fabi/PiCloud
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(v1.1.7-secrets): secrets SDK + table + admin API + dashboard

Browse Source 
Encrypted per-app secrets, reachable from scripts as
secrets::{get,set,delete,list}(name) and managed from the dashboard
Secrets tab. Values are AES-256-GCM-sealed with the process master key
(picloud_shared::crypto) before they touch Postgres; the repo only ever
sees ciphertext + nonce. JSON round-trip preserves Rhai types.

- migration 0023_secrets.sql (PRIMARY KEY (app_id, name)).
- SecretsService trait (picloud-shared) + SecretsServiceImpl + repo
  (manager-core), wired into the Services bundle and Rhai engine.
- Capability::AppSecretsRead/Write (→ script:read / script:write); no
  new Scope variants (seven-scope commitment).
- Admin API GET/POST/DELETE /apps/{id}/secrets (list returns names +
  updated_at, never values).
- build_app now takes a MasterKey, sourced from PICLOUD_SECRET_KEY in
  main.rs; test callers pass a fixed test key.
- 64 KB value cap (PICLOUD_SECRET_MAX_VALUE_BYTES); no ServiceEvent
  emission (secret writes don't fire triggers, by design).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
MechaCat02
2026-06-04 21:37:17 +02:00
parent dc2e4fa01f
commit 2d11090d1a
28 changed files with 1959 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
crates/executor-core/src/sdk/mod.rs
View File

@@ -19,6 +19,7 @@ pub mod files;
pub mod http;
pub mod kv;
pub mod pubsub;
pub mod secrets;
pub mod stdlib;
pub use bridge::{dynamic_to_json, json_to_dynamic};
@@ -41,5 +42,6 @@ pub fn register_all(engine: &mut RhaiEngine, services: &Services, cx: Arc<SdkCal
dead_letters::register(engine, services, cx.clone());
http::register(engine, services, cx.clone());
files::register(engine, services, cx.clone());
pubsub::register(engine, services, cx);
pubsub::register(engine, services, cx.clone());
secrets::register(engine, services, cx);
}

