Merge #92

92: feat: allow minting NUCs in `nillion` cli r=mfontanini a=mfontanini

This allows minting NUCs in the `nillion` cli. As part of this I restructured the cli code because it was becoming insane; now there's different "handlers" for every subset of commands we have. This otherwise was causing issues where some commands needed some things (e.g. nilvm client), others needed others (nilauth client) and the initialization of these was hell-ish.

Now you can do something like this:

```bash
nillion nuc mint --audience did:nil:03e3ba1eb887b4e972fbf395d479ff6cdb2cec91ba477ffc287b2b9cb5ec2161aa \
                 --delegation '[["==", ".foo", "hi"]]' \
                 --extending "$(nillion nilauth token | jq .token -r)" \
                 --command /nil/bar \
                 --metadata '{"arg": 42}' \
                 --expires-in 60m | \
    jq .token -r | \
    nillion nuc validate --root-public-key 03e3ba1eb887b4e972fbf395d479ff6cdb2cec91ba477ffc287b2b9cb5ec2161aa -
```

And it does what you're expect. I also added a couple of extras like being able to do `nillion nuc validate -` and have it read from stdin, and a `nillion nilauth about` that returns the pubkey/did to easily test stuff.

PS: I should have moved the code in one commit and added this in another #sorry. The new code is in handlers/nuc.rs.

Co-authored-by: Matias Fontanini <[email protected]>

Author: nilogy-bors[bot]

Cargo.lock

@@ -8,7 +8,7 @@ use chrono::{DateTime, Utc};
 use k256::ecdsa::{Signature, SigningKey, VerifyingKey};
 use serde::Serialize;
 use signature::Signer;
-use std::ops::Deref;
+use std::{ops::Deref, time::Duration};
 
 // Helper to simplify unwrapping options in the builder
 macro_rules! try_get {
@@ -97,6 +97,12 @@ impl NucTokenBuilder {
         self
     }
 
+    /// Set the expiration time for this token based on an offset from the current time.
+    pub fn expires_in(mut self, offset: Duration) -> Self {
+        self.expires_at = Some(Utc::now() + offset);
+        self
+    }
+
     /// Set the timestamp when this token first becomes valid for this token.
     pub fn not_before(mut self, timestamp: DateTime<Utc>) -> Self {
         self.not_before = Some(timestamp);

libs/nucs/src/builder.rs

@@ -10,6 +10,7 @@ config = { version = "0.14", default-features = false, features = ["yaml"] }
 env_logger = "0.11.5"
 chrono = { version = "0.4", features = ["serde"] }
 hex = { version = "0.4", features = ["serde"] }
+humantime = "2.2"
 futures = "0.3.30"
 log = "0.4"
 nillion-nucs = { path = "../../libs/nucs" }

tools/nillion/Cargo.toml

@@ -4,6 +4,7 @@ use clap_utils::shell_completions::ShellCompletionsArgs;
 use hex::FromHexError;
 use nada_values_args::NadaValueArgs;
 use nillion_client::{grpc::membership::NodeId, Clear, NadaValue, UserId, Uuid};
+use nillion_nucs::token::Did;
 use serde::Deserialize;
 use serde_with::{serde_as, DisplayFromStr};
 use std::{collections::HashMap, path::PathBuf, str::FromStr};
@@ -97,7 +98,7 @@ pub enum Command {
     #[clap(subcommand)]
     Config(ConfigCommand),
 
-    /// Mint or inspect a NUC.
+    /// NUC token utilities.
     #[clap(subcommand)]
     Nuc(NucCommand),
 
@@ -555,13 +556,17 @@ pub struct ClusterConfigArgs {
 }
 
 /// The NUC command.
+#[allow(clippy::large_enum_variant)]
 #[derive(Subcommand)]
 pub enum NucCommand {
     /// Inspect a NUC.
     Inspect(InspectNucArgs),
 
     /// Validate a NUC.
     Validate(ValidateNucArgs),
+
+    /// Mint a NUC.
+    Mint(MintNucArgs),
 }
 
 /// Inspect a NUC.
@@ -582,6 +587,58 @@ pub struct ValidateNucArgs {
     pub root_public_keys: Vec<HexBytes>,
 }
 
