Secrets Store Secret binding local dev (#8394)

* feat(miniflare): secret store plugin

* feat(wrangler): secret store setup

* chore: add secret-store fixture

* change name

* generate docs

* rebase on main

* finalise

* fix lint

* unskip e2e

* fix tests

* Create calm-grapes-eat.md

* lint

* lint

* fix tests

* fix lint

* Address comments

* Apply suggestions from code review

Co-authored-by: Carmen Popoviciu <[email protected]>

* fix snapshots

* fix lockfile

---------

Co-authored-by: Samuel Macleod <[email protected]>
Co-authored-by: Carmen Popoviciu <[email protected]>

Author: 3 people

.changeset/calm-grapes-eat.md

@@ -0,0 +1,6 @@
+---
+"miniflare": minor
+"wrangler": minor
+---
+
+Support Secrets Store Secret bindings

fixtures/secrets-store/package.json

@@ -0,0 +1,15 @@
+{
+	"name": "secret-store",
+	"private": true,
+	"scripts": {
+		"deploy": "wrangler deploy",
+		"start": "wrangler dev"
+	},
+	"devDependencies": {
+		"@cloudflare/workers-types": "^4.20250224.0",
+		"wrangler": "workspace:*"
+	},
+	"volta": {
+		"extends": "../../package.json"
+	}
+}

fixtures/secrets-store/src/index.ts

@@ -0,0 +1,23 @@
+export interface Env {
+	SECRET: any;
+}
+
+export default {
+	async fetch(
+		request: Request,
+		env: Env,
+		ctx: ExecutionContext
+	): Promise<Response> {
+		try {
+			const value = await env.SECRET.get();
+			return new Response(value);
+		} catch (e) {
+			return new Response(
+				e instanceof Error ? e.message : "Something went wrong",
+				{
+					status: 404,
+				}
+			);
+		}
+	},
+};

fixtures/secrets-store/tsconfig.json

@@ -0,0 +1,13 @@
+{
+	"compilerOptions": {
+		"target": "es2021",
+		"lib": ["es2021"],
+		"module": "es2022",
+		"types": ["@cloudflare/workers-types/experimental"],
+		"noEmit": true,
+		"isolatedModules": true,
+		"forceConsistentCasingInFileNames": true,
+		"strict": true,
+		"skipLibCheck": true
+	}
+}

fixtures/secrets-store/wrangler.jsonc

@@ -0,0 +1,13 @@
+{
+	"$schema": "./node_modules/wrangler/config-schema.json",
+	"compatibility_date": "2025-01-01",
+	"main": "src/index.ts",
+	"name": "secret-store",
+	"secrets_store_secrets": [
+		{
+			"binding": "SECRET",
+			"secret_name": "secret_name",
+			"store_id": "a3fb907f446e4d94bd946d7ea6365b1c",
+		},
+	],
+}

fixtures/worker-ts/wrangler.toml

@@ -1,3 +1,4 @@
 name = "worker-ts"
 main = "src/index.ts"
 compatibility_date = "2023-05-04"
+

packages/miniflare/src/index.ts

@@ -56,6 +56,7 @@ import {
 	QueuesError,
 	R2_PLUGIN_NAME,
 	ReplaceWorkersTypes,
+	SECRET_STORE_PLUGIN_NAME,
 	SERVICE_ENTRY,
 	SharedOptions,
 	SOCKET_ENTRY,
@@ -109,13 +110,15 @@ import {
 	SharedHeaders,
 	SiteBindings,
 } from "./workers";
+import { ADMIN_API } from "./workers/secrets-store/constants";
 import { formatZodError } from "./zod-format";
 import type {
 	CacheStorage,
 	D1Database,
 	DurableObjectNamespace,
 	Fetcher,
 	KVNamespace,
+	KVNamespaceListKey,
 	Queue,
 	R2Bucket,
 } from "@cloudflare/workers-types/experimental";
@@ -1912,6 +1915,34 @@ export class Miniflare {
 	): Promise<ReplaceWorkersTypes<KVNamespace>> {
 		return this.#getProxy(KV_PLUGIN_NAME, bindingName, workerName);
 	}
+	getSecretsStoreSecretAPI(
+		bindingName: string,
+		workerName?: string
+	): Promise<
+		() => {
+			create: (value: string) => Promise<string>;
+			update: (value: string, id: string) => Promise<string>;
+			duplicate: (id: string, newName: string) => Promise<string>;
+			delete: (id: string) => Promise<void>;
+			list: () => Promise<KVNamespaceListKey<{ uuid: string }, string>[]>;
+			get: (id: string) => Promise<string>;
+		}
+	> {
+		return this.#getProxy(
+			SECRET_STORE_PLUGIN_NAME,
+			bindingName,
+			workerName
+		).then((binding) => {
+			// @ts-expect-error We exposed an admin API on this key
+			return binding[ADMIN_API];
+		});
+	}
+	getSecretsStoreSecret(
+		bindingName: string,
+		workerName?: string
+	): Promise<ReplaceWorkersTypes<KVNamespace>> {
+		return this.#getProxy(SECRET_STORE_PLUGIN_NAME, bindingName, workerName);
+	}
 	getQueueProducer<Body = unknown>(
 		bindingName: string,
 		workerName?: string

