Standardize source credential bindings

Author: RhysSullivan

apps/cloud/src/services/sources-api.node.test.ts

@@ -760,13 +760,14 @@ describe("sources api (HTTP)", () => {
               value: "alice-secret",
             },
           });
-          const binding = yield* client.openapi.setSourceBinding({
+          const binding = yield* client.credentialBindings.set({
             params: { scopeId: ScopeId.make(aliceScope) },
             payload: {
+              targetScope: ScopeId.make(aliceScope),
+              pluginId: "openapi",
               sourceId: namespace,
               sourceScope: ScopeId.make(orgId),
-              scope: ScopeId.make(aliceScope),
-              slot: "auth:personal-token",
+              slotKey: "auth:personal-token",
               value: {
                 kind: "secret",
                 secretId: SecretId.make("alice_pat"),
@@ -777,7 +778,7 @@ describe("sources api (HTTP)", () => {
             sourceId: namespace,
             sourceScopeId: ScopeId.make(orgId),
             scopeId: ScopeId.make(aliceScope),
-            slot: "auth:personal-token",
+            slotKey: "auth:personal-token",
             value: {
               kind: "secret",
               secretId: SecretId.make("alice_pat"),
@@ -798,13 +799,14 @@ describe("sources api (HTTP)", () => {
               value: "bob-secret",
             },
           });
-          yield* client.openapi.setSourceBinding({
+          yield* client.credentialBindings.set({
             params: { scopeId: ScopeId.make(bobScope) },
             payload: {
+              targetScope: ScopeId.make(bobScope),
+              pluginId: "openapi",
               sourceId: namespace,
               sourceScope: ScopeId.make(orgId),
-              scope: ScopeId.make(bobScope),
-              slot: "auth:personal-token",
+              slotKey: "auth:personal-token",
               value: {
                 kind: "secret",
                 secretId: SecretId.make("bob_pat"),
@@ -815,18 +817,19 @@ describe("sources api (HTTP)", () => {
       );
 
       const aliceBindings = yield* asUser(aliceId, orgId, (client) =>
-        client.openapi.listSourceBindings({
+        client.credentialBindings.listForSource({
           params: {
             scopeId: ScopeId.make(aliceScope),
-            namespace,
-            sourceScopeId: ScopeId.make(orgId),
+            pluginId: "openapi",
+            sourceId: namespace,
+            sourceScope: ScopeId.make(orgId),
           },
         }),
       );
       expect(aliceBindings).toContainEqual(
         expect.objectContaining({
           scopeId: ScopeId.make(aliceScope),
-          slot: "auth:personal-token",
+          slotKey: "auth:personal-token",
           value: {
             kind: "secret",
             secretId: SecretId.make("alice_pat"),
@@ -837,25 +840,26 @@ describe("sources api (HTTP)", () => {
       expect(
         aliceBindings.some(
           (binding) =>
-            binding.slot === "auth:personal-token" &&
+            binding.slotKey === "auth:personal-token" &&
             binding.value.kind === "secret" &&
             binding.value.secretId === SecretId.make("bob_pat"),
         ),
       ).toBe(false);
 
       const bobBindings = yield* asUser(bobId, orgId, (client) =>
-        client.openapi.listSourceBindings({
+        client.credentialBindings.listForSource({
           params: {
             scopeId: ScopeId.make(bobScope),
-            namespace,
-            sourceScopeId: ScopeId.make(orgId),
+            pluginId: "openapi",
+            sourceId: namespace,
+            sourceScope: ScopeId.make(orgId),
           },
         }),
       );
       expect(bobBindings).toContainEqual(
         expect.objectContaining({
           scopeId: ScopeId.make(bobScope),
-          slot: "auth:personal-token",
+          slotKey: "auth:personal-token",
           value: {
             kind: "secret",
             secretId: SecretId.make("bob_pat"),
@@ -866,7 +870,7 @@ describe("sources api (HTTP)", () => {
       expect(
         bobBindings.some(
           (binding) =>
-            binding.slot === "auth:personal-token" &&
+            binding.slotKey === "auth:personal-token" &&
             binding.value.kind === "secret" &&
             binding.value.secretId === SecretId.make("alice_pat"),
         ),

