gatewarden 0.3.0

Hardened Keygen.sh license validation infrastructure
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293

//! Live integration tests against real Keygen.sh API.
//!
//! These tests are `#[ignore]`d by default — they require real credentials.
//!
//! To run:
//! ```bash
//! source ~/.config/shimmy/secrets.env
//! cargo test --test integration_live -- --ignored
//! ```
//!
//! Required environment variables:
//! - GATEWARDEN_TEST_ACCOUNT_ID: Keygen account UUID
//! - GATEWARDEN_TEST_PUBLIC_KEY_HEX: Ed25519 verify key (64 hex chars)
//! - GATEWARDEN_TEST_LICENSE_KEY: A valid license key to validate
//! - GATEWARDEN_TEST_ENTITLEMENT: An entitlement code on that license (optional)

use gatewarden::{GatewardenConfig, GatewardenError, LicenseManager};
use std::time::Duration;

fn load_config() -> Option<(GatewardenConfig, String)> {
    let account_id = std::env::var("GATEWARDEN_TEST_ACCOUNT_ID").ok()?;
    let public_key_hex = std::env::var("GATEWARDEN_TEST_PUBLIC_KEY_HEX").ok()?;
    let license_key = std::env::var("GATEWARDEN_TEST_LICENSE_KEY").ok()?;
    let entitlement = std::env::var("GATEWARDEN_TEST_ENTITLEMENT").unwrap_or_default();

    let entitlements = if entitlement.is_empty() {
        vec![]
    } else {
        vec![entitlement]
    };

    let config = GatewardenConfig {
        app_name: "gatewarden-integration-test".to_string(),
        feature_name: "live-test".to_string(),
        account_id,
        public_key_hex,
        required_entitlements: entitlements,
        user_agent_product: "gatewarden-test".to_string(),
        cache_namespace: format!(
            "gatewarden-live-test-{}",
            std::time::SystemTime::now()
                .duration_since(std::time::UNIX_EPOCH)
                .unwrap()
                .as_nanos()
        ),
        offline_grace: Duration::from_secs(3600),
    };

    Some((config, license_key))
}

#[test]
#[ignore]
fn live_validate_key_succeeds_with_valid_license() {
    let (config, license_key) = load_config()
        .expect("Set GATEWARDEN_TEST_ACCOUNT_ID, GATEWARDEN_TEST_PUBLIC_KEY_HEX, GATEWARDEN_TEST_LICENSE_KEY");

    let manager = LicenseManager::new(config).expect("LicenseManager should initialize");
    let result = manager.validate_key(&license_key);

    match &result {
        Ok(r) => {
            println!("  valid: {}", r.valid);
            println!("  from_cache: {}", r.from_cache);
            println!("  state.code: {}", r.state.code);
            println!("  entitlements: {:?}", r.state.entitlements);
            assert!(r.valid, "License should be valid");
            assert!(!r.from_cache, "First call should not be cached");
        }
        Err(e) => {
            panic!("validate_key failed: {:?}", e);
        }
    }
}

#[test]
#[ignore]
fn live_validate_key_verifies_signature() {
    // This test confirms the Ed25519 signature verification is working
    // against real Keygen responses. If the public key is wrong, this fails
    // with SignatureInvalid.
    let (config, license_key) = load_config()
        .expect("Set GATEWARDEN_TEST_ACCOUNT_ID, GATEWARDEN_TEST_PUBLIC_KEY_HEX, GATEWARDEN_TEST_LICENSE_KEY");

    let manager = LicenseManager::new(config).expect("LicenseManager should initialize");
    let result = manager.validate_key(&license_key);

