@highstate/backend 0.9.15 → 0.9.18

package/src/business/secret.ts

@@ -0,0 +1,281 @@
+import type { Logger } from "pino"
+import type { LibraryBackend } from "../library"
+import type { StateManager } from "../state"
+import type { InstanceStateService } from "./instance-state"
+import type { RandomProvider } from "../common"
+import {
+  HighstateSignature,
+  isUnitModel,
+  parseInstanceId,
+  type UnitSecretModel,
+} from "@highstate/contract"
+import { isNonNullish } from "remeda"
+import { formatSecretDescriptor, type Project, type Secret, type SecretDescriptor } from "../shared"
+
+export class SecretService {
+  constructor(
+    private readonly stateManager: StateManager,
+    private readonly libraryBackend: LibraryBackend,
+    private readonly instanceStateService: InstanceStateService,
+    private readonly random: RandomProvider,
+    private readonly logger: Logger,
+  ) {}
+
+  /**
+   * Updates secrets for a specific instance, handling both creation/updates and deletions.
+   * Also updates the instance state's secretNames field.
+   *
+   * @param project The project to which the instance belongs.
+   * @param instanceId The instance ID.
+   * @param changedSecretValues The secrets to create or update.
+   * @param deletedSecretNames The names of secrets to delete.
+   * @param invalidateState Whether to invalidate the instance state after updating secrets.
+   */
+  async updateInstanceSecrets(
+    project: Project,
+    instanceId: string,
+    changedSecretValues: Record<string, unknown>,
+    deletedSecretNames: string[],
+    invalidateState = true,
+  ): Promise<void> {
+    const library = await this.libraryBackend.loadLibrary(project.libraryId)
+
+    const [type] = parseInstanceId(instanceId)
+    const component = library.components[type]
+    if (!component) {
+      throw new Error(`Component type ${type} not found in library`)
+    }
+
+    if (!isUnitModel(component)) {
+      throw new Error(`Component type ${type} is not a unit model`)
+    }
+
+    // validate changed secrets
+    for (const secretName of Object.keys(changedSecretValues)) {
+      if (!component.secrets[secretName]) {
+        throw new Error(`Secret ${secretName} not found in component ${type}`)
+      }
+    }
+
+    // validate deleted secrets
+    for (const secretName of deletedSecretNames) {
+      if (!component.secrets[secretName]) {
+        throw new Error(`Secret ${secretName} not found in component ${type}`)
+      }
+    }
+
+    // use a batch for atomic operations
+    await using batch = this.stateManager.batch()
+
+    const secretRepo = this.stateManager.getSecretRepository(project.id)
+    const secretContentRepo = this.stateManager.getSecretContentRepository(project.id)
+    const indexRepo = this.stateManager.getSecretIndexRepository(project.id)
+
+    // process changed secrets
+    for (const [secretName, value] of Object.entries(changedSecretValues)) {
+      const descriptor: SecretDescriptor = { type: "instance", instanceId, secretName }
+      const indexKey = formatSecretDescriptor(descriptor)
+
+      // check if secret already exists
+      const existingSecret = await indexRepo.get(indexKey)
+
+      // create or update secret info
+      const secret: Secret = {
+        id: existingSecret?.id ?? this.random.uuidv7(),
+        descriptor: descriptor,
+        meta: {
+          ...existingSecret?.meta,
+          ...component.secrets[secretName].meta,
+          icon: component.secrets[secretName].meta.icon ?? component.meta.icon,
+        },
+      }
+
+      // store secret info and content
+      await secretRepo.putItem(secret, batch)
+      await secretContentRepo.put(indexKey, value, batch)
+
+      // update index mapping
+      await indexRepo.indexRepository.put(indexKey, secret.id, batch)
+    }
+
+    // process deleted secrets
+    for (const secretName of deletedSecretNames) {
+      const indexKey = formatSecretDescriptor({ type: "instance", instanceId, secretName })
+
+      // get the secret ID from index
+      const secretId = await indexRepo.indexRepository.get(indexKey)
+      if (secretId) {
+        // delete secret info, content, and index entry
+        await secretRepo.delete(secretId, batch)
+        await secretContentRepo.delete(indexKey, batch)
+        await indexRepo.indexRepository.delete(indexKey, batch)
+      }
+    }
+
+    // write all changes atomically
+    await batch.write()
+
+    // update instance state secretNames
+    await this.instanceStateService.updateStateSecretNames(
+      project.id,
+      instanceId,
+      Object.keys(changedSecretValues),
+      deletedSecretNames,
+      invalidateState,
+    )
+
+    this.logger.info(
+      {
+        projectId: project.id,
+        instanceId,
+        changedCount: Object.keys(changedSecretValues).length,
+        deletedCount: deletedSecretNames.length,
+      },
+      `updated instance secrets for instance "%s"`,
+      instanceId,
+    )
+  }
+
+  /**
+   * Gets the values of all secrets for a specific instance.
+   *
+   * @param project The project to which the instance belongs.
+   * @param instanceId The instance ID.
+   * @returns A record of secret key-value pairs.
+   */
+  async getInstanceSecretValues(
+    project: Project,
+    instanceId: string,
+  ): Promise<Record<string, unknown>> {
+    const { indexKeys, secrets, secretContentMap } = await this.getInstanceSecretData(
+      project,
+      instanceId,
+    )
+
+    // build the result mapping secret names to values
+    const values: Record<string, unknown> = {}
+    for (const descriptor of indexKeys) {
+      const secret = secrets[descriptor]
+      if (!secret) {
+        continue
+      }
+
+      const content = secretContentMap[secret.id]
+      if (content) {
+        values[descriptor] = content
+      }
+    }
+
+    return secrets
+  }
+
+  /**
+   * Gets the secrets for a specific instance, including metadata.
+   * Will create missing secrets with empty values.
+   *
+   * @param project The project to which the instance belongs.
+   * @param instanceId The instance ID.
+   * @return A record of secret key-value pairs with metadata.
+   */
+  async getUnitSecrets(
+    project: Project,
+    instanceId: string,
+  ): Promise<Record<string, UnitSecretModel>> {
+    const { descriptors, component, secrets, secretContentMap } = await this.getInstanceSecretData(
+      project,
+      instanceId,
+    )
+
+    const missingDescriptors: SecretDescriptor[] = []
+    const result: Record<string, UnitSecretModel> = {}
+
+    for (const descriptor of descriptors) {
+      const secret = secrets[formatSecretDescriptor(descriptor)]
+
+      if (secret) {
+        result[descriptor.secretName] = {
+          [HighstateSignature.Secret]: true,
+          id: secret.id,
+          value: secretContentMap[secret.id],
+        }
+      } else {
+        missingDescriptors.push(descriptor)
+      }
+    }
+
+    const batch = this.stateManager.batch()
+
+    // create missing secrets with empty values
+    for (const descriptor of missingDescriptors) {
+      const secret: Secret = {
+        id: this.random.uuidv7(),
+        meta: {
+          ...component.secrets[descriptor.secretName].meta,
+          icon: component.secrets[descriptor.secretName].meta.icon ?? component.meta.icon,
+        },
+        descriptor,
+      }
+
+      const rawDescriptor = formatSecretDescriptor(descriptor)
+
+      await this.stateManager.getSecretRepository(project.id).putItem(secret, batch)
+      await this.stateManager.getSecretContentRepository(project.id).put(rawDescriptor, null, batch)
+
+      await this.stateManager
+        .getSecretIndexRepository(project.id)
+        .indexRepository.put(rawDescriptor, secret.id, batch)
+
+      result[descriptor.secretName] = {
+        [HighstateSignature.Secret]: true,
+        id: secret.id,
+        value: null,
+      }
+    }
+
+    await batch.write()
+
+    return result
+  }
+
+  private async getInstanceSecretData(project: Project, instanceId: string) {
+    const library = await this.libraryBackend.loadLibrary(project.libraryId)
+
+    const [type] = parseInstanceId(instanceId)
+    const component = library.components[type]
+    if (!component) {
+      throw new Error(`Component type ${type} not found in library`)
+    }
+
+    if (!isUnitModel(component)) {
+      throw new Error(`Component type ${type} is not a unit model`)
+    }
+
+    const descriptors = Object.keys(component.secrets).map(secretName => ({
+      type: "instance" as const,
+      instanceId,
+      secretName,
+    }))
+
+    const indexKeys = descriptors.map(formatSecretDescriptor)
+
+    const secrets = await this.stateManager
+      .getSecretIndexRepository(project.id)
+      .getManyRecord(indexKeys)
+
+    const secretIds = Object.values(secrets)
+      .map(secret => secret?.id)
+      .filter(isNonNullish)
+
+    const secretContentMap = await this.stateManager
+      .getSecretContentRepository(project.id)
+      .getManyRecord(secretIds)
+
+    return {
+      indexKeys,
+      descriptors,
+      component,
+      secrets,
+      secretContentMap,
+    }
+  }
+}