impl: verify cli signature

CHANGELOG.md

@@ -5,6 +5,7 @@
 ### Added
 
 - support for matching workspace agent in the URI via the agent name
+- support for checking if CLI is signed
 
 ### Removed
 

build.gradle.kts

@@ -63,6 +63,7 @@ dependencies {
     ksp(libs.moshi.codegen)
     implementation(libs.retrofit)
     implementation(libs.retrofit.moshi)
+    implementation(libs.bundles.bouncycastle)
     testImplementation(kotlin("test"))
     testImplementation(libs.mokk)
     testImplementation(libs.bundles.toolbox.plugin.api)

gradle.properties

@@ -1,3 +1,3 @@
-version=0.4.0
+version=0.5.0
 group=com.coder.toolbox
 name=coder-toolbox

gradle/libs.versions.toml

@@ -16,6 +16,7 @@ gettext = "0.7.0"
 plugin-structure = "3.310"
 mockk = "1.14.4"
 detekt = "1.23.7"
+bouncycastle = "1.81"
 
 [libraries]
 toolbox-core-api = { module = "com.jetbrains.toolbox:core-api", version.ref = "toolbox-plugin-api" }
@@ -34,10 +35,13 @@ retrofit-moshi = { module = "com.squareup.retrofit2:converter-moshi", version.re
 plugin-structure = { module = "org.jetbrains.intellij.plugins:structure-toolbox", version.ref = "plugin-structure" }
 mokk = { module = "io.mockk:mockk", version.ref = "mockk" }
 marketplace-client = { module = "org.jetbrains.intellij:plugin-repository-rest-client", version.ref = "marketplace-client" }
+bouncycastle-bcpg = { module = "org.bouncycastle:bcpg-jdk18on", version.ref = "bouncycastle" }
+bouncycastle-bcprov = { module = "org.bouncycastle:bcprov-jdk18on", version.ref = "bouncycastle" }
 
 [bundles]
 serialization = ["serialization-core", "serialization-json", "serialization-json-okio"]
 toolbox-plugin-api = ["toolbox-core-api", "toolbox-ui-api", "toolbox-remote-dev-api"]
+bouncycastle = ["bouncycastle-bcpg", "bouncycastle-bcprov"]
 
 [plugins]
 kotlin = { id = "org.jetbrains.kotlin.jvm", version.ref = "kotlin" }

src/main/kotlin/com/coder/toolbox/cli/downloader/CoderDownloadApi.kt

@@ -0,0 +1,29 @@
+package com.coder.toolbox.cli.downloader
+
+import okhttp3.ResponseBody
+import retrofit2.Response
+import retrofit2.http.GET
+import retrofit2.http.Header
+import retrofit2.http.HeaderMap
+import retrofit2.http.Streaming
+import retrofit2.http.Url
+
+/**
+ * Retrofit API for downloading CLI
+ */
+interface CoderDownloadApi {
+    @GET
+    @Streaming
+    suspend fun downloadCli(
+        @Url url: String,
+        @Header("If-None-Match") eTag: String? = null,
+        @HeaderMap headers: Map<String, String> = emptyMap(),
+        @Header("Accept-Encoding") acceptEncoding: String = "gzip",
+    ): Response<ResponseBody>
+
+    @GET
+    suspend fun downloadSignature(
+        @Url url: String,
+        @HeaderMap headers: Map<String, String> = emptyMap()
+    ): Response<ResponseBody>
+}

src/main/kotlin/com/coder/toolbox/cli/downloader/CoderDownloadService.kt

@@ -0,0 +1,194 @@
+package com.coder.toolbox.cli.downloader
+
+import com.coder.toolbox.CoderToolboxContext
+import com.coder.toolbox.cli.ex.ResponseException
+import com.coder.toolbox.util.OS
+import com.coder.toolbox.util.getHeaders
+import com.coder.toolbox.util.getOS
+import com.coder.toolbox.util.sha1
+import com.coder.toolbox.util.withLastSegment
+import okhttp3.ResponseBody
+import retrofit2.Response
+import java.io.FileInputStream
+import java.net.HttpURLConnection.HTTP_NOT_FOUND
+import java.net.HttpURLConnection.HTTP_NOT_MODIFIED
+import java.net.HttpURLConnection.HTTP_OK
+import java.net.URI
+import java.net.URL
+import java.nio.file.Files
+import java.nio.file.Path
+import java.nio.file.StandardOpenOption
+import java.util.zip.GZIPInputStream
+import kotlin.io.path.name
+import kotlin.io.path.notExists
+
+/**
+ * Handles the download steps of Coder CLI
+ */
+class CoderDownloadService(
+    private val context: CoderToolboxContext,
+    private val downloadApi: CoderDownloadApi,
+    private val deploymentUrl: URL,
+    forceDownloadToData: Boolean,
+) {
+    val remoteBinaryURL: URL = context.settingsStore.binSource(deploymentUrl)
+    val localBinaryPath: Path = context.settingsStore.binPath(deploymentUrl, forceDownloadToData)
+
+    suspend fun downloadCli(buildVersion: String, showTextProgress: (String) -> Unit): DownloadResult {
+        val eTag = calculateLocalETag()
+        if (eTag != null) {
+            context.logger.info("Found existing binary at $localBinaryPath; calculated hash as $eTag")
+        }
+        val response = downloadApi.downloadCli(
+            url = remoteBinaryURL.toString(),
+            eTag = eTag?.let { "\"$it\"" },
+            headers = getRequestHeaders()
+        )
+
+        return when (response.code()) {
+            HTTP_OK -> {
+                context.logger.info("Downloading binary to $localBinaryPath")
+                response.saveToDisk(localBinaryPath, showTextProgress, buildVersion)?.makeExecutable()
+                DownloadResult.Downloaded(remoteBinaryURL, localBinaryPath)
+            }
+
+            HTTP_NOT_MODIFIED -> {
+                context.logger.info("Using cached binary at $localBinaryPath")
+                showTextProgress("Using cached binary")
+                DownloadResult.Skipped
+            }
+
+            else -> {
+                throw ResponseException(
+                    "Unexpected response from $remoteBinaryURL",
+                    response.code()
+                )
+            }
+        }
+    }
+
+    private fun calculateLocalETag(): String? {
+        return try {
+            if (localBinaryPath.notExists()) {
+                return null
+            }
+            sha1(FileInputStream(localBinaryPath.toFile()))
+        } catch (e: Exception) {
+            context.logger.warn(e, "Unable to calculate hash for $localBinaryPath")
+            null
+        }
+    }
+
+    private fun getRequestHeaders(): Map<String, String> {
+        return if (context.settingsStore.headerCommand.isNullOrBlank()) {
+            emptyMap()
+        } else {
+            getHeaders(deploymentUrl, context.settingsStore.headerCommand)
+        }
+    }
+
+    private fun Response<ResponseBody>.saveToDisk(
+        localPath: Path,
+        showTextProgress: (String) -> Unit,
+        buildVersion: String? = null
+    ): Path? {
+        val responseBody = this.body() ?: return null
+        Files.deleteIfExists(localPath)
+        Files.createDirectories(localPath.parent)
+
+        val outputStream = Files.newOutputStream(
+            localPath,
+            StandardOpenOption.CREATE,
+            StandardOpenOption.TRUNCATE_EXISTING
+        )
+        val contentEncoding = this.headers()["Content-Encoding"]
+        val sourceStream = if (contentEncoding?.contains("gzip", ignoreCase = true) == true) {
+            GZIPInputStream(responseBody.byteStream())
+        } else {
+            responseBody.byteStream()
+        }
+
+        val buffer = ByteArray(DEFAULT_BUFFER_SIZE)