packages/miniflare/src/plugins/index.ts

@@ -12,6 +12,7 @@ import { PIPELINE_PLUGIN, PIPELINES_PLUGIN_NAME } from "./pipelines";
 import { QUEUES_PLUGIN, QUEUES_PLUGIN_NAME } from "./queues";
 import { R2_PLUGIN, R2_PLUGIN_NAME } from "./r2";
 import { RATELIMIT_PLUGIN, RATELIMIT_PLUGIN_NAME } from "./ratelimit";
+import { SECRET_STORE_PLUGIN, SECRET_STORE_PLUGIN_NAME } from "./secret-store";
 import { WORKFLOWS_PLUGIN, WORKFLOWS_PLUGIN_NAME } from "./workflows";
 
 export const PLUGINS = {
@@ -27,6 +28,7 @@ export const PLUGINS = {
 	[ASSETS_PLUGIN_NAME]: ASSETS_PLUGIN,
 	[WORKFLOWS_PLUGIN_NAME]: WORKFLOWS_PLUGIN,
 	[PIPELINES_PLUGIN_NAME]: PIPELINE_PLUGIN,
+	[SECRET_STORE_PLUGIN_NAME]: SECRET_STORE_PLUGIN,
 };
 export type Plugins = typeof PLUGINS;
 
@@ -76,15 +78,17 @@ export type WorkerOptions = z.input<typeof CORE_PLUGIN.options> &
 	z.input<typeof RATELIMIT_PLUGIN.options> &
 	z.input<typeof ASSETS_PLUGIN.options> &
 	z.input<typeof WORKFLOWS_PLUGIN.options> &
-	z.input<typeof PIPELINE_PLUGIN.options>;
+	z.input<typeof PIPELINE_PLUGIN.options> &
+	z.input<typeof SECRET_STORE_PLUGIN.options>;
 
 export type SharedOptions = z.input<typeof CORE_PLUGIN.sharedOptions> &
 	z.input<typeof CACHE_PLUGIN.sharedOptions> &
 	z.input<typeof D1_PLUGIN.sharedOptions> &
 	z.input<typeof DURABLE_OBJECTS_PLUGIN.sharedOptions> &
 	z.input<typeof KV_PLUGIN.sharedOptions> &
 	z.input<typeof R2_PLUGIN.sharedOptions> &
-	z.input<typeof WORKFLOWS_PLUGIN.sharedOptions>;
+	z.input<typeof WORKFLOWS_PLUGIN.sharedOptions> &
+	z.input<typeof SECRET_STORE_PLUGIN.sharedOptions>;
 
 export const PLUGIN_ENTRIES = Object.entries(PLUGINS) as [
 	keyof Plugins,
@@ -134,3 +138,4 @@ export * from "./assets";
 export * from "./assets/schema";
 export * from "./workflows";
 export * from "./pipelines";
+export * from "./secret-store";

