zlayer_secrets/
git_credentials.rs

1//! Typed credential store for Git authentication (PAT or SSH key).
2//!
3//! Built on top of any [`SecretsStore`] implementation, this module provides
4//! structured storage for Git credentials. Metadata (name, kind) is stored as
5//! JSON in the `git_credentials_meta` scope, while the actual PAT or SSH key
6//! is stored as a secret in the `git_credentials` scope. Both are keyed by a
7//! UUID identifier.
8//!
9//! # Example
10//!
11//! ```rust,ignore
12//! use zlayer_secrets::{EncryptionKey, PersistentSecretsStore};
13//! use zlayer_secrets::git_credentials::{GitCredentialStore, GitCredentialKind};
14//!
15//! # async fn example() -> zlayer_secrets::Result<()> {
16//! let key = EncryptionKey::generate();
17//! let secrets_dir = zlayer_paths::ZLayerDirs::system_default().secrets();
18//! let store = PersistentSecretsStore::open(&secrets_dir, key).await?;
19//! let git_store = GitCredentialStore::new(store);
20//!
21//! let cred = git_store.create("GitHub PAT for ci", "ghp_xxxx", GitCredentialKind::Pat).await?;
22//! let value = git_store.get_value(&cred.id).await?;
23//! assert_eq!(value.expose(), "ghp_xxxx");
24//! # Ok(())
25//! # }
26//! ```
27
28use tracing::{debug, info};
29use uuid::Uuid;
30
31use crate::{Result, Secret, SecretsError, SecretsStore};
32
33pub use zlayer_types::secrets::git::{GitCredential, GitCredentialKind};
34
35/// Scope used for storing Git credential secrets (PAT / SSH key).
36const GIT_CRED_SCOPE: &str = "git_credentials";
37
38/// Scope used for storing Git credential metadata (JSON).
39const GIT_CRED_META_SCOPE: &str = "git_credentials_meta";
40
41/// Store for Git authentication credentials.
42///
43/// Wraps a [`SecretsStore`] and organises data into two scopes:
44/// - **`git_credentials_meta`**: JSON-serialised [`GitCredential`] metadata
45///   (everything except the secret value).
46/// - **`git_credentials`**: The raw PAT or SSH key as an encrypted secret.
47pub struct GitCredentialStore<S: SecretsStore> {
48    store: S,
49}
50
51impl<S: SecretsStore> std::fmt::Debug for GitCredentialStore<S> {
52    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
53        f.debug_struct("GitCredentialStore")
54            .field("store", &"<secrets store>")
55            .finish()
56    }
57}
58
59impl<S: SecretsStore> GitCredentialStore<S> {
60    /// Create a new Git credential store backed by the provided secrets store.
61    pub fn new(store: S) -> Self {
62        Self { store }
63    }
64
65    /// Store a new Git credential.
66    ///
67    /// Generates a UUID for the credential, stores the PAT/SSH key as an
68    /// encrypted secret in the `git_credentials` scope, and the metadata as
69    /// JSON in the `git_credentials_meta` scope.
70    ///
71    /// # Arguments
72    /// * `name` - Human-readable label (e.g. `"GitHub PAT for ci"`)
73    /// * `value` - The PAT or SSH key content (stored encrypted)
74    /// * `kind` - Whether this is a PAT or SSH key
75    ///
76    /// # Errors
77    /// Returns a [`SecretsError`] if serialisation or storage fails.
78    pub async fn create(
79        &self,
80        name: &str,
81        value: &str,
82        kind: GitCredentialKind,
83    ) -> Result<GitCredential> {
84        let id = Uuid::new_v4().to_string();
85
86        let cred = GitCredential {
87            id: id.clone(),
88            name: name.to_string(),
89            kind,
90        };
91
92        // Store metadata as JSON.
93        let meta_json = serde_json::to_string(&cred)
94            .map_err(|e| SecretsError::Storage(format!("failed to serialise credential: {e}")))?;
95        self.store
96            .set_secret(GIT_CRED_META_SCOPE, &id, &Secret::new(meta_json))
97            .await?;
98
99        // Store the PAT / SSH key as an encrypted secret.
100        self.store
101            .set_secret(GIT_CRED_SCOPE, &id, &Secret::new(value))
102            .await?;
103
104        info!(id = %id, name = %name, kind = ?kind, "Created git credential");
105        Ok(cred)
106    }
107
108    /// Retrieve credential metadata (without the secret value).
