max / makenotwork

16.8 KB · 485 lines History Blame Raw

1	//! Validators for user profiles, credentials, and SSH keys.
2
3	use crate::error::AppError;
4	use super::limits;
5
6	/// Validate a display name
7	pub fn validate_display_name(name: &str) -> Result<(), AppError> {
8	if name.chars().count() > limits::DISPLAY_NAME_MAX {
9	return Err(AppError::validation(format!(
10	"Display name must be {} characters or less",
11	limits::DISPLAY_NAME_MAX
12	)));
13	}
14	// Reject control characters (ASCII 0-31 except space, plus DEL 0x7F)
15	// to prevent social engineering in plain-text emails.
16	if name.chars().any(\|c\| c.is_control()) {
17	return Err(AppError::validation(
18	"Display name cannot contain control characters".to_string(),
19	));
20	}
21	Ok(())
22	}
23
24	/// Validate a bio
25	pub fn validate_bio(bio: &str) -> Result<(), AppError> {
26	if bio.chars().count() > limits::BIO_MAX {
27	return Err(AppError::validation(format!(
28	"Bio must be {} characters or less",
29	limits::BIO_MAX
30	)));
31	}
32	Ok(())
33	}
34
35	/// Validate a link URL
36	pub fn validate_link_url(url_str: &str) -> Result<(), AppError> {
37	if url_str.chars().count() > limits::LINK_URL_MAX {
38	return Err(AppError::validation(format!(
39	"URL must be {} characters or less",
40	limits::LINK_URL_MAX
41	)));
42	}
43
44	// Parse URL properly to prevent malformed/malicious URLs
45	let parsed = url::Url::parse(url_str)
46	.map_err(\|_\| AppError::validation("Invalid URL format".to_string()))?;
47
48	// Only allow http and https schemes
49	match parsed.scheme() {
50	"http" \| "https" => {}
51	_ => {
52	return Err(AppError::validation(
53	"URL must use http:// or https://".to_string(),
54	));
55	}
56	}
57
58	// Must have a host
59	if parsed.host_str().is_none() {
60	return Err(AppError::validation("URL must have a host".to_string()));
61	}
62
63	Ok(())
64	}
65
66	/// Validate a link title
67	pub fn validate_link_title(title: &str) -> Result<(), AppError> {
68	if title.is_empty() {
69	return Err(AppError::validation("Link title is required".to_string()));
70	}
71	if title.chars().count() > limits::LINK_TITLE_MAX {
72	return Err(AppError::validation(format!(
73	"Link title must be {} characters or less",
74	limits::LINK_TITLE_MAX
75	)));
76	}
77	Ok(())
78	}
79
80	/// Validate a username: 3-50 chars, alphanumeric + underscore.
81	///
82	/// Also used by the `Username` newtype's `Deserialize` impl.
83	pub fn validate_username(username: &str) -> Result<(), AppError> {
84	let len = username.chars().count();
85	if len < 3 {
86	return Err(AppError::validation(
87	"Username must be at least 3 characters".to_string(),
88	));
89	}
90	if len > 50 {
91	return Err(AppError::validation(
92	"Username must be 50 characters or less".to_string(),
93	));
94	}
95	if !username.chars().all(\|c\| c.is_ascii_alphanumeric() \|\| c == '_') {
96	return Err(AppError::validation(
97	"Username can only contain letters, numbers, and underscores".to_string(),
98	));
99	}
100	Ok(())
101	}
102
103	/// Validate a machine ID
104	pub fn validate_machine_id(machine_id: &str) -> Result<(), AppError> {
105	if machine_id.is_empty() {
106	return Err(AppError::validation("Machine ID is required".to_string()));
107	}
108	if machine_id.chars().count() > limits::MACHINE_ID_MAX {
109	return Err(AppError::validation(format!(
110	"Machine ID must be {} characters or less",
111	limits::MACHINE_ID_MAX
112	)));
113	}
114	Ok(())
115	}
116
117	/// Validate an activation label
118	pub fn validate_activation_label(label: &str) -> Result<(), AppError> {
119	if label.chars().count() > limits::ACTIVATION_LABEL_MAX {
120	return Err(AppError::validation(format!(
121	"Label must be {} characters or less",
122	limits::ACTIVATION_LABEL_MAX
123	)));
124	}
125	Ok(())
126	}
127
128	// ── SSH key validation ──
129
130	/// Accepted SSH key type prefixes.
