kaish_kernel/
nonce.rs

1//! Confirmation nonce store for dangerous operations.
2//!
3//! Used by the latch system (`set -o latch`) to gate destructive commands
4//! behind a nonce-based confirmation flow. Nonces are time-limited and
5//! reusable within their TTL for idempotent retries.
6//!
7//! Nonces are path-scoped: a nonce issued for `rm fileA` cannot confirm
8//! `rm fileB`. Validation checks both the command and that confirmed paths
9//! are a subset of the authorized paths.
10
11use std::collections::{BTreeSet, HashMap};
12use std::hash::{BuildHasher, Hasher};
13use std::sync::{Arc, Mutex};
14use std::time::{Duration, Instant, SystemTime};
15
16/// What a nonce authorizes: a command and a set of paths.
17#[derive(Debug, Clone)]
18pub struct NonceScope {
19    /// Command name (e.g. "rm", "kaish-trash empty").
20    command: String,
21    /// Authorized paths. Empty means no path constraint (command-only ops).
22    paths: BTreeSet<String>,
23}
24
25impl NonceScope {
26    /// The command this nonce authorizes (e.g. "rm").
27    pub fn command(&self) -> &str {
28        &self.command
29    }
30
31    /// The paths this nonce authorizes. Empty means command-only (no path constraint).
32    pub fn paths(&self) -> &BTreeSet<String> {
33        &self.paths
34    }
35}
36
37/// A store for confirmation nonces with TTL-based expiration.
38///
39/// Nonces are 8-character hex strings that gate dangerous operations.
40/// They remain valid until their TTL expires — not consumed on validation —
41/// making operations idempotent: a retried `rm --confirm=abc123 bigdir/`
42/// works if the nonce hasn't expired.
43#[derive(Clone, Debug)]
44pub struct NonceStore {
45    inner: Arc<Mutex<NonceStoreInner>>,
46    ttl: Duration,
47}
48
49#[derive(Debug)]
50struct NonceStoreInner {
51    /// Map from nonce string to (created_at, scope).
52    nonces: HashMap<String, (Instant, NonceScope)>,
53}
54
55impl NonceStore {
56    /// Create a new nonce store with the default TTL (60 seconds).
57    pub fn new() -> Self {
58        Self::with_ttl(Duration::from_secs(60))
59    }
60
61    /// Create a new nonce store with a custom TTL.
62    pub fn with_ttl(ttl: Duration) -> Self {
63        Self {
64            inner: Arc::new(Mutex::new(NonceStoreInner {
65                nonces: HashMap::new(),
66            })),
67            ttl,
68        }
69    }
70
71    /// Look up a nonce's scope without validating against a command/path.
72    ///
73    /// Returns the scope if the nonce exists and hasn't expired, or an error.
74    /// Useful for embedders building custom confirmation UIs.
75    pub fn lookup(&self, nonce: &str) -> Result<NonceScope, String> {
76        let now = Instant::now();
77        let ttl = self.ttl;
78
79        #[allow(clippy::expect_used)]
80        let inner = self.inner.lock().expect("nonce store poisoned");
81
82        match inner.nonces.get(nonce) {
83            Some((created, scope)) => {
84                if now.duration_since(*created) >= ttl {
85                    Err("nonce expired".to_string())
86                } else {
87                    Ok(scope.clone())
88                }
89            }
90            None => Err("invalid nonce".to_string()),
91        }
92    }
93
94    /// Issue a new nonce for the given command and paths.
95    ///
96    /// Returns an 8-character hex string. Opportunistically GCs expired nonces.
97    pub fn issue(&self, command: &str, paths: &[&str]) -> String {
98        let nonce = generate_nonce();
99        let now = Instant::now();
100        let ttl = self.ttl;
101
102        let scope = NonceScope {
103            command: command.to_string(),
104            paths: paths.iter().map(|p| p.to_string()).collect(),
105        };
106
107        #[allow(clippy::expect_used)]
108        let mut inner = self.inner.lock().expect("nonce store poisoned");
109
110        // Opportunistic GC: remove expired nonces
111        inner.nonces.retain(|_, (created, _)| now.duration_since(*created) < ttl);
112
113        inner.nonces.insert(nonce.clone(), (now, scope));
114        nonce
115    }
116
117    /// Validate a nonce against a command and paths.
