Merge pull request #533 from molnett/mk/keys_from_env

feat: allow keys from env

Author: jmt-lab

Cargo.lock

@@ -163,6 +163,9 @@ pub enum SigningKeyConfig {
     ssm {
         parameter: String,
     },
+    env {
+        var_name: String,
+    },
 }
 
 /// AWS region-specific configuration
@@ -202,6 +205,9 @@ impl TryFrom<SigningKeyConfig> for Url {
                 };
                 Url::parse(&format!("aws-ssm://{}", parameter)).map_err(|_| ())
             }
+            SigningKeyConfig::env { var_name } => {
+                Url::parse(&format!("env://{}", var_name)).map_err(|_| ())
+            }
         }
     }
 }

tools/pubsys-config/src/lib.rs

@@ -9,6 +9,7 @@ publish = false
 [dependencies]
 amispec.workspace = true
 async-stream.workspace = true
+async-trait.workspace = true
 aws-config.workspace = true
 aws-credential-types.workspace = true
 aws-sdk-ebs.workspace = true

tools/pubsys/Cargo.toml

@@ -5,10 +5,13 @@ pub(crate) mod fetch_variant;
 pub(crate) mod refresh_repo;
 pub(crate) mod validate_repo;
 
+mod env_key_source;
+
 use crate::{friendly_version, read_stream, Args};
 use aws_sdk_kms::{config::Region, Client as KmsClient};
 use chrono::{DateTime, Utc};
 use clap::Parser;
+use env_key_source::EnvKeySource;
 use lazy_static::lazy_static;
 use log::{debug, info, trace, warn};
 use parse_datetime::parse_datetime;
@@ -429,6 +432,9 @@ fn get_signing_key_source(signing_key_config: &SigningKeyConfig) -> Result<Box<d
             parameter_name: parameter.clone(),
             key_id: None,
         })),
+        SigningKeyConfig::env { var_name } => Ok(Box::new(EnvKeySource {
+            var_name: var_name.clone(),
+        })),
     }
 }
 

tools/pubsys/src/repo.rs

@@ -0,0 +1,60 @@
+use async_trait::async_trait;
+use log::{debug, warn};
+use snafu::Snafu;
+use std::env;
+use tough::key_source::KeySource;
+use tough::sign::{parse_keypair, Sign};
+
+#[derive(Debug)]
+pub struct EnvKeySource {
+    pub var_name: String,
+}
+
+#[derive(Debug, Snafu)]
+pub enum Error {
+    #[snafu(display("Environment variable '{}' not found", var_name))]
+    EnvVarNotFound { var_name: String },
+
+    #[snafu(display(
+        "Failed to parse key from environment variable '{}': {}",
+        var_name,
+        source
+    ))]
+    KeyParse {
+        var_name: String,
+        source: Box<dyn std::error::Error + Send + Sync>,
+    },
+}
+
+#[async_trait]
+impl KeySource for EnvKeySource {
+    async fn as_sign(
+        &self,
+    ) -> std::result::Result<Box<dyn Sign>, Box<dyn std::error::Error + Send + Sync>> {
+        debug!("Reading key from environment variable: {}", self.var_name);
+
+        // Get the key data from the environment variable
+        let key_data = env::var(&self.var_name).map_err(|_| Error::EnvVarNotFound {
+            var_name: self.var_name.clone(),
+        })?;
+
+        // Parse the key data into a signer
+        let key = parse_keypair(key_data.as_bytes()).map_err(|e| Error::KeyParse {
+            var_name: self.var_name.clone(),
+            source: Box::new(e),
+        })?;
+
+        Ok(Box::new(key))
+    }
+
+    async fn write(
+        &self,
+        _value: &str,
+        _key_id_hex: &str,
+    ) -> std::result::Result<(), Box<dyn std::error::Error + Send + Sync>> {
+        // We don't support writing keys back to environment variables
+        // as this wouldn't persist beyond the current process
+        warn!("Writing keys back to environment variables is not supported");
+        Ok(())
+    }
+}