keyden 0.1.6

Keyden: a simple CLI and library for managing, rotating, and generating secret keys safely.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119

use crate::commons::{KeyMaterial, KeyStore, KeyStoreError};
use regex::Regex;
use std::{fs, path::{Path, PathBuf}};

pub struct FileKeyStore {
    path: PathBuf,
}

impl FileKeyStore {
    pub fn new(path: impl Into<PathBuf>) -> Result<Self, KeyStoreError> {
        let path = path.into();
        // if path.exists() {
        //     check_permissions(&path)?;
        // } else if let Some(parent) = path.parent() {
        //     check_permissions(parent)?;
        // }
        Ok(Self { path })
    }
}

impl KeyStore for FileKeyStore {
    fn read_keys(&self) -> Result<Vec<KeyMaterial>, KeyStoreError> {
        let content = std::fs::read_to_string(&self.path)?;
        let regex = Regex::new(r"^([^:]+):([^:]+):(\d+)$").unwrap();
        let mut keys = Vec::new();

        for (i, line) in content.lines().enumerate() {
            let line = line.trim();
            if line.is_empty() {
                continue;
            }
            if let Some(caps) = regex.captures(line) {
                let kid = caps.get(1).unwrap().as_str().to_string();
                let secret = caps.get(2).unwrap().as_str().to_string();
                let created_at_unix = caps.get(3).unwrap().as_str().parse()?;
                keys.push(KeyMaterial { kid, secret, created_at_unix });
            } else {
                return Err(KeyStoreError::InvalidFormat(format!("Invalid line {}: {}", i + 1, line)));
            }
        }

        Ok(keys)
    }

    fn write_keys(&self, keys: &[KeyMaterial]) -> Result<(), KeyStoreError> {
        let mut content = String::new();
        for key in keys {
            content.push_str(&format!("{}:{}:{}\n", key.kid, key.secret, key.created_at_unix));
        }
        std::fs::write(&self.path, content)?;
        // set_secure_file_permissions(&self.path)?;
        Ok(())
    }
}

#[cfg(unix)]
fn check_permissions(path: &Path) -> Result<(), KeyStoreError> {
    use std::os::unix::fs::PermissionsExt;
    let metadata = fs::metadata(path)?;
    let mode = metadata.permissions().mode();
    if mode & 0o077 != 0 {
        panic!("{} permissions too open (mode {:o})", path.display(), mode);
    }
    Ok(())
}

#[cfg(windows)]
fn check_permissions(_path: &Path) -> Result<(), KeyStoreError> {
    Ok(())
}

fn set_secure_file_permissions(path: &Path) -> Result<(), KeyStoreError> {
    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        fs::set_permissions(path, fs::Permissions::from_mode(0o600))?;
    }
    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;
    use tempfile::NamedTempFile;

    #[test]
    fn test_write_and_read_keys() {
        let tmpfile = NamedTempFile::new().unwrap();
        let path = tmpfile.path().to_path_buf();

        let store = FileKeyStore::new(&path).unwrap();

        let key = KeyMaterial {
            kid: "test-kid".to_string(),
            secret: "supersecret".to_string(),
            created_at_unix: 1234567890,
        };

        store.write_keys(&[key.clone()]).unwrap();

        let keys = store.read_keys().unwrap();
        assert_eq!(keys.len(), 1);
        assert_eq!(keys[0].kid, key.kid);
        assert_eq!(keys[0].secret, key.secret);
        assert_eq!(keys[0].created_at_unix, key.created_at_unix);
    }

    #[test]
    fn test_invalid_format_fails() {
        let tmpfile = NamedTempFile::new().unwrap();
        let path = tmpfile.path().to_path_buf();
        let store = FileKeyStore::new(&path).unwrap();

        fs::write(&path, "badly:formatted:line:extra\n").unwrap();

        let result = store.read_keys();
        assert!(result.is_err());
    }
}