fix: 支持 AgentRun render-only REST 入口 (#170)
Co-authored-by: AgentRun Codex <agentrun-codex@users.noreply.github.com>
This commit is contained in:
@@ -3,6 +3,8 @@ export type JsonValue = JsonPrimitive | JsonValue[] | { [key: string]: JsonValue
|
||||
export type JsonRecord = { [key: string]: JsonValue };
|
||||
|
||||
export type FailureKind =
|
||||
| "auth-missing"
|
||||
| "auth-failed"
|
||||
| "schema-invalid"
|
||||
| "tenant-policy-denied"
|
||||
| "secret-unavailable"
|
||||
|
||||
+102
@@ -0,0 +1,102 @@
|
||||
import { existsSync, readFileSync } from "node:fs";
|
||||
import type { IncomingMessage } from "node:http";
|
||||
import { AgentRunError } from "../common/errors.js";
|
||||
import type { JsonRecord } from "../common/types.js";
|
||||
|
||||
export interface ManagerAuthConfig {
|
||||
apiKey: string | null;
|
||||
source: string;
|
||||
required?: boolean;
|
||||
}
|
||||
|
||||
export function managerServerAuthConfigFromEnv(env: NodeJS.ProcessEnv = process.env): ManagerAuthConfig {
|
||||
const direct = normalizedSecret(env.AGENTRUN_API_KEY);
|
||||
if (direct) return { apiKey: direct, source: "AGENTRUN_API_KEY", required: true };
|
||||
const file = normalizedSecret(env.AGENTRUN_API_KEY_FILE);
|
||||
if (file) {
|
||||
const fileKey = readEnvFileSecret(file, ["AGENTRUN_API_KEY", "HWLAB_API_KEY"]);
|
||||
return { apiKey: fileKey, source: "AGENTRUN_API_KEY_FILE", required: true };
|
||||
}
|
||||
return { apiKey: null, source: "not-configured", required: false };
|
||||
}
|
||||
|
||||
export function managerClientAuthConfigFromEnv(env: NodeJS.ProcessEnv = process.env): ManagerAuthConfig {
|
||||
const agentRunKey = normalizedSecret(env.AGENTRUN_API_KEY);
|
||||
if (agentRunKey) return { apiKey: agentRunKey, source: "AGENTRUN_API_KEY" };
|
||||
const hwlabKey = normalizedSecret(env.HWLAB_API_KEY);
|
||||
if (hwlabKey) return { apiKey: hwlabKey, source: "HWLAB_API_KEY" };
|
||||
const agentRunFile = normalizedSecret(env.AGENTRUN_API_KEY_FILE);
|
||||
if (agentRunFile) return { apiKey: readEnvFileSecret(agentRunFile, ["AGENTRUN_API_KEY", "HWLAB_API_KEY"]), source: "AGENTRUN_API_KEY_FILE" };
|
||||
const hwlabFile = normalizedSecret(env.HWLAB_API_KEY_FILE);
|
||||
if (hwlabFile) return { apiKey: readEnvFileSecret(hwlabFile, ["HWLAB_API_KEY", "AGENTRUN_API_KEY"]), source: "HWLAB_API_KEY_FILE" };
|
||||
return { apiKey: null, source: "not-configured" };
|
||||
}
|
||||
|
||||
export function assertManagerRequestAuthorized(req: IncomingMessage, path: string, auth: ManagerAuthConfig): void {
|
||||
if (isManagerPublicPath(path)) return;
|
||||
if (!auth.apiKey) {
|
||||
if (auth.required !== true) return;
|
||||
throw new AgentRunError("auth-missing", "agentrun-mgr API key is not configured", {
|
||||
httpStatus: 503,
|
||||
details: { auth: managerAuthSummary(auth) },
|
||||
});
|
||||
}
|
||||
const actual = bearerToken(req.headers.authorization);
|
||||
if (actual !== auth.apiKey) {
|
||||
throw new AgentRunError("auth-failed", "agentrun-mgr API requires Authorization: Bearer <redacted>", {
|
||||
httpStatus: 401,
|
||||
details: { auth: managerAuthSummary(auth) },
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
export function managerAuthSummary(auth: ManagerAuthConfig): JsonRecord {
|
||||
return {
|
||||
required: auth.required === true || auth.apiKey !== null,
|
||||
scheme: "Bearer",
|
