Skip to content

feat: basic implementation of secrets feature [DO NOT MERGE] #18775

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 4 commits into
base: main
Choose a base branch
from
+293 −1
Draft

feat: basic implementation of secrets feature [DO NOT MERGE] #18775

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
88d5eec
feat: basic implementation of secrets feature
evgeniy-scherbina Jul 7, 2025
8fdc61b
test: fix migration tests
evgeniy-scherbina Jul 8, 2025
c6249d3
test: fix rbac tests
evgeniy-scherbina Jul 8, 2025
17326fd
Merge remote-tracking branch 'origin/main' into yevhenii/secrets-prot…
evgeniy-scherbina Jul 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions coderd/apidoc/docs.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 2 additions & 0 deletions coderd/apidoc/swagger.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

9 changes: 9 additions & 0 deletions coderd/database/dbauthz/dbauthz.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3884,6 +3884,15 @@ func (q *querier) InsertUserLink(ctx context.Context, arg database.InsertUserLin
return q.db.InsertUserLink(ctx, arg)
}

func (q *querier) InsertUserSecret(ctx context.Context, arg database.InsertUserSecretParams) (database.UserSecret, error) {
obj := rbac.ResourceUserSecret.WithOwner(arg.UserID.String())
if err := q.authorizeContext(ctx, policy.ActionCreate, obj); err != nil {
return database.UserSecret{}, err
}

return q.db.InsertUserSecret(ctx, arg)
}

func (q *querier) InsertVolumeResourceMonitor(ctx context.Context, arg database.InsertVolumeResourceMonitorParams) (database.WorkspaceAgentVolumeResourceMonitor, error) {
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceWorkspaceAgentResourceMonitor); err != nil {
return database.WorkspaceAgentVolumeResourceMonitor{}, err
Expand Down
12 changes: 12 additions & 0 deletions coderd/database/dbauthz/dbauthz_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5769,3 +5769,15 @@ func (s *MethodTestSuite) TestAuthorizePrebuiltWorkspace() {
}).Asserts(w, policy.ActionUpdate, w.AsPrebuild(), policy.ActionUpdate)
}))
}

func (s *MethodTestSuite) TestUserSecrets() {
s.Run("InsertUserSecret", s.Subtest(func(db database.Store, check *expects) {
user := dbgen.User(s.T(), db, database.User{})
arg := database.InsertUserSecretParams{
UserID: user.ID,
}
check.Args(arg).
Asserts(rbac.ResourceUserSecret.WithOwner(arg.UserID.String()), policy.ActionCreate).
ErrorsWithInMemDB(dbmem.ErrUnimplemented)
}))
}
13 changes: 13 additions & 0 deletions coderd/database/dbgen/dbgen.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1363,6 +1363,19 @@ func PresetParameter(t testing.TB, db database.Store, seed database.InsertPreset
return parameters
}

func UserSecret(t testing.TB, db database.Store, seed database.InsertUserSecretParams) database.UserSecret {
schedule, err := db.InsertUserSecret(genCtx, database.InsertUserSecretParams{
ID: takeFirst(seed.ID, uuid.New()),
UserID: takeFirst(seed.UserID, uuid.New()),
Name: takeFirst(seed.Name, "secret-name"),
Description: takeFirst(seed.Description, "secret description"),
Value: takeFirst(seed.Value, "secret value"),
ValueKeyID: takeFirst(seed.ValueKeyID, sql.NullString{}),
})
require.NoError(t, err, "insert preset prebuild schedule")
return schedule
}

func ClaimPrebuild(t testing.TB, db database.Store, newUserID uuid.UUID, newName string, presetID uuid.UUID) database.ClaimPrebuiltWorkspaceRow {
claimedWorkspace, err := db.ClaimPrebuiltWorkspace(genCtx, database.ClaimPrebuiltWorkspaceParams{
NewUserID: newUserID,
Expand Down
9 changes: 9 additions & 0 deletions coderd/database/dbmem/dbmem.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9710,6 +9710,15 @@ func (q *FakeQuerier) InsertUserLink(_ context.Context, args database.InsertUser
return link, nil
}

func (q *FakeQuerier) InsertUserSecret(ctx context.Context, arg database.InsertUserSecretParams) (database.UserSecret, error) {
err := validateDatabaseType(arg)
if err != nil {
return database.UserSecret{}, err
}

return database.UserSecret{}, ErrUnimplemented
}

func (q *FakeQuerier) InsertVolumeResourceMonitor(_ context.Context, arg database.InsertVolumeResourceMonitorParams) (database.WorkspaceAgentVolumeResourceMonitor, error) {
err := validateDatabaseType(arg)
if err != nil {
Expand Down
7 changes: 7 additions & 0 deletions coderd/database/dbmetrics/querymetrics.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

15 changes: 15 additions & 0 deletions coderd/database/dbmock/dbmock.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

22 changes: 22 additions & 0 deletions coderd/database/dump.sql
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 2 additions & 0 deletions coderd/database/foreign_key_constraint.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 2 additions & 0 deletions coderd/database/migrations/000349_add_user_secrets.down.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
DROP TABLE user_secrets;
-- TODO: DROP index
21 changes: 21 additions & 0 deletions coderd/database/migrations/000349_add_user_secrets.up.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
-- Stores encrypted user secrets (global, available across all organizations)
CREATE TABLE user_secrets (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
name TEXT NOT NULL,
description TEXT NOT NULL,

-- The encrypted secret value (base64-encoded encrypted data)
value TEXT NOT NULL,

-- The ID of the key used to encrypt the secret value.
-- If this is NULL, the secret value is not encrypted.
value_key_id TEXT REFERENCES dbcrypt_keys(active_key_digest),

-- Timestamps
created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP NOT NULL,
updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP NOT NULL
);

-- Unique constraint: user can't have duplicate secret names
CREATE UNIQUE INDEX user_secrets_user_name_idx ON user_secrets(user_id, name);
16 changes: 16 additions & 0 deletions coderd/database/migrations/testdata/fixtures/000349_add_user_secrets.up.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
INSERT INTO user_secrets (
id,
user_id,
name,
description,
value,
value_key_id
)
VALUES (
'4848b19e-b392-4a1b-bc7d-0b7ffb41ef87',
'30095c71-380b-457a-8995-97b8ee6e5307',
'secret-name',
'secret-description',
'secret-value',
NULL
);
4 changes: 4 additions & 0 deletions coderd/database/modelmethods.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -615,3 +615,7 @@ func (m WorkspaceAgentVolumeResourceMonitor) Debounce(

return m.DebouncedUntil, false
}

func (s UserSecret) RBACObject() rbac.Object {
return rbac.ResourceUserSecret.WithOwner(s.UserID.String())
}
11 changes: 11 additions & 0 deletions coderd/database/models.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

8 changes: 8 additions & 0 deletions coderd/database/querier.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

59 changes: 59 additions & 0 deletions coderd/database/queries.sql.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

25 changes: 25 additions & 0 deletions coderd/database/queries/user_secrets.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
-- GetUserSecret - Get by user_id and name
-- GetUserSecretByID - Get by ID
-- ListUserSecrets - List all secrets for a user
-- CreateUserSecret - Create new secret
-- UpdateUserSecret - Update existing secret
-- DeleteUserSecret - Delete by user_id and name
-- DeleteUserSecretByID - Delete by ID

-- name: InsertUserSecret :one
INSERT INTO user_secrets (
id,
user_id,
name,
description,
value,
value_key_id
)
VALUES (
@id,
@user_id,
@name,
@description,
@value,
@value_key_id
) RETURNING *;
2 changes: 2 additions & 0 deletions coderd/database/unique_constraint.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading