trustpub: Implement AccessToken struct

Turbo87 · Turbo87 · commit a4b8069c8d2b · 2025-05-20T07:45:15.000+02:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/crates_io_trustpub/Cargo.toml b/crates/crates_io_trustpub/Cargo.toml
@@ -17,10 +17,13 @@ bon = { version = "=3.6.3", optional = true }
 chrono = { version = "=0.4.41", features = ["serde"] }
 jsonwebtoken = "=9.3.1"
 mockall = { version = "=0.13.1", optional = true }
+rand = "=0.9.1"
 reqwest = { version = "=0.12.15", features = ["gzip", "json"] }
 regex = "=1.11.1"
+secrecy = "=0.10.3"
 serde = { version = "=1.0.219", features = ["derive"] }
 serde_json = { version = "=1.0.140", optional = true }
+sha2 = "=0.10.9"
 thiserror = "=2.0.12"
 tokio = { version = "=1.45.0", features = ["sync"] }
 
diff --git a/crates/crates_io_trustpub/src/access_token.rs b/crates/crates_io_trustpub/src/access_token.rs
@@ -0,0 +1,174 @@
+use rand::distr::{Alphanumeric, SampleString};
+use secrecy::{ExposeSecret, SecretString};
+use sha2::digest::Output;
+use sha2::{Digest, Sha256};
+
+/// A temporary access token used to publish crates to crates.io using
+/// the "Trusted Publishing" feature.
+///
+/// The token consists of a prefix, a random alphanumeric string (31 characters),
+/// and a single-character checksum.
+#[derive(Debug)]
+pub struct AccessToken(SecretString);
+
+impl AccessToken {
+    /// The prefix used for the temporary access token.
+    ///
+    /// This overlaps with the `cio` prefix used for other tokens, but since
+    /// the regular tokens don't use `_` characters, they can easily be
+    /// distinguished.
+    pub const PREFIX: &str = "cio_tp_";
+
+    /// The length of the random alphanumeric string in the token, without
+    /// the checksum.
+    const RAW_LENGTH: usize = 31;
+
+    /// Generate a new random access token.
+    pub fn generate() -> Self {
+        let raw = Alphanumeric.sample_string(&mut rand::rng(), Self::RAW_LENGTH);
+        Self(raw.into())
+    }
+
+    /// Parse a byte string into an access token.
+    ///
+    /// This can be used to convert an HTTP header value into an access token.
+    pub fn from_byte_str(byte_str: &[u8]) -> Result<Self, AccessTokenError> {
+        let suffix = byte_str
+            .strip_prefix(Self::PREFIX.as_bytes())
+            .ok_or(AccessTokenError::MissingPrefix)?;
+
+        if suffix.len() != Self::RAW_LENGTH + 1 {
+            return Err(AccessTokenError::InvalidLength);
+        }
+
+        let suffix = std::str::from_utf8(suffix).map_err(|_| AccessTokenError::InvalidCharacter)?;
+        if !suffix.chars().all(|c| char::is_ascii_alphanumeric(&c)) {
+            return Err(AccessTokenError::InvalidCharacter);
+        }
+
+        let raw = suffix.chars().take(Self::RAW_LENGTH).collect::<String>();
+        let claimed_checksum = suffix.chars().nth(Self::RAW_LENGTH).unwrap();
+        let actual_checksum = checksum(raw.as_bytes());
+        if claimed_checksum != actual_checksum {
+            return Err(AccessTokenError::InvalidChecksum {
+                claimed: claimed_checksum,
+                actual: actual_checksum,
+            });
+        }
+
+        Ok(Self(raw.into()))
+    }
+
+    /// Wrap the raw access token with the token prefix and a checksum.
+    ///
+    /// This turns e.g. `ABC` into `cio_tp_ABC{checksum}`.
+    pub fn finalize(&self) -> SecretString {
+        let raw = self.0.expose_secret();
+        let checksum = checksum(raw.as_bytes());
+        format!("{}{raw}{checksum}", Self::PREFIX).into()
+    }
+
+    /// Generate a SHA256 hash of the access token.
+    ///
+    /// This is used to create a hashed version of the token for storage in
