pairling 0.0.1 → 0.1.0

package/payload/mac/companiond/pairling_connectd_status.py

@@ -0,0 +1,149 @@
+from __future__ import annotations
+
+import ipaddress
+import json
+import os
+import urllib.parse
+import urllib.request
+from typing import Any
+
+CONNECTD_STATUS_URL = "http://127.0.0.1:7774/status"
+PAIRLING_CONNECT_ROUTE_SOURCE = "pairling_connectd"
+PAIRLING_CONNECT_ROUTE_KIND = "tailnet"
+PAIRLING_CONNECT_PORT = 7773
+
+
+def fetch_connectd_status(timeout_seconds: float = 1.5) -> dict[str, Any]:
+    fixture = os.environ.get("PAIRLING_TEST_CONNECTD_STATUS_JSON")
+    if fixture:
+        payload = json.loads(fixture)
+        return payload if isinstance(payload, dict) else {}
+
+    req = urllib.request.Request(CONNECTD_STATUS_URL, method="GET")
+    try:
+        with urllib.request.urlopen(req, timeout=timeout_seconds) as response:
+            payload = json.loads(response.read().decode("utf-8"))
+    except Exception:
+        return {}
+    return payload if isinstance(payload, dict) else {}
+
+
+def advertised_pairling_connect_routes(status: dict[str, Any]) -> list[dict[str, Any]]:
+    if not isinstance(status, dict) or int(status.get("schema_version") or 0) < 2:
+        return []
+    routes = status.get("advertised_routes") or []
+    if not isinstance(routes, list):
+        return []
+
+    valid_routes: list[dict[str, Any]] = []
+    for route in routes:
+        if not isinstance(route, dict):
+            continue
+        if route.get("source") != PAIRLING_CONNECT_ROUTE_SOURCE:
+            continue
+        if route.get("kind") != PAIRLING_CONNECT_ROUTE_KIND:
+            continue
+        if route.get("status") != "ready":
+            continue
+        host = str(route.get("host") or "").strip()
+        try:
+            port = int(route.get("port") or 0)
+        except (TypeError, ValueError):
+            continue
+        if port != PAIRLING_CONNECT_PORT or not _is_tailnet_host(host):
+            continue
+        base_url = _sanitized_base_url(route.get("base_url"), host, port)
+        if not base_url:
+            continue
+        valid = {
+            "id": str(route.get("id") or "pairling-connect-tailnet"),
+            "kind": PAIRLING_CONNECT_ROUTE_KIND,
+            "source": PAIRLING_CONNECT_ROUTE_SOURCE,
+            "priority": int(route.get("priority") or 100),
+            "base_url": base_url,
+            "host": host,
+            "port": port,
+            "status": "ready",
+        }
+        valid_routes.append(valid)
+    valid_routes.sort(key=lambda item: int(item.get("priority") or 0), reverse=True)
+    return valid_routes
+
+
+def preferred_pairling_connect_base_url(status: dict[str, Any]) -> str | None:
+    routes = advertised_pairling_connect_routes(status)
+    if not routes:
+        return None
+    return str(routes[0]["base_url"])
+
+
+def redacted_connectd_summary(status: dict[str, Any]) -> dict[str, Any]:
+    routes = advertised_pairling_connect_routes(status)
+    return {
+        "schema_version": int(status.get("schema_version") or 0) if isinstance(status, dict) else 0,
+        "status": "ready" if routes else _degraded_status(status),
+        "auth_state": str(status.get("auth_state") or "unknown") if isinstance(status, dict) else "unknown",
+        "route_ready": bool(routes),
+        "route": routes[0] if routes else None,
+        "auth_url_present": bool(status.get("auth_url_present")) if isinstance(status, dict) else False,
+        "tailnet_ip_count": int(status.get("tailnet_ip_count") or 0) if isinstance(status, dict) else 0,
+        "listener_running": bool(status.get("listener_running")) if isinstance(status, dict) else False,
+        "upstream_reachable": bool(status.get("upstream_reachable")) if isinstance(status, dict) else False,
+        "local_pairing_available": True,
+        "next_action": _next_action(status, bool(routes)),
+    }
+
+
+def _degraded_status(status: dict[str, Any]) -> str:
+    if not status:
+        return "connectd_unavailable"
+    if status.get("auth_state") != "authenticated":
+        return "auth_pending" if status.get("auth_url_present") else "auth_unknown"
+    if not status.get("listener_running"):
+        return "listener_down"
+    if not status.get("upstream_reachable"):
+        return "upstream_unreachable"
+    if not status.get("tailnet_ip"):
