Catalyst / admin/Synapse-Cortex 14.8 GB / 57.8 GB 40.0 GB free
Help Sign in

admin / Synapse-Cortex

public

Self Hosted ITSM Tool with RBAC/Tenanting and MFA

Code Issues Pull requests Pipelines Packages Security Insights Wiki Settings
Synapse-Cortex / Synapse-Cortexv2 / app / routers / vault.py 2094 B · main
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
from typing import Optional

from fastapi import APIRouter, Depends, HTTPException, status
from sqlalchemy.orm import Session

from .. import models, schemas
from ..ai.vault import VaultAlreadyExistsError, create_vault
from ..audit import log_audit
from ..database import get_db
from ..deps import get_session_user

router = APIRouter(prefix="/api/v1/admin/vault", tags=["vault"])


def _require_global_admin(user: Optional[models.User]) -> None:
    if not user:
        raise HTTPException(status.HTTP_401_UNAUTHORIZED)
    if user.role != models.UserRole.GLOBAL_ADMIN:
        raise HTTPException(status.HTTP_403_FORBIDDEN, detail="Only a global admin can manage the credential vault")


@router.get("", response_model=schemas.VaultStatusOut)
def get_vault_status(db: Session = Depends(get_db), user: Optional[models.User] = Depends(get_session_user)):
    _require_global_admin(user)
    tenant = db.get(models.Tenant, user.tenant_id)
    return schemas.VaultStatusOut(created=bool(tenant.vault_key_wrapped), created_at=tenant.vault_created_at)


@router.post("", response_model=schemas.VaultCreateOut, status_code=status.HTTP_201_CREATED)
def create_vault_endpoint(db: Session = Depends(get_db), user: Optional[models.User] = Depends(get_session_user)):
    """Creates this tenant's credential vault exactly once. There is no
    corresponding PATCH/rotate endpoint anywhere in the API - recreating
    the vault would make every already-vaulted credential and the stored
    Claude API key permanently undecryptable, so once created it can only
    ever be read as {created: true}, never regenerated."""
    _require_global_admin(user)
    tenant = db.get(models.Tenant, user.tenant_id)

    try:
        raw_key = create_vault(tenant)
    except VaultAlreadyExistsError as exc:
        raise HTTPException(status.HTTP_409_CONFLICT, detail=str(exc))

    log_audit(db, tenant_id=user.tenant_id, user_id=user.id, action="vault_create", detail={})
    db.commit()
    db.refresh(tenant)
    return schemas.VaultCreateOut(created=True, created_at=tenant.vault_created_at, vault_key=raw_key)