Merge branch 'develop' into feature/agent-loop

# Conflicts:
#	backend/pyproject.toml
#	backend/utils/context_utils.py

Author: Dallas98

backend/agents/create_agent_info.py

@@ -3,7 +3,6 @@
 import logging
 from typing import List, Optional
 from urllib.parse import urljoin
-from datetime import datetime
 
 from jinja2 import Template, StrictUndefined
 from nexent.core.utils.observer import MessageObserver
@@ -485,7 +484,6 @@ async def create_agent_config(
     # Get skills list for prompt template
     skills = _get_skills_for_template(agent_id, tenant_id, version_no)
 
-    time_str = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
     is_manager = len(managed_agents) > 0 or len(external_a2a_agents) > 0
 
     render_kwargs = {
@@ -500,7 +498,6 @@ async def create_agent_config(
         "APP_DESCRIPTION": app_description,
         "memory_list": memory_list,
         "knowledge_base_summary": knowledge_base_summary,
-        "time": time_str,
         "user_id": user_id,
     }
     system_prompt = Template(prompt_template["system_prompt"], undefined=StrictUndefined).render(render_kwargs)
@@ -529,7 +526,6 @@ async def create_agent_config(
             few_shots=few_shots_prompt,
             app_name=app_name,
             app_description=app_description,
-            time_str=time_str,
             user_id=user_id,
             language=language,
             is_manager=is_manager,

backend/apps/cas_app.py

@@ -0,0 +1,156 @@
+import html
+import logging
+from http import HTTPStatus
+from typing import Optional
+from urllib.parse import parse_qs, urlsplit
+
+from fastapi import APIRouter, HTTPException, Query, Request
+from fastapi.responses import HTMLResponse, JSONResponse, RedirectResponse
+
+from services.cas_service import (
+    CAS_SERVER_URL,
+    CasAuthenticationError,
+    build_login_url,
+    build_renew_url,
+    get_cas_config,
+    login_with_ticket,
+    renew_with_ticket,
+    revoke_from_logout_request,
+)
+
+logger = logging.getLogger(__name__)
+router = APIRouter(prefix="/user/cas", tags=["cas"])
+
+
+@router.get("/config")
+async def config():
+    return JSONResponse(
+        status_code=HTTPStatus.OK,
+        content={"message": "success", "data": get_cas_config()},
+    )
+
+
+@router.get("/login")
+async def login(redirect: str = Query("/", description="URL to return to after login")):
+    try:
+        login_url = _require_cas_server_redirect(build_login_url(redirect))
+        return RedirectResponse(url=login_url, status_code=HTTPStatus.FOUND)
+    except CasAuthenticationError as exc:
+        logger.warning("CAS login rejected: %s", exc)
+        raise HTTPException(status_code=HTTPStatus.BAD_REQUEST, detail="CAS login is not available")
+
+
+@router.get("/callback")
+async def callback(ticket: str = "", redirect: str = "/"):
+    try:
+        result = await login_with_ticket(ticket, redirect)
+        return JSONResponse(
+            status_code=HTTPStatus.OK,
+            content={"message": "CAS login successful", "data": result},
+        )
+    except CasAuthenticationError as exc:
+        logger.warning("CAS callback rejected: %s", exc)
+        raise HTTPException(status_code=HTTPStatus.UNAUTHORIZED, detail="CAS authentication failed")
+    except Exception as exc:
+        logger.error(f"CAS callback failed: {exc}")
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR, detail="CAS login failed")
+
+
+@router.post("/callback")
+async def callback_logout(request: Request, logout_request: Optional[str] = None):
+    return await _handle_logout_request(request, logout_request, endpoint="callback")
+
+
+@router.get("/renew")
+async def renew():
+    try:
+        return RedirectResponse(url=build_renew_url(), status_code=HTTPStatus.FOUND)
+    except CasAuthenticationError as exc:
+        logger.warning("CAS renew rejected: %s", exc)
+        return _renew_html(False, "CAS renew failed")
+
+
+@router.get("/renew_callback")
+async def renew_callback(ticket: str = ""):
+    if not ticket:
+        return _renew_html(False, "CAS session is not active")
+    try:
+        result = await renew_with_ticket(ticket)
+        return JSONResponse(
+            status_code=HTTPStatus.OK,
+            content={"message": "CAS renew successful", "data": result},
+        )
+    except Exception as exc:
+        logger.warning(f"CAS renew failed: {exc}")
+        return _renew_html(False, "CAS renew failed")
+
+
+@router.post("/logout_callback")
+async def logout_callback(
+    request: Request,
+    logout_request: Optional[str] = None,
+):
+    return await _handle_logout_request(request, logout_request, endpoint="logout_callback")
+
+
+async def _handle_logout_request(
+    request: Request,
+    logout_request: Optional[str] = None,
+    endpoint: str = "unknown",
+):
+    logout_request = await _extract_logout_request(request, logout_request)
+    logger.info(
+        "CAS SLO %s received logoutRequest: present=%s length=%s",
+        endpoint,
+        bool(logout_request),
+        len(logout_request or ""),
+    )
+    result = revoke_from_logout_request(logout_request)
+    logger.info("CAS SLO %s revoke result: %s", endpoint, result)
+    return JSONResponse(
+        status_code=HTTPStatus.OK,
+        content={"message": "success", "data": result},
+    )
+
+
+async def _extract_logout_request(request: Request, logout_request: Optional[str] = None) -> str:
+    if logout_request:
+        return logout_request
+
+    query_logout_request = request.query_params.get("logoutRequest") or request.query_params.get("logout_request")
+    if query_logout_request:
+        return query_logout_request
+
+    body = await request.body()
+    raw_body = body.decode("utf-8") if body else ""
+    if not raw_body:
+        return ""
+
+    parsed = parse_qs(raw_body)
+    return (parsed.get("logoutRequest") or parsed.get("logout_request") or [raw_body])[0]
+
+
+def _renew_html(success: bool, reason: str = "") -> HTMLResponse:
+    status = "success" if success else "failed"
+    safe_reason = html.escape(reason)
+    return HTMLResponse(
+        status_code=HTTPStatus.OK,
+        content=f"""<!doctype html>
+<html><body><script>
+window.parent && window.parent.postMessage({{ type: "cas-renew-{status}", reason: "{safe_reason}" }}, window.location.origin);
+</script></body></html>""",
+    )
+
+
+def _require_cas_server_redirect(url: str) -> str:
+    parsed_url = urlsplit(url)
+    parsed_cas = urlsplit(CAS_SERVER_URL)
+    if (
+        parsed_url.scheme not in {"http", "https"}
+        or not parsed_url.netloc
+        or parsed_url.scheme != parsed_cas.scheme
+        or parsed_url.netloc != parsed_cas.netloc
+    ):
+        logger.warning("Blocked CAS redirect outside configured server: %s", url)
+        raise CasAuthenticationError("Invalid CAS redirect URL")
+    return url

