anti
8d18c59201
Gate all 8 swarm-controller operator routes (enroll, list/get/decommission hosts, deploy, teardown, check, list deckies) with the centralized require_admin RBAC dependency alongside require_operator_cert; mTLS becomes defense-in-depth instead of the only gate. /heartbeat stays cert-fingerprint pinned (worker-facing) and /swarm/health stays open (liveness only). CLI swarm commands now send Authorization: Bearer $DECNET_API_TOKEN with a 401/403 hint covering the must_change_password bootstrap flow. Bump pyjwt to 2.13.0 and pip to 26.1.2 (pip-audit PYSEC-2026-175/177/178/179, PYSEC-2026-196); authz suite re-verified on the new pyjwt. Closes ASVS_L2_AUDIT.md V4.1.1a and V4.1.1b (CRITICAL).
35 lines
1.2 KiB
Python
35 lines
1.2 KiB
Python
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
"""GET /swarm/hosts/{uuid} — fetch a single worker by UUID."""
|
|
from __future__ import annotations
|
|
|
|
from fastapi import APIRouter, Depends, HTTPException
|
|
|
|
from decnet.web.db.repository import BaseRepository
|
|
from decnet.web.dependencies import get_repo, require_admin
|
|
from decnet.web.router.swarm._mtls import PeerCert, require_operator_cert
|
|
from decnet.web.db.models import SwarmHostView
|
|
|
|
router = APIRouter()
|
|
|
|
|
|
@router.get(
|
|
"/hosts/{uuid}",
|
|
response_model=SwarmHostView,
|
|
tags=["Swarm Hosts"],
|
|
responses={
|
|
401: {"description": "Missing or invalid admin JWT"},
|
|
403: {"description": "Authenticated user is not an admin, or operator cert missing"},
|
|
404: {"description": "No host with this UUID is enrolled"},
|
|
},
|
|
)
|
|
async def api_get_host(
|
|
uuid: str,
|
|
repo: BaseRepository = Depends(get_repo),
|
|
_admin: dict = Depends(require_admin),
|
|
_operator: PeerCert = Depends(require_operator_cert),
|
|
) -> SwarmHostView:
|
|
row = await repo.get_swarm_host_by_uuid(uuid)
|
|
if row is None:
|
|
raise HTTPException(status_code=404, detail="host not found")
|
|
return SwarmHostView(**row)
|