perm sync validation framework (#4958)

* perm synce validation framework

* frontend fixes

* validate perm sync when getting runner

* attempt to fix integration tests

* added new file

* oops

* skipping salesforce test due to creds

* add todo

Author: evan-onyx

backend/ee/onyx/background/celery/tasks/doc_permission_syncing/tasks.py

@@ -425,6 +425,7 @@ def connector_permission_sync_generator_task(
                 created = validate_ccpair_for_user(
                     cc_pair.connector.id,
                     cc_pair.credential.id,
+                    cc_pair.access_type,
                     db_session,
                     enforce_creation=False,
                 )

backend/ee/onyx/connectors/perm_sync_valid.py

@@ -0,0 +1,28 @@
+from onyx.connectors.confluence.connector import ConfluenceConnector
+from onyx.connectors.google_drive.connector import GoogleDriveConnector
+from onyx.connectors.interfaces import BaseConnector
+
+
+def validate_confluence_perm_sync(connector: ConfluenceConnector) -> None:
+    """
+    Validate that the connector is configured correctly for permissions syncing.
+    """
+
+
+def validate_drive_perm_sync(connector: GoogleDriveConnector) -> None:
+    """
+    Validate that the connector is configured correctly for permissions syncing.
+    """
+
+
+def validate_perm_sync(connector: BaseConnector) -> None:
+    """
+    Override this if your connector needs to validate permissions syncing.
+    Raise an exception if invalid, otherwise do nothing.
+
+    Default is a no-op (always successful).
+    """
+    if isinstance(connector, ConfluenceConnector):
+        validate_confluence_perm_sync(connector)
+    elif isinstance(connector, GoogleDriveConnector):
+        validate_drive_perm_sync(connector)

backend/onyx/background/indexing/run_indexing.py

@@ -103,6 +103,8 @@ def _get_connector_runner(
         # validate the connector settings
         if not INTEGRATION_TESTS_MODE:
             runnable_connector.validate_connector_settings()
+            if attempt.connector_credential_pair.access_type == AccessType.SYNC:
+                runnable_connector.validate_perm_sync()
 
     except UnexpectedValidationError as e:
         logger.exception(

backend/onyx/connectors/factory.py

@@ -60,6 +60,7 @@
 from onyx.db.connector import fetch_connector_by_id
 from onyx.db.credentials import backend_update_credential_json
 from onyx.db.credentials import fetch_credential_by_id
+from onyx.db.enums import AccessType
 from onyx.db.models import Credential
 from shared_configs.contextvars import get_current_tenant_id
 
@@ -193,6 +194,7 @@ def instantiate_connector(
 def validate_ccpair_for_user(
     connector_id: int,
     credential_id: int,
+    access_type: AccessType,
     db_session: Session,
     enforce_creation: bool = True,
 ) -> bool:
@@ -235,4 +237,6 @@ def validate_ccpair_for_user(
             return False
 
     runnable_connector.validate_connector_settings()
+    if access_type == AccessType.SYNC:
+        runnable_connector.validate_perm_sync()
     return True

backend/onyx/connectors/interfaces.py

@@ -15,6 +15,7 @@
 from onyx.connectors.models import Document
 from onyx.connectors.models import SlimDocument
 from onyx.indexing.indexing_heartbeat import IndexingHeartbeatInterface
+from onyx.utils.variable_functionality import fetch_ee_implementation_or_noop
 
 SecondsSinceUnixEpoch = float
 
@@ -59,6 +60,18 @@ def validate_connector_settings(self) -> None:
         Default is a no-op (always successful).
         """
 
+    def validate_perm_sync(self) -> None:
+        """
+        Don't override this; add a function to perm_sync_valid.py in the ee package
+        to do permission sync validation
+        """
+        validate_connector_settings_fn = fetch_ee_implementation_or_noop(
+            "onyx.connectors.perm_sync_valid",
+            "validate_perm_sync",
+            noop_return_value=None,
+        )
+        validate_connector_settings_fn(self)
+
     def set_allow_images(self, value: bool) -> None:
         """Implement if the underlying connector wants to skip/allow image downloading
         based on the application level image analysis setting."""

backend/onyx/server/documents/cc_pair.py

@@ -466,7 +466,9 @@ def associate_credential_to_connector(
     )
 
     try:
-        validate_ccpair_for_user(connector_id, credential_id, db_session)
+        validate_ccpair_for_user(
+            connector_id, credential_id, metadata.access_type, db_session
+        )
 
         response = add_credential_to_connector(
             db_session=db_session,

backend/onyx/server/documents/connector.py

@@ -953,6 +953,7 @@ def create_connector_with_mock_credential(
         validate_ccpair_for_user(
             connector_id=connector_id,
             credential_id=credential_id,
+            access_type=connector_data.access_type,
             db_session=db_session,
         )
         response = add_credential_to_connector(

backend/onyx/server/documents/credential.py

@@ -104,6 +104,7 @@ def swap_credentials_for_connector(
     validate_ccpair_for_user(
         credential_swap_req.connector_id,
         credential_swap_req.new_credential_id,
+        credential_swap_req.access_type,
         db_session,
     )
 

backend/onyx/server/documents/models.py

@@ -106,6 +106,7 @@ def from_connector_db_model(
 class CredentialSwapRequest(BaseModel):
     new_credential_id: int
     connector_id: int
+    access_type: AccessType
 
 
 class CredentialDataUpdateRequest(BaseModel):

backend/tests/integration/tests/indexing/test_repeated_error_state.py

@@ -86,7 +86,7 @@ def test_repeated_error_state_detection_and_recovery(
             for ia in index_attempts_page.items
             if ia.status and ia.status.is_terminal()
         ]
-        if len(index_attempts) == NUM_REPEAT_ERRORS_BEFORE_REPEATED_ERROR_STATE:
+        if len(index_attempts) >= NUM_REPEAT_ERRORS_BEFORE_REPEATED_ERROR_STATE:
             break
 
         if time.monotonic() - start_time > 180: