add CliRequest variants to store/erase docker credentials

working implementation of docker get
send SaveCredential request to frontend on docker store
2024-11-23 13:47:37 -05:00 · 2024-09-21 05:30:25 -04:00 · 2024-09-19 11:35:18 -04:00 · 2024-09-19 11:35:18 -04:00 · 2024-09-19 11:35:18 -04:00
18 changed files with 539 additions and 116 deletions
--- a/src-tauri/creddy_cli/src/cli/docker.rs
+++ b/src-tauri/creddy_cli/src/cli/docker.rs
@ -0,0 +1,43 @@
 use std::io::{self, Read};
 use anyhow::bail;
 use crate::proto::{CliResponse, DockerCredential};
 use super::{
    CliCredential,
    CliRequest,
    GlobalArgs
 };
 pub fn docker_store(global_args: GlobalArgs) -> anyhow::Result<()> {
    let input: DockerCredential = serde_json::from_reader(io::stdin())?;
    let req = CliRequest::SaveCredential {
        name: input.username.clone(),
        is_default: false, // is_default doesn't really mean anything for Docker credentials
        credential: CliCredential::Docker(input),
    };
    match super::make_request(global_args.server_addr, &req)?? {
        CliResponse::Empty => Ok(()),
        r => bail!("Unexpected response from server: {r}"),
    }
 }
 pub fn docker_get(global_args: GlobalArgs) -> anyhow::Result<()> {
    let mut server_url = String::new();
    io::stdin().read_to_string(&mut server_url)?;
    let req = CliRequest::GetDockerCredential {
       server_url: server_url.trim().to_owned()
    };
    match super::make_request(global_args.server_addr, &req)?? {
        CliResponse::Credential(CliCredential::Docker(d)) => {
            println!("{}", serde_json::to_string(&d)?);
        },
        r => bail!("Unexpected response from server: {r}"),
    }
    Ok(())
 }
--- a/src-tauri/creddy_cli/src/cli/mod.rs
+++ b/src-tauri/creddy_cli/src/cli/mod.rs
@ -22,6 +22,8 @@ use crate::proto::{
    ShortcutAction,
 };
 mod docker;
 #[derive(Debug, Parser)]
 #[command(
@ -70,6 +72,9 @@ pub enum Action {
    Exec(ExecArgs),
    /// Invoke an action normally triggered by hotkey (e.g. launch terminal)
    Shortcut(InvokeArgs),
    /// Interact with Docker credentials via the docker-credential-helper protocol
    #[command(subcommand)]
    Docker(DockerCmd),
 }
@ -101,8 +106,19 @@ pub struct InvokeArgs {
 }
 #[derive(Debug, Subcommand)]
 pub enum DockerCmd {
    /// Get a stored Docker credential
    Get,
    /// Store a new Docker credential
    Store,
    /// Remove a stored Docker credential
    Erase,
 }
 pub fn get(args: GetArgs, global: GlobalArgs) -> anyhow::Result<()> {
-    let req = CliRequest::GetCredential {
+    let req = CliRequest::GetAwsCredential {
        name: args.name,
        base: args.base,
    };
@ -129,7 +145,7 @@ pub fn exec(args: ExecArgs, global: GlobalArgs) -> anyhow::Result<()> {
    let mut cmd = ChildCommand::new(cmd_name);
    cmd.args(cmd_line);
-    let req = CliRequest::GetCredential {
+    let req = CliRequest::GetAwsCredential {
        name: args.get_args.name,
        base: args.get_args.base,
    };
@ -185,10 +201,20 @@ pub fn invoke_shortcut(args: InvokeArgs, global: GlobalArgs) -> anyhow::Result<(
 }
 pub fn docker_credential_helper(cmd: DockerCmd, global_args: GlobalArgs) -> anyhow::Result<()> {
    match cmd {
        DockerCmd::Get => docker::docker_get(global_args),
        DockerCmd::Store => docker::docker_store(global_args),
        DockerCmd::Erase => todo!(),
    }
 }
 // Explanation for double-result: the server will return a (serialized) Result
 // to indicate when the operation succeeded or failed, which we deserialize.
