oxidecomputer · augustuswm · Apr 28, 2026 · Apr 29, 2026 · Apr 29, 2026 · Apr 30, 2026
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -4,6 +4,7 @@ members = [
   "v-api-installer",
   "v-api-param",
   "v-api-permission-derive",
+  "v-cli-sdk",
   "v-model",
   "xtask"
 ]
@@ -34,14 +35,16 @@ hex = "0.4.3"
 http = "1"
 http-body-util = "0.1.3"
 hyper = "1.9.0"
+hyper-util = "0.1"
 jsonwebtoken = { version = "10.2", features = ["aws_lc_rs"] }
 mockall = "0.14.0"
 newtype-uuid = { version = "1.3.2", features = ["schemars08", "serde", "v4"] }
 oauth2 = { version = "5.0.0", default-features = false }
 oauth2-reqwest = "0.1.0-alpha.3"
+owo-colors = "4.2.3"
 partial-struct = { git = "https://github.com/oxidecomputer/partial-struct" }
-percent-encoding = "2.3.2"
 proc-macro2 = "1"
+progenitor-client = "0.14.0"
 quote = "1"
 rand = "0.10.1"
 rand_core = "0.10.1"
@@ -58,6 +61,7 @@ sha2 = "0.11.0"
 slog = "2.8.2"
 steno = { git = "https://github.com/oxidecomputer/steno" }
 syn = "2"
+tabwriter = "1.4.1"
 tap = "1.0.1"
 tempfile = "3"
 thiserror = "2"

diff --git a/v-api-permission-derive/src/lib.rs b/v-api-permission-derive/src/lib.rs
@@ -496,6 +496,7 @@ fn from_system_permission_tokens(
                         VPermission::ManageMagicLinkClientsAll => Self::ManageMagicLinkClientsAll,
 
                         VPermission::CreateAccessToken => Self::CreateAccessToken,
+                        VPermission::RetrieveRemoteAccessToken => Self::RetrieveRemoteAccessToken,
 
                         #saga_permission_from_tokens
 
@@ -852,6 +853,7 @@ fn system_permission_tokens() -> TokenStream {
             ManageMagicLinkClientsAll,
 
             CreateAccessToken,
+            RetrieveRemoteAccessToken,
 
             #saga_permission_tokens
 

diff --git a/v-api/Cargo.toml b/v-api/Cargo.toml
@@ -29,7 +29,6 @@ oauth2 = { workspace = true }
 oauth2-reqwest = { workspace = true }
 newtype-uuid = { workspace = true }
 partial-struct = { workspace = true }
-percent-encoding = { workspace = true }
 rand = { workspace = true, features = ["std"] }
 reqwest = { workspace = true }
 rsa = { workspace = true, features = ["sha2"] }
@@ -46,7 +45,7 @@ thiserror = { workspace = true }
 tokio = { workspace = true, features = ["rt-multi-thread", "macros"] }
 tracing = { workspace = true }
 url = { workspace = true }
-uuid = { workspace = true, features = ["v4", "serde"]  }
+uuid = { workspace = true, features = ["v4", "v5", "serde"]  }
 v-api-param = { path = "../v-api-param" }
 v-api-permission-derive = { path = "../v-api-permission-derive" }
 v-model = { path = "../v-model" }

diff --git a/v-api/src/authn/jwt.rs b/v-api/src/authn/jwt.rs
@@ -117,6 +117,7 @@ where
         let mut validation = Validation::new(algorithm?);
         validation.set_audience(&[ctx.public_url()]);
         validation.set_issuer(&[ctx.public_url()]);
+        validation.validate_nbf = true;
 
         let data = decode(token, &key, &validation).map_err(JwtError::Decode)?;
 

diff --git a/v-api/src/authn/mod.rs b/v-api/src/authn/mod.rs
@@ -174,6 +174,8 @@ pub enum CloudKmsError {
     ClientError(#[from] google_cloudkms1::Error),
     #[error("Signature received failed CRC check")]
     CorruptedSignature,
+    #[error("CloudKMS did not verify the digest CRC32C sent with the request")]
+    DigestCrc32cNotVerified,
     #[error("Failed to decode signature: {0}")]
     FailedToDecodeSignature(#[from] base64::DecodeError),
     #[error("Failed to deserialize response: {0}")]
@@ -280,9 +282,26 @@ impl Signer {
                 let signature = match response {
                     Ok((_, response)) => {
                         tracing::info!("Library deserialization succeeded");
-                        response
-                            .signature
-                            .ok_or_else(|| Box::new(CloudKmsError::MissingSignature))
+
+                        // Google should always be verifying our input
+                        if response.verified_digest_crc32c != Some(true) {
+                            Err(Box::new(CloudKmsError::DigestCrc32cNotVerified))
+                        } else {
+                            let signature = response
+                                .signature
+                                .ok_or_else(|| Box::new(CloudKmsError::MissingSignature))?;
+
+                            // Verify the CRC32C of the returned signature to detect corruption
+                            // in transit
+                            if let Some(expected_crc) = response.signature_crc32c {
+                                let actual_crc = crc32c(&signature);
+                                if actual_crc as i64 != expected_crc {
+                                    return Err(Box::new(CloudKmsError::CorruptedSignature).into());
+                                }
+                            }
+
+                            Ok(signature)
+                        }
                     }
                     Err(google_cloudkms1::Error::JsonDecodeError(body, _)) => {
                         tracing::info!("Using fallback deserialization");

