refactor(server): reorganized client/user_agent actors into separate module peers and added event MessageBus
This commit is contained in:
hdbg
@@ -1,4 +1,4 @@
|
||||
use crate::{actors::keyholder, crypto::integrity::hashing::Hashable};
|
||||
use crate::{actors::vault, crypto::integrity::hashing::Hashable};
|
||||
use arbiter_crypto::safecell::SafeCellHandle as _;
|
||||
use hmac::{Hmac, Mac as _};
|
||||
use sha2::Sha256;
|
||||
@@ -11,7 +11,7 @@ use sha2::Digest as _;
|
||||
pub mod hashing;
|
||||
|
||||
use crate::{
|
||||
actors::keyholder::{KeyHolder, SignIntegrity, VerifyIntegrity},
|
||||
actors::vault::{SignIntegrity, Vault, VerifyIntegrity},
|
||||
db::{
|
||||
self,
|
||||
models::{IntegrityEnvelope, NewIntegrityEnvelope},
|
||||
@@ -24,11 +24,11 @@ pub enum Error {
|
||||
#[error("Database error: {0}")]
|
||||
Database(#[from] db::DatabaseError),
|
||||
|
||||
#[error("KeyHolder error: {0}")]
|
||||
Keyholder(#[from] keyholder::Error),
|
||||
#[error("Vault error: {0}")]
|
||||
Vault(#[from] vault::Error),
|
||||
|
||||
#[error("KeyHolder mailbox error")]
|
||||
KeyholderSend,
|
||||
#[error("Vault mailbox error")]
|
||||
VaultSend,
|
||||
|
||||
#[error("Integrity envelope is missing for entity {entity_kind}")]
|
||||
MissingEnvelope { entity_kind: &'static str },
|
||||
@@ -105,7 +105,7 @@ impl IntoId for &'_ [u8] {
|
||||
|
||||
pub async fn sign_entity<E: Integrable>(
|
||||
conn: &mut impl AsyncConnection<Backend = Sqlite>,
|
||||
keyholder: &ActorRef<KeyHolder>,
|
||||
vault: &ActorRef<Vault>,
|
||||
entity: &E,
|
||||
entity_id: impl IntoId,
|
||||
) -> Result<(), Error> {
|
||||
@@ -115,13 +115,14 @@ pub async fn sign_entity<E: Integrable>(
|
||||
|
||||
let mac_input = build_mac_input(E::KIND, &entity_id, E::VERSION, &payload_hash);
|
||||
|
||||
let (key_version, mac) = keyholder
|
||||
.ask(SignIntegrity { mac_input })
|
||||
.await
|
||||
.map_err(|err| match err {
|
||||
kameo::error::SendError::HandlerError(inner) => Error::Keyholder(inner),
|
||||
_ => Error::KeyholderSend,
|
||||
})?;
|
||||
let (key_version, mac) =
|
||||
vault
|
||||
.ask(SignIntegrity { mac_input })
|
||||
.await
|
||||
.map_err(|err| match err {
|
||||
kameo::error::SendError::HandlerError(inner) => Error::Vault(inner),
|
||||
_ => Error::VaultSend,
|
||||
})?;
|
||||
|
||||
insert_into(integrity_envelope::table)
|
||||
.values(NewIntegrityEnvelope {
|
||||
@@ -150,7 +151,7 @@ pub async fn sign_entity<E: Integrable>(
|
||||
|
||||
pub async fn verify_entity<E: Integrable>(
|
||||
conn: &mut impl AsyncConnection<Backend = Sqlite>,
|
||||
keyholder: &ActorRef<KeyHolder>,
|
||||
vault: &ActorRef<Vault>,
|
||||
entity: &E,
|
||||
entity_id: impl IntoId,
|
||||
) -> Result<AttestationStatus, Error> {
|
||||
@@ -178,7 +179,7 @@ pub async fn verify_entity<E: Integrable>(
|
||||
let payload_hash = payload_hash(&entity);
|
||||
let mac_input = build_mac_input(E::KIND, &entity_id, envelope.payload_version, &payload_hash);
|
||||
|
||||
let result = keyholder
|
||||
let result = vault
|
||||
.ask(VerifyIntegrity {
|
||||
mac_input,
|
||||
expected_mac: envelope.mac,
|
||||
@@ -191,10 +192,10 @@ pub async fn verify_entity<E: Integrable>(
|
||||
Ok(false) => Err(Error::MacMismatch {
|
||||
entity_kind: E::KIND,
|
||||
}),
|
||||
Err(SendError::HandlerError(keyholder::Error::NotBootstrapped)) => {
|
||||
Err(SendError::HandlerError(vault::Error::NotBootstrapped)) => {
|
||||
Ok(AttestationStatus::Unavailable)
|
||||
}
|
||||
Err(_) => Err(Error::KeyholderSend),
|
||||
Err(_) => Err(Error::VaultSend),
|
||||
}
|
||||
}
|
||||
|
||||
@@ -203,19 +204,17 @@ mod tests {
|
||||
use diesel::{ExpressionMethods as _, QueryDsl};
|
||||
use diesel_async::RunQueryDsl;
|
||||
use kameo::{actor::ActorRef, prelude::Spawn};
|
||||
|
||||
|
||||
use sha2::Digest;
|
||||
|
||||
|
||||
|
||||
use crate::{
|
||||
actors::keyholder::{Bootstrap, KeyHolder},
|
||||
actors::{GlobalActors, vault::{Bootstrap, Vault}},
|
||||
db::{self, schema},
|
||||
};
|
||||
use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
|
||||
|
||||
use super::{Error, Integrable, sign_entity, verify_entity};
|
||||
use super::hashing::Hashable;
|
||||
use super::{Error, Integrable, sign_entity, verify_entity};
|
||||
|
||||
#[derive(Clone)]
|
||||
struct DummyEntity {
|
||||
@@ -233,8 +232,12 @@ mod tests {
|
||||
const KIND: &'static str = "dummy_entity";
|
||||
}
|
||||
|
||||
async fn bootstrapped_keyholder(db: &db::DatabasePool) -> ActorRef<KeyHolder> {
|
||||
let actor = KeyHolder::spawn(KeyHolder::new(db.clone()).await.unwrap());
|
||||
async fn bootstrapped_vault(db: &db::DatabasePool) -> ActorRef<Vault> {
|
||||
let actor = Vault::spawn(
|
||||
Vault::new(db.clone(), GlobalActors::spawn_message_bus())
|
||||
.await
|
||||
.unwrap(),
|
||||
);
|
||||
actor
|
||||
.ask(Bootstrap {
|
||||
seal_key_raw: SafeCell::new(b"integrity-test-seal-key".to_vec()),
|
||||
@@ -247,7 +250,7 @@ mod tests {
|
||||
#[tokio::test]
|
||||
async fn sign_writes_envelope_and_verify_passes() {
|
||||
let db = db::create_test_pool().await;
|
||||
let keyholder = bootstrapped_keyholder(&db).await;
|
||||
let vault = bootstrapped_vault(&db).await;
|
||||
let mut conn = db.get().await.unwrap();
|
||||
|
||||
const ENTITY_ID: &[u8] = b"entity-id-7";
|
||||
@@ -257,7 +260,7 @@ mod tests {
|
||||
payload: b"payload-v1".to_vec(),
|
||||
};
|
||||
|
||||
sign_entity(&mut conn, &keyholder, &entity, ENTITY_ID)
|
||||
sign_entity(&mut conn, &vault, &entity, ENTITY_ID)
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
@@ -270,7 +273,7 @@ mod tests {
|
||||
.unwrap();
|
||||
|
||||
assert_eq!(count, 1, "envelope row must be created exactly once");
|
||||
verify_entity(&mut conn, &keyholder, &entity, ENTITY_ID)
|
||||
verify_entity(&mut conn, &vault, &entity, ENTITY_ID)
|
||||
.await
|
||||
.unwrap();
|
||||
}
|
||||
@@ -278,7 +281,7 @@ mod tests {
|
||||
#[tokio::test]
|
||||
async fn tampered_mac_fails_verification() {
|
||||
let db = db::create_test_pool().await;
|
||||
let keyholder = bootstrapped_keyholder(&db).await;
|
||||
let vault = bootstrapped_vault(&db).await;
|
||||
let mut conn = db.get().await.unwrap();
|
||||
|
||||
const ENTITY_ID: &[u8] = b"entity-id-11";
|
||||
@@ -288,7 +291,7 @@ mod tests {
|
||||
payload: b"payload-v1".to_vec(),
|
||||
};
|
||||
|
||||
sign_entity(&mut conn, &keyholder, &entity, ENTITY_ID)
|
||||
sign_entity(&mut conn, &vault, &entity, ENTITY_ID)
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
@@ -300,7 +303,7 @@ mod tests {
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
let err = verify_entity(&mut conn, &keyholder, &entity, ENTITY_ID)
|
||||
let err = verify_entity(&mut conn, &vault, &entity, ENTITY_ID)
|
||||
.await
|
||||
.unwrap_err();
|
||||
assert!(matches!(err, Error::MacMismatch { .. }));
|
||||
@@ -309,7 +312,7 @@ mod tests {
|
||||
#[tokio::test]
|
||||
async fn changed_payload_fails_verification() {
|
||||
let db = db::create_test_pool().await;
|
||||
let keyholder = bootstrapped_keyholder(&db).await;
|
||||
let vault = bootstrapped_vault(&db).await;
|
||||
let mut conn = db.get().await.unwrap();
|
||||
|
||||
const ENTITY_ID: &[u8] = b"entity-id-21";
|
||||
@@ -319,7 +322,7 @@ mod tests {
|
||||
payload: b"payload-v1".to_vec(),
|
||||
};
|
||||
|
||||
sign_entity(&mut conn, &keyholder, &entity, ENTITY_ID)
|
||||
sign_entity(&mut conn, &vault, &entity, ENTITY_ID)
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
@@ -328,7 +331,7 @@ mod tests {
|
||||
..entity
|
||||
};
|
||||
|
||||
let err = verify_entity(&mut conn, &keyholder, &tampered, ENTITY_ID)
|
||||
let err = verify_entity(&mut conn, &vault, &tampered, ENTITY_ID)
|
||||
.await
|
||||
.unwrap_err();
|
||||
assert!(matches!(err, Error::MacMismatch { .. }));
|
||||
|
||||
Reference in New Issue
Block a user