feat(auth): migrate from token-based to RAM signature authentication

Migrate authentication mechanism from token-based approach to RAM signature authentication for enhanced security. The changes replace the existing access token system with Alibaba Cloud's Resource Access Management (RAM) signature verification, requiring users to configure access key ID and secret for API calls. Updates include implementation of RAM signature generation, modification of authentication endpoints with '-ram' suffix, and comprehensive updates to all API clients across runtime, sandbox, and toolset modules.

This migration affects all API interactions within the SDK, including data API operations, browser automation endpoints, and OpenAI integration points. The new authentication system provides improved security through signature-based verification while maintaining backward compatibility for existing configurations.

The changes also include updates to test suites to validate the new authentication flow and ensure proper handling of both authenticated and unauthenticated requests.

将身份验证机制从基于令牌的方式迁移到 RAM 签名身份验证，以提高安全性。更改将现有的访问令牌系统替换为阿里云资源访问管理 (RAM) 签名验证，要求用户为 API 调用配置访问密钥 ID 和密钥。更新包括实现 RAM 签名生成、使用 '-ram' 后缀修改身份验证端点，以及对运行时、沙箱和工具集模块中的所有 API 客户端进行全面更新。

此迁移会影响 SDK 内的所有 API 交互，包括数据 API 操作、浏览器自动化端点和 OpenAI 集成点。新的身份验证系统通过基于签名的验证提供增强的安全性，同时保持现有配置的向后兼容性。

这些更改还包括更新测试套件以验证新的身份验证流程，并确保正确处理经过身份验证和未经身份验证的请求。

Change-Id: I2585151e1acab0f476d9ba9ed909aabd212e5f2c
Signed-off-by: OhYee <oyohyee@oyohyee.com>

Author: OhYee

agentrun/agent_runtime/__runtime_async_template.py

@@ -43,6 +43,8 @@ class AgentRuntime(
     delete, update, query, and endpoint/version management.
     """
 
+    _data_api: Dict[str, AgentRuntimeDataAPI] = {}
+
     @classmethod
     def __get_client(cls):
         """获取客户端实例 / Get client instance
@@ -462,16 +464,19 @@ async def invoke_openai_async(
         cfg = Config.with_configs(self._config, kwargs.get("config"))
         kwargs["config"] = cfg
 
-        if not self.__data_api:
-            self.__data_api: Dict[str, AgentRuntimeDataAPI] = {}
+        if not self._data_api:
+            self._data_api: Dict[str, AgentRuntimeDataAPI] = {}
 
-        if self.__data_api[agent_runtime_endpoint_name] is None:
-            self.__data_api[agent_runtime_endpoint_name] = AgentRuntimeDataAPI(
+        if (
+            agent_runtime_endpoint_name not in self._data_api
+            or self._data_api[agent_runtime_endpoint_name] is None
+        ):
+            self._data_api[agent_runtime_endpoint_name] = AgentRuntimeDataAPI(
                 agent_runtime_name=self.agent_runtime_name or "",
                 agent_runtime_endpoint_name=agent_runtime_endpoint_name or "",
                 config=cfg,
             )
 
-        return await self.__data_api[
+        return await self._data_api[
             agent_runtime_endpoint_name
         ].invoke_openai_async(**kwargs)

agentrun/agent_runtime/api/__data_async_template.py

@@ -37,8 +37,15 @@ async def invoke_openai_async(
         config = kwargs.get("config", None)
 
         cfg = Config.with_configs(self.config, config)
-        api_base = self.with_path("openai/v1")
-        _, headers, _ = self.auth(headers=cfg.get_headers())
+        api_base = self.with_path("openai/v1", config=cfg)
+        # Sign the actual request URL (OpenAI client will POST to base + /chat/completions)
+        chat_completions_url = api_base.rstrip("/") + "/chat/completions"
+        _, headers, _ = self.auth(
+            url=chat_completions_url,
+            headers=cfg.get_headers(),
+            config=cfg,
+            method="POST",
+        )
 
         from httpx import AsyncClient
         from openai import AsyncOpenAI

agentrun/agent_runtime/api/data.py

@@ -48,8 +48,15 @@ async def invoke_openai_async(
         config = kwargs.get("config", None)
 
         cfg = Config.with_configs(self.config, config)
-        api_base = self.with_path("openai/v1")
-        _, headers, _ = self.auth(headers=cfg.get_headers())
+        api_base = self.with_path("openai/v1", config=cfg)
+        # Sign the actual request URL (OpenAI client will POST to base + /chat/completions)
+        chat_completions_url = api_base.rstrip("/") + "/chat/completions"
+        _, headers, _ = self.auth(
+            url=chat_completions_url,
+            headers=cfg.get_headers(),
+            config=cfg,
+            method="POST",
+        )
 
         from httpx import AsyncClient
         from openai import AsyncOpenAI
@@ -77,8 +84,15 @@ def invoke_openai(
         config = kwargs.get("config", None)
 
         cfg = Config.with_configs(self.config, config)
-        api_base = self.with_path("openai/v1")
-        _, headers, _ = self.auth(headers=cfg.get_headers())
+        api_base = self.with_path("openai/v1", config=cfg)
+        # Sign the actual request URL (OpenAI client will POST to base + /chat/completions)
+        chat_completions_url = api_base.rstrip("/") + "/chat/completions"
+        _, headers, _ = self.auth(
+            url=chat_completions_url,
+            headers=cfg.get_headers(),
+            config=cfg,
+            method="POST",
+        )
 
         from httpx import Client
         from openai import OpenAI

agentrun/agent_runtime/runtime.py

@@ -53,6 +53,8 @@ class AgentRuntime(
     delete, update, query, and endpoint/version management.
     """
 
+    _data_api: Dict[str, AgentRuntimeDataAPI] = {}
+
     @classmethod
     def __get_client(cls):
         """获取客户端实例 / Get client instance
@@ -867,17 +869,20 @@ async def invoke_openai_async(
         cfg = Config.with_configs(self._config, kwargs.get("config"))
         kwargs["config"] = cfg
 
-        if not self.__data_api:
-            self.__data_api: Dict[str, AgentRuntimeDataAPI] = {}
+        if not self._data_api:
+            self._data_api: Dict[str, AgentRuntimeDataAPI] = {}
 
-        if self.__data_api[agent_runtime_endpoint_name] is None:
-            self.__data_api[agent_runtime_endpoint_name] = AgentRuntimeDataAPI(
+        if (
+            agent_runtime_endpoint_name in self._data_api
+            and self._data_api[agent_runtime_endpoint_name] is None
+        ):
+            self._data_api[agent_runtime_endpoint_name] = AgentRuntimeDataAPI(
                 agent_runtime_name=self.agent_runtime_name or "",
                 agent_runtime_endpoint_name=agent_runtime_endpoint_name or "",
                 config=cfg,
             )
 
-        return await self.__data_api[
+        return await self._data_api[
             agent_runtime_endpoint_name
         ].invoke_openai_async(**kwargs)
 
@@ -889,16 +894,19 @@ def invoke_openai(
         cfg = Config.with_configs(self._config, kwargs.get("config"))
         kwargs["config"] = cfg
 
-        if not self.__data_api:
-            self.__data_api: Dict[str, AgentRuntimeDataAPI] = {}
+        if not self._data_api:
+            self._data_api: Dict[str, AgentRuntimeDataAPI] = {}
 
-        if self.__data_api[agent_runtime_endpoint_name] is None:
-            self.__data_api[agent_runtime_endpoint_name] = AgentRuntimeDataAPI(
+        if (
+            agent_runtime_endpoint_name not in self._data_api
+            or self._data_api[agent_runtime_endpoint_name] is None
+        ):
+            self._data_api[agent_runtime_endpoint_name] = AgentRuntimeDataAPI(
                 agent_runtime_name=self.agent_runtime_name or "",
                 agent_runtime_endpoint_name=agent_runtime_endpoint_name or "",
                 config=cfg,
             )
 
-        return self.__data_api[agent_runtime_endpoint_name].invoke_openai(
+        return self._data_api[agent_runtime_endpoint_name].invoke_openai(
             **kwargs
         )

agentrun/sandbox/api/__aio_data_async_template.py

@@ -103,9 +103,13 @@ def sync_playwright(
         from .playwright_sync import BrowserPlaywrightSync
 
         cfg = Config.with_configs(self.config, config)
-        _, headers, _ = self.auth(headers=cfg.get_headers(), config=cfg)
+
+        url = self.get_cdp_url(record=record)
+        url, headers, _ = self.auth(
+            url=url, headers=cfg.get_headers(), config=cfg
+        )
         return BrowserPlaywrightSync(
-            self.get_cdp_url(record=record),
+            url,
             browser_type=browser_type,
             headers=headers,
         )
@@ -119,9 +123,13 @@ def async_playwright(
         from .playwright_async import BrowserPlaywrightAsync
 
         cfg = Config.with_configs(self.config, config)
-        _, headers, _ = self.auth(headers=cfg.get_headers(), config=cfg)
+
+        url = self.get_cdp_url(record=record)
+        url, headers, _ = self.auth(
+            url=url, headers=cfg.get_headers(), config=cfg
+        )
         return BrowserPlaywrightAsync(
-            self.get_cdp_url(record=record),
+            url,
             browser_type=browser_type,
             headers=headers,
         )

agentrun/sandbox/api/__browser_data_async_template.py

@@ -92,9 +92,13 @@ def sync_playwright(
         from .playwright_sync import BrowserPlaywrightSync
 
