4fa84fce8a
- Add OPCAuthz module with fine-grained access control
- Users can only view/modify tasks they created or are assigned to
- Admins have full access to all resources
- Members can trigger PM agent, only admins can trigger CTO/COO
- Only admins can approve CxO-level agent executions
- Track task creator in metadata for authorization
- Add metadata column with default '{}' to tasks table
- Filter task and execution lists based on user permissions
- Add 10 integration tests for authorization logic
174 lines
4.9 KiB
Python
174 lines
4.9 KiB
Python
"""
|
|
OPC Agents Router
|
|
"""
|
|
|
|
import logging
|
|
|
|
from fastapi import APIRouter, Depends, HTTPException, Request
|
|
from pydantic import BaseModel
|
|
|
|
from db import opc_db
|
|
from opc_authz import OPCAuthz
|
|
from rbac import User, require_admin
|
|
|
|
router = APIRouter()
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
class AgentUpdate(BaseModel):
|
|
name: str | None = None
|
|
description: str | None = None
|
|
system_prompt: str | None = None
|
|
enabled: bool | None = None
|
|
|
|
|
|
class ExecutionApproval(BaseModel):
|
|
approved: bool
|
|
feedback: str | None = None
|
|
|
|
|
|
@router.get("/agents")
|
|
async def list_agents(
|
|
request: Request,
|
|
enabled_only: bool = True,
|
|
):
|
|
"""List all agents"""
|
|
user: User = request.state.user
|
|
agents = await opc_db.get_agents(enabled_only=enabled_only)
|
|
return {"items": agents}
|
|
|
|
|
|
@router.get("/agents/{agent_id}")
|
|
async def get_agent(
|
|
agent_id: str,
|
|
request: Request,
|
|
):
|
|
"""Get agent details"""
|
|
user: User = request.state.user
|
|
agent = await opc_db.get_agent(agent_id)
|
|
if not agent:
|
|
raise HTTPException(status_code=404, detail="Agent not found")
|
|
return agent
|
|
|
|
|
|
@router.put("/agents/{agent_id}", dependencies=[Depends(require_admin())])
|
|
async def update_agent(
|
|
agent_id: str,
|
|
updates: AgentUpdate,
|
|
request: Request,
|
|
):
|
|
"""Update agent configuration (admin only)"""
|
|
user: User = request.state.user
|
|
try:
|
|
agent = await opc_db.update_agent_config(
|
|
agent_id=agent_id,
|
|
name=updates.name,
|
|
description=updates.description,
|
|
system_prompt=updates.system_prompt,
|
|
enabled=updates.enabled,
|
|
)
|
|
return agent
|
|
except ValueError as e:
|
|
logger.exception("Failed to update agent %s", agent_id)
|
|
raise HTTPException(status_code=404, detail="Agent not found")
|
|
|
|
|
|
@router.post("/agents/{agent_id}/execute")
|
|
async def trigger_agent(
|
|
agent_id: str,
|
|
task_id: int,
|
|
request: Request,
|
|
):
|
|
"""Manually trigger agent execution"""
|
|
user: User = request.state.user
|
|
|
|
# Check if user can trigger this agent
|
|
OPCAuthz.require_agent_trigger(user, agent_id)
|
|
|
|
# Get task to check authorization
|
|
task = await opc_db.get_task_by_id(task_id)
|
|
if not task:
|
|
raise HTTPException(status_code=404, detail="Task not found")
|
|
|
|
# Check if user can modify this task
|
|
OPCAuthz.require_task_modify(user, task)
|
|
|
|
execution = await opc_db.create_agent_execution(task_id=task_id, agent_id=agent_id, actor=user.username)
|
|
return execution
|
|
|
|
|
|
@router.get("/executions")
|
|
async def list_executions(
|
|
request: Request,
|
|
task_id: int | None = None,
|
|
agent_id: str | None = None,
|
|
status: str | None = None,
|
|
limit: int = 50,
|
|
):
|
|
"""List agent executions"""
|
|
user: User = request.state.user
|
|
executions = await opc_db.get_agent_executions(task_id=task_id, agent_id=agent_id, status=status, limit=limit)
|
|
|
|
# Get all tasks for filtering
|
|
if user.role != "admin":
|
|
# Fetch tasks to check authorization
|
|
task_ids = list(set(e["task_id"] for e in executions))
|
|
tasks = []
|
|
for tid in task_ids:
|
|
task = await opc_db.get_task_by_id(tid)
|
|
if task:
|
|
tasks.append(task)
|
|
tasks_by_id = {t["id"]: t for t in tasks}
|
|
executions = OPCAuthz.filter_executions(user, executions, tasks_by_id)
|
|
|
|
return {"items": executions}
|
|
|
|
|
|
@router.get("/executions/{execution_id}")
|
|
async def get_execution(
|
|
execution_id: int,
|
|
request: Request,
|
|
):
|
|
"""Get execution details"""
|
|
user: User = request.state.user
|
|
execution = await opc_db.get_agent_execution(execution_id)
|
|
if not execution:
|
|
raise HTTPException(status_code=404, detail="Execution not found")
|
|
|
|
# Get task to check authorization
|
|
task = await opc_db.get_task_by_id(execution["task_id"])
|
|
if not task:
|
|
raise HTTPException(status_code=404, detail="Task not found")
|
|
|
|
# Check authorization
|
|
OPCAuthz.require_execution_view(user, execution, task)
|
|
|
|
return execution
|
|
|
|
|
|
@router.post("/executions/{execution_id}/approve")
|
|
async def approve_execution(
|
|
execution_id: int,
|
|
approval: ExecutionApproval,
|
|
request: Request,
|
|
):
|
|
"""Approve or reject agent execution (for CxO level actions)"""
|
|
user: User = request.state.user
|
|
|
|
# Get execution
|
|
execution = await opc_db.get_agent_execution(execution_id)
|
|
if not execution:
|
|
raise HTTPException(status_code=404, detail="Execution not found")
|
|
|
|
# Check authorization (only admins can approve)
|
|
OPCAuthz.require_execution_approve(user, execution)
|
|
|
|
try:
|
|
execution = await opc_db.approve_agent_execution(
|
|
execution_id=execution_id, approved=approval.approved, approved_by=user.username, feedback=approval.feedback
|
|
)
|
|
return execution
|
|
except ValueError as e:
|
|
logger.exception("Failed to approve agent execution %s", execution_id)
|
|
raise HTTPException(status_code=404, detail="Execution not found")
|