+        return "no_tailnet_ip"
+    return "route_missing"
+
+
+def _next_action(status: dict[str, Any], route_ready: bool) -> dict[str, str]:
+    if route_ready:
+        return {
+            "id": "pair_iphone",
+            "label": "Pair iPhone",
+            "message": "Scan the Mac pairing code in Pairling.",
+        }
+    if status and status.get("auth_url_present"):
+        return {
+            "id": "authenticate_pairling_connect",
+            "label": "Authenticate Pairling Connect",
+            "message": "Approve Pairling Connect in the browser, then recheck this Mac.",
+        }
+    return {
+        "id": "use_local_pairing",
+        "label": "Use local pairing",
+        "message": "Pair locally now, or retry Pairling Connect after this Mac is ready.",
+    }
+
+
+def _sanitized_base_url(value: Any, host: str, port: int) -> str | None:
+    raw = str(value or f"http://{host}:{port}").strip()
+    try:
+        parsed = urllib.parse.urlparse(raw)
+    except Exception:
+        return None
+    if parsed.scheme != "http" or parsed.hostname != host or parsed.port != port:
+        return None
+    return urllib.parse.urlunparse(("http", f"{host}:{port}", "", "", "", ""))
+
+
+def _is_tailnet_host(host: str) -> bool:
+    if host.endswith(".ts.net"):
+        return True
+    try:
+        ip = ipaddress.ip_address(host)
+    except ValueError:
+        return False
+    return ip.version == 4 and ip in ipaddress.ip_network("100.64.0.0/10")

package/payload/mac/companiond/pairling_devices.py

@@ -0,0 +1,459 @@
+#!/usr/bin/env python3
+"""Per-device token registry for the Pairling Mac runtime."""
+
+from __future__ import annotations
+
+import hashlib
+import json
+import os
+import secrets
+import sqlite3
+import time
+from contextlib import contextmanager
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Any, Iterable
+
+from runtime_contract import DEFAULT_DEVICE_SCOPES
+from runtime_paths import audit_log_path, devices_db_path, install_id_path
+
+
+SQLITE_BUSY_TIMEOUT_MS = int(os.environ.get("PAIRLING_SQLITE_BUSY_TIMEOUT_MS", "5000"))
+
+
+def utc_epoch() -> float:
+    return time.time()
+
+
+def hash_token(token: str) -> str:
+    return hashlib.sha256(token.encode("utf-8")).hexdigest()
+
+
+def generate_token() -> str:
+    return "pld_" + secrets.token_urlsafe(32)
+
+
+def generate_device_id() -> str:
+    return "dev_" + secrets.token_hex(16)
+
+
+def generate_proof_secret() -> str:
+    return "prf_" + secrets.token_urlsafe(32)
+
+
+def _redact_for_audit(value: Any) -> Any:
+    if isinstance(value, dict):
+        redacted: dict[str, Any] = {}
+        for key, item in value.items():
+            lowered = str(key).lower()
+            if any(marker in lowered for marker in ("token", "secret", "proof", "authorization")):
+                redacted[str(key)] = "[redacted]"
+            else:
+                redacted[str(key)] = _redact_for_audit(item)
+        return redacted
+    if isinstance(value, list):
+        return [_redact_for_audit(item) for item in value]
+    return value
+
+
+def _write_private_text(path: Path, text: str) -> None:
+    path.parent.mkdir(parents=True, exist_ok=True)
+    try:
+        os.chmod(path.parent, 0o700)
+    except OSError:
+        pass
+    tmp = path.with_suffix(path.suffix + ".tmp")
+    with tmp.open("w") as fh:
+        fh.write(text)
+        fh.flush()
+        os.fsync(fh.fileno())
+    os.replace(tmp, path)
+    try:
+        os.chmod(path, 0o600)
+    except OSError:
+        pass
+
+
+def load_or_create_install_id(path: Path | None = None) -> str:
+    target = path or install_id_path()
+    try:
+        value = target.read_text().strip()
+        if value:
+            return value
+    except FileNotFoundError:
+        pass
+    value = "inst_" + secrets.token_hex(16)
+    _write_private_text(target, value + "\n")
+    return value
+
+
+@dataclass(frozen=True)
+class DeviceAuthResult:
+    ok: bool
+    status: int
+    reason: str
+    device_id: str | None = None
+    install_id: str | None = None
+    proof_secret: str | None = None
+    scopes: frozenset[str] = frozenset()
+
+    def has_scope(self, scope: str) -> bool:
+        return scope in self.scopes
+
+
+@dataclass(frozen=True)
+class CreatedDevice:
+    device_id: str
+    token: str
+    proof_secret: str
+    scopes: tuple[str, ...]
