libvault 0.2.2

the libvault is modified from RustyVault
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394

//! This crate is the 'library' part of RustyVault, a Rust and real free replica of Hashicorp Vault.
//! RustyVault is focused on identity-based secrets management and works in two ways independently:
//!
//! 1. A standalone application serving secrets management via RESTful API;
//! 2. A Rust crate that provides same features for other application to integrate.
//!
//! This document is only about the crate part of RustyVault. For the first working mode,
//! please go to RustyVault's [RESTful API documentation], which documents all RustyVault's RESTful API.
//! Users can use an HTTP client tool (curl, e.g.) to send commands to a running RustyVault server and
//! then have relevant secret management features.
//!
//! The second working mode, which works as a typical Rust crate called `libvault`, allows Rust
//! application developers to integrate RustyVault easily into their own applications to have the
//! ability of secrets management such as secure key/vaule storage, public key cryptography, data
//! encryption and so forth.
//!
//! This is the official documentation of crate `libvault`, and it's mainly for developers.
//! Once again, if you are looking for how to use the RustyVault server via a set of RESTful API,
//! then you may prefer the RustyVault's [RESTful API documentation].
//!
//! [Hashicorp Vault]: https://www.hashicorp.com/products/vault
//! [RESTful API documentation]: https://www.tongsuo.net

use std::sync::Arc;

use arc_swap::ArcSwap;
use serde_json::{Map, Value};
use zeroize::Zeroizing;

use crate::{
    config::Config,
    core::Core,
    errors::RvError,
    logical::{Request, Response},
    modules::{
        auth::AuthModule, credential::cert::CertModule, kv::KvModule, pki::PkiModule,
        policy::PolicyModule,
    },
    mount::MountsMonitor,
    storage::Backend,
};

pub mod config;
pub mod context;
pub mod core;
pub mod errors;
pub mod handler;
pub mod logical;
pub mod module_manager;
pub mod modules;
pub mod mount;
pub mod router;
pub mod shamir;
pub mod storage;
pub mod utils;

/// libvault crate version.
///
/// This constant reflects the crate package version from Cargo.toml and is
/// useful for diagnostics and logging when embedding `libvault` into
/// applications.
pub const VERSION: &str = env!("CARGO_PKG_VERSION");

/// Main entry point for using the `libvault` crate programmatically.
///
/// `RustyVault` holds an `ArcSwap<Core>` which contains the operating state
/// and runtime components (modules, storage backend, handlers) and a
/// token cache for client authentication. The type is intentionally
/// lightweight to allow cloning the inner `Arc` for concurrent usage.
pub struct RustyVault {
    /// Shared, atomically-updatable reference to the internal `Core`.
    pub core: ArcSwap<Core>,

    /// Cached client token used for requests when an explicit token is not
    /// provided. Stored in an `ArcSwap` to allow lock-free updates.
    pub token: ArcSwap<String>,
}

impl RustyVault {
    pub fn new(backend: Arc<dyn Backend>, config: Option<&Config>) -> Result<Self, RvError> {
        let mut core = Core::new(backend);
        if let Some(conf) = config {
            core.mount_entry_hmac_level = conf.mount_entry_hmac_level;
            core.mounts_monitor_interval = conf.mounts_monitor_interval;
        }

        let core = core.wrap();

        if core.mounts_monitor_interval > 0 {
            core.mounts_monitor.store(Some(Arc::new(MountsMonitor::new(
                core.clone(),
                core.mounts_monitor_interval,
            ))));
        }

        core.module_manager.set_default_modules(core.clone())?;

        // add auth_module
        let auth_module = AuthModule::new(core.clone())?;
        core.module_manager.add_module(Arc::new(auth_module))?;

        // add policy_module
        let policy_module = PolicyModule::new(core.clone());
        core.module_manager.add_module(Arc::new(policy_module))?;

        // add pki_module
        let pki_module = PkiModule::new(core.clone());
        core.module_manager.add_module(Arc::new(pki_module))?;

        // add credential module: cert
        let cert_module = CertModule::new(core.clone());
        core.module_manager.add_module(Arc::new(cert_module))?;

