config_vault_source/

lib.rs

//! # config-vault-source
//!
//! `config-vault-source` is an extension for the [`config`](https://docs.rs/config)
//! crate that allows loading configuration values directly from **HashiCorp Vault**.
//!
//! This crate provides:
//! - Support for **KV1** and **KV2** Vault engines  
//! - Optional **TLS** support (via the `tls` feature)  
//! - Optional **async loading** (via the `async` feature)  
//! - Automatic **flattening** of nested JSON secrets into config keys  
//! - A clean and ergonomic **Builder API**  
//!
//! It is designed as a drop-in additional `Source` (or `AsyncSource`) for the
//! `config` crate and works the same way as other config sources.
//!
//! ---
//!
//! ## ✨ Example (Synchronous)
//!
//! ```rust
//! use config::Config;
//! use config_vault_source::VaultSource;
//!
//! fn load_config() -> Result<Config, config::ConfigError> {
//!     let vault = VaultSource::builder()
//!         .address("http://127.0.0.1:8200")
//!         .token("hvs.EXAMPLE_TOKEN")
//!         .mount("secret")
//!         .path("dev")
//!         .build()?;
//!
//!     let config = Config::builder()
//!         .add_source(vault)
//!         .build()?;
//!
//!     Ok(config)
//! }
//! ```
//!
//! ---
//!
//! ## ⚡ Example (Asynchronous)
//!
//! Requires:
//! ```toml
//! config-vault-source = { version = "...", features = ["async"] }
//! ```
//!
//! ```rust
//! use config_vault_source::VaultSource;
//!
//! pub async fn get_configuration_async() -> Result<Settings, config::ConfigError> {
//!     let vault_async_source = VaultSource::builder()
//!         .address(std::env::var("VAULT_ADDR").unwrap_or("http://0.0.0.0:8200".into()))
//!         .token(std::env::var("VAULT_TOKEN").unwrap_or("root".into()))
//!         .mount(std::env::var("VAULT_MOUNT").unwrap_or("secret".into()))
//!         .path(std::env::var("VAULT_PATH").unwrap_or("dev".into()))
//!         .build()?;
//!
//!     let settings = config::Config::builder()
//!         .add_source(config::File::with_name("config"))
//!         .add_async_source(vault_async_source)
//!         .build()
//!         .await?;
//!
//!     settings.try_deserialize()
//! }
//! ```
//!
//! ---
//!
//! ## 🔐 TLS Support
//!
//! Enable the `tls` feature:
//! ```toml
//! config-vault-source = { version = "...", features = ["tls"] }
//! ```
//!
//! Builder options become available for CA certificates, client certificates,
//! client keys, and allowing invalid certs (development mode).
//!
//! ---
//!
//! ## 🧩 KV Engine Support
//!
//! By default the source uses **KV2**.  
//! To use **KV1**, call:
//!
//! ```rust
//! let vault = VaultSource::builder()
//!     .kv_version(KvVersion::V1)
//!     // ...
//!     .build()?;
//! ```
//!
//! ---
//!
//! ## 📦 Flattening of Nested Secrets
//!
//! Vault secrets like:
//!
//! ```json
//! {
//!   "database": {
//!       "host": "localhost",
//!       "port": 5432
//!   }
//! }
//! ```
//!
//! automatically become:
//!
//! ```
//! database.host = "localhost"
//! database.port = 5432
//! ```
//!
//! This makes them compatible with `config` merging and with `serde` deserialization.
//!
//! ---
//!
//! For full usage examples, see the README or the builder documentation.
pub mod builder;
mod utils;

pub use builder::VaultSourceBuilder;

use std::ops::Deref;
use std::str::FromStr;

use config::{Config, Source};
use config::{ConfigError, Map, Value};

#[cfg(feature = "async")]
use async_trait::async_trait;
#[cfg(feature = "async")]
use config::AsyncSource;
use url::Url;

use crate::utils::flatten_json;

