@wlfi-agent/cli 1.4.17 → 1.4.19

package/crates/vault-transport-xpc/src/tests.rs

@@ -1,14 +1,92 @@
 use super::{
-    parse_code_sign_requirement, recv_matching_response, validate_wire_lengths,
-    IncomingWireMessage, XpcDaemonClient, XpcDaemonServer, XpcTransportError, MAX_WIRE_BODY_BYTES,
-    MAX_WIRE_REQUEST_ID_BYTES,
+    decode_wire_request, decode_wire_response, encode_wire_request, encode_wire_response,
+    enforce_wire_response_limits, extract_safe_request_id, get_dict_bool, get_dict_string,
+    parse_code_sign_requirement, recv_matching_response, serialize_wire_daemon_error,
+    set_dict_bool, set_dict_string, validate_wire_lengths, IncomingWireMessage, WireDaemonError,
+    WireRequest, WireResponse, XpcDaemonClient, XpcDaemonServer, XpcTransportError,
+    MAX_WIRE_BODY_BYTES, MAX_WIRE_REQUEST_ID_BYTES,
 };
 use std::collections::BTreeSet;
+use std::ptr;
 use std::sync::Arc;
 use std::time::Duration;
+use time::OffsetDateTime;
+use uuid::Uuid;
 use vault_daemon::{DaemonConfig, DaemonError, InMemoryDaemon, KeyManagerDaemonApi};
+use vault_domain::{
+    AdminSession, AgentAction, AgentCredentials, EntityScope, ManualApprovalDecision,
+    ManualApprovalStatus, NonceReleaseRequest, NonceReservationRequest, PolicyAttachment,
+    SignRequest, SpendingPolicy,
+};
+use vault_policy::PolicyError;
 use vault_signer::{KeyCreateRequest, SignerError, SoftwareSignerBackend};
 
+fn test_daemon() -> Arc<InMemoryDaemon<SoftwareSignerBackend>> {
+    Arc::new(
+        InMemoryDaemon::new(
+            "vault-password",
+            SoftwareSignerBackend::default(),
+            DaemonConfig::default(),
+        )
+        .expect("daemon"),
+    )
+}
+
+fn start_test_server(
+    daemon: Arc<InMemoryDaemon<SoftwareSignerBackend>>,
+) -> XpcDaemonServer {
+    #[cfg(debug_assertions)]
+    {
+        XpcDaemonServer::start_inmemory_with_allowed_euid(
+            daemon,
+            tokio::runtime::Handle::current(),
+            unsafe { libc::geteuid() },
+        )
+        .expect("server")
+    }
+    #[cfg(not(debug_assertions))]
+    {
+        XpcDaemonServer::start_inmemory(daemon, tokio::runtime::Handle::current()).expect("server")
+    }
+}
+
+fn connect_test_client(server: &XpcDaemonServer) -> XpcDaemonClient {
+    XpcDaemonClient::connect(&server.endpoint(), Duration::from_secs(5)).expect("client")
+}
+
+async fn admin_session(client: &XpcDaemonClient) -> AdminSession {
+    let lease = client.issue_lease("vault-password").await.expect("lease");
+    AdminSession {
+        vault_password: "vault-password".to_string(),
+        lease,
+    }
+}
+
+fn transfer_action(amount_wei: u128) -> AgentAction {
+    AgentAction::Transfer {
+        chain_id: 1,
+        token: "0x7100000000000000000000000000000000000000"
+            .parse()
+            .expect("token"),
+        to: "0x8100000000000000000000000000000000000000"
+            .parse()
+            .expect("recipient"),
+        amount_wei,
+    }
+}
+
+fn sign_request(agent_credentials: &AgentCredentials, action: AgentAction) -> SignRequest {
+    SignRequest {
+        request_id: Uuid::new_v4(),
+        agent_key_id: agent_credentials.agent_key.id,
+        agent_auth_token: agent_credentials.auth_token.clone(),
+        payload: serde_json::to_vec(&action).expect("payload"),
+        action,
+        requested_at: OffsetDateTime::now_utc(),
+        expires_at: OffsetDateTime::now_utc() + time::Duration::minutes(2),
+    }
+}
+
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn xpc_round_trip_for_issue_lease() {
     #[cfg(not(debug_assertions))]
@@ -816,3 +894,453 @@ fn receive_loop_times_out_when_only_mismatched_responses_arrive() {
