feat(devrun): add initial implementation of devrun tool

See ./devrun/README.md for more details.
2026-05-14 04:20:04 +02:00 · 2026-05-01 22:04:00 +00:00
parent 4a78989d9d
commit b1b991b84e
10 changed files with 1910 additions and 0 deletions
@@ -0,0 +1,240 @@
+package internal
+
+import (
+	"bytes"
+	"encoding/gob"
+	"fmt"
+	"maps"
+	"net/netip"
+	"slices"
+	"strings"
+
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+const credentialsFilename = "credentials"
+
+const (
+	vpnTypeOpenVPN   = "openvpn"
+	vpnTypeWireGuard = "wireguard"
+)
+
+type providerCredentials struct {
+	OpenVPN   *openvpnCredentials
+	WireGuard *wireguardCredentials
+}
+
+type openvpnCredentials struct {
+	Username string
+	Password string
+}
+
+type wireguardCredentials struct {
+	PrivateKey   string
+	Address      string
+	PresharedKey string
+}
+
+func loadCredentials(data []byte) (map[string]providerCredentials, error) {
+	credentials := make(map[string]providerCredentials)
+	err := gob.NewDecoder(bytes.NewReader(data)).Decode(&credentials)
+	if err != nil {
+		return nil, fmt.Errorf("decoding credentials: %w", err)
+	}
+	return credentials, nil
+}
+
+func marshalCredentials(credentials map[string]providerCredentials) ([]byte, error) {
+	buffer := bytes.NewBuffer(nil)
+	err := gob.NewEncoder(buffer).Encode(credentials)
+	if err != nil {
+		return nil, fmt.Errorf("encoding credentials: %w", err)
+	}
+	return buffer.Bytes(), nil
+}
+
+func validateCredentials(providerNameToCredentials map[string]providerCredentials) error {
+	for provider, credentials := range providerNameToCredentials {
+		if credentials.OpenVPN == nil && credentials.WireGuard == nil {
+			return fmt.Errorf("provider %q has no openvpn or wireguard credentials", provider)
+		}
+		if credentials.OpenVPN != nil {
+			err := validateOpenvpnCredentials(provider, credentials.OpenVPN)
+			if err != nil {
+				return err
+			}
+		}
+		if credentials.WireGuard != nil {
+			err := validateWireguardCredentials(provider, credentials.WireGuard)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func validateOpenvpnCredentials(provider string, creds *openvpnCredentials) error {
+	switch {
+	case creds.Username == "":
+		return fmt.Errorf("provider %q openvpn credentials are missing the username", provider)
+	case creds.Password == "":
+		return fmt.Errorf("provider %q openvpn credentials are missing the password", provider)
+	}
+	return nil
+}
+
+func validateWireguardCredentials(provider string, creds *wireguardCredentials) error {
+	if creds.PrivateKey == "" {
+		return fmt.Errorf("provider %q wireguard credentials are missing the private key", provider)
+	} else if _, err := wgtypes.ParseKey(creds.PrivateKey); err != nil {
+		return fmt.Errorf("provider %q wireguard credentials have an invalid private key: %w", provider, err)
+	}
+
+	if creds.Address != "" {
+		_, err := netip.ParsePrefix(creds.Address)
+		if err != nil {
+			return fmt.Errorf("provider %q wireguard credentials have an invalid address %q: %w", provider, creds.Address, err)
+		}
+	}
+
+	if creds.PresharedKey != "" {
+		if _, err := wgtypes.ParseKey(creds.PresharedKey); err != nil {
+			return fmt.Errorf("provider %q wireguard credentials have an invalid preshared key: %w", provider, err)
+		}
+	}
+	return nil
+}
+
+func lookupCredentials(credentials map[string]providerCredentials, provider, vpnType string) ([]string, error) {
+	providerCreds, exists := credentials[provider]
+	if !exists {
+		existing := slices.Collect(maps.Keys(credentials))
+		return nil, fmt.Errorf("no credentials found for provider %q, available providers are: %s",
+			provider, strings.Join(existing, ", "))
+	}
+
+	switch vpnType {
+	case vpnTypeWireGuard:
+		if providerCreds.WireGuard == nil {
+			return nil, fmt.Errorf("no wireguard credentials found for provider %q", provider)
+		}
+		return buildWireGuardEnv(providerCreds.WireGuard), nil
+	case vpnTypeOpenVPN:
+		if providerCreds.OpenVPN == nil {
+			return nil, fmt.Errorf("no openvpn credentials found for provider %q", provider)
+		}
+		return buildOpenvpnEnv(providerCreds.OpenVPN), nil
+	default:
+		return nil, fmt.Errorf("unknown vpn type %q, must be wireguard or openvpn", vpnType)
+	}
+}
+
+func buildWireGuardEnv(creds *wireguardCredentials) []string {
+	envVars := []string{
+		"WIREGUARD_PRIVATE_KEY=" + creds.PrivateKey,
+	}
+	if creds.Address != "" {
+		envVars = append(envVars, "WIREGUARD_ADDRESSES="+creds.Address)
+	}
+	if creds.PresharedKey != "" {
+		envVars = append(envVars, "WIREGUARD_PRESHARED_KEY="+creds.PresharedKey)
+	}
+	return envVars
+}
+
+func buildOpenvpnEnv(creds *openvpnCredentials) []string {
+	return []string{
+		"OPENVPN_USER=" + creds.Username,
+		"OPENVPN_PASSWORD=" + creds.Password,
+	}
+}
+
+func addCredential(credentials map[string]providerCredentials, provider, vpnType string,
+	openvpnCredentials *openvpnCredentials, wireguardCredentials *wireguardCredentials,
+) error {
+	providerCredentials := credentials[provider]
+
+	switch vpnType {
+	case vpnTypeOpenVPN:
+		providerCredentials.OpenVPN = openvpnCredentials
+	case vpnTypeWireGuard:
+		providerCredentials.WireGuard = wireguardCredentials
+	default:
+		return fmt.Errorf("unknown vpn type %q, must be wireguard or openvpn", vpnType)
+	}
+
+	credentials[provider] = providerCredentials
+	return nil
+}
+
+func deleteCredential(credentials map[string]providerCredentials, provider, vpnType string) error {
+	providerCredentials, exists := credentials[provider]
+	if !exists {
+		return fmt.Errorf("provider %q does not exist", provider)
+	}
+
+	switch vpnType {
+	case vpnTypeOpenVPN:
+		if providerCredentials.OpenVPN == nil {
+			return fmt.Errorf("provider %q has no openvpn credentials", provider)
+		}
+		providerCredentials.OpenVPN = nil
+	case vpnTypeWireGuard:
+		if providerCredentials.WireGuard == nil {
+			return fmt.Errorf("provider %q has no wireguard credentials", provider)
+		}
+		providerCredentials.WireGuard = nil
+	default:
+		return fmt.Errorf("unknown vpn type %q, must be wireguard or openvpn", vpnType)
+	}
+
+	if providerCredentials.OpenVPN == nil && providerCredentials.WireGuard == nil {
+		delete(credentials, provider)
+		return nil
+	}
+
+	credentials[provider] = providerCredentials
+	return nil
+}
+
+func formatCredentialForDump(provider, vpnType string,
+	providerCredentials providerCredentials,
+) (output string, err error) {
+	var builder strings.Builder
+
+	builder.WriteString("provider: ")
+	builder.WriteString(provider)
+	builder.WriteString("\n")
+	builder.WriteString("vpn_type: ")
+	builder.WriteString(vpnType)
+	builder.WriteString("\n")
+
+	switch vpnType {
+	case vpnTypeOpenVPN:
+		if providerCredentials.OpenVPN == nil {
+			return "", fmt.Errorf("no openvpn credentials found for provider %q", provider)
+		}
+		builder.WriteString("username: ")
+		builder.WriteString(providerCredentials.OpenVPN.Username)
+		builder.WriteString("\n")
+		builder.WriteString("password: ")
+		builder.WriteString(providerCredentials.OpenVPN.Password)
+	case vpnTypeWireGuard:
+		if providerCredentials.WireGuard == nil {
+			return "", fmt.Errorf("no wireguard credentials found for provider %q", provider)
+		}
+		builder.WriteString("private_key: ")
+		builder.WriteString(providerCredentials.WireGuard.PrivateKey)
+		builder.WriteString("\n")
+		builder.WriteString("address: ")
+		builder.WriteString(providerCredentials.WireGuard.Address)
+		builder.WriteString("\n")
+		builder.WriteString("preshared_key: ")
+		builder.WriteString(providerCredentials.WireGuard.PresharedKey)
+	default:
+		return "", fmt.Errorf("unknown vpn type %q, must be wireguard or openvpn", vpnType)
+	}
+
+	return builder.String(), nil
+}