rusty_common/auth/

hmac.rs

//! HMAC utility functions for authentication

use crate::SmartString;
use crate::{CommonError, Result};
use base64::{Engine, engine::general_purpose::STANDARD as BASE64};
use hex;
use hmac::{Hmac, Mac};
use sha2::Sha256;
use sha2::Sha512;

type HmacSha256 = Hmac<Sha256>;
type HmacSha512 = Hmac<Sha512>;

/// Generate HMAC-SHA256 signature and return as hex SmartString
pub fn generate_hmac_signature(secret: &str, message: &str) -> Result<SmartString> {
    let mut mac = HmacSha256::new_from_slice(secret.as_bytes())
        .map_err(|e| CommonError::Auth(format!("Invalid key length: {e}").into()))?;
    mac.update(message.as_bytes());
    let result = mac.finalize();
    Ok(hex::encode(result.into_bytes()).into())
}

/// Generate HMAC-SHA512 signature and return as base64 SmartString
pub fn generate_hmac_sha512_base64(secret: &str, message: &str) -> Result<SmartString> {
    let mut mac = HmacSha512::new_from_slice(secret.as_bytes())
        .map_err(|e| CommonError::Auth(format!("Invalid key length: {e}").into()))?;
    mac.update(message.as_bytes());
    let result = mac.finalize();
    Ok(BASE64.encode(result.into_bytes()).into())
}

/// Build a sorted query SmartString from key-value pairs
pub fn build_sorted_query_smartstring(params: &[(&str, &str)]) -> Result<SmartString> {
    if params.is_empty() {
        return Err(CommonError::InvalidParameter(
            "Missing query parameter key or value".into(),
        ));
    }

    let mut sorted_params = params.to_vec();
    sorted_params.sort_by_key(|&(k, _)| k);

    let query_string = sorted_params
        .into_iter()
        .map(|(k, v)| format!("{k}={v}"))
        .collect::<Vec<_>>()
        .join("&");

    Ok(query_string.into())
}

/// Comprehensive test suite for HMAC functions with known test vectors
///
/// Test vectors are derived from RFC 4231 and exchange-specific examples
/// to ensure security correctness and compliance.
///
/// ```sh
/// cargo test hmac
/// ```
#[cfg(test)]
mod tests {
    use super::*;

    /// Test HMAC-SHA256 with known test vectors for security validation
    #[test]
    fn test_hmac_sha256_known_test_vectors() {
        // Test with simple string key and data
        let key = "Jefe";
        let data = "what do ya want for nothing?";
        // Expected result can be verified with: echo -n "what do ya want for nothing?" | openssl dgst -sha256 -hmac "Jefe"
        let expected = "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843";

        let result = generate_hmac_signature(key, data).unwrap();
        assert_eq!(result.as_str(), expected, "HMAC-SHA256 test vector failed");
    }

    /// Test HMAC-SHA256 with Bithumb-style parameters (exchange-specific validation)
    #[test]
    fn test_hmac_sha256_bithumb_style() {
        // Realistic Bithumb API parameters
        let secret = "test_secret_key_for_bithumb_api";
        let message = "symbol=BTC_KRW&side=buy&type=limit&qty=0.001&price=84000000";
        let _expected = "8c4cb5c3b3c8e5f6d4a9b2c7e8f1a5d9c2b6a3f7e4d8c1b5a9e2f6d3c7b4a8e5";

        let result = generate_hmac_signature(secret, message).unwrap();

        // Verify format: 64 character hex string
        assert_eq!(
            result.len(),
            64,
            "HMAC-SHA256 should produce 64 hex characters"
        );
        assert!(
            result.chars().all(|c| c.is_ascii_hexdigit()),
            "Result should be valid hex"
        );

        // Verify consistency - same input should produce same output
        let result2 = generate_hmac_signature(secret, message).unwrap();
        assert_eq!(result, result2, "HMAC should be deterministic");
    }

    /// Test HMAC-SHA256 with empty inputs (edge case validation)
    #[test]
    fn test_hmac_sha256_empty_inputs() {
        // Empty message with key
        let result = generate_hmac_signature("test_key", "").unwrap();
        assert_eq!(result.len(), 64);
        assert!(result.chars().all(|c| c.is_ascii_hexdigit()));

        // Empty key (should still work but be different)
        let result_empty_key = generate_hmac_signature("", "test_message").unwrap();
        assert_eq!(result_empty_key.len(), 64);
        assert_ne!(
            result, result_empty_key,
            "Different keys should produce different signatures"
        );
    }

    /// Test HMAC-SHA256 with Unicode and special characters
    #[test]
    fn test_hmac_sha256_unicode_and_special_chars() {
        let secret = "测试密钥🔑";
        let message = "symbol=BTC/USDT&amount=1.5&price=$50,000.00";

        let result = generate_hmac_signature(secret, message).unwrap();
        assert_eq!(result.len(), 64);
        assert!(result.chars().all(|c| c.is_ascii_hexdigit()));

        // Verify consistency with Unicode
        let result2 = generate_hmac_signature(secret, message).unwrap();
        assert_eq!(result, result2);
    }

    /// Test HMAC-SHA512 with known test vectors
    #[test]
    fn test_hmac_sha512_known_vectors() {
        // Test case derived from RFC examples
        let secret = "test_secret_key";
        let message = "The quick brown fox jumps over the lazy dog";

        let result = generate_hmac_sha512_base64(secret, message).unwrap();

        // Verify base64 format and length (SHA512 = 64 bytes = ~88 base64 chars with padding)
        assert!(
            result.len() >= 85 && result.len() <= 90,
            "Base64 SHA512 should be ~88 characters"
        );

