
FEAT: Security & Azure deployment for CoPyRIT GUI#1554

Open
adrian-gavrila wants to merge 169 commits into microsoft:main from adrian-gavrila:adrian-gavrila/frontend-attack-view

Conversation

Contributor

@adrian-gavrila adrian-gavrila commented Mar 31, 2026

Changes

  • Authentication: Users sign in via Microsoft Entra ID -> frontend handles login and attaches tokens to every API request -> backend validates those tokens and checks group membership to control access. Auth is automatically disabled for local development.
  • Security headers: Adds standard browser security headers (Content Security Policy, Strict Transport Security, X-Frame-Options, Cache-Control, and others).
  • Infrastructure: Bicep template that provisions resources to host the GUI in Azure — container environment, container registry, logging, managed identity, Key Vault integration, and optional private networking.
  • Deployment pipeline: Azure DevOps pipeline that builds the container image, pushes it, and deploys to a test environment with opt-in production promotion.
  • Docker: Updated for token-based auth in Azure (managed identity) and locally (service principal).

Tests & docs

  • Frontend auth tests (AuthProvider, msalConfig, API service).
  • Deployment guide (infra/README.md) and Docker quickstart (docker/QUICKSTART.md) updated.
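As an added illustration of the backend half of the flow sketched above (validate the token, check group membership, bypass auth only for local development), including the Bearer-header parsing and the groups-overage case mentioned in the later commit messages, here is a stdlib-only Python example. It is not PyRIT code and not part of this PR. Assumptions: the tenant ID, audience URI, group ID and signing key are constructed values; the HS256 test signer exists only so the example runs offline, whereas Entra ID issues RS256 tokens that must be verified against the tenant's JWKS before `validate_claims` is trusted; the `resolve_via_graph` decision marks the point where a real service would call Microsoft Graph to resolve the user's groups.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Mapping, Optional

# Constructed test values (hypothetical); a deployment reads these from configuration.
TEST_KEY = b"constructed-hs256-test-key"
TENANT_ID = "00000000-0000-0000-0000-000000000000"
API_AUDIENCE = "api://copyrit-gui-example"
ALLOWED_GROUPS = frozenset({"11111111-1111-1111-1111-111111111111"})
CLOCK_SKEW_SECONDS = 60
ENTRA_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


class AuthError(Exception):
    """Any failure that must be answered with 401/403 rather than processed."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_test_token(claims: Dict[str, Any], key: bytes = TEST_KEY) -> str:
    """Mint an HS256 JWT so the example runs offline; Entra ID itself issues RS256 tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def sample_claims(now: float, **overrides: Any) -> Dict[str, Any]:
    """Constructed claim set shaped like an Entra ID v2 access token."""
    claims = {"aud": API_AUDIENCE, "iss": ENTRA_ISSUER, "tid": TENANT_ID, "oid": "user-oid-1",
              "nbf": now - 10, "exp": now + 600, "groups": [next(iter(ALLOWED_GROUPS))]}
    claims.update(overrides)
    return claims


def extract_bearer_token(authorization: Optional[str]) -> str:
    """Parse 'Authorization: Bearer <token>'; the scheme is matched case-insensitively."""
    if not authorization:
        raise AuthError("missing Authorization header")
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        raise AuthError("Authorization header is not a Bearer token")
    return token


def verify_hs256(token: str, key: bytes = TEST_KEY) -> Dict[str, Any]:
    """Check the signature and return the payload; the algorithm is pinned, never read from the header."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        raise AuthError("malformed token") from None
    if header.get("alg") != "HS256":
        raise AuthError("unexpected signing algorithm")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise AuthError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def validate_claims(claims: Mapping[str, Any], now: Optional[float] = None) -> Dict[str, Any]:
    """Audience, issuer and time window first, then group membership. Returns the access decision."""
    now = time.time() if now is None else now
    if claims.get("aud") != API_AUDIENCE:
        raise AuthError("token was issued for a different audience")
    if claims.get("iss") != ENTRA_ISSUER or claims.get("tid") != TENANT_ID:
        raise AuthError("token was issued by a different tenant")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now - CLOCK_SKEW_SECONDS:
        raise AuthError("token is expired or has no exp")
    if claims.get("nbf", 0) > now + CLOCK_SKEW_SECONDS:
        raise AuthError("token is not yet valid")
    groups = claims.get("groups")
    if groups is None:
        # Entra omits 'groups' when the user belongs to too many groups and signals
        # overage instead; membership must then be resolved through Microsoft Graph.
        if claims.get("hasgroups") is True or "groups" in (claims.get("_claim_names") or {}):
            return {"decision": "resolve_via_graph", "oid": claims.get("oid"), "groups": []}
        raise AuthError("token carries no group claims")
    matched = sorted(set(groups) & ALLOWED_GROUPS)
    if not matched:
        raise AuthError("user is not a member of an allowed group")
    return {"decision": "allow", "oid": claims.get("oid"), "groups": matched}


def authenticate_request(headers: Mapping[str, str], *, auth_enabled: bool = True,
                         now: Optional[float] = None) -> Dict[str, Any]:
    """Middleware-style entry point; the local-dev bypass is an explicit opt-out, not a fallback."""
    if not auth_enabled:
        return {"decision": "allow", "oid": "local-dev", "groups": []}
    auth_header = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    token = extract_bearer_token(auth_header)
    return validate_claims(verify_hs256(token), now=now)
```

Two points worth keeping when adapting this: the signature is checked before any claim is read, and the algorithm is pinned in code rather than taken from the token header; and the overage branch returns a distinct decision instead of silently allowing, so a user whose `groups` claim was dropped is never admitted without the Graph lookup.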

romanlutz and others added 30 commits February 28, 2026 14:49
- Add run_initializers_async to pyrit.setup for programmatic initialization
- Switch AIRTInitializer to Entra (Azure AD) auth, removing API key requirements
- Add --config-file flag to pyrit_backend CLI
- Use PyRIT configuration loader in FrontendCore and pyrit_backend
- Update AIRTTargetInitializer with new target types

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add conversation_stats model and attack_result extensions
- Add get_attack_results with filtering by harm categories, labels,
  attack type, and converter types to memory interface
- Implement SQLite-specific JSON filtering for attack results
- Add memory_models field for targeted_harm_categories
- Add prompt_metadata support to openai image/video/response targets
- Fix missing return statements in SQLite harm_category and label filters

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add attack CRUD routes with conversation management
- Add message sending with target dispatch and response handling
- Add attack mappers for domain-to-DTO conversion with signed blob URLs
- Add attack service with video remix support and piece persistence
- Expand target service and routes with registry-based target management
- Add version endpoint with database info

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add attack-centric chat UI with multi-conversation support
- Add conversation panel with branching and message actions
- Add attack history view with filtering
- Add labels bar for attack metadata
- Add target configuration with create dialog
- Add message mapper utilities for backend/frontend translation
- Add video playback support with signed blob URLs
- Add InputBox with attachment support and auto-expand
- Update dev.py with --detach, logs, and process management
- Add e2e tests for chat, config, and flow scenarios

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ssibility

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Rename supports_multiturn_chat to supports_multi_turn to align with TargetCapabilities field
- Use target_obj.capabilities.supports_multi_turn instead of isinstance check
- Update tests to set capabilities on mock targets

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…_async

Reverts the separate run_initializers_async function and restores the
original pattern where run_scenario_async calls initialize_pyrit_async
a second time with initializers. This avoids a larger refactor.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Catch ValueError in get_conversation_messages route, return 400
- Fix target_registry_name field description
- Simplify redundant except (ValueError, Exception) to except Exception
- Fix docstring: converter_classes -> converter_types
- Fix test assertions: converter_types -> converter_classes (matches memory API)
- Remove dead tests for deleted helper methods
- Restore azure_openai_video target config to match main

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Move _inject_video_id_from_history and _strip_video_pieces methods from
  AttackService to OpenAIVideoTarget where they belong
- Update _validate_request to accept video_path pieces and check for
  video_path+image_path conflicts
- Add ValueError when video_path is present but no video_id can be resolved
- Add 7 unit tests for the inject/strip logic
- Remove video-specific logic from attack_service._send_and_store_message

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Adrian Gavrila and others added 4 commits April 1, 2026 12:46
- Change getApiScopes to request https://graph.microsoft.com/User.Read
- Reuse shared getApiScopes in api.ts instead of duplicate
- Update backend token validation audience to graph.microsoft.com
- Update test assertions for new scope
- Enables groups overage resolution via Graph API

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Adrian Gavrila and others added 4 commits April 2, 2026 15:18
- Replace toBeInTheDocument with toBeVisible for user-facing assertions
- Add afterEach restoreAllMocks for full test isolation
- Refactor AuthConfig from global cache to React Context
- Rename useMsal instance to msalInstance for clarity
- Extract _authenticate_request_async from dispatch method
- Replace magic number with removeprefix for Bearer token parsing
- Rename overage methods/comments for clarity
- Add _client_id usage comment in auth middleware
- Clarify .azure directory mount in Docker run script
- Standardize Entra ID vs Azure terminology in docs
- Expand acronyms and add links in infra README
- Add what-if preview section to infra README

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Extract AuthConfigContext to separate file (react-refresh/only-export-components)
- Replace ghcr.io/astral-sh/uv container image with install script to comply
  with Microsoft container security policy (CSSC)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>