miniroon

cmd_verify.c (3196B)

---

 #include <errno.h>
 #include <assert.h>
 #include <stdbool.h>
 #include <unistd.h>
 #include <sys/select.h>
 
 // for debug prints
 #include <stdio.h>
 
 #include <skalibs/types.h>
 #include <skalibs/strerr.h>
 #include <skalibs/djbunix.h>
 #include <skalibs/exec.h>
 #include <skalibs/netstring.h>
 #include <skalibs/uint64.h>
 #include <skalibs/stralloc.h>
 #include <skalibs/env.h>
 
 #include "errors.h"
 #include "verify_common.h"
 #include "bytebuffer.h"
 #include "netstring.h"
 #include "header.h"
 #include "caveats.h"
 #include "miniroon_data.h"
 #include "decode.h"
 #include "fd_util.h"
 
 /* declarations */
 void process_payload(const bytebuffer payload);
 void validate_and_exec(miniroon_data *data);
 void die_on_error(miniroon_error e);
 
 /* definitions */
 #include "die_impl.h"
 
 void validate_and_exec(miniroon_data *md) {
   miniroon_caveats_state state;
   miniroon_caveats_state_init(&state);
   // stralloc env_modif;
 
   for(size_t i=0; i < md->caveat_count; i++) {
     dbg_print_bb1("Validate[1] caveat", md->caveats[i]);
     miniroon_caveat_prepare(md->caveats[i], &state);
   }
   for(size_t i=0; i < md->caveat_count; i++) {
     dbg_print_bb1("Validate[2] caveat", md->caveats[i]);
     miniroon_caveat_validate(md->caveats[i], &state);
   }
 
   /* iff everything validated correctly */
   // TODO: pass unused argv from main() ?
   char cmd[] = "./run";
   const char *cmd_argv[2] = {cmd, 0};
   miniroon_caveats_state_exec(&state, cmd_argv);
 }
 
 void process_payload(const bytebuffer payload) {
   miniroon_data md;
   die_on_error(miniroon_decode(&md, payload));
   validate_and_exec(&md);
   strerr_dief1x(110, "Internal logic error, should not get here");
 }
 
 void read_payload(int payload_fd, const bytebuffer bb) {
   fd_block(payload_fd);
 
   ssize_t payload_read = fd_read(payload_fd, bb.data, bb.len);
   if(payload_read < 0 ) {
     strerr_dief1sys(111, "read(payload)");
   }
   if(payload_read != bb.len) {
     strerr_dief1x(111, "could not read whole payload");
   }
 }
 
 bool parse_fd(char const *arg, int *fd) {
   size_t arg_size = strlen(arg);
   return int_scan(arg, fd) == arg_size;
 }
 
 bool parse_size(char const *arg, size_t *size) {
   size_t arg_size = strlen(arg);
   return size_scan(arg, size) == arg_size;
 }
 
 int main (int argc, char const *const *argv)
 {
   if (argc != 3) {
     strerr_dieusage(100, USAGE);
   }
 
   int payload_fd;
   size_t payload_size;
 
   if(!parse_fd(argv[1], &payload_fd)) {
     strerr_dief1x(100, "could not parse payload fd");
   }
 
   if(!parse_size(argv[2], &payload_size)) {
     strerr_dief1x(100, "could not parse payload length");
   }
 
   char payload_data[payload_size];
   bytebuffer payload = {payload_data, payload_size};
   read_payload(payload_fd, payload);
   fd_close(payload_fd);
 
   dbg_print_bb1("Got payload", payload);
   process_payload(payload);
   strerr_dief1x(110, "Internal logic error, should not get here");
   return 110;
 }
 /*
 capability ```
 container/bzr.ccx/123456
 login/tty1/7890
 ```
 - secret
 - execline command
 - env allowlist (re?)
 - max execution count/id (uuidv7?)
 
 ```
 caphdr = [capv0;name;invoke-once]
 c1 = [caphdr;;h1=hmac(secret, caphdr)]
 c2 = [caphdr;[att1];h2=hmac(h1, att1)]
 c3 = [caphdr;[att1;att2];h3=hmac(h2, att2)]
 ```
 */
 
 /*  vim: sts=2 sw=2 et
 */