFERENCES credentials(id) ON DELETE CASCADE
 );

src-tauri/migrations/20240919135710_docker_creds.sql

@@ -0,0 +1,11 @@
+CREATE TABLE docker_credentials (
+    id BLOB UNIQUE NOT NULL,
+    -- The Docker credential helper protocol only sends the server_url, so
+    -- we should guarantee that we will only ever have one matching credential.
+    -- Also, it's easier to go from unique -> not-unique than vice versa if we
+    -- decide that's necessary in the future
+    server_url TEXT UNIQUE NOT NULL,
+    username TEXT NOT NULL,
+    secret_enc BLOB NOT NULL,
+    nonce BLOB NOT NULL
+);

src-tauri/src/_credentials.rs

@@ -1,350 +0,0 @@
-use std::fmt::{self, Formatter};
-use std::time::{SystemTime, UNIX_EPOCH};
-
- use aws_smithy_types::date_time::{DateTime, Format};
-use argon2::{
-    Argon2,
-    Algorithm,
-    Version,
-    ParamsBuilder,
-    password_hash::rand_core::{RngCore, OsRng},
-};
-use chacha20poly1305::{
-    XChaCha20Poly1305,
-    XNonce,
-    aead::{
-        Aead,
-        AeadCore,
-        KeyInit,
-        Error as AeadError,
-        generic_array::GenericArray,
-    },
-};
-use serde::{
-    Serialize,
-    Deserialize,
-    Serializer,
-    Deserializer,
-};
-use serde::de::{self, Visitor};
-use sqlx::SqlitePool;
-
-
-use crate::errors::*;
-
-
-#[derive(Clone, Debug)]
-pub enum Session {
-    Unlocked{
-        base: BaseCredentials,
-        session: SessionCredentials,
-    },
-    Locked(LockedCredentials),
-    Empty,
-}
-
-impl Session {
-    pub async fn load(pool: &SqlitePool) -> Result<Self, SetupError> {
-        let res = sqlx::query!("SELECT * FROM credentials ORDER BY created_at desc")
-            .fetch_optional(pool)
-            .await?;
-        let row = match res {
-            Some(r) => r,
-            None => {return Ok(Session::Empty);}
-        };
-
-        let salt: [u8; 32] = row.salt
-            .try_into()
-            .map_err(|_e| SetupError::InvalidRecord)?;
-        let nonce = XNonce::from_exact_iter(row.nonce.into_iter())
-            .ok_or(SetupError::InvalidRecord)?;
-
-        let creds = LockedCredentials {
-            access_key_id: row.access_key_id,
-            secret_key_enc: row.secret_key_enc,
-            salt,
-            nonce,
-        };
-        Ok(Session::Locked(creds))
-    }
-
-    pub async fn renew_if_expired(&mut self) -> Result<bool, GetSessionError> {
-        match self {
-            Session::Unlocked{ref base, ref mut session} => {
-                if !session.is_expired() {
-                    return Ok(false);
-                }
-                *session = SessionCredentials::from_base(base).await?;
-                Ok(true)
-            },
-            Session::Locked(_) => Err(GetSessionError::CredentialsLocked),
-            Session::Empty => Err(GetSessionError::CredentialsEmpty),
-        }
-    }
-
-    pub fn try_get(
-        &self
-    ) -> Result<(&BaseCredentials, &SessionCredentials), GetCredentialsError> {
-        match self {
-            Self::Empty => Err(GetCredentialsError::Empty),
-            Self::Locked(_) => Err(GetCredentialsError::Locked),
-            Self::Unlocked{ ref base, ref session } => Ok((base, session))
-        }
-    }
-}
-
-
-#[derive(Clone, Debug)]
-pub struct LockedCredentials {
-    pub access_key_id: String,
-    pub secret_key_enc: Vec<u8>,
-    pub salt: [u8; 32],
-    pub nonce: XNonce,
-}
-
-impl LockedCredentials {
-    pub async fn save(&self, pool: &SqlitePool) -> Result<(), sqlx::Error> {
-        sqlx::query(
-            "INSERT INTO credentials (access_key_id, secret_key_enc, salt, nonce, created_at)
-            VALUES (?, ?, ?, ?, strftime('%s'))"
-        )
-            .bind(&self.access_key_id)
-            .bind(&self.secret_key_enc)
-            .bind(&self.salt[..])
-            .bind(&self.nonce[..])
-            .execute(pool)
-            .await?;
-
-        Ok(())
-    }
-
-    pub fn decrypt(&self, passphrase: &str) -> Result<BaseCredentials, UnlockError> {
-        let crypto = Crypto::new(passphrase, &self.salt)
-            .map_err(|e| CryptoError::Argon2(e))?;
-        let decrypted = crypto.decrypt(&self.nonce, &self.secret_key_enc)
-            .map_err(|e| CryptoError::Aead(e))?;
-        let secret_access_key = String::from_utf8(decrypted)
-            .map_err(|_| UnlockError::InvalidUtf8)?;
-
-        let creds = BaseCredentials::new(
-            self.access_key_id.clone(),
-            secret_access_key,
-        );
-        Ok(creds)
-    }
-}
-
-
-fn default_credentials_version() -> usize { 1 }
-
-#[derive(Clone, Debug, Serialize, Deserialize)]
-#[serde(rename_all = "PascalCase")]
-pub struct BaseCredentials {
-    #[serde(default = "default_credentials_version")]
-    pub version: usize,
-    pub access_key_id: String,
-    pub secret_access_key: String,
-}
-
-impl BaseCredentials {
-    pub fn new(access_key_id: String, secret_access_key: String) -> Self {
-        Self {version: 1, access_key_id, secret_access_key}
-    }
-
-    pub fn encrypt(&self, passphrase: &str) -> Result<LockedCredentials, CryptoError> {
-        let salt = Crypto::salt();
-        let crypto = Crypto::new(passphrase, &salt)?;
-        let (nonce, secret_key_enc) = crypto.encrypt(self.secret_access_key.as_bytes())?;
-
-        let locked = LockedCredentials {
-            access_key_id: self.access_key_id.clone(),
-            secret_key_enc,
-            salt,
-            nonce,
-        };
-        Ok(locked)
-    }
-}
-
-
-#[derive(Clone, Debug, Serialize, Deserialize)]
-#[serde(rename_all = "PascalCase")]
-pub struct SessionCredentials {
-    #[serde(default = "default_credentials_version")]
-    pub version: usize,
-    pub access_key_id: String,
-    pub secret_access_key: String,
-    pub session_token: String,
-    #[serde(serialize_with = "serialize_expiration")]
-    #[serde(deserialize_with = "deserialize_expiration")]
-    pub expiration: DateTime,
-}
-
-impl SessionCredentials {
-    pub async fn from_base(base: &BaseCredentials) -> Result<Self, GetSessionError> {
-        let req_creds = aws_sdk_sts::Credentials::new(
-            &base.access_key_id,
-            &base.secret_access_key,
-            None, // token
-            None, //expiration
-            "Creddy", // "provider name" apparently
-        );
-        let config = aws_config::from_env()
-            .credentials_provider(req_creds)
-            .load()
-            .await;
-
-        let client = aws_sdk_sts::Client::new(&config);
-        let resp = client.get_session_token()
-            .duration_seconds(43_200)
-            .send()
-            .await?;
-
-        let aws_session = resp.credentials().ok_or(GetSessionError::EmptyResponse)?;
-
-        let access_key_id = aws_session.access_key_id()
-            .ok_or(GetSessionError::EmptyResponse)?
-            .to_string();
-        let secret_access_key = aws_session.secret_access_key()
-            .ok_or(GetSessionError::EmptyResponse)?
-            .to_string();
-        let session_token = aws_session.session_token()
-            .ok_or(GetSessionError::EmptyResponse)?
-            .to_string();
-        let expiration = aws_session.expiration()
-            .ok_or(GetSessionError::EmptyResponse)?
-            .clone();
-
-        let session_creds = SessionCredentials {
-            version: 1,
-            access_key_id,
-            secret_access_key,
-            session_token,
-            expiration,
-        };
-
-        #[cfg(debug_assertions)]
-        println!("Got new session:\n{}", serde_json::to_string(&session_creds).unwrap());
-
-        Ok(session_creds)
-    }
-
-    pub fn is_expired(&self) -> bool {
-        let current_ts = SystemTime::now()
-            .duration_since(UNIX_EPOCH)
-            .unwrap() // doesn't panic because UNIX_EPOCH won't be later than now()
-            .as_secs();
-
-        let expire_ts = self.expiration.secs();
-        let remaining = expire_ts - (current_ts as i64);
-        remaining < 60
-    }
-}
-
-
-#[derive(Debug, Serialize, Deserialize)]
-pub enum Credentials {
-    Base(BaseCredentials),
-    Session(SessionCredentials),
-}
-
-
-fn serialize_expiration<S>(exp: &DateTime, serializer: S) -> Result<S::Ok, S::Error>
-where S: Serializer
-{
-    // this only fails if the d/t is out of range, which it can't be for this format
-    let time_str = exp.fmt(Format::DateTime).unwrap();
-    serializer.serialize_str(&time_str)
-}
-
-
-struct DateTimeVisitor;
-
-impl<'de> Visitor<'de> for DateTimeVisitor {
-    type Value = DateTime;
-
-    fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
-        write!(formatter, "an RFC 3339 UTC string, e.g. \"2014-01-05T10:17:34Z\"")
-    }
-
-    fn visit_str<E: de::Error>(self, v: &str) -> Result<DateTime, E> {
-        DateTime::from_str(v, Format::DateTime)
-            .map_err(|_| E::custom(format!("Invalid date/time: {v}")))
-    }
-}
-
-
-fn deserialize_expiration<'de, D>(deserializer: D) -> Result<DateTime, D::Error>
-where D: Deserializer<'de>
-{
-    deserializer.deserialize_str(DateTimeVisitor)
-}
-
-
-struct Crypto {
-    cipher: XChaCha20Poly1305,
-}
-
-impl Crypto {
-    /// Argon2 params rationale:
-    ///
-    /// m_cost is measured in KiB, so 128 * 1024 gives us 128MiB.
-    /// This should roughly double the memory usage of the application
-    /// while deriving the key.
-    ///
-    /// p_cost is irrelevant since (at present) there isn't any parallelism
-    /// implemented, so we leave it at 1.
-    ///
-    /// With the above m_cost, t_cost = 8 results in about 800ms to derive
-    /// a key on my (somewhat older) CPU. This is probably overkill, but
-    /// given that it should only have to happen ~once a day for most 
-    /// usage, it should be acceptable.
-    #[cfg(not(debug_assertions))]
-    const MEM_COST: u32 = 128 * 1024;
-    #[cfg(not(debug_assertions))]
-    const TIME_COST: u32 = 8;
-
-    /// But since this takes a million years without optimizations,
-    /// we turn it way down in debug builds.
-    #[cfg(debug_assertions)]
-    const MEM_COST: u32 = 48 * 1024;
-    #[cfg(debug_assertions)]
-    const TIME_COST: u32 = 1;
-    
-
-    fn new(passphrase: &str, salt: &[u8]) -> argon2::Result<Crypto> {
-        let params = ParamsBuilder::new()
-            .m_cost(Self::MEM_COST)
-            .p_cost(1)
-            .t_cost(Self::TIME_COST)
-            .build()
-            .unwrap(); // only errors if the given params are invalid
-
-        let hasher = Argon2::new(
-            Algorithm::Argon2id,
-            Version::V0x13,
-            params,
-        );
-
-        let mut key = [0; 32];
-        hasher.hash_password_into(passphrase.as_bytes(), &salt, &mut key)?;
-        let cipher = XChaCha20Poly1305::new(GenericArray::from_slice(&key));
-        Ok(Crypto { cipher })
-    }
-
-    fn salt() -> [u8; 32] {
-        let mut salt = [0; 32];
-        OsRng.fill_bytes(&mut salt);
-        salt
-    }
-
-    fn encrypt(&self, data: &[u8]) -> Result<(XNonce, Vec<u8>), AeadError> {
-        let nonce = XChaCha20Poly1305::generate_nonce(&mut OsRng);
-        let ciphertext = self.cipher.encrypt(&nonce, data)?;
-        Ok((nonce, ciphertext))
-    }
-
-    fn decrypt(&self, nonce: &XNonce, data: &[u8]) -> Result<Vec<u8>, AeadError> {
-        self.cipher.decrypt(nonce, data)
-    }
-}

src-tauri/src/app.rs

@@ -2,10 +2,6 @@ use std::error::Error;
 use std::time::Duration;
 
 use once_cell::sync::OnceCell;
-use rfd::{
-    MessageDialog,
-    MessageLevel,
-};
 use sqlx::{
     SqlitePool,
     sqlite::SqlitePoolOptions,
@@ -25,7 +21,7 @@ use crate::{
     config::{self, AppConfig},
     credentials::AppSession,
     ipc,
-    server::Server,
+    srv::{creddy_server, agent},
     errors::*,
     shortcuts,
     state::AppState,
@@ -43,6 +39,8 @@ pub fn run() -> tauri::Result<()> {
                 .error_popup("Failed to show main window")
         }))
         .plugin(tauri_plugin_global_shortcut::Builder::default().build())
+        .plugin(tauri_plugin_os::init())
+        .plugin(tauri_plugin_dialog::init())
         .invoke_handler(tauri::generate_handler![
             ipc::unlock,
             ipc::lock,
@@ -54,23 +52,15 @@ pub fn run() -> tauri::Result<()> {
             ipc::save_credential,
             ipc::delete_credential,
             ipc::list_credentials,
+            ipc::sshkey_from_file,
+            ipc::sshkey_from_private_key,
             ipc::get_config,
             ipc::save_config,
             ipc::launch_terminal,
             ipc::get_setup_errors,
             ipc::exit,
         ])
-        .setup(|app| {
-            let res = rt::block_on(setup(app));
-            if let Err(ref e) = res {
-                MessageDialog::new()
-                    .set_level(MessageLevel::Error)
-                    .set_title("Creddy failed to start")
-                    .set_description(format!("{e}"))
-                    .show();
-            }
-            res
-        })
+        .setup(|app| rt::block_on(setup(app)))
         .build(tauri::generate_context!())?
         .run(|app, run_event| {
             if let RunEvent::WindowEvent { event, .. } = run_event {
@@ -116,7 +106,8 @@ async fn setup(app: &mut App) -> Result<(), Box<dyn Error>> {
     };
 
     let app_session = AppSession::load(&pool).await?;
-    Server::start(app.handle().clone())?;
+    creddy_server::serve(app.handle().clone())?;
+    agent::serve(app.handle().clone())?;
 
     config::set_auto_launch(conf.start_on_login)?;
     if let Err(_e) = config::set_auto_launch(conf.start_on_login) {

src-tauri/src/bin/agent.rs

@@ -1,7 +0,0 @@
-use creddy::server::ssh_agent;
-
-
-#[tokio::main]
-async fn main() {
-    ssh_agent::run().await;
-}

src-tauri/src/bin/creddy_cli.rs

@@ -1,47 +0,0 @@
-// Windows isn't really amenable to having a single executable work as both a CLI and GUI app,
-// so we just have a second binary for CLI usage
-use creddy::{
-    cli,
-    errors::CliError,
-};
-use std::{
-    env,
-    process::{self, Command},
-};
-
-
-fn main() {
-    let args = cli::parser().get_matches();
-    if let Some(true) = args.get_one::<bool>("help") {
-        cli::parser().print_help().unwrap(); // if we can't print help we can't print an error
-        process::exit(0);
-    }
-
-    let res = match args.subcommand() {
-        None | Some(("run", _)) => launch_gui(),
-        Some(("get", m)) => cli::get(m),
-        Some(("exec", m)) => cli::exec(m),
-        Some(("shortcut", m)) => cli::invoke_shortcut(m),
-        _ => unreachable!("Unknown subcommand"),
-    };
-
-    if let Err(e) = res {
-        eprintln!("Error: {e}");
-        process::exit(1);
-    }
-}
-
-
-fn launch_gui() -> Result<(), CliError>  {
-    let mut path = env::current_exe()?;
-    path.pop(); // bin dir
-    
-    // binaries are colocated in dev, but not in production
-    #[cfg(not(debug_assertions))]
-    path.pop(); // install dir
-
-    path.push("creddy.exe"); // exe in main install dir (aka gui exe)
-
-    Command::new(path).spawn()?;
-    Ok(())
-}

src-tauri/src/bin/key.rs

@@ -1,13 +0,0 @@
-use ssh_key::private::PrivateKey;
-
-
-fn main() {
-    // let passphrase = std::env::var("PRIVKEY_PASSPHRASE").unwrap();
-    let p = AsRef::<std::path::Path>::as_ref("/home/joe/.ssh/test");
-    let privkey = PrivateKey::read_openssh_file(p)
-        .unwrap();
-        // .decrypt(passphrase.as_bytes())
-        // .unwrap();
-
-    dbg!(String::from_utf8_lossy(&privkey.to_bytes().unwrap()));
-}

src-tauri/src/cli.rs

@@ -1,194 +0,0 @@
-use std::ffi::OsString;
-use std::process::Command as ChildCommand;
-#[cfg(windows)]
-use std::time::Duration;
-
-use clap::{
-    Command,
-    Arg,
-    ArgMatches,
-    ArgAction,
-    builder::PossibleValuesParser,
- };
-use tokio::io::{AsyncReadExt, AsyncWriteExt};
-
-use crate::errors::*;
-use crate::server::{Request, Response};
-use crate::shortcuts::ShortcutAction;
-
-#[cfg(unix)]
-use {
-    std::os::unix::process::CommandExt,
-    tokio::net::UnixStream,
-};
-
-#[cfg(windows)]
-use {
-    tokio::net::windows::named_pipe::{NamedPipeClient, ClientOptions},
-    windows::Win32::Foundation::ERROR_PIPE_BUSY,
-};
-
-
-pub fn parser() -> Command<'static> {
-    Command::new("creddy")
-        .version(env!("CARGO_PKG_VERSION"))
-        .about("A friendly AWS credentials manager")
-        .subcommand(
-            Command::new("run")
-                .about("Launch Creddy")
-        )
-        .subcommand(
-            Command::new("get")
-                .about("Request AWS credentials from Creddy and output to stdout")
-                .arg(
-                    Arg::new("base")
-                        .short('b')
-                        .long("base")
-                        .action(ArgAction::SetTrue)
-                        .help("Use base credentials instead of session credentials")
-                )
-        )
-        .subcommand(
-            Command::new("exec")
-                .about("Inject AWS credentials into the environment of another command")
-                .trailing_var_arg(true)
-                .arg(
-                    Arg::new("base")
-                        .short('b')
-                        .long("base")
-                        .action(ArgAction::SetTrue)
-                        .help("Use base credentials instead of session credentials")
-                )
-                .arg(
-                    Arg::new("command")
-                        .multiple_values(true)
-                )
-        )
-        .subcommand(
-            Command::new("shortcut")
-                .about("Invoke an action normally trigged by hotkey (e.g. launch terminal)")
-                .arg(
-                    Arg::new("action")
-                        .value_parser(
-                            PossibleValuesParser::new(["show_window", "launch_terminal"])
-                        )
-                )
-        )
-}
-
-
-pub fn get(args: &ArgMatches) -> Result<(), CliError> {
-    let base = args.get_one("base").unwrap_or(&false);
-    let output = match make_request(&Request::GetAwsCredentials { base: *base })? {
-        Response::AwsBase(creds) => serde_json::to_string(&creds).unwrap(),
-        Response::AwsSession(creds) => serde_json::to_string(&creds).unwrap(),
-        r => return Err(RequestError::Unexpected(r).into()),
-    };
-    println!("{output}");
-    Ok(())
-}
-
-
-pub fn exec(args: &ArgMatches) -> Result<(), CliError> {
-    let base = *args.get_one("base").unwrap_or(&false);
-    let mut cmd_line = args.get_many("command")
-        .ok_or(ExecError::NoCommand)?;
-
-    let cmd_name: &String = cmd_line.next().unwrap(); // Clap guarantees that there will be at least one
-    let mut cmd = ChildCommand::new(cmd_name);
-    cmd.args(cmd_line);
-    
-    match make_request(&Request::GetAwsCredentials { base })? {
-        Response::AwsBase(creds) => {
-            cmd.env("AWS_ACCESS_KEY_ID", creds.access_key_id);
-            cmd.env("AWS_SECRET_ACCESS_KEY", creds.secret_access_key);
-        },
-        Response::AwsSession(creds) => {
-            cmd.env("AWS_ACCESS_KEY_ID", creds.access_key_id);
-            cmd.env("AWS_SECRET_ACCESS_KEY", creds.secret_access_key);
-            cmd.env("AWS_SESSION_TOKEN", creds.session_token);
-        },
-        r => return Err(RequestError::Unexpected(r).into()),
-    }
-
-    #[cfg(unix)]
-    {
-        // cmd.exec() never returns if successful
-        let e = cmd.exec();
-        match e.kind() {
-            std::io::ErrorKind::NotFound => {
-                let name: OsString = cmd_name.into();
-                Err(ExecError::NotFound(name).into())
-            }
-            _ => Err(ExecError::ExecutionFailed(e).into()),
-        }
-    }
-
-    #[cfg(windows)]
-    {
-        let mut child = match cmd.spawn() {
-            Ok(c) => c,
-            Err(e) if e.kind() == std::io::ErrorKind::NotFound => {
-                let name: OsString = cmd_name.into();
-                return Err(ExecError::NotFound(name).into());
-            }
-            Err(e) => return Err(ExecError::ExecutionFailed(e).into()),
-        };
-
-        let status = child.wait()
-            .map_err(|e| ExecError::ExecutionFailed(e))?;
-        std::process::exit(status.code().unwrap_or(1));
-    };
-}
-
-
-pub fn invoke_shortcut(args: &ArgMatches) -> Result<(), CliError> {
-    let action = match args.get_one::<String>("action").map(|s| s.as_str()) {
-        Some("show_window") => ShortcutAction::ShowWindow,
-        Some("launch_terminal") => ShortcutAction::LaunchTerminal,
-        Some(&_) | None => unreachable!("Unknown shortcut action"), // guaranteed by clap
-    };
-
-    let req = Request::InvokeShortcut(action);
-    match make_request(&req) {
-        Ok(Response::Empty) => Ok(()),
-        Ok(r) => Err(RequestError::Unexpected(r).into()),
-        Err(e) => Err(e.into()),
-    }
-}
-
-
-#[tokio::main]
-async fn make_request(req: &Request) -> Result<Response, RequestError> {
-    let mut data = serde_json::to_string(req).unwrap();
-    // server expects newline marking end of request
-    data.push('\n');
-
-    let mut stream = connect().await?;
-    stream.write_all(&data.as_bytes()).await?;
-
-    let mut buf = Vec::with_capacity(1024);
-    stream.read_to_end(&mut buf).await?;
-    let res: Result<Response, ServerError> = serde_json::from_slice(&buf)?;
-    Ok(res?)
-}
-
-
-#[cfg(windows)]
-async fn connect() -> Result<NamedPipeClient, std::io::Error> {
-    // apparently attempting to connect can fail if there's already a client connected
-    loop {
-        match ClientOptions::new().open(r"\\.\pipe\creddy-requests") {
-            Ok(stream) => return Ok(stream),
-            Err(e) if e.raw_os_error() == Some(ERROR_PIPE_BUSY.0 as i32) => (),
-            Err(e) => return Err(e),
-        }
-        tokio::time::sleep(Duration::from_millis(10)).await;
-    }
-}
-
-
-#[cfg(unix)]
-async fn connect() -> Result<UnixStream, std::io::Error> {
-    UnixStream::connect("/tmp/creddy.sock").await
-}

src-tauri/src/clientinfo.rs

@@ -1,6 +1,12 @@
 use std::path::{Path, PathBuf};
 
