Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion conf.json
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,8 @@
"pangea",
"promptsecurity",
"panw-prisma-airs",
"walledai"
"walledai",
"zscaler"
],
"credentials": {
"portkey": {
Expand Down
88 changes: 52 additions & 36 deletions plugins/build.ts
Original file line number Diff line number Diff line change
@@ -1,43 +1,59 @@
import conf from '../conf.json';
import fs from 'fs';
import path from 'path';
import { fileURLToPath } from 'url';

const pluginsEnabled = conf.plugins_enabled;

let importStrings: any = [];
let funcStrings: any = {};
let funcs: any = {};

for (const plugin of pluginsEnabled) {
const manifest = await import(`./${plugin}/manifest.json`);
const functions = manifest.functions.map((func: any) => func.id);
importStrings = [
...importStrings,
...functions.map(
(func: any) =>
`import { handler as ${manifest.id}${func} } from "./${plugin}/${func}"`
),
];

funcs[plugin] = {};
functions.forEach((func: any) => {
funcs[plugin][func] = func;
});

funcStrings[plugin] = [];
for (let key in funcs[plugin]) {
funcStrings[plugin].push(`"${key}": ${manifest.id}${funcs[plugin][key]}`);
const __filename = fileURLToPath(import.meta.url);
const __dirname = path.dirname(__filename);

async function buildPlugins() {
const conf = JSON.parse(
fs.readFileSync(path.join(__dirname, '../conf.json'), 'utf-8')
);
const pluginsEnabled = conf.plugins_enabled;

let importStrings: any = [];
let funcStrings: any = {};
let funcs: any = {};

for (const plugin of pluginsEnabled) {
const manifestPath = path.join(__dirname, plugin, 'manifest.json');
const manifestContent = fs.readFileSync(manifestPath, 'utf-8');
const manifest = JSON.parse(manifestContent);
const safePluginId = manifest.id.replace(/-/g, '');
const functions = manifest.functions.map((func: any) => func.id);
importStrings = [
...importStrings,
...functions.map(
(func: any) =>
`import { handler as ${safePluginId}${func.replace(/-/g, '')} } from "./${plugin}/${func}"`
),
];

funcs[plugin] = {};
functions.forEach((func: any) => {
funcs[plugin][func] = func;
});

funcStrings[plugin] = [];
for (let key in funcs[plugin]) {
funcStrings[plugin].push(
`"${key}": ${safePluginId}${funcs[plugin][key].replace(/-/g, '')}`
);
}
}
}

const indexFilePath = './plugins/index.ts';
const indexFilePath = './plugins/index.ts';

let finalFuncStrings: any = [];
for (let key in funcStrings) {
finalFuncStrings.push(
`\n "${key}": {\n ${funcStrings[key].join(',\n ')}\n }`
);
}
let finalFuncStrings: any = [];
for (let key in funcStrings) {
finalFuncStrings.push(
`\n "${key}": {\n ${funcStrings[key].join(',\n ')}\n }`
);
}

const content = `${importStrings.join('\n')}\n\nexport const plugins = {${finalFuncStrings}\n};\n`;
const content = `${importStrings.join('\n')}\n\nexport const plugins = {${finalFuncStrings}\n};\n`;

fs.writeFileSync(indexFilePath, content);
}

fs.writeFileSync(indexFilePath, content);
buildPlugins();
148 changes: 148 additions & 0 deletions plugins/zscaler/main-function.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,148 @@
import {
HookEventType,
PluginContext,
type PluginHandler,
PluginParameters,
} from '../types';
import { post, getText } from '../utils';

const ZSCALER_EXECUTE_POLICY_URL =
'https://api.zseclipse.net/v1/detection/execute-policy';

interface ZscalerCredentials {
zscalerApiKey: string;
}

interface ZscalerPluginParameters {
policyId: string;
}

interface ZscalerExecutePolicyRequest {
policyId: string;
direction: 'IN' | 'OUT';
content: any;
}

interface ZscalerExecutePolicyResponse {
action: 'ALLOW' | 'BLOCK';
detectorResponses?: Record<string, any>;
}

export const handler: PluginHandler<ZscalerCredentials> = async (
context: PluginContext,
parameters: PluginParameters<ZscalerCredentials>,
eventType: HookEventType
) => {
let error: Error | null = null;
let verdict = true;
let data: Record<string, any> = {};

const credentials = parameters.credentials as ZscalerCredentials | undefined;
const pluginParams = parameters.parameters as ZscalerPluginParameters;

