anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0c10869e2657a2723784f6c7236f723aea7da0f2
DECNET/decnet/web/router/swarm_updates/api_rollback_host.py
anti 245975a6dd fix(security): close LOW ASVS findings — env bypass, SSE/deployment authz, CN fail-close, password byte-limit, exception leaks, BUG-12..16 
Auth/session (V2.1.7, V4.1.5, V4.1.6, V2.1.4/V2.1.5):
- env secret validation no longer bypassed by attacker-injectable PYTEST* env;
  gated on explicit DECNET_TESTING=1 (set only in conftest).
- must_change_password now enforced on the SSE header-JWT path, not just ticket mint.
- GET /system/deployment-mode requires viewer auth (was leaking role + topology size).
- CreateUser/ResetUser passwords min_length=12; passwords >72 bytes rejected
  explicitly instead of bcrypt silently truncating.

Swarm ingestion (V9.1.3, BUG-16):
- Log listener hard-rejects peers with unparseable/empty cert CN (fail closed,
  ingests nothing) instead of tagging 'unknown'.
- Shutdown handlers no longer swallow real errors (narrowed to CancelledError).

Info leakage (V7.1.2, V14.1.2):
- Exception text sanitized on swarm-update, health, tarpit, realism, file-drop,
  blank-topology endpoints (raw tc/docker stderr, DB/Docker errors logged
  server-side, generic detail returned). pyproject license corrected to AGPL-3.0.

Correctness (BUG-12..16):
- BUG-12 atomic credential upsert (UNIQUE constraint + IntegrityError retry,
  consistent principal_key canonicalization).
- BUG-13 rule-tail watermark uses >= with seen-id dedup (no same-second drop).
- BUG-14 worker wake cleared before wait (no lost wake during tick).
- BUG-15 intel gather tolerates an unexpected provider raise.
- BUG-16 see above.

Already-closed (verified, no change): V2.1.6, V5.1.3, V9.1.2. Accept-risk +
documented: V2.1.8 cache window, V3.1.3 idle timeout. Tests added for every fix;
unanimous adversarial review after two refute-fix rounds.
2026-06-10 13:27:14 -04:00

79 lines
3.0 KiB
Python
Raw Blame History

# SPDX-License-Identifier: AGPL-3.0-or-later
"""POST /swarm-updates/rollback — manual rollback on a single host.
Calls the worker updater's ``/rollback`` which swaps the ``current``
symlink back to ``releases/prev``. Fails with 404 if the target has no
previous release slot.
"""
from __future__ import annotations
from fastapi import APIRouter, Depends, HTTPException
from decnet.logging import get_logger
from decnet.swarm.updater_client import UpdaterClient
from decnet.web.db.models import RollbackRequest, RollbackResponse
from decnet.web.db.repository import BaseRepository
from decnet.web.dependencies import get_repo, require_admin
log = get_logger("swarm_updates.rollback")
router = APIRouter()
@router.post(
"/rollback",
response_model=RollbackResponse,
tags=["Swarm Updates"],
responses={
400: {"description": "Bad Request (malformed JSON body or host has no updater bundle)"},
401: {"description": "Could not validate credentials"},
403: {"description": "Insufficient permissions"},
404: {"description": "Unknown host, or no previous release slot on the worker"},
422: {"description": "Request body validation error"},
},
)
async def api_rollback_host(
req: RollbackRequest,
admin: dict = Depends(require_admin),
repo: BaseRepository = Depends(get_repo),
) -> RollbackResponse:
host = await repo.get_swarm_host_by_uuid(req.host_uuid)
if host is None:
raise HTTPException(status_code=404, detail=f"Unknown host: {req.host_uuid}")
if not host.get("updater_cert_fingerprint"):
raise HTTPException(
status_code=400,
detail=f"Host '{host['name']}' has no updater bundle — nothing to roll back.",
)
try:
async with UpdaterClient(host=host) as u:
r = await u.rollback()
except Exception: # noqa: BLE001
log.exception("swarm_updates.rollback transport failure host=%s", host["name"])
return RollbackResponse(
host_uuid=host["uuid"], host_name=host["name"],
status="failed",
detail="transport failure",
)
body = r.json() if r.content else {}
if r.status_code == 404:
# No previous release — surface as 404 so the UI can render the
# "nothing to roll back" state distinctly from a transport error.
raise HTTPException(
status_code=404,
detail=body.get("detail") if isinstance(body, dict) else "No previous release on worker.",
)
if r.status_code != 200:
return RollbackResponse(
host_uuid=host["uuid"], host_name=host["name"],
status="failed", http_status=r.status_code,
detail=(body.get("error") or body.get("detail")) if isinstance(body, dict) else None,
)
return RollbackResponse(
host_uuid=host["uuid"], host_name=host["name"],
status="rolled-back", http_status=r.status_code,
detail=body.get("status") if isinstance(body, dict) else None,
)
Reference in New Issue View Git Blame Copy Permalink