From a3b98ca024fcbdab9b207e032ed8a8cba745ea42 Mon Sep 17 00:00:00 2001 From: CleverWild Date: Fri, 12 Jun 2026 21:11:48 +0200 Subject: [PATCH] fix(server::tests): tighten unseal test seal_key params to &[u8; 32] --- .../arbiter-server/src/crypto/integrity/v1.rs | 2 +- .../crates/arbiter-server/tests/client/auth.rs | 2 +- server/crates/arbiter-server/tests/common/mod.rs | 2 +- .../crates/arbiter-server/tests/operator/auth.rs | 8 ++++---- .../arbiter-server/tests/operator/unseal.rs | 16 ++++++++-------- .../arbiter-server/tests/vault/concurrency.rs | 2 +- .../arbiter-server/tests/vault/lifecycle.rs | 10 +++++----- 7 files changed, 21 insertions(+), 21 deletions(-) diff --git a/server/crates/arbiter-server/src/crypto/integrity/v1.rs b/server/crates/arbiter-server/src/crypto/integrity/v1.rs index edb2274..c777967 100644 --- a/server/crates/arbiter-server/src/crypto/integrity/v1.rs +++ b/server/crates/arbiter-server/src/crypto/integrity/v1.rs @@ -235,7 +235,7 @@ mod tests { ); actor .ask(Bootstrap { - seal_key_raw: SafeCell::new(b"integrity-test-seal-key".to_vec()), + seal_key_raw: SafeCell::new([0u8; 32].to_vec()), }) .await .unwrap(); diff --git a/server/crates/arbiter-server/tests/client/auth.rs b/server/crates/arbiter-server/tests/client/auth.rs index a7320f6..964f282 100644 --- a/server/crates/arbiter-server/tests/client/auth.rs +++ b/server/crates/arbiter-server/tests/client/auth.rs @@ -100,7 +100,7 @@ async fn spawn_test_actors(db: &db::DatabasePool) -> GlobalActors { actors .vault .ask(Bootstrap { - seal_key_raw: SafeCell::new(b"test-seal-key".to_vec()), + seal_key_raw: SafeCell::new([0u8; 32].to_vec()), }) .await .unwrap(); diff --git a/server/crates/arbiter-server/tests/common/mod.rs b/server/crates/arbiter-server/tests/common/mod.rs index 83a2f81..33cca5e 100644 --- a/server/crates/arbiter-server/tests/common/mod.rs +++ b/server/crates/arbiter-server/tests/common/mod.rs @@ -19,7 +19,7 @@ pub(crate) async fn bootstrapped_vault(db: &db::DatabasePool) -> Vault { .await .unwrap(); actor - .bootstrap(SafeCell::new(b"test-seal-key".to_vec())) + .bootstrap(SafeCell::new([0u8; 32].to_vec())) .await .unwrap(); actor diff --git a/server/crates/arbiter-server/tests/operator/auth.rs b/server/crates/arbiter-server/tests/operator/auth.rs index 433c03d..7d91a55 100644 --- a/server/crates/arbiter-server/tests/operator/auth.rs +++ b/server/crates/arbiter-server/tests/operator/auth.rs @@ -157,7 +157,7 @@ pub async fn bootstrap_token_auth() { actors .vault .ask(Bootstrap { - seal_key_raw: SafeCell::new(b"test-seal-key".to_vec()), + seal_key_raw: SafeCell::new([0u8; 32].to_vec()), }) .await .unwrap(); @@ -275,7 +275,7 @@ pub async fn challenge_auth() { actors .vault .ask(Bootstrap { - seal_key_raw: SafeCell::new(b"test-seal-key".to_vec()), + seal_key_raw: SafeCell::new([0u8; 32].to_vec()), }) .await .unwrap(); @@ -361,7 +361,7 @@ pub async fn challenge_auth_rejects_integrity_tag_mismatch_when_unsealed() { actors .vault .ask(Bootstrap { - seal_key_raw: SafeCell::new(b"test-seal-key".to_vec()), + seal_key_raw: SafeCell::new([0u8; 32].to_vec()), }) .await .unwrap(); @@ -434,7 +434,7 @@ pub async fn challenge_auth_rejects_invalid_signature() { actors .vault .ask(Bootstrap { - seal_key_raw: SafeCell::new(b"test-seal-key".to_vec()), + seal_key_raw: SafeCell::new([0u8; 32].to_vec()), }) .await .unwrap(); diff --git a/server/crates/arbiter-server/tests/operator/unseal.rs b/server/crates/arbiter-server/tests/operator/unseal.rs index 365e6ec..c2267d2 100644 --- a/server/crates/arbiter-server/tests/operator/unseal.rs +++ b/server/crates/arbiter-server/tests/operator/unseal.rs @@ -22,7 +22,7 @@ use tokio::sync::oneshot; use x25519_dalek::{EphemeralSecret, PublicKey}; async fn setup_sealed_gate( - seal_key: &[u8], + seal_key: &[u8; 32], ) -> ( db::DatabasePool, kameo::actor::ActorRef, @@ -50,7 +50,7 @@ async fn setup_sealed_gate( async fn client_dh_encrypt( gate: &kameo::actor::ActorRef, - key_to_send: &[u8], + key_to_send: &[u8; 32], ) -> HandleUnsealEncryptedKey { let client_secret = EphemeralSecret::random(); let