From b0872780dd3c6397c27ca6e7a8b193198c53d219 Mon Sep 17 00:00:00 2001
From: core <core@coredoes.dev>
Date: Mon, 27 Feb 2023 18:12:24 -0500
Subject: [PATCH 1/5] MORE TESTS! 95% pki coverage

---
 Cargo.lock                       |   2 +-
 trifid-pki/Cargo.toml            |   2 +-
 trifid-pki/README.md             |   8 ++
 trifid-pki/src/ca.rs             |   1 +
 trifid-pki/src/cert.rs           |  25 ++++-
 trifid-pki/src/lib.rs            |   2 +-
 trifid-pki/src/test.rs           | 152 ++++++++++++++++++++++++++++++-
 trifid-pki/tarpaulin-report.html |   6 +-
 8 files changed, 188 insertions(+), 10 deletions(-)
 create mode 100644 trifid-pki/README.md

diff --git a/Cargo.lock b/Cargo.lock
index 4723dc5..a14c4b2 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2419,7 +2419,7 @@ dependencies = [
 
 [[package]]
 name = "trifid-pki"
-version = "0.1.0"
+version = "0.1.2"
 dependencies = [
  "ed25519-dalek",
  "hex",
diff --git a/trifid-pki/Cargo.toml b/trifid-pki/Cargo.toml
index 780d5d4..2c69fe6 100644
--- a/trifid-pki/Cargo.toml
+++ b/trifid-pki/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "trifid-pki"
-version = "0.1.0"
+version = "0.1.2"
 edition = "2021"
 description = "A rust implementation of the Nebula PKI system"
 license = "GPL-3.0-or-later"
diff --git a/trifid-pki/README.md b/trifid-pki/README.md
new file mode 100644
index 0000000..8e3892d
--- /dev/null
+++ b/trifid-pki/README.md
@@ -0,0 +1,8 @@
+# trifid-pki
+trifid-pki is a crate for interacting with the Nebula PKI system. It was created to prevent the need to make constant CLI calls for signing operations in Nebula. Is is designed to be interoperable with the original Go implementation and as such has some oddities with key management to ensure compatability.
+
+This crate has not received any formal security audits, however the underlying crates used for actual cryptographic operations (ed25519-dalek and curve25519-dalek) have been audited, finding no major issues.
+
+# Examples
+
+See [the documentation](https://docs.rs/trifid-pki) for examples.
\ No newline at end of file
diff --git a/trifid-pki/src/ca.rs b/trifid-pki/src/ca.rs
index a589600..66dc20a 100644
--- a/trifid-pki/src/ca.rs
+++ b/trifid-pki/src/ca.rs
@@ -113,6 +113,7 @@ pub enum CaPoolError {
     NoIssuer
 }
 impl Error for CaPoolError {}
+#[cfg(not(tarpaulin_include))]
 impl Display for CaPoolError {
     fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
         match self {
diff --git a/trifid-pki/src/cert.rs b/trifid-pki/src/cert.rs
index fd1faef..e328307 100644
--- a/trifid-pki/src/cert.rs
+++ b/trifid-pki/src/cert.rs
@@ -83,6 +83,7 @@ pub enum CertificateError {
     /// The public key does not match the expected value
     KeyMismatch
 }
+#[cfg(not(tarpaulin_include))]
 impl Display for CertificateError {
     fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
         match self {
@@ -108,6 +109,7 @@ fn map_cidr_pairs(pairs: &[u32]) -> Result<Vec<Ipv4Net>, Box<dyn Error>> {
     Ok(res_vec)
 }
 
+#[cfg(not(tarpaulin_include))]
 impl Display for NebulaCertificate {
     #[allow(clippy::unwrap_used)]
     fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
@@ -186,12 +188,19 @@ pub fn deserialize_nebula_certificate(bytes: &[u8]) -> Result<NebulaCertificate,
 #[derive(Debug)]
 pub enum KeyError {
     /// Keys should have their associated PEM tags but this had the wrong one
-    WrongPemTag
+    WrongPemTag,
+    /// Ed25519 private keys are 64 bytes
+    Not64Bytes,
+    /// X25519 private keys are 32 bytes
+    Not32Bytes
 }
+#[cfg(not(tarpaulin_include))]
 impl Display for KeyError {
     fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
         match self {
-            Self::WrongPemTag => write!(f, "Keys should have their associated PEM tags but this had the wrong one")
+            Self::WrongPemTag => write!(f, "Keys should have their associated PEM tags but this had the wrong one"),
+            Self::Not64Bytes => write!(f, "Ed25519 private keys are 64 bytes"),
+            Self::Not32Bytes => write!(f, "X25519 private keys are 32 bytes")
         }
     }
 }
@@ -233,6 +242,9 @@ pub fn deserialize_x25519_private(bytes: &[u8]) -> Result<Vec<u8>, Box<dyn Error
     if pem.tag != X25519_PRIVATE_KEY_BANNER {
         return Err(KeyError::WrongPemTag.into())
     }
+    if pem.contents.len() != 32 {
+        return Err(KeyError::Not32Bytes.into())
+    }
     Ok(pem.contents)
 }
 
@@ -244,6 +256,9 @@ pub fn deserialize_x25519_public(bytes: &[u8]) -> Result<Vec<u8>, Box<dyn Error>
     if pem.tag != X25519_PUBLIC_KEY_BANNER {
         return Err(KeyError::WrongPemTag.into())
     }
+    if pem.contents.len() != 32 {
+        return Err(KeyError::Not32Bytes.into())
+    }
     Ok(pem.contents)
 }
 
@@ -271,6 +286,9 @@ pub fn deserialize_ed25519_private(bytes: &[u8]) -> Result<Vec<u8>, Box<dyn Erro
     if pem.tag != ED25519_PRIVATE_KEY_BANNER {
         return Err(KeyError::WrongPemTag.into())
     }
+    if pem.contents.len() != 64 {
+        return Err(KeyError::Not64Bytes.into())
+    }
     Ok(pem.contents)
 }
 
@@ -282,6 +300,9 @@ pub fn deserialize_ed25519_public(bytes: &[u8]) -> Result<Vec<u8>, Box<dyn Error
     if pem.tag != ED25519_PUBLIC_KEY_BANNER {
         return Err(KeyError::WrongPemTag.into())
     }
+    if pem.contents.len() != 64 {
+        return Err(KeyError::Not64Bytes.into())
+    }
     Ok(pem.contents)
 }
 
diff --git a/trifid-pki/src/lib.rs b/trifid-pki/src/lib.rs
index 600d63f..c14db88 100644
--- a/trifid-pki/src/lib.rs
+++ b/trifid-pki/src/lib.rs
@@ -2,7 +2,7 @@
 //! trifid-pki is a crate for interacting with the Nebula PKI system. It was created to prevent the need to make constant CLI calls for signing operations in Nebula.
 //! It is designed to be interoperable with the original Go implementation and as such has some oddities with key management to ensure compatability.
 //!
-//! This crate has not received any format security audits, however the underlying crates used for actual cryptographic operations (ed25519-dalek and curve25519-dalek) have been audited with no major issues.
+//! This crate has not received any formal security audits, however the underlying crates used for actual cryptographic operations (ed25519-dalek and curve25519-dalek) have been audited with no major issues.
 
 #![warn(clippy::pedantic)]
 #![warn(clippy::nursery)]
diff --git a/trifid-pki/src/test.rs b/trifid-pki/src/test.rs
index 55a0461..55f465e 100644
--- a/trifid-pki/src/test.rs
+++ b/trifid-pki/src/test.rs
@@ -295,7 +295,7 @@ fn x25519_serialization() {
 
 #[test]
 fn ed25519_serialization() {
-    let bytes = [0u8; 32];
+    let bytes = [0u8; 64];
     assert_eq!(deserialize_ed25519_private(&serialize_ed25519_private(&bytes)).unwrap(), bytes);
     assert!(deserialize_ed25519_private(&[0u8; 32]).is_err());
     assert_eq!(deserialize_ed25519_public(&serialize_ed25519_public(&bytes)).unwrap(), bytes);
@@ -549,7 +549,7 @@ fn test_ca_cert(before: SystemTime, after: SystemTime, ips: Vec<Ipv4Net>, subnet
             not_after: after,
             public_key: pub_key.to_bytes(),
             is_ca: true,
-            issuer: "".to_string(),
+            issuer: String::new(),
         },
         signature: vec![],
     };
@@ -557,6 +557,154 @@ fn test_ca_cert(before: SystemTime, after: SystemTime, ips: Vec<Ipv4Net>, subnet
     (cert, key, pub_key)
 }
 
+#[test]
+fn test_deserialize_ed25519_private() {
+    let priv_key = b"-----BEGIN NEBULA ED25519 PRIVATE KEY-----
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
+-----END NEBULA ED25519 PRIVATE KEY-----";
+    let short_key = b"-----BEGIN NEBULA ED25519 PRIVATE KEY-----
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+-----END NEBULA ED25519 PRIVATE KEY-----";
+    let invalid_banner = b"-----BEGIN NOT A NEBULA PRIVATE KEY-----
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
+-----END NOT A NEBULA PRIVATE KEY-----";
+    let invalid_pem = b"-BEGIN NEBULA ED25519 PRIVATE KEY-----
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
+-END NEBULA ED25519 PRIVATE KEY-----";
+
+    deserialize_ed25519_private(priv_key).unwrap();
+
+    deserialize_ed25519_private(short_key).unwrap_err();
+
+    deserialize_ed25519_private(invalid_banner).unwrap_err();
+
+    deserialize_ed25519_private(invalid_pem).unwrap_err();
+}
+
+#[test]
+fn test_deserialize_x25519_private() {
+    let priv_key = b"-----BEGIN NEBULA X25519 PRIVATE KEY-----
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+-----END NEBULA X25519 PRIVATE KEY-----";
+    let short_key = b"-----BEGIN NEBULA X25519 PRIVATE KEY-----
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
+-----END NEBULA X25519 PRIVATE KEY-----";
+    let invalid_banner = b"-----BEGIN NOT A NEBULA PRIVATE KEY-----
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+-----END NOT A NEBULA PRIVATE KEY-----";
+    let invalid_pem = b"-BEGIN NEBULA X25519 PRIVATE KEY-----
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+-END NEBULA X25519 PRIVATE KEY-----";
+
+    deserialize_x25519_private(priv_key).unwrap();
+
+    deserialize_x25519_private(short_key).unwrap_err();
+
+    deserialize_x25519_private(invalid_banner).unwrap_err();
+
+    deserialize_x25519_private(invalid_pem).unwrap_err();
+}
+
+#[test]
+fn test_pem_deserialization() {
+    let good_cert = b"# A good cert
+-----BEGIN NEBULA CERTIFICATE-----
+CkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL
+vcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv
+bzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB
+-----END NEBULA CERTIFICATE-----";
+    let bad_banner = b"-----BEGIN NOT A NEBULA CERTIFICATE-----
+CkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL
+vcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv
+bzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB
+-----END NOT A NEBULA CERTIFICATE-----";
+    let invalid_pem = b"# Not a valid PEM format
+-BEGIN NEBULA CERTIFICATE-----
+CkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL
+vcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv
+bzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB
+-END NEBULA CERTIFICATE----";
+
+    // success
+    deserialize_nebula_certificate_from_pem(good_cert).unwrap();
+
+    // fail because invalid banner
+    deserialize_nebula_certificate_from_pem(bad_banner).unwrap_err();
+
+    // fail because nonsense pem
+    deserialize_nebula_certificate_from_pem(invalid_pem).unwrap_err();
+}
+
+#[test]
+fn test_deserialize_ed25519_public() {
+    let priv_key = b"-----BEGIN NEBULA ED25519 PUBLIC KEY-----
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
+-----END NEBULA ED25519 PUBLIC KEY-----";
+    let short_key = b"-----BEGIN NEBULA ED25519 PUBLIC KEY-----
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+-----END NEBULA ED25519 PUBLIC KEY-----";
+    let invalid_banner = b"-----BEGIN NOT A NEBULA PUBLIC KEY-----
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
+-----END NOT A NEBULA PUBLIC KEY-----";
+    let invalid_pem = b"-BEGIN NEBULA ED25519 PUBLIC KEY-----
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
+-END NEBULA ED25519 PUBLIC KEY-----";
+
+    deserialize_ed25519_public(priv_key).unwrap();
+
+    deserialize_ed25519_public(short_key).unwrap_err();
+
+    deserialize_ed25519_public(invalid_banner).unwrap_err();
+
+    deserialize_ed25519_public(invalid_pem).unwrap_err();
+}
+
+#[test]
+// Ensure that trifid-pki produces the *exact same* bit-for-bit representation as nebula does
+// to ensure signature interoperability
+// We use an e3team production certificate for this as it is a known-good certificate.
+fn test_serialization_interoperability() {
+    let known_good_cert = hex::decode("0a650a08636f72652d74777212098184c4508080f8ff0f28ae9fbf9c06309485c4ab063a20304e6279d8722f0fd8d966faa70adaeec08c4649d486457bb038be243753a7474a2056860ded3d14b7f3b77ca2a062ee5d683dd06b35f87446d8d6a7e923b6a7783d1240eb5d6b688eda0d36e925219c098ff2799e42207a093f7d9b7d875823ca05b2e0d3a749dd2fc9cec811ed9a2865d71c4d53cfdfd1bf7e6d5058bd9ecd388ddf0d").unwrap();
+
+    let cert = deserialize_nebula_certificate(&known_good_cert).unwrap();
+    let reserialized_cert_pem = cert.serialize().unwrap();
+    assert_eq!(known_good_cert, reserialized_cert_pem);
+}
+
+#[test]
+fn test_deserialize_x25519_public() {
+    let priv_key = b"-----BEGIN NEBULA X25519 PUBLIC KEY-----
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+-----END NEBULA X25519 PUBLIC KEY-----";
+    let short_key = b"-----BEGIN NEBULA X25519 PUBLIC KEY-----
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
+-----END NEBULA X25519 PUBLIC KEY-----";
+    let invalid_banner = b"-----BEGIN NOT A NEBULA PUBLIC KEY-----
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+-----END NOT A NEBULA PUBLIC KEY-----";
+    let invalid_pem = b"-BEGIN NEBULA X25519 PUBLIC KEY-----
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+-END NEBULA X25519 PUBLIC KEY-----";
+
+    deserialize_x25519_public(priv_key).unwrap();
+
+    deserialize_x25519_public(short_key).unwrap_err();
+
+    deserialize_x25519_public(invalid_banner).unwrap_err();
+
+    deserialize_x25519_public(invalid_pem).unwrap_err();
+}
+
+#[test]
+fn ca_pool_add_non_ca() {
+    let mut ca_pool = NebulaCAPool::new();
+
+    let (ca, ca_key, _) = test_ca_cert(SystemTime::now(), SystemTime::now() + Duration::from_secs(3600), vec![], vec![], vec![]);
+    let (cert, _, _) = test_cert(&ca, &ca_key, SystemTime::now(), SystemTime::now(), vec![], vec![], vec![]);
+
+    ca_pool.add_ca_certificate(&cert.serialize_to_pem().unwrap()).unwrap_err();
+}
+
 fn test_cert(ca: &NebulaCertificate, key: &SigningKey, before: SystemTime, after: SystemTime, ips: Vec<Ipv4Net>, subnets: Vec<Ipv4Net>, groups: Vec<String>) -> (NebulaCertificate, SigningKey, VerifyingKey) {
     let issuer = ca.sha256sum().unwrap();
 
