Files
nas-tools/dashboard/backend/routers/opc_agents.py
T
Gan, Jimmy dac163d88c
Deploy Dashboard (Dev) / deploy-dev (push) Failing after 55s
Run Tests / Backend Tests (push) Successful in 2m2s
Run Tests / Test Summary (push) Failing after 12s
Run Tests / Frontend Tests (push) Failing after 2m4s
security: fix critical vulnerabilities (issues #2 and #3)
Issue #2: Unprotected Chat Summary Trigger (CRITICAL)
- Add authentication and admin authorization to /trigger endpoint
- Add path validation to prevent directory traversal
- Block access to system directories (/etc, /root, /sys, /proc, /boot)
- Add tests for unauthorized access and invalid paths

Issue #3: Exception Information Disclosure (HIGH)
- Replace raw exception messages with generic errors
- Log full exception details server-side with logger.exception()
- Affected files: auth.py, files.py, passkey.py, opc_agents.py
- Prevents information leakage about system architecture

Security Impact:
- Prevents unauthenticated file system writes
- Reduces reconnaissance opportunities for attackers
- Maintains security while preserving debugging capability

Tests: 214 passing, all security tests verified
2026-04-08 00:57:14 +08:00

130 lines
3.5 KiB
Python

"""
OPC Agents Router
"""
import logging
from fastapi import APIRouter, Depends, HTTPException, Request
from pydantic import BaseModel
from db import opc_db
from rbac import User, require_admin
router = APIRouter()
logger = logging.getLogger(__name__)
class AgentUpdate(BaseModel):
name: str | None = None
description: str | None = None
system_prompt: str | None = None
enabled: bool | None = None
class ExecutionApproval(BaseModel):
approved: bool
feedback: str | None = None
@router.get("/agents")
async def list_agents(
request: Request,
enabled_only: bool = True,
):
"""List all agents"""
user: User = request.state.user
agents = await opc_db.get_agents(enabled_only=enabled_only)
return {"items": agents}
@router.get("/agents/{agent_id}")
async def get_agent(
agent_id: str,
request: Request,
):
"""Get agent details"""
user: User = request.state.user
agent = await opc_db.get_agent(agent_id)
if not agent:
raise HTTPException(status_code=404, detail="Agent not found")
return agent
@router.put("/agents/{agent_id}", dependencies=[Depends(require_admin())])
async def update_agent(
agent_id: str,
updates: AgentUpdate,
request: Request,
):
"""Update agent configuration (admin only)"""
user: User = request.state.user
try:
agent = await opc_db.update_agent_config(
agent_id=agent_id,
name=updates.name,
description=updates.description,
system_prompt=updates.system_prompt,
enabled=updates.enabled,
)
return agent
except ValueError as e:
logger.exception("Failed to update agent %s", agent_id)
raise HTTPException(status_code=404, detail="Agent not found")
@router.post("/agents/{agent_id}/execute")
async def trigger_agent(
agent_id: str,
task_id: int,
request: Request,
):
"""Manually trigger agent execution"""
user: User = request.state.user
execution = await opc_db.create_agent_execution(task_id=task_id, agent_id=agent_id, actor=user.username)
return execution
@router.get("/executions")
async def list_executions(
request: Request,
task_id: int | None = None,
agent_id: str | None = None,
status: str | None = None,
limit: int = 50,
):
"""List agent executions"""
user: User = request.state.user
executions = await opc_db.get_agent_executions(task_id=task_id, agent_id=agent_id, status=status, limit=limit)
return {"items": executions}
@router.get("/executions/{execution_id}")
async def get_execution(
execution_id: int,
request: Request,
):
"""Get execution details"""
user: User = request.state.user
execution = await opc_db.get_agent_execution(execution_id)
if not execution:
raise HTTPException(status_code=404, detail="Execution not found")
return execution
@router.post("/executions/{execution_id}/approve")
async def approve_execution(
execution_id: int,
approval: ExecutionApproval,
request: Request,
):
"""Approve or reject agent execution (for CxO level actions)"""
user: User = request.state.user
try:
execution = await opc_db.approve_agent_execution(
execution_id=execution_id, approved=approval.approved, approved_by=user.username, feedback=approval.feedback
)
return execution
except ValueError as e:
logger.exception("Failed to approve agent execution %s", execution_id)
raise HTTPException(status_code=404, detail="Execution not found")