AI-Cognitive-Leap/agnes-the-ai-analyst
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
agnes-the-ai-analyst/app/api/role_management.py
Petr Simecek 83ced81966
feat(auth): unified role management — UI + REST API + CLI + schema v9 (v0.11.4) (#73) 
* feat(auth): v9 schema — unified role management foundation (WIP)

Tasks 1-5, 10 of the role-management-complete plan. Foundation only,
follow-up commits add REST API, CLI, UI, and tests.

Schema v9:
- user_role_grants table: direct user → internal_role mapping
  (complementary to group_mappings). Drives PAT/headless auth and
  persists across sessions. Source field tracks 'direct' vs auto-seed.
- internal_roles.implies (JSON): transitive role hierarchy. core.admin
  implies core.km_admin → core.analyst → core.viewer. Resolver does BFS
  expand at lookup time.
- internal_roles.is_core (BOOL): distinguishes seeded core.* hierarchy
  from module-registered roles. UI renders them differently.
- v8→v9 migration: ADD COLUMN, CREATE TABLE, _seed_core_roles +
  _backfill_users_role_to_grants, then NULL legacy users.role values.
  DuckDB FK constraint blocks DROP COLUMN — sloupec zůstává jako
  deprecated artifact (UserRepository ignoruje), fyzický drop deferred.

Resolver:
- Regex extended to allow dotted namespace (core.admin,
  context_engineering.admin), max 64 chars total.
- expand_implies(role_keys, conn): BFS over implies JSON column.
- resolve_internal_roles signature gains optional user_id parameter;
  unions group-mapping resolution with user_role_grants direct grants
  before implies expansion.

require_internal_role:
- Two-path resolution: session cache (OAuth) → DB grants (PAT/headless
  fallback). PAT clients now legitimately satisfy gates without the
  OAuth round-trip, fixing the v8 limitation where every PAT-callable
  admin endpoint needed require_role(Role.ADMIN) instead of
  require_internal_role(...).

Backward-compat:
- require_role(Role.X) and require_admin become thin wrappers over
  require_internal_role(f"core.{role}"). Implies hierarchy preserves the
  legacy "at least this level" semantics automatically — no per-level
  comparison code needed.
- src/rbac.py helpers (is_admin, has_role, get_user_role,
  set_user_role, can_access_table, get_accessible_tables) all read from
  the resolver via _get_internal_role_keys.
- UserRepository.create() and update() now mirror role changes into
  user_role_grants via _grant_core_role helper. Preserves API while
  making the new table the source of truth.
- UserRepository.delete() pre-deletes user_role_grants rows
  (FK cascade — DuckDB doesn't auto-cascade).
- count_admins() reads user_role_grants ⨝ internal_roles instead of the
  now-NULL users.role column.

First consumer:
- app/api/admin.py module-level docstring documents the v9 pattern for
  future module authors. Existing require_role(Role.ADMIN) callsites
  flow through the wrapper; no behavior change for OAuth callers, and
  PAT callers gain access via direct grants.

Tests: full suite green (1396 passed, 6 skipped). Existing tests
exercise the new pathway transparently because UserRepository.create
auto-grants. New test_pat_caller_with_direct_grant_passes pins the
PAT-aware contract.

Schema: v9 (was v8). pyproject.toml + CHANGELOG bump deferred to the
final PR-prep commit.

* feat(auth): role management complete — REST API + CLI + UI + docs (v0.11.4)

Sjednocuje legacy users.role enum s v8 internal-roles foundation pod jeden
model s implies hierarchií, dodává admin UI + REST API + CLI pro správu
group mappings i přímých user grants, a dělá require_internal_role
PAT-aware tak, aby admin endpointy fungovaly uniformly napříč OAuth
i headless callery.

REST API (app/api/role_management.py, +496 LOC):
- 8 endpointů pod /api/admin: internal-roles list, group-mappings CRUD,
  users/{id}/role-grants CRUD, users/{id}/effective-roles debug.
- Všechny gated require_internal_role("core.admin"). Audit-log na každé
  mutaci (role_mapping.created/deleted, role_grant.created/deleted).
- Last-admin protection: refuse to delete the final core.admin grant
  (mirrors users.py:count_admins protection).
- Nový UserRoleGrantsRepository v src/repositories/user_role_grants.py.