    // Should NOT get SignatureInvalid or SignatureMissing
    match &result {
        Err(GatewardenError::SignatureInvalid) => {
            panic!("Signature verification failed — is GATEWARDEN_TEST_PUBLIC_KEY_HEX correct?");
        }
        Err(GatewardenError::SignatureMissing) => {
            panic!("Signature header missing from Keygen response — unexpected");
        }
        _ => {
            // Any other result (including Ok or non-signature errors) means
            // the signature verification pipeline didn't reject.
            println!("  Signature verification passed (or error is non-crypto)");
        }
    }
}

#[test]
#[ignore]
fn live_fse_selectors_scanned_metric() {
    // Verify that the selectors_scanned metric is present in validation result
    // and has a reasonable value (not zero, not excessive).
    let (config, license_key) = load_config()
        .expect("Set GATEWARDEN_TEST_ACCOUNT_ID, GATEWARDEN_TEST_PUBLIC_KEY_HEX, GATEWARDEN_TEST_LICENSE_KEY");

    let manager = LicenseManager::new(config).expect("LicenseManager should initialize");
    let result = manager
        .validate_key(&license_key)
        .expect("validate_key should succeed");

    assert!(result.valid, "License should be valid");

    // FSE should scan at least SignaturePresent, StateValid, and Entitlements (3 selectors)
    assert!(
        result.selectors_scanned >= 3,
        "Expected at least 3 selectors scanned (SignaturePresent, StateValid, Entitlements), got {}",
        result.selectors_scanned
    );

    // Sanity check: shouldn't scan an unreasonable number
    assert!(
        result.selectors_scanned <= 10,
        "Selector scan count seems excessive: {}",
        result.selectors_scanned
    );

    println!("  FSE selectors_scanned: {}", result.selectors_scanned);
}

#[test]
#[ignore]
fn live_fse_o1_behavior_with_multiple_entitlements() {
    // Confirm O(1) behavior: adding entitlement RULES doesn't increase scan count.
    // This is the FSE proof metric — extra rules on shared selectors don't
    // increase selector extraction cost.

    let base_entitlement = std::env::var("GATEWARDEN_TEST_ENTITLEMENT").unwrap_or_default();

    if base_entitlement.is_empty() {
        println!("  Skipping O(1) test: GATEWARDEN_TEST_ENTITLEMENT not set");
        return;
    }

    // Config 1: Single entitlement (creates 1 rule checking Entitlements selector)
    let (mut config1, license_key) = load_config()
        .expect("Set GATEWARDEN_TEST_ACCOUNT_ID, GATEWARDEN_TEST_PUBLIC_KEY_HEX, GATEWARDEN_TEST_LICENSE_KEY");
    config1.required_entitlements = vec![base_entitlement.clone()];
    config1.cache_namespace = format!(
        "gatewarden-live-test-o1-single-{}",
        std::time::SystemTime::now()
            .duration_since(std::time::UNIX_EPOCH)
            .unwrap()
            .as_nanos()
    );

    let manager1 = LicenseManager::new(config1).expect("LicenseManager should initialize");
    let result1 = manager1
        .validate_key(&license_key)
        .expect("validate_key should succeed");

    // Config 2: Multiple entitlement rules (3 rules, all checking same Entitlements selector)
    let (mut config2, _) = load_config().unwrap();
    config2.required_entitlements = vec![
        base_entitlement.clone(),
        base_entitlement.clone(), // Duplicate intentionally - creates additional rule
        base_entitlement.clone(), // Another duplicate - third rule
    ];
    config2.cache_namespace = format!(
        "gatewarden-live-test-o1-triple-{}",
        std::time::SystemTime::now()
            .duration_since(std::time::UNIX_EPOCH)
            .unwrap()
            .as_nanos()
    );

    let manager2 = LicenseManager::new(config2).expect("LicenseManager should initialize");
    let result2 = manager2
        .validate_key(&license_key)
        .expect("validate_key should succeed with duplicate entitlements");

    // FSE O(1) invariant: adding rules that share selectors doesn't increase scan count
    // Both configs check SignaturePresent, StateValid, and Entitlements = 3 selectors
    // The second config has 3x more entitlement rules, but still scans Entitlements once
    println!(
        "  Config 1 (1 entitlement rule): selectors_scanned = {}",
        result1.selectors_scanned
    );
    println!(
        "  Config 2 (3 entitlement rules): selectors_scanned = {}",
        result2.selectors_scanned
    );

    assert_eq!(
        result1.selectors_scanned, result2.selectors_scanned,
        "FSE O(1) invariant violated: adding entitlement rules increased scan count from {} to {}",
        result1.selectors_scanned, result2.selectors_scanned
    );

    assert_eq!(
        result1.selectors_scanned, 3,
        "Expected 3 selectors (SignaturePresent, StateValid, Entitlements), got {}",
        result1.selectors_scanned
    );

    println!(
        "  ✓ FSE O(1) property confirmed: {} selectors scanned regardless of rule count",
        result1.selectors_scanned
    );
}

#[test]
#[ignore]
fn live_check_access_after_validate_uses_cache() {
    let (config, license_key) = load_config()
        .expect("Set GATEWARDEN_TEST_ACCOUNT_ID, GATEWARDEN_TEST_PUBLIC_KEY_HEX, GATEWARDEN_TEST_LICENSE_KEY");

    let manager = LicenseManager::new(config).expect("LicenseManager should initialize");

    // First: online validation (populates cache)
    let result1 = manager
        .validate_key(&license_key)
        .expect("First validate_key should succeed");
    assert!(result1.valid, "License should be valid");
    assert!(!result1.from_cache, "First call should hit Keygen");

    // Second: check_access should use cache
    let result2 = manager
        .check_access(&license_key)
        .expect("check_access should succeed after validate_key");
    assert!(result2.valid, "Cached result should still be valid");
    assert!(result2.from_cache, "check_access should use the cache");
}

#[test]
#[ignore]
fn live_validate_key_rejects_bogus_key() {
    let (config, _) = load_config()
        .expect("Set GATEWARDEN_TEST_ACCOUNT_ID, GATEWARDEN_TEST_PUBLIC_KEY_HEX, GATEWARDEN_TEST_LICENSE_KEY");

    let manager = LicenseManager::new(config).expect("LicenseManager should initialize");
    let result = manager.validate_key("BOGUS-NOT-A-REAL-KEY-1234");

    match result {
        Ok(r) => {
            assert!(!r.valid, "Bogus key should not be valid");
            println!("  Bogus key correctly rejected: code={}", r.state.code);
        }
        Err(GatewardenError::InvalidLicense) => {
            println!("  Bogus key correctly rejected with InvalidLicense error");
        }
        Err(e) => {
            // Transport errors are acceptable (means Keygen responded but
            // the key doesn't exist)
            println!("  Bogus key error: {:?}", e);
        }
    }
}

#[test]
#[ignore]
fn live_wrong_public_key_fails_signature() {
    let (mut config, license_key) = load_config()
        .expect("Set GATEWARDEN_TEST_ACCOUNT_ID, GATEWARDEN_TEST_PUBLIC_KEY_HEX, GATEWARDEN_TEST_LICENSE_KEY");

    // Use a valid-format but WRONG public key
    config.public_key_hex =
        "0000000000000000000000000000000000000000000000000000000000000000".to_string();

    let manager = LicenseManager::new(config).expect("LicenseManager should initialize");
    let result = manager.validate_key(&license_key);

    match result {
        Err(GatewardenError::SignatureInvalid) => {
            println!("  Correctly rejected: wrong public key → SignatureInvalid");
        }
        Err(GatewardenError::ConfigError(msg)) => {
            // Some keys are rejected at the Ed25519 level as invalid points
            println!("  Correctly rejected at key decode: {}", msg);
        }
        other => {
            panic!(
                "Wrong public key should fail with SignatureInvalid, got: {:?}",
                other
            );
        }
    }
}