gitcaddy-server/services/secrets/secrets.go

// Copyright 2023 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package secrets

import (
	"context"
	"fmt"

	"code.gitcaddy.com/server/v3/models/db"
	secret_model "code.gitcaddy.com/server/v3/models/secret"
	"code.gitcaddy.com/server/v3/modules/util"
)

func CreateOrUpdateSecret(ctx context.Context, ownerID, repoID int64, name, data, description string) (*secret_model.Secret, bool, error) {
	if err := ValidateName(name); err != nil {
		return nil, false, err
	}

	s, err := db.Find[secret_model.Secret](ctx, secret_model.FindSecretsOptions{
		OwnerID: ownerID,
		RepoID:  repoID,
		Name:    name,
	})
	if err != nil {
		return nil, false, err
	}

	if len(s) == 0 {
		// Creating new secret - data is required
		if data == "" {
			return nil, false, fmt.Errorf("%w: secret value is required for new secrets", util.ErrInvalidArgument)
		}
		s, err := secret_model.InsertEncryptedSecret(ctx, ownerID, repoID, name, data, description)
		if err != nil {
			return nil, false, err
		}
		return s, true, nil
	}

	// Updating existing secret - data is optional (description-only update allowed)
	if err := secret_model.UpdateSecret(ctx, s[0].ID, data, description); err != nil {
		return nil, false, err
	}

	return s[0], false, nil
}

// CreateOrUpdateGlobalSecret creates or updates a global secret (OwnerID=0, RepoID=0)
// Global secrets are available to all workflows system-wide
func CreateOrUpdateGlobalSecret(ctx context.Context, name, data, description string) (*secret_model.Secret, bool, error) {
	if err := ValidateName(name); err != nil {
		return nil, false, err
	}

	s, err := db.Find[secret_model.Secret](ctx, secret_model.FindSecretsOptions{
		Global: true,
		Name:   name,
	})
	if err != nil {
		return nil, false, err
	}

	if len(s) == 0 {
		// Creating new secret - data is required
		if data == "" {
			return nil, false, fmt.Errorf("%w: secret value is required for new secrets", util.ErrInvalidArgument)
		}
		// Insert with ownerID=0, repoID=0 for global secret
		s, err := secret_model.InsertEncryptedSecret(ctx, 0, 0, name, data, description)
		if err != nil {
			return nil, false, err
		}
		return s, true, nil
	}

	// Updating existing secret - data is optional (description-only update allowed)
	if err := secret_model.UpdateSecret(ctx, s[0].ID, data, description); err != nil {
		return nil, false, err
	}

	return s[0], false, nil
}

func DeleteSecretByID(ctx context.Context, ownerID, repoID, secretID int64) error {
	s, err := db.Find[secret_model.Secret](ctx, secret_model.FindSecretsOptions{
		OwnerID:  ownerID,
		RepoID:   repoID,
		SecretID: secretID,
	})
	if err != nil {
		return err
	}
	if len(s) != 1 {
		return secret_model.ErrSecretNotFound{}
	}

	return deleteSecret(ctx, s[0])
}

// DeleteGlobalSecretByID deletes a global secret by ID
func DeleteGlobalSecretByID(ctx context.Context, secretID int64) error {
	s, err := db.Find[secret_model.Secret](ctx, secret_model.FindSecretsOptions{
		Global:   true,
		SecretID: secretID,
	})
	if err != nil {
		return err
	}
	if len(s) != 1 {
		return secret_model.ErrSecretNotFound{}
	}

	return deleteSecret(ctx, s[0])
}

func DeleteSecretByName(ctx context.Context, ownerID, repoID int64, name string) error {
	s, err := db.Find[secret_model.Secret](ctx, secret_model.FindSecretsOptions{
		OwnerID: ownerID,
		RepoID:  repoID,
		Name:    name,
	})
	if err != nil {
		return err
	}
	if len(s) != 1 {
		return secret_model.ErrSecretNotFound{}
	}

	return deleteSecret(ctx, s[0])
}

// PromoteSecret moves a secret to a new scope (org or global).
func PromoteSecret(ctx context.Context, secretID, newOwnerID, newRepoID int64) error {
	return secret_model.MoveSecret(ctx, secretID, newOwnerID, newRepoID)
}

func deleteSecret(ctx context.Context, s *secret_model.Secret) error {
	if _, err := db.DeleteByID[secret_model.Secret](ctx, s.ID); err != nil {
		return err
	}
	return nil
}