reachable_node/server/

mod.rs

// SPDX-FileCopyrightText: 2023—2025 eaon <eaon@posteo.net>
// SPDX-License-Identifier: EUPL-1.2

use axum::{body::Body, http::HeaderValue, response::Response};
use hyper::{StatusCode, header};
use include_dir::{Dir, include_dir};
use rand_core::CryptoRngCore;

use reach_aliases::*;
use reach_core::{AuditAuthenticationAssurance, RandomFromRng, error, storage::*, wire::*};
use reach_signatures::Verifier;

pub mod memory;
use memory::Sealable;

pub mod net;
use net::SessionState;

pub const DIST_DIR: Dir<'_> = include_dir!("$CARGO_MANIFEST_DIR/../reaching-app/dist");

pub fn from_included_dir<A>(directory: &'static Dir<'_>, path: A) -> Response
where
    A: AsRef<str>,
{
    let content_type = mime_guess::from_path(path.as_ref()).first_or_octet_stream();
    let path = path.as_ref().trim_start_matches('/');

    match directory.get_file(path) {
        None => Response::builder()
            .status(StatusCode::NOT_FOUND)
            .body(Body::empty())
            .unwrap(),
        Some(file) => Response::builder()
            .status(StatusCode::OK)
            .header(
                header::CONTENT_TYPE,
                HeaderValue::from_str(content_type.essence_str()).unwrap(),
            )
            .body(Body::from(file.contents()))
            .unwrap(),
    }
}

#[macro_export]
#[doc(hidden)]
macro_rules! _included {
    ($included_dir:tt, $included_path:tt) => {
        || async { reachable_node::server::from_included_dir(&$included_dir, $included_path) }
    };

    ($included_dir:tt) => {
        |axum::extract::Path(path): axum::extract::Path<String>| async {
            reachable_node::server::from_included_dir(&$included_dir, path)
        }
    };
}

#[doc(inline)]
pub use _included as included;

impl Sealable<SealedEnvelopeId> for EnvelopeId {}
impl Sealable<SealedMessageVaultId> for MessageVaultId {}

type AddableEnvelopeMaterial<'a> = (
    SealedEnvelopeId,
    Vec<(BlindedPublicKey, OneSix)>,
    Envelope,
    &'a MessageVaultId,
);

pub fn assign_envelope_id(envelope_seed: EnvelopeSeed, id: EnvelopeId) -> Envelope {
    let EnvelopeSeed {
        blinded_public_keys: _,
        credential_vaults,
        nonce,
        message_vault_passport_ciphertext,
    } = envelope_seed;

    Envelope {
        id,
        credential_vaults,
        nonce,
        message_vault_passport_ciphertext,
    }
}

pub fn assign_message_vault_id(
    message_vault_seed: MessageVaultSeed,
    id: MessageVaultId,
) -> MessageVault {
    MessageVault {
        id,
        message_ciphertext: message_vault_seed.message_ciphertext,
    }
}

pub fn update_reaching_salts(salts: &mut Salts, csprng: &mut impl CryptoRngCore) {
    salts.reaching_previous = salts.reaching_current;
    salts.reaching_current = ThreeTwo::random_from_rng(csprng);
}

pub fn process_envelope_seed<'a>(
    envelope_seed: EnvelopeSeed,
    message_vault_id: &'a MessageVaultId,
    shared_public_keys: &'_ SharedPublicKeys,
    salts: &'_ Salts,
    csprng: &mut impl CryptoRngCore,
) -> Result<AddableEnvelopeMaterial<'a>, error::CryptError> {
    let envelope_id = EnvelopeId::random_from_rng(csprng);
    let sealed_envelope_id = envelope_id.seal(shared_public_keys, salts, csprng)?;
    let blinded_public_key_removal_token_pairs = envelope_seed
        .blinded_public_keys
        .clone()
        .into_iter()
        .map(|blinded_public_key| (blinded_public_key, OneSix::random_from_rng(csprng)))
        .collect();
    let envelope = assign_envelope_id(envelope_seed, envelope_id);

    Ok((
        sealed_envelope_id,
        blinded_public_key_removal_token_pairs,
        envelope,
        message_vault_id,
    ))
}

type AddableMessageVaultMaterial = (SealedMessageVaultId, MessageVault);

pub fn process_message_vault_seed(
    message_vault_seed: MessageVaultSeed,
    shared_public_keys: &SharedPublicKeys,
    salts: &Salts,
    csprng: &mut impl CryptoRngCore,
) -> Result<AddableMessageVaultMaterial, error::CryptError> {
    let message_vault_id = MessageVaultId::random_from_rng(csprng);
    let sealed_message_vault_id = message_vault_id.seal(shared_public_keys, salts, csprng)?;

    Ok((
        sealed_message_vault_id,
        assign_message_vault_id(message_vault_seed, message_vault_id),
    ))
}

pub trait SessionAuthentication {
    const AUTHENTICATED_SESSION_STATE: SessionState;

    fn attempt_session_authentication(
        &self,
        authentication_assurance: &AuthenticationAssurance,
        authentication_challenge: &AuthenticationChallenge,
    ) -> SessionState
    where
        Self: Verifier + AuditAuthenticationAssurance,
    {
        if self.audit_authentication_assurance(authentication_assurance, authentication_challenge) {
            return Self::AUTHENTICATED_SESSION_STATE;
        }

        SessionState::Ready
    }
}

impl SessionAuthentication for ReachableVerifyingKeys {
    const AUTHENTICATED_SESSION_STATE: SessionState = SessionState::AuthenticatedReachable;
}

impl SessionAuthentication for AttestantAuthenticationKeys {
    const AUTHENTICATED_SESSION_STATE: SessionState = SessionState::AuthenticatedAttestant;
}

#[cfg(test)]
mod tests {
    use super::*;

    use ecdh_omr::Decoy;
    use reach_harness::seeded_rng;

    #[test]
    fn salts_update() {
        let mut seeded_rng = seeded_rng(0);
        let mut salts = Salts::random_decoy(&mut seeded_rng);
        let expiring_secret_keys_salt = salts.reaching_current;
        update_reaching_salts(&mut salts, &mut seeded_rng);

        assert_eq!(expiring_secret_keys_salt, salts.reaching_previous);
        assert_ne!(expiring_secret_keys_salt, salts.reaching_current);
    }
}