Merge branch 'next/patch' of github.com:Start9Labs/start-os into next/minor

core/startos/src/net/keys.rs

@@ -1,14 +1,22 @@
+use std::collections::BTreeMap;
+
+use clap::ArgMatches;
 use color_eyre::eyre::eyre;
 use models::{Id, InterfaceId, PackageId};
 use openssl::pkey::{PKey, Private};
 use openssl::sha::Sha256;
 use openssl::x509::X509;
 use p256::elliptic_curve::pkcs8::EncodePrivateKey;
-use sqlx::PgExecutor;
+use rpc_toolkit::command;
+use sqlx::{Acquire, PgExecutor};
 use ssh_key::private::Ed25519PrivateKey;
 use torut::onion::{OnionAddressV3, TorSecretKeyV3};
 use zeroize::Zeroize;
 
+use crate::config::{configure, ConfigureContext};
+use crate::context::RpcContext;
+use crate::control::restart;
+use crate::disk::fsck::RequiresReboot;
 use crate::net::ssl::CertPair;
 use crate::prelude::*;
 use crate::util::crypto::ed25519_expand_key;
@@ -271,3 +279,107 @@ pub fn test_keygen() {
     key.tor_key();
     key.openssl_key_nistp256();
 }
+
+fn display_requires_reboot(arg: RequiresReboot, matches: &ArgMatches) {
+    if arg.0 {
+        println!("Server must be restarted for changes to take effect");
+    }
+}
+
+#[command(rename = "rotate-key", display(display_requires_reboot))]
+pub async fn rotate_key(
+    #[context] ctx: RpcContext,
+    #[arg] package: Option<PackageId>,
+    #[arg] interface: Option<InterfaceId>,
+) -> Result<RequiresReboot, Error> {
+    let mut pgcon = ctx.secret_store.acquire().await?;
+    let mut tx = pgcon.begin().await?;
+    if let Some(package) = package {
+        let Some(interface) = interface else {
+            return Err(Error::new(
+                eyre!("Must specify interface"),
+                ErrorKind::InvalidRequest,
+            ));
+        };
+        sqlx::query!(
+            "DELETE FROM tor WHERE package = $1 AND interface = $2",
+            &package,
+            &interface,
+        )
+        .execute(&mut *tx)
+        .await?;
+        sqlx::query!(
+            "DELETE FROM network_keys WHERE package = $1 AND interface = $2",
+            &package,
+            &interface,
+        )
+        .execute(&mut *tx)
+        .await?;
+        let new_key =
+            Key::for_interface(&mut *tx, Some((package.clone(), interface.clone()))).await?;
+        let needs_config = ctx
+            .db
+            .mutate(|v| {
+                let installed = v
+                    .as_package_data_mut()
+                    .as_idx_mut(&package)
+                    .or_not_found(&package)?
+                    .as_installed_mut()
+                    .or_not_found("installed")?;
+                let addrs = installed
+                    .as_interface_addresses_mut()
+                    .as_idx_mut(&interface)
+                    .or_not_found(&interface)?;
+                if let Some(lan) = addrs.as_lan_address_mut().transpose_mut() {
+                    lan.ser(&new_key.local_address())?;
+                }
+                if let Some(lan) = addrs.as_tor_address_mut().transpose_mut() {
+                    lan.ser(&new_key.tor_address().to_string())?;
+                }
+
+                if installed
+                    .as_manifest()
+                    .as_config()
+                    .transpose_ref()
+                    .is_some()
+                {
+                    installed
+                        .as_status_mut()
+                        .as_configured_mut()
+                        .replace(&false)
+                } else {
+                    Ok(false)
+                }
+            })
+            .await?;
+        tx.commit().await?;
+        if needs_config {
+            configure(
+                &ctx,
+                &package,
+                ConfigureContext {
+                    breakages: BTreeMap::new(),
+                    timeout: None,
+                    config: None,
+                    overrides: BTreeMap::new(),
+                    dry_run: false,
+                },
+            )
+            .await?;
+        } else {
+            restart(ctx, package).await?;
+        }
+        Ok(RequiresReboot(false))
+    } else {
+        sqlx::query!("UPDATE account SET tor_key = NULL, network_key = gen_random_bytes(32)")
+            .execute(&mut *tx)
+            .await?;
+        let new_key = Key::for_interface(&mut *tx, None).await?;
+        let url = format!("https://{}", new_key.tor_address()).parse()?;
+        ctx.db
+            .mutate(|v| v.as_server_info_mut().as_tor_address_mut().ser(&url))
+            .await?;
+        tx.commit().await?;
+        Ok(RequiresReboot(true))
+    }
+}

core/startos/src/net/mod.rs

@@ -22,7 +22,7 @@ pub mod wifi;
 
 pub const PACKAGE_CERT_PATH: &str = "/var/lib/embassy/ssl";
 
-#[command(subcommands(tor::tor, dhcp::dhcp, ssl::ssl))]
+#[command(subcommands(tor::tor, dhcp::dhcp, ssl::ssl, keys::rotate_key))]
 pub fn net() -> Result<(), Error> {
     Ok(())
 }

core/startos/src/net/tor.rs

@@ -53,11 +53,6 @@ lazy_static! {
     static ref PROGRESS_REGEX: Regex = Regex::new("PROGRESS=([0-9]+)").unwrap();
 }
 
-#[test]
-fn random_key() {
-    println!("x'{}'", hex::encode(rand::random::<[u8; 32]>()));
-}
-
 #[command(subcommands(list_services, logs, reset))]
 pub fn tor() -> Result<(), Error> {
     Ok(())

core/startos/src/shutdown.rs

@@ -54,6 +54,17 @@ impl Shutdown {
                     tracing::error!("Error Stopping Docker: {}", e);
                     tracing::debug!("{:?}", e);
                 }
+            } else if CONTAINER_TOOL == "podman" {
+                if let Err(e) = Command::new("podman")
+                    .arg("rm")
+                    .arg("-f")
+                    .arg("netdummy")
+                    .invoke(crate::ErrorKind::Docker)
+                    .await
+                {
+                    tracing::error!("Error Stopping Podman: {}", e);
+                    tracing::debug!("{:?}", e);
+                }
             }
             if let Some((guid, datadir)) = &self.export_args {
                 if let Err(e) = export(guid, datadir).await {