Struct AdminCredentials

pub struct AdminCredentials { /* private fields */ }

Administrative credentials.

Tracks the following credentials and passphrases:

• the backup passphrase of the backend,
• the unlock passphrase of the backend,
• the top-level administrator credentials of the backend,
• the namespace administrator credentials of the backend.

Note

The unlock and backup passphrase must be at least 10 characters long. The passphrases of top-level and namespace administrator accounts must be at least 10 characters long. The list of top-level administrator credentials must include an account with the username “admin”.

Implementations

impl AdminCredentials

pub fn new( iteration: u32, backup_passphrase: Passphrase, unlock_passphrase: Passphrase, administrators: Vec<FullCredentials>, namespace_administrators: Vec<FullCredentials>, ) -> Result<Self, Error>

Creates a new AdminCredentials instance.

Examples

use nethsm::FullCredentials;
use signstar_config::admin_credentials::AdminCredentials;

let creds = AdminCredentials::new(
    1,
    "backup-passphrase".parse()?,
    "unlock-passphrase".parse()?,
    vec![FullCredentials::new(
        "admin".parse()?,
        "admin-passphrase".parse()?,
    )],
    vec![FullCredentials::new(
        "ns1~admin".parse()?,
        "ns1-admin-passphrase".parse()?,
    )],
)?;

pub fn load( secrets_handling: AdministrativeSecretHandling, ) -> Result<Self, Error>

Loads an AdminCredentials from the default file location.

Depending on secrets_handling, the file path and contents differ:

• AdministrativeSecretHandling::Plaintext: the file path is defined by get_plaintext_credentials_file and the contents are plaintext,
• AdministrativeSecretHandling::SystemdCreds: the file path is defined by get_systemd_creds_credentials_file and the contents are systemd-creds encrypted.

Delegates to AdminCredentials::load_from_file, providing the specific file path and the selected secrets_handling.

Examples

use signstar_config::{AdminCredentials, AdministrativeSecretHandling};

// load plaintext credentials from default location
let plaintext_admin_creds = AdminCredentials::load(AdministrativeSecretHandling::Plaintext)?;

// load systemd-creds encrypted credentials from default location
let systemd_creds_admin_creds =
    AdminCredentials::load(AdministrativeSecretHandling::SystemdCreds)?;

Errors

Returns an error if AdminCredentials::load_from_file fails.

Panics

This function panics when providing AdministrativeSecretHandling::ShamirsSecretSharing as secrets_handling.

pub fn load_from_file( path: impl AsRef<Path>, secrets_handling: AdministrativeSecretHandling, ) -> Result<Self, Error>

Loads an AdminCredentials instance from file.

Depending on path and secrets_handling, the behavior of this function differs:

• If secrets_handling is set to AdministrativeSecretHandling::Plaintext the contents at path are considered to be plaintext.
• If secrets_handling is set to AdministrativeSecretHandling::SystemdCreds the contents at path are considered to be systemd-creds encrypted.

Examples

use std::io::Write;

use signstar_config::{AdminCredentials, AdministrativeSecretHandling};

let admin_creds = r#"iteration = 1
backup_passphrase = "backup-passphrase"
unlock_passphrase = "unlock-passphrase"

[[administrators]]
name = "admin"
passphrase = "admin-passphrase"

[[namespace_administrators]]
name = "ns1~admin"
passphrase = "ns1-admin-passphrase"
"#;
let mut tempfile = tempfile::NamedTempFile::new()?;
write!(tempfile.as_file_mut(), "{admin_creds}");

assert!(
    AdminCredentials::load_from_file(tempfile.path(), AdministrativeSecretHandling::Plaintext)
        .is_ok()
);

Errors

Returns an error if

• the function is called by a system user that is not root,
• the file at path does not exist,
• the file at path is not a file,
• the file at path is considered as plaintext but can not be loaded,
• the file at path is considered as systemd-creds encrypted but can not be decrypted,
• or the file at path is considered as systemd-creds encrypted but can not be loaded after decryption.

Panics

This function panics when providing AdministrativeSecretHandling::ShamirsSecretSharing as secrets_handling.

pub fn store( &self, secrets_handling: AdministrativeSecretHandling, ) -> Result<(), Error>

Stores the AdminCredentials as a file in the default location.

Depending on secrets_handling, the file path and contents differ:

• AdministrativeSecretHandling::Plaintext: the file path is defined by get_plaintext_credentials_file and the contents are plaintext,
• AdministrativeSecretHandling::SystemdCreds: the file path is defined by get_systemd_creds_credentials_file and the contents are systemd-creds encrypted.

Automatically creates the directory in which the administrative credentials are created. After storing the AdminCredentials as file, its file permissions and ownership are adjusted so that it is only accessible by root.

Examples

use nethsm::FullCredentials;
use signstar_config::{AdminCredentials, AdministrativeSecretHandling};

let creds = AdminCredentials::new(
    1,
    "backup-passphrase".parse()?,
    "unlock-passphrase".parse()?,
    vec![FullCredentials::new(
        "admin".parse()?,
        "admin-passphrase".parse()?,
    )],
    vec![FullCredentials::new(
        "ns1~admin".parse()?,
        "ns1-admin-passphrase".parse()?,
    )],
)?;

// store as plaintext file
creds.store(AdministrativeSecretHandling::Plaintext)?;

// store as systemd-creds encrypted file
creds.store(AdministrativeSecretHandling::SystemdCreds)?;

Errors

Returns an error if

• the function is called by a system user that is not root,
• the directory for administrative credentials cannot be created,
• self cannot be turned into its TOML representation,
• the systemd-creds command is not found,
• systemd-creds fails to encrypt the TOML representation of self,
• the target file can not be created,
• the plaintext or systemd-creds encrypted data can not be written to file,
• or the ownership or permissions of the target file can not be adjusted.

Panics

This function panics when providing AdministrativeSecretHandling::ShamirsSecretSharing as secrets_handling.

pub fn get_iteration(&self) -> u32

Returns the iteration.

pub fn get_backup_passphrase(&self) -> &str

Returns the backup passphrase.

pub fn get_unlock_passphrase(&self) -> &str

Returns the unlock passphrase.

pub fn get_administrators(&self) -> &[FullCredentials]

Returns the list of administrators.

pub fn get_default_administrator(&self) -> Result<&FullCredentials, Error>

Returns the default system-wide administrator “admin”.

Errors

Returns an error if no administrative account with the system-wide UserId “admin” is found.

pub fn get_namespace_administrators(&self) -> &[FullCredentials]

Returns the list of namespace administrators.

Trait Implementations

impl Clone for AdminCredentials

fn clone(&self) -> AdminCredentials

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for AdminCredentials

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for AdminCredentials

fn default() -> AdminCredentials

Returns the “default value” for a type.

impl<'de> Deserialize<'de> for AdminCredentials

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Serialize for AdminCredentials

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.