||||
source: auth.source,
|
||||
valuesPrinted: false,
|
||||
};
|
||||
}
|
||||
|
||||
export function managerAuthorizationHeader(apiKey: string | null): string | null {
|
||||
return apiKey ? `Bearer ${apiKey}` : null;
|
||||
}
|
||||
|
||||
function isManagerPublicPath(path: string): boolean {
|
||||
return path === "/health" || path === "/health/live" || path === "/health/readiness";
|
||||
}
|
||||
|
||||
function bearerToken(value: string | string[] | undefined): string | null {
|
||||
const header = Array.isArray(value) ? value[0] : value;
|
||||
if (!header) return null;
|
||||
const match = header.match(/^Bearer\s+(.+)$/iu);
|
||||
return match ? normalizedSecret(match[1]) : null;
|
||||
}
|
||||
|
||||
function readEnvFileSecret(file: string, keys: string[]): string | null {
|
||||
if (!existsSync(file)) return null;
|
||||
const text = readFileSync(file, "utf8");
|
||||
for (const line of text.split(/\r?\n/u)) {
|
||||
const trimmed = line.trim();
|
||||
if (!trimmed || trimmed.startsWith("#")) continue;
|
||||
const match = trimmed.match(/^([A-Za-z_][A-Za-z0-9_]*)=(.*)$/u);
|
||||
if (!match || !keys.includes(match[1] ?? "")) continue;
|
||||
return normalizedSecret(unquoteEnvValue(match[2] ?? ""));
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
function unquoteEnvValue(value: string): string {
|
||||
const trimmed = value.trim();
|
||||
if ((trimmed.startsWith('"') && trimmed.endsWith('"')) || (trimmed.startsWith("'") && trimmed.endsWith("'"))) {
|
||||
return trimmed.slice(1, -1);
|
||||
}
|
||||
return trimmed;
|
||||
}
|
||||
|
||||
function normalizedSecret(value: string | undefined | null): string | null {
|
||||
if (typeof value !== "string") return null;
|
||||
const trimmed = value.trim();
|
||||
return trimmed.length > 0 ? trimmed : null;
|
||||
}
|
||||
+11
-3
@@ -1,8 +1,13 @@
|
||||
import type { JsonRecord, JsonValue } from "../common/types.js";
|
||||
import { AgentRunError } from "../common/errors.js";
|
||||
import { managerAuthorizationHeader, managerClientAuthConfigFromEnv } from "./auth.js";
|
||||
|
||||
export interface ManagerClientOptions {
|
||||
apiKey?: string | null;
|
||||
}
|
||||
|
||||
export class ManagerClient {
|
||||
constructor(readonly baseUrl: string) {}
|
||||
constructor(readonly baseUrl: string, readonly options: ManagerClientOptions = {}) {}
|
||||
|
||||
async get(path: string): Promise<JsonValue> {
|
||||
return this.request("GET", path);
|
||||
@@ -25,9 +30,12 @@ export class ManagerClient {
|
||||
}
|
||||
|
||||
private async request(method: string, path: string, body?: JsonValue): Promise<JsonValue> {
|
||||
const init: RequestInit = { method };
|
||||
const headers: Record<string, string> = {};
|
||||
const authHeader = managerAuthorizationHeader(this.options.apiKey === undefined ? managerClientAuthConfigFromEnv().apiKey : this.options.apiKey);
|
||||
if (authHeader) headers.authorization = authHeader;
|
||||
const init: RequestInit = { method, headers };
|
||||
if (body !== undefined) {
|
||||
init.headers = { "content-type": "application/json" };
|
||||
headers["content-type"] = "application/json";
|
||||
init.body = JSON.stringify(body);
|
||||
}
|
||||
const response = await fetch(new URL(path, this.baseUrl), init);
|
||||
|
||||
+8
-3
@@ -14,6 +14,7 @@ import { runnerJobStatusSummary } from "./runner-job-status.js";
|
||||
import { createSessionPvc, deleteSessionPvc, getSessionPvcSummary, refreshSessionPvcSummary, runSessionStorageGc } from "./session-pvc.js";
|
||||
import type { SessionPvcSummary } from "./session-pvc.js";
|
||||
import type { SessionPvcOptions } from "./session-pvc.js";
|
||||
import { assertManagerRequestAuthorized, managerAuthSummary, managerServerAuthConfigFromEnv, type ManagerAuthConfig } from "./auth.js";
|
||||
import { getProviderProfileConfig, getProviderProfileValidation, listBackendCapabilities, listProviderProfiles, removeProviderProfile, setProviderProfileConfig, setProviderProfileCredential, showProviderProfile, validateProviderProfile } from "./provider-profiles.js";
|
||||
import { listToolCredentials, setGithubSshToolCredential, showToolCredential } from "./tool-credentials.js";
|
||||
import { aipodSpecFromInput, applyAipodSpec, deleteAipodSpec, listAipodSpecs, renderAipodSpecByName, showAipodSpec } from "../common/aipod-specs.js";
|
||||
@@ -53,6 +54,7 @@ export interface ManagerServerOptions {
|
||||
providerProfileOptions?: { namespace?: string; kubectlCommand?: string };
|
||||
toolCredentialOptions?: { namespace?: string; kubectlCommand?: string };
|
||||
aipodSpecDir?: string;
|
||||
auth?: ManagerAuthConfig;
|
||||
}
|
||||
|
||||
export interface StartedManagerServer {
|
||||
@@ -69,12 +71,15 @@ export async function startManagerServer(options: ManagerServerOptions = {}): Pr
|
||||
const providerProfileDefaults = options.providerProfileOptions;
|
||||
const toolCredentialDefaults = options.toolCredentialOptions;
|
||||
const aipodSpecDir = options.aipodSpecDir ?? process.env.AGENTRUN_AIPOD_SPEC_DIR;
|
||||
const auth = options.auth ?? managerServerAuthConfigFromEnv();
|
||||
const authSummary = managerAuthSummary(auth);
|
||||
const server = createServer(async (req, res) => {
|
||||
const traceId = `trc_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`;
|
||||
try {
|
||||
const method = req.method ?? "GET";
|
||||
const url = new URL(req.url ?? "/", "http://agentrun.local");
|
||||
const data = await route({ method, url, body: await readBody(req), store, sourceCommit, ...(runnerJobDefaults ? { runnerJobDefaults } : {}), ...(sessionPvcDefaults ? { sessionPvcDefaults } : {}), ...(providerProfileDefaults ? { providerProfileDefaults } : {}), ...(toolCredentialDefaults ? { toolCredentialDefaults } : {}), ...(aipodSpecDir ? { aipodSpecDir } : {}) });
|
||||
assertManagerRequestAuthorized(req, url.pathname, auth);
|
||||
const data = await route({ method, url, body: await readBody(req), store, sourceCommit, authSummary, ...(runnerJobDefaults ? { runnerJobDefaults } : {}), ...(sessionPvcDefaults ? { sessionPvcDefaults } : {}), ...(providerProfileDefaults ? { providerProfileDefaults } : {}), ...(toolCredentialDefaults ? { toolCredentialDefaults } : {}), ...(aipodSpecDir ? { aipodSpecDir } : {}) });
|
||||
writeJson(res, 200, { ok: true, data, traceId });
|
||||
} catch (error) {
|
||||
const agentError = normalizeError(error);
|
||||
@@ -237,12 +242,12 @@ function compactRecoveryActions(value: JsonValue | undefined): JsonValue[] {
|
||||
});
|
||||
}
|
||||
|
||||