 // However, the operation may fail to even communicate with the server, in
 // which case we return the outer Result
 // (probably this should be modeled differently)
 #[tokio::main]
 async fn make_request(
    addr: Option<PathBuf>,
--- a/src-tauri/creddy_cli/src/lib.rs
+++ b/src-tauri/creddy_cli/src/lib.rs
@ -5,6 +5,7 @@ pub use cli::{
    exec,
    get,
    invoke_shortcut,
    docker_credential_helper,
 };
 pub(crate) use platform::connect;
--- a/src-tauri/creddy_cli/src/main.rs
+++ b/src-tauri/creddy_cli/src/main.rs
@ -11,6 +11,7 @@ fn main() {
        Some(Action::Get(args)) => creddy_cli::get(args, cli.global_args),
        Some(Action::Exec(args)) => creddy_cli::exec(args, cli.global_args),
        Some(Action::Shortcut(args)) => creddy_cli::invoke_shortcut(args, cli.global_args),
        Some(Action::Docker(cmd)) => creddy_cli::docker_credential_helper(cmd, cli.global_args),
    };
    if let Err(e) = res {
--- a/src-tauri/creddy_cli/src/proto.rs
+++ b/src-tauri/creddy_cli/src/proto.rs
@ -9,12 +9,22 @@ use serde::{Serialize, Deserialize};
 #[derive(Debug, Serialize, Deserialize)]
 #[serde(tag = "type")]
 pub enum CliRequest {
-    GetCredential {
+    GetAwsCredential {
        name: Option<String>,
        base: bool,
    },
-    InvokeShortcut(ShortcutAction),
+    GetDockerCredential {
        server_url: String,
    },
    StoreDockerCredential(DockerCredential),
    EraseDockerCredential {
        server_url: String,
    },
    InvokeShortcut{
        action: ShortcutAction,
    },
 }
@ -36,6 +46,7 @@ impl Display for CliResponse {
        match self {
            CliResponse::Credential(CliCredential::AwsBase(_)) => write!(f, "Credential (AwsBase)"),
            CliResponse::Credential(CliCredential::AwsSession(_)) => write!(f, "Credential (AwsSession)"),
            CliResponse::Credential(CliCredential::Docker(_)) => write!(f, "Credential (Docker)"),
            CliResponse::Empty => write!(f, "Empty"),
        }
    }
@ -46,6 +57,7 @@ impl Display for CliResponse {
 pub enum CliCredential {
    AwsBase(AwsBaseCredential),
    AwsSession(AwsSessionCredential),
    Docker(DockerCredential),
 }
@ -75,6 +87,16 @@ pub struct AwsSessionCredential {
 fn default_aws_version() -> usize { 1 }
 #[derive(Debug, Eq, PartialEq, Serialize, Deserialize)]
 #[serde(rename_all = "PascalCase")]
 pub struct DockerCredential {
    #[serde(rename = "ServerURL")]
    pub server_url: String,
    pub username: String,
    pub secret: String,
 }
 #[derive(Debug, Serialize, Deserialize)]
 pub struct ServerError {
    code: String,
--- a/src-tauri/migrations/20240919135710_docker_creds.sql
+++ b/src-tauri/migrations/20240919135710_docker_creds.sql
@ -0,0 +1,11 @@
 CREATE TABLE docker_credentials (
    id BLOB UNIQUE NOT NULL,
    -- The Docker credential helper protocol only sends the server_url, so
    -- we should guarantee that we will only ever have one matching credential.
    -- Also, it's easier to go from unique -> not-unique than vice versa if we
    -- decide that's necessary in the future
    server_url TEXT UNIQUE NOT NULL,
    username TEXT NOT NULL,
    secret_enc BLOB NOT NULL,
    nonce BLOB NOT NULL
 );
--- a/src-tauri/src/credentials/docker.rs
+++ b/src-tauri/src/credentials/docker.rs
@ -0,0 +1,196 @@
 use chacha20poly1305::XNonce;
 use serde::{Serialize, Deserialize};
 use sqlx::{
    FromRow,
    Sqlite,
    Transaction,
    types::Uuid,
 };
 use super::{Credential, Crypto, PersistentCredential};
 use crate::errors::*;
 #[derive(Debug, Clone, FromRow)]
 pub struct DockerRow {
    id: Uuid,
    server_url: String,
    username: String,
    secret_enc: Vec<u8>,
    nonce: Vec<u8>,
 }
 #[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
 #[serde(rename_all = "PascalCase")]
 pub struct DockerCredential {
    #[serde(rename = "ServerURL")]
    pub server_url: String,
    pub username: String,
    pub secret: String,
 }
 impl PersistentCredential for DockerCredential {
    type Row = DockerRow;
    fn type_name() -> &'static str { "docker" }
    fn into_credential(self) -> Credential { Credential::Docker(self) }
    fn row_id(row: &DockerRow) -> Uuid { row.id }
    fn from_row(row: DockerRow, crypto: &Crypto) -> Result<Self, LoadCredentialsError> {
        let nonce = XNonce::clone_from_slice(&row.nonce);
