Port envd from e2b with internalized shared packages and Connect RPC

- Copy envd source from e2b-dev/infra, internalize shared dependencies into envd/internal/shared/ (keys, filesystem, id, smap, utils) - Switch from gRPC to Connect RPC for all envd services - Update module paths to git.omukk.dev/wrenn/{sandbox,sandbox/envd} - Add proto specs (process, filesystem) with buf-based code generation - Implement full envd: process exec, filesystem ops, port forwarding, cgroup management, MMDS integration, and HTTP API - Update main module dependencies (firecracker SDK, pgx, goose, etc.) - Remove placeholder .gitkeep files replaced by real implementations
2026-03-09 21:03:19 +06:00
parent bd78cc068c
commit a3898d68fb
99 changed files with 17185 additions and 24 deletions
--- a/envd/internal/shared/keys/constants.go
+++ b/envd/internal/shared/keys/constants.go
@ -0,0 +1,6 @@
+package keys
+
+const (
+	ApiKeyPrefix      = "wrn_"
+	AccessTokenPrefix = "sk_wrn_"
+)
--- a/envd/internal/shared/keys/hashing.go
+++ b/envd/internal/shared/keys/hashing.go
@ -0,0 +1,5 @@
+package keys
+
+type Hasher interface {
+	Hash(key []byte) string
+}
--- a/envd/internal/shared/keys/hmac_sha256.go
+++ b/envd/internal/shared/keys/hmac_sha256.go
@ -0,0 +1,25 @@
+package keys
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/hex"
+)
+
+type HMACSha256Hashing struct {
+	key []byte
+}
+
+func NewHMACSHA256Hashing(key []byte) *HMACSha256Hashing {
+	return &HMACSha256Hashing{key: key}
+}
+
+func (h *HMACSha256Hashing) Hash(content []byte) (string, error) {
+	mac := hmac.New(sha256.New, h.key)
+	_, err := mac.Write(content)
+	if err != nil {
+		return "", err
+	}
+
+	return hex.EncodeToString(mac.Sum(nil)), nil
+}
--- a/envd/internal/shared/keys/hmac_sha256_test.go
+++ b/envd/internal/shared/keys/hmac_sha256_test.go
@ -0,0 +1,74 @@
+package keys
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/hex"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestHMACSha256Hashing_ValidHash(t *testing.T) {
+	t.Parallel()
+	key := []byte("test-key")
+	hasher := NewHMACSHA256Hashing(key)
+	content := []byte("hello world")
+	expectedHash := "18c4b268f0bbf8471eda56af3e70b1d4613d734dc538b4940b59931c412a1591"
+	actualHash, err := hasher.Hash(content)
+	require.NoError(t, err)
+
+	if actualHash != expectedHash {
+		t.Errorf("expected %s, got %s", expectedHash, actualHash)
+	}
+}
+
+func TestHMACSha256Hashing_EmptyContent(t *testing.T) {
+	t.Parallel()
+	key := []byte("test-key")
+	hasher := NewHMACSHA256Hashing(key)
+	content := []byte("")
+	expectedHash := "2711cc23e9ab1b8a9bc0fe991238da92671624a9ebdaf1c1abec06e7e9a14f9b"
+	actualHash, err := hasher.Hash(content)
+	require.NoError(t, err)
+
+	if actualHash != expectedHash {
+		t.Errorf("expected %s, got %s", expectedHash, actualHash)
+	}
+}
+
+func TestHMACSha256Hashing_DifferentKey(t *testing.T) {
+	t.Parallel()
+	key := []byte("test-key")
+	hasher := NewHMACSHA256Hashing(key)
+	differentKeyHasher := NewHMACSHA256Hashing([]byte("different-key"))
+	content := []byte("hello world")
+
+	hashWithOriginalKey, err := hasher.Hash(content)
+	require.NoError(t, err)
+
+	hashWithDifferentKey, err := differentKeyHasher.Hash(content)
+	require.NoError(t, err)
+
+	if hashWithOriginalKey == hashWithDifferentKey {
+		t.Errorf("hashes with different keys should not match")
