v0.1.6 (#45)

## What's New? Performance updates for large capsules, admin panel enhancement and bug fixes ### Envd - Fixed bug with sandbox metrics calculation - Page cache drop and balloon inflation to reduce memfile snapshot - Updated rpc timeout logic for better control - Added tests ### Admin Panel - Add/Remove platform admin - Updated template deletion logic for fine grained permission ### Others - Minor frontend visual improvement - Minor bugfixes - Version bump Co-authored-by: Tasnim Kabir Sadik <tksadik92@gmail.com> Reviewed-on: wrenn/wrenn#45 Co-authored-by: pptx704 <rafeed@omukk.dev> Co-committed-by: pptx704 <rafeed@omukk.dev>
2026-05-13 05:05:35 +00:00
parent f5a23c1fa0
commit 4707f16c76
55 changed files with 2042 additions and 238 deletions
--- a/envd-rs/src/auth/signing.rs
+++ b/envd-rs/src/auth/signing.rs
@ -83,3 +83,128 @@ pub fn validate_signing(

    Ok(())
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    fn test_token(val: &[u8]) -> SecureToken {
+        let t = SecureToken::new();
+        t.set(val).unwrap();
+        t
+    }
+
+    fn far_future() -> i64 {
+        std::time::SystemTime::now()
+            .duration_since(std::time::UNIX_EPOCH)
+            .unwrap()
+            .as_secs() as i64
+            + 3600
+    }
+
+    #[test]
+    fn generate_starts_with_v1() {
+        let token = test_token(b"secret");
+        let sig = generate_signature(&token, "/file", "root", READ_OPERATION, None).unwrap();
+        assert!(sig.starts_with("v1_"));
+    }
+
+    #[test]
+    fn generate_deterministic() {
+        let token = test_token(b"secret");
+        let s1 = generate_signature(&token, "/file", "root", READ_OPERATION, None).unwrap();
+        let s2 = generate_signature(&token, "/file", "root", READ_OPERATION, None).unwrap();
+        assert_eq!(s1, s2);
+    }
+
+    #[test]
+    fn generate_with_expiration_differs() {
+        let token = test_token(b"secret");
+        let without = generate_signature(&token, "/f", "u", READ_OPERATION, None).unwrap();
+        let with = generate_signature(&token, "/f", "u", READ_OPERATION, Some(9999)).unwrap();
+        assert_ne!(without, with);
+    }
+
+    #[test]
+    fn generate_unset_token_errors() {
+        let token = SecureToken::new();
+        assert!(generate_signature(&token, "/f", "u", READ_OPERATION, None).is_err());
+    }
+
+    #[test]
+    fn validate_no_token_set_passes() {
+        let token = SecureToken::new();
+        assert!(validate_signing(&token, None, None, None, "root", "/f", READ_OPERATION).is_ok());
+    }
+
+    #[test]
+    fn validate_correct_header_token() {
+        let token = test_token(b"secret");
+        assert!(validate_signing(&token, Some("secret"), None, None, "root", "/f", READ_OPERATION).is_ok());
+    }
+
+    #[test]
+    fn validate_wrong_header_token() {
+        let token = test_token(b"secret");
+        let result = validate_signing(&token, Some("wrong"), None, None, "root", "/f", READ_OPERATION);
+        assert!(result.is_err());
+        assert!(result.unwrap_err().contains("does not match"));
+    }
+
+    #[test]
+    fn validate_valid_signature() {
+        let token = test_token(b"secret");
+        let exp = far_future();
+        let sig = generate_signature(&token, "/file", "root", READ_OPERATION, Some(exp)).unwrap();
+        assert!(validate_signing(&token, None, Some(&sig), Some(exp), "root", "/file", READ_OPERATION).is_ok());
+    }
+
+    #[test]
+    fn validate_invalid_signature() {
+        let token = test_token(b"secret");
+        let result = validate_signing(&token, None, Some("v1_bad"), Some(far_future()), "root", "/f", READ_OPERATION);
+        assert!(result.is_err());
+        assert!(result.unwrap_err().contains("invalid signature"));
+    }
+
+    #[test]
+    fn validate_expired_signature() {
+        let token = test_token(b"secret");
+        let expired: i64 = 1_000_000;
+        let sig = generate_signature(&token, "/f", "root", READ_OPERATION, Some(expired)).unwrap();
+        let result = validate_signing(&token, None, Some(&sig), Some(expired), "root", "/f", READ_OPERATION);
+        assert!(result.is_err());
+        assert!(result.unwrap_err().contains("expired"));
+    }
+
+    #[test]
+    fn validate_missing_signature() {
+        let token = test_token(b"secret");
+        let result = validate_signing(&token, None, None, None, "root", "/f", READ_OPERATION);
+        assert!(result.is_err());
+        assert!(result.unwrap_err().contains("missing signature"));
+    }
+
+    #[test]
+    fn validate_empty_header_token_falls_through_to_signature() {
+        let token = test_token(b"secret");
+        let result = validate_signing(&token, Some(""), None, None, "root", "/f", READ_OPERATION);
+        assert!(result.is_err());
+        assert!(result.unwrap_err().contains("missing signature"));
+    }
+
+    #[test]
+    fn validate_valid_signature_no_expiration() {
+        let token = test_token(b"secret");
+        let sig = generate_signature(&token, "/file", "root", READ_OPERATION, None).unwrap();
+        assert!(validate_signing(&token, None, Some(&sig), None, "root", "/file", READ_OPERATION).is_ok());
+    }
+
+    #[test]
+    fn different_operations_produce_different_signatures() {
+        let token = test_token(b"secret");
+        let r = generate_signature(&token, "/f", "root", READ_OPERATION, None).unwrap();
+        let w = generate_signature(&token, "/f", "root", WRITE_OPERATION, None).unwrap();
+        assert_ne!(r, w);
+    }
+}