Validate auth composition contract in SDK

Author: durable-workflow-ops

README.md

@@ -394,6 +394,7 @@ manifests from `GET /api/cluster/info`:
 
 - `control_plane.version: "2"`
 - `control_plane.request_contract.schema: durable-workflow.v2.control-plane-request.contract` version `1`
+- `auth_composition_contract.schema: durable-workflow.v2.auth-composition.contract` version `1`
 - `worker_protocol.version: "1.0"`
 - `worker_protocol.external_task_input_contract.schema: durable-workflow.v2.external-task-input.contract` version `1`
 - `worker_protocol.external_task_result_contract.schema: durable-workflow.v2.external-task-result.contract` version `1`
@@ -402,6 +403,10 @@ The top-level server `version` is build identity only. The worker checks these
 protocol manifests at startup and fails closed when compatibility is missing,
 unknown, or undiscoverable.
 
+Carriers and support tooling can validate `auth_composition_contract` with
+`parse_auth_composition_contract()` before resolving connection, namespace,
+token, TLS, profile, and redacted effective-configuration diagnostics.
+
 External task carriers can validate fixture artifacts from
 `worker_protocol.external_task_input_contract.fixtures` with
 `parse_external_task_input_artifact()` and parse leased task envelopes with

docs/reference/auth_composition.md

@@ -0,0 +1,3 @@
+# Auth Composition
+
+::: durable_workflow.auth_composition

mkdocs.yml

@@ -64,6 +64,7 @@ nav:
   - Home: index.md
   - Reference:
       - Client: reference/client.md
+      - Auth composition: reference/auth_composition.md
       - Worker: reference/worker.md
       - Workflow: reference/workflow.md
       - Activity: reference/activity.md

src/durable_workflow/__init__.py

@@ -8,6 +8,14 @@
 
 from . import activity, sync, testing, workflow
 from .activity import ActivityContext, ActivityInfo
+from .auth_composition import (
+    AUTH_COMPOSITION_CONTRACT_SCHEMA,
+    AUTH_COMPOSITION_CONTRACT_VERSION,
+    AUTH_COMPOSITION_REQUIRED_EFFECTIVE_CONFIG_FIELDS,
+    AuthCompositionContract,
+    AuthCompositionContractError,
+    parse_auth_composition_contract,
+)
 from .client import (
     Client,
     ScheduleAction,
@@ -125,6 +133,11 @@
     "ChildWorkflowFailed",
     "Client",
     "ContinueAsNew",
+    "AUTH_COMPOSITION_CONTRACT_SCHEMA",
+    "AUTH_COMPOSITION_CONTRACT_VERSION",
+    "AUTH_COMPOSITION_REQUIRED_EFFECTIVE_CONFIG_FIELDS",
+    "AuthCompositionContract",
+    "AuthCompositionContractError",
     "NonRetryableError",
     "ReplayOutcome",
     "Replayer",
@@ -152,6 +165,7 @@
     "WorkflowList",
     "WorkflowPayloadDecodeError",
     "activity",
+    "parse_auth_composition_contract",
     "sync",
     "testing",
     "workflow",

