im-core 0.1.0

Rust IM SDK for Awiki clients built on Agent Network Protocol (ANP)
Documentation
use base64::Engine as _;
use im_core::vault::{
    parse_device_vault_root_key_b64, DeviceVaultRootKey, FileSecretVault, FileSecretVaultStore,
    SealSecretRequest, SecretAccessPolicy, SecretBytes, SecretKind, SecretMetadata, SecretVault,
    DEVICE_VAULT_ROOT_KEY_LEN,
};

#[test]
fn public_vault_api_seals_opens_lists_and_deletes_secret() {
    let root = tempfile::tempdir().unwrap();
    let vault = FileSecretVault::new(
        DeviceVaultRootKey::from_bytes([13_u8; 32]),
        FileSecretVaultStore::new(root.path().join("vault")),
    );
    let metadata = SecretMetadata {
        workspace_id: "workspace-a".to_owned(),
        device_id: "device-a".to_owned(),
        identity_id: Some("identity-a".to_owned()),
        did: Some("did:wba:alice@example.com".to_owned()),
        kind: SecretKind::IdentityRootPrivate,
        key_id: "key-1".to_owned(),
        key_version: 1,
        policy: SecretAccessPolicy::no_prompt_local_secret(),
    };

    let secret_ref = vault
        .seal(SealSecretRequest {
            metadata,
            plaintext: SecretBytes::from_vec(b"external-private-key".to_vec()),
        })
        .unwrap();

    let opened = vault.open(&secret_ref).unwrap();
    assert_eq!(opened.expose_secret(), b"external-private-key");
    assert_eq!(vault.list().unwrap(), vec![secret_ref.clone()]);
    assert!(!format!("{opened:?}").contains("external-private-key"));
    assert!(!format!("{:?}", DeviceVaultRootKey::from_bytes([14_u8; 32])).contains("14"));

    vault.delete(&secret_ref).unwrap();
    assert!(vault.list().unwrap().is_empty());
}

#[test]
fn public_vault_root_key_parser_accepts_base64_and_redacts_errors() {
    let raw = base64::engine::general_purpose::URL_SAFE_NO_PAD.encode([21_u8; 32]);
    let root_key = parse_device_vault_root_key_b64(&raw, "TEST_VAULT_ROOT_KEY").unwrap();
    let debug = format!("{root_key:?}");

    assert!(debug.contains("DeviceVaultRootKey"));
    assert!(debug.contains(&DEVICE_VAULT_ROOT_KEY_LEN.to_string()));
    assert!(!debug.contains(&raw));
    assert!(!debug.contains("21"));

    let err = parse_device_vault_root_key_b64("not-base64-secret-value", "TEST_VAULT_ROOT_KEY")
        .unwrap_err()
        .to_string();

    assert!(err.contains("TEST_VAULT_ROOT_KEY"));
    assert!(!err.contains("not-base64-secret-value"));
}