apps/cloud/src/services/tenant-isolation.node.test.ts

@@ -272,13 +272,14 @@ describe("tenant isolation (HTTP)", () => {
               },
             },
           });
-          yield* client.openapi.setSourceBinding({
+          yield* client.credentialBindings.set({
             params: { scopeId: ScopeId.make(orgA) },
             payload: {
+              targetScope: ScopeId.make(orgA),
+              pluginId: "openapi",
               sourceId: namespaceA,
               sourceScope: ScopeId.make(orgA),
-              scope: ScopeId.make(orgA),
-              slot: "auth:token",
+              slotKey: "auth:token",
               value: { kind: "secret", secretId: secretIdA },
             },
           });
@@ -319,13 +320,14 @@ describe("tenant isolation (HTTP)", () => {
               },
             },
           });
-          yield* client.openapi.setSourceBinding({
+          yield* client.credentialBindings.set({
             params: { scopeId: ScopeId.make(orgA) },
             payload: {
+              targetScope: ScopeId.make(orgA),
+              pluginId: "openapi",
               sourceId: namespaceA,
               sourceScope: ScopeId.make(orgA),
-              scope: ScopeId.make(orgA),
-              slot: "auth:conn",
+              slotKey: "auth:conn",
               value: { kind: "connection", connectionId: connectionIdA },
             },
           });

packages/core/api/src/api.ts

@@ -9,6 +9,7 @@ import { ExecutionsApi } from "./executions/api";
 import { ScopeApi } from "./scope/api";
 import { OAuthApi } from "./oauth/api";
 import { PoliciesApi } from "./policies/api";
+import { CredentialBindingsApi } from "./credential-bindings/api";
 
 export const CoreExecutorApi = HttpApi.make("executor")
   .add(ToolsApi)
@@ -19,6 +20,7 @@ export const CoreExecutorApi = HttpApi.make("executor")
   .add(ScopeApi)
   .add(OAuthApi)
   .add(PoliciesApi)
+  .add(CredentialBindingsApi)
   .annotateMerge(
     OpenApi.annotations({
       title: "Executor API",

packages/core/api/src/credential-bindings.test.ts

@@ -0,0 +1,162 @@
+import { HttpApiBuilder } from "effect/unstable/httpapi";
+import * as HttpApiClient from "effect/unstable/httpapi/HttpApiClient";
+import {
+  HttpClient,
+  HttpClientError,
+  HttpClientRequest,
+  HttpClientResponse,
+  HttpRouter,
+  HttpServer,
+} from "effect/unstable/http";
+import { describe, expect, it } from "@effect/vitest";
+import { Context, Effect, Layer } from "effect";
+
+import {
+  Scope,
+  ScopeId,
+  createExecutor,
+  definePlugin,
+  makeTestConfig,
+  type Executor,
+} from "@executor-js/sdk";
+
+import { ExecutorApi } from "./api";
+import { observabilityMiddleware } from "./observability";
+import { CoreHandlers, ExecutionEngineService, ExecutorService } from "./server";
+
+const TEST_PLUGIN_ID = "credentialApiTest";
+const TEST_SOURCE_ID = "shared-api";
+const TEST_SLOT = "request.header.Authorization";
+
+const webHandlerFor = (executor: Executor) =>
+  Effect.acquireRelease(
+    Effect.sync(() =>
+      HttpRouter.toWebHandler(
+        HttpApiBuilder.layer(ExecutorApi).pipe(
+          Layer.provide(CoreHandlers),
+          Layer.provide(observabilityMiddleware(ExecutorApi)),
+          Layer.provide(Layer.succeed(ExecutorService)(executor)),
+          Layer.provide(
+            Layer.succeed(ExecutionEngineService)({} as ExecutionEngineService["Service"]),
+          ),
+          Layer.provideMerge(HttpServer.layerServices),
+          Layer.provideMerge(Layer.succeed(HttpRouter.RouterConfig)({ maxParamLength: 1000 })),
+        ),
+        { disableLogger: true },
+      ),
+    ),
+    (web) => Effect.promise(() => web.dispose()),
+  );
+
+const handlerContextFor = (executor: Executor) =>
+  Context.make(ExecutorService, executor).pipe(
+    Context.add(ExecutionEngineService, {} as ExecutionEngineService["Service"]),
+  );
+
+const apiClientFor = (executor: Executor) =>
+  Effect.gen(function* () {
+    const web = yield* webHandlerFor(executor);
+    const context = handlerContextFor(executor);
+    const httpClient = HttpClient.make((request, _url, signal) =>
+      Effect.gen(function* () {
+        const webRequest = yield* HttpClientRequest.toWeb(request, { signal }).pipe(
+          Effect.mapError(
+            (cause) =>
+              new HttpClientError.HttpClientError({
+                reason: new HttpClientError.InvalidUrlError({ request, cause }),
+              }),
+          ),
+        );
+        const response = yield* Effect.promise(() => web.handler(webRequest, context));
+        return HttpClientResponse.fromWeb(request, response);
+      }),
+    );
+    return yield* HttpApiClient.makeWith(ExecutorApi, {
+      httpClient,
+      baseUrl: "http://localhost",
+    });
+  });
+
+const scope = (id: ScopeId, name: string) => Scope.make({ id, name, createdAt: new Date() });
+
+const credentialApiTestPlugin = definePlugin(() => ({
+  id: TEST_PLUGIN_ID,
+  storage: () => ({}),
+  extension: (ctx) => ({
+    registerSource: (targetScope: ScopeId) =>
+      ctx.core.sources.register({
+        id: TEST_SOURCE_ID,
+        scope: targetScope,
+        kind: "test-api",
+        name: "Shared API",
+        tools: [{ name: "read", description: "read from the shared API" }],
+      }),
+  }),
+}));
+
+describe("credential binding API", () => {
+  it.effect("sets, lists, and removes source credential bindings", () =>
+    Effect.gen(function* () {
+      const userScope = ScopeId.make("api-user");
+      const orgScope = ScopeId.make("api-org");
+      const executor = yield* createExecutor(
+        makeTestConfig({
+          scopes: [scope(userScope, "user"), scope(orgScope, "org")],
+          plugins: [credentialApiTestPlugin()] as const,
+        }),
+      );
+      yield* executor.credentialApiTest.registerSource(orgScope);
+      const client = yield* apiClientFor(executor);
+
+      const created = yield* client.credentialBindings.set({
+        params: { scopeId: userScope },
+        payload: {
+          targetScope: userScope,
+          pluginId: TEST_PLUGIN_ID,
+          sourceId: TEST_SOURCE_ID,
+          sourceScope: orgScope,
+          slotKey: TEST_SLOT,
+          value: { kind: "text", text: "test-token" },
+        },
+      });
+      expect(created).toMatchObject({
+        slotKey: TEST_SLOT,
+        scopeId: String(userScope),
+        value: { kind: "text", text: "test-token" },
+      });
+
+      const listed = yield* client.credentialBindings.listForSource({
+        params: {
+          scopeId: userScope,
+          pluginId: TEST_PLUGIN_ID,
+          sourceId: TEST_SOURCE_ID,
+          sourceScope: orgScope,
+        },
+      });
+      expect(listed).toHaveLength(1);
+      expect(listed[0]).toMatchObject({ slotKey: TEST_SLOT, scopeId: String(userScope) });
+
+      const removed = yield* client.credentialBindings.remove({
+        params: { scopeId: userScope },
+        payload: {
+          targetScope: userScope,
+          pluginId: TEST_PLUGIN_ID,
+          sourceId: TEST_SOURCE_ID,
+          sourceScope: orgScope,
+          slotKey: TEST_SLOT,
+        },
+      });
+      expect(removed).toEqual({ removed: true });
+
+      const afterRemove = yield* client.credentialBindings.listForSource({
+        params: {
+          scopeId: userScope,
+          pluginId: TEST_PLUGIN_ID,
+          sourceId: TEST_SOURCE_ID,
+          sourceScope: orgScope,
+        },
+      });
+      expect(afterRemove).toEqual([]);
+    }),
+  );
+});

