feat(secrets): scope- and type-aware Secrets class

rustyconover · claude · rustyconover · commit a6f6a043d25b · 2026-06-26T14:02:42.000-04:00
Add a Secrets class (parse + field/namedField/ofType/secretType/forScope/
forScopeOfType/fieldFor) for resolved secrets now keyed by name, selecting
among several secrets of one type by their scope and type fields. Update the
example workers to select the vgi_example-typed secret (and skip the new
scope protocol field). Unit-tested.

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/vgi-example-worker/src/main/java/farm/query/vgi/example/scalar/ReturnSecretValueFunction.java b/vgi-example-worker/src/main/java/farm/query/vgi/example/scalar/ReturnSecretValueFunction.java
@@ -30,7 +30,7 @@ public final class ReturnSecretValueFunction implements ScalarFunction {
 
     private static final byte[] OUTPUT_SCHEMA_IPC = Schemas.singleResultIpc(Schemas.UTF8);
     private static final java.util.Set<String> PROTOCOL_FIELDS =
-            java.util.Set.of("name", "type", "provider");
+            java.util.Set.of("name", "type", "provider", "scope");
 
     private static final FunctionSpec SPEC = FunctionSpec.builder("return_secret_value")
             .description("Return a secret's value")
@@ -73,6 +73,11 @@ private static String encodeSecretJson(byte[] bytes) {
                     FieldVector vv = root.getVector(f.getName());
                     if (vv == null || vv.isNull(0)) continue;
                     if (vv instanceof org.apache.arrow.vector.complex.StructVector sv) {
+                        // Secrets are keyed by name; select the vgi_example-typed one.
+                        FieldVector typeCol = sv.getChild("type");
+                        String secretType = (typeCol != null && !typeCol.isNull(0))
+                                ? String.valueOf(typeCol.getObject(0)) : "";
+                        if (!"vgi_example".equals(secretType)) continue;
                         for (Field child : f.getChildren()) {
                             String name = child.getName();
                             if (PROTOCOL_FIELDS.contains(name)) continue;
diff --git a/vgi-example-worker/src/main/java/farm/query/vgi/example/scalar/SecretFieldFunction.java b/vgi-example-worker/src/main/java/farm/query/vgi/example/scalar/SecretFieldFunction.java
@@ -2,24 +2,20 @@
 
 package farm.query.vgi.example.scalar;
 
+import farm.query.vgi.Secrets;
 import farm.query.vgi.function.FunctionSpec;
 import farm.query.vgi.protocol.BindResponse;
 import farm.query.vgi.scalar.ScalarBindParams;
 import farm.query.vgi.scalar.ScalarFunction;
 import farm.query.vgi.scalar.ScalarProcessParams;
 import farm.query.vgi.types.Schemas;
-import farm.query.vgirpc.wire.Allocators;
 import org.apache.arrow.memory.BufferAllocator;
-import org.apache.arrow.vector.FieldVector;
 import org.apache.arrow.vector.VarCharVector;
 import org.apache.arrow.vector.VectorSchemaRoot;
-import org.apache.arrow.vector.complex.StructVector;
-import org.apache.arrow.vector.ipc.ArrowStreamReader;
-import org.apache.arrow.vector.types.pojo.Field;
 import org.apache.arrow.vector.util.Text;
 
-import java.io.ByteArrayInputStream;
 import java.util.List;
+import java.util.Map;
 
 /**
  * {@code secret_field()} — looks up individual fields on the resolved
@@ -57,27 +53,9 @@ public final class SecretFieldFunction implements ScalarFunction {
     }
 
     private static String formatSecretField(byte[] bytes) {
-        String port = "";
-        String name = "";
-        if (bytes != null && bytes.length > 0) {
-            try (ByteArrayInputStream in = new ByteArrayInputStream(bytes);
-                 ArrowStreamReader r = new ArrowStreamReader(in, Allocators.root())) {
-                if (r.loadNextBatch()) {
-                    VectorSchemaRoot root = r.getVectorSchemaRoot();
-                    for (Field f : root.getSchema().getFields()) {
-                        FieldVector vv = root.getVector(f.getName());
-                        if (vv instanceof StructVector sv) {
-                            FieldVector pc = sv.getChild("port");
-                            if (pc != null && !pc.isNull(0)) port = String.valueOf(pc.getObject(0));
-                            FieldVector nc = sv.getChild("secret_string");
-                            if (nc != null && !nc.isNull(0)) name = String.valueOf(nc.getObject(0));
-                        }
-                    }
-                }
-            } catch (Exception ignore) {
-                // Resolve failure → empty fields, matching the python fixture.
-            }
-        }
-        return "port=" + port + ";name=" + name;
+        // Secrets are keyed by name; select the vgi_example-typed secret.
+        Map<String, String> s = Secrets.parse(bytes).ofType("vgi_example")
+                .stream().findFirst().orElse(Map.of());
+        return "port=" + s.getOrDefault("port", "") + ";name=" + s.getOrDefault("secret_string", "");
     }
 }
diff --git a/vgi-example-worker/src/main/java/farm/query/vgi/example/table/SecretDemoFunction.java b/vgi-example-worker/src/main/java/farm/query/vgi/example/table/SecretDemoFunction.java
@@ -78,6 +78,11 @@ private static List<String[]> decodeSecret(byte[] bytes) {
                     // Descend into its children, skipping protocol fields
                     // that aren't user-supplied parameters.
                     if (v instanceof org.apache.arrow.vector.complex.StructVector sv) {
+                        // Secrets are keyed by name; select the vgi_example-typed one.
+                        FieldVector typeCol = sv.getChild("type");
+                        String secretType = (typeCol != null && !typeCol.isNull(0))
+                                ? String.valueOf(typeCol.getObject(0)) : "";
+                        if (!"vgi_example".equals(secretType)) continue;
                         for (Field child : f.getChildren()) {
                             String name = child.getName();
                             if (PROTOCOL_FIELDS.contains(name)) continue;
@@ -104,7 +109,7 @@ private static List<String[]> decodeSecret(byte[] bytes) {
 
     /** Protocol-supplied fields on a resolved secret struct (not user data). */
     private static final java.util.Set<String> PROTOCOL_FIELDS =
-            java.util.Set.of("name", "type", "provider");
+            java.util.Set.of("name", "type", "provider", "scope");
 
     /** Friendly Arrow type name (Utf8 → "string", Int64 → "int64", etc.). */
     private static String arrowTypeName(Field f) {
diff --git a/vgi/src/main/java/farm/query/vgi/Secrets.java b/vgi/src/main/java/farm/query/vgi/Secrets.java
@@ -0,0 +1,196 @@
+// Copyright 2026 Query Farm LLC - https://query.farm
+
+package farm.query.vgi;
+
+import farm.query.vgirpc.wire.Allocators;
+import org.apache.arrow.vector.BigIntVector;
+import org.apache.arrow.vector.BitVector;
+import org.apache.arrow.vector.FieldVector;
+import org.apache.arrow.vector.IntVector;
+import org.apache.arrow.vector.VarCharVector;
+import org.apache.arrow.vector.VectorSchemaRoot;
+import org.apache.arrow.vector.complex.StructVector;
+import org.apache.arrow.vector.ipc.ArrowStreamReader;
+import org.apache.arrow.vector.types.pojo.Field;
+
+import java.io.ByteArrayInputStream;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+
+/**
+ * Resolved secrets passed to a worker, keyed by each secret's unique DuckDB
+ * secret name (not by type) so several secrets of the same type (e.g. one per S3
+ * bucket) coexist. Each secret carries its connector-serialized {@code type} (the
+ * DuckDB secret type) and {@code scope} (newline-joined scope prefixes) fields,
+ * plus type-specific fields like {@code key_id}.
+ *
+ * <p>Mirrors {@code vgi::Secrets} in the Rust SDK. Parse the {@code byte[]} blob
+ * carried on the params with {@link #parse(byte[])}, then select by name, type,
+ * or scope.</p>
+ */
+public final class Secrets {
+
+    /** name -> { field -> value-as-string }. */
+    private final Map<String, Map<String, String>> byName;
+
+    private Secrets(Map<String, Map<String, String>> byName) {
+        this.byName = byName;
+    }
+
+    /**
+     * Build directly from a name -> fields map (for tests / non-IPC callers).
+     *
+     * @param byName the resolved secrets keyed by secret name
+     * @return a {@code Secrets} over a copy of {@code byName}
+     */
+    public static Secrets of(Map<String, Map<String, String>> byName) {
+        Map<String, Map<String, String>> copy = new LinkedHashMap<>();
+        byName.forEach((k, v) -> copy.put(k, new LinkedHashMap<>(v)));
+        return new Secrets(copy);
+    }
+
+    /**
+     * Parse the IPC secrets blob. Each column is a secret (named by its DuckDB
+     * secret name) holding a struct of its fields, including {@code type} and
+     * {@code scope}. Empty/null blob yields empty secrets.
+     *
+     * @param bytes the IPC batch, or {@code null}/empty
+     * @return the parsed secrets
+     */
+    public static Secrets parse(byte[] bytes) {
+        Map<String, Map<String, String>> byName = new LinkedHashMap<>();
+        if (bytes == null || bytes.length == 0) {
+            return new Secrets(byName);
+        }
+        try (ByteArrayInputStream in = new ByteArrayInputStream(bytes);
+             ArrowStreamReader r = new ArrowStreamReader(in, Allocators.root())) {
+            if (r.loadNextBatch()) {
+                VectorSchemaRoot root = r.getVectorSchemaRoot();
+                for (Field f : root.getSchema().getFields()) {
+                    FieldVector col = root.getVector(f.getName());
+                    if (col == null || col.isNull(0)) {
+                        continue;
+                    }
+                    Map<String, String> fields = new LinkedHashMap<>();
+                    if (col instanceof StructVector sv) {
+                        for (Field child : f.getChildren()) {
+                            FieldVector cv = sv.getChild(child.getName());
+                            if (cv != null && !cv.isNull(0)) {
+                                fields.put(child.getName(), render(cv));
+                            }
+                        }
+                    } else {
+                        fields.put(f.getName(), render(col));
+                    }
+                    if (!fields.isEmpty()) {
+                        byName.put(f.getName(), fields);
+                    }
+                }
+            }
+        } catch (Exception e) {
+            throw new RuntimeException("Failed to parse secrets IPC batch", e);
+        }
+        return new Secrets(byName);
+    }
+
+    /** A field value from the first secret carrying it (any name). */
+    public Optional<String> field(String field) {
+        return byName.values().stream()
+                .map(m -> m.get(field))
+                .filter(java.util.Objects::nonNull)
+                .findFirst();
+    }
+
+    /** A named secret's field. */
+    public Optional<String> namedField(String name, String field) {
+        Map<String, String> m = byName.get(name);
+        return m == null ? Optional.empty() : Optional.ofNullable(m.get(field));
+    }
+
+    /** Every resolved secret as (name -> fields). */
+    public Map<String, Map<String, String>> byName() {
+        return byName;
+    }
+
+    /** The DuckDB secret type of the named secret (its {@code type} field). */
+    public Optional<String> secretType(String name) {
+        return namedField(name, "type");
+    }
+
+    /** Every resolved secret whose {@code type} field matches {@code secretType}. */
+    public List<Map<String, String>> ofType(String secretType) {
+        return byName.values().stream()
+                .filter(m -> secretType.equals(m.get("type")))
+                .toList();
+    }
+
+    /**
+     * The fields of the secret whose {@code scope} is the longest prefix of
+     * {@code path}. The connector serializes each secret's scope as a
+     * newline-joined list of prefixes; a secret with no (or empty) scope matches
+     * as a last-resort fallback. Empty only when there are no candidate secrets.
+     *
+     * @param path the path to match (e.g. {@code s3://bucket/data/x.dat})
+     * @return the best-matching secret's fields
+     */
+    public Optional<Map<String, String>> forScope(String path) {
+        return selectForScope(path, null);
+    }
+
+    /** Like {@link #forScope} but only over secrets of {@code secretType}. */
+    public Optional<Map<String, String>> forScopeOfType(String path, String secretType) {
+        return selectForScope(path, secretType);
+    }
+
+    /** A field of the best scope-matching secret for {@code path}. */
+    public Optional<String> fieldFor(String path, String field) {
+        return forScope(path).map(m -> m.get(field)).filter(java.util.Objects::nonNull);
+    }
+
+    private Optional<Map<String, String>> selectForScope(String path, String secretType) {
+        Map<String, String> best = null;
+        int bestLen = -1;
+        Map<String, String> fallback = null;
+        for (Map<String, String> fields : byName.values()) {
+            if (secretType != null && !secretType.equals(fields.get("type"))) {
+                continue;
+            }
+            String scope = fields.get("scope");
+            if (scope == null || scope.isEmpty()) {
+                if (fallback == null) {
+                    fallback = fields;
+                }
+                continue;
+            }
+            for (String prefix : scope.split("\n")) {
+                if (!prefix.isEmpty() && path.startsWith(prefix) && prefix.length() > bestLen) {
+                    bestLen = prefix.length();
+                    best = fields;
+                }
+            }
+        }
+        return Optional.ofNullable(best != null ? best : fallback);
+    }
+
+    private static String render(FieldVector v) {
+        if (v.isNull(0)) {
+            return "";
+        }
+        if (v instanceof VarCharVector vc) {
+            return new String(vc.get(0), java.nio.charset.StandardCharsets.UTF_8);
+        }
+        if (v instanceof BigIntVector iv) {
+            return String.valueOf(iv.get(0));
+        }
+        if (v instanceof IntVector iv) {
+            return String.valueOf(iv.get(0));
+        }
+        if (v instanceof BitVector bv) {
+            return String.valueOf(bv.get(0) != 0);
+        }
+        Object o = v.getObject(0);
+        return o == null ? "" : o.toString();
+    }
+}
diff --git a/vgi/src/test/java/farm/query/vgi/SecretsTest.java b/vgi/src/test/java/farm/query/vgi/SecretsTest.java
@@ -0,0 +1,72 @@
+// Copyright 2026 Query Farm LLC - https://query.farm
+
+package farm.query.vgi;
+
+import org.junit.jupiter.api.Test;
+
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+/** Type- and scope-aware selection over resolved secrets. */
+class SecretsTest {
+
+    private static Map<String, String> fields(String... kv) {
+        Map<String, String> m = new LinkedHashMap<>();
+        for (int i = 0; i < kv.length; i += 2) {
+            m.put(kv[i], kv[i + 1]);
+        }
+        return m;
+    }
+
+    private static Secrets sample() {
+        Map<String, Map<String, String>> byName = new LinkedHashMap<>();
+        byName.put("my_s3", fields("type", "s3", "key_id", "AAA", "scope", "s3://bucket-a"));
+        byName.put("my_s3_b",
+                fields("type", "s3", "key_id", "BBB", "scope", "s3://bucket-b\ns3://bucket-b2"));
+        byName.put("my_gcs", fields("type", "gcs", "key_id", "G"));
+        return Secrets.of(byName);
+    }
+
+    @Test
+    void typeAware() {
+        Secrets s = sample();
+        assertEquals("s3", s.secretType("my_s3").orElse(null));
+        assertEquals("gcs", s.secretType("my_gcs").orElse(null));
+        assertEquals(2, s.ofType("s3").size());
+        assertEquals(1, s.ofType("gcs").size());
+        assertTrue(s.ofType("azure").isEmpty());
+    }
+
+    @Test
+    void scopeSelectionPerBucket() {
+        Secrets s = sample();
+        assertEquals("AAA", s.forScopeOfType("s3://bucket-a/x.dat", "s3").orElseThrow().get("key_id"));
+        assertEquals("BBB", s.forScopeOfType("s3://bucket-b2/y.dat", "s3").orElseThrow().get("key_id"));
+        assertEquals("AAA", s.fieldFor("s3://bucket-a/x.dat", "key_id").orElse(null));
+    }
+
+    @Test
+    void longestPrefixAndFallback() {
+        Map<String, Map<String, String>> byName = new LinkedHashMap<>();
+        byName.put("broad", fields("type", "s3", "key_id", "broad", "scope", "s3://bucket"));
+        byName.put("narrow", fields("type", "s3", "key_id", "narrow", "scope", "s3://bucket/data"));
+        Secrets s = Secrets.of(byName);
+        assertEquals("narrow", s.fieldFor("s3://bucket/data/x.dat", "key_id").orElse(null));
+        assertEquals("broad", s.fieldFor("s3://bucket/other/x.dat", "key_id").orElse(null));
+
+        Secrets unscoped = Secrets.of(Map.of("only", fields("type", "s3", "key_id", "only")));
+        assertEquals("only", unscoped.fieldFor("s3://any/x", "key_id").orElse(null));
+
+        assertFalse(s.forScope("s3://nope/x").isPresent());
+    }
+
+    @Test
+    void parseEmpty() {
+        assertTrue(Secrets.parse(new byte[0]).byName().isEmpty());
+        assertTrue(Secrets.parse(null).field("anything").isEmpty());
+    }
+}
