auths-cli 0.1.2

Command-line interface for Auths decentralized identity system
Documentation
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
use crate::ux::format::is_json_mode;
use anyhow::{Context, Result, anyhow};
use auths_keri::witness::SignedReceipt;
use auths_sdk::trust::{PinnedIdentity, PinnedIdentityStore, RootsFile, TrustLevel, TrustPolicy};
use auths_verifier::core::Attestation;
use auths_verifier::verify::{verify_chain_with_witnesses, verify_with_keys};
use auths_verifier::witness::WitnessVerifyConfig;
use chrono::Utc;
use clap::{Parser, ValueEnum};
use serde::Serialize;
use std::fs;
use std::io::{self, IsTerminal, Read};
use std::path::PathBuf;
use std::process;

/// Trust policy for identity verification.
#[derive(Debug, Clone, Copy, Default, ValueEnum)]
pub enum CliTrustPolicy {
    /// Trust-on-first-use: prompt interactively on first encounter.
    #[default]
    Tofu,
    /// Explicit trust: require identity in pinned store or roots.json.
    Explicit,
}

#[derive(Parser, Debug, Clone)]
#[command(about = "Verify device authorization signatures.")]
pub struct VerifyCommand {
    /// Path to authorization JSON file, or "-" to read from stdin.
    #[arg(long, value_parser, required = true)]
    pub attestation: String,

    /// Signer public key in hex format (64 hex chars = 32 bytes).
    ///
    /// If provided, bypasses trust resolution and uses this key directly.
    /// Takes precedence over --signer and trust policy.
    #[arg(long = "signer-key", value_parser)]
    pub issuer_pk: Option<String>,

    /// Signer identity ID for trust-based key resolution.
    ///
    /// Looks up the public key from pinned identity store or roots.json.
    /// Uses --trust policy to determine behavior for unknown identities.
    #[arg(long = "signer", visible_alias = "issuer-did", value_parser)]
    pub issuer_did: Option<String>,

    /// Trust policy for unknown identities.
    ///
    /// Resolution precedence:
    ///   1. --issuer-pk (direct key, bypasses trust)
    ///   2. Pinned identity store (~/.auths/known_identities.json)
    ///   3. Repository roots.json (.auths/roots.json)
    ///   4. TOFU prompt (if TTY) or explicit rejection (if non-TTY)
    ///
    /// Defaults: tofu on TTY, explicit on non-TTY (CI).
    #[arg(long, value_enum)]
    pub trust: Option<CliTrustPolicy>,

    /// Path to roots.json file for explicit trust.
    ///
    /// Overrides default .auths/roots.json lookup.
    #[arg(long = "roots-file", value_parser)]
    pub roots_file: Option<PathBuf>,

    /// Path to witness signatures JSON file.
    #[arg(long = "witness-signatures")]
    pub witness_receipts: Option<PathBuf>,

    /// Number of witnesses required (default: 1).
    #[arg(long = "witnesses-required", default_value = "1")]
    pub witness_threshold: usize,

    /// Witness public keys as DID:hex pairs (e.g., "did:key:z6Mk...:abcd1234...").
    #[arg(long, num_args = 1..)]
    pub witness_keys: Vec<String>,
}

#[derive(Serialize)]
struct VerifyResult {
    valid: bool,
    #[serde(skip_serializing_if = "Option::is_none")]
    error: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    issuer: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    subject: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    witness_quorum: Option<auths_verifier::witness::WitnessQuorum>,
}

