nono 0.42.0

Capability-based sandboxing library using Landlock (Linux) and Seatbelt (macOS)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143

//! SHA-256 digest computation for instruction file verification
//!
//! Provides functions for computing hex-encoded SHA-256 digests of files and
//! byte slices. Used for blocklist checking and as the subject digest in
//! DSSE/in-toto attestation statements.

use crate::error::{NonoError, Result};
use sha2::{Digest, Sha256};
use std::io::Read;
use std::path::Path;

/// Compute the SHA-256 hex digest of a file.
///
/// Reads the file in 8 KiB chunks to avoid loading large files into memory.
///
/// # Errors
///
/// Returns `NonoError::Io` if the file cannot be opened or read.
pub fn file_digest<P: AsRef<Path>>(path: P) -> Result<String> {
    let path = path.as_ref();
    let mut file = std::fs::File::open(path).map_err(NonoError::Io)?;
    let mut hasher = Sha256::new();
    let mut buf = [0u8; 8192];
    loop {
        let n = file.read(&mut buf).map_err(NonoError::Io)?;
        if n == 0 {
            break;
        }
        hasher.update(&buf[..n]);
    }
    Ok(hex_encode(&hasher.finalize()))
}

/// Compute the SHA-256 hex digest of a byte slice.
#[must_use]
pub fn bytes_digest(data: &[u8]) -> String {
    let hash = Sha256::digest(data);
    hex_encode(&hash)
}

/// Encode bytes as a lowercase hex string.
fn hex_encode(bytes: &[u8]) -> String {
    let mut s = String::with_capacity(bytes.len() * 2);
    for b in bytes {
        s.push_str(&format!("{b:02x}"));
    }
    s
}

#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
    use super::*;
    use std::io::Write;

    #[test]
    fn bytes_digest_empty() {
        // SHA-256 of empty input is well-known
        let digest = bytes_digest(b"");
        assert_eq!(
            digest,
            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
        );
    }

    #[test]
    fn bytes_digest_hello_world() {
        let digest = bytes_digest(b"hello world");
        assert_eq!(
            digest,
            "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"
        );
    }

    #[test]
    fn bytes_digest_deterministic() {
        let d1 = bytes_digest(b"test data");
        let d2 = bytes_digest(b"test data");
        assert_eq!(d1, d2);
    }

    #[test]
    fn bytes_digest_different_inputs() {
        let d1 = bytes_digest(b"input a");
        let d2 = bytes_digest(b"input b");
        assert_ne!(d1, d2);
    }

    #[test]
    fn bytes_digest_length() {
        let digest = bytes_digest(b"any input");
        assert_eq!(digest.len(), 64); // 32 bytes = 64 hex chars
    }

    #[test]
    fn file_digest_matches_bytes_digest() {
        let dir = tempfile::tempdir().unwrap();
        let path = dir.path().join("test.txt");
        let content = b"instruction file content";
        {
            let mut f = std::fs::File::create(&path).unwrap();
            f.write_all(content).unwrap();
        }
        let fd = file_digest(&path).unwrap();
        let bd = bytes_digest(content);
        assert_eq!(fd, bd);
    }

    #[test]
    fn file_digest_empty_file() {
        let dir = tempfile::tempdir().unwrap();
        let path = dir.path().join("empty.txt");
        std::fs::File::create(&path).unwrap();
        let digest = file_digest(&path).unwrap();
        assert_eq!(
            digest,
            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
        );
    }

    #[test]
    fn file_digest_nonexistent() {
        let result = file_digest("/nonexistent/path/to/file.txt");
        assert!(result.is_err());
    }

    #[test]
    fn file_digest_large_file() {
        // Test with data larger than the 8 KiB buffer
        let dir = tempfile::tempdir().unwrap();
        let path = dir.path().join("large.bin");
        let content = vec![0x42u8; 32768]; // 32 KiB
        std::fs::write(&path, &content).unwrap();
        let fd = file_digest(&path).unwrap();
        let bd = bytes_digest(&content);
        assert_eq!(fd, bd);
    }

    #[test]
    fn hex_encode_correctness() {
        assert_eq!(hex_encode(&[0x00, 0xff, 0xab, 0x01]), "00ffab01");
    }
}