@highstate/backend 0.9.18 → 0.9.19

package/src/business/secret.ts

@@ -1,281 +1,250 @@
 import type { Logger } from "pino"
+import type { DatabaseManager, ProjectTransaction } from "../database"
 import type { LibraryBackend } from "../library"
-import type { StateManager } from "../state"
-import type { InstanceStateService } from "./instance-state"
-import type { RandomProvider } from "../common"
+import type { PubSubManager } from "../pubsub"
+import { randomBytes } from "node:crypto"
+import { isUnitModel, parseInstanceId, type CommonObjectMeta } from "@highstate/contract"
 import {
-  HighstateSignature,
-  isUnitModel,
-  parseInstanceId,
-  type UnitSecretModel,
-} from "@highstate/contract"
-import { isNonNullish } from "remeda"
-import { formatSecretDescriptor, type Project, type Secret, type SecretDescriptor } from "../shared"
+  InstanceStateNotFoundError,
+  InvalidInstanceKindError,
+  ProjectNotFoundError,
+  SystemSecretNames,
+} from "../shared"
 
 export class SecretService {
   constructor(
-    private readonly stateManager: StateManager,
+    private readonly database: DatabaseManager,
+    private readonly pubsubManager: PubSubManager,
     private readonly libraryBackend: LibraryBackend,
-    private readonly instanceStateService: InstanceStateService,
-    private readonly random: RandomProvider,
     private readonly logger: Logger,
   ) {}
 
   /**
-   * Updates secrets for a specific instance, handling both creation/updates and deletions.
-   * Also updates the instance state's secretNames field.
+   * Updates the secrets for a specific instance within an existing transaction.
+   * Only works with unit instances.
    *
-   * @param project The project to which the instance belongs.
-   * @param instanceId The instance ID.
-   * @param changedSecretValues The secrets to create or update.
-   * @param deletedSecretNames The names of secrets to delete.
-   * @param invalidateState Whether to invalidate the instance state after updating secrets.
+   * @param tx The database transaction to use.
+   * @param libraryId The ID of the library containing the component.
+   * @param stateId The ID of the instance state.
+   * @param secretValues The secrets to create or update. Missing secrets will be deleted.
+   * @returns The list of secret names that were updated or created.
    */
-  async updateInstanceSecrets(
-    project: Project,
-    instanceId: string,
-    changedSecretValues: Record<string, unknown>,
-    deletedSecretNames: string[],
-    invalidateState = true,
-  ): Promise<void> {
-    const library = await this.libraryBackend.loadLibrary(project.libraryId)
+  async updateInstanceSecretsCore(
+    tx: ProjectTransaction,
+    libraryId: string,
+    stateId: string,
+    secretValues: Record<string, unknown>,
+  ): Promise<string[]> {
+    // verify instance exists and is a unit
+    const state = await tx.instanceState.findUnique({
+      where: { id: stateId },
+      select: { kind: true, instanceId: true },
+    })
+
+    if (!state) {
+      throw new InstanceStateNotFoundError("", stateId)
+    }
+
+    if (state.kind !== "unit") {
+      throw new InvalidInstanceKindError("", stateId, "unit", state.kind)
+    }
+
+    const library = await this.libraryBackend.loadLibrary(libraryId)
+
+    const [componentType] = parseInstanceId(state.instanceId)
+    const component = library.components[componentType]
 
-    const [type] = parseInstanceId(instanceId)
-    const component = library.components[type]
     if (!component) {
-      throw new Error(`Component type ${type} not found in library`)
+      throw new Error(`Component type "${componentType}" not found in library "${libraryId}"`)
     }
 
     if (!isUnitModel(component)) {
-      throw new Error(`Component type ${type} is not a unit model`)
+      throw new Error(`Component type "${componentType}" is not a unit model`)
     }
 
-    // validate changed secrets
-    for (const secretName of Object.keys(changedSecretValues)) {
-      if (!component.secrets[secretName]) {
-        throw new Error(`Secret ${secretName} not found in component ${type}`)
+    // upsert provided secrets
+    for (const [secretName, value] of Object.entries(secretValues)) {
+      const componentSecret = component.secrets[secretName]
+      if (!componentSecret) {
+        throw new Error(`Secret "${secretName}" not defined in component "${componentType}"`)
       }
-    }
 
-    // validate deleted secrets
-    for (const secretName of deletedSecretNames) {
-      if (!component.secrets[secretName]) {
-        throw new Error(`Secret ${secretName} not found in component ${type}`)
+      const meta: CommonObjectMeta = {
+        ...componentSecret.meta,
+
+        // fallback to component icon if secret icon is not defined
+        icon: componentSecret.meta.icon || component.meta.icon,
+        iconColor: componentSecret.meta.iconColor || component.meta.iconColor,
       }
-    }
 
