Merge pull request #1088 from jroberts2600/panw-prisma-airs-plugin

Add panw-prisma-airs plugin with tests and update config/index

Author: VisargD

conf.json

@@ -7,7 +7,8 @@
     "pillar",
     "patronus",
     "pangea",
-    "promptsecurity"
+    "promptsecurity",
+    "panw-prisma-airs"
   ],
   "credentials": {
     "portkey": {

plugins/index.ts

@@ -46,6 +46,7 @@ import { handler as azurePii } from './azure/pii';
 import { handler as azureContentSafety } from './azure/contentSafety';
 import { handler as promptSecurityProtectPrompt } from './promptsecurity/protectPrompt';
 import { handler as promptSecurityProtectResponse } from './promptsecurity/protectResponse';
+import { handler as panwPrismaAirsintercept } from './panw-prisma-airs/intercept';
 import { handler as defaultjwt } from './default/jwt';
 
 export const plugins = {
@@ -128,4 +129,7 @@ export const plugins = {
     protectPrompt: promptSecurityProtectPrompt,
     protectResponse: promptSecurityProtectResponse,
   },
+  'panw-prisma-airs': {
+    intercept: panwPrismaAirsintercept,
+  },
 };

plugins/panw-prisma-airs/intercept.ts

@@ -0,0 +1,68 @@
+import {
+  HookEventType,
+  PluginContext,
+  PluginHandler,
+  PluginParameters,
+} from '../types';
+import { getText, post } from '../utils';
+
+const AIRS_URL =
+  'https://service.api.aisecurity.paloaltonetworks.com/v1/scan/sync/request';
+
+const fetchAIRS = async (payload: any, apiKey: string, timeout?: number) => {
+  const opts = {
+    headers: { 'x-pan-token': apiKey },
+  };
+  return post(AIRS_URL, payload, opts, timeout);
+};
+
+export const handler: PluginHandler = async (
+  ctx: PluginContext,
+  params: PluginParameters,
+  hook: HookEventType
+) => {
+  const apiKey =
+    (params.credentials?.AIRS_API_KEY as string | undefined) ||
+    process.env.AIRS_API_KEY ||
+    '';
+
+  let verdict = true;
+  let data: any = null;
+  let error: any = null;
+
+  try {
+    const text = getText(ctx, hook); // prompt or response
+
+    const payload = {
+      tr_id:
+        typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function'
+          ? crypto.randomUUID()
+          : Math.random().toString(36).substring(2) + Date.now().toString(36),
+      ai_profile: {
+        profile_name: params.profile_name ?? 'dev-block-all-profile',
+      },
+      metadata: {
+        ai_model: params.ai_model ?? 'unknown-model',
+        app_user: params.app_user ?? 'portkey-gateway',
+      },
+      contents: [
+        { [hook === 'beforeRequestHook' ? 'prompt' : 'response']: text },
+      ],
+    };
+
+    const res: any = await fetchAIRS(payload, apiKey, params.timeout);
+
+    if (!res || typeof res.action !== 'string') {
+      throw new Error('Malformed AIRS response');
+    }
+    if (res.action === 'block') {
+      verdict = false;
+    }
+    data = res;
+  } catch (e: any) {
+    error = e;
+    verdict = false;
+  }
+
+  return { verdict, data, error };
+};

plugins/panw-prisma-airs/manifest.json

@@ -0,0 +1,30 @@
+{
+  "id": "panwPrismaAirs",
+  "name": "PANW Prisma AIRS Guardrail",
+  "description": "Blocks prompt/response when Palo Alto Networks Prisma AI Runtime Security returns action=block.",
+  "credentials": [
+    {
+      "id": "AIRS_API_KEY",
+      "name": "AIRS API Key",
+      "type": "string",
+      "required": true
+    }
+  ],
+  "functions": [
+    {
+      "id": "intercept",
+      "name": "PANW Prisma AIRS Guardrail",
+      "type": "guardrail",
+      "supportedHooks": ["beforeRequestHook", "afterRequestHook"],
+      "parameters": {
+        "type": "object",
+        "properties": {
+          "profile_name": { "type": "string" },
+          "ai_model": { "type": "string" },
+          "app_user": { "type": "string" }
+        },
+        "required": ["profile_name"]
+      }
+    }
+  ]
+}

plugins/panw-prisma-airs/panw.airs.test.ts

@@ -0,0 +1,27 @@
+import { handler as panwPrismaAirsHandler } from './intercept';
+
+describe('PANW Prisma AIRS Guardrail', () => {
+  const mockContext = {
+    request: { text: 'This is a test prompt.' },
+    response: { text: 'This is a test response.' },
+  };
+
+  const params = {
+    credentials: { AIRS_API_KEY: 'dummy-key' },
+    profile_name: 'test-profile',
+    ai_model: 'gpt-unit-test',
+    app_user: 'unit-tester',
+    timeout: 3000,
+  };
+
+  it('should return a result object with verdict, data, and error', async () => {
+    const result = await panwPrismaAirsHandler(
+      mockContext,
+      params,
+      'beforeRequestHook'
+    );
+    expect(result).toHaveProperty('verdict');
+    expect(result).toHaveProperty('data');
+    expect(result).toHaveProperty('error');
+  });
+});