SAP Connection Testing

Overview

Connection testing now follows the generalized connection model:
  • Workspace admins create named entries in workspace_connections
  • Connector auth keys are stored per connection in connection_secrets
  • Each user can store their own SAP username/password per connection in user_connection_credentials (encrypted)
This gives a clean split between:
  • Admin-managed infrastructure secrets (connector_key, host/sysnr/client/router)
  • User-managed SAP credentials (for permission-sensitive RFC execution)

Current setup flow

In Workspace Settings, the connection setup wizard runs in three steps:
  1. Enter SAP system details
  2. Deploy connector and verify connector URL reachability
  3. Test connection and save
Relevant frontend files:
  • src/frontend/components/connections/AddConnectionWizard.tsx
  • src/frontend/components/connections/ConnectionCard.tsx
  • src/frontend/components/SapCredentialForm.tsx
  • src/frontend/components/connection-test/useConnectionTest.ts

What the test checks

The connector test still validates the same SAP capabilities:
  • System info (RFC_SYSTEM_INFO)
  • User info and roles (USR02, AGR_USERS)
  • Core capability checks:
    • read_table
    • get_schema
    • read_dictionary
    • analyze_code
Status mapping:
  • ready: read_table + get_schema + read_dictionary pass
  • limited: read_table + get_schema pass, read_dictionary fails
  • blocked: read_table or get_schema fails
analyze_code remains non-blocking for overall status.

API endpoints

POST /api/workspaces/:workspaceId/connector-health

Checks whether a connector URL is reachable (GET /health) before saving a connection.
Request:
{ "connector_url": "http://127.0.0.1:8080" }
Response:
{ "reachable": true, "status": "ok", "mockMode": false }
Notes:
  • Admin-only workspace access
  • URL is validated with SSRF protections before fetch

POST /api/workspaces/:workspaceId/test-connection-preview

Runs a test against unsaved connection settings.
Request:
{
  "connector_url": "http://127.0.0.1:8080",
  "connector_key": "aisi-connector-dev-key",
  "sap_username": "RFC_USER",
  "sap_password": "secret"
}
Response:
{
  "result": {
    "connection_id": "preview",
    "status": "ready",
    "message": "Connection successful. All capabilities available."
  },
  "detected_system_type": "s4"
}
Notes:
  • Admin-only workspace access
  • detected_system_type is inferred from SAP release (>=1511 => s4, else ecc)

POST /api/workspaces/:workspaceId/test-connection

Runs a test for a persisted connection and stores the result on that connection row.
Request:
{ "connection_id": "<workspace_connection_id>" }
Response:
{
  "result": {
    "connection_id": "<workspace_connection_id>",
    "status": "ready",
    "message": "Connection successful. All capabilities available."
  },
  "detected_system_type": "s4"
}
Notes:
  • Uses connection_secrets.connector_key for X-Connector-Key
  • Uses decrypted user credentials (if present) for X-SAP-User / X-SAP-Password
  • Persists:
    • workspace_connections.connection_test
    • workspace_connections.connection_tested_at
    • workspace_connections.system_type (auto-detected when available)

GET /api/workspaces/:workspaceId/connection-status

Returns cached connection test results. Optional query:
  • connection_id=<id> for a single connection
  • no query to return all workspace connection test records

Data storage

Connection-level storage

  • workspace_connections.connection_test (JSONB)
  • workspace_connections.connection_tested_at (timestamp)
  • workspace_connections.system_type (s4/ecc, nullable, auto-detected)

Secret and credential storage

  • connection_secrets
    • Admin-managed key/value secrets per connection
    • Includes connector_key (and optional sap_host, sap_sysnr, sap_client, sap_router_string)
  • user_connection_credentials
    • Per-user credentials per connection
    • Password is AES-256-GCM encrypted (encrypted_password, encryption_iv)
    • Encryption key: Worker ENCRYPTION_KEY env var

Security model

  • Connector URL validation uses the same SSRF protections as other connector calls
  • Connector API key remains required in real mode on the Java connector (CONNECTOR_API_KEY)
  • Worker never stores plain SAP passwords in Durable Object storage
  • User SAP passwords are decrypted only per request for connector calls

Files

Worker routes

  • src/routes/connection-test.ts
  • src/routes/credentials.ts

Worker helpers

  • src/lib/encryption.ts
  • src/tools/sap-connector-client.ts

Java connector

  • connector/src/main/java/com/aisi/connector/controller/ConnectionTestController.java
  • connector/src/main/java/com/aisi/connector/config/SapUserFilter.java
  • connector/src/main/java/com/aisi/connector/config/DynamicDestinationProvider.java

Not included (by design)

  • Deep authorization object introspection (for example full S_RFC/S_TABU_DIS breakdown)
  • Historical trend storage for every test execution (only latest status is persisted on connection)