Refactor jail architecture with integrated services (#15)

* start

* Refactor jail to use integrated services architecture

- Updated namespace implementations to include environment setup in Command method
- Migrated Execute function logic from namespaces into Command method with proper env, credentials, and I/O setup
- Enhanced jail.Jail to integrate proxy server, certificate manager, rule engine, and auditor
- Simplified CLI to use unified jail.Jail instead of managing separate components
- Maintained all existing functionality while improving code organization
- All tests pass and binary builds successfully

Co-authored-by: f0ssel <[email protected]>

* Move environment setup to Open method in namespace implementations

- Move environment preparation from Command() to Open() method in both Linux and macOS namespaces
- Add preparedEnv field to store the prepared environment once during setup
- Simplify Command() methods to just inject the prepared environment
- Improves performance by avoiding repeated environment setup on each command
- Maintains all existing functionality while improving efficiency

Co-authored-by: f0ssel <[email protected]>

* Move sudo credential setup to Open method in namespace implementations

- Move sudo credential preparation from Command() to Open() method in both Linux and macOS namespaces
- Add procAttr field to store prepared syscall.SysProcAttr with credentials
- Simplify Command() methods to just use the prepared process attributes
- Eliminates repeated sudo environment checks and credential parsing on each command
- Further improves performance and code organization
- All credential handling now happens once during setup phase

Co-authored-by: f0ssel <[email protected]>

* Move construction logic from jail.New to CLI caller

- Simplify jail.Config to only contain dependencies (Commander, ProxyServer, etc)
- Move all component construction logic from jail.New into CLI
- jail.New now only accepts pre-constructed dependencies and assembles them
- CLI handles rule parsing, certificate manager creation, proxy server setup
- Better separation of concerns: jail package focuses on orchestration, CLI handles construction
- Eliminates error handling in jail.New since dependencies are pre-validated
- Makes jail package more testable with dependency injection

Co-authored-by: f0ssel <[email protected]>

* Remove unneeded dependencies from jail.Config

- Remove RuleEngine, Auditor, and CertManager from jail.Config
- These dependencies are only needed by ProxyServer, not by Jail directly
- Simplify jail.Config to only contain CommandExecutor, ProxyServer, and Logger
- Remove GetCACertPEM method since CertManager is no longer available in Jail
- Clean up unused imports (audit, rules, tls packages)
- CA certificate handling remains in CLI where CertManager is constructed
- Further simplifies the Jail orchestration layer

Co-authored-by: f0ssel <[email protected]>

* remove no cleanup

* setenv

* Convert preparedEnv to map and implement SetEnv methods

- Convert preparedEnv from []string to map[string]string for better environment management
- Implement SetEnv methods in both Linux and macOS namespace implementations
- Add CommandExecutor accessor method to Jail for SetEnv access
- Update CLI to use SetEnv method for CA certificate environment variables
- Remove Env field from namespace.Config since SetEnv is used instead
- Environment variables now properly managed through SetEnv interface
- Allows dynamic environment variable setting after initialization
- Better encapsulation and control over environment variables

Co-authored-by: f0ssel <[email protected]>

* fix

* fix

* fix

* fix

* Move TLS setup logic to CertificateManager method

- Add SetupTLSAndWriteCACert method to CertificateManager
- Combines getting TLS config, CA cert PEM, and writing CA cert to file
- Returns TLS config, CA cert path, and CA cert PEM in one call
- Update CLI to use the new method instead of separate calls
- Reduces complexity in CLI Run function
- Better encapsulation of TLS-related setup logic
- Remove unused filepath import from CLI
- Clean separation between TLS setup and CLI orchestration

Co-authored-by: f0ssel <[email protected]>

* Move GetConfigDir call into CertificateManager and remove unused return value

- Update SetupTLSAndWriteCACert to call tls.GetConfigDir() internally
- Return config directory as part of the method's return values
- Remove unused []byte (CA cert PEM) from return values since it's never used
- Update CLI to handle new return signature with configDir
- Remove separate GetConfigDir call from CLI
- Pass empty string to NewCertificateManager since configDir is determined internally
- Further simplifies CLI by removing another external dependency call
- Better encapsulation of config directory management within TLS package

