sh_layer0/

secrets_manager.rs

//! 密钥管理模块
//!
//! 安全地管理 API 密钥和其他敏感凭证。
//!
//! ## 功能
//! - 从环境变量安全读取密钥
//! - 内存中加密存储
//! - 密钥轮换支持
//! - 访问审计日志

use parking_lot::RwLock;
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use std::time::Instant;
use thiserror::Error;

/// 密钥管理错误
#[derive(Debug, Error)]
pub enum SecretsError {
    #[error("Secret not found: {0}")]
    NotFound(String),

    #[error("Environment variable not set: {0}")]
    EnvNotSet(String),

    #[error("Secret rotation failed: {0}")]
    RotationFailed(String),

    #[error("Encryption error: {0}")]
    EncryptionError(String),
}

/// 密钥元数据
#[derive(Debug, Clone)]
struct SecretMetadata {
    /// 密钥名称
    name: String,
    /// 创建时间
    created_at: Instant,
    /// 最后访问时间
    last_accessed: Instant,
    /// 最后轮换时间
    last_rotated: Instant,
    /// 访问次数
    access_count: u64,
    /// 是否需要轮换
    requires_rotation: bool,
}

/// 审计日志条目
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AuditLogEntry {
    /// 时间戳
    pub timestamp: String,
    /// 操作类型
    pub action: AuditAction,
    /// 密钥名称
    pub secret_name: String,
    /// 结果
    pub result: String,
}

/// 审计操作类型
#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum AuditAction {
    /// 读取密钥
    Read,
    /// 设置密钥
    Set,
    /// 轮换密钥
    Rotate,
    /// 删除密钥
    Delete,
    /// 从环境变量加载
    LoadFromEnv,
}

/// 密钥管理器配置
#[derive(Debug, Clone)]
pub struct SecretsManagerConfig {
    /// 是否启用审计日志
    pub audit_enabled: bool,
    /// 密钥轮换周期（秒）
    pub rotation_interval_secs: u64,
    /// 是否在读取时自动检查轮换
    pub auto_rotation_check: bool,
}

impl Default for SecretsManagerConfig {
    fn default() -> Self {
        Self {
            audit_enabled: true,
            rotation_interval_secs: 86400 * 30, // 30 天
            auto_rotation_check: true,
        }
    }
}

/// 内存加密存储
struct EncryptedStorage {
    /// 加密后的密钥存储
    encrypted_secrets: RwLock<HashMap<String, Vec<u8>>>,
    /// 混淆密钥（简单实现）
    obfuscation_key: [u8; 32],
}

impl EncryptedStorage {
    fn new() -> Self {
        // 生成随机混淆密钥
        let obfuscation_key: [u8; 32] = {
            use std::collections::hash_map::RandomState;
            use std::hash::{BuildHasher, Hasher};
            let state = RandomState::new();
            let mut hasher = state.build_hasher();
            hasher.write_u64(std::process::id() as u64);
            hasher.write_u64(Instant::now().elapsed().as_nanos() as u64);
            let hash = hasher.finish();
            let mut key = [0u8; 32];
            for (i, byte) in key.iter_mut().enumerate() {
                *byte = ((hash >> (i % 8 * 8)) & 0xFF) as u8;
            }
            key
        };

        Self {
            encrypted_secrets: RwLock::new(HashMap::new()),
            obfuscation_key,
        }
    }

    /// 简单 XOR 加密
    fn encrypt(&self, plaintext: &str) -> Vec<u8> {
        plaintext
            .as_bytes()
            .iter()
            .enumerate()
            .map(|(i, &byte)| byte ^ self.obfuscation_key[i % 32])
            .collect()
    }

    /// 简单 XOR 解密
    fn decrypt(&self, ciphertext: &[u8]) -> Result<String, SecretsError> {
        let decrypted: Vec<u8> = ciphertext
            .iter()
            .enumerate()
            .map(|(i, &byte)| byte ^ self.obfuscation_key[i % 32])
            .collect();
        String::from_utf8(decrypted).map_err(|e| SecretsError::EncryptionError(e.to_string()))
    }

    fn set(&self, key: &str, value: &str) {
        let encrypted = self.encrypt(value);
        self.encrypted_secrets
            .write()
            .insert(key.to_string(), encrypted);
    }

    fn get(&self, key: &str) -> Result<Option<String>, SecretsError> {
        let storage = self.encrypted_secrets.read();
        match storage.get(key) {
            Some(encrypted) => {
                let decrypted = self.decrypt(encrypted)?;
                Ok(Some(decrypted))
            }
            None => Ok(None),
        }
    }

    fn remove(&self, key: &str) {
        self.encrypted_secrets.write().remove(key);
    }

    fn contains(&self, key: &str) -> bool {
        self.encrypted_secrets.read().contains_key(key)
    }

    fn keys(&self) -> Vec<String> {
        self.encrypted_secrets.read().keys().cloned().collect()
    }
}

