refactor: entries + secrets 双表,search 展示 field schema,key_ref PEM 共享
Some checks failed
Secrets CLI - Build & Release / 质量检查 (fmt / clippy / test) (push) Successful in 1m57s
Secrets CLI - Build & Release / 版本 & Release (push) Successful in 3s
Secrets CLI - Build & Release / Build (macOS aarch64 + x86_64) (push) Successful in 51s
Secrets CLI - Build & Release / Build (x86_64-unknown-linux-musl) (push) Successful in 1m6s
Secrets CLI - Build & Release / 发布草稿 Release (push) Has been cancelled
Secrets CLI - Build & Release / Build (x86_64-pc-windows-msvc) (push) Has been cancelled
Some checks failed
Secrets CLI - Build & Release / 质量检查 (fmt / clippy / test) (push) Successful in 1m57s
Secrets CLI - Build & Release / 版本 & Release (push) Successful in 3s
Secrets CLI - Build & Release / Build (macOS aarch64 + x86_64) (push) Successful in 51s
Secrets CLI - Build & Release / Build (x86_64-unknown-linux-musl) (push) Successful in 1m6s
Secrets CLI - Build & Release / 发布草稿 Release (push) Has been cancelled
Secrets CLI - Build & Release / Build (x86_64-pc-windows-msvc) (push) Has been cancelled
- secrets 表拆为 entries(主表)+ secrets(每字段一行) - search 无需 master_key 即可展示 secrets 字段名、类型、长度 - inject/run 支持 metadata.key_ref 引用 kind=key 记录,PEM 轮换 O(1) - entries_history + secrets_history 字段级历史,rollback 按 version 恢复 - 移除迁移用 DROP 语句,migrate 幂等 - v0.8.0 Made-with: Cursor
This commit is contained in:
voson
@@ -4,19 +4,19 @@ use sqlx::{FromRow, PgPool};
|
||||
use uuid::Uuid;
|
||||
|
||||
use super::add::{
|
||||
collect_field_paths, collect_key_paths, insert_path, parse_key_path, parse_kv, remove_path,
|
||||
collect_field_paths, collect_key_paths, compute_value_len, flatten_json_fields,
|
||||
infer_field_type, insert_path, parse_key_path, parse_kv, remove_path,
|
||||
};
|
||||
use crate::crypto;
|
||||
use crate::db;
|
||||
use crate::output::OutputMode;
|
||||
|
||||
#[derive(FromRow)]
|
||||
struct UpdateRow {
|
||||
struct EntryRow {
|
||||
id: Uuid,
|
||||
version: i64,
|
||||
tags: Vec<String>,
|
||||
metadata: Value,
|
||||
encrypted: Vec<u8>,
|
||||
}
|
||||
|
||||
pub struct UpdateArgs<'a> {
|
||||
@@ -35,9 +35,9 @@ pub struct UpdateArgs<'a> {
|
||||
pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) -> Result<()> {
|
||||
let mut tx = pool.begin().await?;
|
||||
|
||||
let row: Option<UpdateRow> = sqlx::query_as(
|
||||
"SELECT id, version, tags, metadata, encrypted \
|
||||
FROM secrets \
|
||||
let row: Option<EntryRow> = sqlx::query_as(
|
||||
"SELECT id, version, tags, metadata \
|
||||
FROM entries \
|
||||
WHERE namespace = $1 AND kind = $2 AND name = $3 \
|
||||
FOR UPDATE",
|
||||
)
|
||||
@@ -56,11 +56,11 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) ->
|
||||
)
|
||||
})?;
|
||||
|
||||
// Snapshot current state before modifying.
|
||||
if let Err(e) = db::snapshot_history(
|
||||
// Snapshot current entry state before modifying.
|
||||
if let Err(e) = db::snapshot_entry_history(
|
||||
&mut tx,
|
||||
db::SnapshotParams {
|
||||
secret_id: row.id,
|
||||
db::EntrySnapshotParams {
|
||||
entry_id: row.id,
|
||||
namespace: args.namespace,
|
||||
kind: args.kind,
|
||||
name: args.name,
|
||||
@@ -68,15 +68,14 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) ->
|
||||
action: "update",
|
||||
tags: &row.tags,
|
||||
metadata: &row.metadata,
|
||||
encrypted: &row.encrypted,
|
||||
},
|
||||
)
|
||||
.await
|
||||
{
|
||||
tracing::warn!(error = %e, "failed to snapshot history before update");
|
||||
tracing::warn!(error = %e, "failed to snapshot entry history before update");
|
||||
}
|
||||
|
||||
// Merge tags
|
||||
// ── Merge tags ────────────────────────────────────────────────────────────
|
||||
let mut tags: Vec<String> = row.tags;
|
||||
for t in args.add_tags {
|
||||
if !tags.contains(t) {
|
||||
@@ -85,7 +84,7 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) ->
|
||||
}
|
||||
tags.retain(|t| !args.remove_tags.contains(t));
|
||||
|
||||
// Merge metadata
|
||||
// ── Merge metadata ────────────────────────────────────────────────────────
|
||||
let mut meta_map: Map<String, Value> = match row.metadata {
|
||||
Value::Object(m) => m,
|
||||
_ => Map::new(),
|
||||
@@ -100,43 +99,14 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) ->
|
||||
}
|
||||
let metadata = Value::Object(meta_map);
|
||||
|
||||
// Decrypt existing encrypted blob, merge changes, re-encrypt
|
||||
let existing_json = if row.encrypted.is_empty() {
|
||||
Value::Object(Map::new())
|
||||
} else {
|
||||
crypto::decrypt_json(master_key, &row.encrypted)?
|
||||
};
|
||||
let mut enc_map: Map<String, Value> = match existing_json {
|
||||
Value::Object(m) => m,
|
||||
_ => Map::new(),
|
||||
};
|
||||
for entry in args.secret_entries {
|
||||
let (path, value) = parse_kv(entry)?;
|
||||
insert_path(&mut enc_map, &path, value)?;
|
||||
}
|
||||
for key in args.remove_secrets {
|
||||
let path = parse_key_path(key)?;
|
||||
remove_path(&mut enc_map, &path)?;
|
||||
}
|
||||
let secret_json = Value::Object(enc_map);
|
||||
let encrypted_bytes = crypto::encrypt_json(master_key, &secret_json)?;
|
||||
|
||||
tracing::debug!(
|
||||
namespace = args.namespace,
|
||||
kind = args.kind,
|
||||
name = args.name,
|
||||
"updating record"
|
||||
);
|
||||
|
||||
// CAS: update only if version hasn't changed (FOR UPDATE lock ensures this).
|
||||
// CAS update of the entry row.
|
||||
let result = sqlx::query(
|
||||
"UPDATE secrets \
|
||||
SET tags = $1, metadata = $2, encrypted = $3, version = version + 1, updated_at = NOW() \
|
||||
WHERE id = $4 AND version = $5",
|
||||
"UPDATE entries \
|
||||
SET tags = $1, metadata = $2, version = version + 1, updated_at = NOW() \
|
||||
WHERE id = $3 AND version = $4",
|
||||
)
|
||||
.bind(&tags)
|
||||
.bind(&metadata)
|
||||
.bind(&encrypted_bytes)
|
||||
.bind(row.id)
|
||||
.bind(row.version)
|
||||
.execute(&mut *tx)
|
||||
@@ -152,6 +122,130 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) ->
|
||||
);
|
||||
}
|
||||
|
||||
let new_version = row.version + 1;
|
||||
|
||||
// ── Update secret fields ──────────────────────────────────────────────────
|
||||
for entry in args.secret_entries {
|
||||
let (path, field_value) = parse_kv(entry)?;
|
||||
|
||||
// For nested paths (e.g. credentials:type), flatten into dot-separated names
|
||||
// and treat the sub-value as the individual field to store.
|
||||
let flat = flatten_json_fields("", &{
|
||||
let mut m = Map::new();
|
||||
insert_path(&mut m, &path, field_value)?;
|
||||
Value::Object(m)
|
||||
});
|
||||
|
||||
for (field_name, fv) in &flat {
|
||||
let field_type = infer_field_type(fv);
|
||||
let value_len = compute_value_len(fv);
|
||||
let encrypted = crypto::encrypt_json(master_key, fv)?;
|
||||
|
||||
// Snapshot existing field before replacing.
