ferrule-config 0.2.0-alpha

Connection registry, profiles, and the layered credential-resolution stack (CLI flag / env / OS keyring / file via hasp) for the ferrule database CLI.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139

use hasp::Store;
use secrecy::SecretString;

/// Resolve credentials through the hasp unified stack.
///
/// Resolution order:
/// 1. `explicit` (CLI `--password` flag)
/// 2. `password_url` via `hasp::Store::get()`
/// 3. `env://FERRULE_{NAME}_PASSWORD` via hasp
/// 4. `keyring://ferrule/{name}` via hasp
///
/// Returns `Ok(None)` when no credential is found so the caller can
/// fall back to an interactive prompt.
pub fn resolve_password_stack(
    name: &str,
    explicit: Option<SecretString>,
    password_url: Option<&str>,
) -> Result<Option<SecretString>, crate::error::ConfigError> {
    if let Some(pwd) = explicit {
        return Ok(Some(pwd));
    }

    let store = Store::with_defaults();

    // 2. password_url from profile
    if let Some(url) = password_url {
        match store.get(url) {
            Ok(secret) => return Ok(Some(secret)),
            Err(ref e) => {
                if let Some(err) = warn_or_fail(url, e) {
                    return Err(err);
                }
            }
        }
    }

    // 3. Legacy env var via hasp
    let env_url = format!(
        "env://FERRULE_{}_PASSWORD",
        name.to_ascii_uppercase().replace('-', "_")
    );
    match store.get(&env_url) {
        Ok(secret) => return Ok(Some(secret)),
        Err(ref e) => {
            if let Some(err) = warn_or_fail(&env_url, e) {
                return Err(err);
            }
        }
    }

    // 4. OS keyring via hasp
    let keyring_url = format!("keyring://ferrule/{}", name);
    match store.get(&keyring_url) {
        Ok(secret) => return Ok(Some(secret)),
        Err(ref e) => {
            if let Some(err) = warn_or_fail(&keyring_url, e) {
                return Err(err);
            }
        }
    }

    Ok(None)
}

fn warn_or_fail(url: &str, err: &hasp::Error) -> Option<crate::error::ConfigError> {
    match err {
        hasp::Error::NotFound(_) => None,
        hasp::Error::PermissionDenied(_) => {
            eprintln!("Warning: hasp permission denied for {}", url);
            None
        }
        hasp::Error::AuthenticationFailed(_) => {
            eprintln!("Warning: hasp authentication failed for {}", url);
            None
        }
        e if e.is_transient() => {
            eprintln!("Warning: hasp transient failure for {}, retrying...", url);
            None
        }
        hasp::Error::InvalidUrl(msg) => Some(crate::error::ConfigError::HaspError(format!(
            "invalid hasp URL '{}': {}",
            url, msg
        ))),
        hasp::Error::UrlParse(e) => Some(crate::error::ConfigError::HaspError(format!(
            "invalid hasp URL '{}': {}",
            url, e
        ))),
        e => {
            eprintln!("Warning: hasp lookup failed for {}: {}", url, e);
            None
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use secrecy::ExposeSecret;

    #[test]
    fn explicit_password_returned_immediately() {
        let secret = SecretString::new("hunter2".into());
        let result = resolve_password_stack(
            "prod",
            Some(secret.clone()),
            Some("env://SHOULD_NOT_BE_READ"),
        );
        assert_eq!(result.unwrap().unwrap().expose_secret(), "hunter2");
    }

    #[test]
    fn password_url_resolved_via_hasp_env() {
        std::env::set_var("FERRULE_TEST_HASP_PWD", "from_env");
        let result = resolve_password_stack("test", None, Some("env://FERRULE_TEST_HASP_PWD"));
        assert_eq!(result.unwrap().unwrap().expose_secret(), "from_env");
        std::env::remove_var("FERRULE_TEST_HASP_PWD");
    }

    #[test]
    fn legacy_env_var_via_hasp() {
        std::env::set_var("FERRULE_LEGACY_ENV_PASSWORD", "legacy");
        let result = resolve_password_stack("legacy-env", None, None);
        assert_eq!(result.unwrap().unwrap().expose_secret(), "legacy");
        std::env::remove_var("FERRULE_LEGACY_ENV_PASSWORD");
    }

    #[test]
    fn not_found_falls_through_to_none() {
        std::env::remove_var("FERRULE_NONEXISTENT_PASSWORD");
        let result = resolve_password_stack("nonexistent", None, None).unwrap();
        assert!(result.is_none());
    }

    #[test]
    fn invalid_password_url_returns_error() {
        let result = resolve_password_stack("test", None, Some("not-a-url"));
        assert!(result.is_err());
    }
}