noetl-server 3.8.0

NoETL Control Plane - Async Rust server for workflow orchestration
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191

//! Wallet KEK rotation DB queries (Secrets Wallet Phase 7a.2,
//! [`noetl/ai-meta#61`](https://github.com/noetl/ai-meta/issues/61)).
//!
//! Two surfaces — both batched, both keyed by integer primary key so a
//! crash mid-rotate is recoverable by re-scanning from the last
//! committed id:
//!
//! - [`iter_credential_rows`] / [`iter_keychain_rows`] — pull a window of
//!   `(id, data_encrypted)` rows past a cursor `after_id`.
//! - [`update_credential_data`] / [`update_keychain_data`] — write the
//!   re-wrapped envelope string back to the same row.
//!
//! `key_status_*` queries return per-`kek_version` row counts.  The
//! version label is parsed out of the stored envelope JSON's `dek.kv`
//! field (Phase 1's `StoredDek` shape) — Postgres parses the JSON in
//! the query so we don't pay the round-trip to read every row.

use sqlx::Row;

use crate::db::DbPool;
use crate::error::AppResult;

/// One `(id, data_encrypted)` row from `noetl.credential` or
/// `noetl.keychain`.  The rotation job consumes a stream of these and
/// hands each through [`crate::crypto::EnvelopeCipher::rewrap_storage_string`].
#[derive(Debug, Clone)]
pub struct WalletRow {
    pub id: i64,
    pub data_encrypted: String,
}

/// Fetch up to `batch_size` `noetl.credential` rows with `id > after_id`,
/// ordered by `id ASC`.  Returns the rows in id order so the caller can
/// advance the cursor by tracking the largest id seen.
pub async fn iter_credential_rows(
    pool: &DbPool,
    after_id: i64,
    batch_size: i64,
) -> AppResult<Vec<WalletRow>> {
    let rows = sqlx::query(
        r#"
        SELECT id, data_encrypted
        FROM noetl.credential
        WHERE id > $1
        ORDER BY id ASC
        LIMIT $2
        "#,
    )
    .bind(after_id)
    .bind(batch_size)
    .fetch_all(pool)
    .await?;
    Ok(rows
        .into_iter()
        .map(|r| WalletRow {
            id: r.get::<i64, _>("id"),
            data_encrypted: r.get::<String, _>("data_encrypted"),
        })
        .collect())
}

/// Fetch up to `batch_size` `noetl.keychain` rows with `id > after_id`.
/// Same shape as [`iter_credential_rows`].
pub async fn iter_keychain_rows(
    pool: &DbPool,
    after_id: i64,
    batch_size: i64,
) -> AppResult<Vec<WalletRow>> {
    let rows = sqlx::query(
        r#"
        SELECT id, data_encrypted
        FROM noetl.keychain
        WHERE id > $1
        ORDER BY id ASC
        LIMIT $2
        "#,
    )
    .bind(after_id)
    .bind(batch_size)
    .fetch_all(pool)
    .await?;
    Ok(rows
        .into_iter()
        .map(|r| WalletRow {
            id: r.get::<i64, _>("id"),
            data_encrypted: r.get::<String, _>("data_encrypted"),
        })
        .collect())
}

/// Write the re-wrapped storage string back to `noetl.credential.data_encrypted`.
/// Single-row UPDATE; the caller wraps batches in a transaction.
pub async fn update_credential_data(
    pool: &DbPool,
    id: i64,
    new_data_encrypted: &str,
) -> AppResult<()> {
    sqlx::query(
        r#"
        UPDATE noetl.credential
        SET data_encrypted = $2
        WHERE id = $1
        "#,
    )
    .bind(id)
    .bind(new_data_encrypted)
    .execute(pool)
    .await?;
    Ok(())
}

/// Write the re-wrapped storage string back to `noetl.keychain.data_encrypted`.
pub async fn update_keychain_data(
    pool: &DbPool,
    id: i64,
    new_data_encrypted: &str,
) -> AppResult<()> {
    sqlx::query(
        r#"
        UPDATE noetl.keychain
        SET data_encrypted = $2
        WHERE id = $1
        "#,
    )
    .bind(id)
    .bind(new_data_encrypted)
    .execute(pool)
    .await?;
    Ok(())
}

/// Per-`kek_version` row counts on `noetl.credential`.  The version
/// string comes from the stored envelope's `dek.kv` field — Postgres
/// extracts the JSON path in the query.  Rows whose `data_encrypted`
/// isn't valid envelope JSON are bucketed under the label `"invalid"`
/// (rare; usually means a pre-Phase-1 legacy row that needs manual
/// re-registration).
pub async fn key_status_credential(pool: &DbPool) -> AppResult<Vec<(String, i64)>> {
    let rows = sqlx::query(
        r#"
        SELECT
          COALESCE(
            (data_encrypted::jsonb)->'dek'->>'kv',
            'invalid'
          ) AS kek_version,
          COUNT(*) AS n
        FROM noetl.credential
        GROUP BY kek_version
        ORDER BY kek_version
        "#,
    )
    .fetch_all(pool)
    .await?;
    Ok(rows
        .into_iter()
        .map(|r| {
            (
                r.get::<String, _>("kek_version"),
                r.get::<i64, _>("n"),
            )
        })
        .collect())
}

/// Per-`kek_version` row counts on `noetl.keychain`.
pub async fn key_status_keychain(pool: &DbPool) -> AppResult<Vec<(String, i64)>> {
    let rows = sqlx::query(
        r#"
        SELECT
          COALESCE(
            (data_encrypted::jsonb)->'dek'->>'kv',
            'invalid'
          ) AS kek_version,
          COUNT(*) AS n
        FROM noetl.keychain
        GROUP BY kek_version
        ORDER BY kek_version
        "#,
    )
    .fetch_all(pool)
    .await?;
    Ok(rows
        .into_iter()
        .map(|r| {
            (
                r.get::<String, _>("kek_version"),
                r.get::<i64, _>("n"),
            )
        })
        .collect())
}