feat: 新增工具插件、系统日志、workflow配置及前端优化
1. 新增工具插件(edit_file, python_executor, search_file, shell_executor, write_file) 2. 新增系统事件日志模块和API 3. 新增workflow配置文件和详情API 4. 前端增加SSE、错误边界、设置引导等组件 5. 优化认证加密、速率限制、配置加载等工具模块 6. 删除废弃的cluster和health API 7. 补充单元测试和集成测试 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -28,7 +28,8 @@ if TYPE_CHECKING:
|
||||
|
||||
|
||||
ALGORITHM = "HS256"
|
||||
ACCESS_TOKEN_EXPIRE_MINUTES = 60 * 24
|
||||
ACCESS_TOKEN_EXPIRE_MINUTES = 60 * 2
|
||||
REFRESH_TOKEN_EXPIRE_DAYS = 7
|
||||
_INSECURE_SECRETS = {"secret", "114514", "changethiskey12345"}
|
||||
|
||||
|
||||
@@ -84,9 +85,51 @@ class Accessor:
|
||||
expire = datetime.now(timezone.utc) + timedelta(
|
||||
minutes=ACCESS_TOKEN_EXPIRE_MINUTES
|
||||
)
|
||||
to_encode.update({"exp": int(expire.timestamp())})
|
||||
to_encode.update({"exp": int(expire.timestamp()), "type": "access"})
|
||||
return jwt.encode(to_encode, _get_secret_key(), algorithm=ALGORITHM)
|
||||
|
||||
@staticmethod
|
||||
def _create_refresh_token(data: dict) -> str:
|
||||
"""生成长效 refresh token(默认 7 天有效期)。"""
|
||||
to_encode = data.copy()
|
||||
expire = datetime.now(timezone.utc) + timedelta(
|
||||
days=REFRESH_TOKEN_EXPIRE_DAYS
|
||||
)
|
||||
to_encode.update({"exp": int(expire.timestamp()), "type": "refresh"})
|
||||
return jwt.encode(to_encode, _get_secret_key(), algorithm=ALGORITHM)
|
||||
|
||||
@staticmethod
|
||||
def verify_refresh_token(token: str) -> TokenData:
|
||||
"""校验 refresh token 有效性并返回用户身份;过期或类型不对抛 401。"""
|
||||
try:
|
||||
payload = jwt.decode(token, _get_secret_key(), algorithms=[ALGORITHM])
|
||||
if payload.get("type") != "refresh":
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="无效的 refresh token",
|
||||
)
|
||||
return TokenData(**{k: v for k, v in payload.items() if k != "type"})
|
||||
except jwt.ExpiredSignatureError:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="Refresh token 已过期,请重新登录",
|
||||
)
|
||||
except (jwt.InvalidTokenError, ValidationError):
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="无效的 refresh token",
|
||||
)
|
||||
|
||||
@staticmethod
|
||||
def refresh_access_token(refresh_token: str) -> dict:
|
||||
"""用 refresh token 换取新的 access token + refresh token 对。"""
|
||||
token_data = Accessor.verify_refresh_token(refresh_token)
|
||||
payload = {"user_id": token_data.user_id, "username": token_data.username}
|
||||
return {
|
||||
"access_token": Accessor._create_access_token(payload),
|
||||
"refresh_token": Accessor._create_refresh_token(payload),
|
||||
}
|
||||
|
||||
@staticmethod
|
||||
def verify_password(plain_password: str, hashed_password: str) -> bool:
|
||||
"""校验明文口令是否匹配数据库中存储的哈希。"""
|
||||
@@ -105,8 +148,8 @@ class Accessor:
|
||||
return Accessor._decode_token(token)
|
||||
|
||||
@staticmethod
|
||||
def login_hashed_password(user: "User", password: str) -> str:
|
||||
"""完成登录核验:找不到用户或密码错误抛 401,否则签发新令牌。"""
|
||||
def login_hashed_password(user: "User", password: str) -> dict:
|
||||
"""完成登录核验:找不到用户或密码错误抛 401,否则签发 access + refresh 令牌对。"""
|
||||
if not user:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
@@ -118,13 +161,21 @@ class Accessor:
|
||||
detail="用户名或密码错误",
|
||||
)
|
||||
token_payload = {"user_id": str(user.user_id), "username": user.user_name}
|
||||
return Accessor._create_access_token(data=token_payload)
|
||||
return {
|
||||
"access_token": Accessor._create_access_token(data=token_payload),
|
||||
"refresh_token": Accessor._create_refresh_token(data=token_payload),
|
||||
}
|
||||
|
||||
@staticmethod
|
||||
