iron-providers 0.2.10

Semantic provider boundary for protocol-oriented LLM providers
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169

//! Auth header generation
//!
//! Maps `ProviderCredential` plus `AuthStrategy` to auth headers.
//! This module is separate from HTTP client construction so auth can be
//! tested independently from transport assembly.

use crate::profile::{AuthStrategy, ProviderCredential};
use crate::{ProviderError, ProviderResult};
use reqwest::header::HeaderMap;

/// Map a credential and auth strategy to auth headers.
pub(crate) fn auth_headers(
    credential: &ProviderCredential,
    auth_strategy: &AuthStrategy,
    context: &str,
) -> ProviderResult<HeaderMap> {
    let mut headers = HeaderMap::new();
    let secret = credential.secret();

    match auth_strategy {
        AuthStrategy::NoAuth => {}
        AuthStrategy::BearerToken => {
            let val = reqwest::header::HeaderValue::from_str(&format!("Bearer {}", secret))
                .map_err(|e| {
                    ProviderError::invalid_request(format!(
                        "Invalid bearer token value for {}: {}",
                        context, e
                    ))
                })?;
            headers.insert(reqwest::header::AUTHORIZATION, val);
        }
        AuthStrategy::ApiKeyHeader { header_name } => {
            let key =
                reqwest::header::HeaderName::from_bytes(header_name.as_bytes()).map_err(|e| {
                    ProviderError::invalid_request(format!(
                        "Invalid header name '{}' for {}: {}",
                        header_name, context, e
                    ))
                })?;
            let val = reqwest::header::HeaderValue::from_str(secret).map_err(|e| {
                ProviderError::invalid_request(format!(
                    "Invalid API key value for {}: {}",
                    context, e
                ))
            })?;
            headers.insert(key, val);
        }
        AuthStrategy::Custom {
            header_name,
            prefix,
        } => {
            let value = match prefix {
                Some(p) => format!("{} {}", p, secret),
                None => secret.to_string(),
            };
            let key =
                reqwest::header::HeaderName::from_bytes(header_name.as_bytes()).map_err(|e| {
                    ProviderError::invalid_request(format!(
                        "Invalid custom header name '{}' for {}: {}",
                        header_name, context, e
                    ))
                })?;
            let val = reqwest::header::HeaderValue::from_str(&value).map_err(|e| {
                ProviderError::invalid_request(format!(
                    "Invalid custom header value for {}: {}",
                    context, e
                ))
            })?;
            headers.insert(key, val);
        }
    }

    Ok(headers)
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::profile::{AuthStrategy, ProviderCredential};

    #[test]
    fn test_bearer_token() {
        let credential = ProviderCredential::ApiKey("secret".into());
        let strategy = AuthStrategy::BearerToken;
        let headers = auth_headers(&credential, &strategy, "test").unwrap();
        assert_eq!(headers.get("authorization").unwrap(), "Bearer secret");
    }

    #[test]
    fn test_api_key_header() {
        let credential = ProviderCredential::ApiKey("secret".into());
        let strategy = AuthStrategy::ApiKeyHeader {
            header_name: "x-api-key".into(),
        };
        let headers = auth_headers(&credential, &strategy, "test").unwrap();
        assert_eq!(headers.get("x-api-key").unwrap(), "secret");
    }

    #[test]
    fn test_custom_header_with_prefix() {
        let credential = ProviderCredential::ApiKey("secret".into());
        let strategy = AuthStrategy::Custom {
            header_name: "x-custom".into(),
            prefix: Some("Token".into()),
        };
        let headers = auth_headers(&credential, &strategy, "test").unwrap();
        assert_eq!(headers.get("x-custom").unwrap(), "Token secret");
    }

    #[test]
    fn test_custom_header_without_prefix() {
        let credential = ProviderCredential::ApiKey("secret".into());
        let strategy = AuthStrategy::Custom {
            header_name: "x-custom".into(),
            prefix: None,
        };
        let headers = auth_headers(&credential, &strategy, "test").unwrap();
        assert_eq!(headers.get("x-custom").unwrap(), "secret");
    }

    #[test]
    fn test_invalid_header_name() {
        let credential = ProviderCredential::ApiKey("secret".into());
        let strategy = AuthStrategy::ApiKeyHeader {
            header_name: "bad header".into(),
        };
        let result = auth_headers(&credential, &strategy, "test");
        assert!(result.is_err());
        assert!(result
            .unwrap_err()
            .to_string()
            .contains("Invalid header name"));
    }

    #[test]
    fn test_invalid_header_value() {
        let credential = ProviderCredential::ApiKey("secret\0".into());
        let strategy = AuthStrategy::BearerToken;
        let result = auth_headers(&credential, &strategy, "test");
        assert!(result.is_err());
        assert!(result
            .unwrap_err()
            .to_string()
            .contains("Invalid bearer token value"));
    }

    #[test]
    fn test_no_auth_produces_no_headers() {
        let credential = ProviderCredential::NoAuth;
        let strategy = AuthStrategy::NoAuth;
        let headers = auth_headers(&credential, &strategy, "test").unwrap();
        assert!(headers.is_empty());
    }

    #[test]
    fn test_no_auth_no_authorization_header() {
        let credential = ProviderCredential::NoAuth;
        let strategy = AuthStrategy::NoAuth;
        let headers = auth_headers(&credential, &strategy, "test").unwrap();
        assert!(headers.get("authorization").is_none());
        assert!(headers.get("x-api-key").is_none());
    }

    #[test]
    fn test_blank_api_key_still_fails_validation() {
        let rt = crate::profile::RuntimeConfig::new("   ");
        assert!(rt.validate().is_err());
    }
}