futu_auth/

machine.rs

//! 软机器绑定（soft machine binding）
//!
//! 将 API Key 与一个稳定的机器指纹绑定，防止 keys.json 被整体复制到别的机器后仍可用。
//!
//! ## 强度说明 — 这是"软"绑定，不是硬件锁
//!
//! - Linux: 读 `/etc/machine-id`（world-readable，只需文件读权限即可拿到）
//! - macOS: 解析 `ioreg` 输出拿 `IOPlatformUUID`（任何用户都能跑 ioreg）
//! - Windows: 暂不支持，跳过校验
//!
//! 能挡住：
//! - 把 `keys.json` 整个拷到别的开发机 / VM / Docker 镜像里直接用
//! - 密钥不小心进了 git，clone 到别的机器也跑不起来
//!
//! 挡不住：
//! - 攻击者已经登上目标机器 → 他能读到 machine-id，就能伪造指纹
//! - 真要强绑定得走 TPM / Secure Enclave，那是未来版本的事
//!
//! ## 指纹公式
//!
//! `SHA-256("futu-machine-bind:v1:" || key_id || ":" || raw_machine_id)` → 64 位 hex
//!
//! key_id 混入哈希的目的是：同一台机器上不同 key 的指纹不同，泄漏一个 key 的指纹
//! 不会暴露别的 key 绑定的是不是同一台机器。

use std::sync::OnceLock;

use sha2::{Digest, Sha256};

#[derive(Debug, thiserror::Error)]
pub enum MachineError {
    #[error("platform not supported for machine binding (only macOS/Linux)")]
    Unsupported,
    #[error("failed to read machine id: {0}")]
    Io(String),
    #[error("machine id empty or malformed")]
    Malformed,
    #[error("key bound to different machine")]
    Mismatch,
}

/// 获取本机原始 machine-id（每进程只调用一次，后续走缓存）
pub fn raw_machine_id() -> Result<String, MachineError> {
    static CACHE: OnceLock<Result<String, String>> = OnceLock::new();
    match CACHE.get_or_init(|| read_raw_machine_id().map_err(|e| e.to_string())) {
        Ok(s) => Ok(s.clone()),
        Err(e) => Err(map_cached_err(e)),
    }
}

fn map_cached_err(s: &str) -> MachineError {
    if s == "platform not supported for machine binding (only macOS/Linux)" {
        MachineError::Unsupported
    } else if s == "machine id empty or malformed" {
        MachineError::Malformed
    } else {
        MachineError::Io(s.to_string())
    }
}

#[cfg(target_os = "linux")]
fn read_raw_machine_id() -> Result<String, MachineError> {
    for path in ["/etc/machine-id", "/var/lib/dbus/machine-id"] {
        if let Ok(s) = std::fs::read_to_string(path) {
            let trimmed = s.trim();
            if !trimmed.is_empty() {
                return Ok(trimmed.to_string());
            }
        }
    }
    Err(MachineError::Io("/etc/machine-id not readable".to_string()))
}

#[cfg(target_os = "macos")]
fn read_raw_machine_id() -> Result<String, MachineError> {
    let out = std::process::Command::new("ioreg")
        .args(["-rd1", "-c", "IOPlatformExpertDevice"])
        .output()
        .map_err(|e| MachineError::Io(format!("ioreg: {e}")))?;
    if !out.status.success() {
        return Err(MachineError::Io(format!("ioreg exit {}", out.status)));
    }
    let text = String::from_utf8_lossy(&out.stdout);
    for line in text.lines() {
        if let Some((_before, after)) = line.split_once("\"IOPlatformUUID\"") {
            // 格式: "IOPlatformUUID" = "XXXX-XXXX-..."
            let after_eq = after.split_once('=').map(|x| x.1).unwrap_or("");
            let start = after_eq.find('"').map(|i| i + 1);
            let end = start.and_then(|s| after_eq[s..].find('"').map(|e| s + e));
            if let (Some(s), Some(e)) = (start, end) {
                let uuid = &after_eq[s..e];
                if !uuid.is_empty() {
                    return Ok(uuid.to_string());
                }
            }
        }
    }
    Err(MachineError::Malformed)
}

#[cfg(not(any(target_os = "linux", target_os = "macos")))]
fn read_raw_machine_id() -> Result<String, MachineError> {
    Err(MachineError::Unsupported)
}

/// 计算指定 key_id 在本机的指纹哈希（64 位 hex）
pub fn fingerprint_for(key_id: &str) -> Result<String, MachineError> {
    let raw = raw_machine_id()?;
    Ok(fingerprint_from_raw(key_id, &raw))
}

/// 纯函数版本（方便单元测试）
pub fn fingerprint_from_raw(key_id: &str, raw: &str) -> String {
    let mut h = Sha256::new();
    h.update(b"futu-machine-bind:v1:");
    h.update(key_id.as_bytes());
    h.update(b":");
    h.update(raw.as_bytes());
    hex::encode(h.finalize())
}

/// 检查本机指纹是否在白名单里
///
/// - `allowed` 为 `None` → 视为未启用机器绑定，始终通过
/// - `allowed` 为空列表 → 视为禁止所有机器（用于"临时冻结"某 key）
/// - 取不到 machine-id（平台不支持 / 文件缺失）→ 视为 Mismatch（宁紧勿松）
pub fn check(key_id: &str, allowed: Option<&[String]>) -> Result<(), MachineError> {
    let Some(list) = allowed else {
        return Ok(());
    };
    let fp = fingerprint_for(key_id)?;
    if list.iter().any(|x| x == &fp) {
        Ok(())
    } else {
        Err(MachineError::Mismatch)
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn fingerprint_deterministic() {
        let a = fingerprint_from_raw("k1", "uuid-abc");
        let b = fingerprint_from_raw("k1", "uuid-abc");
        assert_eq!(a, b);
    }

    #[test]
    fn fingerprint_differs_by_key_id() {
        let a = fingerprint_from_raw("k1", "uuid-abc");
        let b = fingerprint_from_raw("k2", "uuid-abc");
        assert_ne!(a, b);
    }

    #[test]
    fn fingerprint_differs_by_machine() {
        let a = fingerprint_from_raw("k1", "uuid-abc");
        let b = fingerprint_from_raw("k1", "uuid-xyz");
        assert_ne!(a, b);
    }

    #[test]
    fn fingerprint_hex_length() {
        let fp = fingerprint_from_raw("k", "r");
        assert_eq!(fp.len(), 64);
        assert!(fp.chars().all(|c| c.is_ascii_hexdigit()));
    }

    #[test]
    fn check_none_passes() {
        assert!(check("any", None).is_ok());
    }

    #[test]
    fn check_empty_list_fails_on_supported_platforms() {
        // 在 macOS/Linux 下应该能拿到 machine-id 并校验失败；其他平台会返回 Unsupported
        match check("any", Some(&[])) {
            Err(MachineError::Mismatch) => {}
            Err(MachineError::Unsupported) => {}
            Err(MachineError::Io(_)) | Err(MachineError::Malformed) => {}
            Ok(()) => panic!("empty allowlist should not pass"),
        }
    }

    #[cfg(any(target_os = "linux", target_os = "macos"))]
    #[test]
    fn raw_machine_id_available() {
        // 这台跑 CI / dev 的机器应该都能拿到 id
        let id = raw_machine_id().expect("machine id");
        assert!(!id.is_empty());
    }
}