CLI (cli/commands/admin.py extension, +258 LOC):
- da admin role list / show <key>
- da admin mapping list / create <group-id> <role-key> / delete <id>
- da admin grant-role <email> <role-key>
- da admin revoke-role <email> <role-key>
- da admin effective-roles <email>
- Všechno přes typer + PAT auth, --json flag, response-shape tolerantní.

UI (admin_role_mapping.html + admin_user_detail.html + nav + user list):
- Nová stránka /admin/role-mapping: internal_roles read-only table +
  group_mappings table with create/delete forms.
- Nová stránka /admin/users/{id}: core role single-select + capabilities
  multi-checkbox + effective-roles debug (direct + group + expanded).
- Existing user list dostává "Detail" link na novou stránku.
- Nav link na /admin/role-mapping.

Tests: +85 nových testů přes 4 nové soubory:
- test_schema_v9_migration.py (8) — fresh install + v8→v9 backfill +
  legacy column NULL semantics + unknown-role fallback + invariants.
- test_api_role_management.py (33) — všech 8 endpointů, happy + error
  paths, audit-log assertions, last-admin protection.
- test_cli_admin_role.py (25 + 1 conditional) — typer subcommands,
  text + json output, PAT integration smoke.
- test_admin_role_mapping_ui.py (9) + test_admin_user_capabilities_ui.py (10)
  — page rendering, auth gating, form contracts, JS hooks.
Full suite: 1482 passed, 6 skipped (was 1396 → +86, žádné regrese).

Docs:
- docs/internal-roles.md kompletní rewrite — odstranil "no UI yet",
  přidal hierarchy diagram, dual-path resolution, dotted-namespace
  convention, admin workflow přes UI/CLI/REST, refresh semantics
  for group mappings vs direct grants, migration notes.
- CLAUDE.md schema v8 → v9.
- CHANGELOG.md [0.11.4] s BREAKING marker pro users.role NULL
  semantics + complete Added/Changed/Removed/Internal sekce.
- pyproject.toml: 0.11.3 → 0.11.4.

Sequencing: po mergi tohoto PR Pabu rebasuje pabu/local-dev (PR #72)
na main, jeho schema migrations se posouvají z v9/v10/v11 na v10/v11/v12.

Implementation breakdown:
- Sequential (já): foundation tasks — schema v9, resolver, PAT-aware
  require_internal_role, backward-compat wrappers, rbac refactor,
  UserRepository auto-grant.
- Parallel sub-agents (3 worktrees, ~10 min): REST API, CLI, UI.
- Sequential (já): integrace, docs/CHANGELOG/version, schema tests,
  fullsuite verification.

* fix(auth): address Devin review on PR #73 — three regressions

Three concrete bugs caught in Devin's PR review, all fixed in this commit.

1. **users.role hydration on read** (the big one):
   v8→v9 migration NULLs users.role for every existing user, but a long
   tail of read sites still inspect user["role"] directly:
   - app/web/templates/_app_header.html:15 — admin nav gate
   - app/web/templates/_app_header.html:36-37 — role badge in dropdown
   - app/web/router.py:319-321 — UserInfo.is_admin/is_analyst/is_privileged
   - app/web/router.py:489 — corporate memory is_km_admin
   - app/api/catalog.py:54 — admin "see all tables" bypass
   - app/api/sync.py:215 — admin "see all sync states" bypass

   Without a fix, every existing admin loses the entire admin nav (and
   API admin bypasses) immediately after upgrade — a serious regression.

   Fix: new helper _hydrate_legacy_role() in app/auth/dependencies.py
   maps the highest-level core.* grant back into user["role"] as the
   legacy enum string. Called from get_current_user() on both auth paths
   (LOCAL_DEV_MODE + JWT/PAT). Idempotent — skips when role is already
   populated. Net effect: every pre-v9 callsite keeps working transparently
   for both OAuth and PAT callers, with one extra DB round-trip per
   authenticated request (same cost as the existing PAT-aware
   require_internal_role fallback).