+	}
+}
+
+func TestHMACSha256Hashing_IdenticalResult(t *testing.T) {
+	t.Parallel()
+	key := []byte("placeholder-hashing-key")
+	content := []byte("test content for hashing")
+
+	mac := hmac.New(sha256.New, key)
+	mac.Write(content)
+	expectedResult := hex.EncodeToString(mac.Sum(nil))
+
+	hasher := NewHMACSHA256Hashing(key)
+	actualResult, err := hasher.Hash(content)
+	require.NoError(t, err)
+
+	if actualResult != expectedResult {
+		t.Errorf("expected %s, got %s", expectedResult, actualResult)
+	}
+}
--- a/envd/internal/shared/keys/key.go
+++ b/envd/internal/shared/keys/key.go
@ -0,0 +1,99 @@
+package keys
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+	"fmt"
+	"strings"
+)
+
+const (
+	identifierValueSuffixLength = 4
+	identifierValuePrefixLength = 2
+
+	keyLength = 20
+)
+
+var hasher Hasher = NewSHA256Hashing()
+
+type Key struct {
+	PrefixedRawValue string
+	HashedValue      string
+	Masked           MaskedIdentifier
+}
+
+type MaskedIdentifier struct {
+	Prefix            string
+	ValueLength       int
+	MaskedValuePrefix string
+	MaskedValueSuffix string
+}
+
+// MaskKey returns identifier masking properties in accordance to the OpenAPI response spec
+func MaskKey(prefix, value string) (MaskedIdentifier, error) {
+	valueLength := len(value)
+
+	suffixOffset := valueLength - identifierValueSuffixLength
+	prefixOffset := identifierValuePrefixLength
+
+	if suffixOffset < 0 {
+		return MaskedIdentifier{}, fmt.Errorf("mask value length is less than identifier suffix length (%d)", identifierValueSuffixLength)
+	}
+
+	if suffixOffset == 0 {
+		return MaskedIdentifier{}, fmt.Errorf("mask value length is equal to identifier suffix length (%d), which would expose the entire identifier in the mask", identifierValueSuffixLength)
+	}
+
+	// cap prefixOffset by suffixOffset to prevent overlap with the suffix.
+	if prefixOffset > suffixOffset {
+		prefixOffset = suffixOffset
+	}
+
+	maskPrefix := value[:prefixOffset]
+	maskSuffix := value[suffixOffset:]
+
+	maskedIdentifierProperties := MaskedIdentifier{
+		Prefix:            prefix,
+		ValueLength:       valueLength,
+		MaskedValuePrefix: maskPrefix,
+		MaskedValueSuffix: maskSuffix,
+	}
+
+	return maskedIdentifierProperties, nil
+}
+
+func GenerateKey(prefix string) (Key, error) {
+	keyBytes := make([]byte, keyLength)
+
+	_, err := rand.Read(keyBytes)
+	if err != nil {
+		return Key{}, err
+	}
+
+	generatedIdentifier := hex.EncodeToString(keyBytes)
+
+	mask, err := MaskKey(prefix, generatedIdentifier)
+	if err != nil {
+		return Key{}, err
+	}
+
+	return Key{
+		PrefixedRawValue: prefix + generatedIdentifier,
+		HashedValue:      hasher.Hash(keyBytes),
+		Masked:           mask,
+	}, nil
+}
+
+func VerifyKey(prefix string, key string) (string, error) {
+	if !strings.HasPrefix(key, prefix) {
+		return "", fmt.Errorf("invalid key prefix")
+	}
+
+	keyValue := key[len(prefix):]
+	keyBytes, err := hex.DecodeString(keyValue)
+	if err != nil {
+		return "", fmt.Errorf("invalid key")
+	}
+
+	return hasher.Hash(keyBytes), nil
+}
--- a/envd/internal/shared/keys/key_test.go
+++ b/envd/internal/shared/keys/key_test.go
@ -0,0 +1,160 @@
+package keys
+
+import (
+	"fmt"
+	"strconv"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestMaskKey(t *testing.T) {
+	t.Parallel()
+	t.Run("succeeds: value longer than suffix length", func(t *testing.T) {
