dify

dify/api/services/enterprise/base.py

@@ -0,0 +1,55 @@
+import os
+from collections.abc import Mapping
+from typing import Any
+
+import httpx
+
+
+class BaseRequest:
+    proxies: Mapping[str, str] | None = {
+        "http": "",
+        "https": "",
+    }
+    base_url = ""
+    secret_key = ""
+    secret_key_header = ""
+
+    @classmethod
+    def _build_mounts(cls) -> dict[str, httpx.BaseTransport] | None:
+        if not cls.proxies:
+            return None
+
+        mounts: dict[str, httpx.BaseTransport] = {}
+        for scheme, value in cls.proxies.items():
+            if not value:
+                continue
+            key = f"{scheme}://" if not scheme.endswith("://") else scheme
+            mounts[key] = httpx.HTTPTransport(proxy=value)
+        return mounts or None
+
+    @classmethod
+    def send_request(
+        cls,
+        method: str,
+        endpoint: str,
+        json: Any | None = None,
+        params: Mapping[str, Any] | None = None,
+    ) -> Any:
+        headers = {"Content-Type": "application/json", cls.secret_key_header: cls.secret_key}
+        url = f"{cls.base_url}{endpoint}"
+        mounts = cls._build_mounts()
+        with httpx.Client(mounts=mounts) as client:
+            response = client.request(method, url, json=json, params=params, headers=headers)
+        return response.json()
+
+
+class EnterpriseRequest(BaseRequest):
+    base_url = os.environ.get("ENTERPRISE_API_URL", "ENTERPRISE_API_URL")
+    secret_key = os.environ.get("ENTERPRISE_API_SECRET_KEY", "ENTERPRISE_API_SECRET_KEY")
+    secret_key_header = "Enterprise-Api-Secret-Key"
+
+
+class EnterprisePluginManagerRequest(BaseRequest):
+    base_url = os.environ.get("ENTERPRISE_PLUGIN_MANAGER_API_URL", "ENTERPRISE_PLUGIN_MANAGER_API_URL")
+    secret_key = os.environ.get("ENTERPRISE_PLUGIN_MANAGER_API_SECRET_KEY", "ENTERPRISE_PLUGIN_MANAGER_API_SECRET_KEY")
+    secret_key_header = "Plugin-Manager-Inner-Api-Secret-Key"

