nushell-plugins/nu_plugin_kms/implementation-summary.md


# nu_plugin_kms - Real Backend Implementation Summary

**Date**: 2025-10-08
**Status**: ✅ Implemented and Compiled Successfully

## Overview

Implemented real KMS backends for `nu_plugin_kms` to work with:

1. **RustyVault** (native Rust client)
2. **Age** (native encryption)
3. **HTTP Fallback** (Cosmian or other HTTP KMS services)

## Implementation Details

### 1. Backend Architecture

**File**: `src/helpers.rs` (357 lines)

The plugin now supports three backend types:

```rust
pub enum Backend {
    RustyVault { client: RustyVaultClient },
    Age { recipient: String, identity: Option<String> },
    HttpFallback { backend_name: String, url: String },
}
```

### 2. RustyVault Integration

**API Used**: `rusty_vault::api::Client` (low-level logical API)

**Operations Implemented**:

- `encrypt_rustyvault()` - Encrypts data using the Transit backend
- `decrypt_rustyvault()` - Decrypts data using the Transit backend
- `generate_data_key_rustyvault()` - Generates AES128/AES256 data keys

**Example API Call**:

```rust
let path = format!("transit/encrypt/{}", key_name);
let response = client.logical().write(&path, Some(req_data))?;
```

**Environment Variables**:

- `RUSTYVAULT_ADDR` - Vault server URL (default: <http://localhost:8200>)
- `RUSTYVAULT_TOKEN` - Authentication token

### 3. Age Integration

**Library Used**: `age` crate (v0.10)

**Operations Implemented**:

- `encrypt_age()` - Encrypts with an Age recipient (returns ASCII-armored format)
- `decrypt_age()` - Decrypts with an Age identity file
- `generate_age_key()` - Generates Ed25519 key pair

**Key Features**:

- X25519 encryption
- ASCII-armored output format
- Identity file-based decryption
- Recipient validation (must start with `age1`)

**Environment Variables**:

- `AGE_RECIPIENT` - Public key for encryption
- `AGE_IDENTITY` - Path to private key file for decryption

### 4. HTTP Fallback

**Library Used**: `reqwest` (async HTTP client)

**Operations Implemented**:

- `encrypt_http()` - POST to `/api/v1/kms/encrypt`
- `decrypt_http()` - POST to `/api/v1/kms/decrypt`
- `generate_data_key_http()` - POST to `/api/v1/kms/generate-data-key`

**Environment Variables**:

- `KMS_HTTP_URL` - KMS service URL (default: <http://localhost:8081>)
- `KMS_HTTP_BACKEND` - Backend name (default: cosmian)

### 5. Auto-Detection

**Function**: `detect_backend()`

**Detection Order**:

1. Check for RustyVault (RUSTYVAULT_ADDR + RUSTYVAULT_TOKEN)
2. Check for Age (AGE_RECIPIENT)
3. Fallback to HTTP (KMS_HTTP_URL + KMS_HTTP_BACKEND)

## Command Implementation

### Encrypt Command

```bash
# Auto-detect backend
kms encrypt "secret data"

# Explicit RustyVault
kms encrypt "data" --backend rustyvault --key my-key

# Explicit Age
kms encrypt "data" --backend age --key age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
```

### Decrypt Command

```bash
# Auto-detect backend
kms decrypt "vault:v1:..."

# Age with identity file
kms decrypt "-----BEGIN AGE..." --backend age --key ~/.age/key.txt
```

### Generate Key Command

```bash
# RustyVault - generates AES data key
kms generate-key --backend rustyvault --spec AES256

# Age - generates Ed25519 key pair
kms generate-key --backend age
```

### Status Command

```bash
# Check current backend and configuration
kms status

# Example output:
# {
#   "backend": "rustyvault",
#   "available": true,
#   "config": "addr: http://localhost:8200"
# }
```

## Compilation Results

### Build Command

```bash
cd provisioning/core/plugins/nushell-plugins/nu_plugin_kms
cargo build --release
```

### Output

```plaintext
✅ Compiled successfully in 1m 11s
⚠ 3 warnings (non-critical)
  - 2 unused utility functions (encode_base64, decode_base64)
  - 1 lifetime syntax warning (cosmetic)
```

### Binary Location

```plaintext
target/release/nu_plugin_kms
```

## Testing Recommendations

### 1. Test RustyVault Backend

**Prerequisites**:

- RustyVault server running on loc
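The `detect_backend()` selection order described under Auto-Detection, with the `age1` recipient check and the HTTP defaults listed above, as an added Rust example that is not the plugin's own code. The `BackendConfig` enum, the `var()` helper and the map-based settings input are assumptions made for this example (the real `Backend` enum holds a live RustyVault client instead of raw strings).

```rust
use std::collections::HashMap;

/// Simplified backend configuration for this example (assumption): the
/// plugin's real `Backend` enum holds a live RustyVault client instead.
#[derive(Debug, PartialEq)]
pub enum BackendConfig {
    RustyVault { addr: String, token: String },
    Age { recipient: String, identity: Option<String> },
    HttpFallback { backend_name: String, url: String },
}

/// Read a setting, treating an unset or blank variable as absent.
fn var<'a>(env: &'a HashMap<String, String>, key: &str) -> Option<&'a str> {
    env.get(key).map(|v| v.trim()).filter(|v| !v.is_empty())
}

/// Select a backend in the summary's order: RustyVault, then Age, then the
/// HTTP fallback. Settings arrive as a map (assumption) rather than being
/// read from std::env so the selection logic can be unit-tested.
pub fn detect_backend(env: &HashMap<String, String>) -> Result<BackendConfig, String> {
    // 1. RustyVault: both the address and the token must be present.
    if let (Some(addr), Some(token)) = (var(env, "RUSTYVAULT_ADDR"), var(env, "RUSTYVAULT_TOKEN")) {
        return Ok(BackendConfig::RustyVault { addr: addr.to_string(), token: token.to_string() });
    }
    // 2. Age: a recipient is required and must start with "age1".
    if let Some(recipient) = var(env, "AGE_RECIPIENT") {
        if !recipient.starts_with("age1") {
            return Err(format!("AGE_RECIPIENT must start with 'age1', got '{}'", recipient));
        }
        return Ok(BackendConfig::Age {
            recipient: recipient.to_string(),
            identity: var(env, "AGE_IDENTITY").map(str::to_string),
        });
    }
    // 3. HTTP fallback, with the defaults the summary lists.
    Ok(BackendConfig::HttpFallback {
        backend_name: var(env, "KMS_HTTP_BACKEND").unwrap_or("cosmian").to_string(),
        url: var(env, "KMS_HTTP_URL").unwrap_or("http://localhost:8081").to_string(),
    })
}

fn main() {
    // Constructed sample settings, not a real deployment.
    let env = HashMap::from([("AGE_RECIPIENT".to_string(), "age1examplekey".to_string())]);
    println!("{:?}", detect_backend(&env));
}
```

A token without an address, or a recipient that does not start with `age1`, does not silently select the wrong backend: the first falls through to the HTTP fallback, the second is reported as an error.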