   3 regression tests in tests/test_schema_v9_migration.py:
   - test_hydration_recovers_role_from_user_role_grants
   - test_hydration_returns_highest_grant (multi-grant → highest wins)
   - test_hydration_falls_back_to_viewer_when_no_grants (safe fallback)

2. **CLI effective-roles TypeError**:
   API returns direct/group as List[Dict] (RoleGrantResponse-shaped),
   but the CLI did ', '.join(direct) which raises TypeError on dicts.
   Tests masked it because mocks used bare string lists. Replaced
   raw .join() with a _names() helper that extracts role_key from
   each item, falling back to str() for legacy mock shapes.

3. **UI template field-name mismatch**:
   admin_user_detail.html JS reads data.groups but the API serializes
   the field as group (singular, per EffectiveRolesResponse pydantic).
   Currently benign because the API always returns group:[], but the
   field would silently disappear once the group-derived view is wired
   up. Added data.group as the primary lookup, kept the legacy aliases
   for shape-drift tolerance.

Full suite: 1485 passed (was 1482, +3 hydration tests), 6 skipped, no
regressions.

* fix(auth): Devin review #2 + UX self-service + RBAC docs rename

Three threads landed in one commit because they share the same
auth/role surface and CHANGELOG entry.

Devin review #73 second round (2 actionable findings):

- _hydrate_legacy_role no longer short-circuits on truthy users.role.
  The role-management endpoints (POST/DELETE /api/admin/users/{id}/
  role-grants + the changeCoreRole UI flow) only mutate
  user_role_grants — they don't update the legacy column. The early
  return trusted that stale value, so a user downgraded via the new
  REST/UI kept role="admin" in their dict on subsequent requests,
  which fooled _is_admin_user_dict (src/rbac.py) and the catalog/sync
  admin-bypass short-circuits into retaining elevated table access
  even though require_internal_role correctly denied the API gates.
  Always re-resolves now, making user_role_grants the single source
  of truth on every authenticated request. Cost: one DB round-trip
  per request — same as the existing PAT-aware fallback. Pinned by
  test_hydration_ignores_stale_legacy_role_after_grant_revoke.

- Dev-bypass (app/auth/dependencies.py) and OAuth callback
  (app/auth/providers/google.py) now pass user_id to
  resolve_internal_roles so direct grants land in
  session["internal_roles"] alongside group-mapped roles. Pre-fix,
  every admin-gated request fell through to the per-request DB
  fallback inside require_internal_role and the dev-bypass log line
  read "resolved 0 internal role(s)" for an obviously-admin user.
  test_session_internal_roles_populated updated to assert union.

User-visible UX (also addresses local-test feedback):

- HTTP 500 on /admin/users post-v8→v9 migration — UserResponse.role
  is required str, but legacy users.role was NULL-ed by the
  migration. _to_response in app/api/users.py now routes every dict
  through _hydrate_legacy_role; same fix lifts the silent no-op of
  last-admin protection in update_user/delete_user (the role-equality
  short-circuits would skip the count_admins guard for migrated
  admins). Three regression tests under TestAPIUsersPostMigration.

- /profile is now a real self-service detail page for *every*
  signed-in user (not just admins). Three new server-side sections:
  Effective roles (resolver output as chip cloud), Direct grants
  (rows in user_role_grants with source label), Roles via groups
  (which Cloud Identity / dev group grants which role for the
  current user). Non-admins finally see *why* a feature is or isn't
  accessible. Admins additionally see a deep-link to
  /admin/users/{id} for editing their own grants.

- /admin/role-mapping group-id picker. New "Known groups" panel
  above the create form: clickable chips for the calling admin's
  own session.google_groups (tagged "your group") merged with
  external_group_ids already used in existing mappings (tagged
  "already mapped"). Click a chip → fills the form. Empty-state
  copy points operators at LOCAL_DEV_GROUPS / Google sign-in
  instead of leaving them to guess Cloud Identity opaque IDs from
  memory.

