tests(server): fixed for new integrity checks
@@ -102,13 +102,7 @@ async fn verify_integrity(
|
|||||||
Error::internal("Integrity verification failed")
|
Error::internal("Integrity verification failed")
|
||||||
})?;
|
})?;
|
||||||
|
|
||||||
match result {
|
Ok(())
|
||||||
AttestationStatus::Attested | AttestationStatus::Unavailable => Ok(()),
|
|
||||||
AttestationStatus::NotAttested => {
|
|
||||||
error!(?pubkey, "Integrity verification failed: not attested");
|
|
||||||
Err(Error::internal("Database tampering detected"))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
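Review bot: With the `match result` removed, `verify_integrity` now ends in a bare `Ok(())`, so an `AttestationStatus::Unavailable` result (which `verify_entity` returns when the keyholder is not bootstrapped) is accepted exactly like `Attested` and leaves no trace in this function. The old arm `Attested | Unavailable => Ok(())` at least made that fail-open path explicit. I would keep the status bound and record the skipped check, for example `if status == AttestationStatus::Unavailable { warn!(?pubkey, "integrity check skipped: keyholder not bootstrapped"); }`, and state in the function's doc comment that an unbootstrapped keyholder means the record is accepted unverified. The start of `verify_integrity` and the head of the `map_err` closure are outside the hunk, so the name `status` and how the value is bound are assumptions.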
@@ -51,7 +51,6 @@ pub enum Error {
|
|||||||
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
|
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
|
||||||
pub enum AttestationStatus {
|
pub enum AttestationStatus {
|
||||||
Attested,
|
Attested,
|
||||||
NotAttested,
|
|
||||||
Unavailable,
|
Unavailable,
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -195,7 +194,7 @@ pub async fn verify_entity<E: Integrable>(
|
|||||||
|
|
||||||
match result {
|
match result {
|
||||||
Ok(true) => Ok(AttestationStatus::Attested),
|
Ok(true) => Ok(AttestationStatus::Attested),
|
||||||
Ok(false) => Ok(AttestationStatus::NotAttested),
|
Ok(false) => Err(Error::MacMismatch { entity_kind: E::KIND }),
|
||||||
Err(SendError::HandlerError(keyholder::Error::NotBootstrapped)) => Ok(AttestationStatus::Unavailable),
|
Err(SendError::HandlerError(keyholder::Error::NotBootstrapped)) => Ok(AttestationStatus::Unavailable),
|
||||||
Err(_) => Err(Error::KeyholderSend),
|
Err(_) => Err(Error::KeyholderSend),
|
||||||
}
|
}
|
||||||
|
|||||||
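Review bot: The new arm `Ok(false) => Err(Error::MacMismatch { entity_kind: E::KIND })` identifies only the kind of entity, so a mismatch cannot be traced to a specific row from the error alone. The `error!(?pubkey, …)` log that the caller emitted for this case is removed in the same commit. The tests pass an `id` to `sign_entity`, so a matching id is presumably in scope here; consider logging it at this arm or carrying it in the variant. A comment on the arm would also help, such as `// MAC mismatch is a hard error (possible tampering), never a status value`. The signature and the earlier part of `verify_entity` are outside the hunk.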
@@ -4,8 +4,9 @@ use arbiter_server::{
|
|||||||
GlobalActors,
|
GlobalActors,
|
||||||
bootstrap::GetToken,
|
bootstrap::GetToken,
|
||||||
keyholder::Bootstrap,
|
keyholder::Bootstrap,
|
||||||
user_agent::{AuthPublicKey, UserAgentConnection, auth},
|
user_agent::{AuthPublicKey, UserAgentConnection, UserAgentCredentials, auth},
|
||||||
},
|
},
|
||||||
|
crypto::integrity,
|
||||||
db::{self, schema},
|
db::{self, schema},
|
||||||
safe_cell::{SafeCell, SafeCellHandle as _},
|
safe_cell::{SafeCell, SafeCellHandle as _},
|
||||||
};
|
};
|
||||||
@@ -20,6 +21,13 @@ use super::common::ChannelTransport;
|
|||||||
pub async fn test_bootstrap_token_auth() {
|
pub async fn test_bootstrap_token_auth() {
|
||||||
let db = db::create_test_pool().await;
|
let db = db::create_test_pool().await;
|
||||||
let actors = GlobalActors::spawn(db.clone()).await.unwrap();
|
let actors = GlobalActors::spawn(db.clone()).await.unwrap();
|
||||||
|
actors
|
||||||
|
.key_holder
|
||||||
|
.ask(Bootstrap {
|
||||||
|
seal_key_raw: SafeCell::new(b"test-seal-key".to_vec()),
|
||||||
|
})
|
||||||
|
.await
|
||||||
|
.unwrap();
|
||||||
let token = actors.bootstrapper.ask(GetToken).await.unwrap().unwrap();
|
let token = actors.bootstrapper.ask(GetToken).await.unwrap().unwrap();
|
||||||
|
|
||||||
let (server_transport, mut test_transport) = ChannelTransport::new();
|
let (server_transport, mut test_transport) = ChannelTransport::new();
|
||||||
@@ -99,18 +107,37 @@ pub async fn test_bootstrap_invalid_token_auth() {
|
|||||||
pub async fn test_challenge_auth() {
|
pub async fn test_challenge_auth() {
|
||||||
let db = db::create_test_pool().await;
|
let db = db::create_test_pool().await;
|
||||||
let actors = GlobalActors::spawn(db.clone()).await.unwrap();
|
let actors = GlobalActors::spawn(db.clone()).await.unwrap();
|
||||||
|
actors
|
||||||
|
.key_holder
|
||||||
|
.ask(Bootstrap {
|
||||||
|
seal_key_raw: SafeCell::new(b"test-seal-key".to_vec()),
|
||||||
|
})
|
||||||
|
.await
|
||||||
|
.unwrap();
|
||||||
|
|
||||||
let new_key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
|
let new_key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
|
||||||
let pubkey_bytes = new_key.verifying_key().to_bytes().to_vec();
|
let pubkey_bytes = new_key.verifying_key().to_bytes().to_vec();
|
||||||
|
|
||||||
{
|
{
|
||||||
let mut conn = db.get().await.unwrap();
|
let mut conn = db.get().await.unwrap();
|
||||||
insert_into(schema::useragent_client::table)
|
let id: i32 = insert_into(schema::useragent_client::table)
|
||||||
.values((
|
.values((
|
||||||
schema::useragent_client::public_key.eq(pubkey_bytes.clone()),
|
schema::useragent_client::public_key.eq(pubkey_bytes.clone()),
|
||||||
schema::useragent_client::key_type.eq(1i32),
|
schema::useragent_client::key_type.eq(1i32),
|
||||||
))
|
))
|
||||||
.execute(&mut conn)
|
.returning(schema::useragent_client::id)
|
||||||
|
.get_result(&mut conn)
|
||||||
|
.await
|
||||||
|
.unwrap();
|
||||||
|
integrity::sign_entity(
|
||||||
|
&mut conn,
|
||||||
|
&actors.key_holder,
|
||||||
|
&UserAgentCredentials {
|
||||||
|
pubkey: AuthPublicKey::Ed25519(new_key.verifying_key()),
|
||||||
|
nonce: 1,
|
||||||
|
},
|
||||||
|
id,
|
||||||
|
)
|
||||||
.await
|
.await
|
||||||
.unwrap();
|
.unwrap();
|
||||||
}
|
}
|
||||||
@@ -210,7 +237,7 @@ pub async fn test_challenge_auth_rejects_integrity_tag_mismatch_when_unsealed()
|
|||||||
|
|
||||||
assert!(matches!(
|
assert!(matches!(
|
||||||
task.await.unwrap(),
|
task.await.unwrap(),
|
||||||
Err(auth::Error::InvalidChallengeSolution)
|
Err(auth::Error::Internal { .. })
|
||||||
));
|
));
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -219,18 +246,37 @@ pub async fn test_challenge_auth_rejects_integrity_tag_mismatch_when_unsealed()
|
|||||||
pub async fn test_challenge_auth_rejects_invalid_signature() {
|
pub async fn test_challenge_auth_rejects_invalid_signature() {
|
||||||
let db = db::create_test_pool().await;
|
let db = db::create_test_pool().await;
|
||||||
let actors = GlobalActors::spawn(db.clone()).await.unwrap();
|
let actors = GlobalActors::spawn(db.clone()).await.unwrap();
|
||||||
|
actors
|
||||||
|
.key_holder
|
||||||
|
.ask(Bootstrap {
|
||||||
|
seal_key_raw: SafeCell::new(b"test-seal-key".to_vec()),
|
||||||
|
})
|
||||||
|
.await
|
||||||
|
.unwrap();
|
||||||
|
|
||||||
let new_key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
|
let new_key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
|
||||||
let pubkey_bytes = new_key.verifying_key().to_bytes().to_vec();
|
let pubkey_bytes = new_key.verifying_key().to_bytes().to_vec();
|
||||||
|
|
||||||
{
|
{
|
||||||
let mut conn = db.get().await.unwrap();
|
let mut conn = db.get().await.unwrap();
|
||||||
insert_into(schema::useragent_client::table)
|
let id: i32 = insert_into(schema::useragent_client::table)
|
||||||
.values((
|
.values((
|
||||||
schema::useragent_client::public_key.eq(pubkey_bytes.clone()),
|
schema::useragent_client::public_key.eq(pubkey_bytes.clone()),
|
||||||
schema::useragent_client::key_type.eq(1i32),
|
schema::useragent_client::key_type.eq(1i32),
|
||||||
))
|
))
|
||||||
.execute(&mut conn)
|
.returning(schema::useragent_client::id)
|
||||||
|
.get_result(&mut conn)
|
||||||
|
.await
|
||||||
|
.unwrap();
|
||||||
|
integrity::sign_entity(
|
||||||
|
&mut conn,
|
||||||
|
&actors.key_holder,
|
||||||
|
&UserAgentCredentials {
|
||||||
|
pubkey: AuthPublicKey::Ed25519(new_key.verifying_key()),
|
||||||
|
nonce: 1,
|
||||||
|
},
|
||||||
|
id,
|
||||||
|
)
|
||||||
.await
|
.await
|
||||||
.unwrap();
|
.unwrap();
|
||||||
}
|
}
|
||||||
|
|||||||
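Review bot: `Err(auth::Error::Internal { .. })` in `test_challenge_auth_rejects_integrity_tag_mismatch_when_unsealed` accepts any internal failure, so the test would still pass if authentication broke for an unrelated reason before the integrity check ran. If `Internal` carries the message given to `Error::internal(...)`, bind it and assert that it is the integrity-failure text. Otherwise at least add a comment such as `// integrity tag mismatch is reported as Internal, not InvalidChallengeSolution`. The bootstrap, insert and `sign_entity` setup is repeated verbatim in `test_challenge_auth` and `test_challenge_auth_rejects_invalid_signature`; a shared helper would keep the signed `nonce: 1` in one place. The body of the mismatch test starts outside its hunk.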