src/durable_workflow/auth_composition.py

@@ -0,0 +1,171 @@
+from __future__ import annotations
+
+from collections.abc import Mapping, Sequence
+from dataclasses import dataclass
+from typing import Any
+
+AUTH_COMPOSITION_CONTRACT_SCHEMA = "durable-workflow.v2.auth-composition.contract"
+AUTH_COMPOSITION_CONTRACT_VERSION = 1
+
+AUTH_COMPOSITION_REQUIRED_EFFECTIVE_CONFIG_FIELDS = (
+    "server_url",
+    "namespace",
+    "profile",
+    "auth",
+    "tls",
+    "identity",
+)
+
+
+@dataclass(frozen=True)
+class AuthCompositionContractError(ValueError):
+    """Raised when the server auth-composition manifest is not compatible."""
+
+    message: str
+
+    def __str__(self) -> str:
+        return self.message
+
+
+@dataclass(frozen=True)
+class AuthCompositionContract:
+    schema: str
+    version: int
+    connection_precedence: tuple[str, ...]
+    profile_precedence: tuple[str, ...]
+    canonical_environment: Mapping[str, str]
+    auth_material: Mapping[str, Mapping[str, Any]]
+    effective_config_required_fields: tuple[str, ...]
+    redaction_never_echo: tuple[str, ...]
+
+    @property
+    def supports_token_auth(self) -> bool:
+        token = self.auth_material.get("token")
+        return token is not None and token.get("status") == "supported"
+
+    @property
+    def reserves_mtls(self) -> bool:
+        mtls = self.auth_material.get("mtls")
+        return mtls is not None and mtls.get("status") == "reserved"
+
+    @property
+    def reserves_signed_headers(self) -> bool:
+        signed_headers = self.auth_material.get("signed_headers")
+        return signed_headers is not None and signed_headers.get("status") == "reserved"
+
+
+def parse_auth_composition_contract(manifest: Mapping[str, Any]) -> AuthCompositionContract:
+    """Parse and validate the v1 carrier auth-composition contract manifest."""
+
+    _require_value(manifest, "schema", AUTH_COMPOSITION_CONTRACT_SCHEMA)
+    _require_value(manifest, "version", AUTH_COMPOSITION_CONTRACT_VERSION)
+
+    precedence = _require_mapping(manifest, "precedence")
+    canonical_environment = _parse_str_mapping(_require_mapping(manifest, "canonical_environment"))
+    auth_material = _parse_auth_material(_require_mapping(manifest, "auth_material"))
+    effective_config = _require_mapping(manifest, "effective_config")
+    redaction = _require_mapping(manifest, "redaction")
+
+    required_fields = _require_str_sequence(effective_config, "required_fields")
+    missing_effective_fields = set(AUTH_COMPOSITION_REQUIRED_EFFECTIVE_CONFIG_FIELDS).difference(required_fields)
+    if missing_effective_fields:
+        fields = ", ".join(sorted(missing_effective_fields))
+        raise AuthCompositionContractError(
+            f"Auth composition contract effective_config.required_fields missing [{fields}]."
+        )
+
+    _require_env(canonical_environment, "server_url", "DURABLE_WORKFLOW_SERVER_URL")
+    _require_env(canonical_environment, "namespace", "DURABLE_WORKFLOW_NAMESPACE")
+    _require_env(canonical_environment, "auth_token", "DURABLE_WORKFLOW_AUTH_TOKEN")
+    _require_env(canonical_environment, "tls_verify", "DURABLE_WORKFLOW_TLS_VERIFY")
+    _require_env(canonical_environment, "profile", "DW_ENV")
+
+    token = auth_material.get("token")
+    if token is None or token.get("status") != "supported" or token.get("effective_config_value") != "redacted":
+        raise AuthCompositionContractError("Auth composition contract must support redacted token auth.")
+
+    for reserved in ("mtls", "signed_headers"):
+        material = auth_material.get(reserved)
+        if material is None or material.get("status") != "reserved":
+            raise AuthCompositionContractError(
+                f"Auth composition contract must reserve [{reserved}] auth material."
+            )
+
+    never_echo = _require_str_sequence(redaction, "never_echo")
+    for secret in ("bearer_tokens", "private_keys", "raw_authorization_headers"):
+        if secret not in never_echo:
+            raise AuthCompositionContractError(
+                f"Auth composition contract redaction.never_echo missing [{secret}]."
+            )
+
+    return AuthCompositionContract(
+        schema=AUTH_COMPOSITION_CONTRACT_SCHEMA,
+        version=AUTH_COMPOSITION_CONTRACT_VERSION,
+        connection_precedence=tuple(_require_str_sequence(precedence, "connection_values")),
+        profile_precedence=tuple(_require_str_sequence(precedence, "profile_selection")),
+        canonical_environment=canonical_environment,
+        auth_material=auth_material,
+        effective_config_required_fields=tuple(required_fields),
+        redaction_never_echo=tuple(never_echo),
+    )
+
+
+def _parse_auth_material(value: Mapping[str, Any]) -> Mapping[str, Mapping[str, Any]]:
+    parsed: dict[str, Mapping[str, Any]] = {}
+    for key, material in value.items():
+        if not isinstance(key, str):
+            raise AuthCompositionContractError("Auth composition auth_material keys must be strings.")
+        if not isinstance(material, Mapping):
+            raise AuthCompositionContractError(
+                f"Auth composition auth_material field [{key}] must be an object."
+            )
+        parsed[key] = material
+    return parsed
+
+
+def _parse_str_mapping(value: Mapping[str, Any]) -> Mapping[str, str]:
+    parsed: dict[str, str] = {}
+    for key, item in value.items():
+        if not isinstance(key, str):
+            raise AuthCompositionContractError("Auth composition mapping keys must be strings.")
+        if not isinstance(item, str):
+            raise AuthCompositionContractError(f"Auth composition field [{key}] must be a string.")
+        parsed[key] = item
+    return parsed
+
+
+def _require_mapping(value: Mapping[str, Any], key: str) -> Mapping[str, Any]:
+    if key not in value:
+        raise AuthCompositionContractError(f"Auth composition contract is missing required field [{key}].")
+    item = value[key]
+    if not isinstance(item, Mapping):
+        raise AuthCompositionContractError(f"Auth composition contract field [{key}] must be an object.")
+    return item
+
+
+def _require_str_sequence(value: Mapping[str, Any], key: str) -> Sequence[str]:
+    if key not in value:
+        raise AuthCompositionContractError(f"Auth composition contract is missing required field [{key}].")
+    item = value[key]
+    if not isinstance(item, Sequence) or isinstance(item, str | bytes):
+        raise AuthCompositionContractError(f"Auth composition contract field [{key}] must be a list.")
+    if not all(isinstance(element, str) for element in item):
+        raise AuthCompositionContractError(f"Auth composition contract field [{key}] must contain only strings.")
+    return item
+
+
+def _require_value(value: Mapping[str, Any], key: str, expected: object) -> None:
+    if key not in value:
+        raise AuthCompositionContractError(f"Auth composition contract is missing required field [{key}].")
+    if value[key] != expected:
+        raise AuthCompositionContractError(
+            f"Auth composition contract field [{key}] must be [{expected}], got [{value[key]}]."
+        )
+
+
+def _require_env(value: Mapping[str, str], key: str, expected: str) -> None:
+    actual = value.get(key)
+    if actual != expected:
+        raise AuthCompositionContractError(
+            f"Auth composition canonical_environment.{key} must be [{expected}], got [{actual}]."
+        )