         cfg = Config.with_configs(self.config, config)
-        _, headers, _ = self.auth(headers=cfg.get_headers(), config=cfg)
+
+        url = self.get_cdp_url(record=record)
+        url, headers, _ = self.auth(
+            url=url, headers=cfg.get_headers(), config=cfg
+        )
         return BrowserPlaywrightSync(
-            self.get_cdp_url(record=record),
+            url,
             browser_type=browser_type,
             headers=headers,
         )
@@ -108,9 +112,13 @@ def async_playwright(
         from .playwright_async import BrowserPlaywrightAsync
 
         cfg = Config.with_configs(self.config, config)
-        _, headers, _ = self.auth(headers=cfg.get_headers(), config=cfg)
+
+        url = self.get_cdp_url(record=record)
+        url, headers, _ = self.auth(
+            url=url, headers=cfg.get_headers(), config=cfg
+        )
         return BrowserPlaywrightAsync(
-            self.get_cdp_url(record=record),
+            url,
             browser_type=browser_type,
             headers=headers,
         )

agentrun/sandbox/api/aio_data.py

@@ -113,9 +113,13 @@ def sync_playwright(
         from .playwright_sync import BrowserPlaywrightSync
 
         cfg = Config.with_configs(self.config, config)
-        _, headers, _ = self.auth(headers=cfg.get_headers(), config=cfg)
+
+        url = self.get_cdp_url(record=record)
+        url, headers, _ = self.auth(
+            url=url, headers=cfg.get_headers(), config=cfg
+        )
         return BrowserPlaywrightSync(
-            self.get_cdp_url(record=record),
+            url,
             browser_type=browser_type,
             headers=headers,
         )
@@ -129,9 +133,13 @@ def async_playwright(
         from .playwright_async import BrowserPlaywrightAsync
 
         cfg = Config.with_configs(self.config, config)
-        _, headers, _ = self.auth(headers=cfg.get_headers(), config=cfg)
+
+        url = self.get_cdp_url(record=record)
+        url, headers, _ = self.auth(
+            url=url, headers=cfg.get_headers(), config=cfg
+        )
         return BrowserPlaywrightAsync(
-            self.get_cdp_url(record=record),
+            url,
             browser_type=browser_type,
             headers=headers,
         )

agentrun/sandbox/api/browser_data.py

@@ -102,9 +102,13 @@ def sync_playwright(
         from .playwright_sync import BrowserPlaywrightSync
 
         cfg = Config.with_configs(self.config, config)
-        _, headers, _ = self.auth(headers=cfg.get_headers(), config=cfg)
+
+        url = self.get_cdp_url(record=record)
+        url, headers, _ = self.auth(
+            url=url, headers=cfg.get_headers(), config=cfg
+        )
         return BrowserPlaywrightSync(
-            self.get_cdp_url(record=record),
+            url,
             browser_type=browser_type,
             headers=headers,
         )
@@ -118,9 +122,13 @@ def async_playwright(
         from .playwright_async import BrowserPlaywrightAsync
 
         cfg = Config.with_configs(self.config, config)
-        _, headers, _ = self.auth(headers=cfg.get_headers(), config=cfg)
+
+        url = self.get_cdp_url(record=record)
+        url, headers, _ = self.auth(
+            url=url, headers=cfg.get_headers(), config=cfg
+        )
         return BrowserPlaywrightAsync(
-            self.get_cdp_url(record=record),
+            url,
             browser_type=browser_type,
             headers=headers,
         )

agentrun/toolset/__toolset_async_template.py

@@ -94,11 +94,18 @@ def _get_openapi_auth_defaults(
         return headers, query
 
     def _get_openapi_base_url(self) -> Optional[str]:
-        return pydash.get(
-            self,
-            "status.outputs.urls.intranet_url",
-            None,
-        ) or pydash.get(self, "status.outputs.urls.internet_url", None)
+        import os
+
+        fc_region = os.getenv("FC_REGION")
+        arn = pydash.get(self, "status.outputs.function_arn", "")
+
+        if fc_region and arn and pydash.get(arn.split(":"), "[2]"):
+            # 在同一个 region，则使用内网地址
+            return pydash.get(
+                self,
+                "status.outputs.urls.intranet_url",
+                None,
+            )
 
     async def get_async(self, config: Optional[Config] = None):
         if self.name is None:

agentrun/toolset/api/openapi.py

@@ -829,6 +829,8 @@ def invoke_tool(
         request_kwargs, timeout, raise_for_status = self._prepare_request(
             name, arguments, config
         )
+
+        print(request_kwargs)
         with httpx.Client(timeout=timeout) as client:
             response = client.request(**request_kwargs)
             if raise_for_status:
@@ -943,6 +945,7 @@ def _walk(node: Any):
 
     def _extract_base_url(self, schema: Dict[str, Any]) -> Optional[str]:
         servers = schema.get("servers") or []
+        print("======", servers)
         return self._pick_server_url(servers)
 
     def _convert_to_native(self, value: Any) -> Any: