fix(server::user_agent): useragents now self-sign themselves on bootstrap

2026-04-08 12:34:32 +02:00
parent 1585f90cae
commit 6b8da567dd
36 changed files with 352 additions and 229 deletions
--- a/server/crates/arbiter-server/tests/client/auth.rs
+++ b/server/crates/arbiter-server/tests/client/auth.rs
@@ -5,14 +5,10 @@ use arbiter_crypto::{
 use arbiter_proto::ClientMetadata;
 use arbiter_proto::transport::{Receiver, Sender};
 use arbiter_server::{
-    actors::{
-        GlobalActors,
-        
-        vault::Bootstrap,
-    },
-    peers::client::{ClientConnection, ClientCredentials, auth, connect_client},
+    actors::{GlobalActors, vault::Bootstrap},
    crypto::integrity,
    db::{self, schema},
+    peers::client::{ClientConnection, ClientCredentials, auth, connect_client},
 };
 use diesel::{ExpressionMethods as _, NullableExpressionMethods as _, QueryDsl as _, insert_into};
 use diesel_async::RunQueryDsl;
--- a/server/crates/arbiter-server/tests/common/mod.rs
+++ b/server/crates/arbiter-server/tests/common/mod.rs
@@ -12,7 +12,9 @@ use tokio::sync::mpsc;

 #[allow(dead_code)]
 pub async fn bootstrapped_vault(db: &db::DatabasePool) -> Vault {
-    let mut actor = Vault::new(db.clone(), GlobalActors::spawn_message_bus()).await.unwrap();
+    let mut actor = Vault::new(db.clone(), GlobalActors::spawn_message_bus())
+        .await
+        .unwrap();
    actor
        .bootstrap(SafeCell::new(b"test-seal-key".to_vec()))
        .await
--- a/server/crates/arbiter-server/tests/user_agent/auth.rs
+++ b/server/crates/arbiter-server/tests/user_agent/auth.rs
@@ -5,15 +5,10 @@ use arbiter_crypto::{

 use arbiter_proto::transport::{Receiver, Sender};
 use arbiter_server::{
-    actors::{
-        GlobalActors,
-        bootstrap::GetToken,
-        vault::Bootstrap,
-       
-    },
-    peers::user_agent::{UserAgentConnection, UserAgentCredentials, auth},
+    actors::{GlobalActors, bootstrap::GetToken, vault::Bootstrap},
    crypto::integrity,
    db::{self, schema},
+    peers::user_agent::{UserAgentConnection, UserAgentCredentials, auth},
 };
 use diesel::{ExpressionMethods as _, QueryDsl, insert_into};
 use diesel_async::RunQueryDsl;
--- a/server/crates/arbiter-server/tests/user_agent/unseal.rs
+++ b/server/crates/arbiter-server/tests/user_agent/unseal.rs
@@ -3,13 +3,12 @@ use arbiter_server::{
    actors::{
        GlobalActors,
        vault::{Bootstrap, Seal},
-       
    },
-    peers::user_agent::{
-            UserAgentSession,
-            session::connection::{HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError},
-        },
    db,
+    peers::user_agent::{
+        UserAgentSession,
+        session::connection::{HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError},
+    },
 };

 use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
--- a/server/crates/arbiter-server/tests/vault/concurrency.rs
+++ b/server/crates/arbiter-server/tests/vault/concurrency.rs
@@ -2,7 +2,10 @@ use std::collections::{HashMap, HashSet};

 use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
 use arbiter_server::{
-    actors::{GlobalActors, vault::{CreateNew, Error, Vault}},
+    actors::{
+        GlobalActors,
+        vault::{CreateNew, Error, Vault},
+    },
    db::{self, models, schema},
 };

@@ -161,7 +164,9 @@ async fn decrypt_roundtrip_after_high_concurrency() {
    let writes = write_concurrently(actor, "roundtrip", 40).await;
    let expected: HashMap<i32, Vec<u8>> = writes.into_iter().collect();

-    let mut decryptor = Vault::new(db.clone(), GlobalActors::spawn_message_bus()).await.unwrap();
+    let mut decryptor = Vault::new(db.clone(), GlobalActors::spawn_message_bus())
+        .await
+        .unwrap();
    decryptor
        .try_unseal(SafeCell::new(b"test-seal-key".to_vec()))
        .await
--- a/server/crates/arbiter-server/tests/vault/lifecycle.rs
+++ b/server/crates/arbiter-server/tests/vault/lifecycle.rs
@@ -1,12 +1,11 @@
 use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
 use arbiter_server::{
-    actors::{GlobalActors, vault::{Error, Vault}},
+    actors::{
+        GlobalActors,
+        vault::{Error, Vault},
+    },
    crypto::encryption::v1::{Nonce, ROOT_KEY_TAG},
    db::{self, models, schema},
-    peers::user_agent::{
-        UserAgentSession,
-        session::connection::{HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError},
-    },
 };

 use diesel::{QueryDsl, SelectableHelper};
@@ -18,7 +17,9 @@ use crate::common;
 #[test_log::test]
 async fn test_bootstrap() {
    let db = db::create_test_pool().await;
-    let mut actor = Vault::new(db.clone(), GlobalActors::spawn_message_bus()).await.unwrap();
+    let mut actor = Vault::new(db.clone(), GlobalActors::spawn_message_bus())
+        .await
+        .unwrap();

    let seal_key = SafeCell::new(b"test-seal-key".to_vec());
    actor.bootstrap(seal_key).await.unwrap();
@@ -52,7 +53,9 @@ async fn test_bootstrap_rejects_double() {
 #[test_log::test]
 async fn test_create_new_before_bootstrap_fails() {
    let db = db::create_test_pool().await;
-    let mut actor = Vault::new(db, GlobalActors::spawn_message_bus()).await.unwrap();
+    let mut actor = Vault::new(db, GlobalActors::spawn_message_bus())
+        .await
+        .unwrap();

    let err = actor
        .create_new(SafeCell::new(b"data".to_vec()))
@@ -65,7 +68,9 @@ async fn test_create_new_before_bootstrap_fails() {
 #[test_log::test]
 async fn test_decrypt_before_bootstrap_fails() {
    let db = db::create_test_pool().await;
-    let mut actor = Vault::new(db, GlobalActors::spawn_message_bus()).await.unwrap();
+    let mut actor = Vault::new(db, GlobalActors::spawn_message_bus())
+        .await
+        .unwrap();

    let err = actor.decrypt(1).await.unwrap_err();
    assert!(matches!(err, Error::NotBootstrapped));
@@ -78,7 +83,9 @@ async fn test_new_restores_sealed_state() {
    let actor = common::bootstrapped_vault(&db).await;
    drop(actor);

-    let mut actor2 = Vault::new(db, GlobalActors::spawn_message_bus()).await.unwrap();
+    let mut actor2 = Vault::new(db, GlobalActors::spawn_message_bus())
+        .await
+        .unwrap();
    let err = actor2.decrypt(1).await.unwrap_err();
    assert!(matches!(err, Error::NotBootstrapped));
 }
@@ -96,7 +103,9 @@ async fn test_unseal_correct_password() {
        .unwrap();
    drop(actor);

-    let mut actor = Vault::new(db.clone(), GlobalActors::spawn_message_bus()).await.unwrap();
+    let mut actor = Vault::new(db.clone(), GlobalActors::spawn_message_bus())
+        .await
+        .unwrap();
    let seal_key = SafeCell::new(b"test-seal-key".to_vec());
    actor.try_unseal(seal_key).await.unwrap();

@@ -117,7 +126,9 @@ async fn test_unseal_wrong_then_correct_password() {
        .unwrap();
    drop(actor);

-    let mut actor = Vault::new(db.clone(), GlobalActors::spawn_message_bus()).await.unwrap();
+    let mut actor = Vault::new(db.clone(), GlobalActors::spawn_message_bus())
+        .await
+        .unwrap();

    let bad_key = SafeCell::new(b"wrong-password".to_vec());
    let err = actor.try_unseal(bad_key).await.unwrap_err();