[cli] feat: allow for ANTI_SSH_KEY_SELECTOR to be missing

paolino · paolino · commit a4e888198e16 · 2025-09-16T12:30:29.000+01:00
diff --git a/cli/docs/requester-role.md b/cli/docs/requester-role.md
@@ -104,28 +104,44 @@ Then commit and push the changes to your repository.
 
 ### Requesting a test-run
 
+#### SSH key setup
 Before proceding be careful to set the necessary signing assets in your environment variables.
-```bash
-  Which key selector to use from the SSH file
-  env: ANTI_SSH_KEY_SELECTOR STRING
 
-  Path to the SSH private key file
-  env: ANTI_SSH_FILE FILEPATH
+- `anti` will use the SSH private key to sign the request
+- The private key has to be an ed25519 key.
+- The public key corresponding to the private key has to be registered in your github account [see above](#registering-a-user-public-key).
+
+Multiple keys file are supported, in this case you have to specify which key to use with the `ANTI_SSH_KEY_SELECTOR` environment variable or the `--ssh-key-selector` option.
+In case you don't know the selector, you can inspect the keys in your file with
+
+```bash
+anti ssh-selectors --ssh-file PATH_TO_YOUR_SSH_FILE --ask-ssh-passphrase
 ```
 
-As with the wallet passphrase you can set the password in the environment variable
+If multiple keys are present in the file and you don't specify a selector, the first key in the file will be used.
+
+To link to your private key file, set the `ANTI_SSH_FILE` environment variable to point to it.
+
+
+As with the wallet passphrase you can set the password in the environment variable (not recommended)
 
 ```bash
-read -s -p "Enter password to decrypt the SSH private key: " ANTI_INTERACTIVE_SECRETS
-export ANTI_INTERACTIVE_SECRETS
+read -s -p "Enter password to decrypt the SSH private key: " ANTI_SSH_PASSWORD
+export ANTI_SSH_PASSWORD
 ```
 
-Or better paste it from a password manager each time you need it using the 'ask-password' option
+Or better paste it from a password manager each time you need it using the `--ask-ssh-password` option
 
-Or set the `ANTI_INTERACTIVE_SECRETS` environment variable to any value.
+Or set the `ANTI_INTERACTIVE_SECRETS` environment variable to any value to imply the `--ask-ssh-password` option
+
+```bash
+export ANTI_INTERACTIVE_SECRETS=1
+```
 
 > The file at ANTI_SSH_FILE path has to be the encrypted ssh private key matching the user registration [see above](#registering-a-user-public-key).
 
+#### Requesting the test-run
+
 To request a test-run, you can use the `anti requester create-test` command.
 
 ```bash
@@ -135,7 +151,7 @@ anti requester create-test --platform github --username alice --repository youro
 
 You can request multiple test-runs for the same commit but you have to specify a different `--try` number for each request.
 
-### Checking the test-run status
+#### Checking the test-run status
 
 You can check the status of your test-run requests with the `anti facts test-runs` command.
 
@@ -146,5 +162,5 @@ anti facts test-runs -i <your_test_run_id>
 You can find all running test-runs for a user with
 
 ```bash
-anti facts test-runs running --whose cfhal 
+anti facts test-runs running --whose alice
 ```
diff --git a/cli/justfile b/cli/justfile
@@ -67,9 +67,7 @@ E2E match="":
     export ANTI_TEST_REQUESTER_WALLET=tmp/test.json
     export ANTI_TEST_ORACLE_WALLET=tmp/test.json
     export ANTI_TEST_AGENT_WALLET=tmp/test.json
-
     export ANTI_SSH_FILE=test-E2E/fixtures/cfhal_ed25519
-    export ANTI_SSH_KEY_SELECTOR=cfhal
     export ANTI_WAIT=2
     while [[ "$(curl -s "localhost:$MPFS_PORT/tokens" | jq -r '.indexerStatus.ready')" != "true" ]]; do
         echo "Waiting for indexer to be ready..."
diff --git a/cli/src/Cli.hs b/cli/src/Cli.hs
@@ -15,7 +15,12 @@ import Data.Functor.Identity (Identity (..))
 import Facts (FactsSelection, factsCmd)
 import GitHub (Auth)
 import Lib.JSON.Canonical.Extra
-import Lib.SSH.Private (SSHClient, WithSelector (..), sshKeySelectors)
+import Lib.SSH.Private
+    ( SSHClient
+    , Selection
+    , WithSelector (..)
+    , sshKeySelectors
+    )
 import MPFS.API
     ( MPFS (..)
     , mpfsClient
@@ -70,7 +75,7 @@ data Command a where
         -> TokenId
         -> Command
             (AValidationResult TokenInfoFailure (Token WithValidation))
-    SSHSelectors :: SSHClient 'WithoutSelector -> Command [String]
+    SSHSelectors :: SSHClient 'WithoutSelector -> Command [Selection]
 
