A rust crate to manage, persist and encrypt your configurations.
Explore the docs »
View Demo
·
Report Bug
·
Request Feature
Table of Contents
Sometimes, we need to store config in our application that we don't want to expose to the public. For example, the database password, the api key, etc.
One solution is to store them in the OS' secret manager, such as Keychain on macOS, Credential Manager on Windows, libsecret on Linux.
However, they usually have limitation on the secret length. For example, Keychain only allows 255 bytes for the secret, Credential Manager is even shorter. So we can't store a long secret in it.
Another solution is to store the secret in a file and encrypt it with a rsa public key, and store the private key in the OS' secret manager. This is what this crate does.
This crate provides 3 ways to manage your config:
- [
NormalSource]: A normal source, not persisted or encrypted - [
PersistSource]: A source that will be persisted to local file, not encrypted - [
SecretSource]: A source that will be persisted to local file and encrypted
This crate also has some optional features:
persist: If enabled, you can use the [PersistSource] trait.secret: If enabled, you can use the [PersistSource] and the [SecretSource] trait.mock: If enabled, you can use the mock for testing, which will not use the OS' secret manager.default_config_dir: If enabled, the default config dir will be used. Implemented through dirs.protobuf: If enabled, protobuf will be used instead of json for better performance. (WIP)
One of linux-secret-service and linux-keyutils features should be enabled on Linux, or a compile error will be raised.
- Rust
- Keyring
[target.'cfg(target_os = "linux")'.dependencies]
encrypt_config = { version = "0.3", features = ["full", "linux-secret-service"] }
[target.'cfg(not(target_os = "linux"))'.dependencies]
encrypt_config = { version = "0.3", features = ["full"] }
[profile.dev.package.num-bigint-dig]
opt-level = 3# #[cfg(all(feature = "full", feature = "mock", feature = "default_config_dir"))]
# {
use encrypt_config::{Config, NormalSource, PersistSource, SecretSource};
use serde::{Deserialize, Serialize};
use std::sync::OnceLock;
#[derive(Default, NormalSource)]
struct NormalConfig {
count: usize,
}
#[derive(Default, Serialize, Deserialize, PersistSource)]
#[source(name = "persist_config.json")]
struct PersistConfig {
name: String,
age: usize,
}
#[derive(Default, Serialize, Deserialize, SecretSource)]
#[source(name = "secret_config", keyring_entry = "secret")]
struct SecretConfig {
password: String,
}
fn config() -> &'static Config {
static CONFIG: OnceLock<Config> = OnceLock::new();
CONFIG.get_or_init(|| {
let mut config = Config::default();
config.load_source::<(NormalConfig, PersistConfig, SecretConfig)>();
config
})
}
let cfg = config();
{
let normal_config = cfg.get::<NormalConfig>().unwrap();
assert_eq!(normal_config.count, 0);
}
let mut normal_config = cfg.get_mut::<NormalConfig>().unwrap();
normal_config.count = 42;
assert_eq!(normal_config.count, 42);
let jh = std::thread::spawn(|| {
// work in another thread
let cfg = config();
let mut persist_config = cfg.get_mut::<PersistConfig>().unwrap();
persist_config.name = "Louis".to_string();
persist_config.age = 22;
// save to file
persist_config.save().unwrap();
});
let cfg = config();
let mut secret_config = cfg.get_mut::<SecretConfig>().unwrap();
secret_config.password = "123456".to_string();
// encrypt and save to file
secret_config.save().unwrap();
jh.join().unwrap();
// let's new a config in the next start
let mut config = Config::default();
config.load_source::<(NormalConfig, PersistConfig, SecretConfig)>();
// normal config will not be saved
assert_eq!(config.get::<NormalConfig>().unwrap().count, 0);
// persist config will be saved
assert_eq!(config.get::<PersistConfig>().unwrap().name, "Louis");
// secret config will be encrypted
assert_eq!(config.get::<SecretConfig>().unwrap().password, "123456");
// The secret config file should not be able to load directly
let encrypted_file = std::fs::File::open(SecretConfig::path()).unwrap();
assert!(serde_json::from_reader::<_, SecretConfig>(encrypted_file).is_err());
// You can also save in this way
config.save::<(PersistConfig, SecretConfig)>().unwrap();
# }For more examples, please refer to the Example or Documentation
- v0.2.x -> v0.3.x: Now, multi-config-sources can be saved and loaded through
Configin one go. Butadd_xx_sources are removed. By the way, one can defined their own sources by implementingSourcetrait whileNormalSourcePersistSourceSecretSourceare still provided. - v0.1.x -> v0.2.x: A broken change has been made. Heavily refactored with
std::anyand methods fromdependencies injection.
- Enable protobuf instead of json for better performance
See the open issues for a full list of proposed features (and known issues).
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!
- Fork the Project
- Create your Feature Branch (
git checkout -b feature/AmazingFeature) - Commit your Changes (
git commit -m 'Add some AmazingFeature') - Push to the Branch (
git push origin feature/AmazingFeature) - Open a Pull Request
Distributed under the MIT License. See LICENSE.txt for more information.
Louis - 836250617@qq.com
Project Link: https://github.com/kingwingfly/encrypt-config