Add configured object external payload storage

durable-workflow-ops · durable-workflow-ops · commit a70ceea7adc5 · 2026-04-22T10:31:19.000Z
Add object external payload storage driver
diff --git a/app/Http/Controllers/Api/NamespaceController.php b/app/Http/Controllers/Api/NamespaceController.php
@@ -141,6 +141,7 @@ public function updateExternalStorage(Request $request, string $namespace): Json
             'config' => ['nullable', 'array'],
             'config.uri' => ['nullable', 'string', 'max:2048'],
             'config.bucket' => ['nullable', 'string', 'max:255'],
+            'config.disk' => ['nullable', 'string', 'max:255'],
             'config.prefix' => ['nullable', 'string', 'max:1024'],
             'config.region' => ['nullable', 'string', 'max:128'],
             'config.endpoint' => ['nullable', 'string', 'max:2048'],
diff --git a/app/Http/Controllers/Api/StorageController.php b/app/Http/Controllers/Api/StorageController.php
@@ -4,14 +4,18 @@
 
 use App\Models\WorkflowNamespace;
 use App\Support\ControlPlaneProtocol;
+use App\Support\NamespaceExternalPayloadStorage;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
-use Illuminate\Support\Facades\File;
-use Illuminate\Support\Str;
 use Illuminate\Validation\Rule;
+use Workflow\V2\Contracts\ExternalPayloadStorageDriver;
 
 class StorageController
 {
+    public function __construct(
+        private readonly NamespaceExternalPayloadStorage $externalPayloadStorage,
+    ) {}
+
     public function test(Request $request): JsonResponse
     {
         if ($response = ControlPlaneProtocol::rejectUnsupported($request)) {
@@ -37,24 +41,34 @@ public function test(Request $request): JsonResponse
             return $this->diagnosticError('external_storage_disabled', 'External payload storage is disabled for this namespace.', $namespace, $driver);
         }
 
-        if ($driver !== 'local') {
+        if ($driver !== ($policy['driver'] ?? null)) {
             return $this->diagnosticError(
                 'storage_driver_unavailable',
-                'The server can persist this storage policy, but only the local diagnostic driver can run a round-trip test in this release.',
+                'The requested external payload storage driver is not configured for this namespace.',
                 $namespace,
                 $driver,
                 ['supported_diagnostic_drivers' => ['local']],
             );
         }
 
-        $directory = $this->localDirectory($policy, $namespace);
+        $storage = $this->externalPayloadStorage->driverFor($namespace);
+
+        if ($storage === null) {
+            return $this->diagnosticError(
+                'storage_driver_unavailable',
+                'The server can persist this storage policy, but the configured storage driver is not available in this runtime.',
+                $namespace,
+                $driver,
+                ['supported_diagnostic_drivers' => ['local', 's3', 'gcs', 'azure']],
+            );
+        }
 
         return ControlPlaneProtocol::json([
             'status' => 'passed',
             'namespace' => $namespace,
             'driver' => $driver,
-            'small_payload' => $this->roundTrip($directory, 'small', (int) $validated['small_payload_bytes']),
-            'large_payload' => $this->roundTrip($directory, 'large', (int) $validated['large_payload_bytes']),
+            'small_payload' => $this->roundTrip($storage, 'small', (int) $validated['small_payload_bytes']),
+            'large_payload' => $this->roundTrip($storage, 'large', (int) $validated['large_payload_bytes']),
         ]);
     }
 
@@ -74,27 +88,13 @@ private function diagnosticError(
         ] + $extra, 422);
     }
 
-    private function localDirectory(array $policy, string $namespace): string
+    private function roundTrip(ExternalPayloadStorageDriver $storage, string $kind, int $bytes): array
     {
-        $uri = $policy['config']['uri'] ?? null;
-        if (is_string($uri) && str_starts_with($uri, 'file://')) {
-            return rtrim(substr($uri, 7), '/');
-        }
-
-        return storage_path('app/external-payloads/'.$namespace);
-    }
-
-    private function roundTrip(string $directory, string $kind, int $bytes): array
-    {
-        File::ensureDirectoryExists($directory);
-
-        $path = $directory.'/storage-test-'.$kind.'-'.(string) Str::uuid().'.bin';
         $payload = str_repeat($kind === 'small' ? 's' : 'l', $bytes);
         $expectedHash = hash('sha256', $payload);
-
-        file_put_contents($path, $payload);
-        $read = file_get_contents($path);
-        @unlink($path);
+        $uri = $storage->put($payload, $expectedHash, 'storage-test-'.$kind);
+        $read = $storage->get($uri);
+        $storage->delete($uri);
 
