Merge pull request 'security(server): bind grant revocation state (revoked_at) to integrity hash' (#83) from security-hash-revoke_at into main

Reviewed-on: #83

server/Cargo.toml

@@ -76,6 +76,7 @@ needless_pass_by_ref_mut = "allow"
 pub_underscore_fields = "allow"
 redundant_pub_crate = "allow" 
 uninhabited_references = "allow" # safe with unsafe_code = "forbid" and standard uninhabited pattern (match *self {})
+too-many-lines = "allow" # this is a very common pattern in server code, and it's not always possible to break it down into smaller modules without hurting readability
 
 # restriction lints
 alloc_instead_of_core = "warn"

server/crates/arbiter-client/src/auth.rs

@@ -100,7 +100,7 @@ async fn send_auth_challenge_solution(
     key: &SigningKey,
     challenge: AuthChallenge,
 ) -> Result<(), AuthError> {
-    let timestamp = DateTime::from_timestamp_nanos(challenge.timestamp_nanos as i64);
+    let timestamp = DateTime::from_timestamp_nanos(challenge.timestamp_nanos.cast_signed());
     let challenge = authn::AuthChallenge {
         nonce: *challenge
             .random

server/crates/arbiter-server/src/actors/evm/mod.rs

@@ -160,29 +160,14 @@ impl EvmActor {
     }
 
     #[message]
-    #[expect(clippy::unused_async, reason = "reserved for impl")]
+    pub async fn useragent_delete_grant(
-    pub async fn operator_delete_grant(&mut self, _grant_id: i32) -> Result<(), Error> {
+        &mut self,
-        // let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
+        grant_id: i32,
-        // let vault = self.vault.clone();
+    ) -> Result<(), Error> {
-
+        self.engine
-        // diesel_async::AsyncConnection::transaction(&mut conn, |conn| {
+            .revoke_grant(grant_id)
-        //     Box::pin(async move {
+            .await
-        //         diesel::update(schema::evm_basic_grant::table)
+            .map_err(Error::from)
-        //             .filter(schema::evm_basic_grant::id.eq(grant_id))
-        //             .set(schema::evm_basic_grant::revoked_at.eq(SqliteTimestamp::now()))
-        //             .execute(conn)
-        //             .await?;
-
-        //         let signed = integrity::evm::load_signed_grant_by_basic_id(conn, grant_id).await?;
-
-        //         diesel::result::QueryResult::Ok(())
-        //     })
-        // })
-        // .await
-        // .map_err(DatabaseError::from)?;
-
-        // Ok(())
-        todo!()
     }
 
     #[message]

server/crates/arbiter-server/src/actors/vault/mod.rs

@@ -346,12 +346,10 @@ impl Vault {
             root_key_history_id,
         } = Self::expect_unsealed(&mut self.state)?;
 
-        let mut hmac = root_key
+        let mut hmac = root_key.0.read_inline(|k| {
-            .0
+            HmacSha256::new_from_slice(k)
-            .read_inline(|k| match HmacSha256::new_from_slice(k) {
+                .unwrap_or_else(|_| unreachable!("HMAC accepts keys of any size"))
-                Ok(v) => v,
+        });
-                Err(_) => unreachable!("HMAC accepts keys of any size"),
-            });
         hmac.update(&root_key_history_id.to_be_bytes());
         hmac.update(&mac_input);
 
@@ -375,12 +373,10 @@ impl Vault {
             return Ok(false);
         }
 
-        let mut hmac = root_key
+        let mut hmac = root_key.0.read_inline(|k| {
-            .0
+            HmacSha256::new_from_slice(k)
-            .read_inline(|k| match HmacSha256::new_from_slice(k) {
+                .unwrap_or_else(|_| unreachable!("HMAC accepts keys of any size"))
-                Ok(v) => v,
+        });
-                Err(_) => unreachable!("HMAC accepts keys of any size"),
-            });
         hmac.update(&key_version.to_be_bytes());
         hmac.update(&mac_input);
 
