keeper-secrets-manager-core 17.1.0

Rust SDK for Keeper Secrets Manager
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326

// -*- coding: utf-8 -*-
//  _  __
// | |/ /___ ___ _ __  ___ _ _ (R)
// | ' </ -_) -_) '_ \/ -_) '_|
// |_|\_\___\___| .__/\___|_|
//              |_|
//
// Keeper Secrets Manager
// Copyright 2024 Keeper Security Inc.
// Contact: sm@keepersecurity.com
//

//! Caching post function for disaster recovery
//!
//! This module provides a drop-in replacement for the default HTTP post function
//! that automatically caches successful API responses. On network failure, it falls
//! back to cached data to enable offline operation.
//!
//! # Usage
//!
//! ```rust,no_run
//! use keeper_secrets_manager_core::core::{ClientOptions, SecretsManager};
//! use keeper_secrets_manager_core::storage::FileKeyValueStorage;
//! use keeper_secrets_manager_core::caching;
//!
//! # fn main() -> Result<(), Box<dyn std::error::Error>> {
//! let config = FileKeyValueStorage::new_config_storage("config.json".to_string())?;
//! let mut client_options = ClientOptions::new_client_options(config);
//!
//! // Use caching post function for disaster recovery
//! client_options.set_custom_post_function(caching::caching_post_function);
//!
//! let mut secrets_manager = SecretsManager::new(client_options)?;
//!
//! // First call saves to cache
//! let secrets = secrets_manager.get_secrets(Vec::new())?;
//!
//! // If network fails, falls back to cached data
//! // let secrets = secrets_manager.get_secrets(Vec::new())?; // Uses cache on failure
//! # Ok(())
//! # }
//! ```

use crate::crypto::CryptoUtils;
use crate::custom_error::KSMRError;
use crate::dto::{EncryptedPayload, KsmHttpResponse, TransmissionKey};
use log::{debug, warn};
use reqwest::blocking::Client;
use reqwest::header::{HeaderMap, HeaderName, HeaderValue};
use std::env;
use std::fs::{File, OpenOptions};
use std::io::{Read, Write};
use std::path::{Path, PathBuf};
use std::str::FromStr;

/// Default cache file name
const DEFAULT_CACHE_FILE: &str = "ksm_cache.bin";

/// Get the cache file path from environment or default
pub fn get_cache_file_path() -> PathBuf {
    let cache_dir = env::var("KSM_CACHE_DIR").unwrap_or_else(|_| ".".to_string());
    Path::new(&cache_dir).join(DEFAULT_CACHE_FILE)
}

/// Save cache data to disk
///
/// # Arguments
/// * `data` - The data to cache (transmission key + encrypted response)
///
/// # Errors
/// Silently fails on write errors (doesn't break the application)
pub fn save_cache(data: &[u8]) -> Result<(), KSMRError> {
    let cache_path = get_cache_file_path();

    let mut file = OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(true)
        .open(&cache_path)
        .map_err(|e| KSMRError::CacheSaveError(format!("Failed to open cache file: {}", e)))?;

    file.write_all(data)
        .map_err(|e| KSMRError::CacheSaveError(format!("Failed to write cache: {}", e)))?;

    // Explicitly sync to disk to ensure file is visible immediately (important for tests)
    file.sync_all()
        .map_err(|e| KSMRError::CacheSaveError(format!("Failed to sync cache: {}", e)))?;

    debug!("Cache saved to {:?}", cache_path);
    Ok(())
}

/// Load cache data from disk
///
/// # Returns
/// * `Option<Vec<u8>>` - Cached data if available, None otherwise
pub fn get_cached_data() -> Option<Vec<u8>> {
    let cache_path = get_cache_file_path();

    if !cache_path.exists() {
        return None;
    }

    let mut file = File::open(&cache_path).ok()?;
    let mut data = Vec::new();
    file.read_to_end(&mut data).ok()?;

    debug!("Cache loaded from {:?}", cache_path);
    Some(data)
}

/// Clear the cache file
pub fn clear_cache() -> Result<(), KSMRError> {
    let cache_path = get_cache_file_path();

    if cache_path.exists() {
        std::fs::remove_file(&cache_path)
            .map_err(|e| KSMRError::CacheRetrieveError(format!("Failed to delete cache: {}", e)))?;
    }

    Ok(())
}

/// Check if cache file exists
pub fn cache_exists() -> bool {
    get_cache_file_path().exists()
}

/// Caching post function for disaster recovery.
///
/// This function wraps the normal HTTP POST operation and:
/// 1. On success: Saves the response to cache (transmission key + encrypted data)
/// 2. On failure: Falls back to cached data if available
///
/// # Arguments
/// * `url` - The API endpoint URL
/// * `transmission_key` - The transmission key for encryption
/// * `encrypted_payload` - The encrypted payload with signature
///
/// # Returns
/// * `Result<KsmHttpResponse, KSMRError>` - Response object (from network or cache)
///
/// # Example
/// ```rust,no_run
/// use keeper_secrets_manager_core::core::ClientOptions;
/// use keeper_secrets_manager_core::caching::caching_post_function;
///
/// # fn main() {
/// let mut options = ClientOptions::new_client_options(keeper_secrets_manager_core::enums::KvStoreType::None);
/// options.set_custom_post_function(caching_post_function);
/// # }
/// ```
pub fn caching_post_function(
    url: String,
    transmission_key: TransmissionKey,
    encrypted_payload: EncryptedPayload,
) -> Result<KsmHttpResponse, KSMRError> {
    let proxy_url = std::env::var("KSM_PROXY_URL").ok();
    // Try network request first
    match make_http_request(url, transmission_key.clone(), encrypted_payload, proxy_url) {
        Ok(response) if response.status_code == 200 => {
            // On success, save to cache (transmission key + encrypted response body)
            let mut cache_data = transmission_key.key.clone();
            cache_data.extend_from_slice(&response.data);