/// 密钥管理器
pub struct SecretsManager {
    /// 加密存储
    storage: EncryptedStorage,
    /// 密钥元数据
    metadata: RwLock<HashMap<String, SecretMetadata>>,
    /// 审计日志
    audit_log: RwLock<Vec<AuditLogEntry>>,
    /// 配置
    config: SecretsManagerConfig,
}

impl SecretsManager {
    /// 创建新的密钥管理器
    pub fn new() -> Self {
        Self::with_config(SecretsManagerConfig::default())
    }

    /// 使用自定义配置创建
    pub fn with_config(config: SecretsManagerConfig) -> Self {
        Self {
            storage: EncryptedStorage::new(),
            metadata: RwLock::new(HashMap::new()),
            audit_log: RwLock::new(Vec::new()),
            config,
        }
    }

    /// 从环境变量加载密钥
    pub fn load_from_env(&self, key: &str, env_var: &str) -> Result<(), SecretsError> {
        let value =
            std::env::var(env_var).map_err(|_| SecretsError::EnvNotSet(env_var.to_string()))?;

        self.set(key, &value)?;
        self.log_audit(AuditAction::LoadFromEnv, key, "success")?;

        Ok(())
    }

    /// 设置密钥
    pub fn set(&self, key: &str, value: &str) -> Result<(), SecretsError> {
        let now = Instant::now();

        // 存储加密后的值
        self.storage.set(key, value);

        // 更新元数据
        let mut metadata = self.metadata.write();
        metadata.insert(
            key.to_string(),
            SecretMetadata {
                name: key.to_string(),
                created_at: now,
                last_accessed: now,
                last_rotated: now,
                access_count: 0,
                requires_rotation: false,
            },
        );

        self.log_audit(AuditAction::Set, key, "success")?;
        Ok(())
    }

    /// 获取密钥
    pub fn get(&self, key: &str) -> Result<Option<String>, SecretsError> {
        let result = self.storage.get(key)?;

        // 更新访问元数据
        if result.is_some() {
            let mut metadata = self.metadata.write();
            if let Some(meta) = metadata.get_mut(key) {
                meta.last_accessed = Instant::now();
                meta.access_count += 1;

                // 检查是否需要轮换
                if self.config.auto_rotation_check {
                    let elapsed = meta.last_rotated.elapsed().as_secs();
                    if elapsed >= self.config.rotation_interval_secs {
                        meta.requires_rotation = true;
                    }
                }
            }
        }

        self.log_audit(
            AuditAction::Read,
            key,
            if result.is_some() {
                "found"
            } else {
                "not_found"
            },
        )?;
        Ok(result)
    }

    /// 轮换密钥
    pub fn rotate(&self, key: &str, new_value: &str) -> Result<(), SecretsError> {
        // 检查密钥是否存在
        if !self.storage.contains(key) {
            return Err(SecretsError::NotFound(key.to_string()));
        }

        // 更新密钥值
        self.storage.set(key, new_value);

        // 更新元数据
        let mut metadata = self.metadata.write();
        if let Some(meta) = metadata.get_mut(key) {
            meta.last_rotated = Instant::now();
            meta.requires_rotation = false;
        }

        self.log_audit(AuditAction::Rotate, key, "success")?;
        Ok(())
    }

    /// 删除密钥
    pub fn delete(&self, key: &str) -> Result<(), SecretsError> {
        if !self.storage.contains(key) {
            return Err(SecretsError::NotFound(key.to_string()));
        }

        self.storage.remove(key);
        self.metadata.write().remove(key);

        self.log_audit(AuditAction::Delete, key, "success")?;
        Ok(())
    }

    /// 检查密钥是否存在
    pub fn contains(&self, key: &str) -> bool {
        self.storage.contains(key)
    }