118    ///
119    /// Checks that the nonce exists, hasn't expired, the command matches,
120    /// and the confirmed paths are a subset of the authorized paths.
121    ///
122    /// Does NOT consume the nonce — it stays valid until TTL expires.
123    pub fn validate(&self, nonce: &str, command: &str, paths: &[&str]) -> Result<(), String> {
124        let now = Instant::now();
125        let ttl = self.ttl;
126
127        #[allow(clippy::expect_used)]
128        let inner = self.inner.lock().expect("nonce store poisoned");
129
130        match inner.nonces.get(nonce) {
131            Some((created, scope)) => {
132                if now.duration_since(*created) >= ttl {
133                    return Err("nonce expired".to_string());
134                }
135
136                if scope.command != command {
137                    return Err(format!(
138                        "nonce scope mismatch: issued for command '{}', got '{}'",
139                        scope.command, command
140                    ));
141                }
142
143                // Every confirmed path must be in the authorized set.
144                // Short-circuit on first unauthorized path — slices are typically 0-1 elements.
145                if let Some(unauthorized) = paths.iter().find(|p| !scope.paths.contains(**p)) {
146                    return Err(format!(
147                        "nonce scope mismatch: unauthorized path '{}' (authorized: {:?})",
148                        unauthorized,
149                        scope.paths.iter().collect::<Vec<_>>()
150                    ));
151                }
152
153                Ok(())
154            }
155            None => Err("invalid nonce".to_string()),
156        }
157    }
158
159    /// Get the TTL for nonces in this store.
160    pub fn ttl(&self) -> Duration {
161        self.ttl
162    }
163}
164
165impl Default for NonceStore {
166    fn default() -> Self {
167        Self::new()
168    }
169}
170
171/// Generate an 8-character hex nonce using RandomState + SystemTime.
172fn generate_nonce() -> String {
173    let hasher_state = std::collections::hash_map::RandomState::new();
174    let mut hasher = hasher_state.build_hasher();
175
176    // Mix in current time for uniqueness
177    let now = SystemTime::now()
178        .duration_since(SystemTime::UNIX_EPOCH)
179        .unwrap_or_default();
180    hasher.write_u128(now.as_nanos());
181
182    // Mix in a second RandomState for additional entropy
183    let hasher_state2 = std::collections::hash_map::RandomState::new();
184    let mut hasher2 = hasher_state2.build_hasher();
185    hasher2.write_u64(0xdeadbeef);
186    hasher.write_u64(hasher2.finish());
187
188    format!("{:08x}", hasher.finish() as u32)
189}
190
191#[cfg(test)]
192mod tests {
193    use super::*;
194
195    #[test]
196    fn issue_and_validate() {
197        let store = NonceStore::new();
198        let nonce = store.issue("rm", &["/tmp/important"]);
199        assert_eq!(nonce.len(), 8);
200        assert!(nonce.chars().all(|c| c.is_ascii_hexdigit()));
201
202        let result = store.validate(&nonce, "rm", &["/tmp/important"]);
203        assert!(result.is_ok());
204    }
205
206    #[test]
207    fn idempotent_reuse() {
208        let store = NonceStore::new();
209        let nonce = store.issue("rm", &["bigdir/"]);
210
211        let first = store.validate(&nonce, "rm", &["bigdir/"]);
212        let second = store.validate(&nonce, "rm", &["bigdir/"]);
213        assert!(first.is_ok());
214        assert!(second.is_ok());
215    }
216
217    #[test]
218    fn expired_nonce_fails() {
219        let store = NonceStore::with_ttl(Duration::from_millis(0));
220        let nonce = store.issue("rm", &["ephemeral"]);