-use sysinfo::{System, SystemExt, Pid, PidExt, ProcessExt};
+use sysinfo::{
+    System,
+    SystemExt,
+    Pid,
+    PidExt,
+    ProcessExt
+};
 use serde::{Serialize, Deserialize};
 
 use crate::errors::*;
@@ -13,23 +19,25 @@ pub struct Client {
 }
 
 
-pub fn get_process_parent_info(pid: u32) -> Result<Client, ClientInfoError> {
+pub fn get_client(pid: u32, parent: bool) -> Result<Client, ClientInfoError> {
     let sys_pid = Pid::from_u32(pid);
     let mut sys = System::new();   
     sys.refresh_process(sys_pid);
-    let proc = sys.process(sys_pid)
+    let mut proc = sys.process(sys_pid)
         .ok_or(ClientInfoError::ProcessNotFound)?;
 
-    let parent_pid_sys = proc.parent()
-        .ok_or(ClientInfoError::ParentPidNotFound)?;
-    sys.refresh_process(parent_pid_sys);
-    let parent = sys.process(parent_pid_sys)
-        .ok_or(ClientInfoError::ParentProcessNotFound)?;
+    if parent {
+        let parent_pid_sys = proc.parent()
+            .ok_or(ClientInfoError::ParentPidNotFound)?;
+        sys.refresh_process(parent_pid_sys);
+        proc = sys.process(parent_pid_sys)
+            .ok_or(ClientInfoError::ParentProcessNotFound)?;
+    }
 
-    let exe = match parent.exe() {
+    let exe = match proc.exe() {
         p if p == Path::new("") => None,
         p => Some(PathBuf::from(p)),
     };
 
-    Ok(Client { pid: parent_pid_sys.as_u32(), exe })
+    Ok(Client { pid: proc.pid().as_u32(), exe })
 }

src-tauri/src/credentials/aws.rs

@@ -76,7 +76,7 @@ impl PersistentCredential for AwsBaseCredential {
                 access_key_id,
                 secret_key_enc,
                 nonce
-            ) 
+            )
             VALUES (?, ?, ?, ?);",
             id, self.access_key_id, ciphertext, nonce_bytes,
         ).execute(&mut **txn).await?;
@@ -185,10 +185,16 @@ where S: Serializer
 #[cfg(test)]
 mod tests {
     use super::*;
+    use aws_sdk_sts::primitives::DateTimeFormat;
+    use creddy_cli::proto::{
+        AwsBaseCredential as CliBase,
+        AwsSessionCredential as CliSession,
+    };
     use sqlx::SqlitePool;
     use sqlx::types::uuid::uuid;
 
 
+
     fn creds() -> AwsBaseCredential {
         AwsBaseCredential::new(
             "AKIAIOSFODNN7EXAMPLE".into(),
@@ -203,19 +209,6 @@ mod tests {
         )
     }
 
-    fn test_uuid() -> Uuid {
-        Uuid::try_parse("00000000-0000-0000-0000-000000000000").unwrap()
-    }
-
-    fn test_uuid_2() -> Uuid {
-        Uuid::try_parse("ffffffff-ffff-ffff-ffff-ffffffffffff").unwrap()
-    }
-
-    fn test_uuid_random() -> Uuid {
-        let bytes = Crypto::salt();
-        Uuid::from_slice(&bytes[..16]).unwrap()
-    }
-
 
     #[sqlx::test(fixtures("aws_credentials"))]
     async fn test_load(pool: SqlitePool) {
@@ -254,5 +247,99 @@ mod tests {
 
         assert_eq!(&creds().into_credential(), &list[0]);
         assert_eq!(&creds_2().into_credential(), &list[1]);
-    }   
+    }
+
+
+    // In order to avoid the CLI depending on the main app (and thus defeating the purpose
+    // of having a separate CLI at all) it re-defines the credentials that need to be sent
+    // back and forth. To prevent the separate definitions from drifting aprt, we test
+    // serializing/deserializing in both directions.
+
+    #[test]
+    fn test_cli_to_app_base() {
+        let cli_base = CliBase {
+            version: 1,
+            access_key_id: "AKIAIOSFODNN7EXAMPLE".into(),
+            secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".into(),
+        };
+
+        let json = serde_json::to_string(&cli_base).unwrap();
+        let computed: AwsBaseCredential = serde_json::from_str(&json)
+            .expect("Failed to deserialize base credentials from CLI -> main app");
+
+        assert_eq!(creds(), computed);
+    }
+
+    #[test]
+    fn test_app_to_cli_base() {
+        let base = creds();
+        let json = serde_json::to_string(&base).unwrap();
+
+        let computed: CliBase = serde_json::from_str(&json)
+            .expect("Failed to deserialize base credentials from main app -> CLI");
+
+        let expected = CliBase {
+            version: 1,
+            access_key_id: "AKIAIOSFODNN7EXAMPLE".into(),
+            secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".into(),
+        };
+
+        assert_eq!(expected, computed);
+    }
+
+    #[test]
+    fn test_cli_to_app_session() {
+        let cli_session = CliSession {
+            version: 1,
+            access_key_id: "ASIAIOSFODNN7EXAMPLE".into(),
+            secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".into(),
+            session_token: "JQ70sxbqnOGKu7+krevstYCLCaX2+alUAT60ARTBBnQ=ETC.".into(),
+            expiration: "2024-07-21T00:00:00Z".into(),
+        };
+
+        let json = serde_json::to_string(&cli_session).unwrap();
+        let computed: AwsSessionCredential = serde_json::from_str(&json)
+            .expect("Failed to deserialize session credentials from CLI -> main app");
+
+        let expected = AwsSessionCredential {
+            version: 1,
+            access_key_id: "ASIAIOSFODNN7EXAMPLE".into(),
+            secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".into(),
+            session_token: "JQ70sxbqnOGKu7+krevstYCLCaX2+alUAT60ARTBBnQ=ETC.".into(),
+            expiration: DateTime::from_str(
+                "2024-07-21T00:00:00Z",
+                DateTimeFormat::DateTimeWithOffset
+            ).unwrap(),
+        };
+
+        assert_eq!(expected, computed);
+    }
+
+    #[test]
+    fn test_app_to_cli_session() {
+        let session = AwsSessionCredential {
+            version: 1,
+            access_key_id: "ASIAIOSFODNN7EXAMPLE".into(),
+            secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".into(),
+            session_token: "JQ70sxbqnOGKu7+krevstYCLCaX2+alUAT60ARTBBnQ=ETC.".into(),
+            expiration: DateTime::from_str(
+                "2024-07-21T00:00:00Z",
+                DateTimeFormat::DateTimeWithOffset
+            ).unwrap(),
+        };
+
+        let json = serde_json::to_string(&session).unwrap();
+        let computed: CliSession = serde_json::from_str(&json)
+            .expect("Failed to deserialize session credentials from main app -> CLI");
+
+        let expected = CliSession {
+            version: 1,
+            access_key_id: "ASIAIOSFODNN7EXAMPLE".into(),
+            secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".into(),
+            session_token: "JQ70sxbqnOGKu7+krevstYCLCaX2+alUAT60ARTBBnQ=ETC.".into(),
+            expiration: "2024-07-21T00:00:00Z".into(),
+        };
+
+        assert_eq!(expected, computed);
+    }
 }

src-tauri/src/credentials/docker.rs

@@ -0,0 +1,197 @@
+use chacha20poly1305::XNonce;
+use serde::{Serialize, Deserialize};
+use sqlx::{
+    FromRow,
+    Sqlite,
+    Transaction,
+    types::Uuid,
+};
+
+use super::{Credential, Crypto, PersistentCredential};
+
+use crate::errors::*;
+
+
+#[derive(Debug, Clone, FromRow)]
+pub struct DockerRow {
+    id: Uuid,
+    server_url: String,
+    username: String,
+    secret_enc: Vec<u8>,
+    nonce: Vec<u8>,
+}
+
+
+#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
+#[serde(rename_all = "PascalCase")]
+pub struct DockerCredential {
+    #[serde(rename = "ServerURL")]
+    pub server_url: String,
+    pub username: String,
+    pub secret: String,
+}
+
+
+impl PersistentCredential for DockerCredential {
+    type Row = DockerRow;
+
+    fn type_name() -> &'static str { "docker" }
+
+    fn into_credential(self) -> Credential { Credential::Docker(self) }
+
+    fn row_id(row: &DockerRow) -> Uuid { row.id }
+
+    fn from_row(row: DockerRow, crypto: &Crypto) -> Result<Self, LoadCredentialsError> {
+        let nonce = XNonce::clone_from_slice(&row.nonce);
+        let secret_bytes = crypto.decrypt(&nonce, &row.secret_enc)?;
+        let secret = String::from_utf8(secret_bytes)
+            .map_err(|_| LoadCredentialsError::InvalidData)?;
+
+        Ok(DockerCredential {
+            server_url: row.server_url,
+            username: row.username,
+            secret
+        })
+    }
+
+    async fn save_details(&self, id: &Uuid, crypto: &Crypto, txn: &mut Transaction<'_, Sqlite>) -> Result<(), SaveCredentialsError> {
+        let (nonce, ciphertext) = crypto.encrypt(self.secret.as_bytes())?;
+        let nonce_bytes = &nonce.as_slice();
+
+        sqlx::query!(
+            "INSERT OR REPLACE INTO docker_credentials (
+                id,
+                server_url,
+                username,
+                secret_enc,
+                nonce
+            )
+            VALUES (?, ?, ?, ?, ?)",
+            id, self.server_url, self.username, ciphertext, nonce_bytes,
+        ).execute(&mut **txn).await?;
+
+        Ok(())
+    }
+}
+
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::credentials::CredentialRecord;
+    use creddy_cli::proto::DockerCredential as CliDockerCredential;
+    use sqlx::SqlitePool;
+    use sqlx::types::uuid::uuid;
+
+
+
+    fn test_credential() -> DockerCredential {
+        DockerCredential {
+            server_url: "https://registry.jfmonty2.com".into(),
+            username: "joe@jfmonty2.com".into(),
+            secret: "correct horse battery staple".into(),
+        }
+    }
+
+    fn test_credential_2() -> DockerCredential {
+        DockerCredential {
+            server_url: "https://index.docker.io/v1".into(),
+            username: "test@example.com".into(),
+            secret: "a very secure passphrase".into(),
+        }
+    }
+
+    fn test_record() -> CredentialRecord {
+        CredentialRecord {
+            id: uuid!("00000000-0000-0000-0000-000000000000"),
+            name: "docker_test".into(),
+            is_default: false,
+            credential: Credential::Docker(test_credential()),
+        }
+    }
+
+    fn test_record_2() -> CredentialRecord {
+        CredentialRecord {
+            id: uuid!("ffffffff-ffff-ffff-ffff-ffffffffffff"),
+            name: "docker_test_2".into(),
+            is_default: false,
+            credential: Credential::Docker(test_credential_2()),
+        }
+    }
+
+
+    #[sqlx::test]
+    fn test_save(pool: SqlitePool) {
+        let crypt = Crypto::random();
+        test_record().save(&crypt, &pool).await
+            .expect("Failed to save record");
+    }
+
+    #[sqlx::test(fixtures("docker_credentials"))]
+    fn test_load(pool: SqlitePool) {
+        let crypt = Crypto::fixed();
+        let id = uuid!("00000000-0000-0000-0000-000000000000");
+        let loaded = DockerCredential::load(&id, &crypt, &pool).await
+            .expect("Failed to load record");
+
+        assert_eq!(test_credential(), loaded);
+    }
+
+    #[sqlx::test(fixtures("docker_credentials"))]
+    async fn test_overwrite(pool: SqlitePool) {
+        let crypt = Crypto::fixed();
+        let mut record = test_record_2();
+        // give it the same id as test_record so that it overwrites
+        let id = uuid!("00000000-0000-0000-0000-000000000000");
+        record.id = id;
+        record.save(&crypt, &pool).await
+            .expect("Failed to overwrite original record with second record");
+
+        let loaded = DockerCredential::load(&id, &crypt, &pool).await
+            .expect("Failed to load again after overwriting");
+
+        assert_eq!(test_credential_2(), loaded);
+    }
+
+    #[sqlx::test(fixtures("docker_credentials"))]
+    async fn test_list(pool: SqlitePool) {
+        let crypt = Crypto::fixed();
+        let records = CredentialRecord::list(&crypt, &pool).await
+            .expect("Failed to list credentials");
+
+        assert_eq!(test_record(), records[0]);
+    }
+
+
+    // make sure that CLI credentials and app credentials don't drift apart
+    #[test]
+    fn test_cli_to_app() {
+        let cli_creds = CliDockerCredential {
+            server_url: "https://registry.jfmonty2.com".into(),
+            username: "joe@jfmonty2.com".into(),
+            secret: "correct horse battery staple".into(),
+        };
+
+        let json = serde_json::to_string(&cli_creds).unwrap();
+        let computed: DockerCredential = serde_json::from_str(&json)
+            .expect("Failed to deserialize Docker credentials from CLI -> main app");
+
+        assert_eq!(test_credential(), computed);
+    }
+
+    #[test]
+    fn test_app_to_cli() {
+        let app_creds = test_credential();
+        let json = serde_json::to_string(&app_creds).unwrap();
+
+        let computed: CliDockerCredential = serde_json::from_str(&json)
+            .expect("Failed to deserialize Docker credentials from main app -> CLI");
+
+        let expected = CliDockerCredential {
+            server_url: "https://registry.jfmonty2.com".into(),
+            username: "joe@jfmonty2.com".into(),
+            secret: "correct horse battery staple".into(),
+        };
+        assert_eq!(expected, computed);
+    }
+}

src-tauri/src/credentials/fixtures/docker_credentials.sql

@@ -0,0 +1,11 @@
+INSERT INTO credentials (id, name, credential_type, is_default, created_at)
+VALUES (X'00000000000000000000000000000000', 'docker_test', 'docker', 0, 1726756380);
+
+INSERT INTO docker_credentials (id, server_url, username, secret_enc, nonce)
+VALUES (
+    X'00000000000000000000000000000000',
+    'https://registry.jfmonty2.com',
+    'joe@jfmonty2.com',
+    X'C0B36EE54539D4113A8F73E99FB96B2BF4D87E91F7C3B48256C07E83E3E7EC738888B2FDE2B4DB0BE48BEFDE',
+    X'C5F7F627BBE09A1BB275BE8D2390596C76143881A7766E60'
+);

