//! Validators for user profiles, credentials, and SSH keys. use crate::error::AppError; use super::limits; /// Validate a display name pub fn validate_display_name(name: &str) -> Result<(), AppError> { if name.chars().count() > limits::DISPLAY_NAME_MAX { return Err(AppError::validation(format!( "Display name must be {} characters or less", limits::DISPLAY_NAME_MAX ))); } // Reject control characters (ASCII 0-31 except space, plus DEL 0x7F) // to prevent social engineering in plain-text emails. if name.chars().any(|c| c.is_control()) { return Err(AppError::validation( "Display name cannot contain control characters".to_string(), )); } Ok(()) } /// Validate a bio pub fn validate_bio(bio: &str) -> Result<(), AppError> { if bio.chars().count() > limits::BIO_MAX { return Err(AppError::validation(format!( "Bio must be {} characters or less", limits::BIO_MAX ))); } Ok(()) } /// Validate a link URL pub fn validate_link_url(url_str: &str) -> Result<(), AppError> { if url_str.chars().count() > limits::LINK_URL_MAX { return Err(AppError::validation(format!( "URL must be {} characters or less", limits::LINK_URL_MAX ))); } // Parse URL properly to prevent malformed/malicious URLs let parsed = url::Url::parse(url_str) .map_err(|_| AppError::validation("Invalid URL format".to_string()))?; // Only allow http and https schemes match parsed.scheme() { "http" | "https" => {} _ => { return Err(AppError::validation( "URL must use http:// or https://".to_string(), )); } } // Must have a host if parsed.host_str().is_none() { return Err(AppError::validation("URL must have a host".to_string())); } Ok(()) } /// Validate a link title pub fn validate_link_title(title: &str) -> Result<(), AppError> { if title.is_empty() { return Err(AppError::validation("Link title is required".to_string())); } if title.chars().count() > limits::LINK_TITLE_MAX { return Err(AppError::validation(format!( "Link title must be {} characters or less", limits::LINK_TITLE_MAX ))); } Ok(()) } /// Validate a username: 3-50 chars, alphanumeric + underscore. /// /// Also used by the `Username` newtype's `Deserialize` impl. pub fn validate_username(username: &str) -> Result<(), AppError> { let len = username.chars().count(); if len < 3 { return Err(AppError::validation( "Username must be at least 3 characters".to_string(), )); } if len > 50 { return Err(AppError::validation( "Username must be 50 characters or less".to_string(), )); } if !username.chars().all(|c| c.is_ascii_alphanumeric() || c == '_') { return Err(AppError::validation( "Username can only contain letters, numbers, and underscores".to_string(), )); } Ok(()) } /// Validate a machine ID pub fn validate_machine_id(machine_id: &str) -> Result<(), AppError> { if machine_id.is_empty() { return Err(AppError::validation("Machine ID is required".to_string())); } if machine_id.chars().count() > limits::MACHINE_ID_MAX { return Err(AppError::validation(format!( "Machine ID must be {} characters or less", limits::MACHINE_ID_MAX ))); } Ok(()) } /// Validate an activation label pub fn validate_activation_label(label: &str) -> Result<(), AppError> { if label.chars().count() > limits::ACTIVATION_LABEL_MAX { return Err(AppError::validation(format!