From 4db55d9b72b894fe81e8210ec2c70c808527211f Mon Sep 17 00:00:00 2001
From: Joseph Shearer <joseph@josephshearer.net>
Date: Fri, 3 Jan 2025 18:00:49 -0500
Subject: [PATCH] runtime: Move `unseal` out of runtime into its own crate

We need `runtime` to depend on `dekaf`, and they both need `unseal`, so it needed to be moved somewhere, and there didn't seem to be anywhere good to put it other than its own crate.
---
 Cargo.lock                                    | 18 +++++++++++++++
 crates/dekaf/Cargo.toml                       |  1 +
 crates/runtime/Cargo.toml                     |  1 +
 crates/runtime/src/capture/connector.rs       |  3 ++-
 crates/runtime/src/derive/connector.rs        |  3 ++-
 crates/runtime/src/lib.rs                     |  1 -
 crates/runtime/src/materialize/connector.rs   |  3 ++-
 crates/unseal/Cargo.toml                      | 22 +++++++++++++++++++
 .../src/unseal/mod.rs => unseal/src/lib.rs}   |  0
 .../src}/testdata/empty-input.json            |  0
 .../src}/testdata/hyphen-suffix.json          |  0
 .../src}/testdata/no-suffix.json              |  0
 .../src}/testdata/not-encrypted.json          |  0
 .../src}/testdata/under-suffix.json           |  0
 14 files changed, 48 insertions(+), 4 deletions(-)
 create mode 100644 crates/unseal/Cargo.toml
 rename crates/{runtime/src/unseal/mod.rs => unseal/src/lib.rs} (100%)
 rename crates/{runtime/src/unseal => unseal/src}/testdata/empty-input.json (100%)
 rename crates/{runtime/src/unseal => unseal/src}/testdata/hyphen-suffix.json (100%)
 rename crates/{runtime/src/unseal => unseal/src}/testdata/no-suffix.json (100%)
 rename crates/{runtime/src/unseal => unseal/src}/testdata/not-encrypted.json (100%)
 rename crates/{runtime/src/unseal => unseal/src}/testdata/under-suffix.json (100%)

diff --git a/Cargo.lock b/Cargo.lock
index d419459a3d..f17efc967e 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1990,6 +1990,7 @@ dependencies = [
  "tracing",
  "tracing-subscriber",
  "typestate",
+ "unseal",
  "url",
  "webpki",
 ]
@@ -5437,6 +5438,7 @@ dependencies = [
  "tracing",
  "tracing-subscriber",
  "tuple",
+ "unseal",
  "uuid 1.10.0",
  "xxhash-rust",
  "zeroize",
@@ -7050,6 +7052,22 @@ version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39ec24b3121d976906ece63c9daad25b85969647682eee313cb5779fdd69e14e"
 
+[[package]]
+name = "unseal"
+version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "async-process",
+ "futures",
+ "insta",
+ "locate-bin",
+ "models",
+ "serde",
+ "serde_json",
+ "tokio",
+ "zeroize",
+]
+
 [[package]]
 name = "untrusted"
 version = "0.9.0"
diff --git a/crates/dekaf/Cargo.toml b/crates/dekaf/Cargo.toml
index d9eda59926..66eb29e321 100644
--- a/crates/dekaf/Cargo.toml
+++ b/crates/dekaf/Cargo.toml
@@ -21,6 +21,7 @@ models = { path = "../models" }
 ops = { path = "../ops" }
 proto-flow = { path = "../proto-flow" }
 proto-gazette = { path = "../proto-gazette" }
+unseal = { path = "../unseal" }
 simd-doc = { path = "../simd-doc" }
 
 aes-siv = { workspace = true }
diff --git a/crates/runtime/Cargo.toml b/crates/runtime/Cargo.toml
index 6116c3591a..2bbe9ec921 100644
--- a/crates/runtime/Cargo.toml
+++ b/crates/runtime/Cargo.toml
@@ -35,6 +35,7 @@ proto-grpc = { path = "../proto-grpc", features = [
 ] }
 simd-doc = { path = "../simd-doc" }
 tuple = { path = "../tuple" }
+unseal = { path = "../unseal" }
 
 anyhow = { workspace = true }
 bytes = { workspace = true }
diff --git a/crates/runtime/src/capture/connector.rs b/crates/runtime/src/capture/connector.rs
index 9ad16564a0..ff280b3622 100644
--- a/crates/runtime/src/capture/connector.rs
+++ b/crates/runtime/src/capture/connector.rs
@@ -1,10 +1,11 @@
-use crate::{unseal, verify, LogHandler, Runtime};
+use crate::{verify, LogHandler, Runtime};
 use anyhow::Context;
 use futures::{channel::mpsc, stream::BoxStream, FutureExt, StreamExt};
 use proto_flow::{
     capture::{Request, Response},
     flow::capture_spec::ConnectorType,
 };
+use unseal;
 
