feat(sandbox): artifact browser

2026-05-04 01:18:05 +08:00 · 2026-01-26 14:05:06 +08:00
parent 453844b9e8
commit 39799b9db7
9 changed files with 846 additions and 0 deletions
--- a/api/controllers/console/init.py
+++ b/api/controllers/console/init.py
@ -32,6 +32,7 @@ for module_name in RESOURCE_MODULES:

 # Ensure resource modules are imported so route decorators are evaluated.
 # Import other controllers
+# Sandbox file browser
 from . import (
    admin,
    apikey,
@ -39,6 +40,7 @@ from . import (
    feature,
    init_validate,
    ping,
+    sandbox_files,
    setup,
    spec,
    version,
@ -199,6 +201,7 @@ __all__ = [
    "rag_pipeline_import",
    "rag_pipeline_workflow",
    "recommended_app",
+    "sandbox_files",
    "sandbox_providers",
    "saved_message",
    "setup",
--- a/api/controllers/console/sandbox_files.py
+++ b/api/controllers/console/sandbox_files.py
@ -0,0 +1,87 @@
+from __future__ import annotations
+
+from flask import request
+from flask_restx import Resource, fields
+from pydantic import BaseModel, Field
+
+from controllers.console import console_ns
+from controllers.console.wraps import account_initialization_required, setup_required
+from libs.login import current_account_with_tenant, login_required
+from services.sandbox.sandbox_file_service import SandboxFileService
+
+DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
+
+
+class SandboxFileListQuery(BaseModel):
+    path: str | None = Field(default=None, description="Workspace relative path")
+    recursive: bool = Field(default=False, description="List recursively")
+
+
+class SandboxFileDownloadRequest(BaseModel):
+    path: str = Field(..., description="Workspace relative file path")
+
+
+console_ns.schema_model(
+    SandboxFileListQuery.__name__,
+    SandboxFileListQuery.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0),
+)
+console_ns.schema_model(
+    SandboxFileDownloadRequest.__name__,
+    SandboxFileDownloadRequest.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0),
+)
+
+
+SANDBOX_FILE_NODE_FIELDS = {
+    "path": fields.String,
+    "is_dir": fields.Boolean,
+    "size": fields.Raw,
+    "mtime": fields.Raw,
+}
+
+
+SANDBOX_FILE_DOWNLOAD_TICKET_FIELDS = {
+    "download_url": fields.String,
+    "expires_in": fields.Integer,
+    "export_id": fields.String,
+}
+
+
+sandbox_file_node_model = console_ns.model("SandboxFileNode", SANDBOX_FILE_NODE_FIELDS)
+sandbox_file_download_ticket_model = console_ns.model(
+    "SandboxFileDownloadTicket", SANDBOX_FILE_DOWNLOAD_TICKET_FIELDS
+)
+
+
+@console_ns.route("/sandboxes/<string:sandbox_id>/files")
+class SandboxFilesApi(Resource):
+    @setup_required
+    @login_required
+    @account_initialization_required
+    @console_ns.expect(console_ns.models[SandboxFileListQuery.__name__])
+    @console_ns.marshal_list_with(sandbox_file_node_model)
+    def get(self, sandbox_id: str):
+        args = SandboxFileListQuery.model_validate(request.args.to_dict(flat=True))  # type: ignore[arg-type]
+        _, tenant_id = current_account_with_tenant()
+        return [
+            e.__dict__
+            for e in SandboxFileService.list_files(
+                tenant_id=tenant_id,
+                sandbox_id=sandbox_id,
+                path=args.path,
+                recursive=args.recursive,
+            )
+        ]
+
+
+@console_ns.route("/sandboxes/<string:sandbox_id>/files/download")
+class SandboxFileDownloadApi(Resource):
+    @setup_required
+    @login_required
+    @account_initialization_required
+    @console_ns.expect(console_ns.models[SandboxFileDownloadRequest.__name__])
+    @console_ns.marshal_with(sandbox_file_download_ticket_model)
+    def post(self, sandbox_id: str):
+        payload = SandboxFileDownloadRequest.model_validate(console_ns.payload or {})
+        _, tenant_id = current_account_with_tenant()
+        res = SandboxFileService.download_file(tenant_id=tenant_id, sandbox_id=sandbox_id, path=payload.path)
+        return res.__dict__
--- a/api/controllers/files/init.py
+++ b/api/controllers/files/init.py
@ -19,6 +19,7 @@ from . import (
    app_assets_upload,
    image_preview,
    sandbox_archive,
+    sandbox_file_downloads,
    storage_download,
    tool_files,
    upload,
@ -34,6 +35,7 @@ __all__ = [
    "files_ns",
    "image_preview",
    "sandbox_archive",
+    "sandbox_file_downloads",
    "storage_download",
    "tool_files",
    "upload",
--- a/api/controllers/files/sandbox_file_downloads.py
+++ b/api/controllers/files/sandbox_file_downloads.py
@ -0,0 +1,96 @@
+from urllib.parse import quote
+from uuid import UUID
+
+from flask import Response, request
+from flask_restx import Resource
+from pydantic import BaseModel, Field
+from werkzeug.exceptions import Forbidden, NotFound
+
+from controllers.files import files_ns
+from core.sandbox.security.sandbox_file_signer import SandboxFileDownloadPath, SandboxFileSigner
+from extensions.ext_storage import storage
+
+DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
+
+
+class SandboxFileDownloadQuery(BaseModel):
+    expires_at: int = Field(..., description="Unix timestamp when the link expires")
+    nonce: str = Field(..., description="Random string for signature")
+    sign: str = Field(..., description="HMAC signature")
+
+
+files_ns.schema_model(
+    SandboxFileDownloadQuery.__name__,
+    SandboxFileDownloadQuery.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0),
+)
+
+
+@files_ns.route(
+    "/sandbox-file-downloads/<string:tenant_id>/<string:sandbox_id>/<string:export_id>/<path:filename>/download"
+)
+class SandboxFileDownloadDownloadApi(Resource):
+    def get(self, tenant_id: str, sandbox_id: str, export_id: str, filename: str):
+        args = SandboxFileDownloadQuery.model_validate(request.args.to_dict(flat=True))
+
+        try:
+            export_path = SandboxFileDownloadPath(
+                tenant_id=UUID(tenant_id),
+                sandbox_id=UUID(sandbox_id),
+                export_id=export_id,
+                filename=filename,
+            )
+        except ValueError as exc:
+            raise Forbidden(str(exc)) from exc
+
+        if not SandboxFileSigner.verify_download_signature(
+            export_path=export_path,
+            expires_at=args.expires_at,
+            nonce=args.nonce,
+            sign=args.sign,
+        ):
+            raise Forbidden("Invalid or expired download link")
+
+        try:
+            generator = storage.load_stream(export_path.get_storage_key())
+        except FileNotFoundError as exc:
+            raise NotFound("File not found") from exc
+
+        encoded_filename = quote(filename.split("/")[-1])
+
+        return Response(
+            generator,
+            mimetype="application/octet-stream",
+            direct_passthrough=True,
+            headers={
+                "Content-Disposition": f"attachment; filename*=UTF-8''{encoded_filename}",
+            },
+        )
+
+
+@files_ns.route(
+    "/sandbox-file-downloads/<string:tenant_id>/<string:sandbox_id>/<string:export_id>/<path:filename>/upload"
+)
+class SandboxFileDownloadUploadApi(Resource):
+    def put(self, tenant_id: str, sandbox_id: str, export_id: str, filename: str):
+        args = SandboxFileDownloadQuery.model_validate(request.args.to_dict(flat=True))
+
+        try:
+            export_path = SandboxFileDownloadPath(
+                tenant_id=UUID(tenant_id),
+                sandbox_id=UUID(sandbox_id),
+                export_id=export_id,
+                filename=filename,
+            )
+        except ValueError as exc:
+            raise Forbidden(str(exc)) from exc
+
+        if not SandboxFileSigner.verify_upload_signature(
+            export_path=export_path,
+            expires_at=args.expires_at,
+            nonce=args.nonce,
+            sign=args.sign,
+        ):
+            raise Forbidden("Invalid or expired upload link")
+
+        storage.save(export_path.get_storage_key(), request.get_data())
+        return Response(status=204)