feat(secrets): working storages for var groups

Author: fiftin

api/projects/environment.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"github.com/semaphoreui/semaphore/api/helpers"
 	"github.com/semaphoreui/semaphore/db"
+	"github.com/semaphoreui/semaphore/pkg/random"
 	"github.com/semaphoreui/semaphore/services/server"
 	"net/http"
 )
@@ -27,44 +28,65 @@ func NewEnvironmentController(
 }
 
 func (c *EnvironmentController) updateEnvironmentSecrets(env db.Environment) error {
+
+	errors := make([]error, 0)
+
 	for _, secret := range env.Secrets {
 		err := secret.Validate()
 		if err != nil {
+			errors = append(errors, err)
 			continue
 		}
 
 		var key db.AccessKey
 
 		switch secret.Operation {
 		case db.EnvironmentSecretCreate:
-			key, err = c.accessKeyService.CreateAccessKey(db.AccessKey{
-				Name:          secret.Name,
-				String:        secret.Secret,
-				EnvironmentID: &env.ID,
-				ProjectID:     &env.ProjectID,
-				Type:          db.AccessKeyString,
-				Owner:         secret.Type.GetAccessKeyOwner(),
+			var sourceStorageKey *string
+			if env.SecretStorageKeyPrefix != nil {
+				tmp := *env.SecretStorageKeyPrefix + random.String(10)
+				sourceStorageKey = &tmp
+			}
+
+			key, err = c.accessKeyService.Create(db.AccessKey{
+				Name:             secret.Name,
+				String:           secret.Secret,
+				EnvironmentID:    &env.ID,
+				ProjectID:        &env.ProjectID,
+				Type:             db.AccessKeyString,
+				Owner:            secret.Type.GetAccessKeyOwner(),
+				SourceStorageID:  env.SecretStorageID,
+				SourceStorageKey: sourceStorageKey,
 			})
+
+			if err != nil {
+				errors = append(errors, err)
+				continue
+			}
 		case db.EnvironmentSecretDelete:
 			key, err = c.accessKeyRepo.GetAccessKey(env.ProjectID, secret.ID)
 
 			if err != nil {
+				errors = append(errors, err)
 				continue
 			}
 
 			if key.EnvironmentID == nil && *key.EnvironmentID == env.ID {
+				errors = append(errors, err)
 				continue
 			}
 
-			err = c.accessKeyService.DeleteAccessKey(env.ProjectID, secret.ID)
+			err = c.accessKeyService.Delete(env.ProjectID, secret.ID)
 		case db.EnvironmentSecretUpdate:
 			key, err = c.accessKeyRepo.GetAccessKey(env.ProjectID, secret.ID)
 
 			if err != nil {
+				errors = append(errors, err)
 				continue
 			}
 
 			if key.EnvironmentID == nil && *key.EnvironmentID == env.ID {
+				errors = append(errors, err)
 				continue
 			}
 
@@ -80,10 +102,14 @@ func (c *EnvironmentController) updateEnvironmentSecrets(env db.Environment) err
 				updateKey.OverrideSecret = true
 			}
 
-			err = c.accessKeyService.UpdateAccessKey(updateKey)
+			err = c.accessKeyService.Update(updateKey)
 		}
 	}
 
+	if len(errors) > 0 {
+		return errors[0]
+	}
+
 	return nil
 }
 

api/projects/keys.go

@@ -98,7 +98,7 @@ func (c *KeyController) AddKey(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	newKey, err := c.accessKeyService.CreateAccessKey(key)
+	newKey, err := c.accessKeyService.Create(key)
 
 	if err != nil {
 		helpers.WriteError(w, err)
@@ -150,7 +150,7 @@ func (c *KeyController) UpdateKey(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	err = c.accessKeyService.UpdateAccessKey(key)
+	err = c.accessKeyService.Update(key)
 	if err != nil {
 		helpers.WriteError(w, err)
 		return
@@ -171,7 +171,7 @@ func (c *KeyController) UpdateKey(w http.ResponseWriter, r *http.Request) {
 func (c *KeyController) RemoveKey(w http.ResponseWriter, r *http.Request) {
 	key := helpers.GetFromContext(r, "accessKey").(db.AccessKey)
 
-	err := c.accessKeyService.DeleteAccessKey(*key.ProjectID, key.ID)
+	err := c.accessKeyService.Delete(*key.ProjectID, key.ID)
 	if errors.Is(err, db.ErrInvalidOperation) {
 		helpers.WriteJSON(w, http.StatusBadRequest, map[string]any{
 			"error": "Access Key is in use by one or more templates",

api/projects/projects.go

@@ -83,7 +83,7 @@ func (c *ProjectsController) createDemoProject(projectID int, noneKeyID int, emp
 		return
 	}
 
-	vaultKey, err := c.accessKeyService.CreateAccessKey(db.AccessKey{
+	vaultKey, err := c.accessKeyService.Create(db.AccessKey{
 		Name:      "Vault Password",
 		Type:      db.AccessKeyLoginPassword,
 		ProjectID: &projectID,
@@ -343,7 +343,7 @@ func (c *ProjectsController) AddProject(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	noneKey, err := c.accessKeyService.CreateAccessKey(db.AccessKey{
+	noneKey, err := c.accessKeyService.Create(db.AccessKey{
 		Name:      "None",
 		Type:      db.AccessKeyNone,
 		ProjectID: &body.ID,

api/projects/secret_storages.go

@@ -93,7 +93,7 @@ func (c *SecretStorageController) Update(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	err := c.secretStorageService.UpdateSecretStorage(storage)
+	err := c.secretStorageService.Update(storage)
 	if err != nil {
 		helpers.WriteError(w, err)
 		return
@@ -125,7 +125,7 @@ func (c *SecretStorageController) Add(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	newStorage, err := c.secretRepo.CreateSecretStorage(storage)
+	newStorage, err := c.secretStorageService.Create(storage)
 
 	if err != nil {
 		helpers.WriteError(w, err)
@@ -151,7 +151,7 @@ func (c *SecretStorageController) Remove(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	err = c.secretStorageService.DeleteSecretStorage(project.ID, storageID)
+	err = c.secretStorageService.Delete(project.ID, storageID)
 	if err != nil {
 		helpers.WriteError(w, err)
 		return

cli/cmd/root.go

@@ -80,8 +80,8 @@ func runService() {
 		store,
 		encryptionService,
 	)
-	secretStorageService := server.NewSecretStorageService(store, store)
-	accessKeyService := server.NewAccessKeyService(store, secretStorageService, encryptionService)
+	accessKeyService := server.NewAccessKeyService(store, encryptionService)
+	secretStorageService := server.NewSecretStorageService(store, accessKeyService)
 
 	taskPool := tasks.CreateTaskPool(
 		store,

db/sql/SqlDb.go

@@ -402,6 +402,13 @@ func (d *SqlDb) Connect(_ string) {
 	d.sql.AddTableWithName(db.Template{}, "project__template").SetKeys(true, "id")
 	d.sql.AddTableWithName(db.User{}, "user").SetKeys(true, "id")
 	d.sql.AddTableWithName(db.Session{}, "session").SetKeys(true, "id")
+
+	if d.GetDialect() == util.DbDriverSQLite {
+		_, err = d.exec("PRAGMA foreign_keys = ON")
+		if err != nil {
+			panic(err)
+		}
+	}
 }
 
 func (d *SqlDb) getObjectRefs(projectID int, objectProps db.ObjectProps, objectID int) (refs db.ObjectReferrers, err error) {

services/server/access_key_svc.go

@@ -3,10 +3,10 @@ package server
 import "github.com/semaphoreui/semaphore/db"
 
