dugout 0.1.0

A local secrets manager for development teams, written in Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145

//! Age encryption backend implementation.
//!
//! Provides encryption/decryption using the age format with x25519 keys
//! and ASCII armor encoding.

use std::io::{Read, Write};

use ::age::x25519;
use tracing::trace;

use super::Cipher;
use crate::error::{CipherError, Result};

/// Age-based cryptographic backend using x25519 keys
pub struct Age;

impl Cipher for Age {
    type Recipient = x25519::Recipient;
    type Identity = x25519::Identity;

    fn name(&self) -> &'static str {
        "age"
    }

    fn encrypt(&self, plaintext: &str, recipients: &[x25519::Recipient]) -> Result<String> {
        trace!(
            recipients = recipients.len(),
            plaintext_len = plaintext.len(),
            "encrypting"
        );

        let encryptor =
            age::Encryptor::with_recipients(recipients.iter().map(|r| r as &dyn age::Recipient))
                .map_err(|e| CipherError::EncryptionFailed(format!("{}", e)))?;

        let mut encrypted = Vec::new();
        let mut writer = encryptor
            .wrap_output(age::armor::ArmoredWriter::wrap_output(
                &mut encrypted,
                age::armor::Format::AsciiArmor,
            )?)
            .map_err(|e| CipherError::EncryptionFailed(format!("{}", e)))?;

        writer.write_all(plaintext.as_bytes())?;
        let armored = writer
            .finish()
            .map_err(|e| CipherError::EncryptionFailed(format!("{}", e)))?;
        armored
            .finish()
            .map_err(|e| CipherError::ArmorFailed(format!("{}", e)))?;

        trace!(ciphertext_len = encrypted.len(), "encrypted");

        String::from_utf8(encrypted)
            .map_err(|e| CipherError::EncryptionFailed(format!("UTF-8 error: {}", e)).into())
    }

    fn decrypt(&self, encrypted: &str, identity: &x25519::Identity) -> Result<String> {
        trace!(ciphertext_len = encrypted.len(), "decrypting");

        let reader = age::armor::ArmoredReader::new(encrypted.as_bytes());
        let decryptor = age::Decryptor::new(reader)
            .map_err(|e| CipherError::DecryptionFailed(format!("{}", e)))?;

        let mut decrypted = Vec::new();
        let mut reader = decryptor
            .decrypt(std::iter::once(identity as &dyn age::Identity))
            .map_err(|e| CipherError::DecryptionFailed(format!("{}", e)))?;

        reader.read_to_end(&mut decrypted)?;

        trace!(plaintext_len = decrypted.len(), "decrypted");

        String::from_utf8(decrypted)
            .map_err(|e| CipherError::DecryptionFailed(format!("UTF-8 error: {}", e)).into())
    }
}

/// Parse a public key string into an age recipient
///
/// # Errors
///
/// Returns `CipherError::InvalidPublicKey` if the key format is invalid.
pub fn parse_recipient(key: &str) -> Result<x25519::Recipient> {
    key.parse::<x25519::Recipient>()
        .map_err(|_| CipherError::InvalidPublicKey(key.to_string()).into())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_encrypt_decrypt_roundtrip() {
        let cipher = Age;
        let identity = x25519::Identity::generate();
        let recipient = identity.to_public();

        let plaintext = "Hello, World!";
        let encrypted = cipher.encrypt(plaintext, &[recipient]).unwrap();

        assert_ne!(encrypted, plaintext);
        assert!(encrypted.contains("-----BEGIN AGE ENCRYPTED FILE-----"));

        let decrypted = cipher.decrypt(&encrypted, &identity).unwrap();
        assert_eq!(decrypted, plaintext);
    }

    #[test]
    fn test_encrypt_decrypt_large_payload() {
        let cipher = Age;
        let identity = x25519::Identity::generate();
        let recipient = identity.to_public();

        // Create a large payload (10KB)
        let plaintext = "A".repeat(10_000);
        let encrypted = cipher.encrypt(&plaintext, &[recipient]).unwrap();

        let decrypted = cipher.decrypt(&encrypted, &identity).unwrap();
        assert_eq!(decrypted, plaintext);
        assert_eq!(decrypted.len(), 10_000);
    }

    #[test]
    fn test_encrypt_with_multiple_recipients() {
        let cipher = Age;

        let identity1 = x25519::Identity::generate();
        let identity2 = x25519::Identity::generate();
        let recipient1 = identity1.to_public();
        let recipient2 = identity2.to_public();

        let plaintext = "Shared secret";
        let encrypted = cipher
            .encrypt(plaintext, &[recipient1, recipient2])
            .unwrap();

        // Both identities should be able to decrypt
        let decrypted1 = cipher.decrypt(&encrypted, &identity1).unwrap();
        assert_eq!(decrypted1, plaintext);

        let decrypted2 = cipher.decrypt(&encrypted, &identity2).unwrap();
        assert_eq!(decrypted2, plaintext);
    }
}