d25d482dc2
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
143 lines
4.8 KiB
TypeScript
143 lines
4.8 KiB
TypeScript
import { getErrorMessage } from '@sim/utils/errors'
|
|
import { serviceAccountJsonSchema } from '@/lib/api/contracts/credentials'
|
|
import { getValidationErrorMessage } from '@/lib/api/server'
|
|
import { encryptSecret } from '@/lib/core/security/encryption'
|
|
import {
|
|
normalizeAtlassianDomain,
|
|
validateAtlassianServiceAccount,
|
|
} from '@/lib/credentials/atlassian-service-account'
|
|
import {
|
|
ATLASSIAN_SERVICE_ACCOUNT_PROVIDER_ID,
|
|
ATLASSIAN_SERVICE_ACCOUNT_SECRET_TYPE,
|
|
SLACK_CUSTOM_BOT_PROVIDER_ID,
|
|
SLACK_CUSTOM_BOT_SECRET_TYPE,
|
|
} from '@/lib/oauth/types'
|
|
import { fetchSlackTeamId } from '@/lib/webhooks/providers/slack'
|
|
|
|
/** Provider-specific secret inputs a service-account credential can carry. */
|
|
export interface ServiceAccountSecretFields {
|
|
signingSecret?: string
|
|
botToken?: string
|
|
apiToken?: string
|
|
domain?: string
|
|
serviceAccountJson?: string
|
|
}
|
|
|
|
export interface ServiceAccountSecretResult {
|
|
/** Canonical provider id for the resolved secret. */
|
|
providerId: string
|
|
encryptedServiceAccountKey: string
|
|
displayName: string
|
|
auditMetadata: Record<string, string>
|
|
/** Slack custom bot: the derived bot user id (for reaction self-drop). */
|
|
botUserId?: string
|
|
}
|
|
|
|
/** Thrown when a service-account secret is missing or fails provider verification. */
|
|
export class ServiceAccountSecretError extends Error {
|
|
constructor(message: string) {
|
|
super(message)
|
|
this.name = 'ServiceAccountSecretError'
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Verifies a service-account secret against its provider, derives the display
|
|
* name, and returns the encrypted blob ready to persist. Shared by credential
|
|
* create (POST) and in-place reconnect (PUT) so both paths verify + encrypt
|
|
* identically. Throws {@link ServiceAccountSecretError} on missing fields or a
|
|
* failed provider verification (callers map it to a 400).
|
|
*/
|
|
export async function verifyAndBuildServiceAccountSecret(
|
|
providerId: string,
|
|
fields: ServiceAccountSecretFields
|
|
): Promise<ServiceAccountSecretResult> {
|
|
if (providerId === ATLASSIAN_SERVICE_ACCOUNT_PROVIDER_ID) {
|
|
const { apiToken, domain } = fields
|
|
if (!apiToken || !domain) {
|
|
throw new ServiceAccountSecretError(
|
|
'apiToken and domain are required for Atlassian service account credentials'
|
|
)
|
|
}
|
|
const normalizedDomain = normalizeAtlassianDomain(domain)
|
|
const validation = await validateAtlassianServiceAccount(apiToken, normalizedDomain)
|
|
const blob = JSON.stringify({
|
|
type: ATLASSIAN_SERVICE_ACCOUNT_SECRET_TYPE,
|
|
apiToken,
|
|
domain: normalizedDomain,
|
|
cloudId: validation.cloudId,
|
|
atlassianAccountId: validation.accountId,
|
|
})
|
|
const { encrypted } = await encryptSecret(blob)
|
|
return {
|
|
providerId: ATLASSIAN_SERVICE_ACCOUNT_PROVIDER_ID,
|
|
encryptedServiceAccountKey: encrypted,
|
|
displayName: validation.displayName,
|
|
auditMetadata: {
|
|
atlassianDomain: normalizedDomain,
|
|
atlassianCloudId: validation.cloudId,
|
|
},
|
|
}
|
|
}
|
|
|
|
if (providerId === SLACK_CUSTOM_BOT_PROVIDER_ID) {
|
|
const { signingSecret, botToken } = fields
|
|
if (!signingSecret || !botToken) {
|
|
throw new ServiceAccountSecretError(
|
|
'signingSecret and botToken are required for a custom Slack bot credential'
|
|
)
|
|
}
|
|
// Verify the token and derive the workspace/team identity (never trusted
|
|
// from the client) via auth.test.
|
|
let teamId: string
|
|
let botUserId: string | undefined
|
|
let teamName: string | undefined
|
|
try {
|
|
const auth = await fetchSlackTeamId(botToken)
|
|
teamId = auth.teamId
|
|
botUserId = auth.userId
|
|
teamName = auth.teamName
|
|
} catch (error) {
|
|
throw new ServiceAccountSecretError(
|
|
`Could not verify the Slack bot token: ${getErrorMessage(error)}`
|
|
)
|
|
}
|
|
const blob = JSON.stringify({
|
|
type: SLACK_CUSTOM_BOT_SECRET_TYPE,
|
|
signingSecret,
|
|
botToken,
|
|
teamId,
|
|
botUserId,
|
|
teamName,
|
|
})
|
|
const { encrypted } = await encryptSecret(blob)
|
|
return {
|
|
providerId: SLACK_CUSTOM_BOT_PROVIDER_ID,
|
|
encryptedServiceAccountKey: encrypted,
|
|
displayName: teamName || 'Slack bot',
|
|
auditMetadata: { slackTeamId: teamId },
|
|
botUserId,
|
|
}
|
|
}
|
|
|
|
const { serviceAccountJson } = fields
|
|
if (!serviceAccountJson) {
|
|
throw new ServiceAccountSecretError(
|
|
'serviceAccountJson is required for service account credentials'
|
|
)
|
|
}
|
|
const jsonParseResult = serviceAccountJsonSchema.safeParse(serviceAccountJson)
|
|
if (!jsonParseResult.success) {
|
|
throw new ServiceAccountSecretError(
|
|
getValidationErrorMessage(jsonParseResult.error, 'Invalid service account JSON')
|
|
)
|
|
}
|
|
const { encrypted } = await encryptSecret(serviceAccountJson)
|
|
return {
|
|
providerId: 'google-service-account',
|
|
encryptedServiceAccountKey: encrypted,
|
|
displayName: jsonParseResult.data.client_email,
|
|
auditMetadata: {},
|
|
}
|
|
}
|