lade 0.15.0

Automatically load secrets from your preferred vault as environment variables, and clear them once your shell command is over.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52

use std::collections::HashMap;
use std::path::PathBuf;

use rustc_hash::FxHashSet;

fn should_mask(key: &str, sources: &HashMap<String, String>, maskable: &FxHashSet<String>) -> bool {
    sources
        .get(key)
        .is_some_and(|source| maskable.contains(source))
}

/// Resolved values whose config source was loaded by a masking provider.
pub fn secrets_for_redaction(
    env: &HashMap<String, String>,
    files: &HashMap<PathBuf, HashMap<String, String>>,
    sources: &HashMap<String, String>,
    maskable: &FxHashSet<String>,
) -> HashMap<String, String> {
    let mut redact = HashMap::new();
    for (key, value) in env
        .iter()
        .chain(files.values().flat_map(|vars| vars.iter()))
    {
        if should_mask(key, sources, maskable) {
            redact.insert(key.clone(), value.clone());
        }
    }
    redact
}

#[cfg(test)]
mod tests {
    use super::*;
    use rustc_hash::FxHashSet;

    #[test]
    fn test_only_maskable_sources_included() {
        let env = HashMap::from([
            ("RAW".to_string(), "3".to_string()),
            ("SECRET".to_string(), "hunter2".to_string()),
        ]);
        let sources = HashMap::from([
            ("RAW".to_string(), "3".to_string()),
            ("SECRET".to_string(), "op://vault/item/field".to_string()),
        ]);
        let mut maskable = FxHashSet::default();
        maskable.insert("op://vault/item/field".to_string());
        let redact = secrets_for_redaction(&env, &HashMap::new(), &sources, &maskable);
        assert_eq!(redact.len(), 1);
        assert_eq!(redact.get("SECRET").unwrap(), "hunter2");
    }
}