packages/core/api/src/credential-bindings/api.ts

@@ -0,0 +1,47 @@
+import { HttpApiEndpoint, HttpApiGroup } from "effect/unstable/httpapi";
+import { Schema } from "effect";
+import {
+  CredentialBindingRef,
+  RemoveCredentialBindingInput,
+  ScopeId,
+  SetCredentialBindingInput,
+} from "@executor-js/sdk";
+
+import { InternalError } from "../observability";
+
+const ScopeParams = { scopeId: ScopeId };
+const CredentialBindingSourceParams = {
+  scopeId: ScopeId,
+  pluginId: Schema.String,
+  sourceId: Schema.String,
+  sourceScope: ScopeId,
+};
+
+export const CredentialBindingsApi = HttpApiGroup.make("credentialBindings")
+  .add(
+    HttpApiEndpoint.get(
+      "listForSource",
+      "/scopes/:scopeId/credential-bindings/:pluginId/sources/:sourceId/base/:sourceScope",
+      {
+        params: CredentialBindingSourceParams,
+        success: Schema.Array(CredentialBindingRef),
+        error: InternalError,
+      },
+    ),
+  )
+  .add(
+    HttpApiEndpoint.post("set", "/scopes/:scopeId/credential-bindings", {
+      params: ScopeParams,
+      payload: SetCredentialBindingInput,
+      success: CredentialBindingRef,
+      error: InternalError,
+    }),
+  )
+  .add(
+    HttpApiEndpoint.post("remove", "/scopes/:scopeId/credential-bindings/remove", {
+      params: ScopeParams,
+      payload: RemoveCredentialBindingInput,
+      success: Schema.Struct({ removed: Schema.Boolean }),
+      error: InternalError,
+    }),
+  );