+        var bytesRead: Int
+        var totalRead = 0L
+        // caching this because the settings store recomputes it every time
+        val binaryName = localPath.name
+        sourceStream.use { source ->
+            outputStream.use { sink ->
+                while (source.read(buffer).also { bytesRead = it } != -1) {
+                    sink.write(buffer, 0, bytesRead)
+                    totalRead += bytesRead
+                    showTextProgress(
+                        "$binaryName $buildVersion - ${totalRead.toHumanReadableSize()} downloaded"
+                    )
+                }
+            }
+        }
+        return localBinaryPath
+    }
+
+
+    private fun Path.makeExecutable() {
+        if (getOS() != OS.WINDOWS) {
+            context.logger.info("Making $this executable...")
+            this.toFile().setExecutable(true)
+        }
+    }
+
+    private fun Long.toHumanReadableSize(): String {
+        if (this < 1024) return "$this B"
+
+        val kb = this / 1024.0
+        if (kb < 1024) return String.format("%.1f KB", kb)
+
+        val mb = kb / 1024.0
+        if (mb < 1024) return String.format("%.1f MB", mb)
+
+        val gb = mb / 1024.0
+        return String.format("%.1f GB", gb)
+    }
+
+    suspend fun downloadSignature(showTextProgress: (String) -> Unit): DownloadResult {
+        return downloadSignature(remoteBinaryURL, showTextProgress)
+    }
+
+    private suspend fun downloadSignature(url: URL, showTextProgress: (String) -> Unit): DownloadResult {
+        val defaultCliNameWithoutExt = context.settingsStore.defaultCliBinaryNameByOsAndArch.split('.').first()
+        val signatureName = "$defaultCliNameWithoutExt.asc"
+
+        val signatureURL = url.withLastSegment(signatureName)
+        val localSignaturePath = localBinaryPath.parent.resolve(signatureName)
+        context.logger.info("Downloading signature from $signatureURL")
+
+        val response = downloadApi.downloadSignature(
+            url = signatureURL.toString(),
+            headers = getRequestHeaders()
+        )
+
+        return when (response.code()) {
+            HTTP_OK -> {
+                response.saveToDisk(localSignaturePath, showTextProgress)
+                DownloadResult.Downloaded(signatureURL, localSignaturePath)
+            }
+
+            HTTP_NOT_FOUND -> {
+                context.logger.warn("Signature file not found at $signatureURL")
+                DownloadResult.NotFound
+            }
+
+            else -> {
+                DownloadResult.Failed(
+                    ResponseException(
+                        "Failed to download signature from $signatureURL",
+                        response.code()
+                    )
+                )
+            }
+        }
+
+    }
+
+    suspend fun downloadReleasesSignature(showTextProgress: (String) -> Unit): DownloadResult {
+        return downloadSignature(URI.create("https://releases.coder.com/bin").toURL(), showTextProgress)
+    }
+}

src/main/kotlin/com/coder/toolbox/cli/downloader/DownloadResult.kt

@@ -0,0 +1,23 @@
+package com.coder.toolbox.cli.downloader
+
+import java.net.URL
+import java.nio.file.Path
+
+
+/**
+ * Result of a download operation
+ */
+sealed class DownloadResult {
+    object Skipped : DownloadResult()
+    object NotFound : DownloadResult()
+    data class Downloaded(val source: URL, val dst: Path) : DownloadResult()
+    data class Failed(val error: Exception) : DownloadResult()
+
+    fun isSkipped(): Boolean = this is Skipped
+
+    fun isNotFoundOrFailed(): Boolean = this is NotFound || this is Failed
+
+    fun isDownloaded(): Boolean = this is Downloaded
+
+    fun isNotDownloaded(): Boolean = this !is Downloaded
+}

src/main/kotlin/com/coder/toolbox/cli/ex/Exceptions.kt

@@ -5,3 +5,5 @@ class ResponseException(message: String, val code: Int) : Exception(message)
 class SSHConfigFormatException(message: String) : Exception(message)
 
 class MissingVersionException(message: String) : Exception(message)
+
+class UnsignedBinaryExecutionDeniedException(message: String?) : Exception(message)