Files
wehub-resource-sync fed8b2eed7
Backend release / release (push) Waiting to run
Bandit Security Scan / bandit_scan (push) Waiting to run
Build and push multi-arch DocsGPT Docker image / build (linux/amd64, ubuntu-latest, amd64) (push) Waiting to run
Build and push multi-arch DocsGPT Docker image / build (linux/arm64, ubuntu-24.04-arm, arm64) (push) Waiting to run
Build and push multi-arch DocsGPT Docker image / manifest (push) Blocked by required conditions
Build and push DocsGPT FE Docker image for development / build (linux/amd64, ubuntu-latest, amd64) (push) Waiting to run
Build and push DocsGPT FE Docker image for development / build (linux/arm64, ubuntu-24.04-arm, arm64) (push) Waiting to run
Build and push DocsGPT FE Docker image for development / manifest (push) Blocked by required conditions
Python linting / ruff (push) Waiting to run
Run python tests with pytest / Run tests and count coverage (3.12) (push) Waiting to run
React Widget Build / build (push) Waiting to run
chore: import upstream snapshot with attribution
2026-07-13 13:28:29 +08:00

131 lines
4.6 KiB
Python

"""Grant, revoke, or list the ``admin`` role for DocsGPT users.
Manual admin grants are the bootstrap mechanism for RBAC: the first admin is
created here (there is no UI to grant admin until you already are one), and that
admin can then manage others. Grants are written to ``user_roles`` with
``source='manual'`` and take effect on the user's next request (persisted RBAC
applies under ``AUTH_TYPE=oidc``; ``user_id`` is the OIDC ``sub``).
Usage::
python scripts/grant_admin.py <user_id> # grant admin
python scripts/grant_admin.py <user_id> --revoke # revoke the manual admin grant
python scripts/grant_admin.py --list # list current admins
python scripts/grant_admin.py <user_id> --force # grant even if no users row exists
Exit codes:
0 — success
1 — bad usage / user not found (without --force)
2 — database error
"""
from __future__ import annotations
import argparse
import logging
import sys
from pathlib import Path
# Make the project root importable regardless of cwd.
sys.path.insert(0, str(Path(__file__).resolve().parents[1]))
import dotenv # noqa: E402
dotenv.load_dotenv()
from application.storage.db.repositories.auth_events import AuthEventsRepository # noqa: E402
from application.storage.db.repositories.user_roles import UserRolesRepository # noqa: E402
from application.storage.db.repositories.users import UsersRepository # noqa: E402
from application.storage.db.session import db_readonly, db_session # noqa: E402
logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
logger = logging.getLogger("grant_admin")
ACTOR = "cli"
def _list_admins() -> int:
with db_readonly() as conn:
admins = UserRolesRepository(conn).list_admins()
if not admins:
print("No admins found.")
return 0
print(f"{'user_id':40} {'sources':20} granted_at")
for row in admins:
sources = ",".join(row.get("sources") or [])
print(f"{row['user_id']:40} {sources:20} {row.get('granted_at')}")
return 0
def _grant(user_id: str, force: bool) -> int:
with db_session() as conn:
if not force:
if UsersRepository(conn).get(user_id) is None:
print(
f"No users row for {user_id!r}. The user must have signed in at least "
f"once, or pass --force to grant anyway (creates a dangling grant).",
file=sys.stderr,
)
return 1
inserted = UserRolesRepository(conn).grant(
user_id, "admin", source="manual", granted_by=ACTOR
)
if inserted:
AuthEventsRepository(conn).insert(
user_id,
"role_granted",
metadata={"role": "admin", "source": "manual", "granted_by": ACTOR},
)
print(f"Granted admin to {user_id!r}.")
else:
print(f"{user_id!r} already has a manual admin grant; nothing to do.")
return 0
def _revoke(user_id: str) -> int:
with db_session() as conn:
removed = UserRolesRepository(conn).revoke(user_id, "admin", source="manual")
if removed:
AuthEventsRepository(conn).insert(
user_id,
"role_revoked",
metadata={"role": "admin", "source": "manual", "revoked_by": ACTOR},
)
print(f"Revoked the manual admin grant from {user_id!r}.")
else:
print(
f"{user_id!r} has no manual admin grant. "
f"(OIDC-group grants are managed by group membership, not this script.)"
)
return 0
def main(argv: list[str] | None = None) -> int:
parser = argparse.ArgumentParser(description="Manage the admin role for DocsGPT users.")
parser.add_argument("user_id", nargs="?", help="The user's auth sub (OIDC subject id).")
parser.add_argument("--revoke", action="store_true", help="Revoke the manual admin grant.")
parser.add_argument("--list", action="store_true", help="List current admins and exit.")
parser.add_argument(
"--force", action="store_true", help="Grant even if no users row exists yet."
)
args = parser.parse_args(argv)
if args.list:
action = _list_admins
elif not args.user_id:
parser.error("user_id is required unless --list is given.")
elif args.revoke:
action = lambda: _revoke(args.user_id) # noqa: E731
else:
action = lambda: _grant(args.user_id, args.force) # noqa: E731
try:
return action()
except Exception:
logger.error("Database operation failed", exc_info=True)
return 2
if __name__ == "__main__":
raise SystemExit(main())