rpc/natives/

ssh_key.rs

//! SSH-key-domain natives. Wraps `server::command::{ListSshKeys, RemoveSshKey,
//! UserHasSshKey, LookupUserBySshKey}`. `AddSshKey` is deliberately NOT
//! exposed: pubkey upload stays on the dedicated ssh-copy-id `exec` flow so the
//! eval channel can never be used to register impersonation keys.
//!
//! v1 binds `list-ssh-keys` for the authenticated session user. The other
//! three (remove / user-has / lookup) take string arguments and ride the
//! follow-up slice that lands the host-side StringRef-arg plumbing.

#[cfg(test)]
use base64::Engine;
#[cfg(test)]
use base64::engine::general_purpose::STANDARD as BASE64;
use scripting::runtime::{
    alloc_entity_via_export, alloc_pair_chain, alloc_string_ref, read_string_arg,
};
#[cfg(test)]
use server::command::ssh_key::SshKeyRecord;
use server::command::ssh_key::{ListSshKeys, LookupUserBySshKey, RemoveSshKey, UserHasSshKey};
use server::command::{CmdError, CmdResult};
use uuid::Uuid;
use wasmtime::{AnyRef, ArrayRef, Caller, Linker, Rooted, StructRef, Val};

use crate::session::SessionData;

pub const REGISTERED_COMMANDS: &[&str] = &[
    "list-ssh-keys",
    "remove-ssh-key",
    "user-has-ssh-key",
    "lookup-user-by-ssh-key",
];

pub fn register(linker: &mut Linker<SessionData>) -> wasmtime::Result<()> {
    linker.func_wrap_async(
        "nomi",
        "ssh_key_list_ssh_keys",
        |mut caller: Caller<'_, SessionData>,
         ()|
         -> Box<
            dyn std::future::Future<Output = wasmtime::Result<Option<Rooted<StructRef>>>> + Send,
        > {
            Box::new(async move {
                let user_id = caller.data().ctx().user_id;
                let result = ListSshKeys::new().user_id(user_id).run().await;
                let entries = list_ssh_key_entries("list-ssh-keys", result)?;
                alloc_ssh_key_chain(&mut caller, entries).await
            })
        },
    )?;
    linker.func_wrap_async(
        "nomi",
        "ssh_key_user_has_ssh_key",
        |caller: Caller<'_, SessionData>,
         ()|
         -> Box<dyn std::future::Future<Output = wasmtime::Result<i32>> + Send> {
            Box::new(async move {
                let user_id = caller.data().ctx().user_id;
                let result = UserHasSshKey::new().user_id(user_id).run().await;
                bool_from_command_result("user-has-ssh-key", result)
            })
        },
    )?;
    linker.func_wrap_async(
        "nomi",
        "ssh_key_lookup_user_by_ssh_key",
        |mut caller: Caller<'_, SessionData>,
         (fp_arg,): (Option<Rooted<ArrayRef>>,)|
         -> Box<
            dyn std::future::Future<Output = wasmtime::Result<Option<Rooted<ArrayRef>>>> + Send,
        > {
            Box::new(async move {
                let fp = read_string_arg(&mut caller, fp_arg)?;
                match run_lookup_user_by_ssh_key(fp).await? {
                    Some(id) => Ok(Some(alloc_string_ref(&mut caller, id.as_bytes())?)),
                    None => Ok(None),
                }
            })
        },
    )?;
    linker.func_wrap_async(
        "nomi",
        "ssh_key_remove_ssh_key",
        |mut caller: Caller<'_, SessionData>,
         (fp_arg,): (Option<Rooted<ArrayRef>>,)|
         -> Box<dyn std::future::Future<Output = wasmtime::Result<i32>> + Send> {
            Box::new(async move {
                let user_id = caller.data().ctx().user_id;
                let fp = read_string_arg(&mut caller, fp_arg)?;
                run_remove_ssh_key(user_id, fp).await
            })
        },
    )?;
    Ok(())
}

/// Deletes the (user_id, fingerprint) key row. Idempotent on the wire:
/// server's RemoveSshKey returns `Bool(true)` even when no matching row
/// existed. Side effect — if this drains the user's last key,
/// `users.ssh_enabled` flips to false, which the next sshd-auth attempt
/// observes. No user-visible toggle here; just the bool.
async fn run_remove_ssh_key(user_id: Uuid, fp_arg: Option<String>) -> wasmtime::Result<i32> {
    let fingerprint = fp_arg
        .filter(|s| !s.is_empty())
        .ok_or_else(|| wasmtime::Error::msg("remove-ssh-key: missing or empty :fingerprint arg"))?;
    let result = RemoveSshKey::new()
        .user_id(user_id)
        .fingerprint(fingerprint)
        .run()
        .await;
    bool_from_command_result("remove-ssh-key", result)
}

