feat: add get_vault_secret_by_name() function

supabase · Aug 26, 2024 · b08261a · b08261a
1 parent fe91635
commit b08261a
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 8 deletions.
diff --git a/supabase-wrappers/src/utils.rs b/supabase-wrappers/src/utils.rs
@@ -154,9 +154,9 @@ pub fn create_async_runtime() -> Result<Runtime, CreateRuntimeError> {
     Ok(Builder::new_current_thread().enable_all().build()?)
 }
 
-/// Get decrypted secret from Vault
+/// Get decrypted secret from Vault by secret ID
 ///
-/// Get decrypted secret as string from Vault. Vault is an extension for storing
+/// Get decrypted secret as string from Vault by secret ID. Vault is an extension for storing
 /// encrypted secrets, [see more details](https://github.com/supabase/vault).
 pub fn get_vault_secret(secret_id: &str) -> Option<String> {
     match Uuid::try_parse(secret_id) {
@@ -169,11 +169,11 @@ pub fn get_vault_secret(secret_id: &str) -> Option<String> {
                     pgrx::Uuid::from_bytes(sid).into_datum(),
                 )],
             ) {
-                Ok(sid) => sid,
+                Ok(decrypted) => decrypted,
                 Err(err) => {
                     report_error(
                         PgSqlErrorCode::ERRCODE_FDW_ERROR,
-                        &format!("invalid secret id \"{}\": {}", secret_id, err),
+                        &format!("query vault failed \"{}\": {}", secret_id, err),
                     );
                     None
                 }
@@ -189,6 +189,26 @@ pub fn get_vault_secret(secret_id: &str) -> Option<String> {
     }
 }
 
+/// Get decrypted secret from Vault by secret name
+///
+/// Get decrypted secret as string from Vault by secret name. Vault is an extension for storing
+/// encrypted secrets, [see more details](https://github.com/supabase/vault).
+pub fn get_vault_secret_by_name(secret_name: &str) -> Option<String> {
+    match Spi::get_one_with_args::<String>(
+        "select decrypted_secret from vault.decrypted_secrets where name = $1",
+        vec![(PgBuiltInOids::TEXTOID.oid(), secret_name.into_datum())],
+    ) {
+        Ok(decrypted) => decrypted,
+        Err(err) => {
+            report_error(
+                PgSqlErrorCode::ERRCODE_FDW_ERROR,
+                &format!("query vault failed \"{}\": {}", secret_name, err),
+            );
+            None
+        }
+    }
+}
+
 pub(super) unsafe fn tuple_table_slot_to_row(slot: *mut pg_sys::TupleTableSlot) -> Row {
     let tup_desc = PgTupleDesc::from_pg_copy((*slot).tts_tupleDescriptor);
 

diff --git a/wrappers/src/fdw/stripe_fdw/stripe_fdw.rs b/wrappers/src/fdw/stripe_fdw/stripe_fdw.rs
@@ -638,10 +638,17 @@ impl ForeignDataWrapper<StripeFdwError> for StripeFdw {
         let api_version = server.options.get("api_version").map(|t| t.as_str());
         let client = match server.options.get("api_key") {
             Some(api_key) => Some(create_client(api_key, api_version)),
-            None => {
-                let key_id = require_option("api_key_id", &server.options)?;
-                get_vault_secret(key_id).map(|api_key| create_client(&api_key, api_version))
-            }
+            None => server
+                .options
+                .get("api_key_id")
+                .and_then(|key_id| get_vault_secret(key_id))
+                .or_else(|| {
+                    server
+                        .options
+                        .get("api_key_name")
+                        .and_then(|key_name| get_vault_secret_by_name(key_name))
+                })
+                .map(|api_key| create_client(&api_key, api_version)),
         }
         .transpose()?;