@wlfi-agent/cli 1.4.13 → 1.4.15

package/crates/vault-daemon/src/tests_parts/part4.rs

@@ -0,0 +1,604 @@
+#[tokio::test]
+async fn disable_policy_stops_enforcement() {
+    let daemon = InMemoryDaemon::new(
+        "vault-password",
+        SoftwareSignerBackend::default(),
+        DaemonConfig::default(),
+    )
+    .expect("daemon");
+
+    let lease = daemon.issue_lease("vault-password").await.expect("lease");
+    let session = AdminSession {
+        vault_password: "vault-password".to_string(),
+        lease,
+    };
+
+    let mut strict = policy_all_per_tx(100);
+    strict.priority = 0;
+    let mut permissive = policy_all_per_tx(1_000);
+    permissive.priority = 1;
+    daemon
+        .add_policy(&session, strict.clone())
+        .await
+        .expect("add strict policy");
+    daemon
+        .add_policy(&session, permissive)
+        .await
+        .expect("add permissive policy");
+
+    let key = daemon
+        .create_vault_key(&session, KeyCreateRequest::Generate)
+        .await
+        .expect("key");
+    let agent_credentials = daemon
+        .create_agent_key(&session, key.id, PolicyAttachment::AllPolicies)
+        .await
+        .expect("agent");
+
+    let deny_action = AgentAction::Transfer {
+        chain_id: 1,
+        token: "0x1000000000000000000000000000000000000000"
+            .parse()
+            .expect("token"),
+        to: "0x2000000000000000000000000000000000000000"
+            .parse()
+            .expect("recipient"),
+        amount_wei: 500,
+    };
+    let err = daemon
+        .sign_for_agent(sign_request(&agent_credentials, deny_action.clone()))
+        .await
+        .expect_err("strict policy must deny before disable");
+    assert!(matches!(
+        err,
+        DaemonError::Policy(PolicyError::PerTxLimitExceeded { .. })
+    ));
+
+    daemon
+        .disable_policy(&session, strict.id)
+        .await
+        .expect("disable strict policy");
+
+    let signature = daemon
+        .sign_for_agent(sign_request(&agent_credentials, deny_action))
+        .await
+        .expect("request should pass after strict policy disable");
+    assert!(!signature.bytes.is_empty());
+}
+
+#[tokio::test]
+async fn rotate_agent_auth_token_invalidates_previous_token() {
+    let daemon = InMemoryDaemon::new(
+        "vault-password",
+        SoftwareSignerBackend::default(),
+        DaemonConfig::default(),
+    )
+    .expect("daemon");
+
+    let lease = daemon.issue_lease("vault-password").await.expect("lease");
+    let session = AdminSession {
+        vault_password: "vault-password".to_string(),
+        lease,
+    };
+    daemon
+        .add_policy(&session, policy_all_per_tx(1_000))
+        .await
+        .expect("add policy");
+
+    let key = daemon
+        .create_vault_key(&session, KeyCreateRequest::Generate)
+        .await
+        .expect("key");
+    let agent_credentials = daemon
+        .create_agent_key(&session, key.id, PolicyAttachment::AllPolicies)
+        .await
+        .expect("agent");
+    let old_token = agent_credentials.auth_token.clone();
+
+    let new_token = daemon
+        .rotate_agent_auth_token(&session, agent_credentials.agent_key.id)
+        .await
+        .expect("rotate token");
+    assert_ne!(old_token, new_token);
+
+    let action = AgentAction::Transfer {
+        chain_id: 1,
+        token: "0x3000000000000000000000000000000000000000"
+            .parse()
+            .expect("token"),
+        to: "0x4000000000000000000000000000000000000000"
+            .parse()
+            .expect("recipient"),
+        amount_wei: 1,
+    };
+
+    let old_request = sign_request(&agent_credentials, action.clone());
+    let err = daemon
+        .sign_for_agent(old_request)
+        .await
+        .expect_err("old token must be rejected after rotation");
+    assert!(matches!(err, DaemonError::AgentAuthenticationFailed));
