Files
simstudioai--sim/apps/sim/lib/credentials/service-account-secret.ts
T
wehub-resource-sync d25d482dc2
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:20:55 +08:00

143 lines
4.8 KiB
TypeScript

import { getErrorMessage } from '@sim/utils/errors'
import { serviceAccountJsonSchema } from '@/lib/api/contracts/credentials'
import { getValidationErrorMessage } from '@/lib/api/server'
import { encryptSecret } from '@/lib/core/security/encryption'
import {
normalizeAtlassianDomain,
validateAtlassianServiceAccount,
} from '@/lib/credentials/atlassian-service-account'
import {
ATLASSIAN_SERVICE_ACCOUNT_PROVIDER_ID,
ATLASSIAN_SERVICE_ACCOUNT_SECRET_TYPE,
SLACK_CUSTOM_BOT_PROVIDER_ID,
SLACK_CUSTOM_BOT_SECRET_TYPE,
} from '@/lib/oauth/types'
import { fetchSlackTeamId } from '@/lib/webhooks/providers/slack'
/** Provider-specific secret inputs a service-account credential can carry. */
export interface ServiceAccountSecretFields {
signingSecret?: string
botToken?: string
apiToken?: string
domain?: string
serviceAccountJson?: string
}
export interface ServiceAccountSecretResult {
/** Canonical provider id for the resolved secret. */
providerId: string
encryptedServiceAccountKey: string
displayName: string
auditMetadata: Record<string, string>
/** Slack custom bot: the derived bot user id (for reaction self-drop). */
botUserId?: string
}
/** Thrown when a service-account secret is missing or fails provider verification. */
export class ServiceAccountSecretError extends Error {
constructor(message: string) {
super(message)
this.name = 'ServiceAccountSecretError'
}
}
/**
* Verifies a service-account secret against its provider, derives the display
* name, and returns the encrypted blob ready to persist. Shared by credential
* create (POST) and in-place reconnect (PUT) so both paths verify + encrypt
* identically. Throws {@link ServiceAccountSecretError} on missing fields or a
* failed provider verification (callers map it to a 400).
*/
export async function verifyAndBuildServiceAccountSecret(
providerId: string,
fields: ServiceAccountSecretFields
): Promise<ServiceAccountSecretResult> {
if (providerId === ATLASSIAN_SERVICE_ACCOUNT_PROVIDER_ID) {
const { apiToken, domain } = fields
if (!apiToken || !domain) {
throw new ServiceAccountSecretError(
'apiToken and domain are required for Atlassian service account credentials'
)
}
const normalizedDomain = normalizeAtlassianDomain(domain)
const validation = await validateAtlassianServiceAccount(apiToken, normalizedDomain)
const blob = JSON.stringify({
type: ATLASSIAN_SERVICE_ACCOUNT_SECRET_TYPE,
apiToken,
domain: normalizedDomain,
cloudId: validation.cloudId,
atlassianAccountId: validation.accountId,
})
const { encrypted } = await encryptSecret(blob)
return {
providerId: ATLASSIAN_SERVICE_ACCOUNT_PROVIDER_ID,
encryptedServiceAccountKey: encrypted,
displayName: validation.displayName,
auditMetadata: {
atlassianDomain: normalizedDomain,
atlassianCloudId: validation.cloudId,
},
}
}
if (providerId === SLACK_CUSTOM_BOT_PROVIDER_ID) {
const { signingSecret, botToken } = fields
if (!signingSecret || !botToken) {
throw new ServiceAccountSecretError(
'signingSecret and botToken are required for a custom Slack bot credential'
)
}
// Verify the token and derive the workspace/team identity (never trusted
// from the client) via auth.test.
let teamId: string
let botUserId: string | undefined
let teamName: string | undefined
try {
const auth = await fetchSlackTeamId(botToken)
teamId = auth.teamId
botUserId = auth.userId
teamName = auth.teamName
} catch (error) {
throw new ServiceAccountSecretError(
`Could not verify the Slack bot token: ${getErrorMessage(error)}`
)
}
const blob = JSON.stringify({
type: SLACK_CUSTOM_BOT_SECRET_TYPE,
signingSecret,
botToken,
teamId,
botUserId,
teamName,
})
const { encrypted } = await encryptSecret(blob)
return {
providerId: SLACK_CUSTOM_BOT_PROVIDER_ID,
encryptedServiceAccountKey: encrypted,
displayName: teamName || 'Slack bot',
auditMetadata: { slackTeamId: teamId },
botUserId,
}
}
const { serviceAccountJson } = fields
if (!serviceAccountJson) {
throw new ServiceAccountSecretError(
'serviceAccountJson is required for service account credentials'
)
}
const jsonParseResult = serviceAccountJsonSchema.safeParse(serviceAccountJson)
if (!jsonParseResult.success) {
throw new ServiceAccountSecretError(
getValidationErrorMessage(jsonParseResult.error, 'Invalid service account JSON')
)
}
const { encrypted } = await encryptSecret(serviceAccountJson)
return {
providerId: 'google-service-account',
encryptedServiceAccountKey: encrypted,
displayName: jsonParseResult.data.client_email,
auditMetadata: {},
}
}