Merge pull request #31 from wiktor-k/wiktor/add-project-tools

Add a couple of project quality-of-life improvements

.codespellrc

@@ -1,3 +1,3 @@
 [codespell]
-skip = .cargo,.git,target
+skip = .cargo,.git,target,Cargo.lock
 ignore-words-list = crate,ser

.gitattributes

@@ -0,0 +1 @@
+* text eol=lf

.github/FUNDING.yml

@@ -0,0 +1 @@
+github: wiktor-k

.github/workflows/ci.yml

@@ -17,8 +17,11 @@ jobs:
     name: Check spelling
     runs-on: ubuntu-latest
     steps:
+      - uses: actions/checkout@v4
+      - run: cargo install --locked just
+      - run: sudo apt-get install -y codespell
       - name: Check spelling
-        uses: codespell-project/actions-codespell@master
+        run: just spelling
 
   formatting:
     name: Check formatting
@@ -31,8 +34,11 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
+      - run: cargo install --locked just
+      - run: rustup install nightly
+      - run: rustup component add rustfmt --toolchain nightly
       - name: Check formatting
-        run: cargo fmt --all -- --check
+        run: just formatting
 
   tests:
     name: Unit tests
@@ -45,9 +51,25 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
-      - name: Build and test
-        run: cargo build --verbose --all && cargo test --verbose --all
-
+      - run: cargo install --locked just
+      - name: Run unit tests
+        run: just tests
+
+  deps:
+    name: Check dependencies
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+        - os: macos-latest
+        - os: windows-latest
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+      - run: cargo install --locked just cargo-deny
+      - name: Run unit tests
+        run: just dependencies
+
   lints:
     name: Clippy lints
     strategy:
@@ -59,8 +81,9 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
+      - run: cargo install --locked just
       - name: Check for lints
-        run: cargo clippy -- -D warnings
+        run: just lints
 
   integration:
     name: Integration tests

.justfile

@@ -0,0 +1,66 @@
+#!/usr/bin/env -S just --working-directory . --justfile
+# Since this is a first recipe it's being run by default.
+# Faster checks need to be executed first for better UX.  For example
+
+# codespell is very fast. cargo fmt does not need to download crates etc.
+check: spelling formatting lints dependencies tests
+
+# Checks common spelling mistakes
+spelling:
+    codespell
+
+# Checks source code formatting
+formatting:
+    just --unstable --fmt --check
+    # We're using nightly to properly group imports, see .rustfmt.toml
+    cargo +nightly fmt -- --check
+
+# Lints the source code
+lints:
+    cargo clippy --all -- -D warnings
+
+# Checks for issues with dependencies
+dependencies:
+    cargo deny check
+
+# Runs all unit tests. By default ignored tests are not run. Run with `ignored=true` to run only ignored tests
+tests:
+    cargo test --all
+
+# Checks for commit messages
+check-commits REFS='main..':
+    #!/usr/bin/env bash
+    set -euo pipefail
+    for commit in $(git rev-list "{{ REFS }}"); do
+      MSG="$(git show -s --format=%B "$commit")"
+      CODESPELL_RC="$(mktemp)"
+      git show "$commit:.codespellrc" > "$CODESPELL_RC"
+      if ! grep -q "Signed-off-by: " <<< "$MSG"; then
+        printf "Commit %s lacks \"Signed-off-by\" line.\n" "$commit"
+        printf "%s\n" \
+            "  Please use:" \
+            "    git rebase --signoff main && git push --force-with-lease" \
+            "  See https://developercertificate.org/ for more details."
+        exit 1;
+      elif ! codespell --config "$CODESPELL_RC" - <<< "$MSG"; then
+        printf "The spelling in commit %s needs improvement.\n" "$commit"
+        exit 1;
+      else
+        printf "Commit %s is good.\n" "$commit"
+      fi
+    done
+
+# Fixes common issues. Files need to be git add'ed
+fix:
+    #!/usr/bin/env bash
+    if ! git diff-files --quiet ; then
+        echo "Working tree has changes. Please stage them: git add ."
+        exit 1
+    fi
+
+    codespell --write-changes
+    just --unstable --fmt
+    cargo clippy --fix --allow-staged
+
+    # fmt must be last as clippy's changes may break formatting
+    cargo +nightly fmt

.rustfmt.toml

@@ -0,0 +1,5 @@
+# CHECK: https://github.com/rust-lang/rustfmt/issues/5083 state == open
+group_imports = "StdExternalCrate"
+
+# CHECK: https://github.com/rust-lang/rustfmt/issues/3348 state == open
+format_code_in_doc_comments = true

