Merge feat/agentos-auth-rbac-refresh: ingest cak_ auth + introspect path fix

abhi-bhat-lyzr · abhi-bhat-lyzr · commit 25f2b865bc73 · 2026-06-07T14:46:52.000+05:30
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -108,7 +108,7 @@ Resources stamped with `ownerGroup`/`ownerUser` are **hard-isolated**: a non-adm
 - On the **SDK** side: `AGENTOS_INGEST_URL` (e.g. `https://<host>/agentos/api/ingest/events`) + optional `AGENTOS_INGEST_TOKEN` (sent as `Authorization: Bearer …`). No Mongo creds.
 - On the **server** side: `MONGO_URL` + `MONGO_DATABASE` (this is the DB the collections above live in).
 
-**Behaviour:** when `AGENTOS_INGEST_URL` is set, the SDK's default telemetry pipeline auto-attaches `AgentOSHttpSink` (gated on the `[agentos]` extra, which is now `httpx`-based). Each event carries a stable `event_id` so the server's writes are idempotent on retry. ⚠️ When the server's `AGENTOS_INGEST_TOKEN` is unset the ingest route is **open** (anonymous writes) — set it on any network-exposed deployment.
+**Behaviour:** when `AGENTOS_INGEST_URL` is set, the SDK's default telemetry pipeline auto-attaches `AgentOSHttpSink` (gated on the `[agentos]` extra, which is now `httpx`-based). Each event carries a stable `event_id` so the server's writes are idempotent on retry. **Ingest auth** (`ingest-auth.ts`): the SDK presents the **same `cak_` API key it uses everywhere** as the ingest `Bearer`, and the server validates it via `apiKeyStore.verify` (the same path the CAS introspection uses). A legacy static `AGENTOS_INGEST_TOKEN` string is still accepted for back-compat. ⚠️ Only when **no `cak_` is presented AND `AGENTOS_INGEST_TOKEN` is unset** does the route fall **open** (anonymous writes) — present a key (or set the token) on any network-exposed deployment. A presented `cak_` is always validated (invalid → 401, Mongo-down → 503), never waved through.
 
 ---
 
@@ -122,7 +122,7 @@ Resources stamped with `ownerGroup`/`ownerUser` are **hard-isolated**: a non-adm
 
 **Authorization — DB-backed roles.** Keycloak emits role *names* (`realm_access.roles`) + `groups`; AgentOS owns what each role *can do* via the `roles` collection (editable in Settings→Roles). `authenticate → resolvePermissions → authorize(perm)` gates every dashboard route. Permission catalog is code-defined (`auth/permissions.ts`).
 
-**Three guards / trust boundaries** (`app.ts`): SERVICE `/agentos/api/ingest/*` (`requireIngestAuth`, fails open) + `/agentos/api/keys/*` (`requireIntrospectionAuth`, fails closed); DASHBOARD `/agentos/api/v1/*` (`authenticate`); OBS `/v1/*`. `cak_` API keys authenticate at the dashboard boundary too (→ service principal with `groups=[key.group]`).
+**Three guards / trust boundaries** (`app.ts`): SERVICE `/agentos/api/ingest/*` (`requireIngestAuth` — validates the presented `cak_` API key via `apiKeyStore`, legacy `AGENTOS_INGEST_TOKEN` as back-compat, open only when neither is present) + `/agentos/api/keys/*` (`requireIntrospectionAuth`, fails closed); DASHBOARD `/agentos/api/v1/*` (`authenticate`); OBS `/v1/*`. `cak_` API keys authenticate at the dashboard boundary too (→ service principal with `groups=[key.group]`).
 
 **Groups = read-only from Keycloak Admin API** (Settings→Groups). If a user's token lacks the `groups` claim, the server backfills groups from the Admin API at login/refresh (`auth/keycloak-admin.ts:listUserGroups`).
 
