lfg2025/archy
1
0
Fork 0
Code Issues 14 Pull Requests Actions Packages Projects Releases 44 Wiki Activity
archy/core/security/src/secrets_manager.rs

98 lines
2.9 KiB
Rust
Raw Normal View History

Initial commit
2026-01-24 22:01:51 +00:00
// Encrypted secrets management for containers
// Stores secrets securely and injects them at runtime
use anyhow::{Context, Result};
use std::path::PathBuf;
use tokio::fs;
use uuid::Uuid;
pub struct SecretsManager {
secrets_dir: PathBuf,
Update archipelago: API, auth, container, parmanode, performance, security - API handler, RPC, and server updates - Auth and coding rules - Container data manager, dev orchestrator, health monitor, podman client - Parmanode script runner - Performance resource manager - Security container policies and secrets manager - Add build scripts and documentation
2026-01-27 22:27:17 +00:00
_encryption_key: Vec<u8>, // In production, derive from user password
Initial commit
2026-01-24 22:01:51 +00:00
}
impl SecretsManager {
pub fn new(secrets_dir: PathBuf, encryption_key: Vec<u8>) -> Self {
Self {
secrets_dir,
Update archipelago: API, auth, container, parmanode, performance, security - API handler, RPC, and server updates - Auth and coding rules - Container data manager, dev orchestrator, health monitor, podman client - Parmanode script runner - Performance resource manager - Security container policies and secrets manager - Add build scripts and documentation
2026-01-27 22:27:17 +00:00
_encryption_key: encryption_key,
Initial commit
2026-01-24 22:01:51 +00:00
}
}
/// Store a secret for an app
pub async fn store_secret(
&self,
app_id: &str,
Update archipelago: API, auth, container, parmanode, performance, security - API handler, RPC, and server updates - Auth and coding rules - Container data manager, dev orchestrator, health monitor, podman client - Parmanode script runner - Performance resource manager - Security container policies and secrets manager - Add build scripts and documentation
2026-01-27 22:27:17 +00:00
_key: &str,
Initial commit
2026-01-24 22:01:51 +00:00
value: &str,
) -> Result<String> {
let secret_id = Uuid::new_v4().to_string();
let secret_path = self.secrets_dir
.join(app_id)
.join(format!("{}.secret", secret_id));
fs::create_dir_all(secret_path.parent().unwrap()).await?;
// TODO: Encrypt the secret value
// For now, store as plaintext (MUST be encrypted in production)
fs::write(&secret_path, value).await
.context("Failed to write secret")?;
// Set restrictive permissions
#[cfg(unix)]
{
use std::os::unix::fs::PermissionsExt;
let mut perms = fs::metadata(&secret_path).await?.permissions();
perms.set_mode(0o600);
fs::set_permissions(&secret_path, perms).await?;
}
Ok(secret_id)
}
/// Retrieve a secret (returns the secret ID path for volume mounting)
pub fn get_secret_path(&self, app_id: &str, secret_id: &str) -> PathBuf {
self.secrets_dir
.join(app_id)
.join(format!("{}.secret", secret_id))
}
/// List secrets for an app
pub async fn list_secrets(&self, app_id: &str) -> Result<Vec<String>> {
let app_secrets_dir = self.secrets_dir.join(app_id);
if !app_secrets_dir.exists() {
return Ok(vec![]);
}
let mut secrets = Vec::new();
let mut entries = fs::read_dir(&app_secrets_dir).await?;
while let Some(entry) = entries.next_entry().await? {
let path = entry.path();
if path.extension().and_then(|s| s.to_str()) == Some("secret") {
if let Some(secret_id) = path.file_stem()
.and_then(|s| s.to_str())
.map(|s| s.to_string()) {
secrets.push(secret_id);
}
}
}
Ok(secrets)
}
/// Delete a secret
pub async fn delete_secret(&self, app_id: &str, secret_id: &str) -> Result<()> {
let secret_path = self.secrets_dir
.join(app_id)
.join(format!("{}.secret", secret_id));
if secret_path.exists() {
fs::remove_file(&secret_path).await?;
}
Ok(())
}
}
Reference in New Issue Copy Permalink