rusty_common/auth/

ed25519.rs

//! Ed25519 signature utilities for exchange authentication
//!
//! Provides a generic Ed25519 authentication implementation that can be used
//! by any exchange requiring Ed25519 signatures. Built on top of ed25519-dalek
//! for cryptographic operations.

use crate::collections::FxHashMap;
use crate::{CommonError, Result, SmartString};
use ed25519_dalek::{Signer, SigningKey, VerifyingKey};
use hex;
use std::fmt::Debug;

/// Ed25519 authentication implementation for exchanges
#[derive(Debug, Clone)]
pub struct Ed25519Auth {
    signing_key: SigningKey,
    verifying_key: VerifyingKey,
    api_key: SmartString,
}

impl Ed25519Auth {
    /// Create new Ed25519 authenticator with existing signing key
    #[must_use]
    pub fn new(signing_key: SigningKey, api_key: SmartString) -> Self {
        let verifying_key = signing_key.verifying_key();
        Self {
            signing_key,
            verifying_key,
            api_key,
        }
    }

    /// Create Ed25519 authenticator from hex-encoded secret key
    ///
    /// # Arguments
    /// * `secret_hex` - 64-character hex string representing the 32-byte secret key
    /// * `api_key` - API key identifier for the exchange
    ///
    /// # Errors
    /// Returns error if the hex string is invalid or not 64 characters
    pub fn from_secret_key_hex(secret_hex: &str, api_key: SmartString) -> Result<Self> {
        // Validate hex string length (32 bytes = 64 hex characters)
        if secret_hex.len() != 64 {
            return Err(CommonError::Auth(
                format!(
                    "Invalid secret key length: expected 64 hex characters, got {}",
                    secret_hex.len()
                )
                .into(),
            ));
        }

        // Decode hex string to bytes
        let secret_bytes = hex::decode(secret_hex)
            .map_err(|e| CommonError::Auth(format!("Invalid hex in secret key: {e}").into()))?;

        // Convert to array (ed25519-dalek requires exactly 32 bytes)
        let secret_array: [u8; 32] = secret_bytes
            .try_into()
            .map_err(|_| CommonError::Auth("Secret key must be exactly 32 bytes".into()))?;

        // Create signing key from secret bytes
        let signing_key = SigningKey::from_bytes(&secret_array);
        let verifying_key = signing_key.verifying_key();

        Ok(Self {
            signing_key,
            verifying_key,
            api_key,
        })
    }

    /// Sign query parameters using Ed25519
    ///
    /// Creates a query string from parameters and signs it using Ed25519.
    /// Parameters are URL-encoded and joined with '&' separator.
    ///
    /// # Arguments
    /// * `params` - Key-value pairs to sign
    ///
    /// # Returns
    /// Hex-encoded Ed25519 signature
    pub fn sign_params(&self, params: &[(&str, &str)]) -> Result<SmartString> {
        // Build query string from parameters
        let query_string = build_query_string(params)?;

        // Use existing signing key

        // Sign the query string
        let signature = self.signing_key.sign(query_string.as_bytes());

        // Return hex-encoded signature
        Ok(hex::encode(signature.to_bytes()).into())
    }

    /// Sign a complete HTTP request
    ///
    /// Creates authentication headers for an HTTP request including the signature.
    /// The signature is computed over the request parameters.
    ///
    /// # Arguments
    /// * `method` - HTTP method (GET, POST, etc.)
    /// * `path` - Request path
    /// * `body` - Optional request body (currently unused but reserved for future use)
    ///
    /// # Returns
    /// HashMap containing authentication headers
    pub fn sign_request(
        &self,
        _method: &str,
        _path: &str,
        _body: Option<&str>,
    ) -> Result<FxHashMap<SmartString, SmartString>> {
        let mut headers = FxHashMap::default();

        // Add API key header
        headers.insert("X-MBX-APIKEY".into(), self.api_key.clone());

        // Note: Actual signature generation would require parameters
        // This is a placeholder for the generic interface
        // Exchange-specific implementations should override this method

        Ok(headers)
    }

    /// Get the API key
    #[must_use]
    pub fn api_key(&self) -> &str {
        &self.api_key
    }

    /// Get the public key as hex string
    #[must_use]
    pub fn public_key_hex(&self) -> SmartString {
        hex::encode(self.verifying_key.to_bytes()).into()
    }

    /// Get the signing key reference (for advanced use cases)
    #[must_use]
    pub const fn signing_key(&self) -> &SigningKey {
        &self.signing_key
    }

    /// Get the verifying key reference (for advanced use cases)
    #[must_use]
    pub const fn verifying_key(&self) -> &VerifyingKey {
        &self.verifying_key
    }
}

