1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89
//! A simple secrets database.
//!
//! While `hips` can be used as a binary for operational purposes, you might need your server to
//! retrieve secrets at runtime.
//!
//! You should be mostly manipulating the [`Database`][1] object directly. It exposes an API very
//! similar to the hips binary's (store, load, remove, list...)
//!
//! [1]: struct.Database.html
#[macro_use]
extern crate serde;
use crate::prelude::*;
mod prelude {
pub use crate::{Backend, Database, Encrypter};
pub use crate::{Encrypted, Secret};
pub use anyhow::{Context, Error, Result};
pub use std::io::{Read, Write};
pub use std::path::PathBuf;
}
/// A handle to the underlying secrets database.
///
/// Any calls to this object's methods (load, store..) will result in a similar call on the
/// injected `Backend` implementation, no caching is being done. Every call will also invoke
/// encryption/decryption logic, which should be considered slow.
pub struct Database {
b: Box<dyn Backend>,
e: Box<dyn Encrypter>,
}
mod database;
/// Storage behavior: what does it mean to store/load/..?
///
/// A few backends are implemented by default ([`YAML`][1] and [`Folder`][2] at this time.) You are
/// free to implement your own `Backend` (that connects to a remote server for example) and
/// initialize a new `Database` with it.
///
/// [1]: backends/struct.YAML.html
/// [2]: backends/struct.Folder.html
pub trait Backend {
fn store(&mut self, encrypted: Encrypted) -> Result<()>;
fn load(&self, name: String) -> Result<Encrypted>;
fn remove(&mut self, name: String) -> Result<()>;
fn list(&self) -> Result<Vec<Encrypted>>;
}
pub mod backends;
/// Encryption behavior: what does it mean to encrypt/decrypt?
///
/// A single [`Ring`][1] encrypter is available at this time. In a past version, an openssl option
/// was also available. You are free to implement your own `Encrypter` and initialize a new
/// `Database` with it.
///
/// [1]: encrypters/struct.Ring.html
pub trait Encrypter {
fn encrypt(&self, secret: Secret) -> Result<Encrypted>;
fn decrypt(&self, encrypted: Encrypted) -> Result<Secret>;
}
pub mod encrypters;
/// A plaintext secret and its name.
///
/// Returned by the `decrypt` method of an [`Encrypter`][1] when provided an [`Encrypted`][2]
/// secret. Passing this secret to the same encrypter's `encrypt` method again might yield
/// different `Encrypted` data (this depends on the encrypter implementation.)
///
/// [1]: trait.Encrypter.html
/// [2]: struct.Encrypted.html
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct Secret {
pub name: String,
pub secret: String,
}
/// An encrypted secret and its name.
///
/// Returned by the `encrypt` method of an [`Encrypter`][1] when provided a [`Secret`][2]. Should
/// yield the same `Secret` when passed to the same encrypter's `decrypt` method.
///
/// [1]: trait.Encrypter.html
/// [2]: struct.Secret.html
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct Encrypted {
name: String,
secret: String,
salt: String,
}