Compare commits
11 Commits
f074a4f00b
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| a8e4a710f1 | |||
|
d99c87c473 | ||
|
|
303120c9ac | ||
|
|
32f317384d | ||
|
|
4bb2c062dc | ||
|
|
b0a3f37cea | ||
|
|
58a72da46c | ||
|
|
e287459b10 | ||
|
|
3c482da917 | ||
|
3f801abdff | ||
|
|
5a34463228 |
@@ -22,5 +22,3 @@ run = '''
|
|||||||
dart pub global activate protoc_plugin && \
|
dart pub global activate protoc_plugin && \
|
||||||
protoc --dart_out=grpc:useragent/lib/proto --proto_path=protobufs/ $(find protobufs -name '*.proto' | sort)
|
protoc --dart_out=grpc:useragent/lib/proto --proto_path=protobufs/ $(find protobufs -name '*.proto' | sort)
|
||||||
'''
|
'''
|
||||||
|
|
||||||
[tasks.generate_schema]
|
|
||||||
|
|||||||
446
server/Cargo.lock
generated
446
server/Cargo.lock
generated
File diff suppressed because it is too large
Load Diff
@@ -6,7 +6,7 @@ resolver = "3"
|
|||||||
|
|
||||||
|
|
||||||
[workspace.dependencies]
|
[workspace.dependencies]
|
||||||
alloy = "2.0.0"
|
alloy = "2.0.4"
|
||||||
async-trait = "0.1.89"
|
async-trait = "0.1.89"
|
||||||
base64 = "0.22.1"
|
base64 = "0.22.1"
|
||||||
chrono = { version = "0.4.44", features = ["serde"] }
|
chrono = { version = "0.4.44", features = ["serde"] }
|
||||||
@@ -16,15 +16,15 @@ kameo = {git = "https://github.com/hdbg/kameo.git", rev = "805b417"}
|
|||||||
kameo_actors = {git = "https://github.com/hdbg/kameo.git", rev = "805b417"}
|
kameo_actors = {git = "https://github.com/hdbg/kameo.git", rev = "805b417"}
|
||||||
hmac = "0.13.0"
|
hmac = "0.13.0"
|
||||||
miette = { version = "7.6.0", features = ["fancy", "serde"] }
|
miette = { version = "7.6.0", features = ["fancy", "serde"] }
|
||||||
ml-dsa = { version = "0.1.0-rc.8", features = ["zeroize"] }
|
ml-dsa = { version = "0.1.0-rc.9", features = ["zeroize"] }
|
||||||
mutants = "0.0.4"
|
mutants = "0.0.4"
|
||||||
prost = "0.14.3"
|
prost = "0.14.3"
|
||||||
prost-types = { version = "0.14.3", features = ["chrono"] }
|
prost-types = { version = "0.14.3", features = ["chrono"] }
|
||||||
rand = "0.10.1"
|
rand = "0.10.1"
|
||||||
rcgen = { version = "0.14.7", features = [ "aws_lc_rs", "pem", "x509-parser", "zeroize" ], default-features = false }
|
rcgen = { version = "0.14.7", features = [ "aws_lc_rs", "pem", "x509-parser", "zeroize" ], default-features = false }
|
||||||
rstest = "0.26.1"
|
rstest = "0.26.1"
|
||||||
rustls = { version = "0.23.38", features = ["aws-lc-rs", "logging", "prefer-post-quantum", "std"], default-features = false }
|
rustls = { version = "0.23.40", features = ["aws-lc-rs", "logging", "prefer-post-quantum", "std"], default-features = false }
|
||||||
rustls-pki-types = "1.14.0"
|
rustls-pki-types = "1.14.1"
|
||||||
sha2 = "0.11"
|
sha2 = "0.11"
|
||||||
smlang = "0.8.0"
|
smlang = "0.8.0"
|
||||||
thiserror = "2.0.18"
|
thiserror = "2.0.18"
|
||||||
@@ -76,6 +76,7 @@ needless_pass_by_ref_mut = "allow"
|
|||||||
pub_underscore_fields = "allow"
|
pub_underscore_fields = "allow"
|
||||||
redundant_pub_crate = "allow"
|
redundant_pub_crate = "allow"
|
||||||
uninhabited_references = "allow" # safe with unsafe_code = "forbid" and standard uninhabited pattern (match *self {})
|
uninhabited_references = "allow" # safe with unsafe_code = "forbid" and standard uninhabited pattern (match *self {})
|
||||||
|
too-many-lines = "allow" # this is a very common pattern in server code, and it's not always possible to break it down into smaller modules without hurting readability
|
||||||
|
|
||||||
# restriction lints
|
# restriction lints
|
||||||
alloc_instead_of_core = "warn"
|
alloc_instead_of_core = "warn"
|
||||||
|
|||||||
@@ -21,7 +21,7 @@ tokio.workspace = true
|
|||||||
tokio-stream.workspace = true
|
tokio-stream.workspace = true
|
||||||
thiserror.workspace = true
|
thiserror.workspace = true
|
||||||
http = "1.4.0"
|
http = "1.4.0"
|
||||||
rustls-webpki = { version = "0.103.12", features = ["aws-lc-rs"] }
|
rustls-webpki = { version = "0.103.13", features = ["aws-lc-rs"] }
|
||||||
async-trait.workspace = true
|
async-trait.workspace = true
|
||||||
chrono.workspace = true
|
chrono.workspace = true
|
||||||
|
|
||||||
|
|||||||
@@ -100,7 +100,7 @@ async fn send_auth_challenge_solution(
|
|||||||
key: &SigningKey,
|
key: &SigningKey,
|
||||||
challenge: AuthChallenge,
|
challenge: AuthChallenge,
|
||||||
) -> Result<(), AuthError> {
|
) -> Result<(), AuthError> {
|
||||||
let timestamp = DateTime::from_timestamp_nanos(challenge.timestamp_nanos as i64);
|
let timestamp = DateTime::from_timestamp_nanos(challenge.timestamp_nanos.cast_signed());
|
||||||
let challenge = authn::AuthChallenge {
|
let challenge = authn::AuthChallenge {
|
||||||
nonce: *challenge
|
nonce: *challenge
|
||||||
.random
|
.random
|
||||||
|
|||||||
@@ -9,8 +9,8 @@ license = "Apache-2.0"
|
|||||||
workspace = true
|
workspace = true
|
||||||
|
|
||||||
[dependencies]
|
[dependencies]
|
||||||
diesel = { version = "2.3.7", features = ["chrono", "returning_clauses_for_sqlite_3_35", "serde_json", "time", "uuid"] }
|
diesel = { version = "2.3.9", features = ["chrono", "returning_clauses_for_sqlite_3_35", "serde_json", "time", "uuid"] }
|
||||||
diesel-async = { version = "0.8.0", features = [
|
diesel-async = { version = "0.9.0", features = [
|
||||||
"bb8",
|
"bb8",
|
||||||
"migrations",
|
"migrations",
|
||||||
"sqlite",
|
"sqlite",
|
||||||
@@ -27,7 +27,7 @@ tokio.workspace = true
|
|||||||
rustls.workspace = true
|
rustls.workspace = true
|
||||||
smlang.workspace = true
|
smlang.workspace = true
|
||||||
thiserror.workspace = true
|
thiserror.workspace = true
|
||||||
diesel_migrations = { version = "2.3.1", features = ["sqlite"] }
|
diesel_migrations = { version = "2.3.2", features = ["sqlite"] }
|
||||||
async-trait.workspace = true
|
async-trait.workspace = true
|
||||||
tokio-stream.workspace = true
|
tokio-stream.workspace = true
|
||||||
rand.workspace = true
|
rand.workspace = true
|
||||||
@@ -50,7 +50,6 @@ subtle = "2.6.1"
|
|||||||
x25519-dalek.workspace = true
|
x25519-dalek.workspace = true
|
||||||
k256.workspace = true
|
k256.workspace = true
|
||||||
kameo_actors.workspace = true
|
kameo_actors.workspace = true
|
||||||
blahaj = "0.6.0"
|
|
||||||
|
|
||||||
[dev-dependencies]
|
[dev-dependencies]
|
||||||
proptest = "1.11.0"
|
proptest = "1.11.0"
|
||||||
|
|||||||
@@ -43,24 +43,13 @@ create table if not exists arbiter_settings (
|
|||||||
insert into arbiter_settings (id) values (1) on conflict do nothing;
|
insert into arbiter_settings (id) values (1) on conflict do nothing;
|
||||||
-- ensure singleton row exists
|
-- ensure singleton row exists
|
||||||
|
|
||||||
create table if not exists operator_identity (
|
create table if not exists operator_client (
|
||||||
id integer not null primary key,
|
id integer not null primary key,
|
||||||
public_key blob not null,
|
public_key blob not null,
|
||||||
created_at integer not null default(unixepoch ('now')),
|
created_at integer not null default(unixepoch ('now')),
|
||||||
updated_at integer not null default(unixepoch ('now'))
|
updated_at integer not null default(unixepoch ('now'))
|
||||||
) STRICT;
|
) STRICT;
|
||||||
create unique index if not exists uniq_operator_client_public_key on operator_identity (public_key);
|
create unique index if not exists uniq_operator_client_public_key on operator_client (public_key);
|
||||||
|
|
||||||
create table if not exists operator (
|
|
||||||
id integer primary key references operator_identity(id) on delete restrict, -- same id as operator_identity
|
|
||||||
|
|
||||||
share blob not null,
|
|
||||||
share_nonce blob not null,
|
|
||||||
|
|
||||||
created_at integer not null default(unixepoch ('now')),
|
|
||||||
updated_at integer not null default(unixepoch ('now'))
|
|
||||||
|
|
||||||
) STRICT;
|
|
||||||
|
|
||||||
create table if not exists client_metadata (
|
create table if not exists client_metadata (
|
||||||
id integer not null primary key,
|
id integer not null primary key,
|
||||||
|
|||||||
@@ -48,7 +48,7 @@ impl Bootstrapper {
|
|||||||
let row_count: i64 = {
|
let row_count: i64 = {
|
||||||
let mut conn = db.get().await?;
|
let mut conn = db.get().await?;
|
||||||
|
|
||||||
schema::operator_identity::table
|
schema::operator_client::table
|
||||||
.count()
|
.count()
|
||||||
.get_result(&mut conn)
|
.get_result(&mut conn)
|
||||||
.await?
|
.await?