src-tauri/src/credentials/fixtures/ssh_credentials.sql

@@ -0,0 +1,42 @@
+INSERT INTO credentials (id, name, credential_type, is_default, created_at)
+VALUES
+    (X'11111111111111111111111111111111', 'ssh-plain', 'ssh', 1, 1721557273),
+    (X'22222222222222222222222222222222', 'ssh-enc', 'ssh', 0, 1721557274),
+    (X'33333333333333333333333333333333', 'ed25519-plain', 'ssh', 0, 1721557275),
+    (X'44444444444444444444444444444444', 'ed25519-enc', 'ssh', 0, 1721557276);
+
+
+INSERT INTO ssh_credentials (id, algorithm, comment, public_key, private_key_enc, nonce)
+VALUES
+    (
+        X'11111111111111111111111111111111',
+        'ssh-rsa',
+        'hello world',
+        X'000000077373682D727361000000030100010000018100C4ABCE6D69400912EBAD527733401E30EBF3DC9433B79C8E343D7AFBE19A9F309934822577D9807346B48D4FB0604D022DA826E5624635E4CE19851AA5D30DFD2007DE99B04AE4C2F00823DFFC3C8DDE62F074831C1F8903067C83DCCD7D9CEE8643C93C5291F6B5047F53646A37C84098934FFDE5882B5DD7696CDDC4421C39E2894768CFD6650CE585E35A3F739B015650AA469ABDEFC6987E55DAFEC7D40B4388654ED3205D18528D881927C42CBE210CCF6F49A90619AD6E6ACBF1768D7EC52FF9CB85BE607B9414961566292016875164C1C1D1FBD4C3569D4424A7F19D043ABCDEE50573DFC4FC7F2C2718AA76528FA226C0DD5530DC705C30901E1BDE88FE5CC35CAE5AB8826D1E7F970DBED0A0F7E9833CFC7323A1F1323528D5CC3C00AEB98165D677CAF64BD69729132264D971B5C491D0AEAF53AAD22D03756B2E43754502E84488117EEBB962CCDF5DF59682C1E9BA472D5AB9B83DB2862E7EA380E8FD20DE9368CABCBBC5C95C233A52DE5DFE5E91CB59019D00B529C70C4305',
+        X'DB9B6A3B97FBAE6AC12BDAF9DA57DBEE4DDF6A92DD682958AF147FF5EF64C18255D2A1714D543F2D16BEFD7ED4C419C7A0E9C18754C4CAA251BCFA5AA46508B006CDB08A7C0DB63D8A7FE27F99CCC2F351203B36D2BC3D02302318ECC741574CEF70D956C5CCA41E538F2CA29B20E04778A596B0C3E5CD991A423443B01E3F811E004E2547C5D3DDAEBCFBFB68CDB03D0C16538224BBAA0A80767D64D8F3D2840975DD12B4F648F81B4D4B541CB500BAA99F9808F450A02688D583A924B8AE2B0BE777BC35CE808FD53B5DB8C0838D24A6CE31C3973880CF3174E63E3404F2E77783140A62DDBA06F9CD89ADE448A54FBCBD6C0EC8C0641724CDDEF2A8126EC0D0F5BDF89EB8112366D7EB6D3CE3565DF9E4036EAF3109E50BED5D7BD3558FFF69AD823F6522C5701CE26BCAFCC03D27D87547728A3C700719FF564EAEC961FA209252B113B404D75AD67CA4E40C5DAA36E9B0FB4ECDD6E5F853C81682123E8DF311A3C495F61A2CEE6A2B04C7FD3D0906583B9C724BC0D00D71106B7167983D6A0FBD3EA7361EE063A0B05E5A6B5CD82D0F795820BFC90E4F422E7CE2BDEBEAEE9493F5408F38732EB41741F15632185131CD6160433DD286869DF38679F6797A268EDE8ED0F442C4394FF52EFDE82EBEC5871A087288F7A12964615DA5AA02149FB661B0F76551CD53771B0DD180837A9D52A2BDF4757C4CF56DCD90B968F32B9F9EE5EE09EF5B791DB0366A4E6CCBBF0AF7D9CB5B7760BABAF4DE16BCC971DC95DCBD068A92DB8E8C709C0FBE9E2AB5B770EDFBCC6FB5045B706FB31DDEB6C52647618CD3B222CEF2DFD8D08ABAE6333A2E3C8768B8DB970BFF1777B75AE6DCE54DA7063F76846EFBDB92E55192A031DBA889D9DEDB0BF0FAA2FA6B4A0B0151B6F03D142D6B140EBB874CAF0A44D67AAD121127946DA90A14176EBB7B6C03DD2034987A100855E23F440CF6A404DEE46617B52581C7A248B7393FF56D8652855B23D19C35E1B535E5EC5EE87F3FF455458A740A55CDCB806053D4BCF44CDC2D76A1998418A60E11728BBC69F12C7E52A539E3834362C47A3E1863D265B3A7C2A41FA1953BB0FC64508679BB5F068DAF84C394A1497D564A3D6023B90D9A1C50E30FDC3E1C9B925EB0C19F960E7377B0678D662362129677E4B9AA515D2E4408A17A260D862F3C5D4291841855B91FE6EEA11C8E8EC19449CD9C31E6505BA364A45E7E3B89C5FA1C55708AF521F97440CED0ED0FAF06B7930E6A6F3A2B547E33EF73163D4C2E75B1AFA24BEB3129FFA978BC4EC43D0919ED262C0BE29AB78A87A57EAA55D51BE479A9E4015F9C3F2381745808AECF3783DEF5AB82E37C6EF68B97485CD36F7018B59C37E0EB93EAA32385E5E8CB95A5A3818B70F4CBE6102FC197946AAAAAABAD8B93750031CAC73C3F1B6B2F825B29435F2426B6AFABE35B1F8468E5A1CF73CC78E2FBB639AEFC171B7AD5D1728A536AB384B3F4AE924D5CEFA3F5EE5412094AE97303B8E728C7ACBCD9F9FB7C4FE7893145A55D96B7EDC1DD6257368C03AAC98B4F23D9AF15EF730BFD3FF09C2A11747035C8FD58EF97003503F568090C02A63117F3304989CFBAF20A281A729C8A8A4470524B3FDD2B4183E78BDE58BBB0B58B16D1E81702E58E225F7EED1A8E7F3920870FC9EE44D1433EEB39248A38108000EC1E151A26399A3F36CC41F6D272B3441198E8B56616E9A6C5A16303E562A62B4E6C27D16E9FADAF7E5A4AC7EFBD912883474302D5C9BB7D35C671DDECE68482A9472DAFA56B9AFF4E811A5BE7462FA6A988FED04178786DDB490A2010B8C178BD5601C23BBF5E3B1D13E86BB9980892B9999A6511FE2ECDAC681123745F676C155BB4627EFFAA65B1110B590A7FEE6D3359AED898D73C1B51AC8D534E94731934CCA9514F89E74C2BE5A799D8072C52399A7A647AF8F37F2D536C1B29D64214C490FE00565D912772256BF5E68F888E02FB704017F4D9FDD22E1C007A5FB4FCB51BC7A101DCAA56529231A59ACE14368268B7820C7C2BFBB0F5F78625E442C6EA83C88A9DEE318B2323AF0F3687ACF7B2B791D0B42B0576F0FF73E046DE1A56A5C2CBF6731E8D9485A02E9AD67D7752EBDBF3EBE703A760264363650CB9639B75985A9D00D210FFEBC93894E8E4BEAE7053FB6619BA9A8F0ECC4F822CF27606A6E58A8D5DAF55B519E7729B65A83FB859A3A028477BFBB7C8C01ABBE38EEDAAE11AA10ECC75868A281281792FA8D4EBDCC47DEB03868779A84D992D56612A8F46CAFADF65C5B32CFEA2974ECE34E4EDE9AF0AB4365C55D1A95FE551453BCFA5DF28CAF5AFA025CD5BD1CF86FB19AEB581135BFE2CBAA78643F209DE6A4D58206B0B236ADDD5A9122E8A21630907D0C5F23E86C151B8BFD8EA874DFF37DA7DE49D520DDAB7D074B37A726883211A788684A74D4E13A80CBC7655D8BBFF901CC44EF0A0368A3A69200695E277857AD620F2872D83224405A4DDD1E34AF68B72145AA442278C02DB7453AA8C184893AEBBCD4E15252CB8AF5972C49E047318362322CFAE99C38C5989A76C57E9D997BAACF6E13C19F66FCD618878D218DE7846C3D042E7E631B9AC126935AD6A3E15A659A3C4B9B5E521545A5A9B8A3CDFD21EADC2A5A74DBFA0769D63EC4F758D',
+        X'1A44F10CBD2579B378EF1ECE61005DBD0ED6189512B41293'
+    ),
+    (
+        X'22222222222222222222222222222222',
+        'ssh-rsa',
+        'hello world',
+        X'000000077373682D727361000000030100010000018100B021E0FE494231E75D4CFC9CED6DF524122F0E86717710BB066236D1ABF001CB4C7CB58964E998E5385836912300129A1334E549A7EF5E0EC4115D97E099038ACFBBA0AD2FE5D574F7F3FF122A97B59F75D8B62DCD921FF1A5BBFDCB55D77779A41ABD46528AEF8B2C0DA96370FCEC79387EED6AC1C0CED041AE979CBB880BEC6C17917711143F1C4D035548D273773D01E3F643463811B7339D9F4B3FC8D1FECF761C8878C135E2E600D9D230F11A3AD8E0415D1A923A398D108E9043F630A9B7BB1310927CA8A46455096E1A272BA56B6F06FEE5764E3C8AC85EA5DE408AED8EC549BE749FB231C1A2CC95DA0035DB009A9DFB2C622833A54CFCCB9FFB173159065F3335C6DDAFBB52A82CD5C327198C496C2A4404F1A544D82175F915954492A4488954B37C78C1F81B467A05F96CCC26146CDF517AF71674046947B11CE80B0E277B2ABA23915AF11E9A9F9D05717E1F0ED70341F470085569F88D8F5CBB8179605A0BF88537A57893329D15F1F8CA3582BE3612410F06568533F801602F',
+        X'AD54C319103CFBA088A4B70AEC743CDED7B0A3EE3DDE370BBD14AA4FA4EACBDD1BBE2FCEF499BB4EC4DDEA9D472F27BBF93453C612BF1689B714C9718212E78C0E1B2133AEB0E7C954413F6EBFC4155CC975A252962AB7C1BBEAE8DA8C6F990B9DE96313F0158AA8DD7896000AE2A4406080B81C37605B3986E463D5DEC01AC0BC4981A74BAF6413DF99119F65A337692885E9C5FBA9B483AA83783823981A0E66105083EB6CDB07AB93714AAF6AAF9A6239D256D8C9C56992AC846CF104E2B1B9DF96D0E67DF2EC9258E914EDFAA5AC36ABE3E9D5D641C92C6188D90D9B083DC3AFA9409B7809718279B52399145FE3173DA8E8A7E5C21715E0B140B22BFF8A0116E102B55C9BCB19B5B4FCCA88FBC5A2844E7E2AEC84ACA303BE8AC9448F93BB35366DFC2E38CEE31C66748847DA11CBB8A31F2CA4DD905362A8C513B6B8E3040EFCEC5BCFEB2E52902F33BF6DFEF911E56A00E51274C1548546DCA62261F94F580DCBAF7357F0C8F5058D2D1D5C91E0AAAB396A305E79350FC0F9879CAFD33316DB77586C36A8246F4D5A14EEC495CFCFA108B70A00008CE64ABC2EBC656DFE760612194B526BC1AE8C08325E3FE76999E6341D6C2BA35BA87CB9FB30A269891A0013E989246E80D5CF7590A66D8494CA79D5E2FD6A8FF7ECA1169379C2D45F4108BA5A796309D4CBDBEE6F45A0F6536B45666E1CF977B26612BC8108FCF32FF0D9296C9C414812C221032B2E5107CFCE1E4FCC2E07C5D31F1A1492732D0ECEB3920E50DFBCAA89561CE52436D23DA40D8678CE901BDC57C3F80233BBAF7AE5CA432547EB51DFBABF5B8BC94C0F6EAE47C94649CECE192D6436D609EE040A3AC059529E7CAAFA45D1B2E331E0E73BAFB1C6E05F71EBF28E222D2B15E724D5EBB3B9C3A709F0F9BCD41C87DF158BDCD3C1FCA86A8D4B57B98F4386AA6956BC3DC6BC2AF6A479560C1598B866935795C29F22CB93072E9D8D4D110AAC2B0F22CD8662354BF5D509750068613C052E88629EFF9488BD1C0B3E6FFD010A5B739F943234AA456F998B4DC7FA7B877961DE1CC744760712337B70971EED7AA4B97121F26298DCFDC2282D721CAB90098585ACFD31EC776EEE2C0211AB711BE94F31ED0D2BA4A9D8EFFC155FC68AB02EA1DC380A1525EF2BD14B55CC71210B54E5F55A8C3C876A6667EFA271095B1280B9ED6FAE9E73601A698FE2732756780BF453F927FD171F497F9C1FA6ADE7DC8187FEDA309E807E2E7895E1763DE1758E50035CE24D54A814745F05446FFD91F8E27770577384BBDC6E11E435658404533D32C461A0DB1CC6AE0847ABB744FB61C524CF9162E3660941CA3DA96F56EA5C036BF5E633C6CA0F033335AB5B623D08A024E87235FF8324B284FB981A9998DD0028A0DE54B4D6BE04C51E8D71DD09B3563C84E5C43826418365FB7912DFABDC5BB25BDE2C558DAC14AEED79F705F34E2D04F17829515C725675571EE1E4BDD21D8EBAA9C6075DE48EF8F2ED7814E20836A2721E46B5C71EE365CFE996A07ADABD84FE5B1E25EF5D9CC66B945084A4207004372AA792BA1BE97B67397635EA7DCC2F99C6AD5C394A8F4C0B7CBC87C38DE52F120993E6DC6BEA27D5B90D90E1C8F7626C860386121E53BE3D4F7B4005A69EB0334E118E70B7207CEDFCEE1EC2A30C789174AAA6531EAAD2E0BED7400CA44911E896E4C82DCA85ADBA92CA01B2CE75924AE81FE286C4CBD8073B7546313A75E52CA1882D8935D2F6058FECEBA4626B4445FCED2E9986632F9F5597C7BBD44F375027727D51B0033B87D23395EEC26EE06378B247B0C1469286F868828C942FCE2BF1BFFDC07CAEC1E214D37ADE737A7DFF082972C6E8411591BEE4B54BED231A7F856C022B26887ADD115A252807D3C58DCD8FB5D7D71DC3766C288438DB3D9D98FC8A22FEC92A7E6E3855ACD36BBEA79C5F98C7ABD9CCECB37C18C3315E5CC7B3BFF699FD201419F8EA402E422EFE62A25D4A76B2CCA0F6D43313BA7DF6537619FD2AE8ACF55B17F709961228076DBBB3592B6B7A1C3C271D54C06403902B0384492AE486E931DD63F68E739769E174D97EA46E7D780D03529EA21B418E0A68E44ED15AB9471B5F139E29EA25C7AE881E216A2863D6E908790002B0B1CC23B1DB3266CEACA2771BD661941AEDEE196316E8D8D7CE361C23E7C1BFFBFD0467329E948CD936B54C7313DC053F96BAFD139500ACB0CCDCA7C0AFBFEC02CFD31FECF4193C1E13F8E59378959BE3360C3B57BD325E5D87CA3D9CE08EFD00980200004D01EE4C6D4450C545A82BE0E1A527AE3432AD6500AF6C8B4400095D9CA7DAA0AA956DC8CD6A4336B876988128119997DB4847AFEFDF2CB8E3F88D5B66CC1E5A32229F79324063584C95C775C5D8D3B05956F0BC8432B9FB28D006247F1DF22C431515BDB4234C91B10CA20B5C05924CAAF82094C8C49123776F1C7170218FEC6C1D2D94F242277765EB9A6C48BE8751D92FFC4C3314155C7685940CA07BB70722D0B65585BC50253A9A6F793CD7A3269657B234C72EC8F2DD4F3B61A7260B3028FFB2B866A311E027C3D8D56592AB4795AA22452CBE37AEE68D7952EE473BB67CE6839E0F5DAA7C9B09F26CBF99CF5BF1181A41B683B9EA939A1823C3733B1EE8066614D3A692C99E5F9EA22231',
+        X'B9DF74AE34E4E7E17EA2EABECE5FD85B14ADB53EDB5BF27C'
+    ),
+    (
+        X'33333333333333333333333333333333',
+        'ssh-ed25519',
+        'hello world',
+        X'0000000B7373682D6564323535313900000020BBB05846908A7F4819CA69BE50E94658FD6F51D24FFECED678566D43E1DD6BF2',
+        X'7E3719254AB02100F159D971C17322CF51ECB60AC9E2CDA511EDFD88E75D9828A5A308F1F6A7D6919ED080FD0E6D3FAB64583A946334EE8870006AB7EDC57E6D7BCD145485D1F2A06D946B4DB69591467F289A5CD3BBF922FAAF5B54275F56CF81CC450DE4C8C0F24078C395BA02E8C646731FA6A50480392B13784FD2A85D094DDB8E73C56120936C02C3F94E910C23787FC307369239E264600BBE799EA851CE16FD653BE71D024AA73A582AACC390DD1F341C095788ECE6F4CC37D045A2BFFEC9F14AEBE73E43C6E78E00A9645C6A46D03F2847355DBCD33DA09C76148089A0FC1B3793AB5DA577B879D25EF7B8A8661387F19F392522CFD2886F6FEB65584841',
+        x'58E67EEE49A11FFDD9D32F63ED99053008091B415F87F1BA'
+    ),
+    (
+        X'44444444444444444444444444444444',
+        'ssh-ed25519',
+        'hello world',
+        X'0000000B7373682D65643235353139000000200491C64AD1D7E9C20D989937677C32EBE5FB35BCBA77422550A8FAA54C023923',
+        X'6BA994C263935729D807579173B377323F6353A88F660143EA92DE1E1A92F00682B8A1FAD838F0D211BD69855E8E34AE84D5A7B3C23F23A822B2AFF6E861BC81D89AFDDEB0DED063C84644B3EFEF2612DA1DA9C3C12EDAEFCBEA3542EA0ED1903FC1922E5F56E19FAD8CC75A2A30D64C83BF27ADE00E66BCCFE1CA67E95A00819F7BF91DDD22C4A1FB419E91B5D61544175D8D69EB5B416E6547DFD55CD386B62293B778322FB840D1F4DBBDCE2364A6FE4A7B090425031E7DB347314CEBD9BA09F85CC45CF3B4D02FE78B7F365D5C7E95331AA7A6F91A619E8A8663B77A31BAF639652D72B4FD11C8D430C8A1C5542C69DF4ACA74BAB7608B7E9ADD15BAF4674AFB',
+        X'46F31DCF22250039168D80F26D50C129C9AFDA166682C89A'
+    );

src-tauri/src/credentials/fixtures/ssh_ed25519_enc

@@ -0,0 +1,8 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAWtYanP1
+TBKT8lBL4IzKpYAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIASRxkrR1+nCDZiZ
+N2d8Muvl+zW8undCJVCo+qVMAjkjAAAAkI021XFPzB9VnO8uGAQ8f3bwP/ki5fDVuWD7Fc
+crN+yfT8Ugjhc7IL2dIt/xj9iJIa9fJDw0pg1Y8issqp9C8HVhasyWpf2iwJIalUHTOekn
+WdoxA+/OQBstRBKSv43sI801+9OC8dXCMNM2QzpiGNs0QxdLJpcJQhHEvqq/yDIODF0p7M
+h3e9eYGVPOR0CjlQ==
+-----END OPENSSH PRIVATE KEY-----

src-tauri/src/credentials/fixtures/ssh_ed25519_enc.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASRxkrR1+nCDZiZN2d8Muvl+zW8undCJVCo+qVMAjkj hello world

src-tauri/src/credentials/fixtures/ssh_ed25519_plain

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8gAAAJAwEcgHMBHI
+BwAAAAtzc2gtZWQyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8g
+AAAEB9VXgjePmpl6Q3Y1t2a4DZhsdRf+183vWAJWAonDOneLuwWEaQin9IGcppvlDpRlj9
+b1HST/7O1nhWbUPh3WvyAAAAC2hlbGxvIHdvcmxkAQI=
+-----END OPENSSH PRIVATE KEY-----

src-tauri/src/credentials/fixtures/ssh_ed25519_plain.json

@@ -0,0 +1 @@
+{"algorithm":"ssh-ed25519","comment":"hello world","public_key":"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILuwWEaQin9IGcppvlDpRlj9b1HST/7O1nhWbUPh3Wvy hello world","private_key":"-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\nQyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8gAAAJAwEcgHMBHI\nBwAAAAtzc2gtZWQyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8g\nAAAEB9VXgjePmpl6Q3Y1t2a4DZhsdRf+183vWAJWAonDOneLuwWEaQin9IGcppvlDpRlj9\nb1HST/7O1nhWbUPh3WvyAAAAC2hlbGxvIHdvcmxkAQI=\n-----END OPENSSH PRIVATE KEY-----\n"}

src-tauri/src/credentials/fixtures/ssh_ed25519_plain.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILuwWEaQin9IGcppvlDpRlj9b1HST/7O1nhWbUPh3Wvy hello world

src-tauri/src/credentials/fixtures/ssh_rsa_enc

@@ -0,0 +1,39 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAanK91R1
+FN66oOcvNyslkhAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQCwIeD+SUIx
+511M/JztbfUkEi8OhnF3ELsGYjbRq/ABy0x8tYlk6ZjlOFg2kSMAEpoTNOVJp+9eDsQRXZ
+fgmQOKz7ugrS/l1XT38/8SKpe1n3XYti3Nkh/xpbv9y1XXd3mkGr1GUorviywNqWNw/Ox5
+OH7tasHAztBBrpecu4gL7GwXkXcRFD8cTQNVSNJzdz0B4/ZDRjgRtzOdn0s/yNH+z3YciH
+jBNeLmANnSMPEaOtjgQV0akjo5jRCOkEP2MKm3uxMQknyopGRVCW4aJyula28G/uV2TjyK
+yF6l3kCK7Y7FSb50n7IxwaLMldoANdsAmp37LGIoM6VM/Muf+xcxWQZfMzXG3a+7Uqgs1c
+MnGYxJbCpEBPGlRNghdfkVlUSSpEiJVLN8eMH4G0Z6BflszCYUbN9RevcWdARpR7Ec6AsO
+J3squiORWvEemp+dBXF+Hw7XA0H0cAhVafiNj1y7gXlgWgv4hTeleJMynRXx+Mo1gr42Ek
+EPBlaFM/gBYC8AAAWQf6woBjAp1r47e3HsH4DyTDNF+u98eyCXLb86Lf8G9IFzOACMx4Bh
+auNdB2dZ/Re2FZ6bdzb+h9snQf0PY4y4zJ7bmJ5VbRcYAM/XnVcKP+Q2254te15DLAsKXA
+rzGVdEB8vshTloEHZTBVGiWRSFvn/rzPTNRhw5X/OMX21EAFR2yFXFHSxKwuPTWRCTTan3
+PA7BqJX8k6XtzwafPo9as0ui3jds/aL9VBlxlQB3x5uWfo7Kw73qReDzaIS94VVsm667tI
+KIN/0/e3mDpfXmWLH2Xc7BLZcs5eSHztwakYDPc5VzFTdAfb4juVdVmiLUs0ttj+aXnJo9
+6p/kX5ISSs5gzAaL2yGmPjNeeEXgV38ysYnNUB0fIoceuda54oM8kYAeZnQGpgV0Rh6ku+
+KNWajrJF22cH6QQ61VO4ymoDrw+oxyTog/M5n7IhCROGAJOQV4CRYKELHwMIt6niiihDfI
++YbIs7Qs0ap4mHeVKbLS3WsSK7mZI70yCeLzT+ilNaqW28RLHxAEM86lRfuH1vmABKdy8D
+3e1K0WivbY5zmGvFGP1DIl3NXr6M7ZaFg5bgohssOXzMucAOR9mZpzMg20jF4SOt7IC9SU
+pWg+OIIP7pVfS2FjATMrh25xgeqD2BcDSoJWEH4xrlviyBS1wVA9W35npHiJSQptppn8cj
+EhwuS916OMhWOsXHPssqHFA+DrLByCZKcORD/mFPpsnI4/3TvA4PL6pqv2Kup0YBDqkyko
+wIyZQMjr4DjR6xYR3W0Mjzn2UG0Grn96QGrjnj1l/LAXAw00NeYktI4m5YX4wIIdhP/RT8
+RL9d4SE0YicneoDPtcLaaa4TTIvcbHJsP8aUP723reUzyxvw9Bdo9wC2bzE1xlOhm/WCmF
+0SNvEl6H/kivTjQkI2HQuGVq037eIAB5rToT6cVD3TiNmN6UuOX7Ec+8kw4JPGgLA/l+AB
+w3gCsyK7MyZoeWNw2+b1utkjMcqG0bjju0yTdjSho6KazGtoBQ4P+Jx9KIwiJT13Nr1WMz
+KBW98YojZCfCxPeNx6RPsp6PzM673R9DVRNXSs3yYhEZDXJEHCS7jDptR8r8uScogIIUEx
+YShJU0/WSVHgHZ4Ef2S7MDX1RLU4WGoUtbwxnTEQ26iNLjskYzV9/O88PajJSc2Wcz5vES
+I4BFROg2px+ViLlWqiegXIZc5NnN2HSJQ7ucTObSL0+oT5SzQiRfHy2TLa4w+c5hgO1VNx
+Xmq0doKjMW9DmU2ygwzFgnaQp9S8NlIIA/4mKkAODbCgWFqXz99gMgfL+dnUhwo4WHN3lU
+D/uVxRxwTKWWNp39z/p5hBYLKpqJbDCp+ysM9VpyllAkjk9aDihUq5dQVzpA1iTFH2DdbM
+TrclBWaXr9QQiH+F73mZvJPhP2//gT9qped6XumkSpuNXFrXoZ/P49xKgQ/51rg8Ri5ZJ7
+cIiofoppfat5ex20oBqAnumrM0JrhUrVxzhSd5tPPH5JGeZYml3sK1rM4pV7K7bnugXg9f
+C6HVxe/l2klAOvg0U9yJAvR35mS0+F0dpwvjRrFS/+JxG6RzzAAunDJHjADNne5FhKFNLB
+WRzsXHTCT+wGp497Nq8uS/0sgZAMHsy2KMK6n5h8V6kHL9t5VgsD18g0neu9ytwYrjvAuM
+AoDdwpuUkCJVNOiMHumxPvivGRNhSHwW7fTDHX+yI6/j1i/Wl1unjCxNgNCbgCMRCg1+dN
+wRw/wqs4mQyGf70AUA5JIVx/W7gAxlt3YWCFHfTRiK5A/BHa0qs+RPMzVlIJhAx0TGAOze
+BBJIg2kH26rWLV2aosOx8FFH/rZVj6gyYLw0JlsoTCva383SkifvlfiLY3DxfU+bwvJ9p0
+bnzyMMiKRuZb16OucNli84FIAuI=
+-----END OPENSSH PRIVATE KEY-----

