From eb3a8ab324bc01b3b0a647d056b2968644810e8e Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Wed, 26 Jun 2024 12:20:35 +0200 Subject: [PATCH] feat: install Qusal TCP Proxy on updatevm's origin Document qusal.ConnectTCP in dev's Access Control as it defaults to deny and causes confusion to users why it doesn't work by default. This is an exception of the rule that a formula cannot document the RPC service of another formula to avoid duplication. --- salt/dev/README.md | 31 +++++++++++++++++++ salt/dev/create.sls | 1 + salt/dev/init.top | 3 ++ salt/sys-net/create.sls | 1 + .../admin/bin/qusal-report-updatevm-origin | 21 +++++++++++++ salt/sys-net/show-updatevm-origin.sls | 14 +++++++++ salt/sys-net/show-updatevm-origin.top | 10 ++++++ 7 files changed, 81 insertions(+) create mode 100755 salt/sys-net/files/admin/bin/qusal-report-updatevm-origin create mode 100644 salt/sys-net/show-updatevm-origin.sls create mode 100644 salt/sys-net/show-updatevm-origin.top diff --git a/salt/dev/README.md b/salt/dev/README.md index 9e3c2a1f..f554de69 100644 --- a/salt/dev/README.md +++ b/salt/dev/README.md @@ -6,6 +6,7 @@ Development environment in Qubes OS. * [Description](#description) * [Installation](#installation) +* [Access Control](#access-control) * [Usage](#usage) ## Description @@ -22,6 +23,10 @@ allows. sudo qubesctl top.enable dev sudo qubesctl --targets=tpl-dev,dvm-dev,dev state.apply sudo qubesctl top.disable dev +proxy_target="$(qusal-report-updatevm-origin)" +if test -n "${proxy_target}"; then + sudo qubesctl --skip-dom0 --targets="${proxy_target}" state.apply sys-net.install-proxy +fi ``` - State 
@@ -31,9 +36,35 @@ sudo qubesctl state.apply dev.create sudo qubesctl --skip-dom0 --targets=tpl-dev state.apply dev.install sudo qubesctl --skip-dom0 --targets=dvm-dev state.apply dev.configure-dvm sudo qubesctl --skip-dom0 --targets=dev state.apply dev.configure +proxy_target="$(qusal-report-updatevm-origin)" +if test -n "${proxy_target}"; then + sudo qubesctl --skip-dom0 --targets="${proxy_target}" state.apply sys-net.install-proxy +fi ``` +The installation will make the Qusal TCP Proxy available in the `updatevm` +(after it is restarted in case it is template based). If you want to have the +proxy available on a `netvm` that is not deployed by Qusal, install the Qusal +TCP proxy on the templates of your `netvm`: +```sh +sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-net.install-proxy +``` + +Remember to restart the `netvms` after the proxy installation for the changes +to take effect. + +## Access Control + +_Default policy_: `denies` `all` qubes from calling `qusal.ConnectTCP` + +Allow qube `dev` to `connect` to `github.com:22` via `disp-sys-net` but not to +any other host or via any other qube: +```qrexecpolicy +qusal.ConnectTCP +github.com+22 dev @default allow target=disp-sys-net +qusal.ConnectTCP * dev @anyvm deny +``` + ## Usage The development qube `dev` can be used for: diff --git a/salt/dev/create.sls b/salt/dev/create.sls index d87a5e28..8dafc7cc 100644 --- a/salt/dev/create.sls +++ b/salt/dev/create.sls @@ -8,6 +8,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later include: - .clone + - sys-net.show-updatevm-origin {% load_yaml as defaults -%} name: tpl-{{ slsdotpath }} diff --git a/salt/dev/init.top b/salt/dev/init.top index 79c4e7ee..5e86a83b 100644 --- a/salt/dev/init.top +++ b/salt/dev/init.top @@ -14,3 +14,6 @@ base: - dev.configure-dvm 'dev': - dev.configure + '(I@qubes:type:template or I@qubes:type:standalone) and (G@kernel:Linux or G@kernel:*BSD)': + - match: compound + - sys-net.install-proxy 
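Review bot: The compound target added to dev/init.top applies `sys-net.install-proxy` to every TemplateVM and StandaloneVM a top run reaches, not only the updatevm origin named in the commit title; with the top enabled, a broad run such as `qubesctl --all state.apply` would presumably land the RPC service in every template, whereas the documented `--targets=tpl-dev,dvm-dev,dev` run reaches only `tpl-dev` because the other two are not templates. That widening may well be deliberate, since the README in this same patch states the `qusal.ConnectTCP` policy denies all callers by default, but nothing in the hunk records it, and the extra `state.apply` on `proxy_target` in the README suggests a narrower intent. A comment on the new target would settle it: `# Installs the TCP proxy into every template/standalone the run targets; the updatevm origin is covered by the README's extra state.apply. Harmless by default: qusal.ConnectTCP policy denies all callers.` The `base:` mapping these entries belong to starts outside the hunk.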
diff --git a/salt/sys-net/create.sls b/salt/sys-net/create.sls index 25a2b0c4..70b55a9b 100644 --- a/salt/sys-net/create.sls +++ b/salt/sys-net/create.sls @@ -10,6 +10,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later include: - .clone + - .show-updatevm-origin {% load_yaml as defaults -%} name: tpl-{{ slsdotpath }} diff --git a/salt/sys-net/files/admin/bin/qusal-report-updatevm-origin b/salt/sys-net/files/admin/bin/qusal-report-updatevm-origin new file mode 100755 index 00000000..0fc0e1f2 --- /dev/null +++ b/salt/sys-net/files/admin/bin/qusal-report-updatevm-origin @@ -0,0 +1,21 @@ +#!/bin/sh + +## SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. +## +## SPDX-License-Identifier: AGPL-3.0-or-later + +set -eu + +updatevm="$(qubes-prefs updatevm)" +updatevm_class="$(qvm-prefs "${updatevm}" klass)" +proxy_target="" +case "${updatevm_class}" in + StandaloneVM) proxy_target="${updatevm}";; + AppVM) proxy_target="$(qvm-prefs "${updatevm}" template)";; + DispVM) + proxy_target="$(qvm-prefs "$(qvm-prefs "${updatevm}" template)" template)" + ;; +esac +if test -n "${proxy_target}"; then + echo "${proxy_target}" +fi diff --git a/salt/sys-net/show-updatevm-origin.sls b/salt/sys-net/show-updatevm-origin.sls new file mode 100644 index 00000000..d70776e7 --- /dev/null +++ b/salt/sys-net/show-updatevm-origin.sls @@ -0,0 +1,14 @@ +{# +SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. + +SPDX-License-Identifier: AGPL-3.0-or-later +#} + +"{{ slsdotpath }}-get-updatevm-origin": + file.managed: + - name: /usr/local/bin/qusal-report-updatevm-origin + - source: salt://{{ slsdotpath }}/files/admin/bin/qusal-report-updatevm-origin + - mode: "0755" + - user: root + - group: root + - makedirs: True diff --git a/salt/sys-net/show-updatevm-origin.top b/salt/sys-net/show-updatevm-origin.top new file mode 100644 index 00000000..c8ac494e --- /dev/null +++ b/salt/sys-net/show-updatevm-origin.top 
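Review bot: The `case` in qusal-report-updatevm-origin has no `TemplateVM` arm and no default, so a template-class updatevm (or any class not listed) silently prints nothing, and the `DispVM` arm assumes the disposable's template is an AppVM with a `template` property — if that template is a StandaloneVM (Qubes appears to allow `template_for_dispvms` on standalones; to be confirmed), `qvm-prefs ... template` would fail and `set -e` would abort with an error instead of an empty result. Walking the `template` property until a TemplateVM or StandaloneVM is reached covers all four classes with one rule and removes the two-hop special case. An empty `updatevm` (what `qubes-prefs` prints when it is unset should be checked) would likewise make the first `qvm-prefs` call fail, so it is worth guarding before the lookup. `echo` is fine for qube names, but `printf '%s\n'` avoids its option-parsing edge cases at no cost.
```sh
## … unchanged: shebang, SPDX header, set -eu …
updatevm="$(qubes-prefs updatevm)"
## An unset updatevm would make the qvm-prefs calls below fail under 'set -e'.
## NOTE(review): confirm what qubes-prefs prints in that case ("" or "None").
if test -z "${updatevm}" || test "${updatevm}" = "None"; then
  exit 0
fi

## Follow the 'template' property until reaching a qube that owns its root
## volume (TemplateVM or StandaloneVM); that is where the proxy gets installed.
resolve_origin() {
  case "$(qvm-prefs "$1" klass)" in
    TemplateVM|StandaloneVM) printf '%s\n' "$1";;
    AppVM|DispVM) resolve_origin "$(qvm-prefs "$1" template)";;
  esac
}

proxy_target="$(resolve_origin "${updatevm}")"
## … unchanged: final test -n / echo of proxy_target …
```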
@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S.
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+ 'dom0':
+ - match: nodegroup
+ - sys-net.show-updatevm-origin