// :white_check_mark: FAIL OPEN (aligned with other plugins)
if (!credentials?.zscalerApiKey) {
return {
error: new Error('Zscaler AI Guard API Key must be configured.'),
verdict: true,
data,
};
}

if (!pluginParams?.policyId) {
return {
error: new Error('Zscaler AI Guard Policy ID must be configured.'),
verdict: true,
data,
};
}

const contentToScan = getText(context, eventType);

if (!contentToScan) {
return {
error: new Error('No content found to scan.'),
verdict: true,
data,
};
}

const direction = eventType === 'beforeRequestHook' ? 'IN' : 'OUT';

const zscalerRequest: ZscalerExecutePolicyRequest = {
policyId: pluginParams.policyId,
direction,
content: contentToScan,
};

try {
const headers = {
'Content-Type': 'application/json',
Authorization: `Bearer ${credentials.zscalerApiKey}`,
};

const response: ZscalerExecutePolicyResponse = await post(
ZSCALER_EXECUTE_POLICY_URL,
zscalerRequest,
{ headers },
10000
);

data = {
zscalerAction: response.action,
detectorResponses: response.detectorResponses,
};

// :white_check_mark: Check top-level action
let isBlocked = response.action === 'BLOCK';

// :white_check_mark: Also check individual detectors (if present)
if (response.detectorResponses) {
const detectorBlocked = Object.values(response.detectorResponses).some(
(detector: any) => detector?.action === 'BLOCK'
);

isBlocked = isBlocked || detectorBlocked;
}

verdict = !isBlocked;

if (!verdict) {
error = new Error(
'Zscaler AI Guard blocked the content with action: BLOCK'
);
}
} catch (e: unknown) {
verdict = false;

const maybeError = e as any;
const status = maybeError?.response?.status;

// :white_check_mark: Proper 429 handling (your test will now pass)
if (status === 429) {
error = new Error('Zscaler AI Guard rate limit exceeded. Status: 429');
}
// :white_check_mark: Proper 5xx handling
else if (status && status >= 500 && status < 600) {
error = new Error(
`Zscaler AI Guard API returned a server error. Status: ${status}`
);
}
// :white_check_mark: Normal JS Error
else if (e instanceof Error) {
error = e;
}
// :white_check_mark: Fallback
else {
error = new Error('An unknown error occurred during Zscaler API call.');
}

data = { originalError: error.message };
}

return {
error,
verdict,
data,
};
};
45 changes: 45 additions & 0 deletions plugins/zscaler/manifest.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
{
"id": "zscalerAiGuard",
"name": "Zscaler AI Guard",
"version": "1.0.0",
"description": "Integrates Zscaler AI Guard for advanced GenAI security, including DLP and prompt injection detection.",
"author": "Zscaler",
"credentials": {
"type": "object",
"properties": {
"zscalerApiKey": {
"type": "string",
"label": "Zscaler AI Guard API Key",
"description": "The API Key generated from your Zscaler AI Guard tenant.",
"encrypted": true
}
},
"required": ["zscalerApiKey"]
},
"functions": [
{
"name": "Zscaler AI Guard Check",
"id": "zscalerAiGuardCheck",
"supportedHooks": ["beforeRequestHook", "afterRequestHook"],
"type": "guardrail",
"description": [
{
"type": "subHeading",
"text": "Performs Zscaler AI Guard policy checks on prompts and LLM responses."
}
],
"parameters": {
"type": "object",
"properties": {
"policyId": {
"type": "string",
"label": "Zscaler Policy ID",
"description": "The ID of the Zscaler Detections Policy to execute.",
"required": true
}
},
"required": ["policyId"]
}
}
]
}
Loading