Operational fixes:

- Scheduler log-noise: every cron tick produced a
  POST /auth/token 401 because the auto-fetch fallback called the
  endpoint with just an email (no password) and silently fell
  through. Removed the broken path entirely. Operators set
  SCHEDULER_API_TOKEN (long-lived PAT) in production; in
  LOCAL_DEV_MODE the dev-bypass auto-authenticates the un-tokenized
  request, so jobs continue to work.

Docs:

- docs/internal-roles.md → docs/RBAC.md (git mv preserves history).
  Standard industry term, more discoverable for engineers grepping
  for RBAC in a new repo. Restructured: Quickstart-by-role
  (operator / end-user / module author), step-by-step
  Module-author workflow with code examples (register key, gate
  endpoint, declare implies, write contract test), naming pitfalls,
  refresh semantics. CLAUDE.md gets a new
  "Extensibility → RBAC" section pointing contributors at the doc
  before they add gated endpoints. Cross-refs in app/api/admin.py
  + tests/test_role_resolver.py updated.

Tests: 293 in the auth/role/scheduler/UI test set passed, 0 regressions.

* fix(auth): Devin review #3 — login flows + RBAC docs

Two new findings on commit 7d1c048, both real and addressed.

Finding 1 (BUG, HTTP 500): every auth login flow loaded users via
UserRepository.get_by_email and passed user["role"] straight to
create_access_token, Pydantic response models, and _set_login_cookie
without going through _hydrate_legacy_role. Post-v9 the legacy column
is NULL for migrated users, and TokenResponse.role is a required str —
so POST /auth/token raised ValidationError → HTTP 500 for any v8-admin
trying to log in via password. Same root cause produced non-crashing
but semantically wrong JWTs (role: null) from Google OAuth, password
web flows, and email magic-link verification.

Fix: hydrate inline in every login flow before reading user["role"]:
- app/auth/router.py — POST /auth/token (the crash site)
- app/auth/providers/google.py — OAuth callback (was just stale JWT)
- app/auth/providers/password.py — 5 flows: JSON login, web login,
  JSON setup, web reset confirm, web setup confirm
- app/auth/providers/email.py — centralized in _consume_token,
  covers both /verify endpoints

New regression class TestAuthLoginFlowsPostMigration pins both the
no-crash and the correct-role contracts for all four legacy levels
(viewer/analyst/km_admin/admin) on POST /auth/token.

Finding 2 (DOCS): docs/RBAC.md showed register_internal_role() being
called with implies=[...], but the function signature is (key, *,
display_name, description, owner_module). A module author copying the
example would TypeError at import time. The implies field on
internal_roles IS honored at runtime by expand_implies, but the
registry-side write path (register_internal_role + InternalRoleSpec +
sync_registered_roles_to_db) doesn't exist yet — implies is currently
seeded only for the core.* hierarchy via _seed_core_roles in src/db.py.

Rewrote the Implies hierarchy and Module-author workflow sections to
document what's actually supported in 0.11.4 and what a future change
would need to add. The "for cross-module hierarchies, register each
level + grant both" pattern works today.

Tests: 322 in the auth/role/scheduler/UI/password test set passed,
0 regressions.

* fix(db): _seed_core_roles actually runs on every connect (Devin review #4)

Devin flagged that the docstring on `_seed_core_roles` promised per-connect
execution as a safety net for accidental DELETEs and in-code seed changes,
but the only call sites lived inside `if current < SCHEMA_VERSION:` — so
once a DB was on v9 the function never ran again, and the docstring lied.

Picked option (b) from the review (actually call it on every startup) over
option (a) (fix the docstring) because the safety net is genuinely useful:
- recovery from accidental admin DELETE on internal_roles,
- in-code _CORE_ROLES_SEED tweaks (display_name/description/implies)
  ship without a manual SQL deploy,
- fresh installs and migrations stop needing their own seed call sites.

Tail call gated by `get_schema_version(conn) <= SCHEMA_VERSION` so the
future-version-is-noop rollback contract still holds — a v9 binary won't
touch a DB that's been upgraded past v9.

