1use crate::{
13 config::ConfigFileError,
14 models::signer::{
15 AwsKmsSignerConfig, CdpSignerConfig, GoogleCloudKmsSignerConfig,
16 GoogleCloudKmsSignerKeyConfig, GoogleCloudKmsSignerServiceAccountConfig, LocalSignerConfig,
17 Signer, SignerConfig, TurnkeySignerConfig, VaultSignerConfig, VaultTransitSignerConfig,
18 },
19 models::PlainOrEnvValue,
20};
21use secrets::SecretVec;
22use serde::{Deserialize, Serialize};
23use std::{collections::HashSet, path::Path};
24
25#[derive(Debug, Serialize, Deserialize, Clone, PartialEq)]
26#[serde(deny_unknown_fields)]
27pub struct LocalSignerFileConfig {
28 pub path: String,
29 pub passphrase: PlainOrEnvValue,
30}
31
32#[derive(Debug, Serialize, Deserialize, Clone, PartialEq)]
33#[serde(deny_unknown_fields)]
34pub struct AwsKmsSignerFileConfig {
35 pub region: String,
36 pub key_id: String,
37}
38
39#[derive(Debug, Serialize, Deserialize, Clone, PartialEq)]
40#[serde(deny_unknown_fields)]
41pub struct TurnkeySignerFileConfig {
42 pub api_public_key: String,
43 pub api_private_key: PlainOrEnvValue,
44 pub organization_id: String,
45 pub private_key_id: String,
46 pub public_key: String,
47}
48
49#[derive(Debug, Serialize, Deserialize, Clone, PartialEq)]
50#[serde(deny_unknown_fields)]
51pub struct CdpSignerFileConfig {
52 pub api_key_id: String,
53 pub api_key_secret: PlainOrEnvValue,
54 pub wallet_secret: PlainOrEnvValue,
55 pub account_address: String,
56}
57
58#[derive(Debug, Serialize, Deserialize, Clone, PartialEq)]
59#[serde(deny_unknown_fields)]
60pub struct VaultSignerFileConfig {
61 pub address: String,
62 pub namespace: Option<String>,
63 pub role_id: PlainOrEnvValue,
64 pub secret_id: PlainOrEnvValue,
65 pub key_name: String,
66 pub mount_point: Option<String>,
67}
68
69#[derive(Debug, Serialize, Deserialize, Clone, PartialEq)]
70#[serde(deny_unknown_fields)]
71pub struct VaultTransitSignerFileConfig {
72 pub key_name: String,
73 pub address: String,
74 pub role_id: PlainOrEnvValue,
75 pub secret_id: PlainOrEnvValue,
76 pub pubkey: String,
77 pub mount_point: Option<String>,
78 pub namespace: Option<String>,
79}
80
81fn google_cloud_default_auth_uri() -> String {
82 "https://accounts.google.com/o/oauth2/auth".to_string()
83}
84
85fn google_cloud_default_token_uri() -> String {
86 "https://oauth2.googleapis.com/token".to_string()
87}
88
89fn google_cloud_default_auth_provider_x509_cert_url() -> String {
90 "https://www.googleapis.com/oauth2/v1/certs".to_string()
91}
92
93fn google_cloud_default_client_x509_cert_url() -> String {
94 "https://www.googleapis.com/robot/v1/metadata/x509/solana-signer%40forward-emitter-459820-r7.iam.gserviceaccount.com".to_string()
95}
96
97fn google_cloud_default_universe_domain() -> String {
98 "googleapis.com".to_string()
99}
100
101fn google_cloud_default_key_version() -> u32 {
102 1
103}
104
105fn google_cloud_default_location() -> String {
106 "global".to_string()
107}
108
109#[derive(Debug, Serialize, Deserialize, Clone, PartialEq)]
110#[serde(deny_unknown_fields)]
111pub struct GoogleCloudKmsServiceAccountFileConfig {
112 pub project_id: String,
113 pub private_key_id: PlainOrEnvValue,
114 pub private_key: PlainOrEnvValue,
115 pub client_email: PlainOrEnvValue,
116 pub client_id: String,
117 #[serde(default = "google_cloud_default_auth_uri")]
118 pub auth_uri: String,
119 #[serde(default = "google_cloud_default_token_uri")]
120 pub token_uri: String,
121 #[serde(default = "google_cloud_default_auth_provider_x509_cert_url")]
122 pub auth_provider_x509_cert_url: String,
123 #[serde(default = "google_cloud_default_client_x509_cert_url")]
124 pub client_x509_cert_url: String,
125 #[serde(default = "google_cloud_default_universe_domain")]
