Compare commits
	
		
			40 Commits
		
	
	
		
			v0.3.0
			...
			8c668e51a6
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| 8c668e51a6 | |||
| 9928996fab | |||
| d0a2532c27 | |||
| 0491cb5790 | |||
| 816bd7db00 | |||
| b165965289 | |||
| 86896d68c2 | |||
| 64a2927b94 | |||
| 87617a0726 | |||
| 141334f7e2 | |||
| 69f6a39396 | |||
| 70e23c7e20 | |||
| 1df849442e | |||
| 7fdb336c79 | |||
| 46b8d810c5 | |||
| dd40eb379e | |||
|  | 13545ac725 | ||
|  | 040a01536a | ||
|  | 4e2a90b15b | ||
| e0d919ed4a | |||
| 3f4efc5f8f | |||
| 4881b90b0b | |||
| 1b749a857c | |||
| 2079f99d04 | |||
| 5e0ffc1155 | |||
| d4fa8966b2 | |||
| a293d8f92c | |||
|  | 367a140e2a | ||
| 4b06dce7f4 | |||
| 47a3e1cfef | |||
| 1047818fdc | |||
|  | 3d093a3a45 | ||
|  | 992d2a4d06 | ||
|  | 12f0f187a6 | ||
| 997e8b419f | |||
| 1d9132de3b | |||
|  | e1c2618dc8 | ||
|  | a7df7adc8e | ||
|  | 03d164c9d3 | ||
| f522674a1c | 
							
								
								
									
										7
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										7
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							| @@ -2,7 +2,6 @@ dist | ||||
| **/node_modules | ||||
| src-tauri/target/ | ||||
| **/creddy.db | ||||
|  | ||||
| # just in case | ||||
| credentials* | ||||
| !credentials.rs | ||||
| # .env is system-specific | ||||
| .env | ||||
| .vscode | ||||
|   | ||||
| @@ -9,7 +9,7 @@ The following is a list of security features that I hope to add eventually, in a | ||||
| * To defend against the possibility that an attacker could replace, say, the `aws` executable with a malicious one that snarfs your credentials and then passes the command on to the real one, maybe track the path (and maybe even the hash) of the executable, and raise a warning if this is the first time we've seen that one? Using the hash would be safer, but would also introduce a lot of false positives, since every time the application gets updated it would trigger. On the other hand, users should presumably know when they've updated things, so maybe it would be ok. On the _other_ other hand, if somebody doesn't use `aws` very often then it might be weeks or months in between updating it and actually using the updated executable, in which case they probably won't remember that this is the first time they've used it since updating.   | ||||
| Another possible approach is to _watch_ the files in question, and alert the user whenever any of them changes. Presumably the user will know whether this change is expected or not. | ||||
| * Downgrade privileges after launching. In particular, if possible, disallow any kind of outgoing network access (obviously we have to bind the listening socket, but maybe we can filter that down to _just_ the ability to bind that particular address/port) and filesystem access outside of state db. I think this is doable on Linux, although it may involve high levels of `seccomp` grossness. No idea whether it's possible on Windows. Probably possible on MacOS although it may require lengths to which I am currently unwilling to go (e.g. pay for a certificate from Apple or something.) | ||||
| * "Panic button" - if a potential attack is detected (e.g. the user denies a request but Creddy discovers the request has already succeeded somehow), offer a one-click option to lock out the current IAM user. (Sadly, you can't revoke session tokens, so this is the only way to limit a potential compromise). Not sure how feasible this is, session credentials may be limited with regard to what kind of IAM operations they can carry out.) | ||||
| * "Panic button" - if a potential attack is detected (e.g. the user denies a request but Creddy discovers the request has already succeeded somehow), offer a one-click option to lock out the current IAM user. Sadly, you can't revoke session tokens, so this is the only way to limit a potential compromise. Obviously this would require the current user having the ability to revoke their own IAM permissions.) | ||||
| * Some kind of Yubikey or other HST integration. (Optional, since not everyone will have a HST.) This comes in two flavors: | ||||
|     1. (Probably doable) Store the encryption key for the passphrase on the HST, and ask the HST to decrypt the passphrase instead of asking the user to enter it. This has the advantage of being a) lower-friction, since the user doesn't have to type in the passphrase, and b) more secure, since the application code never sees the encryption key. | ||||
|     2. (Less doable) Store the actual AWS secret key on the HST, and then ask the HST to just sign the whole `GetSessionToken` request. This requires that the HST support the exact signing algorithm required by AWS, which a) it probably doesn't, and b) is subject to change anyway. So this is probably not doable, but it's worth at least double-checking, since it would provide the maximum theoretical level of security. (That is, after initial setup, the application would never again see the long-lived AWS secret key.) | ||||
| @@ -19,9 +19,9 @@ Another possible approach is to _watch_ the files in question, and alert the use | ||||
|  | ||||
| Who exactly are we defending against and why? | ||||
|  | ||||
| The basic idea behind Creddy is that it provides "gap coverage" between two wildly different security boundaries: 1) the older, user-based model, where all code executing as a given user is assumed to have the same level of trust, and 2) the newer, application-based model (most clearly seen on mobile devices) where that bondary instead exists around each _application_.  | ||||
| The basic idea behind Creddy is that it provides "gap coverage" between two wildly different security models: 1) the older, user-based model, where all code executing as a given user is assumed to have the same level of trust, and 2) the newer, application-based model (most clearly seen on mobile devices) where that bondary instead exists around each _application_.  | ||||
|  | ||||
| The unfortunate reality is that desktop environments are unlikely to adopt the latter model any time soon, if ever. This is primarily due to friction: Per-application security is a nightmare to manage. The only reason it works at all on mobile devices is because most mobile apps eschew the local device in favor of cloud-backed services where they can, e.g. for file storage. Arguably, the higher-friction trust model of mobile environments is in part _why_ mobile apps tend to be cloud-first. | ||||
| The unfortunate reality is that desktop environments are unlikely to adopt the latter model any time soon, if ever. This is primarily due to friction: Per-application security is a nightmare to manage. The only reason it works at all on mobile devices is because most mobile apps eschew the local device in favor of cloud-backed services where they can, e.g. for file storage. Arguably, the higher-friction trust model of mobile environments (along with the frequently-replaced nature of mobile devices) is in part _why_ mobile apps tend to be cloud-first. | ||||
|  | ||||
| Regardless, we live in a world where it's difficult to run untrusted code without giving it an inordinate level of access to the machine on which it runs. Creddy attempts to prevent that access from including your AWS credentials. The threat model is thus "untrusted code running under your user". This is especially likely to occur in the form of a supply-chain attack, where the compromised code is not your own but rather a dependency, or a dependency of a dependency, etc. | ||||
|  | ||||
| @@ -31,13 +31,13 @@ There are lots of ways that I can imagine someone might try to circumvent Creddy | ||||
|  | ||||
| ### Tricking Creddy into allowing a request that it shouldn't | ||||
|  | ||||
| If an attacker is able to compromise Creddy's frontend, e.g. via a JS library that Creddy relies on, they could forge "request accepted" responses and cause the backend to hand out credentials to an unauthorized client. Most likely, the user would immediately be alerted to the fact that Something Is Up because as soon as the request came in, Creddy would pop up requesting permission. When the user (presumably) denied the request, Creddy would discover that the request had already been approved - we could make this a high-alert situation because it would be unlikely to happen unless something fishy were going on. Additionally, the request and (hopefully) what executable made it would be logged. | ||||
| If an attacker is able to compromise Creddy's frontend, e.g. via a JS library that Creddy relies on, they could forge "request accepted" responses and cause the backend to hand out credentials to an unauthorized client. Most likely, the user would immediately be alerted to the fact that Something Is Up because Creddy would pop up requesting then permission, and then immediately disappear again because the request had been approved. Additionally, the request and (hopefully) what executable made it would be logged. | ||||
|  | ||||
| ### Tricking the user into allowing a request they didn't intend to | ||||
|  | ||||
| If an attacker can edit the user's .bashrc or similar, they could theoretically insert a function or pre-command hook that wraps, say, the `aws` command, and dump the credentials before continuing on with the user's command. This would most likely alert the user because either a) the attacker is hijacking the original `aws` command and thus it doesn't do what the user told it to, or b) the user's original `aws` command proceeds as normal after the malicious one, and the user is alerted by the second request where there should only have been one. | ||||
| If an attacker can edit the user's .bashrc or similar, they could theoretically insert a function or pre-command hook that wraps, say, the `aws` command, and dump the credentials before continuing on with the user's command. The attacker could inject the credentials into the environment before running the original command, so as to avoid alerting the user by issuing a second credentials request. | ||||
|  | ||||
| A similar but more-difficult-to-detect attack would be replacing the `aws` executable, or any other executable that is always expected to ask for AWS credentials, with a malicious wrapper that snarfs the credentials before passing them through to the original command. Creddy could defend against this to a certain extent by storing the hash of the executable, as discussed above. | ||||
| Another attack along the same lines would be replacing the `aws` executable, or any other executable that is always expected to ask for AWS credentials, with a malicious wrapper that snarfs the credentials before passing them through to the original command. Creddy could defend against this to a certain extent by storing the hash of the executable, as discussed above. | ||||
|  | ||||
| ### Pretending to be the user | ||||
|  | ||||
| @@ -46,3 +46,5 @@ Most desktop environments don't prevent applications from simulating user-input | ||||
| ### Twiddling with Creddy's persistent state | ||||
|  | ||||
| The solutions to or mitigations for a lot of these attacks rely on Creddy being able to assume that its local database hasn't been tampered with. Unfortunately, given that our threat model is "other code running as the same user", this isn't a safe assumption. | ||||
|  | ||||
| The solution to this problem is probably just to encrypt the entire database. This introduces a bit of complexity since certain settings, like `start_on_login` and `start_minimized`, will need to be accessible before the app is unlocked,but these settings can probably just be stashed alongside the database and kept in sync on every config save. | ||||
|   | ||||
							
								
								
									
										25
									
								
								doc/todo.md
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										25
									
								
								doc/todo.md
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,25 @@ | ||||
| ## Definitely | ||||
|  | ||||
| * ~~Switch to "process" provider for AWS credentials (much less hacky)~~ | ||||
| * ~~Frontend needs to react when request is cancelled from backend~~ | ||||
| * ~~Session timeout~~ | ||||
| * ~~Fix rehide behavior when new request comes in while old one is still being resolved~~ | ||||
| * ~~Switch tray menu item to Hide when window is visible~~ | ||||
| * Clear password input after unlock fails | ||||
| * Indicate on approval screen when additional requests are pending | ||||
| * Additional hotkey configuration (approve/deny at the very least) | ||||
| * Logging | ||||
| * Icon | ||||
| * Auto-updates | ||||
| * SSH key handling | ||||
| * Encrypted sync server | ||||
|  | ||||
| ## Maybe | ||||
|  | ||||
| * Flatten error type hierarchy | ||||
| * Rehide after terminal launch from locked | ||||
|     * Generalize Request across both credentials and terminal launch? | ||||
| * Make hotkey configuration a little more tolerant of slight mistiming | ||||
| * Distinguish between request that was denied and request that was canceled (e.g. due to error) | ||||
| * Use atomic types for primitive state values instead of RwLock'd types | ||||
| * Rework approval flow to be a fullscreen overlay instead of mixing with normal navigation (as more views are added the pain of the current situation will only increase) | ||||
							
								
								
									
										2032
									
								
								package-lock.json
									
									
									
										generated
									
									
									
								
							
							
						
						
									
										2032
									
								
								package-lock.json
									
									
									
										generated
									
									
									
								
							
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							| @@ -1,6 +1,6 @@ | ||||
| { | ||||
|   "name": "creddy", | ||||
|   "version": "0.3.0", | ||||
|   "version": "0.4.9", | ||||
|   "scripts": { | ||||
|     "dev": "vite", | ||||
|     "build": "vite build", | ||||
| @@ -9,7 +9,7 @@ | ||||
|   }, | ||||
|   "devDependencies": { | ||||
|     "@sveltejs/vite-plugin-svelte": "^1.0.1", | ||||
|     "@tauri-apps/cli": "^1.0.5", | ||||
|     "@tauri-apps/cli": "^2.0.0-beta.20", | ||||
|     "autoprefixer": "^10.4.8", | ||||
|     "postcss": "^8.4.16", | ||||
|     "svelte": "^3.49.0", | ||||
| @@ -17,7 +17,9 @@ | ||||
|     "vite": "^3.0.7" | ||||
|   }, | ||||
|   "dependencies": { | ||||
|     "@tauri-apps/api": "^1.0.2", | ||||
|     "@tauri-apps/api": "^2.0.0-beta.13", | ||||
|     "@tauri-apps/plugin-dialog": "^2.0.0-beta.5", | ||||
|     "@tauri-apps/plugin-os": "^2.0.0-beta.5", | ||||
|     "daisyui": "^2.51.5" | ||||
|   } | ||||
| } | ||||
|   | ||||
| @@ -1 +0,0 @@ | ||||
| DATABASE_URL=sqlite://C:/Users/Joe/AppData/Roaming/creddy/creddy.dev.db | ||||
							
								
								
									
										4351
									
								
								src-tauri/Cargo.lock
									
									
									
										generated
									
									
									
								
							
							
						
						
									
										4351
									
								
								src-tauri/Cargo.lock
									
									
									
										generated
									
									
									
								
							
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							| @@ -1,6 +1,6 @@ | ||||
| [package] | ||||
| name = "creddy" | ||||
| version = "0.3.0" | ||||
| version = "0.4.9" | ||||
| description = "A friendly AWS credentials manager" | ||||
| authors = ["Joseph Montanaro"] | ||||
| license = "" | ||||
| @@ -20,22 +20,19 @@ path = "src/main.rs" | ||||
| # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html | ||||
|  | ||||
| [build-dependencies] | ||||
| tauri-build = { version = "1.0.4", features = [] } | ||||
| tauri-build = { version = "2.0.0-beta", features = [] } | ||||
|  | ||||
| [dependencies] | ||||
| serde_json = "1.0" | ||||
| serde = { version = "1.0", features = ["derive"] } | ||||
| tauri = { version = "1.2", features = ["dialog", "dialog-open", "global-shortcut", "os-all", "system-tray"] } | ||||
| tauri-plugin-single-instance = { git = "https://github.com/tauri-apps/plugins-workspace", branch = "dev" } | ||||
| tauri = { version = "2.0.0-beta", features = ["tray-icon"] } | ||||
| sodiumoxide = "0.2.7" | ||||
| tokio = { version = ">=1.19", features = ["full"] } | ||||
| sqlx = { version = "0.6.2", features = ["sqlite", "runtime-tokio-rustls"] } | ||||
| netstat2 = "0.9.1" | ||||
| sysinfo = "0.26.8" | ||||
| aws-types = "0.52.0" | ||||
| aws-sdk-sts = "0.22.0" | ||||
| aws-smithy-types = "0.52.0" | ||||
| aws-config = "0.52.0" | ||||
| aws-config = "1.5.3" | ||||
| aws-types = "1.3.2" | ||||
| aws-sdk-sts = "1.33.0" | ||||
| aws-smithy-types = "1.2.0" | ||||
| thiserror = "1.0.38" | ||||
| once_cell = "1.16.0" | ||||
| strum = "0.24" | ||||
| @@ -47,6 +44,16 @@ is-terminal = "0.4.7" | ||||
| argon2 = { version = "0.5.0", features = ["std"] } | ||||
| chacha20poly1305 = { version = "0.10.1", features = ["std"] } | ||||
| which = "4.4.0" | ||||
| windows = { version = "0.51.1", features = ["Win32_Foundation", "Win32_System_Pipes"] } | ||||
| time = "0.3.31" | ||||
| tauri-plugin-single-instance = "2.0.0-beta.9" | ||||
| tauri-plugin-global-shortcut = "2.0.0-beta.6" | ||||
| rfd = "0.14.1" | ||||
| ssh-agent-lib = "0.4.0" | ||||
| ssh-key = { version = "0.6.6", features = ["rsa", "ed25519", "encryption"] } | ||||
| signature = "2.2.0" | ||||
| tokio-stream = "0.1.15" | ||||
| sqlx = { version = "0.7.4", features = ["sqlite", "runtime-tokio", "uuid"] } | ||||
|  | ||||
| [features] | ||||
| # by default Tauri runs in production mode | ||||
|   | ||||
							
								
								
									
										17
									
								
								src-tauri/capabilities/migrated.json
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										17
									
								
								src-tauri/capabilities/migrated.json
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,17 @@ | ||||
| { | ||||
|   "identifier": "migrated", | ||||
|   "description": "permissions that were migrated from v1", | ||||
|   "local": true, | ||||
|   "windows": [ | ||||
|     "main" | ||||
|   ], | ||||
|   "permissions": [ | ||||
|     "path:default", | ||||
|     "event:default", | ||||
|     "window:default", | ||||
|     "app:default", | ||||
|     "resources:default", | ||||
|     "menu:default", | ||||
|     "tray:default" | ||||
|   ] | ||||
| } | ||||
							
								
								
									
										1
									
								
								src-tauri/gen/schemas/acl-manifests.json
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										1
									
								
								src-tauri/gen/schemas/acl-manifests.json
									
									
									
									
									
										Normal file
									
								
							
										
											
												File diff suppressed because one or more lines are too long
											
										
									
								
							
							
								
								
									
										1
									
								
								src-tauri/gen/schemas/capabilities.json
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										1
									
								
								src-tauri/gen/schemas/capabilities.json
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1 @@ | ||||
| {"migrated":{"identifier":"migrated","description":"permissions that were migrated from v1","local":true,"windows":["main"],"permissions":["path:default","event:default","window:default","app:default","resources:default","menu:default","tray:default"]}} | ||||
							
								
								
									
										2243
									
								
								src-tauri/gen/schemas/desktop-schema.json
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										2243
									
								
								src-tauri/gen/schemas/desktop-schema.json
									
									
									
									
									
										Normal file
									
								
							
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							
							
								
								
									
										2243
									
								
								src-tauri/gen/schemas/linux-schema.json
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										2243
									
								
								src-tauri/gen/schemas/linux-schema.json
									
									
									
									
									
										Normal file
									
								
							
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							
							
								
								
									
										11
									
								
								src-tauri/migrations/20240612192956_kv.sql
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										11
									
								
								src-tauri/migrations/20240612192956_kv.sql
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,11 @@ | ||||
| -- key-value store, will be used for various one-off values, serialized to bytes | ||||
| CREATE TABLE kv ( | ||||
|     name TEXT PRIMARY KEY, | ||||
|     value BLOB | ||||
| ); | ||||
|  | ||||
| -- config is currently stored in its own table, as text | ||||
| INSERT INTO kv (name, value) | ||||
| SELECT 'config', CAST(data AS BLOB) FROM config; | ||||
|  | ||||
| DROP TABLE config; | ||||
							
								
								
									
										76
									
								
								src-tauri/migrations/20240617142724_credential_split.sql
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										76
									
								
								src-tauri/migrations/20240617142724_credential_split.sql
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,76 @@ | ||||
| -- app structure is changing - instead of passphrase/salt being per credential, | ||||
| -- we now have a single app-wide key, which is generated by hashing the passphrase | ||||
| -- with the known salt. To verify the key thus produced, we store a value previously | ||||
| -- encrypted with that key, and attempt decryption once the key has been re-generated. | ||||
|  | ||||
| -- For migration purposes, we want convert the passphrase for the most recent set of | ||||
| -- AWS credentials and turn it into the app-wide passphrase. The only value that we | ||||
| -- have which is encrypted with that passphrase is the secret key for those credentials, | ||||
| -- so we will just use that as the `verify_blob`. Feels a little weird, but oh well. | ||||
| WITH latest_creds AS ( | ||||
|     SELECT * | ||||
|     FROM credentials | ||||
|     ORDER BY created_at DESC | ||||
|     LIMIT 1 | ||||
| ) | ||||
|  | ||||
| INSERT INTO kv (name, value) | ||||
| SELECT 'salt', salt FROM latest_creds | ||||
| UNION ALL | ||||
| SELECT 'verify_nonce', nonce FROM latest_creds | ||||
| UNION ALL | ||||
| SELECT 'verify_blob', secret_key_enc FROM latest_creds; | ||||
|  | ||||
|  | ||||
| -- Credentials are now going to be stored in a main table | ||||
| -- plus ancillary tables for type-specific data | ||||
|  | ||||
| -- stash existing AWS creds in temporary table so that we can remake it | ||||
| CREATE TABLE aws_tmp (id, access_key_id, secret_key_enc, nonce, created_at); | ||||
|  | ||||
| INSERT INTO aws_tmp  | ||||
| SELECT randomblob(16), access_key_id, secret_key_enc, nonce, created_at | ||||
| FROM credentials | ||||
| ORDER BY created_at DESC | ||||
| -- we only ever used one at a time in the past | ||||
| LIMIT 1; | ||||
|  | ||||
| -- new master credentials table | ||||
| DROP TABLE credentials; | ||||
| CREATE TABLE credentials ( | ||||
|     -- id is a UUID so we can generate it on the frontend | ||||
|     id BLOB UNIQUE NOT NULL, | ||||
|     name TEXT UNIQUE NOT NULL, | ||||
|     type TEXT NOT NULL, | ||||
|     created_at INTEGER NOT NULL | ||||
| ); | ||||
|  | ||||
| -- populate with basic data from existing AWS credential | ||||
| INSERT INTO credentials (id, name, type, created_at) | ||||
| SELECT id, 'default', 'aws', created_at FROM aws_tmp; | ||||
|  | ||||
| -- new AWS-specific table | ||||
| CREATE TABLE aws_credentials ( | ||||
|     id BLOB UNIQUE NOT NULL, | ||||
|     access_key_id TEXT NOT NULL, | ||||
|     secret_key_enc BLOB NOT NULL, | ||||
|     nonce BLOB NOT NULL, | ||||
|     FOREIGN KEY(id) REFERENCES credentials(id) ON DELETE CASCADE | ||||
| ); | ||||
|  | ||||
| -- populate with AWS-specific data from existing credential | ||||
| INSERT INTO aws_credentials (id, access_key_id, secret_key_enc, nonce) | ||||
| SELECT id, access_key_id, secret_key_enc, nonce | ||||
| FROM aws_tmp; | ||||
|  | ||||
| -- done with this now | ||||
| DROP TABLE aws_tmp; | ||||
|  | ||||
|  | ||||
| -- SSH keys are the new hotness | ||||
| CREATE TABLE ssh_keys ( | ||||
|     name TEXT UNIQUE NOT NULL, | ||||
|     public_key BLOB NOT NULL, | ||||
|     private_key_enc BLOB NOT NULL, | ||||
|     nonce BLOB NOT NULL | ||||
| ); | ||||
| @@ -126,23 +126,31 @@ impl LockedCredentials { | ||||
|         let secret_access_key = String::from_utf8(decrypted) | ||||
|             .map_err(|_| UnlockError::InvalidUtf8)?; | ||||
| 
 | ||||
|         let creds = BaseCredentials { | ||||
|             access_key_id: self.access_key_id.clone(), | ||||
|         let creds = BaseCredentials::new( | ||||
|             self.access_key_id.clone(), | ||||
|             secret_access_key, | ||||
|         }; | ||||
|         ); | ||||
|         Ok(creds) | ||||
|     } | ||||
| } | ||||
| 
 | ||||
| 
 | ||||
| fn default_credentials_version() -> usize { 1 } | ||||
| 
 | ||||
| #[derive(Clone, Debug, Serialize, Deserialize)] | ||||
| #[serde(rename_all = "PascalCase")] | ||||
| pub struct BaseCredentials { | ||||
|     #[serde(default = "default_credentials_version")] | ||||
|     pub version: usize, | ||||
|     pub access_key_id: String, | ||||
|     pub secret_access_key: String, | ||||
| } | ||||
| 
 | ||||
| impl BaseCredentials { | ||||
|     pub fn new(access_key_id: String, secret_access_key: String) -> Self { | ||||
|         Self {version: 1, access_key_id, secret_access_key} | ||||
|     } | ||||
| 
 | ||||
|     pub fn encrypt(&self, passphrase: &str) -> Result<LockedCredentials, CryptoError> { | ||||
|         let salt = Crypto::salt(); | ||||
|         let crypto = Crypto::new(passphrase, &salt)?; | ||||
| @@ -162,9 +170,11 @@ impl BaseCredentials { | ||||
| #[derive(Clone, Debug, Serialize, Deserialize)] | ||||
| #[serde(rename_all = "PascalCase")] | ||||
| pub struct SessionCredentials { | ||||
|     #[serde(default = "default_credentials_version")] | ||||
|     pub version: usize, | ||||
|     pub access_key_id: String, | ||||
|     pub secret_access_key: String, | ||||
|     pub token: String, | ||||
|     pub session_token: String, | ||||
|     #[serde(serialize_with = "serialize_expiration")] | ||||
|     #[serde(deserialize_with = "deserialize_expiration")] | ||||
|     pub expiration: DateTime, | ||||
| @@ -198,7 +208,7 @@ impl SessionCredentials { | ||||
|         let secret_access_key = aws_session.secret_access_key() | ||||
|             .ok_or(GetSessionError::EmptyResponse)? | ||||
|             .to_string(); | ||||
|         let token = aws_session.session_token() | ||||
|         let session_token = aws_session.session_token() | ||||
|             .ok_or(GetSessionError::EmptyResponse)? | ||||
|             .to_string(); | ||||
|         let expiration = aws_session.expiration() | ||||
| @@ -206,9 +216,10 @@ impl SessionCredentials { | ||||
|             .clone(); | ||||
| 
 | ||||
|         let session_creds = SessionCredentials { | ||||
|             version: 1, | ||||
|             access_key_id, | ||||
|             secret_access_key, | ||||
|             token, | ||||
|             session_token, | ||||
|             expiration, | ||||
|         }; | ||||
| 
 | ||||
| @@ -230,6 +241,14 @@ impl SessionCredentials { | ||||
|     } | ||||
| } | ||||
| 
 | ||||
| 
 | ||||
| #[derive(Debug, Serialize, Deserialize)] | ||||
| pub enum Credentials { | ||||
|     Base(BaseCredentials), | ||||
|     Session(SessionCredentials), | ||||
| } | ||||
| 
 | ||||
| 
 | ||||
| fn serialize_expiration<S>(exp: &DateTime, serializer: S) -> Result<S::Ok, S::Error> | ||||
| where S: Serializer | ||||
| { | ||||
| @@ -1,6 +1,11 @@ | ||||
| use std::error::Error; | ||||
| use std::time::Duration; | ||||
|  | ||||
| use once_cell::sync::OnceCell; | ||||
| use rfd::{ | ||||
|     MessageDialog, | ||||
|     MessageLevel, | ||||
| }; | ||||
| use sqlx::{ | ||||
|     SqlitePool, | ||||
|     sqlite::SqlitePoolOptions, | ||||
| @@ -9,16 +14,20 @@ use sqlx::{ | ||||
| use tauri::{ | ||||
|     App, | ||||
|     AppHandle, | ||||
|     Manager, | ||||
|     async_runtime as rt, | ||||
|     Manager, | ||||
|     RunEvent, | ||||
|     WindowEvent, | ||||
| }; | ||||
| use tauri::menu::MenuItem; | ||||
|  | ||||
| use crate::{ | ||||
|     config::{self, AppConfig}, | ||||
|     credentials::Session, | ||||
|     credentials::AppSession, | ||||
|     ipc, | ||||
|     server::Server, | ||||
|     errors::*, | ||||
|     shortcuts, | ||||
|     state::AppState, | ||||
|     tray, | ||||
| }; | ||||
| @@ -30,31 +39,44 @@ pub static APP: OnceCell<AppHandle> = OnceCell::new(); | ||||
| pub fn run() -> tauri::Result<()> { | ||||
|     tauri::Builder::default() | ||||
|         .plugin(tauri_plugin_single_instance::init(|app, _argv, _cwd| { | ||||
|             app.get_window("main") | ||||
|                 .map(|w| w.show().error_popup("Failed to show main window")); | ||||
|             show_main_window(app) | ||||
|                 .error_popup("Failed to show main window") | ||||
|         })) | ||||
|         .system_tray(tray::create()) | ||||
|         .on_system_tray_event(tray::handle_event) | ||||
|         .plugin(tauri_plugin_global_shortcut::Builder::default().build()) | ||||
|         .invoke_handler(tauri::generate_handler![ | ||||
|             ipc::unlock, | ||||
|             ipc::lock, | ||||
|             ipc::set_passphrase, | ||||
|             ipc::respond, | ||||
|             ipc::get_session_status, | ||||
|             ipc::save_credentials, | ||||
|             ipc::signal_activity, | ||||
|             ipc::save_credential, | ||||
|             ipc::delete_credential, | ||||
|             ipc::list_credentials, | ||||
|             ipc::get_config, | ||||
|             ipc::save_config, | ||||
|             ipc::launch_terminal, | ||||
|             ipc::get_setup_errors, | ||||
|         ]) | ||||
|         .setup(|app| rt::block_on(setup(app))) | ||||
|         .setup(|app| { | ||||
|             let res = rt::block_on(setup(app)); | ||||
|             if let Err(ref e) = res { | ||||
|                 MessageDialog::new() | ||||
|                     .set_level(MessageLevel::Error) | ||||
|                     .set_title("Creddy failed to start") | ||||
|                     .set_description(format!("{e}")) | ||||
|                     .show(); | ||||
|             } | ||||
|             res | ||||
|         }) | ||||
|         .build(tauri::generate_context!())? | ||||
|         .run(|app, run_event| match run_event { | ||||
|             tauri::RunEvent::WindowEvent { label, event, .. } => match event { | ||||
|                 tauri::WindowEvent::CloseRequested { api, .. } => { | ||||
|                     let _ = app.get_window(&label).map(|w| w.hide()); | ||||
|         .run(|app, run_event| { | ||||
|             if let RunEvent::WindowEvent { event, .. } = run_event { | ||||
|                 if let WindowEvent::CloseRequested { api, .. } = event { | ||||
|                     let _ = hide_main_window(app); | ||||
|                     api.prevent_close(); | ||||
|                 } | ||||
|                 _ => () | ||||
|             } | ||||
|             _ => () | ||||
|         }); | ||||
|  | ||||
|     Ok(()) | ||||
| @@ -73,25 +95,97 @@ pub async fn connect_db() -> Result<SqlitePool, SetupError> { | ||||
|  | ||||
|  | ||||
| async fn setup(app: &mut App) -> Result<(), Box<dyn Error>> { | ||||
|     APP.set(app.handle()).unwrap(); | ||||
|  | ||||
|     let is_first_launch = config::get_or_create_db_path()?.exists(); | ||||
|  | ||||
|     APP.set(app.handle().clone()).unwrap(); | ||||
|     tray::setup(app)?; | ||||
|     // get_or_create_db_path doesn't create the actual db file, just the directory | ||||
|     let is_first_launch = !config::get_or_create_db_path()?.exists(); | ||||
|     let pool = connect_db().await?; | ||||
|     let conf = AppConfig::load(&pool).await?; | ||||
|     let session = Session::load(&pool).await?; | ||||
|     let srv = Server::new(conf.listen_addr, conf.listen_port, app.handle()).await?; | ||||
|     let mut setup_errors: Vec<String> = vec![]; | ||||
|  | ||||
|     let mut conf = match AppConfig::load(&pool).await { | ||||
|         Ok(c) => c, | ||||
|         Err(LoadKvError::Invalid(_)) => { | ||||
|             setup_errors.push( | ||||
|                 "Could not load configuration from database. Reverting to defaults.".into() | ||||
|             ); | ||||
|             AppConfig::default() | ||||
|         }, | ||||
|         err => err?, | ||||
|     }; | ||||
|  | ||||
|     let app_session = AppSession::load(&pool).await?; | ||||
|     Server::start(app.handle().clone())?; | ||||
|  | ||||
|     config::set_auto_launch(conf.start_on_login)?; | ||||
|     config::register_hotkeys(&conf.hotkeys)?; | ||||
|     // if session is empty, this is probably the first launch, so don't autohide | ||||
|     if !conf.start_minimized || is_first_launch { | ||||
|         app.get_window("main") | ||||
|             .ok_or(HandlerError::NoMainWindow)? | ||||
|             .show()?; | ||||
|     if let Err(_e) = config::set_auto_launch(conf.start_on_login) { | ||||
|         setup_errors.push("Error: Failed to manage autolaunch.".into()); | ||||
|     } | ||||
|  | ||||
|     let state = AppState::new(conf, session, srv, pool); | ||||
|     // if hotkeys fail to register, disable them so that this error doesn't have to keep showing up | ||||
|     if let Err(_e) = shortcuts::register_hotkeys(&conf.hotkeys) { | ||||
|         conf.hotkeys.disable_all(); | ||||
|         conf.save(&pool).await?; | ||||
|         setup_errors.push("Failed to register hotkeys. Hotkey settings have been disabled.".into()); | ||||
|     } | ||||
|  | ||||
|     let desktop_is_gnome = std::env::var("XDG_CURRENT_DESKTOP") | ||||
|         .map(|names| names.split(':').any(|n| n == "GNOME")) | ||||
|         .unwrap_or(false); | ||||
|  | ||||
|     if !conf.start_minimized || is_first_launch { | ||||
|         show_main_window(&app.handle())?; | ||||
|     } | ||||
|  | ||||
|     let state = AppState::new(conf, app_session, pool, setup_errors, desktop_is_gnome); | ||||
|     app.manage(state); | ||||
|  | ||||
|     // make sure we do this after managing app state, so that it doesn't panic | ||||
|     start_auto_locker(app.app_handle().clone()); | ||||
|  | ||||
|     Ok(()) | ||||
| } | ||||
|  | ||||
|  | ||||
| fn start_auto_locker(app: AppHandle) { | ||||
|     rt::spawn(async move { | ||||
|         let state = app.state::<AppState>(); | ||||
|         loop { | ||||
|             // this gives our session-timeout a minimum resolution of 10s, which seems fine? | ||||
|             let delay = Duration::from_secs(10); | ||||
|             tokio::time::sleep(delay).await; | ||||
|  | ||||
|             if state.should_auto_lock().await { | ||||
|                 state.lock().await.error_popup("Failed to lock Creddy"); | ||||
|             } | ||||
|         } | ||||
|     }); | ||||
| } | ||||
|  | ||||
|  | ||||
| pub fn show_main_window(app: &AppHandle) -> Result<(), WindowError> { | ||||
|     let w = app.get_webview_window("main").ok_or(WindowError::NoMainWindow)?; | ||||
|     w.show()?; | ||||
|     let show_hide = app.state::<MenuItem<tauri::Wry>>(); | ||||
|     show_hide.set_text("Hide")?; | ||||
|     Ok(()) | ||||
| } | ||||
|  | ||||
|  | ||||
| pub fn hide_main_window(app: &AppHandle) -> Result<(), WindowError> { | ||||
|     let w = app.get_webview_window("main").ok_or(WindowError::NoMainWindow)?; | ||||
|     w.hide()?; | ||||
|     let show_hide = app.state::<MenuItem<tauri::Wry>>(); | ||||
|     show_hide.set_text("Show")?; | ||||
|     Ok(()) | ||||
| } | ||||
|  | ||||
|  | ||||
| pub fn toggle_main_window(app: &AppHandle) -> Result<(), WindowError> { | ||||
|     let w = app.get_webview_window("main").ok_or(WindowError::NoMainWindow)?; | ||||
|     if w.is_visible()? { | ||||
|         hide_main_window(app) | ||||
|     } | ||||
|     else { | ||||
|         show_main_window(app) | ||||
|     } | ||||
| } | ||||
|   | ||||
							
