siphon-secrets 0.1.1

Secret management with multiple backend support for Siphon
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

//! OS Keychain backend
//!
//! Supports:
//! - macOS Keychain
//! - Windows Credential Manager
//! - Linux Secret Service (via libsecret)

use crate::error::SecretError;

/// Resolve a secret from the OS keychain
pub fn resolve(service: &str, key: &str) -> Result<String, SecretError> {
    let entry = keyring::Entry::new(service, key)
        .map_err(|e| SecretError::backend("keychain", e.to_string()))?;

    entry.get_password().map_err(|e| match e {
        keyring::Error::NoEntry => {
            SecretError::NotFound(format!("No keychain entry for {}/{}", service, key))
        }
        keyring::Error::Ambiguous(creds) => SecretError::backend(
            "keychain",
            format!("Ambiguous entry: {} credentials found", creds.len()),
        ),
        keyring::Error::NoStorageAccess(inner) => {
            SecretError::AccessDenied(format!("Cannot access keychain storage: {}", inner))
        }
        _ => SecretError::backend("keychain", e.to_string()),
    })
}

/// Store a secret in the OS keychain (useful for setup)
#[allow(dead_code)]
pub fn store(service: &str, key: &str, value: &str) -> Result<(), SecretError> {
    let entry = keyring::Entry::new(service, key)
        .map_err(|e| SecretError::backend("keychain", e.to_string()))?;

    entry
        .set_password(value)
        .map_err(|e| SecretError::backend("keychain", e.to_string()))
}

/// Delete a secret from the OS keychain
#[allow(dead_code)]
pub fn delete(service: &str, key: &str) -> Result<(), SecretError> {
    let entry = keyring::Entry::new(service, key)
        .map_err(|e| SecretError::backend("keychain", e.to_string()))?;

    entry
        .delete_credential()
        .map_err(|e| SecretError::backend("keychain", e.to_string()))
}