fix: use random IVs for stored keys (put/get), matching the Dart SDK #526
base: trunk
Changes from all commits
2d4779c
1a1d663
2bc6618
55a411e
d512358
77617ff
1ddf934
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,85 @@ | ||||||
| # DRAFT — opt-in cross-SDK IV interop test (Python at_client <-> Dart at_client). | ||||||
| # Manual only (workflow_dispatch). Review before enabling on PRs: it starts the | ||||||
|
Member
and this
| # ephemeral environment container, onboards two test atSigns via CRAM, installs the | ||||||
| # SDK, and runs test/interop_test.py with AT_INTEROP=1. | ||||||
| name: interop (Python <-> Dart) | ||||||
|
|
||||||
| on: | ||||||
| workflow_dispatch: | ||||||
|
|
||||||
| permissions: | ||||||
| contents: read | ||||||
|
|
||||||
| jobs: | ||||||
| interop: | ||||||
| runs-on: ubuntu-latest | ||||||
| timeout-minutes: 20 | ||||||
| services: | ||||||
| ee: | ||||||
| image: atsigncompany/ephemeral | ||||||
| env: | ||||||
| DNS_FQDN: vip.ve.atsign.zone | ||||||
| FIRST_PORT: 2500 | ||||||
| ports: | ||||||
| - 64:64 | ||||||
| - 2500-2540:2500-2540 | ||||||
| steps: | ||||||
| - uses: actions/checkout@v4 | ||||||
|
Member
Action not pinned, and badly out of date.
Suggested change
|
|
||||||
| - name: Resolve the EE FQDN to localhost (matches the cert CN) | ||||||
| run: echo "127.0.0.1 vip.ve.atsign.zone" | sudo tee -a /etc/hosts | ||||||
|
|
||||||
| - uses: actions/setup-python@v5 | ||||||
|
Member
Action not pinned and badly out of date.
Suggested change
| with: | ||||||
| python-version: '3.13' | ||||||
|
Member
Use latest stable release:
Suggested change
| - uses: dart-lang/setup-dart@v1 | ||||||
|
Member
Action not pinned
Suggested change
|
|
||||||
| - name: Install the SDK (repo generates README.PyPI.md at publish time) | ||||||
|
Member
Why is anything being done with PyPI.md here?
| run: | | ||||||
| cp README.md README.PyPI.md | ||||||
| pip install . | ||||||
|
|
||||||
| - name: Wait for the EE root, then onboard @alpha and @bravo (CRAM) | ||||||
| run: | | ||||||
| export HOME=/tmp/eehome | ||||||
| mkdir -p "$HOME/.atsign/keys" | ||||||
| # give the root time to register the atServers | ||||||
| sleep 30 | ||||||
| cid=$(docker ps --filter ancestor=atsigncompany/ephemeral --format '{{.ID}}' | head -1) | ||||||
| python - "$cid" <<'PY' | ||||||
|
Member
Lots of inline Python here that should probably be in a script.
| import subprocess, sys | ||||||
| from at_client.connections import Address, AtRootConnection, AtSecondaryConnection | ||||||
| from at_client.common import AtSign | ||||||
| from at_client.util import AuthUtil, OnboardingUtil, KeysUtil | ||||||
| cid = sys.argv[1] | ||||||
| root = Address.from_string("vip.ve.atsign.zone:64") | ||||||
| for name in ("alpha", "bravo"): | ||||||
| atsign = AtSign("@" + name) | ||||||
| cram = subprocess.check_output( | ||||||
| ["docker", "exec", cid, "cat", f"/atsign/atservers/{name}/CRAM"]).decode().strip() | ||||||
| sec = AtRootConnection.get_instance(root.host, root.port).find_secondary(atsign) | ||||||
| conn = AtSecondaryConnection(sec); conn.connect() | ||||||
| auth, ob = AuthUtil(), OnboardingUtil() | ||||||
| auth.authenticate_with_cram(conn, atsign, cram) | ||||||
| keys = {} | ||||||
| ob.generate_self_encryption_key(keys); ob.generate_pkam_keypair(keys) | ||||||
| ob.generate_encryption_keypair(keys); KeysUtil.save_keys(atsign, keys) | ||||||
| ob.store_pkam_public_key(conn, keys) | ||||||
| auth.authenticate_with_pkam(conn, atsign, KeysUtil.load_keys(atsign)) | ||||||
| ob.store_public_encryption_key(conn, atsign.without_prefix, keys) | ||||||
| ob.delete_cram_key(conn) | ||||||
| print("onboarded @" + name) | ||||||
| PY | ||||||
|
|
||||||
| - name: dart pub get (interop helper) | ||||||
| run: dart pub get | ||||||
| working-directory: test/interop | ||||||
|
|
||||||
| - name: Run interop test | ||||||
| run: | | ||||||
| # Start from clean Dart local storage (keeps .atKeys). Harmless on a fresh | ||||||
| # runner; prevents stale-key errors when re-running against a recreated EE. | ||||||
| rm -rf /tmp/eehome/.atsign/storage | ||||||
| HOME=/tmp/eehome AT_INTEROP=1 \ | ||||||
| AT_ROOT=vip.ve.atsign.zone:64 AT_ROOT_DOMAIN=vip.ve.atsign.zone \ | ||||||
| python -m unittest discover -s test -p 'interop_test.py' -v | ||||||
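Review bot: the onboarding step relies on a fixed `sleep 30` and an unchecked `docker ps --filter ancestor=atsigncompany/ephemeral ... | head -1` to find the service container, which makes the job both slow and flaky. If the root has not registered the atServers within 30 seconds, `find_secondary` fails with an unrelated-looking error; if `cid` comes back empty, `docker exec` fails the same way. Replace the sleep with a readiness loop that polls `vip.ve.atsign.zone:64` until it accepts a connection (with a bounded retry count so the job fails fast), and take the container ID from `${{ job.services.ee.id }}` instead of filtering `docker ps` by image name. The `atsigncompany/ephemeral` image itself is also unpinned, which sits oddly with the pinning asked for on the actions above; pin it by tag or digest so the onboarding flow does not change underneath the interop test.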
Has worked on test run, so this can go.