hana_vault/

lib.rs

//! # Hana Vault - Encrypted SQLite Credential Manager
//!
//! A secure, encrypted vault for storing SSH credentials, hosts, and sensitive data using SQLite with AES-256-GCM encryption.
//!
//! ## Features
//!
//! - **Encrypted SQLite Storage**: All data is stored in an encrypted in-memory SQLite database
//! - **Binary Encryption**: Vaults can be exported as encrypted bytes
//! - **Autonomous Migrations**: Schema versioning with automatic migration system
//! - **Multiple Credential Types**: Support for username/password, RSA, OpenSSH, Ed25519, ECDSA, and certificate-based auth
//! - **Host Management**: Store hosts with startup commands, environment variables, and custom encodings
//! - **Industry-Standard Crypto**: AES-256-GCM symmetric encryption
//! - **Key-Based API**: Supply your own encryption key (derive from password using Argon2id in your application)
//! - **Zero Knowledge**: Raw SQLite database is never exposed, only encrypted formats
//!
//! ## Usage
//!
//! ```rust
//! use hana_vault::{Vault, Host, Credential, SecretKey};
//! # use hana_vault::error::Result;
//!
//! # fn main() -> Result<()> {
//! // Generate or derive a 256-bit key (in production, derive from password using Argon2id)
//! let key = SecretKey::random();
//!
//! // Create a new vault with the key
//! let vault = Vault::new(key.clone())?;
//!
//! // Add a host
//! let mut host = Host::new("Production Server".to_string(), "prod.example.com".to_string(), 22);
//! host.add_env_var("PATH".to_string(), "/usr/local/bin:/usr/bin".to_string());
//! host = host.with_startup_command("source ~/.profile".to_string());
//! vault.add_host(&host)?;
//!
//! // Add credentials
//! let cred = Credential::new_username_password(
//!     "Admin Credentials".to_string(),
//!     "admin".to_string(),
//!     "super_secret".to_string(),
//! );
//! vault.add_credential(&cred)?;
//!
//! // Link credential to host
//! vault.link_credential_to_host(host.id, cred.id, true)?;
//!
//! // Save to encrypted file (manual implementation)
//! # use std::path::Path;
//! # use std::fs::File;
//! # use std::io::Write;
//! # let temp_dir = std::env::temp_dir();
//! # let path = temp_dir.join("vault.hev");
//! let encrypted_bytes = vault.export_to_bytes()?;
//! let mut file = File::create(&path)?;
//! file.write_all(&encrypted_bytes)?;
//!
//! // Load from file (manual implementation)
//! # use std::io::Read;
//! let mut file = File::open(&path)?;
//! let mut encrypted_data = Vec::new();
//! file.read_to_end(&mut encrypted_data)?;
//! let loaded = Vault::load_from_bytes(&encrypted_data, key)?;
//! # Ok(())
//! # }
//! ```
//!
//! ## Security Features
//!
//! - **Encrypted Storage**: SQLite database encrypted at rest with AES-256-GCM
//! - **Key-Based API**: You control key derivation (recommended: Argon2id with 600,000+ iterations)
//! - **Memory-Only SQLite**: Database only exists in memory, never on disk
//! - **Binary Encryption**: All exports use authenticated encryption (AES-256-GCM)
//! - **Memory Safety**: Sensitive data automatically zeroized on drop
//! - **Checksum Verification**: SHA-256 checksums prevent data corruption
//! - **No Plaintext Storage**: Raw SQLite database never written to disk
//!

pub mod binary;
pub mod crypto;
pub mod error;
pub mod models;
pub mod schema;
pub mod vault;

// Re-export main types for convenience
pub use crypto::SecretKey;
pub use error::{Result, VaultError};
pub use models::{Credential, CredentialType, Host, SecureString};
pub use vault::Vault;

// Re-export crypto constants for advanced users
pub use crypto::{
    NONCE_SIZE, TAG_SIZE, KEY_SIZE,
    VAULT_FORMAT_VERSION, VAULT_MAGIC,
};

// Re-export schema version
pub use schema::CURRENT_VERSION as SCHEMA_VERSION;