+    install_id: str
+    relay_device_id: str | None = None
+    attestation_status: str = "none"
+
+
+class DeviceRegistry:
+    def __init__(self, db_path: Path | None = None, audit_path: Path | None = None):
+        self.db_path = db_path or devices_db_path()
+        self.audit_path = audit_path or audit_log_path()
+
+    @contextmanager
+    def connect(self):
+        self.db_path.parent.mkdir(parents=True, exist_ok=True)
+        try:
+            os.chmod(self.db_path.parent, 0o700)
+        except OSError:
+            pass
+        conn = sqlite3.connect(
+            str(self.db_path),
+            timeout=max(SQLITE_BUSY_TIMEOUT_MS, 1) / 1000,
+        )
+        try:
+            conn.row_factory = sqlite3.Row
+            conn.execute("PRAGMA journal_mode=WAL")
+            self._ensure_schema(conn)
+            yield conn
+            conn.commit()
+        except Exception:
+            conn.rollback()
+            raise
+        finally:
+            conn.close()
+        try:
+            os.chmod(self.db_path, 0o600)
+        except OSError:
+            pass
+
+    def _ensure_schema(self, conn: sqlite3.Connection) -> None:
+        conn.execute(
+            """
+            CREATE TABLE IF NOT EXISTS devices (
+                device_id TEXT PRIMARY KEY,
+                device_name TEXT NOT NULL,
+                token_hash TEXT NOT NULL UNIQUE,
+                scopes_json TEXT NOT NULL,
+                install_id TEXT NOT NULL,
+                created_at REAL NOT NULL,
+                last_seen_at REAL,
+                revoked_at REAL
+            )
+            """
+        )
+        existing = {
+            row["name"]
+            for row in conn.execute("PRAGMA table_info(devices)").fetchall()
+        }
+        additive_columns = {
+            "relay_device_id": "ALTER TABLE devices ADD COLUMN relay_device_id TEXT",
+            "attestation_status": "ALTER TABLE devices ADD COLUMN attestation_status TEXT DEFAULT 'none'",
+            "apns_registered_at": "ALTER TABLE devices ADD COLUMN apns_registered_at REAL",
+            "relay_pair_secret_ref": "ALTER TABLE devices ADD COLUMN relay_pair_secret_ref TEXT",
+            "device_display_name": "ALTER TABLE devices ADD COLUMN device_display_name TEXT",
+            "superseded_by_device_id": "ALTER TABLE devices ADD COLUMN superseded_by_device_id TEXT",
+            "proof_secret": "ALTER TABLE devices ADD COLUMN proof_secret TEXT",
+        }
+        for column, statement in additive_columns.items():
+            if column not in existing:
+                conn.execute(statement)
+        conn.execute("CREATE INDEX IF NOT EXISTS idx_devices_token_hash ON devices(token_hash)")
+        conn.execute("CREATE INDEX IF NOT EXISTS idx_devices_relay_device_id ON devices(relay_device_id)")
+        conn.execute(
+            """
+            CREATE TABLE IF NOT EXISTS audit_events (
+                id INTEGER PRIMARY KEY AUTOINCREMENT,
+                ts REAL NOT NULL,
+                event TEXT NOT NULL,
+                device_id TEXT,
+                outcome TEXT NOT NULL,
+                path TEXT,
+                detail_json TEXT NOT NULL
+            )
+            """
+        )
+
+    def create_device(
+        self,
+        *,
+        device_name: str,
+        scopes: Iterable[str] | None = None,
+        install_id: str | None = None,
+        token: str | None = None,
+        proof_secret: str | None = None,
+        device_id: str | None = None,
+        relay_device_id: str | None = None,
+        attestation_status: str = "none",
+        device_display_name: str | None = None,
+        relay_pair_secret_ref: str | None = None,
+    ) -> CreatedDevice:
+        normalized_scopes = tuple(sorted(set(scopes or DEFAULT_DEVICE_SCOPES)))
+        token_value = token or generate_token()
+        proof_secret_value = proof_secret or generate_proof_secret()
+        device_id_value = device_id or generate_device_id()
+        install_id_value = install_id or load_or_create_install_id()
+        attestation_value = attestation_status if attestation_status in {
+            "none",
+            "development",
+            "production",
+            "unsupported",
+            "failed",
+        } else "failed"
+        now = utc_epoch()
+        with self.connect() as conn:
+            if relay_device_id:
+                superseded = conn.execute(
+                    """
+                    SELECT device_id FROM devices
+                    WHERE relay_device_id = ?