diff --git a/v-api/src/config.rs b/v-api/src/config.rs
@@ -8,20 +8,23 @@ use jsonwebtoken::jwk::{
     AlgorithmParameters, CommonParameters, Jwk, KeyAlgorithm, PublicKeyUse, RSAKeyParameters,
     RSAKeyType,
 };
+use newtype_uuid::TypedUuid;
+use partial_struct::partial;
 use rsa::{
     RsaPrivateKey, RsaPublicKey,
     pkcs1v15::{SigningKey, VerifyingKey},
     pkcs8::{DecodePrivateKey, DecodePublicKey},
     traits::PublicKeyParts,
 };
-use secrecy::ExposeSecret;
+use secrecy::{ExposeSecret, SecretString};
 use serde::{
     Deserialize, Deserializer,
     de::{self, Visitor},
 };
 use std::path::PathBuf;
 use thiserror::Error;
-use v_api_param::StringParam;
+use v_api_param::{ParamResolutionError, StringParam};
+use v_model::OAuthClientId;
 
 use crate::{
     authn::{
@@ -151,25 +154,108 @@ pub struct SendGridConfig {
 pub struct OAuthProviders {
     pub github: Option<OAuthConfig>,
     pub google: Option<OAuthConfig>,
+    pub zendesk: Option<OAuthConfig>,
 }
 
-#[derive(Debug, Deserialize)]
+#[partial(ResolvedOAuthConfig)]
+#[derive(Clone, Debug, Deserialize)]
 pub struct OAuthConfig {
-    pub device: OAuthDeviceConfig,
-    pub web: OAuthWebConfig,
+    #[partial(ResolvedOAuthConfig(retype = Option<ResolvedOAuthDeviceConfig>))]
+    pub device: Option<OAuthDeviceConfig>,
+    #[partial(ResolvedOAuthConfig(retype = Option<ResolvedOAuthWebConfig>))]
+    pub web: Option<OAuthWebConfig>,
+    #[partial(ResolvedOAuthConfig(retype = Option<ResolvedOAuthWebProxyConfig>))]
+    pub proxy_web: Option<OAuthWebProxyConfig>,
 }
 
-#[derive(Debug, Deserialize)]
+#[partial(ResolvedOAuthDeviceConfig)]
+#[derive(Clone, Debug, Deserialize)]
 pub struct OAuthDeviceConfig {
-    pub client_id: String,
-    pub client_secret: StringParam,
+    pub client_id: TypedUuid<OAuthClientId>,
+    pub remote_client_id: String,
+    #[partial(ResolvedOAuthDeviceConfig(retype = SecretString))]
+    pub remote_client_secret: StringParam,
 }
 
-#[derive(Debug, Deserialize)]
+#[partial(ResolvedOAuthWebConfig)]
+#[derive(Clone, Debug, Deserialize)]
 pub struct OAuthWebConfig {
-    pub client_id: String,
-    pub client_secret: StringParam,
+    pub remote_client_id: String,
+    #[partial(ResolvedOAuthWebConfig(retype = SecretString))]
+    pub remote_client_secret: StringParam,
+}
+
+#[partial(ResolvedOAuthWebProxyConfig)]
+#[derive(Clone, Debug, Deserialize)]
+pub struct OAuthWebProxyConfig {
+    pub client_id: TypedUuid<OAuthClientId>,
     pub redirect_uri: String,
+    pub proxy_port: u16,
+}
+
+impl OAuthConfig {
+    pub fn resolve(
+        &self,
+        base: Option<PathBuf>,
+    ) -> Result<ResolvedOAuthConfig, ParamResolutionError> {
+        let device = self
+            .device
+            .as_ref()
+            .map(|d| d.resolve(base.clone()))
+            .transpose()?;
+        let web = self
+            .web
+            .as_ref()
+            .map(|w| w.resolve(base.clone()))
+            .transpose()?;
+        let proxy_web = self
+            .proxy_web
+            .as_ref()
+            .map(|p| p.resolve(base))
+            .transpose()?;
+        Ok(ResolvedOAuthConfig {
+            device,
+            web,
+            proxy_web,
+        })
+    }
+}
+impl OAuthDeviceConfig {
+    pub fn resolve(
+        &self,
+        base: Option<PathBuf>,
+    ) -> Result<ResolvedOAuthDeviceConfig, ParamResolutionError> {
+        let remote_client_secret = self.remote_client_secret.resolve(base)?;
+        Ok(ResolvedOAuthDeviceConfig {
+            client_id: self.client_id,
+            remote_client_id: self.remote_client_id.clone(),
+            remote_client_secret,
+        })
+    }
+}
+impl OAuthWebConfig {
+    pub fn resolve(
+        &self,
+        base: Option<PathBuf>,
+    ) -> Result<ResolvedOAuthWebConfig, ParamResolutionError> {
+        let remote_client_secret = self.remote_client_secret.resolve(base)?;
+        Ok(ResolvedOAuthWebConfig {
+            remote_client_id: self.remote_client_id.clone(),
+            remote_client_secret,
+        })
+    }
+}
+impl OAuthWebProxyConfig {
+    pub fn resolve(
+        &self,
+        _base: Option<PathBuf>,
+    ) -> Result<ResolvedOAuthWebProxyConfig, ParamResolutionError> {
+        Ok(ResolvedOAuthWebProxyConfig {
+            client_id: self.client_id,
+            redirect_uri: self.redirect_uri.clone(),
+            proxy_port: self.proxy_port,
+        })
+    }
 }
 
 impl AsymmetricKey {