|
||||||
|
|||||||
@@ -3,7 +3,7 @@ use crate::{
|
|||||||
crypto::integrity,
|
crypto::integrity,
|
||||||
db::{
|
db::{
|
||||||
DatabaseError, DatabasePool,
|
DatabaseError, DatabasePool,
|
||||||
models::{self, EvmWalletId},
|
models::{self},
|
||||||
schema,
|
schema,
|
||||||
},
|
},
|
||||||
evm::{
|
evm::{
|
||||||
@@ -116,7 +116,7 @@ impl EvmActor {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#[message]
|
#[message]
|
||||||
pub async fn list_wallets(&self) -> Result<Vec<(EvmWalletId, Address)>, Error> {
|
pub async fn list_wallets(&self) -> Result<Vec<(i32, Address)>, Error> {
|
||||||
let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
|
let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
|
||||||
let rows: Vec<models::EvmWallet> = schema::evm_wallet::table
|
let rows: Vec<models::EvmWallet> = schema::evm_wallet::table
|
||||||
.select(models::EvmWallet::as_select())
|
.select(models::EvmWallet::as_select())
|
||||||
@@ -160,29 +160,14 @@ impl EvmActor {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#[message]
|
#[message]
|
||||||
#[expect(clippy::unused_async, reason = "reserved for impl")]
|
pub async fn useragent_delete_grant(
|
||||||
pub async fn operator_delete_grant(&mut self, _grant_id: i32) -> Result<(), Error> {
|
&mut self,
|
||||||
// let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
|
grant_id: i32,
|
||||||
// let vault = self.vault.clone();
|
) -> Result<(), Error> {
|
||||||
|
self.engine
|
||||||
// diesel_async::AsyncConnection::transaction(&mut conn, |conn| {
|
.revoke_grant(grant_id)
|
||||||
// Box::pin(async move {
|
.await
|
||||||
// diesel::update(schema::evm_basic_grant::table)
|
.map_err(Error::from)
|
||||||
// .filter(schema::evm_basic_grant::id.eq(grant_id))
|
|
||||||
// .set(schema::evm_basic_grant::revoked_at.eq(SqliteTimestamp::now()))
|
|
||||||
// .execute(conn)
|
|
||||||
// .await?;
|
|
||||||
|
|
||||||
// let signed = integrity::evm::load_signed_grant_by_basic_id(conn, grant_id).await?;
|
|
||||||
|
|
||||||
// diesel::result::QueryResult::Ok(())
|
|
||||||
// })
|
|
||||||
// })
|
|
||||||
// .await
|
|
||||||
// .map_err(DatabaseError::from)?;
|
|
||||||
|
|
||||||
// Ok(())
|
|
||||||
todo!()
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#[message]
|
#[message]
|
||||||
|
|||||||
@@ -6,7 +6,7 @@ use crate::{
|
|||||||
},
|
},
|
||||||
db::{
|
db::{
|
||||||
self,
|
self,
|
||||||
models::{self, RootKeyHistory, RootKeyHistoryId},
|
models::{self, RootKeyHistory},
|
||||||
schema::{self},
|
schema::{self},
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
@@ -25,6 +25,7 @@ use strum::{EnumDiscriminants, IntoDiscriminant};
|
|||||||
use tracing::{error, info};
|
use tracing::{error, info};
|
||||||
|
|
||||||
pub mod events {
|
pub mod events {
|
||||||
|
|
||||||
#[derive(Clone, Copy)]
|
#[derive(Clone, Copy)]
|
||||||
pub struct Bootstrapped;
|
pub struct Bootstrapped;
|
||||||
|
|
||||||
@@ -63,7 +64,7 @@ pub enum Error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
struct Unsealed {
|
struct Unsealed {
|
||||||
root_key_history_id: RootKeyHistoryId,
|
root_key_history_id: i32,
|
||||||
root_key: KeyCell,
|
root_key: KeyCell,
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -72,9 +73,8 @@ struct Unsealed {
|
|||||||
enum State {
|
enum State {
|
||||||
#[default]
|
#[default]
|
||||||
Unbootstrapped,
|
Unbootstrapped,
|
||||||
|
|
||||||
Sealed {
|
Sealed {
|
||||||
root_key_history_id: RootKeyHistoryId,
|
root_key_history_id: i32,
|
||||||
},
|
},
|
||||||
Unsealed(Unsealed),
|
Unsealed(Unsealed),
|
||||||
}
|
}
|
||||||
@@ -115,38 +115,33 @@ impl Vault {
|
|||||||
|
|
||||||
// Exclusive transaction to avoid race condtions if multiple vaults write
|
// Exclusive transaction to avoid race condtions if multiple vaults write
|
||||||
// additional layer of protection against nonce-reuse
|
// additional layer of protection against nonce-reuse
|
||||||
async fn get_new_nonce(
|
async fn get_new_nonce(pool: &db::DatabasePool, root_key_id: i32) -> Result<Nonce, Error> {
|
||||||
pool: &db::DatabasePool,
|
|
||||||
root_key_id: RootKeyHistoryId,
|
|
||||||
) -> Result<Nonce, Error> {
|
|
||||||
let mut conn = pool.get().await?;
|
let mut conn = pool.get().await?;
|
||||||
|
|
||||||
let nonce = conn
|
let nonce = conn
|
||||||
.exclusive_transaction(|conn| {
|
.exclusive_transaction(async |conn| {
|
||||||
Box::pin(async move {
|
let current_nonce: Vec<u8> = schema::root_key_history::table
|
||||||
let current_nonce: Vec<u8> = schema::root_key_history::table
|
.filter(schema::root_key_history::id.eq(root_key_id))
|
||||||
.filter(schema::root_key_history::id.eq(root_key_id))
|
.select(schema::root_key_history::data_encryption_nonce)
|
||||||
.select(schema::root_key_history::data_encryption_nonce)
|
.first(&mut *conn)
|
||||||
.first(conn)
|
.await?;
|
||||||
.await?;
|
|
||||||
|
|
||||||
let mut nonce = Nonce::try_from(current_nonce.as_slice()).map_err(|()| {
|
let mut nonce = Nonce::try_from(current_nonce.as_slice()).map_err(|()| {
|
||||||
error!(
|
error!(
|
||||||
"Broken database: invalid nonce for root key history id={:#?}",
|
"Broken database: invalid nonce for root key history id={}",
|
||||||
root_key_id
|
root_key_id
|
||||||
);
|
);
|
||||||
Error::BrokenDatabase
|
Error::BrokenDatabase
|
||||||
})?;
|
})?;
|
||||||
nonce.increment();
|
nonce.increment();
|
||||||
|
|
||||||
update(schema::root_key_history::table)
|
update(schema::root_key_history::table)
|
||||||
.filter(schema::root_key_history::id.eq(root_key_id))
|
.filter(schema::root_key_history::id.eq(root_key_id))
|
||||||
.set(schema::root_key_history::data_encryption_nonce.eq(nonce.to_vec()))
|
.set(schema::root_key_history::data_encryption_nonce.eq(nonce.to_vec()))
|
||||||
.execute(conn)
|
.execute(&mut *conn)
|
||||||
.await?;
|
.await?;
|
||||||
|
|
||||||
Result::<_, Error>::Ok(nonce)
|
Result::<_, Error>::Ok(nonce)
|
||||||
})
|
|
||||||
})
|
})
|
||||||
.await?;
|
.await?;
|
||||||
|
|
||||||
@@ -188,29 +183,26 @@ impl Vault {
|
|||||||
|
|
||||||
let data_encryption_nonce_bytes = data_encryption_nonce.to_vec();
|
let data_encryption_nonce_bytes = data_encryption_nonce.to_vec();
|
||||||
let root_key_history_id = conn
|
let root_key_history_id = conn
|
||||||
.transaction(|conn| {
|
.transaction(async |conn| {
|
||||||
Box::pin(async move {
|
let root_key_history_id: i32 = insert_into(schema::root_key_history::table)
|
||||||
let root_key_history_id: RootKeyHistoryId =
|
.values(&models::NewRootKeyHistory {
|
||||||
insert_into(schema::root_key_history::table)
|
ciphertext: root_key_ciphertext.clone(),
|
||||||
.values(&models::NewRootKeyHistory {
|
tag: v1::ROOT_KEY_TAG.to_vec(),
|
||||||
ciphertext: root_key_ciphertext,
|
root_key_encryption_nonce: root_key_nonce.to_vec(),
|
||||||
tag: v1::ROOT_KEY_TAG.to_vec(),
|
data_encryption_nonce: data_encryption_nonce_bytes.clone(),
|
||||||
root_key_encryption_nonce: root_key_nonce.to_vec(),
|
schema_version: 1,
|
||||||
data_encryption_nonce: data_encryption_nonce_bytes,
|
salt: salt.to_vec(),
|
||||||
schema_version: 1,
|
})
|
||||||
salt: salt.to_vec(),
|
.returning(schema::root_key_history::id)
|
||||||
})
|
.get_result(&mut *conn)
|
||||||
.returning(schema::root_key_history::id)
|
.await?;
|
||||||
.get_result(conn)
|
|
||||||
.await?;
|
|
||||||
|
|
||||||
update(schema::arbiter_settings::table)
|
update(schema::arbiter_settings::table)
|
||||||
.set(schema::arbiter_settings::root_key_id.eq(root_key_history_id))
|
.set(schema::arbiter_settings::root_key_id.eq(root_key_history_id))
|
||||||
.execute(conn)
|
.execute(&mut *conn)
|
||||||
.await?;
|
.await?;
|
||||||
|
|
||||||
Result::<_, diesel::result::Error>::Ok(root_key_history_id)
|
Result::<_, diesel::result::Error>::Ok(root_key_history_id)
|
||||||
})
|
|
||||||
})
|
})
|
||||||
.await?;
|
.await?;
|
||||||
|
|
||||||
@@ -348,22 +340,17 @@ impl Vault {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#[message]
|
#[message]
|
||||||
pub fn sign_integrity(
|
pub fn sign_integrity(&mut self, mac_input: Vec<u8>) -> Result<(i32, Vec<u8>), Error> {
|
||||||
&mut self,
|
|
||||||
mac_input: Vec<u8>,
|
|
||||||
) -> Result<(RootKeyHistoryId, Vec<u8>), Error> {
|
|
||||||
let Unsealed {
|
let Unsealed {
|
||||||
root_key,
|
root_key,
|
||||||
root_key_history_id,
|
root_key_history_id,
|
||||||
} = Self::expect_unsealed(&mut self.state)?;
|
} = Self::expect_unsealed(&mut self.state)?;
|
||||||
|
|
||||||
let mut hmac = root_key
|
let mut hmac = root_key.0.read_inline(|k| {
|
||||||
.0
|
HmacSha256::new_from_slice(k)
|
||||||
.read_inline(|k| match HmacSha256::new_from_slice(k) {
|
.unwrap_or_else(|_| unreachable!("HMAC accepts keys of any size"))
|
||||||
Ok(v) => v,
|
});
|
||||||
Err(_) => unreachable!("HMAC accepts keys of any size"),
|
hmac.update(&root_key_history_id.to_be_bytes());
|
||||||
});
|
|
||||||
hmac.update(&root_key_history_id.to_raw().to_be_bytes());
|
|
||||||
hmac.update(&mac_input);
|
hmac.update(&mac_input);
|
||||||
|
|
||||||
let mac = hmac.finalize().into_bytes().to_vec();
|
let mac = hmac.finalize().into_bytes().to_vec();
|
||||||
@@ -375,7 +362,7 @@ impl Vault {
|
|||||||
&mut self,
|
&mut self,
|
||||||
mac_input: Vec<u8>,
|
mac_input: Vec<u8>,
|
||||||
expected_mac: Vec<u8>,
|
expected_mac: Vec<u8>,
|
||||||
key_version: RootKeyHistoryId,
|
key_version: i32,
|
||||||
) -> Result<bool, Error> {
|
) -> Result<bool, Error> {
|
||||||
let Unsealed {
|
let Unsealed {
|
||||||
root_key,
|
root_key,
|
||||||
@@ -386,13 +373,11 @@ impl Vault {
|
|||||||
return Ok(false);
|
return Ok(false);
|
||||||
}
|
}
|
||||||
|
|
||||||
let mut hmac = root_key
|
let mut hmac = root_key.0.read_inline(|k| {
|
||||||
.0
|
HmacSha256::new_from_slice(k)
|
||||||
.read_inline(|k| match HmacSha256::new_from_slice(k) {
|
.unwrap_or_else(|_| unreachable!("HMAC accepts keys of any size"))
|
||||||
Ok(v) => v,
|
});
|
||||||
Err(_) => unreachable!("HMAC accepts keys of any size"),
|
hmac.update(&key_version.to_be_bytes());
|
||||||
});
|
|
||||||
hmac.update(&key_version.to_raw().to_be_bytes());
|
|
||||||
hmac.update(&mac_input);
|
hmac.update(&mac_input);
|
||||||
|
|
||||||
Ok(hmac.verify_slice(&expected_mac).is_ok())
|
Ok(hmac.verify_slice(&expected_mac).is_ok())
|
||||||
@@ -415,7 +400,7 @@ impl Vault {
|
|||||||
|
|
||||||
#[cfg(test)]
|
#[cfg(test)]
|
||||||
mod tests {
|
mod tests {
|
||||||
use crate::{actors::GlobalActors, db::models::RootKeyHistory};
|
use crate::actors::GlobalActors;
|
||||||
use arbiter_crypto::safecell::SafeCellHandle as _;
|
use arbiter_crypto::safecell::SafeCellHandle as _;
|
||||||
|
|
||||||
use super::*;
|
use super::*;
|
||||||
@@ -434,12 +419,13 @@ mod tests {
|
|||||||
async fn nonce_monotonic_even_when_nonce_allocation_interleaves() {
|
async fn nonce_monotonic_even_when_nonce_allocation_interleaves() {
|
||||||
let db = db::create_test_pool().await;
|
let db = db::create_test_pool().await;
|
||||||
let mut actor = bootstrapped_actor(&db).await;
|
let mut actor = bootstrapped_actor(&db).await;
|
||||||
let root_key_history_id = match actor.state {
|
|
||||||
State::Unsealed(Unsealed {
|
let State::Unsealed(Unsealed {
|
||||||
root_key_history_id,
|
root_key_history_id,
|
||||||
..
|
..
