feat(rust-sdk): release Keeper Secrets Manager Rust SDK v17.2.0 #993
Draft
stas-schaller wants to merge 8 commits into master from
Building a new reqwest::blocking::Client inside tokio::spawn_blocking fails with "builder error" because reqwest's blocking module creates an internal tokio runtime that conflicts with the existing one. This affected get_file_data() and get_thumbnail_data() in KeeperFile, which built a fresh HTTP client per call (dtos.rs:1155). The main API calls in post_query() worked because they configured danger_accept_invalid_certs which changed the TLS init path.

Fix:
- Build one reqwest::blocking::Client in SecretsManager::new() after SSL/proxy config is resolved
- Store it on the SecretsManager struct, propagate to KeeperFile instances (same pattern as proxy_url propagation)
- get_file_data() and get_thumbnail_data() reuse the pre-built client when available, fall back to building a new one for backward compat
- Add skip_ssl_verify field to KeeperFile (propagated from SecretsManager.verify_ssl_certs) for the fallback path

Precedent: OpenTelemetry Rust (issue #2400), TiKV rust-prometheus (PR #343), reqwest docs all recommend building the blocking client outside async runtimes. See: seanmonstar/reqwest#1017
…client fix(rust-sdk): KSM-886 reuse HTTP client for file downloads
- pub(crate) on KeeperFile::http_client and skip_ssl_verify — both are internal propagation fields with no reason to be part of the public API
- client_builder.build().ok() → build().map_err(...)? in SecretsManager::new() so a TLS init failure surfaces at construction time instead of deferring to the first file download
- extract KeeperFile::resolve_http_client() helper to eliminate duplicated client-building fallback in get_file_data() and get_thumbnail_data()
get_folders() and its private fetch_and_decrypt_folders() both took self by value, consuming the SecretsManager and preventing any subsequent call on the same instance without cloning first. Changed both to &mut self to match the rest of the API (get_secrets, create_secret, etc.). Also fixes a pre-existing compile error in empty_config_test.rs where ClientOptions::new() calls were missing the proxy_url argument after it was added to the signature.
…self fix(rust-sdk): KSM-812 get_folders() borrows instead of consuming SecretsManager
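A dependency-free model of the pattern the KSM-886 and KSM-812 commit messages above describe, added here as an illustration and not taken from the SDK's code. HttpClient and build_client are hypothetical stand-ins for reqwest::blocking::Client and its builder, file() is a hypothetical accessor, and the tls_ok flag exists only to simulate a TLS init failure.

```rust
use std::sync::Arc;
// Std-only stand-in for reqwest::blocking::Client (hypothetical type).
struct HttpClient { skip_ssl_verify: bool }

// Stand-in builder; `tls_ok = false` simulates a TLS backend init failure.
fn build_client(skip_ssl_verify: bool, tls_ok: bool) -> Result<HttpClient, String> {
    if tls_ok { Ok(HttpClient { skip_ssl_verify }) } else { Err("builder error".to_string()) }
}

struct KeeperFile {
    pub(crate) http_client: Option<Arc<HttpClient>>, // propagated from the manager
    pub(crate) skip_ssl_verify: bool,                // only used on the fallback path
}

impl KeeperFile {
    // Reuse the pre-built client; otherwise build one with the same TLS setting.
    fn resolve_http_client(&self) -> Result<Arc<HttpClient>, String> {
        match &self.http_client {
            Some(client) => Ok(Arc::clone(client)),
            None => build_client(self.skip_ssl_verify, true).map(Arc::new),
        }
    }
}

struct SecretsManager { verify_ssl_certs: bool, http_client: Arc<HttpClient> }

impl SecretsManager {
    // `?` surfaces a builder failure at construction; `.ok()` would have stored
    // None and deferred the error to the first file download.
    fn new(verify_ssl_certs: bool, tls_ok: bool) -> Result<Self, String> {
        let client = build_client(!verify_ssl_certs, tls_ok)
            .map_err(|e| format!("HTTP client init failed: {e}"))?;
        Ok(Self { verify_ssl_certs, http_client: Arc::new(client) })
    }

    // Takes &mut self (not self), so the manager stays usable after the call.
    fn file(&mut self) -> KeeperFile {
        KeeperFile {
            http_client: Some(Arc::clone(&self.http_client)),
            skip_ssl_verify: !self.verify_ssl_certs,
        }
    }
}

fn main() {
    let mut sm = SecretsManager::new(true, true).expect("client builds");
    let (a, b) = (sm.file(), sm.file()); // two calls on one instance
    println!("{}", Arc::ptr_eq(&a.resolve_http_client().unwrap(), &b.resolve_http_client().unwrap()));
}
```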
Both Rust SDK workflows (test + publish) updated:
- Add missing integration tests present in one workflow but absent from the other: caching_transmission_key_tests, download_file_by_title_tests, duplicate_uid_notation_test, empty_config_test (+ proxy_test in publish)
- Pin actions/checkout v3 → v6 (SHA), actions-rust-lang/setup-rust-toolchain → SHA, manifest-cyber/manifest-github-action → SHA, actions/upload-artifact v4 → SHA, rust-lang/crates-io-auth-action v1 → SHA
- Add persist-credentials: false to all checkout steps (zizmor artipacked)
- Suppress secrets-outside-env for MANIFEST_TOKEN (SBOM publish, low risk, job already gated by test-rust-sdk)

All layers pass actionlint and zizmor (offline); Layer 4 Docker auth is a local Keeper org enforcement, not a workflow bug.
Add check-version job at the start of the publish pipeline that hits crates.io API before any expensive work (tests, SBOM, cargo package). Fails fast with a clear message if the version already exists, rather than burning ~10min of CI then failing at the upload step. test-rust-sdk now needs: check-version so the entire pipeline gates on the version check.
Summary
Rust SDK v17.2.0 — bug fix release.
Bug Fixes
- KSM-886: Fixed get_file_data() and get_thumbnail_data() failing with "builder error" when called from inside tokio::spawn_blocking. Root cause: reqwest::blocking::Client creates an internal tokio runtime on construction; building it inside an existing async context (e.g. KeeperDB Proxy in Docker) panics. Fix: build a single shared client in SecretsManager::new() and propagate it to KeeperFile objects. (#991)
- KSM-812: Fixed get_folders() consuming the SecretsManager instance (self) instead of borrowing it (&mut self), forcing unnecessary clones. Now consistent with all other methods. Closes #950. (#992)
Internal / Housekeeping
- KeeperFile::http_client and skip_ssl_verify fields narrowed from pub to pub(crate) — implementation details with no external use case
- client_builder.build().ok() → build().map_err(...)? in SecretsManager::new() — TLS init failures now surface at construction time
- KeeperFile::resolve_http_client() helper to eliminate duplicated client-building fallback
- empty_config_test.rs (missing proxy_url argument in ClientOptions::new() calls)
Related Issues