126 pub universe_domain: String,
127}
128
129#[derive(Debug, Serialize, Deserialize, Clone, PartialEq)]
130#[serde(deny_unknown_fields)]
131pub struct GoogleCloudKmsKeyFileConfig {
132 #[serde(default = "google_cloud_default_location")]
133 pub location: String,
134 pub key_ring_id: String,
135 pub key_id: String,
136 #[serde(default = "google_cloud_default_key_version")]
137 pub key_version: u32,
138}
139
140#[derive(Debug, Serialize, Deserialize, Clone, PartialEq)]
141#[serde(deny_unknown_fields)]
142pub struct GoogleCloudKmsSignerFileConfig {
143 pub service_account: GoogleCloudKmsServiceAccountFileConfig,
144 pub key: GoogleCloudKmsKeyFileConfig,
145}
146
147#[derive(Debug, Serialize, Deserialize, Clone, PartialEq)]
149#[serde(tag = "type", rename_all = "lowercase", content = "config")]
150pub enum SignerFileConfigEnum {
151 Local(LocalSignerFileConfig),
152 #[serde(rename = "aws_kms")]
153 AwsKms(AwsKmsSignerFileConfig),
154 Turnkey(TurnkeySignerFileConfig),
155 Cdp(CdpSignerFileConfig),
156 Vault(VaultSignerFileConfig),
157 #[serde(rename = "vault_transit")]
158 VaultTransit(VaultTransitSignerFileConfig),
159 #[serde(rename = "google_cloud_kms")]
160 GoogleCloudKms(GoogleCloudKmsSignerFileConfig),
161}
162
163#[derive(Debug, Serialize, Deserialize, Clone)]
165#[serde(deny_unknown_fields)]
166pub struct SignerFileConfig {
167 pub id: String,
168 #[serde(flatten)]
169 pub config: SignerFileConfigEnum,
170}
171
172#[derive(Debug, Serialize, Deserialize, Clone)]
174#[serde(deny_unknown_fields)]
175pub struct SignersFileConfig {
176 pub signers: Vec<SignerFileConfig>,
177}
178
179impl SignerFileConfig {
180 pub fn validate_basic(&self) -> Result<(), ConfigFileError> {
181 if self.id.is_empty() {
182 return Err(ConfigFileError::InvalidIdLength(
183 "Signer ID cannot be empty".into(),
184 ));
185 }
186 Ok(())
187 }
188}
189
190impl SignersFileConfig {
191 pub fn new(signers: Vec<SignerFileConfig>) -> Self {
192 Self { signers }
193 }
194
195 pub fn validate(&self) -> Result<(), ConfigFileError> {
196 if self.signers.is_empty() {
197 return Ok(());
198 }
199
200 let mut ids = HashSet::new();
201 for signer in &self.signers {
202 signer.validate_basic()?;
203 if !ids.insert(signer.id.clone()) {
204 return Err(ConfigFileError::DuplicateId(signer.id.clone()));
205 }
206 }
207 Ok(())
208 }
209}
210
211impl TryFrom<LocalSignerFileConfig> for LocalSignerConfig {
212 type Error = ConfigFileError;
213
214 fn try_from(config: LocalSignerFileConfig) -> Result<Self, Self::Error> {
215 if config.path.is_empty() {
216 return Err(ConfigFileError::InvalidIdLength(
217 "Signer path cannot be empty".into(),
218 ));
219 }
220
221 let path = Path::new(&config.path);
222 if !path.exists() {
223 return Err(ConfigFileError::FileNotFound(format!(
224 "Signer file not found at path: {}",
225 path.display()
226 )));
227 }
228
229 if !path.is_file() {
230 return Err(ConfigFileError::InvalidFormat(format!(
231 "Path exists but is not a file: {}",
232 path.display()
233 )));
234 }
235
236 let passphrase = config.passphrase.get_value().map_err(|e| {
237 ConfigFileError::InvalidFormat(format!("Failed to get passphrase value: {e}"))
238 })?;
239
240 if passphrase.is_empty() {
241 return Err(ConfigFileError::InvalidFormat(
242 "Local signer passphrase cannot be empty".into(),
243 ));
244 }
245
246 let raw_key = SecretVec::new(32, |buffer| {
247 let loaded = oz_keystore::LocalClient::load(
248 Path::new(&config.path).to_path_buf(),
249 passphrase.to_str().as_str().to_string(),
250 );
251 buffer.copy_from_slice(&loaded);
252 });
253
254 Ok(LocalSignerConfig { raw_key })
255 }
256}
257
258impl TryFrom<AwsKmsSignerFileConfig> for AwsKmsSignerConfig {
259 type Error = ConfigFileError;
260
261 fn try_from(config: AwsKmsSignerFileConfig) -> Result<Self, Self::Error> {
262 Ok(AwsKmsSignerConfig {
263 region: Some(config.region),
264 key_id: config.key_id,
265 })
266 }
267}
268
269impl TryFrom<TurnkeySignerFileConfig> for TurnkeySignerConfig {
270 type Error = ConfigFileError;
271
272 fn try_from(config: TurnkeySignerFileConfig) -> Result<Self, Self::Error> {
273 let api_private_key = config.api_private_key.get_value().map_err(|e| {
274 ConfigFileError::InvalidFormat(format!("Failed to get API private key: {e}"))
275 })?;
276
277 Ok(TurnkeySignerConfig {
278 api_public_key: config.api_public_key,
279 api_private_key,
280 organization_id: config.organization_id,
281 private_key_id: config.private_key_id,
282 public_key: config.public_key,
283 })
284 }
285}
286
287impl TryFrom<CdpSignerFileConfig> for CdpSignerConfig {
288 type Error = ConfigFileError;
289
290 fn try_from(config: CdpSignerFileConfig) -> Result<Self, Self::Error> {
291 let api_key_secret = config.api_key_secret.get_value().map_err(|e| {
292 ConfigFileError::InvalidFormat(format!("Failed to get API key secret: {e}"))
293 })?;
294
295 let wallet_secret = config.wallet_secret.get_value().map_err(|e| {
296 ConfigFileError::InvalidFormat(format!("Failed to get wallet secret: {e}"))
297 })?;
298
299 Ok(CdpSignerConfig {
300 api_key_id: config.api_key_id,
301 api_key_secret,
302 wallet_secret,
303 account_address: config.account_address,
304 })
305 }
306}
307
308impl TryFrom<VaultSignerFileConfig> for VaultSignerConfig {
309 type Error = ConfigFileError;
310
311 fn try_from(config: VaultSignerFileConfig) -> Result<Self, Self::Error> {
312 let role_id = config
313 .role_id
314 .get_value()
315 .map_err(|e| ConfigFileError::InvalidFormat(format!("Failed to get role ID: {e}")))?;
316
317 let secret_id = config
318 .secret_id
319 .get_value()
320 .map_err(|e| ConfigFileError::InvalidFormat(format!("Failed to get secret ID: {e}")))?;
321
322 Ok(VaultSignerConfig {
323 address: config.address,
324 namespace: config.namespace,
325 role_id,
326 secret_id,
327 key_name: config.key_name,
328 mount_point: config.mount_point,
329 })
330 }
331}
332
333impl TryFrom<VaultTransitSignerFileConfig> for VaultTransitSignerConfig {
334 type Error = ConfigFileError;
335
336 fn try_from(config: VaultTransitSignerFileConfig) -> Result<Self, Self::Error> {
337 let role_id = config
338 .role_id
339 .get_value()
340 .map_err(|e| ConfigFileError::InvalidFormat(format!("Failed to get role ID: {e}")))?;
341
342 let secret_id = config
343 .secret_id
344 .get_value()
345 .map_err(|e| ConfigFileError::InvalidFormat(format!("Failed to get secret ID: {e}")))?;
346
347 Ok(VaultTransitSignerConfig {
348 key_name: config.key_name,
349 address: config.address,
350 namespace: config.namespace,
351 role_id,
352 secret_id,
353 pubkey: config.pubkey,
354 mount_point: config.mount_point,
355 })
356 }
357}
358
359impl TryFrom<GoogleCloudKmsSignerFileConfig> for GoogleCloudKmsSignerConfig {
360 type Error = ConfigFileError;
361
362 fn try_from(config: GoogleCloudKmsSignerFileConfig) -> Result<Self, Self::Error> {
363 let private_key = config
364 .service_account
365 .private_key
366 .get_value()
367 .map_err(|e| {
368 ConfigFileError::InvalidFormat(format!("Failed to get private key: {e}"))
369 })?;
370
371 let private_key_id = config
372 .service_account
373 .private_key_id
374 .get_value()
375 .map_err(|e| {
376 ConfigFileError::InvalidFormat(format!("Failed to get private key ID: {e}"))
377 })?;
378
379 let client_email = config
380 .service_account
381 .client_email
382 .get_value()
383 .map_err(|e| {
384 ConfigFileError::InvalidFormat(format!("Failed to get client email: {e}"))
385 })?;
386
387 let service_account = GoogleCloudKmsSignerServiceAccountConfig {
388 private_key,
389 private_key_id,
390 project_id: config.service_account.project_id,
391 client_email,
392 client_id: config.service_account.client_id,
393 auth_uri: config.service_account.auth_uri,
394 token_uri: config.service_account.token_uri,
395 auth_provider_x509_cert_url: config.service_account.auth_provider_x509_cert_url,
396 client_x509_cert_url: config.service_account.client_x509_cert_url,
397 universe_domain: config.service_account.universe_domain,
398 };
399
400 let key = GoogleCloudKmsSignerKeyConfig {
401 location: config.key.location,
402 key_ring_id: config.key.key_ring_id,
403 key_id: config.key.key_id,
404 key_version: config.key.key_version,
405 };
406
407 Ok(GoogleCloudKmsSignerConfig {
408 service_account,
409 key,
410 })
411 }
412}
413
414impl TryFrom<SignerFileConfigEnum> for SignerConfig {
415 type Error = ConfigFileError;
416
417 fn try_from(config: SignerFileConfigEnum) -> Result<Self, Self::Error> {
418 match config {
419 SignerFileConfigEnum::Local(local) => {
420 Ok(SignerConfig::Local(LocalSignerConfig::try_from(local)?))
421 }
422 SignerFileConfigEnum::AwsKms(aws_kms) => {
423 Ok(SignerConfig::AwsKms(AwsKmsSignerConfig::try_from(aws_kms)?))
424 }
425 SignerFileConfigEnum::Turnkey(turnkey) => Ok(SignerConfig::Turnkey(
426 TurnkeySignerConfig::try_from(turnkey)?,
427 )),
428 SignerFileConfigEnum::Cdp(cdp) => {
429 Ok(SignerConfig::Cdp(CdpSignerConfig::try_from(cdp)?))
430 }
431 SignerFileConfigEnum::Vault(vault) => {
432 Ok(SignerConfig::Vault(VaultSignerConfig::try_from(vault)?))
433 }
434 SignerFileConfigEnum::VaultTransit(vault_transit) => Ok(SignerConfig::VaultTransit(
435 VaultTransitSignerConfig::try_from(vault_transit)?,
436 )),
437 SignerFileConfigEnum::GoogleCloudKms(gcp_kms) => Ok(SignerConfig::GoogleCloudKms(
438 GoogleCloudKmsSignerConfig::try_from(gcp_kms)?,
439 )),
440 }
441 }
442}
443
444impl TryFrom<SignerFileConfig> for Signer {
445 type Error = ConfigFileError;
446
447 fn try_from(config: SignerFileConfig) -> Result<Self, Self::Error> {
448 config.validate_basic()?;
449
450 let signer_config = SignerConfig::try_from(config.config)?;
451
452 let signer = Signer::new(config.id, signer_config);
454
455 signer.validate().map_err(|e| match e {
457 crate::models::signer::SignerValidationError::EmptyId => {
458 ConfigFileError::MissingField("signer id".into())
459 }
460 crate::models::signer::SignerValidationError::InvalidIdFormat => {
461 ConfigFileError::InvalidFormat("Invalid signer ID format".into())
462 }
463 crate::models::signer::SignerValidationError::InvalidConfig(msg) => {
464 ConfigFileError::InvalidFormat(format!("Invalid signer configuration: {msg}"))
465 }
466 })?;
467
468 Ok(signer)
469 }
470}
471
472#[cfg(test)]
473mod tests {
474 use super::*;
475 use crate::models::SecretString;
476
477 #[test]
478 fn test_aws_kms_conversion() {
479 let config = AwsKmsSignerFileConfig {
480 region: "us-east-1".to_string(),
481 key_id: "test-key-id".to_string(),
482 };
483
484 let result = AwsKmsSignerConfig::try_from(config);
485 assert!(result.is_ok());
486
487 let aws_config = result.unwrap();
488 assert_eq!(aws_config.region, Some("us-east-1".to_string()));
489 assert_eq!(aws_config.key_id, "test-key-id");
490 }
491
492 #[test]
493 fn test_turnkey_conversion() {
494 let config = TurnkeySignerFileConfig {
495 api_public_key: "test-public-key".to_string(),
496 api_private_key: PlainOrEnvValue::Plain {
497 value: SecretString::new("test-private-key"),
498 },
499 organization_id: "test-org".to_string(),
