-
Notifications
You must be signed in to change notification settings - Fork 593
Feat/webCaseCenter #615
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Feat/webCaseCenter #615
Changes from all commits
1016d08
28b7e04
c3146d7
8fe0351
0d69f17
066272b
d43818f
5aa71ec
db1bd84
8d4f2ae
2355d65
c3d72ef
bdd54ce
498ab2f
700ae7d
91ba368
0d38305
a2581a9
5fd56e6
3dddd16
773e58e
9c5f490
60711d7
e2fa455
3f3ce4c
319ee1f
02e537b
78cd722
f805f29
c42d21f
11ae1b2
94457ef
21a0404
b365870
9dca70b
f9750fa
971a0ab
8666604
9ad7669
e9f00e1
43126b0
3c67584
2c127c5
de06ed9
841cc03
ac10da4
a22425d
31104ce
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -71,6 +71,52 @@ pub struct ServerConfig { | |
| /// Example: mysql://cube:cube_pass@127.0.0.1:3306/cube_mvp | ||
| #[serde(default = "default_database_url")] | ||
| pub database_url: Option<String>, | ||
|
|
||
| /// Default template ID used by the Examples runner. | ||
| /// Env var: CUBE_TEMPLATE_ID | ||
| #[serde(default = "default_template_id")] | ||
| pub default_template_id: Option<String>, | ||
|
|
||
| /// CubeAPI URL used by the Examples runner (passed as CUBE_API_URL to scripts). | ||
| /// Env var: CUBE_API_URL (default "http://127.0.0.1:3000") | ||
| #[serde(default = "default_cube_api_url")] | ||
| pub cube_api_url: Option<String>, | ||
|
|
||
| /// CubeProxy node IP for bypassing DNS resolution (passed as CUBE_PROXY_NODE_IP). | ||
| /// Env var: CUBE_PROXY_NODE_IP | ||
| #[serde(default)] | ||
| pub cube_proxy_node_ip: Option<String>, | ||
|
|
||
| /// CubeProxy HTTP port (passed as CUBE_PROXY_PORT_HTTP). | ||
| /// Env var: CUBE_PROXY_PORT_HTTP (no default; omitted when unset) | ||
| #[serde(default = "default_cube_proxy_port_http")] | ||
| pub cube_proxy_port_http: Option<u16>, | ||
|
|
||
| /// Base URL of the sandbox proxy used to reach in-sandbox services | ||
| /// (envd / Jupyter). Env var: AGENTHUB_SANDBOX_PROXY_URL (default | ||
| /// "http://127.0.0.1"). | ||
| #[serde(default = "default_sandbox_proxy_url")] | ||
| pub sandbox_proxy_url: String, | ||
|
|
||
| /// `Authorization` header value used for internal service-to-service auth | ||
| /// with the in-sandbox envd / Jupyter endpoints. | ||
| /// | ||
| /// **Security**: this is a credential and must never be hardcoded in | ||
| /// business logic. It is sourced from the environment so deployments can | ||
| /// rotate it without code changes. Env var: CUBE_API_ENVD_AUTH (default | ||
| /// `Basic cm9vdDo=`, i.e. the envd built-in `root:` with an empty | ||
| /// password — override it in any non-local environment). | ||
| #[serde(default = "default_envd_auth")] | ||
| pub envd_auth: String, | ||
|
|
||
| /// Fallback CUBE_API_KEY injected into example subprocesses when the | ||
| /// parent process does not export CUBE_API_KEY. | ||
| /// | ||
| /// Intended for sandbox/demo deployments to provide an out-of-the-box | ||
| /// experience. In production, leave this unset and export CUBE_API_KEY | ||
| /// directly. Env var: CUBE_API_DEFAULT_KEY | ||
| #[serde(default = "default_api_key")] | ||
| pub default_api_key: Option<String>, | ||
| } | ||
|
|
||
| fn default_bind() -> String { | ||
|
|
@@ -109,6 +155,35 @@ fn default_database_url() -> Option<String> { | |
| .ok() | ||
| .or_else(default_cube_sandbox_mysql_url) | ||
| } | ||
| fn default_template_id() -> Option<String> { | ||
| std::env::var("CUBE_TEMPLATE_ID") | ||
| .ok() | ||
| .filter(|s| !s.is_empty()) | ||
| } | ||
| fn default_cube_api_url() -> Option<String> { | ||
| std::env::var("CUBE_API_URL") | ||
| .ok() | ||
| .filter(|s| !s.is_empty()) | ||
| .or_else(|| Some("http://127.0.0.1:3000".to_string())) | ||
| } | ||
|
|
||
| fn default_cube_proxy_port_http() -> Option<u16> { | ||
| std::env::var("CUBE_PROXY_PORT_HTTP") | ||
| .ok() | ||
| .and_then(|s| s.parse().ok()) | ||
| } | ||
| fn default_sandbox_proxy_url() -> String { | ||
| std::env::var("AGENTHUB_SANDBOX_PROXY_URL").unwrap_or_else(|_| "http://127.0.0.1".to_string()) | ||
| } | ||
| fn default_envd_auth() -> String { | ||
| std::env::var("CUBE_API_ENVD_AUTH").unwrap_or_else(|_| "Basic cm9vdDo=".to_string()) | ||
| } | ||
| fn default_api_key() -> Option<String> { | ||
| std::env::var("CUBE_API_DEFAULT_KEY") | ||
| .ok() | ||
| .filter(|s| !s.is_empty()) | ||
| .or_else(|| Some("cube_0000000000000000000000000000000000000000".to_string())) | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Security: Hardcoded fallback API key When Suggestion: Remove the hardcoded fallback and require explicit configuration. Log a loud warning at startup if the env var is unset. |
||
| } | ||
|
|
||
| fn default_cube_sandbox_mysql_url() -> Option<String> { | ||
| let host = std::env::var("CUBE_SANDBOX_MYSQL_HOST").ok()?; | ||
|
|
@@ -148,6 +223,13 @@ impl Default for ServerConfig { | |
| log_prefix: default_log_prefix(), | ||
| auth_callback_url: None, | ||
| database_url: default_database_url(), | ||
| default_template_id: default_template_id(), | ||
| cube_api_url: default_cube_api_url(), | ||
| cube_proxy_node_ip: None, | ||
| cube_proxy_port_http: default_cube_proxy_port_http(), | ||
| sandbox_proxy_url: default_sandbox_proxy_url(), | ||
| envd_auth: default_envd_auth(), | ||
| default_api_key: default_api_key(), | ||
| } | ||
| } | ||
| } | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| // Copyright (c) 2024 Tencent Inc. | ||
| // SPDX-License-Identifier: Apache-2.0 | ||
| // | ||
| //! Example registry and topology templates. | ||
| //! | ||
| //! Pure-data modules with no async dependencies; they are consumed by | ||
| //! [`crate::services::examples::ExampleService`]. | ||
|
|
||
| pub mod registry; | ||
| pub mod topology; | ||
|
|
||
| pub use registry::{file_languages, scenario_registry, FileSpec, ScenarioSpec}; | ||
| pub use topology::{topology_with_status, TopologyGraph}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security: Default envd_auth is a well-known base64 value
The default
Basic cm9vdDo=decodes toroot:with an empty password — the envd built-in default. This shared credential is sent to every sandbox's Jupyter/envd endpoint. Anyone who learns it (including by running code in their own sandbox and observing request headers) can access the in-sandbox services of other sandboxes. Use per-sandbox credentials (the sandbox detail already includes anenvd_access_tokenfield) instead of a cluster-wide shared secret.