From 8bad02bcda6afc1f0cf075688e030c01f6b90bf1 Mon Sep 17 00:00:00 2001 From: Karolin Varner Date: Wed, 25 Jun 2025 19:15:13 +0200 Subject: [PATCH] feat: Disallow unknown fields in rosenpass and rp configuration --- .ci/boot_race/a.toml | 5 ----- .ci/boot_race/b.toml | 5 ----- rosenpass/src/api/config.rs | 1 + rosenpass/src/config.rs | 6 ++++++ rp/src/exchange.rs | 2 ++ 5 files changed, 9 insertions(+), 10 deletions(-) diff --git a/.ci/boot_race/a.toml b/.ci/boot_race/a.toml index d8e69fc..439966a 100644 --- a/.ci/boot_race/a.toml +++ b/.ci/boot_race/a.toml @@ -3,11 +3,6 @@ secret_key = "rp-a-secret-key" listen = ["127.0.0.1:9999"] verbosity = "Verbose" -[api] -listen_path = [] -listen_fd = [] -stream_fd = [] - [[peers]] public_key = "rp-b-public-key" endpoint = "127.0.0.1:9998" diff --git a/.ci/boot_race/b.toml b/.ci/boot_race/b.toml index b760975..52f43f1 100644 --- a/.ci/boot_race/b.toml +++ b/.ci/boot_race/b.toml @@ -3,11 +3,6 @@ secret_key = "rp-b-secret-key" listen = ["127.0.0.1:9998"] verbosity = "Verbose" -[api] -listen_path = [] -listen_fd = [] -stream_fd = [] - [[peers]] public_key = "rp-a-public-key" endpoint = "127.0.0.1:9999" diff --git a/rosenpass/src/api/config.rs b/rosenpass/src/api/config.rs index 122bfdb..0fa11b8 100644 --- a/rosenpass/src/api/config.rs +++ b/rosenpass/src/api/config.rs @@ -8,6 +8,7 @@ use crate::app_server::AppServer; /// Configuration options for the Rosenpass API #[derive(Debug, Serialize, Deserialize, Default, Clone, PartialEq, Eq)] +#[serde(deny_unknown_fields)] pub struct ApiConfig { /// Where in the file-system to create the unix socket the rosenpass API will be listening for /// connections on diff --git a/rosenpass/src/config.rs b/rosenpass/src/config.rs index 9f79cce..403c2c8 100644 --- a/rosenpass/src/config.rs +++ b/rosenpass/src/config.rs @@ -34,6 +34,7 @@ fn empty_api_config() -> crate::api::config::ApiConfig { /// /// i.e. configuration for the `rosenpass exchange` and `rosenpass exchange-config` commands #[derive(Debug, Serialize, Deserialize, PartialEq, Eq)] +#[serde(deny_unknown_fields)] pub struct Rosenpass { // TODO: Raise error if secret key or public key alone is set during deserialization // SEE: https://github.com/serde-rs/serde/issues/2793 @@ -75,6 +76,7 @@ pub struct Rosenpass { /// Public key and secret key locations. #[derive(Debug, Deserialize, Serialize, PartialEq, Eq, Clone)] +#[serde(deny_unknown_fields)] pub struct Keypair { /// path to the public key file pub public_key: PathBuf, @@ -102,6 +104,7 @@ impl Keypair { /// /// - TODO: replace this type with [`log::LevelFilter`], also see #[derive(Debug, PartialEq, Eq, Serialize, Deserialize, Copy, Clone)] +#[serde(deny_unknown_fields)] pub enum Verbosity { Quiet, Verbose, @@ -109,6 +112,7 @@ pub enum Verbosity { /// The protocol version to be used by a peer. #[derive(Debug, PartialEq, Eq, Serialize, Deserialize, Copy, Clone, Default)] +#[serde(deny_unknown_fields)] pub enum ProtocolVersion { #[default] V02, @@ -117,6 +121,7 @@ pub enum ProtocolVersion { /// Configuration data for a single Rosenpass peer #[derive(Debug, Default, PartialEq, Eq, Serialize, Deserialize)] +#[serde(deny_unknown_fields)] pub struct RosenpassPeer { /// path to the public key of the peer pub public_key: PathBuf, @@ -152,6 +157,7 @@ pub struct RosenpassPeer { /// Information for supplying exchanged keys directly to WireGuard #[derive(Debug, Default, PartialEq, Eq, Serialize, Deserialize)] +#[serde(deny_unknown_fields)] pub struct WireGuard { /// Name of the WireGuard interface to supply with pre-shared keys generated by the Rosenpass /// key exchange diff --git a/rp/src/exchange.rs b/rp/src/exchange.rs index e099b58..e4df77d 100644 --- a/rp/src/exchange.rs +++ b/rp/src/exchange.rs @@ -15,6 +15,7 @@ use crate::key::WG_B64_LEN; /// a directory for storing public keys and optionally an IP address and port of the endpoint, /// for how long the connection should be kept alive and a list of allowed IPs for the peer. #[derive(Default, Deserialize)] +#[serde(deny_unknown_fields)] pub struct ExchangePeer { /// Directory where public keys are stored pub public_keys_dir: PathBuf, @@ -31,6 +32,7 @@ pub struct ExchangePeer { /// Options for the exchange operation of the `rp` binary. #[derive(Default, Deserialize)] +#[serde(deny_unknown_fields)] pub struct ExchangeOptions { /// Whether the cli output should be verbose. pub verbose: bool,