Add global and organization secrets (#1027)

* Implement database changes and store methods for global and organization secrets * Add tests for new store methods * Add organization secret API and UI * Add global secrets API and UI * Add suggestions * Update warning style * Apply suggestions from code review Co-authored-by: Anbraten <anton@ju60.de> * Fix lint warning Co-authored-by: Anbraten <anton@ju60.de>
2025-09-16 02:29:27 +00:00 · 2022-08-14 14:48:53 +03:00
parent bed3ef104c
commit 1ac2c42652
35 changed files with 1777 additions and 130 deletions
--- a/server/model/secret.go
+++ b/server/model/secret.go
@@ -30,29 +30,47 @@ var (

 // SecretService defines a service for managing secrets.
 type SecretService interface {
+	SecretListBuild(*Repo, *Build) ([]*Secret, error)
+	// Repository secrets
 	SecretFind(*Repo, string) (*Secret, error)
 	SecretList(*Repo) ([]*Secret, error)
-	SecretListBuild(*Repo, *Build) ([]*Secret, error)
 	SecretCreate(*Repo, *Secret) error
 	SecretUpdate(*Repo, *Secret) error
 	SecretDelete(*Repo, string) error
+	// Organization secrets
+	OrgSecretFind(string, string) (*Secret, error)
+	OrgSecretList(string) ([]*Secret, error)
+	OrgSecretCreate(string, *Secret) error
+	OrgSecretUpdate(string, *Secret) error
+	OrgSecretDelete(string, string) error
+	// Global secrets
+	GlobalSecretFind(string) (*Secret, error)
+	GlobalSecretList() ([]*Secret, error)
+	GlobalSecretCreate(*Secret) error
+	GlobalSecretUpdate(*Secret) error
+	GlobalSecretDelete(string) error
 }

 // SecretStore persists secret information to storage.
 type SecretStore interface {
 	SecretFind(*Repo, string) (*Secret, error)
-	SecretList(*Repo) ([]*Secret, error)
+	SecretList(*Repo, bool) ([]*Secret, error)
 	SecretCreate(*Secret) error
 	SecretUpdate(*Secret) error
 	SecretDelete(*Secret) error
+	OrgSecretFind(string, string) (*Secret, error)
+	OrgSecretList(string) ([]*Secret, error)
+	GlobalSecretFind(string) (*Secret, error)
+	GlobalSecretList() ([]*Secret, error)
 }

 // Secret represents a secret variable, such as a password or token.
 // swagger:model registry
 type Secret struct {
 	ID         int64          `json:"id"              xorm:"pk autoincr 'secret_id'"`
-	RepoID     int64          `json:"-"               xorm:"UNIQUE(s) INDEX 'secret_repo_id'"`
-	Name       string         `json:"name"            xorm:"UNIQUE(s) INDEX 'secret_name'"`
+	Owner      string         `json:"-"               xorm:"NOT NULL DEFAULT '' UNIQUE(s) INDEX 'secret_owner'"`
+	RepoID     int64          `json:"-"               xorm:"NOT NULL DEFAULT 0 UNIQUE(s) INDEX 'secret_repo_id'"`
+	Name       string         `json:"name"            xorm:"NOT NULL UNIQUE(s) INDEX 'secret_name'"`
 	Value      string         `json:"value,omitempty" xorm:"TEXT 'secret_value'"`
 	Images     []string       `json:"image"           xorm:"json 'secret_images'"`
 	Events     []WebhookEvent `json:"event"           xorm:"json 'secret_events'"`
@@ -65,6 +83,16 @@ func (Secret) TableName() string {
 	return "secrets"
 }

+// Global secret.
+func (s Secret) Global() bool {
+	return s.RepoID == 0 && s.Owner == ""
+}
+
+// Organization secret.
+func (s Secret) Organization() bool {
+	return s.RepoID == 0 && s.Owner != ""
+}
+
 // Match returns true if an image and event match the restricted list.
 func (s *Secret) Match(event WebhookEvent) bool {
 	if len(s.Events) == 0 {
@@ -119,6 +147,7 @@ func (s *Secret) Validate() error {
 func (s *Secret) Copy() *Secret {
 	return &Secret{
 		ID:     s.ID,
+		Owner:  s.Owner,
 		RepoID: s.RepoID,
 		Name:   s.Name,
 		Images: s.Images,