agent: gate MemAgentMemcgSet and MemAgentCompactSet behind agent policy

The mem_agent_memcg_set and mem_agent_compact_set handlers in rpc.rs
were the only AgentService methods that did not call is_allowed() before
executing. Because the policy engine was never consulted, no OPA/Rego
policy — including the strict default-deny policy generated by genpolicy
— could deny these requests.

Add is_allowed(&config).await? as the first statement of both handlers,
matching the pattern used by every other handler in the file.

Generated-By: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
stevenhorsman
2026-06-25 16:25:50 +01:00
parent ffcc42d984
commit 95b57b025c


@@ -1807,6 +1807,7 @@ impl agent_ttrpc::AgentService for AgentService {
_ctx: &::ttrpc::r#async::TtrpcContext,
config: protocols::agent::MemAgentMemcgConfig,
) -> ::ttrpc::Result<Empty> {
is_allowed(&config).await?;
if let Some(ma) = &self.oma {
ma.memcg_set_config_async(mem_agent_memcgconfig_to_memcg_optionconfig(&config))
.await
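Review bot: Adding `is_allowed(&config).await?;` at the top of the MemAgentMemcgConfig handler is a behavior change for deployments with an existing policy, and neither the commit message nor this hunk says so. Until now this request bypassed the policy engine, so a default-deny policy that has no rule for it will start rejecting calls that used to succeed. Please state that in the commit message or release notes, and confirm whether the policies generated by genpolicy need a rule for this request. The placement before `if let Some(ma) = &self.oma` looks right, since a denied request is then rejected whether or not the mem-agent is configured.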
@@ -1831,6 +1832,7 @@ impl agent_ttrpc::AgentService for AgentService {
_ctx: &::ttrpc::r#async::TtrpcContext,
config: protocols::agent::MemAgentCompactConfig,
) -> ::ttrpc::Result<Empty> {
is_allowed(&config).await?;
if let Some(ma) = &self.oma {
ma.compact_set_config_async(mem_agent_compactconfig_to_compact_optionconfig(&config))
.await
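Review bot: No test accompanies the new `is_allowed(&config).await?;` in the MemAgentCompactConfig handler, or the matching line in the memcg handler above. A regression test that loads a deny policy and asserts that both calls return an error before `compact_set_config_async` or `memcg_set_config_async` is reached would pin the fix down. Since the commit message says these two handlers were the only ones missing the call, a check that every AgentService method starts with `is_allowed` would also keep a future handler from shipping without it.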