cuenv_1password/secrets/

core.rs

//! 1Password WASM SDK `SharedCore` wrapper
//!
//! This module provides a thread-safe wrapper around the 1Password WASM SDK,
//! following the same pattern as the official Go SDK.

// WASM host functions and SDK initialization involve complex setup
#![allow(clippy::too_many_lines)]

use super::wasm;
use cuenv_secrets::SecretError;
use extism::{CurrentPlugin, Function, Manifest, Plugin, UserData, Val, ValType, Wasm};
use std::sync::{LazyLock, Mutex};

/// Global `SharedCore` instance, lazily initialized
static SHARED_CORE: LazyLock<Mutex<Option<SharedCore>>> = LazyLock::new(|| Mutex::new(None));

/// Create host functions required by the 1Password WASM SDK.
///
/// These match the imports expected by the 1Password core WASM module:
/// - `random_fill_imported` (op-extism-core): Generates cryptographically secure random bytes
/// - `unix_time_milliseconds_imported` (op-now): Returns current Unix time in milliseconds
/// - `unix_time_milliseconds_imported` (zxcvbn): Same as above, for password strength checking
/// - `utc_offset_seconds` (op-time): Returns local timezone offset in seconds
#[must_use]
pub fn create_host_functions() -> Vec<Function> {
    use std::time::{SystemTime, UNIX_EPOCH};

    // random_fill_imported: Generate random bytes and return pointer to them in WASM memory
    // Input: i32 (length of bytes to generate)
    // Output: i64 (pointer to the generated bytes in WASM memory)
    let random_fill = Function::new(
        "random_fill_imported",
        [ValType::I32],
        [ValType::I64],
        UserData::new(()),
        |plugin: &mut CurrentPlugin, inputs: &[Val], outputs: &mut [Val], _: UserData<()>| {
            let length = usize::try_from(inputs[0].unwrap_i32()).unwrap_or(0);

            // Generate cryptographically secure random bytes using getrandom (same as Go's crypto/rand)
            let mut bytes = vec![0u8; length];
            getrandom::fill(&mut bytes)
                .map_err(|e| extism::Error::msg(format!("Failed to generate random bytes: {e}")))?;

            // Write bytes to WASM memory using memory_new (equivalent to Go's WriteBytes)
            let handle = plugin
                .memory_new(&bytes)
                .map_err(|e| extism::Error::msg(format!("Failed to write bytes: {e}")))?;

            // WASM memory offsets are always < i64::MAX
            #[expect(clippy::cast_possible_wrap)]
            let offset = handle.offset() as i64;
            outputs[0] = Val::I64(offset);
            Ok(())
        },
    )
    .with_namespace("op-extism-core");

    // unix_time_milliseconds_imported for "op-now" namespace
    // Input: none
    // Output: i64 (current Unix time in milliseconds)
    let time_op_now = Function::new(
        "unix_time_milliseconds_imported",
        [],
        [ValType::I64],
        UserData::new(()),
        |_plugin: &mut CurrentPlugin, _inputs: &[Val], outputs: &mut [Val], _: UserData<()>| {
            // Milliseconds since Unix epoch fits in i64 for foreseeable future
            #[expect(clippy::cast_possible_truncation)]
            let now = SystemTime::now()
                .duration_since(UNIX_EPOCH)
                .unwrap_or_default()
                .as_millis() as i64;
            outputs[0] = Val::I64(now);
            Ok(())
        },
    )
    .with_namespace("op-now");

    // unix_time_milliseconds_imported for "zxcvbn" namespace (password strength)
    let time_zxcvbn = Function::new(
        "unix_time_milliseconds_imported",
        [],
        [ValType::I64],
        UserData::new(()),
        |_plugin: &mut CurrentPlugin, _inputs: &[Val], outputs: &mut [Val], _: UserData<()>| {
            // Milliseconds since Unix epoch fits in i64 for foreseeable future
            #[expect(clippy::cast_possible_truncation)]
            let now = SystemTime::now()
                .duration_since(UNIX_EPOCH)
                .unwrap_or_default()
                .as_millis() as i64;
            outputs[0] = Val::I64(now);
            Ok(())
        },
    )
    .with_namespace("zxcvbn");

