kubiya-control-plane-api 0.9.15__py3-none-any.whl

control_plane_api/app/lib/templating/validator.py

@@ -0,0 +1,201 @@
+"""
+Template validation logic.
+
+Validates templates against a context to ensure all variables can be resolved.
+"""
+
+import structlog
+from typing import List
+from control_plane_api.app.lib.templating.types import (
+    TemplateContext,
+    TemplateVariable,
+    TemplateVariableType,
+    ValidationResult,
+    ValidationError,
+    ParseResult,
+)
+from control_plane_api.app.lib.templating.engine import TemplateEngine, get_default_engine
+
+logger = structlog.get_logger()
+
+
+class TemplateValidator:
+    """
+    Validates templates against a context.
+
+    Checks that all variables referenced in a template have values available
+    in the provided context.
+    """
+
+    def __init__(self, engine: TemplateEngine = None):
+        """
+        Initialize the validator with a template engine.
+
+        Args:
+            engine: Template engine to use. If None, uses default engine.
+        """
+        self.engine = engine if engine is not None else get_default_engine()
+
+    def validate(self, template: str, context: TemplateContext) -> ValidationResult:
+        """
+        Validate a template against a context.
+
+        Performs the following checks:
+        1. Template syntax is valid
+        2. All referenced secrets exist in context
+        3. All referenced env vars exist in context
+        4. All simple variables exist in context
+
+        Args:
+            template: Template string to validate
+            context: Template context with available values
+
+        Returns:
+            ValidationResult with errors and warnings
+        """
+        # First parse the template
+        parse_result: ParseResult = self.engine.parse(template)
+
+        # If parsing failed, return those errors
+        if not parse_result.is_valid:
+            return ValidationResult(
+                valid=False,
+                errors=parse_result.errors,
+                warnings=[],
+                variables=parse_result.variables
+            )
+
+        # Now validate each variable against the context
+        errors: List[ValidationError] = []
+        warnings: List[str] = []
+
+        # Validate secret variables
+        for var in parse_result.secret_variables:
+            secret_name = var.display_name
+            if secret_name not in context.secrets:
+                errors.append(ValidationError(
+                    message=f"Secret '{secret_name}' not found in context",
+                    variable=var,
+                    position=var.start,
+                    code="MISSING_SECRET"
+                ))
+                logger.debug(
+                    "missing_secret",
+                    secret_name=secret_name,
+                    position=var.start
+                )
+
+        # Validate environment variables
+        for var in parse_result.env_variables:
+            env_var_name = var.display_name
+            if env_var_name not in context.env_vars:
+                errors.append(ValidationError(
+                    message=f"Environment variable '{env_var_name}' not found in context",
+                    variable=var,
+                    position=var.start,
+                    code="MISSING_ENV_VAR"
+                ))
+                logger.debug(
+                    "missing_env_var",
+                    env_var_name=env_var_name,
+                    position=var.start
+                )
+
+        # Validate simple variables
+        for var in parse_result.simple_variables:
+            if var.name not in context.variables:
+                errors.append(ValidationError(
+                    message=f"Variable '{var.name}' not found in context",
+                    variable=var,
+                    position=var.start,
+                    code="MISSING_VARIABLE"
+                ))
+                logger.debug(
+                    "missing_variable",
+                    variable_name=var.name,
+                    position=var.start
+                )
+
+        # Validate graph node variables
+        for var in parse_result.graph_variables:
+            node_id = var.display_name
+
+            # Check if node is in pre-populated context
+            if context.graph_nodes and node_id in context.graph_nodes:
+                continue  # Node is available
+
+            # Node not in context - check if we can fetch it
+            if not context.graph_api_base or not context.graph_api_key:
+                errors.append(ValidationError(
+                    message=(
+                        f"Graph node '{node_id}' not in context and "
+                        f"context graph API not configured"
+                    ),
+                    variable=var,
+                    position=var.start,
+                    code="MISSING_GRAPH_NODE"
+                ))
+                logger.debug(
+                    "missing_graph_node_config",
+                    node_id=node_id,
+                    position=var.start,
+                    has_api_base=bool(context.graph_api_base),
+                    has_api_key=bool(context.graph_api_key)
+                )
+            # If API is configured, node will be fetched on-demand during compilation
+            # We don't validate existence here to avoid unnecessary API calls
+
+        # Generate warnings for unused context values
+        # (This helps catch typos or configuration issues)
+        if not errors:  # Only show warnings if validation passed
+            # Check for unused secrets
+            used_secrets = {v.display_name for v in parse_result.secret_variables}
+            unused_secrets = set(context.secrets.keys()) - used_secrets
+            if unused_secrets:
+                warnings.append(
+                    f"Unused secrets in context: {', '.join(sorted(unused_secrets))}"
+                )
+
+            # Check for unused env vars
+            used_env_vars = {v.display_name for v in parse_result.env_variables}
+            unused_env_vars = set(context.env_vars.keys()) - used_env_vars
+            if unused_env_vars:
+                warnings.append(
+                    f"Unused environment variables in context: {', '.join(sorted(unused_env_vars))}"
+                )
+
+            # Check for unused simple variables
+            used_variables = {v.name for v in parse_result.simple_variables}
+            unused_variables = set(context.variables.keys()) - used_variables
+            if unused_variables:
+                warnings.append(
+                    f"Unused variables in context: {', '.join(sorted(unused_variables))}"
+                )
+
+        return ValidationResult(
+            valid=len(errors) == 0,
+            errors=errors,
+            warnings=warnings,
+            variables=parse_result.variables
+        )
+
+    def validate_syntax_only(self, template: str) -> ValidationResult:
+        """
+        Validate only the syntax of a template without checking context.
