@lamalibre/portlama-agent 1.0.20 → 1.0.21

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lamalibre/portlama-agent",
-  "version": "1.0.20",
+  "version": "1.0.21",
   "description": "Tunnel agent for Portlama — manages Chisel tunnel client as a system service",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE.md",

package/src/commands/setup.js

@@ -7,7 +7,6 @@ import { Listr } from 'listr2';
 import chalk from 'chalk';
 import {
   assertSupportedPlatform,
-  isDarwin,
   CHISEL_BIN_DIR,
   AGENT_DIR,
   agentDataDir,
@@ -161,9 +160,7 @@ async function runTokenSetup(flags) {
 
   console.log('');
   console.log(chalk.bold('  Portlama Agent Setup (Token-Based Enrollment)'));
-  console.log(chalk.dim(isDarwin()
-    ? '  Connect this Mac to your Portlama server using a Keychain-bound certificate.'
-    : '  Connect this machine to your Portlama server using a certificate.'));
+  console.log(chalk.dim('  Connect this machine to your Portlama server using a certificate.'));
   console.log('');
 
   let panelUrl = flags.panelUrl;
@@ -185,7 +182,6 @@ async function runTokenSetup(flags) {
     explicitLabel: flags.label,
     agentLabel: null,
     resolvedLabel: null,
-    keychainIdentity: null,
     p12Path: null,
     p12Password: null,
     chiselVersion: null,
@@ -247,20 +243,7 @@ async function runTokenSetup(flags) {
         },
       },
       {
-        title: 'Requesting macOS login password',
-        skip: () => !isDarwin() && 'Not macOS',
-        task: async (_ctx, task) => {
-          task.output = chalk.dim('Required to authorize curl access to the Keychain certificate');
-          ctx._keychainPassword = await prompt('macOS login password (for Keychain access)');
-          if (!ctx._keychainPassword) {
-            throw new Error('Keychain password is required on macOS to grant curl access to the certificate.');
-          }
-          task.output = 'Password received';
-        },
-        rendererOptions: { persistentOutput: true },
-      },
-      {
-        title: isDarwin() ? 'Importing certificate into Keychain' : 'Storing certificate',
+        title: 'Storing certificate',
         task: async (_ctx, task) => {
           const result = await storeEnrolledCert(
             ctx._keyData.keyPath,
@@ -268,16 +251,10 @@ async function runTokenSetup(flags) {
             ctx._caCertPem,
             ctx.resolvedLabel,
             console,
-            { keychainPassword: ctx._keychainPassword },
           );
-          if (result.identity) {
-            ctx.keychainIdentity = result.identity;
-            task.output = `Identity "${result.identity}" imported (non-extractable)`;
-          } else {
-            ctx.p12Path = result.p12Path;
-            ctx.p12Password = result.p12Password;
-            task.output = `Certificate stored at ${result.p12Path}`;
-          }
+          ctx.p12Path = result.p12Path;
+          ctx.p12Password = result.p12Password;
+          task.output = `Certificate stored at ${result.p12Path}`;
         },
         rendererOptions: { persistentOutput: true },
       },
@@ -291,9 +268,7 @@ async function runTokenSetup(flags) {
       {
         title: 'Verifying panel connectivity',
         task: async (_ctx, task) => {
-          const authConfig = ctx.keychainIdentity
-            ? { panelUrl: ctx.panelUrl, authMethod: 'keychain', keychainIdentity: ctx.keychainIdentity }
-            : { panelUrl: ctx.panelUrl, authMethod: 'p12', p12Path: ctx.p12Path, p12Password: ctx.p12Password };
+          const authConfig = { panelUrl: ctx.panelUrl, authMethod: 'p12', p12Path: ctx.p12Path, p12Password: ctx.p12Password };
           const health = await fetchHealth(authConfig);
           task.output = `Panel is reachable (status: ${health.status || 'ok'})`;
         },
@@ -315,9 +290,7 @@ async function runTokenSetup(flags) {
       {
         title: 'Fetching tunnel configuration',
         task: async (_ctx, task) => {
-          const authConfig = ctx.keychainIdentity
-            ? { panelUrl: ctx.panelUrl, authMethod: 'keychain', keychainIdentity: ctx.keychainIdentity }
-            : { panelUrl: ctx.panelUrl, authMethod: 'p12', p12Path: ctx.p12Path, p12Password: ctx.p12Password };
+          const authConfig = { panelUrl: ctx.panelUrl, authMethod: 'p12', p12Path: ctx.p12Path, p12Password: ctx.p12Password };
 
           const agentConfig = await fetchAgentConfig(authConfig);
           ctx.domain = agentConfig.domain;
@@ -376,30 +349,24 @@ async function runTokenSetup(flags) {
         task: async () => {
           const configData = {
             panelUrl: ctx.panelUrl,
+            authMethod: 'p12',
+            p12Path: ctx.p12Path,
+            p12Password: ctx.p12Password,
             agentLabel: ctx.agentLabel,
             domain: ctx.domain,
             chiselVersion: ctx.chiselVersion,
             setupAt: new Date().toISOString(),
           };
 