 type AccessKeyService interface {
-	UpdateAccessKey(key db.AccessKey) error
-	CreateAccessKey(key db.AccessKey) (newKey db.AccessKey, err error)
-	GetAccessKeys(projectID int, options db.GetAccessKeyOptions, params db.RetrieveQueryParams) ([]db.AccessKey, error)
-	DeleteAccessKey(projectID int, keyID int) (err error)
+	Update(key db.AccessKey) error
+	Create(key db.AccessKey) (newKey db.AccessKey, err error)
+	GetAll(projectID int, options db.GetAccessKeyOptions, params db.RetrieveQueryParams) ([]db.AccessKey, error)
+	Delete(projectID int, keyID int) (err error)
 }
 
 type AccessKeyServiceImpl struct {
@@ -17,17 +17,15 @@ type AccessKeyServiceImpl struct {
 
 func NewAccessKeyService(
 	accessKeyRepo db.AccessKeyManager,
-	storageService SecretStorageService,
 	encryptionService AccessKeyEncryptionService,
 ) AccessKeyService {
 	return &AccessKeyServiceImpl{
-		accessKeyRepo:        accessKeyRepo,
-		encryptionService:    encryptionService,
-		secretStorageService: storageService,
+		accessKeyRepo:     accessKeyRepo,
+		encryptionService: encryptionService,
 	}
 }
 
-func (s *AccessKeyServiceImpl) DeleteAccessKey(projectID int, keyID int) (err error) {
+func (s *AccessKeyServiceImpl) Delete(projectID int, keyID int) (err error) {
 	key, err := s.accessKeyRepo.GetAccessKey(projectID, keyID)
 	if err != nil {
 		return
@@ -53,11 +51,17 @@ func (s *AccessKeyServiceImpl) DeleteAccessKey(projectID int, keyID int) (err er
 	return
 }
 
-func (s *AccessKeyServiceImpl) GetAccessKeys(projectID int, options db.GetAccessKeyOptions, params db.RetrieveQueryParams) ([]db.AccessKey, error) {
+func (s *AccessKeyServiceImpl) GetAll(projectID int, options db.GetAccessKeyOptions, params db.RetrieveQueryParams) ([]db.AccessKey, error) {
 	return s.accessKeyRepo.GetAccessKeys(projectID, options, params)
 }
 
-func (s *AccessKeyServiceImpl) CreateAccessKey(key db.AccessKey) (newKey db.AccessKey, err error) {
+func (s *AccessKeyServiceImpl) Create(key db.AccessKey) (newKey db.AccessKey, err error) {
+
+	err = key.Validate(true)
+	if err != nil {
+		return
+	}
+
 	err = s.encryptionService.SerializeSecret(&key)
 	if err != nil {
 		return
@@ -67,7 +71,7 @@ func (s *AccessKeyServiceImpl) CreateAccessKey(key db.AccessKey) (newKey db.Acce
 	return
 }
 
-func (s *AccessKeyServiceImpl) UpdateAccessKey(key db.AccessKey) (err error) {
+func (s *AccessKeyServiceImpl) Update(key db.AccessKey) (err error) {
 	if key.OverrideSecret {
 		err = s.encryptionService.SerializeSecret(&key)
 		if err != nil {

services/server/secret_storage_svc.go

@@ -2,14 +2,16 @@ package server
 
 import (
 	"github.com/semaphoreui/semaphore/db"
+	"github.com/semaphoreui/semaphore/pkg/random"
 	pro "github.com/semaphoreui/semaphore/pro/services/server"
 )
 
 type SecretStorageService interface {
 	GetSecretStorage(projectID int, storageID int) (db.SecretStorage, error)
-	UpdateSecretStorage(storage db.SecretStorage) error
-	DeleteSecretStorage(projectID int, storageID int) error
+	Update(storage db.SecretStorage) error
+	Delete(projectID int, storageID int) error
 	GetSecretStorages(projectID int) ([]db.SecretStorage, error)
+	Create(storage db.SecretStorage) (res db.SecretStorage, err error)
 }
 
 func NewSecretStorageService(
@@ -27,21 +29,60 @@ type SecretStorageServiceImpl struct {
 	accessKeyService  AccessKeyService
 }
 
