e9d7af3cce
This squashes 13 commits from ma/staging plus a small docstring translation
into a single coherent unit. Three workstreams.
== RBAC v13 redesign ==
- Drops core.viewer/analyst/km_admin/admin hierarchy and the
internal_roles / group_mappings / user_role_grants / plugin_access tables.
- Replaced by user_group_members + resource_grants. Atomic v12→v13 backfill
wrapped in BEGIN/COMMIT; ROLLBACK leaves schema_version at 12 for retry.
- Two authorization primitives in app.auth.access:
require_admin — Admin-group god-mode
require_resource_access(rt, "{path}") — entity-scoped grants
Single DB lookup per request; no session cache; no implies BFS.
- /admin/access UI (single page) replaces /admin/role-mapping +
/admin/plugin-access. CLI `da admin group/grant *` replaces
`da admin role/mapping/grant-role/revoke-role/effective-roles`.
- ResourceType.TABLE listing-only — admins can record table grants,
runtime enforcement still flows through legacy dataset_permissions
(migration plan in docs/TODO-rbac-data-enforcement.md).
== Claude Code marketplace ==
- Aggregated /marketplace.zip + /marketplace.git/* (PAT-gated,
RBAC-filtered, content-addressed cache via dulwich).
- Admin god-mode dropped on the marketplace surface — admins curate
their own view via grants like everyone else.
- Bare-repo cache materializes per RBAC-filtered ETag; stale entries
not pruned in this iteration (disclaimed in git_backend.py docstring).
== #81 #83 #44 security/ops hardening ==
- #81 Group A — orchestrator ATTACH allow-listing (extension/url/alias).
- #81 Group B — Keboola extractor 3-state exit codes:
0 success / 1 total fail / 2 PARTIAL fail
Sync API logs PARTIAL FAILURE alert on exit 2. Operators with binary
alerting must teach it the new partial signal.
- #81 Group C — schema v10 view_ownership; rejects silent overwrite
of a prior connector's view name on collision.
- #81 Group D — extractor-side identifier validation.
- #83 — Jira webhook fail-closed when JIRA_WEBHOOK_SECRET unset
+ path-traversal fix.
- #44 — entire /api/scripts/* surface is admin-only (planted-script +
sandbox-bypass risk closed).
== Web UI polish + deploy fix ==
- /admin/access: live grant-count badges (no stale snapshot revert),
shared-header CSS link added to /catalog and /admin/{tables,permissions},
per-resource-type colored stripes.
- docker-compose.host-mount.yml: bind,rbind so dual-disk hosts don't
silently shadow sub-mounts and write state to the wrong disk.
== OSS vendor-neutralization (waves 1+2) ==
- scripts/grpn/ → scripts/ops/. Customer-specific identifiers
(project IDs, internal hostnames, dev/prod VM IPs, brand names)
replaced with placeholders across code, docs, Terraform, Caddyfile,
OAuth probe, and planning docs. Downstream infra repos that copied
scripts/grpn/agnes-tls-rotate.sh or agnes-auto-upgrade.sh must
update the path.
== Translation ==
- src/repositories/user_groups.py::ensure_system docstring translated
from Czech to English for codebase consistency.
Co-authored-by: Mina Rustamyan <mina@keboola.com>
128 lines
4.6 KiB
Python
128 lines
4.6 KiB
Python
"""Tests for scripts and settings API endpoints."""
|
|
|
|
import os
|
|
import pytest
|
|
from fastapi.testclient import TestClient
|
|
|
|
|
|
@pytest.fixture
|
|
def client(tmp_path, monkeypatch):
|
|
monkeypatch.setenv("DATA_DIR", str(tmp_path))
|
|
monkeypatch.setenv("JWT_SECRET_KEY", "test-secret-32chars-minimum!!!!!")
