
feat(auth): migrate from token-based to RAM signature authentication #65

Merged
OhYee merged 7 commits into main from feat-new-auth
Mar 30, 2026
Conversation

@OhYee
Member

@OhYee OhYee commented Mar 9, 2026

Migrate authentication mechanism from token-based approach to RAM signature authentication for enhanced security. The changes replace the existing access token system with Alibaba Cloud's Resource Access Management (RAM) signature verification, requiring users to configure access key ID and secret for API calls. Updates include implementation of RAM signature generation, modification of authentication endpoints with '-ram' suffix, and comprehensive updates to all API clients across runtime, sandbox, and toolset modules.

This migration affects all API interactions within the SDK, including data API operations, browser automation endpoints, and OpenAI integration points. The new authentication system provides improved security through signature-based verification while maintaining backward compatibility for existing configurations.

The changes also include updates to test suites to validate the new authentication flow and ensure proper handling of both authenticated and unauthenticated requests.

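Migrate the authentication mechanism from a token-based approach to RAM signature authentication to improve security. The changes replace the existing access token system with Alibaba Cloud Resource Access Management (RAM) signature verification, requiring users to configure an access key ID and secret for API calls. Updates include implementing RAM signature generation, modifying authentication endpoints with the '-ram' suffix, and comprehensively updating all API clients in the runtime, sandbox, and toolset modules.

This migration affects all API interactions within the SDK, including data API operations, browser automation endpoints, and OpenAI integration points. The new authentication system provides enhanced security through signature-based verification while maintaining backward compatibility for existing configurations.

The changes also include updating the test suites to validate the new authentication flow and to ensure that both authenticated and unauthenticated requests are handled correctly.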

Change-Id: I2585151e1acab0f476d9ba9ed909aabd212e5f2c

Thank you for creating a pull request to contribute to Serverless Devs agentrun-sdk-python code! Before you open the request please answer the following questions to help it be more easily integrated. Please check the boxes "[ ]" with "[x]" when done too.
Please select one of the PR types below to complete


Fix bugs

Bug detail

The specific manifestation of the bug or the associated issue.

Pull request tasks

  • Add test cases for the changes
  • Passed the CI test

Update docs

Reason for update

Why do you need to update your documentation?

Pull request tasks

  • Update Chinese documentation
  • Update English documentation

Add contributor

Contributed content

  • Code
  • Document

Content detail

if content_type == 'code' || content_type == 'document':
    please tell us `PR url`,like: https://github.com/Serverless-Devs/agentrun-sdk-python/pull/1
else:
    please describe your contribution in detail

Others

Reason for update

Why do you need to update your documentation?

OhYee and others added 4 commits March 9, 2026 14:43
Migrate authentication mechanism from token-based approach to RAM signature authentication for enhanced security. The changes replace the existing access token system with Alibaba Cloud's Resource Access Management (RAM) signature verification, requiring users to configure access key ID and secret for API calls. Updates include implementation of RAM signature generation, modification of authentication endpoints with '-ram' suffix, and comprehensive updates to all API clients across runtime, sandbox, and toolset modules.

This migration affects all API interactions within the SDK, including data API operations, browser automation endpoints, and OpenAI integration points. The new authentication system provides improved security through signature-based verification while maintaining backward compatibility for existing configurations.

The changes also include updates to test suites to validate the new authentication flow and ensure proper handling of both authenticated and unauthenticated requests.

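Migrate the authentication mechanism from a token-based approach to RAM signature authentication to improve security. The changes replace the existing access token system with Alibaba Cloud Resource Access Management (RAM) signature verification, requiring users to configure an access key ID and secret for API calls. Updates include implementing RAM signature generation, modifying authentication endpoints with the '-ram' suffix, and comprehensively updating all API clients in the runtime, sandbox, and toolset modules.

This migration affects all API interactions within the SDK, including data API operations, browser automation endpoints, and OpenAI integration points. The new authentication system provides enhanced security through signature-based verification while maintaining backward compatibility for existing configurations.

The changes also include updating the test suites to validate the new authentication flow and to ensure that both authenticated and unauthenticated requests are handled correctly.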

Change-Id: I2585151e1acab0f476d9ba9ed909aabd212e5f2c
Signed-off-by: OhYee <oyohyee@oyohyee.com>
…rmatting

Add explicit return None statements in ToolSet methods and improve code
formatting for better readability and consistency across the codebase.

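Add explicit return statements in ToolSet methods and improve code formatting

Add explicit return None statements in ToolSet methods, and improve code formatting to increase the consistency and readability of the codebase.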

Change-Id: Icd499f1ccb977bc443f690d81b0694535dc1b99a
Signed-off-by: OhYee <oyohyee@oyohyee.com>
The _get_openapi_base_url method was refactored to remove complex FC region
logic and simplify URL selection. The implementation now prioritizes
intranet URLs when available, falling back to internet URLs. This change
improves code readability and maintainability while maintaining the same
functional behavior.

Additionally, comprehensive test suites were added for RAM signature
helper functions, ControlAPI client methods, and exception handling to
ensure robust authentication and error management.

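Test suites were added to validate the RAM signature helper functions,
ControlAPI client methods, and exception handling, ensuring robust authentication and error management.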

Change-Id: Ia9d8ff6d2bfd37ec858413f13686fcee8fd6d912
Signed-off-by: OhYee <oyohyee@oyohyee.com>
…endpoints

adds comprehensive RAM signature authentication support for both OpenAPI and MCP tool invocations. introduces automatic URL rewriting to -ram endpoints when targeting agentrun-data domains, dynamic signature generation per request, and proper header injection. enhances error handling with detailed logging for HTTP status failures and removes deprecated debug functions.

The implementation includes:
- httpx Auth handler for dynamic RAM signature calculation per request
- automatic URL rewriting from agentrun-data to -ram endpoints
- enhanced MCP session with RAM authentication support
- improved OpenAPI tool invocation with RAM signature injection
- better error logging for failed requests
- conditional intranet URL usage based on FC_REGION environment variable
- unified MCP URL resolution with fallback mechanisms

BREAKING CHANGE: replaces assertion-based error handling with ValueError exceptions in MCP URL resolution

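feat(auth): implement RAM signature authentication for agentrun-data endpoints

Adds comprehensive RAM signature authentication support for OpenAPI and MCP tool invocations. Introduces automatic URL rewriting to -ram endpoints, dynamic signature generation, and proper header injection. Enhances error handling with detailed logging for HTTP status failures, and removes deprecated debug functions.

The implementation includes:
- httpx Auth handler for dynamic RAM signature calculation per request
- automatic URL rewriting from agentrun-data to -ram endpoints
- enhanced MCP session with RAM authentication support
- improved OpenAPI tool invocation with RAM signature injection
- improved error logging for failed requests
- conditional intranet URL usage based on the FC_REGION environment variable
- unified MCP URL resolution with fallback mechanisms

BREAKING CHANGE: replaces assertion error handling in MCP URL resolution with ValueError exceptions

BREAKING CHANGE: replaces assertion-based error handling with ValueError exceptions in MCP URL resolution

BREAKING CHANGE: replaces assertion-based error handling with ValueError exceptions in MCP URL resolution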

Change-Id: I415cb816f44f6eca78b7165b96b1fce8fd7d3404
Co-authored-by: Copilot <copilot@github.com>
Signed-off-by: OhYee <oyohyee@oyohyee.com>
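Added example, not the SDK's own code: per-request signing combined with '-ram' host rewriting, as the commit message above describes, using only the Python standard library instead of an httpx Auth handler. The canonical string, the `x-demo-*` header names, the placement of the `-ram` suffix on the first host label and the 300-second window are assumptions; this is not Alibaba Cloud's actual RAM signature format.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

DATA_LABELS = {"agentrun-data", "funagent-data-pre"}  # domain names from the commit messages
MAX_SKEW = 300  # seconds; assumed freshness window


def to_ram_url(url):
    """Rewrite only hosts carrying an exact data-domain label; idempotent."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    if not DATA_LABELS.intersection(labels[1:]) or labels[0].endswith("-ram"):
        return url  # e.g. 'agentrun-data-x' is a different label and is left alone
    labels[0] += "-ram"  # assumed placement of the '-ram' suffix
    netloc = ".".join(labels) + (f":{parts.port}" if parts.port else "")
    return urlunsplit(parts._replace(netloc=netloc))


def canonical(method, url, body, ts):
    """Bind the signature to method, host, path, query, time and body hash."""
    p = urlsplit(url)
    return "\n".join([method.upper(), p.netloc.lower(), p.path or "/", p.query,
                      str(ts), hashlib.sha256(body).hexdigest()])


def sign_request(method, url, body, key_id, secret, ts):
    """Return (final_url, headers); the signature is computed after rewriting."""
    url = to_ram_url(url)
    mac = hmac.new(secret.encode(), canonical(method, url, body, ts).encode(), hashlib.sha256)
    return url, {"x-demo-key-id": key_id, "x-demo-timestamp": str(ts),
                 "x-demo-signature": mac.hexdigest()}


def verify_request(method, url, body, headers, secrets, now):
    """Server side: known key, fresh timestamp, constant-time signature match."""
    secret = secrets.get(headers.get("x-demo-key-id", ""))
    try:
        ts = int(headers.get("x-demo-timestamp", ""))
    except ValueError:
        return False
    if secret is None or abs(now - ts) > MAX_SKEW:
        return False
    expected = hmac.new(secret.encode(), canonical(method, url, body, ts).encode(), hashlib.sha256)
    return hmac.compare_digest(expected.hexdigest().encode(),
                               headers.get("x-demo-signature", "").encode())
```

Because the host is part of the signed string, the URL has to be rewritten before signing; signing the original host and rewriting afterwards would fail verification.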
@Sodawyx Sodawyx self-assigned this Mar 30, 2026
Sodawyx
Sodawyx previously approved these changes Mar 30, 2026
Collaborator

@Sodawyx Sodawyx left a comment

Approve

Update RAM data domains to support both agentrun-data and funagent-data-pre
endpoints, and refine the endpoint resolution logic for RAM authentication.

Improve code formatting and remove unnecessary config parameter
from get_base_url method.

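Update RAM data domains to support both the agentrun-data and funagent-data-pre endpoints,
and refine the endpoint resolution logic for RAM authentication.

Improve code formatting and remove the unnecessary config parameter from the get_base_url method.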

Change-Id: I94555e7dda35fc7b40b232a456d074caacd97024
Co-authored-by: Copilot <copilot@github.com>
Signed-off-by: OhYee <oyohyee@oyohyee.com>
OhYee and others added 2 commits March 30, 2026 15:32
Makefile now conditionally applies the Tsinghua PyPI mirror only when
not running in CI environment, allowing CI to use default package
sources while maintaining local development speed.

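The Makefile now conditionally applies the Tsinghua PyPI mirror depending on whether it is running in a CI environment,
using default package sources in CI while maintaining local development speed.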

test(integration): add type ignore for astream call overload issue

Added type ignore annotation for astream call overload issue in
LangChain integration test to resolve type checking errors while
maintaining functionality.

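Add a type ignore annotation for the astream call overload issue in the LangChain integration test,
resolving type checking errors while maintaining functionality.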

Change-Id: I9b573359f60941aa40936e29f33b6e56248cd810
Signed-off-by: OhYee <oyohyee@oyohyee.com>
Update DataAPI methods to accept optional config parameter for flexible
authentication configuration. This change allows passing custom config
for RAM authentication scenarios while maintaining backward compatibility.

The get_base_url method now accepts an optional config parameter,
and the with_path method also supports optional config injection.
Internal calls have been updated to properly propagate the config.

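Update DataAPI to support an optional config parameter

Update DataAPI methods to accept an optional config parameter for flexible authentication configuration. This change allows passing a custom config for RAM authentication scenarios
while maintaining backward compatibility.

The get_base_url method now accepts an optional config parameter, and the with_path method also supports optional config injection.
Internal calls have been updated to propagate the config correctly.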

Change-Id: Idd69af8d0f65e91733c3e02f1606b883fe5a9a4e
Co-authored-by: Copilot <copilot@github.com>
Signed-off-by: OhYee <oyohyee@oyohyee.com>
@OhYee OhYee merged commit 1d658fb into main Mar 30, 2026
2 checks passed
@OhYee OhYee deleted the feat-new-auth branch March 30, 2026 09:37
2 participants