Test coverage: new TestSeedCoreRolesSafetyNet class (3 tests) pins the
three contracts — deleted row re-seeds, mutated display_name re-syncs
from in-code seed, applied_at on schema_version doesn't churn on
already-current DBs. Existing TestMigrationSafety::test_future_version_is_noop
still passes (verified against the gating logic).
2026-04-27 02:23:01 +02:00

496 lines
17 KiB
Python
Raw Blame History

"""Admin REST API for v9 role management.
Three resource families, all under ``/api/admin``:
- ``/internal-roles`` — read-only listing of capabilities.
- ``/group-mappings`` — Cloud Identity group → role binds.
- ``/users/{user_id}/role-grants`` — direct user → role grants.
- ``/users/{user_id}/effective-roles`` — debug view of resolved keys.
Every endpoint is gated by ``require_internal_role("core.admin")`` rather than
the legacy ``require_role(Role.ADMIN)`` so PAT-aware callers (CLI scripts that
bear a personal access token) succeed via the resolver's ``user_role_grants``
fallback. See ``app/auth/role_resolver.py`` for the two-path resolution.
Mutations write to ``audit_log`` so changes to the privilege matrix are
reconstructable from a single table — the same discipline ``app/api/users.py``
applies to user CRUD.
"""
import json
import logging
import uuid
from typing import Any, Dict, List, Optional
import duckdb
from fastapi import APIRouter, Depends, HTTPException
from pydantic import BaseModel
from app.auth.dependencies import _get_db
from app.auth.role_resolver import (
require_internal_role,
resolve_internal_roles,
)
from src.repositories.audit import AuditRepository
from src.repositories.group_mappings import GroupMappingsRepository
from src.repositories.internal_roles import InternalRolesRepository
from src.repositories.user_role_grants import UserRoleGrantsRepository
from src.repositories.users import UserRepository
logger = logging.getLogger(__name__)
router = APIRouter(prefix="/api/admin", tags=["role-management"])
# --- Pydantic request/response models ----------------------------------------
class CreateGroupMappingRequest(BaseModel):
external_group_id: str
role_key: str
class CreateRoleGrantRequest(BaseModel):
role_key: str
class InternalRoleResponse(BaseModel):
id: str
key: str
display_name: str
description: Optional[str] = None
owner_module: Optional[str] = None
is_core: bool = False
# implies is stored as a JSON-encoded VARCHAR (DuckDB legacy compat —
# see src/db.py); we parse it before returning so clients see a real list.
implies: List[str] = []
class GroupMappingResponse(BaseModel):
id: str
external_group_id: str
internal_role_id: str
role_key: str
role_display_name: str
assigned_at: Optional[str] = None
assigned_by: Optional[str] = None
class RoleGrantResponse(BaseModel):
id: str
user_id: str
internal_role_id: str
role_key: str
role_display_name: str
role_is_core: bool = False
granted_at: Optional[str] = None
granted_by: Optional[str] = None
source: str = "direct"
class EffectiveRolesResponse(BaseModel):
direct: List[RoleGrantResponse]
group: List[Dict[str, Any]]
expanded: List[str]
# --- Helpers -----------------------------------------------------------------
def _audit(
conn: duckdb.DuckDBPyConnection,
actor_id: str,
action: str,
resource: str,
params: Optional[dict] = None,
) -> None:
"""Best-effort audit insert. Never blocks the endpoint on failure."""
try:
AuditRepository(conn).log(
user_id=actor_id, action=action, resource=resource, params=params,
)
except Exception: # pragma: no cover — defensive only
logger.exception("audit insert failed for %s/%s", action, resource)
def _parse_implies(raw: Any) -> List[str]:
"""Decode the implies VARCHAR-as-JSON column. Empty list on bad input.
Mirrors the defensive parsing in ``role_resolver.expand_implies`` —
legacy rows that predate the v9 default could still be NULL or
malformed, and the listing endpoint shouldn't 500 on them.
"""
if not raw:
return []
try:
decoded = json.loads(raw)
