Commit 94e7452
authored
feat(agents): collapse denied agent route access to 404 instead of 403 (#271)
## Related work
Parent ticket: AGX1-242 - AgentEx authorization dual-write.
This change is part of a 4-PR stack across 3 repos.
| Repo | PR | Purpose |
|---|---|---|
| scaleapi/scaleapi |
[scaleapi/scaleapi#146335](scaleapi/scaleapi#146335)
| merged flag registry update for the shared AgentEx resources rollout
flags |
| scaleapi/agentex |
[scaleapi/agentex#364](scaleapi/agentex#364) |
agentex-auth routes each auth verb to one backend target |
| scaleapi/scale-agentex |
[#270](#270)
| registers agentex resources in the authorization graph and grants
agent/task ownership |
| **scaleapi/scale-agentex** | **this PR** | **denied direct agent
access collapses to 404** |
**Merge/deploy order:**
[scaleapi/scaleapi#146335](scaleapi/scaleapi#146335)
is merged; deploy
[scaleapi/agentex#364](scaleapi/agentex#364),
then merge/deploy
[#270](#270),
then this PR. Rollout per account is: enable
`fgac-agentex-resources-dual-write`, backfill existing resources into
Spark, then enable `fgac-agentex-resources` reads.
## What
Collapses denied direct agent access from 403 to 404 for agent lookups
by id, name, and query. Allowed checks pass through unchanged, and list
behavior is unchanged (the list route already filters to authorized
ids).
## Why
Returning 403 for a specific agent id or name reveals that the agent
exists; returning 404 makes "not found" and "exists but not visible to
this caller" indistinguishable. This is read-side behavior only.
## Testing
- Unit tests for the agent and task authorization route behavior.
<!-- greptile_comment -->
<h3>Greptile Summary</h3>
This PR extends the authorization shortcut helpers to collapse denied
agent checks from 403 to 404, preventing cross-tenant existence probing
via error-code differentiation.
- Adds `_check_agent_or_collapse_to_404` and wires it into all three
shortcuts (`DAuthorizedId`, `DAuthorizedQuery`, `DAuthorizedName`) for
`AgentexResourceType.agent`; the earlier review concern about
`DAuthorizedQuery` (`GET /events` list endpoint) is addressed in this
diff.
- Introduces 263-line unit test suite (`test_agents_authz.py`) covering
the helper directly plus each shortcut's agent path, and updates
`test_schedules_authz.py` / `test_tasks_authz.py` to reflect the new
expected behavior.
<details><summary><h3>Confidence Score: 5/5</h3></summary>
Safe to merge; all three agent-lookup shortcuts collapse denied checks
to 404 and the earlier concern about DAuthorizedQuery on the events list
endpoint is resolved in this diff.
The change is narrow and consistent: one new helper function wired into
three existing shortcuts, each path exercised by dedicated unit tests.
DAuthorizedBodyId is only used for task resources so it requires no
changes. The updated schedule and task tests correctly reflect the new
collapse behavior.
No files require special attention.