109    ///
110    /// Returns `None` if no credential with the given `id` exists.
111    ///
112    /// # Errors
113    /// Returns a [`SecretsError`] on storage/decryption errors.
114    pub async fn get(&self, id: &str) -> Result<Option<GitCredential>> {
115        let secret = match self.store.get_secret(GIT_CRED_META_SCOPE, id).await {
116            Ok(s) => s,
117            Err(SecretsError::NotFound { .. }) => {
118                debug!(id = %id, "Git credential not found");
119                return Ok(None);
120            }
121            Err(e) => return Err(e),
122        };
123
124        let cred: GitCredential = serde_json::from_str(secret.expose())
125            .map_err(|e| SecretsError::Storage(format!("corrupt git credential '{id}': {e}")))?;
126
127        Ok(Some(cred))
128    }
129
130    /// Retrieve the PAT or SSH key for a Git credential.
131    ///
132    /// # Errors
133    /// Returns [`SecretsError::NotFound`] if the credential does not exist.
134    pub async fn get_value(&self, id: &str) -> Result<Secret> {
135        self.store.get_secret(GIT_CRED_SCOPE, id).await
136    }
137
138    /// List all Git credentials (metadata only, no secret values).
139    ///
140    /// # Errors
141    /// Returns a [`SecretsError`] on storage/decryption errors.
142    pub async fn list(&self) -> Result<Vec<GitCredential>> {
143        let metas = self.store.list_secrets(GIT_CRED_META_SCOPE).await?;
144
145        let mut creds = Vec::with_capacity(metas.len());
146        for meta in metas {
147            if let Some(cred) = self.get(&meta.name).await? {
148                creds.push(cred);
149            }
150        }
151
152        Ok(creds)
153    }
154
155    /// Delete a Git credential and its associated secret.
156    ///
157    /// Both the metadata and the secret value are removed.
158    ///
159    /// # Errors
160    /// Returns [`SecretsError::NotFound`] if the credential does not exist.
161    pub async fn delete(&self, id: &str) -> Result<()> {
162        // Delete metadata first; if it doesn't exist, the whole credential is missing.
163        self.store.delete_secret(GIT_CRED_META_SCOPE, id).await?;
164
165        // Delete the secret value. Ignore NotFound here in case only metadata
166        // existed (defensive).
167        match self.store.delete_secret(GIT_CRED_SCOPE, id).await {
168            Ok(()) | Err(SecretsError::NotFound { .. }) => {}
169            Err(e) => return Err(e),
170        }
171
172        info!(id = %id, "Deleted git credential");
173        Ok(())
174    }
175}
176
177#[cfg(test)]
178mod tests {
179    use super::*;
180    use crate::{EncryptionKey, PersistentSecretsStore};
181
182    async fn create_test_store() -> (PersistentSecretsStore, tempfile::TempDir) {
183        let temp_dir = tempfile::tempdir().unwrap();
184        let db_path = temp_dir.path().join("test_git_creds.sqlite");
185        let key = EncryptionKey::generate();
186        let store = PersistentSecretsStore::open(&db_path, key).await.unwrap();
187        (store, temp_dir)
188    }
189
190    #[tokio::test]
191    async fn test_create_and_get() {
192        let (store, _temp) = create_test_store().await;
193        let git_store = GitCredentialStore::new(store);
194
195        let cred = git_store
196            .create("GitHub PAT for ci", "ghp_xxxx", GitCredentialKind::Pat)
197            .await
198            .unwrap();
199
200        assert_eq!(cred.name, "GitHub PAT for ci");
201        assert_eq!(cred.kind, GitCredentialKind::Pat);
202        assert!(!cred.id.is_empty());
203
204        let retrieved = git_store.get(&cred.id).await.unwrap();
205        assert!(retrieved.is_some());
206        let retrieved = retrieved.unwrap();
207        assert_eq!(retrieved.id, cred.id);
208        assert_eq!(retrieved.name, "GitHub PAT for ci");
209        assert_eq!(retrieved.kind, GitCredentialKind::Pat);
210    }
211
212    #[tokio::test]
213    async fn test_get_value() {
214        let (store, _temp) = create_test_store().await;
215        let git_store = GitCredentialStore::new(store);
216
217        let cred = git_store
218            .create(
219                "My SSH key",
220                "-----BEGIN OPENSSH PRIVATE KEY-----\n...",
