OPIK-547 Store and retrieve LLM provider api key (#845)

Author: BorisTkachenko

apps/opik-backend/config.yml

@@ -88,3 +88,6 @@ metadata:
 
 cors:
   enabled: ${CORS:-false}
+
+encryption:
+  key: ${OPIK_ENCRYPTION_KEY:-'GiTHubiLoVeYouAA'}

apps/opik-backend/src/main/java/com/comet/opik/OpikApplication.java

@@ -2,6 +2,7 @@
 
 import com.comet.opik.api.error.JsonInvalidFormatExceptionMapper;
 import com.comet.opik.infrastructure.ConfigurationModule;
+import com.comet.opik.infrastructure.EncryptionUtilsModule;
 import com.comet.opik.infrastructure.OpikConfiguration;
 import com.comet.opik.infrastructure.auth.AuthModule;
 import com.comet.opik.infrastructure.bi.BiModule;
@@ -69,7 +70,7 @@ public void initialize(Bootstrap<OpikConfiguration> bootstrap) {
                         .withPlugins(new SqlObjectPlugin(), new Jackson2Plugin()))
                 .modules(new DatabaseAnalyticsModule(), new IdGeneratorModule(), new AuthModule(), new RedisModule(),
                         new RateLimitModule(), new NameGeneratorModule(), new HttpModule(), new EventModule(),
-                        new ConfigurationModule(), new BiModule())
+                        new ConfigurationModule(), new BiModule(), new EncryptionUtilsModule())
                 .installers(JobGuiceyInstaller.class)
                 .listen(new OpikGuiceyLifecycleEventListener())
                 .enableAutoConfig()

apps/opik-backend/src/main/java/com/comet/opik/api/LlmProvider.java

@@ -0,0 +1,13 @@
+package com.comet.opik.api;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.Getter;
+import lombok.RequiredArgsConstructor;
+
+@Getter
+@RequiredArgsConstructor
+public enum LlmProvider {
+
+    @JsonProperty("openai")
+    OPEN_AI;
+}

apps/opik-backend/src/main/java/com/comet/opik/api/ProviderApiKey.java

@@ -0,0 +1,49 @@
+package com.comet.opik.api;
+
+import com.comet.opik.utils.ProviderApiKeyDeserializer;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonView;
+import com.fasterxml.jackson.databind.PropertyNamingStrategies;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonNaming;
+import io.swagger.v3.oas.annotations.media.Schema;
+import jakarta.validation.constraints.NotBlank;
+import lombok.Builder;
+import lombok.NonNull;
+
+import java.time.Instant;
+import java.util.UUID;
+
+@Builder(toBuilder = true)
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonNaming(PropertyNamingStrategies.SnakeCaseStrategy.class)
+public record ProviderApiKey(
+        @JsonView( {
+                View.Public.class}) @Schema(accessMode = Schema.AccessMode.READ_ONLY) UUID id,
+        @JsonView({View.Public.class, View.Write.class}) @NonNull LlmProvider provider,
+        @JsonView({
+                View.Write.class}) @NotBlank @JsonDeserialize(using = ProviderApiKeyDeserializer.class) String apiKey,
+        @JsonView({View.Public.class}) @Schema(accessMode = Schema.AccessMode.READ_ONLY) Instant createdAt,
+        @JsonView({View.Public.class}) @Schema(accessMode = Schema.AccessMode.READ_ONLY) String createdBy,
+        @JsonView({View.Public.class}) @Schema(accessMode = Schema.AccessMode.READ_ONLY) Instant lastUpdatedAt,
+        @JsonView({View.Public.class}) @Schema(accessMode = Schema.AccessMode.READ_ONLY) String lastUpdatedBy){
+    @Override
+    public String toString() {
+        return "ProviderApiKey{" +
+                "id=" + id +
+                ", provider='" + provider + '\'' +
+                ", createdAt=" + createdAt +
+                ", createdBy='" + createdBy + '\'' +
+                ", lastUpdatedAt=" + lastUpdatedAt +
+                ", lastUpdatedBy='" + lastUpdatedBy + '\'' +
+                '}';
+    }
+
+    public static class View {
+        public static class Write {
+        }
+
+        public static class Public {
+        }
+    }
+}

apps/opik-backend/src/main/java/com/comet/opik/api/ProviderApiKeyUpdate.java

@@ -0,0 +1,22 @@
+package com.comet.opik.api;
+
+import com.comet.opik.utils.ProviderApiKeyDeserializer;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.databind.PropertyNamingStrategies;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonNaming;
+import jakarta.validation.constraints.NotBlank;
+import lombok.Builder;
+import lombok.Getter;
+import lombok.ToString;
+
+@Builder(toBuilder = true)
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonNaming(PropertyNamingStrategies.SnakeCaseStrategy.class)
+@Getter
+public class ProviderApiKeyUpdate {
+    @ToString.Exclude
+    @NotBlank
+    @JsonDeserialize(using = ProviderApiKeyDeserializer.class)
+    String apiKey;
+}

apps/opik-backend/src/main/java/com/comet/opik/api/resources/v1/priv/LlmProviderApiKeyResource.java

