move ConnectionHash into Connection

Author: brianm

cmd/epithet/match.go

@@ -51,8 +51,8 @@ func (m *MatchCLI) Run(logger *slog.Logger) error {
 			RemoteUser: m.User,
 			Port:       m.Port,
 			ProxyJump:  m.ProxyJump,
+			Hash:       m.Hash,
 		},
-		ConnectionHash: m.Hash,
 	}
 
 	// Call broker

pkg/broker/agent_test.go

@@ -48,8 +48,8 @@ func TestBroker_NoAgentReturnsNotAllowed(t *testing.T) {
 	req := MatchRequest{
 		Connection: policy.Connection{
 			RemoteHost: "server.example.com",
+			Hash:       "nonexistent-hash",
 		},
-		ConnectionHash: "nonexistent-hash",
 	}
 	var resp MatchResponse
 

pkg/broker/broker.go

@@ -75,8 +75,7 @@ func (b *Broker) startBrokerListener() error {
 }
 
 type MatchRequest struct {
-	Connection     policy.Connection
-	ConnectionHash string
+	Connection policy.Connection
 }
 
 type MatchResponse struct {
@@ -93,17 +92,17 @@ func (b *Broker) Match(input MatchRequest, output *MatchResponse) error {
 	defer b.lock.Unlock()
 
 	// Check if agent already exists for this connection hash
-	if entry, exists := b.agents[input.ConnectionHash]; exists {
+	if entry, exists := b.agents[input.Connection.Hash]; exists {
 		// Check if agent's certificate is still valid (with buffer)
 		if time.Now().Add(expiryBuffer).Before(entry.expiresAt) {
-			b.log.Debug("found existing valid agent", "hash", input.ConnectionHash, "expires", entry.expiresAt)
+			b.log.Debug("found existing valid agent", "hash", input.Connection.Hash, "expires", entry.expiresAt)
 			output.Allow = true
 			return nil
 		}
 		// Agent expired - clean it up
-		b.log.Debug("cleaning up expired agent", "hash", input.ConnectionHash, "expired", entry.expiresAt)
+		b.log.Debug("cleaning up expired agent", "hash", input.Connection.Hash, "expired", entry.expiresAt)
 		entry.agent.Close()
-		delete(b.agents, input.ConnectionHash)
+		delete(b.agents, input.Connection.Hash)
 	}
 
 	// Check if we have an auth token, if not authenticate
@@ -126,7 +125,7 @@ func (b *Broker) Match(input MatchRequest, output *MatchResponse) error {
 	// TODO(epithet-25): Create agent with credential
 
 	// For now, just return false (no agent available)
-	b.log.Debug("no valid agent found for connection", "hash", input.ConnectionHash, "host", input.Connection.RemoteHost)
+	b.log.Debug("no valid agent found for connection", "hash", input.Connection.Hash, "host", input.Connection.RemoteHost)
 	output.Allow = false
 	return nil
 }

pkg/broker/broker_test.go

@@ -78,8 +78,8 @@ printf '%s' "6:thello,"
 			RemoteUser: "root",
 			Port:       22,
 			ProxyJump:  "bastion.example.com",
+			Hash:       "abc123def456",
 		},
-		ConnectionHash: "abc123def456",
 	}
 
 	resp := MatchResponse{}

pkg/policy/policy.go

@@ -5,13 +5,15 @@ import "path/filepath"
 // Connection represents the complete tuple of SSH connection parameters.
 // This matches the parameters available in OpenSSH Match exec via %C hash:
 // local hostname (%l), remote hostname (%h), port (%p), remote user (%r), and ProxyJump (%j).
+// The Hash field contains the %C hash value computed by OpenSSH from these parameters.
 type Connection struct {
 	LocalHost  string `json:"localHost"`
 	LocalUser  string `json:"localUser"`
 	RemoteHost string `json:"remoteHost"`
 	RemoteUser string `json:"remoteUser"`
 	Port       uint   `json:"port"`
 	ProxyJump  string `json:"proxyJump"`
+	Hash       string `json:"hash"` // %C - hash of connection tuple
 }
 
 // Policy represents the policy rules for certificate usage