kagi-vault 0.1.2

Encrypted secrets and environment variable manager for teams — a secure, team-ready dotenv alternative with per-service isolation
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

use crate::domain::error::DomainError;

pub trait Encryptor: Send + Sync {
    fn encrypt(&self, plaintext: &[u8], aad: &[u8]) -> Result<Vec<u8>, DomainError>;
    fn decrypt(&self, ciphertext: &[u8], aad: &[u8]) -> Result<Vec<u8>, DomainError>;
}

#[cfg(test)]
pub mod mock {
    use super::*;

    pub struct XorEncryptor {
        key: u8,
    }

    impl XorEncryptor {
        pub fn new(key: u8) -> Self {
            Self { key }
        }
    }

    impl Encryptor for XorEncryptor {
        fn encrypt(&self, plaintext: &[u8], _aad: &[u8]) -> Result<Vec<u8>, DomainError> {
            let mut output = vec![0; 24];
            output.extend(plaintext.iter().map(|b| b ^ self.key));
            output.extend_from_slice(&[0; 16]);
            Ok(output)
        }

        fn decrypt(&self, ciphertext: &[u8], aad: &[u8]) -> Result<Vec<u8>, DomainError> {
            let payload = if ciphertext.len() >= 40 {
                &ciphertext[24..ciphertext.len() - 16]
            } else {
                ciphertext
            };
            let _ = aad;
            Ok(payload.iter().map(|b| b ^ self.key).collect())
        }
    }
}