wireapp · coriolinus · Feb 24, 2025 · Feb 21, 2025 · Feb 21, 2025 · Feb 21, 2025
@@ -2,7 +2,7 @@
 name = "rusty-acme"
 description = "ACME types"
 version = "0.12.0"
-edition = "2021"
+edition = "2024"
 repository = "https://github.com/wireapp/rusty-jwt-tools"
 license = "MPL-2.0"
 publish = false

@@ -41,7 +41,7 @@
                 return Err(RustyAcmeError::ClientImplementationError(
                     "an authorization is not supposed to be valid at this point. \
                     You should only use this method to parse the response of an authorization creation.",
-                ))
+                ));
             }
         }
         Ok(authz)
@@ -164,7 +164,7 @@
        use super::*;

        #[test]
        #[wasm_bindgen_test]
        fn can_deserialize_sample_response() {
            let rfc_sample = json!({
                "status": "pending",

@@ -1,8 +1,8 @@
 use crate::{error::CertificateError, identifier::CanonicalIdentifier, prelude::*};
 use rusty_jwt_tools::prelude::*;
 use rusty_x509_check::revocation::{PkiEnvironment, PkiEnvironmentParams};
-use x509_cert::anchor::TrustAnchorChoice;
 use x509_cert::Certificate;
+use x509_cert::anchor::TrustAnchorChoice;
 
 impl RustyAcme {
     /// For fetching the generated certificate

@@ -56,12 +56,12 @@ impl RustyAcme {
                 return Err(RustyAcmeError::ClientImplementationError(
                     "a challenge is not supposed to be pending at this point. \
                     It must either be 'valid' or 'processing'.",
-                ))
+                ));
             }
             None => {
                 return Err(RustyAcmeError::ClientImplementationError(
                     "at this point a challenge is supposed to have a status",
-                ))
+                ));
             }
         }
         Ok(chall)

@@ -250,7 +250,7 @@ impl AcmeFinalize {
                 return Err(RustyAcmeError::ClientImplementationError(
                     "finalize is not supposed to be 'pending | processing | ready' at this point. \
                     It means you have forgotten previous steps",
-                ))
+                ));
             }
             AcmeOrderStatus::Invalid => return Err(AcmeFinalizeError(AcmeOrderError::Invalid))?,
         }

@@ -1,8 +1,8 @@
 use x509_cert::der::Decode as _;
 
 use rusty_jwt_tools::prelude::*;
-use rusty_x509_check::revocation::PkiEnvironment;
 use rusty_x509_check::IdentityStatus;
+use rusty_x509_check::revocation::PkiEnvironment;
 
 use crate::error::CertificateError;
 use crate::prelude::*;

@@ -40,7 +40,7 @@ pub(crate) fn try_compute_jwk_canonicalized_thumbprint(
 fn try_into_jwk(spki: &SubjectPublicKeyInfoOwned) -> RustyAcmeResult<Jwk> {
     use const_oid::db::{
         rfc5912::{ID_EC_PUBLIC_KEY, SECP_256_R_1, SECP_384_R_1, SECP_521_R_1},
-        rfc8410::{ID_ED_25519, ID_ED_448},
+        rfc8410::{ID_ED_448, ID_ED_25519},
     };
     let params = spki
         .algorithm

@@ -57,7 +57,7 @@ impl RustyAcme {
                 return Err(RustyAcmeError::ClientImplementationError(
                     "an order is not supposed to be 'processing | valid | ready' at this point. \
                     You should only be using this method after account creation, not after finalize",
-                ))
+                ));
             }
             AcmeOrderStatus::Invalid => return Err(AcmeOrderError::Invalid)?,
         }
@@ -96,21 +96,21 @@ impl RustyAcme {
                 return Err(RustyAcmeError::ClientImplementationError(
                     "an order is not supposed to be 'pending' at this point. \
                     It means you have forgotten to create authorizations",
-                ))
+                ));
             }
             AcmeOrderStatus::Processing => {
                 return Err(RustyAcmeError::ClientImplementationError(
                     "an order is not supposed to be 'processing' at this point. \
                     You should not have called finalize yet ; in fact, you should only call finalize \
                     once this order turns 'ready'",
-                ))
+                ));
             }
             AcmeOrderStatus::Valid => {
                 return Err(RustyAcmeError::ClientImplementationError(
                     "an order is not supposed to be 'valid' at this point. \
                     It means a certificate has already been delivered which defeats the purpose \
                     of using this method",
-                ))
+                ));
             }
             AcmeOrderStatus::Invalid => return Err(AcmeOrderError::Invalid)?,
         }

@@ -2,7 +2,7 @@
 name = "wire-e2e-identity"
 description = "Public API for Wire end to end identity"
 version = "0.12.0"
-edition = "2021"
+edition = "2024"
 repository = "https://github.com/wireapp/rusty-jwt-tools"
 license = "MPL-2.0"
 publish = false

@@ -17,21 +17,21 @@ mod types;
 pub mod prelude {
     pub use rusty_acme::prelude::x509;
     pub use rusty_acme::prelude::{
-        compute_raw_key_thumbprint, x509::IdentityStatus, AcmeDirectory, RustyAcme, RustyAcmeError, WireIdentity,
-        WireIdentityReader,
+        AcmeDirectory, RustyAcme, RustyAcmeError, WireIdentity, WireIdentityReader, compute_raw_key_thumbprint,
+        x509::IdentityStatus,
     };
     pub use rusty_jwt_tools::prelude::{
-        parse_json_jwk, ClientId as E2eiClientId, Handle, HashAlgorithm, JwsAlgorithm, RustyJwtError,
+        ClientId as E2eiClientId, Handle, HashAlgorithm, JwsAlgorithm, RustyJwtError, parse_json_jwk,
     };
 
     #[cfg(feature = "builder")]
     pub use rusty_jwt_tools::prelude::generate_jwk;
 
+    pub use super::RustyE2eIdentity;
     pub use super::error::{E2eIdentityError, E2eIdentityResult};
     pub use super::types::{
         E2eiAcmeAccount, E2eiAcmeAuthorization, E2eiAcmeChallenge, E2eiAcmeFinalize, E2eiAcmeOrder, E2eiNewAcmeOrder,
     };
-    pub use super::RustyE2eIdentity;
 }
 
 pub type Json = serde_json::Value;

@@ -1,17 +1,17 @@
 #![cfg(not(target_family = "wasm"))]
 
 use jwt_simple::prelude::*;
-use serde_json::{json, Value};
+use serde_json::{Value, json};
 
 use rusty_acme::prelude::*;
 use rusty_jwt_tools::prelude::*;
 use utils::{
+    TestError,
     cfg::{E2eTest, EnrollmentFlow, OidcProvider},
     docker::{stepca::CaCfg, wiremock::WiremockImage},
     id_token::resign_id_token,
     rand_base64_str, rand_client_id,
     wire_server::OauthCfg,
-    TestError,
 };
 
 #[path = "utils/mod.rs"]
@@ -133,10 +133,10 @@
 #[cfg(not(ci))]
 mod acme_server {
     use super::*;
+    use rusty_acme::prelude::x509::RustyX509CheckError;
     use rusty_acme::prelude::x509::reexports::certval;
     use rusty_acme::prelude::x509::reexports::certval::PathValidationStatus;
     use rusty_acme::prelude::x509::revocation::{PkiEnvironment, PkiEnvironmentParams};
-    use rusty_acme::prelude::x509::RustyX509CheckError;
     use x509_cert::der::Decode;
 
     /// Acme server has been man-in-middle:ed and returns untrusted certificates

@@ -1,5 +1,5 @@
 use std::{
-    collections::{hash_map::RandomState, HashMap},
+    collections::{HashMap, hash_map::RandomState},
     net::SocketAddr,
 };
 
