anti
8d18c59201
Gate all 8 swarm-controller operator routes (enroll, list/get/decommission hosts, deploy, teardown, check, list deckies) with the centralized require_admin RBAC dependency alongside require_operator_cert; mTLS becomes defense-in-depth instead of the only gate. /heartbeat stays cert-fingerprint pinned (worker-facing) and /swarm/health stays open (liveness only). CLI swarm commands now send Authorization: Bearer $DECNET_API_TOKEN with a 401/403 hint covering the must_change_password bootstrap flow. Bump pyjwt to 2.13.0 and pip to 26.1.2 (pip-audit PYSEC-2026-175/177/178/179, PYSEC-2026-196); authz suite re-verified on the new pyjwt. Closes ASVS_L2_AUDIT.md V4.1.1a and V4.1.1b (CRITICAL).
68 lines
2.4 KiB
Python
68 lines
2.4 KiB
Python
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
"""GET /swarm/deckies — list decky shards with their worker host's identity.
|
|
|
|
The DeckyShard table maps decky_name → host_uuid; users want to see which
|
|
deckies are running and *where*, so we enrich each shard with the owning
|
|
host's name/address/status from SwarmHost rather than making callers do
|
|
the join themselves.
|
|
"""
|
|
from __future__ import annotations
|
|
|
|
from typing import Optional
|
|
|
|
from fastapi import APIRouter, Depends
|
|
|
|
from decnet.web.db.repository import BaseRepository
|
|
from decnet.web.dependencies import get_repo, require_admin
|
|
from decnet.web.router.swarm._mtls import PeerCert, require_operator_cert
|
|
from decnet.web.db.models import DeckyShardView
|
|
|
|
router = APIRouter()
|
|
|
|
|
|
@router.get(
|
|
"/deckies",
|
|
response_model=list[DeckyShardView],
|
|
tags=["Swarm Deckies"],
|
|
responses={
|
|
401: {"description": "Missing or invalid admin JWT"},
|
|
403: {"description": "Authenticated user is not an admin, or operator cert missing"},
|
|
},
|
|
)
|
|
async def api_list_deckies(
|
|
host_uuid: Optional[str] = None,
|
|
state: Optional[str] = None,
|
|
repo: BaseRepository = Depends(get_repo),
|
|
_admin: dict = Depends(require_admin),
|
|
_operator: PeerCert = Depends(require_operator_cert),
|
|
) -> list[DeckyShardView]:
|
|
shards = await repo.list_decky_shards(host_uuid)
|
|
hosts = {h["uuid"]: h for h in await repo.list_swarm_hosts()}
|
|
|
|
out: list[DeckyShardView] = []
|
|
for s in shards:
|
|
if state and s.get("state") != state:
|
|
continue
|
|
host = hosts.get(s["host_uuid"], {})
|
|
out.append(DeckyShardView(
|
|
decky_name=s["decky_name"],
|
|
decky_ip=s.get("decky_ip"),
|
|
host_uuid=s["host_uuid"],
|
|
host_name=host.get("name") or "<unknown>",
|
|
host_address=host.get("address") or "",
|
|
host_status=host.get("status") or "unknown",
|
|
services=s.get("services") or [],
|
|
state=s.get("state") or "pending",
|
|
last_error=s.get("last_error"),
|
|
compose_hash=s.get("compose_hash"),
|
|
updated_at=s["updated_at"],
|
|
hostname=s.get("hostname"),
|
|
distro=s.get("distro"),
|
|
archetype=s.get("archetype"),
|
|
service_config=s.get("service_config") or {},
|
|
mutate_interval=s.get("mutate_interval"),
|
|
last_mutated=s.get("last_mutated") or 0.0,
|
|
last_seen=s.get("last_seen"),
|
|
))
|
|
return out
|