cuenv-secrets 0.40.6

Secret resolution and management for the cuenv ecosystem
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134

//! Command execution secret resolver

use crate::{SecretError, SecretResolver, SecretSpec};
use async_trait::async_trait;
use serde::{Deserialize, Serialize};
use serde_json::Value;
use std::collections::HashMap;
use tokio::process::Command;

/// Configuration for exec-based secret resolution
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
pub struct ExecSecretConfig {
    /// Command to execute
    pub command: String,

    /// Arguments to pass to the command
    #[serde(default)]
    pub args: Vec<String>,

    /// Additional fields for extensibility
    #[serde(flatten)]
    pub extra: HashMap<String, Value>,
}

impl ExecSecretConfig {
    /// Create a new exec secret config
    #[must_use]
    #[allow(dead_code)] // Used in tests; #[expect] incompatible with --all-targets
    pub fn new(command: impl Into<String>, args: Vec<String>) -> Self {
        Self {
            command: command.into(),
            args,
            extra: HashMap::new(),
        }
    }
}

/// Resolves secrets by executing commands
///
/// The `source` field in [`SecretSpec`] is interpreted as a JSON-encoded
/// [`ExecSecretConfig`], or as a simple command string if parsing fails.
#[derive(Debug, Clone, Default)]
pub struct ExecSecretResolver;

impl ExecSecretResolver {
    /// Create a new command execution resolver
    #[must_use]
    pub const fn new() -> Self {
        Self
    }

    /// Execute a command and return its output
    async fn execute_command(
        &self,
        name: &str,
        command: &str,
        args: &[String],
    ) -> Result<String, SecretError> {
        let output = Command::new(command)
            .args(args)
            .output()
            .await
            .map_err(|e| SecretError::ResolutionFailed {
                name: name.to_string(),
                message: format!("Failed to execute command '{command}': {e}"),
            })?;

        if !output.status.success() {
            let stderr = String::from_utf8_lossy(&output.stderr);
            return Err(SecretError::ResolutionFailed {
                name: name.to_string(),
                message: format!("Command '{command}' failed: {stderr}"),
            });
        }

        let stdout = String::from_utf8_lossy(&output.stdout);
        Ok(stdout.trim().to_string())
    }
}

#[async_trait]
impl SecretResolver for ExecSecretResolver {
    fn provider_name(&self) -> &'static str {
        "exec"
    }

    async fn resolve(&self, name: &str, spec: &SecretSpec) -> Result<String, SecretError> {
        // Try to parse source as JSON ExecSecretConfig
        if let Ok(config) = serde_json::from_str::<ExecSecretConfig>(&spec.source) {
            return self
                .execute_command(name, &config.command, &config.args)
                .await;
        }

        // Fallback: treat source as a simple command (shell expansion)
        self.execute_command(name, "sh", &["-c".to_string(), spec.source.clone()])
            .await
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[tokio::test]
    async fn test_exec_simple_command() {
        let resolver = ExecSecretResolver::new();
        let spec = SecretSpec::new("echo test_value");
        let result = resolver.resolve("test", &spec).await;

        assert_eq!(result.unwrap(), "test_value");
    }

    #[tokio::test]
    async fn test_exec_json_config() {
        let config = ExecSecretConfig::new("echo", vec!["json_value".to_string()]);
        let json_source = serde_json::to_string(&config).unwrap();

        let resolver = ExecSecretResolver::new();
        let spec = SecretSpec::new(json_source);
        let result = resolver.resolve("test", &spec).await;

        assert_eq!(result.unwrap(), "json_value");
    }

    #[tokio::test]
    async fn test_exec_command_failure() {
        let resolver = ExecSecretResolver::new();
        let spec = SecretSpec::new("exit 1");
        let result = resolver.resolve("test", &spec).await;

        assert!(matches!(result, Err(SecretError::ResolutionFailed { .. })));
    }
}