karak-kms 0.2.0

Karak Key Management SDK
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111

use aws_sdk_secretsmanager::primitives::Blob;
use thiserror::Error;

use crate::keypair::traits::Encryptable;

use super::traits::AsyncEncryptedKeystore;

pub use aws_config::SdkConfig as AwsConfig;

#[derive(Debug, Error)]
pub enum AwsKeystoreError<E: std::error::Error + Send + Sync> {
    #[error("Encryption error: {0}")]
    EncryptionError(E),
    #[error("AWS Secrets Manager Put error: {0}")]
    AwsSecretsManagerPutError(
        #[from]
        aws_sdk_secretsmanager::error::SdkError<
            aws_sdk_secretsmanager::operation::put_secret_value::PutSecretValueError,
        >,
    ),
    #[error("AWS Secrets Manager Create error: {0}")]
    AwsSecretsManagerCreateError(
        #[from]
        aws_sdk_secretsmanager::error::SdkError<
            aws_sdk_secretsmanager::operation::create_secret::CreateSecretError,
        >,
    ),
    #[error("AWS Secrets Manager Get error: {0}")]
    AwsSecretsManagerGetError(
        #[from]
        aws_sdk_secretsmanager::error::SdkError<
            aws_sdk_secretsmanager::operation::get_secret_value::GetSecretValueError,
        >,
    ),
    #[error("AWS Secrets Manager Blob empty")]
    AwsSecretBlobEmpty,
}

pub struct AwsEncryptedKeystore {
    client: aws_sdk_secretsmanager::Client,
}

impl AwsEncryptedKeystore {
    pub fn new(config: &AwsConfig) -> Self {
        Self {
            client: aws_sdk_secretsmanager::Client::new(config),
        }
    }
}

pub struct AwsKeystoreParams {
    pub secret_name: String,
}

impl<Keypair: Encryptable + Send + Sync> AsyncEncryptedKeystore<Keypair, AwsKeystoreParams>
    for AwsEncryptedKeystore
{
    type StorageError = AwsKeystoreError<Keypair::EncryptionError>;

    async fn store(
        &self,
        keypair: &Keypair,
        passphrase: &str,
        params: &AwsKeystoreParams,
    ) -> Result<(), Self::StorageError> {
        let encrypted_keypair = keypair
            .encrypt(passphrase)
            .map_err(AwsKeystoreError::EncryptionError)?;

        // TODO: Maybe handle some of the possible error scenarios here?
        // TODO: Also make sure this is idempotent and can work even if the secret does not exist yet
        let resp = self
            .client
            .put_secret_value()
            .secret_id(&params.secret_name)
            .set_secret_binary(Some(Blob::new(encrypted_keypair.clone())))
            .send()
            .await;

        if resp.is_err() {
            self.client
                .create_secret()
                .name(&params.secret_name)
                .set_secret_binary(Some(Blob::new(encrypted_keypair)))
                .send()
                .await?;
        }

        Ok(())
    }

    async fn retrieve(
        &self,
        passphrase: &str,
        params: &AwsKeystoreParams,
    ) -> Result<Keypair, Self::StorageError> {
        let resp = self
            .client
            .get_secret_value()
            .secret_id(&params.secret_name)
            .send()
            .await?;

        let encrypted_keypair = match resp.secret_binary() {
            Some(blob) => blob.as_ref(),
            None => return Err(AwsKeystoreError::AwsSecretBlobEmpty),
        };

        Keypair::decrypt(encrypted_keypair, passphrase).map_err(AwsKeystoreError::EncryptionError)
    }
}