131	const SSH_KEY_TYPES: &[&str] = &[
132	"ssh-rsa",
133	"ssh-ed25519",
134	"ecdsa-sha2-nistp256",
135	"ecdsa-sha2-nistp384",
136	"ecdsa-sha2-nistp521",
137	];
138
139	/// Validate and normalize an SSH public key, returning `(normalized_key, fingerprint)`.
140	///
141	/// - Parses the `{type} {base64} [comment]` format
142	/// - Validates the key type is one of the accepted algorithms
143	/// - Decodes the base64 data to verify it's real key data
144	/// - Computes the fingerprint as `SHA256:{base64(sha256(decoded_key_bytes))}`
145	/// - Returns the normalized key (type + base64, no comment) and fingerprint
146	pub fn validate_ssh_public_key(input: &str) -> std::result::Result<(String, String), AppError> {
147	let input = input.trim();
148
149	if input.is_empty() {
150	return Err(AppError::validation("SSH public key is required".to_string()));
151	}
152
153	if input.len() > 8192 {
154	return Err(AppError::validation("SSH public key is too large".to_string()));
155	}
156
157	let parts: Vec<&str> = input.split_whitespace().collect();
158	if parts.len() < 2 {
159	return Err(AppError::validation(
160	"Invalid SSH key format: expected '{type} {base64} [comment]'".to_string(),
161	));
162	}
163
164	let key_type = parts[0];
165	let key_data = parts[1];
166
167	if !SSH_KEY_TYPES.contains(&key_type) {
168	return Err(AppError::validation(format!(
169	"Unsupported SSH key type '{}'. Accepted: ssh-rsa, ssh-ed25519, ecdsa-sha2-*",
170	key_type
171	)));
172	}
173
174	// Decode base64 to verify it's valid key data
175	use base64::Engine;
176	let decoded = base64::engine::general_purpose::STANDARD
177	.decode(key_data)
178	.map_err(\|_\| AppError::validation("Invalid SSH key: bad base64 encoding".to_string()))?;
179
180	if decoded.len() < 16 {
181	return Err(AppError::validation("Invalid SSH key: data too short".to_string()));
182	}
183
184	// Compute fingerprint: SHA256:{base64(sha256(decoded))} (same as ssh-keygen -lf)
185	use sha2::Digest;
186	let hash = sha2::Sha256::digest(&decoded);
187	let fingerprint = format!(
188	"SHA256:{}",
189	base64::engine::general_purpose::STANDARD_NO_PAD.encode(hash)
190	);
191
192	// Normalized key: type + base64 (strip comment)
193	let normalized = format!("{} {}", key_type, key_data);
194
195	Ok((normalized, fingerprint))
196	}
197
198	/// Validate an SSH key label
199	pub fn validate_ssh_key_label(label: &str) -> std::result::Result<(), AppError> {
200	if label.chars().count() > limits::SSH_KEY_LABEL_MAX {
201	return Err(AppError::validation(format!(
202	"SSH key label must be {} characters or less",
203	limits::SSH_KEY_LABEL_MAX
204	)));
205	}
206	Ok(())
207	}
208
209	#[cfg(test)]
210	mod tests {
211	use super::*;
212
213	#[test]
214	fn test_validate_display_name() {
215	assert!(validate_display_name("John Doe").is_ok());
216	assert!(validate_display_name("").is_ok()); // Empty is valid
217	assert!(validate_display_name(&"a".repeat(100)).is_ok());
