irosh 0.2.0

SSH sessions over Iroh peer-to-peer transport
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373

//! Trust on First Use (TOFU) and peer authorization storage.

use std::fs;
use std::path::{Path, PathBuf};

use russh::keys::ssh_key::PublicKey;

use crate::config::StateConfig;
use crate::error::{Result, StorageError};

use serde::{Deserialize, Serialize};

/// The specific occurrence in the trust layer.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub enum TrustEventKind {
    /// A new server host key was permanently saved.
    ServerKeyLearned,
    /// A client identity was permanently authorized.
    ClientKeyAuthorized,
}

/// Indicates the result of a trust action.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct TrustEvent {
    /// The kind of trust event that occurred.
    pub kind: TrustEventKind,
    /// The file path where the trust record was recorded.
    pub path: PathBuf,
}

/// Represents the state of a single trust record.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct TrustRecord {
    /// True if the record is present on disk.
    pub exists: bool,
    /// The path monitored for the record.
    pub path: PathBuf,
    /// The raw OpenSSH formatted string of the key, if it exists.
    pub public_key_openssh: Option<String>,
}

/// A comprehensive view of the current trust store.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct TrustSummary {
    /// The state of all known server trust records.
    pub known_servers: Vec<TrustRecord>,
    /// The state of all authorized client trust records.
    pub authorized_clients: Vec<TrustRecord>,
}

/// Ensures the required trust subdirectories exist.
fn ensure_trust_dirs(state: &StateConfig) -> Result<()> {
    let trust_dir = state.root().join("trust");
    let servers_dir = trust_dir.join("servers");
    let clients_dir = trust_dir.join("clients");
    for dir in [&trust_dir, &servers_dir, &clients_dir] {
        if !dir.exists() {
            fs::create_dir_all(dir).map_err(|source| StorageError::DirectoryCreate {
                path: dir.clone(),
                source,
            })?;
        }
    }

    // Legacy migration: if the old single files exist, we don't know the Node ID yet,
    // so we leave them intact. In the future, we could attempt to migrate them.
    Ok(())
}

fn server_key_path(state: &StateConfig, node_id: &str) -> PathBuf {
    let safe_id = node_id.replace(['/', '\\', '.', ':'], "_");
    state
        .root()
        .join("trust")
        .join("servers")
        .join(format!("{}.pub", safe_id))
}

fn client_key_path(state: &StateConfig, node_id: &str) -> PathBuf {
    let safe_id = node_id.replace(['/', '\\', '.', ':'], "_");
    state
        .root()
        .join("trust")
        .join("clients")
        .join(format!("{}.pub", safe_id))
}

fn write_public_key(path: &Path, key: &PublicKey) -> Result<()> {
    let content = key
        .to_openssh()
        .map_err(|source| StorageError::PublicKeyFormat { source })?;
    crate::storage::utils::atomic_write_secure(path, content.as_bytes())
}

/// Loads the pinned server public key for a specific node ID, if one has been trusted in the past.
///
/// This function also checks the legacy single-tenant trust file for backward
/// compatibility.
///
/// # Errors
///
/// Returns an error if a trust file exists but cannot be read or parsed.
pub fn load_known_server(state: &StateConfig, node_id: &str) -> Result<Option<PublicKey>> {
    let path = server_key_path(state, node_id);
    if path.exists() {
        PublicKey::read_openssh_file(&path)
            .map(Some)
            .map_err(|source| {
                StorageError::PublicKeyRead {
                    path: path.clone(),
                    source,
                }
                .into()
            })
    } else {
        // Fallback for legacy single-tenant file
        let legacy_path = state.root().join("trust/known_server.pub");
        if legacy_path.exists() {
            PublicKey::read_openssh_file(&legacy_path)
                .map(Some)
                .map_err(|source| {
                    StorageError::PublicKeyRead {
                        path: legacy_path.clone(),
                        source,
                    }
                    .into()
                })
        } else {
            Ok(None)
        }
    }
}

/// Loads the authorized client public key for a specific node ID, if one has been trusted in the past.
///
/// This function also checks the legacy single-tenant trust file for backward
/// compatibility.
///
/// # Errors
///
/// Returns an error if a trust file exists but cannot be read or parsed.
pub fn load_authorized_client(state: &StateConfig, node_id: &str) -> Result<Option<PublicKey>> {
    let path = client_key_path(state, node_id);
    if path.exists() {
        PublicKey::read_openssh_file(&path)
            .map(Some)
            .map_err(|source| {
                StorageError::PublicKeyRead {
                    path: path.clone(),
                    source,
                }
                .into()
            })
    } else {
        // Fallback for legacy single-tenant file
        let legacy_path = state.root().join("trust/authorized_client.pub");
        if legacy_path.exists() {
            PublicKey::read_openssh_file(&legacy_path)
                .map(Some)
                .map_err(|source| {
                    StorageError::PublicKeyRead {
                        path: legacy_path.clone(),
                        source,
                    }
                    .into()
                })
        } else {
            Ok(None)
        }
    }
}

