Enforce minimum length for padlock generation secret

2024-02-15 20:58:41 +00:00 · 2024-02-15 20:58:41 +00:00 · ead1c7ebad
commit ead1c7ebad
parent 32d76be0fd
1 changed files with 28 additions and 4 deletions
--- a/src/secrets.rs
+++ b/src/secrets.rs
@ -1,8 +1,10 @@
-use std::{convert::Infallible, fmt::Debug};
+use std::fmt::Debug;

 use hex::FromHex;
+use rand::{thread_rng, Rng};
 use secrecy::{ExposeSecret, SecretString, SecretVec};
 use serde::{Deserialize, Serialize};
+use thiserror::Error;

 #[derive(Debug, Clone, Deserialize)]
 pub struct Password(pub SecretString);
@ -52,8 +54,18 @@ impl From<String> for ServerPadlock {
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct ServerHash(pub String);

-#[derive(Deserialize)]
 pub struct PadlockGenerationSecret(pub SecretVec<u8>);
+
+impl PadlockGenerationSecret {
+    /// Entirely arbitrary
+    const MIN_LENGTH_BYTES: usize = 32;
+
+    fn get_random_secret() -> Vec<u8> {
+        let mut rng = thread_rng();
+        (0..Self::MIN_LENGTH_BYTES).map(|_| rng.gen()).collect()
+    }
+}
+
 impl Debug for PadlockGenerationSecret {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_tuple("PadlockGenerationSecret")
@ -67,10 +79,22 @@ impl Clone for PadlockGenerationSecret {
    }
 }

+#[derive(Debug, Clone, Error)]
+#[error(
+    "Padlock secret too short, must be at least {} bytes - here's a fresh secret for you: {}",
+    PadlockGenerationSecret::MIN_LENGTH_BYTES,
+    hex::encode(PadlockGenerationSecret::get_random_secret())
+)]
+pub struct PadlockSecretTooShort;
 impl FromHex for PadlockGenerationSecret {
-    type Error = Infallible;
+    type Error = PadlockSecretTooShort;

    fn from_hex<T: AsRef<[u8]>>(hex: T) -> Result<Self, Self::Error> {
-        Ok(Self(hex.as_ref().to_vec().into()))
+        let hex = hex.as_ref();
+        if hex.len() < Self::MIN_LENGTH_BYTES {
+            Err(PadlockSecretTooShort)
+        } else {
+            Ok(Self(hex.to_vec().into()))
+        }
    }
 }