PyPI - datasette-secrets - Versions diffs - 0.1a0__tar.gz → 0.1a2__tar.gz - Mend

datasette-secrets 0.1a0tar.gz → 0.1a2tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of datasette-secrets might be problematic. Click here for more details.

Files changed (16) hide show

{datasette_secrets-0.1a0 → datasette_secrets-0.1a2}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: datasette-secrets
-Version: 0.1a0
+Version: 0.1a2
 Summary: Manage secrets such as API keys for use with other Datasette plugins
 Author: Datasette
 License: Apache-2.0
@@ -105,6 +105,8 @@ datasette data.db --internal internal.db \
 users with the `manage-secrets` permission will see a new "Manage secrets" link in the Datasette navigation menu. This interface can also be accessed at `/-/secrets`.
+The page with the list of secrets will show the user who last updated each secret. This will use the [actors_from_ids()](https://docs.datasette.io/en/latest/plugin_hooks.html#actors-from-ids-datasette-actor-ids) mechanism, displaying the actor's `username` if available, otherwise the `name`, otherwise the `id`.
 ## For plugin authors
 Plugins can depend on this plugin if they want to implement secrets.
@@ -121,11 +123,24 @@ from datasette_secrets import Secret
 def register_secrets():
     return [
         Secret(
-            "OPENAI_API_KEY",
-            'An OpenAI API key. Get them from <a href="https://platform.openai.com/api-keys">here</a>.',
+            name="OPENAI_API_KEY",
+            description="An OpenAI API key"
+        ),
+    ]
+```
+You can also provide optional `obtain_url` and `obtain_label` fields to link to a page where a user can obtain an API key:
+```python
+@hookimpl
+def register_secrets():
+    return [
+        Secret(
+            name="OPENAI_API_KEY",
+            obtain_url="https://platform.openai.com/api-keys",
+            obtain_label="Get an OpenAI API key"
         ),
     ]
 ```
 The hook can take an optional `datasette` argument. It can return a list or an `async def` function that, when awaited, returns a list.
 The list should consist of `Secret()` instances, each with a name and an optional description. The description can contain HTML.
@@ -135,12 +150,14 @@ To obtain the current value of the secret, use the `await get_secret()` method:
 ```python
 from datasette_secrets import get_secret
-secret = await get_secret(datasette, "OPENAI_API_KEY")
+# Third argument is the actor_id, optional
+secret = await get_secret(datasette, "OPENAI_API_KEY", "root")
 ```
 If the Datasette administrator set a `DATASETTE_SECRETS_OPENAI_API_KEY` environment variable, that will be returned.
 Otherwise the encrypted value in the database table will be decrypted and returned - or `None` if there is no configured secret.
+The `last_used_at` column is updated every time a secret is accessed. The `last_used_by` column will be set to the actor ID passed to `get_secret()`, or `null` if no actor ID was passed.
 ## Development

{datasette_secrets-0.1a0 → datasette_secrets-0.1a2}/README.md RENAMED Viewed

@@ -84,6 +84,8 @@ datasette data.db --internal internal.db \
 users with the `manage-secrets` permission will see a new "Manage secrets" link in the Datasette navigation menu. This interface can also be accessed at `/-/secrets`.
+The page with the list of secrets will show the user who last updated each secret. This will use the [actors_from_ids()](https://docs.datasette.io/en/latest/plugin_hooks.html#actors-from-ids-datasette-actor-ids) mechanism, displaying the actor's `username` if available, otherwise the `name`, otherwise the `id`.
 ## For plugin authors
 Plugins can depend on this plugin if they want to implement secrets.
@@ -100,11 +102,24 @@ from datasette_secrets import Secret
 def register_secrets():
     return [
         Secret(
-            "OPENAI_API_KEY",
-            'An OpenAI API key. Get them from <a href="https://platform.openai.com/api-keys">here</a>.',
+            name="OPENAI_API_KEY",
+            description="An OpenAI API key"
+        ),
+    ]
+```
+You can also provide optional `obtain_url` and `obtain_label` fields to link to a page where a user can obtain an API key:
+```python
+@hookimpl
+def register_secrets():
+    return [
+        Secret(
+            name="OPENAI_API_KEY",
+            obtain_url="https://platform.openai.com/api-keys",
+            obtain_label="Get an OpenAI API key"
         ),
     ]
 ```
 The hook can take an optional `datasette` argument. It can return a list or an `async def` function that, when awaited, returns a list.
 The list should consist of `Secret()` instances, each with a name and an optional description. The description can contain HTML.
@@ -114,12 +129,14 @@ To obtain the current value of the secret, use the `await get_secret()` method:
 ```python
 from datasette_secrets import get_secret
-secret = await get_secret(datasette, "OPENAI_API_KEY")
+# Third argument is the actor_id, optional
+secret = await get_secret(datasette, "OPENAI_API_KEY", "root")
 ```
 If the Datasette administrator set a `DATASETTE_SECRETS_OPENAI_API_KEY` environment variable, that will be returned.
 Otherwise the encrypted value in the database table will be decrypted and returned - or `None` if there is no configured secret.
+The `last_used_at` column is updated every time a secret is accessed. The `last_used_by` column will be set to the actor ID passed to `get_secret()`, or `null` if no actor ID was passed.
 ## Development

{datasette_secrets-0.1a0 → datasette_secrets-0.1a2}/datasette_secrets/__init__.py RENAMED Viewed

@@ -13,7 +13,7 @@ MAX_NOTE_LENGTH = 100
 pm.add_hookspecs(hookspecs)
-async def get_secret(datasette, secret_name):
+async def get_secret(datasette, secret_name, actor_id=None):
     secrets_by_name = {secret.name: secret for secret in await get_secrets(datasette)}
     if secret_name not in secrets_by_name:
         return None
@@ -24,23 +24,40 @@ async def get_secret(datasette, secret_name):
     # Now look it up in the database
     config = get_config(datasette)
     db = get_database(datasette)
-    encrypted = (
+    db_secret = (
         await db.execute(
-            "select encrypted from datasette_secrets where name = ? order by version desc limit 1",
+            "select id, encrypted from datasette_secrets where name = ? order by version desc limit 1",
             (secret_name,),
         )
     ).first()
-    if not encrypted:
+    if not db_secret:
         return None
     key = Fernet(config["encryption_key"].encode("utf-8"))
-    decrypted = key.decrypt(encrypted["encrypted"])
+    decrypted = key.decrypt(db_secret["encrypted"])
+    # Update the last used timestamp and actor_id
+    params = (actor_id, db_secret["id"])
+    if not actor_id:
+        params = (db_secret["id"],)
+    await db.execute_write(
+        """
+        update datasette_secrets
+        set last_used_at = datetime('now'),
+            last_used_by = {}
+        where id = ?
+        """.format(
+            "?" if actor_id else "null"
+        ),
+        params,
+    )
     return decrypted.decode("utf-8")
 @dataclasses.dataclass
 class Secret:
     name: str
-    description_html: Optional[str] = None
+    description: Optional[str] = None
+    obtain_url: Optional[str] = None
+    obtain_label: Optional[str] = None
 SCHEMA = """
@@ -51,7 +68,6 @@ create table if not exists datasette_secrets (
     version integer not null default 1,
     encrypted blob,
     encryption_key_name text not null,
-    redacted text,
     created_at text,
     created_by text,
     updated_at text,
@@ -100,25 +116,20 @@ def register_permissions(datasette):
 async def get_secrets(datasette):
     secrets = []
+    seen = set()
     for result in pm.hook.register_secrets(datasette=datasette):
         result = await await_me_maybe(result)
-        secrets.extend(result)
+        for secret in result:
+            if secret.name in seen:
+                continue  # Skip duplicates
+            seen.add(secret.name)
+            secrets.append(secret)
     # if not secrets:
     secrets.append(Secret("EXAMPLE_SECRET", "An example secret"))
     return secrets
-@hookimpl
-def register_secrets():
-    return [
-        Secret(
-            "OPENAI_API_KEY",
-            'An OpenAI API key. Get them from <a href="https://platform.openai.com/api-keys">here</a>.',
-        ),
-    ]
 @hookimpl
 def register_commands(cli):
     @cli.group()
@@ -169,6 +180,16 @@ async def secrets_index(datasette, request):
         list(environment_secrets_names),
     )
     existing_secrets = {row["name"]: dict(row) for row in existing_secrets_result.rows}
+    # Try to turn updated_by into actors
+    actors = await datasette.actors_from_ids(
+        {row["updated_by"] for row in existing_secrets.values() if row["updated_by"]}
+    )
+    for secret in existing_secrets.values():
+        if secret["updated_by"]:
+            actor = actors.get(secret["updated_by"])
+            if actor:
+                display = actor.get("username") or actor.get("name") or actor.get("id")
+                secret["updated_by"] = display
     unset_secrets = [
         secret
         for secret in all_secrets

{datasette_secrets-0.1a0 → datasette_secrets-0.1a2}/datasette_secrets/templates/secrets_index.html RENAMED Viewed

@@ -25,7 +25,10 @@
 <ul>
   {% for secret in unset_secrets %}
     <li><strong><a href="{{ urls.path("/-/secrets/") }}{{ secret.name }}">{{ secret.name }}</a></strong>
-    {% if secret.description_html %} - {{ secret.description_html|safe }}{% endif %}</li>
+    {% if secret.description or secret.obtain_label %}
+      - {{ secret.description or "" }}{% if secret.description and secret.obtain_label %}, {% endif %}
+      {% if secret.obtain_label %}<a href="{{ secret.obtain_url }}">{{ secret.obtain_label }}</a>{% endif %}
+    {% endif %}</li>
   {% endfor %}
 </ul>
 {% endif %}
@@ -34,7 +37,7 @@
 <p style="margin-top: 2em">The following secret{% if environment_secrets|length == 1 %} is{% else %}s are{% endif %} set using environment variables:</p>
 <ul>
   {% for secret in environment_secrets %}
-    <li><strong>{{ secret.name }}</a></strong>- {{ secret.description_html|safe }}<br>
+    <li><strong>{{ secret.name }}</a></strong>{% if secret.description %} - {{ secret.description }}{% endif %}<br>
       <span style="font-size: 0.8 em">Set by <code>DATASETTE_SECRETS_{{ secret.name }}</code></span></li>
   {% endfor %}
 </ul>

{datasette_secrets-0.1a0 → datasette_secrets-0.1a2}/datasette_secrets/templates/secrets_update.html RENAMED Viewed

@@ -9,8 +9,10 @@
 {% block content %}
 <h1>{% if current_secret %}Update{% else %}Add{% endif %} secret: {{ secret_name }}</h1>
-{% if secret_details and secret_details.description_html %}
-  <p>{{ secret_details.description_html|safe }}</p>
+{% if secret_details.description or secret_details.obtain_label %}
+  <p>{{ secret_details.description or "" }}{% if secret_details.description and secret_details.obtain_label %}. {% endif %}
+  {% if secret_details.obtain_label %}<a href="{{ secret_details.obtain_url }}">{{ secret_details.obtain_label }}</a>{% endif %}
+  </p>
 {% endif %}
 {% if error %}

