CLI: rewrite in rust

.github/workflows/cli-lint.yml

@@ -0,0 +1,79 @@
+name: CLI Lint
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'svix-cli/**'
+      - 'rust/**'
+      - '.github/workflows/cli-lint.yml'
+  pull_request:
+    paths:
+      - 'svix-cli/**'
+      - 'rust/**'
+      - '.github/workflows/cli-lint.yml'
+      - 'openapi.json'
+
+# When pushing to a PR, cancel any jobs still running for the previous head commit of the PR
+concurrency:
+  # head_ref is only defined for pull requests, run_id is always unique and defined so if this
+  # workflow was not triggered by a pull request, nothing gets cancelled.
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  check-fmt:
+    name: Check formatting
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: dtolnay/rust-toolchain@nightly
+        with:
+          components: rustfmt
+
+      - name: rustfmt
+        run: cargo fmt -- --check
+        working-directory: svix-cli
+
+  test-versions:
+    name: CLI Lint
+    runs-on: ubuntu-24.04
+    strategy:
+      matrix:
+        rust: [stable, beta]
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Regen openapi libs
+      run: |
+        yarn
+        ./regen_openapi.sh
+
+    - uses: dtolnay/rust-toolchain@master
+      with:
+        toolchain: ${{ matrix.rust }}
+        components: clippy
+
+    - uses: Swatinem/rust-cache@v2
+      with:
+        workspaces: "svix-cli -> target"
+        # only save the cache on the main branch
+        # cf https://github.com/Swatinem/rust-cache/issues/95
+        save-if: ${{ github.ref == 'refs/heads/main' }}
+        # include relevant information in the cache name
+        prefix-key: "cli-${{ matrix.rust }}"
+
+    - uses: taiki-e/install-action@nextest
+
+    - name: Clippy
+      run: cargo clippy --all-targets --all-features -- -D warnings
+      working-directory: svix-cli
+
+    - name: Run tests
+      run: cargo nextest run
+      working-directory: svix-cli

.github/workflows/cli-security.yml

@@ -0,0 +1,24 @@
+name: CLI Security
+
+on:
+  push:
+    branches:
+    - main
+    paths:
+      - 'svix-cli/**/Cargo.toml'
+      - 'svix-cli/**/Cargo.lock'
+      - '.github/workflows/cli-security.yml'
+  pull_request:
+    paths:
+      - 'rust/**/Cargo.toml'
+      - 'rust/**/Cargo.lock'
+      - '.github/workflows/cli-security.yml'
+
+jobs:
+  security_audit:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: EmbarkStudios/cargo-deny-action@v2
+        with:
+          manifest-path: svix-cli/Cargo.toml

deny.toml

@@ -33,6 +33,7 @@ allow = [
 confidence-threshold = 0.8
 exceptions = [
     #{ allow = ["Zlib"], name = "adler32", version = "*" },
+    { allow = ["EPL-2.0"], name = "colored_json", version = "*" }
 ]
 
 [[licenses.clarify]]

rust/src/webhooks.rs

@@ -57,6 +57,23 @@ impl Webhook {
     }
 
     pub fn verify<HM: HeaderMap>(&self, payload: &[u8], headers: &HM) -> Result<(), WebhookError> {
+        self.verify_inner(payload, headers, /* enforce_tolerance */ true)
+    }
+
+    pub fn verify_ignoring_timestamp<HM: HeaderMap>(
+        &self,
+        payload: &[u8],
+        headers: &HM,
+    ) -> Result<(), WebhookError> {
+        self.verify_inner(payload, headers, /* enforce_tolerance */ false)
+    }
+
+    fn verify_inner<HM: HeaderMap>(
+        &self,
+        payload: &[u8],
+        headers: &HM,
+        enforce_tolerance: bool,
+    ) -> Result<(), WebhookError> {
         let msg_id = Self::get_header(headers, SVIX_MSG_ID_KEY, UNBRANDED_MSG_ID_KEY, "id")?;
         let msg_signature = Self::get_header(
             headers,
@@ -72,7 +89,9 @@ impl Webhook {
         )
         .and_then(Self::parse_timestamp)?;
 
-        Self::verify_timestamp(msg_ts)?;
+        if enforce_tolerance {
+            Self::verify_timestamp(msg_ts)?;
+        }
 
         let versioned_signature = self.sign(msg_id, msg_ts, payload)?;
         let expected_signature = versioned_signature
@@ -317,22 +336,37 @@ mod tests {
         let payload = br#"{"email":"[email protected]","username":"test_user"}"#;
         let wh = Webhook::new(&secret).unwrap();
 
-        let signature = wh
-            .sign(msg_id, OffsetDateTime::now_utc().unix_timestamp(), payload)
-            .unwrap();
-
-        let mut headers = get_svix_headers(msg_id, &signature);
+        // Checks that timestamps that are in the future or too old are rejected by
+        // `verify` but okay for `verify_ignoring_timestamp`.
         for ts in [
             OffsetDateTime::now_utc().unix_timestamp() - (super::TOLERANCE_IN_SECONDS + 1),
             OffsetDateTime::now_utc().unix_timestamp() + (super::TOLERANCE_IN_SECONDS + 1),
         ] {
+            let signature = wh.sign(msg_id, ts, payload).unwrap();
+            let mut headers = get_svix_headers(msg_id, &signature);
             headers.insert(
                 super::SVIX_MSG_TIMESTAMP_KEY,
                 ts.to_string().parse().unwrap(),
             );
 
             assert!(wh.verify(payload, &headers,).is_err());
+            // Timestamp tolerance is not considered in this case.
+            assert!(wh.verify_ignoring_timestamp(payload, &headers,).is_ok());
         }
+
+        let ts = OffsetDateTime::now_utc().unix_timestamp();
+        let signature = wh.sign(msg_id, ts, payload).unwrap();
+        let mut headers = get_svix_headers(msg_id, &signature);
+        headers.insert(
+            super::SVIX_MSG_TIMESTAMP_KEY,
+            // Timestamp mismatch!
+            (ts + 1).to_string().parse().unwrap(),
+        );
+
+        // Both versions should reject the timestamp if it's not the same one used to
+        // produce the signature.
+        assert!(wh.verify(payload, &headers,).is_err());
+        assert!(wh.verify_ignoring_timestamp(payload, &headers,).is_err());
     }
 
     #[test]

svix-cli/.gitignore

@@ -0,0 +1 @@
+target/

svix-cli/.rustfmt.toml

@@ -0,0 +1,2 @@
+imports_granularity = "Crate"
+group_imports = "StdExternalCrate"