src-tauri/src/credentials/fixtures/ssh_rsa_enc.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwIeD+SUIx511M/JztbfUkEi8OhnF3ELsGYjbRq/ABy0x8tYlk6ZjlOFg2kSMAEpoTNOVJp+9eDsQRXZfgmQOKz7ugrS/l1XT38/8SKpe1n3XYti3Nkh/xpbv9y1XXd3mkGr1GUorviywNqWNw/Ox5OH7tasHAztBBrpecu4gL7GwXkXcRFD8cTQNVSNJzdz0B4/ZDRjgRtzOdn0s/yNH+z3YciHjBNeLmANnSMPEaOtjgQV0akjo5jRCOkEP2MKm3uxMQknyopGRVCW4aJyula28G/uV2TjyKyF6l3kCK7Y7FSb50n7IxwaLMldoANdsAmp37LGIoM6VM/Muf+xcxWQZfMzXG3a+7Uqgs1cMnGYxJbCpEBPGlRNghdfkVlUSSpEiJVLN8eMH4G0Z6BflszCYUbN9RevcWdARpR7Ec6AsOJ3squiORWvEemp+dBXF+Hw7XA0H0cAhVafiNj1y7gXlgWgv4hTeleJMynRXx+Mo1gr42EkEPBlaFM/gBYC8= hello world

src-tauri/src/credentials/fixtures/ssh_rsa_plain

@@ -0,0 +1,38 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEAxKvObWlACRLrrVJ3M0AeMOvz3JQzt5yOND16++GanzCZNIIld9mA
+c0a0jU+wYE0CLagm5WJGNeTOGYUapdMN/SAH3pmwSuTC8Agj3/w8jd5i8HSDHB+JAwZ8g9
+zNfZzuhkPJPFKR9rUEf1NkajfIQJiTT/3liCtd12ls3cRCHDniiUdoz9ZlDOWF41o/c5sB
+VlCqRpq978aYflXa/sfUC0OIZU7TIF0YUo2IGSfELL4hDM9vSakGGa1uasvxdo1+xS/5y4
+W+YHuUFJYVZikgFodRZMHB0fvUw1adRCSn8Z0EOrze5QVz38T8fywnGKp2Uo+iJsDdVTDc
+cFwwkB4b3oj+XMNcrlq4gm0ef5cNvtCg9+mDPPxzI6HxMjUo1cw8AK65gWXWd8r2S9aXKR
+MiZNlxtcSR0K6vU6rSLQN1ay5DdUUC6ESIEX7ruWLM3131loLB6bpHLVq5uD2yhi5+o4Do
+/SDek2jKvLvFyVwjOlLeXf5ekctZAZ0AtSnHDEMFAAAFgMFqGjPBahozAAAAB3NzaC1yc2
+EAAAGBAMSrzm1pQAkS661SdzNAHjDr89yUM7ecjjQ9evvhmp8wmTSCJXfZgHNGtI1PsGBN
+Ai2oJuViRjXkzhmFGqXTDf0gB96ZsErkwvAII9/8PI3eYvB0gxwfiQMGfIPczX2c7oZDyT
+xSkfa1BH9TZGo3yECYk0/95YgrXddpbN3EQhw54olHaM/WZQzlheNaP3ObAVZQqkaave/G
+mH5V2v7H1AtDiGVO0yBdGFKNiBknxCy+IQzPb0mpBhmtbmrL8XaNfsUv+cuFvmB7lBSWFW
+YpIBaHUWTBwdH71MNWnUQkp/GdBDq83uUFc9/E/H8sJxiqdlKPoibA3VUw3HBcMJAeG96I
+/lzDXK5auIJtHn+XDb7QoPfpgzz8cyOh8TI1KNXMPACuuYFl1nfK9kvWlykTImTZcbXEkd
+Cur1Oq0i0DdWsuQ3VFAuhEiBF+67lizN9d9ZaCwem6Ry1aubg9soYufqOA6P0g3pNoyry7
+xclcIzpS3l3+XpHLWQGdALUpxwxDBQAAAAMBAAEAAAGABsfTnKMR0Z5E4Ntkf7BYuiAQbs
+zvQYfUwUlTWabMEWv4BD7ucsTdcFwCMpMKRi+xgQh4mtT6DbafQnL72ba+lzkI/Gw5D0P2
+0pa9QeYs4klGCPtDX+9YZnHNTjCJJykHcjqZEAravHI+PvONlTnqHgwEnC/pP3obSKd6WO
+UA0H9QZ6I+I1hFcJ3jMVT1thMkhyjNzhRcsw0aSdTE8Z7LGT5RUAjZL5b2FTaK+C8OTOqb
+MhlewV/h9XWsxmLUpt0277I8ShvjJbJg6TEPJh6D7FRTU+tY4rjGK12DP9lVq6M7Md4ULV
+JW3aW350xVV2p9031HLDUfWs7dqZ5ufoD3EopOVZGvfGAE3C4aHvJB5D6K7wG7ptWsPgte
+EcCz84DpsoJ7KICTs8QoXt5bl68qnW3YvzCcqZc7DjLdKNh/wzjdMdzx8AMS4yBF2ceOSE
+I7Og9UZZtmGzZ0g4Dhg3jMUyWBA++sUayJUqg0izzA/htt+tVd9ABMkJOufcCpnuPRAAAA
+wCdCy66KXCLx5HCMIsd2/TdbGAZnuirYCn9ee3T5xhJyZjmwIfmZEXUuENKq8e+vYldwey
+EjdnevM+OCTc8xo77yowgYRBzguDa2R9UH3bg9cWZIpQGzXmnL35Dux4nZPUKs69WMht92
+bpRh9roPs2M5tSAcSpmfohFYhMwRxqVooSeSg+kGE4dCXnVqK1tURExnqKy8CkoDW4fhbH
+HNmPsBnbdTNtfAlg8MO1v1Hk+/+6mpNhiJ7bKF4au9lm+QHgAAAMEA11frEHqordrzlTRg
+kmqGq9qaORev2g/7n719DlXb2HjGfy5gK9iUCxsgGN6GiFF0mUD7hMY6UMIVfsC/Rm07aE
+700u7OJAm8AcnFkEANlZ3ucWltnumVtxyMBlKq7PxkcIG5X+nJ6N8oVw3zZTsjaYCMe1s1
+806oE5D3GZk10pnfVIrY9DFZBtT3+mBpF2uQZk0ZSwh8Hh9xGFGxsm6blkgpcip7v+26PR
+hqA88WlXAPMnvFpXthr0mny+cy7Q59AAAAwQDpzWi1Prhi3JtVolyac/ygvzje4lhuz5ei
+3pC7b1cepdFoQCS33tixwfzqKCp6RfHrtrKzZMqREaX5sor1Hha7S+Vo+KLtZWkFUONTHR
+987wmXIu8ziRWKBeuk6g9OSXI5w8hyLwn4XLEeVri4fAUIUwpi4B0Eazp4P/9AUf1188xz
+a4ACWXDYkUFoLQo9J07HWDhKbEKFZVlIznyfmLVXc8JEzwrPThW+viGK1AFi9FxeLB4QmK
+PkAC2GY5AmhSkAAAALaGVsbG8gd29ybGQ=
+-----END OPENSSH PRIVATE KEY-----

src-tauri/src/credentials/fixtures/ssh_rsa_plain.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEq85taUAJEuutUnczQB4w6/PclDO3nI40PXr74ZqfMJk0giV32YBzRrSNT7BgTQItqCblYkY15M4ZhRql0w39IAfembBK5MLwCCPf/DyN3mLwdIMcH4kDBnyD3M19nO6GQ8k8UpH2tQR/U2RqN8hAmJNP/eWIK13XaWzdxEIcOeKJR2jP1mUM5YXjWj9zmwFWUKpGmr3vxph+Vdr+x9QLQ4hlTtMgXRhSjYgZJ8QsviEMz29JqQYZrW5qy/F2jX7FL/nLhb5ge5QUlhVmKSAWh1FkwcHR+9TDVp1EJKfxnQQ6vN7lBXPfxPx/LCcYqnZSj6ImwN1VMNxwXDCQHhveiP5cw1yuWriCbR5/lw2+0KD36YM8/HMjofEyNSjVzDwArrmBZdZ3yvZL1pcpEyJk2XG1xJHQrq9TqtItA3VrLkN1RQLoRIgRfuu5YszfXfWWgsHpukctWrm4PbKGLn6jgOj9IN6TaMq8u8XJXCM6Ut5d/l6Ry1kBnQC1KccMQwU= hello world

src-tauri/src/credentials/mod.rs

@@ -14,14 +14,20 @@ use crate::errors::*;
 mod aws;
 pub use aws::{AwsBaseCredential, AwsSessionCredential};
 
+mod crypto;
+pub use crypto::Crypto;
+
+mod docker;
+pub use docker::DockerCredential;
+
 mod record;
 pub use record::CredentialRecord;
 
 mod session;
 pub use session::AppSession;
 
-mod crypto;
-pub use crypto::Crypto;
+mod ssh;
+pub use ssh::SshKey;
 
 
 #[derive(Debug, Clone, Eq, PartialEq, Serialize, Deserialize)]
@@ -29,6 +35,8 @@ pub use crypto::Crypto;
 pub enum Credential {
     AwsBase(AwsBaseCredential),
     AwsSession(AwsSessionCredential),
+    Docker(DockerCredential),
+    Ssh(SshKey),
 }
 
 
@@ -95,15 +103,15 @@ pub trait PersistentCredential: for<'a> Deserialize<'a> + Sized {
     async fn list(crypto: &Crypto, pool: &SqlitePool) -> Result<Vec<(Uuid, Credential)>, LoadCredentialsError> {
         let q = format!(
             "SELECT details.*
-            FROM 
+            FROM
                 {} details
                 JOIN credentials c
                     ON c.id = details.id
-             ORDER BY c.created_at", 
+             ORDER BY c.created_at",
              Self::table_name(),
         );
         let mut rows = sqlx::query_as::<_, Self::Row>(&q).fetch(pool);
-        
+
         let mut creds = Vec::new();
         while let Some(row) = rows.try_next().await? {
             let id = Self::row_id(&row);

src-tauri/src/credentials/record.rs

@@ -20,11 +20,14 @@ use super::{
     AwsBaseCredential,
     Credential,
     Crypto,
+    DockerCredential,
     PersistentCredential,
+    SshKey,
 };
 
 
 #[derive(Debug, Clone, FromRow)]
+#[allow(dead_code)]
 struct CredentialRow {
     id: Uuid,
     name: String,
@@ -38,16 +41,18 @@ struct CredentialRow {
 pub struct CredentialRecord {
     #[serde(serialize_with = "serialize_uuid")]
     #[serde(deserialize_with = "deserialize_uuid")]
-    id: Uuid, // UUID so it can be generated on the frontend
-    name: String, // user-facing identifier so it can be changed
-    is_default: bool,
-    credential: Credential,
+    pub id: Uuid, // UUID so it can be generated on the frontend
+    pub name: String, // user-facing identifier so it can be changed
+    pub is_default: bool,
+    pub credential: Credential,
 }
 
 impl CredentialRecord {
     pub async fn save(&self, crypto: &Crypto, pool: &SqlitePool) -> Result<(), SaveCredentialsError> {
         let type_name = match &self.credential {
             Credential::AwsBase(_) => AwsBaseCredential::type_name(),
+            Credential::Ssh(_) => SshKey::type_name(),
+            Credential::Docker(_) => DockerCredential::type_name(),
             _ => return Err(SaveCredentialsError::NotPersistent),
         };
 
@@ -82,6 +87,8 @@ impl CredentialRecord {
         // save credential details to child table
         match &self.credential {
             Credential::AwsBase(b) => b.save_details(&self.id, crypto, &mut txn).await,
+            Credential::Ssh(s) => s.save_details(&self.id, crypto, &mut txn).await,
+            Credential::Docker(d) => d.save_details(&self.id, crypto, &mut txn).await,
             _ => Err(SaveCredentialsError::NotPersistent),
         }?;
 
@@ -108,6 +115,7 @@ impl CredentialRecord {
         Ok(Self::from_parts(row, credential))
     }
 
+    #[cfg(test)]
     pub async fn load(id: &Uuid, crypto: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError> {
         let row: CredentialRow = sqlx::query_as("SELECT * FROM credentials WHERE id = ?")
             .bind(id)
@@ -118,9 +126,19 @@ impl CredentialRecord {
         Self::load_credential(row, crypto, pool).await
     }
 
+    pub async fn load_by_name(name: &str, crypto: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError> {
+        let row: CredentialRow = sqlx::query_as("SELECT * FROM credentials WHERE name = ?")
+            .bind(name)
+            .fetch_optional(pool)
+            .await?
+            .ok_or(LoadCredentialsError::NoCredentials)?;
+
+        Self::load_credential(row, crypto, pool).await
+    }
+
     pub async fn load_default(credential_type: &str, crypto: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError> {
         let row: CredentialRow = sqlx::query_as(
-            "SELECT * FROM credentials 
+            "SELECT * FROM credentials
             WHERE credential_type = ? AND is_default = 1"
         ).bind(credential_type)
             .fetch_optional(pool)
@@ -147,6 +165,16 @@ impl CredentialRecord {
                 .ok_or(LoadCredentialsError::InvalidData)?;
             records.push(Self::from_parts(parent, credential));
         }
+        for (id, credential) in SshKey::list(crypto, pool).await? {
+            let parent = parent_map.remove(&id)
+                .ok_or(LoadCredentialsError::InvalidData)?;
+            records.push(Self::from_parts(parent, credential));
+        }
+        for (id, credential) in DockerCredential::list(crypto, pool).await? {
+            let parent = parent_map.remove(&id)
+                .ok_or(LoadCredentialsError::InvalidData)?;
+            records.push(Self::from_parts(parent, credential));
+        }
 
         Ok(records)
     }
@@ -260,7 +288,7 @@ mod tests {
 
 
     #[sqlx::test]
-    async fn test_save_load(pool: SqlitePool) {
+    async fn test_save_load_aws(pool: SqlitePool) {
         let crypt = Crypto::random();
         let mut record = aws_record();
         record.id = random_uuid();
@@ -400,7 +428,7 @@ mod uuid_tests {
     #[test]
     fn test_serialize_deserialize_uuid() {
         let buf = Crypto::salt();
-        let expected = UuidWrapper{ 
+        let expected = UuidWrapper{
             id: Uuid::from_slice(&buf[..16]).unwrap()
         };
         let serialized = serde_json::to_string(&expected).unwrap();

src-tauri/src/credentials/session.rs

@@ -97,24 +97,4 @@ impl AppSession {
             Self::Unlocked {crypto, ..} => Ok(crypto),
         }
     }
-
-    pub fn try_encrypt(&self, data: &[u8]) -> Result<(XNonce, Vec<u8>), GetCredentialsError> {
-        let crypto = match self {
-            Self::Empty => return Err(GetCredentialsError::Empty),
-            Self::Locked {..} => return Err(GetCredentialsError::Locked),
-            Self::Unlocked {crypto, ..} => crypto,
-        };
-        let res = crypto.encrypt(data)?;
-        Ok(res)
-    }
-
-    pub fn try_decrypt(&self, nonce: XNonce, data: &[u8]) -> Result<Vec<u8>, GetCredentialsError> {
-        let crypto = match self {
-            Self::Empty => return Err(GetCredentialsError::Empty),
-            Self::Locked {..} => return Err(GetCredentialsError::Locked),
-            Self::Unlocked {crypto, ..} => crypto,
-        };
-        let res = crypto.decrypt(&nonce, data)?;
-        Ok(res)
-    }
 }

src-tauri/src/credentials/ssh.rs

@@ -0,0 +1,481 @@
+use std::fmt::{self, Formatter};
+
+use chacha20poly1305::XNonce;
+use serde::{
+    Deserialize,
+    Deserializer,
+    Serialize,
+    Serializer,
+};
+use serde::ser::{
+    Error as SerError,
+    SerializeStruct,
+};
+use serde::de::{self, Visitor};
+use sha2::{Sha256, Sha512};
+use signature::{Signer, SignatureEncoding};
+use sqlx::{
+    FromRow,
+    Sqlite,
+    SqlitePool,
+    Transaction,
+    types::Uuid,
+};
+use ssh_agent_lib::proto::message::{
+    Identity,
+    SignRequest,
+};
+use ssh_encoding::Encode;
+use ssh_key::{
+    Algorithm,
+    LineEnding,
+    private::{PrivateKey, KeypairData},
+    public::PublicKey,
+};
+use tokio_stream::StreamExt;
+
+use crate::errors::*;
+use super::{
+    Credential,
+    Crypto,
+    PersistentCredential,
+};
+
+
+#[derive(Debug, Clone, FromRow)]
+pub struct SshRow {
+    id: Uuid,
+    algorithm: String,
+    comment: String,
+    public_key: Vec<u8>,
+    private_key_enc: Vec<u8>,
+    nonce: Vec<u8>,
+}
+
+
+#[derive(Debug, Clone, Eq, PartialEq, Deserialize)]
+pub struct SshKey {
+    #[serde(deserialize_with = "deserialize_algorithm")]
+    pub algorithm: Algorithm,
+    pub comment: String,
+    #[serde(deserialize_with = "deserialize_pubkey")]
+    pub public_key: PublicKey,
+    #[serde(deserialize_with = "deserialize_privkey")]
+    pub private_key: PrivateKey,
+}
+
+impl SshKey {
+    pub fn from_file(path: &str, passphrase: &str) -> Result<SshKey, LoadSshKeyError> {
+        let mut privkey = PrivateKey::read_openssh_file(path.as_ref())?;
+        if privkey.is_encrypted() {
+            privkey = privkey.decrypt(passphrase)
+                .map_err(|_| LoadSshKeyError::InvalidPassphrase)?;
+        }
+
+        Ok(SshKey {
+            algorithm: privkey.algorithm(),
+            comment: privkey.comment().into(),
+            public_key: privkey.public_key().clone(),
+            private_key: privkey,
+        })
+    }
+
+    pub fn from_private_key(private_key: &str, passphrase: &str) -> Result<SshKey, LoadSshKeyError> {
+        let mut privkey = PrivateKey::from_openssh(private_key)?;
+        if privkey.is_encrypted() {
+            privkey = privkey.decrypt(passphrase)
+                .map_err(|_| LoadSshKeyError::InvalidPassphrase)?;
+        }
+
+        Ok(SshKey {
+            algorithm: privkey.algorithm(),
+            comment: privkey.comment().into(),
+            public_key: privkey.public_key().clone(),
+            private_key: privkey,
+        })
+    }
+
+    pub async fn name_from_pubkey(pubkey: &[u8], pool: &SqlitePool) -> Result<String, LoadCredentialsError> {
+        let row = sqlx::query!(
+            "SELECT c.name
+            FROM credentials c
+            JOIN ssh_credentials s
+                ON s.id = c.id
+            WHERE s.public_key = ?",
+            pubkey
+        ).fetch_optional(pool)
+            .await?
+            .ok_or(LoadCredentialsError::NoCredentials)?;
+
+        Ok(row.name)
+    }
+
+    pub async fn list_identities(pool: &SqlitePool) -> Result<Vec<Identity>, LoadCredentialsError> {
+        let mut rows = sqlx::query!(
+            "SELECT public_key, comment FROM ssh_credentials"
+        ).fetch(pool);
+
+        let mut identities = Vec::new();
+        while let Some(row) = rows.try_next().await? {
+            identities.push(Identity {
+                pubkey_blob: row.public_key,
+                comment: row.comment,
+            });
+        }
+
+        Ok(identities)
+    }
+
+    pub fn sign_request(&self, req: &SignRequest) -> Result<Vec<u8>, HandlerError> {
+        let mut sig = Vec::new();
+        match self.private_key.key_data() {
+            KeypairData::Rsa(keypair) => {
+                // 2 is the flag value for `SSH_AGENT_RSA_SHA2_256`
+                if req.flags & 2 > 0 {
+                    let signer = rsa::pkcs1v15::SigningKey::<Sha256>::try_from(keypair)?;
+                    let sig_data = signer.try_sign(&req.data)?.to_vec();
+                    "rsa-sha-256".encode(&mut sig)?;
+                    sig_data.encode(&mut sig)?;
+                }
+                else {
+                    let signer = rsa::pkcs1v15::SigningKey::<Sha512>::try_from(keypair)?;
+                    let sig_data = signer.try_sign(&req.data)?.to_vec();
+                    "rsa-sha2-512".encode(&mut sig)?;
+                    sig_data.encode(&mut sig)?;
+                }
+            },
+            _ => {
+                let sig_data = self.private_key.try_sign(&req.data)?;
+                self.algorithm.as_str().encode(&mut sig)?;
+                sig_data.as_bytes().encode(&mut sig)?;
+            },
+        }
+        Ok(sig)
+    }
+}
+
+
+impl PersistentCredential for SshKey {
+    type Row = SshRow;
+
+    fn type_name() -> &'static str { "ssh" }
+
+    fn into_credential(self) -> Credential { Credential::Ssh(self) }
+
+    fn row_id(row: &SshRow) -> Uuid { row.id }
+
+    fn from_row(row: SshRow, crypto: &Crypto) -> Result<Self, LoadCredentialsError> {
+        let nonce = XNonce::clone_from_slice(&row.nonce);
+        let privkey_bytes = crypto.decrypt(&nonce, &row.private_key_enc)?;
+
+
+        let algorithm = Algorithm::new(&row.algorithm)
+            .map_err(|_| LoadCredentialsError::InvalidData)?;
+        let public_key = PublicKey::from_bytes(&row.public_key)
+            .map_err(|_| LoadCredentialsError::InvalidData)?;
+        let private_key = PrivateKey::from_bytes(&privkey_bytes)
+            .map_err(|_| LoadCredentialsError::InvalidData)?;
+
+        Ok(SshKey {
+            algorithm,
+            comment: row.comment,
+            public_key,
+            private_key,
+        })
+    }
+
+    async fn save_details(&self, id: &Uuid, crypto: &Crypto, txn: &mut Transaction<'_, Sqlite>) -> Result<(), SaveCredentialsError> {
+        let alg = self.algorithm.as_str();
+        let pubkey_bytes = self.public_key.to_bytes()?;
+        let privkey_bytes = self.private_key.to_bytes()?;
+        let (nonce, ciphertext) = crypto.encrypt(privkey_bytes.as_ref())?;
+        let nonce_bytes = nonce.as_slice();
+
+        sqlx::query!(
+            "INSERT OR REPLACE INTO ssh_credentials (
+                id,
+                algorithm,
+                comment,
+                public_key,
+                private_key_enc,
+                nonce
+            )
+            VALUES (?, ?, ?, ?, ?, ?)",
+            id, alg, self.comment, pubkey_bytes, ciphertext, nonce_bytes,
+        ).execute(&mut **txn).await?;
+
+        Ok(())
+    }
+}
+
+
+impl Serialize for SshKey {
+    fn serialize<S: Serializer>(&self, s: S) -> Result<S::Ok, S::Error> {
+        let mut key = s.serialize_struct("SshKey", 5)?;
+        key.serialize_field("algorithm", self.algorithm.as_str())?;
+        key.serialize_field("comment", &self.comment)?;
+
+        let pubkey_str = self.public_key.to_openssh()
+            .map_err(|e| S::Error::custom(format!("Failed to encode SSH public key: {e}")))?;
+        key.serialize_field("public_key", &pubkey_str)?;
+
+        let privkey_str = self.private_key.to_openssh(LineEnding::LF)
+            .map_err(|e| S::Error::custom(format!("Failed to encode SSH private key: {e}")))?;
+        key.serialize_field::<str>("private_key", privkey_str.as_ref())?;
+
+        key.end()
+    }
+}
+
+
+struct PubkeyVisitor;
+
+impl<'de> Visitor<'de> for PubkeyVisitor {
+    type Value = PublicKey;
+
+    fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
+        write!(formatter, "an OpenSSH-encoded public key, e.g. `ssh-rsa ...`")
+    }
+
+    fn visit_str<E: de::Error>(self, v: &str) -> Result<Self::Value, E> {
+        PublicKey::from_openssh(v)
+            .map_err(|e| E::custom(format!("{e}")))
+    }
+}
+
+fn deserialize_pubkey<'de, D>(deserializer: D) -> Result<PublicKey, D::Error>
+    where D: Deserializer<'de>
+{
+    deserializer.deserialize_str(PubkeyVisitor)
+}
+
+
+struct PrivkeyVisitor;
+
+impl<'de> Visitor<'de> for PrivkeyVisitor {
+    type Value = PrivateKey;
+
+    fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
+        write!(formatter, "an OpenSSH-encoded private key")
+    }
+
+    fn visit_str<E: de::Error>(self, v: &str) -> Result<Self::Value, E> {
+        PrivateKey::from_openssh(v)
+            .map_err(|e| E::custom(format!("{e}")))
+    }
+}
+
+fn deserialize_privkey<'de, D>(deserializer: D) -> Result<PrivateKey, D::Error>
+    where D: Deserializer<'de>
+{
+    deserializer.deserialize_str(PrivkeyVisitor)
+}
+
+
+struct AlgorithmVisitor;
+
+impl<'de> Visitor<'de> for AlgorithmVisitor {
+    type Value = Algorithm;
+
+    fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
+        write!(formatter, "an SSH key algorithm identifier, e.g. `ssh-rsa`")
+    }
+
+    fn visit_str<E: de::Error>(self, v: &str) -> Result<Self::Value, E> {
+        Algorithm::new(v)
+            .map_err(|e| E::custom(format!("{e}")))
+    }
+}
+
+fn deserialize_algorithm<'de, D>(deserializer: D) -> Result<Algorithm, D::Error>
+    where D: Deserializer<'de>
+{
+    deserializer.deserialize_str(AlgorithmVisitor)
+}
+
+
+
+#[cfg(test)]
+mod tests {
+    use std::fs::{self, File};
+    use sqlx::types::uuid::uuid;
+    use crate::credentials::CredentialRecord;
+
+    use super::*;
+
+    fn path(name: &str) -> String {
+        format!("./src/credentials/fixtures/{name}")
+    }
+
+    fn random_uuid() -> Uuid {
+        let bytes = Crypto::salt();
+        Uuid::from_slice(&bytes[..16]).unwrap()
+    }
+
+    fn rsa_plain() -> SshKey {
+        SshKey::from_file(&path("ssh_rsa_plain"), "")
+            .expect("Failed to load SSH key")
+    }
+
+    fn rsa_enc() -> SshKey {
+        SshKey::from_file(
+            &path("ssh_rsa_enc"),
+            "correct horse battery staple"
+        ).expect("Failed to load SSH key")
+    }
+
+    fn ed25519_plain() -> SshKey {
+        SshKey::from_file(&path("ssh_ed25519_plain"), "")
+            .expect("Failed to load SSH key")
+    }
+
+    fn ed25519_enc() -> SshKey {
+        SshKey::from_file(
+            &path("ssh_ed25519_enc"),
+            "correct horse battery staple"
+        ).expect("Failed to load SSH key")
+    }
+
+
+    #[test]
+    fn test_from_file_rsa_plain() {
+        let k = rsa_plain();
+        assert_eq!(k.algorithm.as_str(), "ssh-rsa");
+        assert_eq!(&k.comment, "hello world");
+
+        assert_eq!(
+            k.public_key.fingerprint(Default::default()),
+            k.private_key.fingerprint(Default::default()),
+        );
+        assert_eq!(
+            k.private_key.fingerprint(Default::default()).as_bytes(),
+            [90,162,92,235,160,164,88,179,144,234,84,135,1,249,9,206,
+            201,172,233,129,82,11,145,191,186,144,209,43,81,119,197,18],
+        );
+    }
+
+
+    #[test]
+    fn test_from_file_rsa_enc() {
+        let k = rsa_enc();
+        assert_eq!(k.algorithm.as_str(), "ssh-rsa");
+        assert_eq!(&k.comment, "hello world");
+
+        assert_eq!(
+            k.public_key.fingerprint(Default::default()),
+            k.private_key.fingerprint(Default::default()),
+        );
+        assert_eq!(
+            k.private_key.fingerprint(Default::default()).as_bytes(),
+            [254,147,219,185,96,234,125,190,195,128,37,243,214,193,8,162,
+            34,237,126,199,241,91,195,251,232,84,144,120,25,63,224,157],
+        );
+    }
+
+
+    #[test]
+    fn test_from_file_ed25519_plain() {
+        let k = ed25519_plain();
+        assert_eq!(k.algorithm.as_str(),"ssh-ed25519");
+        assert_eq!(&k.comment, "hello world");
+
+        assert_eq!(
+            k.public_key.fingerprint(Default::default()),
+            k.private_key.fingerprint(Default::default()),
+        );
+        assert_eq!(
+            k.private_key.fingerprint(Default::default()).as_bytes(),
+            [29,30,193,72,239,167,35,89,1,206,126,186,123,112,78,187,
+            240,59,1,15,107,189,72,30,44,64,114,216,32,195,22,201],
+        );
+    }
+
+
+    #[test]
+    fn test_from_file_ed25519_enc() {
+        let k = ed25519_enc();
+        assert_eq!(k.algorithm.as_str(), "ssh-ed25519");
+        assert_eq!(&k.comment, "hello world");
+
+        assert_eq!(
+            k.public_key.fingerprint(Default::default()),
+            k.private_key.fingerprint(Default::default()),
+        );
+        assert_eq!(
+            k.private_key.fingerprint(Default::default()).as_bytes(),
+            [87,233,161,170,18,47,245,116,30,177,120,211,248,54,65,255,
+            41,45,113,107,182,221,189,167,110,9,245,254,44,6,118,141],
+        );
+    }
+
+
+    #[test]
+    fn test_serialize() {
+        let expected = fs::read_to_string(path("ssh_ed25519_plain.json")).unwrap();
+
+        let k = ed25519_plain();
+        let computed = serde_json::to_string(&k)
+            .expect("Failed to serialize SshKey");
+
+        assert_eq!(expected, computed);
+    }
+
+
+    #[test]
+    fn test_deserialize() {
+        let expected = ed25519_plain();
+
+        let json_file = File::open(path("ssh_ed25519_plain.json")).unwrap();
+        let computed = serde_json::from_reader(json_file)
+            .expect("Failed to deserialize json file");
+
+        assert_eq!(expected, computed);
+    }
+
+
+    #[sqlx::test]
+    async fn test_save_db(pool: SqlitePool) {
+        let crypto = Crypto::random();
+        let record = CredentialRecord {
+            id: random_uuid(),
+            name: "save_test".into(),
+            is_default: false,
+            credential: Credential::Ssh(rsa_plain()),
+        };
+        record.save(&crypto, &pool).await
+            .expect("Failed to save SSH key CredentialRecord to database");
+    }
+
+
+    #[sqlx::test(fixtures("ssh_credentials"))]
+    async fn test_load_db(pool: SqlitePool) {
+        let crypto = Crypto::fixed();
+        let id = uuid!("11111111-1111-1111-1111-111111111111");
+        SshKey::load(&id, &crypto, &pool).await
+            .expect("Failed to load SSH key from database");
+    }
+
+
+    #[sqlx::test]
+    async fn test_save_load_db(pool: SqlitePool) {
+        let crypto = Crypto::random();
+
+        let id = random_uuid();
+        let record = CredentialRecord {
+            id,
+            name: "save_load_test".into(),
+            is_default: false,
+            credential: Credential::Ssh(ed25519_plain()),
+        };
+
+        record.save(&crypto, &pool).await.unwrap();
+        let loaded = SshKey::load(&id, &crypto, &pool).await.unwrap();
+        let known = ed25519_plain();
+
+        assert_eq!(known.algorithm, loaded.algorithm);
+        assert_eq!(known.comment, loaded.comment);
+        // comment gets stripped by saving as bytes, so we just compare raw key data
+        assert_eq!(known.public_key.key_data(), loaded.public_key.key_data());
+        assert_eq!(known.private_key, loaded.private_key);
+    }
+}

src-tauri/src/errors.rs

@@ -36,7 +36,7 @@ pub trait ShowError<T, E>
     fn error_print_prefix(self, prefix: &str);
 }
 
-impl<T, E> ShowError<T, E> for Result<T, E> 
+impl<T, E> ShowError<T, E> for Result<T, E>
 where E: std::fmt::Display
 {
     fn error_popup(self, title: &str) {
@@ -91,7 +91,7 @@ impl<E: Error> Serialize for SerializeUpstream<E> {
     }
 }
 
-fn serialize_upstream_err<E, M>(err: &E, map: &mut M) -> Result<(), M::Error> 
+fn serialize_upstream_err<E, M>(err: &E, map: &mut M) -> Result<(), M::Error>
 where
     E: Error,
     M: serde::ser::SerializeMap,
@@ -191,6 +191,14 @@ pub enum HandlerError {
     NoMainWindow,
     #[error("Request was denied")]
     Denied,
+    #[error(transparent)]
+    SshAgent(#[from] ssh_agent_lib::error::AgentError),
+    #[error(transparent)]
+    SshKey(#[from] ssh_key::Error),
+    #[error(transparent)]
+    Signature(#[from] signature::Error),
+    #[error(transparent)]
+    Encoding(#[from] ssh_encoding::Error),
 }
 
 
@@ -277,6 +285,8 @@ pub enum SaveCredentialsError {
     NotPersistent,
     #[error("A credential with that name already exists")]
     Duplicate,
+    #[error("Failed to save credentials: {0}")]
+    Encode(#[from] ssh_key::Error),
     // rekeying is fundamentally a save operation,
     // but involves loading in order to re-save
     #[error(transparent)]
@@ -332,6 +342,8 @@ pub enum ClientInfoError {
     #[cfg(windows)]
     #[error("Could not determine PID of connected client")]
     WindowsError(#[from] windows::core::Error),
+    #[error("Could not determine PID of connected client")]
+    PidNotFound,
     #[error(transparent)]
     Io(#[from] std::io::Error),
 }
@@ -358,7 +370,7 @@ pub enum RequestError {
     #[error("Error response from server: {0}")]
     Server(ServerError),
     #[error("Unexpected response from server")]
-    Unexpected(crate::server::Response),
+    Unexpected(crate::srv::CliResponse),
     #[error("The server did not respond with valid JSON")]
     InvalidJson(#[from] serde_json::Error),
     #[error("Error reading/writing stream: {0}")]
@@ -410,6 +422,17 @@ pub enum LaunchTerminalError {
 }
 
 
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum LoadSshKeyError {
+    #[error("Passphrase is invalid")]
+    InvalidPassphrase,
+    #[error("Could not parse SSH private key data")]
+    InvalidData(#[from] ssh_key::Error),
+    #[error(transparent)]
+    Io(#[from] std::io::Error),
+}
+
+
 // =========================
 // Serialize implementations
 // =========================
@@ -436,6 +459,7 @@ impl_serialize_basic!(WindowError);
 impl_serialize_basic!(LockError);
 impl_serialize_basic!(SaveCredentialsError);
 impl_serialize_basic!(LoadCredentialsError);
+impl_serialize_basic!(LoadSshKeyError);
 
 
 impl Serialize for HandlerError {

src-tauri/src/ipc.rs

@@ -5,7 +5,8 @@ use tauri::{AppHandle, State};
 use crate::config::AppConfig;
 use crate::credentials::{
     AppSession,
-    CredentialRecord
+    CredentialRecord,
+    SshKey,
 };
 use crate::errors::*;
 use crate::clientinfo::Client;
@@ -17,6 +18,7 @@ use crate::terminal;
 pub struct AwsRequestNotification {
     pub id: u64,
     pub client: Client,
+    pub name: Option<String>,
     pub base: bool,
 }
 
@@ -37,8 +39,8 @@ pub enum RequestNotification {
 }
 
 impl RequestNotification {
-    pub fn new_aws(id: u64, client: Client, base: bool) -> Self {
-        Self::Aws(AwsRequestNotification {id, client, base})
+    pub fn new_aws(id: u64, client: Client, name: Option<String>, base: bool) -> Self {
+        Self::Aws(AwsRequestNotification {id, client, name, base})
     }
 
     pub fn new_ssh(id: u64, client: Client, key_name: String) -> Self {
@@ -134,6 +136,18 @@ pub async fn list_credentials(app_state: State<'_, AppState>) -> Result<Vec<Cred
 }
 
 
+#[tauri::command]
+pub async fn sshkey_from_file(path: &str, passphrase: &str) -> Result<SshKey, LoadSshKeyError> {
+    SshKey::from_file(path, passphrase)
+}
+
+
+#[tauri::command]
+pub async fn sshkey_from_private_key(private_key: &str, passphrase: &str) -> Result<SshKey, LoadSshKeyError> {
+    SshKey::from_private_key(private_key, passphrase)
+}
+
+
 #[tauri::command]
 pub async fn get_config(app_state: State<'_, AppState>) -> Result<AppConfig, ()> {
     let config = app_state.config.read().await;
@@ -152,7 +166,8 @@ pub async fn save_config(config: AppConfig, app_state: State<'_, AppState>) -> R
 
 #[tauri::command]
 pub async fn launch_terminal(base: bool) -> Result<(), LaunchTerminalError> {
-    terminal::launch(base).await
+    let res = terminal::launch(base).await;
+    res
 }
 
 

src-tauri/src/kv.rs

@@ -44,6 +44,8 @@ pub async fn load_bytes(pool: &SqlitePool, name: &str) -> Result<Option<Vec<u8>>
 }
 
 
+// we don't have a need for this right now, but we will some day
+#[cfg(test)]
 pub async fn delete(pool: &SqlitePool, name: &str) -> Result<(), sqlx::Error> {
     sqlx::query!("DELETE FROM kv WHERE name = ?", name)
         .execute(pool)
@@ -52,13 +54,13 @@ pub async fn delete(pool: &SqlitePool, name: &str) -> Result<(), sqlx::Error> {
 }
 
 
-pub async fn delete_multi(pool: &SqlitePool, names: &[&str]) -> Result<(), sqlx::Error> {    
+pub async fn delete_multi(pool: &SqlitePool, names: &[&str]) -> Result<(), sqlx::Error> {
     let placeholder = names.iter()
         .map(|_| "?")
         .collect::<Vec<&str>>()
         .join(",");
     let query = format!("DELETE FROM kv WHERE name IN ({})", placeholder);
-    
+
     let mut q = sqlx::query(&query);
     for name in names {
         q = q.bind(name);
@@ -83,7 +85,7 @@ macro_rules! load_bytes_multi {
                     (
                         // ...with one item for each repetition of $name
                         $(
-                            // load_bytes returns Result<Option<_>>, the Result is handled by 
+                            // load_bytes returns Result<Option<_>>, the Result is handled by
                             // the ? and we match on the Option
                             match crate::kv::load_bytes($pool, $name).await? {
                                 Some(v) => v,
@@ -187,7 +189,7 @@ mod tests {
     async fn test_delete(pool: SqlitePool) {
         delete(&pool, "test_bytes").await
             .expect("Failed to delete data");
-        
+
         let loaded = load_bytes(&pool, "test_bytes").await
             .expect("Failed to load data");
         assert_eq!(loaded, None);

src-tauri/src/lib.rs

@@ -1,5 +1,4 @@
 pub mod app;
-pub mod cli;
 mod config;
 mod credentials;
 pub mod errors;
@@ -7,7 +6,7 @@ mod clientinfo;
 mod ipc;
 mod kv;
 mod state;
-pub mod server;
+mod srv;
 mod shortcuts;
 mod terminal;
 mod tray;

src-tauri/src/main.rs

@@ -3,23 +3,25 @@
     windows_subsystem = "windows"
 )]
 
