secure_data 0.1.2

Secret wrappers, envelope encryption, KMS providers, crypto agility, and password hashing.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174

//! AWS KMS key provider.
//!
//! Uses `aws-sdk-kms` to call `GenerateDataKey` and `Decrypt`.
//! AWS credentials are loaded from the standard credential chain
//! (env vars, shared credentials file, IAM role, etc.).
//!
//! **Feature flag**: only compiled when the `aws-kms` feature is enabled.

use base64::{engine::general_purpose::STANDARD as B64, Engine};
use zeroize::Zeroizing;

use crate::error::DataError;
use crate::kms::{DataKey, KeyAlias, WrappedDataKey};

/// AWS KMS key provider.
///
/// Wraps `aws-sdk-kms::Client` to implement [`crate::kms::KeyProvider`] for AWS KMS.
/// AWS credentials are resolved from the standard chain at construction time.
pub struct AwsKmsKeyProvider {
    client: aws_sdk_kms::Client,
}

impl AwsKmsKeyProvider {
    /// Creates an `AwsKmsKeyProvider` using the standard AWS credential chain.
    pub async fn new() -> Self {
        let config = aws_config::defaults(aws_config::BehaviorVersion::latest())
            .load()
            .await;
        let client = aws_sdk_kms::Client::new(&config);
        Self { client }
    }

    /// Creates an `AwsKmsKeyProvider` pointing at a custom endpoint URL.
    ///
    /// Used in tests to point at a local mock KMS server.
    pub async fn with_endpoint(endpoint_url: impl Into<String>) -> Self {
        let endpoint = endpoint_url.into();
        let config = aws_config::defaults(aws_config::BehaviorVersion::latest())
            .endpoint_url(&endpoint)
            .region(aws_config::Region::new("us-east-1"))
            .credentials_provider(aws_sdk_kms::config::Credentials::new(
                "test-key-id",
                "test-secret-key",
                None,
                None,
                "test",
            ))
            .load()
            .await;
        let client = aws_sdk_kms::Client::new(&config);
        Self { client }
    }

    /// Creates an `AwsKmsKeyProvider` from an already-built `aws-sdk-kms` client.
    ///
    /// Allows injecting a pre-configured client (e.g. for testing with LocalStack).
    #[must_use]
    pub fn with_client(client: aws_sdk_kms::Client) -> Self {
        Self { client }
    }
}

// --- Sealed impl + KeyProvider impl -----------------------------------------

impl crate::kms::private::Sealed for AwsKmsKeyProvider {}

impl crate::kms::KeyProvider for AwsKmsKeyProvider {
    fn generate_data_key(
        &self,
        alias: &KeyAlias,
    ) -> impl std::future::Future<Output = Result<(DataKey, WrappedDataKey, String), DataError>> + Send
    {
        let client = self.client.clone();
        let key_id = alias.to_string();

        async move {
            let resp = client
                .generate_data_key()
                .key_id(&key_id)
                .key_spec(aws_sdk_kms::types::DataKeySpec::Aes256)
                .send()
                .await
                .map_err(|e| map_kms_error(e.into()))?;

            let plaintext_blob =
                resp.plaintext()
                    .ok_or_else(|| DataError::ProviderUnavailable {
                        provider: "aws-kms".to_string(),
                        reason: "GenerateDataKey response missing Plaintext".to_string(),
                    })?;

            let ciphertext_blob =
                resp.ciphertext_blob()
                    .ok_or_else(|| DataError::ProviderUnavailable {
                        provider: "aws-kms".to_string(),
                        reason: "GenerateDataKey response missing CiphertextBlob".to_string(),
                    })?;

            let dek = Zeroizing::new(plaintext_blob.as_ref().to_vec());
            let wrapped = ciphertext_blob.as_ref().to_vec();
            let version = "1".to_string();

            Ok((dek, wrapped, version))
        }
    }

    fn unwrap_data_key(
        &self,
        wrapped: &WrappedDataKey,
        _alias: &KeyAlias,
        _version: &str,
    ) -> impl std::future::Future<Output = Result<DataKey, DataError>> + Send {
        let client = self.client.clone();
        let ciphertext_blob = aws_sdk_kms::primitives::Blob::new(wrapped.clone());

        async move {
            let resp = client
                .decrypt()
                .ciphertext_blob(ciphertext_blob)
                .send()
                .await
                .map_err(|e| map_kms_error(e.into()))?;

            let plaintext_blob =
                resp.plaintext()
                    .ok_or_else(|| DataError::ProviderUnavailable {
                        provider: "aws-kms".to_string(),
                        reason: "Decrypt response missing Plaintext".to_string(),
                    })?;

            Ok(Zeroizing::new(plaintext_blob.as_ref().to_vec()))
        }
    }
}

// --- Error mapping ----------------------------------------------------------

fn map_kms_error(e: Box<dyn std::error::Error + Send + Sync>) -> DataError {
    let msg = e.to_string();
    // Check for auth errors
    if msg.contains("AccessDeniedException")
        || msg.contains("InvalidSignatureException")
        || msg.contains("AuthFailure")
        || msg.contains("UnauthorizedOperation")
    {
        return DataError::ProviderAuthError {
            provider: "aws-kms".to_string(),
            reason: msg,
        };
    }
    // All other errors (connection refused, timeout, etc.) → unavailable
    DataError::ProviderUnavailable {
        provider: "aws-kms".to_string(),
        reason: msg,
    }
}

// --- JSON mock support for tests (parses AWS-format JSON responses) ----------
// The aws-sdk-kms uses its own HTTP layer. When endpoint_url is overridden
// to a mock server, the SDK sends real AWS-protocol requests and parses
// the mock's JSON responses. No special handling needed here — the SDK
// handles response parsing.

/// Decodes a base64-encoded value from an AWS KMS JSON response field.
///
/// Used internally for parsing custom mock responses in tests.
#[allow(dead_code)]
fn decode_b64(value: &str) -> Result<Vec<u8>, DataError> {
    B64.decode(value)
        .map_err(|e| DataError::ProviderUnavailable {
            provider: "aws-kms".to_string(),
            reason: format!("base64 decode error: {e}"),
        })
}