
Enum PullSource 

pub enum PullSource {
    AzureKeyVault {
        name: Option<String>,
        ns: Option<String>,
        vault_url: String,
        prefix: Option<String>,
        overwrite: bool,
    },
    HashiCorpVault {
        name: Option<String>,
        ns: Option<String>,
        addr: String,
        mount: String,
        prefix: Option<String>,
        overwrite: bool,
        auth: Option<VaultAuthConfig>,
        vault_namespace: Option<String>,
    },
    OnePassword {
        name: Option<String>,
        ns: Option<String>,
        item: String,
        op_vault: Option<String>,
        overwrite: bool,
    },
    Aws {
        name: Option<String>,
        ns: Option<String>,
        region: Option<String>,
        prefix: Option<String>,
        overwrite: bool,
    },
    SsmParameterStore {
        name: Option<String>,
        ns: Option<String>,
        region: Option<String>,
        path: Option<String>,
        overwrite: bool,
    },
    Gcp {
        name: Option<String>,
        ns: Option<String>,
        project: Option<String>,
        prefix: Option<String>,
        overwrite: bool,
    },
    Bitwarden {
        name: Option<String>,
        ns: Option<String>,
        api_url: Option<String>,
        identity_url: Option<String>,
        client_id: Option<String>,
        client_secret: Option<String>,
        folder: Option<String>,
        password_env: Option<String>,
        overwrite: bool,
    },
    Keepass {
        name: Option<String>,
        path: String,
        password_env: Option<String>,
        keyfile_path: Option<String>,
        group: Option<String>,
        recursive: Option<bool>,
        ns: Option<String>,
        overwrite: bool,
    },
}

A single pull source definition.

Every variant includes two ADR-012 optional fields:

  • name: label for --source <label> filtering
  • ns: namespace prefix applied to fetched keys (separator .)

Variants

AzureKeyVault

Azure Key Vault.

Fields

§name: Option<String>

Optional label for --source <label> filtering (ADR-012).

§ns: Option<String>

Optional namespace prefix; keys become <ns>.KEY_NAME (ADR-012).

§vault_url: String
§prefix: Option<String>
§overwrite: bool

HashiCorpVault

HashiCorp Vault KV v2.

Fields

§name: Option<String>

Optional label for --source <label> filtering (ADR-012).

§ns: Option<String>

Optional namespace prefix; keys become <ns>.KEY_NAME (ADR-012).

§addr: String
§mount: String
§prefix: Option<String>
§overwrite: bool
§auth: Option<VaultAuthConfig>

Authentication method. When absent, the runtime reads env vars (VAULT_ROLE_ID+VAULT_SECRET_ID → AppRole; else VAULT_TOKEN).

§vault_namespace: Option<String>

HCP Vault Enterprise namespace. When set, every request carries X-Vault-Namespace: <vault_namespace>. Also read from VAULT_NAMESPACE.
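
The credential fallback and namespace header described for auth and vault_namespace, as an added example that is not the crate's own code. ResolvedAuth, var, resolve_auth and namespace_header are hypothetical names, the environment is passed in as a map so the order can be checked offline, and letting the manifest field win over VAULT_NAMESPACE is an assumption.

```rust
use std::collections::HashMap;

// Hypothetical stand-in: the page does not show the shape of VaultAuthConfig.
#[derive(Debug, Clone, PartialEq)]
enum ResolvedAuth {
    AppRole { role_id: String, secret_id: String },
    Token(String),
}

// Non-empty lookup: a blank variable must not select an auth method.
fn var(env: &HashMap<&str, &str>, key: &str) -> Option<String> {
    env.get(key).filter(|v| !v.is_empty()).map(|v| v.to_string())
}

/// Order from the `auth` field docs: explicit config, then
/// VAULT_ROLE_ID + VAULT_SECRET_ID (AppRole), else VAULT_TOKEN.
fn resolve_auth(explicit: Option<ResolvedAuth>, env: &HashMap<&str, &str>) -> Result<ResolvedAuth, String> {
    if let Some(auth) = explicit {
        return Ok(auth);
    }
    match (var(env, "VAULT_ROLE_ID"), var(env, "VAULT_SECRET_ID")) {
        (Some(role_id), Some(secret_id)) => Ok(ResolvedAuth::AppRole { role_id, secret_id }),
        // Half an AppRole pair is not enough; fall through to the token.
        _ => var(env, "VAULT_TOKEN")
            .map(ResolvedAuth::Token)
            .ok_or_else(|| "no Vault credentials configured".to_string()),
    }
}

/// Header sent with every request when a namespace is set.
/// Assumption: the manifest field wins over VAULT_NAMESPACE.
fn namespace_header(field: Option<&str>, env: &HashMap<&str, &str>) -> Option<(&'static str, String)> {
    field.map(str::to_string).or_else(|| var(env, "VAULT_NAMESPACE"))
        .filter(|ns| !ns.is_empty())
        .map(|ns| ("X-Vault-Namespace", ns))
}

fn main() {
    // Constructed environment; values are placeholders, not real credentials.
    let env = HashMap::from([("VAULT_ROLE_ID", "role-1"), ("VAULT_TOKEN", "tok-1")]);
    // Report only the method chosen, never the credential itself.
    let method = match resolve_auth(None, &env) {
        Ok(ResolvedAuth::AppRole { .. }) => "approle",
        Ok(ResolvedAuth::Token(_)) => "token",
        Err(_) => "none",
    };
    println!("auth={} ns={:?}", method, namespace_header(Some("team-a"), &env));
}
```

With only VAULT_ROLE_ID and VAULT_TOKEN set, the sample run selects the token, because AppRole needs both halves of the pair.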


OnePassword

1Password via the op CLI.

Fields

§name: Option<String>

Optional label for --source <label> filtering (ADR-012).

§ns: Option<String>

Optional namespace prefix; keys become <ns>.KEY_NAME (ADR-012).

§item: String
§op_vault: Option<String>
§overwrite: bool

Aws

AWS Secrets Manager.

Fields

§name: Option<String>

Optional label for --source <label> filtering (ADR-012).

§ns: Option<String>

Optional namespace prefix; keys become <ns>.KEY_NAME (ADR-012).

§region: Option<String>

AWS region, e.g. us-east-1. Overrides AWS_DEFAULT_REGION/AWS_REGION.

§prefix: Option<String>

Only import secrets whose names start with this prefix.

§overwrite: bool

SsmParameterStore

AWS SSM Parameter Store.

Fields

§name: Option<String>

Optional label for --source <label> filtering (ADR-012).

§ns: Option<String>

Optional namespace prefix; keys become <ns>.KEY_NAME (ADR-012).

§region: Option<String>

AWS region, e.g. us-east-1. Overrides AWS_DEFAULT_REGION/AWS_REGION.

§path: Option<String>

Parameter path prefix (e.g. /myapp/prod/). Defaults to /.

§overwrite: bool

Gcp

GCP Secret Manager.

Fields

§name: Option<String>

Optional label for --source <label> filtering (ADR-012).

§ns: Option<String>

Optional namespace prefix; keys become <ns>.KEY_NAME (ADR-012).

§project: Option<String>

GCP project ID. Overrides GOOGLE_CLOUD_PROJECT/GCLOUD_PROJECT.

§prefix: Option<String>

Only import secrets whose names start with this prefix.

§overwrite: bool

Bitwarden

Bitwarden via the bw CLI (task E2.2).

Cipher values in the Bitwarden REST API are always E2E encrypted client-side; this source uses the bw CLI subprocess to unlock and list items with plaintext decryption handled by the CLI.

Auth requires TSAFE_BW_CLIENT_ID, TSAFE_BW_CLIENT_SECRET, and TSAFE_BW_PASSWORD (master password for bw unlock).

Fields

§name: Option<String>

Optional label for --source <label> filtering (ADR-012).

§ns: Option<String>

Optional namespace prefix; keys become <ns>.KEY_NAME (ADR-012).

§api_url: Option<String>

Bitwarden API base URL. Defaults to https://api.bitwarden.com. Override for self-hosted Vaultwarden instances.

§identity_url: Option<String>

Bitwarden identity base URL. Defaults to https://identity.bitwarden.com.

§client_id: Option<String>

OAuth2 client ID. Reads TSAFE_BW_CLIENT_ID when not set here.

§client_secret: Option<String>

OAuth2 client secret. Reads TSAFE_BW_CLIENT_SECRET when not set here.

§folder: Option<String>

Bitwarden folder ID to filter items. Imports all items when absent.

§password_env: Option<String>

Name of the env var that holds the master password for bw unlock. Defaults to TSAFE_BW_PASSWORD.

§overwrite: bool

Keepass

KeePass .kdbx file (local path).

The master password is read from the env var named by password_env (never stored literally in the manifest). An optional key file can supplement or replace the password.

Fields

§name: Option<String>

Optional label for --source <label> filtering (ADR-012).

§path: String

Absolute path to the .kdbx file.

§password_env: Option<String>

Name of the environment variable that holds the master password. If omitted and no keyfile_path is set, opening the database will fail.

§keyfile_path: Option<String>

Absolute path to a KeePass key file (.keyx or binary).

§group: Option<String>

Only import entries whose direct parent group has this name (case-insensitive). When absent, all entries from the root group are imported (or all groups when recursive is true).

§recursive: Option<bool>

When true, traverse descendant groups as well as the matched top-level group. Defaults to false.

§ns: Option<String>

Optional namespace prefix; keys become <ns>.KEY_NAME (ADR-012).

§overwrite: bool
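
How group and recursive bound the set of imported entries, as an added example that is not the crate's own code. Group, collect, select_entries and sample_db are hypothetical names over a constructed group tree, and matching group only against the root's direct children is an assumption drawn from the phrase "matched top-level group".

```rust
// Constructed model of a KeePass group tree; not the project's types.
struct Group {
    name: &'static str,
    entries: Vec<&'static str>,
    children: Vec<Group>,
}

// Append this group's entries, and its descendants' when `recursive` is set.
fn collect(g: &Group, recursive: bool, out: &mut Vec<&'static str>) {
    out.extend(g.entries.iter().copied());
    if recursive {
        for child in &g.children {
            collect(child, true, out);
        }
    }
}

/// Entry titles selected by `group` and `recursive` per the field docs.
/// Assumption: `group` is matched against the root's direct children.
fn select_entries(root: &Group, group: Option<&str>, recursive: Option<bool>) -> Vec<&'static str> {
    let recursive = recursive.unwrap_or(false); // documented default
    let mut out = Vec::new();
    match group {
        None => collect(root, recursive, &mut out),
        Some(wanted) => {
            let wanted = wanted.to_lowercase(); // case-insensitive match
            for g in root.children.iter().filter(|g| g.name.to_lowercase() == wanted) {
                collect(g, recursive, &mut out);
            }
        }
    }
    out
}

// Constructed sample database: Root > {Prod > Archive, Personal}.
fn sample_db() -> Group {
    let leaf = |name: &'static str, entries: Vec<&'static str>| Group { name, entries, children: vec![] };
    let mut prod = leaf("Prod", vec!["DB_PASSWORD"]);
    prod.children.push(leaf("Archive", vec!["OLD_DB_PASSWORD"]));
    let personal = leaf("Personal", vec!["BANK_PIN"]);
    Group { name: "Root", entries: vec!["ROOT_KEY"], children: vec![prod, personal] }
}

fn main() {
    let db = sample_db();
    for (group, recursive) in [(None, None), (None, Some(true)), (Some("prod"), None), (Some("prod"), Some(true))] {
        println!("group={:?} recursive={:?} -> {:?}", group, recursive, select_entries(&db, group, recursive));
    }
}
```

Leaving group unset with recursive set to true imports every entry in the sample database, including the unrelated Personal group, so the narrowest setting that covers the needed entries keeps the import scope smallest.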

Implementations

impl PullSource

pub fn name(&self) -> Option<&str>

Return the name label for this source, if declared (ADR-012).

pub fn ns(&self) -> Option<&str>

Return the ns namespace prefix for this source, if declared (ADR-012).

Keys fetched from a source with ns set are stored as <ns>.KEY_NAME.

pub fn provider_type(&self) -> &'static str

Return a human-readable provider type label for display purposes.

Trait Implementations

impl Debug for PullSource

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for PullSource

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper.

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> Same for T

type Output = T

Should always be Self

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

fn vzip(self) -> V

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper.

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper.

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,