     .expect_err("mismatched responses must eventually timeout");
     assert!(matches!(err, XpcTransportError::Timeout));
 }
+
+#[test]
+fn wire_daemon_error_roundtrip_covers_all_variants() {
+    let vault_key_id = Uuid::new_v4();
+    let agent_key_id = Uuid::new_v4();
+    let policy_id = Uuid::new_v4();
+    let approval_request_id = Uuid::new_v4();
+    let reservation_id = Uuid::new_v4();
+
+    macro_rules! assert_roundtrip {
+        ($err:expr, $pat:pat $(if $guard:expr)? ) => {{
+            let roundtrip = WireDaemonError::from($err).into_daemon_error();
+            assert!(matches!(roundtrip, $pat $(if $guard)?));
+        }};
+    }
+
+    assert_roundtrip!(DaemonError::AuthenticationFailed, DaemonError::AuthenticationFailed);
+    assert_roundtrip!(DaemonError::UnknownLease, DaemonError::UnknownLease);
+    assert_roundtrip!(DaemonError::InvalidLease, DaemonError::InvalidLease);
+    assert_roundtrip!(DaemonError::TooManyActiveLeases, DaemonError::TooManyActiveLeases);
+    assert_roundtrip!(
+        DaemonError::UnknownVaultKey(vault_key_id),
+        DaemonError::UnknownVaultKey(id) if id == vault_key_id
+    );
+    assert_roundtrip!(
+        DaemonError::UnknownAgentKey(agent_key_id),
+        DaemonError::UnknownAgentKey(id) if id == agent_key_id
+    );
+    assert_roundtrip!(
+        DaemonError::UnknownPolicy(policy_id),
+        DaemonError::UnknownPolicy(id) if id == policy_id
+    );
+    assert_roundtrip!(
+        DaemonError::UnknownManualApprovalRequest(approval_request_id),
+        DaemonError::UnknownManualApprovalRequest(id) if id == approval_request_id
+    );
+    assert_roundtrip!(
+        DaemonError::AgentAuthenticationFailed,
+        DaemonError::AgentAuthenticationFailed
+    );
+    assert_roundtrip!(
+        DaemonError::PayloadActionMismatch,
+        DaemonError::PayloadActionMismatch
+    );
+    assert_roundtrip!(
+        DaemonError::PayloadTooLarge { max_bytes: 4096 },
+        DaemonError::PayloadTooLarge { max_bytes } if max_bytes == 4096
+    );
+    assert_roundtrip!(
+        DaemonError::InvalidRequestTimestamps,
+        DaemonError::InvalidRequestTimestamps
+    );
+    assert_roundtrip!(DaemonError::RequestExpired, DaemonError::RequestExpired);
+    assert_roundtrip!(
+        DaemonError::RequestReplayDetected,
+        DaemonError::RequestReplayDetected
+    );
+    assert_roundtrip!(
+        DaemonError::InvalidPolicyAttachment("bad attachment".to_string()),
+        DaemonError::InvalidPolicyAttachment(ref msg) if msg == "bad attachment"
+    );
+    assert_roundtrip!(
+        DaemonError::InvalidNonceReservation("bad reservation".to_string()),
+        DaemonError::InvalidNonceReservation(ref msg) if msg == "bad reservation"
+    );
+    assert_roundtrip!(
+        DaemonError::UnknownNonceReservation(reservation_id),
+        DaemonError::UnknownNonceReservation(id) if id == reservation_id
+    );
+    assert_roundtrip!(
+        DaemonError::MissingNonceReservation {
+            chain_id: 1,
+            nonce: 7
+        },
+        DaemonError::MissingNonceReservation { chain_id, nonce } if chain_id == 1 && nonce == 7
+    );
+    assert_roundtrip!(
+        DaemonError::InvalidPolicy("bad policy".to_string()),
+        DaemonError::InvalidPolicy(ref msg) if msg == "bad policy"
+    );
+    assert_roundtrip!(
+        DaemonError::InvalidRelayConfig("bad relay".to_string()),
+        DaemonError::InvalidRelayConfig(ref msg) if msg == "bad relay"
+    );
+    assert_roundtrip!(
+        DaemonError::ManualApprovalRequired {
+            approval_request_id,
+            relay_url: Some("https://relay.example".to_string()),
+            frontend_url: Some("https://frontend.example".to_string()),
+        },
+        DaemonError::ManualApprovalRequired {
+            approval_request_id: id,
+            ref relay_url,
+            ref frontend_url,
+        } if id == approval_request_id
+            && relay_url.as_deref() == Some("https://relay.example")
+            && frontend_url.as_deref() == Some("https://frontend.example")
+    );
+    assert_roundtrip!(
+        DaemonError::ManualApprovalRejected { approval_request_id },
+        DaemonError::ManualApprovalRejected { approval_request_id: id } if id == approval_request_id
+    );
+    assert_roundtrip!(
+        DaemonError::ManualApprovalRequestNotPending {
+            approval_request_id,
+            status: ManualApprovalStatus::Completed,
+        },
+        DaemonError::ManualApprovalRequestNotPending {
+            approval_request_id: id,
+            status,
+        } if id == approval_request_id && status == ManualApprovalStatus::Completed
+    );
+    assert_roundtrip!(
+        DaemonError::Policy(PolicyError::NoAttachedPolicies),
+        DaemonError::Policy(PolicyError::NoAttachedPolicies)
+    );
+    assert_roundtrip!(
+        DaemonError::Signer(SignerError::PermissionDenied("no root".to_string())),
+        DaemonError::Signer(SignerError::PermissionDenied(ref msg)) if msg == "no root"
+    );
+    assert_roundtrip!(
+        DaemonError::PasswordHash("bad hash".to_string()),
+        DaemonError::PasswordHash(ref msg) if msg == "bad hash"
+    );
+    assert_roundtrip!(
+        DaemonError::InvalidConfig("bad config".to_string()),
+        DaemonError::InvalidConfig(ref msg) if msg == "bad config"
+    );
+    assert_roundtrip!(DaemonError::LockPoisoned, DaemonError::LockPoisoned);
+    assert_roundtrip!(
+        DaemonError::Transport("wire broken".to_string()),
+        DaemonError::Transport(ref msg) if msg == "wire broken"
+    );
+    assert_roundtrip!(
+        DaemonError::Persistence("disk full".to_string()),
+        DaemonError::Persistence(ref msg) if msg == "disk full"
+    );
+}
+
+#[test]
+fn serialize_wire_daemon_error_and_response_limit_helpers_cover_remaining_paths() {
+    let serialized = serialize_wire_daemon_error(DaemonError::Transport("transport".to_string()));
+    let parsed: WireDaemonError = serde_json::from_str(&serialized).expect("deserialize");
+    assert!(matches!(parsed, WireDaemonError::Transport(msg) if msg == "transport"));
+
+    let passthrough = WireResponse {
+        request_id: "ok-id".to_string(),
+        ok: true,
+        body_json: "{}".to_string(),
+    };
+    let passthrough = enforce_wire_response_limits(passthrough.clone());
+    assert_eq!(passthrough.request_id, "ok-id");
+    assert!(passthrough.ok);
+    assert_eq!(passthrough.body_json, "{}");
+
+    let oversized_body = WireResponse {
+        request_id: "ok-id".to_string(),
+        ok: true,
+        body_json: "x".repeat(MAX_WIRE_BODY_BYTES + 1),
+    };
+    let oversized_body = enforce_wire_response_limits(oversized_body);
+    assert_eq!(oversized_body.request_id, "ok-id");
+    assert!(!oversized_body.ok);
+    assert!(oversized_body.body_json.contains("wire body exceeds max bytes"));
+
+    let oversized_id = WireResponse {
+        request_id: "r".repeat(MAX_WIRE_REQUEST_ID_BYTES + 1),
+        ok: true,
+        body_json: "{}".to_string(),
+    };
+    let oversized_id = enforce_wire_response_limits(oversized_id);
+    assert_eq!(oversized_id.request_id, Uuid::nil().to_string());
+    assert!(!oversized_id.ok);
+    assert!(oversized_id.body_json.contains("wire request id exceeds max bytes"));
+}
+
+#[test]
+fn xpc_dictionary_helpers_roundtrip_and_guard_invalid_fields() {
+    let wire_request = WireRequest {
+        request_id: "request-1".to_string(),
+        body_json: "{\"hello\":true}".to_string(),
+    };
+    let encoded_request = encode_wire_request(&wire_request).expect("encode request");
+    let decoded_request = decode_wire_request(encoded_request).expect("decode request");
+    assert_eq!(decoded_request.request_id, wire_request.request_id);
+    assert_eq!(decoded_request.body_json, wire_request.body_json);
+    unsafe {
+        super::xpc_release(encoded_request);
+    }
+
+    let wire_response = WireResponse {
+        request_id: "response-1".to_string(),
+        ok: true,
+        body_json: "{\"ok\":true}".to_string(),
+    };
+    let encoded_response = encode_wire_response(&wire_response).expect("encode response");
+    let decoded_response = decode_wire_response(encoded_response).expect("decode response");
+    assert_eq!(decoded_response.request_id, wire_response.request_id);
+    assert!(decoded_response.ok);
+    assert_eq!(decoded_response.body_json, wire_response.body_json);
+    unsafe {
+        super::xpc_release(encoded_response);
+    }
+
+    let dict = unsafe { super::xpc_dictionary_create(ptr::null(), ptr::null(), 0) };
+    assert!(!dict.is_null());
+    set_dict_string(dict, "wlfi_request_id", "request-2").expect("request id");
+    set_dict_string(dict, "wlfi_kind", "response").expect("kind");
+    set_dict_bool(dict, "wlfi_ok", false).expect("bool");
+    assert_eq!(
+        get_dict_string(dict, "wlfi_request_id").expect("read string"),
+        "request-2"
+    );
+    assert!(!get_dict_bool(dict, "wlfi_ok").expect("read bool"));
+    assert!(matches!(
+        get_dict_string(dict, "missing"),
+        Err(XpcTransportError::Protocol(_))
+    ));
+    unsafe {
+        super::xpc_release(dict);
+    }
+
+    let wrong_kind = unsafe { super::xpc_dictionary_create(ptr::null(), ptr::null(), 0) };
+    assert!(!wrong_kind.is_null());
+    set_dict_string(wrong_kind, "wlfi_kind", "wrong").expect("kind");
+    set_dict_string(wrong_kind, "wlfi_request_id", "request-3").expect("request id");
+    set_dict_string(wrong_kind, "wlfi_body", "{}").expect("body");
+    assert!(matches!(
+        decode_wire_request(wrong_kind),
+        Err(XpcTransportError::Protocol(_))
+    ));
+    unsafe {
+        super::xpc_release(wrong_kind);
+    }
+
+    let wrong_response_kind = unsafe { super::xpc_dictionary_create(ptr::null(), ptr::null(), 0) };
+    assert!(!wrong_response_kind.is_null());
+    set_dict_string(wrong_response_kind, "wlfi_kind", "request").expect("kind");
+    set_dict_string(wrong_response_kind, "wlfi_request_id", "request-4").expect("request id");
+    set_dict_string(wrong_response_kind, "wlfi_body", "{}").expect("body");
+    set_dict_bool(wrong_response_kind, "wlfi_ok", true).expect("bool");
+    assert!(matches!(
+        decode_wire_response(wrong_response_kind),
+        Err(XpcTransportError::Protocol(_))
+    ));
+    unsafe {
+        super::xpc_release(wrong_response_kind);
+    }
+
+    let missing_id = unsafe { super::xpc_dictionary_create(ptr::null(), ptr::null(), 0) };
+    assert_eq!(extract_safe_request_id(missing_id), Uuid::nil().to_string());
+    unsafe {
+        super::xpc_release(missing_id);
+    }
+
+    let oversized_id = unsafe { super::xpc_dictionary_create(ptr::null(), ptr::null(), 0) };
+    set_dict_string(
+        oversized_id,
+        "wlfi_request_id",
+        &"r".repeat(MAX_WIRE_REQUEST_ID_BYTES + 1),
+    )
+    .expect("oversized id");
+    assert_eq!(extract_safe_request_id(oversized_id), Uuid::nil().to_string());
+    unsafe {
+        super::xpc_release(oversized_id);
