cellos-broker-env 0.5.0

Environment-variable SecretBroker for CellOS — resolves spec secretRefs from process env. Dev/CI default.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146

//! [`SecretBroker`] that reads `CELLOS_SECRET_<KEY>` from the process environment.
//!
//! Intended for CI runners and shell-level composition where the host or CI system
//! has already injected secrets as environment variables. For workload-identity (OIDC)
//! flows, use a dedicated OIDC broker crate instead.
//!
//! # Revocation
//!
//! `revoke_for_cell` is a documented no-op: environment variables cannot be unset from
//! a parent process after injection. Isolation relies on the cell model's teardown
//! semantics (cleared subprocess env, short TTLs) rather than runtime revocation.
//!
//! # Correlation propagation (Tranche-1 seam-freeze G1)
//!
//! This broker has no upstream session of its own (env vars are stamped before
//! the supervisor starts) and therefore returns `None` from
//! [`SecretBroker::broker_correlation_id`]. The supervisor falls back to the
//! operator-supplied `spec.correlation.correlationId` for cross-tool
//! correlation in that case. Future env-style brokers that observe a CI
//! workflow run ID (e.g. `GITHUB_RUN_ID`) MAY override `broker_correlation_id`
//! to thread that ID into every event the supervisor emits for the cell that
//! consumed the resolved secret.

use async_trait::async_trait;
use cellos_core::ports::SecretBroker;
use cellos_core::{CellosError, SecretView};

/// Resolves secrets from environment variables using the pattern `CELLOS_SECRET_<UPPER_KEY>`.
///
/// # Example
/// ```no_run
/// // Set in environment: CELLOS_SECRET_GITHUB_TOKEN=ghp_...
/// // Resolve with key: "GITHUB_TOKEN"
/// ```
pub struct EnvSecretBroker;

impl EnvSecretBroker {
    pub fn new() -> Self {
        Self
    }

    fn env_var_name(key: &str) -> String {
        format!("CELLOS_SECRET_{}", key.to_uppercase().replace('-', "_"))
    }

    /// Reject keys that would cause [`std::env::var`] to panic (NUL byte or
    /// ASCII `=`). The result `CELLOS_SECRET_<key>` is never empty, so the
    /// "empty key" panic case in `std::env::var` is unreachable here, but
    /// NUL and `=` would propagate from the operator-supplied `key` into
    /// the env-var name and crash the supervisor. Convert to a typed
    /// `CellosError::SecretBroker` instead.
    ///
    /// Note: the error message intentionally references only the key
    /// **name** the operator supplied, never any resolved value.
    fn validate_key(key: &str) -> Result<(), CellosError> {
        if key.is_empty() {
            return Err(CellosError::SecretBroker(
                "secret key must not be empty".into(),
            ));
        }
        if key.as_bytes().contains(&0) {
            return Err(CellosError::SecretBroker(
                "secret key must not contain NUL byte".into(),
            ));
        }
        if key.contains('=') {
            return Err(CellosError::SecretBroker(
                "secret key must not contain '=' character".into(),
            ));
        }
        Ok(())
    }
}

impl Default for EnvSecretBroker {
    fn default() -> Self {
        Self::new()
    }
}

#[async_trait]
impl SecretBroker for EnvSecretBroker {
    async fn resolve(
        &self,
        key: &str,
        _cell_id: &str,
        _ttl_seconds: u64,
    ) -> Result<SecretView, CellosError> {
        Self::validate_key(key)?;
        let var = Self::env_var_name(key);
        let value = std::env::var(&var).map_err(|_| {
            CellosError::SecretBroker(format!(
                "env var {var} not set (required for secret key {key:?})"
            ))
        })?;
        Ok(SecretView {
            key: key.to_string(),
            value: zeroize::Zeroizing::new(value),
        })
    }

    /// No-op — environment variables cannot be revoked at runtime.
    /// Isolation relies on cleared subprocess env and TTL-bound cell lifetime.
    async fn revoke_for_cell(&self, _cell_id: &str) -> Result<(), CellosError> {
        Ok(())
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[tokio::test]
    async fn resolves_present_key() {
        std::env::set_var("CELLOS_SECRET_TEST_TOKEN", "secret-value");
        let broker = EnvSecretBroker::new();
        let view = broker.resolve("TEST_TOKEN", "cell-1", 60).await.unwrap();
        assert_eq!(view.key, "TEST_TOKEN");
        assert_eq!(view.value.as_str(), "secret-value");
    }

    #[tokio::test]
    async fn errors_on_missing_key() {
        std::env::remove_var("CELLOS_SECRET_MISSING_KEY_XYZ");
        let broker = EnvSecretBroker::new();
        let err = broker
            .resolve("MISSING_KEY_XYZ", "cell-1", 60)
            .await
            .unwrap_err();
        assert!(err.to_string().contains("CELLOS_SECRET_MISSING_KEY_XYZ"));
    }

    #[tokio::test]
    async fn revoke_is_noop() {
        let broker = EnvSecretBroker::new();
        broker.revoke_for_cell("any-cell").await.unwrap();
    }

    #[tokio::test]
    async fn normalizes_hyphenated_key() {
        std::env::set_var("CELLOS_SECRET_MY_API_KEY", "tok");
        let broker = EnvSecretBroker::new();
        let view = broker.resolve("my-api-key", "cell-1", 60).await.unwrap();
        assert_eq!(view.value.as_str(), "tok");
    }
}