envseal 0.3.12

Write-only secret vault with process-level access control — post-agent secret management
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375

//! On-disk persistence for [`SecurityConfig`].
//!
//! Canonical layout in 0.3.0+: `<root>/security.sealed` —
//! AES-256-GCM authenticated encryption with an HKDF-derived
//! per-domain key (`b"security_config.v1"`) off the master key.
//! AEAD provides integrity AND confidentiality; an attacker who
//! reads the file learns nothing about which tier you're on, what
//! relay endpoint you've paired with, or which signal IDs you've
//! overridden.
//!
//! Back-compat read path honors the v0.2.x plaintext-with-HMAC
//! layout (`<root>/security.toml` + `# hmac = "..."` comment); the
//! next save migrates by writing `security.sealed` and deleting the
//! plaintext.
//!
//! `/etc/envseal/system.toml` (enterprise-wide override channel)
//! stays plaintext — it's owned by root, not the user, and covers
//! force-lockdown / fleet-management knobs that are themselves
//! public policy.

use serde::Deserialize;
use std::path::{Path, PathBuf};

use super::tiers::{SecurityConfig, SecurityTier};
use crate::error::Error;
use crate::hex;
use crate::vault::sealed_blob;

/// Domain string for the security config sealed blob. Must not
/// collide with any other `sealed_blob::seal` consumer.
const SECURITY_CONFIG_DOMAIN: &[u8] = b"security_config.v1";

/// Legacy plaintext path within a vault root. Read-only on the
/// migration path; writes always target [`security_config_sealed_path`].
#[must_use]
pub fn security_config_path(root: &Path) -> PathBuf {
    root.join("security.toml")
}

/// Canonical sealed-blob path within a vault root.
#[must_use]
pub fn security_config_sealed_path(root: &Path) -> PathBuf {
    root.join("security.sealed")
}

/// Load the system defaults for the vault.
///
/// Returns a baseline configuration upgraded by `/etc/envseal/system.toml` if it exists.
#[must_use]
pub fn load_system_defaults() -> SecurityConfig {
    let mut config = SecurityConfig::default();
    apply_system_overrides(&mut config);
    config
}

/// Load the security config from disk, or return default if not found.
///
/// The config file is HMAC-signed. If the signature is invalid,
/// returns `PolicyTampered` to prevent an attacker from modifying
/// the security config to downgrade protections.
pub fn load_config(root: &Path, master_key: &[u8; 32]) -> Result<SecurityConfig, Error> {
    // Audit L11: cap the sealed-config read at 10 MiB. The actual
    // serialized config is on the order of hundreds of bytes; 10
    // MiB is a 100,000x safety margin and stops a /dev/zero
    // substitution from making envseal allocate unbounded memory.
    const MAX_SEALED_CONFIG_BYTES: u64 = 10 * 1024 * 1024;

    let lock_path = root.join("security.lock");
    crate::guard::verify_not_symlink(&lock_path)?;
    let _lock = advisory_lock::acquire(&lock_path, false)?;
    let mut config = load_system_defaults();

    // Try the canonical sealed file first.
    let sealed_path = security_config_sealed_path(root);
    if sealed_path.exists() {
        crate::guard::verify_not_symlink(&sealed_path)?;
        let meta = std::fs::metadata(&sealed_path)?;
        if meta.len() > MAX_SEALED_CONFIG_BYTES {
            return Err(Error::PolicyTampered(format!(
                "security.sealed at {} is {} bytes (limit {MAX_SEALED_CONFIG_BYTES}); \
                 refusing to read — a real config is on the order of 1 KiB.",
                sealed_path.display(),
                meta.len(),
            )));
        }
        let blob = std::fs::read(&sealed_path)?;
        let plaintext = sealed_blob::unseal(&blob, master_key, SECURITY_CONFIG_DOMAIN)?;
        let body = std::str::from_utf8(&plaintext)
            .map_err(|e| Error::PolicyTampered(format!("security.sealed not utf-8: {e}")))?;
        config = toml::from_str(body)
            .map_err(|e| Error::PolicyTampered(format!("security.sealed parse failed: {e}")))?;
    } else {
        // v0.2.x back-compat: plaintext security.toml + HMAC
        // comment. The next save_config call will migrate by
        // writing security.sealed and deleting this file.
        let path = security_config_path(root);
        crate::guard::verify_not_symlink(&path)?;
        if path.exists() {
            let content = std::fs::read_to_string(&path)?;
            let (body, expected_hmac) = split_signed_content(&content)?;
            let computed = compute_hmac(master_key, body.as_bytes())?;
            if !crate::guard::constant_time_eq(computed.as_bytes(), expected_hmac.as_bytes()) {
                return Err(Error::PolicyTampered(
                    "security.toml HMAC mismatch (tamper detected)".to_string(),
                ));
            }
            config = toml::from_str(body)
                .map_err(|e| Error::PolicyTampered(format!("security.toml parse failed: {e}")))?;
        }
    }

