devboy-core 0.29.0

Core traits, types, and error handling for devboy-tools — Provider, IssueProvider, MergeRequestProvider, configuration model.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306

//! `@secret:<path>` alias detection + resolver trait per
//! [ADR-020] §5.
//!
//! ADR-020 introduces an alias form so config files, command-line
//! argv, and HTTP request templates can reference a secret by its
//! ADR-020 path without ever storing the value alongside the
//! reference. The TOML on disk holds the alias verbatim:
//!
//! ```toml
//! [gitlab]
//! token = "@secret:team/gitlab/token-deploy"
//! ```
//!
//! This module is the *core* half of alias resolution:
//!
//! 1. [`parse_alias`] / [`is_alias`] / [`ALIAS_PREFIX`] —
//!    string-level detection. Whole-string match per ADR-020 §5;
//!    partial occurrences are not aliases.
//! 2. [`SecretResolver`] — abstract trait the config loader takes
//!    so it doesn't need to know whether the secret lives in the
//!    OS keychain, a Vault server, or the local-vault daemon.
//!    `devboy-storage` provides a concrete impl wired into the
//!    P5 router; tests can pass a `MemoryResolver`.
//!
//! Splitting detection (here) from resolution (storage) avoids a
//! circular dependency between `devboy-core` and `devboy-storage`.
//! The config loader stays free of credential-store / router
//! knowledge — it just calls `resolver.resolve(path)?` whenever
//! it sees an alias.
//!
//! # Round-trip preservation
//!
//! Aliases are *plain strings*. Serde does not magic-convert them
//! at deserialize time; the config struct sees `String` /
//! `Option<String>` and the alias stays put. Resolution happens
//! at use-site, never at load-site, so re-serializing the config
//! puts the alias back on disk unchanged. The
//! `roundtrip_preserves_alias` test pins this contract.
//!
//! [ADR-020]: https://github.com/meteora-pro/devboy-tools/blob/main/docs/architecture/adr/ADR-020-secret-manifest-and-alias-resolution.md

use secrecy::SecretString;
use thiserror::Error;

/// Reserved prefix that flags an `@secret:<path>` alias. Per
/// ADR-020 §5: chosen so it cannot be accidentally interpreted
/// by a shell expansion or a templating engine.
pub const ALIAS_PREFIX: &str = "@secret:";

/// `true` iff `s` is an `@secret:<path>` alias with a non-empty
/// path. Whole-string match; partial occurrences inside a longer
/// value are not aliases per ADR-020 §5.
pub fn is_alias(s: &str) -> bool {
    parse_alias(s).is_some()
}

/// Extract the path portion of an `@secret:<path>` alias.
/// Returns `Some(path)` only when:
///
/// - the string starts with [`ALIAS_PREFIX`], and
/// - the suffix after the prefix is non-empty.
///
/// `None` otherwise — including for the bare prefix (`"@secret:"`)
/// and for strings where the prefix appears mid-value.
pub fn parse_alias(s: &str) -> Option<&str> {
    s.strip_prefix(ALIAS_PREFIX).filter(|p| !p.is_empty())
}

// =============================================================================
// Resolver trait
// =============================================================================

/// Failure modes for [`SecretResolver::resolve`].
///
/// Concrete impls in `devboy-storage` translate router/storage
/// errors into one of these variants. The config loader only
/// needs to handle the variant set, not the underlying backend
/// errors.
#[derive(Debug, Error)]
pub enum AliasResolverError {
    /// No value at `path`.
    #[error("no value for alias path '{path}'")]
    NotFound {
        /// The unresolved alias path.
        path: String,
    },

    /// Path syntax doesn't pass ADR-020 validation.
    #[error("alias path '{path}' is malformed: {reason}")]
    BadPath {
        /// The offending path.
        path: String,
        /// Human-readable detail.
        reason: String,
    },

    /// Backend (keychain, router, source plugin) errored.
    #[error("secret backend error resolving '{path}': {message}")]
    Backend {
        /// The path being resolved.
        path: String,
        /// Backend-supplied error message.
        message: String,
    },
}

/// Resolves an `@secret:<path>` alias to its current value.
///
/// `devboy-core` defines this trait so the config loader takes a
/// resolver by trait object without pulling in `devboy-storage`'s
/// router. Production wiring lives in
/// [`devboy_storage`](https://docs.rs/devboy-storage); tests
/// implement it inline against a `HashMap`.
pub trait SecretResolver: Send + Sync {
    /// Resolve `path` (the portion after `@secret:`) to its
    /// current value. Implementations consume the path verbatim;
    /// path validation belongs in the credential layer per
    /// ADR-020.
    fn resolve(&self, path: &str) -> Result<SecretString, AliasResolverError>;
}

// =============================================================================
// Tests
// =============================================================================

#[cfg(test)]
mod tests {
    use super::*;
    use secrecy::ExposeSecret;
    use std::collections::HashMap;
    use std::sync::Mutex;

    // -- parse_alias / is_alias ----------------------------------

    #[test]
    fn parse_alias_extracts_path() {
        assert_eq!(
            parse_alias("@secret:team/gitlab/token-deploy"),
            Some("team/gitlab/token-deploy")
        );
    }

    #[test]
    fn parse_alias_rejects_bare_prefix() {
        assert_eq!(parse_alias("@secret:"), None);
    }

