MarketTakers/arbiter
5
0
Fork 0
Code Issues 27 Pull Requests 4 Packages Projects Releases Wiki Activity

style(encryption): suppress clippy unwrap lints with justifications
Some checks failed
ci/woodpecker/pr/server-audit Pipeline was successful
Details
ci/woodpecker/pr/server-vet Pipeline failed
Details
ci/woodpecker/pr/server-lint Pipeline failed
Details
ci/woodpecker/pr/server-test Pipeline was successful
Details

Browse Source
This commit is contained in:
hdbg
2026-03-17 11:30:06 +01:00
parent c56184d30b
commit 712f114763
7 changed files with 42 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
server/crates/arbiter-server/src/actors/keyholder/encryption/v1.rs
View File

@@ -72,6 +72,10 @@ impl TryFrom<SafeCell<Vec<u8>>> for KeyCell {
impl KeyCell { impl KeyCell {
pub fn new_secure_random() -> Self { pub fn new_secure_random() -> Self {
let key = SafeCell::new_inline(|key_buffer: &mut Key| { let key = SafeCell::new_inline(|key_buffer: &mut Key| {
#[allow(
clippy::unwrap_used,
reason = "Rng failure is unrecoverable and should panic"
)]
let mut rng = StdRng::try_from_rng(&mut SysRng).unwrap(); let mut rng = StdRng::try_from_rng(&mut SysRng).unwrap();
rng.fill_bytes(key_buffer); rng.fill_bytes(key_buffer);
}); });
@@ -133,6 +137,10 @@ pub type Salt = [u8; ArgonSalt::RECOMMENDED_LENGTH];
pub fn generate_salt() -> Salt { pub fn generate_salt() -> Salt {
let mut salt = Salt::default(); let mut salt = Salt::default();
#[allow(
clippy::unwrap_used,
reason = "Rng failure is unrecoverable and should panic"
)]
let mut rng = StdRng::try_from_rng(&mut SysRng).unwrap(); let mut rng = StdRng::try_from_rng(&mut SysRng).unwrap();
rng.fill_bytes(&mut salt); rng.fill_bytes(&mut salt);
salt salt
@@ -141,6 +149,7 @@ pub fn generate_salt() -> Salt {
/// User password might be of different length, have not enough entropy, etc... /// User password might be of different length, have not enough entropy, etc...
/// Derive a fixed-length key from the password using Argon2id, which is designed for password hashing and key derivation. /// Derive a fixed-length key from the password using Argon2id, which is designed for password hashing and key derivation.
pub fn derive_seal_key(mut password: SafeCell<Vec<u8>>, salt: &Salt) -> KeyCell { pub fn derive_seal_key(mut password: SafeCell<Vec<u8>>, salt: &Salt) -> KeyCell {
#[allow(clippy::unwrap_used)]
let params = argon2::Params::new(262_144, 3, 4, None).unwrap(); let params = argon2::Params::new(262_144, 3, 4, None).unwrap();
let hasher = Argon2::new(Algorithm::Argon2id, argon2::Version::V0x13, params); let hasher = Argon2::new(Algorithm::Argon2id, argon2::Version::V0x13, params);
let mut key = SafeCell::new(Key::default()); let mut key = SafeCell::new(Key::default());
@@ -148,6 +157,10 @@ pub fn derive_seal_key(mut password: SafeCell<Vec<u8>>, salt: &Salt) -> KeyCell
let mut key_buffer = key.write(); let mut key_buffer = key.write();
let key_buffer: &mut [u8] = key_buffer.as_mut(); let key_buffer: &mut [u8] = key_buffer.as_mut();
#[allow(
clippy::unwrap_used,
reason = "Better fail completely than return a weak key"
)]
hasher hasher
.hash_password_into(password_source.deref(), salt, key_buffer) .hash_password_into(password_source.deref(), salt, key_buffer)
.unwrap(); .unwrap();

