Skip to content

Standardize source credential binding API #810

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
RhysSullivan wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Standardize source credential binding API #810

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 21 additions & 17 deletions apps/cloud/src/services/sources-api.node.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -760,13 +760,14 @@ describe("sources api (HTTP)", () => {
value: "alice-secret",
},
});
const binding = yield* client.openapi.setSourceBinding({
const binding = yield* client.credentialBindings.set({
params: { scopeId: ScopeId.make(aliceScope) },
payload: {
targetScope: ScopeId.make(aliceScope),
pluginId: "openapi",
sourceId: namespace,
sourceScope: ScopeId.make(orgId),
scope: ScopeId.make(aliceScope),
slot: "auth:personal-token",
slotKey: "auth:personal-token",
value: {
kind: "secret",
secretId: SecretId.make("alice_pat"),
Expand All @@ -777,7 +778,7 @@ describe("sources api (HTTP)", () => {
sourceId: namespace,
sourceScopeId: ScopeId.make(orgId),
scopeId: ScopeId.make(aliceScope),
slot: "auth:personal-token",
slotKey: "auth:personal-token",
value: {
kind: "secret",
secretId: SecretId.make("alice_pat"),
Expand All @@ -798,13 +799,14 @@ describe("sources api (HTTP)", () => {
value: "bob-secret",
},
});
yield* client.openapi.setSourceBinding({
yield* client.credentialBindings.set({
params: { scopeId: ScopeId.make(bobScope) },
payload: {
targetScope: ScopeId.make(bobScope),
pluginId: "openapi",
sourceId: namespace,
sourceScope: ScopeId.make(orgId),
scope: ScopeId.make(bobScope),
slot: "auth:personal-token",
slotKey: "auth:personal-token",
value: {
kind: "secret",
secretId: SecretId.make("bob_pat"),
Expand All @@ -815,18 +817,19 @@ describe("sources api (HTTP)", () => {
);

const aliceBindings = yield* asUser(aliceId, orgId, (client) =>
client.openapi.listSourceBindings({
client.credentialBindings.listForSource({
params: {
scopeId: ScopeId.make(aliceScope),
namespace,
sourceScopeId: ScopeId.make(orgId),
pluginId: "openapi",
sourceId: namespace,
sourceScope: ScopeId.make(orgId),
},
}),
);
expect(aliceBindings).toContainEqual(
expect.objectContaining({
scopeId: ScopeId.make(aliceScope),
slot: "auth:personal-token",
slotKey: "auth:personal-token",
value: {
kind: "secret",
secretId: SecretId.make("alice_pat"),
Expand All @@ -837,25 +840,26 @@ describe("sources api (HTTP)", () => {
expect(
aliceBindings.some(
(binding) =>
binding.slot === "auth:personal-token" &&
binding.slotKey === "auth:personal-token" &&
binding.value.kind === "secret" &&
binding.value.secretId === SecretId.make("bob_pat"),
),
).toBe(false);

const bobBindings = yield* asUser(bobId, orgId, (client) =>
client.openapi.listSourceBindings({
client.credentialBindings.listForSource({
params: {
scopeId: ScopeId.make(bobScope),
namespace,
sourceScopeId: ScopeId.make(orgId),
pluginId: "openapi",
sourceId: namespace,
sourceScope: ScopeId.make(orgId),
},
}),
);
expect(bobBindings).toContainEqual(
expect.objectContaining({
scopeId: ScopeId.make(bobScope),
slot: "auth:personal-token",
slotKey: "auth:personal-token",
value: {
kind: "secret",
secretId: SecretId.make("bob_pat"),
Expand All @@ -866,7 +870,7 @@ describe("sources api (HTTP)", () => {
expect(
bobBindings.some(
(binding) =>
binding.slot === "auth:personal-token" &&
binding.slotKey === "auth:personal-token" &&
binding.value.kind === "secret" &&
binding.value.secretId === SecretId.make("alice_pat"),
),
Expand Down
14 changes: 8 additions & 6 deletions apps/cloud/src/services/tenant-isolation.node.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -272,13 +272,14 @@ describe("tenant isolation (HTTP)", () => {
},
},
});
yield* client.openapi.setSourceBinding({
yield* client.credentialBindings.set({
params: { scopeId: ScopeId.make(orgA) },
payload: {
targetScope: ScopeId.make(orgA),
pluginId: "openapi",
sourceId: namespaceA,
sourceScope: ScopeId.make(orgA),
scope: ScopeId.make(orgA),
slot: "auth:token",
slotKey: "auth:token",
value: { kind: "secret", secretId: secretIdA },
},
});
Expand Down Expand Up @@ -319,13 +320,14 @@ describe("tenant isolation (HTTP)", () => {
},
},
});
yield* client.openapi.setSourceBinding({
yield* client.credentialBindings.set({
params: { scopeId: ScopeId.make(orgA) },
payload: {
targetScope: ScopeId.make(orgA),
pluginId: "openapi",
sourceId: namespaceA,
sourceScope: ScopeId.make(orgA),
scope: ScopeId.make(orgA),
slot: "auth:conn",
slotKey: "auth:conn",
value: { kind: "connection", connectionId: connectionIdA },
},
});
Expand Down
2 changes: 2 additions & 0 deletions packages/core/api/src/api.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import { ExecutionsApi } from "./executions/api";
import { ScopeApi } from "./scope/api";
import { OAuthApi } from "./oauth/api";
import { PoliciesApi } from "./policies/api";
import { CredentialBindingsApi } from "./credential-bindings/api";