def hash_password(password: str) -> str:
|
||||
"""对明文口令做强哈希;空值或长度不足 6 位会抛 ValueError。"""
|
||||
"""对明文口令做强哈希;空值或不满足复杂度要求会抛 ValueError。"""
|
||||
if not password:
|
||||
raise ValueError("密码不能为空")
|
||||
if len(password) < 6:
|
||||
raise ValueError("密码长度不能小于 6 位")
|
||||
if len(password) < 8:
|
||||
raise ValueError("密码长度不能小于 8 位")
|
||||
has_upper = any(c.isupper() for c in password)
|
||||
has_lower = any(c.islower() for c in password)
|
||||
has_digit = any(c.isdigit() for c in password)
|
||||
if not (has_upper and has_lower and has_digit):
|
||||
raise ValueError("密码必须包含大写字母、小写字母和数字")
|
||||
return password_hasher.hash(password)
|
||||
|
||||
@@ -0,0 +1,60 @@
|
||||
"""Workflow 配置文件管理:读取、缓存、热重载。
|
||||
|
||||
配置文件路径:``config/workflow.yaml``(相对于项目根目录)。
|
||||
采用模块级单例 + 文件修改时间检测,保证:
|
||||
- 首次调用时懒加载
|
||||
- reload_workflow_config() 显式触发重载
|
||||
- 工作流引擎调 get_workflow_config() 始终拿到最新生效值
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
from pathlib import Path
|
||||
from typing import Any
|
||||
|
||||
import yaml
|
||||
from pydantic import BaseModel, Field
|
||||
|
||||
_CONFIG_DIR = Path(__file__).resolve().parent.parent.parent / "config"
|
||||
_WORKFLOW_YAML = _CONFIG_DIR / "workflow.yaml"
|
||||
|
||||
|
||||
class RetryConfig(BaseModel):
|
||||
max_attempts: int = Field(default=5, ge=1, le=100)
|
||||
|
||||
|
||||
class WorkflowConfig(BaseModel):
|
||||
retry: RetryConfig = Field(default_factory=RetryConfig)
|
||||
|
||||
|
||||
_current: WorkflowConfig | None = None
|
||||
|
||||
|
||||
def _load_from_disk() -> WorkflowConfig:
|
||||
if not _WORKFLOW_YAML.exists():
|
||||
return WorkflowConfig()
|
||||
with open(_WORKFLOW_YAML, "r", encoding="utf-8") as f:
|
||||
data = yaml.safe_load(f) or {}
|
||||
return WorkflowConfig.model_validate(data)
|
||||
|
||||
|
||||
def get_workflow_config() -> WorkflowConfig:
|
||||
global _current
|
||||
if _current is None:
|
||||
_current = _load_from_disk()
|
||||
return _current
|
||||
|
||||
|
||||
def reload_workflow_config() -> WorkflowConfig:
|
||||
global _current
|
||||
_current = _load_from_disk()
|
||||
return _current
|
||||
|
||||
|
||||
def save_workflow_config(config: WorkflowConfig) -> None:
|
||||
_WORKFLOW_YAML.parent.mkdir(parents=True, exist_ok=True)
|
||||
data = config.model_dump()
|
||||
with open(_WORKFLOW_YAML, "w", encoding="utf-8") as f:
|
||||
yaml.dump(data, f, default_flow_style=False, allow_unicode=True)
|
||||
reload_workflow_config()
|
||||
@@ -125,6 +125,19 @@ async def get_all_toolsets_for_scope(scope: str) -> List[Any]:
|
||||
return toolsets
|
||||
|
||||
|
||||
async def get_retrieval_toolsets_for_scope(scope: str) -> List[Any]:
|
||||
"""仅返回 retrieval 工具集(system_node 专用)。不含 generation 和 MCP 工具。"""
|
||||
toolsets: List[Any] = []
|
||||
try:
|
||||
gsm = ray_actor_hook("global_state_machine").global_state_machine
|
||||
retrieval = await gsm.get_retrieval_toolsets_for_scope.remote(scope)
|
||||
if retrieval:
|
||||
toolsets.extend(retrieval)
|
||||
except Exception as e:
|
||||
logger.error(f"Failed to load retrieval toolsets ({scope}): {e}")
|
||||
return toolsets
|
||||
|
||||
|
||||
async def list_mcp_tools_for_configs(
|
||||
configs: Dict[str, Dict[str, Any]],
|
||||
) -> List[Dict[str, Any]]:
|
||||
|
||||
@@ -0,0 +1,45 @@
|
||||
import time
|
||||
from collections import defaultdict
|
||||
from typing import Dict, Tuple
|
||||
|
||||
from fastapi import HTTPException, Request
|
||||
|
||||
|
||||
class InMemoryRateLimiter:
|
||||
"""基于滑动窗口的内存限流器。
|
||||
|
||||
按 IP 地址追踪请求次数,超出阈值时抛出 429。
