fix: remove old credentials from when removing tools

When removing the last tool that uses a credential, this change will remove the
old credential. The effect is that the user will have to authenticate the tool
again if a tool requiring that credential is added.

Signed-off-by: Donnie Adams <[email protected]>

Author: thedadams

pkg/controller/handlers/toolinfo/toolinfo.go

@@ -2,6 +2,7 @@ package toolinfo
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	"github.com/gptscript-ai/go-gptscript"
@@ -87,6 +88,34 @@ func (h *Handler) SetToolInfoStatus(req router.Request, resp router.Response) (e
 	return nil
 }
 
+func (h *Handler) RemoveUnneededCredentials(req router.Request, _ router.Response) error {
+	creds, err := h.gptscript.ListCredentials(req.Ctx, gptscript.ListCredentialsOptions{
+		CredentialContexts: []string{req.Object.GetName()},
+	})
+	if err != nil || len(creds) == 0 {
+		return err
+	}
+
+	toolInfos := req.Object.(v1.ToolUser).GetToolInfos()
+	credentialNames := make(map[string]struct{}, len(toolInfos))
+
+	for _, cred := range toolInfos {
+		for _, name := range cred.CredentialNames {
+			credentialNames[name] = struct{}{}
+		}
+	}
+
+	for _, cred := range creds {
+		if _, ok := credentialNames[cred.ToolName]; !ok {
+			if err := h.gptscript.DeleteCredential(req.Ctx, req.Object.GetName(), cred.ToolName); err != nil && !errors.As(err, &gptscript.ErrNotFound{}) {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
 func (h *Handler) credentialNamesForNonToolReferences(ctx context.Context, name string) ([]string, error) {
 	prg, err := h.gptscript.LoadFile(ctx, name)
 	if err != nil {

pkg/controller/routes.go

@@ -74,6 +74,7 @@ func (c *Controller) setupRoutes() error {
 	root.Type(&v1.Workflow{}).HandlerFunc(cleanup.Cleanup)
 	root.Type(&v1.Workflow{}).HandlerFunc(alias.AssignAlias)
 	root.Type(&v1.Workflow{}).HandlerFunc(toolInfo.SetToolInfoStatus)
+	root.Type(&v1.Workflow{}).HandlerFunc(toolInfo.RemoveUnneededCredentials)
 	root.Type(&v1.Workflow{}).HandlerFunc(generationed.UpdateObservedGeneration)
 	root.Type(&v1.Workflow{}).FinalizeFunc(v1.WorkflowFinalizer, credentialCleanup.Remove)
 
@@ -87,6 +88,7 @@ func (c *Controller) setupRoutes() error {
 	root.Type(&v1.Agent{}).HandlerFunc(agents.BackPopulateAuthStatus)
 	root.Type(&v1.Agent{}).HandlerFunc(alias.AssignAlias)
 	root.Type(&v1.Agent{}).HandlerFunc(toolInfo.SetToolInfoStatus)
+	root.Type(&v1.Agent{}).HandlerFunc(toolInfo.RemoveUnneededCredentials)
 	root.Type(&v1.Agent{}).HandlerFunc(generationed.UpdateObservedGeneration)
 	root.Type(&v1.Agent{}).FinalizeFunc(v1.AgentFinalizer, credentialCleanup.Remove)