/// Resolves a public-key fingerprint to a user UUID. Server short-circuits
/// to `Ok(None)` when the key is unknown OR the matching user has
/// `ssh_enabled=false` — both surface here as `None` (which the caller maps
/// to a null `ref null $i8_array`) so clients can't probe the row table to
/// distinguish absent-key from disabled-user.
async fn run_lookup_user_by_ssh_key(fp_arg: Option<String>) -> wasmtime::Result<Option<String>> {
    let fingerprint = fp_arg.filter(|s| !s.is_empty()).ok_or_else(|| {
        wasmtime::Error::msg("lookup-user-by-ssh-key: missing or empty :fingerprint arg")
    })?;
    match LookupUserBySshKey::new()
        .fingerprint(fingerprint)
        .run()
        .await
    {
        Ok(Some(CmdResult::Uuid(id))) => Ok(Some(id.to_string())),
        Ok(Some(other)) => Err(wasmtime::Error::msg(format!(
            "lookup-user-by-ssh-key: expected Uuid, got {other:?}"
        ))),
        Ok(None) => Ok(None),
        Err(err) => Err(wasmtime::Error::msg(format!(
            "lookup-user-by-ssh-key: {err}"
        ))),
    }
}

/// Maps the server's typestate `Bool` result (or absent row) into the i32
/// wire form the wasm signature expects: 1 = true, 0 = false. Any other
/// `CmdResult` variant is a contract violation and surfaces as a trap.
fn bool_from_command_result(
    name: &str,
    result: Result<Option<CmdResult>, CmdError>,
) -> wasmtime::Result<i32> {
    match result {
        Ok(Some(CmdResult::Bool(b))) => Ok(i32::from(b)),
        Ok(Some(other)) => Err(wasmtime::Error::msg(format!(
            "{name}: expected Bool, got {other:?}"
        ))),
        Ok(None) => Ok(0),
        Err(err) => Err(wasmtime::Error::msg(format!("{name}: {err}"))),
    }
}

/// Pulls the (id, fingerprint, annotation) triple per SSH key out of the
/// `CmdResult::SshKeys` variant. Surrounding fields (key-type, blob,
/// created-at, last-used-at) are dropped for v1 — `$ssh_key` carries only
/// the human-facing strings the emacs client renders. Reinstate richer
/// shapes by extending the struct + macro declaration.
fn list_ssh_key_entries(
    name: &str,
    result: Result<Option<CmdResult>, CmdError>,
) -> wasmtime::Result<Vec<(String, String, String)>> {
    match result {
        Ok(Some(CmdResult::SshKeys(keys))) => Ok(keys
            .into_iter()
            .map(|k| (k.id.to_string(), k.fingerprint, k.annotation))
            .collect()),
        Ok(Some(other)) => Err(wasmtime::Error::msg(format!(
            "{name}: expected SshKeys, got {other:?}"
        ))),
        Ok(None) => Ok(Vec::new()),
        Err(err) => Err(wasmtime::Error::msg(format!("{name}: {err}"))),
    }
}

async fn alloc_ssh_key_entity(
    caller: &mut Caller<'_, SessionData>,
    id: &str,
    fingerprint: &str,
    annotation: &str,
) -> wasmtime::Result<Rooted<StructRef>> {
    let id_ref = alloc_string_ref(caller, id.as_bytes())?;
    let fp_ref = alloc_string_ref(caller, fingerprint.as_bytes())?;
    let name_ref = alloc_string_ref(caller, annotation.as_bytes())?;
    let args = [
        Val::AnyRef(Some(id_ref.to_anyref())),
        Val::AnyRef(Some(fp_ref.to_anyref())),
        Val::AnyRef(Some(name_ref.to_anyref())),
    ];
    alloc_entity_via_export(caller, "alloc_ssh_key", &args).await
}

async fn alloc_ssh_key_chain(
    caller: &mut Caller<'_, SessionData>,
    entries: Vec<(String, String, String)>,
) -> wasmtime::Result<Option<Rooted<StructRef>>> {
    let mut anyrefs: Vec<Rooted<AnyRef>> = Vec::with_capacity(entries.len());
    for (id, fingerprint, annotation) in entries {
        let entity_ref = alloc_ssh_key_entity(caller, &id, &fingerprint, &annotation).await?;
        anyrefs.push(entity_ref.to_anyref());
    }
    alloc_pair_chain(caller, anyrefs).await
}