/// Handle verify command. Returns Ok(()) on success, Err on error.
/// Uses exit codes: 0=valid, 1=invalid, 2=error
pub async fn handle_verify(cmd: VerifyCommand) -> Result<()> {
    #[allow(clippy::disallowed_methods)]
    let now = Utc::now();
    let result = run_verify(now, &cmd).await;

    match result {
        Ok(verify_result) => {
            if is_json_mode() {
                println!("{}", serde_json::to_string(&verify_result)?);
            }

            if verify_result.valid {
                // Exit code 0 for valid
                Ok(())
            } else {
                // Exit code 1 for invalid attestation
                if !is_json_mode() {
                    eprintln!(
                        "Attestation verification failed: {}",
                        verify_result.error.as_deref().unwrap_or("unknown error")
                    );
                }
                process::exit(1);
            }
        }
        Err(e) => {
            // Exit code 2 for errors (file not found, parse error, etc.)
            if is_json_mode() {
                let error_result = VerifyResult {
                    valid: false,
                    error: Some(e.to_string()),
                    issuer: None,
                    subject: None,
                    witness_quorum: None,
                };
                println!("{}", serde_json::to_string(&error_result)?);
            } else {
                eprintln!("Error: {}", e);
            }
            process::exit(2);
        }
    }
}

/// Determine effective trust policy.
///
/// If explicitly set via --trust, use that.
/// Otherwise: TOFU on TTY, Explicit on non-TTY (CI).
fn effective_trust_policy(cmd: &VerifyCommand) -> TrustPolicy {
    match cmd.trust {
        Some(CliTrustPolicy::Tofu) => TrustPolicy::Tofu,
        Some(CliTrustPolicy::Explicit) => TrustPolicy::Explicit,
        None => {
            if io::stdin().is_terminal() {
                TrustPolicy::Tofu
            } else {
                TrustPolicy::Explicit
            }
        }
    }
}

/// Wrap raw pubkey bytes into a curve-tagged `DevicePublicKey`.
fn bytes_to_device_public_key(
    bytes: &[u8],
    curve: auths_crypto::CurveType,
    source: &str,
) -> Result<auths_verifier::DevicePublicKey> {
    auths_verifier::DevicePublicKey::try_new(curve, bytes)
        .map_err(|e| anyhow!("Invalid {} public key: {e}", source))
}

/// Resolve the issuer public key from various sources.
///
/// Resolution precedence:
/// 1. `--issuer-pk` (direct key, bypasses trust)
/// 2. Pinned identity store
/// 3. `roots.json` file
/// 4. Trust policy (TOFU prompt or explicit rejection)
fn resolve_issuer_key(
    now: chrono::DateTime<Utc>,
    cmd: &VerifyCommand,
    att: &Attestation,
) -> Result<auths_verifier::DevicePublicKey> {
    // 1. Direct key takes precedence
    if let Some(ref pk_hex) = cmd.issuer_pk {
        let pk_bytes =
            hex::decode(pk_hex).context("Invalid hex string provided for issuer public key")?;
        let issuer_did = cmd.issuer_did.as_deref().unwrap_or(att.issuer.as_str());
        let curve = auths_crypto::did_key_decode(issuer_did)
            .map(|d| d.curve())
            .unwrap_or_default();
        return auths_verifier::DevicePublicKey::try_new(curve, &pk_bytes)
            .map_err(|e| anyhow!("Invalid issuer public key: {e}"));
    }

    // Determine the DID to look up
    let did = cmd.issuer_did.as_deref().unwrap_or(att.issuer.as_str());

    // Get trust policy
    let policy = effective_trust_policy(cmd);
    let store = PinnedIdentityStore::new(PinnedIdentityStore::default_path());

    // 2. Check pinned identity store first
    if let Some(pin) = store.lookup(did)? {
        if !is_json_mode() {
            println!("Using pinned identity: {}", did);
        }
        return bytes_to_device_public_key(&pin.public_key_bytes()?, pin.curve, "pinned identity");
    }