@@ -417,7 +417,7 @@ pnpm build && pnpm start                  # node dist/index.js
 | `COOKIE_SECURE` | derived from `NODE_ENV` | Force `true` / `false` explicitly |
 | `AGENTOS_SESSION_SECRET` | random per boot | HMAC secret for the signed BFF cookies (`agentos_session`/`agentos_refresh`). **Set to a stable value in prod** or every session is invalidated on restart |
 | `API_AUTH_USER` + `API_AUTH_PASS` | unset | **Legacy** — no longer gates the dashboard (SSO does, §2.6b). Now only used to build the Basic header for outbound loopback calls to the harness (`caAuthHeader`) |
-| `AGENTOS_INGEST_TOKEN` | unset | Bearer token guarding `POST /agentos/api/ingest/events` (the Python SDK's telemetry ingest). When unset the route is **open** (anonymous writes to registry/logs/sessions) — set it on any network-exposed pod. The SDK must send the same value as `AGENTOS_INGEST_TOKEN`. |
+| `AGENTOS_INGEST_TOKEN` | unset | **Legacy/back-compat** static Bearer for `POST /agentos/api/ingest/events`. Ingest now primarily validates the SDK's `cak_` **API key** (via `apiKeyStore`, the same key it presents to the CAS) — so the normal path needs no separate token: the SDK just sends its `cak_`. This static token is still accepted if presented verbatim. The route is **open** only when no `cak_` is presented *and* this is unset — set one or the other on any network-exposed pod. |
 | **Auth / RBAC** (§2.6b) | — | `KEYCLOAK_ISSUER_URL`, `OIDC_CLIENT_ID`, `OIDC_CLIENT_SECRET` (+ optional `OIDC_AUDIENCE`/`OIDC_REDIRECT_URI`/`OIDC_POST_LOGOUT_URI`/`OIDC_ROLES_CLAIM`/`OIDC_GROUPS_CLAIM`); `AGENTOS_DEFAULT_ROLE`, `AGENTOS_BOOTSTRAP_ADMINS`, `AGENTOS_DEV_AUTH=1` (local only); `KEYCLOAK_ADMIN_CLIENT_ID`/`SECRET` for the Groups view + group backfill. Provision with `pnpm provision:keycloak`. |
 | **Git credentials** (§2.6c) | unset | `AGENTOS_CREDENTIALS_KEY` (base64 32B; **fail-closed** for credentials CRUD/resolve) + optional `AGENTOS_CREDENTIALS_KEY_OLD` for rotation. |
 | `AGENTOS_API_KEY_PEPPER` / `AGENTOS_INTROSPECTION_SECRET` | unset | HMAC pepper for `api_keys` hashing; shared secret guarding `/agentos/api/keys/introspect` (harness↔server) |
diff --git a/packages/agentos-server/src/ingest-auth.test.ts b/packages/agentos-server/src/ingest-auth.test.ts
@@ -0,0 +1,128 @@
+// Unit tests for requireIngestAuth. api-key-store is mocked so the cak_
+// validation path is exercised without Mongo.
+
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+
+const h = vi.hoisted(() => ({ verify: vi.fn() }));
+vi.mock("./stores/api-key-store.js", () => ({
+  apiKeyStore: { verify: h.verify },
+  KEY_PREFIX: "cak_",
+}));
+
+import { requireIngestAuth } from "./ingest-auth.js";
+
+function ctx(authHeader?: string) {
+  const req = {
+    header: (n: string) => (n.toLowerCase() === "authorization" ? authHeader : undefined),
+  } as unknown as import("express").Request;
+  let statusCode = 0;
+  let jsonBody: unknown;
+  const res = {
+    status(c: number) {
+      statusCode = c;
+      return this;
+    },
+    json(b: unknown) {
+      jsonBody = b;
+      return this;
+    },
+  } as unknown as import("express").Response;
+  let passed = false;
+  const next = () => {
+    passed = true;
+  };
+  return {
+    req,
+    res,
+    next,
+    passed: () => passed,
+    status: () => statusCode,
+    body: () => jsonBody as { error?: { code?: string } },
+  };
+}
+
+const ORIGINAL = process.env["AGENTOS_INGEST_TOKEN"];
+
+beforeEach(() => {
+  h.verify.mockReset();
+  delete process.env["AGENTOS_INGEST_TOKEN"];
+});
+
+afterEach(() => {
+  if (ORIGINAL === undefined) delete process.env["AGENTOS_INGEST_TOKEN"];
+  else process.env["AGENTOS_INGEST_TOKEN"] = ORIGINAL;
+});
+
+describe("requireIngestAuth — cak_ API key", () => {
+  it("accepts a valid cak_ key (verified via apiKeyStore)", async () => {
+    h.verify.mockResolvedValue({ active: true, principal: "key_abc", roleIds: [], scopes: ["*"] });
+    const c = ctx("Bearer cak_validkey");
+    await requireIngestAuth(c.req, c.res, c.next);
+    expect(c.passed()).toBe(true);