+                      AND revoked_at IS NULL
+                    """,
+                    (relay_device_id,),
+                ).fetchall()
+                for row in superseded:
+                    old_device_id = row["device_id"]
+                    conn.execute(
+                        """
+                        UPDATE devices
+                        SET revoked_at = ?, superseded_by_device_id = ?
+                        WHERE device_id = ?
+                        """,
+                        (now, device_id_value, old_device_id),
+                    )
+                    self.record_audit(
+                        "device.superseded",
+                        device_id=old_device_id,
+                        outcome="ok",
+                        detail={
+                            "relay_device_id": relay_device_id,
+                            "new_device_id": device_id_value,
+                            "policy": "relay_repair_supersedes_old_local_token",
+                        },
+                        conn=conn,
+                    )
+            conn.execute(
+                """
+                INSERT INTO devices
+                    (device_id, device_name, token_hash, scopes_json, install_id,
+                     created_at, last_seen_at, revoked_at, relay_device_id,
+                     attestation_status, apns_registered_at, relay_pair_secret_ref,
+                     device_display_name, proof_secret)
+                VALUES (?, ?, ?, ?, ?, ?, NULL, NULL, ?, ?, NULL, ?, ?, ?)
+                """,
+                (
+                    device_id_value,
+                    device_name,
+                    hash_token(token_value),
+                    json.dumps(normalized_scopes),
+                    install_id_value,
+                    now,
+                    relay_device_id,
+                    attestation_value,
+                    relay_pair_secret_ref,
+                    device_display_name or device_name,
+                    proof_secret_value,
+                ),
+            )
+            self.record_audit(
+                "device.created",
+                device_id=device_id_value,
+                outcome="ok",
+                detail={
+                    "scopes": list(normalized_scopes),
+                    "attestation_status": attestation_value,
+                    "relay_device_id": relay_device_id,
+                },
+                conn=conn,
+            )
+        return CreatedDevice(
+            device_id_value,
+            token_value,
+            proof_secret_value,
+            normalized_scopes,
+            install_id_value,
+            relay_device_id,
+            attestation_value,
+        )
+
+    def authenticate(
+        self,
+        token: str | None,
+        *,
+        required_scopes: Iterable[str] = (),
+        path: str | None = None,
+    ) -> DeviceAuthResult:
+        if not token:
+            return DeviceAuthResult(False, 401, "missing_token")
+        required = set(required_scopes)
+        token_hash = hash_token(token)
+        with self.connect() as conn:
+            row = conn.execute(
+                "SELECT * FROM devices WHERE token_hash = ?",
+                (token_hash,),
+            ).fetchone()
+            if row is None:
+                self.record_audit(
+                    "auth.denied",
+                    device_id=None,
+                    outcome="invalid_token",
+                    path=path,
+                    conn=conn,
+                )
+                return DeviceAuthResult(False, 403, "invalid_token")
+            if row["revoked_at"] is not None:
+                self.record_audit(
+                    "auth.denied",
+                    device_id=row["device_id"],
+                    outcome="revoked",
+                    path=path,
+                    conn=conn,
+                )
+                return DeviceAuthResult(False, 403, "revoked")
+            scopes = frozenset(json.loads(row["scopes_json"] or "[]"))
+            missing = sorted(required.difference(scopes))
+            if missing:
+                self.record_audit(
+                    "auth.denied",
+                    device_id=row["device_id"],
+                    outcome="missing_scope",
+                    path=path,
