OpenSource
/
dify
Segui 4
Vota 0
Forka 0
Codice Problemi 0 Pull Requests 0 Rilasci 152 Wiki Attività
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7393 Commit
4 Rami (Branch)
Albero (Tree): cd47a47c3b
Rami (Branch) Tag
${ item.name }
Crea branch ${ searchTerm }
da 'cd47a47c3b'
${ noResults }
dify/api/services/datasource_provider_service.py

datasource_provider_service.py 42KB
Originale Normal View Cronologia

feat: knowledge pipeline (#25360) Signed-off-by: -LAN- <laipz8200@outlook.com> Co-authored-by: twwu <twwu@dify.ai> Co-authored-by: crazywoola <100913391+crazywoola@users.noreply.github.com> Co-authored-by: jyong <718720800@qq.com> Co-authored-by: Wu Tianwei <30284043+WTW0313@users.noreply.github.com> Co-authored-by: QuantumGhost <obelisk.reg+git@gmail.com> Co-authored-by: lyzno1 <yuanyouhuilyz@gmail.com> Co-authored-by: quicksand <quicksandzn@gmail.com> Co-authored-by: Jyong <76649700+JohnJyong@users.noreply.github.com> Co-authored-by: lyzno1 <92089059+lyzno1@users.noreply.github.com> Co-authored-by: zxhlyh <jasonapring2015@outlook.com> Co-authored-by: Yongtao Huang <yongtaoh2022@gmail.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Joel <iamjoel007@gmail.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: nite-knite <nkCoding@gmail.com> Co-authored-by: Hanqing Zhao <sherry9277@gmail.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Co-authored-by: Harry <xh001x@hotmail.com>
1 mese fa
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975 
  1. import logging

  2. import time

  3. from collections.abc import Mapping

  4. from typing import Any

  5. 

  6. from flask_login import current_user

  7. from sqlalchemy.orm import Session

  8. 

  9. from configs import dify_config

  10. from constants import HIDDEN_VALUE, UNKNOWN_VALUE

  11. from core.helper import encrypter

  12. from core.helper.name_generator import generate_incremental_name

  13. from core.helper.provider_cache import NoOpProviderCredentialCache

  14. from core.model_runtime.entities.provider_entities import FormType

  15. from core.plugin.impl.datasource import PluginDatasourceManager

  16. from core.plugin.impl.oauth import OAuthHandler

  17. from core.tools.entities.tool_entities import CredentialType

  18. from core.tools.utils.encryption import ProviderConfigCache, ProviderConfigEncrypter, create_provider_encrypter

  19. from extensions.ext_database import db

  20. from extensions.ext_redis import redis_client

  21. from models.oauth import DatasourceOauthParamConfig, DatasourceOauthTenantParamConfig, DatasourceProvider

  22. from models.provider_ids import DatasourceProviderID

  23. from services.plugin.plugin_service import PluginService

  24. 

  25. logger = logging.getLogger(__name__)

  26. 

  27. 

  28. class DatasourceProviderService:

  29.     """

  30.     Model Provider Service

  31.     """

  32. 

  33.     def __init__(self) -> None:

  34.         self.provider_manager = PluginDatasourceManager()

  35. 

  36.     def remove_oauth_custom_client_params(self, tenant_id: str, datasource_provider_id: DatasourceProviderID):

  37.         """

  38.         remove oauth custom client params

  39.         """

  40.         with Session(db.engine) as session:

  41.             session.query(DatasourceOauthTenantParamConfig).filter_by(

  42.                 tenant_id=tenant_id,

  43.                 provider=datasource_provider_id.provider_name,

  44.                 plugin_id=datasource_provider_id.plugin_id,

  45.             ).delete()

  46.             session.commit()

  47. 

  48.     def decrypt_datasource_provider_credentials(

  49.         self,

  50.         tenant_id: str,

  51.         datasource_provider: DatasourceProvider,

  52.         plugin_id: str,

  53.         provider: str,

  54.     ) -> dict[str, Any]:

  55.         encrypted_credentials = datasource_provider.encrypted_credentials

  56.         credential_secret_variables = self.extract_secret_variables(

  57.             tenant_id=tenant_id,

  58.             provider_id=f"{plugin_id}/{provider}",

  59.             credential_type=CredentialType.of(datasource_provider.auth_type),

  60.         )

  61.         decrypted_credentials = encrypted_credentials.copy()

  62.         for key, value in decrypted_credentials.items():

  63.             if key in credential_secret_variables:

  64.                 decrypted_credentials[key] = encrypter.decrypt_token(tenant_id, value)

  65.         return decrypted_credentials

  66. 

  67.     def encrypt_datasource_provider_credentials(

  68.         self,

  69.         tenant_id: str,

  70.         provider: str,

  71.         plugin_id: str,

  72.         raw_credentials: Mapping[str, Any],

  73.         datasource_provider: DatasourceProvider,

  74.     ) -> dict[str, Any]:

  75.         provider_credential_secret_variables = self.extract_secret_variables(

  76.             tenant_id=tenant_id,

  77.             provider_id=f"{plugin_id}/{provider}",

  78.             credential_type=CredentialType.of(datasource_provider.auth_type),

  79.         )

  80.         encrypted_credentials = dict(raw_credentials)

  81.         for key, value in encrypted_credentials.items():

  82.             if key in provider_credential_secret_variables:

  83.                 encrypted_credentials[key] = encrypter.encrypt_token(tenant_id, value)

  84.         return encrypted_credentials

  85. 

