diff --git a/tough-kms/src/client.rs b/tough-kms/src/client.rs index 0dc78a990..6314be095 100644 --- a/tough-kms/src/client.rs +++ b/tough-kms/src/client.rs @@ -31,4 +31,3 @@ pub(crate) fn build_client_kms(profile: Option<&str>) -> Result { KmsClient::new(Region::default()) }) } - diff --git a/tough-kms/src/error.rs b/tough-kms/src/error.rs index 5f60ced8f..97c287eb7 100644 --- a/tough-kms/src/error.rs +++ b/tough-kms/src/error.rs @@ -9,7 +9,6 @@ pub type Result = std::result::Result; #[derive(Debug, Snafu)] #[snafu(visibility = "pub(crate)")] pub enum Error { - #[snafu(display( "Failed to create customer managed key for aws-kms://{}/{}: {}", profile.as_deref().unwrap_or(""), @@ -20,7 +19,7 @@ pub enum Error { profile: Option, key_id: String, source: rusoto_core::RusotoError, - backtrace: Backtrace + backtrace: Backtrace, }, #[snafu(display( @@ -37,7 +36,7 @@ pub enum Error { profile: Option, key_id: String, source: rusoto_core::RusotoError, - backtrace: Backtrace + backtrace: Backtrace, }, #[snafu(display("Error creating AWS credentials provider: {}", source))] @@ -82,7 +81,7 @@ pub enum Error { profile: Option, key_id: String, source: rusoto_core::RusotoError, - backtrace: Backtrace + backtrace: Backtrace, }, #[snafu(display( @@ -93,7 +92,7 @@ pub enum Error { ))] KmsAliasCheck { profile: Option, - key_id: String + key_id: String, }, #[snafu(display("Public key is none"))] @@ -106,7 +105,7 @@ pub enum Error { ))] WriteNotDefined { profile: Option, - key_id: String + key_id: String, }, #[snafu(display( @@ -117,6 +116,6 @@ pub enum Error { KeyMatadata { profile: Option, key_id: String, - backtrace: Backtrace + backtrace: Backtrace, }, } diff --git a/tough-kms/src/lib.rs b/tough-kms/src/lib.rs index 412d4b2df..53462dd16 100644 --- a/tough-kms/src/lib.rs +++ b/tough-kms/src/lib.rs @@ -1,22 +1,21 @@ // Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: MIT OR Apache-2.0 - -pub mod error; mod client; +pub mod error; use rusoto_kms::{Kms, KmsClient}; use snafu::{OptionExt, ResultExt}; +use std::fmt; use tough::key_source::KeySource; -use tough::sign::{KmsRsaKey, Sign}; use tough::schema::decoded::{Decoded, RsaPem}; -use std::fmt; use tough::schema::key::KmsSigningAlgorithms; +use tough::sign::{KmsRsaKey, Sign}; /// Implements the KeySource trait for keys that live in AWS KMS pub struct KmsKeySource { pub profile: Option, pub key_id: String, - pub client: Option + pub client: Option, } impl fmt::Debug for KmsKeySource { @@ -36,7 +35,7 @@ impl KeySource for KmsKeySource { { let kms_client = match self.client.clone() { Some(value) => value, - None => client::build_client_kms(self.profile.as_deref())? + None => client::build_client_kms(self.profile.as_deref())?, }; // Get the public key from aws kms let fut = kms_client.get_public_key(rusoto_kms::GetPublicKeyRequest { @@ -48,38 +47,42 @@ impl KeySource for KmsKeySource { .block_on(fut) .context(error::KmsGetPublicKey { profile: self.profile.clone(), - key_id : self.key_id.clone() + key_id: self.key_id.clone(), })?; - let pb_key :Decoded = response.public_key.context(error::PublicKeyNone)?.to_vec().into(); + let pb_key: Decoded = response + .public_key + .context(error::PublicKeyNone)? + .to_vec() + .into(); Ok(Box::new(KmsRsaKey { kms_client: kms_client.clone(), key_id: self.key_id.clone(), public_key: pb_key, - signing_algorithm: KmsSigningAlgorithms::Rsa(String::from("RSASSA_PSS_SHA_256")) + signing_algorithm: KmsSigningAlgorithms::Rsa(String::from("RSASSA_PSS_SHA_256")), })) } fn write( &self, - value: &str + value: &str, ) -> std::result::Result<(), Box> { let kms_client = match self.client.clone() { Some(value) => value, - None => client::build_client_kms(self.profile.as_deref())? + None => client::build_client_kms(self.profile.as_deref())?, }; // Assign an alias to the Key let fut = kms_client.create_alias(rusoto_kms::CreateAliasRequest { alias_name: self.key_id.clone(), - target_key_id: value.to_string().clone() + target_key_id: value.to_string(), }); let _response = tokio::runtime::Runtime::new() .context(error::RuntimeCreation)? .block_on(fut) .context(error::KmsCreateAlias { - alias : self.key_id.clone(), - target_key_id : value.to_string().clone(), + alias: self.key_id.clone(), + target_key_id: value.to_string(), profile: self.profile.clone(), - key_id : self.key_id.clone() + key_id: self.key_id.clone(), })?; Ok(()) } @@ -91,7 +94,7 @@ impl KeySource for KmsKeySource { ) -> Result<(), Box> { let kms_client = match self.client.clone() { Some(value) => value, - None => client::build_client_kms(self.profile.as_deref())? + None => client::build_client_kms(self.profile.as_deref())?, }; // Kms currently does not have an API to validate if the alias exist. As a Hack, // or