fix listing stacked credentials

Signed-off-by: Grant Linville <[email protected]>

Author: g-linville

pkg/credentials/dbstore.go

@@ -14,6 +14,7 @@ import (
 	"github.com/adrg/xdg"
 	"github.com/glebarez/sqlite"
 	"github.com/gptscript-ai/gptscript/pkg/config"
+	"golang.org/x/exp/maps"
 	"gorm.io/gorm"
 	"gorm.io/gorm/logger"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -302,28 +303,59 @@ func (d *DBStore) Remove(ctx context.Context, toolName string) error {
 }
 
 func (d *DBStore) List(ctx context.Context) ([]Credential, error) {
-	var (
-		dbCreds []GptscriptCredential
-		err     error
-	)
-	if err = d.db.WithContext(ctx).Where("context = ?", first(d.credCtxs)).Find(&dbCreds).Error; err != nil {
+	if first(d.credCtxs) == AllCredentialContexts {
+		return d.listAll(ctx)
+	}
+
+	credsByContext := make(map[string][]GptscriptCredential)
+	for _, credCtx := range d.credCtxs {
+		var creds []GptscriptCredential
+		if err := d.db.WithContext(ctx).Where("context = ?", credCtx).Find(&creds).Error; err != nil {
+			return nil, fmt.Errorf("failed to list credentials: %w", err)
+		}
+		credsByContext[credCtx] = creds
+	}
+
+	// Go through the contexts in reverse order so that higher priority contexts override lower ones.
+	credsByName := make(map[string]Credential)
+	for i := len(d.credCtxs) - 1; i >= 0; i-- {
+		for _, dbCred := range credsByContext[d.credCtxs[i]] {
+			dbCred, err := d.decryptCred(ctx, dbCred)
+			if err != nil {
+				return nil, fmt.Errorf("failed to decrypt credential: %w", err)
+			}
+
+			cred, err := dbCredToCred(dbCred)
+			if err != nil {
+				return nil, fmt.Errorf("failed to convert GptscriptCredential to Credential: %w", err)
+			}
+
+			credsByName[cred.ToolName] = cred
+		}
+	}
+
+	return maps.Values(credsByName), nil
+}
+
+func (d *DBStore) listAll(ctx context.Context) ([]Credential, error) {
+	var allCreds []GptscriptCredential
+	if err := d.db.WithContext(ctx).Find(&allCreds).Error; err != nil {
 		return nil, fmt.Errorf("failed to list credentials: %w", err)
 	}
 
-	var credentials []Credential
-	for _, dbCred := range dbCreds {
-		dbCred, err = d.decryptCred(ctx, dbCred)
+	var creds []Credential
+	for _, dbCred := range allCreds {
+		dbCred, err := d.decryptCred(ctx, dbCred)
 		if err != nil {
 			return nil, fmt.Errorf("failed to decrypt credential: %w", err)
 		}
 
-		credential, err := dbCredToCred(dbCred)
+		cred, err := dbCredToCred(dbCred)
 		if err != nil {
 			return nil, fmt.Errorf("failed to convert GptscriptCredential to Credential: %w", err)
 		}
-
-		credentials = append(credentials, credential)
+		creds = append(creds, cred)
 	}
 
-	return credentials, nil
+	return creds, nil
 }

pkg/credentials/dbstore_test.go

@@ -25,7 +25,8 @@ func TestDBStore(t *testing.T) {
 		RefreshToken: "myrefreshtoken",
 	}
 
-	cfg, _ := config.ReadCLIConfig("")
+	cfg, err := config.ReadCLIConfig("")
+	require.NoError(t, err)
 
 	// Set up the store
 	store, err := NewDBStore(context.Background(), cfg, []string{credCtx})
@@ -60,3 +61,74 @@ func TestDBStore(t *testing.T) {
 	// Delete the credential
 	require.NoError(t, store.Remove(context.Background(), credential.ToolName))
 }
+
+func TestDBStoreStackedContexts(t *testing.T) {
+	const (
+		credCtx1 = "testing1"
+		credCtx2 = "testing2"
+	)
+
+	bytes := make([]byte, 16)
+	_, err := rand.Read(bytes)
+	require.NoError(t, err)
+
+	credential1 := Credential{
+		Context:  credCtx1,
+		ToolName: fmt.Sprintf("%x", bytes),
+		Type:     CredentialTypeTool,
+		Env:      map[string]string{"ENV_VAR": "value"},
+	}
+
+	credential2 := Credential{
+		Context:  credCtx2,
+		ToolName: fmt.Sprintf("%x", bytes),
+		Type:     CredentialTypeTool,
+		Env:      map[string]string{"ENV_VAR": "value"},
+	}
+
+	cfg, err := config.ReadCLIConfig("")
+	require.NoError(t, err)
+
+	// Set up the stores
+	store1, err := NewDBStore(context.Background(), cfg, []string{credCtx1})
+	require.NoError(t, err)
+	store2, err := NewDBStore(context.Background(), cfg, []string{credCtx2})
+	require.NoError(t, err)
+
+	// Create both credentials
+	require.NoError(t, store1.Add(context.Background(), credential1))
+	require.NoError(t, store2.Add(context.Background(), credential2))
+
+	// Set up a store with both contexts
+	storeBoth, err := NewDBStore(context.Background(), cfg, []string{credCtx1, credCtx2})
+	require.NoError(t, err)
+
+	// Get the credential. We should get credential1.
+	cred, found, err := storeBoth.Get(context.Background(), credential1.ToolName)
+	require.NoError(t, err)
+	require.True(t, found)
+	require.Equal(t, credential1.ToolName, cred.ToolName)
+	require.Equal(t, credential1.Context, cred.Context)
+	require.Equal(t, credential1.Env, cred.Env)
+
+	// List credentials. We should only get credential1.
+	list, err := storeBoth.List(context.Background())
+	require.NoError(t, err)
+
+	found = false
+	for _, c := range list {
+		if c.ToolName == credential1.ToolName {
+			require.Equal(t, credential1.Env, c.Env)
+			require.Equal(t, credential1.Context, c.Context)
+			found = true
+			break
+		} else {
+			require.Fail(t, "unexpected credential found")
+		}
+	}
+	require.True(t, found)
+
+	// Delete both credentials
+	require.NoError(t, store1.Remove(context.Background(), credential1.ToolName))
+	require.NoError(t, store2.Remove(context.Background(), credential2.ToolName))
+}