Spaces:
Runtime error
Runtime error
File size: 7,075 Bytes
b6ecafa | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 | import { NextRequest, NextResponse } from 'next/server'
import { createHash } from 'node:crypto'
import { requireRole } from '@/lib/auth'
import { config } from '@/lib/config'
import { logger } from '@/lib/logger'
import path from 'node:path'
function gatewayUrl(p: string): string {
return `http://${config.gatewayHost}:${config.gatewayPort}${p}`
}
function execApprovalsPath(): string {
return path.join(config.openclawHome, 'exec-approvals.json')
}
function computeHash(raw: string): string {
return createHash('sha256').update(raw, 'utf8').digest('hex')
}
/**
* GET /api/exec-approvals - Fetch pending execution approval requests
* GET /api/exec-approvals?action=allowlist - Fetch per-agent allowlists
*/
export async function GET(request: NextRequest) {
const auth = requireRole(request, 'operator')
if ('error' in auth) return NextResponse.json({ error: auth.error }, { status: auth.status })
const action = request.nextUrl.searchParams.get('action')
if (action === 'allowlist') {
return getAllowlist()
}
const controller = new AbortController()
const timeout = setTimeout(() => controller.abort(), 5000)
try {
const res = await fetch(gatewayUrl('/api/exec-approvals'), {
signal: controller.signal,
headers: { 'Accept': 'application/json' },
})
clearTimeout(timeout)
if (!res.ok) {
logger.warn({ status: res.status }, 'Gateway exec-approvals endpoint returned error')
return NextResponse.json({ approvals: [] })
}
const data = await res.json()
return NextResponse.json(data)
} catch (err: any) {
clearTimeout(timeout)
if (err.name === 'AbortError') {
logger.warn('Gateway exec-approvals request timed out')
} else {
logger.warn({ err }, 'Gateway exec-approvals unreachable')
}
return NextResponse.json({ approvals: [] })
}
}
async function getAllowlist(): Promise<NextResponse> {
const filePath = execApprovalsPath()
try {
const { readFile } = require('fs/promises')
const raw = await readFile(filePath, 'utf-8')
const parsed = JSON.parse(raw)
const agents: Record<string, { pattern: string }[]> = {}
if (parsed?.agents && typeof parsed.agents === 'object') {
for (const [agentId, agentConfig] of Object.entries(parsed.agents)) {
const cfg = agentConfig as any
if (Array.isArray(cfg?.allowlist)) {
agents[agentId] = cfg.allowlist.map((e: any) => ({ pattern: String(e?.pattern ?? '') }))
} else {
agents[agentId] = []
}
}
}
return NextResponse.json({ agents, hash: computeHash(raw) })
} catch (err: any) {
if (err.code === 'ENOENT') {
return NextResponse.json({ agents: {}, hash: computeHash('') })
}
logger.warn({ err }, 'Failed to read exec-approvals config')
return NextResponse.json({ error: `Failed to read config: ${err.message}` }, { status: 500 })
}
}
/**
* PUT /api/exec-approvals - Save allowlist changes
* Body: { agents: Record<string, { pattern: string }[]>, hash?: string }
*/
export async function PUT(request: NextRequest) {
const auth = requireRole(request, 'operator')
if ('error' in auth) return NextResponse.json({ error: auth.error }, { status: auth.status })
let body: { agents: Record<string, { pattern: string }[]>; hash?: string }
try {
body = await request.json()
} catch {
return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 })
}
if (!body.agents || typeof body.agents !== 'object') {
return NextResponse.json({ error: 'Missing required field: agents' }, { status: 400 })
}
const filePath = execApprovalsPath()
try {
const { readFile, writeFile, mkdir } = require('fs/promises')
const { existsSync } = require('fs')
let parsed: any = { version: 1, agents: {} }
try {
const raw = await readFile(filePath, 'utf-8')
parsed = JSON.parse(raw)
if (body.hash) {
const serverHash = computeHash(raw)
if (body.hash !== serverHash) {
return NextResponse.json(
{ error: 'Config has been modified. Please reload and try again.', code: 'CONFLICT' },
{ status: 409 },
)
}
}
} catch (err: any) {
if (err.code !== 'ENOENT') throw err
}
if (!parsed.agents) parsed.agents = {}
for (const [agentId, patterns] of Object.entries(body.agents)) {
if (!parsed.agents[agentId]) parsed.agents[agentId] = {}
if (patterns.length === 0) {
delete parsed.agents[agentId].allowlist
} else {
parsed.agents[agentId].allowlist = patterns.map((p: { pattern: string }) => ({
pattern: String(p.pattern ?? ''),
}))
}
}
const dir = path.dirname(filePath)
if (!existsSync(dir)) {
await mkdir(dir, { recursive: true })
}
const newRaw = JSON.stringify(parsed, null, 2) + '\n'
await writeFile(filePath, newRaw, { mode: 0o600 })
return NextResponse.json({ ok: true, hash: computeHash(newRaw) })
} catch (err: any) {
logger.error({ err }, 'Failed to save exec-approvals config')
return NextResponse.json({ error: `Failed to save: ${err.message}` }, { status: 500 })
}
}
/**
* POST /api/exec-approvals - Respond to an execution approval request
* Body: { id: string, action: 'approve' | 'deny' | 'always_allow', reason?: string }
*/
export async function POST(request: NextRequest) {
const auth = requireRole(request, 'operator')
if ('error' in auth) return NextResponse.json({ error: auth.error }, { status: auth.status })
let body: { id: string; action: string; reason?: string }
try {
body = await request.json()
} catch {
return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 })
}
if (!body.id || typeof body.id !== 'string') {
return NextResponse.json({ error: 'Missing required field: id' }, { status: 400 })
}
const validActions = ['approve', 'deny', 'always_allow']
if (!validActions.includes(body.action)) {
return NextResponse.json({ error: `Invalid action. Must be one of: ${validActions.join(', ')}` }, { status: 400 })
}
const controller = new AbortController()
const timeout = setTimeout(() => controller.abort(), 5000)
try {
const res = await fetch(gatewayUrl('/api/exec-approvals/respond'), {
method: 'POST',
signal: controller.signal,
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
id: body.id,
action: body.action,
reason: body.reason,
}),
})
clearTimeout(timeout)
const data = await res.json()
return NextResponse.json(data, { status: res.status })
} catch (err: any) {
clearTimeout(timeout)
if (err.name === 'AbortError') {
logger.error('Gateway exec-approvals respond request timed out')
return NextResponse.json({ error: 'Gateway request timed out' }, { status: 504 })
}
logger.error({ err }, 'Gateway exec-approvals respond failed')
return NextResponse.json({ error: 'Gateway unreachable' }, { status: 502 })
}
}
|