traceroot-ai
diff --git a/‎rest/config/traces_and_logs.py‎
Lines changed: 4 additions & 0 deletions b/‎rest/config/traces_and_logs.py‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎rest/dao/mongodb_dao.py‎
Lines changed: 30 additions & 0 deletions b/‎rest/dao/mongodb_dao.py‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎rest/routers/explore.py‎
Lines changed: 84 additions & 18 deletions b/‎rest/routers/explore.py‎
Lines changed: 84 additions & 18 deletions
diff --git a/‎rest/service/provider.py‎
Lines changed: 12 additions & 2 deletions b/‎rest/service/provider.py‎
Lines changed: 12 additions & 2 deletions
diff --git a/‎rest/utils/encryption.py‎
Lines changed: 123 additions & 0 deletions b/‎rest/utils/encryption.py‎
Lines changed: 123 additions & 0 deletions
@@ -11,6 +11,10 @@
 class GetTracesAndLogsSinceDateRequest(BaseModel):
     """Request model for getting traces and logs since a specific date."""
     since_date: datetime
+    trace_provider: str = "aws"
+    log_provider: str = "aws"
+    trace_region: str | None = None
+    log_region: str | None = None
 
     @field_validator('since_date')
     @classmethod
 
@@ -90,3 +90,33 @@ async def get_credentials_by_token(
     ) -> dict[str,
               Any] | None:
         pass
+
+    async def get_trace_provider_config(
+        self,
+        user_email: str,
+    ) -> dict[str,
+              Any] | None:
+        """Get trace provider configuration for a user from MongoDB.
+
+        Args:
+            user_email (str): The user's email
+
+        Returns:
+            dict[str, Any] | None: The trace provider config if found, None otherwise
+        """
+        return None
+
+    async def get_log_provider_config(
+        self,
+        user_email: str,
+    ) -> dict[str,
+              Any] | None:
+        """Get log provider configuration for a user from MongoDB.
+
+        Args:
+            user_email (str): The user's email
+
+        Returns:
+            dict[str, Any] | None: The log provider config if found, None otherwise
+        """
+        return None
@@ -1,6 +1,5 @@
 import asyncio
 import logging
-import os
 from collections import deque
 from datetime import datetime, timezone
 from typing import Any
@@ -106,11 +105,11 @@ def __init__(
         self.cache = SimpleMemoryCache(ttl=60 * 10)
         self._setup_routes()
 
-    def get_observe_provider(self, request: Request) -> ObservabilityProvider:
+    async def get_observe_provider(self, request: Request) -> ObservabilityProvider:
         """Get observability provider based on request.
 
         For local mode, always use the default Jaeger provider.
-        For non-local mode, use default AWS provider unless request specifies Tencent.
+        For non-local mode, fetch provider configuration from request params and MongoDB.
 
         Args:
             request: FastAPI request object
@@ -121,15 +120,82 @@ def get_observe_provider(self, request: Request) -> ObservabilityProvider:
         if self.local_mode:
             return self.default_observe_provider
 
-        # Check if request requires Tencent provider
-        # For now, check REST_OBSERVE_PROVIDER env var
-        # TODO: Check user settings from request to determine provider
-        provider_type = os.getenv("REST_OBSERVE_PROVIDER", "aws").lower()
+        # Extract provider parameters from request
+        query_params = request.query_params
+        trace_provider = query_params.get("trace_provider", "aws")
+        log_provider = query_params.get("log_provider", "aws")
+        trace_region = query_params.get("trace_region")
+        log_region = query_params.get("log_region")
 