temporary resolution, we are using the get_public_key API, if it succeeds than @@ -107,8 +110,9 @@ impl KeySource for KmsKeySource { if response.is_ok() { error::KmsAliasCheck { profile: self.profile.clone(), - key_id : self.key_id.clone() - }.fail()?; + key_id: self.key_id.clone(), + } + .fail()?; } // Create a new Customer managed Key in KMS let fut = kms_client.create_key(rusoto_kms::CreateKeyRequest { @@ -122,12 +126,12 @@ impl KeySource for KmsKeySource { .block_on(fut) .context(error::KmsCreateKey { profile: self.profile.clone(), - key_id : self.key_id.clone() + key_id: self.key_id.clone(), })? .key_metadata .context(error::KeyMatadata { profile: self.profile.clone(), - key_id : self.key_id.clone() + key_id: self.key_id.clone(), })? .key_id; self.write(&key_id) diff --git a/tough-kms/tests/all_test.rs b/tough-kms/tests/all_test.rs index bf18685bb..213906975 100644 --- a/tough-kms/tests/all_test.rs +++ b/tough-kms/tests/all_test.rs @@ -1,48 +1,48 @@ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: MIT OR Apache-2.0 mod test_utils; -use rusoto_kms::{KmsClient}; +use rusoto_kms::KmsClient; extern crate rusoto_mock; use self::rusoto_mock::*; -use tough::key_source::KeySource; -use tough::schema::key::{Key, RsaScheme, RsaKey}; +use ring::rand::SystemRandom; +use rusoto_core::signature::SignedRequest; +use rusoto_core::{HttpDispatchError, Region}; +use serde::Deserialize; use std::collections::HashMap; use std::fs::File; use std::io::BufReader; -use serde::Deserialize; -use ring::rand::SystemRandom; -use rusoto_core::{HttpDispatchError, Region}; -use rusoto_core::signature::SignedRequest; +use tough::key_source::KeySource; +use tough::schema::key::{Key, RsaKey, RsaScheme}; #[derive(Default, Debug, Clone, PartialEq, Deserialize)] struct PublicKeyResp { #[serde(rename = "PublicKey")] #[serde( - deserialize_with = "::rusoto_core::serialization::SerdeBlob::deserialize_blob", - serialize_with = "::rusoto_core::serialization::SerdeBlob::serialize_blob", - default + deserialize_with = "::rusoto_core::serialization::SerdeBlob::deserialize_blob", + serialize_with = "::rusoto_core::serialization::SerdeBlob::serialize_blob", + default )] #[serde(skip_serializing_if = "Option::is_none")] - public_key: bytes::Bytes + public_key: bytes::Bytes, } #[derive(Default, Debug, Clone, PartialEq, Deserialize)] struct SignResp { #[serde(rename = "Signature")] #[serde( - deserialize_with = "::rusoto_core::serialization::SerdeBlob::deserialize_blob", - serialize_with = "::rusoto_core::serialization::SerdeBlob::serialize_blob", - default + deserialize_with = "::rusoto_core::serialization::SerdeBlob::deserialize_blob", + serialize_with = "::rusoto_core::serialization::SerdeBlob::serialize_blob", + default )] #[serde(skip_serializing_if = "Option::is_none")] - signature: bytes::Bytes + signature: bytes::Bytes, } #[derive(Default, Debug, Clone, PartialEq, Deserialize)] struct CreateKeyResp { #[serde(rename = "KeyId")] #[serde(skip_serializing_if = "Option::is_none")] - key_id: String + key_id: String, } #[test] @@ -55,20 +55,28 @@ fn check_tuf_key_success() { let expected_key = Key::Rsa { keyval: RsaKey { public: expected_json.public_key.to_vec().into(), - _extra: HashMap::new() + _extra: HashMap::new(), }, scheme: RsaScheme::RsassaPssSha256, _extra: HashMap::new(), }; - let mock = MockRequestDispatcher::default().with_request_checker(|request: &SignedRequest| { - assert!(request.headers.get("x-amz-target").unwrap().contains(&Vec::from("TrentService.GetPublicKey"))); - }).with_body( - MockResponseReader::read_response(test_utils::test_data().to_str().unwrap(), input).as_ref()); + let mock = MockRequestDispatcher::default() + .with_request_checker(|request: &SignedRequest| { + assert!(request + .headers + .get("x-amz-target") + .unwrap() + .contains(&Vec::from("TrentService.GetPublicKey"))); + }) + .with_body( + MockResponseReader::read_response(test_utils::test_data().to_str().unwrap(), input) + .as_ref(), + ); let mock_client = KmsClient::new_with(mock, MockCredentialsProvider, Region::UsEast1); let kms_key = tough_kms::KmsKeySource { - profile : None, - key_id : key_id.clone(), - client: Some(mock_client) + profile: None, + key_id: key_id.clone(), + client: Some(mock_client), }; let sign = kms_key.as_sign().unwrap(); let key = sign.tuf_key(); @@ -80,82 +88,136 @@ fn check_tuf_key_success() { fn check_sign_success() { let resp_public_key = "response_public_key.json"; let resp_signature = "response_signature.json"; - let file = File::open(test_utils::test_data().join(resp_signature).to_str().unwrap()).unwrap(); + let file = File::open( + test_utils::test_data() + .join(resp_signature) + .to_str() + .unwrap(), + ) + .unwrap(); let reader = BufReader::new(file); let expected_json: SignResp = serde_json::from_reader(reader).unwrap(); let expected_signature = expected_json.signature.to_vec(); let mock = MultipleMockRequestDispatcher::new(vec![ - MockRequestDispatcher::with_status(200).with_request_checker(|request: &SignedRequest| { - assert!