fix: 限定 Aipod 工具凭据最小集合
This commit is contained in:
@@ -579,8 +579,10 @@ export function agentRunExecutionPolicyWithLaneCredentials(basePolicy: Record<st
|
||||
},
|
||||
};
|
||||
});
|
||||
const toolCredentialRefs = includeToolCredentials ? agentRunToolCredentialRefs(spec) : [];
|
||||
if (includeToolCredentials) validateBasePolicyToolCredentials(basePolicy, toolCredentialRefs, target);
|
||||
const laneToolCredentialRefs = includeToolCredentials ? agentRunToolCredentialRefs(spec) : [];
|
||||
const toolCredentialRefs = includeToolCredentials
|
||||
? selectBasePolicyToolCredentials(basePolicy, laneToolCredentialRefs, target)
|
||||
: [];
|
||||
const toolCredentials = toolCredentialRefs.map((credential) => {
|
||||
if (credential.secretRef.namespace !== spec.runtime.namespace) {
|
||||
throw new AgentRunRestError("validation-failed", `toolCredential ${credential.tool} Secret ${credential.secretRef.name} is in namespace ${credential.secretRef.namespace}, expected target lane namespace ${spec.runtime.namespace}`);
|
||||
@@ -626,14 +628,16 @@ export function agentRunToolCredentialRefs(spec: AgentRunLaneSpec): AgentRunTool
|
||||
}));
|
||||
}
|
||||
|
||||
function validateBasePolicyToolCredentials(basePolicy: Record<string, unknown>, laneCredentials: readonly AgentRunToolCredentialRef[], target: AgentRunSessionPolicyTarget): void {
|
||||
const rawCredentials = record(basePolicy.secretScope).toolCredentials;
|
||||
if (rawCredentials === undefined || rawCredentials === null) return;
|
||||
function selectBasePolicyToolCredentials(basePolicy: Record<string, unknown>, laneCredentials: readonly AgentRunToolCredentialRef[], target: AgentRunSessionPolicyTarget): AgentRunToolCredentialRef[] {
|
||||
const secretScope = record(basePolicy.secretScope);
|
||||
if (!Object.hasOwn(secretScope, "toolCredentials")) return [...laneCredentials];
|
||||
const rawCredentials = secretScope.toolCredentials;
|
||||
if (!Array.isArray(rawCredentials)) {
|
||||
throw new AgentRunRestError("validation-failed", "executionPolicy.secretScope.toolCredentials must be an array when lane tool credentials are enabled");
|
||||
}
|
||||
const laneByIdentity = new Map(laneCredentials.map((credential) => [`${credential.tool}\0${credential.purpose}`, credential]));
|
||||
const seen = new Set<string>();
|
||||
const selected: AgentRunToolCredentialRef[] = [];
|
||||
for (const [index, rawCredential] of rawCredentials.entries()) {
|
||||
const credential = record(rawCredential);
|
||||
const tool = stringOrNull(credential.tool);
|
||||
@@ -664,7 +668,9 @@ function validateBasePolicyToolCredentials(basePolicy: Record<string, unknown>,
|
||||
if (!toolCredentialProjectionMatches(record(credential.projection), laneCredential.projection)) {
|
||||
throw new AgentRunRestError("validation-failed", `executionPolicy toolCredential ${tool}/${purpose} projection conflicts with YAML lane ${target.spec.nodeId}/${target.spec.lane}`);
|
||||
}
|
||||
selected.push(laneCredential);
|
||||
}
|
||||
return selected;
|
||||
}
|
||||
|
||||
function normalizedCredentialKeys(value: unknown): string[] | null {
|
||||
|
||||
Reference in New Issue
Block a user