        let secret_bytes = crypto.decrypt(&nonce, &row.secret_enc)?;
        let secret = String::from_utf8(secret_bytes)
            .map_err(|_| LoadCredentialsError::InvalidData)?;
        Ok(DockerCredential {
            server_url: row.server_url,
            username: row.username,
            secret
        })
    }
    async fn save_details(&self, id: &Uuid, crypto: &Crypto, txn: &mut Transaction<'_, Sqlite>) -> Result<(), SaveCredentialsError> {
        let (nonce, ciphertext) = crypto.encrypt(self.secret.as_bytes())?;
        let nonce_bytes = &nonce.as_slice();
        sqlx::query!(
            "INSERT OR REPLACE INTO docker_credentials (
                id,
                server_url,
                username,
                secret_enc,
                nonce
            )
            VALUES (?, ?, ?, ?, ?)",
            id, self.server_url, self.username, ciphertext, nonce_bytes,
        ).execute(&mut **txn).await?;
        Ok(())
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    use crate::credentials::CredentialRecord;
    use creddy_cli::proto::DockerCredential as CliDockerCredential;
    use sqlx::SqlitePool;
    use sqlx::types::uuid::uuid;
    fn test_credential() -> DockerCredential {
        DockerCredential {
            server_url: "https://registry.jfmonty2.com".into(),
            username: "joe@jfmonty2.com".into(),
            secret: "correct horse battery staple".into(),
        }
    }
    fn test_credential_2() -> DockerCredential {
        DockerCredential {
            server_url: "https://index.docker.io/v1".into(),
            username: "test@example.com".into(),
            secret: "a very secure passphrase".into(),
        }
    }
    fn test_record() -> CredentialRecord {
        CredentialRecord {
            id: uuid!("00000000-0000-0000-0000-000000000000"),
            name: "docker_test".into(),
            is_default: false,
            credential: Credential::Docker(test_credential()),
        }
    }
    fn test_record_2() -> CredentialRecord {
        CredentialRecord {
            id: uuid!("ffffffff-ffff-ffff-ffff-ffffffffffff"),
            name: "docker_test_2".into(),
            is_default: false,
            credential: Credential::Docker(test_credential_2()),
        }
    }
    #[sqlx::test]
    fn test_save(pool: SqlitePool) {
        let crypt = Crypto::random();
        test_record().save(&crypt, &pool).await
            .expect("Failed to save record");
    }
    #[sqlx::test(fixtures("docker_credentials"))]
    fn test_load(pool: SqlitePool) {
        let crypt = Crypto::fixed();
        let id = uuid!("00000000-0000-0000-0000-000000000000");
        let loaded = DockerCredential::load(&id, &crypt, &pool).await
            .expect("Failed to load record");
        assert_eq!(test_credential(), loaded);
    }
    #[sqlx::test(fixtures("docker_credentials"))]
    async fn test_overwrite(pool: SqlitePool) {
        let crypt = Crypto::fixed();
        let mut record = test_record_2();
        // give it the same id as test_record so that it overwrites
        let id = uuid!("00000000-0000-0000-0000-000000000000");
        record.id = id;
        record.save(&crypt, &pool).await
            .expect("Failed to overwrite original record with second record");
        let loaded = DockerCredential::load(&id, &crypt, &pool).await
            .expect("Failed to load again after overwriting");
        assert_eq!(test_credential_2(), loaded);
    }
    #[sqlx::test(fixtures("docker_credentials"))]
    async fn test_list(pool: SqlitePool) {
        let crypt = Crypto::fixed();
        let records = CredentialRecord::list(&crypt, &pool).await
            .expect("Failed to list credentials");
        assert_eq!(test_record(), records[0]);
    }
    // make sure that CLI credentials and app credentials don't drift apart
    #[test]
    fn test_cli_to_app() {
        let cli_creds = CliDockerCredential {
            server_url: "https://registry.jfmonty2.com".into(),
            username: "joe@jfmonty2.com".into(),
            secret: "correct horse battery staple".into(),
        };
        let json = serde_json::to_string(&cli_creds).unwrap();
        let computed: DockerCredential = serde_json::from_str(&json)
