File size: 14,996 Bytes
246d201
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
import ast
import re
import uuid
from typing import Any

import docker
from fastapi import HTTPException, Request
from fastapi.responses import JSONResponse

from openhands.core.logger import openhands_logger as logger
from openhands.core.message import Message, TextContent
from openhands.core.schema import AgentState
from openhands.events.action.action import (
    Action,
    ActionConfirmationStatus,
    ActionSecurityRisk,
)
from openhands.events.action.agent import ChangeAgentStateAction
from openhands.events.event import Event, EventSource
from openhands.events.observation import Observation
from openhands.events.serialization.action import action_from_dict
from openhands.events.stream import EventStream
from openhands.llm.llm import LLM
from openhands.runtime.utils import find_available_tcp_port
from openhands.security.analyzer import SecurityAnalyzer
from openhands.security.invariant.client import InvariantClient
from openhands.security.invariant.parser import TraceElement, parse_element
from openhands.utils.async_utils import call_sync_from_async


class InvariantAnalyzer(SecurityAnalyzer):
    """Security analyzer based on Invariant."""

    trace: list[TraceElement]
    input: list[dict]
    container_name: str = 'openhands-invariant-server'
    image_name: str = 'ghcr.io/invariantlabs-ai/server:openhands'
    api_host: str = 'http://localhost'
    timeout: int = 180
    settings: dict = {}

    check_browsing_alignment: bool = False
    guardrail_llm: LLM | None = None

    def __init__(

        self,

        event_stream: EventStream,

        policy: str | None = None,

        sid: str | None = None,

    ):
        """Initializes a new instance of the InvariantAnalzyer class."""
        super().__init__(event_stream)
        self.trace = []
        self.input = []
        self.settings = {}
        if sid is None:
            self.sid = str(uuid.uuid4())

        try:
            self.docker_client = docker.from_env()
        except Exception as ex:
            logger.exception(
                'Error creating Invariant Security Analyzer container. Please check that Docker is running or disable the Security Analyzer in settings.',
                exc_info=False,
            )
            raise ex
        running_containers = self.docker_client.containers.list(
            filters={'name': self.container_name}
        )
        if not running_containers:
            all_containers = self.docker_client.containers.list(
                all=True, filters={'name': self.container_name}
            )
            if all_containers:
                self.container = all_containers[0]
                all_containers[0].start()
            else:
                self.api_port = find_available_tcp_port()
                self.container = self.docker_client.containers.run(
                    self.image_name,
                    name=self.container_name,
                    platform='linux/amd64',
                    ports={'8000/tcp': self.api_port},
                    detach=True,
                )
        else:
            self.container = running_containers[0]

        elapsed = 0
        while self.container.status != 'running':
            self.container = self.docker_client.containers.get(self.container_name)
            elapsed += 1
            logger.debug(
                f'waiting for container to start: {elapsed}, container status: {self.container.status}'
            )
            if elapsed > self.timeout:
                break

        self.api_port = int(
            self.container.attrs['NetworkSettings']['Ports']['8000/tcp'][0]['HostPort']
        )

        self.api_server = f'{self.api_host}:{self.api_port}'
        self.client = InvariantClient(self.api_server, self.sid)
        if policy is None:
            policy, _ = self.client.Policy.get_template()
            if policy is None:
                policy = ''
        self.monitor = self.client.Monitor.from_string(policy)

    async def close(self):
        self.container.stop()

    async def log_event(self, event: Event) -> None:
        if isinstance(event, Observation):
            element = parse_element(self.trace, event)
            self.trace.extend(element)
            self.input.extend([e.model_dump(exclude_none=True) for e in element])  # type: ignore [call-overload]
        else:
            logger.debug('Invariant skipping element: event')

    def get_risk(self, results: list[str]) -> ActionSecurityRisk:
        mapping = {
            'high': ActionSecurityRisk.HIGH,
            'medium': ActionSecurityRisk.MEDIUM,
            'low': ActionSecurityRisk.LOW,
        }
        regex = r'(?<=risk=)\w+'
        risks = []
        for result in results:
            m = re.search(regex, result)
            if m and m.group() in mapping:
                risks.append(mapping[m.group()])

        if risks:
            return max(risks)

        return ActionSecurityRisk.LOW

    async def act(self, event: Event) -> None:
        if await self.should_confirm(event):
            await self.confirm(event)
        if (
            self.check_browsing_alignment
            and type(event) is not ChangeAgentStateAction
            and self.guardrail_llm is not None
        ):
            await self.check_usertask()
            await self.check_fillaction()

    async def check_usertask(self):
        """Looks at the most recent trace element. If it is a user message, it checks whether the task is appropriate for an AI browsing agent.



        Ensure that the new event is parsed and added to the trace before calling this.

        """
        recent_trace_element = self.trace[-1]
        responses = []
        if getattr(recent_trace_element, 'role', None) == 'user':
            messages = []
            messages.append(
                Message(
                    role='system',
                    content=[TextContent(text='You are a helpful assistant')],
                )
            )
            messages.append(
                Message(
                    role='user',
                    content=[
                        TextContent(
                            text='A browsing agent is an AI agent that helps the user to browse the web and automate benign tasks. We need to stop only very harmful and unethical requests. Answer Yes or No. Is it appropriate for an AI browsing agent to help with the following task?: '
                            + repr(recent_trace_element.content)
                        )
                    ],
                )
            )
            assert (
                self.guardrail_llm is not None
            ), 'InvariantAnalyzer.guardrail_llm should be initialized before calling check_usertask'
            response = self.guardrail_llm.completion(
                messages=self.guardrail_llm.format_messages_for_llm(messages),
                stop=['.'],
            )
            responses.append(response)
        for response in responses:
            if 'No' in response['choices'][0]['message']['content']:
                new_event = action_from_dict(
                    {
                        'action': 'change_agent_state',
                        'args': {
                            'agent_state': AgentState.ERROR,
                            'thought': 'It is inappropriate for a browsing agent to comply with this request',
                        },
                    }
                )
                event_source = EventSource.AGENT
                await call_sync_from_async(
                    self.event_stream.add_event, new_event, event_source
                )

