gaia-client 0.0.1-rc.9

Rust client library for Gaia secret management daemon
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226

use crate::config::GaiaClientConfig;
use crate::error::Result;
use crate::proto::gaia_client_client::GaiaClientClient;
use crate::proto::{
    GetSecretRequest, Namespace, Secret,
};
use crate::tls::create_tls_channel;
use tonic::transport::Channel;

/// Options for loading secrets into the environment.
#[derive(Debug, Clone, Default)]
pub struct LoadEnvOptions {
    /// Prefix to prepend to environment variable names.
    /// If strictly empty or None, no prefix is added.
    pub prefix: Option<String>,
    
    /// Whether to include the namespace in the environment variable name.
    pub use_namespace: bool,
}

impl LoadEnvOptions {
    /// Create new options with default values (key only).
    pub fn new() -> Self {
        Self::default()
    }

    /// Set the prefix.
    pub fn with_prefix(mut self, prefix: impl Into<String>) -> Self {
        self.prefix = Some(prefix.into());
        self
    }

    /// Set whether to use the namespace.
    pub fn with_namespace(mut self, use_namespace: bool) -> Self {
        self.use_namespace = use_namespace;
        self
    }
}

/// A client for interacting with the Gaia secret management daemon.
///
/// The client uses mutual TLS (mTLS) for secure communication and provides
/// methods to retrieve secrets and check daemon status.
pub struct GaiaClient {
    inner: GaiaClientClient<Channel>,
}

impl GaiaClient {
    /// Connects to the Gaia daemon using the provided configuration.
    ///
    /// # Arguments
    ///
    /// * `config` - Configuration containing server address and TLS certificates
    ///
    /// # Errors
    ///
    /// Returns an error if:
    /// - TLS certificates cannot be loaded
    /// - Connection to the daemon fails
    ///
    /// # Example
    ///
    /// ```no_run
    /// use gaia_client::{GaiaClient, GaiaClientConfig};
    ///
    /// #[tokio::main]
    /// async fn main() -> Result<(), Box<dyn std::error::Error>> {
    ///     let config = GaiaClientConfig::new(
    ///         "localhost:50051",
    ///         "/etc/gaia/certs/ca.crt",
    ///         "/etc/gaia/certs/client.crt",
    ///         "/etc/gaia/certs/client.key",
    ///     );
    ///
    ///     let client = GaiaClient::connect(config).await?;
    ///     Ok(())
    /// }
    /// ```
    pub async fn connect(config: GaiaClientConfig) -> Result<Self> {
        let channel = create_tls_channel(&config).await?;
        let inner = GaiaClientClient::new(channel);
        Ok(Self { inner })
    }

    /// Retrieves a secret from the specified namespace.
    ///
    /// # Arguments
    ///
    /// * `namespace` - The namespace containing the secret
    /// * `id` - The secret identifier
    ///
    /// # Errors
    ///
    /// Returns an error if:
    /// - The daemon is locked
    /// - The secret does not exist
    /// - A network error occurs
    ///
    /// # Example
    ///
    /// ```no_run
    /// # use gaia_client::{GaiaClient, GaiaClientConfig};
    /// # #[tokio::main]
    /// # async fn main() -> Result<(), Box<dyn std::error::Error>> {
    /// # let config = GaiaClientConfig::new("localhost:50051", "ca.crt", "client.crt", "client.key");
    /// # let mut client = GaiaClient::connect(config).await?;
    /// let secret = client.get_secret("production", "database_url").await?;
    /// println!("Secret: {}", secret.value);
    /// # Ok(())
    /// # }
    /// ```
    pub async fn get_secret(&mut self, namespace: &str, id: &str) -> Result<Secret> {
        let request = tonic::Request::new(GetSecretRequest {
            namespace: namespace.to_string(),
            id: id.to_string(),
        });

        let response = self.inner.get_secret(request).await?;
        Ok(response.into_inner())
    }









    /// Lists all secrets for the authenticated client.
    ///
    /// Returns secrets from the client's own namespaces plus the common namespace.
    /// If a namespace filter is provided, only secrets from that namespace are returned.
    ///
    /// # Arguments
    ///
    /// * `namespace` - Optional namespace filter
    ///
    /// # Example
    ///
    /// ```no_run
    /// # use gaia_client::{GaiaClient, GaiaClientConfig};
    /// # #[tokio::main]
    /// # async fn main() -> Result<(), Box<dyn std::error::Error>> {
    /// # let config = GaiaClientConfig::new("localhost:50051", "ca.crt", "client.crt", "client.key");
    /// # let mut client = GaiaClient::connect(config).await?;
    /// // Get all secrets (client's own + common)
    /// let all_secrets = client.list_secrets(None).await?;
    ///
    /// // Get only secrets from a specific namespace
    /// let prod_secrets = client.list_secrets(Some("production".to_string())).await?;
    ///
    /// for namespace in all_secrets {
    ///     println!("Namespace: {}", namespace.name);
    ///     for secret in namespace.secrets {
    ///         println!("  - {}: {}", secret.id, secret.value);
    ///     }
    /// }
    /// # Ok(())
    /// # }
    /// ```
    pub async fn list_secrets(&mut self, namespace: Option<String>) -> Result<Vec<Namespace>> {
        use crate::proto::ClientListSecretsRequest;

        let request = tonic::Request::new(ClientListSecretsRequest {
            namespace: namespace.unwrap_or_default(),
        });

        let response = self.inner.list_secrets(request).await?;
        Ok(response.into_inner().namespaces)
    }

    /// Fetches all accessible secrets and loads them into the current process's environment.
    ///
    /// By default, environment variables are named after the secret key, converted to uppercase
    /// with hyphens replaced by underscores. Optional prefix and namespace inclusion can be
    /// configured via `LoadEnvOptions`.
    ///
    /// # Arguments
    ///
    /// * `options` - Optional configuration for env var naming
    ///
    /// # Example
    ///
    /// ```no_run
    /// # use gaia_client::{GaiaClient, GaiaClientConfig, LoadEnvOptions};
    /// # #[tokio::main]
    /// # async fn main() -> Result<(), Box<dyn std::error::Error>> {
    /// # let config = GaiaClientConfig::new("localhost:50051", "ca.crt", "client.crt", "client.key");
    /// # let mut client = GaiaClient::connect(config).await?;
    /// // Load with default behavior (key only)
    /// client.load_env(None).await?;
    ///
    /// // Load with prefix and namespace: GAIA_PRODUCTION_DATABASE_URL
    /// client.load_env(Some(LoadEnvOptions::new().with_prefix("GAIA").with_namespace(true))).await?;
    /// # Ok(())
    /// # }
    /// ```
    pub async fn load_env(&mut self, options: Option<LoadEnvOptions>) -> Result<()> {
        let opts = options.unwrap_or_default();
        let namespaces = self.list_secrets(None).await?;

        for ns in namespaces {
            for secret in ns.secrets {
                let mut parts = Vec::new();

                if let Some(prefix) = &opts.prefix {
                    if !prefix.is_empty() {
                        parts.push(prefix.to_uppercase().replace("-", "_"));
                    }
                }

                if opts.use_namespace {
                    parts.push(ns.name.to_uppercase().replace("-", "_"));
                }

                parts.push(secret.id.to_uppercase().replace("-", "_"));

                let env_var_name = parts.join("_");
                std::env::set_var(env_var_name, secret.value);
            }
        }

        Ok(())
    }
}