								
								
									
										7
									
								
								src-tauri/src/bin/agent.rs
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										7
									
								
								src-tauri/src/bin/agent.rs
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,7 @@ | ||||
| use creddy::server::ssh_agent; | ||||
|  | ||||
|  | ||||
| #[tokio::main] | ||||
| async fn main() { | ||||
|     ssh_agent::run().await; | ||||
| } | ||||
| @@ -19,13 +19,15 @@ fn main() { | ||||
|  | ||||
|     let res = match args.subcommand() { | ||||
|         None | Some(("run", _)) => launch_gui(), | ||||
|         Some(("show", m)) => cli::show(m), | ||||
|         Some(("get", m)) => cli::get(m), | ||||
|         Some(("exec", m)) => cli::exec(m), | ||||
|         _ => unreachable!(), | ||||
|         Some(("shortcut", m)) => cli::invoke_shortcut(m), | ||||
|         _ => unreachable!("Unknown subcommand"), | ||||
|     }; | ||||
|  | ||||
|     if let Err(e) = res { | ||||
|         eprintln!("Error: {e}"); | ||||
|         process::exit(1); | ||||
|     } | ||||
| } | ||||
|  | ||||
|   | ||||
							
								
								
									
										13
									
								
								src-tauri/src/bin/key.rs
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										13
									
								
								src-tauri/src/bin/key.rs
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,13 @@ | ||||
| use ssh_key::private::PrivateKey; | ||||
|  | ||||
|  | ||||
| fn main() { | ||||
|     // let passphrase = std::env::var("PRIVKEY_PASSPHRASE").unwrap(); | ||||
|     let p = AsRef::<std::path::Path>::as_ref("/home/joe/.ssh/test"); | ||||
|     let privkey = PrivateKey::read_openssh_file(p) | ||||
|         .unwrap(); | ||||
|         // .decrypt(passphrase.as_bytes()) | ||||
|         // .unwrap(); | ||||
|  | ||||
|     dbg!(String::from_utf8_lossy(&privkey.to_bytes().unwrap())); | ||||
| } | ||||
| @@ -1,36 +1,45 @@ | ||||
| use std::ffi::OsString; | ||||
| use std::process::Command as ChildCommand; | ||||
| #[cfg(unix)] | ||||
| use std::os::unix::process::CommandExt; | ||||
| #[cfg(windows)] | ||||
| use std::time::Duration; | ||||
|  | ||||
| use clap::{ | ||||
|     Command, | ||||
|      Arg, | ||||
|      ArgMatches, | ||||
|      ArgAction | ||||
|     Arg, | ||||
|     ArgMatches, | ||||
|     ArgAction, | ||||
|     builder::PossibleValuesParser, | ||||
|  }; | ||||
| use tokio::{ | ||||
|     net::TcpStream, | ||||
|     io::{AsyncReadExt, AsyncWriteExt}, | ||||
| use tokio::io::{AsyncReadExt, AsyncWriteExt}; | ||||
|  | ||||
| use crate::errors::*; | ||||
| use crate::server::{Request, Response}; | ||||
| use crate::shortcuts::ShortcutAction; | ||||
|  | ||||
| #[cfg(unix)] | ||||
| use { | ||||
|     std::os::unix::process::CommandExt, | ||||
|     tokio::net::UnixStream, | ||||
| }; | ||||
|  | ||||
|  | ||||
| use crate::app; | ||||
| use crate::config::AppConfig; | ||||
| use crate::credentials::{BaseCredentials, SessionCredentials}; | ||||
| use crate::errors::*; | ||||
| #[cfg(windows)] | ||||
| use { | ||||
|     tokio::net::windows::named_pipe::{NamedPipeClient, ClientOptions}, | ||||
|     windows::Win32::Foundation::ERROR_PIPE_BUSY, | ||||
| }; | ||||
|  | ||||
|  | ||||
| pub fn parser() -> Command<'static> { | ||||
|     Command::new("creddy") | ||||
|         .version(env!("CARGO_PKG_VERSION")) | ||||
|         .about("A friendly AWS credentials manager") | ||||
|         .subcommand( | ||||
|             Command::new("run") | ||||
|                 .about("Launch Creddy") | ||||
|         ) | ||||
|         .subcommand( | ||||
|             Command::new("show") | ||||
|                 .about("Fetch and display AWS credentials") | ||||
|             Command::new("get") | ||||
|                 .about("Request AWS credentials from Creddy and output to stdout") | ||||
|                 .arg( | ||||
|                     Arg::new("base") | ||||
|                         .short('b') | ||||
| @@ -55,13 +64,27 @@ pub fn parser() -> Command<'static> { | ||||
|                         .multiple_values(true) | ||||
|                 ) | ||||
|         ) | ||||
|         .subcommand( | ||||
|             Command::new("shortcut") | ||||
|                 .about("Invoke an action normally trigged by hotkey (e.g. launch terminal)") | ||||
|                 .arg( | ||||
|                     Arg::new("action") | ||||
|                         .value_parser( | ||||
|                             PossibleValuesParser::new(["show_window", "launch_terminal"]) | ||||
|                         ) | ||||
|                 ) | ||||
|         ) | ||||
| } | ||||
|  | ||||
|  | ||||
| pub fn show(args: &ArgMatches) -> Result<(), CliError> { | ||||
| pub fn get(args: &ArgMatches) -> Result<(), CliError> { | ||||
|     let base = args.get_one("base").unwrap_or(&false); | ||||
|     let creds = get_credentials(*base)?; | ||||
|     println!("{creds}"); | ||||
|     let output = match make_request(&Request::GetAwsCredentials { base: *base })? { | ||||
|         Response::AwsBase(creds) => serde_json::to_string(&creds).unwrap(), | ||||
|         Response::AwsSession(creds) => serde_json::to_string(&creds).unwrap(), | ||||
|         r => return Err(RequestError::Unexpected(r).into()), | ||||
|     }; | ||||
|     println!("{output}"); | ||||
|     Ok(()) | ||||
| } | ||||
|  | ||||
| @@ -75,18 +98,17 @@ pub fn exec(args: &ArgMatches) -> Result<(), CliError> { | ||||
|     let mut cmd = ChildCommand::new(cmd_name); | ||||
|     cmd.args(cmd_line); | ||||
|      | ||||
|     if base { | ||||
|         let creds: BaseCredentials = serde_json::from_str(&get_credentials(base)?) | ||||
|             .map_err(|_| RequestError::InvalidJson)?; | ||||
|         cmd.env("AWS_ACCESS_KEY_ID", creds.access_key_id); | ||||
|         cmd.env("AWS_SECRET_ACCESS_KEY", creds.secret_access_key); | ||||
|     } | ||||
|     else { | ||||
|         let creds: SessionCredentials = serde_json::from_str(&get_credentials(base)?) | ||||
|             .map_err(|_| RequestError::InvalidJson)?; | ||||
|         cmd.env("AWS_ACCESS_KEY_ID", creds.access_key_id); | ||||
|         cmd.env("AWS_SECRET_ACCESS_KEY", creds.secret_access_key); | ||||
|         cmd.env("AWS_SESSION_TOKEN", creds.token); | ||||
|     match make_request(&Request::GetAwsCredentials { base })? { | ||||
|         Response::AwsBase(creds) => { | ||||
|             cmd.env("AWS_ACCESS_KEY_ID", creds.access_key_id); | ||||
|             cmd.env("AWS_SECRET_ACCESS_KEY", creds.secret_access_key); | ||||
|         }, | ||||
|         Response::AwsSession(creds) => { | ||||
|             cmd.env("AWS_ACCESS_KEY_ID", creds.access_key_id); | ||||
|             cmd.env("AWS_SECRET_ACCESS_KEY", creds.secret_access_key); | ||||
|             cmd.env("AWS_SESSION_TOKEN", creds.session_token); | ||||
|         }, | ||||
|         r => return Err(RequestError::Unexpected(r).into()), | ||||
|     } | ||||
|  | ||||
|     #[cfg(unix)] | ||||
| @@ -98,7 +120,7 @@ pub fn exec(args: &ArgMatches) -> Result<(), CliError> { | ||||
|                 let name: OsString = cmd_name.into(); | ||||
|                 Err(ExecError::NotFound(name).into()) | ||||
|             } | ||||
|             e => Err(ExecError::ExecutionFailed(e).into()), | ||||
|             _ => Err(ExecError::ExecutionFailed(e).into()), | ||||
|         } | ||||
|     } | ||||
|  | ||||
| @@ -120,41 +142,53 @@ pub fn exec(args: &ArgMatches) -> Result<(), CliError> { | ||||
| } | ||||
|  | ||||
|  | ||||
| #[tokio::main] | ||||
| async fn get_credentials(base: bool) -> Result<String, RequestError> { | ||||
|     let pool = app::connect_db().await?; | ||||
|     let config = AppConfig::load(&pool).await?; | ||||
|     let path = if base {"/creddy/base-credentials"} else {"/"}; | ||||
| pub fn invoke_shortcut(args: &ArgMatches) -> Result<(), CliError> { | ||||
|     let action = match args.get_one::<String>("action").map(|s| s.as_str()) { | ||||
|         Some("show_window") => ShortcutAction::ShowWindow, | ||||
|         Some("launch_terminal") => ShortcutAction::LaunchTerminal, | ||||
|         Some(&_) | None => unreachable!("Unknown shortcut action"), // guaranteed by clap | ||||
|     }; | ||||
|  | ||||
|     let mut stream = TcpStream::connect((config.listen_addr, config.listen_port)).await?; | ||||
|     let req = format!("GET {path} HTTP/1.0\r\n\r\n"); | ||||
|     stream.write_all(req.as_bytes()).await?; | ||||
|  | ||||
|     // some day we'll have a proper HTTP parser | ||||
|     let mut buf = vec![0; 8192]; | ||||
|     stream.read_to_end(&mut buf).await?; | ||||
|  | ||||
|     let status = buf.split(|&c| &[c] == b" ") | ||||
|         .skip(1) | ||||
|         .next() | ||||
|         .ok_or(RequestError::MalformedHttpResponse)?; | ||||
|  | ||||
|     if status != b"200" { | ||||
|         let s = String::from_utf8_lossy(status).to_string(); | ||||
|         return Err(RequestError::Failed(s)); | ||||
|     let req = Request::InvokeShortcut(action); | ||||
|     match make_request(&req) { | ||||
|         Ok(Response::Empty) => Ok(()), | ||||
|         Ok(r) => Err(RequestError::Unexpected(r).into()), | ||||
|         Err(e) => Err(e.into()), | ||||
|     } | ||||
|  | ||||
|     let break_idx = buf.windows(4) | ||||
|         .position(|w| w == b"\r\n\r\n") | ||||
|         .ok_or(RequestError::MalformedHttpResponse)?; | ||||
|     let body = &buf[(break_idx + 4)..]; | ||||
|  | ||||
|     let creds_str = std::str::from_utf8(body) | ||||
|         .map_err(|_| RequestError::MalformedHttpResponse)? | ||||
|         .to_string(); | ||||
|  | ||||
|     if creds_str == "Denied!" { | ||||
|         return Err(RequestError::Rejected); | ||||
|     } | ||||
|     Ok(creds_str) | ||||
| } | ||||
|  | ||||
|  | ||||
| #[tokio::main] | ||||
| async fn make_request(req: &Request) -> Result<Response, RequestError> { | ||||
|     let mut data = serde_json::to_string(req).unwrap(); | ||||
|     // server expects newline marking end of request | ||||
|     data.push('\n'); | ||||
|  | ||||
|     let mut stream = connect().await?; | ||||
|     stream.write_all(&data.as_bytes()).await?; | ||||
|  | ||||
|     let mut buf = Vec::with_capacity(1024); | ||||
|     stream.read_to_end(&mut buf).await?; | ||||
|     let res: Result<Response, ServerError> = serde_json::from_slice(&buf)?; | ||||
|     Ok(res?) | ||||
| } | ||||
|  | ||||
|  | ||||
| #[cfg(windows)] | ||||
| async fn connect() -> Result<NamedPipeClient, std::io::Error> { | ||||
|     // apparently attempting to connect can fail if there's already a client connected | ||||
|     loop { | ||||
|         match ClientOptions::new().open(r"\\.\pipe\creddy-requests") { | ||||
|             Ok(stream) => return Ok(stream), | ||||
|             Err(e) if e.raw_os_error() == Some(ERROR_PIPE_BUSY.0 as i32) => (), | ||||
|             Err(e) => return Err(e), | ||||
|         } | ||||
|         tokio::time::sleep(Duration::from_millis(10)).await; | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| #[cfg(unix)] | ||||
| async fn connect() -> Result<UnixStream, std::io::Error> { | ||||
|     UnixStream::connect("/tmp/creddy.sock").await | ||||
| } | ||||
|   | ||||
| @@ -1,76 +1,35 @@ | ||||
| use std::path::PathBuf; | ||||
| use std::path::{Path, PathBuf}; | ||||
|  | ||||
| use netstat2::{AddressFamilyFlags, ProtocolFlags, ProtocolSocketInfo}; | ||||
| use tauri::Manager; | ||||
| use sysinfo::{System, SystemExt, Pid, PidExt, ProcessExt}; | ||||
| use serde::{Serialize, Deserialize}; | ||||
|  | ||||
| use crate::{ | ||||
|     app::APP, | ||||
|     errors::*, | ||||
|     config::AppConfig, | ||||
|     state::AppState, | ||||
| }; | ||||
| use crate::errors::*; | ||||
|  | ||||
|  | ||||
| #[derive(Clone, Debug, Serialize, Deserialize, Eq, PartialEq, Hash)] | ||||
| pub struct Client { | ||||
|     pub pid: u32, | ||||
|     pub exe: PathBuf, | ||||
|     pub exe: Option<PathBuf>, | ||||
| } | ||||
|  | ||||
|  | ||||
| async fn get_associated_pids(local_port: u16) -> Result<Vec<u32>, netstat2::error::Error> { | ||||
|     let state = APP.get().unwrap().state::<AppState>(); | ||||
|     let AppConfig { | ||||
|         listen_addr: app_listen_addr, | ||||
|         listen_port: app_listen_port, | ||||
|         .. | ||||
|     } = *state.config.read().await; | ||||
| pub fn get_process_parent_info(pid: u32) -> Result<Client, ClientInfoError> { | ||||
|     let sys_pid = Pid::from_u32(pid); | ||||
|     let mut sys = System::new();    | ||||
|     sys.refresh_process(sys_pid); | ||||
|     let proc = sys.process(sys_pid) | ||||
|         .ok_or(ClientInfoError::ProcessNotFound)?; | ||||
|  | ||||
|     let sockets_iter = netstat2::iterate_sockets_info( | ||||
|         AddressFamilyFlags::IPV4, | ||||
|         ProtocolFlags::TCP | ||||
|     )?; | ||||
|     for item in sockets_iter { | ||||
|         let sock_info = item?; | ||||
|         let proto_info = match sock_info.protocol_socket_info { | ||||
|             ProtocolSocketInfo::Tcp(tcp_info) => tcp_info, | ||||
|             ProtocolSocketInfo::Udp(_) => {continue;} | ||||
|         }; | ||||
|     let parent_pid_sys = proc.parent() | ||||
|         .ok_or(ClientInfoError::ParentPidNotFound)?; | ||||
|     sys.refresh_process(parent_pid_sys); | ||||
|     let parent = sys.process(parent_pid_sys) | ||||
|         .ok_or(ClientInfoError::ParentProcessNotFound)?; | ||||
|  | ||||
|         if proto_info.local_port == local_port | ||||
|             && proto_info.remote_port == app_listen_port | ||||
|             && proto_info.local_addr == app_listen_addr | ||||
|             && proto_info.remote_addr == app_listen_addr | ||||
|         { | ||||
|             return Ok(sock_info.associated_pids) | ||||
|         } | ||||
|     } | ||||
|     Ok(vec![]) | ||||
| } | ||||
|  | ||||
|  | ||||
| // Theoretically, on some systems, multiple processes can share a socket | ||||
| pub async fn get_clients(local_port: u16) -> Result<Vec<Option<Client>>, ClientInfoError> { | ||||
|     let mut clients = Vec::new();     | ||||
|     let mut sys = System::new(); | ||||
|     for p in get_associated_pids(local_port).await? { | ||||
|         let pid = Pid::from_u32(p); | ||||
|         sys.refresh_process(pid); | ||||
|         let proc = sys.process(pid) | ||||
|             .ok_or(ClientInfoError::ProcessNotFound)?; | ||||
|  | ||||
|         let client = Client { | ||||
|             pid: p, | ||||
|             exe: proc.exe().to_path_buf(), | ||||
|         }; | ||||
|         clients.push(Some(client)); | ||||
|     } | ||||
|  | ||||
|     if clients.is_empty() { | ||||
|         clients.push(None);  | ||||
|     } | ||||
|  | ||||
|     Ok(clients) | ||||
|     let exe = match parent.exe() { | ||||
|         p if p == Path::new("") => None, | ||||
|         p => Some(PathBuf::from(p)), | ||||
|     }; | ||||
|  | ||||
|     Ok(Client { pid: parent_pid_sys.as_u32(), exe }) | ||||
| } | ||||
|   | ||||
| @@ -1,17 +1,13 @@ | ||||
| use std::net::Ipv4Addr; | ||||
| use std::path::PathBuf; | ||||
| use std::time::Duration; | ||||
|  | ||||
| use auto_launch::AutoLaunchBuilder; | ||||
| use is_terminal::IsTerminal; | ||||
| use serde::{Serialize, Deserialize}; | ||||
| use sqlx::SqlitePool; | ||||
| use tauri::{ | ||||
|     Manager, | ||||
|     GlobalShortcutManager, | ||||
|     async_runtime as rt, | ||||
| }; | ||||
|  | ||||
| use crate::errors::*; | ||||
| use crate::kv; | ||||
|  | ||||
|  | ||||
| #[derive(Clone, Debug, Serialize, Deserialize)] | ||||
| @@ -39,15 +35,22 @@ pub struct HotkeysConfig { | ||||
|     pub launch_terminal: Hotkey, | ||||
| } | ||||
|  | ||||
| impl HotkeysConfig { | ||||
|     pub fn disable_all(&mut self) { | ||||
|         self.show_window.enabled = false; | ||||
|         self.launch_terminal.enabled = false; | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| #[derive(Clone, Debug, Serialize, Deserialize)] | ||||
| pub struct AppConfig { | ||||
|     #[serde(default = "default_listen_addr")] | ||||
|     pub listen_addr: Ipv4Addr, | ||||
|     #[serde(default = "default_listen_port")] | ||||
|     pub listen_port: u16, | ||||
|     #[serde(default = "default_rehide_ms")] | ||||
|     pub rehide_ms: u64, | ||||
|     #[serde(default = "default_auto_lock")] | ||||
|     pub auto_lock: bool, | ||||
|     #[serde(default = "default_lock_after")] | ||||
|     pub lock_after: Duration, | ||||
|     #[serde(default = "default_start_minimized")] | ||||
|     pub start_minimized: bool, | ||||
|     #[serde(default = "default_start_on_login")] | ||||
| @@ -62,9 +65,9 @@ pub struct AppConfig { | ||||
| impl Default for AppConfig { | ||||
|     fn default() -> Self { | ||||
|         AppConfig { | ||||
|             listen_addr: default_listen_addr(), | ||||
|             listen_port: default_listen_port(), | ||||
|             rehide_ms: default_rehide_ms(), | ||||
|             auto_lock: default_auto_lock(), | ||||
|             lock_after: default_lock_after(), | ||||
|             start_minimized: default_start_minimized(), | ||||
|             start_on_login: default_start_on_login(), | ||||
|             terminal: default_term_config(), | ||||
| @@ -75,31 +78,16 @@ impl Default for AppConfig { | ||||
|  | ||||
|  | ||||
| impl AppConfig { | ||||
|     pub async fn load(pool: &SqlitePool) -> Result<AppConfig, SetupError> { | ||||
|         let res = sqlx::query!("SELECT * from config where name = 'main'") | ||||
|             .fetch_optional(pool) | ||||
|             .await?; | ||||
|     pub async fn load(pool: &SqlitePool) -> Result<AppConfig, LoadKvError> { | ||||
|         let config = kv::load(pool, "config") | ||||
|             .await? | ||||
|             .unwrap_or_else(|| AppConfig::default()); | ||||
|  | ||||
|         let row = match res { | ||||
|             Some(row) => row, | ||||
|             None => return Ok(AppConfig::default()), | ||||
|         }; | ||||
|  | ||||
|         Ok(serde_json::from_str(&row.data)?) | ||||
|         Ok(config) | ||||
|     } | ||||
|  | ||||
|     pub async fn save(&self, pool: &SqlitePool) -> Result<(), sqlx::error::Error> { | ||||
|         let data = serde_json::to_string(self).unwrap(); | ||||
|         sqlx::query( | ||||
|             "INSERT INTO config (name, data) VALUES ('main', ?) | ||||
|             ON CONFLICT (name) DO UPDATE SET data = ?" | ||||
|         ) | ||||
|             .bind(&data) | ||||
|             .bind(&data) | ||||
|             .execute(pool) | ||||
|             .await?; | ||||
|  | ||||
|         Ok(()) | ||||
|         kv::save(pool, "config", self).await | ||||
|     } | ||||
| } | ||||
|  | ||||
| @@ -144,16 +132,6 @@ pub fn get_or_create_db_path() -> Result<PathBuf, DataDirError> { | ||||
| } | ||||
|  | ||||
|  | ||||
| fn default_listen_port() -> u16 { | ||||
|     if cfg!(debug_assertions) { | ||||
|         12_345 | ||||
|     } | ||||
|     else { | ||||
|         19_923 | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| fn default_term_config() -> TermConfig { | ||||
|     #[cfg(windows)] | ||||
|     { | ||||
| @@ -200,46 +178,32 @@ fn default_hotkey_config() -> HotkeysConfig { | ||||
|     } | ||||
| } | ||||
|  | ||||
| // note: will panic if called before APP is set | ||||
| pub fn register_hotkeys(hotkeys: &HotkeysConfig) -> tauri::Result<()> { | ||||
|     let app = crate::app::APP.get().unwrap(); | ||||
|  | ||||
|     let mut manager = app.global_shortcut_manager(); | ||||
|     manager.unregister_all()?; | ||||
|  | ||||
|     if hotkeys.show_window.enabled { | ||||
|         let handle = app.app_handle(); | ||||
|         manager.register( | ||||
|             &hotkeys.show_window.keys, | ||||
|             move || {  | ||||
|                 handle.get_window("main") | ||||
|                     .map(|w| w.show().error_popup("Failed to show")) | ||||
|                     .ok_or(HandlerError::NoMainWindow) | ||||
|                     .error_popup("No main window"); | ||||
|             }, | ||||
|         )?; | ||||
|     } | ||||
|  | ||||
|     if hotkeys.launch_terminal.enabled { | ||||
|         // register() doesn't take an async fn, so we have to use spawn | ||||
|         manager.register( | ||||
|             &hotkeys.launch_terminal.keys, | ||||
|             || {  | ||||
|                 rt::spawn(async { | ||||
|                     crate::terminal::launch(false) | ||||
|                         .await | ||||
|                         .error_popup("Failed to launch"); | ||||
|                 }); | ||||
|             } | ||||
|         )?; | ||||
|     } | ||||
|  | ||||
|     Ok(()) | ||||
| } | ||||
|  | ||||
|  | ||||
| fn default_listen_addr() -> Ipv4Addr { Ipv4Addr::LOCALHOST } | ||||
| fn default_rehide_ms() -> u64 { 1000 } | ||||
| fn default_auto_lock() -> bool { true } | ||||
| fn default_lock_after() -> Duration { Duration::from_secs(43200) } | ||||
| // start minimized and on login only in production mode | ||||
| fn default_start_minimized() -> bool { !cfg!(debug_assertions) } | ||||
| fn default_start_on_login() -> bool { !cfg!(debug_assertions) } | ||||
|  | ||||
|  | ||||
| // struct DurationVisitor; | ||||
|  | ||||
| // impl<'de> Visitor<'de> for DurationVisitor { | ||||
| //     type Value = Duration; | ||||
|  | ||||
| //     fn expecting(&self, formatter: &mut Formatter) -> fmt::Result { | ||||
| //         write!(formatter, "an integer between 0 and 2^64 - 1") | ||||
| //     } | ||||
|  | ||||
| //     fn visit_u64<E: de::Error>(self, v: u64) -> Result<Duration, E> { | ||||
| //         Ok(Duration::from_secs(v)) | ||||
| //     } | ||||
| // } | ||||
|  | ||||
|  | ||||
| // fn duration_from_secs<'de, D>(deserializer: D) -> Result<Duration, D::Error> | ||||
| // where D: Deserializer<'de> | ||||
| // { | ||||
| //     deserializer.deserialize_u64(DurationVisitor) | ||||
| // } | ||||
|   | ||||
							