+
+        Useful for validating templates before a context is available.
+
+        Args:
+            template: Template string to validate
+
+        Returns:
+            ValidationResult with syntax errors only
+        """
+        parse_result: ParseResult = self.engine.parse(template)
+
+        return ValidationResult(
+            valid=parse_result.is_valid,
+            errors=parse_result.errors,
+            warnings=[],
+            variables=parse_result.variables
+        )

control_plane_api/app/lib/temporal_client.py

@@ -0,0 +1,232 @@
+"""Temporal client for Agent Control Plane API"""
+
+import os
+from pathlib import Path
+from typing import Optional
+import structlog
+from temporalio.client import Client, TLSConfig
+
+logger = structlog.get_logger()
+
+_temporal_client: Optional[Client] = None
+
+
+async def get_temporal_client() -> Client:
+    """
+    Get or create Temporal client singleton.
+
+    DEPRECATED: This uses shared admin credentials from env vars.
+    For org-specific credentials, use get_temporal_client_for_org() instead.
+
+    Supports mTLS authentication for Temporal Cloud.
+    This client is used by the API to submit workflows.
+
+    Returns:
+        Temporal client instance
+    """
+    global _temporal_client
+
+    if _temporal_client is not None:
+        return _temporal_client
+
+    # Get Temporal configuration with defaults matching worker_queues.py
+    temporal_host = os.environ.get("TEMPORAL_HOST", "us-east-1.aws.api.temporal.io:7233")
+    temporal_namespace = os.environ.get("TEMPORAL_NAMESPACE", "agent-control-plane.lpagu")
+    # Check for API key in multiple possible env var names
+    temporal_api_key = (
+        os.environ.get("TEMPORAL_API_KEY") or
+        os.environ.get("TEMPORAL_CLOUD_ADMIN_TOKEN")
+    )
+    # Strip whitespace and newlines from all env vars (common issue with env vars)
+    if temporal_host:
+        temporal_host = temporal_host.strip()
+    if temporal_namespace:
+        temporal_namespace = temporal_namespace.strip()
+    if temporal_api_key:
+        temporal_api_key = temporal_api_key.strip()
+    temporal_cert_path = os.environ.get("TEMPORAL_CLIENT_CERT_PATH")
+    temporal_key_path = os.environ.get("TEMPORAL_CLIENT_KEY_PATH")
+
+    try:
+        # Check if connecting to Temporal Cloud
+        is_cloud = "tmprl.cloud" in temporal_host or "api.temporal.io" in temporal_host
+
+        if is_cloud:
+            # Check authentication method: API Key or mTLS
+            if temporal_api_key:
+                # API Key authentication
+                logger.info("temporal_auth_method", method="api_key")
+
+                # Connect with TLS and API key
+                _temporal_client = await Client.connect(
+                    temporal_host,
+                    namespace=temporal_namespace,
+                    tls=TLSConfig(),  # TLS without client cert
+                    rpc_metadata={"authorization": f"Bearer {temporal_api_key}"}
+                )
+            elif temporal_cert_path:
+                # mTLS authentication
+                logger.info("temporal_auth_method", method="mtls")
+
+                # Load client certificate
+                cert_path = Path(temporal_cert_path)
+                if not cert_path.exists():
+                    raise FileNotFoundError(
+                        f"Temporal client certificate not found at {cert_path}"
+                    )
+
+                with open(cert_path, "rb") as f:
+                    cert_content = f.read()
+
+                # Check if private key is in same file or separate
+                if b"BEGIN PRIVATE KEY" in cert_content or b"BEGIN RSA PRIVATE KEY" in cert_content:
+                    # Key is in the same file
+                    client_cert = cert_content
+                    client_key = cert_content
+                else:
+                    # Key must be in separate file
+                    if not temporal_key_path:
+                        raise ValueError(
+                            "Private key not found in certificate file and no separate key path configured. "
+                            "Please provide TEMPORAL_CLIENT_KEY_PATH environment variable."
