feat(user-agent): add VaultGate for sealed vault authentication

2026-04-08 18:29:52 +02:00
parent 205227a3df
commit 87ee0fe87b
24 changed files with 900 additions and 625 deletions
--- a/server/crates/arbiter-server/tests/user_agent/auth.rs
+++ b/server/crates/arbiter-server/tests/user_agent/auth.rs
@@ -8,7 +8,7 @@ use arbiter_server::{
    actors::{GlobalActors, bootstrap::GetToken, vault::Bootstrap},
    crypto::integrity,
    db::{self, schema},
-    peers::user_agent::{UserAgentConnection, UserAgentCredentials, auth},
+    peers::user_agent::{AuthCredentials, Credentials, UserAgentConnection, auth},
 };
 use diesel::{ExpressionMethods as _, QueryDsl, insert_into};
 use diesel_async::RunQueryDsl;
@@ -144,9 +144,12 @@ pub async fn test_challenge_auth() {
        integrity::sign_entity(
            &mut conn,
            &actors.vault,
-            &UserAgentCredentials {
-                pubkey: new_key.verifying_key().into(),
-                nonce: 1,
+            &AuthCredentials {
+                creds: Credentials {
+                    id,
+                    pubkey: new_key.verifying_key().into(),
+                },
+                new_nonce: 1,
            },
            id,
        )
@@ -282,9 +285,12 @@ pub async fn test_challenge_auth_rejects_invalid_signature() {
        integrity::sign_entity(
            &mut conn,
            &actors.vault,
-            &UserAgentCredentials {
-                pubkey: new_key.verifying_key().into(),
-                nonce: 1,
+            &AuthCredentials {
+                creds: Credentials {
+                    id,
+                    pubkey: new_key.verifying_key().into(),
+                },
+                new_nonce: 1,
            },
            id,
        )
--- a/server/crates/arbiter-server/tests/user_agent/unseal.rs
+++ b/server/crates/arbiter-server/tests/user_agent/unseal.rs
@@ -1,4 +1,7 @@
-use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
+use arbiter_crypto::{
+    authn,
+    safecell::{SafeCell, SafeCellHandle as _},
+};
 use arbiter_server::{
    actors::{
        GlobalActors,
@@ -6,18 +9,19 @@ use arbiter_server::{
    },
    db,
    peers::user_agent::{
-        UserAgentSession,
-        session::connection::{HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError},
+        AuthCredentials, Credentials,
+        vault_gate::{Error as VaultGateError, HandleHandshake, HandleUnsealEncryptedKey, VaultGate},
    },
 };

 use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
 use kameo::actor::Spawn as _;
+use tokio::sync::oneshot;
 use x25519_dalek::{EphemeralSecret, PublicKey};

-async fn setup_sealed_user_agent(
+async fn setup_sealed_gate(
    seal_key: &[u8],
-) -> (db::DatabasePool, kameo::actor::ActorRef<UserAgentSession>) {
+) -> (db::DatabasePool, kameo::actor::ActorRef<VaultGate>, oneshot::Receiver<Result<Credentials, VaultGateError>>) {
    let db = db::create_test_pool().await;
    let actors = GlobalActors::spawn(db.clone()).await.unwrap();

@@ -30,20 +34,26 @@ async fn setup_sealed_user_agent(
        .unwrap();
    actors.vault.ask(Seal).await.unwrap();

-    let session = UserAgentSession::spawn(UserAgentSession::new_test(db.clone(), actors));
+    let (promotion_tx, promotion_rx) = oneshot::channel();
+    let pubkey = authn::SigningKey::generate().public_key();
+    let auth_creds = AuthCredentials {
+        creds: Credentials { id: 1, pubkey },
+        new_nonce: 1,
+    };
+    let gate = VaultGate::spawn(VaultGate::new(auth_creds, actors, db.clone(), promotion_tx));

-    (db, session)
+    (db, gate, promotion_rx)
 }

 async fn client_dh_encrypt(
-    user_agent: &kameo::actor::ActorRef<UserAgentSession>,
+    gate: &kameo::actor::ActorRef<VaultGate>,
    key_to_send: &[u8],
 ) -> HandleUnsealEncryptedKey {
    let client_secret = EphemeralSecret::random();
    let client_public = PublicKey::from(&client_secret);