    // 3. Check roots.json file
    let roots_path = cmd.roots_file.clone().unwrap_or_else(|| {
        std::env::current_dir()
            .unwrap_or_default()
            .join(".auths/roots.json")
    });

    if roots_path.exists() {
        let roots = RootsFile::load(&roots_path)?;
        if let Some(root) = roots.find(did) {
            if !is_json_mode() {
                println!(
                    "Using root from {}: {}",
                    roots_path.display(),
                    root.note.as_deref().unwrap_or(did)
                );
            }
            // Pin from roots.json for future use
            let pin = PinnedIdentity {
                did: did.to_string(),
                public_key_hex: root.public_key_hex.clone(),
                curve: root.curve,
                kel_tip_said: root.kel_tip_said.clone(),
                kel_sequence: None,
                first_seen: now,
                origin: format!("roots.json:{}", roots_path.display()),
                trust_level: TrustLevel::OrgPolicy,
            };
            store.pin(pin)?;
            return bytes_to_device_public_key(&root.public_key_bytes()?, root.curve, "roots.json");
        }
    }

    // 4. Apply trust policy
    match policy {
        TrustPolicy::Tofu => {
            // Need to extract key from attestation for TOFU
            // The attestation itself doesn't contain the issuer's public key directly,
            // so we need it from --issuer-pk or the user needs to provide it
            anyhow::bail!(
                "Unknown identity '{}'. Provide --signer-key to trust on first use, \
                 or add to .auths/roots.json for explicit trust.",
                did
            );
        }
        TrustPolicy::Explicit => {
            anyhow::bail!(
                "Unknown identity '{}' and trust policy is 'explicit'.\n\
                 Options:\n  \
                 1. Add to .auths/roots.json in the repository\n  \
                 2. Pin manually: auths trust pin --did {} --key <hex>\n  \
                 3. Provide --signer-key <hex> to bypass trust resolution",
                did,
                did
            );
        }
    }
}

use crate::commands::verify_helpers::parse_witness_keys;

async fn run_verify(now: chrono::DateTime<Utc>, cmd: &VerifyCommand) -> Result<VerifyResult> {
    // 1. Read attestation from file or stdin
    let attestation_bytes = if cmd.attestation == "-" {
        let mut buffer = Vec::new();
        io::stdin()
            .read_to_end(&mut buffer)
            .context("Failed to read attestation from stdin")?;
        buffer
    } else {
        let path = PathBuf::from(&cmd.attestation);
        fs::read(&path).with_context(|| format!("Failed to read attestation file: {:?}", path))?
    };

    // 2. Deserialize attestation JSON
    let att: Attestation =
        serde_json::from_slice(&attestation_bytes).context("Failed to parse JSON attestation")?;

    if !is_json_mode() {
        println!(
            "Verifying attestation: issuer={}, subject={}",
            att.issuer, att.subject
        );
    }

    // 3. Resolve issuer public key
    let issuer_pk = resolve_issuer_key(now, cmd, &att)?;

    // 4. Verify the attestation's authenticity (signatures, expiry, linkage).
    //    Capability authority is no longer gated here: a capability grant must come
    //    from a holder-verified ACDC credential, not the attestation's caps field.
    let verify_result = verify_with_keys(&att, &issuer_pk).await;

    match verify_result {
        Ok(_) => {
            // 6. If witness receipts are provided, do witness chain verification
            let witness_quorum = if let Some(ref receipts_path) = cmd.witness_receipts {
                let receipts_bytes = fs::read(receipts_path).with_context(|| {
                    format!("Failed to read witness receipts: {:?}", receipts_path)
                })?;
                let receipts: Vec<SignedReceipt> = serde_json::from_slice(&receipts_bytes)
                    .context("Failed to parse witness receipts JSON")?;
                let witness_keys = parse_witness_keys(&cmd.witness_keys)?;

                let config = WitnessVerifyConfig {
                    receipts: &receipts,
                    witness_keys: &witness_keys,
                    threshold: cmd.witness_threshold,
                };

                let report =
                    verify_chain_with_witnesses(std::slice::from_ref(&att), &issuer_pk, &config)
                        .await
                        .context("Witness chain verification failed")?;

