hakanai-lib 2.14.2

Client library for Hakanai, a secure secret sharing service.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280

// SPDX-License-Identifier: Apache-2.0

use std::time::Duration;

use async_trait::async_trait;
use thiserror::Error;
use url::Url;

use crate::crypto::CryptoClient;
use crate::models::Payload;
use crate::options::{SecretReceiveOptions, SecretSendOptions};
use crate::web::WebClient;

/// Defines the asynchronous interface for a client that can send and receive secrets.
///
/// This trait represents the core API for secret operations. The library provides
/// a default implementation via `client::new()`, but users can create wrapper
/// clients that add additional functionality around the core client.
///
/// # Examples
///
/// ## Adding Validation to Client Operations
///
/// ```
/// use hakanai_lib::{client, client::{Client, ClientError}, models::Payload};
/// use hakanai_lib::options::{SecretSendOptions, SecretReceiveOptions};
/// use async_trait::async_trait;
/// use url::Url;
/// use std::time::Duration;
///
/// // Wrapper that adds input validation to client operations
/// struct ValidatingClient {
///     inner: Box<dyn Client<Payload>>,
///     max_size: usize,
/// }
///
/// impl ValidatingClient {
///     fn new(inner: Box<dyn Client<Payload>>, max_size: usize) -> Self {
///         Self { inner, max_size }
///     }
/// }
///
/// #[async_trait]
/// impl Client<Payload> for ValidatingClient {
///     async fn send_secret(
///         &self,
///         base_url: Url,
///         payload: Payload,
///         ttl: Duration,
///         token: String,
///         opts: Option<SecretSendOptions>,
///     ) -> Result<Url, ClientError> {
///         // Validate payload size before sending
///         if payload.data.len() > self.max_size {
///             return Err(ClientError::Custom(format!(
///                 "Payload size {} exceeds maximum {}",
///                 payload.data.len(),
///                 self.max_size
///             )));
///         }
///
///         // Validate filename for security
///         if let Some(ref filename) = payload.filename {
///             if filename.contains("..") || filename.starts_with('/') {
///                 return Err(ClientError::Custom(
///                     "Invalid filename: path traversal detected".to_string()
///                 ));
///             }
///         }
///
///         // Validation passed, proceed with sending
///         self.inner.send_secret(base_url, payload, ttl, token, opts).await
///     }
///
///     async fn receive_secret(
///         &self,
///         url: Url,
///         opts: Option<SecretReceiveOptions>,
///     ) -> Result<Payload, ClientError> {
///         // Pass through to inner client
///         self.inner.receive_secret(url, opts).await
///     }
/// }
///
/// // Usage: wrap the default client with validation
/// # async fn example() -> Result<(), Box<dyn std::error::Error>> {
/// let base_client = client::new();
/// let validating_client = ValidatingClient::new(Box::new(base_client), 1024 * 1024); // 1MB limit
///
/// let payload = Payload {
///     data: "test secret".to_string(),
///     filename: None,
/// };
///
/// // This will validate before sending
/// let url = validating_client.send_secret(
///     Url::parse("https://api.example.com")?,
///     payload,
///     Duration::from_secs(3600),
///     "token".to_string(),
///     None,
/// ).await?;
/// # Ok(())
/// # }
/// ```
#[async_trait]
pub trait Client<T>: Send + Sync {
    /// Sends a secret to be stored.
    ///
    /// # Arguments
    ///
    /// * `base_url` - The base URL of the service.
    /// * `data` - The secret data to be sent.
    /// * `ttl` - The time-to-live for the secret.
    /// * `token` - The authentication token.
    /// * `opts` - Optional options for sending the secret
    ///
    /// # Returns
    ///
    /// A `Result` which is:
    /// - `Ok(Url)` containing the URL of the stored secret.
    /// - `Err(ClientError)` with an error message if the operation fails.
    async fn send_secret(
        &self,
        base_url: Url,
        payload: T,
        ttl: Duration,
        token: String,
        opts: Option<SecretSendOptions>,
    ) -> Result<Url, ClientError>;

    /// Retrieves a secret from the store using its URL.
    ///
    /// # Arguments
    ///
    /// * `url` - The URL of the secret to be retrieved.
    /// * `opts` - Optional options for retrieving the secret
    ///
    /// # Returns
    ///
    /// A `Result` which is:
    /// - `Ok(String)` containing the secret data.
    /// - `Err(ClientError)` with an error message if the secret is not found or another error occurs.
    async fn receive_secret(
        &self,
        url: Url,
        opts: Option<SecretReceiveOptions>,
    ) -> Result<T, ClientError>;
}

