coder
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 2 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 2 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 9 additions & 0 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 9 additions & 0 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 12 additions & 0 deletions b/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 12 additions & 0 deletions
diff --git a/‎coderd/database/dbgen/dbgen.go
Lines changed: 13 additions & 0 deletions b/‎coderd/database/dbgen/dbgen.go
Lines changed: 13 additions & 0 deletions
diff --git a/‎coderd/database/dbmem/dbmem.go
Lines changed: 9 additions & 0 deletions b/‎coderd/database/dbmem/dbmem.go
Lines changed: 9 additions & 0 deletions
diff --git a/‎coderd/database/dbmetrics/querymetrics.go
Lines changed: 7 additions & 0 deletions b/‎coderd/database/dbmetrics/querymetrics.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎coderd/database/dbmock/dbmock.go
Lines changed: 15 additions & 0 deletions b/‎coderd/database/dbmock/dbmock.go
Lines changed: 15 additions & 0 deletions
diff --git a/‎coderd/database/dump.sql
Lines changed: 22 additions & 0 deletions b/‎coderd/database/dump.sql
Lines changed: 22 additions & 0 deletions
diff --git a/‎coderd/database/foreign_key_constraint.go
Lines changed: 2 additions & 0 deletions b/‎coderd/database/foreign_key_constraint.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000349_add_user_secrets.down.sql
Lines changed: 2 additions & 0 deletions b/‎coderd/database/migrations/000349_add_user_secrets.down.sql
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000349_add_user_secrets.up.sql
Lines changed: 21 additions & 0 deletions b/‎coderd/database/migrations/000349_add_user_secrets.up.sql
Lines changed: 21 additions & 0 deletions
diff --git a/‎coderd/database/modelmethods.go
Lines changed: 4 additions & 0 deletions b/‎coderd/database/modelmethods.go
Lines changed: 4 additions & 0 deletions
diff --git a/‎coderd/database/models.go
Lines changed: 11 additions & 0 deletions b/‎coderd/database/models.go
Lines changed: 11 additions & 0 deletions
diff --git a/‎coderd/database/querier.go
Lines changed: 8 additions & 0 deletions b/‎coderd/database/querier.go
Lines changed: 8 additions & 0 deletions
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 59 additions & 0 deletions b/‎coderd/database/queries.sql.go
Lines changed: 59 additions & 0 deletions
diff --git a/‎coderd/database/queries/user_secrets.sql
Lines changed: 25 additions & 0 deletions b/‎coderd/database/queries/user_secrets.sql
Lines changed: 25 additions & 0 deletions
diff --git a/‎coderd/database/unique_constraint.go
Lines changed: 2 additions & 0 deletions b/‎coderd/database/unique_constraint.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/rbac/object_gen.go
Lines changed: 11 additions & 0 deletions b/‎coderd/rbac/object_gen.go
Lines changed: 11 additions & 0 deletions
@@ -3871,6 +3871,15 @@ func (q *querier) InsertUserLink(ctx context.Context, arg database.InsertUserLin
 	return q.db.InsertUserLink(ctx, arg)
 }
 
+func (q *querier) InsertUserSecret(ctx context.Context, arg database.InsertUserSecretParams) (database.UserSecret, error) {
+	obj := rbac.ResourceUserSecret.WithOwner(arg.UserID.String())
+	if err := q.authorizeContext(ctx, policy.ActionCreate, obj); err != nil {
+		return database.UserSecret{}, err
+	}
+
+	return q.db.InsertUserSecret(ctx, arg)
+}
+
 func (q *querier) InsertVolumeResourceMonitor(ctx context.Context, arg database.InsertVolumeResourceMonitorParams) (database.WorkspaceAgentVolumeResourceMonitor, error) {
 	if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceWorkspaceAgentResourceMonitor); err != nil {
 		return database.WorkspaceAgentVolumeResourceMonitor{}, err
 
@@ -5718,3 +5718,15 @@ func (s *MethodTestSuite) TestAuthorizePrebuiltWorkspace() {
 			}).Asserts(w, policy.ActionUpdate, w.AsPrebuild(), policy.ActionUpdate)
 	}))
 }
+
+func (s *MethodTestSuite) TestUserSecrets() {
+	s.Run("InsertUserSecret", s.Subtest(func(db database.Store, check *expects) {
+		user := dbgen.User(s.T(), db, database.User{})
+		arg := database.InsertUserSecretParams{
+			UserID: user.ID,
+		}
+		check.Args(arg).
+			Asserts(rbac.ResourceUserSecret.WithOwner(arg.UserID.String()), policy.ActionCreate).
+			ErrorsWithInMemDB(dbmem.ErrUnimplemented)
+	}))
+}
@@ -1352,6 +1352,19 @@ func PresetParameter(t testing.TB, db database.Store, seed database.InsertPreset
 	return parameters
 }
 
