Rename provider to key_file. Pass in KeyValueSecret, get back token string.

Alex-Monahan · Alex-Monahan · commit 56d545298422 · 2025-01-21T08:43:31.000-07:00
diff --git a/docs/pages/index.md b/docs/pages/index.md
@@ -45,7 +45,7 @@ CREATE SECRET (
 -- (see "Getting a Google API Access Private Key" below)
 CREATE SECRET (
     TYPE gsheet, 
-    PROVIDER private_key, 
+    PROVIDER key_file, 
     FILENAME '<path_to_JSON_file_with_private_key>'
 );
 ```
@@ -119,7 +119,7 @@ Follow steps 1-9 above to get a JSON file with your private key inside.
 Include the path to the file as the `FILENAME` parameter when creating a secret.
 The recommendation is to use an absolute path, not a relative one, and to store it in the `~/.duckdb` folder.
 You will need to be able to access this file while querying GSheets (its content are not persisted. Later versions of this extension may enable that.)
-Ex: `CREATE SECRET (TYPE gsheet, PROVIDER private_key, FILENAME '<path_to_JSON_file_with_private_key>');`
+Ex: `CREATE SECRET (TYPE gsheet, PROVIDER key_file, FILENAME '<path_to_JSON_file_with_private_key>');`
 
 You can skip steps 10, 11, and 12 since this extension will convert from your JSON file to a token on your behalf!
 
diff --git a/src/gsheets_auth.cpp b/src/gsheets_auth.cpp
@@ -83,7 +83,7 @@ namespace duckdb
     }
 
     // TODO: Maybe this should be a KeyValueSecret
-    static unique_ptr<BaseSecret> CreateGsheetSecretFromPrivateKey(ClientContext &context, CreateSecretInput &input) {
+    static unique_ptr<BaseSecret> CreateGsheetSecretFromKeyFile(ClientContext &context, CreateSecretInput &input) {
         auto scope = input.scope;
 
         auto result = make_uniq<KeyValueSecret>(scope, input.type, input.provider, input.name);
@@ -95,16 +95,16 @@ namespace duckdb
         std::ifstream ifs(filename);
         json credentials_file = json::parse(ifs);
         std::string email = credentials_file["client_email"].get<std::string>();
-        std::string private_key_string = credentials_file["private_key"].get<std::string>();
+        std::string secret = credentials_file["private_key"].get<std::string>();
 
         // Manage specific secret option
-        (*result).secret_map["client_email"] = Value(email);
-        (*result).secret_map["sheets_private_key"] = Value(private_key_string);
+        (*result).secret_map["email"] = Value(email);
+        (*result).secret_map["secret"] = Value(secret);
         CopySecret("filename", input, *result); // Store the filename anyway
 
         // Redact sensible keys
         RedactCommonKeys(*result);
-        result->redact_keys.insert("sheets_private_key");
+        result->redact_keys.insert("secret");
         result->redact_keys.insert("filename");
 
         return std::move(result);
@@ -134,10 +134,10 @@ namespace duckdb
         ExtensionUtil::RegisterFunction(instance, oauth_function);
 
         // Register the private key secret provider
-        CreateSecretFunction private_key_function = {type, "private_key", CreateGsheetSecretFromPrivateKey};
-        private_key_function.named_parameters["filename"] = LogicalType::VARCHAR;
-        RegisterCommonSecretParameters(private_key_function);
-        ExtensionUtil::RegisterFunction(instance, private_key_function);
+        CreateSecretFunction key_file_function = {type, "key_file", CreateGsheetSecretFromKeyFile};
+        key_file_function.named_parameters["filename"] = LogicalType::VARCHAR;
+        RegisterCommonSecretParameters(key_file_function);
+        ExtensionUtil::RegisterFunction(instance, key_file_function);
     }
 
     std::string InitiateOAuthFlow()
diff --git a/src/gsheets_copy.cpp b/src/gsheets_copy.cpp
@@ -54,25 +54,11 @@ namespace duckdb
 
         std::string token;
 
-        if (secret.GetProvider() == "private_key") {
+        if (secret.GetProvider() == "key_file") {
             // If using a private key, retrieve the private key from the secret, but convert it 
             // into a token before use. This is an extra request per Google Sheet read or copy.
             // The secret is the JSON file that is extracted from Google as per the README
-            
-
-            Value client_email_value;
-            if (!kv_secret->TryGetValue("client_email", client_email_value)) {
-                throw InvalidInputException("'client_email' not found in 'gsheet' secret");
-            }
-            std::string client_email_string = client_email_value.ToString();
-
-            Value sheets_private_key_value;
-            if (!kv_secret->TryGetValue("sheets_private_key", sheets_private_key_value)) {
-                throw InvalidInputException("'sheets_private_key' not found in 'gsheet' secret");
-            }
-            std::string sheets_private_key_string = sheets_private_key_value.ToString();
-            
-            token = get_token(client_email_string, sheets_private_key_string);
+            token = get_token(kv_secret);
         } else {
             Value token_value;
             if (!kv_secret->TryGetValue("token", token_value)) {
diff --git a/src/gsheets_get_token.cpp b/src/gsheets_get_token.cpp
@@ -6,6 +6,7 @@
 #include "gsheets_requests.hpp"
 #include "gsheets_utils.hpp"
 #include "duckdb/common/exception.hpp"
+#include "duckdb/main/secret/secret_manager.hpp"
 
 #include <openssl/ssl.h>
 #include <openssl/err.h>
@@ -67,14 +68,26 @@ namespace duckdb
         output[output_index] = '\0';
     }
 
-    std::string get_token(const std::string& email, const std::string& private_key_string) {
+    std::string get_token(const KeyValueSecret* kv_secret) {
         const char *header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
 
         /* Create jwt claim set */
         json jwt_claim_set;
         std::time_t t = std::time(NULL);
 
-        jwt_claim_set["iss"] = email; /* service account email address */
+        Value email_value;
+        if (!kv_secret->TryGetValue("email", email_value)) {
+            throw InvalidInputException("'email' not found in 'gsheet' secret");
+        }
+        std::string email_string = email_value.ToString();
+
+        Value secret_value;
+        if (!kv_secret->TryGetValue("secret", secret_value)) {
+            throw InvalidInputException("'secret' (private_key) not found in 'gsheet' secret");
+        }
+        std::string secret_string = secret_value.ToString();
+
+        jwt_claim_set["iss"] = email_string; /* service account email address */
         jwt_claim_set["scope"] = "https://www.googleapis.com/auth/spreadsheets" /* scope of requested access token */;
         jwt_claim_set["aud"] = "https://accounts.google.com/o/oauth2/token"; /* intended target of the assertion for an access token */
         jwt_claim_set["iat"] = std::to_string(t); /* issued time */
@@ -100,8 +113,8 @@ namespace duckdb
         digest_str[SHA256_DIGEST_LENGTH * 2] = '\0';
         
         BIO* bio = BIO_new(BIO_s_mem());
-        const void * private_key_pointer = private_key_string.c_str();
-        int private_key_length = std::strlen(private_key_string.c_str());
+        const void * private_key_pointer = secret_string.c_str();
+        int private_key_length = std::strlen(secret_string.c_str());
         BIO_write(bio, private_key_pointer, private_key_length);
         EVP_PKEY* evp_key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
         RSA* rsa = EVP_PKEY_get1_RSA(evp_key);
diff --git a/src/gsheets_read.cpp b/src/gsheets_read.cpp
@@ -134,25 +134,11 @@ unique_ptr<FunctionData> ReadSheetBind(ClientContext &context, TableFunctionBind
 
     std::string token;
 
-    if (secret.GetProvider() == "private_key") {
+    if (secret.GetProvider() == "key_file") {
         // If using a private key, retrieve the private key from the secret, but convert it 
         // into a token before use. This is an extra request per Google Sheet read or copy.
         // The secret is the JSON file that is extracted from Google as per the README
-        
-
-        Value client_email_value;
-        if (!kv_secret->TryGetValue("client_email", client_email_value)) {
-            throw InvalidInputException("'client_email' not found in 'gsheet' secret");
-        }
-        std::string client_email_string = client_email_value.ToString();
-
-        Value sheets_private_key_value;
-        if (!kv_secret->TryGetValue("sheets_private_key", sheets_private_key_value)) {
-            throw InvalidInputException("'sheets_private_key' not found in 'gsheet' secret");
-        }
-        std::string sheets_private_key_string = sheets_private_key_value.ToString();
-        
-        token = get_token(client_email_string, sheets_private_key_string);
+        token = get_token(kv_secret);
 
     } else {
         Value token_value;
diff --git a/src/include/gsheets_get_token.hpp b/src/include/gsheets_get_token.hpp
@@ -2,13 +2,14 @@
 
 #include <string>
 #include <stdlib.h>
+#include "duckdb/main/secret/secret_manager.hpp"
 
 namespace duckdb {
 
     char get_base64_char(char byte);
 
     void base64encode(char *output, const char *input, size_t input_length) ;
 
-    std::string get_token(const std::string& email, const std::string& private_key_string ) ;
+    std::string get_token(const KeyValueSecret* kv_secret) ;
 
 }
