dac163d88c
Issue #2: Unprotected Chat Summary Trigger (CRITICAL) - Add authentication and admin authorization to /trigger endpoint - Add path validation to prevent directory traversal - Block access to system directories (/etc, /root, /sys, /proc, /boot) - Add tests for unauthorized access and invalid paths Issue #3: Exception Information Disclosure (HIGH) - Replace raw exception messages with generic errors - Log full exception details server-side with logger.exception() - Affected files: auth.py, files.py, passkey.py, opc_agents.py - Prevents information leakage about system architecture Security Impact: - Prevents unauthenticated file system writes - Reduces reconnaissance opportunities for attackers - Maintains security while preserving debugging capability Tests: 214 passing, all security tests verified
130 lines
3.5 KiB
Python
130 lines
3.5 KiB
Python
"""
|
|
OPC Agents Router
|
|
"""
|
|
|
|
import logging
|
|
|
|
from fastapi import APIRouter, Depends, HTTPException, Request
|
|
from pydantic import BaseModel
|
|
|
|
from db import opc_db
|
|
from rbac import User, require_admin
|
|
|
|
router = APIRouter()
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
class AgentUpdate(BaseModel):
|
|
name: str | None = None
|
|
description: str | None = None
|
|
system_prompt: str | None = None
|
|
enabled: bool | None = None
|
|
|
|
|
|
class ExecutionApproval(BaseModel):
|
|
approved: bool
|
|
feedback: str | None = None
|
|
|
|
|
|
@router.get("/agents")
|
|
async def list_agents(
|
|
request: Request,
|
|
enabled_only: bool = True,
|
|
):
|
|
"""List all agents"""
|
|
user: User = request.state.user
|
|
agents = await opc_db.get_agents(enabled_only=enabled_only)
|
|
return {"items": agents}
|
|
|
|
|
|
@router.get("/agents/{agent_id}")
|
|
async def get_agent(
|
|
agent_id: str,
|
|
request: Request,
|
|
):
|
|
"""Get agent details"""
|
|
user: User = request.state.user
|
|
agent = await opc_db.get_agent(agent_id)
|
|
if not agent:
|
|
raise HTTPException(status_code=404, detail="Agent not found")
|
|
return agent
|
|
|
|
|
|
@router.put("/agents/{agent_id}", dependencies=[Depends(require_admin())])
|
|
async def update_agent(
|
|
agent_id: str,
|
|
updates: AgentUpdate,
|
|
request: Request,
|
|
):
|
|
"""Update agent configuration (admin only)"""
|
|
user: User = request.state.user
|
|
try:
|
|
agent = await opc_db.update_agent_config(
|
|
agent_id=agent_id,
|
|
name=updates.name,
|
|
description=updates.description,
|
|
system_prompt=updates.system_prompt,
|
|
enabled=updates.enabled,
|
|
)
|
|
return agent
|
|
except ValueError as e:
|
|
logger.exception("Failed to update agent %s", agent_id)
|
|
raise HTTPException(status_code=404, detail="Agent not found")
|
|
|
|
|
|
@router.post("/agents/{agent_id}/execute")
|
|
async def trigger_agent(
|
|
agent_id: str,
|
|
task_id: int,
|
|
request: Request,
|
|
):
|
|
"""Manually trigger agent execution"""
|
|
user: User = request.state.user
|
|
execution = await opc_db.create_agent_execution(task_id=task_id, agent_id=agent_id, actor=user.username)
|
|
return execution
|
|
|
|
|
|
@router.get("/executions")
|
|
async def list_executions(
|
|
request: Request,
|
|
task_id: int | None = None,
|
|
agent_id: str | None = None,
|
|
status: str | None = None,
|
|
limit: int = 50,
|
|
):
|
|
"""List agent executions"""
|
|
user: User = request.state.user
|
|
executions = await opc_db.get_agent_executions(task_id=task_id, agent_id=agent_id, status=status, limit=limit)
|
|
return {"items": executions}
|
|
|
|
|
|
@router.get("/executions/{execution_id}")
|
|
async def get_execution(
|
|
execution_id: int,
|
|
request: Request,
|
|
):
|
|
"""Get execution details"""
|
|
user: User = request.state.user
|
|
execution = await opc_db.get_agent_execution(execution_id)
|
|
if not execution:
|
|
raise HTTPException(status_code=404, detail="Execution not found")
|
|
return execution
|
|
|
|
|
|
@router.post("/executions/{execution_id}/approve")
|
|
async def approve_execution(
|
|
execution_id: int,
|
|
approval: ExecutionApproval,
|
|
request: Request,
|
|
):
|
|
"""Approve or reject agent execution (for CxO level actions)"""
|
|
user: User = request.state.user
|
|
try:
|
|
execution = await opc_db.approve_agent_execution(
|
|
execution_id=execution_id, approved=approval.approved, approved_by=user.username, feedback=approval.feedback
|
|
)
|
|
return execution
|
|
except ValueError as e:
|
|
logger.exception("Failed to approve agent execution %s", execution_id)
|
|
raise HTTPException(status_code=404, detail="Execution not found")
|