Merge pull request #27 from trustyai-explainability/builtInDetectors

FEAT: Migrate built-in detectors to python, add file-validation detectors

Author: saichandrapandraju

.github/workflows/build-and-push-hf.yaml

@@ -55,34 +55,44 @@ jobs:
           echo "SHA: ${{ github.event.pull_request.head.sha }}"
           echo "MAIN IMAGE AT: ${{ vars.QUAY_RELEASE_REPO }}:latest"
           echo "CI IMAGE AT: quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ github.event.pull_request.head.sha }}"
+          echo "Built-In Detector CI IMAGE AT: quay.io/trustyai/regex-detector-ci:${{ github.event.pull_request.head.sha }}"
 
       # Set environments depending on context
       - name: Set CI environment
         if:  env.BUILD_CONTEXT == 'ci'
         run: |
           echo "TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
           echo "IMAGE_NAME=quay.io/trustyai/guardrails-detector-huggingface-runtime-ci" >> $GITHUB_ENV
+          echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/regex-detector-ci" >> $GITHUB_ENV
       - name: Set main-branch environment
         if:  env.BUILD_CONTEXT == 'main'
         run: |
           echo "TAG=latest" >> $GITHUB_ENV
           echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV
+          echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/regex-detector" >> $GITHUB_ENV
       - name: Set tag environment
         if: env.BUILD_CONTEXT == 'tag'
         run: |
           echo "TAG=${{ github.ref_name }}" >> $GITHUB_ENV
           echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV
+          echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/regex-detector" >> $GITHUB_ENV
       #
       # Run docker commands
       - name: Put expiry date on CI-tagged image
         if:  env.BUILD_CONTEXT == 'ci'
-        run: echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.hf
+        run: |
+          echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.hf
+          echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.builtIn
       - name: Build image
         run: docker build -t ${{ env.IMAGE_NAME }}:$TAG -f detectors/Dockerfile.hf detectors
       - name: Log in to Quay
         run: docker login -u ${{ secrets.QUAY_ROBOT_USERNAME }} -p ${{ secrets.QUAY_ROBOT_SECRET }} quay.io
       - name: Push to Quay CI repo
         run: docker push ${{ env.IMAGE_NAME }}:$TAG
+      - name: Build built-in detector image
+        run: docker build -t ${{ env.BUILTIN_IMAGE_NAME }}:$TAG -f detectors/Dockerfile.builtIn detectors
+      - name: Push to Quay CI repo
+        run: docker push ${{ env.BUILTIN_IMAGE_NAME }}:$TAG
 
       # Leave comment
       - uses: peter-evans/find-comment@v3
@@ -104,6 +114,7 @@ jobs:
             PR image build completed successfully!
             
             📦 [PR image](https://quay.io/repository/trustyai/guardrails-detector-huggingface-runtime-ci?tab=tags): `quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ github.event.pull_request.head.sha }}`
+            📦 [PR image](https://quay.io/trustyai/regex-detector-ci?tab=tags): `quay.io/trustyai/regex-detector-ci:${{ github.event.pull_request.head.sha }}`
       - name: Trivy scan
         uses: aquasecurity/[email protected]
         with:
@@ -115,8 +126,22 @@ jobs:
           exit-code: '0'
           ignore-unfixed: false
           vuln-type: 'os,library'
-
+      - name: Trivy scan, built-in image
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'image'
+          image-ref: "${{ env.BUILTIN_IMAGE_NAME }}:${{ env.TAG }}"
+          format: 'sarif'
+          output: 'trivy-results-built-in.sarif'
+          severity: 'MEDIUM,HIGH,CRITICAL'
+          exit-code: '0'
+          ignore-unfixed: false
+          vuln-type: 'os,library'
       - name: Update Security tab
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: 'trivy-results.sarif'
+      - name: Update Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results-built-in.sarif'

detectors/Dockerfile.builtIn

@@ -0,0 +1,26 @@
+FROM registry.access.redhat.com/ubi9/ubi-minimal as base
+RUN microdnf update -y && \
+    microdnf install -y --nodocs \
+        python-pip python-devel && \
+    pip install --upgrade --no-cache-dir pip wheel && \
+    microdnf clean all
+
+# FROM icr.io/fm-stack/ubi9-minimal-py39-torch as builder
+FROM base as builder
+
+COPY ./common/requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY ./built_in/requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+FROM builder
+
+WORKDIR /app
+ARG CACHEBUST=1
+RUN echo "$CACHEBUST"
+COPY ./common /app/detectors/common
+COPY ./built_in/* /app
+
+EXPOSE 8080
+CMD ["uvicorn", "app:app", "--workers", "4", "--host", "0.0.0.0", "--port", "8080", "--log-config", "/app/detectors/common/log_conf.yaml"]

