|
| 1 | +// SPDX-License-Identifier: AGPL-3.0-or-later |
| 2 | + |
| 3 | +package main |
| 4 | + |
| 5 | +import ( |
| 6 | + "encoding/binary" |
| 7 | + "encoding/json" |
| 8 | + "fmt" |
| 9 | + "io" |
| 10 | + "os" |
| 11 | + "strconv" |
| 12 | + "time" |
| 13 | + |
| 14 | + "github.com/pilot-protocol/common/driver" |
| 15 | + "github.com/pilot-protocol/common/protocol" |
| 16 | +) |
| 17 | + |
| 18 | +// verifierRequest / verifierResponse mirror pilot-verify's wire protocol: |
| 19 | +// length-prefixed JSON frames exchanged over a Pilot stream on PortVerify. |
| 20 | +// The verifier serves exactly one request/response per connection. |
| 21 | +type verifierRequest struct { |
| 22 | + Op string `json:"op"` // "begin" | "poll" |
| 23 | + Provider string `json:"provider,omitempty"` // begin: "github" | "google" |
| 24 | + NodeID uint32 `json:"node_id,omitempty"` // begin: address to bind the badge to |
| 25 | + FlowID string `json:"flow_id,omitempty"` // poll: handle from begin |
| 26 | +} |
| 27 | + |
| 28 | +type verifierResponse struct { |
| 29 | + OK bool `json:"ok"` |
| 30 | + Error string `json:"error,omitempty"` |
| 31 | + FlowID string `json:"flow_id,omitempty"` |
| 32 | + UserCode string `json:"user_code,omitempty"` |
| 33 | + VerificationURI string `json:"verification_uri,omitempty"` |
| 34 | + Status string `json:"status,omitempty"` // poll: "pending" | "ready" | "error" |
| 35 | + Badge string `json:"badge,omitempty"` |
| 36 | + BadgeSig string `json:"badge_sig,omitempty"` |
| 37 | +} |
| 38 | + |
| 39 | +const verifierMaxFrame = 64 << 10 |
| 40 | + |
| 41 | +func writeVerifierFrame(w io.Writer, v interface{}) error { |
| 42 | + payload, err := json.Marshal(v) |
| 43 | + if err != nil { |
| 44 | + return err |
| 45 | + } |
| 46 | + if len(payload) > verifierMaxFrame { |
| 47 | + return fmt.Errorf("frame too large: %d", len(payload)) |
| 48 | + } |
| 49 | + var hdr [4]byte |
| 50 | + binary.BigEndian.PutUint32(hdr[:], uint32(len(payload))) |
| 51 | + if _, err := w.Write(hdr[:]); err != nil { |
| 52 | + return err |
| 53 | + } |
| 54 | + _, err = w.Write(payload) |
| 55 | + return err |
| 56 | +} |
| 57 | + |
| 58 | +func readVerifierFrame(r io.Reader, v interface{}) error { |
| 59 | + var hdr [4]byte |
| 60 | + if _, err := io.ReadFull(r, hdr[:]); err != nil { |
| 61 | + return err |
| 62 | + } |
| 63 | + n := binary.BigEndian.Uint32(hdr[:]) |
| 64 | + if n > verifierMaxFrame { |
| 65 | + return fmt.Errorf("frame too large: %d", n) |
| 66 | + } |
| 67 | + buf := make([]byte, n) |
| 68 | + if _, err := io.ReadFull(r, buf); err != nil { |
| 69 | + return err |
| 70 | + } |
| 71 | + return json.Unmarshal(buf, v) |
| 72 | +} |
| 73 | + |
| 74 | +// verifierRoundtrip dials the verifier on PortVerify, sends one request, |
| 75 | +// reads one response, and closes — the verifier serves one op per conn. |
| 76 | +func verifierRoundtrip(d *driver.Driver, vaddr string, req verifierRequest) (verifierResponse, error) { |
| 77 | + conn, err := d.Dial(vaddr + ":" + strconv.Itoa(int(protocol.PortVerify))) |
| 78 | + if err != nil { |
| 79 | + return verifierResponse{}, fmt.Errorf("dial verifier %s: %w", vaddr, err) |
| 80 | + } |
| 81 | + defer conn.Close() |
| 82 | + _ = conn.SetWriteDeadline(time.Now().Add(15 * time.Second)) |
| 83 | + _ = conn.SetReadDeadline(time.Now().Add(20 * time.Second)) |
| 84 | + return verifierExchange(conn, req) |
| 85 | +} |
| 86 | + |
| 87 | +// verifierExchange writes one request frame and reads one response frame on an |
| 88 | +// already-open stream (separated from dialing so it is unit-testable). |
| 89 | +func verifierExchange(conn io.ReadWriter, req verifierRequest) (verifierResponse, error) { |
| 90 | + if err := writeVerifierFrame(conn, req); err != nil { |
| 91 | + return verifierResponse{}, err |
| 92 | + } |
| 93 | + var resp verifierResponse |
| 94 | + if err := readVerifierFrame(conn, &resp); err != nil { |
| 95 | + return verifierResponse{}, err |