return list(decoded) if isinstance(decoded, list) else []
except (TypeError, ValueError):
return []
def _internal_role_to_response(row: Dict[str, Any]) -> InternalRoleResponse:
return InternalRoleResponse(
id=row["id"],
key=row["key"],
display_name=row["display_name"],
description=row.get("description"),
owner_module=row.get("owner_module"),
is_core=bool(row.get("is_core", False)),
implies=_parse_implies(row.get("implies")),
)
def _group_mapping_to_response(row: Dict[str, Any]) -> GroupMappingResponse:
return GroupMappingResponse(
id=row["id"],
external_group_id=row["external_group_id"],
internal_role_id=row["internal_role_id"],
role_key=row.get("internal_role_key", ""),
role_display_name=row.get("internal_role_display_name", ""),
assigned_at=str(row["assigned_at"]) if row.get("assigned_at") else None,
assigned_by=row.get("assigned_by"),
)
def _role_grant_to_response(row: Dict[str, Any]) -> RoleGrantResponse:
return RoleGrantResponse(
id=row["id"],
user_id=row["user_id"],
internal_role_id=row["internal_role_id"],
role_key=row.get("role_key", ""),
role_display_name=row.get("role_display_name", ""),
role_is_core=bool(row.get("role_is_core", False)),
granted_at=str(row["granted_at"]) if row.get("granted_at") else None,
granted_by=row.get("granted_by"),
source=row.get("source") or "direct",
)
def _resolve_role_or_404(
conn: duckdb.DuckDBPyConnection, role_key: str,
) -> Dict[str, Any]:
"""Fetch internal_role row by key or raise 404. Used by POST handlers.
Centralizes the validation so every mutator surfaces the same 404
detail when an admin types a stale or unknown key.
"""
role = InternalRolesRepository(conn).get_by_key(role_key)
if not role:
raise HTTPException(
status_code=404,
detail=f"Internal role '{role_key}' does not exist",
)
return role
def _count_active_admins(conn: duckdb.DuckDBPyConnection) -> int:
"""Mirror of UserRepository.count_admins(active_only=True).
Inlined here rather than instantiating UserRepository on every delete
request — the SQL is short and we already hold the connection. Deleting
a grant must refuse to cross zero so the system never locks itself out
of its own admin endpoints.
"""
result = conn.execute(
"""SELECT COUNT(DISTINCT u.id)
FROM users u
JOIN user_role_grants g ON g.user_id = u.id
JOIN internal_roles r ON g.internal_role_id = r.id
WHERE r.key = 'core.admin'
AND COALESCE(u.active, TRUE) = TRUE"""
).fetchone()
return int(result[0]) if result else 0
# --- Internal roles -----------------------------------------------------------
@router.get("/internal-roles", response_model=List[InternalRoleResponse])
async def list_internal_roles(
user: dict = Depends(require_internal_role("core.admin")),
conn: duckdb.DuckDBPyConnection = Depends(_get_db),
):
"""List every registered internal role.
Read-only — admins map external groups onto these via
``/group-mappings``; they don't create roles in the UI. Module authors
register roles in code (``register_internal_role``) and the startup hook
syncs them into ``internal_roles``.
"""
rows = InternalRolesRepository(conn).list_all()
return [_internal_role_to_response(r) for r in rows]
# --- Group mappings ----------------------------------------------------------
@router.get("/group-mappings", response_model=List[GroupMappingResponse])
async def list_group_mappings(
user: dict = Depends(require_internal_role("core.admin")),
conn: duckdb.DuckDBPyConnection = Depends(_get_db),
):
"""List external-group → internal-role mappings.
Joined with ``internal_roles`` so the UI can render the role's key +
display name without a second round trip.
"""
rows = GroupMappingsRepository(conn).list_all()
return [_group_mapping_to_response(r) for r in rows]
@router.post(
"/group-mappings",
response_model=GroupMappingResponse,
status_code=201,
)
async def create_group_mapping(
payload: CreateGroupMappingRequest,
user: dict = Depends(require_internal_role("core.admin")),
conn: duckdb.DuckDBPyConnection = Depends(_get_db),
