From 4a5ab5a3c36f479269eaa0f6c5bd1c9b10bf8c9b Mon Sep 17 00:00:00 2001
From: Remo Senekowitsch
Date: Thu, 25 Jul 2024 20:43:50 +0200
Subject: [PATCH 1/2] Add a `.well-known/security.txt`
---
 Cargo.lock | 1 +
 Cargo.toml | 3 +++
 src/main.rs | 6 ++++++
 static/text/well_known_security.txt | 2 ++
 tests/well_known_security.rs | 25 +++++++++++++++++++++++++
 5 files changed, 37 insertions(+)
 create mode 100644 static/text/well_known_security.txt
 create mode 100644 tests/well_known_security.rs
diff --git a/Cargo.lock b/Cargo.lock
index 068e6e26..d810df42 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2855,6 +2855,7 @@ dependencies = [
 "sass-rs",
 "serde",
 "serde_json",
+ "time",
 "toml",
 ]
diff --git a/Cargo.toml b/Cargo.toml
index 60fd92d5..bcb9ed02 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -15,3 +15,6 @@ toml = "0.8"
 serde_json = "1.0"
 rust_team_data = { git = "https://github.com/rust-lang/team" }
 percent-encoding = "2.1.0"
+
+[dev-dependencies]
+time = { version = "0.3.36", features = ["parsing"] }
diff --git a/src/main.rs b/src/main.rs
index 50fd2f7f..e72a1d7b 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -233,6 +233,11 @@ fn redirect_bare_en_us() -> Redirect {
 Redirect::permanent("/")
 }
+#[get("/.well-known/security.txt")]
+fn well_known_security() -> &'static str {
+ include_str!("../static/text/well_known_security.txt")
+}
+
 #[catch(404)]
 #[allow(clippy::result_large_err)]
 fn not_found(req: &Request) -> Result {
@@ -459,6 +464,7 @@ async fn rocket() -> _ {
 team_locale,
 subject_locale,
 redirect_bare_en_us,
+ well_known_security,
 ],
 )
 .register(
diff --git a/static/text/well_known_security.txt b/static/text/well_known_security.txt
new file mode 100644
index 00000000..c0cf282f
--- /dev/null
+++ b/static/text/well_known_security.txt
@@ -0,0 +1,2 @@
+Contact: https://www.rust-lang.org/policies/security
+Expires: 2024-05-15T00:00:00.000Z
diff --git a/tests/well_known_security.rs b/tests/well_known_security.rs
new file mode 100644
index 00000000..5ee39d66
--- /dev/null
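Review bot: `well_known_security` in the first src/main.rs hunk has no doc comment, and because this route is a published vulnerability-disclosure commitment (RFC 9116) it deserves one that says where the content comes from and what keeps it valid: `/// Serves the RFC 9116 security-policy pointer embedded from static/text/well_known_security.txt; the file is baked in at build time, so edits need a rebuild, and tests/well_known_security.rs checks its Expires field.` Returning `&'static str` lets Rocket respond with `text/plain; charset=utf-8`, which is the media type RFC 9116 requires, so no explicit content type is needed. What the hunk cannot show is whether the deployed site serves this path over HTTPS and keeps it out of the locale-redirect handling that `redirect_bare_en_us` suggests exists for other paths; RFC 9116 expects the file at the https URL, so that is worth confirming outside this diff.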
+++ b/tests/well_known_security.rs
@@ -0,0 +1,25 @@
+use time::{format_description::well_known::Rfc3339, OffsetDateTime};
+
+#[test]
+fn well_known_security_is_not_expired() {
+ let text = include_str!("../static/text/well_known_security.txt");
+ let expires = text.split("Expires:").nth(1).unwrap().trim();
+ let expires = OffsetDateTime::parse(expires, &Rfc3339).unwrap();
+ let now = OffsetDateTime::now_utc();
+ assert!(
+ now < expires,
+ "
+ ┌────────────────────────────────────────────────────────────────┐
+ │ │
+ │ I looks like the expiration date of the security policy has │
+ │ passed. Before blindly updating it, please make sure the │
+ │ pointed-to URL still refers to the source of truth of the │
+ │ security policy of the Rust project. If all is well, you can │
+ │ update the expiration date in the relevant file: │
+ │ │
+ │ static/text/well_known_security.txt │
+ │ │
+ └────────────────────────────────────────────────────────────────┘
+ "
+ );
+}
From eef2e6dc2901e89093c7f66f9653a34b39c0a6a2 Mon Sep 17 00:00:00 2001
From: Remo Senekowitsch
Date: Fri, 26 Jul 2024 08:45:10 +0200
Subject: [PATCH 2/2] Improve tests for `.well-known/security.txt`
- make CI fail already one month before expiry
- make sure the expiry date is no further than one year into the future
---
 static/text/well_known_security.txt | 2 +-
 tests/well_known_security.rs | 26 +++++++++++++++++++-------
 2 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/static/text/well_known_security.txt b/static/text/well_known_security.txt
index c0cf282f..5b873bfd 100644
--- a/static/text/well_known_security.txt
+++ b/static/text/well_known_security.txt
@@ -1,2 +1,2 @@
 Contact: https://www.rust-lang.org/policies/security
-Expires: 2024-05-15T00:00:00.000Z
+Expires: 2025-05-15T00:00:00.000Z
diff --git a/tests/well_known_security.rs b/tests/well_known_security.rs
index 5ee39d66..fc11d39c 100644
--- a/tests/well_known_security.rs
+++ b/tests/well_known_security.rs
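Review bot: `text.split("Expires:").nth(1).unwrap().trim()` yields everything after the first `Expires:` rather than that field's value, so it only parses because `Expires` happens to be the last line of the file; adding any field after it (RFC 9116 lets `Canonical`, `Preferred-Languages` and the rest appear in any order) would make the parse panic with a message unrelated to the real problem. Reading the field by line is as short and self-describing: `let expires = text.lines().find_map(|l| l.strip_prefix("Expires:")).expect("security.txt must carry an Expires field").trim();`. The same expression is carried into both tests of the second patch (the `TEXT.split(...)` lines in tests/well_known_security.rs), so the fix applies there too. It would also be cheap to assert here that the `Contact:` value starts with `https://`, which RFC 9116 requires for web contacts; this test is the only thing guarding the shape of that file.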
@@ -1,18 +1,19 @@
 use time::{format_description::well_known::Rfc3339, OffsetDateTime};
+static TEXT: &str = include_str!("../static/text/well_known_security.txt");
+
 #[test]
-fn well_known_security_is_not_expired() {
- let text = include_str!("../static/text/well_known_security.txt");
- let expires = text.split("Expires:").nth(1).unwrap().trim();
+fn well_known_security_is_not_about_to_expire() {
+ let expires = TEXT.split("Expires:").nth(1).unwrap().trim();
 let expires = OffsetDateTime::parse(expires, &Rfc3339).unwrap();
- let now = OffsetDateTime::now_utc();
+ let one_month_from_now = OffsetDateTime::now_utc() + time::Duration::days(30);
 assert!(
- now < expires,
+ one_month_from_now < expires,
 "
 ┌────────────────────────────────────────────────────────────────┐
 │ │
- │ I looks like the expiration date of the security policy has │
- │ passed. Before blindly updating it, please make sure the │
+ │ I looks like the expiration date of the security policy needs │
+ │ updating. Before blindly updating it, please make sure the │
 │ pointed-to URL still refers to the source of truth of the │
 │ security policy of the Rust project. If all is well, you can │
 │ update the expiration date in the relevant file: │
@@ -23,3 +24,14 @@ fn well_known_security_is_not_expired() {
 "
 );
 }
+
+#[test]
+fn well_known_security_expires_within_a_year() {
+ let expires = TEXT.split("Expires:").nth(1).unwrap().trim();
+ let expires = OffsetDateTime::parse(expires, &Rfc3339).unwrap();
+ let one_year_from_now = OffsetDateTime::now_utc() + time::Duration::days(370);
+ assert!(
+ expires < one_year_from_now,
+ "The security policy should be checked once a year, please reduce the expiration date."
+ );
+}
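Review bot: The two parse lines are now duplicated verbatim in `well_known_security_is_not_about_to_expire` and `well_known_security_expires_within_a_year`; a small helper, `fn expires() -> OffsetDateTime`, holding the split and the `OffsetDateTime::parse` call would reduce each test to one comparison and give the panic on a malformed date a single place to live. The bound in `time::Duration::days(370)` does not match the commit message's "no further than one year", and the reason for the extra days is not stated; presumably it is slack so a date set exactly twelve months out still passes, which a comment such as `// 370, not 365: a few days of slack so an Expires set exactly a year out does not trip this` would make explicit. The failure banner in the first hunk still reads "I looks like"; `It looks like` is presumably what was meant.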