 // Start a capture connector as indicated by the `initial` Request.
 // Returns a pair of Streams for sending Requests and receiving Responses.
diff --git a/crates/runtime/src/derive/connector.rs b/crates/runtime/src/derive/connector.rs
index 212f4c5176..b6437bcee7 100644
--- a/crates/runtime/src/derive/connector.rs
+++ b/crates/runtime/src/derive/connector.rs
@@ -1,10 +1,11 @@
-use crate::{unseal, LogHandler, Runtime};
+use crate::{LogHandler, Runtime};
 use anyhow::Context;
 use futures::{channel::mpsc, stream::BoxStream, FutureExt, StreamExt};
 use proto_flow::{
     derive::{Request, Response},
     flow::collection_spec::derivation::ConnectorType,
 };
+use unseal;
 
 // Start a derivation connector as indicated by the `initial` Request.
 // Returns a pair of Streams for sending Requests and receiving Responses.
diff --git a/crates/runtime/src/lib.rs b/crates/runtime/src/lib.rs
index 0352ec2c25..7761054807 100644
--- a/crates/runtime/src/lib.rs
+++ b/crates/runtime/src/lib.rs
@@ -14,7 +14,6 @@ mod rocksdb;
 mod task_service;
 mod tokio_context;
 mod unary;
-mod unseal;
 pub mod uuid;
 
 pub use container::flow_runtime_protocol;
diff --git a/crates/runtime/src/materialize/connector.rs b/crates/runtime/src/materialize/connector.rs
index 6d1c215830..6261fdda5a 100644
--- a/crates/runtime/src/materialize/connector.rs
+++ b/crates/runtime/src/materialize/connector.rs
@@ -1,10 +1,11 @@
-use crate::{unseal, LogHandler, Runtime};
+use crate::{LogHandler, Runtime};
 use anyhow::{bail, Context};
 use futures::{channel::mpsc, stream::BoxStream, FutureExt, StreamExt};
 use proto_flow::{
     flow::materialization_spec::ConnectorType,
     materialize::{Request, Response},
 };
+use unseal;
 
 // Start a materialization connector as indicated by the `initial` Request.
 // Returns a pair of Streams for sending Requests and receiving Responses.
diff --git a/crates/unseal/Cargo.toml b/crates/unseal/Cargo.toml
new file mode 100644
index 0000000000..4b1c885a97
--- /dev/null
+++ b/crates/unseal/Cargo.toml
@@ -0,0 +1,22 @@
+[package]
+name = "unseal"
+version.workspace = true
+rust-version.workspace = true
+edition.workspace = true
+authors.workspace = true
+homepage.workspace = true
+repository.workspace = true
+license.workspace = true
+
+[dependencies]
+async-process = { path = "../async-process" }
+models = { path = "../models" }
+locate-bin = { path = "../locate-bin" }
+
+anyhow = { workspace = true }
+serde = { workspace = true }
+serde_json = { workspace = true }
+zeroize = { workspace = true }
+futures = { workspace = true }
+tokio = { workspace = true }
+insta = { workspace = true }
diff --git a/crates/runtime/src/unseal/mod.rs b/crates/unseal/src/lib.rs
similarity index 100%
rename from crates/runtime/src/unseal/mod.rs
rename to crates/unseal/src/lib.rs
diff --git a/crates/runtime/src/unseal/testdata/empty-input.json b/crates/unseal/src/testdata/empty-input.json
similarity index 100%
rename from crates/runtime/src/unseal/testdata/empty-input.json
rename to crates/unseal/src/testdata/empty-input.json
diff --git a/crates/runtime/src/unseal/testdata/hyphen-suffix.json b/crates/unseal/src/testdata/hyphen-suffix.json
similarity index 100%
rename from crates/runtime/src/unseal/testdata/hyphen-suffix.json
rename to crates/unseal/src/testdata/hyphen-suffix.json
diff --git a/crates/runtime/src/unseal/testdata/no-suffix.json b/crates/unseal/src/testdata/no-suffix.json
similarity index 100%
rename from crates/runtime/src/unseal/testdata/no-suffix.json
rename to crates/unseal/src/testdata/no-suffix.json
diff --git a/crates/runtime/src/unseal/testdata/not-encrypted.json b/crates/unseal/src/testdata/not-encrypted.json
similarity index 100%
rename from crates/runtime/src/unseal/testdata/not-encrypted.json
rename to crates/unseal/src/testdata/not-encrypted.json
diff --git a/crates/runtime/src/unseal/testdata/under-suffix.json b/crates/unseal/src/testdata/under-suffix.json
similarity index 100%
rename from crates/runtime/src/unseal/testdata/under-suffix.json
rename to crates/unseal/src/testdata/under-suffix.json