@@ -423,12 +419,13 @@ mod tests {
     async fn nonce_monotonic_even_when_nonce_allocation_interleaves() {
         let db = db::create_test_pool().await;
         let mut actor = bootstrapped_actor(&db).await;
-        let root_key_history_id = match actor.state {
+
-            State::Unsealed(Unsealed {
+        let State::Unsealed(Unsealed {
-                root_key_history_id,
+            root_key_history_id,
-                ..
+            ..
-            }) => root_key_history_id,
+        }) = actor.state
-            _ => panic!("expected unsealed state"),
+        else {
+            panic!("expected unsealed state")
         };
 
         let n1 = Vault::get_new_nonce(&db, root_key_history_id)
@@ -440,8 +437,8 @@ mod tests {
         assert!(n2.to_vec() > n1.to_vec(), "nonce must increase");
 
         let mut conn = db.get().await.unwrap();
-        let root_row: models::RootKeyHistory = schema::root_key_history::table
+        let root_row: RootKeyHistory = schema::root_key_history::table
-            .select(models::RootKeyHistory::as_select())
+            .select(RootKeyHistory::as_select())
             .first(&mut conn)
             .await
             .unwrap();

server/crates/arbiter-server/src/evm/mod.rs

@@ -1,28 +1,34 @@
+use diesel_async::{AsyncConnection, RunQueryDsl};
+use kameo::actor::ActorRef;
+
 use crate::{
     actors::vault::Vault,
     crypto::integrity,
     db::{
         self, DatabaseError,
         models::{
-            EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
+            EvmBasicGrant, EvmEtherTransferGrant, EvmEtherTransferGrantTarget,
+            EvmEtherTransferLimit, EvmTokenTransferGrant, EvmTokenTransferVolumeLimit,
+            EvmWalletAccess, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
         },
         schema::{self, evm_transaction_log},
     },
     evm::policies::{
         CombinedSettings, DatabaseID, EvalContext, EvalViolation, Grant, Policy,
-        SharedGrantSettings, SpecificGrant, SpecificMeaning, ether_transfer::EtherTransfer,
+        SharedGrantSettings, SpecificGrant, SpecificMeaning, VolumeRateLimit,
-        token_transfers::TokenTransfer,
+        ether_transfer::EtherTransfer, token_transfers::TokenTransfer,
     },
 };
 
 use alloy::{
     consensus::TxEip1559,
-    primitives::{TxKind, U256},
+    primitives::{Address, TxKind, U256},
 };
 use chrono::Utc;
-use diesel::{ExpressionMethods as _, QueryDsl as _, QueryResult, insert_into, sqlite::Sqlite};
+use diesel::{
-use diesel_async::{AsyncConnection, RunQueryDsl};
+    ExpressionMethods as _, OptionalExtension, QueryDsl as _, QueryResult, SelectableHelper,
-use kameo::actor::ActorRef;
+    insert_into, sqlite::Sqlite, update,
+};
 
 pub mod abi;
 pub mod safe_signer;
@@ -272,6 +278,151 @@ impl Engine {
         Ok(id)
     }
 
