Admin check fix (#390)

* Admin check fix

* More admin routes unified

* fix admin check

* Submodule change

Author: JWittmeyer

alembic/versions/1133d27823e3_helper_admin_field.py

@@ -0,0 +1,28 @@
+"""helper admin field
+
+Revision ID: 1133d27823e3
+Revises: b2c3d4e5f6a7
+Create Date: 2026-02-23 09:42:28.698186
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '1133d27823e3'
+down_revision = 'b2c3d4e5f6a7'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('user', sa.Column('is_admin', sa.Boolean(), nullable=True))
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column('user', 'is_admin')
+    # ### end Alembic commands ###

controller/auth/kratos.py

@@ -129,6 +129,7 @@ def __parse_identity_to_simple(identity: Dict[str, Any]) -> Dict[str, str]:
         "mail": None,
         "firstName": None,
         "lastName": None,
+        "is_admin": get_identity_is_admin(identity),
     }
     if "traits" in identity:
         r["mail"] = identity["traits"]["email"]
@@ -305,3 +306,17 @@ def get_admin_users_by_public_metadata() -> List[Dict[str, Any]]:
         ][0]["verified"]:
             admins.append(cache[key]["simple"])
     return admins
+
+
+def get_identity_is_admin(identity: Dict[str, Any]) -> bool:
+
+    if (identity.get("metadata_public") or {}).get("role") == "ADMIN" and identity[
+        "verifiable_addresses"
+    ][0]["verified"]:
+        return True
+    if (
+        identity["traits"]["email"].split("@")[1] == "kern.ai"
+        and identity["verifiable_addresses"][0]["verified"]
+    ):
+        return True
+    return False

controller/auth/manager.py

@@ -1,5 +1,5 @@
 import re
-from typing import Any, Dict, List, Optional
+from typing import Any, Dict, List, Optional, Tuple
 
 from controller.auth import kratos
 from fastapi import Request
@@ -16,12 +16,20 @@
 from submodules.model.business_objects.user import check_email_in_full_admin
 from submodules.model.models import Organization, Project, User
 import sqlalchemy
+from dataclasses import dataclass
+from .kratos import get_identity_is_admin
 
 DEV_USER_ID = "741df1c2-a531-43b6-b259-df23bc78e9a2"
 
 EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
 
 
+@dataclass(frozen=True)
+class AdminData:
+    is_admin: bool
+    is_full_admin: bool
+
+
 def get_organization_id_by_info(info) -> Organization:
     user = get_user_by_info(info)
     if not user or not user.organization_id:
@@ -90,8 +98,8 @@ def check_project_access(info, project_id: str) -> None:
         raise AuthManagerError("Project not found")
 
 
-def check_admin_access(info) -> None:
-    if not check_is_admin(info.context["request"]):
+def check_admin_access(request_state: Any) -> None:
+    if not request_state.adm.is_admin:
         raise AuthManagerError("Admin access required")
 
 
@@ -114,25 +122,26 @@ def check_project_access_from_user_id(
     return True
 
 
-def check_is_admin(request: Any) -> bool:
+
+def __check_is_admin_header(request: Request) -> Tuple[bool, bool]:
     if "Authorization" in request.headers:
         jwt_decoded: Dict[str, Any] = jwt.decode(
             request.headers["Authorization"].split(" ")[1],
             options={"verify_signature": False},
         )
-        subject: Dict[str, Any] = jwt_decoded["session"]["identity"]
-        if (
-            subject["traits"]["email"].split("@")[1] == "kern.ai"
-            and subject["verifiable_addresses"][0]["verified"]
-        ):
-            return True
-        elif (
-            # subject metadata_public can be None so we use or {} instead of get with default
-            (subject.get("metadata_public") or {}).get("role") == "ADMIN"
-            and subject["verifiable_addresses"][0]["verified"]
-        ):
-            return True
-    return False
+        identity = jwt_decoded["session"]["identity"]
+        email = identity["traits"]["email"]
+
+        return get_identity_is_admin(identity), check_email_in_full_admin(email)
+    return False, False
+
+
+def parse_admin_info(request: Any) -> None:
+    is_admin, is_full_admin = __check_is_admin_header(request)
+    request.state.adm = AdminData(
+        is_admin=is_admin,
+        is_full_admin=is_full_admin,
+    )
 
 
 def check_is_single_organization() -> bool:
@@ -148,11 +157,7 @@ def extract_state_info(request: Request, key: str) -> Any:
             user = get_user_by_info(request.state.info)
             if user and user.organization_id:
                 value = str(user.organization_id)
-        elif key == "is_admin":
-            value = check_is_admin(request)
-        elif key == "log_request":
-            # lazy and => db access only if admin is true
-            if extract_state_info(request, "is_admin"):
+        elif key == "log_request" and request.state.adm.is_admin:
                 value = organization.log_admin_requests(
                     extract_state_info(request, "organization_id")
                 )
@@ -168,15 +173,10 @@ def extract_state_info(request: Request, key: str) -> Any:
 def check_is_full_admin(request: Any) -> bool:
     if request.url.hostname == "localhost" and request.url.port == 7051:
         return True
-    if check_is_admin(request):
-        jwt_decoded: Dict[str, Any] = jwt.decode(
-            request.headers["Authorization"].split(" ")[1],
-            options={"verify_signature": False},
-        )
-        subject: Dict[str, Any] = jwt_decoded["session"]["identity"]
-        if check_email_in_full_admin(subject["traits"]["email"]):
-            return True
-    return False
+    state = getattr(request.state, "adm", None)
+    if not state:
+        raise AuthManagerError("Admin state is not set in request.state.adm")
+    return state.is_full_admin
 
 
 def invite_users(

controller/organization/manager.py

@@ -105,7 +105,7 @@ def delete_organization(name: str) -> None:
     all_users = user.get_all(org.id)
     unassigned = False
     for u in all_users:
-        if (u.email or "").endswith("@kern.ai"):
+        if u.is_admin:
             unassigned = True
             u.organization_id = None
     if unassigned:

controller/user/manager.py

@@ -181,6 +181,7 @@ def __migrate_kratos_users():
         if user_id not in users_kratos or users_kratos[user_id] is None:
             continue
         user_identity = users_kratos[user_id]["identity"]
+
         if user_database.email != user_identity["traits"]["email"]:
             user_database.email = user_identity["traits"]["email"]
         if (
@@ -210,5 +211,6 @@ def __migrate_kratos_users():
         )
         if user_database.sso_provider != sso_provider:
             user_database.sso_provider = sso_provider
-
+        if user_database.is_admin != users_kratos[user_id]["simple"]["is_admin"]:
+            user_database.is_admin = users_kratos[user_id]["simple"]["is_admin"]
     general.commit()

fast_api/routes/comment.py

@@ -34,7 +34,7 @@ def get_all_comments(request: Request):
         if project_id:
             auth_manager.check_project_access(request.state.info, project_id)
         else:
-            auth_manager.check_admin_access(request.state.info)
+            auth_manager.check_admin_access(request.state)
 
         if comment_id:
             data = manager.get_comment_by_comment_id(user_id, comment_id)
@@ -65,7 +65,7 @@ def create_comment(request: Request, body: CreateCommentBody = Body(...)):
     if body.project_id:
         auth_manager.check_project_access(request.state.info, body.project_id)
     else:
-        auth_manager.check_admin_access(request.state.info)
+        auth_manager.check_admin_access(request.state)
 
     if body.xftype == CommentCategory.USER.value:
         user_id = body.xfkey
@@ -92,7 +92,7 @@ def delete_comment(
     if body.project_id:
         auth_manager.check_project_access(request.state.info, body.project_id)
     else:
-        auth_manager.check_admin_access(request.state.info)
+        auth_manager.check_admin_access(request.state)
 
     user_id = auth_manager.get_user_id_by_info(request.state.info)
     manager.delete_comment(body.comment_id, user_id)
@@ -117,7 +117,7 @@ def update_comment(
     if body.project_id:
         auth_manager.check_project_access(request.state.info, body.project_id)
     else:
-        auth_manager.check_admin_access(request.state.info)
+        auth_manager.check_admin_access(request.state)
 
     user = auth_manager.get_user_by_info(request.state.info)
     item = manager.update_comment(body.comment_id, user, body.changes)
@@ -137,5 +137,5 @@ def update_comment(
 @router.get("/get-unique-comments-keys-for")
 def get_unique_comments_keys_for(request: Request, xftype: str):
     if xftype in [CommentCategory.ORGANIZATION.value, CommentCategory.USER.value]:
-        auth_manager.check_admin_access(request.state.info)
+        auth_manager.check_admin_access(request.state)
     return manager.get_unique_comments_keys_for(xftype)

fast_api/routes/inbox_mail.py

@@ -17,7 +17,7 @@
 
 @router.post("")
 def create_inbox_mail_by_thread(request: Request, inbox_mail: InboxMailCreateRequest):
-    user_is_admin = auth_manager.check_is_admin(request)
+    user_is_admin = auth_manager.check_admin_access(request.state)
     user = auth_manager.get_user_by_info(request.state.info)
 
     if inbox_mail.threadId:
@@ -52,7 +52,7 @@ def create_inbox_mail_by_thread(request: Request, inbox_mail: InboxMailCreateReq
 
