Skip to main content

Crate wrkflw_secrets

Crate wrkflw_secrets 

Source
Expand description

§wrkflw-secrets

Comprehensive secrets management for wrkflw workflow execution. Supports multiple secret providers and secure handling throughout the execution pipeline.

§Features

  • Multiple Secret Providers: Environment variables, file-based storage, with extensibility for cloud providers
  • Secret Substitution: GitHub Actions-style secret references (${{ secrets.SECRET_NAME }})
  • Automatic Masking: Intelligent secret detection and masking in logs and output
  • Rate Limiting: Built-in protection against secret access abuse
  • Caching: Configurable caching for improved performance
  • Input Validation: Comprehensive validation of secret names and values
  • Thread Safety: Full async/await support with thread-safe operations

§Quick Start

use wrkflw_secrets::{SecretManager, SecretMasker, SecretSubstitution};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Initialize the secret manager with default configuration
    let manager = SecretManager::default().await?;
     
    // Set an environment variable for testing
    std::env::set_var("API_TOKEN", "secret_api_token_123");
     
    // Retrieve a secret
    let secret = manager.get_secret("API_TOKEN").await?;
    println!("Secret value: {}", secret.value());
     
    // Use secret substitution
    let mut substitution = SecretSubstitution::new(&manager);
    let template = "Using token: ${{ secrets.API_TOKEN }}";
    let resolved = substitution.substitute(template).await?;
    println!("Resolved: {}", resolved);
     
    // Set up secret masking
    let mut masker = SecretMasker::new();
    masker.add_secret("secret_api_token_123");
     
    let log_message = "Failed to authenticate with token: secret_api_token_123";
    let masked = masker.mask(log_message);
    println!("Masked: {}", masked); // Will show: "Failed to authenticate with token: se***123"
     
    // Clean up
    std::env::remove_var("API_TOKEN");
    Ok(())
}

§Configuration

use wrkflw_secrets::{SecretConfig, SecretProviderConfig, SecretManager};
use std::collections::HashMap;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let mut providers = HashMap::new();
     
    // Environment variable provider with prefix
    providers.insert(
        "env".to_string(),
        SecretProviderConfig::Environment {
            prefix: Some("MYAPP_SECRET_".to_string())
        }
    );
     
    // File-based provider
    providers.insert(
        "file".to_string(),
        SecretProviderConfig::File {
            path: "/path/to/secrets.json".to_string()
        }
    );
     
    let config = SecretConfig {
        default_provider: "env".to_string(),
        providers,
        enable_masking: true,
        timeout_seconds: 30,
        enable_caching: true,
        cache_ttl_seconds: 300,
        rate_limit: Default::default(),
    };
     
    let manager = SecretManager::new(config).await?;
    Ok(())
}

§Security Features

§Input Validation

All secret names and values are validated to prevent injection attacks and ensure compliance with naming conventions.

§Rate Limiting

Built-in rate limiting prevents abuse and denial-of-service attacks on secret providers.

§Automatic Pattern Detection

The masking system automatically detects and masks common secret patterns:

  • GitHub Personal Access Tokens (ghp_*)
  • AWS Access Keys (AKIA*)
  • JWT tokens
  • API keys and tokens

§Memory Safety

Secrets are handled with care to minimize exposure in memory and logs.

§Provider Support

§Environment Variables

use wrkflw_secrets::{SecretProviderConfig, SecretManager, SecretConfig};

// With prefix for better security
let provider = SecretProviderConfig::Environment {
    prefix: Some("MYAPP_".to_string())
};

§File-based Storage

Supports JSON, YAML, and environment file formats:

{
  "database_password": "super_secret_password",
  "api_key": "your_api_key_here"
}
database_password: super_secret_password
api_key: your_api_key_here
# Environment format
DATABASE_PASSWORD=super_secret_password
API_KEY="your_api_key_here"

Re-exports§

pub use config::SecretConfig;
pub use config::SecretProviderConfig;
pub use error::SecretError;
pub use error::SecretResult;
pub use manager::SecretManager;
pub use masking::SecretMasker;
pub use providers::SecretProvider;
pub use providers::SecretValue;
pub use substitution::SecretSubstitution;

Modules§

config
error
manager
masking
prelude
Re-export commonly used types
providers
rate_limit
Rate limiting for secret access operations
storage
substitution
validation
Input validation utilities for secrets management