153
crates/executor-core/src/sdk/secrets.rs Normal file
View File

@@ -0,0 +1,153 @@
//! `secrets::` Rhai bridge — encrypted per-app secrets (v1.1.7).
//!
//! ```rhai
//! secrets::set("stripe_key", "sk_live_xxx");
//! secrets::set("oauth", #{ client_id: "abc", client_secret: "xyz" });
//! let key = secrets::get("stripe_key"); // value or ()
//! let removed = secrets::delete("stripe_key"); // bool
//! let page = secrets::list(#{ cursor: (), limit: 100 });
//! // page = #{ names: [...], next_cursor: () | "..." }
//! ```
//!
//! Collection-less (secrets are per-app, like pubsub topics) so there's
//! no `::collection(...)`. Values are any JSON-serializable Rhai value
//! (String/Map/Array/number/bool); a String round-trips back as a
//! String. `app_id` is derived from `cx.app_id` in the service — it
//! never appears in the script-side signature, preserving cross-app
//! isolation.
use std::sync::Arc;
use picloud_shared::{SdkCallCx, SecretsError, SecretsListPage, Services};
use rhai::{Array, Dynamic, Engine as RhaiEngine, EvalAltResult, Map, Module};
use tokio::runtime::Handle as TokioHandle;
use super::bridge::{dynamic_to_json, json_to_dynamic};
pub(super) fn register(engine: &mut RhaiEngine, services: &Services, cx: Arc<SdkCallCx>) {
let svc = services.secrets.clone();
let mut module = Module::new();
// secrets::set(name, value) — overwrites if present.
{
let svc = svc.clone();
let cx = cx.clone();
module.set_native_fn(
"set",
move |name: &str, value: Dynamic| -> Result<(), Box<EvalAltResult>> {
let json = dynamic_to_json(&value);
let svc = svc.clone();
let cx = cx.clone();
block_on(async move { svc.set(&cx, name, json).await })
},
);
}
// secrets::get(name) — decoded value, or () if missing.
{
let svc = svc.clone();
let cx = cx.clone();
module.set_native_fn(
"get",
move |name: &str| -> Result<Dynamic, Box<EvalAltResult>> {
let svc = svc.clone();
let cx = cx.clone();
let opt = block_on(async move { svc.get(&cx, name).await })?;
Ok(opt.map_or(Dynamic::UNIT, json_to_dynamic))
},
);
}
// secrets::delete(name) — bool was-present.
{
let svc = svc.clone();
let cx = cx.clone();
module.set_native_fn(
"delete",
move |name: &str| -> Result<bool, Box<EvalAltResult>> {
let svc = svc.clone();
let cx = cx.clone();
block_on(async move { svc.delete(&cx, name).await })
},
);
}
// secrets::list(#{ cursor, limit }) — names only, cursor-paginated.
{
let svc = svc.clone();
let cx = cx.clone();
module.set_native_fn(
"list",
move |opts: Map| -> Result<Map, Box<EvalAltResult>> {
let (cursor, limit) = parse_list_opts(&opts)?;
let svc = svc.clone();
let cx = cx.clone();
let page: SecretsListPage =
block_on(async move { svc.list(&cx, cursor.as_deref(), limit).await })?;
Ok(list_page_to_map(page))
},
);
}
engine.register_static_module("secrets", module.into());
}
/// Pull `cursor` (string or `()`) and `limit` (int or `()`) out of the
/// options map. Unknown/extra keys are ignored.
fn parse_list_opts(opts: &Map) -> Result<(Option<String>, u32), Box<EvalAltResult>> {
let cursor = match opts.get("cursor") {
None => None,
Some(d) if d.is_unit() => None,
Some(d) if d.is_string() => Some(d.clone().into_string().unwrap_or_default()),
Some(_) => return Err(runtime_err("secrets::list: cursor must be a string or ()")),
};
let limit = match opts.get("limit") {
None => 0,
Some(d) if d.is_unit() => 0,
Some(d) => {
let n = d
.as_int()
.map_err(|_| runtime_err("secrets::list: limit must be an integer or ()"))?;
u32::try_from(n.max(0)).unwrap_or(u32::MAX)
}
};
Ok((cursor, limit))
}
fn list_page_to_map(page: SecretsListPage) -> Map {
let mut m = Map::new();
let names: Array = page.names.into_iter().map(Dynamic::from).collect();
m.insert("names".into(), names.into());
m.insert(
"next_cursor".into(),
page.next_cursor.map_or(Dynamic::UNIT, Dynamic::from),
);
m
}
// Returns the boxed error directly because every caller needs a
// `Box<EvalAltResult>` (Rhai's error type), matching the other bridges.
#[allow(clippy::unnecessary_box_returns)]
fn runtime_err(msg: &str) -> Box<EvalAltResult> {
EvalAltResult::ErrorRuntime(msg.into(), rhai::Position::NONE).into()
}
/// Run a `SecretsService` future inside the synchronous Rhai context,
/// mapping any `SecretsError` to a Rhai runtime error. Mirrors
/// `kv::block_on` / `pubsub::block_on`.
fn block_on<T, F>(fut: F) -> Result<T, Box<EvalAltResult>>
where
F: std::future::Future<Output = Result<T, SecretsError>> + Send,
T: Send,
{
let handle = TokioHandle::try_current().map_err(|e| -> Box<EvalAltResult> {
EvalAltResult::ErrorRuntime(
format!("secrets: no tokio runtime available: {e}").into(),
rhai::Position::NONE,
)
.into()
})?;
handle.block_on(fut).map_err(|err| -> Box<EvalAltResult> {
EvalAltResult::ErrorRuntime(format!("secrets: {err}").into(), rhai::Position::NONE).into()
})
}

1
crates/executor-core/tests/module_redaction_logging.rs
View File

@@ -101,6 +101,7 @@ async fn original_backend_error_is_logged_at_error_level() {
Arc::new(NoopHttpService),
Arc::new(picloud_shared::NoopFilesService),
Arc::new(picloud_shared::NoopPubsubService),
Arc::new(picloud_shared::NoopSecretsService),
);
let engine = Engine::new(Limits::default(), services);

1
crates/executor-core/tests/modules.rs
View File

@@ -99,6 +99,7 @@ fn services_with(modules: Arc<dyn ModuleSource>) -> Services {
Arc::new(NoopHttpService),
Arc::new(picloud_shared::NoopFilesService),
Arc::new(picloud_shared::NoopPubsubService),
Arc::new(picloud_shared::NoopSecretsService),
)
}

1
crates/executor-core/tests/sdk_docs.rs
View File

@@ -230,6 +230,7 @@ fn make_engine() -> Arc<Engine> {
Arc::new(NoopHttpService),
Arc::new(picloud_shared::NoopFilesService),
Arc::new(picloud_shared::NoopPubsubService),
Arc::new(picloud_shared::NoopSecretsService),
);
Arc::new(Engine::new(Limits::default(), services))
}

