age_plugin/lib.rs
1//! This crate provides an API for building age plugins.
2//!
3//! # Introduction
4//!
5//! The [age file encryption format] follows the "one well-oiled joint" design philosophy.
6//! The mechanism for extensibility (within a particular format version) is the recipient
7//! stanzas within the age header: file keys can be wrapped in any number of ways, and age
8//! clients are required to ignore stanzas that they do not understand.
9//!
10//! The core APIs that exercise this mechanism are:
11//! - A recipient that wraps a file key and returns a stanza.
12//! - An identity that unwraps a stanza and returns a file key.
13//!
14//! The age plugin system provides a mechanism for exposing these core APIs across process
15//! boundaries. It has two main components:
16//!
17//! - A map from recipients and identities to plugin binaries.
18//! - State machines for wrapping and unwrapping file keys.
19//!
20//! With this composable design, you can implement a recipient or identity that you might
21//! use directly with the [`age`] library crate, and also deploy it as a plugin binary for
22//! use with clients like [`rage`].
23//!
24//! [age file encryption format]: https://age-encryption.org/v1
25//! [`age`]: https://crates.io/crates/age
26//! [`rage`]: https://crates.io/crates/rage
27//!
28//! # Mapping recipients and identities to plugin binaries
29//!
30//! age plugins are identified by an arbitrary case-insensitive string `NAME`. This string
31//! is used in three places:
32//!
33//! - Plugin-compatible recipients are encoded using Bech32 with the HRP `age1name`
34//! (lowercase).
35//! - Plugin-compatible identities are encoded using Bech32 with the HRP
36//! `AGE-PLUGIN-NAME-` (uppercase).
37//! - Plugin binaries (to be started by age clients) are named `age-plugin-name`.
38//!
39//! Users interact with age clients by providing either recipients for file encryption, or
40//! identities for file decryption. When a plugin recipient or identity is provided, the
41//! age client searches the `PATH` for a binary with the corresponding plugin name.
42//!
43//! Recipient stanza types are not required to be correlated to specific plugin names.
44//! When decrypting, age clients will pass all recipient stanzas to every connected
45//! plugin. Plugins MUST ignore stanzas that they do not know about.
46//!
47//! A plugin binary may handle multiple recipient or identity types by being present in
48//! the `PATH` under multiple names. This can be implemented with symlinks or aliases to
49//! the canonical binary.
50//!
51//! Multiple plugin binaries can support the same recipient and identity types; the first
52//! binary found in the `PATH` will be used by age clients. Some Unix OSs support
53//! "alternatives", which plugin binaries should leverage if they provide support for a
54//! common recipient or identity type.
55//!
56//! Note that the identity specified by a user doesn't need to point to a specific
57//! decryption key, or indeed contain any key material at all. It only needs to contain
58//! sufficient information for the plugin to locate the necessary key material.
59//!
60//! ## Standard age keys
61//!
62//! A plugin MAY support decrypting files encrypted to native age recipients, by including
63//! support for the `x25519` recipient stanza. Such plugins will pick their own name, and
64//! users will use identity files containing identities that specify that plugin name.
65//!
66//! # Example plugin binary
67//!
68//! The following example uses `clap` to parse CLI arguments, but any argument parsing
69//! logic will work as long as it can detect the `--age-plugin=STATE_MACHINE` flag.
70//!
71//! ```
72//! use age_core::format::{FileKey, Stanza};
73//! use age_plugin::{
74//! identity::{self, IdentityPluginV1},
75//! print_new_identity,
76//! recipient::{self, RecipientPluginV1},
77//! Callbacks, PluginHandler, run_state_machine,
78//! };
79//! use clap::Parser;
80//!
81//! use std::collections::{HashMap, HashSet};
82//! use std::io;
83//!
84//! struct Handler;
85//!
86//! impl PluginHandler for Handler {
87//! type RecipientV1 = RecipientPlugin;
88//! type IdentityV1 = IdentityPlugin;
89//!
90//! fn recipient_v1(self) -> io::Result<Self::RecipientV1> {
91//! Ok(RecipientPlugin)
92//! }
93//!
94//! fn identity_v1(self) -> io::Result<Self::IdentityV1> {
95//! Ok(IdentityPlugin)
96//! }
97//! }
98//!
99//! struct RecipientPlugin;
100//!
101//! impl RecipientPluginV1 for RecipientPlugin {
102//! fn add_recipient(
103//! &mut self,
104//! index: usize,
105//! plugin_name: &str,
106//! bytes: &[u8],
107//! ) -> Result<(), recipient::Error> {
108//! todo!()
109//! }
110//!
111//! fn add_identity(
112//! &mut self,
113//! index: usize,
114//! plugin_name: &str,
115//! bytes: &[u8]
116//! ) -> Result<(), recipient::Error> {
117//! todo!()
118//! }
119//!
