tsafe-azure 1.0.3

Azure Key Vault integration for tsafe — optional secret pull.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74

use crate::error::KvError;

/// Runtime config for the Azure Key Vault client.
/// Loaded entirely from environment variables — no credentials in source.
#[derive(Clone)]
pub struct KvConfig {
    /// Key Vault URL, e.g. `https://myvault.vault.azure.net`
    pub vault_url: String,
}

fn akv_url_from_env() -> Result<String, KvError> {
    let raw = std::env::var("TSAFE_AKV_URL").map_err(|_| {
        KvError::Config("TSAFE_AKV_URL is not set — e.g. https://myvault.vault.azure.net".into())
    })?;
    let url = raw.trim_end_matches('/').to_string();
    if !url.starts_with("https://") {
        return Err(KvError::Config(
            "TSAFE_AKV_URL must start with https:// — plain HTTP is not allowed".into(),
        ));
    }
    Ok(url)
}

impl KvConfig {
    /// Load from `TSAFE_AKV_URL`. Fails fast if absent.
    pub fn from_env() -> Result<Self, KvError> {
        Ok(Self {
            vault_url: akv_url_from_env()?,
        })
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn from_env_missing_url_returns_config_error() {
        let result = temp_env::with_var("TSAFE_AKV_URL", None::<&str>, KvConfig::from_env);
        assert!(matches!(result, Err(KvError::Config(_))));
    }

    #[test]
    fn from_env_http_url_rejected() {
        let result = temp_env::with_var(
            "TSAFE_AKV_URL",
            Some("http://myvault.vault.azure.net"),
            KvConfig::from_env,
        );
        assert!(matches!(result, Err(KvError::Config(_))));
    }

    #[test]
    fn from_env_https_url_accepted() {
        let result = temp_env::with_var(
            "TSAFE_AKV_URL",
            Some("https://myvault.vault.azure.net"),
            KvConfig::from_env,
        );
        assert!(result.is_ok());
        assert_eq!(result.unwrap().vault_url, "https://myvault.vault.azure.net");
    }

    #[test]
    fn from_env_trailing_slash_trimmed() {
        let result = temp_env::with_var(
            "TSAFE_AKV_URL",
            Some("https://myvault.vault.azure.net/"),
            KvConfig::from_env,
        );
        assert!(result.is_ok());
        assert_eq!(result.unwrap().vault_url, "https://myvault.vault.azure.net");
    }
}