arbiter_credential/provider.rs
//! The `CredentialProvider` trait and supporting types.
//!
//! Every credential backend (file, env-var, vault, etc.) implements this trait
//! so the injection middleware can resolve references without knowing the
//! storage details.
6
7use async_trait::async_trait;
8use chrono::{DateTime, Utc};
9use secrecy::SecretString;
10use serde::{Deserialize, Serialize};
11
12use crate::error::CredentialError;
13
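/// Metadata about a single credential reference.
///
/// This type is deliberately metadata only: it carries the lookup name, the
/// owning provider and the last rotation time, never the secret value itself.
/// That is why deriving `Debug` and `Serialize` here is safe, whereas resolved
/// values travel as [`SecretString`] (see [`CredentialProvider::resolve`]).
///
/// `PartialEq`/`Eq` are derived so references can be compared and
/// de-duplicated (e.g. when merging `list_refs` output from several providers).
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct CredentialRef {
    /// The reference name used to look up this credential.
    pub name: String,

    /// Which provider owns this credential ("file", "env", "vault", etc.).
    pub provider: String,

    /// When the credential was last rotated, if known.
    ///
    /// `None` means the rotation time is not known to the provider; callers
    /// enforcing a rotation policy should not treat it as "recently rotated".
    pub last_rotated: Option<DateTime<Utc>>,
}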
26
/// A provider capable of resolving credential references to their secret values.
///
/// Resolved values are returned as [`SecretString`] to ensure they are zeroized
/// on drop and never accidentally logged via `Debug` or `Display`.
///
/// Implementations are shared across tasks (`Send + Sync`). They should not
/// copy a resolved secret into log output or into the [`CredentialError`] they
/// return, since the error value is the one thing that leaves the
/// [`SecretString`] wrapper.
#[async_trait]
pub trait CredentialProvider: Send + Sync {
    /// Resolve a reference name to the corresponding secret value.
    ///
    /// `reference` is the lookup name (see [`CredentialRef::name`]) as supplied
    /// by the caller and should be treated as untrusted input by backends that
    /// turn it into a path, key or query.
    ///
    /// # Errors
    ///
    /// Returns a [`CredentialError`] when the reference cannot be resolved, for
    /// example because it is unknown or the backend is unavailable.
    async fn resolve(&self, reference: &str) -> Result<SecretString, CredentialError>;

    /// List all credential references available from this provider.
    ///
    /// Only metadata ([`CredentialRef`]) is returned, never secret material.
    ///
    /// # Errors
    ///
    /// Returns a [`CredentialError`] if the backend cannot enumerate its
    /// references.
    async fn list_refs(&self) -> Result<Vec<CredentialRef>, CredentialError>;
}
38}