1use crate::{
13 config::ConfigFileError,
14 models::signer::{
15 AwsKmsSignerConfig, CdpSignerConfig, GoogleCloudKmsSignerConfig,
16 GoogleCloudKmsSignerKeyConfig, GoogleCloudKmsSignerServiceAccountConfig, LocalSignerConfig,
17 Signer, SignerConfig, TurnkeySignerConfig, VaultSignerConfig, VaultTransitSignerConfig,
18 },
19 models::PlainOrEnvValue,
20};
21use secrets::SecretVec;
22use serde::{Deserialize, Serialize};
23use std::{collections::HashSet, path::Path};
24
25#[derive(Debug, Serialize, Deserialize, Clone, PartialEq)]
26#[serde(deny_unknown_fields)]
27pub struct LocalSignerFileConfig {
28 pub path: String,
29 pub passphrase: PlainOrEnvValue,
30}
31
32#[derive(Debug, Serialize, Deserialize, Clone, PartialEq)]
33#[serde(deny_unknown_fields)]
34pub struct AwsKmsSignerFileConfig {
35 pub region: String,
36 pub key_id: String,
37}
38
39#[derive(Debug, Serialize, Deserialize, Clone, PartialEq)]
40#[serde(deny_unknown_fields)]
41pub struct TurnkeySignerFileConfig {
42 pub api_public_key: String,
43 pub api_private_key: PlainOrEnvValue,
44 pub organization_id: String,
45 pub private_key_id: String,
46 pub public_key: String,
47}
48
49#[derive(Debug, Serialize, Deserialize, Clone, PartialEq)]
50#[serde(deny_unknown_fields)]
51pub struct CdpSignerFileConfig {
52 pub api_key_id: String,
53 pub api_key_secret: PlainOrEnvValue,
54 pub wallet_secret: PlainOrEnvValue,
55 pub account_address: String,
56}
57
58#[derive(Debug, Serialize, Deserialize, Clone, PartialEq)]
59#[serde(deny_unknown_fields)]
60pub struct VaultSignerFileConfig {
61 pub address: String,
62 pub namespace: Option<String>,
63 pub role_id: PlainOrEnvValue,
64 pub secret_id: PlainOrEnvValue,
65 pub key_name: String,
66 pub mount_point: Option<String>,
67}
68
69#[derive(Debug, Serialize, Deserialize, Clone, PartialEq)]
70#[serde(deny_unknown_fields)]
71pub struct VaultTransitSignerFileConfig {
72 pub key_name: String,
73 pub address: String,
74 pub role_id: PlainOrEnvValue,
75 pub secret_id: PlainOrEnvValue,
76 pub pubkey: String,
77 pub mount_point: Option<String>,
78 pub namespace: Option<String>,
79}
80
81fn google_cloud_default_auth_uri() -> String {
82 "https://accounts.google.com/o/oauth2/auth".to_string()
83}
84
85fn google_cloud_default_token_uri() -> String {
86 "https://oauth2.googleapis.com/token".to_string()
87}
88
89fn google_cloud_default_auth_provider_x509_cert_url() -> String {
90 "https://www.googleapis.com/oauth2/v1/certs".to_string()
91}
92
93fn google_cloud_default_client_x509_cert_url() -> String {
94 "https://www.googleapis.com/robot/v1/metadata/x509/solana-signer%40forward-emitter-459820-r7.iam.gserviceaccount.com".to_string()
95}
96
97fn google_cloud_default_universe_domain() -> String {
98 "googleapis.com".to_string()
99}
100
101fn google_cloud_default_key_version() -> u32 {
102 1
103}
104
105fn google_cloud_default_location() -> String {
106 "global".to_string()
107}
108
109#[derive(Debug, Serialize, Deserialize, Clone, PartialEq)]
110#[serde(deny_unknown_fields)]
111pub struct GoogleCloudKmsServiceAccountFileConfig {
112 pub project_id: String,
113 pub private_key_id: PlainOrEnvValue,
114 pub private_key: PlainOrEnvValue,
115 pub client_email: PlainOrEnvValue,
116 pub client_id: String,
117 #[serde(default = "google_cloud_default_auth_uri")]
118 pub auth_uri: String,
119 #[serde(default = "google_cloud_default_token_uri")]
120 pub token_uri: String,
121 #[serde(default = "google_cloud_default_auth_provider_x509_cert_url")]
122 pub auth_provider_x509_cert_url: String,
123 #[serde(default = "google_cloud_default_client_x509_cert_url")]
124 pub client_x509_cert_url: String,
125 #[serde(default = "google_cloud_default_universe_domain")]