            // Silently fail on cache write errors
            if let Err(e) = save_cache(&cache_data) {
                warn!("Failed to save cache: {}", e);
            }

            Ok(response)
        }
        Ok(response) => {
            // Non-200 response - don't cache, return error response
            Ok(response)
        }
        Err(network_error) => {
            // Network failed - try to load from cache
            warn!(
                "Network request failed: {}, attempting to use cached data",
                network_error
            );

            if let Some(cached_data) = get_cached_data() {
                if cached_data.len() > 32 {
                    // Extract cached transmission key and response data
                    // First 32 bytes are the transmission key, rest is encrypted response
                    let cached_transmission_key = cached_data[0..32].to_vec();
                    let cached_response_data = cached_data[32..].to_vec();

                    debug!("Using cached data ({} bytes)", cached_response_data.len());

                    // Decrypt cached response with cached transmission key
                    let decrypted_data =
                        CryptoUtils::decrypt_aes(&cached_response_data, &cached_transmission_key)
                            .map_err(|e| {
                            warn!("Failed to decrypt cached data: {}", e);
                            KSMRError::CryptoError(format!("Cache decryption failed: {}", e))
                        })?;

                    // Re-encrypt with current transmission key so caller can decrypt it
                    let re_encrypted_data =
                        CryptoUtils::encrypt_aes_gcm(&decrypted_data, &transmission_key.key, None)?;

                    debug!(
                        "Successfully decrypted cached data and re-encrypted with current transmission key"
                    );

                    // Return re-encrypted cached response
                    return Ok(KsmHttpResponse {
                        status_code: 200,
                        data: re_encrypted_data,
                        http_response: Some("Cached response (re-encrypted)".to_string()),
                    });
                }
            }

            // No cache available - re-raise the original error
            Err(network_error)
        }
    }
}

/// Make HTTP request - extracted to be testable
///
/// This duplicates some logic from SecretsManager#process_post_request
/// because we need a standalone function for the caching pattern.
fn make_http_request(
    url: String,
    transmission_key: TransmissionKey,
    encrypted_payload: EncryptedPayload,
    proxy_url: Option<String>,
) -> Result<KsmHttpResponse, KSMRError> {
    let mut client_builder = Client::builder();
    if let Some(ref proxy) = proxy_url {
        if let Ok(p) = reqwest::Proxy::all(proxy) {
            client_builder = client_builder.proxy(p);
        }
    }
    let client = client_builder
        .build()
        .map_err(|e| KSMRError::HTTPError(format!("Failed to build client: {}", e)))?;

    // Build headers
    let mut headers = HeaderMap::new();
    headers.insert(
        HeaderName::from_str("Content-Type").unwrap(),
        HeaderValue::from_str("application/octet-stream").unwrap(),
    );
    headers.insert(
        HeaderName::from_str("PublicKeyId").unwrap(),
        HeaderValue::from_str(&transmission_key.public_key_id).unwrap(),
    );
    headers.insert(
        HeaderName::from_str("TransmissionKey").unwrap(),
        HeaderValue::from_str(&crate::utils::bytes_to_base64(
            &transmission_key.encrypted_key,
        ))
        .unwrap(),
    );
    headers.insert(
        HeaderName::from_str("Authorization").unwrap(),
        HeaderValue::from_str(&format!(
            "Signature {}",
            crate::utils::bytes_to_base64(&encrypted_payload.signature.to_bytes())
        ))
        .unwrap(),
    );

    // Make POST request
    let response = client
        .post(&url)
        .headers(headers)
        .body(encrypted_payload.encrypted_payload.clone())
        .send()
        .map_err(|e| KSMRError::HTTPError(format!("HTTP request failed: {}", e)))?;

    let status_code = response.status().as_u16();
    let response_body = response
        .bytes()
        .map_err(|e| KSMRError::HTTPError(format!("Failed to read response: {}", e)))?
        .to_vec();

    Ok(KsmHttpResponse {
        status_code,
        data: response_body,
        http_response: None,
    })
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_cache_file_path() {
        let path = get_cache_file_path();
        assert!(path.to_str().unwrap().contains("ksm_cache.bin"));
    }

    #[test]
    fn test_cache_operations() {
        // Clear any existing cache
        let _ = clear_cache();

        // Initially no cache
        assert!(!cache_exists());
        assert!(get_cached_data().is_none());

        // Save some test data
        let test_data = b"test cache data";
        save_cache(test_data).ok();

        // Cache should now exist
        assert!(cache_exists());

        // Load cache
        let loaded = get_cached_data();
        assert!(loaded.is_some());
        assert_eq!(loaded.unwrap(), test_data);

        // Clear cache
        clear_cache().ok();
        assert!(!cache_exists());
    }
}