( "Label must be {} characters or less", limits::ACTIVATION_LABEL_MAX ))); } Ok(()) } // ── SSH key validation ── /// Accepted SSH key type prefixes. const SSH_KEY_TYPES: &[&str] = &[ "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", ]; /// Validate and normalize an SSH public key, returning `(normalized_key, fingerprint)`. /// /// - Parses the `{type} {base64} [comment]` format /// - Validates the key type is one of the accepted algorithms /// - Decodes the base64 data to verify it's real key data /// - Computes the fingerprint as `SHA256:{base64(sha256(decoded_key_bytes))}` /// - Returns the normalized key (type + base64, no comment) and fingerprint pub fn validate_ssh_public_key(input: &str) -> std::result::Result<(String, String), AppError> { let input = input.trim(); if input.is_empty() { return Err(AppError::validation("SSH public key is required".to_string())); } if input.len() > 8192 { return Err(AppError::validation("SSH public key is too large".to_string())); } let parts: Vec<&str> = input.split_whitespace().collect(); if parts.len() < 2 { return Err(AppError::validation( "Invalid SSH key format: expected '{type} {base64} [comment]'".to_string(), )); } let key_type = parts[0]; let key_data = parts[1]; if !SSH_KEY_TYPES.contains(&key_type) { return Err(AppError::validation(format!( "Unsupported SSH key type '{}'. Accepted: ssh-rsa, ssh-ed25519, ecdsa-sha2-*", key_type ))); } // Decode base64 to verify it's valid key data use base64::Engine; let decoded = base64::engine::general_purpose::STANDARD .decode(key_data) .map_err(|_| AppError::validation("Invalid SSH key: bad base64 encoding".to_string()))?; if decoded.len() < 16 { return Err(AppError::validation("Invalid SSH key: data too short".to_string())); } // Compute fingerprint: SHA256:{base64(sha256(decoded))} (same as ssh-keygen -lf) use sha2::Digest; let hash = sha2::Sha256::digest(&decoded); let fingerprint = format!( "SHA256:{}", base64::engine::general_purpose::STANDARD_NO_PAD.encode(hash) ); // Normalized key: type + base64 (strip comment) let normalized = format!("{} {}", key_type, key_data); Ok((normalized, fingerprint)) } /// Validate an SSH key label pub fn validate_ssh_key_label(label: &str) -> std::result::Result<(), AppError> { if label.chars().count() > limits::SSH_KEY_LABEL_MAX { return Err(AppError::validation(format!( "SSH key label must be {} characters or less", limits::SSH_KEY_LABEL_MAX ))); } Ok(()) } #[cfg(test)] mod tests { use super::*; #[test] fn test_validate_display_name() { assert!(validate_display_name("John Doe").is_ok()); assert!(validate_display_name("").is_ok()); // Empty is valid assert!(validate_display_name(&"a".repeat(100)).is_ok()); assert!(validate_display_name(&"a".repeat(101)).is_err()); } #[test] fn test_validate_display_name_rejects_control_chars() { assert!(validate_display_name("Alice\nBob").is_err()); // newline assert!(validate_display_name("Alice\rBob").is_err()); // carriage return assert!(validate_display_name("Alice\0Bob").is_err()); // null assert!(validate_display_name("Alice\x7FBob").is_err()); // DEL assert!(validate_display_name("Alice\tBob").is_err()); // tab assert!(validate_display_name("Alice Bob").is_ok()); // space is fine } #[test] fn test_validate_bio() { assert!(validate_bio("I make music").is_ok()); assert!(validate_bio("").is_ok()); assert!(validate_bio(&"a".repeat(2001)).is_err()); } #[test] fn test_validate_link_url() { assert!(validate_link_url("https://example.com").is_ok()); assert!(validate_link_url("http://example.com").is_ok()); assert!(validate_link_url("https://example.com/path?query=1").is_ok()); assert!(validate_link_url("ftp://example.com").is_err()); assert!(validate_link_url("example.com").is_err()); assert!(validate_link_url("javascript:alert(1)").is_err()); assert!(validate_link_url("data:text/html,").is_err()); } #[test] fn test_validate_link_title() { assert!(validate_link_title("My Website").is_ok()); assert!(validate_link_title("X").is_ok()); // single char is valid assert!(validate_link_title("").is_err()); // empty assert!(validate_link_title(&"a".repeat(100)).is_ok()); // at limit assert!