|
||||||
}) => root_key_history_id,
|
}) = actor.state
|
||||||
_ => panic!("expected unsealed state"),
|
else {
|
||||||
|
panic!("expected unsealed state")
|
||||||
};
|
};
|
||||||
|
|
||||||
let n1 = Vault::get_new_nonce(&db, root_key_history_id)
|
let n1 = Vault::get_new_nonce(&db, root_key_history_id)
|
||||||
|
|||||||
@@ -174,28 +174,26 @@ impl TlsManager {
|
|||||||
|
|
||||||
{
|
{
|
||||||
let mut conn = db.get().await?;
|
let mut conn = db.get().await?;
|
||||||
conn.transaction(|conn| {
|
conn.transaction(async |conn| {
|
||||||
Box::pin(async {
|
let new_tls_history = NewTlsHistory {
|
||||||
let new_tls_history = NewTlsHistory {
|
cert: new_cert.cert.pem(),
|
||||||
cert: new_cert.cert.pem(),
|
cert_key: new_cert.cert_key.serialize_pem(),
|
||||||
cert_key: new_cert.cert_key.serialize_pem(),
|
ca_cert: encode_cert_to_pem(&ca.cert),
|
||||||
ca_cert: encode_cert_to_pem(&ca.cert),
|
ca_key: ca.issuer.key().serialize_pem(),
|
||||||
ca_key: ca.issuer.key().serialize_pem(),
|
};
|
||||||
};
|
|
||||||
|
|
||||||
let inserted_tls_history: i32 = diesel::insert_into(tls_history::table)
|
let inserted_tls_history: i32 = diesel::insert_into(tls_history::table)
|
||||||
.values(&new_tls_history)
|
.values(&new_tls_history)
|
||||||
.returning(tls_history::id)
|
.returning(tls_history::id)
|
||||||
.get_result(conn)
|
.get_result(&mut *conn)
|
||||||
.await?;
|
.await?;
|
||||||
|
|
||||||
diesel::update(arbiter_settings::table)
|
diesel::update(arbiter_settings::table)
|
||||||
.set(arbiter_settings::tls_id.eq(inserted_tls_history))
|
.set(arbiter_settings::tls_id.eq(inserted_tls_history))
|
||||||
.execute(conn)
|
.execute(&mut *conn)
|
||||||
.await?;
|
.await?;
|
||||||
|
|
||||||
Result::<_, diesel::result::Error>::Ok(())
|
Result::<_, diesel::result::Error>::Ok(())
|
||||||
})
|
|
||||||
})
|
})
|
||||||
.await?;
|
.await?;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -79,41 +79,10 @@ pub mod types {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
macro_rules! declare_id {
|
#[derive(Debug, FromSqlRow, AsExpression, Clone)]
|
||||||
($name:ident) => {
|
#[diesel(sql_type = Integer)]
|
||||||
#[derive(Debug, FromSqlRow, AsExpression, Clone, Hash, Copy, PartialEq, Eq)]
|
#[repr(transparent)] // hint compiler to optimize the wrapper struct away
|
||||||
#[diesel(sql_type = Integer)]
|
pub struct ChainId(pub i32);
|
||||||
#[repr(transparent)] // hint compiler to optimize the wrapper struct away
|
|
||||||
pub struct $name(i32);
|
|
||||||
|
|
||||||
impl $name {
|
|
||||||
pub const fn to_raw(self) -> i32 {
|
|
||||||
self.0
|
|
||||||
}
|
|
||||||
pub const fn from_raw(raw: i32) -> Self {
|
|
||||||
Self(raw)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
impl FromSql<Integer, Sqlite> for $name {
|
|
||||||
fn from_sql(
|
|
||||||
bytes: <Sqlite as diesel::backend::Backend>::RawValue<'_>,
|
|
||||||
) -> diesel::deserialize::Result<Self> {
|
|
||||||
FromSql::<Integer, Sqlite>::from_sql(bytes).map(Self)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
impl ToSql<Integer, Sqlite> for $name {
|
|
||||||
fn to_sql<'b>(
|
|
||||||
&'b self,
|
|
||||||
out: &mut diesel::serialize::Output<'b, '_, Sqlite>,
|
|
||||||
) -> diesel::serialize::Result {
|
|
||||||
ToSql::<Integer, Sqlite>::to_sql(&self.0, out)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
declare_id!(ChainId);
|
|
||||||
|
|
||||||
#[expect(
|
#[expect(
|
||||||
clippy::cast_sign_loss,
|
clippy::cast_sign_loss,
|
||||||
@@ -134,13 +103,21 @@ pub mod types {
|
|||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
declare_id!(OperatorId);
|
impl FromSql<Integer, Sqlite> for ChainId {
|
||||||
declare_id!(OperatorIdentityId);
|
fn from_sql(
|
||||||
declare_id!(AeadEncryptedId);
|
bytes: <Sqlite as diesel::backend::Backend>::RawValue<'_>,
|
||||||
declare_id!(RootKeyHistoryId);
|
) -> diesel::deserialize::Result<Self> {
|
||||||
declare_id!(TlsHistoryId);
|
FromSql::<Integer, Sqlite>::from_sql(bytes).map(Self)
|
||||||
declare_id!(EvmWalletId);
|
}
|
||||||
declare_id!(ClientId);
|
}
|
||||||
|
impl ToSql<Integer, Sqlite> for ChainId {
|
||||||
|
fn to_sql<'b>(
|
||||||
|
&'b self,
|
||||||
|
out: &mut diesel::serialize::Output<'b, '_, Sqlite>,
|
||||||
|
) -> diesel::serialize::Result {
|
||||||
|
ToSql::<Integer, Sqlite>::to_sql(&self.0, out)
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
pub use types::*;
|
pub use types::*;
|
||||||
|
|
||||||
@@ -153,12 +130,12 @@ pub use types::*;
|
|||||||
)]
|
)]
|
||||||
#[diesel(table_name = aead_encrypted, check_for_backend(Sqlite))]
|
#[diesel(table_name = aead_encrypted, check_for_backend(Sqlite))]
|
||||||
pub struct AeadEncrypted {
|
pub struct AeadEncrypted {
|
||||||
pub id: AeadEncryptedId,
|
pub id: i32,
|
||||||
pub ciphertext: Vec<u8>,
|
pub ciphertext: Vec<u8>,
|
||||||
pub tag: Vec<u8>,
|
pub tag: Vec<u8>,
|
||||||
pub current_nonce: Vec<u8>,
|
pub current_nonce: Vec<u8>,
|
||||||
pub schema_version: i32,
|
pub schema_version: i32,
|
||||||
pub associated_root_key_id: RootKeyHistoryId,
|
pub associated_root_key_id: i32, // references root_key_history.id
|
||||||
pub created_at: SqliteTimestamp,
|
pub created_at: SqliteTimestamp,
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -171,7 +148,7 @@ pub struct AeadEncrypted {
|
|||||||
attributes_with = "deriveless"
|
attributes_with = "deriveless"
|
||||||
)]
|
)]
|
||||||
pub struct RootKeyHistory {
|
pub struct RootKeyHistory {
|
||||||
pub id: RootKeyHistoryId,
|
pub id: i32,
|
||||||
pub ciphertext: Vec<u8>,
|
pub ciphertext: Vec<u8>,
|
||||||
pub tag: Vec<u8>,
|
pub tag: Vec<u8>,
|
||||||
pub root_key_encryption_nonce: Vec<u8>,
|
pub root_key_encryption_nonce: Vec<u8>,
|
||||||
@@ -189,7 +166,7 @@ pub struct RootKeyHistory {
|
|||||||
attributes_with = "deriveless"
|
attributes_with = "deriveless"
|
||||||
)]
|
)]
|
||||||
pub struct TlsHistory {
|
pub struct TlsHistory {
|
||||||
pub id: TlsHistoryId,
|
pub id: i32,
|
||||||
pub cert: String,
|
pub cert: String,
|
||||||
pub cert_key: String, // PEM Encoded private key
|
pub cert_key: String, // PEM Encoded private key
|
||||||
pub ca_cert: String, // PEM Encoded certificate for cert signing
|
pub ca_cert: String, // PEM Encoded certificate for cert signing
|
||||||
@@ -214,7 +191,7 @@ pub struct ArbiterSettings {
|
|||||||
attributes_with = "deriveless"
|
attributes_with = "deriveless"
|
||||||
)]
|
)]
|
||||||
pub struct EvmWallet {
|
pub struct EvmWallet {
|
||||||
pub id: EvmWalletId,
|
pub id: i32,
|
||||||
pub address: Vec<u8>,
|
pub address: Vec<u8>,
|
||||||
pub aead_encrypted_id: i32,
|
pub aead_encrypted_id: i32,
|
||||||
pub created_at: SqliteTimestamp,
|
pub created_at: SqliteTimestamp,
|
||||||
@@ -236,7 +213,7 @@ pub struct EvmWallet {
|
|||||||
)]
|
)]
|
||||||
pub struct EvmWalletAccess {
|
pub struct EvmWalletAccess {
|
||||||
pub id: i32,
|
pub id: i32,
|
||||||
pub wallet_id: EvmWalletId,
|
pub wallet_id: i32,
|
||||||
pub client_id: i32,
|
pub client_id: i32,
|
||||||
pub created_at: SqliteTimestamp,
|
pub created_at: SqliteTimestamp,
|
||||||
}
|
}
|
||||||
@@ -263,7 +240,7 @@ pub struct ProgramClientMetadataHistory {
|
|||||||
#[derive(Models, Queryable, Debug, Insertable, Selectable)]
|
#[derive(Models, Queryable, Debug, Insertable, Selectable)]
|
||||||
#[diesel(table_name = schema::program_client, check_for_backend(Sqlite))]
|
#[diesel(table_name = schema::program_client, check_for_backend(Sqlite))]
|
||||||
pub struct ProgramClient {
|
pub struct ProgramClient {
|
||||||
pub id: ClientId,
|
pub id: i32,
|
||||||
pub public_key: Vec<u8>,
|
pub public_key: Vec<u8>,
|
||||||
pub metadata_id: i32,
|
pub metadata_id: i32,
|
||||||
pub created_at: SqliteTimestamp,
|
pub created_at: SqliteTimestamp,
|
||||||
@@ -271,24 +248,14 @@ pub struct ProgramClient {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Queryable, Debug)]
|
#[derive(Queryable, Debug)]
|
||||||
#[diesel(table_name = schema::operator_identity, check_for_backend(Sqlite))]
|
#[diesel(table_name = schema::operator_client, check_for_backend(Sqlite))]
|
||||||
pub struct OperatorIdentity {
|
pub struct OperatorClient {
|
||||||
pub id: OperatorIdentityId,
|
pub id: i32,
|
||||||
pub public_key: Vec<u8>,
|
pub public_key: Vec<u8>,
|
||||||
pub created_at: SqliteTimestamp,
|
pub created_at: SqliteTimestamp,
|
||||||
pub updated_at: SqliteTimestamp,
|
pub updated_at: SqliteTimestamp,
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Queryable, Debug)]
|
|
||||||
#[diesel(table_name = schema::operator, check_for_backend(Sqlite))]
|
|
||||||
pub struct Operator {
|
|
||||||
pub id: OperatorId,
|
|
||||||
pub share: Vec<u8>,
|
|
||||||
pub share_nonce: Vec<u8>,
|
|
||||||
pub created_at: SqliteTimestamp,
|
|
||||||
pub updated_at: SqliteTimestamp,
|
|
||||||
}
|
|
||||||
|
|
||||||
#[derive(Models, Queryable, Debug, Insertable, Selectable)]
|
#[derive(Models, Queryable, Debug, Insertable, Selectable)]
|
||||||
#[diesel(table_name = evm_ether_transfer_limit, check_for_backend(Sqlite))]
|
#[diesel(table_name = evm_ether_transfer_limit, check_for_backend(Sqlite))]
|
||||||
#[view(
|
#[view(
|
||||||
@@ -432,7 +399,7 @@ pub struct IntegrityEnvelope {
|
|||||||
pub entity_kind: String,
|
pub entity_kind: String,
|
||||||
pub entity_id: Vec<u8>,
|
pub entity_id: Vec<u8>,
|
||||||
pub payload_version: i32,
|
pub payload_version: i32,
|
||||||
pub key_version: RootKeyHistoryId,
|
pub key_version: i32,
|
||||||
pub mac: Vec<u8>,
|
pub mac: Vec<u8>,
|
||||||
pub signed_at: SqliteTimestamp,
|
pub signed_at: SqliteTimestamp,
|
||||||
pub created_at: SqliteTimestamp,
|
pub created_at: SqliteTimestamp,
|
||||||
|
|||||||
@@ -152,25 +152,6 @@ diesel::table! {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
diesel::table! {
|
|
||||||
operator (id) {
|
|
||||||
id -> Nullable<Integer>,
|
|
||||||
share -> Binary,
|
|
||||||
share_nonce -> Binary,
|
|
||||||
created_at -> Integer,
|
|
||||||
updated_at -> Integer,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
diesel::table! {
|
|
||||||
operator_identity (id) {
|
|
||||||
id -> Integer,
|
|
||||||
public_key -> Binary,
|
|
||||||
created_at -> Integer,
|
|
||||||
updated_at -> Integer,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
diesel::table! {
|
diesel::table! {
|
||||||
program_client (id) {
|
program_client (id) {
|
||||||
id -> Integer,
|
id -> Integer,
|
||||||
@@ -204,6 +185,15 @@ diesel::table! {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
diesel::table! {
|
||||||
|
operator_client (id) {
|
||||||
|
id -> Integer,
|
||||||
|
public_key -> Binary,
|
||||||
|
created_at -> Integer,
|
||||||
|
updated_at -> Integer,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
diesel::joinable!(aead_encrypted -> root_key_history (associated_root_key_id));
|
diesel::joinable!(aead_encrypted -> root_key_history (associated_root_key_id));
|
||||||
diesel::joinable!(arbiter_settings -> root_key_history (root_key_id));
|
diesel::joinable!(arbiter_settings -> root_key_history (root_key_id));
|
||||||
diesel::joinable!(arbiter_settings -> tls_history (tls_id));
|
diesel::joinable!(arbiter_settings -> tls_history (tls_id));
|
||||||
@@ -222,7 +212,6 @@ diesel::joinable!(evm_transaction_log -> evm_wallet_access (wallet_access_id));
|
|||||||
diesel::joinable!(evm_wallet -> aead_encrypted (aead_encrypted_id));
|
diesel::joinable!(evm_wallet -> aead_encrypted (aead_encrypted_id));
|
||||||
diesel::joinable!(evm_wallet_access -> evm_wallet (wallet_id));
|
diesel::joinable!(evm_wallet_access -> evm_wallet (wallet_id));
|
||||||
diesel::joinable!(evm_wallet_access -> program_client (client_id));
|
diesel::joinable!(evm_wallet_access -> program_client (client_id));
|
||||||
diesel::joinable!(operator -> operator_identity (id));
|
|
||||||
diesel::joinable!(program_client -> client_metadata (metadata_id));
|
diesel::joinable!(program_client -> client_metadata (metadata_id));
|
||||||
|
|
||||||
diesel::allow_tables_to_appear_in_same_query!(
|
diesel::allow_tables_to_appear_in_same_query!(
|
||||||
@@ -241,9 +230,8 @@ diesel::allow_tables_to_appear_in_same_query!(
|
|||||||
evm_wallet,
|
evm_wallet,
|
||||||
evm_wallet_access,
|
evm_wallet_access,
|
||||||
integrity_envelope,
|
integrity_envelope,
|
||||||
operator,
|
|
||||||
operator_identity,
|
|
||||||
program_client,
|
program_client,
|
||||||
root_key_history,
|
root_key_history,
|
||||||
tls_history,
|
tls_history,
|
||||||
|
operator_client,
|
||||||
);
|
);
|
||||||
|
|||||||
@@ -1,28 +1,34 @@
|
|||||||
|
use diesel_async::{AsyncConnection, RunQueryDsl};
|
||||||
|
use kameo::actor::ActorRef;
|
||||||
|
|
||||||
use crate::{
|
use crate::{
|
||||||
actors::vault::Vault,
|
actors::vault::Vault,
|
||||||
crypto::integrity,
|
crypto::integrity,
|
||||||
db::{
|
db::{
|
||||||
self, DatabaseError,
|
self, DatabaseError,
|
||||||
models::{
|
models::{
|
||||||
EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
|
EvmBasicGrant, EvmEtherTransferGrant, EvmEtherTransferGrantTarget,
|
||||||
|
EvmEtherTransferLimit, EvmTokenTransferGrant, EvmTokenTransferVolumeLimit,
|
||||||
|
EvmWalletAccess, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
|
||||||
},
|
},
|
||||||
schema::{self, evm_transaction_log},
|
schema::{self, evm_transaction_log},
|
||||||
},
|
},
|
||||||
evm::policies::{
|
evm::policies::{
|
||||||
CombinedSettings, DatabaseID, EvalContext, EvalViolation, Grant, Policy,
|
CombinedSettings, DatabaseID, EvalContext, EvalViolation, Grant, Policy,
|
||||||
SharedGrantSettings, SpecificGrant, SpecificMeaning, ether_transfer::EtherTransfer,
|
SharedGrantSettings, SpecificGrant, SpecificMeaning, VolumeRateLimit,
|
||||||
token_transfers::TokenTransfer,
|
ether_transfer::EtherTransfer, token_transfers::TokenTransfer,
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
use alloy::{
|
use alloy::{
|
||||||
consensus::TxEip1559,
|
consensus::TxEip1559,
|
||||||
primitives::{TxKind, U256},
|
primitives::{Address, TxKind, U256},
|
||||||
};
|
};
|
||||||
use chrono::Utc;
|
use chrono::Utc;
|
||||||
use diesel::{ExpressionMethods as _, QueryDsl as _, QueryResult, insert_into, sqlite::Sqlite};
|
use diesel::{
|
||||||
use diesel_async::{AsyncConnection, RunQueryDsl};
|
ExpressionMethods as _, OptionalExtension, QueryDsl as _, QueryResult, SelectableHelper,
|
||||||
use kameo::actor::ActorRef;
|
insert_into, sqlite::Sqlite, update,
|
||||||
|
};
|
||||||
|
|
||||||
pub mod abi;
|
pub mod abi;
|
||||||
pub mod safe_signer;
|
pub mod safe_signer;
|
||||||
@@ -179,24 +185,22 @@ impl Engine {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if run_kind == RunKind::Execution {
|
if run_kind == RunKind::Execution {
|
||||||
conn.transaction(|conn| {
|
conn.transaction(async |conn| {
|
||||||
Box::pin(async move {
|
let log_id: i32 = insert_into(evm_transaction_log::table)
|
||||||
let log_id: i32 = insert_into(evm_transaction_log::table)
|
.values(&NewEvmTransactionLog {
|
||||||
.values(&NewEvmTransactionLog {
|
grant_id: grant.common_settings_id,
|
||||||
grant_id: grant.common_settings_id,
|
wallet_access_id: context.target.id,
|
||||||
wallet_access_id: context.target.id,
|
chain_id: context.chain.into(),
|
||||||
chain_id: context.chain.into(),
|
eth_value: utils::u256_to_bytes(context.value).to_vec(),
|
||||||
eth_value: utils::u256_to_bytes(context.value).to_vec(),
|
signed_at: Utc::now().into(),
|
||||||
signed_at: Utc::now().into(),
|
})
|
||||||
})
|
.returning(evm_transaction_log::id)
|
||||||
.returning(evm_transaction_log::id)
|
.get_result(&mut *conn)
|
||||||
.get_result(conn)
|
.await?;
|
||||||
.await?;
|
|
||||||
|
|
||||||
P::record_transaction(&context, meaning, log_id, &grant, conn).await?;
|
P::record_transaction(&context, meaning, log_id, &grant, &mut *conn).await?;
|
||||||
|
|
||||||
QueryResult::Ok(())
|
QueryResult::Ok(())
|
||||||
})
|
|
||||||
})
|
})
|
||||||
.await
|
.await
|
||||||
.map_err(DatabaseError::from)?;
|
.map_err(DatabaseError::from)?;
|
||||||
@@ -222,60 +226,203 @@ impl Engine {
|
|||||||
let vault = self.vault.clone();
|
let vault = self.vault.clone();
|
||||||
|
|
||||||
let id = conn
|
let id = conn
|
||||||
.transaction(|conn| {
|
.transaction(async |conn| {
|
||||||
Box::pin(async move {
|
use schema::evm_basic_grant;
|
||||||
use schema::evm_basic_grant;
|
|
||||||
|
|
||||||
#[expect(
|
#[expect(
|
||||||
clippy::cast_possible_truncation,
|
clippy::cast_possible_truncation,
|
||||||
clippy::cast_possible_wrap,
|
clippy::cast_possible_wrap,
|
||||||
clippy::as_conversions,
|
clippy::as_conversions,
|
||||||
reason = "fixme! #86"
|
reason = "fixme! #86"
|
||||||
)]
|
)]
|
||||||
let basic_grant: EvmBasicGrant = insert_into(evm_basic_grant::table)
|
let basic_grant: EvmBasicGrant = insert_into(evm_basic_grant::table)
|
||||||
.values(&NewEvmBasicGrant {
|
.values(&NewEvmBasicGrant {
|
||||||
chain_id: full_grant.shared.chain.into(),
|
chain_id: full_grant.shared.chain.into(),
|
||||||
wallet_access_id: full_grant.shared.wallet_access_id,
|
wallet_access_id: full_grant.shared.wallet_access_id,
|
||||||
valid_from: full_grant.shared.valid_from.map(SqliteTimestamp),
|
valid_from: full_grant.shared.valid_from.map(SqliteTimestamp),
|
||||||
valid_until: full_grant.shared.valid_until.map(SqliteTimestamp),
|
valid_until: full_grant.shared.valid_until.map(SqliteTimestamp),
|
||||||
max_gas_fee_per_gas: full_grant
|
max_gas_fee_per_gas: full_grant
|
||||||
.shared
|
.shared
|
||||||
.max_gas_fee_per_gas
|
.max_gas_fee_per_gas
|
||||||
.map(|fee| utils::u256_to_bytes(fee).to_vec()),
|
.map(|fee| utils::u256_to_bytes(fee).to_vec()),
|
||||||
max_priority_fee_per_gas: full_grant
|
max_priority_fee_per_gas: full_grant
|
||||||
.shared
|
.shared
|
||||||
.max_priority_fee_per_gas
|
.max_priority_fee_per_gas
|
||||||
.map(|fee| utils::u256_to_bytes(fee).to_vec()),
|
.map(|fee| utils::u256_to_bytes(fee).to_vec()),
|
||||||
rate_limit_count: full_grant
|
rate_limit_count: full_grant
|
||||||
.shared
|
.shared
|
||||||
.rate_limit
|
.rate_limit
|
||||||
.as_ref()
|
.as_ref()
|
||||||
.map(|rl| rl.count as i32),
|
.map(|rl| rl.count as i32),
|
||||||
rate_limit_window_secs: full_grant
|
rate_limit_window_secs: full_grant
|
||||||
.shared
|
.shared
|
||||||
.rate_limit
|
.rate_limit
|
||||||
.as_ref()
|
.as_ref()
|
||||||
.map(|rl| rl.window.num_seconds() as i32),
|
.map(|rl| rl.window.num_seconds() as i32),
|
||||||
revoked_at: None,
|
revoked_at: None,
|
||||||
})
|
})
|
||||||
.returning(evm_basic_grant::all_columns)
|
.returning(evm_basic_grant::all_columns)
|
||||||
.get_result(conn)
|
.get_result(&mut *conn)
|
||||||
.await?;
|
.await?;
|
||||||
|
|
||||||
P::create_grant(&basic_grant, &full_grant.specific, conn).await?;
|
P::create_grant(&basic_grant, &full_grant.specific, &mut *conn).await?;
|
||||||
|
|
||||||
integrity::sign_entity(conn, &vault, &full_grant, basic_grant.id)
|
integrity::sign_entity(&mut *conn, &vault, &full_grant, basic_grant.id)
|
||||||
.await
|
.await
|
||||||
.map_err(|_| diesel::result::Error::RollbackTransaction)?;
|
.map_err(|_| diesel::result::Error::RollbackTransaction)?;
|
||||||
|
|
||||||
QueryResult::Ok(basic_grant.id)
|
QueryResult::Ok(basic_grant.id)
|
||||||
})
|
|
||||||
})
|
})
|
||||||
.await?;
|
.await?;
|
||||||
|
|
||||||
Ok(id)
|
Ok(id)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub async fn revoke_grant(
|
||||||
|
&self,
|
||||||
|
basic_grant_id: i32,
|
||||||
|
) -> Result<(), DatabaseError> {
|
||||||
|
let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
|
||||||
|
let vault = self.vault.clone();
|
||||||
|
|
||||||
|
conn.transaction(async move |conn| {
|
||||||
|
use crate::db::schema::{
|
||||||
|
evm_basic_grant, evm_ether_transfer_grant, evm_ether_transfer_grant_target,
|
||||||
|
evm_ether_transfer_limit, evm_token_transfer_grant,
|
||||||
|
evm_token_transfer_volume_limit,
|
||||||
|
};
|
||||||
|
|
||||||
|
update(evm_basic_grant::table)
|
||||||
|
.filter(evm_basic_grant::id.eq(basic_grant_id))
|
||||||
|
.set(evm_basic_grant::revoked_at.eq(SqliteTimestamp(Utc::now())))
|
||||||
|
.execute(&mut *conn)
|
||||||
|
.await?;
|
||||||
|
|
||||||
|
let basic_grant: EvmBasicGrant = evm_basic_grant::table
|
||||||
|
.filter(evm_basic_grant::id.eq(basic_grant_id))
|
||||||
|
.select(EvmBasicGrant::as_select())
|
||||||
|
.first(&mut *conn)
|
||||||
|
.await?;
|
||||||
|
|
||||||
|
let shared = SharedGrantSettings::try_from_model(basic_grant)?;
|
||||||
|
|
||||||
|
if let Some(ether_grant) = evm_ether_transfer_grant::table
|
||||||
|
.filter(evm_ether_transfer_grant::basic_grant_id.eq(basic_grant_id))
|
||||||
|
.select(EvmEtherTransferGrant::as_select())
|
||||||
|
.first(&mut *conn)
|
||||||
|
.await
|
||||||
|
.optional()?
|
||||||
|
{
|
||||||
|
let target_rows: Vec<EvmEtherTransferGrantTarget> =
|
||||||
|
evm_ether_transfer_grant_target::table
|
||||||
|
.filter(evm_ether_transfer_grant_target::grant_id.eq(ether_grant.id))
|
||||||
|
.select(EvmEtherTransferGrantTarget::as_select())
|
||||||
|
.load(&mut *conn)
|
||||||
|
.await?;
|
||||||
|
let targets: Vec<Address> = target_rows
|
||||||
|
.into_iter()
|
||||||
|
.filter_map(|target| {
|
||||||
|
let arr: [u8; 20] = target.address.try_into().ok()?;
|
||||||
|
Some(Address::from(arr))
|
||||||
|
})
|
||||||
|
.collect();
|
||||||
|
|
||||||
|
let limit: EvmEtherTransferLimit = evm_ether_transfer_limit::table
|
||||||
|
.filter(evm_ether_transfer_limit::id.eq(ether_grant.limit_id))
|
||||||
|
.select(EvmEtherTransferLimit::as_select())
|
||||||
|
.first(&mut *conn)
|
||||||
|
.await?;
|
||||||
|
|
||||||
|
let settings = CombinedSettings {
|
||||||
|
shared: shared.clone(),
|
||||||
|
specific: policies::ether_transfer::Settings {
|
||||||
|
target: targets,
|
||||||
|
limit: VolumeRateLimit {
|
||||||
|
max_volume: utils::try_bytes_to_u256(&limit.max_volume).map_err(
|
||||||
|
|err| {
|
||||||
|
diesel::result::Error::DeserializationError(Box::new(err))
|
||||||
|
},
|
||||||
|
)?,
|
||||||
|
window: chrono::Duration::seconds(limit.window_secs.into()),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
};
|
||||||
|
|
||||||
|
integrity::sign_entity(&mut *conn, &vault, &settings, basic_grant_id)
|
||||||
|
.await
|
||||||
|
.map_err(|_| diesel::result::Error::RollbackTransaction)?;
|
||||||
|
|
||||||
|
return QueryResult::Ok(());
|
||||||
|
}
|
||||||
|
|
||||||
|
if let Some(token_grant) = evm_token_transfer_grant::table
|
||||||
|
.filter(evm_token_transfer_grant::basic_grant_id.eq(basic_grant_id))
|
||||||
|
.select(EvmTokenTransferGrant::as_select())
|
||||||
|
.first(&mut *conn)
|
||||||
|
.await
|
||||||
|
.optional()?
