✨ App custom secret management

2025-08-24 23:50:57 +08:00
parent 51db08f374
commit 4684550ebf
2 changed files with 348 additions and 1 deletions
--- a/DysonNetwork.Develop/Identity/CustomAppController.cs
+++ b/DysonNetwork.Develop/Identity/CustomAppController.cs
@@ -3,6 +3,7 @@ using DysonNetwork.Develop.Project;
 using DysonNetwork.Shared.Proto;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using NodaTime;

 namespace DysonNetwork.Develop.Identity;

@@ -22,12 +23,36 @@ public class CustomAppController(CustomAppService customApps, DeveloperService d
        CustomAppOauthConfig? OauthConfig
    );

+    public record CreateSecretRequest(
+        [MaxLength(4096)] string? Description,
+        TimeSpan? ExpiresIn = null,
+        bool IsOidc = false
+    );
+
+    public record SecretResponse(
+        string Id,
+        string? Secret,
+        string? Description,
+        Instant? ExpiresAt,
+        bool IsOidc,
+        Instant CreatedAt,
+        Instant UpdatedAt
+    );
+
    [HttpGet]
+    [Authorize]
    public async Task<IActionResult> ListApps([FromRoute] string pubName, [FromRoute] Guid projectId)
    {
+        if (HttpContext.Items["CurrentUser"] is not Account currentUser)
+            return Unauthorized();
+
        var developer = await ds.GetDeveloperByName(pubName);
        if (developer is null) return NotFound();

+        var accountId = Guid.Parse(currentUser.Id);
+        if (!await ds.IsMemberWithRole(developer.PublisherId, accountId, PublisherMemberRole.Viewer))
+            return StatusCode(403, "You must be a viewer of the developer to list custom apps");
+
        var project = await projectService.GetProjectAsync(projectId, developer.Id);
        if (project is null) return NotFound();

@@ -36,11 +61,19 @@ public class CustomAppController(CustomAppService customApps, DeveloperService d
    }

    [HttpGet("{appId:guid}")]
+    [Authorize]
    public async Task<IActionResult> GetApp([FromRoute] string pubName, [FromRoute] Guid projectId,
        [FromRoute] Guid appId)
    {
+        if (HttpContext.Items["CurrentUser"] is not Account currentUser)
+            return Unauthorized();
+        
        var developer = await ds.GetDeveloperByName(pubName);
        if (developer is null) return NotFound();
+        
+        var accountId = Guid.Parse(currentUser.Id);
+        if (!await ds.IsMemberWithRole(developer.PublisherId, accountId, PublisherMemberRole.Viewer))
+            return StatusCode(403, "You must be a viewer of the developer to list custom apps");

        var project = await projectService.GetProjectAsync(projectId, developer.Id);
        if (project is null) return NotFound();
@@ -65,7 +98,7 @@ public class CustomAppController(CustomAppService customApps, DeveloperService d
        var developer = await ds.GetDeveloperByName(pubName);
        if (developer is null)
            return NotFound("Developer not found");
-        
+
        if (!await ds.IsMemberWithRole(developer.PublisherId, Guid.Parse(currentUser.Id), PublisherMemberRole.Editor))
            return StatusCode(403, "You must be an editor of the developer to create a custom app");

@@ -164,4 +197,235 @@ public class CustomAppController(CustomAppService customApps, DeveloperService d

