[dotfiles.git] / etc / zsh / .zprofile

# NOTE:
# our .zprofile can be expensive, so we keep track of what has been run
# already, and only set up what is necessary. this also allows us to re-source
# the file to reinitialize specific parts when desired.
#
# in order to ensure future interactive environments are set up as early as
# possible, we source this file from .zshenv for non-login shells, under some
# specific conditions outlined there.
#
# this file respects non-interactive sessions and will not intentionally emit
# output.

### fix path after system profile scripts have possibly mangled it
if [[ ! -v _sev_setup_path || -o login ]] {
    _sev_setpath
    export _sev_setup_path=
}

### dbus
if [[ ! -v DBUS_SESSION_BUS_ADDRESS && -v commands[dbus-launch] ]] {
    eval $(dbus-launch)
    export DBUS_SESSION_BUS_ADDRESS DBUS_SESSION_BUS_PID
}

### gpg agent + forwarding
# NOTE: while ssh manages its auth sock in-protocol when ForwardSsh is enabled,
#       GPG must be forwarded manually over Unix socket. to support this, we
#       forward the restricted gpg-agent extra socket to the remote host with a
#       RemoteForward rule in ~/.ssh/config that uses the _GNUPG_SOCK_* vars.
#
#       to avoid conflicts with other ssh sessions where the same user is
#       connecting to the same host from different machines, gpg should utilize
#       its own forwarded socket for each session. previously, you could
#       provide a path to the agent socket in GPG_AGENT_INFO, but that was
#       deprecated in GPG v2.1; instead, we must replace the socket in gpg's
#       socket dir.
#
#       gnupg commits fb88f37–aab8a0b moved sockets from GNUPGHOME by default
#       to directories under /run. aab8a0b in particular solidifies the
#       functionality shift to utilize systemd-logind's user runtime
#       directories. if the dir isn't found, gpg will fall back to the homedir.
#       since previous functionality allowed multiple homedirs with multiple
#       sockets, a provision was added where changing GNUPGHOME will also
#       change the socket dir to a hashed dir under the usual runtime dir.
#
#       utilizing this information, we can conclude:
#         - on systems with user runtime dirs, changing GNUPGHOME will also
#           give us a unique socket dir under the user runtime dir;
#         - on other systems, the socket dir follows GNUPGHOME.
#       therefore, the safest way to ensure unique sockets while not having to
#       write specific logic for both scenarios is to simply change GNUPGHOME.
#       the easiest way to do this is to create a new dir and link the contents
#       of GNUPGHOME to the new home. we can then replace all of the agent
#       sockets wherever they now are with the forwarded one. in either case we
#       will be overwriting the session-specific sockets.
#
# NOTE: since Unix sockets are not supported under Windows, this will not work
#       under msys, cygwin, mingw, etc., but may work under wsl2.
#
# HACK: without SendEnv, which is disabled by default in most sshd configs,
#       there is no foolproof way to prevent race conditions via socket
#       filename collisions or to pass the desired forward path to the remote
#       host environment. we just have to guess the path we choose is good on
#       the desination, and assume the newest matching socket is the correct
#       one after connecting. in theory, we could occlude the ssh binary on
#       PATH with an alias or script that would allow us to communicate with
#       the remote host before opening a shell, so that we can have the host
#       communicate back to the client where it wants a socket created or ask
#       the host if the path the client wants to use is writable. however, this
#       would open up too many edge cases where it wouldn't work or be too
#       clunky (e.g. asking for password twice) to make it worth it.
function _gpg_socketpath {
    # dirs are percent-encoded: https://stackoverflow.com/a/64312099
    echo -E - ${1//(#b)%([[:xdigit:]](#c2))/${(#):-0x$match[1]}}
}
if [[ ! -v _sev_setup_gpg_forward && -v commands[gpg] ]] {
    # XXX: assuming /tmp exists and is writable on destination
    export _GNUPG_SOCK_DEST_BASE=/tmp/.gpg-agent-forward
    export _GNUPG_SOCK_DEST_EXT=$(date +%s).$RANDOM
    export _GNUPG_SOCK_DEST=$_GNUPG_SOCK_DEST_BASE.$_GNUPG_SOCK_DEST_EXT
    export _sev_gpg_forward_dir=$XDG_RUNTIME_DIR/gnupg/.ssh_forward
    _sev_zcleanup gpg-forward

    # find our forwarded socket
    s=($_GNUPG_SOCK_DEST_BASE*(N=oc[1]))
    if [[ -n $s && -v SSH_CLIENT ]] {
        # create new forward dir
        export _sev_setup_gpg_forward=
        h=$_sev_gpg_forward_dir/$$
        mkdir -pm700 $h
        for x (gpg{,-agent}.conf sshcontrol random_seed
               pubring.kbx{,~} trustdb.gpg private-keys-v1.d crls.d) {
            ln -s ${GNUPGHOME:-~/.gnupg}/$x $h
        }
        export GNUPGHOME=$h
        unset h
        for x in $(gpgconf --list-dirs | grep 'agent-.*-\?socket:'); do
            x=$(_gpg_socketpath ${x/#agent-*socket:})
            if [[ ! -v primary ]] {
                # move forwarded socket to first valid agent socket path
                # XXX: if tmp is on different filesystem this may not work
                mv $s $x
                primary=$x
            } else {
                # make links to forwarded socket for any others
                ln -s $primary $x
            }
        done
        unset x primary
    }
    unset s

    # what we will forward if we start a new ssh connection
    # NOTE: do this after setting up GNUPGHOME to pick up new socket path;
    #       if already connected over SSH, extra should be the remote one
    export _GNUPG_SOCK_SRC=$(_gpg_socketpath \
      $(gpgconf --list-dirs agent-extra-socket))
} elif [[ ! -v _sev_setup_gpg_forward ]] {
    # required for RemoteForward to not error out if the vars are unset
    [[ ! -v _GNUPG_SOCK_SRC ]] && export _GNUPG_SOCK_SRC=/nonexistent
    [[ ! -v _GNUPG_SOCK_DEST ]] && export _GNUPG_SOCK_DEST=/nonexistent
}

### gpg agent
if [[ -v commands[gpg-connect-agent] &&
        ( ! -v _sev_setup_gpgagent || -v _sev_refresh_gpgagent ) ]] {
    # avoid printing if we have already set up tty before
    [[ ! -v _sev_setup_gpgagent && -o interactive ]] && p=true || p=false
    if {$p} {
        print -nP '%F{blue}>>>%f GPG: '
        if [[ -v _sev_setup_gpg_forward ]] {
            print -nP '%F{yellow}Forwarded agent '
        } else {
            print -nP '%F{green}Agent '
        }
    }
    gpg-connect-agent /bye >/dev/null 2>&1
    if [[ $? -ne 0 ]] {
        $p && print -P '%F{red}communication error'
    } else {
        if [[ ! -v _sev_setup_gpg_forward ]] {
            if [[ ${+GPG_TTY} -eq 0 && -o interactive ]]
                export GPG_TTY=$(tty)
            if [[ ( -v DISPLAY || -v WAYLAND_DISPLAY ) &&
                  ${PINENTRY_USER_DATA/USE_TTY=0} == $PINENTRY_USER_DATA ]]
                export PINENTRY_USER_DATA=USE_TTY=0
            # XXX: we are assuming this is our pinentry from .local/bin
            sed -Ei 's\1f^([[:space:]]*pinentry-program[[:space:]]).*$\1f\1'$HOME'/.local/bin/pinentry\1f' \
              ${GNUPGHOME:-~/.gnupg}/gpg-agent.conf 2>/dev/null
            # XXX: could check for changes before doing this to save perf
            gpg-connect-agent RELOADAGENT UPDATESTARTUPTTY /bye >/dev/null 2>&1
            if {$p} {
                gpg-connect-agent /subst /serverpid \
                  "/echo pid \${get serverpid} on ${WAYLAND_DISPLAY:-${DISPLAY:-$GPG_TTY}}" /bye 2>/dev/null
                print -nP '%f'
            }
        } elif {$p} {
            print -P '%f'
        }
        export _sev_setup_gpgagent=
    }
    unset p _sev_refresh_gpgagent
}

### ssh agent
if [[ ! -v _sev_setup_ssh ]] {
    # NOTE: preferred order of agents to check: okcagent, gnupg, openssh
    #       first block takes care of okcagent and openssh, second gnupg
    # XXX: doesn't actually check if ssh is enabled in gpg
    [[ -o interactive ]] && print -nP '%F{blue}>>>%f SSH: %F{green}'
    if [[ ! -v SSH_AUTH_SOCK && ( -v commands[okc-ssh-agent] ||
          ( -v commands[ssh-agent] && ! -v commands[gpg] ) ) ]] {
        okc=${commands[okc-ssh-agent]:+okc-}
        e=$_sev_tmp/${okc}ssh-agent-exports
        typeset sock=
        typeset -i pid=
        if [[ -f $e ]] {
            IFS=$'\0' read -r sock pid <$e
        }
        if [[ -S $sock && $pid > 0 ]] && kill -0 $pid >/dev/null 2>&1; then
            [[ -o interactive ]] && print -P "Reusing agent PID $pid%f"
            export SSH_AUTH_SOCK=$sock
            export SSH_AGENT_PID=$pid
        else
            # TODO: ensure ssh-agent path looks legit to avoid unsafe eval?
            # XXX: doesn't appear to be any other way to handle redirection.
            #      because eval needs to write to current scope environment
            #      subshells can't be used to capture output and print.
            c='TMPDIR=$_sev_tmp ${okc}ssh-agent'
            if [[ -o interactive ]] {
                [[ -n $okc ]] && echo -n 'OKC-'
                eval $(eval $=c)
                print -nP '%f'
            } else {
                eval $(eval $=c) >/dev/null 2>&1
            }
            echo -En - $SSH_AUTH_SOCK$'\0'$SSH_AGENT_PID >!$e
            unset c
        fi
        unset okc e sock pid
    } elif [[ ! -v SSH_AUTH_SOCK && -v commands[gpg] ]] {
        # since gpg should have been started above, just export and notify
        if [[ -o interactive ]] {
            if [[ -v _sev_setup_gpg_forward ]] {
                echo 'Forwarded GPG agent'
            } else {
                gpg-connect-agent /subst /serverpid \
                  '/echo GPG agent pid ${get serverpid}' /bye
            }
            print -nP '%f'
        }
        export SSH_AUTH_SOCK=$(_gpg_socketpath \
          $(gpgconf --list-dirs agent-ssh-socket))
    } elif [[ -v SSH_AUTH_SOCK ]] {
        [[ -o interactive ]] && print -P 'Preconfigured agent%f'
    } else {
        [[ -o interactive ]] && print -P '%F{red}No agent available%f'
    }

    export _sev_setup_ssh=
}
unfunction _gpg_socketpath

### load site-specific
load-site-dotfile zprofile
Commit	Line	Data
79d4a356	1	# NOTE:
8d4a98e1	2	# our .zprofile can be expensive, so we keep track of what has been run
b31a3fb1	3	# already, and only set up what is necessary. this also allows us to re-source
b31a3fb1	4	# the file to reinitialize specific parts when desired.
79d4a356	5	#
b31a3fb1	6	# in order to ensure future interactive environments are set up as early as
	7	# possible, we source this file from .zshenv for non-login shells, under some
	8	# specific conditions outlined there.
	9	#
	10	# this file respects non-interactive sessions and will not intentionally emit
	11	# output.
79d4a356	12
8a92a2c0	13	### fix path after system profile scripts have possibly mangled it
	14	if [[ ! -v _sev_setup_path \|\| -o login ]] {
	15	_sev_setpath
	16	export _sev_setup_path=
d569f3f7	17	}
79d4a356	18
6d54344e	19	### dbus
	20	if [[ ! -v DBUS_SESSION_BUS_ADDRESS && -v commands[dbus-launch] ]] {
	21	eval $(dbus-launch)
	22	export DBUS_SESSION_BUS_ADDRESS DBUS_SESSION_BUS_PID
	23	}
	24
6d54344e	25	### gpg agent + forwarding
b31a3fb1	26	# NOTE: while ssh manages its auth sock in-protocol when ForwardSsh is enabled,
	27	# GPG must be forwarded manually over Unix socket. to support this, we
	28	# forward the restricted gpg-agent extra socket to the remote host with a
	29	# RemoteForward rule in ~/.ssh/config that uses the _GNUPG_SOCK_* vars.