  86.     def get_datasource_credentials(

  87.         self,

  88.         tenant_id: str,

  89.         provider: str,

  90.         plugin_id: str,

  91.         credential_id: str | None = None,

  92.     ) -> dict[str, Any]:

  93.         """

  94.         get credential by id

  95.         """

  96.         with Session(db.engine) as session:

  97.             if credential_id:

  98.                 datasource_provider = (

  99.                     session.query(DatasourceProvider).filter_by(tenant_id=tenant_id, id=credential_id).first()

  100.                 )

  101.             else:

  102.                 datasource_provider = (

  103.                     session.query(DatasourceProvider)

  104.                     .filter_by(tenant_id=tenant_id, provider=provider, plugin_id=plugin_id)

  105.                     .order_by(DatasourceProvider.is_default.desc(), DatasourceProvider.created_at.asc())

  106.                     .first()

  107.                 )

  108.             if not datasource_provider:

  109.                 return {}

  110.             # refresh the credentials

  111.             if datasource_provider.expires_at != -1 and (datasource_provider.expires_at - 60) < int(time.time()):

  112.                 decrypted_credentials = self.decrypt_datasource_provider_credentials(

  113.                     tenant_id=tenant_id,

  114.                     datasource_provider=datasource_provider,

  115.                     plugin_id=plugin_id,

  116.                     provider=provider,

  117.                 )

  118.                 datasource_provider_id = DatasourceProviderID(f"{plugin_id}/{provider}")

  119.                 provider_name = datasource_provider_id.provider_name

  120.                 redirect_uri = (

  121.                     f"{dify_config.CONSOLE_API_URL}/console/api/oauth/plugin/"

  122.                     f"{datasource_provider_id}/datasource/callback"

  123.                 )

  124.                 system_credentials = self.get_oauth_client(tenant_id, datasource_provider_id)

  125.                 refreshed_credentials = OAuthHandler().refresh_credentials(

  126.                     tenant_id=tenant_id,

  127.                     user_id=current_user.id,

  128.                     plugin_id=datasource_provider_id.plugin_id,

  129.                     provider=provider_name,

  130.                     redirect_uri=redirect_uri,

  131.                     system_credentials=system_credentials or {},

  132.                     credentials=decrypted_credentials,

  133.                 )

  134.                 datasource_provider.encrypted_credentials = self.encrypt_datasource_provider_credentials(

  135.                     tenant_id=tenant_id,

  136.                     raw_credentials=refreshed_credentials.credentials,

  137.                     provider=provider,

  138.                     plugin_id=plugin_id,

  139.                     datasource_provider=datasource_provider,

  140.                 )

  141.                 datasource_provider.expires_at = refreshed_credentials.expires_at

  142.                 session.commit()

  143. 

  144.             return self.decrypt_datasource_provider_credentials(

  145.                 tenant_id=tenant_id,

  146.                 datasource_provider=datasource_provider,

  147.                 plugin_id=plugin_id,

  148.                 provider=provider,

  149.             )

  150. 

  151.     def get_all_datasource_credentials_by_provider(

  152.         self,

  153.         tenant_id: str,

  154.         provider: str,

  155.         plugin_id: str,

  156.     ) -> list[dict[str, Any]]:

  157.         """

  158.         get all datasource credentials by provider

  159.         """

  160.         with Session(db.engine) as session:

  161.             datasource_providers = (

  162.                 session.query(DatasourceProvider)

  163.                 .filter_by(tenant_id=tenant_id, provider=provider, plugin_id=plugin_id)

  164.                 .order_by(DatasourceProvider.is_default.desc(), DatasourceProvider.created_at.asc())

  165.                 .all()

  166.             )

  167.             if not datasource_providers:

  168.                 return []

  169.             # refresh the credentials

  170.             real_credentials_list = []

  171.             for datasource_provider in datasource_providers:

  172.                 decrypted_credentials = self.decrypt_datasource_provider_credentials(

  173.                     tenant_id=tenant_id,

  174.                     datasource_provider=datasource_provider,

  175.                     plugin_id=plugin_id,

  176.                     provider=provider,

  177.                 )

  178.                 datasource_provider_id = DatasourceProviderID(f"{plugin_id}/{provider}")

  179.                 provider_name = datasource_provider_id.provider_name

  180.                 redirect_uri = (

  181.                     f"{dify_config.CONSOLE_API_URL}/console/api/oauth/plugin/"

  182.                     f"{datasource_provider_id}/datasource/callback"

  183.                 )

  184.                 system_credentials = self.get_oauth_client(tenant_id, datasource_provider_id)

  185.                 refreshed_credentials = OAuthHandler().refresh_credentials(

  186.                     tenant_id=tenant_id,

  187.                     user_id=current_user.id,

  188.                     plugin_id=datasource_provider_id.plugin_id,

  189.                     provider=provider_name,

  190.                     redirect_uri=redirect_uri,

  191.                     system_credentials=system_credentials or {},

  192.                     credentials=decrypted_credentials,

  193.                 )

  194.                 datasource_provider.encrypted_credentials = self.encrypt_datasource_provider_credentials(

  195.                     tenant_id=tenant_id,

  196.                     raw_credentials=refreshed_credentials.credentials,

  197.                     provider=provider,

  198.                     plugin_id=plugin_id,

  199.                     datasource_provider=datasource_provider,

  200.                 )

  201.                 datasource_provider.expires_at = refreshed_credentials.expires_at

  202.                 real_credentials = self.decrypt_datasource_provider_credentials(

  203.                     tenant_id=tenant_id,

  204.                     datasource_provider=datasource_provider,

  205.                     plugin_id=plugin_id,

  206.                     provider=provider,

  207.                 )

  208.                 real_credentials_list.append(real_credentials)

  209.             session.commit()

  210. 

  211.             return real_credentials_list

  212. 

  213.     def update_datasource_provider_name(

  214.         self, tenant_id: str, datasource_provider_id: DatasourceProviderID, name: str, credential_id: str

  215.     ):

  216.         """

  217.         update datasource provider name

  218.         """

  219.         with Session(db.engine) as session:

  220.             target_provider = (

  221.                 session.query(DatasourceProvider)

  222.                 .filter_by(

  223.                     tenant_id=tenant_id,

  224.                     id=credential_id,

  225.                     provider=datasource_provider_id.provider_name,

  226.                     plugin_id=datasource_provider_id.plugin_id,

  227.                 )

  228.                 .first()

  229.             )

  230.             if target_provider is None:

  231.                 raise ValueError("provider not found")

  232. 

  233.             if target_provider.name == name:

  234.                 return

  235. 

  236.             # check name is exist

  237.             if (

  238.                 session.query(DatasourceProvider)

  239.                 .filter_by(

  240.                     tenant_id=tenant_id,

  241.                     name=name,

  242.                     provider=datasource_provider_id.provider_name,

  243.                     plugin_id=datasource_provider_id.plugin_id,

  244.                 )

  245.                 .count()

  246.                 > 0

  247.             ):

  248.                 raise ValueError("Authorization name is already exists")

  249. 

  250.             target_provider.name = name

  251.             session.commit()

  252.         return

  253. 

  254.     def set_default_datasource_provider(

  255.         self, tenant_id: str, datasource_provider_id: DatasourceProviderID, credential_id: str

  256.     ):

  257.         """

  258.         set default datasource provider

  259.         """

  260.         with Session(db.engine) as session:

  261.             # get provider

  262.             target_provider = (

  263.                 session.query(DatasourceProvider)

  264.                 .filter_by(

  265.                     tenant_id=tenant_id,

  266.                     id=credential_id,

  267.                     provider=datasource_provider_id.provider_name,

  268.                     plugin_id=datasource_provider_id.plugin_id,

  269.                 )

  270.                 .first()

  271.             )

  272.             if target_provider is None:

  273.                 raise ValueError("provider not found")

  274. 

  275.             # clear default provider

  276.             session.query(DatasourceProvider).filter_by(

  277.                 tenant_id=tenant_id,

  278.                 provider=target_provider.provider,

  279.                 plugin_id=target_provider.plugin_id,

  280.                 is_default=True,

  281.             ).update({"is_default": False})

  282. 

  283.             # set new default provider

  284.             target_provider.is_default = True

  285.             session.commit()

  286.         return {"result": "success"}

  287. 

  288.     def setup_oauth_custom_client_params(

  289.         self,

  290.         tenant_id: str,

  291.         datasource_provider_id: DatasourceProviderID,

  292.         client_params: dict | None,

  293.         enabled: bool | None,

  294.     ):

  295.         """

  296.         setup oauth custom client params

  297.         """

  298.         if client_params is None and enabled is None:

  299.             return

  300.         with Session(db.engine) as session:

  301.             tenant_oauth_client_params = (

  302.                 session.query(DatasourceOauthTenantParamConfig)

  303.                 .filter_by(

  304.                     tenant_id=tenant_id,

  305.                     provider=datasource_provider_id.provider_name,

  306.                     plugin_id=datasource_provider_id.plugin_id,

  307.                 )

  308.                 .first()

  309.             )

  310. 

  311.             if not tenant_oauth_client_params:

  312.                 tenant_oauth_client_params = DatasourceOauthTenantParamConfig(

  313.                     tenant_id=tenant_id,

  314.                     provider=datasource_provider_id.provider_name,

  315.                     plugin_id=datasource_provider_id.plugin_id,

  316.                     client_params={},

  317.                     enabled=False,

  318.                 )

  319.                 session.add(tenant_oauth_client_params)

  320. 

  321.             if client_params is not None:

  322.                 encrypter, _ = self.get_oauth_encrypter(tenant_id, datasource_provider_id)

  323.                 original_params = (

  324.                     encrypter.decrypt(tenant_oauth_client_params.client_params) if tenant_oauth_client_params else {}

  325.                 )

  326.                 new_params: dict = {

  327.                     key: value if value != HIDDEN_VALUE else original_params.get(key, UNKNOWN_VALUE)

  328.                     for key, value in client_params.items()

  329.                 }

  330.                 tenant_oauth_client_params.client_params = encrypter.encrypt(new_params)

  331. 

  332.             if enabled is not None:

  333.                 tenant_oauth_client_params.enabled = enabled

  334.             session.commit()

  335. 

  336.     def is_system_oauth_params_exist(self, datasource_provider_id: DatasourceProviderID) -> bool:

  337.         """

  338.         check if system oauth params exist

  339.         """

  340.         with Session(db.engine).no_autoflush as session:

  341.             return (

  342.                 session.query(DatasourceOauthParamConfig)

  343.                 .filter_by(provider=datasource_provider_id.provider_name, plugin_id=datasource_provider_id.plugin_id)

  344.                 .first()

  345.                 is not None

  346.             )

  347. 

  348.     def is_tenant_oauth_params_enabled(self, tenant_id: str, datasource_provider_id: DatasourceProviderID) -> bool:

  349.         """

  350.         check if tenant oauth params is enabled

  351.         """

  352.         return (

  353.             db.session.query(DatasourceOauthTenantParamConfig)

  354.             .filter_by(

  355.                 tenant_id=tenant_id,

  356.                 provider=datasource_provider_id.provider_name,

  357.                 plugin_id=datasource_provider_id.plugin_id,

  358.                 enabled=True,

  359.             )

  360.             .count()

  361.             > 0

  362.         )

  363. 

  364.     def get_tenant_oauth_client(

  365.         self, tenant_id: str, datasource_provider_id: DatasourceProviderID, mask: bool = False

  366.     ) -> dict[str, Any] | None:

  367.         """

  368.         get tenant oauth client

  369.         """

  370.         tenant_oauth_client_params = (

  371.             db.session.query(DatasourceOauthTenantParamConfig)

  372.             .filter_by(

  373.                 tenant_id=tenant_id,

  374.                 provider=datasource_provider_id.provider_name,

  375.                 plugin_id=datasource_provider_id.plugin_id,

  376.             )

  377.             .first()

  378.         )

  379.         if tenant_oauth_client_params:

  380.             encrypter, _ = self.get_oauth_encrypter(tenant_id, datasource_provider_id)

  381.             if mask:

  382.                 return encrypter.mask_tool_credentials(encrypter.decrypt(tenant_oauth_client_params.client_params))

  383.             else:

  384.                 return encrypter.decrypt(tenant_oauth_client_params.client_params)

  385.         return None

  386. 

  387.     def get_oauth_encrypter(

  388.         self, tenant_id: str, datasource_provider_id: DatasourceProviderID

  389.     ) -> tuple[ProviderConfigEncrypter, ProviderConfigCache]:

  390.         """

  391.         get oauth encrypter

  392.         """

  393.         datasource_provider = self.provider_manager.fetch_datasource_provider(

  394.             tenant_id=tenant_id, provider_id=str(datasource_provider_id)

  395.         )

  396.         if not datasource_provider.declaration.oauth_schema:

  397.             raise ValueError("Datasource provider oauth schema not found")

  398. 

  399.         client_schema = datasource_provider.declaration.oauth_schema.client_schema

  400.         return create_provider_encrypter(

  401.             tenant_id=tenant_id,

  402.             config=[x.to_basic_provider_config() for x in client_schema],

  403.             cache=NoOpProviderCredentialCache(),

  404.         )

  405. 

  406.     def get_oauth_client(self, tenant_id: str, datasource_provider_id: DatasourceProviderID) -> dict[str, Any] | None:

  407.         """

  408.         get oauth client

  409.         """

  410.         provider = datasource_provider_id.provider_name

  411.         plugin_id = datasource_provider_id.plugin_id

  412.         with Session(db.engine).no_autoflush as session:

  413.             # get tenant oauth client params

  414.             tenant_oauth_client_params = (

  415.                 session.query(DatasourceOauthTenantParamConfig)

  416.                 .filter_by(

  417.                     tenant_id=tenant_id,

  418.                     provider=provider,

  419.                     plugin_id=plugin_id,

  420.                     enabled=True,

  421.                 )

  422.                 .first()

  423.             )

  424.             if tenant_oauth_client_params:

  425.                 encrypter, _ = self.get_oauth_encrypter(tenant_id, datasource_provider_id)

  426.                 return encrypter.decrypt(tenant_oauth_client_params.client_params)

  427. 

  428.             provider_controller = self.provider_manager.fetch_datasource_provider(

  429.                 tenant_id=tenant_id, provider_id=str(datasource_provider_id)

  430.             )

  431.             is_verified = PluginService.is_plugin_verified(tenant_id, provider_controller.plugin_unique_identifier)

  432.             if is_verified:

  433.                 # fallback to system oauth client params

  434.                 oauth_client_params = (

  435.                     session.query(DatasourceOauthParamConfig).filter_by(provider=provider, plugin_id=plugin_id).first()

  436.                 )

  437.                 if oauth_client_params:

  438.                     return oauth_client_params.system_credentials

  439. 

  440.             raise ValueError(f"Please configure oauth client params(system/tenant) for {plugin_id}/{provider}")

  441. 

  442.     @staticmethod

  443.     def generate_next_datasource_provider_name(

  444.         session: Session, tenant_id: str, provider_id: DatasourceProviderID, credential_type: CredentialType

  445.     ) -> str:

  446.         db_providers = (

  447.             session.query(DatasourceProvider)

  448.             .filter_by(

  449.                 tenant_id=tenant_id,

  450.                 provider=provider_id.provider_name,

  451.                 plugin_id=provider_id.plugin_id,

  452.             )

  453.             .all()

  454.         )

  455.         return generate_incremental_name(

  456.             [provider.name for provider in db_providers],

  457.             f"{credential_type.get_name()}",

  458.         )

  459. 

  460.     def reauthorize_datasource_oauth_provider(

  461.         self,

  462.         name: str | None,

  463.         tenant_id: str,

  464.         provider_id: DatasourceProviderID,

  465.         avatar_url: str | None,

  466.         expire_at: int,

  467.         credentials: dict,

  468.         credential_id: str,

  469.     ) -> None:

  470.         """

  471.         update datasource oauth provider

  472.         """

  473.         with Session(db.engine) as session:

  474.             lock = f"datasource_provider_create_lock:{tenant_id}_{provider_id}_{CredentialType.OAUTH2.value}"

  475.             with redis_client.lock(lock, timeout=20):

  476.                 target_provider = (

  477.                     session.query(DatasourceProvider).filter_by(id=credential_id, tenant_id=tenant_id).first()

  478.                 )

  479.                 if target_provider is None:

  480.                     raise ValueError("provider not found")

  481. 

