keyring-core 1.0.0

Cross-platform library for managing passwords/secrets
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339

use std::any::Any;
use std::collections::HashMap;
use std::sync::{Arc, RwLock, Weak};
use std::time::{Duration, SystemTime, UNIX_EPOCH};

use dashmap::DashMap;
use log::{debug, error};
use serde::{Deserialize, Serialize};
use uuid::Uuid;

use super::credential::{CredId, CredKey};
use crate::{
    Entry,
    Error::{Invalid, PlatformFailure},
    Result,
    api::{CredentialPersistence, CredentialStoreApi},
    attributes::parse_attributes,
};

/// The stored data for a credential
#[derive(Debug, Serialize, Deserialize)]
pub struct CredValue {
    pub secret: Vec<u8>,
    pub comment: Option<String>,
    pub creation_date: Option<String>,
}

impl CredValue {
    pub fn new(secret: &[u8]) -> Self {
        CredValue {
            secret: secret.to_vec(),
            comment: None,
            creation_date: None,
        }
    }

    pub fn new_ambiguous(comment: &str) -> CredValue {
        CredValue {
            secret: vec![],
            comment: Some(comment.to_string()),
            creation_date: Some(chrono::Local::now().to_rfc2822()),
        }
    }
}

/// A map from <service, user> pairs to matching credentials
pub type CredMap = DashMap<CredId, DashMap<String, CredValue>>;

/// A Store's mutable weak reference to itself
///
/// Because credentials contain an `Arc` to their store,
/// the store needs to keep a `Weak` to itself which can be
/// upgraded to create the credential. Because
/// the Store has to be created and an `Arc` of it taken
/// before that `Arc` can be downgraded and stored inside
/// the Store, the self-reference must be mutable.
pub struct SelfRef {
    inner_store: Weak<Store>,
}

/// A credential store.
///
/// The credential data is kept in the CredMap. We keep the index of
/// ourself in the STORES vector, so we can get a pointer to ourself
/// whenever we need to build a credential.
pub struct Store {
    pub id: String,
    pub creds: CredMap,
    pub backing: Option<String>, // the backing file, if any
    pub self_ref: RwLock<SelfRef>,
}

impl std::fmt::Debug for Store {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("Store")
            .field("vendor", &self.vendor())
            .field("id", &self.id)
            .field("backing", &self.backing)
            .field("cred-count", &self.creds.len())
            .finish()
    }
}

impl Drop for Store {
    fn drop(&mut self) {
        if self.backing.is_none() {
            debug!("dropping store {self:?}")
        } else {
            debug!("Saving store {self:?} on drop...");
            match self.save() {
                Ok(_) => debug!("Save of store {self:?} completed"),
                Err(e) => error!("Save of store {self:?} failed: {e:?}"),
            }
        }
    }
}

impl Store {
    /// Create a new store with a default configuration.
    ///
    /// The default configuration is empty with no backing file.
    pub fn new() -> Result<Arc<Self>> {
        Ok(Self::new_internal(DashMap::new(), None))
    }

    /// Create a new store with a user-specified configuration.
    ///
    /// There are two allowed configuration keys: `persist` and `backing-file`. See
    /// the module docs for details of how these affect the store's behavior.
    pub fn new_with_configuration(config: &HashMap<&str, &str>) -> Result<Arc<Self>> {
        let mods = parse_attributes(&["backing-file", "*persist"], Some(config))?;
        if let Some(path) = mods.get("backing-file") {
            Self::new_with_backing(path)
        } else if let Some(persist) = mods.get("persist") {
            if persist == "true" {
                let dir = std::env::temp_dir();
                let path = dir.join("keyring-sample-store.ron");
                Self::new_with_backing(path.to_str().expect("Invalid backing path"))
            } else {
                Self::new()
            }
        } else {
            Self::new()
        }
    }

    /// Create a new store from a backing file.
    ///
    /// The backing file must be a valid path, but it need not exist,
    /// in which case the store starts off empty. If the file does
    /// exist, the initial contents of the store are loaded from it.
    pub fn new_with_backing(path: &str) -> Result<Arc<Self>> {
        Ok(Self::new_internal(
            Self::load_credentials(path)?,
            Some(String::from(path)),
        ))
    }

    /// Save the current state of this store to its backing file.
    ///
    /// This is a no-op if there is no backing file.
    ///
    /// Yes, stores will save themselves to their backing file
    /// when they go out of scope (i.e., are dropped).
    /// But using this entry to take a snapshot can save
    /// you from crashes or let you pass the store state
    /// off to another process.
    pub fn save(&self) -> Result<()> {
        if self.backing.is_none() {
            return Ok(());
        };
        let content = ron::ser::to_string_pretty(&self.creds, ron::ser::PrettyConfig::new())
            .map_err(|e| PlatformFailure(Box::from(e)))?;
        std::fs::write(self.backing.as_ref().unwrap(), content)
            .map_err(|e| PlatformFailure(Box::from(e)))?;
        Ok(())
    }

    /// Create a store with the given credentials and backing file.
    pub fn new_internal(creds: CredMap, backing: Option<String>) -> Arc<Self> {
        let store = Store {
            id: format!(
                "Crate version {}, Instantiated at {}",
                env!("CARGO_PKG_VERSION"),
                SystemTime::now()
                    .duration_since(UNIX_EPOCH)
                    .unwrap_or_else(|_| Duration::new(0, 0))
                    .as_secs_f64()
            ),
            creds,
            backing,
            self_ref: RwLock::new(SelfRef {
                inner_store: Weak::new(),
            }),
        };
        debug!("Created new store: {store:?}");
        let result = Arc::new(store);
        result.set_store(result.clone());
        result
    }

