actr-hyper 0.3.0

Hyper — Actor platform infrastructure: sandbox, transport, scheduler, WASM engine, signing, AIS bootstrap, persistence & crypto primitives
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242

//! Production mode MFR public key cache
//!
//! `MfrCertCache` fetches manufacturer Ed25519 public keys on demand from
//! AIS `GET /mfr/{name}/verifying_key`, caching locally (TTL 1 hour).
//!
//! Uses `std::sync::RwLock` (not tokio) internally because:
//! - Cache reads/writes are extremely short memory operations that won't block the tokio executor
//! - Provides a synchronous read path for `RegistryTrust::verify_package` to call directly

use std::collections::HashMap;
use std::sync::{Arc, RwLock};
use std::time::{Duration, Instant};

use base64::Engine;
use ed25519_dalek::VerifyingKey;

use crate::error::{HyperError, HyperResult};

/// MFR public key cache entry
struct CacheEntry {
    key: VerifyingKey,
    fetched_at: Instant,
}

/// Production mode MFR Ed25519 public key cache
///
/// Fetches manufacturer public keys on demand from the AIS endpoint, cache TTL defaults to 1 hour.
/// Shared across tasks via `Arc<MfrCertCache>`.
pub struct MfrCertCache {
    ais_endpoint: String,
    http: reqwest::Client,
    ttl: Duration,
    cache: RwLock<HashMap<String, CacheEntry>>,
}

impl std::fmt::Debug for MfrCertCache {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("MfrCertCache")
            .field("ais_endpoint", &self.ais_endpoint)
            .field("ttl", &self.ttl)
            .finish_non_exhaustive()
    }
}

impl MfrCertCache {
    pub fn new(ais_endpoint: impl Into<String>) -> Arc<Self> {
        Arc::new(Self {
            ais_endpoint: ais_endpoint.into(),
            http: reqwest::Client::new(),
            ttl: Duration::from_secs(3600),
            cache: RwLock::new(HashMap::new()),
        })
    }

    /// Used in `RegistryTrust::verify_package` synchronous path;
    /// caller must ensure the cache has been warmed via `get_or_fetch` beforehand.
    pub fn get_from_cache(&self, manufacturer: &str, key_id: Option<&str>) -> Option<VerifyingKey> {
        let cache_key = match key_id {
            Some(id) => format!("{}:{}", manufacturer, id),
            None => manufacturer.to_string(),
        };
        let cache = self.cache.read().expect("cert_cache read lock poisoned");
        cache.get(&cache_key).and_then(|entry| {
            if entry.fetched_at.elapsed() < self.ttl {
                Some(entry.key)
            } else {
                None
            }
        })
    }

    /// Get the Ed25519 verifying key for the specified manufacturer
    ///
    /// Reads from cache first (if not expired); on miss, fetches from AIS and updates cache.
    pub async fn get_or_fetch(
        &self,
        manufacturer: &str,
        key_id: Option<&str>,
    ) -> HyperResult<VerifyingKey> {
        // fast path: read cache
        if let Some(key) = self.get_from_cache(manufacturer, key_id) {
            tracing::debug!(manufacturer, ?key_id, "MFR pubkey cache hit");
            return Ok(key);
        }

        tracing::debug!(
            manufacturer,
            ?key_id,
            "MFR pubkey cache miss, fetching from AIS"
        );

        // slow path: HTTP fetch
        let key = self.fetch_from_ais(manufacturer, key_id).await?;

        // write to cache (brief blocking lock, just a HashMap insert)
        let cache_key = match key_id {
            Some(id) => format!("{}:{}", manufacturer, id),
            None => manufacturer.to_string(),
        };
        {
            let mut cache = self.cache.write().expect("cert_cache write lock poisoned");
            cache.insert(
                cache_key,
                CacheEntry {
                    key,
                    fetched_at: Instant::now(),
                },
            );
        }

        tracing::info!(
            manufacturer,
            ?key_id,
            "MFR pubkey fetched from AIS and cached"
        );
        Ok(key)
    }

