earl 0.5.2

AI-safe CLI for AI agents
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149

use std::collections::BTreeMap;
use std::sync::{Arc, Mutex};

use std::time::Duration;

use anyhow::{Result, anyhow, bail};
use chrono::{DateTime, Utc};
use secrecy::{ExposeSecret, SecretString};
use serde::{Deserialize, Serialize};

use super::resolver::SecretResolver;

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SecretMetadata {
    pub key: String,
    pub created_at: DateTime<Utc>,
    pub updated_at: DateTime<Utc>,
}

#[derive(Debug, Clone, Serialize, Deserialize, Default)]
pub struct SecretIndex {
    pub keys: BTreeMap<String, SecretMetadata>,
}

impl SecretIndex {
    pub fn upsert(&mut self, key: &str) {
        let now = Utc::now();
        self.keys
            .entry(key.to_string())
            .and_modify(|meta| {
                meta.updated_at = now;
            })
            .or_insert_with(|| SecretMetadata {
                key: key.to_string(),
                created_at: now,
                updated_at: now,
            });
    }

    pub fn remove(&mut self, key: &str) {
        self.keys.remove(key);
    }

    pub fn list(&self) -> Vec<&SecretMetadata> {
        self.keys.values().collect()
    }

    pub fn get(&self, key: &str) -> Option<&SecretMetadata> {
        self.keys.get(key)
    }
}

pub trait SecretStore {
    fn set_secret(&self, key: &str, secret: SecretString) -> Result<()>;
    fn get_secret(&self, key: &str) -> Result<Option<SecretString>>;
    fn delete_secret(&self, key: &str) -> Result<bool>;
}

#[derive(Debug, Clone, Default)]
pub struct InMemorySecretStore {
    values: Arc<Mutex<BTreeMap<String, String>>>,
}

impl SecretStore for InMemorySecretStore {
    fn set_secret(&self, key: &str, secret: SecretString) -> Result<()> {
        let mut values = self
            .values
            .lock()
            .map_err(|_| anyhow!("in-memory secret store mutex poisoned"))?;
        values.insert(key.to_string(), secret.expose_secret().to_string());
        Ok(())
    }

    fn get_secret(&self, key: &str) -> Result<Option<SecretString>> {
        let values = self
            .values
            .lock()
            .map_err(|_| anyhow!("in-memory secret store mutex poisoned"))?;
        Ok(values.get(key).map(|v| SecretString::new(v.clone().into())))
    }

    fn delete_secret(&self, key: &str) -> Result<bool> {
        let mut values = self
            .values
            .lock()
            .map_err(|_| anyhow!("in-memory secret store mutex poisoned"))?;
        Ok(values.remove(key).is_some())
    }
}

/// Check whether an error message suggests a transient failure worth retrying.
///
/// Note: AWS SDK has its own internal retry logic (3 attempts by default).
/// Earl's retry here is intentionally coarse-grained and covers all providers
/// uniformly, so AWS secrets may see up to 9 total attempts (3 Earl x 3 SDK).
fn is_transient(err: &anyhow::Error) -> bool {
    // Use alternate Display (`{:#}`) to inspect the full error chain,
    // not just the outermost .with_context() wrapper.
    let msg = format!("{:#}", err).to_lowercase();
    msg.contains("timeout")
        || msg.contains("timed out")
        || msg.contains("connection reset")
        || msg.contains("connection refused")
        || msg.contains("broken pipe")
        || msg.contains("http 500")
        || msg.contains("http 502")
        || msg.contains("http 503")
        || msg.contains("http 504")
        || msg.contains("http 429")
        // vaultrs and other libraries may format as "status code 503" etc.
        || msg.contains("status code 500")
        || msg.contains("status code 502")
        || msg.contains("status code 503")
        || msg.contains("status code 504")
        || msg.contains("status code 429")
}

pub fn require_secret(
    store: &dyn SecretStore,
    resolvers: &[Box<dyn SecretResolver>],
    key: &str,
) -> Result<String> {
    // URI-prefixed keys dispatch to the matching resolver
    if let Some((scheme, _)) = key.split_once("://") {
        for resolver in resolvers {
            if resolver.scheme() == scheme {
                let max_attempts: u32 = 3;
                let backoff_base = Duration::from_millis(500);
                for attempt in 1..=max_attempts {
                    match resolver.resolve(key) {
                        Ok(secret) => return Ok(secret.expose_secret().to_string()),
                        Err(err) if attempt < max_attempts && is_transient(&err) => {
                            std::thread::sleep(backoff_base * attempt);
                            continue;
                        }
                        Err(err) => return Err(err),
                    }
                }
                unreachable!("retry loop should have returned");
            }
        }
        bail!("no secret resolver registered for scheme `{scheme}://`");
    }
    // Plain keys fall back to the keychain store
    let secret = store
        .get_secret(key)?
        .ok_or_else(|| anyhow!("missing required secret `{key}`"))?;
    Ok(secret.expose_secret().to_string())
}