e9d7af3cce
This squashes 13 commits from ma/staging plus a small docstring translation
into a single coherent unit. Three workstreams.
== RBAC v13 redesign ==
- Drops core.viewer/analyst/km_admin/admin hierarchy and the
internal_roles / group_mappings / user_role_grants / plugin_access tables.
- Replaced by user_group_members + resource_grants. Atomic v12→v13 backfill
wrapped in BEGIN/COMMIT; ROLLBACK leaves schema_version at 12 for retry.
- Two authorization primitives in app.auth.access:
require_admin — Admin-group god-mode
require_resource_access(rt, "{path}") — entity-scoped grants
Single DB lookup per request; no session cache; no implies BFS.
- /admin/access UI (single page) replaces /admin/role-mapping +
/admin/plugin-access. CLI `da admin group/grant *` replaces
`da admin role/mapping/grant-role/revoke-role/effective-roles`.
- ResourceType.TABLE listing-only — admins can record table grants,
runtime enforcement still flows through legacy dataset_permissions
(migration plan in docs/TODO-rbac-data-enforcement.md).
== Claude Code marketplace ==
- Aggregated /marketplace.zip + /marketplace.git/* (PAT-gated,
RBAC-filtered, content-addressed cache via dulwich).
- Admin god-mode dropped on the marketplace surface — admins curate
their own view via grants like everyone else.
- Bare-repo cache materializes per RBAC-filtered ETag; stale entries
not pruned in this iteration (disclaimed in git_backend.py docstring).
== #81 #83 #44 security/ops hardening ==
- #81 Group A — orchestrator ATTACH allow-listing (extension/url/alias).
- #81 Group B — Keboola extractor 3-state exit codes:
0 success / 1 total fail / 2 PARTIAL fail
Sync API logs PARTIAL FAILURE alert on exit 2. Operators with binary
alerting must teach it the new partial signal.
- #81 Group C — schema v10 view_ownership; rejects silent overwrite
of a prior connector's view name on collision.
- #81 Group D — extractor-side identifier validation.
- #83 — Jira webhook fail-closed when JIRA_WEBHOOK_SECRET unset
+ path-traversal fix.
- #44 — entire /api/scripts/* surface is admin-only (planted-script +
sandbox-bypass risk closed).
== Web UI polish + deploy fix ==
- /admin/access: live grant-count badges (no stale snapshot revert),
shared-header CSS link added to /catalog and /admin/{tables,permissions},
per-resource-type colored stripes.
- docker-compose.host-mount.yml: bind,rbind so dual-disk hosts don't
silently shadow sub-mounts and write state to the wrong disk.
== OSS vendor-neutralization (waves 1+2) ==
- scripts/grpn/ → scripts/ops/. Customer-specific identifiers
(project IDs, internal hostnames, dev/prod VM IPs, brand names)
replaced with placeholders across code, docs, Terraform, Caddyfile,
OAuth probe, and planning docs. Downstream infra repos that copied
scripts/grpn/agnes-tls-rotate.sh or agnes-auto-upgrade.sh must
update the path.
== Translation ==
- src/repositories/user_groups.py::ensure_system docstring translated
from Czech to English for codebase consistency.
Co-authored-by: Mina Rustamyan <mina@keboola.com>
147 lines
5.3 KiB
Python
147 lines
5.3 KiB
Python
"""Repository for the ``user_groups`` table.
|
|
|
|
A ``user_group`` is a named bucket admins create (e.g. ``data-team``,
|
|
``Engineering``) plus the two seeded ``is_system=TRUE`` groups ``Admin``
|
|
and ``Everyone``. Membership lives in
|
|
:mod:`src.repositories.user_group_members`; resource grants in
|
|
:mod:`src.repositories.resource_grants`.
|
|
|
|
System groups are write-protected — :exc:`SystemGroupProtected` is raised
|
|
on attempts to rename or delete them so the canonical ``Admin`` /
|
|
``Everyone`` names referenced from code (``app.auth.access``) cannot
|
|
disappear out from under the authorization layer.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
from datetime import datetime, timezone
|
|
from typing import Any, Dict, List, Optional
|
|
from uuid import uuid4
|
|
|
|
import duckdb
|
|
|
|
|
|
class SystemGroupProtected(Exception):
|
|
"""Raised when a mutation is attempted on a system user group (is_system=TRUE)."""
|
|
|
|
|
|
class UserGroupsRepository:
|
|
def __init__(self, conn: duckdb.DuckDBPyConnection):
|
|
self.conn = conn
|
|
|
|
_SELECT_COLS = "id, name, description, is_system, created_at, created_by"
|
|
|
|
def list_all(self) -> List[Dict[str, Any]]:
|
|
rows = self.conn.execute(
|
|
f"SELECT {self._SELECT_COLS} FROM user_groups ORDER BY name"
|
|
).fetchall()
|
|
columns = [d[0] for d in self.conn.description]
|
|
return [dict(zip(columns, r)) for r in rows]
|
|
|
|
def get(self, group_id: str) -> Optional[Dict[str, Any]]:
|
|
row = self.conn.execute(
|
|
f"SELECT {self._SELECT_COLS} FROM user_groups WHERE id = ?",
|
|
[group_id],
|
|
).fetchone()
|
|
if not row:
|
|
return None
|
|
columns = [d[0] for d in self.conn.description]
|
|
return dict(zip(columns, row))
|
|
|
|
def get_by_name(self, name: str) -> Optional[Dict[str, Any]]:
|
|
row = self.conn.execute(
|
|
f"SELECT {self._SELECT_COLS} FROM user_groups WHERE name = ?",
|
|
[name],
|
|
).fetchone()
|
|
if not row:
|
|
return None
|
|
columns = [d[0] for d in self.conn.description]
|
|
return dict(zip(columns, row))
|
|
|
|
def create(
|
|
self,
|
|
name: str,
|
|
description: Optional[str] = None,
|
|
created_by: Optional[str] = None,
|
|
is_system: bool = False,
|
|
) -> Dict[str, Any]:
|
|
group_id = uuid4().hex
|
|
self.conn.execute(
|
|
"INSERT INTO user_groups (id, name, description, is_system, created_at, created_by) "
|
|
"VALUES (?, ?, ?, ?, ?, ?)",
|
|
[group_id, name, description, is_system, datetime.now(timezone.utc), created_by],
|
|
)
|
|
return self.get(group_id) # type: ignore[return-value]
|
|
|
|
def ensure(
|
|
self, name: str, description: Optional[str] = None
|
|
) -> Dict[str, Any]:
|
|
"""Idempotent get-or-create for claim-driven groups.
|
|
|
|
Existing row is returned unchanged (preserves `is_system` and
|
|
description — a later Google-sync call must not override an admin's
|
|
manual description edit).
|
|
"""
|
|
existing = self.get_by_name(name)
|
|
if existing:
|
|
return existing
|
|
return self.create(
|
|
name=name,
|
|
description=description or "Auto-created from Google Workspace claim",
|
|
created_by="system:google-sync",
|
|
)
|
|
|
|
def ensure_system(self, name: str, description: str) -> Dict[str, Any]:
|
|
"""Idempotently ensure a system group exists.
|
|
|
|
If a group with the given name exists (manually created by an admin),
|
|
promote it to system (is_system=TRUE). Otherwise create a new one.
|
|
"""
|
|
existing = self.get_by_name(name)
|
|
if existing:
|
|
if not existing.get("is_system"):
|
|
self.conn.execute(
|
|
"UPDATE user_groups SET is_system = TRUE WHERE id = ?",
|
|
[existing["id"]],
|
|
)
|
|
existing = self.get(existing["id"]) # type: ignore[assignment]
|
|
return existing # type: ignore[return-value]
|
|
return self.create(name=name, description=description, is_system=True)
|
|
|
|
def update(
|
|
self,
|
|
group_id: str,
|
|
*,
|
|
name: Optional[str] = None,
|
|
description: Optional[str] = None,
|
|
) -> None:
|
|
# Block mutation of system groups — name/description are seeded and
|
|
# callers must not be able to rename "Admin" / "Everyone" out from
|
|
# under the marketplace filter.
|
|
existing = self.get(group_id)
|
|
if existing and existing.get("is_system"):
|
|
raise SystemGroupProtected(
|
|
f"group {existing.get('name')!r} is a system group and cannot be modified"
|
|
)
|
|
sets: List[str] = []
|
|
params: List[Any] = []
|
|
if name is not None:
|
|
sets.append("name = ?")
|
|
params.append(name)
|
|
if description is not None:
|
|
sets.append("description = ?")
|
|
params.append(description)
|
|
if not sets:
|
|
return
|
|
params.append(group_id)
|
|
self.conn.execute(
|
|
f"UPDATE user_groups SET {', '.join(sets)} WHERE id = ?", params
|
|
)
|
|
|
|
def delete(self, group_id: str) -> None:
|
|
existing = self.get(group_id)
|
|
if existing and existing.get("is_system"):
|
|
raise SystemGroupProtected(
|
|
f"group {existing.get('name')!r} is a system group and cannot be deleted"
|
|
)
|
|
self.conn.execute("DELETE FROM user_groups WHERE id = ?", [group_id])
|