500 private_key_id: "test-private-key-id".to_string(),
501 public_key: "test-public-key".to_string(),
502 };
503
504 let result = TurnkeySignerConfig::try_from(config);
505 assert!(result.is_ok());
506
507 let turnkey_config = result.unwrap();
508 assert_eq!(turnkey_config.api_public_key, "test-public-key");
509 assert_eq!(turnkey_config.organization_id, "test-org");
510 }
511
512 #[test]
513 fn test_signer_file_config_validation() {
514 let signer_config = SignerFileConfig {
515 id: "test-signer".to_string(),
516 config: SignerFileConfigEnum::Local(LocalSignerFileConfig {
517 path: "test-path".to_string(),
518 passphrase: PlainOrEnvValue::Plain {
519 value: SecretString::new("test-passphrase"),
520 },
521 }),
522 };
523
524 assert!(signer_config.validate_basic().is_ok());
525 }
526
527 #[test]
528 fn test_empty_signer_id() {
529 let signer_config = SignerFileConfig {
530 id: "".to_string(),
531 config: SignerFileConfigEnum::Local(LocalSignerFileConfig {
532 path: "test-path".to_string(),
533 passphrase: PlainOrEnvValue::Plain {
534 value: SecretString::new("test-passphrase"),
535 },
536 }),
537 };
538
539 assert!(signer_config.validate_basic().is_err());
540 }
541
542 #[test]
543 fn test_signers_config_validation() {
544 let configs = SignersFileConfig::new(vec![
545 SignerFileConfig {
546 id: "signer1".to_string(),
547 config: SignerFileConfigEnum::Local(LocalSignerFileConfig {
548 path: "test-path".to_string(),
549 passphrase: PlainOrEnvValue::Plain {
550 value: SecretString::new("test-passphrase"),
551 },
552 }),
553 },
554 SignerFileConfig {
555 id: "signer2".to_string(),
556 config: SignerFileConfigEnum::Local(LocalSignerFileConfig {
557 path: "test-path".to_string(),
558 passphrase: PlainOrEnvValue::Plain {
559 value: SecretString::new("test-passphrase"),
560 },
561 }),
562 },
563 ]);
564
565 assert!(configs.validate().is_ok());
566 }
567
568 #[test]
569 fn test_duplicate_signer_ids() {
570 let configs = SignersFileConfig::new(vec![
571 SignerFileConfig {
572 id: "signer1".to_string(),
573 config: SignerFileConfigEnum::Local(LocalSignerFileConfig {
574 path: "test-path".to_string(),
575 passphrase: PlainOrEnvValue::Plain {
576 value: SecretString::new("test-passphrase"),
577 },
578 }),
579 },
580 SignerFileConfig {
581 id: "signer1".to_string(), config: SignerFileConfigEnum::Local(LocalSignerFileConfig {
583 path: "test-path".to_string(),
584 passphrase: PlainOrEnvValue::Plain {
585 value: SecretString::new("test-passphrase"),
586 },
587 }),
588 },
589 ]);
590
591 assert!(matches!(
592 configs.validate(),
593 Err(ConfigFileError::DuplicateId(_))
594 ));
595 }
596
597 #[test]
598 fn test_local_conversion_invalid_path() {
599 let config = LocalSignerFileConfig {
600 path: "non-existent-path".to_string(),
601 passphrase: PlainOrEnvValue::Plain {
602 value: SecretString::new("test-passphrase"),
603 },
604 };
605
606 let result = LocalSignerConfig::try_from(config);
607 assert!(result.is_err());
608 if let Err(ConfigFileError::FileNotFound(msg)) = result {
609 assert!(msg.contains("Signer file not found"));
610 } else {
611 panic!("Expected FileNotFound error");
612 }
613 }
614
615 #[test]
616 fn test_vault_conversion() {
617 let config = VaultSignerFileConfig {
618 address: "https://vault.example.com".to_string(),
619 namespace: Some("test-namespace".to_string()),
620 role_id: PlainOrEnvValue::Plain {
621 value: SecretString::new("test-role"),
622 },
623 secret_id: PlainOrEnvValue::Plain {
624 value: SecretString::new("test-secret"),
625 },
626 key_name: "test-key".to_string(),
627 mount_point: Some("test-mount".to_string()),
628 };
629
630 let result = VaultSignerConfig::try_from(config);
