feat(api): Enforce AGENTA_ACCESS_* domain and email controls in OSS#4674
Open
jp-agenta wants to merge 2 commits into
Open
feat(api): Enforce AGENTA_ACCESS_* domain and email controls in OSS#4674jp-agenta wants to merge 2 commits into
jp-agenta wants to merge 2 commits into
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
dosubot
Bot
added
size:XS
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (2)
💤 Files with no reviewable changes (2)
📝 WalkthroughSummary by CodeRabbit
WalkthroughThe ChangesAuthorization-Blocking EE-Gating Removal
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
dosubot
Bot
added
size:M
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 6407431f-ebfe-4c12-b543-cb9ebedf9e25
⛔ Files ignored due to path filters (4)
api/uv.lockis excluded by!**/*.lockclients/python/uv.lockis excluded by!**/*.locksdks/python/uv.lockis excluded by!**/*.lockservices/uv.lockis excluded by!**/*.lock
📒 Files selected for processing (19)
api/entrypoints/worker_evaluations.pyapi/entrypoints/worker_events.pyapi/entrypoints/worker_webhooks.pyapi/oss/src/core/events/streaming.pyapi/oss/src/core/tracing/streaming.pyapi/oss/tests/legacy/conftest.pyapi/oss/tests/legacy/workflows/core/tests.pyapi/pyproject.tomlclients/python/pyproject.tomldocs/openapi-cleanup/research.mdhosting/kubernetes/helm/Chart.yamlsdks/python/oss/tests/legacy/new_tests/conftest.pysdks/python/oss/tests/legacy/new_tests/workflows/core/tests.pysdks/python/pyproject.tomlservices/pyproject.tomlweb/ee/package.jsonweb/oss/package.jsonweb/package.jsonweb/packages/agenta-api-client/package.json
✅ Files skipped from review due to trivial changes (10)
- sdks/python/pyproject.toml
- web/package.json
- clients/python/pyproject.toml
- web/packages/agenta-api-client/package.json
- web/ee/package.json
- web/oss/package.json
- hosting/kubernetes/helm/Chart.yaml
- services/pyproject.toml
- docs/openapi-cleanup/research.md
- api/pyproject.toml
is_auth_info_blocked() early-returned False outside EE, so the four AGENTA_ACCESS_* env vars were parsed but never enforced in OSS. Deleting the gate activates the shared blocklist/allowlist logic in both editions.
is_auth_info_blocked no longer reads is_ee, so patching it raised AttributeError; the tests now exercise the path both editions share.
junaway
force-pushed
the
feat/oss-access-vars
branch
from
931297c to
23c813f
Compare
dosubot
Bot
added
size:XS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context
OSS already parses all four access env vars (
AGENTA_ACCESS_ALLOWED_DOMAINS,AGENTA_ACCESS_ALLOWED_OWNER_EMAILS,AGENTA_ACCESS_BLOCKED_DOMAINS,AGENTA_ACCESS_BLOCKED_EMAILS) through the sharedAccessConfig, but never enforces them:is_auth_info_blocked()early-returnsFalsewhen not running EE. Sequencing step 3 of the convergence plan (docs/designs/oss-ee-convergence/assessment-a-oss-multi-org.md).Changes
Deletes the
if not is_ee(): return Falsegate inis_auth_info_blocked()(oss/src/core/auth/helper.py). That is the whole change: parsing, normalization, and the exact-or-subdomain matcher are already shared, so OSS now gets identical blocklist/allowlist semantics on every auth path that callsensure_auth_info_not_blocked.AGENTA_ACCESS_ALLOWED_OWNER_EMAILSis enforced bycan_create_organization, which moves into OSS with the org-creation PR (#4673); nothing more is needed here.Tests / notes
ruff formatandruff checkpass.oss/tests/pytest/unit/auth/test_helper.pyupdated: they stubbed the now-deletedis_eeimport (which would raise AttributeError) and now exercise the enforcement path both editions share.AGENTA_ACCESS_BLOCKED_EMAILS/BLOCKED_DOMAINSare unset, the PostHog-backed fallback blocklists now also apply (same as EE).What to QA
AGENTA_ACCESS_BLOCKED_EMAILS=bad@x.com: signup/signin as that email is denied with "Access Denied."AGENTA_ACCESS_ALLOWED_DOMAINS=mycorp.com: a@mycorp.com(or subdomain) email signs in; any other domain is denied.🤖 Generated with Claude Code