-    let response = user_agent
-        .ask(HandleUnsealRequest {
+    let response = gate
+        .ask(HandleHandshake {
            client_pubkey: client_public,
        })
        .await
@@ -71,26 +81,26 @@ async fn client_dh_encrypt(
 #[test_log::test]
 pub async fn test_unseal_success() {
    let seal_key = b"test-seal-key";
-    let (_db, user_agent) = setup_sealed_user_agent(seal_key).await;
+    let (_db, gate, _promotion_rx) = setup_sealed_gate(seal_key).await;

-    let encrypted_key = client_dh_encrypt(&user_agent, seal_key).await;
+    let encrypted_key = client_dh_encrypt(&gate, seal_key).await;

-    let response = user_agent.ask(encrypted_key).await;
+    let response = gate.ask(encrypted_key).await;
    assert!(matches!(response, Ok(())));
 }

 #[tokio::test]
 #[test_log::test]
 pub async fn test_unseal_wrong_seal_key() {
-    let (_db, user_agent) = setup_sealed_user_agent(b"correct-key").await;
+    let (_db, gate, _promotion_rx) = setup_sealed_gate(b"correct-key").await;

-    let encrypted_key = client_dh_encrypt(&user_agent, b"wrong-key").await;
+    let encrypted_key = client_dh_encrypt(&gate, b"wrong-key").await;

-    let response = user_agent.ask(encrypted_key).await;
+    let response = gate.ask(encrypted_key).await;
    assert!(matches!(
        response,
        Err(kameo::error::SendError::HandlerError(
-            UnsealError::InvalidKey
+            VaultGateError::InvalidKey
        ))
    ));
 }
@@ -98,19 +108,18 @@ pub async fn test_unseal_wrong_seal_key() {
 #[tokio::test]
 #[test_log::test]
 pub async fn test_unseal_corrupted_ciphertext() {
-    let (_db, user_agent) = setup_sealed_user_agent(b"test-key").await;
+    let (_db, gate, _promotion_rx) = setup_sealed_gate(b"test-key").await;

    let client_secret = EphemeralSecret::random();
    let client_public = PublicKey::from(&client_secret);

-    user_agent
-        .ask(HandleUnsealRequest {
-            client_pubkey: client_public,
-        })
-        .await
-        .unwrap();
+    gate.ask(HandleHandshake {
+        client_pubkey: client_public,
+    })
+    .await
+    .unwrap();

-    let response = user_agent
+    let response = gate
        .ask(HandleUnsealEncryptedKey {
            nonce: vec![0u8; 24],
            ciphertext: vec![0u8; 32],
@@ -121,7 +130,7 @@ pub async fn test_unseal_corrupted_ciphertext() {
    assert!(matches!(
        response,
        Err(kameo::error::SendError::HandlerError(
-            UnsealError::InvalidKey
+            VaultGateError::InvalidKey
        ))
    ));
 }
@@ -130,24 +139,24 @@ pub async fn test_unseal_corrupted_ciphertext() {
 #[test_log::test]
 pub async fn test_unseal_retry_after_invalid_key() {
    let seal_key = b"real-seal-key";
-    let (_db, user_agent) = setup_sealed_user_agent(seal_key).await;
+    let (_db, gate, _promotion_rx) = setup_sealed_gate(seal_key).await;

    {
-        let encrypted_key = client_dh_encrypt(&user_agent, b"wrong-key").await;
+        let encrypted_key = client_dh_encrypt(&gate, b"wrong-key").await;

-        let response = user_agent.ask(encrypted_key).await;
+        let response = gate.ask(encrypted_key).await;
        assert!(matches!(
            response,
            Err(kameo::error::SendError::HandlerError(
-                UnsealError::InvalidKey
+                VaultGateError::InvalidKey
            ))
        ));
    }

    {
-        let encrypted_key = client_dh_encrypt(&user_agent, seal_key).await;
+        let encrypted_key = client_dh_encrypt(&gate, seal_key).await;

-        let response = user_agent.ask(encrypted_key).await;
+        let response = gate.ask(encrypted_key).await;
        assert!(matches!(response, Ok(())));
    }
 }