+    }
+
+    let valid_id = unsafe { super::xpc_dictionary_create(ptr::null(), ptr::null(), 0) };
+    set_dict_string(valid_id, "wlfi_request_id", "request-5").expect("request id");
+    assert_eq!(extract_safe_request_id(valid_id), "request-5");
+    unsafe {
+        super::xpc_release(valid_id);
+    }
+
+    let dict = unsafe { super::xpc_dictionary_create(ptr::null(), ptr::null(), 0) };
+    assert!(matches!(
+        set_dict_string(dict, "bad\0key", "value"),
+        Err(XpcTransportError::Protocol(_))
+    ));
+    assert!(matches!(
+        set_dict_string(dict, "ok-key", "bad\0value"),
+        Err(XpcTransportError::Protocol(_))
+    ));
+    assert!(matches!(
+        set_dict_bool(dict, "bad\0key", true),
+        Err(XpcTransportError::Protocol(_))
+    ));
+    assert!(matches!(
+        get_dict_bool(dict, "bad\0key"),
+        Err(XpcTransportError::Protocol(_))
+    ));
+    unsafe {
+        super::xpc_release(dict);
+    }
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn remaining_admin_methods_roundtrip_over_xpc() {
+    #[cfg(not(debug_assertions))]
+    if unsafe { libc::geteuid() } != 0 {
+        return;
+    }
+
+    let daemon = test_daemon();
+    let server = start_test_server(daemon);
+    let client = connect_test_client(&server);
+    let admin = admin_session(&client).await;
+
+    let imported_key = client
+        .create_vault_key(
+            &admin,
+            KeyCreateRequest::Import {
+                private_key_hex:
+                    "0x1111111111111111111111111111111111111111111111111111111111111111"
+                        .to_string(),
+            },
+        )
+        .await
+        .expect("imported key");
+    let exported = client
+        .export_vault_private_key(&admin, imported_key.id)
+        .await
+        .expect("export key");
+    assert!(exported.is_some());
+
+    let relay_config = client
+        .set_relay_config(
+            &admin,
+            Some("https://relay.example".to_string()),
+            Some("https://frontend.example".to_string()),
+        )
+        .await
+        .expect("set relay config");
+    assert_eq!(relay_config.relay_url.as_deref(), Some("https://relay.example"));
+    assert_eq!(
+        relay_config.frontend_url.as_deref(),
+        Some("https://frontend.example")
+    );
+
+    let fetched_relay_config = client
+        .get_relay_config(&admin)
+        .await
+        .expect("get relay config");
+    assert_eq!(fetched_relay_config, relay_config);
+
+    let manual_policy = SpendingPolicy::new_manual_approval(
+        0,
+        1,
+        100,
+        EntityScope::All,
+        EntityScope::All,
+        EntityScope::All,
+    )
+    .expect("manual policy");
+    client
+        .add_policy(&admin, manual_policy.clone())
+        .await
+        .expect("add manual approval policy");
+
+    let vault_key = client
+        .create_vault_key(&admin, KeyCreateRequest::Generate)
+        .await
+        .expect("vault key");
+    let agent_credentials = client
+        .create_agent_key(&admin, vault_key.id, PolicyAttachment::AllPolicies)
+        .await
+        .expect("agent credentials");
+
+    let request = sign_request(&agent_credentials, transfer_action(42));
+    let explanation = client
+        .explain_for_agent(request.clone())
+        .await
+        .expect("explain");
+    assert!(
+        explanation
+            .evaluated_policy_ids
+            .iter()
+            .any(|entry| *entry == manual_policy.id),
+        "manual approval policy must be part of explanation"
+    );
+
+    let reservation = client
+        .reserve_nonce(NonceReservationRequest {