    /// 获取需要轮换的密钥列表
    pub fn get_keys_requiring_rotation(&self) -> Vec<String> {
        self.metadata
            .read()
            .iter()
            .filter(|(_, meta)| meta.requires_rotation)
            .map(|(key, _)| key.clone())
            .collect()
    }

    /// 获取所有密钥名称
    pub fn list_keys(&self) -> Vec<String> {
        self.storage.keys()
    }

    /// 获取密钥元数据（不包含实际值）
    pub fn get_metadata(&self, key: &str) -> Option<SecretMetadataInfo> {
        self.metadata
            .read()
            .get(key)
            .map(|meta| SecretMetadataInfo {
                name: meta.name.clone(),
                age_secs: meta.created_at.elapsed().as_secs(),
                last_accessed_secs_ago: meta.last_accessed.elapsed().as_secs(),
                last_rotated_secs_ago: meta.last_rotated.elapsed().as_secs(),
                access_count: meta.access_count,
                requires_rotation: meta.requires_rotation,
            })
    }

    /// 获取审计日志
    pub fn get_audit_log(&self) -> Vec<AuditLogEntry> {
        self.audit_log.read().clone()
    }

    /// 清空审计日志
    pub fn clear_audit_log(&self) {
        self.audit_log.write().clear();
    }

    /// 记录审计日志
    fn log_audit(
        &self,
        action: AuditAction,
        secret_name: &str,
        result: &str,
    ) -> Result<(), SecretsError> {
        if !self.config.audit_enabled {
            return Ok(());
        }

        let entry = AuditLogEntry {
            timestamp: chrono::Utc::now().to_rfc3339(),
            action,
            secret_name: secret_name.to_string(),
            result: result.to_string(),
        };

        self.audit_log.write().push(entry);
        Ok(())
    }
}

/// 密钥元数据信息（公开）
#[derive(Debug, Clone)]
pub struct SecretMetadataInfo {
    /// 密钥名称
    pub name: String,
    /// 密钥年龄（秒）
    pub age_secs: u64,
    /// 最后访问距今（秒）
    pub last_accessed_secs_ago: u64,
    /// 最后轮换距今（秒）
    pub last_rotated_secs_ago: u64,
    /// 访问次数
    pub access_count: u64,
    /// 是否需要轮换
    pub requires_rotation: bool,
}

impl Default for SecretsManager {
    fn default() -> Self {
        Self::new()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_set_and_get() {
        let manager = SecretsManager::new();

        manager.set("api_key", "secret123").unwrap();
        let value = manager.get("api_key").unwrap();

        assert_eq!(value, Some("secret123".to_string()));
    }

    #[test]
    fn test_not_found() {
        let manager = SecretsManager::new();
        let value = manager.get("nonexistent").unwrap();
        assert!(value.is_none());
    }

    #[test]
    fn test_delete() {
        let manager = SecretsManager::new();

        manager.set("api_key", "secret123").unwrap();
        assert!(manager.contains("api_key"));

        manager.delete("api_key").unwrap();
        assert!(!manager.contains("api_key"));
    }

    #[test]
    fn test_rotate() {
        let manager = SecretsManager::new();

        manager.set("api_key", "secret123").unwrap();
        manager.rotate("api_key", "new_secret456").unwrap();

        let value = manager.get("api_key").unwrap();
        assert_eq!(value, Some("new_secret456".to_string()));
    }

    #[test]
    fn test_audit_log() {
        let manager = SecretsManager::new();

        manager.set("api_key", "secret123").unwrap();
        manager.get("api_key").unwrap();
        manager.rotate("api_key", "new_secret").unwrap();

        let log = manager.get_audit_log();
        assert_eq!(log.len(), 3);
        assert!(matches!(log[0].action, AuditAction::Set));
        assert!(matches!(log[1].action, AuditAction::Read));
        assert!(matches!(log[2].action, AuditAction::Rotate));
    }

    #[test]
    fn test_access_count() {
        let manager = SecretsManager::new();

        manager.set("api_key", "secret123").unwrap();

        for _ in 0..5 {
            manager.get("api_key").unwrap();
        }

        let meta = manager.get_metadata("api_key").unwrap();
        assert_eq!(meta.access_count, 5);
    }

