fix(server::tests): tighten unseal test seal_key params to &[u8; 32]

2026-06-12 21:11:48 +02:00
parent 0d364d1951
commit a3b98ca024
7 changed files with 21 additions and 21 deletions
--- a/server/crates/arbiter-server/src/crypto/integrity/v1.rs
+++ b/server/crates/arbiter-server/src/crypto/integrity/v1.rs
@@ -235,7 +235,7 @@ mod tests {
        );
        actor
            .ask(Bootstrap {
-                seal_key_raw: SafeCell::new(b"integrity-test-seal-key".to_vec()),
+                seal_key_raw: SafeCell::new([0u8; 32].to_vec()),
            })
            .await
            .unwrap();
--- a/server/crates/arbiter-server/tests/client/auth.rs
+++ b/server/crates/arbiter-server/tests/client/auth.rs
@@ -100,7 +100,7 @@ async fn spawn_test_actors(db: &db::DatabasePool) -> GlobalActors {
    actors
        .vault
        .ask(Bootstrap {
-            seal_key_raw: SafeCell::new(b"test-seal-key".to_vec()),
+            seal_key_raw: SafeCell::new([0u8; 32].to_vec()),
        })
        .await
        .unwrap();
--- a/server/crates/arbiter-server/tests/common/mod.rs
+++ b/server/crates/arbiter-server/tests/common/mod.rs
@@ -19,7 +19,7 @@ pub(crate) async fn bootstrapped_vault(db: &db::DatabasePool) -> Vault {
        .await
        .unwrap();
    actor
-        .bootstrap(SafeCell::new(b"test-seal-key".to_vec()))
+        .bootstrap(SafeCell::new([0u8; 32].to_vec()))
        .await
        .unwrap();
    actor
--- a/server/crates/arbiter-server/tests/operator/auth.rs
+++ b/server/crates/arbiter-server/tests/operator/auth.rs
@@ -157,7 +157,7 @@ pub async fn bootstrap_token_auth() {
    actors
        .vault
        .ask(Bootstrap {
-            seal_key_raw: SafeCell::new(b"test-seal-key".to_vec()),
+            seal_key_raw: SafeCell::new([0u8; 32].to_vec()),
        })
        .await
        .unwrap();
@@ -275,7 +275,7 @@ pub async fn challenge_auth() {
    actors
        .vault
        .ask(Bootstrap {
-            seal_key_raw: SafeCell::new(b"test-seal-key".to_vec()),
+            seal_key_raw: SafeCell::new([0u8; 32].to_vec()),
        })
        .await
        .unwrap();
@@ -361,7 +361,7 @@ pub async fn challenge_auth_rejects_integrity_tag_mismatch_when_unsealed() {
    actors
        .vault
        .ask(Bootstrap {
-            seal_key_raw: SafeCell::new(b"test-seal-key".to_vec()),
+            seal_key_raw: SafeCell::new([0u8; 32].to_vec()),
        })
        .await
        .unwrap();
@@ -434,7 +434,7 @@ pub async fn challenge_auth_rejects_invalid_signature() {
    actors
        .vault
        .ask(Bootstrap {
-            seal_key_raw: SafeCell::new(b"test-seal-key".to_vec()),
+            seal_key_raw: SafeCell::new([0u8; 32].to_vec()),
        })
        .await
        .unwrap();
--- a/server/crates/arbiter-server/tests/operator/unseal.rs
+++ b/server/crates/arbiter-server/tests/operator/unseal.rs
@@ -22,7 +22,7 @@ use tokio::sync::oneshot;
 use x25519_dalek::{EphemeralSecret, PublicKey};

 async fn setup_sealed_gate(
-    seal_key: &[u8],
+    seal_key: &[u8; 32],
 ) -> (
    db::DatabasePool,
    kameo::actor::ActorRef<VaultGate>,
@@ -50,7 +50,7 @@ async fn setup_sealed_gate(

 async fn client_dh_encrypt(
    gate: &kameo::actor::ActorRef<VaultGate>,
-    key_to_send: &[u8],
+    key_to_send: &[u8; 32],
 ) -> HandleUnsealEncryptedKey {
    let client_secret = EphemeralSecret::random();
    let client_public = PublicKey::from(&client_secret);
@@ -83,7 +83,7 @@ async fn client_dh_encrypt(
 #[tokio::test]
 #[test_log::test]
 pub async fn unseal_success() {
-    let seal_key = b"test-seal-key";
+    let seal_key = b"test-seal-key-padded-to-32bytes!";
    let (_db, gate, _promotion_rx) = setup_sealed_gate(seal_key).await;

    let encrypted_key = client_dh_encrypt(&gate, seal_key).await;
@@ -95,10 +95,10 @@ pub async fn unseal_success() {
 #[tokio::test]
 #[test_log::test]
 pub async fn unseal_wrong_seal_key() {
-    let seal_key = b"test-seal-key";
+    let seal_key = b"test-seal-key-padded-to-32bytes!";
    let (_db, gate, _promotion_rx) = setup_sealed_gate(seal_key).await;

-    let encrypted_key = client_dh_encrypt(&gate, b"wrong-key").await;
+    let encrypted_key = client_dh_encrypt(&gate, b"wrong-key-padded-to-32-bytes!!!!").await;

    let response = gate.ask(encrypted_key).await;
    assert!(matches!(
@@ -112,7 +112,7 @@ pub async fn unseal_wrong_seal_key() {
 #[tokio::test]
 #[test_log::test]
 pub async fn unseal_corrupted_ciphertext() {
-    let seal_key = b"test-seal-key";
+    let seal_key = b"test-seal-key-padded-to-32bytes!";
    let (_db, gate, _promotion_rx) = setup_sealed_gate(seal_key).await;

    let client_secret = EphemeralSecret::random();
@@ -143,11 +143,11 @@ pub async fn unseal_corrupted_ciphertext() {
 #[tokio::test]
 #[test_log::test]
 pub async fn unseal_retry_after_invalid_key() {
-    let seal_key = b"real-seal-key";
+    let seal_key = b"real-seal-key-padded-to-32bytes!";
    let (_db, gate, _promotion_rx) = setup_sealed_gate(seal_key).await;

    {
-        let encrypted_key = client_dh_encrypt(&gate, b"wrong-key").await;
+        let encrypted_key = client_dh_encrypt(&gate, b"wrong-key-padded-to-32-bytes!!!!").await;

        let response = gate.ask(encrypted_key).await;
        assert!(matches!(
--- a/server/crates/arbiter-server/tests/vault/concurrency.rs
+++ b/server/crates/arbiter-server/tests/vault/concurrency.rs
@@ -166,7 +166,7 @@ async fn decrypt_roundtrip_after_high_concurrency() {
        .await
        .unwrap();
    decryptor
-        .try_unseal(SafeCell::new(b"test-seal-key".to_vec()))
+        .try_unseal(SafeCell::new([0u8; 32].to_vec()))
        .await
        .unwrap();

--- a/server/crates/arbiter-server/tests/vault/lifecycle.rs
+++ b/server/crates/arbiter-server/tests/vault/lifecycle.rs
@@ -20,7 +20,7 @@ async fn test_bootstrap() {
        .await
        .unwrap();

-    let seal_key = SafeCell::new(b"test-seal-key".to_vec());
+    let seal_key = SafeCell::new([0u8; 32].to_vec());
    actor.bootstrap(seal_key).await.unwrap();

    let mut conn = db.get().await.unwrap();
@@ -43,7 +43,7 @@ async fn test_bootstrap_rejects_double() {
    let db = db::create_test_pool().await;
    let mut actor = common::bootstrapped_vault(&db).await;

-    let seal_key2 = SafeCell::new(b"test-seal-key".to_vec());
+    let seal_key2 = SafeCell::new([0u8; 32].to_vec());
    let err = actor.bootstrap(seal_key2).await.unwrap_err();
    assert!(matches!(err, Error::AlreadyBootstrapped));
 }
@@ -105,7 +105,7 @@ async fn test_unseal_correct_password() {
    let mut actor = Vault::new(db.clone(), GlobalActors::spawn_message_bus())
        .await
        .unwrap();
-    let seal_key = SafeCell::new(b"test-seal-key".to_vec());
+    let seal_key = SafeCell::new([0u8; 32].to_vec());
    actor.try_unseal(seal_key).await.unwrap();

    let mut decrypted = actor.decrypt(aead_id).await.unwrap();
@@ -129,11 +129,11 @@ async fn test_unseal_wrong_then_correct_password() {
        .await
        .unwrap();

-    let bad_key = SafeCell::new(b"wrong-password".to_vec());
+    let bad_key = SafeCell::new([1u8; 32].to_vec());
    let err = actor.try_unseal(bad_key).await.unwrap_err();
    assert!(matches!(err, Error::InvalidKey));

-    let good_key = SafeCell::new(b"test-seal-key".to_vec());
+    let good_key = SafeCell::new([0u8; 32].to_vec());
    actor.try_unseal(good_key).await.unwrap();

    let mut decrypted = actor.decrypt(aead_id).await.unwrap();