+            request_id: Uuid::new_v4(),
+            agent_key_id: agent_credentials.agent_key.id,
+            agent_auth_token: agent_credentials.auth_token.clone(),
+            chain_id: 1,
+            min_nonce: 0,
+            exact_nonce: false,
+            requested_at: OffsetDateTime::now_utc(),
+            expires_at: OffsetDateTime::now_utc() + time::Duration::minutes(2),
+        })
+        .await
+        .expect("reserve nonce");
+    client
+        .release_nonce(NonceReleaseRequest {
+            request_id: Uuid::new_v4(),
+            agent_key_id: agent_credentials.agent_key.id,
+            agent_auth_token: agent_credentials.auth_token.clone(),
+            reservation_id: reservation.reservation_id,
+            requested_at: OffsetDateTime::now_utc(),
+            expires_at: OffsetDateTime::now_utc() + time::Duration::minutes(2),
+        })
+        .await
+        .expect("release nonce");
+
+    let approval_request_id = match client.sign_for_agent(request.clone()).await {
+        Err(DaemonError::ManualApprovalRequired {
+            approval_request_id, ..
+        }) => approval_request_id,
+        other => panic!("expected manual approval request, got {other:?}"),
+    };
+
+    let approval_requests = client
+        .list_manual_approval_requests(&admin)
+        .await
+        .expect("list manual approvals");
+    assert!(approval_requests.iter().any(|item| item.id == approval_request_id));
+
+    let approved = client
+        .decide_manual_approval_request(
+            &admin,
+            approval_request_id,
+            ManualApprovalDecision::Approve,
+            None,
+        )
+        .await
+        .expect("approve manual approval");
+    assert_eq!(approved.id, approval_request_id);
+    assert_eq!(approved.status, ManualApprovalStatus::Approved);
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn xpc_endpoint_debug_and_code_sign_server_paths_are_exercised() {
+    let daemon = test_daemon();
+
+    let root_gated = XpcDaemonServer::start_inmemory_with_code_sign_requirement(
+        daemon.clone(),
+        tokio::runtime::Handle::current(),
+        "anchor apple",
+    );
+    if unsafe { libc::geteuid() } != 0 {
+        assert!(matches!(root_gated, Err(XpcTransportError::RequiresRoot)));
+        return;
+    }
+
+    let server = root_gated.expect("root should start code-sign-gated server");
+    let endpoint_debug = format!("{:?}", server.endpoint());
+    assert!(endpoint_debug.contains("XpcEndpoint"));
+}

package/crates/vault-transport-xpc/tests/e2e_flow.rs

@@ -104,6 +104,7 @@ async fn e2e_policy_enforced_over_xpc() {
             agent_auth_token: agent_credentials.auth_token.clone(),
             chain_id: 1,
             min_nonce: 0,
+            exact_nonce: false,
             requested_at: OffsetDateTime::now_utc(),
             expires_at: OffsetDateTime::now_utc() + time::Duration::minutes(2),
         })
@@ -338,6 +339,7 @@ async fn e2e_broadcast_gas_policy_enforced_over_xpc() {
             agent_auth_token: agent_credentials.auth_token.clone(),
             chain_id: 1,
             min_nonce: 0,
+            exact_nonce: false,
             requested_at: OffsetDateTime::now_utc(),
             expires_at: OffsetDateTime::now_utc() + time::Duration::minutes(2),
         })
@@ -384,6 +386,7 @@ async fn e2e_broadcast_gas_policy_enforced_over_xpc() {
             agent_auth_token: agent_credentials.auth_token.clone(),
             chain_id: 1,
             min_nonce: 1,
+            exact_nonce: false,
             requested_at: OffsetDateTime::now_utc(),
             expires_at: OffsetDateTime::now_utc() + time::Duration::minutes(2),
         })