):
"""Bind an external Cloud Identity group to an internal role.
409 when the (external_group_id, role_key) pair is already mapped —
the table has a UNIQUE constraint on (external_group_id, internal_role_id).
"""
role = _resolve_role_or_404(conn, payload.role_key)
repo = GroupMappingsRepository(conn)
# Pre-flight existence check: clearer 409 than letting the FK / UNIQUE
# constraint fire with a DuckDB-shaped error message.
for existing in repo.list_by_external_group(payload.external_group_id):
if existing["internal_role_id"] == role["id"]:
raise HTTPException(
status_code=409,
detail=(
f"Group '{payload.external_group_id}' is already mapped "
f"to role '{payload.role_key}'"
),
)
mapping_id = str(uuid.uuid4())
repo.create(
id=mapping_id,
external_group_id=payload.external_group_id,
internal_role_id=role["id"],
assigned_by=user.get("email"),
)
_audit(
conn, user["id"], "role_mapping.created",
f"mapping:{mapping_id}",
{
"external_group_id": payload.external_group_id,
"role_key": payload.role_key,
},
)
created = repo.get_by_id(mapping_id) or {}
# get_by_id doesn't join — fetch the role display fields manually for
# the response. Cheap and avoids touching the repo signature.
created["internal_role_key"] = role["key"]
created["internal_role_display_name"] = role["display_name"]
return _group_mapping_to_response(created)
@router.delete("/group-mappings/{mapping_id}", status_code=204)
async def delete_group_mapping(
mapping_id: str,
user: dict = Depends(require_internal_role("core.admin")),
conn: duckdb.DuckDBPyConnection = Depends(_get_db),
):
"""Remove a group mapping by id. 404 when missing."""
repo = GroupMappingsRepository(conn)
existing = repo.get_by_id(mapping_id)
if not existing:
raise HTTPException(
status_code=404, detail=f"Group mapping '{mapping_id}' not found"
)
repo.delete(mapping_id)
_audit(
conn, user["id"], "role_mapping.deleted",
f"mapping:{mapping_id}",
{
"external_group_id": existing.get("external_group_id"),
"internal_role_id": existing.get("internal_role_id"),
},
)
# --- User role grants --------------------------------------------------------
@router.get(
"/users/{user_id}/role-grants",
response_model=List[RoleGrantResponse],
)
async def list_user_role_grants(
user_id: str,
user: dict = Depends(require_internal_role("core.admin")),
conn: duckdb.DuckDBPyConnection = Depends(_get_db),
):
"""List a user's direct role grants — both ``direct`` and ``auto-seed``.
404 when the user_id doesn't exist so admins can distinguish "user has no
grants" (200 + empty list) from "user does not exist" (404).
"""
if not UserRepository(conn).get_by_id(user_id):
raise HTTPException(
status_code=404, detail=f"User '{user_id}' not found"
)
rows = UserRoleGrantsRepository(conn).list_for_user(user_id)
return [_role_grant_to_response(r) for r in rows]
@router.post(
"/users/{user_id}/role-grants",
response_model=RoleGrantResponse,
status_code=201,
)
async def create_user_role_grant(
user_id: str,
payload: CreateRoleGrantRequest,
user: dict = Depends(require_internal_role("core.admin")),
conn: duckdb.DuckDBPyConnection = Depends(_get_db),
):
"""Grant ``role_key`` to ``user_id`` directly. Source is ``'direct'``.
409 when the user already holds the role (UNIQUE constraint on
(user_id, internal_role_id)).
"""
target = UserRepository(conn).get_by_id(user_id)
if not target:
raise HTTPException(
status_code=404, detail=f"User '{user_id}' not found"
)
role = _resolve_role_or_404(conn, payload.role_key)
grants_repo = UserRoleGrantsRepository(conn)
for existing in grants_repo.list_for_user(user_id):
if existing["internal_role_id"] == role["id"]:
raise HTTPException(
status_code=409,
detail=(
f"User '{user_id}' already holds role "
f"'{payload.role_key}'"
),
)
grant_id = str(uuid.uuid4())
try:
grants_repo.create(
id=grant_id,
user_id=user_id,
internal_role_id=role["id"],
granted_by=user.get("email"),
source="direct",
)
except duckdb.ConstraintException as e:
