vta-service 0.7.0

Service for Verifiable Trust Agents operating in Verifiable Trust Communities
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292

use serde::{Deserialize, Serialize};
use vta_sdk::webvh::{WebvhDidRecord, WebvhServerRecord};
use zeroize::ZeroizeOnDrop;

use crate::error::AppError;
use crate::store::KeyspaceHandle;

fn server_key(id: &str) -> String {
    format!("server:{id}")
}

fn server_auth_key(id: &str) -> String {
    format!("server-auth:{id}")
}

fn did_key(did: &str) -> String {
    format!("did:{did}")
}

fn log_key(did: &str) -> String {
    format!("log:{did}")
}

/// Cached daemon REST auth state for a single webvh server. Kept in
/// a service-private keyspace prefix (`server-auth:`) — never on the
/// public [`WebvhServerRecord`] type — so bearer tokens cannot leak
/// to REST `list` endpoints, DIDComm `list` responses, SDK consumers,
/// or backup exports.
///
/// Three hygiene measures on this type, in increasing strength:
///
/// 1. **Storage isolation** — service-private keyspace prefix, never
///    serialised on a public wire surface (see module-level doc).
/// 2. **Redacted `Debug`** — manual impl below so accidental
///    `tracing::info!(?record, …)` doesn't dump tokens to logs.
/// 3. **`ZeroizeOnDrop`** — when an instance falls out of scope the
///    token bytes are overwritten with zeros before the allocation
///    is freed. Helps against post-drop forensics and accidental
///    memory reuse; doesn't help against an attacker with concurrent
///    read access (in which case tokens leak regardless of disposal
///    semantics).
///
/// `Clone` is intentionally kept — operations occasionally need to
/// fan out a working copy. Each clone is independently zeroised on
/// drop, so the lifetime semantics stay correct.
#[derive(Clone, Serialize, Deserialize, ZeroizeOnDrop)]
pub struct WebvhServerAuthRecord {
    /// Server id this auth state is for. Redundant with the
    /// keyspace key but kept on the record for self-description in
    /// diagnostics dumps.
    pub server_id: String,
    pub access_token: String,
    /// Unix-seconds expiry of `access_token`. The auth layer treats
    /// "fresh" as `now + skew < access_expires_at` so a 401 from the
    /// daemon mid-window is still expected to be rare; on a 401 the
    /// caller should clear the cache and re-authenticate.
    pub access_expires_at: u64,
    pub refresh_token: String,
    pub refresh_expires_at: u64,
}

impl std::fmt::Debug for WebvhServerAuthRecord {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        // Redact secret material. Operators occasionally `?record` in
        // tracing — without this, the token would land in logs. The
        // expiry timestamps are not secret and are useful for
        // diagnosing freshness questions, so they remain visible.
        f.debug_struct("WebvhServerAuthRecord")
            .field("server_id", &self.server_id)
            .field("access_token", &"<redacted>")
            .field("access_expires_at", &self.access_expires_at)
            .field("refresh_token", &"<redacted>")
            .field("refresh_expires_at", &self.refresh_expires_at)
            .finish()
    }
}

pub async fn get_server(
    ks: &KeyspaceHandle,
    id: &str,
) -> Result<Option<WebvhServerRecord>, AppError> {
    ks.get(server_key(id)).await
}

pub async fn store_server(ks: &KeyspaceHandle, record: &WebvhServerRecord) -> Result<(), AppError> {
    ks.insert(server_key(&record.id), record).await
}

/// Delete a webvh server record and, atomically from the caller's
/// perspective, its associated daemon auth cache. The two are stored
/// under different prefixes so deletion is two writes — keeping
/// them paired here means callers can't accidentally remove the
/// server but leave a stale auth record that would be reused if
/// the same `id` were ever re-added.
pub async fn delete_server(ks: &KeyspaceHandle, id: &str) -> Result<(), AppError> {
    ks.remove(server_key(id)).await?;
    ks.remove(server_auth_key(id)).await?;
    Ok(())
}

pub async fn get_server_auth(
    ks: &KeyspaceHandle,
    id: &str,
) -> Result<Option<WebvhServerAuthRecord>, AppError> {
    ks.get(server_auth_key(id)).await
}

pub async fn store_server_auth(
    ks: &KeyspaceHandle,
    record: &WebvhServerAuthRecord,
) -> Result<(), AppError> {
    ks.insert(server_auth_key(&record.server_id), record).await
}

pub async fn delete_server_auth(ks: &KeyspaceHandle, id: &str) -> Result<(), AppError> {
    ks.remove(server_auth_key(id)).await
}

pub async fn list_servers(ks: &KeyspaceHandle) -> Result<Vec<WebvhServerRecord>, AppError> {
    let raw = ks.prefix_iter_raw("server:").await?;
    let mut servers = Vec::with_capacity(raw.len());
    for (_key, value) in raw {
        let record: WebvhServerRecord = serde_json::from_slice(&value)?;
        servers.push(record);
    }
    Ok(servers)
}

pub async fn get_did(ks: &KeyspaceHandle, did: &str) -> Result<Option<WebvhDidRecord>, AppError> {
    ks.get(did_key(did)).await
}

pub async fn store_did(ks: &KeyspaceHandle, record: &WebvhDidRecord) -> Result<(), AppError> {
    ks.insert(did_key(&record.did), record).await
}

pub async fn delete_did(ks: &KeyspaceHandle, did: &str) -> Result<(), AppError> {
    ks.remove(did_key(did)).await
}

