
Commit 5ece53a

author
root
committed
new secrets module
1 parent a971d2f commit 5ece53a

50 files changed

Lines changed: 4091 additions & 852 deletions


Note.md

Lines changed: 16 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -49,4 +49,19 @@
4949

5050
## Access Portal
5151

52-
免登录访问 saas 系统的控制台
52+
免登录访问 saas 系统的控制台
53+
54+
## 凭据的分布
55+
56+
Secrets(基础设施层)
57+
└── 哑存储:只管加密存取,不懂业务,不知道值是给谁用的
58+
59+
Integrations(业务层)
60+
└── 智能连接器:知道"GitHub 需要什么",管理 API key + endpoint + 客户端安装 + OAuth 等
61+
└── 其中,敏感字段通过 secretRef 指向 Secrets,自己不存明文
62+
63+
Settings(配置层)
64+
└── 非敏感的全局配置
65+
66+
## LLM
67+
- 本地小模型内嵌?

backend/cmd/appos/main.go

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,12 @@
11
package main
22

33
import (
4+
"fmt"
45
"log"
56

67
"github.com/websoft9/appos/backend/internal/hooks"
78
"github.com/websoft9/appos/backend/internal/routes"
9+
"github.com/websoft9/appos/backend/internal/secrets"
810
servers "github.com/websoft9/appos/backend/internal/servers"
911
"github.com/websoft9/appos/backend/internal/worker"
1012

@@ -16,6 +18,13 @@ import (
1618
)
1719

1820
func main() {
21+
if err := secrets.LoadKeyFromEnv(); err != nil {
22+
log.Fatal(fmt.Errorf("secrets init failed: %w", err))
23+
}
24+
if err := secrets.LoadTemplatesFromDefaultPath(); err != nil {
25+
log.Fatal(fmt.Errorf("secrets templates init failed: %w", err))
26+
}
27+
1928
app := pocketbase.New()
2029

2130
// Initialize Asynq worker (created once, shared across app lifecycle)
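Review bot: `log.Fatal(fmt.Errorf("secrets init failed: %w", err))` on the two new lines wraps an error only for log.Fatal to flatten it back to a string; `log.Fatalf("secrets init failed: %v", err)` is the idiom, and if nothing else in main.go uses it, the `fmt` import this hunk adds becomes unnecessary. Whatever text LoadKeyFromEnv returns lands in the process log here, so it should say why the key was rejected (unset, wrong length, bad encoding) without echoing the environment value itself — that function is outside this hunk, so I cannot confirm it behaves that way. Failing before `pocketbase.New()` is the right choice: the server never comes up with an unusable secrets key. main's body continues past the end of the hunk.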

backend/docs/openapi/api.yaml

Lines changed: 2 additions & 132 deletions
Original file line numberDiff line numberDiff line change
@@ -51,6 +51,8 @@ tags:
5151
name: System Cron
5252
- description: Tunnel lifecycle and connectivity management APIs.
5353
name: Tunnel
54+
- description: Secrets lifecycle management — encrypted credential CRUD, template listing, payload rotation, internal resolve, and reveal APIs. Uses PB native collection for storage with application-layer AES-256-GCM encryption.
55+
name: Secrets
5456
- description: Concrete users collection APIs derived from Native Record CRUD actions
5557
name: Users
5658
components:
@@ -3933,138 +3935,6 @@ paths:
39333935
summary: Update resources scripts by id
39343936
tags:
39353937
- Resource
3936-
/api/ext/resources/secrets:
3937-
get:
3938-
operationId: get_api_ext_resources_secrets
3939-
responses:
3940-
"200":
3941-
content:
3942-
application/json:
3943-
schema:
3944-
$ref: '#/components/schemas/SuccessEnvelope'
3945-
description: OK
3946-
"401":
3947-
content:
3948-
application/json:
3949-
schema:
3950-
$ref: '#/components/schemas/ErrorEnvelope'
3951-
description: Unauthorized
3952-
security:
3953-
- bearerAuth: []
3954-
summary: Get resources secrets
3955-
tags:
3956-
- Resource
3957-
post:
3958-
operationId: post_api_ext_resources_secrets
3959-
requestBody:
3960-
content:
3961-
application/json:
3962-
schema:
3963-
$ref: '#/components/schemas/GenericRequest'
3964-
required: false
3965-
responses:
3966-
"200":
3967-
content:
3968-
application/json:
3969-
schema:
3970-
$ref: '#/components/schemas/SuccessEnvelope'
3971-
description: OK
3972-
"401":
3973-
content:
3974-
application/json:
3975-
schema:
3976-
$ref: '#/components/schemas/ErrorEnvelope'
3977-
description: Unauthorized
3978-
security:
3979-
- bearerAuth: []
3980-
summary: Create or execute resources secrets
3981-
tags:
3982-
- Resource
3983-
/api/ext/resources/secrets/{id}:
3984-
delete:
3985-
operationId: delete_api_ext_resources_secrets_id
3986-
parameters:
3987-
- in: path
3988-
name: id
3989-
required: true
3990-
schema:
3991-
type: string
3992-
responses:
3993-
"200":
3994-
content:
3995-
application/json:
3996-
schema:
3997-
$ref: '#/components/schemas/SuccessEnvelope'
3998-
description: OK
3999-
"401":
4000-
content:
4001-
application/json:
4002-
schema:
4003-
$ref: '#/components/schemas/ErrorEnvelope'
4004-
description: Unauthorized
4005-
security:
4006-
- bearerAuth: []
4007-
summary: Delete resources secrets by id
4008-
tags:
4009-
- Resource
4010-
get:
4011-
operationId: get_api_ext_resources_secrets_id
4012-
parameters:
4013-
- in: path
4014-
name: id
4015-
required: true
4016-
schema:
4017-
type: string
4018-
responses:
4019-
"200":
4020-
content:
4021-
application/json:
4022-
schema:
4023-
$ref: '#/components/schemas/SuccessEnvelope'
4024-
description: OK
4025-
"401":
4026-
content:
4027-
application/json:
4028-
schema:
4029-
$ref: '#/components/schemas/ErrorEnvelope'
4030-
description: Unauthorized
4031-
security:
4032-
- bearerAuth: []
4033-
summary: Get resources secrets by id
4034-
tags:
4035-
- Resource
4036-
put:
4037-
operationId: put_api_ext_resources_secrets_id
4038-
parameters:
4039-
- in: path
4040-
name: id
4041-
required: true
4042-
schema:
4043-
type: string
4044-
requestBody:
4045-
content:
4046-
application/json:
4047-
schema:
4048-
$ref: '#/components/schemas/GenericRequest'
4049-
required: false
4050-
responses:
4051-
"200":
4052-
content:
4053-
application/json:
4054-
schema:
4055-
$ref: '#/components/schemas/SuccessEnvelope'
4056-
description: OK
4057-
"401":
4058-
content:
4059-
application/json:
4060-
schema:
4061-
$ref: '#/components/schemas/ErrorEnvelope'
4062-
description: Unauthorized
4063-
security:
4064-
- bearerAuth: []
4065-
summary: Update resources secrets by id
4066-
tags:
4067-
- Resource
40683938
/api/ext/services:
40693939
get:
40703940
description: Returns all supervisord programs with runtime status (RUNNING/STOPPED/etc.) and CPU/memory usage. Superuser only.
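Review bot: The new Secrets tag description names `internal resolve` and `reveal` APIs but says nothing about who may call them, whereas every removed /api/ext/resources/secrets operation at least declared `bearerAuth`; the replacement /api/secrets/* operations are not in this hunk (the page hides part of the commit), so their security requirements cannot be checked here. Since reveal hands back decrypted credentials, the tag text should state the restriction explicitly, e.g. append `Reveal and resolve return decrypted material and are limited to superusers / internal callers; responses must not be cached.`, adjusted to whatever the routes actually enforce. The key behind the AES-256-GCM encryption also deserves a sentence, since an operator reading this spec cannot tell it is loaded from the environment at startup.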

backend/docs/openapi/ext-api.yaml

Lines changed: 2 additions & 127 deletions
Original file line numberDiff line numberDiff line change
@@ -41,6 +41,8 @@ tags:
4141
description: "Host metrics, file browser and system shell utility endpoints."
4242
- name: Tunnel
4343
description: "Tunnel lifecycle and connectivity management APIs."
44+
- name: Secrets
45+
description: "Secrets lifecycle management — encrypted credential CRUD, template listing, payload rotation, internal resolve, and reveal APIs. Uses PB native collection for storage with application-layer AES-256-GCM encryption."
4446

4547
components:
4648
securitySchemes:
@@ -3235,133 +3237,6 @@ paths:
32353237
application/json:
32363238
schema:
32373239
$ref: '#/components/schemas/ErrorEnvelope'
3238-
/api/ext/resources/secrets:
3239-
get:
3240-
tags: [Resource]
3241-
summary: Get resources secrets
3242-
operationId: get_api_ext_resources_secrets
3243-
security:
3244-
- bearerAuth: [] # superuser required
3245-
responses:
3246-
"200":
3247-
description: OK
3248-
content:
3249-
application/json:
3250-
schema:
3251-
$ref: '#/components/schemas/SuccessEnvelope'
3252-
"401":
3253-
description: Unauthorized
3254-
content:
3255-
application/json:
3256-
schema:
3257-
$ref: '#/components/schemas/ErrorEnvelope'
3258-
post:
3259-
tags: [Resource]
3260-
summary: Create or execute resources secrets
3261-
operationId: post_api_ext_resources_secrets
3262-
requestBody:
3263-
required: false
3264-
content:
3265-
application/json:
3266-
schema:
3267-
$ref: '#/components/schemas/GenericRequest'
3268-
security:
3269-
- bearerAuth: [] # superuser required
3270-
responses:
3271-
"200":
3272-
description: OK
3273-
content:
3274-
application/json:
3275-
schema:
3276-
$ref: '#/components/schemas/SuccessEnvelope'
3277-
"401":
3278-
description: Unauthorized
3279-
content:
3280-
application/json:
3281-
schema:
3282-
$ref: '#/components/schemas/ErrorEnvelope'
3283-
/api/ext/resources/secrets/{id}:
3284-
delete:
3285-
tags: [Resource]
3286-
summary: Delete resources secrets by id
3287-
operationId: delete_api_ext_resources_secrets_id
3288-
parameters:
3289-
- name: id
3290-
in: path
3291-
required: true
3292-
schema:
3293-
type: string
3294-
security:
3295-
- bearerAuth: [] # superuser required
3296-
responses:
3297-
"200":
3298-
description: OK
3299-
content:
3300-
application/json:
3301-
schema:
3302-
$ref: '#/components/schemas/SuccessEnvelope'
3303-
"401":
3304-
description: Unauthorized
3305-
content:
3306-
application/json:
3307-
schema:
3308-
$ref: '#/components/schemas/ErrorEnvelope'
3309-
get:
3310-
tags: [Resource]
3311-
summary: Get resources secrets by id
3312-
operationId: get_api_ext_resources_secrets_id
3313-
parameters:
3314-
- name: id
3315-
in: path
3316-
required: true
3317-
schema:
3318-
type: string
3319-
security:
3320-
- bearerAuth: [] # superuser required
3321-
responses:
3322-
"200":
3323-
description: OK
3324-
content:
3325-
application/json:
3326-
schema:
3327-
$ref: '#/components/schemas/SuccessEnvelope'
3328-
"401":
3329-
description: Unauthorized
3330-
content:
3331-
application/json:
3332-
schema:
3333-
$ref: '#/components/schemas/ErrorEnvelope'
3334-
put:
3335-
tags: [Resource]
3336-
summary: Update resources secrets by id
3337-
operationId: put_api_ext_resources_secrets_id
3338-
parameters:
3339-
- name: id
3340-
in: path
3341-
required: true
3342-
schema:
3343-
type: string
3344-
requestBody:
3345-
required: false
3346-
content:
3347-
application/json:
3348-
schema:
3349-
$ref: '#/components/schemas/GenericRequest'
3350-
security:
3351-
- bearerAuth: [] # superuser required
3352-
responses:
3353-
"200":
3354-
description: OK
3355-
content:
3356-
application/json:
3357-
schema:
3358-
$ref: '#/components/schemas/SuccessEnvelope'
3359-
"401":
3360-
description: Unauthorized
3361-
content:
3362-
application/json:
3363-
schema:
3364-
$ref: '#/components/schemas/ErrorEnvelope'
33653240
/api/ext/services:
33663241
get:
33673242
tags: [Services]
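Review bot: The removed operations carried an explicit `# superuser required` beside each `bearerAuth` entry, and the tag that replaces them records no such constraint for the reveal and resolve endpoints it advertises. Those are the endpoints that return plaintext credentials, so the requirement should be carried forward, either in the tag description or as a comment on each /api/secrets/* operation once it is declared: `# superuser required — returns decrypted payload`. The /api/secrets/* paths are not in this hunk, so whether this file declares them at all is not visible here.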

backend/docs/openapi/group-matrix.yaml

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -311,4 +311,24 @@ groups:
311311
- tunnel.go
312312
nativeRefs: []
313313

314+
- group: Secrets
315+
description: Secrets lifecycle management — encrypted credential CRUD, template listing, payload rotation, internal resolve, and reveal APIs. Uses PB native collection for storage with application-layer AES-256-GCM encryption.
316+
apiType: Mixed
317+
extSurface:
318+
- GET /api/secrets/templates
319+
- PUT /api/secrets/{id}/payload
320+
- POST /api/secrets/resolve
321+
- GET /api/secrets/{id}/reveal
322+
nativeSurface:
323+
- GET /api/collections/secrets/records
324+
- POST /api/collections/secrets/records
325+
- GET /api/collections/secrets/records/{id}
326+
- PATCH /api/collections/secrets/records/{id}
327+
- DELETE /api/collections/secrets/records/{id}
328+
sources:
329+
extRouteFiles:
330+
- secrets.go
331+
nativeRefs:
332+
- https://pocketbase.io/docs/api-records/#crud-actions
333+
314334
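Review bot: nativeSurface lists the stock PocketBase record CRUD for the `secrets` collection, which by default returns every record field on GET/list and accepts any field on PATCH, so unless a hook intervenes the encrypted payload column is readable and writable outside the `PUT /api/secrets/{id}/payload` rotation path and the `reveal` endpoint. The commit does register `secrets.RegisterHooks` in hooks.go, which presumably covers this, but the matrix is the document that describes the exposed surface and should say so: add a line such as `# payload field is stripped from native reads and rejected on native PATCH (secrets hooks)` under nativeSurface. If `POST /api/secrets/resolve` is internal-only, as the description states, it should be marked as such here rather than listed as ordinary ext surface.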

backend/internal/hooks/hooks.go

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,7 @@ import (
1313
"github.com/pocketbase/pocketbase/apis"
1414
"github.com/pocketbase/pocketbase/core"
1515
"github.com/websoft9/appos/backend/internal/audit"
16+
"github.com/websoft9/appos/backend/internal/secrets"
1617
"github.com/websoft9/appos/backend/internal/settings"
1718
)
1819

@@ -40,6 +41,7 @@ func Register(app *pocketbase.PocketBase) {
4041
registerSuperuserHooks(app)
4142
registerUserAuditHooks(app)
4243
registerLoginAuditHooks(app)
44+
secrets.RegisterHooks(app)
4345
}
4446

4547
// registerAppHooks registers hooks related to the apps collection.
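Review bot: `secrets.RegisterHooks(app)` is added with no comment, while the neighbouring registrations are named after what they do (superuser, user audit, login audit); a reader of Register cannot tell that this call is what guards the secrets collection's native record surface, if that is indeed what it does — RegisterHooks is outside this hunk. A one-line comment would make the dependency visible: `// secrets: guard the secrets collection on native record CRUD (see internal/secrets)`. Register's body is fully inside the hunk.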

backend/internal/migrations/1740000000_create_resource_collections.go

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -44,6 +44,15 @@ func init() {
4444
secrets.Fields.Add(&core.TextField{
4545
Name: "description",
4646
})
47+
secrets.Fields.Add(&core.AutodateField{
48+
Name: "created",
49+
OnCreate: true,
50+
})
51+
secrets.Fields.Add(&core.AutodateField{
52+
Name: "updated",
53+
OnCreate: true,
54+
OnUpdate: true,
55+
})
4756
secrets.AddIndex("idx_secrets_name", true, "name", "")
4857

4958
if err := app.Save(secrets); err != nil {
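Review bot: These fields are being added to the already-numbered migration 1740000000_create_resource_collections.go rather than to a new migration, so any database that has already run it keeps a `secrets` collection without `created`/`updated`, and the two copies of the schema diverge silently. If this migration has been applied anywhere outside development, the fields belong in a new migration that loads the collection and saves it again; if it has not shipped, a comment saying so (`// safe to edit: migration not yet released`) would stop the next reviewer asking. The hunk shows the `description` text field and the unique index on `name`, but not the field that holds the ciphertext or the collection's API rules, so whether the payload is readable through the native records API cannot be judged from here. The enclosing init() starts before the hunk.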
