internal/vaultik/blob_fetch_hash_test.go

@@ -1,100 +0,0 @@
-package vaultik_test
-
-import (
-	"bytes"
-	"context"
-	"crypto/sha256"
-	"encoding/hex"
-	"io"
-	"strings"
-	"testing"
-
-	"filippo.io/age"
-	"git.eeqj.de/sneak/vaultik/internal/blobgen"
-	"git.eeqj.de/sneak/vaultik/internal/vaultik"
-)
-
-// TestFetchAndDecryptBlobVerifiesHash verifies that FetchAndDecryptBlob checks
-// the double-SHA-256 hash of the decrypted plaintext against the expected blob hash.
-func TestFetchAndDecryptBlobVerifiesHash(t *testing.T) {
-	identity, err := age.GenerateX25519Identity()
-	if err != nil {
-		t.Fatalf("generating identity: %v", err)
-	}
-
-	// Create test data and encrypt it using blobgen.Writer
-	plaintext := []byte("hello world test data for blob hash verification")
-	var encBuf bytes.Buffer
-	writer, err := blobgen.NewWriter(&encBuf, 1, []string{identity.Recipient().String()})
-	if err != nil {
-		t.Fatalf("creating blobgen writer: %v", err)
-	}
-	if _, err := writer.Write(plaintext); err != nil {
-		t.Fatalf("writing plaintext: %v", err)
-	}
-	if err := writer.Close(); err != nil {
-		t.Fatalf("closing writer: %v", err)
-	}
-	encryptedData := encBuf.Bytes()
-
-	// Compute correct double-SHA-256 hash of the plaintext (matches blobgen.Writer.Sum256)
-	firstHash := sha256.Sum256(plaintext)
-	secondHash := sha256.Sum256(firstHash[:])
-	correctHash := hex.EncodeToString(secondHash[:])
-
-	// Verify our hash matches what blobgen.Writer produces
-	writerHash := hex.EncodeToString(writer.Sum256())
-	if correctHash != writerHash {
-		t.Fatalf("hash computation mismatch: manual=%s, writer=%s", correctHash, writerHash)
-	}
-
-	// Set up mock storage with the blob at the correct path
-	mockStorage := NewMockStorer()
-	blobPath := "blobs/" + correctHash[:2] + "/" + correctHash[2:4] + "/" + correctHash
-	mockStorage.mu.Lock()
-	mockStorage.data[blobPath] = encryptedData
-	mockStorage.mu.Unlock()
-
-	tv := vaultik.NewForTesting(mockStorage)
-	ctx := context.Background()
-
-	t.Run("correct hash succeeds", func(t *testing.T) {
-		rc, err := tv.FetchAndDecryptBlob(ctx, correctHash, int64(len(encryptedData)), identity)
-		if err != nil {
-			t.Fatalf("expected success, got error: %v", err)
-		}
-		data, err := io.ReadAll(rc)
-		if err != nil {
-			t.Fatalf("reading stream: %v", err)
-		}
-		if err := rc.Close(); err != nil {
-			t.Fatalf("close (hash verification) failed: %v", err)
-		}
-		if !bytes.Equal(data, plaintext) {
-			t.Fatalf("decrypted data mismatch: got %q, want %q", data, plaintext)
-		}
-	})
-
-	t.Run("wrong hash fails", func(t *testing.T) {
-		// Use a fake hash that doesn't match the actual plaintext
-		fakeHash := strings.Repeat("ab", 32) // 64 hex chars
-		fakePath := "blobs/" + fakeHash[:2] + "/" + fakeHash[2:4] + "/" + fakeHash
-		mockStorage.mu.Lock()
-		mockStorage.data[fakePath] = encryptedData
-		mockStorage.mu.Unlock()
-
-		rc, err := tv.FetchAndDecryptBlob(ctx, fakeHash, int64(len(encryptedData)), identity)
-		if err != nil {
-			t.Fatalf("unexpected error opening stream: %v", err)
-		}
-		// Read all data — hash is verified on Close
-		_, _ = io.ReadAll(rc)
-		err = rc.Close()
-		if err == nil {
-			t.Fatal("expected error for mismatched hash, got nil")
-		}
-		if !strings.Contains(err.Error(), "hash mismatch") {
-			t.Fatalf("expected hash mismatch error, got: %v", err)
-		}
-	})
-}

internal/vaultik/blob_fetch_stub.go

@@ -2,82 +2,38 @@ package vaultik
 
 import (
 	"context"
-	"crypto/sha256"
-	"encoding/hex"
 	"fmt"
-	"hash"
 	"io"
 
