secure_data 0.1.2

Secret wrappers, envelope encryption, KMS providers, crypto agility, and password hashing.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77

//! Secret reference resolution — `resolve_secret()`.
//!
//! Resolves a `SecretReference` to its actual string value at runtime.
//!
//! | Scheme | Resolution | Feature required |
//! |--------|-----------|-----------------|
//! | `env://VAR` | `std::env::var(VAR)` | none |
//! | `vault://path#field` | Vault KV v1 GET | `vault` |
//! | `kms://...` | Not supported (KMS keys are not string secrets) | — |

use crate::config::{SecretReference, SecretReferenceProvider};
use crate::error::DataError;
use crate::secret::SecretString;

/// Resolves a [`SecretReference`] to a [`SecretString`] value.
///
/// - `env://VAR` — reads the environment variable `VAR` at call time.
///   Returns [`DataError::SecretNotFound`] if the variable is not set.
/// - `vault://path#field` — reads a KV v1 secret from HashiCorp Vault.
///   Requires `VAULT_ADDR` and `VAULT_TOKEN` environment variables.
///   Only available when the `vault` feature is enabled.
/// - `kms://...` — returns [`DataError::InvalidSecretReference`] because
///   KMS key aliases are not directly resolvable to string secrets.
///
/// # Errors
/// Returns [`DataError`] on resolution failure.
pub async fn resolve_secret(reference: &SecretReference) -> Result<SecretString, DataError> {
    match reference.provider {
        SecretReferenceProvider::Env => resolve_env(reference),
        SecretReferenceProvider::Vault => resolve_vault(reference).await,
        SecretReferenceProvider::Kms => Err(DataError::InvalidSecretReference {
            input: format!("kms://{}", reference.path),
        }),
    }
}

// --- env:// resolution -------------------------------------------------------

fn resolve_env(reference: &SecretReference) -> Result<SecretString, DataError> {
    std::env::var(&reference.path)
        .map(SecretString::new)
        .map_err(|_| DataError::SecretNotFound {
            reference: format!("env://{}", reference.path),
        })
}

// --- vault:// resolution -----------------------------------------------------

#[cfg(feature = "vault")]
async fn resolve_vault(reference: &SecretReference) -> Result<SecretString, DataError> {
    let vault_addr = std::env::var("VAULT_ADDR").map_err(|_| DataError::ProviderUnavailable {
        provider: "vault".to_string(),
        reason: "VAULT_ADDR environment variable not set".to_string(),
    })?;
    let vault_token = std::env::var("VAULT_TOKEN").map_err(|_| DataError::ProviderUnavailable {
        provider: "vault".to_string(),
        reason: "VAULT_TOKEN environment variable not set".to_string(),
    })?;

    let value = crate::providers::vault::fetch_vault_kv_secret(
        &vault_addr,
        &vault_token,
        &reference.path,
        reference.field.as_deref(),
    )
    .await?;

    Ok(SecretString::new(value))
}

#[cfg(not(feature = "vault"))]
async fn resolve_vault(_reference: &SecretReference) -> Result<SecretString, DataError> {
    Err(DataError::ProviderUnavailable {
        provider: "vault".to_string(),
        reason: "vault feature not enabled — recompile with --features vault".to_string(),
    })
}