admin / Synapse-Cortex
publicSelf Hosted ITSM Tool with RBAC/Tenanting and MFA
Synapse-Cortex / Synapse-Cortexv2 / app / routers / vault.py
2094 B · main
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 | from typing import Optional from fastapi import APIRouter, Depends, HTTPException, status from sqlalchemy.orm import Session from .. import models, schemas from ..ai.vault import VaultAlreadyExistsError, create_vault from ..audit import log_audit from ..database import get_db from ..deps import get_session_user router = APIRouter(prefix="/api/v1/admin/vault", tags=["vault"]) def _require_global_admin(user: Optional[models.User]) -> None: if not user: raise HTTPException(status.HTTP_401_UNAUTHORIZED) if user.role != models.UserRole.GLOBAL_ADMIN: raise HTTPException(status.HTTP_403_FORBIDDEN, detail="Only a global admin can manage the credential vault") @router.get("", response_model=schemas.VaultStatusOut) def get_vault_status(db: Session = Depends(get_db), user: Optional[models.User] = Depends(get_session_user)): _require_global_admin(user) tenant = db.get(models.Tenant, user.tenant_id) return schemas.VaultStatusOut(created=bool(tenant.vault_key_wrapped), created_at=tenant.vault_created_at) @router.post("", response_model=schemas.VaultCreateOut, status_code=status.HTTP_201_CREATED) def create_vault_endpoint(db: Session = Depends(get_db), user: Optional[models.User] = Depends(get_session_user)): """Creates this tenant's credential vault exactly once. There is no corresponding PATCH/rotate endpoint anywhere in the API - recreating the vault would make every already-vaulted credential and the stored Claude API key permanently undecryptable, so once created it can only ever be read as {created: true}, never regenerated.""" _require_global_admin(user) tenant = db.get(models.Tenant, user.tenant_id) try: raw_key = create_vault(tenant) except VaultAlreadyExistsError as exc: raise HTTPException(status.HTTP_409_CONFLICT, detail=str(exc)) log_audit(db, tenant_id=user.tenant_id, user_id=user.id, action="vault_create", detail={}) db.commit() db.refresh(tenant) return schemas.VaultCreateOut(created=True, created_at=tenant.vault_created_at, vault_key=raw_key) |