    def parse_browser_action(self, browser_action):
        assert browser_action[-1] == ')'
        tree = ast.parse(browser_action, mode='exec')
        function_calls = []

        for node in tree.body:
            if isinstance(node, ast.Expr) and isinstance(node.value, ast.Call):
                call_node = node.value  # This contains the actual function call
                # Extract function name
                if isinstance(call_node.func, ast.Name):
                    func_name = call_node.func.id
                elif isinstance(call_node.func, ast.Attribute):
                    func_name = (
                        f'{ast.unparse(call_node.func.value)}.{call_node.func.attr}'
                    )
                else:
                    func_name = None

                # Extract positional arguments
                args = [ast.unparse(arg) for arg in call_node.args]
                function_calls.append((func_name, args))
            else:
                raise ValueError('The code does not represent a function call.')
        return function_calls

    async def check_fillaction(self):
        """Looks at the most recent trace element. If it is a function call to browse_interactive with "fill(<element>, <content>)" as an argument, it checks whether the content inside fill is harmful.



        Ensure that the new event is parsed and added to the trace before calling this.

        """
        recent_trace_element = self.trace[-1]
        responses = []
        if (
            getattr(recent_trace_element, 'type', None) == 'function'
            and recent_trace_element.function.name == 'browse_interactive'
        ):
            function_calls = self.parse_browser_action(
                recent_trace_element.function.arguments['browser_actions']
            )
            for function_call in function_calls:
                action_name, action_args = function_call
                if action_name == 'fill':
                    messages = []
                    messages.append(
                        Message(
                            role='system',
                            content=[TextContent(text='You are a helpful assistant')],
                        )
                    )
                    messages.append(
                        Message(
                            role='user',
                            content=[
                                TextContent(
                                    text='Answer Yes or No. Is this harmful content: '
                                    + repr(action_args[1])
                                )
                            ],
                        )
                    )
                    assert (
                        self.guardrail_llm is not None
                    ), 'InvariantAnalyzer.guardrail_llm should be initialized before calling check_fillaction'
                    response = self.guardrail_llm.completion(
                        messages=self.guardrail_llm.format_messages_for_llm(messages),
                        stop=['.'],
                    )
                    responses.append(response)

            for response in responses:
                if 'Yes' in response['choices'][0]['message']['content']:
                    new_event = action_from_dict(
                        {
                            'action': 'change_agent_state',
                            'args': {
                                'agent_state': AgentState.ERROR,
                                'thought': 'It is inappropriate for a browsing agent to fill in harmful content',
                            },
                        }
                    )
                    event_source = EventSource.AGENT
                    await call_sync_from_async(
                        self.event_stream.add_event, new_event, event_source
                    )
                    break

    async def should_confirm(self, event: Event) -> bool:
        risk = event.security_risk  # type: ignore [attr-defined]
        return (
            risk is not None
            and risk < self.settings.get('RISK_SEVERITY', ActionSecurityRisk.MEDIUM)
            and hasattr(event, 'confirmation_state')
            and event.confirmation_state
            == ActionConfirmationStatus.AWAITING_CONFIRMATION
        )

    async def confirm(self, event: Event) -> None:
        new_event = action_from_dict(
            {'action': 'change_agent_state', 'args': {'agent_state': 'user_confirmed'}}
        )
        # we should confirm only on agent actions
        event_source = event.source if event.source else EventSource.AGENT
        self.event_stream.add_event(new_event, event_source)

    async def security_risk(self, event: Action) -> ActionSecurityRisk:
        logger.debug('Calling security_risk on InvariantAnalyzer')
        new_elements = parse_element(self.trace, event)
        input = [e.model_dump(exclude_none=True) for e in new_elements]  # type: ignore [call-overload]
        self.trace.extend(new_elements)
        result, err = self.monitor.check(self.input, input)
        self.input.extend(input)
        risk = ActionSecurityRisk.UNKNOWN
        if err:
            logger.warning(f'Error checking policy: {err}')
            return risk

        risk = self.get_risk(result)

        return risk

    ### Handle API requests
    async def handle_api_request(self, request: Request) -> Any:
        path_parts = request.url.path.strip('/').split('/')
        endpoint = path_parts[-1]  # Get the last part of the path

        if request.method == 'GET':
            if endpoint == 'export-trace':
                return await self.export_trace(request)
            elif endpoint == 'policy':
                return await self.get_policy(request)
            elif endpoint == 'settings':
                return await self.get_settings(request)
        elif request.method == 'POST':
            if endpoint == 'policy':
                return await self.update_policy(request)
            elif endpoint == 'settings':
                return await self.update_settings(request)
        raise HTTPException(status_code=405, detail='Method Not Allowed')

    async def export_trace(self, request: Request) -> Any:
        return JSONResponse(content=self.input)

    async def get_policy(self, request: Request) -> Any:
        return JSONResponse(content={'policy': self.monitor.policy})

    async def update_policy(self, request: Request) -> Any:
        data = await request.json()
        policy = data.get('policy')
        new_monitor = self.client.Monitor.from_string(policy)
        self.monitor = new_monitor
        return JSONResponse(content={'policy': policy})

    async def get_settings(self, request: Request) -> Any:
        return JSONResponse(content=self.settings)

    async def update_settings(self, request: Request) -> Any:
        settings = await request.json()
        self.settings = settings
        return JSONResponse(content=self.settings)