    // utc_offset_seconds: Return local timezone offset from UTC in seconds
    // Input: none
    // Output: i64 (offset in seconds)
    let utc_offset = Function::new(
        "utc_offset_seconds",
        [],
        [ValType::I64],
        UserData::new(()),
        |_plugin: &mut CurrentPlugin, _inputs: &[Val], outputs: &mut [Val], _: UserData<()>| {
            // Get local timezone offset using chrono
            let offset_seconds = i64::from(chrono::Local::now().offset().local_minus_utc());
            outputs[0] = Val::I64(offset_seconds);
            Ok(())
        },
    )
    .with_namespace("op-time");

    vec![random_fill, time_op_now, time_zxcvbn, utc_offset]
}

/// `SharedCore` wraps the 1Password WASM plugin for thread-safe access.
///
/// The WASM runtime is single-threaded, so we use a mutex to serialize access.
/// This follows the same pattern as the official 1Password Go SDK.
pub struct SharedCore {
    plugin: Plugin,
}

impl SharedCore {
    /// Get or initialize the shared core.
    ///
    /// On first call, loads the WASM from disk and initializes the plugin.
    /// Subsequent calls return the cached instance.
    ///
    /// # Errors
    ///
    /// Returns an error if:
    /// - The shared core lock cannot be acquired
    /// - The WASM file cannot be loaded
    /// - The Extism plugin fails to initialize
    pub fn get_or_init() -> Result<&'static Mutex<Option<Self>>, SecretError> {
        let mut guard = SHARED_CORE
            .lock()
            .map_err(|_| SecretError::ResolutionFailed {
                name: "onepassword".to_string(),
                message: "Failed to acquire shared core lock".to_string(),
            })?;

        if guard.is_none() {
            let wasm_bytes = wasm::load_onepassword_wasm()?;

            let manifest = Manifest::new([Wasm::data(wasm_bytes)]).with_allowed_hosts(
                ["*.1password.com", "*.1password.ca", "*.1password.eu"]
                    .into_iter()
                    .map(String::from),
            );

            let host_functions = create_host_functions();
            let plugin = Plugin::new(&manifest, host_functions, true).map_err(|e| {
                SecretError::ResolutionFailed {
                    name: "onepassword".to_string(),
                    message: format!("Failed to initialize WASM plugin: {e}"),
                }
            })?;

            *guard = Some(Self { plugin });
            tracing::debug!("1Password WASM plugin initialized");
        }

        // Drop guard before returning static reference
        drop(guard);
        Ok(&SHARED_CORE)
    }

    /// Initialize a new 1Password client.
    ///
    /// Returns a client ID that can be used for subsequent `invoke` calls.
    ///
    /// # Errors
    ///
    /// Returns an error if:
    /// - The client configuration cannot be serialized
    /// - The WASM `init_client` call fails
    /// - The response cannot be parsed
    /// - 1Password returns an authentication error
    pub fn init_client(&mut self, token: &str) -> Result<u64, SecretError> {
        // Map Rust OS/arch names to Go equivalents (what 1Password SDK expects)
        let os = match std::env::consts::OS {
            "macos" => "darwin",
            other => other,
        };
        let arch = match std::env::consts::ARCH {
            "aarch64" => "arm64",
            "x86_64" => "amd64",
            other => other,
        };

        // Note: Go SDK uses "0030101" from version-build file
        let config = serde_json::json!({
            "serviceAccountToken": token,
            "programmingLanguage": "Go",  // WASM was compiled from Go SDK
            "sdkVersion": "0030101",  // Must match WASM SDK version file exactly
            "integrationName": "cuenv",
            "integrationVersion": env!("CARGO_PKG_VERSION"),
            "requestLibraryName": "net/http",
            "requestLibraryVersion": "go1.23.0",
            "os": os,
            "osVersion": "0.0.0",
            "architecture": arch,
        });

        let config_bytes =
            serde_json::to_vec(&config).map_err(|e| SecretError::ResolutionFailed {
                name: "onepassword".to_string(),
                message: format!("Failed to serialize config: {e}"),
            })?;

        let result = self
            .plugin
            .call::<_, String>("init_client", config_bytes)
            .map_err(|e| SecretError::ResolutionFailed {
                name: "onepassword".to_string(),
                message: format!("Failed to initialize client: {e}"),
            })?;