+    /// the database to avoid storing the plaintext token.
+    pub fn sha256(&self) -> Output<Sha256> {
+        Sha256::digest(self.0.expose_secret())
+    }
+}
+
+/// The error type for parsing access tokens.
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum AccessTokenError {
+    MissingPrefix,
+    InvalidLength,
+    InvalidCharacter,
+    InvalidChecksum { claimed: char, actual: char },
+}
+
+/// Generate a single-character checksum for the given raw token.
+///
+/// Note that this checksum is not cryptographically secure and should not be
+/// used for security purposes. It should only be used to detect invalid tokens.
+fn checksum(raw: &[u8]) -> char {
+    const ALPHANUMERIC: &str = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+
+    let checksum = raw.iter().fold(0, |acc, &b| acc ^ b);
+
+    ALPHANUMERIC
+        .chars()
+        .nth(checksum as usize % ALPHANUMERIC.len())
+        .unwrap_or('0')
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use claims::{assert_err_eq, assert_ok};
+    use insta::{assert_compact_debug_snapshot, assert_snapshot};
+
+    const EXAMPLE_TOKEN: &str = "gGK6jurSwKyl9V3Az19z7YEFQI9aoOO";
+
+    #[test]
+    fn test_generate() {
+        let token = AccessToken::generate();
+        assert_eq!(token.0.expose_secret().len(), AccessToken::RAW_LENGTH);
+    }
+
+    #[test]
+    fn test_finalize() {
+        let token = AccessToken(SecretString::from(EXAMPLE_TOKEN));
+        assert_snapshot!(token.finalize().expose_secret(), @"cio_tp_gGK6jurSwKyl9V3Az19z7YEFQI9aoOOd");
+    }
+
+    #[test]
+    fn test_sha256() {
+        let token = AccessToken(SecretString::from(EXAMPLE_TOKEN));
+        let hash = token.sha256();
+        assert_compact_debug_snapshot!(hash.as_slice(), @"[11, 102, 58, 175, 81, 174, 38, 227, 173, 48, 158, 96, 20, 130, 99, 78, 7, 16, 241, 211, 195, 166, 110, 74, 193, 126, 53, 125, 42, 21, 23, 124]");
+    }
+
+    #[test]
+    fn test_from_byte_str() {
+        let token = AccessToken::generate().finalize();
+        let token = token.expose_secret();
+        let token2 = assert_ok!(AccessToken::from_byte_str(token.as_bytes()));
+        assert_eq!(token2.finalize().expose_secret(), token);
+
+        let bytes = b"cio_tp_0000000000000000000000000000000w";
+        assert_ok!(AccessToken::from_byte_str(bytes));
+
+        let bytes = b"invalid_token";
+        assert_err_eq!(
+            AccessToken::from_byte_str(bytes),
+            AccessTokenError::MissingPrefix
+        );
+
+        let bytes = b"cio_tp_invalid_token";
+        assert_err_eq!(
+            AccessToken::from_byte_str(bytes),
+            AccessTokenError::InvalidLength
+        );
+
+        let bytes = b"cio_tp_00000000000000000000000000";
+        assert_err_eq!(
+            AccessToken::from_byte_str(bytes),
+            AccessTokenError::InvalidLength
+        );
+
+        let bytes = b"cio_tp_000000@0000000000000000000000000";
+        assert_err_eq!(
+            AccessToken::from_byte_str(bytes),
+            AccessTokenError::InvalidCharacter
+        );
+
+        let bytes = b"cio_tp_00000000000000000000000000000000";
+        assert_err_eq!(
+            AccessToken::from_byte_str(bytes),
+            AccessTokenError::InvalidChecksum {
+                claimed: '0',
+                actual: 'w',
+            }
+        );
+    }
+}
diff --git a/crates/crates_io_trustpub/src/lib.rs b/crates/crates_io_trustpub/src/lib.rs
@@ -1,5 +1,6 @@
 #![doc = include_str!("../README.md")]
 
+pub mod access_token;
 pub mod github;
 pub mod keystore;
 #[cfg(any(test, feature = "test-helpers"))]