                if !report.is_valid() {
                    if !is_json_mode()
                        && let auths_verifier::VerificationStatus::InsufficientWitnesses {
                            required,
                            verified,
                        } = &report.status
                    {
                        eprintln!("Witness quorum not met: {}/{} verified", verified, required);
                    }
                    return Ok(VerifyResult {
                        valid: false,
                        error: Some(format!(
                            "Witness quorum not met: {}/{} verified",
                            report.witness_quorum.as_ref().map_or(0, |q| q.verified),
                            cmd.witness_threshold
                        )),
                        issuer: Some(att.issuer.to_string()),
                        subject: Some(att.subject.to_string()),
                        witness_quorum: report.witness_quorum,
                    });
                }

                if !is_json_mode()
                    && let Some(ref q) = report.witness_quorum
                {
                    println!("Witness quorum met: {}/{} verified", q.verified, q.required);
                }

                report.witness_quorum
            } else {
                None
            };

            if !is_json_mode() {
                println!("Attestation verified successfully.");
            }
            Ok(VerifyResult {
                valid: true,
                error: None,
                issuer: Some(att.issuer.to_string()),
                subject: Some(att.subject.to_string()),
                witness_quorum,
            })
        }
        Err(e) => Ok(VerifyResult {
            valid: false,
            error: Some(e.to_string()),
            issuer: Some(att.issuer.to_string()),
            subject: Some(att.subject.to_string()),
            witness_quorum: None,
        }),
    }
}

/// Legacy handler for backward compatibility (kept for potential internal use).
pub async fn handle_verify_attestation(
    attestation_path: &PathBuf,
    issuer_pubkey_hex: &str,
) -> Result<()> {
    println!("Verifying attestation from file: {:?}", attestation_path);
    println!(
        "   Using issuer public key (hex): {}...",
        &issuer_pubkey_hex[..8.min(issuer_pubkey_hex.len())]
    );

    let attestation_bytes = fs::read(attestation_path)
        .with_context(|| format!("Failed to read attestation file: {:?}", attestation_path))?;

    let att: Attestation = serde_json::from_slice(&attestation_bytes).with_context(|| {
        format!(
            "Failed to parse JSON attestation from file: {:?}",
            attestation_path
        )
    })?;
    println!(
        "   Attestation loaded successfully. Issuer: {}, Subject: {}",
        att.issuer, att.subject
    );

    let issuer_pk_bytes = hex::decode(issuer_pubkey_hex)
        .context("Invalid hex string provided for issuer public key")?;
    let issuer_curve = auths_crypto::did_key_decode(att.issuer.as_str())
        .map(|d| d.curve())
        .unwrap_or_default();
    let issuer_pk = bytes_to_device_public_key(&issuer_pk_bytes, issuer_curve, "issuer")?;

    match verify_with_keys(&att, &issuer_pk).await {
        Ok(_) => {
            println!("Attestation verified successfully.");
            Ok(())
        }
        Err(e) => Err(anyhow!("Attestation verification failed: {}", e)),
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn verify_result_serializes_correctly() {
        let result = VerifyResult {
            valid: true,
            error: None,
            issuer: Some("did:key:issuer".to_string()),
            subject: Some("did:key:subject".to_string()),
            witness_quorum: None,
        };
        let json = serde_json::to_string(&result).unwrap();
        assert!(json.contains("\"valid\":true"));
        assert!(json.contains("\"issuer\":\"did:key:issuer\""));
    }

    #[test]
    fn verify_result_error_serializes_correctly() {
        let result = VerifyResult {
            valid: false,
            error: Some("signature mismatch".to_string()),
            issuer: None,
            subject: None,
            witness_quorum: None,
        };
        let json = serde_json::to_string(&result).unwrap();
        assert!(json.contains("\"valid\":false"));
        assert!(json.contains("\"error\":\"signature mismatch\""));
    }
}