clawbot
8c59f55096
All checks were successful
check / check (push) Successful in 2m27s
## Summary Add double-SHA-256 hash verification of decrypted plaintext in `FetchAndDecryptBlob`. This ensures blob integrity during restore operations by comparing the computed hash against the expected blob hash before returning data to the caller. The blob hash is `SHA256(SHA256(plaintext))` as produced by `blobgen.Writer.Sum256()`. Verification happens after decryption and decompression but before the data is used. ## Test Added `blob_fetch_hash_test.go` with tests for: - Correct hash passes verification - Mismatched hash returns descriptive error ## make test output ``` golangci-lint run 0 issues. ok git.eeqj.de/sneak/vaultik/internal/blob 4.563s ok git.eeqj.de/sneak/vaultik/internal/blobgen 3.981s ok git.eeqj.de/sneak/vaultik/internal/chunker 4.127s ok git.eeqj.de/sneak/vaultik/internal/cli 1.499s ok git.eeqj.de/sneak/vaultik/internal/config 1.905s ok git.eeqj.de/sneak/vaultik/internal/crypto 0.519s ok git.eeqj.de/sneak/vaultik/internal/database 4.590s ok git.eeqj.de/sneak/vaultik/internal/globals 0.650s ok git.eeqj.de/sneak/vaultik/internal/models 0.779s ok git.eeqj.de/sneak/vaultik/internal/pidlock 2.945s ok git.eeqj.de/sneak/vaultik/internal/s3 3.286s ok git.eeqj.de/sneak/vaultik/internal/snapshot 3.979s ok git.eeqj.de/sneak/vaultik/internal/vaultik 4.418s ``` All tests pass, 0 lint issues. Co-authored-by: user <user@Mac.lan guest wan> Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de> Reviewed-on: #39 Co-authored-by: clawbot <sneak+clawbot@sneak.cloud> Co-committed-by: clawbot <sneak+clawbot@sneak.cloud>
101 lines
3.1 KiB
Go
101 lines
3.1 KiB
Go
package vaultik_test
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"crypto/sha256"
|
|
"encoding/hex"
|
|
"io"
|
|
"strings"
|
|
"testing"
|
|
|
|
"filippo.io/age"
|
|
"git.eeqj.de/sneak/vaultik/internal/blobgen"
|
|
"git.eeqj.de/sneak/vaultik/internal/vaultik"
|
|
)
|
|
|
|
// TestFetchAndDecryptBlobVerifiesHash verifies that FetchAndDecryptBlob checks
|
|
// the double-SHA-256 hash of the decrypted plaintext against the expected blob hash.
|
|
func TestFetchAndDecryptBlobVerifiesHash(t *testing.T) {
|
|
identity, err := age.GenerateX25519Identity()
|
|
if err != nil {
|
|
t.Fatalf("generating identity: %v", err)
|
|
}
|
|
|
|
// Create test data and encrypt it using blobgen.Writer
|
|
plaintext := []byte("hello world test data for blob hash verification")
|
|
var encBuf bytes.Buffer
|
|
writer, err := blobgen.NewWriter(&encBuf, 1, []string{identity.Recipient().String()})
|
|
if err != nil {
|
|
t.Fatalf("creating blobgen writer: %v", err)
|
|
}
|
|
if _, err := writer.Write(plaintext); err != nil {
|
|
t.Fatalf("writing plaintext: %v", err)
|
|
}
|
|
if err := writer.Close(); err != nil {
|
|
t.Fatalf("closing writer: %v", err)
|
|
}
|
|
encryptedData := encBuf.Bytes()
|
|
|
|
// Compute correct double-SHA-256 hash of the plaintext (matches blobgen.Writer.Sum256)
|
|
firstHash := sha256.Sum256(plaintext)
|
|
secondHash := sha256.Sum256(firstHash[:])
|
|
correctHash := hex.EncodeToString(secondHash[:])
|
|
|
|
// Verify our hash matches what blobgen.Writer produces
|
|
writerHash := hex.EncodeToString(writer.Sum256())
|
|
if correctHash != writerHash {
|
|
t.Fatalf("hash computation mismatch: manual=%s, writer=%s", correctHash, writerHash)
|
|
}
|
|
|
|
// Set up mock storage with the blob at the correct path
|
|
mockStorage := NewMockStorer()
|
|
blobPath := "blobs/" + correctHash[:2] + "/" + correctHash[2:4] + "/" + correctHash
|
|
mockStorage.mu.Lock()
|
|
mockStorage.data[blobPath] = encryptedData
|
|
mockStorage.mu.Unlock()
|
|
|
|
tv := vaultik.NewForTesting(mockStorage)
|
|
ctx := context.Background()
|
|
|
|
t.Run("correct hash succeeds", func(t *testing.T) {
|
|
rc, err := tv.FetchAndDecryptBlob(ctx, correctHash, int64(len(encryptedData)), identity)
|
|
if err != nil {
|
|
t.Fatalf("expected success, got error: %v", err)
|
|
}
|
|
data, err := io.ReadAll(rc)
|
|
if err != nil {
|
|
t.Fatalf("reading stream: %v", err)
|
|
}
|
|
if err := rc.Close(); err != nil {
|
|
t.Fatalf("close (hash verification) failed: %v", err)
|
|
}
|
|
if !bytes.Equal(data, plaintext) {
|
|
t.Fatalf("decrypted data mismatch: got %q, want %q", data, plaintext)
|
|
}
|
|
})
|
|
|
|
t.Run("wrong hash fails", func(t *testing.T) {
|
|
// Use a fake hash that doesn't match the actual plaintext
|
|
fakeHash := strings.Repeat("ab", 32) // 64 hex chars
|
|
fakePath := "blobs/" + fakeHash[:2] + "/" + fakeHash[2:4] + "/" + fakeHash
|
|
mockStorage.mu.Lock()
|
|
mockStorage.data[fakePath] = encryptedData
|
|
mockStorage.mu.Unlock()
|
|
|
|
rc, err := tv.FetchAndDecryptBlob(ctx, fakeHash, int64(len(encryptedData)), identity)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error opening stream: %v", err)
|
|
}
|
|
// Read all data — hash is verified on Close
|
|
_, _ = io.ReadAll(rc)
|
|
err = rc.Close()
|
|
if err == nil {
|
|
t.Fatal("expected error for mismatched hash, got nil")
|
|
}
|
|
if !strings.Contains(err.Error(), "hash mismatch") {
|
|
t.Fatalf("expected hash mismatch error, got: %v", err)
|
|
}
|
|
})
|
|
}
|