  482.                 db_provider_name = name

  483.                 if not db_provider_name:

  484.                     db_provider_name = target_provider.name

  485.                 else:

  486.                     name_conflict = (

  487.                         session.query(DatasourceProvider)

  488.                         .filter_by(

  489.                             tenant_id=tenant_id,

  490.                             name=db_provider_name,

  491.                             provider=provider_id.provider_name,

  492.                             plugin_id=provider_id.plugin_id,

  493.                             auth_type=CredentialType.OAUTH2.value,

  494.                         )

  495.                         .count()

  496.                     )

  497.                     if name_conflict > 0:

  498.                         db_provider_name = generate_incremental_name(

  499.                             [

  500.                                 provider.name

  501.                                 for provider in session.query(DatasourceProvider).filter_by(

  502.                                     tenant_id=tenant_id,

  503.                                     provider=provider_id.provider_name,

  504.                                     plugin_id=provider_id.plugin_id,

  505.                                 )

  506.                             ],

  507.                             db_provider_name,

  508.                         )

  509. 

  510.                 provider_credential_secret_variables = self.extract_secret_variables(

  511.                     tenant_id=tenant_id, provider_id=f"{provider_id}", credential_type=CredentialType.OAUTH2

  512.                 )

  513.                 for key, value in credentials.items():

  514.                     if key in provider_credential_secret_variables:

  515.                         credentials[key] = encrypter.encrypt_token(tenant_id, value)

  516. 

  517.                 target_provider.expires_at = expire_at

  518.                 target_provider.encrypted_credentials = credentials

  519.                 target_provider.avatar_url = avatar_url or target_provider.avatar_url

  520.                 session.commit()

  521. 

  522.     def add_datasource_oauth_provider(

  523.         self,

  524.         name: str | None,

  525.         tenant_id: str,

  526.         provider_id: DatasourceProviderID,

  527.         avatar_url: str | None,

  528.         expire_at: int,

  529.         credentials: dict,

  530.     ) -> None:

  531.         """

  532.         add datasource oauth provider

  533.         """

  534.         credential_type = CredentialType.OAUTH2

  535.         with Session(db.engine) as session:

  536.             lock = f"datasource_provider_create_lock:{tenant_id}_{provider_id}_{credential_type.value}"

  537.             with redis_client.lock(lock, timeout=60):

  538.                 db_provider_name = name

  539.                 if not db_provider_name:

  540.                     db_provider_name = self.generate_next_datasource_provider_name(

  541.                         session=session,

  542.                         tenant_id=tenant_id,

  543.                         provider_id=provider_id,

  544.                         credential_type=credential_type,

  545.                     )

  546.                 else:

  547.                     if (

  548.                         session.query(DatasourceProvider)

  549.                         .filter_by(

  550.                             tenant_id=tenant_id,

  551.                             name=db_provider_name,

  552.                             provider=provider_id.provider_name,

  553.                             plugin_id=provider_id.plugin_id,

  554.                             auth_type=credential_type.value,

  555.                         )

  556.                         .count()

  557.                         > 0

  558.                     ):

  559.                         db_provider_name = generate_incremental_name(

  560.                             [

  561.                                 provider.name

  562.                                 for provider in session.query(DatasourceProvider).filter_by(

  563.                                     tenant_id=tenant_id,

  564.                                     provider=provider_id.provider_name,

  565.                                     plugin_id=provider_id.plugin_id,

  566.                                 )

  567.                             ],

  568.                             db_provider_name,

  569.                         )

  570. 

  571.                 provider_credential_secret_variables = self.extract_secret_variables(

  572.                     tenant_id=tenant_id, provider_id=f"{provider_id}", credential_type=credential_type

  573.                 )

  574.                 for key, value in credentials.items():

  575.                     if key in provider_credential_secret_variables:

  576.                         credentials[key] = encrypter.encrypt_token(tenant_id, value)

  577. 

  578.                 datasource_provider = DatasourceProvider(

  579.                     tenant_id=tenant_id,

  580.                     name=db_provider_name,

  581.                     provider=provider_id.provider_name,

  582.                     plugin_id=provider_id.plugin_id,

  583.                     auth_type=credential_type.value,

  584.                     encrypted_credentials=credentials,

  585.                     avatar_url=avatar_url or "default",

  586.                     expires_at=expire_at,

  587.                 )

  588.                 session.add(datasource_provider)

  589.                 session.commit()

  590. 

  591.     def add_datasource_api_key_provider(

  592.         self,

  593.         name: str | None,

  594.         tenant_id: str,

  595.         provider_id: DatasourceProviderID,

  596.         credentials: dict,

  597.     ) -> None:

  598.         """

  599.         validate datasource provider credentials.

  600. 

  601.         :param tenant_id:

  602.         :param provider:

  603.         :param credentials:

  604.         """

  605.         provider_name = provider_id.provider_name

  606.         plugin_id = provider_id.plugin_id

  607.         with Session(db.engine) as session:

  608.             lock = f"datasource_provider_create_lock:{tenant_id}_{provider_id}_{CredentialType.API_KEY}"

  609.             with redis_client.lock(lock, timeout=20):

  610.                 db_provider_name = name or self.generate_next_datasource_provider_name(

  611.                     session=session,

  612.                     tenant_id=tenant_id,

  613.                     provider_id=provider_id,

  614.                     credential_type=CredentialType.API_KEY,

  615.                 )

  616. 

