sirr-server 2.0.56

Sirr server library — axum HTTP server with redb storage and ChaCha20Poly1305 encryption
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233

//! Webhook delivery tests using wiremock for a real HTTP mock server.

use std::sync::Arc;

use axum_test::TestServer;
use serde_json::{json, Value};
use sirr_server::{
    router,
    store::{crypto, Store, Visibility},
    AppState, WebhookSender,
};
use tempfile::tempdir;
use wiremock::matchers::{method, path};
use wiremock::{Mock, MockServer, ResponseTemplate};

// ── Helpers ───────────────────────────────────────────────────────────────────

fn make_state(store: Arc<Store>) -> AppState {
    let key = Arc::new(crypto::generate_key());
    let visibility = Arc::new(tokio::sync::RwLock::new(Visibility::Both));
    AppState {
        store,
        encryption_key: key,
        visibility,
        webhook_sender: WebhookSender::new(),
        base_url: "http://test".to_string(),
    }
}

fn auth_header(
    token: &str,
) -> (
    axum::http::header::HeaderName,
    axum::http::header::HeaderValue,
) {
    (
        axum::http::header::AUTHORIZATION,
        format!("Bearer {token}").parse().unwrap(),
    )
}

// ── Tests ─────────────────────────────────────────────────────────────────────

/// Creating a keyed secret fires a `secret.created` webhook.
#[tokio::test]
async fn webhook_fires_on_create() {
    let mock_server = MockServer::start().await;

    Mock::given(method("POST"))
        .and(path("/hook"))
        .respond_with(ResponseTemplate::new(200))
        .expect(1)
        .mount(&mock_server)
        .await;

    let dir = tempdir().unwrap();
    let store = Arc::new(Store::open(dir.path().join("test.db")).unwrap());

    // Create a key with the mock server as webhook URL.
    let webhook_url = format!("{}/hook", mock_server.uri());
    let (_key, token) = store
        .create_key("alice", None, None, Some(webhook_url))
        .unwrap();

    let state = make_state(store);
    let server = TestServer::new(router(state));

    let resp = server
        .post("/secret")
        .add_header(auth_header(&token).0, auth_header(&token).1)
        .json(&json!({"value": "top-secret"}))
        .await;

    resp.assert_status_success();

    // Give the background task a moment to fire.
    tokio::time::sleep(std::time::Duration::from_millis(200)).await;

    mock_server.verify().await;
}

/// Reading a keyed secret fires a `secret.read` webhook.
#[tokio::test]
async fn webhook_fires_on_read() {
    let mock_server = MockServer::start().await;

    Mock::given(method("POST"))
        .and(path("/hook"))
        .respond_with(ResponseTemplate::new(200))
        .expect(2) // created + read
        .mount(&mock_server)
        .await;

    let dir = tempdir().unwrap();
    let store = Arc::new(Store::open(dir.path().join("test.db")).unwrap());

    let webhook_url = format!("{}/hook", mock_server.uri());
    let (_key, token) = store
        .create_key("bob", None, None, Some(webhook_url))
        .unwrap();

    let state = make_state(store);
    let server = TestServer::new(router(state));

    // Create the secret with auth.
    let resp = server
        .post("/secret")
        .add_header(auth_header(&token).0, auth_header(&token).1)
        .json(&json!({"value": "read-me"}))
        .await;
    resp.assert_status_success();
    let hash = resp.json::<Value>()["hash"].as_str().unwrap().to_string();

    // Read the secret (no auth needed for reads).
    let _read_resp = server.get(&format!("/secret/{hash}")).await;

    tokio::time::sleep(std::time::Duration::from_millis(200)).await;
    mock_server.verify().await;
}

/// Anonymous secrets do NOT trigger webhooks (no key to attach a webhook to).
#[tokio::test]
async fn webhook_does_not_fire_for_anonymous_secrets() {
    let mock_server = MockServer::start().await;

    // We explicitly expect ZERO webhook calls for anonymous secrets.
    Mock::given(method("POST"))
        .respond_with(ResponseTemplate::new(200))
        .expect(0)
        .mount(&mock_server)
        .await;

    let dir = tempdir().unwrap();
    let store = Arc::new(Store::open(dir.path().join("test.db")).unwrap());
    let state = make_state(store);
    let server = TestServer::new(router(state));

    // Anonymous create in Both mode (anonymous allowed).
    let resp = server
        .post("/secret")
        .json(&json!({"value": "anon-secret"}))
        .await;
    resp.assert_status_success();
    let hash = resp.json::<Value>()["hash"].as_str().unwrap().to_string();

    // Anonymous read.
    let _read_resp = server.get(&format!("/secret/{hash}")).await;

    tokio::time::sleep(std::time::Duration::from_millis(200)).await;
    mock_server.verify().await;
}

/// Keys without a webhook_url configured do not fire any webhooks.
#[tokio::test]
async fn webhook_does_not_fire_when_no_url_configured() {
    let mock_server = MockServer::start().await;

    Mock::given(method("POST"))
        .respond_with(ResponseTemplate::new(200))
        .expect(0)
        .mount(&mock_server)
        .await;

    let dir = tempdir().unwrap();
    let store = Arc::new(Store::open(dir.path().join("test.db")).unwrap());

    // Create a key WITHOUT a webhook URL.
    let (_key, token) = store.create_key("carol", None, None, None).unwrap();

    let state = make_state(store);
    let server = TestServer::new(router(state));

    let resp = server
        .post("/secret")
        .add_header(auth_header(&token).0, auth_header(&token).1)
        .json(&json!({"value": "no-webhook"}))
        .await;
    resp.assert_status_success();

    tokio::time::sleep(std::time::Duration::from_millis(200)).await;
    mock_server.verify().await;
}

/// The webhook payload contains the expected fields.
#[tokio::test]
async fn webhook_payload_shape() {
    let mock_server = MockServer::start().await;

    Mock::given(method("POST"))
        .and(path("/hook"))
        .respond_with(ResponseTemplate::new(200))
        .mount(&mock_server)
        .await;

    let dir = tempdir().unwrap();
    let store = Arc::new(Store::open(dir.path().join("test.db")).unwrap());

    let webhook_url = format!("{}/hook", mock_server.uri());
    let (_key, token) = store
        .create_key("dave", None, None, Some(webhook_url))
        .unwrap();

    let state = make_state(store);
    let server = TestServer::new(router(state));

    let resp = server
        .post("/secret")
        .add_header(auth_header(&token).0, auth_header(&token).1)
        .json(&json!({"value": "payload-check"}))
        .await;
    resp.assert_status_success();
    let hash = resp.json::<Value>()["hash"].as_str().unwrap().to_string();

    tokio::time::sleep(std::time::Duration::from_millis(200)).await;

    // Inspect the captured request bodies.
    let received = mock_server.received_requests().await.unwrap();
    assert!(
        !received.is_empty(),
        "expected at least one webhook request"
    );

    let body: Value =
        serde_json::from_slice(&received[0].body).expect("webhook body should be JSON");

    assert_eq!(body["type"], json!("secret.created"));
    assert_eq!(body["hash"], json!(hash));
    assert!(
        body["at"].as_i64().is_some(),
        "at should be a unix timestamp"
    );
    assert!(body["ip"].is_string(), "ip field should be present");
}