Add instance-level secrets

Author: jbgomond

models/secret/secret.go

@@ -64,8 +64,8 @@ func init() {
 }
 
 func (s *Secret) Validate() error {
-	if s.OwnerID == 0 && s.RepoID == 0 {
-		return errors.New("the secret is not bound to any scope")
+	if s.OwnerID != 0 && s.RepoID != 0 {
+		return errors.New("a secret should not be bound to an owner and a repository at the same time")
 	}
 	return nil
 }
@@ -80,12 +80,8 @@ type FindSecretsOptions struct {
 
 func (opts *FindSecretsOptions) toConds() builder.Cond {
 	cond := builder.NewCond()
-	if opts.OwnerID > 0 {
-		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
-	}
-	if opts.RepoID > 0 {
-		cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
-	}
+	cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
+	cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
 	if opts.SecretID != 0 {
 		cond = cond.And(builder.Eq{"id": opts.SecretID})
 	}

routers/api/actions/runner/utils.go

@@ -67,6 +67,11 @@ func getSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[s
 		return secrets
 	}
 
+	globalSecrets, err := secret_model.FindSecrets(ctx, secret_model.FindSecretsOptions{})
+	if err != nil {
+		log.Error("find global secrets: %v", err)
+		// go on
+	}
 	ownerSecrets, err := secret_model.FindSecrets(ctx, secret_model.FindSecretsOptions{OwnerID: task.Job.Run.Repo.OwnerID})
 	if err != nil {
 		log.Error("find secrets of owner %v: %v", task.Job.Run.Repo.OwnerID, err)
@@ -78,7 +83,8 @@ func getSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[s
 		// go on
 	}
 
-	for _, secret := range append(ownerSecrets, repoSecrets...) {
+	// Level precedence: Repo > Org / User > Global
+	for _, secret := range append(globalSecrets, append(ownerSecrets, repoSecrets...)...) {
 		if v, err := secret_module.DecryptSecret(setting.SecretKey, secret.Data); err != nil {
 			log.Error("decrypt secret %v %q: %v", secret.ID, secret.Name, err)
 			// go on

routers/api/v1/admin/action.go

@@ -0,0 +1,103 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package admin
+
+import (
+	"errors"
+	"net/http"
+
+	"code.gitea.io/gitea/modules/context"
+	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/util"
+	"code.gitea.io/gitea/modules/web"
+	secret_service "code.gitea.io/gitea/services/secrets"
+)
+
+// create or update one secret in the instance scope
+func CreateOrUpdateSecret(ctx *context.APIContext) {
+	// swagger:operation PUT /admin/actions/secrets/{secretname} admin updateAdminSecret
+	// ---
+	// summary: Create or Update a secret value in the instance scope
+	// consumes:
+	// - application/json
+	// produces:
+	// - application/json
+	// parameters:
+	// - name: secretname
+	//   in: path
+	//   description: name of the secret
+	//   type: string
+	//   required: true
+	// - name: body
+	//   in: body
+	//   schema:
+	//     "$ref": "#/definitions/CreateOrUpdateSecretOption"
+	// responses:
+	//   "201":
+	//     description: response when creating a secret
+	//   "204":
+	//     description: response when updating a secret
+	//   "400":
+	//     "$ref": "#/responses/error"
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+
+	opt := web.GetForm(ctx).(*api.CreateOrUpdateSecretOption)
+
+	_, created, err := secret_service.CreateOrUpdateSecret(ctx, 0, 0, ctx.Params("secretname"), opt.Data)
+	if err != nil {
+		if errors.Is(err, util.ErrInvalidArgument) {
+			ctx.Error(http.StatusBadRequest, "CreateOrUpdateSecret", err)
+		} else if errors.Is(err, util.ErrNotExist) {
+			ctx.Error(http.StatusNotFound, "CreateOrUpdateSecret", err)
+		} else {
+			ctx.Error(http.StatusInternalServerError, "CreateOrUpdateSecret", err)
+		}
+		return
+	}
+
+	if created {
+		ctx.Status(http.StatusCreated)
+	} else {
+		ctx.Status(http.StatusNoContent)
+	}
+}
+
+// DeleteSecret delete one secret in the instance scope
+func DeleteSecret(ctx *context.APIContext) {
+	// swagger:operation DELETE /admin/actions/secrets/{secretname} admin deleteAdminSecret
+	// ---
+	// summary: Delete a secret in the instance scope
+	// consumes:
+	// - application/json
+	// produces:
+	// - application/json
+	// parameters:
+	// - name: secretname
+	//   in: path
+	//   description: name of the secret
+	//   type: string
+	//   required: true
+	// responses:
+	//   "204":
+	//     description: delete one secret of the admin
+	//   "400":
+	//     "$ref": "#/responses/error"
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+
+	err := secret_service.DeleteSecretByName(ctx, 0, 0, ctx.Params("secretname"))
+	if err != nil {
+		if errors.Is(err, util.ErrInvalidArgument) {
+			ctx.Error(http.StatusBadRequest, "DeleteSecret", err)
+		} else if errors.Is(err, util.ErrNotExist) {
+			ctx.Error(http.StatusNotFound, "DeleteSecret", err)
+		} else {
+			ctx.Error(http.StatusInternalServerError, "DeleteSecret", err)
+		}
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}

