feat(server): implement Resource Scoping for tasks and push notifications

[sokoliva]

Description

Introduces caller indentity isolation to ensure clients only access authorized resources, as mandated by the A2A spec.

• Add 'owner' field to TaskMixin and PushNotificationConfig database models.
• Add 'last_updated' field to TaskMixin for optimized sorting and indexing.
• Update DatabaseTaskStore, InMemoryTaskStore and DatabasePushNotificationConfigStore to use OwnerResolver.
• Add Resource Scoping related Unit tests.
• Add Alembic configuration to enable users to update their own databases with non-optional owner field in tasks table.

Note

• In src/a2a/server/tasks/database_task_store.py list method, Gemini suggested a refactor of pagination. I thoroughly reviewed it and comfirmed that the logic is the same and that readability of code improved so I decided to accept it.
• It seems there was a functional bug in InMemoryPushNotificationConfigStore delete_info method. When config_id is None and only task_id was provided it would search for configs mapped to task_id with config.id=task_id, contrary to delete_info method of DatabasePushNotificationConfigStore where if config_id is None, all configurations for the task are deleted. Unfortunately, I did not find intended behavior in the spec, but behavior of DatabasePushNotificationConfigStore's delete_info seems more logical.

Breaking changes

• added non-optional owner field to the Task Model. Use alembic configuration to update your database.

• Ensure the tests and linter pass (Run bash scripts/format.sh from the repository root to format)

• Appropriate docs were updated (if necessary)

Fixes #610 🦕

[gemini-code-assist]

Summary of Changes

Hello @sokoliva, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the server's data management capabilities by implementing robust resource scoping for tasks and push notification configurations, ensuring that users can only access their own data. It also introduces a flexible 'ListTasks' API, enabling efficient retrieval and management of tasks with advanced filtering and pagination. The integration of Alembic provides a structured approach to future database schema evolution.

Highlights

• Resource Scoping Implementation: Introduced an 'owner' field to 'TaskMixin' and 'PushNotificationConfig' database models, along with an 'OwnerResolver' to enforce caller identity isolation for tasks and push notification configurations.
• Task Listing API: Added a new 'ListTasks' API endpoint across gRPC, JSON-RPC, and REST transports, supporting filtering, pagination, and sorting by 'last_updated' timestamp.
• Database Migration Setup: Integrated Alembic for managing database schema migrations, including an initial migration to add the 'owner' column to the 'tasks' table.
• Performance Enhancements: Added a 'last_updated' field to 'TaskMixin' and an index on '(owner, last_updated)' to optimize task retrieval and sorting.