        // Parse the response - Go SDK expects either:
        // - On success: a JSON number (uint64 client ID)
        // - On error: a JSON object like {"name": "Auth", "message": "..."}
        let response: serde_json::Value =
            serde_json::from_str(&result).map_err(|e| SecretError::ResolutionFailed {
                name: "onepassword".to_string(),
                message: format!("Failed to parse init_client response: {e}"),
            })?;

        // Check if response is an error object
        if let Some(error_name) = response.get("name") {
            let message = response
                .get("message")
                .and_then(|m| m.as_str())
                .unwrap_or("unknown error");
            return Err(SecretError::ResolutionFailed {
                name: "onepassword".to_string(),
                message: format!("1Password error ({error_name}): {message}"),
            });
        }

        // On success, response is just the client ID as a number
        let client_id = response
            .as_u64()
            .ok_or_else(|| SecretError::ResolutionFailed {
                name: "onepassword".to_string(),
                message: format!("Expected client ID number, got: {result}"),
            })?;

        tracing::debug!(client_id, "1Password client initialized");
        Ok(client_id)
    }

    /// Invoke a method on the 1Password client.
    ///
    /// The method name and parameters depend on the specific operation.
    /// For resolving secrets, use method `SecretsResolve` with the secret reference.
    ///
    /// The `context` parameter is used for error messages to identify which secret failed.
    ///
    /// # Errors
    ///
    /// Returns an error if:
    /// - The invoke request cannot be serialized
    /// - The WASM invoke call fails
    /// - The response cannot be parsed
    /// - 1Password returns an error for the operation
    pub fn invoke(
        &mut self,
        client_id: u64,
        method: &str,
        params: &serde_json::Map<String, serde_json::Value>,
        context: &str,
    ) -> Result<String, SecretError> {
        // Structure matches Go SDK's InvokeConfig exactly:
        // InvokeConfig { Invocation { ClientID, Parameters { MethodName, SerializedParams } } }
        let request = serde_json::json!({
            "invocation": {
                "clientId": client_id,
                "parameters": {
                    "name": method,
                    "parameters": params
                }
            }
        });

        let request_bytes =
            serde_json::to_vec(&request).map_err(|e| SecretError::ResolutionFailed {
                name: context.to_string(),
                message: format!("Failed to serialize invoke request: {e}"),
            })?;

        let result = self
            .plugin
            .call::<_, String>("invoke", request_bytes)
            .map_err(|e| SecretError::ResolutionFailed {
                name: context.to_string(),
                message: format!("1Password invoke failed: {e}"),
            })?;

        // Parse response to check for errors
        let response: serde_json::Value =
            serde_json::from_str(&result).map_err(|e| SecretError::ResolutionFailed {
                name: context.to_string(),
                message: format!("Failed to parse invoke response: {e}"),
            })?;

        // Check if response is an error object
        if let Some(error_name) = response.get("name") {
            let message = response
                .get("message")
                .and_then(|m| m.as_str())
                .unwrap_or("unknown error");
            return Err(SecretError::ResolutionFailed {
                name: context.to_string(),
                message: format!("1Password error ({error_name}): {message}"),
            });
        }

        Ok(result)
    }

    /// Release a 1Password client.
    ///
    /// This should be called when the client is no longer needed.
    pub fn release_client(&mut self, client_id: u64) {
        // Go SDK marshals the client ID to JSON (produces a number like "0")
        if let Ok(client_id_bytes) = serde_json::to_vec(&client_id) {
            let _ = self
                .plugin
                .call::<_, String>("release_client", client_id_bytes);
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_shared_core_lazy_init() {
        // This test just verifies the lazy static compiles
        // Actual WASM loading requires the file to exist
        let _ = &SHARED_CORE;
    }