/// A `Source` for the `config` library that loads configurations from HashiCorp Vault.
///
/// This source connects to a HashiCorp Vault server and loads a secret from
/// the version 2 of the KV (Key-Value) engine. The values from the secret are included
/// in the configuration as flat key-value pairs.
///
/// # Example
///
/// ```
/// use config_vault::VaultSource;
///
/// let vault = VaultSource::new(
///     "http://vault.example.com:8200".to_string(),
///     "my-token".to_string(),
///     "secret".to_string(),
///     "dev".to_string(),
/// );
/// ```
#[derive(Debug, Clone, PartialEq)]
pub struct VaultSource {
    config: VaultConfig,
    kv_version: KvVersion,
}

#[derive(Debug, Clone, PartialEq)]
pub struct VaultAddr(Url);

impl Deref for VaultAddr {
    type Target = Url;

    fn deref(&self) -> &Self::Target {
        &self.0
    }
}

impl FromStr for VaultAddr {
    type Err = ConfigError;

    fn from_str(s: &str) -> Result<Self, Self::Err> {
        let url = url::Url::parse(s)
            .map_err(|e| ConfigError::Message(format!("Invalid Vault address: {e}")))?;

        if url.cannot_be_a_base() {
            return Err(ConfigError::Message(
                "Vault address cannot be a base URL".into(),
            ));
        }

        if !url.path().trim_matches('/').is_empty() {
            return Err(ConfigError::Message(
                "Vault address must not contain a path (e.g. use https://host:8200, not https://host:8200/v1)"
                    .into(),
            ));
        }

        Ok(VaultAddr(url))
    }
}

impl TryFrom<&str> for VaultAddr {
    type Error = ConfigError;

    fn try_from(value: &str) -> Result<Self, Self::Error> {
        value.parse()
    }
}

impl TryFrom<String> for VaultAddr {
    type Error = ConfigError;

    fn try_from(value: String) -> Result<Self, Self::Error> {
        value.parse()
    }
}

#[derive(Debug, Clone, PartialEq)]
pub struct VaultConfig {
    pub address: VaultAddr,
    pub token: String,
    pub mount: String,
    pub path: String,

    #[cfg(feature = "tls")]
    pub tls: Option<TlsConfig>,
}

#[cfg(feature = "tls")]
#[derive(Debug, Clone, PartialEq)]
pub struct TlsConfig {
    pub ca_cert_bytes: Option<Vec<u8>>,
    pub client_cert: Option<Vec<u8>>,
    pub client_key: Option<Vec<u8>>,
    pub danger_accept_invalid_certs: bool,
}

#[derive(Debug, Clone, PartialEq, Default)]
pub enum KvVersion {
    V1,
    #[default]
    V2,
}

impl VaultSource {
    pub fn builder() -> VaultSourceBuilder {
        VaultSourceBuilder::new()
    }

    fn build_read_url(&self) -> Result<url::Url, ConfigError> {
        let api_path = match self.kv_version {
            KvVersion::V1 => format!("v1/{}/{}", self.config.mount, self.config.path),
            KvVersion::V2 => format!("v1/{}/data/{}", self.config.mount, self.config.path),
        };

        let mut url = self.config.address.0.clone();

        url.path_segments_mut()
            .map_err(|_| ConfigError::Message("Vault base URL cannot be a base".into()))?
            .pop_if_empty()
            .extend(api_path.split("/"));

        Ok(url)
    }

    fn build_blocking_client(&self) -> Result<reqwest::blocking::Client, ConfigError> {
        let mut builder = reqwest::blocking::Client::builder();

        #[cfg(feature = "tls")]
        if let Some(tls) = &self.config.tls {
            if let Some(ca_bytes) = &tls.ca_cert_bytes {
                let cert = reqwest::Certificate::from_pem(&ca_bytes)
                    .map_err(|e| ConfigError::Foreign(Box::new(e)))?;

                builder = builder.add_root_certificate(cert);
            }

            if let (Some(cert), Some(key)) = (&tls.client_cert, &tls.client_key) {
                let mut identity_bytes = cert.clone();
                identity_bytes.extend_from_slice(key);
                let identity = reqwest::Identity::from_pem(&identity_bytes)
                    .map_err(|e| ConfigError::Foreign(Box::new(e)))?;
                builder = builder.identity(identity);
            }

            if tls.danger_accept_invalid_certs {
                builder = builder.danger_accept_invalid_certs(true);
            }
        }

        builder
            .build()
            .map_err(|e| ConfigError::Foreign(Box::new(e)))
    }