+		t.Parallel()
+		masked, err := MaskKey("test_", "1234567890")
+		require.NoError(t, err)
+		assert.Equal(t, "test_", masked.Prefix)
+		assert.Equal(t, "12", masked.MaskedValuePrefix)
+		assert.Equal(t, "7890", masked.MaskedValueSuffix)
+	})
+
+	t.Run("succeeds: empty prefix, value longer than suffix length", func(t *testing.T) {
+		t.Parallel()
+		masked, err := MaskKey("", "1234567890")
+		require.NoError(t, err)
+		assert.Empty(t, masked.Prefix)
+		assert.Equal(t, "12", masked.MaskedValuePrefix)
+		assert.Equal(t, "7890", masked.MaskedValueSuffix)
+	})
+
+	t.Run("error: value length less than suffix length", func(t *testing.T) {
+		t.Parallel()
+		_, err := MaskKey("test", "123")
+		require.Error(t, err)
+		assert.EqualError(t, err, fmt.Sprintf("mask value length is less than identifier suffix length (%d)", identifierValueSuffixLength))
+	})
+
+	t.Run("error: value length equals suffix length", func(t *testing.T) {
+		t.Parallel()
+		_, err := MaskKey("test", "1234")
+		require.Error(t, err)
+		assert.EqualError(t, err, fmt.Sprintf("mask value length is equal to identifier suffix length (%d), which would expose the entire identifier in the mask", identifierValueSuffixLength))
+	})
+}
+
+func TestGenerateKey(t *testing.T) {
+	t.Parallel()
+	keyLength := 40
+
+	t.Run("succeeds", func(t *testing.T) {
+		t.Parallel()
+		key, err := GenerateKey("test_")
+		require.NoError(t, err)
+		assert.Regexp(t, "^test_.*", key.PrefixedRawValue)
+		assert.Equal(t, "test_", key.Masked.Prefix)
+		assert.Equal(t, keyLength, key.Masked.ValueLength)
+		assert.Regexp(t, "^[0-9a-f]{"+strconv.Itoa(identifierValuePrefixLength)+"}$", key.Masked.MaskedValuePrefix)
+		assert.Regexp(t, "^[0-9a-f]{"+strconv.Itoa(identifierValueSuffixLength)+"}$", key.Masked.MaskedValueSuffix)
+		assert.Regexp(t, "^\\$sha256\\$.*", key.HashedValue)
+	})
+
+	t.Run("no prefix", func(t *testing.T) {
+		t.Parallel()
+		key, err := GenerateKey("")
+		require.NoError(t, err)
+		assert.Regexp(t, "^[0-9a-f]{"+strconv.Itoa(keyLength)+"}$", key.PrefixedRawValue)
+		assert.Empty(t, key.Masked.Prefix)
+		assert.Equal(t, keyLength, key.Masked.ValueLength)
+		assert.Regexp(t, "^[0-9a-f]{"+strconv.Itoa(identifierValuePrefixLength)+"}$", key.Masked.MaskedValuePrefix)
+		assert.Regexp(t, "^[0-9a-f]{"+strconv.Itoa(identifierValueSuffixLength)+"}$", key.Masked.MaskedValueSuffix)
+		assert.Regexp(t, "^\\$sha256\\$.*", key.HashedValue)
+	})
+}
+
+func TestGetMaskedIdentifierProperties(t *testing.T) {
+	t.Parallel()
+	type testCase struct {
+		name              string
+		prefix            string
+		value             string
+		expectedResult    MaskedIdentifier
+		expectedErrString string
+	}
+
+	testCases := []testCase{
+		// --- ERROR CASES (value's length <= identifierValueSuffixLength) ---
+		{
+			name:              "error: value length < suffix length (3 vs 4)",
+			prefix:            "pk_",
+			value:             "abc",
+			expectedResult:    MaskedIdentifier{},
+			expectedErrString: fmt.Sprintf("mask value length is less than identifier suffix length (%d)", identifierValueSuffixLength),
+		},
+		{
+			name:              "error: value length == suffix length (4 vs 4)",
+			prefix:            "sk_",
+			value:             "abcd",
+			expectedResult:    MaskedIdentifier{},
