gmakstutis/LightRAG
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
LightRAG/lightrag/security.py
Raphael MANSUY fe9b8ec02a
tests: stabilize integration tests + skip external services; fix multi-tenant API behavior and idempotency (#4) 
* feat: Implement multi-tenant architecture with tenant and knowledge base models

- Added data models for tenants, knowledge bases, and related configurations.
- Introduced role and permission management for users in the multi-tenant system.
- Created a service layer for managing tenants and knowledge bases, including CRUD operations.
- Developed a tenant-aware instance manager for LightRAG with caching and isolation features.
- Added a migration script to transition existing workspace-based deployments to the new multi-tenant architecture.

* chore: ignore lightrag/api/webui/assets/ directory

* chore: stop tracking lightrag/api/webui/assets (ignore in .gitignore)

* feat: Initialize LightRAG Multi-Tenant Stack with PostgreSQL

- Added README.md for project overview, setup instructions, and architecture details.
- Created docker-compose.yml to define services: PostgreSQL, Redis, LightRAG API, and Web UI.
- Introduced env.example for environment variable configuration.
- Implemented init-postgres.sql for PostgreSQL schema initialization with multi-tenant support.
- Added reproduce_issue.py for testing default tenant access via API.

* feat: Enhance TenantSelector and update related components for improved multi-tenant support

* feat: Enhance testing capabilities and update documentation

- Updated Makefile to include new test commands for various modes (compatibility, isolation, multi-tenant, security, coverage, and dry-run).
- Modified API health check endpoint in Makefile to reflect new port configuration.
- Updated QUICK_START.md and README.md to reflect changes in service URLs and ports.
- Added environment variables for testing modes in env.example.
- Introduced run_all_tests.sh script to automate testing across different modes.
- Created conftest.py for pytest configuration, including database fixtures and mock services.
- Implemented database helper functions for streamlined database operations in tests.
- Added test collection hooks to skip tests based on the current MULTITENANT_MODE.

* feat: Implement multi-tenant support with demo mode enabled by default

- Added multi-tenant configuration to the environment and Docker setup.
- Created pre-configured demo tenants (acme-corp and techstart) for testing.
- Updated API endpoints to support tenant-specific data access.
- Enhanced Makefile commands for better service management and database operations.
- Introduced user-tenant membership system with role-based access control.
- Added comprehensive documentation for multi-tenant setup and usage.
- Fixed issues with document visibility in multi-tenant environments.
- Implemented necessary database migrations for user memberships and legacy support.

* feat(audit): Add final audit report for multi-tenant implementation

- Documented overall assessment, architecture overview, test results, security findings, and recommendations.
- Included detailed findings on critical security issues and architectural concerns.

fix(security): Implement security fixes based on audit findings

- Removed global RAG fallback and enforced strict tenant context.
- Configured super-admin access and required user authentication for tenant access.
- Cleared localStorage on logout and improved error handling in WebUI.

chore(logs): Create task logs for audit and security fixes implementation

- Documented actions, decisions, and next steps for both audit and security fixes.
- Summarized test results and remaining recommendations.

chore(scripts): Enhance development stack management scripts

- Added scripts for cleaning, starting, and stopping the development stack.
- Improved output messages and ensured graceful shutdown of services.

feat(starter): Initialize PostgreSQL with AGE extension support

- Created initialization scripts for PostgreSQL extensions including uuid-ossp, vector, and AGE.
- Ensured successful installation and verification of extensions.

* feat: Implement auto-select for first tenant and KB on initial load in WebUI

- Removed WEBUI_INITIAL_STATE_FIX.md as the issue is resolved.
- Added useTenantInitialization hook to automatically select the first available tenant and KB on app load.
- Integrated the new hook into the Root component of the WebUI.
- Updated RetrievalTesting component to ensure a KB is selected before allowing user interaction.
- Created end-to-end tests for multi-tenant isolation and real service interactions.
- Added scripts for starting, stopping, and cleaning the development stack.
- Enhanced API and tenant routes to support tenant-specific pipeline status initialization.
- Updated constants for backend URL to reflect the correct port.
- Improved error handling and logging in various components.

* feat: Add multi-tenant support with enhanced E2E testing scripts and client functionality

* update client

* Add integration and unit tests for multi-tenant API, models, security, and storage

- Implement integration tests for tenant and knowledge base management endpoints in `test_tenant_api_routes.py`.
- Create unit tests for tenant isolation, model validation, and role permissions in `test_tenant_models.py`.
- Add security tests to enforce role-based permissions and context validation in `test_tenant_security.py`.
- Develop tests for tenant-aware storage operations and context isolation in `test_tenant_storage_phase3.py`.

* feat(e2e): Implement OpenAI model support and database reset functionality

* Add comprehensive test suite for gpt-5-nano compatibility

- Introduced tests for parameter normalization, embeddings, and entity extraction.
- Implemented direct API testing for gpt-5-nano.
- Validated .env configuration loading and OpenAI API connectivity.
- Analyzed reasoning token overhead with various token limits.
- Documented test procedures and expected outcomes in README files.
- Ensured all tests pass for production readiness.

* kg(postgres_impl): ensure AGE extension is loaded in session and configure graph initialization

* dev: add hybrid dev helper scripts, Makefile, docker-compose.dev-db and local development docs

* feat(dev): add dev helper scripts and local development documentation for hybrid setup

* feat(multi-tenant): add detailed specifications and logs for multi-tenant improvements, including UX, backend handling, and ingestion pipeline

* feat(migration): add generated tenant/kb columns, indexes, triggers; drop unused tables; update schema and docs

* test(backward-compat): adapt tests to new StorageNameSpace/TenantService APIs (use concrete dummy storages)

* chore: multi-tenant and UX updates — docs, webui, storage, tenant service adjustments

* tests: stabilize integration tests + skip external services; fix multi-tenant API behavior and idempotency

- gpt5_nano_compatibility: add pytest-asyncio markers, skip when OPENAI key missing, prevent module-level asyncio.run collection, add conftest
- Ollama tests: add server availability check and skip markers; avoid pytest collection warnings by renaming helper classes
- Graph storage tests: rename interactive test functions to avoid pytest collection
- Document & Tenant routes: support external_ids for idempotency; ensure HTTPExceptions are re-raised
- LightRAG core: support external_ids in apipeline_enqueue_documents and idempotent logic
- Tests updated to match API changes (tenant routes & document routes)
- Add logs and scripts for inspection and audit
2025-12-04 16:04:21 +08:00

192 lines
6.1 KiB
Python
Raw Blame History

"""Security utilities for multi-tenant validation and sanitization."""
from pathlib import Path
from typing import Tuple
import uuid
from fastapi import HTTPException, status
import logging
logger = logging.getLogger(__name__)
def validate_uuid(value: str, param_name: str = "id") -> str:
"""Validate that a string is a valid UUID format.
Args:
value: String to validate
param_name: Name of parameter (for error messages)
Returns:
The validated UUID string
Raises:
HTTPException: If value is not a valid UUID
"""
if not value or not value.strip():
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=f"Invalid {param_name}: empty value"
)
try:
# Validate UUID format
uuid.UUID(value.strip())
return value.strip()
except ValueError:
logger.warning(f"Invalid UUID format for {param_name}: {value}")
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=f"Invalid {param_name} format"
)
def validate_identifier(value: str, param_name: str = "id") -> str:
"""Validate that a string is a safe identifier (UUID or slug).
Accepts both UUID format and string slugs (alphanumeric with hyphens/underscores).
Used for tenant_id and kb_id which can be either UUIDs or human-readable strings.
Args:
value: String to validate
param_name: Name of parameter (for error messages)
Returns:
The validated identifier string
Raises:
HTTPException: If value is empty or contains unsafe characters
"""
if not value or not value.strip():
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=f"Invalid {param_name}: empty value"
)
value = value.strip()
# Try UUID first
try:
uuid.UUID(value)
return value
except ValueError:
pass # Not a UUID, check if it's a valid slug
# Validate as slug: alphanumeric, hyphens, underscores only
# This prevents path traversal (no slashes) and injection attacks
import re
if not re.match(r'^[a-zA-Z0-9_-]+$', value):
logger.warning(f"Invalid identifier format for {param_name}: {value}")
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=f"Invalid {param_name} format. Must be UUID or alphanumeric with hyphens/underscores only."
)
# Limit length to prevent abuse
if len(value) > 255:
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=f"Invalid {param_name}: too long (max 255 characters)"
)
return value
def validate_working_directory(
base_dir: str,
tenant_id: str,
kb_id: str
) -> Tuple[Path, str]:
"""Validate and create safe working directory for tenant/KB.
This function does the following:
1. Validates tenant_id and kb_id are safe identifiers (UUID or slug)
2. Creates the directory path safely
3. Verifies the resolved path stays within base_dir (prevents path traversal)
4. Returns both the path and composite workspace identifier
Args:
base_dir: Base working directory for all tenants
tenant_id: Tenant identifier (UUID or slug like 'acme-corp')
kb_id: Knowledge base identifier (UUID or slug like 'kb-main')
Returns:
Tuple of (validated_path, composite_workspace_id)
Raises:
HTTPException: If validation fails or path traversal detected
"""
# Validate identifiers (accepts both UUIDs and slugs)
tenant_id = validate_identifier(tenant_id, "tenant_id")
kb_id = validate_identifier(kb_id, "kb_id")
try:
# Create and resolve paths
base_path = Path(base_dir).resolve()
tenant_path = (base_path / tenant_id / kb_id).resolve()
# Critical security check: verify path stays within base_dir
if not tenant_path.is_relative_to(base_path):
logger.error(
f"Path traversal attempt detected: base={base_path}, "
f"requested={tenant_path}, tenant={tenant_id}, kb={kb_id}"
)
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="Invalid path detected"
)
# Create composite workspace identifier
composite_workspace = f"{tenant_id}:{kb_id}"
logger.debug(
f"Validated working directory: path={tenant_path}, workspace={composite_workspace}"
)
return tenant_path, composite_workspace
except (OSError, RuntimeError) as e:
logger.error(f"Error validating working directory: {e}")
raise HTTPException(
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
detail="Failed to validate working directory"
)
def sanitize_identifier(value: str, max_length: int = 255) -> str:
"""Sanitize an identifier string for safe use.
Removes or replaces potentially dangerous characters while preserving
readability. Used for names, descriptions, etc. - not UUIDs.
Args:
value: String to sanitize
max_length: Maximum allowed length
Returns:
Sanitized string
Raises:
HTTPException: If value is empty or too long after sanitization
"""
if not value or not value.strip():
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="Value cannot be empty"
)
# Remove null bytes and control characters
sanitized = "".join(c for c in value if ord(c) >= 32 and c != "\x7f")
# Remove path separators
sanitized = sanitized.replace("/", "").replace("\\", "")
# Strip and limit length
sanitized = sanitized.strip()[:max_length]
if not sanitized:
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="Invalid value after sanitization"
)
return sanitized
Reference in a new issue View git blame Copy permalink