Co-authored-by: f0ssel <[email protected]>

* fix

---------

Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com>
Co-authored-by: f0ssel <[email protected]>

Author: f0ssel

cli/cli.go

@@ -7,13 +7,12 @@ import (
 	"log/slog"
 	"os"
 	"os/signal"
-	"path/filepath"
 	"strings"
 	"syscall"
-	"time"
 
+	"github.com/coder/jail"
 	"github.com/coder/jail/audit"
-	"github.com/coder/jail/network"
+	"github.com/coder/jail/namespace"
 	"github.com/coder/jail/proxy"
 	"github.com/coder/jail/rules"
 	"github.com/coder/jail/tls"
@@ -25,7 +24,6 @@ type Config struct {
 	AllowStrings   []string
 	NoTLSIntercept bool
 	LogLevel       string
-	NoJailCleanup  bool
 }
 
 // NewCommand creates and returns the root serpent command
@@ -70,14 +68,6 @@ Examples:
 				Default:     "warn",
 				Value:       serpent.StringOf(&config.LogLevel),
 			},
-			{
-				Name:        "no-jail-cleanup",
-				Flag:        "no-jail-cleanup",
-				Env:         "JAIL_NO_JAIL_CLEANUP",
-				Description: "Skip jail cleanup (hidden flag for testing).",
-				Value:       serpent.BoolOf(&config.NoJailCleanup),
-				Hidden:      true,
-			},
 		},
 		Handler: func(inv *serpent.Invocation) error {
 			return Run(config, inv.Args)
@@ -123,90 +113,85 @@ func Run(config Config, args []string) error {
 		logger.Warn("No allow rules specified; all network traffic will be denied by default")
 	}
 
+	// Parse allow rules
 	allowRules, err := rules.ParseAllowSpecs(config.AllowStrings)
 	if err != nil {
 		logger.Error("Failed to parse allow rules", "error", err)
 		return fmt.Errorf("failed to parse allow rules: %v", err)
 	}
 
-	// Implicit final deny-all is handled by the RuleEngine default behavior when no rules match.
-	// Build final rules slice in order: user allows only.
-	ruleList := allowRules
-
 	// Create rule engine
-	ruleEngine := rules.NewRuleEngine(ruleList, logger)
+	ruleEngine := rules.NewRuleEngine(allowRules, logger)
+
+	// Create auditor
+	auditor := audit.NewLoggingAuditor(logger)
 
-	// Get configuration directory
-	configDir, err := tls.GetConfigDir()
+	// Create network namespace configuration
+	nsConfig := namespace.Config{
+		HTTPPort:  8040,
+		HTTPSPort: 8043,
+	}
+
+	// Create commander
+	commander, err := namespace.New(nsConfig, logger)
 	if err != nil {
-		logger.Error("Failed to get config directory", "error", err)
-		return fmt.Errorf("failed to get config directory: %v", err)
+		logger.Error("Failed to create network namespace", "error", err)
+		return fmt.Errorf("failed to create network namespace: %v", err)
 	}
 
 	// Create certificate manager (if TLS interception is enabled)
-	var certManager *tls.CertificateManager
 	var tlsConfig *cryptotls.Config
-	var extraEnv map[string]string = make(map[string]string)
-
 	if !config.NoTLSIntercept {
-		certManager, err = tls.NewCertificateManager(configDir, logger)
+		certManager, err := tls.NewCertificateManager("", logger) // Empty configDir since it will be determined internally
 		if err != nil {
 			logger.Error("Failed to create certificate manager", "error", err)
 			return fmt.Errorf("failed to create certificate manager: %v", err)
 		}
 