diff --git a/trifid-pki/tarpaulin-report.html b/trifid-pki/tarpaulin-report.html
index 14a8594..15d7ef7 100644
--- a/trifid-pki/tarpaulin-report.html
+++ b/trifid-pki/tarpaulin-report.html
@@ -107,8 +107,8 @@
 <body>
     <div id="root"></div>
     <script>
-        var data = {"files":[{"path":["/","home","core","prj","e3t","trifid","tfclient","src","main.rs"],"content":"fn main() {\n    println!(\"Hello, world!\");\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","build.rs"],"content":"// generated by `sqlx migrate build-script`\nfn main() {\n    // trigger recompilation when a new migration is added\n    println!(\"cargo:rerun-if-changed=migrations\");\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","auth.rs"],"content":"use rocket::http::Status;\nuse rocket::{Request};\nuse rocket::request::{FromRequest, Outcome};\nuse crate::tokens::{validate_auth_token, validate_session_token};\n\npub struct PartialUserInfo {\n    pub user_id: i32,\n    pub created_at: i64,\n    pub email: String,\n    pub has_totp_auth: bool,\n\n    pub session_id: String,\n    pub auth_id: Option\u003cString\u003e\n}\n\n#[derive(Debug)]\npub enum AuthenticationError {\n    MissingToken,\n    InvalidToken(usize),\n    DatabaseError,\n    RequiresTOTP\n}\n\n#[rocket::async_trait]\nimpl\u003c'r\u003e FromRequest\u003c'r\u003e for PartialUserInfo {\n    type Error = AuthenticationError;\n\n    async fn from_request(req: \u0026'r Request\u003c'_\u003e) -\u003e Outcome\u003cSelf, Self::Error\u003e {\n        let headers = req.headers();\n\n        // make sure the bearer token exists\n        if let Some(authorization) = headers.get_one(\"Authorization\") {\n            // parse bearer token\n            let components = authorization.split(' ').collect::\u003cVec\u003c\u0026str\u003e\u003e();\n\n            if components.len() != 2 \u0026\u0026 components.len() != 3 {\n                return Outcome::Failure((Status::Unauthorized, AuthenticationError::MissingToken));\n            }\n\n            if components[0] != \"Bearer\" {\n                return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(0)));\n            }\n\n            if components.len() == 2 \u0026\u0026 !components[1].starts_with(\"st-\") {\n                return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(1)));\n            }\n\n            let st: String;\n            let user_id: i64;\n            let at: Option\u003cString\u003e;\n\n            match \u0026components[1][..3] {\n                \"st-\" =\u003e {\n                    // validate session token\n                    st = components[1].to_string();\n                    match validate_session_token(st.clone(), req.rocket().state().unwrap()).await {\n                        Ok(uid) =\u003e user_id = uid,\n                        Err(_) =\u003e return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(2)))\n                    }\n                },\n                _ =\u003e return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(3)))\n            }\n\n            if components.len() == 3 {\n                match \u0026components[2][..3] {\n                    \"at-\" =\u003e {\n                        // validate auth token\n                        at = Some(components[2].to_string());\n                        match validate_auth_token(at.clone().unwrap().clone(), st.clone(), req.rocket().state().unwrap()).await {\n                            Ok(_) =\u003e (),\n                            Err(_) =\u003e return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(4)))\n                        }\n                    },\n                    _ =\u003e return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(5)))\n                }\n            } else {\n                at = None;\n            }\n\n            // this user is 100% valid and authenticated, fetch their info\n\n            let user = match sqlx::query!(\"SELECT * FROM users WHERE id = $1\", user_id.clone() as i32).fetch_one(req.rocket().state().unwrap()).await {\n                Ok(u) =\u003e u,\n                Err(_) =\u003e return Outcome::Failure((Status::InternalServerError, AuthenticationError::DatabaseError))\n            };\n\n            Outcome::Success(PartialUserInfo {\n                user_id: user_id as i32,\n                created_at: user.created_on as i64,\n                email: user.email,\n                has_totp_auth: at.is_some(),\n                session_id: st,\n                auth_id: at,\n            })\n        } else {\n            Outcome::Failure((Status::Unauthorized, AuthenticationError::MissingToken))\n        }\n    }\n}\n\npub struct TOTPAuthenticatedUserInfo {\n    pub user_id: i32,\n    pub created_at: i64,\n    pub email: String,\n}\n#[rocket::async_trait]\nimpl\u003c'r\u003e FromRequest\u003c'r\u003e for TOTPAuthenticatedUserInfo {\n    type Error = AuthenticationError;\n\n    async fn from_request(request: \u0026'r Request\u003c'_\u003e) -\u003e Outcome\u003cSelf, Self::Error\u003e {\n        let userinfo = PartialUserInfo::from_request(request).await;\n        match userinfo {\n            Outcome::Failure(e) =\u003e Outcome::Failure(e),\n            Outcome::Forward(f) =\u003e Outcome::Forward(f),\n            Outcome::Success(s) =\u003e {\n                if s.has_totp_auth {\n                    Outcome::Success(Self {\n                        user_id: s.user_id,\n                        created_at: s.created_at,\n                        email: s.email,\n                    })\n                } else {\n                    Outcome::Failure((Status::Unauthorized, AuthenticationError::RequiresTOTP))\n                }\n            }\n        }\n    }\n}","traces":[{"line":28,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":29,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":32,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":34,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":36,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":37,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":40,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":41,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":44,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":45,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":48,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":49,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":50,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":52,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":53,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":55,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":56,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":57,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":58,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":61,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":64,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":65,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":66,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":68,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":69,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":70,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":71,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":74,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":77,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":82,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":83,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":84,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":87,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":88,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":89,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":90,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":91,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":92,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":93,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":96,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":110,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":111,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":112,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":113,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":114,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":115,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":116,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":117,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":118,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":119,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":120,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":123,"address":[],"length":0,"stats":{"Line":0},"fn_name":null}],"covered":0,"coverable":52},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","config.rs"],"content":"use serde::Deserialize;\nuse url::Url;\n\n#[derive(Deserialize)]\npub struct TFConfig {\n    pub listen_port: u16,\n    pub db_url: String,\n    pub base: Url,\n    pub web_root: Url,\n    pub magic_links_valid_for: i64,\n    pub session_tokens_valid_for: i64,\n    pub totp_verification_valid_for: i64,\n    pub data_key: String\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","crypto.rs"],"content":"use std::error::Error;\nuse aes_gcm::{Aes256Gcm, KeyInit, Nonce};\nuse aes_gcm::aead::{Aead, Payload};\nuse crate::config::TFConfig;\n\npub fn get_cipher_from_config(config: \u0026TFConfig) -\u003e Result\u003cAes256Gcm, Box\u003cdyn Error\u003e\u003e {\n    let key_slice = hex::decode(\u0026config.data_key)?;\n    Ok(Aes256Gcm::new_from_slice(\u0026key_slice)?)\n}\n\npub fn encrypt_with_nonce(plaintext: \u0026[u8], nonce: [u8; 12], cipher: \u0026Aes256Gcm) -\u003e Result\u003cVec\u003cu8\u003e, aes_gcm::Error\u003e {\n    let nonce = Nonce::from_slice(\u0026nonce);\n    let ciphertext = cipher.encrypt(nonce, plaintext)?;\n    Ok(ciphertext)\n}\n\npub fn decrypt_with_nonce(ciphertext: \u0026[u8], nonce: [u8; 12], cipher: \u0026Aes256Gcm) -\u003e Result\u003cVec\u003cu8\u003e, aes_gcm::Error\u003e {\n    let nonce = Nonce::from_slice(\u0026nonce);\n    let plaintext = cipher.decrypt(nonce, Payload::from(ciphertext))?;\n    Ok(plaintext)\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","db.rs"],"content":"","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","format.rs"],"content":"use std::fmt::{Display, Formatter};\nuse crate::format::PEMValidationError::{IncorrectSegmentLength, InvalidBase64Data, MissingStartSentinel};\nuse crate::util::base64decode;\n\npub const ED_PUBKEY_START_STR: \u0026str = \"-----BEGIN NEBULA ED25519 PUBLIC KEY-----\";\npub const ED_PUBKEY_END_STR: \u0026str = \"-----END NEBULA ED25519 PUBLIC KEY-----\";\n\npub const DH_PUBKEY_START_STR: \u0026str = \"-----BEGIN NEBULA X25519 PUBLIC KEY-----\";\npub const DH_PUBKEY_END_STR: \u0026str = \"-----END NEBULA X25519 PUBLIC KEY-----\";\n\npub enum PEMValidationError {\n    MissingStartSentinel,\n    InvalidBase64Data,\n    MissingEndSentinel,\n    IncorrectSegmentLength(usize, usize)\n}\nimpl Display for PEMValidationError {\n    fn fmt(\u0026self, f: \u0026mut Formatter\u003c'_\u003e) -\u003e std::fmt::Result {\n        match self {\n            Self::MissingEndSentinel =\u003e write!(f, \"Missing ending sentinel\"),\n            Self::MissingStartSentinel =\u003e write!(f, \"Missing starting sentinel\"),\n            Self::InvalidBase64Data =\u003e write!(f, \"invalid base64 data\"),\n            Self::IncorrectSegmentLength(expected, got) =\u003e write!(f, \"incorrect number of segments, expected {} got {}\", expected, got)\n        }\n    }\n}\n\npub fn validate_ed_pubkey_pem(pubkey: \u0026str) -\u003e Result\u003c(), PEMValidationError\u003e {\n    let segments = pubkey.split('\\n');\n    let segs = segments.collect::\u003cVec\u003c\u0026str\u003e\u003e();\n    if segs.len() \u003c 3 {\n        return Err(IncorrectSegmentLength(3, segs.len()))\n    }\n    if segs[0] != ED_PUBKEY_START_STR {\n        return Err(MissingStartSentinel)\n    }\n    if base64decode(segs[1]).is_err() {\n        return Err(InvalidBase64Data)\n    }\n    if segs[2] != ED_PUBKEY_END_STR {\n        return Err(MissingStartSentinel)\n    }\n    Ok(())\n}\n\npub fn validate_dh_pubkey_pem(pubkey: \u0026str) -\u003e Result\u003c(), PEMValidationError\u003e {\n    let segments = pubkey.split('\\n');\n    let segs = segments.collect::\u003cVec\u003c\u0026str\u003e\u003e();\n    if segs.len() \u003c 3 {\n        return Err(IncorrectSegmentLength(3, segs.len()))\n    }\n    if segs[0] != DH_PUBKEY_START_STR {\n        return Err(MissingStartSentinel)\n    }\n    if base64decode(segs[1]).is_err() {\n        return Err(InvalidBase64Data)\n    }\n    if segs[2] != DH_PUBKEY_END_STR {\n        return Err(MissingStartSentinel)\n    }\n    Ok(())\n}\n\npub fn validate_ed_pubkey_base64(pubkey: \u0026str) -\u003e Result\u003c(), PEMValidationError\u003e {\n    match base64decode(pubkey) {\n        Ok(k) =\u003e validate_ed_pubkey_pem(match std::str::from_utf8(k.as_ref()) {\n            Ok(k) =\u003e k,\n            Err(_) =\u003e return Err(InvalidBase64Data)\n        }),\n        Err(_) =\u003e Err(InvalidBase64Data)\n    }\n}\n\npub fn validate_dh_pubkey_base64(pubkey: \u0026str) -\u003e Result\u003c(), PEMValidationError\u003e {\n    match base64decode(pubkey) {\n        Ok(k) =\u003e validate_dh_pubkey_pem(match std::str::from_utf8(k.as_ref()) {\n            Ok(k) =\u003e k,\n            Err(_) =\u003e return Err(InvalidBase64Data)\n        }),\n        Err(_) =\u003e Err(InvalidBase64Data)\n    }\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","main.rs"],"content":"extern crate core;\n\nuse std::error::Error;\nuse std::fs;\nuse std::path::Path;\nuse dotenvy::dotenv;\nuse log::{error, info};\nuse rocket::{catchers, Request, Response, routes};\nuse rocket::fairing::{Fairing, Info, Kind};\nuse rocket::http::Header;\nuse sqlx::migrate::Migrator;\nuse sqlx::postgres::PgPoolOptions;\nuse crate::config::TFConfig;\n\npub mod format;\npub mod util;\npub mod db;\npub mod config;\npub mod tokens;\npub mod routes;\npub mod auth;\npub mod crypto;\npub mod org;\n\nstatic MIGRATOR: Migrator = sqlx::migrate!();\n\npub struct CORS;\n\n#[rocket::async_trait]\nimpl Fairing for CORS {\n    fn info(\u0026self) -\u003e Info {\n        Info {\n            name: \"Add CORS headers to responses\",\n            kind: Kind::Response\n        }\n    }\n\n    async fn on_response\u003c'r\u003e(\u0026self, _request: \u0026'r Request\u003c'_\u003e, response: \u0026mut Response\u003c'r\u003e) {\n        response.set_header(Header::new(\"Access-Control-Allow-Origin\", \"*\"));\n        response.set_header(Header::new(\"Access-Control-Allow-Methods\", \"POST, GET, PATCH, OPTIONS\"));\n        response.set_header(Header::new(\"Access-Control-Allow-Headers\", \"*\"));\n        response.set_header(Header::new(\"Access-Control-Allow-Credentials\", \"true\"));\n    }\n}\n\n#[rocket::main]\nasync fn main() -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n    let _ = rocket::build();\n\n    info!(\"[tfapi] loading config\");\n\n    let _ = dotenv();\n\n    if std::env::var(\"CONFIG_FILE\").is_err() \u0026\u0026 !Path::new(\"config.toml\").exists() {\n        error!(\"[tfapi] fatal: the environment variable CONFIG_FILE is not set\");\n        error!(\"[tfapi]  help: try creating a .env file that sets it\");\n        error!(\"[tfapi]  help: or, create a file config.toml with your config, as it is loaded automatically\");\n        std::process::exit(1);\n    }\n\n    let config_file = if Path::new(\"config.toml\").exists() {\n        \"config.toml\".to_string()\n    } else {\n        std::env::var(\"CONFIG_FILE\").unwrap()\n    };\n\n    let config_data = match fs::read_to_string(\u0026config_file) {\n        Ok(d) =\u003e d,\n        Err(e) =\u003e {\n            error!(\"[tfapi] fatal: unable to read config from {}\", config_file);\n            error!(\"[tfapi] fatal: {}\", e);\n            std::process::exit(1);\n        }\n    };\n\n    let config: TFConfig = match toml::from_str(\u0026config_data) {\n        Ok(c) =\u003e c,\n        Err(e) =\u003e {\n            error!(\"[tfapi] fatal: unable to parse config from {}\", config_file);\n            error!(\"[tfapi] fatal: {}\", e);\n            std::process::exit(1);\n        }\n    };\n\n    info!(\"[tfapi] connecting to database pool\");\n\n    let pool = match PgPoolOptions::new().max_connections(5).connect(\u0026config.db_url).await {\n        Ok(p) =\u003e p,\n        Err(e) =\u003e {\n            error!(\"[tfapi] fatal: unable to connect to database pool\");\n            error!(\"[tfapi] fatal: {}\", e);\n            std::process::exit(1);\n        }\n    };\n\n    info!(\"[tfapi] running database migrations\");\n\n    MIGRATOR.run(\u0026pool).await?;\n\n    info!(\"[tfapi] building rocket config\");\n\n    let figment = rocket::Config::figment().merge((\"port\", config.listen_port));\n\n    let _ = rocket::custom(figment)\n        .mount(\"/\", routes![\n            crate::routes::v1::auth::magic_link::magiclink_request,\n            crate::routes::v1::auth::magic_link::options,\n            crate::routes::v1::signup::signup_request,\n            crate::routes::v1::signup::options,\n            crate::routes::v1::auth::verify_magic_link::verify_magic_link,\n            crate::routes::v1::auth::verify_magic_link::options,\n            crate::routes::v1::totp_authenticators::totp_authenticators_request,\n            crate::routes::v1::totp_authenticators::options,\n            crate::routes::v1::verify_totp_authenticator::verify_totp_authenticator_request,\n            crate::routes::v1::verify_totp_authenticator::options,\n            crate::routes::v1::auth::totp::totp_request,\n            crate::routes::v1::auth::totp::options,\n            crate::routes::v1::auth::check_session::check_session,\n            crate::routes::v1::auth::check_session::check_session_auth,\n            crate::routes::v1::auth::check_session::options,\n            crate::routes::v1::auth::check_session::options_auth,\n            crate::routes::v2::whoami::whoami_request,\n            crate::routes::v2::whoami::options,\n\n            crate::routes::v1::organization::options,\n            crate::routes::v1::organization::orgidoptions,\n            crate::routes::v1::organization::orginfo_req,\n            crate::routes::v1::organization::orglist_req,\n            crate::routes::v1::organization::create_org\n        ])\n        .register(\"/\", catchers![\n            crate::routes::handler_400,\n            crate::routes::handler_401,\n            crate::routes::handler_403,\n            crate::routes::handler_404,\n            crate::routes::handler_422,\n\n            crate::routes::handler_500,\n            crate::routes::handler_501,\n            crate::routes::handler_502,\n            crate::routes::handler_503,\n            crate::routes::handler_504,\n            crate::routes::handler_505,\n        ])\n        .attach(CORS)\n        .manage(pool)\n        .manage(config)\n        .launch().await?;\n\n    Ok(())\n}","traces":[{"line":38,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":39,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":40,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":41,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":42,"address":[],"length":0,"stats":{"Line":0},"fn_name":null}],"covered":0,"coverable":5},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","org.rs"],"content":"use std::error::Error;\nuse rocket::form::validate::Contains;\nuse sqlx::PgPool;\n\npub async fn get_org_by_owner_id(user: i32, db: \u0026PgPool) -\u003e Result\u003cOption\u003ci32\u003e, Box\u003cdyn Error\u003e\u003e {\n    Ok(match sqlx::query!(\"SELECT id FROM organizations WHERE owner = $1\", user).fetch_optional(db).await? {\n        Some(r) =\u003e Some(r.id),\n        None =\u003e None\n    })\n}\n\npub async fn get_orgs_by_assoc_id(user: i32, db: \u0026PgPool) -\u003e Result\u003cVec\u003ci32\u003e, Box\u003cdyn Error\u003e\u003e {\n    let res: Vec\u003c_\u003e = sqlx::query!(\"SELECT org_id FROM organization_authorized_users WHERE user_id = $1\", user).fetch_all(db).await?;\n\n    let mut ret = vec![];\n\n    for i in res {\n        ret.push(i.org_id);\n    }\n\n    Ok(ret)\n}\n\npub async fn get_users_by_assoc_org(org: i32, db: \u0026PgPool) -\u003e Result\u003cVec\u003ci32\u003e, Box\u003cdyn Error\u003e\u003e {\n    let res: Vec\u003c_\u003e = sqlx::query!(\"SELECT user_id FROM organization_authorized_users WHERE org_id = $1\", org).fetch_all(db).await?;\n\n    let mut ret = vec![];\n\n    for i in res {\n        ret.push(i.org_id);\n    }\n\n    Ok(ret)\n}\n\npub async fn get_associated_orgs(user: i32, db: \u0026PgPool) -\u003e Result\u003cVec\u003ci32\u003e, Box\u003cdyn Error\u003e\u003e {\n    let mut assoc_orgs = vec![];\n\n    if let Some(owned_org) = get_org_by_owner_id(user, db).await? {\n        assoc_orgs.push(owned_org);\n    }\n\n    assoc_orgs.append(\u0026mut get_orgs_by_assoc_id(user, db).await?);\n\n    Ok(assoc_orgs)\n}\n\npub async fn user_has_org_assoc(user: i32, org: i32, db: \u0026PgPool) -\u003e Result\u003cbool, Box\u003cdyn Error\u003e\u003e {\n    Ok(get_associated_orgs(user, db).await?.contains(org))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","mod.rs"],"content":"pub mod v1;\npub mod v2;\n\nuse rocket::catch;\nuse serde::{Serialize};\nuse rocket::http::Status;\n\npub const ERR_MSG_MALFORMED_REQUEST: \u0026str = \"unable to parse the request body - is it valid JSON, using correct types?\";\npub const ERR_MSG_MALFORMED_REQUEST_CODE: \u0026str = \"ERR_MALFORMED_REQUEST\";\n\n/*\nTODO:\n    /v1/auth/magic-link                         [done]\n    /v1/auth/totp                               [done]\n    /v1/auth/verify-magic-link                  [done]\n    /v1/hosts/host-{id}/enrollment-code\n    /v1/hosts/host-{id}/enrollment-code-check\n    /v1/hosts/host-{id}\n    /v1/roles/role-{id}\n    /v1/feature-flags\n    /v1/hosts\n    /v1/networks\n    /v1/roles\n    /v1/signup                                  [done]\n    /v1/totp-authenticators                     [done]\n    /v1/verify-totp-authenticator               [done]\n    /v1/dnclient\n    /v2/enroll\n    /v2/whoami                                  [in-progress]\n */\n\n#[derive(Serialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct APIError {\n    errors: Vec\u003cAPIErrorSingular\u003e\n}\n#[derive(Serialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct APIErrorSingular {\n    code: String,\n    message: String\n}\n\nmacro_rules! error_handler {\n    ($code: expr, $err: expr, $msg: expr) =\u003e {\n        ::paste::paste! {\n            #[catch($code)]\n            pub fn [\u003chandler_ $code\u003e]() -\u003e (Status, String) {\n                (Status::from_code($code).unwrap(), format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", $err, $msg))\n            }\n        }\n    };\n}\nerror_handler!(400, \"ERR_MALFORMED_REQUEST\", \"unable to parse the request body, is it properly formatted?\");\nerror_handler!(401, \"ERR_AUTHENTICATION_REQUIRED\", \"this endpoint requires authentication but it was not provided\");\nerror_handler!(403, \"ERR_UNAUTHORIZED\", \"authorization was provided but it is expired or invalid\");\nerror_handler!(404, \"ERR_NOT_FOUND\", \"resource not found\");\nerror_handler!(405, \"ERR_METHOD_NOT_ALLOWED\", \"method not allowed for this endpoint\");\nerror_handler!(422, \"ERR_MALFORMED_REQUEST\", \"unable to parse the request body, is it properly formatted?\");\n\nerror_handler!(500, \"ERR_QL_QUERY_FAILED\", \"graphql query timed out\");\nerror_handler!(501, \"ERR_NOT_IMPLEMENTED\", \"query not supported by this version of graphql\");\nerror_handler!(502, \"ERR_PROXY_ERR\", \"servers under load, please try again later\");\nerror_handler!(503, \"ERR_SERVER_OVERLOADED\", \"servers under load, please try again later\");\nerror_handler!(504, \"ERR_PROXY_TIMEOUT\", \"servers under load, please try again later\");\nerror_handler!(505, \"ERR_CLIENT_UNSUPPORTED\", \"your version of dnclient is out of date, please update\");\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","auth","check_session.rs"],"content":"use rocket::{post, options};\nuse crate::auth::{PartialUserInfo, TOTPAuthenticatedUserInfo};\n\n#[options(\"/v1/auth/check_session\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n#[post(\"/v1/auth/check_session\")]\npub async fn check_session(_user: PartialUserInfo) -\u003e \u0026'static str {\n    \"ok\"\n}\n\n#[options(\"/v1/auth/check_auth\")]\npub async fn options_auth() -\u003e \u0026'static str {\n    \"\"\n}\n\n\n#[post(\"/v1/auth/check_auth\")]\npub async fn check_session_auth(_user: TOTPAuthenticatedUserInfo) -\u003e \u0026'static str {\n    \"ok\"\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","auth","magic_link.rs"],"content":"use rocket::{post, State};\nuse rocket::serde::json::Json;\nuse serde::{Serialize, Deserialize};\nuse rocket::http::{ContentType, Status};\nuse sqlx::PgPool;\nuse crate::config::TFConfig;\nuse crate::tokens::send_magic_link;\nuse rocket::options;\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct MagicLinkRequest {\n    pub email: String,\n}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct MagicLinkResponseMetadata {}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct MagicLinkResponse {\n    pub data: Option\u003cString\u003e,\n    pub metadata: MagicLinkResponseMetadata,\n}\n\n\n#[options(\"/v1/auth/magic-link\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n#[post(\"/v1/auth/magic-link\", data = \"\u003creq\u003e\")]\npub async fn magiclink_request(req: Json\u003cMagicLinkRequest\u003e, pool: \u0026State\u003cPgPool\u003e, config: \u0026State\u003cTFConfig\u003e) -\u003e Result\u003c(ContentType, Json\u003cMagicLinkResponse\u003e), (Status, String)\u003e {\n    // figure out if the user already exists\n    let mut id = -1;\n    match sqlx::query!(\"SELECT id FROM users WHERE email = $1\", req.email.clone()).fetch_optional(pool.inner()).await {\n        Ok(res) =\u003e if let Some(r) = res { id = r.id as i64 },\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))\n        }\n    }\n\n    if id == -1 {\n        return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_UNAUTHORIZED\", \"authorization was provided but it is expired or invalid\")))\n    }\n\n    // send magic link to email\n    match send_magic_link(id, req.email.clone(), pool.inner(), config.inner()).await {\n        Ok(_) =\u003e (),\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))\n        }\n    };\n\n    // this endpoint doesn't actually ever return an error? it will send you the magic link no matter what\n    // this appears to do the exact same thing as /v1/auth/magic-link, but it doesn't check if you have an account (magic-link does)\n    Ok((ContentType::JSON, Json(MagicLinkResponse {\n        data: None,\n        metadata: MagicLinkResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","auth","mod.rs"],"content":"pub mod verify_magic_link;\npub mod magic_link;\npub mod totp;\npub mod check_session;","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","auth","totp.rs"],"content":"use rocket::http::{ContentType, Status};\nuse rocket::serde::json::Json;\nuse crate::auth::PartialUserInfo;\nuse serde::{Serialize, Deserialize};\nuse rocket::{post, State};\nuse sqlx::PgPool;\nuse rocket::options;\nuse crate::tokens::{generate_auth_token, get_totpmachine, user_has_totp};\n\npub const TOTP_GENERIC_UNAUTHORIZED_ERROR: \u0026str = \"{\\\"errors\\\":[{\\\"code\\\":\\\"ERR_INVALID_TOTP_CODE\\\",\\\"message\\\":\\\"invalid TOTP code (maybe it expired?)\\\",\\\"path\\\":\\\"code\\\"}]}\";\npub const TOTP_NO_TOTP_ERROR: \u0026str = \"{\\\"errors\\\":[{\\\"code\\\":\\\"ERR_NO_TOTP\\\",\\\"message\\\":\\\"logged-in user does not have totp enabled\\\",\\\"path\\\":\\\"code\\\"}]}\";\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpRequest {\n    pub code: String\n}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpResponseData {\n    #[serde(rename = \"authToken\")]\n    auth_token: String\n}\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpResponseMetadata {\n}\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpResponse {\n    data: TotpResponseData,\n    metadata: TotpResponseMetadata\n}\n\n#[options(\"/v1/auth/totp\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n\n#[post(\"/v1/auth/totp\", data = \"\u003creq\u003e\")]\npub async fn totp_request(req: Json\u003cTotpRequest\u003e, user: PartialUserInfo, db: \u0026State\u003cPgPool\u003e) -\u003e Result\u003c(ContentType, Json\u003cTotpResponse\u003e), (Status, String)\u003e {\n    if !match user_has_totp(user.user_id, db.inner()).await {\n        Ok(b) =\u003e b,\n        Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n    } {\n        return Err((Status::UnprocessableEntity, TOTP_NO_TOTP_ERROR.to_string()))\n    }\n\n    if user.has_totp_auth {\n        return Err((Status::BadRequest, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_TOTP_ALREADY_AUTHED\", \"user already has valid totp authentication\")))\n    }\n\n    let totpmachine = match get_totpmachine(user.user_id, db.inner()).await {\n        Ok(t) =\u003e t,\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n        }\n    };\n\n    if !totpmachine.check_current(\u0026req.0.code).unwrap_or(false) {\n        return Err((Status::Unauthorized, TOTP_GENERIC_UNAUTHORIZED_ERROR.to_string()))\n    }\n\n    Ok((ContentType::JSON, Json(TotpResponse {\n        data: TotpResponseData { auth_token: match generate_auth_token(user.user_id as i64, user.session_id, db.inner()).await {\n            Ok(t) =\u003e t,\n            Err(e) =\u003e { return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e))) }\n        } },\n        metadata: TotpResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","auth","verify_magic_link.rs"],"content":"use std::time::{SystemTime, UNIX_EPOCH};\nuse rocket::http::{ContentType, Status};\nuse rocket::serde::json::Json;\nuse serde::{Serialize, Deserialize};\nuse rocket::{post, State};\nuse sqlx::PgPool;\nuse crate::config::TFConfig;\nuse crate::tokens::generate_session_token;\nuse rocket::options;\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct VerifyMagicLinkRequest {\n    #[serde(rename = \"magicLinkToken\")]\n    pub magic_link_token: String,\n}\n\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyMagicLinkResponseMetadata {}\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyMagicLinkResponseData {\n    #[serde(rename = \"sessionToken\")]\n    pub session_token: String,\n}\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyMagicLinkResponse {\n    pub data: VerifyMagicLinkResponseData,\n    pub metadata: VerifyMagicLinkResponseMetadata,\n}\n\n#[options(\"/v1/auth/verify-magic-link\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n\n#[post(\"/v1/auth/verify-magic-link\", data = \"\u003creq\u003e\")]\npub async fn verify_magic_link(req: Json\u003cVerifyMagicLinkRequest\u003e, db: \u0026State\u003cPgPool\u003e, config: \u0026State\u003cTFConfig\u003e) -\u003e Result\u003c(ContentType, Json\u003cVerifyMagicLinkResponse\u003e), (Status, String)\u003e {\n    // get the current time to check if the token is expired\n    let (user_id, expired_at) = match sqlx::query!(\"SELECT user_id, expires_on FROM magic_links WHERE id = $1\", req.0.magic_link_token).fetch_one(db.inner()).await {\n        Ok(row) =\u003e (row.user_id, row.expires_on),\n        Err(e) =\u003e {\n            return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNAUTHORIZED\", \"this token is invalid\", e)))\n        }\n    };\n    let current_time = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i32;\n    println!(\"expired on {}, currently {}\", expired_at, current_time);\n    if expired_at \u003c current_time {\n        return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_UNAUTHORIZED\", \"valid authorization was provided but it is expired\")))\n    }\n\n    // generate session token\n    let token = match generate_session_token(user_id as i64, db.inner(), config.inner()).await {\n        Ok(t) =\u003e t,\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n        }\n    };\n\n    // delete the token\n    match sqlx::query!(\"DELETE FROM magic_links WHERE id = $1\", req.0.magic_link_token).execute(db.inner()).await {\n        Ok(_) =\u003e (),\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n        }\n    }\n\n    Ok((ContentType::JSON, Json(VerifyMagicLinkResponse {\n        data: VerifyMagicLinkResponseData { session_token: token },\n        metadata: VerifyMagicLinkResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","mod.rs"],"content":"pub mod auth;\npub mod signup;\n\npub mod totp_authenticators;\npub mod verify_totp_authenticator;\npub mod organization;","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","organization.rs"],"content":"use std::slice::from_raw_parts_mut;\nuse rocket::{get, post, options, State};\nuse rocket::http::{ContentType, Status};\nuse rocket::serde::json::Json;\nuse serde::{Serialize, Deserialize};\nuse sqlx::PgPool;\nuse crate::auth::TOTPAuthenticatedUserInfo;\nuse crate::config::TFConfig;\nuse crate::org::{get_associated_orgs, get_org_by_owner_id, get_users_by_assoc_org, user_has_org_assoc};\n\n#[options(\"/v1/orgs\")]\npub fn options() -\u003e \u0026'static str {\n    \"\"\n}\n#[options(\"/v1/org/\u003c_id\u003e\")]\npub fn orgidoptions(_id: i32) -\u003e \u0026'static str {\n    \"\"\n}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct OrglistStruct {\n    pub org_ids: Vec\u003ci32\u003e\n}\n\n\n#[get(\"/v1/orgs\")]\npub async fn orglist_req(user: TOTPAuthenticatedUserInfo, db: \u0026State\u003cPgPool\u003e) -\u003e Result\u003c(ContentType, Json\u003cOrglistStruct\u003e), (Status, String)\u003e {\n    // this endpoint lists the associated organizations this user has access to\n    let associated_orgs = match get_associated_orgs(user.user_id, db.inner()).await {\n        Ok(r) =\u003e r,\n        Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_DB_QUERY_FAILED\", \"an error occurred while running the database query\")))\n    };\n\n    Ok((ContentType::JSON, Json(OrglistStruct {\n        org_ids: associated_orgs\n    })))\n}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct OrginfoStruct {\n    pub org_id: i32,\n    pub owner_id: i32,\n    pub ca_crt: String,\n    pub authorized_users: Vec\u003ci32\u003e\n}\n\n#[get(\"/v1/org/\u003corgid\u003e\")]\npub async fn orginfo_req(orgid: i32, user: TOTPAuthenticatedUserInfo, db: \u0026State\u003cPgPool\u003e) -\u003e Result\u003c(ContentType, Json\u003cOrginfoStruct\u003e), (Status, String)\u003e {\n    if !user_has_org_assoc(orgid, user.user_id, db.inner()).await.map_err(|e| (Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))? {\n        return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_MISSING_ORG_AUTHORIZATION\", \"this user does not have permission to access this org\")));\n    }\n\n    let org = sqlx::query!(\"SELECT id, owner, ca_crt FROM organizations WHERE id = $1\", orgid).fetch_one(orgid).await.map_err(|e| (Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))?;\n    let authorized_users = get_users_by_assoc_org(orgid, db.inner()).await.map_err(|e| (Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))?;\n\n    Ok((ContentType::JSON, Json(\n        OrginfoStruct {\n            org_id: orgid,\n            owner_id: org.owner,\n            ca_crt: org.ca_crt,\n            authorized_users,\n        }\n    )))\n}\n\n#[post(\"/v1/org\")]\npub async fn create_org(user: TOTPAuthenticatedUserInfo, db: \u0026State\u003cPgPool\u003e, config: \u0026State\u003cTFConfig\u003e) -\u003e Result\u003c(ContentType, Json\u003cOrginfoStruct\u003e), (Status, String)\u003e {\n    if get_org_by_owner_id(user.user_id, db.inner()).await.map_err(|e| (Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))?.is_some() {\n        return Err((Status::Conflict, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_USER_OWNS_ORG\", \"a user can only own one organization at a time\")))\n    }\n\n    // we need to generate a keypair and CA certificate for this new org\n\n    Ok((ContentType::JSON, Json(\n        OrginfoStruct {\n            org_id: orgid,\n            owner_id: org.owner,\n            ca_crt: org.ca_crt,\n            authorized_users,\n        }\n    )))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","signup.rs"],"content":"use rocket::{post, State};\nuse rocket::serde::json::Json;\nuse serde::{Serialize, Deserialize};\nuse std::time::{SystemTime, UNIX_EPOCH};\nuse rocket::http::{ContentType, Status};\nuse sqlx::PgPool;\nuse crate::config::TFConfig;\nuse crate::tokens::send_magic_link;\nuse rocket::options;\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct SignupRequest {\n    pub email: String,\n}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct SignupResponseMetadata {}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct SignupResponse {\n    pub data: Option\u003cString\u003e,\n    pub metadata: SignupResponseMetadata,\n}\n/*\ncreated_on TIMESTAMP NOT NULL,\n\n    banned INTEGER NOT NULL,\n    ban_reason VARCHAR(1024) NOT NULL\n */\n#[options(\"/v1/signup\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n#[post(\"/v1/signup\", data = \"\u003creq\u003e\")]\npub async fn signup_request(req: Json\u003cSignupRequest\u003e, pool: \u0026State\u003cPgPool\u003e, config: \u0026State\u003cTFConfig\u003e) -\u003e Result\u003c(ContentType, Json\u003cSignupResponse\u003e), (Status, String)\u003e {\n    // figure out if the user already exists\n    let mut id = -1;\n    match sqlx::query!(\"SELECT id FROM users WHERE email = $1\", req.email.clone()).fetch_optional(pool.inner()).await {\n        Ok(res) =\u003e if let Some(r) = res { id = r.id as i64 },\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))\n        }\n    }\n\n    if id == -1 {\n        let id_res = match sqlx::query!(\"INSERT INTO users (email, created_on, banned, ban_reason, totp_secret, totp_otpurl, totp_verified) VALUES ($1, $2, $3, $4, $5, $6, $7) ON CONFLICT DO NOTHING RETURNING id;\", req.email, SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i64, 0, \"\", \"\", \"\", 0).fetch_one(pool.inner()).await {\n            Ok(row) =\u003e row.id,\n            Err(e) =\u003e {\n                return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))\n            }\n        };\n        id = id_res as i64;\n    }\n\n    // send magic link to email\n    match send_magic_link(id, req.email.clone(), pool.inner(), config.inner()).await {\n        Ok(_) =\u003e (),\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))\n        }\n    };\n\n    // this endpoint doesn't actually ever return an error? it will send you the magic link no matter what\n    // this appears to do the exact same thing as /v1/auth/magic-link, but it doesn't check if you have an account (magic-link does)\n    Ok((ContentType::JSON, Json(SignupResponse {\n        data: None,\n        metadata: SignupResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","totp_authenticators.rs"],"content":"use rocket::http::{ContentType, Status};\nuse rocket::serde::json::Json;\nuse rocket::{State, post};\nuse sqlx::PgPool;\nuse serde::{Serialize, Deserialize};\nuse crate::auth::PartialUserInfo;\nuse crate::config::TFConfig;\nuse crate::tokens::{create_totp_token, user_has_totp};\nuse rocket::options;\n\n#[derive(Deserialize)]\npub struct TotpAuthenticatorsRequest {}\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpAuthenticatorsResponseMetadata {}\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpAuthenticatorsResponseData {\n    #[serde(rename = \"totpToken\")]\n    pub totp_token: String,\n    pub secret: String,\n    pub url: String,\n}\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpAuthenticatorsResponse {\n    pub data: TotpAuthenticatorsResponseData,\n    pub metadata: TotpAuthenticatorsResponseMetadata,\n}\n\n#[options(\"/v1/totp-authenticators\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n\n#[post(\"/v1/totp-authenticators\", data = \"\u003c_req\u003e\")]\npub async fn totp_authenticators_request(_req: Json\u003cTotpAuthenticatorsRequest\u003e, user: PartialUserInfo, db: \u0026State\u003cPgPool\u003e, config: \u0026State\u003cTFConfig\u003e) -\u003e Result\u003c(ContentType, Json\u003cTotpAuthenticatorsResponse\u003e), (Status, String)\u003e {\n    if match user_has_totp(user.user_id, db.inner()).await {\n        Ok(b) =\u003e b,\n        Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n    } {\n        return Err((Status::BadRequest, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_TOTP_ALREADY_EXISTS\", \"this user already has a totp authenticator on their account\")))\n    }\n\n    // generate a totp token\n    let (totptoken, totpmachine) = match create_totp_token(user.email, db.inner(), config.inner()).await {\n        Ok(t) =\u003e t,\n        Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured issuing a totp token, try again later\", e)))\n    };\n\n    Ok((ContentType::JSON, Json(TotpAuthenticatorsResponse {\n        data: TotpAuthenticatorsResponseData {\n            totp_token: totptoken,\n            secret: totpmachine.get_secret_base32(),\n            url: totpmachine.get_url(),\n        },\n        metadata: TotpAuthenticatorsResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","verify_totp_authenticator.rs"],"content":"/*\n{\"totpToken\":\"totp-mH9eLzA9Q5WB-sg3Fq8CfkP13eTh3DxF25kVK2VEDOk\",\"code\":\"266242\"}\n{\"errors\":[{\"code\":\"ERR_INVALID_TOTP_TOKEN\",\"message\":\"TOTP token does not exist (maybe it expired?)\",\"path\":\"totpToken\"}]}\n\n\n{\"totpToken\":\"totp-gaUDaxPrrIBc8GEQ6z0vPisT8k0MEP1fgI8FA2ztLMw\",\"code\":\"175543\"}\n{\"data\":{\"authToken\":\"auth-O7mugxdYta-RKtLMqDW4j8XCJ85EfZKKezeZZXBYtFQ\"},\"metadata\":{}}\n*/\n\nuse rocket::http::{ContentType, Status};\nuse crate::auth::PartialUserInfo;\nuse rocket::post;\nuse rocket::serde::json::Json;\nuse rocket::State;\nuse serde::{Serialize, Deserialize};\nuse sqlx::PgPool;\nuse crate::tokens::{generate_auth_token, use_totp_token, verify_totp_token};\nuse rocket::options;\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyTotpAuthenticatorRequest {\n    #[serde(rename = \"totpToken\")]\n    pub totp_token: String,\n    pub code: String,\n}\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyTotpAuthenticatorResponseMetadata {}\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyTotpAuthenticatorResponseData {\n    #[serde(rename = \"authToken\")]\n    pub auth_token: String,\n}\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyTotpAuthenticatorResponse {\n    pub data: VerifyTotpAuthenticatorResponseData,\n    pub metadata: VerifyTotpAuthenticatorResponseMetadata,\n}\n\n#[options(\"/v1/verify-totp-authenticator\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n\n#[post(\"/v1/verify-totp-authenticator\", data = \"\u003creq\u003e\")]\npub async fn verify_totp_authenticator_request(req: Json\u003cVerifyTotpAuthenticatorRequest\u003e, db: \u0026State\u003cPgPool\u003e, user: PartialUserInfo) -\u003e Result\u003c(ContentType, Json\u003cVerifyTotpAuthenticatorResponse\u003e), (Status, String)\u003e {\n    let totpmachine = match verify_totp_token(req.0.totp_token.clone(), user.email.clone(), db.inner()).await {\n        Ok(t) =\u003e t,\n        Err(e) =\u003e return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNAUTHORIZED\", \"this token is invalid\", e)))\n    };\n    if !totpmachine.check_current(\u0026req.0.code).unwrap() {\n        return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\",\\\"path\\\":\\\"totpToken\\\"}}]}}\", \"ERR_INVALID_TOTP_CODE\", \"Invalid TOTP code\")))\n    }\n    match use_totp_token(req.0.totp_token, user.email, db.inner()).await {\n        Ok(_) =\u003e (),\n        Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n    }\n    Ok((ContentType::JSON, Json(VerifyTotpAuthenticatorResponse {\n        data: VerifyTotpAuthenticatorResponseData { auth_token: match generate_auth_token(user.user_id as i64, user.session_id, db.inner()).await {\n            Ok(at) =\u003e at,\n            Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n        } },\n        metadata: VerifyTotpAuthenticatorResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v2","mod.rs"],"content":"pub mod whoami;","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v2","whoami.rs"],"content":"use chrono::{NaiveDateTime, Utc};\nuse serde::{Serialize, Deserialize};\nuse rocket::{options, get, State};\nuse rocket::http::{ContentType, Status};\nuse rocket::serde::json::Json;\nuse sqlx::PgPool;\nuse crate::auth::PartialUserInfo;\nuse crate::tokens::user_has_totp;\n\n#[derive(Serialize, Deserialize)]\npub struct WhoamiMetadata {}\n\n#[derive(Serialize, Deserialize)]\npub struct WhoamiActor {\n    pub id: String,\n    #[serde(rename = \"organizationID\")]\n    pub organization_id: String,\n    pub email: String,\n    #[serde(rename = \"createdAt\")]\n    pub created_at: String,\n    #[serde(rename = \"hasTOTPAuthenticator\")]\n    pub has_totpauthenticator: bool,\n}\n\n#[derive(Serialize, Deserialize)]\npub struct WhoamiData {\n    #[serde(rename = \"actorType\")]\n    pub actor_type: String,\n    pub actor: WhoamiActor,\n}\n\n#[derive(Serialize, Deserialize)]\npub struct WhoamiResponse {\n    pub data: WhoamiData,\n    pub metadata: WhoamiMetadata,\n}\n\n#[options(\"/v2/whoami\")]\npub fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n#[get(\"/v2/whoami\")]\npub async fn whoami_request(user: PartialUserInfo, db: \u0026State\u003cPgPool\u003e) -\u003e Result\u003c(ContentType, Json\u003cWhoamiResponse\u003e), (Status, String)\u003e {\n    Ok((ContentType::JSON, Json(WhoamiResponse {\n        data: WhoamiData {\n            actor_type: \"user\".to_string(),\n            actor: WhoamiActor {\n                id: user.user_id.to_string(),\n                organization_id: \"TEMP_ORG_BECAUSE_THAT_ISNT_IMPLEMENTED_YET\".to_string(),\n                email: user.email,\n                created_at: NaiveDateTime::from_timestamp_opt(user.created_at, 0).unwrap().and_local_timezone(Utc).unwrap().to_rfc3339(),\n                has_totpauthenticator: match user_has_totp(user.user_id, db.inner()).await {\n                    Ok(b) =\u003e b,\n                    Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_DBERROR\", \"an error occured trying to verify your user\", e)))\n                },\n            }\n        },\n        metadata: WhoamiMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","tokens.rs"],"content":"use std::error::Error;\nuse log::info;\nuse sqlx::PgPool;\nuse uuid::Uuid;\nuse crate::config::TFConfig;\nuse std::time::SystemTime;\nuse std::time::UNIX_EPOCH;\nuse totp_rs::{Secret, TOTP};\nuse crate::util::{TOTP_ALGORITHM, TOTP_DIGITS, TOTP_ISSUER, TOTP_SKEW, TOTP_STEP};\n\n// https://admin.defined.net/auth/magic-link?email=coredoescode%40gmail.com\u0026token=ml-ckBsgw_5IdK5VYgseBYcoV_v_cQjtdq1re_RhDu_MKg\npub async fn send_magic_link(id: i64, email: String, db: \u0026PgPool, config: \u0026TFConfig) -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n    let otp = format!(\"ml-{}\", Uuid::new_v4());\n    let otp_url = config.web_root.join(\u0026format!(\"/auth/magic-link?email={}\u0026token={}\", urlencoding::encode(\u0026email.clone()), otp.clone())).unwrap();\n    sqlx::query!(\"INSERT INTO magic_links (id, user_id, expires_on) VALUES ($1, $2, $3) ON CONFLICT DO NOTHING;\", otp, id as i32, SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i32 + config.magic_links_valid_for as i32).execute(db).await?;\n    // TODO: send email\n    info!(\"sent magic link {} to {}, valid for {} seconds\", otp_url, email.clone(), config.magic_links_valid_for);\n    Ok(())\n}\n\npub async fn generate_session_token(user_id: i64, db: \u0026PgPool, config: \u0026TFConfig) -\u003e Result\u003cString, Box\u003cdyn Error\u003e\u003e {\n    let token = format!(\"st-{}\", Uuid::new_v4());\n    sqlx::query!(\"INSERT INTO session_tokens (id, user_id, expires_on) VALUES ($1, $2, $3) ON CONFLICT DO NOTHING;\", token, user_id as i32, SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i32 + config.session_tokens_valid_for as i32).execute(db).await?;\n    Ok(token)\n}\npub async fn validate_session_token(token: String, db: \u0026PgPool) -\u003e Result\u003ci64, Box\u003cdyn Error\u003e\u003e {\n    Ok(sqlx::query!(\"SELECT user_id FROM session_tokens WHERE id = $1 AND expires_on \u003e $2\", token, SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i32).fetch_one(db).await?.user_id as i64)\n}\n\npub async fn generate_auth_token(user_id: i64, session_id: String, db: \u0026PgPool) -\u003e Result\u003cString, Box\u003cdyn Error\u003e\u003e {\n    let token = format!(\"at-{}\", Uuid::new_v4());\n    sqlx::query!(\"INSERT INTO auth_tokens (id, session_token, user_id) VALUES ($1, $2, $3) ON CONFLICT DO NOTHING;\", token, session_id, user_id as i32).execute(db).await?;\n    Ok(token)\n}\npub async fn validate_auth_token(token: String, session_id: String, db: \u0026PgPool) -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n    validate_session_token(session_id.clone(), db).await?;\n    sqlx::query!(\"SELECT * FROM auth_tokens WHERE id = $1 AND session_token = $2\", token, session_id).fetch_one(db).await?;\n    Ok(())\n}\n\n\n/*\nCREATE TABLE totp_create_tokens (\n    id VARCHAR(39) NOT NULL PRIMARY KEY,\n    expires_on INTEGER NOT NULL,\n    totp_otpurl VARCHAR(3000) NOT NULL,\n    totp_secret VARCHAR(128) NOT NULL\n);\n */\n\npub async fn create_totp_token(email: String, db: \u0026PgPool, config: \u0026TFConfig) -\u003e Result\u003c(String, TOTP), Box\u003cdyn Error\u003e\u003e {\n    // create the TOTP parameters\n\n    let secret = Secret::generate_secret();\n    let totpmachine = TOTP::new(TOTP_ALGORITHM, TOTP_DIGITS, TOTP_SKEW, TOTP_STEP, secret.to_bytes().unwrap(), Some(TOTP_ISSUER.to_string()), email).unwrap();\n    let otpurl = totpmachine.get_url();\n    let otpsecret = totpmachine.get_secret_base32();\n\n    let otpid = format!(\"totp-{}\", Uuid::new_v4());\n\n    sqlx::query!(\"INSERT INTO totp_create_tokens (id, expires_on, totp_otpurl, totp_secret) VALUES ($1, $2, $3, $4);\", otpid.clone(), (SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i64 + config.totp_verification_valid_for) as i32, otpurl, otpsecret).execute(db).await?;\n\n    Ok((otpid, totpmachine))\n}\n\npub async fn verify_totp_token(otpid: String, email: String, db: \u0026PgPool) -\u003e Result\u003cTOTP, Box\u003cdyn Error\u003e\u003e {\n    let totprow = sqlx::query!(\"SELECT * FROM totp_create_tokens WHERE id = $1 AND expires_on \u003e $2\", otpid, SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i32).fetch_one(db).await?;\n    let secret = Secret::Encoded(totprow.totp_secret);\n    let totpmachine = TOTP::new(TOTP_ALGORITHM, TOTP_DIGITS, TOTP_SKEW, TOTP_STEP, secret.to_bytes().unwrap(), Some(TOTP_ISSUER.to_string()), email).unwrap();\n\n    if totpmachine.get_url() != totprow.totp_otpurl {\n        return Err(\"OTPURLs do not match (email does not match?)\".into())\n    }\n\n    Ok(totpmachine)\n}\n\npub async fn use_totp_token(otpid: String, email: String, db: \u0026PgPool) -\u003e Result\u003cTOTP, Box\u003cdyn Error\u003e\u003e {\n    let totpmachine = verify_totp_token(otpid.clone(), email.clone(), db).await?;\n    sqlx::query!(\"DELETE FROM totp_create_tokens WHERE id = $1\", otpid).execute(db).await?;\n    sqlx::query!(\"UPDATE users SET totp_otpurl = $1, totp_secret = $2, totp_verified = 1 WHERE email = $3\", totpmachine.get_url(), totpmachine.get_secret_base32(), email).execute(db).await?;\n    Ok(totpmachine)\n}\n\npub async fn get_totpmachine(user: i32, db: \u0026PgPool) -\u003e Result\u003cTOTP, Box\u003cdyn Error\u003e\u003e {\n    let user = sqlx::query!(\"SELECT totp_secret, totp_otpurl, email FROM users WHERE id = $1\", user).fetch_one(db).await?;\n    let secret = Secret::Encoded(user.totp_secret);\n    Ok(TOTP::new(TOTP_ALGORITHM, TOTP_DIGITS, TOTP_SKEW, TOTP_STEP, secret.to_bytes().unwrap(), Some(TOTP_ISSUER.to_string()), user.email).unwrap())\n}\n\npub async fn user_has_totp(user: i32, db: \u0026PgPool) -\u003e Result\u003cbool, Box\u003cdyn Error\u003e\u003e {\n    Ok(sqlx::query!(\"SELECT totp_verified FROM users WHERE id = $1\", user).fetch_one(db).await?.totp_verified == 1)\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","util.rs"],"content":"use base64::Engine;\nuse totp_rs::Algorithm;\n\npub const TOTP_ALGORITHM: Algorithm = Algorithm::SHA1;\npub const TOTP_DIGITS: usize = 6;\npub const TOTP_SKEW: u8 = 1;\npub const TOTP_STEP: u64 = 30;\npub const TOTP_ISSUER: \u0026str = \"trifidapi\";\n\npub fn base64decode(val: \u0026str) -\u003e Result\u003cVec\u003cu8\u003e, base64::DecodeError\u003e {\n    base64::engine::general_purpose::STANDARD.decode(val)\n}\npub fn base64encode(val: Vec\u003cu8\u003e) -\u003e String {\n    base64::engine::general_purpose::STANDARD.encode(val)\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-pki","src","ca.rs"],"content":"//! Structs to represent a pool of CA's and blacklisted certificates\n\nuse std::collections::HashMap;\nuse std::error::Error;\nuse std::fmt::{Display, Formatter};\nuse std::time::SystemTime;\nuse ed25519_dalek::VerifyingKey;\nuse crate::cert::{deserialize_nebula_certificate_from_pem, NebulaCertificate};\n\n/// A pool of trusted CA certificates, and certificates that should be blocked.\n/// This is equivalent to the `pki` section in a typical Nebula config.yml.\n#[derive(Default)]\npub struct NebulaCAPool {\n    /// The list of CA root certificates that should be trusted.\n    pub cas: HashMap\u003cString, NebulaCertificate\u003e,\n    /// The list of blocklisted certificate fingerprints\n    pub cert_blocklist: Vec\u003cString\u003e,\n    /// True if any of the member CAs certificates are expired. Must be handled.\n    pub expired: bool\n}\n\nimpl NebulaCAPool {\n    /// Create a new, blank CA pool\n    pub fn new() -\u003e Self {\n        Self::default()\n    }\n\n    /// Create a new CA pool from a set of PEM encoded CA certificates.\n    /// If any of the certificates are expired, the pool will **still be returned**, with the expired flag set.\n    /// This must be handled properly.\n    /// # Errors\n    /// This function will return an error if PEM data provided was invalid.\n    pub fn new_from_pem(bytes: \u0026[u8]) -\u003e Result\u003cSelf, Box\u003cdyn Error\u003e\u003e {\n        let pems = pem::parse_many(bytes)?;\n\n        let mut pool = Self::new();\n\n        for cert in pems {\n            match pool.add_ca_certificate(pem::encode(\u0026cert).as_bytes()) {\n                Ok(did_expire) =\u003e if did_expire { pool.expired = true },\n                Err(e) =\u003e return Err(e)\n            }\n        }\n\n        Ok(pool)\n    }\n\n    /// Add a given CA certificate to the CA pool. If the certificate is expired, it will **still be added** - the return value will be `true` instead of `false`\n    /// # Errors\n    /// This function will return an error if the certificate is invalid in any way.\n    pub fn add_ca_certificate(\u0026mut self, bytes: \u0026[u8]) -\u003e Result\u003cbool, Box\u003cdyn Error\u003e\u003e {\n        let cert = deserialize_nebula_certificate_from_pem(bytes)?;\n\n        if !cert.details.is_ca {\n            return Err(CaPoolError::NotACA.into())\n        }\n\n        if !cert.check_signature(\u0026VerifyingKey::from_bytes(\u0026cert.details.public_key)?)? {\n            return Err(CaPoolError::NotSelfSigned.into())\n        }\n\n        let fingerprint = cert.sha256sum()?;\n        let expired = cert.expired(SystemTime::now());\n\n        if expired { self.expired = true }\n\n        self.cas.insert(fingerprint, cert);\n\n       Ok(expired)\n    }\n\n    /// Blocklist the given certificate in the CA pool\n    pub fn blocklist_fingerprint(\u0026mut self, fingerprint: \u0026str) {\n        self.cert_blocklist.push(fingerprint.to_string());\n    }\n\n    /// Clears the list of blocklisted fingerprints\n    pub fn reset_blocklist(\u0026mut self) {\n        self.cert_blocklist = vec![];\n    }\n\n    /// Checks if the given certificate is blocklisted\n    pub fn is_blocklisted(\u0026self, cert: \u0026NebulaCertificate) -\u003e bool {\n        let Ok(h) = cert.sha256sum() else { return false };\n        self.cert_blocklist.contains(\u0026h)\n    }\n\n    /// Gets the CA certificate used to sign the given certificate\n    /// # Errors\n    /// This function will return an error if the certificate does not have an issuer attached (it is self-signed)\n    pub fn get_ca_for_cert(\u0026self, cert: \u0026NebulaCertificate) -\u003e Result\u003cOption\u003c\u0026NebulaCertificate\u003e, Box\u003cdyn Error\u003e\u003e {\n        if cert.details.issuer == String::new() {\n            return Err(CaPoolError::NoIssuer.into())\n        }\n\n        Ok(self.cas.get(\u0026cert.details.issuer))\n    }\n\n    /// Get a list of trusted CA fingerprints\n    pub fn get_fingerprints(\u0026self) -\u003e Vec\u003c\u0026String\u003e {\n        self.cas.keys().collect()\n    }\n}\n\n#[derive(Debug)]\n/// A list of errors that can happen when working with a CA Pool\npub enum CaPoolError {\n    /// Tried to add a non-CA cert to the CA pool\n    NotACA,\n    /// Tried to add a non-self-signed cert to the CA pool (all CAs must be root certificates)\n    NotSelfSigned,\n    /// Tried to look up a certificate that does not have an issuer field\n    NoIssuer\n}\nimpl Error for CaPoolError {}\nimpl Display for CaPoolError {\n    fn fmt(\u0026self, f: \u0026mut Formatter\u003c'_\u003e) -\u003e std::fmt::Result {\n        match self {\n            Self::NotACA =\u003e write!(f, \"Tried to add a non-CA cert to the CA pool\"),\n            Self::NotSelfSigned =\u003e write!(f, \"Tried to add a non-self-signed cert to the CA pool (all CAs must be root certificates)\"),\n            Self::NoIssuer =\u003e write!(f, \"Tried to look up a certificate with a null issuer field\")\n        }\n    }\n}","traces":[{"line":24,"address":[443744],"length":1,"stats":{"Line":1},"fn_name":"new"},{"line":25,"address":[443752],"length":1,"stats":{"Line":1},"fn_name":null},{"line":33,"address":[444586,443776,444900],"length":1,"stats":{"Line":1},"fn_name":"new_from_pem"},{"line":34,"address":[443809,443943],"length":1,"stats":{"Line":1},"fn_name":null},{"line":36,"address":[443933],"length":1,"stats":{"Line":1},"fn_name":null},{"line":38,"address":[444836,444165,444715,444071],"length":1,"stats":{"Line":3},"fn_name":null},{"line":39,"address":[444387,444548,444466],"length":1,"stats":{"Line":3},"fn_name":null},{"line":40,"address":[444807,444597],"length":1,"stats":{"Line":2},"fn_name":null},{"line":41,"address":[444634],"length":1,"stats":{"Line":0},"fn_name":null},{"line":45,"address":[444841],"length":1,"stats":{"Line":1},"fn_name":null},{"line":51,"address":[446350,444928],"length":1,"stats":{"Line":1},"fn_name":"add_ca_certificate"},{"line":52,"address":[445000,445158],"length":1,"stats":{"Line":1},"fn_name":null},{"line":54,"address":[445138],"length":1,"stats":{"Line":1},"fn_name":null},{"line":55,"address":[445327,445238],"length":1,"stats":{"Line":0},"fn_name":null},{"line":58,"address":[445352,445594,445231],"length":1,"stats":{"Line":3},"fn_name":null},{"line":59,"address":[445763],"length":1,"stats":{"Line":0},"fn_name":null},{"line":62,"address":[445839,445756,445957],"length":1,"stats":{"Line":2},"fn_name":null},{"line":63,"address":[446114,445929],"length":1,"stats":{"Line":2},"fn_name":null},{"line":65,"address":[446264,446141],"length":1,"stats":{"Line":2},"fn_name":null},{"line":67,"address":[446145,446278],"length":1,"stats":{"Line":2},"fn_name":null},{"line":69,"address":[446294],"length":1,"stats":{"Line":1},"fn_name":null},{"line":73,"address":[446400],"length":1,"stats":{"Line":1},"fn_name":"blocklist_fingerprint"},{"line":74,"address":[446419],"length":1,"stats":{"Line":1},"fn_name":null},{"line":78,"address":[446528,446464],"length":1,"stats":{"Line":1},"fn_name":"reset_blocklist"},{"line":79,"address":[446482,446560],"length":1,"stats":{"Line":2},"fn_name":null},{"line":83,"address":[446592,446880,446852],"length":1,"stats":{"Line":1},"fn_name":"is_blocklisted"},{"line":84,"address":[446734,446614,446791],"length":1,"stats":{"Line":1},"fn_name":null},{"line":85,"address":[446761,446813],"length":1,"stats":{"Line":2},"fn_name":null},{"line":91,"address":[446896,447030],"length":1,"stats":{"Line":1},"fn_name":"get_ca_for_cert"},{"line":92,"address":[446929],"length":1,"stats":{"Line":1},"fn_name":null},{"line":93,"address":[447095],"length":1,"stats":{"Line":0},"fn_name":null},{"line":96,"address":[447062],"length":1,"stats":{"Line":1},"fn_name":null},{"line":100,"address":[447136],"length":1,"stats":{"Line":1},"fn_name":"get_fingerprints"},{"line":101,"address":[447155],"length":1,"stats":{"Line":1},"fn_name":null},{"line":117,"address":[447200],"length":1,"stats":{"Line":0},"fn_name":"fmt"},{"line":118,"address":[447227],"length":1,"stats":{"Line":0},"fn_name":null},{"line":119,"address":[447259],"length":1,"stats":{"Line":0},"fn_name":null},{"line":120,"address":[447316],"length":1,"stats":{"Line":0},"fn_name":null},{"line":121,"address":[447373],"length":1,"stats":{"Line":0},"fn_name":null}],"covered":30,"coverable":39},{"path":["/","home","core","prj","e3t","trifid","trifid-pki","src","cert.rs"],"content":"//! Manage Nebula PKI Certificates\n//! This is pretty much a direct port of nebula/cert/cert.go\n\nuse std::error::Error;\nuse std::fmt::{Display, Formatter};\nuse std::net::Ipv4Addr;\nuse std::ops::Add;\nuse std::time::{Duration, SystemTime, UNIX_EPOCH};\nuse ed25519_dalek::{Signature, Signer, SigningKey, Verifier, VerifyingKey};\nuse ipnet::{Ipv4Net};\nuse pem::Pem;\nuse quick_protobuf::{BytesReader, MessageRead, MessageWrite, Writer};\nuse sha2::Sha256;\nuse crate::ca::NebulaCAPool;\nuse crate::cert_codec::{RawNebulaCertificate, RawNebulaCertificateDetails};\nuse sha2::Digest;\n\n/// The length, in bytes, of public keys\npub const PUBLIC_KEY_LENGTH: i32 = 32;\n\n/// The PEM banner for certificates\npub const CERT_BANNER: \u0026str = \"NEBULA CERTIFICATE\";\n/// The PEM banner for X25519 private keys\npub const X25519_PRIVATE_KEY_BANNER: \u0026str = \"NEBULA X25519 PRIVATE KEY\";\n/// The PEM banner for X25519 public keys\npub const X25519_PUBLIC_KEY_BANNER: \u0026str = \"NEBULA X25519 PUBLIC KEY\";\n/// The PEM banner for Ed25519 private keys\npub const ED25519_PRIVATE_KEY_BANNER: \u0026str = \"NEBULA ED25519 PRIVATE KEY\";\n/// The PEM banner for Ed25519 public keys\npub const ED25519_PUBLIC_KEY_BANNER: \u0026str = \"NEBULA ED25519 PUBLIC KEY\";\n\n/// A Nebula PKI certificate\n#[derive(Debug, Clone)]\npub struct NebulaCertificate {\n    /// The signed data of this certificate\n    pub details: NebulaCertificateDetails,\n    /// The Ed25519 signature of this certificate\n    pub signature: Vec\u003cu8\u003e\n}\n\n/// The signed details contained in a Nebula PKI certificate\n#[derive(Debug, Clone)]\npub struct NebulaCertificateDetails {\n    /// The name of the identity this certificate was issued for\n    pub name: String,\n    /// The IPv4 addresses issued to this node\n    pub ips: Vec\u003cIpv4Net\u003e,\n    /// The IPv4 subnets this node is responsible for routing\n    pub subnets: Vec\u003cIpv4Net\u003e,\n    /// The groups this node is a part of\n    pub groups: Vec\u003cString\u003e,\n    /// Certificate start date and time\n    pub not_before: SystemTime,\n    /// Certificate expiry date and time\n    pub not_after: SystemTime,\n    /// Public key\n    pub public_key: [u8; PUBLIC_KEY_LENGTH as usize],\n    /// Is this node a CA?\n    pub is_ca: bool,\n    /// SHA256 of issuer certificate. If blank, this cert is self-signed.\n    pub issuer: String\n}\n\n/// A list of errors that can occur parsing certificates\n#[derive(Debug)]\npub enum CertificateError {\n    /// Attempted to deserialize a certificate from an empty byte array\n    EmptyByteArray,\n    /// The encoded Details field is null\n    NilDetails,\n    /// The encoded Ips field is not formatted correctly\n    IpsNotPairs,\n    /// The encoded Subnets field is not formatted correctly\n    SubnetsNotPairs,\n    /// Signatures are expected to be 64 bytes but the signature on the certificate was a different length\n    WrongSigLength,\n    /// Public keys are expected to be 32 bytes but the public key on this cert is not\n    WrongKeyLength,\n    /// Certificates should have the PEM tag `NEBULA CERTIFICATE`, but this block did not\n    WrongPemTag,\n    /// This certificate either is not yet valid or has already expired\n    Expired,\n    /// The public key does not match the expected value\n    KeyMismatch\n}\nimpl Display for CertificateError {\n    fn fmt(\u0026self, f: \u0026mut Formatter\u003c'_\u003e) -\u003e std::fmt::Result {\n        match self {\n            Self::EmptyByteArray =\u003e write!(f, \"Certificate bytearray is empty\"),\n            Self::NilDetails =\u003e write!(f, \"The encoded Details field is null\"),\n            Self::IpsNotPairs =\u003e write!(f, \"encoded IPs should be in pairs, an odd number was found\"),\n            Self::SubnetsNotPairs =\u003e write!(f, \"encoded subnets should be in pairs, an odd number was found\"),\n            Self::WrongSigLength =\u003e write!(f, \"Signature should be 64 bytes but is a different size\"),\n            Self::WrongKeyLength =\u003e write!(f, \"Public keys are expected to be 32 bytes but the public key on this cert is not\"),\n            Self::WrongPemTag =\u003e write!(f, \"Certificates should have the PEM tag `NEBULA CERTIFICATE`, but this block did not\"),\n            Self::Expired =\u003e write!(f, \"This certificate either is not yet valid or has already expired\"),\n            Self::KeyMismatch =\u003e write!(f, \"Key does not match expected value\")\n        }\n    }\n}\nimpl Error for CertificateError {}\n\nfn map_cidr_pairs(pairs: \u0026[u32]) -\u003e Result\u003cVec\u003cIpv4Net\u003e, Box\u003cdyn Error\u003e\u003e {\n    let mut res_vec = vec![];\n    for pair in pairs.chunks(2) {\n        res_vec.push(Ipv4Net::with_netmask(Ipv4Addr::from(pair[0]), Ipv4Addr::from(pair[1]))?);\n    }\n    Ok(res_vec)\n}\n\nimpl Display for NebulaCertificate {\n    #[allow(clippy::unwrap_used)]\n    fn fmt(\u0026self, f: \u0026mut Formatter\u003c'_\u003e) -\u003e std::fmt::Result {\n        writeln!(f, \"NebulaCertificate {{\")?;\n        writeln!(f, \"   Details {{\")?;\n        writeln!(f, \"       Name: {}\", self.details.name)?;\n        writeln!(f, \"       Ips: {:?}\", self.details.ips)?;\n        writeln!(f, \"       Subnets: {:?}\", self.details.subnets)?;\n        writeln!(f, \"       Groups: {:?}\", self.details.groups)?;\n        writeln!(f, \"       Not before: {:?}\", self.details.not_before)?;\n        writeln!(f, \"       Not after: {:?}\", self.details.not_after)?;\n        writeln!(f, \"       Is CA: {}\", self.details.is_ca)?;\n        writeln!(f, \"       Issuer: {}\", self.details.issuer)?;\n        writeln!(f, \"       Public key: {}\", hex::encode(self.details.public_key))?;\n        writeln!(f, \"   }}\")?;\n        writeln!(f, \"   Fingerprint: {}\", self.sha256sum().unwrap())?;\n        writeln!(f, \"   Signature: {}\", hex::encode(self.signature.clone()))?;\n        writeln!(f, \"}}\")\n    }\n}\n\n/// Given a protobuf-encoded certificate bytearray, deserialize it into a `NebulaCertificate` object.\n/// # Errors\n/// This function will return an error if there is a protobuf parsing error, or if the certificate data is invalid.\n/// # Panics\npub fn deserialize_nebula_certificate(bytes: \u0026[u8]) -\u003e Result\u003cNebulaCertificate, Box\u003cdyn Error\u003e\u003e {\n    if bytes.is_empty() {\n        return Err(CertificateError::EmptyByteArray.into())\n    }\n\n    let mut reader = BytesReader::from_bytes(bytes);\n\n    let raw_cert = RawNebulaCertificate::from_reader(\u0026mut reader, bytes)?;\n\n    let details = raw_cert.Details.ok_or(CertificateError::NilDetails)?;\n\n    if details.Ips.len() % 2 != 0 {\n        return Err(CertificateError::IpsNotPairs.into())\n    }\n\n    if details.Subnets.len() % 2 != 0 {\n        return Err(CertificateError::SubnetsNotPairs.into())\n    }\n\n    let mut nebula_cert;\n    #[allow(clippy::cast_sign_loss)]\n    {\n        nebula_cert = NebulaCertificate {\n            details: NebulaCertificateDetails {\n                name: details.Name.to_string(),\n                ips: map_cidr_pairs(\u0026details.Ips)?,\n                subnets: map_cidr_pairs(\u0026details.Subnets)?,\n                groups: details.Groups.iter().map(std::string::ToString::to_string).collect(),\n                not_before: SystemTime::UNIX_EPOCH.add(Duration::from_secs(details.NotBefore as u64)),\n                not_after: SystemTime::UNIX_EPOCH.add(Duration::from_secs(details.NotAfter as u64)),\n                public_key: [0u8; 32],\n                is_ca: details.IsCA,\n                issuer: hex::encode(details.Issuer),\n            },\n            signature: vec![],\n        };\n    }\n\n    nebula_cert.signature = raw_cert.Signature;\n\n    if details.PublicKey.len() != 32 {\n        return Err(CertificateError::WrongKeyLength.into())\n    }\n\n    #[allow(clippy::unwrap_used)] { nebula_cert.details.public_key = details.PublicKey.try_into().unwrap(); }\n\n    Ok(nebula_cert)\n}\n\n/// A list of errors that can occur parsing keys\n#[derive(Debug)]\npub enum KeyError {\n    /// Keys should have their associated PEM tags but this had the wrong one\n    WrongPemTag\n}\nimpl Display for KeyError {\n    fn fmt(\u0026self, f: \u0026mut Formatter\u003c'_\u003e) -\u003e std::fmt::Result {\n        match self {\n            Self::WrongPemTag =\u003e write!(f, \"Keys should have their associated PEM tags but this had the wrong one\")\n        }\n    }\n}\nimpl Error for KeyError {}\n\n\n/// Deserialize the first PEM block in the given byte array into a `NebulaCertificate`\n/// # Errors\n/// This function will return an error if the PEM data is invalid, or if there is an error parsing the certificate (see `deserialize_nebula_certificate`)\npub fn deserialize_nebula_certificate_from_pem(bytes: \u0026[u8]) -\u003e Result\u003cNebulaCertificate, Box\u003cdyn Error\u003e\u003e {\n    let pem = pem::parse(bytes)?;\n    if pem.tag != CERT_BANNER {\n        return Err(CertificateError::WrongPemTag.into())\n    }\n    deserialize_nebula_certificate(\u0026pem.contents)\n}\n\n/// Simple helper to PEM encode an X25519 private key\npub fn serialize_x25519_private(bytes: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n    pem::encode(\u0026Pem {\n        tag: X25519_PRIVATE_KEY_BANNER.to_string(),\n        contents: bytes.to_vec(),\n    }).as_bytes().to_vec()\n}\n\n/// Simple helper to PEM encode an X25519 public key\npub fn serialize_x25519_public(bytes: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n    pem::encode(\u0026Pem {\n        tag: X25519_PUBLIC_KEY_BANNER.to_string(),\n        contents: bytes.to_vec(),\n    }).as_bytes().to_vec()\n}\n\n/// Attempt to deserialize a PEM encoded X25519 private key\n/// # Errors\n/// This function will return an error if the PEM data is invalid or has the wrong tag\npub fn deserialize_x25519_private(bytes: \u0026[u8]) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n    let pem = pem::parse(bytes)?;\n    if pem.tag != X25519_PRIVATE_KEY_BANNER {\n        return Err(KeyError::WrongPemTag.into())\n    }\n    Ok(pem.contents)\n}\n\n/// Attempt to deserialize a PEM encoded X25519 public key\n/// # Errors\n/// This function will return an error if the PEM data is invalid or has the wrong tag\npub fn deserialize_x25519_public(bytes: \u0026[u8]) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n    let pem = pem::parse(bytes)?;\n    if pem.tag != X25519_PUBLIC_KEY_BANNER {\n        return Err(KeyError::WrongPemTag.into())\n    }\n    Ok(pem.contents)\n}\n\n/// Simple helper to PEM encode an Ed25519 private key\npub fn serialize_ed25519_private(bytes: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n    pem::encode(\u0026Pem {\n        tag: ED25519_PRIVATE_KEY_BANNER.to_string(),\n        contents: bytes.to_vec(),\n    }).as_bytes().to_vec()\n}\n\n/// Simple helper to PEM encode an Ed25519 public key\npub fn serialize_ed25519_public(bytes: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n    pem::encode(\u0026Pem {\n        tag: ED25519_PUBLIC_KEY_BANNER.to_string(),\n        contents: bytes.to_vec(),\n    }).as_bytes().to_vec()\n}\n\n/// Attempt to deserialize a PEM encoded Ed25519 private key\n/// # Errors\n/// This function will return an error if the PEM data is invalid or has the wrong tag\npub fn deserialize_ed25519_private(bytes: \u0026[u8]) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n    let pem = pem::parse(bytes)?;\n    if pem.tag != ED25519_PRIVATE_KEY_BANNER {\n        return Err(KeyError::WrongPemTag.into())\n    }\n    Ok(pem.contents)\n}\n\n/// Attempt to deserialize a PEM encoded Ed25519 public key\n/// # Errors\n/// This function will return an error if the PEM data is invalid or has the wrong tag\npub fn deserialize_ed25519_public(bytes: \u0026[u8]) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n    let pem = pem::parse(bytes)?;\n    if pem.tag != ED25519_PUBLIC_KEY_BANNER {\n        return Err(KeyError::WrongPemTag.into())\n    }\n    Ok(pem.contents)\n}\n\nimpl NebulaCertificate {\n    /// Sign a nebula certificate with the provided private key\n    /// # Errors\n    /// This function will return an error if the certificate could not be serialized or signed.\n    pub fn sign(\u0026mut self, key: \u0026SigningKey) -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n        let mut out = Vec::new();\n        let mut writer = Writer::new(\u0026mut out);\n        self.get_raw_details().write_message(\u0026mut writer)?;\n\n        self.signature = key.sign(\u0026out).to_vec();\n        Ok(())\n    }\n\n    /// Verify the signature on a certificate with the provided public key\n    /// # Errors\n    /// This function will return an error if the certificate could not be serialized or the signature could not be checked.\n    pub fn check_signature(\u0026self, key: \u0026VerifyingKey) -\u003e Result\u003cbool, Box\u003cdyn Error\u003e\u003e {\n        let mut out = Vec::new();\n        let mut writer = Writer::new(\u0026mut out);\n        self.get_raw_details().write_message(\u0026mut writer)?;\n\n        let sig = Signature::from_slice(\u0026self.signature)?;\n\n        Ok(key.verify(\u0026out, \u0026sig).is_ok())\n    }\n\n    /// Returns true if the signature is too young or too old compared to the provided time\n    pub fn expired(\u0026self, time: SystemTime) -\u003e bool {\n        self.details.not_before \u003e time || self.details.not_after \u003c time\n    }\n\n    /// Verify will ensure a certificate is good in all respects (expiry, group membership, signature, cert blocklist, etc)\n    /// # Errors\n    /// This function will return an error if there is an error parsing the cert or the CA pool.\n    pub fn verify(\u0026self, time: SystemTime, ca_pool: \u0026NebulaCAPool) -\u003e Result\u003cCertificateValidity, Box\u003cdyn Error\u003e\u003e {\n        if ca_pool.is_blocklisted(self) {\n            return Ok(CertificateValidity::Blocklisted);\n        }\n\n        let Some(signer) = ca_pool.get_ca_for_cert(self)? else { return Ok(CertificateValidity::NotSignedByThisCAPool) };\n\n        if signer.expired(time) {\n            return Ok(CertificateValidity::RootCertExpired)\n        }\n\n        if self.expired(time) {\n            return Ok(CertificateValidity::CertExpired)\n        }\n\n        if !self.check_signature(\u0026VerifyingKey::from_bytes(\u0026signer.details.public_key)?)? {\n            return Ok(CertificateValidity::BadSignature)\n        }\n\n        Ok(self.check_root_constraints(signer))\n    }\n\n    /// Make sure that this certificate does not break any of the constraints set by the signing certificate\n    pub fn check_root_constraints(\u0026self, signer: \u0026Self) -\u003e CertificateValidity {\n        // Make sure this cert doesn't expire after the signer\n        println!(\"{:?} {:?}\", signer.details.not_before, self.details.not_before);\n        if signer.details.not_before \u003c self.details.not_before {\n            return CertificateValidity::CertExpiresAfterSigner;\n        }\n\n        // Make sure this cert doesn't come into validity before the root\n        if signer.details.not_before \u003e self.details.not_before {\n            return CertificateValidity::CertValidBeforeSigner;\n        }\n\n        // If the signer contains a limited set of groups, make sure this cert only has a subset of them\n        if !signer.details.groups.is_empty() {\n            println!(\"root groups: {:?}, child groups: {:?}\", signer.details.groups, self.details.groups);\n            for group in \u0026self.details.groups {\n                if !signer.details.groups.contains(group) {\n                    return CertificateValidity::GroupNotPresentOnSigner;\n                }\n            }\n        }\n\n        // If the signer contains a limited set of IP ranges, make sure the cert only contains a subset\n        if !signer.details.ips.is_empty() {\n            for ip in \u0026self.details.ips {\n                if !net_match(*ip, \u0026signer.details.ips) {\n                    return CertificateValidity::IPNotPresentOnSigner;\n                }\n            }\n        }\n\n        // If the signer contains a limited set of subnets, make sure the cert only contains a subset\n        if !signer.details.subnets.is_empty() {\n            for subnet in \u0026self.details.subnets {\n                if !net_match(*subnet, \u0026signer.details.subnets) {\n                    return CertificateValidity::SubnetNotPresentOnSigner;\n                }\n            }\n        }\n\n        CertificateValidity::Ok\n    }\n\n    #[allow(clippy::unwrap_used)]\n    /// Verify if the given private key corresponds to the public key contained in this certificate\n    /// # Errors\n    /// This function will return an error if either keys are invalid.\n    /// # Panics\n    /// This function, while containing calls to unwrap, has proper bounds checking and will not panic.\n    pub fn verify_private_key(\u0026self, key: \u0026[u8]) -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n        if self.details.is_ca {\n            // convert the keys\n            if key.len() != 64 {\n                return Err(\"key not 64-bytes long\".into())\n            }\n\n\n            let secret = SigningKey::from_keypair_bytes(key.try_into().unwrap())?;\n            let pub_key = secret.verifying_key().to_bytes();\n            if pub_key != self.details.public_key {\n                return Err(CertificateError::KeyMismatch.into());\n            }\n\n            return Ok(());\n        }\n\n        if key.len() != 32 {\n            return Err(\"key not 32-bytes long\".into())\n        }\n\n        let pubkey_raw = SigningKey::from_bytes(key.try_into()?).verifying_key();\n        let pubkey = pubkey_raw.as_bytes();\n\n        println!(\"{} {}\", hex::encode(pubkey), hex::encode(self.details.public_key));\n        if *pubkey != self.details.public_key {\n            return Err(CertificateError::KeyMismatch.into());\n        }\n\n        Ok(())\n    }\n\n\n    /// Get a protobuf-ready raw struct, ready for serialization\n    #[allow(clippy::expect_used)]\n    #[allow(clippy::cast_possible_wrap)]\n    /// # Panics\n    /// This function will panic if time went backwards, or if the certificate contains extremely invalid data.\n    pub fn get_raw_details(\u0026self) -\u003e RawNebulaCertificateDetails {\n\n        let mut raw = RawNebulaCertificateDetails {\n            Name: self.details.name.clone(),\n            Ips: vec![],\n            Subnets: vec![],\n            Groups: self.details.groups.iter().map(std::convert::Into::into).collect(),\n            NotBefore: self.details.not_before.duration_since(UNIX_EPOCH).expect(\"Time went backwards\").as_secs() as i64,\n            NotAfter: self.details.not_after.duration_since(UNIX_EPOCH).expect(\"Time went backwards\").as_secs() as i64,\n            PublicKey: self.details.public_key.into(),\n            IsCA: self.details.is_ca,\n            Issuer: hex::decode(\u0026self.details.issuer).expect(\"Issuer was not a hex-encoded value\"),\n        };\n\n        for ip_net in \u0026self.details.ips {\n            raw.Ips.push(ip_net.addr().into());\n            raw.Ips.push(ip_net.netmask().into());\n        }\n\n        for subnet in \u0026self.details.subnets {\n            raw.Subnets.push(subnet.addr().into());\n            raw.Subnets.push(subnet.netmask().into());\n        }\n\n        raw\n    }\n\n    /// Will serialize this cert into a protobuf byte array.\n    /// # Errors\n    /// This function will return an error if protobuf was unable to serialize the data.\n    pub fn serialize(\u0026self) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n        let raw_cert = RawNebulaCertificate {\n            Details: Some(self.get_raw_details()),\n            Signature: self.signature.clone(),\n        };\n\n        let mut out = vec![];\n        let mut writer = Writer::new(\u0026mut out);\n        raw_cert.write_message(\u0026mut writer)?;\n\n        Ok(out)\n    }\n\n    /// Will serialize this cert into a PEM byte array.\n    /// # Errors\n    /// This function will return an error if protobuf was unable to serialize the data.\n    pub fn serialize_to_pem(\u0026self) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n        let pbuf_bytes = self.serialize()?;\n\n        Ok(pem::encode(\u0026Pem {\n            tag: CERT_BANNER.to_string(),\n            contents: pbuf_bytes,\n        }).as_bytes().to_vec())\n    }\n\n    /// Get the fingerprint of this certificate\n    /// # Errors\n    /// This functiom will return an error if protobuf was unable to serialize the cert.\n    pub fn sha256sum(\u0026self) -\u003e Result\u003cString, Box\u003cdyn Error\u003e\u003e {\n        let pbuf_bytes = self.serialize()?;\n\n        let mut hasher = Sha256::new();\n        hasher.update(pbuf_bytes);\n\n        Ok(hex::encode(hasher.finalize()))\n    }\n}\n\n/// A list of possible errors that can happen validating a certificate\n#[derive(Eq, PartialEq, Debug)]\npub enum CertificateValidity {\n    /// There are no issues with this certificate\n    Ok,\n    /// This cert has been blocklisted in the given CA pool\n    Blocklisted,\n    /// The certificate that signed this cert is expired\n    RootCertExpired,\n    /// This cert is expired\n    CertExpired,\n    /// This cert's signature is invalid\n    BadSignature,\n    /// This cert was not signed by any CAs in the CA pool\n    NotSignedByThisCAPool,\n    /// This cert expires after the signer's cert expires\n    CertExpiresAfterSigner,\n    /// This cert enters validity before the signer's cert does\n    CertValidBeforeSigner,\n    /// A group present on this certificate is not present on the signer's certificate\n    GroupNotPresentOnSigner,\n    /// An IP present on this certificate is not present on the signer's certificate\n    IPNotPresentOnSigner,\n    /// A subnet on this certificate is not present on the signer's certificate\n    SubnetNotPresentOnSigner\n}\n\nfn net_match(cert_ip: Ipv4Net, root_ips: \u0026Vec\u003cIpv4Net\u003e) -\u003e bool {\n    for net in root_ips {\n        if net.contains(\u0026cert_ip) {\n            return true;\n        }\n    }\n    false\n}","traces":[{"line":87,"address":[532032],"length":1,"stats":{"Line":0},"fn_name":"fmt"},{"line":88,"address":[532059],"length":1,"stats":{"Line":0},"fn_name":null},{"line":89,"address":[532090],"length":1,"stats":{"Line":0},"fn_name":null},{"line":90,"address":[532150],"length":1,"stats":{"Line":0},"fn_name":null},{"line":91,"address":[532210],"length":1,"stats":{"Line":0},"fn_name":null},{"line":92,"address":[532270],"length":1,"stats":{"Line":0},"fn_name":null},{"line":93,"address":[532336],"length":1,"stats":{"Line":0},"fn_name":null},{"line":94,"address":[532402],"length":1,"stats":{"Line":0},"fn_name":null},{"line":95,"address":[532468],"length":1,"stats":{"Line":0},"fn_name":null},{"line":96,"address":[532531],"length":1,"stats":{"Line":0},"fn_name":null},{"line":97,"address":[532594],"length":1,"stats":{"Line":0},"fn_name":null},{"line":103,"address":[532672,533603],"length":1,"stats":{"Line":1},"fn_name":"map_cidr_pairs"},{"line":104,"address":[532715],"length":1,"stats":{"Line":1},"fn_name":null},{"line":105,"address":[533037,532752,532813],"length":1,"stats":{"Line":3},"fn_name":null},{"line":106,"address":[533598,533079],"length":1,"stats":{"Line":2},"fn_name":null},{"line":108,"address":[532950],"length":1,"stats":{"Line":1},"fn_name":null},{"line":113,"address":[535685,533632],"length":1,"stats":{"Line":1},"fn_name":"fmt"},{"line":114,"address":[533665,533866],"length":1,"stats":{"Line":1},"fn_name":null},{"line":115,"address":[533763,534044],"length":1,"stats":{"Line":1},"fn_name":null},{"line":116,"address":[534206,533913],"length":1,"stats":{"Line":1},"fn_name":null},{"line":117,"address":[534368,534076],"length":1,"stats":{"Line":1},"fn_name":null},{"line":118,"address":[534238,534533],"length":1,"stats":{"Line":1},"fn_name":null},{"line":119,"address":[534400,534695],"length":1,"stats":{"Line":1},"fn_name":null},{"line":120,"address":[534857,534565],"length":1,"stats":{"Line":1},"fn_name":null},{"line":121,"address":[534727,535022],"length":1,"stats":{"Line":1},"fn_name":null},{"line":122,"address":[535185,534889],"length":1,"stats":{"Line":1},"fn_name":null},{"line":123,"address":[535054,535292],"length":1,"stats":{"Line":1},"fn_name":null},{"line":124,"address":[535319,535217,535631],"length":1,"stats":{"Line":1},"fn_name":null},{"line":125,"address":[535790,535528],"length":1,"stats":{"Line":1},"fn_name":null},{"line":126,"address":[536112,535729,535817],"length":1,"stats":{"Line":1},"fn_name":null},{"line":127,"address":[536034,536166,536445],"length":1,"stats":{"Line":1},"fn_name":null},{"line":128,"address":[536375],"length":1,"stats":{"Line":1},"fn_name":null},{"line":136,"address":[541549,536512,538040],"length":1,"stats":{"Line":1},"fn_name":"deserialize_nebula_certificate"},{"line":137,"address":[536589],"length":1,"stats":{"Line":1},"fn_name":null},{"line":138,"address":[536783],"length":1,"stats":{"Line":1},"fn_name":null},{"line":141,"address":[536667],"length":1,"stats":{"Line":1},"fn_name":null},{"line":143,"address":[536897,536711,537046],"length":1,"stats":{"Line":2},"fn_name":null},{"line":145,"address":[537450,537272,536957],"length":1,"stats":{"Line":2},"fn_name":null},{"line":147,"address":[537597,537412],"length":1,"stats":{"Line":2},"fn_name":null},{"line":148,"address":[537634],"length":1,"stats":{"Line":1},"fn_name":null},{"line":151,"address":[537607,537741],"length":1,"stats":{"Line":2},"fn_name":null},{"line":152,"address":[537774],"length":1,"stats":{"Line":1},"fn_name":null},{"line":158,"address":[539558],"length":1,"stats":{"Line":1},"fn_name":null},{"line":159,"address":[539230],"length":1,"stats":{"Line":1},"fn_name":null},{"line":160,"address":[537751],"length":1,"stats":{"Line":1},"fn_name":null},{"line":161,"address":[537897,538051,538161,537997],"length":1,"stats":{"Line":3},"fn_name":null},{"line":162,"address":[538115,538364,538515],"length":1,"stats":{"Line":2},"fn_name":null},{"line":163,"address":[538792,538469],"length":1,"stats":{"Line":2},"fn_name":null},{"line":164,"address":[538974,538885],"length":1,"stats":{"Line":2},"fn_name":null},{"line":165,"address":[539031],"length":1,"stats":{"Line":1},"fn_name":null},{"line":166,"address":[539115],"length":1,"stats":{"Line":1},"fn_name":null},{"line":167,"address":[539134],"length":1,"stats":{"Line":1},"fn_name":null},{"line":168,"address":[539145],"length":1,"stats":{"Line":1},"fn_name":null},{"line":170,"address":[539461],"length":1,"stats":{"Line":1},"fn_name":null},{"line":174,"address":[539633],"length":1,"stats":{"Line":1},"fn_name":null},{"line":176,"address":[539815],"length":1,"stats":{"Line":1},"fn_name":null},{"line":177,"address":[539916],"length":1,"stats":{"Line":1},"fn_name":null},{"line":182,"address":[540877],"length":1,"stats":{"Line":1},"fn_name":null},{"line":192,"address":[541584],"length":1,"stats":{"Line":0},"fn_name":"fmt"},{"line":194,"address":[541602],"length":1,"stats":{"Line":0},"fn_name":null},{"line":204,"address":[541664,542141],"length":1,"stats":{"Line":1},"fn_name":"deserialize_nebula_certificate_from_pem"},{"line":205,"address":[541861,541697],"length":1,"stats":{"Line":2},"fn_name":null},{"line":206,"address":[541993,541835],"length":1,"stats":{"Line":2},"fn_name":null},{"line":207,"address":[542025],"length":1,"stats":{"Line":0},"fn_name":null},{"line":209,"address":[542118,541999],"length":1,"stats":{"Line":2},"fn_name":null},{"line":213,"address":[542387,542176],"length":1,"stats":{"Line":1},"fn_name":"serialize_x25519_private"},{"line":214,"address":[542314,542456,542526],"length":1,"stats":{"Line":3},"fn_name":null},{"line":215,"address":[542219],"length":1,"stats":{"Line":1},"fn_name":null},{"line":216,"address":[542254],"length":1,"stats":{"Line":1},"fn_name":null},{"line":217,"address":[542273],"length":1,"stats":{"Line":0},"fn_name":null},{"line":221,"address":[542592,542803],"length":1,"stats":{"Line":1},"fn_name":"serialize_x25519_public"},{"line":222,"address":[542872,542730,542942],"length":1,"stats":{"Line":3},"fn_name":null},{"line":223,"address":[542635],"length":1,"stats":{"Line":1},"fn_name":null},{"line":224,"address":[542670],"length":1,"stats":{"Line":1},"fn_name":null},{"line":225,"address":[542689],"length":1,"stats":{"Line":0},"fn_name":null},{"line":231,"address":[543008,543506],"length":1,"stats":{"Line":1},"fn_name":"deserialize_x25519_private"},{"line":232,"address":[543202,543041],"length":1,"stats":{"Line":2},"fn_name":null},{"line":233,"address":[543176,543334],"length":1,"stats":{"Line":2},"fn_name":null},{"line":234,"address":[543443],"length":1,"stats":{"Line":0},"fn_name":null},{"line":236,"address":[543345],"length":1,"stats":{"Line":1},"fn_name":null},{"line":242,"address":[544034,543536],"length":1,"stats":{"Line":1},"fn_name":"deserialize_x25519_public"},{"line":243,"address":[543569,543730],"length":1,"stats":{"Line":2},"fn_name":null},{"line":244,"address":[543704,543862],"length":1,"stats":{"Line":2},"fn_name":null},{"line":245,"address":[543971],"length":1,"stats":{"Line":0},"fn_name":null},{"line":247,"address":[543873],"length":1,"stats":{"Line":1},"fn_name":null},{"line":251,"address":[544275,544064],"length":1,"stats":{"Line":1},"fn_name":"serialize_ed25519_private"},{"line":252,"address":[544414,544202,544344],"length":1,"stats":{"Line":3},"fn_name":null},{"line":253,"address":[544107],"length":1,"stats":{"Line":1},"fn_name":null},{"line":254,"address":[544142],"length":1,"stats":{"Line":1},"fn_name":null},{"line":255,"address":[544161],"length":1,"stats":{"Line":0},"fn_name":null},{"line":259,"address":[544480,544691],"length":1,"stats":{"Line":1},"fn_name":"serialize_ed25519_public"},{"line":260,"address":[544618,544760,544830],"length":1,"stats":{"Line":3},"fn_name":null},{"line":261,"address":[544523],"length":1,"stats":{"Line":1},"fn_name":null},{"line":262,"address":[544558],"length":1,"stats":{"Line":1},"fn_name":null},{"line":263,"address":[544577],"length":1,"stats":{"Line":0},"fn_name":null},{"line":269,"address":[545394,544896],"length":1,"stats":{"Line":1},"fn_name":"deserialize_ed25519_private"},{"line":270,"address":[544929,545090],"length":1,"stats":{"Line":2},"fn_name":null},{"line":271,"address":[545222,545064],"length":1,"stats":{"Line":2},"fn_name":null},{"line":272,"address":[545331],"length":1,"stats":{"Line":0},"fn_name":null},{"line":274,"address":[545233],"length":1,"stats":{"Line":1},"fn_name":null},{"line":280,"address":[545922,545424],"length":1,"stats":{"Line":1},"fn_name":"deserialize_ed25519_public"},{"line":281,"address":[545457,545618],"length":1,"stats":{"Line":2},"fn_name":null},{"line":282,"address":[545750,545592],"length":1,"stats":{"Line":2},"fn_name":null},{"line":283,"address":[545859],"length":1,"stats":{"Line":0},"fn_name":null},{"line":285,"address":[545761],"length":1,"stats":{"Line":1},"fn_name":null},{"line":292,"address":[546372,546674,545952],"length":1,"stats":{"Line":1},"fn_name":"sign"},{"line":293,"address":[545985],"length":1,"stats":{"Line":1},"fn_name":null},{"line":294,"address":[546009,546072],"length":1,"stats":{"Line":2},"fn_name":null},{"line":295,"address":[546085],"length":1,"stats":{"Line":1},"fn_name":null},{"line":297,"address":[546412],"length":1,"stats":{"Line":1},"fn_name":null},{"line":298,"address":[546649],"length":1,"stats":{"Line":1},"fn_name":null},{"line":304,"address":[547109,546704,547554],"length":1,"stats":{"Line":1},"fn_name":"check_signature"},{"line":305,"address":[546747],"length":1,"stats":{"Line":1},"fn_name":null},{"line":306,"address":[546834,546771],"length":1,"stats":{"Line":2},"fn_name":null},{"line":307,"address":[546847],"length":1,"stats":{"Line":1},"fn_name":null},{"line":309,"address":[547141,547402],"length":1,"stats":{"Line":2},"fn_name":null},{"line":311,"address":[547371,547616,547508],"length":1,"stats":{"Line":3},"fn_name":null},{"line":315,"address":[547712],"length":1,"stats":{"Line":1},"fn_name":"expired"},{"line":316,"address":[547734],"length":1,"stats":{"Line":1},"fn_name":null},{"line":322,"address":[547808],"length":1,"stats":{"Line":1},"fn_name":"verify"},{"line":323,"address":[547883],"length":1,"stats":{"Line":1},"fn_name":null},{"line":324,"address":[547960],"length":1,"stats":{"Line":1},"fn_name":null},{"line":327,"address":[548117,547984,548084,547902],"length":1,"stats":{"Line":3},"fn_name":null},{"line":329,"address":[548101],"length":1,"stats":{"Line":1},"fn_name":null},{"line":330,"address":[548163],"length":1,"stats":{"Line":1},"fn_name":null},{"line":333,"address":[548147],"length":1,"stats":{"Line":1},"fn_name":null},{"line":334,"address":[548239],"length":1,"stats":{"Line":1},"fn_name":null},{"line":337,"address":[548431,548183,548255],"length":1,"stats":{"Line":3},"fn_name":null},{"line":338,"address":[548541],"length":1,"stats":{"Line":0},"fn_name":null},{"line":341,"address":[548509],"length":1,"stats":{"Line":1},"fn_name":null},{"line":345,"address":[548560],"length":1,"stats":{"Line":1},"fn_name":"check_root_constraints"},{"line":347,"address":[548606],"length":1,"stats":{"Line":1},"fn_name":null},{"line":348,"address":[548732],"length":1,"stats":{"Line":1},"fn_name":null},{"line":349,"address":[548778],"length":1,"stats":{"Line":0},"fn_name":null},{"line":353,"address":[548759],"length":1,"stats":{"Line":1},"fn_name":null},{"line":354,"address":[548820],"length":1,"stats":{"Line":0},"fn_name":null},{"line":358,"address":[548800],"length":1,"stats":{"Line":1},"fn_name":null},{"line":359,"address":[548861],"length":1,"stats":{"Line":1},"fn_name":null},{"line":360,"address":[549000],"length":1,"stats":{"Line":1},"fn_name":null},{"line":361,"address":[549108],"length":1,"stats":{"Line":1},"fn_name":null},{"line":362,"address":[549144],"length":1,"stats":{"Line":1},"fn_name":null},{"line":368,"address":[548832],"length":1,"stats":{"Line":1},"fn_name":null},{"line":369,"address":[549188],"length":1,"stats":{"Line":1},"fn_name":null},{"line":370,"address":[549285],"length":1,"stats":{"Line":1},"fn_name":null},{"line":371,"address":[549348],"length":1,"stats":{"Line":1},"fn_name":null},{"line":377,"address":[549159],"length":1,"stats":{"Line":1},"fn_name":null},{"line":378,"address":[549373],"length":1,"stats":{"Line":1},"fn_name":null},{"line":379,"address":[549470],"length":1,"stats":{"Line":1},"fn_name":null},{"line":380,"address":[549533],"length":1,"stats":{"Line":1},"fn_name":null},{"line":385,"address":[549358],"length":1,"stats":{"Line":1},"fn_name":null},{"line":394,"address":[549552,550149],"length":1,"stats":{"Line":1},"fn_name":"verify_private_key"},{"line":395,"address":[549607],"length":1,"stats":{"Line":1},"fn_name":null},{"line":397,"address":[549647],"length":1,"stats":{"Line":1},"fn_name":null},{"line":398,"address":[549743],"length":1,"stats":{"Line":0},"fn_name":null},{"line":402,"address":[549669,549800,549905],"length":1,"stats":{"Line":2},"fn_name":null},{"line":403,"address":[550030,549886],"length":1,"stats":{"Line":2},"fn_name":null},{"line":404,"address":[550053],"length":1,"stats":{"Line":1},"fn_name":null},{"line":405,"address":[550088],"length":1,"stats":{"Line":1},"fn_name":null},{"line":408,"address":[550074],"length":1,"stats":{"Line":1},"fn_name":null},{"line":411,"address":[549624],"length":1,"stats":{"Line":1},"fn_name":null},{"line":412,"address":[550263],"length":1,"stats":{"Line":0},"fn_name":null},{"line":415,"address":[550301,550210],"length":1,"stats":{"Line":2},"fn_name":null},{"line":416,"address":[550461],"length":1,"stats":{"Line":1},"fn_name":null},{"line":418,"address":[550498],"length":1,"stats":{"Line":1},"fn_name":null},{"line":419,"address":[550878],"length":1,"stats":{"Line":1},"fn_name":null},{"line":420,"address":[550904],"length":1,"stats":{"Line":1},"fn_name":null},{"line":423,"address":[550887],"length":1,"stats":{"Line":1},"fn_name":null},{"line":432,"address":[550960,552081],"length":1,"stats":{"Line":1},"fn_name":"get_raw_details"},{"line":435,"address":[550999],"length":1,"stats":{"Line":1},"fn_name":null},{"line":436,"address":[551028],"length":1,"stats":{"Line":1},"fn_name":null},{"line":437,"address":[551087],"length":1,"stats":{"Line":1},"fn_name":null},{"line":438,"address":[551234,551143],"length":1,"stats":{"Line":2},"fn_name":null},{"line":439,"address":[551335,551415],"length":1,"stats":{"Line":2},"fn_name":null},{"line":440,"address":[551525],"length":1,"stats":{"Line":1},"fn_name":null},{"line":441,"address":[551671],"length":1,"stats":{"Line":1},"fn_name":null},{"line":442,"address":[551725],"length":1,"stats":{"Line":1},"fn_name":null},{"line":443,"address":[551804,551738],"length":1,"stats":{"Line":2},"fn_name":null},{"line":446,"address":[552160,552288,552054],"length":1,"stats":{"Line":3},"fn_name":null},{"line":447,"address":[552309],"length":1,"stats":{"Line":1},"fn_name":null},{"line":448,"address":[552409],"length":1,"stats":{"Line":1},"fn_name":null},{"line":451,"address":[552511,552617,552256],"length":1,"stats":{"Line":3},"fn_name":null},{"line":452,"address":[552638],"length":1,"stats":{"Line":1},"fn_name":null},{"line":453,"address":[552738],"length":1,"stats":{"Line":1},"fn_name":null},{"line":462,"address":[553047,552832],"length":1,"stats":{"Line":1},"fn_name":"serialize"},{"line":464,"address":[552875],"length":1,"stats":{"Line":1},"fn_name":null},{"line":465,"address":[552912],"length":1,"stats":{"Line":1},"fn_name":null},{"line":468,"address":[553028],"length":1,"stats":{"Line":1},"fn_name":null},{"line":469,"address":[553173,553115],"length":1,"stats":{"Line":2},"fn_name":null},{"line":470,"address":[553373,553202],"length":1,"stats":{"Line":1},"fn_name":null},{"line":472,"address":[553262],"length":1,"stats":{"Line":1},"fn_name":null},{"line":478,"address":[553536,553887],"length":1,"stats":{"Line":1},"fn_name":"serialize_to_pem"},{"line":479,"address":[553561,553678],"length":1,"stats":{"Line":1},"fn_name":null},{"line":481,"address":[553962,554028,553796],"length":1,"stats":{"Line":3},"fn_name":null},{"line":482,"address":[553646],"length":1,"stats":{"Line":1},"fn_name":null},{"line":483,"address":[553770],"length":1,"stats":{"Line":1},"fn_name":null},{"line":490,"address":[554641,554672,554128],"length":1,"stats":{"Line":1},"fn_name":"sha256sum"},{"line":491,"address":[554152,554266],"length":1,"stats":{"Line":1},"fn_name":null},{"line":493,"address":[554255],"length":1,"stats":{"Line":1},"fn_name":null},{"line":494,"address":[554366],"length":1,"stats":{"Line":1},"fn_name":null},{"line":496,"address":[554423],"length":1,"stats":{"Line":1},"fn_name":null},{"line":527,"address":[554688],"length":1,"stats":{"Line":1},"fn_name":"net_match"},{"line":528,"address":[554802,554738],"length":1,"stats":{"Line":2},"fn_name":null},{"line":529,"address":[554812],"length":1,"stats":{"Line":1},"fn_name":null},{"line":530,"address":[554829],"length":1,"stats":{"Line":1},"fn_name":null},{"line":533,"address":[554795],"length":1,"stats":{"Line":1},"fn_name":null}],"covered":178,"coverable":205},{"path":["/","home","core","prj","e3t","trifid","trifid-pki","src","cert_codec.rs"],"content":"// Automatically generated rust module for 'cert_codec.proto' file\n\n#![allow(non_snake_case)]\n#![allow(non_upper_case_globals)]\n#![allow(non_camel_case_types)]\n#![allow(unused_imports)]\n#![allow(unknown_lints)]\n#![allow(clippy::all)]\n#![cfg_attr(rustfmt, rustfmt_skip)]\n#![allow(clippy::pedantic)]\n\nuse quick_protobuf::{MessageInfo, MessageRead, MessageWrite, BytesReader, Writer, WriterBackend, Result};\nuse quick_protobuf::sizeofs::*;\nuse super::*;\n\n#[allow(clippy::derive_partial_eq_without_eq)]\n#[derive(Debug, Default, PartialEq, Clone)]\npub struct RawNebulaCertificate {\n    pub Details: Option\u003ccert_codec::RawNebulaCertificateDetails\u003e,\n    pub Signature: Vec\u003cu8\u003e,\n}\n\nimpl\u003c'a\u003e MessageRead\u003c'a\u003e for RawNebulaCertificate {\n    fn from_reader(r: \u0026mut BytesReader, bytes: \u0026'a [u8]) -\u003e Result\u003cSelf\u003e {\n        let mut msg = Self::default();\n        while !r.is_eof() {\n            match r.next_tag(bytes) {\n                Ok(10) =\u003e msg.Details = Some(r.read_message::\u003ccert_codec::RawNebulaCertificateDetails\u003e(bytes)?),\n                Ok(18) =\u003e msg.Signature = r.read_bytes(bytes)?.to_owned(),\n                Ok(t) =\u003e { r.read_unknown(bytes, t)?; }\n                Err(e) =\u003e return Err(e),\n            }\n        }\n        Ok(msg)\n    }\n}\n\nimpl MessageWrite for RawNebulaCertificate {\n    fn get_size(\u0026self) -\u003e usize {\n        0\n        + self.Details.as_ref().map_or(0, |m| 1 + sizeof_len((m).get_size()))\n        + if self.Signature.is_empty() { 0 } else { 1 + sizeof_len((\u0026self.Signature).len()) }\n    }\n\n    fn write_message\u003cW: WriterBackend\u003e(\u0026self, w: \u0026mut Writer\u003cW\u003e) -\u003e Result\u003c()\u003e {\n        if let Some(ref s) = self.Details { w.write_with_tag(10, |w| w.write_message(s))?; }\n        if !self.Signature.is_empty() { w.write_with_tag(18, |w| w.write_bytes(\u0026**\u0026self.Signature))?; }\n        Ok(())\n    }\n}\n\n#[allow(clippy::derive_partial_eq_without_eq)]\n#[derive(Debug, Default, PartialEq, Clone)]\npub struct RawNebulaCertificateDetails {\n    pub Name: String,\n    pub Ips: Vec\u003cu32\u003e,\n    pub Subnets: Vec\u003cu32\u003e,\n    pub Groups: Vec\u003cString\u003e,\n    pub NotBefore: i64,\n    pub NotAfter: i64,\n    pub PublicKey: Vec\u003cu8\u003e,\n    pub IsCA: bool,\n    pub Issuer: Vec\u003cu8\u003e,\n}\n\nimpl\u003c'a\u003e MessageRead\u003c'a\u003e for RawNebulaCertificateDetails {\n    fn from_reader(r: \u0026mut BytesReader, bytes: \u0026'a [u8]) -\u003e Result\u003cSelf\u003e {\n        let mut msg = Self::default();\n        while !r.is_eof() {\n            match r.next_tag(bytes) {\n                Ok(10) =\u003e msg.Name = r.read_string(bytes)?.to_owned(),\n                Ok(18) =\u003e msg.Ips = r.read_packed(bytes, |r, bytes| Ok(r.read_uint32(bytes)?))?,\n                Ok(26) =\u003e msg.Subnets = r.read_packed(bytes, |r, bytes| Ok(r.read_uint32(bytes)?))?,\n                Ok(34) =\u003e msg.Groups.push(r.read_string(bytes)?.to_owned()),\n                Ok(40) =\u003e msg.NotBefore = r.read_int64(bytes)?,\n                Ok(48) =\u003e msg.NotAfter = r.read_int64(bytes)?,\n                Ok(58) =\u003e msg.PublicKey = r.read_bytes(bytes)?.to_owned(),\n                Ok(64) =\u003e msg.IsCA = r.read_bool(bytes)?,\n                Ok(74) =\u003e msg.Issuer = r.read_bytes(bytes)?.to_owned(),\n                Ok(t) =\u003e { r.read_unknown(bytes, t)?; }\n                Err(e) =\u003e return Err(e),\n            }\n        }\n        Ok(msg)\n    }\n}\n\nimpl MessageWrite for RawNebulaCertificateDetails {\n    fn get_size(\u0026self) -\u003e usize {\n        0\n        + if self.Name == String::default() { 0 } else { 1 + sizeof_len((\u0026self.Name).len()) }\n        + if self.Ips.is_empty() { 0 } else { 1 + sizeof_len(self.Ips.iter().map(|s| sizeof_varint(*(s) as u64)).sum::\u003cusize\u003e()) }\n        + if self.Subnets.is_empty() { 0 } else { 1 + sizeof_len(self.Subnets.iter().map(|s| sizeof_varint(*(s) as u64)).sum::\u003cusize\u003e()) }\n        + self.Groups.iter().map(|s| 1 + sizeof_len((s).len())).sum::\u003cusize\u003e()\n        + if self.NotBefore == 0i64 { 0 } else { 1 + sizeof_varint(*(\u0026self.NotBefore) as u64) }\n        + if self.NotAfter == 0i64 { 0 } else { 1 + sizeof_varint(*(\u0026self.NotAfter) as u64) }\n        + if self.PublicKey.is_empty() { 0 } else { 1 + sizeof_len((\u0026self.PublicKey).len()) }\n        + if self.IsCA == false { 0 } else { 1 + sizeof_varint(*(\u0026self.IsCA) as u64) }\n        + if self.Issuer.is_empty() { 0 } else { 1 + sizeof_len((\u0026self.Issuer).len()) }\n    }\n\n    fn write_message\u003cW: WriterBackend\u003e(\u0026self, w: \u0026mut Writer\u003cW\u003e) -\u003e Result\u003c()\u003e {\n        if self.Name != String::default() { w.write_with_tag(10, |w| w.write_string(\u0026**\u0026self.Name))?; }\n        w.write_packed_with_tag(18, \u0026self.Ips, |w, m| w.write_uint32(*m), \u0026|m| sizeof_varint(*(m) as u64))?;\n        w.write_packed_with_tag(26, \u0026self.Subnets, |w, m| w.write_uint32(*m), \u0026|m| sizeof_varint(*(m) as u64))?;\n        for s in \u0026self.Groups { w.write_with_tag(34, |w| w.write_string(\u0026**s))?; }\n        if self.NotBefore != 0i64 { w.write_with_tag(40, |w| w.write_int64(*\u0026self.NotBefore))?; }\n        if self.NotAfter != 0i64 { w.write_with_tag(48, |w| w.write_int64(*\u0026self.NotAfter))?; }\n        if !self.PublicKey.is_empty() { w.write_with_tag(58, |w| w.write_bytes(\u0026**\u0026self.PublicKey))?; }\n        if self.IsCA != false { w.write_with_tag(64, |w| w.write_bool(*\u0026self.IsCA))?; }\n        if !self.Issuer.is_empty() { w.write_with_tag(74, |w| w.write_bytes(\u0026**\u0026self.Issuer))?; }\n        Ok(())\n    }\n}\n\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-pki","src","lib.rs"],"content":"//! # trifid-pki\n//! trifid-pki is a crate for interacting with the Nebula PKI system. It was created to prevent the need to make constant CLI calls for signing operations in Nebula.\n//! It is designed to be interoperable with the original Go implementation and as such has some oddities with key management to ensure compatability.\n//!\n//! This crate has not received any format security audits, however the underlying crates used for actual cryptographic operations (ed25519-dalek and curve25519-dalek) have been audited with no major issues.\n\n#![warn(clippy::pedantic)]\n#![warn(clippy::nursery)]\n#![deny(clippy::unwrap_used)]\n#![deny(clippy::expect_used)]\n#![deny(missing_docs)]\n#![deny(clippy::missing_errors_doc)]\n#![deny(clippy::missing_panics_doc)]\n#![deny(clippy::missing_safety_doc)]\n#![allow(clippy::must_use_candidate)]\n#![allow(clippy::too_many_lines)]\n#![allow(clippy::module_name_repetitions)]\n\n\nextern crate core;\n\npub mod ca;\npub mod cert;\n#[cfg(not(tarpaulin_include))]\npub(crate) mod cert_codec;\n#[cfg(test)]\n#[macro_use]\npub mod test;","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-pki","src","test.rs"],"content":"#![allow(clippy::unwrap_used)]\n#![allow(clippy::expect_used)]\n\nuse crate::netmask;\nuse std::net::Ipv4Addr;\nuse std::ops::{Add, Sub};\nuse std::time::{Duration, SystemTime, SystemTimeError, UNIX_EPOCH};\nuse ipnet::Ipv4Net;\nuse crate::cert::{CertificateValidity, deserialize_ed25519_private, deserialize_ed25519_public, deserialize_nebula_certificate, deserialize_nebula_certificate_from_pem, deserialize_x25519_private, deserialize_x25519_public, NebulaCertificate, NebulaCertificateDetails, serialize_ed25519_private, serialize_ed25519_public, serialize_x25519_private, serialize_x25519_public};\nuse std::str::FromStr;\nuse ed25519_dalek::{SigningKey, VerifyingKey};\nuse quick_protobuf::{MessageWrite, Writer};\nuse rand::rngs::OsRng;\nuse crate::ca::{NebulaCAPool};\nuse crate::cert_codec::{RawNebulaCertificate, RawNebulaCertificateDetails};\n\n/// This is a cert that we (e3team) actually use in production, and it's a known-good certificate.\npub const KNOWN_GOOD_CERT: \u0026[u8; 258] = b\"-----BEGIN NEBULA CERTIFICATE-----\\nCkkKF2UzdGVhbSBJbnRlcm5hbCBOZXR3b3JrKJWev5wGMJWFxKsGOiCvpwoHyKY5\\n8Q5+2XxDjtoCf/zlNY/EUdB8bwXQSwEo50ABEkB0Dx76lkMqc3IyH5+ml2dKjTyv\\nB4Jiw6x3abf5YZcf8rDuVEgQpvFdJmo3xJyIb3C9vKZ6kXsUxjw6s1JdWgkA\\n-----END NEBULA CERTIFICATE-----\";\n\n#[test]\nfn certificate_serialization() {\n    let before = round_systime_to_secs(SystemTime::now() - Duration::from_secs(60)).unwrap();\n    let after = round_systime_to_secs(SystemTime::now() + Duration::from_secs(60)).unwrap();\n    let pub_key = b\"1234567890abcedfghij1234567890ab\";\n\n    let cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: \"testing\".to_string(),\n            ips: vec![\n                netmask!(\"10.1.1.1\", \"255.255.255.0\"),\n                netmask!(\"10.1.1.2\", \"255.255.0.0\"),\n                netmask!(\"10.1.1.3\", \"255.0.0.0\")\n            ],\n            subnets: vec![\n                netmask!(\"9.1.1.1\", \"255.255.255.128\"),\n                netmask!(\"9.1.1.2\", \"255.255.255.0\"),\n                netmask!(\"9.1.1.3\", \"255.255.0.0\")\n            ],\n            groups: vec![\"test-group1\".to_string(), \"test-group2\".to_string(), \"test-group3\".to_string()],\n            not_before: before,\n            not_after: after,\n            public_key: *pub_key,\n            is_ca: false,\n            issuer: \"1234567890abcedfabcd1234567890ab\".to_string(),\n        },\n        signature: b\"1234567890abcedfghij1234567890ab\".to_vec(),\n    };\n\n    let bytes = cert.serialize().unwrap();\n\n    let deserialized = deserialize_nebula_certificate(\u0026bytes).unwrap();\n\n    assert_eq!(cert.signature, deserialized.signature);\n    assert_eq!(cert.details.name, deserialized.details.name);\n    assert_eq!(cert.details.not_before, deserialized.details.not_before);\n    assert_eq!(cert.details.not_after, deserialized.details.not_after);\n    assert_eq!(cert.details.public_key, deserialized.details.public_key);\n    assert_eq!(cert.details.is_ca, deserialized.details.is_ca);\n\n    assert_eq!(cert.details.ips.len(), deserialized.details.ips.len());\n    for item in \u0026cert.details.ips {\n        assert!(deserialized.details.ips.contains(item), \"deserialized does not contain from source\");\n    }\n\n    assert_eq!(cert.details.subnets.len(), deserialized.details.subnets.len());\n    for item in \u0026cert.details.subnets {\n        assert!(deserialized.details.subnets.contains(item), \"deserialized does not contain from source\");\n    }\n\n    assert_eq!(cert.details.groups.len(), deserialized.details.groups.len());\n    for item in \u0026cert.details.groups {\n        assert!(deserialized.details.groups.contains(item), \"deserialized does not contain from source\");\n    }\n}\n\n#[test]\nfn certificate_serialization_pem() {\n    let before = round_systime_to_secs(SystemTime::now() - Duration::from_secs(60)).unwrap();\n    let after = round_systime_to_secs(SystemTime::now() + Duration::from_secs(60)).unwrap();\n    let pub_key = b\"1234567890abcedfghij1234567890ab\";\n\n    let cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: \"testing\".to_string(),\n            ips: vec![\n                netmask!(\"10.1.1.1\", \"255.255.255.0\"),\n                netmask!(\"10.1.1.2\", \"255.255.0.0\"),\n                netmask!(\"10.1.1.3\", \"255.0.0.0\")\n            ],\n            subnets: vec![\n                netmask!(\"9.1.1.1\", \"255.255.255.128\"),\n                netmask!(\"9.1.1.2\", \"255.255.255.0\"),\n                netmask!(\"9.1.1.3\", \"255.255.0.0\")\n            ],\n            groups: vec![\"test-group1\".to_string(), \"test-group2\".to_string(), \"test-group3\".to_string()],\n            not_before: before,\n            not_after: after,\n            public_key: *pub_key,\n            is_ca: false,\n            issuer: \"1234567890abcedfabcd1234567890ab\".to_string(),\n        },\n        signature: b\"1234567890abcedfghij1234567890ab\".to_vec(),\n    };\n\n    let bytes = cert.serialize_to_pem().unwrap();\n\n    let deserialized = deserialize_nebula_certificate_from_pem(\u0026bytes).unwrap();\n\n    assert_eq!(cert.signature, deserialized.signature);\n    assert_eq!(cert.details.name, deserialized.details.name);\n    assert_eq!(cert.details.not_before, deserialized.details.not_before);\n    assert_eq!(cert.details.not_after, deserialized.details.not_after);\n    assert_eq!(cert.details.public_key, deserialized.details.public_key);\n    assert_eq!(cert.details.is_ca, deserialized.details.is_ca);\n\n    assert_eq!(cert.details.ips.len(), deserialized.details.ips.len());\n    for item in \u0026cert.details.ips {\n        assert!(deserialized.details.ips.contains(item), \"deserialized does not contain from source\");\n    }\n\n    assert_eq!(cert.details.subnets.len(), deserialized.details.subnets.len());\n    for item in \u0026cert.details.subnets {\n        assert!(deserialized.details.subnets.contains(item), \"deserialized does not contain from source\");\n    }\n\n    assert_eq!(cert.details.groups.len(), deserialized.details.groups.len());\n    for item in \u0026cert.details.groups {\n        assert!(deserialized.details.groups.contains(item), \"deserialized does not contain from source\");\n    }\n}\n\n#[test]\nfn cert_signing() {\n    let before = round_systime_to_secs(SystemTime::now() - Duration::from_secs(60)).unwrap();\n    let after = round_systime_to_secs(SystemTime::now() + Duration::from_secs(60)).unwrap();\n    let pub_key = b\"1234567890abcedfghij1234567890ab\";\n\n    let mut cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: \"testing\".to_string(),\n            ips: vec![\n                netmask!(\"10.1.1.1\", \"255.255.255.0\"),\n                netmask!(\"10.1.1.2\", \"255.255.0.0\"),\n                netmask!(\"10.1.1.3\", \"255.0.0.0\")\n            ],\n            subnets: vec![\n                netmask!(\"9.1.1.1\", \"255.255.255.128\"),\n                netmask!(\"9.1.1.2\", \"255.255.255.0\"),\n                netmask!(\"9.1.1.3\", \"255.255.0.0\")\n            ],\n            groups: vec![\"test-group1\".to_string(), \"test-group2\".to_string(), \"test-group3\".to_string()],\n            not_before: before,\n            not_after: after,\n            public_key: *pub_key,\n            is_ca: false,\n            issuer: \"1234567890abcedfabcd1234567890ab\".to_string(),\n        },\n        signature: b\"1234567890abcedfghij1234567890ab\".to_vec(),\n    };\n\n    let mut csprng = OsRng;\n    let key = SigningKey::generate(\u0026mut csprng);\n\n    assert!(cert.check_signature(\u0026key.verifying_key()).is_err());\n    cert.sign(\u0026key).unwrap();\n    assert!(cert.check_signature(\u0026key.verifying_key()).unwrap());\n}\n\n#[test]\nfn cert_expiry() {\n    let cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: String::new(),\n            ips: vec![],\n            subnets: vec![],\n            groups: vec![],\n            not_before: SystemTime::now().sub(Duration::from_secs(60)),\n            not_after: SystemTime::now().add(Duration::from_secs(60)),\n            public_key: [0u8; 32],\n            is_ca: false,\n            issuer: String::new(),\n        },\n        signature: vec![],\n    };\n\n    assert!(cert.expired(SystemTime::now().add(Duration::from_secs(60 * 60 * 60))));\n    assert!(cert.expired(SystemTime::now().sub(Duration::from_secs(60 * 60 * 60))));\n    assert!(!cert.expired(SystemTime::now()));\n}\n\n#[test]\nfn cert_display() {\n    let cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: String::new(),\n            ips: vec![],\n            subnets: vec![],\n            groups: vec![],\n            not_before: SystemTime::now().sub(Duration::from_secs(60)),\n            not_after: SystemTime::now().add(Duration::from_secs(60)),\n            public_key: [0u8; 32],\n            is_ca: false,\n            issuer: String::new(),\n        },\n        signature: vec![],\n    };\n    println!(\"{cert}\");\n}\n\n#[test]\n#[should_panic]\nfn cert_deserialize_empty_bytes() {\n    deserialize_nebula_certificate(\u0026[]).unwrap();\n}\n\n#[test]\nfn cert_deserialize_unpaired_ips() {\n    let broken_cert = RawNebulaCertificate {\n        Details: Some(RawNebulaCertificateDetails {\n            Name: String::new(),\n            Ips: vec![0],\n            Subnets: vec![],\n            Groups: vec![],\n            NotBefore: 0,\n            NotAfter: 0,\n            PublicKey: vec![],\n            IsCA: false,\n            Issuer: vec![],\n        }),\n        Signature: vec![],\n    };\n    let mut bytes = vec![];\n    let mut writer = Writer::new(\u0026mut bytes);\n    broken_cert.write_message(\u0026mut writer).unwrap();\n\n    deserialize_nebula_certificate(\u0026bytes).unwrap_err();\n}\n\n#[test]\nfn cert_deserialize_unpaired_subnets() {\n    let broken_cert = RawNebulaCertificate {\n        Details: Some(RawNebulaCertificateDetails {\n            Name: String::new(),\n            Ips: vec![],\n            Subnets: vec![0],\n            Groups: vec![],\n            NotBefore: 0,\n            NotAfter: 0,\n            PublicKey: vec![],\n            IsCA: false,\n            Issuer: vec![],\n        }),\n        Signature: vec![],\n    };\n    let mut bytes = vec![];\n    let mut writer = Writer::new(\u0026mut bytes);\n    broken_cert.write_message(\u0026mut writer).unwrap();\n\n    deserialize_nebula_certificate(\u0026bytes).unwrap_err();\n}\n\n#[test]\nfn cert_deserialize_wrong_pubkey_len() {\n    let broken_cert = RawNebulaCertificate {\n        Details: Some(RawNebulaCertificateDetails {\n            Name: String::new(),\n            Ips: vec![],\n            Subnets: vec![],\n            Groups: vec![],\n            NotBefore: 0,\n            NotAfter: 0,\n            PublicKey: vec![0u8; 31],\n            IsCA: false,\n            Issuer: vec![],\n        }),\n        Signature: vec![],\n    };\n    let mut bytes = vec![];\n    let mut writer = Writer::new(\u0026mut bytes);\n    broken_cert.write_message(\u0026mut writer).unwrap();\n\n    deserialize_nebula_certificate(\u0026bytes).unwrap_err();\n\n    assert!(deserialize_nebula_certificate_from_pem(\u0026[0u8; 32]).is_err());\n}\n\n#[test]\nfn x25519_serialization() {\n    let bytes = [0u8; 32];\n    assert_eq!(deserialize_x25519_private(\u0026serialize_x25519_private(\u0026bytes)).unwrap(), bytes);\n    assert!(deserialize_x25519_private(\u0026[0u8; 32]).is_err());\n    assert_eq!(deserialize_x25519_public(\u0026serialize_x25519_public(\u0026bytes)).unwrap(), bytes);\n    assert!(deserialize_x25519_public(\u0026[0u8; 32]).is_err());\n}\n\n#[test]\nfn ed25519_serialization() {\n    let bytes = [0u8; 32];\n    assert_eq!(deserialize_ed25519_private(\u0026serialize_ed25519_private(\u0026bytes)).unwrap(), bytes);\n    assert!(deserialize_ed25519_private(\u0026[0u8; 32]).is_err());\n    assert_eq!(deserialize_ed25519_public(\u0026serialize_ed25519_public(\u0026bytes)).unwrap(), bytes);\n    assert!(deserialize_ed25519_public(\u0026[0u8; 32]).is_err());\n}\n\n#[test]\nfn cert_verify() {\n    let (ca_cert, ca_key, _ca_pub) = test_ca_cert(round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 10)).unwrap(), vec![], vec![], vec![\"groupa\".to_string()]);\n\n    let (cert, _, _) = test_cert(\u0026ca_cert, \u0026ca_key, SystemTime::now(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![], vec![], vec![]);\n\n    let mut ca_pool = NebulaCAPool::new();\n    ca_pool.add_ca_certificate(\u0026ca_cert.serialize_to_pem().unwrap()).unwrap();\n\n    let fingerprint = cert.sha256sum().unwrap();\n    ca_pool.blocklist_fingerprint(\u0026fingerprint);\n\n    assert!(matches!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Blocklisted));\n\n    ca_pool.reset_blocklist();\n\n    assert!(matches!(cert.verify(SystemTime::now() + Duration::from_secs(60 * 60 * 60), \u0026ca_pool).unwrap(), CertificateValidity::RootCertExpired));\n    assert!(matches!(cert.verify(SystemTime::now() + Duration::from_secs(60 * 60 * 6), \u0026ca_pool).unwrap(), CertificateValidity::CertExpired));\n\n    let (cert_with_bad_group, _, _) = test_cert(\u0026ca_cert, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), in_a_minute(), vec![], vec![], vec![\"group-not-present on parent\".to_string()]);\n    assert_eq!(cert_with_bad_group.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::GroupNotPresentOnSigner);\n\n    let (cert_with_good_group, _, _) = test_cert(\u0026ca_cert, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), in_a_minute(), vec![], vec![], vec![\"groupa\".to_string()]);\n    assert_eq!(cert_with_good_group.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n}\n\n#[test]\nfn cert_verify_ip() {\n    let ca_ip_1 = Ipv4Net::from_str(\"10.0.0.0/16\").unwrap();\n    let ca_ip_2 = Ipv4Net::from_str(\"192.168.0.0/24\").unwrap();\n\n    let (ca, ca_key, _ca_pub) = test_ca_cert(round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 10)).unwrap(), vec![ca_ip_1, ca_ip_2], vec![], vec![]);\n\n    let ca_pem = ca.serialize_to_pem().unwrap();\n\n    let mut ca_pool = NebulaCAPool::new();\n    ca_pool.add_ca_certificate(\u0026ca_pem).unwrap();\n\n    // ip is outside the network\n    let cip1 = netmask!(\"10.1.0.0\", \"255.255.255.0\");\n    let cip2 = netmask!(\"192.198.0.1\", \"255.255.0.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::IPNotPresentOnSigner);\n\n    // ip is outside the network - reversed order from above\n    let cip1 = netmask!(\"192.198.0.1\", \"255.255.255.0\");\n    let cip2 = netmask!(\"10.1.0.0\", \"255.255.255.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::IPNotPresentOnSigner);\n\n    // ip is within the network but mask is outside\n    let cip1 = netmask!(\"10.0.1.0\", \"255.254.0.0\");\n    let cip2 = netmask!(\"192.168.0.1\", \"255.255.255.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::IPNotPresentOnSigner);\n\n    // ip is within the network but mask is outside - reversed order from above\n    let cip1 = netmask!(\"192.168.0.1\", \"255.255.255.0\");\n    let cip2 = netmask!(\"10.0.1.0\", \"255.254.0.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::IPNotPresentOnSigner);\n\n    // ip and mask are within the network\n    let cip1 = netmask!(\"10.0.1.0\", \"255.255.0.0\");\n    let cip2 = netmask!(\"192.168.0.1\", \"255.255.255.128\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![ca_ip_1, ca_ip_2], vec![], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches reversed\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![ca_ip_2, ca_ip_1], vec![], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches reversed with just one\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![ca_ip_2], vec![], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n}\n\n#[test]\nfn cert_verify_subnet() {\n    let ca_ip_1 = Ipv4Net::from_str(\"10.0.0.0/16\").unwrap();\n    let ca_ip_2 = Ipv4Net::from_str(\"192.168.0.0/24\").unwrap();\n\n    let (ca, ca_key, _ca_pub) = test_ca_cert(round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 10)).unwrap(), vec![],vec![ca_ip_1, ca_ip_2], vec![]);\n\n    let ca_pem = ca.serialize_to_pem().unwrap();\n\n    let mut ca_pool = NebulaCAPool::new();\n    ca_pool.add_ca_certificate(\u0026ca_pem).unwrap();\n\n    // ip is outside the network\n    let cip1 = netmask!(\"10.1.0.0\", \"255.255.255.0\");\n    let cip2 = netmask!(\"192.198.0.1\", \"255.255.0.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![],vec![cip1, cip2], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::SubnetNotPresentOnSigner);\n\n    // ip is outside the network - reversed order from above\n    let cip1 = netmask!(\"192.198.0.1\", \"255.255.255.0\");\n    let cip2 = netmask!(\"10.1.0.0\", \"255.255.255.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![],vec![cip1, cip2], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::SubnetNotPresentOnSigner);\n\n    // ip is within the network but mask is outside\n    let cip1 = netmask!(\"10.0.1.0\", \"255.254.0.0\");\n    let cip2 = netmask!(\"192.168.0.1\", \"255.255.255.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![],vec![cip1, cip2], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::SubnetNotPresentOnSigner);\n\n    // ip is within the network but mask is outside - reversed order from above\n    let cip1 = netmask!(\"192.168.0.1\", \"255.255.255.0\");\n    let cip2 = netmask!(\"10.0.1.0\", \"255.254.0.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::SubnetNotPresentOnSigner);\n\n    // ip and mask are within the network\n    let cip1 = netmask!(\"10.0.1.0\", \"255.255.0.0\");\n    let cip2 = netmask!(\"192.168.0.1\", \"255.255.255.128\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![], vec![cip1, cip2], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![],vec![ca_ip_1, ca_ip_2], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches reversed\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![], vec![ca_ip_2, ca_ip_1], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches reversed with just one\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![], vec![ca_ip_2], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n}\n\n#[test]\nfn cert_private_key() {\n    let (ca, ca_key, _) = test_ca_cert(SystemTime::now(), SystemTime::now(), vec![], vec![], vec![]);\n    ca.verify_private_key(\u0026ca_key.to_keypair_bytes()).unwrap();\n\n    let (_, ca_key2, _) = test_ca_cert(SystemTime::now(), SystemTime::now(), vec![], vec![], vec![]);\n    ca.verify_private_key(\u0026ca_key2.to_keypair_bytes()).unwrap_err();\n\n    let (cert, priv_key, _) = test_cert(\u0026ca, \u0026ca_key, SystemTime::now(), SystemTime::now(), vec![], vec![], vec![]);\n    cert.verify_private_key(\u0026priv_key.to_bytes()).unwrap();\n\n    let (cert2, _, _) = test_cert(\u0026ca, \u0026ca_key, SystemTime::now(), SystemTime::now(), vec![], vec![], vec![]);\n    cert2.verify_private_key(\u0026priv_key.to_bytes()).unwrap_err();\n}\n\n#[test]\nfn capool_from_pem() {\n    let no_newlines = b\"# Current provisional, Remove once everything moves over to the real root.\n-----BEGIN NEBULA CERTIFICATE-----\nCkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL\nvcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv\nbzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB\n-----END NEBULA CERTIFICATE-----\n# root-ca01\n-----BEGIN NEBULA CERTIFICATE-----\nCkMKEW5lYnVsYSByb290IGNhIDAxKJL2u9EFMJL86+cGOiDPXMH4oU6HZTk/CqTG\nBVG+oJpAoqokUBbI4U0N8CSfpUABEkB/Pm5A2xyH/nc8mg/wvGUWG3pZ7nHzaDMf\n8/phAUt+FLzqTECzQKisYswKvE3pl9mbEYKbOdIHrxdIp95mo4sF\n-----END NEBULA CERTIFICATE-----\";\n    let with_newlines = b\"# Current provisional, Remove once everything moves over to the real root.\n-----BEGIN NEBULA CERTIFICATE-----\nCkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL\nvcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv\nbzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB\n-----END NEBULA CERTIFICATE-----\n# root-ca01\n-----BEGIN NEBULA CERTIFICATE-----\nCkMKEW5lYnVsYSByb290IGNhIDAxKJL2u9EFMJL86+cGOiDPXMH4oU6HZTk/CqTG\nBVG+oJpAoqokUBbI4U0N8CSfpUABEkB/Pm5A2xyH/nc8mg/wvGUWG3pZ7nHzaDMf\n8/phAUt+FLzqTECzQKisYswKvE3pl9mbEYKbOdIHrxdIp95mo4sF\n-----END NEBULA CERTIFICATE-----\n\n\";\n    let expired = b\"# expired certificate\n-----BEGIN NEBULA CERTIFICATE-----\nCjkKB2V4cGlyZWQouPmWjQYwufmWjQY6ILCRaoCkJlqHgv5jfDN4lzLHBvDzaQm4\nvZxfu144hmgjQAESQG4qlnZi8DncvD/LDZnLgJHOaX1DWCHHEh59epVsC+BNgTie\nWH1M9n4O7cFtGlM6sJJOS+rCVVEJ3ABS7+MPdQs=\n-----END NEBULA CERTIFICATE-----\";\n\n    let pool_a = NebulaCAPool::new_from_pem(no_newlines).unwrap();\n    assert_eq!(pool_a.cas[\"c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522\"].details.name, \"nebula root ca\".to_string());\n    assert_eq!(pool_a.cas[\"5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd\"].details.name, \"nebula root ca 01\".to_string());\n    assert!(!pool_a.expired);\n\n    let pool_b = NebulaCAPool::new_from_pem(with_newlines).unwrap();\n    assert_eq!(pool_b.cas[\"c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522\"].details.name, \"nebula root ca\".to_string());\n    assert_eq!(pool_b.cas[\"5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd\"].details.name, \"nebula root ca 01\".to_string());\n    assert!(!pool_b.expired);\n\n    let pool_c = NebulaCAPool::new_from_pem(expired).unwrap();\n    assert!(pool_c.expired);\n    assert_eq!(pool_c.cas[\"152070be6bb19bc9e3bde4c2f0e7d8f4ff5448b4c9856b8eccb314fade0229b0\"].details.name, \"expired\");\n\n    let mut pool_d = NebulaCAPool::new_from_pem(with_newlines).unwrap();\n    pool_d.add_ca_certificate(expired).unwrap();\n    assert_eq!(pool_d.cas[\"c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522\"].details.name, \"nebula root ca\".to_string());\n    assert_eq!(pool_d.cas[\"5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd\"].details.name, \"nebula root ca 01\".to_string());\n    assert_eq!(pool_d.cas[\"152070be6bb19bc9e3bde4c2f0e7d8f4ff5448b4c9856b8eccb314fade0229b0\"].details.name, \"expired\");\n    assert!(pool_d.expired);\n    assert_eq!(pool_d.get_fingerprints().len(), 3);\n}\n\n#[macro_export]\nmacro_rules! netmask {\n    ($ip:expr,$mask:expr) =\u003e {\n        Ipv4Net::with_netmask(Ipv4Addr::from_str($ip).unwrap(), Ipv4Addr::from_str($mask).unwrap()).unwrap()\n    };\n}\n\nfn round_systime_to_secs(time: SystemTime) -\u003e Result\u003cSystemTime, SystemTimeError\u003e {\n    let secs = time.duration_since(UNIX_EPOCH)?.as_secs();\n    Ok(SystemTime::UNIX_EPOCH.add(Duration::from_secs(secs)))\n}\n\nfn test_ca_cert(before: SystemTime, after: SystemTime, ips: Vec\u003cIpv4Net\u003e, subnets: Vec\u003cIpv4Net\u003e, groups: Vec\u003cString\u003e) -\u003e (NebulaCertificate, SigningKey, VerifyingKey) {\n    let mut csprng = OsRng;\n    let key = SigningKey::generate(\u0026mut csprng);\n    let pub_key = key.verifying_key();\n\n    let mut cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: \"TEST_CA\".to_string(),\n            ips,\n            subnets,\n            groups,\n            not_before: before,\n            not_after: after,\n            public_key: pub_key.to_bytes(),\n            is_ca: true,\n            issuer: \"\".to_string(),\n        },\n        signature: vec![],\n    };\n    cert.sign(\u0026key).unwrap();\n    (cert, key, pub_key)\n}\n\nfn test_cert(ca: \u0026NebulaCertificate, key: \u0026SigningKey, before: SystemTime, after: SystemTime, ips: Vec\u003cIpv4Net\u003e, subnets: Vec\u003cIpv4Net\u003e, groups: Vec\u003cString\u003e) -\u003e (NebulaCertificate, SigningKey, VerifyingKey) {\n    let issuer = ca.sha256sum().unwrap();\n\n    let real_groups = if groups.is_empty() {\n        vec![\"test-group1\".to_string(), \"test-group2\".to_string(), \"test-group3\".to_string()]\n    } else {\n        groups\n    };\n\n    let real_ips = if ips.is_empty() {\n        vec![\n            netmask!(\"10.1.1.1\", \"255.255.255.0\"),\n            netmask!(\"10.1.1.2\", \"255.255.0.0\"),\n            netmask!(\"10.1.1.3\", \"255.0.0.0\")\n        ]\n    } else {\n        ips\n    };\n\n    let real_subnets = if subnets.is_empty() {\n        vec![\n            netmask!(\"9.1.1.1\", \"255.255.255.128\"),\n            netmask!(\"9.1.1.2\", \"255.255.255.0\"),\n            netmask!(\"9.1.1.3\", \"255.255.0.0\")\n        ]\n    } else {\n        subnets\n    };\n\n    let mut csprng = OsRng;\n    let cert_key = SigningKey::generate(\u0026mut csprng);\n    let pub_key = cert_key.verifying_key();\n\n    let mut cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: \"TEST_CA\".to_string(),\n            ips: real_ips,\n            subnets: real_subnets,\n            groups: real_groups,\n            not_before: before,\n            not_after: after,\n            public_key: pub_key.to_bytes(),\n            is_ca: false,\n            issuer,\n        },\n        signature: vec![],\n    };\n    cert.sign(key).unwrap();\n    (cert, cert_key, pub_key)\n}\n\n#[allow(dead_code)]\nfn in_a_minute() -\u003e SystemTime {\n    round_systime_to_secs(SystemTime::now().add(Duration::from_secs(60))).unwrap()\n}\n#[allow(dead_code)]\nfn a_minute_ago() -\u003e SystemTime {\n    round_systime_to_secs(SystemTime::now().sub(Duration::from_secs(60))).unwrap()\n}","traces":[],"covered":0,"coverable":0}]};
-        var previousData = {"files":[{"path":["/","home","core","prj","e3t","trifid","tfclient","src","main.rs"],"content":"fn main() {\n    println!(\"Hello, world!\");\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","build.rs"],"content":"// generated by `sqlx migrate build-script`\nfn main() {\n    // trigger recompilation when a new migration is added\n    println!(\"cargo:rerun-if-changed=migrations\");\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","auth.rs"],"content":"use rocket::http::Status;\nuse rocket::{Request};\nuse rocket::request::{FromRequest, Outcome};\nuse crate::tokens::{validate_auth_token, validate_session_token};\n\npub struct PartialUserInfo {\n    pub user_id: i32,\n    pub created_at: i64,\n    pub email: String,\n    pub has_totp_auth: bool,\n\n    pub session_id: String,\n    pub auth_id: Option\u003cString\u003e\n}\n\n#[derive(Debug)]\npub enum AuthenticationError {\n    MissingToken,\n    InvalidToken(usize),\n    DatabaseError,\n    RequiresTOTP\n}\n\n#[rocket::async_trait]\nimpl\u003c'r\u003e FromRequest\u003c'r\u003e for PartialUserInfo {\n    type Error = AuthenticationError;\n\n    async fn from_request(req: \u0026'r Request\u003c'_\u003e) -\u003e Outcome\u003cSelf, Self::Error\u003e {\n        let headers = req.headers();\n\n        // make sure the bearer token exists\n        if let Some(authorization) = headers.get_one(\"Authorization\") {\n            // parse bearer token\n            let components = authorization.split(' ').collect::\u003cVec\u003c\u0026str\u003e\u003e();\n\n            if components.len() != 2 \u0026\u0026 components.len() != 3 {\n                return Outcome::Failure((Status::Unauthorized, AuthenticationError::MissingToken));\n            }\n\n            if components[0] != \"Bearer\" {\n                return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(0)));\n            }\n\n            if components.len() == 2 \u0026\u0026 !components[1].starts_with(\"st-\") {\n                return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(1)));\n            }\n\n            let st: String;\n            let user_id: i64;\n            let at: Option\u003cString\u003e;\n\n            match \u0026components[1][..3] {\n                \"st-\" =\u003e {\n                    // validate session token\n                    st = components[1].to_string();\n                    match validate_session_token(st.clone(), req.rocket().state().unwrap()).await {\n                        Ok(uid) =\u003e user_id = uid,\n                        Err(_) =\u003e return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(2)))\n                    }\n                },\n                _ =\u003e return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(3)))\n            }\n\n            if components.len() == 3 {\n                match \u0026components[2][..3] {\n                    \"at-\" =\u003e {\n                        // validate auth token\n                        at = Some(components[2].to_string());\n                        match validate_auth_token(at.clone().unwrap().clone(), st.clone(), req.rocket().state().unwrap()).await {\n                            Ok(_) =\u003e (),\n                            Err(_) =\u003e return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(4)))\n                        }\n                    },\n                    _ =\u003e return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(5)))\n                }\n            } else {\n                at = None;\n            }\n\n            // this user is 100% valid and authenticated, fetch their info\n\n            let user = match sqlx::query!(\"SELECT * FROM users WHERE id = $1\", user_id.clone() as i32).fetch_one(req.rocket().state().unwrap()).await {\n                Ok(u) =\u003e u,\n                Err(_) =\u003e return Outcome::Failure((Status::InternalServerError, AuthenticationError::DatabaseError))\n            };\n\n            Outcome::Success(PartialUserInfo {\n                user_id: user_id as i32,\n                created_at: user.created_on as i64,\n                email: user.email,\n                has_totp_auth: at.is_some(),\n                session_id: st,\n                auth_id: at,\n            })\n        } else {\n            Outcome::Failure((Status::Unauthorized, AuthenticationError::MissingToken))\n        }\n    }\n}\n\npub struct TOTPAuthenticatedUserInfo {\n    pub user_id: i32,\n    pub created_at: i64,\n    pub email: String,\n}\n#[rocket::async_trait]\nimpl\u003c'r\u003e FromRequest\u003c'r\u003e for TOTPAuthenticatedUserInfo {\n    type Error = AuthenticationError;\n\n    async fn from_request(request: \u0026'r Request\u003c'_\u003e) -\u003e Outcome\u003cSelf, Self::Error\u003e {\n        let userinfo = PartialUserInfo::from_request(request).await;\n        match userinfo {\n            Outcome::Failure(e) =\u003e Outcome::Failure(e),\n            Outcome::Forward(f) =\u003e Outcome::Forward(f),\n            Outcome::Success(s) =\u003e {\n                if s.has_totp_auth {\n                    Outcome::Success(Self {\n                        user_id: s.user_id,\n                        created_at: s.created_at,\n                        email: s.email,\n                    })\n                } else {\n                    Outcome::Failure((Status::Unauthorized, AuthenticationError::RequiresTOTP))\n                }\n            }\n        }\n    }\n}","traces":[{"line":28,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":29,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":32,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":34,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":36,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":37,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":40,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":41,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":44,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":45,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":48,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":49,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":50,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":52,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":53,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":55,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":56,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":57,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":58,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":61,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":64,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":65,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":66,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":68,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":69,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":70,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":71,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":74,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":77,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":82,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":83,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":84,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":87,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":88,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":89,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":90,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":91,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":92,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":93,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":96,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":110,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":111,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":112,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":113,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":114,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":115,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":116,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":117,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":118,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":119,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":120,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":123,"address":[],"length":0,"stats":{"Line":0},"fn_name":null}],"covered":0,"coverable":52},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","config.rs"],"content":"use serde::Deserialize;\nuse url::Url;\n\n#[derive(Deserialize)]\npub struct TFConfig {\n    pub listen_port: u16,\n    pub db_url: String,\n    pub base: Url,\n    pub web_root: Url,\n    pub magic_links_valid_for: i64,\n    pub session_tokens_valid_for: i64,\n    pub totp_verification_valid_for: i64,\n    pub data_key: String\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","crypto.rs"],"content":"use std::error::Error;\nuse aes_gcm::{Aes256Gcm, KeyInit, Nonce};\nuse aes_gcm::aead::{Aead, Payload};\nuse crate::config::TFConfig;\n\npub fn get_cipher_from_config(config: \u0026TFConfig) -\u003e Result\u003cAes256Gcm, Box\u003cdyn Error\u003e\u003e {\n    let key_slice = hex::decode(\u0026config.data_key)?;\n    Ok(Aes256Gcm::new_from_slice(\u0026key_slice)?)\n}\n\npub fn encrypt_with_nonce(plaintext: \u0026[u8], nonce: [u8; 12], cipher: \u0026Aes256Gcm) -\u003e Result\u003cVec\u003cu8\u003e, aes_gcm::Error\u003e {\n    let nonce = Nonce::from_slice(\u0026nonce);\n    let ciphertext = cipher.encrypt(nonce, plaintext)?;\n    Ok(ciphertext)\n}\n\npub fn decrypt_with_nonce(ciphertext: \u0026[u8], nonce: [u8; 12], cipher: \u0026Aes256Gcm) -\u003e Result\u003cVec\u003cu8\u003e, aes_gcm::Error\u003e {\n    let nonce = Nonce::from_slice(\u0026nonce);\n    let plaintext = cipher.decrypt(nonce, Payload::from(ciphertext))?;\n    Ok(plaintext)\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","db.rs"],"content":"","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","format.rs"],"content":"use std::fmt::{Display, Formatter};\nuse crate::format::PEMValidationError::{IncorrectSegmentLength, InvalidBase64Data, MissingStartSentinel};\nuse crate::util::base64decode;\n\npub const ED_PUBKEY_START_STR: \u0026str = \"-----BEGIN NEBULA ED25519 PUBLIC KEY-----\";\npub const ED_PUBKEY_END_STR: \u0026str = \"-----END NEBULA ED25519 PUBLIC KEY-----\";\n\npub const DH_PUBKEY_START_STR: \u0026str = \"-----BEGIN NEBULA X25519 PUBLIC KEY-----\";\npub const DH_PUBKEY_END_STR: \u0026str = \"-----END NEBULA X25519 PUBLIC KEY-----\";\n\npub enum PEMValidationError {\n    MissingStartSentinel,\n    InvalidBase64Data,\n    MissingEndSentinel,\n    IncorrectSegmentLength(usize, usize)\n}\nimpl Display for PEMValidationError {\n    fn fmt(\u0026self, f: \u0026mut Formatter\u003c'_\u003e) -\u003e std::fmt::Result {\n        match self {\n            Self::MissingEndSentinel =\u003e write!(f, \"Missing ending sentinel\"),\n            Self::MissingStartSentinel =\u003e write!(f, \"Missing starting sentinel\"),\n            Self::InvalidBase64Data =\u003e write!(f, \"invalid base64 data\"),\n            Self::IncorrectSegmentLength(expected, got) =\u003e write!(f, \"incorrect number of segments, expected {} got {}\", expected, got)\n        }\n    }\n}\n\npub fn validate_ed_pubkey_pem(pubkey: \u0026str) -\u003e Result\u003c(), PEMValidationError\u003e {\n    let segments = pubkey.split('\\n');\n    let segs = segments.collect::\u003cVec\u003c\u0026str\u003e\u003e();\n    if segs.len() \u003c 3 {\n        return Err(IncorrectSegmentLength(3, segs.len()))\n    }\n    if segs[0] != ED_PUBKEY_START_STR {\n        return Err(MissingStartSentinel)\n    }\n    if base64decode(segs[1]).is_err() {\n        return Err(InvalidBase64Data)\n    }\n    if segs[2] != ED_PUBKEY_END_STR {\n        return Err(MissingStartSentinel)\n    }\n    Ok(())\n}\n\npub fn validate_dh_pubkey_pem(pubkey: \u0026str) -\u003e Result\u003c(), PEMValidationError\u003e {\n    let segments = pubkey.split('\\n');\n    let segs = segments.collect::\u003cVec\u003c\u0026str\u003e\u003e();\n    if segs.len() \u003c 3 {\n        return Err(IncorrectSegmentLength(3, segs.len()))\n    }\n    if segs[0] != DH_PUBKEY_START_STR {\n        return Err(MissingStartSentinel)\n    }\n    if base64decode(segs[1]).is_err() {\n        return Err(InvalidBase64Data)\n    }\n    if segs[2] != DH_PUBKEY_END_STR {\n        return Err(MissingStartSentinel)\n    }\n    Ok(())\n}\n\npub fn validate_ed_pubkey_base64(pubkey: \u0026str) -\u003e Result\u003c(), PEMValidationError\u003e {\n    match base64decode(pubkey) {\n        Ok(k) =\u003e validate_ed_pubkey_pem(match std::str::from_utf8(k.as_ref()) {\n            Ok(k) =\u003e k,\n            Err(_) =\u003e return Err(InvalidBase64Data)\n        }),\n        Err(_) =\u003e Err(InvalidBase64Data)\n    }\n}\n\npub fn validate_dh_pubkey_base64(pubkey: \u0026str) -\u003e Result\u003c(), PEMValidationError\u003e {\n    match base64decode(pubkey) {\n        Ok(k) =\u003e validate_dh_pubkey_pem(match std::str::from_utf8(k.as_ref()) {\n            Ok(k) =\u003e k,\n            Err(_) =\u003e return Err(InvalidBase64Data)\n        }),\n        Err(_) =\u003e Err(InvalidBase64Data)\n    }\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","main.rs"],"content":"extern crate core;\n\nuse std::error::Error;\nuse std::fs;\nuse std::path::Path;\nuse dotenvy::dotenv;\nuse log::{error, info};\nuse rocket::{catchers, Request, Response, routes};\nuse rocket::fairing::{Fairing, Info, Kind};\nuse rocket::http::Header;\nuse sqlx::migrate::Migrator;\nuse sqlx::postgres::PgPoolOptions;\nuse crate::config::TFConfig;\n\npub mod format;\npub mod util;\npub mod db;\npub mod config;\npub mod tokens;\npub mod routes;\npub mod auth;\npub mod crypto;\npub mod org;\n\nstatic MIGRATOR: Migrator = sqlx::migrate!();\n\npub struct CORS;\n\n#[rocket::async_trait]\nimpl Fairing for CORS {\n    fn info(\u0026self) -\u003e Info {\n        Info {\n            name: \"Add CORS headers to responses\",\n            kind: Kind::Response\n        }\n    }\n\n    async fn on_response\u003c'r\u003e(\u0026self, _request: \u0026'r Request\u003c'_\u003e, response: \u0026mut Response\u003c'r\u003e) {\n        response.set_header(Header::new(\"Access-Control-Allow-Origin\", \"*\"));\n        response.set_header(Header::new(\"Access-Control-Allow-Methods\", \"POST, GET, PATCH, OPTIONS\"));\n        response.set_header(Header::new(\"Access-Control-Allow-Headers\", \"*\"));\n        response.set_header(Header::new(\"Access-Control-Allow-Credentials\", \"true\"));\n    }\n}\n\n#[rocket::main]\nasync fn main() -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n    let _ = rocket::build();\n\n    info!(\"[tfapi] loading config\");\n\n    let _ = dotenv();\n\n    if std::env::var(\"CONFIG_FILE\").is_err() \u0026\u0026 !Path::new(\"config.toml\").exists() {\n        error!(\"[tfapi] fatal: the environment variable CONFIG_FILE is not set\");\n        error!(\"[tfapi]  help: try creating a .env file that sets it\");\n        error!(\"[tfapi]  help: or, create a file config.toml with your config, as it is loaded automatically\");\n        std::process::exit(1);\n    }\n\n    let config_file = if Path::new(\"config.toml\").exists() {\n        \"config.toml\".to_string()\n    } else {\n        std::env::var(\"CONFIG_FILE\").unwrap()\n    };\n\n    let config_data = match fs::read_to_string(\u0026config_file) {\n        Ok(d) =\u003e d,\n        Err(e) =\u003e {\n            error!(\"[tfapi] fatal: unable to read config from {}\", config_file);\n            error!(\"[tfapi] fatal: {}\", e);\n            std::process::exit(1);\n        }\n    };\n\n    let config: TFConfig = match toml::from_str(\u0026config_data) {\n        Ok(c) =\u003e c,\n        Err(e) =\u003e {\n            error!(\"[tfapi] fatal: unable to parse config from {}\", config_file);\n            error!(\"[tfapi] fatal: {}\", e);\n            std::process::exit(1);\n        }\n    };\n\n    info!(\"[tfapi] connecting to database pool\");\n\n    let pool = match PgPoolOptions::new().max_connections(5).connect(\u0026config.db_url).await {\n        Ok(p) =\u003e p,\n        Err(e) =\u003e {\n            error!(\"[tfapi] fatal: unable to connect to database pool\");\n            error!(\"[tfapi] fatal: {}\", e);\n            std::process::exit(1);\n        }\n    };\n\n    info!(\"[tfapi] running database migrations\");\n\n    MIGRATOR.run(\u0026pool).await?;\n\n    info!(\"[tfapi] building rocket config\");\n\n    let figment = rocket::Config::figment().merge((\"port\", config.listen_port));\n\n    let _ = rocket::custom(figment)\n        .mount(\"/\", routes![\n            crate::routes::v1::auth::magic_link::magiclink_request,\n            crate::routes::v1::auth::magic_link::options,\n            crate::routes::v1::signup::signup_request,\n            crate::routes::v1::signup::options,\n            crate::routes::v1::auth::verify_magic_link::verify_magic_link,\n            crate::routes::v1::auth::verify_magic_link::options,\n            crate::routes::v1::totp_authenticators::totp_authenticators_request,\n            crate::routes::v1::totp_authenticators::options,\n            crate::routes::v1::verify_totp_authenticator::verify_totp_authenticator_request,\n            crate::routes::v1::verify_totp_authenticator::options,\n            crate::routes::v1::auth::totp::totp_request,\n            crate::routes::v1::auth::totp::options,\n            crate::routes::v1::auth::check_session::check_session,\n            crate::routes::v1::auth::check_session::check_session_auth,\n            crate::routes::v1::auth::check_session::options,\n            crate::routes::v1::auth::check_session::options_auth,\n            crate::routes::v2::whoami::whoami_request,\n            crate::routes::v2::whoami::options,\n\n            crate::routes::v1::organization::options,\n            crate::routes::v1::organization::orgidoptions,\n            crate::routes::v1::organization::orginfo_req,\n            crate::routes::v1::organization::orglist_req,\n            crate::routes::v1::organization::create_org\n        ])\n        .register(\"/\", catchers![\n            crate::routes::handler_400,\n            crate::routes::handler_401,\n            crate::routes::handler_403,\n            crate::routes::handler_404,\n            crate::routes::handler_422,\n\n            crate::routes::handler_500,\n            crate::routes::handler_501,\n            crate::routes::handler_502,\n            crate::routes::handler_503,\n            crate::routes::handler_504,\n            crate::routes::handler_505,\n        ])\n        .attach(CORS)\n        .manage(pool)\n        .manage(config)\n        .launch().await?;\n\n    Ok(())\n}","traces":[{"line":38,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":39,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":40,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":41,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":42,"address":[],"length":0,"stats":{"Line":0},"fn_name":null}],"covered":0,"coverable":5},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","org.rs"],"content":"use std::error::Error;\nuse rocket::form::validate::Contains;\nuse sqlx::PgPool;\n\npub async fn get_org_by_owner_id(user: i32, db: \u0026PgPool) -\u003e Result\u003cOption\u003ci32\u003e, Box\u003cdyn Error\u003e\u003e {\n    Ok(match sqlx::query!(\"SELECT id FROM organizations WHERE owner = $1\", user).fetch_optional(db).await? {\n        Some(r) =\u003e Some(r.id),\n        None =\u003e None\n    })\n}\n\npub async fn get_orgs_by_assoc_id(user: i32, db: \u0026PgPool) -\u003e Result\u003cVec\u003ci32\u003e, Box\u003cdyn Error\u003e\u003e {\n    let res: Vec\u003c_\u003e = sqlx::query!(\"SELECT org_id FROM organization_authorized_users WHERE user_id = $1\", user).fetch_all(db).await?;\n\n    let mut ret = vec![];\n\n    for i in res {\n        ret.push(i.org_id);\n    }\n\n    Ok(ret)\n}\n\npub async fn get_users_by_assoc_org(org: i32, db: \u0026PgPool) -\u003e Result\u003cVec\u003ci32\u003e, Box\u003cdyn Error\u003e\u003e {\n    let res: Vec\u003c_\u003e = sqlx::query!(\"SELECT user_id FROM organization_authorized_users WHERE org_id = $1\", org).fetch_all(db).await?;\n\n    let mut ret = vec![];\n\n    for i in res {\n        ret.push(i.org_id);\n    }\n\n    Ok(ret)\n}\n\npub async fn get_associated_orgs(user: i32, db: \u0026PgPool) -\u003e Result\u003cVec\u003ci32\u003e, Box\u003cdyn Error\u003e\u003e {\n    let mut assoc_orgs = vec![];\n\n    if let Some(owned_org) = get_org_by_owner_id(user, db).await? {\n        assoc_orgs.push(owned_org);\n    }\n\n    assoc_orgs.append(\u0026mut get_orgs_by_assoc_id(user, db).await?);\n\n    Ok(assoc_orgs)\n}\n\npub async fn user_has_org_assoc(user: i32, org: i32, db: \u0026PgPool) -\u003e Result\u003cbool, Box\u003cdyn Error\u003e\u003e {\n    Ok(get_associated_orgs(user, db).await?.contains(org))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","mod.rs"],"content":"pub mod v1;\npub mod v2;\n\nuse rocket::catch;\nuse serde::{Serialize};\nuse rocket::http::Status;\n\npub const ERR_MSG_MALFORMED_REQUEST: \u0026str = \"unable to parse the request body - is it valid JSON, using correct types?\";\npub const ERR_MSG_MALFORMED_REQUEST_CODE: \u0026str = \"ERR_MALFORMED_REQUEST\";\n\n/*\nTODO:\n    /v1/auth/magic-link                         [done]\n    /v1/auth/totp                               [done]\n    /v1/auth/verify-magic-link                  [done]\n    /v1/hosts/host-{id}/enrollment-code\n    /v1/hosts/host-{id}/enrollment-code-check\n    /v1/hosts/host-{id}\n    /v1/roles/role-{id}\n    /v1/feature-flags\n    /v1/hosts\n    /v1/networks\n    /v1/roles\n    /v1/signup                                  [done]\n    /v1/totp-authenticators                     [done]\n    /v1/verify-totp-authenticator               [done]\n    /v1/dnclient\n    /v2/enroll\n    /v2/whoami                                  [in-progress]\n */\n\n#[derive(Serialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct APIError {\n    errors: Vec\u003cAPIErrorSingular\u003e\n}\n#[derive(Serialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct APIErrorSingular {\n    code: String,\n    message: String\n}\n\nmacro_rules! error_handler {\n    ($code: expr, $err: expr, $msg: expr) =\u003e {\n        ::paste::paste! {\n            #[catch($code)]\n            pub fn [\u003chandler_ $code\u003e]() -\u003e (Status, String) {\n                (Status::from_code($code).unwrap(), format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", $err, $msg))\n            }\n        }\n    };\n}\nerror_handler!(400, \"ERR_MALFORMED_REQUEST\", \"unable to parse the request body, is it properly formatted?\");\nerror_handler!(401, \"ERR_AUTHENTICATION_REQUIRED\", \"this endpoint requires authentication but it was not provided\");\nerror_handler!(403, \"ERR_UNAUTHORIZED\", \"authorization was provided but it is expired or invalid\");\nerror_handler!(404, \"ERR_NOT_FOUND\", \"resource not found\");\nerror_handler!(405, \"ERR_METHOD_NOT_ALLOWED\", \"method not allowed for this endpoint\");\nerror_handler!(422, \"ERR_MALFORMED_REQUEST\", \"unable to parse the request body, is it properly formatted?\");\n\nerror_handler!(500, \"ERR_QL_QUERY_FAILED\", \"graphql query timed out\");\nerror_handler!(501, \"ERR_NOT_IMPLEMENTED\", \"query not supported by this version of graphql\");\nerror_handler!(502, \"ERR_PROXY_ERR\", \"servers under load, please try again later\");\nerror_handler!(503, \"ERR_SERVER_OVERLOADED\", \"servers under load, please try again later\");\nerror_handler!(504, \"ERR_PROXY_TIMEOUT\", \"servers under load, please try again later\");\nerror_handler!(505, \"ERR_CLIENT_UNSUPPORTED\", \"your version of dnclient is out of date, please update\");\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","auth","check_session.rs"],"content":"use rocket::{post, options};\nuse crate::auth::{PartialUserInfo, TOTPAuthenticatedUserInfo};\n\n#[options(\"/v1/auth/check_session\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n#[post(\"/v1/auth/check_session\")]\npub async fn check_session(_user: PartialUserInfo) -\u003e \u0026'static str {\n    \"ok\"\n}\n\n#[options(\"/v1/auth/check_auth\")]\npub async fn options_auth() -\u003e \u0026'static str {\n    \"\"\n}\n\n\n#[post(\"/v1/auth/check_auth\")]\npub async fn check_session_auth(_user: TOTPAuthenticatedUserInfo) -\u003e \u0026'static str {\n    \"ok\"\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","auth","magic_link.rs"],"content":"use rocket::{post, State};\nuse rocket::serde::json::Json;\nuse serde::{Serialize, Deserialize};\nuse rocket::http::{ContentType, Status};\nuse sqlx::PgPool;\nuse crate::config::TFConfig;\nuse crate::tokens::send_magic_link;\nuse rocket::options;\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct MagicLinkRequest {\n    pub email: String,\n}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct MagicLinkResponseMetadata {}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct MagicLinkResponse {\n    pub data: Option\u003cString\u003e,\n    pub metadata: MagicLinkResponseMetadata,\n}\n\n\n#[options(\"/v1/auth/magic-link\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n#[post(\"/v1/auth/magic-link\", data = \"\u003creq\u003e\")]\npub async fn magiclink_request(req: Json\u003cMagicLinkRequest\u003e, pool: \u0026State\u003cPgPool\u003e, config: \u0026State\u003cTFConfig\u003e) -\u003e Result\u003c(ContentType, Json\u003cMagicLinkResponse\u003e), (Status, String)\u003e {\n    // figure out if the user already exists\n    let mut id = -1;\n    match sqlx::query!(\"SELECT id FROM users WHERE email = $1\", req.email.clone()).fetch_optional(pool.inner()).await {\n        Ok(res) =\u003e if let Some(r) = res { id = r.id as i64 },\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))\n        }\n    }\n\n    if id == -1 {\n        return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_UNAUTHORIZED\", \"authorization was provided but it is expired or invalid\")))\n    }\n\n    // send magic link to email\n    match send_magic_link(id, req.email.clone(), pool.inner(), config.inner()).await {\n        Ok(_) =\u003e (),\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))\n        }\n    };\n\n    // this endpoint doesn't actually ever return an error? it will send you the magic link no matter what\n    // this appears to do the exact same thing as /v1/auth/magic-link, but it doesn't check if you have an account (magic-link does)\n    Ok((ContentType::JSON, Json(MagicLinkResponse {\n        data: None,\n        metadata: MagicLinkResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","auth","mod.rs"],"content":"pub mod verify_magic_link;\npub mod magic_link;\npub mod totp;\npub mod check_session;","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","auth","totp.rs"],"content":"use rocket::http::{ContentType, Status};\nuse rocket::serde::json::Json;\nuse crate::auth::PartialUserInfo;\nuse serde::{Serialize, Deserialize};\nuse rocket::{post, State};\nuse sqlx::PgPool;\nuse rocket::options;\nuse crate::tokens::{generate_auth_token, get_totpmachine, user_has_totp};\n\npub const TOTP_GENERIC_UNAUTHORIZED_ERROR: \u0026str = \"{\\\"errors\\\":[{\\\"code\\\":\\\"ERR_INVALID_TOTP_CODE\\\",\\\"message\\\":\\\"invalid TOTP code (maybe it expired?)\\\",\\\"path\\\":\\\"code\\\"}]}\";\npub const TOTP_NO_TOTP_ERROR: \u0026str = \"{\\\"errors\\\":[{\\\"code\\\":\\\"ERR_NO_TOTP\\\",\\\"message\\\":\\\"logged-in user does not have totp enabled\\\",\\\"path\\\":\\\"code\\\"}]}\";\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpRequest {\n    pub code: String\n}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpResponseData {\n    #[serde(rename = \"authToken\")]\n    auth_token: String\n}\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpResponseMetadata {\n}\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpResponse {\n    data: TotpResponseData,\n    metadata: TotpResponseMetadata\n}\n\n#[options(\"/v1/auth/totp\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n\n#[post(\"/v1/auth/totp\", data = \"\u003creq\u003e\")]\npub async fn totp_request(req: Json\u003cTotpRequest\u003e, user: PartialUserInfo, db: \u0026State\u003cPgPool\u003e) -\u003e Result\u003c(ContentType, Json\u003cTotpResponse\u003e), (Status, String)\u003e {\n    if !match user_has_totp(user.user_id, db.inner()).await {\n        Ok(b) =\u003e b,\n        Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n    } {\n        return Err((Status::UnprocessableEntity, TOTP_NO_TOTP_ERROR.to_string()))\n    }\n\n    if user.has_totp_auth {\n        return Err((Status::BadRequest, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_TOTP_ALREADY_AUTHED\", \"user already has valid totp authentication\")))\n    }\n\n    let totpmachine = match get_totpmachine(user.user_id, db.inner()).await {\n        Ok(t) =\u003e t,\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n        }\n    };\n\n    if !totpmachine.check_current(\u0026req.0.code).unwrap_or(false) {\n        return Err((Status::Unauthorized, TOTP_GENERIC_UNAUTHORIZED_ERROR.to_string()))\n    }\n\n    Ok((ContentType::JSON, Json(TotpResponse {\n        data: TotpResponseData { auth_token: match generate_auth_token(user.user_id as i64, user.session_id, db.inner()).await {\n            Ok(t) =\u003e t,\n            Err(e) =\u003e { return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e))) }\n        } },\n        metadata: TotpResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","auth","verify_magic_link.rs"],"content":"use std::time::{SystemTime, UNIX_EPOCH};\nuse rocket::http::{ContentType, Status};\nuse rocket::serde::json::Json;\nuse serde::{Serialize, Deserialize};\nuse rocket::{post, State};\nuse sqlx::PgPool;\nuse crate::config::TFConfig;\nuse crate::tokens::generate_session_token;\nuse rocket::options;\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct VerifyMagicLinkRequest {\n    #[serde(rename = \"magicLinkToken\")]\n    pub magic_link_token: String,\n}\n\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyMagicLinkResponseMetadata {}\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyMagicLinkResponseData {\n    #[serde(rename = \"sessionToken\")]\n    pub session_token: String,\n}\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyMagicLinkResponse {\n    pub data: VerifyMagicLinkResponseData,\n    pub metadata: VerifyMagicLinkResponseMetadata,\n}\n\n#[options(\"/v1/auth/verify-magic-link\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n\n#[post(\"/v1/auth/verify-magic-link\", data = \"\u003creq\u003e\")]\npub async fn verify_magic_link(req: Json\u003cVerifyMagicLinkRequest\u003e, db: \u0026State\u003cPgPool\u003e, config: \u0026State\u003cTFConfig\u003e) -\u003e Result\u003c(ContentType, Json\u003cVerifyMagicLinkResponse\u003e), (Status, String)\u003e {\n    // get the current time to check if the token is expired\n    let (user_id, expired_at) = match sqlx::query!(\"SELECT user_id, expires_on FROM magic_links WHERE id = $1\", req.0.magic_link_token).fetch_one(db.inner()).await {\n        Ok(row) =\u003e (row.user_id, row.expires_on),\n        Err(e) =\u003e {\n            return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNAUTHORIZED\", \"this token is invalid\", e)))\n        }\n    };\n    let current_time = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i32;\n    println!(\"expired on {}, currently {}\", expired_at, current_time);\n    if expired_at \u003c current_time {\n        return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_UNAUTHORIZED\", \"valid authorization was provided but it is expired\")))\n    }\n\n    // generate session token\n    let token = match generate_session_token(user_id as i64, db.inner(), config.inner()).await {\n        Ok(t) =\u003e t,\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n        }\n    };\n\n    // delete the token\n    match sqlx::query!(\"DELETE FROM magic_links WHERE id = $1\", req.0.magic_link_token).execute(db.inner()).await {\n        Ok(_) =\u003e (),\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n        }\n    }\n\n    Ok((ContentType::JSON, Json(VerifyMagicLinkResponse {\n        data: VerifyMagicLinkResponseData { session_token: token },\n        metadata: VerifyMagicLinkResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","mod.rs"],"content":"pub mod auth;\npub mod signup;\n\npub mod totp_authenticators;\npub mod verify_totp_authenticator;\npub mod organization;","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","organization.rs"],"content":"use std::slice::from_raw_parts_mut;\nuse rocket::{get, post, options, State};\nuse rocket::http::{ContentType, Status};\nuse rocket::serde::json::Json;\nuse serde::{Serialize, Deserialize};\nuse sqlx::PgPool;\nuse crate::auth::TOTPAuthenticatedUserInfo;\nuse crate::config::TFConfig;\nuse crate::org::{get_associated_orgs, get_org_by_owner_id, get_users_by_assoc_org, user_has_org_assoc};\n\n#[options(\"/v1/orgs\")]\npub fn options() -\u003e \u0026'static str {\n    \"\"\n}\n#[options(\"/v1/org/\u003c_id\u003e\")]\npub fn orgidoptions(_id: i32) -\u003e \u0026'static str {\n    \"\"\n}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct OrglistStruct {\n    pub org_ids: Vec\u003ci32\u003e\n}\n\n\n#[get(\"/v1/orgs\")]\npub async fn orglist_req(user: TOTPAuthenticatedUserInfo, db: \u0026State\u003cPgPool\u003e) -\u003e Result\u003c(ContentType, Json\u003cOrglistStruct\u003e), (Status, String)\u003e {\n    // this endpoint lists the associated organizations this user has access to\n    let associated_orgs = match get_associated_orgs(user.user_id, db.inner()).await {\n        Ok(r) =\u003e r,\n        Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_DB_QUERY_FAILED\", \"an error occurred while running the database query\")))\n    };\n\n    Ok((ContentType::JSON, Json(OrglistStruct {\n        org_ids: associated_orgs\n    })))\n}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct OrginfoStruct {\n    pub org_id: i32,\n    pub owner_id: i32,\n    pub ca_crt: String,\n    pub authorized_users: Vec\u003ci32\u003e\n}\n\n#[get(\"/v1/org/\u003corgid\u003e\")]\npub async fn orginfo_req(orgid: i32, user: TOTPAuthenticatedUserInfo, db: \u0026State\u003cPgPool\u003e) -\u003e Result\u003c(ContentType, Json\u003cOrginfoStruct\u003e), (Status, String)\u003e {\n    if !user_has_org_assoc(orgid, user.user_id, db.inner()).await.map_err(|e| (Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))? {\n        return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_MISSING_ORG_AUTHORIZATION\", \"this user does not have permission to access this org\")));\n    }\n\n    let org = sqlx::query!(\"SELECT id, owner, ca_crt FROM organizations WHERE id = $1\", orgid).fetch_one(orgid).await.map_err(|e| (Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))?;\n    let authorized_users = get_users_by_assoc_org(orgid, db.inner()).await.map_err(|e| (Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))?;\n\n    Ok((ContentType::JSON, Json(\n        OrginfoStruct {\n            org_id: orgid,\n            owner_id: org.owner,\n            ca_crt: org.ca_crt,\n            authorized_users,\n        }\n    )))\n}\n\n#[post(\"/v1/org\")]\npub async fn create_org(user: TOTPAuthenticatedUserInfo, db: \u0026State\u003cPgPool\u003e, config: \u0026State\u003cTFConfig\u003e) -\u003e Result\u003c(ContentType, Json\u003cOrginfoStruct\u003e), (Status, String)\u003e {\n    if get_org_by_owner_id(user.user_id, db.inner()).await.map_err(|e| (Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))?.is_some() {\n        return Err((Status::Conflict, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_USER_OWNS_ORG\", \"a user can only own one organization at a time\")))\n    }\n\n    // we need to generate a keypair and CA certificate for this new org\n\n    Ok((ContentType::JSON, Json(\n        OrginfoStruct {\n            org_id: orgid,\n            owner_id: org.owner,\n            ca_crt: org.ca_crt,\n            authorized_users,\n        }\n    )))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","signup.rs"],"content":"use rocket::{post, State};\nuse rocket::serde::json::Json;\nuse serde::{Serialize, Deserialize};\nuse std::time::{SystemTime, UNIX_EPOCH};\nuse rocket::http::{ContentType, Status};\nuse sqlx::PgPool;\nuse crate::config::TFConfig;\nuse crate::tokens::send_magic_link;\nuse rocket::options;\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct SignupRequest {\n    pub email: String,\n}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct SignupResponseMetadata {}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct SignupResponse {\n    pub data: Option\u003cString\u003e,\n    pub metadata: SignupResponseMetadata,\n}\n/*\ncreated_on TIMESTAMP NOT NULL,\n\n    banned INTEGER NOT NULL,\n    ban_reason VARCHAR(1024) NOT NULL\n */\n#[options(\"/v1/signup\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n#[post(\"/v1/signup\", data = \"\u003creq\u003e\")]\npub async fn signup_request(req: Json\u003cSignupRequest\u003e, pool: \u0026State\u003cPgPool\u003e, config: \u0026State\u003cTFConfig\u003e) -\u003e Result\u003c(ContentType, Json\u003cSignupResponse\u003e), (Status, String)\u003e {\n    // figure out if the user already exists\n    let mut id = -1;\n    match sqlx::query!(\"SELECT id FROM users WHERE email = $1\", req.email.clone()).fetch_optional(pool.inner()).await {\n        Ok(res) =\u003e if let Some(r) = res { id = r.id as i64 },\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))\n        }\n    }\n\n    if id == -1 {\n        let id_res = match sqlx::query!(\"INSERT INTO users (email, created_on, banned, ban_reason, totp_secret, totp_otpurl, totp_verified) VALUES ($1, $2, $3, $4, $5, $6, $7) ON CONFLICT DO NOTHING RETURNING id;\", req.email, SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i64, 0, \"\", \"\", \"\", 0).fetch_one(pool.inner()).await {\n            Ok(row) =\u003e row.id,\n            Err(e) =\u003e {\n                return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))\n            }\n        };\n        id = id_res as i64;\n    }\n\n    // send magic link to email\n    match send_magic_link(id, req.email.clone(), pool.inner(), config.inner()).await {\n        Ok(_) =\u003e (),\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))\n        }\n    };\n\n    // this endpoint doesn't actually ever return an error? it will send you the magic link no matter what\n    // this appears to do the exact same thing as /v1/auth/magic-link, but it doesn't check if you have an account (magic-link does)\n    Ok((ContentType::JSON, Json(SignupResponse {\n        data: None,\n        metadata: SignupResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","totp_authenticators.rs"],"content":"use rocket::http::{ContentType, Status};\nuse rocket::serde::json::Json;\nuse rocket::{State, post};\nuse sqlx::PgPool;\nuse serde::{Serialize, Deserialize};\nuse crate::auth::PartialUserInfo;\nuse crate::config::TFConfig;\nuse crate::tokens::{create_totp_token, user_has_totp};\nuse rocket::options;\n\n#[derive(Deserialize)]\npub struct TotpAuthenticatorsRequest {}\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpAuthenticatorsResponseMetadata {}\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpAuthenticatorsResponseData {\n    #[serde(rename = \"totpToken\")]\n    pub totp_token: String,\n    pub secret: String,\n    pub url: String,\n}\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpAuthenticatorsResponse {\n    pub data: TotpAuthenticatorsResponseData,\n    pub metadata: TotpAuthenticatorsResponseMetadata,\n}\n\n#[options(\"/v1/totp-authenticators\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n\n#[post(\"/v1/totp-authenticators\", data = \"\u003c_req\u003e\")]\npub async fn totp_authenticators_request(_req: Json\u003cTotpAuthenticatorsRequest\u003e, user: PartialUserInfo, db: \u0026State\u003cPgPool\u003e, config: \u0026State\u003cTFConfig\u003e) -\u003e Result\u003c(ContentType, Json\u003cTotpAuthenticatorsResponse\u003e), (Status, String)\u003e {\n    if match user_has_totp(user.user_id, db.inner()).await {\n        Ok(b) =\u003e b,\n        Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n    } {\n        return Err((Status::BadRequest, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_TOTP_ALREADY_EXISTS\", \"this user already has a totp authenticator on their account\")))\n    }\n\n    // generate a totp token\n    let (totptoken, totpmachine) = match create_totp_token(user.email, db.inner(), config.inner()).await {\n        Ok(t) =\u003e t,\n        Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured issuing a totp token, try again later\", e)))\n    };\n\n    Ok((ContentType::JSON, Json(TotpAuthenticatorsResponse {\n        data: TotpAuthenticatorsResponseData {\n            totp_token: totptoken,\n            secret: totpmachine.get_secret_base32(),\n            url: totpmachine.get_url(),\n        },\n        metadata: TotpAuthenticatorsResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","verify_totp_authenticator.rs"],"content":"/*\n{\"totpToken\":\"totp-mH9eLzA9Q5WB-sg3Fq8CfkP13eTh3DxF25kVK2VEDOk\",\"code\":\"266242\"}\n{\"errors\":[{\"code\":\"ERR_INVALID_TOTP_TOKEN\",\"message\":\"TOTP token does not exist (maybe it expired?)\",\"path\":\"totpToken\"}]}\n\n\n{\"totpToken\":\"totp-gaUDaxPrrIBc8GEQ6z0vPisT8k0MEP1fgI8FA2ztLMw\",\"code\":\"175543\"}\n{\"data\":{\"authToken\":\"auth-O7mugxdYta-RKtLMqDW4j8XCJ85EfZKKezeZZXBYtFQ\"},\"metadata\":{}}\n*/\n\nuse rocket::http::{ContentType, Status};\nuse crate::auth::PartialUserInfo;\nuse rocket::post;\nuse rocket::serde::json::Json;\nuse rocket::State;\nuse serde::{Serialize, Deserialize};\nuse sqlx::PgPool;\nuse crate::tokens::{generate_auth_token, use_totp_token, verify_totp_token};\nuse rocket::options;\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyTotpAuthenticatorRequest {\n    #[serde(rename = \"totpToken\")]\n    pub totp_token: String,\n    pub code: String,\n}\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyTotpAuthenticatorResponseMetadata {}\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyTotpAuthenticatorResponseData {\n    #[serde(rename = \"authToken\")]\n    pub auth_token: String,\n}\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyTotpAuthenticatorResponse {\n    pub data: VerifyTotpAuthenticatorResponseData,\n    pub metadata: VerifyTotpAuthenticatorResponseMetadata,\n}\n\n#[options(\"/v1/verify-totp-authenticator\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n\n#[post(\"/v1/verify-totp-authenticator\", data = \"\u003creq\u003e\")]\npub async fn verify_totp_authenticator_request(req: Json\u003cVerifyTotpAuthenticatorRequest\u003e, db: \u0026State\u003cPgPool\u003e, user: PartialUserInfo) -\u003e Result\u003c(ContentType, Json\u003cVerifyTotpAuthenticatorResponse\u003e), (Status, String)\u003e {\n    let totpmachine = match verify_totp_token(req.0.totp_token.clone(), user.email.clone(), db.inner()).await {\n        Ok(t) =\u003e t,\n        Err(e) =\u003e return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNAUTHORIZED\", \"this token is invalid\", e)))\n    };\n    if !totpmachine.check_current(\u0026req.0.code).unwrap() {\n        return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\",\\\"path\\\":\\\"totpToken\\\"}}]}}\", \"ERR_INVALID_TOTP_CODE\", \"Invalid TOTP code\")))\n    }\n    match use_totp_token(req.0.totp_token, user.email, db.inner()).await {\n        Ok(_) =\u003e (),\n        Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n    }\n    Ok((ContentType::JSON, Json(VerifyTotpAuthenticatorResponse {\n        data: VerifyTotpAuthenticatorResponseData { auth_token: match generate_auth_token(user.user_id as i64, user.session_id, db.inner()).await {\n            Ok(at) =\u003e at,\n            Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n        } },\n        metadata: VerifyTotpAuthenticatorResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v2","mod.rs"],"content":"pub mod whoami;","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v2","whoami.rs"],"content":"use chrono::{NaiveDateTime, Utc};\nuse serde::{Serialize, Deserialize};\nuse rocket::{options, get, State};\nuse rocket::http::{ContentType, Status};\nuse rocket::serde::json::Json;\nuse sqlx::PgPool;\nuse crate::auth::PartialUserInfo;\nuse crate::tokens::user_has_totp;\n\n#[derive(Serialize, Deserialize)]\npub struct WhoamiMetadata {}\n\n#[derive(Serialize, Deserialize)]\npub struct WhoamiActor {\n    pub id: String,\n    #[serde(rename = \"organizationID\")]\n    pub organization_id: String,\n    pub email: String,\n    #[serde(rename = \"createdAt\")]\n    pub created_at: String,\n    #[serde(rename = \"hasTOTPAuthenticator\")]\n    pub has_totpauthenticator: bool,\n}\n\n#[derive(Serialize, Deserialize)]\npub struct WhoamiData {\n    #[serde(rename = \"actorType\")]\n    pub actor_type: String,\n    pub actor: WhoamiActor,\n}\n\n#[derive(Serialize, Deserialize)]\npub struct WhoamiResponse {\n    pub data: WhoamiData,\n    pub metadata: WhoamiMetadata,\n}\n\n#[options(\"/v2/whoami\")]\npub fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n#[get(\"/v2/whoami\")]\npub async fn whoami_request(user: PartialUserInfo, db: \u0026State\u003cPgPool\u003e) -\u003e Result\u003c(ContentType, Json\u003cWhoamiResponse\u003e), (Status, String)\u003e {\n    Ok((ContentType::JSON, Json(WhoamiResponse {\n        data: WhoamiData {\n            actor_type: \"user\".to_string(),\n            actor: WhoamiActor {\n                id: user.user_id.to_string(),\n                organization_id: \"TEMP_ORG_BECAUSE_THAT_ISNT_IMPLEMENTED_YET\".to_string(),\n                email: user.email,\n                created_at: NaiveDateTime::from_timestamp_opt(user.created_at, 0).unwrap().and_local_timezone(Utc).unwrap().to_rfc3339(),\n                has_totpauthenticator: match user_has_totp(user.user_id, db.inner()).await {\n                    Ok(b) =\u003e b,\n                    Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_DBERROR\", \"an error occured trying to verify your user\", e)))\n                },\n            }\n        },\n        metadata: WhoamiMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","tokens.rs"],"content":"use std::error::Error;\nuse log::info;\nuse sqlx::PgPool;\nuse uuid::Uuid;\nuse crate::config::TFConfig;\nuse std::time::SystemTime;\nuse std::time::UNIX_EPOCH;\nuse totp_rs::{Secret, TOTP};\nuse crate::util::{TOTP_ALGORITHM, TOTP_DIGITS, TOTP_ISSUER, TOTP_SKEW, TOTP_STEP};\n\n// https://admin.defined.net/auth/magic-link?email=coredoescode%40gmail.com\u0026token=ml-ckBsgw_5IdK5VYgseBYcoV_v_cQjtdq1re_RhDu_MKg\npub async fn send_magic_link(id: i64, email: String, db: \u0026PgPool, config: \u0026TFConfig) -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n    let otp = format!(\"ml-{}\", Uuid::new_v4());\n    let otp_url = config.web_root.join(\u0026format!(\"/auth/magic-link?email={}\u0026token={}\", urlencoding::encode(\u0026email.clone()), otp.clone())).unwrap();\n    sqlx::query!(\"INSERT INTO magic_links (id, user_id, expires_on) VALUES ($1, $2, $3) ON CONFLICT DO NOTHING;\", otp, id as i32, SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i32 + config.magic_links_valid_for as i32).execute(db).await?;\n    // TODO: send email\n    info!(\"sent magic link {} to {}, valid for {} seconds\", otp_url, email.clone(), config.magic_links_valid_for);\n    Ok(())\n}\n\npub async fn generate_session_token(user_id: i64, db: \u0026PgPool, config: \u0026TFConfig) -\u003e Result\u003cString, Box\u003cdyn Error\u003e\u003e {\n    let token = format!(\"st-{}\", Uuid::new_v4());\n    sqlx::query!(\"INSERT INTO session_tokens (id, user_id, expires_on) VALUES ($1, $2, $3) ON CONFLICT DO NOTHING;\", token, user_id as i32, SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i32 + config.session_tokens_valid_for as i32).execute(db).await?;\n    Ok(token)\n}\npub async fn validate_session_token(token: String, db: \u0026PgPool) -\u003e Result\u003ci64, Box\u003cdyn Error\u003e\u003e {\n    Ok(sqlx::query!(\"SELECT user_id FROM session_tokens WHERE id = $1 AND expires_on \u003e $2\", token, SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i32).fetch_one(db).await?.user_id as i64)\n}\n\npub async fn generate_auth_token(user_id: i64, session_id: String, db: \u0026PgPool) -\u003e Result\u003cString, Box\u003cdyn Error\u003e\u003e {\n    let token = format!(\"at-{}\", Uuid::new_v4());\n    sqlx::query!(\"INSERT INTO auth_tokens (id, session_token, user_id) VALUES ($1, $2, $3) ON CONFLICT DO NOTHING;\", token, session_id, user_id as i32).execute(db).await?;\n    Ok(token)\n}\npub async fn validate_auth_token(token: String, session_id: String, db: \u0026PgPool) -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n    validate_session_token(session_id.clone(), db).await?;\n    sqlx::query!(\"SELECT * FROM auth_tokens WHERE id = $1 AND session_token = $2\", token, session_id).fetch_one(db).await?;\n    Ok(())\n}\n\n\n/*\nCREATE TABLE totp_create_tokens (\n    id VARCHAR(39) NOT NULL PRIMARY KEY,\n    expires_on INTEGER NOT NULL,\n    totp_otpurl VARCHAR(3000) NOT NULL,\n    totp_secret VARCHAR(128) NOT NULL\n);\n */\n\npub async fn create_totp_token(email: String, db: \u0026PgPool, config: \u0026TFConfig) -\u003e Result\u003c(String, TOTP), Box\u003cdyn Error\u003e\u003e {\n    // create the TOTP parameters\n\n    let secret = Secret::generate_secret();\n    let totpmachine = TOTP::new(TOTP_ALGORITHM, TOTP_DIGITS, TOTP_SKEW, TOTP_STEP, secret.to_bytes().unwrap(), Some(TOTP_ISSUER.to_string()), email).unwrap();\n    let otpurl = totpmachine.get_url();\n    let otpsecret = totpmachine.get_secret_base32();\n\n    let otpid = format!(\"totp-{}\", Uuid::new_v4());\n\n    sqlx::query!(\"INSERT INTO totp_create_tokens (id, expires_on, totp_otpurl, totp_secret) VALUES ($1, $2, $3, $4);\", otpid.clone(), (SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i64 + config.totp_verification_valid_for) as i32, otpurl, otpsecret).execute(db).await?;\n\n    Ok((otpid, totpmachine))\n}\n\npub async fn verify_totp_token(otpid: String, email: String, db: \u0026PgPool) -\u003e Result\u003cTOTP, Box\u003cdyn Error\u003e\u003e {\n    let totprow = sqlx::query!(\"SELECT * FROM totp_create_tokens WHERE id = $1 AND expires_on \u003e $2\", otpid, SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i32).fetch_one(db).await?;\n    let secret = Secret::Encoded(totprow.totp_secret);\n    let totpmachine = TOTP::new(TOTP_ALGORITHM, TOTP_DIGITS, TOTP_SKEW, TOTP_STEP, secret.to_bytes().unwrap(), Some(TOTP_ISSUER.to_string()), email).unwrap();\n\n    if totpmachine.get_url() != totprow.totp_otpurl {\n        return Err(\"OTPURLs do not match (email does not match?)\".into())\n    }\n\n    Ok(totpmachine)\n}\n\npub async fn use_totp_token(otpid: String, email: String, db: \u0026PgPool) -\u003e Result\u003cTOTP, Box\u003cdyn Error\u003e\u003e {\n    let totpmachine = verify_totp_token(otpid.clone(), email.clone(), db).await?;\n    sqlx::query!(\"DELETE FROM totp_create_tokens WHERE id = $1\", otpid).execute(db).await?;\n    sqlx::query!(\"UPDATE users SET totp_otpurl = $1, totp_secret = $2, totp_verified = 1 WHERE email = $3\", totpmachine.get_url(), totpmachine.get_secret_base32(), email).execute(db).await?;\n    Ok(totpmachine)\n}\n\npub async fn get_totpmachine(user: i32, db: \u0026PgPool) -\u003e Result\u003cTOTP, Box\u003cdyn Error\u003e\u003e {\n    let user = sqlx::query!(\"SELECT totp_secret, totp_otpurl, email FROM users WHERE id = $1\", user).fetch_one(db).await?;\n    let secret = Secret::Encoded(user.totp_secret);\n    Ok(TOTP::new(TOTP_ALGORITHM, TOTP_DIGITS, TOTP_SKEW, TOTP_STEP, secret.to_bytes().unwrap(), Some(TOTP_ISSUER.to_string()), user.email).unwrap())\n}\n\npub async fn user_has_totp(user: i32, db: \u0026PgPool) -\u003e Result\u003cbool, Box\u003cdyn Error\u003e\u003e {\n    Ok(sqlx::query!(\"SELECT totp_verified FROM users WHERE id = $1\", user).fetch_one(db).await?.totp_verified == 1)\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","util.rs"],"content":"use base64::Engine;\nuse totp_rs::Algorithm;\n\npub const TOTP_ALGORITHM: Algorithm = Algorithm::SHA1;\npub const TOTP_DIGITS: usize = 6;\npub const TOTP_SKEW: u8 = 1;\npub const TOTP_STEP: u64 = 30;\npub const TOTP_ISSUER: \u0026str = \"trifidapi\";\n\npub fn base64decode(val: \u0026str) -\u003e Result\u003cVec\u003cu8\u003e, base64::DecodeError\u003e {\n    base64::engine::general_purpose::STANDARD.decode(val)\n}\npub fn base64encode(val: Vec\u003cu8\u003e) -\u003e String {\n    base64::engine::general_purpose::STANDARD.encode(val)\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-pki","src","ca.rs"],"content":"//! Structs to represent a pool of CA's and blacklisted certificates\n\nuse std::collections::HashMap;\nuse std::error::Error;\nuse std::fmt::{Display, Formatter};\nuse std::time::SystemTime;\nuse ed25519_dalek::VerifyingKey;\nuse crate::cert::{deserialize_nebula_certificate_from_pem, NebulaCertificate};\n\n/// A pool of trusted CA certificates, and certificates that should be blocked.\n/// This is equivalent to the `pki` section in a typical Nebula config.yml.\n#[derive(Default)]\npub struct NebulaCAPool {\n    /// The list of CA root certificates that should be trusted.\n    pub cas: HashMap\u003cString, NebulaCertificate\u003e,\n    /// The list of blocklisted certificate fingerprints\n    pub cert_blocklist: Vec\u003cString\u003e,\n    /// True if any of the member CAs certificates are expired. Must be handled.\n    pub expired: bool\n}\n\nimpl NebulaCAPool {\n    /// Create a new, blank CA pool\n    pub fn new() -\u003e Self {\n        Self::default()\n    }\n\n    /// Create a new CA pool from a set of PEM encoded CA certificates.\n    /// If any of the certificates are expired, the pool will **still be returned**, with the expired flag set.\n    /// This must be handled properly.\n    /// # Errors\n    /// This function will return an error if PEM data provided was invalid.\n    pub fn new_from_pem(bytes: \u0026[u8]) -\u003e Result\u003cSelf, Box\u003cdyn Error\u003e\u003e {\n        let pems = pem::parse_many(bytes)?;\n\n        let mut pool = Self::new();\n\n        for cert in pems {\n            match pool.add_ca_certificate(pem::encode(\u0026cert).as_bytes()) {\n                Ok(did_expire) =\u003e if did_expire { pool.expired = true },\n                Err(e) =\u003e return Err(e)\n            }\n        }\n\n        Ok(pool)\n    }\n\n    /// Add a given CA certificate to the CA pool. If the certificate is expired, it will **still be added** - the return value will be `true` instead of `false`\n    /// # Errors\n    /// This function will return an error if the certificate is invalid in any way.\n    pub fn add_ca_certificate(\u0026mut self, bytes: \u0026[u8]) -\u003e Result\u003cbool, Box\u003cdyn Error\u003e\u003e {\n        let cert = deserialize_nebula_certificate_from_pem(bytes)?;\n\n        if !cert.details.is_ca {\n            return Err(CaPoolError::NotACA.into())\n        }\n\n        if !cert.check_signature(\u0026VerifyingKey::from_bytes(\u0026cert.details.public_key)?)? {\n            return Err(CaPoolError::NotSelfSigned.into())\n        }\n\n        let fingerprint = cert.sha256sum()?;\n        let expired = cert.expired(SystemTime::now());\n\n        if expired { self.expired = true }\n\n        self.cas.insert(fingerprint, cert);\n\n       Ok(expired)\n    }\n\n    /// Blocklist the given certificate in the CA pool\n    pub fn blocklist_fingerprint(\u0026mut self, fingerprint: \u0026str) {\n        self.cert_blocklist.push(fingerprint.to_string());\n    }\n\n    /// Clears the list of blocklisted fingerprints\n    pub fn reset_blocklist(\u0026mut self) {\n        self.cert_blocklist = vec![];\n    }\n\n    /// Checks if the given certificate is blocklisted\n    pub fn is_blocklisted(\u0026self, cert: \u0026NebulaCertificate) -\u003e bool {\n        let Ok(h) = cert.sha256sum() else { return false };\n        self.cert_blocklist.contains(\u0026h)\n    }\n\n    /// Gets the CA certificate used to sign the given certificate\n    /// # Errors\n    /// This function will return an error if the certificate does not have an issuer attached (it is self-signed)\n    pub fn get_ca_for_cert(\u0026self, cert: \u0026NebulaCertificate) -\u003e Result\u003cOption\u003c\u0026NebulaCertificate\u003e, Box\u003cdyn Error\u003e\u003e {\n        if cert.details.issuer == String::new() {\n            return Err(CaPoolError::NoIssuer.into())\n        }\n\n        Ok(self.cas.get(\u0026cert.details.issuer))\n    }\n\n    /// Get a list of trusted CA fingerprints\n    pub fn get_fingerprints(\u0026self) -\u003e Vec\u003c\u0026String\u003e {\n        self.cas.keys().collect()\n    }\n}\n\n#[derive(Debug)]\n/// A list of errors that can happen when working with a CA Pool\npub enum CaPoolError {\n    /// Tried to add a non-CA cert to the CA pool\n    NotACA,\n    /// Tried to add a non-self-signed cert to the CA pool (all CAs must be root certificates)\n    NotSelfSigned,\n    /// Tried to look up a certificate that does not have an issuer field\n    NoIssuer\n}\nimpl Error for CaPoolError {}\nimpl Display for CaPoolError {\n    fn fmt(\u0026self, f: \u0026mut Formatter\u003c'_\u003e) -\u003e std::fmt::Result {\n        match self {\n            Self::NotACA =\u003e write!(f, \"Tried to add a non-CA cert to the CA pool\"),\n            Self::NotSelfSigned =\u003e write!(f, \"Tried to add a non-self-signed cert to the CA pool (all CAs must be root certificates)\"),\n            Self::NoIssuer =\u003e write!(f, \"Tried to look up a certificate with a null issuer field\")\n        }\n    }\n}","traces":[{"line":24,"address":[439120],"length":1,"stats":{"Line":1},"fn_name":"new"},{"line":25,"address":[439128],"length":1,"stats":{"Line":1},"fn_name":null},{"line":33,"address":[439962,440276,439152],"length":1,"stats":{"Line":0},"fn_name":"new_from_pem"},{"line":34,"address":[439319,439185],"length":1,"stats":{"Line":0},"fn_name":null},{"line":36,"address":[439309],"length":1,"stats":{"Line":0},"fn_name":null},{"line":38,"address":[440212,439541,440091,439447],"length":1,"stats":{"Line":0},"fn_name":null},{"line":39,"address":[439842,439763,439924],"length":1,"stats":{"Line":0},"fn_name":null},{"line":40,"address":[439973,440183],"length":1,"stats":{"Line":0},"fn_name":null},{"line":41,"address":[440010],"length":1,"stats":{"Line":0},"fn_name":null},{"line":45,"address":[440217],"length":1,"stats":{"Line":0},"fn_name":null},{"line":51,"address":[441708,440304],"length":1,"stats":{"Line":1},"fn_name":"add_ca_certificate"},{"line":52,"address":[440376,440534],"length":1,"stats":{"Line":1},"fn_name":null},{"line":54,"address":[440514],"length":1,"stats":{"Line":1},"fn_name":null},{"line":55,"address":[440614,440703],"length":1,"stats":{"Line":0},"fn_name":null},{"line":58,"address":[440728,440607,440970],"length":1,"stats":{"Line":3},"fn_name":null},{"line":59,"address":[441139],"length":1,"stats":{"Line":0},"fn_name":null},{"line":62,"address":[441215,441132,441333],"length":1,"stats":{"Line":2},"fn_name":null},{"line":63,"address":[441490,441305],"length":1,"stats":{"Line":2},"fn_name":null},{"line":65,"address":[441514],"length":1,"stats":{"Line":1},"fn_name":null},{"line":67,"address":[441652],"length":1,"stats":{"Line":1},"fn_name":null},{"line":71,"address":[441760],"length":1,"stats":{"Line":1},"fn_name":"blocklist_fingerprint"},{"line":72,"address":[441779],"length":1,"stats":{"Line":1},"fn_name":null},{"line":76,"address":[441824,441888],"length":1,"stats":{"Line":1},"fn_name":"reset_blocklist"},{"line":77,"address":[441842,441920],"length":1,"stats":{"Line":2},"fn_name":null},{"line":81,"address":[442212,442240,441952],"length":1,"stats":{"Line":1},"fn_name":"is_blocklisted"},{"line":82,"address":[442094,441974,442151],"length":1,"stats":{"Line":1},"fn_name":null},{"line":83,"address":[442173,442121],"length":1,"stats":{"Line":2},"fn_name":null},{"line":89,"address":[442256,442390],"length":1,"stats":{"Line":1},"fn_name":"get_ca_for_cert"},{"line":90,"address":[442289],"length":1,"stats":{"Line":1},"fn_name":null},{"line":91,"address":[442455],"length":1,"stats":{"Line":0},"fn_name":null},{"line":94,"address":[442422],"length":1,"stats":{"Line":1},"fn_name":null},{"line":98,"address":[442496],"length":1,"stats":{"Line":0},"fn_name":"get_fingerprints"},{"line":99,"address":[442515],"length":1,"stats":{"Line":0},"fn_name":null},{"line":115,"address":[442560],"length":1,"stats":{"Line":0},"fn_name":"fmt"},{"line":116,"address":[442587],"length":1,"stats":{"Line":0},"fn_name":null},{"line":117,"address":[442619],"length":1,"stats":{"Line":0},"fn_name":null},{"line":118,"address":[442676],"length":1,"stats":{"Line":0},"fn_name":null},{"line":119,"address":[442733],"length":1,"stats":{"Line":0},"fn_name":null}],"covered":20,"coverable":38},{"path":["/","home","core","prj","e3t","trifid","trifid-pki","src","cert.rs"],"content":"//! Manage Nebula PKI Certificates\n//! This is pretty much a direct port of nebula/cert/cert.go\n\nuse std::error::Error;\nuse std::fmt::{Display, Formatter};\nuse std::net::Ipv4Addr;\nuse std::ops::Add;\nuse std::time::{Duration, SystemTime, UNIX_EPOCH};\nuse ed25519_dalek::{Signature, Signer, SigningKey, Verifier, VerifyingKey};\nuse ipnet::{Ipv4Net};\nuse pem::Pem;\nuse quick_protobuf::{BytesReader, MessageRead, MessageWrite, Writer};\nuse sha2::Sha256;\nuse crate::ca::NebulaCAPool;\nuse crate::cert_codec::{RawNebulaCertificate, RawNebulaCertificateDetails};\nuse sha2::Digest;\n\n/// The length, in bytes, of public keys\npub const PUBLIC_KEY_LENGTH: i32 = 32;\n\n/// The PEM banner for certificates\npub const CERT_BANNER: \u0026str = \"NEBULA CERTIFICATE\";\n/// The PEM banner for X25519 private keys\npub const X25519_PRIVATE_KEY_BANNER: \u0026str = \"NEBULA X25519 PRIVATE KEY\";\n/// The PEM banner for X25519 public keys\npub const X25519_PUBLIC_KEY_BANNER: \u0026str = \"NEBULA X25519 PUBLIC KEY\";\n/// The PEM banner for Ed25519 private keys\npub const ED25519_PRIVATE_KEY_BANNER: \u0026str = \"NEBULA ED25519 PRIVATE KEY\";\n/// The PEM banner for Ed25519 public keys\npub const ED25519_PUBLIC_KEY_BANNER: \u0026str = \"NEBULA ED25519 PUBLIC KEY\";\n\n/// A Nebula PKI certificate\n#[derive(Debug, Clone)]\npub struct NebulaCertificate {\n    /// The signed data of this certificate\n    pub details: NebulaCertificateDetails,\n    /// The Ed25519 signature of this certificate\n    pub signature: Vec\u003cu8\u003e\n}\n\n/// The signed details contained in a Nebula PKI certificate\n#[derive(Debug, Clone)]\npub struct NebulaCertificateDetails {\n    /// The name of the identity this certificate was issued for\n    pub name: String,\n    /// The IPv4 addresses issued to this node\n    pub ips: Vec\u003cIpv4Net\u003e,\n    /// The IPv4 subnets this node is responsible for routing\n    pub subnets: Vec\u003cIpv4Net\u003e,\n    /// The groups this node is a part of\n    pub groups: Vec\u003cString\u003e,\n    /// Certificate start date and time\n    pub not_before: SystemTime,\n    /// Certificate expiry date and time\n    pub not_after: SystemTime,\n    /// Public key\n    pub public_key: [u8; PUBLIC_KEY_LENGTH as usize],\n    /// Is this node a CA?\n    pub is_ca: bool,\n    /// SHA256 of issuer certificate. If blank, this cert is self-signed.\n    pub issuer: String\n}\n\n/// A list of errors that can occur parsing certificates\n#[derive(Debug)]\npub enum CertificateError {\n    /// Attempted to deserialize a certificate from an empty byte array\n    EmptyByteArray,\n    /// The encoded Details field is null\n    NilDetails,\n    /// The encoded Ips field is not formatted correctly\n    IpsNotPairs,\n    /// The encoded Subnets field is not formatted correctly\n    SubnetsNotPairs,\n    /// Signatures are expected to be 64 bytes but the signature on the certificate was a different length\n    WrongSigLength,\n    /// Public keys are expected to be 32 bytes but the public key on this cert is not\n    WrongKeyLength,\n    /// Certificates should have the PEM tag `NEBULA CERTIFICATE`, but this block did not\n    WrongPemTag,\n    /// This certificate either is not yet valid or has already expired\n    Expired,\n    /// The public key does not match the expected value\n    KeyMismatch\n}\nimpl Display for CertificateError {\n    fn fmt(\u0026self, f: \u0026mut Formatter\u003c'_\u003e) -\u003e std::fmt::Result {\n        match self {\n            Self::EmptyByteArray =\u003e write!(f, \"Certificate bytearray is empty\"),\n            Self::NilDetails =\u003e write!(f, \"The encoded Details field is null\"),\n            Self::IpsNotPairs =\u003e write!(f, \"encoded IPs should be in pairs, an odd number was found\"),\n            Self::SubnetsNotPairs =\u003e write!(f, \"encoded subnets should be in pairs, an odd number was found\"),\n            Self::WrongSigLength =\u003e write!(f, \"Signature should be 64 bytes but is a different size\"),\n            Self::WrongKeyLength =\u003e write!(f, \"Public keys are expected to be 32 bytes but the public key on this cert is not\"),\n            Self::WrongPemTag =\u003e write!(f, \"Certificates should have the PEM tag `NEBULA CERTIFICATE`, but this block did not\"),\n            Self::Expired =\u003e write!(f, \"This certificate either is not yet valid or has already expired\"),\n            Self::KeyMismatch =\u003e write!(f, \"Key does not match expected value\")\n        }\n    }\n}\nimpl Error for CertificateError {}\n\nfn map_cidr_pairs(pairs: \u0026[u32]) -\u003e Result\u003cVec\u003cIpv4Net\u003e, Box\u003cdyn Error\u003e\u003e {\n    let mut res_vec = vec![];\n    for pair in pairs.chunks(2) {\n        res_vec.push(Ipv4Net::with_netmask(Ipv4Addr::from(pair[0]), Ipv4Addr::from(pair[1]))?);\n    }\n    Ok(res_vec)\n}\n\nimpl Display for NebulaCertificate {\n    #[allow(clippy::unwrap_used)]\n    fn fmt(\u0026self, f: \u0026mut Formatter\u003c'_\u003e) -\u003e std::fmt::Result {\n        writeln!(f, \"NebulaCertificate {{\")?;\n        writeln!(f, \"   Details {{\")?;\n        writeln!(f, \"       Name: {}\", self.details.name)?;\n        writeln!(f, \"       Ips: {:?}\", self.details.ips)?;\n        writeln!(f, \"       Subnets: {:?}\", self.details.subnets)?;\n        writeln!(f, \"       Groups: {:?}\", self.details.groups)?;\n        writeln!(f, \"       Not before: {:?}\", self.details.not_before)?;\n        writeln!(f, \"       Not after: {:?}\", self.details.not_after)?;\n        writeln!(f, \"       Is CA: {}\", self.details.is_ca)?;\n        writeln!(f, \"       Issuer: {}\", self.details.issuer)?;\n        writeln!(f, \"       Public key: {}\", hex::encode(self.details.public_key))?;\n        writeln!(f, \"   }}\")?;\n        writeln!(f, \"   Fingerprint: {}\", self.sha256sum().unwrap())?;\n        writeln!(f, \"   Signature: {}\", hex::encode(self.signature.clone()))?;\n        writeln!(f, \"}}\")\n    }\n}\n\n/// Given a protobuf-encoded certificate bytearray, deserialize it into a `NebulaCertificate` object.\n/// # Errors\n/// This function will return an error if there is a protobuf parsing error, or if the certificate data is invalid.\n/// # Panics\npub fn deserialize_nebula_certificate(bytes: \u0026[u8]) -\u003e Result\u003cNebulaCertificate, Box\u003cdyn Error\u003e\u003e {\n    if bytes.is_empty() {\n        return Err(CertificateError::EmptyByteArray.into())\n    }\n\n    let mut reader = BytesReader::from_bytes(bytes);\n\n    let raw_cert = RawNebulaCertificate::from_reader(\u0026mut reader, bytes)?;\n\n    let details = raw_cert.Details.ok_or(CertificateError::NilDetails)?;\n\n    if details.Ips.len() % 2 != 0 {\n        return Err(CertificateError::IpsNotPairs.into())\n    }\n\n    if details.Subnets.len() % 2 != 0 {\n        return Err(CertificateError::SubnetsNotPairs.into())\n    }\n\n    let mut nebula_cert;\n    #[allow(clippy::cast_sign_loss)]\n    {\n        nebula_cert = NebulaCertificate {\n            details: NebulaCertificateDetails {\n                name: details.Name.to_string(),\n                ips: map_cidr_pairs(\u0026details.Ips)?,\n                subnets: map_cidr_pairs(\u0026details.Subnets)?,\n                groups: details.Groups.iter().map(std::string::ToString::to_string).collect(),\n                not_before: SystemTime::UNIX_EPOCH.add(Duration::from_secs(details.NotBefore as u64)),\n                not_after: SystemTime::UNIX_EPOCH.add(Duration::from_secs(details.NotAfter as u64)),\n                public_key: [0u8; 32],\n                is_ca: details.IsCA,\n                issuer: hex::encode(details.Issuer),\n            },\n            signature: vec![],\n        };\n    }\n\n    nebula_cert.signature = raw_cert.Signature;\n\n    if details.PublicKey.len() != 32 {\n        return Err(CertificateError::WrongKeyLength.into())\n    }\n\n    #[allow(clippy::unwrap_used)] { nebula_cert.details.public_key = details.PublicKey.try_into().unwrap(); }\n\n    Ok(nebula_cert)\n}\n\n/// A list of errors that can occur parsing keys\n#[derive(Debug)]\npub enum KeyError {\n    /// Keys should have their associated PEM tags but this had the wrong one\n    WrongPemTag\n}\nimpl Display for KeyError {\n    fn fmt(\u0026self, f: \u0026mut Formatter\u003c'_\u003e) -\u003e std::fmt::Result {\n        match self {\n            Self::WrongPemTag =\u003e write!(f, \"Keys should have their associated PEM tags but this had the wrong one\")\n        }\n    }\n}\nimpl Error for KeyError {}\n\n\n/// Deserialize the first PEM block in the given byte array into a `NebulaCertificate`\n/// # Errors\n/// This function will return an error if the PEM data is invalid, or if there is an error parsing the certificate (see `deserialize_nebula_certificate`)\npub fn deserialize_nebula_certificate_from_pem(bytes: \u0026[u8]) -\u003e Result\u003cNebulaCertificate, Box\u003cdyn Error\u003e\u003e {\n    let pem = pem::parse(bytes)?;\n    if pem.tag != CERT_BANNER {\n        return Err(CertificateError::WrongPemTag.into())\n    }\n    deserialize_nebula_certificate(\u0026pem.contents)\n}\n\n/// Simple helper to PEM encode an X25519 private key\npub fn serialize_x25519_private(bytes: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n    pem::encode(\u0026Pem {\n        tag: X25519_PRIVATE_KEY_BANNER.to_string(),\n        contents: bytes.to_vec(),\n    }).as_bytes().to_vec()\n}\n\n/// Simple helper to PEM encode an X25519 public key\npub fn serialize_x25519_public(bytes: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n    pem::encode(\u0026Pem {\n        tag: X25519_PUBLIC_KEY_BANNER.to_string(),\n        contents: bytes.to_vec(),\n    }).as_bytes().to_vec()\n}\n\n/// Attempt to deserialize a PEM encoded X25519 private key\n/// # Errors\n/// This function will return an error if the PEM data is invalid or has the wrong tag\npub fn deserialize_x25519_private(bytes: \u0026[u8]) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n    let pem = pem::parse(bytes)?;\n    if pem.tag != X25519_PRIVATE_KEY_BANNER {\n        return Err(KeyError::WrongPemTag.into())\n    }\n    Ok(pem.contents)\n}\n\n/// Attempt to deserialize a PEM encoded X25519 public key\n/// # Errors\n/// This function will return an error if the PEM data is invalid or has the wrong tag\npub fn deserialize_x25519_public(bytes: \u0026[u8]) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n    let pem = pem::parse(bytes)?;\n    if pem.tag != X25519_PUBLIC_KEY_BANNER {\n        return Err(KeyError::WrongPemTag.into())\n    }\n    Ok(pem.contents)\n}\n\n/// Simple helper to PEM encode an Ed25519 private key\npub fn serialize_ed25519_private(bytes: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n    pem::encode(\u0026Pem {\n        tag: ED25519_PRIVATE_KEY_BANNER.to_string(),\n        contents: bytes.to_vec(),\n    }).as_bytes().to_vec()\n}\n\n/// Simple helper to PEM encode an Ed25519 public key\npub fn serialize_ed25519_public(bytes: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n    pem::encode(\u0026Pem {\n        tag: ED25519_PUBLIC_KEY_BANNER.to_string(),\n        contents: bytes.to_vec(),\n    }).as_bytes().to_vec()\n}\n\n/// Attempt to deserialize a PEM encoded Ed25519 private key\n/// # Errors\n/// This function will return an error if the PEM data is invalid or has the wrong tag\npub fn deserialize_ed25519_private(bytes: \u0026[u8]) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n    let pem = pem::parse(bytes)?;\n    if pem.tag != ED25519_PRIVATE_KEY_BANNER {\n        return Err(KeyError::WrongPemTag.into())\n    }\n    Ok(pem.contents)\n}\n\n/// Attempt to deserialize a PEM encoded Ed25519 public key\n/// # Errors\n/// This function will return an error if the PEM data is invalid or has the wrong tag\npub fn deserialize_ed25519_public(bytes: \u0026[u8]) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n    let pem = pem::parse(bytes)?;\n    if pem.tag != ED25519_PUBLIC_KEY_BANNER {\n        return Err(KeyError::WrongPemTag.into())\n    }\n    Ok(pem.contents)\n}\n\nimpl NebulaCertificate {\n    /// Sign a nebula certificate with the provided private key\n    /// # Errors\n    /// This function will return an error if the certificate could not be serialized or signed.\n    pub fn sign(\u0026mut self, key: \u0026SigningKey) -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n        let mut out = Vec::new();\n        let mut writer = Writer::new(\u0026mut out);\n        self.get_raw_details().write_message(\u0026mut writer)?;\n\n        self.signature = key.sign(\u0026out).to_vec();\n        Ok(())\n    }\n\n    /// Verify the signature on a certificate with the provided public key\n    /// # Errors\n    /// This function will return an error if the certificate could not be serialized or the signature could not be checked.\n    pub fn check_signature(\u0026self, key: \u0026VerifyingKey) -\u003e Result\u003cbool, Box\u003cdyn Error\u003e\u003e {\n        let mut out = Vec::new();\n        let mut writer = Writer::new(\u0026mut out);\n        self.get_raw_details().write_message(\u0026mut writer)?;\n\n        let sig = Signature::from_slice(\u0026self.signature)?;\n\n        Ok(key.verify(\u0026out, \u0026sig).is_ok())\n    }\n\n    /// Returns true if the signature is too young or too old compared to the provided time\n    pub fn expired(\u0026self, time: SystemTime) -\u003e bool {\n        self.details.not_before \u003e time || self.details.not_after \u003c time\n    }\n\n    /// Verify will ensure a certificate is good in all respects (expiry, group membership, signature, cert blocklist, etc)\n    /// # Errors\n    /// This function will return an error if there is an error parsing the cert or the CA pool.\n    pub fn verify(\u0026self, time: SystemTime, ca_pool: \u0026NebulaCAPool) -\u003e Result\u003cCertificateValidity, Box\u003cdyn Error\u003e\u003e {\n        if ca_pool.is_blocklisted(self) {\n            return Ok(CertificateValidity::Blocklisted);\n        }\n\n        let Some(signer) = ca_pool.get_ca_for_cert(self)? else { return Ok(CertificateValidity::NotSignedByThisCAPool) };\n\n        if signer.expired(time) {\n            return Ok(CertificateValidity::RootCertExpired)\n        }\n\n        if self.expired(time) {\n            return Ok(CertificateValidity::CertExpired)\n        }\n\n        if !self.check_signature(\u0026VerifyingKey::from_bytes(\u0026signer.details.public_key)?)? {\n            return Ok(CertificateValidity::BadSignature)\n        }\n\n        Ok(self.check_root_constraints(signer))\n    }\n\n    /// Make sure that this certificate does not break any of the constraints set by the signing certificate\n    pub fn check_root_constraints(\u0026self, signer: \u0026Self) -\u003e CertificateValidity {\n        // Make sure this cert doesn't expire after the signer\n        println!(\"{:?} {:?}\", signer.details.not_before, self.details.not_before);\n        if signer.details.not_before \u003c self.details.not_before {\n            return CertificateValidity::CertExpiresAfterSigner;\n        }\n\n        // Make sure this cert doesn't come into validity before the root\n        if signer.details.not_before \u003e self.details.not_before {\n            return CertificateValidity::CertValidBeforeSigner;\n        }\n\n        // If the signer contains a limited set of groups, make sure this cert only has a subset of them\n        if !signer.details.groups.is_empty() {\n            println!(\"root groups: {:?}, child groups: {:?}\", signer.details.groups, self.details.groups);\n            for group in \u0026self.details.groups {\n                if !signer.details.groups.contains(group) {\n                    return CertificateValidity::GroupNotPresentOnSigner;\n                }\n            }\n        }\n\n        // If the signer contains a limited set of IP ranges, make sure the cert only contains a subset\n        if !signer.details.ips.is_empty() {\n            for ip in \u0026self.details.ips {\n                if !net_match(*ip, \u0026signer.details.ips) {\n                    return CertificateValidity::IPNotPresentOnSigner;\n                }\n            }\n        }\n\n        // If the signer contains a limited set of subnets, make sure the cert only contains a subset\n        if !signer.details.subnets.is_empty() {\n            for subnet in \u0026self.details.subnets {\n                if !net_match(*subnet, \u0026signer.details.subnets) {\n                    return CertificateValidity::SubnetNotPresentOnSigner;\n                }\n            }\n        }\n\n        CertificateValidity::Ok\n    }\n\n    #[allow(clippy::unwrap_used)]\n    /// Verify if the given private key corresponds to the public key contained in this certificate\n    /// # Errors\n    /// This function will return an error if either keys are invalid.\n    /// # Panics\n    /// This function, while containing calls to unwrap, has proper bounds checking and will not panic.\n    pub fn verify_private_key(\u0026self, key: \u0026[u8]) -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n        if self.details.is_ca {\n            // convert the keys\n            if key.len() != 64 {\n                return Err(\"key not 64-bytes long\".into())\n            }\n\n\n            let secret = SigningKey::from_keypair_bytes(key.try_into().unwrap())?;\n            let pub_key = secret.verifying_key().to_bytes();\n            if pub_key != self.details.public_key {\n                return Err(CertificateError::KeyMismatch.into());\n            }\n\n            return Ok(());\n        }\n\n        if key.len() != 32 {\n            return Err(\"key not 32-bytes long\".into())\n        }\n\n        let pubkey_raw = SigningKey::from_bytes(key.try_into()?).verifying_key();\n        let pubkey = pubkey_raw.as_bytes();\n\n        println!(\"{} {}\", hex::encode(pubkey), hex::encode(self.details.public_key));\n        if *pubkey != self.details.public_key {\n            return Err(CertificateError::KeyMismatch.into());\n        }\n\n        Ok(())\n    }\n\n\n    /// Get a protobuf-ready raw struct, ready for serialization\n    #[allow(clippy::expect_used)]\n    #[allow(clippy::cast_possible_wrap)]\n    /// # Panics\n    /// This function will panic if time went backwards, or if the certificate contains extremely invalid data.\n    pub fn get_raw_details(\u0026self) -\u003e RawNebulaCertificateDetails {\n\n        let mut raw = RawNebulaCertificateDetails {\n            Name: self.details.name.clone(),\n            Ips: vec![],\n            Subnets: vec![],\n            Groups: self.details.groups.iter().map(std::convert::Into::into).collect(),\n            NotBefore: self.details.not_before.duration_since(UNIX_EPOCH).expect(\"Time went backwards\").as_secs() as i64,\n            NotAfter: self.details.not_after.duration_since(UNIX_EPOCH).expect(\"Time went backwards\").as_secs() as i64,\n            PublicKey: self.details.public_key.into(),\n            IsCA: self.details.is_ca,\n            Issuer: hex::decode(\u0026self.details.issuer).expect(\"Issuer was not a hex-encoded value\"),\n        };\n\n        for ip_net in \u0026self.details.ips {\n            raw.Ips.push(ip_net.addr().into());\n            raw.Ips.push(ip_net.netmask().into());\n        }\n\n        for subnet in \u0026self.details.subnets {\n            raw.Subnets.push(subnet.addr().into());\n            raw.Subnets.push(subnet.netmask().into());\n        }\n\n        raw\n    }\n\n    /// Will serialize this cert into a protobuf byte array.\n    /// # Errors\n    /// This function will return an error if protobuf was unable to serialize the data.\n    pub fn serialize(\u0026self) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n        let raw_cert = RawNebulaCertificate {\n            Details: Some(self.get_raw_details()),\n            Signature: self.signature.clone(),\n        };\n\n        let mut out = vec![];\n        let mut writer = Writer::new(\u0026mut out);\n        raw_cert.write_message(\u0026mut writer)?;\n\n        Ok(out)\n    }\n\n    /// Will serialize this cert into a PEM byte array.\n    /// # Errors\n    /// This function will return an error if protobuf was unable to serialize the data.\n    pub fn serialize_to_pem(\u0026self) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n        let pbuf_bytes = self.serialize()?;\n\n        Ok(pem::encode(\u0026Pem {\n            tag: CERT_BANNER.to_string(),\n            contents: pbuf_bytes,\n        }).as_bytes().to_vec())\n    }\n\n    /// Get the fingerprint of this certificate\n    /// # Errors\n    /// This functiom will return an error if protobuf was unable to serialize the cert.