client_public = PublicKey::from(&client_secret); @@ -83,7 +83,7 @@ async fn client_dh_encrypt( #[tokio::test] #[test_log::test] pub async fn unseal_success() { - let seal_key = b"test-seal-key"; + let seal_key = b"test-seal-key-padded-to-32bytes!"; let (_db, gate, _promotion_rx) = setup_sealed_gate(seal_key).await; let encrypted_key = client_dh_encrypt(&gate, seal_key).await; @@ -95,10 +95,10 @@ pub async fn unseal_success() { #[tokio::test] #[test_log::test] pub async fn unseal_wrong_seal_key() { - let seal_key = b"test-seal-key"; + let seal_key = b"test-seal-key-padded-to-32bytes!"; let (_db, gate, _promotion_rx) = setup_sealed_gate(seal_key).await; - let encrypted_key = client_dh_encrypt(&gate, b"wrong-key").await; + let encrypted_key = client_dh_encrypt(&gate, b"wrong-key-padded-to-32-bytes!!!!").await; let response = gate.ask(encrypted_key).await; assert!(matches!( @@ -112,7 +112,7 @@ pub async fn unseal_wrong_seal_key() { #[tokio::test] #[test_log::test] pub async fn unseal_corrupted_ciphertext() { - let seal_key = b"test-seal-key"; + let seal_key = b"test-seal-key-padded-to-32bytes!"; let (_db, gate, _promotion_rx) = setup_sealed_gate(seal_key).await; let client_secret = EphemeralSecret::random(); @@ -143,11 +143,11 @@ pub async fn unseal_corrupted_ciphertext() { #[tokio::test] #[test_log::test] pub async fn unseal_retry_after_invalid_key() { - let seal_key = b"real-seal-key"; + let seal_key = b"real-seal-key-padded-to-32bytes!"; let (_db, gate, _promotion_rx) = setup_sealed_gate(seal_key).await; { - let encrypted_key = client_dh_encrypt(&gate, b"wrong-key").await; + let encrypted_key = client_dh_encrypt(&gate, b"wrong-key-padded-to-32-bytes!!!!").await; let response = gate.ask(encrypted_key).await; assert!(matches!( diff --git a/server/crates/arbiter-server/tests/vault/concurrency.rs b/server/crates/arbiter-server/tests/vault/concurrency.rs index ee84f4a..48d9a34 100644 --- a/server/crates/arbiter-server/tests/vault/concurrency.rs +++ b/server/crates/arbiter-server/tests/vault/concurrency.rs @@ -166,7 +166,7 @@ async fn decrypt_roundtrip_after_high_concurrency() { .await .unwrap(); decryptor - .try_unseal(SafeCell::new(b"test-seal-key".to_vec())) + .try_unseal(SafeCell::new([0u8; 32].to_vec())) .await .unwrap(); diff --git a/server/crates/arbiter-server/tests/vault/lifecycle.rs b/server/crates/arbiter-server/tests/vault/lifecycle.rs index 25017c4..1f3dc38 100644 --- a/server/crates/arbiter-server/tests/vault/lifecycle.rs +++ b/server/crates/arbiter-server/tests/vault/lifecycle.rs @@ -20,7 +20,7 @@ async fn test_bootstrap() { .await .unwrap(); - let seal_key = SafeCell::new(b"test-seal-key".to_vec()); + let seal_key = SafeCell::new([0u8; 32].to_vec()); actor.bootstrap(seal_key).await.unwrap(); let mut conn = db.get().await.unwrap(); @@ -43,7 +43,7 @@ async fn test_bootstrap_rejects_double() { let db = db::create_test_pool().await; let mut actor = common::bootstrapped_vault(&db).await; - let seal_key2 = SafeCell::new(b"test-seal-key".to_vec()); + let seal_key2 = SafeCell::new([0u8; 32].to_vec()); let err = actor.bootstrap(seal_key2).await.unwrap_err(); assert!(matches!(err, Error::AlreadyBootstrapped)); } @@ -105,7 +105,7 @@ async fn test_unseal_correct_password() { let mut actor = Vault::new(db.clone(), GlobalActors::spawn_message_bus()) .await .unwrap(); - let seal_key = SafeCell::new(b"test-seal-key".to_vec()); + let seal_key = SafeCell::new([0u8; 32].to_vec()); actor.try_unseal(seal_key).await.unwrap(); let mut decrypted = actor.decrypt(aead_id).await.unwrap(); @@ -129,11 +129,11 @@ async fn test_unseal_wrong_then_correct_password() { .await .unwrap(); - let bad_key = SafeCell::new(b"wrong-password".to_vec()); + let bad_key = SafeCell::new([1u8; 32].to_vec()); let err = actor.try_unseal(bad_key).await.unwrap_err(); assert!(matches!(err, Error::InvalidKey)); - let good_key = SafeCell::new(b"test-seal-key".to_vec()); + let good_key = SafeCell::new([0u8; 32].to_vec()); actor.try_unseal(good_key).await.unwrap(); let mut decrypted = actor.decrypt(aead_id).await.unwrap();