aatxe-core 0.1.1

Core types, statistics, and comparison logic for aatxe. No IO.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106

//! Newtype wrapper for credentials.
//!
//! `String`-typed API keys and tokens leak through any accidental `Debug`
//! print — error messages, panic backtraces, third-party logging
//! middleware. Wrapping them in a [`Secret`] ensures the credential is
//! never serialised to a log: both `Debug` and `Display` print a fixed
//! redaction marker, and there is no `Deref` to `str`, so accessing the
//! underlying value requires an explicit [`Secret::reveal`] call that a
//! reader can grep for.
//!
//! `Secret` deliberately does **not** implement `Serialize`. The credential
//! is set in memory and used in HTTP headers; persisting it to disk is a
//! distinct decision the caller should have to make explicitly.

use std::fmt;

/// Opaque credential. Constructed from any string-like value; the only
/// way to read the contents back is [`Secret::reveal`].
#[derive(Clone, PartialEq, Eq)]
pub struct Secret(String);

impl Secret {
    /// Wrap a string as a credential.
    pub fn new(value: impl Into<String>) -> Self {
        Self(value.into())
    }

    /// Borrow the underlying credential as a `&str`. Use only where the
    /// value must be sent (HTTP header, command arg). Never log the result.
    pub fn reveal(&self) -> &str {
        &self.0
    }

    /// True when the credential is the empty string. Useful for "config
    /// missing" checks without needing to call `reveal`.
    pub fn is_empty(&self) -> bool {
        self.0.is_empty()
    }
}

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Secret(***)")
    }
}

impl fmt::Display for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("***")
    }
}

impl From<String> for Secret {
    fn from(s: String) -> Self {
        Self(s)
    }
}

impl From<&str> for Secret {
    fn from(s: &str) -> Self {
        Self(s.to_string())
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn debug_redacts_value() {
        let s = Secret::new("hunter2");
        assert_eq!(format!("{:?}", s), "Secret(***)");
        assert!(!format!("{:?}", s).contains("hunter2"));
    }

    #[test]
    fn display_redacts_value() {
        let s = Secret::new("hunter2");
        assert_eq!(format!("{}", s), "***");
    }

    #[test]
    fn reveal_returns_underlying_value() {
        let s = Secret::new("hunter2");
        assert_eq!(s.reveal(), "hunter2");
    }

    #[test]
    fn redaction_survives_nested_debug() {
        // A struct that derives Debug should still print the redacted form.
        #[derive(Debug)]
        #[allow(dead_code)] // fields are read via the derived Debug impl.
        struct Wrap {
            token: Secret,
            other: u32,
        }
        let w = Wrap {
            token: Secret::new("hunter2"),
            other: 42,
        };
        let printed = format!("{:?}", w);
        assert!(!printed.contains("hunter2"));
        assert!(printed.contains("Secret(***)"));
        assert!(printed.contains("42"));
    }
}