[cli] feat: add trust-all-requesters switch to anti-agent

paolino · paolino · commit 92aaca6a0aa5 · 2025-09-19T10:44:59.000+01:00
diff --git a/cli/CD/anti-agent/docker-compose.yaml b/cli/CD/anti-agent/docker-compose.yaml
@@ -17,7 +17,7 @@ services:
     restart:
       always
     privileged: true
-    command: "--poll-interval 60 --days 1"
+    command: "--poll-interval 60 --days 1 --trust-all-requesters"
     volumes:
       - tmp:/tmp
          # Mount CA certificates, curl seems not to find them when the pkgs.cacert is included in the image
diff --git a/cli/src/User/Agent/Process.hs b/cli/src/User/Agent/Process.hs
@@ -4,7 +4,7 @@ The process
 - monitors the antithesis recipients email inbox for new test results.
 - monitors the running test-run facts
 - publish a report-test transaction for each new result found.
-- automatically accepts pending test-runs from trusted creators, downloading their assets and pushing them to Antithesis.
+- automatically accepts pending test-runs from trusted requesters, downloading their assets and pushing them to Antithesis.
 
 Trickery:
 - To avoid pushing to Antithesis twice the same test-run, we have to track also the test-runs that are changing state (pending->running or running->done).
@@ -123,6 +123,13 @@ parseArgs =
             secretsFileOption
             processOptionsParser
 
+data Requesters = Some [Username] | AnyRequester
+    deriving (Eq, Show)
+
+allowRequester :: Requesters -> Username -> Bool
+allowRequester AnyRequester _ = True
+allowRequester (Some users) user = user `elem` users
+
 data ProcessOptions = ProcessOptions
     { poAuth :: Auth
     , poPollIntervalSeconds :: Int
@@ -132,7 +139,7 @@ data ProcessOptions = ProcessOptions
     , poAntithesisEmail :: EmailUser
     , poAntithesisEmailPassword :: EmailPassword
     , poDays :: Int
-    , poTrustedCreators :: [Username]
+    , poTrustedRequesters :: Requesters
     , poRegistry :: Registry
     , poAntithesisAuth :: AntithesisAuth
     , poVerbose :: Bool
@@ -149,7 +156,7 @@ processOptionsParser =
         <*> agentEmailOption
         <*> agentEmailPasswordOption
         <*> daysOption
-        <*> creatorsOption
+        <*> requestersOption
         <*> registryOption
         <*> antithesisAuthOption
         <*> verboseOption
@@ -164,172 +171,189 @@ verboseOption =
         , value False
         ]
 
-creatorsOption :: Parser [Username]
-creatorsOption =
+someRequestersOption :: Parser Requesters
+someRequestersOption =
     let fromOption =
             many
                 $ Username
                     <$> strOption
-                        [ long "trusted-test-creator"
+                        [ long "trusted-test-requester"
                         , short 'c'
                         , metavar "GITHUB_USERNAME"
                         , help
-                            "GitHub username of a trusted test-run creator. \
-                            \Can be specified multiple times to add multiple trusted creators. \
-                            \All test-runs pending from trusted creators will be run by the agent."
+                            "GitHub username of a trusted test-run requester. \
+                            \Can be specified multiple times to add multiple trusted requesters. \
+                            \All test-runs pending from trusted requesters will be run by the agent."
                         ]
         fromConfig =
             fmap (fromMaybe [])
                 $ optional
                 $ fmap Username
                     <$> setting
                         [ conf "trustedRequesters"
-                        , help "List of trusted test-run creators GitHub usernames."
+                        , help "List of trusted test-run requesters GitHub usernames."
                         , metavar "GITHUB_USERNAMES"
                         ]
-    in  (<>) <$> fromOption <*> fromConfig
+    in  fmap Some $ (<>) <$> fromOption <*> fromConfig
+
+allRequestersOption :: Parser Requesters
+allRequestersOption =
+    setting
+        [ long "trust-all-requesters"
+        , help
+            "Trust all test-run requesters. All pending test-runs will be run by the agent."
+        , switch AnyRequester
+        ]
+
+requestersOption :: Parser Requesters
+requestersOption = allRequestersOption <|> someRequestersOption
 