  617.                 # check name is exist

  618.                 if (

  619.                     session.query(DatasourceProvider)

  620.                     .filter_by(tenant_id=tenant_id, plugin_id=plugin_id, provider=provider_name, name=db_provider_name)

  621.                     .count()

  622.                     > 0

  623.                 ):

  624.                     raise ValueError("Authorization name is already exists")

  625. 

  626.                 try:

  627.                     self.provider_manager.validate_provider_credentials(

  628.                         tenant_id=tenant_id,

  629.                         user_id=current_user.id,

  630.                         provider=provider_name,

  631.                         plugin_id=plugin_id,

  632.                         credentials=credentials,

  633.                     )

  634.                 except Exception as e:

  635.                     raise ValueError(f"Failed to validate credentials: {str(e)}")

  636. 

  637.                 provider_credential_secret_variables = self.extract_secret_variables(

  638.                     tenant_id=tenant_id, provider_id=f"{provider_id}", credential_type=CredentialType.API_KEY

  639.                 )

  640.                 for key, value in credentials.items():

  641.                     if key in provider_credential_secret_variables:

  642.                         # if send [__HIDDEN__] in secret input, it will be same as original value

  643.                         credentials[key] = encrypter.encrypt_token(tenant_id, value)

  644.                 datasource_provider = DatasourceProvider(

  645.                     tenant_id=tenant_id,

  646.                     name=db_provider_name,

  647.                     provider=provider_name,

  648.                     plugin_id=plugin_id,

  649.                     auth_type=CredentialType.API_KEY.value,

  650.                     encrypted_credentials=credentials,

  651.                 )

  652.                 session.add(datasource_provider)

  653.                 session.commit()

  654. 

  655.     def extract_secret_variables(self, tenant_id: str, provider_id: str, credential_type: CredentialType) -> list[str]:

  656.         """

  657.         Extract secret input form variables.

  658. 

  659.         :param credential_form_schemas:

  660.         :return:

  661.         """

  662.         datasource_provider = self.provider_manager.fetch_datasource_provider(

  663.             tenant_id=tenant_id, provider_id=provider_id

  664.         )

  665.         credential_form_schemas = []

  666.         if credential_type == CredentialType.API_KEY:

  667.             credential_form_schemas = list(datasource_provider.declaration.credentials_schema)

  668.         elif credential_type == CredentialType.OAUTH2:

  669.             if not datasource_provider.declaration.oauth_schema:

  670.                 raise ValueError("Datasource provider oauth schema not found")

  671.             credential_form_schemas = list(datasource_provider.declaration.oauth_schema.credentials_schema)

  672.         else:

  673.             raise ValueError(f"Invalid credential type: {credential_type}")

  674. 

  675.         secret_input_form_variables = []

  676.         for credential_form_schema in credential_form_schemas:

  677.             if credential_form_schema.type.value == FormType.SECRET_INPUT.value:

  678.                 secret_input_form_variables.append(credential_form_schema.name)

  679. 

  680.         return secret_input_form_variables

  681. 

  682.     def list_datasource_credentials(self, tenant_id: str, provider: str, plugin_id: str) -> list[dict]:

  683.         """

  684.         list datasource credentials with obfuscated sensitive fields.

  685. 

  686.         :param tenant_id: workspace id

  687.         :param provider_id: provider id

  688.         :return:

  689.         """

  690.         # Get all provider configurations of the current workspace

  691.         datasource_providers: list[DatasourceProvider] = (

  692.             db.session.query(DatasourceProvider)

  693.             .where(

  694.                 DatasourceProvider.tenant_id == tenant_id,

  695.                 DatasourceProvider.provider == provider,

  696.                 DatasourceProvider.plugin_id == plugin_id,

  697.             )

  698.             .all()

  699.         )

  700.         if not datasource_providers:

  701.             return []

  702.         copy_credentials_list = []

  703.         default_provider = (

  704.             db.session.query(DatasourceProvider.id)

  705.             .filter_by(tenant_id=tenant_id, provider=provider, plugin_id=plugin_id)

  706.             .order_by(DatasourceProvider.is_default.desc(), DatasourceProvider.created_at.asc())

  707.             .first()

  708.         )

  709.         default_provider_id = default_provider.id if default_provider else None

  710.         for datasource_provider in datasource_providers:

  711.             encrypted_credentials = datasource_provider.encrypted_credentials

  712.             # Get provider credential secret variables

  713.             credential_secret_variables = self.extract_secret_variables(

  714.                 tenant_id=tenant_id,

  715.                 provider_id=f"{plugin_id}/{provider}",

  716.                 credential_type=CredentialType.of(datasource_provider.auth_type),

  717.             )

  718. 

  719.             # Obfuscate provider credentials

  720.             copy_credentials = encrypted_credentials.copy()

  721.             for key, value in copy_credentials.items():

  722.                 if key in credential_secret_variables:

  723.                     copy_credentials[key] = encrypter.obfuscated_token(value)

  724.             copy_credentials_list.append(

  725.                 {

  726.                     "credential": copy_credentials,

  727.                     "type": datasource_provider.auth_type,

  728.                     "name": datasource_provider.name,

  729.                     "avatar_url": datasource_provider.avatar_url,

  730.                     "id": datasource_provider.id,

  731.                     "is_default": default_provider_id and datasource_provider.id == default_provider_id,

  732.                 }

  733.             )

  734. 

  735.         return copy_credentials_list

  736. 

  737.     def get_all_datasource_credentials(self, tenant_id: str) -> list[dict]:

  738.         """

  739.         get datasource credentials.

  740. 

  741.         :return:

  742.         """

  743.         # get all plugin providers

  744.         manager = PluginDatasourceManager()

  745.         datasources = manager.fetch_installed_datasource_providers(tenant_id)

  746.         datasource_credentials = []

  747.         for datasource in datasources:

  748.             datasource_provider_id = DatasourceProviderID(f"{datasource.plugin_id}/{datasource.provider}")

  749.             credentials = self.list_datasource_credentials(

  750.                 tenant_id=tenant_id, provider=datasource.provider, plugin_id=datasource.plugin_id

  751.             )

  752.             redirect_uri = (

  753.                 f"{dify_config.CONSOLE_API_URL}/console/api/oauth/plugin/{datasource_provider_id}/datasource/callback"

  754.             )

  755.             datasource_credentials.append(

  756.                 {

  757.                     "provider": datasource.provider,

  758.                     "plugin_id": datasource.plugin_id,

  759.                     "plugin_unique_identifier": datasource.plugin_unique_identifier,

  760.                     "icon": datasource.declaration.identity.icon,

  761.                     "name": datasource.declaration.identity.name.split("/")[-1],

  762.                     "label": datasource.declaration.identity.label.model_dump(),

  763.                     "description": datasource.declaration.identity.description.model_dump(),

  764.                     "author": datasource.declaration.identity.author,

  765.                     "credentials_list": credentials,

  766.                     "credential_schema": [

  767.                         credential.model_dump() for credential in datasource.declaration.credentials_schema

  768.                     ],

  769.                     "oauth_schema": {

  770.                         "client_schema": [

  771.                             client_schema.model_dump()

  772.                             for client_schema in datasource.declaration.oauth_schema.client_schema

  773.                         ],

  774.                         "credentials_schema": [

  775.                             credential_schema.model_dump()

  776.                             for credential_schema in datasource.declaration.oauth_schema.credentials_schema

  777.                         ],

  778.                         "oauth_custom_client_params": self.get_tenant_oauth_client(

  779.                             tenant_id, datasource_provider_id, mask=True

  780.                         ),

  781.                         "is_oauth_custom_client_enabled": self.is_tenant_oauth_params_enabled(

  782.                             tenant_id, datasource_provider_id

  783.                         ),

  784.                         "is_system_oauth_params_exists": self.is_system_oauth_params_exist(datasource_provider_id),

  785.                         "redirect_uri": redirect_uri,

  786.                     }

  787.                     if datasource.declaration.oauth_schema

  788.                     else None,

  789.                 }

  790.             )

  791.         return datasource_credentials

  792. 

  793.     def get_hard_code_datasource_credentials(self, tenant_id: str) -> list[dict]:

  794.         """

  795.         get hard code datasource credentials.

  796. 

  797.         :return:

  798.         """

  799.         # get all plugin providers

  800.         manager = PluginDatasourceManager()

  801.         datasources = manager.fetch_installed_datasource_providers(tenant_id)

  802.         datasource_credentials = []

  803.         for datasource in datasources:

  804.             if datasource.plugin_id in [

  805.                 "langgenius/firecrawl_datasource",

  806.                 "langgenius/notion_datasource",

  807.                 "langgenius/jina_datasource",

  808.             ]:

  809.                 datasource_provider_id = DatasourceProviderID(f"{datasource.plugin_id}/{datasource.provider}")

  810.                 credentials = self.list_datasource_credentials(

  811.                     tenant_id=tenant_id, provider=datasource.provider, plugin_id=datasource.plugin_id

  812.                 )

  813.                 redirect_uri = "{}/console/api/oauth/plugin/{}/datasource/callback".format(

  814.                     dify_config.CONSOLE_API_URL, datasource_provider_id

  815.                 )

  816.                 datasource_credentials.append(

  817.                     {

  818.                         "provider": datasource.provider,

  819.                         "plugin_id": datasource.plugin_id,

  820.                         "plugin_unique_identifier": datasource.plugin_unique_identifier,

  821.                         "icon": datasource.declaration.identity.icon,

  822.                         "name": datasource.declaration.identity.name.split("/")[-1],

  823.                         "label": datasource.declaration.identity.label.model_dump(),

  824.                         "description": datasource.declaration.identity.description.model_dump(),

  825.                         "author": datasource.declaration.identity.author,

  826.                         "credentials_list": credentials,

  827.                         "credential_schema": [

  828.                             credential.model_dump() for credential in datasource.declaration.credentials_schema

  829.                         ],

  830.                         "oauth_schema": {

  831.                             "client_schema": [

  832.                                 client_schema.model_dump()

  833.                                 for client_schema in datasource.declaration.oauth_schema.client_schema

  834.                             ],

  835.                             "credentials_schema": [

  836.                                 credential_schema.model_dump()

  837.                                 for credential_schema in datasource.declaration.oauth_schema.credentials_schema

  838.                             ],

  839.                             "oauth_custom_client_params": self.get_tenant_oauth_client(

  840.                                 tenant_id, datasource_provider_id, mask=True

  841.                             ),

  842.                             "is_oauth_custom_client_enabled": self.is_tenant_oauth_params_enabled(

  843.                                 tenant_id, datasource_provider_id

  844.                             ),

  845.                             "is_system_oauth_params_exists": self.is_system_oauth_params_exist(datasource_provider_id),

  846.                             "redirect_uri": redirect_uri,

  847.                         }

  848.                         if datasource.declaration.oauth_schema

  849.                         else None,

  850.                     }

  851.                 )

  852.         return datasource_credentials

  853. 