@@ -0,0 +1,108 @@
+package com.comet.opik.api.resources.v1.priv;
+
+import com.codahale.metrics.annotation.Timed;
+import com.comet.opik.api.ProviderApiKey;
+import com.comet.opik.api.ProviderApiKeyUpdate;
+import com.comet.opik.api.error.ErrorMessage;
+import com.comet.opik.domain.LlmProviderApiKeyService;
+import com.comet.opik.infrastructure.auth.RequestContext;
+import com.fasterxml.jackson.annotation.JsonView;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.headers.Header;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.parameters.RequestBody;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import jakarta.inject.Inject;
+import jakarta.inject.Provider;
+import jakarta.validation.Valid;
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.PATCH;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.PathParam;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.core.Context;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.core.UriInfo;
+import lombok.NonNull;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+
+import java.util.UUID;
+
+@Path("/v1/private/llm-provider-key")
+@Produces(MediaType.APPLICATION_JSON)
+@Consumes(MediaType.APPLICATION_JSON)
+@Timed
+@Slf4j
+@RequiredArgsConstructor(onConstructor_ = @Inject)
+@Tag(name = "LlmProviderKey", description = "LLM Provider Key")
+public class LlmProviderApiKeyResource {
+
+    private final @NonNull LlmProviderApiKeyService llmProviderApiKeyService;
+    private final @NonNull Provider<RequestContext> requestContext;
+
+    @GET
+    @Path("{id}")
+    @Operation(operationId = "getLlmProviderApiKeyById", summary = "Get LLM Provider's ApiKey by id", description = "Get LLM Provider's ApiKey by id", responses = {
+            @ApiResponse(responseCode = "200", description = "ProviderApiKey resource", content = @Content(schema = @Schema(implementation = ProviderApiKey.class))),
+            @ApiResponse(responseCode = "404", description = "Not found", content = @Content(schema = @Schema(implementation = ErrorMessage.class)))})
+    @JsonView({ProviderApiKey.View.Public.class})
+    public Response getById(@PathParam("id") UUID id) {
+
+        String workspaceId = requestContext.get().getWorkspaceId();
+
+        log.info("Getting Provider's ApiKey by id '{}' on workspace_id '{}'", id, workspaceId);
+
+        ProviderApiKey providerApiKey = llmProviderApiKeyService.get(id, workspaceId);
+
+        log.info("Got Provider's ApiKey by id '{}' on workspace_id '{}'", id, workspaceId);
+
+        return Response.ok().entity(providerApiKey).build();
+    }
+
+    @POST
+    @Operation(operationId = "storeLlmProviderApiKey", summary = "Store LLM Provider's ApiKey", description = "Store LLM Provider's ApiKey", responses = {
+            @ApiResponse(responseCode = "201", description = "Created", headers = {
+                    @Header(name = "Location", required = true, example = "${basePath}/v1/private/proxy/api_key/{apiKeyId}", schema = @Schema(implementation = String.class))}),
+            @ApiResponse(responseCode = "401", description = "Bad Request", content = @Content(schema = @Schema(implementation = ErrorMessage.class))),
+            @ApiResponse(responseCode = "403", description = "Access forbidden", content = @Content(schema = @Schema(implementation = ErrorMessage.class)))
+    })
+    public Response saveApiKey(
+            @RequestBody(content = @Content(schema = @Schema(implementation = ProviderApiKey.class))) @JsonView(ProviderApiKey.View.Write.class) @Valid ProviderApiKey providerApiKey,
+            @Context UriInfo uriInfo) {
+        String workspaceId = requestContext.get().getWorkspaceId();
+        String userName = requestContext.get().getUserName();
+        log.info("Save api key for provider '{}', on workspace_id '{}'", providerApiKey.provider(), workspaceId);
+        var providerApiKeyId = llmProviderApiKeyService.saveApiKey(providerApiKey, userName, workspaceId).id();
+        log.info("Saved api key for provider '{}', on workspace_id '{}'", providerApiKey.provider(), workspaceId);
+
+        var uri = uriInfo.getAbsolutePathBuilder().path("/%s".formatted(providerApiKeyId)).build();
+
+        return Response.created(uri).build();
+    }
+
+    @PATCH
+    @Path("{id}")
+    @Operation(operationId = "updateLlmProviderApiKey", summary = "Update LLM Provider's ApiKey", description = "Update LLM Provider's ApiKey", responses = {
+            @ApiResponse(responseCode = "204", description = "No Content"),
+            @ApiResponse(responseCode = "401", description = "Bad Request", content = @Content(schema = @Schema(implementation = ErrorMessage.class))),
+            @ApiResponse(responseCode = "403", description = "Access forbidden", content = @Content(schema = @Schema(implementation = ErrorMessage.class))),
+            @ApiResponse(responseCode = "404", description = "Not found", content = @Content(schema = @Schema(implementation = ErrorMessage.class)))
+    })
+    public Response updateApiKey(@PathParam("id") UUID id,
+            @RequestBody(content = @Content(schema = @Schema(implementation = ProviderApiKeyUpdate.class))) @Valid ProviderApiKeyUpdate providerApiKeyUpdate) {
+        String workspaceId = requestContext.get().getWorkspaceId();
+        String userName = requestContext.get().getUserName();
+
+        log.info("Updating api key for provider with id '{}' on workspaceId '{}'", id, workspaceId);
+        llmProviderApiKeyService.updateApiKey(id, providerApiKeyUpdate, userName, workspaceId);
+        log.info("Updated api key for provider with id '{}' on workspaceId '{}'", id, workspaceId);
+
+        return Response.noContent().build();
+    }
+}

