Compare commits
3 Commits
secrets-mc
...
df701f21b9
| Author | SHA1 | Date | |
|---|---|---|---|
| df701f21b9 | |||
| c3c536200e | |||
| 7909f7102d |
@@ -118,7 +118,7 @@ oauth_accounts (
|
||||
|
||||
### PEM 共享(`key_ref`)
|
||||
|
||||
将共享 PEM 存为 **`type=key`** 的 entry;其它记录在 `metadata.key_ref` 指向该 key 的 `name`(支持 `folder/name` 格式消歧)。更新 key 记录后,引用方通过服务层解析合并逻辑即可使用新密钥(实现见 `secrets_core::service::env_map`)。
|
||||
建议将共享 PEM 存为 **`type=key`** 的 entry;其它记录在 `metadata.key_ref` 指向目标 entry 的 `name`(支持 `folder/name` 格式消歧)。删除被引用 key 时,服务会自动迁移为单副本 + 重定向(复制到首个引用方,其余引用方改指向新 owner);解析逻辑见 `secrets_core::service::env_map`。
|
||||
|
||||
## 代码规范
|
||||
|
||||
|
||||
2
Cargo.lock
generated
2
Cargo.lock
generated
@@ -1968,7 +1968,7 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "secrets-mcp"
|
||||
version = "0.3.4"
|
||||
version = "0.3.7"
|
||||
dependencies = [
|
||||
"anyhow",
|
||||
"askama",
|
||||
|
||||
@@ -57,6 +57,7 @@ SECRETS_ENV=production
|
||||
- **`secrets_search`**:发现条目(可按 query / folder / type / name 过滤);不要求加密头。
|
||||
- **`secrets_get` / `secrets_update` / `secrets_delete`(按 name)/ `secrets_history` / `secrets_rollback`**:仅 `name` 且全局唯一则直接命中;若多条同名,返回消歧错误,需在参数中补 **`folder`**。
|
||||
- **`secrets_delete`**:`dry_run=true` 时与真实删除相同的消歧规则——唯一则预览一条,多条则报错并要求 `folder`。
|
||||
- **共享 key 自动迁移删除**:删除仍被 `metadata.key_ref` 引用的 key 条目时,系统会自动迁移:把密文复制到首个引用方,并将其余引用方的 `key_ref` 重定向到新 owner,然后继续删除。
|
||||
|
||||
## 加密架构(混合 E2EE)
|
||||
|
||||
@@ -167,7 +168,8 @@ flowchart LR
|
||||
|
||||
### PEM 共享(`key_ref`)
|
||||
|
||||
同一 PEM 可被多条 `server` 等记录引用:将 PEM 存为 **`type=key`** 的 entry,在其它条目的 `metadata.key_ref` 中写该 key 条目的 `name`(支持 `folder/name` 格式消歧);轮换时只更新 key 记录即可。
|
||||
同一 PEM 可被多条 `server` 等记录引用:建议将 PEM 存为 **`type=key`** 的 entry,在其它条目的 `metadata.key_ref` 中写目标 entry 的 `name`(支持 `folder/name` 格式消歧);轮换时只更新该目标记录即可。
|
||||
删除共享 key 时,系统会自动迁移引用:将密文复制到首个引用方(单副本),其余引用方的 `key_ref` 自动重定向到该新 owner,再删除原 key 记录。
|
||||
|
||||
## 审计日志
|
||||
|
||||
|
||||
@@ -51,6 +51,34 @@ pub struct EntryRow {
|
||||
pub notes: String,
|
||||
}
|
||||
|
||||
/// Entry row including `name` (used for id-scoped web / service updates).
|
||||
#[derive(Debug, sqlx::FromRow)]
|
||||
pub struct EntryWriteRow {
|
||||
pub id: Uuid,
|
||||
pub version: i64,
|
||||
pub folder: String,
|
||||
#[sqlx(rename = "type")]
|
||||
pub entry_type: String,
|
||||
pub name: String,
|
||||
pub tags: Vec<String>,
|
||||
pub metadata: Value,
|
||||
pub notes: String,
|
||||
}
|
||||
|
||||
impl From<&EntryWriteRow> for EntryRow {
|
||||
fn from(r: &EntryWriteRow) -> Self {
|
||||
EntryRow {
|
||||
id: r.id,
|
||||
version: r.version,
|
||||
folder: r.folder.clone(),
|
||||
entry_type: r.entry_type.clone(),
|
||||
tags: r.tags.clone(),
|
||||
metadata: r.metadata.clone(),
|
||||
notes: r.notes.clone(),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/// Minimal secret field row fetched before snapshots or cascade deletes.
|
||||
#[derive(Debug, sqlx::FromRow)]
|
||||
pub struct SecretFieldRow {
|
||||
|
||||
@@ -4,7 +4,7 @@ use sqlx::PgPool;
|
||||
use uuid::Uuid;
|
||||
|
||||
use crate::db;
|
||||
use crate::models::{EntryRow, SecretFieldRow};
|
||||
use crate::models::{EntryRow, EntryWriteRow, SecretFieldRow};
|
||||
|
||||
#[derive(Debug, serde::Serialize)]
|
||||
pub struct DeletedEntry {
|
||||
@@ -17,6 +17,7 @@ pub struct DeletedEntry {
|
||||
#[derive(Debug, serde::Serialize)]
|
||||
pub struct DeleteResult {
|
||||
pub deleted: Vec<DeletedEntry>,
|
||||
pub migrated: Vec<String>,
|
||||
pub dry_run: bool,
|
||||
}
|
||||
|
||||
@@ -31,6 +32,233 @@ pub struct DeleteParams<'a> {
|
||||
pub user_id: Option<Uuid>,
|
||||
}
|
||||
|
||||
#[derive(Debug, sqlx::FromRow)]
|
||||
struct KeyReferrer {
|
||||
id: Uuid,
|
||||
folder: String,
|
||||
#[sqlx(rename = "type")]
|
||||
entry_type: String,
|
||||
name: String,
|
||||
}
|
||||
|
||||
fn ref_label(r: &KeyReferrer) -> String {
|
||||
format!("{}/{} ({})", r.folder, r.name, r.entry_type)
|
||||
}
|
||||
|
||||
fn ref_path(r: &KeyReferrer) -> String {
|
||||
format!("{}/{}", r.folder, r.name)
|
||||
}
|
||||
|
||||
async fn fetch_key_referrers_pool(
|
||||
pool: &PgPool,
|
||||
key_entry_id: Uuid,
|
||||
key_folder: &str,
|
||||
key_name: &str,
|
||||
user_id: Option<Uuid>,
|
||||
) -> Result<Vec<KeyReferrer>> {
|
||||
let qualified = format!("{}/{}", key_folder, key_name);
|
||||
let refs: Vec<KeyReferrer> = if let Some(uid) = user_id {
|
||||
sqlx::query_as(
|
||||
"SELECT id, folder, type, name FROM entries \
|
||||
WHERE user_id = $1 AND id <> $2 \
|
||||
AND (metadata->>'key_ref' = $3 OR metadata->>'key_ref' = $4) \
|
||||
ORDER BY folder, type, name",
|
||||
)
|
||||
.bind(uid)
|
||||
.bind(key_entry_id)
|
||||
.bind(key_name)
|
||||
.bind(&qualified)
|
||||
.fetch_all(pool)
|
||||
.await?
|
||||
} else {
|
||||
sqlx::query_as(
|
||||
"SELECT id, folder, type, name FROM entries \
|
||||
WHERE user_id IS NULL AND id <> $1 \
|
||||
AND (metadata->>'key_ref' = $2 OR metadata->>'key_ref' = $3) \
|
||||
ORDER BY folder, type, name",
|
||||
)
|
||||
.bind(key_entry_id)
|
||||
.bind(key_name)
|
||||
.bind(&qualified)
|
||||
.fetch_all(pool)
|
||||
.await?