|
|
monkeypatch.setenv("SCRIPT_TIMEOUT", "10")
|
|
|
|
from app.main import create_app
|
|
from src.db import get_system_db
|
|
from src.repositories.users import UserRepository
|
|
from src.repositories.sync_settings import DatasetPermissionRepository
|
|
from app.auth.jwt import create_access_token
|
|
|
|
from tests.helpers.auth import grant_admin
|
|
|
|
conn = get_system_db()
|
|
user_repo = UserRepository(conn)
|
|
user_repo.create(id="admin1", email="admin@acme.com", name="Admin", role="admin")
|
|
user_repo.create(id="analyst1", email="analyst@acme.com", name="Analyst", role="analyst")
|
|
grant_admin(conn, "admin1")
|
|
|
|
perm_repo = DatasetPermissionRepository(conn)
|
|
perm_repo.grant("analyst1", "sales", "read")
|
|
perm_repo.grant("analyst1", "support", "read")
|
|
conn.close()
|
|
|
|
app = create_app()
|
|
test_client = TestClient(app)
|
|
admin_token = create_access_token("admin1", "admin@acme.com", "admin")
|
|
analyst_token = create_access_token("analyst1", "analyst@acme.com", "analyst")
|
|
|
|
return test_client, admin_token, analyst_token
|
|
|
|
|
|
class TestScriptsAPI:
|
|
def test_list_scripts_empty(self, client):
|
|
c, admin_token, _ = client
|
|
resp = c.get("/api/scripts", headers={"Authorization": f"Bearer {admin_token}"})
|
|
assert resp.status_code == 200
|
|
assert resp.json()["count"] == 0
|
|
|
|
def test_deploy_and_list(self, client):
|
|
c, admin_token, _ = client
|
|
headers = {"Authorization": f"Bearer {admin_token}"}
|
|
|
|
resp = c.post("/api/scripts/deploy", json={
|
|
"name": "hello", "source": "print('hello world')",
|
|
}, headers=headers)
|
|
assert resp.status_code == 201
|
|
script_id = resp.json()["id"]
|
|
|
|
resp = c.get("/api/scripts", headers=headers)
|
|
assert resp.json()["count"] == 1
|
|
|
|
def test_run_script(self, client):
|
|
c, admin_token, _ = client
|
|
headers = {"Authorization": f"Bearer {admin_token}"}
|
|
|
|
resp = c.post("/api/scripts/run", json={
|
|
"source": "print('hello from script')", "name": "test",
|
|
}, headers=headers)
|
|
assert resp.status_code == 200
|
|
data = resp.json()
|
|
assert data["exit_code"] == 0
|
|
assert "hello from script" in data["stdout"]
|
|
|
|
def test_run_blocked_import(self, client):
|
|
c, admin_token, _ = client
|
|
headers = {"Authorization": f"Bearer {admin_token}"}
|
|
|
|
resp = c.post("/api/scripts/run", json={
|
|
"source": "import subprocess; subprocess.run(['ls'])", "name": "bad",
|
|
}, headers=headers)
|
|
assert resp.status_code == 400
|
|
detail = resp.json()["detail"]
|
|
assert "disallowed" in detail or "Blocked" in detail
|
|
|
|
def test_deploy_run_undeploy(self, client):
|
|
c, admin_token, _ = client
|
|
admin_headers = {"Authorization": f"Bearer {admin_token}"}
|
|
|
|
resp = c.post("/api/scripts/deploy", json={
|
|
"name": "calc", "source": "print(2+2)", "schedule": "0 8 * * MON",
|
|
}, headers=admin_headers)
|
|
script_id = resp.json()["id"]
|
|
|
|
resp = c.post(f"/api/scripts/{script_id}/run", headers=admin_headers)
|
|
assert resp.status_code == 200
|
|
assert "4" in resp.json()["stdout"]
|
|
|
|
# Undeploy (requires admin)
|
|
resp = c.delete(f"/api/scripts/{script_id}", headers=admin_headers)
|
|
assert resp.status_code == 204
|
|
|
|
|
|
class TestSettingsAPI:
|
|
def test_get_settings(self, client):
|
|
c, _, analyst_token = client
|
|
resp = c.get("/api/settings", headers={"Authorization": f"Bearer {analyst_token}"})
|
|
assert resp.status_code == 200
|
|
data = resp.json()
|
|
assert data["user_id"] == "analyst1"
|
|
assert len(data["permissions"]) == 2
|
|
|
|
def test_enable_dataset(self, client):
|
|
c, _, analyst_token = client
|
|
headers = {"Authorization": f"Bearer {analyst_token}"}
|
|
|
|
resp = c.put("/api/settings/dataset", json={
|
|
"dataset": "sales", "enabled": True,
|
|
}, headers=headers)
|
|
assert resp.status_code == 200
|
|
assert resp.json()["enabled"] is True
|
|
|
|
def test_enable_unauthorized_dataset(self, client):
|
|
c, _, analyst_token = client
|
|
headers = {"Authorization": f"Bearer {analyst_token}"}
|
|
|
|
resp = c.put("/api/settings/dataset", json={
|
|
"dataset": "hr_secret", "enabled": True,
|
|
}, headers=headers)
|
|
assert resp.status_code == 403
|