sshenv 0.0.1-alpha.1

SSH-key-backed encrypted vault for environment variables
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111

//! Runtime configuration for sshenv CLI security behavior.

use std::path::PathBuf;

use anyhow::{Context, Result};
use serde::Deserialize;

#[derive(Debug, Clone, Copy, Default, PartialEq, Eq, Deserialize)]
#[serde(rename_all = "kebab-case")]
pub enum UnencryptedSshKeysPolicy {
    Allow,
    #[default]
    Warn,
    Deny,
}

impl UnencryptedSshKeysPolicy {
    #[must_use]
    pub const fn label(self) -> &'static str {
        match self {
            Self::Allow => "allow",
            Self::Warn => "warn",
            Self::Deny => "deny",
        }
    }
}

#[derive(Debug, Clone, Copy, Default, PartialEq, Eq, Deserialize)]
#[serde(rename_all = "kebab-case")]
pub enum PassphraseCacheBackend {
    #[default]
    Auto,
    MacosKeychain,
    WindowsDpapi,
}

#[derive(Debug, Clone, Deserialize)]
pub struct PassphraseCacheConfig {
    #[serde(default)]
    pub enabled: bool,
    #[serde(default)]
    pub backend: PassphraseCacheBackend,
    pub ttl_seconds: Option<u64>,
}

impl Default for PassphraseCacheConfig {
    fn default() -> Self {
        Self {
            enabled: false,
            backend: PassphraseCacheBackend::Auto,
            ttl_seconds: Some(300),
        }
    }
}

#[derive(Debug, Clone, Deserialize)]
pub struct SecurityConfig {
    #[serde(default)]
    pub unencrypted_ssh_keys: UnencryptedSshKeysPolicy,
    #[serde(default)]
    pub passphrase_cache: PassphraseCacheConfig,
}

impl Default for SecurityConfig {
    fn default() -> Self {
        Self {
            unencrypted_ssh_keys: UnencryptedSshKeysPolicy::Warn,
            passphrase_cache: PassphraseCacheConfig::default(),
        }
    }
}

#[derive(Debug, Clone, Default, Deserialize)]
pub struct SshenvConfig {
    #[serde(default)]
    pub security: SecurityConfig,
}

/// Resolve runtime config path: `$SSHENV_CONFIG`, else `~/.sshenv/config.toml`.
#[must_use]
pub fn default_config_path() -> PathBuf {
    if let Ok(path) = std::env::var("SSHENV_CONFIG") {
        return PathBuf::from(path);
    }
    sshenv_home_dir().map_or_else(
        || PathBuf::from(".sshenv/config.toml"),
        |home| home.join(".sshenv").join("config.toml"),
    )
}

fn sshenv_home_dir() -> Option<PathBuf> {
    std::env::var_os("HOME")
        .filter(|value| !value.is_empty())
        .map(PathBuf::from)
        .or_else(dirs::home_dir)
}

/// Load runtime configuration, returning defaults when no config file exists.
///
/// # Errors
///
/// Returns an error when the config file exists but cannot be read or parsed.
pub fn load() -> Result<SshenvConfig> {
    let path = default_config_path();
    if !path.exists() {
        return Ok(SshenvConfig::default());
    }
    let text = std::fs::read_to_string(&path)
        .with_context(|| format!("failed to read config {}", path.display()))?;
    toml::from_str(&text).with_context(|| format!("failed to parse config {}", path.display()))
}