feat: Add legacy pilot support in management (dirac-admin-add-pilot)

Robin VAN DE MERGHEL · Robin VAN DE MERGHEL · commit 4ba2c9b97b5c · 2025-07-04T13:47:51.000+02:00
diff --git a/diracx-routers/src/diracx/routers/pilots/access_policies.py b/diracx-routers/src/diracx/routers/pilots/access_policies.py
@@ -7,7 +7,7 @@
 from fastapi import Depends, HTTPException, status
 
 from diracx.core.models import VectorSearchOperator, VectorSearchSpec
-from diracx.core.properties import SERVICE_ADMINISTRATOR
+from diracx.core.properties import GENERIC_PILOT, SERVICE_ADMINISTRATOR
 from diracx.db.sql.job.db import JobDB
 from diracx.db.sql.pilots.db import PilotAgentsDB
 from diracx.logic.pilots.query import get_pilots_by_stamp
@@ -39,20 +39,32 @@ async def policy(
         pilot_stamps: list[str] | None = None,
         job_db: JobDB | None = None,
         job_ids: list[int] | None = None,
+        allow_legacy_pilots: bool = False
     ):
         assert action, "action is a mandatory parameter"
 
         # Users can query
         # NOTE: Add into queries a VO constraint
         # To manage pilots, user have to be an admin
-        if (
-            action == ActionType.MANAGE_PILOTS
-            and SERVICE_ADMINISTRATOR not in user_info.properties
-        ):
-            raise HTTPException(
-                status_code=status.HTTP_403_FORBIDDEN,
-                detail="You don't have the permission to manage pilots.",
-            )
+        # In some special cases (described with allow_legacy_pilots), we can allow pilots
+        if action == ActionType.MANAGE_PILOTS:
+
+            # To make it clear, we separate
+            is_an_admin = SERVICE_ADMINISTRATOR in user_info.properties
+            is_a_pilot_if_allowed = allow_legacy_pilots and GENERIC_PILOT in user_info.properties
+
+            if not is_an_admin and not is_a_pilot_if_allowed:
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail="You don't have the permission to manage pilots.",
+                )
+
+        if action == ActionType.READ_PILOT_FIELDS:
+            if GENERIC_PILOT in user_info.properties:
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail="Pilots can't read other pilots info."
+                )
 
         #
         # Additional checks if job_ids or pilot_stamps are provided
diff --git a/diracx-routers/src/diracx/routers/pilots/management.py b/diracx-routers/src/diracx/routers/pilots/management.py
@@ -3,6 +3,7 @@
 from http import HTTPStatus
 from typing import Annotated
 
+from diracx.core.properties import GENERIC_PILOT
 from fastapi import Body, Depends, HTTPException, Query, status
 
 from diracx.core.exceptions import (
@@ -65,7 +66,19 @@ async def add_pilot_stamps(
     If a pilot stamp already exists, it will block the insertion.
     """
     # TODO: Verify that grid types, sites, destination sites, etc. are valids
-    await check_permissions(action=ActionType.MANAGE_PILOTS)
+    await check_permissions(
+        action=ActionType.MANAGE_PILOTS,
+        allow_legacy_pilots=True # dirac-admin-add-pilot
+    )
+
+    # Prevent someone who stole a pilot X509 to create thousands of pilots at a time
+    # (It would be still able to create thousands of pilots, but slower)
+    if GENERIC_PILOT in user_info.properties:
+        if len(pilot_stamps) != 1:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="As a pilot, you can only create yourself."
+            )
 
     try:
         await register_new_pilots(
@@ -183,6 +196,7 @@ async def update_pilot_fields(
     ],
     pilot_db: PilotAgentsDB,
     check_permissions: CheckPilotManagementPolicyCallable,
+    user_info: Annotated[AuthorizedUserInfo, Depends(verify_dirac_access_token)],
 ):
     """Modify a field of a pilot.
 
@@ -191,9 +205,23 @@ async def update_pilot_fields(
     # Ensures stamps validity
     pilot_stamps = [mapping.PilotStamp for mapping in pilot_stamps_to_fields_mapping]
     await check_permissions(
-        action=ActionType.MANAGE_PILOTS, pilot_db=pilot_db, pilot_stamps=pilot_stamps
+        action=ActionType.MANAGE_PILOTS, 
+        pilot_db=pilot_db, 
+        pilot_stamps=pilot_stamps,
+        allow_legacy_pilots=True # dirac-admin-add-pilot
     )
 
+    # Prevent someone who stole a pilot X509 to modify thousands of pilots at a time
+    # (It would be still able to modify thousands of pilots, but slower)
+    # We are not able to affirm that this pilots modifies itself
+    if GENERIC_PILOT in user_info.properties:
+        if len(pilot_stamps) != 1:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="As a pilot, you can only modify yourself."
+            )
+
+
     await update_pilots_fields(
         pilot_db=pilot_db,
         pilot_stamps_to_fields_mapping=pilot_stamps_to_fields_mapping,
