secure_data 0.1.0

Secret wrappers, envelope encryption, KMS providers, crypto agility, and password hashing.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144

//! BDD tests for resolve_secret() — Milestone 13
//!
//! Feature: resolve_secret

use secure_data::config::SecretReference;
use secure_data::error::DataError;
use secure_data::resolve::resolve_secret;

/// Scenario: Resolve env:// — happy path
/// Given env var TEST_SECRET_M13 set to "my-secret"
/// When resolve_secret(&ref) where ref is env://TEST_SECRET_M13
/// Then returns SecretString("my-secret")
#[tokio::test]
async fn test_resolve_env_happy_path() {
    // Given: environment variable is set
    std::env::set_var("TEST_SECRET_M13", "my-secret");

    let reference =
        SecretReference::parse("env://TEST_SECRET_M13").expect("parsing env:// must succeed");

    // When: resolve_secret is called
    let result = resolve_secret(&reference).await;

    // Then: returns the secret value
    let secret = result.expect("resolve_secret must succeed for valid env var");
    assert_eq!(
        secret.expose_secret(),
        "my-secret",
        "resolved value must match env var"
    );

    // Clean up
    std::env::remove_var("TEST_SECRET_M13");
}

/// Scenario: Resolve env:// missing — invalid input
/// Given env var is not set
/// When resolve_secret(&ref)
/// Then returns DataError::SecretNotFound
#[tokio::test]
async fn test_resolve_env_missing() {
    // Given: environment variable is NOT set
    std::env::remove_var("TEST_SECRET_M13_MISSING_XYZ");

    let reference = SecretReference::parse("env://TEST_SECRET_M13_MISSING_XYZ")
        .expect("parsing env:// must succeed");

    // When: resolve_secret is called
    let result = resolve_secret(&reference).await;

    // Then: returns DataError::SecretNotFound
    assert!(
        matches!(result, Err(DataError::SecretNotFound { .. })),
        "expected SecretNotFound, got: {result:?}"
    );
}

/// Scenario: Invalid scheme — invalid input
/// Given a kms:// reference (not resolvable to a string secret)
/// When resolve_secret(&ref)
/// Then returns DataError::InvalidSecretReference
#[tokio::test]
async fn test_resolve_kms_scheme_unsupported() {
    // Given: a kms:// reference (KMS keys are not directly resolvable to string secrets)
    let reference =
        SecretReference::parse("kms://alias/my-key").expect("parsing kms:// must succeed");

    // When: resolve_secret is called
    let result = resolve_secret(&reference).await;

    // Then: returns DataError::InvalidSecretReference (kms:// not supported for string resolution)
    assert!(
        matches!(result, Err(DataError::InvalidSecretReference { .. })),
        "expected InvalidSecretReference for kms:// scheme, got: {result:?}"
    );
}

/// Scenario: Resolve vault:// — happy path (requires vault feature)
/// This test is only compiled when the vault feature is enabled.
#[cfg(feature = "vault")]
#[tokio::test]
async fn test_resolve_vault_happy_path() {
    use std::io::{Read, Write};
    use std::net::TcpListener;

    // Given: mock Vault KV server
    let field_value = "my-vault-secret";
    let body = format!(r#"{{"data":{{"password":"{field_value}"}}}}"#);
    let response = format!(
        "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nContent-Length: {}\r\nConnection: close\r\n\r\n{}",
        body.len(),
        body
    );

    let listener = TcpListener::bind("127.0.0.1:0").expect("bind mock vault server");
    let port = listener.local_addr().unwrap().port();

    std::thread::spawn(move || {
        if let Ok((mut stream, _)) = listener.accept() {
            let mut buf = [0u8; 8192];
            let _ = stream.read(&mut buf);
            let _ = stream.write_all(response.as_bytes());
        }
    });

    // Set up env vars for vault client
    std::env::set_var("VAULT_ADDR", format!("http://127.0.0.1:{port}"));
    std::env::set_var("VAULT_TOKEN", "test-token");

    let reference = SecretReference::parse("vault://kv/db-credentials#password")
        .expect("parsing vault:// must succeed");

    // When: resolve_secret is called
    let result = resolve_secret(&reference).await;

    // Then: returns secret value
    let secret = result.expect("resolve_secret must succeed for vault:// with mock");
    assert_eq!(
        secret.expose_secret(),
        field_value,
        "resolved value must match mock response"
    );

    // Clean up env vars
    std::env::remove_var("VAULT_ADDR");
    std::env::remove_var("VAULT_TOKEN");
}

/// Scenario: Vault unavailable without feature — partial failure
/// When vault feature is not enabled and vault:// reference is resolved
/// Then returns DataError::ProviderUnavailable
#[cfg(not(feature = "vault"))]
#[tokio::test]
async fn test_resolve_vault_feature_not_enabled() {
    let reference = SecretReference::parse("vault://kv/db-credentials#password")
        .expect("parsing vault:// must succeed");

    let result = resolve_secret(&reference).await;

    assert!(
        matches!(result, Err(DataError::ProviderUnavailable { .. })),
        "expected ProviderUnavailable when vault feature not enabled, got: {result:?}"
    );
}