Skip to content

Commit a4e898e

Browse files
vault: Wire vault plugin through KVStoreWrapper (#21824)
* Wire vault plugin through KVStoreWrapper * Use t.Context in vault wrapper tests
1 parent 86b875e commit a4e898e

4 files changed

Lines changed: 581 additions & 71 deletions

File tree

core/services/ocr2/plugins/vault/kvstore_wrapper.go

Lines changed: 72 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,15 @@ type KVStoreWrapper struct {
2323
migrationEnabled bool
2424
}
2525

26+
// requestScopedKVStore binds a wrapper to the orgID/workflowOwner for a single
27+
// top-level plugin request while preserving the existing ReadKVStore /
28+
// WriteKVStore interfaces used throughout plugin.go.
29+
type requestScopedKVStore struct {
30+
wrapper *KVStoreWrapper
31+
orgID string
32+
workflowOwner string
33+
}
34+
2635
// NewKVStoreWrapper creates a wrapper around the given store.
2736
// When migrationEnabled is true, an internal ownerMigrationAdapter handles
2837
// the transition from workflow_owner-keyed entries to org_id-keyed entries.
@@ -38,6 +47,18 @@ func NewKVStoreWrapper(store WriteKVStore, migrationEnabled bool, lggr logger.Lo
3847
return w
3948
}
4049

50+
// WithRequest returns a store view bound to the top-level request's orgID and
51+
// workflowOwner. When migration is enabled, owner-scoped operations are routed
52+
// through the migration adapter using the bound orgID/workflowOwner while
53+
// preserving the plugin's existing store interface usage.
54+
func (w *KVStoreWrapper) WithRequest(orgID, workflowOwner string) WriteKVStore {
55+
return &requestScopedKVStore{
56+
wrapper: w,
57+
orgID: orgID,
58+
workflowOwner: workflowOwner,
59+
}
60+
}
61+
4162
// GetSecret tries orgID first, falling back to workflowOwner for legacy entries.
4263
// When migration is disabled, delegates directly to the inner store using id as-is.
4364
func (w *KVStoreWrapper) GetSecret(ctx context.Context, id *vault.SecretIdentifier, orgID, workflowOwner string) (*vault.StoredSecret, error) {
@@ -112,6 +133,57 @@ func (w *KVStoreWrapper) WritePendingQueue(ctx context.Context, pending []*vault
112133
return w.store.WritePendingQueue(ctx, pending)
113134
}
114135

136+
func (s *requestScopedKVStore) effectiveOwner(owner string) string {
137+
if s.wrapper.migrationEnabled && s.orgID != "" {
138+
return s.orgID
139+
}
140+
return owner
141+
}
142+
143+
func (s *requestScopedKVStore) GetSecret(ctx context.Context, id *vault.SecretIdentifier) (*vault.StoredSecret, error) {
144+
orgID := ""
145+
if id != nil {
146+
orgID = s.effectiveOwner(id.Owner)
147+
}
148+
return s.wrapper.GetSecret(ctx, id, orgID, s.workflowOwner)
149+
}
150+
151+
func (s *requestScopedKVStore) GetMetadata(ctx context.Context, owner string) (*vault.StoredMetadata, error) {
152+
return s.wrapper.GetMetadata(ctx, s.effectiveOwner(owner), s.workflowOwner)
153+
}
154+
155+
func (s *requestScopedKVStore) GetSecretIdentifiersCountForOwner(ctx context.Context, owner string) (int, error) {
156+
return s.wrapper.GetSecretIdentifiersCountForOwner(ctx, s.effectiveOwner(owner), s.workflowOwner)
157+
}
158+
159+
func (s *requestScopedKVStore) WriteSecret(ctx context.Context, id *vault.SecretIdentifier, secret *vault.StoredSecret) error {
160+
orgID := ""
161+
if id != nil {
162+
orgID = s.effectiveOwner(id.Owner)
163+
}
164+
return s.wrapper.WriteSecret(ctx, id, secret, orgID, s.workflowOwner)
165+
}
166+
167+
func (s *requestScopedKVStore) WriteMetadata(ctx context.Context, owner string, metadata *vault.StoredMetadata) error {
168+
return s.wrapper.WriteMetadata(ctx, s.effectiveOwner(owner), metadata)
169+
}
170+
171+
func (s *requestScopedKVStore) DeleteSecret(ctx context.Context, id *vault.SecretIdentifier) error {
172+
orgID := ""
173+
if id != nil {
174+
orgID = s.effectiveOwner(id.Owner)
175+
}
176+
return s.wrapper.DeleteSecret(ctx, id, orgID, s.workflowOwner)
177+
}
178+
179+
func (s *requestScopedKVStore) GetPendingQueue(ctx context.Context) ([]*vault.StoredPendingQueueItem, error) {
180+
return s.wrapper.GetPendingQueue(ctx)
181+
}
182+
183+
func (s *requestScopedKVStore) WritePendingQueue(ctx context.Context, pending []*vault.StoredPendingQueueItem) error {
184+
return s.wrapper.WritePendingQueue(ctx, pending)
185+
}
186+
115187
// ownerMigrationAdapter handles the migration of secrets from workflow_owner-keyed
116188
// entries to org_id-keyed entries. It performs dual-lookup reads, org_id-based
117189
// writes, lazy migration on update, metadata merge for list, and dual-owner

0 commit comments

Comments
 (0)