e9d7af3cce
This squashes 13 commits from ma/staging plus a small docstring translation
into a single coherent unit. Three workstreams.
== RBAC v13 redesign ==
- Drops core.viewer/analyst/km_admin/admin hierarchy and the
internal_roles / group_mappings / user_role_grants / plugin_access tables.
- Replaced by user_group_members + resource_grants. Atomic v12→v13 backfill
wrapped in BEGIN/COMMIT; ROLLBACK leaves schema_version at 12 for retry.
- Two authorization primitives in app.auth.access:
require_admin — Admin-group god-mode
require_resource_access(rt, "{path}") — entity-scoped grants
Single DB lookup per request; no session cache; no implies BFS.
- /admin/access UI (single page) replaces /admin/role-mapping +
/admin/plugin-access. CLI `da admin group/grant *` replaces
`da admin role/mapping/grant-role/revoke-role/effective-roles`.
- ResourceType.TABLE listing-only — admins can record table grants,
runtime enforcement still flows through legacy dataset_permissions
(migration plan in docs/TODO-rbac-data-enforcement.md).
== Claude Code marketplace ==
- Aggregated /marketplace.zip + /marketplace.git/* (PAT-gated,
RBAC-filtered, content-addressed cache via dulwich).
- Admin god-mode dropped on the marketplace surface — admins curate
their own view via grants like everyone else.
- Bare-repo cache materializes per RBAC-filtered ETag; stale entries
not pruned in this iteration (disclaimed in git_backend.py docstring).
== #81 #83 #44 security/ops hardening ==
- #81 Group A — orchestrator ATTACH allow-listing (extension/url/alias).
- #81 Group B — Keboola extractor 3-state exit codes:
0 success / 1 total fail / 2 PARTIAL fail
Sync API logs PARTIAL FAILURE alert on exit 2. Operators with binary
alerting must teach it the new partial signal.
- #81 Group C — schema v10 view_ownership; rejects silent overwrite
of a prior connector's view name on collision.
- #81 Group D — extractor-side identifier validation.
- #83 — Jira webhook fail-closed when JIRA_WEBHOOK_SECRET unset
+ path-traversal fix.
- #44 — entire /api/scripts/* surface is admin-only (planted-script +
sandbox-bypass risk closed).
== Web UI polish + deploy fix ==
- /admin/access: live grant-count badges (no stale snapshot revert),
shared-header CSS link added to /catalog and /admin/{tables,permissions},
per-resource-type colored stripes.
- docker-compose.host-mount.yml: bind,rbind so dual-disk hosts don't
silently shadow sub-mounts and write state to the wrong disk.
== OSS vendor-neutralization (waves 1+2) ==
- scripts/grpn/ → scripts/ops/. Customer-specific identifiers
(project IDs, internal hostnames, dev/prod VM IPs, brand names)
replaced with placeholders across code, docs, Terraform, Caddyfile,
OAuth probe, and planning docs. Downstream infra repos that copied
scripts/grpn/agnes-tls-rotate.sh or agnes-auto-upgrade.sh must
update the path.
== Translation ==
- src/repositories/user_groups.py::ensure_system docstring translated
from Czech to English for codebase consistency.
Co-authored-by: Mina Rustamyan <mina@keboola.com>
61 lines
2 KiB
Python
61 lines
2 KiB
Python
"""FastAPI router for the aggregated marketplace endpoint.
|
|
|
|
Two GET routes:
|
|
- /marketplace/info → JSON summary (diagnostic / admin)
|
|
- /marketplace.zip → ZIP download with ETag / If-None-Match
|
|
|
|
Both gated by the existing `get_current_user` dependency (Bearer PAT or cookie).
|
|
The git smart-HTTP channel lives in git_router.py and is mounted separately
|
|
because it needs raw WSGI I/O that FastAPI doesn't model natively.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
import logging
|
|
|
|
import duckdb
|
|
from fastapi import APIRouter, Depends, Request
|
|
from fastapi.responses import JSONResponse, Response
|
|
|
|
from app.auth.dependencies import _get_db, get_current_user
|
|
from app.marketplace_server import packager
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
router = APIRouter(tags=["marketplace"])
|
|
|
|
|
|
@router.get("/marketplace/info")
|
|
async def marketplace_info(
|
|
user: dict = Depends(get_current_user),
|
|
conn: duckdb.DuckDBPyConnection = Depends(_get_db),
|
|
) -> JSONResponse:
|
|
info = packager.build_info(conn, user)
|
|
return JSONResponse(info)
|
|
|
|
|
|
@router.get("/marketplace.zip")
|
|
async def marketplace_zip(
|
|
request: Request,
|
|
user: dict = Depends(get_current_user),
|
|
conn: duckdb.DuckDBPyConnection = Depends(_get_db),
|
|
) -> Response:
|
|
if_none_match = request.headers.get("if-none-match", "").strip().strip('"')
|
|
|
|
# Compute the ETag cheaply (DB query + file hash scan) before doing the
|
|
# expensive ZIP build (file reads + compression). The common case — a
|
|
# Claude Code SessionStart hook with a matching ETag — returns 304
|
|
# without any file IO or ZIP work.
|
|
etag = packager.compute_zip_etag(conn, user)
|
|
if if_none_match and if_none_match == etag:
|
|
return Response(status_code=304, headers={"ETag": f'"{etag}"'})
|
|
|
|
data, etag = packager.build_zip(conn, user)
|
|
return Response(
|
|
content=data,
|
|
media_type="application/zip",
|
|
headers={
|
|
"ETag": f'"{etag}"',
|
|
"Content-Disposition": 'attachment; filename="agnes-marketplace.zip"',
|
|
},
|
|
)
|