Support OAuth Integration for Plugin Tools (#22550)

Co-authored-by: zxhlyh <jasonapring2015@outlook.com> Co-authored-by: Yeuoly <admin@srmxy.cn>
2025-07-17 17:18:44 +08:00
parent 965e952336
commit a4ef900916
89 changed files with 5516 additions and 875 deletions
--- a/api/services/tools/tools_transform_service.py
+++ b/api/services/tools/tools_transform_service.py
@@ -5,21 +5,23 @@ from typing import Any, Optional, Union, cast
 from yarl import URL

 from configs import dify_config
+from core.helper.provider_cache import ToolProviderCredentialsCache
 from core.mcp.types import Tool as MCPTool
 from core.tools.__base.tool import Tool
 from core.tools.__base.tool_runtime import ToolRuntime
 from core.tools.builtin_tool.provider import BuiltinToolProviderController
 from core.tools.custom_tool.provider import ApiToolProviderController
-from core.tools.entities.api_entities import ToolApiEntity, ToolProviderApiEntity
+from core.tools.entities.api_entities import ToolApiEntity, ToolProviderApiEntity, ToolProviderCredentialApiEntity
 from core.tools.entities.common_entities import I18nObject
 from core.tools.entities.tool_bundle import ApiToolBundle
 from core.tools.entities.tool_entities import (
    ApiProviderAuthType,
+    CredentialType,
    ToolParameter,
    ToolProviderType,
 )
 from core.tools.plugin_tool.provider import PluginToolProviderController
-from core.tools.utils.configuration import ProviderConfigEncrypter
+from core.tools.utils.encryption import create_provider_encrypter, create_tool_provider_encrypter
 from core.tools.workflow_as_tool.provider import WorkflowToolProviderController
 from core.tools.workflow_as_tool.tool import WorkflowTool
 from models.tools import ApiToolProvider, BuiltinToolProvider, MCPToolProvider, WorkflowToolProvider
@@ -119,7 +121,12 @@ class ToolTransformService:
            result.plugin_unique_identifier = provider_controller.plugin_unique_identifier

        # get credentials schema
-        schema = {x.to_basic_provider_config().name: x for x in provider_controller.get_credentials_schema()}
+        schema = {
+            x.to_basic_provider_config().name: x
+            for x in provider_controller.get_credentials_schema_by_type(
+                CredentialType.of(db_provider.credential_type) if db_provider else CredentialType.API_KEY
+            )
+        }

        for name, value in schema.items():
            if result.masked_credentials:
@@ -136,15 +143,23 @@ class ToolTransformService:
                credentials = db_provider.credentials

                # init tool configuration
-                tool_configuration = ProviderConfigEncrypter(
+                encrypter, _ = create_provider_encrypter(
                    tenant_id=db_provider.tenant_id,
-                    config=[x.to_basic_provider_config() for x in provider_controller.get_credentials_schema()],
-                    provider_type=provider_controller.provider_type.value,
-                    provider_identity=provider_controller.entity.identity.name,
+                    config=[
+                        x.to_basic_provider_config()
+                        for x in provider_controller.get_credentials_schema_by_type(
+                            CredentialType.of(db_provider.credential_type)
+                        )
+                    ],
+                    cache=ToolProviderCredentialsCache(
+                        tenant_id=db_provider.tenant_id,
+                        provider=db_provider.provider,
+                        credential_id=db_provider.id,
+                    ),
                )
                # decrypt the credentials and mask the credentials
-                decrypted_credentials = tool_configuration.decrypt(data=credentials)
-                masked_credentials = tool_configuration.mask_tool_credentials(data=decrypted_credentials)
+                decrypted_credentials = encrypter.decrypt(data=credentials)
+                masked_credentials = encrypter.mask_tool_credentials(data=decrypted_credentials)

                result.masked_credentials = masked_credentials
                result.original_credentials = decrypted_credentials
@@ -287,16 +302,14 @@ class ToolTransformService:

        if decrypt_credentials:
            # init tool configuration
-            tool_configuration = ProviderConfigEncrypter(
+            encrypter, _ = create_tool_provider_encrypter(
                tenant_id=db_provider.tenant_id,
-                config=[x.to_basic_provider_config() for x in provider_controller.get_credentials_schema()],
-                provider_type=provider_controller.provider_type.value,
-                provider_identity=provider_controller.entity.identity.name,
+                controller=provider_controller,
            )

            # decrypt the credentials and mask the credentials
-            decrypted_credentials = tool_configuration.decrypt(data=credentials)
-            masked_credentials = tool_configuration.mask_tool_credentials(data=decrypted_credentials)
+            decrypted_credentials = encrypter.decrypt(data=credentials)
+            masked_credentials = encrypter.mask_tool_credentials(data=decrypted_credentials)

            result.masked_credentials = masked_credentials

@@ -306,7 +319,6 @@ class ToolTransformService:
    def convert_tool_entity_to_api_entity(
        tool: Union[ApiToolBundle, WorkflowTool, Tool],
        tenant_id: str,
-        credentials: dict | None = None,
        labels: list[str] | None = None,
    ) -> ToolApiEntity:
        """
@@ -316,7 +328,7 @@ class ToolTransformService:
            # fork tool runtime
            tool = tool.fork_tool_runtime(
                runtime=ToolRuntime(
-                    credentials=credentials or {},
+                    credentials={},
                    tenant_id=tenant_id,
                )
            )
@@ -357,6 +369,19 @@ class ToolTransformService:
                labels=labels or [],
            )

+    @staticmethod
+    def convert_builtin_provider_to_credential_entity(
+        provider: BuiltinToolProvider, credentials: dict
+    ) -> ToolProviderCredentialApiEntity:
+        return ToolProviderCredentialApiEntity(
+            id=provider.id,
+            name=provider.name,
+            provider=provider.provider,
+            credential_type=CredentialType.of(provider.credential_type),
+            is_default=provider.is_default,
+            credentials=credentials,
+        )
+
    @staticmethod
    def convert_mcp_schema_to_parameter(schema: dict) -> list["ToolParameter"]:
        """