hardware-enclave 0.1.0

Hardware-backed key management — macOS Secure Enclave, Windows TPM 2.0, Linux TPM/keyring
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86

#![allow(dead_code, unused_imports, unused_qualifications, unreachable_patterns)]
use anyhow::Result;

use super::secret_store::SecretStore;
use super::types::BindingId;

/// Restore a previously-snapshotted secret value (or delete the entry if
/// the snapshot was `None`).  This is the single shared implementation used
/// by management, install, uninstall, and token-source rollback paths.
pub fn restore_previous_secret<S>(
    secret_store: &S,
    id: &BindingId,
    previous_secret: Option<&str>,
) -> Result<()>
where
    S: SecretStore,
{
    match previous_secret {
        Some(secret) => secret_store.set(id, secret)?,
        None => {
            let _ = secret_store.delete(id)?;
        }
    }
    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::internal::app_adapter::MemorySecretStore;

    #[test]
    fn restore_previous_secret_with_some() {
        let store = MemorySecretStore::new();
        let id = BindingId::new("test:default");

        // Set a current value
        store.set(&id, "current-token").expect("set");

        // Restore a previous value
        restore_previous_secret(&store, &id, Some("previous-token")).expect("restore");

        assert_eq!(
            store.get(&id).expect("get"),
            Some("previous-token".to_string())
        );
    }

    #[test]
    fn restore_previous_secret_with_none() {
        let store = MemorySecretStore::new();
        let id = BindingId::new("test:default");

        // Set a current value
        store.set(&id, "current-token").expect("set");

        // Restore None means delete
        restore_previous_secret(&store, &id, None).expect("restore");

        assert_eq!(store.get(&id).expect("get"), None);
    }

    #[test]
    fn restore_previous_secret_with_none_when_no_existing_value() {
        let store = MemorySecretStore::new();
        let id = BindingId::new("test:nonexistent");

        // Restoring None on a non-existent key should succeed
        restore_previous_secret(&store, &id, None).expect("restore");

        assert_eq!(store.get(&id).expect("get"), None);
    }

    #[test]
    fn restore_previous_secret_overwrites_existing() {
        let store = MemorySecretStore::new();
        let id = BindingId::new("test:default");

        store.set(&id, "first").expect("set");
        restore_previous_secret(&store, &id, Some("second")).expect("restore");
        assert_eq!(store.get(&id).expect("get"), Some("second".to_string()));

        restore_previous_secret(&store, &id, Some("third")).expect("restore again");
        assert_eq!(store.get(&id).expect("get"), Some("third".to_string()));
    }
}