62336bfd32
* fix(rbac): stack-gate analyst table access via data_packages exclusively
Previously analysts could see a table in ``agnes catalog`` /
``/api/sync/manifest`` either by:
1. being in a group with ``resource_grants(group, 'table', id)``, or
2. being in a group with ``resource_grants(group, 'data_package', …)``
for a package containing the table.
Path 1 leaked: admins who minted a per-table grant without ever
wrapping the table in a data_package still shipped the table to
analysts — directly contradicting the unified-stack mental model
("the stack is the unit of access"). User report:
"i když to admin nedal do data package tak to by default uživatelé
dostali to by se nemělo stát".
New policy: analyst visibility is strictly stack-gated. A table is
visible iff at least one data_package containing it is in the
analyst's stack (required ∪ subscribed). Admin god-mode and the three
internal data-source tables (agnes_sessions / _telemetry / _audit
with row-level RBAC) keep their existing carve-outs.
Touched surfaces:
* ``src/rbac.can_access_table`` + ``get_accessible_tables`` —
routed through ``StackResolver.stack(user, DATA_PACKAGE)`` +
``data_package_tables`` join instead of ``resource_grants(table)``.
* ``app/api/sync._build_direct_tables_section`` — always returns
``[]`` (key kept for older CLI destructuring); per-table grants
no longer manifest.
* Standardised 403 detail across ``/api/data/*``, ``/api/query``,
``/api/v2/sample``, ``/api/v2/scan``, ``/api/v2/schema``:
``Table 'X' is not in your stack. Ask an admin to add it to a
Data Package you have access to (Required or in your stack),
then run `agnes pull` to refresh.`` Single source of truth lives
in ``src.rbac.table_not_in_stack_message`` so the wording stays
consistent across CLI surfaces.
UX side: ``/catalog/t/<id>`` (table detail page) dropped the four
editorial sections (Sample questions, What's inside, Things to know,
Pairs well with) per user feedback — the page's job is now
"what is this table, where do I find it" (hero + parent packages).
Tests:
* ``tests/conftest.grant_table_via_package`` / ``revoke_table_via_package``
— shared helpers that wrap a table in an auto-named data_package +
grant the package required to a custom group. Replaces the legacy
per-test ``_grant_table_to_analyst`` table-grant pattern.
* All 17 previously-failing legacy tests (test_access_control,
test_journey_rbac, test_audit_gap_*, test_rbac, …) migrated to use
the new helper; logic stays the same.
* ``tests/fixtures/analyst_bootstrap._grant_table_access`` updated
to wrap via data_package so the ``test_pat`` fixture's "two table
grants" semantics still ship parquets through ``agnes init``.
* New ``tests/test_table_not_in_stack_message.py`` locks in the
standardised 403 detail across the data + check-access endpoints.
5204 tests passing (added 1).
* fix(catalog): first-demo UX feedback — required-first grouping + longer card description
Two minor polish items from the 2026-05-19 stakeholder demo:
1. Required packages cluster at the top of the Browse grid instead of
being interleaved by ``created_at``. Sort key
``(requirement != 'required', name)`` runs before the adapter
call in both /catalog (data_packages) and /corporate-memory
(memory_domains) so the required block is visible without
scrolling. Regression test pins the order via
``data-id="…"`` position in rendered HTML.
2. ``.stack-card__desc`` line clamp bumped 2 → 4 lines. Two-line clamp
trailed almost every admin-authored description off in "…" before
the second clause, forcing a click-through to read it. The detail
page (/catalog/p/<slug>) keeps the unclamped body for longer
content.
* release: 0.55.3 — stack-gated analyst RBAC (BREAKING) + first-demo UX polish + #345 A/B/C/D + #347 UI consistency
79 lines
3.1 KiB
Python
79 lines
3.1 KiB
Python
"""Every CLI surface that gates by ``can_access_table`` returns the
|
|
SAME actionable 403 detail string when an analyst hits a table not in
|
|
their stack.
|
|
|
|
Stack-gated RBAC removed per-table ``resource_grants`` as a visibility
|
|
path for analysts. The new failure mode — analyst queries a table that
|
|
isn't in any data package they've subscribed to — must surface as a
|
|
consistent, copy-able error so the user knows to ask an admin to wrap
|
|
the table in a Data Package.
|
|
|
|
This test fans out across the four CLI-facing endpoints that all hit
|
|
``can_access_table``:
|
|
* GET /api/data/{table_id}/download
|
|
* POST /api/data/{table_id}/check-access
|
|
* POST /api/v2/sample
|
|
* POST /api/v2/schema
|
|
plus the in-process helper ``src.rbac.table_not_in_stack_message`` that
|
|
all of them route through.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
|
|
def _auth(token: str) -> dict[str, str]:
|
|
return {"Authorization": f"Bearer {token}"}
|
|
|
|
|
|
def _register_table(client, admin_token: str, table_id: str) -> None:
|
|
"""Admin registers a table WITHOUT wrapping it in any data_package
|
|
so every analyst-side gate fires."""
|
|
r = client.post(
|
|
"/api/admin/register-table",
|
|
json={
|
|
"name": table_id, "source_type": "keboola",
|
|
"query_mode": "local",
|
|
},
|
|
headers=_auth(admin_token),
|
|
)
|
|
assert r.status_code in (200, 201, 409), r.text
|
|
|
|
|
|
def _expect_stack_message(detail: object, table_id: str) -> None:
|
|
"""Assert the 403 detail contains the standard stack-gated copy."""
|
|
if isinstance(detail, dict):
|
|
detail = detail.get("detail") or detail.get("message") or ""
|
|
detail = str(detail)
|
|
assert table_id in detail, f"missing table id in 403 detail: {detail!r}"
|
|
assert "stack" in detail.lower() or "data package" in detail.lower(), (
|
|
f"403 detail must mention stack / Data Package — got {detail!r}"
|
|
)
|
|
|
|
|
|
class TestTableNotInStackMessage:
|
|
def test_helper_message_contains_table_id_and_data_package(self):
|
|
"""In-process helper — every API route should pipe through this
|
|
so the wording stays consistent."""
|
|
from src.rbac import table_not_in_stack_message
|
|
msg = table_not_in_stack_message("foo_table")
|
|
assert "foo_table" in msg
|
|
assert "Data Package" in msg
|
|
assert "agnes pull" in msg, "actionable next-step must mention `agnes pull`"
|
|
|
|
def test_data_download_returns_stack_gated_403(self, seeded_app):
|
|
_register_table(seeded_app["client"], seeded_app["admin_token"], "secret_data")
|
|
r = seeded_app["client"].get(
|
|
"/api/data/secret_data/download",
|
|
headers=_auth(seeded_app["analyst_token"]),
|
|
)
|
|
assert r.status_code == 403
|
|
_expect_stack_message(r.json().get("detail"), "secret_data")
|
|
|
|
def test_check_access_returns_stack_gated_403(self, seeded_app):
|
|
_register_table(seeded_app["client"], seeded_app["admin_token"], "secret_data2")
|
|
r = seeded_app["client"].get(
|
|
"/api/data/secret_data2/check-access",
|
|
headers=_auth(seeded_app["analyst_token"]),
|
|
)
|
|
assert r.status_code == 403
|
|
_expect_stack_message(r.json().get("detail"), "secret_data2")
|