 @router.get("/thread/{thread_id}")
 def get_inbox_mails_by_thread(request: Request, thread_id: str) -> List[Dict[str, Any]]:
-    user_is_admin = auth_manager.check_is_admin(request)
+    user_is_admin = auth_manager.check_admin_access(request.state)
 
     user = auth_manager.get_user_by_info(request.state.info)
 
@@ -72,7 +72,7 @@ def get_inbox_mail_thread_overview_paginated(
     limit: int = 10,
     filters: Optional[List[str]] = Query(default=None),
 ):
-    user_is_admin = auth_manager.check_is_admin(request)
+    user_is_admin = auth_manager.check_admin_access(request.state)
     user = auth_manager.get_user_by_info(request.state.info)
     mail = inbox_mail_manager.get_inbox_mail_threads_overview(
         org_id=user.organization_id,
@@ -91,7 +91,7 @@ def update_inbox_mail_thread_progress(
     thread_id: str,
     inbox_mail_thread_update: UpdateInboxMailThreadProgressRequest,
 ):
-    user_is_admin = auth_manager.check_is_admin(request)
+    user_is_admin = auth_manager.check_admin_access(request.state)
     user = auth_manager.get_user_by_info(request.state.info)
 
     inbox_mail_thread = inbox_mail_go.get_inbox_mail_thread_by_id(thread_id=thread_id)
@@ -133,7 +133,7 @@ def delete_inbox_mail_by_id(request: Request, mail_id: str):
 
 @router.get("/new")
 def has_new_inbox_mails(request: Request):
-    user_is_admin = auth_manager.check_is_admin(request)
+    user_is_admin = auth_manager.check_admin_access(request.state)
     user = auth_manager.get_user_by_info(request.state.info)
 
     total_new_inbox_mails = inbox_mail_manager.get_new_inbox_mails_info(
@@ -150,7 +150,7 @@ def has_new_inbox_mails(request: Request):
 
 @router.put("/thread/{thread_id}/unread/project")
 def update_inbox_mail_threads_unread_by_project(request: Request, thread_id: str):
-    user_is_admin = auth_manager.check_is_admin(request)
+    user_is_admin = auth_manager.check_admin_access(request.state)
     if not user_is_admin:
         raise HTTPException(status_code=403, detail="Not authorized")
     inbox_mail_thread = inbox_mail_go.get_inbox_mail_thread_by_id(thread_id=thread_id)
@@ -165,7 +165,7 @@ def update_inbox_mail_threads_unread_by_project(request: Request, thread_id: str
 
 @router.put("/thread/{thread_id}/unread/content")
 def update_inbox_mail_threads_unread_by_content(request: Request, thread_id: str):
-    user_is_admin = auth_manager.check_is_admin(request)
+    user_is_admin = auth_manager.check_admin_access(request.state)
     if not user_is_admin:
         raise HTTPException(status_code=403, detail="Not authorized")
     inbox_mail_thread = inbox_mail_go.get_inbox_mail_thread_by_id(thread_id=thread_id)
@@ -180,7 +180,7 @@ def update_inbox_mail_threads_unread_by_content(request: Request, thread_id: str
 
 @router.put("/thread/{thread_id}/unread-last")
 def mark_inbox_mail_thread_as_unread(request: Request, thread_id: str):
-    user_is_admin = auth_manager.check_is_admin(request)
+    user_is_admin = auth_manager.check_admin_access(request.state)
     if not user_is_admin:
         raise HTTPException(status_code=403, detail="Not authorized")
     inbox_mail_thread = inbox_mail_go.get_inbox_mail_thread_by_id(thread_id=thread_id)
@@ -193,7 +193,7 @@ def mark_inbox_mail_thread_as_unread(request: Request, thread_id: str):
 
 @router.delete("/thread/{thread_id}/similar")
 def delete_similar_system_threads(request: Request, thread_id: str):
-    user_is_admin = auth_manager.check_is_admin(request)
+    user_is_admin = auth_manager.check_admin_access(request.state)
     if not user_is_admin:
         raise HTTPException(status_code=403, detail="Not authorized")