atproto-devtool 0.1.1

A multitool for the atproto developer ecosystem
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199

//! `atproto-devtool test labeler <target>` command.

pub mod create_report;
pub mod crypto;
pub mod http;
pub mod identity;
pub mod pipeline;
pub mod report;
pub mod subscription;

use std::io;
use std::process::ExitCode;
use std::time::Duration;

use clap::Args;
use miette::Report;

use crate::commands::test::labeler::create_report::self_mint::{SelfMintCurve, SelfMintSigner};
use crate::common::{
    APP_USER_AGENT,
    identity::{Did, RealDnsResolver, RealHttpClient, is_local_labeler_hostname},
};
use pipeline::{LabelerOptions, parse_target, run_pipeline};
use report::RenderConfig;

/// Run the labeler conformance suite against a handle, DID, or endpoint URL.
#[derive(Debug, Args)]
pub struct LabelerCmd {
    /// Handle (`alice.example`), DID (`did:plc:...` / `did:web:...`), or labeler endpoint URL.
    pub target: String,

    /// Explicit DID override. Required (and combined with the target URL) when
    /// `target` is a raw endpoint URL and you want identity/crypto checks to run.
    #[arg(long)]
    pub did: Option<String>,

    /// Per-connection time budget for the subscription-layer checks.
    ///
    /// Minimum 1 second; values below 1 second are rejected at parse time.
    #[arg(
        long,
        default_value = "5s",
        value_parser = parse_subscribe_timeout,
    )]
    pub subscribe_timeout: Duration,

    /// Whether to suppress colored output.
    #[arg(long)]
    pub no_color: bool,

    /// Whether to emit verbose diagnostics.
    #[arg(long)]
    pub verbose: bool,

    /// Commit: opt in to actually POSTing report bodies to the labeler and
    /// assert reporting conformance (missing `LabelerPolicies` becomes a
    /// SpecViolation rather than a stage-skip).
    #[arg(long)]
    pub commit_report: bool,

    /// Force self-mint checks to run even when the labeler endpoint is
    /// classified as non-local by the hostname heuristic. Use when
    /// running against a LAN-reachable labeler that the heuristic misses.
    #[arg(long)]
    pub force_self_mint: bool,

    /// Curve to use for self-mint JWTs.
    #[arg(long, value_enum, default_value_t = SelfMintCurve::default())]
    pub self_mint_curve: SelfMintCurve,

    /// Override the default computed subject DID for committing checks.
    /// Passed through to `self_mint_accepted`, `pds_service_auth_accepted`,
    /// and `pds_proxied_accepted` bodies.
    #[arg(long)]
    pub report_subject_did: Option<String>,

    /// User handle for PDS-mediated report modes. Must be supplied together
    /// with --app-password; enables `pds_service_auth_accepted` and
    /// `pds_proxied_accepted` checks when combined with --commit-report.
    #[arg(long, requires = "app_password")]
    pub handle: Option<String>,

    /// App password for PDS-mediated report modes. Must be supplied
    /// together with --handle.
    #[arg(long, requires = "handle")]
    pub app_password: Option<String>,
}

impl LabelerCmd {
    pub async fn run(self, no_color: bool) -> Result<ExitCode, Report> {
        // Parse the target.
        let target =
            parse_target(&self.target, self.did.as_deref()).map_err(|e| miette::miette!("{e}"))?;

        // Determine tentative endpoint for the locality check. When the target is a
        // DID or handle, the endpoint is known only after identity stage; for the
        // self-mint signer construction we need it now. We construct the signer
        // pessimistically (endpoint unknown) only when --force-self-mint is set.
        let tentative_endpoint: Option<url::Url> = match &target {
            pipeline::LabelerTarget::Endpoint { url, .. } => Some(url.clone()),
            pipeline::LabelerTarget::Identified { .. } => None,
        };

        let tentative_local = tentative_endpoint
            .as_ref()
            .map(is_local_labeler_hostname)
            .unwrap_or(false);

        // Build a single shared HTTP client.
        let reqwest_client = reqwest::Client::builder()
            .use_rustls_tls()
            .user_agent(APP_USER_AGENT)
            .timeout(std::time::Duration::from_secs(10))
            .build()
            .map_err(|e| miette::miette!("Failed to initialize HTTP client: {}", e))?;

        // Build HTTP and DNS clients using the shared client.
        let http = RealHttpClient::from_client(reqwest_client.clone());
        let dns = RealDnsResolver::new();

        // Build the subject DID override if provided.
        let report_subject_override = self.report_subject_did.clone().map(Did);

        // Construct the stable run-id for the sentinel reason string.
        let run_id = create_report::sentinel::new_run_id();

        // Pre-construct the self-mint signer (binds the DidDocServer) when:
        //   - --force-self-mint is set, OR
        //   - tentative endpoint is known and classified local.
        // Otherwise we skip the allocation and let the stage see
        // `self_mint_signer == None` → skip all self-mint checks.
        let self_mint_signer_opt = if self.force_self_mint || tentative_local {
            Some(
                SelfMintSigner::spawn(self.self_mint_curve)
                    .await
                    .map_err(|e| miette::miette!("Failed to bind self-mint DID server: {e}"))?,
            )
        } else {
            None
        };
        let self_mint_signer_ref = self_mint_signer_opt.as_ref();

        // Construct PDS credentials when both handle and app_password are supplied.
        let pds_credentials = match (self.handle.as_deref(), self.app_password.as_deref()) {
            (Some(h), Some(p)) => Some(pipeline::PdsCredentials {
                handle: h.to_string(),
                app_password: p.to_string(),
            }),
            _ => None,
        };
        let pds_credentials_ref = pds_credentials.as_ref();

        // Run the pipeline.
        let opts = LabelerOptions {
            http: &http,
            dns: &dns,
            http_tee: pipeline::HttpTee::Real(&reqwest_client),
            ws_client: None,
            subscribe_timeout: self.subscribe_timeout,
            verbose: self.verbose,

            create_report_tee: pipeline::CreateReportTeeKind::Real(&reqwest_client),
            commit_report: self.commit_report,
            force_self_mint: self.force_self_mint,
            self_mint_curve: self.self_mint_curve,
            report_subject_override: report_subject_override.as_ref(),
            self_mint_signer: self_mint_signer_ref,
            pds_credentials: pds_credentials_ref,
            pds_xrpc_client: None,
            pds_xrpc_client_override: None,
            run_id: &run_id,
        };

        let report = run_pipeline(target, opts).await;

        // Render the report to stdout.
        let mut stdout = io::stdout().lock();
        report
            .render(&mut stdout, &RenderConfig { no_color })
            .map_err(|e| miette::miette!("Failed to render report: {}", e))?;

        // Return appropriate exit code.
        let exit_code = report.exit_code();
        Ok(ExitCode::from(exit_code as u8))
    }
}

pub fn parse_subscribe_timeout(raw: &str) -> Result<Duration, String> {
    let parsed = humantime::parse_duration(raw)
        .map_err(|e| format!("invalid --subscribe-timeout value `{raw}`: {e}"))?;

    if parsed < Duration::from_secs(1) {
        return Err(format!(
            "--subscribe-timeout must be at least 1 second (got {parsed:?})"
        ));
    }

    Ok(parsed)
}