@@ -11,6 +11,7 @@ use rusty_acme::prelude::{AcmeAccount, AcmeAuthz, AcmeChallenge, AcmeDirectory,
 use rusty_jwt_tools::{jwk::TryIntoJwk, prelude::*};
 
 use crate::utils::{
+    TestResult,
     ctx::ctx_store_http_client,
     display::TestDisplay,
     docker::{
@@ -21,8 +22,7 @@ use crate::utils::{
         stepca::{AcmeServer, CaCfg},
     },
     rand_base64_str, rand_str,
-    wire_server::{oidc::OidcCfg, OauthCfg, WireServer},
-    TestResult,
+    wire_server::{OauthCfg, WireServer, oidc::OidcCfg},
 };
 
 pub struct E2eTest {

@@ -3,7 +3,7 @@
 
 use std::net::SocketAddr;
 use std::{
-    collections::{hash_map::RandomState, HashMap},
+    collections::{HashMap, hash_map::RandomState},
     str::FromStr,
 };
 

@@ -2,9 +2,9 @@ use std::{collections::HashMap, net::SocketAddr};
 
 use testcontainers::core::{ContainerPort, Mount};
 use testcontainers::runners::AsyncRunner;
-use testcontainers::{core::WaitFor, ContainerAsync, Image, ImageExt};
+use testcontainers::{ContainerAsync, Image, ImageExt, core::WaitFor};
 
-use crate::utils::docker::{ldap::LdapCfg, rand_str, SHM};
+use crate::utils::docker::{SHM, ldap::LdapCfg, rand_str};
 
 pub struct DexServer {
     pub uri: String,

@@ -4,14 +4,14 @@ use std::sync::OnceLock;
 use std::{collections::HashMap, env, net::SocketAddr};
 
 use keycloak::{
+    KeycloakAdmin, KeycloakAdminToken,
     types::ProtocolMapperRepresentation,
     types::{ClientRepresentation, CredentialRepresentation, UserRepresentation},
-    KeycloakAdmin, KeycloakAdminToken,
 };
 
 use testcontainers::core::{ContainerPort, IntoContainerPort, Mount};
 use testcontainers::runners::AsyncRunner;
-use testcontainers::{core::WaitFor, ContainerAsync, Image, ImageExt};
+use testcontainers::{ContainerAsync, Image, ImageExt, core::WaitFor};
 
 use crate::utils::docker::SHM;
 

@@ -1,9 +1,9 @@
-use crate::utils::docker::{rand_str, SHM};
+use crate::utils::docker::{SHM, rand_str};
 use std::borrow::Cow;
 use std::{collections::HashMap, net::SocketAddr};
 use testcontainers::core::{ContainerPort, Mount};
 use testcontainers::runners::AsyncRunner;
-use testcontainers::{core::WaitFor, ContainerAsync, Image, ImageExt};
+use testcontainers::{ContainerAsync, Image, ImageExt, core::WaitFor};
 
 pub struct LdapServer {
     pub node: ContainerAsync<LdapImage>,

@@ -4,9 +4,9 @@ use std::path::Path;
 
 use serde_json::json;
 use testcontainers::core::{CmdWaitFor, ContainerPort, ExecCommand, Mount};
-use testcontainers::{runners::AsyncRunner, ContainerAsync, GenericImage, ImageExt};
+use testcontainers::{ContainerAsync, GenericImage, ImageExt, runners::AsyncRunner};
 
-use crate::utils::docker::{rand_str, NETWORK, SHM};
+use crate::utils::docker::{NETWORK, SHM, rand_str};
 
 pub struct AcmeServer {
     pub uri: String,

@@ -3,7 +3,7 @@ use std::borrow::Cow;
 use std::{collections::HashMap, path::PathBuf};
 use testcontainers::core::{ContainerPort, Mount};
 use testcontainers::runners::AsyncRunner;
-use testcontainers::{core::WaitFor, ContainerAsync, Image, ImageExt};
+use testcontainers::{ContainerAsync, Image, ImageExt, core::WaitFor};
 
 /// Allows to run WireMock in Docker. Uses stubs to mock responses to predefined requests.
 /// The stubs are generated in [crate::E2eTest::new_jwks_uri_mock].

@@ -3,12 +3,15 @@ use itertools::Itertools;
 use jwt_simple::prelude::*;
 use oauth2::{ClientSecret, CsrfToken, PkceCodeChallenge, RedirectUrl, RefreshToken, Scope};
 use openidconnect::{
-    core::{CoreAuthenticationFlow, CoreClient, CoreProviderMetadata},
     IssuerUrl, Nonce,
+    core::{CoreAuthenticationFlow, CoreClient, CoreProviderMetadata},
 };
 use reqwest::StatusCode;
-use serde_json::{json, Value};
-use std::collections::{hash_map::RandomState, HashMap};
+use serde_json::{Value, json};
+use std::{
+    collections::{HashMap, hash_map::RandomState},
+    sync::{Mutex, mpsc},
+};
 use url::Url;
 use x509_cert::der::{DecodePem, Encode};
 
@@ -21,19 +24,20 @@ use rusty_jwt_tools::{
 };
 
 use crate::utils::{
+    TestError, TestResult,
     cfg::{E2eTest, EnrollmentFlow, OidcProvider},
     ctx::*,
     display::Actor,
     docker::stepca,
     helpers::{AcmeAsserter, ClientHelper, RespHelper},
     rand_base64_str,
     wire_server::oidc::{scrap_grant, scrap_login},
-    TestError, TestResult,
 };
 
-// unsafe static mutable channels for the Google OIDC login since it requires tester interaction in browser
-pub(crate) static mut GOOGLE_SND: Option<std::sync::Mutex<std::sync::mpsc::Sender<String>>> = None;
-static mut GOOGLE_RECV: Option<std::sync::Mutex<std::sync::mpsc::Receiver<String>>> = None;
+// These tests require tester interaction to handle Google OIDC login, and the way we're
+// accommodating that under the hood is with these channels.
+pub(crate) static GOOGLE_SND: Mutex<Option<mpsc::Sender<String>>> = Mutex::new(None);
+static GOOGLE_RECV: Mutex<Option<mpsc::Receiver<String>>> = Mutex::new(None);
 
 fn keypair_to_pubkey(alg: JwsAlgorithm, keypair: &Pem) -> Pem {
     match alg {
@@ -768,12 +772,9 @@ impl E2eTest {
     }
 
     pub async fn fetch_id_token_from_google(&mut self) -> TestResult<String> {
-        // SAFETY: safe because there is one codepath using these variables and we are just unconditionally setting them here.
-        unsafe {
-            let (tx, rx) = std::sync::mpsc::channel();
-            GOOGLE_SND = Some(std::sync::Mutex::new(tx));
-            GOOGLE_RECV = Some(std::sync::Mutex::new(rx));
-        }
+        let (tx, rx) = mpsc::channel();
+        *GOOGLE_SND.lock().unwrap() = Some(tx);
+        *GOOGLE_RECV.lock().unwrap() = Some(rx);
 
         // hack to pass args to wire-server
         ctx_store("domain", &self.domain);
@@ -811,10 +812,9 @@ impl E2eTest {
             .url();
         webbrowser::open(authz_url.as_str()).unwrap();
 
-        // SAFETY: We initialized the reference earlier in this function, and the worst case if
-        // someone has mutated it under us is that one of the unwraps causes a test to panic.
-        let id_token = unsafe {
-            let rx = GOOGLE_RECV.as_ref().unwrap().lock().unwrap();
+        let id_token = {
+            let rx = GOOGLE_RECV.lock().unwrap();
+            let rx = rx.as_ref().unwrap();
             rx.recv().unwrap()
         };
         Ok(id_token)

@@ -1,6 +1,6 @@
 use crate::utils::TestResult;
 use http::header::AsHeaderName;
-use http::{header, HeaderName, HeaderValue};
+use http::{HeaderName, HeaderValue, header};
 use itertools::Itertools;
 
 pub trait ClientHelper {
@@ -84,10 +84,11 @@ impl AcmeAsserter for reqwest::Response {
         self
     }
     fn expect_content_type_json(&mut self) -> &mut Self {
-        assert!(self
-            .headers()
-            .iter()
-            .contains(&(&header::CONTENT_TYPE, &HeaderValue::from_static("application/json"))));
+        assert!(
+            self.headers()
+                .iter()
+                .contains(&(&header::CONTENT_TYPE, &HeaderValue::from_static("application/json")))
+        );
         self
     }
     fn has_replay_nonce(&mut self) -> &mut Self {