merge dev -> main

wimblow · web-flow · commit 3d78709c177a · 2025-08-28T11:42:37.000+02:00
maj main
review already done on develop MR
diff --git a/README.md b/README.md
@@ -43,6 +43,23 @@ Le projet est structuré en trois composants principaux :
 - **ContextualCompressorProvider** (Contetual Compressor)
     - BloomZ = "BloomzRerank"
 
+## Secret Keys
+
+Types disponibles :  
+- **RawSecretKey** : stocke directement la valeur du secret.  
+  - Champ principal : `secret`  
+  - Alias rétro-compatible : `value` (encore utilisable pour compatibilité, mais à éviter dans les nouvelles configurations).
+- **AwsSecretKey** : référence un secret dans **AWS Secrets Manager**.  
+- **KubernetesSecretKey** : référence un secret dans **Kubernetes Secrets**.  
+- **GcpSecretKey** : référence un secret dans **GCP Secret Manager**.
+
+### GCP Secret Manager
+
+Pour utiliser `GcpSecretKey`, un `project_id` GCP doit être disponible.  
+Il est résolu automatiquement de la façon suivante :
+
+1. Si la variable d’environnement `GCP_PROJECT_ID` est définie -> elle est utilisée directement.  
+2. Sinon, le `project_id` est automatiquement détecté à partir des credentials Google (`GOOGLE_APPLICATION_CREDENTIALS`).  
 
 ## Settings
 
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "tock-genai-core"
-version = "1.3.1"
+version = "1.4.0"
 description = ""
 authors = ["Baptiste Le Goff <baptiste.le-goff@arkea.com>"]
 readme = "README.md"
@@ -20,6 +20,9 @@ pydantic-settings = "^2.7.1"
 text-generation = "^0.7.0"
 tiktoken = "^0.8.0"
 uvicorn = "^0.34.0"
+boto3 = "^1.35.96"
+google-cloud-secret-manager = "^2.22.0"
+google-api-core = "^2.25.1"
 
 [tool.poetry.group.dev.dependencies]
 pylint = "^3.3.6"
diff --git a/src/tock_genai_core/__init__.py b/src/tock_genai_core/__init__.py
@@ -1,3 +1,3 @@
 # -*- coding: utf-8 -*-
 
-__version__ = "1.3.1"
+__version__ = "1.4.0"
diff --git a/src/tock_genai_core/models/security/aws_secret_key/aws_secret_key.py b/src/tock_genai_core/models/security/aws_secret_key/aws_secret_key.py
@@ -5,11 +5,8 @@
 A class for AWS Secret Key.
 Used to store the secret name managed in AWS Secrets Manager.
 
-Authors:
-    * Baptiste Le Goff: baptiste.le-goff@arkea.com
-    * Killian Mahé: killian.mahe@partnre.com
-    * Luigi Bokalli: luigi.bokalli@partnre.com
-    * Noé Chabanon: noe.chabanon@partnre.com
+Author:
+    * Louis-Marie Toudoire louis-marie.toudoire@partnre.com
 """
 from typing import Literal
 