|
||||
};
|
||||
Ok(refs)
|
||||
}
|
||||
|
||||
async fn migrate_key_refs_if_needed(
|
||||
tx: &mut sqlx::Transaction<'_, sqlx::Postgres>,
|
||||
key_row: &EntryRow,
|
||||
key_name: &str,
|
||||
user_id: Option<Uuid>,
|
||||
dry_run: bool,
|
||||
) -> Result<Vec<String>> {
|
||||
let qualified = format!("{}/{}", key_row.folder, key_name);
|
||||
let refs: Vec<KeyReferrer> = if let Some(uid) = user_id {
|
||||
sqlx::query_as(
|
||||
"SELECT id, folder, type, name FROM entries \
|
||||
WHERE user_id = $1 AND id <> $2 \
|
||||
AND (metadata->>'key_ref' = $3 OR metadata->>'key_ref' = $4) \
|
||||
ORDER BY folder, type, name",
|
||||
)
|
||||
.bind(uid)
|
||||
.bind(key_row.id)
|
||||
.bind(key_name)
|
||||
.bind(&qualified)
|
||||
.fetch_all(&mut **tx)
|
||||
.await?
|
||||
} else {
|
||||
sqlx::query_as(
|
||||
"SELECT id, folder, type, name FROM entries \
|
||||
WHERE user_id IS NULL AND id <> $1 \
|
||||
AND (metadata->>'key_ref' = $2 OR metadata->>'key_ref' = $3) \
|
||||
ORDER BY folder, type, name",
|
||||
)
|
||||
.bind(key_row.id)
|
||||
.bind(key_name)
|
||||
.bind(&qualified)
|
||||
.fetch_all(&mut **tx)
|
||||
.await?
|
||||
};
|
||||
|
||||
if refs.is_empty() {
|
||||
return Ok(vec![]);
|
||||
}
|
||||
if dry_run {
|
||||
return Ok(refs.iter().map(ref_label).collect());
|
||||
}
|
||||
|
||||
let owner = &refs[0];
|
||||
let owner_path = ref_path(owner);
|
||||
let key_fields: Vec<SecretFieldRow> =
|
||||
sqlx::query_as("SELECT id, field_name, encrypted FROM secrets WHERE entry_id = $1")
|
||||
.bind(key_row.id)
|
||||
.fetch_all(&mut **tx)
|
||||
.await?;
|
||||
|
||||
for f in &key_fields {
|
||||
sqlx::query(
|
||||
"INSERT INTO secrets (entry_id, field_name, encrypted) VALUES ($1, $2, $3) \
|
||||
ON CONFLICT (entry_id, field_name) DO NOTHING",
|
||||
)
|
||||
.bind(owner.id)
|
||||
.bind(&f.field_name)
|
||||
.bind(&f.encrypted)
|
||||
.execute(&mut **tx)
|
||||
.await?;
|
||||
}
|
||||
|
||||
sqlx::query(
|
||||
"UPDATE entries SET metadata = metadata - 'key_ref', \
|
||||
version = version + 1, updated_at = NOW() WHERE id = $1",
|
||||
)
|
||||
.bind(owner.id)
|
||||
.execute(&mut **tx)
|
||||
.await?;
|
||||
|
||||
crate::audit::log_tx(
|
||||
tx,
|
||||
user_id,
|
||||
"key_migrate",
|
||||
&owner.folder,
|
||||
&owner.entry_type,
|
||||
&owner.name,
|
||||
json!({
|
||||
"from_key": format!("{}/{}", key_row.folder, key_name),
|
||||
"role": "new_owner",
|
||||
"redirect_target": owner_path,
|
||||
}),
|
||||
)
|
||||
.await;
|
||||
|
||||
for r in refs.iter().skip(1) {
|
||||
sqlx::query(
|
||||
"UPDATE entries SET metadata = jsonb_set(metadata, '{key_ref}', to_jsonb($2::text), true), \
|
||||
version = version + 1, updated_at = NOW() WHERE id = $1",
|
||||
)
|
||||
.bind(r.id)
|
||||
.bind(&owner_path)
|
||||
.execute(&mut **tx)
|
||||
.await?;
|
||||
|
||||
crate::audit::log_tx(
|
||||
tx,
|
||||
user_id,
|
||||
"key_migrate",
|
||||
&r.folder,
|
||||
&r.entry_type,
|
||||
&r.name,
|
||||
json!({
|
||||
"from_key": format!("{}/{}", key_row.folder, key_name),
|
||||
"role": "redirected_ref",
|
||||
"redirect_to": owner_path,
|
||||
}),
|
||||
)
|
||||
.await;
|
||||
}
|
||||
|
||||
Ok(refs.iter().map(ref_label).collect())
|
||||
}
|
||||
|
||||
/// Delete a single entry by id (multi-tenant: `user_id` must match). Cascades `secrets` via FK.
|
||||
pub async fn delete_by_id(pool: &PgPool, entry_id: Uuid, user_id: Uuid) -> Result<DeleteResult> {
|
||||
let mut tx = pool.begin().await?;
|
||||
let row: Option<EntryWriteRow> = sqlx::query_as(
|
||||
"SELECT id, version, folder, type, name, tags, metadata, notes FROM entries \
|
||||
WHERE id = $1 AND user_id = $2 FOR UPDATE",
|
||||
)
|
||||
.bind(entry_id)
|
||||
.bind(user_id)
|
||||
.fetch_optional(&mut *tx)
|
||||
.await?;
|
||||
|
||||
let row = match row {
|
||||
Some(r) => r,
|
||||
None => {
|
||||
tx.rollback().await?;
|
||||
anyhow::bail!("Entry not found");
|
||||
}
|
||||
};
|
||||
|
||||
let folder = row.folder.clone();
|
||||
let entry_type = row.entry_type.clone();
|
||||
let name = row.name.clone();
|
||||
let entry_row: EntryRow = (&row).into();
|
||||
let migrated =
|
||||
migrate_key_refs_if_needed(&mut tx, &entry_row, &name, Some(user_id), false).await?;
|
||||
|
||||
snapshot_and_delete(
|
||||
&mut tx,
|
||||
&folder,
|
||||
&entry_type,
|
||||
&name,
|
||||
&entry_row,
|
||||
Some(user_id),
|
||||
)
|
||||
.await?;
|
||||
crate::audit::log_tx(
|
||||
&mut tx,
|
||||
Some(user_id),
|
||||
"delete",
|
||||
&folder,
|
||||
&entry_type,
|
||||
&name,
|
||||
json!({ "source": "web", "entry_id": entry_id }),
|
||||
)
|
||||
.await;
|
||||
tx.commit().await?;
|
||||
|
||||
Ok(DeleteResult {
|
||||
deleted: vec![DeletedEntry {
|
||||
name,
|
||||
folder,
|
||||
entry_type,
|
||||
}],
|
||||
migrated,
|
||||
dry_run: false,
|
||||
})
|
||||
}
|
||||
|
||||
pub async fn run(pool: &PgPool, params: DeleteParams<'_>) -> Result<DeleteResult> {
|
||||
match params.name {
|
||||
Some(name) => delete_one(pool, name, params.folder, params.dry_run, params.user_id).await,
|
||||
@@ -66,6 +294,7 @@ async fn delete_one(
|
||||
// - 2+ matches → disambiguation error (same as non-dry-run)
|
||||
#[derive(sqlx::FromRow)]
|
||||
struct DryRunRow {
|
||||
id: Uuid,
|
||||
folder: String,
|
||||
#[sqlx(rename = "type")]
|
||||
entry_type: String,
|
||||
@@ -74,7 +303,7 @@ async fn delete_one(
|
||||
let rows: Vec<DryRunRow> = if let Some(uid) = user_id {
|
||||
if let Some(f) = folder {
|
||||
sqlx::query_as(
|
||||
"SELECT folder, type FROM entries WHERE user_id = $1 AND folder = $2 AND name = $3",
|
||||
"SELECT id, folder, type FROM entries WHERE user_id = $1 AND folder = $2 AND name = $3",
|
||||
)
|
||||
.bind(uid)
|
||||
.bind(f)
|
||||
@@ -82,40 +311,48 @@ async fn delete_one(
|
||||
.fetch_all(pool)
|
||||
.await?
