Compare commits
5 Commits
secrets-0.
...
secrets-0.
| Author | SHA1 | Date | |
|---|---|---|---|
|
3a5ec92bf0 | ||
|
|
854720f10c | ||
|
|
62a1df316b | ||
|
|
d0796e9c9a | ||
|
|
66b6417faa |
@@ -17,6 +17,7 @@ permissions:
|
||||
|
||||
env:
|
||||
BINARY_NAME: secrets
|
||||
SECRETS_UPGRADE_URL: ${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/latest
|
||||
CARGO_INCREMENTAL: 0
|
||||
CARGO_NET_RETRY: 10
|
||||
CARGO_TERM_COLOR: always
|
||||
|
||||
2
.vscode/tasks.json
vendored
2
.vscode/tasks.json
vendored
@@ -142,7 +142,7 @@
|
||||
{
|
||||
"label": "test: add with file secret",
|
||||
"type": "shell",
|
||||
"command": "echo '--- add key from file ---' && ./target/debug/secrets add -n test --kind key --name test-key --tag test -s content=@./refining/keys/Vultr && echo '--- verify metadata ---' && ./target/debug/secrets search -n test --kind key && echo '--- verify inject ---' && ./target/debug/secrets inject -n test --kind key --name test-key && echo '--- cleanup ---' && ./target/debug/secrets delete -n test --kind key --name test-key",
|
||||
"command": "echo '--- add key from file ---' && ./target/debug/secrets add -n test --kind key --name test-key --tag test -s content=@./test-fixtures/example-key.pem && echo '--- verify metadata ---' && ./target/debug/secrets search -n test --kind key && echo '--- verify inject ---' && ./target/debug/secrets inject -n test --kind key --name test-key && echo '--- cleanup ---' && ./target/debug/secrets delete -n test --kind key --name test-key",
|
||||
"dependsOn": "build"
|
||||
}
|
||||
]
|
||||
|
||||
98
AGENTS.md
98
AGENTS.md
@@ -30,7 +30,7 @@ secrets/
|
||||
update.rs # update 命令:增量更新,secrets 行级 UPSERT/DELETE,CAS 并发保护
|
||||
rollback.rs # rollback 命令:按 entry_version 恢复 entry + secrets
|
||||
history.rs # history 命令:查看 entry 变更历史列表
|
||||
run.rs # inject / run 命令:逐字段解密 + key_ref 引用解析
|
||||
run.rs # inject / run 命令:仅 secrets 逐字段解密 + key_ref 引用解析(不含 metadata)
|
||||
upgrade.rs # upgrade 命令:检查、校验摘要并下载最新版本,自动替换二进制
|
||||
export_cmd.rs # export 命令:批量导出记录,支持 JSON/TOML/YAML,含解密明文
|
||||
import_cmd.rs # import 命令:批量导入记录,冲突检测,dry-run,重新加密写入
|
||||
@@ -71,8 +71,6 @@ secrets (
|
||||
id UUID PRIMARY KEY DEFAULT uuidv7(),
|
||||
entry_id UUID NOT NULL REFERENCES entries(id) ON DELETE CASCADE,
|
||||
field_name VARCHAR(256) NOT NULL, -- 明文字段名: "username", "token", "ssh_key"
|
||||
field_type VARCHAR(32) NOT NULL DEFAULT 'string', -- 明文类型: "string"|"number"|"boolean"|"json"
|
||||
value_len INT NOT NULL DEFAULT 0, -- 明文原始值字符数(PEM≈4096,token≈40)
|
||||
encrypted BYTEA NOT NULL DEFAULT '\x', -- 仅加密值本身:nonce(12B)||ciphertext+tag
|
||||
version BIGINT NOT NULL DEFAULT 1,
|
||||
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
|
||||
@@ -130,8 +128,6 @@ secrets_history (
|
||||
secret_id UUID NOT NULL, -- 对应 secrets.id
|
||||
entry_version BIGINT NOT NULL, -- 关联 entries_history 的版本号
|
||||
field_name VARCHAR(256) NOT NULL,
|
||||
field_type VARCHAR(32) NOT NULL DEFAULT 'string',
|
||||
value_len INT NOT NULL DEFAULT 0,
|
||||
encrypted BYTEA NOT NULL DEFAULT '\x',
|
||||
action VARCHAR(16) NOT NULL, -- 'add' | 'update' | 'delete' | 'rollback'
|
||||
actor VARCHAR(128) NOT NULL DEFAULT '',
|
||||
@@ -145,12 +141,10 @@ secrets_history (
|
||||
|------|--------|------|
|
||||
| `namespace` | 项目/团队隔离 | `refining`, `ricnsmart` |
|
||||
| `kind` | 记录类型 | `server`, `service`, `key` |
|
||||
| `name` | 唯一标识名 | `i-uf63f2uookgs5uxmrdyc`, `gitea` |
|
||||
| `name` | 唯一标识名 | `i-example0abcd1234efgh`, `gitea` |
|
||||
| `tags` | 多维分类标签 | `["aliyun","hongkong","ricn"]` |
|
||||
| `metadata` | 明文非敏感信息 | `{"ip":"47.243.154.187","desc":"Grafana","key_ref":"ricn-hk-260127"}` |
|
||||
| `metadata` | 明文非敏感信息 | `{"ip":"192.0.2.1","desc":"Grafana","key_ref":"my-shared-key"}` |
|
||||
| `secrets.field_name` | 加密字段名(明文) | `"username"`, `"token"`, `"ssh_key"` |
|
||||
| `secrets.field_type` | 值类型(明文) | `"string"`, `"number"`, `"boolean"`, `"json"` |
|
||||
| `secrets.value_len` | 原始值字符数(明文) | `4`(root),`40`(token),`4096`(PEM) |
|
||||
| `secrets.encrypted` | 仅加密值本身 | AES-256-GCM 密文 |
|
||||
|
||||
### PEM 共享机制(key_ref)
|
||||
@@ -159,17 +153,17 @@ secrets_history (
|
||||
|
||||
```bash
|
||||
# 1. 存共享 PEM
|
||||
secrets add -n refining --kind key --name ricn-hk-260127 \
|
||||
secrets add -n refining --kind key --name my-shared-key \
|
||||
--tag aliyun --tag hongkong \
|
||||
-s content=@./keys/ricn-hk-260127.pem
|
||||
-s content=@./keys/my-shared-key.pem
|
||||
|
||||
# 2. 服务器通过 metadata.key_ref 引用(inject/run 时自动合并 key 的 secrets)
|
||||
secrets add -n refining --kind server --name i-j6c39dmtkr26vztii0ox \
|
||||
-m ip=47.243.154.187 -m key_ref=ricn-hk-260127 \
|
||||
secrets add -n refining --kind server --name i-example0xyz789 \
|
||||
-m ip=192.0.2.1 -m key_ref=my-shared-key \
|
||||
-s username=ecs-user
|
||||
|
||||
# 3. 轮换只需更新 key 记录,所有引用服务器自动生效
|
||||
secrets update -n refining --kind key --name ricn-hk-260127 \
|
||||
secrets update -n refining --kind key --name my-shared-key \
|
||||
-s content=@./keys/new-key.pem
|
||||
```
|
||||
|
||||
@@ -231,7 +225,7 @@ secrets init
|
||||
# 参数说明(带典型值)
|
||||
# -n / --namespace refining | ricnsmart
|
||||
# --kind server | service
|
||||
# --name gitea | i-uf63f2uookgs5uxmrdyc | mqtt
|
||||
# --name gitea | i-example0abcd1234efgh | mqtt
|
||||
# --tag aliyun | hongkong | production
|
||||
# -q / --query mqtt | grafana | gitea (模糊匹配 name/namespace/kind/tags/metadata)
|
||||
# secrets schema search 默认展示 secrets 字段名、类型与长度(无需 master_key)
|
||||
@@ -249,7 +243,7 @@ secrets search --sort updated --limit 10 --summary
|
||||
|
||||
# 精确定位单条记录
|
||||
secrets search -n refining --kind service --name gitea
|
||||
secrets search -n refining --kind server --name i-uf63f2uookgs5uxmrdyc
|
||||
secrets search -n refining --kind server --name i-example0abcd1234efgh
|
||||
|
||||
# 精确定位并获取完整内容(secrets 保持加密占位)
|
||||
secrets search -n refining --kind service --name gitea -o json
|
||||
@@ -266,7 +260,7 @@ secrets run -n refining --kind service --name gitea -- printenv
|
||||
# 模糊关键词搜索
|
||||
secrets search -q mqtt
|
||||
secrets search -q grafana
|
||||
secrets search -q 47.117
|
||||
secrets search -q 192.0.2
|
||||
|
||||
# 按条件过滤
|
||||
secrets search -n refining --kind service
|
||||
@@ -290,31 +284,31 @@ secrets search -n refining --kind service | jq '.[].name'
|
||||
# 参数说明(带典型值)
|
||||
# -n / --namespace refining | ricnsmart
|
||||
# --kind server | service
|
||||
# --name gitea | i-uf63f2uookgs5uxmrdyc
|
||||
# --name gitea | i-example0abcd1234efgh
|
||||
# --tag aliyun | hongkong(可重复)
|
||||
# -m / --meta ip=47.117.131.22 | desc="Aliyun ECS" | url=https://... | tls:cert@./cert.pem(可重复)
|
||||
# -m / --meta ip=10.0.0.1 | desc="ECS" | url=https://... | tls:cert@./cert.pem(可重复)
|
||||
# -s / --secret token=<value> | ssh_key=@./key.pem | password=secret123 | credentials:content@./key.pem(可重复)
|
||||
|
||||
# 添加服务器
|
||||
secrets add -n refining --kind server --name i-uf63f2uookgs5uxmrdyc \
|
||||
secrets add -n refining --kind server --name i-example0abcd1234efgh \
|
||||
--tag aliyun --tag shanghai \
|
||||
-m ip=47.117.131.22 -m desc="Aliyun Shanghai ECS" \
|
||||
-s username=root -s ssh_key=@./keys/voson_shanghai_e.pem
|
||||
-m ip=10.0.0.1 -m desc="Aliyun Shanghai ECS" \
|
||||
-s username=root -s ssh_key=@./keys/deploy-key.pem
|
||||
|
||||
# 添加服务凭据
|
||||
secrets add -n refining --kind service --name gitea \
|
||||
--tag gitea \
|
||||
-m url=https://gitea.refining.dev -m default_org=refining -m username=voson \
|
||||
-m url=https://code.example.com -m default_org=refining -m username=voson \
|
||||
-s token=<token> -s runner_token=<runner_token>
|
||||
|
||||
# 从文件读取 token
|
||||
secrets add -n ricnsmart --kind service --name mqtt \
|
||||
-m host=mqtt.ricnsmart.com -m port=1883 \
|
||||
-m host=mqtt.example.com -m port=1883 \
|
||||
-s password=@./mqtt_password.txt
|
||||
|
||||
# 多行文件直接写入嵌套 secret 字段
|
||||
secrets add -n refining --kind server --name i-uf63f2uookgs5uxmrdyc \
|
||||
-s credentials:content@./keys/voson_shanghai_e.pem
|
||||
secrets add -n refining --kind server --name i-example0abcd1234efgh \
|
||||
-s credentials:content@./keys/deploy-key.pem
|
||||
|
||||
# 使用类型化值(key:=<json>)存储非字符串类型
|
||||
secrets add -n refining --kind service --name prometheus \
|
||||
@@ -334,7 +328,7 @@ secrets add -n refining --kind service --name prometheus \
|
||||
# 参数说明(带典型值)
|
||||
# -n / --namespace refining | ricnsmart
|
||||
# --kind server | service
|
||||
# --name gitea | i-uf63f2uookgs5uxmrdyc
|
||||
# --name gitea | i-example0abcd1234efgh
|
||||
# --add-tag production | backup(不影响已有 tag,可重复)
|
||||
# --remove-tag staging | deprecated(可重复)
|
||||
# -m / --meta ip=10.0.0.1 | desc="新描述" | credentials:username=root(新增或覆盖,可重复)
|
||||
@@ -343,7 +337,7 @@ secrets add -n refining --kind service --name prometheus \
|
||||
# --remove-secret old_password | deprecated_key | credentials:content(删除 secret 字段,可重复)
|
||||
|
||||
# 更新单个 metadata 字段
|
||||
secrets update -n refining --kind server --name i-uf63f2uookgs5uxmrdyc \
|
||||
secrets update -n refining --kind server --name i-example0abcd1234efgh \
|
||||
-m ip=10.0.0.1
|
||||
|
||||
# 轮换 token
|
||||
@@ -360,11 +354,11 @@ secrets update -n refining --kind service --name mqtt \
|
||||
--remove-meta old_port --remove-secret old_password
|
||||
|
||||
# 从文件更新嵌套 secret 字段
|
||||
secrets update -n refining --kind server --name i-uf63f2uookgs5uxmrdyc \
|
||||
-s credentials:content@./keys/voson_shanghai_e.pem
|
||||
secrets update -n refining --kind server --name i-example0abcd1234efgh \
|
||||
-s credentials:content@./keys/deploy-key.pem
|
||||
|
||||
# 删除嵌套字段
|
||||
secrets update -n refining --kind server --name i-uf63f2uookgs5uxmrdyc \
|
||||
secrets update -n refining --kind server --name i-example0abcd1234efgh \
|
||||
--remove-secret credentials:content
|
||||
|
||||
# 移除 tag
|
||||
@@ -373,19 +367,34 @@ secrets update -n refining --kind service --name gitea --remove-tag staging
|
||||
|
||||
---
|
||||
|
||||
### delete — 删除记录
|
||||
### delete — 删除记录(支持单条精确删除与批量删除)
|
||||
|
||||
删除时会自动将 entry 与所有关联 secret 字段快照到历史表,并写入审计日志,可通过 `rollback` 命令恢复。
|
||||
|
||||
```bash
|
||||
# 参数说明(带典型值)
|
||||
# -n / --namespace refining | ricnsmart
|
||||
# --kind server | service
|
||||
# --name gitea | i-uf63f2uookgs5uxmrdyc(必须精确匹配)
|
||||
# -n / --namespace refining | ricnsmart(必填)
|
||||
# --kind server | service(指定 --name 时必填;批量时可选)
|
||||
# --name gitea | i-example0abcd1234efgh(精确匹配;省略则批量删除)
|
||||
# --dry-run 预览将删除的记录,不实际写入(仅批量模式有效)
|
||||
# -o / --output text | json | json-compact
|
||||
|
||||
# 删除服务凭据
|
||||
# 精确删除单条记录(--kind 必填)
|
||||
secrets delete -n refining --kind service --name legacy-mqtt
|
||||
|
||||
# 删除服务器记录
|
||||
secrets delete -n ricnsmart --kind server --name i-old-server-id
|
||||
|
||||
# 预览批量删除(不写入数据库)
|
||||
secrets delete -n refining --dry-run
|
||||
secrets delete -n ricnsmart --kind server --dry-run
|
||||
|
||||
# 批量删除整个 namespace 的所有记录
|
||||
secrets delete -n ricnsmart
|
||||
|
||||
# 批量删除 namespace 下指定 kind 的所有记录
|
||||
secrets delete -n ricnsmart --kind server
|
||||
|
||||
# JSON 输出
|
||||
secrets delete -n refining --kind service -o json
|
||||
```
|
||||
|
||||
---
|
||||
@@ -431,7 +440,7 @@ secrets rollback -n refining --kind service --name gitea --to-version 3
|
||||
|
||||
### inject — 输出临时环境变量
|
||||
|
||||
敏感值仅打印到 stdout,不持久化、不写入当前 shell。
|
||||
仅注入 secrets 表中的加密字段(解密后),不含 metadata。敏感值仅打印到 stdout,不持久化、不写入当前 shell。
|
||||
|
||||
```bash
|
||||
# 参数说明
|
||||
@@ -442,7 +451,7 @@ secrets rollback -n refining --kind service --name gitea --to-version 3
|
||||
# --prefix 变量名前缀(留空则以记录 name 作前缀)
|
||||
# -o / --output text(默认 KEY=VALUE)| json | json-compact
|
||||
|
||||
# 打印单条记录的所有变量(KEY=VALUE 格式)
|
||||
# 打印单条记录的 secrets 变量(KEY=VALUE 格式)
|
||||
secrets inject -n refining --kind service --name gitea
|
||||
|
||||
# 自定义前缀
|
||||
@@ -459,7 +468,7 @@ eval $(secrets inject -n refining --kind service --name gitea)
|
||||
|
||||
### run — 向子进程注入 secrets 并执行命令
|
||||
|
||||
secrets 仅作用于子进程环境,不修改当前 shell,进程退出码透传。
|
||||
仅注入 secrets 表中的加密字段(解密后),不含 metadata。secrets 仅作用于子进程环境,不修改当前 shell,进程退出码透传。
|
||||
|
||||
```bash
|
||||
# 参数说明
|
||||
@@ -484,7 +493,9 @@ secrets run -n refining --kind service --name gitea -- printenv
|
||||
|
||||
### upgrade — 自动更新 CLI 二进制
|
||||
|
||||
从 Gitea Release 下载最新版本,校验对应 `.sha256` 摘要后替换当前二进制,无需数据库连接或主密钥。
|
||||
从 Release 服务器下载最新版本,校验对应 `.sha256` 摘要后替换当前二进制,无需数据库连接或主密钥。
|
||||
|
||||
**配置方式**:`SECRETS_UPGRADE_URL` 必填。优先用**构建时**:`SECRETS_UPGRADE_URL=https://... cargo build`,CI 已自动注入。或**运行时**:写在 `.env` 或 `export` 后执行。
|
||||
|
||||
```bash
|
||||
# 检查是否有新版本(不下载)
|
||||
@@ -504,7 +515,7 @@ secrets upgrade
|
||||
# 参数说明
|
||||
# -n / --namespace refining | ricnsmart
|
||||
# --kind server | service
|
||||
# --name gitea | i-uf63f2uookgs5uxmrdyc
|
||||
# --name gitea | i-example0abcd1234efgh
|
||||
# --tag aliyun | production(可重复)
|
||||
# -q / --query 模糊关键词
|
||||
# --file <path> 输出文件路径,格式由扩展名推断(.json / .toml / .yaml / .yml)
|
||||
@@ -664,5 +675,6 @@ cargo fmt -- --check && cargo clippy -- -D warnings && cargo test
|
||||
|------|------|
|
||||
| `RUST_LOG` | 日志级别,如 `secrets=debug`、`secrets=trace`(默认 warn) |
|
||||
| `USER` | 审计日志 actor 字段来源,Shell 自动设置,通常无需手动配置 |
|
||||
| `SECRETS_UPGRADE_URL` | upgrade 的 Release API 地址。构建时(cargo build)或运行时(.env/export) |
|
||||
|
||||
数据库连接通过 `secrets config set-db` 持久化到 `~/.config/secrets/config.toml`,不支持环境变量。
|
||||
|
||||
3
Cargo.lock
generated
3
Cargo.lock
generated
@@ -1836,7 +1836,7 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
|
||||
|
||||
[[package]]
|
||||
name = "secrets"
|
||||
version = "0.9.1"
|
||||
version = "0.9.5"
|
||||
dependencies = [
|
||||
"aes-gcm",
|
||||
"anyhow",
|
||||
@@ -1844,6 +1844,7 @@ dependencies = [
|
||||
"chrono",
|
||||
"clap",
|
||||
"dirs",
|
||||
"dotenvy",
|
||||
"flate2",
|
||||
"keyring",
|
||||
"rand 0.10.0",
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
[package]
|
||||
name = "secrets"
|
||||
version = "0.9.1"
|
||||
version = "0.9.5"
|
||||
edition = "2024"
|
||||
|
||||
[dependencies]
|
||||
@@ -10,6 +10,7 @@ argon2 = { version = "^0.5.3", features = ["std"] }
|
||||
chrono = { version = "^0.4.44", features = ["serde"] }
|
||||
clap = { version = "^4.6.0", features = ["derive"] }
|
||||
dirs = "^6.0.0"
|
||||
dotenvy = "^0.15"
|
||||
flate2 = "^1.1.9"
|
||||
keyring = { version = "^3.6.3", features = ["apple-native", "windows-native", "linux-native"] }
|
||||
rand = "^0.10.0"
|
||||
|
||||
29
README.md
29
README.md
@@ -54,7 +54,7 @@ secrets search --sort updated --limit 10 --summary
|
||||
# 精确定位(namespace + kind + name 三元组)
|
||||
secrets search -n refining --kind service --name gitea
|
||||
|
||||
# 获取完整记录(含 secrets 字段 schema:field_name、field_type、value_len,无需 master_key)
|
||||
# 获取完整记录(含 secrets 字段名,无需 master_key)
|
||||
secrets search -n refining --kind service --name gitea -o json
|
||||
|
||||
# 直接提取单个 metadata 字段值(最短路径)
|
||||
@@ -69,7 +69,7 @@ secrets inject -n refining --kind service --name gitea
|
||||
secrets run -n refining --kind service --name gitea -- printenv
|
||||
```
|
||||
|
||||
`search` 展示 metadata 与 secrets 的字段 schema(字段名、类型、长度),不展示 secret 值本身;需要值时用 `inject` / `run`。
|
||||
`search` 展示 metadata 与 secrets 的字段名,不展示 secret 值本身;需要 secret 值时用 `inject` / `run`(仅注入加密字段,不含 metadata)。
|
||||
|
||||
### 输出格式
|
||||
|
||||
@@ -120,7 +120,7 @@ secrets search -n refining --summary --limit 10 --offset 10 # 翻页
|
||||
# ── add ──────────────────────────────────────────────────────────────────────
|
||||
secrets add -n refining --kind server --name my-server \
|
||||
--tag aliyun --tag shanghai \
|
||||
-m ip=47.117.131.22 -m desc="Aliyun Shanghai ECS" \
|
||||
-m ip=10.0.0.1 -m desc="Example ECS" \
|
||||
-s username=root -s ssh_key=@./keys/server.pem
|
||||
|
||||
# 多行文件直接写入嵌套 secret 字段
|
||||
@@ -136,7 +136,7 @@ secrets add -n refining --kind service --name deploy-bot \
|
||||
|
||||
secrets add -n refining --kind service --name gitea \
|
||||
--tag gitea \
|
||||
-m url=https://gitea.refining.dev -m default_org=refining \
|
||||
-m url=https://code.example.com -m default_org=myorg \
|
||||
-s token=<token>
|
||||
|
||||
# ── update ───────────────────────────────────────────────────────────────────
|
||||
@@ -146,7 +146,10 @@ secrets update -n refining --kind service --name mqtt --remove-meta old_port --r
|
||||
secrets update -n refining --kind server --name my-server --remove-secret credentials:content
|
||||
|
||||
# ── delete ───────────────────────────────────────────────────────────────────
|
||||
secrets delete -n refining --kind service --name legacy-mqtt
|
||||
secrets delete -n refining --kind service --name legacy-mqtt # 精确删除单条(--kind 必填)
|
||||
secrets delete -n refining --dry-run # 预览批量删除(不写入)
|
||||
secrets delete -n ricnsmart # 批量删除整个 namespace
|
||||
secrets delete -n ricnsmart --kind server # 批量删除指定 kind
|
||||
|
||||
# ── init ─────────────────────────────────────────────────────────────────────
|
||||
secrets init # 主密钥初始化(每台设备一次,主密码至少 8 位,派生后存钥匙串)
|
||||
@@ -158,7 +161,7 @@ secrets config path # 打印配置文件路径
|
||||
|
||||
# ── upgrade ──────────────────────────────────────────────────────────────────
|
||||
secrets upgrade --check # 仅检查是否有新版本
|
||||
secrets upgrade # 下载、校验 SHA-256 并安装最新版(从 Gitea Release)
|
||||
secrets upgrade # 下载、校验 SHA-256 并安装最新版(可通过 SECRETS_UPGRADE_URL 自托管)
|
||||
|
||||
# ── export ────────────────────────────────────────────────────────────────────
|
||||
secrets export --file backup.json # 全量导出到 JSON
|
||||
@@ -181,7 +184,7 @@ RUST_LOG=secrets=trace secrets search
|
||||
|
||||
## 数据模型
|
||||
|
||||
主表 `entries`(namespace、kind、name、tags、metadata)+ 子表 `secrets`(每个加密字段一行,含 field_name、field_type、value_len、encrypted)。首次连接自动建表;同时创建 `audit_log`、`entries_history`、`secrets_history` 等表。
|
||||
主表 `entries`(namespace、kind、name、tags、metadata)+ 子表 `secrets`(每个加密字段一行,含 field_name、encrypted)。首次连接自动建表;同时创建 `audit_log`、`entries_history`、`secrets_history` 等表。
|
||||
|
||||
| 位置 | 字段 | 说明 |
|
||||
|------|------|------|
|
||||
@@ -190,7 +193,7 @@ RUST_LOG=secrets=trace secrets search
|
||||
| entries | name | 人类可读唯一标识 |
|
||||
| entries | tags | 多维标签,如 `["aliyun","hongkong"]` |
|
||||
| entries | metadata | 明文描述(ip、desc、domains、key_ref 等) |
|
||||
| secrets | field_name / field_type / value_len | 明文,search 可见,AI 可推断 inject 会生成什么变量 |
|
||||
| secrets | field_name | 明文,search 可见,AI 可推断 inject 会生成什么变量 |
|
||||
| secrets | encrypted | 仅加密值本身,AES-256-GCM |
|
||||
|
||||
`-m` / `--meta` 写入 `metadata`,`-s` / `--secret` 写入 `secrets` 表的独立行。支持 `key=value`、`key=@file`、`key:=<json>`,也支持 `credentials:content@./key.pem` 这类嵌套字段文件写入;删除时支持 `--remove-secret credentials:content`。加解密使用主密钥(由 `secrets init` 设置)。
|
||||
@@ -203,12 +206,12 @@ RUST_LOG=secrets=trace secrets search
|
||||
|
||||
| 目标值 | 写法示例 | 实际存入 |
|
||||
|------|------|------|
|
||||
| 普通字符串 | `-m url=https://gitea.refining.dev` | `"https://gitea.refining.dev"` |
|
||||
| 普通字符串 | `-m url=https://code.example.com` | `"https://code.example.com"` |
|
||||
| 文件内容字符串 | `-m notes=@./service-notes.txt` | `"..."` |
|
||||
| 布尔值 | `-m enabled:=true` | `true` |
|
||||
| 数字 | `-m port:=3000` | `3000` |
|
||||
| `null` | `-m deprecated_at:=null` | `null` |
|
||||
| 数组 | `-m domains:='["gitea.refining.dev","git.refining.dev"]'` | `["gitea.refining.dev","git.refining.dev"]` |
|
||||
| 数组 | `-m domains:='["code.example.com","git.example.com"]'` | `["code.example.com","git.example.com"]` |
|
||||
| 对象 | `-m tls:='{"enabled":true,"redirect_http":true}'` | `{"enabled":true,"redirect_http":true}` |
|
||||
| 嵌套路径 + JSON | `-m deploy:strategy:='{"type":"rolling","batch":2}'` | `{"deploy":{"strategy":{"type":"rolling","batch":2}}}` |
|
||||
|
||||
@@ -223,10 +226,10 @@ RUST_LOG=secrets=trace secrets search
|
||||
|
||||
```bash
|
||||
secrets add -n refining --kind service --name gitea \
|
||||
-m url=https://gitea.refining.dev \
|
||||
-m url=https://code.example.com \
|
||||
-m port:=3000 \
|
||||
-m enabled:=true \
|
||||
-m domains:='["gitea.refining.dev","git.refining.dev"]' \
|
||||
-m domains:='["code.example.com","git.example.com"]' \
|
||||
-m tls:='{"enabled":true,"redirect_http":true}'
|
||||
```
|
||||
|
||||
@@ -311,7 +314,7 @@ src/
|
||||
delete.rs # 删除(CASCADE 删除 secrets)
|
||||
update.rs # 增量更新(tags/metadata + secrets 行级 UPSERT/DELETE)
|
||||
rollback.rs # rollback / history:按 entry_version 恢复
|
||||
run.rs # inject / run,逐字段解密 + key_ref 引用解析
|
||||
run.rs # inject / run,仅 secrets 逐字段解密 + key_ref 引用解析(不含 metadata)
|
||||
upgrade.rs # 从 Gitea Release 自更新
|
||||
export_cmd.rs # export:批量导出,支持 JSON/TOML/YAML,含解密明文
|
||||
import_cmd.rs # import:批量导入,冲突检测,dry-run,重新加密写入
|
||||
|
||||
@@ -161,28 +161,6 @@ pub(crate) fn remove_path(map: &mut Map<String, Value>, path: &[String]) -> Resu
|
||||
Ok(removed)
|
||||
}
|
||||
|
||||
// ── field_type inference and value_len ──────────────────────────────────────
|
||||
|
||||
/// Infer the field type string from a JSON value.
|
||||
pub(crate) fn infer_field_type(v: &Value) -> &'static str {
|
||||
match v {
|
||||
Value::String(_) => "string",
|
||||
Value::Number(_) => "number",
|
||||
Value::Bool(_) => "boolean",
|
||||
Value::Null => "string",
|
||||
Value::Array(_) | Value::Object(_) => "json",
|
||||
}
|
||||
}
|
||||
|
||||
/// Compute the plaintext length of a JSON value (chars for string, serialized length otherwise).
|
||||
pub(crate) fn compute_value_len(v: &Value) -> i32 {
|
||||
match v {
|
||||
Value::String(s) => s.chars().count() as i32,
|
||||
Value::Null => 0,
|
||||
other => other.to_string().chars().count() as i32,
|
||||
}
|
||||
}
|
||||
|
||||
/// Flatten a (potentially nested) JSON object into dot-separated field entries.
|
||||
/// e.g. `{"credentials": {"type": "ssh", "content": "..."}}` →
|
||||
/// `[("credentials.type", "ssh"), ("credentials.content", "...")]`
|
||||
@@ -291,12 +269,10 @@ pub async fn run(pool: &PgPool, args: AddArgs<'_>, master_key: &[u8; 32]) -> Res
|
||||
struct ExistingField {
|
||||
id: uuid::Uuid,
|
||||
field_name: String,
|
||||
field_type: String,
|
||||
value_len: i32,
|
||||
encrypted: Vec<u8>,
|
||||
}
|
||||
let existing_fields: Vec<ExistingField> = sqlx::query_as(
|
||||
"SELECT id, field_name, field_type, value_len, encrypted \
|
||||
"SELECT id, field_name, encrypted \
|
||||
FROM secrets WHERE entry_id = $1",
|
||||
)
|
||||
.bind(entry_id)
|
||||
@@ -311,8 +287,6 @@ pub async fn run(pool: &PgPool, args: AddArgs<'_>, master_key: &[u8; 32]) -> Res
|
||||
secret_id: f.id,
|
||||
entry_version: new_entry_version - 1,
|
||||
field_name: &f.field_name,
|
||||
field_type: &f.field_type,
|
||||
value_len: f.value_len,
|
||||
encrypted: &f.encrypted,
|
||||
action: "add",
|
||||
},
|
||||
@@ -333,18 +307,14 @@ pub async fn run(pool: &PgPool, args: AddArgs<'_>, master_key: &[u8; 32]) -> Res
|
||||
// Insert new secret fields.
|
||||
let flat_fields = flatten_json_fields("", &secret_json);
|
||||
for (field_name, field_value) in &flat_fields {
|
||||
let field_type = infer_field_type(field_value);
|
||||
let value_len = compute_value_len(field_value);
|
||||
let encrypted = crypto::encrypt_json(master_key, field_value)?;
|
||||
|
||||
sqlx::query(
|
||||
"INSERT INTO secrets (entry_id, field_name, field_type, value_len, encrypted) \
|
||||
VALUES ($1, $2, $3, $4, $5)",
|
||||
"INSERT INTO secrets (entry_id, field_name, encrypted) \
|
||||
VALUES ($1, $2, $3)",
|
||||
)
|
||||
.bind(entry_id)
|
||||
.bind(field_name)
|
||||
.bind(field_type)
|
||||
.bind(value_len)
|
||||
.bind(&encrypted)
|
||||
.execute(&mut *tx)
|
||||
.await?;
|
||||
@@ -399,10 +369,7 @@ pub async fn run(pool: &PgPool, args: AddArgs<'_>, master_key: &[u8; 32]) -> Res
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use super::{
|
||||
build_json, compute_value_len, flatten_json_fields, infer_field_type, key_path_to_string,
|
||||
parse_kv, remove_path,
|
||||
};
|
||||
use super::{build_json, flatten_json_fields, key_path_to_string, parse_kv, remove_path};
|
||||
use serde_json::Value;
|
||||
use std::fs;
|
||||
use std::path::PathBuf;
|
||||
@@ -489,19 +456,4 @@ mod tests {
|
||||
assert_eq!(fields[1].0, "credentials.type");
|
||||
assert_eq!(fields[2].0, "username");
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn infer_field_types() {
|
||||
assert_eq!(infer_field_type(&Value::String("x".into())), "string");
|
||||
assert_eq!(infer_field_type(&serde_json::json!(42)), "number");
|
||||
assert_eq!(infer_field_type(&Value::Bool(true)), "boolean");
|
||||
assert_eq!(infer_field_type(&serde_json::json!(["a"])), "json");
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn compute_value_len_string() {
|
||||
assert_eq!(compute_value_len(&Value::String("root".into())), 4);
|
||||
assert_eq!(compute_value_len(&Value::Null), 0);
|
||||
assert_eq!(compute_value_len(&serde_json::json!(1234)), 4);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
use anyhow::Result;
|
||||
use serde_json::json;
|
||||
use sqlx::PgPool;
|
||||
use uuid::Uuid;
|
||||
|
||||
use crate::db;
|
||||
use crate::models::{EntryRow, SecretFieldRow};
|
||||
@@ -8,13 +9,50 @@ use crate::output::{OutputMode, print_json};
|
||||
|
||||
pub struct DeleteArgs<'a> {
|
||||
pub namespace: &'a str,
|
||||
pub kind: &'a str,
|
||||
pub name: &'a str,
|
||||
/// Kind filter. Required when --name is given; optional for bulk deletes.
|
||||
pub kind: Option<&'a str>,
|
||||
/// Exact record name. When None, bulk-delete all matching records.
|
||||
pub name: Option<&'a str>,
|
||||
/// Preview without writing to the database (bulk mode only).
|
||||
pub dry_run: bool,
|
||||
pub output: OutputMode,
|
||||
}
|
||||
|
||||
// ── Internal row type used for bulk queries ────────────────────────────────
|
||||
|
||||
#[derive(Debug, sqlx::FromRow)]
|
||||
struct FullEntryRow {
|
||||
pub id: Uuid,
|
||||
pub version: i64,
|
||||
pub kind: String,
|
||||
pub name: String,
|
||||
pub metadata: serde_json::Value,
|
||||
pub tags: Vec<String>,
|
||||
}
|
||||
|
||||
// ── Entry point ────────────────────────────────────────────────────────────
|
||||
|
||||
pub async fn run(pool: &PgPool, args: DeleteArgs<'_>) -> Result<()> {
|
||||
let (namespace, kind, name) = (args.namespace, args.kind, args.name);
|
||||
match args.name {
|
||||
Some(name) => {
|
||||
let kind = args
|
||||
.kind
|
||||
.ok_or_else(|| anyhow::anyhow!("--kind is required when --name is specified"))?;
|
||||
delete_one(pool, args.namespace, kind, name, args.output).await
|
||||
}
|
||||
None => delete_bulk(pool, args.namespace, args.kind, args.dry_run, args.output).await,
|
||||
}
|
||||
}
|
||||
|
||||
// ── Single-record delete (original behaviour) ─────────────────────────────
|
||||
|
||||
async fn delete_one(
|
||||
pool: &PgPool,
|
||||
namespace: &str,
|
||||
kind: &str,
|
||||
name: &str,
|
||||
output: OutputMode,
|
||||
) -> Result<()> {
|
||||
tracing::debug!(namespace, kind, name, "deleting entry");
|
||||
|
||||
let mut tx = pool.begin().await?;
|
||||
@@ -34,16 +72,174 @@ pub async fn run(pool: &PgPool, args: DeleteArgs<'_>) -> Result<()> {
|
||||
tx.rollback().await?;
|
||||
tracing::warn!(namespace, kind, name, "entry not found for deletion");
|
||||
let v = json!({"action":"not_found","namespace":namespace,"kind":kind,"name":name});
|
||||
match args.output {
|
||||
match output {
|
||||
OutputMode::Text => println!("Not found: [{}/{}] {}", namespace, kind, name),
|
||||
ref mode => print_json(&v, mode)?,
|
||||
}
|
||||
return Ok(());
|
||||
};
|
||||
|
||||
// Snapshot entry history before deleting.
|
||||
if let Err(e) = db::snapshot_entry_history(
|
||||
snapshot_and_delete(&mut tx, namespace, kind, name, &row).await?;
|
||||
|
||||
crate::audit::log_tx(&mut tx, "delete", namespace, kind, name, json!({})).await;
|
||||
tx.commit().await?;
|
||||
|
||||
let v = json!({"action":"deleted","namespace":namespace,"kind":kind,"name":name});
|
||||
match output {
|
||||
OutputMode::Text => println!("Deleted: [{}/{}] {}", namespace, kind, name),
|
||||
ref mode => print_json(&v, mode)?,
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
|
||||
// ── Bulk delete by namespace (+ optional kind filter) ─────────────────────
|
||||
|
||||
async fn delete_bulk(
|
||||
pool: &PgPool,
|
||||
namespace: &str,
|
||||
kind: Option<&str>,
|
||||
dry_run: bool,
|
||||
output: OutputMode,
|
||||
) -> Result<()> {
|
||||
tracing::debug!(namespace, ?kind, dry_run, "bulk-deleting entries");
|
||||
|
||||
let rows: Vec<FullEntryRow> = if let Some(k) = kind {
|
||||
sqlx::query_as(
|
||||
"SELECT id, version, kind, name, metadata, tags FROM entries \
|
||||
WHERE namespace = $1 AND kind = $2 \
|
||||
ORDER BY name",
|
||||
)
|
||||
.bind(namespace)
|
||||
.bind(k)
|
||||
.fetch_all(pool)
|
||||
.await?
|
||||
} else {
|
||||
sqlx::query_as(
|
||||
"SELECT id, version, kind, name, metadata, tags FROM entries \
|
||||
WHERE namespace = $1 \
|
||||
ORDER BY kind, name",
|
||||
)
|
||||
.bind(namespace)
|
||||
.fetch_all(pool)
|
||||
.await?
|
||||
};
|
||||
|
||||
if rows.is_empty() {
|
||||
let v = json!({
|
||||
"action": "noop",
|
||||
"namespace": namespace,
|
||||
"kind": kind,
|
||||
"deleted": 0,
|
||||
"dry_run": dry_run
|
||||
});
|
||||
match output {
|
||||
OutputMode::Text => println!(
|
||||
"No records found in namespace \"{}\"{}.",
|
||||
namespace,
|
||||
kind.map(|k| format!(" with kind \"{}\"", k))
|
||||
.unwrap_or_default()
|
||||
),
|
||||
ref mode => print_json(&v, mode)?,
|
||||
}
|
||||
return Ok(());
|
||||
}
|
||||
|
||||
if dry_run {
|
||||
let count = rows.len();
|
||||
match output {
|
||||
OutputMode::Text => {
|
||||
println!(
|
||||
"dry-run: would delete {} record(s) in namespace \"{}\":",
|
||||
count, namespace
|
||||
);
|
||||
for r in &rows {
|
||||
println!(" [{}/{}] {}", namespace, r.kind, r.name);
|
||||
}
|
||||
}
|
||||
ref mode => {
|
||||
let items: Vec<_> = rows
|
||||
.iter()
|
||||
.map(|r| json!({"namespace": namespace, "kind": r.kind, "name": r.name}))
|
||||
.collect();
|
||||
print_json(
|
||||
&json!({
|
||||
"action": "dry_run",
|
||||
"namespace": namespace,
|
||||
"kind": kind,
|
||||
"would_delete": count,
|
||||
"entries": items
|
||||
}),
|
||||
mode,
|
||||
)?;
|
||||
}
|
||||
}
|
||||
return Ok(());
|
||||
}
|
||||
|
||||
let mut deleted = Vec::with_capacity(rows.len());
|
||||
|
||||
for row in &rows {
|
||||
let entry_row = EntryRow {
|
||||
id: row.id,
|
||||
version: row.version,
|
||||
tags: row.tags.clone(),
|
||||
metadata: row.metadata.clone(),
|
||||
};
|
||||
let mut tx = pool.begin().await?;
|
||||
snapshot_and_delete(&mut tx, namespace, &row.kind, &row.name, &entry_row).await?;
|
||||
crate::audit::log_tx(
|
||||
&mut tx,
|
||||
"delete",
|
||||
namespace,
|
||||
&row.kind,
|
||||
&row.name,
|
||||
json!({"bulk": true}),
|
||||
)
|
||||
.await;
|
||||
tx.commit().await?;
|
||||
|
||||
deleted.push(json!({"namespace": namespace, "kind": row.kind, "name": row.name}));
|
||||
tracing::info!(namespace, kind = %row.kind, name = %row.name, "bulk deleted");
|
||||
}
|
||||
|
||||
let count = deleted.len();
|
||||
match output {
|
||||
OutputMode::Text => {
|
||||
for item in &deleted {
|
||||
println!(
|
||||
"Deleted: [{}/{}] {}",
|
||||
item["namespace"].as_str().unwrap_or(""),
|
||||
item["kind"].as_str().unwrap_or(""),
|
||||
item["name"].as_str().unwrap_or("")
|
||||
);
|
||||
}
|
||||
println!("Total: {} record(s) deleted.", count);
|
||||
}
|
||||
ref mode => print_json(
|
||||
&json!({
|
||||
"action": "deleted",
|
||||
"namespace": namespace,
|
||||
"kind": kind,
|
||||
"deleted": count,
|
||||
"entries": deleted
|
||||
}),
|
||||
mode,
|
||||
)?,
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
|
||||
// ── Shared helper: snapshot history then DELETE ────────────────────────────
|
||||
|
||||
async fn snapshot_and_delete(
|
||||
tx: &mut sqlx::Transaction<'_, sqlx::Postgres>,
|
||||
namespace: &str,
|
||||
kind: &str,
|
||||
name: &str,
|
||||
row: &EntryRow,
|
||||
) -> Result<()> {
|
||||
if let Err(e) = db::snapshot_entry_history(
|
||||
tx,
|
||||
db::EntrySnapshotParams {
|
||||
entry_id: row.id,
|
||||
namespace,
|
||||
@@ -60,50 +256,36 @@ pub async fn run(pool: &PgPool, args: DeleteArgs<'_>) -> Result<()> {
|
||||
tracing::warn!(error = %e, "failed to snapshot entry history before delete");
|
||||
}
|
||||
|
||||
// Snapshot all secret fields before cascade delete.
|
||||
let fields: Vec<SecretFieldRow> = sqlx::query_as(
|
||||
"SELECT id, field_name, field_type, value_len, encrypted \
|
||||
"SELECT id, field_name, encrypted \
|
||||
FROM secrets WHERE entry_id = $1",
|
||||
)
|
||||
.bind(row.id)
|
||||
.fetch_all(&mut *tx)
|
||||
.fetch_all(&mut **tx)
|
||||
.await?;
|
||||
|
||||
for f in &fields {
|
||||
if let Err(e) = db::snapshot_secret_history(
|
||||
&mut tx,
|
||||
tx,
|
||||
db::SecretSnapshotParams {
|
||||
entry_id: row.id,
|
||||
secret_id: f.id,
|
||||
entry_version: row.version,
|
||||
field_name: &f.field_name,
|
||||
field_type: &f.field_type,
|
||||
value_len: f.value_len,
|
||||
encrypted: &f.encrypted,
|
||||
action: "delete",
|
||||
},
|
||||
)
|
||||
.await
|
||||
{
|
||||
tracing::warn!(error = %e, "failed to snapshot secret field history before delete");
|
||||
tracing::warn!(error = %e, "failed to snapshot secret history before delete");
|
||||
}
|
||||
}
|
||||
|
||||
// Delete the entry — secrets rows are removed via ON DELETE CASCADE.
|
||||
sqlx::query("DELETE FROM entries WHERE id = $1")
|
||||
.bind(row.id)
|
||||
.execute(&mut *tx)
|
||||
.execute(&mut **tx)
|
||||
.await?;
|
||||
|
||||
crate::audit::log_tx(&mut tx, "delete", namespace, kind, name, json!({})).await;
|
||||
|
||||
tx.commit().await?;
|
||||
|
||||
let v = json!({"action":"deleted","namespace":namespace,"kind":kind,"name":name});
|
||||
match args.output {
|
||||
OutputMode::Text => println!("Deleted: [{}/{}] {}", namespace, kind, name),
|
||||
ref mode => print_json(&v, mode)?,
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
@@ -71,14 +71,12 @@ pub async fn run(pool: &PgPool, args: RollbackArgs<'_>, master_key: &[u8; 32]) -
|
||||
struct SecretHistoryRow {
|
||||
secret_id: Uuid,
|
||||
field_name: String,
|
||||
field_type: String,
|
||||
value_len: i32,
|
||||
encrypted: Vec<u8>,
|
||||
action: String,
|
||||
}
|
||||
|
||||
let field_snaps: Vec<SecretHistoryRow> = sqlx::query_as(
|
||||
"SELECT secret_id, field_name, field_type, value_len, encrypted, action \
|
||||
"SELECT secret_id, field_name, encrypted, action \
|
||||
FROM secrets_history \
|
||||
WHERE entry_id = $1 AND entry_version = $2 \
|
||||
ORDER BY field_name",
|
||||
@@ -145,12 +143,10 @@ pub async fn run(pool: &PgPool, args: RollbackArgs<'_>, master_key: &[u8; 32]) -
|
||||
struct LiveField {
|
||||
id: Uuid,
|
||||
field_name: String,
|
||||
field_type: String,
|
||||
value_len: i32,
|
||||
encrypted: Vec<u8>,
|
||||
}
|
||||
let live_fields: Vec<LiveField> = sqlx::query_as(
|
||||
"SELECT id, field_name, field_type, value_len, encrypted \
|
||||
"SELECT id, field_name, encrypted \
|
||||
FROM secrets WHERE entry_id = $1",
|
||||
)
|
||||
.bind(lr.id)
|
||||
@@ -165,8 +161,6 @@ pub async fn run(pool: &PgPool, args: RollbackArgs<'_>, master_key: &[u8; 32]) -
|
||||
secret_id: f.id,
|
||||
entry_version: lr.version,
|
||||
field_name: &f.field_name,
|
||||
field_type: &f.field_type,
|
||||
value_len: f.value_len,
|
||||
encrypted: &f.encrypted,
|
||||
action: "rollback",
|
||||
},
|
||||
@@ -212,11 +206,9 @@ pub async fn run(pool: &PgPool, args: RollbackArgs<'_>, master_key: &[u8; 32]) -
|
||||
continue;
|
||||
}
|
||||
sqlx::query(
|
||||
"INSERT INTO secrets (id, entry_id, field_name, field_type, value_len, encrypted) \
|
||||
VALUES ($1, $2, $3, $4, $5, $6) \
|
||||
"INSERT INTO secrets (id, entry_id, field_name, encrypted) \
|
||||
VALUES ($1, $2, $3, $4) \
|
||||
ON CONFLICT (entry_id, field_name) DO UPDATE SET \
|
||||
field_type = EXCLUDED.field_type, \
|
||||
value_len = EXCLUDED.value_len, \
|
||||
encrypted = EXCLUDED.encrypted, \
|
||||
version = secrets.version + 1, \
|
||||
updated_at = NOW()",
|
||||
@@ -224,8 +216,6 @@ pub async fn run(pool: &PgPool, args: RollbackArgs<'_>, master_key: &[u8; 32]) -
|
||||
.bind(f.secret_id)
|
||||
.bind(snap.entry_id)
|
||||
.bind(&f.field_name)
|
||||
.bind(&f.field_type)
|
||||
.bind(f.value_len)
|
||||
.bind(&f.encrypted)
|
||||
.execute(&mut *tx)
|
||||
.await?;
|
||||
|
||||
@@ -24,7 +24,7 @@ pub struct RunArgs<'a> {
|
||||
pub command: &'a [String],
|
||||
}
|
||||
|
||||
/// Fetch entries matching the filter and build a flat env map (metadata + decrypted secrets).
