
app-storage: re-gate MockEncryptionStorage behind mock feature#73

Merged
jgowdy-godaddy merged 1 commit into main from fix/gate-mock-behind-feature on Apr 17, 2026

Conversation

@jgowdy-godaddy
Contributor

Summary

#71 made the mock backend always-compiled so `ENCLAVEAPP_MOCK_STORAGE` could be honored at runtime. That was wrong: a runtime flag in a production binary lets anyone with the env var swap the hardware-backed backend for an in-RAM AES mock. Security hole.

Re-gate: `mock` cargo feature opt-in. Release builds (`cargo build`) have no path to the mock. Test builds (`cargo test`) pull it in via downstream `[dev-dependencies]` with `features = ["mock"]` — cargo feature unification turns it on during tests only.

Keeps #72's deterministic key derivation so cross-process integration tests still work.

Mechanical changes

  • `mock` cargo feature restored; aes-gcm/rand/sha2 are optional deps pulled in by it.
  • `mod mock`, `pub use MockEncryptionStorage`, `MOCK_STORAGE_ENV` constant, and the env-var branch in `create_encryption_storage` all `#[cfg(feature = "mock")]`.

Follow-ups

  • awsenc-cli and sso-jwt-lib already declared `features = ["mock"]` in their `[dev-dependencies]` — no change needed.
  • npmenc's `npmenc` and `npxenc` packages need the same `[dev-dependencies]` entry so `cargo test --workspace` turns the feature on for their integration tests. Will PR against npmenc.

Test plan

  • `cargo build --workspace` — no `aes-gcm` pulled through `enclaveapp-app-storage`.
  • `cargo clippy --workspace --all-targets -- -D warnings`.
  • `cargo clippy -p enclaveapp-app-storage --features mock --all-targets -- -D warnings`.
  • `cargo test -p enclaveapp-app-storage --features mock`.

#71 made the mock backend always-compiled so ENCLAVEAPP_MOCK_STORAGE
could be honored at runtime without cargo feature gymnastics. That
is a security hole for release binaries: anyone setting the env var
on a production install would downgrade the hardware-backed backend
to an AES-in-RAM mock.

Restore the compile-time gate:
- `mock` cargo feature opt-in, with aes-gcm/rand/sha2 as optional
  deps only pulled in by the feature.
- `mock` module, `MockEncryptionStorage` re-export, `MOCK_STORAGE_ENV`
  constant, and the env-var check inside `create_encryption_storage`
  all gated on `#[cfg(feature = "mock")]`.
- Release builds (no --features mock) have no path to the mock at
  all — setting ENCLAVEAPP_MOCK_STORAGE in production is a no-op.
- Test builds enable the feature via downstream `[dev-dependencies]`
  with `features = ["mock"]`; cargo unifies features during
  `cargo test`, so the env var works in CI as intended.

Keeps #72's deterministic key derivation inside the gated mock
module so cross-process test spawning still works.
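The compile-time gate described above, written out as an added example; this is not enclaveapp-app-storage's own code. The `EncryptionStorage` trait shape, the `HardwareStorage` stand-in (which only reports its selection and refuses to seal, since no enclave is present here), the `create_encryption_storage_with` helper that takes the env lookup as a closure so the gate can be tested without touching the process environment, and the mock's XOR pad with an FNV-derived key (standing in for aes-gcm and sha2) are all assumptions made for illustration. Only `ENCLAVEAPP_MOCK_STORAGE` and the `mock` feature name come from the PR.

```rust
// Added example, not the crate's code. Assumed Cargo.toml for the gating:
//
//   [features]
//   mock = ["dep:aes-gcm", "dep:rand", "dep:sha2"]   # opt-in, never default
//   [dependencies]
//   aes-gcm = { version = "0.10", optional = true }  # likewise rand, sha2
//
// A downstream crate turns the mock on for its tests only with
//   [dev-dependencies]
//   enclaveapp-app-storage = { path = "../app-storage", features = ["mock"] }

/// Minimal storage interface (assumed; the real trait is not reproduced).
pub trait EncryptionStorage {
    fn backend_name(&self) -> &'static str;
    fn seal(&self, key_id: &str, plaintext: &[u8]) -> Result<Vec<u8>, String>;
    fn open(&self, key_id: &str, ciphertext: &[u8]) -> Result<Vec<u8>, String>;
}

/// Stand-in for the hardware-backed backend: selectable, but inert here.
pub struct HardwareStorage;

impl EncryptionStorage for HardwareStorage {
    fn backend_name(&self) -> &'static str { "hardware" }
    fn seal(&self, _: &str, _: &[u8]) -> Result<Vec<u8>, String> {
        Err("hardware backend unavailable in this example".into())
    }
    fn open(&self, _: &str, _: &[u8]) -> Result<Vec<u8>, String> {
        Err("hardware backend unavailable in this example".into())
    }
}

/// Env var name; it does not exist at all in a build without the feature.
#[cfg(feature = "mock")]
pub const MOCK_STORAGE_ENV: &str = "ENCLAVEAPP_MOCK_STORAGE";

/// The whole mock is compiled out of release builds.
#[cfg(feature = "mock")]
pub mod mock {
    use super::EncryptionStorage;

    /// Deterministic derivation so a spawned child test process derives the
    /// same key as its parent. Toy FNV-1a stretch; the real mock uses sha2.
    fn derive_key(key_id: &str) -> [u8; 32] {
        let mut key = [0u8; 32];
        let mut h: u64 = 0xcbf2_9ce4_8422_2325;
        for (i, slot) in key.iter_mut().enumerate() {
            for b in key_id.bytes().chain(std::iter::once(i as u8)) {
                h ^= b as u64;
                h = h.wrapping_mul(0x0100_0000_01b3);
            }
            *slot = (h >> 56) as u8;
        }
        key
    }

    /// In-RAM mock. The XOR pad stands in for AES-GCM and gives no real
    /// confidentiality, which is exactly why it must never reach a release binary.
    pub struct MockEncryptionStorage;

    impl MockEncryptionStorage {
        pub fn new() -> Self { MockEncryptionStorage }
        fn xor(key_id: &str, data: &[u8]) -> Vec<u8> {
            let key = derive_key(key_id);
            data.iter().enumerate().map(|(i, b)| b ^ key[i % key.len()]).collect()
        }
    }

    impl EncryptionStorage for MockEncryptionStorage {
        fn backend_name(&self) -> &'static str { "mock" }
        fn seal(&self, key_id: &str, pt: &[u8]) -> Result<Vec<u8>, String> { Ok(Self::xor(key_id, pt)) }
        fn open(&self, key_id: &str, ct: &[u8]) -> Result<Vec<u8>, String> { Ok(Self::xor(key_id, ct)) }
    }
}

#[cfg(feature = "mock")]
pub use mock::MockEncryptionStorage;

/// True only when the binary was built with `--features mock`.
pub const fn mock_compiled_in() -> bool { cfg!(feature = "mock") }

/// Testable core: `env_is_set` reports whether a named variable is present.
/// Without the feature the branch below does not exist, so the env var is a no-op.
pub fn create_encryption_storage_with(env_is_set: impl Fn(&str) -> bool) -> Box<dyn EncryptionStorage> {
    #[cfg(feature = "mock")]
    {
        if env_is_set(MOCK_STORAGE_ENV) {
            return Box::new(MockEncryptionStorage::new());
        }
    }
    let _ = &env_is_set; // keeps the parameter used when the feature is off
    Box::new(HardwareStorage)
}

/// Production entry point: reads the real process environment.
pub fn create_encryption_storage() -> Box<dyn EncryptionStorage> {
    create_encryption_storage_with(|name| std::env::var_os(name).is_some())
}

fn main() {
    let storage = create_encryption_storage();
    println!("mock compiled in: {}", mock_compiled_in());
    println!("selected backend: {}", storage.backend_name());
}
```

Built plainly (`cargo build`), `mock_compiled_in()` is false and `create_encryption_storage_with(|_| true)` still returns the hardware backend, which is the property the PR wants for release binaries; built with `--features mock`, the same call returns the mock. `cargo tree -i aes-gcm` on the release build is a quick way to confirm the optional dependency is no longer pulled through.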
jgowdy-godaddy merged commit 5c35951 into main on Apr 17, 2026
3 checks passed