         if ($read !== $payload) {
             throw new \RuntimeException('External storage round trip failed integrity verification.');
@@ -104,7 +104,7 @@ private function roundTrip(string $directory, string $kind, int $bytes): array
             'status' => 'passed',
             'bytes' => $bytes,
             'sha256' => $expectedHash,
-            'reference_uri' => 'file://'.$path,
+            'reference_uri' => $uri,
         ];
     }
 }
diff --git a/app/Support/FilesystemExternalPayloadStorage.php b/app/Support/FilesystemExternalPayloadStorage.php
@@ -0,0 +1,106 @@
+<?php
+
+namespace App\Support;
+
+use Illuminate\Support\Facades\Storage;
+use InvalidArgumentException;
+use RuntimeException;
+use Workflow\V2\Contracts\ExternalPayloadStorageDriver;
+
+class FilesystemExternalPayloadStorage implements ExternalPayloadStorageDriver
+{
+    public function __construct(
+        private readonly string $disk,
+        private readonly string $scheme,
+        private readonly string $bucket,
+        private readonly string $prefix = '',
+    ) {}
+
+    public function put(string $data, string $sha256, string $codec): string
+    {
+        $this->validateSha256($sha256);
+
+        $key = $this->keyFor($sha256, $codec);
+
+        if (Storage::disk($this->disk)->put($key, $data) === false) {
+            throw new RuntimeException(sprintf('Unable to write external payload [%s].', $this->uriFor($key)));
+        }
+
+        return $this->uriFor($key);
+    }
+
+    public function get(string $uri): string
+    {
+        $key = $this->keyFromUri($uri);
+
+        if (! Storage::disk($this->disk)->exists($key)) {
+            throw new RuntimeException(sprintf('Unable to read external payload [%s].', $uri));
+        }
+
+        return Storage::disk($this->disk)->get($key);
+    }
+
+    public function delete(string $uri): void
+    {
+        $key = $this->keyFromUri($uri);
+
+        if (Storage::disk($this->disk)->exists($key)) {
+            Storage::disk($this->disk)->delete($key);
+        }
+    }
+
+    private function keyFor(string $sha256, string $codec): string
+    {
+        $codecSegment = $this->safeCodecSegment($codec);
+
+        return $this->prefix.$codecSegment.'/'.substr($sha256, 0, 2).'/'.$sha256;
+    }
+
+    private function uriFor(string $key): string
+    {
+        return $this->scheme.'://'.$this->bucket.'/'.$key;
+    }
+
+    private function keyFromUri(string $uri): string
+    {
+        $parts = parse_url($uri);
+
+        if (($parts['scheme'] ?? null) !== $this->scheme) {
+            throw new InvalidArgumentException(sprintf(
+                'External payload URI scheme must be [%s].',
+                $this->scheme,
+            ));
+        }
+
+        if (($parts['host'] ?? '') !== $this->bucket) {
+            throw new InvalidArgumentException(sprintf(
+                'External payload URI bucket must be [%s].',
+                $this->bucket,
+            ));
+        }
+
+        $key = ltrim(rawurldecode($parts['path'] ?? ''), '/');
+
+        if ($key === '' || str_contains($key, '..') || ! str_starts_with($key, $this->prefix)) {
+            throw new InvalidArgumentException('External payload URI is outside the configured storage prefix.');
+        }
+
+        return $key;
+    }
+
+    private function validateSha256(string $sha256): void
+    {
+        if (! preg_match('/\A[a-f0-9]{64}\z/i', $sha256)) {
+            throw new InvalidArgumentException('sha256 must be a hex digest.');
+        }
+    }
+
+    private function safeCodecSegment(string $codec): string
+    {
+        if (! preg_match('/\A[A-Za-z0-9_.-]+\z/', $codec)) {
+            throw new InvalidArgumentException('Codec contains characters that are unsafe for external storage keys.');
+        }
+
+        return $codec;
+    }
+}
diff --git a/app/Support/NamespaceExternalPayloadStorage.php b/app/Support/NamespaceExternalPayloadStorage.php
@@ -20,11 +20,27 @@ public function driverFor(?string $namespace): ?ExternalPayloadStorageDriver
 
         $driver = $policy['driver'] ?? null;
 
-        if ($driver !== 'local') {
-            return null;
+        if ($driver === 'local') {
+            return new LocalFilesystemExternalPayloadStorage($this->localRoot($policy, $namespace));
         }
 
-        return new LocalFilesystemExternalPayloadStorage($this->localRoot($policy, $namespace));
+        if (in_array($driver, ['s3', 'gcs', 'azure'], true)) {
+            $disk = $policy['config']['disk'] ?? null;
+            $bucket = $policy['config']['bucket'] ?? null;
+
+            if (! is_string($disk) || $disk === '' || ! is_string($bucket) || $bucket === '') {
+                return null;
+            }
+
+            return new FilesystemExternalPayloadStorage(
+                disk: $disk,
+                scheme: $driver,
+                bucket: $bucket,
+                prefix: $this->prefix($policy),
+            );
+        }
+
+        return null;
     }
 