|
||||
适用于单实例部署;集群部署应替换为 Redis 后端。
|
||||
"""
|
||||
|
||||
def __init__(self, max_requests: int = 5, window_seconds: int = 60):
|
||||
self._max_requests = max_requests
|
||||
self._window_seconds = window_seconds
|
||||
self._requests: Dict[str, list[float]] = defaultdict(list)
|
||||
|
||||
def _get_client_ip(self, request: Request) -> str:
|
||||
forwarded = request.headers.get("X-Forwarded-For")
|
||||
if forwarded:
|
||||
return forwarded.split(",")[0].strip()
|
||||
return request.client.host if request.client else "unknown"
|
||||
|
||||
def _cleanup(self, key: str, now: float) -> None:
|
||||
cutoff = now - self._window_seconds
|
||||
self._requests[key] = [
|
||||
t for t in self._requests[key] if t > cutoff
|
||||
]
|
||||
|
||||
def check(self, request: Request) -> None:
|
||||
now = time.time()
|
||||
key = self._get_client_ip(request)
|
||||
self._cleanup(key, now)
|
||||
if len(self._requests[key]) >= self._max_requests:
|
||||
raise HTTPException(
|
||||
status_code=429,
|
||||
detail="请求过于频繁,请稍后再试",
|
||||
)
|
||||
self._requests[key].append(now)
|
||||
|
||||
|
||||
register_limiter = InMemoryRateLimiter(max_requests=5, window_seconds=60)
|
||||
login_limiter = InMemoryRateLimiter(max_requests=10, window_seconds=60)
|
||||
@@ -11,6 +11,7 @@
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
import time
|
||||
import ray
|
||||
from functools import lru_cache
|
||||
|
||||
@@ -47,14 +48,57 @@ def clear_actor_cache():
|
||||
_get_cached_actor_handle.cache_clear()
|
||||
|
||||
|
||||
def ray_actor_hook(*actor_names: str):
|
||||
def wait_for_actor(
|
||||
actor_name: str, *, timeout: float = 10.0, interval: float = 0.5
|
||||
):
|
||||
"""阻塞等待某个 actor 就绪,返回其句柄。
|
||||
|
||||
用于"启动期 / ray task 入口刚拉起"这类场景——被依赖的 actor 可能还没注册。
|
||||
在 ``timeout`` 内按 ``interval`` 轮询 ``ray.get_actor``;拿到就立即返回,
|
||||
超时则抛带清晰上下文的 ``TimeoutError``(而不是裸 ``ValueError``)。
|
||||
|
||||
Args:
|
||||
actor_name: actor 注册名
|
||||
timeout: 最长等待秒数;``<=0`` 表示只试一次(等价于直接取句柄)
|
||||
interval: 轮询间隔秒数
|
||||
|
||||
Raises:
|
||||
TimeoutError: 超时仍未就绪。原始异常通过 ``raise ... from`` 链保留。
|
||||
"""
|
||||
deadline = time.monotonic() + max(timeout, 0.0)
|
||||
last_err: Exception | None = None
|
||||
while True:
|
||||
try:
|
||||
return _get_cached_actor_handle(actor_name)
|
||||
except Exception as e: # ray.get_actor 失败一般是 ValueError
|
||||
last_err = e
|
||||
# 失败不能让 lru_cache 留下脏数据(异常本身不会被缓存,
|
||||
# 但若底层换实现,这里清一次更稳妥)
|
||||
if time.monotonic() >= deadline:
|
||||
raise TimeoutError(
|
||||
f"等待 actor {actor_name!r} 就绪超时({timeout}s):{last_err}"
|
||||
) from last_err
|
||||
time.sleep(interval)
|
||||
|
||||
|
||||
def ray_actor_hook(*actor_names: str, timeout: float = 0.0, interval: float = 0.5):
|
||||
"""按名字批量取出 Ray Actor 句柄,组装成一个 ``ActorList`` 返回。
|
||||
|
||||
例:``actors = ray_actor_hook("postgres_database", "global_state_machine")``,
|
||||
随后即可用 ``actors.postgres_database`` 拿到对应句柄。
|
||||
|
||||
Args:
|
||||
timeout: ``>0`` 时对每个 actor 走 ``wait_for_actor`` 等待就绪(启动期用);
|
||||
缺省 ``0`` 保持原"快速失败"语义——actor 不在立即抛异常。
|
||||
interval: 等待轮询间隔,仅在 ``timeout>0`` 时生效。
|
||||
"""
|
||||
actor_list = ActorList()
|
||||
for actor_name in actor_names:
|
||||
handle = _get_cached_actor_handle(actor_name)
|
||||
if timeout > 0:
|
||||
handle = wait_for_actor(
|
||||
actor_name, timeout=timeout, interval=interval
|
||||
)
|
||||
else:
|
||||
handle = _get_cached_actor_handle(actor_name)
|
||||
setattr(actor_list, actor_name, handle)
|
||||
return actor_list
|
||||
|
||||
Reference in New Issue
Block a user