    #[cfg(feature = "async")]
    fn build_async_client(&self) -> Result<reqwest::Client, ConfigError> {
        let mut builder = reqwest::Client::builder();

        #[cfg(feature = "tls")]
        if let Some(tls) = &self.config.tls {
            if let Some(ca_bytes) = &tls.ca_cert_bytes {
                let cert = reqwest::Certificate::from_pem(&ca_bytes)
                    .map_err(|e| ConfigError::Foreign(Box::new(e)))?;

                builder = builder.add_root_certificate(cert);
            }

            if let (Some(cert), Some(key)) = (&tls.client_cert, &tls.client_key) {
                let mut identity_bytes = cert.clone();
                identity_bytes.extend_from_slice(key);
                let identity = reqwest::Identity::from_pem(&identity_bytes)
                    .map_err(|e| ConfigError::Foreign(Box::new(e)))?;
                builder = builder.identity(identity);
            }

            if tls.danger_accept_invalid_certs {
                builder = builder.danger_accept_invalid_certs(true);
            }
        }

        builder
            .build()
            .map_err(|e| ConfigError::Foreign(Box::new(e)))
    }
}

impl Source for VaultSource {
    fn clone_into_box(&self) -> Box<dyn Source + Send + Sync> {
        Box::new(self.clone())
    }

    fn collect(&self) -> Result<Map<String, Value>, ConfigError> {
        let client = self.build_blocking_client()?;
        let url = self.build_read_url()?;
        let resp = client
            .get(url)
            .header("X-Vault-Token", &self.config.token)
            .send()
            .map_err(|e| ConfigError::Foreign(Box::new(e)))?;

        if !resp.status().is_success() {
            return Err(ConfigError::Message("Vault request failed".into()));
        }

        let raw: serde_json::Value = resp.json().map_err(|e| ConfigError::Foreign(Box::new(e)))?;
        let json_obj = raw
            .get("data")
            .and_then(|x| {
                if self.kv_version == KvVersion::V2 {
                    x.get("data")
                } else {
                    Some(x)
                }
            })
            .and_then(|x| x.as_object())
            .ok_or_else(|| ConfigError::Message("Vault response missing data".into()))?;

        let mut secret = std::collections::HashMap::new();
        flatten_json(
            "",
            &serde_json::Value::Object(json_obj.clone()),
            &mut secret,
        );
        Ok(secret)
    }
}

#[cfg(feature = "async")]
#[async_trait]
impl AsyncSource for VaultSource {
    async fn collect(&self) -> Result<Map<String, Value>, ConfigError> {
        let client = self.build_async_client()?;
        let url = self.build_read_url()?;
        let resp = client
            .get(url)
            .header("X-Vault-Token", &self.config.token)
            .send()
            .await
            .map_err(|e| ConfigError::Foreign(Box::new(e)))?;

        if !resp.status().is_success() {
            return Err(ConfigError::Message("Vault request failed".into()));
        }

        let raw: serde_json::Value = resp
            .json()
            .await
            .map_err(|e| ConfigError::Foreign(Box::new(e)))?;
        let json_obj = raw
            .get("data")
            .and_then(|x| {
                if self.kv_version == KvVersion::V2 {
                    x.get("data")
                } else {
                    Some(x)
                }
            })
            .and_then(|x| x.as_object())
            .ok_or_else(|| ConfigError::Message("Vault response missing data".into()))?;

        let mut secret = std::collections::HashMap::new();
        flatten_json(
            "",
            &serde_json::Value::Object(json_obj.clone()),
            &mut secret,
        );
        Ok(secret)
    }
}