/// Generate Ed25519 signature for parameters (standalone function)
///
/// This is a convenience function that creates a temporary Ed25519Auth
/// instance and signs the parameters.
///
/// # Arguments
/// * `secret_key_hex` - Hex-encoded secret key
/// * `params` - Parameters to sign
///
/// # Returns
/// Hex-encoded signature
pub fn generate_ed25519_signature(
    secret_key_hex: &str,
    params: &[(&str, &str)],
) -> Result<SmartString> {
    let auth = Ed25519Auth::from_secret_key_hex(secret_key_hex, "temp".into())?;
    auth.sign_params(params)
}

/// Build query string from parameters
///
/// Creates a URL-encoded query string from key-value pairs.
/// Parameters are sorted by key for consistent signature generation.
///
/// # Arguments
/// * `params` - Key-value pairs
///
/// # Returns
/// URL-encoded query string
fn build_query_string(params: &[(&str, &str)]) -> Result<SmartString> {
    if params.is_empty() {
        return Ok(SmartString::new());
    }

    // Sort parameters by key for consistent ordering
    let mut sorted_params = params.to_vec();
    sorted_params.sort_by_key(|&(k, _)| k);

    let mut query_parts = Vec::with_capacity(sorted_params.len());

    for (key, value) in sorted_params {
        // URL encode both key and value for correctness
        let encoded_key = urlencoding::encode(key);
        let encoded_value = urlencoding::encode(value);
        query_parts.push(format!("{encoded_key}={encoded_value}"));
    }

    Ok(query_parts.join("&").into())
}

/// Generate a test Ed25519 signing key with fixed key for deterministic testing
///
/// # Returns
/// Fixed Ed25519 signing key for testing purposes
#[cfg(test)]
pub fn generate_test_signing_key() -> SigningKey {
    // Use a fixed key for deterministic testing
    let test_key_bytes = [
        0x4c, 0x5b, 0x2e, 0x7d, 0x3f, 0x8a, 0x9b, 0x1c, 0x6e, 0x5d, 0x4a, 0x3b, 0x2c, 0x1d, 0x0e,
        0x9f, 0x8a, 0x7b, 0x6c, 0x5d, 0x4e, 0x3f, 0x2a, 0x1b, 0x0c, 0x9d, 0x8e, 0x7f, 0x6a, 0x5b,
        0x4c, 0x3d,
    ];
    SigningKey::from_bytes(&test_key_bytes)
}

/// Create test Ed25519Auth instance for testing
#[cfg(test)]
pub fn create_test_auth() -> Ed25519Auth {
    let signing_key = generate_test_signing_key();
    Ed25519Auth::new(signing_key, "test-api-key".into())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_ed25519_auth_creation_from_hex() {
        // Valid 64-character hex string (32 bytes)
        let secret_hex = "4c5b2e7d3f8a9b1c6e5d4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d";
        let api_key = "test-api-key".into();

        let auth = Ed25519Auth::from_secret_key_hex(secret_hex, api_key);
        assert!(auth.is_ok());

        let auth = auth.unwrap();
        assert_eq!(auth.api_key(), "test-api-key");
        assert_eq!(auth.public_key_hex().len(), 64); // 32 bytes = 64 hex chars
    }

    #[test]
    fn test_ed25519_auth_invalid_hex_length() {
        // Too short
        let short_hex = "4c5b2e7d3f8a9b1c";
        let result = Ed25519Auth::from_secret_key_hex(short_hex, "test".into());
        assert!(result.is_err());
        assert!(
            result
                .unwrap_err()
                .to_string()
                .contains("Invalid secret key length")
        );

        // Too long
        let long_hex = "4c5b2e7d3f8a9b1c6e5d4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d1234";
        let result = Ed25519Auth::from_secret_key_hex(long_hex, "test".into());
        assert!(result.is_err());
        assert!(
            result
                .unwrap_err()
                .to_string()
                .contains("Invalid secret key length")
        );
    }

    #[test]
    fn test_ed25519_auth_invalid_hex_chars() {
        // Contains non-hex characters
        let invalid_hex = "4c5b2e7d3f8a9b1c6e5d4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4cZZ";
        let result = Ed25519Auth::from_secret_key_hex(invalid_hex, "test".into());
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("Invalid hex"));
    }

    #[test]
    fn test_sign_params_empty() {
        let auth = create_test_auth();
        let signature = auth.sign_params(&[]);
        assert!(signature.is_ok());

        let sig = signature.unwrap();
        assert_eq!(sig.len(), 128); // Ed25519 signature is 64 bytes = 128 hex chars
    }

    #[test]
    fn test_sign_params_single() {
        let auth = create_test_auth();
        let params = [("symbol", "BTCUSDT")];
        let signature = auth.sign_params(&params);
        assert!(signature.is_ok());

        let sig = signature.unwrap();
        assert_eq!(sig.len(), 128);
        assert!(sig.chars().all(|c| c.is_ascii_hexdigit()));
    }