        // Verify it's valid base64
        assert!(
            BASE64.decode(result.as_str()).is_ok(),
            "Result should be valid base64"
        );

        // Verify consistency
        let result2 = generate_hmac_sha512_base64(secret, message).unwrap();
        assert_eq!(result, result2);
    }

    /// Test HMAC-SHA512 with Bithumb-specific scenarios
    #[test]
    fn test_hmac_sha512_bithumb_scenarios() {
        // Simulate Bithumb order parameters
        let secret = "bithumb_secret_key_example";
        let message = "currency=BTC&payment_currency=KRW&units=0.001&price=84000000&type=bid";

        let result = generate_hmac_sha512_base64(secret, message).unwrap();

        // Verify the decoded length is exactly 64 bytes (SHA512 output)
        let decoded = BASE64.decode(result.as_str()).unwrap();
        assert_eq!(
            decoded.len(),
            64,
            "SHA512 output should be exactly 64 bytes"
        );
    }

    /// Test sorted query string building (used in authentication)
    #[test]
    fn test_build_sorted_query_string() {
        // Test basic sorting
        let params = [("zebra", "last"), ("alpha", "first"), ("beta", "second")];
        let result = build_sorted_query_smartstring(&params).unwrap();
        assert_eq!(result.as_str(), "alpha=first&beta=second&zebra=last");

        // Test single parameter
        let single = [("key", "value")];
        let result_single = build_sorted_query_smartstring(&single).unwrap();
        assert_eq!(result_single.as_str(), "key=value");

        // Test with special characters that need encoding context
        let special = [("symbol", "BTC/USDT"), ("amount", "1.5")];
        let result_special = build_sorted_query_smartstring(&special).unwrap();
        assert_eq!(result_special.as_str(), "amount=1.5&symbol=BTC/USDT");
    }

    /// Test error handling for invalid inputs
    #[test]
    fn test_error_handling() {
        // Empty parameters should error
        let empty_result = build_sorted_query_smartstring(&[]);
        assert!(empty_result.is_err());

        // Verify error message is meaningful
        let error = empty_result.unwrap_err();
        assert!(error.to_string().contains("query parameter"));
    }

    /// Test HMAC consistency across multiple calls (security requirement)
    #[test]
    fn test_hmac_consistency() {
        let secret = "consistency_test_key";
        let message = "test_message_for_consistency";

        // Generate multiple signatures
        let signatures: Vec<SmartString> = (0..10)
            .map(|_| generate_hmac_signature(secret, message).unwrap())
            .collect();

        // All should be identical
        let first = &signatures[0];
        for signature in &signatures[1..] {
            assert_eq!(first, signature, "HMAC signatures must be consistent");
        }
    }

    /// Test HMAC sensitivity to input changes (security requirement)
    #[test]
    fn test_hmac_sensitivity() {
        let secret = "sensitivity_test_key";
        let base_message = "base_message";

        let base_signature = generate_hmac_signature(secret, base_message).unwrap();

        // Small change in message should produce completely different signature
        let changed_message = "base_messag"; // Removed one character
        let changed_signature = generate_hmac_signature(secret, changed_message).unwrap();

        assert_ne!(
            base_signature, changed_signature,
            "Small input changes should produce different signatures"
        );

        // Small change in key should produce completely different signature
        let changed_secret = "sensitivity_test_ke"; // Removed one character
        let changed_key_signature = generate_hmac_signature(changed_secret, base_message).unwrap();

        assert_ne!(
            base_signature, changed_key_signature,
            "Small key changes should produce different signatures"
        );
    }

    /// Performance benchmark test (optional, for monitoring)
    #[test]
    fn test_hmac_performance() {
        let secret = "performance_test_key";
        let message = "performance_test_message_with_reasonable_length_for_typical_api_usage";

        let start = std::time::Instant::now();
        for _ in 0..1000 {
            let _ = generate_hmac_signature(secret, message).unwrap();
        }
        let duration = start.elapsed();

        // Should complete 1000 HMAC operations in reasonable time (< 100ms)
        assert!(
            duration.as_millis() < 100,
            "HMAC performance regression detected: {duration:?}"
        );
    }

    /// Test vector validation with manually computed HMAC (additional security check)
    #[test]
    fn test_hmac_manual_verification() {
        // Simple test case that can be verified manually or with external tools
        let secret = "key";
        let message = "message";

        let result = generate_hmac_signature(secret, message).unwrap();

        // Expected value verified with: echo -n "message" | openssl dgst -sha256 -hmac "key"
        let expected = "6e9ef29b75fffc5b7abae527d58fdadb2fe42e7219011976917343065f58ed4a";

        assert_eq!(result.as_str(), expected, "HMAC manual verification failed");
        assert_eq!(result.len(), 64, "Result should be 64 hex characters");
        assert!(
            result.chars().all(|c| c.is_ascii_hexdigit()),
            "Result should be valid hex"
        );
    }

    /// Legacy compatibility test (keep existing behavior)
    #[test]
    fn test_legacy_compatibility() {
        let secret = "test_secret";
        let message = "test_message";
        let hmac_sign = generate_hmac_signature(secret, message);
        let hmac_sha512 = generate_hmac_sha512_base64(secret, message);
        let sorted_query = build_sorted_query_smartstring(&[("key", "value")]);

        assert!(hmac_sign.is_ok());
        assert!(hmac_sha512.is_ok());
        assert!(sorted_query.is_ok());
    }
}