Skip to main content

auths_cli/adapters/
agent.rs

1//! CLI adapter for agent-based signing operations.
2//!
3//! Wraps the Unix-only agent client from `auths-core` behind the
4//! `AgentSigningPort` trait, producing SSHSIG PEM output compatible
5//! with `sign_with_seed()`.
6
7#[cfg(unix)]
8use auths_sdk::agent_core::{AgentStatus, add_identity, agent_sign, check_agent_status};
9#[cfg(unix)]
10use auths_sdk::crypto::{construct_sshsig_pem, construct_sshsig_signed_data};
11use auths_sdk::ports::agent::{AgentSigningError, AgentSigningPort};
12
13#[cfg(unix)]
14use crate::commands::agent::{ensure_agent_running, get_default_socket_path};
15
16/// CLI adapter that delegates signing to the Unix SSH agent.
17///
18/// On non-Unix platforms this struct is not compiled; the CLI wires
19/// `NoopAgentProvider` instead.
20///
21/// Usage:
22/// ```ignore
23/// let adapter = CliAgentAdapter;
24/// let pem = adapter.try_sign("git", &pubkey, &data)?;
25/// ```
26#[cfg(unix)]
27pub struct CliAgentAdapter;
28
29#[cfg(unix)]
30impl AgentSigningPort for CliAgentAdapter {
31    fn try_sign(
32        &self,
33        namespace: &str,
34        pubkey: &auths_verifier::DevicePublicKey,
35        data: &[u8],
36    ) -> Result<String, AgentSigningError> {
37        let socket_path =
38            get_default_socket_path().map_err(|e| AgentSigningError::Unavailable(e.to_string()))?;
39
40        match check_agent_status(&socket_path) {
41            AgentStatus::Running { key_count } if key_count > 0 => {}
42            AgentStatus::Running { .. } => {
43                return Err(AgentSigningError::Unavailable(
44                    "agent running but no keys loaded".into(),
45                ));
46            }
47            AgentStatus::ConnectionFailed => {
48                return Err(AgentSigningError::ConnectionFailed(
49                    "agent socket unreachable".into(),
50                ));
51            }
52            AgentStatus::NotRunning => {
53                return Err(AgentSigningError::Unavailable("agent not running".into()));
54            }
55        }
56
57        let sig_data = construct_sshsig_signed_data(data, namespace)
58            .map_err(|e| AgentSigningError::SigningFailed(e.to_string()))?;
59
60        let raw_sig = agent_sign(&socket_path, pubkey.as_bytes(), &sig_data)
61            .map_err(|e| AgentSigningError::SigningFailed(e.to_string()))?;
62
63        construct_sshsig_pem(pubkey.as_bytes(), &raw_sig, namespace, pubkey.curve())
64            .map_err(|e| AgentSigningError::SigningFailed(e.to_string()))
65    }
66
67    fn ensure_running(&self) -> Result<(), AgentSigningError> {
68        ensure_agent_running(true)
69            .map(|_| ())
70            .map_err(|e| AgentSigningError::StartupFailed(e.to_string()))
71    }
72
73    fn add_identity(&self, _namespace: &str, pkcs8_der: &[u8]) -> Result<(), AgentSigningError> {
74        let socket_path = get_default_socket_path()
75            .map_err(|e| AgentSigningError::ConnectionFailed(e.to_string()))?;
76
77        add_identity(&socket_path, pkcs8_der)
78            .map(|_| ())
79            .map_err(|e| AgentSigningError::SigningFailed(e.to_string()))
80    }
81}