126 pub universe_domain: String,
127}
128
129#[derive(Debug, Serialize, Deserialize, Clone, PartialEq)]
130#[serde(deny_unknown_fields)]
131pub struct GoogleCloudKmsKeyFileConfig {
132 #[serde(default = "google_cloud_default_location")]
133 pub location: String,
134 pub key_ring_id: String,
135 pub key_id: String,
136 #[serde(default = "google_cloud_default_key_version")]
137 pub key_version: u32,
138}
139
140#[derive(Debug, Serialize, Deserialize, Clone, PartialEq)]
141#[serde(deny_unknown_fields)]
142pub struct GoogleCloudKmsSignerFileConfig {
143 pub service_account: GoogleCloudKmsServiceAccountFileConfig,
144 pub key: GoogleCloudKmsKeyFileConfig,
145}
146
147#[derive(Debug, Serialize, Deserialize, Clone, PartialEq)]
149#[serde(tag = "type", rename_all = "lowercase", content = "config")]
150pub enum SignerFileConfigEnum {
151 Local(LocalSignerFileConfig),
152 #[serde(rename = "aws_kms")]
153 AwsKms(AwsKmsSignerFileConfig),
154 Turnkey(TurnkeySignerFileConfig),
155 Cdp(CdpSignerFileConfig),
156 Vault(VaultSignerFileConfig),
157 #[serde(rename = "vault_transit")]
158 VaultTransit(VaultTransitSignerFileConfig),
159 #[serde(rename = "google_cloud_kms")]
160 GoogleCloudKms(GoogleCloudKmsSignerFileConfig),
161}
162
163#[derive(Debug, Serialize, Deserialize, Clone)]
165#[serde(deny_unknown_fields)]
166pub struct SignerFileConfig {
167 pub id: String,
168 #[serde(flatten)]
169 pub config: SignerFileConfigEnum,
170}
171
172#[derive(Debug, Serialize, Deserialize, Clone)]
174#[serde(deny_unknown_fields)]
175pub struct SignersFileConfig {
176 pub signers: Vec<SignerFileConfig>,
177}
178
179impl SignerFileConfig {
180 pub fn validate_basic(&self) -> Result<(), ConfigFileError> {
181 if self.id.is_empty() {
182 return Err(ConfigFileError::InvalidIdLength(
183 "Signer ID cannot be empty".into(),
184 ));
185 }
186 Ok(())
187 }
188}
189
190impl SignersFileConfig {
191 pub fn new(signers: Vec<SignerFileConfig>) -> Self {
192 Self { signers }
193 }
194
195 pub fn validate(&self) -> Result<(), ConfigFileError> {
196 if self.signers.is_empty() {
197 return Ok(());
198 }
199
200 let mut ids = HashSet::new();
201 for signer in &self.signers {
202 signer.validate_basic()?;
203 if !ids.insert(signer.id.clone()) {
204 return Err(ConfigFileError::DuplicateId(signer.id.clone()));
205 }
206 }
207 Ok(())
208 }
209}
210
211impl TryFrom<LocalSignerFileConfig> for LocalSignerConfig {
212 type Error = ConfigFileError;
213
214 fn try_from(config: LocalSignerFileConfig) -> Result<Self, Self::Error> {
215 if config.path.is_empty() {
216 return Err(ConfigFileError::InvalidIdLength(
217 "Signer path cannot be empty".into(),
218 ));
219 }
220
221 let path = Path::new(&config.path);
222 if !path.exists() {
223 return Err(ConfigFileError::FileNotFound(format!(
224 "Signer file not found at path: {}",
225 path.display()
226 )));
227 }
228
229 if !path.is_file() {
230 return Err(ConfigFileError::InvalidFormat(format!(
231 "Path exists but is not a file: {}",
232 path.display()
233 )));
234 }
235
236 let passphrase = config.passphrase.get_value().map_err(|e| {
237 ConfigFileError::InvalidFormat(format!("Failed to get passphrase value: {}", e))
238 })?;
239
240 if passphrase.is_empty() {
241 return Err(ConfigFileError::InvalidFormat(
242 "Local signer passphrase cannot be empty".into(),
243 ));
244 }
245
246 let raw_key = SecretVec::new(32, |buffer| {
247 let loaded = oz_keystore::LocalClient::load(
248 Path::new(&config.path).to_path_buf(),
249 passphrase.to_str().as_str().to_string(),
250 );
251 buffer.copy_from_slice(&loaded);
252 });
253
254 Ok(LocalSignerConfig { raw_key })
255 }
256}
257
258impl TryFrom<AwsKmsSignerFileConfig> for AwsKmsSignerConfig {
259 type Error = ConfigFileError;
260
261 fn try_from(config: AwsKmsSignerFileConfig) -> Result<Self, Self::Error> {
262 Ok(AwsKmsSignerConfig {
263 region: Some(config.region),
264 key_id: config.key_id,
265 })
266 }
267}
268
269impl TryFrom<TurnkeySignerFileConfig> for TurnkeySignerConfig {
270 type Error = ConfigFileError;
271
272 fn try_from(config: TurnkeySignerFileConfig) -> Result<Self, Self::Error> {
273 let api_private_key = config.api_private_key.get_value().map_err(|e| {
274 ConfigFileError::InvalidFormat(format!("Failed to get API private key: {}", e))
275 })?;
276
277 Ok(TurnkeySignerConfig {
278 api_public_key: config.api_public_key,
279 api_private_key,
280 organization_id: config.organization_id,
281 private_key_id: config.private_key_id,
282 public_key: config.public_key,
283 })
284 }
285}
286
287impl TryFrom<CdpSignerFileConfig> for CdpSignerConfig {
288 type Error = ConfigFileError;
289
290 fn try_from(config: CdpSignerFileConfig) -> Result<Self, Self::Error> {
291 let api_key_secret = config.api_key_secret.get_value().map_err(|e| {
292 ConfigFileError::InvalidFormat(format!("Failed to get API key secret: {}", e))
293 })?;
294
295 let wallet_secret = config.wallet_secret.get_value().map_err(|e| {
296 ConfigFileError::InvalidFormat(format!("Failed to get wallet secret: {}", e))
297 })?;
298
299 Ok(CdpSignerConfig {
300 api_key_id: config.api_key_id,
301 api_key_secret,
302 wallet_secret,
303 account_address: config.account_address,
304 })
305 }
306}
307
308impl TryFrom<VaultSignerFileConfig> for VaultSignerConfig {
309 type Error = ConfigFileError;
310
311 fn try_from(config: VaultSignerFileConfig) -> Result<Self, Self::Error> {
312 let role_id = config
313 .role_id
314 .get_value()
315 .map_err(|e| ConfigFileError::InvalidFormat(format!("Failed to get role ID: {}", e)))?;
316
317 let secret_id = config.secret_id.get_value().map_err(|e| {
318 ConfigFileError::InvalidFormat(format!("Failed to get secret ID: {}", e))
319 })?;
320
321 Ok(VaultSignerConfig {
322 address: config.address,
323 namespace: config.namespace,
324 role_id,
325 secret_id,
326 key_name: config.key_name,
327 mount_point: config.mount_point,
328 })
329 }
330}
331
332impl TryFrom<VaultTransitSignerFileConfig> for VaultTransitSignerConfig {
333 type Error = ConfigFileError;
334
335 fn try_from(config: VaultTransitSignerFileConfig) -> Result<Self, Self::Error> {
336 let role_id = config
337 .role_id
338 .get_value()
339 .map_err(|e| ConfigFileError::InvalidFormat(format!("Failed to get role ID: {}", e)))?;
340
341 let secret_id = config.secret_id.get_value().map_err(|e| {
342 ConfigFileError::InvalidFormat(format!("Failed to get secret ID: {}", e))
343 })?;
344
345 Ok(VaultTransitSignerConfig {
346 key_name: config.key_name,
347 address: config.address,
348 namespace: config.namespace,
349 role_id,
350 secret_id,
351 pubkey: config.pubkey,
352 mount_point: config.mount_point,
353 })
354 }
355}
356
357impl TryFrom<GoogleCloudKmsSignerFileConfig> for GoogleCloudKmsSignerConfig {
358 type Error = ConfigFileError;
359
360 fn try_from(config: GoogleCloudKmsSignerFileConfig) -> Result<Self, Self::Error> {
361 let private_key = config
362 .service_account
363 .private_key
364 .get_value()
365 .map_err(|e| {
366 ConfigFileError::InvalidFormat(format!("Failed to get private key: {}", e))
367 })?;
368
369 let private_key_id = config
370 .service_account
371 .private_key_id
372 .get_value()
373 .map_err(|e| {
374 ConfigFileError::InvalidFormat(format!("Failed to get private key ID: {}", e))
375 })?;
376
377 let client_email = config
378 .service_account
379 .client_email
380 .get_value()
381 .map_err(|e| {