/// Represents errors that can occur during client operations.
///
/// This enum covers all possible error cases when sending or receiving secrets,
/// including network errors, parsing errors, and cryptographic failures.
///
/// # Examples
///
/// ```
/// use hakanai_lib::{client, client::{Client, ClientError}, models::Payload};
/// use std::time::Duration;
/// use url::Url;
///
/// # async fn example() -> Result<(), Box<dyn std::error::Error>> {
/// let client = client::new();
/// let payload = Payload::from_bytes(b"Test secret", None);
///
/// match client.send_secret(
///     Url::parse("https://api.example.com")?,
///     payload,
///     Duration::from_secs(3600),
///     "auth-token".to_string(),
///     None,
/// ).await {
///     Ok(url) => println!("Secret stored at: {}", url),
///     Err(ClientError::Web(e)) => eprintln!("Network error: {}", e),
///     Err(ClientError::Http(msg)) => eprintln!("Server error: {}", msg),
///     Err(ClientError::CryptoError(msg)) => eprintln!("Decryption failed: {}", msg),
///     Err(e) => eprintln!("Other error: {}", e),
/// }
/// # Ok(())
/// # }
/// ```
#[derive(Debug, Error)]
pub enum ClientError {
    /// Network request failed.
    ///
    /// This error occurs when the underlying HTTP client (reqwest) encounters
    /// a network-level error such as connection timeout, DNS resolution failure,
    /// or inability to establish a connection.
    #[error("web request failed")]
    Web(#[from] reqwest::Error),

    /// JSON parsing or serialization failed.
    ///
    /// This error occurs when the response from the server cannot be parsed
    /// as valid JSON, or when serializing the payload to JSON fails.
    #[error("parsing JSON failed")]
    Json(#[from] serde_json::Error),

    /// URL parsing failed.
    ///
    /// This error occurs when constructing or parsing URLs, typically when
    /// the base URL or secret URL is malformed.
    #[error("invalid URL")]
    Url(#[from] url::ParseError),

    /// HTTP-level error from the server.
    ///
    /// This error represents HTTP status code errors (4xx, 5xx) returned by
    /// the server, with the error message containing details about the failure.
    #[error("HTTP error: {0}")]
    Http(String),

    /// Custom client error.
    ///
    /// This is a catch-all error for client-specific failures that don't
    /// fit into other categories.
    #[error("Client error: {0}")]
    Custom(String),

    /// Cryptographic error.
    #[error("crypto error")]
    CryptoError(String),

    /// Error converting bytes to UTF-8.
    #[error("UTF-8 decoding error")]
    Utf8DecodeError(#[from] std::string::FromUtf8Error),

    /// Base64 decoding error.
    #[error("base64 decoding error")]
    Base64DecodeError(#[from] base64::DecodeError),

    #[error("decrypted data does not match expected hash")]
    HashValidationError(),
}

impl From<aes_gcm::Error> for ClientError {
    fn from(err: aes_gcm::Error) -> Self {
        ClientError::CryptoError(format!("AES-GCM error: {err:?}"))
    }
}

/// Creates a new client instance with the default configuration.
///
/// This function constructs a layered client stack that provides:
/// - HTTP communication via `WebClient`
/// - AES-256-GCM encryption via `CryptoClient`
/// - Automatic `Payload` serialization via `SecretClient`
///
/// # Examples
///
/// ```no_run
/// use hakanai_lib::{client, client::Client, models::Payload};
/// use std::time::Duration;
/// use url::Url;
///
/// # async fn example() -> Result<(), Box<dyn std::error::Error>> {
/// // Create the default client
/// let client = client::new();
///
/// // Send a secret
/// let url = client.send_secret(
///     Url::parse("https://api.example.com")?,
///     Payload {
///         data: "my secret data".to_string(),
///         filename: None,
///     },
///     Duration::from_secs(3600),
///     "auth-token".to_string(),
///     None,
/// ).await?;
///
/// // The URL contains the encryption key and hash in the fragment (#key:hash)
/// println!("Share this URL: {}", url);
/// # Ok(())
/// # }
/// ```
pub fn new() -> impl Client<Payload> {
    CryptoClient::new(Box::new(WebClient::new()))
}