# Race vs. the pre-flight check above — duplicate key arrived between
# the two calls. Surface as 409 too for client consistency.
raise HTTPException(status_code=409, detail=str(e))
_audit(
conn, user["id"], "role_grant.created",
f"grant:{grant_id}",
{
"target_user_id": user_id,
"target_email": target.get("email"),
"role_key": payload.role_key,
},
)
created = grants_repo.get(grant_id) or {}
# get() doesn't join — supplement with role display fields.
created["role_key"] = role["key"]
created["role_display_name"] = role["display_name"]
created["role_is_core"] = bool(role.get("is_core", False))
return _role_grant_to_response(created)
@router.delete(
"/users/{user_id}/role-grants/{grant_id}",
status_code=204,
)
async def delete_user_role_grant(
user_id: str,
grant_id: str,
user: dict = Depends(require_internal_role("core.admin")),
conn: duckdb.DuckDBPyConnection = Depends(_get_db),
):
"""Revoke a grant. 404 when missing.
Refuses to delete the last active core.admin grant in the system —
same lockout-protection logic as ``UserRepository.count_admins``.
Without this guard an admin could delete their own (and the only)
core.admin grant and leave nobody able to call this endpoint.
"""
grants_repo = UserRoleGrantsRepository(conn)
grant = grants_repo.get(grant_id)
if not grant or grant.get("user_id") != user_id:
raise HTTPException(
status_code=404, detail=f"Grant '{grant_id}' not found"
)
# Look up the role so we can check whether this is the last core.admin
# holder. Cheap — single row by id.
role = InternalRolesRepository(conn).get_by_id(
grant["internal_role_id"]
)
if role and role.get("key") == "core.admin":
if _count_active_admins(conn) <= 1:
raise HTTPException(
status_code=409,
detail="Cannot revoke the last active core.admin grant",
)
grants_repo.delete(grant_id)
_audit(
conn, user["id"], "role_grant.deleted",
f"grant:{grant_id}",
{
"target_user_id": user_id,
"internal_role_id": grant.get("internal_role_id"),
"role_key": role.get("key") if role else None,
},
)
# --- Effective roles (debug) --------------------------------------------------
@router.get(
"/users/{user_id}/effective-roles",
response_model=EffectiveRolesResponse,
)
async def get_effective_roles(
user_id: str,
user: dict = Depends(require_internal_role("core.admin")),
conn: duckdb.DuckDBPyConnection = Depends(_get_db),
):
"""Debug view: direct grants + group memberships + expanded role keys.
The ``group`` field is best-effort: when the calling admin happens to be
inspecting their own user_id and the request carries a session with
cached ``google_groups``, we surface those for the resolver join. For
cross-user debugging or PAT callers we return ``[]`` — Cloud Identity
group membership for arbitrary users isn't queryable from this API
surface (Google's directory.groups.list is the source of truth and isn't
re-fetched here).
``expanded`` is the resolver's authoritative output for the target user
— direct grants only, since we cannot reliably enumerate the user's
Cloud Identity groups from a server-side context.
"""
if not UserRepository(conn).get_by_id(user_id):
raise HTTPException(
status_code=404, detail=f"User '{user_id}' not found"
)
grant_rows = UserRoleGrantsRepository(conn).list_for_user(user_id)
direct = [_role_grant_to_response(r) for r in grant_rows]
# Direct-grant expansion via the resolver. Pass external_groups=[] —
# we don't have a reliable way to enumerate the target user's groups
# without their session, so the expanded set reflects user_role_grants
# only. This matches what require_internal_role does for PAT callers.
expanded = resolve_internal_roles([], conn, user_id=user_id)
# Group view: only useful when the admin asks about themselves AND
# signed in via OAuth. Otherwise return [] — better than fabricating data.
group: List[Dict[str, Any]] = []
return EffectiveRolesResponse(
direct=direct, group=group, expanded=expanded,
)
Reference in a new issue View git blame Copy permalink