+                    detail={"missing": missing},
+                    conn=conn,
+                )
+                return DeviceAuthResult(
+                    False,
+                    403,
+                    "missing_scope",
+                    device_id=row["device_id"],
+                    install_id=row["install_id"],
+                    proof_secret=row["proof_secret"],
+                    scopes=scopes,
+                )
+            return DeviceAuthResult(
+                True,
+                200,
+                "ok",
+                device_id=row["device_id"],
+                install_id=row["install_id"],
+                proof_secret=row["proof_secret"],
+                scopes=scopes,
+            )
+
+    def revoke_device(self, device_id: str, *, reason: str = "revoked") -> bool:
+        with self.connect() as conn:
+            cur = conn.execute(
+                "UPDATE devices SET revoked_at = ? WHERE device_id = ? AND revoked_at IS NULL",
+                (utc_epoch(), device_id),
+            )
+            changed = cur.rowcount > 0
+            self.record_audit(
+                "device.revoked",
+                device_id=device_id,
+                outcome="ok" if changed else "not_found",
+                detail={"reason": reason},
+                conn=conn,
+            )
+            return changed
+
+    def revoke_devices_named(self, device_name: str, *, reason: str = "revoked") -> int:
+        now = utc_epoch()
+        with self.connect() as conn:
+            rows = conn.execute(
+                "SELECT device_id FROM devices WHERE device_name = ? AND revoked_at IS NULL",
+                (device_name,),
+            ).fetchall()
+            for row in rows:
+                device_id = row["device_id"]
+                conn.execute(
+                    "UPDATE devices SET revoked_at = ? WHERE device_id = ?",
+                    (now, device_id),
+                )
+                self.record_audit(
+                    "device.revoked",
+                    device_id=device_id,
+                    outcome="ok",
+                    detail={"reason": reason, "device_name": device_name},
+                    conn=conn,
+                )
+            return len(rows)
+
+    def rotate_token(self, device_id: str) -> str | None:
+        token = generate_token()
+        with self.connect() as conn:
+            cur = conn.execute(
+                """
+                UPDATE devices
+                SET token_hash = ?, revoked_at = NULL
+                WHERE device_id = ?
+                """,
+                (hash_token(token), device_id),
+            )
+            if cur.rowcount <= 0:
+                self.record_audit(
+                    "device.rotate_token",
+                    device_id=device_id,
+                    outcome="not_found",
+                    conn=conn,
+                )
+                return None
+            self.record_audit(
+                "device.rotate_token",
+                device_id=device_id,
+                outcome="ok",
+                conn=conn,
+            )
+            return token
+
+    def record_audit(
+        self,
+        event: str,
+        *,
+        device_id: str | None,
+        outcome: str,
+        path: str | None = None,
+        detail: dict[str, Any] | None = None,
+        conn: sqlite3.Connection | None = None,
+    ) -> None:
+        audit_detail = _redact_for_audit(detail or {})
+        payload = json.dumps(audit_detail, sort_keys=True)
+        if conn is not None:
+            conn.execute(
+                """
+                INSERT INTO audit_events (ts, event, device_id, outcome, path, detail_json)
+                VALUES (?, ?, ?, ?, ?, ?)
+                """,
+                (utc_epoch(), event, device_id, outcome, path, payload),
+            )
+        self.audit_path.parent.mkdir(parents=True, exist_ok=True)
+        line = json.dumps({
+            "ts": utc_epoch(),
+            "event": event,
+            "device_id": device_id,
+            "outcome": outcome,
+            "path": path,
+            "detail": audit_detail,
+        }, sort_keys=True)
+        with self.audit_path.open("a") as fh:
+            fh.write(line + "\n")
+        try:
+            os.chmod(self.audit_path, 0o600)
+        except OSError:
+            pass