</details>
<h3>Important Files Changed</h3>
| Filename | Overview |
|----------|----------|
| agentex/src/utils/authorization_shortcuts.py | Adds
_check_agent_or_collapse_to_404 and applies it in DAuthorizedId,
DAuthorizedQuery, and DAuthorizedName; all three agent-lookup paths now
collapse AuthorizationError to 404. DAuthorizedBodyId is unaffected and
only used with task resources. |
| agentex/tests/unit/api/test_agents_authz.py | New test file covering
the helper, DAuthorizedId, DAuthorizedQuery, DAuthorizedName, and
list-filtering for agent resources; denied/absent/allowed cases are all
represented. |
| agentex/tests/unit/api/test_schedules_authz.py | Updates
TestCreateParentAgentCheck to expect ItemDoesNotExist (404) instead of
AuthorizationError (403) on a denied parent-agent check, consistent with
the new behavior in DAuthorizedId for agents. |
| agentex/tests/unit/api/test_tasks_authz.py | Renames
test_non_task_name_skips_wrap to test_agent_name_collapses_to_404 and
flips the expected exception from AuthorizationError to
ItemDoesNotExist, aligning with the agent-name collapse now in
DAuthorizedName. |
</details>
<details><summary><h3>Flowchart</h3></summary>
```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[Caller Request] --> B{Authorization Shortcut}
B -->|DAuthorizedId agent| C[_check_agent_or_collapse_to_404]
B -->|DAuthorizedName agent| D[repo.get name to id then _check_agent_or_collapse_to_404]
B -->|DAuthorizedQuery agent| E[_check_agent_or_collapse_to_404]
C --> F{authorization.check}
D --> F
E --> F
F -->|Allowed| G[Pass through - return resource id]
F -->|AuthorizationError denied| H[raise ItemDoesNotExist - HTTP 404]
style H fill:#f96,color:#000
style G fill:#6f6,color:#000
```
</details>
<sub>Reviews (10): Last reviewed commit: ["feat(agents): collapse denied
agent
rout..."](99106f8)
| [Re-trigger
Greptile](https://app.greptile.com/api/retrigger?id=35397402)</sub>
<!-- /greptile_comment -->1 parent 7c0700a commit 94e7452
4 files changed
Lines changed: 317 additions & 10 deletions
File tree
- agentex
- src/utils
- tests/unit/api
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2 | 2 | | |
3 | 3 | | |
4 | 4 | | |
| 5 | + | |
| 6 | + | |
5 | 7 | | |
6 | 8 | | |
7 | 9 | | |
| |||
15 | 17 | | |
16 | 18 | | |
17 | 19 | | |
18 | | - | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
19 | 24 | | |
20 | 25 | | |
21 | 26 | | |
| |||
39 | 44 | | |
40 | 45 | | |
41 | 46 | | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
42 | 70 | | |
43 | 71 | | |
44 | 72 | | |
| |||
74 | 102 | | |
75 | 103 | | |
76 | 104 | | |
| 105 | + | |
| 106 | + | |
| 107 | + | |
77 | 108 | | |
78 | 109 | | |
79 | 110 | | |
| |||
116 | 147 | | |
117 | 148 | | |
118 | 149 | | |
| 150 | + | |
| 151 | + | |
119 | 152 | | |
120 | 153 | | |
121 | 154 | | |
| |||
200 | 233 | | |
201 | 234 | | |
202 | 235 | | |
| 236 | + | |
| 237 | + | |
| 238 | + | |
203 | 239 | | |
204 | 240 | | |
205 | 241 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
| 70 | + | |
| 71 | + | |
| 72 | + | |
| 73 | + | |
| 74 | + | |
| 75 | + | |
| 76 | + | |
| 77 | + | |
| 78 | + | |
| 79 | + | |
| 80 | + | |