 agentProcess
     :: ProcessOptions
     -> IO ()
-agentProcess opts@ProcessOptions{poPollIntervalSeconds, poVerbose} = do
-    putStrLn "Starting agent process service..."
-    forever $ runExceptT $ do
-        results <- liftIO $ pollEmails opts
-        loggin
-            $ "Found " ++ show (length results) ++ " email results."
-        efacts <- liftIO $ pollTestRuns opts
-        (pendingTests, runningTests, doneTests, stateChanging) <- case efacts of
-            ValidationFailure err -> do
-                loggin $ "Failed to get test-run facts: " ++ show err
-                throwE ()
-            ValidationSuccess facts -> pure facts
+agentProcess
+    opts@ProcessOptions
+        { poPollIntervalSeconds
+        , poVerbose
+        , poTrustedRequesters
+        } = do
+        putStrLn "Starting agent process service..."
+        forever $ runExceptT $ do
+            results <- liftIO $ pollEmails opts
+            loggin
+                $ "Found " ++ show (length results) ++ " email results."
+            efacts <- liftIO $ pollTestRuns opts
+            (pendingTests, runningTests, doneTests, stateChanging) <- case efacts of
+                ValidationFailure err -> do
+                    loggin $ "Failed to get test-run facts: " ++ show err
+                    throwE ()
+                ValidationSuccess facts -> pure facts
 
-        loggin
-            $ "Found "
-                ++ show (length pendingTests)
-                ++ " pending tests (excluding changing state), "
-                ++ show (length runningTests)
-                ++ " running tests (excluding changing state), and "
-                ++ show (length doneTests)
-                ++ " done tests (excluding changing state). and "
-                ++ show (length stateChanging)
-                ++ " changing state tests."
-        for_ results $ \result@Result{description} -> do
-            let sameKey :: [Fact TestRun v] -> Maybe (Fact TestRun v)
-                sameKey = find $ (description ==) . factKey
-                matchingTests =
-                    Left <$> sameKey runningTests
-                        <|> Right <$> sameKey doneTests
-                TestRunId trId = mkTestRunId description
-            case matchingTests of
-                Nothing ->
-                    loggin
-                        $ "No matching test-run found in facts for email result: "
-                            ++ trId
-                Just (Left (Fact testRun testState)) -> do
-                    loggin
-                        $ "Publishing result for test-run: "
-                            ++ show testRun
-                    eres <- liftIO $ submitDone opts (testRunDuration testState) result
-                    case eres of
-                        ValidationFailure err ->
-                            loggin
-                                $ "Failed to publish result for test-run "
-                                    ++ trId
-                                    ++ ": "
-                                    ++ show err
-                        ValidationSuccess txHash ->
-                            loggin
-                                $ "Published result for test-run "
-                                    ++ trId
-                                    ++ " in transaction "
-                                    ++ show txHash
-                Just (Right _) -> when poVerbose $ do
-                    loggin
-                        $ "Test-run "
-                            ++ trId
-                            ++ " has email result and is already in done state."
-        for_ pendingTests $ \(Fact testRun _) -> runExceptT $ do
-            let TestRunId trId = mkTestRunId testRun
-                user = requester testRun
-                testId = mkTestRunId testRun
-            if user `elem` poTrustedCreators opts
-                then do
-                    loggin
-                        $ "Test-run "
-                            ++ trId
-                            ++ " is pending from trusted creator "
-                            ++ show user
-                            ++ ", starting it."
-                    withSystemTempDirectory "antithesis-agent-" $ \directoryPath -> do
-                        let directory = Directory directoryPath
-                        dres <- liftIO $ downloadAssets opts directory testId
-                        case dres of
-                            ValidationFailure err -> do
+            loggin
+                $ "Found "
+                    ++ show (length pendingTests)
+                    ++ " pending tests (excluding changing state), "
+                    ++ show (length runningTests)
+                    ++ " running tests (excluding changing state), and "
+                    ++ show (length doneTests)
+                    ++ " done tests (excluding changing state). and "
+                    ++ show (length stateChanging)
+                    ++ " changing state tests."
+            for_ results $ \result@Result{description} -> do
+                let sameKey :: [Fact TestRun v] -> Maybe (Fact TestRun v)
+                    sameKey = find $ (description ==) . factKey
+                    matchingTests =
+                        Left <$> sameKey runningTests
+                            <|> Right <$> sameKey doneTests
+                    TestRunId trId = mkTestRunId description
+                case matchingTests of
+                    Nothing ->
+                        loggin
+                            $ "No matching test-run found in facts for email result: "
+                                ++ trId
+                    Just (Left (Fact testRun testState)) -> do
+                        loggin
+                            $ "Publishing result for test-run: "
+                                ++ show testRun
+                        eres <- liftIO $ submitDone opts (testRunDuration testState) result
+                        case eres of
+                            ValidationFailure err ->
                                 loggin
-                                    $ "Failed to download assets for test-run "
+                                    $ "Failed to publish result for test-run "
                                         ++ trId
                                         ++ ": "
                                         ++ show err
-                                throwE ()
-                            ValidationSuccess _ -> pure ()
-                        pushes <- liftIO $ pushTest opts directory testId
-                        case pushes of
+                            ValidationSuccess txHash ->
+                                loggin
+                                    $ "Published result for test-run "
+                                        ++ trId
+                                        ++ " in transaction "
+                                        ++ show txHash
+                    Just (Right _) -> when poVerbose $ do
+                        loggin
+                            $ "Test-run "
+                                ++ trId
+                                ++ " has email result and is already in done state."
+            for_ pendingTests $ \(Fact testRun _) -> runExceptT $ do
+                let TestRunId trId = mkTestRunId testRun
+                    user = requester testRun
+                    testId = mkTestRunId testRun
+                if allowRequester poTrustedRequesters user
+                    then do
+                        loggin
+                            $ "Test-run "
+                                ++ trId
+                                ++ " is pending from trusted requester "
+                                ++ show user
+                                ++ ", starting it."
+                        withSystemTempDirectory "antithesis-agent-" $ \directoryPath -> do
+                            let directory = Directory directoryPath
+                            dres <- liftIO $ downloadAssets opts directory testId
+                            case dres of
+                                ValidationFailure err -> do
+                                    loggin
+                                        $ "Failed to download assets for test-run "
+                                            ++ trId
+                                            ++ ": "
+                                            ++ show err
+                                    throwE ()
+                                ValidationSuccess _ -> pure ()
+                            pushes <- liftIO $ pushTest opts directory testId
+                            case pushes of
+                                ValidationFailure err -> do
+                                    loggin
+                                        $ "Failed to push test-run "
+                                            ++ trId
+                                            ++ ": "
+                                            ++ show err
+                                    throwE ()
+                                ValidationSuccess _ -> do
+                                    loggin
+                                        $ "Pushed test-run "
+                                            ++ trId
+                                            ++ " to Antithesis."
+                        eres <- liftIO $ submitRunning opts testId
+                        case eres of
                             ValidationFailure err -> do
                                 loggin
-                                    $ "Failed to push test-run "
+                                    $ "Failed to accept test-run "
                                         ++ trId
                                         ++ ": "
                                         ++ show err
-                                throwE ()
-                            ValidationSuccess _ -> do
+                            ValidationSuccess txHash ->
                                 loggin
-                                    $ "Pushed test-run "
+                                    $ "Accepted test-run "
                                         ++ trId
-                                        ++ " to Antithesis."
-                    eres <- liftIO $ submitRunning opts testId
-                    case eres of
-                        ValidationFailure err -> do
-                            loggin
-                                $ "Failed to accept test-run "
-                                    ++ trId
-                                    ++ ": "
-                                    ++ show err
-                        ValidationSuccess txHash ->
-                            loggin
-                                $ "Accepted test-run "
-                                    ++ trId
-                                    ++ " in transaction "
-                                    ++ show txHash
-                else
-                    loggin
-                        $ "Test-run "
-                            ++ trId
-                            ++ " is pending from untrusted creator "
-                            ++ show user
-                            ++ ", waiting for it to start running."
-        for_ runningTests $ \(Fact testRun _) -> do
-            let TestRunId trId = mkTestRunId testRun
-                sameKey = (== testRun) . description
-            case find sameKey results of
-                Just _ -> pure ()
-                Nothing ->
-                    loggin
-                        $ "Test-run "
-                            ++ trId
-                            ++ " is still running, waiting for it to complete."
-        for_ stateChanging $ \testRun -> do
-            let TestRunId trId = mkTestRunId testRun
+                                        ++ " in transaction "
+                                        ++ show txHash
+                    else
+                        loggin
+                            $ "Test-run "
+                                ++ trId
+                                ++ " is pending from untrusted requester "
+                                ++ show user
+                                ++ ", waiting for it to start running."
+            for_ runningTests $ \(Fact testRun _) -> do
+                let TestRunId trId = mkTestRunId testRun
+                    sameKey = (== testRun) . description
+                case find sameKey results of
+                    Just _ -> pure ()
+                    Nothing ->
+                        loggin
+                            $ "Test-run "
+                                ++ trId
+                                ++ " is still running, waiting for it to complete."
+            for_ stateChanging $ \testRun -> do
+                let TestRunId trId = mkTestRunId testRun
+                loggin
+                    $ "Test-run "
+                        ++ trId
+                        ++ " is changing state (pending->running or running->done), waiting for it to settle."
             loggin
-                $ "Test-run "
-                    ++ trId
-                    ++ " is changing state (pending->running or running->done), waiting for it to settle."
-        loggin
-            $ "Sleeping for "
-                ++ show poPollIntervalSeconds
-                ++ " seconds..."
-        liftIO $ threadDelay (poPollIntervalSeconds * 1000000)
+                $ "Sleeping for "
+                    ++ show poPollIntervalSeconds
+                    ++ " seconds..."
+            liftIO $ threadDelay (poPollIntervalSeconds * 1000000)
 
 loggin :: MonadIO m => String -> m ()
 loggin = liftIO . putStrLn
