Constants

// Values accepted by the --secrets-auth flag (see NewHandler). Each one
// selects a different authentication flow for vault secrets operations;
// ValidateSecretsAuthFlow decides whether a flow is allowed in a given
// environment.
const (
	// SecretsAuthOnchain selects the owner-key flow, where the owner used in
	// vault payloads is the linked EOA from settings (see
	// ResolveVaultIdentifierOwnerForAuth).
	SecretsAuthOnchain = "onchain"
	// SecretsAuthBrowser selects the browser (JWT / platform OAuth) flow.
	// ValidateSecretsAuthFlow blocks this flow in production.
	SecretsAuthBrowser = "browser"
)

Variables

This section is empty.

Functions

func CalculateDigest

func CalculateDigest[I any](r jsonrpc2.Request[I]) ([32]byte, error)

func DeriveBundleFilename

func DeriveBundleFilename(digest [32]byte) string

func EncryptSecret

func EncryptSecret(secret, masterPublicKeyHex string, ownerAddress string) (string, error)

EncryptSecret encrypts for the owner-key / web3 flow using a 32-byte label derived from the EOA (12 zero bytes + 20-byte address).

func HexToBytes32

func HexToBytes32(h string) ([32]byte, error)

func IsBrowserFlow added in v1.8.0

func IsBrowserFlow(flow string) bool

IsBrowserFlow returns true when the browser (JWT) auth flow is selected.

func SaveBundle

func SaveBundle(path string, b *UnsignedBundle) error

func ValidateSecretsAuthFlow added in v1.8.0

func ValidateSecretsAuthFlow(flow, envName string) error

ValidateSecretsAuthFlow checks that the chosen auth flow is valid and allowed in the current environment. Browser flow is blocked in production.

Types

type Handler

// Handler carries the dependencies and resolved identity used by the secrets
// create/update/delete/list flows. Build it with NewHandler; which fields are
// populated depends on the selected --secrets-auth flow.
type Handler struct {
	Log                  *zerolog.Logger
	ClientFactory        client.Factory
	// SecretsFilePath is the YAML file that ResolveInputs reads secrets from.
	SecretsFilePath      string
	// PrivateKey is the EOA signing key for owner-key flows. It is sensitive
	// material: keep it out of logs and error messages.
	PrivateKey           *ecdsa.PrivateKey
	// OwnerAddress is the workflow owner used by owner-key (onchain) flows;
	// see ResolveEffectiveOwner.
	OwnerAddress         string
	// DerivedWorkflowOwner is the owner used by the browser flow, taken from
	// runtime.Context at login (see ResolveVaultIdentifierOwnerForAuth).
	DerivedWorkflowOwner string
	EnvironmentSet       *environments.EnvironmentSet
	GatewayURL           string
	Gw                   gateway.Client
	// Wrc is the on-chain workflow registry client. NewHandler intentionally
	// leaves it unset for the browser flow, so callers must not assume it is
	// non-nil.
	Wrc                  *client.WorkflowRegistryV2Client
	Credentials          *credentials.Credentials
	Settings             *settings.Settings
	// contains filtered or unexported fields
}

func NewHandler

func NewHandler(execCtx context.Context, ctx *runtime.Context, secretsFilePath, secretsAuth string) (*Handler, error)

NewHandler creates a new handler instance. secretsAuth is the value of the --secrets-auth flag (e.g. "onchain" or "browser"). For the browser OAuth flow the on-chain WorkflowRegistryV2Client is not needed and is intentionally skipped to avoid requiring an ethereum-mainnet RPC URL.

func (*Handler) EncryptSecrets

func (h *Handler) EncryptSecrets(rawSecrets UpsertSecretsInputs, owner string) ([]*vault.EncryptedSecret, error)

EncryptSecrets encrypts secrets for the given workflow owner address. TDH2 label is the workflow owner address left-padded to 32 bytes; SecretIdentifier.Owner is the same hex address string.

func (*Handler) EnsureDeploymentRPCForOwnerKeySecrets added in v1.8.0

func (h *Handler) EnsureDeploymentRPCForOwnerKeySecrets() error

EnsureDeploymentRPCForOwnerKeySecrets checks project settings for an RPC URL on the workflow registry chain (owner-key / allowlist flows only).

func (*Handler) EnsureOwnerLinkedOrFail

func (h *Handler) EnsureOwnerLinkedOrFail(ctx context.Context) error

EnsureOwnerLinkedOrFail: TODO — this reuses the same logic as in auto_link.go, which is tied to deploy; consider refactoring to avoid duplication.

func (*Handler) Execute

func (h *Handler) Execute(
	ctx context.Context,
	inputs UpsertSecretsInputs,
	method string,
	duration time.Duration,
	secretsAuth string,
) error

Execute implements secrets create and update from YAML (multisig bundle, owner-key with allowlist, or interactive org sign-in).

func (*Handler) ExecuteBrowserVaultAuthorization added in v1.8.1

func (h *Handler) ExecuteBrowserVaultAuthorization(ctx context.Context, method string, digest [32]byte, requestBody []byte, workflowOwner string) error