-		tlsConfig = certManager.GetTLSConfig()
-
-		// Get CA certificate for environment
-		caCertPEM, err := certManager.GetCACertPEM()
-		if err != nil {
-			logger.Error("Failed to get CA certificate", "error", err)
-			return fmt.Errorf("failed to get CA certificate: %v", err)
-		}
-
-		// Write CA certificate to a temporary file for tools that need a file path
-		caCertPath := filepath.Join(configDir, "ca-cert.pem")
-		err = os.WriteFile(caCertPath, caCertPEM, 0644)
+		// Setup TLS config and write CA certificate to file
+		var caCertPath, configDir string
+		tlsConfig, caCertPath, configDir, err = certManager.SetupTLSAndWriteCACert()
 		if err != nil {
-			logger.Error("Failed to write CA certificate file", "error", err)
-			return fmt.Errorf("failed to write CA certificate file: %v", err)
+			logger.Error("Failed to setup TLS and CA certificate", "error", err)
+			return fmt.Errorf("failed to setup TLS and CA certificate: %v", err)
 		}
 
 		// Set standard CA certificate environment variables for common tools
 		// This makes tools like curl, git, etc. trust our dynamically generated CA
-		extraEnv["SSL_CERT_FILE"] = caCertPath       // OpenSSL/LibreSSL-based tools
-		extraEnv["SSL_CERT_DIR"] = configDir         // OpenSSL certificate directory
-		extraEnv["CURL_CA_BUNDLE"] = caCertPath      // curl
-		extraEnv["GIT_SSL_CAINFO"] = caCertPath      // Git
-		extraEnv["REQUESTS_CA_BUNDLE"] = caCertPath  // Python requests
-		extraEnv["NODE_EXTRA_CA_CERTS"] = caCertPath // Node.js
-		extraEnv["JAIL_CA_CERT"] = string(caCertPEM) // Keep for backward compatibility
+		commander.SetEnv("SSL_CERT_FILE", caCertPath)       // OpenSSL/LibreSSL-based tools
+		commander.SetEnv("SSL_CERT_DIR", configDir)         // OpenSSL certificate directory
+		commander.SetEnv("CURL_CA_BUNDLE", caCertPath)      // curl
+		commander.SetEnv("GIT_SSL_CAINFO", caCertPath)      // Git
+		commander.SetEnv("REQUESTS_CA_BUNDLE", caCertPath)  // Python requests
+		commander.SetEnv("NODE_EXTRA_CA_CERTS", caCertPath) // Node.js
 	}
 
-	// Create network jail configuration
-	networkConfig := network.JailConfig{
-		HTTPPort:    8040,
-		HTTPSPort:   8043,
-		NetJailName: "jail",
-		SkipCleanup: config.NoJailCleanup,
-	}
+	// Create proxy server
+	proxyServer := proxy.NewProxyServer(proxy.Config{
+		HTTPPort:   8040,
+		HTTPSPort:  8043,
+		RuleEngine: ruleEngine,
+		Auditor:    auditor,
+		Logger:     logger,
+		TLSConfig:  tlsConfig,
+	})
 
-	// Create network jail
-	networkInstance, err := network.NewJail(networkConfig, logger)
-	if err != nil {
-		logger.Error("Failed to create network jail", "error", err)
-		return fmt.Errorf("failed to create network jail: %v", err)
-	}
+	// Create jail instance
+	jailInstance := jail.New(jail.Config{
+		Commander:   commander,
+		ProxyServer: proxyServer,
+		Logger:      logger,
+	})
 
-	// Setup signal handling BEFORE any network setup
+	// Setup signal handling BEFORE any setup
 	sigChan := make(chan os.Signal, 1)
 	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
 
 	// Handle signals immediately in background
 	go func() {
 		sig := <-sigChan
 		logger.Info("Received signal during setup, cleaning up...", "signal", sig)
-		err := networkInstance.Cleanup()
+		err := jailInstance.Close()
 		if err != nil {
 			logger.Error("Emergency cleanup failed", "error", err)
 		}
@@ -216,55 +201,29 @@ func Run(config Config, args []string) error {
 	// Ensure cleanup happens no matter what
 	defer func() {
 		logger.Debug("Starting cleanup process")
-		err := networkInstance.Cleanup()
+		err := jailInstance.Close()
 		if err != nil {
-			logger.Error("Failed to cleanup network jail", "error", err)
+			logger.Error("Failed to cleanup jail", "error", err)
 		} else {
 			logger.Debug("Cleanup completed successfully")
 		}
 	}()
 
-	// Setup network jail
-	err = networkInstance.Setup(networkConfig.HTTPPort, networkConfig.HTTPSPort)
+	// Open jail (starts network namespace and proxy server)
+	err = jailInstance.Open()
 	if err != nil {
-		logger.Error("Failed to setup network jail", "error", err)
-		return fmt.Errorf("failed to setup network jail: %v", err)
-	}
-
-	// Create auditor
-	auditor := audit.NewLoggingAuditor(logger)
-
-	// Create proxy server
-	proxyConfig := proxy.Config{
-		HTTPPort:   networkConfig.HTTPPort,
-		HTTPSPort:  networkConfig.HTTPSPort,
-		RuleEngine: ruleEngine,
-		Auditor:    auditor,
-		Logger:     logger,
-		TLSConfig:  tlsConfig,
+		logger.Error("Failed to open jail", "error", err)
+		return fmt.Errorf("failed to open jail: %v", err)
 	}
 
-	proxyServer := proxy.NewProxyServer(proxyConfig)
-
 	// Create context for graceful shutdown
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	// Start proxy server in background
-	go func() {
-		err := proxyServer.Start(ctx)
-		if err != nil {
-			logger.Error("Proxy server error", "error", err)
-		}
-	}()
-
-	// Give proxy time to start
-	time.Sleep(100 * time.Millisecond)
-
-	// Execute command in network jail
+	// Execute command in jail
 	go func() {
 		defer cancel()
-		err := networkInstance.Execute(args, extraEnv)
+		err := jailInstance.Command(args).Run()
 		if err != nil {
 			logger.Error("Command execution failed", "error", err)
 		}
@@ -277,12 +236,7 @@ func Run(config Config, args []string) error {
 		cancel()
 	case <-ctx.Done():
 		// Context cancelled by command completion
-	}
-
-	// Stop proxy server
-	err = proxyServer.Stop()
-	if err != nil {
-		logger.Error("Failed to stop proxy server", "error", err)
+		logger.Info("Command completed, shutting down...")
 	}
 
 	return nil

jail.go

@@ -0,0 +1,87 @@
+package jail
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"os/exec"
+	"time"
+
+	"github.com/coder/jail/proxy"
+)
+
+type Commander interface {
+	Open() error
+	SetEnv(key string, value string)
+	Command(command []string) *exec.Cmd
+	Close() error
+}
+
+type Config struct {
+	Commander   Commander
+	ProxyServer *proxy.ProxyServer
+	Logger      *slog.Logger
+}
+
+type Jail struct {
+	commandExecutor Commander
+	proxyServer     *proxy.ProxyServer
+	logger          *slog.Logger
+	cancel          context.CancelFunc
+	ctx             context.Context
+}
+
+func New(config Config) *Jail {
+	ctx, cancel := context.WithCancel(context.Background())
+
+	return &Jail{
+		commandExecutor: config.Commander,
+		proxyServer:     config.ProxyServer,
+		logger:          config.Logger,
+		ctx:             ctx,
+		cancel:          cancel,
+	}
+}
+
+func (j *Jail) Open() error {
+	// Open the command executor (network namespace)
+	err := j.commandExecutor.Open()
+	if err != nil {
+		return fmt.Errorf("failed to open command executor: %v", err)
+	}
+
+	// Start proxy server in background
+	go func() {
+		err := j.proxyServer.Start(j.ctx)
+		if err != nil {
+			j.logger.Error("Proxy server error", "error", err)
+		}
+	}()
+
+	// Give proxy time to start
+	time.Sleep(100 * time.Millisecond)
+
+	return nil
+}
+
+func (j *Jail) Command(command []string) *exec.Cmd {
+	return j.commandExecutor.Command(command)
+}
+
+func (j *Jail) Close() error {
+	// Cancel context to stop proxy server
+	if j.cancel != nil {
+		j.cancel()
+	}
+
+	// Stop proxy server
+	if j.proxyServer != nil {
+		err := j.proxyServer.Stop()
+		if err != nil {
+			j.logger.Error("Failed to stop proxy server", "error", err)
+		}
+	}
+
+	// Close command executor
+	return j.commandExecutor.Close()
+}