382 ConfigFileError::InvalidFormat(format!("Failed to get client email: {}", e))
383 })?;
384
385 let service_account = GoogleCloudKmsSignerServiceAccountConfig {
386 private_key,
387 private_key_id,
388 project_id: config.service_account.project_id,
389 client_email,
390 client_id: config.service_account.client_id,
391 auth_uri: config.service_account.auth_uri,
392 token_uri: config.service_account.token_uri,
393 auth_provider_x509_cert_url: config.service_account.auth_provider_x509_cert_url,
394 client_x509_cert_url: config.service_account.client_x509_cert_url,
395 universe_domain: config.service_account.universe_domain,
396 };
397
398 let key = GoogleCloudKmsSignerKeyConfig {
399 location: config.key.location,
400 key_ring_id: config.key.key_ring_id,
401 key_id: config.key.key_id,
402 key_version: config.key.key_version,
403 };
404
405 Ok(GoogleCloudKmsSignerConfig {
406 service_account,
407 key,
408 })
409 }
410}
411
412impl TryFrom<SignerFileConfigEnum> for SignerConfig {
413 type Error = ConfigFileError;
414
415 fn try_from(config: SignerFileConfigEnum) -> Result<Self, Self::Error> {
416 match config {
417 SignerFileConfigEnum::Local(local) => {
418 Ok(SignerConfig::Local(LocalSignerConfig::try_from(local)?))
419 }
420 SignerFileConfigEnum::AwsKms(aws_kms) => {
421 Ok(SignerConfig::AwsKms(AwsKmsSignerConfig::try_from(aws_kms)?))
422 }
423 SignerFileConfigEnum::Turnkey(turnkey) => Ok(SignerConfig::Turnkey(
424 TurnkeySignerConfig::try_from(turnkey)?,
425 )),
426 SignerFileConfigEnum::Cdp(cdp) => {
427 Ok(SignerConfig::Cdp(CdpSignerConfig::try_from(cdp)?))
428 }
429 SignerFileConfigEnum::Vault(vault) => {
430 Ok(SignerConfig::Vault(VaultSignerConfig::try_from(vault)?))
431 }
432 SignerFileConfigEnum::VaultTransit(vault_transit) => Ok(SignerConfig::VaultTransit(
433 VaultTransitSignerConfig::try_from(vault_transit)?,
434 )),
435 SignerFileConfigEnum::GoogleCloudKms(gcp_kms) => Ok(SignerConfig::GoogleCloudKms(
436 GoogleCloudKmsSignerConfig::try_from(gcp_kms)?,
437 )),
438 }
439 }
440}
441
442impl TryFrom<SignerFileConfig> for Signer {
443 type Error = ConfigFileError;
444
445 fn try_from(config: SignerFileConfig) -> Result<Self, Self::Error> {
446 config.validate_basic()?;
447
448 let signer_config = SignerConfig::try_from(config.config)?;
449
450 let signer = Signer::new(config.id, signer_config);
452
453 signer.validate().map_err(|e| match e {
455 crate::models::signer::SignerValidationError::EmptyId => {
456 ConfigFileError::MissingField("signer id".into())
457 }
458 crate::models::signer::SignerValidationError::InvalidIdFormat => {
459 ConfigFileError::InvalidFormat("Invalid signer ID format".into())
460 }
461 crate::models::signer::SignerValidationError::InvalidConfig(msg) => {
462 ConfigFileError::InvalidFormat(format!("Invalid signer configuration: {}", msg))
463 }
464 })?;
465
466 Ok(signer)
467 }
468}
469
470#[cfg(test)]
471mod tests {
472 use super::*;
473 use crate::models::SecretString;
474
475 #[test]
476 fn test_aws_kms_conversion() {
477 let config = AwsKmsSignerFileConfig {
478 region: "us-east-1".to_string(),
479 key_id: "test-key-id".to_string(),
480 };
481
482 let result = AwsKmsSignerConfig::try_from(config);
483 assert!(result.is_ok());
484
485 let aws_config = result.unwrap();
486 assert_eq!(aws_config.region, Some("us-east-1".to_string()));
487 assert_eq!(aws_config.key_id, "test-key-id");
488 }
489
490 #[test]
491 fn test_turnkey_conversion() {
492 let config = TurnkeySignerFileConfig {
493 api_public_key: "test-public-key".to_string(),
494 api_private_key: PlainOrEnvValue::Plain {
495 value: SecretString::new("test-private-key"),
496 },
497 organization_id: "test-org".to_string(),