ExecuteBrowserVaultAuthorization completes platform OAuth for a vault JSON-RPC digest (create/update/delete/list), then POSTs the same request body to the gateway with the vault JWT in the Authorization header.

func (*Handler) LogMSIGNextSteps

func (h *Handler) LogMSIGNextSteps(txData string, digest [32]byte, bundlePath string) error

func (*Handler) PackAllowlistRequestTxData

func (h *Handler) PackAllowlistRequestTxData(reqDigest [32]byte, duration time.Duration) (string, error)

TODO: use TxType interface

func (*Handler) ParseVaultGatewayResponse

func (h *Handler) ParseVaultGatewayResponse(method string, respBody []byte) error

ParseVaultGatewayResponse parses the JSON-RPC response, decodes the SignedOCRResponse payload into the appropriate proto type (CreateSecretsResponse, UpdateSecretsResponse, DeleteSecretsResponse), and logs one line per secret with id/owner/namespace/success/error.

func (*Handler) ResolveEffectiveOwner added in v1.10.0

func (h *Handler) ResolveEffectiveOwner() (string, error)

ResolveEffectiveOwner returns the checksummed workflow owner address for owner-key vault operations.

func (*Handler) ResolveInputs

func (h *Handler) ResolveInputs() (UpsertSecretsInputs, error)

ResolveInputs loads secrets from a YAML file. Errors if the path is not .yaml/.yml — MSIG step 2 is handled by `cre secrets execute`.

func (*Handler) ResolveVaultIdentifierOwnerForAuth added in v1.14.0

func (h *Handler) ResolveVaultIdentifierOwnerForAuth(secretsAuth string) (string, error)

ResolveVaultIdentifierOwnerForAuth returns the owner used in vault JSON-RPC payloads (SecretIdentifier.Owner, list Owner, TDH2 labels). Onchain auth uses the linked EOA from settings; browser auth uses DerivedWorkflowOwner from runtime.Context (getCreOrganizationInfo at login).

func (*Handler) ValidateInputs

func (h *Handler) ValidateInputs(inputs UpsertSecretsInputs) error

ValidateInputs validates the input structure.

type MockClientFactory

// MockClientFactory is a test double for client.Factory built on
// testify's mock.Mock. It is exported from this package, so it is
// available to any importer; it is intended for tests only.
type MockClientFactory struct {
	mock.Mock
}

func (*MockClientFactory) GetSkipConfirmation

func (m *MockClientFactory) GetSkipConfirmation() bool

func (*MockClientFactory) GetTxType

func (m *MockClientFactory) GetTxType() client.TxType

func (*MockClientFactory) NewWorkflowRegistryV2Client

func (m *MockClientFactory) NewWorkflowRegistryV2Client(ctx context.Context) (*client.WorkflowRegistryV2Client, error)

type SecretItem

// SecretItem represents a single secret with its ID, value, and optional
// namespace. ID and Value are marked required by the validate tags, which
// ValidateInputs presumably enforces — confirm against its implementation.
type SecretItem struct {
	ID        string `json:"id" validate:"required"`
	// Value is the plaintext secret. It is encrypted by EncryptSecrets before
	// leaving the process; never log or echo it.
	Value     string `json:"value" validate:"required"`
	Namespace string `json:"namespace"`
}

SecretItem represents a single secret with its ID, value, and optional namespace.

type SecretsYamlConfig

// SecretsYamlConfig is the YAML shape for declaring secret names. It carries
// names only, not secret values.
type SecretsYamlConfig struct {
	// SecretsNames maps a key to the list of secret names declared under it.
	// NOTE(review): the meaning of the map key (e.g. a namespace or target) is
	// not established here — confirm against the reader of this config.
	SecretsNames map[string][]string `yaml:"secretsNames"`
}

type UnsignedBundle

// UnsignedBundle is the on-disk artifact of the multisig (MSIG) flow: the
// vault JSON-RPC request and its digest, written by SaveBundle for later
// signing and submission (see LogMSIGNextSteps), and read back by LoadBundle.
type UnsignedBundle struct {
	RequestID   string          `json:"request_id"`
	// Method is the vault JSON-RPC method the bundle was built for.
	Method      string          `json:"method"`
	// DigestHex is presumably the hex encoding of the 32-byte digest from
	// CalculateDigest (HexToBytes32 converts it back) — confirm in SaveBundle.
	DigestHex   string          `json:"digest_hex"`
	// RequestBody is kept as raw JSON so the exact bytes that were digested
	// can be re-sent unchanged; re-serializing could alter the digest.
	RequestBody json.RawMessage `json:"request_body"`
	// CreatedAt records when the bundle was written. No expiry is visible in
	// this type; consumers that need freshness must check it themselves.
	CreatedAt   time.Time       `json:"created_at"`
}

func LoadBundle

func LoadBundle(path string) (*UnsignedBundle, error)

type UpsertSecretsInputs

// UpsertSecretsInputs holds the secrets passed to the CLI. Each element
// carries a plaintext value, so instances should not be logged wholesale.
type UpsertSecretsInputs []SecretItem

UpsertSecretsInputs holds the secrets passed to the CLI.
