orchestrator-security 0.3.0

SecretStore encryption, key lifecycle, audit, and secure file helpers
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107

//! SecretStore encryption, key lifecycle, audit, and secure file helpers.
//!
//! This crate provides the security primitives used by the agent orchestrator
//! for encrypting/decrypting SecretStore values, managing key rotation, emitting
//! audit events, and creating files/directories with safe permissions.

#![cfg_attr(
    not(test),
    deny(clippy::panic, clippy::unwrap_used, clippy::expect_used)
)]
#![deny(missing_docs)]

/// SecretStore key audit event types and database helpers.
pub mod secret_key_audit;
/// SecretStore key lifecycle state machine and rotation logic.
pub mod secret_key_lifecycle;
/// SecretStore encryption/decryption helpers (AES-256-GCM-SIV envelope scheme).
pub mod secret_store_crypto;
/// Secure file and directory creation helpers.
pub mod secure_files;

/// Initializes the minimal database schema required by security tests.
///
/// Creates the `secret_keys`, `secret_key_audit`, and `resources` tables
/// needed by lifecycle and crypto integration tests without pulling in
/// the full persistence bootstrap.
#[cfg(test)]
pub(crate) fn init_test_schema(db_path: &std::path::Path) -> anyhow::Result<()> {
    let conn = open_conn(db_path)?;
    conn.execute_batch(
        r#"
        CREATE TABLE IF NOT EXISTS schema_version (
            version INTEGER NOT NULL
        );
        INSERT INTO schema_version (version) VALUES (99);

        CREATE TABLE IF NOT EXISTS secret_keys (
            key_id TEXT PRIMARY KEY,
            state TEXT NOT NULL,
            fingerprint TEXT NOT NULL,
            file_path TEXT NOT NULL,
            created_at TEXT NOT NULL,
            activated_at TEXT,
            rotated_out_at TEXT,
            retired_at TEXT,
            revoked_at TEXT
        );
        CREATE INDEX IF NOT EXISTS idx_secret_keys_state ON secret_keys(state);

        CREATE TABLE IF NOT EXISTS secret_key_audit (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            event_kind TEXT NOT NULL,
            key_id TEXT NOT NULL,
            key_fingerprint TEXT NOT NULL,
            actor TEXT NOT NULL,
            detail_json TEXT NOT NULL DEFAULT '{}',
            created_at TEXT NOT NULL
        );
        CREATE INDEX IF NOT EXISTS idx_secret_key_audit_created ON secret_key_audit(created_at);
        CREATE INDEX IF NOT EXISTS idx_secret_key_audit_key_id ON secret_key_audit(key_id, created_at);

        CREATE TABLE IF NOT EXISTS resources (
            kind TEXT NOT NULL,
            project TEXT NOT NULL,
            name TEXT NOT NULL,
            api_version TEXT NOT NULL,
            spec_json TEXT NOT NULL,
            metadata_json TEXT NOT NULL,
            generation INTEGER NOT NULL DEFAULT 1,
            created_at TEXT NOT NULL,
            updated_at TEXT NOT NULL,
            PRIMARY KEY (kind, project, name)
        );

        CREATE TABLE IF NOT EXISTS resource_versions (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            kind TEXT NOT NULL,
            project TEXT NOT NULL,
            name TEXT NOT NULL,
            spec_json TEXT NOT NULL,
            metadata_json TEXT NOT NULL DEFAULT '{}',
            version INTEGER NOT NULL,
            author TEXT NOT NULL DEFAULT '',
            created_at TEXT NOT NULL
        );
        CREATE INDEX IF NOT EXISTS idx_resource_versions_lookup
            ON resource_versions(kind, project, name, version DESC);
        "#,
    )?;
    Ok(())
}

/// Returns the current UTC timestamp as an RFC 3339 string.
pub(crate) fn now_ts() -> String {
    chrono::Utc::now().to_rfc3339_opts(chrono::SecondsFormat::Secs, true)
}

/// Opens a SQLite connection and applies standard busy-timeout and pragma settings.
pub(crate) fn open_conn(db_path: &std::path::Path) -> anyhow::Result<rusqlite::Connection> {
    use anyhow::Context;
    let conn = rusqlite::Connection::open(db_path).context("failed to open sqlite db")?;
    conn.busy_timeout(std::time::Duration::from_millis(5000))
        .context("failed to set sqlite busy timeout")?;
    conn.execute_batch("PRAGMA foreign_keys = ON;")
        .context("failed to configure sqlite pragmas")?;
    Ok(conn)
}