	30	#
	31	# to avoid conflicts with other ssh sessions where the same user is
	32	# connecting to the same host from different machines, gpg should utilize
	33	# its own forwarded socket for each session. previously, you could
	34	# provide a path to the agent socket in GPG_AGENT_INFO, but that was
	35	# deprecated in GPG v2.1; instead, we must replace the socket in gpg's
	36	# socket dir.
	37	#
	38	# gnupg commits fb88f37–aab8a0b moved sockets from GNUPGHOME by default
	39	# to directories under /run. aab8a0b in particular solidifies the
	40	# functionality shift to utilize systemd-logind's user runtime
	41	# directories. if the dir isn't found, gpg will fall back to the homedir.
	42	# since previous functionality allowed multiple homedirs with multiple
	43	# sockets, a provision was added where changing GNUPGHOME will also
	44	# change the socket dir to a hashed dir under the usual runtime dir.
	45	#
	46	# utilizing this information, we can conclude:
	47	# - on systems with user runtime dirs, changing GNUPGHOME will also
	48	# give us a unique socket dir under the user runtime dir;
	49	# - on other systems, the socket dir follows GNUPGHOME.
	50	# therefore, the safest way to ensure unique sockets while not having to
	51	# write specific logic for both scenarios is to simply change GNUPGHOME.
	52	# the easiest way to do this is to create a new dir and link the contents
6d4ce4aa	53	# of GNUPGHOME to the new home. we can then replace all of the agent
	54	# sockets wherever they now are with the forwarded one. in either case we
	55	# will be overwriting the session-specific sockets.
b31a3fb1	56	#
79d4a356	57	# NOTE: since Unix sockets are not supported under Windows, this will not work
833b2af3	58	# under msys, cygwin, mingw, etc., but may work under wsl2.
b31a3fb1	59	#
79d4a356	60	# HACK: without SendEnv, which is disabled by default in most sshd configs,
b31a3fb1	61	# there is no foolproof way to prevent race conditions via socket
	62	# filename collisions or to pass the desired forward path to the remote
	63	# host environment. we just have to guess the path we choose is good on
	64	# the desination, and assume the newest matching socket is the correct
	65	# one after connecting. in theory, we could occlude the ssh binary on
	66	# PATH with an alias or script that would allow us to communicate with
	67	# the remote host before opening a shell, so that we can have the host
79d4a356	68	# communicate back to the client where it wants a socket created or ask
79d4a356	69	# the host if the path the client wants to use is writable. however, this
8d4a98e1	70	# would open up too many edge cases where it wouldn't work or be too
8d4a98e1	71	# clunky (e.g. asking for password twice) to make it worth it.
6d54344e	72	function _gpg_socketpath {
6d54344e	73	# dirs are percent-encoded: https://stackoverflow.com/a/64312099
294ed44e	74	echo -E - ${1//(#b)%([[:xdigit:]](#c2))/${(#):-0x$match[1]}}
6d54344e	75	}
6d54344e	76	if [[ ! -v _sev_setup_gpg_forward && -v commands[gpg] ]] {
b31a3fb1	77	# XXX: assuming /tmp exists and is writable on destination
