tor_hsservice/config/restricted_discovery.rs
1//! Configuration for hidden service restricted discovery mode.
2//!
3//! By default, hidden services are accessible by anyone that knows their `.onion` address,
4//! this exposure making them vulnerable to DoS attacks.
5//! For added DoS resistance, services can hide their discovery information
6//! (the list of introduction points, recognized handshake types, etc.)
7//! from unauthorized clients by enabling restricted discovery mode.
8//!
9//! Services running in this mode are only discoverable
10//! by the clients configured in the [`RestrictedDiscoveryConfig`].
11//! Everyone else will be unable to reach the service,
12//! as the discovery information from the service's descriptor
13//! is encrypted with the keys of the authorized clients.
14//!
15//! Each authorized client must generate a service discovery keypair ([KS_hsc_desc_enc])
16//! and share the public part of the keypair with the service.
17//! The service can then authorize the client by adding its public key
18//! to the `static_keys` list, or as an entry in one of the `key_dirs` specified
19//! in its [`RestrictedDiscoveryConfig`].
20//!
21//! Restricted discovery mode is only suitable for services that have a known set
22//! of no more than [`MAX_RESTRICTED_DISCOVERY_CLIENTS`] users.
23//! Hidden services that do not have a fixed, well-defined set of users,
24//! or that have more than [`MAX_RESTRICTED_DISCOVERY_CLIENTS`] users,
25//! should use other DoS resistance measures instead.
26//!
27//! # Live reloading
28//!
29//! The restricted discovery configuration is automatically reloaded
30//! if `watch_configuration` is `true`.
31//!
32//! This means that any changes to `static_keys` or to the `.auth` files
33//! from the configured `key_dirs` will be automatically detected,
34//! so you don't need to restart your service in order for them to take effect.
35//!
36//! ## Best practices
37//!
38//! Each change you make to the authorized clients can result in a new descriptor
39//! being published. If you make multiple changes to your restricted discovery configuration
40//! (or to the other parts of the onion service configuration
41//! that trigger the publishing of a new descriptor, such as `anonymity`),
42//! those changes may not take effect immediately due to the descriptor publishing rate limiting.
43//!
44//! To avoid generating unnecessary traffic, you should try to batch
45//! your changes as much as possible, or, alternatively, disable `watch_configuration`
46//! until you are satisfied with your configured authorized clients.
47//!
48//! ## Caveats
49//!
50//! ### Unauthorizing previously authorized clients
51//!
52//! Removing a previously authorized client from `static_keys` or `key_dirs`
53//! does **not** guarantee its access will be revoked.
54//! This is because the client might still be able to reach your service via
55//! its current introduction points (the introduction points are not rotated
56//! when the authorized clients change). Moreover, even if the introduction points
57//! are rotated by chance, your changes are not guaranteed to take effect immediately,
58//! so it is possible for the service to publish its new introduction points
59//! in a descriptor that is readable by the recently unauthorized client.
60//!
61//! **Restricted discovery mode is a DoS resistance mechanism,
62//! _not_ a substitute for conventional access control.**
63//!
64//! ### Moving `key_dir`s
65//!
66//! If you move a `key_dir` (i.e. rename it), all of the authorized clients contained
67//! within it are removed (the descriptor is rebuilt and republished,
68//! without being encrypted for those clients).
69//! Any further changes to the moved directory will be ignored,
70//! unless the directory is moved back or a `key_dir` entry for its new location is added.
71//!
72//! Moving the directory back to its original location (configured in `key_dirs`),
73//! will cause those clients to be added back and a new descriptor to be generated.
74//!
75//! # Key providers
76//!
77//! The [`RestrictedDiscoveryConfig`] supports two key providers:
78//! * [`StaticKeyProvider`], where keys are specified as a static mapping from nicknames to keys
79//! * [`DirectoryKeyProvider`], which represents a directory of client keys.
80//!
81//! # Limitations
82//!
83//! Hidden service descriptors are not allowed to exceed
84//! the maximum size specified in the [`HSV3MaxDescriptorSize`] consensus parameter,
85//! so there is an implicit upper limit for the number of clients you can authorize
86//! (the `encrypted` section of the descriptor is encrypted
87//! for each authorized client, so the more clients there are, the larger the descriptor will be).
88//! While we recommend configuring no more than [`MAX_RESTRICTED_DISCOVERY_CLIENTS`] clients,
89//! the *actual* limit for your service depends on the rest of its configuration
90//! (such as the number of introduction points).
91//!
92//! [KS_hsc_desc_enc]: https://spec.torproject.org/rend-spec/protocol-overview.html#CLIENT-AUTH
93//! [`HSV3MaxDescriptorSize`]: https://spec.torproject.org/param-spec.html?highlight=maximum%20descriptor#onion-service
94
95mod key_provider;
96
97pub use key_provider::{
98 DirectoryKeyProvider, DirectoryKeyProviderBuilder, DirectoryKeyProviderList,
99 DirectoryKeyProviderListBuilder, StaticKeyProvider, StaticKeyProviderBuilder,
100};
101
102use crate::internal_prelude::*;
103use derive_more::From;
104
105use std::collections::BTreeMap;
106use std::collections::btree_map::Entry;
107
108use amplify::Getters;
109use derive_more::{Display, Into};
110
111use tor_config::derive::prelude::*;
112use tor_config_path::CfgPathResolver;
113use tor_error::warn_report;
114use tor_persist::slug::BadSlug;
115
116/// The recommended maximum number of restricted mode clients.
117///
118/// See the [module-level documentation](self) for an explanation of this limitation.
119///
120/// Note: this is an approximate, one-size-fits-all figure.
121/// In practice, the maximum number of clients depends on the rest of the service's configuration,
122/// and may in fact be higher, or lower, than this value.
123//
124// TODO: we should come up with a more accurate upper limit. The actual limit might be even lower,
125// depending on the service's configuration (i.e. number of intro points).
126//
127// This figure is an approximation. It was obtained by filling a descriptor
128// with as much information as possible. The descriptor was built with
129// * `single-onion-service` set
130// * 20 intro points (which is the current upper limit), where each intro point had a
131// single link specifier (I'm not sure if there's a limit for the number of link specifiers)
132// * 165 authorized clients
133// and had a size of 42157 bytes. Adding one more client tipped it over the limit (with 166
134// authorized clients, the size of the descriptor was 56027 bytes).
135//
136// See also tor#29134
137pub const MAX_RESTRICTED_DISCOVERY_CLIENTS: usize = 160;
138
139/// Nickname (local identifier) for a hidden service client.
140///
141/// An `HsClientNickname` must be a valid [`Slug`].
142/// See [slug](tor_persist::slug) for the syntactic requirements.
143//
144// TODO: when we implement the arti hsc CLI for managing the configured client keys,
145// we will use the nicknames to identify individual clients.
146#[derive(Clone, Debug, Hash, Eq, PartialEq, Ord, PartialOrd)] //
147#[derive(Display, From, Into, Serialize, Deserialize)]
148#[serde(transparent)]
149pub struct HsClientNickname(Slug);
150
151/// A list of client discovery keys.
152pub(crate) type RestrictedDiscoveryKeys = BTreeMap<HsClientNickname, HsClientDescEncKey>;
153
154impl FromStr for HsClientNickname {
155 type Err = BadSlug;
156
157 fn from_str(s: &str) -> Result<Self, Self::Err> {
158 let slug = Slug::try_from(s.to_string())?;
159
160 Ok(Self(slug))
161 }
162}
163
164/// Configuration for enabling restricted discovery mode.
165///
166/// # Client nickname uniqueness
167///
168/// The client nicknames specified in `key_dirs` and `static_keys`
169/// **must** be unique. Any nickname occurring in `static_keys` must not
170/// already have an entry in any of the configured `key_dirs`,
171/// and any one nickname must not occur in more than one of the `key_dirs`.
172///
173/// Violating this rule will cause the additional keys to be ignored.
174/// If there are multiple entries for the same nickname,
175/// the entry with the highest precedence will be used, and all the others will be ignored.
176/// The precedence rules are as follows:
177/// * the `static_keys` take precedence over the keys from `key_dirs`
178/// * the ordering of the directories in `key_dirs` represents the order of precedence
179///
180/// # Reloading the configuration
181///
182/// Currently, the `static_keys` and `key_dirs` directories will *not* be monitored for updates,
183/// even when automatic config reload is enabled. We hope to change that in the future.
184/// In the meantime, you will need to restart your service every time you update
185/// its restricted discovery settings in order for the changes to be applied.
186///
187/// See the [module-level documentation](self) for more details.
188#[derive(Debug, Clone, Deftly, Eq, PartialEq, Getters)]
189#[derive_deftly(TorConfig)]
190#[deftly(tor_config(post_build = "Self::post_build_validate"))]
191pub struct RestrictedDiscoveryConfig {
192 /// Whether to enable restricted discovery mode.
193 ///
194 /// Services running in restricted discovery mode are only discoverable
195 /// by the configured clients.
196 ///
197 /// Can only be enabled if the `restricted-discovery` feature is enabled.
198 ///
199 /// If you enable this, you must also specify the authorized clients (via `static_keys`),
200 /// or the directories where the authorized client keys should be read from (via `key_dirs`).
201 ///
202 /// Restricted discovery mode is disabled by default.
203 #[deftly(tor_config(default))]
204 pub(crate) enabled: bool,
205
206 /// If true, the provided `key_dirs` will be watched for changes.
207 #[deftly(tor_config(default, serde = "skip"))]
208 #[getter(as_mut, as_copy)]
209 watch_configuration: bool,
210
211 /// Directories containing the client keys, each in the
212 /// `descriptor:x25519:<base32-encoded-x25519-public-key>` format.
213 ///
214 /// Each file in this directory must have a file name of the form `<nickname>.auth`,
215 /// where `<nickname>` is a valid [`HsClientNickname`].
216 //
217 // TODO: Use the list-builder pattern instead. (Right now this uses the sub_builder pattern
218 // directly, since before migration to TorConfig, this builder didn't declare list accessors.)
219 #[deftly(tor_config(sub_builder, no_magic))]
220 key_dirs: DirectoryKeyProviderList,
221
222 /// A static mapping from client nicknames to keys.
223 ///
224 /// Each client key must be in the `descriptor:x25519:<base32-encoded-x25519-public-key>`
225 /// format.
226 //
227 // TODO: We could eventually migrate to use the map-builder pattern, but that would
228 // be a breaking change.
229 #[deftly(tor_config(sub_builder))]
230 static_keys: StaticKeyProvider,
231}
232
233impl RestrictedDiscoveryConfig {
234 /// Read the client keys from all the configured key providers.
235 ///
236 /// Returns `None` if restricted mode is disabled.
237 ///
238 // TODO: this is not currently implemented (reconfigure() doesn't call read_keys)
239 /// When reconfiguring a [`RunningOnionService`](crate::RunningOnionService),
240 /// call this function to obtain an up-to-date view of the authorized clients.
241 ///
242 // TODO: this is a footgun. We might want to rethink this before we make
243 // the restricted-discovery feature non-experimental:
244 /// Note: if there are multiple entries for the same [`HsClientNickname`],
245 /// only one of them will be used (the others are ignored).
246 /// The deduplication logic is as follows:
247 /// * the `static_keys` take precedence over the keys from `key_dirs`
248 /// * the ordering of the directories in `key_dirs` represents the order of precedence
249 pub(crate) fn read_keys(
250 &self,
251 path_resolver: &CfgPathResolver,
252 ) -> Option<RestrictedDiscoveryKeys> {
253 if !self.enabled {
254 return None;
255 }
256
257 let mut authorized_clients = BTreeMap::new();
258
259 // The static_keys are inserted first, so they have precedence over
260 // the keys from key_dirs.
261 extend_key_map(
262 &mut authorized_clients,
263 RestrictedDiscoveryKeys::from(self.static_keys.clone()),
264 );
265
266 // The key_dirs are read in order of appearance,
267 // which is also the order of precedence.
268 for dir in &self.key_dirs {
269 match dir.read_keys(path_resolver) {
270 Ok(keys) => extend_key_map(&mut authorized_clients, keys),
271 Err(e) => {
272 warn_report!(e, "Failed to read keys at {}", dir.path());
273 }
274 }
275 }
276
277 if authorized_clients.len() > MAX_RESTRICTED_DISCOVERY_CLIENTS {
278 warn!(
279 "You have configured over {} restricted discovery clients. Your service's descriptor is likely to exceed the 50kB limit",
280 MAX_RESTRICTED_DISCOVERY_CLIENTS
281 );
282 }
283
284 Some(authorized_clients)
285 }
286}
287
288/// Helper for extending a key map with additional keys.
289///
290/// Logs a warning if any of the keys are already present in the map.
291fn extend_key_map(
292 key_map: &mut RestrictedDiscoveryKeys,
293 keys: impl IntoIterator<Item = (HsClientNickname, HsClientDescEncKey)>,
294) {
295 for (nickname, key) in keys.into_iter() {
296 match key_map.entry(nickname.clone()) {
297 Entry::Vacant(v) => {
298 let _: &mut HsClientDescEncKey = v.insert(key);
299 }
300 Entry::Occupied(_) => {
301 warn!(
302 client_nickname=%nickname,
303 "Ignoring duplicate client key"
304 );
305 }
306 }
307 }
308}
309
310impl RestrictedDiscoveryConfigBuilder {
311 /// Build the [`RestrictedDiscoveryConfig`].
312 ///
313 /// Returns an error if:
314 /// - restricted mode is enabled but the `restricted-discovery` feature is not enabled
315 /// - restricted mode is enabled but no client key providers are configured
316 /// - restricted mode is disabled, but some client key providers are configured
317 fn post_build_validate(
318 config: RestrictedDiscoveryConfig,
319 ) -> Result<RestrictedDiscoveryConfig, ConfigBuildError> {
320 let RestrictedDiscoveryConfig {
321 enabled,
322 key_dirs,
323 static_keys,
324 watch_configuration,
325 } = config;
326 let key_list = static_keys.as_ref().iter().collect_vec();
327
328 cfg_if::cfg_if! {
329 if #[cfg(feature = "restricted-discovery")] {
330 match (enabled, key_dirs.as_slice(), key_list.as_slice()) {
331 (true, &[], &[]) => {
332 return Err(ConfigBuildError::Inconsistent {
333 fields: vec!["key_dirs".into(), "static_keys".into(), "enabled".into()],
334 problem: "restricted_discovery not configured, but enabled is true"
335 .into(),
336 });
337 },
338 (false, &[_, ..], _) => {
339 return Err(ConfigBuildError::Inconsistent {
340 fields: vec!["key_dirs".into(), "enabled".into()],
341 problem: "restricted_discovery.key_dirs configured, but enabled is false"
342 .into(),
343 });
344
345 },
346 (false, _, &[_, ..])=> {
347 return Err(ConfigBuildError::Inconsistent {
348 fields: vec!["static_keys".into(), "enabled".into()],
349 problem: "restricted_discovery.static_keys configured, but enabled is false"
350 .into(),
351 });
352 }
353 (true, &[_, ..], _) | (true, _, &[_, ..]) | (false, &[], &[]) => {
354 // The config is valid.
355 }
356 }
357 } else {
358 // Restricted mode can only be enabled if the `experimental` feature is enabled.
359
360 // TODO: This could migrate to use tor_config(cfg) instead, but that would change
361 // these errors into warnings. We could add error support for this into
362 // tor_config.
363 if enabled {
364 return Err(ConfigBuildError::NoCompileTimeSupport {
365 field: "enabled".into(),
366 problem:
367 "restricted_discovery.enabled=true, but restricted-discovery feature not enabled"
368 .into(),
369 });
370 }
371
372 match (key_dirs.as_slice(), key_list.as_slice()) {
373 (&[_, ..], _) => {
374 return Err(ConfigBuildError::NoCompileTimeSupport {
375 field: "key_dirs".into(),
376 problem:
377 "restricted_discovery.key_dirs set, but restricted-discovery feature not enabled"
378 .into(),
379 });
380 },
381 (_, &[_, ..]) => {
382 return Err(ConfigBuildError::NoCompileTimeSupport {
383 field: "static_keys".into(),
384 problem:
385 "restricted_discovery.static_keys set, but restricted-discovery feature not enabled"
386 .into(),
387 });
388 },
389 (&[], &[]) => {
390 // The config is valid.
391 }
392 };
393 }
394 }
395
396 Ok(RestrictedDiscoveryConfig {
397 enabled,
398 key_dirs,
399 static_keys,
400 watch_configuration,
401 })
402 }
403}
404
405#[cfg(test)]
406mod test {
407 // @@ begin test lint list maintained by maint/add_warning @@
408 #![allow(clippy::bool_assert_comparison)]
409 #![allow(clippy::clone_on_copy)]
410 #![allow(clippy::dbg_macro)]
411 #![allow(clippy::mixed_attributes_style)]
412 #![allow(clippy::print_stderr)]
413 #![allow(clippy::print_stdout)]
414 #![allow(clippy::single_char_pattern)]
415 #![allow(clippy::unwrap_used)]
416 #![allow(clippy::unchecked_time_subtraction)]
417 #![allow(clippy::useless_vec)]
418 #![allow(clippy::needless_pass_by_value)]
419 //! <!-- @@ end test lint list maintained by maint/add_warning @@ -->
420
421 use super::*;
422
423 use std::ops::Index;
424
425 use tor_basic_utils::test_rng::Config;
426 use tor_config::assert_config_error;
427 use tor_config_path::CfgPath;
428 use tor_hscrypto::pk::HsClientDescEncKeypair;
429
430 /// A helper for creating a test (`HsClientNickname`, `HsClientDescEncKey`) pair.
431 fn make_authorized_client(nickname: &str) -> (HsClientNickname, HsClientDescEncKey) {
432 let mut rng = Config::Deterministic.into_rng();
433 let nickname: HsClientNickname = nickname.parse().unwrap();
434 let keypair = HsClientDescEncKeypair::generate(&mut rng);
435 let pk = keypair.public();
436
437 (nickname, pk.clone())
438 }
439
440 fn write_key_to_file(dir: &Path, nickname: &HsClientNickname, key: impl fmt::Display) {
441 let path = dir.join(nickname.to_string()).with_extension("auth");
442 fs::write(path, key.to_string()).unwrap();
443 }
444
445 #[test]
446 #[cfg(feature = "restricted-discovery")]
447 fn invalid_config() {
448 let err = RestrictedDiscoveryConfigBuilder::default()
449 .enabled(true)
450 .build()
451 .unwrap_err();
452
453 assert_config_error!(
454 err,
455 Inconsistent,
456 "restricted_discovery not configured, but enabled is true"
457 );
458
459 let mut builder = RestrictedDiscoveryConfigBuilder::default();
460 builder.static_keys().access().push((
461 HsClientNickname::from_str("alice").unwrap(),
462 HsClientDescEncKey::from_str(
463 "descriptor:x25519:zprrmiv6dv6sjfl7sfbsvlj5vunpgcdfevz7m23ltlvtccxjqbka",
464 )
465 .unwrap(),
466 ));
467
468 let err = builder.build().unwrap_err();
469
470 assert_config_error!(
471 err,
472 Inconsistent,
473 "restricted_discovery.static_keys configured, but enabled is false"
474 );
475
476 let mut dir_provider = DirectoryKeyProviderBuilder::default();
477 dir_provider.path(CfgPath::new("/foo".to_string()));
478 let mut builder = RestrictedDiscoveryConfigBuilder::default();
479 builder.key_dirs().access().push(dir_provider);
480
481 let err = builder.build().unwrap_err();
482
483 assert_config_error!(
484 err,
485 Inconsistent,
486 "restricted_discovery.key_dirs configured, but enabled is false"
487 );
488 }
489
490 #[test]
491 #[cfg(feature = "restricted-discovery")]
492 fn empty_providers() {
493 // It's not a configuration error to enable restricted mode is enabled
494 // without configuring any keys, but this would make the service unreachable
495 // (a different part of the code will issue a warning about this).
496 let mut builder = RestrictedDiscoveryConfigBuilder::default();
497 let dir = tempfile::TempDir::new().unwrap();
498 let mut dir_prov_builder = DirectoryKeyProviderBuilder::default();
499 dir_prov_builder
500 .path(CfgPath::new_literal(dir.path()))
501 .permissions()
502 .dangerously_trust_everyone();
503 builder
504 .enabled(true)
505 .key_dirs()
506 .access()
507 // Push a directory provider that has no keys
508 .push(dir_prov_builder);
509
510 let restricted_config = builder.build().unwrap();
511 let path_resolver = CfgPathResolver::default();
512 assert!(
513 restricted_config
514 .read_keys(&path_resolver)
515 .unwrap()
516 .is_empty()
517 );
518 }
519
520 #[test]
521 #[cfg(not(feature = "restricted-discovery"))]
522 fn invalid_config() {
523 let mut builder = RestrictedDiscoveryConfigBuilder::default();
524 let err = builder.enabled(true).build().unwrap_err();
525
526 assert_config_error!(
527 err,
528 NoCompileTimeSupport,
529 "restricted_discovery.enabled=true, but restricted-discovery feature not enabled"
530 );
531
532 let mut builder = RestrictedDiscoveryConfigBuilder::default();
533 builder.static_keys().access().push((
534 HsClientNickname::from_str("alice").unwrap(),
535 HsClientDescEncKey::from_str(
536 "descriptor:x25519:zprrmiv6dv6sjfl7sfbsvlj5vunpgcdfevz7m23ltlvtccxjqbka",
537 )
538 .unwrap(),
539 ));
540
541 let err = builder.build().unwrap_err();
542
543 assert_config_error!(
544 err,
545 NoCompileTimeSupport,
546 "restricted_discovery.static_keys set, but restricted-discovery feature not enabled"
547 );
548 }
549
550 #[test]
551 #[cfg(feature = "restricted-discovery")]
552 fn valid_config() {
553 /// The total number of clients.
554 const CLIENT_COUNT: usize = 10;
555 /// The number of client keys configured using a static provider.
556 const STATIC_CLIENT_COUNT: usize = 5;
557
558 let mut all_keys = vec![];
559 let dir = tempfile::TempDir::new().unwrap();
560
561 // A builder that only has static keys.
562 let mut builder_static_keys = RestrictedDiscoveryConfigBuilder::default();
563 builder_static_keys.enabled(true);
564
565 // A builder that only a key dir.
566 let mut builder_key_dir = RestrictedDiscoveryConfigBuilder::default();
567 builder_key_dir.enabled(true);
568
569 // A builder that has both static keys and a key dir
570 let mut builder_static_and_key_dir = RestrictedDiscoveryConfigBuilder::default();
571 builder_static_and_key_dir.enabled(true);
572
573 for i in 0..CLIENT_COUNT {
574 let (nickname, key) = make_authorized_client(&format!("client-{i}"));
575 all_keys.push((nickname.clone(), key.clone()));
576
577 if i < STATIC_CLIENT_COUNT {
578 builder_static_keys
579 .static_keys()
580 .access()
581 .push((nickname.clone(), key.clone()));
582 builder_static_and_key_dir
583 .static_keys()
584 .access()
585 .push((nickname, key.clone()));
586 } else {
587 let path = dir.path().join(nickname.to_string()).with_extension("auth");
588 fs::write(path, key.to_string()).unwrap();
589 }
590 }
591
592 let mut dir_builder = DirectoryKeyProviderBuilder::default();
593 dir_builder
594 .path(CfgPath::new_literal(dir.path()))
595 .permissions()
596 .dangerously_trust_everyone();
597
598 for b in &mut [&mut builder_key_dir, &mut builder_static_and_key_dir] {
599 b.key_dirs().access().push(dir_builder.clone());
600 }
601
602 let test_cases = [
603 (0..STATIC_CLIENT_COUNT, builder_static_keys),
604 (STATIC_CLIENT_COUNT..CLIENT_COUNT, builder_key_dir),
605 (0..CLIENT_COUNT, builder_static_and_key_dir),
606 ];
607
608 for (range, builder) in test_cases {
609 let config = builder.build().unwrap();
610 let path_resolver = CfgPathResolver::default();
611
612 let mut authorized_clients = config
613 .read_keys(&path_resolver)
614 .unwrap()
615 .into_iter()
616 .collect_vec();
617 authorized_clients.sort_by(|k1, k2| k1.0.cmp(&k2.0));
618
619 assert_eq!(authorized_clients.as_slice(), all_keys.index(range));
620 }
621 }
622
623 #[test]
624 #[cfg(feature = "restricted-discovery")]
625 fn key_precedence() {
626 // A builder with static keys, and two key dirs.