backend/apps/config_app.py

@@ -32,6 +32,7 @@
 from apps.monitoring_app import router as monitoring_router
 from apps.a2a_server_app import router as a2a_server_router
 from apps.haotian_app import router as haotian_router
+from apps.cas_app import router as cas_router
 from consts.const import IS_SPEED_MODE
 from services.prompt_template_service import sync_system_default_prompt_template
 
@@ -73,6 +74,7 @@ async def sync_default_prompt_template_on_startup():
     app.include_router(user_management_router)
 
 app.include_router(oauth_router)
+app.include_router(cas_router)
 
 app.include_router(summary_router)
 app.include_router(prompt_router)

backend/apps/user_management_app.py

@@ -19,12 +19,13 @@
     ValidationError,
 )
 from consts.error_code import ErrorCode
+from services.cas_service import build_logout_url, CasAuthenticationError
 from services.user_management_service import get_authorized_client, validate_token, \
     check_auth_service_health, signup_user_with_invitation, signin_user, refresh_user_token, \
     get_session_by_authorization, get_user_info, create_token, list_tokens_by_user, delete_token, \
     update_password
 from services.user_service import delete_user_and_cleanup
-from utils.auth_utils import get_current_user_id
+from utils.auth_utils import get_current_user_id, extract_session_id_from_authorization
 