+    expect(h.verify).toHaveBeenCalledWith("cak_validkey");
+  });
+
+  it("rejects an inactive/unknown cak_ key with 401", async () => {
+    h.verify.mockResolvedValue(null);
+    const c = ctx("Bearer cak_revoked");
+    await requireIngestAuth(c.req, c.res, c.next);
+    expect(c.passed()).toBe(false);
+    expect(c.status()).toBe(401);
+    expect(c.body().error?.code).toBe("UNAUTHENTICATED");
+  });
+
+  it("fails closed with 503 when key verification throws (Mongo down)", async () => {
+    h.verify.mockRejectedValue(new Error("connection refused"));
+    const c = ctx("Bearer cak_whatever");
+    await requireIngestAuth(c.req, c.res, c.next);
+    expect(c.passed()).toBe(false);
+    expect(c.status()).toBe(503);
+    expect(c.body().error?.code).toBe("KEY_VERIFICATION_UNAVAILABLE");
+  });
+
+  it("never consults the legacy token for a cak_ key", async () => {
+    process.env["AGENTOS_INGEST_TOKEN"] = "cak_validkey"; // even if it matches verbatim
+    h.verify.mockResolvedValue(null);
+    const c = ctx("Bearer cak_validkey");
+    await requireIngestAuth(c.req, c.res, c.next);
+    expect(c.status()).toBe(401); // a cak_ must be a real key, not string-equal to the legacy token
+  });
+});
+
+describe("requireIngestAuth — legacy static token (back-compat)", () => {
+  it("accepts a matching AGENTOS_INGEST_TOKEN", async () => {
+    process.env["AGENTOS_INGEST_TOKEN"] = "s3cr3t";
+    const c = ctx("Bearer s3cr3t");
+    await requireIngestAuth(c.req, c.res, c.next);
+    expect(c.passed()).toBe(true);
+    expect(h.verify).not.toHaveBeenCalled();
+  });
+
+  it("rejects a wrong token with 401", async () => {
+    process.env["AGENTOS_INGEST_TOKEN"] = "s3cr3t";
+    const c = ctx("Bearer nope");
+    await requireIngestAuth(c.req, c.res, c.next);
+    expect(c.status()).toBe(401);
+  });
+
+  it("rejects when token is configured but none is presented", async () => {
+    process.env["AGENTOS_INGEST_TOKEN"] = "s3cr3t";
+    const c = ctx(undefined);
+    await requireIngestAuth(c.req, c.res, c.next);
+    expect(c.status()).toBe(401);
+  });
+});
+
+describe("requireIngestAuth — open mode", () => {
+  it("passes when no token is configured and none is presented (network policy)", async () => {
+    const c = ctx(undefined);
+    await requireIngestAuth(c.req, c.res, c.next);
+    expect(c.passed()).toBe(true);
+  });
+
+  it("passes a non-cak bearer when no token is configured", async () => {
+    const c = ctx("Bearer some-random-thing");
+    await requireIngestAuth(c.req, c.res, c.next);
+    expect(c.passed()).toBe(true);
+  });
+});
diff --git a/packages/agentos-server/src/ingest-auth.ts b/packages/agentos-server/src/ingest-auth.ts
@@ -1,23 +1,60 @@
 // Machine-to-machine auth for the telemetry ingest endpoint.
 //
 // The dashboard's cookie/Basic `requireAuth` is for browsers; the Python SDK
-// posts events headless, so the ingest route gets its own bearer-token guard
-// keyed on AGENTOS_INGEST_TOKEN. When the env is unset the route is OPEN
-// (relies on network policy) — same philosophy as API_AUTH_* in auth.ts.
+// posts events headless. The SDK uses ONE credential everywhere — the `cak_`
+// API key it already presents to the ComputerAgent server — so ingest verifies
+// that same key (via `apiKeyStore`, the same path the CAS introspection uses)
+// rather than a separate shared secret.
+//
+// Auth resolution order:
+//   1. Bearer `cak_…`            → validate against `api_keys` (active/not
+//                                   revoked/not expired). Invalid → 401.
+//   2. Bearer <AGENTOS_INGEST_TOKEN>  → legacy shared-secret, kept for
+//                                   back-compat with older deployments.
+//   3. Neither presented AND no AGENTOS_INGEST_TOKEN configured → OPEN
+//                                   (relies on network policy — same philosophy
+//                                   as API_AUTH_* in auth.ts). Once a `cak_` is
+//                                   presented it is always validated, never
+//                                   waved through.
 