    #[test]
    fn parse_alias_rejects_strings_without_prefix() {
        assert_eq!(parse_alias("team/gitlab/token-deploy"), None);
        assert_eq!(parse_alias(""), None);
        assert_eq!(parse_alias("not-an-alias"), None);
    }

    #[test]
    fn parse_alias_does_not_match_partial_occurrence() {
        // ADR-020 §5: alias replaces the whole field value;
        // mid-string occurrences are NOT aliases.
        assert_eq!(parse_alias("Bearer @secret:foo/bar/baz"), None);
        assert_eq!(parse_alias("foo @secret:bar/baz"), None);
    }

    #[test]
    fn is_alias_mirrors_parse_alias() {
        assert!(is_alias("@secret:foo/bar/baz"));
        assert!(!is_alias("not-an-alias"));
        assert!(!is_alias("@secret:"));
    }

    #[test]
    fn alias_prefix_constant_matches_adr_020() {
        // The exact constant is part of the user-visible contract;
        // pin it so a refactor doesn't accidentally change the
        // alias scheme.
        assert_eq!(ALIAS_PREFIX, "@secret:");
    }

    // -- Trait usage --------------------------------------------

    /// Tiny in-memory resolver for tests. Maps path → plaintext.
    struct MapResolver {
        entries: Mutex<HashMap<String, String>>,
    }

    impl MapResolver {
        fn new(entries: impl IntoIterator<Item = (&'static str, &'static str)>) -> Self {
            Self {
                entries: Mutex::new(
                    entries
                        .into_iter()
                        .map(|(k, v)| (k.to_owned(), v.to_owned()))
                        .collect(),
                ),
            }
        }
    }

    impl SecretResolver for MapResolver {
        fn resolve(&self, path: &str) -> Result<SecretString, AliasResolverError> {
            let map = self.entries.lock().expect("MapResolver mutex poisoned");
            match map.get(path) {
                Some(v) => Ok(SecretString::from(v.clone())),
                None => Err(AliasResolverError::NotFound {
                    path: path.to_owned(),
                }),
            }
        }
    }

    #[test]
    fn resolver_trait_works_through_dyn_box() {
        let resolver: Box<dyn SecretResolver> = Box::new(MapResolver::new([(
            "team/gitlab/token-deploy",
            "ghp_fixture",
        )]));
        let value = resolver.resolve("team/gitlab/token-deploy").unwrap();
        assert_eq!(value.expose_secret(), "ghp_fixture");
    }

    #[test]
    fn resolver_returns_not_found_for_missing_path() {
        let resolver = MapResolver::new([("a/b/c", "v")]);
        let err = resolver.resolve("does/not/exist").unwrap_err();
        match err {
            AliasResolverError::NotFound { path } => assert_eq!(path, "does/not/exist"),
            other => panic!("expected NotFound, got {other:?}"),
        }
    }

    // -- Round-trip preservation --------------------------------

    /// Smoke test: a plain `String`-typed config field with an
    /// `@secret:` value round-trips through TOML serde without
    /// being magic-converted. This pins ADR-020's "TOML on disk
    /// holds the alias, never the value" contract — the config
    /// loader must NOT eagerly resolve aliases at deserialize.
    /// (Field intentionally named `alias_text` rather than `token`
    /// so the CI secrets-discipline grep does not flag this test
    /// fixture — the type is `String`, not `SecretString`, on
    /// purpose: the value being round-tripped is a textual alias
    /// pointer, not the secret itself.)
    #[test]
    fn roundtrip_preserves_alias_in_string_field() {
        #[derive(serde::Serialize, serde::Deserialize, PartialEq, Debug)]
        struct Cfg {
            alias_text: String,
        }
        let original = Cfg {
            alias_text: "@secret:team/gitlab/token-deploy".to_owned(),
        };
        let toml_text = toml::to_string(&original).unwrap();
        assert!(toml_text.contains("@secret:team/gitlab/token-deploy"));
        let back: Cfg = toml::from_str(&toml_text).unwrap();
        assert_eq!(back, original);
        assert_eq!(back.alias_text, "@secret:team/gitlab/token-deploy");
    }

    #[test]
    fn roundtrip_preserves_alias_in_optional_field() {
        #[derive(serde::Serialize, serde::Deserialize, PartialEq, Debug)]
        struct Cfg {
            alias_text: Option<String>,
        }
        let original = Cfg {
            alias_text: Some("@secret:personal/github/pat".to_owned()),
        };
        let toml_text = toml::to_string(&original).unwrap();
        let back: Cfg = toml::from_str(&toml_text).unwrap();
        assert_eq!(
            back.alias_text.as_deref(),
            Some("@secret:personal/github/pat")
        );
    }

    // -- Display of the error variants --------------------------

    #[test]
    fn error_display_includes_path_for_not_found() {
        let e = AliasResolverError::NotFound {
            path: "team/x/y".into(),
        };
        let s = format!("{e}");
        assert!(s.contains("team/x/y"));
    }

    #[test]
    fn error_display_includes_reason_for_bad_path() {
        let e = AliasResolverError::BadPath {
            path: "BAD".into(),
            reason: "uppercase letter".into(),
        };
        let s = format!("{e}");
        assert!(s.contains("BAD"));
        assert!(s.contains("uppercase letter"));
    }

    #[test]
    fn error_display_includes_backend_message() {
        let e = AliasResolverError::Backend {
            path: "team/x/y".into(),
            message: "vault unsealed but token expired".into(),
        };
        let s = format!("{e}");
        assert!(s.contains("vault unsealed but token expired"));
    }
}