 
 load_dotenv()
@@ -150,7 +151,18 @@ async def logout(request: Request):
     authorization = request.headers.get("Authorization")
     try:
         # Make logout idempotent: if no token or token expired, still return success
+        session_id = None
+        cas_logout_url = ""
         if authorization:
+            session_id = extract_session_id_from_authorization(authorization)
+            if session_id:
+                from database.cas_session_db import revoke_cas_session_by_session_id
+
+                revoke_cas_session_by_session_id(session_id, actor="user")
+                try:
+                    cas_logout_url = build_logout_url()
+                except CasAuthenticationError as cas_err:
+                    logging.warning(f"CAS logout URL is unavailable: {str(cas_err)}")
             client = get_authorized_client(authorization)
             try:
                 client.auth.sign_out()
@@ -159,7 +171,12 @@ async def logout(request: Request):
                 logging.warning(
                     f"Sign out encountered an error but will be ignored: {str(signout_err)}")
         return JSONResponse(status_code=HTTPStatus.OK,
-                            content={"message": "Logout successful"})
+                            content={
+                                "message": "Logout successful",
+                                "data": {
+                                    "cas_logout_url": cas_logout_url
+                                }
+                            })
 
     except Exception as e:
         logging.error(f"User logout failed: {str(e)}")
@@ -214,6 +231,10 @@ async def get_user_information(request: Request):
         if not user_info:
             raise UnauthorizedError("User information not found")
 
+        user_info["user"]["auth_provider"] = (
+            "cas" if extract_session_id_from_authorization(authorization) else "local"
+        )
+
         return JSONResponse(status_code=HTTPStatus.OK,
                             content={"message": "Success",
                                      "data": user_info})

backend/consts/const.py

@@ -90,6 +90,31 @@ class VectorDatabaseType(str, Enum):
 OAUTH_CA_BUNDLE = os.getenv("OAUTH_CA_BUNDLE", "")
 
 
+# CAS SSO Configuration
+CAS_ENABLED = os.getenv("CAS_ENABLED", "false").lower() in ("true", "1", "yes", "on")
+CAS_SERVER_URL = os.getenv("CAS_SERVER_URL", "").rstrip("/")
+CAS_VALIDATE_PATH = os.getenv("CAS_VALIDATE_PATH", "/p3/serviceValidate")
+CAS_CALLBACK_BASE_URL = os.getenv("CAS_CALLBACK_BASE_URL", OAUTH_CALLBACK_BASE_URL).rstrip("/")
+# CAS login mode:
+# - disabled: disable CAS login entry and automatic CAS redirects.
+# - button: show CAS as an optional login entry.
+# - force: automatically redirect unauthenticated users to CAS login.
+CAS_LOGIN_MODE = os.getenv("CAS_LOGIN_MODE", "disabled").lower()
+CAS_USER_ATTRIBUTE = os.getenv("CAS_USER_ATTRIBUTE", "")
+CAS_EMAIL_ATTRIBUTE = os.getenv("CAS_EMAIL_ATTRIBUTE", "email")
+CAS_ROLE_ATTRIBUTE = os.getenv("CAS_ROLE_ATTRIBUTE", "role")
+CAS_TENANT_ATTRIBUTE = os.getenv("CAS_TENANT_ATTRIBUTE", "tenant_id")
+CAS_ROLE_MAP_JSON = os.getenv("CAS_ROLE_MAP_JSON", "")
+CAS_SESSION_MAX_AGE_SECONDS = int(os.getenv("CAS_SESSION_MAX_AGE_SECONDS", "3600") or 3600)
+LOCAL_SESSION_MAX_AGE_SECONDS = int(os.getenv("LOCAL_SESSION_MAX_AGE_SECONDS", "3600") or 3600)
+CAS_RENEW_BEFORE_SECONDS = int(os.getenv("CAS_RENEW_BEFORE_SECONDS", "300") or 300)
+CAS_RENEW_TIMEOUT_SECONDS = int(os.getenv("CAS_RENEW_TIMEOUT_SECONDS", "10") or 10)
+CAS_SYNTHETIC_EMAIL_DOMAIN = os.getenv("CAS_SYNTHETIC_EMAIL_DOMAIN", "cas.local")
+CAS_LOGOUT_URL = os.getenv("CAS_LOGOUT_URL", "")
+CAS_SSL_VERIFY = os.getenv("CAS_SSL_VERIFY", "true").lower() == "true"
+CAS_CA_BUNDLE = os.getenv("CAS_CA_BUNDLE", "")
+
+
 # ===== To be migrated to frontend configuration =====
 # Email Configuration
 IMAP_SERVER = os.getenv('IMAP_SERVER')