 	"filippo.io/age"
 	"git.eeqj.de/sneak/vaultik/internal/blobgen"
 )
 
-// hashVerifyReader wraps a reader and computes a double-SHA-256 hash of all
+// FetchAndDecryptBlobResult holds the result of fetching and decrypting a blob.
-// data read through it. The hash is verified against the expected blob hash
+type FetchAndDecryptBlobResult struct {
-// when Close is called. This allows streaming blob verification without
+	Data []byte
-// buffering the entire blob in memory.
-type hashVerifyReader struct {
-	reader   io.ReadCloser // underlying decrypted blob reader
-	fetcher  io.ReadCloser // raw fetched stream (closed on Close)
-	hasher   hash.Hash     // running SHA-256 of plaintext
-	blobHash string        // expected double-SHA-256 hex
-	done     bool          // EOF reached
 }
 
-func (h *hashVerifyReader) Read(p []byte) (int, error) {
+// FetchAndDecryptBlob downloads a blob, decrypts it, and returns the plaintext data.
-	n, err := h.reader.Read(p)
+func (v *Vaultik) FetchAndDecryptBlob(ctx context.Context, blobHash string, expectedSize int64, identity age.Identity) (*FetchAndDecryptBlobResult, error) {
-	if n > 0 {
-		h.hasher.Write(p[:n])
-	}
-	if err == io.EOF {
-		h.done = true
-	}
-	return n, err
-}
-
-// Close verifies the hash (if the stream was fully read) and closes underlying readers.
-func (h *hashVerifyReader) Close() error {
-	readerErr := h.reader.Close()
-	fetcherErr := h.fetcher.Close()
-
-	if h.done {
-		firstHash := h.hasher.Sum(nil)
-		secondHasher := sha256.New()
-		secondHasher.Write(firstHash)
-		actualHashHex := hex.EncodeToString(secondHasher.Sum(nil))
-		if actualHashHex != h.blobHash {
-			return fmt.Errorf("blob hash mismatch: expected %s, got %s", h.blobHash[:16], actualHashHex[:16])
-		}
-	}
-
-	if readerErr != nil {
-		return readerErr
-	}
-	return fetcherErr
-}
-
-// FetchAndDecryptBlob downloads a blob, decrypts and decompresses it, and
-// returns a streaming reader that computes the double-SHA-256 hash on the fly.
-// The hash is verified when the returned reader is closed (after fully reading).
-// This avoids buffering the entire blob in memory.
-func (v *Vaultik) FetchAndDecryptBlob(ctx context.Context, blobHash string, expectedSize int64, identity age.Identity) (io.ReadCloser, error) {
 	rc, _, err := v.FetchBlob(ctx, blobHash, expectedSize)
 	if err != nil {
 		return nil, err
 	}
+	defer func() { _ = rc.Close() }()
 
 	reader, err := blobgen.NewReader(rc, identity)
 	if err != nil {
-		_ = rc.Close()
 		return nil, fmt.Errorf("creating blob reader: %w", err)
 	}
+	defer func() { _ = reader.Close() }()
 
-	return &hashVerifyReader{
+	data, err := io.ReadAll(reader)
-		reader:   reader,
+	if err != nil {
-		fetcher:  rc,
+		return nil, fmt.Errorf("reading blob data: %w", err)
-		hasher:   sha256.New(),
+	}
-		blobHash: blobHash,
+
-	}, nil
+	return &FetchAndDecryptBlobResult{Data: data}, nil
 }
 
 // FetchBlob downloads a blob and returns a reader for the encrypted data.

internal/vaultik/restore.go

@@ -494,23 +494,11 @@ func (v *Vaultik) restoreRegularFile(
 
 // downloadBlob downloads and decrypts a blob
 func (v *Vaultik) downloadBlob(ctx context.Context, blobHash string, expectedSize int64, identity age.Identity) ([]byte, error) {
-	rc, err := v.FetchAndDecryptBlob(ctx, blobHash, expectedSize, identity)
+	result, err := v.FetchAndDecryptBlob(ctx, blobHash, expectedSize, identity)
 	if err != nil {
 		return nil, err
 	}
-
+	return result.Data, nil
-	data, err := io.ReadAll(rc)
-	if err != nil {
-		_ = rc.Close()
-		return nil, fmt.Errorf("reading blob data: %w", err)
-	}
-
-	// Close triggers hash verification
-	if err := rc.Close(); err != nil {
-		return nil, err
-	}
-
-	return data, nil
 }
 
 // verifyRestoredFiles verifies that all restored files match their expected chunk hashes