\n    pub fn sha256sum(\u0026self) -\u003e Result\u003cString, Box\u003cdyn Error\u003e\u003e {\n        let pbuf_bytes = self.serialize()?;\n\n        let mut hasher = Sha256::new();\n        hasher.update(pbuf_bytes);\n\n        Ok(hex::encode(hasher.finalize()))\n    }\n}\n\n/// A list of possible errors that can happen validating a certificate\n#[derive(Eq, PartialEq, Debug)]\npub enum CertificateValidity {\n    /// There are no issues with this certificate\n    Ok,\n    /// This cert has been blocklisted in the given CA pool\n    Blocklisted,\n    /// The certificate that signed this cert is expired\n    RootCertExpired,\n    /// This cert is expired\n    CertExpired,\n    /// This cert's signature is invalid\n    BadSignature,\n    /// This cert was not signed by any CAs in the CA pool\n    NotSignedByThisCAPool,\n    /// This cert expires after the signer's cert expires\n    CertExpiresAfterSigner,\n    /// This cert enters validity before the signer's cert does\n    CertValidBeforeSigner,\n    /// A group present on this certificate is not present on the signer's certificate\n    GroupNotPresentOnSigner,\n    /// An IP present on this certificate is not present on the signer's certificate\n    IPNotPresentOnSigner,\n    /// A subnet on this certificate is not present on the signer's certificate\n    SubnetNotPresentOnSigner\n}\n\nfn net_match(cert_ip: Ipv4Net, root_ips: \u0026Vec\u003cIpv4Net\u003e) -\u003e bool {\n    for net in root_ips {\n        if net.contains(\u0026cert_ip) {\n            return true;\n        }\n    }\n    false\n}","traces":[{"line":87,"address":[527088],"length":1,"stats":{"Line":0},"fn_name":"fmt"},{"line":88,"address":[527115],"length":1,"stats":{"Line":0},"fn_name":null},{"line":89,"address":[527146],"length":1,"stats":{"Line":0},"fn_name":null},{"line":90,"address":[527206],"length":1,"stats":{"Line":0},"fn_name":null},{"line":91,"address":[527266],"length":1,"stats":{"Line":0},"fn_name":null},{"line":92,"address":[527326],"length":1,"stats":{"Line":0},"fn_name":null},{"line":93,"address":[527392],"length":1,"stats":{"Line":0},"fn_name":null},{"line":94,"address":[527458],"length":1,"stats":{"Line":0},"fn_name":null},{"line":95,"address":[527524],"length":1,"stats":{"Line":0},"fn_name":null},{"line":96,"address":[527587],"length":1,"stats":{"Line":0},"fn_name":null},{"line":97,"address":[527650],"length":1,"stats":{"Line":0},"fn_name":null},{"line":103,"address":[528659,527728],"length":1,"stats":{"Line":1},"fn_name":"map_cidr_pairs"},{"line":104,"address":[527771],"length":1,"stats":{"Line":1},"fn_name":null},{"line":105,"address":[528093,527808,527869],"length":1,"stats":{"Line":3},"fn_name":null},{"line":106,"address":[528654,528135],"length":1,"stats":{"Line":2},"fn_name":null},{"line":108,"address":[528006],"length":1,"stats":{"Line":1},"fn_name":null},{"line":113,"address":[530741,528688],"length":1,"stats":{"Line":1},"fn_name":"fmt"},{"line":114,"address":[528922,528721],"length":1,"stats":{"Line":1},"fn_name":null},{"line":115,"address":[528819,529100],"length":1,"stats":{"Line":1},"fn_name":null},{"line":116,"address":[529262,528969],"length":1,"stats":{"Line":1},"fn_name":null},{"line":117,"address":[529424,529132],"length":1,"stats":{"Line":1},"fn_name":null},{"line":118,"address":[529589,529294],"length":1,"stats":{"Line":1},"fn_name":null},{"line":119,"address":[529751,529456],"length":1,"stats":{"Line":1},"fn_name":null},{"line":120,"address":[529913,529621],"length":1,"stats":{"Line":1},"fn_name":null},{"line":121,"address":[530078,529783],"length":1,"stats":{"Line":1},"fn_name":null},{"line":122,"address":[530241,529945],"length":1,"stats":{"Line":1},"fn_name":null},{"line":123,"address":[530110,530348],"length":1,"stats":{"Line":1},"fn_name":null},{"line":124,"address":[530375,530687,530273],"length":1,"stats":{"Line":1},"fn_name":null},{"line":125,"address":[530846,530584],"length":1,"stats":{"Line":1},"fn_name":null},{"line":126,"address":[530785,530873,531168],"length":1,"stats":{"Line":1},"fn_name":null},{"line":127,"address":[531090,531222,531501],"length":1,"stats":{"Line":1},"fn_name":null},{"line":128,"address":[531431],"length":1,"stats":{"Line":1},"fn_name":null},{"line":136,"address":[536605,533096,531568],"length":1,"stats":{"Line":1},"fn_name":"deserialize_nebula_certificate"},{"line":137,"address":[531645],"length":1,"stats":{"Line":1},"fn_name":null},{"line":138,"address":[531839],"length":1,"stats":{"Line":1},"fn_name":null},{"line":141,"address":[531723],"length":1,"stats":{"Line":1},"fn_name":null},{"line":143,"address":[532102,531767,531953],"length":1,"stats":{"Line":2},"fn_name":null},{"line":145,"address":[532013,532506,532328],"length":1,"stats":{"Line":2},"fn_name":null},{"line":147,"address":[532653,532468],"length":1,"stats":{"Line":2},"fn_name":null},{"line":148,"address":[532690],"length":1,"stats":{"Line":1},"fn_name":null},{"line":151,"address":[532663,532797],"length":1,"stats":{"Line":2},"fn_name":null},{"line":152,"address":[532830],"length":1,"stats":{"Line":1},"fn_name":null},{"line":158,"address":[534614],"length":1,"stats":{"Line":1},"fn_name":null},{"line":159,"address":[534286],"length":1,"stats":{"Line":1},"fn_name":null},{"line":160,"address":[532807],"length":1,"stats":{"Line":1},"fn_name":null},{"line":161,"address":[532953,533217,533107,533053],"length":1,"stats":{"Line":3},"fn_name":null},{"line":162,"address":[533571,533171,533420],"length":1,"stats":{"Line":2},"fn_name":null},{"line":163,"address":[533525,533848],"length":1,"stats":{"Line":2},"fn_name":null},{"line":164,"address":[534030,533941],"length":1,"stats":{"Line":2},"fn_name":null},{"line":165,"address":[534087],"length":1,"stats":{"Line":1},"fn_name":null},{"line":166,"address":[534171],"length":1,"stats":{"Line":1},"fn_name":null},{"line":167,"address":[534190],"length":1,"stats":{"Line":1},"fn_name":null},{"line":168,"address":[534201],"length":1,"stats":{"Line":1},"fn_name":null},{"line":170,"address":[534517],"length":1,"stats":{"Line":1},"fn_name":null},{"line":174,"address":[534689],"length":1,"stats":{"Line":1},"fn_name":null},{"line":176,"address":[534871],"length":1,"stats":{"Line":1},"fn_name":null},{"line":177,"address":[534972],"length":1,"stats":{"Line":1},"fn_name":null},{"line":182,"address":[535933],"length":1,"stats":{"Line":1},"fn_name":null},{"line":192,"address":[536640],"length":1,"stats":{"Line":0},"fn_name":"fmt"},{"line":194,"address":[536658],"length":1,"stats":{"Line":0},"fn_name":null},{"line":204,"address":[537197,536720],"length":1,"stats":{"Line":1},"fn_name":"deserialize_nebula_certificate_from_pem"},{"line":205,"address":[536753,536917],"length":1,"stats":{"Line":2},"fn_name":null},{"line":206,"address":[536891,537049],"length":1,"stats":{"Line":2},"fn_name":null},{"line":207,"address":[537081],"length":1,"stats":{"Line":0},"fn_name":null},{"line":209,"address":[537174,537055],"length":1,"stats":{"Line":2},"fn_name":null},{"line":213,"address":[537443,537232],"length":1,"stats":{"Line":1},"fn_name":"serialize_x25519_private"},{"line":214,"address":[537582,537512,537370],"length":1,"stats":{"Line":3},"fn_name":null},{"line":215,"address":[537275],"length":1,"stats":{"Line":1},"fn_name":null},{"line":216,"address":[537310],"length":1,"stats":{"Line":1},"fn_name":null},{"line":217,"address":[537329],"length":1,"stats":{"Line":0},"fn_name":null},{"line":221,"address":[537859,537648],"length":1,"stats":{"Line":1},"fn_name":"serialize_x25519_public"},{"line":222,"address":[537786,537928,537998],"length":1,"stats":{"Line":3},"fn_name":null},{"line":223,"address":[537691],"length":1,"stats":{"Line":1},"fn_name":null},{"line":224,"address":[537726],"length":1,"stats":{"Line":1},"fn_name":null},{"line":225,"address":[537745],"length":1,"stats":{"Line":0},"fn_name":null},{"line":231,"address":[538562,538064],"length":1,"stats":{"Line":1},"fn_name":"deserialize_x25519_private"},{"line":232,"address":[538258,538097],"length":1,"stats":{"Line":2},"fn_name":null},{"line":233,"address":[538232,538390],"length":1,"stats":{"Line":2},"fn_name":null},{"line":234,"address":[538499],"length":1,"stats":{"Line":0},"fn_name":null},{"line":236,"address":[538401],"length":1,"stats":{"Line":1},"fn_name":null},{"line":242,"address":[539090,538592],"length":1,"stats":{"Line":1},"fn_name":"deserialize_x25519_public"},{"line":243,"address":[538786,538625],"length":1,"stats":{"Line":2},"fn_name":null},{"line":244,"address":[538918,538760],"length":1,"stats":{"Line":2},"fn_name":null},{"line":245,"address":[539027],"length":1,"stats":{"Line":0},"fn_name":null},{"line":247,"address":[538929],"length":1,"stats":{"Line":1},"fn_name":null},{"line":251,"address":[539331,539120],"length":1,"stats":{"Line":1},"fn_name":"serialize_ed25519_private"},{"line":252,"address":[539400,539470,539258],"length":1,"stats":{"Line":3},"fn_name":null},{"line":253,"address":[539163],"length":1,"stats":{"Line":1},"fn_name":null},{"line":254,"address":[539198],"length":1,"stats":{"Line":1},"fn_name":null},{"line":255,"address":[539217],"length":1,"stats":{"Line":0},"fn_name":null},{"line":259,"address":[539536,539747],"length":1,"stats":{"Line":1},"fn_name":"serialize_ed25519_public"},{"line":260,"address":[539674,539816,539886],"length":1,"stats":{"Line":3},"fn_name":null},{"line":261,"address":[539579],"length":1,"stats":{"Line":1},"fn_name":null},{"line":262,"address":[539614],"length":1,"stats":{"Line":1},"fn_name":null},{"line":263,"address":[539633],"length":1,"stats":{"Line":0},"fn_name":null},{"line":269,"address":[539952,540450],"length":1,"stats":{"Line":1},"fn_name":"deserialize_ed25519_private"},{"line":270,"address":[539985,540146],"length":1,"stats":{"Line":2},"fn_name":null},{"line":271,"address":[540120,540278],"length":1,"stats":{"Line":2},"fn_name":null},{"line":272,"address":[540387],"length":1,"stats":{"Line":0},"fn_name":null},{"line":274,"address":[540289],"length":1,"stats":{"Line":1},"fn_name":null},{"line":280,"address":[540480,540978],"length":1,"stats":{"Line":1},"fn_name":"deserialize_ed25519_public"},{"line":281,"address":[540513,540674],"length":1,"stats":{"Line":2},"fn_name":null},{"line":282,"address":[540648,540806],"length":1,"stats":{"Line":2},"fn_name":null},{"line":283,"address":[540915],"length":1,"stats":{"Line":0},"fn_name":null},{"line":285,"address":[540817],"length":1,"stats":{"Line":1},"fn_name":null},{"line":292,"address":[541008,541428,541730],"length":1,"stats":{"Line":1},"fn_name":"sign"},{"line":293,"address":[541041],"length":1,"stats":{"Line":1},"fn_name":null},{"line":294,"address":[541065,541128],"length":1,"stats":{"Line":2},"fn_name":null},{"line":295,"address":[541141],"length":1,"stats":{"Line":1},"fn_name":null},{"line":297,"address":[541468],"length":1,"stats":{"Line":1},"fn_name":null},{"line":298,"address":[541705],"length":1,"stats":{"Line":1},"fn_name":null},{"line":304,"address":[542610,541760,542165],"length":1,"stats":{"Line":1},"fn_name":"check_signature"},{"line":305,"address":[541803],"length":1,"stats":{"Line":1},"fn_name":null},{"line":306,"address":[541890,541827],"length":1,"stats":{"Line":2},"fn_name":null},{"line":307,"address":[541903],"length":1,"stats":{"Line":1},"fn_name":null},{"line":309,"address":[542458,542197],"length":1,"stats":{"Line":2},"fn_name":null},{"line":311,"address":[542672,542427,542564],"length":1,"stats":{"Line":3},"fn_name":null},{"line":315,"address":[542768],"length":1,"stats":{"Line":1},"fn_name":"expired"},{"line":316,"address":[542790],"length":1,"stats":{"Line":1},"fn_name":null},{"line":322,"address":[542864],"length":1,"stats":{"Line":1},"fn_name":"verify"},{"line":323,"address":[542939],"length":1,"stats":{"Line":1},"fn_name":null},{"line":324,"address":[543016],"length":1,"stats":{"Line":1},"fn_name":null},{"line":327,"address":[543173,543040,542958,543140],"length":1,"stats":{"Line":3},"fn_name":null},{"line":329,"address":[543157],"length":1,"stats":{"Line":1},"fn_name":null},{"line":330,"address":[543219],"length":1,"stats":{"Line":1},"fn_name":null},{"line":333,"address":[543203],"length":1,"stats":{"Line":1},"fn_name":null},{"line":334,"address":[543295],"length":1,"stats":{"Line":1},"fn_name":null},{"line":337,"address":[543487,543311,543239],"length":1,"stats":{"Line":3},"fn_name":null},{"line":338,"address":[543597],"length":1,"stats":{"Line":0},"fn_name":null},{"line":341,"address":[543565],"length":1,"stats":{"Line":1},"fn_name":null},{"line":345,"address":[543616],"length":1,"stats":{"Line":1},"fn_name":"check_root_constraints"},{"line":347,"address":[543662],"length":1,"stats":{"Line":1},"fn_name":null},{"line":348,"address":[543788],"length":1,"stats":{"Line":1},"fn_name":null},{"line":349,"address":[543834],"length":1,"stats":{"Line":0},"fn_name":null},{"line":353,"address":[543815],"length":1,"stats":{"Line":1},"fn_name":null},{"line":354,"address":[543876],"length":1,"stats":{"Line":0},"fn_name":null},{"line":358,"address":[543856],"length":1,"stats":{"Line":1},"fn_name":null},{"line":359,"address":[543917],"length":1,"stats":{"Line":1},"fn_name":null},{"line":360,"address":[544056],"length":1,"stats":{"Line":1},"fn_name":null},{"line":361,"address":[544164],"length":1,"stats":{"Line":1},"fn_name":null},{"line":362,"address":[544200],"length":1,"stats":{"Line":1},"fn_name":null},{"line":368,"address":[543888],"length":1,"stats":{"Line":1},"fn_name":null},{"line":369,"address":[544244],"length":1,"stats":{"Line":1},"fn_name":null},{"line":370,"address":[544341],"length":1,"stats":{"Line":1},"fn_name":null},{"line":371,"address":[544404],"length":1,"stats":{"Line":1},"fn_name":null},{"line":377,"address":[544215],"length":1,"stats":{"Line":1},"fn_name":null},{"line":378,"address":[544429],"length":1,"stats":{"Line":1},"fn_name":null},{"line":379,"address":[544526],"length":1,"stats":{"Line":1},"fn_name":null},{"line":380,"address":[544589],"length":1,"stats":{"Line":1},"fn_name":null},{"line":385,"address":[544414],"length":1,"stats":{"Line":1},"fn_name":null},{"line":394,"address":[545205,544608],"length":1,"stats":{"Line":1},"fn_name":"verify_private_key"},{"line":395,"address":[544663],"length":1,"stats":{"Line":1},"fn_name":null},{"line":397,"address":[544703],"length":1,"stats":{"Line":1},"fn_name":null},{"line":398,"address":[544799],"length":1,"stats":{"Line":0},"fn_name":null},{"line":402,"address":[544856,544725,544961],"length":1,"stats":{"Line":2},"fn_name":null},{"line":403,"address":[545086,544942],"length":1,"stats":{"Line":2},"fn_name":null},{"line":404,"address":[545109],"length":1,"stats":{"Line":1},"fn_name":null},{"line":405,"address":[545144],"length":1,"stats":{"Line":1},"fn_name":null},{"line":408,"address":[545130],"length":1,"stats":{"Line":1},"fn_name":null},{"line":411,"address":[544680],"length":1,"stats":{"Line":1},"fn_name":null},{"line":412,"address":[545319],"length":1,"stats":{"Line":0},"fn_name":null},{"line":415,"address":[545357,545266],"length":1,"stats":{"Line":2},"fn_name":null},{"line":416,"address":[545517],"length":1,"stats":{"Line":1},"fn_name":null},{"line":418,"address":[545554],"length":1,"stats":{"Line":1},"fn_name":null},{"line":419,"address":[545934],"length":1,"stats":{"Line":1},"fn_name":null},{"line":420,"address":[545960],"length":1,"stats":{"Line":1},"fn_name":null},{"line":423,"address":[545943],"length":1,"stats":{"Line":1},"fn_name":null},{"line":432,"address":[547137,546016],"length":1,"stats":{"Line":1},"fn_name":"get_raw_details"},{"line":435,"address":[546055],"length":1,"stats":{"Line":1},"fn_name":null},{"line":436,"address":[546084],"length":1,"stats":{"Line":1},"fn_name":null},{"line":437,"address":[546143],"length":1,"stats":{"Line":1},"fn_name":null},{"line":438,"address":[546290,546199],"length":1,"stats":{"Line":2},"fn_name":null},{"line":439,"address":[546391,546471],"length":1,"stats":{"Line":2},"fn_name":null},{"line":440,"address":[546581],"length":1,"stats":{"Line":1},"fn_name":null},{"line":441,"address":[546727],"length":1,"stats":{"Line":1},"fn_name":null},{"line":442,"address":[546781],"length":1,"stats":{"Line":1},"fn_name":null},{"line":443,"address":[546860,546794],"length":1,"stats":{"Line":2},"fn_name":null},{"line":446,"address":[547110,547344,547216],"length":1,"stats":{"Line":3},"fn_name":null},{"line":447,"address":[547365],"length":1,"stats":{"Line":1},"fn_name":null},{"line":448,"address":[547465],"length":1,"stats":{"Line":1},"fn_name":null},{"line":451,"address":[547312,547567,547673],"length":1,"stats":{"Line":3},"fn_name":null},{"line":452,"address":[547694],"length":1,"stats":{"Line":1},"fn_name":null},{"line":453,"address":[547794],"length":1,"stats":{"Line":1},"fn_name":null},{"line":462,"address":[547888,548103],"length":1,"stats":{"Line":1},"fn_name":"serialize"},{"line":464,"address":[547931],"length":1,"stats":{"Line":1},"fn_name":null},{"line":465,"address":[547968],"length":1,"stats":{"Line":1},"fn_name":null},{"line":468,"address":[548084],"length":1,"stats":{"Line":1},"fn_name":null},{"line":469,"address":[548229,548171],"length":1,"stats":{"Line":2},"fn_name":null},{"line":470,"address":[548429,548258],"length":1,"stats":{"Line":1},"fn_name":null},{"line":472,"address":[548318],"length":1,"stats":{"Line":1},"fn_name":null},{"line":478,"address":[548592,548943],"length":1,"stats":{"Line":1},"fn_name":"serialize_to_pem"},{"line":479,"address":[548734,548617],"length":1,"stats":{"Line":1},"fn_name":null},{"line":481,"address":[548852,549018,549084],"length":1,"stats":{"Line":3},"fn_name":null},{"line":482,"address":[548702],"length":1,"stats":{"Line":1},"fn_name":null},{"line":483,"address":[548826],"length":1,"stats":{"Line":1},"fn_name":null},{"line":490,"address":[549728,549184,549697],"length":1,"stats":{"Line":1},"fn_name":"sha256sum"},{"line":491,"address":[549208,549322],"length":1,"stats":{"Line":1},"fn_name":null},{"line":493,"address":[549311],"length":1,"stats":{"Line":1},"fn_name":null},{"line":494,"address":[549422],"length":1,"stats":{"Line":1},"fn_name":null},{"line":496,"address":[549479],"length":1,"stats":{"Line":1},"fn_name":null},{"line":527,"address":[549744],"length":1,"stats":{"Line":1},"fn_name":"net_match"},{"line":528,"address":[549858,549794],"length":1,"stats":{"Line":2},"fn_name":null},{"line":529,"address":[549868],"length":1,"stats":{"Line":1},"fn_name":null},{"line":530,"address":[549885],"length":1,"stats":{"Line":1},"fn_name":null},{"line":533,"address":[549851],"length":1,"stats":{"Line":1},"fn_name":null}],"covered":178,"coverable":205},{"path":["/","home","core","prj","e3t","trifid","trifid-pki","src","cert_codec.rs"],"content":"// Automatically generated rust module for 'cert_codec.proto' file\n\n#![allow(non_snake_case)]\n#![allow(non_upper_case_globals)]\n#![allow(non_camel_case_types)]\n#![allow(unused_imports)]\n#![allow(unknown_lints)]\n#![allow(clippy::all)]\n#![cfg_attr(rustfmt, rustfmt_skip)]\n#![allow(clippy::pedantic)]\n\nuse quick_protobuf::{MessageInfo, MessageRead, MessageWrite, BytesReader, Writer, WriterBackend, Result};\nuse quick_protobuf::sizeofs::*;\nuse super::*;\n\n#[allow(clippy::derive_partial_eq_without_eq)]\n#[derive(Debug, Default, PartialEq, Clone)]\npub struct RawNebulaCertificate {\n    pub Details: Option\u003ccert_codec::RawNebulaCertificateDetails\u003e,\n    pub Signature: Vec\u003cu8\u003e,\n}\n\nimpl\u003c'a\u003e MessageRead\u003c'a\u003e for RawNebulaCertificate {\n    fn from_reader(r: \u0026mut BytesReader, bytes: \u0026'a [u8]) -\u003e Result\u003cSelf\u003e {\n        let mut msg = Self::default();\n        while !r.is_eof() {\n            match r.next_tag(bytes) {\n                Ok(10) =\u003e msg.Details = Some(r.read_message::\u003ccert_codec::RawNebulaCertificateDetails\u003e(bytes)?),\n                Ok(18) =\u003e msg.Signature = r.read_bytes(bytes)?.to_owned(),\n                Ok(t) =\u003e { r.read_unknown(bytes, t)?; }\n                Err(e) =\u003e return Err(e),\n            }\n        }\n        Ok(msg)\n    }\n}\n\nimpl MessageWrite for RawNebulaCertificate {\n    fn get_size(\u0026self) -\u003e usize {\n        0\n        + self.Details.as_ref().map_or(0, |m| 1 + sizeof_len((m).get_size()))\n        + if self.Signature.is_empty() { 0 } else { 1 + sizeof_len((\u0026self.Signature).len()) }\n    }\n\n    fn write_message\u003cW: WriterBackend\u003e(\u0026self, w: \u0026mut Writer\u003cW\u003e) -\u003e Result\u003c()\u003e {\n        if let Some(ref s) = self.Details { w.write_with_tag(10, |w| w.write_message(s))?; }\n        if !self.Signature.is_empty() { w.write_with_tag(18, |w| w.write_bytes(\u0026**\u0026self.Signature))?; }\n        Ok(())\n    }\n}\n\n#[allow(clippy::derive_partial_eq_without_eq)]\n#[derive(Debug, Default, PartialEq, Clone)]\npub struct RawNebulaCertificateDetails {\n    pub Name: String,\n    pub Ips: Vec\u003cu32\u003e,\n    pub Subnets: Vec\u003cu32\u003e,\n    pub Groups: Vec\u003cString\u003e,\n    pub NotBefore: i64,\n    pub NotAfter: i64,\n    pub PublicKey: Vec\u003cu8\u003e,\n    pub IsCA: bool,\n    pub Issuer: Vec\u003cu8\u003e,\n}\n\nimpl\u003c'a\u003e MessageRead\u003c'a\u003e for RawNebulaCertificateDetails {\n    fn from_reader(r: \u0026mut BytesReader, bytes: \u0026'a [u8]) -\u003e Result\u003cSelf\u003e {\n        let mut msg = Self::default();\n        while !r.is_eof() {\n            match r.next_tag(bytes) {\n                Ok(10) =\u003e msg.Name = r.read_string(bytes)?.to_owned(),\n                Ok(18) =\u003e msg.Ips = r.read_packed(bytes, |r, bytes| Ok(r.read_uint32(bytes)?))?,\n                Ok(26) =\u003e msg.Subnets = r.read_packed(bytes, |r, bytes| Ok(r.read_uint32(bytes)?))?,\n                Ok(34) =\u003e msg.Groups.push(r.read_string(bytes)?.to_owned()),\n                Ok(40) =\u003e msg.NotBefore = r.read_int64(bytes)?,\n                Ok(48) =\u003e msg.NotAfter = r.read_int64(bytes)?,\n                Ok(58) =\u003e msg.PublicKey = r.read_bytes(bytes)?.to_owned(),\n                Ok(64) =\u003e msg.IsCA = r.read_bool(bytes)?,\n                Ok(74) =\u003e msg.Issuer = r.read_bytes(bytes)?.to_owned(),\n                Ok(t) =\u003e { r.read_unknown(bytes, t)?; }\n                Err(e) =\u003e return Err(e),\n            }\n        }\n        Ok(msg)\n    }\n}\n\nimpl MessageWrite for RawNebulaCertificateDetails {\n    fn get_size(\u0026self) -\u003e usize {\n        0\n        + if self.Name == String::default() { 0 } else { 1 + sizeof_len((\u0026self.Name).len()) }\n        + if self.Ips.is_empty() { 0 } else { 1 + sizeof_len(self.Ips.iter().map(|s| sizeof_varint(*(s) as u64)).sum::\u003cusize\u003e()) }\n        + if self.Subnets.is_empty() { 0 } else { 1 + sizeof_len(self.Subnets.iter().map(|s| sizeof_varint(*(s) as u64)).sum::\u003cusize\u003e()) }\n        + self.Groups.iter().map(|s| 1 + sizeof_len((s).len())).sum::\u003cusize\u003e()\n        + if self.NotBefore == 0i64 { 0 } else { 1 + sizeof_varint(*(\u0026self.NotBefore) as u64) }\n        + if self.NotAfter == 0i64 { 0 } else { 1 + sizeof_varint(*(\u0026self.NotAfter) as u64) }\n        + if self.PublicKey.is_empty() { 0 } else { 1 + sizeof_len((\u0026self.PublicKey).len()) }\n        + if self.IsCA == false { 0 } else { 1 + sizeof_varint(*(\u0026self.IsCA) as u64) }\n        + if self.Issuer.is_empty() { 0 } else { 1 + sizeof_len((\u0026self.Issuer).len()) }\n    }\n\n    fn write_message\u003cW: WriterBackend\u003e(\u0026self, w: \u0026mut Writer\u003cW\u003e) -\u003e Result\u003c()\u003e {\n        if self.Name != String::default() { w.write_with_tag(10, |w| w.write_string(\u0026**\u0026self.Name))?; }\n        w.write_packed_with_tag(18, \u0026self.Ips, |w, m| w.write_uint32(*m), \u0026|m| sizeof_varint(*(m) as u64))?;\n        w.write_packed_with_tag(26, \u0026self.Subnets, |w, m| w.write_uint32(*m), \u0026|m| sizeof_varint(*(m) as u64))?;\n        for s in \u0026self.Groups { w.write_with_tag(34, |w| w.write_string(\u0026**s))?; }\n        if self.NotBefore != 0i64 { w.write_with_tag(40, |w| w.write_int64(*\u0026self.NotBefore))?; }\n        if self.NotAfter != 0i64 { w.write_with_tag(48, |w| w.write_int64(*\u0026self.NotAfter))?; }\n        if !self.PublicKey.is_empty() { w.write_with_tag(58, |w| w.write_bytes(\u0026**\u0026self.PublicKey))?; }\n        if self.IsCA != false { w.write_with_tag(64, |w| w.write_bool(*\u0026self.IsCA))?; }\n        if !self.Issuer.is_empty() { w.write_with_tag(74, |w| w.write_bytes(\u0026**\u0026self.Issuer))?; }\n        Ok(())\n    }\n}\n\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-pki","src","lib.rs"],"content":"//! # trifid-pki\n//! trifid-pki is a crate for interacting with the Nebula PKI system. It was created to prevent the need to make constant CLI calls for signing operations in Nebula.\n//! It is designed to be interoperable with the original Go implementation and as such has some oddities with key management to ensure compatability.\n//!\n//! This crate has not received any format security audits, however the underlying crates used for actual cryptographic operations (ed25519-dalek and curve25519-dalek) have been audited with no major issues.\n\n#![warn(clippy::pedantic)]\n#![warn(clippy::nursery)]\n#![deny(clippy::unwrap_used)]\n#![deny(clippy::expect_used)]\n#![deny(missing_docs)]\n#![deny(clippy::missing_errors_doc)]\n#![deny(clippy::missing_panics_doc)]\n#![deny(clippy::missing_safety_doc)]\n#![allow(clippy::must_use_candidate)]\n#![allow(clippy::too_many_lines)]\n#![allow(clippy::module_name_repetitions)]\n\n\nextern crate core;\n\npub mod ca;\npub mod cert;\n#[cfg(not(tarpaulin_include))]\npub(crate) mod cert_codec;\n#[cfg(test)]\n#[macro_use]\npub mod test;","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-pki","src","test.rs"],"content":"#![allow(clippy::unwrap_used)]\n#![allow(clippy::expect_used)]\n\nuse crate::netmask;\nuse std::net::Ipv4Addr;\nuse std::ops::{Add, Sub};\nuse std::time::{Duration, SystemTime, SystemTimeError, UNIX_EPOCH};\nuse ipnet::Ipv4Net;\nuse crate::cert::{CertificateValidity, deserialize_ed25519_private, deserialize_ed25519_public, deserialize_nebula_certificate, deserialize_nebula_certificate_from_pem, deserialize_x25519_private, deserialize_x25519_public, NebulaCertificate, NebulaCertificateDetails, serialize_ed25519_private, serialize_ed25519_public, serialize_x25519_private, serialize_x25519_public};\nuse std::str::FromStr;\nuse ed25519_dalek::{SigningKey, VerifyingKey};\nuse quick_protobuf::{MessageWrite, Writer};\nuse rand::rngs::OsRng;\nuse crate::ca::{NebulaCAPool};\nuse crate::cert_codec::{RawNebulaCertificate, RawNebulaCertificateDetails};\n\n/// This is a cert that we (e3team) actually use in production, and it's a known-good certificate.\npub const KNOWN_GOOD_CERT: \u0026[u8; 258] = b\"-----BEGIN NEBULA CERTIFICATE-----\\nCkkKF2UzdGVhbSBJbnRlcm5hbCBOZXR3b3JrKJWev5wGMJWFxKsGOiCvpwoHyKY5\\n8Q5+2XxDjtoCf/zlNY/EUdB8bwXQSwEo50ABEkB0Dx76lkMqc3IyH5+ml2dKjTyv\\nB4Jiw6x3abf5YZcf8rDuVEgQpvFdJmo3xJyIb3C9vKZ6kXsUxjw6s1JdWgkA\\n-----END NEBULA CERTIFICATE-----\";\n\n#[test]\nfn certificate_serialization() {\n    let before = round_systime_to_secs(SystemTime::now() - Duration::from_secs(60)).unwrap();\n    let after = round_systime_to_secs(SystemTime::now() + Duration::from_secs(60)).unwrap();\n    let pub_key = b\"1234567890abcedfghij1234567890ab\";\n\n    let cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: \"testing\".to_string(),\n            ips: vec![\n                netmask!(\"10.1.1.1\", \"255.255.255.0\"),\n                netmask!(\"10.1.1.2\", \"255.255.0.0\"),\n                netmask!(\"10.1.1.3\", \"255.0.0.0\")\n            ],\n            subnets: vec![\n                netmask!(\"9.1.1.1\", \"255.255.255.128\"),\n                netmask!(\"9.1.1.2\", \"255.255.255.0\"),\n                netmask!(\"9.1.1.3\", \"255.255.0.0\")\n            ],\n            groups: vec![\"test-group1\".to_string(), \"test-group2\".to_string(), \"test-group3\".to_string()],\n            not_before: before,\n            not_after: after,\n            public_key: *pub_key,\n            is_ca: false,\n            issuer: \"1234567890abcedfabcd1234567890ab\".to_string(),\n        },\n        signature: b\"1234567890abcedfghij1234567890ab\".to_vec(),\n    };\n\n    let bytes = cert.serialize().unwrap();\n\n    let deserialized = deserialize_nebula_certificate(\u0026bytes).unwrap();\n\n    assert_eq!(cert.signature, deserialized.signature);\n    assert_eq!(cert.details.name, deserialized.details.name);\n    assert_eq!(cert.details.not_before, deserialized.details.not_before);\n    assert_eq!(cert.details.not_after, deserialized.details.not_after);\n    assert_eq!(cert.details.public_key, deserialized.details.public_key);\n    assert_eq!(cert.details.is_ca, deserialized.details.is_ca);\n\n    assert_eq!(cert.details.ips.len(), deserialized.details.ips.len());\n    for item in \u0026cert.details.ips {\n        assert!(deserialized.details.ips.contains(item), \"deserialized does not contain from source\");\n    }\n\n    assert_eq!(cert.details.subnets.len(), deserialized.details.subnets.len());\n    for item in \u0026cert.details.subnets {\n        assert!(deserialized.details.subnets.contains(item), \"deserialized does not contain from source\");\n    }\n\n    assert_eq!(cert.details.groups.len(), deserialized.details.groups.len());\n    for item in \u0026cert.details.groups {\n        assert!(deserialized.details.groups.contains(item), \"deserialized does not contain from source\");\n    }\n}\n\n#[test]\nfn certificate_serialization_pem() {\n    let before = round_systime_to_secs(SystemTime::now() - Duration::from_secs(60)).unwrap();\n    let after = round_systime_to_secs(SystemTime::now() + Duration::from_secs(60)).unwrap();\n    let pub_key = b\"1234567890abcedfghij1234567890ab\";\n\n    let cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: \"testing\".to_string(),\n            ips: vec![\n                netmask!(\"10.1.1.1\", \"255.255.255.0\"),\n                netmask!(\"10.1.1.2\", \"255.255.0.0\"),\n                netmask!(\"10.1.1.3\", \"255.0.0.0\")\n            ],\n            subnets: vec![\n                netmask!(\"9.1.1.1\", \"255.255.255.128\"),\n                netmask!(\"9.1.1.2\", \"255.255.255.0\"),\n                netmask!(\"9.1.1.3\", \"255.255.0.0\")\n            ],\n            groups: vec![\"test-group1\".to_string(), \"test-group2\".to_string(), \"test-group3\".to_string()],\n            not_before: before,\n            not_after: after,\n            public_key: *pub_key,\n            is_ca: false,\n            issuer: \"1234567890abcedfabcd1234567890ab\".to_string(),\n        },\n        signature: b\"1234567890abcedfghij1234567890ab\".to_vec(),\n    };\n\n    let bytes = cert.serialize_to_pem().unwrap();\n\n    let deserialized = deserialize_nebula_certificate_from_pem(\u0026bytes).unwrap();\n\n    assert_eq!(cert.signature, deserialized.signature);\n    assert_eq!(cert.details.name, deserialized.details.name);\n    assert_eq!(cert.details.not_before, deserialized.details.not_before);\n    assert_eq!(cert.details.not_after, deserialized.details.not_after);\n    assert_eq!(cert.details.public_key, deserialized.details.public_key);\n    assert_eq!(cert.details.is_ca, deserialized.details.is_ca);\n\n    assert_eq!(cert.details.ips.len(), deserialized.details.ips.len());\n    for item in \u0026cert.details.ips {\n        assert!(deserialized.details.ips.contains(item), \"deserialized does not contain from source\");\n    }\n\n    assert_eq!(cert.details.subnets.len(), deserialized.details.subnets.len());\n    for item in \u0026cert.details.subnets {\n        assert!(deserialized.details.subnets.contains(item), \"deserialized does not contain from source\");\n    }\n\n    assert_eq!(cert.details.groups.len(), deserialized.details.groups.len());\n    for item in \u0026cert.details.groups {\n        assert!(deserialized.details.groups.contains(item), \"deserialized does not contain from source\");\n    }\n}\n\n#[test]\nfn cert_signing() {\n    let before = round_systime_to_secs(SystemTime::now() - Duration::from_secs(60)).unwrap();\n    let after = round_systime_to_secs(SystemTime::now() + Duration::from_secs(60)).unwrap();\n    let pub_key = b\"1234567890abcedfghij1234567890ab\";\n\n    let mut cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: \"testing\".to_string(),\n            ips: vec![\n                netmask!(\"10.1.1.1\", \"255.255.255.0\"),\n                netmask!(\"10.1.1.2\", \"255.255.0.0\"),\n                netmask!(\"10.1.1.3\", \"255.0.0.0\")\n            ],\n            subnets: vec![\n                netmask!(\"9.1.1.1\", \"255.255.255.128\"),\n                netmask!(\"9.1.1.2\", \"255.255.255.0\"),\n                netmask!(\"9.1.1.3\", \"255.255.0.0\")\n            ],\n            groups: vec![\"test-group1\".to_string(), \"test-group2\".to_string(), \"test-group3\".to_string()],\n            not_before: before,\n            not_after: after,\n            public_key: *pub_key,\n            is_ca: false,\n            issuer: \"1234567890abcedfabcd1234567890ab\".to_string(),\n        },\n        signature: b\"1234567890abcedfghij1234567890ab\".to_vec(),\n    };\n\n    let mut csprng = OsRng;\n    let key = SigningKey::generate(\u0026mut csprng);\n\n    assert!(cert.check_signature(\u0026key.verifying_key()).is_err());\n    cert.sign(\u0026key).unwrap();\n    assert!(cert.check_signature(\u0026key.verifying_key()).unwrap());\n}\n\n#[test]\nfn cert_expiry() {\n    let cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: String::new(),\n            ips: vec![],\n            subnets: vec![],\n            groups: vec![],\n            not_before: SystemTime::now().sub(Duration::from_secs(60)),\n            not_after: SystemTime::now().add(Duration::from_secs(60)),\n            public_key: [0u8; 32],\n            is_ca: false,\n            issuer: String::new(),\n        },\n        signature: vec![],\n    };\n\n    assert!(cert.expired(SystemTime::now().add(Duration::from_secs(60 * 60 * 60))));\n    assert!(cert.expired(SystemTime::now().sub(Duration::from_secs(60 * 60 * 60))));\n    assert!(!cert.expired(SystemTime::now()));\n}\n\n#[test]\nfn cert_display() {\n    let cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: String::new(),\n            ips: vec![],\n            subnets: vec![],\n            groups: vec![],\n            not_before: SystemTime::now().sub(Duration::from_secs(60)),\n            not_after: SystemTime::now().add(Duration::from_secs(60)),\n            public_key: [0u8; 32],\n            is_ca: false,\n            issuer: String::new(),\n        },\n        signature: vec![],\n    };\n    println!(\"{cert}\");\n}\n\n#[test]\n#[should_panic]\nfn cert_deserialize_empty_bytes() {\n    deserialize_nebula_certificate(\u0026[]).unwrap();\n}\n\n#[test]\nfn cert_deserialize_unpaired_ips() {\n    let broken_cert = RawNebulaCertificate {\n        Details: Some(RawNebulaCertificateDetails {\n            Name: String::new(),\n            Ips: vec![0],\n            Subnets: vec![],\n            Groups: vec![],\n            NotBefore: 0,\n            NotAfter: 0,\n            PublicKey: vec![],\n            IsCA: false,\n            Issuer: vec![],\n        }),\n        Signature: vec![],\n    };\n    let mut bytes = vec![];\n    let mut writer = Writer::new(\u0026mut bytes);\n    broken_cert.write_message(\u0026mut writer).unwrap();\n\n    deserialize_nebula_certificate(\u0026bytes).unwrap_err();\n}\n\n#[test]\nfn cert_deserialize_unpaired_subnets() {\n    let broken_cert = RawNebulaCertificate {\n        Details: Some(RawNebulaCertificateDetails {\n            Name: String::new(),\n            Ips: vec![],\n            Subnets: vec![0],\n            Groups: vec![],\n            NotBefore: 0,\n            NotAfter: 0,\n            PublicKey: vec![],\n            IsCA: false,\n            Issuer: vec![],\n        }),\n        Signature: vec![],\n    };\n    let mut bytes = vec![];\n    let mut writer = Writer::new(\u0026mut bytes);\n    broken_cert.write_message(\u0026mut writer).unwrap();\n\n    deserialize_nebula_certificate(\u0026bytes).unwrap_err();\n}\n\n#[test]\nfn cert_deserialize_wrong_pubkey_len() {\n    let broken_cert = RawNebulaCertificate {\n        Details: Some(RawNebulaCertificateDetails {\n            Name: String::new(),\n            Ips: vec![],\n            Subnets: vec![],\n            Groups: vec![],\n            NotBefore: 0,\n            NotAfter: 0,\n            PublicKey: vec![0u8; 31],\n            IsCA: false,\n            Issuer: vec![],\n        }),\n        Signature: vec![],\n    };\n    let mut bytes = vec![];\n    let mut writer = Writer::new(\u0026mut bytes);\n    broken_cert.write_message(\u0026mut writer).unwrap();\n\n    deserialize_nebula_certificate(\u0026bytes).unwrap_err();\n\n    assert!(deserialize_nebula_certificate_from_pem(\u0026[0u8; 32]).is_err());\n}\n\n#[test]\nfn x25519_serialization() {\n    let bytes = [0u8; 32];\n    assert_eq!(deserialize_x25519_private(\u0026serialize_x25519_private(\u0026bytes)).unwrap(), bytes);\n    assert!(deserialize_x25519_private(\u0026[0u8; 32]).is_err());\n    assert_eq!(deserialize_x25519_public(\u0026serialize_x25519_public(\u0026bytes)).unwrap(), bytes);\n    assert!(deserialize_x25519_public(\u0026[0u8; 32]).is_err());\n}\n\n#[test]\nfn ed25519_serialization() {\n    let bytes = [0u8; 32];\n    assert_eq!(deserialize_ed25519_private(\u0026serialize_ed25519_private(\u0026bytes)).unwrap(), bytes);\n    assert!(deserialize_ed25519_private(\u0026[0u8; 32]).is_err());\n    assert_eq!(deserialize_ed25519_public(\u0026serialize_ed25519_public(\u0026bytes)).unwrap(), bytes);\n    assert!(deserialize_ed25519_public(\u0026[0u8; 32]).is_err());\n}\n\n#[test]\nfn cert_verify() {\n    let (ca_cert, ca_key, _ca_pub) = test_ca_cert(round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 10)).unwrap(), vec![], vec![], vec![\"groupa\".to_string()]);\n\n    let (cert, _, _) = test_cert(\u0026ca_cert, \u0026ca_key, SystemTime::now(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![], vec![], vec![]);\n\n    let mut ca_pool = NebulaCAPool::new();\n    ca_pool.add_ca_certificate(\u0026ca_cert.serialize_to_pem().unwrap()).unwrap();\n\n    let fingerprint = cert.sha256sum().unwrap();\n    ca_pool.blocklist_fingerprint(\u0026fingerprint);\n\n    assert!(matches!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Blocklisted));\n\n    ca_pool.reset_blocklist();\n\n    assert!(matches!(cert.verify(SystemTime::now() + Duration::from_secs(60 * 60 * 60), \u0026ca_pool).unwrap(), CertificateValidity::RootCertExpired));\n    assert!(matches!(cert.verify(SystemTime::now() + Duration::from_secs(60 * 60 * 6), \u0026ca_pool).unwrap(), CertificateValidity::CertExpired));\n\n    let (cert_with_bad_group, _, _) = test_cert(\u0026ca_cert, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), in_a_minute(), vec![], vec![], vec![\"group-not-present on parent\".to_string()]);\n    assert_eq!(cert_with_bad_group.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::GroupNotPresentOnSigner);\n\n    let (cert_with_good_group, _, _) = test_cert(\u0026ca_cert, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), in_a_minute(), vec![], vec![], vec![\"groupa\".to_string()]);\n    assert_eq!(cert_with_good_group.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n}\n\n#[test]\nfn cert_verify_ip() {\n    let ca_ip_1 = Ipv4Net::from_str(\"10.0.0.0/16\").unwrap();\n    let ca_ip_2 = Ipv4Net::from_str(\"192.168.0.0/24\").unwrap();\n\n    let (ca, ca_key, _ca_pub) = test_ca_cert(round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 10)).unwrap(), vec![ca_ip_1, ca_ip_2], vec![], vec![]);\n\n    let ca_pem = ca.serialize_to_pem().unwrap();\n\n    let mut ca_pool = NebulaCAPool::new();\n    ca_pool.add_ca_certificate(\u0026ca_pem).unwrap();\n\n    // ip is outside the network\n    let cip1 = netmask!(\"10.1.0.0\", \"255.255.255.0\");\n    let cip2 = netmask!(\"192.198.0.1\", \"255.255.0.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::IPNotPresentOnSigner);\n\n    // ip is outside the network - reversed order from above\n    let cip1 = netmask!(\"192.198.0.1\", \"255.255.255.0\");\n    let cip2 = netmask!(\"10.1.0.0\", \"255.255.255.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::IPNotPresentOnSigner);\n\n    // ip is within the network but mask is outside\n    let cip1 = netmask!(\"10.0.1.0\", \"255.254.0.0\");\n    let cip2 = netmask!(\"192.168.0.1\", \"255.255.255.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::IPNotPresentOnSigner);\n\n    // ip is within the network but mask is outside - reversed order from above\n    let cip1 = netmask!(\"192.168.0.1\", \"255.255.255.0\");\n    let cip2 = netmask!(\"10.0.1.0\", \"255.254.0.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::IPNotPresentOnSigner);\n\n    // ip and mask are within the network\n    let cip1 = netmask!(\"10.0.1.0\", \"255.255.0.0\");\n    let cip2 = netmask!(\"192.168.0.1\", \"255.255.255.128\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![ca_ip_1, ca_ip_2], vec![], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches reversed\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![ca_ip_2, ca_ip_1], vec![], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches reversed with just one\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![ca_ip_2], vec![], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n}\n\n#[test]\nfn cert_verify_subnet() {\n    let ca_ip_1 = Ipv4Net::from_str(\"10.0.0.0/16\").unwrap();\n    let ca_ip_2 = Ipv4Net::from_str(\"192.168.0.0/24\").unwrap();\n\n    let (ca, ca_key, _ca_pub) = test_ca_cert(round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 10)).unwrap(), vec![],vec![ca_ip_1, ca_ip_2], vec![]);\n\n    let ca_pem = ca.serialize_to_pem().unwrap();\n\n    let mut ca_pool = NebulaCAPool::new();\n    ca_pool.add_ca_certificate(\u0026ca_pem).unwrap();\n\n    // ip is outside the network\n    let cip1 = netmask!(\"10.1.0.0\", \"255.255.255.0\");\n    let cip2 = netmask!(\"192.198.0.1\", \"255.255.0.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![],vec![cip1, cip2], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::SubnetNotPresentOnSigner);\n\n    // ip is outside the network - reversed order from above\n    let cip1 = netmask!(\"192.198.0.1\", \"255.255.255.0\");\n    let cip2 = netmask!(\"10.1.0.0\", \"255.255.255.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![],vec![cip1, cip2], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::SubnetNotPresentOnSigner);\n\n    // ip is within the network but mask is outside\n    let cip1 = netmask!(\"10.0.1.0\", \"255.254.0.0\");\n    let cip2 = netmask!(\"192.168.0.1\", \"255.255.255.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![],vec![cip1, cip2], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::SubnetNotPresentOnSigner);\n\n    // ip is within the network but mask is outside - reversed order from above\n    let cip1 = netmask!(\"192.168.0.1\", \"255.255.255.0\");\n    let cip2 = netmask!(\"10.0.1.0\", \"255.254.0.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::SubnetNotPresentOnSigner);\n\n    // ip and mask are within the network\n    let cip1 = netmask!(\"10.0.1.0\", \"255.255.0.0\");\n    let cip2 = netmask!(\"192.168.0.1\", \"255.255.255.128\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![], vec![cip1, cip2], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![],vec![ca_ip_1, ca_ip_2], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches reversed\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![], vec![ca_ip_2, ca_ip_1], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches reversed with just one\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![], vec![ca_ip_2], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n}\n\n#[test]\nfn cert_private_key() {\n    let (ca, ca_key, _) = test_ca_cert(SystemTime::now(), SystemTime::now(), vec![], vec![], vec![]);\n    ca.verify_private_key(\u0026ca_key.to_keypair_bytes()).unwrap();\n\n    let (_, ca_key2, _) = test_ca_cert(SystemTime::now(), SystemTime::now(), vec![], vec![], vec![]);\n    ca.verify_private_key(\u0026ca_key2.to_keypair_bytes()).unwrap_err();\n\n    let (cert, priv_key, _) = test_cert(\u0026ca, \u0026ca_key, SystemTime::now(), SystemTime::now(), vec![], vec![], vec![]);\n    cert.verify_private_key(\u0026priv_key.to_bytes()).unwrap();\n\n    let (cert2, _, _) = test_cert(\u0026ca, \u0026ca_key, SystemTime::now(), SystemTime::now(), vec![], vec![], vec![]);\n    cert2.verify_private_key(\u0026priv_key.to_bytes()).unwrap_err();\n}\n\n#[test]\nfn capool_from_pem() {\n    let no_newlines = b\"# Current provisional, Remove once everything moves over to the real root.\n-----BEGIN NEBULA CERTIFICATE-----\nCkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL\nvcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv\nbzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB\n-----END NEBULA CERTIFICATE-----\n# root-ca01\n-----BEGIN NEBULA CERTIFICATE-----\nCkMKEW5lYnVsYSByb290IGNhIDAxKJL2u9EFMJL86+cGOiDPXMH4oU6HZTk/CqTG\nBVG+oJpAoqokUBbI4U0N8CSfpUABEkB/Pm5A2xyH/nc8mg/wvGUWG3pZ7nHzaDMf\n8/phAUt+FLzqTECzQKisYswKvE3pl9mbEYKbOdIHrxdIp95mo4sF\n-----END NEBULA CERTIFICATE-----\";\n    let with_newlines = b\"# Current provisional, Remove once everything moves over to the real root.\n-----BEGIN NEBULA CERTIFICATE-----\nCkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL\nvcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv\nbzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB\n-----END NEBULA CERTIFICATE-----\n# root-ca01\n-----BEGIN NEBULA CERTIFICATE-----\nCkMKEW5lYnVsYSByb290IGNhIDAxKJL2u9EFMJL86+cGOiDPXMH4oU6HZTk/CqTG\nBVG+oJpAoqokUBbI4U0N8CSfpUABEkB/Pm5A2xyH/nc8mg/wvGUWG3pZ7nHzaDMf\n8/phAUt+FLzqTECzQKisYswKvE3pl9mbEYKbOdIHrxdIp95mo4sF\n-----END NEBULA CERTIFICATE-----\n\n\";\n    let expired = b\"# expired certificate\n-----BEGIN NEBULA CERTIFICATE-----\nCjkKB2V4cGlyZWQouPmWjQYwufmWjQY6ILCRaoCkJlqHgv5jfDN4lzLHBvDzaQm4\nvZxfu144hmgjQAESQG4qlnZi8DncvD/LDZnLgJHOaX1DWCHHEh59epVsC+BNgTie\nWH1M9n4O7cFtGlM6sJJOS+rCVVEJ3ABS7+MPdQs=\n-----END NEBULA CERTIFICATE-----\";\n\n    let pool_a = NebulaCAPool::new_from_pem(no_newlines).unwrap();\n    assert_eq!(pool_a.cas[\"c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522\"].details.name, \"nebula root ca\".to_string());\n    assert_eq!(pool_a.cas[\"5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd\"].details.name, \"nebula root ca 01\".to_string());\n    assert!(!pool_a.expired);\n\n    let pool_b = NebulaCAPool::new_from_pem(with_newlines).unwrap();\n    assert_eq!(pool_b.cas[\"c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522\"].details.name, \"nebula root ca\".to_string());\n    assert_eq!(pool_b.cas[\"5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd\"].details.name, \"nebula root ca 01\".to_string());\n    assert!(!pool_b.expired);\n\n    let pool_c = NebulaCAPool::new_from_pem(expired).unwrap();\n    assert!(pool_c.expired);\n    assert_eq!(pool_c.cas[\"152070be6bb19bc9e3bde4c2f0e7d8f4ff5448b4c9856b8eccb314fade0229b0\"].details.name, \"expired\");\n\n    let mut pool_d = NebulaCAPool::new_from_pem(with_newlines).unwrap();\n    pool_d.add_ca_certificate(expired).unwrap();\n    assert_eq!(pool_d.cas[\"c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522\"].details.name, \"nebula root ca\".to_string());\n    assert_eq!(pool_d.cas[\"5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd\"].details.name, \"nebula root ca 01\".to_string());\n    assert_eq!(pool_d.cas[\"152070be6bb19bc9e3bde4c2f0e7d8f4ff5448b4c9856b8eccb314fade0229b0\"].details.name, \"expired\");\n    assert!(pool_d.expired);\n    assert_eq!(pool_d.get_fingerprints().len(), 3);\n}\n\n#[macro_export]\nmacro_rules! netmask {\n    ($ip:expr,$mask:expr) =\u003e {\n        Ipv4Net::with_netmask(Ipv4Addr::from_str($ip).unwrap(), Ipv4Addr::from_str($mask).unwrap()).unwrap()\n    };\n}\n\nfn round_systime_to_secs(time: SystemTime) -\u003e Result\u003cSystemTime, SystemTimeError\u003e {\n    let secs = time.duration_since(UNIX_EPOCH)?.as_secs();\n    Ok(SystemTime::UNIX_EPOCH.add(Duration::from_secs(secs)))\n}\n\nfn test_ca_cert(before: SystemTime, after: SystemTime, ips: Vec\u003cIpv4Net\u003e, subnets: Vec\u003cIpv4Net\u003e, groups: Vec\u003cString\u003e) -\u003e (NebulaCertificate, SigningKey, VerifyingKey) {\n    let mut csprng = OsRng;\n    let key = SigningKey::generate(\u0026mut csprng);\n    let pub_key = key.verifying_key();\n\n    let mut cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: \"TEST_CA\".to_string(),\n            ips,\n            subnets,\n            groups,\n            not_before: before,\n            not_after: after,\n            public_key: pub_key.to_bytes(),\n            is_ca: true,\n            issuer: \"\".to_string(),\n        },\n        signature: vec![],\n    };\n    cert.sign(\u0026key).unwrap();\n    (cert, key, pub_key)\n}\n\nfn test_cert(ca: \u0026NebulaCertificate, key: \u0026SigningKey, before: SystemTime, after: SystemTime, ips: Vec\u003cIpv4Net\u003e, subnets: Vec\u003cIpv4Net\u003e, groups: Vec\u003cString\u003e) -\u003e (NebulaCertificate, SigningKey, VerifyingKey) {\n    let issuer = ca.sha256sum().unwrap();\n\n    let real_groups = if groups.is_empty() {\n        vec![\"test-group1\".to_string(), \"test-group2\".to_string(), \"test-group3\".to_string()]\n    } else {\n        groups\n    };\n\n    let real_ips = if ips.is_empty() {\n        vec![\n            netmask!(\"10.1.1.1\", \"255.255.255.0\"),\n            netmask!(\"10.1.1.2\", \"255.255.0.0\"),\n            netmask!(\"10.1.1.3\", \"255.0.0.0\")\n        ]\n    } else {\n        ips\n    };\n\n    let real_subnets = if subnets.is_empty() {\n        vec![\n            netmask!(\"9.1.1.1\", \"255.255.255.128\"),\n            netmask!(\"9.1.1.2\", \"255.255.255.0\"),\n            netmask!(\"9.1.1.3\", \"255.255.0.0\")\n        ]\n    } else {\n        subnets\n    };\n\n    let mut csprng = OsRng;\n    let cert_key = SigningKey::generate(\u0026mut csprng);\n    let pub_key = cert_key.verifying_key();\n\n    let mut cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: \"TEST_CA\".to_string(),\n            ips: real_ips,\n            subnets: real_subnets,\n            groups: real_groups,\n            not_before: before,\n            not_after: after,\n            public_key: pub_key.to_bytes(),\n            is_ca: false,\n            issuer,\n        },\n        signature: vec![],\n    };\n    cert.sign(key).unwrap();\n    (cert, cert_key, pub_key)\n}\n\n#[allow(dead_code)]\nfn in_a_minute() -\u003e SystemTime {\n    round_systime_to_secs(SystemTime::now().add(Duration::from_secs(60))).unwrap()\n}\n#[allow(dead_code)]\nfn a_minute_ago() -\u003e SystemTime {\n    round_systime_to_secs(SystemTime::now().sub(Duration::from_secs(60))).unwrap()\n}","traces":[],"covered":0,"coverable":0}]};
+        var data = {"files":[{"path":["/","home","core","prj","e3t","trifid","tfclient","src","main.rs"],"content":"fn main() {\n    println!(\"Hello, world!\");\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","build.rs"],"content":"// generated by `sqlx migrate build-script`\nfn main() {\n    // trigger recompilation when a new migration is added\n    println!(\"cargo:rerun-if-changed=migrations\");\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","auth.rs"],"content":"use rocket::http::Status;\nuse rocket::{Request};\nuse rocket::request::{FromRequest, Outcome};\nuse crate::tokens::{validate_auth_token, validate_session_token};\n\npub struct PartialUserInfo {\n    pub user_id: i32,\n    pub created_at: i64,\n    pub email: String,\n    pub has_totp_auth: bool,\n\n    pub session_id: String,\n    pub auth_id: Option\u003cString\u003e\n}\n\n#[derive(Debug)]\npub enum AuthenticationError {\n    MissingToken,\n    InvalidToken(usize),\n    DatabaseError,\n    RequiresTOTP\n}\n\n#[rocket::async_trait]\nimpl\u003c'r\u003e FromRequest\u003c'r\u003e for PartialUserInfo {\n    type Error = AuthenticationError;\n\n    async fn from_request(req: \u0026'r Request\u003c'_\u003e) -\u003e Outcome\u003cSelf, Self::Error\u003e {\n        let headers = req.headers();\n\n        // make sure the bearer token exists\n        if let Some(authorization) = headers.get_one(\"Authorization\") {\n            // parse bearer token\n            let components = authorization.split(' ').collect::\u003cVec\u003c\u0026str\u003e\u003e();\n\n            if components.len() != 2 \u0026\u0026 components.len() != 3 {\n                return Outcome::Failure((Status::Unauthorized, AuthenticationError::MissingToken));\n            }\n\n            if components[0] != \"Bearer\" {\n                return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(0)));\n            }\n\n            if components.len() == 2 \u0026\u0026 !components[1].starts_with(\"st-\") {\n                return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(1)));\n            }\n\n            let st: String;\n            let user_id: i64;\n            let at: Option\u003cString\u003e;\n\n            match \u0026components[1][..3] {\n                \"st-\" =\u003e {\n                    // validate session token\n                    st = components[1].to_string();\n                    match validate_session_token(st.clone(), req.rocket().state().unwrap()).await {\n                        Ok(uid) =\u003e user_id = uid,\n                        Err(_) =\u003e return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(2)))\n                    }\n                },\n                _ =\u003e return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(3)))\n            }\n\n            if components.len() == 3 {\n                match \u0026components[2][..3] {\n                    \"at-\" =\u003e {\n                        // validate auth token\n                        at = Some(components[2].to_string());\n                        match validate_auth_token(at.clone().unwrap().clone(), st.clone(), req.rocket().state().unwrap()).await {\n                            Ok(_) =\u003e (),\n                            Err(_) =\u003e return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(4)))\n                        }\n                    },\n                    _ =\u003e return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(5)))\n                }\n            } else {\n                at = None;\n            }\n\n            // this user is 100% valid and authenticated, fetch their info\n\n            let user = match sqlx::query!(\"SELECT * FROM users WHERE id = $1\", user_id.clone() as i32).fetch_one(req.rocket().state().unwrap()).await {\n                Ok(u) =\u003e u,\n                Err(_) =\u003e return Outcome::Failure((Status::InternalServerError, AuthenticationError::DatabaseError))\n            };\n\n            Outcome::Success(PartialUserInfo {\n                user_id: user_id as i32,\n                created_at: user.created_on as i64,\n                email: user.email,\n                has_totp_auth: at.is_some(),\n                session_id: st,\n                auth_id: at,\n            })\n        } else {\n            Outcome::Failure((Status::Unauthorized, AuthenticationError::MissingToken))\n        }\n    }\n}\n\npub struct TOTPAuthenticatedUserInfo {\n    pub user_id: i32,\n    pub created_at: i64,\n    pub email: String,\n}\n#[rocket::async_trait]\nimpl\u003c'r\u003e FromRequest\u003c'r\u003e for TOTPAuthenticatedUserInfo {\n    type Error = AuthenticationError;\n\n    async fn from_request(request: \u0026'r Request\u003c'_\u003e) -\u003e Outcome\u003cSelf, Self::Error\u003e {\n        let userinfo = PartialUserInfo::from_request(request).await;\n        match userinfo {\n            Outcome::Failure(e) =\u003e Outcome::Failure(e),\n            Outcome::Forward(f) =\u003e Outcome::Forward(f),\n            Outcome::Success(s) =\u003e {\n                if s.has_totp_auth {\n                    Outcome::Success(Self {\n                        user_id: s.user_id,\n                        created_at: s.created_at,\n                        email: s.email,\n                    })\n                } else {\n                    Outcome::Failure((Status::Unauthorized, AuthenticationError::RequiresTOTP))\n                }\n            }\n        }\n    }\n}","traces":[{"line":28,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":29,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":32,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":34,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":36,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":37,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":40,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":41,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":44,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":45,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":48,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":49,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":50,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":52,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":53,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":55,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":56,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":57,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":58,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":61,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":64,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":65,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":66,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":68,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":69,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":70,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":71,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":74,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":77,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":82,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":83,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":84,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":87,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":88,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":89,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":90,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":91,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":92,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":93,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":96,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":110,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":111,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":112,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":113,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":114,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":115,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":116,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":117,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":118,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":119,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":120,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":123,"address":[],"length":0,"stats":{"Line":0},"fn_name":null}],"covered":0,"coverable":52},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","config.rs"],"content":"use serde::Deserialize;\nuse url::Url;\n\n#[derive(Deserialize)]\npub struct TFConfig {\n    pub listen_port: u16,\n    pub db_url: String,\n    pub base: Url,\n    pub web_root: Url,\n    pub magic_links_valid_for: i64,\n    pub session_tokens_valid_for: i64,\n    pub totp_verification_valid_for: i64,\n    pub data_key: String\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","crypto.rs"],"content":"use std::error::Error;\nuse aes_gcm::{Aes256Gcm, KeyInit, Nonce};\nuse aes_gcm::aead::{Aead, Payload};\nuse crate::config::TFConfig;\n\npub fn get_cipher_from_config(config: \u0026TFConfig) -\u003e Result\u003cAes256Gcm, Box\u003cdyn Error\u003e\u003e {\n    let key_slice = hex::decode(\u0026config.data_key)?;\n    Ok(Aes256Gcm::new_from_slice(\u0026key_slice)?)\n}\n\npub fn encrypt_with_nonce(plaintext: \u0026[u8], nonce: [u8; 12], cipher: \u0026Aes256Gcm) -\u003e Result\u003cVec\u003cu8\u003e, aes_gcm::Error\u003e {\n    let nonce = Nonce::from_slice(\u0026nonce);\n    let ciphertext = cipher.encrypt(nonce, plaintext)?;\n    Ok(ciphertext)\n}\n\npub fn decrypt_with_nonce(ciphertext: \u0026[u8], nonce: [u8; 12], cipher: \u0026Aes256Gcm) -\u003e Result\u003cVec\u003cu8\u003e, aes_gcm::Error\u003e {\n    let nonce = Nonce::from_slice(\u0026nonce);\n    let plaintext = cipher.decrypt(nonce, Payload::from(ciphertext))?;\n    Ok(plaintext)\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","db.rs"],"content":"","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","format.rs"],"content":"use std::fmt::{Display, Formatter};\nuse crate::format::PEMValidationError::{IncorrectSegmentLength, InvalidBase64Data, MissingStartSentinel};\nuse crate::util::base64decode;\n\npub const ED_PUBKEY_START_STR: \u0026str = \"-----BEGIN NEBULA ED25519 PUBLIC KEY-----\";\npub const ED_PUBKEY_END_STR: \u0026str = \"-----END NEBULA ED25519 PUBLIC KEY-----\";\n\npub const DH_PUBKEY_START_STR: \u0026str = \"-----BEGIN NEBULA X25519 PUBLIC KEY-----\";\npub const DH_PUBKEY_END_STR: \u0026str = \"-----END NEBULA X25519 PUBLIC KEY-----\";\n\npub enum PEMValidationError {\n    MissingStartSentinel,\n    InvalidBase64Data,\n    MissingEndSentinel,\n    IncorrectSegmentLength(usize, usize)\n}\nimpl Display for PEMValidationError {\n    fn fmt(\u0026self, f: \u0026mut Formatter\u003c'_\u003e) -\u003e std::fmt::Result {\n        match self {\n            Self::MissingEndSentinel =\u003e write!(f, \"Missing ending sentinel\"),\n            Self::MissingStartSentinel =\u003e write!(f, \"Missing starting sentinel\"),\n            Self::InvalidBase64Data =\u003e write!(f, \"invalid base64 data\"),\n            Self::IncorrectSegmentLength(expected, got) =\u003e write!(f, \"incorrect number of segments, expected {} got {}\", expected, got)\n        }\n    }\n}\n\npub fn validate_ed_pubkey_pem(pubkey: \u0026str) -\u003e Result\u003c(), PEMValidationError\u003e {\n    let segments = pubkey.split('\\n');\n    let segs = segments.collect::\u003cVec\u003c\u0026str\u003e\u003e();\n    if segs.len() \u003c 3 {\n        return Err(IncorrectSegmentLength(3, segs.len()))\n    }\n    if segs[0] != ED_PUBKEY_START_STR {\n        return Err(MissingStartSentinel)\n    }\n    if base64decode(segs[1]).is_err() {\n        return Err(InvalidBase64Data)\n    }\n    if segs[2] != ED_PUBKEY_END_STR {\n        return Err(MissingStartSentinel)\n    }\n    Ok(())\n}\n\npub fn validate_dh_pubkey_pem(pubkey: \u0026str) -\u003e Result\u003c(), PEMValidationError\u003e {\n    let segments = pubkey.split('\\n');\n    let segs = segments.collect::\u003cVec\u003c\u0026str\u003e\u003e();\n    if segs.len() \u003c 3 {\n        return Err(IncorrectSegmentLength(3, segs.len()))\n    }\n    if segs[0] != DH_PUBKEY_START_STR {\n        return Err(MissingStartSentinel)\n    }\n    if base64decode(segs[1]).is_err() {\n        return Err(InvalidBase64Data)\n    }\n    if segs[2] != DH_PUBKEY_END_STR {\n        return Err(MissingStartSentinel)\n    }\n    Ok(())\n}\n\npub fn validate_ed_pubkey_base64(pubkey: \u0026str) -\u003e Result\u003c(), PEMValidationError\u003e {\n    match base64decode(pubkey) {\n        Ok(k) =\u003e validate_ed_pubkey_pem(match std::str::from_utf8(k.as_ref()) {\n            Ok(k) =\u003e k,\n            Err(_) =\u003e return Err(InvalidBase64Data)\n        }),\n        Err(_) =\u003e Err(InvalidBase64Data)\n    }\n}\n\npub fn validate_dh_pubkey_base64(pubkey: \u0026str) -\u003e Result\u003c(), PEMValidationError\u003e {\n    match base64decode(pubkey) {\n        Ok(k) =\u003e validate_dh_pubkey_pem(match std::str::from_utf8(k.as_ref()) {\n            Ok(k) =\u003e k,\n            Err(_) =\u003e return Err(InvalidBase64Data)\n        }),\n        Err(_) =\u003e Err(InvalidBase64Data)\n    }\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","main.rs"],"content":"extern crate core;\n\nuse std::error::Error;\nuse std::fs;\nuse std::path::Path;\nuse dotenvy::dotenv;\nuse log::{error, info};\nuse rocket::{catchers, Request, Response, routes};\nuse rocket::fairing::{Fairing, Info, Kind};\nuse rocket::http::Header;\nuse sqlx::migrate::Migrator;\nuse sqlx::postgres::PgPoolOptions;\nuse crate::config::TFConfig;\n\npub mod format;\npub mod util;\npub mod db;\npub mod config;\npub mod tokens;\npub mod routes;\npub mod auth;\npub mod crypto;\npub mod org;\n\nstatic MIGRATOR: Migrator = sqlx::migrate!();\n\npub struct CORS;\n\n#[rocket::async_trait]\nimpl Fairing for CORS {\n    fn info(\u0026self) -\u003e Info {\n        Info {\n            name: \"Add CORS headers to responses\",\n            kind: Kind::Response\n        }\n    }\n\n    async fn on_response\u003c'r\u003e(\u0026self, _request: \u0026'r Request\u003c'_\u003e, response: \u0026mut Response\u003c'r\u003e) {\n        response.set_header(Header::new(\"Access-Control-Allow-Origin\", \"*\"));\n        response.set_header(Header::new(\"Access-Control-Allow-Methods\", \"POST, GET, PATCH, OPTIONS\"));\n        response.set_header(Header::new(\"Access-Control-Allow-Headers\", \"*\"));\n        response.set_header(Header::new(\"Access-Control-Allow-Credentials\", \"true\"));\n    }\n}\n\n#[rocket::main]\nasync fn main() -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n    let _ = rocket::build();\n\n    info!(\"[tfapi] loading config\");\n\n    let _ = dotenv();\n\n    if std::env::var(\"CONFIG_FILE\").is_err() \u0026\u0026 !Path::new(\"config.toml\").exists() {\n        error!(\"[tfapi] fatal: the environment variable CONFIG_FILE is not set\");\n        error!(\"[tfapi]  help: try creating a .env file that sets it\");\n        error!(\"[tfapi]  help: or, create a file config.toml with your config, as it is loaded automatically\");\n        std::process::exit(1);\n    }\n\n    let config_file = if Path::new(\"config.toml\").exists() {\n        \"config.toml\".to_string()\n    } else {\n        std::env::var(\"CONFIG_FILE\").unwrap()\n    };\n\n    let config_data = match fs::read_to_string(\u0026config_file) {\n        Ok(d) =\u003e d,\n        Err(e) =\u003e {\n            error!(\"[tfapi] fatal: unable to read config from {}\", config_file);\n            error!(\"[tfapi] fatal: {}\", e);\n            std::process::exit(1);\n        }\n    };\n\n    let config: TFConfig = match toml::from_str(\u0026config_data) {\n        Ok(c) =\u003e c,\n        Err(e) =\u003e {\n            error!(\"[tfapi] fatal: unable to parse config from {}\", config_file);\n            error!(\"[tfapi] fatal: {}\", e);\n            std::process::exit(1);\n        }\n    };\n\n    info!(\"[tfapi] connecting to database pool\");\n\n    let pool = match PgPoolOptions::new().max_connections(5).connect(\u0026config.db_url).await {\n        Ok(p) =\u003e p,\n        Err(e) =\u003e {\n            error!(\"[tfapi] fatal: unable to connect to database pool\");\n            error!(\"[tfapi] fatal: {}\", e);\n            std::process::exit(1);\n        }\n    };\n\n    info!(\"[tfapi] running database migrations\");\n\n    MIGRATOR.run(\u0026pool).await?;\n\n    info!(\"[tfapi] building rocket config\");\n\n    let figment = rocket::Config::figment().merge((\"port\", config.listen_port));\n\n    let _ = rocket::custom(figment)\n        .mount(\"/\", routes![\n            crate::routes::v1::auth::magic_link::magiclink_request,\n            crate::routes::v1::auth::magic_link::options,\n            crate::routes::v1::signup::signup_request,\n            crate::routes::v1::signup::options,\n            crate::routes::v1::auth::verify_magic_link::verify_magic_link,\n            crate::routes::v1::auth::verify_magic_link::options,\n            crate::routes::v1::totp_authenticators::totp_authenticators_request,\n            crate::routes::v1::totp_authenticators::options,\n            crate::routes::v1::verify_totp_authenticator::verify_totp_authenticator_request,\n            crate::routes::v1::verify_totp_authenticator::options,\n            crate::routes::v1::auth::totp::totp_request,\n            crate::routes::v1::auth::totp::options,\n            crate::routes::v1::auth::check_session::check_session,\n            crate::routes::v1::auth::check_session::check_session_auth,\n            crate::routes::v1::auth::check_session::options,\n            crate::routes::v1::auth::check_session::options_auth,\n            crate::routes::v2::whoami::whoami_request,\n            crate::routes::v2::whoami::options,\n\n            crate::routes::v1::organization::options,\n            crate::routes::v1::organization::orgidoptions,\n            crate::routes::v1::organization::orginfo_req,\n            crate::routes::v1::organization::orglist_req,\n            crate::routes::v1::organization::create_org\n        ])\n        .register(\"/\", catchers![\n            crate::routes::handler_400,\n            crate::routes::handler_401,\n            crate::routes::handler_403,\n            crate::routes::handler_404,\n            crate::routes::handler_422,\n\n            crate::routes::handler_500,\n            crate::routes::handler_501,\n            crate::routes::handler_502,\n            crate::routes::handler_503,\n            crate::routes::handler_504,\n            crate::routes::handler_505,\n        ])\n        .attach(CORS)\n        .manage(pool)\n        .manage(config)\n        .launch().await?;\n\n    Ok(())\n}","traces":[{"line":38,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":39,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":40,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":41,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":42,"address":[],"length":0,"stats":{"Line":0},"fn_name":null}],"covered":0,"coverable":5},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","org.rs"],"content":"use std::error::Error;\nuse rocket::form::validate::Contains;\nuse sqlx::PgPool;\n\npub async fn get_org_by_owner_id(user: i32, db: \u0026PgPool) -\u003e Result\u003cOption\u003ci32\u003e, Box\u003cdyn Error\u003e\u003e {\n    Ok(match sqlx::query!(\"SELECT id FROM organizations WHERE owner = $1\", user).fetch_optional(db).await? {\n        Some(r) =\u003e Some(r.id),\n        None =\u003e None\n    })\n}\n\npub async fn get_orgs_by_assoc_id(user: i32, db: \u0026PgPool) -\u003e Result\u003cVec\u003ci32\u003e, Box\u003cdyn Error\u003e\u003e {\n    let res: Vec\u003c_\u003e = sqlx::query!(\"SELECT org_id FROM organization_authorized_users WHERE user_id = $1\", user).fetch_all(db).await?;\n\n    let mut ret = vec![];\n\n    for i in res {\n        ret.push(i.org_id);\n    }\n\n    Ok(ret)\n}\n\npub async fn get_users_by_assoc_org(org: i32, db: \u0026PgPool) -\u003e Result\u003cVec\u003ci32\u003e, Box\u003cdyn Error\u003e\u003e {\n    let res: Vec\u003c_\u003e = sqlx::query!(\"SELECT user_id FROM organization_authorized_users WHERE org_id = $1\", org).fetch_all(db).await?;\n\n    let mut ret = vec![];\n\n    for i in res {\n        ret.push(i.org_id);\n    }\n\n    Ok(ret)\n}\n\npub async fn get_associated_orgs(user: i32, db: \u0026PgPool) -\u003e Result\u003cVec\u003ci32\u003e, Box\u003cdyn Error\u003e\u003e {\n    let mut assoc_orgs = vec![];\n\n    if let Some(owned_org) = get_org_by_owner_id(user, db).await? {\n        assoc_orgs.push(owned_org);\n    }\n\n    assoc_orgs.append(\u0026mut get_orgs_by_assoc_id(user, db).await?);\n\n    Ok(assoc_orgs)\n}\n\npub async fn user_has_org_assoc(user: i32, org: i32, db: \u0026PgPool) -\u003e Result\u003cbool, Box\u003cdyn Error\u003e\u003e {\n    Ok(get_associated_orgs(user, db).await?.contains(org))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","mod.rs"],"content":"pub mod v1;\npub mod v2;\n\nuse rocket::catch;\nuse serde::{Serialize};\nuse rocket::http::Status;\n\npub const ERR_MSG_MALFORMED_REQUEST: \u0026str = \"unable to parse the request body - is it valid JSON, using correct types?\";\npub const ERR_MSG_MALFORMED_REQUEST_CODE: \u0026str = \"ERR_MALFORMED_REQUEST\";\n\n/*\nTODO:\n    /v1/auth/magic-link                         [done]\n    /v1/auth/totp                               [done]\n    /v1/auth/verify-magic-link                  [done]\n    /v1/hosts/host-{id}/enrollment-code\n    /v1/hosts/host-{id}/enrollment-code-check\n    /v1/hosts/host-{id}\n    /v1/roles/role-{id}\n    /v1/feature-flags\n    /v1/hosts\n    /v1/networks\n    /v1/roles\n    /v1/signup                                  [done]\n    /v1/totp-authenticators                     [done]\n    /v1/verify-totp-authenticator               [done]\n    /v1/dnclient\n    /v2/enroll\n    /v2/whoami                                  [in-progress]\n */\n\n#[derive(Serialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct APIError {\n    errors: Vec\u003cAPIErrorSingular\u003e\n}\n#[derive(Serialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct APIErrorSingular {\n    code: String,\n    message: String\n}\n\nmacro_rules! error_handler {\n    ($code: expr, $err: expr, $msg: expr) =\u003e {\n        ::paste::paste! {\n            #[catch($code)]\n            pub fn [\u003chandler_ $code\u003e]() -\u003e (Status, String) {\n                (Status::from_code($code).unwrap(), format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", $err, $msg))\n            }\n        }\n    };\n}\nerror_handler!(400, \"ERR_MALFORMED_REQUEST\", \"unable to parse the request body, is it properly formatted?\");\nerror_handler!(401, \"ERR_AUTHENTICATION_REQUIRED\", \"this endpoint requires authentication but it was not provided\");\nerror_handler!(403, \"ERR_UNAUTHORIZED\", \"authorization was provided but it is expired or invalid\");\nerror_handler!(404, \"ERR_NOT_FOUND\", \"resource not found\");\nerror_handler!(405, \"ERR_METHOD_NOT_ALLOWED\", \"method not allowed for this endpoint\");\nerror_handler!(422, \"ERR_MALFORMED_REQUEST\", \"unable to parse the request body, is it properly formatted?\");\n\nerror_handler!(500, \"ERR_QL_QUERY_FAILED\", \"graphql query timed out\");\nerror_handler!(501, \"ERR_NOT_IMPLEMENTED\", \"query not supported by this version of graphql\");\nerror_handler!(502, \"ERR_PROXY_ERR\", \"servers under load, please try again later\");\nerror_handler!(503, \"ERR_SERVER_OVERLOADED\", \"servers under load, please try again later\");\nerror_handler!(504, \"ERR_PROXY_TIMEOUT\", \"servers under load, please try again later\");\nerror_handler!(505, \"ERR_CLIENT_UNSUPPORTED\", \"your version of dnclient is out of date, please update\");\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","auth","check_session.rs"],"content":"use rocket::{post, options};\nuse crate::auth::{PartialUserInfo, TOTPAuthenticatedUserInfo};\n\n#[options(\"/v1/auth/check_session\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n#[post(\"/v1/auth/check_session\")]\npub async fn check_session(_user: PartialUserInfo) -\u003e \u0026'static str {\n    \"ok\"\n}\n\n#[options(\"/v1/auth/check_auth\")]\npub async fn options_auth() -\u003e \u0026'static str {\n    \"\"\n}\n\n\n#[post(\"/v1/auth/check_auth\")]\npub async fn check_session_auth(_user: TOTPAuthenticatedUserInfo) -\u003e \u0026'static str {\n    \"ok\"\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","auth","magic_link.rs"],"content":"use rocket::{post, State};\nuse rocket::serde::json::Json;\nuse serde::{Serialize, Deserialize};\nuse rocket::http::{ContentType, Status};\nuse sqlx::PgPool;\nuse crate::config::TFConfig;\nuse crate::tokens::send_magic_link;\nuse rocket::options;\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct MagicLinkRequest {\n    pub email: String,\n}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct MagicLinkResponseMetadata {}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct MagicLinkResponse {\n    pub data: Option\u003cString\u003e,\n    pub metadata: MagicLinkResponseMetadata,\n}\n\n\n#[options(\"/v1/auth/magic-link\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n#[post(\"/v1/auth/magic-link\", data = \"\u003creq\u003e\")]\npub async fn magiclink_request(req: Json\u003cMagicLinkRequest\u003e, pool: \u0026State\u003cPgPool\u003e, config: \u0026State\u003cTFConfig\u003e) -\u003e Result\u003c(ContentType, Json\u003cMagicLinkResponse\u003e), (Status, String)\u003e {\n    // figure out if the user already exists\n    let mut id = -1;\n    match sqlx::query!(\"SELECT id FROM users WHERE email = $1\", req.email.clone()).fetch_optional(pool.inner()).await {\n        Ok(res) =\u003e if let Some(r) = res { id = r.id as i64 },\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))\n        }\n    }\n\n    if id == -1 {\n        return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_UNAUTHORIZED\", \"authorization was provided but it is expired or invalid\")))\n    }\n\n    // send magic link to email\n    match send_magic_link(id, req.email.clone(), pool.inner(), config.inner()).await {\n        Ok(_) =\u003e (),\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))\n        }\n    };\n\n    // this endpoint doesn't actually ever return an error? it will send you the magic link no matter what\n    // this appears to do the exact same thing as /v1/auth/magic-link, but it doesn't check if you have an account (magic-link does)\n    Ok((ContentType::JSON, Json(MagicLinkResponse {\n        data: None,\n        metadata: MagicLinkResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","auth","mod.rs"],"content":"pub mod verify_magic_link;\npub mod magic_link;\npub mod totp;\npub mod check_session;","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","auth","totp.rs"],"content":"use rocket::http::{ContentType, Status};\nuse rocket::serde::json::Json;\nuse crate::auth::PartialUserInfo;\nuse serde::{Serialize, Deserialize};\nuse rocket::{post, State};\nuse sqlx::PgPool;\nuse rocket::options;\nuse crate::tokens::{generate_auth_token, get_totpmachine, user_has_totp};\n\npub const TOTP_GENERIC_UNAUTHORIZED_ERROR: \u0026str = \"{\\\"errors\\\":[{\\\"code\\\":\\\"ERR_INVALID_TOTP_CODE\\\",\\\"message\\\":\\\"invalid TOTP code (maybe it expired?)\\\",\\\"path\\\":\\\"code\\\"}]}\";\npub const TOTP_NO_TOTP_ERROR: \u0026str = \"{\\\"errors\\\":[{\\\"code\\\":\\\"ERR_NO_TOTP\\\",\\\"message\\\":\\\"logged-in user does not have totp enabled\\\",\\\"path\\\":\\\"code\\\"}]}\";\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpRequest {\n    pub code: String\n}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpResponseData {\n    #[serde(rename = \"authToken\")]\n    auth_token: String\n}\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpResponseMetadata {\n}\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpResponse {\n    data: TotpResponseData,\n    metadata: TotpResponseMetadata\n}\n\n#[options(\"/v1/auth/totp\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n\n#[post(\"/v1/auth/totp\", data = \"\u003creq\u003e\")]\npub async fn totp_request(req: Json\u003cTotpRequest\u003e, user: PartialUserInfo, db: \u0026State\u003cPgPool\u003e) -\u003e Result\u003c(ContentType, Json\u003cTotpResponse\u003e), (Status, String)\u003e {\n    if !match user_has_totp(user.user_id, db.inner()).await {\n        Ok(b) =\u003e b,\n        Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n    } {\n        return Err((Status::UnprocessableEntity, TOTP_NO_TOTP_ERROR.to_string()))\n    }\n\n    if user.has_totp_auth {\n        return Err((Status::BadRequest, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_TOTP_ALREADY_AUTHED\", \"user already has valid totp authentication\")))\n    }\n\n    let totpmachine = match get_totpmachine(user.user_id, db.inner()).await {\n        Ok(t) =\u003e t,\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n        }\n    };\n\n    if !totpmachine.check_current(\u0026req.0.code).unwrap_or(false) {\n        return Err((Status::Unauthorized, TOTP_GENERIC_UNAUTHORIZED_ERROR.to_string()))\n    }\n\n    Ok((ContentType::JSON, Json(TotpResponse {\n        data: TotpResponseData { auth_token: match generate_auth_token(user.user_id as i64, user.session_id, db.inner()).await {\n            Ok(t) =\u003e t,\n            Err(e) =\u003e { return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e))) }\n        } },\n        metadata: TotpResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","auth","verify_magic_link.rs"],"content":"use std::time::{SystemTime, UNIX_EPOCH};\nuse rocket::http::{ContentType, Status};\nuse rocket::serde::json::Json;\nuse serde::{Serialize, Deserialize};\nuse rocket::{post, State};\nuse sqlx::PgPool;\nuse crate::config::TFConfig;\nuse crate::tokens::generate_session_token;\nuse rocket::options;\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct VerifyMagicLinkRequest {\n    #[serde(rename = \"magicLinkToken\")]\n    pub magic_link_token: String,\n}\n\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyMagicLinkResponseMetadata {}\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyMagicLinkResponseData {\n    #[serde(rename = \"sessionToken\")]\n    pub session_token: String,\n}\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyMagicLinkResponse {\n    pub data: VerifyMagicLinkResponseData,\n    pub metadata: VerifyMagicLinkResponseMetadata,\n}\n\n#[options(\"/v1/auth/verify-magic-link\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n\n#[post(\"/v1/auth/verify-magic-link\", data = \"\u003creq\u003e\")]\npub async fn verify_magic_link(req: Json\u003cVerifyMagicLinkRequest\u003e, db: \u0026State\u003cPgPool\u003e, config: \u0026State\u003cTFConfig\u003e) -\u003e Result\u003c(ContentType, Json\u003cVerifyMagicLinkResponse\u003e), (Status, String)\u003e {\n    // get the current time to check if the token is expired\n    let (user_id, expired_at) = match sqlx::query!(\"SELECT user_id, expires_on FROM magic_links WHERE id = $1\", req.0.magic_link_token).fetch_one(db.inner()).await {\n        Ok(row) =\u003e (row.user_id, row.expires_on),\n        Err(e) =\u003e {\n            return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNAUTHORIZED\", \"this token is invalid\", e)))\n        }\n    };\n    let current_time = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i32;\n    println!(\"expired on {}, currently {}\", expired_at, current_time);\n    if expired_at \u003c current_time {\n        return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_UNAUTHORIZED\", \"valid authorization was provided but it is expired\")))\n    }\n\n    // generate session token\n    let token = match generate_session_token(user_id as i64, db.inner(), config.inner()).await {\n        Ok(t) =\u003e t,\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n        }\n    };\n\n    // delete the token\n    match sqlx::query!(\"DELETE FROM magic_links WHERE id = $1\", req.0.magic_link_token).execute(db.inner()).await {\n        Ok(_) =\u003e (),\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n        }\n    }\n\n    Ok((ContentType::JSON, Json(VerifyMagicLinkResponse {\n        data: VerifyMagicLinkResponseData { session_token: token },\n        metadata: VerifyMagicLinkResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","mod.rs"],"content":"pub mod auth;\npub mod signup;\n\npub mod totp_authenticators;\npub mod verify_totp_authenticator;\npub mod organization;","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","organization.rs"],"content":"use std::slice::from_raw_parts_mut;\nuse rocket::{get, post, options, State};\nuse rocket::http::{ContentType, Status};\nuse rocket::serde::json::Json;\nuse serde::{Serialize, Deserialize};\nuse sqlx::PgPool;\nuse crate::auth::TOTPAuthenticatedUserInfo;\nuse crate::config::TFConfig;\nuse crate::org::{get_associated_orgs, get_org_by_owner_id, get_users_by_assoc_org, user_has_org_assoc};\n\n#[options(\"/v1/orgs\")]\npub fn options() -\u003e \u0026'static str {\n    \"\"\n}\n#[options(\"/v1/org/\u003c_id\u003e\")]\npub fn orgidoptions(_id: i32) -\u003e \u0026'static str {\n    \"\"\n}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct OrglistStruct {\n    pub org_ids: Vec\u003ci32\u003e\n}\n\n\n#[get(\"/v1/orgs\")]\npub async fn orglist_req(user: TOTPAuthenticatedUserInfo, db: \u0026State\u003cPgPool\u003e) -\u003e Result\u003c(ContentType, Json\u003cOrglistStruct\u003e), (Status, String)\u003e {\n    // this endpoint lists the associated organizations this user has access to\n    let associated_orgs = match get_associated_orgs(user.user_id, db.inner()).await {\n        Ok(r) =\u003e r,\n        Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_DB_QUERY_FAILED\", \"an error occurred while running the database query\")))\n    };\n\n    Ok((ContentType::JSON, Json(OrglistStruct {\n        org_ids: associated_orgs\n    })))\n}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct OrginfoStruct {\n    pub org_id: i32,\n    pub owner_id: i32,\n    pub ca_crt: String,\n    pub authorized_users: Vec\u003ci32\u003e\n}\n\n#[get(\"/v1/org/\u003corgid\u003e\")]\npub async fn orginfo_req(orgid: i32, user: TOTPAuthenticatedUserInfo, db: \u0026State\u003cPgPool\u003e) -\u003e Result\u003c(ContentType, Json\u003cOrginfoStruct\u003e), (Status, String)\u003e {\n    if !user_has_org_assoc(orgid, user.user_id, db.inner()).await.map_err(|e| (Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))? {\n        return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_MISSING_ORG_AUTHORIZATION\", \"this user does not have permission to access this org\")));\n    }\n\n    let org = sqlx::query!(\"SELECT id, owner, ca_crt FROM organizations WHERE id = $1\", orgid).fetch_one(orgid).await.map_err(|e| (Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))?;\n    let authorized_users = get_users_by_assoc_org(orgid, db.inner()).await.map_err(|e| (Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))?;\n\n    Ok((ContentType::JSON, Json(\n        OrginfoStruct {\n            org_id: orgid,\n            owner_id: org.owner,\n            ca_crt: org.ca_crt,\n            authorized_users,\n        }\n    )))\n}\n\n#[post(\"/v1/org\")]\npub async fn create_org(user: TOTPAuthenticatedUserInfo, db: \u0026State\u003cPgPool\u003e, config: \u0026State\u003cTFConfig\u003e) -\u003e Result\u003c(ContentType, Json\u003cOrginfoStruct\u003e), (Status, String)\u003e {\n    if get_org_by_owner_id(user.user_id, db.inner()).await.map_err(|e| (Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))?.is_some() {\n        return Err((Status::Conflict, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_USER_OWNS_ORG\", \"a user can only own one organization at a time\")))\n    }\n\n    // we need to generate a keypair and CA certificate for this new org\n\n    Ok((ContentType::JSON, Json(\n        OrginfoStruct {\n            org_id: orgid,\n            owner_id: org.owner,\n            ca_crt: org.ca_crt,\n            authorized_users,\n        }\n    )))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","signup.rs"],"content":"use rocket::{post, State};\nuse rocket::serde::json::Json;\nuse serde::{Serialize, Deserialize};\nuse std::time::{SystemTime, UNIX_EPOCH};\nuse rocket::http::{ContentType, Status};\nuse sqlx::PgPool;\nuse crate::config::TFConfig;\nuse crate::tokens::send_magic_link;\nuse rocket::options;\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct SignupRequest {\n    pub email: String,\n}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct SignupResponseMetadata {}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct SignupResponse {\n    pub data: Option\u003cString\u003e,\n    pub metadata: SignupResponseMetadata,\n}\n/*\ncreated_on TIMESTAMP NOT NULL,\n\n    banned INTEGER NOT NULL,\n    ban_reason VARCHAR(1024) NOT NULL\n */\n#[options(\"/v1/signup\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n#[post(\"/v1/signup\", data = \"\u003creq\u003e\")]\npub async fn signup_request(req: Json\u003cSignupRequest\u003e, pool: \u0026State\u003cPgPool\u003e, config: \u0026State\u003cTFConfig\u003e) -\u003e Result\u003c(ContentType, Json\u003cSignupResponse\u003e), (Status, String)\u003e {\n    // figure out if the user already exists\n    let mut id = -1;\n    match sqlx::query!(\"SELECT id FROM users WHERE email = $1\", req.email.clone()).fetch_optional(pool.inner()).await {\n        Ok(res) =\u003e if let Some(r) = res { id = r.id as i64 },\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))\n        }\n    }\n\n    if id == -1 {\n        let id_res = match sqlx::query!(\"INSERT INTO users (email, created_on, banned, ban_reason, totp_secret, totp_otpurl, totp_verified) VALUES ($1, $2, $3, $4, $5, $6, $7) ON CONFLICT DO NOTHING RETURNING id;\", req.email, SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i64, 0, \"\", \"\", \"\", 0).fetch_one(pool.inner()).await {\n            Ok(row) =\u003e row.id,\n            Err(e) =\u003e {\n                return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))\n            }\n        };\n        id = id_res as i64;\n    }\n\n    // send magic link to email\n    match send_magic_link(id, req.email.clone(), pool.inner(), config.inner()).await {\n        Ok(_) =\u003e (),\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))\n        }\n    };\n\n    // this endpoint doesn't actually ever return an error? it will send you the magic link no matter what\n    // this appears to do the exact same thing as /v1/auth/magic-link, but it doesn't check if you have an account (magic-link does)\n    Ok((ContentType::JSON, Json(SignupResponse {\n        data: None,\n        metadata: SignupResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","totp_authenticators.rs"],"content":"use rocket::http::{ContentType, Status};\nuse rocket::serde::json::Json;\nuse rocket::{State, post};\nuse sqlx::PgPool;\nuse serde::{Serialize, Deserialize};\nuse crate::auth::PartialUserInfo;\nuse crate::config::TFConfig;\nuse crate::tokens::{create_totp_token, user_has_totp};\nuse rocket::options;\n\n#[derive(Deserialize)]\npub struct TotpAuthenticatorsRequest {}\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpAuthenticatorsResponseMetadata {}\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpAuthenticatorsResponseData {\n    #[serde(rename = \"totpToken\")]\n    pub totp_token: String,\n    pub secret: String,\n    pub url: String,\n}\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpAuthenticatorsResponse {\n    pub data: TotpAuthenticatorsResponseData,\n    pub metadata: TotpAuthenticatorsResponseMetadata,\n}\n\n#[options(\"/v1/totp-authenticators\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n\n#[post(\"/v1/totp-authenticators\", data = \"\u003c_req\u003e\")]\npub async fn totp_authenticators_request(_req: Json\u003cTotpAuthenticatorsRequest\u003e, user: PartialUserInfo, db: \u0026State\u003cPgPool\u003e, config: \u0026State\u003cTFConfig\u003e) -\u003e Result\u003c(ContentType, Json\u003cTotpAuthenticatorsResponse\u003e), (Status, String)\u003e {\n    if match user_has_totp(user.user_id, db.inner()).await {\n        Ok(b) =\u003e b,\n        Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n    } {\n        return Err((Status::BadRequest, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_TOTP_ALREADY_EXISTS\", \"this user already has a totp authenticator on their account\")))\n    }\n\n    // generate a totp token\n    let (totptoken, totpmachine) = match create_totp_token(user.email, db.inner(), config.inner()).await {\n        Ok(t) =\u003e t,\n        Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured issuing a totp token, try again later\", e)))\n    };\n\n    Ok((ContentType::JSON, Json(TotpAuthenticatorsResponse {\n        data: TotpAuthenticatorsResponseData {\n            totp_token: totptoken,\n            secret: totpmachine.get_secret_base32(),\n            url: totpmachine.get_url(),\n        },\n        metadata: TotpAuthenticatorsResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","verify_totp_authenticator.rs"],"content":"/*\n{\"totpToken\":\"totp-mH9eLzA9Q5WB-sg3Fq8CfkP13eTh3DxF25kVK2VEDOk\",\"code\":\"266242\"}\n{\"errors\":[{\"code\":\"ERR_INVALID_TOTP_TOKEN\",\"message\":\"TOTP token does not exist (maybe it expired?)\",\"path\":\"totpToken\"}]}\n\n\n{\"totpToken\":\"totp-gaUDaxPrrIBc8GEQ6z0vPisT8k0MEP1fgI8FA2ztLMw\",\"code\":\"175543\"}\n{\"data\":{\"authToken\":\"auth-O7mugxdYta-RKtLMqDW4j8XCJ85EfZKKezeZZXBYtFQ\"},\"metadata\":{}}\n*/\n\nuse rocket::http::{ContentType, Status};\nuse crate::auth::PartialUserInfo;\nuse rocket::post;\nuse rocket::serde::json::Json;\nuse rocket::State;\nuse serde::{Serialize, Deserialize};\nuse sqlx::PgPool;\nuse crate::tokens::{generate_auth_token, use_totp_token, verify_totp_token};\nuse rocket::options;\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyTotpAuthenticatorRequest {\n    #[serde(rename = \"totpToken\")]\n    pub totp_token: String,\n    pub code: String,\n}\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyTotpAuthenticatorResponseMetadata {}\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyTotpAuthenticatorResponseData {\n    #[serde(rename = \"authToken\")]\n    pub auth_token: String,\n}\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyTotpAuthenticatorResponse {\n    pub data: VerifyTotpAuthenticatorResponseData,\n    pub metadata: VerifyTotpAuthenticatorResponseMetadata,\n}\n\n#[options(\"/v1/verify-totp-authenticator\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n\n#[post(\"/v1/verify-totp-authenticator\", data = \"\u003creq\u003e\")]\npub async fn verify_totp_authenticator_request(req: Json\u003cVerifyTotpAuthenticatorRequest\u003e, db: \u0026State\u003cPgPool\u003e, user: PartialUserInfo) -\u003e Result\u003c(ContentType, Json\u003cVerifyTotpAuthenticatorResponse\u003e), (Status, String)\u003e {\n    let totpmachine = match verify_totp_token(req.0.totp_token.clone(), user.email.clone(), db.inner()).await {\n        Ok(t) =\u003e t,\n        Err(e) =\u003e return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNAUTHORIZED\", \"this token is invalid\", e)))\n    };\n    if !totpmachine.check_current(\u0026req.0.code).unwrap() {\n        return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\",\\\"path\\\":\\\"totpToken\\\"}}]}}\", \"ERR_INVALID_TOTP_CODE\", \"Invalid TOTP code\")))\n    }\n    match use_totp_token(req.0.totp_token, user.email, db.inner()).await {\n        Ok(_) =\u003e (),\n        Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n    }\n    Ok((ContentType::JSON, Json(VerifyTotpAuthenticatorResponse {\n        data: VerifyTotpAuthenticatorResponseData { auth_token: match generate_auth_token(user.user_id as i64, user.session_id, db.inner()).await {\n            Ok(at) =\u003e at,\n            Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n        } },\n        metadata: VerifyTotpAuthenticatorResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v2","mod.rs"],"content":"pub mod whoami;","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v2","whoami.rs"],"content":"use chrono::{NaiveDateTime, Utc};\nuse serde::{Serialize, Deserialize};\nuse rocket::{options, get, State};\nuse rocket::http::{ContentType, Status};\nuse rocket::serde::json::Json;\nuse sqlx::PgPool;\nuse crate::auth::PartialUserInfo;\nuse crate::tokens::user_has_totp;\n\n#[derive(Serialize, Deserialize)]\npub struct WhoamiMetadata {}\n\n#[derive(Serialize, Deserialize)]\npub struct WhoamiActor {\n    pub id: String,\n    #[serde(rename = \"organizationID\")]\n    pub organization_id: String,\n    pub email: String,\n    #[serde(rename = \"createdAt\")]\n    pub created_at: String,\n    #[serde(rename = \"hasTOTPAuthenticator\")]\n    pub has_totpauthenticator: bool,\n}\n\n#[derive(Serialize, Deserialize)]\npub struct WhoamiData {\n    #[serde(rename = \"actorType\")]\n    pub actor_type: String,\n    pub actor: WhoamiActor,\n}\n\n#[derive(Serialize, Deserialize)]\npub struct WhoamiResponse {\n    pub data: WhoamiData,\n    pub metadata: WhoamiMetadata,\n}\n\n#[options(\"/v2/whoami\")]\npub fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n#[get(\"/v2/whoami\")]\npub async fn whoami_request(user: PartialUserInfo, db: \u0026State\u003cPgPool\u003e) -\u003e Result\u003c(ContentType, Json\u003cWhoamiResponse\u003e), (Status, String)\u003e {\n    Ok((ContentType::JSON, Json(WhoamiResponse {\n        data: WhoamiData {\n            actor_type: \"user\".to_string(),\n            actor: WhoamiActor {\n                id: user.user_id.to_string(),\n                organization_id: \"TEMP_ORG_BECAUSE_THAT_ISNT_IMPLEMENTED_YET\".to_string(),\n                email: user.email,\n                created_at: NaiveDateTime::from_timestamp_opt(user.created_at, 0).unwrap().and_local_timezone(Utc).unwrap().to_rfc3339(),\n                has_totpauthenticator: match user_has_totp(user.user_id, db.inner()).await {\n                    Ok(b) =\u003e b,\n                    Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_DBERROR\", \"an error occured trying to verify your user\", e)))\n                },\n            }\n        },\n        metadata: WhoamiMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","tokens.rs"],"content":"use std::error::Error;\nuse log::info;\nuse sqlx::PgPool;\nuse uuid::Uuid;\nuse crate::config::TFConfig;\nuse std::time::SystemTime;\nuse std::time::UNIX_EPOCH;\nuse totp_rs::{Secret, TOTP};\nuse crate::util::{TOTP_ALGORITHM, TOTP_DIGITS, TOTP_ISSUER, TOTP_SKEW, TOTP_STEP};\n\n// https://admin.defined.net/auth/magic-link?email=coredoescode%40gmail.com\u0026token=ml-ckBsgw_5IdK5VYgseBYcoV_v_cQjtdq1re_RhDu_MKg\npub async fn send_magic_link(id: i64, email: String, db: \u0026PgPool, config: \u0026TFConfig) -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n    let otp = format!(\"ml-{}\", Uuid::new_v4());\n    let otp_url = config.web_root.join(\u0026format!(\"/auth/magic-link?email={}\u0026token={}\", urlencoding::encode(\u0026email.clone()), otp.clone())).unwrap();\n    sqlx::query!(\"INSERT INTO magic_links (id, user_id, expires_on) VALUES ($1, $2, $3) ON CONFLICT DO NOTHING;\", otp, id as i32, SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i32 + config.magic_links_valid_for as i32).execute(db).await?;\n    // TODO: send email\n    info!(\"sent magic link {} to {}, valid for {} seconds\", otp_url, email.clone(), config.magic_links_valid_for);\n    Ok(())\n}\n\npub async fn generate_session_token(user_id: i64, db: \u0026PgPool, config: \u0026TFConfig) -\u003e Result\u003cString, Box\u003cdyn Error\u003e\u003e {\n    let token = format!(\"st-{}\", Uuid::new_v4());\n    sqlx::query!(\"INSERT INTO session_tokens (id, user_id, expires_on) VALUES ($1, $2, $3) ON CONFLICT DO NOTHING;\", token, user_id as i32, SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i32 + config.session_tokens_valid_for as i32).execute(db).await?;\n    Ok(token)\n}\npub async fn validate_session_token(token: String, db: \u0026PgPool) -\u003e Result\u003ci64, Box\u003cdyn Error\u003e\u003e {\n    Ok(sqlx::query!(\"SELECT user_id FROM session_tokens WHERE id = $1 AND expires_on \u003e $2\", token, SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i32).fetch_one(db).await?.user_id as i64)\n}\n\npub async fn generate_auth_token(user_id: i64, session_id: String, db: \u0026PgPool) -\u003e Result\u003cString, Box\u003cdyn Error\u003e\u003e {\n    let token = format!(\"at-{}\", Uuid::new_v4());\n    sqlx::query!(\"INSERT INTO auth_tokens (id, session_token, user_id) VALUES ($1, $2, $3) ON CONFLICT DO NOTHING;\", token, session_id, user_id as i32).execute(db).await?;\n    Ok(token)\n}\npub async fn validate_auth_token(token: String, session_id: String, db: \u0026PgPool) -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n    validate_session_token(session_id.clone(), db).await?;\n    sqlx::query!(\"SELECT * FROM auth_tokens WHERE id = $1 AND session_token = $2\", token, session_id).fetch_one(db).await?;\n    Ok(())\n}\n\n\n/*\nCREATE TABLE totp_create_tokens (\n    id VARCHAR(39) NOT NULL PRIMARY KEY,\n    expires_on INTEGER NOT NULL,\n    totp_otpurl VARCHAR(3000) NOT NULL,\n    totp_secret VARCHAR(128) NOT NULL\n);\n */\n\npub async fn create_totp_token(email: String, db: \u0026PgPool, config: \u0026TFConfig) -\u003e Result\u003c(String, TOTP), Box\u003cdyn Error\u003e\u003e {\n    // create the TOTP parameters\n\n    let secret = Secret::generate_secret();\n    let totpmachine = TOTP::new(TOTP_ALGORITHM, TOTP_DIGITS, TOTP_SKEW, TOTP_STEP, secret.to_bytes().unwrap(), Some(TOTP_ISSUER.to_string()), email).unwrap();\n    let otpurl = totpmachine.get_url();\n    let otpsecret = totpmachine.get_secret_base32();\n\n    let otpid = format!(\"totp-{}\", Uuid::new_v4());\n\n    sqlx::query!(\"INSERT INTO totp_create_tokens (id, expires_on, totp_otpurl, totp_secret) VALUES ($1, $2, $3, $4);\", otpid.clone(), (SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i64 + config.totp_verification_valid_for) as i32, otpurl, otpsecret).execute(db).await?;\n\n    Ok((otpid, totpmachine))\n}\n\npub async fn verify_totp_token(otpid: String, email: String, db: \u0026PgPool) -\u003e Result\u003cTOTP, Box\u003cdyn Error\u003e\u003e {\n    let totprow = sqlx::query!(\"SELECT * FROM totp_create_tokens WHERE id = $1 AND expires_on \u003e $2\", otpid, SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i32).fetch_one(db).await?;\n    let secret = Secret::Encoded(totprow.totp_secret);\n    let totpmachine = TOTP::new(TOTP_ALGORITHM, TOTP_DIGITS, TOTP_SKEW, TOTP_STEP, secret.to_bytes().unwrap(), Some(TOTP_ISSUER.to_string()), email).unwrap();\n\n    if totpmachine.get_url() != totprow.totp_otpurl {\n        return Err(\"OTPURLs do not match (email does not match?)\".into())\n    }\n\n    Ok(totpmachine)\n}\n\npub async fn use_totp_token(otpid: String, email: String, db: \u0026PgPool) -\u003e Result\u003cTOTP, Box\u003cdyn Error\u003e\u003e {\n    let totpmachine = verify_totp_token(otpid.clone(), email.clone(), db).await?;\n    sqlx::query!(\"DELETE FROM totp_create_tokens WHERE id = $1\", otpid).execute(db).await?;\n    sqlx::query!(\"UPDATE users SET totp_otpurl = $1, totp_secret = $2, totp_verified = 1 WHERE email = $3\", totpmachine.get_url(), totpmachine.get_secret_base32(), email).execute(db).await?;\n    Ok(totpmachine)\n}\n\npub async fn get_totpmachine(user: i32, db: \u0026PgPool) -\u003e Result\u003cTOTP, Box\u003cdyn Error\u003e\u003e {\n    let user = sqlx::query!(\"SELECT totp_secret, totp_otpurl, email FROM users WHERE id = $1\", user).fetch_one(db).await?;\n    let secret = Secret::Encoded(user.totp_secret);\n    Ok(TOTP::new(TOTP_ALGORITHM, TOTP_DIGITS, TOTP_SKEW, TOTP_STEP, secret.to_bytes().unwrap(), Some(TOTP_ISSUER.to_string()), user.email).unwrap())\n}\n\npub async fn user_has_totp(user: i32, db: \u0026PgPool) -\u003e Result\u003cbool, Box\u003cdyn Error\u003e\u003e {\n    Ok(sqlx::query!(\"SELECT totp_verified FROM users WHERE id = $1\", user).fetch_one(db).await?.totp_verified == 1)\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","util.rs"],"content":"use base64::Engine;\nuse totp_rs::Algorithm;\n\npub const TOTP_ALGORITHM: Algorithm = Algorithm::SHA1;\npub const TOTP_DIGITS: usize = 6;\npub const TOTP_SKEW: u8 = 1;\npub const TOTP_STEP: u64 = 30;\npub const TOTP_ISSUER: \u0026str = \"trifidapi\";\n\npub fn base64decode(val: \u0026str) -\u003e Result\u003cVec\u003cu8\u003e, base64::DecodeError\u003e {\n    base64::engine::general_purpose::STANDARD.decode(val)\n}\npub fn base64encode(val: Vec\u003cu8\u003e) -\u003e String {\n    base64::engine::general_purpose::STANDARD.encode(val)\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-pki","src","ca.rs"],"content":"//! Structs to represent a pool of CA's and blacklisted certificates\n\nuse std::collections::HashMap;\nuse std::error::Error;\nuse std::fmt::{Display, Formatter};\nuse std::time::SystemTime;\nuse ed25519_dalek::VerifyingKey;\nuse crate::cert::{deserialize_nebula_certificate_from_pem, NebulaCertificate};\n\n/// A pool of trusted CA certificates, and certificates that should be blocked.\n/// This is equivalent to the `pki` section in a typical Nebula config.yml.\n#[derive(Default)]\npub struct NebulaCAPool {\n    /// The list of CA root certificates that should be trusted.\n    pub cas: HashMap\u003cString, NebulaCertificate\u003e,\n    /// The list of blocklisted certificate fingerprints\n    pub cert_blocklist: Vec\u003cString\u003e,\n    /// True if any of the member CAs certificates are expired. Must be handled.\n    pub expired: bool\n}\n\nimpl NebulaCAPool {\n    /// Create a new, blank CA pool\n    pub fn new() -\u003e Self {\n        Self::default()\n    }\n\n    /// Create a new CA pool from a set of PEM encoded CA certificates.\n    /// If any of the certificates are expired, the pool will **still be returned**, with the expired flag set.\n    /// This must be handled properly.\n    /// # Errors\n    /// This function will return an error if PEM data provided was invalid.\n    pub fn new_from_pem(bytes: \u0026[u8]) -\u003e Result\u003cSelf, Box\u003cdyn Error\u003e\u003e {\n        let pems = pem::parse_many(bytes)?;\n\n        let mut pool = Self::new();\n\n        for cert in pems {\n            match pool.add_ca_certificate(pem::encode(\u0026cert).as_bytes()) {\n                Ok(did_expire) =\u003e if did_expire { pool.expired = true },\n                Err(e) =\u003e return Err(e)\n            }\n        }\n\n        Ok(pool)\n    }\n\n    /// Add a given CA certificate to the CA pool. If the certificate is expired, it will **still be added** - the return value will be `true` instead of `false`\n    /// # Errors\n    /// This function will return an error if the certificate is invalid in any way.\n    pub fn add_ca_certificate(\u0026mut self, bytes: \u0026[u8]) -\u003e Result\u003cbool, Box\u003cdyn Error\u003e\u003e {\n        let cert = deserialize_nebula_certificate_from_pem(bytes)?;\n\n        if !cert.details.is_ca {\n            return Err(CaPoolError::NotACA.into())\n        }\n\n        if !cert.check_signature(\u0026VerifyingKey::from_bytes(\u0026cert.details.public_key)?)? {\n            return Err(CaPoolError::NotSelfSigned.into())\n        }\n\n        let fingerprint = cert.sha256sum()?;\n        let expired = cert.expired(SystemTime::now());\n\n        if expired { self.expired = true }\n\n        self.cas.insert(fingerprint, cert);\n\n       Ok(expired)\n    }\n\n    /// Blocklist the given certificate in the CA pool\n    pub fn blocklist_fingerprint(\u0026mut self, fingerprint: \u0026str) {\n        self.cert_blocklist.push(fingerprint.to_string());\n    }\n\n    /// Clears the list of blocklisted fingerprints\n    pub fn reset_blocklist(\u0026mut self) {\n        self.cert_blocklist = vec![];\n    }\n\n    /// Checks if the given certificate is blocklisted\n    pub fn is_blocklisted(\u0026self, cert: \u0026NebulaCertificate) -\u003e bool {\n        let Ok(h) = cert.sha256sum() else { return false };\n        self.cert_blocklist.contains(\u0026h)\n    }\n\n    /// Gets the CA certificate used to sign the given certificate\n    /// # Errors\n    /// This function will return an error if the certificate does not have an issuer attached (it is self-signed)\n    pub fn get_ca_for_cert(\u0026self, cert: \u0026NebulaCertificate) -\u003e Result\u003cOption\u003c\u0026NebulaCertificate\u003e, Box\u003cdyn Error\u003e\u003e {\n        if cert.details.issuer == String::new() {\n            return Err(CaPoolError::NoIssuer.into())\n        }\n\n        Ok(self.cas.get(\u0026cert.details.issuer))\n    }\n\n    /// Get a list of trusted CA fingerprints\n    pub fn get_fingerprints(\u0026self) -\u003e Vec\u003c\u0026String\u003e {\n        self.cas.keys().collect()\n    }\n}\n\n#[derive(Debug)]\n/// A list of errors that can happen when working with a CA Pool\npub enum CaPoolError {\n    /// Tried to add a non-CA cert to the CA pool\n    NotACA,\n    /// Tried to add a non-self-signed cert to the CA pool (all CAs must be root certificates)\n    NotSelfSigned,\n    /// Tried to look up a certificate that does not have an issuer field\n    NoIssuer\n}\nimpl Error for CaPoolError {}\n#[cfg(not(tarpaulin_include))]\nimpl Display for CaPoolError {\n    fn fmt(\u0026self, f: \u0026mut Formatter\u003c'_\u003e) -\u003e std::fmt::Result {\n        match self {\n            Self::NotACA =\u003e write!(f, \"Tried to add a non-CA cert to the CA pool\"),\n            Self::NotSelfSigned =\u003e write!(f, \"Tried to add a non-self-signed cert to the CA pool (all CAs must be root certificates)\"),\n            Self::NoIssuer =\u003e write!(f, \"Tried to look up a certificate with a null issuer field\")\n        }\n    }\n}","traces":[{"line":24,"address":[453696],"length":1,"stats":{"Line":1},"fn_name":"new"},{"line":25,"address":[453704],"length":1,"stats":{"Line":1},"fn_name":null},{"line":33,"address":[454852,453728,454538],"length":1,"stats":{"Line":1},"fn_name":"new_from_pem"},{"line":34,"address":[453761,453895],"length":1,"stats":{"Line":1},"fn_name":null},{"line":36,"address":[453885],"length":1,"stats":{"Line":1},"fn_name":null},{"line":38,"address":[454117,454667,454023,454788],"length":1,"stats":{"Line":3},"fn_name":null},{"line":39,"address":[454339,454418,454500],"length":1,"stats":{"Line":3},"fn_name":null},{"line":40,"address":[454549,454759],"length":1,"stats":{"Line":2},"fn_name":null},{"line":41,"address":[454586],"length":1,"stats":{"Line":0},"fn_name":null},{"line":45,"address":[454793],"length":1,"stats":{"Line":1},"fn_name":null},{"line":51,"address":[456302,454880],"length":1,"stats":{"Line":1},"fn_name":"add_ca_certificate"},{"line":52,"address":[455110,454952],"length":1,"stats":{"Line":1},"fn_name":null},{"line":54,"address":[455090],"length":1,"stats":{"Line":1},"fn_name":null},{"line":55,"address":[455279,455190],"length":1,"stats":{"Line":2},"fn_name":null},{"line":58,"address":[455546,455183,455304],"length":1,"stats":{"Line":3},"fn_name":null},{"line":59,"address":[455715],"length":1,"stats":{"Line":0},"fn_name":null},{"line":62,"address":[455708,455791,455909],"length":1,"stats":{"Line":2},"fn_name":null},{"line":63,"address":[455881,456066],"length":1,"stats":{"Line":2},"fn_name":null},{"line":65,"address":[456216,456093],"length":1,"stats":{"Line":2},"fn_name":null},{"line":67,"address":[456230,456097],"length":1,"stats":{"Line":3},"fn_name":null},{"line":69,"address":[456246],"length":1,"stats":{"Line":1},"fn_name":null},{"line":73,"address":[456352],"length":1,"stats":{"Line":1},"fn_name":"blocklist_fingerprint"},{"line":74,"address":[456371],"length":1,"stats":{"Line":1},"fn_name":null},{"line":78,"address":[456480,456416],"length":1,"stats":{"Line":1},"fn_name":"reset_blocklist"},{"line":79,"address":[456512,456434],"length":1,"stats":{"Line":2},"fn_name":null},{"line":83,"address":[456544,456832,456804],"length":1,"stats":{"Line":2},"fn_name":"is_blocklisted"},{"line":84,"address":[456686,456566,456743],"length":1,"stats":{"Line":2},"fn_name":null},{"line":85,"address":[456765,456713],"length":1,"stats":{"Line":4},"fn_name":null},{"line":91,"address":[456848,456982],"length":1,"stats":{"Line":1},"fn_name":"get_ca_for_cert"},{"line":92,"address":[456881],"length":1,"stats":{"Line":1},"fn_name":null},{"line":93,"address":[457047],"length":1,"stats":{"Line":0},"fn_name":null},{"line":96,"address":[457014],"length":1,"stats":{"Line":1},"fn_name":null},{"line":100,"address":[457088],"length":1,"stats":{"Line":1},"fn_name":"get_fingerprints"},{"line":101,"address":[457107],"length":1,"stats":{"Line":1},"fn_name":null}],"covered":31,"coverable":34},{"path":["/","home","core","prj","e3t","trifid","trifid-pki","src","cert.rs"],"content":"//! Manage Nebula PKI Certificates\n//! This is pretty much a direct port of nebula/cert/cert.go\n\nuse std::error::Error;\nuse std::fmt::{Display, Formatter};\nuse std::net::Ipv4Addr;\nuse std::ops::Add;\nuse std::time::{Duration, SystemTime, UNIX_EPOCH};\nuse ed25519_dalek::{Signature, Signer, SigningKey, Verifier, VerifyingKey};\nuse ipnet::{Ipv4Net};\nuse pem::Pem;\nuse quick_protobuf::{BytesReader, MessageRead, MessageWrite, Writer};\nuse sha2::Sha256;\nuse crate::ca::NebulaCAPool;\nuse crate::cert_codec::{RawNebulaCertificate, RawNebulaCertificateDetails};\nuse sha2::Digest;\n\n/// The length, in bytes, of public keys\npub const PUBLIC_KEY_LENGTH: i32 = 32;\n\n/// The PEM banner for certificates\npub const CERT_BANNER: \u0026str = \"NEBULA CERTIFICATE\";\n/// The PEM banner for X25519 private keys\npub const X25519_PRIVATE_KEY_BANNER: \u0026str = \"NEBULA X25519 PRIVATE KEY\";\n/// The PEM banner for X25519 public keys\npub const X25519_PUBLIC_KEY_BANNER: \u0026str = \"NEBULA X25519 PUBLIC KEY\";\n/// The PEM banner for Ed25519 private keys\npub const ED25519_PRIVATE_KEY_BANNER: \u0026str = \"NEBULA ED25519 PRIVATE KEY\";\n/// The PEM banner for Ed25519 public keys\npub const ED25519_PUBLIC_KEY_BANNER: \u0026str = \"NEBULA ED25519 PUBLIC KEY\";\n\n/// A Nebula PKI certificate\n#[derive(Debug, Clone)]\npub struct NebulaCertificate {\n    /// The signed data of this certificate\n    pub details: NebulaCertificateDetails,\n    /// The Ed25519 signature of this certificate\n    pub signature: Vec\u003cu8\u003e\n}\n\n/// The signed details contained in a Nebula PKI certificate\n#[derive(Debug, Clone)]\npub struct NebulaCertificateDetails {\n    /// The name of the identity this certificate was issued for\n    pub name: String,\n    /// The IPv4 addresses issued to this node\n    pub ips: Vec\u003cIpv4Net\u003e,\n    /// The IPv4 subnets this node is responsible for routing\n    pub subnets: Vec\u003cIpv4Net\u003e,\n    /// The groups this node is a part of\n    pub groups: Vec\u003cString\u003e,\n    /// Certificate start date and time\n    pub not_before: SystemTime,\n    /// Certificate expiry date and time\n    pub not_after: SystemTime,\n    /// Public key\n    pub public_key: [u8; PUBLIC_KEY_LENGTH as usize],\n    /// Is this node a CA?\n    pub is_ca: bool,\n    /// SHA256 of issuer certificate. If blank, this cert is self-signed.\n    pub issuer: String\n}\n\n/// A list of errors that can occur parsing certificates\n#[derive(Debug)]\npub enum CertificateError {\n    /// Attempted to deserialize a certificate from an empty byte array\n    EmptyByteArray,\n    /// The encoded Details field is null\n    NilDetails,\n    /// The encoded Ips field is not formatted correctly\n    IpsNotPairs,\n    /// The encoded Subnets field is not formatted correctly\n    SubnetsNotPairs,\n    /// Signatures are expected to be 64 bytes but the signature on the certificate was a different length\n    WrongSigLength,\n    /// Public keys are expected to be 32 bytes but the public key on this cert is not\n    WrongKeyLength,\n    /// Certificates should have the PEM tag `NEBULA CERTIFICATE`, but this block did not\n    WrongPemTag,\n    /// This certificate either is not yet valid or has already expired\n    Expired,\n    /// The public key does not match the expected value\n    KeyMismatch\n}\n#[cfg(not(tarpaulin_include))]\nimpl Display for CertificateError {\n    fn fmt(\u0026self, f: \u0026mut Formatter\u003c'_\u003e) -\u003e std::fmt::Result {\n        match self {\n            Self::EmptyByteArray =\u003e write!(f, \"Certificate bytearray is empty\"),\n            Self::NilDetails =\u003e write!(f, \"The encoded Details field is null\"),\n            Self::IpsNotPairs =\u003e write!(f, \"encoded IPs should be in pairs, an odd number was found\"),\n            Self::SubnetsNotPairs =\u003e write!(f, \"encoded subnets should be in pairs, an odd number was found\"),\n            Self::WrongSigLength =\u003e write!(f, \"Signature should be 64 bytes but is a different size\"),\n            Self::WrongKeyLength =\u003e write!(f, \"Public keys are expected to be 32 bytes but the public key on this cert is not\"),\n            Self::WrongPemTag =\u003e write!(f, \"Certificates should have the PEM tag `NEBULA CERTIFICATE`, but this block did not\"),\n            Self::Expired =\u003e write!(f, \"This certificate either is not yet valid or has already expired\"),\n            Self::KeyMismatch =\u003e write!(f, \"Key does not match expected value\")\n        }\n    }\n}\nimpl Error for CertificateError {}\n\nfn map_cidr_pairs(pairs: \u0026[u32]) -\u003e Result\u003cVec\u003cIpv4Net\u003e, Box\u003cdyn Error\u003e\u003e {\n    let mut res_vec = vec![];\n    for pair in pairs.chunks(2) {\n        res_vec.push(Ipv4Net::with_netmask(Ipv4Addr::from(pair[0]), Ipv4Addr::from(pair[1]))?);\n    }\n    Ok(res_vec)\n}\n\n#[cfg(not(tarpaulin_include))]\nimpl Display for NebulaCertificate {\n    #[allow(clippy::unwrap_used)]\n    fn fmt(\u0026self, f: \u0026mut Formatter\u003c'_\u003e) -\u003e std::fmt::Result {\n        writeln!(f, \"NebulaCertificate {{\")?;\n        writeln!(f, \"   Details {{\")?;\n        writeln!(f, \"       Name: {}\", self.details.name)?;\n        writeln!(f, \"       Ips: {:?}\", self.details.ips)?;\n        writeln!(f, \"       Subnets: {:?}\", self.details.subnets)?;\n        writeln!(f, \"       Groups: {:?}\", self.details.groups)?;\n        writeln!(f, \"       Not before: {:?}\", self.details.not_before)?;\n        writeln!(f, \"       Not after: {:?}\", self.details.not_after)?;\n        writeln!(f, \"       Is CA: {}\", self.details.is_ca)?;\n        writeln!(f, \"       Issuer: {}\", self.details.issuer)?;\n        writeln!(f, \"       Public key: {}\", hex::encode(self.details.public_key))?;\n        writeln!(f, \"   }}\")?;\n        writeln!(f, \"   Fingerprint: {}\", self.sha256sum().unwrap())?;\n        writeln!(f, \"   Signature: {}\", hex::encode(self.signature.clone()))?;\n        writeln!(f, \"}}\")\n    }\n}\n\n/// Given a protobuf-encoded certificate bytearray, deserialize it into a `NebulaCertificate` object.\n/// # Errors\n/// This function will return an error if there is a protobuf parsing error, or if the certificate data is invalid.\n/// # Panics\npub fn deserialize_nebula_certificate(bytes: \u0026[u8]) -\u003e Result\u003cNebulaCertificate, Box\u003cdyn Error\u003e\u003e {\n    if bytes.is_empty() {\n        return Err(CertificateError::EmptyByteArray.into())\n    }\n\n    let mut reader = BytesReader::from_bytes(bytes);\n\n    let raw_cert = RawNebulaCertificate::from_reader(\u0026mut reader, bytes)?;\n\n    let details = raw_cert.Details.ok_or(CertificateError::NilDetails)?;\n\n    if details.Ips.len() % 2 != 0 {\n        return Err(CertificateError::IpsNotPairs.into())\n    }\n\n    if details.Subnets.len() % 2 != 0 {\n        return Err(CertificateError::SubnetsNotPairs.into())\n    }\n\n    let mut nebula_cert;\n    #[allow(clippy::cast_sign_loss)]\n    {\n        nebula_cert = NebulaCertificate {\n            details: NebulaCertificateDetails {\n                name: details.Name.to_string(),\n                ips: map_cidr_pairs(\u0026details.Ips)?,\n                subnets: map_cidr_pairs(\u0026details.Subnets)?,\n                groups: details.Groups.iter().map(std::string::ToString::to_string).collect(),\n                not_before: SystemTime::UNIX_EPOCH.add(Duration::from_secs(details.NotBefore as u64)),\n                not_after: SystemTime::UNIX_EPOCH.add(Duration::from_secs(details.NotAfter as u64)),\n                public_key: [0u8; 32],\n                is_ca: details.IsCA,\n                issuer: hex::encode(details.Issuer),\n            },\n            signature: vec![],\n        };\n    }\n\n    nebula_cert.signature = raw_cert.Signature;\n\n    if details.PublicKey.len() != 32 {\n        return Err(CertificateError::WrongKeyLength.into())\n    }\n\n    #[allow(clippy::unwrap_used)] { nebula_cert.details.public_key = details.PublicKey.try_into().unwrap(); }\n\n    Ok(nebula_cert)\n}\n\n/// A list of errors that can occur parsing keys\n#[derive(Debug)]\npub enum KeyError {\n    /// Keys should have their associated PEM tags but this had the wrong one\n    WrongPemTag,\n    /// Ed25519 private keys are 64 bytes\n    Not64Bytes,\n    /// X25519 private keys are 32 bytes\n    Not32Bytes\n}\n#[cfg(not(tarpaulin_include))]\nimpl Display for KeyError {\n    fn fmt(\u0026self, f: \u0026mut Formatter\u003c'_\u003e) -\u003e std::fmt::Result {\n        match self {\n            Self::WrongPemTag =\u003e write!(f, \"Keys should have their associated PEM tags but this had the wrong one\"),\n            Self::Not64Bytes =\u003e write!(f, \"Ed25519 private keys are 64 bytes\"),\n            Self::Not32Bytes =\u003e write!(f, \"X25519 private keys are 32 bytes\")\n        }\n    }\n}\nimpl Error for KeyError {}\n\n\n/// Deserialize the first PEM block in the given byte array into a `NebulaCertificate`\n/// # Errors\n/// This function will return an error if the PEM data is invalid, or if there is an error parsing the certificate (see `deserialize_nebula_certificate`)\npub fn deserialize_nebula_certificate_from_pem(bytes: \u0026[u8]) -\u003e Result\u003cNebulaCertificate, Box\u003cdyn Error\u003e\u003e {\n    let pem = pem::parse(bytes)?;\n    if pem.tag != CERT_BANNER {\n        return Err(CertificateError::WrongPemTag.into())\n    }\n    deserialize_nebula_certificate(\u0026pem.contents)\n}\n\n/// Simple helper to PEM encode an X25519 private key\npub fn serialize_x25519_private(bytes: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n    pem::encode(\u0026Pem {\n        tag: X25519_PRIVATE_KEY_BANNER.to_string(),\n        contents: bytes.to_vec(),\n    }).as_bytes().to_vec()\n}\n\n/// Simple helper to PEM encode an X25519 public key\npub fn serialize_x25519_public(bytes: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n    pem::encode(\u0026Pem {\n        tag: X25519_PUBLIC_KEY_BANNER.to_string(),\n        contents: bytes.to_vec(),\n    }).as_bytes().to_vec()\n}\n\n/// Attempt to deserialize a PEM encoded X25519 private key\n/// # Errors\n/// This function will return an error if the PEM data is invalid or has the wrong tag\npub fn deserialize_x25519_private(bytes: \u0026[u8]) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n    let pem = pem::parse(bytes)?;\n    if pem.tag != X25519_PRIVATE_KEY_BANNER {\n        return Err(KeyError::WrongPemTag.into())\n    }\n    if pem.contents.len() != 32 {\n        return Err(KeyError::Not32Bytes.into())\n    }\n    Ok(pem.contents)\n}\n\n/// Attempt to deserialize a PEM encoded X25519 public key\n/// # Errors\n/// This function will return an error if the PEM data is invalid or has the wrong tag\npub fn deserialize_x25519_public(bytes: \u0026[u8]) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n    let pem = pem::parse(bytes)?;\n    if pem.tag != X25519_PUBLIC_KEY_BANNER {\n        return Err(KeyError::WrongPemTag.into())\n    }\n    if pem.contents.len() != 32 {\n        return Err(KeyError::Not32Bytes.into())\n    }\n    Ok(pem.contents)\n}\n\n/// Simple helper to PEM encode an Ed25519 private key\npub fn serialize_ed25519_private(bytes: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n    pem::encode(\u0026Pem {\n        tag: ED25519_PRIVATE_KEY_BANNER.to_string(),\n        contents: bytes.to_vec(),\n    }).as_bytes().to_vec()\n}\n\n/// Simple helper to PEM encode an Ed25519 public key\npub fn serialize_ed25519_public(bytes: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n    pem::encode(\u0026Pem {\n        tag: ED25519_PUBLIC_KEY_BANNER.to_string(),\n        contents: bytes.to_vec(),\n    }).as_bytes().to_vec()\n}\n\n/// Attempt to deserialize a PEM encoded Ed25519 private key\n/// # Errors\n/// This function will return an error if the PEM data is invalid or has the wrong tag\npub fn deserialize_ed25519_private(bytes: \u0026[u8]) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n    let pem = pem::parse(bytes)?;\n    if pem.tag != ED25519_PRIVATE_KEY_BANNER {\n        return Err(KeyError::WrongPemTag.into())\n    }\n    if pem.contents.len() != 64 {\n        return Err(KeyError::Not64Bytes.into())\n    }\n    Ok(pem.contents)\n}\n\n/// Attempt to deserialize a PEM encoded Ed25519 public key\n/// # Errors\n/// This function will return an error if the PEM data is invalid or has the wrong tag\npub fn deserialize_ed25519_public(bytes: \u0026[u8]) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n    let pem = pem::parse(bytes)?;\n    if pem.tag != ED25519_PUBLIC_KEY_BANNER {\n        return Err(KeyError::WrongPemTag.into())\n    }\n    if pem.contents.len() != 64 {\n        return Err(KeyError::Not64Bytes.into())\n    }\n    Ok(pem.contents)\n}\n\nimpl NebulaCertificate {\n    /// Sign a nebula certificate with the provided private key\n    /// # Errors\n    /// This function will return an error if the certificate could not be serialized or signed.\n    pub fn sign(\u0026mut self, key: \u0026SigningKey) -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n        let mut out = Vec::new();\n        let mut writer = Writer::new(\u0026mut out);\n        self.get_raw_details().write_message(\u0026mut writer)?;\n\n        self.signature = key.sign(\u0026out).to_vec();\n        Ok(())\n    }\n\n    /// Verify the signature on a certificate with the provided public key\n    /// # Errors\n    /// This function will return an error if the certificate could not be serialized or the signature could not be checked.\n    pub fn check_signature(\u0026self, key: \u0026VerifyingKey) -\u003e Result\u003cbool, Box\u003cdyn Error\u003e\u003e {\n        let mut out = Vec::new();\n        let mut writer = Writer::new(\u0026mut out);\n        self.get_raw_details().write_message(\u0026mut writer)?;\n\n        let sig = Signature::from_slice(\u0026self.signature)?;\n\n        Ok(key.verify(\u0026out, \u0026sig).is_ok())\n    }\n\n    /// Returns true if the signature is too young or too old compared to the provided time\n    pub fn expired(\u0026self, time: SystemTime) -\u003e bool {\n        self.details.not_before \u003e time || self.details.not_after \u003c time\n    }\n\n    /// Verify will ensure a certificate is good in all respects (expiry, group membership, signature, cert blocklist, etc)\n    /// # Errors\n    /// This function will return an error if there is an error parsing the cert or the CA pool.\n    pub fn verify(\u0026self, time: SystemTime, ca_pool: \u0026NebulaCAPool) -\u003e Result\u003cCertificateValidity, Box\u003cdyn Error\u003e\u003e {\n        if ca_pool.is_blocklisted(self) {\n            return Ok(CertificateValidity::Blocklisted);\n        }\n\n        let Some(signer) = ca_pool.get_ca_for_cert(self)? else { return Ok(CertificateValidity::NotSignedByThisCAPool) };\n\n        if signer.expired(time) {\n            return Ok(CertificateValidity::RootCertExpired)\n        }\n\n        if self.expired(time) {\n            return Ok(CertificateValidity::CertExpired)\n        }\n\n        if !self.check_signature(\u0026VerifyingKey::from_bytes(\u0026signer.details.public_key)?)? {\n            return Ok(CertificateValidity::BadSignature)\n        }\n\n        Ok(self.check_root_constraints(signer))\n    }\n\n    /// Make sure that this certificate does not break any of the constraints set by the signing certificate\n    pub fn check_root_constraints(\u0026self, signer: \u0026Self) -\u003e CertificateValidity {\n        // Make sure this cert doesn't expire after the signer\n        println!(\"{:?} {:?}\", signer.details.not_before, self.details.not_before);\n        if signer.details.not_before \u003c self.details.not_before {\n            return CertificateValidity::CertExpiresAfterSigner;\n        }\n\n        // Make sure this cert doesn't come into validity before the root\n        if signer.details.not_before \u003e self.details.not_before {\n            return CertificateValidity::CertValidBeforeSigner;\n        }\n\n        // If the signer contains a limited set of groups, make sure this cert only has a subset of them\n        if !signer.details.groups.is_empty() {\n            println!(\"root groups: {:?}, child groups: {:?}\", signer.details.groups, self.details.groups);\n            for group in \u0026self.details.groups {\n                if !signer.details.groups.contains(group) {\n                    return CertificateValidity::GroupNotPresentOnSigner;\n                }\n            }\n        }\n\n        // If the signer contains a limited set of IP ranges, make sure the cert only contains a subset\n        if !signer.details.ips.is_empty() {\n            for ip in \u0026self.details.ips {\n                if !net_match(*ip, \u0026signer.details.ips) {\n                    return CertificateValidity::IPNotPresentOnSigner;\n                }\n            }\n        }\n\n        // If the signer contains a limited set of subnets, make sure the cert only contains a subset\n        if !signer.details.subnets.is_empty() {\n            for subnet in \u0026self.details.subnets {\n                if !net_match(*subnet, \u0026signer.details.subnets) {\n                    return CertificateValidity::SubnetNotPresentOnSigner;\n                }\n            }\n        }\n\n        CertificateValidity::Ok\n    }\n\n    #[allow(clippy::unwrap_used)]\n    /// Verify if the given private key corresponds to the public key contained in this certificate\n    /// # Errors\n    /// This function will return an error if either keys are invalid.\n    /// # Panics\n    /// This function, while containing calls to unwrap, has proper bounds checking and will not panic.\n    pub fn verify_private_key(\u0026self, key: \u0026[u8]) -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n        if self.details.is_ca {\n            // convert the keys\n            if key.len() != 64 {\n                return Err(\"key not 64-bytes long\".into())\n            }\n\n\n            let secret = SigningKey::from_keypair_bytes(key.try_into().unwrap())?;\n            let pub_key = secret.verifying_key().to_bytes();\n            if pub_key != self.details.public_key {\n                return Err(CertificateError::KeyMismatch.into());\n            }\n\n            return Ok(());\n        }\n\n        if key.len() != 32 {\n            return Err(\"key not 32-bytes long\".into())\n        }\n\n        let pubkey_raw = SigningKey::from_bytes(key.try_into()?).verifying_key();\n        let pubkey = pubkey_raw.as_bytes();\n\n        println!(\"{} {}\", hex::encode(pubkey), hex::encode(self.details.public_key));\n        if *pubkey != self.details.public_key {\n            return Err(CertificateError::KeyMismatch.into());\n        }\n\n        Ok(())\n    }\n\n\n    /// Get a protobuf-ready raw struct, ready for serialization\n    #[allow(clippy::expect_used)]\n    #[allow(clippy::cast_possible_wrap)]\n    /// # Panics\n    /// This function will panic if time went backwards, or if the certificate contains extremely invalid data.\n    pub fn get_raw_details(\u0026self) -\u003e RawNebulaCertificateDetails {\n\n        let mut raw = RawNebulaCertificateDetails {\n            Name: self.details.name.clone(),\n            Ips: vec![],\n            Subnets: vec![],\n            Groups: self.details.groups.iter().map(std::convert::Into::into).collect(),\n            NotBefore: self.details.not_before.duration_since(UNIX_EPOCH).expect(\"Time went backwards\").as_secs() as i64,\n            NotAfter: self.details.not_after.duration_since(UNIX_EPOCH).expect(\"Time went backwards\").as_secs() as i64,\n            PublicKey: self.details.public_key.into(),\n            IsCA: self.details.is_ca,\n            Issuer: hex::decode(\u0026self.details.issuer).expect(\"Issuer was not a hex-encoded value\"),\n        };\n\n        for ip_net in \u0026self.details.ips {\n            raw.Ips.push(ip_net.addr().into());\n            raw.Ips.push(ip_net.netmask().into());\n        }\n\n        for subnet in \u0026self.details.subnets {\n            raw.Subnets.push(subnet.addr().into());\n            raw.Subnets.push(subnet.netmask().into());\n        }\n\n        raw\n    }\n\n    /// Will serialize this cert into a protobuf byte array.\n    /// # Errors\n    /// This function will return an error if protobuf was unable to serialize the data.\n    pub fn serialize(\u0026self) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n        let raw_cert = RawNebulaCertificate {\n            Details: Some(self.get_raw_details()),\n            Signature: self.signature.clone(),\n        };\n\n        let mut out = vec![];\n        let mut writer = Writer::new(\u0026mut out);\n        raw_cert.write_message(\u0026mut writer)?;\n\n        Ok(out)\n    }\n\n    /// Will serialize this cert into a PEM byte array.\n    /// # Errors\n    /// This function will return an error if protobuf was unable to serialize the data.\n    pub fn serialize_to_pem(\u0026self) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n        let pbuf_bytes = self.serialize()?;\n\n        Ok(pem::encode(\u0026Pem {\n            tag: CERT_BANNER.to_string(),\n            contents: pbuf_bytes,\n        }).as_bytes().to_vec())\n    }\n\n    /// Get the fingerprint of this certificate\n    /// # Errors\n    /// This functiom will return an error if protobuf was unable to serialize the cert.\n    pub fn sha256sum(\u0026self) -\u003e Result\u003cString, Box\u003cdyn Error\u003e\u003e {\n        let pbuf_bytes = self.serialize()?;\n\n        let mut hasher = Sha256::new();\n        hasher.update(pbuf_bytes);\n\n        Ok(hex::encode(hasher.finalize()))\n    }\n}\n\n/// A list of possible errors that can happen validating a certificate\n#[derive(Eq, PartialEq, Debug)]\npub enum CertificateValidity {\n    /// There are no issues with this certificate\n    Ok,\n    /// This cert has been blocklisted in the given CA pool\n    Blocklisted,\n    /// The certificate that signed this cert is expired\n    RootCertExpired,\n    /// This cert is expired\n    CertExpired,\n    /// This cert's signature is invalid\n    BadSignature,\n    /// This cert was not signed by any CAs in the CA pool\n    NotSignedByThisCAPool,\n    /// This cert expires after the signer's cert expires\n    CertExpiresAfterSigner,\n    /// This cert enters validity before the signer's cert does\n    CertValidBeforeSigner,\n    /// A group present on this certificate is not present on the signer's certificate\n    GroupNotPresentOnSigner,\n    /// An IP present on this certificate is not present on the signer's certificate\n    IPNotPresentOnSigner,\n    /// A subnet on this certificate is not present on the signer's certificate\n    SubnetNotPresentOnSigner\n}\n\nfn net_match(cert_ip: Ipv4Net, root_ips: \u0026Vec\u003cIpv4Net\u003e) -\u003e bool {\n    for net in root_ips {\n        if net.contains(\u0026cert_ip) {\n            return true;\n        }\n    }\n    false\n}","traces":[{"line":104,"address":[548224,549155],"length":1,"stats":{"Line":1},"fn_name":"map_cidr_pairs"},{"line":105,"address":[548267],"length":1,"stats":{"Line":1},"fn_name":null},{"line":106,"address":[548589,548365,548304],"length":1,"stats":{"Line":3},"fn_name":null},{"line":107,"address":[548631,549150],"length":1,"stats":{"Line":4},"fn_name":null},{"line":109,"address":[548502],"length":1,"stats":{"Line":1},"fn_name":null},{"line":138,"address":[553592,557101,552064],"length":1,"stats":{"Line":1},"fn_name":"deserialize_nebula_certificate"},{"line":139,"address":[552141],"length":1,"stats":{"Line":3},"fn_name":null},{"line":140,"address":[552335],"length":1,"stats":{"Line":1},"fn_name":null},{"line":143,"address":[552219],"length":1,"stats":{"Line":1},"fn_name":null},{"line":145,"address":[552263,552449,552598],"length":1,"stats":{"Line":3},"fn_name":null},{"line":147,"address":[552824,553002,552509],"length":1,"stats":{"Line":3},"fn_name":null},{"line":149,"address":[552964,553149],"length":1,"stats":{"Line":3},"fn_name":null},{"line":150,"address":[553186],"length":1,"stats":{"Line":1},"fn_name":null},{"line":153,"address":[553159,553293],"length":1,"stats":{"Line":2},"fn_name":null},{"line":154,"address":[553326],"length":1,"stats":{"Line":1},"fn_name":null},{"line":160,"address":[555110],"length":1,"stats":{"Line":1},"fn_name":null},{"line":161,"address":[554782],"length":1,"stats":{"Line":1},"fn_name":null},{"line":162,"address":[553303],"length":1,"stats":{"Line":1},"fn_name":null},{"line":163,"address":[553603,553449,553713,553549],"length":1,"stats":{"Line":3},"fn_name":null},{"line":164,"address":[553667,553916,554067],"length":1,"stats":{"Line":2},"fn_name":null},{"line":165,"address":[554344,554021],"length":1,"stats":{"Line":2},"fn_name":null},{"line":166,"address":[554526,554437],"length":1,"stats":{"Line":2},"fn_name":null},{"line":167,"address":[554583],"length":1,"stats":{"Line":1},"fn_name":null},{"line":168,"address":[554667],"length":1,"stats":{"Line":1},"fn_name":null},{"line":169,"address":[554686],"length":1,"stats":{"Line":1},"fn_name":null},{"line":170,"address":[554697],"length":1,"stats":{"Line":1},"fn_name":null},{"line":172,"address":[555013],"length":1,"stats":{"Line":1},"fn_name":null},{"line":176,"address":[555185],"length":1,"stats":{"Line":1},"fn_name":null},{"line":178,"address":[555367],"length":1,"stats":{"Line":1},"fn_name":null},{"line":179,"address":[555468],"length":1,"stats":{"Line":1},"fn_name":null},{"line":184,"address":[556429],"length":1,"stats":{"Line":1},"fn_name":null},{"line":213,"address":[557869,557392],"length":1,"stats":{"Line":1},"fn_name":"deserialize_nebula_certificate_from_pem"},{"line":214,"address":[557425,557589],"length":1,"stats":{"Line":2},"fn_name":null},{"line":215,"address":[557721,557563],"length":1,"stats":{"Line":2},"fn_name":null},{"line":216,"address":[557753],"length":1,"stats":{"Line":1},"fn_name":null},{"line":218,"address":[557846,557727],"length":1,"stats":{"Line":2},"fn_name":null},{"line":222,"address":[557904,558115],"length":1,"stats":{"Line":1},"fn_name":"serialize_x25519_private"},{"line":223,"address":[558254,558042,558184],"length":1,"stats":{"Line":3},"fn_name":null},{"line":224,"address":[557947],"length":1,"stats":{"Line":1},"fn_name":null},{"line":225,"address":[557982],"length":1,"stats":{"Line":1},"fn_name":null},{"line":226,"address":[558001],"length":1,"stats":{"Line":0},"fn_name":null},{"line":230,"address":[558531,558320],"length":1,"stats":{"Line":1},"fn_name":"serialize_x25519_public"},{"line":231,"address":[558600,558458,558670],"length":1,"stats":{"Line":3},"fn_name":null},{"line":232,"address":[558363],"length":1,"stats":{"Line":1},"fn_name":null},{"line":233,"address":[558398],"length":1,"stats":{"Line":1},"fn_name":null},{"line":234,"address":[558417],"length":1,"stats":{"Line":0},"fn_name":null},{"line":240,"address":[559351,558736],"length":1,"stats":{"Line":1},"fn_name":"deserialize_x25519_private"},{"line":241,"address":[558933,558769],"length":1,"stats":{"Line":2},"fn_name":null},{"line":242,"address":[559065,558907],"length":1,"stats":{"Line":2},"fn_name":null},{"line":243,"address":[559092],"length":1,"stats":{"Line":1},"fn_name":null},{"line":245,"address":[559071,559176],"length":1,"stats":{"Line":2},"fn_name":null},{"line":246,"address":[559285],"length":1,"stats":{"Line":1},"fn_name":null},{"line":248,"address":[559187],"length":1,"stats":{"Line":1},"fn_name":null},{"line":254,"address":[560007,559392],"length":1,"stats":{"Line":1},"fn_name":"deserialize_x25519_public"},{"line":255,"address":[559425,559589],"length":1,"stats":{"Line":2},"fn_name":null},{"line":256,"address":[559563,559721],"length":1,"stats":{"Line":2},"fn_name":null},{"line":257,"address":[559748],"length":1,"stats":{"Line":1},"fn_name":null},{"line":259,"address":[559727,559832],"length":1,"stats":{"Line":2},"fn_name":null},{"line":260,"address":[559941],"length":1,"stats":{"Line":1},"fn_name":null},{"line":262,"address":[559843],"length":1,"stats":{"Line":1},"fn_name":null},{"line":266,"address":[560048,560259],"length":1,"stats":{"Line":1},"fn_name":"serialize_ed25519_private"},{"line":267,"address":[560398,560186,560328],"length":1,"stats":{"Line":3},"fn_name":null},{"line":268,"address":[560091],"length":1,"stats":{"Line":1},"fn_name":null},{"line":269,"address":[560126],"length":1,"stats":{"Line":1},"fn_name":null},{"line":270,"address":[560145],"length":1,"stats":{"Line":0},"fn_name":null},{"line":274,"address":[560675,560464],"length":1,"stats":{"Line":1},"fn_name":"serialize_ed25519_public"},{"line":275,"address":[560602,560814,560744],"length":1,"stats":{"Line":3},"fn_name":null},{"line":276,"address":[560507],"length":1,"stats":{"Line":1},"fn_name":null},{"line":277,"address":[560542],"length":1,"stats":{"Line":1},"fn_name":null},{"line":278,"address":[560561],"length":1,"stats":{"Line":0},"fn_name":null},{"line":284,"address":[561495,560880],"length":1,"stats":{"Line":1},"fn_name":"deserialize_ed25519_private"},{"line":285,"address":[561077,560913],"length":1,"stats":{"Line":2},"fn_name":null},{"line":286,"address":[561209,561051],"length":1,"stats":{"Line":2},"fn_name":null},{"line":287,"address":[561236],"length":1,"stats":{"Line":1},"fn_name":null},{"line":289,"address":[561215,561320],"length":1,"stats":{"Line":2},"fn_name":null},{"line":290,"address":[561429],"length":1,"stats":{"Line":1},"fn_name":null},{"line":292,"address":[561331],"length":1,"stats":{"Line":2},"fn_name":null},{"line":298,"address":[562151,561536],"length":1,"stats":{"Line":1},"fn_name":"deserialize_ed25519_public"},{"line":299,"address":[561733,561569],"length":1,"stats":{"Line":2},"fn_name":null},{"line":300,"address":[561707,561865],"length":1,"stats":{"Line":2},"fn_name":null},{"line":301,"address":[561892],"length":1,"stats":{"Line":1},"fn_name":null},{"line":303,"address":[561976,561871],"length":1,"stats":{"Line":2},"fn_name":null},{"line":304,"address":[562085],"length":1,"stats":{"Line":1},"fn_name":null},{"line":306,"address":[561987],"length":1,"stats":{"Line":1},"fn_name":null},{"line":313,"address":[562612,562192,562914],"length":1,"stats":{"Line":3},"fn_name":"sign"},{"line":314,"address":[562225],"length":1,"stats":{"Line":3},"fn_name":null},{"line":315,"address":[562249,562312],"length":1,"stats":{"Line":6},"fn_name":null},{"line":316,"address":[562325],"length":1,"stats":{"Line":3},"fn_name":null},{"line":318,"address":[562652],"length":1,"stats":{"Line":3},"fn_name":null},{"line":319,"address":[562889],"length":1,"stats":{"Line":4},"fn_name":null},{"line":325,"address":[563349,563794,562944],"length":1,"stats":{"Line":1},"fn_name":"check_signature"},{"line":326,"address":[562987],"length":1,"stats":{"Line":1},"fn_name":null},{"line":327,"address":[563074,563011],"length":1,"stats":{"Line":2},"fn_name":null},{"line":328,"address":[563087],"length":1,"stats":{"Line":1},"fn_name":null},{"line":330,"address":[563642,563381],"length":1,"stats":{"Line":2},"fn_name":null},{"line":332,"address":[563611,563856,563748],"length":1,"stats":{"Line":3},"fn_name":null},{"line":336,"address":[563952],"length":1,"stats":{"Line":1},"fn_name":"expired"},{"line":337,"address":[563974],"length":1,"stats":{"Line":1},"fn_name":null},{"line":343,"address":[564048],"length":1,"stats":{"Line":1},"fn_name":"verify"},{"line":344,"address":[564123],"length":1,"stats":{"Line":1},"fn_name":null},{"line":345,"address":[564200],"length":1,"stats":{"Line":1},"fn_name":null},{"line":348,"address":[564224,564142,564324,564357],"length":1,"stats":{"Line":5},"fn_name":null},{"line":350,"address":[564341],"length":1,"stats":{"Line":2},"fn_name":null},{"line":351,"address":[564403],"length":1,"stats":{"Line":1},"fn_name":null},{"line":354,"address":[564387],"length":1,"stats":{"Line":1},"fn_name":null},{"line":355,"address":[564479],"length":1,"stats":{"Line":1},"fn_name":null},{"line":358,"address":[564423,564671,564495],"length":1,"stats":{"Line":5},"fn_name":null},{"line":359,"address":[564781],"length":1,"stats":{"Line":0},"fn_name":null},{"line":362,"address":[564749],"length":1,"stats":{"Line":2},"fn_name":null},{"line":366,"address":[564800],"length":1,"stats":{"Line":2},"fn_name":"check_root_constraints"},{"line":368,"address":[564846],"length":1,"stats":{"Line":2},"fn_name":null},{"line":369,"address":[564972],"length":1,"stats":{"Line":2},"fn_name":null},{"line":370,"address":[565018],"length":1,"stats":{"Line":0},"fn_name":null},{"line":374,"address":[564999],"length":1,"stats":{"Line":2},"fn_name":null},{"line":375,"address":[565060],"length":1,"stats":{"Line":0},"fn_name":null},{"line":379,"address":[565040],"length":1,"stats":{"Line":2},"fn_name":null},{"line":380,"address":[565101],"length":1,"stats":{"Line":1},"fn_name":null},{"line":381,"address":[565240],"length":1,"stats":{"Line":1},"fn_name":null},{"line":382,"address":[565348],"length":1,"stats":{"Line":1},"fn_name":null},{"line":383,"address":[565384],"length":1,"stats":{"Line":1},"fn_name":null},{"line":389,"address":[565072],"length":1,"stats":{"Line":1},"fn_name":null},{"line":390,"address":[565428],"length":1,"stats":{"Line":1},"fn_name":null},{"line":391,"address":[565525],"length":1,"stats":{"Line":1},"fn_name":null},{"line":392,"address":[565588],"length":1,"stats":{"Line":1},"fn_name":null},{"line":398,"address":[565399],"length":1,"stats":{"Line":1},"fn_name":null},{"line":399,"address":[565613],"length":1,"stats":{"Line":1},"fn_name":null},{"line":400,"address":[565710],"length":1,"stats":{"Line":1},"fn_name":null},{"line":401,"address":[565773],"length":1,"stats":{"Line":1},"fn_name":null},{"line":406,"address":[565598],"length":1,"stats":{"Line":1},"fn_name":null},{"line":415,"address":[565792,566389],"length":1,"stats":{"Line":1},"fn_name":"verify_private_key"},{"line":416,"address":[565847],"length":1,"stats":{"Line":1},"fn_name":null},{"line":418,"address":[565887],"length":1,"stats":{"Line":1},"fn_name":null},{"line":419,"address":[565983],"length":1,"stats":{"Line":0},"fn_name":null},{"line":423,"address":[566145,566040,565909],"length":1,"stats":{"Line":2},"fn_name":null},{"line":424,"address":[566126,566270],"length":1,"stats":{"Line":2},"fn_name":null},{"line":425,"address":[566293],"length":1,"stats":{"Line":1},"fn_name":null},{"line":426,"address":[566328],"length":1,"stats":{"Line":1},"fn_name":null},{"line":429,"address":[566314],"length":1,"stats":{"Line":1},"fn_name":null},{"line":432,"address":[565864],"length":1,"stats":{"Line":1},"fn_name":null},{"line":433,"address":[566503],"length":1,"stats":{"Line":0},"fn_name":null},{"line":436,"address":[566541,566450],"length":1,"stats":{"Line":2},"fn_name":null},{"line":437,"address":[566701],"length":1,"stats":{"Line":1},"fn_name":null},{"line":439,"address":[566738],"length":1,"stats":{"Line":1},"fn_name":null},{"line":440,"address":[567118],"length":1,"stats":{"Line":1},"fn_name":null},{"line":441,"address":[567144],"length":1,"stats":{"Line":1},"fn_name":null},{"line":444,"address":[567127],"length":1,"stats":{"Line":1},"fn_name":null},{"line":453,"address":[567200,568321],"length":1,"stats":{"Line":6},"fn_name":"get_raw_details"},{"line":456,"address":[567239],"length":1,"stats":{"Line":6},"fn_name":null},{"line":457,"address":[567268],"length":1,"stats":{"Line":5},"fn_name":null},{"line":458,"address":[567327],"length":1,"stats":{"Line":5},"fn_name":null},{"line":459,"address":[567383,567474],"length":1,"stats":{"Line":12},"fn_name":null},{"line":460,"address":[567655,567575],"length":1,"stats":{"Line":12},"fn_name":null},{"line":461,"address":[567765],"length":1,"stats":{"Line":6},"fn_name":null},{"line":462,"address":[567911],"length":1,"stats":{"Line":6},"fn_name":null},{"line":463,"address":[567965],"length":1,"stats":{"Line":6},"fn_name":null},{"line":464,"address":[567978,568044],"length":1,"stats":{"Line":12},"fn_name":null},{"line":467,"address":[568400,568528,568294],"length":1,"stats":{"Line":14},"fn_name":null},{"line":468,"address":[568549],"length":1,"stats":{"Line":2},"fn_name":null},{"line":469,"address":[568649],"length":1,"stats":{"Line":2},"fn_name":null},{"line":472,"address":[568496,568751,568857],"length":1,"stats":{"Line":9},"fn_name":null},{"line":473,"address":[568878],"length":1,"stats":{"Line":1},"fn_name":null},{"line":474,"address":[568978],"length":1,"stats":{"Line":1},"fn_name":null},{"line":483,"address":[569072,569287],"length":1,"stats":{"Line":1},"fn_name":"serialize"},{"line":485,"address":[569115],"length":1,"stats":{"Line":1},"fn_name":null},{"line":486,"address":[569152],"length":1,"stats":{"Line":1},"fn_name":null},{"line":489,"address":[569268],"length":1,"stats":{"Line":1},"fn_name":null},{"line":490,"address":[569413,569355],"length":1,"stats":{"Line":6},"fn_name":null},{"line":491,"address":[569442,569613],"length":1,"stats":{"Line":4},"fn_name":null},{"line":493,"address":[569502],"length":1,"stats":{"Line":4},"fn_name":null},{"line":499,"address":[570127,569776],"length":1,"stats":{"Line":1},"fn_name":"serialize_to_pem"},{"line":500,"address":[569801,569918],"length":1,"stats":{"Line":1},"fn_name":null},{"line":502,"address":[570036,570202,570268],"length":1,"stats":{"Line":6},"fn_name":null},{"line":503,"address":[569886],"length":1,"stats":{"Line":1},"fn_name":null},{"line":504,"address":[570010],"length":1,"stats":{"Line":1},"fn_name":null},{"line":511,"address":[570881,570912,570368],"length":1,"stats":{"Line":1},"fn_name":"sha256sum"},{"line":512,"address":[570506,570392],"length":1,"stats":{"Line":1},"fn_name":null},{"line":514,"address":[570495],"length":1,"stats":{"Line":3},"fn_name":null},{"line":515,"address":[570606],"length":1,"stats":{"Line":2},"fn_name":null},{"line":517,"address":[570663],"length":1,"stats":{"Line":3},"fn_name":null},{"line":548,"address":[570928],"length":1,"stats":{"Line":1},"fn_name":"net_match"},{"line":549,"address":[570978,571042],"length":1,"stats":{"Line":2},"fn_name":null},{"line":550,"address":[571052],"length":1,"stats":{"Line":1},"fn_name":null},{"line":551,"address":[571069],"length":1,"stats":{"Line":1},"fn_name":null},{"line":554,"address":[571035],"length":1,"stats":{"Line":1},"fn_name":null}],"covered":175,"coverable":184},{"path":["/","home","core","prj","e3t","trifid","trifid-pki","src","cert_codec.rs"],"content":"// Automatically generated rust module for 'cert_codec.proto' file\n\n#![allow(non_snake_case)]\n#![allow(non_upper_case_globals)]\n#![allow(non_camel_case_types)]\n#![allow(unused_imports)]\n#![allow(unknown_lints)]\n#![allow(clippy::all)]\n#![cfg_attr(rustfmt, rustfmt_skip)]\n#![allow(clippy::pedantic)]\n\nuse quick_protobuf::{MessageInfo, MessageRead, MessageWrite, BytesReader, Writer, WriterBackend, Result};\nuse quick_protobuf::sizeofs::*;\nuse super::*;\n\n#[allow(clippy::derive_partial_eq_without_eq)]\n#[derive(Debug, Default, PartialEq, Clone)]\npub struct RawNebulaCertificate {\n    pub Details: Option\u003ccert_codec::RawNebulaCertificateDetails\u003e,\n    pub Signature: Vec\u003cu8\u003e,\n}\n\nimpl\u003c'a\u003e MessageRead\u003c'a\u003e for RawNebulaCertificate {\n    fn from_reader(r: \u0026mut BytesReader, bytes: \u0026'a [u8]) -\u003e Result\u003cSelf\u003e {\n        let mut msg = Self::default();\n        while !r.is_eof() {\n            match r.next_tag(bytes) {\n                Ok(10) =\u003e msg.Details = Some(r.read_message::\u003ccert_codec::RawNebulaCertificateDetails\u003e(bytes)?),\n                Ok(18) =\u003e msg.Signature = r.read_bytes(bytes)?.to_owned(),\n                Ok(t) =\u003e { r.read_unknown(bytes, t)?; }\n                Err(e) =\u003e return Err(e),\n            }\n        }\n        Ok(msg)\n    }\n}\n\nimpl MessageWrite for RawNebulaCertificate {\n    fn get_size(\u0026self) -\u003e usize {\n        0\n        + self.Details.as_ref().map_or(0, |m| 1 + sizeof_len((m).get_size()))\n        + if self.Signature.is_empty() { 0 } else { 1 + sizeof_len((\u0026self.Signature).len()) }\n    }\n\n    fn write_message\u003cW: WriterBackend\u003e(\u0026self, w: \u0026mut Writer\u003cW\u003e) -\u003e Result\u003c()\u003e {\n        if let Some(ref s) = self.Details { w.write_with_tag(10, |w| w.write_message(s))?; }\n        if !self.Signature.is_empty() { w.write_with_tag(18, |w| w.write_bytes(\u0026**\u0026self.Signature))?; }\n        Ok(())\n    }\n}\n\n#[allow(clippy::derive_partial_eq_without_eq)]\n#[derive(Debug, Default, PartialEq, Clone)]\npub struct RawNebulaCertificateDetails {\n    pub Name: String,\n    pub Ips: Vec\u003cu32\u003e,\n    pub Subnets: Vec\u003cu32\u003e,\n    pub Groups: Vec\u003cString\u003e,\n    pub NotBefore: i64,\n    pub NotAfter: i64,\n    pub PublicKey: Vec\u003cu8\u003e,\n    pub IsCA: bool,\n    pub Issuer: Vec\u003cu8\u003e,\n}\n\nimpl\u003c'a\u003e MessageRead\u003c'a\u003e for RawNebulaCertificateDetails {\n    fn from_reader(r: \u0026mut BytesReader, bytes: \u0026'a [u8]) -\u003e Result\u003cSelf\u003e {\n        let mut msg = Self::default();\n        while !r.is_eof() {\n            match r.next_tag(bytes) {\n                Ok(10) =\u003e msg.Name = r.read_string(bytes)?.to_owned(),\n                Ok(18) =\u003e msg.Ips = r.read_packed(bytes, |r, bytes| Ok(r.read_uint32(bytes)?))?,\n                Ok(26) =\u003e msg.Subnets = r.read_packed(bytes, |r, bytes| Ok(r.read_uint32(bytes)?))?,\n                Ok(34) =\u003e msg.Groups.push(r.read_string(bytes)?.to_owned()),\n                Ok(40) =\u003e msg.NotBefore = r.read_int64(bytes)?,\n                Ok(48) =\u003e msg.NotAfter = r.read_int64(bytes)?,\n                Ok(58) =\u003e msg.PublicKey = r.read_bytes(bytes)?.to_owned(),\n                Ok(64) =\u003e msg.IsCA = r.read_bool(bytes)?,\n                Ok(74) =\u003e msg.Issuer = r.read_bytes(bytes)?.to_owned(),\n                Ok(t) =\u003e { r.read_unknown(bytes, t)?; }\n                Err(e) =\u003e return Err(e),\n            }\n        }\n        Ok(msg)\n    }\n}\n\nimpl MessageWrite for RawNebulaCertificateDetails {\n    fn get_size(\u0026self) -\u003e usize {\n        0\n        + if self.Name == String::default() { 0 } else { 1 + sizeof_len((\u0026self.Name).len()) }\n        + if self.Ips.is_empty() { 0 } else { 1 + sizeof_len(self.Ips.iter().map(|s| sizeof_varint(*(s) as u64)).sum::\u003cusize\u003e()) }\n        + if self.Subnets.is_empty() { 0 } else { 1 + sizeof_len(self.Subnets.iter().map(|s| sizeof_varint(*(s) as u64)).sum::\u003cusize\u003e()) }\n        + self.Groups.iter().map(|s| 1 + sizeof_len((s).len())).sum::\u003cusize\u003e()\n        + if self.NotBefore == 0i64 { 0 } else { 1 + sizeof_varint(*(\u0026self.NotBefore) as u64) }\n        + if self.NotAfter == 0i64 { 0 } else { 1 + sizeof_varint(*(\u0026self.NotAfter) as u64) }\n        + if self.PublicKey.is_empty() { 0 } else { 1 + sizeof_len((\u0026self.PublicKey).len()) }\n        + if self.IsCA == false { 0 } else { 1 + sizeof_varint(*(\u0026self.IsCA) as u64) }\n        + if self.Issuer.is_empty() { 0 } else { 1 + sizeof_len((\u0026self.Issuer).len()) }\n    }\n\n    fn write_message\u003cW: WriterBackend\u003e(\u0026self, w: \u0026mut Writer\u003cW\u003e) -\u003e Result\u003c()\u003e {\n        if self.Name != String::default() { w.write_with_tag(10, |w| w.write_string(\u0026**\u0026self.Name))?; }\n        w.write_packed_with_tag(18, \u0026self.Ips, |w, m| w.write_uint32(*m), \u0026|m| sizeof_varint(*(m) as u64))?;\n        w.write_packed_with_tag(26, \u0026self.Subnets, |w, m| w.write_uint32(*m), \u0026|m| sizeof_varint(*(m) as u64))?;\n        for s in \u0026self.Groups { w.write_with_tag(34, |w| w.write_string(\u0026**s))?; }\n        if self.NotBefore != 0i64 { w.write_with_tag(40, |w| w.write_int64(*\u0026self.NotBefore))?; }\n        if self.NotAfter != 0i64 { w.write_with_tag(48, |w| w.write_int64(*\u0026self.NotAfter))?; }\n        if !self.PublicKey.is_empty() { w.write_with_tag(58, |w| w.write_bytes(\u0026**\u0026self.PublicKey))?; }\n        if self.IsCA != false { w.write_with_tag(64, |w| w.write_bool(*\u0026self.IsCA))?; }\n        if !self.Issuer.is_empty() { w.write_with_tag(74, |w| w.write_bytes(\u0026**\u0026self.Issuer))?; }\n        Ok(())\n    }\n}\n\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-pki","src","lib.rs"],"content":"//! # trifid-pki\n//! trifid-pki is a crate for interacting with the Nebula PKI system. It was created to prevent the need to make constant CLI calls for signing operations in Nebula.\n//! It is designed to be interoperable with the original Go implementation and as such has some oddities with key management to ensure compatability.\n//!\n//! This crate has not received any format security audits, however the underlying crates used for actual cryptographic operations (ed25519-dalek and curve25519-dalek) have been audited with no major issues.\n\n#![warn(clippy::pedantic)]\n#![warn(clippy::nursery)]\n#![deny(clippy::unwrap_used)]\n#![deny(clippy::expect_used)]\n#![deny(missing_docs)]\n#![deny(clippy::missing_errors_doc)]\n#![deny(clippy::missing_panics_doc)]\n#![deny(clippy::missing_safety_doc)]\n#![allow(clippy::must_use_candidate)]\n#![allow(clippy::too_many_lines)]\n#![allow(clippy::module_name_repetitions)]\n\n\nextern crate core;\n\npub mod ca;\npub mod cert;\n#[cfg(not(tarpaulin_include))]\npub(crate) mod cert_codec;\n#[cfg(test)]\n#[macro_use]\npub mod test;","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-pki","src","test.rs"],"content":"#![allow(clippy::unwrap_used)]\n#![allow(clippy::expect_used)]\n\nuse crate::netmask;\nuse std::net::Ipv4Addr;\nuse std::ops::{Add, Sub};\nuse std::time::{Duration, SystemTime, SystemTimeError, UNIX_EPOCH};\nuse ipnet::Ipv4Net;\nuse crate::cert::{CertificateValidity, deserialize_ed25519_private, deserialize_ed25519_public, deserialize_nebula_certificate, deserialize_nebula_certificate_from_pem, deserialize_x25519_private, deserialize_x25519_public, NebulaCertificate, NebulaCertificateDetails, serialize_ed25519_private, serialize_ed25519_public, serialize_x25519_private, serialize_x25519_public};\nuse std::str::FromStr;\nuse ed25519_dalek::{SigningKey, VerifyingKey};\nuse quick_protobuf::{MessageWrite, Writer};\nuse rand::rngs::OsRng;\nuse crate::ca::{NebulaCAPool};\nuse crate::cert_codec::{RawNebulaCertificate, RawNebulaCertificateDetails};\n\n/// This is a cert that we (e3team) actually use in production, and it's a known-good certificate.\npub const KNOWN_GOOD_CERT: \u0026[u8; 258] = b\"-----BEGIN NEBULA CERTIFICATE-----\\nCkkKF2UzdGVhbSBJbnRlcm5hbCBOZXR3b3JrKJWev5wGMJWFxKsGOiCvpwoHyKY5\\n8Q5+2XxDjtoCf/zlNY/EUdB8bwXQSwEo50ABEkB0Dx76lkMqc3IyH5+ml2dKjTyv\\nB4Jiw6x3abf5YZcf8rDuVEgQpvFdJmo3xJyIb3C9vKZ6kXsUxjw6s1JdWgkA\\n-----END NEBULA CERTIFICATE-----\";\n\n#[test]\nfn certificate_serialization() {\n    let before = round_systime_to_secs(SystemTime::now() - Duration::from_secs(60)).unwrap();\n    let after = round_systime_to_secs(SystemTime::now() + Duration::from_secs(60)).unwrap();\n    let pub_key = b\"1234567890abcedfghij1234567890ab\";\n\n    let cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: \"testing\".to_string(),\n            ips: vec![\n                netmask!(\"10.1.1.1\", \"255.255.255.0\"),\n                netmask!(\"10.1.1.2\", \"255.255.0.0\"),\n                netmask!(\"10.1.1.3\", \"255.0.0.0\")\n            ],\n            subnets: vec![\n                netmask!(\"9.1.1.1\", \"255.255.255.128\"),\n                netmask!(\"9.1.1.2\", \"255.255.255.0\"),\n                netmask!(\"9.1.1.3\", \"255.255.0.0\")\n            ],\n            groups: vec![\"test-group1\".to_string(), \"test-group2\".to_string(), \"test-group3\".to_string()],\n            not_before: before,\n            not_after: after,\n            public_key: *pub_key,\n            is_ca: false,\n            issuer: \"1234567890abcedfabcd1234567890ab\".to_string(),\n        },\n        signature: b\"1234567890abcedfghij1234567890ab\".to_vec(),\n    };\n\n    let bytes = cert.serialize().unwrap();\n\n    let deserialized = deserialize_nebula_certificate(\u0026bytes).unwrap();\n\n    assert_eq!(cert.signature, deserialized.signature);\n    assert_eq!(cert.details.name, deserialized.details.name);\n    assert_eq!(cert.details.not_before, deserialized.details.not_before);\n    assert_eq!(cert.details.not_after, deserialized.details.not_after);\n    assert_eq!(cert.details.public_key, deserialized.details.public_key);\n    assert_eq!(cert.details.is_ca, deserialized.details.is_ca);\n\n    assert_eq!(cert.details.ips.len(), deserialized.details.ips.len());\n    for item in \u0026cert.details.ips {\n        assert!(deserialized.details.ips.contains(item), \"deserialized does not contain from source\");\n    }\n\n    assert_eq!(cert.details.subnets.len(), deserialized.details.subnets.len());\n    for item in \u0026cert.details.subnets {\n        assert!(deserialized.details.subnets.contains(item), \"deserialized does not contain from source\");\n    }\n\n    assert_eq!(cert.details.groups.len(), deserialized.details.groups.len());\n    for item in \u0026cert.details.groups {\n        assert!(deserialized.details.groups.contains(item), \"deserialized does not contain from source\");\n    }\n}\n\n#[test]\nfn certificate_serialization_pem() {\n    let before = round_systime_to_secs(SystemTime::now() - Duration::from_secs(60)).unwrap();\n    let after = round_systime_to_secs(SystemTime::now() + Duration::from_secs(60)).unwrap();\n    let pub_key = b\"1234567890abcedfghij1234567890ab\";\n\n    let cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: \"testing\".to_string(),\n            ips: vec![\n                netmask!(\"10.1.1.1\", \"255.255.255.0\"),\n                netmask!(\"10.1.1.2\", \"255.255.0.0\"),\n                netmask!(\"10.1.1.3\", \"255.0.0.0\")\n            ],\n            subnets: vec![\n                netmask!(\"9.1.1.1\", \"255.255.255.128\"),\n                netmask!(\"9.1.1.2\", \"255.255.255.0\"),\n                netmask!(\"9.1.1.3\", \"255.255.0.0\")\n            ],\n            groups: vec![\"test-group1\".to_string(), \"test-group2\".to_string(), \"test-group3\".to_string()],\n            not_before: before,\n            not_after: after,\n            public_key: *pub_key,\n            is_ca: false,\n            issuer: \"1234567890abcedfabcd1234567890ab\".to_string(),\n        },\n        signature: b\"1234567890abcedfghij1234567890ab\".to_vec(),\n    };\n\n    let bytes = cert.serialize_to_pem().unwrap();\n\n    let deserialized = deserialize_nebula_certificate_from_pem(\u0026bytes).unwrap();\n\n    assert_eq!(cert.signature, deserialized.signature);\n    assert_eq!(cert.details.name, deserialized.details.name);\n    assert_eq!(cert.details.not_before, deserialized.details.not_before);\n    assert_eq!(cert.details.not_after, deserialized.details.not_after);\n    assert_eq!(cert.details.public_key, deserialized.details.public_key);\n    assert_eq!(cert.details.is_ca, deserialized.details.is_ca);\n\n    assert_eq!(cert.details.ips.len(), deserialized.details.ips.len());\n    for item in \u0026cert.details.ips {\n        assert!(deserialized.details.ips.contains(item), \"deserialized does not contain from source\");\n    }\n\n    assert_eq!(cert.details.subnets.len(), deserialized.details.subnets.len());\n    for item in \u0026cert.details.subnets {\n        assert!(deserialized.details.subnets.contains(item), \"deserialized does not contain from source\");\n    }\n\n    assert_eq!(cert.details.groups.len(), deserialized.details.groups.len());\n    for item in \u0026cert.details.groups {\n        assert!(deserialized.details.groups.contains(item), \"deserialized does not contain from source\");\n    }\n}\n\n#[test]\nfn cert_signing() {\n    let before = round_systime_to_secs(SystemTime::now() - Duration::from_secs(60)).unwrap();\n    let after = round_systime_to_secs(SystemTime::now() + Duration::from_secs(60)).unwrap();\n    let pub_key = b\"1234567890abcedfghij1234567890ab\";\n\n    let mut cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: \"testing\".to_string(),\n            ips: vec![\n                netmask!(\"10.1.1.1\", \"255.255.255.0\"),\n                netmask!(\"10.1.1.2\", \"255.255.0.0\"),\n                netmask!(\"10.1.1.3\", \"255.0.0.0\")\n            ],\n            subnets: vec![\n                netmask!(\"9.1.1.1\", \"255.255.255.128\"),\n                netmask!(\"9.1.1.2\", \"255.255.255.0\"),\n                netmask!(\"9.1.1.3\", \"255.255.0.0\")\n            ],\n            groups: vec![\"test-group1\".to_string(), \"test-group2\".to_string(), \"test-group3\".to_string()],\n            not_before: before,\n            not_after: after,\n            public_key: *pub_key,\n            is_ca: false,\n            issuer: \"1234567890abcedfabcd1234567890ab\".to_string(),\n        },\n        signature: b\"1234567890abcedfghij1234567890ab\".to_vec(),\n    };\n\n    let mut csprng = OsRng;\n    let key = SigningKey::generate(\u0026mut csprng);\n\n    assert!(cert.check_signature(\u0026key.verifying_key()).is_err());\n    cert.sign(\u0026key).unwrap();\n    assert!(cert.check_signature(\u0026key.verifying_key()).unwrap());\n}\n\n#[test]\nfn cert_expiry() {\n    let cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: String::new(),\n            ips: vec![],\n            subnets: vec![],\n            groups: vec![],\n            not_before: SystemTime::now().sub(Duration::from_secs(60)),\n            not_after: SystemTime::now().add(Duration::from_secs(60)),\n            public_key: [0u8; 32],\n            is_ca: false,\n            issuer: String::new(),\n        },\n        signature: vec![],\n    };\n\n    assert!(cert.expired(SystemTime::now().add(Duration::from_secs(60 * 60 * 60))));\n    assert!(cert.expired(SystemTime::now().sub(Duration::from_secs(60 * 60 * 60))));\n    assert!(!cert.expired(SystemTime::now()));\n}\n\n#[test]\nfn cert_display() {\n    let cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: String::new(),\n            ips: vec![],\n            subnets: vec![],\n            groups: vec![],\n            not_before: SystemTime::now().sub(Duration::from_secs(60)),\n            not_after: SystemTime::now().add(Duration::from_secs(60)),\n            public_key: [0u8; 32],\n            is_ca: false,\n            issuer: String::new(),\n        },\n        signature: vec![],\n    };\n    println!(\"{cert}\");\n}\n\n#[test]\n#[should_panic]\nfn cert_deserialize_empty_bytes() {\n    deserialize_nebula_certificate(\u0026[]).unwrap();\n}\n\n#[test]\nfn cert_deserialize_unpaired_ips() {\n    let broken_cert = RawNebulaCertificate {\n        Details: Some(RawNebulaCertificateDetails {\n            Name: String::new(),\n            Ips: vec![0],\n            Subnets: vec![],\n            Groups: vec![],\n            NotBefore: 0,\n            NotAfter: 0,\n            PublicKey: vec![],\n            IsCA: false,\n            Issuer: vec![],\n        }),\n        Signature: vec![],\n    };\n    let mut bytes = vec![];\n    let mut writer = Writer::new(\u0026mut bytes);\n    broken_cert.write_message(\u0026mut writer).unwrap();\n\n    deserialize_nebula_certificate(\u0026bytes).unwrap_err();\n}\n\n#[test]\nfn cert_deserialize_unpaired_subnets() {\n    let broken_cert = RawNebulaCertificate {\n        Details: Some(RawNebulaCertificateDetails {\n            Name: String::new(),\n            Ips: vec![],\n            Subnets: vec![0],\n            Groups: vec![],\n            NotBefore: 0,\n            NotAfter: 0,\n            PublicKey: vec![],\n            IsCA: false,\n            Issuer: vec![],\n        }),\n        Signature: vec![],\n    };\n    let mut bytes = vec![];\n    let mut writer = Writer::new(\u0026mut bytes);\n    broken_cert.write_message(\u0026mut writer).unwrap();\n\n    deserialize_nebula_certificate(\u0026bytes).unwrap_err();\n}\n\n#[test]\nfn cert_deserialize_wrong_pubkey_len() {\n    let broken_cert = RawNebulaCertificate {\n        Details: Some(RawNebulaCertificateDetails {\n            Name: String::new(),\n            Ips: vec![],\n            Subnets: vec![],\n            Groups: vec![],\n            NotBefore: 0,\n            NotAfter: 0,\n            PublicKey: vec![0u8; 31],\n            IsCA: false,\n            Issuer: vec![],\n        }),\n        Signature: vec![],\n    };\n    let mut bytes = vec![];\n    let mut writer = Writer::new(\u0026mut bytes);\n    broken_cert.write_message(\u0026mut writer).unwrap();\n\n    deserialize_nebula_certificate(\u0026bytes).unwrap_err();\n\n    assert!(deserialize_nebula_certificate_from_pem(\u0026[0u8; 32]).is_err());\n}\n\n#[test]\nfn x25519_serialization() {\n    let bytes = [0u8; 32];\n    assert_eq!(deserialize_x25519_private(\u0026serialize_x25519_private(\u0026bytes)).unwrap(), bytes);\n    assert!(deserialize_x25519_private(\u0026[0u8; 32]).is_err());\n    assert_eq!(deserialize_x25519_public(\u0026serialize_x25519_public(\u0026bytes)).unwrap(), bytes);\n    assert!(deserialize_x25519_public(\u0026[0u8; 32]).is_err());\n}\n\n#[test]\nfn ed25519_serialization() {\n    let bytes = [0u8; 64];\n    assert_eq!(deserialize_ed25519_private(\u0026serialize_ed25519_private(\u0026bytes)).unwrap(), bytes);\n    assert!(deserialize_ed25519_private(\u0026[0u8; 32]).is_err());\n    assert_eq!(deserialize_ed25519_public(\u0026serialize_ed25519_public(\u0026bytes)).unwrap(), bytes);\n    assert!(deserialize_ed25519_public(\u0026[0u8; 32]).is_err());\n}\n\n#[test]\nfn cert_verify() {\n    let (ca_cert, ca_key, _ca_pub) = test_ca_cert(round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 10)).unwrap(), vec![], vec![], vec![\"groupa\".to_string()]);\n\n    let (cert, _, _) = test_cert(\u0026ca_cert, \u0026ca_key, SystemTime::now(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![], vec![], vec![]);\n\n    let mut ca_pool = NebulaCAPool::new();\n    ca_pool.add_ca_certificate(\u0026ca_cert.serialize_to_pem().unwrap()).unwrap();\n\n    let fingerprint = cert.sha256sum().unwrap();\n    ca_pool.blocklist_fingerprint(\u0026fingerprint);\n\n    assert!(matches!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Blocklisted));\n\n    ca_pool.reset_blocklist();\n\n    assert!(matches!(cert.verify(SystemTime::now() + Duration::from_secs(60 * 60 * 60), \u0026ca_pool).unwrap(), CertificateValidity::RootCertExpired));\n    assert!(matches!(cert.verify(SystemTime::now() + Duration::from_secs(60 * 60 * 6), \u0026ca_pool).unwrap(), CertificateValidity::CertExpired));\n\n    let (cert_with_bad_group, _, _) = test_cert(\u0026ca_cert, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), in_a_minute(), vec![], vec![], vec![\"group-not-present on parent\".to_string()]);\n    assert_eq!(cert_with_bad_group.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::GroupNotPresentOnSigner);\n\n    let (cert_with_good_group, _, _) = test_cert(\u0026ca_cert, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), in_a_minute(), vec![], vec![], vec![\"groupa\".to_string()]);\n    assert_eq!(cert_with_good_group.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n}\n\n#[test]\nfn cert_verify_ip() {\n    let ca_ip_1 = Ipv4Net::from_str(\"10.0.0.0/16\").unwrap();\n    let ca_ip_2 = Ipv4Net::from_str(\"192.168.0.0/24\").unwrap();\n\n    let (ca, ca_key, _ca_pub) = test_ca_cert(round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 10)).unwrap(), vec![ca_ip_1, ca_ip_2], vec![], vec![]);\n\n    let ca_pem = ca.serialize_to_pem().unwrap();\n\n    let mut ca_pool = NebulaCAPool::new();\n    ca_pool.add_ca_certificate(\u0026ca_pem).unwrap();\n\n    // ip is outside the network\n    let cip1 = netmask!(\"10.1.0.0\", \"255.255.255.0\");\n    let cip2 = netmask!(\"192.198.0.1\", \"255.255.0.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::IPNotPresentOnSigner);\n\n    // ip is outside the network - reversed order from above\n    let cip1 = netmask!(\"192.198.0.1\", \"255.255.255.0\");\n    let cip2 = netmask!(\"10.1.0.0\", \"255.255.255.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::IPNotPresentOnSigner);\n\n    // ip is within the network but mask is outside\n    let cip1 = netmask!(\"10.0.1.0\", \"255.254.0.0\");\n    let cip2 = netmask!(\"192.168.0.1\", \"255.255.255.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::IPNotPresentOnSigner);\n\n    // ip is within the network but mask is outside - reversed order from above\n    let cip1 = netmask!(\"192.168.0.1\", \"255.255.255.0\");\n    let cip2 = netmask!(\"10.0.1.0\", \"255.254.0.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::IPNotPresentOnSigner);\n\n    // ip and mask are within the network\n    let cip1 = netmask!(\"10.0.1.0\", \"255.255.0.0\");\n    let cip2 = netmask!(\"192.168.0.1\", \"255.255.255.128\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![ca_ip_1, ca_ip_2], vec![], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches reversed\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![ca_ip_2, ca_ip_1], vec![], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches reversed with just one\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![ca_ip_2], vec![], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n}\n\n#[test]\nfn cert_verify_subnet() {\n    let ca_ip_1 = Ipv4Net::from_str(\"10.0.0.0/16\").unwrap();\n    let ca_ip_2 = Ipv4Net::from_str(\"192.168.0.0/24\").unwrap();\n\n    let (ca, ca_key, _ca_pub) = test_ca_cert(round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 10)).unwrap(), vec![],vec![ca_ip_1, ca_ip_2], vec![]);\n\n    let ca_pem = ca.serialize_to_pem().unwrap();\n\n    let mut ca_pool = NebulaCAPool::new();\n    ca_pool.add_ca_certificate(\u0026ca_pem).unwrap();\n\n    // ip is outside the network\n    let cip1 = netmask!(\"10.1.0.0\", \"255.255.255.0\");\n    let cip2 = netmask!(\"192.198.0.1\", \"255.255.0.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![],vec![cip1, cip2], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::SubnetNotPresentOnSigner);\n\n    // ip is outside the network - reversed order from above\n    let cip1 = netmask!(\"192.198.0.1\", \"255.255.255.0\");\n    let cip2 = netmask!(\"10.1.0.0\", \"255.255.255.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![],vec![cip1, cip2], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::SubnetNotPresentOnSigner);\n\n    // ip is within the network but mask is outside\n    let cip1 = netmask!(\"10.0.1.0\", \"255.254.0.0\");\n    let cip2 = netmask!(\"192.168.0.1\", \"255.255.255.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![],vec![cip1, cip2], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::SubnetNotPresentOnSigner);\n\n    // ip is within the network but mask is outside - reversed order from above\n    let cip1 = netmask!(\"192.168.0.1\", \"255.255.255.0\");\n    let cip2 = netmask!(\"10.0.1.0\", \"255.254.0.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::SubnetNotPresentOnSigner);\n\n    // ip and mask are within the network\n    let cip1 = netmask!(\"10.0.1.0\", \"255.255.0.0\");\n    let cip2 = netmask!(\"192.168.0.1\", \"255.255.255.128\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![], vec![cip1, cip2], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![],vec![ca_ip_1, ca_ip_2], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches reversed\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![], vec![ca_ip_2, ca_ip_1], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches reversed with just one\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![], vec![ca_ip_2], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n}\n\n#[test]\nfn cert_private_key() {\n    let (ca, ca_key, _) = test_ca_cert(SystemTime::now(), SystemTime::now(), vec![], vec![], vec![]);\n    ca.verify_private_key(\u0026ca_key.to_keypair_bytes()).unwrap();\n\n    let (_, ca_key2, _) = test_ca_cert(SystemTime::now(), SystemTime::now(), vec![], vec![], vec![]);\n    ca.verify_private_key(\u0026ca_key2.to_keypair_bytes()).unwrap_err();\n\n    let (cert, priv_key, _) = test_cert(\u0026ca, \u0026ca_key, SystemTime::now(), SystemTime::now(), vec![], vec![], vec![]);\n    cert.verify_private_key(\u0026priv_key.to_bytes()).unwrap();\n\n    let (cert2, _, _) = test_cert(\u0026ca, \u0026ca_key, SystemTime::now(), SystemTime::now(), vec![], vec![], vec![]);\n    cert2.verify_private_key(\u0026priv_key.to_bytes()).unwrap_err();\n}\n\n#[test]\nfn capool_from_pem() {\n    let no_newlines = b\"# Current provisional, Remove once everything moves over to the real root.\n-----BEGIN NEBULA CERTIFICATE-----\nCkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL\nvcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv\nbzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB\n-----END NEBULA CERTIFICATE-----\n# root-ca01\n-----BEGIN NEBULA CERTIFICATE-----\nCkMKEW5lYnVsYSByb290IGNhIDAxKJL2u9EFMJL86+cGOiDPXMH4oU6HZTk/CqTG\nBVG+oJpAoqokUBbI4U0N8CSfpUABEkB/Pm5A2xyH/nc8mg/wvGUWG3pZ7nHzaDMf\n8/phAUt+FLzqTECzQKisYswKvE3pl9mbEYKbOdIHrxdIp95mo4sF\n-----END NEBULA CERTIFICATE-----\";\n    let with_newlines = b\"# Current provisional, Remove once everything moves over to the real root.\n-----BEGIN NEBULA CERTIFICATE-----\nCkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL\nvcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv\nbzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB\n-----END NEBULA CERTIFICATE-----\n# root-ca01\n-----BEGIN NEBULA CERTIFICATE-----\nCkMKEW5lYnVsYSByb290IGNhIDAxKJL2u9EFMJL86+cGOiDPXMH4oU6HZTk/CqTG\nBVG+oJpAoqokUBbI4U0N8CSfpUABEkB/Pm5A2xyH/nc8mg/wvGUWG3pZ7nHzaDMf\n8/phAUt+FLzqTECzQKisYswKvE3pl9mbEYKbOdIHrxdIp95mo4sF\n-----END NEBULA CERTIFICATE-----\n\n\";\n    let expired = b\"# expired certificate\n-----BEGIN NEBULA CERTIFICATE-----\nCjkKB2V4cGlyZWQouPmWjQYwufmWjQY6ILCRaoCkJlqHgv5jfDN4lzLHBvDzaQm4\nvZxfu144hmgjQAESQG4qlnZi8DncvD/LDZnLgJHOaX1DWCHHEh59epVsC+BNgTie\nWH1M9n4O7cFtGlM6sJJOS+rCVVEJ3ABS7+MPdQs=\n-----END NEBULA CERTIFICATE-----\";\n\n    let pool_a = NebulaCAPool::new_from_pem(no_newlines).unwrap();\n    assert_eq!(pool_a.cas[\"c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522\"].details.name, \"nebula root ca\".to_string());\n    assert_eq!(pool_a.cas[\"5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd\"].details.name, \"nebula root ca 01\".to_string());\n    assert!(!pool_a.expired);\n\n    let pool_b = NebulaCAPool::new_from_pem(with_newlines).unwrap();\n    assert_eq!(pool_b.cas[\"c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522\"].details.name, \"nebula root ca\".to_string());\n    assert_eq!(pool_b.cas[\"5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd\"].details.name, \"nebula root ca 01\".to_string());\n    assert!(!pool_b.expired);\n\n    let pool_c = NebulaCAPool::new_from_pem(expired).unwrap();\n    assert!(pool_c.expired);\n    assert_eq!(pool_c.cas[\"152070be6bb19bc9e3bde4c2f0e7d8f4ff5448b4c9856b8eccb314fade0229b0\"].details.name, \"expired\");\n\n    let mut pool_d = NebulaCAPool::new_from_pem(with_newlines).unwrap();\n    pool_d.add_ca_certificate(expired).unwrap();\n    assert_eq!(pool_d.cas[\"c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522\"].details.name, \"nebula root ca\".to_string());\n    assert_eq!(pool_d.cas[\"5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd\"].details.name, \"nebula root ca 01\".to_string());\n    assert_eq!(pool_d.cas[\"152070be6bb19bc9e3bde4c2f0e7d8f4ff5448b4c9856b8eccb314fade0229b0\"].details.name, \"expired\");\n    assert!(pool_d.expired);\n    assert_eq!(pool_d.get_fingerprints().len(), 3);\n}\n\n#[macro_export]\nmacro_rules! netmask {\n    ($ip:expr,$mask:expr) =\u003e {\n        Ipv4Net::with_netmask(Ipv4Addr::from_str($ip).unwrap(), Ipv4Addr::from_str($mask).unwrap()).unwrap()\n    };\n}\n\nfn round_systime_to_secs(time: SystemTime) -\u003e Result\u003cSystemTime, SystemTimeError\u003e {\n    let secs = time.duration_since(UNIX_EPOCH)?.as_secs();\n    Ok(SystemTime::UNIX_EPOCH.add(Duration::from_secs(secs)))\n}\n\nfn test_ca_cert(before: SystemTime, after: SystemTime, ips: Vec\u003cIpv4Net\u003e, subnets: Vec\u003cIpv4Net\u003e, groups: Vec\u003cString\u003e) -\u003e (NebulaCertificate, SigningKey, VerifyingKey) {\n    let mut csprng = OsRng;\n    let key = SigningKey::generate(\u0026mut csprng);\n    let pub_key = key.verifying_key();\n\n    let mut cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: \"TEST_CA\".to_string(),\n            ips,\n            subnets,\n            groups,\n            not_before: before,\n            not_after: after,\n            public_key: pub_key.to_bytes(),\n            is_ca: true,\n            issuer: String::new(),\n        },\n        signature: vec![],\n    };\n    cert.sign(\u0026key).unwrap();\n    (cert, key, pub_key)\n}\n\n#[test]\nfn test_deserialize_ed25519_private() {\n    let priv_key = b\"-----BEGIN NEBULA ED25519 PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\n-----END NEBULA ED25519 PRIVATE KEY-----\";\n    let short_key = b\"-----BEGIN NEBULA ED25519 PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n-----END NEBULA ED25519 PRIVATE KEY-----\";\n    let invalid_banner = b\"-----BEGIN NOT A NEBULA PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\n-----END NOT A NEBULA PRIVATE KEY-----\";\n    let invalid_pem = b\"-BEGIN NEBULA ED25519 PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\n-END NEBULA ED25519 PRIVATE KEY-----\";\n\n    deserialize_ed25519_private(priv_key).unwrap();\n\n    deserialize_ed25519_private(short_key).unwrap_err();\n\n    deserialize_ed25519_private(invalid_banner).unwrap_err();\n\n    deserialize_ed25519_private(invalid_pem).unwrap_err();\n}\n\n#[test]\nfn test_deserialize_x25519_private() {\n    let priv_key = b\"-----BEGIN NEBULA X25519 PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n-----END NEBULA X25519 PRIVATE KEY-----\";\n    let short_key = b\"-----BEGIN NEBULA X25519 PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\n-----END NEBULA X25519 PRIVATE KEY-----\";\n    let invalid_banner = b\"-----BEGIN NOT A NEBULA PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n-----END NOT A NEBULA PRIVATE KEY-----\";\n    let invalid_pem = b\"-BEGIN NEBULA X25519 PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n-END NEBULA X25519 PRIVATE KEY-----\";\n\n    deserialize_x25519_private(priv_key).unwrap();\n\n    deserialize_x25519_private(short_key).unwrap_err();\n\n    deserialize_x25519_private(invalid_banner).unwrap_err();\n\n    deserialize_x25519_private(invalid_pem).unwrap_err();\n}\n\n#[test]\nfn test_pem_deserialization() {\n    let good_cert = b\"# A good cert\n-----BEGIN NEBULA CERTIFICATE-----\nCkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL\nvcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv\nbzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB\n-----END NEBULA CERTIFICATE-----\";\n    let bad_banner = b\"-----BEGIN NOT A NEBULA CERTIFICATE-----\nCkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL\nvcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv\nbzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB\n-----END NOT A NEBULA CERTIFICATE-----\";\n    let invalid_pem = b\"# Not a valid PEM format\n-BEGIN NEBULA CERTIFICATE-----\nCkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL\nvcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv\nbzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB\n-END NEBULA CERTIFICATE----\";\n\n    // success\n    deserialize_nebula_certificate_from_pem(good_cert).unwrap();\n\n    // fail because invalid banner\n    deserialize_nebula_certificate_from_pem(bad_banner).unwrap_err();\n\n    // fail because nonsense pem\n    deserialize_nebula_certificate_from_pem(invalid_pem).unwrap_err();\n}\n\n#[test]\nfn test_deserialize_ed25519_public() {\n    let priv_key = b\"-----BEGIN NEBULA ED25519 PUBLIC KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\n-----END NEBULA ED25519 PUBLIC KEY-----\";\n    let short_key = b\"-----BEGIN NEBULA ED25519 PUBLIC KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n-----END NEBULA ED25519 PUBLIC KEY-----\";\n    let invalid_banner = b\"-----BEGIN NOT A NEBULA PUBLIC KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\n-----END NOT A NEBULA PUBLIC KEY-----\";\n    let invalid_pem = b\"-BEGIN NEBULA ED25519 PUBLIC KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\n-END NEBULA ED25519 PUBLIC KEY-----\";\n\n    deserialize_ed25519_public(priv_key).unwrap();\n\n    deserialize_ed25519_public(short_key).unwrap_err();\n\n    deserialize_ed25519_public(invalid_banner).unwrap_err();\n\n    deserialize_ed25519_public(invalid_pem).unwrap_err();\n}\n\n#[test]\n// Ensure that trifid-pki produces the *exact same* bit-for-bit representation as nebula does\n// to ensure signature interoperability\n// We use an e3team production certificate for this as it is a known-good certificate.\nfn test_serialization_interoperability() {\n    let known_good_cert = hex::decode(\"0a650a08636f72652d74777212098184c4508080f8ff0f28ae9fbf9c06309485c4ab063a20304e6279d8722f0fd8d966faa70adaeec08c4649d486457bb038be243753a7474a2056860ded3d14b7f3b77ca2a062ee5d683dd06b35f87446d8d6a7e923b6a7783d1240eb5d6b688eda0d36e925219c098ff2799e42207a093f7d9b7d875823ca05b2e0d3a749dd2fc9cec811ed9a2865d71c4d53cfdfd1bf7e6d5058bd9ecd388ddf0d\").unwrap();\n\n    let cert = deserialize_nebula_certificate(\u0026known_good_cert).unwrap();\n    let reserialized_cert_pem = cert.serialize().unwrap();\n    assert_eq!(known_good_cert, reserialized_cert_pem);\n}\n\n#[test]\nfn test_deserialize_x25519_public() {\n    let priv_key = b\"-----BEGIN NEBULA X25519 PUBLIC KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n-----END NEBULA X25519 PUBLIC KEY-----\";\n    let short_key = b\"-----BEGIN NEBULA X25519 PUBLIC KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\n-----END NEBULA X25519 PUBLIC KEY-----\";\n    let invalid_banner = b\"-----BEGIN NOT A NEBULA PUBLIC KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n-----END NOT A NEBULA PUBLIC KEY-----\";\n    let invalid_pem = b\"-BEGIN NEBULA X25519 PUBLIC KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n-END NEBULA X25519 PUBLIC KEY-----\";\n\n    deserialize_x25519_public(priv_key).unwrap();\n\n    deserialize_x25519_public(short_key).unwrap_err();\n\n    deserialize_x25519_public(invalid_banner).unwrap_err();\n\n    deserialize_x25519_public(invalid_pem).unwrap_err();\n}\n\n#[test]\nfn ca_pool_add_non_ca() {\n    let mut ca_pool = NebulaCAPool::new();\n\n    let (ca, ca_key, _) = test_ca_cert(SystemTime::now(), SystemTime::now() + Duration::from_secs(3600), vec![], vec![], vec![]);\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, SystemTime::now(), SystemTime::now(), vec![], vec![], vec![]);\n\n    ca_pool.add_ca_certificate(\u0026cert.serialize_to_pem().unwrap()).unwrap_err();\n}\n\nfn test_cert(ca: \u0026NebulaCertificate, key: \u0026SigningKey, before: SystemTime, after: SystemTime, ips: Vec\u003cIpv4Net\u003e, subnets: Vec\u003cIpv4Net\u003e, groups: Vec\u003cString\u003e) -\u003e (NebulaCertificate, SigningKey, VerifyingKey) {\n    let issuer = ca.sha256sum().unwrap();\n\n    let real_groups = if groups.is_empty() {\n        vec![\"test-group1\".to_string(), \"test-group2\".to_string(), \"test-group3\".to_string()]\n    } else {\n        groups\n    };\n\n    let real_ips = if ips.is_empty() {\n        vec![\n            netmask!(\"10.1.1.1\", \"255.255.255.0\"),\n            netmask!(\"10.1.1.2\", \"255.255.0.0\"),\n            netmask!(\"10.1.1.3\", \"255.0.0.0\")\n        ]\n    } else {\n        ips\n    };\n\n    let real_subnets = if subnets.is_empty() {\n        vec![\n            netmask!(\"9.1.1.1\", \"255.255.255.128\"),\n            netmask!(\"9.1.1.2\", \"255.255.255.0\"),\n            netmask!(\"9.1.1.3\", \"255.255.0.0\")\n        ]\n    } else {\n        subnets\n    };\n\n    let mut csprng = OsRng;\n    let cert_key = SigningKey::generate(\u0026mut csprng);\n    let pub_key = cert_key.verifying_key();\n\n    let mut cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: \"TEST_CA\".to_string(),\n            ips: real_ips,\n            subnets: real_subnets,\n            groups: real_groups,\n            not_before: before,\n            not_after: after,\n            public_key: pub_key.to_bytes(),\n            is_ca: false,\n            issuer,\n        },\n        signature: vec![],\n    };\n    cert.sign(key).unwrap();\n    (cert, cert_key, pub_key)\n}\n\n#[allow(dead_code)]\nfn in_a_minute() -\u003e SystemTime {\n    round_systime_to_secs(SystemTime::now().add(Duration::from_secs(60))).unwrap()\n}\n#[allow(dead_code)]\nfn a_minute_ago() -\u003e SystemTime {\n    round_systime_to_secs(SystemTime::now().sub(Duration::from_secs(60))).unwrap()\n}","traces":[],"covered":0,"coverable":0}]};
+        var previousData = {"files":[{"path":["/","home","core","prj","e3t","trifid","tfclient","src","main.rs"],"content":"fn main() {\n    println!(\"Hello, world!\");\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","build.rs"],"content":"// generated by `sqlx migrate build-script`\nfn main() {\n    // trigger recompilation when a new migration is added\n    println!(\"cargo:rerun-if-changed=migrations\");\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","auth.rs"],"content":"use rocket::http::Status;\nuse rocket::{Request};\nuse rocket::request::{FromRequest, Outcome};\nuse crate::tokens::{validate_auth_token, validate_session_token};\n\npub struct PartialUserInfo {\n    pub user_id: i32,\n    pub created_at: i64,\n    pub email: String,\n    pub has_totp_auth: bool,\n\n    pub session_id: String,\n    pub auth_id: Option\u003cString\u003e\n}\n\n#[derive(Debug)]\npub enum AuthenticationError {\n    MissingToken,\n    InvalidToken(usize),\n    DatabaseError,\n    RequiresTOTP\n}\n\n#[rocket::async_trait]\nimpl\u003c'r\u003e FromRequest\u003c'r\u003e for PartialUserInfo {\n    type Error = AuthenticationError;\n\n    async fn from_request(req: \u0026'r Request\u003c'_\u003e) -\u003e Outcome\u003cSelf, Self::Error\u003e {\n        let headers = req.headers();\n\n        // make sure the bearer token exists\n        if let Some(authorization) = headers.get_one(\"Authorization\") {\n            // parse bearer token\n            let components = authorization.split(' ').collect::\u003cVec\u003c\u0026str\u003e\u003e();\n\n            if components.len() != 2 \u0026\u0026 components.len() != 3 {\n                return Outcome::Failure((Status::Unauthorized, AuthenticationError::MissingToken));\n            }\n\n            if components[0] != \"Bearer\" {\n                return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(0)));\n            }\n\n            if components.len() == 2 \u0026\u0026 !components[1].starts_with(\"st-\") {\n                return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(1)));\n            }\n\n            let st: String;\n            let user_id: i64;\n            let at: Option\u003cString\u003e;\n\n            match \u0026components[1][..3] {\n                \"st-\" =\u003e {\n                    // validate session token\n                    st = components[1].to_string();\n                    match validate_session_token(st.clone(), req.rocket().state().unwrap()).await {\n                        Ok(uid) =\u003e user_id = uid,\n                        Err(_) =\u003e return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(2)))\n                    }\n                },\n                _ =\u003e return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(3)))\n            }\n\n            if components.len() == 3 {\n                match \u0026components[2][..3] {\n                    \"at-\" =\u003e {\n                        // validate auth token\n                        at = Some(components[2].to_string());\n                        match validate_auth_token(at.clone().unwrap().clone(), st.clone(), req.rocket().state().unwrap()).await {\n                            Ok(_) =\u003e (),\n                            Err(_) =\u003e return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(4)))\n                        }\n                    },\n                    _ =\u003e return Outcome::Failure((Status::Unauthorized, AuthenticationError::InvalidToken(5)))\n                }\n            } else {\n                at = None;\n            }\n\n            // this user is 100% valid and authenticated, fetch their info\n\n            let user = match sqlx::query!(\"SELECT * FROM users WHERE id = $1\", user_id.clone() as i32).fetch_one(req.rocket().state().unwrap()).await {\n                Ok(u) =\u003e u,\n                Err(_) =\u003e return Outcome::Failure((Status::InternalServerError, AuthenticationError::DatabaseError))\n            };\n\n            Outcome::Success(PartialUserInfo {\n                user_id: user_id as i32,\n                created_at: user.created_on as i64,\n                email: user.email,\n                has_totp_auth: at.is_some(),\n                session_id: st,\n                auth_id: at,\n            })\n        } else {\n            Outcome::Failure((Status::Unauthorized, AuthenticationError::MissingToken))\n        }\n    }\n}\n\npub struct TOTPAuthenticatedUserInfo {\n    pub user_id: i32,\n    pub created_at: i64,\n    pub email: String,\n}\n#[rocket::async_trait]\nimpl\u003c'r\u003e FromRequest\u003c'r\u003e for TOTPAuthenticatedUserInfo {\n    type Error = AuthenticationError;\n\n    async fn from_request(request: \u0026'r Request\u003c'_\u003e) -\u003e Outcome\u003cSelf, Self::Error\u003e {\n        let userinfo = PartialUserInfo::from_request(request).await;\n        match userinfo {\n            Outcome::Failure(e) =\u003e Outcome::Failure(e),\n            Outcome::Forward(f) =\u003e Outcome::Forward(f),\n            Outcome::Success(s) =\u003e {\n                if s.has_totp_auth {\n                    Outcome::Success(Self {\n                        user_id: s.user_id,\n                        created_at: s.created_at,\n                        email: s.email,\n                    })\n                } else {\n                    Outcome::Failure((Status::Unauthorized, AuthenticationError::RequiresTOTP))\n                }\n            }\n        }\n    }\n}","traces":[{"line":28,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":29,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":32,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":34,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":36,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":37,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":40,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":41,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":44,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":45,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":48,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":49,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":50,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":52,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":53,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":55,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":56,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":57,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":58,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":61,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":64,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":65,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":66,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":68,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":69,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":70,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":71,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":74,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":77,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":82,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":83,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":84,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":87,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":88,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":89,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":90,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":91,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":92,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":93,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":96,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":110,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":111,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":112,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":113,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":114,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":115,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":116,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":117,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":118,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":119,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":120,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":123,"address":[],"length":0,"stats":{"Line":0},"fn_name":null}],"covered":0,"coverable":52},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","config.rs"],"content":"use serde::Deserialize;\nuse url::Url;\n\n#[derive(Deserialize)]\npub struct TFConfig {\n    pub listen_port: u16,\n    pub db_url: String,\n    pub base: Url,\n    pub web_root: Url,\n    pub magic_links_valid_for: i64,\n    pub session_tokens_valid_for: i64,\n    pub totp_verification_valid_for: i64,\n    pub data_key: String\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","crypto.rs"],"content":"use std::error::Error;\nuse aes_gcm::{Aes256Gcm, KeyInit, Nonce};\nuse aes_gcm::aead::{Aead, Payload};\nuse crate::config::TFConfig;\n\npub fn get_cipher_from_config(config: \u0026TFConfig) -\u003e Result\u003cAes256Gcm, Box\u003cdyn Error\u003e\u003e {\n    let key_slice = hex::decode(\u0026config.data_key)?;\n    Ok(Aes256Gcm::new_from_slice(\u0026key_slice)?)\n}\n\npub fn encrypt_with_nonce(plaintext: \u0026[u8], nonce: [u8; 12], cipher: \u0026Aes256Gcm) -\u003e Result\u003cVec\u003cu8\u003e, aes_gcm::Error\u003e {\n    let nonce = Nonce::from_slice(\u0026nonce);\n    let ciphertext = cipher.encrypt(nonce, plaintext)?;\n    Ok(ciphertext)\n}\n\npub fn decrypt_with_nonce(ciphertext: \u0026[u8], nonce: [u8; 12], cipher: \u0026Aes256Gcm) -\u003e Result\u003cVec\u003cu8\u003e, aes_gcm::Error\u003e {\n    let nonce = Nonce::from_slice(\u0026nonce);\n    let plaintext = cipher.decrypt(nonce, Payload::from(ciphertext))?;\n    Ok(plaintext)\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","db.rs"],"content":"","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","format.rs"],"content":"use std::fmt::{Display, Formatter};\nuse crate::format::PEMValidationError::{IncorrectSegmentLength, InvalidBase64Data, MissingStartSentinel};\nuse crate::util::base64decode;\n\npub const ED_PUBKEY_START_STR: \u0026str = \"-----BEGIN NEBULA ED25519 PUBLIC KEY-----\";\npub const ED_PUBKEY_END_STR: \u0026str = \"-----END NEBULA ED25519 PUBLIC KEY-----\";\n\npub const DH_PUBKEY_START_STR: \u0026str = \"-----BEGIN NEBULA X25519 PUBLIC KEY-----\";\npub const DH_PUBKEY_END_STR: \u0026str = \"-----END NEBULA X25519 PUBLIC KEY-----\";\n\npub enum PEMValidationError {\n    MissingStartSentinel,\n    InvalidBase64Data,\n    MissingEndSentinel,\n    IncorrectSegmentLength(usize, usize)\n}\nimpl Display for PEMValidationError {\n    fn fmt(\u0026self, f: \u0026mut Formatter\u003c'_\u003e) -\u003e std::fmt::Result {\n        match self {\n            Self::MissingEndSentinel =\u003e write!(f, \"Missing ending sentinel\"),\n            Self::MissingStartSentinel =\u003e write!(f, \"Missing starting sentinel\"),\n            Self::InvalidBase64Data =\u003e write!(f, \"invalid base64 data\"),\n            Self::IncorrectSegmentLength(expected, got) =\u003e write!(f, \"incorrect number of segments, expected {} got {}\", expected, got)\n        }\n    }\n}\n\npub fn validate_ed_pubkey_pem(pubkey: \u0026str) -\u003e Result\u003c(), PEMValidationError\u003e {\n    let segments = pubkey.split('\\n');\n    let segs = segments.collect::\u003cVec\u003c\u0026str\u003e\u003e();\n    if segs.len() \u003c 3 {\n        return Err(IncorrectSegmentLength(3, segs.len()))\n    }\n    if segs[0] != ED_PUBKEY_START_STR {\n        return Err(MissingStartSentinel)\n    }\n    if base64decode(segs[1]).is_err() {\n        return Err(InvalidBase64Data)\n    }\n    if segs[2] != ED_PUBKEY_END_STR {\n        return Err(MissingStartSentinel)\n    }\n    Ok(())\n}\n\npub fn validate_dh_pubkey_pem(pubkey: \u0026str) -\u003e Result\u003c(), PEMValidationError\u003e {\n    let segments = pubkey.split('\\n');\n    let segs = segments.collect::\u003cVec\u003c\u0026str\u003e\u003e();\n    if segs.len() \u003c 3 {\n        return Err(IncorrectSegmentLength(3, segs.len()))\n    }\n    if segs[0] != DH_PUBKEY_START_STR {\n        return Err(MissingStartSentinel)\n    }\n    if base64decode(segs[1]).is_err() {\n        return Err(InvalidBase64Data)\n    }\n    if segs[2] != DH_PUBKEY_END_STR {\n        return Err(MissingStartSentinel)\n    }\n    Ok(())\n}\n\npub fn validate_ed_pubkey_base64(pubkey: \u0026str) -\u003e Result\u003c(), PEMValidationError\u003e {\n    match base64decode(pubkey) {\n        Ok(k) =\u003e validate_ed_pubkey_pem(match std::str::from_utf8(k.as_ref()) {\n            Ok(k) =\u003e k,\n            Err(_) =\u003e return Err(InvalidBase64Data)\n        }),\n        Err(_) =\u003e Err(InvalidBase64Data)\n    }\n}\n\npub fn validate_dh_pubkey_base64(pubkey: \u0026str) -\u003e Result\u003c(), PEMValidationError\u003e {\n    match base64decode(pubkey) {\n        Ok(k) =\u003e validate_dh_pubkey_pem(match std::str::from_utf8(k.as_ref()) {\n            Ok(k) =\u003e k,\n            Err(_) =\u003e return Err(InvalidBase64Data)\n        }),\n        Err(_) =\u003e Err(InvalidBase64Data)\n    }\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","main.rs"],"content":"extern crate core;\n\nuse std::error::Error;\nuse std::fs;\nuse std::path::Path;\nuse dotenvy::dotenv;\nuse log::{error, info};\nuse rocket::{catchers, Request, Response, routes};\nuse rocket::fairing::{Fairing, Info, Kind};\nuse rocket::http::Header;\nuse sqlx::migrate::Migrator;\nuse sqlx::postgres::PgPoolOptions;\nuse crate::config::TFConfig;\n\npub mod format;\npub mod util;\npub mod db;\npub mod config;\npub mod tokens;\npub mod routes;\npub mod auth;\npub mod crypto;\npub mod org;\n\nstatic MIGRATOR: Migrator = sqlx::migrate!();\n\npub struct CORS;\n\n#[rocket::async_trait]\nimpl Fairing for CORS {\n    fn info(\u0026self) -\u003e Info {\n        Info {\n            name: \"Add CORS headers to responses\",\n            kind: Kind::Response\n        }\n    }\n\n    async fn on_response\u003c'r\u003e(\u0026self, _request: \u0026'r Request\u003c'_\u003e, response: \u0026mut Response\u003c'r\u003e) {\n        response.set_header(Header::new(\"Access-Control-Allow-Origin\", \"*\"));\n        response.set_header(Header::new(\"Access-Control-Allow-Methods\", \"POST, GET, PATCH, OPTIONS\"));\n        response.set_header(Header::new(\"Access-Control-Allow-Headers\", \"*\"));\n        response.set_header(Header::new(\"Access-Control-Allow-Credentials\", \"true\"));\n    }\n}\n\n#[rocket::main]\nasync fn main() -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n    let _ = rocket::build();\n\n    info!(\"[tfapi] loading config\");\n\n    let _ = dotenv();\n\n    if std::env::var(\"CONFIG_FILE\").is_err() \u0026\u0026 !Path::new(\"config.toml\").exists() {\n        error!(\"[tfapi] fatal: the environment variable CONFIG_FILE is not set\");\n        error!(\"[tfapi]  help: try creating a .env file that sets it\");\n        error!(\"[tfapi]  help: or, create a file config.toml with your config, as it is loaded automatically\");\n        std::process::exit(1);\n    }\n\n    let config_file = if Path::new(\"config.toml\").exists() {\n        \"config.toml\".to_string()\n    } else {\n        std::env::var(\"CONFIG_FILE\").unwrap()\n    };\n\n    let config_data = match fs::read_to_string(\u0026config_file) {\n        Ok(d) =\u003e d,\n        Err(e) =\u003e {\n            error!(\"[tfapi] fatal: unable to read config from {}\", config_file);\n            error!(\"[tfapi] fatal: {}\", e);\n            std::process::exit(1);\n        }\n    };\n\n    let config: TFConfig = match toml::from_str(\u0026config_data) {\n        Ok(c) =\u003e c,\n        Err(e) =\u003e {\n            error!(\"[tfapi] fatal: unable to parse config from {}\", config_file);\n            error!(\"[tfapi] fatal: {}\", e);\n            std::process::exit(1);\n        }\n    };\n\n    info!(\"[tfapi] connecting to database pool\");\n\n    let pool = match PgPoolOptions::new().max_connections(5).connect(\u0026config.db_url).await {\n        Ok(p) =\u003e p,\n        Err(e) =\u003e {\n            error!(\"[tfapi] fatal: unable to connect to database pool\");\n            error!(\"[tfapi] fatal: {}\", e);\n            std::process::exit(1);\n        }\n    };\n\n    info!(\"[tfapi] running database migrations\");\n\n    MIGRATOR.run(\u0026pool).await?;\n\n    info!(\"[tfapi] building rocket config\");\n\n    let figment = rocket::Config::figment().merge((\"port\", config.listen_port));\n\n    let _ = rocket::custom(figment)\n        .mount(\"/\", routes![\n            crate::routes::v1::auth::magic_link::magiclink_request,\n            crate::routes::v1::auth::magic_link::options,\n            crate::routes::v1::signup::signup_request,\n            crate::routes::v1::signup::options,\n            crate::routes::v1::auth::verify_magic_link::verify_magic_link,\n            crate::routes::v1::auth::verify_magic_link::options,\n            crate::routes::v1::totp_authenticators::totp_authenticators_request,\n            crate::routes::v1::totp_authenticators::options,\n            crate::routes::v1::verify_totp_authenticator::verify_totp_authenticator_request,\n            crate::routes::v1::verify_totp_authenticator::options,\n            crate::routes::v1::auth::totp::totp_request,\n            crate::routes::v1::auth::totp::options,\n            crate::routes::v1::auth::check_session::check_session,\n            crate::routes::v1::auth::check_session::check_session_auth,\n            crate::routes::v1::auth::check_session::options,\n            crate::routes::v1::auth::check_session::options_auth,\n            crate::routes::v2::whoami::whoami_request,\n            crate::routes::v2::whoami::options,\n\n            crate::routes::v1::organization::options,\n            crate::routes::v1::organization::orgidoptions,\n            crate::routes::v1::organization::orginfo_req,\n            crate::routes::v1::organization::orglist_req,\n            crate::routes::v1::organization::create_org\n        ])\n        .register(\"/\", catchers![\n            crate::routes::handler_400,\n            crate::routes::handler_401,\n            crate::routes::handler_403,\n            crate::routes::handler_404,\n            crate::routes::handler_422,\n\n            crate::routes::handler_500,\n            crate::routes::handler_501,\n            crate::routes::handler_502,\n            crate::routes::handler_503,\n            crate::routes::handler_504,\n            crate::routes::handler_505,\n        ])\n        .attach(CORS)\n        .manage(pool)\n        .manage(config)\n        .launch().await?;\n\n    Ok(())\n}","traces":[{"line":38,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":39,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":40,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":41,"address":[],"length":0,"stats":{"Line":0},"fn_name":null},{"line":42,"address":[],"length":0,"stats":{"Line":0},"fn_name":null}],"covered":0,"coverable":5},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","org.rs"],"content":"use std::error::Error;\nuse rocket::form::validate::Contains;\nuse sqlx::PgPool;\n\npub async fn get_org_by_owner_id(user: i32, db: \u0026PgPool) -\u003e Result\u003cOption\u003ci32\u003e, Box\u003cdyn Error\u003e\u003e {\n    Ok(match sqlx::query!(\"SELECT id FROM organizations WHERE owner = $1\", user).fetch_optional(db).await? {\n        Some(r) =\u003e Some(r.id),\n        None =\u003e None\n    })\n}\n\npub async fn get_orgs_by_assoc_id(user: i32, db: \u0026PgPool) -\u003e Result\u003cVec\u003ci32\u003e, Box\u003cdyn Error\u003e\u003e {\n    let res: Vec\u003c_\u003e = sqlx::query!(\"SELECT org_id FROM organization_authorized_users WHERE user_id = $1\", user).fetch_all(db).await?;\n\n    let mut ret = vec![];\n\n    for i in res {\n        ret.push(i.org_id);\n    }\n\n    Ok(ret)\n}\n\npub async fn get_users_by_assoc_org(org: i32, db: \u0026PgPool) -\u003e Result\u003cVec\u003ci32\u003e, Box\u003cdyn Error\u003e\u003e {\n    let res: Vec\u003c_\u003e = sqlx::query!(\"SELECT user_id FROM organization_authorized_users WHERE org_id = $1\", org).fetch_all(db).await?;\n\n    let mut ret = vec![];\n\n    for i in res {\n        ret.push(i.org_id);\n    }\n\n    Ok(ret)\n}\n\npub async fn get_associated_orgs(user: i32, db: \u0026PgPool) -\u003e Result\u003cVec\u003ci32\u003e, Box\u003cdyn Error\u003e\u003e {\n    let mut assoc_orgs = vec![];\n\n    if let Some(owned_org) = get_org_by_owner_id(user, db).await? {\n        assoc_orgs.push(owned_org);\n    }\n\n    assoc_orgs.append(\u0026mut get_orgs_by_assoc_id(user, db).await?);\n\n    Ok(assoc_orgs)\n}\n\npub async fn user_has_org_assoc(user: i32, org: i32, db: \u0026PgPool) -\u003e Result\u003cbool, Box\u003cdyn Error\u003e\u003e {\n    Ok(get_associated_orgs(user, db).await?.contains(org))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","mod.rs"],"content":"pub mod v1;\npub mod v2;\n\nuse rocket::catch;\nuse serde::{Serialize};\nuse rocket::http::Status;\n\npub const ERR_MSG_MALFORMED_REQUEST: \u0026str = \"unable to parse the request body - is it valid JSON, using correct types?\";\npub const ERR_MSG_MALFORMED_REQUEST_CODE: \u0026str = \"ERR_MALFORMED_REQUEST\";\n\n/*\nTODO:\n    /v1/auth/magic-link                         [done]\n    /v1/auth/totp                               [done]\n    /v1/auth/verify-magic-link                  [done]\n    /v1/hosts/host-{id}/enrollment-code\n    /v1/hosts/host-{id}/enrollment-code-check\n    /v1/hosts/host-{id}\n    /v1/roles/role-{id}\n    /v1/feature-flags\n    /v1/hosts\n    /v1/networks\n    /v1/roles\n    /v1/signup                                  [done]\n    /v1/totp-authenticators                     [done]\n    /v1/verify-totp-authenticator               [done]\n    /v1/dnclient\n    /v2/enroll\n    /v2/whoami                                  [in-progress]\n */\n\n#[derive(Serialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct APIError {\n    errors: Vec\u003cAPIErrorSingular\u003e\n}\n#[derive(Serialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct APIErrorSingular {\n    code: String,\n    message: String\n}\n\nmacro_rules! error_handler {\n    ($code: expr, $err: expr, $msg: expr) =\u003e {\n        ::paste::paste! {\n            #[catch($code)]\n            pub fn [\u003chandler_ $code\u003e]() -\u003e (Status, String) {\n                (Status::from_code($code).unwrap(), format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", $err, $msg))\n            }\n        }\n    };\n}\nerror_handler!(400, \"ERR_MALFORMED_REQUEST\", \"unable to parse the request body, is it properly formatted?\");\nerror_handler!(401, \"ERR_AUTHENTICATION_REQUIRED\", \"this endpoint requires authentication but it was not provided\");\nerror_handler!(403, \"ERR_UNAUTHORIZED\", \"authorization was provided but it is expired or invalid\");\nerror_handler!(404, \"ERR_NOT_FOUND\", \"resource not found\");\nerror_handler!(405, \"ERR_METHOD_NOT_ALLOWED\", \"method not allowed for this endpoint\");\nerror_handler!(422, \"ERR_MALFORMED_REQUEST\", \"unable to parse the request body, is it properly formatted?\");\n\nerror_handler!(500, \"ERR_QL_QUERY_FAILED\", \"graphql query timed out\");\nerror_handler!(501, \"ERR_NOT_IMPLEMENTED\", \"query not supported by this version of graphql\");\nerror_handler!(502, \"ERR_PROXY_ERR\", \"servers under load, please try again later\");\nerror_handler!(503, \"ERR_SERVER_OVERLOADED\", \"servers under load, please try again later\");\nerror_handler!(504, \"ERR_PROXY_TIMEOUT\", \"servers under load, please try again later\");\nerror_handler!(505, \"ERR_CLIENT_UNSUPPORTED\", \"your version of dnclient is out of date, please update\");\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","auth","check_session.rs"],"content":"use rocket::{post, options};\nuse crate::auth::{PartialUserInfo, TOTPAuthenticatedUserInfo};\n\n#[options(\"/v1/auth/check_session\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n#[post(\"/v1/auth/check_session\")]\npub async fn check_session(_user: PartialUserInfo) -\u003e \u0026'static str {\n    \"ok\"\n}\n\n#[options(\"/v1/auth/check_auth\")]\npub async fn options_auth() -\u003e \u0026'static str {\n    \"\"\n}\n\n\n#[post(\"/v1/auth/check_auth\")]\npub async fn check_session_auth(_user: TOTPAuthenticatedUserInfo) -\u003e \u0026'static str {\n    \"ok\"\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","auth","magic_link.rs"],"content":"use rocket::{post, State};\nuse rocket::serde::json::Json;\nuse serde::{Serialize, Deserialize};\nuse rocket::http::{ContentType, Status};\nuse sqlx::PgPool;\nuse crate::config::TFConfig;\nuse crate::tokens::send_magic_link;\nuse rocket::options;\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct MagicLinkRequest {\n    pub email: String,\n}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct MagicLinkResponseMetadata {}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct MagicLinkResponse {\n    pub data: Option\u003cString\u003e,\n    pub metadata: MagicLinkResponseMetadata,\n}\n\n\n#[options(\"/v1/auth/magic-link\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n#[post(\"/v1/auth/magic-link\", data = \"\u003creq\u003e\")]\npub async fn magiclink_request(req: Json\u003cMagicLinkRequest\u003e, pool: \u0026State\u003cPgPool\u003e, config: \u0026State\u003cTFConfig\u003e) -\u003e Result\u003c(ContentType, Json\u003cMagicLinkResponse\u003e), (Status, String)\u003e {\n    // figure out if the user already exists\n    let mut id = -1;\n    match sqlx::query!(\"SELECT id FROM users WHERE email = $1\", req.email.clone()).fetch_optional(pool.inner()).await {\n        Ok(res) =\u003e if let Some(r) = res { id = r.id as i64 },\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))\n        }\n    }\n\n    if id == -1 {\n        return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_UNAUTHORIZED\", \"authorization was provided but it is expired or invalid\")))\n    }\n\n    // send magic link to email\n    match send_magic_link(id, req.email.clone(), pool.inner(), config.inner()).await {\n        Ok(_) =\u003e (),\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))\n        }\n    };\n\n    // this endpoint doesn't actually ever return an error? it will send you the magic link no matter what\n    // this appears to do the exact same thing as /v1/auth/magic-link, but it doesn't check if you have an account (magic-link does)\n    Ok((ContentType::JSON, Json(MagicLinkResponse {\n        data: None,\n        metadata: MagicLinkResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","auth","mod.rs"],"content":"pub mod verify_magic_link;\npub mod magic_link;\npub mod totp;\npub mod check_session;","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","auth","totp.rs"],"content":"use rocket::http::{ContentType, Status};\nuse rocket::serde::json::Json;\nuse crate::auth::PartialUserInfo;\nuse serde::{Serialize, Deserialize};\nuse rocket::{post, State};\nuse sqlx::PgPool;\nuse rocket::options;\nuse crate::tokens::{generate_auth_token, get_totpmachine, user_has_totp};\n\npub const TOTP_GENERIC_UNAUTHORIZED_ERROR: \u0026str = \"{\\\"errors\\\":[{\\\"code\\\":\\\"ERR_INVALID_TOTP_CODE\\\",\\\"message\\\":\\\"invalid TOTP code (maybe it expired?)\\\",\\\"path\\\":\\\"code\\\"}]}\";\npub const TOTP_NO_TOTP_ERROR: \u0026str = \"{\\\"errors\\\":[{\\\"code\\\":\\\"ERR_NO_TOTP\\\",\\\"message\\\":\\\"logged-in user does not have totp enabled\\\",\\\"path\\\":\\\"code\\\"}]}\";\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpRequest {\n    pub code: String\n}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpResponseData {\n    #[serde(rename = \"authToken\")]\n    auth_token: String\n}\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpResponseMetadata {\n}\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpResponse {\n    data: TotpResponseData,\n    metadata: TotpResponseMetadata\n}\n\n#[options(\"/v1/auth/totp\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n\n#[post(\"/v1/auth/totp\", data = \"\u003creq\u003e\")]\npub async fn totp_request(req: Json\u003cTotpRequest\u003e, user: PartialUserInfo, db: \u0026State\u003cPgPool\u003e) -\u003e Result\u003c(ContentType, Json\u003cTotpResponse\u003e), (Status, String)\u003e {\n    if !match user_has_totp(user.user_id, db.inner()).await {\n        Ok(b) =\u003e b,\n        Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n    } {\n        return Err((Status::UnprocessableEntity, TOTP_NO_TOTP_ERROR.to_string()))\n    }\n\n    if user.has_totp_auth {\n        return Err((Status::BadRequest, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_TOTP_ALREADY_AUTHED\", \"user already has valid totp authentication\")))\n    }\n\n    let totpmachine = match get_totpmachine(user.user_id, db.inner()).await {\n        Ok(t) =\u003e t,\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n        }\n    };\n\n    if !totpmachine.check_current(\u0026req.0.code).unwrap_or(false) {\n        return Err((Status::Unauthorized, TOTP_GENERIC_UNAUTHORIZED_ERROR.to_string()))\n    }\n\n    Ok((ContentType::JSON, Json(TotpResponse {\n        data: TotpResponseData { auth_token: match generate_auth_token(user.user_id as i64, user.session_id, db.inner()).await {\n            Ok(t) =\u003e t,\n            Err(e) =\u003e { return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e))) }\n        } },\n        metadata: TotpResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","auth","verify_magic_link.rs"],"content":"use std::time::{SystemTime, UNIX_EPOCH};\nuse rocket::http::{ContentType, Status};\nuse rocket::serde::json::Json;\nuse serde::{Serialize, Deserialize};\nuse rocket::{post, State};\nuse sqlx::PgPool;\nuse crate::config::TFConfig;\nuse crate::tokens::generate_session_token;\nuse rocket::options;\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct VerifyMagicLinkRequest {\n    #[serde(rename = \"magicLinkToken\")]\n    pub magic_link_token: String,\n}\n\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyMagicLinkResponseMetadata {}\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyMagicLinkResponseData {\n    #[serde(rename = \"sessionToken\")]\n    pub session_token: String,\n}\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyMagicLinkResponse {\n    pub data: VerifyMagicLinkResponseData,\n    pub metadata: VerifyMagicLinkResponseMetadata,\n}\n\n#[options(\"/v1/auth/verify-magic-link\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n\n#[post(\"/v1/auth/verify-magic-link\", data = \"\u003creq\u003e\")]\npub async fn verify_magic_link(req: Json\u003cVerifyMagicLinkRequest\u003e, db: \u0026State\u003cPgPool\u003e, config: \u0026State\u003cTFConfig\u003e) -\u003e Result\u003c(ContentType, Json\u003cVerifyMagicLinkResponse\u003e), (Status, String)\u003e {\n    // get the current time to check if the token is expired\n    let (user_id, expired_at) = match sqlx::query!(\"SELECT user_id, expires_on FROM magic_links WHERE id = $1\", req.0.magic_link_token).fetch_one(db.inner()).await {\n        Ok(row) =\u003e (row.user_id, row.expires_on),\n        Err(e) =\u003e {\n            return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNAUTHORIZED\", \"this token is invalid\", e)))\n        }\n    };\n    let current_time = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i32;\n    println!(\"expired on {}, currently {}\", expired_at, current_time);\n    if expired_at \u003c current_time {\n        return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_UNAUTHORIZED\", \"valid authorization was provided but it is expired\")))\n    }\n\n    // generate session token\n    let token = match generate_session_token(user_id as i64, db.inner(), config.inner()).await {\n        Ok(t) =\u003e t,\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n        }\n    };\n\n    // delete the token\n    match sqlx::query!(\"DELETE FROM magic_links WHERE id = $1\", req.0.magic_link_token).execute(db.inner()).await {\n        Ok(_) =\u003e (),\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n        }\n    }\n\n    Ok((ContentType::JSON, Json(VerifyMagicLinkResponse {\n        data: VerifyMagicLinkResponseData { session_token: token },\n        metadata: VerifyMagicLinkResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","mod.rs"],"content":"pub mod auth;\npub mod signup;\n\npub mod totp_authenticators;\npub mod verify_totp_authenticator;\npub mod organization;","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","organization.rs"],"content":"use std::slice::from_raw_parts_mut;\nuse rocket::{get, post, options, State};\nuse rocket::http::{ContentType, Status};\nuse rocket::serde::json::Json;\nuse serde::{Serialize, Deserialize};\nuse sqlx::PgPool;\nuse crate::auth::TOTPAuthenticatedUserInfo;\nuse crate::config::TFConfig;\nuse crate::org::{get_associated_orgs, get_org_by_owner_id, get_users_by_assoc_org, user_has_org_assoc};\n\n#[options(\"/v1/orgs\")]\npub fn options() -\u003e \u0026'static str {\n    \"\"\n}\n#[options(\"/v1/org/\u003c_id\u003e\")]\npub fn orgidoptions(_id: i32) -\u003e \u0026'static str {\n    \"\"\n}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct OrglistStruct {\n    pub org_ids: Vec\u003ci32\u003e\n}\n\n\n#[get(\"/v1/orgs\")]\npub async fn orglist_req(user: TOTPAuthenticatedUserInfo, db: \u0026State\u003cPgPool\u003e) -\u003e Result\u003c(ContentType, Json\u003cOrglistStruct\u003e), (Status, String)\u003e {\n    // this endpoint lists the associated organizations this user has access to\n    let associated_orgs = match get_associated_orgs(user.user_id, db.inner()).await {\n        Ok(r) =\u003e r,\n        Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_DB_QUERY_FAILED\", \"an error occurred while running the database query\")))\n    };\n\n    Ok((ContentType::JSON, Json(OrglistStruct {\n        org_ids: associated_orgs\n    })))\n}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct OrginfoStruct {\n    pub org_id: i32,\n    pub owner_id: i32,\n    pub ca_crt: String,\n    pub authorized_users: Vec\u003ci32\u003e\n}\n\n#[get(\"/v1/org/\u003corgid\u003e\")]\npub async fn orginfo_req(orgid: i32, user: TOTPAuthenticatedUserInfo, db: \u0026State\u003cPgPool\u003e) -\u003e Result\u003c(ContentType, Json\u003cOrginfoStruct\u003e), (Status, String)\u003e {\n    if !user_has_org_assoc(orgid, user.user_id, db.inner()).await.map_err(|e| (Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))? {\n        return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_MISSING_ORG_AUTHORIZATION\", \"this user does not have permission to access this org\")));\n    }\n\n    let org = sqlx::query!(\"SELECT id, owner, ca_crt FROM organizations WHERE id = $1\", orgid).fetch_one(orgid).await.map_err(|e| (Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))?;\n    let authorized_users = get_users_by_assoc_org(orgid, db.inner()).await.map_err(|e| (Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))?;\n\n    Ok((ContentType::JSON, Json(\n        OrginfoStruct {\n            org_id: orgid,\n            owner_id: org.owner,\n            ca_crt: org.ca_crt,\n            authorized_users,\n        }\n    )))\n}\n\n#[post(\"/v1/org\")]\npub async fn create_org(user: TOTPAuthenticatedUserInfo, db: \u0026State\u003cPgPool\u003e, config: \u0026State\u003cTFConfig\u003e) -\u003e Result\u003c(ContentType, Json\u003cOrginfoStruct\u003e), (Status, String)\u003e {\n    if get_org_by_owner_id(user.user_id, db.inner()).await.map_err(|e| (Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))?.is_some() {\n        return Err((Status::Conflict, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_USER_OWNS_ORG\", \"a user can only own one organization at a time\")))\n    }\n\n    // we need to generate a keypair and CA certificate for this new org\n\n    Ok((ContentType::JSON, Json(\n        OrginfoStruct {\n            org_id: orgid,\n            owner_id: org.owner,\n            ca_crt: org.ca_crt,\n            authorized_users,\n        }\n    )))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","signup.rs"],"content":"use rocket::{post, State};\nuse rocket::serde::json::Json;\nuse serde::{Serialize, Deserialize};\nuse std::time::{SystemTime, UNIX_EPOCH};\nuse rocket::http::{ContentType, Status};\nuse sqlx::PgPool;\nuse crate::config::TFConfig;\nuse crate::tokens::send_magic_link;\nuse rocket::options;\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct SignupRequest {\n    pub email: String,\n}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct SignupResponseMetadata {}\n\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct SignupResponse {\n    pub data: Option\u003cString\u003e,\n    pub metadata: SignupResponseMetadata,\n}\n/*\ncreated_on TIMESTAMP NOT NULL,\n\n    banned INTEGER NOT NULL,\n    ban_reason VARCHAR(1024) NOT NULL\n */\n#[options(\"/v1/signup\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n#[post(\"/v1/signup\", data = \"\u003creq\u003e\")]\npub async fn signup_request(req: Json\u003cSignupRequest\u003e, pool: \u0026State\u003cPgPool\u003e, config: \u0026State\u003cTFConfig\u003e) -\u003e Result\u003c(ContentType, Json\u003cSignupResponse\u003e), (Status, String)\u003e {\n    // figure out if the user already exists\n    let mut id = -1;\n    match sqlx::query!(\"SELECT id FROM users WHERE email = $1\", req.email.clone()).fetch_optional(pool.inner()).await {\n        Ok(res) =\u003e if let Some(r) = res { id = r.id as i64 },\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))\n        }\n    }\n\n    if id == -1 {\n        let id_res = match sqlx::query!(\"INSERT INTO users (email, created_on, banned, ban_reason, totp_secret, totp_otpurl, totp_verified) VALUES ($1, $2, $3, $4, $5, $6, $7) ON CONFLICT DO NOTHING RETURNING id;\", req.email, SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i64, 0, \"\", \"\", \"\", 0).fetch_one(pool.inner()).await {\n            Ok(row) =\u003e row.id,\n            Err(e) =\u003e {\n                return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))\n            }\n        };\n        id = id_res as i64;\n    }\n\n    // send magic link to email\n    match send_magic_link(id, req.email.clone(), pool.inner(), config.inner()).await {\n        Ok(_) =\u003e (),\n        Err(e) =\u003e {\n            return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_QL_QUERY_FAILED\", \"an error occurred while running the graphql query\", e)))\n        }\n    };\n\n    // this endpoint doesn't actually ever return an error? it will send you the magic link no matter what\n    // this appears to do the exact same thing as /v1/auth/magic-link, but it doesn't check if you have an account (magic-link does)\n    Ok((ContentType::JSON, Json(SignupResponse {\n        data: None,\n        metadata: SignupResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","totp_authenticators.rs"],"content":"use rocket::http::{ContentType, Status};\nuse rocket::serde::json::Json;\nuse rocket::{State, post};\nuse sqlx::PgPool;\nuse serde::{Serialize, Deserialize};\nuse crate::auth::PartialUserInfo;\nuse crate::config::TFConfig;\nuse crate::tokens::{create_totp_token, user_has_totp};\nuse rocket::options;\n\n#[derive(Deserialize)]\npub struct TotpAuthenticatorsRequest {}\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpAuthenticatorsResponseMetadata {}\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpAuthenticatorsResponseData {\n    #[serde(rename = \"totpToken\")]\n    pub totp_token: String,\n    pub secret: String,\n    pub url: String,\n}\n#[derive(Serialize, Deserialize)]\n#[serde(crate = \"rocket::serde\")]\npub struct TotpAuthenticatorsResponse {\n    pub data: TotpAuthenticatorsResponseData,\n    pub metadata: TotpAuthenticatorsResponseMetadata,\n}\n\n#[options(\"/v1/totp-authenticators\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n\n#[post(\"/v1/totp-authenticators\", data = \"\u003c_req\u003e\")]\npub async fn totp_authenticators_request(_req: Json\u003cTotpAuthenticatorsRequest\u003e, user: PartialUserInfo, db: \u0026State\u003cPgPool\u003e, config: \u0026State\u003cTFConfig\u003e) -\u003e Result\u003c(ContentType, Json\u003cTotpAuthenticatorsResponse\u003e), (Status, String)\u003e {\n    if match user_has_totp(user.user_id, db.inner()).await {\n        Ok(b) =\u003e b,\n        Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n    } {\n        return Err((Status::BadRequest, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\"}}]}}\", \"ERR_TOTP_ALREADY_EXISTS\", \"this user already has a totp authenticator on their account\")))\n    }\n\n    // generate a totp token\n    let (totptoken, totpmachine) = match create_totp_token(user.email, db.inner(), config.inner()).await {\n        Ok(t) =\u003e t,\n        Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured issuing a totp token, try again later\", e)))\n    };\n\n    Ok((ContentType::JSON, Json(TotpAuthenticatorsResponse {\n        data: TotpAuthenticatorsResponseData {\n            totp_token: totptoken,\n            secret: totpmachine.get_secret_base32(),\n            url: totpmachine.get_url(),\n        },\n        metadata: TotpAuthenticatorsResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v1","verify_totp_authenticator.rs"],"content":"/*\n{\"totpToken\":\"totp-mH9eLzA9Q5WB-sg3Fq8CfkP13eTh3DxF25kVK2VEDOk\",\"code\":\"266242\"}\n{\"errors\":[{\"code\":\"ERR_INVALID_TOTP_TOKEN\",\"message\":\"TOTP token does not exist (maybe it expired?)\",\"path\":\"totpToken\"}]}\n\n\n{\"totpToken\":\"totp-gaUDaxPrrIBc8GEQ6z0vPisT8k0MEP1fgI8FA2ztLMw\",\"code\":\"175543\"}\n{\"data\":{\"authToken\":\"auth-O7mugxdYta-RKtLMqDW4j8XCJ85EfZKKezeZZXBYtFQ\"},\"metadata\":{}}\n*/\n\nuse rocket::http::{ContentType, Status};\nuse crate::auth::PartialUserInfo;\nuse rocket::post;\nuse rocket::serde::json::Json;\nuse rocket::State;\nuse serde::{Serialize, Deserialize};\nuse sqlx::PgPool;\nuse crate::tokens::{generate_auth_token, use_totp_token, verify_totp_token};\nuse rocket::options;\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyTotpAuthenticatorRequest {\n    #[serde(rename = \"totpToken\")]\n    pub totp_token: String,\n    pub code: String,\n}\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyTotpAuthenticatorResponseMetadata {}\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyTotpAuthenticatorResponseData {\n    #[serde(rename = \"authToken\")]\n    pub auth_token: String,\n}\n\n#[derive(Serialize, Deserialize)]\npub struct VerifyTotpAuthenticatorResponse {\n    pub data: VerifyTotpAuthenticatorResponseData,\n    pub metadata: VerifyTotpAuthenticatorResponseMetadata,\n}\n\n#[options(\"/v1/verify-totp-authenticator\")]\npub async fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n\n#[post(\"/v1/verify-totp-authenticator\", data = \"\u003creq\u003e\")]\npub async fn verify_totp_authenticator_request(req: Json\u003cVerifyTotpAuthenticatorRequest\u003e, db: \u0026State\u003cPgPool\u003e, user: PartialUserInfo) -\u003e Result\u003c(ContentType, Json\u003cVerifyTotpAuthenticatorResponse\u003e), (Status, String)\u003e {\n    let totpmachine = match verify_totp_token(req.0.totp_token.clone(), user.email.clone(), db.inner()).await {\n        Ok(t) =\u003e t,\n        Err(e) =\u003e return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNAUTHORIZED\", \"this token is invalid\", e)))\n    };\n    if !totpmachine.check_current(\u0026req.0.code).unwrap() {\n        return Err((Status::Unauthorized, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{}\\\",\\\"path\\\":\\\"totpToken\\\"}}]}}\", \"ERR_INVALID_TOTP_CODE\", \"Invalid TOTP code\")))\n    }\n    match use_totp_token(req.0.totp_token, user.email, db.inner()).await {\n        Ok(_) =\u003e (),\n        Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n    }\n    Ok((ContentType::JSON, Json(VerifyTotpAuthenticatorResponse {\n        data: VerifyTotpAuthenticatorResponseData { auth_token: match generate_auth_token(user.user_id as i64, user.session_id, db.inner()).await {\n            Ok(at) =\u003e at,\n            Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_UNABLE_TO_ISSUE\", \"an error occured trying to issue a session token, please try again later\", e)))\n        } },\n        metadata: VerifyTotpAuthenticatorResponseMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v2","mod.rs"],"content":"pub mod whoami;","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","routes","v2","whoami.rs"],"content":"use chrono::{NaiveDateTime, Utc};\nuse serde::{Serialize, Deserialize};\nuse rocket::{options, get, State};\nuse rocket::http::{ContentType, Status};\nuse rocket::serde::json::Json;\nuse sqlx::PgPool;\nuse crate::auth::PartialUserInfo;\nuse crate::tokens::user_has_totp;\n\n#[derive(Serialize, Deserialize)]\npub struct WhoamiMetadata {}\n\n#[derive(Serialize, Deserialize)]\npub struct WhoamiActor {\n    pub id: String,\n    #[serde(rename = \"organizationID\")]\n    pub organization_id: String,\n    pub email: String,\n    #[serde(rename = \"createdAt\")]\n    pub created_at: String,\n    #[serde(rename = \"hasTOTPAuthenticator\")]\n    pub has_totpauthenticator: bool,\n}\n\n#[derive(Serialize, Deserialize)]\npub struct WhoamiData {\n    #[serde(rename = \"actorType\")]\n    pub actor_type: String,\n    pub actor: WhoamiActor,\n}\n\n#[derive(Serialize, Deserialize)]\npub struct WhoamiResponse {\n    pub data: WhoamiData,\n    pub metadata: WhoamiMetadata,\n}\n\n#[options(\"/v2/whoami\")]\npub fn options() -\u003e \u0026'static str {\n    \"\"\n}\n\n#[get(\"/v2/whoami\")]\npub async fn whoami_request(user: PartialUserInfo, db: \u0026State\u003cPgPool\u003e) -\u003e Result\u003c(ContentType, Json\u003cWhoamiResponse\u003e), (Status, String)\u003e {\n    Ok((ContentType::JSON, Json(WhoamiResponse {\n        data: WhoamiData {\n            actor_type: \"user\".to_string(),\n            actor: WhoamiActor {\n                id: user.user_id.to_string(),\n                organization_id: \"TEMP_ORG_BECAUSE_THAT_ISNT_IMPLEMENTED_YET\".to_string(),\n                email: user.email,\n                created_at: NaiveDateTime::from_timestamp_opt(user.created_at, 0).unwrap().and_local_timezone(Utc).unwrap().to_rfc3339(),\n                has_totpauthenticator: match user_has_totp(user.user_id, db.inner()).await {\n                    Ok(b) =\u003e b,\n                    Err(e) =\u003e return Err((Status::InternalServerError, format!(\"{{\\\"errors\\\":[{{\\\"code\\\":\\\"{}\\\",\\\"message\\\":\\\"{} - {}\\\"}}]}}\", \"ERR_DBERROR\", \"an error occured trying to verify your user\", e)))\n                },\n            }\n        },\n        metadata: WhoamiMetadata {},\n    })))\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","tokens.rs"],"content":"use std::error::Error;\nuse log::info;\nuse sqlx::PgPool;\nuse uuid::Uuid;\nuse crate::config::TFConfig;\nuse std::time::SystemTime;\nuse std::time::UNIX_EPOCH;\nuse totp_rs::{Secret, TOTP};\nuse crate::util::{TOTP_ALGORITHM, TOTP_DIGITS, TOTP_ISSUER, TOTP_SKEW, TOTP_STEP};\n\n// https://admin.defined.net/auth/magic-link?email=coredoescode%40gmail.com\u0026token=ml-ckBsgw_5IdK5VYgseBYcoV_v_cQjtdq1re_RhDu_MKg\npub async fn send_magic_link(id: i64, email: String, db: \u0026PgPool, config: \u0026TFConfig) -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n    let otp = format!(\"ml-{}\", Uuid::new_v4());\n    let otp_url = config.web_root.join(\u0026format!(\"/auth/magic-link?email={}\u0026token={}\", urlencoding::encode(\u0026email.clone()), otp.clone())).unwrap();\n    sqlx::query!(\"INSERT INTO magic_links (id, user_id, expires_on) VALUES ($1, $2, $3) ON CONFLICT DO NOTHING;\", otp, id as i32, SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i32 + config.magic_links_valid_for as i32).execute(db).await?;\n    // TODO: send email\n    info!(\"sent magic link {} to {}, valid for {} seconds\", otp_url, email.clone(), config.magic_links_valid_for);\n    Ok(())\n}\n\npub async fn generate_session_token(user_id: i64, db: \u0026PgPool, config: \u0026TFConfig) -\u003e Result\u003cString, Box\u003cdyn Error\u003e\u003e {\n    let token = format!(\"st-{}\", Uuid::new_v4());\n    sqlx::query!(\"INSERT INTO session_tokens (id, user_id, expires_on) VALUES ($1, $2, $3) ON CONFLICT DO NOTHING;\", token, user_id as i32, SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i32 + config.session_tokens_valid_for as i32).execute(db).await?;\n    Ok(token)\n}\npub async fn validate_session_token(token: String, db: \u0026PgPool) -\u003e Result\u003ci64, Box\u003cdyn Error\u003e\u003e {\n    Ok(sqlx::query!(\"SELECT user_id FROM session_tokens WHERE id = $1 AND expires_on \u003e $2\", token, SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i32).fetch_one(db).await?.user_id as i64)\n}\n\npub async fn generate_auth_token(user_id: i64, session_id: String, db: \u0026PgPool) -\u003e Result\u003cString, Box\u003cdyn Error\u003e\u003e {\n    let token = format!(\"at-{}\", Uuid::new_v4());\n    sqlx::query!(\"INSERT INTO auth_tokens (id, session_token, user_id) VALUES ($1, $2, $3) ON CONFLICT DO NOTHING;\", token, session_id, user_id as i32).execute(db).await?;\n    Ok(token)\n}\npub async fn validate_auth_token(token: String, session_id: String, db: \u0026PgPool) -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n    validate_session_token(session_id.clone(), db).await?;\n    sqlx::query!(\"SELECT * FROM auth_tokens WHERE id = $1 AND session_token = $2\", token, session_id).fetch_one(db).await?;\n    Ok(())\n}\n\n\n/*\nCREATE TABLE totp_create_tokens (\n    id VARCHAR(39) NOT NULL PRIMARY KEY,\n    expires_on INTEGER NOT NULL,\n    totp_otpurl VARCHAR(3000) NOT NULL,\n    totp_secret VARCHAR(128) NOT NULL\n);\n */\n\npub async fn create_totp_token(email: String, db: \u0026PgPool, config: \u0026TFConfig) -\u003e Result\u003c(String, TOTP), Box\u003cdyn Error\u003e\u003e {\n    // create the TOTP parameters\n\n    let secret = Secret::generate_secret();\n    let totpmachine = TOTP::new(TOTP_ALGORITHM, TOTP_DIGITS, TOTP_SKEW, TOTP_STEP, secret.to_bytes().unwrap(), Some(TOTP_ISSUER.to_string()), email).unwrap();\n    let otpurl = totpmachine.get_url();\n    let otpsecret = totpmachine.get_secret_base32();\n\n    let otpid = format!(\"totp-{}\", Uuid::new_v4());\n\n    sqlx::query!(\"INSERT INTO totp_create_tokens (id, expires_on, totp_otpurl, totp_secret) VALUES ($1, $2, $3, $4);\", otpid.clone(), (SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i64 + config.totp_verification_valid_for) as i32, otpurl, otpsecret).execute(db).await?;\n\n    Ok((otpid, totpmachine))\n}\n\npub async fn verify_totp_token(otpid: String, email: String, db: \u0026PgPool) -\u003e Result\u003cTOTP, Box\u003cdyn Error\u003e\u003e {\n    let totprow = sqlx::query!(\"SELECT * FROM totp_create_tokens WHERE id = $1 AND expires_on \u003e $2\", otpid, SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i32).fetch_one(db).await?;\n    let secret = Secret::Encoded(totprow.totp_secret);\n    let totpmachine = TOTP::new(TOTP_ALGORITHM, TOTP_DIGITS, TOTP_SKEW, TOTP_STEP, secret.to_bytes().unwrap(), Some(TOTP_ISSUER.to_string()), email).unwrap();\n\n    if totpmachine.get_url() != totprow.totp_otpurl {\n        return Err(\"OTPURLs do not match (email does not match?)\".into())\n    }\n\n    Ok(totpmachine)\n}\n\npub async fn use_totp_token(otpid: String, email: String, db: \u0026PgPool) -\u003e Result\u003cTOTP, Box\u003cdyn Error\u003e\u003e {\n    let totpmachine = verify_totp_token(otpid.clone(), email.clone(), db).await?;\n    sqlx::query!(\"DELETE FROM totp_create_tokens WHERE id = $1\", otpid).execute(db).await?;\n    sqlx::query!(\"UPDATE users SET totp_otpurl = $1, totp_secret = $2, totp_verified = 1 WHERE email = $3\", totpmachine.get_url(), totpmachine.get_secret_base32(), email).execute(db).await?;\n    Ok(totpmachine)\n}\n\npub async fn get_totpmachine(user: i32, db: \u0026PgPool) -\u003e Result\u003cTOTP, Box\u003cdyn Error\u003e\u003e {\n    let user = sqlx::query!(\"SELECT totp_secret, totp_otpurl, email FROM users WHERE id = $1\", user).fetch_one(db).await?;\n    let secret = Secret::Encoded(user.totp_secret);\n    Ok(TOTP::new(TOTP_ALGORITHM, TOTP_DIGITS, TOTP_SKEW, TOTP_STEP, secret.to_bytes().unwrap(), Some(TOTP_ISSUER.to_string()), user.email).unwrap())\n}\n\npub async fn user_has_totp(user: i32, db: \u0026PgPool) -\u003e Result\u003cbool, Box\u003cdyn Error\u003e\u003e {\n    Ok(sqlx::query!(\"SELECT totp_verified FROM users WHERE id = $1\", user).fetch_one(db).await?.totp_verified == 1)\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-api","src","util.rs"],"content":"use base64::Engine;\nuse totp_rs::Algorithm;\n\npub const TOTP_ALGORITHM: Algorithm = Algorithm::SHA1;\npub const TOTP_DIGITS: usize = 6;\npub const TOTP_SKEW: u8 = 1;\npub const TOTP_STEP: u64 = 30;\npub const TOTP_ISSUER: \u0026str = \"trifidapi\";\n\npub fn base64decode(val: \u0026str) -\u003e Result\u003cVec\u003cu8\u003e, base64::DecodeError\u003e {\n    base64::engine::general_purpose::STANDARD.decode(val)\n}\npub fn base64encode(val: Vec\u003cu8\u003e) -\u003e String {\n    base64::engine::general_purpose::STANDARD.encode(val)\n}","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-pki","src","ca.rs"],"content":"//! Structs to represent a pool of CA's and blacklisted certificates\n\nuse std::collections::HashMap;\nuse std::error::Error;\nuse std::fmt::{Display, Formatter};\nuse std::time::SystemTime;\nuse ed25519_dalek::VerifyingKey;\nuse crate::cert::{deserialize_nebula_certificate_from_pem, NebulaCertificate};\n\n/// A pool of trusted CA certificates, and certificates that should be blocked.\n/// This is equivalent to the `pki` section in a typical Nebula config.yml.\n#[derive(Default)]\npub struct NebulaCAPool {\n    /// The list of CA root certificates that should be trusted.\n    pub cas: HashMap\u003cString, NebulaCertificate\u003e,\n    /// The list of blocklisted certificate fingerprints\n    pub cert_blocklist: Vec\u003cString\u003e,\n    /// True if any of the member CAs certificates are expired. Must be handled.\n    pub expired: bool\n}\n\nimpl NebulaCAPool {\n    /// Create a new, blank CA pool\n    pub fn new() -\u003e Self {\n        Self::default()\n    }\n\n    /// Create a new CA pool from a set of PEM encoded CA certificates.\n    /// If any of the certificates are expired, the pool will **still be returned**, with the expired flag set.\n    /// This must be handled properly.\n    /// # Errors\n    /// This function will return an error if PEM data provided was invalid.\n    pub fn new_from_pem(bytes: \u0026[u8]) -\u003e Result\u003cSelf, Box\u003cdyn Error\u003e\u003e {\n        let pems = pem::parse_many(bytes)?;\n\n        let mut pool = Self::new();\n\n        for cert in pems {\n            match pool.add_ca_certificate(pem::encode(\u0026cert).as_bytes()) {\n                Ok(did_expire) =\u003e if did_expire { pool.expired = true },\n                Err(e) =\u003e return Err(e)\n            }\n        }\n\n        Ok(pool)\n    }\n\n    /// Add a given CA certificate to the CA pool. If the certificate is expired, it will **still be added** - the return value will be `true` instead of `false`\n    /// # Errors\n    /// This function will return an error if the certificate is invalid in any way.\n    pub fn add_ca_certificate(\u0026mut self, bytes: \u0026[u8]) -\u003e Result\u003cbool, Box\u003cdyn Error\u003e\u003e {\n        let cert = deserialize_nebula_certificate_from_pem(bytes)?;\n\n        if !cert.details.is_ca {\n            return Err(CaPoolError::NotACA.into())\n        }\n\n        if !cert.check_signature(\u0026VerifyingKey::from_bytes(\u0026cert.details.public_key)?)? {\n            return Err(CaPoolError::NotSelfSigned.into())\n        }\n\n        let fingerprint = cert.sha256sum()?;\n        let expired = cert.expired(SystemTime::now());\n\n        if expired { self.expired = true }\n\n        self.cas.insert(fingerprint, cert);\n\n       Ok(expired)\n    }\n\n    /// Blocklist the given certificate in the CA pool\n    pub fn blocklist_fingerprint(\u0026mut self, fingerprint: \u0026str) {\n        self.cert_blocklist.push(fingerprint.to_string());\n    }\n\n    /// Clears the list of blocklisted fingerprints\n    pub fn reset_blocklist(\u0026mut self) {\n        self.cert_blocklist = vec![];\n    }\n\n    /// Checks if the given certificate is blocklisted\n    pub fn is_blocklisted(\u0026self, cert: \u0026NebulaCertificate) -\u003e bool {\n        let Ok(h) = cert.sha256sum() else { return false };\n        self.cert_blocklist.contains(\u0026h)\n    }\n\n    /// Gets the CA certificate used to sign the given certificate\n    /// # Errors\n    /// This function will return an error if the certificate does not have an issuer attached (it is self-signed)\n    pub fn get_ca_for_cert(\u0026self, cert: \u0026NebulaCertificate) -\u003e Result\u003cOption\u003c\u0026NebulaCertificate\u003e, Box\u003cdyn Error\u003e\u003e {\n        if cert.details.issuer == String::new() {\n            return Err(CaPoolError::NoIssuer.into())\n        }\n\n        Ok(self.cas.get(\u0026cert.details.issuer))\n    }\n\n    /// Get a list of trusted CA fingerprints\n    pub fn get_fingerprints(\u0026self) -\u003e Vec\u003c\u0026String\u003e {\n        self.cas.keys().collect()\n    }\n}\n\n#[derive(Debug)]\n/// A list of errors that can happen when working with a CA Pool\npub enum CaPoolError {\n    /// Tried to add a non-CA cert to the CA pool\n    NotACA,\n    /// Tried to add a non-self-signed cert to the CA pool (all CAs must be root certificates)\n    NotSelfSigned,\n    /// Tried to look up a certificate that does not have an issuer field\n    NoIssuer\n}\nimpl Error for CaPoolError {}\n#[cfg(not(tarpaulin_include))]\nimpl Display for CaPoolError {\n    fn fmt(\u0026self, f: \u0026mut Formatter\u003c'_\u003e) -\u003e std::fmt::Result {\n        match self {\n            Self::NotACA =\u003e write!(f, \"Tried to add a non-CA cert to the CA pool\"),\n            Self::NotSelfSigned =\u003e write!(f, \"Tried to add a non-self-signed cert to the CA pool (all CAs must be root certificates)\"),\n            Self::NoIssuer =\u003e write!(f, \"Tried to look up a certificate with a null issuer field\")\n        }\n    }\n}","traces":[{"line":24,"address":[453696],"length":1,"stats":{"Line":1},"fn_name":"new"},{"line":25,"address":[453704],"length":1,"stats":{"Line":1},"fn_name":null},{"line":33,"address":[454852,454538,453728],"length":1,"stats":{"Line":1},"fn_name":"new_from_pem"},{"line":34,"address":[453895,453761],"length":1,"stats":{"Line":1},"fn_name":null},{"line":36,"address":[453885],"length":1,"stats":{"Line":1},"fn_name":null},{"line":38,"address":[454023,454788,454117,454667],"length":1,"stats":{"Line":3},"fn_name":null},{"line":39,"address":[454500,454418,454339],"length":1,"stats":{"Line":3},"fn_name":null},{"line":40,"address":[454759,454549],"length":1,"stats":{"Line":2},"fn_name":null},{"line":41,"address":[454586],"length":1,"stats":{"Line":0},"fn_name":null},{"line":45,"address":[454793],"length":1,"stats":{"Line":1},"fn_name":null},{"line":51,"address":[456302,454880],"length":1,"stats":{"Line":1},"fn_name":"add_ca_certificate"},{"line":52,"address":[454952,455110],"length":1,"stats":{"Line":1},"fn_name":null},{"line":54,"address":[455090],"length":1,"stats":{"Line":3},"fn_name":null},{"line":55,"address":[455190,455279],"length":1,"stats":{"Line":2},"fn_name":null},{"line":58,"address":[455304,455183,455546],"length":1,"stats":{"Line":8},"fn_name":null},{"line":59,"address":[455715],"length":1,"stats":{"Line":0},"fn_name":null},{"line":62,"address":[455708,455909,455791],"length":1,"stats":{"Line":5},"fn_name":null},{"line":63,"address":[456066,455881],"length":1,"stats":{"Line":6},"fn_name":null},{"line":65,"address":[456216,456093],"length":1,"stats":{"Line":4},"fn_name":null},{"line":67,"address":[456230,456097],"length":1,"stats":{"Line":6},"fn_name":null},{"line":69,"address":[456246],"length":1,"stats":{"Line":3},"fn_name":null},{"line":73,"address":[456352],"length":1,"stats":{"Line":1},"fn_name":"blocklist_fingerprint"},{"line":74,"address":[456371],"length":1,"stats":{"Line":1},"fn_name":null},{"line":78,"address":[456480,456416],"length":1,"stats":{"Line":1},"fn_name":"reset_blocklist"},{"line":79,"address":[456434,456512],"length":1,"stats":{"Line":2},"fn_name":null},{"line":83,"address":[456832,456804,456544],"length":1,"stats":{"Line":2},"fn_name":"is_blocklisted"},{"line":84,"address":[456686,456743,456566],"length":1,"stats":{"Line":2},"fn_name":null},{"line":85,"address":[456765,456713],"length":1,"stats":{"Line":4},"fn_name":null},{"line":91,"address":[456982,456848],"length":1,"stats":{"Line":1},"fn_name":"get_ca_for_cert"},{"line":92,"address":[456881],"length":1,"stats":{"Line":1},"fn_name":null},{"line":93,"address":[457047],"length":1,"stats":{"Line":0},"fn_name":null},{"line":96,"address":[457014],"length":1,"stats":{"Line":1},"fn_name":null},{"line":100,"address":[457088],"length":1,"stats":{"Line":1},"fn_name":"get_fingerprints"},{"line":101,"address":[457107],"length":1,"stats":{"Line":1},"fn_name":null}],"covered":31,"coverable":34},{"path":["/","home","core","prj","e3t","trifid","trifid-pki","src","cert.rs"],"content":"//! Manage Nebula PKI Certificates\n//! This is pretty much a direct port of nebula/cert/cert.go\n\nuse std::error::Error;\nuse std::fmt::{Display, Formatter};\nuse std::net::Ipv4Addr;\nuse std::ops::Add;\nuse std::time::{Duration, SystemTime, UNIX_EPOCH};\nuse ed25519_dalek::{Signature, Signer, SigningKey, Verifier, VerifyingKey};\nuse ipnet::{Ipv4Net};\nuse pem::Pem;\nuse quick_protobuf::{BytesReader, MessageRead, MessageWrite, Writer};\nuse sha2::Sha256;\nuse crate::ca::NebulaCAPool;\nuse crate::cert_codec::{RawNebulaCertificate, RawNebulaCertificateDetails};\nuse sha2::Digest;\n\n/// The length, in bytes, of public keys\npub const PUBLIC_KEY_LENGTH: i32 = 32;\n\n/// The PEM banner for certificates\npub const CERT_BANNER: \u0026str = \"NEBULA CERTIFICATE\";\n/// The PEM banner for X25519 private keys\npub const X25519_PRIVATE_KEY_BANNER: \u0026str = \"NEBULA X25519 PRIVATE KEY\";\n/// The PEM banner for X25519 public keys\npub const X25519_PUBLIC_KEY_BANNER: \u0026str = \"NEBULA X25519 PUBLIC KEY\";\n/// The PEM banner for Ed25519 private keys\npub const ED25519_PRIVATE_KEY_BANNER: \u0026str = \"NEBULA ED25519 PRIVATE KEY\";\n/// The PEM banner for Ed25519 public keys\npub const ED25519_PUBLIC_KEY_BANNER: \u0026str = \"NEBULA ED25519 PUBLIC KEY\";\n\n/// A Nebula PKI certificate\n#[derive(Debug, Clone)]\npub struct NebulaCertificate {\n    /// The signed data of this certificate\n    pub details: NebulaCertificateDetails,\n    /// The Ed25519 signature of this certificate\n    pub signature: Vec\u003cu8\u003e\n}\n\n/// The signed details contained in a Nebula PKI certificate\n#[derive(Debug, Clone)]\npub struct NebulaCertificateDetails {\n    /// The name of the identity this certificate was issued for\n    pub name: String,\n    /// The IPv4 addresses issued to this node\n    pub ips: Vec\u003cIpv4Net\u003e,\n    /// The IPv4 subnets this node is responsible for routing\n    pub subnets: Vec\u003cIpv4Net\u003e,\n    /// The groups this node is a part of\n    pub groups: Vec\u003cString\u003e,\n    /// Certificate start date and time\n    pub not_before: SystemTime,\n    /// Certificate expiry date and time\n    pub not_after: SystemTime,\n    /// Public key\n    pub public_key: [u8; PUBLIC_KEY_LENGTH as usize],\n    /// Is this node a CA?\n    pub is_ca: bool,\n    /// SHA256 of issuer certificate. If blank, this cert is self-signed.\n    pub issuer: String\n}\n\n/// A list of errors that can occur parsing certificates\n#[derive(Debug)]\npub enum CertificateError {\n    /// Attempted to deserialize a certificate from an empty byte array\n    EmptyByteArray,\n    /// The encoded Details field is null\n    NilDetails,\n    /// The encoded Ips field is not formatted correctly\n    IpsNotPairs,\n    /// The encoded Subnets field is not formatted correctly\n    SubnetsNotPairs,\n    /// Signatures are expected to be 64 bytes but the signature on the certificate was a different length\n    WrongSigLength,\n    /// Public keys are expected to be 32 bytes but the public key on this cert is not\n    WrongKeyLength,\n    /// Certificates should have the PEM tag `NEBULA CERTIFICATE`, but this block did not\n    WrongPemTag,\n    /// This certificate either is not yet valid or has already expired\n    Expired,\n    /// The public key does not match the expected value\n    KeyMismatch\n}\n#[cfg(not(tarpaulin_include))]\nimpl Display for CertificateError {\n    fn fmt(\u0026self, f: \u0026mut Formatter\u003c'_\u003e) -\u003e std::fmt::Result {\n        match self {\n            Self::EmptyByteArray =\u003e write!(f, \"Certificate bytearray is empty\"),\n            Self::NilDetails =\u003e write!(f, \"The encoded Details field is null\"),\n            Self::IpsNotPairs =\u003e write!(f, \"encoded IPs should be in pairs, an odd number was found\"),\n            Self::SubnetsNotPairs =\u003e write!(f, \"encoded subnets should be in pairs, an odd number was found\"),\n            Self::WrongSigLength =\u003e write!(f, \"Signature should be 64 bytes but is a different size\"),\n            Self::WrongKeyLength =\u003e write!(f, \"Public keys are expected to be 32 bytes but the public key on this cert is not\"),\n            Self::WrongPemTag =\u003e write!(f, \"Certificates should have the PEM tag `NEBULA CERTIFICATE`, but this block did not\"),\n            Self::Expired =\u003e write!(f, \"This certificate either is not yet valid or has already expired\"),\n            Self::KeyMismatch =\u003e write!(f, \"Key does not match expected value\")\n        }\n    }\n}\nimpl Error for CertificateError {}\n\nfn map_cidr_pairs(pairs: \u0026[u32]) -\u003e Result\u003cVec\u003cIpv4Net\u003e, Box\u003cdyn Error\u003e\u003e {\n    let mut res_vec = vec![];\n    for pair in pairs.chunks(2) {\n        res_vec.push(Ipv4Net::with_netmask(Ipv4Addr::from(pair[0]), Ipv4Addr::from(pair[1]))?);\n    }\n    Ok(res_vec)\n}\n\n#[cfg(not(tarpaulin_include))]\nimpl Display for NebulaCertificate {\n    #[allow(clippy::unwrap_used)]\n    fn fmt(\u0026self, f: \u0026mut Formatter\u003c'_\u003e) -\u003e std::fmt::Result {\n        writeln!(f, \"NebulaCertificate {{\")?;\n        writeln!(f, \"   Details {{\")?;\n        writeln!(f, \"       Name: {}\", self.details.name)?;\n        writeln!(f, \"       Ips: {:?}\", self.details.ips)?;\n        writeln!(f, \"       Subnets: {:?}\", self.details.subnets)?;\n        writeln!(f, \"       Groups: {:?}\", self.details.groups)?;\n        writeln!(f, \"       Not before: {:?}\", self.details.not_before)?;\n        writeln!(f, \"       Not after: {:?}\", self.details.not_after)?;\n        writeln!(f, \"       Is CA: {}\", self.details.is_ca)?;\n        writeln!(f, \"       Issuer: {}\", self.details.issuer)?;\n        writeln!(f, \"       Public key: {}\", hex::encode(self.details.public_key))?;\n        writeln!(f, \"   }}\")?;\n        writeln!(f, \"   Fingerprint: {}\", self.sha256sum().unwrap())?;\n        writeln!(f, \"   Signature: {}\", hex::encode(self.signature.clone()))?;\n        writeln!(f, \"}}\")\n    }\n}\n\n/// Given a protobuf-encoded certificate bytearray, deserialize it into a `NebulaCertificate` object.\n/// # Errors\n/// This function will return an error if there is a protobuf parsing error, or if the certificate data is invalid.\n/// # Panics\npub fn deserialize_nebula_certificate(bytes: \u0026[u8]) -\u003e Result\u003cNebulaCertificate, Box\u003cdyn Error\u003e\u003e {\n    if bytes.is_empty() {\n        return Err(CertificateError::EmptyByteArray.into())\n    }\n\n    let mut reader = BytesReader::from_bytes(bytes);\n\n    let raw_cert = RawNebulaCertificate::from_reader(\u0026mut reader, bytes)?;\n\n    let details = raw_cert.Details.ok_or(CertificateError::NilDetails)?;\n\n    if details.Ips.len() % 2 != 0 {\n        return Err(CertificateError::IpsNotPairs.into())\n    }\n\n    if details.Subnets.len() % 2 != 0 {\n        return Err(CertificateError::SubnetsNotPairs.into())\n    }\n\n    let mut nebula_cert;\n    #[allow(clippy::cast_sign_loss)]\n    {\n        nebula_cert = NebulaCertificate {\n            details: NebulaCertificateDetails {\n                name: details.Name.to_string(),\n                ips: map_cidr_pairs(\u0026details.Ips)?,\n                subnets: map_cidr_pairs(\u0026details.Subnets)?,\n                groups: details.Groups.iter().map(std::string::ToString::to_string).collect(),\n                not_before: SystemTime::UNIX_EPOCH.add(Duration::from_secs(details.NotBefore as u64)),\n                not_after: SystemTime::UNIX_EPOCH.add(Duration::from_secs(details.NotAfter as u64)),\n                public_key: [0u8; 32],\n                is_ca: details.IsCA,\n                issuer: hex::encode(details.Issuer),\n            },\n            signature: vec![],\n        };\n    }\n\n    nebula_cert.signature = raw_cert.Signature;\n\n    if details.PublicKey.len() != 32 {\n        return Err(CertificateError::WrongKeyLength.into())\n    }\n\n    #[allow(clippy::unwrap_used)] { nebula_cert.details.public_key = details.PublicKey.try_into().unwrap(); }\n\n    Ok(nebula_cert)\n}\n\n/// A list of errors that can occur parsing keys\n#[derive(Debug)]\npub enum KeyError {\n    /// Keys should have their associated PEM tags but this had the wrong one\n    WrongPemTag,\n    /// Ed25519 private keys are 64 bytes\n    Not64Bytes,\n    /// X25519 private keys are 32 bytes\n    Not32Bytes\n}\n#[cfg(not(tarpaulin_include))]\nimpl Display for KeyError {\n    fn fmt(\u0026self, f: \u0026mut Formatter\u003c'_\u003e) -\u003e std::fmt::Result {\n        match self {\n            Self::WrongPemTag =\u003e write!(f, \"Keys should have their associated PEM tags but this had the wrong one\"),\n            Self::Not64Bytes =\u003e write!(f, \"Ed25519 private keys are 64 bytes\"),\n            Self::Not32Bytes =\u003e write!(f, \"X25519 private keys are 32 bytes\")\n        }\n    }\n}\nimpl Error for KeyError {}\n\n\n/// Deserialize the first PEM block in the given byte array into a `NebulaCertificate`\n/// # Errors\n/// This function will return an error if the PEM data is invalid, or if there is an error parsing the certificate (see `deserialize_nebula_certificate`)\npub fn deserialize_nebula_certificate_from_pem(bytes: \u0026[u8]) -\u003e Result\u003cNebulaCertificate, Box\u003cdyn Error\u003e\u003e {\n    let pem = pem::parse(bytes)?;\n    if pem.tag != CERT_BANNER {\n        return Err(CertificateError::WrongPemTag.into())\n    }\n    deserialize_nebula_certificate(\u0026pem.contents)\n}\n\n/// Simple helper to PEM encode an X25519 private key\npub fn serialize_x25519_private(bytes: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n    pem::encode(\u0026Pem {\n        tag: X25519_PRIVATE_KEY_BANNER.to_string(),\n        contents: bytes.to_vec(),\n    }).as_bytes().to_vec()\n}\n\n/// Simple helper to PEM encode an X25519 public key\npub fn serialize_x25519_public(bytes: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n    pem::encode(\u0026Pem {\n        tag: X25519_PUBLIC_KEY_BANNER.to_string(),\n        contents: bytes.to_vec(),\n    }).as_bytes().to_vec()\n}\n\n/// Attempt to deserialize a PEM encoded X25519 private key\n/// # Errors\n/// This function will return an error if the PEM data is invalid or has the wrong tag\npub fn deserialize_x25519_private(bytes: \u0026[u8]) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n    let pem = pem::parse(bytes)?;\n    if pem.tag != X25519_PRIVATE_KEY_BANNER {\n        return Err(KeyError::WrongPemTag.into())\n    }\n    if pem.contents.len() != 32 {\n        return Err(KeyError::Not32Bytes.into())\n    }\n    Ok(pem.contents)\n}\n\n/// Attempt to deserialize a PEM encoded X25519 public key\n/// # Errors\n/// This function will return an error if the PEM data is invalid or has the wrong tag\npub fn deserialize_x25519_public(bytes: \u0026[u8]) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n    let pem = pem::parse(bytes)?;\n    if pem.tag != X25519_PUBLIC_KEY_BANNER {\n        return Err(KeyError::WrongPemTag.into())\n    }\n    if pem.contents.len() != 32 {\n        return Err(KeyError::Not32Bytes.into())\n    }\n    Ok(pem.contents)\n}\n\n/// Simple helper to PEM encode an Ed25519 private key\npub fn serialize_ed25519_private(bytes: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n    pem::encode(\u0026Pem {\n        tag: ED25519_PRIVATE_KEY_BANNER.to_string(),\n        contents: bytes.to_vec(),\n    }).as_bytes().to_vec()\n}\n\n/// Simple helper to PEM encode an Ed25519 public key\npub fn serialize_ed25519_public(bytes: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n    pem::encode(\u0026Pem {\n        tag: ED25519_PUBLIC_KEY_BANNER.to_string(),\n        contents: bytes.to_vec(),\n    }).as_bytes().to_vec()\n}\n\n/// Attempt to deserialize a PEM encoded Ed25519 private key\n/// # Errors\n/// This function will return an error if the PEM data is invalid or has the wrong tag\npub fn deserialize_ed25519_private(bytes: \u0026[u8]) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n    let pem = pem::parse(bytes)?;\n    if pem.tag != ED25519_PRIVATE_KEY_BANNER {\n        return Err(KeyError::WrongPemTag.into())\n    }\n    if pem.contents.len() != 64 {\n        return Err(KeyError::Not64Bytes.into())\n    }\n    Ok(pem.contents)\n}\n\n/// Attempt to deserialize a PEM encoded Ed25519 public key\n/// # Errors\n/// This function will return an error if the PEM data is invalid or has the wrong tag\npub fn deserialize_ed25519_public(bytes: \u0026[u8]) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n    let pem = pem::parse(bytes)?;\n    if pem.tag != ED25519_PUBLIC_KEY_BANNER {\n        return Err(KeyError::WrongPemTag.into())\n    }\n    if pem.contents.len() != 64 {\n        return Err(KeyError::Not64Bytes.into())\n    }\n    Ok(pem.contents)\n}\n\nimpl NebulaCertificate {\n    /// Sign a nebula certificate with the provided private key\n    /// # Errors\n    /// This function will return an error if the certificate could not be serialized or signed.\n    pub fn sign(\u0026mut self, key: \u0026SigningKey) -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n        let mut out = Vec::new();\n        let mut writer = Writer::new(\u0026mut out);\n        self.get_raw_details().write_message(\u0026mut writer)?;\n\n        self.signature = key.sign(\u0026out).to_vec();\n        Ok(())\n    }\n\n    /// Verify the signature on a certificate with the provided public key\n    /// # Errors\n    /// This function will return an error if the certificate could not be serialized or the signature could not be checked.\n    pub fn check_signature(\u0026self, key: \u0026VerifyingKey) -\u003e Result\u003cbool, Box\u003cdyn Error\u003e\u003e {\n        let mut out = Vec::new();\n        let mut writer = Writer::new(\u0026mut out);\n        self.get_raw_details().write_message(\u0026mut writer)?;\n\n        let sig = Signature::from_slice(\u0026self.signature)?;\n\n        Ok(key.verify(\u0026out, \u0026sig).is_ok())\n    }\n\n    /// Returns true if the signature is too young or too old compared to the provided time\n    pub fn expired(\u0026self, time: SystemTime) -\u003e bool {\n        self.details.not_before \u003e time || self.details.not_after \u003c time\n    }\n\n    /// Verify will ensure a certificate is good in all respects (expiry, group membership, signature, cert blocklist, etc)\n    /// # Errors\n    /// This function will return an error if there is an error parsing the cert or the CA pool.\n    pub fn verify(\u0026self, time: SystemTime, ca_pool: \u0026NebulaCAPool) -\u003e Result\u003cCertificateValidity, Box\u003cdyn Error\u003e\u003e {\n        if ca_pool.is_blocklisted(self) {\n            return Ok(CertificateValidity::Blocklisted);\n        }\n\n        let Some(signer) = ca_pool.get_ca_for_cert(self)? else { return Ok(CertificateValidity::NotSignedByThisCAPool) };\n\n        if signer.expired(time) {\n            return Ok(CertificateValidity::RootCertExpired)\n        }\n\n        if self.expired(time) {\n            return Ok(CertificateValidity::CertExpired)\n        }\n\n        if !self.check_signature(\u0026VerifyingKey::from_bytes(\u0026signer.details.public_key)?)? {\n            return Ok(CertificateValidity::BadSignature)\n        }\n\n        Ok(self.check_root_constraints(signer))\n    }\n\n    /// Make sure that this certificate does not break any of the constraints set by the signing certificate\n    pub fn check_root_constraints(\u0026self, signer: \u0026Self) -\u003e CertificateValidity {\n        // Make sure this cert doesn't expire after the signer\n        println!(\"{:?} {:?}\", signer.details.not_before, self.details.not_before);\n        if signer.details.not_before \u003c self.details.not_before {\n            return CertificateValidity::CertExpiresAfterSigner;\n        }\n\n        // Make sure this cert doesn't come into validity before the root\n        if signer.details.not_before \u003e self.details.not_before {\n            return CertificateValidity::CertValidBeforeSigner;\n        }\n\n        // If the signer contains a limited set of groups, make sure this cert only has a subset of them\n        if !signer.details.groups.is_empty() {\n            println!(\"root groups: {:?}, child groups: {:?}\", signer.details.groups, self.details.groups);\n            for group in \u0026self.details.groups {\n                if !signer.details.groups.contains(group) {\n                    return CertificateValidity::GroupNotPresentOnSigner;\n                }\n            }\n        }\n\n        // If the signer contains a limited set of IP ranges, make sure the cert only contains a subset\n        if !signer.details.ips.is_empty() {\n            for ip in \u0026self.details.ips {\n                if !net_match(*ip, \u0026signer.details.ips) {\n                    return CertificateValidity::IPNotPresentOnSigner;\n                }\n            }\n        }\n\n        // If the signer contains a limited set of subnets, make sure the cert only contains a subset\n        if !signer.details.subnets.is_empty() {\n            for subnet in \u0026self.details.subnets {\n                if !net_match(*subnet, \u0026signer.details.subnets) {\n                    return CertificateValidity::SubnetNotPresentOnSigner;\n                }\n            }\n        }\n\n        CertificateValidity::Ok\n    }\n\n    #[allow(clippy::unwrap_used)]\n    /// Verify if the given private key corresponds to the public key contained in this certificate\n    /// # Errors\n    /// This function will return an error if either keys are invalid.\n    /// # Panics\n    /// This function, while containing calls to unwrap, has proper bounds checking and will not panic.\n    pub fn verify_private_key(\u0026self, key: \u0026[u8]) -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n        if self.details.is_ca {\n            // convert the keys\n            if key.len() != 64 {\n                return Err(\"key not 64-bytes long\".into())\n            }\n\n\n            let secret = SigningKey::from_keypair_bytes(key.try_into().unwrap())?;\n            let pub_key = secret.verifying_key().to_bytes();\n            if pub_key != self.details.public_key {\n                return Err(CertificateError::KeyMismatch.into());\n            }\n\n            return Ok(());\n        }\n\n        if key.len() != 32 {\n            return Err(\"key not 32-bytes long\".into())\n        }\n\n        let pubkey_raw = SigningKey::from_bytes(key.try_into()?).verifying_key();\n        let pubkey = pubkey_raw.as_bytes();\n\n        println!(\"{} {}\", hex::encode(pubkey), hex::encode(self.details.public_key));\n        if *pubkey != self.details.public_key {\n            return Err(CertificateError::KeyMismatch.into());\n        }\n\n        Ok(())\n    }\n\n\n    /// Get a protobuf-ready raw struct, ready for serialization\n    #[allow(clippy::expect_used)]\n    #[allow(clippy::cast_possible_wrap)]\n    /// # Panics\n    /// This function will panic if time went backwards, or if the certificate contains extremely invalid data.\n    pub fn get_raw_details(\u0026self) -\u003e RawNebulaCertificateDetails {\n\n        let mut raw = RawNebulaCertificateDetails {\n            Name: self.details.name.clone(),\n            Ips: vec![],\n            Subnets: vec![],\n            Groups: self.details.groups.iter().map(std::convert::Into::into).collect(),\n            NotBefore: self.details.not_before.duration_since(UNIX_EPOCH).expect(\"Time went backwards\").as_secs() as i64,\n            NotAfter: self.details.not_after.duration_since(UNIX_EPOCH).expect(\"Time went backwards\").as_secs() as i64,\n            PublicKey: self.details.public_key.into(),\n            IsCA: self.details.is_ca,\n            Issuer: hex::decode(\u0026self.details.issuer).expect(\"Issuer was not a hex-encoded value\"),\n        };\n\n        for ip_net in \u0026self.details.ips {\n            raw.Ips.push(ip_net.addr().into());\n            raw.Ips.push(ip_net.netmask().into());\n        }\n\n        for subnet in \u0026self.details.subnets {\n            raw.Subnets.push(subnet.addr().into());\n            raw.Subnets.push(subnet.netmask().into());\n        }\n\n        raw\n    }\n\n    /// Will serialize this cert into a protobuf byte array.\n    /// # Errors\n    /// This function will return an error if protobuf was unable to serialize the data.\n    pub fn serialize(\u0026self) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n        let raw_cert = RawNebulaCertificate {\n            Details: Some(self.get_raw_details()),\n            Signature: self.signature.clone(),\n        };\n\n        let mut out = vec![];\n        let mut writer = Writer::new(\u0026mut out);\n        raw_cert.write_message(\u0026mut writer)?;\n\n        Ok(out)\n    }\n\n    /// Will serialize this cert into a PEM byte array.\n    /// # Errors\n    /// This function will return an error if protobuf was unable to serialize the data.\n    pub fn serialize_to_pem(\u0026self) -\u003e Result\u003cVec\u003cu8\u003e, Box\u003cdyn Error\u003e\u003e {\n        let pbuf_bytes = self.serialize()?;\n\n        Ok(pem::encode(\u0026Pem {\n            tag: CERT_BANNER.to_string(),\n            contents: pbuf_bytes,\n        }).as_bytes().to_vec())\n    }\n\n    /// Get the fingerprint of this certificate\n    /// # Errors\n    /// This functiom will return an error if protobuf was unable to serialize the cert.\n    pub fn sha256sum(\u0026self) -\u003e Result\u003cString, Box\u003cdyn Error\u003e\u003e {\n        let pbuf_bytes = self.serialize()?;\n\n        let mut hasher = Sha256::new();\n        hasher.update(pbuf_bytes);\n\n        Ok(hex::encode(hasher.finalize()))\n    }\n}\n\n/// A list of possible errors that can happen validating a certificate\n#[derive(Eq, PartialEq, Debug)]\npub enum CertificateValidity {\n    /// There are no issues with this certificate\n    Ok,\n    /// This cert has been blocklisted in the given CA pool\n    Blocklisted,\n    /// The certificate that signed this cert is expired\n    RootCertExpired,\n    /// This cert is expired\n    CertExpired,\n    /// This cert's signature is invalid\n    BadSignature,\n    /// This cert was not signed by any CAs in the CA pool\n    NotSignedByThisCAPool,\n    /// This cert expires after the signer's cert expires\n    CertExpiresAfterSigner,\n    /// This cert enters validity before the signer's cert does\n    CertValidBeforeSigner,\n    /// A group present on this certificate is not present on the signer's certificate\n    GroupNotPresentOnSigner,\n    /// An IP present on this certificate is not present on the signer's certificate\n    IPNotPresentOnSigner,\n    /// A subnet on this certificate is not present on the signer's certificate\n    SubnetNotPresentOnSigner\n}\n\nfn net_match(cert_ip: Ipv4Net, root_ips: \u0026Vec\u003cIpv4Net\u003e) -\u003e bool {\n    for net in root_ips {\n        if net.contains(\u0026cert_ip) {\n            return true;\n        }\n    }\n    false\n}","traces":[{"line":104,"address":[549155,548224],"length":1,"stats":{"Line":1},"fn_name":"map_cidr_pairs"},{"line":105,"address":[548267],"length":1,"stats":{"Line":1},"fn_name":null},{"line":106,"address":[548589,548304,548365],"length":1,"stats":{"Line":3},"fn_name":null},{"line":107,"address":[549150,548631],"length":1,"stats":{"Line":2},"fn_name":null},{"line":109,"address":[548502],"length":1,"stats":{"Line":1},"fn_name":null},{"line":138,"address":[553592,557101,552064],"length":1,"stats":{"Line":4},"fn_name":"deserialize_nebula_certificate"},{"line":139,"address":[552141],"length":1,"stats":{"Line":4},"fn_name":null},{"line":140,"address":[552335],"length":1,"stats":{"Line":1},"fn_name":null},{"line":143,"address":[552219],"length":1,"stats":{"Line":3},"fn_name":null},{"line":145,"address":[552263,552598,552449],"length":1,"stats":{"Line":6},"fn_name":null},{"line":147,"address":[552509,552824,553002],"length":1,"stats":{"Line":6},"fn_name":null},{"line":149,"address":[553149,552964],"length":1,"stats":{"Line":6},"fn_name":null},{"line":150,"address":[553186],"length":1,"stats":{"Line":1},"fn_name":null},{"line":153,"address":[553293,553159],"length":1,"stats":{"Line":4},"fn_name":null},{"line":154,"address":[553326],"length":1,"stats":{"Line":1},"fn_name":null},{"line":160,"address":[555110],"length":1,"stats":{"Line":3},"fn_name":null},{"line":161,"address":[554782],"length":1,"stats":{"Line":3},"fn_name":null},{"line":162,"address":[553303],"length":1,"stats":{"Line":1},"fn_name":null},{"line":163,"address":[553603,553449,553713,553549],"length":1,"stats":{"Line":3},"fn_name":null},{"line":164,"address":[554067,553916,553667],"length":1,"stats":{"Line":2},"fn_name":null},{"line":165,"address":[554344,554021],"length":1,"stats":{"Line":2},"fn_name":null},{"line":166,"address":[554526,554437],"length":1,"stats":{"Line":4},"fn_name":null},{"line":167,"address":[554583],"length":1,"stats":{"Line":2},"fn_name":null},{"line":168,"address":[554667],"length":1,"stats":{"Line":2},"fn_name":null},{"line":169,"address":[554686],"length":1,"stats":{"Line":2},"fn_name":null},{"line":170,"address":[554697],"length":1,"stats":{"Line":2},"fn_name":null},{"line":172,"address":[555013],"length":1,"stats":{"Line":3},"fn_name":null},{"line":176,"address":[555185],"length":1,"stats":{"Line":4},"fn_name":null},{"line":178,"address":[555367],"length":1,"stats":{"Line":4},"fn_name":null},{"line":179,"address":[555468],"length":1,"stats":{"Line":1},"fn_name":null},{"line":184,"address":[556429],"length":1,"stats":{"Line":3},"fn_name":null},{"line":213,"address":[557392,557869],"length":1,"stats":{"Line":1},"fn_name":"deserialize_nebula_certificate_from_pem"},{"line":214,"address":[557425,557589],"length":1,"stats":{"Line":2},"fn_name":null},{"line":215,"address":[557721,557563],"length":1,"stats":{"Line":2},"fn_name":null},{"line":216,"address":[557753],"length":1,"stats":{"Line":1},"fn_name":null},{"line":218,"address":[557846,557727],"length":1,"stats":{"Line":2},"fn_name":null},{"line":222,"address":[557904,558115],"length":1,"stats":{"Line":1},"fn_name":"serialize_x25519_private"},{"line":223,"address":[558184,558254,558042],"length":1,"stats":{"Line":3},"fn_name":null},{"line":224,"address":[557947],"length":1,"stats":{"Line":1},"fn_name":null},{"line":225,"address":[557982],"length":1,"stats":{"Line":1},"fn_name":null},{"line":226,"address":[558001],"length":1,"stats":{"Line":0},"fn_name":null},{"line":230,"address":[558531,558320],"length":1,"stats":{"Line":1},"fn_name":"serialize_x25519_public"},{"line":231,"address":[558600,558458,558670],"length":1,"stats":{"Line":3},"fn_name":null},{"line":232,"address":[558363],"length":1,"stats":{"Line":1},"fn_name":null},{"line":233,"address":[558398],"length":1,"stats":{"Line":1},"fn_name":null},{"line":234,"address":[558417],"length":1,"stats":{"Line":0},"fn_name":null},{"line":240,"address":[559351,558736],"length":1,"stats":{"Line":1},"fn_name":"deserialize_x25519_private"},{"line":241,"address":[558769,558933],"length":1,"stats":{"Line":2},"fn_name":null},{"line":242,"address":[558907,559065],"length":1,"stats":{"Line":2},"fn_name":null},{"line":243,"address":[559092],"length":1,"stats":{"Line":1},"fn_name":null},{"line":245,"address":[559071,559176],"length":1,"stats":{"Line":2},"fn_name":null},{"line":246,"address":[559285],"length":1,"stats":{"Line":1},"fn_name":null},{"line":248,"address":[559187],"length":1,"stats":{"Line":2},"fn_name":null},{"line":254,"address":[559392,560007],"length":1,"stats":{"Line":1},"fn_name":"deserialize_x25519_public"},{"line":255,"address":[559425,559589],"length":1,"stats":{"Line":2},"fn_name":null},{"line":256,"address":[559721,559563],"length":1,"stats":{"Line":2},"fn_name":null},{"line":257,"address":[559748],"length":1,"stats":{"Line":0},"fn_name":null},{"line":259,"address":[559727,559832],"length":1,"stats":{"Line":2},"fn_name":null},{"line":260,"address":[559941],"length":1,"stats":{"Line":1},"fn_name":null},{"line":262,"address":[559843],"length":1,"stats":{"Line":1},"fn_name":null},{"line":266,"address":[560048,560259],"length":1,"stats":{"Line":1},"fn_name":"serialize_ed25519_private"},{"line":267,"address":[560186,560398,560328],"length":1,"stats":{"Line":3},"fn_name":null},{"line":268,"address":[560091],"length":1,"stats":{"Line":1},"fn_name":null},{"line":269,"address":[560126],"length":1,"stats":{"Line":1},"fn_name":null},{"line":270,"address":[560145],"length":1,"stats":{"Line":0},"fn_name":null},{"line":274,"address":[560464,560675],"length":1,"stats":{"Line":1},"fn_name":"serialize_ed25519_public"},{"line":275,"address":[560602,560744,560814],"length":1,"stats":{"Line":3},"fn_name":null},{"line":276,"address":[560507],"length":1,"stats":{"Line":1},"fn_name":null},{"line":277,"address":[560542],"length":1,"stats":{"Line":1},"fn_name":null},{"line":278,"address":[560561],"length":1,"stats":{"Line":0},"fn_name":null},{"line":284,"address":[560880,561495],"length":1,"stats":{"Line":1},"fn_name":"deserialize_ed25519_private"},{"line":285,"address":[561077,560913],"length":1,"stats":{"Line":2},"fn_name":null},{"line":286,"address":[561051,561209],"length":1,"stats":{"Line":2},"fn_name":null},{"line":287,"address":[561236],"length":1,"stats":{"Line":1},"fn_name":null},{"line":289,"address":[561215,561320],"length":1,"stats":{"Line":2},"fn_name":null},{"line":290,"address":[561429],"length":1,"stats":{"Line":1},"fn_name":null},{"line":292,"address":[561331],"length":1,"stats":{"Line":1},"fn_name":null},{"line":298,"address":[561536,562151],"length":1,"stats":{"Line":1},"fn_name":"deserialize_ed25519_public"},{"line":299,"address":[561733,561569],"length":1,"stats":{"Line":2},"fn_name":null},{"line":300,"address":[561865,561707],"length":1,"stats":{"Line":2},"fn_name":null},{"line":301,"address":[561892],"length":1,"stats":{"Line":1},"fn_name":null},{"line":303,"address":[561871,561976],"length":1,"stats":{"Line":2},"fn_name":null},{"line":304,"address":[562085],"length":1,"stats":{"Line":1},"fn_name":null},{"line":306,"address":[561987],"length":1,"stats":{"Line":1},"fn_name":null},{"line":313,"address":[562192,562914,562612],"length":1,"stats":{"Line":3},"fn_name":"sign"},{"line":314,"address":[562225],"length":1,"stats":{"Line":3},"fn_name":null},{"line":315,"address":[562312,562249],"length":1,"stats":{"Line":6},"fn_name":null},{"line":316,"address":[562325],"length":1,"stats":{"Line":3},"fn_name":null},{"line":318,"address":[562652],"length":1,"stats":{"Line":2},"fn_name":null},{"line":319,"address":[562889],"length":1,"stats":{"Line":4},"fn_name":null},{"line":325,"address":[563794,562944,563349],"length":1,"stats":{"Line":1},"fn_name":"check_signature"},{"line":326,"address":[562987],"length":1,"stats":{"Line":1},"fn_name":null},{"line":327,"address":[563011,563074],"length":1,"stats":{"Line":2},"fn_name":null},{"line":328,"address":[563087],"length":1,"stats":{"Line":1},"fn_name":null},{"line":330,"address":[563381,563642],"length":1,"stats":{"Line":2},"fn_name":null},{"line":332,"address":[563611,563748,563856],"length":1,"stats":{"Line":3},"fn_name":null},{"line":336,"address":[563952],"length":1,"stats":{"Line":1},"fn_name":"expired"},{"line":337,"address":[563974],"length":1,"stats":{"Line":1},"fn_name":null},{"line":343,"address":[564048],"length":1,"stats":{"Line":1},"fn_name":"verify"},{"line":344,"address":[564123],"length":1,"stats":{"Line":1},"fn_name":null},{"line":345,"address":[564200],"length":1,"stats":{"Line":1},"fn_name":null},{"line":348,"address":[564224,564142,564357,564324],"length":1,"stats":{"Line":5},"fn_name":null},{"line":350,"address":[564341],"length":1,"stats":{"Line":2},"fn_name":null},{"line":351,"address":[564403],"length":1,"stats":{"Line":1},"fn_name":null},{"line":354,"address":[564387],"length":1,"stats":{"Line":1},"fn_name":null},{"line":355,"address":[564479],"length":1,"stats":{"Line":1},"fn_name":null},{"line":358,"address":[564495,564671,564423],"length":1,"stats":{"Line":5},"fn_name":null},{"line":359,"address":[564781],"length":1,"stats":{"Line":0},"fn_name":null},{"line":362,"address":[564749],"length":1,"stats":{"Line":2},"fn_name":null},{"line":366,"address":[564800],"length":1,"stats":{"Line":2},"fn_name":"check_root_constraints"},{"line":368,"address":[564846],"length":1,"stats":{"Line":2},"fn_name":null},{"line":369,"address":[564972],"length":1,"stats":{"Line":2},"fn_name":null},{"line":370,"address":[565018],"length":1,"stats":{"Line":0},"fn_name":null},{"line":374,"address":[564999],"length":1,"stats":{"Line":2},"fn_name":null},{"line":375,"address":[565060],"length":1,"stats":{"Line":0},"fn_name":null},{"line":379,"address":[565040],"length":1,"stats":{"Line":2},"fn_name":null},{"line":380,"address":[565101],"length":1,"stats":{"Line":1},"fn_name":null},{"line":381,"address":[565240],"length":1,"stats":{"Line":1},"fn_name":null},{"line":382,"address":[565348],"length":1,"stats":{"Line":1},"fn_name":null},{"line":383,"address":[565384],"length":1,"stats":{"Line":1},"fn_name":null},{"line":389,"address":[565072],"length":1,"stats":{"Line":1},"fn_name":null},{"line":390,"address":[565428],"length":1,"stats":{"Line":1},"fn_name":null},{"line":391,"address":[565525],"length":1,"stats":{"Line":1},"fn_name":null},{"line":392,"address":[565588],"length":1,"stats":{"Line":1},"fn_name":null},{"line":398,"address":[565399],"length":1,"stats":{"Line":1},"fn_name":null},{"line":399,"address":[565613],"length":1,"stats":{"Line":1},"fn_name":null},{"line":400,"address":[565710],"length":1,"stats":{"Line":1},"fn_name":null},{"line":401,"address":[565773],"length":1,"stats":{"Line":1},"fn_name":null},{"line":406,"address":[565598],"length":1,"stats":{"Line":1},"fn_name":null},{"line":415,"address":[565792,566389],"length":1,"stats":{"Line":1},"fn_name":"verify_private_key"},{"line":416,"address":[565847],"length":1,"stats":{"Line":1},"fn_name":null},{"line":418,"address":[565887],"length":1,"stats":{"Line":1},"fn_name":null},{"line":419,"address":[565983],"length":1,"stats":{"Line":0},"fn_name":null},{"line":423,"address":[566145,565909,566040],"length":1,"stats":{"Line":2},"fn_name":null},{"line":424,"address":[566126,566270],"length":1,"stats":{"Line":2},"fn_name":null},{"line":425,"address":[566293],"length":1,"stats":{"Line":1},"fn_name":null},{"line":426,"address":[566328],"length":1,"stats":{"Line":1},"fn_name":null},{"line":429,"address":[566314],"length":1,"stats":{"Line":1},"fn_name":null},{"line":432,"address":[565864],"length":1,"stats":{"Line":1},"fn_name":null},{"line":433,"address":[566503],"length":1,"stats":{"Line":0},"fn_name":null},{"line":436,"address":[566541,566450],"length":1,"stats":{"Line":2},"fn_name":null},{"line":437,"address":[566701],"length":1,"stats":{"Line":1},"fn_name":null},{"line":439,"address":[566738],"length":1,"stats":{"Line":1},"fn_name":null},{"line":440,"address":[567118],"length":1,"stats":{"Line":1},"fn_name":null},{"line":441,"address":[567144],"length":1,"stats":{"Line":1},"fn_name":null},{"line":444,"address":[567127],"length":1,"stats":{"Line":1},"fn_name":null},{"line":453,"address":[567200,568321],"length":1,"stats":{"Line":5},"fn_name":"get_raw_details"},{"line":456,"address":[567239],"length":1,"stats":{"Line":5},"fn_name":null},{"line":457,"address":[567268],"length":1,"stats":{"Line":6},"fn_name":null},{"line":458,"address":[567327],"length":1,"stats":{"Line":5},"fn_name":null},{"line":459,"address":[567383,567474],"length":1,"stats":{"Line":11},"fn_name":null},{"line":460,"address":[567575,567655],"length":1,"stats":{"Line":11},"fn_name":null},{"line":461,"address":[567765],"length":1,"stats":{"Line":5},"fn_name":null},{"line":462,"address":[567911],"length":1,"stats":{"Line":5},"fn_name":null},{"line":463,"address":[567965],"length":1,"stats":{"Line":6},"fn_name":null},{"line":464,"address":[568044,567978],"length":1,"stats":{"Line":11},"fn_name":null},{"line":467,"address":[568528,568400,568294],"length":1,"stats":{"Line":13},"fn_name":null},{"line":468,"address":[568549],"length":1,"stats":{"Line":2},"fn_name":null},{"line":469,"address":[568649],"length":1,"stats":{"Line":2},"fn_name":null},{"line":472,"address":[568751,568496,568857],"length":1,"stats":{"Line":8},"fn_name":null},{"line":473,"address":[568878],"length":1,"stats":{"Line":1},"fn_name":null},{"line":474,"address":[568978],"length":1,"stats":{"Line":1},"fn_name":null},{"line":483,"address":[569287,569072],"length":1,"stats":{"Line":1},"fn_name":"serialize"},{"line":485,"address":[569115],"length":1,"stats":{"Line":1},"fn_name":null},{"line":486,"address":[569152],"length":1,"stats":{"Line":1},"fn_name":null},{"line":489,"address":[569268],"length":1,"stats":{"Line":1},"fn_name":null},{"line":490,"address":[569355,569413],"length":1,"stats":{"Line":5},"fn_name":null},{"line":491,"address":[569613,569442],"length":1,"stats":{"Line":3},"fn_name":null},{"line":493,"address":[569502],"length":1,"stats":{"Line":4},"fn_name":null},{"line":499,"address":[570127,569776],"length":1,"stats":{"Line":1},"fn_name":"serialize_to_pem"},{"line":500,"address":[569801,569918],"length":1,"stats":{"Line":1},"fn_name":null},{"line":502,"address":[570036,570202,570268],"length":1,"stats":{"Line":6},"fn_name":null},{"line":503,"address":[569886],"length":1,"stats":{"Line":1},"fn_name":null},{"line":504,"address":[570010],"length":1,"stats":{"Line":1},"fn_name":null},{"line":511,"address":[570368,570912,570881],"length":1,"stats":{"Line":1},"fn_name":"sha256sum"},{"line":512,"address":[570506,570392],"length":1,"stats":{"Line":1},"fn_name":null},{"line":514,"address":[570495],"length":1,"stats":{"Line":2},"fn_name":null},{"line":515,"address":[570606],"length":1,"stats":{"Line":3},"fn_name":null},{"line":517,"address":[570663],"length":1,"stats":{"Line":2},"fn_name":null},{"line":548,"address":[570928],"length":1,"stats":{"Line":1},"fn_name":"net_match"},{"line":549,"address":[570978,571042],"length":1,"stats":{"Line":2},"fn_name":null},{"line":550,"address":[571052],"length":1,"stats":{"Line":1},"fn_name":null},{"line":551,"address":[571069],"length":1,"stats":{"Line":1},"fn_name":null},{"line":554,"address":[571035],"length":1,"stats":{"Line":1},"fn_name":null}],"covered":174,"coverable":184},{"path":["/","home","core","prj","e3t","trifid","trifid-pki","src","cert_codec.rs"],"content":"// Automatically generated rust module for 'cert_codec.proto' file\n\n#![allow(non_snake_case)]\n#![allow(non_upper_case_globals)]\n#![allow(non_camel_case_types)]\n#![allow(unused_imports)]\n#![allow(unknown_lints)]\n#![allow(clippy::all)]\n#![cfg_attr(rustfmt, rustfmt_skip)]\n#![allow(clippy::pedantic)]\n\nuse quick_protobuf::{MessageInfo, MessageRead, MessageWrite, BytesReader, Writer, WriterBackend, Result};\nuse quick_protobuf::sizeofs::*;\nuse super::*;\n\n#[allow(clippy::derive_partial_eq_without_eq)]\n#[derive(Debug, Default, PartialEq, Clone)]\npub struct RawNebulaCertificate {\n    pub Details: Option\u003ccert_codec::RawNebulaCertificateDetails\u003e,\n    pub Signature: Vec\u003cu8\u003e,\n}\n\nimpl\u003c'a\u003e MessageRead\u003c'a\u003e for RawNebulaCertificate {\n    fn from_reader(r: \u0026mut BytesReader, bytes: \u0026'a [u8]) -\u003e Result\u003cSelf\u003e {\n        let mut msg = Self::default();\n        while !r.is_eof() {\n            match r.next_tag(bytes) {\n                Ok(10) =\u003e msg.Details = Some(r.read_message::\u003ccert_codec::RawNebulaCertificateDetails\u003e(bytes)?),\n                Ok(18) =\u003e msg.Signature = r.read_bytes(bytes)?.to_owned(),\n                Ok(t) =\u003e { r.read_unknown(bytes, t)?; }\n                Err(e) =\u003e return Err(e),\n            }\n        }\n        Ok(msg)\n    }\n}\n\nimpl MessageWrite for RawNebulaCertificate {\n    fn get_size(\u0026self) -\u003e usize {\n        0\n        + self.Details.as_ref().map_or(0, |m| 1 + sizeof_len((m).get_size()))\n        + if self.Signature.is_empty() { 0 } else { 1 + sizeof_len((\u0026self.Signature).len()) }\n    }\n\n    fn write_message\u003cW: WriterBackend\u003e(\u0026self, w: \u0026mut Writer\u003cW\u003e) -\u003e Result\u003c()\u003e {\n        if let Some(ref s) = self.Details { w.write_with_tag(10, |w| w.write_message(s))?; }\n        if !self.Signature.is_empty() { w.write_with_tag(18, |w| w.write_bytes(\u0026**\u0026self.Signature))?; }\n        Ok(())\n    }\n}\n\n#[allow(clippy::derive_partial_eq_without_eq)]\n#[derive(Debug, Default, PartialEq, Clone)]\npub struct RawNebulaCertificateDetails {\n    pub Name: String,\n    pub Ips: Vec\u003cu32\u003e,\n    pub Subnets: Vec\u003cu32\u003e,\n    pub Groups: Vec\u003cString\u003e,\n    pub NotBefore: i64,\n    pub NotAfter: i64,\n    pub PublicKey: Vec\u003cu8\u003e,\n    pub IsCA: bool,\n    pub Issuer: Vec\u003cu8\u003e,\n}\n\nimpl\u003c'a\u003e MessageRead\u003c'a\u003e for RawNebulaCertificateDetails {\n    fn from_reader(r: \u0026mut BytesReader, bytes: \u0026'a [u8]) -\u003e Result\u003cSelf\u003e {\n        let mut msg = Self::default();\n        while !r.is_eof() {\n            match r.next_tag(bytes) {\n                Ok(10) =\u003e msg.Name = r.read_string(bytes)?.to_owned(),\n                Ok(18) =\u003e msg.Ips = r.read_packed(bytes, |r, bytes| Ok(r.read_uint32(bytes)?))?,\n                Ok(26) =\u003e msg.Subnets = r.read_packed(bytes, |r, bytes| Ok(r.read_uint32(bytes)?))?,\n                Ok(34) =\u003e msg.Groups.push(r.read_string(bytes)?.to_owned()),\n                Ok(40) =\u003e msg.NotBefore = r.read_int64(bytes)?,\n                Ok(48) =\u003e msg.NotAfter = r.read_int64(bytes)?,\n                Ok(58) =\u003e msg.PublicKey = r.read_bytes(bytes)?.to_owned(),\n                Ok(64) =\u003e msg.IsCA = r.read_bool(bytes)?,\n                Ok(74) =\u003e msg.Issuer = r.read_bytes(bytes)?.to_owned(),\n                Ok(t) =\u003e { r.read_unknown(bytes, t)?; }\n                Err(e) =\u003e return Err(e),\n            }\n        }\n        Ok(msg)\n    }\n}\n\nimpl MessageWrite for RawNebulaCertificateDetails {\n    fn get_size(\u0026self) -\u003e usize {\n        0\n        + if self.Name == String::default() { 0 } else { 1 + sizeof_len((\u0026self.Name).len()) }\n        + if self.Ips.is_empty() { 0 } else { 1 + sizeof_len(self.Ips.iter().map(|s| sizeof_varint(*(s) as u64)).sum::\u003cusize\u003e()) }\n        + if self.Subnets.is_empty() { 0 } else { 1 + sizeof_len(self.Subnets.iter().map(|s| sizeof_varint(*(s) as u64)).sum::\u003cusize\u003e()) }\n        + self.Groups.iter().map(|s| 1 + sizeof_len((s).len())).sum::\u003cusize\u003e()\n        + if self.NotBefore == 0i64 { 0 } else { 1 + sizeof_varint(*(\u0026self.NotBefore) as u64) }\n        + if self.NotAfter == 0i64 { 0 } else { 1 + sizeof_varint(*(\u0026self.NotAfter) as u64) }\n        + if self.PublicKey.is_empty() { 0 } else { 1 + sizeof_len((\u0026self.PublicKey).len()) }\n        + if self.IsCA == false { 0 } else { 1 + sizeof_varint(*(\u0026self.IsCA) as u64) }\n        + if self.Issuer.is_empty() { 0 } else { 1 + sizeof_len((\u0026self.Issuer).len()) }\n    }\n\n    fn write_message\u003cW: WriterBackend\u003e(\u0026self, w: \u0026mut Writer\u003cW\u003e) -\u003e Result\u003c()\u003e {\n        if self.Name != String::default() { w.write_with_tag(10, |w| w.write_string(\u0026**\u0026self.Name))?; }\n        w.write_packed_with_tag(18, \u0026self.Ips, |w, m| w.write_uint32(*m), \u0026|m| sizeof_varint(*(m) as u64))?;\n        w.write_packed_with_tag(26, \u0026self.Subnets, |w, m| w.write_uint32(*m), \u0026|m| sizeof_varint(*(m) as u64))?;\n        for s in \u0026self.Groups { w.write_with_tag(34, |w| w.write_string(\u0026**s))?; }\n        if self.NotBefore != 0i64 { w.write_with_tag(40, |w| w.write_int64(*\u0026self.NotBefore))?; }\n        if self.NotAfter != 0i64 { w.write_with_tag(48, |w| w.write_int64(*\u0026self.NotAfter))?; }\n        if !self.PublicKey.is_empty() { w.write_with_tag(58, |w| w.write_bytes(\u0026**\u0026self.PublicKey))?; }\n        if self.IsCA != false { w.write_with_tag(64, |w| w.write_bool(*\u0026self.IsCA))?; }\n        if !self.Issuer.is_empty() { w.write_with_tag(74, |w| w.write_bytes(\u0026**\u0026self.Issuer))?; }\n        Ok(())\n    }\n}\n\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-pki","src","lib.rs"],"content":"//! # trifid-pki\n//! trifid-pki is a crate for interacting with the Nebula PKI system. It was created to prevent the need to make constant CLI calls for signing operations in Nebula.\n//! It is designed to be interoperable with the original Go implementation and as such has some oddities with key management to ensure compatability.\n//!\n//! This crate has not received any format security audits, however the underlying crates used for actual cryptographic operations (ed25519-dalek and curve25519-dalek) have been audited with no major issues.\n\n#![warn(clippy::pedantic)]\n#![warn(clippy::nursery)]\n#![deny(clippy::unwrap_used)]\n#![deny(clippy::expect_used)]\n#![deny(missing_docs)]\n#![deny(clippy::missing_errors_doc)]\n#![deny(clippy::missing_panics_doc)]\n#![deny(clippy::missing_safety_doc)]\n#![allow(clippy::must_use_candidate)]\n#![allow(clippy::too_many_lines)]\n#![allow(clippy::module_name_repetitions)]\n\n\nextern crate core;\n\npub mod ca;\npub mod cert;\n#[cfg(not(tarpaulin_include))]\npub(crate) mod cert_codec;\n#[cfg(test)]\n#[macro_use]\npub mod test;","traces":[],"covered":0,"coverable":0},{"path":["/","home","core","prj","e3t","trifid","trifid-pki","src","test.rs"],"content":"#![allow(clippy::unwrap_used)]\n#![allow(clippy::expect_used)]\n\nuse crate::netmask;\nuse std::net::Ipv4Addr;\nuse std::ops::{Add, Sub};\nuse std::time::{Duration, SystemTime, SystemTimeError, UNIX_EPOCH};\nuse ipnet::Ipv4Net;\nuse crate::cert::{CertificateValidity, deserialize_ed25519_private, deserialize_ed25519_public, deserialize_nebula_certificate, deserialize_nebula_certificate_from_pem, deserialize_x25519_private, deserialize_x25519_public, NebulaCertificate, NebulaCertificateDetails, serialize_ed25519_private, serialize_ed25519_public, serialize_x25519_private, serialize_x25519_public};\nuse std::str::FromStr;\nuse ed25519_dalek::{SigningKey, VerifyingKey};\nuse quick_protobuf::{MessageWrite, Writer};\nuse rand::rngs::OsRng;\nuse crate::ca::{NebulaCAPool};\nuse crate::cert_codec::{RawNebulaCertificate, RawNebulaCertificateDetails};\n\n/// This is a cert that we (e3team) actually use in production, and it's a known-good certificate.\npub const KNOWN_GOOD_CERT: \u0026[u8; 258] = b\"-----BEGIN NEBULA CERTIFICATE-----\\nCkkKF2UzdGVhbSBJbnRlcm5hbCBOZXR3b3JrKJWev5wGMJWFxKsGOiCvpwoHyKY5\\n8Q5+2XxDjtoCf/zlNY/EUdB8bwXQSwEo50ABEkB0Dx76lkMqc3IyH5+ml2dKjTyv\\nB4Jiw6x3abf5YZcf8rDuVEgQpvFdJmo3xJyIb3C9vKZ6kXsUxjw6s1JdWgkA\\n-----END NEBULA CERTIFICATE-----\";\n\n#[test]\nfn certificate_serialization() {\n    let before = round_systime_to_secs(SystemTime::now() - Duration::from_secs(60)).unwrap();\n    let after = round_systime_to_secs(SystemTime::now() + Duration::from_secs(60)).unwrap();\n    let pub_key = b\"1234567890abcedfghij1234567890ab\";\n\n    let cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: \"testing\".to_string(),\n            ips: vec![\n                netmask!(\"10.1.1.1\", \"255.255.255.0\"),\n                netmask!(\"10.1.1.2\", \"255.255.0.0\"),\n                netmask!(\"10.1.1.3\", \"255.0.0.0\")\n            ],\n            subnets: vec![\n                netmask!(\"9.1.1.1\", \"255.255.255.128\"),\n                netmask!(\"9.1.1.2\", \"255.255.255.0\"),\n                netmask!(\"9.1.1.3\", \"255.255.0.0\")\n            ],\n            groups: vec![\"test-group1\".to_string(), \"test-group2\".to_string(), \"test-group3\".to_string()],\n            not_before: before,\n            not_after: after,\n            public_key: *pub_key,\n            is_ca: false,\n            issuer: \"1234567890abcedfabcd1234567890ab\".to_string(),\n        },\n        signature: b\"1234567890abcedfghij1234567890ab\".to_vec(),\n    };\n\n    let bytes = cert.serialize().unwrap();\n\n    let deserialized = deserialize_nebula_certificate(\u0026bytes).unwrap();\n\n    assert_eq!(cert.signature, deserialized.signature);\n    assert_eq!(cert.details.name, deserialized.details.name);\n    assert_eq!(cert.details.not_before, deserialized.details.not_before);\n    assert_eq!(cert.details.not_after, deserialized.details.not_after);\n    assert_eq!(cert.details.public_key, deserialized.details.public_key);\n    assert_eq!(cert.details.is_ca, deserialized.details.is_ca);\n\n    assert_eq!(cert.details.ips.len(), deserialized.details.ips.len());\n    for item in \u0026cert.details.ips {\n        assert!(deserialized.details.ips.contains(item), \"deserialized does not contain from source\");\n    }\n\n    assert_eq!(cert.details.subnets.len(), deserialized.details.subnets.len());\n    for item in \u0026cert.details.subnets {\n        assert!(deserialized.details.subnets.contains(item), \"deserialized does not contain from source\");\n    }\n\n    assert_eq!(cert.details.groups.len(), deserialized.details.groups.len());\n    for item in \u0026cert.details.groups {\n        assert!(deserialized.details.groups.contains(item), \"deserialized does not contain from source\");\n    }\n}\n\n#[test]\nfn certificate_serialization_pem() {\n    let before = round_systime_to_secs(SystemTime::now() - Duration::from_secs(60)).unwrap();\n    let after = round_systime_to_secs(SystemTime::now() + Duration::from_secs(60)).unwrap();\n    let pub_key = b\"1234567890abcedfghij1234567890ab\";\n\n    let cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: \"testing\".to_string(),\n            ips: vec![\n                netmask!(\"10.1.1.1\", \"255.255.255.0\"),\n                netmask!(\"10.1.1.2\", \"255.255.0.0\"),\n                netmask!(\"10.1.1.3\", \"255.0.0.0\")\n            ],\n            subnets: vec![\n                netmask!(\"9.1.1.1\", \"255.255.255.128\"),\n                netmask!(\"9.1.1.2\", \"255.255.255.0\"),\n                netmask!(\"9.1.1.3\", \"255.255.0.0\")\n            ],\n            groups: vec![\"test-group1\".to_string(), \"test-group2\".to_string(), \"test-group3\".to_string()],\n            not_before: before,\n            not_after: after,\n            public_key: *pub_key,\n            is_ca: false,\n            issuer: \"1234567890abcedfabcd1234567890ab\".to_string(),\n        },\n        signature: b\"1234567890abcedfghij1234567890ab\".to_vec(),\n    };\n\n    let bytes = cert.serialize_to_pem().unwrap();\n\n    let deserialized = deserialize_nebula_certificate_from_pem(\u0026bytes).unwrap();\n\n    assert_eq!(cert.signature, deserialized.signature);\n    assert_eq!(cert.details.name, deserialized.details.name);\n    assert_eq!(cert.details.not_before, deserialized.details.not_before);\n    assert_eq!(cert.details.not_after, deserialized.details.not_after);\n    assert_eq!(cert.details.public_key, deserialized.details.public_key);\n    assert_eq!(cert.details.is_ca, deserialized.details.is_ca);\n\n    assert_eq!(cert.details.ips.len(), deserialized.details.ips.len());\n    for item in \u0026cert.details.ips {\n        assert!(deserialized.details.ips.contains(item), \"deserialized does not contain from source\");\n    }\n\n    assert_eq!(cert.details.subnets.len(), deserialized.details.subnets.len());\n    for item in \u0026cert.details.subnets {\n        assert!(deserialized.details.subnets.contains(item), \"deserialized does not contain from source\");\n    }\n\n    assert_eq!(cert.details.groups.len(), deserialized.details.groups.len());\n    for item in \u0026cert.details.groups {\n        assert!(deserialized.details.groups.contains(item), \"deserialized does not contain from source\");\n    }\n}\n\n#[test]\nfn cert_signing() {\n    let before = round_systime_to_secs(SystemTime::now() - Duration::from_secs(60)).unwrap();\n    let after = round_systime_to_secs(SystemTime::now() + Duration::from_secs(60)).unwrap();\n    let pub_key = b\"1234567890abcedfghij1234567890ab\";\n\n    let mut cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: \"testing\".to_string(),\n            ips: vec![\n                netmask!(\"10.1.1.1\", \"255.255.255.0\"),\n                netmask!(\"10.1.1.2\", \"255.255.0.0\"),\n                netmask!(\"10.1.1.3\", \"255.0.0.0\")\n            ],\n            subnets: vec![\n                netmask!(\"9.1.1.1\", \"255.255.255.128\"),\n                netmask!(\"9.1.1.2\", \"255.255.255.0\"),\n                netmask!(\"9.1.1.3\", \"255.255.0.0\")\n            ],\n            groups: vec![\"test-group1\".to_string(), \"test-group2\".to_string(), \"test-group3\".to_string()],\n            not_before: before,\n            not_after: after,\n            public_key: *pub_key,\n            is_ca: false,\n            issuer: \"1234567890abcedfabcd1234567890ab\".to_string(),\n        },\n        signature: b\"1234567890abcedfghij1234567890ab\".to_vec(),\n    };\n\n    let mut csprng = OsRng;\n    let key = SigningKey::generate(\u0026mut csprng);\n\n    assert!(cert.check_signature(\u0026key.verifying_key()).is_err());\n    cert.sign(\u0026key).unwrap();\n    assert!(cert.check_signature(\u0026key.verifying_key()).unwrap());\n}\n\n#[test]\nfn cert_expiry() {\n    let cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: String::new(),\n            ips: vec![],\n            subnets: vec![],\n            groups: vec![],\n            not_before: SystemTime::now().sub(Duration::from_secs(60)),\n            not_after: SystemTime::now().add(Duration::from_secs(60)),\n            public_key: [0u8; 32],\n            is_ca: false,\n            issuer: String::new(),\n        },\n        signature: vec![],\n    };\n\n    assert!(cert.expired(SystemTime::now().add(Duration::from_secs(60 * 60 * 60))));\n    assert!(cert.expired(SystemTime::now().sub(Duration::from_secs(60 * 60 * 60))));\n    assert!(!cert.expired(SystemTime::now()));\n}\n\n#[test]\nfn cert_display() {\n    let cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: String::new(),\n            ips: vec![],\n            subnets: vec![],\n            groups: vec![],\n            not_before: SystemTime::now().sub(Duration::from_secs(60)),\n            not_after: SystemTime::now().add(Duration::from_secs(60)),\n            public_key: [0u8; 32],\n            is_ca: false,\n            issuer: String::new(),\n        },\n        signature: vec![],\n    };\n    println!(\"{cert}\");\n}\n\n#[test]\n#[should_panic]\nfn cert_deserialize_empty_bytes() {\n    deserialize_nebula_certificate(\u0026[]).unwrap();\n}\n\n#[test]\nfn cert_deserialize_unpaired_ips() {\n    let broken_cert = RawNebulaCertificate {\n        Details: Some(RawNebulaCertificateDetails {\n            Name: String::new(),\n            Ips: vec![0],\n            Subnets: vec![],\n            Groups: vec![],\n            NotBefore: 0,\n            NotAfter: 0,\n            PublicKey: vec![],\n            IsCA: false,\n            Issuer: vec![],\n        }),\n        Signature: vec![],\n    };\n    let mut bytes = vec![];\n    let mut writer = Writer::new(\u0026mut bytes);\n    broken_cert.write_message(\u0026mut writer).unwrap();\n\n    deserialize_nebula_certificate(\u0026bytes).unwrap_err();\n}\n\n#[test]\nfn cert_deserialize_unpaired_subnets() {\n    let broken_cert = RawNebulaCertificate {\n        Details: Some(RawNebulaCertificateDetails {\n            Name: String::new(),\n            Ips: vec![],\n            Subnets: vec![0],\n            Groups: vec![],\n            NotBefore: 0,\n            NotAfter: 0,\n            PublicKey: vec![],\n            IsCA: false,\n            Issuer: vec![],\n        }),\n        Signature: vec![],\n    };\n    let mut bytes = vec![];\n    let mut writer = Writer::new(\u0026mut bytes);\n    broken_cert.write_message(\u0026mut writer).unwrap();\n\n    deserialize_nebula_certificate(\u0026bytes).unwrap_err();\n}\n\n#[test]\nfn cert_deserialize_wrong_pubkey_len() {\n    let broken_cert = RawNebulaCertificate {\n        Details: Some(RawNebulaCertificateDetails {\n            Name: String::new(),\n            Ips: vec![],\n            Subnets: vec![],\n            Groups: vec![],\n            NotBefore: 0,\n            NotAfter: 0,\n            PublicKey: vec![0u8; 31],\n            IsCA: false,\n            Issuer: vec![],\n        }),\n        Signature: vec![],\n    };\n    let mut bytes = vec![];\n    let mut writer = Writer::new(\u0026mut bytes);\n    broken_cert.write_message(\u0026mut writer).unwrap();\n\n    deserialize_nebula_certificate(\u0026bytes).unwrap_err();\n\n    assert!(deserialize_nebula_certificate_from_pem(\u0026[0u8; 32]).is_err());\n}\n\n#[test]\nfn x25519_serialization() {\n    let bytes = [0u8; 32];\n    assert_eq!(deserialize_x25519_private(\u0026serialize_x25519_private(\u0026bytes)).unwrap(), bytes);\n    assert!(deserialize_x25519_private(\u0026[0u8; 32]).is_err());\n    assert_eq!(deserialize_x25519_public(\u0026serialize_x25519_public(\u0026bytes)).unwrap(), bytes);\n    assert!(deserialize_x25519_public(\u0026[0u8; 32]).is_err());\n}\n\n#[test]\nfn ed25519_serialization() {\n    let bytes = [0u8; 64];\n    assert_eq!(deserialize_ed25519_private(\u0026serialize_ed25519_private(\u0026bytes)).unwrap(), bytes);\n    assert!(deserialize_ed25519_private(\u0026[0u8; 32]).is_err());\n    assert_eq!(deserialize_ed25519_public(\u0026serialize_ed25519_public(\u0026bytes)).unwrap(), bytes);\n    assert!(deserialize_ed25519_public(\u0026[0u8; 32]).is_err());\n}\n\n#[test]\nfn cert_verify() {\n    let (ca_cert, ca_key, _ca_pub) = test_ca_cert(round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 10)).unwrap(), vec![], vec![], vec![\"groupa\".to_string()]);\n\n    let (cert, _, _) = test_cert(\u0026ca_cert, \u0026ca_key, SystemTime::now(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![], vec![], vec![]);\n\n    let mut ca_pool = NebulaCAPool::new();\n    ca_pool.add_ca_certificate(\u0026ca_cert.serialize_to_pem().unwrap()).unwrap();\n\n    let fingerprint = cert.sha256sum().unwrap();\n    ca_pool.blocklist_fingerprint(\u0026fingerprint);\n\n    assert!(matches!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Blocklisted));\n\n    ca_pool.reset_blocklist();\n\n    assert!(matches!(cert.verify(SystemTime::now() + Duration::from_secs(60 * 60 * 60), \u0026ca_pool).unwrap(), CertificateValidity::RootCertExpired));\n    assert!(matches!(cert.verify(SystemTime::now() + Duration::from_secs(60 * 60 * 6), \u0026ca_pool).unwrap(), CertificateValidity::CertExpired));\n\n    let (cert_with_bad_group, _, _) = test_cert(\u0026ca_cert, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), in_a_minute(), vec![], vec![], vec![\"group-not-present on parent\".to_string()]);\n    assert_eq!(cert_with_bad_group.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::GroupNotPresentOnSigner);\n\n    let (cert_with_good_group, _, _) = test_cert(\u0026ca_cert, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), in_a_minute(), vec![], vec![], vec![\"groupa\".to_string()]);\n    assert_eq!(cert_with_good_group.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n}\n\n#[test]\nfn cert_verify_ip() {\n    let ca_ip_1 = Ipv4Net::from_str(\"10.0.0.0/16\").unwrap();\n    let ca_ip_2 = Ipv4Net::from_str(\"192.168.0.0/24\").unwrap();\n\n    let (ca, ca_key, _ca_pub) = test_ca_cert(round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 10)).unwrap(), vec![ca_ip_1, ca_ip_2], vec![], vec![]);\n\n    let ca_pem = ca.serialize_to_pem().unwrap();\n\n    let mut ca_pool = NebulaCAPool::new();\n    ca_pool.add_ca_certificate(\u0026ca_pem).unwrap();\n\n    // ip is outside the network\n    let cip1 = netmask!(\"10.1.0.0\", \"255.255.255.0\");\n    let cip2 = netmask!(\"192.198.0.1\", \"255.255.0.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::IPNotPresentOnSigner);\n\n    // ip is outside the network - reversed order from above\n    let cip1 = netmask!(\"192.198.0.1\", \"255.255.255.0\");\n    let cip2 = netmask!(\"10.1.0.0\", \"255.255.255.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::IPNotPresentOnSigner);\n\n    // ip is within the network but mask is outside\n    let cip1 = netmask!(\"10.0.1.0\", \"255.254.0.0\");\n    let cip2 = netmask!(\"192.168.0.1\", \"255.255.255.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::IPNotPresentOnSigner);\n\n    // ip is within the network but mask is outside - reversed order from above\n    let cip1 = netmask!(\"192.168.0.1\", \"255.255.255.0\");\n    let cip2 = netmask!(\"10.0.1.0\", \"255.254.0.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::IPNotPresentOnSigner);\n\n    // ip and mask are within the network\n    let cip1 = netmask!(\"10.0.1.0\", \"255.255.0.0\");\n    let cip2 = netmask!(\"192.168.0.1\", \"255.255.255.128\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![ca_ip_1, ca_ip_2], vec![], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches reversed\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![ca_ip_2, ca_ip_1], vec![], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches reversed with just one\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![ca_ip_2], vec![], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n}\n\n#[test]\nfn cert_verify_subnet() {\n    let ca_ip_1 = Ipv4Net::from_str(\"10.0.0.0/16\").unwrap();\n    let ca_ip_2 = Ipv4Net::from_str(\"192.168.0.0/24\").unwrap();\n\n    let (ca, ca_key, _ca_pub) = test_ca_cert(round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 10)).unwrap(), vec![],vec![ca_ip_1, ca_ip_2], vec![]);\n\n    let ca_pem = ca.serialize_to_pem().unwrap();\n\n    let mut ca_pool = NebulaCAPool::new();\n    ca_pool.add_ca_certificate(\u0026ca_pem).unwrap();\n\n    // ip is outside the network\n    let cip1 = netmask!(\"10.1.0.0\", \"255.255.255.0\");\n    let cip2 = netmask!(\"192.198.0.1\", \"255.255.0.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![],vec![cip1, cip2], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::SubnetNotPresentOnSigner);\n\n    // ip is outside the network - reversed order from above\n    let cip1 = netmask!(\"192.198.0.1\", \"255.255.255.0\");\n    let cip2 = netmask!(\"10.1.0.0\", \"255.255.255.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![],vec![cip1, cip2], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::SubnetNotPresentOnSigner);\n\n    // ip is within the network but mask is outside\n    let cip1 = netmask!(\"10.0.1.0\", \"255.254.0.0\");\n    let cip2 = netmask!(\"192.168.0.1\", \"255.255.255.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![],vec![cip1, cip2], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::SubnetNotPresentOnSigner);\n\n    // ip is within the network but mask is outside - reversed order from above\n    let cip1 = netmask!(\"192.168.0.1\", \"255.255.255.0\");\n    let cip2 = netmask!(\"10.0.1.0\", \"255.254.0.0\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![cip1, cip2], vec![], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::SubnetNotPresentOnSigner);\n\n    // ip and mask are within the network\n    let cip1 = netmask!(\"10.0.1.0\", \"255.255.0.0\");\n    let cip2 = netmask!(\"192.168.0.1\", \"255.255.255.128\");\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![], vec![cip1, cip2], vec![]);\n\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![],vec![ca_ip_1, ca_ip_2], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches reversed\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![], vec![ca_ip_2, ca_ip_1], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n\n    // Exact matches reversed with just one\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, round_systime_to_secs(SystemTime::now()).unwrap(), round_systime_to_secs(SystemTime::now() + Duration::from_secs(60 * 60 * 5)).unwrap(), vec![], vec![ca_ip_2], vec![]);\n    assert_eq!(cert.verify(SystemTime::now(), \u0026ca_pool).unwrap(), CertificateValidity::Ok);\n}\n\n#[test]\nfn cert_private_key() {\n    let (ca, ca_key, _) = test_ca_cert(SystemTime::now(), SystemTime::now(), vec![], vec![], vec![]);\n    ca.verify_private_key(\u0026ca_key.to_keypair_bytes()).unwrap();\n\n    let (_, ca_key2, _) = test_ca_cert(SystemTime::now(), SystemTime::now(), vec![], vec![], vec![]);\n    ca.verify_private_key(\u0026ca_key2.to_keypair_bytes()).unwrap_err();\n\n    let (cert, priv_key, _) = test_cert(\u0026ca, \u0026ca_key, SystemTime::now(), SystemTime::now(), vec![], vec![], vec![]);\n    cert.verify_private_key(\u0026priv_key.to_bytes()).unwrap();\n\n    let (cert2, _, _) = test_cert(\u0026ca, \u0026ca_key, SystemTime::now(), SystemTime::now(), vec![], vec![], vec![]);\n    cert2.verify_private_key(\u0026priv_key.to_bytes()).unwrap_err();\n}\n\n#[test]\nfn capool_from_pem() {\n    let no_newlines = b\"# Current provisional, Remove once everything moves over to the real root.\n-----BEGIN NEBULA CERTIFICATE-----\nCkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL\nvcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv\nbzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB\n-----END NEBULA CERTIFICATE-----\n# root-ca01\n-----BEGIN NEBULA CERTIFICATE-----\nCkMKEW5lYnVsYSByb290IGNhIDAxKJL2u9EFMJL86+cGOiDPXMH4oU6HZTk/CqTG\nBVG+oJpAoqokUBbI4U0N8CSfpUABEkB/Pm5A2xyH/nc8mg/wvGUWG3pZ7nHzaDMf\n8/phAUt+FLzqTECzQKisYswKvE3pl9mbEYKbOdIHrxdIp95mo4sF\n-----END NEBULA CERTIFICATE-----\";\n    let with_newlines = b\"# Current provisional, Remove once everything moves over to the real root.\n-----BEGIN NEBULA CERTIFICATE-----\nCkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL\nvcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv\nbzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB\n-----END NEBULA CERTIFICATE-----\n# root-ca01\n-----BEGIN NEBULA CERTIFICATE-----\nCkMKEW5lYnVsYSByb290IGNhIDAxKJL2u9EFMJL86+cGOiDPXMH4oU6HZTk/CqTG\nBVG+oJpAoqokUBbI4U0N8CSfpUABEkB/Pm5A2xyH/nc8mg/wvGUWG3pZ7nHzaDMf\n8/phAUt+FLzqTECzQKisYswKvE3pl9mbEYKbOdIHrxdIp95mo4sF\n-----END NEBULA CERTIFICATE-----\n\n\";\n    let expired = b\"# expired certificate\n-----BEGIN NEBULA CERTIFICATE-----\nCjkKB2V4cGlyZWQouPmWjQYwufmWjQY6ILCRaoCkJlqHgv5jfDN4lzLHBvDzaQm4\nvZxfu144hmgjQAESQG4qlnZi8DncvD/LDZnLgJHOaX1DWCHHEh59epVsC+BNgTie\nWH1M9n4O7cFtGlM6sJJOS+rCVVEJ3ABS7+MPdQs=\n-----END NEBULA CERTIFICATE-----\";\n\n    let pool_a = NebulaCAPool::new_from_pem(no_newlines).unwrap();\n    assert_eq!(pool_a.cas[\"c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522\"].details.name, \"nebula root ca\".to_string());\n    assert_eq!(pool_a.cas[\"5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd\"].details.name, \"nebula root ca 01\".to_string());\n    assert!(!pool_a.expired);\n\n    let pool_b = NebulaCAPool::new_from_pem(with_newlines).unwrap();\n    assert_eq!(pool_b.cas[\"c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522\"].details.name, \"nebula root ca\".to_string());\n    assert_eq!(pool_b.cas[\"5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd\"].details.name, \"nebula root ca 01\".to_string());\n    assert!(!pool_b.expired);\n\n    let pool_c = NebulaCAPool::new_from_pem(expired).unwrap();\n    assert!(pool_c.expired);\n    assert_eq!(pool_c.cas[\"152070be6bb19bc9e3bde4c2f0e7d8f4ff5448b4c9856b8eccb314fade0229b0\"].details.name, \"expired\");\n\n    let mut pool_d = NebulaCAPool::new_from_pem(with_newlines).unwrap();\n    pool_d.add_ca_certificate(expired).unwrap();\n    assert_eq!(pool_d.cas[\"c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522\"].details.name, \"nebula root ca\".to_string());\n    assert_eq!(pool_d.cas[\"5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd\"].details.name, \"nebula root ca 01\".to_string());\n    assert_eq!(pool_d.cas[\"152070be6bb19bc9e3bde4c2f0e7d8f4ff5448b4c9856b8eccb314fade0229b0\"].details.name, \"expired\");\n    assert!(pool_d.expired);\n    assert_eq!(pool_d.get_fingerprints().len(), 3);\n}\n\n#[macro_export]\nmacro_rules! netmask {\n    ($ip:expr,$mask:expr) =\u003e {\n        Ipv4Net::with_netmask(Ipv4Addr::from_str($ip).unwrap(), Ipv4Addr::from_str($mask).unwrap()).unwrap()\n    };\n}\n\nfn round_systime_to_secs(time: SystemTime) -\u003e Result\u003cSystemTime, SystemTimeError\u003e {\n    let secs = time.duration_since(UNIX_EPOCH)?.as_secs();\n    Ok(SystemTime::UNIX_EPOCH.add(Duration::from_secs(secs)))\n}\n\nfn test_ca_cert(before: SystemTime, after: SystemTime, ips: Vec\u003cIpv4Net\u003e, subnets: Vec\u003cIpv4Net\u003e, groups: Vec\u003cString\u003e) -\u003e (NebulaCertificate, SigningKey, VerifyingKey) {\n    let mut csprng = OsRng;\n    let key = SigningKey::generate(\u0026mut csprng);\n    let pub_key = key.verifying_key();\n\n    let mut cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: \"TEST_CA\".to_string(),\n            ips,\n            subnets,\n            groups,\n            not_before: before,\n            not_after: after,\n            public_key: pub_key.to_bytes(),\n            is_ca: true,\n            issuer: String::new(),\n        },\n        signature: vec![],\n    };\n    cert.sign(\u0026key).unwrap();\n    (cert, key, pub_key)\n}\n\n#[test]\nfn test_deserialize_ed25519_private() {\n    let priv_key = b\"-----BEGIN NEBULA ED25519 PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\n-----END NEBULA ED25519 PRIVATE KEY-----\";\n    let short_key = b\"-----BEGIN NEBULA ED25519 PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n-----END NEBULA ED25519 PRIVATE KEY-----\";\n    let invalid_banner = b\"-----BEGIN NOT A NEBULA PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\n-----END NOT A NEBULA PRIVATE KEY-----\";\n    let invalid_pem = b\"-BEGIN NEBULA ED25519 PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\n-END NEBULA ED25519 PRIVATE KEY-----\";\n\n    deserialize_ed25519_private(priv_key).unwrap();\n\n    deserialize_ed25519_private(short_key).unwrap_err();\n\n    deserialize_ed25519_private(invalid_banner).unwrap_err();\n\n    deserialize_ed25519_private(invalid_pem).unwrap_err();\n}\n\n#[test]\nfn test_deserialize_x25519_private() {\n    let priv_key = b\"-----BEGIN NEBULA X25519 PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n-----END NEBULA X25519 PRIVATE KEY-----\";\n    let short_key = b\"-----BEGIN NEBULA X25519 PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\n-----END NEBULA X25519 PRIVATE KEY-----\";\n    let invalid_banner = b\"-----BEGIN NOT A NEBULA PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n-----END NOT A NEBULA PRIVATE KEY-----\";\n    let invalid_pem = b\"-BEGIN NEBULA X25519 PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n-END NEBULA X25519 PRIVATE KEY-----\";\n\n    deserialize_x25519_private(priv_key).unwrap();\n\n    deserialize_x25519_private(short_key).unwrap_err();\n\n    deserialize_x25519_private(invalid_banner).unwrap_err();\n\n    deserialize_x25519_private(invalid_pem).unwrap_err();\n}\n\n#[test]\nfn test_pem_deserialization() {\n    let good_cert = b\"# A good cert\n-----BEGIN NEBULA CERTIFICATE-----\nCkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL\nvcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv\nbzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB\n-----END NEBULA CERTIFICATE-----\";\n    let bad_banner = b\"-----BEGIN NOT A NEBULA CERTIFICATE-----\nCkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL\nvcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv\nbzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB\n-----END NOT A NEBULA CERTIFICATE-----\";\n    let invalid_pem = b\"# Not a valid PEM format\n-BEGIN NEBULA CERTIFICATE-----\nCkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL\nvcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv\nbzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB\n-END NEBULA CERTIFICATE----\";\n\n    // success\n    deserialize_nebula_certificate_from_pem(good_cert).unwrap();\n\n    // fail because invalid banner\n    deserialize_nebula_certificate_from_pem(bad_banner).unwrap_err();\n\n    // fail because nonsense pem\n    deserialize_nebula_certificate_from_pem(invalid_pem).unwrap_err();\n}\n\n#[test]\nfn test_deserialize_ed25519_public() {\n    let priv_key = b\"-----BEGIN NEBULA ED25519 PUBLIC KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\n-----END NEBULA ED25519 PUBLIC KEY-----\";\n    let short_key = b\"-----BEGIN NEBULA ED25519 PUBLIC KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n-----END NEBULA ED25519 PUBLIC KEY-----\";\n    let invalid_banner = b\"-----BEGIN NOT A NEBULA PUBLIC KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\n-----END NOT A NEBULA PUBLIC KEY-----\";\n    let invalid_pem = b\"-BEGIN NEBULA ED25519 PUBLIC KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\n-END NEBULA ED25519 PUBLIC KEY-----\";\n\n    deserialize_ed25519_public(priv_key).unwrap();\n\n    deserialize_ed25519_public(short_key).unwrap_err();\n\n    deserialize_ed25519_public(invalid_banner).unwrap_err();\n\n    deserialize_ed25519_public(invalid_pem).unwrap_err();\n}\n\n#[test]\n// Ensure that trifid-pki produces the *exact same* bit-for-bit representation as nebula does\n// to ensure signature interoperability\n// We use an e3team production certificate for this as it is a known-good certificate.\nfn test_serialization_interoperability() {\n    let known_good_cert = hex::decode(\"0a650a08636f72652d74777212098184c4508080f8ff0f28ae9fbf9c06309485c4ab063a20304e6279d8722f0fd8d966faa70adaeec08c4649d486457bb038be243753a7474a2056860ded3d14b7f3b77ca2a062ee5d683dd06b35f87446d8d6a7e923b6a7783d1240eb5d6b688eda0d36e925219c098ff2799e42207a093f7d9b7d875823ca05b2e0d3a749dd2fc9cec811ed9a2865d71c4d53cfdfd1bf7e6d5058bd9ecd388ddf0d\").unwrap();\n\n    let cert = deserialize_nebula_certificate(\u0026known_good_cert).unwrap();\n    let reserialized_cert_pem = cert.serialize().unwrap();\n    assert_eq!(known_good_cert, reserialized_cert_pem);\n}\n\n#[test]\nfn test_deserialize_x25519_public() {\n    let priv_key = b\"-----BEGIN NEBULA X25519 PUBLIC KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n-----END NEBULA X25519 PUBLIC KEY-----\";\n    let short_key = b\"-----BEGIN NEBULA X25519 PUBLIC KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\n-----END NEBULA X25519 PUBLIC KEY-----\";\n    let invalid_banner = b\"-----BEGIN NOT A NEBULA PUBLIC KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n-----END NOT A NEBULA PUBLIC KEY-----\";\n    let invalid_pem = b\"-BEGIN NEBULA X25519 PUBLIC KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n-END NEBULA X25519 PUBLIC KEY-----\";\n\n    deserialize_x25519_public(priv_key).unwrap();\n\n    deserialize_x25519_public(short_key).unwrap_err();\n\n    deserialize_x25519_public(invalid_banner).unwrap_err();\n\n    deserialize_x25519_public(invalid_pem).unwrap_err();\n}\n\n#[test]\nfn ca_pool_add_non_ca() {\n    let mut ca_pool = NebulaCAPool::new();\n\n    let (ca, ca_key, _) = test_ca_cert(SystemTime::now(), SystemTime::now() + Duration::from_secs(3600), vec![], vec![], vec![]);\n    let (cert, _, _) = test_cert(\u0026ca, \u0026ca_key, SystemTime::now(), SystemTime::now(), vec![], vec![], vec![]);\n\n    ca_pool.add_ca_certificate(\u0026cert.serialize_to_pem().unwrap()).unwrap_err();\n}\n\nfn test_cert(ca: \u0026NebulaCertificate, key: \u0026SigningKey, before: SystemTime, after: SystemTime, ips: Vec\u003cIpv4Net\u003e, subnets: Vec\u003cIpv4Net\u003e, groups: Vec\u003cString\u003e) -\u003e (NebulaCertificate, SigningKey, VerifyingKey) {\n    let issuer = ca.sha256sum().unwrap();\n\n    let real_groups = if groups.is_empty() {\n        vec![\"test-group1\".to_string(), \"test-group2\".to_string(), \"test-group3\".to_string()]\n    } else {\n        groups\n    };\n\n    let real_ips = if ips.is_empty() {\n        vec![\n            netmask!(\"10.1.1.1\", \"255.255.255.0\"),\n            netmask!(\"10.1.1.2\", \"255.255.0.0\"),\n            netmask!(\"10.1.1.3\", \"255.0.0.0\")\n        ]\n    } else {\n        ips\n    };\n\n    let real_subnets = if subnets.is_empty() {\n        vec![\n            netmask!(\"9.1.1.1\", \"255.255.255.128\"),\n            netmask!(\"9.1.1.2\", \"255.255.255.0\"),\n            netmask!(\"9.1.1.3\", \"255.255.0.0\")\n        ]\n    } else {\n        subnets\n    };\n\n    let mut csprng = OsRng;\n    let cert_key = SigningKey::generate(\u0026mut csprng);\n    let pub_key = cert_key.verifying_key();\n\n    let mut cert = NebulaCertificate {\n        details: NebulaCertificateDetails {\n            name: \"TEST_CA\".to_string(),\n            ips: real_ips,\n            subnets: real_subnets,\n            groups: real_groups,\n            not_before: before,\n            not_after: after,\n            public_key: pub_key.to_bytes(),\n            is_ca: false,\n            issuer,\n        },\n        signature: vec![],\n    };\n    cert.sign(key).unwrap();\n    (cert, cert_key, pub_key)\n}\n\n#[allow(dead_code)]\nfn in_a_minute() -\u003e SystemTime {\n    round_systime_to_secs(SystemTime::now().add(Duration::from_secs(60))).unwrap()\n}\n#[allow(dead_code)]\nfn a_minute_ago() -\u003e SystemTime {\n    round_systime_to_secs(SystemTime::now().sub(Duration::from_secs(60))).unwrap()\n}","traces":[],"covered":0,"coverable":0}]};
     </script>
     <script crossorigin>/** @license React v16.13.1
  * react.production.min.js
@@ -569,7 +569,7 @@ function File({file, onClick}) {
         + (file.is_folder ? ' files-list__file_folder': ''),
       onClick: () => onClick(file),
     },
-    e('td', null, e('a', null, pathToString(file.path))),
+    e('td', null, pathToString(file.path)),
     e('td', null,
       file.covered + ' / ' + file.coverable +
       (coverage >= 0 ? ' (' + coverage.toFixed(2) + '%)' : ''),

From 2bc854414008e4afdea61408c8ae59e263a2cdfd Mon Sep 17 00:00:00 2001
From: core <core@coredoes.dev>
Date: Mon, 27 Feb 2023 19:04:28 -0500
Subject: [PATCH 2/5] finish up trifid-pki for now

---
 trifid-pki/src/lib.rs | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/trifid-pki/src/lib.rs b/trifid-pki/src/lib.rs
index c14db88..7323013 100644
--- a/trifid-pki/src/lib.rs
+++ b/trifid-pki/src/lib.rs
@@ -3,6 +3,35 @@
 //! It is designed to be interoperable with the original Go implementation and as such has some oddities with key management to ensure compatability.
 //!
 //! This crate has not received any formal security audits, however the underlying crates used for actual cryptographic operations (ed25519-dalek and curve25519-dalek) have been audited with no major issues.
+//! # Examples
+//! ## Load a certificate from PEM
+//! ```rust
+//! use trifid_pki::cert::deserialize_nebula_certificate_from_pem;
+//! let cert_bytes = b"-----BEGIN NEBULA CERTIFICATE-----
+//! CmUKCGNvcmUtdHdyEgmBhMRQgID4/w8orp+/nAYwlIXEqwY6IDBOYnnYci8P2Nlm
+//! +qcK2u7AjEZJ1IZFe7A4viQ3U6dHSiBWhg3tPRS387d8oqBi7l1oPdBrNfh0RtjW
+//! p+kjtqd4PRJA611raI7aDTbpJSGcCY/yeZ5CIHoJP32bfYdYI8oFsuDTp0ndL8nO
+//! yBHtmihl1xxNU8/f0b9+bVBYvZ7NOI3fDQ==
+//! -----END NEBULA CERTIFICATE-----";
+//! let cert = deserialize_nebula_certificate_from_pem(cert_bytes).unwrap();
+//! println!("{}", cert);
+//! // NebulaCertificate {
+//! //  Details {
+//! //      Name: core-twr
+//! //      Ips: [10.17.2.1/15]
+//! //      Subnets: []
+//! //      Gruops: []
+//! //      Not before: SystemTime { tv_sec: 1670369198, tv_nsec: 0 }
+//! //      Not after: SystemTime { tv_sec: 1701905044, tv_nsec: 0 }
+//! //      Is CA: false
+//! //      Issuer: 56860ded3d14b7f3b77ca2a062ee5d683dd06b35f87446d8d6a7e923b6a7783d
+//! //      Public key: 304e6279d8722f0fd8d966faa70adaeec08c4649d486457bb038be243753a747
+//! //  }
+//! //  Fingerprint: c1a723acf8a1c8a438eb1f8efb756eb9e1a3c529d5b93cd143d282ca87e549b4
+//! //  Signature: eb5d6b688eda0d36e925219c098ff2799e42207a093f7d9b7d875823ca05b2e0d3a749dd2fc9cec811ed9a2865d71c4d53cfdfd1bf7e6d5058bd9ecd388ddf0d
+//! // }
+//! ```
+
 