+
 use creddy::{
     app,
-    cli,
     errors::ShowError,
 };
+use creddy_cli::{Action, Cli};
 
 
 fn main() {
-    let res = match cli::parser().get_matches().subcommand() {
-        None | Some(("run", _)) => {
+    let cli = Cli::parse();
+    let res = match cli.action {
+        None | Some(Action::Run) => {
             app::run().error_popup("Creddy encountered an error");
             Ok(())
         },
-        Some(("get", m)) => cli::get(m),
-        Some(("exec", m)) => cli::exec(m),
-        Some(("shortcut", m)) => cli::invoke_shortcut(m),
-        _ => unreachable!(),
+        Some(Action::Get(args)) => creddy_cli::get(args, cli.global_args),
+        Some(Action::Exec(args)) => creddy_cli::exec(args, cli.global_args),
+        Some(Action::Shortcut(args)) => creddy_cli::invoke_shortcut(args, cli.global_args),
+        Some(Action::Docker(cmd)) => creddy_cli::docker_credential_helper(cmd, cli.global_args),
     };
 
     if let Err(e) = res {

src-tauri/src/server/server_unix.rs

@@ -1,58 +0,0 @@
-use std::io::ErrorKind;
-use tokio::net::{UnixListener, UnixStream};
-use tauri::{
-    AppHandle,
-    async_runtime as rt,
-};
-
-use crate::errors::*;
-
-
-pub type Stream = UnixStream;
-
-
-pub struct Server {
-    listener: UnixListener,
-    app_handle: AppHandle,
-}
-
-impl Server {
-    pub fn start(app_handle: AppHandle) -> std::io::Result<()> {
-        match std::fs::remove_file("/tmp/creddy.sock") {
-            Ok(_) => (),
-            Err(e) if e.kind() == ErrorKind::NotFound => (),
-            Err(e) => return Err(e),
-        }
-
-        let listener = UnixListener::bind("/tmp/creddy.sock")?;
-        let srv = Server { listener, app_handle };
-        rt::spawn(srv.serve());
-        Ok(())
-    }
-
-    async fn serve(self) {
-        loop {
-            self.try_serve()
-                .await
-                .error_print_prefix("Error accepting request: ");
-        }
-    }
-
-    async fn try_serve(&self) -> Result<(), HandlerError> {
-        let (stream, _addr) = self.listener.accept().await?;
-        let new_handle = self.app_handle.clone();
-        let client_pid = get_client_pid(&stream)?;
-        rt::spawn(async move {
-            super::handle(stream, new_handle, client_pid)
-                .await
-                .error_print_prefix("Error responding to request: ");
-        });
-        Ok(())
-    }
-}
-
-
-fn get_client_pid(stream: &UnixStream) -> std::io::Result<u32> {
-    let cred = stream.peer_cred()?;
-    Ok(cred.pid().unwrap() as u32)
-}

src-tauri/src/server/server_win.rs

@@ -1,74 +0,0 @@
-use tokio::net::windows::named_pipe::{
-    NamedPipeServer,
-    ServerOptions,
-};
-
-use tauri::{AppHandle, Manager};
-
-use windows::Win32:: {
-    Foundation::HANDLE,
-    System::Pipes::GetNamedPipeClientProcessId,
-};
-
-use std::os::windows::io::AsRawHandle;
-
-use tauri::async_runtime as rt;
-
-use crate::errors::*;
-
-
-// used by parent module
-pub type Stream = NamedPipeServer;
-
-
-pub struct Server {
-    listener: NamedPipeServer,
-    app_handle: AppHandle,
-}
-
-impl Server {
-    pub fn start(app_handle: AppHandle) -> std::io::Result<()> {
-        let listener = ServerOptions::new()
-            .first_pipe_instance(true)
-            .create(r"\\.\pipe\creddy-requests")?;
-
-        let srv = Server {listener, app_handle};
-        rt::spawn(srv.serve());
-        Ok(())
-    }
-
-    async fn serve(mut self) {
-        loop {
-            if let Err(e) = self.try_serve().await {
-                eprintln!("Error accepting connection: {e}");
-            }
-        }
-    }
-
-    async fn try_serve(&mut self) -> Result<(), HandlerError> {
-        // connect() just waits for a client to connect, it doesn't return anything
-        self.listener.connect().await?;
-
-        // create a new pipe instance to listen for the next client, and swap it in
-        let new_listener = ServerOptions::new().create(r"\\.\pipe\creddy-requests")?;
-        let stream = std::mem::replace(&mut self.listener, new_listener);
-        let new_handle = self.app_handle.clone();
-        let client_pid = get_client_pid(&stream)?;
-        rt::spawn(async move {
-            super::handle(stream, new_handle, client_pid)
-                .await
-                .error_print_prefix("Error responding to request: ");
-        });
-
-        Ok(())
-    }
-}
-
-
-fn get_client_pid(pipe: &NamedPipeServer) -> Result<u32, ClientInfoError> {
-    let raw_handle = pipe.as_raw_handle();
-    let mut pid = 0u32;
-    let handle = HANDLE(raw_handle as _);
-    unsafe { GetNamedPipeClientProcessId(handle, &mut pid as *mut u32)? };
-    Ok(pid)
-}

src-tauri/src/server/ssh_agent.rs

@@ -1,77 +0,0 @@
-use signature::Signer;
-use ssh_agent_lib::agent::{Agent, Session};
-use ssh_agent_lib::proto::message::Message;
-use ssh_key::public::PublicKey;
-use ssh_key::private::PrivateKey;
-use tokio::net::UnixListener;
-
-
-struct SshAgent;
-
-impl std::default::Default for SshAgent {
-    fn default() -> Self {
-        SshAgent {}
-    }
-}
-
-#[ssh_agent_lib::async_trait]
-impl Session for SshAgent {
-    async fn handle(&mut self, message: Message) -> Result<Message, Box<dyn std::error::Error>> {
-        println!("Received message");
-        match message {
-            Message::RequestIdentities => {
-                let p = std::path::PathBuf::from("/home/joe/.ssh/id_ed25519.pub");
-                let pubkey = PublicKey::read_openssh_file(&p).unwrap();
-                let id = ssh_agent_lib::proto::message::Identity {
-                    pubkey_blob: pubkey.to_bytes().unwrap(),
-                    comment: pubkey.comment().to_owned(),
-                };
-                Ok(Message::IdentitiesAnswer(vec![id]))
-            },
-            Message::SignRequest(req) => {
-                println!("Received sign request");
-                let mut req_bytes = vec![13];
-                encode_string(&mut req_bytes, &req.pubkey_blob);
-                encode_string(&mut req_bytes, &req.data);
-                req_bytes.extend(req.flags.to_be_bytes());
-                std::fs::File::create("/tmp/signreq").unwrap().write(&req_bytes).unwrap();
-
-                let p = std::path::PathBuf::from("/home/joe/.ssh/id_ed25519");
-                let passphrase = std::env::var("PRIVKEY_PASSPHRASE").unwrap();
-                let privkey = PrivateKey::read_openssh_file(&p)
-                    .unwrap()
-                    .decrypt(passphrase.as_bytes())
-                    .unwrap();
-
-
-
-                let sig = Signer::sign(&privkey, &req.data);
-                use std::io::Write;
-                std::fs::File::create("/tmp/sig").unwrap().write(sig.as_bytes()).unwrap();
-
-                let mut payload = Vec::with_capacity(128);
-                encode_string(&mut payload, "ssh-ed25519".as_bytes());
-                encode_string(&mut payload, sig.as_bytes());
-                println!("Payload length: {}", payload.len());
-                std::fs::File::create("/tmp/payload").unwrap().write(&payload).unwrap();
-                Ok(Message::SignResponse(payload))
-            },
-            _ => Ok(Message::Failure),
-        }
-    }
-}
-
-
-fn encode_string(buf: &mut Vec<u8>, s: &[u8]) {
-    let len = s.len() as u32;
-    buf.extend(len.to_be_bytes());
-    buf.extend(s);
-}
-
-
-pub async fn run() {
-    let socket = "/tmp/creddy-agent.sock";
-    let _ = std::fs::remove_file(socket);
-    let listener = UnixListener::bind(socket).unwrap();
-    SshAgent.listen(listener).await.unwrap();
-}

src-tauri/src/srv/agent.rs

@@ -0,0 +1,115 @@
+use futures::SinkExt;
+use ssh_agent_lib::agent::MessageCodec;
+use ssh_agent_lib::proto::message::{
+    Message,
+    SignRequest,
+};
+use tauri::{AppHandle, Manager};
+use tokio_stream::StreamExt;
+use tokio::sync::oneshot;
+use tokio_util::codec::Framed;
+
+use crate::clientinfo;
+use crate::errors::*;
+use crate::ipc::{Approval, RequestNotification};
+use crate::state::AppState;
+
+use super::{CloseWaiter, Stream};
+
+
+pub fn serve(app_handle: AppHandle) -> std::io::Result<()> {
+    super::serve("creddy-agent", app_handle, handle)
+}
+
+
+async fn handle(
+    stream: Stream,
+    app_handle: AppHandle,
+    client_pid: u32
+) -> Result<(), HandlerError> {
+    let mut adapter = Framed::new(stream, MessageCodec);
+    while let Some(message) = adapter.try_next().await? {
+        match message {
+            Message::RequestIdentities => {
+                let resp = list_identities(app_handle.clone()).await?;
+                adapter.send(resp).await?;
+            },
+            Message::SignRequest(req) => {
+                // Note: If the client writes more data to the stream *while* at the
+                // same time waiting for a resopnse to a previous request, this will
+                // corrupt the framing. Clients don't seem to behave that way though?
+                let waiter = CloseWaiter { stream: adapter.get_mut() };
+                let resp = sign_request(req, app_handle.clone(), client_pid, waiter).await?;
+                
+                // have to do this before we send since we can't inspect the message after
+                let is_failure = matches!(resp, Message::Failure);
+                adapter.send(resp).await?;
+
+                if is_failure {
+                    // this way we don't get spammed with requests for other keys
+                    // after denying the first
+                    break
+                }
+            },
+            _ => adapter.send(Message::Failure).await?,
+        };
+    }
+    Ok(())
+}
+
+
+async fn list_identities(app_handle: AppHandle) -> Result<Message, HandlerError> {
+    let state = app_handle.state::<AppState>();
+    let identities = state.list_ssh_identities().await?;
+    Ok(Message::IdentitiesAnswer(identities))
+}
+
+
+async fn sign_request(
+    req: SignRequest,
+    app_handle: AppHandle,
+    client_pid: u32,
+    mut waiter: CloseWaiter<'_>,
+) -> Result<Message, HandlerError> {
+    let state = app_handle.state::<AppState>();
+        let rehide_ms = {
+        let config = state.config.read().await;
+        config.rehide_ms
+    };
+    let client = clientinfo::get_client(client_pid, false)?;
+    let lease = state.acquire_visibility_lease(rehide_ms).await
+        .map_err(|_e| HandlerError::NoMainWindow)?;
+
+    let (chan_send, chan_recv) = oneshot::channel();
+    let request_id = state.register_request(chan_send).await;
+
+    let proceed = async {
+        let key_name = state.ssh_name_from_pubkey(&req.pubkey_blob).await?;
+        let notification = RequestNotification::new_ssh(request_id, client, key_name.clone());
+        app_handle.emit("credential-request", &notification)?;
+
+        let response = tokio::select! {
+            r = chan_recv => r?,
+            _ = waiter.wait_for_close() => {
+                app_handle.emit("request-cancelled", request_id)?;
+                return Err(HandlerError::Abandoned);
+            },
+        };
+
+        if let Approval::Denied = response.approval {
+            return Ok(Message::Failure);
+        }
+
+        let key = state.sshkey_by_name(&key_name).await?;
+        let sig = key.sign_request(&req)?;
+        Ok(Message::SignResponse(sig))
+    };
+
+    let res = proceed.await;
+    if let Err(_) = &res {
+        state.unregister_request(request_id).await;
+    }
+
+    lease.release();
+    res
+}

src-tauri/src/srv/creddy_server.rs

@@ -1,74 +1,31 @@
+use tauri::{AppHandle, Manager};
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::sync::oneshot;
 
-use serde::{Serialize, Deserialize};
-
-use tauri::{AppHandle, Manager};
-
-use crate::errors::*;
 use crate::clientinfo::{self, Client};
-use crate::credentials::{
-    AwsBaseCredential,
-    AwsSessionCredential,
-};
+use crate::errors::*;
 use crate::ipc::{Approval, RequestNotification};
-use crate::state::AppState;
 use crate::shortcuts::{self, ShortcutAction};
-
-#[cfg(windows)]
-mod server_win;
-#[cfg(windows)]
-pub use server_win::Server;
-#[cfg(windows)]
-use server_win::Stream;
-
-#[cfg(unix)]
-mod server_unix;
-#[cfg(unix)]
-pub use server_unix::Server;
-#[cfg(unix)]
-use server_unix::Stream;
-
-pub mod ssh_agent;
+use crate::state::AppState;
+use super::{
+    CloseWaiter,
+    CliCredential,
+    CliRequest,
+    CliResponse,
+    Stream,
+};
 
 
-#[derive(Serialize, Deserialize)]
-pub enum Request {
-    GetAwsCredentials{ 
-        base: bool,
-    },
-    InvokeShortcut(ShortcutAction),
+pub fn serve(app_handle: AppHandle) -> std::io::Result<()> {
+    super::serve("creddy-server", app_handle, handle)
 }
 
 
-#[derive(Debug, Serialize, Deserialize)]
-pub enum Response {
-    AwsBase(AwsBaseCredential),
-    AwsSession(AwsSessionCredential),
-    Empty,
-}
-
-
-struct CloseWaiter<'s> {
-    stream: &'s mut Stream,
-}
-
-impl<'s> CloseWaiter<'s> {
-    async fn wait_for_close(&mut self) -> std::io::Result<()> {
-        let mut buf = [0u8; 8];
-        loop {
-            match self.stream.read(&mut buf).await {
-                Ok(0) => break Ok(()),
-                Ok(_) => (),
-                Err(e) => break Err(e),
-            }
-        }
-    }
-}
-
-
-async fn handle(mut stream: Stream, app_handle: AppHandle, client_pid: u32) -> Result<(), HandlerError> 
-{
+async fn handle(
+    mut stream: Stream,
+    app_handle: AppHandle,
+    client_pid: u32
+) -> Result<(), HandlerError> {
     // read from stream until delimiter is reached
     let mut buf: Vec<u8> = Vec::with_capacity(1024); // requests are small, 1KiB is more than enough
     let mut n = 0;
@@ -77,20 +34,22 @@ async fn handle(mut stream: Stream, app_handle: AppHandle, client_pid: u32) -> R
         if let Some(&b'\n') = buf.last() {
             break;
         }
-        else if n >= 1024 {
+        // sanity check, no request should ever be within a mile of 1MB
+        else if n >= (1024 * 1024) {
             return Err(HandlerError::RequestTooLarge);
         }
     }
 
-    let client = clientinfo::get_process_parent_info(client_pid)?;
+    let client = clientinfo::get_client(client_pid, true)?;
     let waiter = CloseWaiter { stream: &mut stream };
 
-    let req: Request = serde_json::from_slice(&buf)?;
+
+    let req: CliRequest = serde_json::from_slice(&buf)?;
     let res = match req {
-        Request::GetAwsCredentials{ base } => get_aws_credentials(
-            base, client, app_handle, waiter
+        CliRequest::GetCredential{ name, base } => get_aws_credentials(
+            name, base, client, app_handle, waiter
         ).await,
-        Request::InvokeShortcut(action) => invoke_shortcut(action).await,
+        CliRequest::InvokeShortcut(action) => invoke_shortcut(action).await,
     };
 
     // doesn't make sense to send the error to the client if the client has already left
@@ -104,18 +63,19 @@ async fn handle(mut stream: Stream, app_handle: AppHandle, client_pid: u32) -> R
 }
 
 
-async fn invoke_shortcut(action: ShortcutAction) -> Result<Response, HandlerError> {
+async fn invoke_shortcut(action: ShortcutAction) -> Result<CliResponse, HandlerError> {
     shortcuts::exec_shortcut(action);
-    Ok(Response::Empty)
+    Ok(CliResponse::Empty)
 }
 
 
 async fn get_aws_credentials(
+    name: Option<String>,
     base: bool,
     client: Client,
     app_handle: AppHandle,
     mut waiter: CloseWaiter<'_>,
-) -> Result<Response, HandlerError> {
+) -> Result<CliResponse, HandlerError> {
     let state = app_handle.state::<AppState>();
     let rehide_ms = {
         let config = state.config.read().await;
@@ -131,7 +91,9 @@ async fn get_aws_credentials(
     // but ? returns immediately, and we want to unregister the request before returning
     // so we bundle it all up in an async block and return a Result so we can handle errors
     let proceed = async {
-        let notification = RequestNotification::new_aws(request_id, client, base);
+        let notification = RequestNotification::new_aws(
+            request_id, client, name.clone(), base
+        );
         app_handle.emit("credential-request", &notification)?;
 
         let response = tokio::select! {
@@ -145,12 +107,12 @@ async fn get_aws_credentials(
         match response.approval {
             Approval::Approved => {
                 if response.base {
-                    let creds = state.get_aws_base("default").await?;
-                    Ok(Response::AwsBase(creds))
+                    let creds = state.get_aws_base(name).await?;
+                    Ok(CliResponse::Credential(CliCredential::AwsBase(creds)))
                 }
                 else {
-                    let creds = state.get_aws_session("default").await?;
-                    Ok(Response::AwsSession(creds.clone()))
+                    let creds = state.get_aws_session(name).await?.clone();
+                    Ok(CliResponse::Credential(CliCredential::AwsSession(creds)))
                 }
             },
             Approval::Denied => Err(HandlerError::Denied),
@@ -162,7 +124,7 @@ async fn get_aws_credentials(
         Err(e) => {
             state.unregister_request(request_id).await;
             Err(e)
-        }
+        },
     };
 
     lease.release();

src-tauri/src/srv/mod.rs

@@ -0,0 +1,164 @@
+use std::future::Future;
+
+use tauri::{
+    AppHandle,
+    async_runtime as rt,
+};
+use tokio::io::AsyncReadExt;
+use serde::{Serialize, Deserialize};
+
+use crate::credentials::{AwsBaseCredential, AwsSessionCredential};
+use crate::errors::*;
+use crate::shortcuts::ShortcutAction;
+
+pub mod creddy_server;
+pub mod agent;
+use platform::Stream;
+
+
+// These types match what's defined in creddy_cli, but they are separate types
+// so that we avoid polluting the standalone CLI with a bunch of dependencies
+// that would make it impossible to build a completely static-linked version
+#[derive(Debug, Serialize, Deserialize)]
+pub enum CliRequest {
+    GetCredential {
+        name: Option<String>,
+        base: bool,
+    },
+    InvokeShortcut(ShortcutAction),
+}
+
+
+#[derive(Debug, Serialize, Deserialize)]
+pub enum CliResponse {
+    Credential(CliCredential),
+    Empty,
+}
+
+
+#[derive(Debug, Serialize, Deserialize)]
+pub enum CliCredential {
+    AwsBase(AwsBaseCredential),
+    AwsSession(AwsSessionCredential),
+}
+
+
+struct CloseWaiter<'s> {
+    stream: &'s mut Stream,
+}
+
+impl<'s> CloseWaiter<'s> {
+    async fn wait_for_close(&mut self) -> std::io::Result<()> {
+        let mut buf = [0u8; 8];
+        loop {
+            match self.stream.read(&mut buf).await {
+                Ok(0) => break Ok(()),
+                Ok(_) => (),
+                Err(e) => break Err(e),
+            }
+        }
+    }
+}
+
+
+fn serve<H, F>(sock_name: &str, app_handle: AppHandle, handler: H) -> std::io::Result<()>
+    where H: Copy + Send + Fn(Stream, AppHandle, u32) -> F + 'static,
+          F: Send + Future<Output = Result<(), HandlerError>>,
+{
+    let (mut listener, addr) = platform::bind(sock_name)?;
+    rt::spawn(async move {
+        loop {
+            let (stream, client_pid) = match platform::accept(&mut listener, &addr).await {
+                Ok((s, c)) => (s, c),
+                Err(e) => {
+                    eprintln!("Error accepting request: {e}");
+                    continue;
+                },
+            };
+            let new_handle = app_handle.clone();
+            rt::spawn(async move {
+                handler(stream, new_handle, client_pid)
+                    .await
+                    .error_print_prefix("Error responding to request: ");
+            });
+        }
+    });
+    Ok(())
+}
+
+
+#[cfg(unix)]
+mod platform {
+    use std::io::ErrorKind;
+    use std::path::PathBuf;
+    use tokio::net::{UnixListener, UnixStream};
+    use super::*;
+
+
+    pub type Stream = UnixStream;
+
+    pub fn bind(sock_name: &str) -> std::io::Result<(UnixListener, PathBuf)> {
+        let path = creddy_cli::server_addr(sock_name);
+        match std::fs::remove_file(&path) {
+            Ok(_) => (),
+            Err(e) if e.kind() == ErrorKind::NotFound => (),
+            Err(e) => return Err(e),
+        }
+
+        let listener = UnixListener::bind(&path)?;
+        Ok((listener, path))
+    }
+
+    pub async fn accept(listener: &mut UnixListener, _addr: &PathBuf) -> Result<(UnixStream, u32), HandlerError> {
+        let (stream, _addr) = listener.accept().await?;
+        let pid = stream.peer_cred()?
+            .pid()
+            .ok_or(ClientInfoError::PidNotFound)?
+            as u32;
+
+        Ok((stream, pid))
+    }
+}
+
+
+#[cfg(windows)]
+mod platform {
+    use std::os::windows::io::AsRawHandle;
+    use tokio::net::windows::named_pipe::{
+        NamedPipeServer,
+        ServerOptions,
+    };
+    use windows::Win32::{
+        Foundation::HANDLE,
+        System::Pipes::GetNamedPipeClientProcessId,
+    };
+    use super::*;
+
+
+    pub type Stream = NamedPipeServer;
+
+    pub fn bind(sock_name: &str) -> std::io::Result<(String, NamedPipeServer)> {
+        let addr = creddy_cli::server_addr(sock_name);
+        let listener = ServerOptions::new()
+            .first_pipe_instance(true)
+            .create(&addr)?;
+        Ok((listener, addr))
+    }
+
+    pub async fn accept(listener: &mut NamedPipeServer, addr: &String) -> Result<(NamedPipeServer, u32), HandlerError> {
+        // connect() just waits for a client to connect, it doesn't return anything
+        listener.connect().await?;
+
+        // unlike Unix sockets, a Windows NamedPipeServer *becomes* the open stream
+        // once a client connects. If we want to keep listening, we have to construct
+        // a new server and swap it in.
+        let new_listener = ServerOptions::new().create(addr)?;
+        let stream = std::mem::replace(listener, new_listener);
+
+        let raw_handle = stream.as_raw_handle();
+        let mut pid = 0u32;
+        let handle = HANDLE(raw_handle as _);
+        unsafe { GetNamedPipeClientProcessId(handle, &mut pid as *mut u32)? };
+        Ok((stream, pid))
+    }
+}

src-tauri/src/state.rs

@@ -1,4 +1,5 @@
 use std::collections::HashMap;
+use std::collections::hash_map::Entry;
 use std::time::Duration;
 use time::OffsetDateTime;
 