+    pub async fn revoke_grant(
+        &self,
+        basic_grant_id: i32,
+    ) -> Result<(), DatabaseError> {
+        let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
+        let vault = self.vault.clone();
+
+        conn.transaction(async move |conn| {
+            use crate::db::schema::{
+                evm_basic_grant, evm_ether_transfer_grant, evm_ether_transfer_grant_target,
+                evm_ether_transfer_limit, evm_token_transfer_grant,
+                evm_token_transfer_volume_limit,
+            };
+
+            update(evm_basic_grant::table)
+                .filter(evm_basic_grant::id.eq(basic_grant_id))
+                .set(evm_basic_grant::revoked_at.eq(SqliteTimestamp(Utc::now())))
+                .execute(&mut *conn)
+                .await?;
+
+            let basic_grant: EvmBasicGrant = evm_basic_grant::table
+                .filter(evm_basic_grant::id.eq(basic_grant_id))
+                .select(EvmBasicGrant::as_select())
+                .first(&mut *conn)
+                .await?;
+
+            let shared = SharedGrantSettings::try_from_model(basic_grant)?;
+
+            if let Some(ether_grant) = evm_ether_transfer_grant::table
+                .filter(evm_ether_transfer_grant::basic_grant_id.eq(basic_grant_id))
+                .select(EvmEtherTransferGrant::as_select())
+                .first(&mut *conn)
+                .await
+                .optional()?
+            {
+                let target_rows: Vec<EvmEtherTransferGrantTarget> =
+                    evm_ether_transfer_grant_target::table
+                        .filter(evm_ether_transfer_grant_target::grant_id.eq(ether_grant.id))
+                        .select(EvmEtherTransferGrantTarget::as_select())
+                        .load(&mut *conn)
+                        .await?;
+                let targets: Vec<Address> = target_rows
+                    .into_iter()
+                    .filter_map(|target| {
+                        let arr: [u8; 20] = target.address.try_into().ok()?;
+                        Some(Address::from(arr))
+                    })
+                    .collect();
+
+                let limit: EvmEtherTransferLimit = evm_ether_transfer_limit::table
+                    .filter(evm_ether_transfer_limit::id.eq(ether_grant.limit_id))
+                    .select(EvmEtherTransferLimit::as_select())
+                    .first(&mut *conn)
+                    .await?;
+
+                let settings = CombinedSettings {
+                    shared: shared.clone(),
+                    specific: policies::ether_transfer::Settings {
+                        target: targets,
+                        limit: VolumeRateLimit {
+                            max_volume: utils::try_bytes_to_u256(&limit.max_volume).map_err(
+                                |err| {
+                                    diesel::result::Error::DeserializationError(Box::new(err))
+                                },
+                            )?,
+                            window: chrono::Duration::seconds(limit.window_secs.into()),
+                        },
+                    },
+                };
+
+                integrity::sign_entity(&mut *conn, &vault, &settings, basic_grant_id)
+                    .await
+                    .map_err(|_| diesel::result::Error::RollbackTransaction)?;
+
+                return QueryResult::Ok(());
+            }
+
+            if let Some(token_grant) = evm_token_transfer_grant::table
+                .filter(evm_token_transfer_grant::basic_grant_id.eq(basic_grant_id))
+                .select(EvmTokenTransferGrant::as_select())
+                .first(&mut *conn)
+                .await
+                .optional()?
+            {
+                let volume_limit_rows: Vec<EvmTokenTransferVolumeLimit> =
+                    evm_token_transfer_volume_limit::table
+                        .filter(evm_token_transfer_volume_limit::grant_id.eq(token_grant.id))
+                        .select(EvmTokenTransferVolumeLimit::as_select())
+                        .load(&mut *conn)
+                        .await?;
+                let volume_limits: Vec<VolumeRateLimit> = volume_limit_rows
+                    .into_iter()
+                    .map(|row| {
+                        Ok(VolumeRateLimit {
+                            max_volume: utils::try_bytes_to_u256(&row.max_volume).map_err(
+                                |err| {
+                                    diesel::result::Error::DeserializationError(Box::new(err))
+                                },
+                            )?,
+                            window: chrono::Duration::seconds(row.window_secs.into()),
+                        })
+                    })
+                    .collect::<QueryResult<Vec<_>>>()?;
+
+                let target: Option<Address> = match token_grant.receiver {
+                    None => None,
+                    Some(bytes) => {
+                        let arr: [u8; 20] = bytes.try_into().map_err(|_| {
+                            diesel::result::Error::DeserializationError(
+                                "Invalid receiver address length".into(),
+                            )
+                        })?;
+                        Some(Address::from(arr))
+                    }
+                };
+
+                let token_contract: [u8; 20] =
+                    token_grant.token_contract.clone().try_into().map_err(|_| {
+                        diesel::result::Error::DeserializationError(
+                            "Invalid token contract address length".into(),
+                        )
+                    })?;
+
+                let settings = CombinedSettings {
+                    shared,
+                    specific: policies::token_transfers::Settings {
+                        token_contract: Address::from(token_contract),
+                        target,
+                        volume_limits,
+                    },
+                };
+
+                integrity::sign_entity(&mut *conn, &vault, &settings, basic_grant_id)
+                    .await
+                    .map_err(|_| diesel::result::Error::RollbackTransaction)?;
+
+                return QueryResult::Ok(());
+            }
+
+            Err(diesel::result::Error::NotFound)
+        })
+        .await
+        .map_err(DatabaseError::from)
+    }
+
     async fn list_one_kind<Kind: Policy, Y>(
         &self,
         conn: &mut impl AsyncConnection<Backend = Sqlite>,
@@ -351,11 +502,15 @@ impl Engine {
 #[cfg(test)]
 mod tests {
     use alloy::primitives::{Address, Bytes, U256, address};
+    use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
     use chrono::{Duration, Utc};
     use diesel::{SelectableHelper, insert_into};
     use diesel_async::RunQueryDsl;
+    use kameo::{actor::ActorRef, prelude::Spawn};
     use rstest::rstest;
 
+    use crate::actors::{GlobalActors, vault::{Bootstrap, Vault}};
+    use crate::crypto::integrity;
     use crate::db::{
         self, DatabaseConnection,
         models::{
@@ -363,8 +518,10 @@ mod tests {
         },
         schema::{evm_basic_grant, evm_transaction_log},
     };
+    use crate::evm::policies::ether_transfer::EtherTransfer;
     use crate::evm::policies::{
-        EvalContext, EvalViolation, SharedGrantSettings, TransactionRateLimit,
+        CombinedSettings, EvalContext, EvalViolation, Policy, SharedGrantSettings,
+        TransactionRateLimit, VolumeRateLimit,
     };
 
     use super::check_shared_constraints;
@@ -396,6 +553,7 @@ mod tests {
             chain: CHAIN_ID,
             valid_from: None,
             valid_until: None,
+            revoked_at: None,
             max_gas_fee_per_gas: None,
             max_priority_fee_per_gas: None,
             rate_limit: None,
@@ -604,4 +762,115 @@ mod tests {
             assert!(violations.is_empty());
         }
     }
+
+    async fn bootstrapped_vault(db: &db::DatabasePool) -> ActorRef<Vault> {
+        let actor = Vault::spawn(
+            Vault::new(db.clone(), GlobalActors::spawn_message_bus())
+                .await
+                .unwrap(),
+        );
+        actor
+            .ask(Bootstrap {
+                seal_key_raw: SafeCell::new(b"integrity-test-seal-key".to_vec()),
+            })
+            .await
+            .unwrap();
+        actor
+    }
+
+    #[tokio::test]
+    async fn revoke_grant_preserves_revoked_integrity() {
+        use crate::db::schema::evm_basic_grant;
+        use diesel::ExpressionMethods as _;
+
+        let db = db::create_test_pool().await;
+        let vault = bootstrapped_vault(&db).await;
+        let engine = super::Engine::new(db.clone(), vault.clone());
+
+        let full_grant = CombinedSettings {
+            shared: SharedGrantSettings {
+                wallet_access_id: WALLET_ACCESS_ID,
+                chain: CHAIN_ID,
+                valid_from: None,
+                valid_until: None,
+                revoked_at: None,
+                max_gas_fee_per_gas: None,
+                max_priority_fee_per_gas: None,
+                rate_limit: None,
+            },
+            specific: super::policies::ether_transfer::Settings {
+                target: vec![RECIPIENT],
+                limit: VolumeRateLimit {
+                    max_volume: U256::from(100u64),
+                    window: Duration::hours(1),
+                },
+            },
+        };
+
+        let grant_id = engine
+            .create_grant::<EtherTransfer>(full_grant)
+            .await
+            .unwrap();
+
+        engine.revoke_grant(grant_id).await.unwrap();
+
+        let mut conn = db.get().await.unwrap();
+        diesel::update(evm_basic_grant::table)
+            .filter(evm_basic_grant::id.eq(grant_id))
+            .set(evm_basic_grant::revoked_at.eq::<Option<SqliteTimestamp>>(None))
