gman 0.5.0

Universal command line secret management and injection tool
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145

use std::sync::Arc;

use azure_core::credentials::TokenCredential;
use azure_identity::DeveloperToolsCredential;
use azure_security_keyvault_secrets::models::SetSecretParameters;
use azure_security_keyvault_secrets::{ResourceExt, SecretClient};
use futures::TryStreamExt;
use serde::{Deserialize, Serialize};
use serde_with::skip_serializing_none;
use validator::Validate;

use crate::providers::SecretProvider;
use crate::providers::error::{SecretError, classify_azure_error};

const PROVIDER: &str = "azure_key_vault";

#[skip_serializing_none]
/// Configuration for Azure Key Vault provider
/// See [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/)
/// for more information.
///
/// This provider stores secrets in Azure Key Vault. It requires
/// a vault name to be specified.
///
/// Example
/// ```no_run
/// use gman::providers::{SecretProvider, SupportedProvider};
/// use gman::config::{Config, ProviderConfig};
/// use gman::providers::azure_key_vault::AzureKeyVaultProvider;
///
/// let provider = AzureKeyVaultProvider {
/// 	vault_name: Some("my-vault-name".to_string()),
/// };
///	let _ =	provider.set_secret("MY_SECRET", "value");
#[derive(Debug, Clone, Validate, Serialize, Deserialize, PartialEq, Eq)]
#[serde(deny_unknown_fields)]
pub struct AzureKeyVaultProvider {
    #[validate(required)]
    pub vault_name: Option<String>,
}

#[async_trait::async_trait]
impl SecretProvider for AzureKeyVaultProvider {
    fn name(&self) -> &'static str {
        "AzureKeyVaultProvider"
    }

    async fn get_secret(&self, key: &str) -> Result<String, SecretError> {
        let response = self
            .get_client()?
            .get_secret(key, None)
            .await
            .map_err(|e| classify_azure_error(e.into(), Some(key), "get_secret"))?;
        let body = response
            .into_model()
            .map_err(|e| SecretError::Other(e.into()))?;

        body.value.ok_or_else(|| SecretError::NotFound {
            key: key.to_string(),
            provider: PROVIDER,
        })
    }

    async fn set_secret(&self, key: &str, value: &str) -> Result<(), SecretError> {
        let params = SetSecretParameters {
            value: Some(value.to_string()),
            ..Default::default()
        };

        let body = params.try_into().map_err(|e: azure_core::Error| {
            classify_azure_error(e.into(), Some(key), "set_secret")
        })?;

        self.get_client()?
            .set_secret(key, body, None)
            .await
            .map_err(|e| classify_azure_error(e.into(), Some(key), "set_secret"))?
            .into_model()
            .map_err(|e| SecretError::Other(e.into()))?;

        Ok(())
    }

    async fn update_secret(&self, key: &str, value: &str) -> Result<(), SecretError> {
        self.set_secret(key, value).await
    }

    async fn delete_secret(&self, key: &str) -> Result<(), SecretError> {
        self.get_client()?
            .delete_secret(key, None)
            .await
            .map_err(|e| classify_azure_error(e.into(), Some(key), "delete_secret"))?;

        Ok(())
    }

    async fn list_secrets(&self) -> Result<Vec<String>, SecretError> {
        let mut pager = self
            .get_client()?
            .list_secret_properties(None)
            .map_err(|e| classify_azure_error(e.into(), None, "list_secrets"))?;
        let mut secrets = Vec::new();
        while let Some(props) = pager
            .try_next()
            .await
            .map_err(|e| classify_azure_error(e.into(), None, "list_secrets"))?
        {
            let name = props
                .resource_id()
                .map_err(|e| SecretError::Other(e.into()))?
                .name;
            secrets.push(name);
        }

        Ok(secrets)
    }
}

impl AzureKeyVaultProvider {
    fn get_client(&self) -> Result<SecretClient, SecretError> {
        let credential: Arc<dyn TokenCredential> =
            DeveloperToolsCredential::new(None).map_err(|e| SecretError::AuthFailed {
                provider: PROVIDER,
                source: e.into(),
            })?;
        let vault_name = self
            .vault_name
            .as_ref()
            .ok_or_else(|| SecretError::Config {
                provider: PROVIDER,
                message: "vault_name is required".to_string(),
            })?;
        let client = SecretClient::new(
            format!("https://{}.vault.azure.net", vault_name).as_str(),
            credential,
            None,
        )
        .map_err(|e| SecretError::Config {
            provider: PROVIDER,
            message: format!("failed to create Azure Key Vault client: {}", e),
        })?;

        Ok(client)
    }
}