Skip to content

Define database schema for org-secrets #799

New issue
New issue
Open
Open
Define database schema for org-secrets#799
@evgeniy-scherbina

Description

@evgeniy-scherbina
evgeniy-scherbina
opened on Jul 23, 2025

This issue is very similar to #780, so final implementation and design decision can be based on it.

Sub-tasks:

  • Add org_secrets tables
  • Add unique indexes and constraints
  • Add SQL Queries
  • Implement DBAuthz wrappers
  • Define OrgSecret Resource and corresponding RBAC policies
  • Add database-level tests

SQL Schema (refer to RFC for the latest up-to-date version):

-- Stores encrypted organization secrets (scoped to organization)
CREATE TABLE organization_secrets (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    organization_id UUID NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
    name TEXT NOT NULL,
    description TEXT NOT NULL,
    
    -- The encrypted secret value (base64-encoded encrypted data)
    value TEXT NOT NULL,
    
    -- The ID of the key used to encrypt the secret value.
    -- If this is NULL, the secret value is not encrypted.
    value_key_id TEXT REFERENCES dbcrypt_keys(active_key_digest),
    
    created_by UUID NOT NULL REFERENCES users(id),
    updated_by UUID NOT NULL REFERENCES users(id),
    
    -- Auto-injection settings
    -- Environment variable name (e.g., "DATABASE_PASSWORD", "API_KEY")
    -- Empty string means don't inject as env var
    env_name TEXT NOT NULL DEFAULT '',
    
    -- File path where secret should be written (e.g., "/home/coder/.ssh/id_rsa")
    -- Empty string means don't inject as file
    file_path TEXT NOT NULL DEFAULT '',
    
    -- Timestamps
    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP NOT NULL,
    updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP NOT NULL
);

-- Unique constraint: organization can't have duplicate secret names
CREATE UNIQUE INDEX organization_secrets_org_name_idx ON organization_secrets(organization_id, name);

-- Unique constraint: organization can't have duplicate env names
CREATE UNIQUE INDEX org_secrets_org_env_name_idx ON organization_secrets(organization_id, env_name) 
WHERE env_name != '';

-- Unique constraint: organization can't have duplicate file paths  
CREATE UNIQUE INDEX org_secrets_org_file_path_idx ON organization_secrets(organization_id, file_path) 
WHERE file_path != '';

DB Queries

GetOrganizationSecretByOrgIDAndName - Get by organization_id and name
GetOrganizationSecret - Get by ID
ListOrganizationSecrets - List all secrets for an organization
CreateOrganizationSecret - Create new secret (sets both created_by and updated_by)
UpdateOrganizationSecret - Update existing secret by ID (updates updated_by)
DeleteOrganizationSecret - Delete by ID

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions