Merge pull request 'security(server): bind grant revocation state (revoked_at) to integrity hash' (#83 ) from security-hash-revoke_at into main

Reviewed-on: #83
fix: lints
2026-06-11 09:44:28 +00:00 · 2026-06-09 21:07:01 +02:00
10 changed files with 18 additions and 21 deletions
--- a/server/crates/arbiter-client/src/auth.rs
+++ b/server/crates/arbiter-client/src/auth.rs
@@ -100,7 +100,7 @@ async fn send_auth_challenge_solution(
    key: &SigningKey,
    challenge: AuthChallenge,
 ) -> Result<(), AuthError> {
-    let timestamp = DateTime::from_timestamp_nanos(challenge.timestamp_nanos as i64);
+    let timestamp = DateTime::from_timestamp_nanos(challenge.timestamp_nanos.cast_signed());
    let challenge = authn::AuthChallenge {
        nonce: *challenge
            .random
--- a/server/crates/arbiter-server/src/grpc/client/auth.rs
+++ b/server/crates/arbiter-server/src/grpc/client/auth.rs
@@ -200,7 +200,7 @@ impl Convert for auth::Outbound {
                        .timestamp
                        .timestamp_nanos_opt()
                        .expect("timestamp within range")
-                        as u64,
+                        .cast_unsigned(),
                    random: challenge.nonce.to_vec(),
                })
            }
--- a/server/crates/arbiter-server/src/grpc/operator/auth.rs
+++ b/server/crates/arbiter-server/src/grpc/operator/auth.rs
@@ -80,7 +80,7 @@ impl Sender<Result<auth::Outbound, auth::Error>> for AuthTransportAdapter<'_> {
                        .timestamp
                        .timestamp_nanos_opt()
                        .expect("timestamp within range")
-                        as u64,
+                        .cast_unsigned(),
                    random: challenge.nonce.to_vec(),
                })
            }
--- a/server/crates/arbiter-server/src/peers/client/auth.rs
+++ b/server/crates/arbiter-server/src/peers/client/auth.rs
@@ -298,7 +298,7 @@ where
    let signature = expect_message(transport, |req: Inbound| match req {
        Inbound::AuthChallengeSolution { signature } => Some(signature),
-        _ => None,
+        Inbound::AuthChallengeRequest { .. } => None,
    })
    .await
    .map_err(|e| {
--- a/server/crates/arbiter-server/src/peers/operator/auth/state.rs
+++ b/server/crates/arbiter-server/src/peers/operator/auth/state.rs
@@ -127,8 +127,6 @@ where
        })
    }
    #[allow(missing_docs)]
    #[allow(clippy::unused_unit)]
    async fn verify_solution(
        &mut self,
        ChallengeContext {
--- a/server/crates/arbiter-server/src/peers/operator/session/handlers.rs
+++ b/server/crates/arbiter-server/src/peers/operator/session/handlers.rs
@@ -212,8 +212,7 @@ impl OperatorSession {
        &mut self,
    ) -> Result<Vec<EvmWalletAccess>, Error> {
        let mut conn = self.props.db.get().await?;
-        use crate::db::schema::evm_wallet_access;
+        let access_entries = crate::db::schema::evm_wallet_access::table
        let access_entries = evm_wallet_access::table
            .select(EvmWalletAccess::as_select())
            .load::<_>(&mut conn)
            .await?;
--- a/server/crates/arbiter-server/src/peers/operator/session/mod.rs
+++ b/server/crates/arbiter-server/src/peers/operator/session/mod.rs
@@ -63,7 +63,7 @@ impl OperatorSession {
        Self {
            props,
            sender,
-            pending_client_approvals: Default::default(),
+            pending_client_approvals: HashMap::default(),
        }
    }
 }
--- a/server/crates/arbiter-server/tests/operator/auth.rs
+++ b/server/crates/arbiter-server/tests/operator/auth.rs
@@ -400,7 +400,7 @@ pub async fn challenge_auth_rejects_integrity_tag_mismatch_when_unsealed() {
    let challenge = match response {
        Ok(resp) => match resp {
            auth::Outbound::AuthChallenge { challenge } => challenge,
-            other => panic!("Expected AuthChallenge, got {other:?}"),
+            other @ auth::Outbound::AuthSuccess => panic!("Expected AuthChallenge, got {other:?}"),
        },
        Err(err) => panic!("Expected Ok response, got Err({err:?})"),
    };
--- a/server/crates/arbiter-server/tests/vault/lifecycle.rs
+++ b/server/crates/arbiter-server/tests/vault/lifecycle.rs
@@ -14,7 +14,7 @@ use diesel_async::RunQueryDsl;
 #[tokio::test]
 #[test_log::test]
-async fn test_bootstrap() {
+async fn bootstrap() {
    let db = db::create_test_pool().await;
    let mut actor = Vault::new(db.clone(), GlobalActors::spawn_message_bus())
        .await
@@ -39,7 +39,7 @@ async fn test_bootstrap() {
 #[tokio::test]
 #[test_log::test]
-async fn test_bootstrap_rejects_double() {
+async fn bootstrap_rejects_double() {
    let db = db::create_test_pool().await;
    let mut actor = common::bootstrapped_vault(&db).await;
@@ -50,7 +50,7 @@ async fn test_bootstrap_rejects_double() {
 #[tokio::test]
 #[test_log::test]
-async fn test_create_new_before_bootstrap_fails() {
+async fn create_new_before_bootstrap_fails() {
    let db = db::create_test_pool().await;
    let mut actor = Vault::new(db, GlobalActors::spawn_message_bus())
        .await
@@ -65,7 +65,7 @@ async fn test_create_new_before_bootstrap_fails() {
 #[tokio::test]
 #[test_log::test]
-async fn test_decrypt_before_bootstrap_fails() {
+async fn decrypt_before_bootstrap_fails() {
    let db = db::create_test_pool().await;
    let mut actor = Vault::new(db, GlobalActors::spawn_message_bus())
        .await
@@ -77,7 +77,7 @@ async fn test_decrypt_before_bootstrap_fails() {
 #[tokio::test]
 #[test_log::test]
-async fn test_new_restores_sealed_state() {
+async fn new_restores_sealed_state() {
    let db = db::create_test_pool().await;
    let actor = common::bootstrapped_vault(&db).await;
    drop(actor);
@@ -91,7 +91,7 @@ async fn test_new_restores_sealed_state() {
 #[tokio::test]
 #[test_log::test]
-async fn test_unseal_correct_password() {
+async fn unseal_correct_password() {
    let db = db::create_test_pool().await;
    let mut actor = common::bootstrapped_vault(&db).await;
@@ -114,7 +114,7 @@ async fn test_unseal_correct_password() {
 #[tokio::test]
 #[test_log::test]
-async fn test_unseal_wrong_then_correct_password() {
+async fn unseal_wrong_then_correct_password() {
    let db = db::create_test_pool().await;
    let mut actor = common::bootstrapped_vault(&db).await;
--- a/server/crates/arbiter-server/tests/vault/storage.rs
+++ b/server/crates/arbiter-server/tests/vault/storage.rs
@@ -12,7 +12,7 @@ use std::collections::HashSet;
 #[tokio::test]
 #[test_log::test]
-async fn test_create_decrypt_roundtrip() {
+async fn create_decrypt_roundtrip() {
    let db = db::create_test_pool().await;
    let mut actor = common::bootstrapped_vault(&db).await;
@@ -28,7 +28,7 @@ async fn test_create_decrypt_roundtrip() {
 #[tokio::test]
 #[test_log::test]
-async fn test_decrypt_nonexistent_returns_not_found() {
+async fn decrypt_nonexistent_returns_not_found() {
    let db = db::create_test_pool().await;
    let mut actor = common::bootstrapped_vault(&db).await;
@@ -38,7 +38,7 @@ async fn test_decrypt_nonexistent_returns_not_found() {
 #[tokio::test]
 #[test_log::test]
-async fn test_ciphertext_differs_across_entries() {
+async fn ciphertext_differs_across_entries() {
    let db = db::create_test_pool().await;
    let mut actor = common::bootstrapped_vault(&db).await;
@@ -76,7 +76,7 @@ async fn test_ciphertext_differs_across_entries() {
 #[tokio::test]
 #[test_log::test]
-async fn test_nonce_never_reused() {
+async fn nonce_never_reused() {
    let db = db::create_test_pool().await;
    let mut actor = common::bootstrapped_vault(&db).await;
Author	SHA1	Message	Date
Stas	a8e4a710f1	Merge pull request 'security(server): bind grant revocation state (revoked_at) to integrity hash' (#83 ) from security-hash-revoke_at into main Some checks failed ci/woodpecker/push/server-audit Pipeline was successful Details ci/woodpecker/push/server-vet Pipeline failed Details ci/woodpecker/push/server-lint Pipeline was successful Details ci/woodpecker/push/server-test Pipeline was successful Details ci/woodpecker/push/useragent-analyze Pipeline failed Details Reviewed-on: #83	2026-06-11 09:44:28 +00:00
CleverWild	d99c87c473	fix: lints Some checks failed ci/woodpecker/pr/server-audit Pipeline was successful Details ci/woodpecker/pr/server-vet Pipeline failed Details ci/woodpecker/pr/server-lint Pipeline was successful Details ci/woodpecker/pr/server-test Pipeline was successful Details	2026-06-09 21:07:01 +02:00