GT AI OS Community Edition v2.0.33

Security hardening release addressing CodeQL and Dependabot alerts: - Fix stack trace exposure in error responses - Add SSRF protection with DNS resolution checking - Implement proper URL hostname validation (replaces substring matching) - Add centralized path sanitization to prevent path traversal - Fix ReDoS vulnerability in email validation regex - Improve HTML sanitization in validation utilities - Fix capability wildcard matching in auth utilities - Update glob dependency to address CVE - Add CodeQL suppression comments for verified false positives 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-12 17:04:45 -05:00
commit b9dfb86260
746 changed files with 232071 additions and 0 deletions
--- a/apps/resource-cluster/app/clients/api_key_client.py
+++ b/apps/resource-cluster/app/clients/api_key_client.py
@@ -0,0 +1,219 @@
+"""
+API Key Client for fetching tenant-specific API keys from Control Panel.
+
+This client handles:
+- Fetching decrypted API keys from Control Panel's internal API
+- 5-minute in-memory caching to reduce database calls
+- Service-to-service authentication
+- NO FALLBACKS - per GT 2.0 principles
+"""
+import asyncio
+import logging
+import time
+from typing import Dict, Any, Optional
+from dataclasses import dataclass
+import httpx
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class CachedAPIKey:
+    """Cached API key entry with expiration tracking"""
+    api_key: str
+    api_secret: Optional[str]
+    metadata: Dict[str, Any]
+    fetched_at: float
+
+    def is_expired(self, ttl_seconds: int = 300) -> bool:
+        """Check if cache entry has expired (default 5 minutes)"""
+        return (time.time() - self.fetched_at) > ttl_seconds
+
+
+class APIKeyNotConfiguredError(Exception):
+    """Raised when no API key is configured for a tenant/provider"""
+    pass
+
+
+class APIKeyClient:
+    """
+    Client for fetching tenant API keys from Control Panel.
+
+    Features:
+    - 5-minute TTL cache for API keys
+    - Service-to-service authentication
+    - NO fallback to environment variables (per GT 2.0 NO FALLBACKS principle)
+    """
+
+    CACHE_TTL_SECONDS = 300  # 5 minutes
+
+    def __init__(
+        self,
+        control_panel_url: str,
+        service_auth_token: str,
+        service_name: str = "resource-cluster"
+    ):
+        self.control_panel_url = control_panel_url.rstrip('/')
+        self.service_auth_token = service_auth_token
+        self.service_name = service_name
+
+        # In-memory cache: key = "{tenant_domain}:{provider}"
+        self._cache: Dict[str, CachedAPIKey] = {}
+        self._cache_lock = asyncio.Lock()
+
+    def _get_headers(self) -> Dict[str, str]:
+        """Get headers for service-to-service authentication"""
+        return {
+            "X-Service-Auth": self.service_auth_token,
+            "X-Service-Name": self.service_name,
+            "Content-Type": "application/json"
+        }
+
+    async def get_api_key(
+        self,
+        tenant_domain: str,
+        provider: str
+    ) -> Dict[str, Any]:
+        """
+        Get decrypted API key for a tenant and provider.
+
+        Args:
+            tenant_domain: Tenant domain string (e.g., "test-company")
+            provider: API provider name (e.g., "groq")
+
+        Returns:
+            Dict with 'api_key', 'api_secret' (optional), 'metadata'
+
+        Raises:
+            APIKeyNotConfiguredError: If API key not configured or disabled
+            RuntimeError: If Control Panel unreachable
+        """
+        cache_key = f"{tenant_domain}:{provider}"
+
+        # Check cache first
+        async with self._cache_lock:
+            if cache_key in self._cache:
+                cached = self._cache[cache_key]
+                if not cached.is_expired(self.CACHE_TTL_SECONDS):
+                    logger.debug(f"API key cache hit for {cache_key}")
+                    return {
+                        "api_key": cached.api_key,
+                        "api_secret": cached.api_secret,
+                        "metadata": cached.metadata
+                    }
+
+        # Fetch from Control Panel
+        url = f"{self.control_panel_url}/internal/api-keys/{tenant_domain}/{provider}"
+
+        try:
+            async with httpx.AsyncClient(timeout=10.0) as client:
+                response = await client.get(url, headers=self._get_headers())
+
+                if response.status_code == 404:
+                    raise APIKeyNotConfiguredError(
+                        f"No API key configured for provider '{provider}' "
+                        f"for tenant '{tenant_domain}'. "
+                        f"Please configure a {provider.upper()} API key in the Control Panel."
