# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import os import logging import hmac from google.cloud import secretmanager from google.api_core.gapic_v1.client_info import ClientInfo from google.api_core.exceptions import NotFound, PermissionDenied from .constants import USER_AGENT def validate_api_key(api_key: str): """Validates an API key against the stored API key from Secret Manager. Args: api_key: The API key to validate. Returns: True if the API key is valid, False otherwise. """ devai_api_key = get_secret_value("DEVAI_API_KEY") if api_key is None or api_key == "" or devai_api_key is None: return False return is_valid_api_key(api_key, devai_api_key) def is_valid_api_key(passed_key, stored_key): """Compares an API key securely using hmac.compare_digest(). Args: passed_key: The API key to check, provided by the user. stored_key: The API key to validate against, retrieved from secure storage. Returns: True if the keys match, False otherwise. """ return hmac.compare_digest(passed_key.encode('utf-8'), stored_key.encode('utf-8')) def ensure_env_variable(var_name): """Ensures an environment variable is set. Args: var_name: The name of the environment variable to check. Returns: The value of the environment variable. Raises: EnvironmentError: If the environment variable is not set. """ value = os.getenv(var_name) if value is None: raise EnvironmentError(f"Required environment variable '{var_name}' is not set.") return value def get_secret_value( secret_id: str) -> str: """Retrieves a secret value from Google Secret Manager. Args: secret_id: The ID of the secret to retrieve. Returns: The secret value as a string, or None if the secret is not found or the user lacks permission. Raises: EnvironmentError: if PROJECT_ID is not defined. Exception: For any other unexpected error when getting the secret from the secret manager. """ try: project_id = ensure_env_variable('PROJECT_ID') logging.info("PROJECT_ID:", project_id) client = secretmanager.SecretManagerServiceClient( client_info=ClientInfo(user_agent=USER_AGENT) ) name = f"projects/{project_id}/secrets/{secret_id}/versions/latest" try: response = client.access_secret_version(name=name) payload = response.payload.data.decode("utf-8") logging.info(f"Successfully retrieved secret ID: {secret_id} in project {project_id}") return payload except PermissionDenied as e: logging.warning(f"Insufficient permissions to access secret {secret_id} in project {project_id}: {e}") return None except NotFound: logging.info(f"Secret ID not found: {secret_id} in project {project_id}") return None except Exception as e: # Catching a broader range of potential errors logging.error(f"An unexpected error occurred while retrieving secret '{secret_id}': {e}") return None except EnvironmentError as e: logging.error(e)