498 private_key_id: "test-private-key-id".to_string(),
499 public_key: "test-public-key".to_string(),
500 };
501
502 let result = TurnkeySignerConfig::try_from(config);
503 assert!(result.is_ok());
504
505 let turnkey_config = result.unwrap();
506 assert_eq!(turnkey_config.api_public_key, "test-public-key");
507 assert_eq!(turnkey_config.organization_id, "test-org");
508 }
509
510 #[test]
511 fn test_signer_file_config_validation() {
512 let signer_config = SignerFileConfig {
513 id: "test-signer".to_string(),
514 config: SignerFileConfigEnum::Local(LocalSignerFileConfig {
515 path: "test-path".to_string(),
516 passphrase: PlainOrEnvValue::Plain {
517 value: SecretString::new("test-passphrase"),
518 },
519 }),
520 };
521
522 assert!(signer_config.validate_basic().is_ok());
523 }
524
525 #[test]
526 fn test_empty_signer_id() {
527 let signer_config = SignerFileConfig {
528 id: "".to_string(),
529 config: SignerFileConfigEnum::Local(LocalSignerFileConfig {
530 path: "test-path".to_string(),
531 passphrase: PlainOrEnvValue::Plain {
532 value: SecretString::new("test-passphrase"),
533 },
534 }),
535 };
536
537 assert!(signer_config.validate_basic().is_err());
538 }
539
540 #[test]
541 fn test_signers_config_validation() {
542 let configs = SignersFileConfig::new(vec![
543 SignerFileConfig {
544 id: "signer1".to_string(),
545 config: SignerFileConfigEnum::Local(LocalSignerFileConfig {
546 path: "test-path".to_string(),
547 passphrase: PlainOrEnvValue::Plain {
548 value: SecretString::new("test-passphrase"),
549 },
550 }),
551 },
552 SignerFileConfig {
553 id: "signer2".to_string(),
554 config: SignerFileConfigEnum::Local(LocalSignerFileConfig {
555 path: "test-path".to_string(),
556 passphrase: PlainOrEnvValue::Plain {
557 value: SecretString::new("test-passphrase"),
558 },
559 }),
560 },
561 ]);
562
563 assert!(configs.validate().is_ok());
564 }
565
566 #[test]
567 fn test_duplicate_signer_ids() {
568 let configs = SignersFileConfig::new(vec![
569 SignerFileConfig {
570 id: "signer1".to_string(),
571 config: SignerFileConfigEnum::Local(LocalSignerFileConfig {
572 path: "test-path".to_string(),
573 passphrase: PlainOrEnvValue::Plain {
574 value: SecretString::new("test-passphrase"),
575 },
576 }),
577 },
578 SignerFileConfig {
579 id: "signer1".to_string(), config: SignerFileConfigEnum::Local(LocalSignerFileConfig {
581 path: "test-path".to_string(),
582 passphrase: PlainOrEnvValue::Plain {
583 value: SecretString::new("test-passphrase"),
584 },
585 }),
586 },
587 ]);
588
589 assert!(matches!(
590 configs.validate(),
591 Err(ConfigFileError::DuplicateId(_))
592 ));
593 }
594
595 #[test]
596 fn test_local_conversion_invalid_path() {
597 let config = LocalSignerFileConfig {
598 path: "non-existent-path".to_string(),
599 passphrase: PlainOrEnvValue::Plain {
600 value: SecretString::new("test-passphrase"),
601 },
602 };
603
604 let result = LocalSignerConfig::try_from(config);
605 assert!(result.is_err());
606 if let Err(ConfigFileError::FileNotFound(msg)) = result {
607 assert!(msg.contains("Signer file not found"));
608 } else {
609 panic!("Expected FileNotFound error");
610 }
611 }
612
613 #[test]
614 fn test_vault_conversion() {
615 let config = VaultSignerFileConfig {
616 address: "https://vault.example.com".to_string(),
617 namespace: Some("test-namespace".to_string()),
618 role_id: PlainOrEnvValue::Plain {
619 value: SecretString::new("test-role"),
620 },
621 secret_id: PlainOrEnvValue::Plain {
622 value: SecretString::new("test-secret"),
623 },
624 key_name: "test-key".to_string(),
625 mount_point: Some("test-mount".to_string()),
626 };
627
628 let result = VaultSignerConfig::try_from(config);
629 assert!(result.is_ok());
630
631 let vault_config = result.unwrap();
632 assert_eq!(vault_config.address, "https://vault.example.com");
633 assert_eq!(vault_config.namespace, Some("test-namespace".to_string()));
634 }
635
636 #[test]
637 fn test_google_cloud_kms_conversion() {
638 let config = GoogleCloudKmsSignerFileConfig {
639 service_account: GoogleCloudKmsServiceAccountFileConfig {
640 project_id: "test-project".to_string(),
641 private_key_id: PlainOrEnvValue::Plain {
642 value: SecretString::new("test-key-id"),
643 },
644 private_key: PlainOrEnvValue::Plain {
645 value: SecretString::new("test-private-key"),
646 },
647 client_email: PlainOrEnvValue::Plain {
648 value: SecretString::new("test@email.com"),
649 },
650 client_id: "test-client-id".to_string(),
651 auth_uri: google_cloud_default_auth_uri(),
652 token_uri: google_cloud_default_token_uri(),
653 auth_provider_x509_cert_url: google_cloud_default_auth_provider_x509_cert_url(),
654 client_x509_cert_url: google_cloud_default_client_x509_cert_url(),
655 universe_domain: google_cloud_default_universe_domain(),
656 },
657 key: GoogleCloudKmsKeyFileConfig {
658 location: google_cloud_default_location(),
659 key_ring_id: "test-ring".to_string(),
660 key_id: "test-key".to_string(),
661 key_version: google_cloud_default_key_version(),
662 },
663 };
664
665 let result = GoogleCloudKmsSignerConfig::try_from(config);
666 assert!(result.is_ok());
667
668 let gcp_config = result.unwrap();
669 assert_eq!(gcp_config.key.key_id, "test-key");
670 assert_eq!(gcp_config.service_account.project_id, "test-project");
671 }
672
673 #[test]
674 fn test_cdp_file_config_conversion() {
675 use crate::models::SecretString;
676 let cfg = CdpSignerFileConfig {
677 api_key_id: "id".into(),
678 api_key_secret: PlainOrEnvValue::Plain {
679 value: SecretString::new("asecret"),
680 },
681 wallet_secret: PlainOrEnvValue::Plain {
682 value: SecretString::new("wsecret"),
683 },
684 account_address: "0x0000000000000000000000000000000000000000".into(),
685 };
686 let res = CdpSignerConfig::try_from(cfg);
687 assert!(res.is_ok());
688 let c = res.unwrap();
689 assert_eq!(c.api_key_id, "id");
690 assert_eq!(
691 c.account_address,
692 "0x0000000000000000000000000000000000000000"
693 );
694 }
695
696 #[test]
697 fn test_cdp_file_config_conversion_api_key_secret_error() {
698 let cfg = CdpSignerFileConfig {
699 api_key_id: "id".into(),
700 api_key_secret: PlainOrEnvValue::Env {
701 value: "NONEXISTENT_ENV_VAR".into(),
702 },
703 wallet_secret: PlainOrEnvValue::Plain {
704 value: SecretString::new("wsecret"),
705 },
706 account_address: "0x0000000000000000000000000000000000000000".into(),
707 };
708 let res = CdpSignerConfig::try_from(cfg);
709 assert!(res.is_err());
710 let err = res.unwrap_err();
711 assert!(matches!(err, ConfigFileError::InvalidFormat(_)));
712 if let ConfigFileError::InvalidFormat(msg) = err {
713 assert!(msg.contains("Failed to get API key secret"));
714 }
715 }
716
717 #[test]
718 fn test_cdp_file_config_conversion_wallet_secret_error() {
719 let cfg = CdpSignerFileConfig {
720 api_key_id: "id".into(),
721 api_key_secret: PlainOrEnvValue::Plain {
722 value: SecretString::new("asecret"),
723 },
724 wallet_secret: PlainOrEnvValue::Env {
725 value: "NONEXISTENT_ENV_VAR".into(),
726 },
727 account_address: "0x0000000000000000000000000000000000000000".into(),
728 };
729 let res = CdpSignerConfig::try_from(cfg);
730 assert!(res.is_err());
731 let err = res.unwrap_err();
732 assert!(matches!(err, ConfigFileError::InvalidFormat(_)));
733 if let ConfigFileError::InvalidFormat(msg) = err {
734 assert!(msg.contains("Failed to get wallet secret"));
735 }
736 }
737}