src/durable_workflow/worker.py

@@ -29,6 +29,12 @@
 
 from . import serializer
 from .activity import ActivityContext, ActivityInfo, _set_context
+from .auth_composition import (
+    AUTH_COMPOSITION_CONTRACT_SCHEMA,
+    AUTH_COMPOSITION_CONTRACT_VERSION,
+    AuthCompositionContractError,
+    parse_auth_composition_contract,
+)
 from .client import (
     CONTROL_PLANE_REQUEST_CONTRACT_SCHEMA,
     CONTROL_PLANE_REQUEST_CONTRACT_VERSION,
@@ -196,6 +202,18 @@ def _validate_server_compatibility(info: dict[str, Any]) -> None:
             f"{worker_protocol_version!r}; sdk-python 0.2.x requires {PROTOCOL_VERSION!r}."
         )
 
+    auth_composition = info.get("auth_composition_contract")
+    if not isinstance(auth_composition, dict):
+        raise RuntimeError(
+            "Server compatibility error: missing auth_composition_contract; "
+            f"expected {AUTH_COMPOSITION_CONTRACT_SCHEMA} v{AUTH_COMPOSITION_CONTRACT_VERSION}."
+        )
+
+    try:
+        parse_auth_composition_contract(auth_composition)
+    except AuthCompositionContractError as exc:
+        raise RuntimeError(f"Server compatibility error: unsupported auth_composition_contract: {exc}") from exc
+
 
 def _server_supports_query_tasks(info: dict[str, Any]) -> bool:
     worker_protocol = info.get("worker_protocol")