-          if (ctx.keychainIdentity) {
-            configData.authMethod = 'keychain';
-            configData.keychainIdentity = ctx.keychainIdentity;
-          } else {
-            configData.authMethod = 'p12';
-            configData.p12Path = ctx.p12Path;
-            configData.p12Password = ctx.p12Password;
-          }
-
           await saveAgentConfig(ctx.resolvedLabel, configData);
 
           // Add or update registry entry
           await upsertAgent({
             label: ctx.resolvedLabel,
             panelUrl: ctx.panelUrl,
-            authMethod: configData.authMethod,
-            p12Path: configData.p12Path || null,
-            keychainIdentity: configData.keychainIdentity || null,
+            authMethod: 'p12',
+            p12Path: ctx.p12Path,
+            keychainIdentity: null,
             agentLabel: ctx.agentLabel,
             domain: ctx.domain,
             chiselVersion: ctx.chiselVersion,
@@ -454,7 +421,6 @@ async function runTokenSetupJson(flags) {
     explicitLabel: flags.label,
     agentLabel: null,
     resolvedLabel: null,
-    keychainIdentity: null,
     p12Path: null,
     p12Password: null,
     chiselVersion: null,
@@ -513,7 +479,7 @@ async function runTokenSetupJson(flags) {
     },
     {
       key: 'import_cert',
-      title: isDarwin() ? 'Importing certificate into Keychain' : 'Storing certificate',
+      title: 'Storing certificate',
       fn: async () => {
         const result = await storeEnrolledCert(
           ctx._keyData.keyPath,
@@ -522,12 +488,8 @@ async function runTokenSetupJson(flags) {
           ctx.resolvedLabel,
           { log: () => {}, warn: () => {}, error: () => {} },
         );
-        if (result.identity) {
-          ctx.keychainIdentity = result.identity;
-        } else {
-          ctx.p12Path = result.p12Path;
-          ctx.p12Password = result.p12Password;
-        }
+        ctx.p12Path = result.p12Path;
+        ctx.p12Password = result.p12Password;
       },
     },
     {
@@ -542,9 +504,7 @@ async function runTokenSetupJson(flags) {
       key: 'verify_connectivity',
       title: 'Verifying panel connectivity',
       fn: async () => {
-        const authConfig = ctx.keychainIdentity
-          ? { panelUrl: ctx.panelUrl, authMethod: 'keychain', keychainIdentity: ctx.keychainIdentity }
-          : { panelUrl: ctx.panelUrl, authMethod: 'p12', p12Path: ctx.p12Path, p12Password: ctx.p12Password };
+        const authConfig = { panelUrl: ctx.panelUrl, authMethod: 'p12', p12Path: ctx.p12Path, p12Password: ctx.p12Password };
         await fetchHealth(authConfig);
       },
     },
@@ -560,9 +520,7 @@ async function runTokenSetupJson(flags) {
       key: 'fetch_config',
       title: 'Fetching tunnel configuration',
       fn: async () => {
-        const authConfig = ctx.keychainIdentity
-          ? { panelUrl: ctx.panelUrl, authMethod: 'keychain', keychainIdentity: ctx.keychainIdentity }
-          : { panelUrl: ctx.panelUrl, authMethod: 'p12', p12Path: ctx.p12Path, p12Password: ctx.p12Password };
+        const authConfig = { panelUrl: ctx.panelUrl, authMethod: 'p12', p12Path: ctx.p12Path, p12Password: ctx.p12Password };
 
         const agentConfig = await fetchAgentConfig(authConfig);
         ctx.domain = agentConfig.domain;
@@ -619,29 +577,23 @@ async function runTokenSetupJson(flags) {
       fn: async () => {
         const configData = {
           panelUrl: ctx.panelUrl,
+          authMethod: 'p12',
+          p12Path: ctx.p12Path,
+          p12Password: ctx.p12Password,
           agentLabel: ctx.agentLabel,
           domain: ctx.domain,
           chiselVersion: ctx.chiselVersion,
           setupAt: new Date().toISOString(),
         };
 
