feat: Login with Internet Identity

Cargo.toml

@@ -21,6 +21,8 @@ assert_cmd = "2"
 async-dropper = { version = "0.3.0", features = ["tokio", "simple"] }
 async-trait = "0.1.88"
 axoupdater = "0.10.0"
+axum = "0.8"
+base64 = "0.22"
 backoff = { version = "0.4", features = ["tokio"] }
 bigdecimal = "0.4.10"
 bip32 = "0.5.0"
@@ -67,6 +69,7 @@ mockall = "0.14.0"
 nix = { version = "0.31.2", features = ["process", "signal"] }
 notify = "8.2.0"
 num-bigint = "0.4.6"
+open = "5"
 num-integer = "0.1.46"
 num-traits = "0.2.19"
 p256 = { version = "0.13.2", features = ["pem", "pkcs8", "std"] }

crates/icp-cli/Cargo.toml

@@ -15,7 +15,9 @@ anstyle.workspace = true
 anyhow.workspace = true
 async-trait.workspace = true
 axoupdater.workspace = true
+axum.workspace = true
 backoff.workspace = true
+base64.workspace = true
 bigdecimal.workspace = true
 bip32.workspace = true
 byte-unit.workspace = true
@@ -47,6 +49,7 @@ lazy_static.workspace = true
 num-bigint.workspace = true
 num-integer.workspace = true
 num-traits.workspace = true
+open.workspace = true
 p256.workspace = true
 pem.workspace = true
 phf.workspace = true

crates/icp-cli/src/commands/identity/import.rs

@@ -106,7 +106,7 @@ pub(crate) async fn exec(ctx: &Context, args: &ImportArgs) -> Result<(), anyhow:
         unreachable!();
     }
 
-    info!("Identity \"{}\" created", args.name);
+    info!("Identity `{}` created", args.name);
 
     if matches!(args.storage, StorageMode::Plaintext) {
         warn!(

crates/icp-cli/src/commands/identity/link/hsm.rs

@@ -60,7 +60,7 @@ pub(crate) async fn exec(ctx: &Context, args: &HsmArgs) -> Result<(), HsmError>
         .await?
         .context(LinkHsmSnafu)?;
 
-    info!("Identity \"{}\" linked to HSM", args.name);
+    info!("Identity `{}` linked to HSM", args.name);
 
     Ok(())
 }

crates/icp-cli/src/commands/identity/link/ii.rs

@@ -0,0 +1,106 @@
+use clap::Args;
+use dialoguer::Password;
+use elliptic_curve::zeroize::Zeroizing;
+use ic_agent::{Identity as _, export::Principal, identity::BasicIdentity};
+use icp::{context::Context, fs::read_to_string, identity::key, prelude::*};
+use snafu::{ResultExt, Snafu};
+use tracing::{info, warn};
+
+use crate::{commands::identity::StorageMode, operations::ii_poll};
+
+/// Link an Internet Identity to a new identity
+#[derive(Debug, Args)]
+pub(crate) struct IiArgs {
+    /// Name for the linked identity
+    name: String,
+
+    /// Where to store the session private key
+    #[arg(long, value_enum, default_value_t)]
+    storage: StorageMode,
+
+    /// Read the storage password from a file instead of prompting (for --storage password)
+    #[arg(long, value_name = "FILE")]
+    storage_password_file: Option<PathBuf>,
+}
+
+pub(crate) async fn exec(ctx: &Context, args: &IiArgs) -> Result<(), IiError> {
+    let create_format = match args.storage {
+        StorageMode::Plaintext => key::CreateFormat::Plaintext,
+        StorageMode::Keyring => key::CreateFormat::Keyring,
+        StorageMode::Password => {
+            let password = if let Some(path) = &args.storage_password_file {
+                read_to_string(path)
+                    .context(ReadStoragePasswordFileSnafu)?
+                    .trim()
+                    .to_string()
+            } else {
+                Password::new()
+                    .with_prompt("Enter password to encrypt identity")
+                    .with_confirmation("Confirm password", "Passwords do not match")
+                    .interact()
+                    .context(StoragePasswordTermReadSnafu)?
+            };
+            key::CreateFormat::Pbes2 {
+                password: Zeroizing::new(password),
+            }
+        }
+    };
+
+    let secret_key = ic_ed25519::PrivateKey::generate();
+    let identity_key = key::IdentityKey::Ed25519(secret_key.clone());
+    let basic = BasicIdentity::from_raw_key(&secret_key.serialize_raw());
+    let der_public_key = basic.public_key().expect("ed25519 always has a public key");
+
+    let chain = ii_poll::poll_for_delegation(&der_public_key)
+        .await
+        .context(PollSnafu)?;
+
+    let from_key = hex::decode(&chain.public_key).context(DecodeFromKeySnafu)?;
+    let ii_principal = Principal::self_authenticating(&from_key);
+
+    ctx.dirs
+        .identity()?
+        .with_write(async |dirs| {
+            key::link_ii_identity(
+                dirs,
+                &args.name,
+                identity_key,
+                &chain,
+                ii_principal,
+                create_format,
+            )
+        })
+        .await?
+        .context(LinkSnafu)?;
+
+    info!("Identity `{}` linked to Internet Identity", args.name);
+
+    if matches!(args.storage, StorageMode::Plaintext) {
+        warn!(
+            "This identity is stored in plaintext and is not secure. Do not use it for anything of significant value."
+        );
+    }
+
+    Ok(())
+}
+
+#[derive(Debug, Snafu)]
+pub(crate) enum IiError {
+    #[snafu(display("failed to read storage password file"))]
+    ReadStoragePasswordFile { source: icp::fs::IoError },
+
+    #[snafu(display("failed to read storage password from terminal"))]
+    StoragePasswordTermRead { source: dialoguer::Error },
+
+    #[snafu(display("failed during II authentication"))]
+    Poll { source: ii_poll::IiPollError },
+
+    #[snafu(display("invalid public key in delegation chain"))]
+    DecodeFromKey { source: hex::FromHexError },
+
+    #[snafu(transparent)]
+    LockIdentityDir { source: icp::fs::lock::LockError },
+
+    #[snafu(display("failed to link II identity"))]
+    Link { source: key::LinkIiIdentityError },
+}

crates/icp-cli/src/commands/identity/link/mod.rs

@@ -1,9 +1,11 @@
 use clap::Subcommand;
 
 pub(crate) mod hsm;
+pub(crate) mod ii;
 
 /// Link an external key to a new identity
 #[derive(Debug, Subcommand)]
 pub(crate) enum Command {
     Hsm(hsm::HsmArgs),
+    Ii(ii::IiArgs),
 }