llm-shield-cloud 0.1.1

Cloud abstraction layer for LLM Shield - unified traits for AWS, GCP, and Azure
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403

//! Secret management abstractions.
//!
//! Provides unified trait for secret management across cloud providers:
//! - AWS Secrets Manager
//! - GCP Secret Manager
//! - Azure Key Vault

use crate::error::{CloudError, Result};
use async_trait::async_trait;
use std::collections::HashMap;
use std::sync::Arc;
use std::time::{Duration, Instant};
use tokio::sync::RwLock;

/// Represents a secret value that can be stored and retrieved.
#[derive(Clone, Debug)]
pub struct SecretValue {
    data: Vec<u8>,
}

impl SecretValue {
    /// Creates a secret value from a string.
    pub fn from_string(s: String) -> Self {
        Self {
            data: s.into_bytes(),
        }
    }

    /// Creates a secret value from bytes.
    pub fn from_bytes(data: Vec<u8>) -> Self {
        Self { data }
    }

    /// Returns the secret value as a string.
    ///
    /// # Panics
    ///
    /// Panics if the data is not valid UTF-8.
    pub fn as_string(&self) -> &str {
        std::str::from_utf8(&self.data).expect("Secret value is not valid UTF-8")
    }

    /// Returns the secret value as bytes.
    pub fn as_bytes(&self) -> &[u8] {
        &self.data
    }

    /// Returns the length of the secret in bytes.
    pub fn len(&self) -> usize {
        self.data.len()
    }

    /// Checks if the secret is empty.
    pub fn is_empty(&self) -> bool {
        self.data.is_empty()
    }
}

/// Metadata about a secret.
#[derive(Debug, Clone)]
pub struct SecretMetadata {
    /// The name/ID of the secret.
    pub name: String,

    /// When the secret was created.
    pub created_at: chrono::DateTime<chrono::Utc>,

    /// When the secret was last updated.
    pub updated_at: chrono::DateTime<chrono::Utc>,

    /// Optional tags/labels for the secret.
    pub tags: HashMap<String, String>,

    /// Secret version (if supported by provider).
    pub version: Option<String>,
}

/// Unified trait for cloud secret management.
///
/// This trait provides a consistent interface for managing secrets across
/// different cloud providers (AWS, GCP, Azure).
#[async_trait]
pub trait CloudSecretManager: Send + Sync {
    /// Fetches a secret by name.
    ///
    /// # Arguments
    ///
    /// * `name` - The name/ID of the secret to fetch
    ///
    /// # Returns
    ///
    /// Returns the secret value if found.
    ///
    /// # Errors
    ///
    /// Returns `CloudError::SecretNotFound` if the secret doesn't exist.
    /// Returns `CloudError::SecretFetch` if the fetch operation fails.
    async fn get_secret(&self, name: &str) -> Result<SecretValue>;

    /// Lists all secret names.
    ///
    /// # Returns
    ///
    /// Returns a vector of secret names/IDs.
    ///
    /// # Errors
    ///
    /// Returns `CloudError::SecretList` if the list operation fails.
    async fn list_secrets(&self) -> Result<Vec<String>>;

    /// Creates a new secret.
    ///
    /// # Arguments
    ///
    /// * `name` - The name/ID for the new secret
    /// * `value` - The secret value to store
    ///
    /// # Errors
    ///
    /// Returns `CloudError::SecretCreate` if the create operation fails.
    async fn create_secret(&self, name: &str, value: &SecretValue) -> Result<()>;

    /// Updates an existing secret.
    ///
    /// # Arguments
    ///
    /// * `name` - The name/ID of the secret to update
    /// * `value` - The new secret value
    ///
    /// # Errors
    ///
    /// Returns `CloudError::SecretUpdate` if the update operation fails.
    async fn update_secret(&self, name: &str, value: &SecretValue) -> Result<()>;

    /// Deletes a secret.
    ///
    /// # Arguments
    ///
    /// * `name` - The name/ID of the secret to delete
    ///
    /// # Errors
    ///
    /// Returns `CloudError::SecretDelete` if the delete operation fails.
    async fn delete_secret(&self, name: &str) -> Result<()>;

    /// Rotates a secret (creates a new version).
    ///
    /// Default implementation calls `update_secret`.
    ///
    /// # Arguments
    ///
    /// * `name` - The name/ID of the secret to rotate
    /// * `new_value` - The new secret value
    ///
    /// # Errors
    ///
    /// Returns `CloudError::SecretUpdate` if the rotation fails.
    async fn rotate_secret(&self, name: &str, new_value: &SecretValue) -> Result<()> {
        self.update_secret(name, new_value).await
    }

    /// Gets secret metadata without fetching the value.
    ///
    /// Default implementation fetches the secret and discards the value.
    /// Providers should override this for efficiency.
    ///
    /// # Arguments
    ///
    /// * `name` - The name/ID of the secret
    ///
    /// # Errors
    ///
    /// Returns `CloudError::SecretFetch` if the operation fails.
    async fn get_secret_metadata(&self, name: &str) -> Result<SecretMetadata> {
        // Default implementation - providers should override for efficiency
        let _ = self.get_secret(name).await?;

        Ok(SecretMetadata {
            name: name.to_string(),
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
            tags: HashMap::new(),
            version: None,
        })
    }
}

/// Cached secret with expiration.
#[derive(Clone, Debug)]
struct CachedSecret {
    value: SecretValue,
    cached_at: Instant,
    ttl: Duration,
}

impl CachedSecret {
    /// Checks if the cached secret has expired.
    fn is_expired(&self) -> bool {
        self.cached_at.elapsed() > self.ttl
    }
}

/// In-memory cache for secrets with TTL.
///
/// This cache reduces the number of API calls to cloud secret managers.
pub struct SecretCache {
    cache: Arc<RwLock<HashMap<String, CachedSecret>>>,
    default_ttl: Duration,
}

impl SecretCache {
    /// Creates a new secret cache with the specified TTL.
    ///
    /// # Arguments
    ///
    /// * `ttl_seconds` - Default time-to-live for cached secrets in seconds
    pub fn new(ttl_seconds: u64) -> Self {
        Self {
            cache: Arc::new(RwLock::new(HashMap::new())),
            default_ttl: Duration::from_secs(ttl_seconds),
        }
    }

    /// Gets a secret from the cache if it exists and hasn't expired.
    ///
    /// # Arguments
    ///
    /// * `key` - The secret name/key
    ///
    /// # Returns
    ///
    /// Returns `Some(SecretValue)` if the secret is in cache and not expired,
    /// otherwise returns `None`.
    pub async fn get(&self, key: &str) -> Option<SecretValue> {
        let cache = self.cache.read().await;

        if let Some(cached) = cache.get(key) {
            if !cached.is_expired() {
                return Some(cached.value.clone());
            }
        }

        None
    }

    /// Stores a secret in the cache.
    ///
    /// # Arguments
    ///
    /// * `key` - The secret name/key
    /// * `value` - The secret value to cache
    pub async fn set(&self, key: String, value: SecretValue) {
        let mut cache = self.cache.write().await;
        cache.insert(
            key,
            CachedSecret {
                value,
                cached_at: Instant::now(),
                ttl: self.default_ttl,
            },
        );
    }

    /// Invalidates a specific secret in the cache.
    ///
    /// # Arguments
    ///
    /// * `key` - The secret name/key to invalidate
    pub async fn invalidate(&self, key: &str) {
        let mut cache = self.cache.write().await;
        cache.remove(key);
    }

    /// Clears all secrets from the cache.
    pub async fn clear(&self) {
        let mut cache = self.cache.write().await;
        cache.clear();
    }

    /// Returns the number of secrets currently in the cache.
    pub async fn len(&self) -> usize {
        let cache = self.cache.read().await;
        cache.len()
    }

    /// Checks if the cache is empty.
    pub async fn is_empty(&self) -> bool {
        let cache = self.cache.read().await;
        cache.is_empty()
    }

    /// Removes expired secrets from the cache.
    pub async fn cleanup_expired(&self) {
        let mut cache = self.cache.write().await;
        cache.retain(|_, cached| !cached.is_expired());
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_secret_value_from_string() {
        let secret = SecretValue::from_string("test-secret".to_string());
        assert_eq!(secret.as_string(), "test-secret");
        assert_eq!(secret.len(), 11);
        assert!(!secret.is_empty());
    }

    #[test]
    fn test_secret_value_from_bytes() {
        let data = vec![1, 2, 3, 4];
        let secret = SecretValue::from_bytes(data.clone());
        assert_eq!(secret.as_bytes(), &data[..]);
        assert_eq!(secret.len(), 4);
    }

    #[test]
    fn test_secret_value_empty() {
        let secret = SecretValue::from_bytes(vec![]);
        assert!(secret.is_empty());
        assert_eq!(secret.len(), 0);
    }

    #[tokio::test]
    async fn test_secret_cache_basic() {
        let cache = SecretCache::new(300);
        let secret = SecretValue::from_string("cached-value".to_string());

        // Initially empty
        assert!(cache.is_empty().await);
        assert_eq!(cache.len().await, 0);

        // Set and get
        cache.set("test-key".to_string(), secret.clone()).await;
        assert_eq!(cache.len().await, 1);

        let retrieved = cache.get("test-key").await;
        assert!(retrieved.is_some());
        assert_eq!(retrieved.unwrap().as_string(), "cached-value");

        // Invalidate
        cache.invalidate("test-key").await;
        assert!(cache.get("test-key").await.is_none());
    }

    #[tokio::test]
    async fn test_secret_cache_expiration() {
        let cache = SecretCache::new(1); // 1 second TTL
        let secret = SecretValue::from_string("expires-soon".to_string());

        cache.set("expiring-key".to_string(), secret).await;

        // Should be available immediately
        assert!(cache.get("expiring-key").await.is_some());

        // Wait for expiration
        tokio::time::sleep(Duration::from_secs(2)).await;

        // Should be expired
        assert!(cache.get("expiring-key").await.is_none());
    }

    #[tokio::test]
    async fn test_secret_cache_clear() {
        let cache = SecretCache::new(300);

        cache.set("key1".to_string(), SecretValue::from_string("val1".to_string())).await;
        cache.set("key2".to_string(), SecretValue::from_string("val2".to_string())).await;

        assert_eq!(cache.len().await, 2);

        cache.clear().await;

        assert_eq!(cache.len().await, 0);
        assert!(cache.is_empty().await);
    }

    #[tokio::test]
    async fn test_secret_cache_cleanup_expired() {
        let cache = SecretCache::new(1); // 1 second TTL

        cache.set("short".to_string(), SecretValue::from_string("expires".to_string())).await;

        // Wait for expiration
        tokio::time::sleep(Duration::from_secs(2)).await;

        // Add a fresh entry
        cache.set("fresh".to_string(), SecretValue::from_string("current".to_string())).await;

        // Should have 2 entries (one expired)
        assert_eq!(cache.len().await, 2);

        // Cleanup expired
        cache.cleanup_expired().await;

        // Should only have the fresh entry
        assert_eq!(cache.len().await, 1);
        assert!(cache.get("fresh").await.is_some());
        assert!(cache.get("short").await.is_none());
    }
}