(validate_link_title(&"a".repeat(101)).is_err()); // over limit } #[test] fn test_validate_machine_id() { assert!(validate_machine_id("hw-abc123").is_ok()); assert!(validate_machine_id("a").is_ok()); // single char assert!(validate_machine_id("").is_err()); // empty assert!(validate_machine_id(&"a".repeat(255)).is_ok()); // at limit assert!(validate_machine_id(&"a".repeat(256)).is_err()); // over limit } #[test] fn test_validate_activation_label() { assert!(validate_activation_label("Max's laptop").is_ok()); assert!(validate_activation_label("").is_ok()); // empty is valid assert!(validate_activation_label(&"a".repeat(100)).is_ok()); // at limit assert!(validate_activation_label(&"a".repeat(101)).is_err()); // over limit } #[test] fn test_validate_ssh_public_key_ed25519() { let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrJSsFMsNzFqLOsNjMoVMtQ3fMM4JhPmLPWVOmBsBzq test@example.com"; let result = validate_ssh_public_key(key); assert!(result.is_ok(), "ed25519 key should be valid: {:?}", result); let (normalized, fingerprint) = result.unwrap(); // Should strip comment assert!(!normalized.contains("test@example.com")); assert!(normalized.starts_with("ssh-ed25519 ")); // Fingerprint should be SHA256:... assert!(fingerprint.starts_with("SHA256:"), "Fingerprint: {}", fingerprint); } #[test] fn test_validate_ssh_public_key_rejects_empty() { assert!(validate_ssh_public_key("").is_err()); } #[test] fn test_validate_ssh_public_key_rejects_garbage() { assert!(validate_ssh_public_key("not a key").is_err()); } #[test] fn test_validate_ssh_public_key_rejects_bad_type() { assert!(validate_ssh_public_key("ssh-dss AAAAB3NzaC1kc3MAAAA").is_err()); } #[test] fn test_validate_ssh_public_key_rejects_bad_base64() { assert!(validate_ssh_public_key("ssh-ed25519 not-valid-base64!!!").is_err()); } #[test] fn test_validate_ssh_public_key_same_key_same_fingerprint() { let key_with_comment = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrJSsFMsNzFqLOsNjMoVMtQ3fMM4JhPmLPWVOmBsBzq comment"; let key_without_comment = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrJSsFMsNzFqLOsNjMoVMtQ3fMM4JhPmLPWVOmBsBzq"; let (_, fp1) = validate_ssh_public_key(key_with_comment).unwrap(); let (_, fp2) = validate_ssh_public_key(key_without_comment).unwrap(); assert_eq!(fp1, fp2, "Same key data should produce same fingerprint"); } #[test] fn test_validate_ssh_key_label() { assert!(validate_ssh_key_label("").is_ok()); // empty is valid assert!(validate_ssh_key_label("laptop").is_ok()); assert!(validate_ssh_key_label(&"a".repeat(128)).is_ok()); // at limit assert!(validate_ssh_key_label(&"a".repeat(129)).is_err()); // over limit } #[test] fn test_multibyte_display_name() { // CJK characters are 3 bytes each in UTF-8, but should count as 1 character let cjk_at_limit: String = "\u{4e16}".repeat(100); // 100 chars assert_eq!(cjk_at_limit.len(), 300); // 300 bytes assert_eq!(cjk_at_limit.chars().count(), 100); // 100 characters assert!(validate_display_name(&cjk_at_limit).is_ok()); let cjk_over_limit: String = "\u{4e16}".repeat(101); assert_eq!(cjk_over_limit.chars().count(), 101); assert!(validate_display_name(&cjk_over_limit).is_err()); let three_cjk = "\u{4e16}\u{754c}\u{597d}"; assert_eq!(three_cjk.len(), 9); // 9 bytes assert_eq!(three_cjk.chars().count(), 3); // 3 characters assert!(validate_display_name(three_cjk).is_ok()); } // ── Edge cases (test-fuzz) ── #[test] fn test_validate_link_url_internal_ip() { // Internal IPs are technically valid HTTP URLs — no SSRF protection at validation level // (SSRF protection is at the request layer, not validation) assert!(validate_link_url("http://127.0.0.1").is_ok()); assert!(validate_link_url("http://192.168.1.1").is_ok()); assert!