{datasette_secrets-0.1a0 → datasette_secrets-0.1a2}/datasette_secrets.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: datasette-secrets
-Version: 0.1a0
+Version: 0.1a2
 Summary: Manage secrets such as API keys for use with other Datasette plugins
 Author: Datasette
 License: Apache-2.0
@@ -105,6 +105,8 @@ datasette data.db --internal internal.db \
 users with the `manage-secrets` permission will see a new "Manage secrets" link in the Datasette navigation menu. This interface can also be accessed at `/-/secrets`.
+The page with the list of secrets will show the user who last updated each secret. This will use the [actors_from_ids()](https://docs.datasette.io/en/latest/plugin_hooks.html#actors-from-ids-datasette-actor-ids) mechanism, displaying the actor's `username` if available, otherwise the `name`, otherwise the `id`.
 ## For plugin authors
 Plugins can depend on this plugin if they want to implement secrets.
@@ -121,11 +123,24 @@ from datasette_secrets import Secret
 def register_secrets():
     return [
         Secret(
-            "OPENAI_API_KEY",
-            'An OpenAI API key. Get them from <a href="https://platform.openai.com/api-keys">here</a>.',
+            name="OPENAI_API_KEY",
+            description="An OpenAI API key"
+        ),
+    ]
+```
+You can also provide optional `obtain_url` and `obtain_label` fields to link to a page where a user can obtain an API key:
+```python
+@hookimpl
+def register_secrets():
+    return [
+        Secret(
+            name="OPENAI_API_KEY",
+            obtain_url="https://platform.openai.com/api-keys",
+            obtain_label="Get an OpenAI API key"
         ),
     ]
 ```
 The hook can take an optional `datasette` argument. It can return a list or an `async def` function that, when awaited, returns a list.
 The list should consist of `Secret()` instances, each with a name and an optional description. The description can contain HTML.
@@ -135,12 +150,14 @@ To obtain the current value of the secret, use the `await get_secret()` method:
 ```python
 from datasette_secrets import get_secret
-secret = await get_secret(datasette, "OPENAI_API_KEY")
+# Third argument is the actor_id, optional
+secret = await get_secret(datasette, "OPENAI_API_KEY", "root")
 ```
 If the Datasette administrator set a `DATASETTE_SECRETS_OPENAI_API_KEY` environment variable, that will be returned.
 Otherwise the encrypted value in the database table will be decrypted and returned - or `None` if there is no configured secret.
+The `last_used_at` column is updated every time a secret is accessed. The `last_used_by` column will be set to the actor ID passed to `get_secret()`, or `null` if no actor ID was passed.
 ## Development

{datasette_secrets-0.1a0 → datasette_secrets-0.1a2}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "datasette-secrets"
-version = "0.1a0"
+version = "0.1a2"
 description = "Manage secrets such as API keys for use with other Datasette plugins"
 readme = "README.md"
 authors = [{name = "Datasette"}]

{datasette_secrets-0.1a0 → datasette_secrets-0.1a2}/tests/test_secrets.py RENAMED Viewed

@@ -1,8 +1,10 @@
 from click.testing import CliRunner
 from cryptography.fernet import Fernet
+from datasette import hookimpl
 from datasette.app import Datasette
 from datasette.cli import cli
-from datasette_secrets import get_secret
+from datasette.plugins import pm
+from datasette_secrets import get_secret, Secret
 import pytest
 from unittest.mock import ANY
@@ -21,6 +23,69 @@ def test_generate_command():
     assert key.decrypt(key.encrypt(message)) == message
+@pytest.fixture
+def use_actors_plugin():
+    class ActorPlugin:
+        __name__ = "ActorPlugin"
+        @hookimpl
+        def actors_from_ids(self, actor_ids):
+            return {
+                id: {
+                    "id": id,
+                    "username": id.upper(),
+                }
+                for id in actor_ids
+            }
+    pm.register(ActorPlugin(), name="ActorPlugin")
+    yield
+    pm.unregister(name="ActorPlugin")
+@pytest.fixture
+def register_multiple_secrets():
+    class SecretOnePlugin:
+        __name__ = "SecretOnePlugin"
+        @hookimpl
+        def register_secrets(self):
+            return [
+                Secret(
+                    name="OPENAI_API_KEY",
+                    obtain_url="https://platform.openai.com/api-keys",
+                    obtain_label="Get an OpenAI API key",
+                ),
+                Secret(
+                    name="ANTHROPIC_API_KEY", description="A key for Anthropic's API"
+                ),
+            ]
+    class SecretTwoPlugin:
+        __name__ = "SecretTwoPlugin"
+        @hookimpl
+        def register_secrets(self):
+            return [
+                Secret(
+                    name="OPENAI_API_KEY",
+                    description="Just a description but should be ignored",
+                ),
+                Secret(
+                    name="OPENCAGE_API_KEY",
+                    description="The OpenCage Geocoder",
+                    obtain_url="https://opencagedata.com/dashboard",
+                    obtain_label="Get an OpenCage API key",
