secret_rs 0.4.2

a library to embed a secret value into a running binary
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

# secret_rs

A library that supports injecting file system's secrets or environment
variables secrets into a JSON configuration.

The goal of `secret_rs` is twofold:

- improve the developer experience by centralizing all the application's configuration
  under the same location, that is allowing access of both secret and unsecreted values
  within the same data structure 
- simplify secret management in the context of cloud-native applications, such as K8s containers

## Overview

`secret_rs` library enables applications to load a JSON configuration file that
may contain references to external secret values without writing them in plaintext.

This is achieved by transparently resolving the external secrets during the deserialization process. Secrets can be read from:

- a plaintext value within the configuration, so that the same interface
  can be employed also for non-sensitive values
- an environment variable
- the content of a file
- the content of a key within a file (such a `.ini` or `.json`)

In addition, when using an environment variable or a file, it is possible to optionally
specify in which encoding the value has been stored.
In this manner, the library can load external secrets saved in a format different from plaintext. At the moment only `base64` is supported.

## Configuration Examples

In this section are listed all the possible ways a secret can be written within a JSON configuration file:

1. as a plain string
    ```json
    {
       "secret": "not so secret"
    }
    ```
2. as a reference to an environment variable
    ```json
    {
       "secret": {
          "type": "env",
          "key": "MY_SECRET_ENV_VAR_NAME"
       }
    }
    ```
3. as a reference to a file (load all its content as secret)
    ```json
    {
       "secret": {
          "type": "file",
          "path": "/path/to/file"
       }
    }
    ```
4. as a reference to a key in a JSON or INI file (load only the key's value as secret)
    ```json
    {
       "secret": {
          "type": "file",
          "path": "/path/to/file",
          "key": "MY_SECRET"
       }
    }
    ```

The application is then able to deserialize all of them using the `Secret` enum.

```rust
use secret_rs::Secret;
use serde::{Deserialize, Serialize};

#[derive(Deserialize, Serialize)]
pub struct AppConfig {
    /// my external sensitive value
    pub secret: Secret,
}
```

The value of `secret` field then can be read using its `read()` method, which allows
extracting the actual value contained within the deserialized enum.

## Contributing

More details on how to contribute to this project can be found in [CONTRIBUTING.md](CONTRIBUTING.md) file.