/// Library version
pub const VERSION: &str = env!("CARGO_PKG_VERSION");

#[cfg(test)]
mod integration_tests {
    use super::*;
    use tempfile::NamedTempFile;

    #[test]
    fn test_full_workflow() -> Result<()> {
        // Create vault with a random key
        let key = SecretKey::random();
        let vault = Vault::new(key.clone())?;

        // Add hosts
        let mut web_server = Host::new(
            "Web Server".to_string(),
            "web.example.com".to_string(),
            22,
        );
        web_server = web_server.with_username("deploy".to_string());
        web_server = web_server.with_startup_command("cd /var/www && source env.sh".to_string());
        web_server.add_env_var("NODE_ENV".to_string(), "production".to_string());
        web_server.add_env_var("PORT".to_string(), "3000".to_string());

        let db_server = Host::new(
            "Database Server".to_string(),
            "db.example.com".to_string(),
            22,
        );

        vault.add_host(&web_server)?;
        vault.add_host(&db_server)?;

        // Add credentials
        let ssh_key_cred = Credential::new_ssh_key(
            "Deploy Key".to_string(),
            CredentialType::OpenSsh,
            "-----BEGIN OPENSSH PRIVATE KEY-----\ntest_key_data\n-----END OPENSSH PRIVATE KEY-----".to_string(),
            Some("ssh-ed25519 AAAAC3... user@example.com".to_string()),
            None,
        );

        let password_cred = Credential::new_username_password(
            "Admin Password".to_string(),
            "admin".to_string(),
            "super_secure_password_123!".to_string(),
        );

        vault.add_credential(&ssh_key_cred)?;
        vault.add_credential(&password_cred)?;

        // Link credentials to hosts
        vault.link_credential_to_host(web_server.id, ssh_key_cred.id, true)?;
        vault.link_credential_to_host(db_server.id, password_cred.id, true)?;

        // Test retrieval
        let hosts = vault.list_hosts()?;
        assert_eq!(hosts.len(), 2);

        let credentials = vault.list_credentials()?;
        assert_eq!(credentials.len(), 2);

        let web_server_creds = vault.get_host_credentials(web_server.id)?;
        assert_eq!(web_server_creds.len(), 1);
        assert_eq!(web_server_creds[0].0.name, "Deploy Key");
        assert!(web_server_creds[0].1); // is_default

        // Test export to bytes
        let encrypted_bytes = vault.export_to_bytes()?;
        assert!(!encrypted_bytes.is_empty());

        // Test load from bytes
        let loaded_vault = Vault::load_from_bytes(&encrypted_bytes, key)?;

        let loaded_hosts = loaded_vault.list_hosts()?;
        assert_eq!(loaded_hosts.len(), 2);

        // Verify environment variables were preserved
        let loaded_web = loaded_hosts.iter().find(|h| h.name == "Web Server").unwrap();
        assert_eq!(loaded_web.environment_variables.get("NODE_ENV"), Some(&"production".to_string()));
        assert_eq!(loaded_web.environment_variables.get("PORT"), Some(&"3000".to_string()));
        assert_eq!(loaded_web.startup_command.as_deref(), Some("cd /var/www && source env.sh"));

        Ok(())
    }

    #[test]
    fn test_file_roundtrip() -> Result<()> {
        let temp_file = NamedTempFile::new().unwrap();
        let path = temp_file.path();

        // Create and save vault
        let key = SecretKey::random();
        let vault = Vault::new(key.clone())?;

        let host = Host::new("Test Server".to_string(), "test.example.com".to_string(), 2222);
        vault.add_host(&host)?;

        let encrypted_data = vault.export_to_bytes()?;
        std::fs::write(path, &encrypted_data)?;

        // Load vault
        let file_data = std::fs::read(path)?;
        let loaded = Vault::load_from_bytes(&file_data, key)?;

        let hosts = loaded.list_hosts()?;
        assert_eq!(hosts.len(), 1);
        assert_eq!(hosts[0].name, "Test Server");
        assert_eq!(hosts[0].port, 2222);