detectors/built_in/app.py

@@ -0,0 +1,44 @@
+from fastapi import HTTPException
+
+from base_detector_registry import BaseDetectorRegistry
+from regex_detectors import RegexDetectorRegistry
+from file_type_detectors import FileTypeDetectorRegistry
+
+from prometheus_fastapi_instrumentator import Instrumentator
+from detectors.common.scheme import ContentAnalysisHttpRequest,  ContentsAnalysisResponse
+from detectors.common.app import DetectorBaseAPI as FastAPI
+
+app = FastAPI()
+Instrumentator().instrument(app).expose(app)
+
+
+registry : dict[str, BaseDetectorRegistry] = {
+    "regex": RegexDetectorRegistry(),
+    "file_type": FileTypeDetectorRegistry(),
+}
+
+@app.post("/api/v1/text/contents", response_model=ContentsAnalysisResponse)
+def detect_content(request: ContentAnalysisHttpRequest):
+    detections = []
+    for content in request.contents:
+        message_detections = []
+        for detector_kind, detector_registry in registry.items():
+            if detector_kind in request.detector_params:
+                try:
+                    message_detections += detector_registry.handle_request(content, request.detector_params)
+                except HTTPException as e:
+                    raise e
+                except Exception as e:
+                    raise HTTPException(status_code=500) from e
+        detections.append(message_detections)
+    return ContentsAnalysisResponse(root=detections)
+
+
+@app.get("/registry")
+def get_registry():
+    result = {}
+    for detector_type, detector_registry in registry.items():
+        result[detector_type] = {}
+        for detector_name, detector_fn in detector_registry.get_registry().items():
+            result[detector_type][detector_name] = detector_fn.__doc__
+    return result

detectors/built_in/base_detector_registry.py

@@ -0,0 +1,15 @@
+from abc import ABC, abstractmethod
+from typing import List
+
+from detectors.common.scheme import ContentAnalysisResponse
+
+class BaseDetectorRegistry(ABC):
+    def __init__(self):
+        self.registry = None
+
+    @abstractmethod
+    def handle_request(self, content: str, detector_params: dict) -> List[ContentAnalysisResponse]:
+        pass
+    
+    def get_registry(self):
+        return self.registry

detectors/built_in/file_type_detectors.py

@@ -0,0 +1,203 @@
+import json
+from fastapi import HTTPException
+
+import jsonschema
+import xml.etree.ElementTree as ET
+import xmlschema
+import yaml
+
+from typing import List, Optional
+
+from base_detector_registry import BaseDetectorRegistry
+from detectors.common.scheme import ContentAnalysisResponse
+
+
+def is_valid_json(s: str) -> Optional[ContentAnalysisResponse]:
+    """Detect if the text contents is not valid JSON"""
+    try:
+        json.loads(s)
+        return None
+    except (ValueError, TypeError):
+        return ContentAnalysisResponse(
+            start=0,
+            end=len(s),
+            text=s,
+            detection="invalid_json",
+            detection_type= "file_type",
+            score=1.0
+        )
+
+
+def is_valid_json_schema(s: str, schema: str) -> Optional[ContentAnalysisResponse]:
+    """Detect if the text contents does not satisfy a provided JSON schema. To specify a schema, replace $SCHEMA with a JSON schema."""
+    is_valid = is_valid_json(s)
+    if is_valid is None:
+        msg_data = json.loads(s)
+    else:
+        return is_valid
+
+
+    # validate that the schema is valid json
+    try:
+        schema_data = json.loads(schema)
+    except (ValueError, TypeError):
+        return ContentAnalysisResponse(
+            start=0,
+            end=len(schema),
+            text=s,
+            detection="invalid_schema",
+            detection_type="file_type",
+            score=1.0
+        )
+
+    # validate the schema against the message
+    try:
+        jsonschema.validate(instance=msg_data, schema=schema_data)
+        return None
+    except jsonschema.ValidationError as e:
+        return ContentAnalysisResponse(
+            start=0,
+            end=len(s),
+            text=s,
+            detection="json_schema_mismatch",
+            detection_type="file_type",
+            score=1.0
+        )
+
+
+def is_valid_yaml(s: str) -> Optional[ContentAnalysisResponse]:
+    """Detect if the text contents is not valid YAML"""
+    try:
+        yaml.safe_load(s)
+        return None
+    except Exception:
+        return ContentAnalysisResponse(
+            start=0,
+            end=len(s),
+            text=s,
+            detection="invalid_yaml",
+            detection_type="file_type",
+            score=1.0,
+        )
+
+def is_valid_yaml_schema(s: str, schema) -> Optional[ContentAnalysisResponse]:
+    """Detect if the text contents does not satisfy a provided schema. To specify a schema, replace $SCHEMA with a JSON schema. That's not a typo, you validate YAML with a JSON schema!"""
+    is_valid = is_valid_yaml(s)
+    if is_valid is None:
+        msg_data = yaml.safe_load(s)
+    else:
+        return is_valid
+
+    # validate that the schema is valid json
+    try:
+        schema_data = json.loads(schema)
+    except (ValueError, TypeError):
+        return ContentAnalysisResponse(
+            start=0,
+            end=len(schema),
+            text=s,
+            detection="invalid_schema",
+            detection_type="file_type",
+            score=1.0
+        )
+
+    # validate the schema against the message
+    try:
+        jsonschema.validate(instance=msg_data, schema=schema_data)
+        return None
+    except jsonschema.ValidationError as e:
+        return ContentAnalysisResponse(
+            start=0,
+            end=len(s),
+            text=s,
+            detection="yaml_schema_mismatch",
+            detection_type="file_type",
+            score=1.0
+        )
+
+
+def is_valid_xml(s: str) -> Optional[ContentAnalysisResponse]:
+    """Detect if the text contents is not valid XML"""
+    try:
+        ET.fromstring(s)
+        return None
+    except Exception:
+        return ContentAnalysisResponse(
+            start=0,
+            end=len(s),
+            text=s,
+            detection="invalid_xml",
+            detection_type="file_type",
+            score=1.0,
+        )
+
+
+def is_valid_xml_schema(s: str, schema) -> Optional[ContentAnalysisResponse]:
+    """Detect if the text contents does not satisfy a provided XML schema. To specify a schema, replace $SCHEMA with an XML Schema Definition (XSD)"""
+    is_valid = is_valid_xml(s)
+    if is_valid is not None:
+        return is_valid
+    try:
+        # schema is expected to be a string containing the XSD
+        xs = xmlschema.XMLSchema(schema)
+    except Exception:
+        return ContentAnalysisResponse(
+            start=0,
+            end=len(schema),
+            text=s,
+            detection="invalid_xml_schema",
+            detection_type="file_type",
+            score=1.0
+        )
+
+    try:
+        xs.validate(s)
+        return None
+    except xmlschema.XMLSchemaValidationError:
+        return ContentAnalysisResponse(
+            start=0,
+            end=len(s),
+            text=s,
+            detection="xml_schema_mismatch",
+            detection_type="file_type",
+            score=1.0
+        )
+
+
+
+class FileTypeDetectorRegistry(BaseDetectorRegistry):
+    def __init__(self):
+        self.registry = {
+            "json": is_valid_json,
+            "xml": is_valid_xml,
+            "yaml": is_valid_yaml,
+            "json-with-schema:$SCHEMA": is_valid_json_schema,
+            "xml-with-schema:$SCHEMA": is_valid_xml_schema,
+            "yaml-with-schema:$SCHEMA": is_valid_yaml_schema,
+        }
+
+    def handle_request(self, content: str, detector_params: dict) -> List[ContentAnalysisResponse]:
+        detections = []
+        if "file_type" in detector_params and isinstance(detector_params["file_type"], (list, str)):
+            file_types = detector_params["file_type"]
+            file_types = [file_types] if isinstance(file_types, str) else file_types
+            for file_type in file_types:
+                if file_type.startswith("json-with-schema"):
+                    result = is_valid_json_schema(content, file_type.split("json-with-schema:")[1])
+                    if result is not None:
+                        detections += [result]
+                elif file_type.startswith("yaml-with-schema"):
+                    result = is_valid_yaml_schema(content, file_type.split("yaml-with-schema:")[1])
+                    if result is not None:
+                        detections += [result]
+                elif file_type.startswith("xml-with-schema"):
+                    result = is_valid_xml_schema(content, file_type.split("xml-with-schema:")[1])
+                    if result is not None:
+                        detections += [result]
+                elif file_type in self.registry:
+                    result = self.registry[file_type](content)
+                    if result is not None:
+                        detections += [result]
+                else:
+                    raise HTTPException(status_code=400, detail=f"Unrecognized file type: {file_type}")
+        return detections