|
||||
/// Fetch entries matching the filter and build a flat env map (decrypted secrets only, no metadata).
|
||||
pub async fn collect_env_map(
|
||||
pool: &PgPool,
|
||||
namespace: Option<&str>,
|
||||
|
||||
@@ -250,8 +250,8 @@ async fn fetch_entries_paged(pool: &PgPool, a: PagedFetchArgs<'_>) -> Result<Vec
|
||||
|
||||
// ── Secret schema fetching (no master key) ───────────────────────────────────
|
||||
|
||||
/// Fetch secret field schemas (field_name, field_type, value_len) for a set of entry ids.
|
||||
/// Returns a map from entry_id to list of SecretField (encrypted field not used here).
|
||||
/// Fetch secret field names for a set of entry ids.
|
||||
/// Returns a map from entry_id to list of SecretField.
|
||||
async fn fetch_secret_schemas(
|
||||
pool: &PgPool,
|
||||
entry_ids: &[uuid::Uuid],
|
||||
@@ -312,25 +312,7 @@ fn env_prefix(entry: &Entry, prefix: &str) -> String {
|
||||
}
|
||||
}
|
||||
|
||||
/// Build a flat KEY=VALUE map from metadata only (no master key required).
|
||||
pub fn build_metadata_env_map(entry: &Entry, prefix: &str) -> HashMap<String, String> {
|
||||
let effective_prefix = env_prefix(entry, prefix);
|
||||
let mut map = HashMap::new();
|
||||
|
||||
if let Some(meta) = entry.metadata.as_object() {
|
||||
for (k, v) in meta {
|
||||
let key = format!(
|
||||
"{}_{}",
|
||||
effective_prefix,
|
||||
k.to_uppercase().replace(['-', '.'], "_")
|
||||
);
|
||||
map.insert(key, json_value_to_env_string(v));
|
||||
}
|
||||
}
|
||||
map
|
||||
}
|
||||
|
||||
/// Build a flat KEY=VALUE map from metadata + decrypted secret fields.
|
||||
/// Build a flat KEY=VALUE map from decrypted secret fields only.
|
||||
/// Resolves key_ref: if metadata.key_ref is set, merges secret fields from that key entry.
|
||||
pub async fn build_injected_env_map(
|
||||
pool: &PgPool,
|
||||
@@ -340,7 +322,7 @@ pub async fn build_injected_env_map(
|
||||
fields: &[SecretField],
|
||||
) -> Result<HashMap<String, String>> {
|
||||
let effective_prefix = env_prefix(entry, prefix);
|
||||
let mut map = build_metadata_env_map(entry, prefix);
|
||||
let mut map = HashMap::new();
|
||||
|
||||
// Decrypt each secret field and add to env map.
|
||||
for f in fields {
|
||||
@@ -423,8 +405,6 @@ fn to_json(entry: &Entry, summary: bool, schema: Option<&[SecretField]>) -> Valu
|
||||
.map(|f| {
|
||||
json!({
|
||||
"field_name": f.field_name,
|
||||
"field_type": f.field_type,
|
||||
"value_len": f.value_len,
|
||||
})
|
||||
})
|
||||
.collect();
|
||||
@@ -474,10 +454,7 @@ fn print_text(entry: &Entry, summary: bool, schema: Option<&[SecretField]>) -> R
|
||||
}
|
||||
match schema {
|
||||
Some(fields) if !fields.is_empty() => {
|
||||
let schema_str: Vec<String> = fields
|
||||
.iter()
|
||||
.map(|f| format!("{}: {}({})", f.field_name, f.field_type, f.value_len))
|
||||
.collect();
|
||||
let schema_str: Vec<String> = fields.iter().map(|f| f.field_name.clone()).collect();
|
||||
println!(" secrets: {}", schema_str.join(", "));
|
||||
println!(" (use `secrets inject` or `secrets run` to get values)");
|
||||
}
|
||||
@@ -542,7 +519,7 @@ mod tests {
|
||||
kind: "service".to_string(),
|
||||
name: "gitea.main".to_string(),
|
||||
tags: vec!["prod".to_string()],
|
||||
metadata: json!({"url": "https://gitea.refining.dev", "enabled": true}),
|
||||
metadata: json!({"url": "https://code.example.com", "enabled": true}),
|
||||
version: 1,
|
||||
created_at: Utc::now(),
|
||||
updated_at: Utc::now(),
|
||||
@@ -556,8 +533,6 @@ mod tests {
|
||||
id: Uuid::nil(),
|
||||
entry_id: Uuid::nil(),
|
||||
field_name: "token".to_string(),
|
||||
field_type: "string".to_string(),
|
||||
value_len: 6,
|
||||
encrypted: enc,
|
||||
version: 1,
|
||||
created_at: Utc::now(),
|
||||
@@ -572,22 +547,6 @@ mod tests {
|
||||
assert!(err.to_string().contains("sensitive"));
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn metadata_env_map_excludes_secret_values() {
|
||||
let entry = sample_entry();
|
||||
let map = build_metadata_env_map(&entry, "");
|
||||
|
||||
assert_eq!(
|
||||
map.get("GITEA_MAIN_URL").map(String::as_str),
|
||||
Some("https://gitea.refining.dev")
|
||||
);
|
||||
assert_eq!(
|
||||
map.get("GITEA_MAIN_ENABLED").map(String::as_str),
|
||||
Some("true")
|
||||
);
|
||||
assert!(!map.contains_key("GITEA_MAIN_TOKEN"));
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn to_json_full_includes_secrets_schema() {
|
||||
let entry = sample_entry();
|
||||
@@ -597,8 +556,6 @@ mod tests {
|
||||
let secrets = v.get("secrets").unwrap().as_array().unwrap();
|
||||
assert_eq!(secrets.len(), 1);
|
||||
assert_eq!(secrets[0]["field_name"], "token");
|
||||
assert_eq!(secrets[0]["field_type"], "string");
|
||||
assert_eq!(secrets[0]["value_len"], 6);
|
||||
}
|
||||
|
||||
#[test]
|
||||
|
||||
@@ -4,8 +4,8 @@ use sqlx::PgPool;
|
||||
use uuid::Uuid;
|
||||
|
||||
use super::add::{
|
||||
collect_field_paths, collect_key_paths, compute_value_len, flatten_json_fields,
|
||||
infer_field_type, insert_path, parse_key_path, parse_kv, remove_path,
|
||||
collect_field_paths, collect_key_paths, flatten_json_fields, insert_path, parse_key_path,
|
||||
parse_kv, remove_path,
|
||||
};
|
||||
use crate::crypto;
|
||||
use crate::db;
|
||||
@@ -130,20 +130,16 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) ->
|
||||
});
|
||||
|
||||
for (field_name, fv) in &flat {
|
||||
let field_type = infer_field_type(fv);
|
||||
let value_len = compute_value_len(fv);
|
||||
let encrypted = crypto::encrypt_json(master_key, fv)?;
|
||||
|
||||
// Snapshot existing field before replacing.
|
||||
#[derive(sqlx::FromRow)]
|
||||
struct ExistingField {
|
||||
id: Uuid,
|
||||
field_type: String,
|
||||
value_len: i32,
|
||||
encrypted: Vec<u8>,
|
||||
}
|
||||
let existing_field: Option<ExistingField> = sqlx::query_as(
|
||||
"SELECT id, field_type, value_len, encrypted \
|
||||
"SELECT id, encrypted \
|
||||
FROM secrets WHERE entry_id = $1 AND field_name = $2",
|
||||
)
|
||||
.bind(row.id)
|
||||
@@ -159,8 +155,6 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) ->
|
||||
secret_id: ef.id,
|
||||
entry_version: row.version,
|
||||
field_name,
|
||||
field_type: &ef.field_type,
|
||||
value_len: ef.value_len,
|
||||
encrypted: &ef.encrypted,
|
||||
action: "update",
|
||||
},
|
||||
@@ -171,19 +165,15 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) ->
|
||||
}
|
||||
|
||||
sqlx::query(
|
||||
"INSERT INTO secrets (entry_id, field_name, field_type, value_len, encrypted) \
|
||||
VALUES ($1, $2, $3, $4, $5) \
|
||||
"INSERT INTO secrets (entry_id, field_name, encrypted) \
|
||||
VALUES ($1, $2, $3) \
|
||||
ON CONFLICT (entry_id, field_name) DO UPDATE SET \
|
||||
field_type = EXCLUDED.field_type, \
|
||||
value_len = EXCLUDED.value_len, \
|
||||
encrypted = EXCLUDED.encrypted, \
|
||||
version = secrets.version + 1, \
|
||||
updated_at = NOW()",
|
||||
)
|
||||
.bind(row.id)
|
||||
.bind(field_name)
|
||||
.bind(field_type)
|
||||
.bind(value_len)
|
||||
.bind(&encrypted)
|
||||
.execute(&mut *tx)
|
||||
.await?;
|
||||
@@ -200,12 +190,10 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) ->
|
||||
#[derive(sqlx::FromRow)]
|
||||
struct FieldToDelete {
|
||||
id: Uuid,
|
||||
field_type: String,
|
||||
value_len: i32,
|
||||
encrypted: Vec<u8>,
|
||||
}
|
||||
let field: Option<FieldToDelete> = sqlx::query_as(
|
||||
"SELECT id, field_type, value_len, encrypted \
|
||||
"SELECT id, encrypted \
|
||||
FROM secrets WHERE entry_id = $1 AND field_name = $2",
|
||||
)
|
||||
.bind(row.id)
|
||||
@@ -221,8 +209,6 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) ->
|
||||
secret_id: f.id,
|
||||
entry_version: new_version,
|
||||
field_name: &field_name,
|
||||
field_type: &f.field_type,
|
||||
value_len: f.value_len,
|
||||
encrypted: &f.encrypted,
|
||||
action: "delete",
|
||||
},
|
||||
|
||||
@@ -5,10 +5,26 @@ use sha2::{Digest, Sha256};
|
||||
use std::io::{Cursor, Read, Write};
|
||||
use std::time::Duration;
|
||||
|
||||
const GITEA_API: &str = "https://gitea.refining.dev/api/v1/repos/refining/secrets/releases/latest";
|
||||
|
||||
const CURRENT_VERSION: &str = env!("CARGO_PKG_VERSION");
|
||||
|
||||
/// Build-time config via `option_env!("SECRETS_UPGRADE_URL")`. Set during `cargo build`, e.g.:
|
||||
/// SECRETS_UPGRADE_URL=https://... cargo build --release
|
||||
const BUILD_UPGRADE_URL: Option<&'static str> = option_env!("SECRETS_UPGRADE_URL");
|
||||
|
||||
fn upgrade_api_url() -> Result<String> {
|
||||
if let Some(url) = BUILD_UPGRADE_URL.filter(|s| !s.trim().is_empty()) {
|
||||
return Ok(url.to_string());
|
||||
}
|
||||
let url = std::env::var("SECRETS_UPGRADE_URL").context(
|
||||
"SECRETS_UPGRADE_URL is not set at build or runtime. Set it when building: \
|
||||
SECRETS_UPGRADE_URL=https://... cargo build, or export before running secrets upgrade.",
|
||||
)?;
|
||||
if url.trim().is_empty() {
|
||||
anyhow::bail!("SECRETS_UPGRADE_URL is empty.");
|
||||
}
|
||||
Ok(url)
|
||||
}
|
||||
|
||||
#[derive(Debug, Deserialize)]
|
||||
struct Release {
|
||||
tag_name: String,
|
||||
@@ -186,13 +202,14 @@ pub async fn run(check_only: bool) -> Result<()> {
|
||||
.build()
|
||||
.context("failed to build HTTP client")?;
|
||||
|
||||
let api_url = upgrade_api_url()?;
|
||||
let release: Release = client
|
||||
.get(GITEA_API)
|
||||
.get(&api_url)
|
||||
.send()
|
||||
.await
|
||||
.context("failed to fetch release info from Gitea")?
|
||||
.context("failed to fetch release info")?
|
||||
.error_for_status()
|
||||
.context("Gitea API returned an error")?
|
||||
.context("release API returned an error")?
|
||||
.json()
|
||||
.await
|
||||
.context("failed to parse release JSON")?;
|
||||
|
||||
12
src/db.rs
12
src/db.rs
@@ -44,8 +44,6 @@ pub async fn migrate(pool: &PgPool) -> Result<()> {
|
||||
id UUID PRIMARY KEY DEFAULT uuidv7(),
|
||||
entry_id UUID NOT NULL REFERENCES entries(id) ON DELETE CASCADE,
|
||||
field_name VARCHAR(256) NOT NULL,
|
||||
field_type VARCHAR(32) NOT NULL DEFAULT 'string',
|
||||
value_len INT NOT NULL DEFAULT 0,
|
||||
encrypted BYTEA NOT NULL DEFAULT '\x',
|
||||
version BIGINT NOT NULL DEFAULT 1,
|
||||
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
|
||||
@@ -103,8 +101,6 @@ pub async fn migrate(pool: &PgPool) -> Result<()> {
|
||||
secret_id UUID NOT NULL,
|
||||
entry_version BIGINT NOT NULL,
|
||||
field_name VARCHAR(256) NOT NULL,
|
||||
field_type VARCHAR(32) NOT NULL DEFAULT 'string',
|
||||
value_len INT NOT NULL DEFAULT 0,
|
||||
encrypted BYTEA NOT NULL DEFAULT '\x',
|
||||
action VARCHAR(16) NOT NULL,
|
||||
actor VARCHAR(128) NOT NULL DEFAULT '',
|
||||
@@ -168,8 +164,6 @@ pub struct SecretSnapshotParams<'a> {
|
||||
pub secret_id: uuid::Uuid,
|
||||
pub entry_version: i64,
|
||||
pub field_name: &'a str,
|
||||
pub field_type: &'a str,
|
||||
pub value_len: i32,
|
||||
pub encrypted: &'a [u8],
|
||||
pub action: &'a str,
|
||||
}
|
||||
@@ -182,15 +176,13 @@ pub async fn snapshot_secret_history(
|
||||
let actor = current_actor();
|
||||
sqlx::query(
|
||||
"INSERT INTO secrets_history \
|
||||
(entry_id, secret_id, entry_version, field_name, field_type, value_len, encrypted, action, actor) \
|
||||
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
|
||||
(entry_id, secret_id, entry_version, field_name, encrypted, action, actor) \
|
||||
VALUES ($1, $2, $3, $4, $5, $6, $7)",
|
||||
)
|
||||
.bind(p.entry_id)
|
||||
.bind(p.secret_id)
|
||||
.bind(p.entry_version)
|
||||
.bind(p.field_name)
|
||||
.bind(p.field_type)
|
||||
.bind(p.value_len)
|
||||
.bind(p.encrypted)
|
||||
.bind(p.action)
|
||||
.bind(&actor)
|
||||
|
||||
90
src/main.rs
90
src/main.rs
@@ -7,6 +7,11 @@ mod models;
|
||||
mod output;
|
||||
|
||||
use anyhow::Result;
|
||||
|
||||
/// Load .env from current or parent directories (best-effort, no error if missing).
|
||||
fn load_dotenv() {
|
||||
let _ = dotenvy::dotenv();
|
||||
}
|
||||
use clap::{Parser, Subcommand};
|
||||
use tracing_subscriber::EnvFilter;
|
||||
|
||||
@@ -76,25 +81,25 @@ EXAMPLES:
|
||||
# Add a server
|
||||
secrets add -n refining --kind server --name my-server \\
|
||||
--tag aliyun --tag shanghai \\
|
||||
-m ip=47.117.131.22 -m desc=\"Aliyun Shanghai ECS\" \\
|
||||
-m ip=10.0.0.1 -m desc=\"Example ECS\" \\
|
||||
-s username=root -s ssh_key=@./keys/server.pem
|
||||
|
||||
# Add a service credential
|
||||
secrets add -n refining --kind service --name gitea \\
|
||||
--tag gitea \\
|
||||
-m url=https://gitea.refining.dev -m default_org=refining \\
|
||||
-m url=https://code.example.com -m default_org=myorg \\
|
||||
-s token=<token>
|
||||
|
||||
# Add typed JSON metadata
|
||||
secrets add -n refining --kind service --name gitea \\
|
||||
-m port:=3000 \\
|
||||
-m enabled:=true \\
|
||||
-m domains:='[\"gitea.refining.dev\",\"git.refining.dev\"]' \\
|
||||
-m domains:='[\"code.example.com\",\"git.example.com\"]' \\
|
||||
-m tls:='{\"enabled\":true,\"redirect_http\":true}'
|
||||
|
||||
# Add with token read from a file
|
||||
secrets add -n ricnsmart --kind service --name mqtt \\
|
||||
-m host=mqtt.ricnsmart.com -m port=1883 \\
|
||||
-m host=mqtt.example.com -m port=1883 \\
|
||||
-s password=@./mqtt_password.txt
|
||||
|
||||
# Add typed JSON secrets
|
||||
@@ -106,7 +111,13 @@ EXAMPLES:
|
||||
|
||||
# Write a multiline file into a nested secret field
|
||||
secrets add -n refining --kind server --name my-server \\
|
||||
-s credentials:content@./keys/server.pem")]
|
||||
-s credentials:content@./keys/server.pem
|
||||
|
||||
# Shared PEM (key_ref): store key once, reference from multiple servers
|
||||
secrets add -n refining --kind key --name my-shared-key \\
|
||||
--tag aliyun -s content=@./keys/shared.pem
|
||||
secrets add -n refining --kind server --name i-abc123 \\
|
||||
-m ip=10.0.0.1 -m key_ref=my-shared-key -s username=ecs-user")]
|
||||
Add {
|
||||
/// Namespace, e.g. refining, ricnsmart
|
||||
#[arg(short, long)]
|
||||
@@ -114,13 +125,14 @@ EXAMPLES:
|
||||
/// Kind of record: server, service, key, ...
|
||||
#[arg(long)]
|
||||
kind: String,
|
||||
/// Human-readable unique name, e.g. gitea, i-uf63f2uookgs5uxmrdyc
|
||||
/// Human-readable unique name, e.g. gitea, i-example0abcd1234efgh
|
||||
#[arg(long)]
|
||||
name: String,
|
||||
/// Tag for categorization (repeatable), e.g. --tag aliyun --tag hongkong
|
||||
#[arg(long = "tag")]
|
||||
tags: Vec<String>,
|
||||
/// Plaintext metadata: key=value, key:=<json>, key=@file, or nested:path@file
|
||||
/// Plaintext metadata: key=value, key:=<json>, key=@file, or nested:path@file.
|
||||
/// Use key_ref=<name> to reference a shared key entry (kind=key); inject/run merge its secrets.
|
||||
#[arg(long = "meta", short = 'm')]
|
||||
meta: Vec<String>,
|
||||
/// Secret entry: key=value, key:=<json>, key=@file, or nested:path@file
|
||||
@@ -177,7 +189,7 @@ EXAMPLES:
|
||||
/// Filter by kind, e.g. server, service
|
||||
#[arg(long)]
|
||||
kind: Option<String>,
|
||||
/// Exact name filter, e.g. gitea, i-uf63f2uookgs5uxmrdyc
|
||||
/// Exact name filter, e.g. gitea, i-example0abcd1234efgh
|
||||
#[arg(long)]
|
||||
name: Option<String>,
|
||||
/// Filter by tag, e.g. --tag aliyun (repeatable for AND intersection)
|
||||
@@ -206,23 +218,39 @@ EXAMPLES:
|
||||
output: Option<String>,
|
||||
},
|
||||
|
||||
/// Delete a record permanently. Requires exact namespace + kind + name.
|
||||
/// Delete one record precisely, or bulk-delete by namespace.
|
||||
///
|
||||
/// With --name: deletes exactly that record (--kind also required).
|
||||
/// Without --name: bulk-deletes all records matching namespace + optional --kind.
|
||||
/// Use --dry-run to preview bulk deletes before committing.
|
||||
#[command(after_help = "EXAMPLES:
|
||||
# Delete a service credential
|
||||
# Delete a single record (exact match)
|
||||
secrets delete -n refining --kind service --name legacy-mqtt
|
||||
|
||||
# Delete a server record
|
||||
secrets delete -n ricnsmart --kind server --name i-old-server-id")]
|
||||
# Preview what a bulk delete would remove (no writes)
|
||||
secrets delete -n refining --dry-run
|
||||
|
||||
# Bulk-delete all records in a namespace
|
||||
secrets delete -n ricnsmart
|
||||
|
||||
# Bulk-delete only server records in a namespace
|
||||
secrets delete -n ricnsmart --kind server
|
||||
|
||||
# JSON output
|
||||
secrets delete -n refining --kind service -o json")]
|
||||
Delete {
|
||||
/// Namespace, e.g. refining
|
||||
#[arg(short, long)]
|
||||
namespace: String,
|
||||
/// Kind, e.g. server, service
|
||||
/// Kind filter, e.g. server, service (required with --name; optional for bulk)
|
||||
#[arg(long)]
|
||||
kind: String,
|
||||
/// Exact name of the record to delete
|
||||
kind: Option<String>,
|
||||
/// Exact name of the record to delete (omit for bulk delete)
|
||||
#[arg(long)]
|
||||
name: String,
|
||||
name: Option<String>,
|
||||
/// Preview what would be deleted without making any changes (bulk mode only)
|
||||
#[arg(long)]
|
||||
dry_run: bool,
|
||||
/// Output format: text (default on TTY), json, json-compact
|
||||
#[arg(short, long = "output")]
|
||||
output: Option<String>,
|
||||
@@ -266,7 +294,11 @@ EXAMPLES:
|
||||
# Update nested typed JSON fields
|
||||
secrets update -n refining --kind service --name deploy-bot \\
|
||||
-s auth:config:='{\"issuer\":\"gitea\",\"rotate\":true}' \\
|
||||
-s auth:retry:=5")]
|
||||
-s auth:retry:=5
|
||||
|
||||
# Rotate shared PEM (all servers with key_ref=my-shared-key get the new key)
|
||||
secrets update -n refining --kind key --name my-shared-key \\
|
||||
-s content=@./keys/new-shared.pem")]
|
||||
Update {
|
||||
/// Namespace, e.g. refining, ricnsmart
|
||||
#[arg(short, long)]
|
||||
@@ -283,7 +315,8 @@ EXAMPLES:
|
||||
/// Remove a tag (repeatable)
|
||||
#[arg(long = "remove-tag")]
|
||||
remove_tags: Vec<String>,
|
||||
/// Set or overwrite a metadata field: key=value, key:=<json>, key=@file, or nested:path@file
|
||||
/// Set or overwrite a metadata field: key=value, key:=<json>, key=@file, or nested:path@file.
|
||||
/// Use key_ref=<name> to reference a shared key entry (kind=key).
|
||||
#[arg(long = "meta", short = 'm')]
|
||||
meta: Vec<String>,
|
||||
/// Delete a metadata field by key or nested path, e.g. old_port or credentials:content
|
||||
@@ -373,7 +406,9 @@ EXAMPLES:
|
||||
secrets inject -n refining --kind service --name gitea -o json
|
||||
|
||||
# Eval into current shell (use with caution)
|
||||
eval $(secrets inject -n refining --kind service --name gitea)")]
|
||||
eval $(secrets inject -n refining --kind service --name gitea)
|
||||
|
||||
# For entries with metadata.key_ref, referenced key's secrets are merged automatically")]
|
||||
Inject {
|
||||
#[arg(short, long)]
|
||||
namespace: Option<String>,
|
||||
@@ -403,7 +438,9 @@ EXAMPLES:
|
||||
secrets run --tag production -- env | grep GITEA
|
||||
|
||||
# With prefix
|
||||
secrets run -n refining --kind service --name gitea --prefix GITEA -- printenv")]
|
||||
secrets run -n refining --kind service --name gitea --prefix GITEA -- printenv
|
||||
|
||||
# metadata.key_ref entries get key secrets merged (e.g. server + shared PEM)")]
|
||||
Run {
|
||||
#[arg(short, long)]
|
||||
namespace: Option<String>,
|
||||
@@ -423,8 +460,8 @@ EXAMPLES:
|
||||
|
||||
/// Check for a newer version and update the binary in-place.
|
||||
///
|
||||
/// Downloads the latest release from Gitea and replaces the current binary.
|
||||
/// No database connection or master key required.
|
||||
/// Downloads the latest release and replaces the current binary. No database connection or master key required.
|
||||
/// Release URL defaults to the upstream server; override via SECRETS_UPGRADE_URL for self-hosted or fork.
|
||||
#[command(after_help = "EXAMPLES:
|
||||
# Check for updates only (no download)
|
||||
secrets upgrade --check
|
||||
@@ -530,6 +567,7 @@ enum ConfigAction {
|
||||
|
||||
#[tokio::main]
|
||||
async fn main() -> Result<()> {
|
||||
load_dotenv();
|
||||
let cli = Cli::parse();
|
||||
|
||||
let filter = if cli.verbose {
|
||||
@@ -634,17 +672,19 @@ async fn main() -> Result<()> {
|
||||
namespace,
|
||||
kind,
|
||||
name,
|
||||
dry_run,
|
||||
output,
|
||||
} => {
|
||||
let _span =
|
||||
tracing::info_span!("cmd", command = "delete", %namespace, %kind, %name).entered();
|
||||
tracing::info_span!("cmd", command = "delete", %namespace, ?kind, ?name).entered();
|
||||
let out = resolve_output_mode(output.as_deref())?;
|
||||
commands::delete::run(
|
||||
&pool,
|
||||
commands::delete::DeleteArgs {
|
||||
namespace: &namespace,
|
||||
kind: &kind,
|
||||
name: &name,
|
||||
kind: kind.as_deref(),
|
||||
name: name.as_deref(),
|
||||
dry_run,
|
||||
output: out,
|
||||
},
|
||||
)
|
||||
|
||||
@@ -20,17 +20,11 @@ pub struct Entry {
|
||||
}
|
||||
|
||||
/// A single encrypted field belonging to an Entry.
|
||||
/// field_name, field_type, and value_len are stored in plaintext so that
|
||||
/// `search` can show the schema without requiring the master key.
|
||||
#[derive(Debug, Serialize, Deserialize, sqlx::FromRow)]
|
||||
pub struct SecretField {
|
||||
pub id: Uuid,
|
||||
pub entry_id: Uuid,
|
||||
pub field_name: String,
|
||||
/// Inferred type: "string", "number", "boolean", "json"
|
||||
pub field_type: String,
|
||||
/// Length of the plaintext value in characters (0 for binary-like PEM)
|
||||
pub value_len: i32,
|
||||
/// AES-256-GCM ciphertext: nonce(12B) || ciphertext+tag
|
||||
pub encrypted: Vec<u8>,
|
||||
pub version: i64,
|
||||
@@ -54,8 +48,6 @@ pub struct EntryRow {
|
||||
pub struct SecretFieldRow {
|
||||
pub id: Uuid,
|
||||
pub field_name: String,
|
||||
pub field_type: String,
|
||||
pub value_len: i32,
|
||||
pub encrypted: Vec<u8>,
|
||||
}
|
||||
|
||||
|
||||
3
test-fixtures/example-key.pem
Normal file
3
test-fixtures/example-key.pem
Normal file
@@ -0,0 +1,3 @@
|
||||
-----BEGIN EXAMPLE KEY PLACEHOLDER-----
|
||||
This file is for local dev/testing. Replace with a real key when needed.
|
||||
-----END EXAMPLE KEY PLACEHOLDER-----
|
||||
Reference in New Issue
Block a user