diff --git a/api/services/enterprise/rbac_service.py b/api/services/enterprise/rbac_service.py
index 8b1b3fc25d..bf34447918 100644
--- a/api/services/enterprise/rbac_service.py
+++ b/api/services/enterprise/rbac_service.py
@@ -108,14 +108,17 @@ class AccessMatrixItem(_RBACModel):
 account_ids: list[str] = Field(default_factory=list)
-class ResourceAccessMatrix(_RBACModel):
- resource_type: str
- resource_id: str = ""
+class AppAccessMatrix(_RBACModel):
+ app_id: str = ""
+ items: list[AccessMatrixItem] = Field(default_factory=list)
+
+
+class DatasetAccessMatrix(_RBACModel):
+ dataset_id: str = ""
 items: list[AccessMatrixItem] = Field(default_factory=list)
 class WorkspaceAccessMatrix(_RBACModel):
- resource_type: str
 items: list[AccessMatrixItem] = Field(default_factory=list)
@@ -425,7 +428,7 @@ class RBACService:
 # ------------------------------------------------------------------
 class AppAccess:
 @staticmethod
- def matrix(tenant_id: str, account_id: str | None, app_id: str) -> ResourceAccessMatrix:
+ def matrix(tenant_id: str, account_id: str | None, app_id: str) -> AppAccessMatrix:
 data = _inner_call(
 "GET",
 f"{_INNER_PREFIX}/apps/access-policy",
@@ -433,7 +436,7 @@ class RBACService:
 account_id=account_id,
 params={"app_id": app_id},
 )
- return ResourceAccessMatrix.model_validate(data or {})
+ return AppAccessMatrix.model_validate(data or {})
 @staticmethod
 def list_role_bindings(
@@ -508,7 +511,7 @@ class RBACService:
 # ------------------------------------------------------------------
 class DatasetAccess:
 @staticmethod
- def matrix(tenant_id: str, account_id: str | None, dataset_id: str) -> ResourceAccessMatrix:
+ def matrix(tenant_id: str, account_id: str | None, dataset_id: str) -> DatasetAccessMatrix:
 data = _inner_call(
 "GET",
 f"{_INNER_PREFIX}/datasets/access-policy",
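Review bot: With the required `resource_type` removed, every field left on `AppAccessMatrix`, `DatasetAccessMatrix` and `WorkspaceAccessMatrix` has a default, so an empty payload now validates where the old models rejected it. The `matrix` methods in the hunks at @@ -433 and @@ -516 pass `data or {}` to `model_validate`, which means a missing or empty reply from the inner access-policy endpoint turns into a matrix with `app_id == ""` and no items rather than an error; how callers read an empty matrix is not visible here, but for an authorization lookup an explicit failure is the safer outcome. If `_RBACModel` ignores unknown keys (its config is outside this diff), a peer still sending `resource_id` would be accepted the same way. Consider declaring the ids without a default, `app_id: str` and `dataset_id: str`, or checking in `matrix` that the returned id equals the requested one.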
@@ -516,7 +519,7 @@ class RBACService:
 account_id=account_id,
 params={"dataset_id": dataset_id},
 )
- return ResourceAccessMatrix.model_validate(data or {})
+ return DatasetAccessMatrix.model_validate(data or {})
 @staticmethod
 def list_role_bindings(
diff --git a/api/tests/unit_tests/services/enterprise/test_rbac_service.py b/api/tests/unit_tests/services/enterprise/test_rbac_service.py
index 04640c5037..27ce50b76b 100644
--- a/api/tests/unit_tests/services/enterprise/test_rbac_service.py
+++ b/api/tests/unit_tests/services/enterprise/test_rbac_service.py
@@ -206,12 +206,13 @@ class TestAccessPolicies:
 class TestResourceAccess:
 def test_app_matrix(self, mock_send: MagicMock):
- mock_send.return_value = {"resource_type": "app", "resource_id": "app-1", "items": []}
- svc.RBACService.AppAccess.matrix("tenant-1", "acct-1", "app-1")
+ mock_send.return_value = {"app_id": "app-1", "items": []}
+ out = svc.RBACService.AppAccess.matrix("tenant-1", "acct-1", "app-1")
 call = _call_args(mock_send)
 assert call.method == "GET"
 assert call.endpoint == "/rbac/apps/access-policy"
 assert call.params == {"app_id": "app-1"}
+ assert out.app_id == "app-1"
 def test_app_replace_role_bindings(self, mock_send: MagicMock):
 mock_send.return_value = {"data": []}
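Review bot: The new `assert out.app_id == "app-1"` pins the app model only; none of the visible test hunks exercises `DatasetAccess.matrix`, whose return type changed in the same way. A parallel case would catch a mismatch between `dataset_id` and the key the endpoint sends: `out = svc.RBACService.DatasetAccess.matrix("tenant-1", "acct-1", "ds-1")` followed by `assert out.dataset_id == "ds-1"` (sample values, with the mock returning `{"dataset_id": "ds-1", "items": []}`). Such a test may already exist outside the hunk, which starts inside `TestResourceAccess` and ends inside `test_app_replace_role_bindings`.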
@@ -238,13 +239,21 @@ class TestResourceAccess:
 class TestWorkspaceAccess:
 def test_app_matrix(self, mock_send: MagicMock):
- mock_send.return_value = {"resource_type": "app", "items": []}
+ mock_send.return_value = {"items": []}
 svc.RBACService.WorkspaceAccess.app_matrix("tenant-1")
 call = _call_args(mock_send)
 assert call.method == "GET"
 assert call.endpoint == "/rbac/workspace/apps/access-policy"
 assert call.params is None
+ def test_dataset_matrix(self, mock_send: MagicMock):
+ mock_send.return_value = {"items": []}
+ svc.RBACService.WorkspaceAccess.dataset_matrix("tenant-1")
+ call = _call_args(mock_send)
+ assert call.method == "GET"
+ assert call.endpoint == "/rbac/workspace/datasets/access-policy"
+ assert call.params is None
+
 def test_dataset_replace_role_bindings(self, mock_send: MagicMock):
 mock_send.return_value = {"data": []}
 payload = svc.ReplaceRoleBindings(role_keys=["workspace.editor"])
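Review bot: `test_dataset_matrix` discards the return value, so it checks the outgoing request but not that the reply parses into the workspace matrix model (presumably `WorkspaceAccessMatrix`) now that `resource_type` is gone; the same holds for the edited `test_app_matrix` above it. Binding the result and asserting on it would pin the new shape: `out = svc.RBACService.WorkspaceAccess.dataset_matrix("tenant-1")` and `assert out.items == []`, assuming the method returns that model. The hunk ends inside `test_dataset_replace_role_bindings`, whose body continues outside it.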