mssql_auth/lib.rs
//! # mssql-auth
//!
//! Authentication strategies for SQL Server connections.
//!
//! Authentication is kept apart from connection handling so that each
//! method can be developed, reviewed and tested on its own.
//!
//! ## Supported Authentication Methods
//!
//! | Method | Feature Flag | Status | Description |
//! |--------|--------------|--------|-------------|
//! | SQL Authentication | default | ✅ Implemented | Username/password |
//! | Azure AD Token | default | ✅ Implemented | Pre-obtained access token |
//! | Azure Managed Identity | `azure-identity` | ✅ Implemented | VM/container identity |
//! | Service Principal | `azure-identity` | ✅ Implemented | App credentials |
//! | Integrated (Kerberos) | `integrated-auth` | ✅ Implemented | GSSAPI/Kerberos (Linux/macOS) |
//! | Windows SSPI | `sspi-auth` | ✅ Implemented | Native Windows SSPI |
//! | Certificate | `cert-auth` | ✅ Implemented | Client certificate (mTLS) |
//!
//! ## Authentication Tiers
//!
//! Per ARCHITECTURE.md, authentication is tiered. Tier 1 is always
//! compiled; the other tiers only exist when their feature is enabled, so
//! their items are named in code font below rather than linked.
//!
//! ### Tier 1 (Core - Pure Rust, Default) ✅ Implemented
//!
//! - [`SqlServerAuth`] - Username/password via Login7
//! - [`AzureAdAuth`] - Pre-acquired access token
//!
//! ### Tier 2 (Azure Native - `azure-identity` feature) ✅ Implemented
//!
//! - `ManagedIdentityAuth` - Azure VM/Container identity
//! - `ServicePrincipalAuth` - Client ID + Secret
//!
//! ### Tier 3 (Enterprise - `integrated-auth` or `sspi-auth` feature) ✅ Implemented
//!
//! - `IntegratedAuth` - Kerberos (Linux/macOS via GSSAPI)
//! - `SspiAuth` - Windows SSPI (native Windows, cross-platform via sspi-rs)
//!
//! ### Tier 4 (Certificate - `cert-auth` feature) ✅ Implemented
//!
//! - `CertificateAuth` - Client certificate authentication (mTLS)
//!
//! ## Secure Credential Handling
//!
//! Enable the `zeroize` feature for secure credential handling:
//!
//! ```toml
//! mssql-auth = { version = "0.1", features = ["zeroize"] }
//! ```
//!
//! With the feature on, the crate exports the `SecretString` and
//! `SecureCredentials` types, which zero their sensitive contents when
//! dropped. Without it, the plain [`Credentials`] type is the only
//! credential container re-exported here.
//!
//! ## Example
//!
//! The password and token below are placeholders for values obtained from
//! the application's own configuration or token source.
//!
//! ```rust
//! use mssql_auth::{SqlServerAuth, AzureAdAuth, AuthProvider};
//!
//! // SQL Server authentication
//! let sql_auth = SqlServerAuth::new("sa", "Password123!");
//! let auth_data = sql_auth.authenticate().unwrap();
//!
//! // Azure AD authentication with pre-acquired token
//! let azure_auth = AzureAdAuth::with_token("eyJ0eXAi...");
//! ```

#![warn(missing_docs)]
// `unsafe_code` is denied for the whole crate. The one exception is the
// Windows CNG FFI in `windows_certstore`, which opts back in with a scoped
// `#[allow(unsafe_code)]` (see the module declaration below); each unsafe
// block in that file carries its own SAFETY comment.
#![deny(unsafe_code)]

// ---------------------------------------------------------------------------
// Modules
// ---------------------------------------------------------------------------

// Always compiled.
pub mod azure_ad;
pub mod credentials;
pub mod encryption;
pub mod error;
pub mod provider;
pub mod sql_auth;

// Feature-gated authentication backends.
#[cfg(feature = "azure-identity")]
pub mod azure_identity_auth;
#[cfg(feature = "cert-auth")]
pub mod cert_auth;
#[cfg(feature = "integrated-auth")]
pub mod integrated_auth;
#[cfg(feature = "sspi-auth")]
pub mod sspi_auth;
// Shared SSPI/GSSAPI negotiation; needed by either enterprise backend.
#[cfg(any(feature = "integrated-auth", feature = "sspi-auth"))]
pub mod negotiator;

// Always Encrypted cryptography.
#[cfg(feature = "always-encrypted")]
pub mod aead;
#[cfg(feature = "always-encrypted")]
pub mod key_store;
#[cfg(feature = "always-encrypted")]
pub mod key_unwrap;

// Always Encrypted key providers.
#[cfg(feature = "azure-keyvault")]
pub mod azure_keyvault;
#[cfg(all(windows, feature = "windows-certstore"))]
#[allow(unsafe_code)] // Windows CNG FFI; see SAFETY comments in each unsafe block
pub mod windows_certstore;

// ---------------------------------------------------------------------------
// Re-exports
// ---------------------------------------------------------------------------

// Core types.
pub use credentials::Credentials;
pub use error::AuthError;
pub use provider::AsyncAuthProvider;
pub use provider::AuthData;
pub use provider::AuthMethod;
pub use provider::AuthProvider;

// Default (Tier 1) authentication providers.
pub use azure_ad::AzureAdAuth;
pub use azure_ad::FedAuthLibrary;
pub use sql_auth::SqlServerAuth;

// Zeroizing credential types (`zeroize` feature).
#[cfg(feature = "zeroize")]
pub use credentials::{SecretString, SecureCredentials};

// Tier 2: Azure Identity (`azure-identity` feature).
#[cfg(feature = "azure-identity")]
pub use azure_identity_auth::ManagedIdentityAuth;
#[cfg(feature = "azure-identity")]
pub use azure_identity_auth::ServicePrincipalAuth;

// Tier 3: Kerberos/GSSAPI (`integrated-auth`) and Windows SSPI (`sspi-auth`),
// plus the negotiator trait they share.
#[cfg(feature = "integrated-auth")]
pub use integrated_auth::IntegratedAuth;
#[cfg(feature = "sspi-auth")]
pub use sspi_auth::SspiAuth;
#[cfg(any(feature = "integrated-auth", feature = "sspi-auth"))]
pub use negotiator::SspiNegotiator;

// Tier 4: Azure AD with an X.509 client certificate (`cert-auth` feature).
#[cfg(feature = "cert-auth")]
pub use cert_auth::CertificateAuth;

// Always Encrypted infrastructure (always compiled).
pub use encryption::CekMetadata;
pub use encryption::ColumnEncryptionConfig;
pub use encryption::ColumnEncryptionInfo;
pub use encryption::EncryptedValue;
pub use encryption::EncryptionError;
pub use encryption::EncryptionType;
pub use encryption::KeyStoreProvider;

// Always Encrypted cryptography (`always-encrypted` feature).
#[cfg(feature = "always-encrypted")]
pub use aead::AeadEncryptor;
#[cfg(feature = "always-encrypted")]
pub use key_store::CekCache;
#[cfg(feature = "always-encrypted")]
pub use key_store::CekCacheKey;
#[cfg(feature = "always-encrypted")]
pub use key_store::InMemoryKeyStore;
#[cfg(feature = "always-encrypted")]
pub use key_unwrap::RsaKeyUnwrapper;

// Always Encrypted key providers.
#[cfg(feature = "azure-keyvault")]
pub use azure_keyvault::AzureKeyVaultProvider;
#[cfg(all(windows, feature = "windows-certstore"))]
pub use windows_certstore::WindowsCertStoreProvider;