            .expect("Failed to deserialize Docker credentials from CLI -> main app");
        assert_eq!(test_credential(), computed);
    }
    #[test]
    fn test_app_to_cli() {
        let app_creds = test_credential();
        let json = serde_json::to_string(&app_creds).unwrap();
        let computed: CliDockerCredential = serde_json::from_str(&json)
            .expect("Failed to deserialize Docker credentials from main app -> CLI");
        let expected = CliDockerCredential {
            server_url: "https://registry.jfmonty2.com".into(),
            username: "joe@jfmonty2.com".into(),
            secret: "correct horse battery staple".into(),
        };
        assert_eq!(expected, computed);
    }
 }
--- a/src-tauri/src/credentials/fixtures/docker_credentials.sql
+++ b/src-tauri/src/credentials/fixtures/docker_credentials.sql
@ -0,0 +1,11 @@
 INSERT INTO credentials (id, name, credential_type, is_default, created_at)
 VALUES (X'00000000000000000000000000000000', 'docker_test', 'docker', 0, 1726756380);
 INSERT INTO docker_credentials (id, server_url, username, secret_enc, nonce)
 VALUES (
    X'00000000000000000000000000000000',
    'https://registry.jfmonty2.com',
    'joe@jfmonty2.com',
    X'C0B36EE54539D4113A8F73E99FB96B2BF4D87E91F7C3B48256C07E83E3E7EC738888B2FDE2B4DB0BE48BEFDE',
    X'C5F7F627BBE09A1BB275BE8D2390596C76143881A7766E60'
 );
--- a/src-tauri/src/credentials/mod.rs
+++ b/src-tauri/src/credentials/mod.rs
@ -17,6 +17,9 @@ pub use aws::{AwsBaseCredential, AwsSessionCredential};
 mod crypto;
 pub use crypto::Crypto;
 mod docker;
 pub use docker::DockerCredential;
 mod record;
 pub use record::CredentialRecord;
@ -32,6 +35,7 @@ pub use ssh::SshKey;
 pub enum Credential {
    AwsBase(AwsBaseCredential),
    AwsSession(AwsSessionCredential),
    Docker(DockerCredential),
    Ssh(SshKey),
 }
@ -79,6 +83,23 @@ pub trait PersistentCredential: for<'a> Deserialize<'a> + Sized {
        Self::from_row(row, crypto)
    }
    async fn load_by<T>(column: &str, value: T, crypto: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError>
    where T: Send + for<'q> sqlx::Encode<'q, Sqlite> + sqlx::Type<Sqlite>
    {
        let query = format!(
            "SELECT * FROM {} where {} = ?",
            Self::table_name(),
            column,
        );
        let row: Self::Row = sqlx::query_as(&query)
            .bind(value)
            .fetch_optional(pool)
            .await?
            .ok_or(LoadCredentialsError::NoCredentials)?;
        Self::from_row(row, crypto)
    }
    async fn load_default(crypto: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError> {
        let q = format!(
            "SELECT details.*
@ -99,15 +120,15 @@ pub trait PersistentCredential: for<'a> Deserialize<'a> + Sized {
    async fn list(crypto: &Crypto, pool: &SqlitePool) -> Result<Vec<(Uuid, Credential)>, LoadCredentialsError> {
        let q = format!(
            "SELECT details.*
-            FROM 
+            FROM
                {} details
                JOIN credentials c
                    ON c.id = details.id
-             ORDER BY c.created_at", 
+             ORDER BY c.created_at",
             Self::table_name(),
        );
        let mut rows = sqlx::query_as::<_, Self::Row>(&q).fetch(pool);
-        
+
        let mut creds = Vec::new();
        while let Some(row) = rows.try_next().await? {
            let id = Self::row_id(&row);
--- a/src-tauri/src/credentials/record.rs
+++ b/src-tauri/src/credentials/record.rs
@ -20,6 +20,7 @@ use super::{
    AwsBaseCredential,
    Credential,
    Crypto,
    DockerCredential,
    PersistentCredential,
    SshKey,
 };
@ -51,6 +52,7 @@ impl CredentialRecord {
        let type_name = match &self.credential {
            Credential::AwsBase(_) => AwsBaseCredential::type_name(),
            Credential::Ssh(_) => SshKey::type_name(),
            Credential::Docker(_) => DockerCredential::type_name(),
            _ => return Err(SaveCredentialsError::NotPersistent),
        };
@ -86,6 +88,7 @@ impl CredentialRecord {
        match &self.credential {
            Credential::AwsBase(b) => b.save_details(&self.id, crypto, &mut txn).await,
            Credential::Ssh(s) => s.save_details(&self.id, crypto, &mut txn).await,