627 let mut builder = RestrictedDiscoveryConfigBuilder::default();
628 builder.enabled(true);
629 let (foo_nick, foo_key1) = make_authorized_client("foo");
630 builder
631 .static_keys()
632 .access()
633 .push((foo_nick.clone(), foo_key1.clone()));
634
635 // Make another client key with the same nickname
636 let (_foo_nick, foo_key2) = make_authorized_client("foo");
637
638 let dir1 = tempfile::TempDir::new().unwrap();
639 let dir2 = tempfile::TempDir::new().unwrap();
640
641 // Write a different key with the same nickname to dir1
642 // (we will check that the entry from static_keys takes precedence over it)
643 write_key_to_file(dir1.path(), &foo_nick, foo_key2);
644
645 // Write two keys sharing the same nickname to dir1 and dir2
646 // (we will check that the first dir_keys entry takes precedence over the second)
647 let (bar_nick, bar_key1) = make_authorized_client("bar");
648 write_key_to_file(dir1.path(), &bar_nick, &bar_key1);
649
650 let (_bar_nick, bar_key2) = make_authorized_client("bar");
651 write_key_to_file(dir2.path(), &bar_nick, bar_key2);
652
653 let mut key_dir1 = DirectoryKeyProviderBuilder::default();
654 key_dir1
655 .path(CfgPath::new_literal(dir1.path()))
656 .permissions()
657 .dangerously_trust_everyone();
658
659 let mut key_dir2 = DirectoryKeyProviderBuilder::default();
660 key_dir2
661 .path(CfgPath::new_literal(dir2.path()))
662 .permissions()
663 .dangerously_trust_everyone();
664
665 builder.key_dirs().access().extend([key_dir1, key_dir2]);
666 let config = builder.build().unwrap();
667 let path_resolver = CfgPathResolver::default();
668 let keys = config.read_keys(&path_resolver).unwrap();
669
670 // Check that foo is the entry we inserted into static_keys:
671 let foo_key_found = keys.get(&foo_nick).unwrap();
672 assert_eq!(foo_key_found, &foo_key1);
673
674 // Check that bar is the entry from key_dir1
675 // (dir1 takes precedence over dir2)
676 let bar_key_found = keys.get(&bar_nick).unwrap();
677 assert_eq!(bar_key_found, &bar_key1);
678 }
679
680 #[test]
681 #[cfg(feature = "restricted-discovery")]
682 fn ignore_invalid() {
683 /// The number of valid keys.
684 const VALID_COUNT: usize = 5;
685
686 let dir = tempfile::TempDir::new().unwrap();
687 for i in 0..VALID_COUNT {
688 let (nickname, key) = make_authorized_client(&format!("client-{i}"));
689 write_key_to_file(dir.path(), &nickname, &key);
690 }
691
692 // Add some malformed keys
693 let nickname: HsClientNickname = "foo".parse().unwrap();
694
695 write_key_to_file(dir.path(), &nickname, "descriptor:x25519:foobar");
696
697 let (nickname, key) = make_authorized_client("bar");
698 let path = dir
699 .path()
700 .join(nickname.to_string())
701 .with_extension("not_auth");
702 fs::write(path, key.to_string()).unwrap();
703
704 let mut dir_prov_builder = DirectoryKeyProviderBuilder::default();
705 dir_prov_builder
706 .path(CfgPath::new_literal(dir.path()))
707 .permissions()
708 .dangerously_trust_everyone();
709
710 let mut builder = RestrictedDiscoveryConfigBuilder::default();
711 builder
712 .enabled(true)
713 .key_dirs()
714 .access()
715 .push(dir_prov_builder);
716 let config = builder.build().unwrap();
717
718 let path_resolver = CfgPathResolver::default();
719 assert_eq!(config.read_keys(&path_resolver).unwrap().len(), VALID_COUNT);
720 }
721}