pub async fn list_dids(ks: &KeyspaceHandle) -> Result<Vec<WebvhDidRecord>, AppError> {
    let raw = ks.prefix_iter_raw("did:").await?;
    let mut dids = Vec::with_capacity(raw.len());
    for (_key, value) in raw {
        let record: WebvhDidRecord = serde_json::from_slice(&value)?;
        dids.push(record);
    }
    Ok(dids)
}

pub async fn get_did_log(ks: &KeyspaceHandle, did: &str) -> Result<Option<String>, AppError> {
    let bytes = ks.get_raw(log_key(did)).await?;
    Ok(bytes.map(|b| String::from_utf8_lossy(&b).into_owned()))
}

pub async fn store_did_log(
    ks: &KeyspaceHandle,
    did: &str,
    log_content: &str,
) -> Result<(), AppError> {
    ks.insert_raw(log_key(did), log_content.as_bytes().to_vec())
        .await
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::store::Store;
    use chrono::Utc;
    use vti_common::config::StoreConfig as VtiStoreConfig;

    async fn setup_ks() -> (tempfile::TempDir, KeyspaceHandle) {
        let dir = tempfile::tempdir().unwrap();
        let store = Store::open(&VtiStoreConfig {
            data_dir: dir.path().into(),
        })
        .unwrap();
        let ks = store.keyspace("webvh").unwrap();
        (dir, ks)
    }

    fn sample_server(id: &str) -> WebvhServerRecord {
        let now = Utc::now();
        WebvhServerRecord {
            id: id.into(),
            did: format!("did:web:{id}.example"),
            label: None,
            created_at: now,
            updated_at: now,
        }
    }

    fn sample_auth(id: &str) -> WebvhServerAuthRecord {
        WebvhServerAuthRecord {
            server_id: id.into(),
            access_token: "test-access-token".into(),
            access_expires_at: 9_999_999_999,
            refresh_token: "test-refresh-token".into(),
            refresh_expires_at: 9_999_999_999,
        }
    }

    #[tokio::test]
    async fn auth_record_round_trips_through_keyspace() {
        let (_dir, ks) = setup_ks().await;
        let auth = sample_auth("prod");
        store_server_auth(&ks, &auth).await.unwrap();
        let loaded = get_server_auth(&ks, "prod").await.unwrap().unwrap();
        assert_eq!(loaded.access_token, "test-access-token");
        assert_eq!(loaded.refresh_token, "test-refresh-token");
    }

    #[tokio::test]
    async fn auth_record_uses_distinct_keyspace_prefix_from_server() {
        // Server metadata and auth state must not share a key —
        // `list_servers` does a `prefix_iter_raw("server:")` and would
        // try to deserialise auth records as `WebvhServerRecord` if
        // they collided. The `-auth` suffix on the prefix prevents
        // that: prefix scanning `server:` does not match `server-auth:`.
        let (_dir, ks) = setup_ks().await;
        store_server(&ks, &sample_server("prod")).await.unwrap();
        store_server_auth(&ks, &sample_auth("prod")).await.unwrap();
        let servers = list_servers(&ks).await.unwrap();
        assert_eq!(servers.len(), 1);
        assert_eq!(servers[0].id, "prod");
    }

    #[tokio::test]
    async fn delete_server_cascades_to_auth_record() {
        // The lifecycle invariant: removing a server must also remove
        // its cached auth state, so re-adding a server with the same
        // id doesn't silently inherit stale tokens.
        let (_dir, ks) = setup_ks().await;
        store_server(&ks, &sample_server("prod")).await.unwrap();
        store_server_auth(&ks, &sample_auth("prod")).await.unwrap();
        assert!(get_server_auth(&ks, "prod").await.unwrap().is_some());

        delete_server(&ks, "prod").await.unwrap();
        assert!(get_server(&ks, "prod").await.unwrap().is_none());
        assert!(
            get_server_auth(&ks, "prod").await.unwrap().is_none(),
            "delete_server must cascade to the auth record"
        );
    }

    #[tokio::test]
    async fn explicit_delete_server_auth_works_independently() {
        // Some flows (refresh failure, token rotation reset) want to
        // wipe just the auth state without touching the server record.
        let (_dir, ks) = setup_ks().await;
        store_server(&ks, &sample_server("prod")).await.unwrap();
        store_server_auth(&ks, &sample_auth("prod")).await.unwrap();

        delete_server_auth(&ks, "prod").await.unwrap();
        assert!(get_server(&ks, "prod").await.unwrap().is_some());
        assert!(get_server_auth(&ks, "prod").await.unwrap().is_none());
    }

    #[test]
    fn auth_record_debug_redacts_secret_fields() {
        // tracing::info!(?record, "...") is a likely future site
        // that would log tokens without this redaction. Pin the
        // invariant.
        let auth = WebvhServerAuthRecord {
            server_id: "prod".into(),
            access_token: "should-not-appear-in-logs-XXXX".into(),
            access_expires_at: 1234,
            refresh_token: "also-not-here-YYYY".into(),
            refresh_expires_at: 5678,
        };
        let dbg = format!("{auth:?}");
        assert!(
            !dbg.contains("XXXX"),
            "access_token must not appear in Debug: {dbg}"
        );
        assert!(
            !dbg.contains("YYYY"),
            "refresh_token must not appear in Debug: {dbg}"
        );
        assert!(
            dbg.contains("<redacted>"),
            "Debug should mark redactions explicitly: {dbg}"
        );
        // Non-secret fields should still be visible — operators
        // diagnosing freshness questions need to see expiry.
        assert!(dbg.contains("1234"), "non-secret expiry must remain: {dbg}");
        assert!(
            dbg.contains("prod"),
            "non-secret server_id must remain: {dbg}"
        );
    }
}