								
								
									
										345
									
								
								src-tauri/src/credentials/aws.rs
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										345
									
								
								src-tauri/src/credentials/aws.rs
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,345 @@ | ||||
| use std::fmt::{self, Formatter}; | ||||
| use std::time::{SystemTime, UNIX_EPOCH}; | ||||
|  | ||||
| use aws_config::BehaviorVersion; | ||||
| use aws_smithy_types::date_time::{DateTime, Format}; | ||||
| use chacha20poly1305::XNonce; | ||||
| use serde::{ | ||||
|     Serialize, | ||||
|     Deserialize, | ||||
|     Serializer, | ||||
|     Deserializer, | ||||
| }; | ||||
| use serde::de::{self, Visitor}; | ||||
| use sqlx::{ | ||||
|     SqlitePool, | ||||
|     types::Uuid, | ||||
| }; | ||||
| use sqlx::error::{ | ||||
|     Error as SqlxError, | ||||
| }; | ||||
| use tokio_stream::StreamExt; | ||||
|  | ||||
| use super::{Credential, Crypto, SaveCredential, PersistentCredential}; | ||||
|  | ||||
| use crate::errors::*; | ||||
|  | ||||
|  | ||||
| #[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)] | ||||
| #[serde(rename_all = "PascalCase")] | ||||
| pub struct AwsBaseCredential { | ||||
|     #[serde(default = "default_credentials_version")] | ||||
|     pub version: usize, | ||||
|     pub access_key_id: String, | ||||
|     pub secret_access_key: String, | ||||
| } | ||||
|  | ||||
|  | ||||
| impl AwsBaseCredential { | ||||
|     pub fn new(access_key_id: String, secret_access_key: String) -> Self { | ||||
|         Self {version: 1, access_key_id, secret_access_key} | ||||
|     } | ||||
| } | ||||
|  | ||||
| impl PersistentCredential for AwsBaseCredential { | ||||
|     async fn save(&self, id: &Uuid, name: &str, crypto: &Crypto, pool: &SqlitePool) -> Result<(), SaveCredentialsError> { | ||||
|         let (nonce, ciphertext) = crypto.encrypt(self.secret_access_key.as_bytes())?; | ||||
|         let nonce_bytes = &nonce.as_slice(); | ||||
|         let res = sqlx::query!( | ||||
|             "INSERT INTO credentials (id, name, type, created_at) | ||||
|             VALUES (?, ?, 'aws', strftime('%s')) | ||||
|             ON CONFLICT(id) DO UPDATE SET | ||||
|                 name = excluded.name, | ||||
|                 type = excluded.type, | ||||
|                 created_at = excluded.created_at; | ||||
|              | ||||
|             INSERT OR REPLACE INTO aws_credentials ( | ||||
|                 id, | ||||
|                 access_key_id, | ||||
|                 secret_key_enc, | ||||
|                 nonce | ||||
|             )  | ||||
|             VALUES (?, ?, ?, ?);", | ||||
|             id, | ||||
|             name, | ||||
|             id, // for the second query | ||||
|             self.access_key_id, | ||||
|             ciphertext, | ||||
|             nonce_bytes, | ||||
|         ).execute(pool).await; | ||||
|  | ||||
|         match res { | ||||
|             Err(SqlxError::Database(e)) if e.code().as_deref() == Some("2067") => Err(SaveCredentialsError::Duplicate), | ||||
|             Err(e) => Err(SaveCredentialsError::DbError(e)), | ||||
|             Ok(_) => Ok(()) | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     async fn load(name: &str, crypto: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError> { | ||||
|         let row = sqlx::query!( | ||||
|             "SELECT c.name, a.access_key_id, a.secret_key_enc, a.nonce | ||||
|             FROM credentials c JOIN aws_credentials a ON a.id = c.id | ||||
|             WHERE c.name = ?", | ||||
|             name | ||||
|             ).fetch_optional(pool) | ||||
|             .await? | ||||
|             .ok_or(LoadCredentialsError::NoCredentials)?; | ||||
|  | ||||
|         let nonce = XNonce::clone_from_slice(&row.nonce); | ||||
|         let secret_key_bytes = crypto.decrypt(&nonce, &row.secret_key_enc)?; | ||||
|         let secret_key = String::from_utf8(secret_key_bytes) | ||||
|             .map_err(|_| LoadCredentialsError::InvalidData)?; | ||||
|  | ||||
|         Ok(AwsBaseCredential::new(row.access_key_id, secret_key)) | ||||
|     } | ||||
|  | ||||
|     async fn list(crypto: &Crypto, pool: &SqlitePool) -> Result<Vec<SaveCredential>, LoadCredentialsError> { | ||||
|         let mut rows = sqlx::query!( | ||||
|             "SELECT c.id, c.name, a.access_key_id, a.secret_key_enc, a.nonce | ||||
|             FROM credentials c JOIN aws_credentials a ON a.id = c.id" | ||||
|         ).fetch(pool); | ||||
|  | ||||
|         let mut creds = Vec::new(); | ||||
|  | ||||
|         while let Some(row) = rows.try_next().await? { | ||||
|             let nonce = XNonce::clone_from_slice(&row.nonce); | ||||
|             let secret_key_bytes = crypto.decrypt(&nonce, &row.secret_key_enc)?; | ||||
|             let secret_key = String::from_utf8(secret_key_bytes) | ||||
|                 .map_err(|_| LoadCredentialsError::InvalidData)?; | ||||
|             let aws = AwsBaseCredential::new(row.access_key_id, secret_key); | ||||
|  | ||||
|             let id = Uuid::from_slice(&row.id) | ||||
|                 .map_err(|_| LoadCredentialsError::InvalidData)?; | ||||
|  | ||||
|             let cred = SaveCredential { | ||||
|                 id, | ||||
|                 name: row.name, | ||||
|                 credential: Credential::AwsBase(aws), | ||||
|             }; | ||||
|             creds.push(cred); | ||||
|         } | ||||
|  | ||||
|         Ok(creds) | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| #[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)] | ||||
| #[serde(rename_all = "PascalCase")] | ||||
| pub struct AwsSessionCredential { | ||||
|     #[serde(default = "default_credentials_version")] | ||||
|     pub version: usize, | ||||
|     pub access_key_id: String, | ||||
|     pub secret_access_key: String, | ||||
|     pub session_token: String, | ||||
|     #[serde(serialize_with = "serialize_expiration")] | ||||
|     #[serde(deserialize_with = "deserialize_expiration")] | ||||
|     pub expiration: DateTime, | ||||
| } | ||||
|  | ||||
| impl AwsSessionCredential { | ||||
|     pub async fn from_base(base: &AwsBaseCredential) -> Result<Self, GetSessionError> { | ||||
|         let req_creds = aws_sdk_sts::config::Credentials::new( | ||||
|             &base.access_key_id, | ||||
|             &base.secret_access_key, | ||||
|             None, // token | ||||
|             None, //expiration | ||||
|             "Creddy", // "provider name" apparently | ||||
|         ); | ||||
|         let config = aws_config::defaults(BehaviorVersion::latest()) | ||||
|             .credentials_provider(req_creds) | ||||
|             .load() | ||||
|             .await; | ||||
|  | ||||
|         let client = aws_sdk_sts::Client::new(&config); | ||||
|         let resp = client.get_session_token() | ||||
|             .duration_seconds(43_200) | ||||
|             .send() | ||||
|             .await?; | ||||
|  | ||||
|         let aws_session = resp.credentials.ok_or(GetSessionError::EmptyResponse)?; | ||||
|  | ||||
|         let session_creds = AwsSessionCredential { | ||||
|             version: 1, | ||||
|             access_key_id: aws_session.access_key_id, | ||||
|             secret_access_key: aws_session.secret_access_key, | ||||
|             session_token: aws_session.session_token, | ||||
|             expiration: aws_session.expiration, | ||||
|         }; | ||||
|  | ||||
|         #[cfg(debug_assertions)] | ||||
|         println!("Got new session:\n{}", serde_json::to_string(&session_creds).unwrap()); | ||||
|  | ||||
|         Ok(session_creds) | ||||
|     } | ||||
|  | ||||
|     pub fn is_expired(&self) -> bool { | ||||
|         let current_ts = SystemTime::now() | ||||
|             .duration_since(UNIX_EPOCH) | ||||
|             .unwrap() // doesn't panic because UNIX_EPOCH won't be later than now() | ||||
|             .as_secs(); | ||||
|  | ||||
|         let expire_ts = self.expiration.secs(); | ||||
|         let remaining = expire_ts - (current_ts as i64); | ||||
|         remaining < 60 | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| fn default_credentials_version() -> usize { 1 } | ||||
|  | ||||
|  | ||||
| struct DateTimeVisitor; | ||||
|  | ||||
| impl<'de> Visitor<'de> for DateTimeVisitor { | ||||
|     type Value = DateTime; | ||||
|  | ||||
|     fn expecting(&self, formatter: &mut Formatter) -> fmt::Result { | ||||
|         write!(formatter, "an RFC 3339 UTC string, e.g. \"2014-01-05T10:17:34Z\"") | ||||
|     } | ||||
|  | ||||
|     fn visit_str<E: de::Error>(self, v: &str) -> Result<DateTime, E> { | ||||
|         DateTime::from_str(v, Format::DateTime) | ||||
|             .map_err(|_| E::custom(format!("Invalid date/time: {v}"))) | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| fn deserialize_expiration<'de, D>(deserializer: D) -> Result<DateTime, D::Error> | ||||
| where D: Deserializer<'de> | ||||
| { | ||||
|     deserializer.deserialize_str(DateTimeVisitor) | ||||
| } | ||||
|  | ||||
| fn serialize_expiration<S>(exp: &DateTime, serializer: S) -> Result<S::Ok, S::Error> | ||||
| where S: Serializer | ||||
| { | ||||
|     // this only fails if the d/t is out of range, which it can't be for this format | ||||
|     let time_str = exp.fmt(Format::DateTime).unwrap(); | ||||
|     serializer.serialize_str(&time_str) | ||||
| } | ||||
|  | ||||
|  | ||||
| #[cfg(test)] | ||||
| mod tests { | ||||
|     use super::*; | ||||
|  | ||||
|  | ||||
|     fn test_creds() -> AwsBaseCredential { | ||||
|         AwsBaseCredential::new( | ||||
|             "AKIAIOSFODNN7EXAMPLE".into(), | ||||
|             "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".into(), | ||||
|         ) | ||||
|     } | ||||
|  | ||||
|     fn test_creds_2() -> AwsBaseCredential { | ||||
|         AwsBaseCredential::new( | ||||
|             "AKIAIOSFODNN7EXAMPL2".into(), | ||||
|             "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKE2".into(), | ||||
|         ) | ||||
|     } | ||||
|  | ||||
|     fn test_uuid() -> Uuid { | ||||
|         Uuid::try_parse("00000000-0000-0000-0000-000000000000").unwrap() | ||||
|     } | ||||
|  | ||||
|     fn test_uuid_2() -> Uuid { | ||||
|         Uuid::try_parse("ffffffff-ffff-ffff-ffff-ffffffffffff").unwrap() | ||||
|     } | ||||
|  | ||||
|     fn test_uuid_random() -> Uuid { | ||||
|         let bytes = Crypto::salt(); | ||||
|         Uuid::from_slice(&bytes[..16]).unwrap() | ||||
|     } | ||||
|  | ||||
|  | ||||
|     #[sqlx::test] | ||||
|     async fn test_save(pool: SqlitePool) { | ||||
|         let crypt = Crypto::random(); | ||||
|         test_creds().save(&test_uuid_random(), "test", &crypt, &pool).await | ||||
|             .expect("Failed to save AWS credentials"); | ||||
|     } | ||||
|  | ||||
|  | ||||
|     #[sqlx::test(fixtures("aws_credentials"))] | ||||
|     async fn test_overwrite(pool: SqlitePool) { | ||||
|         let crypt = Crypto::fixed(); | ||||
|  | ||||
|         let creds = test_creds_2(); | ||||
|         // overwite original creds with different test data | ||||
|         creds.save(&test_uuid(), "test", &crypt, &pool).await | ||||
|             .expect("Failed to update AWS credentials"); | ||||
|  | ||||
|         // make sure update went through | ||||
|         let loaded = AwsBaseCredential::load("test", &crypt, &pool).await.unwrap(); | ||||
|         assert_eq!(creds, loaded); | ||||
|     } | ||||
|  | ||||
|  | ||||
|     #[sqlx::test(fixtures("aws_credentials"))] | ||||
|     async fn test_duplicate_name(pool: SqlitePool) { | ||||
|         let crypt = Crypto::random(); | ||||
|  | ||||
|         let id = test_uuid_random(); | ||||
|         let resp = test_creds().save(&id, "test", &crypt, &pool).await; | ||||
|  | ||||
|         if !matches!(resp, Err(SaveCredentialsError::Duplicate)) { | ||||
|             panic!("Attempt to create duplicate entry returned {resp:?}") | ||||
|         } | ||||
|     } | ||||
|  | ||||
|  | ||||
|     #[sqlx::test(fixtures("aws_credentials"))] | ||||
|     async fn test_load(pool: SqlitePool) { | ||||
|         let crypt = Crypto::fixed(); | ||||
|         let loaded = AwsBaseCredential::load("test", &crypt, &pool).await.unwrap(); | ||||
|         assert_eq!(test_creds(), loaded); | ||||
|     } | ||||
|  | ||||
|  | ||||
|     #[sqlx::test] | ||||
|     async fn test_save_load(pool: SqlitePool) { | ||||
|         let crypt = Crypto::random(); | ||||
|         let creds = test_creds(); | ||||
|         creds.save(&test_uuid_random(), "test", &crypt, &pool).await.unwrap(); | ||||
|         let loaded = AwsBaseCredential::load("test", &crypt, &pool).await.unwrap(); | ||||
|  | ||||
|         assert_eq!(creds, loaded); | ||||
|     } | ||||
|  | ||||
|     #[sqlx::test(fixtures("aws_credentials"))] | ||||
|     async fn test_list(pool: SqlitePool) { | ||||
|         let crypt = Crypto::fixed(); | ||||
|         let list = AwsBaseCredential::list(&crypt, &pool).await | ||||
|             .expect("Failed to list AWS credentials"); | ||||
|  | ||||
|         let first = SaveCredential { | ||||
|             id: test_uuid(), | ||||
|             name: "test".into(), | ||||
|             credential: Credential::AwsBase(test_creds()), | ||||
|         }; | ||||
|         assert_eq!(&first, &list[0]); | ||||
|  | ||||
|         let second = SaveCredential { | ||||
|             id: test_uuid_2(), | ||||
|             name: "test2".into(), | ||||
|             credential: Credential::AwsBase(test_creds_2()), | ||||
|         }; | ||||
|         assert_eq!(&second, &list[1]); | ||||
|     } | ||||
|  | ||||
|     #[sqlx::test(fixtures("aws_credentials"))] | ||||
|     async fn test_rekey(pool: SqlitePool) { | ||||
|         let old_crypt = Crypto::fixed(); | ||||
|         let orig = AwsBaseCredential::list(&old_crypt, &pool).await.unwrap(); | ||||
|  | ||||
|         let new_crypt = Crypto::random(); | ||||
|         AwsBaseCredential::rekey(&old_crypt, &new_crypt, &pool).await | ||||
|             .expect("Failed to re-key AWS credentials"); | ||||
|          | ||||
|         let rekeyed = AwsBaseCredential::list(&new_crypt, &pool).await.unwrap(); | ||||
|         for (before, after) in orig.iter().zip(rekeyed.iter()) { | ||||
|             assert_eq!(before, after); | ||||
|         } | ||||
|     } | ||||
| } | ||||
							
								
								
									
										19
									
								
								src-tauri/src/credentials/fixtures/aws_credentials.sql
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										19
									
								
								src-tauri/src/credentials/fixtures/aws_credentials.sql
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,19 @@ | ||||
| INSERT INTO credentials (id, name, type, created_at) | ||||
| VALUES | ||||
|     (X'00000000000000000000000000000000', 'test', 'aws', strftime('%s')), | ||||
|     (X'ffffffffffffffffffffffffffffffff', 'test2', 'aws', strftime('%s')); | ||||
|  | ||||
| INSERT INTO aws_credentials (id, access_key_id, secret_key_enc, nonce) | ||||
| VALUES  | ||||
|     ( | ||||
|         X'00000000000000000000000000000000', | ||||
|         'AKIAIOSFODNN7EXAMPLE', | ||||
|         X'B09ACDADD07E295A3FD9146D8D3672FA5C2518BFB15CF039E68820C42EFD3BC3BE3156ACF438C2C957EC113EF8617DBC71790EAFE39B3DE8', | ||||
|         X'DB777F2C6315DC0E12ADF322256E69D09D7FB586AAE614A6' | ||||
|     ), | ||||
|     ( | ||||
|         X'ffffffffffffffffffffffffffffffff', | ||||
|         'AKIAIOSFODNN7EXAMPL2', | ||||
|         X'ED6125FF40EF6F61929DF5FFD7141CD2B5A302A51C20152156477F8CC77980C614AB1B212AC06983F3CED35C4F3C54D4EE38964859930FBF', | ||||
|         X'962396B78DAA98DFDCC0AC0C9B7D688EC121F5759EBA790A' | ||||
|     ); | ||||
							
								
								
									
										313
									
								
								src-tauri/src/credentials/mod.rs
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										313
									