+            .execute(&mut conn)
+            .await
+            .unwrap();
+
+        let wallet_access = EvmWalletAccess {
+            id: WALLET_ACCESS_ID,
+            wallet_id: 10,
+            client_id: 20,
+            created_at: SqliteTimestamp(Utc::now()),
+        };
+        let context = EvalContext {
+            target: wallet_access,
+            chain: CHAIN_ID,
+            to: RECIPIENT,
+            value: U256::ONE,
+            calldata: Bytes::new(),
+            max_fee_per_gas: 1,
+            max_priority_fee_per_gas: 1,
+        };
+
+        let grant = EtherTransfer::try_find_grant(
+            &context, &mut conn,
+        )
+        .await
+        .unwrap()
+        .unwrap();
+
+        let result =
+            integrity::verify_entity(&mut conn, &vault, &grant.settings, grant.id).await;
+
+        assert!(matches!(
+            result,
+            Err(integrity::Error::MacMismatch { .. })
+        ));
+    }
+
+    #[test]
+    fn shared_settings_hash_changes_when_revoked_at_changes() {
+        use arbiter_crypto::hashing::Hashable;
+        use sha2::Digest;
+
+        let active = shared_settings();
+        let revoked = SharedGrantSettings {
+            revoked_at: Some(Utc::now()),
+            ..shared_settings()
+        };
+
+        let mut active_hash = sha2::Sha256::new();
+        active.hash(&mut active_hash);
+
+        let mut revoked_hash = sha2::Sha256::new();
+        revoked.hash(&mut revoked_hash);
+
+        assert_ne!(active_hash.finalize(), revoked_hash.finalize());
+    }
 }

server/crates/arbiter-server/src/evm/policies.rs

@@ -144,6 +144,7 @@ pub struct SharedGrantSettings {
 
     pub valid_from: Option<DateTime<Utc>>,
     pub valid_until: Option<DateTime<Utc>>,
+    pub revoked_at: Option<DateTime<Utc>>,
 
     pub max_gas_fee_per_gas: Option<U256>,
     pub max_priority_fee_per_gas: Option<U256>,
@@ -158,6 +159,7 @@ impl SharedGrantSettings {
             chain: model.chain_id.into(),
             valid_from: model.valid_from.map(Into::into),
             valid_until: model.valid_until.map(Into::into),
+            revoked_at: model.revoked_at.map(Into::into),
             max_gas_fee_per_gas: model
                 .max_gas_fee_per_gas
                 .map(|b| utils::try_bytes_to_u256(&b))

server/crates/arbiter-server/src/evm/policies/ether_transfer/tests.rs

@@ -79,6 +79,7 @@ fn shared() -> SharedGrantSettings {
         chain: CHAIN_ID,
         valid_from: None,
         valid_until: None,
+        revoked_at: None,
         max_gas_fee_per_gas: None,
         max_priority_fee_per_gas: None,
         rate_limit: None,

server/crates/arbiter-server/src/evm/policies/token_transfers/tests.rs

@@ -98,6 +98,7 @@ fn shared() -> SharedGrantSettings {
         chain: CHAIN_ID,
         valid_from: None,
         valid_until: None,
+        revoked_at: None,
         max_gas_fee_per_gas: None,
         max_priority_fee_per_gas: None,
         rate_limit: None,

