
🔒 Require editor role for kagent proxy endpoints #16561

Merged: kubestellar-hive[bot] merged 3 commits into main from fix/16491 on Jun 3, 2026


@kubestellar-hive kubestellar-hive Bot commented Jun 2, 2026

Fixes #16491

Adds role-based authorization to kagent proxy endpoints to prevent viewer-role users from invoking agents and tools.

  • Requires editor or admin role for /api/kagent/agents, /api/kagent/chat, and /api/kagent/tools/call
  • Adds audit logging for all kagent invocations with user identity
  • Returns 403 Forbidden for insufficient permissions
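
A minimal sketch of the gate this description outlines, added here as an example and not the project's own code. It uses Go's standard `net/http`; `Caller`, `RequireRole`, `NewMux`, `StatusFor` and the role ordering viewer < editor < admin are assumptions.

```go
package main

import (
	"context"
	"log"
	"net/http"
	"net/http/httptest"
)

// Caller is the identity an upstream auth layer is assumed to attach to the request context.
type Caller struct{ User, Role string }
type callerKey struct{}

// Assumed role ordering; a missing or unknown role ranks 0 and is always denied.
var roleRank = map[string]int{"viewer": 1, "editor": 2, "admin": 3}

// RequireRole audits every call and returns 403 to callers ranked below minRole.
func RequireRole(minRole string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, _ := r.Context().Value(callerKey{}).(Caller)
		allowed := roleRank[minRole] > 0 && roleRank[c.Role] >= roleRank[minRole]
		// %q escapes newlines so caller-controlled values cannot forge audit lines.
		log.Printf("kagent audit user=%q role=%q path=%q allowed=%t", c.User, c.Role, r.URL.Path, allowed)
		if !allowed {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewMux puts the three routes named in the PR description behind the editor check.
func NewMux() http.Handler {
	proxy := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}) // stand-in proxy, replies 200
	mux := http.NewServeMux()
	for _, p := range []string{"/api/kagent/agents", "/api/kagent/chat", "/api/kagent/tools/call"} {
		mux.Handle(p, RequireRole("editor", proxy))
	}
	return mux
}

// StatusFor replays a constructed request as the given caller and returns the status code.
func StatusFor(h http.Handler, c Caller, path string) int {
	ctx := context.WithValue(context.Background(), callerKey{}, c)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, path, nil).WithContext(ctx))
	return rec.Code
}

func main() { log.Println("viewer ->", StatusFor(NewMux(), Caller{"alice", "viewer"}, "/api/kagent/chat")) }
```

The audit line is written before the decision is enforced, so denied attempts are recorded alongside permitted ones.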

Copilot AI review requested due to automatic review settings June 2, 2026 19:32
@kubestellar-hive kubestellar-hive Bot added agent/scanner Filed by the scanner agent hive/hive-v1 Hive instance hive-v1 labels Jun 2, 2026
@kubestellar-prow kubestellar-prow Bot added the dco-signoff: yes Indicates the PR's author has signed the DCO. label Jun 2, 2026

Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.


netlify Bot commented Jun 2, 2026

Deploy Preview for kubestellarconsole ready!

Name Link
🔨 Latest commit a8fc67b
🔍 Latest deploy log https://app.netlify.com/projects/kubestellarconsole/deploys/6a1f78c80750fb000871ac7a
😎 Deploy Preview https://deploy-preview-16561.console-deploy-preview.kubestellar.io

@kubestellar-prow

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign eeshaansa for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


github-actions Bot commented Jun 2, 2026

👋 Hey @kubestellar-hive[bot] — thanks for opening this PR!

🤖 This project is developed exclusively using AI coding assistants.

Please do not attempt to code anything for this project manually.
All contributions should be authored using an AI coding tool such as:

This ensures consistency in code style, architecture patterns, test coverage,
and commit quality across the entire codebase.


This is an automated message.

@github-actions github-actions Bot added the ai-generated Pull request generated by AI label Jun 2, 2026
@kubestellar-prow kubestellar-prow Bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jun 2, 2026
@kubestellar-prow kubestellar-prow Bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jun 2, 2026
@kubestellar-prow kubestellar-prow Bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jun 2, 2026
@kubestellar-hive kubestellar-hive Bot changed the title 🔒 Require editor role for kagent proxy endpoints 🔒 Add authorization checks to kagent proxy endpoints Jun 2, 2026
@kubestellar-hive kubestellar-hive Bot changed the title 🔒 Add authorization checks to kagent proxy endpoints � Require editor role for kagent proxy endpoints Jun 2, 2026
@kubestellar-hive kubestellar-hive Bot changed the title � Require editor role for kagent proxy endpoints 🔒 Require editor role for kagent proxy endpoints Jun 3, 2026
github-actions Bot and others added 3 commits June 3, 2026 00:43
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Add authorization checks to kagent Chat and CallTool handlers to
prevent viewer-role users from invoking agents and tools.

- Require editor or admin role for /api/kagent/chat
- Require editor or admin role for /api/kagent/tools/call
- Log all kagent invocations with user identity for audit

Fixes CWE-862: Missing Authorization

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@kubestellar-prow kubestellar-prow Bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jun 3, 2026
@kubestellar-hive kubestellar-hive Bot merged commit e5acbfe into main Jun 3, 2026
33 of 34 checks passed
@kubestellar-prow kubestellar-prow Bot deleted the fix/16491 branch June 3, 2026 01:13

github-actions Bot commented Jun 3, 2026

Thank you for your contribution! Your PR has been merged.

Check out what's new:

Stay connected: Slack #kubestellar-dev | Multi-Cluster Survey


github-actions Bot commented Jun 3, 2026

Post-merge build verification passed

Both Go and frontend builds compiled successfully against merge commit e5acbfeebaef88bee9fbe1242190f4d006d11c88.


github-actions Bot commented Jun 3, 2026

✅ Post-Merge Verification: passed

Commit: e5acbfeebaef88bee9fbe1242190f4d006d11c88
Specs run: smoke.spec.ts
Report: https://github.com/kubestellar/console/actions/runs/26857677855

kubestellar-hive Bot added a commit that referenced this pull request Jun 3, 2026
* 🔒 Add authorization checks to kagent proxy endpoints

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* 🔒 Require editor role for kagent proxy endpoints

Add authorization checks to kagent Chat and CallTool handlers to
prevent viewer-role users from invoking agents and tools.

- Require editor or admin role for /api/kagent/chat
- Require editor or admin role for /api/kagent/tools/call
- Log all kagent invocations with user identity for audit

Fixes CWE-862: Missing Authorization

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* 🔒 Require editor role for kagent proxy endpoints

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

---------

Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Labels

agent/scanner Filed by the scanner agent ai-generated Pull request generated by AI dco-signoff: yes Indicates the PR's author has signed the DCO. hive/hive-v1 Hive instance hive-v1 size/M Denotes a PR that changes 30-99 lines, ignoring generated files. tier/2-standard


Development

Successfully merging this pull request may close these issues.

[sec-check] Kagent proxy allows any authenticated user to invoke arbitrary agents and tools without authorization (CWE-862)