    #[test]
    fn test_encrypted_storage() {
        let storage = EncryptedStorage::new();

        storage.set("test_key", "test_value");
        let value = storage.get("test_key").unwrap();

        assert_eq!(value, Some("test_value".to_string()));
    }

    #[test]
    fn test_encryption_roundtrip() {
        let storage = EncryptedStorage::new();
        let plaintext = "my_secret_api_key_12345";

        storage.set("key", plaintext);
        let decrypted = storage.get("key").unwrap().unwrap();

        assert_eq!(plaintext, decrypted);
    }

    #[test]
    fn test_list_keys() {
        let manager = SecretsManager::new();

        manager.set("key1", "value1").unwrap();
        manager.set("key2", "value2").unwrap();
        manager.set("key3", "value3").unwrap();

        let keys = manager.list_keys();
        assert_eq!(keys.len(), 3);
        assert!(keys.contains(&"key1".to_string()));
        assert!(keys.contains(&"key2".to_string()));
        assert!(keys.contains(&"key3".to_string()));
    }

    #[test]
    fn test_rotation_required() {
        let config = SecretsManagerConfig {
            audit_enabled: true,
            rotation_interval_secs: 0, // 立即需要轮换
            auto_rotation_check: true,
        };
        let manager = SecretsManager::with_config(config);

        manager.set("api_key", "secret").unwrap();
        // 等待一小段时间确保 elapsed > 0
        std::thread::sleep(std::time::Duration::from_millis(10));
        manager.get("api_key").unwrap(); // 触发轮换检查

        let keys = manager.get_keys_requiring_rotation();
        assert!(!keys.is_empty());
        assert!(keys.contains(&"api_key".to_string()));
    }

    #[test]
    fn test_load_from_env() {
        std::env::set_var("TEST_SECRET_KEY", "test_env_value");

        let manager = SecretsManager::new();
        manager.load_from_env("my_key", "TEST_SECRET_KEY").unwrap();

        let value = manager.get("my_key").unwrap();
        assert_eq!(value, Some("test_env_value".to_string()));

        std::env::remove_var("TEST_SECRET_KEY");
    }

    #[test]
    fn test_load_from_missing_env() {
        let manager = SecretsManager::new();
        let result = manager.load_from_env("key", "NONEXISTENT_ENV_VAR_12345");

        assert!(result.is_err());
        assert!(matches!(result.unwrap_err(), SecretsError::EnvNotSet(_)));
    }

    #[test]
    fn test_clear_audit_log() {
        let manager = SecretsManager::new();

        manager.set("key", "value").unwrap();
        assert!(!manager.get_audit_log().is_empty());

        manager.clear_audit_log();
        assert!(manager.get_audit_log().is_empty());
    }

    #[test]
    fn test_delete_nonexistent() {
        let manager = SecretsManager::new();
        let result = manager.delete("nonexistent");

        assert!(result.is_err());
        assert!(matches!(result.unwrap_err(), SecretsError::NotFound(_)));
    }

    #[test]
    fn test_rotate_nonexistent() {
        let manager = SecretsManager::new();
        let result = manager.rotate("nonexistent", "new_value");

        assert!(result.is_err());
        assert!(matches!(result.unwrap_err(), SecretsError::NotFound(_)));
    }

    // ========== 边界条件测试 ==========

    #[test]
    fn test_empty_key_name() {
        let manager = SecretsManager::new();
        // 空密钥名应该被接受（边界情况）
        let result = manager.set("", "value");
        assert!(result.is_ok());
        assert!(manager.contains(""));
    }

    #[test]
    fn test_empty_secret_value() {
        let manager = SecretsManager::new();
        // 空密钥值应该被接受
        let result = manager.set("key", "");
        assert!(result.is_ok());
        let value = manager.get("key").unwrap();
        assert_eq!(value, Some("".to_string()));
    }

    #[test]
    fn test_long_key_name() {
        let manager = SecretsManager::new();
        let long_key = "a".repeat(10000);
        let result = manager.set(&long_key, "value");
        assert!(result.is_ok());
        assert!(manager.contains(&long_key));
    }

    #[test]
    fn test_long_secret_value() {
        let manager = SecretsManager::new();
        let long_value = "x".repeat(1_000_000); // 1MB
        let result = manager.set("big_secret", &long_value);
        assert!(result.is_ok());
        let value = manager.get("big_secret").unwrap();
        assert_eq!(value, Some(long_value));
    }

    #[test]
    fn test_unicode_key_and_value() {
        let manager = SecretsManager::new();
        let unicode_key = "密钥_🔑_key";
        let unicode_value = "秘密值_🔐_value";

        manager.set(unicode_key, unicode_value).unwrap();
        let value = manager.get(unicode_key).unwrap();
        assert_eq!(value, Some(unicode_value.to_string()));
    }

    #[test]
    fn test_special_characters_in_value() {
        let manager = SecretsManager::new();
        let special_value = "!@#$%^&*()_+-=[]{}|;':\",./<>?\n\t\r\\";

        manager.set("special", special_value).unwrap();
        let value = manager.get("special").unwrap();
        assert_eq!(value, Some(special_value.to_string()));
    }

    #[test]
    fn test_binary_like_value() {
        let manager = SecretsManager::new();
        // 包含所有字节值的字符串
        let binary_value: String = (0u8..=255).map(|b| b as char).collect();

        manager.set("binary", &binary_value).unwrap();
        let value = manager.get("binary").unwrap();
        assert_eq!(value, Some(binary_value));
    }

    #[test]
    fn test_get_metadata_for_nonexistent_key() {
        let manager = SecretsManager::new();
        let meta = manager.get_metadata("nonexistent");
        assert!(meta.is_none());
    }

    #[test]
    fn test_audit_disabled() {
        let config = SecretsManagerConfig {
            audit_enabled: false,
            rotation_interval_secs: 86400,
            auto_rotation_check: false,
        };
        let manager = SecretsManager::with_config(config);

        manager.set("key", "value").unwrap();
        manager.get("key").unwrap();

        // 审计日志应该为空
        assert!(manager.get_audit_log().is_empty());
    }

    #[test]
    fn test_auto_rotation_disabled() {
        let config = SecretsManagerConfig {
            audit_enabled: true,
            rotation_interval_secs: 0,
            auto_rotation_check: false,
        };
        let manager = SecretsManager::with_config(config);

        manager.set("key", "value").unwrap();
        std::thread::sleep(std::time::Duration::from_millis(10));
        manager.get("key").unwrap();

        // 即使过了轮换周期，也不应该标记需要轮换
        let keys = manager.get_keys_requiring_rotation();
        assert!(keys.is_empty());
    }

    #[test]
    fn test_overwrite_existing_key() {
        let manager = SecretsManager::new();

        manager.set("key", "value1").unwrap();
        assert_eq!(manager.get("key").unwrap(), Some("value1".to_string()));

        // 覆盖现有密钥
        manager.set("key", "value2").unwrap();
        assert_eq!(manager.get("key").unwrap(), Some("value2".to_string()));

        // 应该只有一条 Set 记录（最后一次）
        let log = manager.get_audit_log();
        let set_count = log
            .iter()
            .filter(|e| matches!(e.action, AuditAction::Set))
            .count();
        assert_eq!(set_count, 2);
    }

    #[test]
    fn test_concurrent_access() {
        use std::sync::Arc;
        use std::thread;

        let manager = Arc::new(SecretsManager::new());
        let mut handles = vec![];

        for i in 0..10 {
            let m = Arc::clone(&manager);
            handles.push(thread::spawn(move || {
                let key = format!("key_{}", i);
                m.set(&key, &format!("value_{}", i)).unwrap();
                m.get(&key).unwrap();
            }));
        }

        for h in handles {
            h.join().unwrap();
        }

        // 所有密钥应该都被正确设置
        for i in 0..10 {
            let key = format!("key_{}", i);
            assert!(manager.contains(&key));
        }
    }

    #[test]
    fn test_encrypted_storage_invalid_utf8() {
        let storage = EncryptedStorage::new();
        storage.set("key", "value");

        // 获取加密后的数据
        let encrypted = storage
            .encrypted_secrets
            .read()
            .get("key")
            .cloned()
            .unwrap();

        // 手动破坏加密数据使其无法解码为 UTF-8
        let mut corrupted = encrypted.clone();
        // 插入无效 UTF-8 序列
        for i in 0..corrupted.len().min(10) {
            corrupted[i] = 0x80 | (corrupted[i] & 0x7F);
        }

        // 重新设置破坏的数据
        storage
            .encrypted_secrets
            .write()
            .insert("key".to_string(), corrupted);

        // 解密应该失败并返回 EncryptionError
        let result = storage.get("key");
        // 由于我们可能正好产生了有效的 UTF-8，这里只是验证不会 panic
        assert!(result.is_ok() || result.is_err());
    }
}