@auths-dev/sdk 0.0.1 → 0.1.0

package/src/artifact.rs

@@ -0,0 +1,217 @@
+use std::io::Read;
+use std::path::PathBuf;
+use std::sync::Arc;
+
+use auths_core::signing::PrefilledPassphraseProvider;
+use auths_core::storage::keychain::{KeyAlias, get_platform_keychain_with_config};
+use auths_sdk::context::AuthsContext;
+use auths_sdk::ports::artifact::{ArtifactDigest, ArtifactError, ArtifactMetadata, ArtifactSource};
+use auths_sdk::signing::{
+    ArtifactSigningParams, SigningKeyMaterial, sign_artifact as sdk_sign_artifact,
+};
+use auths_storage::git::{
+    GitRegistryBackend, RegistryAttestationStorage, RegistryConfig, RegistryIdentityStorage,
+};
+use auths_verifier::clock::SystemClock;
+use napi_derive::napi;
+use sha2::{Digest, Sha256};
+
+use crate::error::format_error;
+use crate::helpers::{make_env_config, resolve_passphrase};
+
+struct FileArtifact {
+    path: PathBuf,
+}
+
+impl ArtifactSource for FileArtifact {
+    fn digest(&self) -> Result<ArtifactDigest, ArtifactError> {
+        let mut file = std::fs::File::open(&self.path)
+            .map_err(|e| ArtifactError::Io(format!("{}: {e}", self.path.display())))?;
+        let mut hasher = Sha256::new();
+        let mut buf = [0u8; 8192];
+        loop {
+            let n = file
+                .read(&mut buf)
+                .map_err(|e| ArtifactError::Io(e.to_string()))?;
+            if n == 0 {
+                break;
+            }
+            hasher.update(&buf[..n]);
+        }
+        Ok(ArtifactDigest {
+            algorithm: "sha256".to_string(),
+            hex: hex::encode(hasher.finalize()),
+        })
+    }
+
+    fn metadata(&self) -> Result<ArtifactMetadata, ArtifactError> {
+        let digest = self.digest()?;
+        let meta = std::fs::metadata(&self.path)
+            .map_err(|e| ArtifactError::Metadata(format!("{}: {e}", self.path.display())))?;
+        Ok(ArtifactMetadata {
+            artifact_type: "file".to_string(),
+            digest,
+            name: self
+                .path
+                .file_name()
+                .map(|n| n.to_string_lossy().to_string()),
+            size: Some(meta.len()),
+        })
+    }
+}
+
+struct BytesArtifact {
+    data: Vec<u8>,
+}
+
+impl ArtifactSource for BytesArtifact {
+    fn digest(&self) -> Result<ArtifactDigest, ArtifactError> {
+        let mut hasher = Sha256::new();
+        hasher.update(&self.data);
+        Ok(ArtifactDigest {
+            algorithm: "sha256".to_string(),
+            hex: hex::encode(hasher.finalize()),
+        })
+    }
+
+    fn metadata(&self) -> Result<ArtifactMetadata, ArtifactError> {
+        let digest = self.digest()?;
+        Ok(ArtifactMetadata {
+            artifact_type: "bytes".to_string(),
+            digest,
+            name: None,
+            size: Some(self.data.len() as u64),
+        })
+    }
+}
+
+#[napi(object)]
+#[derive(Clone)]
+pub struct NapiArtifactResult {
+    pub attestation_json: String,
+    pub rid: String,
+    pub digest: String,
+    pub file_size: i64,
+}
+
+fn build_context_and_sign(
+    artifact: Arc<dyn ArtifactSource>,
+    identity_key_alias: &str,
+    repo_path: &str,
+    passphrase: Option<String>,
+    expires_in: Option<i64>,
+    note: Option<String>,
+) -> napi::Result<NapiArtifactResult> {
+    let passphrase_str = resolve_passphrase(passphrase);
+    let env_config = make_env_config(&passphrase_str, repo_path);
+    let provider = Arc::new(PrefilledPassphraseProvider::new(&passphrase_str));
+    let clock = Arc::new(SystemClock);
+
+    let repo = PathBuf::from(shellexpand::tilde(repo_path).as_ref());
+    let config = RegistryConfig::single_tenant(&repo);
+    let backend = Arc::new(GitRegistryBackend::open_existing(config).map_err(|e| {
+        format_error(
+            "AUTHS_REGISTRY_ERROR",
+            format!("Failed to open registry: {e}"),
+        )
+    })?);
+
+    let keychain = get_platform_keychain_with_config(&env_config)
+        .map_err(|e| format_error("AUTHS_KEYCHAIN_ERROR", format!("Keychain error: {e}")))?;
+    let keychain = Arc::from(keychain);
+
+    let identity_storage = Arc::new(RegistryIdentityStorage::new(&repo));
+    let attestation_storage = Arc::new(RegistryAttestationStorage::new(&repo));
+
+    let alias = KeyAlias::new(identity_key_alias)
+        .map_err(|e| format_error("AUTHS_KEY_NOT_FOUND", format!("Invalid key alias: {e}")))?;
+
+    let ctx = AuthsContext::builder()
+        .registry(backend)
+        .key_storage(keychain)
+        .clock(clock)
+        .identity_storage(identity_storage)
+        .attestation_sink(attestation_storage.clone())
+        .attestation_source(attestation_storage)
+        .passphrase_provider(provider)
+        .build();
+
+    let file_size = artifact
+        .metadata()
+        .map(|m| m.size.unwrap_or(0))
+        .unwrap_or(0) as i64;
+
+    let params = ArtifactSigningParams {
+        artifact,
+        identity_key: Some(SigningKeyMaterial::Alias(alias.clone())),
+        device_key: SigningKeyMaterial::Alias(alias),
+        expires_in: expires_in.map(|s| s as u64),
+        note,
+    };
+
+    let result = sdk_sign_artifact(params, &ctx).map_err(|e| {
+        format_error(
+            "AUTHS_SIGNING_FAILED",
+            format!("Artifact signing failed: {e}"),
+        )
+    })?;
+
+    Ok(NapiArtifactResult {
+        attestation_json: result.attestation_json,
+        rid: result.rid.to_string(),
+        digest: result.digest,
+        file_size,
+    })
+}
+
+#[napi]
+pub fn sign_artifact(
+    file_path: String,
+    identity_key_alias: String,
+    repo_path: String,
+    passphrase: Option<String>,
+    expires_in: Option<i64>,
+    note: Option<String>,
+) -> napi::Result<NapiArtifactResult> {
+    let path = PathBuf::from(shellexpand::tilde(&file_path).as_ref());
+    if !path.exists() {
+        return Err(format_error(
+            "AUTHS_INVALID_INPUT",
+            format!(
+                "Artifact not found: '{file_path}'. Check the path and ensure the file exists."
+            ),
+        ));
+    }
+
+    let artifact = Arc::new(FileArtifact { path });
+    build_context_and_sign(
+        artifact,
+        &identity_key_alias,
+        &repo_path,
+        passphrase,
+        expires_in,
+        note,
+    )
+}
+
+#[napi]
+pub fn sign_artifact_bytes(
+    data: napi::bindgen_prelude::Buffer,
+    identity_key_alias: String,
+    repo_path: String,
+    passphrase: Option<String>,
+    expires_in: Option<i64>,
+    note: Option<String>,
+) -> napi::Result<NapiArtifactResult> {
+    let artifact = Arc::new(BytesArtifact {
+        data: data.to_vec(),
+    });
+    build_context_and_sign(
+        artifact,
+        &identity_key_alias,
+        &repo_path,
+        passphrase,
+        expires_in,
+        note,
+    )
+}

