mirror of
https://github.com/langgenius/dify.git
synced 2026-05-20 16:57:01 +08:00
cf5ebe9430
Ports service_api/app/{completion,workflow}.py to bearer-authed
/openapi/v1/apps/<app_id>/{info,chat-messages,completion-messages,workflows/run}.
Architecture:
- New controllers/openapi/auth/ package: Pipeline + Step protocol over
one mutable Context. Endpoints attach via @APP_PIPELINE.guard(scope=...)
— single attachment point; forgetting auth is structurally impossible.
- Pipeline order: BearerCheck -> ScopeCheck -> AppResolver -> AppAuthzCheck
-> CallerMount.
- Strategies vary along independent axes: AclStrategy (EE webapp-auth inner
API) vs MembershipStrategy (CE TenantAccountJoin); AccountMounter vs
EndUserMounter dispatched by SubjectType.
- App is in URL path (not header). Each non-GET has typed Pydantic Request;
each non-SSE response has typed Pydantic Response. Bearer-as-identity:
body 'user' field stripped, ignored if present.
Adds InvokeFrom.OPENAPI enum variant. Emits app.run.openapi audit log
on successful invocation via standard logger extra={"audit": True, ...}
convention.
62 lines
1.6 KiB
Python
62 lines
1.6 KiB
Python
from unittest.mock import MagicMock
|
|
|
|
import pytest
|
|
from flask import Flask
|
|
|
|
from controllers.openapi.auth.context import Context
|
|
from controllers.openapi.auth.pipeline import Pipeline
|
|
|
|
|
|
def test_run_invokes_each_step_in_order():
|
|
calls = []
|
|
|
|
class S:
|
|
def __init__(self, tag):
|
|
self.tag = tag
|
|
|
|
def __call__(self, ctx):
|
|
calls.append(self.tag)
|
|
|
|
Pipeline(S("a"), S("b"), S("c")).run(Context(request=MagicMock(), required_scope="x"))
|
|
assert calls == ["a", "b", "c"]
|
|
|
|
|
|
def test_run_short_circuits_on_raise():
|
|
calls = []
|
|
|
|
class Boom:
|
|
def __call__(self, ctx):
|
|
raise RuntimeError("boom")
|
|
|
|
class Tail:
|
|
def __call__(self, ctx):
|
|
calls.append("ran")
|
|
|
|
with pytest.raises(RuntimeError):
|
|
Pipeline(Boom(), Tail()).run(Context(request=MagicMock(), required_scope="x"))
|
|
assert calls == []
|
|
|
|
|
|
def test_guard_decorator_runs_pipeline_and_unpacks_handler_kwargs():
|
|
seen = {}
|
|
|
|
class FakeStep:
|
|
def __call__(self, ctx):
|
|
ctx.app = "APP"
|
|
ctx.caller = "CALLER"
|
|
ctx.caller_kind = "account"
|
|
|
|
pipeline = Pipeline(FakeStep())
|
|
|
|
@pipeline.guard(scope="apps:run")
|
|
def handler(app_model, caller, caller_kind):
|
|
seen["app_model"] = app_model
|
|
seen["caller"] = caller
|
|
seen["caller_kind"] = caller_kind
|
|
return "ok"
|
|
|
|
app = Flask(__name__)
|
|
with app.test_request_context("/x", method="POST"):
|
|
assert handler() == "ok"
|
|
assert seen == {"app_model": "APP", "caller": "CALLER", "caller_kind": "account"}
|