        // add kv module
        let kv_module = KvModule::new(core.clone());
        core.module_manager.add_module(Arc::new(kv_module))?;

        let handlers = core.handlers.load().clone();
        for handler in handlers.iter() {
            match handler.post_config(core.clone(), config) {
                Ok(_) => {
                    continue;
                }
                Err(error) => {
                    if error != RvError::ErrHandlerDefault {
                        return Err(error);
                    }
                }
            }
        }

        Ok(Self {
            core: ArcSwap::new(core),
            token: ArcSwap::new(Arc::new(String::new())),
        })
    }

    /// Initialize the vault with the provided `SealConfig`.
    ///
    /// This forwards to the `Core::init` implementation which performs the
    /// necessary cryptographic initialization (generating KEK, master keys,
    /// and initial state). Returns an `InitResult` describing the outcome.
    pub async fn init(&self, seal_config: &core::SealConfig) -> Result<core::InitResult, RvError> {
        self.core.load().init(seal_config).await
    }

    /// This is a lightweight query that checks the stored state in `Core`. \
    /// Returns whether the vault has already been initialized.
    pub async fn inited(&self) -> Result<bool, RvError> {
        self.core.load().inited().await
    }

    pub async fn unseal(&self, keys: &[&[u8]]) -> Result<bool, RvError> {
        for key in keys.iter() {
            if self.core.load().unseal(key).await? {
                return Ok(true);
            }
        }

        Ok(false)
    }

    /// Attempts to unseal the vault using a list of candidate unseal keys.
    ///
    /// Tries each supplied key in order and returns `Ok(true)` as soon as one
    /// key successfully unseals the vault. If none succeed, returns `Ok(false)`.
    ///
    /// Unseals the vault once and immediately generates new unseal keys.
    ///
    /// This is a high-level wrapper around the core's unseal_once method that provides
    /// one-time unseal functionality with automatic key rotation for enhanced security.
    ///
    /// # Arguments
    /// - `key`: The unseal key to use for the unseal operation
    ///
    /// # Returns
    /// A `Result` containing new unseal keys if successful, or an error if the operation fails.
    ///
    /// # Security
    /// - Prevents replay attacks by invalidating used keys
    /// - Automatically generates fresh keys for future use
    /// - Provides forward secrecy through key rotation
    pub async fn unseal_once(&self, key: &[u8]) -> Result<Zeroizing<Vec<Vec<u8>>>, RvError> {
        self.core.load().unseal_once(key).await
    }

    /// Generates new unseal keys using the current Key Encryption Key (KEK).
    ///
    /// This is a high-level wrapper around the core's generate_unseal_keys method
    /// that creates a fresh set of unseal keys for future vault operations.
    ///
    /// # Returns
    /// A `Result` containing new unseal key shares, or an error if generation fails.
    ///
    /// # Requirements
    /// - The vault must be currently unsealed
    /// - A valid KEK must exist in the current state
    ///
    /// # Security
    /// - Uses Shamir's Secret Sharing for key distribution
    /// - Generated keys are cryptographically independent
    /// - Returns zeroizing vector for secure memory cleanup
    pub async fn generate_unseal_keys(&self) -> Result<Zeroizing<Vec<Vec<u8>>>, RvError> {
        self.core.load().generate_unseal_keys().await
    }

    pub async fn seal(&self) -> Result<(), RvError> {
        self.core.load().seal().await
    }

    /// Seal the vault, wiping sensitive in-memory keys as needed.
    ///
    /// This instructs `Core` to transition into a sealed state where secret
    /// material is protected until a successful unseal operation.
    pub fn set_token<S: Into<String>>(&self, token: S) {
        self.token.store(Arc::new(token.into()));
    }

    /// Set the cached client token used for subsequent requests when an
    /// explicit token is not provided to the API methods.
    pub async fn mount<S: Into<String>>(
        &self,
        token: Option<S>,
        path: S,
        mount_type: S,
    ) -> Result<Option<Response>, RvError> {
        let data = serde_json::json!({
            "type": mount_type.into(),
        })
        .as_object()
        .cloned();

        self.write::<String>(
            token.map(|t| t.into()),
            format!("sys/mounts/{}", path.into()),
            data,
        )
        .await
    }

    /// Mount a new secrets engine at `path` of the given `mount_type`.
    ///
    /// If `token` is `None`, the cached token from `set_token` will be used.
    pub async fn unmount<S: Into<String>>(
        &self,
        token: Option<S>,
        path: S,
    ) -> Result<Option<Response>, RvError> {
        self.delete::<String>(
            token.map(|t| t.into()),
            format!("sys/mounts/{}", path.into()),
            None,
        )
        .await
    }

    /// Unmount a previously mounted secrets engine at `path`.
    pub async fn remount<S: Into<String>>(
        &self,
        token: Option<S>,
        from: S,
        to: S,
    ) -> Result<Option<Response>, RvError> {
        let data = serde_json::json!({
            "from": from.into(),
            "to": to.into(),
        })
        .as_object()
        .cloned();

        self.write::<String>(token.map(|t| t.into()), "sys/remount".to_string(), data)
            .await
    }

    /// Remount a secrets engine from one path to another.
    pub async fn enable_auth<S: Into<String>>(
        &self,
        token: Option<S>,
        path: S,
        auth_type: S,
    ) -> Result<Option<Response>, RvError> {
        let data = serde_json::json!({
            "type": auth_type.into(),
        })
        .as_object()
        .cloned();

        self.write::<String>(
            token.map(|t| t.into()),
            format!("sys/auth/{}", path.into()),
            data,
        )
        .await
    }

    /// Enable an authentication method at `path` with the given `auth_type`.
    pub async fn disable_auth<S: Into<String>>(
        &self,
        token: Option<S>,
        path: S,
    ) -> Result<Option<Response>, RvError> {
        self.delete::<String>(
            token.map(|t| t.into()),
            format!("sys/auth/{}", path.into()),
            None,
        )
        .await
    }

    /// Disable an authentication method at `path`.
    pub async fn login<S: Into<String>>(
        &self,
        path: S,
        data: Option<Map<String, Value>>,
    ) -> Result<(Option<Response>, bool), RvError> {
        let mut login_success = false;
        let mut req = Request::new_write_request(path, data);
        let resp = self.core.load().handle_request(&mut req).await?;
        if let Some(response) = resp.as_ref()
            && let Some(auth) = response.auth.as_ref()
        {
            self.token.store(Arc::new(auth.client_token.clone()));
            login_success = true;
        }

        Ok((resp, login_success))
    }

    /// Perform a login against an auth backend at `path` using `data`.
    ///
    /// On success the returned tuple contains the full `Response` and a
    /// boolean indicating whether login succeeded; when credentials include
    /// a client token it will also be cached in `RustyVault`.
    pub async fn request(&self, req: &mut Request) -> Result<Option<Response>, RvError> {
        self.core.load().handle_request(req).await
    }

    /// Send a prepared logical `Request` to the core request handler.
    ///
    /// This is the low-level API for executing read/write/delete/list
    /// operations when callers prefer to construct `Request` themselves.
    pub async fn read<S: Into<String>>(
        &self,
        token: Option<S>,
        path: &str,
    ) -> Result<Option<Response>, RvError> {
        let mut req = Request::new_read_request(path);
        req.client_token = token
            .map(Into::into)
            .unwrap_or_else(|| self.token.load().as_ref().clone());
        self.request(&mut req).await
    }

    /// Read a secret at `path` using the provided or cached token.
    pub async fn write<S: Into<String>>(
        &self,
        token: Option<S>,
        path: S,
        data: Option<Map<String, Value>>,
    ) -> Result<Option<Response>, RvError> {
        let mut req = Request::new_write_request(path, data);
        req.client_token = token
            .map(Into::into)
            .unwrap_or_else(|| self.token.load().as_ref().clone());
        self.request(&mut req).await
    }

    /// Write `data` to `path` using provided or cached token.
    pub async fn delete<S: Into<String>>(
        &self,
        token: Option<S>,
        path: S,
        data: Option<Map<String, Value>>,
    ) -> Result<Option<Response>, RvError> {
        let mut req = Request::new_delete_request(path, data);
        req.client_token = token
            .map(Into::into)
            .unwrap_or_else(|| self.token.load().as_ref().clone());
        self.request(&mut req).await
    }

    /// Delete data at `path` with optional request body.
    pub async fn list<S: Into<String>>(
        &self,
        token: Option<S>,
        path: S,
    ) -> Result<Option<Response>, RvError> {
        let mut req = Request::new_list_request(path);
        req.client_token = token
            .map(Into::into)
            .unwrap_or_else(|| self.token.load().as_ref().clone());
        self.request(&mut req).await
    }
}