bilelmoussaoui · warusadura · Sep 2, 2024 · Sep 3, 2024 · bilelmoussaoui · Sep 7, 2024
diff --git a/client/src/portal/api/mod.rs b/client/src/portal/api/mod.rs
@@ -259,6 +259,31 @@ impl Keyring {
         )
     }
 
+    pub(crate) fn verify_secret(&self, secret: &Secret) -> bool {
+        let key = self.derive_key(secret);
+
+        // if this is a new keyring or a keyring with zero items
+        if self.items.is_empty() {
+            return true;
+        }
+
+        // decrypting the first item may be enough to verify the secret.
+        // but to avoid a scenario where the first item is corrupted,
+        // decrypting all the items here.
+        let mut decrypt_counter = 0;
+        for item in self.items.clone() {
+            if item.decrypt(&key).is_ok() {
+                decrypt_counter += 1;
+            }
+        }
+
+        if decrypt_counter == self.items.len() {
+            return true;
+        }
+
+        false
+    }
+
     // Reset Keyring content
     pub(crate) fn reset(&mut self) {
         let salt = rand::thread_rng().gen::<[u8; DEFAULT_SALT_SIZE]>().to_vec();

diff --git a/client/src/portal/error.rs b/client/src/portal/error.rs
@@ -41,6 +41,8 @@ pub enum Error {
     Utf8(std::str::Utf8Error),
     /// Mismatch of algorithms used in legacy keyring file.
     AlgorithmMismatch(u8),
+    /// Keyring secret mismatch
+    InvalidSecret,
 }
 
 impl From<zvariant::Error> for Error {
@@ -105,6 +107,7 @@ impl std::fmt::Display for Error {
             Error::InvalidItemIndex(index) => write!(f, "The addressed item index {index} does not exist"),
             Error::Utf8(e) => write!(f, "UTF-8 encoding error {e}"),
             Error::AlgorithmMismatch(e) => write!(f, "Unknown algorithm {e}"),
+            Error::InvalidSecret => write!(f, "Keyring secret does not match the expected value"),
         }
     }
 }

diff --git a/client/src/portal/mod.rs b/client/src/portal/mod.rs
@@ -120,6 +120,10 @@ impl Keyring {
 
                 let keyring = api::Keyring::try_from(content.as_slice())?;
 
+                if !keyring.verify_secret(&secret) {
+                    return Err(Error::InvalidSecret);
+                }
+
                 (mtime, keyring)
             }
         };
@@ -450,6 +454,33 @@ impl Keyring {
 
         self.write().await
     }
+
+    /// Verify the secret associated with a keyring.
+    ///
+    /// This function supports all keyring formats (legacy and latest).
+    ///
+    /// # Arguments
+    /// *`name` - The name of the keyring.
+    /// * `secret` - The service key, usually retrieved from the Secrets portal.
+    pub async fn verify_secret(name: &str, secret: Secret) -> bool {
+        #[cfg(feature = "tracing")]
+        tracing::debug!("Trying to verify {} keyring secret", name);
+
+        let mut ret = false;
+
+        match Self::open(name, secret).await {
+            Err(err) => {
+                if matches!(err, Error::InvalidSecret) {
+                    ret = false;
+                }
+            }
+            Ok(_) => {
+                ret = true;
+            }
+        }
+
+        ret
+    }
 }
 
 #[cfg(test)]
@@ -679,6 +710,42 @@ mod tests {
         Ok(())
     }
 
+    #[tokio::test]
+    async fn load() -> Result<(), Error> {
+        let temp_dir = tempdir()?;
+        let keyring_dir = temp_dir.path().join("keyrings");
+
+        fs::create_dir_all(&keyring_dir).await?;
+
+        let fixture_path = PathBuf::from(env!("CARGO_MANIFEST_DIR"))
+            .join("fixtures")
+            .join("default.keyring");
+
+        fs::copy(&fixture_path, &keyring_dir.join("default.keyring")).await?;
+
+        std::env::set_var("XDG_DATA_HOME", &temp_dir.path());
+
+        let password = b"wrong";
+        let secret = Secret::from(password.to_vec());
+        match Keyring::load(keyring_dir.join("default.keyring"), secret).await {
+            Err(err) => {
+                assert!(matches!(err, Error::InvalidSecret));
+            }
+            Ok(_) => assert!(false),
+        };
+
+        let password = b"test";
+        let secret = Secret::from(password.to_vec());
+        match Keyring::load(keyring_dir.join("default.keyring"), secret).await {
+            Err(err) => {
+                assert!(matches!(err, Error::InvalidSecret));
+            }
+            Ok(_) => assert!(true),
+        };
+
+        Ok(())
+    }
+
     #[tokio::test]
     async fn change_secret() -> Result<(), Error> {
         let path = PathBuf::from("../../tests/test_rekeying.keyring");
@@ -704,4 +771,32 @@ mod tests {
 
         Ok(())
     }
+
+    #[tokio::test]
+    async fn verify_secret() -> Result<(), Error> {
+        let temp_dir = tempdir()?;
+        let keyring_dir = temp_dir.path().join("keyrings");
+
+        fs::create_dir_all(&keyring_dir).await?;
+
+        let fixture_path = PathBuf::from(env!("CARGO_MANIFEST_DIR"))
+            .join("fixtures")
+            .join("legacy.keyring");
+
+        fs::copy(&fixture_path, &keyring_dir.join("legacy.keyring")).await?;
+
+        std::env::set_var("XDG_DATA_HOME", &temp_dir.path());
+
+        // test with a wrong secret
+        let password = b"wrong";
+        let secret = Secret::from(password.to_vec());
+        assert_eq!(Keyring::verify_secret("legacy", secret).await, false);
+
+        // test with the correct secret
+        let password = b"test";
+        let secret = Secret::from(password.to_vec());
+        assert!(Keyring::verify_secret("legacy", secret).await);
+
+        Ok(())
+    }
 }