fn0-worker 0.3.27

Worker binary for the fn0 FaaS platform
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100

use anyhow::{Result, anyhow};
use base64::Engine;
use oci_rust_sdk::auth::{RequestSigner, SimpleAuthProvider, SimpleAuthProviderRequiredFields};
use serde::{Deserialize, Serialize};
use std::sync::Arc;

#[derive(Clone)]
pub struct VaultClient {
    crypto_endpoint: String,
    key_ocid: String,
    signer: Arc<RequestSigner>,
    client: reqwest::Client,
}

#[derive(Serialize)]
struct DecryptRequest<'a> {
    ciphertext: &'a str,
    #[serde(rename = "keyId")]
    key_id: &'a str,
}

#[derive(Deserialize)]
struct DecryptResponse {
    plaintext: String,
}

impl VaultClient {
    pub fn from_env() -> Result<Self> {
        let crypto_endpoint = std::env::var("FN0_VAULT_CRYPTO_ENDPOINT")
            .map_err(|_| anyhow!("FN0_VAULT_CRYPTO_ENDPOINT is required"))?;
        let key_ocid = std::env::var("FN0_VAULT_KEY_OCID")
            .map_err(|_| anyhow!("FN0_VAULT_KEY_OCID is required"))?;
        let tenancy = std::env::var("FN0_VAULT_OCI_TENANCY_ID")
            .map_err(|_| anyhow!("FN0_VAULT_OCI_TENANCY_ID is required"))?;
        let user = std::env::var("FN0_VAULT_OCI_USER_ID")
            .map_err(|_| anyhow!("FN0_VAULT_OCI_USER_ID is required"))?;
        let fingerprint = std::env::var("FN0_VAULT_OCI_FINGERPRINT")
            .map_err(|_| anyhow!("FN0_VAULT_OCI_FINGERPRINT is required"))?;
        let private_key_b64 = std::env::var("FN0_VAULT_OCI_PRIVATE_KEY_BASE64")
            .map_err(|_| anyhow!("FN0_VAULT_OCI_PRIVATE_KEY_BASE64 is required"))?;
        let private_key_pem = String::from_utf8(
            base64::engine::general_purpose::STANDARD
                .decode(private_key_b64.as_bytes())
                .map_err(|e| anyhow!("vault private key base64: {e}"))?,
        )
        .map_err(|e| anyhow!("vault private key utf8: {e}"))?;

        let provider: Arc<SimpleAuthProvider> = Arc::new(
            SimpleAuthProvider::builder(SimpleAuthProviderRequiredFields {
                tenancy,
                user,
                fingerprint,
                private_key: private_key_pem,
            })
            .build(),
        );
        let signer = Arc::new(
            RequestSigner::new(provider as Arc<dyn oci_rust_sdk::auth::AuthProvider>)
                .map_err(|e| anyhow!("vault signer init: {e:?}"))?,
        );

        Ok(Self {
            crypto_endpoint,
            key_ocid,
            signer,
            client: reqwest::Client::new(),
        })
    }

    pub async fn decrypt(&self, ciphertext_b64: &str) -> Result<Vec<u8>> {
        let body = serde_json::to_vec(&DecryptRequest {
            ciphertext: ciphertext_b64,
            key_id: &self.key_ocid,
        })?;

        let url_str = format!(
            "{}/20180608/decrypt",
            self.crypto_endpoint.trim_end_matches('/')
        );
        let url = url::Url::parse(&url_str).map_err(|e| anyhow!("vault url parse: {e}"))?;

        let mut headers = reqwest::header::HeaderMap::new();
        self.signer
            .sign_request("POST", &url, &mut headers, Some(&body))
            .map_err(|e| anyhow!("vault sign: {e:?}"))?;

        let resp = self
            .client
            .post(url)
            .headers(headers)
            .body(body)
            .send()
            .await?;
        let resp = resp.error_for_status()?;
        let parsed: DecryptResponse = resp.json().await?;
        base64::engine::general_purpose::STANDARD
            .decode(parsed.plaintext.as_bytes())
            .map_err(|e| anyhow!("vault decrypt response base64: {e}"))
    }
}