sortedcord/bootstrap
1
0
Fork 0
Code Issues 18 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

feat: Add Client Authentication and Provisioning Plugin #22

Open
sortedcord wants to merge 2 commits from feat/auth-plugin into master
pull from: feat/auth-plugin
merge into: sortedcord:master
Conversation 0 Commits 2 Files Changed 5 +263 -1
sortedcord commented 2026-06-27 09:08:04 +05:30
Owner
Copy Link

This Pull Request implements the Client Authentication and Provisioning flow. It enables secure onboarding of new client devices and authorization by administrators using SSH Ed25519 key verification and age encryption.

Closes #20

Changes Proposed

1. Cryptographic Client Plugin (plugins/auth.sh)

  • Implemented plugins/auth.sh handling both requester (me) and approver (trust) roles.
  • Requester Flow (b me):
    • Generates SSH Ed25519 keys securely without passphrase under ~/.config/bootstrap-client/.
    • Submits hardware metrics (hostname, os) alongside the public key to /api/register.
    • Obtains user_code and challenge_nonce.
    • Polls /api/challenge/poll by signing the nonce using ssh-keygen -Y sign (namespace: bootstrap).
    • Decrypts the payload dynamically using age -d -i ~/.config/bootstrap-client/id_ed25519 and writes it to secrets.decrypted.
  • Approver Flow (b trust <user_code>):
    • Resolves pending public keys via /api/pending/<user_code>.
    • Prompts the administrator for verification.
    • Digitally signs the public key using the admin's private key (ssh-keygen -Y sign) and submits the base64 signature alongside the fingerprint to /api/approve.

2. Router Integration (lib/routes.sh)

  • Intercepts me and trust commands to lazy-load the auth plugin via run_plugin "auth".

3. Autocompletion (b.sh)

  • Updated autocomplete options to support completing the me and trust commands after b.

4. Local Installation Updates (bootstrap.sh)

  • Updated the local installation routine to copy the plugins/ directory (similar to installers/) to $BOOTSTRAP_DIR during local development bootstrapping.

5. Plugin Manifest (plugins.json)

  • Registered auth in the local plugin catalog.

Verification & Testing

  1. Run bootstrap.sh to sync the changes locally.
  2. Initiated the requester flow: 
    $ b me
[INFO] Running plugin 'auth'...
[INFO] Registering device with https://b.adityagupta.dev/auth...
--------------------------------------------------------
[SUCCESS] Device registration initiated successfully!
Please authorize this device on your administrator machine using:
  b trust Oi1r2P --server https://b.adityagupta.dev/auth
--------------------------------------------------------
Verification Code: Oi1r2P
--------------------------------------------------------
[INFO] Waiting for administrator approval (polling every 5s)...
  3. Verified that all generated signature files are securely removed from /tmp upon script termination.
This Pull Request implements the Client Authentication and Provisioning flow. It enables secure onboarding of new client devices and authorization by administrators using SSH Ed25519 key verification and `age` encryption. Closes #20 ## Changes Proposed ### 1. Cryptographic Client Plugin (`plugins/auth.sh`) - Implemented `plugins/auth.sh` handling both requester (`me`) and approver (`trust`) roles. - **Requester Flow (`b me`)**: - Generates SSH Ed25519 keys securely without passphrase under `~/.config/bootstrap-client/`. - Submits hardware metrics (`hostname`, `os`) alongside the public key to `/api/register`. - Obtains `user_code` and `challenge_nonce`. - Polls `/api/challenge/poll` by signing the nonce using `ssh-keygen -Y sign` (namespace: `bootstrap`). - Decrypts the payload dynamically using `age -d -i ~/.config/bootstrap-client/id_ed25519` and writes it to `secrets.decrypted`. - **Approver Flow (`b trust <user_code>`)**: - Resolves pending public keys via `/api/pending/<user_code>`. - Prompts the administrator for verification. - Digitally signs the public key using the admin's private key (`ssh-keygen -Y sign`) and submits the base64 signature alongside the fingerprint to `/api/approve`. ### 2. Router Integration (`lib/routes.sh`) - Intercepts `me` and `trust` commands to lazy-load the `auth` plugin via `run_plugin "auth"`. ### 3. Autocompletion (`b.sh`) - Updated autocomplete options to support completing the `me` and `trust` commands after `b`. ### 4. Local Installation Updates (`bootstrap.sh`) - Updated the local installation routine to copy the `plugins/` directory (similar to `installers/`) to `$BOOTSTRAP_DIR` during local development bootstrapping. ### 5. Plugin Manifest (`plugins.json`) - Registered `auth` in the local plugin catalog. ## Verification & Testing 1. Run `bootstrap.sh` to sync the changes locally. 2. Initiated the requester flow: ```bash $ b me [INFO] Running plugin 'auth'... [INFO] Registering device with https://b.adityagupta.dev/auth... -------------------------------------------------------- [SUCCESS] Device registration initiated successfully! Please authorize this device on your administrator machine using: b trust Oi1r2P --server https://b.adityagupta.dev/auth -------------------------------------------------------- Verification Code: Oi1r2P -------------------------------------------------------- [INFO] Waiting for administrator approval (polling every 5s)... ``` 4. Verified that all generated signature files are securely removed from `/tmp` upon script termination.
sortedcord added 1 commit 2026-06-27 09:08:04 +05:30
feat: Implemented client spec for bootstrap-auth-server with b me and b trust
Some checks failed
Lint / lint (push) Failing after 17s
Details
Lint / lint (pull_request) Failing after 12s
Details
ed56ef95a9
sortedcord added 1 commit 2026-06-27 09:36:38 +05:30
refactor(plugin:auth): Removed dependency loop in favour of pkg_install
Some checks failed
Lint / lint (push) Failing after 14s
Details
Lint / lint (pull_request) Failing after 12s
Details
db6ec1c1c8
Some checks failed
Lint / lint (push) Failing after 14s
Details
Lint / lint (pull_request) Failing after 12s
Details
This pull request can be merged automatically.
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin feat/auth-plugin:feat/auth-plugin
git checkout feat/auth-plugin
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
sortedcord
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: sortedcord/bootstrap#22
Delete Branch "feat/auth-plugin"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?