The Nest
Explore
0 
use crate::{
    config::{self, Author},
    identity::{self, choose_identity_name, fix_identities, Complete},
};

use std::io::Write;

use anyhow::bail;
use chrono::{DateTime, Utc};
use clap::Parser;
use dialoguer::Confirm;
use keyring::Entry;
use ptree::{print_tree, TreeBuilder};

mod subcmd {
    use anyhow::bail;
    use chrono::{DateTime, Utc};
    use clap::{ArgGroup, Parser};

    fn validate_email(input: &str) -> Result<String, anyhow::Error> {
        if validator::validate_email(input) {
            Ok(input.to_string())
        } else {
            bail!("Invalid email address");
        }
    }

    fn valid_name(input: &str) -> Result<(), anyhow::Error> {
        if input.is_empty() {
            bail!("Name is empty");
        } else {
            Ok(())
        }
    }

    fn name_does_not_exist(input: &str) -> Result<String, anyhow::Error> {
        valid_name(&input)?;

        if crate::identity::Complete::load(input).is_ok() {
            bail!("Name already exists")
        } else {
            Ok(input.to_string())
        }
    }

    fn name_exists(input: &str) -> Result<String, anyhow::Error> {
        valid_name(&input)?;

        if crate::identity::Complete::load(input).is_err() {
            bail!("Name does not exist");
        } else {
            Ok(input.to_string())
        }
    }

    fn parse_expiry(input: &str) -> Result<DateTime<Utc>, anyhow::Error> {
        let parsed_date = dateparser::parse_with_timezone(input, &chrono::offset::Utc);
        if parsed_date.is_err() {
            bail!("Invalid date");
        }

        let date = parsed_date.unwrap();
        if chrono::offset::Utc::now().timestamp_millis() > date.timestamp_millis() {
            bail!("Date is in the past")
        } else {
            Ok(date)
        }
    }

    #[derive(Clone, Parser, Debug)]
    #[clap(group(
        ArgGroup::new("edit-data")
            .multiple(true)
            .args(&["display-name", "email", "expiry", "username", "remote", "name", "password"]),
    ))]
    pub struct New {
        /// Do not automatically link keys with the remote
        #[clap(long = "no-link", display_order = 1)]
        pub no_link: bool,
        /// Abort rather than prompt for input
        #[clap(long = "no-prompt", requires("edit-data"), display_order = 1)]
        pub no_prompt: bool,
        /// Set the username
        #[clap(long = "username", display_order = 3)]
        pub username: Option<String>,
        /// Set the default remote
        #[clap(long = "remote", display_order = 3)]
        pub remote: Option<String>,
        /// Set the display name
        #[clap(long = "display-name", display_order = 3)]
        pub display_name: Option<String>,
        /// Set the email
        #[clap(long = "email", value_parser = validate_email, display_order = 3)]
        pub email: Option<String>,
        /// Set the new identity name
        #[clap(value_parser = name_does_not_exist)]
        pub name: Option<String>,
        /// Set the expiry
        #[clap(long = "expiry", value_parser = parse_expiry, display_order = 3)]
        pub expiry: Option<DateTime<Utc>>,
        /// Encrypt using a password from standard input
        #[clap(long = "read-password", display_order = 2)]
        pub password: bool,
    }

    #[derive(Clone, Parser, Debug)]
    #[clap(group(
        ArgGroup::new("edit-data")
            .multiple(true)
            .args(&["display-name", "email", "new-name", "expiry", "username", "remote", "password"]),
    ))]
    pub struct Edit {
        /// Set the name of the identity to edit
        #[clap(group("name"), value_parser = name_exists)]
        pub old_name: Option<String>,
        /// Do not automatically link keys with the remote
        #[clap(long = "no-link", display_order = 1)]
        pub no_link: bool,
        /// Abort rather than prompt for input
        #[clap(
            long = "no-prompt",
            requires("name"),
            requires("edit-data"),
            display_order = 1
        )]
        pub no_prompt: bool,
        /// Set the username
        #[clap(long = "username", display_order = 3)]
        pub username: Option<String>,
        /// Set the default remote
        #[clap(long = "remote", display_order = 3)]
        pub remote: Option<String>,
        /// Set the display name
        #[clap(long = "display-name", display_order = 3)]
        pub display_name: Option<String>,
        /// Set the email
        #[clap(long = "email", value_parser = validate_email, display_order = 3)]
        pub email: Option<String>,
        /// Set the identity name
        #[clap(long = "new-name", display_order = 3)]
        pub new_name: Option<String>,
        /// Set the expiry
        #[clap(long = "expiry", value_parser = parse_expiry, display_order = 3)]
        pub expiry: Option<DateTime<Utc>>,
        /// Encrypt using a password from standard input
        #[clap(long = "read-password", display_order = 2)]
        pub password: bool,
    }
}