Changelog

• alembic.ini
  • Configured Alembic for database migrations.
• alembic/README
  • Documented Alembic migration commands and troubleshooting.
• alembic/env.py
  • Configured Alembic environment for asynchronous SQLAlchemy operations.
• alembic/script.py.mako
  • Provided a Mako template for generating new Alembic migration scripts.
• alembic/versions/6419d2d130f6_add_owner_to_task.py
  • Added an initial migration script to introduce a non-nullable 'owner' column to the 'tasks' table with a default value.
• pyproject.toml
  • Added Alembic tool configuration.
• src/a2a/client/base_client.py
  • Updated imports and added an abstract 'list_tasks' method to the base client.
• src/a2a/client/client.py
  • Updated imports and added an abstract 'list_tasks' method to the client interface.
• src/a2a/client/transports/base.py
  • Updated imports and added an abstract 'list_tasks' method to the base transport.
• src/a2a/client/transports/grpc.py
  • Implemented the 'list_tasks' method for the gRPC transport, including proto conversions and default page size.
• src/a2a/client/transports/jsonrpc.py
  • Implemented the 'list_tasks' method for the JSON-RPC transport, handling request/response models and error cases.
• src/a2a/client/transports/rest.py
  • Implemented the 'list_tasks' method for the REST transport, including query parameter conversion and handling.
• src/a2a/grpc/a2a_pb2.py
  • Generated new protobuf definitions to include 'ListTasksRequest' and 'ListTasksResponse' messages and the 'ListTasks' service method.
• src/a2a/grpc/a2a_pb2.pyi
  • Updated the protobuf type hints to include 'ListTasksRequest' and 'ListTasksResponse'.
• src/a2a/grpc/a2a_pb2_grpc.py
  • Generated new gRPC service code to include the 'ListTasks' method.
• src/a2a/server/apps/jsonrpc/jsonrpc_app.py
  • Updated to recognize and process 'ListTasksRequest' for JSON-RPC.
• src/a2a/server/models.py
  • Added 'datetime' import, 'Index' import, 'owner' and 'last_updated' fields to 'TaskMixin', and 'owner' field to 'PushNotificationConfigMixin'.
  • Defined a table argument for a combined index on 'owner' and 'last_updated'.
• src/a2a/server/owner_resolver.py
  • Added a new module defining 'OwnerResolver' type and a default 'resolve_user_scope' function.
• src/a2a/server/request_handlers/default_request_handler.py
  • Implemented the 'on_list_tasks' method, handling filtering, pagination, artifact exclusion, and history length application.
• src/a2a/server/request_handlers/grpc_handler.py
  • Implemented the gRPC handler for the new 'ListTasks' method.
• src/a2a/server/request_handlers/jsonrpc_handler.py
  • Implemented the JSON-RPC handler for the new 'tasks/list' method.
• src/a2a/server/request_handlers/request_handler.py
  • Added an abstract 'on_list_tasks' method to the base request handler interface.
• src/a2a/server/request_handlers/response_helpers.py
  • Updated type definitions to support 'ListTasksResult' in JSON-RPC responses.
• src/a2a/server/request_handlers/rest_handler.py
  • Implemented the REST handler for 'list_tasks' and adjusted 'list_push_notifications' to be unimplemented.
• src/a2a/server/tasks/database_push_notification_config_store.py
  • Modified methods ('init', '_to_orm', 'set_info', 'get_info', 'delete_info') to incorporate owner-based scoping for push notification configurations.
• src/a2a/server/tasks/database_task_store.py
  • Modified methods ('init', '_to_orm', 'save', 'get', 'delete') to incorporate owner-based scoping and 'last_updated' field.
  • Implemented the 'list' method with filtering, sorting, and pagination.
• src/a2a/server/tasks/inmemory_task_store.py
  • Modified methods ('init', 'save', 'get', 'delete') to incorporate owner-based scoping.
  • Implemented the 'list' method with filtering, sorting, and pagination.
• src/a2a/server/tasks/push_notification_config_store.py
  • Updated abstract methods to include 'ServerCallContext' for owner resolution.
• src/a2a/server/tasks/task_store.py
  • Introduced 'TasksPage' model and an abstract 'list' method for task pagination.
• src/a2a/types.py
  • Added new Pydantic models for 'ListTasksParams', 'ListTasksRequest', 'ListTasksResult', and 'ListTasksSuccessResponse', and updated relevant type unions.
• src/a2a/utils/constants.py
  • Added 'DEFAULT_LIST_TASKS_PAGE_SIZE' constant.
• src/a2a/utils/proto_utils.py
  • Added utility functions for converting between 'ListTasksParams'/'ListTasksResult' and their protobuf equivalents.
• src/a2a/utils/task.py
  • Added utility functions 'encode_page_token' and 'decode_page_token' for base64 encoding/decoding of pagination tokens.
• tests/client/test_client_factory.py
  • Updated client transport extension assertions.
• tests/client/transports/test_grpc_client.py
  • Added test cases for the new 'list_tasks' gRPC client method.
• tests/client/transports/test_jsonrpc_client.py
  • Added test cases for the new 'list_tasks' JSON-RPC client method.
• tests/extensions/test_common.py
  • Added 'pytest' import.
• tests/integration/test_client_server_integration.py
  • Added integration tests for 'list_tasks' across HTTP (JSON-RPC, REST) and gRPC transports.
• tests/server/request_handlers/test_default_request_handler.py
  • Added unit tests for the 'on_list_tasks' method, covering success, artifact exclusion, and history length.
  • Updated 'on_message_send' calls to pass context to 'task_store.get'.
• tests/server/request_handlers/test_grpc_handler.py
  • Added unit tests for the 'ListTasks' gRPC handler.
• tests/server/request_handlers/test_jsonrpc_handler.py
  • Added unit tests for the 'list_tasks' JSON-RPC handler.
• tests/server/tasks/test_database_push_notification_config_store.py
  • Added 'TestUser' class and tests for owner-based resource scoping in the database push notification config store.
• tests/server/tasks/test_database_task_store.py
  • Added 'TestUser' class and extensive tests for 'list_tasks' with various filters, pagination, and owner-based scoping in the database task store.
• tests/server/tasks/test_inmemory_task_store.py
  • Added 'TestUser' class and extensive tests for 'list_tasks' with various filters, pagination, and owner-based scoping in the in-memory task store.
• tests/server/test_owner_resolver.py
  • Added a new test file with unit tests for the 'resolve_user_scope' function.
• tests/utils/test_proto_utils.py
  • Added unit tests for the new 'list_tasks_request' and 'list_tasks_result' proto utility conversions.
• tests/utils/test_task.py
  • Added unit tests for the new 'encode_page_token' and 'decode_page_token' utility functions.

Ignored Files

• Ignored by pattern: .github/workflows/** (2)
  • .github/workflows/linter.yaml
  • .github/workflows/unit-tests.yml
• Ignored by pattern: CHANGELOG.md (1)
  • CHANGELOG.md

Activity

• The author, sokoliva, initiated this pull request to implement caller identity isolation for tasks and push notifications, addressing issue [Feat]: Resource Scoping #610.
• The PR also aims to optimize task retrieval by adding a 'last_updated' field and indexing.
• A checklist is included in the PR description, indicating the author's intention to ensure tests and linter pass, and that appropriate documentation is updated.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces resource scoping by adding an owner field to tasks and push notification configurations, which is a great step towards multi-tenancy and security. The implementation across the database and in-memory stores is consistent. I've also noticed the addition of Alembic for database migrations, which is excellent for managing schema changes. My feedback focuses on improving the Alembic configuration, strengthening the data model for timestamps, and making the owner resolution logic more robust.

[ishymko]

nit: this code uses a bit different pattern compared to get, I suggest to either use fallback to an empty dict in both places or explicit if here as well.

Same for delete. Maybe a helper private get_owner_tasks can be useful here.

[ishymko]

nit: I suggest linking original docs via comment here and remove commented out values as they add some noise to the file.

[ishymko]

Question on the developer experience here: if one needs to migrate their database - which steps are required? Currently readme mixes information for the package developers on how to add more migrations with the usage for integrations (how to run migrations).

I also believe that it assumes cloning the repository in order to run them, as it usually doesn't happen when one just uses package as a dependency. This creates some risk as one should make sure they switched to the appropriate commit to avoid applying migrations from main branch not yet released to PyPi?

Is it possible to distribute migrations together with the package itself and provide instructions on running them against the installed package version? We can also consider optional parameter which one may use to automatically apply migrations at runtime (default to False).

References:

• https://stackoverflow.com/q/73633063
• Allow --config to be a Python package or a file relative to that package sqlalchemy/alembic#1104