|
||||||
|
{
|
||||||
|
let volume_limit_rows: Vec<EvmTokenTransferVolumeLimit> =
|
||||||
|
evm_token_transfer_volume_limit::table
|
||||||
|
.filter(evm_token_transfer_volume_limit::grant_id.eq(token_grant.id))
|
||||||
|
.select(EvmTokenTransferVolumeLimit::as_select())
|
||||||
|
.load(&mut *conn)
|
||||||
|
.await?;
|
||||||
|
let volume_limits: Vec<VolumeRateLimit> = volume_limit_rows
|
||||||
|
.into_iter()
|
||||||
|
.map(|row| {
|
||||||
|
Ok(VolumeRateLimit {
|
||||||
|
max_volume: utils::try_bytes_to_u256(&row.max_volume).map_err(
|
||||||
|
|err| {
|
||||||
|
diesel::result::Error::DeserializationError(Box::new(err))
|
||||||
|
},
|
||||||
|
)?,
|
||||||
|
window: chrono::Duration::seconds(row.window_secs.into()),
|
||||||
|
})
|
||||||
|
})
|
||||||
|
.collect::<QueryResult<Vec<_>>>()?;
|
||||||
|
|
||||||
|
let target: Option<Address> = match token_grant.receiver {
|
||||||
|
None => None,
|
||||||
|
Some(bytes) => {
|
||||||
|
let arr: [u8; 20] = bytes.try_into().map_err(|_| {
|
||||||
|
diesel::result::Error::DeserializationError(
|
||||||
|
"Invalid receiver address length".into(),
|
||||||
|
)
|
||||||
|
})?;
|
||||||
|
Some(Address::from(arr))
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
let token_contract: [u8; 20] =
|
||||||
|
token_grant.token_contract.clone().try_into().map_err(|_| {
|
||||||
|
diesel::result::Error::DeserializationError(
|
||||||
|
"Invalid token contract address length".into(),
|
||||||
|
)
|
||||||
|
})?;
|
||||||
|
|
||||||
|
let settings = CombinedSettings {
|
||||||
|
shared,
|
||||||
|
specific: policies::token_transfers::Settings {
|
||||||
|
token_contract: Address::from(token_contract),
|
||||||
|
target,
|
||||||
|
volume_limits,
|
||||||
|
},
|
||||||
|
};
|
||||||
|
|
||||||
|
integrity::sign_entity(&mut *conn, &vault, &settings, basic_grant_id)
|
||||||
|
.await
|
||||||
|
.map_err(|_| diesel::result::Error::RollbackTransaction)?;
|
||||||
|
|
||||||
|
return QueryResult::Ok(());
|
||||||
|
}
|
||||||
|
|
||||||
|
Err(diesel::result::Error::NotFound)
|
||||||
|
})
|
||||||
|
.await
|
||||||
|
.map_err(DatabaseError::from)
|
||||||
|
}
|
||||||
|
|
||||||
async fn list_one_kind<Kind: Policy, Y>(
|
async fn list_one_kind<Kind: Policy, Y>(
|
||||||
&self,
|
&self,
|
||||||
conn: &mut impl AsyncConnection<Backend = Sqlite>,
|
conn: &mut impl AsyncConnection<Backend = Sqlite>,
|
||||||
@@ -355,21 +502,26 @@ impl Engine {
|
|||||||
#[cfg(test)]
|
#[cfg(test)]
|
||||||
mod tests {
|
mod tests {
|
||||||
use alloy::primitives::{Address, Bytes, U256, address};
|
use alloy::primitives::{Address, Bytes, U256, address};
|
||||||
|
use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
|
||||||
use chrono::{Duration, Utc};
|
use chrono::{Duration, Utc};
|
||||||
use diesel::{SelectableHelper, insert_into};
|
use diesel::{SelectableHelper, insert_into};
|
||||||
use diesel_async::RunQueryDsl;
|
use diesel_async::RunQueryDsl;
|
||||||
|
use kameo::{actor::ActorRef, prelude::Spawn};
|
||||||
use rstest::rstest;
|
use rstest::rstest;
|
||||||
|
|
||||||
|
use crate::actors::{GlobalActors, vault::{Bootstrap, Vault}};
|
||||||
|
use crate::crypto::integrity;
|
||||||
use crate::db::{
|
use crate::db::{
|
||||||
self, DatabaseConnection,
|
self, DatabaseConnection,
|
||||||
models::{
|
models::{
|
||||||
EvmBasicGrant, EvmWalletAccess, EvmWalletId, NewEvmBasicGrant, NewEvmTransactionLog,
|
EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
|
||||||
SqliteTimestamp,
|
|
||||||
},
|
},
|
||||||
schema::{evm_basic_grant, evm_transaction_log},
|
schema::{evm_basic_grant, evm_transaction_log},
|
||||||
};
|
};
|
||||||
|
use crate::evm::policies::ether_transfer::EtherTransfer;
|
||||||
use crate::evm::policies::{
|
use crate::evm::policies::{
|
||||||
EvalContext, EvalViolation, SharedGrantSettings, TransactionRateLimit,
|
CombinedSettings, EvalContext, EvalViolation, Policy, SharedGrantSettings,
|
||||||
|
TransactionRateLimit, VolumeRateLimit,
|
||||||
};
|
};
|
||||||
|
|
||||||
use super::check_shared_constraints;
|
use super::check_shared_constraints;
|
||||||
@@ -382,7 +534,7 @@ mod tests {
|
|||||||
EvalContext {
|
EvalContext {
|
||||||
target: EvmWalletAccess {
|
target: EvmWalletAccess {
|
||||||
id: WALLET_ACCESS_ID,
|
id: WALLET_ACCESS_ID,
|
||||||
wallet_id: EvmWalletId::from_raw(5),
|
wallet_id: 10,
|
||||||
client_id: 20,
|
client_id: 20,
|
||||||
created_at: SqliteTimestamp(Utc::now()),
|
created_at: SqliteTimestamp(Utc::now()),
|
||||||
},
|
},
|
||||||
@@ -401,6 +553,7 @@ mod tests {
|
|||||||
chain: CHAIN_ID,
|
chain: CHAIN_ID,
|
||||||
valid_from: None,
|
valid_from: None,
|
||||||
valid_until: None,
|
valid_until: None,
|
||||||
|
revoked_at: None,
|
||||||
max_gas_fee_per_gas: None,
|
max_gas_fee_per_gas: None,
|
||||||
max_priority_fee_per_gas: None,
|
max_priority_fee_per_gas: None,
|
||||||
rate_limit: None,
|
rate_limit: None,
|
||||||
@@ -609,4 +762,115 @@ mod tests {
|
|||||||
assert!(violations.is_empty());
|
assert!(violations.is_empty());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
async fn bootstrapped_vault(db: &db::DatabasePool) -> ActorRef<Vault> {
|
||||||
|
let actor = Vault::spawn(
|
||||||
|
Vault::new(db.clone(), GlobalActors::spawn_message_bus())
|
||||||
|
.await
|
||||||
|
.unwrap(),
|
||||||
|
);
|
||||||
|
actor
|
||||||
|
.ask(Bootstrap {
|
||||||
|
seal_key_raw: SafeCell::new(b"integrity-test-seal-key".to_vec()),
|
||||||
|
})
|
||||||
|
.await
|
||||||
|
.unwrap();
|
||||||
|
actor
|
||||||
|
}
|
||||||
|
|
||||||
|
#[tokio::test]
|
||||||
|
async fn revoke_grant_preserves_revoked_integrity() {
|
||||||
|
use crate::db::schema::evm_basic_grant;
|
||||||
|
use diesel::ExpressionMethods as _;
|
||||||
|
|
||||||
|
let db = db::create_test_pool().await;
|
||||||
|
let vault = bootstrapped_vault(&db).await;
|
||||||
|
let engine = super::Engine::new(db.clone(), vault.clone());
|
||||||
|
|
||||||
|
let full_grant = CombinedSettings {
|
||||||
|
shared: SharedGrantSettings {
|
||||||
|
wallet_access_id: WALLET_ACCESS_ID,
|
||||||
|
chain: CHAIN_ID,
|
||||||
|
valid_from: None,
|
||||||
|
valid_until: None,
|
||||||
|
revoked_at: None,
|
||||||
|
max_gas_fee_per_gas: None,
|
||||||
|
max_priority_fee_per_gas: None,
|
||||||
|
rate_limit: None,
|
||||||
|
},
|
||||||
|
specific: super::policies::ether_transfer::Settings {
|
||||||
|
target: vec![RECIPIENT],
|
||||||
|
limit: VolumeRateLimit {
|
||||||
|
max_volume: U256::from(100u64),
|
||||||
|
window: Duration::hours(1),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
};
|
||||||
|
|
||||||
|
let grant_id = engine
|
||||||
|
.create_grant::<EtherTransfer>(full_grant)
|
||||||
|
.await
|
||||||
|
.unwrap();
|
||||||
|
|
||||||
|
engine.revoke_grant(grant_id).await.unwrap();
|
||||||
|
|
||||||
|
let mut conn = db.get().await.unwrap();
|
||||||
|
diesel::update(evm_basic_grant::table)
|
||||||
|
.filter(evm_basic_grant::id.eq(grant_id))
|
||||||
|
.set(evm_basic_grant::revoked_at.eq::<Option<SqliteTimestamp>>(None))
|
||||||
|
.execute(&mut conn)
|
||||||
|
.await
|
||||||
|
.unwrap();
|
||||||
|
|
||||||
|
let wallet_access = EvmWalletAccess {
|
||||||
|
id: WALLET_ACCESS_ID,
|
||||||
|
wallet_id: 10,
|
||||||
|
client_id: 20,
|
||||||
|
created_at: SqliteTimestamp(Utc::now()),
|
||||||
|
};
|
||||||
|
let context = EvalContext {
|
||||||
|
target: wallet_access,
|
||||||
|
chain: CHAIN_ID,
|
||||||
|
to: RECIPIENT,
|
||||||
|
value: U256::ONE,
|
||||||
|
calldata: Bytes::new(),
|
||||||
|
max_fee_per_gas: 1,
|
||||||
|
max_priority_fee_per_gas: 1,
|
||||||
|
};
|
||||||
|
|
||||||
|
let grant = EtherTransfer::try_find_grant(
|
||||||
|
&context, &mut conn,
|
||||||
|
)
|
||||||
|
.await
|
||||||
|
.unwrap()
|
||||||
|
.unwrap();
|
||||||
|
|
||||||
|
let result =
|
||||||
|
integrity::verify_entity(&mut conn, &vault, &grant.settings, grant.id).await;
|
||||||
|
|
||||||
|
assert!(matches!(
|
||||||
|
result,
|
||||||
|
Err(integrity::Error::MacMismatch { .. })
|
||||||
|
));
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn shared_settings_hash_changes_when_revoked_at_changes() {
|
||||||
|
use arbiter_crypto::hashing::Hashable;
|
||||||
|
use sha2::Digest;
|
||||||
|
|
||||||
|
let active = shared_settings();
|
||||||
|
let revoked = SharedGrantSettings {
|
||||||
|
revoked_at: Some(Utc::now()),
|
||||||
|
..shared_settings()
|
||||||
|
};
|
||||||
|
|
||||||
|
let mut active_hash = sha2::Sha256::new();
|
||||||
|
active.hash(&mut active_hash);
|
||||||
|
|
||||||
|
let mut revoked_hash = sha2::Sha256::new();
|
||||||
|
revoked.hash(&mut revoked_hash);
|
||||||
|
|
||||||
|
assert_ne!(active_hash.finalize(), revoked_hash.finalize());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -144,6 +144,7 @@ pub struct SharedGrantSettings {
|
|||||||
|
|
||||||
pub valid_from: Option<DateTime<Utc>>,
|
pub valid_from: Option<DateTime<Utc>>,
|
||||||
pub valid_until: Option<DateTime<Utc>>,
|
pub valid_until: Option<DateTime<Utc>>,
|
||||||
|
pub revoked_at: Option<DateTime<Utc>>,
|
||||||
|
|
||||||
pub max_gas_fee_per_gas: Option<U256>,
|
pub max_gas_fee_per_gas: Option<U256>,
|
||||||
pub max_priority_fee_per_gas: Option<U256>,
|
pub max_priority_fee_per_gas: Option<U256>,
|
||||||
@@ -158,6 +159,7 @@ impl SharedGrantSettings {
|
|||||||
chain: model.chain_id.into(),
|
chain: model.chain_id.into(),
|
||||||
valid_from: model.valid_from.map(Into::into),
|
valid_from: model.valid_from.map(Into::into),
|
||||||
valid_until: model.valid_until.map(Into::into),
|
valid_until: model.valid_until.map(Into::into),
|
||||||
|
revoked_at: model.revoked_at.map(Into::into),
|
||||||
max_gas_fee_per_gas: model
|
max_gas_fee_per_gas: model
|
||||||
.max_gas_fee_per_gas
|
.max_gas_fee_per_gas
|
||||||
.map(|b| utils::try_bytes_to_u256(&b))
|
.map(|b| utils::try_bytes_to_u256(&b))
|
||||||
|
|||||||
@@ -3,8 +3,7 @@ use crate::{
|
|||||||
db::{
|
db::{
|
||||||
self, DatabaseConnection,
|
self, DatabaseConnection,
|
||||||
models::{
|
models::{
|
||||||
EvmBasicGrant, EvmWalletAccess, EvmWalletId, NewEvmBasicGrant, NewEvmTransactionLog,
|
EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
|
||||||
SqliteTimestamp,
|
|
||||||
},
|
},
|
||||||
schema::{evm_basic_grant, evm_transaction_log},
|
schema::{evm_basic_grant, evm_transaction_log},
|
||||||
},
|
},
|
||||||
@@ -32,7 +31,7 @@ fn ctx(to: Address, value: U256) -> EvalContext {
|
|||||||
EvalContext {
|
EvalContext {
|
||||||
target: EvmWalletAccess {
|
target: EvmWalletAccess {
|
||||||
id: WALLET_ACCESS_ID,
|
id: WALLET_ACCESS_ID,
|
||||||
wallet_id: EvmWalletId::from_raw(10),
|
wallet_id: 10,
|
||||||
client_id: 20,
|
client_id: 20,
|
||||||
created_at: SqliteTimestamp(Utc::now()),
|
created_at: SqliteTimestamp(Utc::now()),
|
||||||
},
|
},
|
||||||
@@ -80,6 +79,7 @@ fn shared() -> SharedGrantSettings {
|
|||||||
chain: CHAIN_ID,
|
chain: CHAIN_ID,
|
||||||
valid_from: None,
|
valid_from: None,
|
||||||
valid_until: None,
|
valid_until: None,
|
||||||
|
revoked_at: None,
|
||||||
max_gas_fee_per_gas: None,
|
max_gas_fee_per_gas: None,
|
||||||
max_priority_fee_per_gas: None,
|
max_priority_fee_per_gas: None,
|
||||||
rate_limit: None,
|
rate_limit: None,
|
||||||
|
|||||||
@@ -2,7 +2,7 @@ use super::{Settings, TokenTransfer};
|
|||||||
use crate::{
|
use crate::{
|
||||||
db::{
|
db::{
|
||||||
self, DatabaseConnection,
|
self, DatabaseConnection,
|
||||||
models::{EvmBasicGrant, EvmWalletAccess, EvmWalletId, NewEvmBasicGrant, SqliteTimestamp},
|
models::{EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, SqliteTimestamp},
|
||||||
schema::evm_basic_grant,
|
schema::evm_basic_grant,
|
||||||
},
|
},
|
||||||
evm::{
|
evm::{
|
||||||
@@ -45,7 +45,7 @@ fn ctx(to: Address, calldata: Bytes) -> EvalContext {
|
|||||||
EvalContext {
|
EvalContext {
|
||||||
target: EvmWalletAccess {
|
target: EvmWalletAccess {
|
||||||
id: WALLET_ACCESS_ID,
|
id: WALLET_ACCESS_ID,
|
||||||
wallet_id: EvmWalletId::from_raw(10),
|
wallet_id: 10,
|
||||||
client_id: 20,
|
client_id: 20,
|
||||||
created_at: SqliteTimestamp(Utc::now()),
|
created_at: SqliteTimestamp(Utc::now()),
|
||||||
},
|
},
|
||||||
@@ -98,6 +98,7 @@ fn shared() -> SharedGrantSettings {
|
|||||||
chain: CHAIN_ID,
|
chain: CHAIN_ID,
|
||||||
valid_from: None,
|
valid_from: None,
|
||||||
valid_until: None,
|
valid_until: None,
|
||||||
|
revoked_at: None,
|
||||||
max_gas_fee_per_gas: None,
|
max_gas_fee_per_gas: None,
|
||||||
max_priority_fee_per_gas: None,
|
max_priority_fee_per_gas: None,
|
||||||
rate_limit: None,
|
rate_limit: None,
|
||||||
|
|||||||
@@ -200,7 +200,7 @@ impl Convert for auth::Outbound {
|
|||||||
.timestamp
|
.timestamp
|
||||||
.timestamp_nanos_opt()
|
.timestamp_nanos_opt()
|
||||||
.expect("timestamp within range")
|
.expect("timestamp within range")
|
||||||
as u64,
|
.cast_unsigned(),
|
||||||
random: challenge.nonce.to_vec(),
|
random: challenge.nonce.to_vec(),
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -80,7 +80,7 @@ impl Sender<Result<auth::Outbound, auth::Error>> for AuthTransportAdapter<'_> {
|
|||||||
.timestamp
|
.timestamp
|
||||||
.timestamp_nanos_opt()
|
.timestamp_nanos_opt()
|
||||||
.expect("timestamp within range")
|
.expect("timestamp within range")
|
||||||
as u64,
|
.cast_unsigned(),
|
||||||
random: challenge.nonce.to_vec(),
|
random: challenge.nonce.to_vec(),
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -90,7 +90,7 @@ async fn handle_wallet_list(
|
|||||||
.into_iter()
|
.into_iter()
|
||||||
.map(|(id, address)| WalletEntry {
|
.map(|(id, address)| WalletEntry {
|
||||||
address: address.to_vec(),
|
address: address.to_vec(),
|
||||||
id: id.to_raw(),
|
id,
|
||||||
})
|
})
|
||||||
.collect(),
|
.collect(),
|
||||||
}),
|
}),
|
||||||
|
|||||||
@@ -1,10 +1,11 @@
|
|||||||
use crate::{
|
use crate::{
|
||||||
db::models::{CoreEvmWalletAccess, EvmWalletId, NewEvmWalletAccess},
|
db::models::{CoreEvmWalletAccess, NewEvmWalletAccess},
|
||||||
evm::policies::{
|
evm::policies::{
|
||||||
SharedGrantSettings, SpecificGrant, TransactionRateLimit, VolumeRateLimit, ether_transfer,
|
SharedGrantSettings, SpecificGrant, TransactionRateLimit, VolumeRateLimit, ether_transfer,
|
||||||
token_transfers,
|
token_transfers,
|
||||||
},
|
},
|
||||||
grpc::{Convert, TryConvert},
|
grpc::Convert,
|
||||||
|
grpc::TryConvert,
|
||||||
};
|
};
|
||||||
use arbiter_proto::{
|
use arbiter_proto::{
|
||||||
proto::evm::{
|
proto::evm::{
|
||||||
@@ -86,6 +87,7 @@ impl TryConvert for ProtoSharedSettings {
|
|||||||
.valid_until
|
.valid_until
|
||||||
.map(ProtoTimestamp::try_convert)
|
.map(ProtoTimestamp::try_convert)
|
||||||
.transpose()?,
|
.transpose()?,
|
||||||
|
revoked_at: None,
|
||||||
max_gas_fee_per_gas: self
|
max_gas_fee_per_gas: self
|
||||||
.max_gas_fee_per_gas
|
.max_gas_fee_per_gas
|
||||||
.as_deref()
|
.as_deref()
|
||||||
@@ -149,7 +151,7 @@ impl Convert for WalletAccess {
|
|||||||
|
|
||||||
fn convert(self) -> Self::Output {
|
fn convert(self) -> Self::Output {
|
||||||
NewEvmWalletAccess {
|
NewEvmWalletAccess {
|
||||||
wallet_id: EvmWalletId::from_raw(self.wallet_id),
|
wallet_id: self.wallet_id,
|
||||||
client_id: self.sdk_client_id,
|
client_id: self.sdk_client_id,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -164,7 +166,7 @@ impl TryConvert for SdkClientWalletAccess {
|
|||||||
return Err(Status::invalid_argument("Missing wallet access entry"));
|
return Err(Status::invalid_argument("Missing wallet access entry"));
|
||||||
};
|
};
|
||||||
Ok(CoreEvmWalletAccess {
|
Ok(CoreEvmWalletAccess {
|
||||||
wallet_id: EvmWalletId::from_raw(access.wallet_id),
|
wallet_id: access.wallet_id,
|
||||||
client_id: access.sdk_client_id,
|
client_id: access.sdk_client_id,
|
||||||
id: self.id,
|
id: self.id,
|
||||||
})
|
})
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
use crate::{
|
use crate::{
|
||||||
db::models::{EvmWalletAccess, EvmWalletId},
|
db::models::EvmWalletAccess,
|
||||||
evm::policies::{SharedGrantSettings, SpecificGrant, TransactionRateLimit, VolumeRateLimit},
|
evm::policies::{SharedGrantSettings, SpecificGrant, TransactionRateLimit, VolumeRateLimit},
|
||||||
grpc::Convert,
|
grpc::Convert,
|
||||||
};
|
};
|
||||||
@@ -103,7 +103,7 @@ impl Convert for EvmWalletAccess {
|
|||||||
Self::Output {
|
Self::Output {
|
||||||
id: self.id,
|
id: self.id,
|
||||||
access: Some(WalletAccess {
|
access: Some(WalletAccess {
|
||||||
wallet_id: self.wallet_id.to_raw(),
|
wallet_id: self.wallet_id,
|
||||||
sdk_client_id: self.client_id,
|
sdk_client_id: self.client_id,
|
||||||
}),
|
}),
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,8 +1,8 @@
|
|||||||
use crate::{
|
use crate::{
|
||||||
db::models::{ClientId, NewEvmWalletAccess},
|
db::models::NewEvmWalletAccess,
|
||||||
grpc::Convert,
|
grpc::Convert,
|
||||||
peers::operator::{
|
peers::operator::{
|
||||||
OperatorSession, OutOfBand,
|
OutOfBand, OperatorSession,
|
||||||
session::handlers::{
|
session::handlers::{
|
||||||
HandleGrantEvmWalletAccess, HandleListWalletAccess, HandleNewClientApprove,
|
HandleGrantEvmWalletAccess, HandleListWalletAccess, HandleNewClientApprove,
|
||||||
HandleRevokeEvmWalletAccess, HandleSdkClientList,
|
HandleRevokeEvmWalletAccess, HandleSdkClientList,
|
||||||
@@ -11,8 +11,8 @@ use crate::{
|
|||||||
};
|
};
|
||||||
use arbiter_crypto::authn;
|
use arbiter_crypto::authn;
|
||||||
use arbiter_proto::proto::{
|
use arbiter_proto::proto::{
|
||||||
|
shared::ClientInfo as ProtoClientMetadata,
|
||||||
operator::{
|
operator::{
|
||||||
operator_response::Payload as OperatorResponsePayload,
|
|
||||||
sdk_client::{
|
sdk_client::{
|
||||||
self as proto_sdk_client, ConnectionCancel as ProtoSdkClientConnectionCancel,
|
self as proto_sdk_client, ConnectionCancel as ProtoSdkClientConnectionCancel,
|
||||||
ConnectionRequest as ProtoSdkClientConnectionRequest,
|
ConnectionRequest as ProtoSdkClientConnectionRequest,
|
||||||
@@ -24,8 +24,8 @@ use arbiter_proto::proto::{
|
|||||||
request::Payload as SdkClientRequestPayload,
|
request::Payload as SdkClientRequestPayload,
|
||||||
response::Payload as SdkClientResponsePayload,
|
response::Payload as SdkClientResponsePayload,
|
||||||
},
|
},
|
||||||
|
operator_response::Payload as OperatorResponsePayload,
|
||||||
},
|
},
|
||||||
shared::ClientInfo as ProtoClientMetadata,
|
|
||||||
};
|
};
|
||||||
|
|
||||||
use kameo::actor::ActorRef;
|
use kameo::actor::ActorRef;
|
||||||
@@ -115,7 +115,7 @@ async fn handle_list(
|
|||||||
clients: clients
|
clients: clients
|
||||||
.into_iter()
|
.into_iter()
|
||||||
.map(|(client, metadata)| ProtoSdkClientEntry {
|
.map(|(client, metadata)| ProtoSdkClientEntry {
|
||||||
id: client.id.to_raw(),
|
id: client.id,
|
||||||
pubkey: client.public_key.clone(),
|
pubkey: client.public_key.clone(),
|
||||||
info: Some(ProtoClientMetadata {
|
info: Some(ProtoClientMetadata {
|
||||||
name: metadata.name,
|
name: metadata.name,
|
||||||
|
|||||||
@@ -171,46 +171,42 @@ async fn insert_client(
|
|||||||
Error::DatabasePoolUnavailable
|
Error::DatabasePoolUnavailable
|
||||||
})?;
|
})?;
|
||||||
|
|
||||||
conn.exclusive_transaction(|conn| {
|
conn.exclusive_transaction(async |conn| {
|
||||||
let vault = vault.clone();
|
let metadata_id = insert_into(client_metadata::table)
|
||||||
let pubkey = pubkey.clone();
|
.values((
|
||||||
Box::pin(async move {
|
client_metadata::name.eq(&metadata.name),
|
||||||
let metadata_id = insert_into(client_metadata::table)
|
client_metadata::description.eq(&metadata.description),
|
||||||
.values((
|
client_metadata::version.eq(&metadata.version),
|
||||||
client_metadata::name.eq(&metadata.name),
|
))
|
||||||
client_metadata::description.eq(&metadata.description),
|
.returning(client_metadata::id)
|
||||||
client_metadata::version.eq(&metadata.version),
|
.get_result::<i32>(&mut *conn)
|
||||||
))
|
.await?;
|
||||||
.returning(client_metadata::id)
|
|
||||||
.get_result::<i32>(conn)
|
|
||||||
.await?;
|
|
||||||
|
|
||||||
let client_id = insert_into(program_client::table)
|
let client_id = insert_into(program_client::table)
|
||||||
.values((
|
.values((
|
||||||
program_client::public_key.eq(pubkey.to_bytes()),
|
program_client::public_key.eq(pubkey.to_bytes()),
|
||||||
program_client::metadata_id.eq(metadata_id),
|
program_client::metadata_id.eq(metadata_id),
|
||||||
))
|
))
|
||||||
.on_conflict_do_nothing()
|
.on_conflict_do_nothing()
|
||||||
.returning(program_client::id)
|
.returning(program_client::id)
|
||||||
.get_result::<i32>(conn)
|
.get_result::<i32>(&mut *conn)
|
||||||
.await?;
|
.await?;
|
||||||
|
|
||||||
integrity::sign_entity(
|
integrity::sign_entity(
|
||||||
conn,
|
&mut *conn,
|
||||||
&vault,
|
vault,
|
||||||
&ClientCredentials {
|
&ClientCredentials {
|
||||||
pubkey: pubkey.clone(),
|
pubkey: pubkey.clone(),
|
||||||
},
|
},
|
||||||
client_id,
|
client_id,
|
||||||
)
|
)
|
||||||
.await
|
.await
|
||||||
.map_err(|e| {
|
.map_err(|e| {
|
||||||
error!(error = ?e, "Failed to sign integrity tag for new client key");
|
