vault-client-rs 0.8.0

A Rust client for the HashiCorp Vault HTTP API
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129

use std::sync::atomic::{AtomicU64, Ordering};

use secrecy::SecretString;

use vault_client_rs::VaultClient;
use vault_client_rs::types::sys::*;

static COUNTER: AtomicU64 = AtomicU64::new(0);

/// Generate a unique name for parallel-safe test isolation
pub fn unique_name(prefix: &str) -> String {
    let pid = std::process::id();
    let seq = COUNTER.fetch_add(1, Ordering::Relaxed);
    format!("{prefix}-{pid}-{seq}")
}

/// Read `VAULT_ADDR` and `VAULT_TOKEN` from the environment
///
/// Start a dev-mode Vault before running integration tests:
///
/// ```sh
/// podman run --rm -d -p 8200:8200 \
///   -e VAULT_DEV_ROOT_TOKEN_ID=myroot \
///   -e VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200 \
///   --name vault-test hashicorp/vault:1.18
/// export VAULT_ADDR=http://127.0.0.1:8200
/// export VAULT_TOKEN=myroot
/// cargo nextest run --all-features -p vault-client-rs --test integration
/// podman rm -f vault-test
/// ```
pub fn vault_addr() -> String {
    std::env::var("VAULT_ADDR")
        .expect("VAULT_ADDR must be set (see tests/integration/common.rs for instructions)")
}

pub fn vault_token() -> SecretString {
    SecretString::from(
        std::env::var("VAULT_TOKEN")
            .expect("VAULT_TOKEN must be set (see tests/integration/common.rs for instructions)"),
    )
}

pub fn build_client(addr: &str, token: SecretString) -> VaultClient {
    VaultClient::builder()
        .address(addr)
        .token(token)
        .max_retries(0)
        .build()
        .unwrap()
}

pub fn build_wrapping_client(addr: &str, token: SecretString, ttl: &str) -> VaultClient {
    VaultClient::builder()
        .address(addr)
        .token(token)
        .max_retries(0)
        .wrap_ttl(ttl)
        .build()
        .unwrap()
}

/// Idempotent secrets engine mount — swallows "path is already in use" errors
pub async fn ensure_mount(client: &VaultClient, path: &str, mount_type: &str) {
    let _ = client
        .sys()
        .mount(
            path,
            &MountParams {
                mount_type: mount_type.into(),
                description: Some(format!("test {mount_type}")),
                config: None,
                options: None,
            },
        )
        .await;
}

/// Idempotent auth method enable — swallows "already in use" errors
pub async fn ensure_auth(client: &VaultClient, path: &str, auth_type: &str) {
    let _ = client
        .sys()
        .enable_auth(
            path,
            &AuthMountParams {
                mount_type: auth_type.into(),
                description: Some(format!("test {auth_type}")),
                config: None,
            },
        )
        .await;
}

/// Mount a KV v1 engine at a unique path, returning the path
pub async fn mount_kv1(client: &VaultClient) -> String {
    let path = unique_name("kv1");
    client
        .sys()
        .mount(
            &path,
            &MountParams {
                mount_type: "kv".into(),
                description: Some("test kv1".into()),
                config: None,
                options: Some([("version".to_string(), "1".to_string())].into()),
            },
        )
        .await
        .unwrap();
    path
}

/// Mount a PKI engine at a unique path, returning the path
pub async fn mount_pki(client: &VaultClient) -> String {
    let path = unique_name("pki");
    client
        .sys()
        .mount(
            &path,
            &MountParams {
                mount_type: "pki".into(),
                description: Some("test pki".into()),
                config: None,
                options: None,
            },
        )
        .await
        .unwrap();
    path
}