            Credential::Docker(d) => d.save_details(&self.id, crypto, &mut txn).await,
            _ => Err(SaveCredentialsError::NotPersistent),
        }?;
@ -167,6 +170,11 @@ impl CredentialRecord {
                .ok_or(LoadCredentialsError::InvalidData)?;
            records.push(Self::from_parts(parent, credential));
        }
        for (id, credential) in DockerCredential::list(crypto, pool).await? {
            let parent = parent_map.remove(&id)
                .ok_or(LoadCredentialsError::InvalidData)?;
            records.push(Self::from_parts(parent, credential));
        }
        Ok(records)
    }
--- a/src-tauri/src/errors.rs
+++ b/src-tauri/src/errors.rs
@ -173,7 +173,7 @@ pub enum HandlerError {
    StreamIOError(#[from] std::io::Error),
    #[error("Received invalid UTF-8 in request")]
    InvalidUtf8(#[from] FromUtf8Error),
-    #[error("HTTP request malformed")]
+    #[error("Request malformed: {0}")]
    BadRequest(#[from] serde_json::Error),
    #[error("HTTP request too large")]
    RequestTooLarge,
@ -183,6 +183,8 @@ pub enum HandlerError {
    Internal(#[from] RecvError),
    #[error("Error accessing credentials: {0}")]
    NoCredentials(#[from] GetCredentialsError),
    #[error("Error saving credentials: {0}")]
    SaveCredentials(#[from] SaveCredentialsError),
    #[error("Error getting client details: {0}")]
    ClientInfo(#[from] ClientInfoError),
    #[error("Error from Tauri: {0}")]
--- a/src-tauri/src/ipc.rs
+++ b/src-tauri/src/ipc.rs
@ -16,7 +16,6 @@ use crate::terminal;
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct AwsRequestNotification {
    pub id: u64,
    pub client: Client,
    pub name: Option<String>,
    pub base: bool,
@ -25,27 +24,46 @@ pub struct AwsRequestNotification {
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct SshRequestNotification {
    pub id: u64,
    pub client: Client,
    pub key_name: String,
 }
 #[derive(Clone, Debug, Serialize, Deserialize)]
-#[serde(tag = "type")]
+pub struct DockerRequestNotification {
-pub enum RequestNotification {
+    pub client: Client,
-    Aws(AwsRequestNotification),
+    pub server_url: String,
    Ssh(SshRequestNotification),
 }
-impl RequestNotification {
+
-    pub fn new_aws(id: u64, client: Client, name: Option<String>, base: bool) -> Self {
+#[derive(Clone, Debug, Serialize, Deserialize)]
-        Self::Aws(AwsRequestNotification {id, client, name, base})
+#[serde(tag = "type")]
 pub enum RequestNotificationDetail {
    Aws(AwsRequestNotification),
    Ssh(SshRequestNotification),
    Docker(DockerRequestNotification),
 }
 impl RequestNotificationDetail {
    pub fn new_aws(client: Client, name: Option<String>, base: bool) -> Self {
        Self::Aws(AwsRequestNotification {client, name, base})
    }
-    pub fn new_ssh(id: u64, client: Client, key_name: String) -> Self {
+    pub fn new_ssh(client: Client, key_name: String) -> Self {
-        Self::Ssh(SshRequestNotification {id, client, key_name})
+        Self::Ssh(SshRequestNotification {client, key_name})
    }
    pub fn new_docker(client: Client, server_url: String) -> Self {
        Self::Docker(DockerRequestNotification {client, server_url})
    }
 }
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct RequestNotification {
    pub id: u64,
    #[serde(flatten)]
    pub detail: RequestNotificationDetail,
 }
--- a/src-tauri/src/main.rs
+++ b/src-tauri/src/main.rs
@ -21,6 +21,7 @@ fn main() {
        Some(Action::Get(args)) => creddy_cli::get(args, cli.global_args),
        Some(Action::Exec(args)) => creddy_cli::exec(args, cli.global_args),
        Some(Action::Shortcut(args)) => creddy_cli::invoke_shortcut(args, cli.global_args),
        Some(Action::Docker(cmd)) => creddy_cli::docker_credential_helper(cmd, cli.global_args),
    };
    if let Err(e) = res {
--- a/src-tauri/src/srv/agent.rs
+++ b/src-tauri/src/srv/agent.rs
@ -11,7 +11,7 @@ use tokio_util::codec::Framed;
 use crate::clientinfo;
 use crate::errors::*;
-use crate::ipc::{Approval, RequestNotification};
+use crate::ipc::{Approval, RequestNotification, RequestNotificationDetail};
 use crate::state::AppState;
 use super::{CloseWaiter, Stream};
@ -40,7 +40,7 @@ async fn handle(
                // corrupt the framing. Clients don't seem to behave that way though?