diff --git a/src/tock_genai_core/models/security/gcp_secret_key/__init__.py b/src/tock_genai_core/models/security/gcp_secret_key/__init__.py
@@ -0,0 +1,2 @@
+# -*- coding: utf-8 -*-
+from .gcp_secret_key import GcpSecretKey
diff --git a/src/tock_genai_core/models/security/gcp_secret_key/gcp_secret_key.py b/src/tock_genai_core/models/security/gcp_secret_key/gcp_secret_key.py
@@ -0,0 +1,41 @@
+# -*- coding: utf-8 -*-
+"""
+GcpSecretKey
+
+A class for GCP Secret Key.
+Used to store the secret name managed in GCP Secrets Manager.
+
+Author:
+    * Louis-Marie Toudoire louis-marie.toudoire@partnre.com
+"""
+from typing import Literal
+
+from pydantic import Field
+
+from tock_genai_core.models.security.secret_key import BaseSecretKey
+from tock_genai_core.models.security.secret_key_type import SecretKeyType
+
+
+class GcpSecretKey(BaseSecretKey):
+    """
+    A class for GCP Secret Key.
+    Used to store the secret name managed in GCP Secret Manager.
+
+    Attributes
+    ----------
+    type: Literal[SecretKeyType.GCP_SECRETS_MANAGER]
+        The Secret Key type (default: SecretKeyType.GCP_SECRETS_MANAGER )
+    secret_name: str
+        The secret name managed in GCP Secret Manager
+    """
+
+    type: Literal[SecretKeyType.GCP_SECRETS_MANAGER] = Field(
+        description="The Secret Key type.",
+        examples=[SecretKeyType.GCP_SECRETS_MANAGER],
+        default=SecretKeyType.GCP_SECRETS_MANAGER,
+    )
+    secret_name: str = Field(
+        description="The secret name managed in GCP Secret Manager.",
+        examples=["PROD/App/openaiapi_key"],
+        min_length=1,
+    )
diff --git a/src/tock_genai_core/models/security/raw_secret_key/raw_secret_key.py b/src/tock_genai_core/models/security/raw_secret_key/raw_secret_key.py
@@ -38,4 +38,4 @@ class RawSecretKey(BaseSecretKey):
         examples=[SecretKeyType.RAW],
         default=SecretKeyType.RAW,
     )
-    value: str = Field(description="The secret value.", examples=["145d-ff455g-e4r5gf"], min_length=1)
+    secret: str = Field(description="The secret value.", examples=["145d-ff455g-e4r5gf"], min_length=1, alias="value")
diff --git a/src/tock_genai_core/models/security/secret_key_type.py b/src/tock_genai_core/models/security/secret_key_type.py
@@ -20,3 +20,4 @@ class SecretKeyType(str, Enum):
     RAW = "Raw"
     AWS_SECRETS_MANAGER = "AwsSecretsManager"
     KUBERNETES_SECRET = "KubeSecret"
+    GCP_SECRETS_MANAGER = "GcpSecretManager"
diff --git a/src/tock_genai_core/models/security/security_type.py b/src/tock_genai_core/models/security/security_type.py
@@ -3,10 +3,11 @@
 from pydantic import Field
 
 from tock_genai_core.models.security.aws_secret_key import AwsSecretKey
+from tock_genai_core.models.security.gcp_secret_key import GcpSecretKey
 from tock_genai_core.models.security.raw_secret_key import RawSecretKey
 from tock_genai_core.models.security.kube_secret_key import KubernetesSecretKey
 
 SecretKey = Annotated[
-    Union[RawSecretKey, AwsSecretKey, KubernetesSecretKey],
+    Union[RawSecretKey, AwsSecretKey, KubernetesSecretKey, GcpSecretKey],
     Field(discriminator="type"),
 ]
diff --git a/src/tock_genai_core/services/security/security_service.py b/src/tock_genai_core/services/security/security_service.py
@@ -1,9 +1,13 @@
+import os
 from typing import Optional, Union, Dict
 
+from tock_genai_core.models.security.gcp_secret_key import GcpSecretKey
 from tock_genai_core.models.security.security_type import SecretKey
 from tock_genai_core.models.security.raw_secret_key import RawSecretKey
 from tock_genai_core.models.security.aws_secret_key import AwsSecretKey
 from tock_genai_core.models.security.kube_secret_key import KubernetesSecretKey
+from tock_genai_core.utils.aws.aws_secrets_manager_client import AWSSecretsManagerClient
+from tock_genai_core.utils.gcp.gcp_secret_manager_client import GCPSecretManagerClient
 
 
 def get_nested_value(data_dict, keys_str):
@@ -40,19 +44,21 @@ def fetch_secret_key_value(secret_key: SecretKey) -> Optional[Union[str, Dict[st
     Returns
     -------
     Optional[Union[str, Dict[str, str]]]
-        The value of the secret key, which can either be a string or a dictionary. If no value is found,
-        a ConfigurationError is raised for `AppNameSecretKey`.
+        The value of the secret key, which can either be a string or a dictionary.
 
