feat(*): Enforce signatures on server

src/cache/lru.rs

@@ -212,10 +212,7 @@ where
 #[cfg(test)]
 mod test {
     use super::*;
-    use crate::{
-        provider::Provider, signature::KeyRing, testing, SecretKeyEntry, SignatureRole,
-        VerificationStrategy,
-    };
+    use crate::{provider::Provider, testing};
     use std::{convert::TryFrom, sync::Arc};
 
     use tokio::sync::Mutex;
@@ -411,13 +408,9 @@ mod test {
         // Make sure all the create operations pass through
         let provider = TestProvider::default();
         let cache = LruCache::new(10, provider.clone());
-        let sk = SecretKeyEntry::new("TEST", vec![SignatureRole::Proxy]);
 
         let scaffold = testing::Scaffold::load("valid_v1").await;
-        let verified = VerificationStrategy::MultipleAttestation(vec![])
-            .verify(scaffold.invoice.clone(), &KeyRing::default())
-            .unwrap();
-        let signed = crate::invoice::sign(verified, vec![(SignatureRole::Creator, &sk)]).unwrap();
+        let signed = NoopSigned(NoopVerified(scaffold.invoice.clone()));
         cache
             .create_invoice(signed)
             .await

src/invoice/mod.rs

@@ -447,13 +447,6 @@ mod test {
 
         let invoice: crate::Invoice = toml::from_str(invoice).expect("a nice clean parse");
 
-        // Base case: No signature, no keyring should pass.
-        assert!(invoice.signature.is_none());
-        let nokeys = KeyRing::default();
-        let verified = VerificationStrategy::default()
-            .verify(invoice, &nokeys)
-            .expect("If no signature, then this should verify fine");
-
         // Create two signing keys.
         let signer_name1 = "Matt Butcher <matt@example.com>";
         let signer_name2 = "Not Matt Butcher <not.matt@example.com>";
@@ -467,7 +460,7 @@ mod test {
 
         // Add two signatures
         let signed = sign(
-            verified,
+            invoice,
             vec![
                 (SignatureRole::Creator, &keypair1),
                 (SignatureRole::Proxy, &keypair2),

src/invoice/verification.rs

@@ -3,7 +3,7 @@ use crate::invoice::Signed;
 use super::signature::KeyRing;
 use super::{Invoice, Signature, SignatureError, SignatureRole};
 use ed25519_dalek::{PublicKey, Signature as EdSignature};
-use tracing::{debug, info};
+use tracing::debug;
 
 use std::borrow::{Borrow, BorrowMut};
 use std::fmt::Debug;
@@ -193,8 +193,11 @@ impl VerificationStrategy {
         // Either the Creator or an Approver must be in the keyring
         match inv.signature.as_ref() {
             None => {
-                info!(id = %inv.bindle.id, "No signatures on invoice");
-                Ok(VerifiedInvoice(invoice))
+                debug!(id = %inv.bindle.id, "No signatures on invoice");
+                Err(SignatureError::Unverified(
+                    "No signatures found on invoice. At least one signature is required"
+                        .to_string(),
+                ))
             }
             Some(signatures) => {
                 let mut known_key = false;

src/provider/file/mod.rs

@@ -647,9 +647,8 @@ impl Drop for PartFile {
 #[cfg(test)]
 mod test {
     use super::*;
-    use crate::invoice::signature::{KeyRing, SecretKeyEntry, SignatureRole};
-    use crate::testing;
-    use crate::VerificationStrategy;
+    use crate::verification::NoopVerified;
+    use crate::{testing, NoopSigned};
     use tempfile::tempdir;
     use tokio::io::AsyncReadExt;
 
@@ -668,17 +667,6 @@ mod test {
         );
     }
 
-    fn mock_secret_key() -> SecretKeyEntry {
-        SecretKeyEntry::new(
-            "Bogo Key",
-            vec![
-                SignatureRole::Host,
-                SignatureRole::Proxy,
-                SignatureRole::Creator,
-            ],
-        )
-    }
-
     #[tokio::test]
     async fn test_should_create_yank_invoice() {
         // Create a temporary directory
@@ -691,11 +679,7 @@ mod test {
         .await;
         let inv_name = scaffold.invoice.canonical_name();
 