6d54344e	78	export _GNUPG_SOCK_DEST_BASE=/tmp/.gpg-agent-forward
	79	export _GNUPG_SOCK_DEST_EXT=$(date +%s).$RANDOM
	80	export _GNUPG_SOCK_DEST=$_GNUPG_SOCK_DEST_BASE.$_GNUPG_SOCK_DEST_EXT
b31a3fb1	81	export _sev_gpg_forward_dir=$XDG_RUNTIME_DIR/gnupg/.ssh_forward
6d54344e	82	_sev_zcleanup gpg-forward
79d4a356	83
6d54344e	84	# find our forwarded socket
	85	s=($_GNUPG_SOCK_DEST_BASE*(N=oc[1]))
	86	if [[ -n $s && -v SSH_CLIENT ]] {
	87	# create new forward dir
	88	export _sev_setup_gpg_forward=
	89	h=$_sev_gpg_forward_dir/$$
	90	mkdir -pm700 $h
b31a3fb1	91	for x (gpg{,-agent}.conf sshcontrol random_seed
d9cf4c48	92	pubring.kbx{,~} trustdb.gpg private-keys-v1.d crls.d) {
6d54344e	93	ln -s ${GNUPGHOME:-~/.gnupg}/$x $h
79d4a356	94	}
6d54344e	95	export GNUPGHOME=$h
	96	unset h
	97	for x in $(gpgconf --list-dirs \| grep 'agent-.*-\?socket:'); do
	98	x=$(_gpg_socketpath ${x/#agent-*socket:})
b31a3fb1	99	if [[ ! -v primary ]] {
6d54344e	100	# move forwarded socket to first valid agent socket path
	101	# XXX: if tmp is on different filesystem this may not work
	102	mv $s $x
b31a3fb1	103	primary=$x
6d54344e	104	} else {
6d54344e	105	# make links to forwarded socket for any others
b31a3fb1	106	ln -s $primary $x
6d54344e	107	}
6d54344e	108	done
b31a3fb1	109	unset x primary
6d54344e	110	}
6d54344e	111	unset s
79d4a356	112
6d54344e	113	# what we will forward if we start a new ssh connection
	114	# NOTE: do this after setting up GNUPGHOME to pick up new socket path;
	115	# if already connected over SSH, extra should be the remote one
	116	export _GNUPG_SOCK_SRC=$(_gpg_socketpath \
	117	$(gpgconf --list-dirs agent-extra-socket))
	118	} elif [[ ! -v _sev_setup_gpg_forward ]] {
	119	# required for RemoteForward to not error out if the vars are unset
	120	[[ ! -v _GNUPG_SOCK_SRC ]] && export _GNUPG_SOCK_SRC=/nonexistent
	121	[[ ! -v _GNUPG_SOCK_DEST ]] && export _GNUPG_SOCK_DEST=/nonexistent
	122	}
79d4a356	123
6d54344e	124	### gpg agent
8d4a98e1	125	if [[ -v commands[gpg-connect-agent] &&
8d4a98e1	126	( ! -v _sev_setup_gpgagent \|\| -v _sev_refresh_gpgagent ) ]] {
6d54344e	127	# avoid printing if we have already set up tty before
	128	[[ ! -v _sev_setup_gpgagent && -o interactive ]] && p=true \|\| p=false
	129	if {$p} {
	130	print -nP '%F{blue}>>>%f GPG: '
	131	if [[ -v _sev_setup_gpg_forward ]] {
d42865fe	132	print -nP '%F{yellow}Forwarded agent '
	133	} else {
	134	print -nP '%F{green}Agent '
	135	}
79d4a356	136	}
6d54344e	137	gpg-connect-agent /bye >/dev/null 2>&1
6d54344e	138	if [[ $? -ne 0 ]] {
d42865fe	139	$p && print -P '%F{red}communication error'
6d54344e	140	} else {
d42865fe	141	if [[ ! -v _sev_setup_gpg_forward ]] {
	142	if [[ ${+GPG_TTY} -eq 0 && -o interactive ]]
	143	export GPG_TTY=$(tty)
	144	if [[ ( -v DISPLAY \|\| -v WAYLAND_DISPLAY ) &&
	145	${PINENTRY_USER_DATA/USE_TTY=0} == $PINENTRY_USER_DATA ]]
29b45f3c	146	export PINENTRY_USER_DATA=USE_TTY=0
54a85d6c	147	# XXX: we are assuming this is our pinentry from .local/bin
29b45f3c	148	sed -Ei 's\1f^([[:space:]]pinentry-program[[:space:]]).$\1f\1'$HOME'/.local/bin/pinentry\1f' \
54a85d6c	149	${GNUPGHOME:-~/.gnupg}/gpg-agent.conf 2>/dev/null
d42865fe	150	# XXX: could check for changes before doing this to save perf
	151	gpg-connect-agent RELOADAGENT UPDATESTARTUPTTY /bye >/dev/null 2>&1
	152	if {$p} {
	153	gpg-connect-agent /subst /serverpid \
29b45f3c	154	"/echo pid \${get serverpid} on ${WAYLAND_DISPLAY:-${DISPLAY:-$GPG_TTY}}" /bye 2>/dev/null
d42865fe	155	print -nP '%f'
	156	}
	157	} elif {$p} {
	158	print -P '%f'
	159	}
6d54344e	160	export _sev_setup_gpgagent=
79d4a356	161	}
8d4a98e1	162	unset p _sev_refresh_gpgagent
6d54344e	163	}
79d4a356	164
6d54344e	165	### ssh agent
6d54344e	166	if [[ ! -v _sev_setup_ssh ]] {
79d4a356	167	# NOTE: preferred order of agents to check: okcagent, gnupg, openssh
79d4a356	168	# first block takes care of okcagent and openssh, second gnupg
6d54344e	169	# XXX: doesn't actually check if ssh is enabled in gpg
79d4a356	170	[[ -o interactive ]] && print -nP '%F{blue}>>>%f SSH: %F{green}'
	171	if [[ ! -v SSH_AUTH_SOCK && ( -v commands[okc-ssh-agent] \|\|
	172	( -v commands[ssh-agent] && ! -v commands[gpg] ) ) ]] {
	173	okc=${commands[okc-ssh-agent]:+okc-}
e6e7ad69	174	e=$_sev_tmp/${okc}ssh-agent-exports
79d4a356	175	typeset sock=
79d4a356	176	typeset -i pid=
6d54344e	177	if [[ -f $e ]] {
6d54344e	178	IFS=$'\0' read -r sock pid <$e
79d4a356	179	}
4f87b9b9	180	if [[ -S $sock && $pid > 0 ]] && kill -0 $pid >/dev/null 2>&1; then
79d4a356	181	[[ -o interactive ]] && print -P "Reusing agent PID $pid%f"
	182	export SSH_AUTH_SOCK=$sock
	183	export SSH_AGENT_PID=$pid
	184	else
79d4a356	185	# TODO: ensure ssh-agent path looks legit to avoid unsafe eval?
	186	# XXX: doesn't appear to be any other way to handle redirection.
	187	# because eval needs to write to current scope environment
	188	# subshells can't be used to capture output and print.
e6e7ad69	189	c='TMPDIR=$_sev_tmp ${okc}ssh-agent'
79d4a356	190	if [[ -o interactive ]] {
db6ae8c1	191	[[ -n $okc ]] && echo -n 'OKC-'
e6e7ad69	192	eval $(eval $=c)
79d4a356	193	print -nP '%f'
79d4a356	194	} else {
e6e7ad69	195	eval $(eval $=c) >/dev/null 2>&1
79d4a356	196	}
294ed44e	197	echo -En - $SSH_AUTH_SOCK$'\0'$SSH_AGENT_PID >!$e
e6e7ad69	198	unset c
79d4a356	199	fi
e6e7ad69	200	unset okc e sock pid
79d4a356	201	} elif [[ ! -v SSH_AUTH_SOCK && -v commands[gpg] ]] {
6d54344e	202	# since gpg should have been started above, just export and notify
79d4a356	203	if [[ -o interactive ]] {
6d54344e	204	if [[ -v _sev_setup_gpg_forward ]] {
6d54344e	205	echo 'Forwarded GPG agent'
79d4a356	206	} else {
79d4a356	207	gpg-connect-agent /subst /serverpid \
6d54344e	208	'/echo GPG agent pid ${get serverpid}' /bye
79d4a356	209	}
	210	print -nP '%f'
	211	}
6d54344e	212	export SSH_AUTH_SOCK=$(_gpg_socketpath \
79d4a356	213	$(gpgconf --list-dirs agent-ssh-socket))
	214	} elif [[ -v SSH_AUTH_SOCK ]] {
	215	[[ -o interactive ]] && print -P 'Preconfigured agent%f'
	216	} else {
	217	[[ -o interactive ]] && print -P '%F{red}No agent available%f'
	218	}
	219
6d54344e	220	export _sev_setup_ssh=
79d4a356	221	}
6d54344e	222	unfunction _gpg_socketpath
79d4a356	223
833b2af3	224	### load site-specific
4ced48ed	225	load-site-dotfile zprofile