(validate_link_url("http://10.0.0.1").is_ok()); } #[test] fn test_validate_link_url_with_port() { assert!(validate_link_url("https://example.com:8080/path").is_ok()); } #[test] fn test_validate_link_url_with_auth() { // URLs with userinfo (user:pass@host) — technically valid HTTP assert!(validate_link_url("https://user:pass@example.com").is_ok()); } #[test] fn test_validate_link_url_file_scheme() { assert!(validate_link_url("file:///etc/passwd").is_err()); } #[test] fn test_validate_ssh_key_too_large() { let big_key = format!("ssh-ed25519 {} comment", "A".repeat(8193)); assert!(validate_ssh_public_key(&big_key).is_err()); } #[test] fn test_validate_ssh_key_whitespace_only() { assert!(validate_ssh_public_key(" ").is_err()); } #[test] fn test_validate_username_all_underscores() { assert!(validate_username("___").is_ok()); // 3 underscores is technically valid } #[test] fn test_validate_username_all_numbers() { assert!(validate_username("123").is_ok()); } #[test] fn test_validate_username_unicode_rejected() { assert!(validate_username("\u{00e9}mile").is_err()); // non-ASCII } // ── Adversarial tests (test-fuzz) ── #[test] fn test_validate_username_null_bytes() { assert!(validate_username("use\0r").is_err()); } #[test] fn test_validate_username_zero_width() { assert!(validate_username("use\u{200B}r").is_err()); // zero-width space } #[test] fn test_validate_username_at_boundaries() { assert!(validate_username("ab").is_err()); // 2 chars, min is 3 assert!(validate_username("abc").is_ok()); // exactly 3 assert!(validate_username(&"a".repeat(50)).is_ok()); // exactly 50 assert!(validate_username(&"a".repeat(51)).is_err()); // 51 } #[test] fn test_validate_username_hyphen_rejected() { // Hyphens are NOT allowed in usernames (only slugs) assert!(validate_username("my-user").is_err()); } #[test] fn test_validate_link_url_javascript_variations() { assert!(validate_link_url("javascript:alert(1)").is_err()); // url::Url::parse should reject these too assert!(validate_link_url("JAVASCRIPT:alert(1)").is_err()); assert!(validate_link_url("jAvAsCrIpT:alert(1)").is_err()); } #[test] fn test_validate_link_url_at_max_length() { let long_url = format!("https://example.com/{}", "a".repeat(475)); assert!(long_url.chars().count() <= 500); assert!(validate_link_url(&long_url).is_ok()); let too_long = format!("https://example.com/{}", "a".repeat(481)); assert!(too_long.chars().count() > 500); assert!(validate_link_url(&too_long).is_err()); } #[test] fn test_validate_link_url_no_host() { // Scheme-only URLs (no host) assert!(validate_link_url("http://").is_err()); assert!(validate_link_url("https://").is_err()); } #[test] fn test_validate_ssh_key_with_multiple_spaces() { // Split_whitespace handles multiple spaces between parts let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrJSsFMsNzFqLOsNjMoVMtQ3fMM4JhPmLPWVOmBsBzq comment"; assert!(validate_ssh_public_key(key).is_ok()); } #[test] fn test_validate_ssh_key_with_tabs() { let key = "ssh-ed25519\tAAAAC3NzaC1lZDI1NTE5AAAAIGrJSsFMsNzFqLOsNjMoVMtQ3fMM4JhPmLPWVOmBsBzq"; assert!(validate_ssh_public_key(key).is_ok()); } // ── Property-based tests (test-fuzz) ── proptest::proptest! { #[test] fn prop_username_valid_always_accepted(s in "[a-zA-Z0-9_]{3,50}") { proptest::prop_assert!(validate_username(&s).is_ok(), "Valid username rejected: {:?}", s); } #[test] fn prop_username_short_always_rejected(s in "[a-zA-Z0-9_]{1,2}") { proptest::prop_assert!(validate_username(&s).is_err(), "Short username accepted: {:?}", s); } #[test] fn prop_display_name_never_panics(s in "\\PC{0,200}") { let _ = validate_display_name(&s); } #[test] fn prop_bio_never_panics(s in "\\PC{0,3000}") { let _ = validate_bio(&s); } } }