error!(error = ?e, "Failed to sign integrity tag for new client key");
|
||||||
Error::DatabaseOperationFailed
|
Error::DatabaseOperationFailed
|
||||||
})?;
|
})?;
|
||||||
|
|
||||||
Ok(client_id)
|
Ok(client_id)
|
||||||
})
|
|
||||||
})
|
})
|
||||||
.await
|
.await
|
||||||
}
|
}
|
||||||
@@ -229,55 +225,51 @@ async fn sync_client_metadata(
|
|||||||
Error::DatabasePoolUnavailable
|
Error::DatabasePoolUnavailable
|
||||||
})?;
|
})?;
|
||||||
|
|
||||||
conn.exclusive_transaction(|conn| {
|
conn.exclusive_transaction(async |conn| {
|
||||||
let metadata = metadata.clone();
|
let (current_metadata_id, current): (i32, ProgramClientMetadata) = program_client::table
|
||||||
Box::pin(async move {
|
.find(client_id)
|
||||||
let (current_metadata_id, current): (i32, ProgramClientMetadata) =
|
.inner_join(client_metadata::table)
|
||||||
program_client::table
|
.select((
|
||||||
.find(client_id)
|
program_client::metadata_id,
|
||||||
.inner_join(client_metadata::table)
|
ProgramClientMetadata::as_select(),
|
||||||
.select((
|
))
|
||||||
program_client::metadata_id,
|
.first(&mut *conn)
|
||||||
ProgramClientMetadata::as_select(),
|
.await?;
|
||||||
))
|
|
||||||
.first(conn)
|
|
||||||
.await?;
|
|
||||||
|
|
||||||
let unchanged = current.name == metadata.name
|
let unchanged = current.name == metadata.name
|
||||||
&& current.description == metadata.description
|
&& current.description == metadata.description
|
||||||
&& current.version == metadata.version;
|
&& current.version == metadata.version;
|
||||||
if unchanged {
|
if unchanged {
|
||||||
return Ok(());
|
return Ok(());
|
||||||
}
|
}
|
||||||
|
|
||||||
insert_into(client_metadata_history::table)
|
insert_into(client_metadata_history::table)
|
||||||
.values((
|
.values((
|
||||||
client_metadata_history::metadata_id.eq(current_metadata_id),
|
client_metadata_history::metadata_id.eq(current_metadata_id),
|
||||||
client_metadata_history::client_id.eq(client_id),
|
client_metadata_history::client_id.eq(client_id),
|
||||||
))
|
))
|
||||||
.execute(conn)
|
.execute(&mut *conn)
|
||||||
.await?;
|
.await?;
|
||||||
|
|
||||||
let metadata_id = insert_into(client_metadata::table)
|
let metadata_id = insert_into(client_metadata::table)
|
||||||
.values((
|
.values((
|
||||||
client_metadata::name.eq(&metadata.name),
|
client_metadata::name.eq(&metadata.name),
|
||||||
client_metadata::description.eq(&metadata.description),
|
client_metadata::description.eq(&metadata.description),
|
||||||
client_metadata::version.eq(&metadata.version),
|
client_metadata::version.eq(&metadata.version),
|
||||||
))
|
))
|
||||||
.returning(client_metadata::id)
|
.returning(client_metadata::id)
|
||||||
.get_result::<i32>(conn)
|
.get_result::<i32>(&mut *conn)
|
||||||
.await?;
|
.await?;
|
||||||
|
|
||||||
update(program_client::table.find(client_id))
|
update(program_client::table.find(client_id))
|
||||||
.set((
|
.set((
|
||||||
program_client::metadata_id.eq(metadata_id),
|
program_client::metadata_id.eq(metadata_id),
|
||||||
program_client::updated_at.eq(now),
|
program_client::updated_at.eq(now),
|
||||||
))
|
))
|
||||||
.execute(conn)
|
.execute(&mut *conn)
|
||||||
.await?;
|
.await?;
|
||||||
|
|
||||||
Ok::<(), diesel::result::Error>(())
|
Ok::<(), diesel::result::Error>(())
|
||||||
})
|
|
||||||
})
|
})
|
||||||
.await
|
.await
|
||||||
.map_err(|e| {
|
.map_err(|e| {
|
||||||
@@ -306,7 +298,7 @@ where
|
|||||||
|
|
||||||
let signature = expect_message(transport, |req: Inbound| match req {
|
let signature = expect_message(transport, |req: Inbound| match req {
|
||||||
Inbound::AuthChallengeSolution { signature } => Some(signature),
|
Inbound::AuthChallengeSolution { signature } => Some(signature),
|
||||||
_ => None,
|
Inbound::AuthChallengeRequest { .. } => None,
|
||||||
})
|
})
|
||||||
.await
|
.await
|
||||||
.map_err(|e| {
|
.map_err(|e| {
|
||||||
|
|||||||
@@ -4,7 +4,7 @@ use super::{
|
|||||||
};
|
};
|
||||||
use crate::{
|
use crate::{
|
||||||
actors::bootstrap::ConsumeToken,
|
actors::bootstrap::ConsumeToken,
|
||||||
db::{DatabasePool, schema::operator_identity},
|
db::{DatabasePool, schema::operator_client},
|
||||||
peers::operator::auth::Outbound,
|
peers::operator::auth::Outbound,
|
||||||
};
|
};
|
||||||
use arbiter_crypto::authn::{self, AuthChallenge, OPERATOR_CONTEXT};
|
use arbiter_crypto::authn::{self, AuthChallenge, OPERATOR_CONTEXT};
|
||||||
@@ -19,7 +19,7 @@ pub(super) struct ChallengeRequest {
|
|||||||
pub(super) bootstrap_token: Option<String>,
|
pub(super) bootstrap_token: Option<String>,
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(super) struct ChallengeContext {
|
pub struct ChallengeContext {
|
||||||
pub(super) challenge: AuthChallenge,
|
pub(super) challenge: AuthChallenge,
|
||||||
pub(super) pubkey: authn::PublicKey,
|
pub(super) pubkey: authn::PublicKey,
|
||||||
pub(super) bootstrap_token: Option<String>,
|
pub(super) bootstrap_token: Option<String>,
|
||||||
@@ -44,9 +44,9 @@ async fn get_client_id(db: &DatabasePool, pubkey: &authn::PublicKey) -> Result<O
|
|||||||
Error::internal("Database unavailable")
|
Error::internal("Database unavailable")
|
||||||
})?;
|
})?;
|
||||||
|
|
||||||
operator_identity::table
|
operator_client::table
|
||||||
.filter(operator_identity::public_key.eq(pubkey.to_bytes()))
|
.filter(operator_client::public_key.eq(pubkey.to_bytes()))
|
||||||
.select(operator_identity::id)
|
.select(operator_client::id)
|
||||||
.first::<i32>(&mut conn)
|
.first::<i32>(&mut conn)
|
||||||
.await
|
.await
|
||||||
.optional()
|
.optional()
|
||||||
@@ -63,9 +63,9 @@ async fn register_key(db: &DatabasePool, pubkey: &authn::PublicKey) -> Result<i3
|
|||||||
Error::internal("Database unavailable")
|
Error::internal("Database unavailable")
|
||||||
})?;
|
})?;
|
||||||
|
|
||||||
let id: i32 = diesel::insert_into(operator_identity::table)
|
let id: i32 = diesel::insert_into(operator_client::table)
|
||||||
.values((operator_identity::public_key.eq(pubkey_bytes),))
|
.values((operator_client::public_key.eq(pubkey_bytes),))
|
||||||
.returning(operator_identity::id)
|
.returning(operator_client::id)
|
||||||
.get_result(&mut conn)
|
.get_result(&mut conn)
|
||||||
.await
|
.await
|
||||||
.map_err(|e| {
|
.map_err(|e| {
|
||||||
@@ -127,8 +127,6 @@ where
|
|||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
#[allow(missing_docs)]
|
|
||||||
#[allow(clippy::unused_unit)]
|
|
||||||
async fn verify_solution(
|
async fn verify_solution(
|
||||||
&mut self,
|
&mut self,
|
||||||
ChallengeContext {
|
ChallengeContext {
|
||||||
|
|||||||
@@ -1,16 +1,12 @@
|
|||||||
use super::{Error, OperatorSession};
|
use super::{Error, OperatorSession};
|
||||||
use crate::{
|
use crate::{
|
||||||
actors::{
|
actors::evm::{
|
||||||
evm::{
|
ClientSignTransaction, Generate, ListWallets, OperatorCreateGrant, OperatorListGrants,
|
||||||
ClientSignTransaction, Generate, ListWallets, OperatorCreateGrant, OperatorListGrants,
|
SignTransactionError as EvmSignError,
|
||||||
SignTransactionError as EvmSignError,
|
|
||||||
},
|
|
||||||
flow_coordinator::client_connect_approval::ClientApprovalAnswer,
|
|
||||||
vault::VaultState,
|
|
||||||
},
|
|
||||||
db::models::{
|
|
||||||
EvmWalletAccess, EvmWalletId, NewEvmWalletAccess, ProgramClient, ProgramClientMetadata,
|
|
||||||
},
|
},
|
||||||
|
actors::flow_coordinator::client_connect_approval::ClientApprovalAnswer,
|
||||||
|
actors::vault::VaultState,
|
||||||
|
db::models::{EvmWalletAccess, NewEvmWalletAccess, ProgramClient, ProgramClientMetadata},
|
||||||
evm::policies::{Grant, SpecificGrant},
|
evm::policies::{Grant, SpecificGrant},
|
||||||
};
|
};
|
||||||
use arbiter_crypto::authn;
|
use arbiter_crypto::authn;
|
||||||
@@ -74,9 +70,7 @@ impl OperatorSession {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#[message]
|
#[message]
|
||||||
pub(crate) async fn handle_evm_wallet_list(
|
pub(crate) async fn handle_evm_wallet_list(&mut self) -> Result<Vec<(i32, Address)>, Error> {
|
||||||
&mut self,
|
|
||||||
) -> Result<Vec<(EvmWalletId, Address)>, Error> {
|
|
||||||
match self.props.actors.evm.ask(ListWallets {}).await {
|
match self.props.actors.evm.ask(ListWallets {}).await {
|
||||||
Ok(wallets) => Ok(wallets),
|
Ok(wallets) => Ok(wallets),
|
||||||
Err(err) => {
|
Err(err) => {
|
||||||
@@ -175,20 +169,18 @@ impl OperatorSession {
|
|||||||
entries: Vec<NewEvmWalletAccess>,
|
entries: Vec<NewEvmWalletAccess>,
|
||||||
) -> Result<(), Error> {
|
) -> Result<(), Error> {
|
||||||
let mut conn = self.props.db.get().await?;
|
let mut conn = self.props.db.get().await?;
|
||||||
conn.transaction(|conn| {
|
conn.transaction(async |conn| {
|
||||||
Box::pin(async move {
|
use crate::db::schema::evm_wallet_access;
|
||||||
use crate::db::schema::evm_wallet_access;
|
|
||||||
|
|
||||||
for entry in entries {
|
for entry in entries {
|
||||||
diesel::insert_into(evm_wallet_access::table)
|
diesel::insert_into(evm_wallet_access::table)
|
||||||
.values(&entry)
|
.values(&entry)
|
||||||
.on_conflict_do_nothing()
|
.on_conflict_do_nothing()
|
||||||
.execute(conn)
|
.execute(&mut *conn)
|
||||||
.await?;
|
.await?;
|
||||||
}
|
}
|
||||||
|
|
||||||
Result::<_, Error>::Ok(())
|
Result::<_, Error>::Ok(())
|
||||||
})
|
|
||||||
})
|
})
|
||||||
.await?;
|
.await?;
|
||||||
Ok(())
|
Ok(())
|
||||||
@@ -200,18 +192,16 @@ impl OperatorSession {
|
|||||||
entries: Vec<i32>,
|
entries: Vec<i32>,
|
||||||
) -> Result<(), Error> {
|
) -> Result<(), Error> {
|
||||||
let mut conn = self.props.db.get().await?;
|
let mut conn = self.props.db.get().await?;
|
||||||
conn.transaction(|conn| {
|
conn.transaction(async |conn| {
|
||||||
Box::pin(async move {
|
use crate::db::schema::evm_wallet_access;
|
||||||
use crate::db::schema::evm_wallet_access;
|
for entry in entries {
|
||||||
for entry in entries {
|
diesel::delete(evm_wallet_access::table)
|
||||||
diesel::delete(evm_wallet_access::table)
|
.filter(evm_wallet_access::wallet_id.eq(entry))
|
||||||
.filter(evm_wallet_access::wallet_id.eq(entry))
|
.execute(&mut *conn)
|
||||||
.execute(conn)
|
.await?;
|
||||||
.await?;
|
}
|
||||||
}
|
|
||||||
|
|
||||||
Result::<_, Error>::Ok(())
|
Result::<_, Error>::Ok(())
|
||||||
})
|
|
||||||
})
|
})
|
||||||
.await?;
|
.await?;
|
||||||
Ok(())
|
Ok(())
|
||||||
@@ -222,8 +212,7 @@ impl OperatorSession {
|
|||||||
&mut self,
|
&mut self,
|
||||||
) -> Result<Vec<EvmWalletAccess>, Error> {
|
) -> Result<Vec<EvmWalletAccess>, Error> {
|
||||||