-        let sk = mock_secret_key();
-        let verified = VerificationStrategy::MultipleAttestation(vec![])
-            .verify(scaffold.invoice.clone(), &KeyRing::default())
-            .unwrap();
-        let signed = crate::invoice::sign(verified, vec![(SignatureRole::Creator, &sk)]).unwrap();
+        let signed = NoopSigned(NoopVerified(scaffold.invoice.clone()));
         // Create an invoice
         let (_, missing) = store.create_invoice(signed).await.unwrap();
         assert_eq!(1, missing.len());
@@ -732,11 +716,7 @@ mod test {
         )
         .await;
 
-        let sk = mock_secret_key();
-        let verified = VerificationStrategy::MultipleAttestation(vec![])
-            .verify(scaffold.invoice.clone(), &KeyRing::default())
-            .unwrap();
-        let signed = crate::invoice::sign(verified, vec![(SignatureRole::Creator, &sk)]).unwrap();
+        let signed = NoopSigned(NoopVerified(scaffold.invoice.clone()));
         assert!(store.create_invoice(signed).await.is_err());
     }
 
@@ -751,11 +731,7 @@ mod test {
         )
         .await;
 
-        let sk = mock_secret_key();
-        let verified = VerificationStrategy::MultipleAttestation(vec![])
-            .verify(scaffold.invoice.clone(), &KeyRing::default())
-            .unwrap();
-        let signed = crate::invoice::sign(verified, vec![(SignatureRole::Creator, &sk)]).unwrap();
+        let signed = NoopSigned(NoopVerified(scaffold.invoice.clone()));
         // Create the invoice so we can create a parcel
         store
             .create_invoice(signed)
@@ -807,11 +783,7 @@ mod test {
 
         let scaffold = testing::Scaffold::load("valid_v1").await;
 
-        let sk = mock_secret_key();
-        let verified = VerificationStrategy::MultipleAttestation(vec![])
-            .verify(scaffold.invoice.clone(), &KeyRing::default())
-            .unwrap();
-        let signed = crate::invoice::sign(verified, vec![(SignatureRole::Creator, &sk)]).unwrap();
+        let signed = NoopSigned(NoopVerified(scaffold.invoice.clone()));
         // Store an invoice first and then create the parcel for it
         store
             .create_invoice(signed)
@@ -858,11 +830,7 @@ mod test {
         )
         .await;
 
-        let sk = mock_secret_key();
-        let verified = VerificationStrategy::MultipleAttestation(vec![])
-            .verify(scaffold.invoice.clone(), &KeyRing::default())
-            .unwrap();
-        let signed = crate::invoice::sign(verified, vec![(SignatureRole::Creator, &sk)]).unwrap();
+        let signed = NoopSigned(NoopVerified(scaffold.invoice.clone()));
         store
             .create_invoice(signed)
             .await
@@ -895,18 +863,9 @@ mod test {
         )
         .await;
 
-        let sk = mock_secret_key();
-
-        // We want two copies, since they will each get signed, and we don't want
-        // an error that they are already signed.
-        let verified = VerificationStrategy::MultipleAttestation(vec![])
-            .verify(scaffold.invoice.clone(), &KeyRing::default())
-            .unwrap();
-        let signed1 = crate::invoice::sign(verified, vec![(SignatureRole::Creator, &sk)]).unwrap();
-        let verified = VerificationStrategy::MultipleAttestation(vec![])
-            .verify(scaffold.invoice.clone(), &KeyRing::default())
-            .unwrap();
-        let signed2 = crate::invoice::sign(verified, vec![(SignatureRole::Creator, &sk)]).unwrap();
+        // We want two copies to try and write at the same time
+        let signed1 = NoopSigned(NoopVerified(scaffold.invoice.clone()));
+        let signed2 = NoopSigned(NoopVerified(scaffold.invoice.clone()));
         let (first, second) =
             tokio::join!(store.create_invoice(signed1), store.create_invoice(signed2));