vaultrs/
transit.rs

1pub mod key {
2    use crate::api::transit::{
3        requests::{
4            BackupKeyRequest, CreateKeyRequest, CreateKeyRequestBuilder, DeleteKeyRequest,
5            ExportKeyRequest, ExportKeyType, ExportVersion, ListKeysRequest, ReadKeyRequest,
6            RestoreKeyRequest, RestoreKeyRequestBuilder, RotateKeyRequest, TrimKeyRequest,
7            UpdateKeyConfigurationRequest, UpdateKeyConfigurationRequestBuilder,
8        },
9        responses::{BackupKeyResponse, ExportKeyResponse, ListKeysResponse, ReadKeyResponse},
10    };
11    use crate::{api, client::Client, error::ClientError};
12
13    /// Create a new encryption key.
14    ///
15    /// See [CreateKeyRequest]
16    pub async fn create(
17        client: &impl Client,
18        mount: &str,
19        name: &str,
20        opts: Option<&mut CreateKeyRequestBuilder>,
21    ) -> Result<(), ClientError> {
22        let mut builder = CreateKeyRequest::builder();
23        let endpoint = opts
24            .unwrap_or(&mut builder)
25            .mount(mount)
26            .name(name)
27            .build()
28            .unwrap();
29        api::exec_with_empty(client, endpoint).await
30    }
31
32    /// Read encryption key information.
33    ///
34    /// See [ReadKeyRequest]
35    pub async fn read(
36        client: &impl Client,
37        mount: &str,
38        name: &str,
39    ) -> Result<ReadKeyResponse, ClientError> {
40        let endpoint = ReadKeyRequest::builder()
41            .mount(mount)
42            .name(name)
43            .build()
44            .unwrap();
45        api::exec_with_result(client, endpoint).await
46    }
47
48    /// List key names.
49    ///
50    /// See [ListKeysRequest]
51    pub async fn list(client: &impl Client, mount: &str) -> Result<ListKeysResponse, ClientError> {
52        let endpoint = ListKeysRequest::builder().mount(mount).build().unwrap();
53        api::exec_with_result(client, endpoint).await
54    }
55
56    /// Update a key's configuration.
57    ///
58    /// See [UpdateKeyConfigurationRequest]
59    pub async fn update(
60        client: &impl Client,
61        mount: &str,
62        name: &str,
63        opts: Option<&mut UpdateKeyConfigurationRequestBuilder>,
64    ) -> Result<(), ClientError> {
65        let mut builder = UpdateKeyConfigurationRequest::builder();
66        let endpoint = opts
67            .unwrap_or(&mut builder)
68            .mount(mount)
69            .name(name)
70            .build()
71            .unwrap();
72        api::exec_with_empty(client, endpoint).await
73    }
74
75    /// Delete a named encryption key.
76    ///
77    /// See [DeleteKeyRequest]
78    pub async fn delete(client: &impl Client, mount: &str, name: &str) -> Result<(), ClientError> {
79        let endpoint = DeleteKeyRequest::builder()
80            .mount(mount)
81            .name(name)
82            .build()
83            .unwrap();
84        api::exec_with_empty(client, endpoint).await
85    }
86
87    /// Rotate the version of a named key.
88    ///
89    /// See [RotateKeyRequest]
90    pub async fn rotate(client: &impl Client, mount: &str, name: &str) -> Result<(), ClientError> {
91        let endpoint = RotateKeyRequest::builder()
92            .mount(mount)
93            .name(name)
94            .build()
95            .unwrap();
96        api::exec_with_empty(client, endpoint).await
97    }
98
99    /// Export a named key.
100    ///
101    /// See [ExportKeyRequest]
102    pub async fn export(
103        client: &impl Client,
104        mount: &str,
105        name: &str,
106        key_type: ExportKeyType,
107        version: ExportVersion,
108    ) -> Result<ExportKeyResponse, ClientError> {
109        let endpoint = ExportKeyRequest::builder()
110            .mount(mount)
111            .name(name)
112            .key_type(key_type)
113            .version(version)
114            .build()
115            .unwrap();
116        api::exec_with_result(client, endpoint).await
117    }
118
119    /// Return a plaintext backup of a named key.
120    ///
121    /// See [BackupKeyRequest]
122    pub async fn backup(
123        client: &impl Client,
124        mount: &str,
125        name: &str,
126    ) -> Result<BackupKeyResponse, ClientError> {
127        let endpoint = BackupKeyRequest::builder()
128            .mount(mount)
129            .name(name)
130            .build()
131            .unwrap();
132        api::exec_with_result(client, endpoint).await
133    }
134
135    /// Restores the backup of a named key.
