feat: add global viewer role and global token support#596
Open
sap-yuan wants to merge 19 commits into
sap-yuan (Collaborator) commented Mar 20, 2026
- Add 'viewer' role (level 15) to OPA admin policy
- Allow viewer role GET-only access to all resources
- Add global_token database table (migration 00045)
- Add encode_global_token() in token.py
- Support 'global' token type in ibflask.py normalize_token()
- Add global token CRUD API endpoints under /admin/global-tokens
- Update OPA projects policy for global token read access
f3f932b to 7c686f2 (compare): added 17 commits, April 22, 2026 15:09
Each user can now create, revoke, and inspect personal viewer tokens (global tokens) scoped to their own projects.

Key changes:

Backend:
- Migration 00046: add user_id + created_at to global_token; add global_token_access_log table for per-request audit trail
- ibflask: validate_global_token now sets real user_id so project queries are collaborator-filtered; after_request hook writes access log
- New handler at /api/v1/user/global-tokens (CRUD + access log) for any logged-in user; admin/global-tokens simplified to read-only audit
- projects.py: removed "global token sees all projects" branch; both user and global tokens now use the same collaborator-scoped query
- OPA: user.rego rules for personal token management; admin.rego drops blanket global-token admin access; projects_projects.rego enforces collaborator check for global token project access

Frontend:
- UserGlobalTokens.vue: personal token page (create/revoke/access log)
- AdminGlobalTokens.vue: rewritten as admin-only read-only audit view
- UserTokenService.js: user-level token API service
- Nav: "My Tokens" added for all users; Admin menu shows "Tokens (Audit)"
Add a second section to the My Tokens page that lists all project-level tokens grouped by project, for projects where the user has admin rights. Reuses existing per-project token endpoints — no backend changes needed.
Covers list, create, delete, and access-log endpoints including ownership enforcement and unauthorized access checks. Also adds TRUNCATE for the new global_token tables to the shared setUp so FK constraints don't interfere with other test classes.
… tests
Use a single TRUNCATE statement for global_token_access_log and global_token to satisfy PostgreSQL FK constraint requirements. Extract TOKEN_URL and ACCESS_LOG_URL class constants to remove duplicated format strings.
PostgreSQL requires all FK-linked tables to appear in the same TRUNCATE statement. global_token references "user", and global_token_access_log references global_token, so all three must be truncated together.
PostgreSQL blocks TRUNCATE on any table that is referenced by FK constraints in other tables, unless all referencing tables are truncated in the same statement. Collapsed all 14 separate TRUNCATE calls into one to cover the full dependency graph: global_token chain, collaborator, auth_token, jobs, builds, commits, repositories, etc.
…e format
Three bugs in the global token API handler:
1. g.db.execute() returns None, so `if num == 0` never triggered — fixed by selecting first to verify ownership before deleting
2. execute_many_dict returns raw datetime objects — fixed with _serialize_row helper that converts datetime to ISO strings
3. abort(404) returns Flask error format without 'status' key — fixed by returning explicit {'status': 404} dict with HTTP 404 status code
…e Fonts
store.js referenced deleteAdminGlobalToken in the mutations map but the function was never defined, causing a ReferenceError at module load time that crashed the Vue app before it could mount (blank page, no API calls). Also load Google Fonts asynchronously (media="print" + onload) to avoid render-blocking on SAP internal networks where fonts.googleapis.com is unreachable.
- Add infrabox/local-dev/ with docker-compose, seed.sql and README for running the full backend stack locally (postgres, minio, opa, api)
- Add infrabox/test/api/docker-compose.override.yml for running API integration tests locally without modifying the original compose file
- Add webpack proxyTable in dashboard-client config to forward /api to localhost:8090 during local development
- Remove Read/Write scope checkboxes from Global Viewer Tokens creation form; all global tokens are now hardcoded as read-only (scope_pull=true, scope_push=false)
- Replace hardcoded passwords with ${INFRABOX_DB_PASSWORD} from .env
- Add .env.example as the template; .env is gitignored
- Makefile wraps start/stop/logs/frontend into single-word commands
- seed.sql now inserts a default admin user (admin@local.dev / admin123) so no manual bcrypt generation is needed on first run
- README rewritten around the new Quick Start flow
Seed data now includes:
- alice@local.dev (user) — Owner on project-alpha, Developer on project-beta
- bob@local.dev (user) — no project access
- project-alpha, project-beta, project-gamma (upload type)

Mirrors the manual verification scenario: a global token issued by alice should list only alpha and beta, and be denied on gamma.
Global tokens with scope_pull are now allowed by OPA to list projects, but the handler was still using INNER JOIN collaborator which filtered to only the token creator's projects. Add a dedicated query path that returns all projects when the caller holds a global pull token.
Account-related items should appear before the logout action.
Design intent (per OPA test comment) is that the Python side filters by collaborator membership — global tokens see only projects where the token creator is a collaborator, same as regular users.
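The two access-control points discussed in the commits above, the ownership check before deleting a token (the "three bugs" commit) and the collaborator-scoped project listing that the last commit restores, can be illustrated stand-alone. The following is an added example and not InfraBox code: it uses an in-memory SQLite database with a constructed, simplified schema (not migration 00045/00046), constructed seed rows matching the alice/bob scenario, and hypothetical function names; the real handlers sit behind Flask and OPA, which are omitted here.

```python
"""Ownership-checked deletion and collaborator-scoped listing for per-user
"global" viewer tokens. Added illustration only: the schema is a constructed
approximation (not the project's migration) and the function names are
hypothetical."""
import sqlite3
from datetime import datetime, timezone

# Explicit adapter/converter so TIMESTAMP columns round-trip as datetime objects,
# reproducing a DB layer that hands back raw datetimes rather than strings.
sqlite3.register_adapter(datetime, lambda d: d.isoformat())
sqlite3.register_converter("TIMESTAMP", lambda b: datetime.fromisoformat(b.decode()))

SCHEMA = """
CREATE TABLE "user" (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
CREATE TABLE project (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE collaborator (
    user_id INTEGER NOT NULL REFERENCES "user"(id),
    project_id INTEGER NOT NULL REFERENCES project(id),
    role TEXT NOT NULL
);
CREATE TABLE global_token (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES "user"(id),
    description TEXT NOT NULL,
    created_at TIMESTAMP NOT NULL
);
"""


def make_demo_db():
    """Constructed seed data mirroring the verification scenario: alice is a
    collaborator on alpha and beta only; bob has no project access."""
    conn = sqlite3.connect(":memory:", detect_types=sqlite3.PARSE_DECLTYPES)
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany('INSERT INTO "user" VALUES (?, ?)',
                     [(1, "alice@local.dev"), (2, "bob@local.dev")])
    conn.executemany("INSERT INTO project VALUES (?, ?)",
                     [(1, "project-alpha"), (2, "project-beta"), (3, "project-gamma")])
    conn.executemany("INSERT INTO collaborator VALUES (?, ?, ?)",
                     [(1, 1, "Owner"), (1, 2, "Developer")])
    conn.execute("INSERT INTO global_token VALUES (?, ?, ?, ?)",
                 (1, 1, "alice ci viewer",
                  datetime(2026, 4, 22, 15, 9, tzinfo=timezone.utc)))
    conn.commit()
    return conn


def _serialize_row(row):
    """Turn a DB row into a JSON-safe dict: datetimes become ISO-8601 strings."""
    return {k: (v.isoformat() if isinstance(v, datetime) else v)
            for k, v in dict(row).items()}


def list_global_tokens(conn, user_id):
    """Only the caller's own tokens; other users' tokens are never listed."""
    rows = conn.execute(
        "SELECT id, description, created_at FROM global_token "
        "WHERE user_id = ? ORDER BY id", (user_id,)).fetchall()
    return [_serialize_row(r) for r in rows]


def delete_global_token(conn, user_id, token_id):
    """Verify ownership with a SELECT before deleting instead of trusting a row
    count from DELETE, and return an explicit {'status': ...} dict so error and
    success bodies share one shape. A token owned by someone else gets the same
    404 as a missing one, so the endpoint does not reveal which ids exist."""
    owned = conn.execute(
        "SELECT id FROM global_token WHERE id = ? AND user_id = ?",
        (token_id, user_id)).fetchone()
    if owned is None:
        return {"status": 404, "message": "Token not found"}, 404
    conn.execute("DELETE FROM global_token WHERE id = ? AND user_id = ?",
                 (token_id, user_id))
    conn.commit()
    return {"status": 200, "message": "Token deleted"}, 200


def list_projects_for_global_token(conn, token_id):
    """Collaborator-scoped listing: a global token sees exactly the projects its
    creator is a collaborator on, the same filter a logged-in user gets."""
    rows = conn.execute(
        """SELECT p.name FROM global_token t
           JOIN collaborator c ON c.user_id = t.user_id
           JOIN project p ON p.id = c.project_id
           WHERE t.id = ? ORDER BY p.name""", (token_id,)).fetchall()
    return [r["name"] for r in rows]


if __name__ == "__main__":
    db = make_demo_db()
    print(list_projects_for_global_token(db, 1))  # alpha and beta, never gamma
    print(delete_global_token(db, 2, 1))          # bob cannot delete alice's token
    print(delete_global_token(db, 1, 1))          # alice can
```

Because the project filter joins through the token's owning user_id, a viewer token can never list a project its creator could not see in the dashboard, and because the delete path re-checks user_id in both the SELECT and the DELETE, a guessed token id belonging to another user is rejected without leaking that it exists.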