corteq-onepassword 0.1.5

Secure 1Password SDK wrapper with FFI bindings for Rust applications
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420

//! Error types for the corteq-onepassword crate.
//!
//! All error types are designed to be informative while ensuring
//! sensitive data (tokens, secret values) is never included in error messages.

use thiserror::Error;

/// Result type alias using the crate's Error type.
pub type Result<T> = std::result::Result<T, Error>;

/// Errors that can occur when using the 1Password client.
///
/// Error messages are designed to be helpful for debugging while
/// ensuring that sensitive data (tokens, secret values) is never exposed.
#[derive(Error, Debug)]
pub enum Error {
    /// The `OP_SERVICE_ACCOUNT_TOKEN` environment variable is not set
    /// and no explicit token was provided via `from_token()`.
    #[error("missing authentication token: set OP_SERVICE_ACCOUNT_TOKEN or use from_token()")]
    MissingAuthToken,

    /// The provided token has an invalid format.
    #[error("invalid authentication token format")]
    InvalidToken,

    /// Authentication with 1Password failed.
    /// This typically means the token is expired or revoked.
    #[error("authentication failed: {message}")]
    AuthenticationFailed {
        /// A message describing the authentication failure (never contains the token).
        message: String,
    },

    /// Failed to establish or maintain the SDK session.
    #[error("session error: {message}")]
    SessionError {
        /// A message describing the session error.
        message: String,
    },

    /// The secret reference format is invalid.
    ///
    /// Valid format: `op://vault/item/field` or `op://vault/item/section/field`
    #[error("invalid secret reference '{reference}': {reason}")]
    InvalidReference {
        /// The invalid reference string (safe to display, contains no secrets).
        reference: String,
        /// The reason the reference is invalid.
        reason: String,
    },

    /// The requested secret was not found in 1Password.
    #[error("secret not found: {reference}")]
    SecretNotFound {
        /// The reference that was not found.
        reference: String,
    },

    /// Access to the specified vault was denied.
    /// This typically means the service account lacks permission for this vault.
    #[error("access denied to vault: {vault}")]
    AccessDenied {
        /// The vault name that access was denied to.
        vault: String,
    },

    /// A network error occurred while communicating with 1Password.
    #[error("network error: {message}")]
    NetworkError {
        /// A message describing the network error.
        message: String,
    },

    /// An error occurred in the underlying 1Password SDK.
    #[error("SDK error: {message}")]
    SdkError {
        /// A message describing the SDK error.
        message: String,
    },

    /// Failed to load the native 1Password library.
    #[error("failed to load native library: {message}")]
    LibraryLoadError {
        /// A message describing the library loading error.
        message: String,
    },

    /// JSON serialization or deserialization error.
    #[error("JSON error: {message}")]
    JsonError {
        /// A message describing the JSON error.
        message: String,
    },
}

impl Error {
    /// Check if this error is retriable (e.g., transient network issues).
    pub fn is_retriable(&self) -> bool {
        matches!(
            self,
            Error::NetworkError { .. } | Error::SessionError { .. }
        )
    }

    /// Check if this error indicates an authentication problem.
    pub fn is_auth_error(&self) -> bool {
        matches!(
            self,
            Error::MissingAuthToken
                | Error::InvalidToken
                | Error::AuthenticationFailed { .. }
                | Error::AccessDenied { .. }
        )
    }
}

impl From<serde_json::Error> for Error {
    fn from(err: serde_json::Error) -> Self {
        Error::JsonError {
            message: err.to_string(),
        }
    }
}

impl From<libloading::Error> for Error {
    fn from(err: libloading::Error) -> Self {
        Error::LibraryLoadError {
            message: err.to_string(),
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_error_is_send_sync() {
        fn assert_send_sync<T: Send + Sync>() {}
        assert_send_sync::<Error>();
    }

    #[test]
    fn test_error_display_no_secrets() {
        let error = Error::AuthenticationFailed {
            message: "token expired".to_string(),
        };
        let display = error.to_string();
        assert!(!display.contains("ops_"));
    }

    // ==========================================================================
    // is_retriable() tests
    // ==========================================================================

    #[test]
    fn test_is_retriable_network_error() {
        let error = Error::NetworkError {
            message: "connection reset".to_string(),
        };
        assert!(error.is_retriable());
    }

    #[test]
    fn test_is_retriable_session_error() {
        let error = Error::SessionError {
            message: "session expired".to_string(),
        };
        assert!(error.is_retriable());
    }

    #[test]
    fn test_is_retriable_non_retriable_errors() {
        // All these should NOT be retriable
        let non_retriable = vec![
            Error::MissingAuthToken,
            Error::InvalidToken,
            Error::AuthenticationFailed {
                message: "bad token".to_string(),
            },
            Error::InvalidReference {
                reference: "op://x".to_string(),
                reason: "too short".to_string(),
            },
            Error::SecretNotFound {
                reference: "op://vault/item/field".to_string(),
            },
            Error::AccessDenied {
                vault: "private".to_string(),
            },
            Error::SdkError {
                message: "internal".to_string(),
            },
            Error::LibraryLoadError {
                message: "not found".to_string(),
            },
            Error::JsonError {
                message: "parse error".to_string(),
            },
        ];

        for error in non_retriable {
            assert!(!error.is_retriable(), "{error:?} should not be retriable");
        }
    }

    // ==========================================================================
    // is_auth_error() tests
    // ==========================================================================

    #[test]
    fn test_is_auth_error_missing_token() {
        assert!(Error::MissingAuthToken.is_auth_error());
    }