dify/api/services/enterprise/enterprise_service.py

@@ -0,0 +1,114 @@
+from datetime import datetime
+
+from pydantic import BaseModel, Field
+
+from services.enterprise.base import EnterpriseRequest
+
+
+class WebAppSettings(BaseModel):
+    access_mode: str = Field(
+        description="Access mode for the web app. Can be 'public', 'private', 'private_all', 'sso_verified'",
+        default="private",
+        alias="accessMode",
+    )
+
+
+class EnterpriseService:
+    @classmethod
+    def get_info(cls):
+        return EnterpriseRequest.send_request("GET", "/info")
+
+    @classmethod
+    def get_workspace_info(cls, tenant_id: str):
+        return EnterpriseRequest.send_request("GET", f"/workspace/{tenant_id}/info")
+
+    @classmethod
+    def get_app_sso_settings_last_update_time(cls) -> datetime:
+        data = EnterpriseRequest.send_request("GET", "/sso/app/last-update-time")
+        if not data:
+            raise ValueError("No data found.")
+        try:
+            # parse the UTC timestamp from the response
+            return datetime.fromisoformat(data)
+        except ValueError as e:
+            raise ValueError(f"Invalid date format: {data}") from e
+
+    @classmethod
+    def get_workspace_sso_settings_last_update_time(cls) -> datetime:
+        data = EnterpriseRequest.send_request("GET", "/sso/workspace/last-update-time")
+        if not data:
+            raise ValueError("No data found.")
+        try:
+            # parse the UTC timestamp from the response
+            return datetime.fromisoformat(data)
+        except ValueError as e:
+            raise ValueError(f"Invalid date format: {data}") from e
+
+    class WebAppAuth:
+        @classmethod
+        def is_user_allowed_to_access_webapp(cls, user_id: str, app_id: str):
+            params = {"userId": user_id, "appId": app_id}
+            data = EnterpriseRequest.send_request("GET", "/webapp/permission", params=params)
+
+            return data.get("result", False)
+
+        @classmethod
+        def batch_is_user_allowed_to_access_webapps(cls, user_id: str, app_ids: list[str]):
+            if not app_ids:
+                return {}
+            body = {"userId": user_id, "appIds": app_ids}
+            data = EnterpriseRequest.send_request("POST", "/webapp/permission/batch", json=body)
+            if not data:
+                raise ValueError("No data found.")
+            return data.get("permissions", {})
+
+        @classmethod
+        def get_app_access_mode_by_id(cls, app_id: str) -> WebAppSettings:
+            if not app_id:
+                raise ValueError("app_id must be provided.")
+            params = {"appId": app_id}
+            data = EnterpriseRequest.send_request("GET", "/webapp/access-mode/id", params=params)
+            if not data:
+                raise ValueError("No data found.")
+            return WebAppSettings.model_validate(data)
+
+        @classmethod
+        def batch_get_app_access_mode_by_id(cls, app_ids: list[str]) -> dict[str, WebAppSettings]:
+            if not app_ids:
+                return {}
+            body = {"appIds": app_ids}
+            data: dict[str, str] = EnterpriseRequest.send_request("POST", "/webapp/access-mode/batch/id", json=body)
+            if not data:
+                raise ValueError("No data found.")
+
+            if not isinstance(data["accessModes"], dict):
+                raise ValueError("Invalid data format.")
+
+            ret = {}
+            for key, value in data["accessModes"].items():
+                curr = WebAppSettings()
+                curr.access_mode = value
+                ret[key] = curr
+
+            return ret
+
+        @classmethod
+        def update_app_access_mode(cls, app_id: str, access_mode: str):
+            if not app_id:
+                raise ValueError("app_id must be provided.")
+            if access_mode not in ["public", "private", "private_all"]:
+                raise ValueError("access_mode must be either 'public', 'private', or 'private_all'")
+
+            data = {"appId": app_id, "accessMode": access_mode}
+
+            response = EnterpriseRequest.send_request("POST", "/webapp/access-mode", json=data)
+
+            return response.get("result", False)
+
+        @classmethod
+        def cleanup_webapp(cls, app_id: str):
+            if not app_id:
+                raise ValueError("app_id must be provided.")
+
+            body = {"appId": app_id}
+            EnterpriseRequest.send_request("DELETE", "/webapp/clean", json=body)

dify/api/services/enterprise/plugin_manager_service.py

@@ -0,0 +1,57 @@
+import enum
+import logging
+
+from pydantic import BaseModel
+
+from services.enterprise.base import EnterprisePluginManagerRequest
+from services.errors.base import BaseServiceError
+
+logger = logging.getLogger(__name__)
+
+
+class PluginCredentialType(enum.Enum):
+    MODEL = 0  # must be 0 for API contract compatibility
+    TOOL = 1  # must be 1 for API contract compatibility
+
+    def to_number(self):
+        return self.value
+
+
+class CheckCredentialPolicyComplianceRequest(BaseModel):
+    dify_credential_id: str
+    provider: str
+    credential_type: PluginCredentialType
+
+    def model_dump(self, **kwargs):
+        data = super().model_dump(**kwargs)
+        data["credential_type"] = self.credential_type.to_number()
+        return data
+
+
+class CredentialPolicyViolationError(BaseServiceError):
+    pass
+
+
+class PluginManagerService:
+    @classmethod
+    def check_credential_policy_compliance(cls, body: CheckCredentialPolicyComplianceRequest):
+        try:
+            ret = EnterprisePluginManagerRequest.send_request(
+                "POST", "/check-credential-policy-compliance", json=body.model_dump()
+            )
+            if not isinstance(ret, dict) or "result" not in ret:
+                raise ValueError("Invalid response format from plugin manager API")
+        except Exception as e:
+            raise CredentialPolicyViolationError(
+                f"error occurred while checking credential policy compliance: {e}"
+            ) from e
+
+        if not ret.get("result", False):
+            raise CredentialPolicyViolationError("Credentials not available: Please use ENTERPRISE global credentials")
+
+        logging.debug(
+            "Credential policy compliance checked for %s with credential %s, result: %s",
+            body.provider,
+            body.dify_credential_id,
+            ret.get("result", False),
+        )