packages/miniflare/src/plugins/secret-store/index.ts

@@ -0,0 +1,144 @@
+import SCRIPT_SECRETS_STORE_SECRET from "worker:secrets-store/secret";
+import { z } from "zod";
+import { ServiceDesignator, Worker_Binding } from "../../runtime";
+import { KV_PLUGIN, KVOptionsSchema } from "../kv";
+import { PersistenceSchema, Plugin, ProxyNodeBinding } from "../shared";
+
+const SecretsStoreSecretsSchema = z.record(
+	z.object({
+		store_id: z.string(),
+		secret_name: z.string(),
+	})
+);
+
+export const SecretsStoreSecretsOptionsSchema = z.object({
+	secretsStoreSecrets: SecretsStoreSecretsSchema.optional(),
+});
+
+export const SecretsStoreSecretsSharedOptionsSchema = z.object({
+	secretsStorePersist: PersistenceSchema,
+});
+
+export const SECRET_STORE_PLUGIN_NAME = "secrets-store";
+
+function getkvNamespacesOptions(
+	secretsStoreSecrets: z.input<typeof SecretsStoreSecretsSchema>
+): z.input<typeof KVOptionsSchema> {
+	// Get unique store ids
+	const storeIds = new Set(
+		Object.values(secretsStoreSecrets).map((store) => store.store_id)
+	);
+	// Setup a KV Namespace per store id with store id as the binding name
+	const storeIdKvNamespaceEntries = Array.from(storeIds).map((storeId) => [
+		storeId,
+		`${SECRET_STORE_PLUGIN_NAME}:${storeId}`,
+	]);
+
+	return {
+		kvNamespaces: Object.fromEntries(storeIdKvNamespaceEntries),
+	};
+}
+
+function isKvBinding(
+	binding: Worker_Binding
+): binding is Worker_Binding & { kvNamespace: ServiceDesignator } {
+	return "kvNamespace" in binding;
+}
+
+export const SECRET_STORE_PLUGIN: Plugin<
+	typeof SecretsStoreSecretsOptionsSchema,
+	typeof SecretsStoreSecretsSharedOptionsSchema
+> = {
+	options: SecretsStoreSecretsOptionsSchema,
+	sharedOptions: SecretsStoreSecretsSharedOptionsSchema,
+	async getBindings(options) {
+		if (!options.secretsStoreSecrets) {
+			return [];
+		}
+
+		const bindings = Object.entries(
+			options.secretsStoreSecrets
+		).map<Worker_Binding>(([name, config]) => {
+			return {
+				name,
+				service: {
+					name: `${SECRET_STORE_PLUGIN_NAME}:${config.store_id}:${config.secret_name}`,
+					entrypoint: "SecretsStoreSecret",
+				},
+			};
+		});
+		return bindings;
+	},
+	getNodeBindings(options: z.infer<typeof SecretsStoreSecretsOptionsSchema>) {
+		if (!options.secretsStoreSecrets) {
+			return {};
+		}
+		return Object.fromEntries(
+			Object.keys(options.secretsStoreSecrets).map((name) => [
+				name,
+				new ProxyNodeBinding(),
+			])
+		);
+	},
+	async getServices({ options, sharedOptions, ...restOptions }) {
+		if (!options.secretsStoreSecrets) {
+			return [];
+		}
+
+		const kvServices = await KV_PLUGIN.getServices({
+			options: getkvNamespacesOptions(options.secretsStoreSecrets),
+			sharedOptions: {
+				kvPersist: sharedOptions.secretsStorePersist,
+			},
+			...restOptions,
+		});
+
+		const kvBindings = await KV_PLUGIN.getBindings(
+			getkvNamespacesOptions(options.secretsStoreSecrets),
+			restOptions.workerIndex
+		);
+
+		if (!kvBindings || !kvBindings.every(isKvBinding)) {
+			throw new Error(
+				"Expected KV plugin to return bindings with kvNamespace defined"
+			);
+		}
+
+		if (!Array.isArray(kvServices)) {
+			throw new Error("Expected KV plugin to return an array of services");
+		}
+
+		return [
+			...kvServices,
+			...Object.entries(options.secretsStoreSecrets).map<Worker_Binding>(
+				([_, config]) => {
+					return {
+						name: `${SECRET_STORE_PLUGIN_NAME}:${config.store_id}:${config.secret_name}`,
+						worker: {
+							compatibilityDate: "2025-01-01",
+							modules: [
+								{
+									name: "secret.worker.js",
+									esModule: SCRIPT_SECRETS_STORE_SECRET(),
+								},
+							],
+							bindings: [
+								{
+									name: "store",
+									kvNamespace: kvBindings.find(
+										// Look up the corresponding KV namespace for the store id
+										(binding) => binding.name === config.store_id
+									)?.kvNamespace,
+								},
+								{
+									name: "secret_name",
+									json: JSON.stringify(config.secret_name),
+								},
+							],
+						},
+					};
+				}
+			),
+		];
+	},
+};

packages/miniflare/src/workers/secrets-store/constants.ts

@@ -0,0 +1 @@
+export const ADMIN_API = "SecretsStoreSecret::admin_api";