chore(api): remove legacy systemd allowlist

2026-02-27 12:39:34 +01:00
parent b21d2cb2ac
commit 65395cf7e8
1 changed files with 0 additions and 51 deletions
@@ -15,7 +15,6 @@ app = FastAPI(title="Podman MVP Control Plane", root_path="/api")
 SESSION = requests_unixsocket.Session()
 PODMAN_API_BASE = "http+unix://%2Frun%2Fuser%2F1000%2Fpodman%2Fpodman.sock/v5.4.2"
 BASE_DIR = os.path.dirname(os.path.abspath(__file__))
-ALLOWLIST_FILE = os.getenv("ALLOWLIST_FILE", os.path.join(BASE_DIR, "allowed_units.txt"))
 WORKLOADS_DIR = "/app/workloads"

 # --- STATS CACHE (contract-neutral; in-memory) ---
@@ -775,50 +774,6 @@ def inspect_container(name: str):
    return _podman_get_json(f"{PODMAN_API_BASE}/libpod/containers/{name}/json")


-# --- SYSTEMD allowlist ---
-def read_allowlist():
-    units = []
-    if os.path.exists(ALLOWLIST_FILE):
-        with open(ALLOWLIST_FILE, "r") as f:
-            for line in f:
-                u = line.strip()
-                if u and u.endswith(".service"):
-                    units.append(u)
-    return sorted(set(units))
-
-
-def list_unit_files():
-    # fallback (als allowlist leeg is): probeer systemctl list-unit-files
-    code, out = _systemctl(["systemctl", "--user", "list-unit-files", "--type=service", "--no-pager"])
-    if code != 0:
-        return []
-    units = []
-    for line in out.splitlines():
-        parts = line.split()
-        if parts and parts[0].endswith(".service"):
-            units.append(parts[0])
-    return sorted(set(units))
-
-
-def unit_state(unit):
-    # active state
-    _, active = _systemctl(["systemctl", "--user", "is-active", unit])
-    active = active.splitlines()[0].strip() if active else "unknown"
-    # enabled state (kan falen in container-context)
-    code, enabled_out = _systemctl(["systemctl", "--user", "is-enabled", unit])
-    enabled = enabled_out.splitlines()[0].strip() if (enabled_out and code == 0) else "unknown"
-    return active, enabled
-
-
-@app.get("/systemd/allowlist")
-def systemd_allowlist():
-    units = read_allowlist()
-    allow_mode = len(units) > 0
-    if not units:
-        units = list_unit_files()
-    return {"allow_mode": allow_mode, "units": units}
-
-
@app.post("/daemon-reload")
 def api_daemon_reload():
    try:
@@ -836,12 +791,6 @@ def api_daemon_reload():
 def api_action(action: str, unit: str):
    if action not in ("status", "start", "stop", "restart"):
        raise HTTPException(status_code=400, detail="Invalid action")
-
-    units = read_allowlist()
-    allow_mode = len(units) > 0
-    if allow_mode and unit not in units:
-        raise HTTPException(status_code=403, detail="Unit not allowed by allowlist")
-
    cmd = ["systemctl", "--user", action, unit]
    code, out = _run_systemctl_action(action, unit)
    return {"cmd": " ".join(cmd), "exit": code, "output": out}