Add encryption and credential management infrastructure

Implements AES-256-GCM encrypted storage and keyring-based credential management for securely handling API keys and sensitive data. Supports secure local storage and OS-native keychain integration. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-06 18:31:51 +02:00
parent 2eabe55fe6
commit 0b17a0f4c8
2 changed files with 310 additions and 0 deletions
--- a/crates/owlen-core/src/credentials.rs
+++ b/crates/owlen-core/src/credentials.rs
@@ -0,0 +1,69 @@
+use std::sync::Arc;
+
+use serde::{Deserialize, Serialize};
+
+use crate::{storage::StorageManager, Error, Result};
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct ApiCredentials {
+    pub api_key: String,
+    pub endpoint: String,
+}
+
+pub struct CredentialManager {
+    storage: Arc<StorageManager>,
+    master_key: Arc<Vec<u8>>,
+    namespace: String,
+}
+
+impl CredentialManager {
+    pub fn new(storage: Arc<StorageManager>, master_key: Arc<Vec<u8>>) -> Self {
+        Self {
+            storage,
+            master_key,
+            namespace: "owlen".to_string(),
+        }
+    }
+
+    fn namespaced_key(&self, tool_name: &str) -> String {
+        format!("{}_{}", self.namespace, tool_name)
+    }
+
+    pub async fn store_credentials(
+        &self,
+        tool_name: &str,
+        credentials: &ApiCredentials,
+    ) -> Result<()> {
+        let key = self.namespaced_key(tool_name);
+        let payload = serde_json::to_vec(credentials).map_err(|e| {
+            Error::Storage(format!(
+                "Failed to serialize credentials for secure storage: {e}"
+            ))
+        })?;
+        self.storage
+            .store_secure_item(&key, &payload, &self.master_key)
+            .await
+    }
+
+    pub async fn get_credentials(&self, tool_name: &str) -> Result<Option<ApiCredentials>> {
+        let key = self.namespaced_key(tool_name);
+        match self
+            .storage
+            .load_secure_item(&key, &self.master_key)
+            .await?
+        {
+            Some(bytes) => {
+                let creds = serde_json::from_slice(&bytes).map_err(|e| {
+                    Error::Storage(format!("Failed to deserialize stored credentials: {e}"))
+                })?;
+                Ok(Some(creds))
+            }
+            None => Ok(None),
+        }
+    }
+
+    pub async fn delete_credentials(&self, tool_name: &str) -> Result<()> {
+        let key = self.namespaced_key(tool_name);
+        self.storage.delete_secure_item(&key).await
+    }
+}