-        if (ctx.keychainIdentity) {
-          configData.authMethod = 'keychain';
-          configData.keychainIdentity = ctx.keychainIdentity;
-        } else {
-          configData.authMethod = 'p12';
-          configData.p12Path = ctx.p12Path;
-          configData.p12Password = ctx.p12Password;
-        }
-
         await saveAgentConfig(ctx.resolvedLabel, configData);
 
         await upsertAgent({
           label: ctx.resolvedLabel,
           panelUrl: ctx.panelUrl,
-          authMethod: configData.authMethod,
-          p12Path: configData.p12Path || null,
-          keychainIdentity: configData.keychainIdentity || null,
+          authMethod: 'p12',
+          p12Path: ctx.p12Path,
+          keychainIdentity: null,
           agentLabel: ctx.agentLabel,
           domain: ctx.domain,
           chiselVersion: ctx.chiselVersion,
@@ -664,12 +616,17 @@ async function runTokenSetupJson(flags) {
     process.exit(1);
   }
 
+  // The p12Password transits via stdout pipe to the parent process (Tauri desktop app),
+  // which stores it in the OS credential store. Pipes are not visible in process listings.
+  // This is the same trust boundary as the server provisioner's SCP-based P12 transfer.
   emitJson({
     event: 'complete',
     agent: {
       label: ctx.resolvedLabel,
       panelUrl: ctx.panelUrl,
-      authMethod: ctx.keychainIdentity ? 'keychain' : 'p12',
+      authMethod: 'p12',
+      p12Path: ctx.p12Path,
+      p12Password: ctx.p12Password,
       domain: ctx.domain,
       chiselVersion: ctx.chiselVersion,
     },
@@ -690,9 +647,7 @@ async function runP12Setup(options = {}) {
 
   console.log('');
   console.log(chalk.bold('  Portlama Agent Setup'));
-  console.log(chalk.dim(isDarwin()
-    ? '  Connect this Mac to your Portlama server.'
-    : '  Connect this machine to your Portlama server.'));
+  console.log(chalk.dim('  Connect this machine to your Portlama server.'));
   console.log('');
   console.log(chalk.dim('  The admin must generate an agent certificate from the panel first:'));
   console.log(chalk.dim('    Panel → Certificates → Agent Certificates → Generate'));

package/src/lib/cert-store.js

@@ -1,75 +1,32 @@
 /**
  * Portable certificate storage for token-based enrollment.
  *
- * Dispatches to macOS Keychain or Linux P12 file storage based on process.platform.
+ * Stores enrolled certificates as P12 files on all platforms.
+ * The P12 password is returned to the caller for secure storage
+ * (e.g., macOS Keychain via security-framework, Linux libsecret).
  */
 
 import crypto from 'node:crypto';
 import { writeFile, access, constants } from 'node:fs/promises';
 import path from 'node:path';
 import { execa } from 'execa';
-import { isDarwin, agentDataDir } from './platform.js';
+import { agentDataDir } from './platform.js';
 import { secureDelete } from './keychain.js';
 
 /**
- * Store an enrolled certificate using the platform-appropriate mechanism.
+ * Store an enrolled certificate as a P12 file.
  *
- * - macOS: imports identity into Keychain (non-extractable)
- * - Linux: creates a P12 file at ~/.portlama/client.p12 with mode 0600
+ * Creates a P12 bundle from key + cert + CA at
+ * ~/.portlama/agents/<label>/client.p12 with mode 0600.
  *
  * @param {string} keyPath - Path to the temporary private key PEM
  * @param {string} certPem - PEM-encoded signed certificate
  * @param {string} caCertPem - PEM-encoded CA certificate
  * @param {string} label - Agent label
  * @param {import('pino').Logger | Console} logger
- * @param {{ keychainPassword?: string }} [options]
- * @returns {Promise<{ identity?: string, p12Path?: string, p12Password?: string }>}
+ * @returns {Promise<{ p12Path: string, p12Password: string }>}
  */
-export async function storeEnrolledCert(keyPath, certPem, caCertPem, label, logger, options = {}) {
-  if (isDarwin()) {
-    const { importIdentityToKeychain } = await import('./keychain.js');
-    const { identity } = await importIdentityToKeychain(keyPath, certPem, caCertPem, label, logger, options);
-    return { identity };
-  }
-  return storeP12Linux(keyPath, certPem, caCertPem, label, logger);
-}
-
-/**
- * Check if an enrolled certificate exists.
- * @param {string} label - Agent label
- * @returns {Promise<boolean>}
- */
-export async function enrolledCertExists(label) {
-  if (isDarwin()) {
-    const { keychainIdentityExists } = await import('./keychain.js');
-    return keychainIdentityExists(label);
-  }
-  return linuxP12Exists(label);
-}
-
-/**
- * Remove an enrolled certificate.
- * @param {string} label - Agent label
- */
-export async function removeEnrolledCert(label) {
-  if (isDarwin()) {
-    const { removeKeychainIdentity } = await import('./keychain.js');
-    return removeKeychainIdentity(label);
-  }
-  return removeLinuxP12(label);
-}
-
-// ---------------------------------------------------------------------------
-// Linux — P12 file storage
-// ---------------------------------------------------------------------------
-
-/**
- * Create a P12 from key + cert + CA and store at ~/.portlama/client.p12.
- *
- * Uses the same `-keypbe PBE-SHA1-3DES` parameters as keychain.js for
- * maximum curl compatibility.
- */
-async function storeP12Linux(keyPath, certPem, caCertPem, label, logger) {
+export async function storeEnrolledCert(keyPath, certPem, caCertPem, label, logger) {
   const dataDir = agentDataDir(label);
   const p12Path = path.join(dataDir, 'client.p12');
   const suffix = crypto.randomBytes(8).toString('hex');
@@ -125,7 +82,12 @@ async function storeP12Linux(keyPath, certPem, caCertPem, label, logger) {
   }
 }
 
