From 5dff022db2bf36e5fd4c9fea5727fde3a21de461 Mon Sep 17 00:00:00 2001
From: Toby Hede
Date: Wed, 25 Mar 2026 10:56:33 +1100
Subject: [PATCH 1/2] chore: remove dead generate.rs test fixture
---
.../src/generate.rs | 261 ------------------
1 file changed, 261 deletions(-)
delete mode 100644 packages/cipherstash-proxy-integration/src/generate.rs
diff --git a/packages/cipherstash-proxy-integration/src/generate.rs b/packages/cipherstash-proxy-integration/src/generate.rs
deleted file mode 100644
index 59bb1e1d..00000000
--- a/packages/cipherstash-proxy-integration/src/generate.rs
+++ /dev/null
@@ -1,261 +0,0 @@
-#[cfg(test)]
-mod tests {
- use crate::common::trace;
- use cipherstash_client::config::EnvSource;
- use cipherstash_client::credentials::auto_refresh::AutoRefresh;
- use cipherstash_client::encryption::{
- Encrypted, EncryptedSteVecTerm, JsonIndexer, JsonIndexerOptions, OreTerm, Plaintext,
- PlaintextTarget, ReferencedPendingPipeline,
- };
- use cipherstash_client::{encryption::ScopedCipher, zerokms::EncryptedRecord};
- use cipherstash_client::{ConsoleConfig, CtsConfig, ZeroKMSConfig};
- use cipherstash_config::column::{ArrayIndexMode, Index, IndexType};
- use cipherstash_config::{ColumnConfig, ColumnType};
- use cipherstash_proxy::Identifier;
- use serde::{Deserialize, Serialize};
- use std::sync::Arc;
- use tracing::info;
- use uuid::Uuid;
-
- pub mod option_mp_base85 {
- use cipherstash_client::zerokms::encrypted_record::formats::mp_base85;
- use cipherstash_client::zerokms::EncryptedRecord;
- use serde::{Deserialize, Deserializer, Serializer};
-
- pub fn serialize(
- value: &Option,
- serializer: S,
- ) -> Result
- where
- S: Serializer,
- {
- match value {
- Some(record) => mp_base85::serialize(record, serializer),
- None => serializer.serialize_none(),
- }
- }
-
- pub fn deserialize<'de, D>(deserializer: D) -> Result, D::Error>
- where
- D: Deserializer<'de>,
- {
- let result = Option::::deserialize(deserializer)?;
- Ok(result)
- }
- }
-
- #[derive(Debug, Deserialize, Serialize)]
- pub struct EqlEncrypted {
- #[serde(rename = "c", with = "option_mp_base85")]
- ciphertext: Option,
- #[serde(rename = "i")]
- identifier: Identifier,
- #[serde(rename = "v")]
- version: u16,
-
- #[serde(rename = "o")]
- ore_index: Option>,
- #[serde(rename = "m")]
- match_index: Option>,
- #[serde(rename = "u")]
- unique_index: Option,
-
- #[serde(rename = "s")]
- selector: Option,
-
- #[serde(rename = "b")]
- blake3_index: Option,
-
- #[serde(rename = "ocf")]
- ore_cclw_fixed_index: Option,
- #[serde(rename = "ocv")]
- ore_cclw_var_index: Option,
-
- #[serde(rename = "sv")]
- ste_vec_index: Option>,
- }
-
- #[derive(Debug, Deserialize, Serialize)]
- pub struct EqlSteVecEncrypted {
- #[serde(rename = "c", with = "option_mp_base85")]
- ciphertext: Option,
-
- #[serde(rename = "s")]
- selector: Option,
- #[serde(rename = "b")]
- blake3_index: Option,
- #[serde(rename = "ocf")]
- ore_cclw_fixed_index: Option,
- #[serde(rename = "ocv")]
- ore_cclw_var_index: Option,
- }
-
- impl EqlEncrypted {
- pub fn ste_vec(ste_vec_index: Vec) -> Self {
- Self {
- ste_vec_index: Some(ste_vec_index),
- ciphertext: None,
- identifier: Identifier {
- table: "blah".to_string(),
- column: "vtha".to_string(),
- },
- version: 1,
- ore_index: None,
- match_index: None,
- unique_index: None,
- selector: None,
- ore_cclw_fixed_index: None,
- ore_cclw_var_index: None,
- blake3_index: None,
- }
- }
- }
- impl EqlSteVecEncrypted {
- pub fn ste_vec_element(selector: String, record: EncryptedRecord) -> Self {
- Self {
- ciphertext: Some(record),
- selector: Some(selector),
- ore_cclw_fixed_index: None,
- ore_cclw_var_index: None,
- blake3_index: None,
- }
- }
- }
-
- #[tokio::test]
- async fn generate_ste_vec() {
- trace();
-
- // clear().await;
- // let client = connect_with_tls(PROXY).await;
-
- let console_config = ConsoleConfig::builder().with_env().build().unwrap();
- let cts_config = CtsConfig::builder().with_env().build().unwrap();
- let zerokms_config = ZeroKMSConfig::builder()
- .add_source(EnvSource::default())
- .console_config(&console_config)
- .cts_config(&cts_config)
- .build_with_client_key()
- .unwrap();
- let zerokms_client = zerokms_config
- .create_client_with_credentials(AutoRefresh::new(zerokms_config.credentials()));
-
- let dataset_id = Uuid::parse_str("295504329cb045c398dc464c52a287a1").unwrap();
-
- let cipher = Arc::new(
- ScopedCipher::init(Arc::new(zerokms_client), Some(dataset_id))
- .await
- .unwrap(),
- );
-
- let prefix = "prefix".to_string();
-
- let column_config = ColumnConfig::build("column_name".to_string())
- .casts_as(ColumnType::JsonB)
- .add_index(Index::new(IndexType::SteVec {
- prefix: prefix.to_owned(),
- term_filters: vec![],
- array_index_mode: ArrayIndexMode::ALL,
- }));
-
- // let mut value =
- // serde_json::from_str::("{\"hello\": \"one\", \"n\": 10}").unwrap();
-
- // let mut value =
- // serde_json::from_str::("{\"hello\": \"two\", \"n\": 20}").unwrap();
-
- let value =
- serde_json::from_str::("{\"hello\": \"two\", \"n\": 30}").unwrap();
-
- // let mut value =
- // serde_json::from_str::("{\"hello\": \"world\", \"n\": 42}").unwrap();
-
- // let mut value =
- // serde_json::from_str::("{\"hello\": \"world\", \"n\": 42}").unwrap();
-
- // let mut value =
- // serde_json::from_str::("{\"blah\": { \"vtha\": 42 }}").unwrap();
-
- let plaintext = Plaintext::JsonB(Some(value));
-
- let idx = 0;
-
- let mut pipeline = ReferencedPendingPipeline::new(cipher.clone());
- let encryptable = PlaintextTarget::new(plaintext, column_config);
- pipeline
- .add_with_ref::(encryptable, idx)
- .unwrap();
-
- let mut encrypteds = vec![];
-
- let mut result = pipeline.encrypt(None).await.unwrap();
- if let Some(Encrypted::SteVec(ste_vec)) = result.remove(idx) {
- for entry in ste_vec {
- let selector = hex::encode(entry.0.as_bytes());
- let term = entry.1;
- let record = entry.2;
-
- let mut e = EqlSteVecEncrypted::ste_vec_element(selector, record);
-
- match term {
- EncryptedSteVecTerm::Mac(items) => {
- e.blake3_index = Some(hex::encode(&items));
- }
- EncryptedSteVecTerm::OreFixed(o) => {
- e.ore_cclw_fixed_index = Some(hex::encode(&o));
- }
- EncryptedSteVecTerm::OreVariable(o) => {
- e.ore_cclw_var_index = Some(hex::encode(&o));
- }
- }
-
- encrypteds.push(e);
- }
- // info!("{:?}" = encrypteds);
- }
-
- info!("---------------------------------------------");
-
- let e = EqlEncrypted::ste_vec(encrypteds);
- info!("{:?}" = ?e);
-
- let json = serde_json::to_value(e).unwrap();
- info!("{}", json);
-
- let indexer = JsonIndexer::new(JsonIndexerOptions { prefix });
-
- info!("---------------------------------------------");
-
- // Path
- // let path: String = "$.blah.vtha".to_string();
- // let selector = Selector::parse(&path).unwrap();
- // let selector = indexer.generate_selector(selector, cipher.index_key());
- // let selector = hex::encode(selector.0);
- // info!("{}", selector);
-
- // Comparison
- let n = 30;
- let term = OreTerm::Number(n);
-
- let term = indexer.generate_term(term, cipher.index_key()).unwrap();
-
- match term {
- EncryptedSteVecTerm::Mac(_) => todo!(),
- EncryptedSteVecTerm::OreFixed(ore_cllw8_v1) => {
- let term = hex::encode(ore_cllw8_v1.bytes);
- info!("{n}: {term}");
- }
- EncryptedSteVecTerm::OreVariable(_) => todo!(),
- }
-
- // if let Some(ste_vec_index) = e.ste_vec_index {
- // for e in ste_vec_index {
- // info!("{}", e);
- // if let Some(ct) = e.ciphertext {
- // let decrypted = cipher.decrypt(encrypted).await?;
- // info!("{}", decrypted);
- // }
- // }
- // }
- }
-}
From 82d7104b8ac22686703c296b9ef711ba1dcf4e9b Mon Sep 17 00:00:00 2001
From: Toby Hede Date: Wed, 25 Mar 2026 10:56:40 +1100 Subject: [PATCH 2/2] feat(deps): upgrade cipherstash-client from 0.33.2 to 0.34.0-alpha.4 Adapt proxy to breaking API changes in cipherstash-client 0.34: - Update ZeroKMS client initialization for new builder API - Add authentication strategy detection with AutoStrategy - Use valid UUID placeholders in example config - Add documentation URLs to config validation error messages - Use ZEROKMS log target constant for consistency - Update development docs for new credential requirements --- Cargo.lock | 855 +++++++++++++----- Cargo.toml | 4 +- DEVELOPMENT.md | 27 +- cipherstash-proxy-example.toml | 4 +- docker-compose.yml | 2 + packages/cipherstash-proxy/Cargo.toml | 2 +- .../cipherstash-proxy/src/config/tandem.rs | 83 +- packages/cipherstash-proxy/src/error.rs | 25 +- packages/cipherstash-proxy/src/proxy/mod.rs | 23 +- .../src/proxy/zerokms/mod.rs | 63 +- .../src/proxy/zerokms/zerokms.rs | 2 +- .../cipherstash-proxy-bad-client-id.toml | 19 + .../tests/config/cipherstash-proxy-test.toml | 2 +- .../config/cipherstash-proxy-with-crn.toml | 2 +- tests/docker-compose.yml | 4 + 15 files changed, 772 insertions(+), 345 deletions(-) create mode 100644 packages/cipherstash-proxy/tests/config/cipherstash-proxy-bad-client-id.toml diff --git a/Cargo.lock b/Cargo.lock index 56ca3955..fa73667a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -35,7 +35,7 @@ checksum = "b169f7a6d4742236a0a00c541b845991d0ac43e546831af1249753ab4c3aa3a0" dependencies = [ "cfg-if", "cipher 0.4.4", - "cpufeatures", + "cpufeatures 0.2.17", "zeroize", ] 
@@ -172,6 +172,20 @@ version = "1.0.97" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dcfed56ad506cb2c684a14971b8861fdc3baaaae314b9e5f9bb532cbe3ba7a4f" +[[package]] +name = "aquamarine" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0f50776554130342de4836ba542aa85a4ddb361690d7e8df13774d7284c3d5c2" +dependencies = [ + "include_dir", + "itertools 0.10.5", + "proc-macro-error2", + "proc-macro2", + "quote", + "syn 2.0.117", +] + [[package]] name = "arc-swap" version = "1.7.1" @@ -212,7 +226,7 @@ dependencies = [ "nom 7.1.3", "num-traits", "rusticata-macros", - "thiserror 2.0.12", + "thiserror 2.0.18", "time", ] @@ -224,7 +238,7 @@ checksum = "3109e49b1e4909e9db6515a30c633684d68cdeaa252f215214cb4fa1a5bfee2c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", "synstructure", ] @@ -236,7 +250,7 @@ checksum = "7b18050c2cd6fe86c3a76584ef5e0baf286d038cda203eb6223df2cc413565f7" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -281,7 +295,7 @@ checksum = "e539d3fca749fcee5236ab05e93a52867dd549cc157c8cb7f99595f3cedffdb5" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -414,7 +428,7 @@ checksum = "604fde5e028fea851ce1d8570bbdc034bec850d157f7569d10f347d06808c05c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -566,7 +580,7 @@ dependencies = [ "proc-macro-crate", "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -663,7 +677,7 @@ dependencies = [ "darling", "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] 
@@ -702,6 +716,17 @@ version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724" +[[package]] +name = "chacha20" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6f8d983286843e49675a4b7a2d174efe136dc93a18d69130dd18198a6c167601" +dependencies = [ + "cfg-if", + "cpufeatures 0.3.0", + "rand_core 0.10.0", +] + [[package]] name = "chrono" version = "0.4.42" @@ -737,9 +762,9 @@ dependencies = [ [[package]] name = "cipherstash-client" -version = "0.33.2" +version = "0.34.0-alpha.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "178b3176d30da0e10794e82675f3b8462a36d4c5f5e317874fc0b6d31c23e3b8" +checksum = "200537bf2ab562b085e34df7e3391d0426ab04eea3ed588a7fc27f1bd218ee33" dependencies = [ "aes-gcm-siv", "anyhow", @@ -751,7 +776,7 @@ dependencies = [ "blake3", "cfg-if", "chrono", - "cipherstash-config", + "cipherstash-config 0.34.0-alpha.4", "cipherstash-core", "cllw-ore", "cts-common", @@ -760,17 +785,17 @@ dependencies = [ "futures", "hex", "hmac", - "itertools", + "itertools 0.12.1", "lazy_static", "log", "miette", "opaque-debug", - "open", + "open 3.2.0", "ore-rs", "percent-encoding", "rand 0.8.5", - "recipher", - "reqwest 0.12.15", + "recipher 0.2.0", + "reqwest", "reqwest-middleware", "reqwest-retry", "reqwest-tracing", @@ -783,6 +808,8 @@ dependencies = [ "serde_json", "serdect", "sha2", + "stack-auth", + "stack-profile", "static_assertions", "thiserror 1.0.69", "tokio", @@ -790,6 +817,8 @@ dependencies = [ "tracing", "url", "uuid", + "vitaminc", + "vitaminc-protected", "winnow 0.6.26", "zeroize", "zerokms-protocol", 
@@ -806,11 +835,22 @@ dependencies = [ "thiserror 1.0.69", ] +[[package]] +name = "cipherstash-config" +version = "0.34.0-alpha.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "333ba6c42338ce6bbbc515fb75e43b57311ece1a9ea41e7daabe50478c342841" +dependencies = [ + "bitflags", + "serde", + "thiserror 1.0.69", +] + [[package]] name = "cipherstash-core" -version = "0.1.2" +version = "0.34.0-alpha.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dd56dfac0a35146968ef6696fb822b22f70a664a8739874385876d5452844b7a" +checksum = "32921e505e39f8f7cae9f55e82462d8dd92764a9148f479b42abf52e60e90437" dependencies = [ "hmac", "lazy_static", @@ -848,7 +888,7 @@ dependencies = [ "postgres-protocol", "postgres-types", "rand 0.9.2", - "recipher", + "recipher 0.1.3", "regex", "rust_decimal", "rustls", @@ -859,7 +899,7 @@ dependencies = [ "socket2 0.5.8", "sqltk", "temp-env", - "thiserror 2.0.12", + "thiserror 2.0.18", "tokio", "tokio-postgres", "tokio-postgres-rustls", @@ -879,13 +919,13 @@ dependencies = [ "bytes", "chrono", "cipherstash-client", - "cipherstash-config", + "cipherstash-config 0.2.6", "cipherstash-proxy", "fake 4.2.0", "hex", "postgres-types", "rand 0.9.2", - "reqwest 0.13.1", + "reqwest", "rustls", "serde", "serde_json", @@ -930,7 +970,7 @@ dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -941,9 +981,9 @@ checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6" [[package]] name = "cllw-ore" -version = "0.3.0" +version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2f709d51cf9a5ed6f6fc319a49bbfc160f5b29f8cc9ba0df2e7412a3b9d519b0" +checksum = "c676b8e0a3130e6f8b4398d9aa5b287c3ce7074ac89f1ccf1570ebeb22281629" dependencies = [ "blake3", "hex", 
@@ -1020,7 +1060,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "83e22e0ed40b96a48d3db274f72fd365bd78f67af39b6bbd47e8a15e1c6207ff" dependencies = [ "cfg-if", - "cpufeatures", + "cpufeatures 0.2.17", "hex", "proptest", "serde", @@ -1082,6 +1122,15 @@ dependencies = [ "libc", ] +[[package]] +name = "cpufeatures" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8b2a41393f66f16b0823bb79094d54ac5fbd34ab292ddafb9a0456ac9f87d201" +dependencies = [ + "libc", +] + [[package]] name = "crc32fast" version = "1.5.0" @@ -1091,6 +1140,12 @@ dependencies = [ "cfg-if", ] +[[package]] +name = "critical-section" +version = "1.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "790eea4361631c5e7d22598ecd5723ff611904e3344ce8720784c93e3d83d40b" + [[package]] name = "crossbeam-channel" version = "0.5.15" @@ -1137,9 +1192,9 @@ dependencies = [ [[package]] name = "cts-common" -version = "0.4.1" +version = "0.34.0-alpha.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b1b0b629ef1939040e09625a0c70045650149f5b6be7bd0935fc0c4a50129b54" +checksum = "d7817fb03b19c6a588bc9120fd876a6d65f531a0b2aa0d39384bc78f3c4c4340" dependencies = [ "arrayvec", "axum", @@ -1187,7 +1242,7 @@ dependencies = [ "proc-macro2", "quote", "strsim", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -1198,7 +1253,7 @@ checksum = "d336a2a514f6ccccaa3e09b02d41d35330c07ddf03a62165fcec10bb561c7806" dependencies = [ "darling_core", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -1250,7 +1305,7 @@ checksum = "8034092389675178f570469e6c3b0465d3d30b4505c294a6550db47f3c17ad18" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -1288,7 +1343,7 @@ checksum = "cb7330aeadfbe296029522e6c40f315320aba36fc43a5b3632f3795348f3bd22" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", "unicode-xid", ] 
@@ -1300,7 +1355,7 @@ checksum = "bda628edc44c4bb645fbe0f758797143e4e07926f7ebf4e9bdfbd3d2ce621df3" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", "unicode-xid", ] @@ -1331,7 +1386,7 @@ dependencies = [ "dsl_auto_type", "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -1340,7 +1395,7 @@ version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "209c735641a413bc68c4923a9d6ad4bcb3ca306b794edaa7eb0b3228a99ffb25" dependencies = [ - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -1388,7 +1443,7 @@ checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -1402,7 +1457,7 @@ dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -1414,7 +1469,7 @@ dependencies = [ "darling", "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -1426,7 +1481,7 @@ dependencies = [ "darling", "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -1438,7 +1493,7 @@ dependencies = [ "darling", "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -1474,7 +1529,7 @@ dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -1486,7 +1541,7 @@ dependencies = [ "impl-trait-for-tuples", "pretty_assertions", "sqltk", - "thiserror 2.0.12", + "thiserror 2.0.18", "topological-sort", "tracing", "tracing-subscriber", @@ -1499,7 +1554,7 @@ dependencies = [ "pretty_assertions", "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -1703,7 +1758,7 @@ checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] 
@@ -1760,6 +1815,16 @@ dependencies = [ "version_check", ] +[[package]] +name = "gethostname" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dc3655aa6818d65bc620d6911f05aa7b6aeb596291e1e9f79e52df85583d1e30" +dependencies = [ + "rustix 0.38.44", + "windows-targets 0.52.6", +] + [[package]] name = "getrandom" version = "0.2.15" @@ -1782,11 +1847,25 @@ dependencies = [ "cfg-if", "js-sys", "libc", - "r-efi", + "r-efi 5.2.0", "wasi 0.14.2+wasi-0.2.4", "wasm-bindgen", ] +[[package]] +name = "getrandom" +version = "0.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0de51e6874e94e7bf76d726fc5d13ba782deca734ff60d5bb2fb2607c7406555" +dependencies = [ + "cfg-if", + "libc", + "r-efi 6.0.0", + "rand_core 0.10.0", + "wasip2", + "wasip3", +] + [[package]] name = "gimli" version = "0.31.1" @@ -1869,9 +1948,9 @@ checksum = "7ebdb29d2ea9ed0083cd8cece49bbd968021bd99b0849edb4a9a7ee0fdf6a4e0" [[package]] name = "hickory-proto" -version = "0.24.4" +version = "0.25.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "92652067c9ce6f66ce53cc38d1169daa36e6e7eb7dd3b63b5103bd9d97117248" +checksum = "f8a6fe56c0038198998a6f217ca4e7ef3a5e51f46163bd6dd60b5c71ca6c6502" dependencies = [ "async-trait", "cfg-if", @@ -1883,8 +1962,9 @@ dependencies = [ "idna", "ipnet", "once_cell", - "rand 0.8.5", - "thiserror 1.0.69", + "rand 0.9.2", + "ring", + "thiserror 2.0.18", "tinyvec", "tokio", "tracing", 
@@ -1893,21 +1973,21 @@ dependencies = [ [[package]] name = "hickory-resolver" -version = "0.24.4" +version = "0.25.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cbb117a1ca520e111743ab2f6688eddee69db4e0ea242545a604dce8a66fd22e" +checksum = "dc62a9a99b0bfb44d2ab95a7208ac952d31060efc16241c87eaf36406fecf87a" dependencies = [ "cfg-if", "futures-util", "hickory-proto", "ipconfig", - "lru-cache", + "moka", "once_cell", "parking_lot", - "rand 0.8.5", + "rand 0.9.2", "resolv-conf", "smallvec", - "thiserror 1.0.69", + "thiserror 2.0.18", "tokio", "tracing", ] @@ -2006,7 +2086,6 @@ dependencies = [ "tokio", "tokio-rustls", "tower-service", - "webpki-roots 0.26.11", ] [[package]] @@ -2174,9 +2253,15 @@ checksum = "1ec89e9337638ecdc08744df490b221a7399bf8d164eb52a665454e60e075ad6" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] +[[package]] +name = "id-arena" +version = "2.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954" + [[package]] name = "ident_case" version = "1.0.1" @@ -2212,7 +2297,26 @@ checksum = "a0eb5a3343abf848c0984fe4604b2b105da9539376e24fc0a3b0007411ae4fd9" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", +] + +[[package]] +name = "include_dir" +version = "0.7.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "923d117408f1e49d914f1a379a309cffe4f18c05cf4e3d12e613a15fc81bd0dd" +dependencies = [ + "include_dir_macros", +] + +[[package]] +name = "include_dir_macros" +version = "0.7.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7cab85a7ed0bd5f0e76d93846e0147172bed2e2d3f859bcc33a8d9699cad1a75" +dependencies = [ + "proc-macro2", + "quote", ] [[package]] 
@@ -2263,6 +2367,25 @@ dependencies = [ "serde", ] +[[package]] +name = "is-docker" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "928bae27f42bc99b60d9ac7334e3a21d10ad8f1835a4e12ec3ec0464765ed1b3" +dependencies = [ + "once_cell", +] + +[[package]] +name = "is-wsl" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "173609498df190136aa7dea1a91db051746d339e18476eed5ca40521f02d7aa5" +dependencies = [ + "is-docker", + "once_cell", +] + [[package]] name = "is_ci" version = "1.2.0" @@ -2275,6 +2398,15 @@ version = "1.70.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf" +[[package]] +name = "itertools" +version = "0.10.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473" +dependencies = [ + "either", +] + [[package]] name = "itertools" version = "0.12.1" @@ -2331,12 +2463,33 @@ dependencies = [ "wasm-bindgen", ] +[[package]] +name = "jsonwebtoken" +version = "9.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5a87cc7a48537badeae96744432de36f4be2b4a34a05a5ef32e9dd8a1c169dde" +dependencies = [ + "base64", + "js-sys", + "pem", + "ring", + "serde", + "serde_json", + "simple_asn1", +] + [[package]] name = "lazy_static" version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" +[[package]] +name = "leb128fmt" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2" + [[package]] name = "libc" version = "0.2.177" 
@@ -2360,10 +2513,10 @@ dependencies = [ ] [[package]] -name = "linked-hash-map" -version = "0.5.6" +name = "linux-raw-sys" +version = "0.4.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0717cef1bc8b636c6e1c1bbdefc09e6322da8a9321966e8928ef80d20f7f770f" +checksum = "d26c52dbd32dccf2d10cac7725f8eae5296885fb5703b261f7d0a0739ec807ab" [[package]] name = "linux-raw-sys" @@ -2406,15 +2559,6 @@ dependencies = [ "tracing-subscriber", ] -[[package]] -name = "lru-cache" -version = "0.1.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "31e24f1ad8321ca0e8a1e0ac13f23cb668e6f5466c2c57319f6a5cf1cc8e3b1c" -dependencies = [ - "linked-hash-map", -] - [[package]] name = "lru-slab" version = "0.1.2" @@ -2478,7 +2622,7 @@ dependencies = [ "metrics", "metrics-util", "quanta", - "thiserror 2.0.12", + "thiserror 2.0.18", "tokio", "tracing", ] @@ -2527,7 +2671,7 @@ checksum = "bf45bf44ab49be92fd1227a3be6fc6f617f1a337c06af54981048574d8783147" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -2714,6 +2858,10 @@ name = "once_cell" version = "1.21.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c2806eaa3524762875e21c3dcd057bc4b7bfa01ce4da8d46be1cd43649e1cc6b" +dependencies = [ + "critical-section", + "portable-atomic", +] [[package]] name = "opaque-debug" @@ -2731,6 +2879,17 @@ dependencies = [ "windows-sys 0.42.0", ] +[[package]] +name = "open" +version = "5.3.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "43bb73a7fa3799b198970490a51174027ba0d4ec504b03cd08caf513d40024bc" +dependencies = [ + "is-wsl", + "libc", + "pathdiff", +] + [[package]] name = "openssl-probe" version = "0.1.6" 
@@ -2826,6 +2985,16 @@ version = "0.2.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "df94ce210e5bc13cb6651479fa48d14f601d9858cfe0467f43ae157023b938d3" +[[package]] +name = "pem" +version = "3.0.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1d30c53c26bc5b31a98cd02d20f25a7c8567146caf63ed593a9d87b2775291be" +dependencies = [ + "base64", + "serde_core", +] + [[package]] name = "percent-encoding" version = "2.3.1" @@ -2871,7 +3040,7 @@ dependencies = [ "phf_shared", "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -2908,7 +3077,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9d1fe60d06143b2430aa532c94cfe9e29783047f06c0d7fd359a9a51b729fa25" dependencies = [ "cfg-if", - "cpufeatures", + "cpufeatures 0.2.17", "opaque-debug", "universal-hash", ] @@ -2928,7 +3097,7 @@ dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -3013,6 +3182,16 @@ dependencies = [ "yansi", ] +[[package]] +name = "prettyplease" +version = "0.2.37" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b" +dependencies = [ + "proc-macro2", + "syn 2.0.117", +] + [[package]] name = "proc-macro-crate" version = "3.3.0" 
@@ -3022,6 +3201,28 @@ dependencies = [ "toml_edit", ] +[[package]] +name = "proc-macro-error-attr2" +version = "2.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "96de42df36bb9bba5542fe9f1a054b8cc87e172759a1868aa05c1f3acc89dfc5" +dependencies = [ + "proc-macro2", + "quote", +] + +[[package]] +name = "proc-macro-error2" +version = "2.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "11ec05c52be0a07b08061f7dd003e7d7092e0472bc731b4af7bb1ef876109802" +dependencies = [ + "proc-macro-error-attr2", + "proc-macro2", + "quote", + "syn 2.0.117", +] + [[package]] name = "proc-macro2" version = "1.0.95" @@ -3105,7 +3306,7 @@ dependencies = [ "rustc-hash", "rustls", "socket2 0.5.8", - "thiserror 2.0.12", + "thiserror 2.0.18", "tokio", "tracing", "web-time", @@ -3127,7 +3328,7 @@ dependencies = [ "rustls", "rustls-pki-types", "slab", - "thiserror 2.0.12", + "thiserror 2.0.18", "tinyvec", "tracing", "web-time", @@ -3162,6 +3363,12 @@ version = "5.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "74765f6d916ee2faa39bc8e68e4f3ed8949b48cccdac59983d287a7cb71ce9c5" +[[package]] +name = "r-efi" +version = "6.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf" + [[package]] name = "radium" version = "0.7.0" @@ -3189,6 +3396,17 @@ dependencies = [ "rand_core 0.9.3", ] +[[package]] +name = "rand" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bc266eb313df6c5c09c1c7b1fbe2510961e5bcd3add930c1e31f7ed9da0feff8" +dependencies = [ + "chacha20", + "getrandom 0.4.2", + "rand_core 0.10.0", +] + [[package]] name = "rand_chacha" version = "0.3.1" 
@@ -3227,6 +3445,12 @@ dependencies = [ "getrandom 0.3.2", ] +[[package]] +name = "rand_core" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0c8d0fd677905edcbeedbf2edb6494d676f0e98d54d5cf9bda0b061cb8fb8aba" + [[package]] name = "rand_xorshift" version = "0.4.0" @@ -3275,6 +3499,27 @@ dependencies = [ "zeroize", ] +[[package]] +name = "recipher" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "061598013445a8bb847d0c95ee33b5e95c1d198d5242b6a8b9f3078aa7437e79" +dependencies = [ + "aes", + "async-trait", + "cmac", + "hex", + "hex-literal", + "opaque-debug", + "rand 0.8.5", + "rand_chacha 0.3.1", + "serde", + "serde_cbor", + "sha2", + "thiserror 1.0.69", + "zeroize", +] + [[package]] name = "recursive" version = "0.1.1" @@ -3292,7 +3537,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "76009fbe0614077fc1a2ce255e3a1881a2e3a3527097d5dc6d8212c585e7e38b" dependencies = [ "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -3355,15 +3600,16 @@ dependencies = [ [[package]] name = "reqwest" -version = "0.12.15" +version = "0.13.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d19c46a6fdd48bc4dab94b6103fccc55d34c67cc0ad04653aad4ea2a07cd7bbb" +checksum = "04e9018c9d814e5f30cc16a0f03271aeab3571e609612d9fe78c1aa8d11c2f62" dependencies = [ - "async-compression", "base64", "bytes", + "encoding_rs", "futures-core", "futures-util", + "h2", "hickory-resolver", "http", "http-body", @@ -3371,7 +3617,6 @@ dependencies = [ "hyper", "hyper-rustls", "hyper-util", - "ipnet", "js-sys", "log", "mime", @@ -3380,8 +3625,8 @@ dependencies = [ "pin-project-lite", "quinn", "rustls", - "rustls-pemfile", "rustls-pki-types", + "rustls-platform-verifier 0.6.2", "serde", "serde_json", "serde_urlencoded", 
@@ -3390,74 +3635,35 @@ dependencies = [ "tokio-rustls", "tokio-util", "tower", - "tower-service", - "url", - "wasm-bindgen", - "wasm-bindgen-futures", - "wasm-streams", - "web-sys", - "webpki-roots 0.26.11", - "windows-registry", -] - -[[package]] -name = "reqwest" -version = "0.13.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "04e9018c9d814e5f30cc16a0f03271aeab3571e609612d9fe78c1aa8d11c2f62" -dependencies = [ - "base64", - "bytes", - "encoding_rs", - "futures-core", - "h2", - "http", - "http-body", - "http-body-util", - "hyper", - "hyper-rustls", - "hyper-util", - "js-sys", - "log", - "mime", - "percent-encoding", - "pin-project-lite", - "quinn", - "rustls", - "rustls-pki-types", - "rustls-platform-verifier 0.6.2", - "sync_wrapper", - "tokio", - "tokio-rustls", - "tower", "tower-http", "tower-service", "url", "wasm-bindgen", "wasm-bindgen-futures", + "wasm-streams", "web-sys", ] [[package]] name = "reqwest-middleware" -version = "0.4.2" +version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "57f17d28a6e6acfe1733fe24bcd30774d13bffa4b8a22535b4c8c98423088d4e" +checksum = "199dda04a536b532d0cc04d7979e39b1c763ea749bf91507017069c00b96056f" dependencies = [ "anyhow", "async-trait", "http", - "reqwest 0.12.15", + "reqwest", "serde", - "thiserror 1.0.69", + "thiserror 2.0.18", "tower-service", ] [[package]] name = "reqwest-retry" -version = "0.8.0" +version = "0.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "105747e3a037fe5bf17458d794de91149e575b6183fc72c85623a44abb9683f5" +checksum = "fe2412db2af7d2268e7a5406be0431f37d9eb67ff390f35b395716f5f06c2eaa" dependencies = [ "anyhow", "async-trait", @@ -3465,10 +3671,10 @@ dependencies = [ "getrandom 0.2.15", "http", "hyper", - "reqwest 0.12.15", + "reqwest", "reqwest-middleware", "retry-policies", - "thiserror 2.0.12", + "thiserror 2.0.18", "tokio", "tracing", "wasmtimer", 
@@ -3476,16 +3682,16 @@ dependencies = [ [[package]] name = "reqwest-tracing" -version = "0.5.8" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d70ea85f131b2ee9874f0b160ac5976f8af75f3c9badfe0d955880257d10bd83" +checksum = "d5c1a1510677d43dce9e9c0c07fc5db8772c0e5a43e4f9cef75a11affa05a578" dependencies = [ "anyhow", "async-trait", "getrandom 0.2.15", "http", "matchit", - "reqwest 0.12.15", + "reqwest", "reqwest-middleware", "tracing", ] @@ -3561,11 +3767,10 @@ dependencies = [ [[package]] name = "rmp-serde" -version = "1.3.0" +version = "1.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "52e599a477cf9840e92f2cde9a7189e67b42c57532749bf90aea6ec10facd4db" +checksum = "72f81bee8c8ef9b577d1681a70ebbc962c232461e397b22c208c43c04b67a155" dependencies = [ - "byteorder", "rmp", "serde", ] @@ -3627,6 +3832,19 @@ dependencies = [ "nom 7.1.3", ] +[[package]] +name = "rustix" +version = "0.38.44" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fdb5bc1ae2baa591800df16c9ca78619bf65c0488b41b96ccec5d11220d8c154" +dependencies = [ + "bitflags", + "errno", + "libc", + "linux-raw-sys 0.4.15", + "windows-sys 0.59.0", +] + [[package]] name = "rustix" version = "1.0.3" @@ -3636,7 +3854,7 @@ dependencies = [ "bitflags", "errno", "libc", - "linux-raw-sys", + "linux-raw-sys 0.9.3", "windows-sys 0.59.0", ] @@ -3649,7 +3867,6 @@ dependencies = [ "aws-lc-rs", "log", "once_cell", - "ring", "rustls-pki-types", "rustls-webpki", "subtle", @@ -3668,15 +3885,6 @@ dependencies = [ "security-framework", ] -[[package]] -name = "rustls-pemfile" -version = "2.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50" -dependencies = [ - "rustls-pki-types", -] - [[package]] name = "rustls-pki-types" version = "1.11.0" 
@@ -3884,7 +4092,7 @@ checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -3977,7 +4185,7 @@ checksum = "0a7d91949b85b0d2fb687445e448b40d322b6b3e4af6b44a29b21d9a5f33e6d9" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -3993,7 +4201,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8" dependencies = [ "cfg-if", - "cpufeatures", + "cpufeatures 0.2.17", "digest", ] @@ -4043,6 +4251,18 @@ version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e3a9fe34e3e7a50316060351f37187a3f546bce95496156754b601a5fa71b76e" +[[package]] +name = "simple_asn1" +version = "0.6.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0d585997b0ac10be3c5ee635f1bab02d512760d14b7c468801ac8a01d9ae5f1d" +dependencies = [ + "num-bigint", + "num-traits", + "thiserror 2.0.18", + "time", +] + [[package]] name = "siphasher" version = "1.0.1" 
@@ -4127,6 +4347,45 @@ version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3" +[[package]] +name = "stack-auth" +version = "0.34.0-alpha.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e3e8a681ffc8eb40575fb5f40b8316f1b9e03074eb1e4951e0690b00b0349fed" +dependencies = [ + "aquamarine", + "cts-common", + "jsonwebtoken", + "miette", + "open 5.3.3", + "reqwest", + "serde", + "serde_json", + "stack-profile", + "thiserror 1.0.69", + "tokio", + "tracing", + "url", + "uuid", + "vitaminc", + "vitaminc-protected", + "zeroize", +] + +[[package]] +name = "stack-profile" +version = "0.34.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "56fdb1e5ef2111e616fb46da39ad63485b3f3c82de3245fe3c14ce52e8775112" +dependencies = [ + "dirs", + "gethostname", + "serde", + "serde_json", + "thiserror 1.0.69", + "uuid", +] + [[package]] name = "stacker" version = "0.1.21" @@ -4209,9 +4468,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.101" +version = "2.0.117" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8ce2b7fc941b3a24138a0a7cf8e858bfc6a992e7978a068a5c760deb0ed43caf" +checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99" dependencies = [ "proc-macro2", "quote", @@ -4235,7 +4494,7 @@ checksum = "c8af7666ab7b6390ab78131fb5b0fce11d6b7a6951602017c35fa82800708971" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -4286,7 +4545,7 @@ version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "45c6481c4829e4cc63825e62c49186a34538b7b2750b73b266581ffb612fb5ed" dependencies = [ - "rustix", + "rustix 1.0.3", "windows-sys 0.59.0", ] 
@@ -4311,11 +4570,11 @@ dependencies = [ [[package]] name = "thiserror" -version = "2.0.12" +version = "2.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "567b8a2dae586314f7be2a752ec7474332959c6460e02bde30d702a66d488708" +checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4" dependencies = [ - "thiserror-impl 2.0.12", + "thiserror-impl 2.0.18", ] [[package]] @@ -4326,18 +4585,18 @@ checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] name = "thiserror-impl" -version = "2.0.12" +version = "2.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f7cf42b4507d8ea322120659672cf1b9dbb93f8f2d4ecfd6e51350ff5b17a1d" +checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -4424,7 +4683,7 @@ checksum = "2d2e76690929402faae40aebdda620a2c0e25dd6d3b9afe48867dfd95991f4bd" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -4452,7 +4711,7 @@ checksum = "af407857209536a95c8e56f8231ef2c2e2aff839b22e07a1ffcbc617e9db9fa5" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -4583,13 +4842,18 @@ version = "0.6.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8" dependencies = [ + "async-compression", "bitflags", "bytes", + "futures-core", "futures-util", "http", "http-body", + "http-body-util", "iri-string", "pin-project-lite", + "tokio", + "tokio-util", "tower", "tower-layer", "tower-service", @@ -4627,7 +4891,7 @@ checksum = "395ae124c09f9e6918a2310af6038fba074bcf474ac352496d5910dd59a2226d" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] 
@@ -4829,7 +5093,7 @@ checksum = "6d79d08d92ab8af4c5e8a6da20c47ae3f61a0f1dabc1997cdf2d082b757ca08b" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", "url", "uuid", ] @@ -4847,6 +5111,36 @@ dependencies = [ "sha1_smol", ] +[[package]] +name = "validator" +version = "0.20.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "43fb22e1a008ece370ce08a3e9e4447a910e92621bb49b85d6e48a45397e7cfa" +dependencies = [ + "idna", + "once_cell", + "regex", + "serde", + "serde_derive", + "serde_json", + "url", + "validator_derive", +] + +[[package]] +name = "validator_derive" +version = "0.20.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b7df16e474ef958526d1205f6dda359fdfab79d9aa6d54bafcb92dcd07673dca" +dependencies = [ + "darling", + "once_cell", + "proc-macro-error2", + "proc-macro2", + "quote", + "syn 2.0.117", +] + [[package]] name = "valuable" version = "0.1.1" @@ -4867,10 +5161,11 @@ checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a" [[package]] name = "vitaminc" -version = "0.1.0-pre4" +version = "0.1.0-pre4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3f800bb9d02311571a8de172d63a4c9c10e07869089e3ddd84a8b05f3bef2d93" +checksum = "7c8b739a2cb1e528e77a69267728532f52d2d5ce18ae2839e26c797859fe9015" dependencies = [ + "vitaminc-aead", "vitaminc-encrypt", "vitaminc-protected", "vitaminc-random", @@ -4879,9 +5174,9 @@ dependencies = [ [[package]] name = "vitaminc-aead" -version = "0.1.0-pre4" +version = "0.1.0-pre4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4e2b9f64cfbcc0c8d781e2a7d33beb183fd8f58735bed8c662286548042de820" +checksum = "7c29cef4d4b0d018c4223d366017d2a9756012acf76e25011aaca877f3c74904" dependencies = [ "bytes", "serde", 
@@ -4892,9 +5187,9 @@ dependencies = [ [[package]] name = "vitaminc-encrypt" -version = "0.1.0-pre4" +version = "0.1.0-pre4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dc871c8b8c61e5d2e4e097526e9cf7bc99913a45c23f31c2f6d5f1f2d0b8eec7" +checksum = "c4e3869aaf60ebb95ccbdfcf003985132325b4d1ac6f5d945ad2fbb9149afd3a" dependencies = [ "aws-lc-rs", "vitaminc-aead", @@ -4905,13 +5200,12 @@ dependencies = [ [[package]] name = "vitaminc-protected" -version = "0.1.0-pre3" +version = "0.1.0-pre4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cf363bf624d149a8862a79a879b22d9b3f50bebabe90a7bdfb0a2b2f42844cdb" +checksum = "af693c39d3cd1c818ef6267539433c6ceca87840b12d24124adbc9c8ecba1709" dependencies = [ "bitvec", "digest", - "opaque-debug", "serde", "serde_bytes", "subtle", @@ -4921,24 +5215,23 @@ dependencies = [ [[package]] name = "vitaminc-protected-derive" -version = "0.1.0-pre3" +version = "0.1.0-pre4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7baafd4f0fa70bb246ac6895f5695ba1fdd529688ba5b92f8ae39922e1b1cb7a" +checksum = "e74520596b66eec546ef18d5376f6f18cdaf874caca9fa39e03eb12f9abb76fa" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] name = "vitaminc-random" -version = "0.1.0-pre4" +version = "0.1.0-pre4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "30ed841b58f676dc55a49d65284c91a2da2b71e57508c646a77c91f4dd31eb96" +checksum = "ea9de431cb93359d293ec7e70d05d87117a57f34bfc5bc94f040b81d4dd1afd6" dependencies = [ - "rand 0.8.5", - "rand_chacha 0.3.1", - "thiserror 1.0.69", + "rand 0.10.0", + "thiserror 2.0.18", "vitaminc-protected", "vitaminc-random-derives", "zeroize", 
@@ -4946,26 +5239,26 @@ dependencies = [ [[package]] name = "vitaminc-random-derives" -version = "0.1.0-pre4" +version = "0.1.0-pre4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "172cdde4c52be52584990097655de39d835e9bcca5593c2b3517c8978ac87e89" +checksum = "49d33ac4682235551d25c874525c20e03d4c863b39f556391f52f7a2083bfbdf" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] name = "vitaminc-traits" -version = "0.1.0-pre4" +version = "0.1.0-pre4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fb63364ce6b2a33176d2a1aba75d6b77d982518654e84192419d18b8c97f36b5" +checksum = "c25a9e51d24c3befddd71e907dd4ae9f21cfbaae065fb0ef5202e5d21cd198d0" dependencies = [ "anyhow", "bytes", "rmp-serde", "serde", - "thiserror 1.0.69", + "thiserror 2.0.18", "vitaminc-protected", "vitaminc-random", "zeroize", @@ -5005,6 +5298,24 @@ dependencies = [ "wit-bindgen-rt", ] +[[package]] +name = "wasip2" +version = "1.0.2+wasi-0.2.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9517f9239f02c069db75e65f174b3da828fe5f5b945c4dd26bd25d89c03ebcf5" +dependencies = [ + "wit-bindgen", +] + +[[package]] +name = "wasip3" +version = "0.4.0+wasi-0.3.0-rc-2026-01-06" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5428f8bf88ea5ddc08faddef2ac4a67e390b88186c703ce6dbd955e1c145aca5" +dependencies = [ + "wit-bindgen", +] + [[package]] name = "wasite" version = "0.1.0" @@ -5033,7 +5344,7 @@ dependencies = [ "log", "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", "wasm-bindgen-shared", ] @@ -5068,7 +5379,7 @@ checksum = "8ae87ea40c9f689fc23f209965b6fb8a99ad69aeeb0231408be24920604395de" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", "wasm-bindgen-backend", "wasm-bindgen-shared", ] 
@@ -5082,6 +5393,28 @@ dependencies = [ "unicode-ident", ] +[[package]] +name = "wasm-encoder" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "990065f2fe63003fe337b932cfb5e3b80e0b4d0f5ff650e6985b1048f62c8319" +dependencies = [ + "leb128fmt", + "wasmparser", +] + +[[package]] +name = "wasm-metadata" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bb0e353e6a2fbdc176932bbaab493762eb1255a7900fe0fea1a2f96c296cc909" +dependencies = [ + "anyhow", + "indexmap", + "wasm-encoder", + "wasmparser", +] + [[package]] name = "wasm-streams" version = "0.4.2" @@ -5095,6 +5428,18 @@ dependencies = [ "web-sys", ] +[[package]] +name = "wasmparser" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe" +dependencies = [ + "bitflags", + "hashbrown 0.15.2", + "indexmap", + "semver", +] + [[package]] name = "wasmtimer" version = "0.4.3" @@ -5147,24 +5492,6 @@ dependencies = [ "rustls-pki-types", ] -[[package]] -name = "webpki-roots" -version = "0.26.11" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "521bc38abb08001b01866da9f51eb7c5d647a19260e00054a8c7fd5f9e57f7a9" -dependencies = [ - "webpki-roots 1.0.0", -] - -[[package]] -name = "webpki-roots" -version = "1.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2853738d1cc4f2da3a225c18ec6c3721abb31961096e9dbf5ab35fa88b19cfdb" -dependencies = [ - "rustls-pki-types", -] - [[package]] name = "whoami" version = "1.6.0" @@ -5276,7 +5603,7 @@ checksum = "a47fddd13af08290e67f4acabf4b459f647552718f683a7b415d290ac744a836" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] 
@@ -5287,7 +5614,7 @@ checksum = "bd9211b69f8dcdfa817bfd14bf1c97c9188afa36f4750130fcdf3f400eca9fa8" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -5699,6 +6026,26 @@ dependencies = [ "windows-sys 0.48.0", ] +[[package]] +name = "wit-bindgen" +version = "0.51.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5" +dependencies = [ + "wit-bindgen-rust-macro", +] + +[[package]] +name = "wit-bindgen-core" +version = "0.51.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ea61de684c3ea68cb082b7a88508a8b27fcc8b797d738bfc99a82facf1d752dc" +dependencies = [ + "anyhow", + "heck", + "wit-parser", +] + [[package]] name = "wit-bindgen-rt" version = "0.39.0" 
@@ -5708,6 +6055,74 @@ dependencies = [ "bitflags", ] +[[package]] +name = "wit-bindgen-rust" +version = "0.51.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b7c566e0f4b284dd6561c786d9cb0142da491f46a9fbed79ea69cdad5db17f21" +dependencies = [ + "anyhow", + "heck", + "indexmap", + "prettyplease", + "syn 2.0.117", + "wasm-metadata", + "wit-bindgen-core", + "wit-component", +] + +[[package]] +name = "wit-bindgen-rust-macro" +version = "0.51.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0c0f9bfd77e6a48eccf51359e3ae77140a7f50b1e2ebfe62422d8afdaffab17a" +dependencies = [ + "anyhow", + "prettyplease", + "proc-macro2", + "quote", + "syn 2.0.117", + "wit-bindgen-core", + "wit-bindgen-rust", +] + +[[package]] +name = "wit-component" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2" +dependencies = [ + "anyhow", + "bitflags", + "indexmap", + "log", + "serde", + "serde_derive", + "serde_json", + "wasm-encoder", + "wasm-metadata", + "wasmparser", + "wit-parser", +] + +[[package]] +name = "wit-parser" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ecc8ac4bc1dc3381b7f59c34f00b67e18f910c2c0f50015669dde7def656a736" +dependencies = [ + "anyhow", + "id-arena", + "indexmap", + "log", + "semver", + "serde", + "serde_derive", + "serde_json", + "unicode-xid", + "wasmparser", +] + [[package]] name = "write16" version = "1.0.0" @@ -5754,7 +6169,7 @@ dependencies = [ "nom 7.1.3", "oid-registry", "rusticata-macros", - "thiserror 2.0.12", + "thiserror 2.0.18", "time", ] @@ -5784,7 +6199,7 @@ checksum = "2380878cad4ac9aac1e2435f3eb4020e8374b5f13c296cb75b4620ff8e229154" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", "synstructure", ] 
@@ -5814,7 +6229,7 @@ checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -5825,7 +6240,7 @@ checksum = "a996a8f63c5c4448cd959ac1bab0aaa3306ccfd060472f85943ee0750f0169be" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] @@ -5845,7 +6260,7 @@ checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", "synstructure", ] @@ -5866,17 +6281,17 @@ checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] [[package]] name = "zerokms-protocol" -version = "0.11.0" +version = "0.12.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "79a4c335246480040f9fe9b257e878bb6d6c2d140d69fe0c8628baae28b46cc1" +checksum = "f52f1d857d2e6d4fe258c49906d53f8b2666c4841dc2e39e67cfea3717382294" dependencies = [ "base64", - "cipherstash-config", + "cipherstash-config 0.34.0-alpha.4", "const-hex", "cts-common", "fake 2.10.0", @@ -5885,7 +6300,9 @@ dependencies = [ "serde", "static_assertions", "thiserror 1.0.69", + "utoipa", "uuid", + "validator", "zeroize", ] @@ -5908,5 +6325,5 @@ checksum = "6eafa6dfb17584ea3e2bd6e76e0cc15ad7af12b09abdd1ca55961bed9b1063c6" dependencies = [ "proc-macro2", "quote", - "syn 2.0.101", + "syn 2.0.117", ] diff --git a/Cargo.toml b/Cargo.toml index 92865489..34e7b461 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -43,8 +43,8 @@ debug = true [workspace.dependencies] sqltk = { version = "0.10.0" } -cipherstash-client = { version = "0.33.2" } -cts-common = { version = "0.4.1" } +cipherstash-client = { version = "0.34.0-alpha.4" } +cts-common = { version = "0.34.0-alpha.4" } thiserror = "2.0.9" tokio = { version = "1.44.2", features = ["full"] } 
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md index 5733b1e7..54688d28 100644 --- a/DEVELOPMENT.md +++ b/DEVELOPMENT.md @@ -501,29 +501,14 @@ Certificates are generated by `mkcert`, and live in `tests/tls/`. #### Configuration: development endpoints +ZeroKMS and CTS host endpoints can be configured for local development using environment variables. -ZeroKMS and CTS host endpoints can be configured for local development. +These are read directly by `cipherstash-client` and do not require proxy configuration: -Env variables are `CS_DEVELOPMENT__ZEROKMS_HOST` and `CS_DEVELOPMENT__CTS_HOST`. - - -```toml - -[development] -# ZeroKMS host -# Optional -# Defaults to CipherStash Production ZeroKMS host -# Env: CS_DEVELOPMENT__ZEROKMS_HOST -zerokms_host = "1.1.1.1" - - -# CTS host -# Optional -# Defaults to CipherStash Production CTS host -# Env: CS_DEVELOPMENT__CTS_HOST -cts_host = "1.1.1.1" - -``` +| Variable | Description | +|---|---| +| `CS_ZEROKMS_HOST` | Override ZeroKMS endpoint (default: resolved from JWT `services` claim) | +| `CS_CTS_HOST` | Override CTS auth endpoint (default: resolved from workspace CRN region) | diff --git a/cipherstash-proxy-example.toml b/cipherstash-proxy-example.toml index 495e1b03..1851d6a8 100644 --- a/cipherstash-proxy-example.toml +++ b/cipherstash-proxy-example.toml @@ -24,6 +24,6 @@ workspace_crn = "workspace_crn" client_access_key = "client_access_key" [encrypt] -default_keyset_id = "default_keyset_id" -client_id = "client_id" +default_keyset_id = "00000000-0000-0000-0000-000000000000" +client_id = "00000000-0000-0000-0000-000000000000" client_key = "client_key" diff --git a/docker-compose.yml b/docker-compose.yml index 4c7a41a5..ef781408 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -43,6 +43,8 @@ services: - CS_PROMETHEUS__ENABLED=${CS_PROMETHEUS__ENABLED:-true} - CS_DATABASE__INSTALL_EQL=true # install EQL into the PostgreSQL database - CS_DATABASE__INSTALL_EXAMPLE_SCHEMA=true # install example schema into the PostgreSQL database + - CS_CTS_HOST=${CS_CTS_HOST:-} + - CS_ZEROKMS_HOST=${CS_ZEROKMS_HOST:-} networks: - cipherstash diff --git a/packages/cipherstash-proxy/Cargo.toml b/packages/cipherstash-proxy/Cargo.toml index f161b1d3..30aa4c01 100644 --- a/packages/cipherstash-proxy/Cargo.toml +++ b/packages/cipherstash-proxy/Cargo.toml @@ -55,8 +55,8 @@ tokio-util = { version = "0.7.13", features = ["rt"] } tracing = { workspace = true } tracing-subscriber = { workspace = true } uuid = { version = "1.11.0", features = ["serde", "v4"] } +vitaminc-protected = "0.1.0-pre4.2" x509-parser = "0.17.0" -vitaminc-protected = "0.1.0-pre2" [dev-dependencies] diff --git a/packages/cipherstash-proxy/src/config/tandem.rs b/packages/cipherstash-proxy/src/config/tandem.rs index 99d5ca8c..f149144d 100644 --- a/packages/cipherstash-proxy/src/config/tandem.rs +++ b/packages/cipherstash-proxy/src/config/tandem.rs @@ -9,6 +9,7 @@ use crate::Args; use cipherstash_client::config::vars::{ CS_CLIENT_ACCESS_KEY, CS_CLIENT_ID, CS_CLIENT_KEY, CS_DEFAULT_KEYSET_ID, CS_WORKSPACE_CRN, }; +use cipherstash_client::zerokms::ClientKey; use config::{Config, Environment}; use cts_common::Crn; use regex::Regex; @@ -42,7 +43,7 @@ pub struct AuthConfig { #[derive(Debug, Deserialize, Clone, PartialEq)] pub struct EncryptConfig { - pub client_id: String, + pub client_id: Uuid, pub client_key: String, pub default_keyset_id: Option, } @@ -66,12 +67,6 @@ pub struct DevelopmentConfig { #[serde(default)] pub enable_mapping_errors: bool, - - #[serde(default)] - pub zerokms_host: Option, - - #[serde(default)] - pub cts_host: Option, } /// Config defaults to a file called `tandem` in the current directory. 
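Review bot: The two added entries `CS_CTS_HOST=${CS_CTS_HOST:-}` and `CS_ZEROKMS_HOST=${CS_ZEROKMS_HOST:-}` carry no trailing comment, unlike the `CS_DATABASE__*` lines just above them, yet they decide which hosts the proxy uses for authentication and key-service traffic. With the `:-` form and an empty default, the variables are always set inside the container, to an empty string when the host shell has none. Whether `cipherstash-client` treats an empty value as unset is not visible here and should be confirmed. I would add `# development only: overrides the CTS auth endpoint` and `# development only: overrides the ZeroKMS endpoint` so the lines are not copied into a production compose file by accident.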
@@ -191,7 +186,7 @@ impl TandemConfig { } // Source order is important! - let config = Config::builder() + let config: TandemConfig = Config::builder() .add_source(config::File::with_name(&args.config_file_path).required(false)) .add_source(cs_env_source) .add_source(stash_setup_source) @@ -203,7 +198,16 @@ impl TandemConfig { // - missing parameters are returned by at least two different errors, depending the source of the error // Easier to inspect the error message. match err.to_string() { - s if s.contains("UUID parsing failed") => ConfigError::InvalidDatasetId, + s if s.contains("UUID parsing failed") => { + if s.contains("client_id") && !s.contains("keyset") { + ConfigError::InvalidParameter { + name: "client_id".to_string(), + value: "invalid UUID".to_string(), + } + } else { + ConfigError::InvalidDefaultKeysetId + } + } s if s.contains("missing field") => { let (field, key) = extract_missing_field_and_key(&s); match (field, key) { @@ -222,6 +226,8 @@ impl TandemConfig { } })?; + config.encrypt.build_client_key()?; + Ok(config) } @@ -246,18 +252,6 @@ impl TandemConfig { } } - pub fn zerokms_host(&self) -> Option { - self.development - .as_ref() - .and_then(|dev| dev.zerokms_host.clone()) - } - - pub fn cts_host(&self) -> Option { - self.development - .as_ref() - .and_then(|dev| dev.cts_host.clone()) - } - pub fn use_structured_logging(&self) -> bool { matches!(self.log.format, LogFormat::Structured) } 
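Review bot: The new `UUID parsing failed` arm in the hunk at `-203,7` picks the error variant by substring, `s.contains("client_id") && !s.contains("keyset")`, so the outcome depends on how the `config` crate words its message and on which key names appear in it. A malformed `client_id` whose message does not name the key is reported as `InvalidDefaultKeysetId`, which points the operator at the wrong setting. I would state that fallback above the `if`, for example `// Best effort: relies on the error text naming the failing key; anything else is reported as default_keyset_id`. Keep `value: "invalid UUID"` as it is, since it avoids echoing the supplied value. The enclosing `map_err` closure starts and ends outside this hunk.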
@@ -326,8 +320,8 @@ impl TandemConfig { client_access_key: "test".to_string(), }, encrypt: EncryptConfig { - client_id: "test".to_string(), - client_key: "test".to_string(), + client_id: Uuid::parse_str("00000000-0000-0000-0000-000000000001").unwrap(), + client_key: "a4627031a16b7065726d75746174696f6e900e05030d0608090007020c04010b0a0f6770325f66726f6da16b7065726d75746174696f6e900608000a0204030f01070d090e0b0c056570325f746fa16b7065726d75746174696f6e90000908060701030a05040e020d0b0c0f627033a16b7065726d75746174696f6e982107181d130d05181f08040a181c1002181e010311181818200b0f0e0915181b0c16171819060012181a14".to_string(), default_keyset_id: Some( Uuid::parse_str("00000000-0000-0000-0000-000000000000").unwrap(), ), @@ -340,6 +334,13 @@ impl TandemConfig { } } +impl EncryptConfig { + pub fn build_client_key(&self) -> Result { + ClientKey::from_hex_v1(self.client_id, &self.client_key) + .map_err(|_| Error::from(ConfigError::InvalidClientKey)) + } +} + impl PrometheusConfig { pub fn default_port() -> u16 { 9930 @@ -426,9 +427,12 @@ mod tests { temp_env::with_vars( [ // Orignal recipe ENV var - ("CS_ENCRYPT__CLIENT_ID", Some("CS_ENCRYPT__CLIENT_ID")), - (CS_CLIENT_ID, Some("CS_CLIENT_ID")), - (CS_CLIENT_KEY, Some("CS_CLIENT_KEY")), + ( + "CS_ENCRYPT__CLIENT_ID", + Some("11111111-1111-1111-1111-111111111111"), + ), + (CS_CLIENT_ID, Some("22222222-2222-2222-2222-222222222222")), + (CS_CLIENT_KEY, Some("a4627031a16b7065726d75746174696f6e900e05030d0608090007020c04010b0a0f6770325f66726f6da16b7065726d75746174696f6e900608000a0204030f01070d090e0b0c056570325f746fa16b7065726d75746174696f6e90000908060701030a05040e020d0b0c0f627033a16b7065726d75746174696f6e982107181d130d05181f08040a181c1002181e010311181818200b0f0e0915181b0c16171819060012181a14")), ( CS_DEFAULT_KEYSET_ID, Some("dd0a239f-02e2-4c8e-ba20-d9f0f85af9ac"), 
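Review bot: The long hex `client_key` literal added in the hunk at `-326,8` is repeated verbatim in the `CS_CLIENT_KEY` entry of the test hunk at `-426,9` and again in `default_env_vars` at `-584,7`, with nothing saying where it came from. Key-shaped material in a repository is hard to tell apart from a live credential and will trip secret scanners. Whether this function is compiled only for tests is not visible in the hunk. I would define the value once as `const TEST_CLIENT_KEY_HEX: &str = "<fixture hex>";` with a comment recording that it is a generated fixture not tied to any workspace, if that is the case, and reference the constant from all three places. If the value was taken from a real workspace, it should be rotated and replaced with a freshly generated one.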
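Review bot: `build_client_key`, added in the hunk at `-340,6`, is a new `pub` method with no doc comment, and its `map_err(|_| …)` discards the reason `ClientKey::from_hex_v1` rejected the input. Dropping the source keeps the cause out of error text, which is worth stating so a later change does not start formatting the cause or the key into the message. I would add `/// Parses the hex-encoded client key for this client_id.` and `/// Returns ConfigError::InvalidClientKey on any parse failure; the underlying error is deliberately discarded.` above the method. The call added in the hunk at `-222,6` builds the key only to validate it and drops the result, so a one-line comment such as `// validation only: fail at load time on a malformed key` would make that intent clear.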
@@ -440,7 +444,10 @@ mod tests { TandemConfig::build_path("tests/config/cipherstash-proxy-test.toml") .unwrap(); - assert_eq!(config.encrypt.client_id, "CS_CLIENT_ID".to_string()); + assert_eq!( + config.encrypt.client_id, + Uuid::parse_str("22222222-2222-2222-2222-222222222222").unwrap() + ); assert_eq!( config.auth.client_access_key, @@ -474,8 +481,8 @@ mod tests { .unwrap(); assert_eq!( - &config.encrypt.client_id, - "dd0a239f-02e2-4c8e-ba20-d9f0f85af9ac" + config.encrypt.client_id, + Uuid::parse_str("dd0a239f-02e2-4c8e-ba20-d9f0f85af9ac").unwrap() ); }, ); @@ -512,6 +519,22 @@ mod tests { }); } + #[test] + fn invalid_client_id_uuid() { + with_no_cs_vars(|| { + let result = + TandemConfig::build_path("tests/config/cipherstash-proxy-bad-client-id.toml"); + assert!(result.is_err()); + let err = result.unwrap_err(); + // Should produce InvalidParameter for client_id, not InvalidDatasetId + assert!( + err.to_string().contains("Invalid client_id"), + "Expected 'Invalid client_id' but got: {}", + err + ); + }); + } + #[test] fn prometheus_config() { with_no_cs_vars(|| { @@ -584,7 +607,7 @@ mod tests { fn default_env_vars() -> Vec<(&'static str, Option<&'static str>)> { vec![ ("CS_CLIENT_ID", Some("00000000-0000-0000-0000-000000000000")), - ("CS_CLIENT_KEY", Some("CS_CLIENT_KEY")), + ("CS_CLIENT_KEY", Some("a4627031a16b7065726d75746174696f6e900e05030d0608090007020c04010b0a0f6770325f66726f6da16b7065726d75746174696f6e900608000a0204030f01070d090e0b0c056570325f746fa16b7065726d75746174696f6e90000908060701030a05040e020d0b0c0f627033a16b7065726d75746174696f6e982107181d130d05181f08040a181c1002181e010311181818200b0f0e0915181b0c16171819060012181a14")), ( "CS_DEFAULT_KEYSET_ID", Some("00000000-0000-0000-0000-000000000000"), diff --git a/packages/cipherstash-proxy/src/error.rs b/packages/cipherstash-proxy/src/error.rs index afd37b69..98b8421f 100644 --- a/packages/cipherstash-proxy/src/error.rs +++ b/packages/cipherstash-proxy/src/error.rs 
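Review bot: The comment in the new `invalid_client_id_uuid` test says the error should not be `InvalidDatasetId`, but this commit removes that variant from `ConfigError` in `error.rs` and introduces `InvalidDefaultKeysetId`. It should read `// Should produce InvalidParameter for client_id, not InvalidDefaultKeysetId`. The assertion also checks the rendered message with `contains("Invalid client_id")` rather than the variant, so it is coupled to the wording of the `InvalidParameter` message. Matching on the variant would be tighter if `Error` exposes it to the test, which is not visible from this hunk.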
@@ -15,9 +15,6 @@ pub enum Error { #[error("Connection closed after cancel request")] CancelRequest, - #[error(transparent)] - Client(#[from] cipherstash_client::config::errors::ConfigError), - #[error(transparent)] Config(#[from] ConfigError), @@ -72,6 +69,9 @@ pub enum ZeroKMSError { #[error("ZeroKMS authentication failed. Check the configured credentials. For help visit {}#zerokms-authentication-failed", ERROR_DOC_BASE_URL)] AuthenticationFailed, + #[error(transparent)] + Builder(#[from] cipherstash_client::zerokms::ZeroKMSBuilderError), + #[error(transparent)] System(#[from] cipherstash_client::zerokms::Error), } @@ -116,17 +116,20 @@ pub enum ConfigError { #[error(transparent)] Certificate(#[from] rustls_pki_types::pem::Error), - #[error(transparent)] - EncryptConfig(#[from] cipherstash_client::config::errors::ConfigError), - #[error(transparent)] Database(#[from] tokio_postgres::Error), #[error(transparent)] FileOrEnvironment(#[from] config::ConfigError), - #[error("Dataset id is not a valid UUID.")] - InvalidDatasetId, + #[error("Client key is not valid. For help visit {}", ERROR_DOC_CONFIG_URL)] + InvalidClientKey, + + #[error( + "default_keyset_id is not a valid UUID. For help visit {}", + ERROR_DOC_CONFIG_URL + )] + InvalidDefaultKeysetId, #[error("Server host {name} is not a valid server name")] InvalidServerName { name: String }, @@ -436,6 +439,12 @@ impl From for Error { } } +impl From for Error { + fn from(e: cipherstash_client::zerokms::ZeroKMSBuilderError) -> Self { + Error::ZeroKMS(e.into()) + } +} + impl From for Error { fn from(e: cipherstash_client::encryption::TypeParseError) -> Self { Error::Encrypt(e.into()) diff --git a/packages/cipherstash-proxy/src/proxy/mod.rs b/packages/cipherstash-proxy/src/proxy/mod.rs index 7ee12a8b..9a46b990 100644 --- a/packages/cipherstash-proxy/src/proxy/mod.rs +++ b/packages/cipherstash-proxy/src/proxy/mod.rs 
@@ -168,10 +168,10 @@ pub trait EncryptionService: Send + Sync { #[cfg(test)] mod tests { - use super::*; use crate::config::TandemConfig; use crate::test_helpers::with_no_cs_vars; - use cts_common::WorkspaceId; + + use super::zerokms; fn build_tandem_config(env: Vec<(&str, Option<&str>)>) -> TandemConfig { with_no_cs_vars(|| { @@ -195,10 +195,10 @@ mod tests { } #[test] - fn build_zerokms_config_with_crn() { + fn init_zerokms_client_with_crn() { with_no_cs_vars(|| { let mut env = default_env_vars(); - env.push(("CS_CLIENT_ACCESS_KEY", Some("client-access-key"))); + env.push(("CS_CLIENT_ACCESS_KEY", Some("CSAKtestKeyId.testKeySecret"))); env.push(( "CS_WORKSPACE_CRN", Some("crn:ap-southeast-2.aws:3KISDURL3ZCWYZ2O"), @@ -206,17 +206,12 @@ mod tests { let tandem_config = build_tandem_config(env); - let zerokms_config = zerokms::build_zerokms_config(&tandem_config).unwrap(); - - assert_eq!( - WorkspaceId::try_from("3KISDURL3ZCWYZ2O").unwrap(), - zerokms_config.workspace_id() + let result = zerokms::init_zerokms_client(&tandem_config); + assert!( + result.is_ok(), + "init_zerokms_client failed: {:?}", + result.err() ); - - assert!(zerokms_config - .base_url() - .to_string() - .contains("ap-southeast-2.aws")); }); } } diff --git a/packages/cipherstash-proxy/src/proxy/zerokms/mod.rs b/packages/cipherstash-proxy/src/proxy/zerokms/mod.rs index fb9a4092..f4e337e7 100644 --- a/packages/cipherstash-proxy/src/proxy/zerokms/mod.rs +++ b/packages/cipherstash-proxy/src/proxy/zerokms/mod.rs 
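Review bot: `init_zerokms_client_with_crn` in the hunk at `-206,17` now asserts only `result.is_ok()`. The test it replaces checked that the workspace id and the `ap-southeast-2.aws` region from the CRN ended up in the built configuration. Nothing in this test now shows that the CRN decides which workspace and regional endpoint the proxy talks to, so a regression that ignored the CRN would pass. If the new client exposes neither value, say so in the test with `// Construction only: workspace and endpoint resolution from the CRN are not observable here`; otherwise restore an assertion on them.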
@@ -4,56 +4,29 @@ mod zerokms; pub use zerokms::ZeroKms; use crate::config::TandemConfig; -use cipherstash_client::config::{ConfigError, ZeroKMSConfigWithClientKey}; +use crate::error::{Error, ZeroKMSError}; +use crate::log::ZEROKMS; use cipherstash_client::{ - config::EnvSource, - credentials::{auto_refresh::AutoRefresh, ServiceCredentials}, - zerokms::ClientKey, - ConsoleConfig, CtsConfig, ZeroKMS, ZeroKMSConfig, + zerokms::{ClientKey, ZeroKMSBuilder}, + AutoStrategy, ZeroKMS, }; -pub type ScopedCipher = - cipherstash_client::encryption::ScopedCipher>; +pub type ScopedCipher = cipherstash_client::encryption::ScopedCipher; -pub type ZerokmsClient = ZeroKMS, ClientKey>; +pub type ZerokmsClient = ZeroKMS; -pub(crate) fn init_zerokms_client( - config: &TandemConfig, -) -> Result, ClientKey>, ConfigError> { - let zerokms_config = build_zerokms_config(config)?; +pub(crate) fn init_zerokms_client(config: &TandemConfig) -> Result { + let strategy = AutoStrategy::builder() + .with_access_key(&config.auth.client_access_key) + .with_workspace_crn(config.auth.workspace_crn.clone()) + .detect() + .map_err(|e| { + tracing::warn!(target: ZEROKMS, msg = "ZeroKMS authentication strategy detection failed", error = %e); + ZeroKMSError::AuthenticationFailed + })?; - Ok(zerokms_config - .create_client_with_credentials(AutoRefresh::new(zerokms_config.credentials()))) -} - -pub fn build_zerokms_config( - config: &TandemConfig, -) -> Result { - let console_config = ConsoleConfig::builder().with_env().build()?; - - let builder = CtsConfig::builder().with_env(); - let builder = if let Some(cts_host) = config.cts_host() { - builder.base_url(&cts_host) - } else { - builder - }; - let cts_config = builder.build()?; - - // Not using with_env because the proxy config should take precedence - let builder = ZeroKMSConfig::builder() - .add_source(EnvSource::default()) - .workspace_crn(config.auth.workspace_crn.clone()) - .access_key(&config.auth.client_access_key) - 
.try_with_client_id(&config.encrypt.client_id)? - .try_with_client_key(&config.encrypt.client_key)? - .console_config(&console_config) - .cts_config(&cts_config); - - let builder = if let Some(zerokms_host) = config.zerokms_host() { - builder.base_url(zerokms_host) - } else { - builder - }; + let client_key = config.encrypt.build_client_key()?; - builder.build_with_client_key() + let builder = ZeroKMSBuilder::new(strategy); + Ok(builder.with_client_key(client_key).build()?) } diff --git a/packages/cipherstash-proxy/src/proxy/zerokms/zerokms.rs b/packages/cipherstash-proxy/src/proxy/zerokms/zerokms.rs index cbc4bda5..15e120d3 100644 --- a/packages/cipherstash-proxy/src/proxy/zerokms/zerokms.rs +++ b/packages/cipherstash-proxy/src/proxy/zerokms/zerokms.rs @@ -137,7 +137,7 @@ impl ZeroKms { } .into()) } - cipherstash_client::zerokms::Error::Credentials(_) => { + cipherstash_client::zerokms::Error::Auth(_) => { Err(ZeroKMSError::AuthenticationFailed.into()) } _ => Err(Error::ZeroKMS(err.into())), diff --git a/packages/cipherstash-proxy/tests/config/cipherstash-proxy-bad-client-id.toml b/packages/cipherstash-proxy/tests/config/cipherstash-proxy-bad-client-id.toml new file mode 100644 index 00000000..60af1bc4 --- /dev/null +++ b/packages/cipherstash-proxy/tests/config/cipherstash-proxy-bad-client-id.toml 
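Review bot: The new `init_zerokms_client` no longer reads `config.cts_host()` or `config.zerokms_host()`, which the removed `build_zerokms_config` applied under the comment that the proxy config should take precedence over the environment. Unless `AutoStrategy` or `ZeroKMSBuilder` pick the endpoints up elsewhere (the compose file in this patch starts passing `CS_CTS_HOST` and `CS_ZEROKMS_HOST`, so presumably from the environment), a host set in the proxy's own config is silently ignored and the proxy contacts a different key-service endpoint than the operator configured. Once confirmed, I would state the source of truth on the function, e.g. `/// Endpoint overrides come from the environment only; TandemConfig host settings are not applied here.`, or reject a config that sets them. Separately, `error = %e` in the `map_err` closure logs the detection error verbatim, so it is worth confirming that its Display output never includes the access key.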
@@ -0,0 +1,19 @@ +[tls] +certificate_path = "tests/tls/server.cert" +private_key_path = "tests/tls/server.key" + +[database] +name = "cipherstash" +host = "localhost" +port = 5532 +username = "cipherstash" +password = "password" + +[auth] +workspace_crn = "crn:ap-southeast-2.aws:E4UMRN47WJNSMAKR" +client_access_key = "client_access_key" + +[encrypt] +default_keyset_id = "484cd205-99e8-41ca-acfe-55a7e25a8ec2" +client_id = "not-a-uuid" +client_key = "a4627031a16b7065726d75746174696f6e900e05030d0608090007020c04010b0a0f6770325f66726f6da16b7065726d75746174696f6e900608000a0204030f01070d090e0b0c056570325f746fa16b7065726d75746174696f6e90000908060701030a05040e020d0b0c0f627033a16b7065726d75746174696f6e982107181d130d05181f08040a181c1002181e010311181818200b0f0e0915181b0c16171819060012181a14" diff --git a/packages/cipherstash-proxy/tests/config/cipherstash-proxy-test.toml b/packages/cipherstash-proxy/tests/config/cipherstash-proxy-test.toml index d0efa991..a1ffd004 100644 --- a/packages/cipherstash-proxy/tests/config/cipherstash-proxy-test.toml +++ b/packages/cipherstash-proxy/tests/config/cipherstash-proxy-test.toml @@ -16,4 +16,4 @@ client_access_key = "client_access_key" [encrypt] default_keyset_id = "484cd205-99e8-41ca-acfe-55a7e25a8ec2" # generated guid for validation client_id = "5912717c-2c3b-4fb6-a051-0a8e71cd9e37" # generated guid for validation -client_key = "client_key" +client_key = "a4627031a16b7065726d75746174696f6e900e05030d0608090007020c04010b0a0f6770325f66726f6da16b7065726d75746174696f6e900608000a0204030f01070d090e0b0c056570325f746fa16b7065726d75746174696f6e90000908060701030a05040e020d0b0c0f627033a16b7065726d75746174696f6e982107181d130d05181f08040a181c1002181e010311181818200b0f0e0915181b0c16171819060012181a14" diff --git a/packages/cipherstash-proxy/tests/config/cipherstash-proxy-with-crn.toml b/packages/cipherstash-proxy/tests/config/cipherstash-proxy-with-crn.toml index 20f25288..a5127008 100644 
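Review bot: This new fixture is named for a bad `client_id`, but it also keeps `client_access_key = "client_access_key"`, a placeholder of the kind the unit test in `proxy/mod.rs` had to replace with `CSAKtestKeyId.testKeySecret` in this same patch. If the test that loads this file only checks that some error occurs, it can pass because of the access key rather than the client id. I would make the client id the only invalid field, `client_access_key = "CSAKtestKeyId.testKeySecret"`, and have the test assert the specific error.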
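Review bot: The new `client_key` value in `cipherstash-proxy-test.toml` is a long hex blob with no comment, while the two lines above it are marked `# generated guid for validation`. Committed key-shaped material is routinely flagged by secret scanners and has to be triaged by hand, so I would mark it the same way, e.g. `# generated test fixture, not a provisioned key`, assuming that is what it is. The same value is added without a comment in `cipherstash-proxy-with-crn.toml` and in the new `cipherstash-proxy-bad-client-id.toml`.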
--- a/packages/cipherstash-proxy/tests/config/cipherstash-proxy-with-crn.toml +++ b/packages/cipherstash-proxy/tests/config/cipherstash-proxy-with-crn.toml @@ -9,4 +9,4 @@ password = "password" [encrypt] client_id = "5912717c-2c3b-4fb6-a051-0a8e71cd9e37" # generated guid for validation -client_key = "client_key" +client_key = "a4627031a16b7065726d75746174696f6e900e05030d0608090007020c04010b0a0f6770325f66726f6da16b7065726d75746174696f6e900608000a0204030f01070d090e0b0c056570325f746fa16b7065726d75746174696f6e90000908060701030a05040e020d0b0c0f627033a16b7065726d75746174696f6e982107181d130d05181f08040a181c1002181e010311181818200b0f0e0915181b0c16171819060012181a14" diff --git a/tests/docker-compose.yml b/tests/docker-compose.yml index 9f02b650..918fda43 100644 --- a/tests/docker-compose.yml +++ b/tests/docker-compose.yml @@ -65,6 +65,8 @@ services: - CS_PROMETHEUS__ENABLED=${CS_PROMETHEUS__ENABLED:-true} - CS_SERVER__WORKER_THREADS=${CS_SERVER__WORKER_THREADS:-4} - CS_WORKSPACE_CRN=${CS_WORKSPACE_CRN} + - CS_CTS_HOST=${CS_CTS_HOST:-} + - CS_ZEROKMS_HOST=${CS_ZEROKMS_HOST:-} - CS_LOG__FORMAT=${CS_LOG__FORMAT:-pretty} - CS_LOG__LEVEL=${CS_LOG__LEVEL:-debug} - CS_LOG__PROTOCOL_LEVEL=${CS_LOG__PROTOCOL_LEVEL:-debug} @@ -109,6 +111,8 @@ services: - CS_SERVER__REQUIRE_TLS=true - CS_PROMETHEUS__ENABLED=${CS_PROMETHEUS__ENABLED:-true} - CS_WORKSPACE_CRN=${CS_WORKSPACE_CRN} + - CS_CTS_HOST=${CS_CTS_HOST:-} + - CS_ZEROKMS_HOST=${CS_ZEROKMS_HOST:-} - CS_LOG__FORMAT=${CS_LOG__FORMAT:-pretty} - CS_LOG__LEVEL=${CS_LOG__LEVEL:-debug} - CS_LOG__PROTOCOL_LEVEL=${CS_LOG__PROTOCOL_LEVEL:-debug}
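Review bot: `CS_CTS_HOST=${CS_CTS_HOST:-}` in the `@@ -65,6 +67,8 @@` hunk sets the variable to an empty string inside the container when it is unset on the host, rather than leaving it unset. If the proxy or the client library treats an empty host as a configured value, the endpoint override becomes an empty URL instead of the default; how it is handled is not visible in this patch. The bare forms `- CS_CTS_HOST` and `- CS_ZEROKMS_HOST` pass the variable through only when the host defines it. The same two lines are added to the second service in the `@@ -109,6 +111,8 @@` hunk.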