#[derive(Clone, Parser, Debug)]
pub enum SubCommand {
    /// Create a new identity
    New(subcmd::New),
    /// Repair the identity state on disk, including migration from older versions of Pijul
    Repair {
        /// Abort rather than prompt for input
        #[clap(long = "no-prompt")]
        no_prompt: bool,
    },
    /// Prove an identity to the server
    Prove {
        /// Set the name used to prove the identity
        #[clap(long = "name")]
        identity_name: Option<String>,
        /// Abort rather than prompt for input
        #[clap(long = "no-prompt")]
        no_prompt: bool,
    },
    /// Pretty-print all valid identities on disk
    List,
    /// Edit an existing identity
    Edit(subcmd::Edit),
    /// Remove an existing identity
    #[clap(alias = "rm")]
    Remove {
        /// Set the name of the identity to remove
        #[clap(long = "name")]
        identity_name: Option<String>,
        /// Remove the matching identity without confirmation
        #[clap(long = "no-confirm")]
        no_confirm: bool,
    },
}

#[derive(Clone, Parser, Debug)]
pub struct IdentityCommand {
    #[clap(subcommand)]
    subcmd: SubCommand,
    /// Do not verify certificates (use with caution)
    #[clap(long = "no-cert-check", short = 'k')]
    no_cert_check: bool,
}

fn unwrap_args(
    default: Complete,
    identity_name: Option<String>,
    login: Option<String>,
    display_name: Option<String>,
    origin: Option<String>,
    email: Option<String>,
    expiry: Option<DateTime<Utc>>,
    password: bool,
) -> Result<Complete, anyhow::Error> {
    let pw = if password {
        Some(
            dialoguer::Password::with_theme(config::load_theme()?.as_ref())
                .with_prompt("New password")
                .with_confirmation("Confirm password", "Password mismatch")
                .interact()?,
        )
    } else {
        None
    };

    let secret_key = libpijul::key::SKey::generate(expiry);

    Ok(Complete::new(
        identity_name.unwrap_or(default.name),
        identity::Config {
            key_path: None,
            author: Author {
                username: login.unwrap_or(default.config.author.username),
                display_name: display_name.unwrap_or(default.config.author.display_name),
                email: email.unwrap_or(default.config.author.email),
                origin: origin.unwrap_or(default.config.author.origin),
                key_path: None,
            },
        },
        secret_key.public_key(),
        Some(identity::Credentials::new(
            secret_key.save(pw.as_deref()),
            pw,
        )),
    ))
}

impl IdentityCommand {
    pub async fn run(self) -> Result<(), anyhow::Error> {
        let mut stderr = std::io::stderr();
        crate::identity::NO_CERT_CHECK
            .set(self.no_cert_check)
            .unwrap();

        match self.subcmd {
            SubCommand::New(options) => {
                let identity = unwrap_args(
                    Complete::default()?,
                    options.name,
                    options.username,
                    options.display_name,
                    options.remote,
                    options.email,
                    options.expiry,
                    options.password,
                )?;

                identity.create(options.no_prompt, !options.no_link).await?;
            }
            SubCommand::Repair { no_prompt } => fix_identities(no_prompt).await?,
            SubCommand::Prove {
                identity_name,
                no_prompt,
            } => {
                Complete::load(&identity_name.unwrap_or(choose_identity_name(no_prompt).await?))?
                    .prove(self.no_cert_check)
                    .await?;
            }
            SubCommand::List => {
                let identities = Complete::load_all()?;

                if identities.is_empty() {
                    let mut stderr = std::io::stderr();
                    writeln!(
                        stderr,
                        "No identities found. Use `pijul identity new` to create one."
                    )?;
                    writeln!(stderr, "If you have created a key in the past, you may need to migrate via `pijul identity repair`")?;

                    return Ok(());
                }

                let mut tree = TreeBuilder::new("Identities".to_string());
                for identity in identities {
                    tree.begin_child(identity.name.clone());