| 81 | + | |
| 82 | + | |
| 83 | + | |
| 84 | + | |
| 85 | + | |
| 86 | + | |
| 87 | + | |
| 88 | + | |
| 89 | + | |
| 90 | + | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
| 95 | + | |
| 96 | + | |
| 97 | + | |
| 98 | + | |
| 99 | + | |
| 100 | + | |
| 101 | + | |
| 102 | + | |
| 103 | + | |
| 104 | + | |
| 105 | + | |
| 106 | + | |
| 107 | + | |
| 108 | + | |
| 109 | + | |
| 110 | + | |
| 111 | + | |
| 112 | + | |
| 113 | + | |
| 114 | + | |
| 115 | + | |
| 116 | + | |
| 117 | + | |
| 118 | + | |
| 119 | + | |
| 120 | + | |
| 121 | + | |
| 122 | + | |
| 123 | + | |
| 124 | + | |
| 125 | + | |
| 126 | + | |
| 127 | + | |
| 128 | + | |
| 129 | + | |
| 130 | + | |
| 131 | + | |
| 132 | + | |
| 133 | + | |
| 134 | + | |
| 135 | + | |
| 136 | + | |
| 137 | + | |
| 138 | + | |
| 139 | + | |
| 140 | + | |
| 141 | + | |
| 142 | + | |
| 143 | + | |
| 144 | + | |
| 145 | + | |
| 146 | + | |
| 147 | + | |
| 148 | + | |
| 149 | + | |
| 150 | + | |
| 151 | + | |
| 152 | + | |
| 153 | + | |
| 154 | + | |
| 155 | + | |
| 156 | + | |
| 157 | + | |
| 158 | + | |
| 159 | + | |
| 160 | + | |
| 161 | + | |
| 162 | + | |
| 163 | + | |
| 164 | + | |
| 165 | + | |
| 166 | + | |
| 167 | + | |
| 168 | + | |
| 169 | + | |
| 170 | + | |
| 171 | + | |
| 172 | + | |
| 173 | + | |
| 174 | + | |
| 175 | + | |
| 176 | + | |
| 177 | + | |
| 178 | + | |
| 179 | + | |
| 180 | + | |
| 181 | + | |
| 182 | + | |
| 183 | + | |
| 184 | + | |
| 185 | + | |
| 186 | + | |
| 187 | + | |
| 188 | + | |
| 189 | + | |
| 190 | + | |
| 191 | + | |
| 192 | + | |
| 193 | + | |
| 194 | + | |
| 195 | + | |
| 196 | + | |
| 197 | + | |
| 198 | + | |
| 199 | + | |
| 200 | + | |
| 201 | + | |
| 202 | + | |
| 203 | + | |
| 204 | + | |
| 205 | + | |
| 206 | + | |
| 207 | + | |
| 208 | + | |
| 209 | + | |
| 210 | + | |
| 211 | + | |
| 212 | + | |
| 213 | + | |
| 214 | + | |
| 215 | + | |
| 216 | + | |
| 217 | + | |
| 218 | + | |
| 219 | + | |
| 220 | + | |
| 221 | + | |
| 222 | + | |
| 223 | + | |
| 224 | + | |
| 225 | + | |
| 226 | + | |
| 227 | + | |
| 228 | + | |
| 229 | + | |
| 230 | + | |
| 231 | + | |
| 232 | + | |
| 233 | + | |
| 234 | + | |
| 235 | + | |
| 236 | + | |
| 237 | + | |
| 238 | + | |
| 239 | + | |
| 240 | + | |
| 241 | + | |
| 242 | + | |
| 243 | + | |
| 244 | + | |
| 245 | + | |
| 246 | + | |
| 247 | + | |
| 248 | + | |
| 249 | + | |
| 250 | + | |
| 251 | + | |
| 252 | + | |
| 253 | + | |
| 254 | + | |
| 255 | + | |
| 256 | + | |
| 257 | + | |
| 258 | + | |
| 259 | + | |
| 260 | + | |
| 261 | + | |
| 262 | + | |
| 263 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
190 | 190 | | |
191 | 191 | | |
192 | 192 | | |
193 | | - | |
| 193 | + | |
| 194 | + | |
194 | 195 | | |
195 | 196 | | |
196 | 197 | | |
| |||
215 | 216 | | |
216 | 217 | | |
217 | 218 | | |
218 | | - | |
| 219 | + | |
219 | 220 | | |
220 | 221 | | |
221 | 222 | | |
222 | 223 | | |
223 | 224 | | |
224 | | - | |
225 | | - | |
| 225 | + | |
| 226 | + | |
| 227 | + | |
226 | 228 | | |
227 | | - | |
| 229 | + | |
| 230 | + | |
| 231 | + | |
| 232 | + | |
| 233 | + | |
228 | 234 | | |
229 | 235 | | |
230 | 236 | | |
| |||
0 commit comments