apps/opik-backend/src/main/java/com/comet/opik/domain/LlmProviderApiKeyDAO.java

@@ -0,0 +1,38 @@
+package com.comet.opik.domain;
+
+import com.comet.opik.api.ProviderApiKey;
+import com.comet.opik.infrastructure.db.UUIDArgumentFactory;
+import org.jdbi.v3.sqlobject.config.RegisterArgumentFactory;
+import org.jdbi.v3.sqlobject.config.RegisterConstructorMapper;
+import org.jdbi.v3.sqlobject.customizer.Bind;
+import org.jdbi.v3.sqlobject.customizer.BindMethods;
+import org.jdbi.v3.sqlobject.statement.SqlQuery;
+import org.jdbi.v3.sqlobject.statement.SqlUpdate;
+
+import java.util.Optional;
+import java.util.UUID;
+
+@RegisterConstructorMapper(ProviderApiKey.class)
+@RegisterArgumentFactory(UUIDArgumentFactory.class)
+public interface LlmProviderApiKeyDAO {
+
+    @SqlUpdate("INSERT INTO llm_provider_api_key (id, provider, workspace_id, api_key, created_by, last_updated_by) VALUES (:bean.id, :bean.provider, :workspaceId, :bean.apiKey, :bean.createdBy, :bean.lastUpdatedBy)")
+    void save(@Bind("workspaceId") String workspaceId,
+            @BindMethods("bean") ProviderApiKey providerApiKey);
+
+    @SqlUpdate("UPDATE llm_provider_api_key SET " +
+            "api_key = :apiKey, " +
+            "last_updated_by = :lastUpdatedBy " +
+            "WHERE id = :id AND workspace_id = :workspaceId")
+    void update(@Bind("id") UUID id,
+            @Bind("workspaceId") String workspaceId,
+            @Bind("apiKey") String encryptedApiKey,
+            @Bind("lastUpdatedBy") String lastUpdatedBy);
+
+    @SqlQuery("SELECT * FROM llm_provider_api_key WHERE id = :id AND workspace_id = :workspaceId")
+    ProviderApiKey findById(@Bind("id") UUID id, @Bind("workspaceId") String workspaceId);
+
+    default Optional<ProviderApiKey> fetch(UUID id, String workspaceId) {
+        return Optional.ofNullable(findById(id, workspaceId));
+    }
+}

apps/opik-backend/src/main/java/com/comet/opik/domain/LlmProviderApiKeyService.java

