cmdbox 0.5.3.1__py3-none-any.whl → 0.6.0__py3-none-any.whl

cmdbox/app/options.py

@@ -1,6 +1,6 @@
 from cmdbox.app import common, feature, web
 from cmdbox.app.commons import module
-from fastapi import Request
+from fastapi import Request, WebSocket
 from fastapi.routing import APIRoute
 from datetime import datetime
 from pathlib import Path
@@ -49,6 +49,7 @@ class Options:
         self.aliases_loaded_cli = False
         self.aliases_loaded_web = False
         self.audit_loaded = False
+        self.agentrule_loaded = False
         self.init_options()
 
     def get_mode_keys(self) -> List[str]:
@@ -345,6 +346,7 @@ class Options:
                 svcmd = fobj.get_svcmd()
                 if svcmd is not None:
                     self._options["svcmd"][svcmd] = fobj
+                opt['use_agent'] = self.check_agentrule(mode, cmd, logger)
         self.init_debugoption()
     
     def is_features_loaded(self, ftype:str) -> bool:
@@ -396,6 +398,8 @@ class Options:
                 return
             if type(yml['features'][ftype]) is not list:
                 raise Exception(f'features.yml is invalid. (The “features.{ftype} element must be a list. {ftype}={yml["features"][ftype]})')
+            # featureモジュール読込みの前にagentruleの読み込み
+            self.load_features_agentrule(logger)
             for data in yml['features'][ftype]:
                 if type(data) is not dict:
                     raise Exception(f'features.yml is invalid. (The “features.{ftype}” element must be a list element must be a dictionary. data={data})')
@@ -415,6 +419,7 @@ class Options:
                 func(data['package'], data['prefix'], exclude_modules, appcls, ver, logger, self.is_features_loaded(ftype))
                 self.features_loaded[ftype] = True
 
+
     def load_features_args(self, args_dict:Dict[str, Any]):
         yml = self.features_yml_data
         if yml is None:
@@ -658,6 +663,54 @@ class Options:
         self.audit_search_args['cmd'] = cmd
         self.audit_loaded = True
 
+    def load_features_agentrule(self, logger:logging.Logger):
+        yml = self.features_yml_data
+        if yml is None: return
+        if self.agentrule_loaded: return
+        if 'agentrule' not in yml: return
+        if 'policy' not in yml['agentrule']:
+            raise Exception('features.yml is invalid. (The agentrule element must have "policy" specified.)')
+        if yml['agentrule']['policy'] not in ['allow', 'deny']:
+            raise Exception('features.yml is invalid. (The policy element must specify allow or deny.)')
+        if 'rules' not in yml['agentrule']:
+            raise Exception('features.yml is invalid. (The agentrule element must have "rules" specified.)')
+        for rule in yml['agentrule']['rules']:
+            if 'mode' not in rule:
+                rule['mode'] = None
+            if 'cmds' not in rule:
+                rule['cmds'] = []
+            if rule['mode'] is None and len(rule['cmds']) > 0:
+                raise Exception('features.yml is invalid. (When “cmds” is specified, “mode” must be specified.)')
+            if 'rule' not in rule:
+                raise Exception('features.yml is invalid. (The agentrule.rules element must have "rule" specified.)')
+        self.agentrule_loaded = True
+
+    def check_agentrule(self, mode:str, cmd:str, logger:logging.Logger) -> bool:
+        """
+        エージェントが使用してよいコマンドかどうかをチェックします
+
+        Args:
+            mode (str): モード
+            cmd (str): コマンド
+
+        Returns:
+            bool: 認可されたかどうか
+        """
+        if not self.agentrule_loaded:
+            return False
+        # コマンドチェック
+        jadge = self.features_yml_data['agentrule']['policy']
+        for rule in self.features_yml_data['agentrule']['rules']:
+            if rule['mode'] is not None:
+                if rule['mode'] != mode:
+                    continue
+                if len([c for c in rule['cmds'] if cmd == c]) <= 0:
+                    continue
+            jadge = rule['rule']
+        if logger.level == logging.DEBUG:
+            logger.debug(f"agent rule: mode={mode}, cmd={cmd}: {jadge}")
+        return jadge == 'allow'
+
     AT_USER = 'user'
     AT_ADMIN = 'admin'
     AT_SYSTEM = 'system'
@@ -779,7 +832,7 @@ class Options:
             elif isinstance(arg, feature.Feature):
                 func_feature = arg
                 opt['clmsg_src'] = func_feature.__class__.__name__
-            elif isinstance(arg, Request):
+            elif isinstance(arg, Request) or isinstance(arg, WebSocket):
                 if 'signin' in arg.session and arg.session['signin'] is not None and 'name' in arg.session['signin']:
                     opt['clmsg_user'] = arg.session['signin']['name']
                     if opt['audit_type'] is None:

cmdbox/app/web.py

@@ -1,11 +1,12 @@
 from cmdbox.app import common, options
-from cmdbox.app.auth.signin import Signin
+from cmdbox.app.auth import signin, signin_saml
 from cmdbox.app.commons import module
-from fastapi import FastAPI, Request, Response, HTTPException
-from fastapi.responses import RedirectResponse
+from fastapi import FastAPI, Request, Response
 from pathlib import Path
+from starlette.applications import Starlette
 from starlette.middleware.sessions import SessionMiddleware
-from typing import Any, Dict, List, Tuple
+from starlette.routing import Mount
+from typing import Any, Dict, List
 from uvicorn.config import Config
 import asyncio
 import copy
@@ -31,7 +32,7 @@ class Web:
     def __init__(self, logger:logging.Logger, data:Path, appcls=None, ver=None,
                  redis_host:str = "localhost", redis_port:int = 6379, redis_password:str = None, svname:str = 'server',
                  client_only:bool=False, doc_root:Path=None, gui_html:str=None, filer_html:str=None, result_html:str=None, users_html:str=None,
-                 audit_html:str=None, assets:List[str]=None, signin_html:str=None, signin_file:str=None, gui_mode:bool=False,
+                 audit_html:str=None, agent_html:str=None, assets:List[str]=None, signin_html:str=None, signin_file:str=None, gui_mode:bool=False,
                  web_features_packages:List[str]=None, web_features_prefix:List[str]=None):
         """
         cmdboxクライアント側のwebapiサービス
@@ -52,6 +53,7 @@ class Web:
             result_html (str, optional): 結果のHTMLファイル. Defaults to None.
             users_html (str, optional): ユーザーのHTMLファイル. Defaults to None.
             audit_html (str, optional): 監査のHTMLファイル. Defaults to None.
+            agent_html (str, optional): エージェントのHTMLファイル. Defaults to None.
             assets (List[str], optional): 静的ファイルのリスト. Defaults to None.
             signin_html (str, optional): ログイン画面のHTMLファイル. Defaults to None.
             signin_file (str, optional): ログイン情報のファイル. Defaults to args.signin_file.
@@ -78,6 +80,7 @@ class Web:
         self.result_html = Path(result_html) if result_html is not None else Path(__file__).parent.parent / 'web' / 'result.html'
         self.users_html = Path(users_html) if users_html is not None else Path(__file__).parent.parent / 'web' / 'users.html'
         self.audit_html = Path(audit_html) if audit_html is not None else Path(__file__).parent.parent / 'web' / 'audit.html'
+        self.agent_html = Path(agent_html) if agent_html is not None else Path(__file__).parent.parent / 'web' / 'agent.html'
         self.assets = []
         if assets is not None:
             if not isinstance(assets, list):
@@ -97,6 +100,7 @@ class Web:
         self.result_html_data = None
         self.users_html_data = None
         self.audit_html_data = None
+        self.agent_html_data = None
         self.assets_data = None
         self.signin_html_data = None
         self.gui_mode = gui_mode
@@ -106,18 +110,21 @@ class Web:
         self.pipes_path = self.data / ".pipes"
         self.users_path = self.data / ".users"
         self.audit_path = self.data / '.audit'
+        self.agent_path = self.data / '.agent'
         self.static_root = Path(__file__).parent.parent / 'web'
         common.mkdirs(self.cmds_path)
         common.mkdirs(self.pipes_path)
         common.mkdirs(self.users_path)
         common.mkdirs(self.audit_path)
+        common.mkdirs(self.agent_path)
         self.pipe_th = None
         self.img_queue = queue.Queue(1000)
         self.cb_queue = queue.Queue(1000)
         self.options = options.Options.getInstance()
         self.webcap_client = requests.Session()
-        signin_file_data = Signin.load_signin_file(self.signin_file)
-        self.signin = Signin(self.logger, self.signin_file, signin_file_data, self.appcls, self.ver)
+        signin_file_data = signin.Signin.load_signin_file(self.signin_file)
+        self.signin = signin.Signin(self.logger, self.signin_file, signin_file_data, self.appcls, self.ver)
+        self.signin_saml = signin_saml.SigninSAML(self.logger, self.signin_file, signin_file_data, self.appcls, self.ver)
 
         if self.logger.level == logging.DEBUG:
             self.logger.debug(f"web init parameter: data={self.data} -> {self.data.absolute() if self.data is not None else None}")
@@ -131,6 +138,7 @@ class Web:
             self.logger.debug(f"web init parameter: result_html={self.result_html} -> {self.result_html.absolute() if self.result_html is not None else None}")
             self.logger.debug(f"web init parameter: users_html={self.users_html} -> {self.users_html.absolute() if self.users_html is not None else None}")
             self.logger.debug(f"web init parameter: audit_html={self.audit_html} -> {self.audit_html.absolute() if self.audit_html is not None else None}")
+            self.logger.debug(f"web init parameter: agent_html={self.agent_html} -> {self.agent_html.absolute() if self.agent_html is not None else None}")
             self.logger.debug(f"web init parameter: assets={self.assets} -> {[a.absolute() for a in self.assets] if self.assets is not None else None}")
             self.logger.debug(f"web init parameter: signin_html={self.signin_html} -> {self.signin_html.absolute() if self.signin_html is not None else None}")
             self.logger.debug(f"web init parameter: signin_file={self.signin_file} -> {self.signin_file.absolute() if self.signin_file is not None else None}")
@@ -140,6 +148,8 @@ class Web:
             self.logger.debug(f"web init parameter: cmds_path={self.cmds_path} -> {self.cmds_path.absolute() if self.cmds_path is not None else None}")
             self.logger.debug(f"web init parameter: pipes_path={self.pipes_path} -> {self.pipes_path.absolute() if self.pipes_path is not None else None}")
             self.logger.debug(f"web init parameter: users_path={self.users_path} -> {self.users_path.absolute() if self.users_path is not None else None}")
+            self.logger.debug(f"web init parameter: audit_path={self.audit_path} -> {self.audit_path.absolute() if self.audit_path is not None else None}")
+            self.logger.debug(f"web init parameter: agent_path={self.agent_path} -> {self.agent_path.absolute() if self.agent_path is not None else None}")
 
     def init_webfeatures(self, app:FastAPI):
         self.filemenu = dict()
@@ -149,7 +159,10 @@ class Web:
         if self.options.is_features_loaded('web'):
             return
         # webfeatureの読込み
+        self.wf_dep = []
         def wf_route(pk, prefix, excludes, w, app, appcls, ver, logger):
+            if pk in w.wf_dep: return
+            w.wf_dep.append(pk)
             for wf in module.load_webfeatures(pk, prefix, excludes, appcls=appcls, ver=ver, logger=logger):
                 wf.route(self, app)
                 self.filemenu = {**self.filemenu, **wf.filemenu(w)}
@@ -348,12 +361,12 @@ class Web:
         if 'hash' not in user or user['hash'] == '':
             raise ValueError(f"User hash is not found or empty. ({user})")
         hash = user['hash']
-        if hash!='oauth2' and ('password' not in user or user['password'] == ''):
+        if hash!='oauth2' and hash!='saml' and ('password' not in user or user['password'] == ''):
             raise ValueError(f"User password is not found or empty. ({user})")
         if 'email' not in user:
             raise ValueError(f"User email is not found. ({user})")
-        if hash=='oauth2' and (user['email'] is None or user['email']==''):
-            raise ValueError(f"Required when `email` is `oauth2`. ({user})")
+        if (hash=='oauth2' or hash=='saml') and (user['email'] is None or user['email']==''):
+            raise ValueError(f"Required when `email` is `oauth2` or `saml`. ({user})")
         if 'groups' not in user or type(user['groups']) is not list:
             raise ValueError(f"User groups is not found or empty. ({user})")
         for gn in user['groups']:
@@ -363,13 +376,13 @@ class Web:
             raise ValueError(f"User uid is already exists. ({user})")
         if len([u for u in signin_data['users'] if u['name'] == user['name']]) > 0:
             raise ValueError(f"User name is already exists. ({user})")
-        if hash not in ['oauth2', 'plain', 'md5', 'sha1', 'sha256']:
+        if hash not in ['oauth2', 'saml', 'plain', 'md5', 'sha1', 'sha256']:
             raise ValueError(f"User hash is not supported. ({user})")
         jadge, msg = self.signin.check_password_policy(user['name'], '', user['password'])
         if not jadge:
             raise ValueError(msg)
         if hash != 'plain':
-            user['password'] = common.hash_password(user['password'], hash if hash != 'oauth2' else 'sha1')
+            user['password'] = common.hash_password(user['password'], hash if hash != 'oauth2' and hash != 'saml' else 'sha1')
         else:
             user['password'] = user['password']
         signin_data['users'].append(user)
@@ -405,8 +418,8 @@ class Web:
         if 'email' not in user:
             raise ValueError(f"User email is not found. ({user})")
         hash = user['hash']
-        if hash=='oauth2' and (user['email'] is None or user['email']==''):
-            raise ValueError(f"Required when `email` is `oauth2`. ({user})")
+        if (hash=='oauth2' or hash=='saml') and (user['email'] is None or user['email']==''):
+            raise ValueError(f"Required when `email` is `oauth2` or `saml`. ({user})")
         if 'groups' not in user or type(user['groups']) is not list:
             raise ValueError(f"User groups is not found or empty. ({user})")
         for gn in user['groups']:
@@ -416,7 +429,7 @@ class Web:
             raise ValueError(f"User uid is not found. ({user})")
         if len([u for u in signin_data['users'] if u['name'] == user['name']]) <= 0:
             raise ValueError(f"User name is not found. ({user})")
-        if hash not in ['oauth2', 'plain', 'md5', 'sha1', 'sha256']:
+        if hash not in ['oauth2', 'saml', 'plain', 'md5', 'sha1', 'sha256']:
             raise ValueError(f"User hash is not supported. ({user})")
         for u in signin_data['users']:
             if u['uid'] == user['uid']:
@@ -426,7 +439,7 @@ class Web:
                     if not jadge:
                         raise ValueError(msg)
                     if hash != 'plain':
-                        u['password'] = common.hash_password(user['password'], hash if hash != 'oauth2' else 'sha1')
+                        u['password'] = common.hash_password(user['password'], hash if hash != 'oauth2' and hash != 'saml' else 'sha1')
                     else:
                         u['password'] = user['password']
                     # パスワード更新日時の保存
@@ -665,7 +678,8 @@ class Web:
     def start(self, allow_host:str="0.0.0.0", listen_port:int=8081, ssl_listen_port:int=8443,
               ssl_cert:Path=None, ssl_key:Path=None, ssl_keypass:str=None, ssl_ca_certs:Path=None,
               session_domain:str=None, session_path:str='/', session_secure:bool=False, session_timeout:int=900, outputs_key:List[str]=[],
-              guvicorn_workers:int=-1, guvicorn_timeout:int=30):
+              guvicorn_workers:int=-1, guvicorn_timeout:int=30,
+              agent_runner=None, mcp=None, mcp_listen_port=9081, mcp_ssl_listen_port=9443):
         """
         Webサーバを起動する
 
@@ -684,6 +698,10 @@ class Web:
             outputs_key (list, optional): 出力キー. Defaults to [].
             guvicorn_workers (int, optional): Gunicornワーカー数. Defaults to -1.
             guvicorn_timeout (int, optional): Gunicornタイムアウト. Defaults to 30.
+            agent_runner (Runner, optional): エージェントランナー. Defaults to None.
+            mcp (MCP, optional): MCP. Defaults to None.
+            mcp_listen_port (int, optional): MCPリスンポート. Defaults to 9081.
+            mcp_ssl_listen_port (int, optional): MCP SSLリスンポート. Defaults to 9443.
         """
         self.allow_host = allow_host
         self.listen_port = listen_port
@@ -699,6 +717,10 @@ class Web:
         self.session_timeout = session_timeout
         self.guvicorn_workers = guvicorn_workers
         self.guvicorn_timeout = guvicorn_timeout
+        self.agent_runner = agent_runner
+        self.mcp = mcp
+        self.mcp_listen_port = mcp_listen_port
+        self.mcp_ssl_listen_port = mcp_ssl_listen_port
         if self.logger.level == logging.DEBUG:
             self.logger.debug(f"web start parameter: allow_host={self.allow_host}")
             self.logger.debug(f"web start parameter: listen_port={self.listen_port}")
@@ -714,7 +736,81 @@ class Web:
             self.logger.debug(f"web start parameter: session_timeout={self.session_timeout}")
             self.logger.debug(f"web start parameter: guvicorn_worker={self.guvicorn_workers}")
             self.logger.debug(f"web start parameter: guvicorn_timeout={self.guvicorn_timeout}")
+            self.logger.debug(f"web start parameter: agent_runner={self.agent_runner}")
+            self.logger.debug(f"web start parameter: mcp={self.mcp}")
+            self.logger.debug(f"web start parameter: mcp_listen_port={self.mcp_listen_port}")
+            self.logger.debug(f"web start parameter: mcp_ssl_listen_port={self.mcp_ssl_listen_port}")
+
+        if self.agent_runner is not None:
+            # google.adkが大きいので必要な時にだけ読込む
+            from google.adk.sessions import BaseSessionService, Session
+            async def create_agent_session(session_service:BaseSessionService, user_id:str, session_id:str=None) -> Session:
+                """
+                セッションを作成します
+
+                Args:
+                    session_service (BaseSessionService): セッションサービス
+                    user_id (str): ユーザーID
+                    session_id (str): セッションID
+
+                Returns:
+                    Any: セッション
+                """
+                if session_id is None:
+                    session_id = common.random_string(32)
+                session = await session_service.get_session(app_name=self.ver.__appid__, user_id=user_id, session_id=session_id)
+                if session is None:
+                    session = await session_service.create_session(app_name=self.ver.__appid__, user_id=user_id, session_id=session_id)
+                return session
+            self.create_agent_session = create_agent_session
+            async def list_agent_sessions(session_service:BaseSessionService, user_id:str, session_id:str=None) -> List[Session]:
+                """
+                セッションをリストします
+
+                Args:
+                    session_service (BaseSessionService): セッションサービス
+                    user_id (str): ユーザーID
+
+                Returns:
+                    List[Session]: セッションリスト
+                """
+                if session_id is None:
+                    sessions = await session_service.list_sessions(app_name=self.ver.__appid__, user_id=user_id)
+                    ret = []
+                    for s in sessions.sessions:
+                        ret.append(await session_service.get_session(app_name=self.ver.__appid__, user_id=user_id, session_id=s.id))
+                    return ret
+                else:
+                    session = await session_service.get_session(app_name=self.ver.__appid__, user_id=user_id, session_id=session_id)
+                    if session is None:
+                        return []
+                    return [session]
+            self.list_agent_sessions = list_agent_sessions
+            async def delete_agent_session(session_service:BaseSessionService, user_id:str, session_id:str) -> bool:
+                """
+                セッションを削除します
+
+                Args:
+                    session_service (BaseSessionService): セッションサービス
+                    user_id (str): ユーザーID
+                    session_id (str): セッションID
+
+                Returns:
+                    bool: 成功した場合はTrue, 失敗した場合はFalse
+                """
+                return await session_service.delete_session(app_name=self.ver.__appid__, user_id=user_id, session_id=session_id)
+            self.delete_agent_session = delete_agent_session
 
+        """
+        if self.mcp is not None:
+            # MCPをFastAPIにマウント
+            mcp_app:Starlette = self.mcp.streamable_http_app()
+            app = FastAPI(lifespan=self.mcp.settings.lifespan)
+            app.mount("/mcp", mcp_app)
+            #app.include_router(mcp_app.router)
+        else:
+            app = FastAPI()
+        """
         app = FastAPI()
         @app.middleware("http")
         async def set_context_cookie(req:Request, call_next):
@@ -732,19 +828,32 @@ class Web:
 
         self.is_running = True
         #uvicorn.run(app, host=self.allow_host, port=self.listen_port, workers=2)
-        th = ThreadedUvicorn(self.logger, config=Config(app=app, host=self.allow_host, port=self.listen_port),
+        http_config = Config(app=app, host=self.allow_host, port=self.listen_port)
+        th = ThreadedUvicorn(self.logger, config=http_config,
                              guvicorn_config=dict(workers=self.guvicorn_workers, timeout=self.guvicorn_timeout))
         th.start()
+        if self.mcp is not None and self.ssl_cert is None and self.ssl_key is None:
+            mcp_app:Starlette = self.mcp.streamable_http_app()
+            http_config = Config(app=mcp_app, host=self.allow_host, port=self.mcp_listen_port)
+            mcp_th = ThreadedUvicorn(self.logger, config=http_config, force_uvicorn=True)
+            mcp_th.start()
         browser_port = self.listen_port
         th_ssl = None
         if self.ssl_cert is not None and self.ssl_key is not None:
-            th_ssl = ThreadedUvicorn(self.logger,
-                                     config=Config(app=app, host=self.allow_host, port=self.ssl_listen_port,
-                                                   ssl_certfile=self.ssl_cert, ssl_keyfile=self.ssl_key,
-                                                   ssl_keyfile_password=self.ssl_keypass, ssl_ca_certs=self.ssl_ca_certs),
+            https_config = Config(app=app, host=self.allow_host, port=self.ssl_listen_port,
+                                  ssl_certfile=self.ssl_cert, ssl_keyfile=self.ssl_key,
+                                  ssl_keyfile_password=self.ssl_keypass, ssl_ca_certs=self.ssl_ca_certs)
+            th_ssl = ThreadedUvicorn(self.logger, config=https_config,
                                      guvicorn_config=dict(workers=self.guvicorn_workers, timeout=self.guvicorn_timeout))
             th_ssl.start()
             browser_port = self.ssl_listen_port
+            if self.mcp is not None:
+                mcp_app:Starlette = self.mcp.streamable_http_app()
+                https_config = Config(app=mcp_app, host=self.allow_host, port=self.mcp_ssl_listen_port,
+                                      ssl_certfile=self.ssl_cert, ssl_keyfile=self.ssl_key,
+                                      ssl_keyfile_password=self.ssl_keypass, ssl_ca_certs=self.ssl_ca_certs)
+                mcp_th_ssl = ThreadedUvicorn(self.logger, config=https_config, force_uvicorn=True)
+                mcp_th_ssl.start()
         try:
             if self.gui_mode:
                 webbrowser.open(f'http://localhost:{browser_port}/gui')
@@ -753,12 +862,20 @@ class Web:
             while self.is_running:
                 gevent.sleep(1)
             th.stop()
+            if self.mcp is not None:
+                mcp_th.stop()
             if th_ssl is not None:
                 th_ssl.stop()
+                if self.mcp is not None:
+                    mcp_th_ssl.stop()
         except KeyboardInterrupt:
             th.stop()
+            if self.mcp is not None:
+                mcp_th.stop()
             if th_ssl is not None:
                 th_ssl.stop()
+                if self.mcp is not None:
+                    mcp_th_ssl.stop()
 
     def stop(self):
         """
@@ -779,13 +896,24 @@ class Web:
             self.logger.info(f"Exit web.")
 
 class ThreadedUvicorn:
-    def __init__(self, logger:logging.Logger, config:Config, guvicorn_config:Dict[str, Any]):
+    def __init__(self, logger:logging.Logger, config:Config, guvicorn_config:Dict[str, Any]=None, force_uvicorn:bool=False):
         self.logger = logger
         self.guvicorn_config = guvicorn_config
-        if platform.system() == "Windows":
+        self.force_uvicorn = True if platform.system() == "Windows" else force_uvicorn
+        stderr_handler = common.create_log_handler(stderr=True)
+        stdout_handler = common.create_log_handler(stderr=False)
+        if self.force_uvicorn:
+            # loggerの設定
+            common.reset_logger("uvicorn")
+            common.reset_logger("uvicorn.error")
+            common.reset_logger("uvicorn.access")
             self.server = uvicorn.Server(config)
             self.thread = RaiseThread(daemon=True, target=self.server.run)
         else:
+            # loggerの設定
+            common.reset_logger("gunicorn.error")
+            common.reset_logger("gunicorn.access")
+
             from gunicorn.app.wsgiapp import WSGIApplication
             class App(WSGIApplication):
                 def __init__(self, app, options):
@@ -822,7 +950,7 @@ class ThreadedUvicorn:
             #self.thread = RaiseThread(daemon=True, target=self.server.run)
 
     def start(self):
-        if platform.system() == "Windows":
+        if self.force_uvicorn:
             asyncio.set_event_loop_policy(asyncio.WindowsSelectorEventLoopPolicy())
             self.thread.start()
             asyncio.run(self.wait_for_started())
@@ -836,7 +964,7 @@ class ThreadedUvicorn:
             await asyncio.sleep(0.1)
 
     def stop(self):
-        if platform.system() == "Windows":
+        if self.force_uvicorn:
             if self.thread.is_alive():
                 self.server.should_exit = True
                 self.thread.raise_exception()
@@ -846,7 +974,7 @@ class ThreadedUvicorn:
             self.server.started = False
 
     def is_alive(self):
-        if platform.system() == "Windows":
+        if self.force_uvicorn:
             return self.thread.is_alive()
         else:
             return self.server.started

cmdbox/extensions/features.yml

@@ -37,6 +37,24 @@ aliases:                                # Specify the alias for the specified co
                                         #   e.g. /{1}_exec
         move:                           # Specify whether to move the regular expression group of the source to the target.
                                         #   e.g. true
+agentrule:                              # Specifies a list of rules that determine which commands the agent can execute.
+  policy: deny                          # Specify the default policy for the rule. The value can be allow or deny.
+  rules:                                # Specify the rules for the commands that the agent can execute according to the group to which the user belongs.
+  - mode: audit                         # Specify the "mode" as the condition for applying the rule.
+    cmds: [search, write]               # Specify the "cmd" to which the rule applies. Multiple items can be specified in a list.
+    rule: allow                         # Specifies whether the specified command is allowed or not. Values are allow or deny.
+  - mode: client
+    cmds: [file_copy, file_download, file_list, file_mkdir, file_move, file_remove, file_rmdir, file_upload, server_info]
+    rule: allow
+  - mode: cmd
+    cmds: [list, load]
+    rule: allow
+  - mode: server
+    cmds: [list]
+    rule: allow
+  - mode: web
+    cmds: [gencert, genpass, group_list, user_list]
+    rule: allow
 audit:
   enabled: true                         # Specify whether to enable the audit function.
   write:

cmdbox/extensions/sample_project/sample/extensions/features.yml

@@ -46,3 +46,26 @@ aliases:                                # Specify the alias for the specified co
                                         #   e.g. /{1}_exec
         move:                           # Specify whether to move the regular expression group of the source to the target.
                                         #   e.g. true
+audit:
+  enabled: true                         # Specify whether to enable the audit function.
+  write:
+    mode: audit                         # Specify the mode of the feature to be writed.
+    cmd: write                          # Specify the command to be writed.
+  search:
+    mode: audit                         # Specify the mode of the feature to be searched.
+    cmd: search                         # Specify the command to be searched.
+  options:                              # Specify the options for the audit function.
+    host: localhost                     # Specify the service host of the audit Redis server.However, if it is specified as a command line argument, it is ignored.
+    port: 6379                          # Specify the service port of the audit Redis server.However, if it is specified as a command line argument, it is ignored.
+    password: password                  # Specify the access password of the audit Redis server.However, if it is specified as a command line argument, it is ignored.
+    svname: cmdbox                      # Specify the audit service name of the inference server.However, if it is specified as a command line argument, it is ignored.
+    retry_count: 3                      # Specifies the number of reconnections to the audit Redis server.If less than 0 is specified, reconnection is forever.
+    retry_interval: 1                   # Specifies the number of seconds before reconnecting to the audit Redis server.
+    timeout: 15                         # Specify the maximum waiting time until the server responds.
+    pg_enabled: False                   # Specify True if using the postgresql database server.
+    pg_host: localhost                  # Specify the postgresql host.
+    pg_port: 5432                       # Specify the postgresql port.
+    pg_user: postgres                   # Specify the postgresql user name.
+    pg_password: password               # Specify the postgresql password.
+    pg_dbname: audit                    # Specify the postgresql database name.
+    retention_period_days: 365          # Specify the number of days to retain audit logs.

cmdbox/extensions/sample_project/sample/extensions/user_list.yml

@@ -2,9 +2,9 @@ users:                         # A list of users, each of which is a map that co
 - uid: 1                       # An ID that identifies a user. No two users can have the same ID.
   name: admin                  # A name that identifies the user. No two users can have the same name.
   password: admin              # The user's password. The value is hashed with the hash function specified in the next hash field.
-  hash: plain                  # The hash function used to hash the password, which can be plain, md5, sha1, or sha256, or oauth2.
+  hash: plain                  # The hash function used to hash the password, which can be plain, md5, sha1, or sha256, or oauth2, or saml.
   groups: [admin]              # A list of groups to which the user belongs, as specified in the groups field.
-  email: admin@aaa.bbb.jp      # The email address of the user, used when authenticating using the provider specified in the oauth2 field.
+  email: admin@aaa.bbb.jp      # The email address of the user, used when authenticating using the provider specified in the oauth2 or saml field.
 - uid: 101
   name: user01
   password: b75705d7e35e7014521a46b532236ec3
@@ -36,7 +36,6 @@ groups:                        # A list of groups, each of which is a map that c
 - gid: 103
   name: editor
   parent: user
-
 cmdrule:                       # A list of command rules, Specify a rule that determines whether or not a command is executable when executed by a user in web mode.
   policy: deny                 # Specify the default policy for the rule. The value can be allow or deny.
   rules:                       # Specify rules to allow or deny execution of the command, depending on the group the user belongs to.
@@ -50,6 +49,10 @@ cmdrule:                       # A list of command rules, Specify a rule that de
     mode: server
     cmds: [list]
     rule: allow
+  - groups: [user, guest]
+    mode: audit
+    cmds: [write]
+    rule: allow
   - groups: [user, guest]
     mode: web
     cmds: [genpass]
@@ -70,6 +73,7 @@ pathrule:                      # List of RESTAPI rules, rules that determine whe
     rule: allow
   - groups: [user]
     paths: [/signin, /assets, /bbforce_cmd, /copyright, /dosignin, /dosignout, /password/change,
+            /gui/user_data/load, /gui/user_data/save, /gui/user_data/delete,
             /exec_cmd, /exec_pipe, /filer, /gui, /get_server_opt, /usesignout, /versions_cmdbox, /versions_used]
     rule: allow
   - groups: [readonly]
@@ -105,7 +109,8 @@ oauth2:                             # OAuth2 settings.
       client_secret: XXXXXXXXXXX    # Specify Google's OAuth2 client secret.
       redirect_uri: https://localhost:8443/oauth2/google/callback # Specify Google's OAuth2 redirect URI.
       scope: ['email']              # Specify the scope you want to retrieve with Google's OAuth2. Usually, just reading the email is sufficient.
-      signin_module:                # Specify the module name that implements the sign-in. see, cmdbox.app.signin.SignIn
+      signin_module:                # Specify the module name that implements the sign-in.
+        cmdbox.app.auth.google_signin
       note:                         # Specify a description such as Google's OAuth2 reference site.
       - https://developers.google.com/identity/protocols/oauth2/web-server?hl=ja#httprest
     github:                         # OAuth2 settings for GitHub.
@@ -114,7 +119,8 @@ oauth2:                             # OAuth2 settings.
       client_secret: XXXXXXXXXXX    # Specify the GitHub OAuth2 client secret.
       redirect_uri: https://localhost:8443/oauth2/github/callback # Specify the OAuth2 redirect URI for GitHub.
       scope: ['user:email']         # Specify the scope you want to get from GitHub's OAuth2. Usually, just reading the email is sufficient.
-      signin_module:                # Specify the module name that implements the sign-in. see, cmdbox.app.signin.SignIn
+      signin_module:                # Specify the module name that implements the sign-in.
+        cmdbox.app.auth.github_signin
       note:                         # Specify a description, such as a reference site for OAuth2 on GitHub.
       - https://docs.github.com/ja/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#scopes
     azure:                          # OAuth2 settings for Azure AD.
@@ -124,6 +130,34 @@ oauth2:                             # OAuth2 settings.
       client_secret: XXXXXXXXXXX    # Specify the Azure AD OAuth2 client secret.
       redirect_uri: https://localhost:8443/oauth2/azure/callback # Specify the OAuth2 redirect URI for Azure AD.
       scope: ['openid', 'profile', 'email', 'https://graph.microsoft.com/mail.read']
-      signin_module:                # Specify the module name that implements the sign-in. see, cmdbox.app.signin.SignIn
+      signin_module:                # Specify the module name that implements the sign-in.
+        cmdbox.app.auth.azure_signin
       note:                         # Specify a description, such as a reference site for Azure AD's OAuth2.
       - https://learn.microsoft.com/ja-jp/entra/identity-platform/v2-oauth2-auth-code-flow
+saml:                               # SAML settings.
+  providers:                        # This is a per-provider setting for OAuth2.
+    azure:                          # SAML settings for Azure AD.
+      enabled: false                # Specify whether to enable SAML authentication for Azure AD.
+      signin_module:                # Specify the module name that implements the sign-in.
+        cmdbox.app.auth.azure_signin_saml # Specify the python3-saml configuration.
+                                    # see) https://github.com/SAML-Toolkits/python3-saml
+      sp:
+        entityId: https://localhost:8443/
+        assertionConsumerService:
+          url: https://localhost:8443/saml/azure/callback
+          binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
+        attributeConsumingService: {}
+        singleLogoutService:
+          binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
+        NameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+        x509cert: ''
+        privateKey: ''
+      idp:
+        entityId: https://sts.windows.net/{tenant-id}/
+        singleSignOnService:
+          url: https://login.microsoftonline.com/{tenant-id}/saml2
+          binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
+        x509cert: XXXXXXXXXXX
+        singleLogoutService: {}
+        certFingerprint: ''
+        certFingerprintAlgorithm: sha1