refactor: workspace secrets-core + secrets-mcp MCP SaaS

- Split library (db/crypto/service) and MCP/Web/OAuth binary - Add deploy examples and CI/docs updates Made-with: Cursor
2026-03-20 17:36:00 +08:00
parent ff9767ff95
commit 49fb7430a8
56 changed files with 5531 additions and 5456 deletions
--- a/crates/secrets-core/src/service/rollback.rs
+++ b/crates/secrets-core/src/service/rollback.rs
@@ -0,0 +1,229 @@
+use anyhow::Result;
+use serde_json::Value;
+use sqlx::PgPool;
+use uuid::Uuid;
+
+use crate::crypto;
+use crate::db;
+
+#[derive(Debug, serde::Serialize)]
+pub struct RollbackResult {
+    pub namespace: String,
+    pub kind: String,
+    pub name: String,
+    pub restored_version: i64,
+}
+
+pub async fn run(
+    pool: &PgPool,
+    namespace: &str,
+    kind: &str,
+    name: &str,
+    to_version: Option<i64>,
+    master_key: &[u8; 32],
+    _user_id: Option<Uuid>,
+) -> Result<RollbackResult> {
+    #[derive(sqlx::FromRow)]
+    struct EntryHistoryRow {
+        entry_id: Uuid,
+        version: i64,
+        action: String,
+        tags: Vec<String>,
+        metadata: Value,
+    }
+
+    let snap: Option<EntryHistoryRow> = if let Some(ver) = to_version {
+        sqlx::query_as(
+            "SELECT entry_id, version, action, tags, metadata FROM entries_history \
+             WHERE namespace = $1 AND kind = $2 AND name = $3 AND version = $4 \
+             ORDER BY id DESC LIMIT 1",
+        )
+        .bind(namespace)
+        .bind(kind)
+        .bind(name)
+        .bind(ver)
+        .fetch_optional(pool)
+        .await?
+    } else {
+        sqlx::query_as(
+            "SELECT entry_id, version, action, tags, metadata FROM entries_history \
+             WHERE namespace = $1 AND kind = $2 AND name = $3 ORDER BY id DESC LIMIT 1",
+        )
+        .bind(namespace)
+        .bind(kind)
+        .bind(name)
+        .fetch_optional(pool)
+        .await?
+    };
+
+    let snap = snap.ok_or_else(|| {
+        anyhow::anyhow!(
+            "No history found for [{}/{}] {}{}.",
+            namespace,
+            kind,
+            name,
+            to_version
+                .map(|v| format!(" at version {}", v))
+                .unwrap_or_default()
+        )
+    })?;
+
+    #[derive(sqlx::FromRow)]
+    struct SecretHistoryRow {
+        secret_id: Uuid,
+        field_name: String,
+        encrypted: Vec<u8>,
+        action: String,
+    }
+
+    let field_snaps: Vec<SecretHistoryRow> = sqlx::query_as(
+        "SELECT secret_id, field_name, encrypted, action FROM secrets_history \
+         WHERE entry_id = $1 AND entry_version = $2 ORDER BY field_name",
+    )
+    .bind(snap.entry_id)
+    .bind(snap.version)
+    .fetch_all(pool)
+    .await?;
+
+    for f in &field_snaps {
+        if f.action != "delete" && !f.encrypted.is_empty() {
+            crypto::decrypt_json(master_key, &f.encrypted).map_err(|e| {
+                anyhow::anyhow!(
+                    "Cannot decrypt snapshot for field '{}': {}",
+                    f.field_name,
+                    e
+                )
+            })?;
+        }
+    }
+
+    let mut tx = pool.begin().await?;
+
+    #[derive(sqlx::FromRow)]
+    struct LiveEntry {
+        id: Uuid,
+        version: i64,
+        tags: Vec<String>,
+        metadata: Value,
+    }
+    let live: Option<LiveEntry> = sqlx::query_as(
+        "SELECT id, version, tags, metadata FROM entries \
+         WHERE namespace = $1 AND kind = $2 AND name = $3 FOR UPDATE",
+    )
+    .bind(namespace)
+    .bind(kind)
+    .bind(name)
+    .fetch_optional(&mut *tx)
+    .await?;
+
+    if let Some(ref lr) = live {
+        if let Err(e) = db::snapshot_entry_history(
+            &mut tx,
+            db::EntrySnapshotParams {
+                entry_id: lr.id,
+                namespace,
+                kind,
+                name,
+                version: lr.version,
+                action: "rollback",
+                tags: &lr.tags,
+                metadata: &lr.metadata,
+            },
+        )
+        .await
+        {
+            tracing::warn!(error = %e, "failed to snapshot entry before rollback");
+        }
+
+        #[derive(sqlx::FromRow)]
+        struct LiveField {
+            id: Uuid,
+            field_name: String,
+            encrypted: Vec<u8>,
+        }
+        let live_fields: Vec<LiveField> =
+            sqlx::query_as("SELECT id, field_name, encrypted FROM secrets WHERE entry_id = $1")
+                .bind(lr.id)
+                .fetch_all(&mut *tx)
+                .await?;
+
+        for f in &live_fields {
+            if let Err(e) = db::snapshot_secret_history(
+                &mut tx,
+                db::SecretSnapshotParams {
+                    entry_id: lr.id,
+                    secret_id: f.id,
+                    entry_version: lr.version,
+                    field_name: &f.field_name,
+                    encrypted: &f.encrypted,
+                    action: "rollback",
+                },
+            )
+            .await
+            {
+                tracing::warn!(error = %e, "failed to snapshot secret field before rollback");
+            }
+        }
+    }
+
+    sqlx::query(
+        "INSERT INTO entries (id, namespace, kind, name, tags, metadata, version, updated_at) \
+         VALUES ($1, $2, $3, $4, $5, $6, $7, NOW()) \
+         ON CONFLICT (namespace, kind, name) WHERE user_id IS NULL DO UPDATE SET \
+             tags = EXCLUDED.tags, metadata = EXCLUDED.metadata, \
+             version = entries.version + 1, updated_at = NOW()",
+    )
+    .bind(snap.entry_id)
+    .bind(namespace)
+    .bind(kind)
+    .bind(name)
+    .bind(&snap.tags)
+    .bind(&snap.metadata)
+    .bind(snap.version)
+    .execute(&mut *tx)
+    .await?;
+
+    sqlx::query("DELETE FROM secrets WHERE entry_id = $1")
+        .bind(snap.entry_id)
+        .execute(&mut *tx)
+        .await?;
+
+    for f in &field_snaps {
+        if f.action == "delete" {
+            continue;
+        }
+        sqlx::query(
+            "INSERT INTO secrets (id, entry_id, field_name, encrypted) VALUES ($1, $2, $3, $4) \
+             ON CONFLICT (entry_id, field_name) DO UPDATE SET \
+                 encrypted = EXCLUDED.encrypted, version = secrets.version + 1, updated_at = NOW()",
+        )
+        .bind(f.secret_id)
+        .bind(snap.entry_id)
+        .bind(&f.field_name)
+        .bind(&f.encrypted)
+        .execute(&mut *tx)
+        .await?;
+    }
+
+    crate::audit::log_tx(
+        &mut tx,
+        "rollback",
+        namespace,
+        kind,
+        name,
+        serde_json::json!({
+            "restored_version": snap.version,
+            "original_action": snap.action,
+        }),
+    )
+    .await;
+
+    tx.commit().await?;
+
+    Ok(RollbackResult {
+        namespace: namespace.to_string(),
+        kind: kind.to_string(),
+        name: name.to_string(),
+        restored_version: snap.version,
+    })
+}