    #[test]
    fn test_sign_params_multiple() {
        let auth = create_test_auth();
        let params = [
            ("symbol", "BTCUSDT"),
            ("side", "BUY"),
            ("type", "LIMIT"),
            ("quantity", "1"),
            ("price", "50000"),
        ];
        let signature = auth.sign_params(&params);
        assert!(signature.is_ok());

        let sig = signature.unwrap();
        assert_eq!(sig.len(), 128);
        assert!(sig.chars().all(|c| c.is_ascii_hexdigit()));
    }

    #[test]
    fn test_sign_params_with_special_chars() {
        let auth = create_test_auth();
        let params = [
            ("symbol", "BTC/USDT"),
            ("message", "Hello World!"),
            ("special", "[email protected]"),
        ];
        let signature = auth.sign_params(&params);
        assert!(signature.is_ok());

        let sig = signature.unwrap();
        assert_eq!(sig.len(), 128);
    }

    #[test]
    fn test_signature_consistency() {
        let auth = create_test_auth();
        let params = [("symbol", "BTCUSDT"), ("price", "50000")];

        let sig1 = auth.sign_params(&params).unwrap();
        let sig2 = auth.sign_params(&params).unwrap();

        assert_eq!(sig1, sig2, "Signatures should be deterministic");
    }

    #[test]
    fn test_signature_sensitivity() {
        let auth = create_test_auth();

        let params1 = [("symbol", "BTCUSDT")];
        let params2 = [("symbol", "ETHUSDT")]; // Different value

        let sig1 = auth.sign_params(&params1).unwrap();
        let sig2 = auth.sign_params(&params2).unwrap();

        assert_ne!(
            sig1, sig2,
            "Different parameters should produce different signatures"
        );
    }

    #[test]
    fn test_parameter_ordering() {
        let auth = create_test_auth();

        // Same parameters in different order
        let params1 = [("symbol", "BTCUSDT"), ("side", "BUY")];
        let params2 = [("side", "BUY"), ("symbol", "BTCUSDT")];

        let sig1 = auth.sign_params(&params1).unwrap();
        let sig2 = auth.sign_params(&params2).unwrap();

        assert_eq!(sig1, sig2, "Parameter order should not affect signature");
    }

    #[test]
    fn test_generate_ed25519_signature_function() {
        let secret_hex = "4c5b2e7d3f8a9b1c6e5d4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d";
        let params = [("symbol", "BTCUSDT"), ("side", "BUY")];

        let signature = generate_ed25519_signature(secret_hex, &params);
        assert!(signature.is_ok());

        let sig = signature.unwrap();
        assert_eq!(sig.len(), 128);
        assert!(sig.chars().all(|c| c.is_ascii_hexdigit()));
    }

    #[test]
    fn test_sign_request_headers() {
        let auth = create_test_auth();
        let headers = auth.sign_request("GET", "/api/v3/account", None);
        assert!(headers.is_ok());

        let headers = headers.unwrap();
        let api_key_header: SmartString = "X-MBX-APIKEY".into();
        assert!(headers.contains_key(&api_key_header));
        assert_eq!(headers.get(&api_key_header).unwrap(), "test-api-key");
    }

    #[test]
    fn test_public_key_generation() {
        let secret_hex = "4c5b2e7d3f8a9b1c6e5d4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d";
        let auth = Ed25519Auth::from_secret_key_hex(secret_hex, "test".into()).unwrap();

        let public_key = auth.public_key_hex();
        assert_eq!(public_key.len(), 64); // 32 bytes = 64 hex chars
        assert!(public_key.chars().all(|c| c.is_ascii_hexdigit()));
    }

    #[test]
    fn test_build_query_string() {
        // Empty parameters
        let result = build_query_string(&[]);
        assert!(result.is_ok());
        assert_eq!(result.unwrap(), "");

        // Single parameter
        let result = build_query_string(&[("key", "value")]);
        assert!(result.is_ok());
        assert_eq!(result.unwrap(), "key=value");

        // Multiple parameters (should be sorted by key)
        let result = build_query_string(&[("zebra", "last"), ("alpha", "first")]);
        assert!(result.is_ok());
        assert_eq!(result.unwrap(), "alpha=first&zebra=last");

        // Parameters with special characters
        let result = build_query_string(&[("symbol", "BTC/USDT"), ("message", "Hello World!")]);
        assert!(result.is_ok());
        let query = result.unwrap();
        assert!(query.contains("BTC%2FUSDT")); // URL encoded
        assert!(query.contains("Hello%20World%21")); // URL encoded
    }
}