								
								src-tauri/src/credentials/mod.rs
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,313 @@ | ||||
| use std::fmt::{self, Debug, Formatter}; | ||||
|  | ||||
| use argon2::{ | ||||
|     Argon2, | ||||
|     Algorithm, | ||||
|     Version, | ||||
|     ParamsBuilder, | ||||
|     password_hash::rand_core::{RngCore, OsRng}, | ||||
| }; | ||||
| use chacha20poly1305::{ | ||||
|     XChaCha20Poly1305, | ||||
|     XNonce, | ||||
|     aead::{ | ||||
|         Aead, | ||||
|         AeadCore, | ||||
|         KeyInit, | ||||
|         generic_array::GenericArray, | ||||
|     }, | ||||
| }; | ||||
| use serde::{ | ||||
|     Serialize, | ||||
|     Deserialize, | ||||
|     Serializer, | ||||
|     Deserializer, | ||||
| }; | ||||
| use serde::de::{self, Visitor}; | ||||
| use sqlx::SqlitePool; | ||||
| use sqlx::types::Uuid; | ||||
|  | ||||
| use crate::errors::*; | ||||
| use crate::kv; | ||||
|  | ||||
| mod aws; | ||||
| pub use aws::{AwsBaseCredential, AwsSessionCredential}; | ||||
|  | ||||
|  | ||||
| #[derive(Debug, Clone, Eq, PartialEq, Serialize, Deserialize)] | ||||
| pub enum Credential { | ||||
|     AwsBase(AwsBaseCredential), | ||||
|     AwsSession(AwsSessionCredential), | ||||
| } | ||||
|  | ||||
|  | ||||
| // we need a special type for listing structs because  | ||||
| #[derive(Debug, Clone, Eq, PartialEq, Serialize, Deserialize)] | ||||
| pub struct SaveCredential { | ||||
|     #[serde(serialize_with = "serialize_uuid")] | ||||
|     #[serde(deserialize_with = "deserialize_uuid")] | ||||
|     id: Uuid, // UUID so it can be generated on the frontend | ||||
|     name: String, // user-facing identifier so it can be changed | ||||
|     credential: Credential, | ||||
| } | ||||
|  | ||||
| impl SaveCredential { | ||||
|     pub async fn save(&self, crypt: &Crypto, pool: &SqlitePool) -> Result<(), SaveCredentialsError> { | ||||
|         let cred = match &self.credential { | ||||
|             Credential::AwsBase(b) => b, | ||||
|             Credential::AwsSession(_) => return Err(SaveCredentialsError::NotPersistent), | ||||
|         }; | ||||
|  | ||||
|         cred.save(&self.id, &self.name, crypt, pool).await | ||||
|     } | ||||
| } | ||||
|  | ||||
| fn serialize_uuid<S: Serializer>(u: &Uuid, s: S) -> Result<S::Ok, S::Error> { | ||||
|     let mut buf = Vec::new(); | ||||
|     s.serialize_str(u.as_hyphenated().encode_lower(&mut buf)) | ||||
| } | ||||
|  | ||||
| struct UuidVisitor; | ||||
|  | ||||
| impl<'de> Visitor<'de> for UuidVisitor { | ||||
|     type Value = Uuid; | ||||
|  | ||||
|     fn expecting(&self, formatter: &mut Formatter) -> fmt::Result { | ||||
|         write!(formatter, "a hyphenated UUID") | ||||
|     } | ||||
|  | ||||
|     fn visit_str<E: de::Error>(self, v: &str) -> Result<Uuid, E> { | ||||
|         Uuid::try_parse(v) | ||||
|             .map_err(|_| E::custom(format!("Could not interpret string as UUID: {v}"))) | ||||
|     } | ||||
| } | ||||
|  | ||||
| fn deserialize_uuid<'de, D: Deserializer<'de>>(ds: D) -> Result<Uuid, D::Error> { | ||||
|     ds.deserialize_str(UuidVisitor) | ||||
| } | ||||
|  | ||||
|  | ||||
| pub trait PersistentCredential: for<'a> Deserialize<'a> + Sized { | ||||
|     async fn load(name: &str, crypt: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError>; | ||||
|     async fn list(crypt: &Crypto, pool: &SqlitePool) -> Result<Vec<SaveCredential>, LoadCredentialsError>; | ||||
|     async fn save(&self, id: &Uuid, name: &str, crypt: &Crypto, pool: &SqlitePool) -> Result<(), SaveCredentialsError>; | ||||
|  | ||||
|     async fn rekey(old: &Crypto, new: &Crypto, pool: &SqlitePool) -> Result<(), SaveCredentialsError> { | ||||
|         for cred in Self::list(old, pool).await? { | ||||
|             cred.save(new, pool).await?; | ||||
|         } | ||||
|         Ok(()) | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| #[derive(Clone, Debug)] | ||||
| pub enum AppSession { | ||||
|     Unlocked { | ||||
|         salt: [u8; 32], | ||||
|         crypto: Crypto, | ||||
|     }, | ||||
|     Locked { | ||||
|         salt: [u8; 32], | ||||
|         verify_nonce: XNonce, | ||||
|         verify_blob: Vec<u8> | ||||
|     }, | ||||
|     Empty, | ||||
| } | ||||
|  | ||||
| impl AppSession { | ||||
|     pub fn new(passphrase: &str) -> Result<Self, CryptoError> { | ||||
|         let salt = Crypto::salt(); | ||||
|         let crypto = Crypto::new(passphrase, &salt)?; | ||||
|         Ok(Self::Unlocked {salt, crypto}) | ||||
|     } | ||||
|  | ||||
|     pub fn unlock(&mut self, passphrase: &str) -> Result<(), UnlockError> { | ||||
|         let (salt, nonce, blob) = match self { | ||||
|             Self::Empty => return Err(UnlockError::NoCredentials), | ||||
|             Self::Unlocked {..} => return Err(UnlockError::NotLocked), | ||||
|             Self::Locked {salt, verify_nonce, verify_blob} => (salt, verify_nonce, verify_blob), | ||||
|         }; | ||||
|  | ||||
|         let crypto = Crypto::new(passphrase, salt) | ||||
|             .map_err(|e| CryptoError::Argon2(e))?; | ||||
|  | ||||
|         // if passphrase is incorrect, this will fail | ||||
|         let _verify = crypto.decrypt(&nonce, &blob)?; | ||||
|  | ||||
|         *self = Self::Unlocked {crypto, salt: *salt}; | ||||
|         Ok(()) | ||||
|     } | ||||
|  | ||||
|     pub async fn load(pool: &SqlitePool) -> Result<Self, LoadCredentialsError> { | ||||
|         match kv::load_bytes_multi!(pool, "salt", "verify_nonce", "verify_blob").await? { | ||||
|             Some((salt, nonce, blob)) => { | ||||
|  | ||||
|                 Ok(Self::Locked { | ||||
|                     salt: salt.try_into().map_err(|_| LoadCredentialsError::InvalidData)?, | ||||
|                     // note: replace this with try_from at some point | ||||
|                     verify_nonce: XNonce::clone_from_slice(&nonce), | ||||
|                     verify_blob: blob, | ||||
|                 }) | ||||
|             }, | ||||
|             None => Ok(Self::Empty), | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     pub async fn save(&self, pool: &SqlitePool) -> Result<(), SaveCredentialsError> { | ||||
|         match self { | ||||
|             Self::Unlocked {salt, crypto} => { | ||||
|                 let (nonce, blob) = crypto.encrypt(b"correct horse battery staple")?; | ||||
|                 kv::save_bytes(pool, "salt", salt).await?; | ||||
|                 kv::save_bytes(pool, "verify_nonce", &nonce.as_slice()).await?; | ||||
|                 kv::save_bytes(pool, "verify_blob", &blob).await?; | ||||
|             }, | ||||
|             Self::Locked {salt, verify_nonce, verify_blob} => { | ||||
|                 kv::save_bytes(pool, "salt", salt).await?; | ||||
|                 kv::save_bytes(pool, "verify_nonce", &verify_nonce.as_slice()).await?; | ||||
|                 kv::save_bytes(pool, "verify_blob", verify_blob).await?; | ||||
|             }, | ||||
|             // "saving" an empty session just means doing nothing | ||||
|             Self::Empty => (), | ||||
|         }; | ||||
|  | ||||
|         Ok(()) | ||||
|     } | ||||
|  | ||||
|     pub fn try_get_crypto(&self) -> Result<&Crypto, GetCredentialsError> { | ||||
|         match self { | ||||
|             Self::Empty => Err(GetCredentialsError::Empty), | ||||
|             Self::Locked {..} => Err(GetCredentialsError::Locked), | ||||
|             Self::Unlocked {crypto, ..} => Ok(crypto), | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     pub fn try_encrypt(&self, data: &[u8]) -> Result<(XNonce, Vec<u8>), GetCredentialsError> { | ||||
|         let crypto = match self { | ||||
|             Self::Empty => return Err(GetCredentialsError::Empty), | ||||
|             Self::Locked {..} => return Err(GetCredentialsError::Locked), | ||||
|             Self::Unlocked {crypto, ..} => crypto, | ||||
|         }; | ||||
|         let res = crypto.encrypt(data)?; | ||||
|         Ok(res) | ||||
|     } | ||||
|  | ||||
|     pub fn try_decrypt(&self, nonce: XNonce, data: &[u8]) -> Result<Vec<u8>, GetCredentialsError> { | ||||
|         let crypto = match self { | ||||
|             Self::Empty => return Err(GetCredentialsError::Empty), | ||||
|             Self::Locked {..} => return Err(GetCredentialsError::Locked), | ||||
|             Self::Unlocked {crypto, ..} => crypto, | ||||
|         }; | ||||
|         let res = crypto.decrypt(&nonce, data)?; | ||||
|         Ok(res) | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| #[derive(Clone)] | ||||
| pub struct Crypto { | ||||
|     cipher: XChaCha20Poly1305, | ||||
| } | ||||
|  | ||||
| impl Crypto { | ||||
|     /// Argon2 params rationale: | ||||
|     /// | ||||
|     /// m_cost is measured in KiB, so 128 * 1024 gives us 128MiB. | ||||
|     /// This should roughly double the memory usage of the application | ||||
|     /// while deriving the key. | ||||
|     /// | ||||
|     /// p_cost is irrelevant since (at present) there isn't any parallelism | ||||
|     /// implemented, so we leave it at 1. | ||||
|     /// | ||||
|     /// With the above m_cost, t_cost = 8 results in about 800ms to derive | ||||
|     /// a key on my (somewhat older) CPU. This is probably overkill, but | ||||
|     /// given that it should only have to happen ~once a day for most  | ||||
|     /// usage, it should be acceptable. | ||||
|     #[cfg(not(debug_assertions))] | ||||
|     const MEM_COST: u32 = 128 * 1024; | ||||
|     #[cfg(not(debug_assertions))] | ||||
|     const TIME_COST: u32 = 8; | ||||
|  | ||||
|     /// But since this takes a million years without optimizations, | ||||
|     /// we turn it way down in debug builds. | ||||
|     #[cfg(debug_assertions)] | ||||
|     const MEM_COST: u32 = 48 * 1024; | ||||
|     #[cfg(debug_assertions)] | ||||
|     const TIME_COST: u32 = 1; | ||||
|      | ||||
|  | ||||
|     fn new(passphrase: &str, salt: &[u8]) -> argon2::Result<Crypto> { | ||||
|         let params = ParamsBuilder::new() | ||||
|             .m_cost(Self::MEM_COST) | ||||
|             .p_cost(1) | ||||
|             .t_cost(Self::TIME_COST) | ||||
|             .build() | ||||
|             .unwrap(); // only errors if the given params are invalid | ||||
|  | ||||
|         let hasher = Argon2::new( | ||||
|             Algorithm::Argon2id, | ||||
|             Version::V0x13, | ||||
|             params, | ||||
|         ); | ||||
|  | ||||
|         let mut key = [0; 32]; | ||||
|         hasher.hash_password_into(passphrase.as_bytes(), &salt, &mut key)?; | ||||
|         let cipher = XChaCha20Poly1305::new(GenericArray::from_slice(&key)); | ||||
|         Ok(Crypto { cipher }) | ||||
|     } | ||||
|  | ||||
|     #[cfg(test)] | ||||
|     pub fn random() -> Crypto { | ||||
|         // salt and key are the same length, so we can just use this | ||||
|         let key = Crypto::salt(); | ||||
|         let cipher = XChaCha20Poly1305::new(GenericArray::from_slice(&key)); | ||||
|         Crypto { cipher } | ||||
|     } | ||||
|  | ||||
|     #[cfg(test)] | ||||
|     pub fn fixed() -> Crypto { | ||||
|         let key = [ | ||||
|             1u8, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, | ||||
|             17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, | ||||
|         ]; | ||||
|  | ||||
|         let cipher = XChaCha20Poly1305::new(GenericArray::from_slice(&key)); | ||||
|         Crypto { cipher } | ||||
|     } | ||||
|  | ||||
|     fn salt() -> [u8; 32] { | ||||
|         let mut salt = [0; 32]; | ||||
|         OsRng.fill_bytes(&mut salt); | ||||
|         salt | ||||
|     } | ||||
|  | ||||
|     fn encrypt(&self, data: &[u8]) -> Result<(XNonce, Vec<u8>), CryptoError> { | ||||
|         let nonce = XChaCha20Poly1305::generate_nonce(&mut OsRng); | ||||
|         let ciphertext = self.cipher.encrypt(&nonce, data)?; | ||||
|         Ok((nonce, ciphertext)) | ||||
|     } | ||||
|  | ||||
|     fn decrypt(&self, nonce: &XNonce, data: &[u8]) -> Result<Vec<u8>, CryptoError> { | ||||
|         let plaintext = self.cipher.decrypt(nonce, data)?; | ||||
|         Ok(plaintext) | ||||
|     } | ||||
| } | ||||
|  | ||||
| impl Debug for Crypto { | ||||
|     fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), std::fmt::Error> { | ||||
|         write!(f, "Crypto {{ [...] }}") | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| // #[cfg(test)] | ||||
| // mod tests { | ||||
| //     use super::*; | ||||
|  | ||||
| //     #[sqlx::test(fixtures("uuid_test"))] | ||||
| //     async fn save_uuid(pool: SqlitePool) { | ||||
| //         let u = Uuid::try_parse("7140b90c-bfbd-4394-9008-01b94f94ecf8").unwrap(); | ||||
| //         sqlx::query!("INSERT INTO uuids (uuid) VALUES (?)", u).execute(pool).unwrap(); | ||||
| //         panic!("done, go check db"); | ||||
| //     } | ||||
| // } | ||||
| @@ -1,38 +1,63 @@ | ||||
| use std::error::Error; | ||||
| use std::convert::AsRef; | ||||
| use std::ffi::OsString; | ||||
| use std::sync::mpsc; | ||||
| use std::string::FromUtf8Error; | ||||
| use strum_macros::AsRefStr; | ||||
|  | ||||
| use thiserror::Error as ThisError; | ||||
| use aws_sdk_sts::{ | ||||
|     types::SdkError as AwsSdkError,  | ||||
|     error::GetSessionTokenError, | ||||
|     error::SdkError as AwsSdkError, | ||||
|     operation::get_session_token::GetSessionTokenError, | ||||
|     error::ProvideErrorMetadata, | ||||
| }; | ||||
| use rfd::{ | ||||
|     AsyncMessageDialog, | ||||
|     MessageLevel, | ||||
| }; | ||||
| use sqlx::{ | ||||
|     error::Error as SqlxError, | ||||
|     migrate::MigrateError, | ||||
| }; | ||||
| use tauri::api::dialog::{ | ||||
|     MessageDialogBuilder,  | ||||
|     MessageDialogKind, | ||||
| use tauri::async_runtime as rt; | ||||
| use tauri_plugin_global_shortcut::Error as ShortcutError; | ||||
| use tokio::sync::oneshot::error::RecvError; | ||||
| use serde::{ | ||||
|     Serialize, | ||||
|     Serializer, | ||||
|     ser::SerializeMap, | ||||
|     Deserialize, | ||||
| }; | ||||
| use serde::{Serialize, Serializer, ser::SerializeMap}; | ||||
|  | ||||
|  | ||||
| pub trait ErrorPopup { | ||||
| pub trait ShowError<T, E> | ||||
| { | ||||
|     fn error_popup(self, title: &str); | ||||
|     fn error_print(self); | ||||
|     fn error_print_prefix(self, prefix: &str); | ||||
| } | ||||
|  | ||||
| impl<E: Error> ErrorPopup for Result<(), E> { | ||||
| impl<T, E> ShowError<T, E> for Result<T, E>  | ||||
| where E: std::fmt::Display | ||||
| { | ||||
|     fn error_popup(self, title: &str) { | ||||
|         if let Err(e) = self { | ||||
|             let (tx, rx) = mpsc::channel(); | ||||
|             MessageDialogBuilder::new(title, format!("{e}")) | ||||
|                 .kind(MessageDialogKind::Error) | ||||
|                 .show(move |_| tx.send(true).unwrap()); | ||||
|             let dialog = AsyncMessageDialog::new() | ||||
|                 .set_level(MessageLevel::Error) | ||||
|                 .set_title(title) | ||||
|                 .set_description(format!("{e}")); | ||||
|             rt::spawn(async move {dialog.show().await}); | ||||
|         } | ||||
|     } | ||||
|  | ||||
|             rx.recv().unwrap(); | ||||
|     fn error_print(self) { | ||||
|         if let Err(e) = self { | ||||
|             eprintln!("{e}"); | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     fn error_print_prefix(self, prefix: &str) { | ||||
|         if let Err(e) = self { | ||||
|             eprintln!("{prefix}: {e}"); | ||||
|         } | ||||
|     } | ||||
| } | ||||
| @@ -53,15 +78,33 @@ where | ||||
| } | ||||
|  | ||||
|  | ||||
| struct SerializeUpstream<E>(pub E); | ||||
|  | ||||
| impl<E: Error> Serialize for SerializeUpstream<E> { | ||||
|     fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> { | ||||
|         let msg = format!("{}", self.0); | ||||
|         let mut map = serializer.serialize_map(None)?; | ||||
|         map.serialize_entry("msg", &msg)?; | ||||
|         map.serialize_entry("code", &None::<&str>)?; | ||||
|         map.serialize_entry("source", &None::<&str>)?; | ||||
|         map.end() | ||||
|     } | ||||
| } | ||||
|  | ||||
| fn serialize_upstream_err<E, M>(err: &E, map: &mut M) -> Result<(), M::Error>  | ||||
| where | ||||
|     E: Error, | ||||
|     M: serde::ser::SerializeMap, | ||||
| { | ||||
|     let msg = err.source().map(|s| format!("{s}")); | ||||
|     map.serialize_entry("msg", &msg)?; | ||||
|     map.serialize_entry("code", &None::<&str>)?; | ||||
|     map.serialize_entry("source", &None::<&str>)?; | ||||
|     // let msg = err.source().map(|s| format!("{s}")); | ||||
|     // map.serialize_entry("msg", &msg)?; | ||||
|     // map.serialize_entry("code", &None::<&str>)?; | ||||
|     // map.serialize_entry("source", &None::<&str>)?; | ||||
|  | ||||
|     match err.source() { | ||||
|         Some(src) => map.serialize_entry("source", &SerializeUpstream(src))?, | ||||
|         None => map.serialize_entry("source", &None::<&str>)?, | ||||
|     } | ||||
|  | ||||
|     Ok(()) | ||||
| } | ||||
| @@ -85,10 +128,10 @@ pub enum SetupError { | ||||
|     InvalidRecord, // e.g. wrong size blob for nonce or salt | ||||
|     #[error("Error from database: {0}")] | ||||
|     DbError(#[from] SqlxError), | ||||
|     #[error("Error loading data: {0}")] | ||||
|     KvError(#[from] LoadKvError), | ||||
|     #[error("Error running migrations: {0}")] | ||||
|     MigrationError(#[from] MigrateError), | ||||
|     #[error("Error parsing configuration from database")] | ||||
|     ConfigParseError(#[from] serde_json::Error), | ||||
|     #[error("Failed to set up start-on-login: {0}")] | ||||
|     AutoLaunchError(#[from] auto_launch::Error), | ||||
|     #[error("Failed to start listener: {0}")] | ||||
| @@ -96,7 +139,7 @@ pub enum SetupError { | ||||
|     #[error("Failed to resolve data directory: {0}")] | ||||
|     DataDir(#[from] DataDirError), | ||||
|     #[error("Failed to register hotkeys: {0}")] | ||||
|     RegisterHotkeys(#[from] tauri::Error), | ||||
|     RegisterHotkeys(#[from] ShortcutError), | ||||
| } | ||||
|  | ||||
|  | ||||
| @@ -116,22 +159,28 @@ pub enum SendResponseError { | ||||
|     NotFound, | ||||
|     #[error("The specified request was already closed by the client")] | ||||
|     Abandoned, | ||||
|     #[error("A response has already been received for the specified request")] | ||||
|     Fulfilled, | ||||
|     #[error("Could not renew AWS sesssion: {0}")] | ||||
|     SessionRenew(#[from] GetSessionError), | ||||
| } | ||||
|  | ||||
|  | ||||
| // errors encountered while handling an HTTP request | ||||
| // errors encountered while handling a client request | ||||
| #[derive(Debug, ThisError, AsRefStr)] | ||||
| pub enum HandlerError { | ||||
|     #[error("Error writing to stream: {0}")] | ||||
|     StreamIOError(#[from] std::io::Error), | ||||
|     // #[error("Received invalid UTF-8 in request")] | ||||
|     // InvalidUtf8, | ||||
|     #[error("Received invalid UTF-8 in request")] | ||||
|     InvalidUtf8(#[from] FromUtf8Error), | ||||
|     #[error("HTTP request malformed")] | ||||
|     BadRequest(Vec<u8>), | ||||
|     BadRequest(#[from] serde_json::Error), | ||||
|     #[error("HTTP request too large")] | ||||
|     RequestTooLarge, | ||||
|     #[error("Connection closed early by client")] | ||||
|     Abandoned, | ||||
|     #[error("Internal server error")] | ||||
|     Internal(#[from] RecvError), | ||||
|     #[error("Error accessing credentials: {0}")] | ||||
|     NoCredentials(#[from] GetCredentialsError), | ||||
|     #[error("Error getting client details: {0}")] | ||||
| @@ -140,6 +189,17 @@ pub enum HandlerError { | ||||
|     Tauri(#[from] tauri::Error), | ||||
|     #[error("No main application window found")] | ||||
|     NoMainWindow, | ||||
|     #[error("Request was denied")] | ||||
|     Denied, | ||||
| } | ||||
|  | ||||
|  | ||||
| #[derive(Debug, ThisError, AsRefStr)] | ||||
| pub enum WindowError { | ||||
|     #[error("Failed to find main application window")] | ||||
|     NoMainWindow, | ||||
|     #[error(transparent)] | ||||
|     ManageFailure(#[from] tauri::Error), | ||||
| } | ||||
|  | ||||
|  | ||||
| @@ -149,6 +209,12 @@ pub enum GetCredentialsError { | ||||
|     Locked, | ||||
|     #[error("No credentials are known")] | ||||
|     Empty, | ||||
|     #[error(transparent)] | ||||
|     Crypto(#[from] CryptoError), | ||||
|     #[error(transparent)] | ||||
|     Load(#[from] LoadCredentialsError), | ||||
|     #[error(transparent)] | ||||
|     GetSession(#[from] GetSessionError), | ||||
| } | ||||
|  | ||||
|  | ||||
| @@ -158,7 +224,7 @@ pub enum GetSessionError { | ||||
|     EmptyResponse, // SDK returned successfully but credentials are None | ||||
|     #[error("Error response from AWS SDK: {0}")] | ||||
|     SdkError(#[from] AwsSdkError<GetSessionTokenError>), | ||||
|     #[error("Could not construt session: credentials are locked")] | ||||
|     #[error("Could not construct session: credentials are locked")] | ||||
|     CredentialsLocked, | ||||
|     #[error("Could not construct session: no credentials are known")] | ||||
|     CredentialsEmpty, | ||||
| @@ -182,12 +248,75 @@ pub enum UnlockError { | ||||
| } | ||||
|  | ||||
|  | ||||
| #[derive(Debug, ThisError, AsRefStr)] | ||||
| pub enum LockError { | ||||
|     #[error("App is not unlocked")] | ||||
|     NotUnlocked, | ||||
|     #[error(transparent)] | ||||
|     LoadCredentials(#[from] LoadCredentialsError), | ||||
|     #[error(transparent)] | ||||
|     Setup(#[from] SetupError), | ||||
|     #[error(transparent)] | ||||
|     TauriError(#[from] tauri::Error), | ||||
|     #[error(transparent)] | ||||
|     Crypto(#[from] CryptoError), | ||||
| } | ||||
|  | ||||
|  | ||||
| #[derive(Debug, ThisError, AsRefStr)] | ||||
| pub enum SaveCredentialsError { | ||||
|     #[error("Database error: {0}")] | ||||
|     DbError(#[from] SqlxError), | ||||
|     #[error("Encryption error: {0}")] | ||||
|     Crypto(#[from] CryptoError), | ||||
|     #[error(transparent)] | ||||
|     Session(#[from] GetCredentialsError), | ||||
|     #[error("App is locked")] | ||||
|     Locked, | ||||
|     #[error("Credential is temporary and cannot be saved")] | ||||
|     NotPersistent, | ||||
|     #[error("A credential with that name already exists")] | ||||
|     Duplicate, | ||||
|     // rekeying is fundamentally a save operation, | ||||
|     // but involves loading in order to re-save | ||||
|     #[error(transparent)] | ||||
|     LoadCredentials(#[from] LoadCredentialsError), | ||||
| } | ||||
|  | ||||
| #[derive(Debug, ThisError, AsRefStr)] | ||||
| pub enum LoadCredentialsError { | ||||
|     #[error("Database error: {0}")] | ||||
|     DbError(#[from] SqlxError), | ||||
|     #[error("Invalid passphrase")] // pretty sure this is the only way decryption fails | ||||
|     Encryption(#[from] CryptoError), | ||||
|     #[error("Credentials not found")] | ||||
|     NoCredentials, | ||||
|     #[error("Could not decode credential data")] | ||||
|     InvalidData, | ||||
|     #[error(transparent)] | ||||
|     LoadKv(#[from] LoadKvError), | ||||
| } | ||||
|  | ||||
|  | ||||
| #[derive(Debug, ThisError, AsRefStr)] | ||||
| pub enum LoadKvError { | ||||
|     #[error("Database error: {0}")] | ||||
|     DbError(#[from] SqlxError), | ||||
|     #[error("Could not parse value from database: {0}")] | ||||
|     Invalid(#[from] serde_json::Error), | ||||
| } | ||||
|  | ||||
|  | ||||
| #[derive(Debug, ThisError, AsRefStr)] | ||||
| pub enum CryptoError { | ||||
|     #[error(transparent)] | ||||
|     Argon2(#[from] argon2::Error), | ||||
|     #[error("Invalid passphrase")] // I think this is the only way decryption fails | ||||
|     Aead(#[from] chacha20poly1305::aead::Error), | ||||
|     #[error("App is currently locked")] | ||||
|     Locked, | ||||
|     #[error("No passphrase has been specified")] | ||||
|     Empty, | ||||
| } | ||||
|  | ||||
|  | ||||
| @@ -196,26 +325,50 @@ pub enum CryptoError { | ||||
| pub enum ClientInfoError { | ||||
|     #[error("Found PID for client socket, but no corresponding process")] | ||||
|     ProcessNotFound, | ||||
|     #[error("Couldn't get client socket details: {0}")] | ||||
|     NetstatError(#[from] netstat2::error::Error), | ||||
|     #[error("Could not determine parent PID of connected client")] | ||||
|     ParentPidNotFound, | ||||
|     #[error("Found PID for parent process of client, but no corresponding process")] | ||||
|     ParentProcessNotFound, | ||||
|     #[cfg(windows)] | ||||
|     #[error("Could not determine PID of connected client")] | ||||
|     WindowsError(#[from] windows::core::Error), | ||||
|     #[error(transparent)] | ||||
|     Io(#[from] std::io::Error), | ||||
| } | ||||
|  | ||||
|  | ||||
| // Technically also an error, but formatted as a struct for easy deserialization | ||||
| #[derive(Debug, Serialize, Deserialize)] | ||||
| pub struct ServerError { | ||||
|     code: String, | ||||
|     msg: String, | ||||
| } | ||||
|  | ||||
| impl std::fmt::Display for ServerError { | ||||
|     fn fmt(&self, f: &mut std::fmt::Formatter) -> Result<(), std::fmt::Error> { | ||||
|         write!(f, "{} ({})", self.msg, self.code)?; | ||||
|         Ok(()) | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| // Errors encountered while requesting credentials via CLI (creddy show, creddy exec) | ||||
| #[derive(Debug, ThisError, AsRefStr)] | ||||
| pub enum RequestError { | ||||
|     #[error("Credentials request failed: HTTP {0}")] | ||||
|     Failed(String), | ||||
|     #[error("Credentials request was rejected")] | ||||
|     Rejected, | ||||
|     #[error("Couldn't interpret the server's response")] | ||||
|     MalformedHttpResponse, | ||||
|     #[error("Error response from server: {0}")] | ||||
|     Server(ServerError), | ||||
|     #[error("Unexpected response from server")] | ||||
|     Unexpected(crate::server::Response), | ||||
|     #[error("The server did not respond with valid JSON")] | ||||
|     InvalidJson, | ||||
|     InvalidJson(#[from] serde_json::Error), | ||||
|     #[error("Error reading/writing stream: {0}")] | ||||
|     StreamIOError(#[from] std::io::Error), | ||||
|     #[error("Error loading configuration data: {0}")] | ||||
|     Setup(#[from] SetupError), | ||||
| } | ||||
|  | ||||
| impl From<ServerError> for RequestError { | ||||
|     fn from(s: ServerError) -> Self { | ||||
|         Self::Server(s) | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| @@ -276,10 +429,13 @@ impl Serialize for SerializeWrapper<&GetSessionTokenError> { | ||||
| } | ||||
|  | ||||
|  | ||||
|  | ||||
| impl_serialize_basic!(SetupError); | ||||
| impl_serialize_basic!(GetCredentialsError); | ||||
| impl_serialize_basic!(ClientInfoError); | ||||
| impl_serialize_basic!(WindowError); | ||||
| impl_serialize_basic!(LockError); | ||||
| impl_serialize_basic!(SaveCredentialsError); | ||||
| impl_serialize_basic!(LoadCredentialsError); | ||||
|  | ||||
|  | ||||
| impl Serialize for HandlerError { | ||||
| @@ -287,13 +443,6 @@ impl Serialize for HandlerError { | ||||
|         let mut map = serializer.serialize_map(None)?; | ||||
|         map.serialize_entry("code", self.as_ref())?; | ||||
|         map.serialize_entry("msg", &format!("{self}"))?; | ||||
|  | ||||
|         match self { | ||||
|             HandlerError::NoCredentials(src) => map.serialize_entry("source", &src)?, | ||||
|             HandlerError::ClientInfo(src) => map.serialize_entry("source", &src)?, | ||||
|             _ => serialize_upstream_err(self, &mut map)?, | ||||
|         } | ||||
|  | ||||
|         map.end() | ||||
|     } | ||||
| } | ||||
| @@ -342,6 +491,8 @@ impl Serialize for UnlockError { | ||||
|  | ||||
|         match self { | ||||
|             UnlockError::GetSession(src) => map.serialize_entry("source", &src)?, | ||||
|             // The string representation of the AEAD error is not very helpful, so skip it | ||||
|             UnlockError::Crypto(_src) => map.serialize_entry("source", &None::<&str>)?, | ||||
|             _ => serialize_upstream_err(self, &mut map)?, | ||||
|         } | ||||
|         map.end() | ||||
|   | ||||
| @@ -1,8 +1,12 @@ | ||||
| use serde::{Serialize, Deserialize}; | ||||
| use sqlx::types::Uuid; | ||||
| use tauri::State; | ||||
|  | ||||
| use crate::config::AppConfig; | ||||
| use crate::credentials::{Session,BaseCredentials}; | ||||
| use crate::credentials::{ | ||||
|     AppSession, | ||||
|     SaveCredential | ||||
| }; | ||||
| use crate::errors::*; | ||||
| use crate::clientinfo::Client; | ||||
| use crate::state::AppState; | ||||
| @@ -10,17 +14,44 @@ use crate::terminal; | ||||
|  | ||||
|  | ||||
| #[derive(Clone, Debug, Serialize, Deserialize)] | ||||
| pub struct Request { | ||||
| pub struct AwsRequestNotification { | ||||
|     pub id: u64, | ||||
|     pub clients: Vec<Option<Client>>, | ||||
|     pub client: Client, | ||||
|     pub base: bool, | ||||
| } | ||||
|  | ||||
|  | ||||
| #[derive(Clone, Debug, Serialize, Deserialize)] | ||||
| pub struct SshRequestNotification { | ||||
|     pub id: u64, | ||||
|     pub client: Client, | ||||
|     pub key_name: String, | ||||
| } | ||||
|  | ||||
|  | ||||
| #[derive(Clone, Debug, Serialize, Deserialize)] | ||||
| #[serde(tag = "type")] | ||||
| pub enum RequestNotification { | ||||
|     Aws(AwsRequestNotification), | ||||
|     Ssh(SshRequestNotification), | ||||
| } | ||||
|  | ||||
| impl RequestNotification { | ||||
|     pub fn new_aws(id: u64, client: Client, base: bool) -> Self { | ||||
|         Self::Aws(AwsRequestNotification {id, client, base}) | ||||
|     } | ||||
|  | ||||
|     pub fn new_ssh(id: u64, client: Client, key_name: String) -> Self { | ||||
|         Self::Ssh(SshRequestNotification {id, client, key_name}) | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| #[derive(Debug, Serialize, Deserialize)] | ||||
| pub struct RequestResponse { | ||||
|     pub id: u64, | ||||
|     pub approval: Approval, | ||||
|     pub base: bool, | ||||
| } | ||||
|  | ||||
|  | ||||
| @@ -43,25 +74,57 @@ pub async fn unlock(passphrase: String, app_state: State<'_, AppState>) -> Resul | ||||
| } | ||||
|  | ||||
|  | ||||
| #[tauri::command] | ||||
| pub async fn lock(app_state: State<'_, AppState>) -> Result<(), LockError> { | ||||
|     app_state.lock().await | ||||
| } | ||||
|  | ||||
|  | ||||
| #[tauri::command] | ||||
| pub async fn set_passphrase(passphrase: &str, app_state: State<'_, AppState>) -> Result<(), SaveCredentialsError> { | ||||
|     app_state.set_passphrase(passphrase).await | ||||
| } | ||||
|  | ||||
|  | ||||
| #[tauri::command] | ||||
| pub async fn get_session_status(app_state: State<'_, AppState>) -> Result<String, ()> { | ||||
|     let session = app_state.session.read().await; | ||||
|     let session = app_state.app_session.read().await; | ||||
|     let status = match *session { | ||||
|         Session::Locked(_) => "locked".into(), | ||||
|         Session::Unlocked{..} => "unlocked".into(), | ||||
|         Session::Empty => "empty".into() | ||||
|         AppSession::Locked{..} => "locked".into(), | ||||
|         AppSession::Unlocked{..} => "unlocked".into(), | ||||
|         AppSession::Empty => "empty".into(), | ||||
|     }; | ||||
|     Ok(status) | ||||
| } | ||||
|  | ||||
|  | ||||
| #[tauri::command] | ||||
| pub async fn save_credentials( | ||||
|     credentials: BaseCredentials, | ||||
|     passphrase: String, | ||||
| pub async fn signal_activity(app_state: State<'_, AppState>) -> Result<(), ()> { | ||||
|     app_state.signal_activity().await; | ||||
|     Ok(()) | ||||
| } | ||||
|  | ||||
|  | ||||
| #[tauri::command] | ||||
| pub async fn save_credential( | ||||
|     cred: SaveCredential, | ||||
|     app_state: State<'_, AppState> | ||||
| ) -> Result<(), UnlockError> { | ||||
|     app_state.new_creds(credentials, &passphrase).await | ||||
| ) -> Result<(), SaveCredentialsError> { | ||||
|     app_state.save_credential(cred).await | ||||
| } | ||||
|  | ||||
|  | ||||
| #[tauri::command] | ||||
| pub async fn delete_credential(id: &str, app_state: State<'_, AppState>) -> Result<(), SaveCredentialsError> { | ||||
|     let id = Uuid::try_parse(id) | ||||
|         .map_err(|_| LoadCredentialsError::NoCredentials)?; | ||||
|     app_state.delete_credential(&id).await | ||||
| } | ||||
|  | ||||
|  | ||||
| #[tauri::command] | ||||
| pub async fn list_credentials(app_state: State<'_, AppState>) -> Result<Vec<SaveCredential>, GetCredentialsError> { | ||||
|     app_state.list_credentials().await | ||||
| } | ||||
|  | ||||
|  | ||||
| @@ -85,3 +148,9 @@ pub async fn save_config(config: AppConfig, app_state: State<'_, AppState>) -> R | ||||
| pub async fn launch_terminal(base: bool) -> Result<(), LaunchTerminalError> { | ||||
|     terminal::launch(base).await | ||||
| } | ||||
|  | ||||
|  | ||||
| #[tauri::command] | ||||
| pub async fn get_setup_errors(app_state: State<'_, AppState>) -> Result<Vec<String>, ()> { | ||||
|     Ok(app_state.setup_errors.clone()) | ||||
| } | ||||
|   | ||||
							