/// Loads all previously authorized client public keys.
///
/// Invalid individual records are skipped when reading the directory.
///
/// # Errors
///
/// Returns an error if the trust directory itself cannot be read.
/// Loads all previously authorized client public keys along with their Node IDs.
pub fn load_all_authorized_clients(state: &StateConfig) -> Result<Vec<(String, PublicKey)>> {
    let mut keys = Vec::new();

    let clients_dir = state.root().join("trust").join("clients");
    if clients_dir.exists() {
        let entries = fs::read_dir(&clients_dir).map_err(|source| StorageError::DirectoryRead {
            path: clients_dir.clone(),
            source,
        })?;

        for entry in entries {
            let entry = entry.map_err(|source| StorageError::DirectoryEntryRead {
                path: clients_dir.clone(),
                source,
            })?;
            let path = entry.path();
            if path.extension().is_some_and(|ext| ext == "pub") {
                if let Some(stem) = path.file_stem() {
                    let node_id = stem.to_string_lossy().to_string();
                    if let Ok(key) = PublicKey::read_openssh_file(&path) {
                        keys.push((node_id, key));
                    }
                }
            }
        }
    }

    // Fallback for legacy single-tenant file
    let legacy_path = state.root().join("trust/authorized_client.pub");
    if legacy_path.exists() {
        if let Ok(key) = PublicKey::read_openssh_file(&legacy_path) {
            keys.push(("legacy".to_string(), key));
        }
    }

    Ok(keys)
}

/// Saves a server public key permanently, implicitly trusting it for future connections.
///
/// # Errors
///
/// Returns an error if the trust directories cannot be created or if the key
/// cannot be written in OpenSSH format.
pub fn write_known_server(
    state: &StateConfig,
    node_id: &str,
    key: &PublicKey,
) -> Result<TrustEvent> {
    ensure_trust_dirs(state)?;
    let path = server_key_path(state, node_id);
    write_public_key(&path, key)?;
    Ok(TrustEvent {
        kind: TrustEventKind::ServerKeyLearned,
        path,
    })
}

/// Saves a client public key permanently, permitting it to connect.
///
/// # Errors
///
/// Returns an error if the trust directories cannot be created or if the key
/// cannot be written in OpenSSH format.
pub fn write_authorized_client(
    state: &StateConfig,
    node_id: &str,
    key: &PublicKey,
) -> Result<TrustEvent> {
    ensure_trust_dirs(state)?;
    let path = client_key_path(state, node_id);
    write_public_key(&path, key)?;
    Ok(TrustEvent {
        kind: TrustEventKind::ClientKeyAuthorized,
        path,
    })
}

/// Clears the known server trust record for a specific node ID.
///
/// Returns `Ok(false)` if no such record exists.
///
/// # Errors
///
/// Returns an error if removing an existing record fails.
pub fn reset_known_server(state: &StateConfig, node_id: &str) -> Result<bool> {
    remove_if_exists(&server_key_path(state, node_id))
}

/// Clears the authorized client trust record for a specific node ID.
///
/// Returns `Ok(false)` if no such record exists.
///
/// # Errors
///
/// Returns an error if removing an existing record fails.
pub fn reset_authorized_client(state: &StateConfig, node_id: &str) -> Result<bool> {
    remove_if_exists(&client_key_path(state, node_id))
}

fn remove_if_exists(path: &Path) -> Result<bool> {
    match fs::remove_file(path) {
        Ok(()) => Ok(true),
        Err(err) if err.kind() == std::io::ErrorKind::NotFound => Ok(false),
        Err(source) => Err(StorageError::FileDelete {
            path: path.to_path_buf(),
            source,
        }
        .into()),
    }
}

/// Analyzes and returns the state of all current trust records on disk.
///
/// Both per-node trust files and legacy single-tenant files are included when
/// present.
///
/// # Errors
///
/// Returns an error if trust directories or trust files cannot be inspected.
pub fn inspect_trust(state: &StateConfig) -> Result<TrustSummary> {
    let servers_dir = state.root().join("trust").join("servers");
    let clients_dir = state.root().join("trust").join("clients");

    let mut known_servers = read_trust_dir(&servers_dir)?;
    let mut authorized_clients = read_trust_dir(&clients_dir)?;

    // Also inspect legacy files if they exist
    let legacy_server = state.root().join("trust/known_server.pub");
    if legacy_server.exists() {
        known_servers.push(inspect_public_key_record(legacy_server)?);
    }

    let legacy_client = state.root().join("trust/authorized_client.pub");
    if legacy_client.exists() {
        authorized_clients.push(inspect_public_key_record(legacy_client)?);
    }

    Ok(TrustSummary {
        known_servers,
        authorized_clients,
    })
}

fn read_trust_dir(dir: &Path) -> Result<Vec<TrustRecord>> {
    if !dir.exists() {
        return Ok(Vec::new());
    }

    let mut records = Vec::new();
    let entries = fs::read_dir(dir).map_err(|source| StorageError::DirectoryRead {
        path: dir.to_path_buf(),
        source,
    })?;

    for entry in entries {
        let entry = entry.map_err(|source| StorageError::DirectoryEntryRead {
            path: dir.to_path_buf(),
            source,
        })?;
        let path = entry.path();
        if path.extension().is_some_and(|ext| ext == "pub") {
            records.push(inspect_public_key_record(path)?);
        }
    }

    Ok(records)
}

fn inspect_public_key_record(path: PathBuf) -> Result<TrustRecord> {
    if !path.exists() {
        return Ok(TrustRecord {
            exists: false,
            path,
            public_key_openssh: None,
        });
    }

    let key =
        PublicKey::read_openssh_file(&path).map_err(|source| StorageError::PublicKeyRead {
            path: path.clone(),
            source,
        })?;

    Ok(TrustRecord {
        exists: true,
        path,
        public_key_openssh: Some(
            key.to_openssh()
                .map_err(|source| StorageError::PublicKeyFormat { source })?,
        ),
    })
}