-        if provider_type == "tencent":
-            return ObservabilityProvider.create_tencent_provider()
-        else:
-            return self.default_observe_provider
+        # Get user email to fetch MongoDB config
+        user_email, _, _ = get_user_credentials(request)
+
+        # Prepare configurations
+        trace_config: dict[str, Any] = {}
+        log_config: dict[str, Any] = {}
+
+        # For Tencent, fetch credentials from MongoDB
+        if trace_provider == "tencent":
+            trace_provider_config = await self.db_client.get_trace_provider_config(
+                user_email
+            )
+            if trace_provider_config and trace_provider_config.get("tencentTraceConfig"):
+                tencent_config = trace_provider_config["tencentTraceConfig"]
+                trace_config = {
+                    "region": trace_region or tencent_config.get("region",
+                                                                 "ap-hongkong"),
+                    "secret_id": tencent_config.get("secretId"),
+                    "secret_key": tencent_config.get("secretKey"),
+                    "apm_instance_id": tencent_config.get("apmInstanceId"),
+                }
+            else:
+                # Fallback to region only if no MongoDB config
+                trace_config = {"region": trace_region or "ap-hongkong"}
+        elif trace_provider == "aws":
+            trace_config = {"region": trace_region}
+        elif trace_provider == "jaeger":
+            # Fetch jaeger config from MongoDB if available
+            trace_provider_config = await self.db_client.get_trace_provider_config(
+                user_email
+            )
+            if trace_provider_config and trace_provider_config.get("jaegerTraceConfig"):
+                jaeger_config = trace_provider_config["jaegerTraceConfig"]
+                trace_config = {"url": jaeger_config.get("endpoint")}
+            else:
+                trace_config = {}
+
+        if log_provider == "tencent":
+            log_provider_config = await self.db_client.get_log_provider_config(user_email)
+            if log_provider_config and log_provider_config.get("tencentLogConfig"):
+                tencent_config = log_provider_config["tencentLogConfig"]
+                log_config = {
+                    "region": log_region or tencent_config.get("region",
+                                                               "ap-hongkong"),
+                    "secret_id": tencent_config.get("secretId"),
+                    "secret_key": tencent_config.get("secretKey"),
+                    "cls_topic_id": tencent_config.get("clsTopicId"),
+                }
+            else:
+                # Fallback to region only if no MongoDB config
+                log_config = {"region": log_region or "ap-hongkong"}
+        elif log_provider == "aws":
+            log_config = {"region": log_region}
+        elif log_provider == "jaeger":
+            # Fetch jaeger config from MongoDB if available
+            log_provider_config = await self.db_client.get_log_provider_config(user_email)
+            if log_provider_config and log_provider_config.get("jaegerLogConfig"):
+                jaeger_config = log_provider_config["jaegerLogConfig"]
+                log_config = {"url": jaeger_config.get("endpoint")}
+            else:
+                log_config = {}
+
+        # Create and return the provider
+        return ObservabilityProvider.create(
+            trace_provider=trace_provider,
+            log_provider=log_provider,
+            trace_config=trace_config,
+            log_config=log_config,
+        )
 
     def _setup_routes(self):
         r"""Set up API routes"""
@@ -341,7 +407,7 @@ async def list_traces(
         # If trace_id is provided, fetch that specific trace directly
         if trace_id:
             try:
-                observe_provider = self.get_observe_provider(request)
+                observe_provider = await self.get_observe_provider(request)
 
                 # Use the new get_trace_by_id method which handles everything
                 trace = await observe_provider.trace_client.get_trace_by_id(
@@ -435,7 +501,7 @@ async def list_traces(
             return resp.model_dump()
 
         try:
-            observe_provider = self.get_observe_provider(request)
+            observe_provider = await self.get_observe_provider(request)
             traces: list[Trace] = await observe_provider.trace_client.get_recent_traces(
                 start_time=start_time,
                 end_time=end_time,
@@ -554,7 +620,7 @@ async def get_logs_by_trace_id(
             return resp.model_dump()
 
         try:
-            observe_provider = self.get_observe_provider(request)
+            observe_provider = await self.get_observe_provider(request)
             logs: TraceLogs = await observe_provider.log_client.get_logs_by_trace_id(
                 trace_id=req_data.trace_id,
                 start_time=req_data.start_time,
@@ -721,7 +787,7 @@ async def post_chat(
             is_github_pr = github_related.is_github_pr
 
         # Get the trace #######################################################
-        observe_provider = self.get_observe_provider(request)
+        observe_provider = await self.get_observe_provider(request)
         selected_trace: Trace | None = None
 
         # If we have a trace_id, fetch it directly
@@ -777,7 +843,7 @@ async def post_chat(
         keys = (trace_id, start_time, end_time, log_group_name)
         logs: TraceLogs | None = await self.cache.get(keys)
         if logs is None:
-            observe_provider = self.get_observe_provider(request)
+            observe_provider = await self.get_observe_provider(request)
             logs = await observe_provider.log_client.get_logs_by_trace_id(
                 trace_id=trace_id,
                 start_time=start_time,
@@ -1014,7 +1080,7 @@ async def get_traces_and_logs_since_date(
 
         try:
             # Get comprehensive traces and logs data since the specified date
-            observe_provider = self.get_observe_provider(request)
+            observe_provider = await self.get_observe_provider(request)
             usage_data = await get_user_traces_and_logs_since_payment(
                 user_sub=user_sub,
                 last_payment_date=req_data.since_date,
@@ -1086,7 +1152,7 @@ async def _filter_traces_by_log_content(
             # from semicolon-separated logs
 
             # Single query to get all matching trace IDs
-            observe_provider = self.get_observe_provider(request)
+            observe_provider = await self.get_observe_provider(request)
             matching_trace_ids = \
                 await observe_provider.log_client.get_trace_ids_from_logs(
                     start_time=start_time,
 