routers/api/v1/api.go

@@ -956,14 +956,11 @@ func Routes() *web.Route {
 				Get(user.ListEmails).
 				Post(bind(api.CreateEmailOption{}), user.AddEmail).
 				Delete(bind(api.DeleteEmailOption{}), user.DeleteEmail)
-
-			// create or update a user's actions secrets
 			m.Group("/actions/secrets", func() {
 				m.Combo("/{secretname}").
 					Put(bind(api.CreateOrUpdateSecretOption{}), user.CreateOrUpdateSecret).
 					Delete(user.DeleteSecret)
 			})
-
 			m.Get("/followers", user.ListMyFollowers)
 			m.Group("/following", func() {
 				m.Get("", user.ListMyFollowing)
@@ -1490,6 +1487,11 @@ func Routes() *web.Route {
 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryOrganization), orgAssignment(false, true), reqToken(), reqTeamMembership())
 
 		m.Group("/admin", func() {
+			m.Group("/actions/secrets", func() {
+				m.Combo("/{secretname}").
+					Put(bind(api.CreateOrUpdateSecretOption{}), admin.CreateOrUpdateSecret).
+					Delete(admin.DeleteSecret)
+			})
 			m.Group("/cron", func() {
 				m.Get("", admin.ListCronTasks)
 				m.Post("/{task}", admin.PostCronTask)

routers/api/v1/org/action.go

@@ -72,7 +72,7 @@ func ListActionsSecrets(ctx *context.APIContext) {
 	ctx.JSON(http.StatusOK, apiSecrets)
 }
 
-// create or update one secret of the organization
+// create or update one secret in the organization
 func CreateOrUpdateSecret(ctx *context.APIContext) {
 	// swagger:operation PUT /orgs/{org}/actions/secrets/{secretname} organization updateOrgSecret
 	// ---
@@ -127,7 +127,7 @@ func CreateOrUpdateSecret(ctx *context.APIContext) {
 	}
 }
 
-// DeleteSecret delete one secret of the organization
+// delete one secret in the organization
 func DeleteSecret(ctx *context.APIContext) {
 	// swagger:operation DELETE /orgs/{org}/actions/secrets/{secretname} organization deleteOrgSecret
 	// ---

routers/api/v1/repo/action.go

@@ -14,7 +14,7 @@ import (
 	secret_service "code.gitea.io/gitea/services/secrets"
 )
 
-// create or update one secret of the repository
+// create or update one secret in the repository
 func CreateOrUpdateSecret(ctx *context.APIContext) {
 	// swagger:operation PUT /repos/{owner}/{repo}/actions/secrets/{secretname} repository updateRepoSecret
 	// ---
@@ -53,12 +53,11 @@ func CreateOrUpdateSecret(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 
-	owner := ctx.Repo.Owner
 	repo := ctx.Repo.Repository
 
 	opt := web.GetForm(ctx).(*api.CreateOrUpdateSecretOption)
 
-	_, created, err := secret_service.CreateOrUpdateSecret(ctx, owner.ID, repo.ID, ctx.Params("secretname"), opt.Data)
+	_, created, err := secret_service.CreateOrUpdateSecret(ctx, 0, repo.ID, ctx.Params("secretname"), opt.Data)
 	if err != nil {
 		if errors.Is(err, util.ErrInvalidArgument) {
 			ctx.Error(http.StatusBadRequest, "CreateOrUpdateSecret", err)
@@ -77,7 +76,7 @@ func CreateOrUpdateSecret(ctx *context.APIContext) {
 	}
 }
 
-// DeleteSecret delete one secret of the repository
+// delete one secret in the repository
 func DeleteSecret(ctx *context.APIContext) {
 	// swagger:operation DELETE /repos/{owner}/{repo}/actions/secrets/{secretname} repository deleteRepoSecret
 	// ---
@@ -110,10 +109,9 @@ func DeleteSecret(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 
-	owner := ctx.Repo.Owner
 	repo := ctx.Repo.Repository
 
