rust-lang · Turbo87 · Apr 28, 2025 · Apr 28, 2025 · May 8, 2025 · May 7, 2025
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -145,10 +145,12 @@ crates_io_index = { path = "crates/crates_io_index", features = ["testing"] }
 crates_io_tarball = { path = "crates/crates_io_tarball", features = ["builder"] }
 crates_io_team_repo = { path = "crates/crates_io_team_repo", features = ["mock"] }
 crates_io_test_db = { path = "crates/crates_io_test_db" }
+crates_io_trustpub = { path = "crates/crates_io_trustpub", features = ["test-helpers"] }
 claims = "=0.8.0"
 diesel = { version = "=2.2.10", features = ["r2d2"] }
 googletest = "=0.14.0"
 insta = { version = "=1.43.1", features = ["glob", "json", "redactions"] }
+jsonwebtoken = "=9.3.1"
 regex = "=1.11.1"
 sentry = { version = "=0.38.1", features = ["test"] }
 tokio = "=1.45.0"

diff --git a/crates/crates_io_database/src/models/category.rs b/crates/crates_io_database/src/models/category.rs
@@ -3,6 +3,7 @@ use crate::schema::*;
 use chrono::{DateTime, Utc};
 use diesel::dsl;
 use diesel::prelude::*;
+use diesel::sql_types::Text;
 use diesel_async::scoped_futures::ScopedFutureExt;
 use diesel_async::{AsyncConnection, AsyncPgConnection, RunQueryDsl};
 use futures_util::FutureExt;
@@ -19,7 +20,7 @@ pub struct Category {
     pub created_at: DateTime<Utc>,
 }
 
-type WithSlug<'a> = dsl::Eq<categories::slug, crates_io_diesel_helpers::lower<&'a str>>;
+type WithSlug<'a> = dsl::Eq<categories::slug, crates_io_diesel_helpers::lower<Text, &'a str>>;
 
 #[derive(Associations, Insertable, Identifiable, Debug, Clone, Copy)]
 #[diesel(

diff --git a/crates/crates_io_database/src/models/trustpub/mod.rs b/crates/crates_io_database/src/models/trustpub/mod.rs
@@ -1,3 +1,7 @@
 mod github_config;
+mod token;
+mod used_jti;
 
 pub use self::github_config::{GitHubConfig, NewGitHubConfig};
+pub use self::token::NewToken;
+pub use self::used_jti::NewUsedJti;
diff --git a/crates/crates_io_database/src/models/trustpub/token.rs b/crates/crates_io_database/src/models/trustpub/token.rs
@@ -0,0 +1,22 @@
+use crate::schema::trustpub_tokens;
+use chrono::{DateTime, Utc};
+use diesel::prelude::*;
+use diesel_async::{AsyncPgConnection, RunQueryDsl};
+
+#[derive(Debug, Insertable)]
+#[diesel(table_name = trustpub_tokens, check_for_backend(diesel::pg::Pg))]
+pub struct NewToken<'a> {
+    pub expires_at: DateTime<Utc>,
+    pub hashed_token: &'a [u8],
+    pub crate_ids: &'a [i32],
+}
+
+impl NewToken<'_> {
+    pub async fn insert(&self, conn: &mut AsyncPgConnection) -> QueryResult<()> {
+        self.insert_into(trustpub_tokens::table)
+            .execute(conn)
+            .await?;
+
+        Ok(())
+    }
+}
diff --git a/crates/crates_io_database/src/models/trustpub/used_jti.rs b/crates/crates_io_database/src/models/trustpub/used_jti.rs
@@ -0,0 +1,24 @@
+use crate::schema::trustpub_used_jtis;
+use chrono::{DateTime, Utc};
+use diesel::prelude::*;
+use diesel_async::{AsyncPgConnection, RunQueryDsl};
+
+#[derive(Debug, Insertable)]
+#[diesel(table_name = trustpub_used_jtis, check_for_backend(diesel::pg::Pg))]
+pub struct NewUsedJti<'a> {
+    pub jti: &'a str,
+    pub expires_at: DateTime<Utc>,
+}
+
+impl<'a> NewUsedJti<'a> {
+    pub fn new(jti: &'a str, expires_at: DateTime<Utc>) -> Self {
+        Self { jti, expires_at }
+    }
+
+    pub async fn insert(&self, conn: &mut AsyncPgConnection) -> QueryResult<usize> {
+        diesel::insert_into(trustpub_used_jtis::table)
+            .values(self)
+            .execute(conn)
+            .await
+    }
+}
diff --git a/crates/crates_io_diesel_helpers/src/fns.rs b/crates/crates_io_diesel_helpers/src/fns.rs
@@ -4,7 +4,7 @@ use diesel::sql_types::{Date, Double, Integer, Interval, SingleValue, Text, Time
 define_sql_function!(#[aggregate] fn array_agg<T: SingleValue>(x: T) -> Array<T>);
 define_sql_function!(fn canon_crate_name(x: Text) -> Text);
 define_sql_function!(fn to_char(a: Date, b: Text) -> Text);
-define_sql_function!(fn lower(x: Text) -> Text);
+define_sql_function!(fn lower<T: SingleValue>(x: T) -> T);
 define_sql_function!(fn date_part(x: Text, y: Timestamptz) -> Double);
 define_sql_function! {
     #[sql_name = "date_part"]

