openbao 0.10.0

Secure, typed, async Rust SDK for OpenBao
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168

//! Cubbyhole secrets engine support.
//!
//! Cubbyhole data is scoped to the client token used for each request. It is
//! useful for short-lived handoff data, response wrapping workflows, and
//! per-token scratch storage. Do not use it as a replacement for shared KV
//! application configuration.

use reqwest::Method;
use serde::{Deserialize, Serialize, de::DeserializeOwned};

use crate::{
    Authenticated, Client, Result,
    path::{validate_endpoint_path, validate_mount_path},
    response::{Empty, ListEntries, ResponseEnvelope, deserialize_bounded_string_vec},
};

/// Handle for a mounted Cubbyhole secrets engine.
#[derive(Debug)]
pub struct Cubbyhole<'a> {
    client: &'a Client<Authenticated>,
    mount: Vec<String>,
}

/// Cubbyhole list response.
#[derive(Clone, Debug, Deserialize, Serialize)]
pub struct CubbyholeList {
    /// Child keys. Directory-like entries end with `/`.
    #[serde(default, deserialize_with = "deserialize_bounded_string_vec")]
    pub keys: Vec<String>,
}

impl ListEntries for CubbyholeList {
    fn entries(&self) -> &[String] {
        &self.keys
    }
}

impl Client<Authenticated> {
    /// Uses the default Cubbyhole engine mounted at `cubbyhole`.
    pub fn cubbyhole(&self) -> Result<Cubbyhole<'_>> {
        self.cubbyhole_at("cubbyhole")
    }

    /// Uses a Cubbyhole engine mounted at `mount`.
    pub fn cubbyhole_at(&self, mount: impl Into<String>) -> Result<Cubbyhole<'_>> {
        let mount = mount.into();
        Ok(Cubbyhole {
            client: self,
            mount: validate_mount_path(&mount)?,
        })
    }
}

impl Cubbyhole<'_> {
    /// Reads a Cubbyhole secret scoped to the authenticated token.
    pub async fn read<T>(&self, path: &str) -> Result<T>
    where
        T: DeserializeOwned,
    {
        let envelope: ResponseEnvelope<T> = self
            .client
            .request_json(Method::GET, &self.path(path)?, Option::<&Empty>::None)
            .await?;
        Ok(envelope.data)
    }

    /// Reads a Cubbyhole secret and maps OpenBao `404` to `None`.
    pub async fn read_optional<T>(&self, path: &str) -> Result<Option<T>>
    where
        T: DeserializeOwned,
    {
        match self.read(path).await {
            Ok(secret) => Ok(Some(secret)),
            Err(error) if error.is_not_found() => Ok(None),
            Err(error) => Err(error),
        }
    }

    /// Reads a Cubbyhole secret as a bounded service configuration map.
    ///
    /// Each value must be a JSON string and is loaded as
    /// [`SecretString`](crate::SecretString).
    #[cfg(feature = "kv2")]
    pub async fn read_service_config(
        &self,
        path: &str,
    ) -> Result<crate::secrets::kv2::Kv2ServiceConfig> {
        self.read(path).await
    }

    /// Writes a Cubbyhole secret scoped to the authenticated token.
    pub async fn write<T>(&self, path: &str, data: T) -> Result<Empty>
    where
        T: Serialize,
    {
        self.client
            .request_json(Method::POST, &self.path(path)?, Some(&data))
            .await
    }

    /// Deletes a Cubbyhole secret scoped to the authenticated token.
    pub async fn delete(&self, path: &str) -> Result<Empty> {
        self.client
            .request_json(Method::DELETE, &self.path(path)?, Option::<&Empty>::None)
            .await
    }

    /// Lists keys below a Cubbyhole path.
    pub async fn list(&self, path: &str) -> Result<CubbyholeList> {
        let method = Method::from_bytes(b"LIST")
            .map_err(|error| crate::Error::InvalidHeader(error.to_string()))?;
        let envelope: ResponseEnvelope<CubbyholeList> = self
            .client
            .request_json(method, &self.path(path)?, Option::<&Empty>::None)
            .await?;
        Ok(envelope.data)
    }

    fn path(&self, path: &str) -> Result<String> {
        let mut segments = self.mount.clone();
        segments.extend(validate_endpoint_path(path)?);
        Ok(segments.join("/"))
    }
}

#[cfg(test)]
mod tests {
    #![allow(clippy::panic)]

    use secrecy::SecretString;

    use crate::{Client, OpenBaoConfig};

    use super::CubbyholeList;

    #[test]
    fn cubbyhole_paths_are_validated() {
        let config = OpenBaoConfig::new("http://127.0.0.1:8200")
            .and_then(OpenBaoConfig::allow_localhost_http)
            .unwrap_or_else(|error| panic!("{error}"));
        let client = Client::from_config(config)
            .and_then(|client| client.try_with_token(SecretString::from("token")))
            .unwrap_or_else(|error| panic!("{error}"));
        let cubbyhole = client.cubbyhole().unwrap_or_else(|error| panic!("{error}"));
        assert_eq!(
            cubbyhole
                .path("handoff/config")
                .unwrap_or_else(|error| panic!("{error}")),
            "cubbyhole/handoff/config"
        );
        assert!(cubbyhole.path("../config").is_err());
        assert!(client.cubbyhole_at("../cubbyhole").is_err());
    }

    #[test]
    fn cubbyhole_list_keys_are_bounded() {
        let mut keys = Vec::new();
        for index in 0..=crate::response::MAX_RESPONSE_STRINGS {
            keys.push(format!("key-{index}"));
        }
        let value = serde_json::json!({ "keys": keys });
        let error = match serde_json::from_value::<CubbyholeList>(value) {
            Ok(_) => panic!("oversized Cubbyhole key list unexpectedly decoded"),
            Err(error) => error,
        };
        assert!(error.to_string().contains("exceeds item limit"));
    }
}