                    tree.add_empty_child(format!(
                        "Display name: {}",
                        if identity.config.author.display_name.is_empty() {
                            "<NO NAME>"
                        } else {
                            &identity.config.author.display_name
                        }
                    ));

                    tree.add_empty_child(format!(
                        "Email: {}",
                        if identity.config.author.email.is_empty() {
                            "<NO EMAIL>"
                        } else {
                            &identity.config.author.email
                        }
                    ));

                    let username = if identity.config.author.username.is_empty() {
                        "<NO USERNAME>"
                    } else {
                        &identity.config.author.username
                    };

                    let origin = if identity.config.author.origin.is_empty() {
                        "<NO ORIGIN>"
                    } else {
                        &identity.config.author.origin
                    };
                    tree.add_empty_child(format!("Login: {username}@{origin}"));

                    tree.begin_child("Public key".to_string());
                    tree.add_empty_child(format!("Key: {}", identity.public_key.key));
                    tree.add_empty_child(format!("Version: {}", identity.public_key.version));
                    tree.add_empty_child(format!(
                        "Algorithm: {:#?}",
                        identity.public_key.algorithm
                    ));
                    tree.add_empty_child(format!(
                        "Expiry: {}",
                        identity
                            .public_key
                            .expires
                            .map(|date| date.format("%Y-%m-%d %H:%M:%S (UTC)").to_string())
                            .unwrap_or_else(|| "Never".to_string())
                    ));
                    tree.end_child();

                    tree.begin_child("Secret key".to_string());
                    tree.add_empty_child(format!(
                        "Version: {}",
                        identity.secret_key().unwrap().version
                    ));
                    tree.add_empty_child(format!(
                        "Algorithm: {:#?}",
                        identity.secret_key().unwrap().algorithm
                    ));

                    let encryption_message =
                        if let Some(encryption) = identity.secret_key().unwrap().encryption {
                            format!(
                                "{} (Stored in keyring: {})",
                                match encryption {
                                    libpijul::key::Encryption::Aes128(_) => "AES 128-bit",
                                },
                                keyring::Entry::new("pijul", &identity.name)
                                    .get_password()
                                    .is_ok()
                            )
                        } else {
                            String::from("None")
                        };

                    tree.add_empty_child(format!("Encryption: {encryption_message}"));
                    tree.end_child();

                    tree.add_empty_child(format!(
                        "Last updated: {}",
                        identity.last_modified.format("%Y-%m-%d %H:%M:%S (UTC)")
                    ));
                    tree.end_child();
                }

                print_tree(&tree.build())?;
            }
            SubCommand::Edit(options) => {
                let old_id_name = if let Some(id_name) = options.old_name {
                    id_name
                } else {
                    choose_identity_name(options.no_prompt).await?
                };
                writeln!(std::io::stderr(), "Editing identity: {old_id_name}")?;

                let old_identity = Complete::load(&old_id_name)?;
                let cli_args = unwrap_args(
                    old_identity.clone(),
                    options.new_name,
                    options.username,
                    options.display_name,
                    options.remote,
                    options.email,
                    options.expiry,
                    options.password,
                )?;

                let new_identity = if options.no_prompt {
                    cli_args
                } else {
                    cli_args.prompt_changes(true, !options.no_link).await?
                };

                old_identity.replace_with(new_identity)?;
            }
            SubCommand::Remove {
                identity_name,
                no_confirm: no_prompt,
            } => {
                let identity = Complete::load(
                    &identity_name.unwrap_or(choose_identity_name(no_prompt).await?),
                )?;
                let path = config::global_config_dir()
                    .unwrap()
                    .join("identities")
                    .join(&identity.name);

                writeln!(stderr, "Removing identity: {identity} at {path:?}")?;

                // Ask the user to confirm
                if !no_prompt
                    && !Confirm::with_theme(config::load_theme()?.as_ref())
                        .with_prompt("Do you wish to continue?")
                        .default(false)
                        .interact()?
                {
                    bail!("User did not wish to continue");
                }

                // The user has confirmed, safe to continue
                std::fs::remove_dir_all(path)?;
                writeln!(stderr, "Identity removed.")?;

                if identity.secret_key().unwrap().encryption.is_some() {
                    Entry::new("pijul", &identity.name).delete_password()?;
                }
            }
        }

        Ok(())
    }
}