 data SetupError = TokenNotSpecified
     deriving (Show, Eq)
diff --git a/cli/src/Lib/SSH/Private.hs b/cli/src/Lib/SSH/Private.hs
@@ -15,6 +15,7 @@ module Lib.SSH.Private
     , mkKeyAPI
     , WithSelector (..)
     , SelectorField
+    , Selection (..)
     ) where
 
 import Control.Applicative (many, (<|>))
@@ -51,11 +52,14 @@ import Data.ByteString.Char8 qualified as BC
 import Data.ByteString.Lazy qualified as BL
 import Data.Map.Strict qualified as Map
 import Data.Word (Word8)
+import Lib.JSON.Canonical.Extra (object, (.=))
+import Lib.SSH.Public (SSHPublicKey (..), encodeSSHPublicKey)
+import Text.JSON.Canonical (ToJSON (..))
 
 data WithSelector = WithSelector | WithoutSelector
 
 type family SelectorField (w :: WithSelector) where
-    SelectorField 'WithSelector = String
+    SelectorField 'WithSelector = Maybe String
     SelectorField 'WithoutSelector = ()
 
 data SSHClient sel = SSHClient
@@ -74,7 +78,7 @@ type Sign = BC.ByteString -> Ed25519.Signature
 sign :: KeyPair -> Sign
 sign (KeyPair pk sk) = Ed25519.sign sk pk
 
-mkKeyAPI :: String -> ByteString -> String -> Maybe KeyPair
+mkKeyAPI :: String -> ByteString -> Maybe String -> Maybe KeyPair
 mkKeyAPI passPhrase content sshKeySelector =
     let
         ks = decodePrivateKeyFile (BC.pack passPhrase) content
@@ -85,7 +89,8 @@ mkKeyAPI passPhrase content sshKeySelector =
                     , privateKey = sk
                     }
     in
-        Map.lookup sshKeySelector $ foldMap mkMap ks
+        maybe (fmap snd <$> Map.lookupMin) Map.lookup sshKeySelector
+            $ foldMap mkMap ks
 
 sshKeyPair
     :: SSHClient 'WithSelector
@@ -94,11 +99,27 @@ sshKeyPair SSHClient{sshKeySelector, sshKeyFile, sshKeyPassphrase} = do
     content <- B.readFile sshKeyFile
     pure $ mkKeyAPI sshKeyPassphrase content sshKeySelector
 
-sshKeySelectors :: SSHClient 'WithoutSelector -> IO [String]
+data Selection = Selection
+    { selectorName :: String
+    , selectorKey :: String
+    }
+    deriving (Show, Eq)
+
+instance Monad m => ToJSON m Selection where
+    toJSON (Selection name key) =
+        object
+            [ "name" .= name
+            , "publicKey" .= key
+            ]
+
+sshKeySelectors :: SSHClient 'WithoutSelector -> IO [Selection]
 sshKeySelectors SSHClient{sshKeyFile, sshKeyPassphrase} = do
     content <- B.readFile sshKeyFile
     let ks = decodePrivateKeyFile (BC.pack sshKeyPassphrase) content
-    pure $ fmap (BC.unpack . snd) ks
+    let f (KeyPair k _, comment) = Selection (BC.unpack comment) render
+          where
+            SSHPublicKey render = encodeSSHPublicKey k
+    pure $ fmap f ks
 
 data KeyPair
     = KeyPair
diff --git a/cli/src/User/Requester/Options.hs b/cli/src/User/Requester/Options.hs
@@ -34,6 +34,7 @@ import OptEnvConf
     , long
     , metavar
     , option
+    , optional
     , reader
     , setting
     , str
@@ -129,7 +130,7 @@ sshClientOption
     :: Parser (SSHClient 'WithSelector)
 sshClientOption =
     SSHClient
-        <$> keySelectorOption
+        <$> optional keySelectorOption
         <*> keyFileOption
         <*> keyPasswordOption
 
