mirror of
https://github.com/langgenius/dify.git
synced 2026-05-27 12:26:15 +08:00
9b25980b09
Replace the single mutable-context Pipeline with a two-phase, condition-driven system dispatched by token type. New architecture: - TokenType(StrEnum) replaces source: str on AuthContext / TokenKind - AuthPipeline: pure prepare→auth step runner; no guard() - PipelineRoute: binds AuthPipeline to an optional required_edition gate - PipelineRouter: single guard() entry point; runs edition/license/token-type pre-gates then dispatches to the registered pipeline for the token type - Cond / When: composable predicates for conditional step dispatch - AuthData: frozen Pydantic model produced by the prepare phase; carries token_id so endpoints don't need to call get_auth_ctx() for identity fields - Edition enum + current_edition(): CE / EE / SAAS discriminator Two pipelines in composition.py: - account_pipeline — OAUTH_ACCOUNT tokens - external_sso_pipeline — OAUTH_EXTERNAL_SSO tokens (EE enforced at route level) All /openapi/v1 endpoints migrated to auth_router.guard(). Old context.py, steps.py, strategies.py, surface_gate.py deleted. WORKSPACE_READ scope added; cached_verdicts renamed to membership_cache.
63 lines
1.5 KiB
Python
63 lines
1.5 KiB
Python
from __future__ import annotations
|
|
|
|
import uuid
|
|
from enum import StrEnum
|
|
from typing import Literal
|
|
|
|
from pydantic import BaseModel, ConfigDict, Field
|
|
|
|
from configs import dify_config
|
|
from libs.oauth_bearer import Scope, TokenType
|
|
from models.account import Account, Tenant
|
|
from models.model import App, EndUser
|
|
from services.enterprise.enterprise_service import WebAppAccessMode
|
|
|
|
|
|
class Edition(StrEnum):
|
|
CE = "ce"
|
|
EE = "ee"
|
|
SAAS = "saas"
|
|
|
|
|
|
def current_edition() -> Edition:
|
|
if dify_config.EDITION == "CLOUD":
|
|
return Edition.SAAS
|
|
if dify_config.ENTERPRISE_ENABLED:
|
|
return Edition.EE
|
|
return Edition.CE
|
|
|
|
|
|
class ExternalIdentity(BaseModel):
|
|
model_config = ConfigDict(frozen=True)
|
|
|
|
email: str
|
|
issuer: str | None = None
|
|
|
|
|
|
class RequestContext(BaseModel):
|
|
model_config = ConfigDict(frozen=True)
|
|
|
|
token_type: TokenType
|
|
scope: Scope | None = None
|
|
path_params: dict[str, str]
|
|
|
|
|
|
class AuthData(BaseModel):
|
|
model_config = ConfigDict(frozen=True, arbitrary_types_allowed=True)
|
|
|
|
required_scope: Scope | None = None
|
|
token_type: TokenType
|
|
account_id: uuid.UUID | None = None
|
|
token_hash: str
|
|
token_id: uuid.UUID | None = None
|
|
scopes: frozenset[Scope]
|
|
tenants: dict[str, bool] = Field(default_factory=dict)
|
|
external_identity: ExternalIdentity | None = None
|
|
|
|
app: App | None = None
|
|
tenant: Tenant | None = None
|
|
app_access_mode: WebAppAccessMode | None = None
|
|
|
|
caller: Account | EndUser | None = None
|
|
caller_kind: Literal["account", "end_user"] | None = None
|