@@ -0,0 +1,118 @@
+package com.comet.opik.domain;
+
+import com.comet.opik.api.ProviderApiKey;
+import com.comet.opik.api.ProviderApiKeyUpdate;
+import com.comet.opik.api.error.EntityAlreadyExistsException;
+import com.comet.opik.api.error.ErrorMessage;
+import com.google.inject.ImplementedBy;
+import jakarta.inject.Inject;
+import jakarta.inject.Singleton;
+import jakarta.ws.rs.NotFoundException;
+import jakarta.ws.rs.core.Response;
+import lombok.NonNull;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.jdbi.v3.core.statement.UnableToExecuteStatementException;
+import ru.vyarus.guicey.jdbi3.tx.TransactionTemplate;
+
+import java.sql.SQLIntegrityConstraintViolationException;
+import java.util.List;
+import java.util.UUID;
+
+import static com.comet.opik.infrastructure.db.TransactionTemplateAsync.READ_ONLY;
+import static com.comet.opik.infrastructure.db.TransactionTemplateAsync.WRITE;
+
+@ImplementedBy(LlmProviderApiKeyServiceImpl.class)
+public interface LlmProviderApiKeyService {
+
+    ProviderApiKey get(UUID id, String workspaceId);
+    ProviderApiKey saveApiKey(ProviderApiKey providerApiKey, String userName, String workspaceId);
+    void updateApiKey(UUID id, ProviderApiKeyUpdate providerApiKeyUpdate, String userName, String workspaceId);
+}
+
+@Slf4j
+@Singleton
+@RequiredArgsConstructor(onConstructor_ = @Inject)
+class LlmProviderApiKeyServiceImpl implements LlmProviderApiKeyService {
+
+    private static final String PROVIDER_API_KEY_ALREADY_EXISTS = "Api key for this provider already exists";
+    private final @NonNull IdGenerator idGenerator;
+    private final @NonNull TransactionTemplate template;
+
+    @Override
+    public ProviderApiKey get(UUID id, String workspaceId) {
+        log.info("Getting provider api key with id '{}', workspaceId '{}'", id, workspaceId);
+
+        ProviderApiKey providerApiKey = template.inTransaction(READ_ONLY, handle -> {
+
+            var repository = handle.attach(LlmProviderApiKeyDAO.class);
+
+            return repository.fetch(id, workspaceId).orElseThrow(this::createNotFoundError);
+        });
+        log.info("Got provider api key with id '{}', workspaceId '{}'", id, workspaceId);
+
+        return providerApiKey.toBuilder()
+                .build();
+    }
+
+    @Override
+    public ProviderApiKey saveApiKey(@NonNull ProviderApiKey providerApiKey, String userName, String workspaceId) {
+        UUID apiKeyId = idGenerator.generateId();
+
+        var newProviderApiKey = providerApiKey.toBuilder()
+                .id(apiKeyId)
+                .createdBy(userName)
+                .lastUpdatedBy(userName)
+                .build();
+
+        try {
+            template.inTransaction(WRITE, handle -> {
+
+                var repository = handle.attach(LlmProviderApiKeyDAO.class);
+                repository.save(workspaceId, newProviderApiKey);
+
+                return newProviderApiKey;
+            });
+
+            return get(apiKeyId, workspaceId);
+        } catch (UnableToExecuteStatementException e) {
+            if (e.getCause() instanceof SQLIntegrityConstraintViolationException) {
+                throw newConflict();
+            } else {
+                throw e;
+            }
+        }
+    }
+
+    @Override
+    public void updateApiKey(@NonNull UUID id, @NonNull ProviderApiKeyUpdate providerApiKeyUpdate, String userName,
+            String workspaceId) {
+
+        template.inTransaction(WRITE, handle -> {
+
+            var repository = handle.attach(LlmProviderApiKeyDAO.class);
+
+            ProviderApiKey providerApiKey = repository.fetch(id, workspaceId)
+                    .orElseThrow(this::createNotFoundError);
+
+            repository.update(providerApiKey.id(),
+                    workspaceId,
+                    providerApiKeyUpdate.getApiKey(),
+                    userName);
+
+            return null;
+        });
+    }
+
+    private EntityAlreadyExistsException newConflict() {
+        log.info(PROVIDER_API_KEY_ALREADY_EXISTS);
+        return new EntityAlreadyExistsException(new ErrorMessage(List.of(PROVIDER_API_KEY_ALREADY_EXISTS)));
+    }
+
+    private NotFoundException createNotFoundError() {
+        String message = "Provider api key not found";
+        log.info(message);
+        return new NotFoundException(message,
+                Response.status(Response.Status.NOT_FOUND).entity(new ErrorMessage(List.of(message))).build());
+    }
+}

apps/opik-backend/src/main/java/com/comet/opik/infrastructure/EncryptionConfig.java

@@ -0,0 +1,16 @@
+package com.comet.opik.infrastructure;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import jakarta.validation.Valid;
+import jakarta.validation.constraints.NotNull;
+import lombok.Data;
+import lombok.ToString;
+
+@Data
+public class EncryptionConfig {
+
+    @Valid
+    @JsonProperty
+    @NotNull @ToString.Exclude
+    private String key;
+}