-async function linuxP12Exists(label) {
+/**
+ * Check if an enrolled certificate exists.
+ * @param {string} label - Agent label
+ * @returns {Promise<boolean>}
+ */
+export async function enrolledCertExists(label) {
   try {
     const p12Path = path.join(agentDataDir(label), 'client.p12');
     await access(p12Path, constants.F_OK);
@@ -135,7 +97,11 @@ async function linuxP12Exists(label) {
   }
 }
 
-async function removeLinuxP12(label) {
+/**
+ * Remove an enrolled certificate.
+ * @param {string} label - Agent label
+ */
+export async function removeEnrolledCert(label) {
   try {
     const p12Path = path.join(agentDataDir(label), 'client.p12');
     await secureDelete(p12Path);

package/src/lib/keychain.js

@@ -4,6 +4,23 @@ import path from 'node:path';
 import { execa } from 'execa';
 import { AGENT_DIR } from './platform.js';
 
+/**
+ * Prompt for the macOS login Keychain password via a native OS dialog.
+ * Uses osascript to display a secure input dialog (hidden answer).
+ * Throws if the user cancels.
+ *
+ * @returns {Promise<string>}
+ */
+async function promptKeychainPassword() {
+  const { stdout } = await execa('osascript', [
+    '-e',
+    'display dialog "Portlama needs your macOS login password to store the agent certificate in your Keychain." default answer "" with hidden answer buttons {"Cancel", "OK"} default button "OK" with title "Portlama — Keychain Access" with icon caution',
+    '-e',
+    'text returned of result',
+  ]);
+  return stdout.trim();
+}
+
 /**
  * Overwrite a file with random bytes, then unlink it.
  * Provides defense-in-depth against key recovery from disk.
@@ -82,10 +99,9 @@ export async function generateKeypairAndCSR(label) {
  * @param {string} caCertPem - PEM-encoded CA certificate
  * @param {string} label - Agent label
  * @param {import('pino').Logger | Console} logger
- * @param {{ keychainPassword?: string }} [options]
  * @returns {Promise<{ identity: string }>}
  */
-export async function importIdentityToKeychain(keyPath, certPem, caCertPem, label, logger, options = {}) {
+export async function importIdentityToKeychain(keyPath, certPem, caCertPem, label, logger) {
   const suffix = crypto.randomBytes(8).toString('hex');
   const certPath = path.join(AGENT_DIR, `.tmp-cert-${suffix}.pem`);
   const caPath = path.join(AGENT_DIR, `.tmp-ca-${suffix}.pem`);
@@ -160,8 +176,8 @@ export async function importIdentityToKeychain(keyPath, certPem, caCertPem, labe
     }
 
     // Set the key partition list so curl can access the identity without prompts.
-    // Requires the login Keychain password — callers should prompt the user for it.
-    const keychainPassword = options.keychainPassword ?? '';
+    // Requires the login Keychain password — prompt via native macOS dialog.
+    const keychainPassword = await promptKeychainPassword();
     try {
       await execa('security', [
         'set-key-partition-list',
@@ -172,11 +188,10 @@ export async function importIdentityToKeychain(keyPath, certPem, caCertPem, labe
         '-l',                  // match by Label (friendly name from -name), not -D (Description)
         identityName,
       ]);
-    } catch (err) {
-      // This can fail if the Keychain is locked or the password is wrong.
-      // The import still succeeded — the user may need to authorize curl manually.
-      logger.warn?.({ err, label }, 'Could not set key partition list — curl may prompt for access') ??
-        logger.log?.(`Warning: Could not set key partition list for ${label}`);
+    } catch {
+      throw new Error(
+        'Could not authorize Keychain access. The macOS login password may be incorrect.',
+      );
     }
 
     return { identity: identityName };