-	err := secret_service.DeleteSecretByName(ctx, owner.ID, repo.ID, ctx.Params("secretname"))
+	err := secret_service.DeleteSecretByName(ctx, 0, repo.ID, ctx.Params("secretname"))
 	if err != nil {
 		if errors.Is(err, util.ErrInvalidArgument) {
 			ctx.Error(http.StatusBadRequest, "DeleteSecret", err)

routers/api/v1/user/action.go

@@ -14,7 +14,7 @@ import (
 	secret_service "code.gitea.io/gitea/services/secrets"
 )
 
-// create or update one secret of the user scope
+// create or update one secret in the user scope
 func CreateOrUpdateSecret(ctx *context.APIContext) {
 	// swagger:operation PUT /user/actions/secrets/{secretname} user updateUserSecret
 	// ---
@@ -64,7 +64,7 @@ func CreateOrUpdateSecret(ctx *context.APIContext) {
 	}
 }
 
-// DeleteSecret delete one secret of the user scope
+// delete one secret in the user scope
 func DeleteSecret(ctx *context.APIContext) {
 	// swagger:operation DELETE /user/actions/secrets/{secretname} user deleteUserSecret
 	// ---

routers/web/repo/setting/secrets.go

@@ -16,9 +16,10 @@ import (
 
 const (
 	// TODO: Separate secrets from runners when layout is ready
-	tplRepoSecrets base.TplName = "repo/settings/actions"
-	tplOrgSecrets  base.TplName = "org/settings/actions"
-	tplUserSecrets base.TplName = "user/settings/actions"
+	tplRepoSecrets  base.TplName = "repo/settings/actions"
+	tplOrgSecrets   base.TplName = "org/settings/actions"
+	tplUserSecrets  base.TplName = "user/settings/actions"
+	tplAdminSecrets base.TplName = "admin/actions"
 )
 
 type secretsCtx struct {
@@ -27,6 +28,7 @@ type secretsCtx struct {
 	IsRepo          bool
 	IsOrg           bool
 	IsUser          bool
+	IsGlobal        bool
 	SecretsTemplate base.TplName
 	RedirectLink    string
 }
@@ -67,6 +69,16 @@ func getSecretsCtx(ctx *context.Context) (*secretsCtx, error) {
 		}, nil
 	}
 
+	if ctx.Data["PageIsAdmin"] == true {
+		return &secretsCtx{
+			OwnerID:         0,
+			RepoID:          0,
+			IsGlobal:        true,
+			SecretsTemplate: tplAdminSecrets,
+			RedirectLink:    setting.AppSubURL + "/admin/actions/secrets",
+		}, nil
+	}
+
 	return nil, errors.New("unable to set Secrets context")
 }
 

routers/web/web.go

@@ -757,6 +757,7 @@ func registerRoutes(m *web.Route) {
 		m.Group("/actions", func() {
 			m.Get("", admin.RedirectToDefaultSetting)
 			addSettingsRunnersRoutes()
+			addSettingsSecretsRoutes()
 		})
 	}, adminReq, ctxDataSet("EnableOAuth2", setting.OAuth2.Enable, "EnablePackages", setting.Packages.Enabled))
 	// ***** END: Admin *****

templates/admin/actions.tmpl

@@ -3,5 +3,8 @@
 	{{if eq .PageType "runners"}}
 		{{template "shared/actions/runner_list" .}}
 	{{end}}
+	{{if eq .PageType "secrets"}}
+		{{template "shared/secrets/add_list" .}}
+	{{end}}
 	</div>
 {{template "admin/layout_footer" .}}

templates/admin/navbar.tmpl

@@ -60,12 +60,15 @@
 			{{end}}
 		{{end}}
 		{{if .EnableActions}}
-		<details class="item toggleable-item" {{if .PageIsSharedSettingsRunners}}open{{end}}>
+		<details class="item toggleable-item" {{if or .PageIsSharedSettingsRunners .PageIsSharedSettingsSecrets}}open{{end}}>
 			<summary>{{ctx.Locale.Tr "actions.actions"}}</summary>
 			<div class="menu">
 				<a class="{{if .PageIsSharedSettingsRunners}}active {{end}}item" href="{{AppSubUrl}}/admin/actions/runners">
 					{{ctx.Locale.Tr "actions.runners"}}
 				</a>
+				<a class="{{if .PageIsSharedSettingsSecrets}}active {{end}}item" href="{{AppSubUrl}}/admin/actions/secrets">
+					{{ctx.Locale.Tr "secrets.secrets"}}
+				</a>
 			</div>
 		</details>
 		{{end}}