@@ -144,7 +145,8 @@ keySelectorOption :: Parser String
 keySelectorOption =
     setting
         [ env "ANTI_SSH_KEY_SELECTOR"
-        , help "Which key selector to use from the SSH file"
+        , help
+            "Which key selector to use from the SSH file, it will use the first one if not specified"
         , metavar "STRING"
         , reader str
         , long "ssh-key-selector"
diff --git a/cli/test/Lib/SSH/KeySpec.hs b/cli/test/Lib/SSH/KeySpec.hs
@@ -8,31 +8,64 @@ import Data.ByteString qualified as B
 import Lib.SSH.Private
     ( KeyPair (..)
     , SSHClient (..)
+    , Selection (..)
     , WithSelector (..)
     , sign
     , sshKeyPair
+    , sshKeySelectors
     )
-import Test.Hspec (Spec, beforeAll, describe, it)
-import Test.QuickCheck (Testable (property))
+import Test.Hspec (Spec, beforeAll, describe, it, shouldBe)
+import Test.QuickCheck
+    ( Testable (property)
+    , ioProperty
+    , withMaxSuccess
+    )
+
+clientWithSelector :: Maybe String -> SSHClient 'WithSelector
+clientWithSelector sel =
+    SSHClient
+        { sshKeySelector = sel
+        , sshKeyFile = "test-E2E/fixtures/test_ed25519"
+        , sshKeyPassphrase = "pw"
+        }
 
-client :: SSHClient 'WithSelector
-client =
+clientWithoutSelector :: SSHClient 'WithoutSelector
+clientWithoutSelector =
     SSHClient
-        { sshKeySelector = "test_user"
+        { sshKeySelector = ()
         , sshKeyFile = "test-E2E/fixtures/test_ed25519"
         , sshKeyPassphrase = "pw"
         }
 
-readKey :: IO KeyPair
-readKey = do
-    Just api <- sshKeyPair client
+readKey :: Maybe String -> IO KeyPair
+readKey user = do
+    Just api <- sshKeyPair $ clientWithSelector user
     pure api
 
+readSelectors :: IO [Selection]
+readSelectors = sshKeySelectors clientWithoutSelector
+
 spec :: Spec
 spec = do
-    describe "SSH Key" $ beforeAll readKey $ do
-        it "should sign and verify a message" $ \k@KeyPair{publicKey} -> do
-            property $ \msgb -> do
+    describe "SSH Key with selector" $ do
+        it "should sign and verify a message" $ ioProperty $ do
+            k@KeyPair{publicKey} <- readKey $ Just "test_user"
+            pure $ property $ withMaxSuccess 10 $ \msgb -> do
+                let msg = B.pack msgb
+                let signed = sign k msg
+                Ed25519.verify publicKey msg signed
+        it "should sign and verify a message with the first key" $ ioProperty $ do
+            k@KeyPair{publicKey} <- readKey Nothing
+            pure $ property $ withMaxSuccess 10 $ \msgb -> do
                 let msg = B.pack msgb
                 let signed = sign k msg
                 Ed25519.verify publicKey msg signed
+    describe "SSH Key without selector" $ beforeAll readSelectors $ do
+        it "should read all selectors" $ \sels -> do
+            sels
+                `shouldBe` [ Selection
+                                { selectorName = "test_user"
+                                , selectorKey =
+                                    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIITaA+1gRPR3BMWGwF5ppDvQDyjqJ1VJNCQTlErA9ot"
+                                }
+                           ]
diff --git a/cli/test/User/Requester/CliSpec.hs b/cli/test/User/Requester/CliSpec.hs
@@ -84,7 +84,7 @@ wallet = case readWallet (True, mnemonics) of
 sshClient :: SSHClient 'WithSelector
 sshClient =
     SSHClient
-        { sshKeySelector = "alice"
+        { sshKeySelector = Just "alice"
         , sshKeyFile = "alice_id_ed25519"
         , sshKeyPassphrase = "testpassphrase"
         }
@@ -178,7 +178,7 @@ wUKzoj1GlS881w5d1K9cXgaTNg2jXmtV3Mm/nYAZtxPXAp/9gxzUE2wWhQdi9NubBHIotl
     |]
 
 keyPair :: KeyPair
-keyPair = case mkKeyAPI "testpassphrase" aliceKey "alice" of
+keyPair = case mkKeyAPI "testpassphrase" aliceKey (Just "alice") of
     Nothing -> error "Failed to create KeyPair"
     Just k -> k
 