+
+    let mut rotated_credentials = agent_credentials;
+    rotated_credentials.auth_token = new_token;
+    let signature = daemon
+        .sign_for_agent(sign_request(&rotated_credentials, action))
+        .await
+        .expect("new token should sign");
+    assert!(!signature.bytes.is_empty());
+}
+
+#[tokio::test]
+async fn revoke_agent_key_blocks_future_signing() {
+    let daemon = InMemoryDaemon::new(
+        "vault-password",
+        SoftwareSignerBackend::default(),
+        DaemonConfig::default(),
+    )
+    .expect("daemon");
+
+    let lease = daemon.issue_lease("vault-password").await.expect("lease");
+    let session = AdminSession {
+        vault_password: "vault-password".to_string(),
+        lease,
+    };
+    daemon
+        .add_policy(&session, policy_all_per_tx(1_000))
+        .await
+        .expect("add policy");
+
+    let key = daemon
+        .create_vault_key(&session, KeyCreateRequest::Generate)
+        .await
+        .expect("key");
+    let agent_credentials = daemon
+        .create_agent_key(&session, key.id, PolicyAttachment::AllPolicies)
+        .await
+        .expect("agent");
+
+    daemon
+        .revoke_agent_key(&session, agent_credentials.agent_key.id)
+        .await
+        .expect("revoke key");
+
+    let err = daemon
+        .sign_for_agent(sign_request(
+            &agent_credentials,
+            AgentAction::Transfer {
+                chain_id: 1,
+                token: "0x1000000000000000000000000000000000000000"
+                    .parse()
+                    .expect("token"),
+                to: "0x2000000000000000000000000000000000000000"
+                    .parse()
+                    .expect("recipient"),
+                amount_wei: 1,
+            },
+        ))
+        .await
+        .expect_err("revoked key must not sign");
+    assert!(matches!(err, DaemonError::AgentAuthenticationFailed));
+
+    let err = daemon
+        .revoke_agent_key(&session, agent_credentials.agent_key.id)
+        .await
+        .expect_err("second revoke should report unknown key");
+    assert!(matches!(err, DaemonError::UnknownAgentKey(_)));
+}
+
+#[tokio::test]
+async fn evaluate_for_agent_has_no_spend_side_effects() {
+    let daemon = InMemoryDaemon::new(
+        "vault-password",
+        SoftwareSignerBackend::default(),
+        DaemonConfig::default(),
+    )
+    .expect("daemon");
+
+    let lease = daemon.issue_lease("vault-password").await.expect("lease");
+    let session = AdminSession {
+        vault_password: "vault-password".to_string(),
+        lease,
+    };
+    daemon
+        .add_policy(&session, policy_all_per_tx(1_000))
+        .await
+        .expect("add spend policy");
+    daemon
+        .add_policy(
+            &session,
+            SpendingPolicy::new(
+                1,
+                PolicyType::DailyMaxTxCount,
+                1,
+                EntityScope::All,
+                EntityScope::All,
+                EntityScope::All,
+            )
+            .expect("daily tx count policy"),
+        )
+        .await
+        .expect("add tx-count policy");
+
+    let key = daemon
+        .create_vault_key(&session, KeyCreateRequest::Generate)
+        .await
+        .expect("key");
+    let agent_credentials = daemon
+        .create_agent_key(&session, key.id, PolicyAttachment::AllPolicies)
+        .await
+        .expect("agent");
+
+    let action = AgentAction::Transfer {
+        chain_id: 1,
+        token: "0x5000000000000000000000000000000000000000"
+            .parse()
+            .expect("token"),
+        to: "0x6000000000000000000000000000000000000000"
+            .parse()
+            .expect("recipient"),
+        amount_wei: 1,
+    };
+    let request = sign_request(&agent_credentials, action.clone());
+
+    let first = daemon
+        .evaluate_for_agent(request.clone())