136    ///
137    /// See [RestoreKeyRequest]
138    pub async fn restore(
139        client: &impl Client,
140        mount: &str,
141        backup: &str,
142        opts: Option<&mut RestoreKeyRequestBuilder>,
143    ) -> Result<(), ClientError> {
144        let mut builder = RestoreKeyRequest::builder();
145        let endpoint = opts
146            .unwrap_or(&mut builder)
147            .mount(mount)
148            .backup(backup)
149            .build()
150            .unwrap();
151        api::exec_with_empty(client, endpoint).await
152    }
153
154    /// Trim older key versions setting a minimum version for the keyring.
155    ///
156    /// See [TrimKeyRequest]
157    pub async fn trim(
158        client: &impl Client,
159        mount: &str,
160        name: &str,
161        min_available_version: u64,
162    ) -> Result<(), ClientError> {
163        let endpoint = TrimKeyRequest::builder()
164            .mount(mount)
165            .name(name)
166            .min_available_version(min_available_version)
167            .build()
168            .unwrap();
169        api::exec_with_empty(client, endpoint).await
170    }
171}
172
173pub mod data {
174    use crate::api::transit::{
175        requests::{
176            DecryptDataRequest, DecryptDataRequestBuilder, EncryptDataRequest,
177            EncryptDataRequestBuilder, RewrapDataRequest, RewrapDataRequestBuilder,
178            SignDataRequest, SignDataRequestBuilder, VerifySignedDataRequest,
179            VerifySignedDataRequestBuilder,
180        },
181        responses::{
182            DecryptDataResponse, EncryptDataResponse, RewrapDataResponse, SignDataResponse,
183            VerifySignedDataResponse,
184        },
185    };
186    use crate::{api, client::Client, error::ClientError};
187
188    /// Encrypt base64-encoded plaintext data using the named key.
189    ///
190    /// See [EncryptDataRequest]
191    pub async fn encrypt(
192        client: &impl Client,
193        mount: &str,
194        name: &str,
195        plaintext: &str,
196        opts: Option<&mut EncryptDataRequestBuilder>,
197    ) -> Result<EncryptDataResponse, ClientError> {
198        let mut builder = EncryptDataRequest::builder();
199        let endpoint = opts
200            .unwrap_or(&mut builder)
201            .mount(mount)
202            .name(name)
203            .plaintext(plaintext)
204            .build()
205            .unwrap();
206        api::exec_with_result(client, endpoint).await
207    }
208
209    /// Decrypt the provided ciphertext using the named key.
210    ///
211    /// See [DecryptDataRequest]
212    pub async fn decrypt(
213        client: &impl Client,
214        mount: &str,
215        name: &str,
216        ciphertext: &str,
217        opts: Option<&mut DecryptDataRequestBuilder>,
218    ) -> Result<DecryptDataResponse, ClientError> {
219        let mut builder = DecryptDataRequest::builder();
220        let endpoint = opts
221            .unwrap_or(&mut builder)
222            .mount(mount)
223            .name(name)
224            .ciphertext(ciphertext)
225            .build()
226            .unwrap();
227        api::exec_with_result(client, endpoint).await
228    }
229
230    /// Rewrap the provided ciphertext using the latest version of the named
231    /// key.
232    ///
233    /// See [RewrapDataRequest]
234    pub async fn rewrap(
235        client: &impl Client,
236        mount: &str,
237        name: &str,
238        ciphertext: &str,
239        opts: Option<&mut RewrapDataRequestBuilder>,
240    ) -> Result<RewrapDataResponse, ClientError> {
241        let mut builder = RewrapDataRequest::builder();
242        let endpoint = opts
243            .unwrap_or(&mut builder)
244            .mount(mount)
245            .name(name)
246            .ciphertext(ciphertext)
247            .build()
248            .unwrap();
249        api::exec_with_result(client, endpoint).await
250    }
251
252    /// Return the cryptographic signature of the base64-encoded input data.
253    ///
254    /// See [SignDataRequest]
255    pub async fn sign(
256        client: &impl Client,
257        mount: &str,
258        name: &str,
259        input: &str,
260        opts: Option<&mut SignDataRequestBuilder>,
261    ) -> Result<SignDataResponse, ClientError> {
262        let mut builder = SignDataRequest::builder();
263        let endpoint = opts
264            .unwrap_or(&mut builder)
265            .mount(mount)
266            .name(name)
267            .input(input)
268            .build()
269            .unwrap();
270        api::exec_with_result(client, endpoint).await
271    }
272
273    /// Return whether the provided signature is valid for the base64-encoded
274    /// input data.
275    ///
276    /// See [SignDataRequest]
277    pub async fn verify(
278        client: &impl Client,
279        mount: &str,
280        name: &str,
281        input: &str,
282        opts: Option<&mut VerifySignedDataRequestBuilder>,
283    ) -> Result<VerifySignedDataResponse, ClientError> {
284        let mut builder = VerifySignedDataRequest::builder();
285        let endpoint = opts
286            .unwrap_or(&mut builder)
287            .mount(mount)
288            .name(name)
289            .input(input)
290            .build()
291            .unwrap();
292        api::exec_with_result(client, endpoint).await
293    }
294}
295
296pub mod generate {
297    use crate::api::transit::{
298        requests::{
299            DataKeyType, GenerateDataKeyRequest, GenerateDataKeyRequestBuilder,
300            GenerateHmacRequest, GenerateHmacRequestBuilder, GenerateRandomBytesRequest,
301            GenerateRandomBytesRequestBuilder, HashDataRequest, HashDataRequestBuilder,
302            RandomBytesSource,
303        },
304        responses::{
305            GenerateDataKeyResponse, GenerateHmacResponse, GenerateRandomBytesResponse,
306            HashDataResponse,
307        },
308        OutputFormat,
309    };
310    use crate::{api, client::Client, error::ClientError};
311
312    /// Generate a new high-entropy key and the value encrypted with the named
313    /// key.
314    ///
315    /// See [GenerateDataKeyRequest]
316    pub async fn data_key(
317        client: &impl Client,
318        mount: &str,
319        name: &str,
320        key_type: DataKeyType,
321        opts: Option<&mut GenerateDataKeyRequestBuilder>,
322    ) -> Result<GenerateDataKeyResponse, ClientError> {
323        let mut builder = GenerateDataKeyRequest::builder();
324        let endpoint = opts
325            .unwrap_or(&mut builder)
326            .mount(mount)
327            .name(name)
328            .key_type(key_type)
329            .build()
330            .unwrap();
331        api::exec_with_result(client, endpoint).await
332    }
333
334    /// Generate random bytes.
335    ///
336    /// See [GenerateRandomBytesRequest]
337    pub async fn random_bytes(
338        client: &impl Client,
339        mount: &str,
340        format: OutputFormat,
341        source: RandomBytesSource,
342        opts: Option<&mut GenerateRandomBytesRequestBuilder>,
343    ) -> Result<GenerateRandomBytesResponse, ClientError> {
344        let mut builder = GenerateRandomBytesRequest::builder();
345        let endpoint = opts
346            .unwrap_or(&mut builder)
347            .mount(mount)
348            .format(format)
349            .source(source)
350            .build()
351            .unwrap();
352        api::exec_with_result(client, endpoint).await
353    }
354
355    /// Return the cryptographic hash of the base64-encoded input data.
356    ///
357    /// See [HashDataRequest]
358    pub async fn hash(
359        client: &impl Client,
360        mount: &str,
361        input: &str,
362        opts: Option<&mut HashDataRequestBuilder>,
363    ) -> Result<HashDataResponse, ClientError> {
364        let mut builder = HashDataRequest::builder();
365        let endpoint = opts
366            .unwrap_or(&mut builder)
367            .mount(mount)
368            .input(input)
369            .build()
370            .unwrap();
371        api::exec_with_result(client, endpoint).await
372    }
373
374    /// Return the digest of the base64-encoded input data.
375    ///
376    /// See [GenerateHmacRequest]
377    pub async fn hmac(
378        client: &impl Client,
379        mount: &str,
380        name: &str,
381        input: &str,
382        opts: Option<&mut GenerateHmacRequestBuilder>,
383    ) -> Result<GenerateHmacResponse, ClientError> {
384        let mut builder = GenerateHmacRequest::builder();
385        let endpoint = opts
386            .unwrap_or(&mut builder)
387            .mount(mount)
388            .name(name)
389            .input(input)
390            .build()
391            .unwrap();
392        api::exec_with_result(client, endpoint).await
393    }
394}
395
396pub mod cache {
397    use crate::api::transit::{
398        requests::{
399            ConfigureCacheRequest, ConfigureCacheRequestBuilder,
400            ReadTransitCacheConfigurationRequest,
401        },
402        responses::ReadTransitCacheConfigurationResponse,
403    };
404    use crate::{api, client::Client, error::ClientError};
405
406    /// Read the transit cache configuration.
407    ///
408    /// See [ReadTransitCacheConfigurationRequest]
409    pub async fn read(
410        client: &impl Client,
411        mount: &str,
412    ) -> Result<ReadTransitCacheConfigurationResponse, ClientError> {
413        let endpoint = ReadTransitCacheConfigurationRequest::builder()
414            .mount(mount)
415            .build()
416            .unwrap();
417        api::exec_with_result(client, endpoint).await
418    }
419
420    /// Configure the transit engine's cache.
421    ///
422    /// See [ConfigureCacheRequest]
423    pub async fn configure(
424        client: &impl Client,
425        mount: &str,
426        opts: Option<&mut ConfigureCacheRequestBuilder>,
427    ) -> Result<(), ClientError> {
428        let mut builder = ConfigureCacheRequest::builder();
429        let endpoint = opts.unwrap_or(&mut builder).mount(mount).build().unwrap();
430        api::exec_with_empty(client, endpoint).await
431    }
432}