async function route({ method, url, body, store, sourceCommit, runnerJobDefaults, sessionPvcDefaults, providerProfileDefaults, toolCredentialDefaults, aipodSpecDir }: { method: string; url: URL; body: unknown; store: AgentRunStore; sourceCommit: string; runnerJobDefaults?: NonNullable<ManagerServerOptions["runnerJobDefaults"]>; sessionPvcDefaults?: NonNullable<ManagerServerOptions["sessionPvcOptions"]>; providerProfileDefaults?: NonNullable<ManagerServerOptions["providerProfileOptions"]>; toolCredentialDefaults?: NonNullable<ManagerServerOptions["toolCredentialOptions"]>; aipodSpecDir?: string }): Promise<JsonValue> {
|
||||
async function route({ method, url, body, store, sourceCommit, authSummary, runnerJobDefaults, sessionPvcDefaults, providerProfileDefaults, toolCredentialDefaults, aipodSpecDir }: { method: string; url: URL; body: unknown; store: AgentRunStore; sourceCommit: string; authSummary?: JsonRecord; runnerJobDefaults?: NonNullable<ManagerServerOptions["runnerJobDefaults"]>; sessionPvcDefaults?: NonNullable<ManagerServerOptions["sessionPvcOptions"]>; providerProfileDefaults?: NonNullable<ManagerServerOptions["providerProfileOptions"]>; toolCredentialDefaults?: NonNullable<ManagerServerOptions["toolCredentialOptions"]>; aipodSpecDir?: string }): Promise<JsonValue> {
|
||||
const path = url.pathname;
|
||||
if (method === "GET" && (path === "/health" || path === "/health/live" || path === "/health/readiness")) {
|
||||
const database = await store.health();
|
||||
const ready = path === "/health/live" ? true : database.ready;
|
||||
return { serviceId: "agentrun-mgr", live: true, ready, database, sourceCommit, runnerWorkReady: staticWorkReadyCapabilitySummary(), secretRefs: { databaseUrl: database.adapter === "postgres" ? "redacted" : "not-used", valuesPrinted: false } };
|
||||
return { serviceId: "agentrun-mgr", live: true, ready, database, sourceCommit, auth: authSummary ?? null, runnerWorkReady: staticWorkReadyCapabilitySummary(), secretRefs: { databaseUrl: database.adapter === "postgres" ? "redacted" : "not-used", valuesPrinted: false } };
|
||||
}
|
||||
if (method === "GET" && path === "/api/v1/backends") return await listBackendCapabilities(providerProfileDefaults) as JsonValue;
|
||||
if (method === "GET" && path === "/api/v1/tool-credentials") return await listToolCredentials(toolCredentialDefaults) as JsonValue;
|
||||
|
||||
@@ -231,6 +231,7 @@ function runnerEnv(options: RunnerJobRenderOptions, context: { namespace: string
|
||||
const codexHome = selectedSecret?.runtimeMountPath ?? defaultRuntimeHome(options.run.backendProfile);
|
||||
return dedupeEnvVars([
|
||||
{ name: "AGENTRUN_MGR_URL", value: options.managerUrl },
|
||||
{ name: "AGENTRUN_API_KEY", valueFrom: { secretKeyRef: { name: "agentrun-v01-api-key", key: "HWLAB_API_KEY" } } },
|
||||
{ name: "AGENTRUN_RUN_ID", value: options.run.id },
|
||||
{ name: "AGENTRUN_COMMAND_ID", value: options.commandId },
|
||||
{ name: "AGENTRUN_ATTEMPT_ID", value: context.attemptId },
|
||||
|
||||
@@ -18,13 +18,36 @@ const selfTest: SelfTestCase = async () => {
|
||||
assert.equal(((health.runnerWorkReady as { valuesPrinted?: unknown } | undefined)?.valuesPrinted), false);
|
||||
assert.ok((((health.runnerWorkReady as { requiredImageTools?: string[] } | undefined)?.requiredImageTools) ?? []).includes("npm"));
|
||||
assert.equal(health.secretRefs?.valuesPrinted, false);
|
||||
await assertManagerAuthBoundary();
|
||||
await assertLongResultUsesTerminalAssistant(client, store);
|
||||
return { name: "manager-memory", tests: ["manager-memory-lifecycle", "manager-result-long-trace"] };
