style(encryption): suppress clippy unwrap lints with justifications

2026-03-17 11:30:06 +01:00
parent c56184d30b
commit 712f114763
7 changed files with 42 additions and 8 deletions
--- a/server/crates/arbiter-server/src/actors/keyholder/encryption/v1.rs
+++ b/server/crates/arbiter-server/src/actors/keyholder/encryption/v1.rs
@@ -72,6 +72,10 @@ impl TryFrom<SafeCell<Vec<u8>>> for KeyCell {
 impl KeyCell {
    pub fn new_secure_random() -> Self {
        let key = SafeCell::new_inline(|key_buffer: &mut Key| {
+            #[allow(
+                clippy::unwrap_used,
+                reason = "Rng failure is unrecoverable and should panic"
+            )]
            let mut rng = StdRng::try_from_rng(&mut SysRng).unwrap();
            rng.fill_bytes(key_buffer);
        });
@@ -133,6 +137,10 @@ pub type Salt = [u8; ArgonSalt::RECOMMENDED_LENGTH];

 pub fn generate_salt() -> Salt {
    let mut salt = Salt::default();
+    #[allow(
+        clippy::unwrap_used,
+        reason = "Rng failure is unrecoverable and should panic"
+    )]
    let mut rng = StdRng::try_from_rng(&mut SysRng).unwrap();
    rng.fill_bytes(&mut salt);
    salt
@@ -141,6 +149,7 @@ pub fn generate_salt() -> Salt {
 /// User password might be of different length, have not enough entropy, etc...
 /// Derive a fixed-length key from the password using Argon2id, which is designed for password hashing and key derivation.
 pub fn derive_seal_key(mut password: SafeCell<Vec<u8>>, salt: &Salt) -> KeyCell {
+    #[allow(clippy::unwrap_used)]
    let params = argon2::Params::new(262_144, 3, 4, None).unwrap();
    let hasher = Argon2::new(Algorithm::Argon2id, argon2::Version::V0x13, params);
    let mut key = SafeCell::new(Key::default());
@@ -148,6 +157,10 @@ pub fn derive_seal_key(mut password: SafeCell<Vec<u8>>, salt: &Salt) -> KeyCell
        let mut key_buffer = key.write();
        let key_buffer: &mut [u8] = key_buffer.as_mut();

+        #[allow(
+            clippy::unwrap_used,
+            reason = "Better fail completely than return a weak key"
+        )]
        hasher
            .hash_password_into(password_source.deref(), salt, key_buffer)
            .unwrap();
--- a/server/crates/arbiter-server/src/actors/router/mod.rs
+++ b/server/crates/arbiter-server/src/actors/router/mod.rs
@@ -154,7 +154,7 @@ impl MessageRouter {
        ctx: &mut Context<Self, DelegatedReply<Result<bool, ApprovalError>>>,
    ) -> DelegatedReply<Result<bool, ApprovalError>> {
        let (reply, Some(reply_sender)) = ctx.reply_sender() else {
-            panic!("Exptected `request_client_approval` to have callback channel");
+            unreachable!("Expected `request_client_approval` to have callback channel");
        };

        let weak_refs = self
--- a/server/crates/arbiter-server/src/actors/user_agent/mod.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/mod.rs
@@ -1,12 +1,13 @@
 use alloy::primitives::Address;
-use arbiter_proto::{transport::Bi};
+use arbiter_proto::transport::Bi;
 use kameo::actor::Spawn as _;
 use tracing::{error, info};

 use crate::{
    actors::{GlobalActors, evm, user_agent::session::UserAgentSession},
-    db::{self, models::KeyType}, evm::policies::{Grant, SpecificGrant},
+    db::{self, models::KeyType},
    evm::policies::SharedGrantSettings,
+    evm::policies::{Grant, SpecificGrant},
 };

 #[derive(Debug, thiserror::Error, PartialEq)]
@@ -47,6 +48,7 @@ impl AuthPublicKey {
            AuthPublicKey::EcdsaSecp256k1(k) => k.to_encoded_point(true).as_bytes().to_vec(),
            AuthPublicKey::Rsa(k) => {
                use rsa::pkcs8::EncodePublicKey as _;
+                #[allow(clippy::expect_used)]
                k.to_public_key_der()
                    .expect("rsa SPKI encoding is infallible")
                    .to_vec()
@@ -124,13 +126,19 @@ pub enum Request {

 #[derive(Debug)]
 pub enum Response {
-    AuthChallenge { nonce: i32 },
+    AuthChallenge {
+        nonce: i32,
+    },
    AuthOk,
-    UnsealStartResponse { server_pubkey: x25519_dalek::PublicKey },
+    UnsealStartResponse {
+        server_pubkey: x25519_dalek::PublicKey,
+    },
    UnsealResult(Result<(), UnsealError>),
    BootstrapResult(Result<(), BootstrapError>),
    VaultState(VaultState),
-    ClientConnectionRequest { pubkey: ed25519_dalek::VerifyingKey },
+    ClientConnectionRequest {
+        pubkey: ed25519_dalek::VerifyingKey,
+    },
    ClientConnectionCancel,
    EvmWalletCreate(Result<(), evm::Error>),
    EvmWalletList(Vec<Address>),
--- a/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
@@ -1,4 +1,4 @@
-use std::{ops::DerefMut, sync::Mutex};
+use std::sync::Mutex;

 use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
 use kameo::error::SendError;
@@ -76,6 +76,10 @@ impl UserAgentSession {
        };

        let ephemeral_secret = {
+            #[allow(
+                clippy::unwrap_used,
+                reason = "Mutex poison is unrecoverable and should panic"
+            )]
            let mut secret_lock = unseal_context.secret.lock().unwrap();
            let secret = secret_lock.take();
            match secret {
--- a/server/crates/arbiter-server/src/context/tls.rs
+++ b/server/crates/arbiter-server/src/context/tls.rs
@@ -91,6 +91,10 @@ impl TlsCa {

        let cert_key_pem = certified_issuer.key().serialize_pem();

+        #[allow(
+            clippy::unwrap_used,
+            reason = "Broken cert couldn't bootstrap server anyway"
+        )]
        let issuer = Issuer::from_ca_cert_pem(
            &certified_issuer.pem(),
            KeyPair::from_pem(cert_key_pem.as_ref()).unwrap(),
--- a/server/crates/arbiter-server/src/db/mod.rs
+++ b/server/crates/arbiter-server/src/db/mod.rs
@@ -92,6 +92,7 @@ fn initialize_database(url: &str) -> Result<(), DatabaseSetupError> {
 #[tracing::instrument(level = "info")]
 pub async fn create_pool(url: Option<&str>) -> Result<DatabasePool, DatabaseSetupError> {
    let database_url = url.map(String::from).unwrap_or(
+        #[allow(clippy::expect_used)]
        database_path()?
            .to_str()
            .expect("database path is not valid UTF-8")
@@ -135,11 +136,13 @@ pub async fn create_test_pool() -> DatabasePool {
    let tempfile_name = Alphanumeric.sample_string(&mut rand::rng(), 16);

    let file = std::env::temp_dir().join(tempfile_name);
+    #[allow(clippy::expect_used)]
    let url = file
        .to_str()
        .expect("temp file path is not valid UTF-8")
        .to_string();

+    #[allow(clippy::expect_used)]
    create_pool(Some(&url))
        .await
        .expect("Failed to create test database pool")
--- a/server/crates/arbiter-server/src/evm/safe_signer.rs
+++ b/server/crates/arbiter-server/src/evm/safe_signer.rs
@@ -83,6 +83,7 @@ impl SafeSigner {
    }

    fn sign_hash_inner(&self, hash: &B256) -> Result<Signature> {
+        #[allow(clippy::expect_used)]
        let mut cell = self.key.lock().expect("SafeSigner mutex poisoned");
        let reader = cell.read();
        let sig: (ecdsa::Signature, RecoveryId) = reader.sign_prehash(hash.as_ref())?;
@@ -95,7 +96,8 @@ impl SafeSigner {
        {
            return Err(Error::TransactionChainIdMismatch {
                signer: chain_id,
-                tx: tx.chain_id().unwrap(),
+                #[allow(clippy::expect_used)]
+                tx: tx.chain_id().expect("Chain ID is guaranteed to be set"),
            });
        }
        self.sign_hash_inner(&tx.signature_hash())