1
crates/executor-core/tests/sdk_files.rs
View File

@@ -167,6 +167,7 @@ fn make_engine() -> Arc<Engine> {
Arc::new(NoopHttpService),
Arc::new(InMemoryFiles::default()),
Arc::new(picloud_shared::NoopPubsubService),
Arc::new(picloud_shared::NoopSecretsService),
);
Arc::new(Engine::new(Limits::default(), services))
}

1
crates/executor-core/tests/sdk_http.rs
View File

@@ -90,6 +90,7 @@ fn engine_with(http: Arc<dyn HttpService>) -> Arc<Engine> {
http,
Arc::new(picloud_shared::NoopFilesService),
Arc::new(picloud_shared::NoopPubsubService),
Arc::new(picloud_shared::NoopSecretsService),
);
Arc::new(Engine::new(Limits::default(), services))
}

1
crates/executor-core/tests/sdk_kv.rs
View File

@@ -109,6 +109,7 @@ fn make_engine() -> Arc<Engine> {
Arc::new(NoopHttpService),
Arc::new(picloud_shared::NoopFilesService),
Arc::new(picloud_shared::NoopPubsubService),
Arc::new(picloud_shared::NoopSecretsService),
);
Arc::new(Engine::new(Limits::default(), services))
}

1
crates/executor-core/tests/sdk_pubsub.rs
View File

@@ -47,6 +47,7 @@ fn make_engine(svc: Arc<RecordingPubsub>) -> Arc<Engine> {
Arc::new(NoopHttpService),
Arc::new(NoopFilesService),
svc,
Arc::new(picloud_shared::NoopSecretsService),
);
Arc::new(Engine::new(Limits::default(), services))
}