    // SECURITY: If the loaded config is weaker than the system's
    // default (e.g., files were deleted by an attacker), the
    // enterprise override replay below will re-apply force_lockdown.
    // We also clamp tier so it can never silently drop below
    // Standard without explicit user action.
    if config.tier < SecurityTier::Standard {
        config.tier = SecurityTier::Standard;
    }

    // Replay enterprise-level System Configuration overrides to ensure
    // they supersede the user's local security config.
    // This is the defense against Catch-22 UI Configuration Splitting.
    apply_system_overrides(&mut config);

    Ok(config)
}

/// Persist the security config to disk as an AES-256-GCM sealed
/// blob at `<root>/security.sealed`. AEAD covers both integrity
/// (replaces HMAC) and confidentiality (defeats the v0.2.x leak
/// where reading the file revealed your tier / relay endpoint /
/// signal overrides).
///
/// Migration: if a legacy `security.toml` exists, it is removed
/// AFTER the sealed write succeeds.
pub fn save_config(
    root: &Path,
    config: &SecurityConfig,
    master_key: &[u8; 32],
) -> Result<(), Error> {
    let lock_path = root.join("security.lock");
    crate::guard::verify_not_symlink(&lock_path)?;
    let _lock = advisory_lock::acquire(&lock_path, true)?;
    let body = toml::to_string_pretty(config)
        .map_err(|e| Error::CryptoFailure(format!("failed to serialize security config: {e}")))?;
    let blob = sealed_blob::seal(body.as_bytes(), master_key, SECURITY_CONFIG_DOMAIN)?;

    let sealed_path = security_config_sealed_path(root);
    // Atomic write: temp file + rename so crashes or concurrent
    // writers never leave a truncated config on disk.
    let rnd = rand::random::<u64>();
    let tmp_path = sealed_path.with_extension(format!("sealed.{rnd:016x}.tmp"));
    #[cfg(unix)]
    {
        use std::io::Write;
        use std::os::unix::fs::OpenOptionsExt;
        let mut f = std::fs::OpenOptions::new()
            .create_new(true)
            .write(true)
            .mode(0o600)
            .open(&tmp_path)
            .map_err(Error::StorageIo)?;
        f.write_all(&blob).map_err(Error::StorageIo)?;
        f.sync_all().map_err(Error::StorageIo)?;
    }
    #[cfg(not(unix))]
    {
        // Audit M18: Windows had used `std::fs::write`, which
        // creates the file with whatever ACL the parent directory
        // hands down. On a multi-user box that could leave the
        // sealed config readable by other accounts during the
        // brief window before the rename. We now open with
        // `create_new(true)` (refuses any pre-existing file) and
        // write through that handle. The parent directory's ACL on
        // a per-user `~/.config/envseal/` is already user-only;
        // explicitly setting a DACL with windows_sys is left for a
        // follow-up commit because the std-only path is already a
        // strict improvement over the previous behavior.
        use std::io::Write;
        let mut f = std::fs::OpenOptions::new()
            .create_new(true)
            .write(true)
            .open(&tmp_path)
            .map_err(Error::StorageIo)?;
        f.write_all(&blob).map_err(Error::StorageIo)?;
        f.sync_all().map_err(Error::StorageIo)?;
    }

    std::fs::rename(&tmp_path, &sealed_path)?;

    // Migration: drop the legacy plaintext now that the sealed file
    // is durably on disk. Best-effort — a permission failure here
    // doesn't lose data because the sealed file is canonical.
    let legacy_path = security_config_path(root);
    if legacy_path.exists() {
        let _ = std::fs::remove_file(&legacy_path);
    }

    Ok(())
}

/// Subset of `/etc/envseal/system.toml` we honor. Adding a field
/// here is the entire diff for a new enterprise override.
#[derive(Deserialize)]
struct SysOverride {
    force_lockdown: Option<bool>,
    custom_ui_cmd: Option<String>,
}