diff --git a/crates/crates_io_trustpub/Cargo.toml b/crates/crates_io_trustpub/Cargo.toml
@@ -7,10 +7,30 @@ edition = "2024"
 [lints]
 workspace = true
 
+[features]
+test-helpers = ["dep:bon", "dep:mockall", "dep:serde_json"]
+
 [dependencies]
+anyhow = "=1.0.98"
+async-trait = "=0.1.88"
+bon = { version = "=3.6.3", optional = true }
+chrono = { version = "=0.4.41", features = ["serde"] }
+jsonwebtoken = "=9.3.1"
+mockall = { version = "=0.13.1", optional = true }
+rand = "=0.9.1"
+reqwest = { version = "=0.12.15", features = ["gzip", "json"] }
 regex = "=1.11.1"
+secrecy = "=0.10.3"
+serde = { version = "=1.0.219", features = ["derive"] }
+serde_json = { version = "=1.0.140", optional = true }
+sha2 = "=0.10.9"
 thiserror = "=2.0.12"
+tokio = { version = "=1.45.0", features = ["sync"] }
 
 [dev-dependencies]
+bon = "=3.6.3"
 claims = "=0.8.0"
-insta = "=1.43.1"
+insta = { version = "=1.43.1", features = ["json", "redactions"] }
+mockito = "=1.7.0"
+serde_json = "=1.0.140"
+tokio = { version = "=1.45.0", features = ["macros", "rt-multi-thread"] }
diff --git a/crates/crates_io_trustpub/src/access_token.rs b/crates/crates_io_trustpub/src/access_token.rs
@@ -0,0 +1,174 @@
+use rand::distr::{Alphanumeric, SampleString};
+use secrecy::{ExposeSecret, SecretString};
+use sha2::digest::Output;
+use sha2::{Digest, Sha256};
+
+/// A temporary access token used to publish crates to crates.io using
+/// the "Trusted Publishing" feature.
+///
+/// The token consists of a prefix, a random alphanumeric string (31 characters),
+/// and a single-character checksum.
+#[derive(Debug)]
+pub struct AccessToken(SecretString);
+
+impl AccessToken {
+    /// The prefix used for the temporary access token.
+    ///
+    /// This overlaps with the `cio` prefix used for other tokens, but since
+    /// the regular tokens don't use `_` characters, they can easily be
+    /// distinguished.
+    pub const PREFIX: &str = "cio_tp_";
+
+    /// The length of the random alphanumeric string in the token, without
+    /// the checksum.
+    const RAW_LENGTH: usize = 31;
+
+    /// Generate a new random access token.
+    pub fn generate() -> Self {
+        let raw = Alphanumeric.sample_string(&mut rand::rng(), Self::RAW_LENGTH);
+        Self(raw.into())
+    }
+
+    /// Parse a byte string into an access token.
+    ///
+    /// This can be used to convert an HTTP header value into an access token.
+    pub fn from_byte_str(byte_str: &[u8]) -> Result<Self, AccessTokenError> {
+        let suffix = byte_str
+            .strip_prefix(Self::PREFIX.as_bytes())
+            .ok_or(AccessTokenError::MissingPrefix)?;
+
+        if suffix.len() != Self::RAW_LENGTH + 1 {
+            return Err(AccessTokenError::InvalidLength);
+        }
+
+        let suffix = std::str::from_utf8(suffix).map_err(|_| AccessTokenError::InvalidCharacter)?;
+        if !suffix.chars().all(|c| char::is_ascii_alphanumeric(&c)) {
+            return Err(AccessTokenError::InvalidCharacter);
+        }
+
+        let raw = suffix.chars().take(Self::RAW_LENGTH).collect::<String>();
+        let claimed_checksum = suffix.chars().nth(Self::RAW_LENGTH).unwrap();
+        let actual_checksum = checksum(raw.as_bytes());
+        if claimed_checksum != actual_checksum {
+            return Err(AccessTokenError::InvalidChecksum {
+                claimed: claimed_checksum,
+                actual: actual_checksum,
+            });
+        }
+
+        Ok(Self(raw.into()))
+    }
+
+    /// Wrap the raw access token with the token prefix and a checksum.
+    ///
+    /// This turns e.g. `ABC` into `cio_tp_ABC{checksum}`.
+    pub fn finalize(&self) -> SecretString {
