diff --git a/Cargo.toml b/Cargo.toml index 2a5b6bda1cfc334e731950aab2f892d26eb71364..c22074eb82ee1a3cc33ce6f5ff520b2e6b6067a4 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -72,6 +72,7 @@ futures = "0.3.26" utoipa = { version = "3", features = ["actix_extras"] } utoipa-swagger-ui = { version ="3.1.3", features = ["actix-web"]} efi_signer = "0.2.0" +regex = "1" [build-dependencies] tonic-build = "0.8.4" diff --git a/src/client/cmd/add.rs b/src/client/cmd/add.rs index e34cd90c3c315c569f67a0b19c41cf578f9a3555..1bf79689f758410db8e1550b3dcb3cf6b29e59f5 100644 --- a/src/client/cmd/add.rs +++ b/src/client/cmd/add.rs @@ -17,6 +17,7 @@ use clap::{Args}; use crate::util::error::Result; use config::{Config}; +use regex::Regex; use std::sync::{Arc, atomic::AtomicBool, RwLock}; use super::traits::SignCommand; use std::path::PathBuf; @@ -40,7 +41,8 @@ use std::sync::atomic::{AtomicI32, Ordering}; lazy_static! { pub static ref FILE_EXTENSION: HashMap> = HashMap::from([ (FileType::Rpm, vec!["rpm", "srpm"]), - (FileType::CheckSum, vec!["txt", "sha256sum"]), + //checksum file can be used for any file + (FileType::CheckSum, vec![".*"]), (FileType::KernelModule, vec!["ko"]), (FileType::EfiImage, vec!["efi"]), ]); @@ -133,11 +135,14 @@ impl CommandAddHandler { fn file_candidates(&self, extension: &str) -> Result { let collections = FILE_EXTENSION.get( &self.file_type).ok_or_else(|| - error::Error::FileNotSupportError(format!("{}", self.file_type)))?; - if collections.contains(&extension) { - return Ok(true) + error::Error::FileNotSupportError(extension.to_string(), self.file_type.to_string()))?; + for value in collections { + let re = Regex::new(format!(r"^{}$", value).as_str()).unwrap(); + if re.is_match(extension) { + return Ok(true) + } } - Ok(false) + Err(error::Error::FileNotSupportError(extension.to_string(), self.file_type.to_string())) } } diff --git a/src/client/file_handler/checksum.rs b/src/client/file_handler/checksum.rs index fdfe5cd578dcd779cc8664daf2f4182a6c39566e..4d1333fb5cb64a97c084b473611c7fabe8a00305 100644 --- a/src/client/file_handler/checksum.rs +++ b/src/client/file_handler/checksum.rs @@ -15,7 +15,7 @@ */ use super::traits::FileHandler; -use crate::util::sign::{SignType, KeyType}; +use crate::util::sign::{KeyType}; use crate::util::error::Result; use async_trait::async_trait; use std::path::PathBuf; @@ -49,14 +49,10 @@ impl FileHandler for CheckSumFileHandler { } if let Some(key_type) = sign_options.get(options::KEY_TYPE) { - if let Some(sign_type) = sign_options.get(options::SIGN_TYPE) { - if sign_type != SignType::Cms.to_string().as_str() - && key_type == KeyType::X509.to_string().as_str() - { - return Err(Error::InvalidArgumentError( - "checksum file only support x509 key with cms sign type".to_string(), - )); - } + if key_type != KeyType::Pgp.to_string().as_str() { + return Err(Error::InvalidArgumentError( + "checksum file only support pgp key type".to_string(), + )); } } Ok(()) @@ -80,3 +76,53 @@ impl FileHandler for CheckSumFileHandler { )) } } + +#[cfg(test)] +mod test { + use super::*; + use std::env; + + #[test] + fn test_validate_options() { + let mut options = HashMap::new(); + options.insert(options::DETACHED.to_string(), "false".to_string()); + let handler = CheckSumFileHandler::new(); + let result = handler.validate_options(&options); + assert!(result.is_err()); + assert_eq!( + result.unwrap_err().to_string(), + "invalid argument: checksum file only support detached signature" + ); + + options.remove(options::DETACHED); + let result = handler.validate_options(&options); + assert!(result.is_ok()); + + options.insert(options::DETACHED.to_string(), "true".to_string()); + options.insert(options::KEY_TYPE.to_string(), KeyType::Pgp.to_string()); + let result = handler.validate_options(&options); + assert!(result.is_ok()); + + options.insert(options::KEY_TYPE.to_string(), KeyType::X509.to_string()); + let result = handler.validate_options(&options); + assert!(result.is_err()); + assert_eq!( + result.unwrap_err().to_string(), + "invalid argument: checksum file only support pgp key type" + ); + } + + #[tokio::test] + async fn test_assemble_data() { + let handler = CheckSumFileHandler::new(); + let options = HashMap::new(); + let path = PathBuf::from("./test_data/test.txt"); + let data = vec![vec![1, 2, 3]]; + let temp_dir = env::temp_dir(); + let result = handler.assemble_data(&path, data, &temp_dir, &options).await; + assert!(result.is_ok()); + let (temp_file, file_name) = result.expect("invoke assemble data should work"); + assert_eq!(temp_file.starts_with(temp_dir.to_str().unwrap()), true); + assert_eq!(file_name, "./test_data/test.txt.asc"); + } +} diff --git a/src/client/file_handler/kernel_module.rs b/src/client/file_handler/kernel_module.rs index 1a52f65f6f070978134baedf096cc0c2ccca226b..809b851301d76a88a55918addc22bd1428a0ec75 100644 --- a/src/client/file_handler/kernel_module.rs +++ b/src/client/file_handler/kernel_module.rs @@ -102,7 +102,7 @@ impl KernelModuleFileHandler { pub fn get_raw_content(&self, path: &PathBuf, sign_options: &mut HashMap) -> Result> { let raw_content = fs::read(path)?; let mut file = fs::File::open(path)?; - if file.metadata()?.len() <= MAGIC_NUMBER_SIZE as u64 { + if file.metadata()?.len() <= SIGNATURE_SIZE as u64 { return Ok(raw_content); } //identify magic string and end of the file @@ -207,3 +207,168 @@ impl FileHandler for KernelModuleFileHandler { )); } } + +#[cfg(test)] +mod test { + use super::*; + use std::env; + use rand::Rng; + + fn generate_signed_kernel_module(length: usize, incorrect_length: bool) -> Result<(String, Vec)> { + let mut rng = rand::thread_rng(); + let temp_file = env::temp_dir().join(Uuid::new_v4().to_string()); + let mut file = fs::File::create(temp_file.clone())?; + let raw_content: Vec = (0..length).map(|_| rng.gen_range(0..=255)).collect(); + file.write_all(&raw_content)?; + //append fake signature + let signature = vec![1,2,3,4,5,6]; + file.write_all(&signature)?; + let mut size = signature.len(); + if incorrect_length { + size = size + length + 2; + } + //append signature metadata + let signature = ModuleSignature::new(size as c_uint); + file.write_all(&bincode::encode_to_vec( + signature, + config::standard() + .with_fixed_int_encoding() + .with_big_endian())?)?; + file.write_all(MAGIC_NUMBER.as_bytes())?; + Ok((temp_file.display().to_string(), raw_content)) + } + + fn generate_unsigned_kernel_module(length: usize) -> Result<(String, Vec)> { + let mut rng = rand::thread_rng(); + let temp_file = env::temp_dir().join(Uuid::new_v4().to_string()); + let mut file = fs::File::create(temp_file.clone())?; + let raw_content: Vec = (0..length).map(|_| rng.gen_range(0..=255)).collect(); + file.write_all(&raw_content)?; + Ok((temp_file.display().to_string(), raw_content)) + } + + #[test] + fn test_get_raw_content_with_small_unsigned_content() { + let mut sign_options = HashMap::new(); + let file_handler = KernelModuleFileHandler::new(); + let (name, original_content) = generate_unsigned_kernel_module(SIGNATURE_SIZE-1).expect("generate unsigned kernel module failed"); + let path = PathBuf::from(name); + let raw_content = file_handler.get_raw_content(&path, &mut sign_options).expect("get raw content failed"); + assert_eq!(raw_content.len(), SIGNATURE_SIZE-1); + assert_eq!(original_content, raw_content); + } + + #[test] + fn test_get_raw_content_with_large_unsigned_content() { + let mut sign_options = HashMap::new(); + let file_handler = KernelModuleFileHandler::new(); + let (name, original_content) = generate_unsigned_kernel_module(SIGNATURE_SIZE+100).expect("generate unsigned kernel module failed"); + let path = PathBuf::from(name); + let raw_content = file_handler.get_raw_content(&path, &mut sign_options).expect("get raw content failed"); + assert_eq!(raw_content.len(), SIGNATURE_SIZE+100); + assert_eq!(original_content, raw_content); + } + + #[test] + fn test_get_raw_content_with_signed_content() { + let mut sign_options = HashMap::new(); + let file_handler = KernelModuleFileHandler::new(); + let (name, original_content) = generate_signed_kernel_module(100,false).expect("generate signed kernel module failed"); + let path = PathBuf::from(name); + let raw_content = file_handler.get_raw_content(&path, &mut sign_options).expect("get raw content failed"); + assert_eq!(raw_content.len(), 100); + assert_eq!(original_content, raw_content); + } + + #[test] + fn test_get_raw_content_with_invalid_signed_content() { + let mut sign_options = HashMap::new(); + let file_handler = KernelModuleFileHandler::new(); + let (name, _) = generate_signed_kernel_module(100,true).expect("generate signed kernel module failed"); + let path = PathBuf::from(name); + let result = file_handler.get_raw_content(&path, &mut sign_options); + assert_eq!( + result.unwrap_err().to_string(), + "failed to split file: invalid kernel module signature size found" + ); + } + + #[test] + fn test_validate_options() { + let mut options = HashMap::new(); + options.insert(options::KEY_TYPE.to_string(), KeyType::Pgp.to_string()); + let handler = KernelModuleFileHandler::new(); + let result = handler.validate_options(&options); + assert!(result.is_err()); + assert_eq!( + result.unwrap_err().to_string(), + "invalid argument: kernel module file only support x509 signature" + ); + + options.insert(options::KEY_TYPE.to_string(), KeyType::X509.to_string()); + options.insert(options::SIGN_TYPE.to_string(), SignType::Authenticode.to_string()); + let result = handler.validate_options(&options); + assert!(result.is_err()); + assert_eq!( + result.unwrap_err().to_string(), + "invalid argument: kernel module file only support cms or pkcs7 sign type" + ); + + + options.insert(options::SIGN_TYPE.to_string(), SignType::Cms.to_string()); + let result = handler.validate_options(&options); + assert!(result.is_ok()); + + options.insert(options::SIGN_TYPE.to_string(), SignType::PKCS7.to_string()); + let result = handler.validate_options(&options); + assert!(result.is_ok()); + } + + #[tokio::test] + async fn test_assemble_data_with_detached_true() { + let handler = KernelModuleFileHandler::new(); + let mut options = HashMap::new(); + options.insert(options::DETACHED.to_string(), "true".to_string()); + let path = PathBuf::from("./test_data/test.ko"); + let data = vec![vec![1, 2, 3]]; + let temp_dir = env::temp_dir(); + let result = handler.assemble_data(&path, data, &temp_dir, &options).await; + assert!(result.is_ok()); + let (temp_file, file_name) = result.expect("invoke assemble data should work"); + assert_eq!(temp_file.starts_with(temp_dir.to_str().unwrap()), true); + assert_eq!(file_name, "./test_data/test.ko.p7s"); + let result = fs::read(temp_file).expect("read temp file failed"); + assert_eq!(result, vec![1, 2, 3]); + } + + #[tokio::test] + async fn test_assemble_data_with_detached_false() { + let handler = KernelModuleFileHandler::new(); + let mut options = HashMap::new(); + options.insert(options::DETACHED.to_string(), "false".to_string()); + let (name, raw_content) = generate_signed_kernel_module(100,false).expect("generate signed kernel module failed"); + let path = PathBuf::from(name.clone()); + let data = vec![vec![1, 2, 3]]; + let temp_dir = env::temp_dir(); + let result = handler.assemble_data(&path, data, &temp_dir, &options).await; + assert!(result.is_ok()); + let (temp_file, file_name) = result.expect("invoke assemble data should work"); + assert_eq!(temp_file.starts_with(temp_dir.to_str().unwrap()), true); + assert_eq!(file_name, name); + let result = handler.get_raw_content(&PathBuf::from(temp_file), &mut options).expect("get raw content failed"); + assert_eq!(result, raw_content); + } + + #[tokio::test] + async fn test_split_content() { + let mut sign_options = HashMap::new(); + let file_handler = KernelModuleFileHandler::new(); + let (name, original_content) = generate_unsigned_kernel_module(SIGNATURE_SIZE-1).expect("generate unsigned kernel module failed"); + let path = PathBuf::from(name); + let raw_content = file_handler.split_data(&path, &mut sign_options).await.expect("get raw content failed"); + assert_eq!(raw_content[0].len(), SIGNATURE_SIZE-1); + assert_eq!