package/src/attestation_query.rs

@@ -0,0 +1,104 @@
+use std::path::PathBuf;
+use std::sync::Arc;
+
+use auths_id::attestation::group::AttestationGroup;
+use auths_id::storage::attestation::AttestationSource;
+use auths_storage::git::{GitRegistryBackend, RegistryAttestationStorage, RegistryConfig};
+use auths_verifier::core::Attestation;
+use auths_verifier::types::DeviceDID;
+use napi_derive::napi;
+
+use crate::error::format_error;
+
+#[napi(object)]
+#[derive(Clone)]
+pub struct NapiAttestation {
+    pub rid: String,
+    pub issuer: String,
+    pub subject: String,
+    pub device_did: String,
+    pub capabilities: Vec<String>,
+    pub signer_type: Option<String>,
+    pub expires_at: Option<String>,
+    pub revoked_at: Option<String>,
+    pub created_at: Option<String>,
+    pub delegated_by: Option<String>,
+    pub json: String,
+}
+
+fn attestation_to_napi(att: &Attestation) -> NapiAttestation {
+    let json = serde_json::to_string(att).unwrap_or_default();
+    NapiAttestation {
+        rid: att.rid.to_string(),
+        issuer: att.issuer.to_string(),
+        subject: att.subject.to_string(),
+        device_did: att.subject.to_string(),
+        capabilities: att.capabilities.iter().map(|c| c.to_string()).collect(),
+        signer_type: att.signer_type.as_ref().map(|s| format!("{s:?}")),
+        expires_at: att.expires_at.map(|t| t.to_rfc3339()),
+        revoked_at: att.revoked_at.map(|t| t.to_rfc3339()),
+        created_at: att.timestamp.map(|t| t.to_rfc3339()),
+        delegated_by: att.delegated_by.as_ref().map(|d| d.to_string()),
+        json,
+    }
+}
+
+fn open_attestation_storage(repo_path: &str) -> napi::Result<Arc<RegistryAttestationStorage>> {
+    let repo = PathBuf::from(shellexpand::tilde(repo_path).as_ref());
+    let config = RegistryConfig::single_tenant(&repo);
+    let _backend = GitRegistryBackend::open_existing(config).map_err(|e| {
+        format_error(
+            "AUTHS_REGISTRY_ERROR",
+            format!("Failed to open registry: {e}"),
+        )
+    })?;
+    Ok(Arc::new(RegistryAttestationStorage::new(&repo)))
+}
+
+#[napi]
+pub fn list_attestations(repo_path: String) -> napi::Result<Vec<NapiAttestation>> {
+    let storage = open_attestation_storage(&repo_path)?;
+    let all = storage.load_all_attestations().map_err(|e| {
+        format_error(
+            "AUTHS_REGISTRY_ERROR",
+            format!("Failed to load attestations: {e}"),
+        )
+    })?;
+    Ok(all.iter().map(attestation_to_napi).collect())
+}
+
+#[napi]
+pub fn list_attestations_by_device(
+    repo_path: String,
+    device_did: String,
+) -> napi::Result<Vec<NapiAttestation>> {
+    let storage = open_attestation_storage(&repo_path)?;
+    let all = storage.load_all_attestations().map_err(|e| {
+        format_error(
+            "AUTHS_REGISTRY_ERROR",
+            format!("Failed to load attestations: {e}"),
+        )
+    })?;
+    let group = AttestationGroup::from_list(all);
+    Ok(group
+        .get(&device_did)
+        .map(|atts| atts.iter().map(attestation_to_napi).collect())
+        .unwrap_or_default())
+}
+
+#[napi]
+pub fn get_latest_attestation(
+    repo_path: String,
+    device_did: String,
+) -> napi::Result<Option<NapiAttestation>> {
+    let storage = open_attestation_storage(&repo_path)?;
+    let all = storage.load_all_attestations().map_err(|e| {
+        format_error(
+            "AUTHS_REGISTRY_ERROR",
+            format!("Failed to load attestations: {e}"),
+        )
+    })?;
+    let group = AttestationGroup::from_list(all);
+    let did = DeviceDID::parse(&device_did).map_err(|e| format_error("AUTHS_INVALID_INPUT", e))?;
+    Ok(group.latest(&did).map(attestation_to_napi))
+}

package/src/audit.rs

@@ -0,0 +1,128 @@
+use std::path::PathBuf;
+
+use auths_infra_git::audit::Git2LogProvider;
+use auths_sdk::ports::git::SignatureStatus;
+use auths_sdk::workflows::audit::AuditWorkflow;
+use napi_derive::napi;
+
+use crate::error::format_error;
+
+fn resolve_repo(repo_path: &str) -> PathBuf {
+    PathBuf::from(shellexpand::tilde(repo_path).as_ref())
+}
+
+fn parse_timestamp(ts: &str) -> Option<chrono::NaiveDateTime> {
+    chrono::NaiveDateTime::parse_from_str(&ts[..19], "%Y-%m-%dT%H:%M:%S").ok()
+}
+
+#[napi]
+pub fn generate_audit_report(
+    target_repo_path: String,
+    auths_repo_path: String,
+    since: Option<String>,
+    until: Option<String>,
+    author: Option<String>,
+    limit: Option<u32>,
+) -> napi::Result<String> {
+    let target = resolve_repo(&target_repo_path);
+    let _auths = resolve_repo(&auths_repo_path);
+    let limit = limit.unwrap_or(500) as usize;
+
+    let provider =
+        Git2LogProvider::open(&target).map_err(|e| format_error("AUTHS_AUDIT_ERROR", e))?;
+
+    let workflow = AuditWorkflow::new(&provider);
+    let report = workflow
+        .generate_report(None, Some(limit))
+        .map_err(|e| format_error("AUTHS_AUDIT_ERROR", e))?;
+
+    let since_filter = since.and_then(|s| {
+        chrono::NaiveDate::parse_from_str(&s, "%Y-%m-%d")
+            .ok()
+            .and_then(|d| d.and_hms_opt(0, 0, 0))
+    });
+    let until_filter = until.and_then(|u| {
+        chrono::NaiveDate::parse_from_str(&u, "%Y-%m-%d")
+            .ok()
+            .and_then(|d| d.and_hms_opt(23, 59, 59))
+    });
+
+    let commits: Vec<serde_json::Value> = report
+        .commits
+        .iter()
+        .filter(|c| {
+            if author.as_ref().is_some_and(|a| c.author_email != *a) {
+                return false;
+            }
+            if since_filter.is_some_and(|since_dt| {
+                parse_timestamp(&c.timestamp).is_some_and(|ct| ct < since_dt)
+            }) {
+                return false;
+            }
+            if until_filter.is_some_and(|until_dt| {
+                parse_timestamp(&c.timestamp).is_some_and(|ct| ct > until_dt)
+            }) {
+                return false;
+            }
+            true
+        })
+        .map(|c| {
+            let (sig_type, signer_did, verified) = match &c.signature_status {
+                SignatureStatus::AuthsSigned { signer_did } => {
+                    (Some("auths"), Some(signer_did.as_str()), Some(true))
+                }
+                SignatureStatus::SshSigned => (Some("ssh"), None, None),
+                SignatureStatus::GpgSigned { verified } => (Some("gpg"), None, Some(*verified)),
+                SignatureStatus::InvalidSignature { .. } => (Some("invalid"), None, Some(false)),
+                SignatureStatus::Unsigned => (None, None, None),
+            };
+            serde_json::json!({
+                "oid": c.hash,
+                "author_name": c.author_name,
+                "author_email": c.author_email,
+                "date": c.timestamp,
+                "message": c.message,
+                "signature_type": sig_type,
+                "signer_did": signer_did,
+                "verified": verified,
+            })
+        })
+        .collect();
+
+    let total = commits.len();
+    let signed = commits
+        .iter()
+        .filter(|c| c["signature_type"] != serde_json::Value::Null)
+        .count();
+    let unsigned = total - signed;
+    let auths_signed = commits
+        .iter()
+        .filter(|c| c["signature_type"] == "auths")
+        .count();
+    let gpg_signed = commits
+        .iter()
+        .filter(|c| c["signature_type"] == "gpg")
+        .count();
+    let ssh_signed = commits
+        .iter()
+        .filter(|c| c["signature_type"] == "ssh")
+        .count();
+    let verification_passed = commits.iter().filter(|c| c["verified"] == true).count();
+    let verification_failed = signed - verification_passed;
+
+    let result = serde_json::json!({
+        "commits": commits,
+        "summary": {
+            "total_commits": total,
+            "signed_commits": signed,
+            "unsigned_commits": unsigned,
+            "auths_signed": auths_signed,
+            "gpg_signed": gpg_signed,
+            "ssh_signed": ssh_signed,
+            "verification_passed": verification_passed,
+            "verification_failed": verification_failed,
+        },
+    });
+
+    serde_json::to_string(&result).map_err(|e| format_error("AUTHS_AUDIT_ERROR", e))
+}

package/src/commit_sign.rs

@@ -0,0 +1,63 @@
+use std::path::PathBuf;
+use std::sync::Arc;
+
+use auths_core::signing::PrefilledPassphraseProvider;
+use auths_core::storage::keychain::get_platform_keychain_with_config;
+use auths_sdk::workflows::signing::{
+    CommitSigningContext, CommitSigningParams, CommitSigningWorkflow,
+};
+use napi_derive::napi;
+
+use crate::error::format_error;
+use crate::helpers::{make_env_config, resolve_passphrase};
+
+#[napi(object)]
+#[derive(Clone)]
+pub struct NapiCommitSignPemResult {
+    pub signature_pem: String,
+    pub method: String,
+    pub namespace: String,
+}
+
+#[napi]
+pub fn sign_commit(
+    data: napi::bindgen_prelude::Buffer,
+    identity_key_alias: String,
+    repo_path: String,
+    passphrase: Option<String>,
+) -> napi::Result<NapiCommitSignPemResult> {
+    let passphrase_str = resolve_passphrase(passphrase);
+    let env_config = make_env_config(&passphrase_str, &repo_path);
+    let provider = Arc::new(PrefilledPassphraseProvider::new(&passphrase_str));
+
+    let keychain = get_platform_keychain_with_config(&env_config)
+        .map_err(|e| format_error("AUTHS_KEYCHAIN_ERROR", format!("Keychain error: {e}")))?;
+    let keychain = Arc::from(keychain);
+
+    let repo = PathBuf::from(shellexpand::tilde(&repo_path).as_ref());
+
+    let params =
+        CommitSigningParams::new(&identity_key_alias, "git", data.to_vec()).with_repo_path(repo);
+
+    let signing_ctx = CommitSigningContext {
+        key_storage: keychain,
+        passphrase_provider: provider,
+        agent_signing: Arc::new(auths_sdk::ports::agent::NoopAgentProvider),
+    };
+
+    #[allow(clippy::disallowed_methods)] // Presentation boundary
+    let now = chrono::Utc::now();
+
+    let pem = CommitSigningWorkflow::execute(&signing_ctx, params, now).map_err(|e| {
+        format_error(
+            "AUTHS_SIGNING_FAILED",
+            format!("Commit signing failed: {e}"),
+        )
+    })?;
+
+    Ok(NapiCommitSignPemResult {
+        signature_pem: pem,
+        method: "direct".to_string(),
+        namespace: "git".to_string(),
+    })
+}