#[cfg(test)]
fn format_ssh_keys(keys: &[SshKeyRecord]) -> String {
    // Kept under #[cfg(test)] solely so the legacy test assertions
    // (round-trip / quote-escape) continue to exercise the renderer until
    // A6 collapses the streaming-string envelope; production now ships
    // typed `pair<ssh-key>` returns built via `alloc_ssh_key_chain`.
    let mut out = String::from("(:ssh-keys (");
    for (idx, key) in keys.iter().enumerate() {
        if idx > 0 {
            out.push(' ');
        }
        out.push_str(&format!(
            "(:id \"{}\" :key-type {} :fingerprint {} :annotation {} :created-at \"{}\" :last-used-at {} :blob #\"{}\")",
            key.id,
            quote_string(&key.key_type),
            quote_string(&key.fingerprint),
            quote_string(&key.annotation),
            key.created_at.to_rfc3339(),
            match key.last_used_at {
                Some(ts) => format!("\"{}\"", ts.to_rfc3339()),
                None => "nil".to_string(),
            },
            BASE64.encode(&key.key_blob),
        ));
    }
    out.push_str("))");
    out
}

#[cfg(test)]
fn quote_string(s: &str) -> String {
    let mut q = String::with_capacity(s.len() + 2);
    q.push('"');
    for ch in s.chars() {
        match ch {
            '"' => q.push_str("\\\""),
            '\\' => q.push_str("\\\\"),
            other => q.push(other),
        }
    }
    q.push('"');
    q
}

#[cfg(test)]
mod tests {
    use super::*;
    use chrono::TimeZone;
    use uuid::Uuid;

    fn record(annotation: &str, last_used: bool) -> SshKeyRecord {
        let created = chrono::Utc.with_ymd_and_hms(2026, 5, 1, 12, 0, 0).unwrap();
        SshKeyRecord {
            id: Uuid::parse_str("550e8400-e29b-41d4-a716-446655440000").unwrap(),
            user_id: Uuid::nil(),
            key_type: "ssh-ed25519".into(),
            key_blob: vec![0xab, 0xcd, 0xef],
            fingerprint: "SHA256:abc".into(),
            annotation: annotation.into(),
            created_at: created,
            last_used_at: last_used
                .then(|| chrono::Utc.with_ymd_and_hms(2026, 5, 5, 9, 30, 0).unwrap()),
        }
    }

    #[test]
    fn format_empty_list() {
        assert_eq!(format_ssh_keys(&[]), "(:ssh-keys ())");
    }

    #[test]
    fn format_single_key_with_last_used() {
        let out = format_ssh_keys(&[record("laptop", true)]);
        assert!(out.contains(":id \"550e8400-e29b-41d4-a716-446655440000\""));
        assert!(out.contains(":key-type \"ssh-ed25519\""));
        assert!(out.contains(":fingerprint \"SHA256:abc\""));
        assert!(out.contains(":annotation \"laptop\""));
        assert!(out.contains(":created-at \"2026-05-01T12:00:00+00:00\""));
        assert!(out.contains(":last-used-at \"2026-05-05T09:30:00+00:00\""));
        assert!(out.contains(":blob #\"q83v\""));
    }

    #[test]
    fn format_unused_key_emits_nil_for_last_used() {
        let out = format_ssh_keys(&[record("", false)]);
        assert!(out.contains(":last-used-at nil"));
        assert!(out.contains(":annotation \"\""));
    }

    #[test]
    fn bool_from_command_result_maps_variants() {
        assert_eq!(
            bool_from_command_result("x", Ok(Some(CmdResult::Bool(true)))).unwrap(),
            1
        );
        assert_eq!(
            bool_from_command_result("x", Ok(Some(CmdResult::Bool(false)))).unwrap(),
            0
        );
        assert_eq!(bool_from_command_result("x", Ok(None)).unwrap(), 0);
        assert!(bool_from_command_result("x", Err(CmdError::Args("oops".into()))).is_err());
    }

    #[tokio::test]
    async fn run_lookup_user_by_ssh_key_no_arg_emits_error() {
        let err = run_lookup_user_by_ssh_key(None).await.unwrap_err();
        assert!(err.to_string().contains("missing or empty"));
    }

    #[tokio::test]
    async fn run_lookup_user_by_ssh_key_empty_arg_emits_error() {
        let err = run_lookup_user_by_ssh_key(Some(String::new()))
            .await
            .unwrap_err();
        assert!(err.to_string().contains("missing or empty"));
    }

    #[tokio::test]
    async fn run_remove_ssh_key_no_arg_emits_error() {
        let err = run_remove_ssh_key(Uuid::nil(), None).await.unwrap_err();
        assert!(err.to_string().contains("missing or empty"));
    }

    #[tokio::test]
    async fn run_remove_ssh_key_empty_arg_emits_error() {
        let err = run_remove_ssh_key(Uuid::nil(), Some(String::new()))
            .await
            .unwrap_err();
        assert!(err.to_string().contains("missing or empty"));
    }

    #[test]
    fn format_quotes_embedded_specials_in_annotation() {
        let key = SshKeyRecord {
            annotation: r#"weird\"name"#.into(),
            ..record("", false)
        };
        let out = format_ssh_keys(&[key]);
        assert!(out.contains(r#":annotation "weird\\\"name""#), "got: {out}");
    }
}