+                ),
+            ]
+    pm.register(SecretTwoPlugin(), name="SecretTwoPlugin")
+    pm.register(SecretOnePlugin(), name="SecretOnePlugin")
+    yield
+    pm.unregister(name="SecretOnePlugin")
+    pm.unregister(name="SecretTwoPlugin")
 @pytest.fixture
 def ds():
     return Datasette(
@@ -65,7 +130,7 @@ async def test_permissions(ds, path, verb, data, user):
 @pytest.mark.asyncio
-async def test_set_secret(ds):
+async def test_set_secret(ds, use_actors_plugin):
     cookies = {"ds_actor": ds.client.actor_cookie({"id": "admin"})}
     get_response = await ds.client.get("/-/secrets/EXAMPLE_SECRET", cookies=cookies)
     csrftoken = get_response.cookies["ds_csrftoken"]
@@ -88,7 +153,6 @@ async def test_set_secret(ds):
             "version": 1,
             "encrypted": ANY,
             "encryption_key_name": "default",
-            "redacted": None,
             "created_at": ANY,
             "created_by": "admin",
             "updated_at": ANY,
@@ -105,6 +169,13 @@ async def test_set_secret(ds):
     decrypted = key.decrypt(encrypted)
     assert decrypted == b"new-secret-value"
+    # Check that the listing is as expected, including showing the actor username
+    response = await ds.client.get("/-/secrets", cookies=cookies)
+    assert response.status_code == 200
+    assert "EXAMPLE_SECRET" in response.text
+    assert "new-note" in response.text
+    assert "<td>ADMIN</td>" in response.text
     # Now let's edit it
     post_response2 = await ds.client.post(
         "/-/secrets/EXAMPLE_SECRET",
@@ -128,7 +199,6 @@ async def test_set_secret(ds):
         "version": 2,
         "encrypted": ANY,
         "encryption_key_name": "default",
-        "redacted": None,
         "created_at": ANY,
         "created_by": "admin",
         "updated_at": ANY,
@@ -147,6 +217,11 @@ async def test_get_secret(ds, monkeypatch):
     get_response = await ds.client.get("/-/secrets/EXAMPLE_SECRET", cookies=cookies)
     csrftoken = get_response.cookies["ds_csrftoken"]
     cookies["ds_csrftoken"] = csrftoken
+    db = ds.get_internal_database()
+    # Reset state
+    await db.execute_write(
+        "update datasette_secrets set last_used_at = null, last_used_by = null"
+    )
     post_response = await ds.client.post(
         "/-/secrets/EXAMPLE_SECRET",
         cookies=cookies,
@@ -158,9 +233,73 @@ async def test_get_secret(ds, monkeypatch):
     )
     assert post_response.status_code == 302
+    assert await get_secret(ds, "EXAMPLE_SECRET", "actor") == "manually-set-secret"
+    # Should have updated last_used_at and last_used_by
+    secret = (
+        await db.execute(
+            "select * from datasette_secrets where name = ? order by version desc limit 1",
+            ["EXAMPLE_SECRET"],
+        )
+    ).first()
+    assert secret["last_used_by"] == "actor"
+    assert secret["last_used_at"] is not None
+    # Calling again without actor ID should set that to null
     assert await get_secret(ds, "EXAMPLE_SECRET") == "manually-set-secret"
+    secret2 = (
+        await db.execute(
+            "select * from datasette_secrets where name = ? order by version desc limit 1",
+            ["EXAMPLE_SECRET"],
+        )
+    ).first()
+    assert secret2["last_used_by"] is None
     # Now over-ride with an environment variable
     monkeypatch.setenv("DATASETTE_SECRETS_EXAMPLE_SECRET", "from env")
     assert await get_secret(ds, "EXAMPLE_SECRET") == "from env"
+    # And check that it's shown that way on the /-/secrets page
+    response = await ds.client.get("/-/secrets", cookies=cookies)
+    assert response.status_code == 200
+    expected_html = """
+    <li><strong>EXAMPLE_SECRET</a></strong> - An example secret<br>
+      <span style="font-size: 0.8 em">Set by <code>DATASETTE_SECRETS_EXAMPLE_SECRET</code></span></li>
+    """
+    assert remove_whitespace(expected_html) in remove_whitespace(response.text)
+@pytest.mark.asyncio
+async def test_secret_index_page(ds, register_multiple_secrets):
+    response = await ds.client.get(
+        "/-/secrets",
+        cookies={
+            "ds_actor": ds.client.actor_cookie({"id": "admin"}),
+        },
+    )
+    assert response.status_code == 200
+    expected_html = """
+    <p style="margin-top: 2em">The following secrets have not been set:</p>
+    <ul>
+        <li><strong><a href="/-/secrets/OPENAI_API_KEY">OPENAI_API_KEY</a></strong>
+        -
+        <a href="https://platform.openai.com/api-keys">Get an OpenAI API key</a>
+        </li>
+        <li><strong><a href="/-/secrets/ANTHROPIC_API_KEY">ANTHROPIC_API_KEY</a></strong>
+        - A key for Anthropic&#39;s API
+        </li>
+        <li><strong><a href="/-/secrets/OPENCAGE_API_KEY">OPENCAGE_API_KEY</a></strong>
+        - The OpenCage Geocoder,
+        <a href="https://opencagedata.com/dashboard">Get an OpenCage API key</a>
+        </li>
+        <li><strong><a href="/-/secrets/EXAMPLE_SECRET">EXAMPLE_SECRET</a></strong>
+        - An example secret
+        </li>
+    </ul>
+    """
+    assert remove_whitespace(expected_html) in remove_whitespace(response.text)
+def remove_whitespace(s):
+    return " ".join(s.split())