Update Processor pattern used in secret updation

Author: dhruv-droid-r2

executor/migrations/0046_secret_secret_executor_se_key_60cc82_idx_and_more.py

@@ -1,4 +1,4 @@
-# Generated by Django 4.1.13 on 2025-03-04 12:00
+# Generated by Django 4.1.13 on 2025-03-05 09:24
 
 from django.conf import settings
 from django.db import migrations, models
@@ -10,8 +10,8 @@
 class Migration(migrations.Migration):
 
     dependencies = [
-        ('accounts', '0003_accountuseroauth2sessioncodestore'),
         migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('accounts', '0003_accountuseroauth2sessioncodestore'),
         ('executor', '0045_upgrade_step_relation_conditions'),
     ]
 
@@ -20,7 +20,6 @@ class Migration(migrations.Migration):
             name='Secret',
             fields=[
                 ('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
-                ('name', models.CharField(help_text='Human-readable name', max_length=255)),
                 ('key', models.CharField(help_text='Reference key for the secret', max_length=255)),
                 ('value', encrypted_model_fields.fields.EncryptedTextField()),
                 ('created_at', models.DateTimeField(auto_now_add=True)),

executor/models.py

@@ -676,7 +676,6 @@ def proto(self) -> PlaybookStepRelationExecutionLogProto:
 
 class Secret(models.Model):
     id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
-    name = models.CharField(max_length=255, help_text="Human-readable name")
     key = models.CharField(max_length=255, help_text="Reference key for the secret")
     value = EncryptedTextField()
     account = models.ForeignKey('accounts.Account', on_delete=models.CASCADE)

executor/secrets/crud/__init__.py

@@ -0,0 +1 @@
+

executor/secrets/crud/secrets_update_processor.py

@@ -0,0 +1,60 @@
+import logging
+
+from executor.models import Secret
+from protos.secrets.api_pb2 import UpdateSecretOp
+from utils.update_processor_mixin import UpdateProcessorMixin
+
+logger = logging.getLogger(__name__)
+
+
+class SecretsUpdateProcessor(UpdateProcessorMixin):
+    update_op_cls = UpdateSecretOp
+
+    @staticmethod
+    def update_secret(elem: Secret, update_op: UpdateSecretOp.UpdateSecret) -> Secret:
+        """Update a secret's description and/or value"""
+        update_fields = ['updated_at']
+        
+        # Update description if provided and has a value
+        if hasattr(update_op, 'description') and update_op.description.value:
+            elem.description = update_op.description.value
+            update_fields.append('description')
+            
+        # Update value if provided and has a value
+        if hasattr(update_op, 'value') and update_op.value.value:
+            elem.value = update_op.value.value
+            update_fields.append('value')
+        
+        logger.info(f"Updating secret {elem.key} with fields: {update_fields}, {len(update_fields)}")
+        if len(update_fields) > 1:  # Only save if we have fields to update
+            try:
+                elem.save(update_fields=update_fields)
+            except Exception as ex:
+                logger.exception(f"Error occurred updating secret {elem.key}")
+                raise Exception(f"Error updating secret: {str(ex)}")
+                
+        return elem
+
+    @staticmethod
+    def update_secret_status(elem: Secret, update_op: UpdateSecretOp.UpdateSecretStatus) -> Secret:
+        """Update a secret's active status (soft delete)"""
+        is_active = update_op.is_active.value
+        
+        # Can't reactivate a secret that's been deactivated
+        if not elem.is_active and is_active:
+            raise Exception(f"Secret {elem.key} cannot be reactivated")
+            
+        # No change needed
+        if elem.is_active == is_active:
+            return elem
+            
+        elem.is_active = is_active
+        try:
+            elem.save(update_fields=['is_active', 'updated_at'])
+        except Exception as ex:
+            logger.exception(f"Error occurred updating secret status for {elem.key}")
+            raise Exception(f"Error updating secret status: {str(ex)}")
+        return elem
+
+
+secrets_update_processor = SecretsUpdateProcessor()

executor/secrets/urls.py

@@ -5,6 +5,5 @@
     path('list/', views.secrets_list, name='secrets_list'),
     path('get/', views.secret_get, name='secret_get'),
     path('create/', views.secret_create, name='secret_create'),
-    path('update/', views.secret_update, name='secret_update'),
-    path('delete/', views.secret_delete, name='secret_delete'),
+    path('update/', views.secret_update, name='secret_update')
 ] 

executor/secrets/views.py

@@ -16,8 +16,8 @@
     GetSecretRequest, GetSecretResponse,
     CreateSecretRequest, CreateSecretResponse,
     UpdateSecretRequest, UpdateSecretResponse,
-    DeleteSecretRequest, DeleteSecretResponse,
-    Secret as SecretProto
+    Secret as SecretProto,
+    UpdateSecretOp
 )
 
 logger = logging.getLogger(__name__)
@@ -34,7 +34,6 @@ def _secret_to_proto(secret: Secret) -> SecretProto:
     """Convert a Secret model to a Secret proto"""
     return SecretProto(
         id=StringValue(value=str(secret.id)),
-        name=StringValue(value=secret.name),
         key=StringValue(value=secret.key),
         masked_value=StringValue(value=_mask_secret_value(secret.value)),
         description=StringValue(value=secret.description or ""),
@@ -99,18 +98,17 @@ def secret_create(request_message: CreateSecretRequest) -> Union[CreateSecretRes
     """Create a new secret"""
     account: Account = get_request_account()
     user = get_request_user()
-    
-    name = request_message.name.value
+
     key = request_message.key.value
     value = request_message.value.value
     description = request_message.description.value
 
