feat: add user_secrets table #19162

Merged
merged 22 commits into from
Aug 7, 2025

@evgeniy-scherbina (Contributor) commented Aug 4, 2025

Closes coder/internal#780

Summary of changes:

  • added user_secrets table
    • user_secrets table contains env_name and file_path fields which are not used at the moment, but will be used in later PRs
    • user_secrets table doesn't contain value_key_id; I will add it in a separate migration in a dbcrypt PR
    • on the one hand, I don't want to add fields which are not used (because there's a risk something may change in the implementation later); on the other hand, I don't want to add too many migrations for the user secrets table
  • added unique sql indexes
  • added sql queries for CRUD operations on user-secrets
  • introduced new ResourceUserSecret resource
  • basic unit-tests for CRUD ops and authorization behavior
  • Role updates:
    • owner:
      • remove ResourceUserSecret from site-wide perms
      • add ResourceUserSecret to user-wide perms
    • orgAdmin
      • remove ResourceUserSecret from org-wide perms; it seems it's not strictly required, because ResourceUserSecret is not tied to an organization in the dbauthz wrappers?
    • memberRole
      • no need to change memberRole because it implicitly has access to user-secrets thanks to the allPermsExcept
    • are these changes to roles enough?

Main questions:

  • We will have 2 migrations for user-secrets:
    • initial migration (in current PR)
    • adding value_key_id in dbcrypt PR
    • is this approach reasonable?
  • Are the changes to the roles' permissions correct?
  • Are the changes in roles_test.go correct?

@evgeniy-scherbina marked this pull request as ready for review August 7, 2025 14:01

@Emyrk (Member) left a comment

Some suggestions before I stamp 👍

Overall LG!

@evgeniy-scherbina merged commit c65996a into main Aug 7, 2025
34 of 36 checks passed
@evgeniy-scherbina deleted the yevhenii/secrets-db-schema branch August 7, 2025 19:59
@github-actions bot locked and limited conversation to collaborators Aug 7, 2025
Development

Successfully merging this pull request may close these issues.

Define database schema for user-secrets
3 participants