(request.headers.get("x-amz-target").unwrap().contains(&Vec::from("TrentService.GetPublicKey"))); - }).with_body( - MockResponseReader::read_response(test_utils::test_data().to_str().unwrap(), resp_public_key).as_ref()), - MockRequestDispatcher::with_status(200).with_request_checker(|request: &SignedRequest| { - assert!(request.headers.get("x-amz-target").unwrap().contains(&Vec::from("TrentService.Sign"))); - }).with_body( - MockResponseReader::read_response(test_utils::test_data().to_str().unwrap(), resp_signature).as_ref()) + MockRequestDispatcher::with_status(200) + .with_request_checker(|request: &SignedRequest| { + assert!(request + .headers + .get("x-amz-target") + .unwrap() + .contains(&Vec::from("TrentService.GetPublicKey"))); + }) + .with_body( + MockResponseReader::read_response( + test_utils::test_data().to_str().unwrap(), + resp_public_key, + ) + .as_ref(), + ), + MockRequestDispatcher::with_status(200) + .with_request_checker(|request: &SignedRequest| { + assert!(request + .headers + .get("x-amz-target") + .unwrap() + .contains(&Vec::from("TrentService.Sign"))); + }) + .with_body( + MockResponseReader::read_response( + test_utils::test_data().to_str().unwrap(), + resp_signature, + ) + .as_ref(), + ), ]); let mock_client = KmsClient::new_with(mock, MockCredentialsProvider, Region::UsEast1); let kms_key = tough_kms::KmsKeySource { - profile : None, - key_id : String::from("alias/some_alias"), - client: Some(mock_client) + profile: None, + key_id: String::from("alias/some_alias"), + client: Some(mock_client), }; let rng = SystemRandom::new(); let kms_sign = kms_key.as_sign().unwrap(); - let signature = kms_sign.sign("Some message to sign".as_bytes(), &rng).unwrap(); + let signature = kms_sign + .sign("Some message to sign".as_bytes(), &rng) + .unwrap(); assert_eq!(signature, expected_signature); } #[test] fn check_public_key_failure() { - let error_msg = String::from("The request was rejected because the specified CMK is not enabled."); - let mock = MockRequestDispatcher::with_dispatch_error( - HttpDispatchError::new(error_msg.clone()) - ); + let error_msg = + String::from("The request was rejected because the specified CMK is not enabled."); + let mock = + MockRequestDispatcher::with_dispatch_error(HttpDispatchError::new(error_msg.clone())); let client = KmsClient::new_with(mock, MockCredentialsProvider, Region::UsEast1); let key_id = String::from("alias/some_alias"); let kms_key = tough_kms::KmsKeySource { - profile : None, - key_id : key_id.clone(), - client: Some(client) + profile: None, + key_id: key_id.clone(), + client: Some(client), }; let result = kms_key.as_sign(); assert!(result.is_err()); let err = result.err().unwrap(); assert_eq!( - format!("Failed to get public key for aws-kms:///{} : {}", key_id.clone(), error_msg.clone()), + format!( + "Failed to get public key for aws-kms:///{} : {}", + key_id.clone(), + error_msg.clone() + ), err.to_string() ); } #[test] fn check_sign_request_failure() { - let error_msg = String::from("The request was rejected because the specified CMK is not enabled."); + let error_msg = + String::from("The request was rejected because the specified CMK is not enabled."); let resp_public_key = "response_public_key.json"; let key_id = String::from("alias/some_alias"); let mock = MultipleMockRequestDispatcher::new(vec![ - MockRequestDispatcher::with_status(200).with_request_checker(|request: &SignedRequest| { - assert!(request.headers.get("x-amz-target").unwrap().contains(&Vec::from("TrentService.GetPublicKey"))); - }).with_body( - MockResponseReader::read_response(test_utils::test_data().to_str().unwrap(), resp_public_key).as_ref()), - MockRequestDispatcher::with_dispatch_error( - HttpDispatchError::new(error_msg.clone())).with_request_checker(|request: &SignedRequest| { - assert!(request.headers.get("x-amz-target").unwrap().contains(&Vec::from("TrentService.Sign"))); - }) + MockRequestDispatcher::with_status(200) + .with_request_checker(|request: &SignedRequest| { + assert!(request + .headers + .get("x-amz-target") + .unwrap() + .contains(&Vec::from("TrentService.GetPublicKey"))); + }) + .with_body( + MockResponseReader::read_response( + test_utils::test_data().to_str().unwrap(), + resp_public_key, + ) + .as_ref(), + ), + MockRequestDispatcher::with_dispatch_error(HttpDispatchError::new(error_msg.clone())) + .with_request_checker(|request: &SignedRequest| { + assert!(request + .headers + .get("x-amz-target") + .unwrap() + .contains(&Vec::from("TrentService.Sign"))); + }), ]); let mock_client = KmsClient::new_with(mock, MockCredentialsProvider, Region::UsEast1); let kms_key = tough_kms::KmsKeySource { - profile : None, - key_id : key_id.clone(), - client: Some(mock_client) + profile: None, + key_id: key_id.clone(), + client: Some(mock_client), }; let rng = SystemRandom::new(); let kms_sign = kms_key.as_sign().unwrap(); - let result = kms_sign.sign("Some message to sign".as_bytes(), &rng); + let result = kms_sign.sign("Some message to sign".as_bytes(), &rng); assert!(result.is_err()); let err = result.err().unwrap(); assert_eq!( - format!("Not able to Sign message for key-id {} : {}", key_id.clone(), error_msg.clone()), + format!( + "Not able to Sign message for key-id {} : {}", + key_id.clone(), + error_msg.clone() + ), err.to_string() ); } @@ -166,42 +228,66 @@ fn check_signature_failure() { let resp_signature = "response_signature_empty.json"; let key_id = String::from("alias/some_alias"); let mock = MultipleMockRequestDispatcher::new(vec![ - MockRequestDispatcher::with_status(200).with_request_checker(|request: &SignedRequest| { - assert!(request.headers.get("x-amz-target").unwrap().contains(&Vec::from("TrentService.GetPublicKey"))); - }).with_body( - MockResponseReader::read_response(test_utils::test_data().to_str().unwrap(), resp_public_key).as_ref()), - MockRequestDispatcher::with_status(200).with_request_checker(|request: &SignedRequest| { - assert!(request.headers.get("x-amz-target").unwrap().contains(&Vec::from("TrentService.Sign"))); - }).with_body( - MockResponseReader::read_response(test_utils::test_data().to_str().unwrap(), resp_signature).as_ref()), + MockRequestDispatcher::with_status(200) + .with_request_checker(|request: &SignedRequest| { + assert!(request + .headers + .get("x-amz-target") + .unwrap() + .contains(&Vec::from("TrentService.GetPublicKey"))); + }) + .with_body( + MockResponseReader::read_response( + test_utils::test_data().to_str().unwrap(), + resp_public_key, + ) + .as_ref(), + ), + MockRequestDispatcher::with_status(200) + .with_request_checker(|request: &SignedRequest| { + assert!(request + .headers + .get("x-amz-target") + .unwrap() + .contains(&Vec::from("TrentService.Sign"))); + }) + .with_body( + MockResponseReader::read_response( + test_utils::test_data().to_str().unwrap(), + resp_signature, + ) + .as_ref(), + ), ]); let mock_client = KmsClient::new_with(mock, MockCredentialsProvider, Region::UsEast1); let kms_key = tough_kms::KmsKeySource { - profile : None, - key_id : key_id.clone(), - client: Some(mock_client) + profile: None, + key_id: key_id.clone(), + client: Some(mock_client), }; let rng = SystemRandom::new(); let kms_sign = kms_key.as_sign().unwrap(); - let result = kms_sign.sign("Some message to sign".as_bytes(), &rng); + let result = kms_sign.sign("Some message to sign".as_bytes(), &rng); assert!(result.is_err()); let err = result.err().unwrap(); - assert_eq!( - format!("Signature is None"), - err.to_string() - ); + assert_eq!(format!("Signature is None"), err.to_string()); } #[test] fn check_write_success() { - let mock = MockRequestDispatcher::with_status(200).with_request_checker(|request: &SignedRequest| { - assert!(request.headers.get("x-amz-target").unwrap().contains(&Vec::from("TrentService.CreateAlias"))); - }); + let mock = + MockRequestDispatcher::with_status(200).with_request_checker(|request: &SignedRequest| { + assert!(request + .headers + .get("x-amz-target") + .unwrap() + .contains(&Vec::from("TrentService.CreateAlias"))); + }); let mock_client = KmsClient::new_with(mock, MockCredentialsProvider, Region::UsEast1); let kms_key = tough_kms::KmsKeySource { - profile : None, - key_id : String::from("alias/some_alias"), - client: Some(mock_client) + profile: None, + key_id: String::from("alias/some_alias"), + client: Some(mock_client), }; let result = kms_key.write("key_id"); assert!(result.is_ok()); @@ -211,16 +297,22 @@ fn check_write_success() { #[test] fn check_write_failure() { let error_msg = String::from("Some Error message"); - let key_alias= String::from("alias/some_alias"); + let key_alias = String::from("alias/some_alias"); let profile = Some(String::from("Some profile")); - let mock = MockRequestDispatcher::with_dispatch_error(HttpDispatchError::new(error_msg.clone())).with_request_checker(|request: &SignedRequest| { - assert!(request.headers.get("x-amz-target").unwrap().contains(&Vec::from("TrentService.CreateAlias"))); - }); + let mock = + MockRequestDispatcher::with_dispatch_error(HttpDispatchError::new(error_msg.clone())) + .with_request_checker(|request: &SignedRequest| { + assert!(request + .headers + .get("x-amz-target") + .unwrap() + .contains(&Vec::from("TrentService.CreateAlias"))); + }); let mock_client = KmsClient::new_with(mock, MockCredentialsProvider, Region::UsEast1); let kms_key = tough_kms::KmsKeySource { - profile : profile.clone(), - key_id : key_alias.clone(), - client: Some(mock_client) + profile: profile.clone(), + key_id: key_alias.clone(), + client: Some(mock_client), }; let result = kms_key.write("Some Key Id"); assert!(result.is_err()); @@ -236,23 +328,44 @@ fn check_create_success() { let public_key_error = String::from("Key id is not available"); let resp_create_key = "response_create_key.json"; let mock = MultipleMockRequestDispatcher::new(vec![ - MockRequestDispatcher::with_dispatch_error( - HttpDispatchError::new(public_key_error.clone())).with_request_checker(|request: &SignedRequest| { - assert!(request.headers.get("x-amz-target").unwrap().contains(&Vec::from("TrentService.GetPublicKey"))); + MockRequestDispatcher::with_dispatch_error(HttpDispatchError::new( + public_key_error.clone(), + )) + .with_request_checker(|request: &SignedRequest| { + assert!(request + .headers + .get("x-amz-target") + .unwrap() + .contains(&Vec::from("TrentService.GetPublicKey"))); }), + MockRequestDispatcher::with_status(200) + .with_request_checker(|request: &SignedRequest| { + assert!(request + .headers + .get("x-amz-target") + .unwrap() + .contains(&Vec::from("TrentService.CreateKey"))); + }) + .with_body( + MockResponseReader::read_response( + test_utils::test_data().to_str().unwrap(), + resp_create_key, + ) + .as_ref(), + ), MockRequestDispatcher::with_status(200).with_request_checker(|request: &SignedRequest| { - assert!(request.headers.get("x-amz-target").unwrap().contains(&Vec::from("TrentService.CreateKey"))); - }).with_body( - MockResponseReader::read_response(test_utils::test_data().to_str().unwrap(), resp_create_key).as_ref()), - MockRequestDispatcher::with_status(200).with_request_checker(|request: &SignedRequest| { - assert!(request.headers.get("x-amz-target").unwrap().contains(&Vec::from("TrentService.CreateAlias"))); - }) + assert!(request + .headers + .get("x-amz-target") + .unwrap() + .contains(&Vec::from("TrentService.CreateAlias"))); + }), ]); let mock_client = KmsClient::new_with(mock, MockCredentialsProvider, Region::UsEast1); let kms_key = tough_kms::KmsKeySource { - profile : None, - key_id : String::from("alias/some_alias"), - client: Some(mock_client) + profile: None, + key_id: String::from("alias/some_alias"), + client: Some(mock_client), }; let result = kms_key.create(3072, 2048); assert!(result.is_ok()); @@ -261,54 +374,78 @@ fn check_create_success() { #[test] fn check_create_failure() { - let key_alias= String::from("alias/some_alias"); + let key_alias = String::from("alias/some_alias"); let profile = Some(String::from("Some profile")); let public_key_error = String::from("Key id is not available"); let create_error = String::from("Some error message"); let mock = MultipleMockRequestDispatcher::new(vec![ - MockRequestDispatcher::with_dispatch_error( - HttpDispatchError::new(public_key_error.clone())).with_request_checker(|request: &SignedRequest| { - assert!(request.headers.get("x-amz-target").unwrap().contains(&Vec::from("TrentService.GetPublicKey"))); + MockRequestDispatcher::with_dispatch_error(HttpDispatchError::new( + public_key_error.clone(), + )) + .with_request_checker(|request: &SignedRequest| { + assert!(request + .headers + .get("x-amz-target") + .unwrap() + .contains(&Vec::from("TrentService.GetPublicKey"))); }), - MockRequestDispatcher::with_dispatch_error( - HttpDispatchError::new(create_error.clone())).with_request_checker(|request: &SignedRequest| { - assert!(request.headers.get("x-amz-target").unwrap().contains(&Vec::from("TrentService.CreateKey"))); - }) + MockRequestDispatcher::with_dispatch_error(HttpDispatchError::new(create_error.clone())) + .with_request_checker(|request: &SignedRequest| { + assert!(request + .headers + .get("x-amz-target") + .unwrap() + .contains(&Vec::from("TrentService.CreateKey"))); + }), ]); let mock_client = KmsClient::new_with(mock, MockCredentialsProvider, Region::UsEast1); let kms_key = tough_kms::KmsKeySource { - profile : profile.clone(), - key_id : key_alias.clone(), - client: Some(mock_client) + profile: profile.clone(), + key_id: key_alias.clone(), + client: Some(mock_client), }; let result = kms_key.create(3072, 2048); assert!(result.is_err()); let err = result.err().unwrap(); assert_eq!( - format!("Failed to create customer managed key for aws-kms://{}/{}: {}", profile.as_deref().unwrap_or(""), key_alias.clone(), create_error.clone()), + format!( + "Failed to create customer managed key for aws-kms://{}/{}: {}", + profile.as_deref().unwrap_or(""), + key_alias.clone(), + create_error.clone() + ), err.to_string() ); } #[test] fn check_create_failure_alias_exist() { - let key_alias= String::from("alias/some_alias"); + let key_alias = String::from("alias/some_alias"); let profile = Some(String::from("Some profile")); - let mock = MockRequestDispatcher::with_status(200).with_request_checker(|request: &SignedRequest| { - assert!(request.headers.get("x-amz-target").unwrap().contains(&Vec::from("TrentService.GetPublicKey"))); - }); + let mock = + MockRequestDispatcher::with_status(200).with_request_checker(|request: &SignedRequest| { + assert!(request + .headers + .get("x-amz-target") + .unwrap() + .contains(&Vec::from("TrentService.GetPublicKey"))); + }); let mock_client = KmsClient::new_with(mock, MockCredentialsProvider, Region::UsEast1); let kms_key = tough_kms::KmsKeySource { - profile : profile.clone(), - key_id : key_alias.clone(), - client: Some(mock_client) + profile: profile.clone(), + key_id: key_alias.clone(), + client: Some(mock_client), }; let result = kms_key.create(3072, 2048); assert!(result.is_err()); let err = result.err().unwrap(); assert_eq!( - format!("Alias {} exist for aws-kms:://{}/{}",key_alias.clone(), profile.as_deref().unwrap_or(""), key_alias.clone()), + format!( + "Alias {} exist for aws-kms:://{}/{}", + key_alias.clone(), + profile.as_deref().unwrap_or(""), + key_alias.clone() + ), err.to_string() ); } - diff --git a/tough-kms/tests/data/response_create_key.json b/tough-kms/tests/data/response_create_key.json index a15783a77..4315e1142 100644 --- a/tough-kms/tests/data/response_create_key.json +++ b/tough-kms/tests/data/response_create_key.json @@ -2,4 +2,4 @@ "KeyMetadata" : { "KeyId": "SomeKeyId" } -} \ No newline at end of file +} diff --git a/tough-kms/tests/data/response_public_key.json b/tough-kms/tests/data/response_public_key.json index 64bd8f97b..609af474b 100644 --- a/tough-kms/tests/data/response_public_key.json +++ b/tough-kms/tests/data/response_public_key.json @@ -1,3 +1,3 @@ { "PublicKey" : "Ii0tLS0tQkVHSU4gUFVCTElDIEtFWS0tLS0tXG5NSUlCb2pBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVk4QU1JSUJpZ0tDQVlFQW5MNnU2UTlRNnBnMUc1MDIwYTgzXG5HbEgvYUZVTzBQUTVsZUlwd1dMOGtXZ3BhV3VVRzdvUmxPVUcyLzRjd041RkN2SkpHWHFVNUF0U0txMmZaNDJKXG41WFI5UU1pcDRQZzBRNm1FOFhDdkFYQW9NbmtXU2NoZHpnVDJHb0VudGFPZVJSVENVR2IvRHNWb3hzVlhqVjZtXG5GYVJNeDduaDhnZ3NoTVdnVFlnVFVESytDU0lCQ2NCV2FwQ0ZxMUJyTTYwWFptR1RxZUF1SFNIYVVVdUY5RzNiXG5nT2ZsSDVMOUlwUWthSFdiSnRHdnlLTHI1M21oV08ycjhCUFIzK0N0TlpvakFua3dtdTRsQTk0azhDN1RMTWRjXG51dHpVNE96T0RlOVVQRVJjMzNsUnY4REJnc0gzRjA3N1pRd3YvaWtaWFdTbEFDVERXWndlbm5jQ0V3cWRlRGQ0XG4rcTJBSHlxeFJON2JVQWg1N21VTitrRmQzU1MvNFQ0NHNmQnJKdzZONEpWL21FKy9ZZlJMV3RwSUtJc1huQkNiXG5yQytkdDk2VnF6Nmc2ZVZWdnFQd2hPQ1NLY1lzbXAvaVM2cXdWbjBEcTJTQ3JHRzFGVG1CamVBOVprY2paaFVHXG5RRU15TU5ob1MrVTJOeDVvSUVJcTJrUkVwdXUrS3NCU1RVYU9nUjA3V05VeEFnTUJBQUU9XG4tLS0tLUVORCBQVUJMSUMgS0VZLS0tLS1cbiI=" -} \ No newline at end of file +} diff --git a/tough-kms/tests/data/response_signature.json b/tough-kms/tests/data/response_signature.json index afbe598b6..ba0d01c21 100644 --- a/tough-kms/tests/data/response_signature.json +++ b/tough-kms/tests/data/response_signature.json @@ -1,3 +1,3 @@ { "Signature" : "U29tZSBtZXNzYWdlIHRvIHNpZ24=" -} \ No newline at end of file +} diff --git a/tough-kms/tests/data/response_signature_empty.json b/tough-kms/tests/data/response_signature_empty.json index 7a73a41bf..2c63c0851 100644 --- a/tough-kms/tests/data/response_signature_empty.json +++ b/tough-kms/tests/data/response_signature_empty.json @@ -1,2 +1,2 @@ { -} \ No newline at end of file +} diff --git a/tough-kms/tests/test_utils.rs b/tough-kms/tests/test_utils.rs index 1293afd9f..f4c6d47ce 100644 --- a/tough-kms/tests/test_utils.rs +++ b/tough-kms/tests/test_utils.rs @@ -9,4 +9,3 @@ pub fn test_data() -> PathBuf { p.pop(); p.join("tough-kms").join("tests").join("data") } - diff --git a/tough-ssm/src/lib.rs b/tough-ssm/src/lib.rs index 1548f4c32..c95ae2df4 100644 --- a/tough-ssm/src/lib.rs +++ b/tough-ssm/src/lib.rs @@ -54,7 +54,7 @@ impl KeySource for SsmKeySource { fn write( &self, - value: &str + value: &str, ) -> std::result::Result<(), Box> { let ssm_client = client::build_client(self.profile.as_deref())?; let fut = ssm_client.put_parameter(rusoto_ssm::PutParameterRequest { diff --git a/tough/src/error.rs b/tough/src/error.rs index fb82d5ceb..3f0a3f709 100644 --- a/tough/src/error.rs +++ b/tough/src/error.rs @@ -11,7 +11,6 @@ use snafu::{Backtrace, Snafu}; use std::io; use std::path::PathBuf; use url::Url; -use rusoto_core; /// Alias for `Result`. pub type Result = std::result::Result; @@ -494,10 +493,10 @@ pub enum Error { }, #[snafu(display("Not able to Sign message for key-id {} : {}", key_id, source))] - SignError { + KmsSign { key_id: String, source: rusoto_core::RusotoError, - backtrace: Backtrace + backtrace: Backtrace, }, #[snafu(display("Unable to create tokio runtime: {}", source))] @@ -510,10 +509,7 @@ pub enum Error { SignatureNotFound, #[snafu(display("Key Id: {} is not sign and verify key", key_id))] - NotSignVerifyKeyType { - key_id: String - }, - + NotSignVerifyKeyType { key_id: String }, #[snafu(display("Failed to run {}: {}", command_str, source))] CommandExec { diff --git a/tough/src/key_source.rs b/tough/src/key_source.rs index fb9a1aa9c..e15d28589 100644 --- a/tough/src/key_source.rs +++ b/tough/src/key_source.rs @@ -17,16 +17,13 @@ pub trait KeySource: Debug + Send + Sync { fn as_sign(&self) -> Result, Box>; /// Writes a key back to the `KeySource` - fn write( - &self, - value: &str - ) -> Result<(), Box>; - /// Creates a key for KeySource, default implementation creates rsa key pair which can - /// be override by individual KeySource implementation + fn write(&self, value: &str) -> Result<(), Box>; + /// Creates a key for key source, default implementation creates rsa key pair which can + /// be override by individual `KeySource` implementation fn create( &self, bits: u16, - exponent: u32 + exponent: u32, ) -> Result<(), Box> { // ring doesn't support RSA key generation yet // https://github.com/briansmith/ring/issues/219 @@ -68,10 +65,7 @@ impl KeySource for LocalKeySource { Ok(Box::new(parse_keypair(&data)?)) } - fn write( - &self, - value: &str - ) -> Result<(), Box> { + fn write(&self, value: &str) -> Result<(), Box> { Ok(std::fs::write(&self.path, value.as_bytes()) .context(error::FileWrite { path: &self.path })?) } diff --git a/tough/src/sign.rs b/tough/src/sign.rs index 41dc2acd9..8210eea64 100644 --- a/tough/src/sign.rs +++ b/tough/src/sign.rs @@ -4,13 +4,13 @@ //! Provides the `Sign` trait which abstracts over the method of signing with different key types. use crate::error::{self, Result}; +use crate::schema::decoded::{Decoded, RsaPem}; use crate::schema::key::{Key, KmsSigningAlgorithms}; use ring::rand::SecureRandom; use ring::signature::{KeyPair, RsaKeyPair}; +use rusoto_kms::{Kms, KmsClient, SignRequest}; use snafu::{OptionExt, ResultExt}; -use rusoto_kms::{KmsClient, SignRequest, Kms}; use std::collections::HashMap; -use crate::schema::decoded::{Decoded, RsaPem}; use std::fmt; /// This trait must be implemented for each type of key with which you will @@ -73,17 +73,17 @@ pub struct KmsRsaKey { /// Key Id of Customer Managed Key in KMS used to sign the message pub key_id: String, /// KmsClient Object to query AWS KMS - pub kms_client : KmsClient, + pub kms_client: KmsClient, /// Public Key corresponding to Customer Managed Key - pub public_key : Decoded, + pub public_key: Decoded, /// Signing Algorithm to be used for the Customer Managed Key - pub signing_algorithm: KmsSigningAlgorithms + pub signing_algorithm: KmsSigningAlgorithms, } impl fmt::Debug for KmsRsaKey { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.debug_struct("KmsRsaKey") - .field("key_id", &self.key_id) + .field("key_id", &self.key_id) .field("signing_algorithm", &self.signing_algorithm) .field("public_key", &self.public_key) .finish() @@ -117,8 +117,8 @@ impl Sign for KmsRsaKey { let response = tokio::runtime::Runtime::new() .context(error::RuntimeCreation)? .block_on(sign_fut) - .context(error::SignError { - key_id : self.key_id.clone() + .context(error::KmsSign { + key_id: self.key_id.clone(), })?; let signature = response.signature.context(error::SignatureNotFound)?; Ok(signature.to_vec()) diff --git a/tuftool/src/root.rs b/tuftool/src/root.rs index c19e49a05..862be69b7 100644 --- a/tuftool/src/root.rs +++ b/tuftool/src/root.rs @@ -241,7 +241,9 @@ impl Command { exponent: u32, ) -> Result<()> { let mut root: Signed = load_file(path)?; - key_source.create(bits.to_owned(), exponent.to_owned()).context(error::CreateKeySource)?; + key_source + .create(bits.to_owned(), exponent.to_owned()) + .context(error::CreateKeySource)?; let key_sign = key_source.as_sign().context(error::KeyPairFromKeySource)?; let key_id = hex::encode(add_key(&mut root.signed, roles, key_sign.tuf_key())?); clear_sigs(&mut root); diff --git a/tuftool/src/source.rs b/tuftool/src/source.rs index 49b2ba926..43c803eee 100644 --- a/tuftool/src/source.rs +++ b/tuftool/src/source.rs @@ -37,8 +37,8 @@ use crate::error::{self, Result}; use snafu::ResultExt; use std::path::PathBuf; use tough::key_source::{KeySource, LocalKeySource}; -use tough_ssm::SsmKeySource; use tough_kms::KmsKeySource; +use tough_ssm::SsmKeySource; use url::Url; /// Parses a user-specified source of signing keys. @@ -91,7 +91,7 @@ pub(crate) fn parse_key_source(input: &str) -> Result> { } }), key_id: format!