    /// Fetch public key from AIS `GET /mfr/{manufacturer}/verifying_key`
    async fn fetch_from_ais(
        &self,
        manufacturer: &str,
        key_id: Option<&str>,
    ) -> HyperResult<VerifyingKey> {
        let url = if let Some(id) = key_id {
            format!(
                "{}/mfr/{}/verifying_key?key_id={}",
                self.ais_endpoint, manufacturer, id
            )
        } else {
            format!("{}/mfr/{}/verifying_key", self.ais_endpoint, manufacturer)
        };
        tracing::debug!(url, "fetching MFR pubkey from AIS");

        let resp = self.http.get(&url).send().await.map_err(|e| {
            HyperError::UntrustedManufacturer(format!(
                "failed to fetch MFR pubkey ({manufacturer}): {e}"
            ))
        })?;

        if !resp.status().is_success() {
            let status = resp.status();
            let body = resp.text().await.unwrap_or_default();
            tracing::warn!(
                manufacturer,
                status = status.as_u16(),
                body,
                "AIS returned non-2xx, MFR pubkey fetch failed"
            );
            return Err(HyperError::UntrustedManufacturer(format!(
                "AIS refused to provide MFR pubkey ({manufacturer}), status={status}"
            )));
        }

        #[derive(serde::Deserialize)]
        struct VerifyingKeyResp {
            /// Base64-encoded Ed25519 verifying key (32 bytes)
            public_key: String,
        }

        let body: VerifyingKeyResp = resp.json().await.map_err(|e| {
            HyperError::UntrustedManufacturer(format!(
                "failed to parse MFR pubkey response ({manufacturer}): {e}"
            ))
        })?;

        let key_bytes = base64::engine::general_purpose::STANDARD
            .decode(&body.public_key)
            .map_err(|e| {
                HyperError::UntrustedManufacturer(format!(
                    "MFR pubkey base64 decode failed ({manufacturer}): {e}"
                ))
            })?;

        let key_arr: [u8; 32] = key_bytes.try_into().map_err(|v: Vec<u8>| {
            HyperError::UntrustedManufacturer(format!(
                "MFR pubkey length incorrect ({manufacturer}), expected 32 bytes, got {} bytes",
                v.len()
            ))
        })?;

        VerifyingKey::from_bytes(&key_arr).map_err(|e| {
            HyperError::UntrustedManufacturer(format!(
                "MFR pubkey format invalid ({manufacturer}): {e}"
            ))
        })
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[tokio::test]
    async fn cache_returns_cached_key_without_http() {
        use ed25519_dalek::SigningKey;
        use rand::rngs::OsRng;

        let signing_key = SigningKey::generate(&mut OsRng);
        let verifying_key = signing_key.verifying_key();
        let key_b64 = base64::engine::general_purpose::STANDARD.encode(verifying_key.to_bytes());

        let mut server = mockito::Server::new_async().await;
        let mock = server
            .mock("GET", "/mfr/test-mfr/verifying_key")
            .with_status(200)
            .with_header("content-type", "application/json")
            .with_body(format!(r#"{{"public_key":"{key_b64}"}}"#))
            .expect(1) // only called once, second time hits cache
            .create_async()
            .await;

        let cache = MfrCertCache::new(server.url());

        // first miss -> calls HTTP
        let k1 = cache.get_or_fetch("test-mfr", None).await.unwrap();
        // second hit -> no HTTP call
        let k2 = cache.get_or_fetch("test-mfr", None).await.unwrap();

        mock.assert_async().await;
        assert_eq!(k1.to_bytes(), k2.to_bytes());
        assert_eq!(k1.to_bytes(), verifying_key.to_bytes());
    }

    #[tokio::test]
    async fn fetch_fails_on_404() {
        let mut server = mockito::Server::new_async().await;
        let _mock = server
            .mock("GET", "/mfr/unknown-mfr/verifying_key")
            .with_status(404)
            .create_async()
            .await;

        let cache = MfrCertCache::new(server.url());
        let result = cache.get_or_fetch("unknown-mfr", None).await;

        assert!(
            matches!(result, Err(HyperError::UntrustedManufacturer(_))),
            "404 should return UntrustedManufacturer, actual: {result:?}"
        );
    }
}