-func (s *SecretStorageServiceImpl) DeleteSecretStorage(projectID int, storageID int) error {
-	return s.secretStorageRepo.DeleteSecretStorage(projectID, storageID)
+func (s *SecretStorageServiceImpl) Delete(projectID int, storageID int) (err error) {
+	err = s.secretStorageRepo.DeleteSecretStorage(projectID, storageID)
+	if err != nil {
+		return
+	}
+
+	keys, err := s.accessKeyService.GetAll(projectID, db.GetAccessKeyOptions{
+		Owner:     db.AccessKeyVault,
+		StorageID: &storageID,
+	}, db.RetrieveQueryParams{})
+
+	if err != nil {
+		return
+	}
+
+	for _, key := range keys {
+		err = s.accessKeyService.Delete(projectID, key.ID)
+	}
+
+	return
 }
 
 func (s *SecretStorageServiceImpl) GetSecretStorage(projectID int, storageID int) (res db.SecretStorage, err error) {
 	return s.secretStorageRepo.GetSecretStorage(projectID, storageID)
 }
 
-func (s *SecretStorageServiceImpl) UpdateSecretStorage(storage db.SecretStorage) (err error) {
+func (s *SecretStorageServiceImpl) Create(storage db.SecretStorage) (res db.SecretStorage, err error) {
+	res, err = s.secretStorageRepo.CreateSecretStorage(storage)
+
+	if err != nil {
+		return
+	}
+
+	key := db.AccessKey{
+		Name:      random.String(10),
+		Type:      db.AccessKeyString,
+		ProjectID: &storage.ProjectID,
+		String:    storage.VaultToken,
+		Owner:     db.AccessKeyVault,
+		StorageID: &res.ID,
+	}
+
+	_, err = s.accessKeyService.Create(key)
+
+	return
+}
+
+func (s *SecretStorageServiceImpl) Update(storage db.SecretStorage) (err error) {
 	err = s.secretStorageRepo.UpdateSecretStorage(storage)
 	if err != nil {
 		return
 	}
 
-	keys, err := s.accessKeyService.GetAccessKeys(storage.ProjectID, db.GetAccessKeyOptions{
+	keys, err := s.accessKeyService.GetAll(storage.ProjectID, db.GetAccessKeyOptions{
 		Owner:     db.AccessKeyVault,
 		StorageID: &storage.ID,
 	}, db.RetrieveQueryParams{})
@@ -52,15 +93,17 @@ func (s *SecretStorageServiceImpl) UpdateSecretStorage(storage db.SecretStorage)
 
 	if len(keys) == 0 {
 		if storage.VaultToken != "" {
-			_, err = s.accessKeyService.CreateAccessKey(db.AccessKey{
+			_, err = s.accessKeyService.Create(db.AccessKey{
+				Name:      random.String(10),
 				Type:      db.AccessKeyString,
 				ProjectID: &storage.ProjectID,
-				Secret:    nil,
 				String:    storage.VaultToken,
 				Owner:     db.AccessKeyVault,
-				Plain:     nil,
 				StorageID: &storage.ID,
 			})
+		} else {
+			// empty vault token means the user didn't set a new token,
+			// so we don't create a new access key.
 		}
 	} else {
 		vault := keys[0]
@@ -72,7 +115,7 @@ func (s *SecretStorageServiceImpl) UpdateSecretStorage(storage db.SecretStorage)
 		} else {
 			vault.OverrideSecret = true
 			vault.String = storage.VaultToken
-			err = s.accessKeyService.UpdateAccessKey(vault)
+			err = s.accessKeyService.Update(vault)
 		}
 	}