|
||||
} else {
|
||||
sqlx::query_as("SELECT folder, type FROM entries WHERE user_id = $1 AND name = $2")
|
||||
.bind(uid)
|
||||
.bind(name)
|
||||
.fetch_all(pool)
|
||||
.await?
|
||||
sqlx::query_as(
|
||||
"SELECT id, folder, type FROM entries WHERE user_id = $1 AND name = $2",
|
||||
)
|
||||
.bind(uid)
|
||||
.bind(name)
|
||||
.fetch_all(pool)
|
||||
.await?
|
||||
}
|
||||
} else if let Some(f) = folder {
|
||||
sqlx::query_as(
|
||||
"SELECT folder, type FROM entries WHERE user_id IS NULL AND folder = $1 AND name = $2",
|
||||
"SELECT id, folder, type FROM entries WHERE user_id IS NULL AND folder = $1 AND name = $2",
|
||||
)
|
||||
.bind(f)
|
||||
.bind(name)
|
||||
.fetch_all(pool)
|
||||
.await?
|
||||
} else {
|
||||
sqlx::query_as("SELECT folder, type FROM entries WHERE user_id IS NULL AND name = $1")
|
||||
.bind(name)
|
||||
.fetch_all(pool)
|
||||
.await?
|
||||
sqlx::query_as(
|
||||
"SELECT id, folder, type FROM entries WHERE user_id IS NULL AND name = $1",
|
||||
)
|
||||
.bind(name)
|
||||
.fetch_all(pool)
|
||||
.await?
|
||||
};
|
||||
|
||||
return match rows.len() {
|
||||
0 => Ok(DeleteResult {
|
||||
deleted: vec![],
|
||||
migrated: vec![],
|
||||
dry_run: true,
|
||||
}),
|
||||
1 => {
|
||||
let row = rows.into_iter().next().unwrap();
|
||||
let refs =
|
||||
fetch_key_referrers_pool(pool, row.id, &row.folder, name, user_id).await?;
|
||||
Ok(DeleteResult {
|
||||
deleted: vec![DeletedEntry {
|
||||
name: name.to_string(),
|
||||
folder: row.folder,
|
||||
entry_type: row.entry_type,
|
||||
}],
|
||||
migrated: refs.iter().map(ref_label).collect(),
|
||||
dry_run: true,
|
||||
})
|
||||
}
|
||||
@@ -180,6 +417,7 @@ async fn delete_one(
|
||||
tx.rollback().await?;
|
||||
return Ok(DeleteResult {
|
||||
deleted: vec![],
|
||||
migrated: vec![],
|
||||
dry_run: false,
|
||||
});
|
||||
}
|
||||
@@ -199,6 +437,7 @@ async fn delete_one(
|
||||
|
||||
let folder = row.folder.clone();
|
||||
let entry_type = row.entry_type.clone();
|
||||
let migrated = migrate_key_refs_if_needed(&mut tx, &row, name, user_id, false).await?;
|
||||
snapshot_and_delete(&mut tx, &folder, &entry_type, name, &row, user_id).await?;
|
||||
crate::audit::log_tx(
|
||||
&mut tx,
|
||||
@@ -218,6 +457,7 @@ async fn delete_one(
|
||||
folder,
|
||||
entry_type,
|
||||
}],
|
||||
migrated,
|
||||
dry_run: false,
|
||||
})
|
||||
}
|
||||
@@ -278,6 +518,12 @@ async fn delete_bulk(
|
||||
let rows = q.fetch_all(pool).await?;
|
||||
|
||||
if dry_run {
|
||||
let mut migrated: Vec<String> = Vec::new();
|
||||
for row in &rows {
|
||||
let refs =
|
||||
fetch_key_referrers_pool(pool, row.id, &row.folder, &row.name, user_id).await?;
|
||||
migrated.extend(refs.iter().map(ref_label));
|
||||
}
|
||||
let deleted = rows
|
||||
.iter()
|
||||
.map(|r| DeletedEntry {
|
||||
@@ -288,11 +534,13 @@ async fn delete_bulk(
|
||||
.collect();
|
||||
return Ok(DeleteResult {
|
||||
deleted,
|
||||
migrated,
|
||||
dry_run: true,
|
||||
});
|
||||
}
|
||||
|
||||
let mut deleted = Vec::with_capacity(rows.len());
|
||||
let mut migrated: Vec<String> = Vec::new();
|
||||
for row in &rows {
|
||||
let entry_row = EntryRow {
|
||||
id: row.id,
|
||||
@@ -304,6 +552,8 @@ async fn delete_bulk(
|
||||
notes: row.notes.clone(),
|
||||
};
|
||||
let mut tx = pool.begin().await?;
|
||||
let m = migrate_key_refs_if_needed(&mut tx, &entry_row, &row.name, user_id, false).await?;
|
||||
migrated.extend(m);
|
||||
snapshot_and_delete(
|
||||
&mut tx,
|
||||
&row.folder,
|
||||
@@ -333,6 +583,7 @@ async fn delete_bulk(
|
||||
|
||||
Ok(DeleteResult {
|
||||
deleted,
|
||||
migrated,
|
||||
dry_run: false,
|
||||
})
|
||||
}
|
||||
@@ -395,3 +646,264 @@ async fn snapshot_and_delete(
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use super::*;
|
||||
use serde_json::json;
|
||||
|
||||
async fn maybe_test_pool() -> Option<PgPool> {
|
||||
let Ok(url) = std::env::var("SECRETS_DATABASE_URL") else {
|
||||
eprintln!("skip delete migration tests: SECRETS_DATABASE_URL is not set");
|
||||
return None;
|
||||
};
|
||||
let Ok(pool) = PgPool::connect(&url).await else {
|
||||
eprintln!("skip delete migration tests: cannot connect to database");
|
||||
return None;
|
||||
};
|
||||
if let Err(e) = crate::db::migrate(&pool).await {
|
||||
eprintln!("skip delete migration tests: migrate failed: {e}");
|
||||
return None;
|
||||
}
|
||||
Some(pool)
|
||||
}
|
||||
|
||||
async fn insert_entry(
|
||||
pool: &PgPool,
|
||||
id: Uuid,
|
||||
user_id: Uuid,
|
||||
folder: &str,
|
||||
entry_type: &str,
|
||||
name: &str,
|
||||
metadata: serde_json::Value,
|
||||
) -> Result<()> {
|
||||
sqlx::query(
|
||||
"INSERT INTO entries (id, user_id, folder, type, name, notes, tags, metadata, version) \
|
||||
VALUES ($1, $2, $3, $4, $5, '', ARRAY[]::text[], $6, 1)",
|
||||
)
|
||||
.bind(id)
|
||||
.bind(user_id)
|
||||
.bind(folder)
|
||||
.bind(entry_type)
|
||||
.bind(name)
|
||||
.bind(metadata)
|
||||
.execute(pool)
|
||||
.await?;
|
||||
Ok(())
|
||||
}
|
||||
|
||||
#[tokio::test]
|
||||
async fn delete_shared_key_dry_run_reports_migration_without_writes() -> Result<()> {
|
||||
let Some(pool) = maybe_test_pool().await else {
|
||||
return Ok(());
|
||||
};
|
||||
|
||||
let user_id = Uuid::from_u128(rand::random());
|
||||
let key_id = Uuid::from_u128(rand::random());
|
||||
let ref_a = Uuid::from_u128(rand::random());
|
||||
let ref_b = Uuid::from_u128(rand::random());
|
||||
|
||||
insert_entry(
|
||||
&pool,
|
||||
key_id,
|
||||
user_id,
|
||||
"kfolder",
|
||||
"key",
|
||||
"shared-key",
|
||||
json!({}),
|
||||
)
|
||||
.await?;
|
||||
sqlx::query("INSERT INTO secrets (entry_id, field_name, encrypted) VALUES ($1, $2, $3)")
|
||||
.bind(key_id)
|
||||
.bind("pem")
|
||||
.bind(vec![1_u8, 2, 3])
|
||||
.execute(&pool)
|
||||
.await?;
|
||||
|
||||
insert_entry(
|
||||
&pool,
|
||||
ref_a,
|
||||
user_id,
|
||||
"afolder",
|
||||
"server",
|
||||
"srv-a",
|
||||
json!({"key_ref":"kfolder/shared-key"}),
|
||||
)
|
||||
.await?;
|
||||
insert_entry(
|
||||
&pool,
|
||||
ref_b,
|
||||
user_id,
|
||||
"bfolder",
|
||||
"server",
|
||||
"srv-b",
|
||||
json!({"key_ref":"shared-key"}),
|
||||
)
|
||||
.await?;
|
||||
|
||||
let result = run(
|
||||
&pool,
|
||||
DeleteParams {
|
||||
name: Some("shared-key"),
|
||||
folder: Some("kfolder"),
|
||||
entry_type: None,
|
||||
dry_run: true,
|
||||
user_id: Some(user_id),
|
||||
},
|
||||
)
|
||||
.await?;
|
||||
|
||||
assert!(result.dry_run);
|
||||
assert_eq!(result.deleted.len(), 1);
|
||||
assert_eq!(result.migrated.len(), 2);
|
||||
|
||||
let key_exists: bool = sqlx::query_scalar(
|
||||
"SELECT EXISTS(SELECT 1 FROM entries WHERE id = $1 AND user_id = $2)",
|
||||
)
|
||||
.bind(key_id)
|
||||
.bind(user_id)
|
||||
.fetch_one(&pool)
|
||||
.await?;
|
||||
assert!(key_exists);
|
||||
|
||||
let ref_a_key_ref: Option<String> =
|
||||
sqlx::query_scalar("SELECT metadata->>'key_ref' FROM entries WHERE id = $1")
|
||||
.bind(ref_a)
|
||||
.fetch_one(&pool)
|
||||
.await?;
|
||||
let ref_b_key_ref: Option<String> =
|
||||
sqlx::query_scalar("SELECT metadata->>'key_ref' FROM entries WHERE id = $1")
|
||||
.bind(ref_b)
|
||||
.fetch_one(&pool)
|
||||
.await?;
|
||||
assert_eq!(ref_a_key_ref.as_deref(), Some("kfolder/shared-key"));
|
||||
assert_eq!(ref_b_key_ref.as_deref(), Some("shared-key"));
|
||||
|
||||
sqlx::query("DELETE FROM entries WHERE user_id = $1")
|
||||
.bind(user_id)
|
||||
.execute(&pool)
|
||||
.await?;
|
||||
Ok(())
|
||||
}
|
||||
|
||||
#[tokio::test]
|
||||
async fn delete_shared_key_auto_migrates_single_copy_and_redirects_refs() -> Result<()> {
|
||||
let Some(pool) = maybe_test_pool().await else {
|
||||
return Ok(());
|
||||
};
|
||||
|
||||
let user_id = Uuid::from_u128(rand::random());
|
||||
let key_id = Uuid::from_u128(rand::random());
|
||||
let ref_a = Uuid::from_u128(rand::random());
|
||||
let ref_b = Uuid::from_u128(rand::random());
|
||||
let ref_c = Uuid::from_u128(rand::random());
|
||||
|
||||
insert_entry(
|
||||
&pool,
|
||||
key_id,
|
||||
user_id,
|
||||
"kfolder",
|
||||
"key",
|
||||
"shared-key",
|
||||
json!({}),
|
||||
)
|
||||
.await?;
|
||||
sqlx::query("INSERT INTO secrets (entry_id, field_name, encrypted) VALUES ($1, $2, $3)")
|
||||
.bind(key_id)
|
||||
.bind("pem")
|
||||
.bind(vec![7_u8, 8, 9])
|
||||
.execute(&pool)
|
||||
.await?;
|
||||
|
||||
// owner candidate (sorted first by folder)
|
||||
insert_entry(
|
||||
&pool,
|
||||
ref_a,
|
||||
user_id,
|
||||
"afolder",
|
||||
"server",
|
||||
"srv-a",
|
||||
json!({"key_ref":"kfolder/shared-key"}),
|
||||
)
|
||||
.await?;
|
||||
insert_entry(
|
||||
&pool,
|
||||
ref_b,
|
||||
user_id,
|
||||
"bfolder",
|
||||
"server",
|
||||
"srv-b",
|
||||
json!({"key_ref":"shared-key"}),
|
||||
)
|
||||
.await?;
|
||||
insert_entry(
|
||||
&pool,
|
||||
ref_c,
|
||||
user_id,
|
||||
"cfolder",
|
||||
"service",
|
||||
"svc-c",
|
||||
json!({"key_ref":"kfolder/shared-key"}),
|
||||
)
|
||||
.await?;
|
||||
|
||||
let result = run(
|
||||
&pool,
|
||||
DeleteParams {
|
||||
name: Some("shared-key"),
|
||||
folder: Some("kfolder"),
|
||||
entry_type: None,
|
||||
dry_run: false,
|
||||
user_id: Some(user_id),
|
||||
},
|
||||
)
|
||||
.await?;
|
||||
|
||||
assert!(!result.dry_run);
|
||||
assert_eq!(result.deleted.len(), 1);
|
||||
assert_eq!(result.migrated.len(), 3);
|
||||
|
||||
let key_exists: bool = sqlx::query_scalar(
|
||||
"SELECT EXISTS(SELECT 1 FROM entries WHERE id = $1 AND user_id = $2)",
|
||||
)
|
||||
.bind(key_id)
|
||||
.bind(user_id)
|
||||
.fetch_one(&pool)
|
||||
.await?;
|
||||
assert!(!key_exists);
|
||||
|
||||
let owner_key_ref: Option<String> =
|
||||
sqlx::query_scalar("SELECT metadata->>'key_ref' FROM entries WHERE id = $1")
|
||||
.bind(ref_a)
|
||||
.fetch_one(&pool)
|
||||
.await?;
|
||||
let ref_b_key_ref: Option<String> =
|
||||
sqlx::query_scalar("SELECT metadata->>'key_ref' FROM entries WHERE id = $1")
|
||||
.bind(ref_b)
|
||||
.fetch_one(&pool)
|
||||
.await?;
|
||||
let ref_c_key_ref: Option<String> =
|
||||
sqlx::query_scalar("SELECT metadata->>'key_ref' FROM entries WHERE id = $1")
|
||||
.bind(ref_c)
|
||||
.fetch_one(&pool)
|
||||
.await?;
|
||||
|
||||
assert_eq!(owner_key_ref, None);
|
||||
assert_eq!(ref_b_key_ref.as_deref(), Some("afolder/srv-a"));
|
||||
assert_eq!(ref_c_key_ref.as_deref(), Some("afolder/srv-a"));
|
||||
|
||||
let owner_has_copied: bool = sqlx::query_scalar(
|
||||
"SELECT EXISTS(SELECT 1 FROM secrets WHERE entry_id = $1 AND field_name = 'pem')",
|
||||
)
|
||||
.bind(ref_a)
|
||||
.fetch_one(&pool)
|
||||
.await?;
|
||||
assert!(owner_has_copied);
|
||||
|
||||
sqlx::query("DELETE FROM entries WHERE user_id = $1")
|
||||
.bind(user_id)
|
||||
.execute(&pool)
|
||||
.await?;
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
@@ -75,16 +75,8 @@ async fn build_entry_env_map(
|
||||
} else {
|
||||
(None, key_ref)
|
||||
};
|
||||
let key_entries = fetch_entries(
|
||||
pool,
|
||||
ref_folder,
|
||||
Some("key"),
|
||||
Some(ref_name),
|
||||
&[],
|
||||
None,
|
||||
user_id,
|
||||
)
|
||||
.await?;
|
||||
let key_entries =
|
||||
fetch_entries(pool, ref_folder, None, Some(ref_name), &[], None, user_id).await?;
|
||||
|
||||
if key_entries.len() > 1 {
|
||||
anyhow::bail!(
|
||||
|
||||
@@ -5,7 +5,7 @@ use uuid::Uuid;
|
||||
|
||||
use crate::crypto;
|
||||
use crate::db;
|
||||
use crate::models::EntryRow;
|
||||
use crate::models::{EntryRow, EntryWriteRow};
|
||||
use crate::service::add::{
|
||||
collect_field_paths, collect_key_paths, flatten_json_fields, insert_path, parse_key_path,
|
||||
parse_kv, remove_path,
|
||||
@@ -306,3 +306,118 @@ pub async fn run(
|
||||
remove_secrets: remove_secret_keys,
|
||||
})
|
||||
}
|
||||
|
||||
/// Update non-sensitive entry columns by primary key (multi-tenant: `user_id` must match).
|
||||
/// Does not read or modify `secrets` rows.
|
||||
pub struct UpdateEntryFieldsByIdParams<'a> {
|
||||
pub folder: &'a str,
|
||||
pub entry_type: &'a str,
|
||||
pub name: &'a str,
|
||||
pub notes: &'a str,
|
||||
pub tags: &'a [String],
|
||||
pub metadata: &'a serde_json::Value,
|
||||
}
|
||||
|
||||
pub async fn update_fields_by_id(
|
||||
pool: &PgPool,
|
||||
entry_id: Uuid,
|
||||
user_id: Uuid,
|
||||
params: UpdateEntryFieldsByIdParams<'_>,
|
||||
) -> Result<()> {
|
||||
if params.folder.len() > 128 {
|
||||
anyhow::bail!("folder must be at most 128 characters");
|
||||
}
|
||||
if params.entry_type.len() > 64 {
|
||||
anyhow::bail!("type must be at most 64 characters");
|
||||
}
|
||||
if params.name.len() > 256 {
|
||||
anyhow::bail!("name must be at most 256 characters");
|
||||
}
|
||||
|
||||
let mut tx = pool.begin().await?;
|
||||
|
||||
let row: Option<EntryWriteRow> = sqlx::query_as(
|
||||
"SELECT id, version, folder, type, name, tags, metadata, notes FROM entries \
|
||||
WHERE id = $1 AND user_id = $2 FOR UPDATE",
|
||||
)
|
||||
.bind(entry_id)
|
||||
.bind(user_id)
|
||||
.fetch_optional(&mut *tx)
|
||||
.await?;
|
||||
|
||||
let row = match row {
|
||||
Some(r) => r,
|
||||
None => {
|
||||
tx.rollback().await?;
|
||||
anyhow::bail!("Entry not found");
|
||||
}
|
||||
};
|
||||
|
||||
if let Err(e) = db::snapshot_entry_history(
|
||||
&mut tx,
|
||||
db::EntrySnapshotParams {
|
||||
entry_id: row.id,
|
||||
user_id: Some(user_id),
|
||||
folder: &row.folder,
|
||||
entry_type: &row.entry_type,
|
||||
name: &row.name,
|
||||
version: row.version,
|
||||
action: "update",
|
||||
tags: &row.tags,
|
||||
metadata: &row.metadata,
|
||||
},
|
||||
)
|
||||
.await
|
||||
{
|
||||
tracing::warn!(error = %e, "failed to snapshot entry history before web update");
|
||||
}
|
||||
|
||||
let res = sqlx::query(
|
||||
"UPDATE entries SET folder = $1, type = $2, name = $3, notes = $4, tags = $5, metadata = $6, \
|
||||
version = version + 1, updated_at = NOW() \
|
||||
WHERE id = $7 AND version = $8",
|
||||
)
|
||||
.bind(params.folder)
|
||||
.bind(params.entry_type)
|
||||
.bind(params.name)
|
||||
.bind(params.notes)
|
||||
.bind(params.tags)
|
||||
.bind(params.metadata)
|
||||
.bind(row.id)
|
||||
.bind(row.version)
|
||||
.execute(&mut *tx)
|
||||
.await
|
||||
.map_err(|e| {
|
||||
if let sqlx::Error::Database(ref d) = e
|
||||
&& d.code().as_deref() == Some("23505")
|
||||
{
|
||||
return anyhow::anyhow!(
|
||||
"An entry with this folder and name already exists for your account."
|
||||
);
|
||||
}
|
||||
e.into()
|
||||
})?;
|
||||
|
||||
if res.rows_affected() == 0 {
|
||||
tx.rollback().await?;
|
||||
anyhow::bail!("Concurrent modification detected. Please refresh and try again.");
|
||||
}
|
||||
|
||||
crate::audit::log_tx(
|
||||
&mut tx,
|
||||
Some(user_id),
|
||||
"update",
|
||||
params.folder,
|
||||
params.entry_type,
|
||||
params.name,
|
||||
serde_json::json!({
|
||||
"source": "web",
|
||||
"entry_id": entry_id,
|
||||
"fields": ["folder", "type", "name", "notes", "tags", "metadata"],
|
||||
}),
|
||||
)
|
||||
.await;
|
||||
|
||||
tx.commit().await?;
|
||||
Ok(())
|
||||
}
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
[package]
|
||||
name = "secrets-mcp"
|
||||
version = "0.3.4"
|
||||
version = "0.3.7"
|
||||
edition.workspace = true
|
||||
|
||||
[[bin]]
|
||||
|
||||
@@ -8,9 +8,10 @@ use axum::{
|
||||
extract::{ConnectInfo, Path, Query, State},
|
||||
http::{HeaderMap, StatusCode, header},
|
||||
response::{Html, IntoResponse, Redirect, Response},
|
||||
routing::{get, post},
|
||||
routing::{get, patch, post},
|
||||
};
|
||||
use serde::{Deserialize, Serialize};
|
||||
use serde_json::json;
|
||||
use tower_sessions::Session;
|
||||
use uuid::Uuid;
|
||||
|
||||
@@ -19,7 +20,9 @@ use secrets_core::crypto::hex;
|
||||
use secrets_core::service::{
|
||||
api_key::{ensure_api_key, regenerate_api_key},
|
||||
audit_log::list_for_user,
|
||||
delete::delete_by_id,
|
||||
search::{SearchParams, count_entries, list_entries},
|
||||
update::{UpdateEntryFieldsByIdParams, update_fields_by_id},
|
||||
user::{
|
||||
OAuthProfile, bind_oauth_account, find_or_create_user, get_user_by_id,
|
||||
unbind_oauth_account, update_user_key_setup,
|
||||
@@ -88,11 +91,14 @@ struct EntriesPageTemplate {
|
||||
total_count: i64,
|
||||
shown_count: usize,
|
||||
limit: u32,
|
||||
filter_folder: String,
|
||||
filter_type: String,
|
||||
version: &'static str,
|
||||
}
|
||||
|
||||
/// Non-sensitive fields only (no `secrets` / ciphertext).
|
||||
struct EntryListItemView {
|
||||
id: String,
|
||||
folder: String,
|
||||
entry_type: String,
|
||||
name: String,
|
||||
@@ -106,6 +112,14 @@ struct EntryListItemView {
|
||||
/// Cap for HTML list (avoids loading unbounded rows into memory).
|
||||
const ENTRIES_PAGE_LIMIT: u32 = 5_000;
|
||||
|
||||
#[derive(Deserialize)]
|
||||
struct EntriesQuery {
|
||||
folder: Option<String>,
|
||||
/// URL query key is `type` (maps to DB column `entries.type`).
|
||||
#[serde(rename = "type")]
|
||||
entry_type: Option<String>,
|
||||
}
|
||||
|
||||
// ── App state helpers ─────────────────────────────────────────────────────────
|
||||
|
||||
fn google_cfg(state: &AppState) -> Option<&OAuthConfig> {
|
||||
@@ -189,6 +203,10 @@ pub fn web_router() -> Router<AppState> {
|
||||
.route("/api/key-setup", post(api_key_setup))
|
||||
.route("/api/apikey", get(api_apikey_get))
|
||||
.route("/api/apikey/regenerate", post(api_apikey_regenerate))
|
||||
.route(
|
||||
"/api/entries/{id}",
|
||||
patch(api_entry_patch).delete(api_entry_delete),
|
||||
)
|
||||
}
|
||||
|
||||
fn text_asset_response(content: &'static str, content_type: &'static str) -> Response {
|
||||
@@ -510,6 +528,7 @@ async fn dashboard(
|
||||
async fn entries_page(
|
||||
State(state): State<AppState>,
|
||||
session: Session,
|
||||
Query(q): Query<EntriesQuery>,
|
||||
) -> Result<Response, StatusCode> {
|
||||
let Some(user_id) = current_user_id(&session).await else {
|
||||
return Ok(Redirect::to("/login").into_response());
|
||||
@@ -523,9 +542,22 @@ async fn entries_page(
|
||||
None => return Ok(Redirect::to("/login").into_response()),
|
||||
};
|
||||
|
||||
let folder_filter = q
|
||||
.folder
|
||||
.as_ref()
|
||||
.map(|s| s.trim())
|
||||
.filter(|s| !s.is_empty())
|
||||
.map(|s| s.to_string());
|
||||
let type_filter = q
|
||||
.entry_type
|
||||
.as_ref()
|
||||
.map(|s| s.trim())
|
||||
.filter(|s| !s.is_empty())
|
||||
.map(|s| s.to_string());
|
||||
|
||||
let params = SearchParams {
|
||||
folder: None,
|
||||
entry_type: None,
|
||||
folder: folder_filter.as_deref(),
|
||||
entry_type: type_filter.as_deref(),
|
||||
name: None,
|
||||
tags: &[],
|
||||
query: None,
|
||||
@@ -549,6 +581,7 @@ async fn entries_page(
|
||||
let entries = rows
|
||||
.into_iter()
|
||||
.map(|e| EntryListItemView {
|
||||
id: e.id.to_string(),
|
||||
folder: e.folder,
|
||||
entry_type: e.entry_type,
|
||||
name: e.name,
|
||||
@@ -567,6 +600,8 @@ async fn entries_page(
|
||||
total_count,
|
||||
shown_count,
|
||||
limit: ENTRIES_PAGE_LIMIT,
|
||||
filter_folder: folder_filter.unwrap_or_default(),
|
||||
filter_type: type_filter.unwrap_or_default(),
|
||||
version: env!("CARGO_PKG_VERSION"),
|
||||
};
|
||||
|
||||
@@ -846,6 +881,125 @@ async fn api_apikey_regenerate(
|
||||
Ok(Json(ApiKeyResponse { api_key }))
|
||||
}
|
||||
|
||||
// ── Entry management (Web UI, non-sensitive fields only) ───────────────────────
|
||||
|
||||
#[derive(Deserialize)]
|
||||
struct EntryPatchBody {
|
||||
folder: String,
|
||||
#[serde(rename = "type")]
|
||||
entry_type: String,
|
||||
name: String,
|
||||
notes: String,
|
||||
tags: Vec<String>,
|
||||
metadata: serde_json::Value,
|
||||
}
|
||||
|
||||
type EntryApiError = (StatusCode, Json<serde_json::Value>);
|
||||
|
||||
fn map_entry_mutation_err(e: anyhow::Error) -> EntryApiError {
|
||||
let msg = e.to_string();
|
||||
if msg.contains("Entry not found") {
|
||||
return (
|
||||
StatusCode::NOT_FOUND,
|
||||
Json(json!({ "error": "条目不存在或无权访问" })),
|
||||
);
|
||||
}
|
||||
if msg.contains("already exists") {
|
||||
return (
|
||||
StatusCode::CONFLICT,
|
||||
Json(json!({ "error": "该账号下已存在相同 folder + name 的条目" })),
|
||||
);
|
||||
}
|
||||
if msg.contains("Concurrent modification") {
|
||||
return (
|
||||
StatusCode::CONFLICT,
|
||||
Json(json!({ "error": "条目已被修改,请刷新后重试" })),
|
||||
);
|
||||
}
|
||||
if msg.contains("must be at most") {
|
||||
return (StatusCode::BAD_REQUEST, Json(json!({ "error": msg })));
|
||||
}
|
||||
tracing::error!(error = %e, "entry mutation failed");
|
||||
(
|
||||
StatusCode::INTERNAL_SERVER_ERROR,
|
||||
Json(json!({ "error": "操作失败,请稍后重试" })),
|
||||
)
|
||||
}
|
||||
|
||||
async fn api_entry_patch(
|
||||
State(state): State<AppState>,
|
||||
session: Session,
|
||||
Path(entry_id): Path<Uuid>,
|
||||
Json(body): Json<EntryPatchBody>,
|
||||
) -> Result<Json<serde_json::Value>, EntryApiError> {
|
||||
let user_id = current_user_id(&session)
|
||||
.await
|
||||
.ok_or((StatusCode::UNAUTHORIZED, Json(json!({ "error": "未登录" }))))?;
|
||||
|
||||
let folder = body.folder.trim();
|
||||
let entry_type = body.entry_type.trim();
|
||||
let name = body.name.trim();
|
||||
let notes = body.notes.trim();
|
||||
|
||||
if name.is_empty() {
|
||||
return Err((
|
||||
StatusCode::BAD_REQUEST,
|
||||
Json(json!({ "error": "name 不能为空" })),
|
||||
));
|
||||
}
|
||||
|
||||
let tags: Vec<String> = body
|
||||
.tags
|
||||
.into_iter()
|
||||
.map(|t| t.trim().to_string())
|
||||
.filter(|t| !t.is_empty())
|
||||
.collect();
|
||||
|
||||
if !body.metadata.is_object() {
|
||||
return Err((
|
||||
StatusCode::BAD_REQUEST,
|
||||
Json(json!({ "error": "metadata 必须是 JSON 对象" })),
|
||||
));
|
||||
}
|
||||
|
||||
update_fields_by_id(
|
||||
&state.pool,
|
||||
entry_id,
|
||||
user_id,
|
||||
UpdateEntryFieldsByIdParams {
|
||||
folder,
|
||||
entry_type,
|
||||
name,
|
||||
notes,
|
||||
tags: &tags,
|
||||
metadata: &body.metadata,
|
||||
},
|
||||
)
|
||||
.await
|
||||
.map_err(map_entry_mutation_err)?;
|
||||
|
||||
Ok(Json(json!({ "ok": true })))
|
||||
}
|
||||
|
||||
async fn api_entry_delete(
|
||||
State(state): State<AppState>,
|
||||
session: Session,
|
||||
Path(entry_id): Path<Uuid>,
|
||||
) -> Result<Json<serde_json::Value>, EntryApiError> {
|
||||
let user_id = current_user_id(&session)
|
||||
.await
|
||||
.ok_or((StatusCode::UNAUTHORIZED, Json(json!({ "error": "未登录" }))))?;
|
||||
|
||||
let result = delete_by_id(&state.pool, entry_id, user_id)
|
||||
.await
|
||||
.map_err(map_entry_mutation_err)?;
|
||||
|
||||
Ok(Json(json!({
|
||||
"ok": true,
|
||||
"migrated": result.migrated,
|
||||
})))
|
||||
}
|
||||
|
||||
// ── OAuth / Well-known ────────────────────────────────────────────────────────
|
||||
|
||||
/// RFC 9728 — OAuth 2.0 Protected Resource Metadata.
|
||||
|
||||
@@ -48,6 +48,30 @@
|
||||
padding: 24px; width: 100%; max-width: 1280px; margin: 0 auto; }
|
||||
.card-title { font-size: 20px; font-weight: 600; margin-bottom: 8px; }
|
||||
.card-subtitle { color: var(--text-muted); font-size: 13px; margin-bottom: 20px; }
|
||||
.filter-bar {
|
||||
display: flex; flex-wrap: wrap; align-items: flex-end; gap: 12px 16px;
|
||||
margin-bottom: 20px; padding: 16px; background: var(--bg); border: 1px solid var(--border);
|
||||
border-radius: 10px;
|
||||
}
|
||||
.filter-field { display: flex; flex-direction: column; gap: 6px; min-width: 140px; flex: 1; }
|
||||
.filter-field label { font-size: 12px; color: var(--text-muted); font-weight: 500; }
|
||||
.filter-field input {
|
||||
background: var(--surface); border: 1px solid var(--border); border-radius: 6px;
|
||||
color: var(--text); padding: 8px 10px; font-size: 13px; font-family: 'JetBrains Mono', monospace;
|
||||
outline: none; width: 100%;
|
||||
}
|
||||
.filter-field input:focus { border-color: var(--accent); }
|
||||
.filter-actions { display: flex; flex-wrap: wrap; align-items: center; gap: 8px; }
|
||||
.btn-filter {
|
||||
padding: 8px 16px; border-radius: 6px; border: none; background: var(--accent); color: #0d1117;
|
||||
font-size: 13px; font-weight: 600; cursor: pointer;
|
||||
}
|
||||
.btn-filter:hover { background: var(--accent-hover); }
|
||||
.btn-clear {
|
||||
padding: 8px 14px; border-radius: 6px; border: 1px solid var(--border); background: transparent;
|
||||
color: var(--text-muted); font-size: 13px; text-decoration: none; cursor: pointer;
|
||||
}
|
||||
.btn-clear:hover { background: var(--surface2); color: var(--text); }
|
||||
.empty { color: var(--text-muted); font-size: 14px; padding: 20px 0; }
|
||||
.table-wrap { overflow-x: auto; }
|
||||
table { width: 100%; border-collapse: collapse; min-width: 720px; }
|
||||
@@ -58,11 +82,58 @@
|
||||
.cell-notes, .cell-meta {
|
||||
max-width: 280px; word-break: break-word;
|
||||
}
|
||||
.notes-scroll {
|
||||
max-height: 160px;
|
||||
overflow: auto;
|
||||
white-space: pre-wrap;
|
||||
word-break: break-word;
|
||||
padding: 8px;
|
||||
background: var(--bg);
|
||||
border: 1px solid var(--border);
|
||||
border-radius: 8px;
|
||||
font-size: 12px;
|
||||
}
|
||||
.detail {
|
||||
background: var(--bg); border: 1px solid var(--border); border-radius: 8px;
|
||||
padding: 10px; white-space: pre-wrap; word-break: break-word; font-size: 12px;
|
||||
max-width: 320px; max-height: 160px; overflow: auto;
|
||||
}
|
||||
.col-actions { white-space: nowrap; }
|
||||
.row-actions { display: flex; flex-wrap: wrap; gap: 6px; }
|
||||
.btn-row {
|
||||
padding: 4px 10px; border-radius: 6px; font-size: 12px; cursor: pointer;
|
||||
border: 1px solid var(--border); background: var(--surface2); color: var(--text-muted);
|
||||
font-family: inherit;
|
||||
}
|
||||
.btn-row:hover { color: var(--text); border-color: var(--text-muted); }
|
||||
.btn-row.danger:hover { border-color: #f85149; color: #f85149; }
|
||||
.modal-overlay {
|
||||
position: fixed; inset: 0; background: rgba(1, 4, 9, 0.65); z-index: 200;
|
||||
display: flex; align-items: center; justify-content: center; padding: 16px;
|
||||
}
|
||||
.modal-overlay[hidden] { display: none !important; }
|
||||
.modal {
|
||||
background: var(--surface); border: 1px solid var(--border); border-radius: 12px;
|
||||
padding: 22px; width: 100%; max-width: 520px; max-height: 90vh; overflow: auto;
|
||||
box-shadow: 0 16px 48px rgba(0,0,0,0.45);
|
||||
}
|
||||
.modal-title { font-size: 16px; font-weight: 600; margin-bottom: 14px; }
|
||||
.modal-field { margin-bottom: 12px; }
|
||||
.modal-field label { display: block; font-size: 12px; color: var(--text-muted); margin-bottom: 5px; }
|
||||
.modal-field input, .modal-field textarea {
|
||||
width: 100%; background: var(--bg); border: 1px solid var(--border); border-radius: 6px;
|
||||
color: var(--text); padding: 8px 10px; font-size: 13px; font-family: 'JetBrains Mono', monospace;
|
||||
outline: none;
|
||||
}
|
||||
.modal-field textarea { min-height: 72px; resize: vertical; }
|
||||
.modal-field textarea.metadata-edit { min-height: 140px; }
|
||||
.modal-error { color: #f85149; font-size: 12px; margin-bottom: 10px; display: none; }
|
||||
.modal-error.visible { display: block; }
|
||||
.modal-footer { display: flex; flex-wrap: wrap; gap: 8px; justify-content: flex-end; margin-top: 16px; }
|
||||
.btn-modal { padding: 8px 16px; border-radius: 6px; font-size: 13px; cursor: pointer; font-family: inherit; border: 1px solid var(--border); background: transparent; color: var(--text); }
|
||||
.btn-modal.primary { background: var(--accent); color: #0d1117; border-color: transparent; font-weight: 600; }
|
||||
.btn-modal.primary:hover { background: var(--accent-hover); }
|
||||
.btn-modal.danger { border-color: #f85149; color: #f85149; }
|
||||
@media (max-width: 900px) {
|
||||
.layout { flex-direction: column; }
|
||||
.sidebar {
|
||||
@@ -89,7 +160,9 @@
|
||||
td.col-notes::before { content: "Notes"; }
|
||||
td.col-tags::before { content: "Tags"; }
|
||||
td.col-meta::before { content: "Metadata"; }
|
||||
td.col-actions::before { content: "操作"; }
|
||||
.detail { max-width: none; }
|
||||
.notes-scroll { max-width: none; }
|
||||
}
|
||||
</style>
|
||||
</head>
|
||||
@@ -116,7 +189,22 @@
|
||||
<main class="main">
|
||||
<section class="card">
|
||||
<div class="card-title">我的条目</div>
|
||||
<div class="card-subtitle">共 <strong>{{ total_count }}</strong> 条记录;当前列表显示 <strong>{{ shown_count }}</strong> 条(按更新时间降序,单页最多 {{ limit }} 条)。不含密文字段。时间为浏览器本地时区。</div>
|
||||
<div class="card-subtitle">在当前筛选条件下,共 <strong>{{ total_count }}</strong> 条记录;本页显示 <strong>{{ shown_count }}</strong> 条(按更新时间降序,单页最多 {{ limit }} 条)。不含密文字段。时间为浏览器本地时区。</div>
|
||||
|
||||
<form class="filter-bar" method="get" action="/entries">
|
||||
<div class="filter-field">
|
||||
<label for="filter-folder">Folder(精确匹配)</label>
|
||||
<input id="filter-folder" name="folder" type="text" value="{{ filter_folder }}" placeholder="例如 refining" autocomplete="off">
|
||||
</div>
|
||||
<div class="filter-field">
|
||||
<label for="filter-type">Type(精确匹配)</label>
|
||||
<input id="filter-type" name="type" type="text" value="{{ filter_type }}" placeholder="例如 server" autocomplete="off">
|
||||
</div>
|
||||
<div class="filter-actions">
|
||||
<button type="submit" class="btn-filter">筛选</button>
|
||||
<a href="/entries" class="btn-clear">清空</a>
|
||||
</div>
|
||||
</form>
|
||||
|
||||
{% if entries.is_empty() %}
|
||||
<div class="empty">暂无条目。</div>
|
||||
@@ -132,18 +220,25 @@
|
||||
<th>Notes</th>
|
||||
<th>Tags</th>
|
||||
<th>Metadata</th>
|
||||
<th>操作</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
{% for entry in entries %}
|
||||
<tr>
|
||||
<tr data-entry-id="{{ entry.id }}">
|
||||
<td class="col-updated mono"><time class="entry-local-time" datetime="{{ entry.updated_at_iso }}">{{ entry.updated_at_iso }}</time></td>
|
||||
<td class="col-folder mono">{{ entry.folder }}</td>
|
||||
<td class="col-type mono">{{ entry.entry_type }}</td>
|
||||
<td class="col-name mono">{{ entry.name }}</td>