    /// Loads store content from a backing file.
    ///
    /// If the backing file does not exist, the returned store is empty.
    pub fn load_credentials(path: &str) -> Result<CredMap> {
        match std::fs::exists(path) {
            Ok(true) => match std::fs::read_to_string(path) {
                Ok(s) => Ok(ron::de::from_str(&s).map_err(|e| PlatformFailure(Box::from(e)))?),
                Err(e) => Err(PlatformFailure(Box::from(e))),
            },
            Ok(false) => Ok(DashMap::new()),
            Err(e) => Err(Invalid("Invalid path".to_string(), e.to_string())),
        }
    }

    fn get_store(&self) -> Arc<Store> {
        self.self_ref
            .read()
            .expect("RwLock bug at get!")
            .inner_store
            .upgrade()
            .expect("Arc bug at get!")
    }

    fn set_store(&self, store: Arc<Store>) {
        let mut guard = self.self_ref.write().expect("RwLock bug at set!");
        guard.inner_store = Arc::downgrade(&store);
    }
}

impl CredentialStoreApi for Store {
    /// See the API docs.
    fn vendor(&self) -> String {
        String::from("Sample store, https://crates.io/crates/keyring-core")
    }

    /// See the API docs.
    ///
    /// The store ID is based on its sequence number
    /// in the list of created stores.
    fn id(&self) -> String {
        self.id.clone()
    }

    /// See the API docs.
    ///
    /// The only modifier you can specify is `force-create`, which forces
    /// immediate credential creation and can be used to create ambiguity.
    ///
    /// When the force-create modifier is specified, the created credential gets
    /// an empty password/secret, a `comment` attribute with the value of the modifier,
    /// and a `creation_`date` attribute with a string for the current local time.
    fn build(
        &self,
        service: &str,
        user: &str,
        mods: Option<&HashMap<&str, &str>>,
    ) -> Result<Entry> {
        let id = CredId {
            service: service.to_owned(),
            user: user.to_owned(),
        };
        let key = CredKey {
            store: self.get_store(),
            id: id.clone(),
            uuid: None,
        };
        if let Some(force_create) = parse_attributes(&["force-create"], mods)?.get("force-create") {
            let uuid = Uuid::new_v4().to_string();
            let value = CredValue::new_ambiguous(force_create);
            match self.creds.get(&id) {
                None => {
                    let creds = DashMap::new();
                    creds.insert(uuid, value);
                    self.creds.insert(id, creds);
                }
                Some(creds) => {
                    creds.value().insert(uuid, value);
                }
            };
        }
        Ok(Entry {
            inner: Arc::new(key),
        })
    }

    /// See the API docs.
    ///
    /// The specification must contain exactly two keys - `service` and `user` -
    /// and their values must be valid regular expressions.
    /// Every credential whose service name matches the service regex
    /// _and_ whose username matches the user regex will be returned.
    /// (The match is a substring match, so the empty string will match every value.)
    fn search(&self, spec: &HashMap<&str, &str>) -> Result<Vec<Entry>> {
        let spec = parse_attributes(&["service", "user", "uuid", "comment"], Some(spec))?;
        let mut result: Vec<Entry> = Vec::new();
        let empty = String::new();
        let svc = regex::Regex::new(spec.get("service").unwrap_or(&empty))
            .map_err(|e| Invalid("service regex".to_string(), e.to_string()))?;
        let usr = regex::Regex::new(spec.get("user").unwrap_or(&empty))
            .map_err(|e| Invalid("user regex".to_string(), e.to_string()))?;
        let comment = regex::Regex::new(spec.get("comment").unwrap_or(&empty))
            .map_err(|e| Invalid("comment regex".to_string(), e.to_string()))?;
        let uuid = regex::Regex::new(spec.get("uuid").unwrap_or(&empty))
            .map_err(|e| Invalid("uuid regex".to_string(), e.to_string()))?;
        let store = self.get_store();
        for pair in self.creds.iter() {
            if !svc.is_match(pair.key().service.as_str()) {
                continue;
            }
            if !usr.is_match(pair.key().user.as_str()) {
                continue;
            }
            for cred in pair.value().iter() {
                if !uuid.is_match(cred.key()) {
                    continue;
                }
                if spec.contains_key("comment") {
                    if cred.value().comment.is_none() {
                        continue;
                    }
                    if !comment.is_match(cred.value().comment.as_ref().unwrap()) {
                        continue;
                    }
                }
                result.push(Entry {
                    inner: Arc::new(CredKey {
                        store: store.clone(),
                        id: pair.key().clone(),
                        uuid: Some(cred.key().clone()),
                    }),
                })
            }
        }
        Ok(result)
    }

    //// See the API docs.
    fn as_any(&self) -> &dyn Any {
        self
    }

    //// See the API docs.
    ////
    //// If this store has a backing file, credential persistence is
    //// `UntilDelete`. Otherwise, it's `ProcessOnly`.
    fn persistence(&self) -> CredentialPersistence {
        if self.backing.is_none() {
            CredentialPersistence::ProcessOnly
        } else {
            CredentialPersistence::UntilDelete
        }
    }

    /// See the API docs.
    fn debug_fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        std::fmt::Debug::fmt(self, f)
    }
}