    #[test]
    fn test_is_auth_error_invalid_token() {
        assert!(Error::InvalidToken.is_auth_error());
    }

    #[test]
    fn test_is_auth_error_auth_failed() {
        let error = Error::AuthenticationFailed {
            message: "token expired".to_string(),
        };
        assert!(error.is_auth_error());
    }

    #[test]
    fn test_is_auth_error_access_denied() {
        let error = Error::AccessDenied {
            vault: "private-vault".to_string(),
        };
        assert!(error.is_auth_error());
    }

    #[test]
    fn test_is_auth_error_non_auth_errors() {
        // All these should NOT be auth errors
        let non_auth = vec![
            Error::SessionError {
                message: "session expired".to_string(),
            },
            Error::InvalidReference {
                reference: "op://x".to_string(),
                reason: "too short".to_string(),
            },
            Error::SecretNotFound {
                reference: "op://vault/item/field".to_string(),
            },
            Error::NetworkError {
                message: "timeout".to_string(),
            },
            Error::SdkError {
                message: "internal".to_string(),
            },
            Error::LibraryLoadError {
                message: "not found".to_string(),
            },
            Error::JsonError {
                message: "parse error".to_string(),
            },
        ];

        for error in non_auth {
            assert!(!error.is_auth_error(), "{error:?} should not be auth error");
        }
    }

    // ==========================================================================
    // From implementations tests
    // ==========================================================================

    #[test]
    fn test_from_serde_json_error() {
        // Create an actual serde_json error by trying to parse invalid JSON
        let json_err = serde_json::from_str::<String>("not valid json").unwrap_err();
        let error: Error = json_err.into();

        assert!(matches!(error, Error::JsonError { .. }));
        let display = error.to_string();
        assert!(display.contains("JSON error"));
    }

    #[test]
    fn test_from_libloading_error() {
        // Create a libloading error by trying to load a non-existent library
        let lib_err =
            unsafe { libloading::Library::new("/nonexistent/path/to/lib.so") }.unwrap_err();
        let error: Error = lib_err.into();

        assert!(matches!(error, Error::LibraryLoadError { .. }));
        let display = error.to_string();
        assert!(display.contains("native library"));
    }

    // ==========================================================================
    // Display message tests
    // ==========================================================================

    #[test]
    fn test_error_display_missing_auth_token() {
        let error = Error::MissingAuthToken;
        let display = error.to_string();
        assert!(display.contains("missing authentication token"));
        assert!(display.contains("OP_SERVICE_ACCOUNT_TOKEN"));
    }

    #[test]
    fn test_error_display_invalid_token() {
        let error = Error::InvalidToken;
        let display = error.to_string();
        assert!(display.contains("invalid authentication token format"));
    }

    #[test]
    fn test_error_display_authentication_failed() {
        let error = Error::AuthenticationFailed {
            message: "token expired".to_string(),
        };
        let display = error.to_string();
        assert!(display.contains("authentication failed"));
        assert!(display.contains("token expired"));
    }

    #[test]
    fn test_error_display_session_error() {
        let error = Error::SessionError {
            message: "connection lost".to_string(),
        };
        let display = error.to_string();
        assert!(display.contains("session error"));
        assert!(display.contains("connection lost"));
    }

    #[test]
    fn test_error_display_invalid_reference() {
        let error = Error::InvalidReference {
            reference: "op://vault".to_string(),
            reason: "missing item and field".to_string(),
        };
        let display = error.to_string();
        assert!(display.contains("invalid secret reference"));
        assert!(display.contains("op://vault"));
        assert!(display.contains("missing item and field"));
    }

    #[test]
    fn test_error_display_secret_not_found() {
        let error = Error::SecretNotFound {
            reference: "op://vault/item/field".to_string(),
        };
        let display = error.to_string();
        assert!(display.contains("secret not found"));
        assert!(display.contains("op://vault/item/field"));
    }

    #[test]
    fn test_error_display_access_denied() {
        let error = Error::AccessDenied {
            vault: "private-vault".to_string(),
        };
        let display = error.to_string();
        assert!(display.contains("access denied"));
        assert!(display.contains("private-vault"));
    }

    #[test]
    fn test_error_display_network_error() {
        let error = Error::NetworkError {
            message: "connection timed out".to_string(),
        };
        let display = error.to_string();
        assert!(display.contains("network error"));
        assert!(display.contains("connection timed out"));
    }

    #[test]
    fn test_error_display_sdk_error() {
        let error = Error::SdkError {
            message: "internal SDK failure".to_string(),
        };
        let display = error.to_string();
        assert!(display.contains("SDK error"));
        assert!(display.contains("internal SDK failure"));
    }

    #[test]
    fn test_error_display_library_load_error() {
        let error = Error::LibraryLoadError {
            message: "library not found".to_string(),
        };
        let display = error.to_string();
        assert!(display.contains("native library"));
        assert!(display.contains("library not found"));
    }

    #[test]
    fn test_error_display_json_error() {
        let error = Error::JsonError {
            message: "unexpected token".to_string(),
        };
        let display = error.to_string();
        assert!(display.contains("JSON error"));
        assert!(display.contains("unexpected token"));
    }

    // ==========================================================================
    // Debug trait test
    // ==========================================================================

    #[test]
    fn test_error_debug_impl() {
        let error = Error::SdkError {
            message: "test".to_string(),
        };
        let debug_str = format!("{error:?}");
        assert!(debug_str.contains("SdkError"));
    }
}