    #[test]
    fn test_create_host_functions_returns_four_functions() {
        let functions = create_host_functions();
        assert_eq!(functions.len(), 4, "Should create 4 host functions");
    }

    #[test]
    fn test_host_functions_are_valid() {
        // Creating host functions should not panic
        let functions = create_host_functions();

        // We should have exactly 4 functions:
        // 1. random_fill_imported (op-extism-core)
        // 2. unix_time_milliseconds_imported (op-now)
        // 3. unix_time_milliseconds_imported (zxcvbn)
        // 4. utc_offset_seconds (op-time)
        assert_eq!(functions.len(), 4, "Should create exactly 4 host functions");
    }

    #[test]
    fn test_create_host_functions_can_be_created_multiple_times() {
        // Creating host functions should be idempotent
        let first = create_host_functions();
        let second = create_host_functions();
        assert_eq!(first.len(), second.len());
    }

    #[test]
    fn test_shared_core_static_is_mutex() {
        // Verify the static is a mutex (compile-time check)
        let guard = SHARED_CORE.lock();
        assert!(guard.is_ok(), "Should be able to lock the mutex");
        // Guard should be None initially (before get_or_init is called with WASM)
    }

    #[test]
    fn test_os_mapping() {
        // Test the OS mapping logic used in init_client
        let os = match std::env::consts::OS {
            "macos" => "darwin",
            other => other,
        };

        // Should map macos to darwin
        if std::env::consts::OS == "macos" {
            assert_eq!(os, "darwin");
        }
    }

    #[test]
    fn test_arch_mapping() {
        // Test the arch mapping logic used in init_client
        let arch = match std::env::consts::ARCH {
            "aarch64" => "arm64",
            "x86_64" => "amd64",
            other => other,
        };

        // Should map aarch64 to arm64
        if std::env::consts::ARCH == "aarch64" {
            assert_eq!(arch, "arm64");
        }
        // Should map x86_64 to amd64
        if std::env::consts::ARCH == "x86_64" {
            assert_eq!(arch, "amd64");
        }
    }

    #[test]
    fn test_os_mapping_linux() {
        // Test that linux stays as linux
        let os = match "linux" {
            "macos" => "darwin",
            other => other,
        };
        assert_eq!(os, "linux");
    }

    #[test]
    fn test_os_mapping_windows() {
        // Test that windows stays as windows
        let os = match "windows" {
            "macos" => "darwin",
            other => other,
        };
        assert_eq!(os, "windows");
    }

    #[test]
    fn test_arch_mapping_arm() {
        // Test other arch mappings
        let arch = match "arm" {
            "aarch64" => "arm64",
            "x86_64" => "amd64",
            other => other,
        };
        assert_eq!(arch, "arm");
    }

    #[test]
    fn test_arch_mapping_riscv() {
        let arch = match "riscv64" {
            "aarch64" => "arm64",
            "x86_64" => "amd64",
            other => other,
        };
        assert_eq!(arch, "riscv64");
    }

    #[test]
    fn test_host_functions_creates_random_fill() {
        // Verify host functions are created successfully
        let functions = create_host_functions();
        // The functions list should contain 4 entries
        assert_eq!(functions.len(), 4);
    }

    #[test]
    fn test_create_host_functions_no_side_effects() {
        // Creating host functions should not have side effects
        let _functions1 = create_host_functions();
        let _functions2 = create_host_functions();
        // Both should succeed without issues
    }

    #[test]
    fn test_shared_core_mutex_initial_state() {
        // The shared core mutex should be lockable
        let guard = SHARED_CORE.lock();
        assert!(guard.is_ok());
        let inner = guard.unwrap();
        // Initially None until get_or_init is called with valid WASM
        // We just verify it's accessible
        let _ = inner.is_none() || inner.is_some();
    }

    #[test]
    fn test_get_or_init_without_wasm_returns_error() {
        // If WASM is not available and ONEPASSWORD_WASM_PATH is not set,
        // get_or_init should fail. But we can't guarantee state here,
        // so we just verify it doesn't panic
        let result = SharedCore::get_or_init();
        // Result is either Ok (WASM available) or Err (not available)
        let _ = result.is_ok() || result.is_err();
    }
}