+        .await
+        .expect("first evaluation should pass");
+    assert_eq!(first.evaluated_policy_ids.len(), 2);
+    assert_eq!(daemon.spend_log.read().expect("log read").len(), 0);
+
+    let second = daemon
+        .evaluate_for_agent(request.clone())
+        .await
+        .expect("second evaluation should also pass (no spend side effects)");
+    assert_eq!(first.evaluated_policy_ids, second.evaluated_policy_ids);
+    assert_eq!(daemon.spend_log.read().expect("log read").len(), 0);
+
+    daemon
+        .sign_for_agent(sign_request(&agent_credentials, action.clone()))
+        .await
+        .expect("sign should pass once");
+    let err = daemon
+        .evaluate_for_agent(sign_request(&agent_credentials, action))
+        .await
+        .expect_err("tx-count policy should deny after signed spend is recorded");
+    assert!(matches!(
+        err,
+        DaemonError::Policy(PolicyError::TxCountLimitExceeded { .. })
+    ));
+}
+
+#[tokio::test]
+async fn daily_spend_limit_counts_in_scope_history_across_assets_and_chains() {
+    let daemon = InMemoryDaemon::new(
+        "vault-password",
+        SoftwareSignerBackend::default(),
+        DaemonConfig::default(),
+    )
+    .expect("daemon");
+
+    let lease = daemon.issue_lease("vault-password").await.expect("lease");
+    let session = AdminSession {
+        vault_password: "vault-password".to_string(),
+        lease,
+    };
+    daemon
+        .add_policy(
+            &session,
+            SpendingPolicy::new(
+                0,
+                PolicyType::DailyMaxSpending,
+                100,
+                EntityScope::All,
+                EntityScope::All,
+                EntityScope::All,
+            )
+            .expect("daily spend policy"),
+        )
+        .await
+        .expect("add daily spend policy");
+
+    let key = daemon
+        .create_vault_key(&session, KeyCreateRequest::Generate)
+        .await
+        .expect("key");
+    let agent_credentials = daemon
+        .create_agent_key(&session, key.id, PolicyAttachment::AllPolicies)
+        .await
+        .expect("agent");
+
+    daemon
+        .sign_for_agent(sign_request(
+            &agent_credentials,
+            AgentAction::Transfer {
+                chain_id: 1,
+                token: "0x5100000000000000000000000000000000000000"
+                    .parse()
+                    .expect("token"),
+                to: "0x6100000000000000000000000000000000000000"
+                    .parse()
+                    .expect("recipient"),
+                amount_wei: 70,
+            },
+        ))
+        .await
+        .expect("first spend should pass");
+
+    daemon
+        .sign_for_agent(sign_request(
+            &agent_credentials,
+            AgentAction::TransferNative {
+                chain_id: 10,
+                to: "0x6200000000000000000000000000000000000000"
+                    .parse()
+                    .expect("recipient"),
+                amount_wei: 20,
+            },
+        ))
+        .await
+        .expect("second spend should pass");
+
+    let err = daemon
+        .sign_for_agent(sign_request(
+            &agent_credentials,
+            AgentAction::Transfer {
+                chain_id: 137,
+                token: "0x5200000000000000000000000000000000000000"
+                    .parse()
+                    .expect("token"),
+                to: "0x6200000000000000000000000000000000000000"
+                    .parse()
+                    .expect("recipient"),
+                amount_wei: 15,
+            },
+        ))
+        .await
+        .expect_err("daily limit should deny after aggregate usage reaches 90");
+    assert!(matches!(
+        err,
+        DaemonError::Policy(PolicyError::WindowLimitExceeded {
+            used_amount_wei: 90,
+            requested_amount_wei: 15,
+            ..