| 96 | + } |
| 97 | + if !resp.OK { |
| 98 | + return resp, fmt.Errorf("verifier: %s", resp.Error) |
| 99 | + } |
| 100 | + return resp, nil |
| 101 | +} |
| 102 | + |
| 103 | +// resolveVerifierAddr accepts either a literal Pilot address or a hostname to |
| 104 | +// resolve (default "verify"). |
| 105 | +func resolveVerifierAddr(d *driver.Driver, ref string) string { |
| 106 | + if _, err := protocol.ParseAddr(ref); err == nil { |
| 107 | + return ref |
| 108 | + } |
| 109 | + res, err := d.ResolveHostname(ref) |
| 110 | + if err != nil { |
| 111 | + fatalHint("not_found", |
| 112 | + "pass --verifier <address|hostname>, or check the verifier service is registered", |
| 113 | + "cannot resolve verifier %q: %v", ref, err) |
| 114 | + } |
| 115 | + addr, _ := res["address"].(string) |
| 116 | + if addr == "" { |
| 117 | + fatalCode("not_found", "verifier %q resolved with no address", ref) |
| 118 | + } |
| 119 | + return addr |
| 120 | +} |
| 121 | + |
| 122 | +// cmdVerifyProvider runs the self-service device-flow end to end: dial the |
| 123 | +// verifier, start a verification bound to our own address, show the user the |
| 124 | +// device code, poll until they authorize in their browser, then submit the |
| 125 | +// minted badge to the registry through the daemon (proving key ownership). |
| 126 | +// |
| 127 | +// pilotctl verify --provider github [--verifier <address|hostname>] |
| 128 | +func cmdVerifyProvider(flags map[string]string, provider string) { |
| 129 | + verifierRef := flagString(flags, "verifier", "verify") |
| 130 | + |
| 131 | + d := connectDriver() |
| 132 | + defer d.Close() |
| 133 | + info, err := d.Info() |
| 134 | + if err != nil { |
| 135 | + fatalCode("connection_failed", "verify: cannot reach the daemon (is it running?): %v", err) |
| 136 | + } |
| 137 | + nodeF, _ := info["node_id"].(float64) |
| 138 | + if nodeF == 0 { |
| 139 | + fatalCode("internal_error", "verify: daemon has no node id yet (not registered?)") |
| 140 | + } |
| 141 | + |
| 142 | + vaddr := resolveVerifierAddr(d, verifierRef) |
| 143 | + |
| 144 | + begin, err := verifierRoundtrip(d, vaddr, verifierRequest{Op: "begin", Provider: provider, NodeID: uint32(nodeF)}) |
| 145 | + if err != nil { |
| 146 | + fatalCode("connection_failed", "verify begin: %v", err) |
| 147 | + } |
| 148 | + if begin.UserCode == "" || begin.VerificationURI == "" { |
| 149 | + fatalCode("internal_error", "verifier returned no device code") |
| 150 | + } |
| 151 | + |
| 152 | + // Device-code instructions go to stderr so JSON stdout stays clean. |
| 153 | + fmt.Fprintf(os.Stderr, "\nTo verify your address via %s:\n 1. open %s\n 2. enter code: %s\n\nWaiting for authorization (Ctrl-C to cancel)...\n", |
| 154 | + provider, begin.VerificationURI, begin.UserCode) |
| 155 | + |
| 156 | + deadline := time.Now().Add(10 * time.Minute) |
| 157 | + var badge, badgeSig string |
| 158 | + for time.Now().Before(deadline) { |
| 159 | + time.Sleep(5 * time.Second) |
| 160 | + poll, err := verifierRoundtrip(d, vaddr, verifierRequest{Op: "poll", FlowID: begin.FlowID}) |
| 161 | + if err != nil { |
| 162 | + fatalCode("connection_failed", "verify poll: %v", err) |
| 163 | + } |
| 164 | + switch poll.Status { |
| 165 | + case "ready": |
| 166 | + badge, badgeSig = poll.Badge, poll.BadgeSig |
| 167 | + case "error": |
| 168 | + fatalCode("permission_denied", "verification failed: %s", poll.Error) |
| 169 | + } |
| 170 | + if badge != "" { |
| 171 | + break |
| 172 | + } |
| 173 | + } |
| 174 | + if badge == "" { |
| 175 | + fatalCode("deadline_exceeded", "verification timed out; no authorization received") |
| 176 | + } |
| 177 | + |
| 178 | + resp, err := d.SubmitBadge(badge, badgeSig) |
| 179 | + if err != nil { |
| 180 | + fatalCode("connection_failed", "submit badge: %v", err) |
| 181 | + } |
| 182 | + fmt.Fprintf(os.Stderr, "\n✓ Verified via %s — badge submitted.\n", provider) |
| 183 | + output(resp) |
| 184 | +} |
0 commit comments