        Ok(())
    }

    #[test]
    fn test_wrong_key() {
        let correct_key = SecretKey::random();
        let wrong_key = SecretKey::random();
        
        let vault = Vault::new(correct_key).unwrap();
        let bytes = vault.export_to_bytes().unwrap();

        let result = Vault::load_from_bytes(&bytes, wrong_key);
        assert!(matches!(result, Err(VaultError::InvalidKey)));
    }

    #[test]
    fn test_update_operations() -> Result<()> {
        let key = SecretKey::random();
        let vault = Vault::new(key)?;

        // Add and update host
        let mut host = Host::new("Server".to_string(), "example.com".to_string(), 22);
        vault.add_host(&host)?;

        host.name = "Updated Server".to_string();
        host.port = 2222;
        host.add_env_var("NEW_VAR".to_string(), "value".to_string());
        vault.update_host(&host)?;

        let updated = vault.get_host(host.id)?.unwrap();
        assert_eq!(updated.name, "Updated Server");
        assert_eq!(updated.port, 2222);
        assert_eq!(updated.environment_variables.get("NEW_VAR"), Some(&"value".to_string()));

        // Add and update credential
        let mut cred = Credential::new_username_password(
            "Cred".to_string(),
            "user".to_string(),
            "pass".to_string(),
        );
        vault.add_credential(&cred)?;

        cred.name = "Updated Cred".to_string();
        vault.update_credential(&cred)?;

        let updated_cred = vault.get_credential(cred.id)?.unwrap();
        assert_eq!(updated_cred.name, "Updated Cred");

        Ok(())
    }

    #[test]
    fn test_delete_operations() -> Result<()> {
        let key = SecretKey::random();
        let vault = Vault::new(key)?;

        let host = Host::new("Server".to_string(), "example.com".to_string(), 22);
        vault.add_host(&host)?;

        let cred = Credential::new_username_password(
            "Cred".to_string(),
            "user".to_string(),
            "pass".to_string(),
        );
        vault.add_credential(&cred)?;

        // Delete host
        vault.delete_host(host.id)?;
        assert!(vault.get_host(host.id)?.is_none());

        // Delete credential
        vault.delete_credential(cred.id)?;
        assert!(vault.get_credential(cred.id)?.is_none());

        Ok(())
    }

    #[test]
    fn test_multiple_credentials_per_host() -> Result<()> {
        let key = SecretKey::random();
        let vault = Vault::new(key)?;

        let host = Host::new("Server".to_string(), "example.com".to_string(), 22);
        vault.add_host(&host)?;

        let cred1 = Credential::new_username_password(
            "Cred 1".to_string(),
            "user1".to_string(),
            "pass1".to_string(),
        );
        let cred2 = Credential::new_username_password(
            "Cred 2".to_string(),
            "user2".to_string(),
            "pass2".to_string(),
        );

        vault.add_credential(&cred1)?;
        vault.add_credential(&cred2)?;

        vault.link_credential_to_host(host.id, cred1.id, true)?;
        vault.link_credential_to_host(host.id, cred2.id, false)?;

        let host_creds = vault.get_host_credentials(host.id)?;
        assert_eq!(host_creds.len(), 2);

        // First should be default (sorted by is_default DESC)
        assert_eq!(host_creds[0].0.id, cred1.id);
        assert!(host_creds[0].1);

        Ok(())
    }


    #[test]
    fn test_all_credential_types() -> Result<()> {
        let key = SecretKey::random();
        let vault = Vault::new(key)?;

        let types = vec![
            CredentialType::UsernamePassword,
            CredentialType::Rsa,
            CredentialType::OpenSsh,
            CredentialType::Ed25519,
            CredentialType::Ecdsa,
            CredentialType::Certificate,
            CredentialType::Custom,
        ];

        for cred_type in types {
            let cred = Credential::new_ssh_key(
                format!("{:?} Key", cred_type),
                cred_type,
                "test_private_key".to_string(),
                Some("test_public_key".to_string()),
                None,
            );
            vault.add_credential(&cred)?;

            let retrieved = vault.get_credential(cred.id)?.unwrap();
            assert_eq!(retrieved.credential_type, cred_type);
        }

        let all_creds = vault.list_credentials()?;
        assert_eq!(all_creds.len(), 7);

        Ok(())
    }
}