     /**
@@ -40,4 +56,18 @@ private function localRoot(array $policy, string $namespace): string
 
         return storage_path('app/external-payloads/'.$namespace);
     }
+
+    /**
+     * @param  array<string, mixed>  $policy
+     */
+    private function prefix(array $policy): string
+    {
+        $prefix = $policy['config']['prefix'] ?? '';
+
+        if (! is_string($prefix) || $prefix === '') {
+            return '';
+        }
+
+        return trim($prefix, '/').'/';
+    }
 }
diff --git a/tests/Feature/ExternalPayloadStorageTest.php b/tests/Feature/ExternalPayloadStorageTest.php
@@ -6,6 +6,7 @@
 use App\Support\ControlPlaneProtocol;
 use Illuminate\Foundation\Testing\RefreshDatabase;
 use Illuminate\Support\Facades\File;
+use Illuminate\Support\Facades\Storage;
 use Tests\TestCase;
 
 class ExternalPayloadStorageTest extends TestCase
@@ -106,6 +107,41 @@ public function test_local_storage_diagnostic_round_trips_small_and_large_payloa
         $this->assertSame([], glob($this->storageDirectory.'/storage-test-*.bin') ?: []);
     }
 
+    public function test_configured_object_storage_diagnostic_round_trips_payloads(): void
+    {
+        Storage::fake('external-payload-objects');
+
+        $this->createNamespace('billing', [
+            'driver' => 's3',
+            'enabled' => true,
+            'threshold_bytes' => 32,
+            'config' => [
+                'disk' => 'external-payload-objects',
+                'bucket' => 'dw-payloads',
+                'prefix' => 'diagnostics/',
+            ],
+        ]);
+
+        $response = $this->postJson('/api/storage/test', [
+            'small_payload_bytes' => 16,
+            'large_payload_bytes' => 64,
+        ], ['X-Namespace' => 'billing']);
+
+        $smallHash = hash('sha256', str_repeat('s', 16));
+
+        $response->assertOk()
+            ->assertJsonPath('status', 'passed')
+            ->assertJsonPath('namespace', 'billing')
+            ->assertJsonPath('driver', 's3')
+            ->assertJsonPath('small_payload.status', 'passed')
+            ->assertJsonPath('small_payload.bytes', 16)
+            ->assertJsonPath('small_payload.reference_uri', 's3://dw-payloads/diagnostics/storage-test-small/'.substr($smallHash, 0, 2).'/'.$smallHash)
+            ->assertJsonPath('large_payload.status', 'passed')
+            ->assertJsonPath('large_payload.bytes', 64);
+
+        $this->assertSame([], Storage::disk('external-payload-objects')->allFiles());
+    }
+
     public function test_storage_diagnostic_reports_unconfigured_and_unavailable_drivers(): void
     {
         $this->createNamespace('default');
diff --git a/tests/Feature/HistoryRetentionTest.php b/tests/Feature/HistoryRetentionTest.php
@@ -10,6 +10,7 @@
 use Illuminate\Support\Facades\Cache;
 use Illuminate\Support\Facades\File;
 use Illuminate\Support\Facades\Queue;
+use Illuminate\Support\Facades\Storage;
 use Tests\Feature\Concerns\ServerTestHelpers;
 use Tests\Fixtures\ExternalGreetingWorkflow;
 use Tests\TestCase;
@@ -332,6 +333,55 @@ public function test_retention_pass_blocks_external_payload_prune_when_driver_is
         $this->assertNotNull(WorkflowRunSummary::find($runId));
     }
 
+    public function test_retention_pass_deletes_configured_object_storage_references(): void
+    {
+        Queue::fake();
+        Storage::fake('retention-object-payloads');
+
+        $this->createNamespace('default');
+        WorkflowNamespace::where('name', 'default')->update([
+            'external_payload_storage' => [
+                'driver' => 's3',
+                'enabled' => true,
+                'config' => [
+                    'disk' => 'retention-object-payloads',
+                    'bucket' => 'dw-payloads',
+                    'prefix' => 'retention/',
+                ],
+            ],
+        ]);
+
+        $runId = $this->createExpiredClosedRun('default', 'wf-prune-external-s3-configured');
+        $payload = 'large encoded payload bytes';
+        $key = 'retention/avro/'.substr(hash('sha256', $payload), 0, 2).'/'.hash('sha256', $payload);
+
+        Storage::disk('retention-object-payloads')->put($key, $payload);
+
+        WorkflowHistoryEvent::query()->create([
+            'workflow_run_id' => $runId,
+            'sequence' => 999,
+            'event_type' => HistoryEventType::ActivityCompleted->value,
+            'payload' => [
+                'result' => [
+                    'external_storage' => $this->externalStorageReference('s3://dw-payloads/'.$key, $payload),
+                ],
+            ],
+            'recorded_at' => now(),
+        ]);
+
+        Storage::disk('retention-object-payloads')->assertExists($key);
+
+        $this->withHeaders($this->apiHeaders())
+            ->postJson('/api/system/retention/pass')
+            ->assertOk()
+            ->assertJsonPath('processed', 1)
+            ->assertJsonPath('pruned', 1)
+            ->assertJsonPath('results.0.external_payloads_deleted', 1);
+
+        Storage::disk('retention-object-payloads')->assertMissing($key);
+        $this->assertNull(WorkflowRunSummary::find($runId));
+    }
+
     public function test_retention_pass_with_specific_run_ids(): void
     {
         $this->createNamespace('default');