export const CoreExecutorApi = HttpApi.make("executor")
.add(ToolsApi)
Expand All @@ -19,6 +20,7 @@ export const CoreExecutorApi = HttpApi.make("executor")
.add(ScopeApi)
.add(OAuthApi)
.add(PoliciesApi)
.add(CredentialBindingsApi)
.annotateMerge(
OpenApi.annotations({
title: "Executor API",
Expand Down
162 changes: 162 additions & 0 deletions packages/core/api/src/credential-bindings.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,162 @@
import { HttpApiBuilder } from "effect/unstable/httpapi";
import * as HttpApiClient from "effect/unstable/httpapi/HttpApiClient";
import {
HttpClient,
HttpClientError,
HttpClientRequest,
HttpClientResponse,
HttpRouter,
HttpServer,
} from "effect/unstable/http";
import { describe, expect, it } from "@effect/vitest";
import { Context, Effect, Layer } from "effect";

import {
Scope,
ScopeId,
createExecutor,
definePlugin,
makeTestConfig,
type Executor,
} from "@executor-js/sdk";

import { ExecutorApi } from "./api";
import { observabilityMiddleware } from "./observability";
import { CoreHandlers, ExecutionEngineService, ExecutorService } from "./server";

const TEST_PLUGIN_ID = "credentialApiTest";
const TEST_SOURCE_ID = "shared-api";
const TEST_SLOT = "request.header.Authorization";

const webHandlerFor = (executor: Executor) =>
Effect.acquireRelease(
Effect.sync(() =>
HttpRouter.toWebHandler(
HttpApiBuilder.layer(ExecutorApi).pipe(
Layer.provide(CoreHandlers),
Layer.provide(observabilityMiddleware(ExecutorApi)),
Layer.provide(Layer.succeed(ExecutorService)(executor)),
Layer.provide(
Layer.succeed(ExecutionEngineService)({} as ExecutionEngineService["Service"]),
),
Layer.provideMerge(HttpServer.layerServices),
Layer.provideMerge(Layer.succeed(HttpRouter.RouterConfig)({ maxParamLength: 1000 })),
),
{ disableLogger: true },
),
),
(web) => Effect.promise(() => web.dispose()),
);

const handlerContextFor = (executor: Executor) =>
Context.make(ExecutorService, executor).pipe(
Context.add(ExecutionEngineService, {} as ExecutionEngineService["Service"]),
);

const apiClientFor = (executor: Executor) =>
Effect.gen(function* () {
const web = yield* webHandlerFor(executor);
const context = handlerContextFor(executor);
const httpClient = HttpClient.make((request, _url, signal) =>
Effect.gen(function* () {
const webRequest = yield* HttpClientRequest.toWeb(request, { signal }).pipe(
Effect.mapError(
(cause) =>
new HttpClientError.HttpClientError({
reason: new HttpClientError.InvalidUrlError({ request, cause }),
}),
),
);
const response = yield* Effect.promise(() => web.handler(webRequest, context));
return HttpClientResponse.fromWeb(request, response);
}),
);
return yield* HttpApiClient.makeWith(ExecutorApi, {
httpClient,
baseUrl: "http://localhost",
});
});

const scope = (id: ScopeId, name: string) => Scope.make({ id, name, createdAt: new Date() });

const credentialApiTestPlugin = definePlugin(() => ({
id: TEST_PLUGIN_ID,
storage: () => ({}),
extension: (ctx) => ({
registerSource: (targetScope: ScopeId) =>
ctx.core.sources.register({
id: TEST_SOURCE_ID,
scope: targetScope,
kind: "test-api",
name: "Shared API",
tools: [{ name: "read", description: "read from the shared API" }],
}),
}),
}));

describe("credential binding API", () => {
it.effect("sets, lists, and removes source credential bindings", () =>
Effect.gen(function* () {
const userScope = ScopeId.make("api-user");
const orgScope = ScopeId.make("api-org");
const executor = yield* createExecutor(
makeTestConfig({
scopes: [scope(userScope, "user"), scope(orgScope, "org")],
plugins: [credentialApiTestPlugin()] as const,
}),
);
yield* executor.credentialApiTest.registerSource(orgScope);
const client = yield* apiClientFor(executor);

const created = yield* client.credentialBindings.set({
params: { scopeId: userScope },
payload: {
targetScope: userScope,
pluginId: TEST_PLUGIN_ID,
sourceId: TEST_SOURCE_ID,
sourceScope: orgScope,
slotKey: TEST_SLOT,
value: { kind: "text", text: "test-token" },
},
});
expect(created).toMatchObject({
slotKey: TEST_SLOT,
scopeId: String(userScope),
value: { kind: "text", text: "test-token" },
});

const listed = yield* client.credentialBindings.listForSource({
params: {
scopeId: userScope,
pluginId: TEST_PLUGIN_ID,
sourceId: TEST_SOURCE_ID,
sourceScope: orgScope,
},
});
expect(listed).toHaveLength(1);
expect(listed[0]).toMatchObject({ slotKey: TEST_SLOT, scopeId: String(userScope) });

const removed = yield* client.credentialBindings.remove({
params: { scopeId: userScope },
payload: {
targetScope: userScope,
pluginId: TEST_PLUGIN_ID,
sourceId: TEST_SOURCE_ID,
sourceScope: orgScope,
slotKey: TEST_SLOT,
},
});
expect(removed).toEqual({ removed: true });

const afterRemove = yield* client.credentialBindings.listForSource({
params: {
scopeId: userScope,
pluginId: TEST_PLUGIN_ID,
sourceId: TEST_SOURCE_ID,
sourceScope: orgScope,
},
});
expect(afterRemove).toEqual([]);
}),
);
});
47 changes: 47 additions & 0 deletions packages/core/api/src/credential-bindings/api.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
import { HttpApiEndpoint, HttpApiGroup } from "effect/unstable/httpapi";
import { Schema } from "effect";
import {
CredentialBindingRef,
RemoveCredentialBindingInput,
ScopeId,
SetCredentialBindingInput,
} from "@executor-js/sdk";

import { InternalError } from "../observability";

const ScopeParams = { scopeId: ScopeId };
const CredentialBindingSourceParams = {
scopeId: ScopeId,
pluginId: Schema.String,
sourceId: Schema.String,
sourceScope: ScopeId,
};

export const CredentialBindingsApi = HttpApiGroup.make("credentialBindings")
.add(
HttpApiEndpoint.get(
"listForSource",
"/scopes/:scopeId/credential-bindings/:pluginId/sources/:sourceId/base/:sourceScope",
{
params: CredentialBindingSourceParams,
success: Schema.Array(CredentialBindingRef),
error: InternalError,
},
),
)
.add(
HttpApiEndpoint.post("set", "/scopes/:scopeId/credential-bindings", {
params: ScopeParams,
payload: SetCredentialBindingInput,
success: CredentialBindingRef,
error: InternalError,
}),
)
.add(
HttpApiEndpoint.post("remove", "/scopes/:scopeId/credential-bindings/remove", {
params: ScopeParams,
payload: RemoveCredentialBindingInput,
success: Schema.Struct({ removed: Schema.Boolean }),
error: InternalError,
}),
);
Loading
Loading