     # Validate required fields
-    if not name or not key or not value:
+    if not key or not value:
         return CreateSecretResponse(
             meta=get_meta(),
             success=BoolValue(value=False),
-            message=Message(title="Invalid Request", description="Name, key, and value are required")
+            message=Message(title="Invalid Request", description="Key, and value are required")
         )
 
     # Check if key already exists for this account
@@ -125,7 +123,6 @@ def secret_create(request_message: CreateSecretRequest) -> Union[CreateSecretRes
     try:
         secret = Secret.objects.create(
             account=account,
-            name=name,
             key=key,
             value=value,
             description=description,
@@ -151,94 +148,75 @@ def secret_create(request_message: CreateSecretRequest) -> Union[CreateSecretRes
 
 @web_api(UpdateSecretRequest)
 def secret_update(request_message: UpdateSecretRequest) -> Union[UpdateSecretResponse, HttpResponse]:
-    """Update a secret's name or description (not the value)"""
+    """Update a secret using operations"""
     account: Account = get_request_account()
     user = get_request_user()
 
-    secret_id = request_message.secret_id.value
-    name = request_message.name.value
-    description = request_message.description.value
-    key = request_message.key.value
-
-    if not secret_id:
-        return UpdateSecretResponse(
-            meta=get_meta(),
-            success=BoolValue(value=False),
-            message=Message(title="Invalid Request", description="Secret ID is required")
-        )
+    update_secret_ops = request_message.update_secret_ops
 
-    try:
-        secret = Secret.objects.get(id=secret_id, account=account, is_active=True)
-        
-        # Update fields if provided
-        if name:
-            secret.name = name
-        if description is not None:  # Allow empty description
-            secret.description = description
-        if key:
-            secret.key = key
-        secret.last_updated_by = user
-        secret.save()
-        
-        return UpdateSecretResponse(
-            meta=get_meta(),
-            success=BoolValue(value=True),
-            message=Message(title="Success", description="Secret updated successfully"),
-            secret=_secret_to_proto(secret)
-        )
-    except Secret.DoesNotExist:
+    if not update_secret_ops:
         return UpdateSecretResponse(
             meta=get_meta(),
             success=BoolValue(value=False),
-            message=Message(title="Not Found", description="Secret not found")
+            message=Message(title="Invalid Request", description="No update operations provided")
         )
-    except Exception as e:
-        logger.error(f"Error updating secret: {str(e)}")
+    
+    # All operations should reference the same secret
+    secret_ids = set(op.secret_id.value for op in update_secret_ops)
+    if len(secret_ids) != 1:
         return UpdateSecretResponse(
             meta=get_meta(),
             success=BoolValue(value=False),
-            message=Message(title="Error", description="Failed to update secret")
+            message=Message(title="Invalid Request", description="All operations must reference the same secret")
         )
-
-
-@web_api(DeleteSecretRequest)
-def secret_delete(request_message: DeleteSecretRequest) -> Union[DeleteSecretResponse, HttpResponse]:
-    """Soft delete a secret by setting is_active to False"""
-    account: Account = get_request_account()
-    user = get_request_user()
 
-    secret_id = request_message.secret_id.value
-    
-    if not secret_id:
-        return DeleteSecretResponse(
-            meta=get_meta(),
-            success=BoolValue(value=False),
-            message=Message(title="Invalid Request", description="Secret ID is required")
-        )
+    secret_id = list(secret_ids)[0]
 
     try:
         secret = Secret.objects.get(id=secret_id, account=account, is_active=True)
 
-        # Soft delete by setting is_active to False
-        secret.is_active = False
+        # Store the original user for later restoration
+        original_last_updated_by = secret.last_updated_by
+        
+        # Set the user who is making the update
         secret.last_updated_by = user
-        secret.save()
+        secret.save(update_fields=['last_updated_by'])
 