+        let raw = self.0.expose_secret();
+        let checksum = checksum(raw.as_bytes());
+        format!("{}{raw}{checksum}", Self::PREFIX).into()
+    }
+
+    /// Generate a SHA256 hash of the access token.
+    ///
+    /// This is used to create a hashed version of the token for storage in
+    /// the database to avoid storing the plaintext token.
+    pub fn sha256(&self) -> Output<Sha256> {
+        Sha256::digest(self.0.expose_secret())
+    }
+}
+
+/// The error type for parsing access tokens.
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum AccessTokenError {
+    MissingPrefix,
+    InvalidLength,
+    InvalidCharacter,
+    InvalidChecksum { claimed: char, actual: char },
+}
+
+/// Generate a single-character checksum for the given raw token.
+///
+/// Note that this checksum is not cryptographically secure and should not be
+/// used for security purposes. It should only be used to detect invalid tokens.
+fn checksum(raw: &[u8]) -> char {
+    const ALPHANUMERIC: &str = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+
+    let checksum = raw.iter().fold(0, |acc, &b| acc ^ b);
+
+    ALPHANUMERIC
+        .chars()
+        .nth(checksum as usize % ALPHANUMERIC.len())
+        .unwrap_or('0')
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use claims::{assert_err_eq, assert_ok};
+    use insta::{assert_compact_debug_snapshot, assert_snapshot};
+
+    const EXAMPLE_TOKEN: &str = "gGK6jurSwKyl9V3Az19z7YEFQI9aoOO";
+
+    #[test]
+    fn test_generate() {
+        let token = AccessToken::generate();
+        assert_eq!(token.0.expose_secret().len(), AccessToken::RAW_LENGTH);
+    }
+
+    #[test]
+    fn test_finalize() {
+        let token = AccessToken(SecretString::from(EXAMPLE_TOKEN));
+        assert_snapshot!(token.finalize().expose_secret(), @"cio_tp_gGK6jurSwKyl9V3Az19z7YEFQI9aoOOd");
+    }
+
+    #[test]
+    fn test_sha256() {
+        let token = AccessToken(SecretString::from(EXAMPLE_TOKEN));
+        let hash = token.sha256();
+        assert_compact_debug_snapshot!(hash.as_slice(), @"[11, 102, 58, 175, 81, 174, 38, 227, 173, 48, 158, 96, 20, 130, 99, 78, 7, 16, 241, 211, 195, 166, 110, 74, 193, 126, 53, 125, 42, 21, 23, 124]");
+    }
+
+    #[test]
+    fn test_from_byte_str() {
+        let token = AccessToken::generate().finalize();
+        let token = token.expose_secret();
+        let token2 = assert_ok!(AccessToken::from_byte_str(token.as_bytes()));
+        assert_eq!(token2.finalize().expose_secret(), token);
+
+        let bytes = b"cio_tp_0000000000000000000000000000000w";
+        assert_ok!(AccessToken::from_byte_str(bytes));
+
+        let bytes = b"invalid_token";
+        assert_err_eq!(
+            AccessToken::from_byte_str(bytes),
+            AccessTokenError::MissingPrefix
+        );
+
+        let bytes = b"cio_tp_invalid_token";
+        assert_err_eq!(
+            AccessToken::from_byte_str(bytes),
+            AccessTokenError::InvalidLength
+        );
+
+        let bytes = b"cio_tp_00000000000000000000000000";
+        assert_err_eq!(
+            AccessToken::from_byte_str(bytes),
+            AccessTokenError::InvalidLength
+        );
+
+        let bytes = b"cio_tp_000000@0000000000000000000000000";
+        assert_err_eq!(
+            AccessToken::from_byte_str(bytes),
+            AccessTokenError::InvalidCharacter
+        );
+
+        let bytes = b"cio_tp_00000000000000000000000000000000";
+        assert_err_eq!(
+            AccessToken::from_byte_str(bytes),
+            AccessTokenError::InvalidChecksum {
+                claimed: '0',
+                actual: 'w',
+            }
+        );
+    }
+}