CONTRIBUTING.md

@@ -0,0 +1,76 @@
+# Contributing
+
+Thanks for taking the time to contribute to this project!
+
+All changes need to:
+
+- pass basic checks, including tests, formatting and lints,
+- be signed-off.
+
+## Basic checks
+
+We are using standard Rust ecosystem tools including `rustfmt` and `clippy` with one minor difference.
+Due to a couple of `rustfmt` features being available only in nightly (see the `.rustfmt.toml` file) nightly `rustfmt` is necessary.
+
+All of these details are captured in a `.justfile` and can be checked by running [`just`'](https://just.systems/).
+
+To run all checks locally before sending them to CI you can set your git hooks directory:
+
+```sh
+git config core.hooksPath scripts/hooks/
+```
+
+## Developer Certificate of Origin
+
+The sign-off is a simple line at the end of the git commit message, which certifies that you wrote it or otherwise have the right to pass it on as a open-source patch.
+
+The rules are pretty simple: if you can [certify the below][DCO]:
+
+```
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the open source license
+    indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate open source
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same open source license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project or the open source license(s) involved.
+```
+
+then you just add a line saying
+
+    Signed-off-by: Random J Developer <[email protected]>
+
+using your name.
+
+If you set your `user.name` and `user.email`, you can sign your commit automatically with [`git commit --signoff`][GSO].
+
+To sign-off your last commit:
+
+    git commit --amend --signoff
+
+[DCO]: https://developercertificate.org
+[GSO]: https://git-scm.com/docs/git-commit#git-commit---signoff
+
+If you want to fix multiple commits use:
+
+    git rebase --signoff main
+
+To check if your commits are correctly signed-off locally use `just check-commits`.

SECURITY.md

@@ -0,0 +1,27 @@
+# Security policy
+
+If you have discovered a security vulnerability in this project, please report it privately.
+Do not disclose it as a public issue.
+This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released.
+
+This project is maintained by a team of volunteers on a reasonable-effort basis.
+As such, please give us at least 90 days to work on a fix before public exposure.
+We will contact you back within 2 business days after reporting the issue.
+
+Thanks for helping make the project safe for everyone!
+
+## Reporting a vulnerability
+
+Please, report the vulnerability either through [new security advisory form][ADV] or by directly contacting our security contacts.
+
+[ADV]: https://github.com/wiktor-k/ssh-agent-lib/security/advisories/new
+
+Security contacts:
+  - [Wiktor Kwapisiewicz][WK], preferably encrypted with the following OpenPGP certificate: [`6539 09A2 F0E3 7C10 6F5F AF54 6C88 57E0 D8E8 F074`][KEY].
+
+[WK]: https://github.com/wiktor-k
+[KEY]: https://keys.openpgp.org/vks/v1/by-fingerprint/653909A2F0E37C106F5FAF546C8857E0D8E8F074
+
+## Supported Versions
+
+Security updates are applied only to the most recent release.

deny.toml

@@ -0,0 +1,20 @@
+[advisories]
+version = 2
+yanked = "deny"
+ignore = [
+  "RUSTSEC-2023-0071",  # the vurnerable crate is used in tests only
+]
+
+[bans]
+deny = [
+]
+multiple-versions = "allow"
+
+[licenses]
+version = 2
+allow = [
+  "Apache-2.0",
+  "MIT",
+  "Unicode-DFS-2016",
+  "BSD-3-Clause",
+]

examples/key_storage.rs

@@ -1,28 +1,26 @@
+use std::error::Error;
+use std::sync::{Arc, Mutex};
+
 use async_trait::async_trait;
 use log::info;
+use rsa::pkcs1v15::SigningKey;
+use rsa::sha2::{Sha256, Sha512};
+use rsa::signature::{RandomizedSigner, SignatureEncoding};
+use rsa::BigUint;
+use sha1::Sha1;
 #[cfg(windows)]
 use ssh_agent_lib::agent::NamedPipeListener as Listener;
-use ssh_agent_lib::proto::extension::SessionBind;
-#[cfg(not(windows))]
-use tokio::net::UnixListener as Listener;
-
 use ssh_agent_lib::agent::{Agent, Session};
+use ssh_agent_lib::proto::extension::SessionBind;
 use ssh_agent_lib::proto::message::{self, Message, SignRequest};
 use ssh_agent_lib::proto::{signature, AddIdentityConstrained, KeyConstraint};
 use ssh_key::{
     private::{KeypairData, PrivateKey},
     public::PublicKey,
     Algorithm, Signature,
 };
-
-use std::error::Error;
-use std::sync::{Arc, Mutex};
-
-use rsa::pkcs1v15::SigningKey;
-use rsa::sha2::{Sha256, Sha512};
-use rsa::signature::{RandomizedSigner, SignatureEncoding};
-use rsa::BigUint;
-use sha1::Sha1;
+#[cfg(not(windows))]
+use tokio::net::UnixListener as Listener;
 
 #[derive(Clone, PartialEq, Debug)]
 struct Identity {
@@ -79,9 +77,9 @@ impl KeyStorage {
                     let algorithm;
 
                     let private_key = rsa::RsaPrivateKey::from_components(
-                        BigUint::from_bytes_be(&key.public.n.as_bytes()),
-                        BigUint::from_bytes_be(&key.public.e.as_bytes()),
-                        BigUint::from_bytes_be(&key.private.d.as_bytes()),
+                        BigUint::from_bytes_be(key.public.n.as_bytes()),
+                        BigUint::from_bytes_be(key.public.e.as_bytes()),
+                        BigUint::from_bytes_be(key.private.d.as_bytes()),
                         vec![],
                     )?;
                     let mut rng = rand::thread_rng();