refactor: address requested changes

src/app.rs

@@ -19,8 +19,6 @@ use crate::crypto::{
     kms::{self, Base64Encoded, KmsData, Raw},
     Encryption,
 };
-#[cfg(feature = "kms")]
-use std::marker::PhantomData;
 
 ///
 /// AppState:
@@ -125,7 +123,6 @@ impl AppState {
             let master_key_kms_input: KmsData<Base64Encoded> = KmsData::new(
                 String::from_utf8(config.secrets.master_key.clone())
                     .expect("Failed while converting bytes to String"),
-                PhantomData,
             );
             let kms_decrypted_master_key: KmsData<Raw> = kms_client
                 .decrypt(master_key_kms_input)
@@ -134,7 +131,7 @@ impl AppState {
             config.secrets.master_key = kms_decrypted_master_key.data;
 
             let tenant_public_key_kms_input: KmsData<Base64Encoded> =
-                KmsData::new(config.secrets.tenant_public_key.peek().clone(), PhantomData);
+                KmsData::new(config.secrets.tenant_public_key.peek().clone());
             let kms_decrypted_tenant_public_key: KmsData<Raw> = kms_client
                 .decrypt(tenant_public_key_kms_input)
                 .await
@@ -146,10 +143,8 @@ impl AppState {
                     .expect("Failed while converting bytes to String")
                     .into();
 
-            let locker_private_key_kms_input: KmsData<Base64Encoded> = KmsData::new(
-                config.secrets.locker_private_key.peek().clone(),
-                PhantomData,
-            );
+            let locker_private_key_kms_input: KmsData<Base64Encoded> =
+                KmsData::new(config.secrets.locker_private_key.peek().clone());
             let kms_decrypted_locker_private_key: KmsData<Raw> = kms_client
                 .decrypt(locker_private_key_kms_input)
                 .await
@@ -162,15 +157,16 @@ impl AppState {
                     .into();
 
             let db_password_kms_input: KmsData<Base64Encoded> =
-                KmsData::new(config.database.password.clone(), PhantomData);
+                KmsData::new(config.database.password.peek().clone());
             let kms_decrypted_db_password: KmsData<Raw> = kms_client
                 .decrypt(db_password_kms_input)
                 .await
                 .change_context(error::ConfigurationError::KmsDecryptError(
                     "locker_private_key",
                 ))?;
             config.database.password = String::from_utf8(kms_decrypted_db_password.data)
-                .expect("Failed while converting bytes to String");
+                .expect("Failed while converting bytes to String")
+                .into();
         }
 
         Ok(Self {

src/config.rs

@@ -22,7 +22,8 @@ pub struct Server {
 #[derive(Clone, serde::Deserialize, Debug)]
 pub struct Database {
     pub username: String,
-    pub password: String,
+    // KMS encrypted
+    pub password: masking::Secret<String>,
     pub host: String,
     pub port: u16,
     pub dbname: String,
@@ -31,10 +32,13 @@ pub struct Database {
 #[derive(Clone, serde::Deserialize, Debug)]
 pub struct Secrets {
     pub tenant: String,
+    // KMS encrypted
     #[serde(deserialize_with = "deserialize_hex")]
     pub master_key: Vec<u8>,
+    // KMS encrypted
     #[cfg(feature = "middleware")]
     pub locker_private_key: masking::Secret<String>,
+    // KMS encrypted
     #[cfg(feature = "middleware")]
     pub tenant_public_key: masking::Secret<String>,
 }

src/crypto/kms.rs

@@ -100,8 +100,11 @@ pub struct KmsData<T: Decoder> {
 }
 
 impl<T: Decoder> KmsData<T> {
-    pub fn new(data: T::Data, decode_op: PhantomData<T>) -> Self {
-        Self { data, decode_op }
+    pub fn new(data: T::Data) -> Self {
+        Self {
+            data,
+            decode_op: PhantomData,
+        }
     }
     pub fn into_decoded(self) -> Result<Vec<u8>, T::Error> {
         T::decode(self.data)