secret_store 0.1.1

A unified, async secret store interface for Azure Key Vault, AWS Secrets Manager, GCP Secret Manager, and generic HTTP endpoints
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121

//! AWS Secrets Manager SDK abstraction and real adapter.

use async_trait::async_trait;
use aws_sdk_secretsmanager::Client;

use super::types::map_aws_error;
use crate::common::{Error, Result};

// ─────────────────────────────────────────────────────────────────────────────
// SDK abstraction trait
// ─────────────────────────────────────────────────────────────────────────────

/// Low-level AWS Secrets Manager operations.
///
/// The real implementation wraps the AWS SDK [`Client`]; unit tests inject a
/// `MockAwsSmOps` generated by `mockall`.
#[cfg_attr(test, mockall::automock)]
#[async_trait]
pub trait AwsSmOps: Send + Sync {
    /// Minimal label used by `Display` (e.g. `"AwsSecretsManager(region=us-east-1)"`).
    fn display_name(&self) -> String;
    /// Verbose info used by `Debug` (region, endpoint override, provider tag).
    fn debug_info(&self) -> String;

    async fn get(&self, name: &str) -> Result<String>;
    /// Creates a new secret (will fail if it already exists).
    async fn create(&self, name: &str, value: &str) -> Result<()>;
    /// Updates the value of an existing secret.
    async fn put(&self, name: &str, value: &str) -> Result<()>;
    async fn delete(&self, name: &str) -> Result<()>;
    async fn list(&self, prefix: Option<String>) -> Result<Vec<String>>;
}

// ─────────────────────────────────────────────────────────────────────────────
// Real SDK adapter
// ─────────────────────────────────────────────────────────────────────────────

/// Wraps the real `aws_sdk_secretsmanager::Client`.
pub(super) struct AwsSdkClient {
    pub client: Client,
}

#[async_trait]
impl AwsSmOps for AwsSdkClient {
    fn display_name(&self) -> String {
        let region = self
            .client
            .config()
            .region()
            .map(|r| r.as_ref().to_owned())
            .unwrap_or_else(|| "unknown".to_owned());
        format!("AwsSecretsManager(region={})", region)
    }

    fn debug_info(&self) -> String {
        let cfg = self.client.config();
        let region = cfg.region().map(|r| r.as_ref()).unwrap_or("unknown");
        format!("region={region}, provider=AwsSecretsManager")
    }

    async fn get(&self, name: &str) -> Result<String> {
        self.client
            .get_secret_value()
            .secret_id(name)
            .send()
            .await
            .map_err(|e| map_aws_error(name, e.into_service_error()))
            .map(|r| r.secret_string().unwrap_or_default().to_owned())
    }

    async fn create(&self, name: &str, value: &str) -> Result<()> {
        self.client
            .create_secret()
            .name(name)
            .secret_string(value)
            .send()
            .await
            .map(|_| ())
            .map_err(|e| map_aws_error(name, e.into_service_error()))
    }

    async fn put(&self, name: &str, value: &str) -> Result<()> {
        self.client
            .put_secret_value()
            .secret_id(name)
            .secret_string(value)
            .send()
            .await
            .map(|_| ())
            .map_err(|e| map_aws_error(name, e.into_service_error()))
    }

    async fn delete(&self, name: &str) -> Result<()> {
        self.client
            .delete_secret()
            .secret_id(name)
            .send()
            .await
            .map(|_| ())
            .map_err(|e| map_aws_error(name, e.into_service_error()))
    }

    async fn list(&self, prefix: Option<String>) -> Result<Vec<String>> {
        let mut names = Vec::new();
        let mut paginator = self.client.list_secrets().into_paginator().send();
        while let Some(page) = paginator.next().await {
            let page = page.map_err(|e| Error::Generic {
                store: "AwsSecretsManager",
                source: Box::new(e.into_service_error()),
            })?;
            for entry in page.secret_list() {
                if let Some(n) = entry.name() {
                    if prefix.as_deref().is_none_or(|p| n.starts_with(p)) {
                        names.push(n.to_owned());
                    }
                }
            }
        }
        Ok(names)
    }
}