tests/test_auth_composition.py

@@ -0,0 +1,120 @@
+import copy
+from typing import Any
+
+import pytest
+
+from durable_workflow.auth_composition import (
+    AUTH_COMPOSITION_CONTRACT_SCHEMA,
+    AUTH_COMPOSITION_CONTRACT_VERSION,
+    AuthCompositionContractError,
+    parse_auth_composition_contract,
+)
+
+
+def auth_composition_manifest() -> dict[str, Any]:
+    return {
+        "schema": AUTH_COMPOSITION_CONTRACT_SCHEMA,
+        "version": AUTH_COMPOSITION_CONTRACT_VERSION,
+        "scope": "external_execution_carriers",
+        "unknown_field_policy": "ignore_additive_reject_unknown_required",
+        "precedence": {
+            "connection_values": ["flag", "environment", "selected_profile", "default"],
+            "profile_selection": ["flag_env", "DW_ENV", "current_profile", "default_profile"],
+        },
+        "canonical_environment": {
+            "server_url": "DURABLE_WORKFLOW_SERVER_URL",
+            "namespace": "DURABLE_WORKFLOW_NAMESPACE",
+            "auth_token": "DURABLE_WORKFLOW_AUTH_TOKEN",
+            "tls_verify": "DURABLE_WORKFLOW_TLS_VERIFY",
+            "profile": "DW_ENV",
+        },
+        "auth_material": {
+            "token": {
+                "status": "supported",
+                "transport": "bearer_authorization_header",
+                "persisted_as": "secret_reference_or_profile_env_reference",
+                "effective_config_value": "redacted",
+            },
+            "mtls": {
+                "status": "reserved",
+                "persisted_as": "certificate_and_key_references",
+                "effective_config_value": "references_only",
+            },
+            "signed_headers": {
+                "status": "reserved",
+                "persisted_as": "key_reference_and_header_allowlist",
+                "effective_config_value": "references_only",
+            },
+        },
+        "effective_config": {
+            "required_fields": ["server_url", "namespace", "profile", "auth", "tls", "identity"],
+            "source_values": ["flag", "environment", "selected_profile", "profile_env", "default", "server"],
+        },
+        "redaction": {
+            "never_echo": [
+                "bearer_tokens",
+                "private_keys",
+                "shared_signature_keys",
+                "client_certificate_private_key_material",
+                "raw_authorization_headers",
+            ],
+            "allowed_diagnostics": [
+                "redacted",
+                "secret_reference_name",
+                "environment_variable_name",
+                "profile_name",
+                "certificate_reference_name",
+                "key_reference_name",
+            ],
+        },
+    }
+
+
+def test_auth_composition_contract_parses_server_manifest() -> None:
+    contract = parse_auth_composition_contract(auth_composition_manifest())
+
+    assert contract.schema == "durable-workflow.v2.auth-composition.contract"
+    assert contract.version == 1
+    assert contract.connection_precedence == ("flag", "environment", "selected_profile", "default")
+    assert contract.profile_precedence == ("flag_env", "DW_ENV", "current_profile", "default_profile")
+    assert contract.canonical_environment["auth_token"] == "DURABLE_WORKFLOW_AUTH_TOKEN"
+    assert contract.supports_token_auth is True
+    assert contract.reserves_mtls is True
+    assert contract.reserves_signed_headers is True
+    assert "identity" in contract.effective_config_required_fields
+    assert "bearer_tokens" in contract.redaction_never_echo
+
+
+@pytest.mark.parametrize(
+    ("path", "value", "message"),
+    [
+        (("schema",), "wrong.schema", "schema"),
+        (("version",), 2, "version"),
+        (("canonical_environment", "auth_token"), "TOKEN", "auth_token"),
+        (("auth_material", "token", "effective_config_value"), "plain", "token auth"),
+        (("auth_material", "mtls", "status"), "supported", "mtls"),
+        (("redaction", "never_echo"), ["private_keys", "raw_authorization_headers"], "bearer_tokens"),
+        (("effective_config", "required_fields"), ["server_url"], "namespace"),
+    ],
+)
+def test_auth_composition_contract_rejects_incompatible_manifest(
+    path: tuple[str, ...], value: object, message: str
+) -> None:
+    manifest = auth_composition_manifest()
+    cursor: dict[str, Any] = manifest
+    for key in path[:-1]:
+        cursor = cursor[key]
+    cursor[path[-1]] = value
+
+    with pytest.raises(AuthCompositionContractError, match=message):
+        parse_auth_composition_contract(manifest)
+
+
+def test_auth_composition_contract_ignores_additive_fields() -> None:
+    manifest = copy.deepcopy(auth_composition_manifest())
+    manifest["future"] = {"ignored": True}
+    manifest["auth_material"]["extensions"] = {"status": "reserved"}
+
+    contract = parse_auth_composition_contract(manifest)
+
+    assert contract.auth_material["extensions"]["status"] == "reserved"