server/crates/arbiter-server/src/grpc/client/auth.rs

@@ -200,7 +200,7 @@ impl Convert for auth::Outbound {
                         .timestamp
                         .timestamp_nanos_opt()
                         .expect("timestamp within range")
-                        as u64,
+                        .cast_unsigned(),
                     random: challenge.nonce.to_vec(),
                 })
             }

server/crates/arbiter-server/src/grpc/operator/auth.rs

@@ -80,7 +80,7 @@ impl Sender<Result<auth::Outbound, auth::Error>> for AuthTransportAdapter<'_> {
                         .timestamp
                         .timestamp_nanos_opt()
                         .expect("timestamp within range")
-                        as u64,
+                        .cast_unsigned(),
                     random: challenge.nonce.to_vec(),
                 })
             }

server/crates/arbiter-server/src/grpc/operator/inbound.rs

@@ -87,6 +87,7 @@ impl TryConvert for ProtoSharedSettings {
                 .valid_until
                 .map(ProtoTimestamp::try_convert)
                 .transpose()?,
+            revoked_at: None,
             max_gas_fee_per_gas: self
                 .max_gas_fee_per_gas
                 .as_deref()

server/crates/arbiter-server/src/peers/client/auth.rs

@@ -298,7 +298,7 @@ where
 
     let signature = expect_message(transport, |req: Inbound| match req {
         Inbound::AuthChallengeSolution { signature } => Some(signature),
-        _ => None,
+        Inbound::AuthChallengeRequest { .. } => None,
     })
     .await
     .map_err(|e| {

server/crates/arbiter-server/src/peers/operator/auth/state.rs

@@ -19,7 +19,7 @@ pub(super) struct ChallengeRequest {
     pub(super) bootstrap_token: Option<String>,
 }
 
-pub(super) struct ChallengeContext {
+pub struct ChallengeContext {
     pub(super) challenge: AuthChallenge,
     pub(super) pubkey: authn::PublicKey,
     pub(super) bootstrap_token: Option<String>,
@@ -127,8 +127,6 @@ where
         })
     }
 
-    #[allow(missing_docs)]
-    #[allow(clippy::unused_unit)]
     async fn verify_solution(
         &mut self,
         ChallengeContext {

server/crates/arbiter-server/src/peers/operator/session/handlers.rs

@@ -212,8 +212,7 @@ impl OperatorSession {
         &mut self,
     ) -> Result<Vec<EvmWalletAccess>, Error> {
         let mut conn = self.props.db.get().await?;
-        use crate::db::schema::evm_wallet_access;
+        let access_entries = crate::db::schema::evm_wallet_access::table
-        let access_entries = evm_wallet_access::table
             .select(EvmWalletAccess::as_select())
             .load::<_>(&mut conn)
             .await?;

server/crates/arbiter-server/src/peers/operator/session/mod.rs

@@ -63,7 +63,7 @@ impl OperatorSession {
         Self {
             props,
             sender,
-            pending_client_approvals: Default::default(),
+            pending_client_approvals: HashMap::default(),
         }
     }
 }

server/crates/arbiter-server/tests/operator/auth.rs

@@ -400,7 +400,7 @@ pub async fn challenge_auth_rejects_integrity_tag_mismatch_when_unsealed() {
     let challenge = match response {
         Ok(resp) => match resp {
             auth::Outbound::AuthChallenge { challenge } => challenge,
-            other => panic!("Expected AuthChallenge, got {other:?}"),
+            other @ auth::Outbound::AuthSuccess => panic!("Expected AuthChallenge, got {other:?}"),
         },
         Err(err) => panic!("Expected Ok response, got Err({err:?})"),
     };

server/crates/arbiter-server/tests/vault/lifecycle.rs

@@ -14,7 +14,7 @@ use diesel_async::RunQueryDsl;
 
 #[tokio::test]
 #[test_log::test]
-async fn test_bootstrap() {
+async fn bootstrap() {
     let db = db::create_test_pool().await;
     let mut actor = Vault::new(db.clone(), GlobalActors::spawn_message_bus())
         .await
@@ -39,7 +39,7 @@ async fn test_bootstrap() {
 
 #[tokio::test]
 #[test_log::test]
-async fn test_bootstrap_rejects_double() {
+async fn bootstrap_rejects_double() {
     let db = db::create_test_pool().await;
     let mut actor = common::bootstrapped_vault(&db).await;
 
@@ -50,7 +50,7 @@ async fn test_bootstrap_rejects_double() {
 
 #[tokio::test]
 #[test_log::test]
-async fn test_create_new_before_bootstrap_fails() {
+async fn create_new_before_bootstrap_fails() {
     let db = db::create_test_pool().await;
     let mut actor = Vault::new(db, GlobalActors::spawn_message_bus())
         .await
@@ -65,7 +65,7 @@ async fn test_create_new_before_bootstrap_fails() {
 
 #[tokio::test]
 #[test_log::test]
-async fn test_decrypt_before_bootstrap_fails() {
+async fn decrypt_before_bootstrap_fails() {
     let db = db::create_test_pool().await;
     let mut actor = Vault::new(db, GlobalActors::spawn_message_bus())
         .await
@@ -77,7 +77,7 @@ async fn test_decrypt_before_bootstrap_fails() {
 
 #[tokio::test]
 #[test_log::test]
-async fn test_new_restores_sealed_state() {
+async fn new_restores_sealed_state() {
     let db = db::create_test_pool().await;
     let actor = common::bootstrapped_vault(&db).await;
     drop(actor);
@@ -91,7 +91,7 @@ async fn test_new_restores_sealed_state() {
 
 #[tokio::test]
 #[test_log::test]
-async fn test_unseal_correct_password() {
+async fn unseal_correct_password() {
     let db = db::create_test_pool().await;
     let mut actor = common::bootstrapped_vault(&db).await;
 
@@ -114,7 +114,7 @@ async fn test_unseal_correct_password() {
 
 #[tokio::test]
 #[test_log::test]
-async fn test_unseal_wrong_then_correct_password() {
+async fn unseal_wrong_then_correct_password() {
     let db = db::create_test_pool().await;
     let mut actor = common::bootstrapped_vault(&db).await;
 

server/crates/arbiter-server/tests/vault/storage.rs

@@ -12,7 +12,7 @@ use std::collections::HashSet;
 
 #[tokio::test]
 #[test_log::test]
-async fn test_create_decrypt_roundtrip() {
+async fn create_decrypt_roundtrip() {
     let db = db::create_test_pool().await;
     let mut actor = common::bootstrapped_vault(&db).await;
 
@@ -28,7 +28,7 @@ async fn test_create_decrypt_roundtrip() {
 
 #[tokio::test]
 #[test_log::test]
-async fn test_decrypt_nonexistent_returns_not_found() {
+async fn decrypt_nonexistent_returns_not_found() {
     let db = db::create_test_pool().await;
     let mut actor = common::bootstrapped_vault(&db).await;
 
@@ -38,7 +38,7 @@ async fn test_decrypt_nonexistent_returns_not_found() {
 
 #[tokio::test]
 #[test_log::test]
-async fn test_ciphertext_differs_across_entries() {
+async fn ciphertext_differs_across_entries() {
     let db = db::create_test_pool().await;
     let mut actor = common::bootstrapped_vault(&db).await;
 
@@ -76,7 +76,7 @@ async fn test_ciphertext_differs_across_entries() {
 
 #[tokio::test]
 #[test_log::test]
-async fn test_nonce_never_reused() {
+async fn nonce_never_reused() {
     let db = db::create_test_pool().await;
     let mut actor = common::bootstrapped_vault(&db).await;