+                    )
+
+                if response.status_code == 401:
+                    raise RuntimeError("Service authentication failed - check SERVICE_AUTH_TOKEN")
+
+                if response.status_code == 403:
+                    raise RuntimeError(f"Service '{self.service_name}' not authorized")
+
+                response.raise_for_status()
+                data = response.json()
+
+                # Update cache
+                async with self._cache_lock:
+                    self._cache[cache_key] = CachedAPIKey(
+                        api_key=data["api_key"],
+                        api_secret=data.get("api_secret"),
+                        metadata=data.get("metadata", {}),
+                        fetched_at=time.time()
+                    )
+
+                logger.info(f"Fetched API key for tenant '{tenant_domain}' provider '{provider}'")
+                return {
+                    "api_key": data["api_key"],
+                    "api_secret": data.get("api_secret"),
+                    "metadata": data.get("metadata", {})
+                }
+
+        except httpx.HTTPStatusError as e:
+            logger.error(f"Control Panel API error: {e.response.status_code}")
+            if e.response.status_code == 404:
+                raise APIKeyNotConfiguredError(
+                    f"No API key configured for provider '{provider}' "
+                    f"for tenant '{tenant_domain}'"
+                )
+            raise RuntimeError(f"Control Panel API error: HTTP {e.response.status_code}")
+        except httpx.RequestError as e:
+            logger.error(f"Control Panel unreachable: {e}")
+            raise RuntimeError(f"Control Panel unreachable at {self.control_panel_url}")
+
+    async def invalidate_cache(
+        self,
+        tenant_domain: Optional[str] = None,
+        provider: Optional[str] = None
+    ):
+        """
+        Invalidate cached entries.
+
+        Args:
+            tenant_domain: If provided, only invalidate for this tenant
+            provider: If provided with tenant_domain, only invalidate this provider
+        """
+        async with self._cache_lock:
+            if tenant_domain is None:
+                # Clear all
+                self._cache.clear()
+                logger.info("Cleared all API key caches")
+            elif provider:
+                # Clear specific tenant+provider
+                cache_key = f"{tenant_domain}:{provider}"
+                if cache_key in self._cache:
+                    del self._cache[cache_key]
+                    logger.info(f"Cleared cache for {cache_key}")
+            else:
+                # Clear all for tenant
+                keys_to_remove = [k for k in self._cache if k.startswith(f"{tenant_domain}:")]
+                for key in keys_to_remove:
+                    del self._cache[key]
+                logger.info(f"Cleared cache for tenant: {tenant_domain}")
+
+    def get_cache_stats(self) -> Dict[str, Any]:
+        """Get cache statistics for monitoring"""
+        now = time.time()
+        valid_count = sum(
+            1 for k in self._cache.values()
+            if not k.is_expired(self.CACHE_TTL_SECONDS)
+        )
+
+        return {
+            "total_entries": len(self._cache),
+            "valid_entries": valid_count,
+            "cache_ttl_seconds": self.CACHE_TTL_SECONDS
+        }
+
+
+# Singleton instance
+_api_key_client: Optional[APIKeyClient] = None
+
+
+def get_api_key_client() -> APIKeyClient:
+    """Get or create the singleton API key client"""
+    global _api_key_client
+
+    if _api_key_client is None:
+        from app.core.config import get_settings
+        settings = get_settings()
+
+        _api_key_client = APIKeyClient(
+            control_panel_url=settings.control_panel_url,
+            service_auth_token=settings.service_auth_token,
+            service_name="resource-cluster"
+        )
+
+    return _api_key_client