Models endpoint

[AnthonyRonning]

Summary by CodeRabbit

• New Features
  • Added a new endpoint to securely proxy requests to the OpenAI models API for authenticated users.
• Chores
  • Updated PCR development and production history records with new entries reflecting recent measurements.

[coderabbitai]

Walkthrough

This update appends new PCR history records to both development and production JSON files and introduces a new asynchronous proxy endpoint /v1/models in the OpenAI web module. The new endpoint proxies model listing requests to the OpenAI API, with access control, error handling, caching, and encrypted JSON responses.

Changes

Files / Areas	Change Summary
pcrDevHistory.json, pcrProdHistory.json	Appended new PCR history entries with updated PCR0, PCR1, PCR2 values, timestamp, and signature.
src/web/openai.rs	Added async proxy_models handler for /v1/models route, including authentication, caching, proxy logic, and encryption. Router updated to register new route; relevant imports adjusted.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant WebServer
    participant OpenAI API

    Client->>WebServer: GET /v1/models (with headers, session, user)
    WebServer->>WebServer: Check user authentication (deny guest)
    WebServer->>WebServer: Check cache for models list
    alt Cache hit
        WebServer-->>Client: Return cached encrypted JSON response
    else Cache miss or expired
        WebServer->>OpenAI API: GET /v1/models (proxy, with headers)
        OpenAI API-->>WebServer: Response (status, body)
        alt Success
            WebServer->>WebServer: Parse and encrypt JSON response
            WebServer->>WebServer: Update cache with fresh data
            WebServer-->>Client: JSON (encrypted)
        else Failure
            WebServer->>WebServer: Log error details
            WebServer-->>Client: Internal server error
        end
    end

Loading

Possibly related PRs

• OpenSecretCloud/opensecret#26: Updates PCR verification flow, signing, and appending PCR0 values; closely related to PCR history management in this PR.
• OpenSecretCloud/opensecret#32: Also updates PCR history JSON files and introduces OAuth client ID handling; partially overlaps with PCR history updates here.

Poem

In the warren, new hashes hop in line,
PCRs recorded—secure by design.
A proxy appears for models to show,
Guarded and wrapped, encrypted flow.
With every new route and every new key,
The code grows strong as a rabbit’s decree!
🐇✨

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 329d97e and 173fc84.

⛔ Files ignored due to path filters (2)

• pcrDev.json is excluded by !pcrDev.json
• pcrProd.json is excluded by !pcrProd.json

📒 Files selected for processing (3)

• pcrDevHistory.json (1 hunks)
• pcrProdHistory.json (1 hunks)
• src/web/openai.rs (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• pcrDevHistory.json
• pcrProdHistory.json
• src/web/openai.rs

⏰ Context from checks skipped due to timeout of 100000ms (1)

• GitHub Check: Development Reproducible Build

✨ Finishing Touches

• 📝 Generate Docstrings

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

src/web/openai.rs (1)

327-432: Consider refactoring to reduce code duplication.

The proxy_models function is well-implemented with proper access control, error handling, and encryption. However, there's significant code duplication between this function and proxy_openai:

• Guest user validation (lines 336-342 vs 52-58)
• OpenAI API key handling (lines 345-355 vs 90-100)
• HTTP client creation (lines 358-361 vs 103-106)
• Header forwarding logic (lines 373-382 vs 124-133)
• Error handling patterns (lines 397-413 vs 148-164)

Consider extracting common functionality into helper functions:

// Helper for guest user validation
fn validate_non_guest_user(user: &User) -> Result<(), ApiError> {
    if user.is_guest() {
        error!("Guest user attempted to access restricted endpoint: {}", user.uuid);
        return Err(ApiError::Unauthorized);
    }
    Ok(())
}

// Helper for OpenAI client setup
fn create_openai_client(state: &AppState) -> Result<(Client<HttpsConnector<hyper::client::HttpConnector>, Body>, &str, &str), ApiError> {
    let openai_api_key = match &state.openai_api_key {
        Some(key) if !key.is_empty() => key,
        _ => {
            if is_default_openai_domain(&state.openai_api_base) {
                error!("OpenAI API key is required for OpenAI domain");
                return Err(ApiError::InternalServerError);
            }
            ""
        }
    };
    
    let https = HttpsConnector::new();
    let client = Client::builder()
        .pool_idle_timeout(Duration::from_secs(15))
        .build::<_, Body>(https);
        
    Ok((client, openai_api_key, &state.openai_api_base))
}

// Helper for forwarding headers
fn forward_request_headers(req_builder: hyper::http::request::Builder, headers: &HeaderMap) -> hyper::http::request::Builder {
    let mut req = req_builder;
    for (key, value) in headers.iter() {
        if key != header::HOST && key != header::AUTHORIZATION && key != header::CONTENT_LENGTH {
            if let (Ok(name), Ok(val)) = (
                HeaderName::from_bytes(key.as_ref()),
                HeaderValue::from_str(value.to_str().unwrap_or_default()),
            ) {
                req = req.header(name, val);
            }
        }
    }
    req
}

This would improve maintainability and reduce the risk of inconsistencies between the two proxy functions.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a84d991 and 8b63995.

⛔ Files ignored due to path filters (2)

• pcrDev.json is excluded by !pcrDev.json
• pcrProd.json is excluded by !pcrProd.json

📒 Files selected for processing (3)

• pcrDevHistory.json (1 hunks)
• pcrProdHistory.json (1 hunks)
• src/web/openai.rs (3 hunks)

⏰ Context from checks skipped due to timeout of 100000ms (2)

• GitHub Check: Greptile Review
• GitHub Check: Development Reproducible Build

🔇 Additional comments (5)

pcrDevHistory.json (1)

51-57: LGTM! Consistent PCR history entry structure.

The new PCR history entry follows the established format with proper hash values, timestamp, and signature. The structure is consistent with existing entries, maintaining data integrity for attestation purposes.

pcrProdHistory.json (1)

51-57: LGTM! Production PCR entry matches expected format.

The new production PCR history entry maintains consistency with the development environment structure and follows the established pattern. The timestamp difference from the dev environment is expected and appropriate.

src/web/openai.rs (3)

5-5: LGTM! Appropriate import addition.

The addition of encrypt_response and EncryptedResponse imports is necessary for the new models endpoint functionality.

---

11-12: LGTM! Required routing imports added.

The addition of get and Json imports is appropriate for implementing the new GET endpoint.

---

34-34: LGTM! Models endpoint route properly registered.

The new /v1/models GET route is correctly added to the router with the appropriate handler function.

[greptile-apps]

PR Summary

This PR implements a new /v1/models endpoint for OpenAI integration and updates PCR measurements across development and production environments.

• Added /v1/models GET endpoint in src/web/openai.rs to proxy OpenAI model listing requests
• Implemented guest user access prevention and API key validation for models endpoint
• Excluded billing checks for model listing requests unlike chat completions endpoint
• Updated PCR measurements in both dev (timestamp 1748624627) and prod (timestamp 1748624758) environments
• Maintained consistent PCR1 values while updating PCR0/PCR2 to reflect new system state

_{5 files reviewed, 2 comments
Edit PR Review Bot Settings | Greptile}

[greptile-apps]

PR Summary

(updates since last review)

Added caching mechanism for OpenAI models endpoint with a 5-minute TTL using ModelsCache struct and RwLock. The implementation includes proper concurrency handling and error recovery.

• Added ModelsCache struct with is_valid(), set(), and get() methods for managing cached model data
• Implemented thread-safe global cache using std::sync::OnceLock<RwLock<ModelsCache>>
• Added graceful cache miss handling with fallback to direct API calls
• Included proper error handling for cache read/write failures

_{5 file(s) reviewed, 1 comment(s)
Edit PR Review Bot Settings | Greptile}