+func UserSecret(t testing.TB, db database.Store, seed database.InsertUserSecretParams) database.UserSecret {
+	schedule, err := db.InsertUserSecret(genCtx, database.InsertUserSecretParams{
+		ID:          takeFirst(seed.ID, uuid.New()),
+		UserID:      takeFirst(seed.UserID, uuid.New()),
+		Name:        takeFirst(seed.Name, "secret-name"),
+		Description: takeFirst(seed.Description, "secret description"),
+		Value:       takeFirst(seed.Value, "secret value"),
+		ValueKeyID:  takeFirst(seed.ValueKeyID, sql.NullString{}),
+	})
+	require.NoError(t, err, "insert preset prebuild schedule")
+	return schedule
+}
+
 func provisionerJobTiming(t testing.TB, db database.Store, seed database.ProvisionerJobTiming) database.ProvisionerJobTiming {
 	timing, err := db.InsertProvisionerJobTimings(genCtx, database.InsertProvisionerJobTimingsParams{
 		JobID:     takeFirst(seed.JobID, uuid.New()),
 
@@ -9710,6 +9710,15 @@ func (q *FakeQuerier) InsertUserLink(_ context.Context, args database.InsertUser
 	return link, nil
 }
 
+func (q *FakeQuerier) InsertUserSecret(ctx context.Context, arg database.InsertUserSecretParams) (database.UserSecret, error) {
+	err := validateDatabaseType(arg)
+	if err != nil {
+		return database.UserSecret{}, err
+	}
+
+	return database.UserSecret{}, ErrUnimplemented
+}
+
 func (q *FakeQuerier) InsertVolumeResourceMonitor(_ context.Context, arg database.InsertVolumeResourceMonitorParams) (database.WorkspaceAgentVolumeResourceMonitor, error) {
 	err := validateDatabaseType(arg)
 	if err != nil {
 
@@ -0,0 +1,2 @@
+DROP TABLE user_secrets;
+-- TODO: DROP index
@@ -0,0 +1,21 @@
+-- Stores encrypted user secrets (global, available across all organizations)
+CREATE TABLE user_secrets (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+    name TEXT NOT NULL,
+    description TEXT NOT NULL,
+
+    -- The encrypted secret value (base64-encoded encrypted data)
+    value TEXT NOT NULL,
+
+    -- The ID of the key used to encrypt the secret value.
+    -- If this is NULL, the secret value is not encrypted.
+    value_key_id TEXT REFERENCES dbcrypt_keys(active_key_digest),
+
+    -- Timestamps
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP NOT NULL,
+    updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP NOT NULL
+);
+
+-- Unique constraint: user can't have duplicate secret names
+CREATE UNIQUE INDEX user_secrets_user_name_idx ON user_secrets(user_id, name);
@@ -615,3 +615,7 @@ func (m WorkspaceAgentVolumeResourceMonitor) Debounce(
 
 	return m.DebouncedUntil, false
 }
+
+func (s UserSecret) RBACObject() rbac.Object {
+	return rbac.ResourceUserSecret.WithOwner(s.UserID.String())
+}
@@ -0,0 +1,25 @@
+-- GetUserSecret - Get by user_id and name
+-- GetUserSecretByID - Get by ID
+-- ListUserSecrets - List all secrets for a user
+-- CreateUserSecret - Create new secret
+-- UpdateUserSecret - Update existing secret
+-- DeleteUserSecret - Delete by user_id and name
+-- DeleteUserSecretByID - Delete by ID
+
+-- name: InsertUserSecret :one
+INSERT INTO user_secrets (
+	id,
+	user_id,
+	name,
+	description,
+	value,
+	value_key_id
+)
+VALUES (
+	@id,
+	@user_id,
+	@name,
+	@description,
+	@value,
+	@value_key_id
+) RETURNING *;
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+DROP TABLE user_secrets;`
	`2`	`+-- TODO: DROP index`
Original file line number	Diff line number	Diff line change
`@@ -615,3 +615,7 @@ func (m WorkspaceAgentVolumeResourceMonitor) Debounce(`
`615`	`615`
`616`	`616`	`return m.DebouncedUntil, false`
`617`	`617`	`}`
	`618`	`+`
	`619`	`+func (s UserSecret) RBACObject() rbac.Object {`
	`620`	`+ return rbac.ResourceUserSecret.WithOwner(s.UserID.String())`
	`621`	`+}`