  854.     def get_real_datasource_credentials(self, tenant_id: str, provider: str, plugin_id: str) -> list[dict]:

  855.         """

  856.         get datasource credentials.

  857. 

  858.         :param tenant_id: workspace id

  859.         :param provider_id: provider id

  860.         :return:

  861.         """

  862.         # Get all provider configurations of the current workspace

  863.         datasource_providers: list[DatasourceProvider] = (

  864.             db.session.query(DatasourceProvider)

  865.             .where(

  866.                 DatasourceProvider.tenant_id == tenant_id,

  867.                 DatasourceProvider.provider == provider,

  868.                 DatasourceProvider.plugin_id == plugin_id,

  869.             )

  870.             .all()

  871.         )

  872.         if not datasource_providers:

  873.             return []

  874.         copy_credentials_list = []

  875.         for datasource_provider in datasource_providers:

  876.             encrypted_credentials = datasource_provider.encrypted_credentials

  877.             # Get provider credential secret variables

  878.             credential_secret_variables = self.extract_secret_variables(

  879.                 tenant_id=tenant_id,

  880.                 provider_id=f"{plugin_id}/{provider}",

  881.                 credential_type=CredentialType.of(datasource_provider.auth_type),

  882.             )

  883. 

  884.             # Obfuscate provider credentials

  885.             copy_credentials = encrypted_credentials.copy()

  886.             for key, value in copy_credentials.items():

  887.                 if key in credential_secret_variables:

  888.                     copy_credentials[key] = encrypter.decrypt_token(tenant_id, value)

  889.             copy_credentials_list.append(

  890.                 {

  891.                     "credentials": copy_credentials,

  892.                     "type": datasource_provider.auth_type,

  893.                 }

  894.             )

  895. 

  896.         return copy_credentials_list

  897. 

  898.     def update_datasource_credentials(

  899.         self, tenant_id: str, auth_id: str, provider: str, plugin_id: str, credentials: dict | None, name: str | None

  900.     ) -> None:

  901.         """

  902.         update datasource credentials.

  903.         """

  904.         with Session(db.engine) as session:

  905.             datasource_provider = (

  906.                 session.query(DatasourceProvider)

  907.                 .filter_by(tenant_id=tenant_id, id=auth_id, provider=provider, plugin_id=plugin_id)

  908.                 .first()

  909.             )

  910.             if not datasource_provider:

  911.                 raise ValueError("Datasource provider not found")

  912.             # update name

  913.             if name and name != datasource_provider.name:

  914.                 if (

  915.                     session.query(DatasourceProvider)

  916.                     .filter_by(tenant_id=tenant_id, name=name, provider=provider, plugin_id=plugin_id)

  917.                     .count()

  918.                     > 0

  919.                 ):

  920.                     raise ValueError("Authorization name is already exists")

  921.                 datasource_provider.name = name

  922. 

  923.             # update credentials

  924.             if credentials:

  925.                 secret_variables = self.extract_secret_variables(

  926.                     tenant_id=tenant_id,

  927.                     provider_id=f"{plugin_id}/{provider}",

  928.                     credential_type=CredentialType.of(datasource_provider.auth_type),

  929.                 )

  930.                 original_credentials = {

  931.                     key: value if key not in secret_variables else encrypter.decrypt_token(tenant_id, value)

  932.                     for key, value in datasource_provider.encrypted_credentials.items()

  933.                 }

  934.                 new_credentials = {

  935.                     key: value if value != HIDDEN_VALUE else original_credentials.get(key, UNKNOWN_VALUE)

  936.                     for key, value in credentials.items()

  937.                 }

  938.                 try:

  939.                     self.provider_manager.validate_provider_credentials(

  940.                         tenant_id=tenant_id,

  941.                         user_id=current_user.id,

  942.                         provider=provider,

  943.                         plugin_id=plugin_id,

  944.                         credentials=new_credentials,

  945.                     )

  946.                 except Exception as e:

  947.                     raise ValueError(f"Failed to validate credentials: {str(e)}")

  948. 

  949.                 encrypted_credentials = {}

  950.                 for key, value in new_credentials.items():

  951.                     if key in secret_variables:

  952.                         encrypted_credentials[key] = encrypter.encrypt_token(tenant_id, value)

  953.                     else:

  954.                         encrypted_credentials[key] = value

  955. 

  956.                 datasource_provider.encrypted_credentials = encrypted_credentials

  957.             session.commit()

  958. 

  959.     def remove_datasource_credentials(self, tenant_id: str, auth_id: str, provider: str, plugin_id: str) -> None:

  960.         """

  961.         remove datasource credentials.

  962. 

  963.         :param tenant_id: workspace id

  964.         :param provider: provider name

  965.         :param plugin_id: plugin id

  966.         :return:

  967.         """

  968.         datasource_provider = (

  969.             db.session.query(DatasourceProvider)

  970.             .filter_by(tenant_id=tenant_id, id=auth_id, provider=provider, plugin_id=plugin_id)

  971.             .first()

  972.         )

  973.         if datasource_provider:

  974.             db.session.delete(datasource_provider)

  975.             db.session.commit()