let mut conn = self.props.db.get().await?;
|
let mut conn = self.props.db.get().await?;
|
||||||
use crate::db::schema::evm_wallet_access;
|
let access_entries = crate::db::schema::evm_wallet_access::table
|
||||||
let access_entries = evm_wallet_access::table
|
|
||||||
.select(EvmWalletAccess::as_select())
|
.select(EvmWalletAccess::as_select())
|
||||||
.load::<_>(&mut conn)
|
.load::<_>(&mut conn)
|
||||||
.await?;
|
.await?;
|
||||||
|
|||||||
@@ -63,7 +63,7 @@ impl OperatorSession {
|
|||||||
Self {
|
Self {
|
||||||
props,
|
props,
|
||||||
sender,
|
sender,
|
||||||
pending_client_approvals: Default::default(),
|
pending_client_approvals: HashMap::default(),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -86,8 +86,8 @@ async fn insert_bootstrap_sentinel_operator(db: &db::DatabasePool) {
|
|||||||
.0
|
.0
|
||||||
.to_vec();
|
.to_vec();
|
||||||
|
|
||||||
insert_into(schema::operator_identity::table)
|
insert_into(schema::operator_client::table)
|
||||||
.values((schema::operator_identity::public_key.eq(sentinel_key),))
|
.values((schema::operator_client::public_key.eq(sentinel_key),))
|
||||||
.execute(&mut conn)
|
.execute(&mut conn)
|
||||||
.await
|
.await
|
||||||
.unwrap();
|
.unwrap();
|
||||||
|
|||||||
@@ -206,8 +206,8 @@ pub async fn bootstrap_token_auth() {
|
|||||||
task.await.unwrap().unwrap();
|
task.await.unwrap().unwrap();
|
||||||
|
|
||||||
let mut conn = db.get().await.unwrap();
|
let mut conn = db.get().await.unwrap();
|
||||||
let stored_pubkey: Vec<u8> = schema::operator_identity::table
|
let stored_pubkey: Vec<u8> = schema::operator_client::table
|
||||||
.select(schema::operator_identity::public_key)
|
.select(schema::operator_client::public_key)
|
||||||
.first::<Vec<u8>>(&mut conn)
|
.first::<Vec<u8>>(&mut conn)
|
||||||
.await
|
.await
|
||||||
.unwrap();
|
.unwrap();
|
||||||
@@ -259,7 +259,7 @@ pub async fn bootstrap_invalid_token_auth() {
|
|||||||
));
|
));
|
||||||
|
|
||||||
let mut conn = db.get().await.unwrap();
|
let mut conn = db.get().await.unwrap();
|
||||||
let count: i64 = schema::operator_identity::table
|
let count: i64 = schema::operator_client::table
|
||||||
.count()
|
.count()
|
||||||
.get_result::<i64>(&mut conn)
|
.get_result::<i64>(&mut conn)
|
||||||
.await
|
.await
|
||||||
@@ -285,9 +285,9 @@ pub async fn challenge_auth() {
|
|||||||
|
|
||||||
{
|
{
|
||||||
let mut conn = db.get().await.unwrap();
|
let mut conn = db.get().await.unwrap();
|
||||||
let id: i32 = insert_into(schema::operator_identity::table)
|
let id: i32 = insert_into(schema::operator_client::table)
|
||||||
.values((schema::operator_identity::public_key.eq(pubkey_bytes.clone()),))
|
.values((schema::operator_client::public_key.eq(pubkey_bytes.clone()),))
|
||||||
.returning(schema::operator_identity::id)
|
.returning(schema::operator_client::id)
|
||||||
.get_result(&mut conn)
|
.get_result(&mut conn)
|
||||||
.await
|
.await
|
||||||
.unwrap();
|
.unwrap();
|
||||||
@@ -371,8 +371,8 @@ pub async fn challenge_auth_rejects_integrity_tag_mismatch_when_unsealed() {
|
|||||||
|
|
||||||
{
|
{
|
||||||
let mut conn = db.get().await.unwrap();
|
let mut conn = db.get().await.unwrap();
|
||||||
insert_into(schema::operator_identity::table)
|
insert_into(schema::operator_client::table)
|
||||||
.values((schema::operator_identity::public_key.eq(pubkey_bytes.clone()),))
|
.values((schema::operator_client::public_key.eq(pubkey_bytes.clone()),))
|
||||||
.execute(&mut conn)
|
.execute(&mut conn)
|
||||||
.await
|
.await
|
||||||
.unwrap();
|
.unwrap();
|
||||||
@@ -400,7 +400,7 @@ pub async fn challenge_auth_rejects_integrity_tag_mismatch_when_unsealed() {
|
|||||||
let challenge = match response {
|
let challenge = match response {
|
||||||
Ok(resp) => match resp {
|
Ok(resp) => match resp {
|
||||||
auth::Outbound::AuthChallenge { challenge } => challenge,
|
auth::Outbound::AuthChallenge { challenge } => challenge,
|
||||||
other => panic!("Expected AuthChallenge, got {other:?}"),
|
other @ auth::Outbound::AuthSuccess => panic!("Expected AuthChallenge, got {other:?}"),
|
||||||
},
|
},
|
||||||
Err(err) => panic!("Expected Ok response, got Err({err:?})"),
|
Err(err) => panic!("Expected Ok response, got Err({err:?})"),
|
||||||
};
|
};
|
||||||
@@ -444,9 +444,9 @@ pub async fn challenge_auth_rejects_invalid_signature() {
|
|||||||
|
|
||||||
{
|
{
|
||||||
let mut conn = db.get().await.unwrap();
|
let mut conn = db.get().await.unwrap();
|
||||||
let id: i32 = insert_into(schema::operator_identity::table)
|
let id: i32 = insert_into(schema::operator_client::table)
|
||||||
.values((schema::operator_identity::public_key.eq(pubkey_bytes.clone()),))
|
.values((schema::operator_client::public_key.eq(pubkey_bytes.clone()),))
|
||||||
.returning(schema::operator_identity::id)
|
.returning(schema::operator_client::id)
|
||||||
.get_result(&mut conn)
|
.get_result(&mut conn)
|
||||||
.await
|
.await
|
||||||
.unwrap();
|
.unwrap();
|
||||||
|
|||||||
@@ -14,7 +14,7 @@ use diesel_async::RunQueryDsl;
|
|||||||
|
|
||||||
#[tokio::test]
|
#[tokio::test]
|
||||||
#[test_log::test]
|
#[test_log::test]
|
||||||
async fn test_bootstrap() {
|
async fn bootstrap() {
|
||||||
let db = db::create_test_pool().await;
|
let db = db::create_test_pool().await;
|
||||||
let mut actor = Vault::new(db.clone(), GlobalActors::spawn_message_bus())
|
let mut actor = Vault::new(db.clone(), GlobalActors::spawn_message_bus())
|
||||||
.await
|
.await
|
||||||
@@ -39,7 +39,7 @@ async fn test_bootstrap() {
|
|||||||
|
|
||||||
#[tokio::test]
|
#[tokio::test]
|
||||||
#[test_log::test]
|
#[test_log::test]
|
||||||
async fn test_bootstrap_rejects_double() {
|
async fn bootstrap_rejects_double() {
|
||||||
let db = db::create_test_pool().await;
|
let db = db::create_test_pool().await;
|
||||||
let mut actor = common::bootstrapped_vault(&db).await;
|
let mut actor = common::bootstrapped_vault(&db).await;
|
||||||
|
|
||||||
@@ -50,7 +50,7 @@ async fn test_bootstrap_rejects_double() {
|
|||||||
|
|
||||||
#[tokio::test]
|
#[tokio::test]
|
||||||
#[test_log::test]
|
#[test_log::test]
|
||||||
async fn test_create_new_before_bootstrap_fails() {
|
async fn create_new_before_bootstrap_fails() {
|
||||||
let db = db::create_test_pool().await;
|
let db = db::create_test_pool().await;
|
||||||
let mut actor = Vault::new(db, GlobalActors::spawn_message_bus())
|
let mut actor = Vault::new(db, GlobalActors::spawn_message_bus())
|
||||||
.await
|
.await
|
||||||
@@ -65,7 +65,7 @@ async fn test_create_new_before_bootstrap_fails() {
|
|||||||
|
|
||||||
#[tokio::test]
|
#[tokio::test]
|
||||||
#[test_log::test]
|
#[test_log::test]
|
||||||
async fn test_decrypt_before_bootstrap_fails() {
|
async fn decrypt_before_bootstrap_fails() {
|
||||||
let db = db::create_test_pool().await;
|
let db = db::create_test_pool().await;
|
||||||
let mut actor = Vault::new(db, GlobalActors::spawn_message_bus())
|
let mut actor = Vault::new(db, GlobalActors::spawn_message_bus())
|
||||||
.await
|
.await
|
||||||
@@ -77,7 +77,7 @@ async fn test_decrypt_before_bootstrap_fails() {
|
|||||||
|
|
||||||
#[tokio::test]
|
#[tokio::test]
|
||||||
#[test_log::test]
|
#[test_log::test]
|
||||||
async fn test_new_restores_sealed_state() {
|
async fn new_restores_sealed_state() {
|
||||||
let db = db::create_test_pool().await;
|
let db = db::create_test_pool().await;
|
||||||
let actor = common::bootstrapped_vault(&db).await;
|
let actor = common::bootstrapped_vault(&db).await;
|
||||||
drop(actor);
|
drop(actor);
|
||||||
@@ -91,7 +91,7 @@ async fn test_new_restores_sealed_state() {
|
|||||||
|
|
||||||
#[tokio::test]
|
#[tokio::test]
|
||||||
#[test_log::test]
|
#[test_log::test]
|
||||||
async fn test_unseal_correct_password() {
|
async fn unseal_correct_password() {
|
||||||
let db = db::create_test_pool().await;
|
let db = db::create_test_pool().await;
|
||||||
let mut actor = common::bootstrapped_vault(&db).await;
|
let mut actor = common::bootstrapped_vault(&db).await;
|
||||||
|
|
||||||
@@ -114,7 +114,7 @@ async fn test_unseal_correct_password() {
|
|||||||
|
|
||||||
#[tokio::test]
|
#[tokio::test]
|
||||||
#[test_log::test]
|
#[test_log::test]
|
||||||
async fn test_unseal_wrong_then_correct_password() {
|
async fn unseal_wrong_then_correct_password() {
|
||||||
let db = db::create_test_pool().await;
|
let db = db::create_test_pool().await;
|
||||||
let mut actor = common::bootstrapped_vault(&db).await;
|
let mut actor = common::bootstrapped_vault(&db).await;
|
||||||
|
|
||||||
|
|||||||
@@ -12,7 +12,7 @@ use std::collections::HashSet;
|
|||||||
|
|
||||||
#[tokio::test]
|
#[tokio::test]
|
||||||
#[test_log::test]
|
#[test_log::test]
|
||||||
async fn test_create_decrypt_roundtrip() {
|
async fn create_decrypt_roundtrip() {
|
||||||
let db = db::create_test_pool().await;
|
let db = db::create_test_pool().await;
|
||||||
let mut actor = common::bootstrapped_vault(&db).await;
|
let mut actor = common::bootstrapped_vault(&db).await;
|
||||||
|
|
||||||
@@ -28,7 +28,7 @@ async fn test_create_decrypt_roundtrip() {
|
|||||||
|
|
||||||
#[tokio::test]
|
#[tokio::test]
|
||||||
#[test_log::test]
|
#[test_log::test]
|
||||||
async fn test_decrypt_nonexistent_returns_not_found() {
|
async fn decrypt_nonexistent_returns_not_found() {
|
||||||
let db = db::create_test_pool().await;
|
let db = db::create_test_pool().await;
|
||||||
let mut actor = common::bootstrapped_vault(&db).await;
|
let mut actor = common::bootstrapped_vault(&db).await;
|
||||||
|
|
||||||
@@ -38,7 +38,7 @@ async fn test_decrypt_nonexistent_returns_not_found() {
|
|||||||
|
|
||||||
#[tokio::test]
|
#[tokio::test]
|
||||||
#[test_log::test]
|
#[test_log::test]
|
||||||
async fn test_ciphertext_differs_across_entries() {
|
async fn ciphertext_differs_across_entries() {
|
||||||
let db = db::create_test_pool().await;
|
let db = db::create_test_pool().await;
|
||||||
let mut actor = common::bootstrapped_vault(&db).await;
|
let mut actor = common::bootstrapped_vault(&db).await;
|
||||||
|
|
||||||
@@ -76,7 +76,7 @@ async fn test_ciphertext_differs_across_entries() {
|
|||||||
|
|
||||||
#[tokio::test]
|
#[tokio::test]
|
||||||
#[test_log::test]
|
#[test_log::test]
|
||||||
async fn test_nonce_never_reused() {
|
async fn nonce_never_reused() {
|
||||||
let db = db::create_test_pool().await;
|
let db = db::create_test_pool().await;
|
||||||
let mut actor = common::bootstrapped_vault(&db).await;
|
let mut actor = common::bootstrapped_vault(&db).await;
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user