								
								
									
										95
									
								
								src-tauri/src/kv.rs
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										95
									
								
								src-tauri/src/kv.rs
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,95 @@ | ||||
| use serde::Serialize; | ||||
| use serde::de::DeserializeOwned; | ||||
| use sqlx::SqlitePool; | ||||
|  | ||||
| use crate::errors::*; | ||||
|  | ||||
|  | ||||
| pub async fn save<T>(pool: &SqlitePool, name: &str, value: &T) -> Result<(), sqlx::Error> | ||||
|     where T: Serialize | ||||
| { | ||||
|     let bytes = serde_json::to_vec(value).unwrap(); | ||||
|     save_bytes(pool, name, &bytes).await | ||||
| } | ||||
|  | ||||
|  | ||||
| pub async fn save_bytes(pool: &SqlitePool, name: &str, bytes: &[u8]) -> Result<(), sqlx::Error> { | ||||
|     sqlx::query!( | ||||
|         "INSERT INTO kv (name, value) VALUES (?, ?) | ||||
|         ON CONFLICT(name) DO UPDATE SET value = excluded.value;", | ||||
|         name, | ||||
|         bytes, | ||||
|     ).execute(pool).await?; | ||||
|     Ok(()) | ||||
| } | ||||
|  | ||||
|  | ||||
| pub async fn load<T>(pool: &SqlitePool, name: &str) -> Result<Option<T>, LoadKvError> | ||||
|     where T: DeserializeOwned | ||||
| { | ||||
|     let v = load_bytes(pool, name) | ||||
|         .await? | ||||
|         .map(|bytes| serde_json::from_slice(&bytes)) | ||||
|         .transpose()?; | ||||
|     Ok(v) | ||||
| } | ||||
|  | ||||
|  | ||||
| pub async fn load_bytes(pool: &SqlitePool, name: &str) -> Result<Option<Vec<u8>>, sqlx::Error> { | ||||
|     sqlx::query!("SELECT name, value FROM kv WHERE name = ?", name) | ||||
|         .map(|row| row.value) | ||||
|         .fetch_optional(pool) | ||||
|         .await | ||||
|         .map(|o| o.flatten()) | ||||
| } | ||||
|  | ||||
|  | ||||
| macro_rules! load_bytes_multi { | ||||
|     ( | ||||
|         $pool:ident, | ||||
|         $($name:literal),* | ||||
|     ) => { | ||||
|         // wrap everything up in an async block for easy short-circuiting... | ||||
|         async { | ||||
|             // ...returning a Result... | ||||
|             Ok::<_, sqlx::Error>( | ||||
|                 //containing an Option... | ||||
|                 Some( | ||||
|                     // containing a tuple... | ||||
|                     ( | ||||
|                         // ...with one item for each repetition of $name | ||||
|                         $( | ||||
|                             // load_bytes returns Result<Option<_>>, the Result is handled by  | ||||
|                             // the ? and we match on the Option | ||||
|                             match crate::kv::load_bytes($pool, $name).await? { | ||||
|                                 Some(v) => v, | ||||
|                                 None => return Ok(None) | ||||
|                             }, | ||||
|                         )* | ||||
|                     ) | ||||
|                 ) | ||||
|             ) | ||||
|         } | ||||
|     } | ||||
| } | ||||
|  | ||||
| pub(crate) use load_bytes_multi; | ||||
|  | ||||
|  | ||||
| // macro_rules! load_multi { | ||||
| //     ( | ||||
| //         $pool:ident, | ||||
| //         $($name:literal),* | ||||
| //     ) => { | ||||
| //         (|| { | ||||
| //             ( | ||||
| //                 $( | ||||
| //                     match load(pool, $name)? { | ||||
| //                         Some(v) => v, | ||||
| //                         None => return Ok(None) | ||||
| //                     }, | ||||
| //                 )* | ||||
| //             ) | ||||
| //         })() | ||||
| //     } | ||||
| // } | ||||
| @@ -5,7 +5,9 @@ mod credentials; | ||||
| pub mod errors; | ||||
| mod clientinfo; | ||||
| mod ipc; | ||||
| mod kv; | ||||
| mod state; | ||||
| mod server; | ||||
| pub mod server; | ||||
| mod shortcuts; | ||||
| mod terminal; | ||||
| mod tray; | ||||
|   | ||||
| @@ -6,22 +6,24 @@ | ||||
| use creddy::{ | ||||
|     app, | ||||
|     cli, | ||||
|     errors::ErrorPopup, | ||||
|     errors::ShowError, | ||||
| }; | ||||
|  | ||||
|  | ||||
| fn main() { | ||||
|     let res = match cli::parser().get_matches().subcommand() { | ||||
|         None | Some(("run", _)) => { | ||||
|             app::run().error_popup("Creddy failed to start"); | ||||
|             app::run().error_popup("Creddy encountered an error"); | ||||
|             Ok(()) | ||||
|         }, | ||||
|         Some(("show", m)) => cli::show(m), | ||||
|         Some(("get", m)) => cli::get(m), | ||||
|         Some(("exec", m)) => cli::exec(m), | ||||
|         Some(("shortcut", m)) => cli::invoke_shortcut(m), | ||||
|         _ => unreachable!(), | ||||
|     }; | ||||
|  | ||||
|     if let Err(e) = res { | ||||
|         eprintln!("Error: {e}"); | ||||
|         std::process::exit(1); | ||||
|     } | ||||
| } | ||||
|   | ||||
| @@ -1,243 +0,0 @@ | ||||
| use core::time::Duration; | ||||
| use std::io; | ||||
| use std::net::{ | ||||
|     Ipv4Addr, | ||||
|     SocketAddr, | ||||
|     SocketAddrV4, | ||||
| }; | ||||
| use tokio::net::{ | ||||
|     TcpListener,  | ||||
|     TcpStream, | ||||
| }; | ||||
| use tokio::io::{AsyncReadExt, AsyncWriteExt}; | ||||
| use tokio::sync::oneshot; | ||||
| use tokio::time::sleep; | ||||
|  | ||||
| use tauri::{AppHandle, Manager}; | ||||
| use tauri::async_runtime as rt; | ||||
| use tauri::async_runtime::JoinHandle; | ||||
|  | ||||
| use crate::{clientinfo, clientinfo::Client}; | ||||
| use crate::errors::*; | ||||
| use crate::ipc::{Request, Approval}; | ||||
| use crate::state::AppState; | ||||
|  | ||||
|  | ||||
| struct Handler { | ||||
|     request_id: u64, | ||||
|     stream: TcpStream, | ||||
|     receiver: Option<oneshot::Receiver<Approval>>, | ||||
|     app: AppHandle, | ||||
| } | ||||
|  | ||||
| impl Handler { | ||||
|     async fn new(stream: TcpStream, app: AppHandle) -> Self { | ||||
|         let state = app.state::<AppState>(); | ||||
|         let (chan_send, chan_recv) = oneshot::channel(); | ||||
|         let request_id = state.register_request(chan_send).await; | ||||
|         Handler {  | ||||
|             request_id, | ||||
|             stream, | ||||
|             receiver: Some(chan_recv), | ||||
|             app | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     async fn handle(mut self) { | ||||
|         if let Err(e) = self.try_handle().await { | ||||
|             eprintln!("{e}"); | ||||
|         } | ||||
|         let state = self.app.state::<AppState>(); | ||||
|         state.unregister_request(self.request_id).await; | ||||
|     } | ||||
|  | ||||
|     async fn try_handle(&mut self) -> Result<(), HandlerError> { | ||||
|         let req_path = self.recv_request().await?; | ||||
|         let clients = self.get_clients().await?; | ||||
|         if self.includes_banned(&clients).await { | ||||
|             self.stream.write(b"HTTP/1.0 403 Access Denied\r\n\r\n").await?; | ||||
|             return Ok(()) | ||||
|         } | ||||
|         let base = req_path == b"/creddy/base-credentials"; | ||||
|          | ||||
|         let req = Request {id: self.request_id, clients, base}; | ||||
|         self.app.emit_all("credentials-request", &req)?; | ||||
|         let starting_visibility = self.show_window()?; | ||||
|  | ||||
|         match self.wait_for_response().await? { | ||||
|             Approval::Approved => { | ||||
|                 let state = self.app.state::<AppState>(); | ||||
|                 let creds = if base { | ||||
|                     state.serialize_base_creds().await? | ||||
|                 } | ||||
|                 else { | ||||
|                     state.serialize_session_creds().await? | ||||
|                 }; | ||||
|                 self.send_body(creds.as_bytes()).await?; | ||||
|             }, | ||||
|             Approval::Denied => { | ||||
|                 let state = self.app.state::<AppState>(); | ||||
|                 for client in req.clients { | ||||
|                     state.add_ban(client).await; | ||||
|                 } | ||||
|                 self.send_body(b"Denied!").await?; | ||||
|                 self.stream.shutdown().await?; | ||||
|             } | ||||
|         } | ||||
|  | ||||
|         // only hide the window if a) it was hidden to start with | ||||
|         // and b) there are no other pending requests | ||||
|         let state = self.app.state::<AppState>(); | ||||
|         let delay = { | ||||
|             let config = state.config.read().await; | ||||
|             Duration::from_millis(config.rehide_ms) | ||||
|         }; | ||||
|         sleep(delay).await; | ||||
|  | ||||
|         if !starting_visibility && state.req_count().await == 0 { | ||||
|             let window = self.app.get_window("main").ok_or(HandlerError::NoMainWindow)?; | ||||
|             window.hide()?; | ||||
|         } | ||||
|  | ||||
|         Ok(()) | ||||
|     } | ||||
|  | ||||
|     async fn recv_request(&mut self) -> Result<Vec<u8>, HandlerError> { | ||||
|         let mut buf = vec![0; 8192]; // it's what tokio's BufReader uses | ||||
|         let mut n = 0; | ||||
|         loop { | ||||
|             n += self.stream.read(&mut buf[n..]).await?; | ||||
|             if n >= 4 && &buf[(n - 4)..n] == b"\r\n\r\n" {break;} | ||||
|             if n == buf.len() {return Err(HandlerError::RequestTooLarge);} | ||||
|         } | ||||
|  | ||||
|         let path = buf.split(|&c| &[c] == b" ") | ||||
|             .skip(1) | ||||
|             .next() | ||||
|             .ok_or(HandlerError::BadRequest(buf.clone()))?; | ||||
|  | ||||
|         #[cfg(debug_assertions)] { | ||||
|             println!("Path: {}", std::str::from_utf8(&path).unwrap()); | ||||
|             println!("{}", std::str::from_utf8(&buf).unwrap()); | ||||
|         } | ||||
|  | ||||
|         Ok(path.into()) | ||||
|     } | ||||
|  | ||||
|     async fn get_clients(&self) -> Result<Vec<Option<Client>>, HandlerError> { | ||||
|         let peer_addr = match self.stream.peer_addr()? { | ||||
|             SocketAddr::V4(addr) => addr, | ||||
|             _ => unreachable!(), // we only listen on IPv4 | ||||
|         }; | ||||
|         let clients = clientinfo::get_clients(peer_addr.port()).await?; | ||||
|         Ok(clients) | ||||
|     } | ||||
|  | ||||
|     async fn includes_banned(&self, clients: &Vec<Option<Client>>) -> bool { | ||||
|         let state = self.app.state::<AppState>(); | ||||
|         for client in clients { | ||||
|             if state.is_banned(client).await { | ||||
|                 return true; | ||||
|             } | ||||
|         } | ||||
|         false | ||||
|     } | ||||
|  | ||||
|     fn show_window(&self) -> Result<bool, HandlerError> { | ||||
|         let window = self.app.get_window("main").ok_or(HandlerError::NoMainWindow)?; | ||||
|         let starting_visibility = window.is_visible()?; | ||||
|         if !starting_visibility { | ||||
|             window.unminimize()?; | ||||
|             window.show()?; | ||||
|         } | ||||
|         window.set_focus()?; | ||||
|         Ok(starting_visibility) | ||||
|     } | ||||
|  | ||||
|     async fn wait_for_response(&mut self) -> Result<Approval, HandlerError> { | ||||
|         self.stream.write(b"HTTP/1.0 200 OK\r\n").await?; | ||||
|         self.stream.write(b"Content-Type: application/json\r\n").await?; | ||||
|         self.stream.write(b"X-Creddy-delaying-tactic: ").await?; | ||||
|  | ||||
|         #[allow(unreachable_code)] // seems necessary for type inference | ||||
|         let stall = async { | ||||
|             let delay = std::time::Duration::from_secs(1); | ||||
|             loop { | ||||
|                 tokio::time::sleep(delay).await; | ||||
|                 self.stream.write(b"x").await?; | ||||
|             } | ||||
|             Ok(Approval::Denied) | ||||
|         }; | ||||
|  | ||||
|         // this is the only place we even read this field, so it's safe to unwrap | ||||
|         let receiver = self.receiver.take().unwrap(); | ||||
|         tokio::select!{ | ||||
|             r = receiver => Ok(r.unwrap()), // only panics if the sender is dropped without sending, which shouldn't be possible | ||||
|             e = stall => e, | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     async fn send_body(&mut self, body: &[u8]) -> Result<(), HandlerError> { | ||||
|         self.stream.write(b"\r\nContent-Length: ").await?; | ||||
|         self.stream.write(body.len().to_string().as_bytes()).await?; | ||||
|         self.stream.write(b"\r\n\r\n").await?; | ||||
|         self.stream.write(body).await?; | ||||
|         self.stream.shutdown().await?; | ||||
|         Ok(()) | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| #[derive(Debug)] | ||||
| pub struct Server { | ||||
|     addr: Ipv4Addr, | ||||
|     port: u16, | ||||
|     app_handle: AppHandle, | ||||
|     task: JoinHandle<()>, | ||||
| } | ||||
|  | ||||
|  | ||||
| impl Server { | ||||
|     pub async fn new(addr: Ipv4Addr, port: u16, app_handle: AppHandle) -> io::Result<Server> { | ||||
|         let task = Self::start_server(addr, port, app_handle.app_handle()).await?; | ||||
|         Ok(Server { addr, port, app_handle, task}) | ||||
|     } | ||||
|  | ||||
|     pub async fn rebind(&mut self, addr: Ipv4Addr, port: u16) -> io::Result<()> { | ||||
|         if addr == self.addr && port == self.port { | ||||
|             return Ok(()) | ||||
|         } | ||||
|  | ||||
|         let new_task = Self::start_server(addr, port, self.app_handle.app_handle()).await?; | ||||
|         self.task.abort(); | ||||
|  | ||||
|         self.addr = addr; | ||||
|         self.port = port; | ||||
|         self.task = new_task; | ||||
|         Ok(()) | ||||
|     } | ||||
|  | ||||
|     // construct the listener before spawning the task so that we can return early if it fails | ||||
|     async fn start_server(addr: Ipv4Addr, port: u16, app_handle: AppHandle) -> io::Result<JoinHandle<()>> { | ||||
|         let sock_addr = SocketAddrV4::new(addr, port); | ||||
|         let listener = TcpListener::bind(&sock_addr).await?; | ||||
|         let task = rt::spawn( | ||||
|             Self::serve(listener, app_handle.app_handle()) | ||||
|         ); | ||||
|         Ok(task) | ||||
|     } | ||||
|  | ||||
|     async fn serve(listener: TcpListener, app_handle: AppHandle) { | ||||
|         loop { | ||||
|             match listener.accept().await { | ||||
|                 Ok((stream, _)) => { | ||||
|                     let handler = Handler::new(stream, app_handle.app_handle()).await; | ||||
|                     rt::spawn(handler.handle()); | ||||
|                 }, | ||||
|                 Err(e) => { | ||||
|                     eprintln!("Error accepting connection: {e}"); | ||||
|                 } | ||||
|             } | ||||
|         } | ||||
|     } | ||||
| } | ||||
							
								
								
									
										170
									
								
								src-tauri/src/server/mod.rs
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										170
									
								
								src-tauri/src/server/mod.rs
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,170 @@ | ||||
| use tokio::io::{AsyncReadExt, AsyncWriteExt}; | ||||
| use tokio::sync::oneshot; | ||||
|  | ||||
| use serde::{Serialize, Deserialize}; | ||||
|  | ||||
| use tauri::{AppHandle, Manager}; | ||||
|  | ||||
| use crate::errors::*; | ||||
| use crate::clientinfo::{self, Client}; | ||||
| use crate::credentials::{ | ||||
|     AwsBaseCredential, | ||||
|     AwsSessionCredential, | ||||
| }; | ||||
| use crate::ipc::{Approval, RequestNotification}; | ||||
| use crate::state::AppState; | ||||
| use crate::shortcuts::{self, ShortcutAction}; | ||||
|  | ||||
| #[cfg(windows)] | ||||
| mod server_win; | ||||
| #[cfg(windows)] | ||||
| pub use server_win::Server; | ||||
| #[cfg(windows)] | ||||
| use server_win::Stream; | ||||
|  | ||||
| #[cfg(unix)] | ||||
| mod server_unix; | ||||
| #[cfg(unix)] | ||||
| pub use server_unix::Server; | ||||
| #[cfg(unix)] | ||||
| use server_unix::Stream; | ||||
|  | ||||
| pub mod ssh_agent; | ||||
|  | ||||
|  | ||||
| #[derive(Serialize, Deserialize)] | ||||
| pub enum Request { | ||||
|     GetAwsCredentials{  | ||||
|         base: bool, | ||||
|     }, | ||||
|     InvokeShortcut(ShortcutAction), | ||||
| } | ||||
|  | ||||
|  | ||||
| #[derive(Debug, Serialize, Deserialize)] | ||||
| pub enum Response { | ||||
|     AwsBase(AwsBaseCredential), | ||||
|     AwsSession(AwsSessionCredential), | ||||
|     Empty, | ||||
| } | ||||
|  | ||||
|  | ||||
| struct CloseWaiter<'s> { | ||||
|     stream: &'s mut Stream, | ||||
| } | ||||
|  | ||||
| impl<'s> CloseWaiter<'s> { | ||||
|     async fn wait_for_close(&mut self) -> std::io::Result<()> { | ||||
|         let mut buf = [0u8; 8]; | ||||
|         loop { | ||||
|             match self.stream.read(&mut buf).await { | ||||
|                 Ok(0) => break Ok(()), | ||||
|                 Ok(_) => (), | ||||
|                 Err(e) => break Err(e), | ||||
|             } | ||||
|         } | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| async fn handle(mut stream: Stream, app_handle: AppHandle, client_pid: u32) -> Result<(), HandlerError>  | ||||
| { | ||||
|     // read from stream until delimiter is reached | ||||
|     let mut buf: Vec<u8> = Vec::with_capacity(1024); // requests are small, 1KiB is more than enough | ||||
|     let mut n = 0; | ||||
|     loop { | ||||
|         n += stream.read_buf(&mut buf).await?; | ||||
|         if let Some(&b'\n') = buf.last() { | ||||
|             break; | ||||
|         } | ||||
|         else if n >= 1024 { | ||||
|             return Err(HandlerError::RequestTooLarge); | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     let client = clientinfo::get_process_parent_info(client_pid)?; | ||||
|     let waiter = CloseWaiter { stream: &mut stream }; | ||||
|  | ||||
|     let req: Request = serde_json::from_slice(&buf)?; | ||||
|     let res = match req { | ||||
|         Request::GetAwsCredentials{ base } => get_aws_credentials( | ||||
|             base, client, app_handle, waiter | ||||
|         ).await, | ||||
|         Request::InvokeShortcut(action) => invoke_shortcut(action).await, | ||||
|     }; | ||||
|  | ||||
|     // doesn't make sense to send the error to the client if the client has already left | ||||
|     if let Err(HandlerError::Abandoned) = res { | ||||
|         return Err(HandlerError::Abandoned); | ||||
|     } | ||||
|  | ||||
|     let res = serde_json::to_vec(&res).unwrap(); | ||||
|     stream.write_all(&res).await?; | ||||
|     Ok(()) | ||||
| } | ||||
|  | ||||
|  | ||||
| async fn invoke_shortcut(action: ShortcutAction) -> Result<Response, HandlerError> { | ||||
|     shortcuts::exec_shortcut(action); | ||||
|     Ok(Response::Empty) | ||||
| } | ||||
|  | ||||
|  | ||||
| async fn get_aws_credentials( | ||||
|     base: bool, | ||||
|     client: Client, | ||||
|     app_handle: AppHandle, | ||||
|     mut waiter: CloseWaiter<'_>, | ||||
| ) -> Result<Response, HandlerError> { | ||||
|     let state = app_handle.state::<AppState>(); | ||||
|     let rehide_ms = { | ||||
|         let config = state.config.read().await; | ||||
|         config.rehide_ms | ||||
|     }; | ||||
|     let lease = state.acquire_visibility_lease(rehide_ms).await | ||||
|         .map_err(|_e| HandlerError::NoMainWindow)?; // automate this conversion eventually? | ||||
|  | ||||
|     let (chan_send, chan_recv) = oneshot::channel(); | ||||
|     let request_id = state.register_request(chan_send).await; | ||||
|  | ||||
|     // if an error occurs in any of the following, we want to abort the operation | ||||
|     // but ? returns immediately, and we want to unregister the request before returning | ||||
|     // so we bundle it all up in an async block and return a Result so we can handle errors | ||||
|     let proceed = async { | ||||
|         let notification = RequestNotification::new_aws(request_id, client, base); | ||||
|         app_handle.emit("credential-request", ¬ification)?; | ||||
|  | ||||
|         let response = tokio::select! { | ||||
|             r = chan_recv => r?, | ||||
|             _ = waiter.wait_for_close() => { | ||||
|                 app_handle.emit("request-cancelled", request_id)?; | ||||
|                 return Err(HandlerError::Abandoned); | ||||
|             }, | ||||
|         }; | ||||
|  | ||||
|         match response.approval { | ||||
|             Approval::Approved => { | ||||
|                 if response.base { | ||||
|                     let creds = state.get_aws_base("default").await?; | ||||
|                     Ok(Response::AwsBase(creds)) | ||||
|                 } | ||||
|                 else { | ||||
|                     let creds = state.get_aws_session("default").await?; | ||||
|                     Ok(Response::AwsSession(creds.clone())) | ||||
|                 } | ||||
|             }, | ||||
|             Approval::Denied => Err(HandlerError::Denied), | ||||
|         } | ||||
|     }; | ||||
|  | ||||
|     let result = match proceed.await { | ||||
|         Ok(r) => Ok(r), | ||||
|         Err(e) => { | ||||
|             state.unregister_request(request_id).await; | ||||
|             Err(e) | ||||
|         } | ||||
|     }; | ||||
|  | ||||
|     lease.release(); | ||||
|     result | ||||
| } | ||||
							
								
								
									
										58
									
								
								src-tauri/src/server/server_unix.rs
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										58
									
								
								src-tauri/src/server/server_unix.rs
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,58 @@ | ||||
| use std::io::ErrorKind; | ||||
| use tokio::net::{UnixListener, UnixStream}; | ||||
| use tauri::{ | ||||
|     AppHandle, | ||||
|     async_runtime as rt, | ||||
| }; | ||||
|  | ||||
| use crate::errors::*; | ||||
|  | ||||
|  | ||||
| pub type Stream = UnixStream; | ||||
|  | ||||
|  | ||||
| pub struct Server { | ||||
|     listener: UnixListener, | ||||
|     app_handle: AppHandle, | ||||
| } | ||||
|  | ||||
| impl Server { | ||||
|     pub fn start(app_handle: AppHandle) -> std::io::Result<()> { | ||||
|         match std::fs::remove_file("/tmp/creddy.sock") { | ||||
|             Ok(_) => (), | ||||
|             Err(e) if e.kind() == ErrorKind::NotFound => (), | ||||
|             Err(e) => return Err(e), | ||||
|         } | ||||
|  | ||||
|         let listener = UnixListener::bind("/tmp/creddy.sock")?; | ||||
|         let srv = Server { listener, app_handle }; | ||||
|         rt::spawn(srv.serve()); | ||||
|         Ok(()) | ||||
|     } | ||||
|  | ||||
|     async fn serve(self) { | ||||
|         loop { | ||||
|             self.try_serve() | ||||
|                 .await | ||||
|                 .error_print_prefix("Error accepting request: "); | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     async fn try_serve(&self) -> Result<(), HandlerError> { | ||||
|         let (stream, _addr) = self.listener.accept().await?; | ||||
|         let new_handle = self.app_handle.clone(); | ||||
|         let client_pid = get_client_pid(&stream)?; | ||||
|         rt::spawn(async move { | ||||
|             super::handle(stream, new_handle, client_pid) | ||||
|                 .await | ||||
|                 .error_print_prefix("Error responding to request: "); | ||||
|         }); | ||||
|         Ok(()) | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| fn get_client_pid(stream: &UnixStream) -> std::io::Result<u32> { | ||||
|     let cred = stream.peer_cred()?; | ||||
|     Ok(cred.pid().unwrap() as u32) | ||||
| } | ||||
							
								
								
