From 00745bb381133e8430a1d939d787919c807f891c Mon Sep 17 00:00:00 2001
From: hdbg
Date: Sun, 5 Apr 2026 14:35:41 +0200
Subject: [PATCH] tests(server): fixed for new integrity checks
---
 .../src/actors/user_agent/auth/state.rs | 8 +--
 .../arbiter-server/src/crypto/integrity/v1.rs | 3 +-
 .../arbiter-server/tests/user_agent/auth.rs | 58 +++++++++++++++++--
 3 files changed, 54 insertions(+), 15 deletions(-)
diff --git a/server/crates/arbiter-server/src/actors/user_agent/auth/state.rs b/server/crates/arbiter-server/src/actors/user_agent/auth/state.rs
index a5e212b..5ce6374 100644
--- a/server/crates/arbiter-server/src/actors/user_agent/auth/state.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/auth/state.rs
@@ -102,13 +102,7 @@ async fn verify_integrity(
 Error::internal("Integrity verification failed")
 })?;
- match result {
- AttestationStatus::Attested | AttestationStatus::Unavailable => Ok(()),
- AttestationStatus::NotAttested => {
- error!(?pubkey, "Integrity verification failed: not attested");
- Err(Error::internal("Database tampering detected"))
- }
- }
+ Ok(())
 }
diff --git a/server/crates/arbiter-server/src/crypto/integrity/v1.rs b/server/crates/arbiter-server/src/crypto/integrity/v1.rs
index 9a7b923..3fa7d17 100644
--- a/server/crates/arbiter-server/src/crypto/integrity/v1.rs
+++ b/server/crates/arbiter-server/src/crypto/integrity/v1.rs
@@ -51,7 +51,6 @@ pub enum Error {
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum AttestationStatus {
 Attested,
- NotAttested,
 Unavailable,
 }
@@ -195,7 +194,7 @@ pub async fn verify_entity(
 match result {
 Ok(true) => Ok(AttestationStatus::Attested),
- Ok(false) => Ok(AttestationStatus::NotAttested),
+ Ok(false) => Err(Error::MacMismatch { entity_kind: E::KIND }),
 Err(SendError::HandlerError(keyholder::Error::NotBootstrapped)) => Ok(AttestationStatus::Unavailable),
 Err(_) => Err(Error::KeyholderSend),
 }
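Review bot: With the `match` removed, the status from the verification call above is discarded and `verify_integrity` ends in a bare `Ok(())`, so `AttestationStatus::Unavailable` (keyholder not bootstrapped, per the v1.rs hunk in this patch) is still accepted but no longer visibly so. A MAC mismatch now reaches the caller only through the error mapping above the hunk, which returns the generic `Error::internal("Integrity verification failed")`; the removed `error!(?pubkey, …)` line and the "Database tampering detected" message were the only tamper-specific signal in this block, so unless that closure already logs the underlying error, a tampered row looks the same as a keyholder failure in the logs. I would keep the fail-open explicit with a comment such as `// Unavailable (keyholder not bootstrapped) is accepted on purpose; a tag mismatch already returned Err above`, and log the mismatch with `?pubkey` where the error is mapped. The function body and the mapping closure start outside the hunk.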
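Review bot: After this change `Ok(_)` from `verify_entity` does not mean the entity was checked: the `NotBootstrapped` arm still returns `Ok(AttestationStatus::Unavailable)`, and a caller that only applies `?` treats an unverified row as good. The doc comment on `verify_entity` should say so, for example `/// Returns Ok(Unavailable) when the keyholder is not bootstrapped; no MAC was checked in that case.`, and list `Error::MacMismatch` under `# Errors`. Marking `AttestationStatus` as `#[must_use]` would also make a dropped status show up as a compiler warning. The function signature and any existing docs are outside the hunk.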
diff --git a/server/crates/arbiter-server/tests/user_agent/auth.rs b/server/crates/arbiter-server/tests/user_agent/auth.rs
index 1812785..660fae4 100644
--- a/server/crates/arbiter-server/tests/user_agent/auth.rs
+++ b/server/crates/arbiter-server/tests/user_agent/auth.rs
@@ -4,8 +4,9 @@ use arbiter_server::{
 GlobalActors,
 bootstrap::GetToken,
 keyholder::Bootstrap,
- user_agent::{AuthPublicKey, UserAgentConnection, auth},
+ user_agent::{AuthPublicKey, UserAgentConnection, UserAgentCredentials, auth},
 },
+ crypto::integrity,
 db::{self, schema},
 safe_cell::{SafeCell, SafeCellHandle as _},
 };
@@ -20,6 +21,13 @@ use super::common::ChannelTransport;
 pub async fn test_bootstrap_token_auth() {
 let db = db::create_test_pool().await;
 let actors = GlobalActors::spawn(db.clone()).await.unwrap();
+ actors
+ .key_holder
+ .ask(Bootstrap {
+ seal_key_raw: SafeCell::new(b"test-seal-key".to_vec()),
+ })
+ .await
+ .unwrap();
 let token = actors.bootstrapper.ask(GetToken).await.unwrap().unwrap();
 let (server_transport, mut test_transport) = ChannelTransport::new();
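Review bot: The seven-line keyholder bootstrap added here is repeated verbatim in `test_challenge_auth` and `test_challenge_auth_rejects_invalid_signature` later in this patch, and the insert-then-`integrity::sign_entity` block is duplicated in those two tests as well. A small helper in the test module, say `async fn bootstrap_keyholder(actors: &GlobalActors)`, plus one for inserting a signed user-agent row, would keep the fixtures in one place when the integrity scheme changes again. A short comment would also help explain why a token-auth test now needs the keyholder bootstrapped, since nothing in this hunk shows the dependency. The test body continues outside the hunk.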
@@ -99,20 +107,39 @@ pub async fn test_bootstrap_invalid_token_auth() {
 pub async fn test_challenge_auth() {
 let db = db::create_test_pool().await;
 let actors = GlobalActors::spawn(db.clone()).await.unwrap();
+ actors
+ .key_holder
+ .ask(Bootstrap {
+ seal_key_raw: SafeCell::new(b"test-seal-key".to_vec()),
+ })
+ .await
+ .unwrap();
 let new_key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
 let pubkey_bytes = new_key.verifying_key().to_bytes().to_vec();
 {
 let mut conn = db.get().await.unwrap();
- insert_into(schema::useragent_client::table)
+ let id: i32 = insert_into(schema::useragent_client::table)
 .values((
 schema::useragent_client::public_key.eq(pubkey_bytes.clone()),
 schema::useragent_client::key_type.eq(1i32),
 ))
- .execute(&mut conn)
+ .returning(schema::useragent_client::id)
+ .get_result(&mut conn)
 .await
 .unwrap();
+ integrity::sign_entity(
+ &mut conn,
+ &actors.key_holder,
+ &UserAgentCredentials {
+ pubkey: AuthPublicKey::Ed25519(new_key.verifying_key()),
+ nonce: 1,
+ },
+ id,
+ )
+ .await
+ .unwrap();
 }
 let (server_transport, mut test_transport) = ChannelTransport::new();
@@ -210,7 +237,7 @@ pub async fn test_challenge_auth_rejects_integrity_tag_mismatch_when_unsealed()
 assert!(matches!(
 task.await.unwrap(),
- Err(auth::Error::InvalidChallengeSolution)
+ Err(auth::Error::Internal { .. })
 ));
 }
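Review bot: The signed `UserAgentCredentials` hard-codes `nonce: 1`, while the inserted row sets only `public_key` and `key_type`; the tag presumably verifies only because 1 is what the row ends up holding for its nonce. If that stored value ever changes, this test and `test_challenge_auth_rejects_invalid_signature` (same block) will fail with an opaque integrity error. I would add a comment on the literal, e.g. `// must equal the nonce stored for the new row, or verification fails`, or sign with the value read back from the insert.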
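Review bot: `Err(auth::Error::Internal { .. })` accepts any internal failure, so this test no longer pins the tag-mismatch path: a keyholder send error or any other `Error::internal(...)` would satisfy it too. If the variant carries a message, matching on it (or on a dedicated variant for integrity failures) would keep the test meaningful; the fields of `Internal` are not visible in this patch. A comment on why a tampered record now surfaces as an internal error rather than `InvalidChallengeSolution` would also help, since that presumably changes what a failed login looks like to the connecting client. The test body starts outside the hunk.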
@@ -219,20 +246,39 @@ pub async fn test_challenge_auth_rejects_integrity_tag_mismatch_when_unsealed()
 pub async fn test_challenge_auth_rejects_invalid_signature() {
 let db = db::create_test_pool().await;
 let actors = GlobalActors::spawn(db.clone()).await.unwrap();
+ actors
+ .key_holder
+ .ask(Bootstrap {
+ seal_key_raw: SafeCell::new(b"test-seal-key".to_vec()),
+ })
+ .await
+ .unwrap();
 let new_key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
 let pubkey_bytes = new_key.verifying_key().to_bytes().to_vec();
 {
 let mut conn = db.get().await.unwrap();
- insert_into(schema::useragent_client::table)
+ let id: i32 = insert_into(schema::useragent_client::table)
 .values((
 schema::useragent_client::public_key.eq(pubkey_bytes.clone()),
 schema::useragent_client::key_type.eq(1i32),
 ))
- .execute(&mut conn)
+ .returning(schema::useragent_client::id)
+ .get_result(&mut conn)
 .await
 .unwrap();
+ integrity::sign_entity(
+ &mut conn,
+ &actors.key_holder,
+ &UserAgentCredentials {
+ pubkey: AuthPublicKey::Ed25519(new_key.verifying_key()),
+ nonce: 1,
+ },
+ id,
+ )
+ .await
+ .unwrap();
 }
 let (server_transport, mut test_transport) = ChannelTransport::new();