     Raises
     ------
     NotImplementedError
-        If the secret key type is not yet implemented (AwsSecretKey, KubernetesSecretKey).
-    ConfigurationError
-        If the `AppNameSecretKey` cannot be found in the configuration.
+        If the secret key type is not yet implemented (e.g. KubernetesSecretKey).
+    RuntimeError
+        If the GCP project_id cannot be determined.
     """
     if isinstance(secret_key, RawSecretKey):
-        return secret_key.value
+        return secret_key.secret
     elif isinstance(secret_key, AwsSecretKey):
-        raise NotImplementedError()
+        return AWSSecretsManagerClient().get_secret(secret_key.secret_name)
     elif isinstance(secret_key, KubernetesSecretKey):
         raise NotImplementedError()
+    elif isinstance(secret_key, GcpSecretKey):
+        project_id = os.getenv("GCP_PROJECT_ID")  # Will be None if not set
+        return GCPSecretManagerClient(project_id=project_id).get_secret(secret_key.secret_name)
diff --git a/src/tock_genai_core/utils/__init__.py b/src/tock_genai_core/utils/__init__.py
diff --git a/src/tock_genai_core/utils/aws/__init__.py b/src/tock_genai_core/utils/aws/__init__.py
diff --git a/src/tock_genai_core/utils/aws/aws_secrets_manager_client.py b/src/tock_genai_core/utils/aws/aws_secrets_manager_client.py
@@ -0,0 +1,67 @@
+# -*- coding: utf-8 -*-
+"""
+AWSSecretsManagerClient
+
+Minimal AWS Secrets Manager client.
+Used to fetch secrets from AWS Secrets Manager.
+
+Author:
+    * Louis-Marie Toudoire louis-marie.toudoire@partnre.com
+"""
+
+import json
+import logging
+from typing import Union
+
+import boto3
+from botocore.exceptions import ClientError
+
+logger = logging.getLogger(__name__)
+
+
+class AWSSecretsManagerClient:
+    """AWS Secrets Manager Client."""
+
+    def __init__(self):
+        self.client = boto3.client(service_name="secretsmanager")
+
+    def get_secret(self, secret_name: str) -> Union[str, dict, None]:
+        """
+        Retrieve individual secret by name, using the get_secret_value API.
+
+        Parameters
+        ----------
+        secret_name : str
+            The name of the secret to be fetched.
+
+        Returns
+        -------
+        Union[str, dict, None]
+        The secret as a raw string, as a dictionary if the secret is JSON, or None if the secret is empty.
+
+        Raises
+        ------
+        ClientError
+            If AWS Secrets Manager returns an error.
+        Exception
+            For any other unexpected error.
+        """
+        try:
+            response = self.client.get_secret_value(SecretId=secret_name)
+            secret_string = response.get("SecretString")
+            if secret_string is None:
+                logger.warning(f"Secret {secret_name} retrieved but has no SecretString field.")
+                return None
+
+            # Try to parse as JSON, else return raw string
+            try:
+                return json.loads(secret_string)
+            except json.JSONDecodeError:
+                return secret_string
+
+        except ClientError as e:
+            logger.error(f"Error retrieving secret {secret_name}: {e}")
+            raise
+        except Exception as e:
+            logger.error(f"Unexpected error retrieving secret {secret_name}: {e}")
+            raise
diff --git a/src/tock_genai_core/utils/gcp/__init__.py b/src/tock_genai_core/utils/gcp/__init__.py
diff --git a/src/tock_genai_core/utils/gcp/gcp_secret_manager_client.py b/src/tock_genai_core/utils/gcp/gcp_secret_manager_client.py
@@ -0,0 +1,85 @@
+# -*- coding: utf-8 -*-
+"""
+GCPSecretManagerClient
+
+Minimal GCP Secret Manager client.
+Used to fetch secrets from Google Cloud Secret Manager.
+
+Author:
+    * Louis-Marie Toudoire louis-marie.toudoire@partnre.com
+"""
+
+import json
+import logging
+from typing import Union, Optional
+
+from google.api_core.exceptions import NotFound
