Alan-Jowett / sonde / 26619330596
82%

Build:
DEFAULT BRANCH: main
Ran 29 May 2026 05:21AM UTC
Jobs 1
Files 124
Run time 1min
29 May 2026 05:02AM UTC coverage: 82.082% (-0.07%) from 82.154%
26619330596

push

github

web-flow
fix: persist rotated master key to KeyProvider backend (GW-2014) (#1095)

* fix: persist rotated master key to KeyProvider backend (GW-2014)

After master key rotation the new key was only swapped in memory and
committed to the database, but never written back to the KeyProvider
backend (file, DPAPI blob, or keyring).  On restart the old key was
loaded from the provider and PSK decryption failed fatally.

Changes:

KeyProvider trait (key_provider.rs):
- Add `write_master_key(&self, key)` and `is_writable(&self) -> bool`
  with default implementations (not-writable) so existing backends
  compile without changes.
- FileKeyProvider: atomic write-to-tmp + rename.
- DpapiKeyProvider: DPAPI encrypt + atomic file write.
- SecretServiceKeyProvider: delegates to `store_in_secret_service()`.
- EnvKeyProvider: returns `NotWritable` (environment variables are
  read-only at runtime).
- Add unit tests for write round-trip and not-writable rejection.

Storage (sqlite_storage.rs):
- `commit_rotation()` no longer deletes `pending_rotation` — the
  record is retained as a crash-recovery marker until the key is
  persisted to the provider.
- Add `delete_pending_rotation()` for explicit cleanup after
  `write_master_key()` succeeds.
- Add `get_master_key_epoch()` to support three-way epoch comparison
  during startup recovery.
- `load_pending_rotation_key()` now tolerates the post-write/pre-delete
  state: when decryption fails but DB epoch == pending epoch, the record
  is a stale marker and `open()` proceeds instead of failing fatally.

Rotation engine (rotation_engine.rs):
- Accept `Arc<dyn KeyProvider>` in constructor; gate
  `handle_rotation_payload()` on `is_writable()`.
- Post-commit persistence sequence in `execute_rotation()`:
    1. DB commit (retains `pending_rotation`)
    2. `write_master_key()` to provider
    3. `delete_pending_rotation()`
    4. Swap in-memory key
- Rewrite `resume_pending_rotation()` with three-way epoch comparison:
    - epoch < pendi... (continued)

135 of 271 new or added lines in 4 files covered. (49.82%)

325 existing lines in 1 file now uncovered.

38251 of 46601 relevant lines covered (82.08%)

248.87 hits per line

Uncovered Changes

Lines Coverage ∆ File
52 87.7 -5.72% crates/sonde-gateway/src/rotation_engine.rs
33 82.73 -0.28% crates/sonde-gateway/src/sqlite_storage.rs
29 56.48 3.3% crates/sonde-gateway/src/key_provider.rs
22 68.57 -0.26% crates/sonde-gateway/src/bin/gateway.rs

Coverage Regressions

Lines Coverage ∆ File
325 85.98 0.7% crates/sonde-azure-handler/src/lib.rs

Jobs

ID Job ID Ran Files Coverage
1 26619330596.1 29 May 2026 05:21AM UTC 124 82.08
  • 207e8735 on github