+/// Mint a NUC.
+#[derive(Args)]
+pub struct MintNucArgs {
+    /// The token to extend as a base for the newly minted token.
+    #[clap(long)]
+    pub extending: Option<String>,
+
+    /// The audience of the token.
+    #[clap(long)]
+    pub audience: Did,
+
+    /// The subject of the token.
+    #[clap(long)]
+    pub subject: Option<Did>,
+
+    /// The UNIX epoch timestamp to set as an expiration time for the token.
+    #[clap(long, group = "expires")]
+    pub expires_at: Option<i64>,
+
+    /// The amount of time in which the token will expire.
+    #[clap(long, group = "expires")]
+    pub expires_in: Option<humantime::Duration>,
+
+    /// The UNIT epoch timestamp at which this token can start being used.
+    #[clap(long)]
+    pub not_before: Option<i64>,
+
+    /// The command to be used in the token.
+    #[clap(long)]
+    pub command: Option<nillion_nucs::token::Command>,
+
+    /// A JSON map that contains metadata about the generated token.
+    #[clap(long)]
+    pub metadata: Option<String>,
+
+    /// The nonce to be used. Defaults to a random 16 byte sequence.
+    #[clap(long)]
+    pub nonce: Option<HexBytes>,
+
+    /// A token to be used as proof. Not needed when using `extending`.
+    #[clap(long)]
+    pub proof: Option<String>,
+
+    /// Make this an invocation token with the given policy.
+    #[clap(long, group = "body")]
+    pub invocation: Option<String>,
+
+    /// Make this a delegation token with the given arguments.
+    #[clap(long, group = "body")]
+    pub delegation: Option<String>,
+}
+
 /// A nilauth command.
 #[derive(Subcommand)]
 pub enum NilauthCommand {
@@ -597,6 +654,9 @@ pub enum NilauthCommand {
 
     /// Check whether a token is revoked.
     CheckRevoked(CheckRevokedArgs),
+
+    /// Get information about the server.
+    About,
 }
 
 /// A nilauth subscription command.

tools/nillion/src/args.rs

@@ -0,0 +1,75 @@
+use super::HandlerResult;
+use crate::{
+    args::{
+        ContextCommand, IdentitiesCommand, NetworksCommand, ShowContextArgs, ShowIdentityArgs, ShowNetworkArgs,
+        UseContextArgs,
+    },
+    context::ContextConfig,
+    handlers::{identities::IdentitiesHandler, networks::NetworksHandler},
+    serialize::SerializeAsAny,
+};
+use anyhow::bail;
+use serde::Serialize;
+use std::collections::HashMap;
+use tools_config::{identities::Identity, networks::NetworkConfig, ToolConfig};
+
+pub struct ContextHandler;
+
+impl ContextHandler {
+    pub fn handle(command: ContextCommand) -> HandlerResult {
+        match command {
+            ContextCommand::Use(args) => Self::use_context(args),
+            ContextCommand::Show(ShowContextArgs { verbose: true }) => Self::show_detailed(),
+            ContextCommand::Show(ShowContextArgs { verbose: false }) => Self::show(),
+        }
+    }
+
+    pub fn use_context(args: UseContextArgs) -> HandlerResult {
+        #[derive(Serialize)]
+        struct Output {
+            identity: String,
+            network: String,
+        }
+
+        let UseContextArgs { identity, network }: UseContextArgs = args;
+        if let Err(e) = Identity::read_from_config(&identity) {
+            bail!("Invalid identity: {e}");
+        }
+        if let Err(e) = NetworkConfig::read_from_config(&network) {
+            bail!("Invalid network: {e}");
+        }
+        let config = ContextConfig { identity: identity.clone(), network: network.clone() };
+        config.store()?;
+        Ok(Box::new(Output { identity, network }))
+    }
+
+    pub fn show() -> HandlerResult {
+        #[derive(Serialize)]
+        struct Output {
+            identity: String,
+            network: String,
+        }
+
+        let Some(context) = ContextConfig::load() else {
+            return Ok(Box::new(HashMap::<(), ()>::new()));
+        };
+        let ContextConfig { identity, network } = context;
+        Ok(Box::new(Output { identity, network }))
+    }
+
+    pub fn show_detailed() -> HandlerResult {
+        #[derive(Serialize)]
+        struct Output {
+            identity: Box<dyn SerializeAsAny>,
+            network: Box<dyn SerializeAsAny>,
+        }
+
+        let Some(context) = ContextConfig::load() else {
+            return Ok(Box::new(HashMap::<(), ()>::new()));
+        };
+        let ContextConfig { identity, network } = context;
+        let identity = IdentitiesHandler::handle(IdentitiesCommand::Show(ShowIdentityArgs { name: identity }))?;
+        let network = NetworksHandler::handle(NetworksCommand::Show(ShowNetworkArgs { name: network }))?;
+        Ok(Box::new(Output { identity, network }))
+    }
+}

tools/nillion/src/handlers/context.rs

@@ -0,0 +1,120 @@
+use super::{open_in_editor, HandlerResult};
+use crate::{
+    args::{
+        AddIdentityArgs, EditIdentityArgs, IdentitiesCommand, IdentityGenArgs, RemoveIdentityArgs, ShowIdentityArgs,
+    },
+    serialize::NoOutput,
+};
+use anyhow::{bail, Result};
+use nillion_client::{Ed25519SigningKey, Secp256k1SigningKey, UserId};
+use serde::Serialize;
+use serde_with::{serde_as, DisplayFromStr};
+use std::fs;
+use tools_config::{
+    identities::{Identity, Kind},
+    NamedConfig, ToolConfig,
+};
+use tracing::info;
+use user_keypair::SigningKey;
+
+pub struct IdentitiesHandler;
+
+impl IdentitiesHandler {
+    pub fn handle(command: IdentitiesCommand) -> HandlerResult {
+        match command {
+            IdentitiesCommand::Add(args) => Self::add(args),
+            IdentitiesCommand::Edit(args) => Self::edit(args),
+            IdentitiesCommand::List => Self::list(),
+            IdentitiesCommand::Show(args) => Self::show(args),
+            IdentitiesCommand::Remove(args) => Self::remove(args),
+        }
+    }
+
+    pub fn identities_gen(args: IdentityGenArgs) -> HandlerResult {
+        info!("Generating user identities");
+        let user_key = Self::generate_key(args.seed, &args.curve)?.as_bytes();
+        let identity = Identity { private_key: user_key, kind: args.curve };
+        identity.write_to_file(&args.name)?;
+        Ok(Box::new(format!("Identity {} generated", args.name)))
+    }
+
+    fn add(args: AddIdentityArgs) -> HandlerResult {
+        let kind = Kind::Secp256k1;
+        let user_key = Self::generate_key(args.seed, &kind)?.as_bytes();
+        let identity = Identity { private_key: user_key, kind };
+        identity.write_to_file(&args.name)?;
+        Ok(Box::new(format!("Identity {} added", args.name)))
+    }
+
+    fn list() -> HandlerResult {
+        #[derive(Serialize)]
+        struct Output {
+            identities: Vec<String>,
+        }
+
+        let identities = Identity::read_all()?;
+        let identities = identities.into_iter().map(|NamedConfig { name, .. }| name).collect::<Vec<_>>();
+        Ok(Box::new(Output { identities }))
+    }
+
+    fn edit(args: EditIdentityArgs) -> HandlerResult {
+        let EditIdentityArgs { name } = args;
+        let path = Identity::config_path(&name)?;
+        if !fs::exists(&path).unwrap_or(false) {
+            bail!("identity file does not exist");
+        }
+        open_in_editor(&path)?;
+        Ok(Box::new(NoOutput))
+    }
+
+    fn show(args: ShowIdentityArgs) -> HandlerResult {
+        #[serde_as]
+        #[derive(Serialize)]
+        struct Output {
+            #[serde_as(as = "DisplayFromStr")]
+            user_id: UserId,
+
+            #[serde(serialize_with = "hex::serde::serialize")]
+            public_key: Vec<u8>,
+
+            #[serde_as(as = "DisplayFromStr")]
+            kind: Kind,
+        }
+
+        let Identity { private_key: user_key, kind } = Identity::read_from_config(&args.name)?;
+        let private_key = match kind {
+            Kind::Ed25519 => SigningKey::from(Ed25519SigningKey::try_from(user_key.as_ref())?),
+            Kind::Secp256k1 => SigningKey::from(Secp256k1SigningKey::try_from(user_key.as_ref())?),
+        };
+        let public_key = private_key.public_key().as_bytes();
+        let user_id = UserId::from_bytes(&public_key);
+        Ok(Box::new(Output { public_key, user_id, kind }))
+    }
+
+    fn remove(args: RemoveIdentityArgs) -> HandlerResult {
+        Identity::remove_config(&args.name)?;
+        Ok(Box::new(format!("Identity {} removed", args.name)))
+    }
+
+    fn generate_key(seed: Option<String>, curve: &Kind) -> Result<SigningKey> {
+        let key = match (seed, curve) {
+            (Some(seed), Kind::Ed25519) => {
+                info!("Generating ed25519 key using provided seed");
+                Ed25519SigningKey::from_seed(&seed).into()
+            }
+            (None, Kind::Ed25519) => {
+                info!("Generating random ed25519 key");
+                Ed25519SigningKey::generate().into()
+            }
+            (Some(seed), Kind::Secp256k1) => {
+                info!("Generating secp256k1 key using provided seed");
+                Secp256k1SigningKey::try_from_seed(&seed)?.into()
+            }
+            (None, Kind::Secp256k1) => {
+                info!("Generating random secp256k1 key");
+                Secp256k1SigningKey::generate().into()
+            }
+        };
+        Ok(key)
+    }
+}

tools/nillion/src/handlers/identities.rs

@@ -0,0 +1,21 @@
+use crate::serialize::SerializeAsAny;
+use anyhow::{anyhow, Result};
+use std::{env, path::Path};
+
+pub mod context;
+pub mod identities;
+pub mod networks;
+pub mod nilauth;
+pub mod nilvm;
+pub mod nuc;
+
+pub type HandlerResult = Result<Box<dyn SerializeAsAny>>;
+
+pub(crate) fn open_in_editor(path: &Path) -> Result<()> {
+    // Use the editor specified in VISUAL, otherwise EDITOR, otherwise default to vim.
+    let editor = env::var("VISUAL").or_else(|_| env::var("EDITOR")).unwrap_or_else(|_| "vim".into());
+    let mut child =
+        std::process::Command::new(&editor).arg(path).spawn().map_err(|e| anyhow!("failed to run {editor}: {e}"))?;
+    child.wait().map_err(|e| anyhow!("failed to wait for {editor}: {e}"))?;
+    Ok(())
+}