                let waiter = CloseWaiter { stream: adapter.get_mut() };
                let resp = sign_request(req, app_handle.clone(), client_pid, waiter).await?;
-                
+
                // have to do this before we send since we can't inspect the message after
                let is_failure = matches!(resp, Message::Failure);
                adapter.send(resp).await?;
@ -69,47 +69,21 @@ async fn sign_request(
    req: SignRequest,
    app_handle: AppHandle,
    client_pid: u32,
-    mut waiter: CloseWaiter<'_>,
+    waiter: CloseWaiter<'_>,
 ) -> Result<Message, HandlerError> {
    let state = app_handle.state::<AppState>();
-        let rehide_ms = {
+
        let config = state.config.read().await;
        config.rehide_ms
    };
    let client = clientinfo::get_client(client_pid, false)?;
-    let lease = state.acquire_visibility_lease(rehide_ms).await
+    let key_name = state.ssh_name_from_pubkey(&req.pubkey_blob).await?;
-        .map_err(|_e| HandlerError::NoMainWindow)?;
+    let detail = RequestNotificationDetail::new_ssh(client, key_name.clone());
-    let (chan_send, chan_recv) = oneshot::channel();
+    let response = super::send_credentials_request(detail, app_handle.clone(), waiter).await?;
-    let request_id = state.register_request(chan_send).await;
+    match response.approval {
-
+        Approval::Approved => {
-    let proceed = async {
+            let key = state.sshkey_by_name(&key_name).await?;
-        let key_name = state.ssh_name_from_pubkey(&req.pubkey_blob).await?;
+            let sig = key.sign_request(&req)?;
-        let notification = RequestNotification::new_ssh(request_id, client, key_name.clone());
+            Ok(Message::SignResponse(sig))
-        app_handle.emit("credential-request", &notification)?;
+        },
-
+        Approval::Denied => Err(HandlerError::Abandoned),
        let response = tokio::select! {
            r = chan_recv => r?,
            _ = waiter.wait_for_close() => {
                app_handle.emit("request-cancelled", request_id)?;
                return Err(HandlerError::Abandoned);
            },
        };
        if let Approval::Denied = response.approval {
            return Ok(Message::Failure);
        }
        let key = state.sshkey_by_name(&key_name).await?;
        let sig = key.sign_request(&req)?;
        Ok(Message::SignResponse(sig))
    };
    let res = proceed.await;
    if let Err(_) = &res {
        state.unregister_request(request_id).await;
    }
    lease.release();
    res
 }
--- a/src-tauri/src/srv/creddy_server.rs
+++ b/src-tauri/src/srv/creddy_server.rs
@ -1,10 +1,16 @@
 use sqlx::types::uuid::Uuid;
 use tauri::{AppHandle, Manager};
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::sync::oneshot;
 use crate::clientinfo::{self, Client};
 use crate::credentials::{
    Credential,
    CredentialRecord,
    Crypto
 };
 use crate::errors::*;
-use crate::ipc::{Approval, RequestNotification};
+use crate::ipc::{Approval, AwsRequestNotification, RequestNotificationDetail, RequestResponse};
 use crate::shortcuts::{self, ShortcutAction};
 use crate::state::AppState;
 use super::{
@ -46,9 +52,15 @@ async fn handle(
    let req: CliRequest = serde_json::from_slice(&buf)?;
    let res = match req {
-        CliRequest::GetCredential{ name, base } => get_aws_credentials(
+        CliRequest::GetAwsCredential{ name, base } => get_aws_credentials(
            name, base, client, app_handle, waiter
        ).await,
        CliRequest::GetDockerCredential{ server_url } => get_docker_credentials (
            server_url, client, app_handle, waiter
        ).await,
        CliRequest::SaveCredential{ name, is_default, credential } => save_credential(
            name, is_default, credential, app_handle
        ).await,
        CliRequest::InvokeShortcut(action) => invoke_shortcut(action).await,
    };
@ -74,59 +86,64 @@ async fn get_aws_credentials(
    base: bool,
    client: Client,
    app_handle: AppHandle,
-    mut waiter: CloseWaiter<'_>,
+    waiter: CloseWaiter<'_>,
 ) -> Result<CliResponse, HandlerError> {
    let detail = RequestNotificationDetail::new_aws(client, name.clone(), base);
    let response = super::send_credentials_request(detail, app_handle.clone(), waiter).await?;
    match response.approval {
        Approval::Approved => {
            let state = app_handle.state::<AppState>();
            if response.base {
                let creds = state.get_aws_base(name).await?;
                Ok(CliResponse::Credential(CliCredential::AwsBase(creds)))