        return NoContent();
    }
+
+    [HttpGet("{appId:guid}/secrets")]
+    [Authorize]
+    public async Task<IActionResult> ListSecrets(
+        [FromRoute] string pubName,
+        [FromRoute] Guid projectId,
+        [FromRoute] Guid appId)
+    {
+        if (HttpContext.Items["CurrentUser"] is not Account currentUser)
+            return Unauthorized();
+
+        var developer = await ds.GetDeveloperByName(pubName);
+        if (developer is null)
+            return NotFound("Developer not found");
+
+        if (!await ds.IsMemberWithRole(developer.PublisherId, Guid.Parse(currentUser.Id), PublisherMemberRole.Editor))
+            return StatusCode(403, "You must be an editor of the developer to view app secrets");
+
+        var project = await projectService.GetProjectAsync(projectId, developer.Id);
+        if (project is null)
+            return NotFound("Project not found or you don't have access");
+
+        var app = await customApps.GetAppAsync(appId, projectId);
+        if (app == null)
+            return NotFound("App not found");
+
+        var secrets = await customApps.GetAppSecretsAsync(appId);
+        return Ok(secrets.Select(s => new SecretResponse(
+            s.Id.ToString(),
+            null,
+            s.Description,
+            s.ExpiredAt,
+            s.IsOidc,
+            s.CreatedAt,
+            s.UpdatedAt
+        )));
+    }
+
+    [HttpPost("{appId:guid}/secrets")]
+    [Authorize]
+    public async Task<IActionResult> CreateSecret(
+        [FromRoute] string pubName,
+        [FromRoute] Guid projectId,
+        [FromRoute] Guid appId,
+        [FromBody] CreateSecretRequest request)
+    {
+        if (HttpContext.Items["CurrentUser"] is not Account currentUser)
+            return Unauthorized();
+
+        var developer = await ds.GetDeveloperByName(pubName);
+        if (developer is null)
+            return NotFound("Developer not found");
+
+        if (!await ds.IsMemberWithRole(developer.PublisherId, Guid.Parse(currentUser.Id), PublisherMemberRole.Editor))
+            return StatusCode(403, "You must be an editor of the developer to create app secrets");
+
+        var project = await projectService.GetProjectAsync(projectId, developer.Id);
+        if (project is null)
+            return NotFound("Project not found or you don't have access");
+
+        var app = await customApps.GetAppAsync(appId, projectId);
+        if (app == null)
+            return NotFound("App not found");
+
+        try
+        {
+            var secret = await customApps.CreateAppSecretAsync(new CustomAppSecret
+            {
+                AppId = appId,
+                Description = request.Description,
+                ExpiredAt = request.ExpiresIn.HasValue
+                    ? NodaTime.SystemClock.Instance.GetCurrentInstant()
+                        .Plus(Duration.FromTimeSpan(request.ExpiresIn.Value))
+                    : (NodaTime.Instant?)null,
+                IsOidc = request.IsOidc
+            });
+
+            return CreatedAtAction(
+                nameof(GetSecret),
+                new { pubName, projectId, appId, secretId = secret.Id },
+                new SecretResponse(
+                    secret.Id.ToString(),
+                    secret.Secret,
+                    secret.Description,
+                    secret.ExpiredAt,
+                    secret.IsOidc,
+                    secret.CreatedAt,
+                    secret.UpdatedAt
+                )
+            );
+        }
+        catch (InvalidOperationException ex)
+        {
+            return BadRequest(ex.Message);
+        }
+    }
+
+    [HttpGet("{appId:guid}/secrets/{secretId:guid}")]
+    [Authorize]
+    public async Task<IActionResult> GetSecret(
+        [FromRoute] string pubName,
+        [FromRoute] Guid projectId,
+        [FromRoute] Guid appId,
+        [FromRoute] Guid secretId)
+    {
+        if (HttpContext.Items["CurrentUser"] is not Account currentUser)
+            return Unauthorized();
+
+        var developer = await ds.GetDeveloperByName(pubName);
+        if (developer is null)
+            return NotFound("Developer not found");
+
+        if (!await ds.IsMemberWithRole(developer.PublisherId, Guid.Parse(currentUser.Id), PublisherMemberRole.Editor))
+            return StatusCode(403, "You must be an editor of the developer to view app secrets");
+
+        var project = await projectService.GetProjectAsync(projectId, developer.Id);
+        if (project is null)
+            return NotFound("Project not found or you don't have access");
+
+        var app = await customApps.GetAppAsync(appId, projectId);
+        if (app == null)
+            return NotFound("App not found");
+
+        var secret = await customApps.GetAppSecretAsync(secretId, appId);
+        if (secret == null)
+            return NotFound("Secret not found");
+
+        return Ok(new SecretResponse(
+            secret.Id.ToString(),
+            null,
+            secret.Description,
+            secret.ExpiredAt,
+            secret.IsOidc,
+            secret.CreatedAt,
+            secret.UpdatedAt
+        ));
+    }
+
+    [HttpDelete("{appId:guid}/secrets/{secretId:guid}")]
+    [Authorize]
+    public async Task<IActionResult> DeleteSecret(
+        [FromRoute] string pubName,
+        [FromRoute] Guid projectId,
+        [FromRoute] Guid appId,
+        [FromRoute] Guid secretId)
+    {
+        if (HttpContext.Items["CurrentUser"] is not Account currentUser)
+            return Unauthorized();
+
+        var developer = await ds.GetDeveloperByName(pubName);
+        if (developer is null)
+            return NotFound("Developer not found");
+
+        if (!await ds.IsMemberWithRole(developer.PublisherId, Guid.Parse(currentUser.Id), PublisherMemberRole.Editor))
+            return StatusCode(403, "You must be an editor of the developer to delete app secrets");
+
+        var project = await projectService.GetProjectAsync(projectId, developer.Id);
+        if (project is null)
+            return NotFound("Project not found or you don't have access");
+
+        var app = await customApps.GetAppAsync(appId, projectId);
+        if (app == null)
+            return NotFound("App not found");
+
+        var secret = await customApps.GetAppSecretAsync(secretId, appId);
+        if (secret == null)
+            return NotFound("Secret not found");
+
+        var result = await customApps.DeleteAppSecretAsync(secretId, appId);
+        if (!result)
+            return NotFound("Failed to delete secret");
+
+        return NoContent();
+    }
+
+    [HttpPost("{appId:guid}/secrets/{secretId:guid}/rotate")]
+    [Authorize]
+    public async Task<IActionResult> RotateSecret(
+        [FromRoute] string pubName,
+        [FromRoute] Guid projectId,
+        [FromRoute] Guid appId,
+        [FromRoute] Guid secretId,
+        [FromBody] CreateSecretRequest? request = null)
+    {
+        if (HttpContext.Items["CurrentUser"] is not Account currentUser)
+            return Unauthorized();
+
+        var developer = await ds.GetDeveloperByName(pubName);
+        if (developer is null)
+            return NotFound("Developer not found");
+
+        if (!await ds.IsMemberWithRole(developer.PublisherId, Guid.Parse(currentUser.Id), PublisherMemberRole.Editor))
+            return StatusCode(403, "You must be an editor of the developer to rotate app secrets");
+
+        var project = await projectService.GetProjectAsync(projectId, developer.Id);
+        if (project is null)
+            return NotFound("Project not found or you don't have access");
+
+        var app = await customApps.GetAppAsync(appId, projectId);
+        if (app == null)
+            return NotFound("App not found");
+
+        try
+        {
+            var secret = await customApps.RotateAppSecretAsync(new CustomAppSecret
+            {
+                Id = secretId,
+                AppId = appId,
+                Description = request?.Description,
+                ExpiredAt = request?.ExpiresIn.HasValue == true
+                    ? NodaTime.SystemClock.Instance.GetCurrentInstant()
+                        .Plus(Duration.FromTimeSpan(request.ExpiresIn.Value))
+                    : (NodaTime.Instant?)null,
+                IsOidc = request?.IsOidc ?? false
+            });
+
+            return Ok(new SecretResponse(
+                secret.Id.ToString(),
+                secret.Secret,
+                secret.Description,
+                secret.ExpiredAt,
+                secret.IsOidc,
+                secret.CreatedAt,
+                secret.UpdatedAt
+            ));
+        }
+        catch (InvalidOperationException ex)
+        {
+            return BadRequest(ex.Message);
+        }
+    }
 }