+from google.cloud import secretmanager
+from google.auth import default as google_auth_default
+
+logger = logging.getLogger(__name__)
+
+
+class GCPSecretManagerClient:
+    """Minimal GCP Secret Manager Client."""
+
+    def __init__(self, project_id: Optional[str] = None):
+        """
+        Initialize the client.
+
+        Parameters
+        ----------
+        project_id : Optional[str]
+            The GCP project ID where the secrets are stored.
+            - If provided: use it directly (same approach as Orchestrator).
+            - If not provided: try to auto-detect from Google application credentials.
+        """
+        if project_id:
+            # Case 1: project_id explicitly provided (e.g. env var GCP_PROJECT_ID or orchestrator config)
+            self.project_id = project_id
+            self.client = secretmanager.SecretManagerServiceClient()
+        else:
+            # Case 2: auto-detection from GOOGLE_APPLICATION_CREDENTIALS or default credentials
+            creds, detected_project_id = google_auth_default()
+            if not detected_project_id:
+                raise RuntimeError(
+                    "Unable to determine the project_id. "
+                    "Either set GCP_PROJECT_ID or configure GOOGLE_APPLICATION_CREDENTIALS."
+                )
+            self.project_id = detected_project_id
+            self.client = secretmanager.SecretManagerServiceClient(credentials=creds)
+
+    def get_secret(self, secret_name: str) -> Union[str, dict, None]:
+        """
+        Retrieve individual secret by name, using the access_secret_version API.
+
+        Parameters
+        ----------
+        secret_name : str
+            The name of the secret to be fetched.
+
+        Returns
+        -------
+        Union[str, dict, None]
+            The secret as a raw string, as a dictionary if the content is JSON, or None if the secret has no payload.
+        """
+        resource_name = f"projects/{self.project_id}/secrets/{secret_name}/versions/latest"
+
+        try:
+            response = self.client.access_secret_version(name=resource_name)
+            secret_string = response.payload.data.decode("UTF-8")
+            if not secret_string:
+                logger.warning(f"Secret {secret_name} retrieved but has no payload.")
+                return None
+
+            try:
+                return json.loads(secret_string)
+            except json.JSONDecodeError:
+                return secret_string
+
+        except NotFound:
+            logger.error(f"The requested secret {secret_name} was not found in project {self.project_id}.")
+            raise
+        except Exception as e:
+            logger.error(f"Unexpected error retrieving secret {secret_name}: {e}")
+            raise

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`# -- coding: utf-8 --`
`2`	`2`
`3`		`-__version__ = "1.3.1"`
	`3`	`+__version__ = "1.4.0"`
-Original file line number
+Diff line change
 A class for AWS Secret Key.
 Used to store the secret name managed in AWS Secrets Manager.
 -Authors:
 -    * Baptiste Le Goff: [email protected]
 -    * Killian Mahé: [email protected]
 -    * Luigi Bokalli: [email protected]
 -    * Noé Chabanon: [email protected]
 +Author:
 +    * Louis-Marie Toudoire [email protected]
 """
 from typing import Literal
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# -- coding: utf-8 --`
	`2`	`+from .gcp_secret_key import GcpSecretKey`
Original file line number	Diff line number	Diff line change
`@@ -38,4 +38,4 @@ class RawSecretKey(BaseSecretKey):`
`38`	`38`	`examples=[SecretKeyType.RAW],`
`39`	`39`	`default=SecretKeyType.RAW,`
`40`	`40`	`)`
`41`		`- value: str = Field(description="The secret value.", examples=["145d-ff455g-e4r5gf"], min_length=1)`
	`41`	`+ secret: str = Field(description="The secret value.", examples=["145d-ff455g-e4r5gf"], min_length=1, alias="value")`