|
||||
<td class="col-notes cell-notes">{{ entry.notes }}</td>
|
||||
<td class="col-tags mono">{{ entry.tags }}</td>
|
||||
<td class="col-meta cell-meta"><pre class="detail">{{ entry.metadata }}</pre></td>
|
||||
<td class="col-folder mono cell-folder">{{ entry.folder }}</td>
|
||||
<td class="col-type mono cell-type">{{ entry.entry_type }}</td>
|
||||
<td class="col-name mono cell-name">{{ entry.name }}</td>
|
||||
<td class="col-notes cell-notes">{% if !entry.notes.is_empty() %}<div class="notes-scroll cell-notes-val">{{ entry.notes }}</div>{% endif %}</td>
|
||||
<td class="col-tags mono cell-tags-val">{{ entry.tags }}</td>
|
||||
<td class="col-meta cell-meta"><pre class="detail cell-meta-val">{{ entry.metadata }}</pre></td>
|
||||
<td class="col-actions">
|
||||
<div class="row-actions">
|
||||
<button type="button" class="btn-row btn-edit">编辑</button>
|
||||
<button type="button" class="btn-row danger btn-del">删除</button>
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
{% endfor %}
|
||||
</tbody>
|
||||
@@ -154,6 +249,23 @@
|
||||
</main>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div id="edit-overlay" class="modal-overlay" hidden>
|
||||
<div class="modal" role="dialog" aria-modal="true" aria-labelledby="edit-title">
|
||||
<div class="modal-title" id="edit-title">编辑条目</div>
|
||||
<div id="edit-error" class="modal-error"></div>
|
||||
<div class="modal-field"><label for="edit-folder">Folder</label><input id="edit-folder" type="text" autocomplete="off"></div>
|
||||
<div class="modal-field"><label for="edit-type">Type</label><input id="edit-type" type="text" autocomplete="off"></div>
|
||||
<div class="modal-field"><label for="edit-name">Name</label><input id="edit-name" type="text" autocomplete="off"></div>
|
||||
<div class="modal-field"><label for="edit-notes">Notes</label><textarea id="edit-notes"></textarea></div>
|
||||
<div class="modal-field"><label for="edit-tags">Tags(逗号分隔)</label><input id="edit-tags" type="text" autocomplete="off"></div>
|
||||
<div class="modal-field"><label for="edit-metadata">Metadata(JSON 对象)</label><textarea id="edit-metadata" class="metadata-edit"></textarea></div>
|
||||
<div class="modal-footer">
|
||||
<button type="button" class="btn-modal" id="edit-cancel">取消</button>
|
||||
<button type="button" class="btn-modal primary" id="edit-save">保存</button>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<script>
|
||||
(function () {
|
||||
document.querySelectorAll('time.entry-local-time[datetime]').forEach(function (el) {
|
||||
@@ -164,6 +276,114 @@
|
||||
el.title = raw + ' (UTC)';
|
||||
}
|
||||
});
|
||||
|
||||
var editOverlay = document.getElementById('edit-overlay');
|
||||
var editError = document.getElementById('edit-error');
|
||||
var editFolder = document.getElementById('edit-folder');
|
||||
var editType = document.getElementById('edit-type');
|
||||
var editName = document.getElementById('edit-name');
|
||||
var editNotes = document.getElementById('edit-notes');
|
||||
var editTags = document.getElementById('edit-tags');
|
||||
var editMetadata = document.getElementById('edit-metadata');
|
||||
var currentEntryId = null;
|
||||
|
||||
function showEditErr(msg) {
|
||||
editError.textContent = msg || '';
|
||||
editError.classList.toggle('visible', !!msg);
|
||||
}
|
||||
|
||||
function openEdit(tr) {
|
||||
var id = tr.getAttribute('data-entry-id');
|
||||
if (!id) return;
|
||||
currentEntryId = id;
|
||||
showEditErr('');
|
||||
editFolder.value = tr.querySelector('.cell-folder') ? tr.querySelector('.cell-folder').textContent.trim() : '';
|
||||
editType.value = tr.querySelector('.cell-type') ? tr.querySelector('.cell-type').textContent.trim() : '';
|
||||
editName.value = tr.querySelector('.cell-name') ? tr.querySelector('.cell-name').textContent.trim() : '';
|
||||
editNotes.value = tr.querySelector('.cell-notes-val') ? tr.querySelector('.cell-notes-val').textContent : '';
|
||||
var tagsText = tr.querySelector('.cell-tags-val') ? tr.querySelector('.cell-tags-val').textContent.trim() : '';
|
||||
editTags.value = tagsText;
|
||||
var metaPre = tr.querySelector('.cell-meta-val');
|
||||
editMetadata.value = metaPre ? metaPre.textContent : '{}';
|
||||
editOverlay.hidden = false;
|
||||
}
|
||||
|
||||
function closeEdit() {
|
||||
editOverlay.hidden = true;
|
||||
currentEntryId = null;
|
||||
showEditErr('');
|
||||
}
|
||||
|
||||
document.getElementById('edit-cancel').addEventListener('click', closeEdit);
|
||||
editOverlay.addEventListener('click', function (e) {
|
||||
if (e.target === editOverlay) closeEdit();
|
||||
});
|
||||
|
||||
document.getElementById('edit-save').addEventListener('click', function () {
|
||||
if (!currentEntryId) return;
|
||||
var meta;
|
||||
try {
|
||||
meta = JSON.parse(editMetadata.value);
|
||||
} catch (err) {
|
||||
showEditErr('Metadata 不是合法 JSON');
|
||||
return;
|
||||
}
|
||||
if (meta === null || typeof meta !== 'object' || Array.isArray(meta)) {
|
||||
showEditErr('Metadata 必须是 JSON 对象');
|
||||
return;
|
||||
}
|
||||
var tags = editTags.value.split(',').map(function (s) { return s.trim(); }).filter(Boolean);
|
||||
var body = {
|
||||
folder: editFolder.value,
|
||||
type: editType.value,
|
||||
name: editName.value.trim(),
|
||||
notes: editNotes.value,
|
||||
tags: tags,
|
||||
metadata: meta
|
||||
};
|
||||
showEditErr('');
|
||||
fetch('/api/entries/' + encodeURIComponent(currentEntryId), {
|
||||
method: 'PATCH',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
credentials: 'same-origin',
|
||||
body: JSON.stringify(body)
|
||||
}).then(function (r) {
|
||||
return r.json().then(function (data) {
|
||||
if (!r.ok) throw new Error(data.error || ('HTTP ' + r.status));
|
||||
return data;
|
||||
});
|
||||
}).then(function () {
|
||||
closeEdit();
|
||||
window.location.reload();
|
||||
}).catch(function (e) {
|
||||
showEditErr(e.message || String(e));
|
||||
});
|
||||
});
|
||||
|
||||
document.querySelectorAll('tr[data-entry-id]').forEach(function (tr) {
|
||||
tr.querySelector('.btn-edit').addEventListener('click', function () { openEdit(tr); });
|
||||
tr.querySelector('.btn-del').addEventListener('click', function () {
|
||||
var id = tr.getAttribute('data-entry-id');
|
||||
var nameEl = tr.querySelector('.cell-name');
|
||||
var name = nameEl ? nameEl.textContent.trim() : '';
|
||||
if (!id) return;
|
||||
if (!confirm('确定删除条目「' + name + '」?')) return;
|
||||
fetch('/api/entries/' + encodeURIComponent(id), { method: 'DELETE', credentials: 'same-origin' })
|
||||
.then(function (r) {
|
||||
return r.json().then(function (data) {
|
||||
if (!r.ok) throw new Error(data.error || ('HTTP ' + r.status));
|
||||
return data;
|
||||
});
|
||||
})
|
||||
.then(function (data) {
|
||||
if (data && Array.isArray(data.migrated) && data.migrated.length > 0) {
|
||||
alert('已自动迁移共享 key 引用:' + data.migrated.length + ' 个条目完成重定向。');
|
||||
}
|
||||
window.location.reload();
|
||||
})
|
||||
.catch(function (e) { alert(e.message || String(e)); });
|
||||
});
|
||||
});
|
||||
})();
|
||||
</script>
|
||||
</body>
|
||||
|
||||
Reference in New Issue
Block a user