|
||||
#[derive(sqlx::FromRow)]
|
||||
struct ExistingField {
|
||||
id: Uuid,
|
||||
field_type: String,
|
||||
value_len: i32,
|
||||
encrypted: Vec<u8>,
|
||||
}
|
||||
let existing_field: Option<ExistingField> = sqlx::query_as(
|
||||
"SELECT id, field_type, value_len, encrypted \
|
||||
FROM secrets WHERE entry_id = $1 AND field_name = $2",
|
||||
)
|
||||
.bind(row.id)
|
||||
.bind(field_name)
|
||||
.fetch_optional(&mut *tx)
|
||||
.await?;
|
||||
|
||||
if let Some(ef) = &existing_field
|
||||
&& let Err(e) = db::snapshot_secret_history(
|
||||
&mut tx,
|
||||
db::SecretSnapshotParams {
|
||||
entry_id: row.id,
|
||||
secret_id: ef.id,
|
||||
entry_version: row.version,
|
||||
field_name,
|
||||
field_type: &ef.field_type,
|
||||
value_len: ef.value_len,
|
||||
encrypted: &ef.encrypted,
|
||||
action: "update",
|
||||
},
|
||||
)
|
||||
.await
|
||||
{
|
||||
tracing::warn!(error = %e, "failed to snapshot secret field history");
|
||||
}
|
||||
|
||||
sqlx::query(
|
||||
"INSERT INTO secrets (entry_id, field_name, field_type, value_len, encrypted) \
|
||||
VALUES ($1, $2, $3, $4, $5) \
|
||||
ON CONFLICT (entry_id, field_name) DO UPDATE SET \
|
||||
field_type = EXCLUDED.field_type, \
|
||||
value_len = EXCLUDED.value_len, \
|
||||
encrypted = EXCLUDED.encrypted, \
|
||||
version = secrets.version + 1, \
|
||||
updated_at = NOW()",
|
||||
)
|
||||
.bind(row.id)
|
||||
.bind(field_name)
|
||||
.bind(field_type)
|
||||
.bind(value_len)
|
||||
.bind(&encrypted)
|
||||
.execute(&mut *tx)
|
||||
.await?;
|
||||
}
|
||||
}
|
||||
|
||||
// ── Remove secret fields ──────────────────────────────────────────────────
|
||||
for key in args.remove_secrets {
|
||||
let path = parse_key_path(key)?;
|
||||
// Dot-join the path to match flattened field_name storage.
|
||||
let field_name = path.join(".");
|
||||
|
||||
// Snapshot before delete.
|
||||
#[derive(sqlx::FromRow)]
|
||||
struct FieldToDelete {
|
||||
id: Uuid,
|
||||
field_type: String,
|
||||
value_len: i32,
|
||||
encrypted: Vec<u8>,
|
||||
}
|
||||
let field: Option<FieldToDelete> = sqlx::query_as(
|
||||
"SELECT id, field_type, value_len, encrypted \
|
||||
FROM secrets WHERE entry_id = $1 AND field_name = $2",
|
||||
)
|
||||
.bind(row.id)
|
||||
.bind(&field_name)
|
||||
.fetch_optional(&mut *tx)
|
||||
.await?;
|
||||
|
||||
if let Some(f) = field {
|
||||
if let Err(e) = db::snapshot_secret_history(
|
||||
&mut tx,
|
||||
db::SecretSnapshotParams {
|
||||
entry_id: row.id,
|
||||
secret_id: f.id,
|
||||
entry_version: new_version,
|
||||
field_name: &field_name,
|
||||
field_type: &f.field_type,
|
||||
value_len: f.value_len,
|
||||
encrypted: &f.encrypted,
|
||||
action: "delete",
|
||||
},
|
||||
)
|
||||
.await
|
||||
{
|
||||
tracing::warn!(error = %e, "failed to snapshot secret field history before delete");
|
||||
}
|
||||
|
||||
sqlx::query("DELETE FROM secrets WHERE id = $1")
|
||||
.bind(f.id)
|
||||
.execute(&mut *tx)
|
||||
.await?;
|
||||
}
|
||||
}
|
||||
|
||||
let meta_keys = collect_key_paths(args.meta_entries)?;
|
||||
let remove_meta_keys = collect_field_paths(args.remove_meta)?;
|
||||
let secret_keys = collect_key_paths(args.secret_entries)?;
|
||||
|
||||
Reference in New Issue
Block a user