(original_content, raw_content[0]); + } + +} + diff --git a/src/client_entrypoint.rs b/src/client_entrypoint.rs index 61caab57d5bba5209d8a54e3052d869f08f16f20..395dee24887558ad180d8b58b5bb1f6c016f310a 100644 --- a/src/client_entrypoint.rs +++ b/src/client_entrypoint.rs @@ -74,8 +74,13 @@ fn main() -> Result<()> { }; //handler and quit if let Some(handler) = command { - handler.validate().expect("failed to validate command option"); - if !handler.handle().expect("failed to perform command") { + if let Err(err) = handler.validate() { + error!("failed to validate command: {}", err); + return Err(err); + } + + if let Err(err) = handler.handle() { + error!("failed to handle command: {}", err); return Err(Error::PartialSuccessError) } } diff --git a/src/infra/sign_plugin/openpgp.rs b/src/infra/sign_plugin/openpgp.rs index eee3bc4f5e43dc2b5171e5ad144c63cc5578e46c..0fa57ce789f9b75889b0a43c781c7d74525dbe64 100644 --- a/src/infra/sign_plugin/openpgp.rs +++ b/src/infra/sign_plugin/openpgp.rs @@ -35,11 +35,12 @@ use std::io::{Cursor}; use std::str::from_utf8; use validator::{Validate, ValidationError}; use pgp::composed::StandaloneSignature; -use crate::domain::datakey::entity::{DataKey, DataKeyContent, SecDataKey, KeyType as DataKeyType}; +use crate::domain::datakey::entity::{DataKey, DataKeyContent, SecDataKey}; use crate::util::key::encode_u8_to_hex_string; use super::util::{validate_utc_time_not_expire, validate_utc_time, attributes_validate}; -const VALID_KEY_TYPE: [&str; 2] = ["rsa", "eddsa"]; +// NOTE: `eddsa` will be supported only when it's supported in rpm library, check https://github.com/rpm-rs/rpm/pull/146 +const VALID_KEY_TYPE: [&str; 1] = ["rsa"]; const VALID_KEY_SIZE: [&str; 3] = ["2048", "3072", "4096"]; const VALID_DIGEST_ALGORITHM: [&str; 10] = ["none", "md5", "sha1", "sha1", "sha2_256", "sha2_384","sha2_512","sha2_224","sha3_256", "sha3_512"]; @@ -293,6 +294,7 @@ mod test { use rand::Rng; use secstr::SecVec; use crate::domain::datakey::entity::{KeyState, Visibility}; + use crate::domain::datakey::entity::{KeyType}; use crate::util::options::DETACHED; fn get_default_parameter() -> HashMap { @@ -317,7 +319,7 @@ mod test { description: "fake description".to_string(), user: 1, attributes: get_default_parameter(), - key_type: DataKeyType::OpenPGP, + key_type: KeyType::OpenPGP, fingerprint: "".to_string(), private_key: vec![], public_key: vec![], diff --git a/src/infra/sign_plugin/x509.rs b/src/infra/sign_plugin/x509.rs index eaa0689addf8709f4ace5e915b76b689b5b62957..6fb9d8106b5a277ae74a4884a6e816cc145acd79 100644 --- a/src/infra/sign_plugin/x509.rs +++ b/src/infra/sign_plugin/x509.rs @@ -34,7 +34,7 @@ use serde::Deserialize; use validator::{Validate, ValidationError}; use crate::util::options; use crate::util::sign::SignType; -use crate::domain::datakey::entity::{DataKey, DataKeyContent, SecDataKey, KeyType as DataKeyType}; +use crate::domain::datakey::entity::{DataKey, DataKeyContent, SecDataKey}; use crate::util::error::{Error, Result}; use crate::domain::sign_plugin::SignPlugins; use crate::util::key::encode_u8_to_hex_string; @@ -264,6 +264,7 @@ mod test { use chrono::{Duration, Utc}; use secstr::SecVec; use crate::domain::datakey::entity::{KeyState, Visibility}; + use crate::domain::datakey::entity::{KeyType}; use crate::util::options::{DETACHED, SIGN_TYPE}; fn get_default_parameter() -> HashMap { @@ -292,7 +293,7 @@ mod test { description: "fake description".to_string(), user: 1, attributes: get_default_parameter(), - key_type: DataKeyType::X509, + key_type: KeyType::X509, fingerprint: "".to_string(), private_key: vec![], public_key: vec![], diff --git a/src/util/error.rs b/src/util/error.rs index 09e861dc3abb6803967bc02c33a2410c287fac26..083ff98818066b513671c943d90e030d7cc6acd5 100644 --- a/src/util/error.rs +++ b/src/util/error.rs @@ -96,8 +96,8 @@ pub enum Error { UnprivilegedError, //client error - #[error("file type not supported {0}")] - FileNotSupportError(String), + #[error("file extension {0} not supported for file {1}")] + FileNotSupportError(String, String), #[error("not any valid file found")] NoFileCandidateError, #[error("failed to split file: {0}")]