Skip to content

[ROB-2694] holmes-oauth #2047

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Avi-Robusta wants to merge 1 commit into
base: master
Choose a base branch
from
+57 −0
Open

[ROB-2694] holmes-oauth #2047

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions helm/robusta/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,7 @@ lightActions:
- holmes_conversation
- holmes_issue_chat
- holmes_chat
- holmes_oauth
- list_pods
- kubectl_describe
- fetch_resource_yaml
Expand Down
16 changes: 16 additions & 0 deletions src/robusta/core/model/base_params.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -188,6 +188,7 @@ class ToolApprovalDecision(BaseModel):
tool_call_id: str
approved: bool
save_prefixes: Optional[List[str]] = None # Prefixes to remember for session
decision: Optional[Dict[str, Any]] = None # Structured decision data (e.g. OAuth callback params). Parsed by Holmes.


class HolmesChatParams(HolmesParams):
Expand Down Expand Up @@ -216,6 +217,21 @@ class HolmesIssueChatParams(HolmesChatParams):
context: HolmesIssueChatParamsContext


class HolmesOAuthParams(HolmesParams):
"""
Forwards OAuth callback data to Holmes.
Params are intentionally generic (extra=allow) — the actual contract
is defined by Holmes and can evolve without runner changes.

:var toolset_name: The MCP toolset to authenticate
"""

toolset_name: str

class Config:
extra = "allow"


class HolmesConversationParams(HolmesParams):
"""
:var resource: The resource related to this investigation. A resource has a `name` and `kind`, and may have `namespace` and `node`
Expand Down
40 changes: 40 additions & 0 deletions src/robusta/core/playbooks/internal/ai_integration.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
HolmesChatParams,
HolmesConversationParams,
HolmesIssueChatParams,
HolmesOAuthParams,
ResourceInfo,
)
from robusta.core.model.events import ExecutionBaseEvent
Expand Down Expand Up @@ -385,6 +386,45 @@ def holmes_chat(event: ExecutionBaseEvent, params: HolmesChatParams):
handle_holmes_error(e)


@action
def holmes_oauth(event: ExecutionBaseEvent, params: HolmesOAuthParams):
"""
Forwards OAuth callback data to Holmes for token exchange and storage.

This action is a thin pass-through — the actual OAuth contract is defined
in Holmes. Params use extra=allow so Holmes can evolve the contract
(e.g. add new fields) without requiring runner changes.
"""
holmes_url = HolmesDiscovery.find_holmes_url(params.holmes_url)
if not holmes_url:
raise ActionException(
ErrorCodes.HOLMES_DISCOVERY_FAILED,
"Robusta couldn't connect to the Holmes client.",
)

try:
params_dict = params.dict(exclude={"holmes_url", "model"})
Copy link
Copy Markdown
Contributor

@moshemorad moshemorad Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Those are the only 2 var in HolmesParams why we inheriting it only to exclude those fields?

result = requests.post(
f"{holmes_url}/api/oauth/callback",
json=params_dict,
)
Comment on lines +407 to +410
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify outbound requests in this module and whether they set explicit timeouts.
rg -nP 'requests\.post\(' src/robusta/core/playbooks/internal/ai_integration.py -A6 -B2

Repository: robusta-dev/robusta

Length of output: 2804

Add an explicit timeout to the OAuth callback request.

Line 407 issues an outbound HTTP call without timeout; a stalled connection can hang action processing indefinitely. This is part of a broader pattern in the file—all requests.post() calls lack explicit timeouts and should be addressed similarly.

Proposed fix 
+HOLMES_OAUTH_TIMEOUT = (5, 30)  # connect, read (seconds)
+
         result = requests.post(
             f"{holmes_url}/api/oauth/callback",
             json=params_dict,
+            timeout=HOLMES_OAUTH_TIMEOUT,
         )
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
result = requests.post(
f"{holmes_url}/api/oauth/callback",
json=params_dict,
)
HOLMES_OAUTH_TIMEOUT = (5, 30) # connect, read (seconds)
result = requests.post(
f"{holmes_url}/api/oauth/callback",
json=params_dict,
timeout=HOLMES_OAUTH_TIMEOUT,
)
🧰 Tools
🪛 Ruff (0.15.9)

[error] 407-407: Probable use of requests call without timeout

(S113)

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@src/robusta/core/playbooks/internal/ai_integration.py` around lines 407 -
410, The outgoing OAuth callback request (the call assigning result =
requests.post(...)) has no timeout and may hang; modify this call and every
other requests.post() in src/robusta/core/playbooks/internal/ai_integration.py
to pass an explicit timeout argument (e.g., timeout=DEFAULT_REQUEST_TIMEOUT),
define DEFAULT_REQUEST_TIMEOUT as a module-level constant (or read from config)
near the top of the file, and replace hardcoded numeric literals everywhere with
that constant so timeouts are consistent across functions that use
requests.post() (use the existing holmes_url/params_dict symbols to locate the
specific call to change).

result.raise_for_status()
response_data = result.json()

finding = Finding(
Copy link
Copy Markdown
Contributor

@moshemorad moshemorad Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need this finding?

title="Holmes OAuth",
aggregation_key="HolmesOAuthResult",
subject=FindingSubject(subject_type=FindingSubjectType.TYPE_NONE),
finding_type=FindingType.AI_ANALYSIS,
failure=not response_data.get("success", False),
)
event.add_finding(finding)

except Exception as e:
logging.exception("Failed to complete Holmes OAuth callback")
handle_holmes_error(e)


def stream_and_render_graphs(url, holmes_req, event):
with requests.post(
url,
Expand Down
Loading