+                        )
+                    key_path = Path(temporal_key_path)
+                    with open(key_path, "rb") as f:
+                        client_key = f.read()
+                    client_cert = cert_content
+
+                # Create TLS config for mTLS
+                tls_config = TLSConfig(
+                    client_cert=client_cert,
+                    client_private_key=client_key,
+                )
+
+                # Connect to Temporal Cloud with mTLS
+                _temporal_client = await Client.connect(
+                    temporal_host,
+                    namespace=temporal_namespace,
+                    tls=tls_config,
+                )
+            else:
+                raise ValueError(
+                    "For Temporal Cloud connection, either TEMPORAL_API_KEY or TEMPORAL_CLIENT_CERT_PATH must be provided"
+                )
+        else:
+            # Local Temporal server (no authentication required)
+            _temporal_client = await Client.connect(
+                temporal_host,
+                namespace=temporal_namespace,
+            )
+
+        logger.info(
+            "temporal_client_connected",
+            host=temporal_host,
+            namespace=temporal_namespace,
+        )
+
+        return _temporal_client
+
+    except Exception as e:
+        logger.error("temporal_client_connection_failed", error=str(e))
+        raise
+
+
+async def get_temporal_client_for_org(
+    namespace: str,
+    api_key: str,
+    host: Optional[str] = None,
+) -> Client:
+    """
+    Create Temporal client for specific organization.
+
+    This creates a new client instance with org-specific credentials.
+    Should be used for all workflow operations to ensure proper multi-tenant isolation.
+
+    Args:
+        namespace: Temporal namespace (e.g., "kubiya-ai.lpagu")
+        api_key: Temporal API key for the namespace (empty for local Temporal)
+        host: Temporal host (optional, uses TEMPORAL_HOST env var if not provided)
+
+    Returns:
+        Temporal client instance configured for the organization
+
+    Raises:
+        Exception: If connection fails
+
+    Example:
+        client = await get_temporal_client_for_org(
+            namespace="kubiya-ai.lpagu",
+            api_key="temporal-api-key-123",
+            host="us-east-1.aws.api.temporal.io:7233"
+        )
+    """
+    if not host:
+        host = os.environ.get("TEMPORAL_HOST", "us-east-1.aws.api.temporal.io:7233")
+
+    # Strip whitespace
+    host = host.strip()
+    namespace = namespace.strip()
+    api_key = api_key.strip() if api_key else ""
+
+    try:
+        # Check if connecting to Temporal Cloud
+        is_cloud = "tmprl.cloud" in host or "api.temporal.io" in host
+
+        if is_cloud:
+            if not api_key:
+                raise ValueError("API key is required for Temporal Cloud")
+
+            logger.info(
+                "creating_temporal_client_for_org",
+                namespace=namespace,
+                host=host,
+                auth_method="api_key"
+            )
+
+            # Connect with TLS and API key
+            client = await Client.connect(
+                host,
+                namespace=namespace,
+                tls=TLSConfig(),
+                rpc_metadata={"authorization": f"Bearer {api_key}"}
+            )
+        else:
+            # Local Temporal server
+            logger.info(
+                "creating_temporal_client_for_org",
+                namespace=namespace,
+                host=host,
+                auth_method="none"
+            )
+
+            client = await Client.connect(
+                host,
+                namespace=namespace,
+            )
+
+        logger.info(
+            "temporal_client_created_for_org",
+            namespace=namespace,
+            host=host,
+        )
+
+        return client
+
+    except Exception as e:
+        logger.error(
+            "temporal_client_creation_failed",
+            error=str(e),
+            namespace=namespace,
+            host=host
+        )
+        raise
+
+
+async def close_temporal_client() -> None:
+    """Close the Temporal client connection"""
+    global _temporal_client
+
+    if _temporal_client is not None:
+        await _temporal_client.close()
+        _temporal_client = None
+        logger.info("temporal_client_closed")

control_plane_api/app/lib/temporal_credentials_cache.py

@@ -0,0 +1,178 @@
+"""Temporal credentials caching service.
+
+This module provides caching functionality for organization-specific Temporal
+credentials fetched from the Kubiya API. Credentials are cached in Redis with
+TTL calculated from the credentials expiry time.
+"""
+
+import json
+from datetime import datetime
+from typing import Optional, Dict
+import structlog
+
+from control_plane_api.app.lib.redis_client import get_redis_client
+
+logger = structlog.get_logger()
+
+
+def get_credentials_cache_key(org_id: str) -> str:
+    """
+    Generate cache key for organization's Temporal credentials.
+
+    Args:
+        org_id: Organization ID (slug or UUID)
+
+    Returns:
+        Cache key in format: temporal:credentials:{org_id}
+    """
+    return f"temporal:credentials:{org_id}"
+
+
+async def get_cached_temporal_credentials(org_id: str) -> Optional[Dict]:
+    """
+    Get cached Temporal credentials for organization.
+
+    Args:
+        org_id: Organization ID
+
+    Returns:
+        Cached credentials dict or None if not found
+
+    Example:
+        {
+            "apiKey": "...",
+            "namespace": "org-slug.lpagu",
+            "org": "org-slug",
+            "ttl": "2026-01-07T14:38:20Z"
+        }
+    """
+    redis = get_redis_client()
+    if not redis:
+        return None
+
+    try:
+        cache_key = get_credentials_cache_key(org_id)
+        cached_data = await redis.get(cache_key)
+
+        if cached_data:
+            logger.debug("temporal_credentials_cache_hit", org_id=org_id)
+            if isinstance(cached_data, bytes):
+                cached_data = cached_data.decode('utf-8')
+            return json.loads(cached_data)
+
+        logger.debug("temporal_credentials_cache_miss", org_id=org_id)
+        return None
+
+    except Exception as e:
+        logger.warning(
+            "temporal_credentials_cache_read_failed",
+            error=str(e),
+            org_id=org_id
+        )
+        return None
+
+
+async def cache_temporal_credentials(org_id: str, credentials: Dict) -> None:
+    """
+    Cache Temporal credentials for organization with TTL.
+
+    The TTL is calculated from the credentials.ttl field if present,
+    otherwise defaults to 1 hour. TTL is clamped between 60 seconds
+    and 7 days.
+
+    Args:
+        org_id: Organization ID
+        credentials: Credentials dict with optional 'ttl' field
+
+    Example:
+        await cache_temporal_credentials(
+            "kubiya-ai",
+            {
+                "apiKey": "...",
+                "namespace": "kubiya-ai.lpagu",
+                "org": "kubiya-ai",
+                "ttl": "2026-01-07T14:38:20Z"
+            }
+        )
+    """
+    redis = get_redis_client()
+    if not redis:
+        return
+
+    try:
+        cache_key = get_credentials_cache_key(org_id)
+
+        # Calculate TTL from credentials.ttl field
+        ttl_str = credentials.get("ttl")
+        if ttl_str:
+            try:
+                # Parse ISO 8601 timestamp
+                ttl_datetime = datetime.fromisoformat(ttl_str.replace('Z', '+00:00'))
+                now = datetime.now(ttl_datetime.tzinfo)
+                ttl_seconds = int((ttl_datetime - now).total_seconds())
+
+                # Ensure reasonable TTL (min 60s, max 7 days)
+                ttl_seconds = max(60, min(ttl_seconds, 7 * 24 * 3600))
+
+                logger.debug(
+                    "ttl_calculated_from_expiry",
+                    org_id=org_id,
+                    ttl_seconds=ttl_seconds,
+                    expires_at=ttl_str
+                )
+            except Exception as e:
+                logger.warning(
+                    "ttl_parse_failed_using_default",
+                    error=str(e),
+                    ttl_str=ttl_str
+                )
+                ttl_seconds = 3600  # Default 1 hour
+        else:
+            ttl_seconds = 3600  # Default 1 hour
+
+        # Store credentials as JSON
+        await redis.set(
+            cache_key,
+            json.dumps(credentials),
+            ex=ttl_seconds
+        )
+
+        logger.info(
+            "temporal_credentials_cached",
+            org_id=org_id,
+            ttl_seconds=ttl_seconds,
+            namespace=credentials.get("namespace")
+        )
+
+    except Exception as e:
+        logger.warning(
+            "temporal_credentials_cache_write_failed",
+            error=str(e),
+            org_id=org_id
+        )
+
+
+async def invalidate_temporal_credentials_cache(org_id: str) -> None:
+    """
+    Invalidate cached Temporal credentials for organization.
+
+    This is useful for forcing a credential refresh, for example
+    when credentials are rotated or revoked.
+
+    Args:
+        org_id: Organization ID
+    """
+    redis = get_redis_client()
+    if not redis:
+        return
+
+    try:
+        cache_key = get_credentials_cache_key(org_id)
+        await redis.delete(cache_key)
+        logger.info("temporal_credentials_cache_invalidated", org_id=org_id)
+    except Exception as e:
+        logger.warning(
+            "temporal_credentials_cache_invalidation_failed",
+            error=str(e),
+            org_id=org_id
+        )