ironflow-api 2.18.9

REST API for ironflow run management and observability
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143

//! `GET /api/v1/internal/secrets/:key` -- Get a secret by key (worker only).

use axum::extract::{Path, State};
use axum::response::IntoResponse;
use chrono::{DateTime, Utc};
use serde::Serialize;
use uuid::Uuid;

use ironflow_store::entities::Secret;

use crate::error::ApiError;
use crate::response::ok;
use crate::state::AppState;

/// Internal secret response that INCLUDES the decrypted value.
///
/// Unlike the public `SecretResponse`, this is only sent to the worker
/// over the internal API (protected by WORKER_TOKEN).
#[derive(Serialize)]
struct InternalSecretResponse {
    id: Uuid,
    key: String,
    value: String,
    created_at: DateTime<Utc>,
    updated_at: DateTime<Utc>,
}

impl From<Secret> for InternalSecretResponse {
    fn from(s: Secret) -> Self {
        Self {
            id: s.id,
            key: s.key,
            value: s.value,
            created_at: s.created_at,
            updated_at: s.updated_at,
        }
    }
}

/// Get a decrypted secret by key. Worker-only (WORKER_TOKEN auth).
pub async fn get_secret(
    State(state): State<AppState>,
    Path(key): Path<String>,
) -> Result<impl IntoResponse, ApiError> {
    let secret = state
        .store
        .get_secret(&key)
        .await?
        .ok_or(ApiError::SecretNotFound(key))?;

    Ok(ok(InternalSecretResponse::from(secret)))
}

#[cfg(test)]
mod tests {
    use axum::Router;
    use axum::body::Body;
    use axum::http::{Request, StatusCode};
    use axum::routing::get;
    use http_body_util::BodyExt;
    use ironflow_core::providers::claude::ClaudeCodeProvider;
    use ironflow_engine::engine::Engine;
    use ironflow_engine::notify::Event;
    use ironflow_store::crypto::MasterKey;
    use ironflow_store::memory::InMemoryStore;
    use ironflow_store::store::Store;
    use serde_json::Value as JsonValue;
    use std::sync::Arc;
    use tokio::sync::broadcast;
    use tower::ServiceExt;

    use super::*;

    fn test_state() -> AppState {
        let mut in_mem_store = InMemoryStore::new();
        let master_key = MasterKey::from_bytes(&[42u8; 32]).unwrap();
        in_mem_store.set_master_key(master_key);
        let store: Arc<dyn Store> = Arc::new(in_mem_store);
        let provider = Arc::new(ClaudeCodeProvider::new());
        let engine = Arc::new(Engine::new(store.clone(), provider));
        let jwt_config = Arc::new(ironflow_auth::jwt::JwtConfig {
            secret: "test-secret".to_string(),
            access_token_ttl_secs: 900,
            refresh_token_ttl_secs: 604800,
            cookie_domain: None,
            cookie_secure: false,
        });
        let (event_sender, _) = broadcast::channel::<Event>(1);
        AppState::new(
            store,
            engine,
            jwt_config,
            "test-worker-token".to_string(),
            event_sender,
        )
    }

    #[tokio::test]
    async fn get_secret_returns_decrypted_value() {
        let state = test_state();
        state
            .store
            .set_secret("db-password", "super-secret")
            .await
            .unwrap();

        let app = Router::new()
            .route("/{key}", get(get_secret))
            .with_state(state);

        let req = Request::builder()
            .uri("/db-password")
            .method("GET")
            .body(Body::empty())
            .unwrap();

        let resp = app.oneshot(req).await.unwrap();
        assert_eq!(resp.status(), StatusCode::OK);

        let body = resp.into_body().collect().await.unwrap().to_bytes();
        let json_val: JsonValue = serde_json::from_slice(&body).unwrap();
        assert_eq!(json_val["data"]["key"], "db-password");
        assert_eq!(json_val["data"]["value"], "super-secret");
    }

    #[tokio::test]
    async fn get_secret_not_found() {
        let state = test_state();

        let app = Router::new()
            .route("/{key}", get(get_secret))
            .with_state(state);

        let req = Request::builder()
            .uri("/nonexistent")
            .method("GET")
            .body(Body::empty())
            .unwrap();

        let resp = app.oneshot(req).await.unwrap();
        assert_eq!(resp.status(), StatusCode::NOT_FOUND);
    }
}