-        return DeleteSecretResponse(
-            meta=get_meta(),
-            success=BoolValue(value=True),
-            message=Message(title="Success", description="Secret deleted successfully")
-        )
+        try:
+            # Apply all update operations
+            from executor.secrets.crud.secrets_update_processor import secrets_update_processor
+            secrets_update_processor.update(secret, update_secret_ops)
+            
+            # Get the updated secret
+            updated_secret = Secret.objects.get(id=secret_id)
+            
+            return UpdateSecretResponse(
+                meta=get_meta(),
+                success=BoolValue(value=True),
+                message=Message(title="Success", description="Secret updated successfully"),
+                secret=_secret_to_proto(updated_secret)
+            )
+        except Exception as e:
+            # Restore the original user if update fails
+            secret.last_updated_by = original_last_updated_by
+            secret.save(update_fields=['last_updated_by'])
+            
+            logger.error(f"Error updating secret: {str(e)}")
+            return UpdateSecretResponse(
+                meta=get_meta(),
+                success=BoolValue(value=False),
+                message=Message(title="Error", description=str(e))
+            )
     except Secret.DoesNotExist:
-        return DeleteSecretResponse(
+        return UpdateSecretResponse(
             meta=get_meta(),
             success=BoolValue(value=False),
             message=Message(title="Not Found", description="Secret not found")
         )
     except Exception as e:
-        logger.error(f"Error deleting secret: {str(e)}")
-        return DeleteSecretResponse(
+        logger.error(f"Error updating secret: {str(e)}")
+        return UpdateSecretResponse(
             meta=get_meta(),
             success=BoolValue(value=False),
-            message=Message(title="Error", description="Failed to delete secret")
-        ) 
+            message=Message(title="Error", description="Failed to update secret")
+        )

playbooks/urls.py

@@ -27,10 +27,10 @@
     path('executor/', include('executor.urls')),
     path('executor/workflows/', include('executor.workflows.urls')),
     path('executor/engine/', include('executor.engine_manager.urls')),
+    path('executor/secrets/', include('executor.secrets.urls')),
     path('pb/', include('executor.urls')),
     path('management/', include('management.urls')),
     path('media/', include('media.urls')),
-    path('secrets/', include('executor.secrets.urls')),
     path('', include('django_prometheus.urls')),
     path('', views.index),
 ]

protos/secrets/api.proto

@@ -6,15 +6,14 @@ import "protos/base.proto";
 
 message Secret {
   google.protobuf.StringValue id = 1;
-  google.protobuf.StringValue name = 2;
-  google.protobuf.StringValue key = 3;
-  google.protobuf.StringValue masked_value = 4;
-  google.protobuf.StringValue description = 5;
-  google.protobuf.StringValue creator = 6;
-  google.protobuf.StringValue last_updated_by = 7;
-  int64 created_at = 8;
-  int64 updated_at = 9;
-  bool is_active = 10;
+  google.protobuf.StringValue key = 2;
+  google.protobuf.StringValue masked_value = 3;
+  google.protobuf.StringValue description = 4;
+  google.protobuf.StringValue creator = 5;
+  google.protobuf.StringValue last_updated_by = 6;
+  int64 created_at = 7;
+  int64 updated_at = 8;
+  bool is_active = 9;
 }
 
 message GetSecretsRequest {
@@ -42,10 +41,9 @@ message GetSecretResponse {
 
 message CreateSecretRequest {
   Meta meta = 1;
-  google.protobuf.StringValue name = 2;
-  google.protobuf.StringValue key = 3;
-  google.protobuf.StringValue value = 4;
-  google.protobuf.StringValue description = 5;
+  google.protobuf.StringValue key = 2;
+  google.protobuf.StringValue value = 3;
+  google.protobuf.StringValue description = 4;
 }
 
 message CreateSecretResponse {
@@ -55,12 +53,33 @@ message CreateSecretResponse {
   Secret secret = 4;
 }
 
+message UpdateSecretOp {
+  enum Op {
+    UNKNOWN = 0;
+    UPDATE_SECRET = 1;
+    UPDATE_SECRET_STATUS = 2;
+  }
+
+  message UpdateSecret {
+    google.protobuf.StringValue description = 1;
+    google.protobuf.StringValue value = 2;
+  }
+
+  message UpdateSecretStatus {
+    google.protobuf.BoolValue is_active = 1;
+  }
+
+  Op op = 1;
+  google.protobuf.StringValue secret_id = 2;
+  oneof update {
+    UpdateSecret update_secret = 3;
+    UpdateSecretStatus update_secret_status = 4;
+  }
+}
+
 message UpdateSecretRequest {
   Meta meta = 1;
-  google.protobuf.StringValue secret_id = 2;
-  google.protobuf.StringValue name = 3;
-  google.protobuf.StringValue description = 4;
-  google.protobuf.StringValue key = 5;
+  repeated UpdateSecretOp update_secret_ops = 2;
 }
 
 message UpdateSecretResponse {
@@ -69,14 +88,3 @@ message UpdateSecretResponse {
   Message message = 3;
   Secret secret = 4;
 }
-
-message DeleteSecretRequest {
-  Meta meta = 1;
-  google.protobuf.StringValue secret_id = 2;
-}
-
-message DeleteSecretResponse {
-  Meta meta = 1;
-  google.protobuf.BoolValue success = 2;
-  Message message = 3;
-}