285 lines
9.2 KiB
Rust
285 lines
9.2 KiB
Rust
use super::traits::{Tool, ToolResult};
|
|
use crate::config::Config;
|
|
use crate::cron::{self, JobType};
|
|
use crate::security::SecurityPolicy;
|
|
use async_trait::async_trait;
|
|
use chrono::Utc;
|
|
use serde_json::json;
|
|
use std::sync::Arc;
|
|
|
|
pub struct CronRunTool {
|
|
config: Arc<Config>,
|
|
security: Arc<SecurityPolicy>,
|
|
}
|
|
|
|
impl CronRunTool {
|
|
pub fn new(config: Arc<Config>, security: Arc<SecurityPolicy>) -> Self {
|
|
Self { config, security }
|
|
}
|
|
}
|
|
|
|
#[async_trait]
|
|
impl Tool for CronRunTool {
|
|
fn name(&self) -> &str {
|
|
"cron_run"
|
|
}
|
|
|
|
fn description(&self) -> &str {
|
|
"Force-run a cron job immediately and record run history"
|
|
}
|
|
|
|
fn parameters_schema(&self) -> serde_json::Value {
|
|
json!({
|
|
"type": "object",
|
|
"properties": {
|
|
"job_id": { "type": "string" },
|
|
"approved": {
|
|
"type": "boolean",
|
|
"description": "Set true to explicitly approve medium/high-risk shell commands in supervised mode",
|
|
"default": false
|
|
}
|
|
},
|
|
"required": ["job_id"]
|
|
})
|
|
}
|
|
|
|
async fn execute(&self, args: serde_json::Value) -> anyhow::Result<ToolResult> {
|
|
if !self.config.cron.enabled {
|
|
return Ok(ToolResult {
|
|
success: false,
|
|
output: String::new(),
|
|
error: Some("cron is disabled by config (cron.enabled=false)".to_string()),
|
|
});
|
|
}
|
|
|
|
let job_id = match args.get("job_id").and_then(serde_json::Value::as_str) {
|
|
Some(v) if !v.trim().is_empty() => v,
|
|
_ => {
|
|
return Ok(ToolResult {
|
|
success: false,
|
|
output: String::new(),
|
|
error: Some("Missing 'job_id' parameter".to_string()),
|
|
});
|
|
}
|
|
};
|
|
let approved = args
|
|
.get("approved")
|
|
.and_then(serde_json::Value::as_bool)
|
|
.unwrap_or(false);
|
|
|
|
if !self.security.can_act() {
|
|
return Ok(ToolResult {
|
|
success: false,
|
|
output: String::new(),
|
|
error: Some("Security policy: read-only mode, cannot perform 'cron_run'".into()),
|
|
});
|
|
}
|
|
|
|
if self.security.is_rate_limited() {
|
|
return Ok(ToolResult {
|
|
success: false,
|
|
output: String::new(),
|
|
error: Some("Rate limit exceeded: too many actions in the last hour".into()),
|
|
});
|
|
}
|
|
|
|
let job = match cron::get_job(&self.config, job_id) {
|
|
Ok(job) => job,
|
|
Err(e) => {
|
|
return Ok(ToolResult {
|
|
success: false,
|
|
output: String::new(),
|
|
error: Some(e.to_string()),
|
|
});
|
|
}
|
|
};
|
|
|
|
if matches!(job.job_type, JobType::Shell) {
|
|
if let Err(reason) = self
|
|
.security
|
|
.validate_command_execution(&job.command, approved)
|
|
{
|
|
return Ok(ToolResult {
|
|
success: false,
|
|
output: String::new(),
|
|
error: Some(reason),
|
|
});
|
|
}
|
|
}
|
|
|
|
if !self.security.record_action() {
|
|
return Ok(ToolResult {
|
|
success: false,
|
|
output: String::new(),
|
|
error: Some("Rate limit exceeded: action budget exhausted".into()),
|
|
});
|
|
}
|
|
|
|
let started_at = Utc::now();
|
|
let (success, output) =
|
|
Box::pin(cron::scheduler::execute_job_now(&self.config, &job)).await;
|
|
let finished_at = Utc::now();
|
|
let duration_ms = (finished_at - started_at).num_milliseconds();
|
|
let status = if success { "ok" } else { "error" };
|
|
|
|
let _ = cron::record_run(
|
|
&self.config,
|
|
&job.id,
|
|
started_at,
|
|
finished_at,
|
|
status,
|
|
Some(&output),
|
|
duration_ms,
|
|
);
|
|
let _ = cron::record_last_run(&self.config, &job.id, finished_at, success, &output);
|
|
|
|
Ok(ToolResult {
|
|
success,
|
|
output: serde_json::to_string_pretty(&json!({
|
|
"job_id": job.id,
|
|
"status": status,
|
|
"duration_ms": duration_ms,
|
|
"output": output
|
|
}))?,
|
|
error: if success {
|
|
None
|
|
} else {
|
|
Some("cron job execution failed".to_string())
|
|
},
|
|
})
|
|
}
|
|
}
|
|
|
|
#[cfg(test)]
|
|
mod tests {
|
|
use super::*;
|
|
use crate::config::Config;
|
|
use crate::security::AutonomyLevel;
|
|
use tempfile::TempDir;
|
|
|
|
async fn test_config(tmp: &TempDir) -> Arc<Config> {
|
|
let config = Config {
|
|
workspace_dir: tmp.path().join("workspace"),
|
|
config_path: tmp.path().join("config.toml"),
|
|
..Config::default()
|
|
};
|
|
tokio::fs::create_dir_all(&config.workspace_dir)
|
|
.await
|
|
.unwrap();
|
|
Arc::new(config)
|
|
}
|
|
|
|
fn test_security(cfg: &Config) -> Arc<SecurityPolicy> {
|
|
Arc::new(SecurityPolicy::from_config(
|
|
&cfg.autonomy,
|
|
&cfg.workspace_dir,
|
|
))
|
|
}
|
|
|
|
#[tokio::test]
|
|
async fn force_runs_job_and_records_history() {
|
|
let tmp = TempDir::new().unwrap();
|
|
let cfg = test_config(&tmp).await;
|
|
let job = cron::add_job(&cfg, "*/5 * * * *", "echo run-now").unwrap();
|
|
let tool = CronRunTool::new(cfg.clone(), test_security(&cfg));
|
|
|
|
let result = tool.execute(json!({ "job_id": job.id })).await.unwrap();
|
|
assert!(result.success, "{:?}", result.error);
|
|
|
|
let runs = cron::list_runs(&cfg, &job.id, 10).unwrap();
|
|
assert_eq!(runs.len(), 1);
|
|
}
|
|
|
|
#[tokio::test]
|
|
async fn errors_for_missing_job() {
|
|
let tmp = TempDir::new().unwrap();
|
|
let cfg = test_config(&tmp).await;
|
|
let tool = CronRunTool::new(cfg.clone(), test_security(&cfg));
|
|
|
|
let result = tool
|
|
.execute(json!({ "job_id": "missing-job-id" }))
|
|
.await
|
|
.unwrap();
|
|
assert!(!result.success);
|
|
assert!(result.error.unwrap_or_default().contains("not found"));
|
|
}
|
|
|
|
#[tokio::test]
|
|
async fn blocks_run_in_read_only_mode() {
|
|
let tmp = TempDir::new().unwrap();
|
|
let mut config = Config {
|
|
workspace_dir: tmp.path().join("workspace"),
|
|
config_path: tmp.path().join("config.toml"),
|
|
..Config::default()
|
|
};
|
|
std::fs::create_dir_all(&config.workspace_dir).unwrap();
|
|
let job = cron::add_job(&config, "*/5 * * * *", "echo run-now").unwrap();
|
|
config.autonomy.level = AutonomyLevel::ReadOnly;
|
|
let cfg = Arc::new(config);
|
|
let tool = CronRunTool::new(cfg.clone(), test_security(&cfg));
|
|
|
|
let result = tool.execute(json!({ "job_id": job.id })).await.unwrap();
|
|
assert!(!result.success);
|
|
assert!(result.error.unwrap_or_default().contains("read-only"));
|
|
}
|
|
|
|
#[tokio::test]
|
|
async fn shell_run_requires_approval_for_medium_risk() {
|
|
let tmp = TempDir::new().unwrap();
|
|
let mut config = Config {
|
|
workspace_dir: tmp.path().join("workspace"),
|
|
config_path: tmp.path().join("config.toml"),
|
|
..Config::default()
|
|
};
|
|
config.autonomy.level = AutonomyLevel::Supervised;
|
|
config.autonomy.allowed_commands = vec!["touch".into()];
|
|
std::fs::create_dir_all(&config.workspace_dir).unwrap();
|
|
let cfg = Arc::new(config);
|
|
// Create with explicit approval so the job persists for the run test.
|
|
let job = cron::add_shell_job_with_approval(
|
|
&cfg,
|
|
None,
|
|
cron::Schedule::Cron {
|
|
expr: "*/5 * * * *".into(),
|
|
tz: None,
|
|
},
|
|
"touch cron-run-approval",
|
|
true,
|
|
)
|
|
.unwrap();
|
|
let tool = CronRunTool::new(cfg.clone(), test_security(&cfg));
|
|
|
|
// Without approval, the tool-level policy check blocks medium-risk commands.
|
|
let denied = tool.execute(json!({ "job_id": job.id })).await.unwrap();
|
|
assert!(!denied.success);
|
|
assert!(denied
|
|
.error
|
|
.unwrap_or_default()
|
|
.contains("explicit approval"));
|
|
}
|
|
|
|
#[tokio::test]
|
|
async fn blocks_run_when_rate_limited() {
|
|
let tmp = TempDir::new().unwrap();
|
|
let mut config = Config {
|
|
workspace_dir: tmp.path().join("workspace"),
|
|
config_path: tmp.path().join("config.toml"),
|
|
..Config::default()
|
|
};
|
|
config.autonomy.level = AutonomyLevel::Full;
|
|
config.autonomy.max_actions_per_hour = 0;
|
|
std::fs::create_dir_all(&config.workspace_dir).unwrap();
|
|
let cfg = Arc::new(config);
|
|
let job = cron::add_job(&cfg, "*/5 * * * *", "echo run-now").unwrap();
|
|
let tool = CronRunTool::new(cfg.clone(), test_security(&cfg));
|
|
|
|
let result = tool.execute(json!({ "job_id": job.id })).await.unwrap();
|
|
assert!(!result.success);
|
|
assert!(result
|
|
.error
|
|
.unwrap_or_default()
|
|
.contains("Rate limit exceeded"));
|
|
assert!(cron::list_runs(&cfg, &job.id, 10).unwrap().is_empty());
|
|
}
|
|
}
|