212
crates/executor-core/tests/sdk_secrets.rs Normal file
View File

@@ -0,0 +1,212 @@
//! `secrets::` SDK bridge integration tests — runs a real Rhai engine
//! against an in-memory `SecretsService` impl. Mirrors `sdk_kv.rs`: the
//! engine runs under `spawn_blocking` so the bridge's `block_on` has a
//! reachable runtime.
//!
//! This exercises the Rhai⇄JSON plumbing + the static `secrets` module
//! (set/get/delete/list, the missing→() contract, and the
//! String/Map/Array type round-trip). Encryption + authz + the
//! cross-app boundary are unit-tested at the service layer in
//! `manager-core::secrets_service`.
use std::collections::BTreeMap;
use std::sync::Arc;
use async_trait::async_trait;
use picloud_executor_core::{Engine, ExecRequest, InvocationType, Limits};
use picloud_shared::{
AppId, ExecutionId, NoopDeadLetterService, NoopDocsService, NoopEventEmitter, NoopHttpService,
NoopKvService, NoopModuleSource, RequestId, ScriptId, ScriptSandbox, SdkCallCx, SecretsError,
SecretsListPage, SecretsService, Services,
};
use serde_json::{json, Value};
use tokio::sync::Mutex;
/// In-memory secrets store keyed by `(app_id, name)`. Stores the JSON
/// value directly — the bridge test only cares about the Rhai plumbing,
/// not the at-rest encryption (which the service layer owns).
#[derive(Default)]
struct InMemorySecrets {
data: Mutex<BTreeMap<(AppId, String), Value>>,
}
#[async_trait]
impl SecretsService for InMemorySecrets {
async fn get(&self, cx: &SdkCallCx, name: &str) -> Result<Option<Value>, SecretsError> {
picloud_shared::validate_secret_name(name)?;
Ok(self
.data
.lock()
.await
.get(&(cx.app_id, name.to_string()))
.cloned())
}
async fn set(&self, cx: &SdkCallCx, name: &str, value: Value) -> Result<(), SecretsError> {
picloud_shared::validate_secret_name(name)?;
self.data
.lock()
.await
.insert((cx.app_id, name.to_string()), value);
Ok(())
}
async fn delete(&self, cx: &SdkCallCx, name: &str) -> Result<bool, SecretsError> {
picloud_shared::validate_secret_name(name)?;
Ok(self
.data
.lock()
.await
.remove(&(cx.app_id, name.to_string()))
.is_some())
}
async fn list(
&self,
cx: &SdkCallCx,
cursor: Option<&str>,
limit: u32,
) -> Result<SecretsListPage, SecretsError> {
let data = self.data.lock().await;
let mut names: Vec<String> = data
.iter()
.filter(|((a, _), _)| *a == cx.app_id)
.map(|((_, n), _)| n.clone())
.filter(|n| cursor.is_none_or(|c| n.as_str() > c))
.collect();
names.sort();
let take = if limit == 0 {
usize::MAX
} else {
limit as usize
};
let next_cursor = if names.len() > take {
names.truncate(take);
names.last().cloned()
} else {
None
};
Ok(SecretsListPage { names, next_cursor })
}
}
fn make_engine() -> Arc<Engine> {
let services = Services::new(
Arc::new(NoopKvService),
Arc::new(NoopDocsService),
Arc::new(NoopDeadLetterService),
Arc::new(NoopEventEmitter),
Arc::new(NoopModuleSource),
Arc::new(NoopHttpService),
Arc::new(picloud_shared::NoopFilesService),
Arc::new(picloud_shared::NoopPubsubService),
Arc::new(InMemorySecrets::default()),
);
Arc::new(Engine::new(Limits::default(), services))
}
fn baseline_request(app_id: AppId) -> ExecRequest {
let execution_id = ExecutionId::new();
ExecRequest {
execution_id,
request_id: RequestId::new(),
script_id: ScriptId::new(),
script_name: "secrets-test".into(),
invocation_type: InvocationType::Http,
path: "/secrets-test".into(),
headers: BTreeMap::new(),
body: Value::Null,
params: BTreeMap::new(),
query: BTreeMap::new(),
rest: String::new(),
sandbox_overrides: ScriptSandbox::default(),
app_id,
principal: None,
trigger_depth: 0,
root_execution_id: execution_id,
is_dead_letter_handler: false,
event: None,
}
}
async fn run_script(engine: Arc<Engine>, src: &str, req: ExecRequest) -> Value {
let src = src.to_string();
tokio::task::spawn_blocking(move || engine.execute(&src, req))
.await
.expect("spawn_blocking should not panic")
.expect("script execution should succeed")
.body
}
#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
async fn set_then_get_string_round_trips() {
let engine = make_engine();
let src = r#"
secrets::set("stripe_key", "sk_live_xxx");
secrets::get("stripe_key")
"#;
let body = run_script(engine, src, baseline_request(AppId::new())).await;
// A String comes back a String, not a JSON-quoted "\"sk_live_xxx\"".
assert_eq!(body, json!("sk_live_xxx"));
}
#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
async fn set_then_get_map_round_trips() {
let engine = make_engine();
let src = r#"
secrets::set("oauth", #{ client_id: "abc", client_secret: "xyz" });
secrets::get("oauth")
"#;
let body = run_script(engine, src, baseline_request(AppId::new())).await;
assert_eq!(body, json!({ "client_id": "abc", "client_secret": "xyz" }));
}
#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
async fn get_missing_returns_unit() {
let engine = make_engine();
let src = r#"
let v = secrets::get("nope");
#{ is_unit: type_of(v) == "()" }
"#;
let body = run_script(engine, src, baseline_request(AppId::new())).await;
assert_eq!(body, json!({ "is_unit": true }));
}
#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
async fn delete_returns_was_present() {
let engine = make_engine();
let src = r#"
secrets::set("k", "v");
let first = secrets::delete("k");
let second = secrets::delete("k");
#{ first: first, second: second }
"#;
let body = run_script(engine, src, baseline_request(AppId::new())).await;
assert_eq!(body, json!({ "first": true, "second": false }));
}
#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
async fn list_returns_names_and_cursor() {
let engine = make_engine();
let src = r#"
secrets::set("a", 1);
secrets::set("b", 2);
secrets::set("c", 3);
let page = secrets::list(#{ cursor: (), limit: 2 });
page
"#;
let body = run_script(engine, src, baseline_request(AppId::new())).await;
assert_eq!(body["names"], json!(["a", "b"]));
assert_eq!(body["next_cursor"], json!("b"));
}
#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
async fn empty_name_throws() {
let engine = make_engine();
let src = r#" secrets::set("", "v"); #{ ok: true } "#;
let app = AppId::new();
let out = tokio::task::spawn_blocking(move || engine.execute(src, baseline_request(app)))
.await
.expect("spawn_blocking");
assert!(out.is_err(), "empty secret name must throw");
}

1
crates/executor-core/tests/sdk_subscriber_token.rs
View File

@@ -94,6 +94,7 @@ fn make_engine() -> Arc<Engine> {
Arc::new(NoopHttpService),
Arc::new(NoopFilesService),
Arc::new(FakeMintPubsub),
Arc::new(picloud_shared::NoopSecretsService),
);
Arc::new(Engine::new(Limits::default(), services))
}