hexvault 1.1.2

Cascading cell-partitioned encryption architecture.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132

//! # hexvault
//!
//! Cascading cell-partitioned encryption architecture.
//!
//! Data is partitioned into isolated cells, each with cascading layers of
//! encryption corresponding to different trust boundaries. Movement between
//! cells is controlled by auditable edge handlers that re-encrypt without
//! exposing plaintext.
//!
//! ## Public API
//!
//! The public surface of this crate is intentionally narrow. Only the types
//! and functions listed here are intended for use by callers. Everything else
//! is `pub(crate)` at most.

// Module declarations.
pub mod audit;
pub mod cell;
pub(crate) mod crypto;
pub mod edge;
pub mod error;
pub mod keys;
pub mod partition;
pub mod stack;

// ---------------------------------------------------------------------------
// Public API — Phase 2 surface
// ---------------------------------------------------------------------------

use keys::MasterKey;

/// Generate a cryptographically secure master key.
///
/// This is the only entry point for producing key material. The returned
/// `MasterKey` is the single secret from which all per-cell and per-layer
/// keys are derived. In production, callers should source master keys from
/// a dedicated KMS rather than generating them locally.
#[must_use = "discarding a master key is likely a bug"]
pub fn generate_master_key() -> Result<MasterKey, error::HexvaultError> {
    let bytes = crypto::generate_random_key()?;
    Ok(MasterKey::from_bytes(bytes))
}

// ---------------------------------------------------------------------------
// Phase 4 API — Vault Wrapper
// ---------------------------------------------------------------------------

use audit::AuditLog;
use cell::Cell;
use partition::Partition;
use stack::{Layer, TokenResolver};

use std::sync::Arc;

/// The high-level entry point for managing cells and traversals.
///
/// Holds the master key, the central audit log, and token resolver.
pub struct Vault {
    master_key: MasterKey,
    audit_log: AuditLog,
    token_resolver: Arc<dyn TokenResolver>,
}

impl Vault {
    /// Create a new Vault with the provided master key and token resolver.
    pub fn new(master_key: MasterKey, token_resolver: Arc<dyn TokenResolver>) -> Self {
        Self {
            master_key,
            audit_log: AuditLog::new(),
            token_resolver,
        }
    }

    /// Create or get a partition.
    pub fn get_partition(&self, id: &str) -> Result<Partition, error::HexvaultError> {
        let key = keys::derive_partition_key(&self.master_key, id)?;
        Ok(Partition::new(
            id.to_string(),
            key,
            Arc::clone(&self.token_resolver),
        ))
    }

    /// Traverse data from one cell to another.
    #[allow(clippy::too_many_arguments)]
    pub fn traverse(
        &mut self,
        source_partition: &Partition,
        source: &Cell,
        dest_partition: &Partition,
        dest: &mut Cell,
        key: &str,
        target_layer: Layer,
        source_token: &str,
        dest_token: &str,
    ) -> Result<(), error::HexvaultError> {
        let source_ctx = self.token_resolver.resolve(source_token)?;
        let dest_ctx = self.token_resolver.resolve(dest_token)?;

        edge::traverse(
            &mut self.audit_log,
            edge::TraversalRequest {
                source_partition_key: source_partition.key(),
                dest_partition_key: dest_partition.key(),
                source,
                dest,
                key,
                target_layer,
                source_ctx: &source_ctx,
                dest_ctx: &dest_ctx,
            },
        )
    }

    /// Inspect the audit log.
    pub fn audit_log(&self) -> &AuditLog {
        &self.audit_log
    }

    /// Add a sink to receive a copy of every traversal record.
    /// Use this to persist the audit log to a file, S3, or other store.
    pub fn add_audit_sink(&mut self, sink: Box<dyn audit::AuditSink>) {
        self.audit_log.add_forward_sink(sink);
    }

    /// Return the number of audit records logged so far.
    ///
    /// Convenience method equivalent to `vault.audit_log().len()`.
    pub fn audit_log_len(&self) -> usize {
        self.audit_log.len()
    }
}