631 assert!(result.is_ok());
632
633 let vault_config = result.unwrap();
634 assert_eq!(vault_config.address, "https://vault.example.com");
635 assert_eq!(vault_config.namespace, Some("test-namespace".to_string()));
636 }
637
638 #[test]
639 fn test_google_cloud_kms_conversion() {
640 let config = GoogleCloudKmsSignerFileConfig {
641 service_account: GoogleCloudKmsServiceAccountFileConfig {
642 project_id: "test-project".to_string(),
643 private_key_id: PlainOrEnvValue::Plain {
644 value: SecretString::new("test-key-id"),
645 },
646 private_key: PlainOrEnvValue::Plain {
647 value: SecretString::new("test-private-key"),
648 },
649 client_email: PlainOrEnvValue::Plain {
650 value: SecretString::new("test@email.com"),
651 },
652 client_id: "test-client-id".to_string(),
653 auth_uri: google_cloud_default_auth_uri(),
654 token_uri: google_cloud_default_token_uri(),
655 auth_provider_x509_cert_url: google_cloud_default_auth_provider_x509_cert_url(),
656 client_x509_cert_url: google_cloud_default_client_x509_cert_url(),
657 universe_domain: google_cloud_default_universe_domain(),
658 },
659 key: GoogleCloudKmsKeyFileConfig {
660 location: google_cloud_default_location(),
661 key_ring_id: "test-ring".to_string(),
662 key_id: "test-key".to_string(),
663 key_version: google_cloud_default_key_version(),
664 },
665 };
666
667 let result = GoogleCloudKmsSignerConfig::try_from(config);
668 assert!(result.is_ok());
669
670 let gcp_config = result.unwrap();
671 assert_eq!(gcp_config.key.key_id, "test-key");
672 assert_eq!(gcp_config.service_account.project_id, "test-project");
673 }
674
675 #[test]
676 fn test_cdp_file_config_conversion() {
677 use crate::models::SecretString;
678 let cfg = CdpSignerFileConfig {
679 api_key_id: "id".into(),
680 api_key_secret: PlainOrEnvValue::Plain {
681 value: SecretString::new("asecret"),
682 },
683 wallet_secret: PlainOrEnvValue::Plain {
684 value: SecretString::new("wsecret"),
685 },
686 account_address: "0x0000000000000000000000000000000000000000".into(),
687 };
688 let res = CdpSignerConfig::try_from(cfg);
689 assert!(res.is_ok());
690 let c = res.unwrap();
691 assert_eq!(c.api_key_id, "id");
692 assert_eq!(
693 c.account_address,
694 "0x0000000000000000000000000000000000000000"
695 );
696 }
697
698 #[test]
699 fn test_cdp_file_config_conversion_api_key_secret_error() {
700 let cfg = CdpSignerFileConfig {
701 api_key_id: "id".into(),
702 api_key_secret: PlainOrEnvValue::Env {
703 value: "NONEXISTENT_ENV_VAR".into(),
704 },
705 wallet_secret: PlainOrEnvValue::Plain {
706 value: SecretString::new("wsecret"),
707 },
708 account_address: "0x0000000000000000000000000000000000000000".into(),
709 };
710 let res = CdpSignerConfig::try_from(cfg);
711 assert!(res.is_err());
712 let err = res.unwrap_err();
713 assert!(matches!(err, ConfigFileError::InvalidFormat(_)));
714 if let ConfigFileError::InvalidFormat(msg) = err {
715 assert!(msg.contains("Failed to get API key secret"));
716 }
717 }
718
719 #[test]
720 fn test_cdp_file_config_conversion_wallet_secret_error() {
721 let cfg = CdpSignerFileConfig {
722 api_key_id: "id".into(),
723 api_key_secret: PlainOrEnvValue::Plain {
724 value: SecretString::new("asecret"),
725 },
726 wallet_secret: PlainOrEnvValue::Env {
727 value: "NONEXISTENT_ENV_VAR".into(),
728 },
729 account_address: "0x0000000000000000000000000000000000000000".into(),
730 };
731 let res = CdpSignerConfig::try_from(cfg);
732 assert!(res.is_err());
733 let err = res.unwrap_err();
734 assert!(matches!(err, ConfigFileError::InvalidFormat(_)));
735 if let ConfigFileError::InvalidFormat(msg) = err {
736 assert!(msg.contains("Failed to get wallet secret"));
737 }
738 }
739}