("{}{}", "alias", url.path().to_owned()), - client: None + client: None, })), _ => error::UnrecognizedScheme { scheme: url.scheme(), diff --git a/tuftool/tests/create_repository_integration.rs b/tuftool/tests/create_repository_integration.rs index 437305ac8..83522bc57 100644 --- a/tuftool/tests/create_repository_integration.rs +++ b/tuftool/tests/create_repository_integration.rs @@ -14,59 +14,37 @@ use tough::{ExpirationEnforcement, Limits, Repository, Settings}; // Refer https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html to configure named profile. // To run test include feature flag 'integration-tests' like : "cargo test --features=integration-tests" - fn initialie_root_json(root_json: &str) { Command::cargo_bin("tuftool") .unwrap() - .args(&[ - "root", - "init", - root_json.clone(), - ]).assert().success(); + .args(&["root", "init", root_json.clone()]) + .assert() + .success(); Command::cargo_bin("tuftool") .unwrap() - .args(&[ - "root", - "expire", - root_json.clone(), - "2020-09-22T00:00:00Z" - ]).assert().success(); + .args(&["root", "expire", root_json.clone(), "2020-09-22T00:00:00Z"]) + .assert() + .success(); Command::cargo_bin("tuftool") .unwrap() - .args(&[ - "root", - "set-threshold", - root_json.clone(), - "root", - "1" - ]).assert().success(); + .args(&["root", "set-threshold", root_json.clone(), "root", "1"]) + .assert() + .success(); Command::cargo_bin("tuftool") .unwrap() - .args(&[ - "root", - "set-threshold", - root_json.clone(), - "snapshot", - "1" - ]).assert().success(); + .args(&["root", "set-threshold", root_json.clone(), "snapshot", "1"]) + .assert() + .success(); Command::cargo_bin("tuftool") .unwrap() - .args(&[ - "root", - "set-threshold", - root_json.clone(), - "targets", - "1" - ]).assert().success(); + .args(&["root", "set-threshold", root_json.clone(), "targets", "1"]) + .assert() + .success(); Command::cargo_bin("tuftool") .unwrap() - .args(&[ - "root", - "set-threshold", - root_json.clone(), - "timestamp", - "1" - ]).assert().success(); + .args(&["root", "set-threshold", root_json.clone(), "timestamp", "1"]) + .assert() + .success(); } fn gen_key(key: &str, root_json: &str) { @@ -80,8 +58,10 @@ fn gen_key(key: &str, root_json: &str) { "--role", "root", "-b", - "3072" - ]).assert().success(); + "3072", + ]) + .assert() + .success(); } fn add_key_all_role(key: &str, root_json: &str) { @@ -93,8 +73,10 @@ fn add_key_all_role(key: &str, root_json: &str) { root_json.clone(), key.clone(), "--role", - "snapshot" - ]).assert().success(); + "snapshot", + ]) + .assert() + .success(); Command::cargo_bin("tuftool") .unwrap() .args(&[ @@ -103,8 +85,10 @@ fn add_key_all_role(key: &str, root_json: &str) { root_json.clone(), key.clone(), "--role", - "targets" - ]).assert().success(); + "targets", + ]) + .assert() + .success(); Command::cargo_bin("tuftool") .unwrap() .args(&[ @@ -113,19 +97,18 @@ fn add_key_all_role(key: &str, root_json: &str) { root_json.clone(), key.clone(), "--role", - "timestamp" - ]).assert().success(); + "timestamp", + ]) + .assert() + .success(); } fn sign_root_json(key: &str, root_json: &str) { Command::cargo_bin("tuftool") .unwrap() - .args(&[ - "root", - "sign", - root_json.clone(), - key - ]).assert().success(); + .args(&["root", "sign", root_json.clone(), key]) + .assert() + .success(); } fn create_repository(root_key: &str) { @@ -143,7 +126,9 @@ fn create_repository(root_key: &str) { let snapshot_version: u64 = 5432; let targets_expiration = Utc::now().checked_add_signed(Duration::days(13)).unwrap(); let targets_version: u64 = 789; - let targets_input_dir = test_utils::test_data().join("tuf-reference-impl").join("targets"); + let targets_input_dir = test_utils::test_data() + .join("tuf-reference-impl") + .join("targets"); let repo_dir = TempDir::new().unwrap(); let load_dir = TempDir::new().unwrap(); // Create a repo using tuftool and the reference tuf implementation targets @@ -188,7 +173,8 @@ fn create_repository(root_key: &str) { limits: Limits::default(), expiration_enforcement: ExpirationEnforcement::Safe, }, - ).unwrap(); + ) + .unwrap(); // Ensure we can read the targets assert_eq!( @@ -241,7 +227,7 @@ fn create_repository(root_key: &str) { fn create_repository_local_key() { let root_key_dir = TempDir::new().unwrap(); let root_key_path = root_key_dir.path().join("local_key.pem"); - let root_key = &format!("file://{}",root_key_path.to_str().unwrap()); + let root_key = &format!("file://{}", root_key_path.to_str().unwrap()); create_repository(root_key); } @@ -260,4 +246,3 @@ fn create_repository_kms_key() { let root_key = "aws-kms://thar-signing-root-pdx/test_key"; create_repository(root_key); } -