pluots · tgross35 · Nov 10, 2023 · Nov 10, 2023
diff --git a/.github/workflows/validation.yaml b/.github/workflows/validation.yaml
@@ -9,7 +9,7 @@ name: Rust Validation
 
 env:
   RUSTDOCFLAGS: -D warnings
-  RUSTFLAGS: -D warnings -C debuginfo=1
+  RUSTFLAGS: -C debuginfo=1
   RUST_LOG: debug
   CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse
 

diff --git a/src/jose.rs b/src/jose.rs
@@ -302,6 +302,7 @@ struct TangParams {
 }
 
 impl KeyMeta {
+    #[must_use]
     pub fn to_json(&self) -> String {
         serde_json::to_string(self).expect("serialization failure")
     }

diff --git a/src/key_exchange.rs b/src/key_exchange.rs
@@ -25,6 +25,7 @@ pub struct EncryptionKey<const N: usize>(Zeroizing<[u8; N]>);
 
 impl<const N: usize> EncryptionKey<N> {
     /// Return the secret key
+    #[must_use]
     pub fn as_bytes(&self) -> &[u8; N] {
         &self.0
     }
@@ -57,8 +58,7 @@ fn eccurve_from_jwk(jwk: &Jwk) -> Result<EcCurve> {
 ///   key used to encrypt data, and also satisfies `K = [cs]G`
 pub fn create_enc_key<const N: usize>(s_pub_jwk: &Jwk) -> Result<(Jwk, EncryptionKey<N>)> {
     match s_pub_jwk.algorithm() {
-        Some("ECMR") => (),
-        Some("ECDH-ES") => (),
+        Some("ECMR" | "ECDH-ES") => (),
         alg => {
             return Err(Error::Algorithm(
                 alg.unwrap_or("none").into(),
@@ -119,15 +119,15 @@ where
 ///
 /// From the clevis docs:
 ///
-/// To recover dJWK after discarding it, the client generates a third
-/// ephemeral key (eJWK). Using eJWK, the client performs elliptic curve group
-/// addition of eJWK and cJWK, producing xJWK. The client POSTs xJWK to the server.
+/// To recover `dJWK` after discarding it, the client generates a third
+/// ephemeral key (`eJWK`). Using `eJWK`, the client performs elliptic curve group
+/// addition of `eJWK` and `cJWK`, producing `xJWK`. The client POSTs `xJWK` to the server.
 ///
-/// The server then performs its half of the ECDH key exchange using xJWK and sJWK,
-/// producing yJWK. The server returns yJWK to the client.
+/// The server then performs its half of the ECDH key exchange using `xJWK` and `sJWK`,
+/// producing `yJWK`. The server returns `yJWK` to the client.
 ///
-/// The client then performs half of an ECDH key exchange between eJWK and sJWK,
-/// producing zJWK. Subtracting zJWK from yJWK produces dJWK again.
+/// The client then performs half of an ECDH key exchange between `eJWK` and `sJWK`,
+/// producing `zJWK`. Subtracting `zJWK` from `yJWK` produces `dJWK` again.
 //
 /// Expressed mathematically (capital = private key):
 ///
@@ -173,7 +173,7 @@ where
     Ok(secret_to_key(k))
 }
 
-/// Reimplementation of elliptic_curve::ecdh::diffie_hellman that works with our types easier
+/// Reimplementation of `elliptic_curve::ecdh::diffie_hellman` that works with our types easier
 ///
 /// This is standard ECDH, and first mode of the so-called "ECMR" algorithm
 fn diffie_hellman<C>(
@@ -216,6 +216,7 @@ where
         .map_err(|_| Error::IdentityPointCreated)
 }
 
+#[allow(clippy::needless_pass_by_value)]
 fn secret_to_key<C: Curve, const KEYBYTES: usize>(
     secret: SharedSecret<C>,
 ) -> EncryptionKey<KEYBYTES> {

diff --git a/src/key_exchange_tests.rs b/src/key_exchange_tests.rs
@@ -1,6 +1,6 @@
 //! Tests to verify we match with `jose jwk exc`
 //!
-//! Quoting from https://www.mankier.com/1/jose-jwk-exc:
+//! Quoting from <https://www.mankier.com/1/jose-jwk-exc>:
 //!
 //!
 //! > The ECMR algorithm has three modes of operation. Where the local key has a

diff --git a/src/lib.rs b/src/lib.rs
@@ -1,3 +1,7 @@
+#![warn(clippy::pedantic)]
+#![allow(clippy::missing_panics_doc)]
+#![allow(clippy::missing_errors_doc)]
+
 mod error;
 mod jose;
 mod key_exchange;

diff --git a/src/tang_interface.rs b/src/tang_interface.rs
@@ -16,6 +16,7 @@ pub struct TangClient {
 
 impl TangClient {
     /// Create a new client. If timeout is not specified, it will default to 120s.
+    #[must_use]
     pub fn new(url: &str, timeout: Option<Duration>) -> Self {
         let url = if url.starts_with("http") {
             url.to_owned()
@@ -46,7 +47,7 @@ impl TangClient {
     /// Recover a secure key using metadata that was stored
     pub fn recover_secure_key<const KEYBYTES: usize>(
         &self,
-        meta: KeyMeta,
+        meta: &KeyMeta,
     ) -> Result<EncryptionKey<KEYBYTES>> {
         meta.recover_key(|kid, x_pub_jwk| self.fetch_recovery_key(kid, x_pub_jwk))
     }

diff --git a/tests/backend.rs b/tests/backend.rs
@@ -31,7 +31,7 @@ fn test_roundtrip() {
     // --- recovery ---
 
     let new_meta = KeyMeta::from_json(&meta_str).unwrap();
-    let newkey = client.recover_secure_key::<10>(new_meta).unwrap();
+    let newkey = client.recover_secure_key::<10>(&new_meta).unwrap();
 
     assert_eq!(encryption_key.as_bytes(), newkey.as_bytes());
 }