7147bac079
Follow-up to the RBAC v13 + marketplace work in the parent commit. Addresses
deferred Devin findings, gemini-flagged blockers, and adds three guard rails.
== Schema v14 — FK constraints on user_group_members + resource_grants ==
Adds DuckDB foreign-key constraints so cascade deletes can no longer leave
orphaned member / grant rows pointing at a deleted group_id (which were
relying on application-level cascades up to v13). Migration is RENAME →
CREATE-with-FK → INSERT → DROP, wrapped in BEGIN TRANSACTION so a partial
failure rolls back without leaving the DB at a half-applied schema.
== AGNES_ENABLE_TABLE_GRANTS feature flag (default off) ==
ResourceType.TABLE was shipped in the parent commit as listing-only — admins
can record grants but runtime enforcement still flows through legacy
dataset_permissions. To avoid the misleading-UX surface area, the chip is
hidden from /admin/access and POST /api/admin/grants returns 422 with the
env-var name in detail until the operator opts in. Existing TABLE rows in
resource_grants stay listable + deletable so cleanup is never blocked.
Helpers: is_resource_type_enabled(rt), enabled_resource_types().
== Break-glass admin CLI ==
`da admin break-glass <user>` adds the user to the Admin user_group with
source='system_seed' regardless of RBAC state. Bypasses authentication —
relies on filesystem access to ${DATA_DIR}/state/system.duckdb implying
host-level trust. Recovery path when the operator has locked themselves
out of /admin/access.
== Devin round-2 fixes (deferred on b4ec4c4) ==
- src/repositories/user_groups.py — narrow update() guard from blocking any
mutation on system groups to blocking name change only. Description edits
now pass through. Endpoint pre-check stays as defense-in-depth. Prior
behavior surfaced as a misleading 409 'Cannot rename a system group' on
description-only PATCH.
- app/api/access.py:delete_group — wrap cascade DELETEs + repo.delete in
BEGIN TRANSACTION / COMMIT / ROLLBACK. Prevents orphan rows if any
DELETE fails after the user_groups row is gone.
- app/marketplace_server/{packager,router}.py — split compute_etag_for_user()
from build_zip(); router resolves etag first and 304-shorts before any
file read or ZIP_DEFLATED. In-process cachetools.TTLCache (default 120s,
env-tunable via AGNES_MARKETPLACE_ETAG_TTL, set 0 to disable).
invalidate_etag_cache() called by sync to force re-hash on content drift.
== Tests ==
- TestTableGrantsFeatureFlag (4 cases) — endpoint exclude/include, grant
rejection/acceptance under the flag.
- test_v12_to_v13_finalize_rollback_on_failure — destructive: monkeypatches
_seed_system_groups to raise mid-transaction, asserts schema_version stays
at 12, legacy tables intact, new tables empty (rollback fired). Then
restores the real function and asserts the retry succeeds.
- test_update_system_group_description_allowed,
test_update_system_group_same_name_no_op — repo-level coverage of the
narrowed guard.
153 lines
5.5 KiB
Python
153 lines
5.5 KiB
Python
"""Repository for the ``user_groups`` table.
|
|
|
|
A ``user_group`` is a named bucket admins create (e.g. ``data-team``,
|
|
``Engineering``) plus the two seeded ``is_system=TRUE`` groups ``Admin``
|
|
and ``Everyone``. Membership lives in
|
|
:mod:`src.repositories.user_group_members`; resource grants in
|
|
:mod:`src.repositories.resource_grants`.
|
|
|
|
System groups are write-protected — :exc:`SystemGroupProtected` is raised
|
|
on attempts to rename or delete them so the canonical ``Admin`` /
|
|
``Everyone`` names referenced from code (``app.auth.access``) cannot
|
|
disappear out from under the authorization layer.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
from datetime import datetime, timezone
|
|
from typing import Any, Dict, List, Optional
|
|
from uuid import uuid4
|
|
|
|
import duckdb
|
|
|
|
|
|
class SystemGroupProtected(Exception):
|
|
"""Raised when a mutation is attempted on a system user group (is_system=TRUE)."""
|
|
|
|
|
|
class UserGroupsRepository:
|
|
def __init__(self, conn: duckdb.DuckDBPyConnection):
|
|
self.conn = conn
|
|
|
|
_SELECT_COLS = "id, name, description, is_system, created_at, created_by"
|
|
|
|
def list_all(self) -> List[Dict[str, Any]]:
|
|
rows = self.conn.execute(
|
|
f"SELECT {self._SELECT_COLS} FROM user_groups ORDER BY name"
|
|
).fetchall()
|
|
columns = [d[0] for d in self.conn.description]
|
|
return [dict(zip(columns, r)) for r in rows]
|
|
|
|
def get(self, group_id: str) -> Optional[Dict[str, Any]]:
|
|
row = self.conn.execute(
|
|
f"SELECT {self._SELECT_COLS} FROM user_groups WHERE id = ?",
|
|
[group_id],
|
|
).fetchone()
|
|
if not row:
|
|
return None
|
|
columns = [d[0] for d in self.conn.description]
|
|
return dict(zip(columns, row))
|
|
|
|
def get_by_name(self, name: str) -> Optional[Dict[str, Any]]:
|
|
row = self.conn.execute(
|
|
f"SELECT {self._SELECT_COLS} FROM user_groups WHERE name = ?",
|
|
[name],
|
|
).fetchone()
|
|
if not row:
|
|
return None
|
|
columns = [d[0] for d in self.conn.description]
|
|
return dict(zip(columns, row))
|
|
|
|
def create(
|
|
self,
|
|
name: str,
|
|
description: Optional[str] = None,
|
|
created_by: Optional[str] = None,
|
|
is_system: bool = False,
|
|
) -> Dict[str, Any]:
|
|
group_id = uuid4().hex
|
|
self.conn.execute(
|
|
"INSERT INTO user_groups (id, name, description, is_system, created_at, created_by) "
|
|
"VALUES (?, ?, ?, ?, ?, ?)",
|
|
[group_id, name, description, is_system, datetime.now(timezone.utc), created_by],
|
|
)
|
|
return self.get(group_id) # type: ignore[return-value]
|
|
|
|
def ensure(
|
|
self, name: str, description: Optional[str] = None
|
|
) -> Dict[str, Any]:
|
|
"""Idempotent get-or-create for claim-driven groups.
|
|
|
|
Existing row is returned unchanged (preserves `is_system` and
|
|
description — a later Google-sync call must not override an admin's
|
|
manual description edit).
|
|
"""
|
|
existing = self.get_by_name(name)
|
|
if existing:
|
|
return existing
|
|
return self.create(
|
|
name=name,
|
|
description=description or "Auto-created from Google Workspace claim",
|
|
created_by="system:google-sync",
|
|
)
|
|
|
|
def ensure_system(self, name: str, description: str) -> Dict[str, Any]:
|
|
"""Idempotently ensure a system group exists.
|
|
|
|
If a group with the given name exists (manually created by an admin),
|
|
promote it to system (is_system=TRUE). Otherwise create a new one.
|
|
"""
|
|
existing = self.get_by_name(name)
|
|
if existing:
|
|
if not existing.get("is_system"):
|
|
self.conn.execute(
|
|
"UPDATE user_groups SET is_system = TRUE WHERE id = ?",
|
|
[existing["id"]],
|
|
)
|
|
existing = self.get(existing["id"]) # type: ignore[assignment]
|
|
return existing # type: ignore[return-value]
|
|
return self.create(name=name, description=description, is_system=True)
|
|
|
|
def update(
|
|
self,
|
|
group_id: str,
|
|
*,
|
|
name: Optional[str] = None,
|
|
description: Optional[str] = None,
|
|
) -> None:
|
|
# Block rename of system groups — the canonical names "Admin" /
|
|
# "Everyone" are referenced from `app.auth.access` and the
|
|
# marketplace filter and must not move. Description edits are
|
|
# cosmetic and allowed (admins curate them in /admin/access).
|
|
existing = self.get(group_id)
|
|
if (
|
|
existing
|
|
and existing.get("is_system")
|
|
and name is not None
|
|
and name != existing["name"]
|
|
):
|
|
raise SystemGroupProtected(
|
|
f"group {existing.get('name')!r} is a system group and cannot be renamed"
|
|
)
|
|
sets: List[str] = []
|
|
params: List[Any] = []
|
|
if name is not None:
|
|
sets.append("name = ?")
|
|
params.append(name)
|
|
if description is not None:
|
|
sets.append("description = ?")
|
|
params.append(description)
|
|
if not sets:
|
|
return
|
|
params.append(group_id)
|
|
self.conn.execute(
|
|
f"UPDATE user_groups SET {', '.join(sets)} WHERE id = ?", params
|
|
)
|
|
|
|
def delete(self, group_id: str) -> None:
|
|
existing = self.get(group_id)
|
|
if existing and existing.get("is_system"):
|
|
raise SystemGroupProtected(
|
|
f"group {existing.get('name')!r} is a system group and cannot be deleted"
|
|
)
|
|
self.conn.execute("DELETE FROM user_groups WHERE id = ?", [group_id])
|