218	assert!(validate_display_name(&"a".repeat(101)).is_err());
219	}
220
221	#[test]
222	fn test_validate_display_name_rejects_control_chars() {
223	assert!(validate_display_name("Alice\nBob").is_err()); // newline
224	assert!(validate_display_name("Alice\rBob").is_err()); // carriage return
225	assert!(validate_display_name("Alice\0Bob").is_err()); // null
226	assert!(validate_display_name("Alice\x7FBob").is_err()); // DEL
227	assert!(validate_display_name("Alice\tBob").is_err()); // tab
228	assert!(validate_display_name("Alice Bob").is_ok()); // space is fine
229	}
230
231	#[test]
232	fn test_validate_bio() {
233	assert!(validate_bio("I make music").is_ok());
234	assert!(validate_bio("").is_ok());
235	assert!(validate_bio(&"a".repeat(2001)).is_err());
236	}
237
238	#[test]
239	fn test_validate_link_url() {
240	assert!(validate_link_url("https://example.com").is_ok());
241	assert!(validate_link_url("http://example.com").is_ok());
242	assert!(validate_link_url("https://example.com/path?query=1").is_ok());
243	assert!(validate_link_url("ftp://example.com").is_err());
244	assert!(validate_link_url("example.com").is_err());
245	assert!(validate_link_url("javascript:alert(1)").is_err());
246	assert!(validate_link_url("data:text/html,<script>alert(1)</script>").is_err());
247	}
248
249	#[test]
250	fn test_validate_link_title() {
251	assert!(validate_link_title("My Website").is_ok());
252	assert!(validate_link_title("X").is_ok()); // single char is valid
253	assert!(validate_link_title("").is_err()); // empty
254	assert!(validate_link_title(&"a".repeat(100)).is_ok()); // at limit
255	assert!(validate_link_title(&"a".repeat(101)).is_err()); // over limit
256	}
257
258	#[test]
259	fn test_validate_machine_id() {
260	assert!(validate_machine_id("hw-abc123").is_ok());
261	assert!(validate_machine_id("a").is_ok()); // single char
262	assert!(validate_machine_id("").is_err()); // empty
263	assert!(validate_machine_id(&"a".repeat(255)).is_ok()); // at limit
264	assert!(validate_machine_id(&"a".repeat(256)).is_err()); // over limit
265	}
266
267	#[test]
268	fn test_validate_activation_label() {
269	assert!(validate_activation_label("Max's laptop").is_ok());
270	assert!(validate_activation_label("").is_ok()); // empty is valid
271	assert!(validate_activation_label(&"a".repeat(100)).is_ok()); // at limit
272	assert!(validate_activation_label(&"a".repeat(101)).is_err()); // over limit
273	}
274
275	#[test]
276	fn test_validate_ssh_public_key_ed25519() {
277	let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrJSsFMsNzFqLOsNjMoVMtQ3fMM4JhPmLPWVOmBsBzq test@example.com";
278	let result = validate_ssh_public_key(key);
279	assert!(result.is_ok(), "ed25519 key should be valid: {:?}", result);
280	let (normalized, fingerprint) = result.unwrap();
281	// Should strip comment
282	assert!(!normalized.contains("test@example.com"));
283	assert!(normalized.starts_with("ssh-ed25519 "));
284	// Fingerprint should be SHA256:...