@@ -51,7 +51,12 @@ def create_log_client(
         if provider == ObservabilityProviderType.AWS:
             return AWSLogClient(aws_region=kwargs.get('region'))
         elif provider == ObservabilityProviderType.TENCENT:
-            return TencentLogClient(tencent_region=kwargs.get('region'))
+            return TencentLogClient(
+                tencent_region=kwargs.get('region'),
+                secret_id=kwargs.get('secret_id'),
+                secret_key=kwargs.get('secret_key'),
+                cls_topic_id=kwargs.get('cls_topic_id')
+            )
         elif provider == ObservabilityProviderType.JAEGER:
             return JaegerLogClient(jaeger_url=kwargs.get('url'))
         else:
@@ -79,7 +84,12 @@ def create_trace_client(
         if provider == ObservabilityProviderType.AWS:
             return AWSTraceClient(aws_region=kwargs.get('region'))
         elif provider == ObservabilityProviderType.TENCENT:
-            return TencentTraceClient(tencent_region=kwargs.get('region'))
+            return TencentTraceClient(
+                tencent_region=kwargs.get('region'),
+                secret_id=kwargs.get('secret_id'),
+                secret_key=kwargs.get('secret_key'),
+                apm_instance_id=kwargs.get('apm_instance_id')
+            )
         elif provider == ObservabilityProviderType.JAEGER:
             return JaegerTraceClient(jaeger_url=kwargs.get('url'))
         else:
 
@@ -0,0 +1,123 @@
+import base64
+import hashlib
+import os
+from typing import Optional
+
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+
+
+def get_encryption_secret() -> str:
+    """Get encryption secret from environment variable.
+
+    Returns:
+        str: The encryption secret key
+    """
+    secret = os.getenv("SECRET_ENCRYPT_KEY")
+    if not secret:
+        # Fallback to "LOCAL" for local development
+        secret = "LOCAL"
+    return secret
+
+
+def get_key(secret: str) -> bytes:
+    """Generate AES-256 key from secret using SHA256.
+
+    Args:
+        secret (str): The secret key string
+
+    Returns:
+        bytes: 32-byte key for AES-256
+    """
+    return hashlib.sha256(secret.encode()).digest()
+
+
+def decrypt_value(encrypted_value: str) -> Optional[str]:
+    """Decrypt a value using AES-256-CBC.
+
+    Args:
+        encrypted_value (str): Base64-encoded encrypted value (IV + ciphertext)
+
+    Returns:
+        Optional[str]: Decrypted string value, or None if decryption fails
+    """
+    if not encrypted_value:
+        return None
+
+    # Always use "LOCAL" to match frontend behavior
+    # Client-side encryption cannot truly be secret in browser
+    secrets_to_try = [
+        "LOCAL",  # Primary key used by frontend
+    ]
+
+    for secret in secrets_to_try:
+        try:
+            key = get_key(secret)
+
+            # Decode from base64
+            data = base64.b64decode(encrypted_value)
+
+            # Extract IV (first 16 bytes) and encrypted data
+            iv = data[:16]
+            encrypted = data[16:]
+
+            # Create cipher and decrypt
+            cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
+            decryptor = cipher.decryptor()
+            decrypted = decryptor.update(encrypted) + decryptor.finalize()
+
+            # Remove PKCS7 padding
+            pad_len = decrypted[-1]
+
+            # Validate padding length (must be 1-16 for AES)
+            if pad_len < 1 or pad_len > 16:
+                raise ValueError(f"Invalid padding length: {pad_len}")
+
+            # Validate PKCS7 padding - all padding bytes should have the same value
+            padding_bytes = decrypted[-pad_len:]
+            if not all(b == pad_len for b in padding_bytes):
+                raise ValueError("Invalid PKCS7 padding")
+
+            unpadded = decrypted[:-pad_len]
+            result = unpadded.decode('utf-8')
+            return result
+        except Exception:
+            continue
+
+    # If all secrets failed
+    return None
+
+
+def encrypt_value(value: str) -> Optional[str]:
+    """Encrypt a value using AES-256-CBC.
+
+    Args:
+        value (str): Plain text value to encrypt
+
+    Returns:
+        Optional[str]: Base64-encoded encrypted value, or None if encryption fails
+    """
+    if not value:
+        return None
+
+    try:
+        secret = get_encryption_secret()
+        key = get_key(secret)
+
+        # Generate random IV
+        iv = os.urandom(16)
+
+        # Add PKCS7 padding
+        pad_len = 16 - (len(value) % 16)
+        padded = value + chr(pad_len) * pad_len
+
+        # Create cipher and encrypt
+        cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
+        encryptor = cipher.encryptor()
+        encrypted = encryptor.update(padded.encode()) + encryptor.finalize()
+
+        # Combine IV and encrypted data, then base64 encode
+        return base64.b64encode(iv + encrypted).decode('utf-8')
+    except Exception as e:
+        print(f"Error encrypting value: {e}")
+        return None