2
server/crates/arbiter-server/src/actors/router/mod.rs
View File

@@ -154,7 +154,7 @@ impl MessageRouter {
ctx: &mut Context<Self, DelegatedReply<Result<bool, ApprovalError>>>, ctx: &mut Context<Self, DelegatedReply<Result<bool, ApprovalError>>>,
) -> DelegatedReply<Result<bool, ApprovalError>> { ) -> DelegatedReply<Result<bool, ApprovalError>> {
let (reply, Some(reply_sender)) = ctx.reply_sender() else { let (reply, Some(reply_sender)) = ctx.reply_sender() else {
panic!("Exptected `request_client_approval` to have callback channel"); unreachable!("Expected `request_client_approval` to have callback channel");
}; };
let weak_refs = self let weak_refs = self

18
server/crates/arbiter-server/src/actors/user_agent/mod.rs
View File

@@ -1,12 +1,13 @@
use alloy::primitives::Address; use alloy::primitives::Address;
use arbiter_proto::{transport::Bi}; use arbiter_proto::transport::Bi;
use kameo::actor::Spawn as _; use kameo::actor::Spawn as _;
use tracing::{error, info}; use tracing::{error, info};
use crate::{ use crate::{
actors::{GlobalActors, evm, user_agent::session::UserAgentSession}, actors::{GlobalActors, evm, user_agent::session::UserAgentSession},
db::{self, models::KeyType}, evm::policies::{Grant, SpecificGrant}, db::{self, models::KeyType},
evm::policies::SharedGrantSettings, evm::policies::SharedGrantSettings,
evm::policies::{Grant, SpecificGrant},
}; };
#[derive(Debug, thiserror::Error, PartialEq)] #[derive(Debug, thiserror::Error, PartialEq)]
@@ -47,6 +48,7 @@ impl AuthPublicKey {
AuthPublicKey::EcdsaSecp256k1(k) => k.to_encoded_point(true).as_bytes().to_vec(), AuthPublicKey::EcdsaSecp256k1(k) => k.to_encoded_point(true).as_bytes().to_vec(),
AuthPublicKey::Rsa(k) => { AuthPublicKey::Rsa(k) => {
use rsa::pkcs8::EncodePublicKey as _; use rsa::pkcs8::EncodePublicKey as _;
#[allow(clippy::expect_used)]
k.to_public_key_der() k.to_public_key_der()
.expect("rsa SPKI encoding is infallible") .expect("rsa SPKI encoding is infallible")
.to_vec() .to_vec()
@@ -124,13 +126,19 @@ pub enum Request {
#[derive(Debug)] #[derive(Debug)]
pub enum Response { pub enum Response {
AuthChallenge { nonce: i32 }, AuthChallenge {
nonce: i32,
},
AuthOk, AuthOk,
UnsealStartResponse { server_pubkey: x25519_dalek::PublicKey }, UnsealStartResponse {
server_pubkey: x25519_dalek::PublicKey,
},
UnsealResult(Result<(), UnsealError>), UnsealResult(Result<(), UnsealError>),
BootstrapResult(Result<(), BootstrapError>), BootstrapResult(Result<(), BootstrapError>),
VaultState(VaultState), VaultState(VaultState),
ClientConnectionRequest { pubkey: ed25519_dalek::VerifyingKey }, ClientConnectionRequest {
pubkey: ed25519_dalek::VerifyingKey,
},
ClientConnectionCancel, ClientConnectionCancel,
EvmWalletCreate(Result<(), evm::Error>), EvmWalletCreate(Result<(), evm::Error>),
EvmWalletList(Vec<Address>), EvmWalletList(Vec<Address>),

6
server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
View File

@@ -1,4 +1,4 @@
use std::{ops::DerefMut, sync::Mutex}; use std::sync::Mutex;
use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit}; use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
use kameo::error::SendError; use kameo::error::SendError;
@@ -76,6 +76,10 @@ impl UserAgentSession {
}; };
let ephemeral_secret = { let ephemeral_secret = {
#[allow(
clippy::unwrap_used,
reason = "Mutex poison is unrecoverable and should panic"
)]
let mut secret_lock = unseal_context.secret.lock().unwrap(); let mut secret_lock = unseal_context.secret.lock().unwrap();
let secret = secret_lock.take(); let secret = secret_lock.take();
match secret { match secret {

4
server/crates/arbiter-server/src/context/tls.rs
View File

@@ -91,6 +91,10 @@ impl TlsCa {
let cert_key_pem = certified_issuer.key().serialize_pem(); let cert_key_pem = certified_issuer.key().serialize_pem();
#[allow(
clippy::unwrap_used,
reason = "Broken cert couldn't bootstrap server anyway"
)]
let issuer = Issuer::from_ca_cert_pem( let issuer = Issuer::from_ca_cert_pem(
&certified_issuer.pem(), &certified_issuer.pem(),
KeyPair::from_pem(cert_key_pem.as_ref()).unwrap(), KeyPair::from_pem(cert_key_pem.as_ref()).unwrap(),

3
server/crates/arbiter-server/src/db/mod.rs
View File

@@ -92,6 +92,7 @@ fn initialize_database(url: &str) -> Result<(), DatabaseSetupError> {
#[tracing::instrument(level = "info")] #[tracing::instrument(level = "info")]
pub async fn create_pool(url: Option<&str>) -> Result<DatabasePool, DatabaseSetupError> { pub async fn create_pool(url: Option<&str>) -> Result<DatabasePool, DatabaseSetupError> {
let database_url = url.map(String::from).unwrap_or( let database_url = url.map(String::from).unwrap_or(
#[allow(clippy::expect_used)]
database_path()? database_path()?
.to_str() .to_str()
.expect("database path is not valid UTF-8") .expect("database path is not valid UTF-8")
@@ -135,11 +136,13 @@ pub async fn create_test_pool() -> DatabasePool {
let tempfile_name = Alphanumeric.sample_string(&mut rand::rng(), 16); let tempfile_name = Alphanumeric.sample_string(&mut rand::rng(), 16);
let file = std::env::temp_dir().join(tempfile_name); let file = std::env::temp_dir().join(tempfile_name);
#[allow(clippy::expect_used)]
let url = file let url = file
.to_str() .to_str()
.expect("temp file path is not valid UTF-8") .expect("temp file path is not valid UTF-8")
.to_string(); .to_string();
#[allow(clippy::expect_used)]
create_pool(Some(&url)) create_pool(Some(&url))
.await .await
.expect("Failed to create test database pool") .expect("Failed to create test database pool")

4
server/crates/arbiter-server/src/evm/safe_signer.rs
View File

@@ -83,6 +83,7 @@ impl SafeSigner {
} }
fn sign_hash_inner(&self, hash: &B256) -> Result<Signature> { fn sign_hash_inner(&self, hash: &B256) -> Result<Signature> {
#[allow(clippy::expect_used)]
let mut cell = self.key.lock().expect("SafeSigner mutex poisoned"); let mut cell = self.key.lock().expect("SafeSigner mutex poisoned");
let reader = cell.read(); let reader = cell.read();
let sig: (ecdsa::Signature, RecoveryId) = reader.sign_prehash(hash.as_ref())?; let sig: (ecdsa::Signature, RecoveryId) = reader.sign_prehash(hash.as_ref())?;
@@ -95,7 +96,8 @@ impl SafeSigner {
{ {
return Err(Error::TransactionChainIdMismatch { return Err(Error::TransactionChainIdMismatch {
signer: chain_id, signer: chain_id,
tx: tx.chain_id().unwrap(), #[allow(clippy::expect_used)]
tx: tx.chain_id().expect("Chain ID is guaranteed to be set"),
}); });
} }
self.sign_hash_inner(&tx.signature_hash()) self.sign_hash_inner(&tx.signature_hash())