mirror of
https://github.com/trailofbits/algo.git
synced 2025-09-08 13:03:32 +02:00
5214c5f819
* Refactor WireGuard key management: generate all keys locally with Ansible modules - Move all WireGuard key generation from remote hosts to local execution via Ansible modules - Enhance x25519_pubkey module for robust, idempotent, and secure key handling - Update WireGuard role tasks to use local key generation and management - Improve error handling and support for check mode * Improve x25519_pubkey module code quality and add integration tests Code Quality Improvements: - Fix import organization and Ruff linting errors - Replace bare except clauses with practical error handling - Simplify documentation while maintaining useful debugging info - Use dictionary literals instead of dict() calls for better performance New Integration Test: - Add comprehensive WireGuard key generation test (test_wireguard_key_generation.py) - Tests actual deployment scenarios matching roles/wireguard/tasks/keys.yml - Validates mathematical correctness of X25519 key derivation - Tests both file and string input methods used by Algo - Includes consistency validation and WireGuard tool integration - Addresses documented test gap in tests/README.md line 63-67 Test Coverage: - Module import validation - Raw private key file processing - Base64 private key string processing - Key derivation consistency checks - Optional WireGuard tool validation (when available) 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Trigger CI build for PR #14803 Testing x25519_pubkey module improvements and WireGuard key generation changes. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix yamllint error: add missing newline at end of keys.yml Resolves: no new line character at the end of file (new-line-at-end-of-file) 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix critical binary data corruption bug in x25519_pubkey module Issue: Private keys with whitespace-like bytes (0x09, 0x0A, etc.) at edges were corrupted by .strip() call on binary data, causing 32-byte keys to become 31 bytes and deployment failures. Root Cause: - Called .strip() on raw binary data unconditionally - X25519 keys containing whitespace bytes were truncated - Error: "got 31 bytes" instead of expected 32 bytes Fix: - Only strip whitespace when processing base64 text data - Preserve raw binary data integrity for 32-byte keys - Maintain backward compatibility with both formats Addresses deployment failure: "Private key file must be either base64 or exactly 32 raw bytes, got 31 bytes" 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Add inline comments to prevent binary data corruption bug Explain the base64/raw file detection logic with clear warnings about the critical issue where .strip() on raw binary data corrupts X25519 keys containing whitespace-like bytes (0x09, 0x0A, etc.). This prevents future developers from accidentally reintroducing the 'got 31 bytes' deployment error by misunderstanding the dual-format key handling logic. --------- Co-authored-by: Dan Guido <dan@trailofbits.com> Co-authored-by: Claude <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| client | ||
| cloud-azure | ||
| cloud-cloudstack/tasks | ||
| cloud-digitalocean/tasks | ||
| cloud-ec2 | ||
| cloud-gce/tasks | ||
| cloud-hetzner/tasks | ||
| cloud-lightsail | ||
| cloud-linode | ||
| cloud-openstack/tasks | ||
| cloud-scaleway | ||
| cloud-vultr/tasks | ||
| common | ||
| dns | ||
| local/tasks | ||
| ssh_tunneling | ||
| strongswan | ||
| wireguard | ||