-    // use a batch for atomic operations
-    await using batch = this.stateManager.batch()
-
-    const secretRepo = this.stateManager.getSecretRepository(project.id)
-    const secretContentRepo = this.stateManager.getSecretContentRepository(project.id)
-    const indexRepo = this.stateManager.getSecretIndexRepository(project.id)
-
-    // process changed secrets
-    for (const [secretName, value] of Object.entries(changedSecretValues)) {
-      const descriptor: SecretDescriptor = { type: "instance", instanceId, secretName }
-      const indexKey = formatSecretDescriptor(descriptor)
-
-      // check if secret already exists
-      const existingSecret = await indexRepo.get(indexKey)
-
-      // create or update secret info
-      const secret: Secret = {
-        id: existingSecret?.id ?? this.random.uuidv7(),
-        descriptor: descriptor,
-        meta: {
-          ...existingSecret?.meta,
-          ...component.secrets[secretName].meta,
-          icon: component.secrets[secretName].meta.icon ?? component.meta.icon,
+      await tx.secret.upsert({
+        where: {
+          stateId_name: {
+            stateId,
+            name: secretName,
+          },
         },
-      }
+        update: {
+          meta,
+          content: value,
+        },
+        create: {
+          stateId,
+          name: secretName,
+          meta,
+          content: value,
+        },
+      })
+    }
 
-      // store secret info and content
-      await secretRepo.putItem(secret, batch)
-      await secretContentRepo.put(indexKey, value, batch)
+    // delete secrets that are no longer provided
+    const providedSecretNames = Object.keys(secretValues)
+    await tx.secret.deleteMany({
+      where: {
+        stateId,
+        name: { notIn: providedSecretNames },
+      },
+    })
 
-      // update index mapping
-      await indexRepo.indexRepository.put(indexKey, secret.id, batch)
-    }
+    return Object.keys(secretValues)
+  }
 
-    // process deleted secrets
-    for (const secretName of deletedSecretNames) {
-      const indexKey = formatSecretDescriptor({ type: "instance", instanceId, secretName })
-
-      // get the secret ID from index
-      const secretId = await indexRepo.indexRepository.get(indexKey)
-      if (secretId) {
-        // delete secret info, content, and index entry
-        await secretRepo.delete(secretId, batch)
-        await secretContentRepo.delete(indexKey, batch)
-        await indexRepo.indexRepository.delete(indexKey, batch)
-      }
+  /**
+   * Updates secrets for a specific instance, handling both creation/updates and deletions.
+   * Only works with unit instances.
+   *
+   * @param projectId The project ID containing the instance.
+   * @param stateId The ID of the instance state.
+   * @param secretValues The secrets to create or update. Missing secrets will be deleted.
+   */
+  async updateInstanceSecrets(
+    projectId: string,
+    stateId: string,
+    secretValues: Record<string, unknown>,
+  ): Promise<void> {
+    const database = await this.database.forProject(projectId)
+
+    const project = await this.database.backend.project.findUnique({
+      where: { id: projectId },
+      select: { libraryId: true },
+    })
+
+    if (!project) {
+      throw new ProjectNotFoundError(projectId)
     }
 
-    // write all changes atomically
-    await batch.write()
+    const statePatch = await database.$transaction(async tx => {
+      await this.updateInstanceSecretsCore(tx, project.libraryId, stateId, secretValues)
 
-    // update instance state secretNames
-    await this.instanceStateService.updateStateSecretNames(
-      project.id,
-      instanceId,
-      Object.keys(changedSecretValues),
-      deletedSecretNames,
-      invalidateState,
-    )
+      // invalidate instance state
+      const state = await tx.instanceState.update({
+        where: { id: stateId },
+        data: { inputHashNonce: randomBytes(4).readInt32LE() },
+        select: { inputHashNonce: true },
+      })
+
+      return { ...state, secretNames: Object.keys(secretValues) }
+    })
+
+    this.pubsubManager.publish(["instance-state", projectId], {
+      type: "patched",
+      stateId,
+      patch: statePatch,
+    })
 
     this.logger.info(
       {
-        projectId: project.id,
-        instanceId,
-        changedCount: Object.keys(changedSecretValues).length,
-        deletedCount: deletedSecretNames.length,
+        projectId,
+        stateId,
+        secretCount: Object.keys(secretValues).length,
       },
-      `updated instance secrets for instance "%s"`,
-      instanceId,
+      "updated instance secrets",
     )
   }
 
   /**
    * Gets the values of all secrets for a specific instance.
+   * Only works with unit instances.
    *
-   * @param project The project to which the instance belongs.
-   * @param instanceId The instance ID.
+   * @param projectId The project ID containing the instance.
+   * @param stateId The ID of the instance state.
    * @returns A record of secret key-value pairs.
    */
   async getInstanceSecretValues(
-    project: Project,
-    instanceId: string,
+    projectId: string,
+    stateId: string,
   ): Promise<Record<string, unknown>> {
-    const { indexKeys, secrets, secretContentMap } = await this.getInstanceSecretData(
-      project,
-      instanceId,
-    )
+    const database = await this.database.forProject(projectId)
 
-    // build the result mapping secret names to values
-    const values: Record<string, unknown> = {}
-    for (const descriptor of indexKeys) {
-      const secret = secrets[descriptor]
-      if (!secret) {
-        continue
-      }
+    // verify instance exists and is a unit
+    const state = await database.instanceState.findUnique({
+      where: { id: stateId },
+      select: { kind: true },
+    })
 
-      const content = secretContentMap[secret.id]
-      if (content) {
-        values[descriptor] = content
-      }
+    if (!state) {
+      throw new InstanceStateNotFoundError(projectId, stateId)
     }
 
-    return secrets
-  }
-
-  /**
-   * Gets the secrets for a specific instance, including metadata.
-   * Will create missing secrets with empty values.
-   *
-   * @param project The project to which the instance belongs.
-   * @param instanceId The instance ID.
-   * @return A record of secret key-value pairs with metadata.
-   */
-  async getUnitSecrets(
-    project: Project,
-    instanceId: string,
-  ): Promise<Record<string, UnitSecretModel>> {
-    const { descriptors, component, secrets, secretContentMap } = await this.getInstanceSecretData(
-      project,
-      instanceId,
-    )
-
-    const missingDescriptors: SecretDescriptor[] = []
-    const result: Record<string, UnitSecretModel> = {}
-
-    for (const descriptor of descriptors) {
-      const secret = secrets[formatSecretDescriptor(descriptor)]
-
-      if (secret) {
-        result[descriptor.secretName] = {
-          [HighstateSignature.Secret]: true,
-          id: secret.id,
-          value: secretContentMap[secret.id],
-        }
-      } else {
-        missingDescriptors.push(descriptor)
-      }
+    if (state.kind !== "unit") {
+      throw new InvalidInstanceKindError(projectId, stateId, "unit", state.kind)
     }
 
-    const batch = this.stateManager.batch()
-
-    // create missing secrets with empty values
-    for (const descriptor of missingDescriptors) {
-      const secret: Secret = {
-        id: this.random.uuidv7(),
-        meta: {
-          ...component.secrets[descriptor.secretName].meta,
-          icon: component.secrets[descriptor.secretName].meta.icon ?? component.meta.icon,
-        },
-        descriptor,
-      }
-
-      const rawDescriptor = formatSecretDescriptor(descriptor)
-
-      await this.stateManager.getSecretRepository(project.id).putItem(secret, batch)
-      await this.stateManager.getSecretContentRepository(project.id).put(rawDescriptor, null, batch)
+    const secrets = await database.secret.findMany({
+      where: {
+        stateId,
+        name: { not: null },
+      },
+    })
 
-      await this.stateManager
-        .getSecretIndexRepository(project.id)
-        .indexRepository.put(rawDescriptor, secret.id, batch)
+    const values: Record<string, unknown> = {}
 
-      result[descriptor.secretName] = {
-        [HighstateSignature.Secret]: true,
-        id: secret.id,
-        value: null,
+    for (const secret of secrets) {
+      if (secret.name) {
+        values[secret.name] = secret.content
       }
     }
 
-    await batch.write()
-
-    return result
+    return values
   }
 
-  private async getInstanceSecretData(project: Project, instanceId: string) {
-    const library = await this.libraryBackend.loadLibrary(project.libraryId)
-
-    const [type] = parseInstanceId(instanceId)
-    const component = library.components[type]
-    if (!component) {
-      throw new Error(`Component type ${type} not found in library`)
-    }
-
-    if (!isUnitModel(component)) {
-      throw new Error(`Component type ${type} is not a unit model`)
-    }
-
-    const descriptors = Object.keys(component.secrets).map(secretName => ({
-      type: "instance" as const,
-      instanceId,
-      secretName,
-    }))
-
-    const indexKeys = descriptors.map(formatSecretDescriptor)
+  /**
+   * Gets or creates the Pulumi password secret for the given project.
+   * Uses the new direct systemName field approach.
+   *
+   * @param projectId The ID of the project for which to get or create the Pulumi password.
+   * @returns The Pulumi password.
+   */
+  async getPulumiPassword(projectId: string): Promise<string> {
+    const database = await this.database.forProject(projectId)
 
-    const secrets = await this.stateManager
-      .getSecretIndexRepository(project.id)
-      .getManyRecord(indexKeys)
+    return await database.$transaction(async tx => {
+      const existingSecret = await tx.secret.findUnique({
+        where: {
+          systemName: SystemSecretNames.PulumiPassword,
+        },
+      })
 
-    const secretIds = Object.values(secrets)
-      .map(secret => secret?.id)
-      .filter(isNonNullish)
+      if (existingSecret) {
+        return existingSecret.content as string
+      }
 
-    const secretContentMap = await this.stateManager
-      .getSecretContentRepository(project.id)
-      .getManyRecord(secretIds)
+      const newPassword = randomBytes(32).toString("hex")
+
+      await tx.secret.create({
+        data: {
+          systemName: SystemSecretNames.PulumiPassword,
+          meta: {
+            title: "Pulumi Password",
+            description: "The password used to encrypt the Pulumi state.",
+            icon: "devicon:pulumi",
+          },
+          content: newPassword,
+        },
+      })
 
-    return {
-      indexKeys,
-      descriptors,
-      component,
-      secrets,
-      secretContentMap,
-    }
+      this.logger.info({ projectId }, "created new Pulumi password")
+      return newPassword
+    })
   }
 }