 #![warn(clippy::pedantic)]
 #![warn(clippy::nursery)]
@@ -16,6 +45,9 @@
 #![allow(clippy::too_many_lines)]
 #![allow(clippy::module_name_repetitions)]
 
+pub use ed25519_dalek;
+pub use x25519_dalek;
+pub use rand_core;
 
 extern crate core;
 

From 071bb7201e0228e31edc7e9d73426e0dc562428d Mon Sep 17 00:00:00 2001
From: core <core@coredoes.dev>
Date: Mon, 27 Feb 2023 19:07:47 -0500
Subject: [PATCH 3/5] trifid-pki manifest improvements

---
 trifid-pki/Cargo.toml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/trifid-pki/Cargo.toml b/trifid-pki/Cargo.toml
index 2c69fe6..82e0007 100644
--- a/trifid-pki/Cargo.toml
+++ b/trifid-pki/Cargo.toml
@@ -1,9 +1,12 @@
 [package]
 name = "trifid-pki"
-version = "0.1.2"
+version = "0.1.3"
 edition = "2021"
 description = "A rust implementation of the Nebula PKI system"
 license = "GPL-3.0-or-later"
+documentation = "https://docs.rs/trifid-pki"
+homepage = "https://git.e3t.cc/~core/trifid"
+repository = "https://git.e3t.cc/~core/trifid"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 

From 5d06781a63ac22205cd4205fa24afcd4689b8f28 Mon Sep 17 00:00:00 2001
From: core <core@coredoes.dev>
Date: Mon, 27 Feb 2023 20:29:52 -0500
Subject: [PATCH 4/5] proper org creation endpoints

---
 Cargo.lock                               |  3 +-
 trifid-api/Cargo.toml                    |  3 +-
 trifid-api/config.toml                   |  2 +-
 trifid-api/src/crypto.rs                 |  6 ++++
 trifid-api/src/org.rs                    | 17 ++++++++----
 trifid-api/src/routes/v1/organization.rs | 35 ++++++++++++++++++------
 6 files changed, 50 insertions(+), 16 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index a14c4b2..a702c5c 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2412,6 +2412,7 @@ dependencies = [
  "tokio",
  "toml 0.7.1",
  "totp-rs",
+ "trifid-pki",
  "url",
  "urlencoding",
  "uuid",
@@ -2419,7 +2420,7 @@ dependencies = [
 
 [[package]]
 name = "trifid-pki"
-version = "0.1.2"
+version = "0.1.3"
 dependencies = [
  "ed25519-dalek",
  "hex",
diff --git a/trifid-api/Cargo.toml b/trifid-api/Cargo.toml
index 84d8cb0..49a21ac 100644
--- a/trifid-api/Cargo.toml
+++ b/trifid-api/Cargo.toml
@@ -22,4 +22,5 @@ urlencoding = "2.1.2"
 chrono = "0.4.23"
 aes-gcm = "0.10.1"
 hex = "0.4.3"
-rand = "0.8.5"
\ No newline at end of file
+rand = "0.8.5"
+trifid-pki = { version = "0.1.3", path = "../trifid-pki" }
\ No newline at end of file
diff --git a/trifid-api/config.toml b/trifid-api/config.toml
index ef4d2c3..02d1ef3 100644
--- a/trifid-api/config.toml
+++ b/trifid-api/config.toml
@@ -5,4 +5,4 @@ web_root = "http://localhost:5173"
 magic_links_valid_for = 86400
 session_tokens_valid_for = 86400
 totp_verification_valid_for = 3600
-data_key = "1f94d6ba57d79845135ba66446478537f3fccb5ec8e5b7eff7262caa0c358858106a8c5d8d4269ed6e9fc4dd00612bc89b4db06c2288bc2b19ae3e7cebcb461d"
+data_key = "edd600bcebea461381ea23791b6967c8667e12827ac8b94dc022f189a5dc59a2"
diff --git a/trifid-api/src/crypto.rs b/trifid-api/src/crypto.rs
index 193ddf0..66f3000 100644
--- a/trifid-api/src/crypto.rs
+++ b/trifid-api/src/crypto.rs
@@ -1,6 +1,8 @@
 use std::error::Error;
 use aes_gcm::{Aes256Gcm, KeyInit, Nonce};
 use aes_gcm::aead::{Aead, Payload};
+use rand::Rng;
+use rand::rngs::OsRng;
 use crate::config::TFConfig;
 
 pub fn get_cipher_from_config(config: &TFConfig) -> Result<Aes256Gcm, Box<dyn Error>> {
@@ -18,4 +20,8 @@ pub fn decrypt_with_nonce(ciphertext: &[u8], nonce: [u8; 12], cipher: &Aes256Gcm
     let nonce = Nonce::from_slice(&nonce);
     let plaintext = cipher.decrypt(nonce, Payload::from(ciphertext))?;
     Ok(plaintext)
+}
+
+pub fn generate_random_iv() -> [u8; 12] {
+    OsRng.gen()
 }
\ No newline at end of file
diff --git a/trifid-api/src/org.rs b/trifid-api/src/org.rs
index de1dcb4..315f8e7 100644
--- a/trifid-api/src/org.rs
+++ b/trifid-api/src/org.rs
@@ -1,12 +1,10 @@
 use std::error::Error;
 use rocket::form::validate::Contains;
 use sqlx::PgPool;
+use trifid_pki::ca::NebulaCAPool;
 
 pub async fn get_org_by_owner_id(user: i32, db: &PgPool) -> Result<Option<i32>, Box<dyn Error>> {
-    Ok(match sqlx::query!("SELECT id FROM organizations WHERE owner = $1", user).fetch_optional(db).await? {
-        Some(r) => Some(r.id),
-        None => None
-    })
+    Ok(sqlx::query!("SELECT id FROM organizations WHERE owner = $1", user).fetch_optional(db).await?.map(|r| r.id))
 }
 
 pub async fn get_orgs_by_assoc_id(user: i32, db: &PgPool) -> Result<Vec<i32>, Box<dyn Error>> {
@@ -27,7 +25,7 @@ pub async fn get_users_by_assoc_org(org: i32, db: &PgPool) -> Result<Vec<i32>, B
     let mut ret = vec![];
 
     for i in res {
-        ret.push(i.org_id);
+        ret.push(i.user_id);
     }
 
     Ok(ret)
@@ -47,4 +45,13 @@ pub async fn get_associated_orgs(user: i32, db: &PgPool) -> Result<Vec<i32>, Box
 
 pub async fn user_has_org_assoc(user: i32, org: i32, db: &PgPool) -> Result<bool, Box<dyn Error>> {
     Ok(get_associated_orgs(user, db).await?.contains(org))
+}
+
+pub async fn get_org_ca_pool(org: i32, db: &PgPool) -> Result<NebulaCAPool, Box<dyn Error>> {
+    // get CAPool PEM from db
+    let pem = sqlx::query!("SELECT ca_crt FROM organizations WHERE id = $1", org).fetch_one(db).await?.ca_crt;
+
+    let ca_pool = NebulaCAPool::new_from_pem(&hex::decode(pem)?)?;
+
+    Ok(ca_pool)
 }
\ No newline at end of file
diff --git a/trifid-api/src/routes/v1/organization.rs b/trifid-api/src/routes/v1/organization.rs
index 947e417..ac3d557 100644
--- a/trifid-api/src/routes/v1/organization.rs
+++ b/trifid-api/src/routes/v1/organization.rs
@@ -1,4 +1,3 @@
-use std::slice::from_raw_parts_mut;
 use rocket::{get, post, options, State};
 use rocket::http::{ContentType, Status};
 use rocket::serde::json::Json;
@@ -6,6 +5,7 @@ use serde::{Serialize, Deserialize};
 use sqlx::PgPool;
 use crate::auth::TOTPAuthenticatedUserInfo;
 use crate::config::TFConfig;
+use crate::crypto::{encrypt_with_nonce, generate_random_iv, get_cipher_from_config};
 use crate::org::{get_associated_orgs, get_org_by_owner_id, get_users_by_assoc_org, user_has_org_assoc};
 
 #[options("/v1/orgs")]
@@ -29,7 +29,7 @@ pub async fn orglist_req(user: TOTPAuthenticatedUserInfo, db: &State<PgPool>) ->
     // this endpoint lists the associated organizations this user has access to
     let associated_orgs = match get_associated_orgs(user.user_id, db.inner()).await {
         Ok(r) => r,
-        Err(e) => return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_DB_QUERY_FAILED", "an error occurred while running the database query")))
+        Err(e) => return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_DB_QUERY_FAILED", "an error occurred while running the database query", e)))
     };
 
     Ok((ContentType::JSON, Json(OrglistStruct {
@@ -52,7 +52,7 @@ pub async fn orginfo_req(orgid: i32, user: TOTPAuthenticatedUserInfo, db: &State
         return Err((Status::Unauthorized, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{}\"}}]}}", "ERR_MISSING_ORG_AUTHORIZATION", "this user does not have permission to access this org")));
     }
 
-    let org = sqlx::query!("SELECT id, owner, ca_crt FROM organizations WHERE id = $1", orgid).fetch_one(orgid).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?;
+    let org = sqlx::query!("SELECT id, owner, ca_crt FROM organizations WHERE id = $1", orgid).fetch_one(db.inner()).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?;
     let authorized_users = get_users_by_assoc_org(orgid, db.inner()).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?;
 
     Ok((ContentType::JSON, Json(
@@ -71,14 +71,33 @@ pub async fn create_org(user: TOTPAuthenticatedUserInfo, db: &State<PgPool>, con
         return Err((Status::Conflict, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{}\"}}]}}", "ERR_USER_OWNS_ORG", "a user can only own one organization at a time")))
     }
 
-    // we need to generate a keypair and CA certificate for this new org
+    // generate an AES iv to use for key encryption
+    let iv = generate_random_iv();
+    let iv_hex = hex::encode(iv);
+
+    let owner_id = user.user_id;
+    let cipher = match get_cipher_from_config(config) {
+        Ok(c) => c,
+        Err(e) => {
+            return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_CRYPTOGRAPHY_CREATE_CIPHER", "Unable to build cipher construct, please try again later", e)));
+        }
+    };
+    let ca_key = match encrypt_with_nonce(b"", iv, &cipher) {
+        Ok(key) => hex::encode(key),
+        Err(e) => {
+            return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_CRYPTOGRAPHY_ENCRYPT_KEY", "Unable to build cipher construct, please try again later", e)));
+        }
+    };
+    let ca_crt = hex::encode(b"");
+
+    let result = sqlx::query!("INSERT INTO organizations (owner, ca_key, ca_crt, iv) VALUES ($1, $2, $3, $4) RETURNING id", owner_id, ca_key, ca_crt, iv_hex).fetch_one(db.inner()).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?;
 
     Ok((ContentType::JSON, Json(
         OrginfoStruct {
-            org_id: orgid,
-            owner_id: org.owner,
-            ca_crt: org.ca_crt,
-            authorized_users,
+            org_id: result.id,
+            owner_id,
+            ca_crt,
+            authorized_users: vec![owner_id],
         }
     )))
 }
\ No newline at end of file

From de6f8141d6c26b50b8cd13b0f24c9f531a1148c4 Mon Sep 17 00:00:00 2001
From: core <core@coredoes.dev>
Date: Mon, 27 Feb 2023 20:50:31 -0500
Subject: [PATCH 5/5] licensing

---
 Cargo.lock                                    |   2 +-
 LICENSE.txt                                   |   4 +
 tfclient/LICENSE.txt                          | 674 ++++++++++++++++++
 tfclient/src/main.rs                          |  16 +
 trifid-api/build.rs                           |  15 +
 trifid-api/config.example.toml                |  86 +++
 trifid-api/src/auth.rs                        |  16 +
 trifid-api/src/config.rs                      |  16 +
 trifid-api/src/crypto.rs                      |  16 +
 trifid-api/src/db.rs                          |  15 +
 trifid-api/src/format.rs                      |  16 +
 trifid-api/src/main.rs                        |  16 +
 trifid-api/src/org.rs                         |  16 +
 trifid-api/src/routes/mod.rs                  |  16 +
 .../src/routes/v1/auth/check_session.rs       |  16 +
 trifid-api/src/routes/v1/auth/magic_link.rs   |  16 +
 trifid-api/src/routes/v1/auth/mod.rs          |  16 +
 trifid-api/src/routes/v1/auth/totp.rs         |  16 +
 .../src/routes/v1/auth/verify_magic_link.rs   |  16 +
 trifid-api/src/routes/v1/mod.rs               |  16 +
 trifid-api/src/routes/v1/organization.rs      |  16 +
 trifid-api/src/routes/v1/signup.rs            |  16 +
 .../src/routes/v1/totp_authenticators.rs      |  16 +
 .../routes/v1/verify_totp_authenticator.rs    |  23 +-
 trifid-api/src/routes/v2/mod.rs               |  16 +
 trifid-api/src/routes/v2/whoami.rs            |  16 +
 trifid-api/src/tokens.rs                      |  16 +
 trifid-api/src/util.rs                        |  16 +
 trifid-pki/Cargo.toml                         |   4 +-
 29 files changed, 1148 insertions(+), 11 deletions(-)
 create mode 100644 LICENSE.txt
 create mode 100644 tfclient/LICENSE.txt
 create mode 100644 trifid-api/config.example.toml

diff --git a/Cargo.lock b/Cargo.lock
index a702c5c..de8e821 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2420,7 +2420,7 @@ dependencies = [
 
 [[package]]
 name = "trifid-pki"
-version = "0.1.3"
+version = "0.1.4"
 dependencies = [
  "ed25519-dalek",
  "hex",
diff --git a/LICENSE.txt b/LICENSE.txt
new file mode 100644
index 0000000..77bcf67
--- /dev/null
+++ b/LICENSE.txt
@@ -0,0 +1,4 @@
+tfclient is licensed under GNU GPL 3.0. See tfclient/LICENSE.txt for details.
+tfweb is licensed under GNU GPL 3.0. See tfweb/LICENSE.txt for details.
+trifid-api is licensed under GNU GPL 3.0. See trifid-api/LICENSE.txt for details.
+trifid-pki is licensed under GNU AGPL 3.0. See trifid-pki/LICENSE.txt for details.
\ No newline at end of file
diff --git a/tfclient/LICENSE.txt b/tfclient/LICENSE.txt
new file mode 100644
index 0000000..e72bfdd
--- /dev/null
+++ b/tfclient/LICENSE.txt
@@ -0,0 +1,674 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    <program>  Copyright (C) <year>  <name of author>
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<https://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<https://www.gnu.org/licenses/why-not-lgpl.html>.
\ No newline at end of file
diff --git a/tfclient/src/main.rs b/tfclient/src/main.rs
index e7a11a9..82c783f 100644
--- a/tfclient/src/main.rs
+++ b/tfclient/src/main.rs
@@ -1,3 +1,19 @@
+// tfclient, an open source client for the Defined Networking nebula management protocol.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
 fn main() {
     println!("Hello, world!");
 }
diff --git a/trifid-api/build.rs b/trifid-api/build.rs
index 7609593..d658ea5 100644
--- a/trifid-api/build.rs
+++ b/trifid-api/build.rs
@@ -1,3 +1,18 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
 // generated by `sqlx migrate build-script`
 fn main() {
     // trigger recompilation when a new migration is added
diff --git a/trifid-api/config.example.toml b/trifid-api/config.example.toml
new file mode 100644
index 0000000..ee5c7f2
--- /dev/null
+++ b/trifid-api/config.example.toml
@@ -0,0 +1,86 @@
+##################################
+# trifid-api example config file #
+##################################
+# trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+#     Copyright (C) 2023 c0repwn3r
+#
+#     This program is free software: you can redistribute it and/or modify
+#     it under the terms of the GNU General Public License as published by
+#     the Free Software Foundation, either version 3 of the License, or
+#     (at your option) any later version.
+#
+#     This program is distributed in the hope that it will be useful,
+#     but WITHOUT ANY WARRANTY; without even the implied warranty of
+#     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#     GNU General Public License for more details.
+#
+#     You should have received a copy of the GNU General Public License
+#     along with this program.  If not, see <https:#www.gnu.org/licenses/>.
+
+# Please read this file in it's entirety to learn what options you do or don't need to change
+# to get a functional trifid-api instance.
+
+# What port should the API server listen on?
+# e.g. 8000 would mean the server is reachable at localhost:8000.
+# You probably don't need to change this.
+listen_port = 8000
+
+# What is the postgres connection url to connect to the database?
+# Example: postgres://username:password@database_host/database_name
+# You absolutely need to change this.
+db_url = "postgres://postgres@localhost/trifidapi"
+
+# What is the externally accessible URL of this instance?
+# If you are running behind a reverse proxy, or a domain name, or similar,
+# you need to set this to the URL that the web UI can make requests to.
+# e.g. http://localhost:8000
+# Reminder: this ip needs to be internet-accessible.
+# You absolutely need to change this.
+base = "http://localhost:8000"
+
+# What is the externally accessible URL of the **web ui** for this instance?
+# This URL will be used to generate magic links, and needs to be correct.
+# You absolutely need to change this.
+web_root = "http://localhost:5173"
+
+# How long should magic links be valid for (in seconds)?
+# You probably don't need to change this, 86400 (24 hours) is a sane default.
+magic_links_valid_for = 86400
+
+# How long should session tokens be valid for (in seconds)?
+# This controls how long a user can go without requesting a new "magic link" to re-log-in.
+# This is a completley independent timer than `totp_verification_valid_for` - the auth token can (and often will) expire
+# while the session token remains completley valid.
+# You probably don't need to change this, 86400 (24 hours) is a sane default.
+session_tokens_valid_for = 86400
+
+# How long should 2FA authentication be valid for (in seconds)?
+# This controls how long a user can remain logged in without having to re-do the 2FA authentication process.
+# This is a completley independent timer than `session_tokens_valid_for` - the session token can expire while the 2FA token
+# remains completley valid.
+# You probably don't need to change this, 3600 (1 hour) is a sane default.
+totp_verification_valid_for = 3600
+
+# The per-instance data encryption key to protect sensitive data in the instance.
+# YOU ABSOLUTELY NEED TO CHANGE THIS. If you don't change anything else in this file, this should be the one thing you change.
+# Reiterating:
+# -----
+# YOU ABSOLUTELY NEED TO CHANGE THIS VALUE
+# -----
+# Leaving this at it's default (edd600bcebea461381ea23791b6967c8667e12827ac8b94dc022f189a5dc59a2) is DANGEROUS
+# and UNSAFE, and could lead to DATA LEAKS and SECURITY BREACHES.
+#
+# This should be a 32-byte hex value. Generate it with `openssl rand -hex 32`, or any other tool of your choice.
+# If you get "InvalidLength" errors while trying to do anything involving organizations, that indicates that this
+# value was improperly generated.
+#
+# ------- WARNING -------
+# DO NOT CHANGE THIS VALUE IN A PRODUCTION INSTANCE.
+# CHANGING THIS VALUE WILL RESULT IN PERMANENT, IRREVERSIBLE LOSS OF **ALL** ORGANIZATION DATA IN THE DATABASE.
+# IT IS DIRECTLY RESPONSIBLE FOR DECRYPTING ORGANIZATION KEYS.
+# ENSURE THAT ORGANIZATIONS FUNCTION PROPERLY BEFORE CREATING A PRODUCTION ORGANIZATION.
+# REITERATING: CHANGING THIS VALUE WILL RESULT IN PERMANENT, IRREVIRSIBLE LOSS OF **ALL** ORGANIZATION DATA IN THE DATABASE.
+# DO NOT CHANGE THIS VALUE IN A PRODUCTION INSTANCE.
+# THERE IS NO GOING BACK.
+# ------- WARNING -------
+data_key = "edd600bcebea461381ea23791b6967c8667e12827ac8b94dc022f189a5dc59a2"
diff --git a/trifid-api/src/auth.rs b/trifid-api/src/auth.rs
index d58cd46..cf399af 100644
--- a/trifid-api/src/auth.rs
+++ b/trifid-api/src/auth.rs
@@ -1,3 +1,19 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
 use rocket::http::Status;
 use rocket::{Request};
 use rocket::request::{FromRequest, Outcome};
diff --git a/trifid-api/src/config.rs b/trifid-api/src/config.rs
index aabddca..0697317 100644
--- a/trifid-api/src/config.rs
+++ b/trifid-api/src/config.rs
@@ -1,3 +1,19 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
 use serde::Deserialize;
 use url::Url;
 
diff --git a/trifid-api/src/crypto.rs b/trifid-api/src/crypto.rs
index 66f3000..bb879de 100644
--- a/trifid-api/src/crypto.rs
+++ b/trifid-api/src/crypto.rs
@@ -1,3 +1,19 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
 use std::error::Error;
 use aes_gcm::{Aes256Gcm, KeyInit, Nonce};
 use aes_gcm::aead::{Aead, Payload};
diff --git a/trifid-api/src/db.rs b/trifid-api/src/db.rs
index e69de29..e15090a 100644
--- a/trifid-api/src/db.rs
+++ b/trifid-api/src/db.rs
@@ -0,0 +1,15 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
\ No newline at end of file
diff --git a/trifid-api/src/format.rs b/trifid-api/src/format.rs
index 30546c5..d193d65 100644
--- a/trifid-api/src/format.rs
+++ b/trifid-api/src/format.rs
@@ -1,3 +1,19 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
 use std::fmt::{Display, Formatter};
 use crate::format::PEMValidationError::{IncorrectSegmentLength, InvalidBase64Data, MissingStartSentinel};
 use crate::util::base64decode;
diff --git a/trifid-api/src/main.rs b/trifid-api/src/main.rs
index e7f143d..82e4b04 100644
--- a/trifid-api/src/main.rs
+++ b/trifid-api/src/main.rs
@@ -1,3 +1,19 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
 extern crate core;
 
 use std::error::Error;
diff --git a/trifid-api/src/org.rs b/trifid-api/src/org.rs
index 315f8e7..83c754e 100644
--- a/trifid-api/src/org.rs
+++ b/trifid-api/src/org.rs
@@ -1,3 +1,19 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
 use std::error::Error;
 use rocket::form::validate::Contains;
 use sqlx::PgPool;
diff --git a/trifid-api/src/routes/mod.rs b/trifid-api/src/routes/mod.rs
index 839d56f..074561f 100644
--- a/trifid-api/src/routes/mod.rs
+++ b/trifid-api/src/routes/mod.rs
@@ -1,3 +1,19 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
 pub mod v1;
 pub mod v2;
 
diff --git a/trifid-api/src/routes/v1/auth/check_session.rs b/trifid-api/src/routes/v1/auth/check_session.rs
index fea33e8..0bab53d 100644
--- a/trifid-api/src/routes/v1/auth/check_session.rs
+++ b/trifid-api/src/routes/v1/auth/check_session.rs
@@ -1,3 +1,19 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
 use rocket::{post, options};
 use crate::auth::{PartialUserInfo, TOTPAuthenticatedUserInfo};
 
diff --git a/trifid-api/src/routes/v1/auth/magic_link.rs b/trifid-api/src/routes/v1/auth/magic_link.rs
index 8f679de..5706818 100644
--- a/trifid-api/src/routes/v1/auth/magic_link.rs
+++ b/trifid-api/src/routes/v1/auth/magic_link.rs
@@ -1,3 +1,19 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
 use rocket::{post, State};
 use rocket::serde::json::Json;
 use serde::{Serialize, Deserialize};
diff --git a/trifid-api/src/routes/v1/auth/mod.rs b/trifid-api/src/routes/v1/auth/mod.rs
index 7a20be5..f00abb5 100644
--- a/trifid-api/src/routes/v1/auth/mod.rs
+++ b/trifid-api/src/routes/v1/auth/mod.rs
@@ -1,3 +1,19 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
 pub mod verify_magic_link;
 pub mod magic_link;
 pub mod totp;
diff --git a/trifid-api/src/routes/v1/auth/totp.rs b/trifid-api/src/routes/v1/auth/totp.rs
index ababb7a..dc841b6 100644
--- a/trifid-api/src/routes/v1/auth/totp.rs
+++ b/trifid-api/src/routes/v1/auth/totp.rs
@@ -1,3 +1,19 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
 use rocket::http::{ContentType, Status};
 use rocket::serde::json::Json;
 use crate::auth::PartialUserInfo;
diff --git a/trifid-api/src/routes/v1/auth/verify_magic_link.rs b/trifid-api/src/routes/v1/auth/verify_magic_link.rs
index 8ec682c..79a4eb8 100644
--- a/trifid-api/src/routes/v1/auth/verify_magic_link.rs
+++ b/trifid-api/src/routes/v1/auth/verify_magic_link.rs
@@ -1,3 +1,19 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
 use std::time::{SystemTime, UNIX_EPOCH};
 use rocket::http::{ContentType, Status};
 use rocket::serde::json::Json;
diff --git a/trifid-api/src/routes/v1/mod.rs b/trifid-api/src/routes/v1/mod.rs
index 6ede35c..c91b714 100644
--- a/trifid-api/src/routes/v1/mod.rs
+++ b/trifid-api/src/routes/v1/mod.rs
@@ -1,3 +1,19 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
 pub mod auth;
 pub mod signup;
 
diff --git a/trifid-api/src/routes/v1/organization.rs b/trifid-api/src/routes/v1/organization.rs
index ac3d557..013c80a 100644
--- a/trifid-api/src/routes/v1/organization.rs
+++ b/trifid-api/src/routes/v1/organization.rs
@@ -1,3 +1,19 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
 use rocket::{get, post, options, State};
 use rocket::http::{ContentType, Status};
 use rocket::serde::json::Json;
diff --git a/trifid-api/src/routes/v1/signup.rs b/trifid-api/src/routes/v1/signup.rs
index a1dcd01..be6a59f 100644
--- a/trifid-api/src/routes/v1/signup.rs
+++ b/trifid-api/src/routes/v1/signup.rs
@@ -1,3 +1,19 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
 use rocket::{post, State};
 use rocket::serde::json::Json;
 use serde::{Serialize, Deserialize};
diff --git a/trifid-api/src/routes/v1/totp_authenticators.rs b/trifid-api/src/routes/v1/totp_authenticators.rs
index 088d631..55c4c92 100644
--- a/trifid-api/src/routes/v1/totp_authenticators.rs
+++ b/trifid-api/src/routes/v1/totp_authenticators.rs
@@ -1,3 +1,19 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
 use rocket::http::{ContentType, Status};
 use rocket::serde::json::Json;
 use rocket::{State, post};
diff --git a/trifid-api/src/routes/v1/verify_totp_authenticator.rs b/trifid-api/src/routes/v1/verify_totp_authenticator.rs
index 3aacd4c..223cffd 100644
--- a/trifid-api/src/routes/v1/verify_totp_authenticator.rs
+++ b/trifid-api/src/routes/v1/verify_totp_authenticator.rs
@@ -1,11 +1,18 @@
-/*
-{"totpToken":"totp-mH9eLzA9Q5WB-sg3Fq8CfkP13eTh3DxF25kVK2VEDOk","code":"266242"}
-{"errors":[{"code":"ERR_INVALID_TOTP_TOKEN","message":"TOTP token does not exist (maybe it expired?)","path":"totpToken"}]}
-
-
-{"totpToken":"totp-gaUDaxPrrIBc8GEQ6z0vPisT8k0MEP1fgI8FA2ztLMw","code":"175543"}
-{"data":{"authToken":"auth-O7mugxdYta-RKtLMqDW4j8XCJ85EfZKKezeZZXBYtFQ"},"metadata":{}}
-*/
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
 use rocket::http::{ContentType, Status};
 use crate::auth::PartialUserInfo;
diff --git a/trifid-api/src/routes/v2/mod.rs b/trifid-api/src/routes/v2/mod.rs
index f511e9f..c603733 100644
--- a/trifid-api/src/routes/v2/mod.rs
+++ b/trifid-api/src/routes/v2/mod.rs
@@ -1 +1,17 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
 pub mod whoami;
\ No newline at end of file
diff --git a/trifid-api/src/routes/v2/whoami.rs b/trifid-api/src/routes/v2/whoami.rs
index 27bea05..b7a9697 100644
--- a/trifid-api/src/routes/v2/whoami.rs
+++ b/trifid-api/src/routes/v2/whoami.rs
@@ -1,3 +1,19 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
 use chrono::{NaiveDateTime, Utc};
 use serde::{Serialize, Deserialize};
 use rocket::{options, get, State};
diff --git a/trifid-api/src/tokens.rs b/trifid-api/src/tokens.rs
index 5e8c31f..a9b0d8e 100644
--- a/trifid-api/src/tokens.rs
+++ b/trifid-api/src/tokens.rs
@@ -1,3 +1,19 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
 use std::error::Error;
 use log::info;
 use sqlx::PgPool;
diff --git a/trifid-api/src/util.rs b/trifid-api/src/util.rs
index 5ea8c3c..ca7857e 100644
--- a/trifid-api/src/util.rs
+++ b/trifid-api/src/util.rs
@@ -1,3 +1,19 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
 use base64::Engine;
 use totp_rs::Algorithm;
 
diff --git a/trifid-pki/Cargo.toml b/trifid-pki/Cargo.toml
index 82e0007..ce4daba 100644
--- a/trifid-pki/Cargo.toml
+++ b/trifid-pki/Cargo.toml
@@ -1,9 +1,9 @@
 [package]
 name = "trifid-pki"
-version = "0.1.3"
+version = "0.1.4"
 edition = "2021"
 description = "A rust implementation of the Nebula PKI system"
-license = "GPL-3.0-or-later"
+license = "AGPL-3.0-or-later"
 documentation = "https://docs.rs/trifid-pki"
 homepage = "https://git.e3t.cc/~core/trifid"
 repository = "https://git.e3t.cc/~core/trifid"