285	assert!(fingerprint.starts_with("SHA256:"), "Fingerprint: {}", fingerprint);
286	}
287
288	#[test]
289	fn test_validate_ssh_public_key_rejects_empty() {
290	assert!(validate_ssh_public_key("").is_err());
291	}
292
293	#[test]
294	fn test_validate_ssh_public_key_rejects_garbage() {
295	assert!(validate_ssh_public_key("not a key").is_err());
296	}
297
298	#[test]
299	fn test_validate_ssh_public_key_rejects_bad_type() {
300	assert!(validate_ssh_public_key("ssh-dss AAAAB3NzaC1kc3MAAAA").is_err());
301	}
302
303	#[test]
304	fn test_validate_ssh_public_key_rejects_bad_base64() {
305	assert!(validate_ssh_public_key("ssh-ed25519 not-valid-base64!!!").is_err());
306	}
307
308	#[test]
309	fn test_validate_ssh_public_key_same_key_same_fingerprint() {
310	let key_with_comment = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrJSsFMsNzFqLOsNjMoVMtQ3fMM4JhPmLPWVOmBsBzq comment";
311	let key_without_comment = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrJSsFMsNzFqLOsNjMoVMtQ3fMM4JhPmLPWVOmBsBzq";
312	let (_, fp1) = validate_ssh_public_key(key_with_comment).unwrap();
313	let (_, fp2) = validate_ssh_public_key(key_without_comment).unwrap();
314	assert_eq!(fp1, fp2, "Same key data should produce same fingerprint");
315	}
316
317	#[test]
318	fn test_validate_ssh_key_label() {
319	assert!(validate_ssh_key_label("").is_ok()); // empty is valid
320	assert!(validate_ssh_key_label("laptop").is_ok());
321	assert!(validate_ssh_key_label(&"a".repeat(128)).is_ok()); // at limit
322	assert!(validate_ssh_key_label(&"a".repeat(129)).is_err()); // over limit
323	}
324
325	#[test]
326	fn test_multibyte_display_name() {
327	// CJK characters are 3 bytes each in UTF-8, but should count as 1 character
328	let cjk_at_limit: String = "\u{4e16}".repeat(100); // 100 chars
329	assert_eq!(cjk_at_limit.len(), 300); // 300 bytes
330	assert_eq!(cjk_at_limit.chars().count(), 100); // 100 characters
331	assert!(validate_display_name(&cjk_at_limit).is_ok());
332
333	let cjk_over_limit: String = "\u{4e16}".repeat(101);
334	assert_eq!(cjk_over_limit.chars().count(), 101);
335	assert!(validate_display_name(&cjk_over_limit).is_err());
336
337	let three_cjk = "\u{4e16}\u{754c}\u{597d}";
338	assert_eq!(three_cjk.len(), 9); // 9 bytes
339	assert_eq!(three_cjk.chars().count(), 3); // 3 characters
340	assert!(validate_display_name(three_cjk).is_ok());
341	}
342
343	// ── Edge cases (test-fuzz) ──
344
345	#[test]
346	fn test_validate_link_url_internal_ip() {
347	// Internal IPs are technically valid HTTP URLs — no SSRF protection at validation level
348	// (SSRF protection is at the request layer, not validation)
349	assert!(validate_link_url("http://127.0.0.1").is_ok());
350	assert!(validate_link_url("http://192.168.1.1").is_ok());
351	assert!(validate_link_url("http://10.0.0.1").is_ok());
352	}
353
354	#[test]
355	fn test_validate_link_url_with_port() {
356	assert!(validate_link_url("https://example.com:8080/path").is_ok());
357	}
358
359	#[test]
360	fn test_validate_link_url_with_auth() {
361	// URLs with userinfo (user:pass@host) — technically valid HTTP
362	assert!(validate_link_url("https://user:pass@example.com").is_ok());
363	}
364
365	#[test]
366	fn test_validate_link_url_file_scheme() {
367	assert!(validate_link_url("file:///etc/passwd").is_err());
368	}
369
370	#[test]
371	fn test_validate_ssh_key_too_large() {
372	let big_key = format!("ssh-ed25519 {} comment", "A".repeat(8193));
373	assert!(validate_ssh_public_key(&big_key).is_err());
374	}
375
376	#[test]