+			expectedErrString: fmt.Sprintf("mask value length is equal to identifier suffix length (%d), which would expose the entire identifier in the mask", identifierValueSuffixLength),
+		},
+		{
+			name:              "error: value length < suffix length (0 vs 4, empty value)",
+			prefix:            "err_",
+			value:             "",
+			expectedResult:    MaskedIdentifier{},
+			expectedErrString: fmt.Sprintf("mask value length is less than identifier suffix length (%d)", identifierValueSuffixLength),
+		},
+
+		// --- SUCCESS CASES (value's length > identifierValueSuffixLength) ---
+		{
+			name:   "success: value long (10), prefix val len fully used",
+			prefix: "pk_",
+			value:  "abcdefghij",
+			expectedResult: MaskedIdentifier{
+				Prefix:            "pk_",
+				ValueLength:       10,
+				MaskedValuePrefix: "ab",
+				MaskedValueSuffix: "ghij",
+			},
+		},
+		{
+			name:   "success: value medium (5), prefix val len truncated by overlap",
+			prefix: "",
+			value:  "abcde",
+			expectedResult: MaskedIdentifier{
+				Prefix:            "",
+				ValueLength:       5,
+				MaskedValuePrefix: "a",
+				MaskedValueSuffix: "bcde",
+			},
+		},
+		{
+			name:   "success: value medium (6), prefix val len fits exactly",
+			prefix: "pk_",
+			value:  "abcdef",
+			expectedResult: MaskedIdentifier{
+				Prefix:            "pk_",
+				ValueLength:       6,
+				MaskedValuePrefix: "ab",
+				MaskedValueSuffix: "cdef",
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			result, err := MaskKey(tc.prefix, tc.value)
+
+			if tc.expectedErrString != "" {
+				require.EqualError(t, err, tc.expectedErrString)
+				assert.Equal(t, tc.expectedResult, result)
+			} else {
+				require.NoError(t, err)
+				assert.Equal(t, tc.expectedResult, result)
+			}
+		})
+	}
+}
--- a/envd/internal/shared/keys/sha256.go
+++ b/envd/internal/shared/keys/sha256.go
@ -0,0 +1,30 @@
+package keys
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+)
+
+type Sha256Hashing struct{}
+
+func NewSHA256Hashing() *Sha256Hashing {
+	return &Sha256Hashing{}
+}
+
+func (h *Sha256Hashing) Hash(key []byte) string {
+	hashBytes := sha256.Sum256(key)
+
+	hash64 := base64.RawStdEncoding.EncodeToString(hashBytes[:])
+
+	return fmt.Sprintf(
+		"$sha256$%s",
+		hash64,
+	)
+}
+
+func (h *Sha256Hashing) HashWithoutPrefix(key []byte) string {
+	hashBytes := sha256.Sum256(key)
+
+	return base64.RawStdEncoding.EncodeToString(hashBytes[:])
+}
--- a/envd/internal/shared/keys/sha256_test.go
+++ b/envd/internal/shared/keys/sha256_test.go
@ -0,0 +1,15 @@
+package keys
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSHA256Hashing(t *testing.T) {
+	t.Parallel()
+	hasher := NewSHA256Hashing()
+
+	hashed := hasher.Hash([]byte("test"))
+	assert.Regexp(t, "^\\$sha256\\$.*", hashed)
+}
--- a/envd/internal/shared/keys/sha512.go
+++ b/envd/internal/shared/keys/sha512.go
@ -0,0 +1,20 @@
+package keys
+
+import (
+	"crypto/sha512"
+	"encoding/hex"
+)
+
+// HashAccessToken computes the SHA-512 hash of an access token.
+func HashAccessToken(token string) string {
+	h := sha512.Sum512([]byte(token))
+
+	return hex.EncodeToString(h[:])
+}
+
+// HashAccessTokenBytes computes the SHA-512 hash of an access token from bytes.
+func HashAccessTokenBytes(token []byte) string {
+	h := sha512.Sum512(token)
+
+	return hex.EncodeToString(h[:])
+}