221
222        // With 0ms TTL, nonce is immediately expired
223        std::thread::sleep(Duration::from_millis(1));
224        let result = store.validate(&nonce, "rm", &["ephemeral"]);
225        assert_eq!(result, Err("nonce expired".to_string()));
226    }
227
228    #[test]
229    fn invalid_nonce_fails() {
230        let store = NonceStore::new();
231        let result = store.validate("bogus123", "rm", &["anything"]);
232        assert_eq!(result, Err("invalid nonce".to_string()));
233    }
234
235    #[test]
236    fn nonces_are_unique() {
237        let store = NonceStore::new();
238        let a = store.issue("rm", &["first"]);
239        let b = store.issue("rm", &["second"]);
240        assert_ne!(a, b);
241    }
242
243    #[test]
244    fn clone_shares_state() {
245        let store = NonceStore::new();
246        let cloned = store.clone();
247        let nonce = store.issue("rm", &["/shared"]);
248
249        let result = cloned.validate(&nonce, "rm", &["/shared"]);
250        assert!(result.is_ok());
251    }
252
253    #[test]
254    fn gc_cleans_expired() {
255        let store = NonceStore::with_ttl(Duration::from_millis(10));
256        let old_nonce = store.issue("rm", &["old"]);
257
258        std::thread::sleep(Duration::from_millis(20));
259
260        // This issue() triggers GC
261        let _new = store.issue("rm", &["new"]);
262
263        // Old nonce should be gone (GC'd)
264        let result = store.validate(&old_nonce, "rm", &["old"]);
265        assert!(result.is_err());
266    }
267
268    // ── Path-scoping tests ──
269
270    #[test]
271    fn path_mismatch_rejected() {
272        let store = NonceStore::new();
273        let nonce = store.issue("rm", &["fileA.txt"]);
274
275        let result = store.validate(&nonce, "rm", &["fileB.txt"]);
276        assert!(result.is_err());
277        assert!(result.unwrap_err().contains("nonce scope mismatch"));
278    }
279
280    #[test]
281    fn subset_accepted() {
282        let store = NonceStore::new();
283        let nonce = store.issue("rm", &["a.txt", "b.txt", "c.txt"]);
284
285        // Subset of authorized paths — should succeed
286        let result = store.validate(&nonce, "rm", &["a.txt", "b.txt"]);
287        assert!(result.is_ok());
288    }
289
290    #[test]
291    fn superset_rejected() {
292        let store = NonceStore::new();
293        let nonce = store.issue("rm", &["a.txt", "b.txt"]);
294
295        // Superset — c.txt not authorized
296        let result = store.validate(&nonce, "rm", &["a.txt", "b.txt", "c.txt"]);
297        assert!(result.is_err());
298        assert!(result.unwrap_err().contains("unauthorized"));
299    }
300
301    #[test]
302    fn command_mismatch_rejected() {
303        let store = NonceStore::new();
304        let nonce = store.issue("rm", &["file.txt"]);
305
306        let result = store.validate(&nonce, "kaish-trash empty", &[]);
307        assert!(result.is_err());
308        assert!(result.unwrap_err().contains("command"));
309    }
310
311    #[test]
312    fn empty_paths_command_only() {
313        let store = NonceStore::new();
314        let nonce = store.issue("kaish-trash empty", &[]);
315
316        let result = store.validate(&nonce, "kaish-trash empty", &[]);
317        assert!(result.is_ok());
318    }
319
320    #[test]
321    fn empty_paths_rejects_nonempty() {
322        let store = NonceStore::new();
323        let nonce = store.issue("kaish-trash empty", &[]);
324
325        // Nonce was issued with no paths — can't use it to authorize a path
326        let result = store.validate(&nonce, "kaish-trash empty", &["sneaky.txt"]);
327        assert!(result.is_err());
328    }
329
330}
kaish_kernel/nonce.rs

kaish_kernel/
nonce.rs