377	fn test_validate_ssh_key_whitespace_only() {
378	assert!(validate_ssh_public_key(" ").is_err());
379	}
380
381	#[test]
382	fn test_validate_username_all_underscores() {
383	assert!(validate_username("___").is_ok()); // 3 underscores is technically valid
384	}
385
386	#[test]
387	fn test_validate_username_all_numbers() {
388	assert!(validate_username("123").is_ok());
389	}
390
391	#[test]
392	fn test_validate_username_unicode_rejected() {
393	assert!(validate_username("\u{00e9}mile").is_err()); // non-ASCII
394	}
395
396	// ── Adversarial tests (test-fuzz) ──
397
398	#[test]
399	fn test_validate_username_null_bytes() {
400	assert!(validate_username("use\0r").is_err());
401	}
402
403	#[test]
404	fn test_validate_username_zero_width() {
405	assert!(validate_username("use\u{200B}r").is_err()); // zero-width space
406	}
407
408	#[test]
409	fn test_validate_username_at_boundaries() {
410	assert!(validate_username("ab").is_err()); // 2 chars, min is 3
411	assert!(validate_username("abc").is_ok()); // exactly 3
412	assert!(validate_username(&"a".repeat(50)).is_ok()); // exactly 50
413	assert!(validate_username(&"a".repeat(51)).is_err()); // 51
414	}
415
416	#[test]
417	fn test_validate_username_hyphen_rejected() {
418	// Hyphens are NOT allowed in usernames (only slugs)
419	assert!(validate_username("my-user").is_err());
420	}
421
422	#[test]
423	fn test_validate_link_url_javascript_variations() {
424	assert!(validate_link_url("javascript:alert(1)").is_err());
425	// url::Url::parse should reject these too
426	assert!(validate_link_url("JAVASCRIPT:alert(1)").is_err());
427	assert!(validate_link_url("jAvAsCrIpT:alert(1)").is_err());
428	}
429
430	#[test]
431	fn test_validate_link_url_at_max_length() {
432	let long_url = format!("https://example.com/{}", "a".repeat(475));
433	assert!(long_url.chars().count() <= 500);
434	assert!(validate_link_url(&long_url).is_ok());
435
436	let too_long = format!("https://example.com/{}", "a".repeat(481));
437	assert!(too_long.chars().count() > 500);
438	assert!(validate_link_url(&too_long).is_err());
439	}
440
441	#[test]
442	fn test_validate_link_url_no_host() {
443	// Scheme-only URLs (no host)
444	assert!(validate_link_url("http://").is_err());
445	assert!(validate_link_url("https://").is_err());
446	}
447
448	#[test]
449	fn test_validate_ssh_key_with_multiple_spaces() {
450	// Split_whitespace handles multiple spaces between parts
451	let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrJSsFMsNzFqLOsNjMoVMtQ3fMM4JhPmLPWVOmBsBzq comment";
452	assert!(validate_ssh_public_key(key).is_ok());
453	}
454
455	#[test]
456	fn test_validate_ssh_key_with_tabs() {
457	let key = "ssh-ed25519\tAAAAC3NzaC1lZDI1NTE5AAAAIGrJSsFMsNzFqLOsNjMoVMtQ3fMM4JhPmLPWVOmBsBzq";
458	assert!(validate_ssh_public_key(key).is_ok());
459	}
460
461	// ── Property-based tests (test-fuzz) ──
462
463	proptest::proptest! {
464	#[test]
465	fn prop_username_valid_always_accepted(s in "[a-zA-Z0-9_]{3,50}") {
466	proptest::prop_assert!(validate_username(&s).is_ok(), "Valid username rejected: {:?}", s);
467	}
468
469	#[test]
470	fn prop_username_short_always_rejected(s in "[a-zA-Z0-9_]{1,2}") {
471	proptest::prop_assert!(validate_username(&s).is_err(), "Short username accepted: {:?}", s);
472	}
473
474	#[test]
475	fn prop_display_name_never_panics(s in "\\PC{0,200}") {
476	let _ = validate_display_name(&s);
477	}
478
479	#[test]
480	fn prop_bio_never_panics(s in "\\PC{0,3000}") {
481	let _ = validate_bio(&s);
482	}
483	}
484	}
485