Scaffolding: Federation gateway setup#299
Conversation
klpoland
added
feature
klpoland
changed the title
|
Added some dedicated API endpoints, serializers, and signals for federation and configuration that defaults to disabling federation sync. |
klpoland
force-pushed
the
feature-kpoland-federation-gateway-scaffolding
branch
2 times, most recently
from
9f94dfd to
83d51d0
Compare
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
klpoland
force-pushed
the
feature-kpoland-federation-gateway-scaffolding
branch
from
83d51d0 to
4bbcbed
Compare
lucaspar
added
the
migrations
|
|
||
| # Create files | ||
| minio_client = MinioClient() | ||
| minio_client = get_minio_client() |
There was a problem hiding this comment.
Test command calls missing upload method
Low Severity
This commit switches the dev command to get_minio_client(), which returns ObjectStoreFacade with MinIO-compatible methods like fput_object, but the upload loop still calls upload_file. That method is not defined on the facade or delegated MinIO client, so the command fails at runtime when uploading fixtures.
Reviewed by Cursor Bugbot for commit 2c09fae. Configure here.
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 3393c0f. Configure here.
| user=user, | ||
| source=KeySources.FederationSync, | ||
| description="Federation sync service (export endpoints only)", | ||
| ) |
There was a problem hiding this comment.
Command always rotates sync keys
Medium Severity
Each run of create_federation_sync_api_key deletes every existing FederationSync API key for the sync user before creating a new one. Re-running the command invalidates keys already configured in federation-sync without an explicit rotate flag.
Reviewed by Cursor Bugbot for commit 3393c0f. Configure here.
2 participants
Note
Medium Risk
Introduces a new internal export surface and changes global API-key auth/permissions; misconfiguration of CIDRs or operational flags could block sync or widen access, though export is off by default and sync keys are route-scoped.
Overview
Adds gateway-side federation scaffolding so a local
federation-syncservice can pull public metadata and react to changes, controlled byFEDERATION_ENABLEDand related env settings (documented in exampledjango.env).Internal export API is registered under
/api/.../federation/with list/detail endpoints for public finalized datasets and public captures. Responses use newDatasetFederationSerializer/CaptureFederationSerializerpayloads (includingsite_namefromFEDERATION_SITE_NAME). Access requires aFederationSyncAPI key, federation operational checks (sync health URL, Redis ping, presence of sync key), and client IP inFEDERATION_EXPORT_ALLOWED_CIDRS(defaults to private ranges).Change notifications:
post_savesignals on datasets/captures publish created/updated/deleted events to Redis (FEDERATION_EVENTS_CHANNEL) when federation is operational and the record is (or ceases to be) exportable.API key behavior:
APIKeyAuthenticationnow setsrequest.authto theUserAPIKeyobject. A globalDisallowFederationSyncKeypermission blocks sync keys from normal asset APIs; export routes use the inverseIsFederationSyncKey. Newcreate_federation_sync_api_keymanagement command and DB migration extendKeySourceswithfederation_sync.Also includes contract tests against sibling
sds_federationPydantic models, hardening/operational tests, and small dev-tool tweaks (fallow-cross-file-dupes.sh,create_test_filesimport paths).Reviewed by Cursor Bugbot for commit 3393c0f. Bugbot is set up for automated code reviews on this repo. Configure here.