 import type { RequestHandler } from "express";
 import { timingSafeEqual } from "node:crypto";
+import { apiKeyStore, KEY_PREFIX } from "./stores/api-key-store.js";
 
-export const requireIngestAuth: RequestHandler = (req, res, next) => {
-  const expected = process.env["AGENTOS_INGEST_TOKEN"];
-  if (!expected) return next(); // open — network policy only
+function unauthenticated(res: Parameters<RequestHandler>[1]): void {
+  res.status(401).json({ error: { code: "UNAUTHENTICATED" } });
+}
 
+export const requireIngestAuth: RequestHandler = async (req, res, next) => {
   const header = req.header("authorization") ?? "";
   const prefix = "Bearer ";
-  if (header.startsWith(prefix)) {
-    const got = Buffer.from(header.slice(prefix.length), "utf8");
-    const want = Buffer.from(expected, "utf8");
-    if (got.length === want.length && timingSafeEqual(got, want)) return next();
+  const presented = header.startsWith(prefix) ? header.slice(prefix.length) : "";
+
+  // (1) API key — the same `cak_` key the SDK uses everywhere.
+  if (presented.startsWith(KEY_PREFIX)) {
+    try {
+      const result = await apiKeyStore.verify(presented);
+      if (result) return next();
+      return unauthenticated(res); // recognized shape, but inactive/revoked/unknown
+    } catch (err) {
+      // Validation infra (Mongo) is down — fail closed, but distinguish from a
+      // bad key so the caller can retry rather than treating it as a 401.
+      console.warn("[agentos-server] ingest key verification failed:", (err as Error).message);
+      return res.status(503).json({ error: { code: "KEY_VERIFICATION_UNAVAILABLE" } });
+    }
   }
-  res.status(401).json({ error: { code: "UNAUTHENTICATED" } });
+
+  // (2) Back-compat: legacy static shared ingest token.
+  const expected = process.env["AGENTOS_INGEST_TOKEN"];
+  if (expected) {
+    if (presented) {
+      const got = Buffer.from(presented, "utf8");
+      const want = Buffer.from(expected, "utf8");
+      if (got.length === want.length && timingSafeEqual(got, want)) return next();
+    }
+    return unauthenticated(res);
+  }
+
+  // (3) Nothing presented and nothing configured → open (network policy only).
+  return next();
 };
diff --git a/packages/agentos-server/src/routes/keys-introspect.ts b/packages/agentos-server/src/routes/keys-introspect.ts
@@ -9,7 +9,9 @@ import { resolveEffectivePermissions } from "../auth/authorize.js";
 
 export const keysIntrospectRouter: IRouter = Router();
 
-keysIntrospectRouter.post("/keys/introspect", async (req, res, next) => {
+// Mounted at `/agentos/api/keys`, so this is `/agentos/api/keys/introspect`
+// (matches the CAS verifier URL + every doc/comment referencing the endpoint).
+keysIntrospectRouter.post("/introspect", async (req, res, next) => {
   try {
     const key = (req.body as { key?: unknown } | undefined)?.key;
     if (typeof key !== "string" || !key) {
diff --git a/packages/agentos-server/src/stores/telemetry-projection.test.ts b/packages/agentos-server/src/stores/telemetry-projection.test.ts
@@ -130,7 +130,8 @@ describe("projectEvent — full run", () => {
     // agent_registry — library source (harness_mode), prefix-stripped model.
     const reg = docsOf("agent_registry");
     expect(reg).toHaveLength(1);
-    expect(reg[0]._id).toBe("bot-A");
+    // Registry is ObjectId-keyed; `name` is the unique business key.
+    expect(reg[0].name).toBe("bot-A");
     expect(reg[0].harness).toBe("claude-agent-sdk");
     expect(reg[0].source.type).toBe("library");
     expect(reg[0].model).toBe("claude-x");