221                GitCredentialKind::SshKey,
222            )
223            .await
224            .unwrap();
225
226        let value = git_store.get_value(&cred.id).await.unwrap();
227        assert_eq!(value.expose(), "-----BEGIN OPENSSH PRIVATE KEY-----\n...");
228    }
229
230    #[tokio::test]
231    async fn test_list() {
232        let (store, _temp) = create_test_store().await;
233        let git_store = GitCredentialStore::new(store);
234
235        git_store
236            .create("PAT 1", "token1", GitCredentialKind::Pat)
237            .await
238            .unwrap();
239        git_store
240            .create("SSH key 1", "key1", GitCredentialKind::SshKey)
241            .await
242            .unwrap();
243
244        let list = git_store.list().await.unwrap();
245        assert_eq!(list.len(), 2);
246
247        let names: Vec<&str> = list.iter().map(|c| c.name.as_str()).collect();
248        assert!(names.contains(&"PAT 1"));
249        assert!(names.contains(&"SSH key 1"));
250    }
251
252    #[tokio::test]
253    async fn test_delete() {
254        let (store, _temp) = create_test_store().await;
255        let git_store = GitCredentialStore::new(store);
256
257        let cred = git_store
258            .create("To delete", "token", GitCredentialKind::Pat)
259            .await
260            .unwrap();
261
262        git_store.delete(&cred.id).await.unwrap();
263
264        assert!(git_store.get(&cred.id).await.unwrap().is_none());
265        assert!(git_store.get_value(&cred.id).await.is_err());
266    }
267
268    #[tokio::test]
269    async fn test_create_multiple_same_name() {
270        let (store, _temp) = create_test_store().await;
271        let git_store = GitCredentialStore::new(store);
272
273        let cred1 = git_store
274            .create("Same name", "val1", GitCredentialKind::Pat)
275            .await
276            .unwrap();
277        let cred2 = git_store
278            .create("Same name", "val2", GitCredentialKind::Pat)
279            .await
280            .unwrap();
281
282        // Different UUIDs, both accessible.
283        assert_ne!(cred1.id, cred2.id);
284
285        let v1 = git_store.get_value(&cred1.id).await.unwrap();
286        let v2 = git_store.get_value(&cred2.id).await.unwrap();
287        assert_eq!(v1.expose(), "val1");
288        assert_eq!(v2.expose(), "val2");
289    }
290
291    #[tokio::test]
292    async fn test_get_nonexistent_returns_none() {
293        let (store, _temp) = create_test_store().await;
294        let git_store = GitCredentialStore::new(store);
295
296        let result = git_store.get("nonexistent-id").await.unwrap();
297        assert!(result.is_none());
298    }
299
300    #[tokio::test]
301    async fn test_get_value_nonexistent_returns_error() {
302        let (store, _temp) = create_test_store().await;
303        let git_store = GitCredentialStore::new(store);
304
305        let result = git_store.get_value("nonexistent-id").await;
306        assert!(result.is_err());
307        assert!(matches!(result.unwrap_err(), SecretsError::NotFound { .. }));
308    }
309
310    #[tokio::test]
311    async fn test_delete_nonexistent_returns_error() {
312        let (store, _temp) = create_test_store().await;
313        let git_store = GitCredentialStore::new(store);
314
315        let result = git_store.delete("nonexistent-id").await;
316        assert!(result.is_err());
317        assert!(matches!(result.unwrap_err(), SecretsError::NotFound { .. }));
318    }
319
320    #[tokio::test]
321    async fn test_serde_credential_kind_roundtrip() {
322        let pat = serde_json::to_string(&GitCredentialKind::Pat).unwrap();
323        assert_eq!(pat, "\"pat\"");
324
325        let ssh = serde_json::to_string(&GitCredentialKind::SshKey).unwrap();
326        assert_eq!(ssh, "\"ssh_key\"");
327
328        let parsed: GitCredentialKind = serde_json::from_str(&pat).unwrap();
329        assert_eq!(parsed, GitCredentialKind::Pat);
330
331        let parsed: GitCredentialKind = serde_json::from_str(&ssh).unwrap();
332        assert_eq!(parsed, GitCredentialKind::SshKey);
333    }
334}
zlayer_secrets/git_credentials.rs

zlayer_secrets/
git_credentials.rs