|
||||
return { name: "manager-memory", tests: ["manager-memory-lifecycle", "manager-auth-boundary", "manager-result-long-trace"] };
|
||||
} finally {
|
||||
await new Promise<void>((resolve) => server.server.close(() => resolve()));
|
||||
}
|
||||
};
|
||||
|
||||
async function assertManagerAuthBoundary(): Promise<void> {
|
||||
const store = new MemoryAgentRunStore();
|
||||
const server = await startManagerServer({ port: 0, host: "127.0.0.1", sourceCommit: "self-test", store, auth: { apiKey: "self-test-secret", source: "self-test" } });
|
||||
try {
|
||||
const healthResponse = await fetch(new URL("/health/readiness", server.baseUrl));
|
||||
assert.equal(healthResponse.status, 200);
|
||||
const healthEnvelope = await healthResponse.json() as JsonRecord;
|
||||
assert.equal(healthEnvelope.ok, true);
|
||||
const deniedResponse = await fetch(new URL("/api/v1/queue/tasks", server.baseUrl));
|
||||
assert.equal(deniedResponse.status, 401);
|
||||
const deniedEnvelope = await deniedResponse.json() as JsonRecord;
|
||||
assert.equal(deniedEnvelope.ok, false);
|
||||
assert.equal(deniedEnvelope.failureKind, "auth-failed");
|
||||
assert.equal((deniedEnvelope.message as string).includes("Bearer"), true);
|
||||
const client = new ManagerClient(server.baseUrl, { apiKey: "self-test-secret" });
|
||||
const page = await client.get("/api/v1/queue/tasks") as JsonRecord;
|
||||
assert.equal(Array.isArray(page.items), true);
|
||||
} finally {
|
||||
await new Promise<void>((resolve) => server.server.close(() => resolve()));
|
||||
}
|
||||
}
|
||||
|
||||
async function assertLongResultUsesTerminalAssistant(client: ManagerClient, store: MemoryAgentRunStore): Promise<void> {
|
||||
const run = store.createRun({
|
||||
tenantId: "unidesk",
|
||||
|
||||
@@ -33,6 +33,10 @@ type SelfTestRunContext = Pick<SelfTestContext, "workspace" | "codexHome"> & Par
|
||||
export async function createSelfTestContext(root: string): Promise<SelfTestContext> {
|
||||
const tmp = await mkdtemp(path.join(os.tmpdir(), "agentrun-selftest-"));
|
||||
const previousSelftestWorkReadyBinPath = process.env.AGENTRUN_SELFTEST_WORK_READY_BIN_PATH;
|
||||
const previousAgentRunApiKey = process.env.AGENTRUN_API_KEY;
|
||||
const previousAgentRunApiKeyFile = process.env.AGENTRUN_API_KEY_FILE;
|
||||
delete process.env.AGENTRUN_API_KEY;
|
||||
delete process.env.AGENTRUN_API_KEY_FILE;
|
||||
const codexHome = path.join(tmp, "codex-home");
|
||||
const deepseekHome = path.join(tmp, "deepseek-home");
|
||||
const minimaxM3Home = path.join(tmp, "minimax-m3-home");
|
||||
@@ -67,6 +71,10 @@ export async function createSelfTestContext(root: string): Promise<SelfTestConte
|
||||
cleanup: async () => {
|
||||
if (previousSelftestWorkReadyBinPath === undefined) delete process.env.AGENTRUN_SELFTEST_WORK_READY_BIN_PATH;
|
||||
else process.env.AGENTRUN_SELFTEST_WORK_READY_BIN_PATH = previousSelftestWorkReadyBinPath;
|
||||
if (previousAgentRunApiKey === undefined) delete process.env.AGENTRUN_API_KEY;
|
||||
else process.env.AGENTRUN_API_KEY = previousAgentRunApiKey;
|
||||
if (previousAgentRunApiKeyFile === undefined) delete process.env.AGENTRUN_API_KEY_FILE;
|
||||
else process.env.AGENTRUN_API_KEY_FILE = previousAgentRunApiKeyFile;
|
||||
await rm(tmp, { recursive: true, force: true });
|
||||
},
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user