@@ -6,6 +7,7 @@ use tokio::{
     sync::{RwLock, RwLockReadGuard},
     sync::oneshot::{self, Sender},
 };
+use ssh_agent_lib::proto::message::Identity;
 use sqlx::SqlitePool;
 use sqlx::types::Uuid;
 use tauri::{
@@ -17,10 +19,12 @@ use crate::app;
 use crate::credentials::{
     AppSession,
     AwsSessionCredential,
+    SshKey,
 };
 use crate::{config, config::AppConfig};
 use crate::credentials::{
     AwsBaseCredential,
+    Credential,
     CredentialRecord,
     PersistentCredential
 };
@@ -107,7 +111,8 @@ impl VisibilityLease {
 pub struct AppState {
     pub config: RwLock<AppConfig>,
     pub app_session: RwLock<AppSession>,
-    pub aws_session: RwLock<Option<AwsSessionCredential>>,
+    // session cache is keyed on id rather than name because names can change
+    pub aws_sessions: RwLock<HashMap<Uuid, AwsSessionCredential>>,
     pub last_activity: RwLock<OffsetDateTime>,
     pub request_count: RwLock<u64>,
     pub waiting_requests: RwLock<HashMap<u64, Sender<RequestResponse>>>,
@@ -130,7 +135,7 @@ impl AppState {
         AppState {
             config: RwLock::new(config),
             app_session: RwLock::new(app_session),
-            aws_session: RwLock::new(None),
+            aws_sessions: RwLock::new(HashMap::new()),
             last_activity: RwLock::new(OffsetDateTime::now_utc()),
             request_count: RwLock::new(0),
             waiting_requests: RwLock::new(HashMap::new()),
@@ -162,6 +167,10 @@ impl AppState {
         Ok(list)
     }
 
+    pub async fn list_ssh_identities(&self) -> Result<Vec<Identity>, GetCredentialsError> {
+        Ok(SshKey::list_identities(&self.pool).await?)
+    }
+
     pub async fn set_passphrase(&self, passphrase: &str) -> Result<(), SaveCredentialsError> {
         let mut cur_session = self.app_session.write().await;
         if let AppSession::Locked {..} = *cur_session {
@@ -261,29 +270,58 @@ impl AppState {
         Ok(())
     }
 
-    pub async fn get_aws_base(&self, name: &str) -> Result<AwsBaseCredential, GetCredentialsError> {
+    pub async fn get_aws_base(&self, name: Option<String>) -> Result<AwsBaseCredential, GetCredentialsError> {
         let app_session = self.app_session.read().await;
         let crypto = app_session.try_get_crypto()?;
-        let creds = AwsBaseCredential::load_by_name(name, crypto, &self.pool).await?;
+        let creds = match name {
+            Some(n) => AwsBaseCredential::load_by_name(&n, crypto, &self.pool).await?,
+            None => AwsBaseCredential::load_default(crypto, &self.pool).await?,
+        };
         Ok(creds)
     }
 
-    pub async fn get_aws_session(&self, name: &str) -> Result<RwLockReadGuard<'_, AwsSessionCredential>, GetCredentialsError> {
-        // yes, this sometimes results in double-fetching base credentials from disk
-        // I'm done trying to be optimal
+    pub async fn get_aws_session(&self, name: Option<String>) -> Result<RwLockReadGuard<'_, AwsSessionCredential>, GetCredentialsError> {
+        let app_session = self.app_session.read().await;
+        let crypto = app_session.try_get_crypto()?;
+        let record = match name {
+            Some(n) => CredentialRecord::load_by_name(&n, crypto, &self.pool).await?,
+            None => CredentialRecord::load_default("aws", crypto, &self.pool).await?,
+        };
+        let base = match &record.credential {
+            Credential::AwsBase(b) => Ok(b),
+            _ => Err(LoadCredentialsError::NoCredentials)
+        }?;
+
         {
-            let mut aws_session = self.aws_session.write().await;
-            if aws_session.is_none() || aws_session.as_ref().unwrap().is_expired() {
-                let base_creds = self.get_aws_base(name).await?;
-                *aws_session = Some(AwsSessionCredential::from_base(&base_creds).await?);
+            let mut aws_sessions = self.aws_sessions.write().await;
+            match aws_sessions.entry(record.id) {
+                Entry::Vacant(e) => {
+                    e.insert(AwsSessionCredential::from_base(&base).await?);
+                },
+                Entry::Occupied(mut e) if e.get().is_expired() => {
+                    *(e.get_mut()) = AwsSessionCredential::from_base(&base).await?;
+                },
+                _ => ()
             }
         }
 
-        // we know this is safe, because we juse made sure of it
-        let s = RwLockReadGuard::map(self.aws_session.read().await, |opt| opt.as_ref().unwrap());
+        // we know the unwrap is safe, because we just made sure of it
+        let s = RwLockReadGuard::map(self.aws_sessions.read().await, |map| map.get(&record.id).unwrap());
         Ok(s)
     }
 
+    pub async fn ssh_name_from_pubkey(&self, pubkey: &[u8]) -> Result<String, GetCredentialsError> {
+        let k = SshKey::name_from_pubkey(pubkey, &self.pool).await?;
+        Ok(k)
+    }
+
+    pub async fn sshkey_by_name(&self, name: &str) -> Result<SshKey, GetCredentialsError> {
+        let app_session = self.app_session.read().await;
+        let crypto = app_session.try_get_crypto()?;
+        let k = SshKey::load_by_name(name, crypto, &self.pool).await?;
+        Ok(k)
+    }
+
     pub async fn signal_activity(&self) {
         let mut last_activity = self.last_activity.write().await;
         *last_activity = OffsetDateTime::now_utc();

src-tauri/src/terminal.rs

@@ -1,7 +1,7 @@
 use std::process::Command;
 use std::time::Duration;
 
-use tauri::Manager;
+use tauri::{AppHandle, Manager};
 use tokio::time::sleep;
 
 use crate::app::APP;
@@ -18,6 +18,18 @@ pub async fn launch(use_base: bool) -> Result<(), LaunchTerminalError> {
         return Ok(());
     }
 
+    let res = do_launch(app, use_base).await;
+
+    state.unregister_terminal_request().await;
+    res
+}
+
+
+// this handles most of the work, the outer function is just to ensure we properly
+// unregister the request if there's an error
+async fn do_launch(app: &AppHandle, use_base: bool) -> Result<(), LaunchTerminalError> {
+    let state = app.state::<AppState>();
+
     let mut cmd = {
         let config = state.config.read().await;
         let mut cmd = Command::new(&config.terminal.exec);
@@ -41,7 +53,6 @@ pub async fn launch(use_base: bool) -> Result<(), LaunchTerminalError> {
             _ = rx => lease.release(),
             // otherwise, dump this request, but return Ok so we don't get an error popup
             _ = sleep(timeout) => {
-                state.unregister_terminal_request().await;
                 eprintln!("WARNING: Request to launch terminal timed out after 60 seconds.");
                 return Ok(());
             },
@@ -52,27 +63,24 @@ pub async fn launch(use_base: bool) -> Result<(), LaunchTerminalError> {
     // (i.e. lies about unlocking) we could end up here with a locked session
     // this will result in an error popup to the user (see main hotkey handler)
     if use_base {
-        let base_creds = state.get_aws_base("default").await?;
+        let base_creds = state.get_aws_base(None).await?;
         cmd.env("AWS_ACCESS_KEY_ID", &base_creds.access_key_id);
         cmd.env("AWS_SECRET_ACCESS_KEY", &base_creds.secret_access_key);
     }
     else {
-        let session_creds = state.get_aws_session("default").await?;
+        let session_creds = state.get_aws_session(None).await?;
         cmd.env("AWS_ACCESS_KEY_ID", &session_creds.access_key_id);
         cmd.env("AWS_SECRET_ACCESS_KEY", &session_creds.secret_access_key);
         cmd.env("AWS_SESSION_TOKEN", &session_creds.session_token);
     }
 
-    let res = match cmd.spawn() {
+    match cmd.spawn() {
         Ok(_) => Ok(()),
         Err(e) if std::io::ErrorKind::NotFound == e.kind() => {
             Err(ExecError::NotFound(cmd.get_program().to_owned()))
         },
         Err(e) => Err(ExecError::ExecutionFailed(e)),
-    };
+    }?;
 
-    state.unregister_terminal_request().await;
-
-    res?; // ? auto-conversion is more liberal than .into()
     Ok(())
 }

src-tauri/tauri.conf.json

@@ -50,7 +50,7 @@
     }
   },
   "productName": "creddy",
-  "version": "0.4.9",
+  "version": "0.5.4",
   "identifier": "creddy",
   "plugins": {},
   "app": {
@@ -85,4 +85,4 @@
       }
     }
   }
-}
+}

src/lib/errors.js

@@ -6,3 +6,12 @@ export function getRootCause(error) {
         return error;
     }
 }
+
+
+export function fullMessage(error) {
+    let msg = error?.msg ? error.msg : error;
+    if (error.source) {
+        msg = `${msg}: ${fullMessage(error.source)}`;
+    }
+    return msg
+}

src/ui/ErrorAlert.svelte

@@ -2,6 +2,9 @@
     import { onMount } from 'svelte';
     import { slide } from 'svelte/transition';
 
+    import { fullMessage } from '../lib/errors.js';
+
+
     let extraClasses = "";
     export {extraClasses as class};
     export let slideDuration = 150;
@@ -78,7 +81,7 @@
     <div transition:slide="{{duration: slideDuration}}" class="alert alert-error shadow-lg {animationClass} {extraClasses}">
         <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current flex-shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z" /></svg>
         <span>
-            <slot {error}>{error.msg || error}</slot>
+            <slot {error}>{fullMessage(error)}</slot>
         </span>
 
         {#if $$slots.buttons}

src/ui/FileInput.svelte

@@ -0,0 +1,53 @@
+<script>
+    // import { listen } from '@tauri-apps/api/event';
+    import { open } from '@tauri-apps/plugin-dialog';
+    import { sep } from '@tauri-apps/api/path';
+    import { createEventDispatcher } from 'svelte';
+
+    import Icon from './Icon.svelte';
+
+
+    export let value = {};
+    export let params = {};
+    let displayValue = value?.name || '';
+
+    const dispatch = createEventDispatcher();
+
+    async function chooseFile() {
+        let file = await open(params);
+        if (file) {
+            value = file;
+            displayValue = file.name;
+            dispatch('update', value);
+        }
+    }
+
+    function handleInput(evt) {
+        const segments = evt.target.value.split(sep());
+        const name = segments[segments.length - 1];
+        value = {name, path: evt.target.value};
+    }
+
+    // some day, figure out drag-and-drop
+    // let drag = null;
+    // listen('tauri://drag', e => drag = e);
+    // listen('tauri://drop', e => console.log(e));
+    // listen('tauri://drag-cancelled', e => console.log(e));
+    // listen('tauri://drop-over', e => console.log(e));
+
+</script>
+
+
+<div class="relative flex join has-[:focus]:outline outline-2 outline-offset-2 outline-base-content/20">
+    <button type="button" class="btn btn-neutral join-item" on:click={chooseFile}>
+        Choose file
+    </button>
+    <input 
+        type="text"
+        class="join-item grow input input-bordered border-l-0 bg-transparent focus:outline-none"
+        value={displayValue}
+        on:input={handleInput}
+        on:change={() => dispatch('update', value)}
+        on:focus on:blur
+    >
+</div>

src/ui/PassphraseInput.svelte

@@ -8,6 +8,11 @@
     export {classes as class};
 
     let show = false;
+    let input;
+
+    export function focus() {
+        input.focus();
+    }
 </script>
 
 
@@ -19,13 +24,14 @@
 </style>
 
 
-<div class="join w-full">
+<div class="join w-full has-[:focus]:outline outline-2 outline-offset-2 outline-base-content/20">
     <input
+        bind:this={input}
         type={show ? 'text' : 'password'}
         {value} {placeholder} {autofocus}
         on:input={e => value = e.target.value}
         on:input on:change on:focus on:blur
-        class="input input-bordered flex-grow join-item placeholder:text-gray-500 {classes}"
+        class="input input-bordered flex-grow join-item placeholder:text-gray-500 focus:outline-none {classes}"
     />
 
     <button

src/ui/settings/FileSetting.svelte

@@ -7,6 +7,13 @@
     export let value;
 
     const dispatch = createEventDispatcher();
+
+    async function pickFile() {
+        let file = await open();
+        if (file) {
+            value = file.path
+        }
+    }
 </script>
 
 
@@ -18,9 +25,10 @@
             bind:value
             on:change={() => dispatch('update', {value})}
         >
-        <button 
+        <button
+            type="button"
             class="btn btn-sm btn-primary"
-            on:click={async () => value = await open()}
+            on:click={pickFile}
         >Browse</button>
     </div>
     <slot name="description" slot="description"></slot>

src/views/Approve.svelte

@@ -9,7 +9,7 @@
 
 
     // Extra 50ms so the window can finish disappearing before the redraw
-    const rehideDelay = Math.min(5000, $appState.config.rehide_ms + 50);
+    const rehideDelay = Math.min(5000, $appState.config.rehide_ms + 100);
 
     let alert;
     let success = false;

src/views/Home.svelte

@@ -8,11 +8,15 @@
     import Icon from '../ui/Icon.svelte';
     import Link from '../ui/Link.svelte';
 
-
-    let launchBase = false;
-    function launchTerminal() {
-        invoke('launch_terminal', {base: launchBase});
-        launchBase = false;
+    let launchTerminalError;
+    async function launchTerminal() {
+        try {
+            await invoke('launch_terminal', {base: false});
+        }
+        catch (e) {
+            console.log(e);
+            launchTerminalError = e;
+        }
     }
 
     async function lock() {
@@ -32,37 +36,41 @@
 
 <div class="flex flex-col h-screen items-center justify-center p-4 space-y-4">
     <div class="grid grid-cols-2 gap-6">
-        <Link target="ManageCredentials">
-            <div class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-primary hover:bg-base-200 transition-colors">
-                <Icon name="key" class="size-12 stroke-1 stroke-primary" />
-                <h3 class="text-lg font-bold">Credentials</h3>
-                <p class="text-sm">Add, remove, and change defaults credentials.</p>
-            </div>
-        </Link>
+        <button
+            on:click={() => navigate('ManageCredentials')}
+            class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-primary hover:bg-base-200 transition-transform active:scale-[.98] transition-transform"
+        >
+            <Icon name="key" class="size-12 stroke-1 stroke-primary" />
+            <h3 class="text-lg font-bold">Credentials</h3>
+            <p class="text-sm">Add, remove, and change default credentials.</p>
+        </button>
         
-        <Link target={launchTerminal}>
-            <div class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-secondary hover:bg-base-200 transition-colors">
-                <Icon name="command-line" class="size-12 stroke-1 stroke-secondary" />
-                <h3 class="text-lg font-bold">Terminal</h3>
-                <p class="text-sm">Launch a terminal pre-configured with AWS credentials.</p>
-            </div>
-        </Link>
+        <button 
+            on:click={launchTerminal}
+            class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-secondary hover:bg-base-200 transition-colors active:scale-[.98] transition-transform"
+        >
+            <Icon name="command-line" class="size-12 stroke-1 stroke-secondary" />
+            <h3 class="text-lg font-bold">Terminal</h3>
+            <p class="text-sm">Launch a terminal pre-configured with AWS credentials.</p>
+        </button>
 
-        <Link target={lock}>
-            <div class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-accent hover:bg-base-200 transition-colors">
-                <Icon name="shield-check" class="size-12 stroke-1 stroke-accent" />
-                <h3 class="text-lg font-bold">Lock</h3>
-                <p class="text-sm">Lock Creddy.</p>
-            </div>
-        </Link>
+        <button 
+            on:click={lock}
+            class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-warning hover:bg-base-200 transition-colors active:scale-[.98] transition-transform"
+        >
+            <Icon name="shield-check" class="size-12 stroke-1 stroke-warning" />
+            <h3 class="text-lg font-bold">Lock</h3>
+            <p class="text-sm">Lock Creddy.</p>
+        </button>
 
-        <Link target={() => invoke('exit')}>
-            <div class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-warning hover:bg-base-200 transition-colors">
-                <Icon name="arrow-right-start-on-rectangle" class="size-12 stroke-1 stroke-warning" />
-                <h3 class="text-lg font-bold">Exit</h3>
-                <p class="text-sm">Close Creddy.</p>
-            </div>
-        </Link>
+        <button 
+            on:click={() => invoke('exit')}
+            class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-accent hover:bg-base-200 transition-colors active:scale-[.98] transition-transform"
+        >
+            <Icon name="arrow-right-start-on-rectangle" class="size-12 stroke-1 stroke-accent" />
+            <h3 class="text-lg font-bold">Exit</h3>
+            <p class="text-sm">Close Creddy.</p>
+        </button>
     </div>
 </div>
 
@@ -71,10 +79,25 @@
         {#each $appState.setupErrors as error}
             {#if error.show}
                 <div class="alert alert-error shadow-lg">
-                    {error.msg}
-                    <button class="btn btn-sm btn-alert-error" on:click={() => error.show = false}>Ok</button>
+                    <span>{error.msg}</span>
+                    <div>
+                        <button class="btn btn-sm btn-alert-error" on:click={() => error.show = false}>Ok</button>
+                    </div>
                 </div>
             {/if}
         {/each}
     </div>
+{/if}
+
+{#if launchTerminalError}
+    <div class="toast">
+        <div class="alert alert-error shadow-lg">
+            <span>{launchTerminalError.msg || launchTerminalError}</span>
+            <div>
+                <button class="btn btn-alert-error" on:click={() => launchTerminalError = null}>
+                    Ok
+                </button>
+            </div>
+        </div>
+    </div>
 {/if}

src/views/ManageCredentials.svelte

@@ -5,12 +5,18 @@
     import { invoke } from '@tauri-apps/api/core';
 
     import AwsCredential from './credentials/AwsCredential.svelte';
+    import ConfirmDelete from './credentials/ConfirmDelete.svelte';
+    import SshKey from './credentials/SshKey.svelte';
+    // import NewSshKey from './credentials/NewSshKey.svelte';
+    // import EditSshKey from './credentials/EditSshKey.svelte';
     import Icon from '../ui/Icon.svelte';
     import Nav from '../ui/Nav.svelte';
 
-    let show = false;
 
-    let records = []
+    let records = null
+    $: awsRecords = (records || []).filter(r => r.credential.type === 'AwsBase');
+    $: sshRecords = (records || []).filter(r => r.credential.type === 'Ssh');
+
     let defaults = writable({});
     async function loadCreds() {
         records = await invoke('list_credentials');
@@ -24,11 +30,33 @@
             id: crypto.randomUUID(),
             name: null,
             is_default: false,
-            credential: {type: 'AwsBase', AccessKeyId: null, SecretAccessKey: null},
+            credential: {type: 'AwsBase', AccessKeyId: '', SecretAccessKey: ''},
             isNew: true,
         });
         records = records;
     }
+
+    function newSsh() {
+        records.push({
+            id: crypto.randomUUID(),
+            name: null,
+            is_default: false,
+            credential: {type: 'Ssh', algorithm: '', comment: '', private_key: '', public_key: '',},
+            isNew: true,
+        });
+        records = records;
+    }
+
+    let confirmDelete;
+    function handleDelete(evt) {
+        const record = evt.detail;
+        if (record.isNew) {
+            records = records.filter(r => r.id !== record.id);
+        }
+        else {
+            confirmDelete.confirm(record);
+        }
+    }
 </script>
 
 
@@ -36,27 +64,59 @@
     <h1 slot="title" class="text-2xl font-bold">Credentials</h1>
 </Nav>
 
-<div class="max-w-xl mx-auto mb-12 flex flex-col gap-y-4 justify-center">
-    <div class="divider">
-        <h2 class="text-xl font-bold">AWS Access Keys</h2>
-    </div>
+<div class="max-w-xl mx-auto mb-12 flex flex-col gap-y-12 justify-center">
+    <div class="flex flex-col gap-y-4">
+        <div class="divider">
+            <h2 class="text-xl font-bold">AWS Access Keys</h2>
+        </div>
 
-    {#if records.length > 0}
-        {#each records as record (record.id)}
-            <AwsCredential {record} {defaults} on:update={loadCreds} />
-        {/each}
-        <button class="btn btn-primary btn-wide mx-auto" on:click={newAws}>
-            <Icon name="plus-circle-mini" class="size-5" />
-            Add
-        </button>
-    {:else}
-        <div class="flex flex-col gap-6 items-center rounded-box border-2 border-dashed border-neutral-content/30 p-6">
-            <div>You have no saved AWS credentials.</div>
+        {#if awsRecords.length > 0}
+            {#each awsRecords as record (record.id)}
+                <AwsCredential
+                    {record} {defaults}
+                    on:update={loadCreds}
+                    on:delete={handleDelete}
+                />
+            {/each}
             <button class="btn btn-primary btn-wide mx-auto" on:click={newAws}>
                 <Icon name="plus-circle-mini" class="size-5" />
                 Add
             </button>
+        {:else if records !== null}
+            <div class="flex flex-col gap-6 items-center rounded-box border-2 border-dashed border-neutral-content/30 p-6">
+                <div>You have no saved AWS credentials.</div>
+                <button class="btn btn-primary btn-wide mx-auto" on:click={newAws}>
+                    <Icon name="plus-circle-mini" class="size-5" />
+                    Add
+                </button>
+            </div>
+        {/if}
+    </div>
+
+    <div class="flex flex-col gap-y-4">
+        <div class="divider">
+            <h2 class="text-xl font-bold">SSH Keys</h2>
         </div>
-    {/if}
+
+        {#if sshRecords.length > 0}
+            {#each sshRecords as record (record.id)}
+                <SshKey {record} on:save={loadCreds} on:delete={handleDelete} />
+            {/each}
+            <button class="btn btn-primary btn-wide mx-auto" on:click={newSsh}>
+                <Icon name="plus-circle-mini" class="size-5" />
+                Add
+            </button>
+        {:else if records !== null}
+            <div class="flex flex-col gap-6 items-center rounded-box border-2 border-dashed border-neutral-content/30 p-6">
+                <div>You have no saved SSH keys.</div>
+                <button class="btn btn-primary btn-wide mx-auto" on:click={newSsh}>
+                    <Icon name="plus-circle-mini" class="size-5" />
+                    Add
+                </button>
+            </div>
+        {/if}
+    </div>
 
 </div>
+
+<ConfirmDelete bind:this={confirmDelete} on:confirm={loadCreds} />

src/views/Settings.svelte

@@ -29,6 +29,7 @@
         }
     }
 
+    window.getOsType = type;
     let osType = null;
     type().then(t => osType = t);
 </script>

src/views/Unlock.svelte

@@ -19,7 +19,7 @@
 
     let alert;
     let passphrase = '';
-    
+
     let saving = false;
     async function unlock() {
         saving = true;
@@ -34,9 +34,14 @@
         }
 
     }
+
+    let input;
+    onMount(() => input.focus());
 </script>
 
 
+<svelte:window on:focus={input.focus} />
+
 <div class="fixed top-0 w-full p-2 text-center">
     <h1 class="text-3xl font-bold">Creddy is locked</h1>
 </div>
@@ -52,7 +57,11 @@
         <ErrorAlert bind:this="{alert}" />
 
         <!-- svelte-ignore a11y-autofocus -->
-        <PassphraseInput autofocus="true" bind:value={passphrase} placeholder="correct horse battery staple" />
+        <PassphraseInput
+            bind:this={input}
+            bind:value={passphrase}
+            placeholder="correct horse battery staple"
+        />
     </label>
 
     <button type="submit" class="btn btn-primary">

src/views/approve/CollectResponse.svelte

@@ -42,7 +42,17 @@
 {/if}
 
 <div class="space-y-1 mb-4">
-    <h2 class="text-xl font-bold">{appName ? `"${appName}"` : 'An appplication'} would like to access your AWS credentials.</h2>
+    <h2 class="text-xl font-bold">
+        {#if $appState.currentRequest.type === 'Aws'}
+            {#if $appState.currentRequest.name}
+                {appName ? `"${appName}"` : 'An appplication'} would like to access your AWS access key "{$appState.currentRequest.name}".
+            {:else}
+                {appName ? `"${appName}"` : 'An appplication'} would like to access your default AWS access key
+            {/if}
+        {:else if $appState.currentRequest.type === 'Ssh'}
+            {appName ? `"${appName}"` : 'An application'} would like to use your SSH key "{$appState.currentRequest.key_name}".
+        {/if}
+    </h2>
 
     <div class="grid grid-cols-[auto_1fr] gap-x-3">
         <div class="text-right">Path:</div>
@@ -56,7 +66,11 @@
         <!-- Don't display the option to approve with session credentials if base was specifically requested -->
         {#if !$appState.currentRequest?.base}
             <h3 class="font-semibold">
-                Approve with session credentials
+                {#if $appState.currentRequest.type === 'Aws'}
+                    Approve with session credentials
+                {:else}
+                    Approve
+                {/if}
             </h3>
             <Link target={() => setResponse('Approved', false)} hotkey="Enter" shift={true}>
                 <button class="w-full btn btn-success">
@@ -65,20 +79,22 @@
             </Link>
         {/if}
 
-        <h3 class="font-semibold">
-            <span class="mr-2">
-                {#if $appState.currentRequest?.base}
-                    Approve
-                {:else}
-                    Approve with base credentials
-                {/if}
-            </span>
-        </h3>
-        <Link target={() => setResponse('Approved', true)} hotkey="Enter" shift={true} ctrl={true}>
-            <button class="w-full btn btn-warning">
-                <KeyCombo keys={['Ctrl', 'Shift', 'Enter']} />
-            </button>
-        </Link>
+        {#if $appState.currentRequest.type === 'Aws'}
+            <h3 class="font-semibold">
+                <span class="mr-2">
+                    {#if $appState.currentRequest?.base}
+                        Approve
+                    {:else}
+                        Approve with base credentials
+                    {/if}
+                </span>
+            </h3>
+            <Link target={() => setResponse('Approved', true)} hotkey="Enter" shift={true} ctrl={true}>
+                <button class="w-full btn btn-warning">
+                    <KeyCombo keys={['Ctrl', 'Shift', 'Enter']} />
+                </button>
+            </Link>
+        {/if}
 
         <h3 class="font-semibold">
             <span class="mr-2">Deny</span>

src/views/credentials/AwsCredential.svelte

@@ -16,7 +16,6 @@
 
     let showDetails = record.isNew ? true : false;
 
-    let localName = name;
     let local = JSON.parse(JSON.stringify(record));
     $: isModified = JSON.stringify(local) !== JSON.stringify(record);
     
@@ -32,38 +31,19 @@
         showDetails = false;
     }
 
-    let deleteModal;
-    function conditionalDelete() {
-        if (!record.isNew) {
-            deleteModal.showModal();
-        }
-        else {
-            deleteCredential();
-        }
-    }
-
-    async function deleteCredential() {
-        try {
-            if (!record.isNew) {
-                await invoke('delete_credential', {id: record.id});
-            }
-            dispatch('update');
-        }
-        catch (e) {
-            showDetails = true;
-            // wait for showDetails to take effect and the alert to be rendered
-            window.setTimeout(() => alert.setError(e), 0);
-        }
-    }
+    
 </script>
 
 
-<div 
-    transition:slide|local={{duration: record.isNew ? 300 : 0}}
-    class="rounded-box space-y-4 bg-base-200 {record.is_default ? 'border border-accent' : ''}"
->
+<div class="rounded-box space-y-4 bg-base-200 {record.is_default ? 'border border-accent' : ''}">
     <div class="flex items-center px-6 py-4 gap-x-4">
-        <h3 class="text-lg font-bold">{record.name || ''}</h3>
+        <h3 class="text-lg font-bold">
+            {#if !record?.isNew && showDetails}
+                <input type="text" class="input input-bordered bg-transparent" bind:value={local.name}>
+            {:else}
+                {record.name || ''}
+            {/if}
+        </h3>
 
         {#if record.is_default}
             <span class="badge badge-accent">Default</span>
@@ -80,7 +60,7 @@
             <button
                 type="button"
                 class="btn btn-outline btn-error join-item"
-                on:click={conditionalDelete}
+                on:click={() => dispatch('delete', record)}
             >
                 <Icon name="trash" class="size-6" />
             </button>
@@ -129,27 +109,11 @@
                         transition:fade={{duration: 100}}
                         type="submit"
                         class="btn btn-primary"
-                        >
-                            Save
-                        </button>
+                    >
+                        Save
+                    </button>
                 {/if}
             </div>
         </form>
     {/if}
-
-    <dialog bind:this={deleteModal} class="modal">
-        <div class="modal-box">
-            <h3 class="text-lg font-bold">Delete AWS credential "{record.name}"?</h3>
-            <div class="modal-action">
-                <form method="dialog" class="flex gap-x-4">
-                    <button class="btn btn-outline">Cancel</button>
-                    <button 
-                        autofocus
-                        class="btn btn-error"
-                        on:click={deleteCredential}
-                    >Delete</button>
-                </form>
-            </div>
-        </div>
-    </dialog>
 </div>

src/views/credentials/ConfirmDelete.svelte

@@ -0,0 +1,62 @@
+<script>
+    import { invoke } from '@tauri-apps/api/core';
+    import { createEventDispatcher } from 'svelte';
+
+    import ErrorAlert from '../../ui/ErrorAlert.svelte';
+
+    let record;
+    let modal;
+    let alert;
+
+    const dispatch = createEventDispatcher();
+
+    export function confirm(r) {
+        record = r;
+        modal.showModal();
+    }
+
+    async function deleteCredential() {
+        await invoke('delete_credential', {id: record.id})
+        // closing the modal is dependent on the previous step succeeding
+        modal.close();
+        dispatch('confirm');
+    }
+
+    function credentialDescription(record) {
+        if (record.credential.type === 'AwsBase') {
+            return 'AWS credential';
+        }
+        if (record.credential.type === 'Ssh') {
+            return 'SSH key';
+        }
+    }
+</script>
+
+<dialog bind:this={modal} class="modal">
+    <div class="modal-box space-y-6">
+        <ErrorAlert bind:this={alert} />
+        <h3 class="text-lg font-bold">
+            {#if record}
+                Delete {credentialDescription(record)} "{record.name}"?
+            {/if}
+        </h3>
+        <div class="modal-action">
+            <form method="dialog" class="flex gap-x-4">
+                <button
+                    class="btn btn-outline"
+                    on:click={() => alert.setError(null)}
+                >
+                    Cancel
+                </button>
+
+                <button
+                    autofocus
+                    class="btn btn-error"
+                    on:click|preventDefault={() => alert.run(deleteCredential)}
+                >
+                    Delete
+                </button>
+            </form>
+        </div>
+    </div>
+</dialog>

src/views/credentials/EditSshKey.svelte

@@ -0,0 +1,84 @@
+<script>
+    import { invoke } from '@tauri-apps/api/core';
+    import { createEventDispatcher } from 'svelte';
+    import { fade } from 'svelte/transition';
+
+    import ErrorAlert from '../../ui/ErrorAlert.svelte';
+
+
+    export let local;
+    export let isModified;
+
+    const dispatch = createEventDispatcher();
+    let alert;
+
+    async function saveCredential() {
+        await invoke('save_credential', {record: local});
+        dispatch('save', local);
+    }
+
+    async function copyText(evt) {
+        const tooltip = event.currentTarget;
+        await navigator.clipboard.writeText(tooltip.dataset.copyText);
+        const prevText = tooltip.dataset.tip;
+        tooltip.dataset.tip = 'Copied!';
+        window.setTimeout(() => tooltip.dataset.tip = prevText, 2000);
+    }
+</script>
+
+
+<style>
+    .grid {
+        grid-template-columns: auto minmax(0, 1fr);
+    }
+</style>
+
+
+<form class="space-y-4" on:submit|preventDefault={() => alert.run(saveCredential)}>
+    <ErrorAlert bind:this={alert} />
+
+    <div class="grid items-baseline gap-4">
+        <span class="justify-self-end">Comment</span>
+        <input
+            type="text"
+            class="input input-bordered bg-transparent"
+            bind:value={local.credential.comment}
+        >
+
+        <span class="justify-self-end">Public key</span>
+        <div
+            class="tooltip tooltip-right"
+            data-tip="Click to copy"
+            data-copy-text={local.credential.public_key}
+            on:click={copyText}
+        >
+            <div class="cursor-pointer text-left textarea textarea-bordered bg-transparent font-mono break-all">
+                {local.credential.public_key}
+            </div>
+        </div>
+
+        <span class="justify-self-end">Private key</span>
+        <div
+            class="tooltip tooltip-right"
+            data-tip="Click to copy"
+            data-copy-text={local.credential.private_key}
+            on:click={copyText}
+        >
+            <div class="cursor-pointer text-left textarea textarea-bordered bg-transparent font-mono whitespace-pre overflow-x-auto">
+                {local.credential.private_key}
+            </div>
+        </div>
+    </div>
+
+    <div class="flex justify-end">
+        {#if isModified}
+            <button
+                transition:fade={{duration: 100}}
+                type="submit"
+                class="btn btn-primary"
+            >
+                Save
+            </button>
+        {/if}
+    </div>
+</form>

src/views/credentials/NewSshKey.svelte

@@ -0,0 +1,119 @@
+<script>
+    import { createEventDispatcher } from 'svelte';
+    import { invoke } from '@tauri-apps/api/core';
+    import { homeDir } from '@tauri-apps/api/path';
+    import { fade } from 'svelte/transition';
+
+    import ErrorAlert from '../../ui/ErrorAlert.svelte';
+    import FileInput from '../../ui/FileInput.svelte';
+    import PassphraseInput from '../../ui/PassphraseInput.svelte';
+    import Spinner from '../../ui/Spinner.svelte';
+
+    export let record;
+
+    let name;
+    let file;
+    let privateKey = '';
+    let passphrase = '';
+    let showDetails = true;
+    let mode = 'file';
+
+    const dispatch = createEventDispatcher();
+
+    let defaultPath = null;
+    homeDir().then(d => defaultPath = `${d}/.ssh`);
+
+
+    let alert;
+    let saving = false;
+    async function saveCredential() {
+        saving = true;
+        try {
+            let key = await getKey();
+            const payload = {
+                id: record.id,
+                name,
+                is_default: false, // ssh keys don't care about defaults
+                credential: {type: 'Ssh', ...key},
+            };
+            await invoke('save_credential', {record: payload});
+            dispatch('save', payload);
+        }
+        finally {
+            saving = false;
+        }
+    }
+
+    async function getKey() {
+        if (mode === 'file') {
+            return await invoke('sshkey_from_file', {path: file.path, passphrase});
+        }
+        else {
+            return await invoke('sshkey_from_private_key', {privateKey, passphrase});
+        }
+    }
+
+</script>
+
+
+<div role="tablist" class="join max-w-sm mx-auto flex justify-center">
+        <button
+            type="button"
+            role="tab"
+            class="join-item flex-1 btn border border-primary hover:border-primary"
+            class:btn-primary={mode === 'file'}
+            on:click={() => mode = 'file'}
+        >
+            From file
+        </button>
+        <button
+            type="button"
+            role="tab"
+            class="join-item flex-1 btn border border-primary hover:border-primary"
+            class:btn-primary={mode === 'direct'}
+            on:click={() => mode = 'direct'}
+        >
+            From private key
+        </button>
+</div>
+
+
+<form class="space-y-4" on:submit|preventDefault={alert.run(saveCredential)}>
+    <ErrorAlert bind:this={alert} />
+
+    <div class="grid grid-cols-[auto_1fr] items-center gap-4">
+        <span class="justify-self-end">Name</span>
+        <input
+            type="text"
+            class="input input-bordered bg-transparent"
+            bind:value={name}
+        >
+
+        {#if mode === 'file'}
+            <span class="justify-self-end">File</span>
+            <FileInput params={{defaultPath}} bind:value={file} on:update={() => name = file.name} />
+        {:else}
+            <span class="justify-self-end">Private key</span>
+            <textarea bind:value={privateKey} rows="5" class="textarea textarea-bordered bg-transparent font-mono whitespace-pre overflow-x-auto"></textarea>
+        {/if}
+
+        <span class="justify-self-end">Passphrase</span>
+        <PassphraseInput class="bg-transparent" bind:value={passphrase} />
+    </div>
+
+    <div class="flex justify-end">
+        {#if file?.path || privateKey !== ''}
+            <button
+                transition:fade={{duration: 100}}
+                type="submit"
+                class="btn btn-primary"
+            >
+                {#if saving}
+                    <Spinner class="size-5 min-w-16" thickness="12" />
+                {:else}
+                    <span class="min-w-16">Save</span>
+                {/if}
+            </button>
+        {/if}
+    </div>
+</form>

src/views/credentials/SshKey.svelte

@@ -0,0 +1,71 @@
+<script>
+    import { createEventDispatcher } from 'svelte';
+    import { slide } from 'svelte/transition';
+
+    import NewSshKey from './NewSshKey.svelte';
+    import EditSshKey from './EditSshKey.svelte';
+    import Icon from '../../ui/Icon.svelte';
+
+    export let record;
+
+    const dispatch = createEventDispatcher();
+
+    function copy(obj) {
+        return JSON.parse(JSON.stringify(obj));
+    }
+
+    let local = copy(record);
+    $: isModified = JSON.stringify(local) !== JSON.stringify(record);
+    let showDetails = record?.isNew;
+
+    function handleSave(evt) {
+        local = copy(evt.detail);
+        showDetails = false;
+    }
+</script>
+
+
+<div class="rounded-box space-y-4 bg-base-200">
+    <div class="flex items-center px-6 py-4 gap-x-4">
+        {#if !record.isNew}
+            {#if showDetails}
+                <input 
+                    type="text"
+                    class="input input-bordered bg-transparent text-lg font-bold"
+                    bind:value={local.name}
+                >
+            {:else}
+                <h3 class="text-lg font-bold">
+                    {record.name}
+                </h3>
+            {/if}
+        {/if}
+
+        <div class="join ml-auto">
+            <button
+                type="button"
+                class="btn btn-outline join-item"
+                on:click={() => showDetails = !showDetails}
+            >
+                <Icon name="pencil" class="size-6" />
+            </button>
+            <button
+                type="button"
+                class="btn btn-outline btn-error join-item"
+                on:click={() => dispatch('delete', record)}
+            >
+                <Icon name="trash" class="size-6" />
+            </button>
+        </div>
+    </div>
+
+    {#if record && showDetails}
+        <div transition:slide|local={{duration: 200}} class="px-6 pb-4 space-y-4">
+            {#if record.isNew}
+                <NewSshKey {record} on:save on:save={handleSave} />
+            {:else}
+                <EditSshKey bind:local={local} {isModified} on:save={handleSave} on:save />
+            {/if}
+        </div>
+    {/if}
+</div>

tailwind.config.js

@@ -17,7 +17,7 @@ module.exports = {
           "primary": "#0ea5e9",
           "secondary": "#fb923c",
           "accent": "#8b5cf6",
-          "neutral": "#2f292c",
+          "neutral": "#374151",
           "base-100": "#252e3a",
           "info": "#66cccc",
           "success": "#52bf73",