stormchaser-engine 0.1.0

A robust, distributed workflow engine for event-driven and human-triggered workflows.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88

use aes_gcm::{
    aead::{Aead, KeyInit},
    Aes256Gcm, Nonce,
};
use anyhow::Result;
use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine as _};
use serde_json::json;
use sha2::{Digest, Sha256};
use uuid::Uuid;

/// Generates an HMAC-based token for Human-In-The-Loop (HITL) step approval or rejection.
pub fn generate_approval_token(
    run_id: Uuid,
    step_id: Uuid,
    action: &str,
    secret: &str,
) -> Result<String> {
    // 1. Derive key from secret
    let mut hasher = Sha256::new();
    hasher.update(secret);
    let key_bytes = hasher.finalize();
    let key = aes_gcm::Key::<Aes256Gcm>::from_slice(&key_bytes);
    let cipher = Aes256Gcm::new(key);

    // 2. Prepare payload
    let payload = json!({
        "run_id": run_id,
        "step_id": step_id,
        "action": action,
        "inputs": {},
    });
    let plaintext = serde_json::to_vec(&payload)?;

    // 3. Encrypt
    let mut nonce_bytes = [0u8; 12];
    // In a real app we'd use a CSPRNG, but for this utility we can use Uuid bytes or similar if needed.
    // Actually, let's use a simple deterministic nonce for now if we don't want to add rand,
    // but better to add rand for security.
    // Given the constraints, let's just use the first 12 bytes of a new Uuid.
    let nonce_uuid = Uuid::new_v4();
    nonce_bytes.copy_from_slice(&nonce_uuid.as_bytes()[..12]);
    let nonce = Nonce::from_slice(&nonce_bytes);

    let ciphertext = cipher
        .encrypt(nonce, plaintext.as_ref())
        .map_err(|e| anyhow::anyhow!("Encryption failed: {:?}", e))?;

    // 4. Combine nonce + ciphertext
    let mut combined = Vec::with_capacity(nonce_bytes.len() + ciphertext.len());
    combined.extend_from_slice(&nonce_bytes);
    combined.extend_from_slice(&ciphertext);

    // 5. Encode base64
    Ok(URL_SAFE_NO_PAD.encode(combined))
}

#[cfg(test)]
mod tests {
    use super::*;
    use serde_json::Value;

    #[test]
    fn test_generate_approval_token() {
        let run_id = Uuid::new_v4();
        let step_id = Uuid::new_v4();
        let secret = "test-secret";

        let token = generate_approval_token(run_id, step_id, "approve", secret).unwrap();
        assert!(!token.is_empty());

        // Verify we can decrypt it back (simulating API logic)
        let mut hasher = Sha256::new();
        hasher.update(secret);
        let key_bytes = hasher.finalize();
        let key = aes_gcm::Key::<Aes256Gcm>::from_slice(&key_bytes);
        let cipher = Aes256Gcm::new(key);

        let decoded = URL_SAFE_NO_PAD.decode(token).unwrap();
        let (nonce_bytes, ciphertext) = decoded.split_at(12);
        let nonce = Nonce::from_slice(nonce_bytes);
        let plaintext = cipher.decrypt(nonce, ciphertext).unwrap();

        let payload: Value = serde_json::from_slice(&plaintext).unwrap();
        assert_eq!(payload["run_id"], run_id.to_string());
        assert_eq!(payload["step_id"], step_id.to_string());
        assert_eq!(payload["action"], "approve");
    }
}