            }
            else {
                let creds = state.get_aws_session(name).await?.clone();
                Ok(CliResponse::Credential(CliCredential::AwsSession(creds)))
            }
        },
        Approval::Denied => Err(HandlerError::Denied),
    }
 }
 async fn get_docker_credentials(
    server_url: String,
    client: Client,
    app_handle: AppHandle,
    waiter: CloseWaiter<'_>,
 ) -> Result<CliResponse, HandlerError> {
    let detail = RequestNotificationDetail::new_docker(client, server_url.clone());
    let response = super::send_credentials_request(detail, app_handle.clone(), waiter).await?;
    match response.approval {
        Approval::Approved => {
            let state = app_handle.state::<AppState>();
            let creds = state.get_docker_credential(&server_url).await?;
            Ok(CliResponse::Credential(CliCredential::Docker(creds)))
        },
        Approval::Denied => {
            Err(HandlerError::Denied)
        },
    }
 }
 pub async fn save_credential(
    name: String,
    is_default: bool,
    credential: Credential,
    app_handle: AppHandle,
 ) -> Result<CliResponse, HandlerError> {
    let state = app_handle.state::<AppState>();
-    let rehide_ms = {
+
-        let config = state.config.read().await;
+    // eventually ask the frontend to unlock here
-        config.rehide_ms
+
    // a bit weird but convenient
    let random_bytes = Crypto::salt();
    let id = Uuid::from_slice(&random_bytes[..16]).unwrap();
    let record = CredentialRecord {
        id, name, is_default, credential
    };
-    let lease = state.acquire_visibility_lease(rehide_ms).await
+    state.save_credential(record).await?;
        .map_err(|_e| HandlerError::NoMainWindow)?; // automate this conversion eventually?
-    let (chan_send, chan_recv) = oneshot::channel();
+    Ok(CliResponse::Empty)
    let request_id = state.register_request(chan_send).await;
    // if an error occurs in any of the following, we want to abort the operation
    // but ? returns immediately, and we want to unregister the request before returning
    // so we bundle it all up in an async block and return a Result so we can handle errors
    let proceed = async {
        let notification = RequestNotification::new_aws(
            request_id, client, name.clone(), base
        );
        app_handle.emit("credential-request", &notification)?;
        let response = tokio::select! {
            r = chan_recv => r?,
            _ = waiter.wait_for_close() => {
                app_handle.emit("request-cancelled", request_id)?;
                return Err(HandlerError::Abandoned);
            },
        };
        match response.approval {
            Approval::Approved => {
                if response.base {
                    let creds = state.get_aws_base(name).await?;
                    Ok(CliResponse::Credential(CliCredential::AwsBase(creds)))
                }
                else {
                    let creds = state.get_aws_session(name).await?.clone();
                    Ok(CliResponse::Credential(CliCredential::AwsSession(creds)))
                }
            },
            Approval::Denied => Err(HandlerError::Denied),
        }
    };
    let result = match proceed.await {
        Ok(r) => Ok(r),
        Err(e) => {
            state.unregister_request(request_id).await;
            Err(e)
        },
    };
    lease.release();
    result
 }
--- a/src-tauri/src/srv/mod.rs
+++ b/src-tauri/src/srv/mod.rs
@ -3,13 +3,23 @@ use std::future::Future;
 use tauri::{
    AppHandle,
    async_runtime as rt,
    Manager,
 };
 use tokio::io::AsyncReadExt;
 use tokio::sync::oneshot;
 use serde::{Serialize, Deserialize};
-use crate::credentials::{AwsBaseCredential, AwsSessionCredential};
+use crate::clientinfo::Client;
 use crate::credentials::{
    AwsBaseCredential,
    AwsSessionCredential,
    Credential,
    DockerCredential,
 };
 use crate::errors::*;
 use crate::ipc::{RequestNotification, RequestNotificationDetail, RequestResponse};
 use crate::shortcuts::ShortcutAction;
 use crate::state::AppState;
 pub mod creddy_server;
 pub mod agent;
@ -21,10 +31,18 @@ use platform::Stream;
 // that would make it impossible to build a completely static-linked version
 #[derive(Debug, Serialize, Deserialize)]
 pub enum CliRequest {
-    GetCredential {
+    GetAwsCredential {
        name: Option<String>,
        base: bool,
    },
    GetDockerCredential {
        server_url: String,
    },
    SaveCredential {
        name: String,
        is_default: bool,
        credential: Credential,
    },
    InvokeShortcut(ShortcutAction),
 }
@ -40,6 +58,7 @@ pub enum CliResponse {
 pub enum CliCredential {
    AwsBase(AwsBaseCredential),
    AwsSession(AwsSessionCredential),
    Docker(DockerCredential),
 }
@ -87,6 +106,48 @@ fn serve<H, F>(sock_name: &str, app_handle: AppHandle, handler: H) -> std::io::R
 }
 async fn send_credentials_request(
    detail: RequestNotificationDetail,
    app_handle: AppHandle,
    mut waiter: CloseWaiter<'_>
 ) -> Result<RequestResponse, HandlerError> {
    let state = app_handle.state::<AppState>();
    let rehide_ms = {
        let config = state.config.read().await;
        config.rehide_ms
    };
    let lease = state.acquire_visibility_lease(rehide_ms).await
        .map_err(|_e| HandlerError::NoMainWindow)?;
    let (chan_send, chan_recv) = oneshot::channel();
    let request_id = state.register_request(chan_send).await;
    let notification = RequestNotification { id: request_id, detail };
    // the following could fail in various ways, but we want to make sure
    // the request gets unregistered on any failure, so we wrap this all
    // up in an async block so that we only have to handle the error case once
    let proceed = async {
        app_handle.emit("credential-request", &notification)?;
        tokio::select! {
            r = chan_recv => Ok(r?),
            _ = waiter.wait_for_close() => {
                app_handle.emit("request-cancelled", request_id)?;
                Err(HandlerError::Abandoned)
            },
        }
    };
    let res = proceed.await;
    if let Err(_) = &res {
        state.unregister_request(request_id).await;
    }
    lease.release();
    res
 }
 #[cfg(unix)]
 mod platform {
    use std::io::ErrorKind;
--- a/src-tauri/src/state.rs
+++ b/src-tauri/src/state.rs
@ -19,6 +19,7 @@ use crate::app;
 use crate::credentials::{
    AppSession,
    AwsSessionCredential,
    DockerCredential,
    SshKey,
 };
 use crate::{config, config::AppConfig};
@ -193,7 +194,7 @@ impl AppState {
    pub async fn update_config(&self, new_config: AppConfig) -> Result<(), SetupError> {
        let mut live_config = self.config.write().await;
-        
+
        // update autostart if necessary
        if new_config.start_on_login != live_config.start_on_login {
            config::set_auto_launch(new_config.start_on_login)?;
@ -322,6 +323,13 @@ impl AppState {
        Ok(k)
    }
    pub async fn get_docker_credential(&self, server_url: &str) -> Result<DockerCredential, GetCredentialsError> {
        let app_session = self.app_session.read().await;
        let crypto = app_session.try_get_crypto()?;
        let d = DockerCredential::load_by("server_url", server_url.to_owned(), crypto, &self.pool).await?;
        Ok(d)
    }
    pub async fn signal_activity(&self) {
        let mut last_activity = self.last_activity.write().await;
        *last_activity = OffsetDateTime::now_utc();
--- a/src/views/approve/CollectResponse.svelte
+++ b/src/views/approve/CollectResponse.svelte
@ -34,7 +34,7 @@
        <div>
            <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current flex-shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" /></svg>
            <span>
-                WARNING: This application is requesting your base AWS credentials. 
+                WARNING: This application is requesting your base AWS credentials.
                These credentials are less secure than session credentials, since they don't expire automatically.
            </span>
        </div>
@ -51,6 +51,8 @@
            {/if}
        {:else if $appState.currentRequest.type === 'Ssh'}
            {appName ? `"${appName}"` : 'An application'} would like to use your SSH key "{$appState.currentRequest.key_name}".
        {:else if $appState.currentRequest.type === 'Docker'}
            {appName ? `"${appName}"` : 'An application'} would like to use your Docker credentials for <code>{$appState.currentRequest.server_url}</code>.
        {/if}
    </h2>
Author	SHA1	Message	Date
Joseph Montanaro	064cc03573	add CliRequest variants to store/erase docker credentials	2024-11-23 13:47:37 -05:00
Joseph Montanaro	c7a7b45468	working implementation of docker get	2024-09-21 05:30:25 -04:00
Joseph Montanaro	e4a7c62828	send SaveCredential request to frontend on docker store	2024-09-19 11:35:18 -04:00
Joseph Montanaro	0fc97d28e0	add Docker credentials to app and CLI	2024-09-19 11:35:18 -04:00
Joseph Montanaro	b1a5f9f11a	start working on docker helper	2024-09-19 11:35:18 -04:00