@@ -23,6 +23,15 @@ type KVStoreWrapper struct {
2323 migrationEnabled bool
2424}
2525
26+ // requestScopedKVStore binds a wrapper to the orgID/workflowOwner for a single
27+ // top-level plugin request while preserving the existing ReadKVStore /
28+ // WriteKVStore interfaces used throughout plugin.go.
29+ type requestScopedKVStore struct {
30+ wrapper * KVStoreWrapper
31+ orgID string
32+ workflowOwner string
33+ }
34+
2635// NewKVStoreWrapper creates a wrapper around the given store.
2736// When migrationEnabled is true, an internal ownerMigrationAdapter handles
2837// the transition from workflow_owner-keyed entries to org_id-keyed entries.
@@ -38,6 +47,18 @@ func NewKVStoreWrapper(store WriteKVStore, migrationEnabled bool, lggr logger.Lo
3847 return w
3948}
4049
50+ // WithRequest returns a store view bound to the top-level request's orgID and
51+ // workflowOwner. When migration is enabled, owner-scoped operations are routed
52+ // through the migration adapter using the bound orgID/workflowOwner while
53+ // preserving the plugin's existing store interface usage.
54+ func (w * KVStoreWrapper ) WithRequest (orgID , workflowOwner string ) WriteKVStore {
55+ return & requestScopedKVStore {
56+ wrapper : w ,
57+ orgID : orgID ,
58+ workflowOwner : workflowOwner ,
59+ }
60+ }
61+
4162// GetSecret tries orgID first, falling back to workflowOwner for legacy entries.
4263// When migration is disabled, delegates directly to the inner store using id as-is.
4364func (w * KVStoreWrapper ) GetSecret (ctx context.Context , id * vault.SecretIdentifier , orgID , workflowOwner string ) (* vault.StoredSecret , error ) {
@@ -112,6 +133,57 @@ func (w *KVStoreWrapper) WritePendingQueue(ctx context.Context, pending []*vault
112133 return w .store .WritePendingQueue (ctx , pending )
113134}
114135
136+ func (s * requestScopedKVStore ) effectiveOwner (owner string ) string {
137+ if s .wrapper .migrationEnabled && s .orgID != "" {
138+ return s .orgID
139+ }
140+ return owner
141+ }
142+
143+ func (s * requestScopedKVStore ) GetSecret (ctx context.Context , id * vault.SecretIdentifier ) (* vault.StoredSecret , error ) {
144+ orgID := ""
145+ if id != nil {
146+ orgID = s .effectiveOwner (id .Owner )
147+ }
148+ return s .wrapper .GetSecret (ctx , id , orgID , s .workflowOwner )
149+ }
150+
151+ func (s * requestScopedKVStore ) GetMetadata (ctx context.Context , owner string ) (* vault.StoredMetadata , error ) {
152+ return s .wrapper .GetMetadata (ctx , s .effectiveOwner (owner ), s .workflowOwner )
153+ }
154+
155+ func (s * requestScopedKVStore ) GetSecretIdentifiersCountForOwner (ctx context.Context , owner string ) (int , error ) {
156+ return s .wrapper .GetSecretIdentifiersCountForOwner (ctx , s .effectiveOwner (owner ), s .workflowOwner )
157+ }
158+
159+ func (s * requestScopedKVStore ) WriteSecret (ctx context.Context , id * vault.SecretIdentifier , secret * vault.StoredSecret ) error {
160+ orgID := ""
161+ if id != nil {
162+ orgID = s .effectiveOwner (id .Owner )
163+ }
164+ return s .wrapper .WriteSecret (ctx , id , secret , orgID , s .workflowOwner )
165+ }
166+
167+ func (s * requestScopedKVStore ) WriteMetadata (ctx context.Context , owner string , metadata * vault.StoredMetadata ) error {
168+ return s .wrapper .WriteMetadata (ctx , s .effectiveOwner (owner ), metadata )
169+ }
170+
171+ func (s * requestScopedKVStore ) DeleteSecret (ctx context.Context , id * vault.SecretIdentifier ) error {
172+ orgID := ""
173+ if id != nil {
174+ orgID = s .effectiveOwner (id .Owner )
175+ }
176+ return s .wrapper .DeleteSecret (ctx , id , orgID , s .workflowOwner )
177+ }
178+
179+ func (s * requestScopedKVStore ) GetPendingQueue (ctx context.Context ) ([]* vault.StoredPendingQueueItem , error ) {
180+ return s .wrapper .GetPendingQueue (ctx )
181+ }
182+
183+ func (s * requestScopedKVStore ) WritePendingQueue (ctx context.Context , pending []* vault.StoredPendingQueueItem ) error {
184+ return s .wrapper .WritePendingQueue (ctx , pending )
185+ }
186+
115187// ownerMigrationAdapter handles the migration of secrets from workflow_owner-keyed
116188// entries to org_id-keyed entries. It performs dual-lookup reads, org_id-based
117189// writes, lazy migration on update, metadata merge for list, and dual-owner
0 commit comments