120//! fn labels(&mut self) -> HashSet<String> {
121//! todo!()
122//! }
123//!
124//! fn wrap_file_keys(
125//! &mut self,
126//! file_keys: Vec<FileKey>,
127//! mut callbacks: impl Callbacks<recipient::Error>,
128//! ) -> io::Result<Result<Vec<Vec<Stanza>>, Vec<recipient::Error>>> {
129//! todo!()
130//! }
131//! }
132//!
133//! struct IdentityPlugin;
134//!
135//! impl IdentityPluginV1 for IdentityPlugin {
136//! fn add_identity(
137//! &mut self,
138//! index: usize,
139//! plugin_name: &str,
140//! bytes: &[u8]
141//! ) -> Result<(), identity::Error> {
142//! todo!()
143//! }
144//!
145//! fn unwrap_file_keys(
146//! &mut self,
147//! files: Vec<Vec<Stanza>>,
148//! mut callbacks: impl Callbacks<identity::Error>,
149//! ) -> io::Result<HashMap<usize, Result<FileKey, Vec<identity::Error>>>> {
150//! todo!()
151//! }
152//! }
153//!
154//! #[derive(Debug, Parser)]
155//! struct PluginOptions {
156//! #[arg(help = "run the given age plugin state machine", long)]
157//! age_plugin: Option<String>,
158//! }
159//!
160//! fn main() -> io::Result<()> {
161//! let opts = PluginOptions::parse();
162//!
163//! if let Some(state_machine) = opts.age_plugin {
164//! // The plugin was started by an age client; run the state machine.
165//! run_state_machine(&state_machine, Handler)?;
166//! return Ok(());
167//! }
168//!
169//! // Here you can assume the binary is being run directly by a user,
170//! // and perform administrative tasks like generating keys.
171//!
172//! Ok(())
173//! }
174//! ```
175
176#![forbid(unsafe_code)]
177// Catch documentation errors caused by code changes.
178#![deny(rustdoc::broken_intra_doc_links)]
179#![deny(missing_docs)]
180
181use age_core::{
182 primitives::bech32_encode,
183 secrecy::{zeroize::Zeroize, SecretString},
184};
185use bech32::Hrp;
186use std::io;
187
188pub mod identity;
189pub mod recipient;
190
191// Plugin HRPs are age1[name] and AGE-PLUGIN-[NAME]-
192const PLUGIN_RECIPIENT_PREFIX: &str = "age1";
193const PLUGIN_IDENTITY_PREFIX: &str = "AGE-PLUGIN-";
194
195/// Prints the newly-created identity and corresponding recipient to standard out.
196///
197/// A "created" time is included in the output, set to the current local time.
198pub fn print_new_identity(plugin_name: &str, identity: &[u8], recipient: &[u8]) {
199 let mut identity_lower = bech32_encode(
200 Hrp::parse_unchecked(&format!("{}{}-", PLUGIN_IDENTITY_PREFIX, plugin_name)),
201 identity,
202 );
203
204 println!(
205 "# created: {}",
206 chrono::Local::now().to_rfc3339_opts(chrono::SecondsFormat::Secs, true)
207 );
208 println!(
209 "# recipient: {}",
210 bech32_encode(
211 Hrp::parse_unchecked(&format!("{}{}", PLUGIN_RECIPIENT_PREFIX, plugin_name)),
212 recipient,
213 )
214 );
215 println!("{}", identity_lower.to_uppercase());
216
217 identity_lower.zeroize();
218}
219
220/// Runs the plugin state machine defined by `state_machine`.
221///
222/// This should be triggered if the `--age-plugin=state_machine` flag is provided as an
223/// argument when starting the plugin.
224///
225/// # Panics
226///
227/// The state machine will panic if the `PluginHandler` implementation violates any
228/// **MUST** requirements of the [age plugin specification]. Examples include:
229/// - Returning fewer stanzas from [`RecipientPluginV1::wrap_file_keys`] than the number
230/// of recipients and identities that were provided (instead of returning an error if
231/// any could not be encrypted to).
232/// - Note that this currently prohibits plugins from automatically deduplicating
233/// provided recipients and identities; either duplicate stanzas must be produced, or
234/// an error returned. This prohibition might be lifted in a future release.
235///
236/// [age plugin specification]: https://c2sp.org/age-plugin
237/// [`RecipientPluginV1::wrap_file_keys`]: crate::recipient::RecipientPluginV1::wrap_file_keys
238pub fn run_state_machine(state_machine: &str, handler: impl PluginHandler) -> io::Result<()> {
239 use age_core::plugin::{IDENTITY_V1, RECIPIENT_V1};
240
241 match state_machine {
242 RECIPIENT_V1 => recipient::run_v1(handler.recipient_v1()?),
243 IDENTITY_V1 => identity::run_v1(handler.identity_v1()?),
244 _ => Err(io::Error::new(
245 io::ErrorKind::InvalidInput,
246 "unknown plugin state machine",
247 )),
248 }
249}
250
251/// The interfaces that age implementations will use to interact with an age plugin.
252///
253/// This trait exists to encapsulate the set of arguments to [`run_state_machine`] that
254/// different plugins may want to provide.
255///
256/// # How to implement this trait
257///
258/// ## Full plugins
259///
260/// - Set all associated types to your plugin's implementations.
261/// - Override all default methods of the trait.
262///
263/// ## Recipient-only plugins
264///
265/// - Set [`PluginHandler::RecipientV1`] to your plugin's implementation.
266/// - Override [`PluginHandler::recipient_v1`] to return an instance of your type.
267/// - Set [`PluginHandler::IdentityV1`] to [`std::convert::Infallible`].
268/// - Don't override [`PluginHandler::identity_v1`].
269///
270/// ## Identity-only plugins
271///
272/// - Set [`PluginHandler::RecipientV1`] to [`std::convert::Infallible`].
273/// - Don't override [`PluginHandler::recipient_v1`].
274/// - Set [`PluginHandler::IdentityV1`] to your plugin's implementation.
275/// - Override [`PluginHandler::identity_v1`] to return an instance of your type.
276pub trait PluginHandler: Sized {
277 /// The plugin's [`recipient-v1`] implementation.
278 ///
279 /// [`recipient-v1`]: https://c2sp.org/age-plugin#wrapping-with-recipient-v1
280 type RecipientV1: recipient::RecipientPluginV1;
281
282 /// The plugin's [`identity-v1`] implementation.
283 ///
284 /// [`identity-v1`]: https://c2sp.org/age-plugin#unwrapping-with-identity-v1
285 type IdentityV1: identity::IdentityPluginV1;
286
287 /// Returns an instance of the plugin's [`recipient-v1`] implementation.
288 ///
289 /// [`recipient-v1`]: https://c2sp.org/age-plugin#wrapping-with-recipient-v1
290 fn recipient_v1(self) -> io::Result<Self::RecipientV1> {
291 Err(io::Error::new(
292 io::ErrorKind::InvalidInput,
293 "plugin doesn't support recipient-v1 state machine",
294 ))
295 }
296
297 /// Returns an instance of the plugin's [`identity-v1`] implementation.
298 ///
299 /// [`identity-v1`]: https://c2sp.org/age-plugin#unwrapping-with-identity-v1
300 fn identity_v1(self) -> io::Result<Self::IdentityV1> {
301 Err(io::Error::new(
302 io::ErrorKind::InvalidInput,
303 "plugin doesn't support identity-v1 state machine",
304 ))
305 }
306}
307
308/// The interface that age plugins can use to interact with an age implementation.
309pub trait Callbacks<E> {
310 /// Shows a message to the user.
311 ///
312 /// This can be used to prompt the user to take some physical action, such as
313 /// inserting a hardware key.
314 fn message(&mut self, message: &str) -> age_core::plugin::Result<()>;
315
316 /// Requests that the user provides confirmation for some action.
317 ///
318 /// This can be used to, for example, request that a hardware key the plugin wants to
319 /// try either be plugged in, or skipped.
320 ///
321 /// - `message` is the request or call-to-action to be displayed to the user.
322 /// - `yes_string` and (optionally) `no_string` will be displayed on buttons or next
323 /// to selection options in the user's UI.
324 ///
325 /// Returns:
326 /// - `Ok(true)` if the user selected the option marked with `yes_string`.
327 /// - `Ok(false)` if the user selected the option marked with `no_string` (or the
328 /// default negative confirmation label).
329 /// - `Err(Error::Fail)` if the confirmation request could not be given to the user
330 /// (for example, if there is no UI for displaying messages).
331 /// - `Err(Error::Unsupported)` if the user's client does not support this callback.
332 fn confirm(
333 &mut self,
334 message: &str,
335 yes_string: &str,
336 no_string: Option<&str>,
337 ) -> age_core::plugin::Result<bool>;
338
339 /// Requests a non-secret value from the user.
340 ///
341 /// `message` will be displayed to the user, providing context for the request.
342 ///
343 /// To request secrets, use [`Callbacks::request_secret`].
344 fn request_public(&mut self, message: &str) -> age_core::plugin::Result<String>;
345
346 /// Requests a secret value from the user, such as a passphrase.
347 ///
348 /// `message` will be displayed to the user, providing context for the request.
349 fn request_secret(&mut self, message: &str) -> age_core::plugin::Result<SecretString>;
350
351 /// Sends an error.
352 ///
353 /// Note: This API may be removed in a subsequent API refactor, after we've figured
354 /// out how errors should be handled overall, and how to distinguish between hard and
355 /// soft errors.
356 fn error(&mut self, error: E) -> age_core::plugin::Result<()>;
357}