									
										74
									
								
								src-tauri/src/server/server_win.rs
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										74
									
								
								src-tauri/src/server/server_win.rs
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,74 @@ | ||||
| use tokio::net::windows::named_pipe::{ | ||||
|     NamedPipeServer, | ||||
|     ServerOptions, | ||||
| }; | ||||
|  | ||||
| use tauri::{AppHandle, Manager}; | ||||
|  | ||||
| use windows::Win32:: { | ||||
|     Foundation::HANDLE, | ||||
|     System::Pipes::GetNamedPipeClientProcessId, | ||||
| }; | ||||
|  | ||||
| use std::os::windows::io::AsRawHandle; | ||||
|  | ||||
| use tauri::async_runtime as rt; | ||||
|  | ||||
| use crate::errors::*; | ||||
|  | ||||
|  | ||||
| // used by parent module | ||||
| pub type Stream = NamedPipeServer; | ||||
|  | ||||
|  | ||||
| pub struct Server { | ||||
|     listener: NamedPipeServer, | ||||
|     app_handle: AppHandle, | ||||
| } | ||||
|  | ||||
| impl Server { | ||||
|     pub fn start(app_handle: AppHandle) -> std::io::Result<()> { | ||||
|         let listener = ServerOptions::new() | ||||
|             .first_pipe_instance(true) | ||||
|             .create(r"\\.\pipe\creddy-requests")?; | ||||
|  | ||||
|         let srv = Server {listener, app_handle}; | ||||
|         rt::spawn(srv.serve()); | ||||
|         Ok(()) | ||||
|     } | ||||
|  | ||||
|     async fn serve(mut self) { | ||||
|         loop { | ||||
|             if let Err(e) = self.try_serve().await { | ||||
|                 eprintln!("Error accepting connection: {e}"); | ||||
|             } | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     async fn try_serve(&mut self) -> Result<(), HandlerError> { | ||||
|         // connect() just waits for a client to connect, it doesn't return anything | ||||
|         self.listener.connect().await?; | ||||
|  | ||||
|         // create a new pipe instance to listen for the next client, and swap it in | ||||
|         let new_listener = ServerOptions::new().create(r"\\.\pipe\creddy-requests")?; | ||||
|         let stream = std::mem::replace(&mut self.listener, new_listener); | ||||
|         let new_handle = self.app_handle.clone(); | ||||
|         let client_pid = get_client_pid(&stream)?; | ||||
|         rt::spawn(async move { | ||||
|             super::handle(stream, new_handle, client_pid) | ||||
|                 .await | ||||
|                 .error_print_prefix("Error responding to request: "); | ||||
|         }); | ||||
|  | ||||
|         Ok(()) | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| fn get_client_pid(pipe: &NamedPipeServer) -> Result<u32, ClientInfoError> { | ||||
|     let raw_handle = pipe.as_raw_handle(); | ||||
|     let mut pid = 0u32; | ||||
|     let handle = HANDLE(raw_handle as _); | ||||
|     unsafe { GetNamedPipeClientProcessId(handle, &mut pid as *mut u32)? }; | ||||
|     Ok(pid) | ||||
| } | ||||
							
								
								
									
										77
									
								
								src-tauri/src/server/ssh_agent.rs
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										77
									
								
								src-tauri/src/server/ssh_agent.rs
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,77 @@ | ||||
| use signature::Signer; | ||||
| use ssh_agent_lib::agent::{Agent, Session}; | ||||
| use ssh_agent_lib::proto::message::Message; | ||||
| use ssh_key::public::PublicKey; | ||||
| use ssh_key::private::PrivateKey; | ||||
| use tokio::net::UnixListener; | ||||
|  | ||||
|  | ||||
| struct SshAgent; | ||||
|  | ||||
| impl std::default::Default for SshAgent { | ||||
|     fn default() -> Self { | ||||
|         SshAgent {} | ||||
|     } | ||||
| } | ||||
|  | ||||
| #[ssh_agent_lib::async_trait] | ||||
| impl Session for SshAgent { | ||||
|     async fn handle(&mut self, message: Message) -> Result<Message, Box<dyn std::error::Error>> { | ||||
|         println!("Received message"); | ||||
|         match message { | ||||
|             Message::RequestIdentities => { | ||||
|                 let p = std::path::PathBuf::from("/home/joe/.ssh/id_ed25519.pub"); | ||||
|                 let pubkey = PublicKey::read_openssh_file(&p).unwrap(); | ||||
|                 let id = ssh_agent_lib::proto::message::Identity { | ||||
|                     pubkey_blob: pubkey.to_bytes().unwrap(), | ||||
|                     comment: pubkey.comment().to_owned(), | ||||
|                 }; | ||||
|                 Ok(Message::IdentitiesAnswer(vec![id])) | ||||
|             }, | ||||
|             Message::SignRequest(req) => { | ||||
|                 println!("Received sign request"); | ||||
|                 let mut req_bytes = vec![13]; | ||||
|                 encode_string(&mut req_bytes, &req.pubkey_blob); | ||||
|                 encode_string(&mut req_bytes, &req.data); | ||||
|                 req_bytes.extend(req.flags.to_be_bytes()); | ||||
|                 std::fs::File::create("/tmp/signreq").unwrap().write(&req_bytes).unwrap(); | ||||
|  | ||||
|                 let p = std::path::PathBuf::from("/home/joe/.ssh/id_ed25519"); | ||||
|                 let passphrase = std::env::var("PRIVKEY_PASSPHRASE").unwrap(); | ||||
|                 let privkey = PrivateKey::read_openssh_file(&p) | ||||
|                     .unwrap() | ||||
|                     .decrypt(passphrase.as_bytes()) | ||||
|                     .unwrap(); | ||||
|  | ||||
|  | ||||
|  | ||||
|                 let sig = Signer::sign(&privkey, &req.data); | ||||
|                 use std::io::Write; | ||||
|                 std::fs::File::create("/tmp/sig").unwrap().write(sig.as_bytes()).unwrap(); | ||||
|  | ||||
|                 let mut payload = Vec::with_capacity(128); | ||||
|                 encode_string(&mut payload, "ssh-ed25519".as_bytes()); | ||||
|                 encode_string(&mut payload, sig.as_bytes()); | ||||
|                 println!("Payload length: {}", payload.len()); | ||||
|                 std::fs::File::create("/tmp/payload").unwrap().write(&payload).unwrap(); | ||||
|                 Ok(Message::SignResponse(payload)) | ||||
|             }, | ||||
|             _ => Ok(Message::Failure), | ||||
|         } | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| fn encode_string(buf: &mut Vec<u8>, s: &[u8]) { | ||||
|     let len = s.len() as u32; | ||||
|     buf.extend(len.to_be_bytes()); | ||||
|     buf.extend(s); | ||||
| } | ||||
|  | ||||
|  | ||||
| pub async fn run() { | ||||
|     let socket = "/tmp/creddy-agent.sock"; | ||||
|     let _ = std::fs::remove_file(socket); | ||||
|     let listener = UnixListener::bind(socket).unwrap(); | ||||
|     SshAgent.listen(listener).await.unwrap(); | ||||
| } | ||||
							
								
								
									
										69
									
								
								src-tauri/src/shortcuts.rs
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										69
									
								
								src-tauri/src/shortcuts.rs
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,69 @@ | ||||
| use serde::{Serialize, Deserialize}; | ||||
|  | ||||
| use tauri::async_runtime as rt; | ||||
|  | ||||
| use tauri_plugin_global_shortcut::{ | ||||
|     GlobalShortcutExt, | ||||
|     Error as ShortcutError, | ||||
| }; | ||||
|  | ||||
| use crate::app::{self, APP}; | ||||
| use crate::config::HotkeysConfig; | ||||
| use crate::errors::*; | ||||
| use crate::terminal; | ||||
|  | ||||
|  | ||||
| #[derive(Debug, Serialize, Deserialize)] | ||||
| pub enum ShortcutAction { | ||||
|     ShowWindow, | ||||
|     LaunchTerminal, | ||||
| } | ||||
|  | ||||
|  | ||||
| pub fn exec_shortcut(action: ShortcutAction) { | ||||
|     match action { | ||||
|         ShortcutAction::LaunchTerminal => launch_terminal(), | ||||
|         ShortcutAction::ShowWindow => { | ||||
|             let app = APP.get().unwrap(); | ||||
|             app::show_main_window(app) | ||||
|                 .error_popup("Failed to show Creddy"); | ||||
|         }, | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| fn launch_terminal() { | ||||
|     rt::spawn(async { | ||||
|         terminal::launch(false) | ||||
|             .await | ||||
|             .error_popup("Failed to launch terminal") | ||||
|     }); | ||||
| } | ||||
|  | ||||
|  | ||||
| pub fn register_hotkeys(hotkeys: &HotkeysConfig) -> Result<(), ShortcutError> { | ||||
|     let app = APP.get().unwrap(); | ||||
|     let shortcuts = app.global_shortcut(); | ||||
|     shortcuts.unregister_all([ | ||||
|         hotkeys.show_window.keys.as_str(), | ||||
|         hotkeys.launch_terminal.keys.as_str(), | ||||
|     ])?; | ||||
|  | ||||
|     if hotkeys.show_window.enabled { | ||||
|         shortcuts.on_shortcut( | ||||
|             hotkeys.show_window.keys.as_str(), | ||||
|             |app, _shortcut, _event| { | ||||
|                 app::show_main_window(app).error_popup("Failed to show Creddy") | ||||
|             } | ||||
|         )?; | ||||
|     } | ||||
|  | ||||
|     if hotkeys.launch_terminal.enabled { | ||||
|         shortcuts.on_shortcut( | ||||
|             hotkeys.launch_terminal.keys.as_str(), | ||||
|             |_app, _shortcut, _event| launch_terminal() | ||||
|         )?; | ||||
|     } | ||||
|  | ||||
|     Ok(()) | ||||
| } | ||||
| @@ -1,60 +1,185 @@ | ||||
| use std::collections::{HashMap, HashSet}; | ||||
| use std::collections::HashMap; | ||||
| use std::time::Duration; | ||||
| use time::OffsetDateTime; | ||||
|  | ||||
| use tokio::{ | ||||
|     sync::oneshot::Sender, | ||||
|     sync::RwLock, | ||||
|     time::sleep, | ||||
|     sync::{RwLock, RwLockReadGuard}, | ||||
|     sync::oneshot::{self, Sender}, | ||||
| }; | ||||
| use sqlx::SqlitePool; | ||||
| use tauri::async_runtime as runtime; | ||||
| use tauri::Manager; | ||||
| use sqlx::types::Uuid; | ||||
| use tauri::{ | ||||
|     Manager, | ||||
|     async_runtime as rt, | ||||
| }; | ||||
|  | ||||
| use crate::app::APP; | ||||
| use crate::app; | ||||
| use crate::credentials::{ | ||||
|     Session, | ||||
|     BaseCredentials, | ||||
|     SessionCredentials, | ||||
|     AppSession, | ||||
|     AwsSessionCredential, | ||||
| }; | ||||
| use crate::{config, config::AppConfig}; | ||||
| use crate::ipc::{self, Approval}; | ||||
| use crate::clientinfo::Client; | ||||
| use crate::credentials::{ | ||||
|     AwsBaseCredential, | ||||
|     SaveCredential, | ||||
|     PersistentCredential | ||||
| }; | ||||
| use crate::ipc::{self, RequestResponse}; | ||||
| use crate::errors::*; | ||||
| use crate::server::Server; | ||||
| use crate::shortcuts; | ||||
|  | ||||
|  | ||||
| #[derive(Debug)] | ||||
| struct Visibility { | ||||
|     leases: usize, | ||||
|     original: Option<bool>, | ||||
| } | ||||
|  | ||||
| impl Visibility { | ||||
|     fn new() -> Self { | ||||
|         Visibility { leases: 0, original: None } | ||||
|     } | ||||
|  | ||||
|     fn acquire(&mut self, delay_ms: u64) -> Result<VisibilityLease, WindowError> { | ||||
|         let app = crate::app::APP.get().unwrap(); | ||||
|         let window = app.get_webview_window("main") | ||||
|             .ok_or(WindowError::NoMainWindow)?; | ||||
|  | ||||
|         self.leases += 1; | ||||
|         // `original` represents the visibility of the window before any leases were acquired | ||||
|         // None means we don't know, Some(false) means it was previously hidden, | ||||
|         // Some(true) means it was previously visible | ||||
|         let is_visible = window.is_visible()?; | ||||
|         if self.original.is_none() { | ||||
|             self.original = Some(is_visible); | ||||
|         } | ||||
|  | ||||
|         let state = app.state::<AppState>(); | ||||
|         if is_visible && state.desktop_is_gnome { | ||||
|             // Gnome has a really annoying "focus-stealing prevention" behavior means we | ||||
|             // can't just pop up when the window is already visible, so to work around it | ||||
|             // we hide and then immediately unhide the window | ||||
|             window.hide()?; | ||||
|         } | ||||
|         app::show_main_window(&app)?; | ||||
|         window.set_focus()?; | ||||
|  | ||||
|         let (tx, rx) = oneshot::channel(); | ||||
|         let lease = VisibilityLease { notify: tx }; | ||||
|  | ||||
|         let delay = Duration::from_millis(delay_ms); | ||||
|         rt::spawn(async move { | ||||
|             // We don't care if it's an error; lease being dropped should be handled identically | ||||
|             let _ = rx.await; | ||||
|             tokio::time::sleep(delay).await; | ||||
|             // we can't use `self` here because we would have to move it into the async block | ||||
|             let state = app.state::<AppState>(); | ||||
|             let mut visibility = state.visibility.write().await; | ||||
|             visibility.leases -= 1; | ||||
|             if visibility.leases == 0 { | ||||
|                 if let Some(false) = visibility.original { | ||||
|                     app::hide_main_window(app).error_print(); | ||||
|                 } | ||||
|                 visibility.original = None; | ||||
|             } | ||||
|         }); | ||||
|  | ||||
|         Ok(lease) | ||||
|     } | ||||
| } | ||||
|  | ||||
| pub struct VisibilityLease { | ||||
|     notify: Sender<()>, | ||||
| } | ||||
|  | ||||
| impl VisibilityLease { | ||||
|     pub fn release(self) { | ||||
|         rt::spawn(async move { | ||||
|             if let Err(_) = self.notify.send(()) { | ||||
|                 eprintln!("Error releasing visibility lease") | ||||
|             } | ||||
|         }); | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| #[derive(Debug)] | ||||
| pub struct AppState { | ||||
|     pub config: RwLock<AppConfig>, | ||||
|     pub session: RwLock<Session>, | ||||
|     pub app_session: RwLock<AppSession>, | ||||
|     pub aws_session: RwLock<Option<AwsSessionCredential>>, | ||||
|     pub last_activity: RwLock<OffsetDateTime>, | ||||
|     pub request_count: RwLock<u64>, | ||||
|     pub open_requests: RwLock<HashMap<u64, Sender<ipc::Approval>>>, | ||||
|     pub waiting_requests: RwLock<HashMap<u64, Sender<RequestResponse>>>, | ||||
|     pub pending_terminal_request: RwLock<bool>, | ||||
|     pub bans: RwLock<std::collections::HashSet<Option<Client>>>, | ||||
|     server: RwLock<Server>, | ||||
|     // these are never modified and so don't need to be wrapped in RwLocks | ||||
|     pub setup_errors: Vec<String>, | ||||
|     pub desktop_is_gnome: bool, | ||||
|     pool: sqlx::SqlitePool, | ||||
|     visibility: RwLock<Visibility>, | ||||
| } | ||||
|  | ||||
| impl AppState { | ||||
|     pub fn new(config: AppConfig, session: Session, server: Server, pool: SqlitePool) -> AppState { | ||||
|     pub fn new( | ||||
|         config: AppConfig, | ||||
|         app_session: AppSession, | ||||
|         pool: SqlitePool, | ||||
|         setup_errors: Vec<String>, | ||||
|         desktop_is_gnome: bool, | ||||
|     ) -> AppState { | ||||
|         AppState { | ||||
|             config: RwLock::new(config), | ||||
|             session: RwLock::new(session), | ||||
|             app_session: RwLock::new(app_session), | ||||
|             aws_session: RwLock::new(None), | ||||
|             last_activity: RwLock::new(OffsetDateTime::now_utc()), | ||||
|             request_count: RwLock::new(0), | ||||
|             open_requests: RwLock::new(HashMap::new()), | ||||
|             waiting_requests: RwLock::new(HashMap::new()), | ||||
|             pending_terminal_request: RwLock::new(false), | ||||
|             bans: RwLock::new(HashSet::new()), | ||||
|             server: RwLock::new(server), | ||||
|             setup_errors, | ||||
|             desktop_is_gnome, | ||||
|             pool, | ||||
|             visibility: RwLock::new(Visibility::new()), | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     pub async fn new_creds(&self, base_creds: BaseCredentials, passphrase: &str) -> Result<(), UnlockError> { | ||||
|         let locked = base_creds.encrypt(passphrase)?; | ||||
|         // do this first so that if it fails we don't save bad credentials | ||||
|         self.new_session(base_creds).await?; | ||||
|         locked.save(&self.pool).await?; | ||||
|     pub async fn save_credential(&self, cred: SaveCredential) -> Result<(), SaveCredentialsError> { | ||||
|         let session = self.app_session.read().await; | ||||
|         let crypto = session.try_get_crypto()?; | ||||
|         cred.save(crypto, &self.pool).await | ||||
|     } | ||||
|  | ||||
|     pub async fn delete_credential(&self, id: &Uuid) -> Result<(), SaveCredentialsError> { | ||||
|         sqlx::query!("DELETE FROM credentials WHERE id = ?", id) | ||||
|             .execute(&self.pool) | ||||
|             .await?; | ||||
|         Ok(()) | ||||
|     } | ||||
|  | ||||
|     pub async fn list_credentials(&self) -> Result<Vec<SaveCredential>, GetCredentialsError> { | ||||
|         let session = self.app_session.read().await; | ||||
|         let crypto = session.try_get_crypto()?; | ||||
|         let creds = AwsBaseCredential::list(crypto, &self.pool).await?; | ||||
|         // eventual extend this vec with other credential types | ||||
|         Ok(creds) | ||||
|     } | ||||
|  | ||||
|     pub async fn set_passphrase(&self, passphrase: &str) -> Result<(), SaveCredentialsError> { | ||||
|         let mut cur_session = self.app_session.write().await; | ||||
|         if let AppSession::Locked {..} = *cur_session { | ||||
|             return Err(SaveCredentialsError::Locked); | ||||
|         } | ||||
|  | ||||
|         let new_session = AppSession::new(passphrase)?; | ||||
|         if let AppSession::Unlocked {salt: _, ref crypto} = *cur_session { | ||||
|             AwsBaseCredential::rekey( | ||||
|                 crypto, | ||||
|                 new_session.try_get_crypto().expect("AppSession::new() should always return Unlocked"), | ||||
|                 &self.pool, | ||||
|             ).await?; | ||||
|         } | ||||
|  | ||||
|         new_session.save(&self.pool).await?; | ||||
|         *cur_session = new_session; | ||||
|         Ok(()) | ||||
|     } | ||||
|  | ||||
| @@ -65,18 +190,12 @@ impl AppState { | ||||
|         if new_config.start_on_login != live_config.start_on_login { | ||||
|             config::set_auto_launch(new_config.start_on_login)?; | ||||
|         } | ||||
|         // rebind socket if necessary | ||||
|         if new_config.listen_addr != live_config.listen_addr  | ||||
|             || new_config.listen_port != live_config.listen_port  | ||||
|         { | ||||
|             let mut sv = self.server.write().await; | ||||
|             sv.rebind(new_config.listen_addr, new_config.listen_port).await?; | ||||
|         } | ||||
|  | ||||
|         // re-register hotkeys if necessary | ||||
|         if new_config.hotkeys.show_window != live_config.hotkeys.show_window | ||||
|             || new_config.hotkeys.launch_terminal != live_config.hotkeys.launch_terminal | ||||
|         { | ||||
|             config::register_hotkeys(&new_config.hotkeys)?; | ||||
|             shortcuts::register_hotkeys(&new_config.hotkeys)?; | ||||
|         } | ||||
|  | ||||
|         new_config.save(&self.pool).await?; | ||||
| @@ -84,95 +203,100 @@ impl AppState { | ||||
|         Ok(()) | ||||
|     } | ||||
|  | ||||
|     pub async fn register_request(&self, chan: Sender<ipc::Approval>) -> u64 { | ||||
|     pub async fn register_request(&self, sender: Sender<RequestResponse>) -> u64 { | ||||
|         let count = { | ||||
|             let mut c = self.request_count.write().await; | ||||
|             *c += 1; | ||||
|             c | ||||
|         }; | ||||
|  | ||||
|         let mut open_requests = self.open_requests.write().await; | ||||
|         open_requests.insert(*count, chan); // `count` is the request id | ||||
|         let mut waiting_requests = self.waiting_requests.write().await; | ||||
|         waiting_requests.insert(*count, sender); // `count` is the request id | ||||
|         *count | ||||
|     } | ||||
|  | ||||
|     pub async fn unregister_request(&self, id: u64) { | ||||
|         let mut open_requests = self.open_requests.write().await; | ||||
|         open_requests.remove(&id); | ||||
|         let mut waiting_requests = self.waiting_requests.write().await; | ||||
|         waiting_requests.remove(&id); | ||||
|     } | ||||
|  | ||||
|     pub async fn req_count(&self) -> usize { | ||||
|         let open_requests = self.open_requests.read().await; | ||||
|         open_requests.len() | ||||
|     pub async fn acquire_visibility_lease(&self, delay: u64) -> Result<VisibilityLease, WindowError> { | ||||
|         let mut visibility = self.visibility.write().await; | ||||
|         visibility.acquire(delay) | ||||
|     } | ||||
|  | ||||
|     pub async fn send_response(&self, response: ipc::RequestResponse) -> Result<(), SendResponseError> { | ||||
|         if let Approval::Approved = response.approval { | ||||
|             let mut session = self.session.write().await; | ||||
|             session.renew_if_expired().await?; | ||||
|         } | ||||
|  | ||||
|         let mut open_requests = self.open_requests.write().await; | ||||
|         let chan = open_requests | ||||
|         let mut waiting_requests = self.waiting_requests.write().await; | ||||
|         waiting_requests | ||||
|             .remove(&response.id) | ||||
|             .ok_or(SendResponseError::NotFound) | ||||
|             ?; | ||||
|  | ||||
|         chan.send(response.approval) | ||||
|             .map_err(|_e| SendResponseError::Abandoned) | ||||
|     } | ||||
|  | ||||
|     pub async fn add_ban(&self, client: Option<Client>) { | ||||
|         let mut bans = self.bans.write().await; | ||||
|         bans.insert(client.clone()); | ||||
|  | ||||
|         runtime::spawn(async move { | ||||
|             sleep(Duration::from_secs(5)).await; | ||||
|             let app = APP.get().unwrap(); | ||||
|             let state = app.state::<AppState>(); | ||||
|             let mut bans = state.bans.write().await; | ||||
|             bans.remove(&client); | ||||
|         }); | ||||
|     } | ||||
|  | ||||
|     pub async fn is_banned(&self, client: &Option<Client>) -> bool { | ||||
|         self.bans.read().await.contains(&client) | ||||
|             .ok_or(SendResponseError::NotFound)? | ||||
|             .send(response) | ||||
|             .map_err(|_| SendResponseError::Abandoned) | ||||
|     } | ||||
|  | ||||
|     pub async fn unlock(&self, passphrase: &str) -> Result<(), UnlockError> { | ||||
|         let base_creds = match *self.session.read().await { | ||||
|             Session::Empty => {return Err(UnlockError::NoCredentials);}, | ||||
|             Session::Unlocked{..} => {return Err(UnlockError::NotLocked);}, | ||||
|             Session::Locked(ref locked) => locked.decrypt(passphrase)?, | ||||
|         }; | ||||
|         // Read lock is dropped here, so this doesn't deadlock | ||||
|         self.new_session(base_creds).await?; | ||||
|  | ||||
|         Ok(()) | ||||
|         let mut session = self.app_session.write().await; | ||||
|         session.unlock(passphrase) | ||||
|     } | ||||
|  | ||||
|     pub async fn is_unlocked(&self) -> bool { | ||||
|         let session = self.session.read().await; | ||||
|         matches!(*session, Session::Unlocked{..}) | ||||
|     pub async fn lock(&self) -> Result<(), LockError> { | ||||
|         let mut session = self.app_session.write().await; | ||||
|         match *session { | ||||
|             AppSession::Empty => Err(LockError::NotUnlocked), | ||||
|             AppSession::Locked{..} => Err(LockError::NotUnlocked), | ||||
|             AppSession::Unlocked{..} => { | ||||
|                 *session = AppSession::load(&self.pool).await?; | ||||
|  | ||||
|                 let app_handle = app::APP.get().unwrap(); | ||||
|                 app_handle.emit("locked", None::<usize>)?; | ||||
|  | ||||
|                 Ok(()) | ||||
|             } | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     pub async fn serialize_base_creds(&self) -> Result<String, GetCredentialsError> { | ||||
|         let app_session = self.session.read().await; | ||||
|         let (base, _session) = app_session.try_get()?; | ||||
|         Ok(serde_json::to_string(base).unwrap()) | ||||
|     pub async fn get_aws_base(&self, name: &str) -> Result<AwsBaseCredential, GetCredentialsError> { | ||||
|         let app_session = self.app_session.read().await; | ||||
|         let crypto = app_session.try_get_crypto()?; | ||||
|         let creds = AwsBaseCredential::load(name, crypto, &self.pool).await?; | ||||
|         Ok(creds) | ||||
|     } | ||||
|  | ||||
|     pub async fn serialize_session_creds(&self) -> Result<String, GetCredentialsError> { | ||||
|         let app_session = self.session.read().await; | ||||
|         let (_bsae, session) = app_session.try_get()?; | ||||
|         Ok(serde_json::to_string(session).unwrap()) | ||||
|     pub async fn get_aws_session(&self, name: &str) -> Result<RwLockReadGuard<'_, AwsSessionCredential>, GetCredentialsError> { | ||||
|         // yes, this sometimes results in double-fetching base credentials from disk | ||||
|         // I'm done trying to be optimal | ||||
|         { | ||||
|             let mut aws_session = self.aws_session.write().await; | ||||
|             if aws_session.is_none() || aws_session.as_ref().unwrap().is_expired() { | ||||
|                 let base_creds = self.get_aws_base(name).await?; | ||||
|                 *aws_session = Some(AwsSessionCredential::from_base(&base_creds).await?); | ||||
|             } | ||||
|         } | ||||
|  | ||||
|         // we know this is safe, because we juse made sure of it | ||||
|         let s = RwLockReadGuard::map(self.aws_session.read().await, |opt| opt.as_ref().unwrap()); | ||||
|         Ok(s) | ||||
|     } | ||||
|  | ||||
|     async fn new_session(&self, base: BaseCredentials) -> Result<(), GetSessionError> { | ||||
|         let session = SessionCredentials::from_base(&base).await?; | ||||
|         let mut app_session = self.session.write().await; | ||||
|         *app_session = Session::Unlocked {base, session}; | ||||
|         Ok(()) | ||||
|     pub async fn signal_activity(&self) { | ||||
|         let mut last_activity = self.last_activity.write().await; | ||||
|         *last_activity = OffsetDateTime::now_utc(); | ||||
|     } | ||||
|  | ||||
|     pub async fn should_auto_lock(&self) -> bool { | ||||
|         let config = self.config.read().await; | ||||
|         if !config.auto_lock || self.is_locked().await { | ||||
|             return false; | ||||
|         } | ||||
|  | ||||
|         let last_activity = self.last_activity.read().await; | ||||
|         let elapsed = OffsetDateTime::now_utc() - *last_activity; | ||||
|         elapsed >= config.lock_after | ||||
|     } | ||||
|  | ||||
|     pub async fn is_locked(&self) -> bool { | ||||
|         let session = self.app_session.read().await; | ||||
|         matches!(*session, AppSession::Locked {..}) | ||||
|     } | ||||
|  | ||||
|     pub async fn register_terminal_request(&self) -> Result<(), ()> { | ||||
| @@ -192,3 +316,41 @@ impl AppState { | ||||
|         *req = false; | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| #[cfg(test)] | ||||
| mod tests { | ||||
|     use super::*; | ||||
|     use crate::credentials::Crypto; | ||||
|     use sqlx::types::Uuid; | ||||
|  | ||||
|  | ||||
|     fn test_state(pool: SqlitePool) -> AppState { | ||||
|         let salt = [0u8; 32]; | ||||
|         let crypto = Crypto::fixed(); | ||||
|         AppState::new( | ||||
|             AppConfig::default(), | ||||
|             AppSession::Unlocked { salt, crypto }, | ||||
|             pool, | ||||
|             vec![], | ||||
|             false, | ||||
|         ) | ||||
|     } | ||||
|  | ||||
|  | ||||
|     #[sqlx::test(fixtures("./credentials/fixtures/aws_credentials.sql"))] | ||||
|     fn test_delete_credential(pool: SqlitePool) { | ||||
|         let state = test_state(pool); | ||||
|         let id = Uuid::try_parse("00000000-0000-0000-0000-000000000000").unwrap(); | ||||
|         state.delete_credential(&id).await.unwrap(); | ||||
|  | ||||
|         // ensure delete-cascade went through correctly | ||||
|         let res = AwsBaseCredential::load( | ||||
|             "test", | ||||
|             &Crypto::fixed(), | ||||
|             &state.pool, | ||||
|         ).await; | ||||
|  | ||||
|         assert!(matches!(res, Err(LoadCredentialsError::NoCredentials))); | ||||
|     } | ||||
| } | ||||
|   | ||||
| @@ -1,6 +1,8 @@ | ||||
| use std::process::Command; | ||||
| use std::time::Duration; | ||||
|  | ||||
| use tauri::Manager; | ||||
| use tokio::time::sleep; | ||||
|  | ||||
| use crate::app::APP; | ||||
| use crate::errors::*; | ||||
| @@ -23,48 +25,42 @@ pub async fn launch(use_base: bool) -> Result<(), LaunchTerminalError> { | ||||
|         cmd | ||||
|     }; | ||||
|  | ||||
|     // if session is unlocked or empty, wait for credentials from frontend | ||||
|     if !state.is_unlocked().await { | ||||
|         app.emit_all("launch-terminal-request", ())?; | ||||
|         let window = app.get_window("main") | ||||
|             .ok_or(LaunchTerminalError::NoMainWindow)?; | ||||
|         if !window.is_visible()? { | ||||
|             window.unminimize()?; | ||||
|             window.show()?; | ||||
|         } | ||||
|         window.set_focus()?; | ||||
|     // if session is locked, wait for credentials from frontend | ||||
|     if state.is_locked().await { | ||||
|         let lease = state.acquire_visibility_lease(0).await | ||||
|             .map_err(|_e| LaunchTerminalError::NoMainWindow)?; // automate conversion eventually? | ||||
|  | ||||
|         let (tx, rx) = tokio::sync::oneshot::channel(); | ||||
|         app.once_global("credentials-event", move |e| { | ||||
|             let success = match e.payload() { | ||||
|                 Some("\"unlocked\"") | Some("\"entered\"") => true, | ||||
|                 _ => false, | ||||
|             }; | ||||
|             let _ = tx.send(success); | ||||
|         app.once("unlocked", move |_| { | ||||
|             let _ = tx.send(()); | ||||
|         }); | ||||
|  | ||||
|         if !rx.await.unwrap_or(false) { | ||||
|             state.unregister_terminal_request().await; | ||||
|             return Ok(()); // request was canceled by user | ||||
|         let timeout = Duration::from_secs(60); | ||||
|         tokio::select! { | ||||
|             // if the frontend is unlocked within 60 seconds, release visibility lock and proceed | ||||
|             _ = rx => lease.release(), | ||||
|             // otherwise, dump this request, but return Ok so we don't get an error popup | ||||
|             _ = sleep(timeout) => { | ||||
|                 state.unregister_terminal_request().await; | ||||
|                 eprintln!("WARNING: Request to launch terminal timed out after 60 seconds."); | ||||
|                 return Ok(()); | ||||
|             }, | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     // more lock-management | ||||
|     { | ||||
|         let app_session = state.session.read().await; | ||||
|         // session should really be unlocked at this point, but if the frontend misbehaves | ||||
|         // (i.e. lies about unlocking) we could end up here with a locked session | ||||
|         // this will result in an error popup to the user (see main hotkey handler) | ||||
|         let (base_creds, session_creds) = app_session.try_get()?; | ||||
|         if use_base { | ||||
|             cmd.env("AWS_ACCESS_KEY_ID", &base_creds.access_key_id); | ||||
|             cmd.env("AWS_SECRET_ACCESS_KEY", &base_creds.secret_access_key); | ||||
|         } | ||||
|         else { | ||||
|             cmd.env("AWS_ACCESS_KEY_ID", &session_creds.access_key_id); | ||||
|             cmd.env("AWS_SECRET_ACCESS_KEY", &session_creds.secret_access_key); | ||||
|             cmd.env("AWS_SESSION_TOKEN", &session_creds.token); | ||||
|         } | ||||
|     // session should really be unlocked at this point, but if the frontend misbehaves | ||||
|     // (i.e. lies about unlocking) we could end up here with a locked session | ||||
|     // this will result in an error popup to the user (see main hotkey handler) | ||||
|     if use_base { | ||||
|         let base_creds = state.get_aws_base("default").await?; | ||||
|         cmd.env("AWS_ACCESS_KEY_ID", &base_creds.access_key_id); | ||||
|         cmd.env("AWS_SECRET_ACCESS_KEY", &base_creds.secret_access_key); | ||||
|     } | ||||
|     else { | ||||
|         let session_creds = state.get_aws_session("default").await?; | ||||
|         cmd.env("AWS_ACCESS_KEY_ID", &session_creds.access_key_id); | ||||
|         cmd.env("AWS_SECRET_ACCESS_KEY", &session_creds.secret_access_key); | ||||
|         cmd.env("AWS_SESSION_TOKEN", &session_creds.session_token); | ||||
|     } | ||||
|  | ||||
|     let res = match cmd.spawn() { | ||||
|   | ||||
| @@ -1,36 +1,49 @@ | ||||
| use tauri::{ | ||||
|     App, | ||||
|     AppHandle, | ||||
|     Manager, | ||||
|     SystemTray, | ||||
|     SystemTrayEvent, | ||||
|     SystemTrayMenu, | ||||
|     CustomMenuItem, | ||||
|     async_runtime as rt, | ||||
| }; | ||||
| use tauri::menu::{ | ||||
|     MenuBuilder, | ||||
|     MenuEvent, | ||||
|     MenuItemBuilder, | ||||
| }; | ||||
|  | ||||
| use crate::app; | ||||
| use crate::state::AppState; | ||||
|  | ||||
| pub fn create() -> SystemTray { | ||||
|     let show = CustomMenuItem::new("show".to_string(), "Show"); | ||||
|     let quit = CustomMenuItem::new("exit".to_string(), "Exit"); | ||||
|  | ||||
|     let menu = SystemTrayMenu::new() | ||||
|         .add_item(show) | ||||
|         .add_item(quit); | ||||
| pub fn setup(app: &App) -> tauri::Result<()> { | ||||
|     let show_hide = MenuItemBuilder::with_id("show_hide", "Show").build(app)?; | ||||
|     let exit = MenuItemBuilder::with_id("exit", "Exit").build(app)?; | ||||
|  | ||||
|     SystemTray::new().with_menu(menu) | ||||
|     let menu = MenuBuilder::new(app) | ||||
|         .items(&[&show_hide, &exit]) | ||||
|         .build()?; | ||||
|  | ||||
|     let tray = app.tray_by_id("main").unwrap(); | ||||
|     tray.set_menu(Some(menu))?; | ||||
|     tray.on_menu_event(handle_event); | ||||
|  | ||||
|     // stash this so we can find it later to change the text | ||||
|     app.manage(show_hide); | ||||
|  | ||||
|     Ok(()) | ||||
| } | ||||
|  | ||||
|  | ||||
| pub fn handle_event(app: &AppHandle, event: SystemTrayEvent) { | ||||
|     match event { | ||||
|         SystemTrayEvent::MenuItemClick{ id, .. } => { | ||||
|             match id.as_str() { | ||||
|                 "exit" => app.exit(0), | ||||
|                 "show" => { | ||||
|                     let _ = app.get_window("main").map(|w| w.show()); | ||||
|                 } | ||||
|                 _ => (), | ||||
|             } | ||||
|         } | ||||
| fn handle_event(app_handle: &AppHandle, event: MenuEvent) { | ||||
|     match event.id.0.as_str() { | ||||
|         "exit" => app_handle.exit(0), | ||||
|         "show_hide" => { | ||||
|             let _ = app::toggle_main_window(app_handle); | ||||
|             let new_handle = app_handle.clone(); | ||||
|             rt::spawn(async move { | ||||
|                 let state = new_handle.state::<AppState>(); | ||||
|                 state.signal_activity().await; | ||||
|             }); | ||||
|         }, | ||||
|         _ => (), | ||||
|     } | ||||
| } | ||||
|   | ||||
| @@ -3,64 +3,57 @@ | ||||
|   "build": { | ||||
|     "beforeBuildCommand": "npm run build", | ||||
|     "beforeDevCommand": "npm run dev", | ||||
|     "devPath": "http://localhost:5173", | ||||
|     "distDir": "../dist" | ||||
|     "frontendDist": "../dist", | ||||
|     "devUrl": "http://localhost:5173" | ||||
|   }, | ||||
|   "package": { | ||||
|     "productName": "creddy", | ||||
|     "version": "0.3.0" | ||||
|   }, | ||||
|   "tauri": { | ||||
|     "allowlist": { | ||||
|       "os": {"all": true}, | ||||
|       "dialog": {"open": true} | ||||
|   "bundle": { | ||||
|     "active": true, | ||||
|     "category": "DeveloperTool", | ||||
|     "copyright": "", | ||||
|     "targets": "all", | ||||
|     "externalBin": [], | ||||
|     "icon": [ | ||||
|       "icons/32x32.png", | ||||
|       "icons/128x128.png", | ||||
|       "icons/128x128@2x.png", | ||||
|       "icons/icon.icns", | ||||
|       "icons/icon.ico" | ||||
|     ], | ||||
|     "windows": { | ||||
|       "certificateThumbprint": null, | ||||
|       "digestAlgorithm": "sha256", | ||||
|       "timestampUrl": "", | ||||
|       "wix": { | ||||
|         "fragmentPaths": [ | ||||
|           "conf/cli.wxs" | ||||
|         ], | ||||
|         "componentRefs": [ | ||||
|           "CliBinary", | ||||
|           "AddToPath" | ||||
|         ] | ||||
|       } | ||||
|     }, | ||||
|     "bundle": { | ||||
|       "active": true, | ||||
|       "category": "DeveloperTool", | ||||
|       "copyright": "", | ||||
|     "longDescription": "", | ||||
|     "macOS": { | ||||
|       "entitlements": null, | ||||
|       "exceptionDomain": "", | ||||
|       "frameworks": [], | ||||
|       "providerShortName": null, | ||||
|       "signingIdentity": null | ||||
|     }, | ||||
|     "resources": [], | ||||
|     "shortDescription": "", | ||||
|     "linux": { | ||||
|       "deb": { | ||||
|         "depends": [] | ||||
|       }, | ||||
|       "externalBin": [], | ||||
|       "icon": [ | ||||
|         "icons/32x32.png", | ||||
|         "icons/128x128.png", | ||||
|         "icons/128x128@2x.png", | ||||
|         "icons/icon.icns", | ||||
|         "icons/icon.ico" | ||||
|       ], | ||||
|       "identifier": "creddy", | ||||
|       "longDescription": "", | ||||
|       "macOS": { | ||||
|         "entitlements": null, | ||||
|         "exceptionDomain": "", | ||||
|         "frameworks": [], | ||||
|         "providerShortName": null, | ||||
|         "signingIdentity": null | ||||
|       }, | ||||
|       "resources": [], | ||||
|       "shortDescription": "", | ||||
|       "targets": "all", | ||||
|       "windows": { | ||||
|         "certificateThumbprint": null, | ||||
|         "digestAlgorithm": "sha256", | ||||
|         "timestampUrl": "", | ||||
|         "wix": { | ||||
|           "fragmentPaths": ["conf/cli.wxs"], | ||||
|           "componentRefs": ["CliBinary", "AddToPath"] | ||||
|         } | ||||
|       } | ||||
|     }, | ||||
|     "security": { | ||||
|       "csp": { | ||||
|         "default-src": ["'self'"], | ||||
|         "style-src": ["'self'", "'unsafe-inline'"] | ||||
|       } | ||||
|     }, | ||||
|     "updater": { | ||||
|       "active": false | ||||
|     }, | ||||
|     } | ||||
|   }, | ||||
|   "productName": "creddy", | ||||
|   "version": "0.4.9", | ||||
|   "identifier": "creddy", | ||||
|   "plugins": {}, | ||||
|   "app": { | ||||
|     "windows": [ | ||||
|       { | ||||
|         "fullscreen": false, | ||||
| @@ -72,9 +65,24 @@ | ||||
|         "visible": false | ||||
|       } | ||||
|     ], | ||||
|     "systemTray": { | ||||
|     "trayIcon": { | ||||
|       "id": "main", | ||||
|       "iconPath": "icons/icon.png", | ||||
|       "iconAsTemplate": true | ||||
|     }, | ||||
|     "security": { | ||||
|       "csp": { | ||||
|         "style-src": [ | ||||
|           "'self'", | ||||
|           "'unsafe-inline'" | ||||
|         ], | ||||
|         "default-src": [ | ||||
|           "'self'" | ||||
|         ], | ||||
|         "connect-src": [ | ||||
|           "ipc: http://ipc.localhost" | ||||
|         ] | ||||
|       } | ||||
|     } | ||||
|   } | ||||
| } | ||||
| @@ -1,9 +1,10 @@ | ||||
| <script> | ||||
| import { onMount } from 'svelte'; | ||||
| import { listen } from '@tauri-apps/api/event'; | ||||
| import { invoke } from '@tauri-apps/api/tauri'; | ||||
| import { invoke } from '@tauri-apps/api/core'; | ||||
| import { getVersion } from '@tauri-apps/api/app'; | ||||
|  | ||||
| import { appState, acceptRequest } from './lib/state.js'; | ||||
| import { appState, acceptRequest, cleanupRequest } from './lib/state.js'; | ||||
| import { views, currentView, navigate } from './lib/routing.js'; | ||||
|  | ||||
|  | ||||
| @@ -11,11 +12,23 @@ $views = import.meta.glob('./views/*.svelte', {eager: true}); | ||||
| navigate('Home'); | ||||
|  | ||||
| invoke('get_config').then(config => $appState.config = config); | ||||
| invoke('get_session_status').then(status => $appState.credentialStatus = status); | ||||
| getVersion().then(version => $appState.appVersion = version); | ||||
|  | ||||
| listen('credentials-request', (tauriEvent) => { | ||||
|     $appState.pendingRequests.put(tauriEvent.payload); | ||||
| }); | ||||
|  | ||||
| listen('request-cancelled', (tauriEvent) => { | ||||
|     const id = tauriEvent.payload; | ||||
|     if (id === $appState.currentRequest?.id) { | ||||
|         cleanupRequest(); | ||||
|     } | ||||
|     else { | ||||
|         const found = $appState.pendingRequests.find_remove(r => r.id === id); | ||||
|     } | ||||
| }); | ||||
|  | ||||
| listen('launch-terminal-request', async (tauriEvent) => { | ||||
|     if ($appState.currentRequest === null) { | ||||
|         let status = await invoke('get_session_status'); | ||||
| @@ -28,10 +41,24 @@ listen('launch-terminal-request', async (tauriEvent) => { | ||||
|         // else, session is unlocked, so do nothing | ||||
|         // (although we shouldn't even get the event in that case) | ||||
|     } | ||||
| }) | ||||
| }); | ||||
|  | ||||
| listen('locked', () => { | ||||
|     $appState.credentialStatus = 'locked'; | ||||
| }); | ||||
|  | ||||
| invoke('get_setup_errors') | ||||
|     .then(errs => { | ||||
|         $appState.setupErrors = errs.map(e => ({msg: e, show: true})); | ||||
|     }); | ||||
|  | ||||
| acceptRequest(); | ||||
| </script> | ||||
|  | ||||
|  | ||||
| <svelte:window  | ||||
|     on:click={() => invoke('signal_activity')} | ||||
|     on:keydown={() => invoke('signal_activity')} | ||||
| /> | ||||
|  | ||||
| <svelte:component this="{$currentView}" /> | ||||
|   | ||||
| @@ -30,5 +30,15 @@ export default function() { | ||||
|              | ||||
|             return this.items.shift(); | ||||
|         }, | ||||
|  | ||||
|         find_remove(pred) { | ||||
|             for (let i=0; i<this.items.length; i++) { | ||||
|                 if (pred(this.items[i])) { | ||||
|                     this.items.splice(i, 1); | ||||
|                     return true; | ||||
|                 } | ||||
|             } | ||||
|             return false; | ||||
|         }, | ||||
|     } | ||||
| } | ||||
| @@ -8,6 +8,8 @@ export let appState = writable({ | ||||
|     currentRequest: null, | ||||
|     pendingRequests: queue(), | ||||
|     credentialStatus: 'locked', | ||||
|     setupErrors: [], | ||||
|     appVersion: '', | ||||
| }); | ||||
|  | ||||
|  | ||||
| @@ -22,7 +24,7 @@ export async function acceptRequest() { | ||||
| } | ||||
|  | ||||
|  | ||||
| export function completeRequest() { | ||||
| export function cleanupRequest() { | ||||
|     appState.update($appState => { | ||||
|         $appState.currentRequest = null; | ||||
|         return $appState; | ||||
|   | ||||
| @@ -5,3 +5,8 @@ | ||||
| .btn-alert-error { | ||||
|     @apply bg-transparent hover:bg-[#cd5a5a] border border-error-content text-error-content | ||||
| } | ||||
|  | ||||
| /* I like alert icons to be top-aligned */ | ||||
| .alert > :where(*) { | ||||
|     align-items: flex-start; | ||||
| } | ||||
|   | ||||
| @@ -1,13 +1,15 @@ | ||||
| <script> | ||||
|     export let keys; | ||||
|     let classes = ''; | ||||
|     export {classes as class}; | ||||
| </script> | ||||
|  | ||||
|  | ||||
| <div class="flex gap-x-[0.2em] items-center"> | ||||
| <span class="inline-flex gap-x-[0.2em] items-center {classes}"> | ||||
|     {#each keys as key, i} | ||||
|         {#if i > 0} | ||||
|             <span class="mt-[-0.1em]">+</span> | ||||
|         {/if} | ||||
|         <kbd class="normal-case px-1 py-0.5 rounded border border-neutral">{key}</kbd> | ||||
|     {/each} | ||||
| </div> | ||||
| </span> | ||||
|   | ||||
| @@ -21,15 +21,15 @@ | ||||
|             throw(`Link target is not a string or a function: ${target}`) | ||||
|         } | ||||
|     } | ||||
|  | ||||
|          | ||||
|  | ||||
|     function handleHotkey(event) { | ||||
|         if (!hotkey) return; | ||||
|         if (ctrl && !event.ctrlKey) return; | ||||
|         if (alt && !event.altKey) return; | ||||
|         if (shift && !event.shiftKey) return; | ||||
|  | ||||
|         if (event.key === hotkey) { | ||||
|         if ( | ||||
|             hotkey === event.key | ||||
|             && ctrl === event.ctrlKey | ||||
|             && alt === event.altKey | ||||
|             && shift === event.shiftKey | ||||
|         ) { | ||||
|             click(); | ||||
|         } | ||||
|     } | ||||
|   | ||||
| @@ -1,6 +1,6 @@ | ||||
| <script> | ||||
|     import { createEventDispatcher } from 'svelte'; | ||||
|     import { open } from '@tauri-apps/api/dialog'; | ||||
|     import { open } from '@tauri-apps/plugin-dialog'; | ||||
|     import Setting from './Setting.svelte'; | ||||
|  | ||||
|     export let title; | ||||
|   | ||||
| @@ -7,38 +7,49 @@ | ||||
|  | ||||
|     const id = Math.random().toString().slice(2); | ||||
|     const dispatch = createEventDispatcher(); | ||||
|     const MODIFIERS = new Set(['Alt', 'AltGraph', 'Control', 'Fn', 'FnLock', 'Meta', 'Shift', 'Super', ]); | ||||
|  | ||||
|  | ||||
|     let listening = false; | ||||
|     let keysPressed = []; | ||||
|  | ||||
|     function addModifiers(event) { | ||||
|         // add modifier key if it isn't already present | ||||
|         if (MODIFIERS.has(event.key) && keysPressed.indexOf(event.key) === -1) { | ||||
|             keysPressed.push(event.key); | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     function addMainKey(event) { | ||||
|         if (!MODIFIERS.has(event.key)) { | ||||
|             keysPressed.push(event.key); | ||||
|              | ||||
|             value.keys = keysPressed.join('+'); | ||||
|             dispatch('update', {value}); | ||||
|             event.preventDefault(); | ||||
|             event.stopPropagation(); | ||||
|  | ||||
|             unlisten(); | ||||
|         } | ||||
|     } | ||||
|      | ||||
|     function listen() { | ||||
|         // don't re-listen if we already are | ||||
|         if (listening) return; | ||||
|  | ||||
|         listening = true; | ||||
|         window.addEventListener('keyup', setKeybind, {once: true}); | ||||
|         window.addEventListener('keydown', addModifiers); | ||||
|         window.addEventListener('keyup', addMainKey); | ||||
|         // setTimeout avoids reacting to the click event that we are currently processing | ||||
|         setTimeout(() => window.addEventListener('click', cancel, {once: true}), 0); | ||||
|         setTimeout(() => window.addEventListener('click', unlisten), 0); | ||||
|     } | ||||
|  | ||||
|     function setKeybind(event) { | ||||
|         console.log(event); | ||||
|         let keys = []; | ||||
|         if (event.ctrlKey) keys.push('ctrl'); | ||||
|         if (event.altKey) keys.push('alt'); | ||||
|         if (event.metaKey) keys.push('meta'); | ||||
|         if (event.shiftKey) keys.push('shift'); | ||||
|         keys.push(event.key); | ||||
|  | ||||
|         value.keys = keys.join('+'); | ||||
|         dispatch('update', {value}); | ||||
|     function unlisten() { | ||||
|         listening = false; | ||||
|         window.removeEventListener('click', cancel, {once: true}); | ||||
|         event.preventDefault(); | ||||
|         event.stopPropagation(); | ||||
|     } | ||||
|  | ||||
|     function cancel() { | ||||
|         listening = false; | ||||
|         window.removeEventListener('keyup', setKeybind, {once: true}); | ||||
|         keysPressed = []; | ||||
|         window.removeEventListener('keydown', addModifiers); | ||||
|         window.removeEventListener('keyup', addMainKey); | ||||
|         window.removeEventListener('click', unlisten); | ||||
|     } | ||||
| </script> | ||||
|  | ||||
|   | ||||
| @@ -10,15 +10,21 @@ | ||||
|     export let min = null; | ||||
|     export let max = null; | ||||
|     export let decimal = false; | ||||
|     export let debounceInterval = 0; | ||||
|  | ||||
|     const dispatch = createEventDispatcher(); | ||||
|  | ||||
|     $: localValue = value.toString(); | ||||
|     let lastInputTime = null; | ||||
|     function debounce(event) { | ||||
|         lastInputTime = Date.now(); | ||||
|         localValue = localValue.replace(/[^-0-9.]/g, ''); | ||||
|  | ||||
|         if (debounceInterval === 0) { | ||||
|             updateValue(localValue); | ||||
|             return; | ||||
|         } | ||||
|  | ||||
|         lastInputTime = Date.now(); | ||||
|         const eventTime = lastInputTime; | ||||
|         const pendingValue = localValue; | ||||
|         window.setTimeout( | ||||
| @@ -28,7 +34,7 @@ | ||||
|                     updateValue(pendingValue); | ||||
|                 } | ||||
|             }, | ||||
|             500 | ||||
|             debounceInterval, | ||||
|         ) | ||||
|     } | ||||
|  | ||||
|   | ||||
							
								
								
									
										92
									
								
								src/ui/settings/TimeSetting.svelte
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										92
									
								
								src/ui/settings/TimeSetting.svelte
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,92 @@ | ||||
| <script> | ||||
|     import Setting from './Setting.svelte'; | ||||
|  | ||||
|     import { createEventDispatcher } from 'svelte'; | ||||
|     const dispatch = createEventDispatcher(); | ||||
|  | ||||
|  | ||||
|     export let title; | ||||
|     // seconds are required | ||||
|     export let seconds; | ||||
|  | ||||
|     export let min = 0; | ||||
|     export let max = null; | ||||
|  | ||||
|     // best unit is the unit that results in the smallest non-fractional number | ||||
|     let unit = null; | ||||
|  | ||||
|     const UNITS = { | ||||
|         Seconds: 1, | ||||
|         Minutes: 60, | ||||
|         Hours: 3600, | ||||
|         Days: 86400, | ||||
|     }; | ||||
|  | ||||
|     if (unit === null) { | ||||
|         let min = Infinity; | ||||
|         let bestUnit = null; | ||||
|         for (const [u, multiplier] of Object.entries(UNITS)) { | ||||
|             const v = seconds / multiplier; | ||||
|             if (v < min && v >= 1) { | ||||
|                 min = v; | ||||
|                 bestUnit = u; | ||||
|             } | ||||
|         } | ||||
|         unit = bestUnit; | ||||
|     } | ||||
|  | ||||
|  | ||||
|     // local value is only one-way synced to value so that we can better handle changes | ||||
|     $: localValue = (seconds / UNITS[unit]).toString(); | ||||
|     let error = null; | ||||
|  | ||||
|     function updateValue() { | ||||
|         localValue = localValue.replace(/[^0-9.]/g, ''); | ||||
|         // Don't update the value, but also don't error, if it's empty, | ||||
|         // or if it could be the start of a float | ||||
|         if (localValue === '' || localValue === '.') { | ||||
|             error = null; | ||||
|             return; | ||||
|         } | ||||
|  | ||||
|         const num = parseFloat(localValue); | ||||
|         if (num < 0) { | ||||
|             error = `${num} is not a valid duration` | ||||
|         } | ||||
|         else if (min !== null && num < min) { | ||||
|             error = `Too low (minimum ${min * UNITS[unit]}`; | ||||
|         } | ||||
|         else if (max !== null & num > max) { | ||||
|             error = `Too high (maximum ${max * UNITS[unit]}`; | ||||
|         } | ||||
|         else { | ||||
|             error = null; | ||||
|             seconds = Math.round(num * UNITS[unit]); | ||||
|             dispatch('update', {seconds}); | ||||
|         } | ||||
|     } | ||||
| </script>  | ||||
|  | ||||
|  | ||||
| <Setting {title}> | ||||
|     <div slot="input"> | ||||
|         <select class="select select-bordered select-sm mr-2" bind:value={unit}> | ||||
|             {#each Object.keys(UNITS) as u} | ||||
|                 <option selected={u === unit || null}>{u}</option> | ||||
|             {/each} | ||||
|         </select> | ||||
|  | ||||
|         <div class="tooltip tooltip-error" class:tooltip-open={error !== null} data-tip={error}> | ||||
|             <input | ||||
|                 type="text" | ||||
|                 class="input input-sm input-bordered text-right" | ||||
|                 size={Math.max(5, localValue.length)} | ||||
|                 class:input-error={error} | ||||
|                 bind:value={localValue} | ||||
|                 on:input={updateValue} | ||||
|             > | ||||
|         </div> | ||||
|     </div> | ||||
|  | ||||
|     <slot name="description" slot="description"></slot> | ||||
| </Setting> | ||||
| @@ -3,3 +3,4 @@ export { default as ToggleSetting } from './ToggleSetting.svelte'; | ||||
| export { default as NumericSetting } from './NumericSetting.svelte'; | ||||
| export { default as FileSetting } from './FileSetting.svelte'; | ||||
| export { default as TextSetting } from './TextSetting.svelte'; | ||||
| export { default as TimeSetting } from './TimeSetting.svelte'; | ||||
|   | ||||
| @@ -1,9 +1,9 @@ | ||||
| <script> | ||||
|     import { onMount } from 'svelte'; | ||||
|     import { invoke } from '@tauri-apps/api/tauri'; | ||||
|     import { invoke } from '@tauri-apps/api/core'; | ||||
|  | ||||
|     import { navigate } from '../lib/routing.js'; | ||||
|     import { appState, completeRequest } from '../lib/state.js'; | ||||
|     import { appState, cleanupRequest } from '../lib/state.js'; | ||||
|     import ErrorAlert from '../ui/ErrorAlert.svelte'; | ||||
|     import Link from '../ui/Link.svelte'; | ||||
|     import KeyCombo from '../ui/KeyCombo.svelte'; | ||||
| @@ -12,9 +12,12 @@ | ||||
|     // Send response to backend, display error if applicable | ||||
|     let error, alert; | ||||
|     async function respond() { | ||||
|         let {id, approval} = $appState.currentRequest; | ||||
|         const response = { | ||||
|             id: $appState.currentRequest.id, | ||||
|             ...$appState.currentRequest.response, | ||||
|         }; | ||||
|         try { | ||||
|             await invoke('respond', {response: {id, approval}}); | ||||
|             await invoke('respond', {response}); | ||||
|             navigate('ShowResponse'); | ||||
|         } | ||||
|         catch (e) { | ||||
| @@ -26,8 +29,8 @@ | ||||
|     } | ||||
|  | ||||
|     // Approval has one of several outcomes depending on current credential state | ||||
|     async function approve() { | ||||
|         $appState.currentRequest.approval = 'Approved'; | ||||
|     async function approve(base) { | ||||
|         $appState.currentRequest.response = {approval: 'Approved', base}; | ||||
|         let status = await invoke('get_session_status'); | ||||
|         if (status === 'unlocked') { | ||||
|             await respond(); | ||||
| @@ -42,51 +45,48 @@ | ||||
|  | ||||
|     // Denial has only one | ||||
|     async function deny() { | ||||
|         $appState.currentRequest.approval = 'Denied'; | ||||
|         $appState.currentRequest.response = {approval: 'Denied', base: false}; | ||||
|         await respond(); | ||||
|     } | ||||
|  | ||||
|     // Extract executable name from full path | ||||
|     let appName = null; | ||||
|     if ($appState.currentRequest.clients.length === 1) { | ||||
|         let path = $appState.currentRequest.clients[0].exe; | ||||
|         let m = path.match(/\/([^/]+?$)|\\([^\\]+?$)/); | ||||
|         appName = m[1] || m[2]; | ||||
|     } | ||||
|     const client = $appState.currentRequest.client; | ||||
|     const m = client.exe?.match(/\/([^/]+?$)|\\([^\\]+?$)/); | ||||
|     const appName = m[1] || m[2]; | ||||
|  | ||||
|     // Executable paths can be long, so ensure they only break on \ or / | ||||
|     function breakPath(client) { | ||||
|         return client.exe.replace(/(\\|\/)/g, '$1<wbr>'); | ||||
|     function breakPath(path) { | ||||
|         return path.replace(/(\\|\/)/g, '$1<wbr>'); | ||||
|     } | ||||
|  | ||||
|     // if the request has already been approved/denied, send response immediately | ||||
|     onMount(async () => { | ||||
|         if ($appState.currentRequest.approval) { | ||||
|         if ($appState.currentRequest.response) { | ||||
|             await respond(); | ||||
|         } | ||||
|     }) | ||||
|     }); | ||||
| </script> | ||||
|  | ||||
|  | ||||
| <!-- Don't render at all if we're just going to immediately proceed to the next screen --> | ||||
| {#if error || !$appState.currentRequest.approval} | ||||
| {#if error || !$appState.currentRequest?.response} | ||||
|     <div class="flex flex-col space-y-4 p-4 m-auto max-w-xl h-screen items-center justify-center"> | ||||
|         {#if error} | ||||
|             <ErrorAlert bind:this={alert}> | ||||
|                 {error} | ||||
|                 {error.msg} | ||||
|                 <svelte:fragment slot="buttons"> | ||||
|                     <button class="btn btn-sm btn-alert-error" on:click={completeRequest}>Cancel</button> | ||||
|                     <button class="btn btn-sm btn-alert-error" on:click={cleanupRequest}>Cancel</button> | ||||
|                     <button class="btn btn-sm btn-alert-error" on:click={respond}>Retry</button> | ||||
|                 </svelte:fragment> | ||||
|             </ErrorAlert> | ||||
|         {/if} | ||||
|  | ||||
|         {#if $appState.currentRequest.base} | ||||
|         {#if $appState.currentRequest?.base} | ||||
|             <div class="alert alert-warning shadow-lg"> | ||||
|                 <div> | ||||
|                     <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current flex-shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" /></svg> | ||||
|                     <span> | ||||
|                         WARNING: This application is requesting your base (long-lived) AWS credentials.  | ||||
|                         WARNING: This application is requesting your base AWS credentials.  | ||||
|                         These credentials are less secure than session credentials, since they don't expire automatically. | ||||
|                     </span> | ||||
|                 </div> | ||||
| @@ -97,29 +97,49 @@ | ||||
|             <h2 class="text-xl font-bold">{appName ? `"${appName}"` : 'An appplication'} would like to access your AWS credentials.</h2> | ||||
|  | ||||
|             <div class="grid grid-cols-[auto_1fr] gap-x-3"> | ||||
|                 {#each $appState.currentRequest.clients as client} | ||||
|                     <div class="text-right">Path:</div> | ||||
|                     <code class="">{@html client ? breakPath(client) : 'Unknown'}</code> | ||||
|                     <div class="text-right">PID:</div> | ||||
|                     <code>{client ? client.pid : 'Unknown'}</code> | ||||
|                 {/each} | ||||
|                 <div class="text-right">Path:</div> | ||||
|                 <code class="">{@html client.exe ? breakPath(client.exe) : 'Unknown'}</code> | ||||
|                 <div class="text-right">PID:</div> | ||||
|                 <code>{client.pid}</code> | ||||
|             </div> | ||||
|         </div> | ||||
|  | ||||
|         <div class="w-full flex justify-between"> | ||||
|             <Link target={deny} hotkey="Escape"> | ||||
|                 <button class="btn btn-error justify-self-start"> | ||||
|                     <span class="mr-2">Deny</span> | ||||
|                     <KeyCombo keys={['Esc']} /> | ||||
|                 </button> | ||||
|             </Link> | ||||
|         <div class="w-full grid grid-cols-[1fr_auto] items-center gap-y-6"> | ||||
|                 <!-- Don't display the option to approve with session credentials if base was specifically requested --> | ||||
|                 {#if !$appState.currentRequest?.base} | ||||
|                     <h3 class="font-semibold"> | ||||
|                         Approve with session credentials | ||||
|                     </h3> | ||||
|                     <Link target={() => approve(false)} hotkey="Enter" shift={true}> | ||||
|                         <button class="w-full btn btn-success"> | ||||
|                             <KeyCombo keys={['Shift', 'Enter']} /> | ||||
|                         </button> | ||||
|                     </Link> | ||||
|                 {/if} | ||||
|  | ||||
|             <Link target={approve} hotkey="Enter" shift="{true}"> | ||||
|                 <button class="btn btn-success justify-self-end"> | ||||
|                     <span class="mr-2">Approve</span> | ||||
|                     <KeyCombo keys={['Shift', 'Enter']} /> | ||||
|                 </button> | ||||
|             </Link> | ||||
|                 <h3 class="font-semibold"> | ||||
|                     <span class="mr-2"> | ||||
|                         {#if $appState.currentRequest?.base} | ||||
|                             Approve | ||||
|                         {:else} | ||||
|                             Approve with base credentials | ||||
|                         {/if} | ||||
|                     </span> | ||||
|                 </h3> | ||||
|                 <Link target={() => approve(true)} hotkey="Enter" shift={true} ctrl={true}> | ||||
|                     <button class="w-full btn btn-warning"> | ||||
|                         <KeyCombo keys={['Ctrl', 'Shift', 'Enter']} /> | ||||
|                     </button> | ||||
|                 </Link> | ||||
|  | ||||
|                 <h3 class="font-semibold"> | ||||
|                     <span class="mr-2">Deny</span> | ||||
|                 </h3> | ||||
|                 <Link target={deny} hotkey="Escape"> | ||||
|                     <button class="w-full btn btn-error"> | ||||
|                         <KeyCombo keys={['Esc']} /> | ||||
|                     </button> | ||||
|                 </Link> | ||||
|         </div> | ||||
|     </div> | ||||
| {/if} | ||||
| {/if} | ||||
|   | ||||
| @@ -1,6 +1,7 @@ | ||||
| <script> | ||||
|     import { onMount } from 'svelte'; | ||||
|     import { invoke } from '@tauri-apps/api/tauri'; | ||||
|     import { invoke } from '@tauri-apps/api/core'; | ||||
|     import { emit } from '@tauri-apps/api/event'; | ||||
|     import { getRootCause } from '../lib/errors.js'; | ||||
|  | ||||
|     import { appState } from '../lib/state.js'; | ||||
| @@ -32,6 +33,7 @@ | ||||
|             saving = true; | ||||
|             await invoke('save_credentials', {credentials, passphrase}); | ||||
|             emit('credentials-event', 'entered'); | ||||
|             $appState.credentialStatus = 'unlocked'; | ||||
|             if ($appState.currentRequest) { | ||||
|                 navigate('Approve'); | ||||
|             } | ||||
| @@ -40,13 +42,14 @@ | ||||
|             } | ||||
|         } | ||||
|         catch (e) { | ||||
|             window.error = e; | ||||
|             const root = getRootCause(e); | ||||
|             if (e.code === 'GetSession' && root.code) { | ||||
|                 errorMsg = `Error response from AWS (${root.code}): ${root.msg}`; | ||||
|             } | ||||
|             else { | ||||
|                 errorMsg = e.msg; | ||||
|                 // some of the built-in Tauri errors are plain strings, | ||||
|                 // so fall back to e if e.msg doesn't exist | ||||
|                 errorMsg = e.msg || e; | ||||
|             } | ||||
|  | ||||
|             // if the alert already existed, shake it | ||||
|   | ||||
| @@ -1,6 +1,6 @@ | ||||
| <script> | ||||
|     import { onMount } from 'svelte'; | ||||
|     import { invoke } from '@tauri-apps/api/tauri'; | ||||
|     import { invoke } from '@tauri-apps/api/core'; | ||||
|  | ||||
|     import { appState } from '../lib/state.js'; | ||||
|     import { navigate } from '../lib/routing.js'; | ||||
| @@ -25,30 +25,41 @@ | ||||
| <div class="flex flex-col h-screen items-center justify-center p-4 space-y-4"> | ||||
|     <div class="flex flex-col items-center space-y-4"> | ||||
|         {@html vaultDoorSvg} | ||||
|         {#await invoke('get_session_status') then status} | ||||
|             {#if status === 'locked'} | ||||
|         {#if $appState.credentialStatus === 'locked'} | ||||
|  | ||||
|                 <h2 class="text-2xl font-bold">Creddy is locked</h2> | ||||
|                 <Link target="Unlock" hotkey="Enter" class="w-64"> | ||||
|                     <button class="btn btn-primary w-full">Unlock</button> | ||||
|                 </Link> | ||||
|             <h2 class="text-2xl font-bold">Creddy is locked</h2> | ||||
|             <Link target="Unlock" hotkey="Enter" class="w-64"> | ||||
|                 <button class="btn btn-primary w-full">Unlock</button> | ||||
|             </Link> | ||||
|  | ||||
|             {:else if status === 'unlocked'} | ||||
|                 <h2 class="text-2xl font-bold">Waiting for requests</h2> | ||||
|                 <button class="btn btn-primary w-full" on:click={launchTerminal}> | ||||
|                     Launch Terminal | ||||
|                 </button> | ||||
|                 <label class="label cursor-pointer flex items-center space-x-2"> | ||||
|                     <input type="checkbox" class="checkbox checkbox-sm" bind:checked={launchBase}> | ||||
|                     <span class="label-text">Launch with base credentials</span> | ||||
|                 </label> | ||||
|         {:else if $appState.credentialStatus === 'unlocked'} | ||||
|             <h2 class="text-2xl font-bold">Waiting for requests</h2> | ||||
|             <button class="btn btn-primary w-full" on:click={launchTerminal}> | ||||
|                 Launch Terminal | ||||
|             </button> | ||||
|             <label class="label cursor-pointer flex items-center space-x-2"> | ||||
|                 <span class="label-text">Launch with long-lived credentials</span> | ||||
|                 <input type="checkbox" class="checkbox checkbox-sm" bind:checked={launchBase}> | ||||
|             </label> | ||||
|  | ||||
|             {:else if status === 'empty'} | ||||
|                 <h2 class="text-2xl font-bold">No credentials found</h2> | ||||
|                 <Link target="EnterCredentials" hotkey="Enter" class="w-64"> | ||||
|                     <button class="btn btn-primary w-full">Enter Credentials</button> | ||||
|                 </Link> | ||||
|             {/if} | ||||
|         {/await} | ||||
|         {:else if $appState.credentialStatus === 'empty'} | ||||
|             <h2 class="text-2xl font-bold">No credentials found</h2> | ||||
|             <Link target="EnterCredentials" hotkey="Enter" class="w-64"> | ||||
|                 <button class="btn btn-primary w-full">Enter Credentials</button> | ||||
|             </Link> | ||||
|         {/if} | ||||
|     </div> | ||||
| </div> | ||||
| </div> | ||||
|  | ||||
| {#if $appState.setupErrors.some(e => e.show)} | ||||
|     <div class="toast"> | ||||
|         {#each $appState.setupErrors as error} | ||||
|             {#if error.show} | ||||
|                 <div class="alert alert-error shadow-lg"> | ||||
|                     {error.msg} | ||||
|                     <button class="btn btn-sm btn-alert-error" on:click={() => error.show = false}>Ok</button> | ||||
|                 </div> | ||||
|             {/if} | ||||
|         {/each} | ||||
|     </div> | ||||
| {/if} | ||||
| @@ -1,6 +1,6 @@ | ||||
| <script> | ||||
|     import { invoke } from '@tauri-apps/api/tauri'; | ||||
|     import { type } from '@tauri-apps/api/os'; | ||||
|     import { invoke } from '@tauri-apps/api/core'; | ||||
|     import { type } from '@tauri-apps/plugin-os'; | ||||
|  | ||||
|     import { appState } from '../lib/state.js'; | ||||
|     import Nav from '../ui/Nav.svelte'; | ||||
| @@ -8,21 +8,24 @@ | ||||
|     import ErrorAlert from '../ui/ErrorAlert.svelte'; | ||||
|     import SettingsGroup from '../ui/settings/SettingsGroup.svelte'; | ||||
|     import Keybind from '../ui/settings/Keybind.svelte'; | ||||
|     import { Setting, ToggleSetting, NumericSetting, FileSetting, TextSetting } from '../ui/settings'; | ||||
|     import { Setting, ToggleSetting, NumericSetting, FileSetting, TextSetting, TimeSetting } from '../ui/settings'; | ||||
|  | ||||
|     import { fly } from 'svelte/transition'; | ||||
|     import { backInOut } from 'svelte/easing'; | ||||
|  | ||||
|  | ||||
|     // make an independent copy so it can differ from the main config object | ||||
|     let config = JSON.parse(JSON.stringify($appState.config)); | ||||
|     $: configModified = JSON.stringify(config) !== JSON.stringify($appState.config); | ||||
|  | ||||
|     let error = null; | ||||
|     async function save() { | ||||
|         console.log('updating config'); | ||||
|         try { | ||||
|             await invoke('save_config', {config: $appState.config}); | ||||
|             await invoke('save_config', {config}); | ||||
|             $appState.config = await invoke('get_config'); | ||||
|         } | ||||
|         catch (e) { | ||||
|             error = e; | ||||
|             $appState.config = await invoke('get_config'); | ||||
|         } | ||||
|     } | ||||
|  | ||||
| @@ -35,74 +38,77 @@ | ||||
|     <h1 slot="title" class="text-2xl font-bold">Settings</h1> | ||||
| </Nav> | ||||
|  | ||||
| {#await invoke('get_config') then config} | ||||
|     <div class="max-w-lg mx-auto mt-1.5 p-4 space-y-16"> | ||||
|         <SettingsGroup name="General">             | ||||
|             <ToggleSetting title="Start on login" bind:value={$appState.config.start_on_login} on:update={save}> | ||||
| <div class="max-w-lg mx-auto my-1.5 p-4 space-y-16"> | ||||
|     <SettingsGroup name="General">             | ||||
|         <ToggleSetting title="Start on login" bind:value={config.start_on_login}> | ||||
|             <svelte:fragment slot="description"> | ||||
|                 Start Creddy when you log in to your computer. | ||||
|             </svelte:fragment> | ||||
|         </ToggleSetting> | ||||
|  | ||||
|         <ToggleSetting title="Start minimized" bind:value={config.start_minimized}> | ||||
|             <svelte:fragment slot="description"> | ||||
|                 Minimize to the system tray at startup. | ||||
|             </svelte:fragment> | ||||
|         </ToggleSetting> | ||||
|  | ||||
|         <NumericSetting title="Re-hide delay" bind:value={config.rehide_ms} min={0} unit="Milliseconds"> | ||||
|             <svelte:fragment slot="description"> | ||||
|                 How long to wait after a request is approved/denied before minimizing | ||||
|                 the window to tray. Only applicable if the window was minimized | ||||
|                 to tray before the request was received. | ||||
|             </svelte:fragment> | ||||
|         </NumericSetting> | ||||
|  | ||||
|         <ToggleSetting title="Lock when idle" bind:value={config.auto_lock}> | ||||
|             <svelte:fragment slot="description"> | ||||
|                 Automatically lock Creddy after a period of inactivity. | ||||
|             </svelte:fragment> | ||||
|         </ToggleSetting> | ||||
|  | ||||
|         {#if config.auto_lock} | ||||
|             <TimeSetting title="Idle timeout" bind:seconds={config.lock_after.secs}> | ||||
|                 <svelte:fragment slot="description"> | ||||
|                     Start Creddy when you log in to your computer. | ||||
|                     How long to wait before automatically locking. | ||||
|                 </svelte:fragment> | ||||
|             </ToggleSetting> | ||||
|             </TimeSetting> | ||||
|         {/if} | ||||
|  | ||||
|             <ToggleSetting title="Start minimized" bind:value={$appState.config.start_minimized} on:update={save}> | ||||
|                 <svelte:fragment slot="description"> | ||||
|                     Minimize to the system tray at startup. | ||||
|                 </svelte:fragment> | ||||
|             </ToggleSetting> | ||||
|         <Setting title="Update credentials"> | ||||
|             <Link slot="input" target="EnterCredentials"> | ||||
|                 <button class="btn btn-sm btn-primary">Update</button> | ||||
|             </Link> | ||||
|             <svelte:fragment slot="description"> | ||||
|                 Update or re-enter your encrypted credentials. | ||||
|             </svelte:fragment> | ||||
|         </Setting> | ||||
|  | ||||
|             <NumericSetting title="Re-hide delay" bind:value={$appState.config.rehide_ms} min={0} unit="Milliseconds" on:update={save}> | ||||
|                 <svelte:fragment slot="description"> | ||||
|                     How long to wait after a request is approved/denied before minimizing | ||||
|                     the window to tray. Only applicable if the window was minimized | ||||
|                     to tray before the request was received. | ||||
|                 </svelte:fragment> | ||||
|             </NumericSetting> | ||||
|         <FileSetting | ||||
|             title="Terminal emulator" | ||||
|             bind:value={config.terminal.exec} | ||||
|          | ||||
|         > | ||||
|             <svelte:fragment slot="description"> | ||||
|                 Choose your preferred terminal emulator (e.g. <code>gnome-terminal</code> or <code>wt.exe</code>.) May be an absolute path or an executable discoverable on <code>$PATH</code>. | ||||
|             </svelte:fragment> | ||||
|         </FileSetting> | ||||
|     </SettingsGroup> | ||||
|  | ||||
|             <NumericSetting | ||||
|                 title="Listen port" | ||||
|                 bind:value={$appState.config.listen_port} | ||||
|                 min={osType === 'Windows_NT' ? 1 : 0} | ||||
|                 on:update={save} | ||||
|             > | ||||
|                 <svelte:fragment slot="description"> | ||||
|                     Listen for credentials requests on this port.  | ||||
|                     (Should be used with <code>$AWS_CONTAINER_CREDENTIALS_FULL_URI</code>) | ||||
|                 </svelte:fragment> | ||||
|             </NumericSetting> | ||||
|     <SettingsGroup name="Hotkeys"> | ||||
|         <div class="space-y-4"> | ||||
|             <p>Click on a keybinding to modify it. Use the checkbox to enable or disable a keybinding entirely.</p> | ||||
|  | ||||
|             <Setting title="Update credentials"> | ||||
|                 <Link slot="input" target="EnterCredentials"> | ||||
|                     <button class="btn btn-sm btn-primary">Update</button> | ||||
|                 </Link> | ||||
|                 <svelte:fragment slot="description"> | ||||
|                     Update or re-enter your encrypted credentials. | ||||
|                 </svelte:fragment> | ||||
|             </Setting> | ||||
|  | ||||
|             <FileSetting | ||||
|                 title="Terminal emulator" | ||||
|                 bind:value={$appState.config.terminal.exec} | ||||
|                 on:update={save} | ||||
|             > | ||||
|                 <svelte:fragment slot="description"> | ||||
|                     Choose your preferred terminal emulator (e.g. <code>gnome-terminal</code> or <code>wt.exe</code>.) May be an absolute path or an executable discoverable on <code>$PATH</code>. | ||||
|                 </svelte:fragment> | ||||
|             </FileSetting> | ||||
|         </SettingsGroup> | ||||
|  | ||||
|         <SettingsGroup name="Hotkeys"> | ||||
|             <div class="space-y-4"> | ||||
|                 <p>Click on a keybinding to modify it. Use the checkbox to enable or disable a keybinding entirely.</p> | ||||
|  | ||||
|                 <div class="grid grid-cols-[auto_1fr_auto] gap-y-3 items-center"> | ||||
|                     <Keybind description="Show Creddy" value={$appState.config.hotkeys.show_window} on:update={save} /> | ||||
|                     <Keybind description="Launch terminal" value={$appState.config.hotkeys.launch_terminal} on:update={save} /> | ||||
|                 </div> | ||||
|             <div class="grid grid-cols-[auto_1fr_auto] gap-y-3 items-center"> | ||||
|                 <Keybind description="Show Creddy" bind:value={config.hotkeys.show_window} /> | ||||
|                 <Keybind description="Launch terminal" bind:value={config.hotkeys.launch_terminal} /> | ||||
|             </div> | ||||
|         </SettingsGroup> | ||||
|         </div> | ||||
|     </SettingsGroup> | ||||
|  | ||||
|     </div> | ||||
| {/await} | ||||
|     <p class="text-sm text-right"> | ||||
|         Creddy {$appState.appVersion} | ||||
|     </p> | ||||
| </div> | ||||
|  | ||||
| {#if error} | ||||
|     <div transition:fly={{y: 100, easing: backInOut, duration: 400}} class="toast"> | ||||
| @@ -116,4 +122,15 @@ | ||||
|             </div> | ||||
|         </div> | ||||
|     </div> | ||||
| {:else if configModified} | ||||
|     <div transition:fly={{y: 100, easing: backInOut, duration: 400}} class="toast"> | ||||
|         <div class="alert shadow-lg no-animation"> | ||||
|             <span>You have unsaved changes.</span> | ||||
|  | ||||
|             <div> | ||||
|                 <!-- <button class="btn btn-sm btn-ghost">Cancel</button> --> | ||||
|                 <button class="btn btn-sm btn-primary" on:click={save}>Save</button> | ||||
|             </div> | ||||
|         </div> | ||||
|     </div> | ||||
| {/if} | ||||
|   | ||||
| @@ -2,7 +2,7 @@ | ||||
|     import { onMount } from 'svelte'; | ||||
|     import { draw, fade } from 'svelte/transition'; | ||||
|  | ||||
|     import { appState, completeRequest } from '../lib/state.js'; | ||||
|     import { appState, cleanupRequest } from '../lib/state.js'; | ||||
|      | ||||
|     let success = false; | ||||
|     let error = null; | ||||
| @@ -13,7 +13,7 @@ | ||||
|  | ||||
|     onMount(() => { | ||||
|         window.setTimeout( | ||||
|             completeRequest, | ||||
|             cleanupRequest, | ||||
|             // Extra 50ms so the window can finish disappearing before the redraw | ||||
|             Math.min(5000, $appState.config.rehide_ms + 50), | ||||
|         ) | ||||
| @@ -22,7 +22,7 @@ | ||||
|  | ||||
|  | ||||
| <div class="flex flex-col h-screen items-center justify-center max-w-max m-auto"> | ||||
|     {#if $appState.currentRequest.approval === 'Approved'} | ||||
|     {#if $appState.currentRequest.response.approval === 'Approved'} | ||||
|         <svg xmlns="http://www.w3.org/2000/svg" class="w-36 h-36" fill="none" viewBox="0 0 24 24" stroke-width="1" stroke="currentColor"> | ||||
|           <path in:draw="{{duration: drawDuration}}" stroke-linecap="round" stroke-linejoin="round" d="M9 12.75L11.25 15 15 9.75M21 12a9 9 0 11-18 0 9 9 0 0118 0z" /> | ||||
|         </svg> | ||||
| @@ -33,6 +33,6 @@ | ||||
|     {/if} | ||||
|  | ||||
|     <div in:fade="{{duration: fadeDuration, delay: fadeDelay}}" class="text-2xl font-bold"> | ||||
|         {$appState.currentRequest.approval}! | ||||
|         {$appState.currentRequest.response.approval}! | ||||
|     </div> | ||||
| </div> | ||||
|   | ||||
| @@ -1,5 +1,5 @@ | ||||
| <script> | ||||
|     import { invoke } from '@tauri-apps/api/tauri'; | ||||
|     import { invoke } from '@tauri-apps/api/core'; | ||||
|     import { emit } from '@tauri-apps/api/event'; | ||||
|     import { onMount } from 'svelte'; | ||||
|  | ||||
| @@ -55,7 +55,14 @@ | ||||
|  | ||||
|     function cancel() { | ||||
|         emit('credentials-event', 'unlock-canceled'); | ||||
|         navigate('Home'); | ||||
|         if ($appState.currentRequest !== null) { | ||||
|             // dirty hack to prevent spurious error when returning to approve screen | ||||
|             delete $appState.currentRequest.response; | ||||
|             navigate('Approve'); | ||||
|         } | ||||
|         else { | ||||
|             navigate('Home'); | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     onMount(() => { | ||||
|   | ||||
							
								
								
									
										16
									
								
								todo.md
									
									
									
									
									
								
							
							
						
						
									
										16
									
								
								todo.md
									
									
									
									
									
								
							| @@ -1,16 +0,0 @@ | ||||
| ## Definitely | ||||
|  | ||||
| * Switch to "process" provider for AWS credentials (much less hacky) | ||||
| * Session timeout (plain duration, or activity-based?) | ||||
| * Fix rehide behavior when new request comes in while old one is still being resolved | ||||
| * Additional hotkey configuration (approve/deny at the very least) | ||||
| * Logging | ||||
| * Icon | ||||
| * SSH key handling | ||||
|  | ||||
| ## Maybe | ||||
|  | ||||
| * Flatten error type hierarchy | ||||
| * Rehide after terminal launch from locked | ||||
|     * Generalize Request across both credentials and terminal launch? | ||||
| * Make hotkey configuration a little more tolerant of slight mistiming | ||||
		Reference in New Issue
	
	Block a user