/// Apply the enterprise system overrides (`/etc/envseal/system.toml`)
/// onto an existing [`SecurityConfig`]. Used by both initial load and
/// the post-user-config replay so deployment-level decisions can't be
/// silently undone by a per-vault `security.toml`.
fn apply_system_overrides(config: &mut SecurityConfig) {
    let sys_path = Path::new("/etc/envseal/system.toml");
    if !sys_path.exists() {
        return;
    }
    if crate::guard::verify_not_symlink(sys_path).is_err() {
        return;
    }
    // Audit L13: refuse to honor /etc/envseal/system.toml unless it
    // is owned by root (uid 0) and not group/world writable. This
    // is a *system-wide enterprise override* — its whole purpose is
    // to be authoritative over per-user config. If a non-privileged
    // user can modify it, the privilege gradient is inverted.
    #[cfg(unix)]
    {
        use std::os::unix::fs::MetadataExt;
        let Ok(meta) = std::fs::metadata(sys_path) else {
            return;
        };
        if meta.uid() != 0 {
            // Not root-owned. Treat as missing.
            return;
        }
        // 0o022 = group-write or world-write. Either makes the file
        // forgeable by a non-root local user, defeating the override.
        if meta.mode() & 0o022 != 0 {
            return;
        }
    }
    let Ok(content) = std::fs::read_to_string(sys_path) else {
        return;
    };
    let Ok(sys_overrides) = toml::from_str::<SysOverride>(&content) else {
        return;
    };

    if sys_overrides.force_lockdown == Some(true) {
        config.apply_preset(SecurityTier::Lockdown);
    }
    if sys_overrides.custom_ui_cmd.is_some() {
        config.custom_ui_cmd = sys_overrides.custom_ui_cmd;
    }
}

/// Compute HMAC-SHA256 for content signing.
fn compute_hmac(key: &[u8; 32], data: &[u8]) -> Result<String, Error> {
    use hmac::{Hmac, Mac};
    use sha2::Sha256;

    type HmacSha256 = Hmac<Sha256>;

    let hmac_key = crate::keychain::derive_hmac_key(key)?;
    let mut mac = HmacSha256::new_from_slice(&hmac_key)
        .map_err(|e| Error::CryptoFailure(format!("HMAC init failed (unexpected): {e}")))?;
    mac.update(data);
    let result = mac.finalize();
    Ok(hex::encode(result.into_bytes()))
}

/// Split signed content into body and HMAC.
fn split_signed_content(content: &str) -> Result<(&str, &str), Error> {
    // HMAC is on the last line: # hmac = "..."
    if let Some(pos) = content.rfind("\n# hmac = \"") {
        let body = &content[..pos];
        let hmac_line = &content[pos..];

        // Extract the hex string between quotes
        if let Some(start) = hmac_line.find('"') {
            if let Some(end) = hmac_line.rfind('"') {
                if start < end {
                    return Ok((body, &hmac_line[start + 1..end]));
                }
            }
        }
    }

    Err(Error::PolicyTampered(
        "security.toml missing HMAC signature".to_string(),
    ))
}

/// Advisory file-locking helper — prevents lost-update races when
/// multiple envseal processes read-modify-write the security config
/// concurrently. Uses `flock` on Unix and `LockFile` on Windows.
///
/// Audit M19: also reused by `execution::context::prepare_execution`
/// for the policy.toml read-modify-save sequence, which had the
/// same lost-update problem.
pub(crate) mod advisory_lock {
    use crate::error::Error;
    use std::fs::File;
    use std::path::Path;

    pub fn acquire(path: &Path, exclusive: bool) -> Result<LockGuard, Error> {
        let file = File::options()
            .create(true)
            .truncate(false)
            .read(true)
            .write(true)
            .open(path)
            .map_err(Error::StorageIo)?;

        #[cfg(unix)]
        {
            use std::os::unix::io::AsRawFd;
            let op = if exclusive {
                libc::LOCK_EX
            } else {
                libc::LOCK_SH
            };
            let rc = unsafe { libc::flock(file.as_raw_fd(), op) };
            if rc != 0 {
                return Err(Error::StorageIo(std::io::Error::last_os_error()));
            }
        }

        #[cfg(windows)]
        {
            use std::os::windows::io::AsRawHandle;
            use windows_sys::Win32::Storage::FileSystem::LockFile;
            unsafe {
                let handle = file.as_raw_handle();
                if LockFile(handle, 0, 0, 0xFFFF_FFFF, 0xFFFF_FFFF) == 0 {
                    return Err(Error::StorageIo(std::io::Error::last_os_error()));
                }
            }
            let _ = exclusive; // Windows LockFile is always exclusive for our range
        }

        #[cfg(not(any(unix, windows)))]
        {
            let _ = exclusive;
        }

        Ok(LockGuard(file))
    }

    pub struct LockGuard(File);

    impl Drop for LockGuard {
        fn drop(&mut self) {
            #[cfg(unix)]
            {
                use std::os::unix::io::AsRawFd;
                unsafe {
                    libc::flock(self.0.as_raw_fd(), libc::LOCK_UN);
                }
            }

            #[cfg(windows)]
            {
                use std::os::windows::io::AsRawHandle;
                use windows_sys::Win32::Storage::FileSystem::UnlockFile;
                unsafe {
                    let handle = self.0.as_raw_handle();
                    UnlockFile(handle, 0, 0, 0xFFFF_FFFF, 0xFFFF_FFFF);
                }
            }
        }
    }
}