+        })
+    ));
+}
+
+#[tokio::test]
+async fn persistent_store_restores_policies_and_agent_auth_state() {
+    let state_path = unique_state_path("restore");
+    let config = DaemonConfig::default();
+
+    let daemon = InMemoryDaemon::new_with_persistent_store(
+        "vault-password",
+        SoftwareSignerBackend::default(),
+        config.clone(),
+        PersistentStoreConfig::new(state_path.clone()),
+    )
+    .expect("daemon");
+
+    let lease = daemon.issue_lease("vault-password").await.expect("lease");
+    let session = AdminSession {
+        vault_password: "vault-password".to_string(),
+        lease,
+    };
+
+    let policy = policy_all_per_tx(1_000);
+    daemon
+        .add_policy(&session, policy.clone())
+        .await
+        .expect("add policy");
+
+    let key = daemon
+        .create_vault_key(&session, KeyCreateRequest::Generate)
+        .await
+        .expect("key");
+    let agent_credentials = daemon
+        .create_agent_key(&session, key.id, PolicyAttachment::AllPolicies)
+        .await
+        .expect("agent");
+
+    let action = AgentAction::Transfer {
+        chain_id: 1,
+        token: "0x1500000000000000000000000000000000000000"
+            .parse()
+            .expect("token"),
+        to: "0x2500000000000000000000000000000000000000"
+            .parse()
+            .expect("recipient"),
+        amount_wei: 1,
+    };
+    let request = sign_request(&agent_credentials, action);
+    daemon
+        .evaluate_for_agent(request.clone())
+        .await
+        .expect("evaluate before restart");
+    drop(daemon);
+
+    let restarted = InMemoryDaemon::new_with_persistent_store(
+        "vault-password",
+        SoftwareSignerBackend::default(),
+        config,
+        PersistentStoreConfig::new(state_path.clone()),
+    )
+    .expect("restarted daemon");
+    let lease = restarted
+        .issue_lease("vault-password")
+        .await
+        .expect("lease after restart");
+    let session = AdminSession {
+        vault_password: "vault-password".to_string(),
+        lease,
+    };
+    let listed = restarted
+        .list_policies(&session)
+        .await
+        .expect("list policies");
+    assert!(
+        listed.iter().any(|item| item.id == policy.id),
+        "policy should persist across restart"
+    );
+    restarted
+        .evaluate_for_agent(request)
+        .await
+        .expect("evaluate after restart");
+    restarted
+        .sign_for_agent(sign_request(
+            &agent_credentials,
+            AgentAction::Transfer {
+                chain_id: 1,
+                token: "0x1500000000000000000000000000000000000000"
+                    .parse()
+                    .expect("token"),
+                to: "0x2500000000000000000000000000000000000000"
+                    .parse()
+                    .expect("recipient"),
+                amount_wei: 1,
+            },
+        ))
+        .await
+        .expect("sign after restart");
+
+    std::fs::remove_file(&state_path).expect("cleanup");
+}
+
+#[tokio::test]
+async fn persistent_store_rejects_wrong_password() {
+    let state_path = unique_state_path("wrong-password");
+    let config = DaemonConfig::default();
+
+    let daemon = InMemoryDaemon::new_with_persistent_store(
+        "vault-password",
+        SoftwareSignerBackend::default(),
+        config.clone(),
+        PersistentStoreConfig::new(state_path.clone()),
+    )
+    .expect("daemon");
+    let lease = daemon.issue_lease("vault-password").await.expect("lease");
+    let session = AdminSession {
+        vault_password: "vault-password".to_string(),
+        lease,
+    };
+    daemon
+        .add_policy(&session, policy_all_per_tx(10))
+        .await
+        .expect("add policy");
+    drop(daemon);
+
+    let err = match InMemoryDaemon::new_with_persistent_store(
+        "wrong-password",
+        SoftwareSignerBackend::default(),
+        config,
+        PersistentStoreConfig::new(state_path.clone()),
+    ) {
+        Ok(_) => panic!("wrong password must fail state load"),
+        Err(err) => err,
+    };
+    assert!(matches!(err, DaemonError::Persistence(_)));
+
+    std::fs::remove_file(&state_path).expect("cleanup");
+}
+
+#[test]
+fn validate_loaded_state_rejects_insecure_remote_http_relay_url() {
+    let daemon = InMemoryDaemon::new(
+        "vault-password",
+        SoftwareSignerBackend::default(),
+        DaemonConfig::default(),
+    )
+    .expect("daemon");
+
+    let mut state = daemon.snapshot_state().expect("state snapshot");
+    state.relay_config.relay_url = Some("http://relay.example".to_string());
+
+    let err = validate_loaded_state(&state).expect_err("insecure persisted relay URL must fail");
+    assert!(
+        matches!(err, DaemonError::InvalidRelayConfig(message) if message.contains("must use https unless it targets localhost or a loopback address"))
+    );
+}
+
+#[cfg(unix)]
+#[tokio::test]
+async fn persistent_store_rejects_group_writable_ancestor_directory() {
+    use std::os::unix::fs::PermissionsExt;
+
+    let unique = SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .expect("time")
+        .as_nanos();
+    let root = std::env::temp_dir().join(format!(
+        "wlfi-daemon-persistence-parent-{}-{}",
+        std::process::id(),
+        unique
+    ));
+    let insecure = root.join("insecure");
+    let leaf = insecure.join("leaf");
+    std::fs::create_dir_all(&leaf).expect("create test directories");
+    std::fs::set_permissions(&insecure, std::fs::Permissions::from_mode(0o770))
+        .expect("set insecure ancestor permissions");
+
+    let err = match InMemoryDaemon::new_with_persistent_store(
+        "vault-password",
+        SoftwareSignerBackend::default(),
+        DaemonConfig::default(),
+        PersistentStoreConfig::new(leaf.join("daemon-state.enc")),
+    ) {
+        Ok(_) => panic!("group-writable ancestor must be rejected"),
+        Err(err) => err,
+    };
+    assert!(
+        matches!(err, DaemonError::Persistence(message) if message.contains("state directory") && message.contains("must not be writable by group/other"))
+    );
+
+    std::fs::set_permissions(&insecure, std::fs::Permissions::from_mode(0o700))
+        .expect("restore ancestor permissions for cleanup");
+    std::fs::remove_dir_all(&root).expect("cleanup directories");
+}
+
+#[cfg(unix)]
+#[tokio::test]
+async fn persistent_store_rejects_group_readable_state_file() {
+    use std::os::unix::fs::PermissionsExt;
+
+    let state_path = unique_state_path("group-readable");
+    let config = DaemonConfig::default();
+
+    let daemon = InMemoryDaemon::new_with_persistent_store(
+        "vault-password",
+        SoftwareSignerBackend::default(),
+        config.clone(),
+        PersistentStoreConfig::new(state_path.clone()),
+    )
+    .expect("daemon");
+    let lease = daemon.issue_lease("vault-password").await.expect("lease");
+    let session = AdminSession {
+        vault_password: "vault-password".to_string(),
+        lease,
+    };
+    daemon
+        .add_policy(&session, policy_all_per_tx(10))
+        .await
+        .expect("add policy");
+    drop(daemon);
+
+    std::fs::set_permissions(&state_path, std::fs::Permissions::from_mode(0o640))
+        .expect("set insecure state file permissions");
+
+    let err = match InMemoryDaemon::new_with_persistent_store(
+        "vault-password",
+        SoftwareSignerBackend::default(),
+        config,
+        PersistentStoreConfig::new(state_path.clone()),
+    ) {
+        Ok(_) => panic!("group-readable state file must be rejected"),
+        Err(err) => err,
+    };
+    assert!(
+        matches!(err, DaemonError::Persistence(message) if message.contains("state file") && message.contains("must not grant group/other permissions"))
+    );
+
+    std::fs::set_permissions(&state_path, std::fs::Permissions::from_mode(0o600))
+        .expect("restore state file permissions for cleanup");
+    std::fs::remove_file(&state_path).expect("cleanup state file");
+}

package/crates/vault-domain/Cargo.toml

@@ -0,0 +1,20 @@
+[package]
+name = "vault-domain"
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+authors.workspace = true
+
+[dependencies]
+alloy-primitives.workspace = true
+alloy-sol-types.workspace = true
+hex.workspace = true
+serde.workspace = true
+sha2.workspace = true
+thiserror.workspace = true
+time.workspace = true
+uuid.workspace = true
+zeroize.workspace = true
+
+[dev-dependencies]
+serde_json.workspace = true