PyPI - apache-airflow-providers-fab - Versions diffs - 1.5.3__py3-none-any.whl → 2.0.0__py3-none-any.whl - Mend

apache-airflow-providers-fab 1.5.3py3-none-any.whl → 2.0.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (105) hide show

airflow/providers/fab/auth_manager/security_manager/override.py CHANGED Viewed

@@ -21,16 +21,11 @@ import copy
 import datetime
 import itertools
 import logging
-import os
-import random
 import uuid
-import warnings
-from typing import TYPE_CHECKING, Any, Callable, Collection, Container, Iterable, Mapping, Sequence
+from collections.abc import Collection, Iterable, Mapping
+from typing import TYPE_CHECKING, Any
 import jwt
-import packaging.version
-import re2
-from deprecated import deprecated
 from flask import flash, g, has_request_context, session
 from flask_appbuilder import const
 from flask_appbuilder.const import (
@@ -59,25 +54,21 @@ from flask_appbuilder.security.views import (
     AuthOAuthView,
     AuthOIDView,
     AuthRemoteUserView,
-    AuthView,
     RegisterUserModelView,
 )
-from flask_appbuilder.views import expose
 from flask_babel import lazy_gettext
-from flask_jwt_extended import JWTManager, current_user as current_user_jwt
+from flask_jwt_extended import JWTManager
 from flask_login import LoginManager
 from itsdangerous import want_bytes
 from markupsafe import Markup
-from sqlalchemy import and_, func, inspect, literal, or_, select
+from sqlalchemy import func, inspect, or_, select
 from sqlalchemy.exc import MultipleResultsFound
-from sqlalchemy.orm import Session, joinedload
+from sqlalchemy.orm import joinedload
 from werkzeug.security import check_password_hash, generate_password_hash
-from airflow import __version__ as airflow_version
-from airflow.auth.managers.utils.fab import get_method_from_fab_action_map
 from airflow.configuration import conf
-from airflow.exceptions import AirflowException, AirflowProviderDeprecationWarning, RemovedInAirflow3Warning
-from airflow.models import DagBag, DagModel
+from airflow.exceptions import AirflowException
+from airflow.models import DagBag
 from airflow.providers.fab.auth_manager.models import (
     Action,
     Permission,
@@ -85,7 +76,6 @@ from airflow.providers.fab.auth_manager.models import (
     Resource,
     Role,
     User,
-    assoc_permission_role,
 )
 from airflow.providers.fab.auth_manager.models.anonymous_user import AnonymousUser
 from airflow.providers.fab.auth_manager.security_manager.constants import EXISTING_ROLES
@@ -108,17 +98,24 @@ from airflow.providers.fab.auth_manager.views.user_edit import (
     CustomUserInfoEditView,
 )
 from airflow.providers.fab.auth_manager.views.user_stats import CustomUserStatsChartView
-from airflow.security import permissions
-from airflow.utils.session import NEW_SESSION, provide_session
-from airflow.www.extensions.init_auth_manager import get_auth_manager
-from airflow.www.security_manager import AirflowSecurityManagerV2
-from airflow.www.session import AirflowDatabaseSessionInterface
+from airflow.providers.fab.www.security import permissions
+from airflow.providers.fab.www.security_manager import AirflowSecurityManagerV2
+from airflow.providers.fab.www.session import (
+    AirflowDatabaseSessionInterface,
+    AirflowDatabaseSessionInterface as FabAirflowDatabaseSessionInterface,
+)
+from airflow.security.permissions import RESOURCE_BACKFILL
 if TYPE_CHECKING:
-    from airflow.auth.managers.base_auth_manager import ResourceMethod
-    from airflow.security.permissions import RESOURCE_ASSET
+    from airflow.providers.fab.www.security.permissions import (
+        RESOURCE_ASSET,
+        RESOURCE_ASSET_ALIAS,
+    )
 else:
-    from airflow.providers.common.compat.security.permissions import RESOURCE_ASSET
+    from airflow.providers.common.compat.security.permissions import (
+        RESOURCE_ASSET,
+        RESOURCE_ASSET_ALIAS,
+    )
 log = logging.getLogger(__name__)
@@ -131,29 +128,6 @@ log = logging.getLogger(__name__)
 MAX_NUM_DATABASE_USER_SESSIONS = 50000
-# The following logic patches the logout method within AuthView, so it supports POST method
-# to make CSRF protection effective. It is backward-compatible with Airflow versions <= 2.9.2 as it still
-# allows utilizing the GET method for them.
-# You could remove the patch and configure it when it is supported
-# natively by Flask-AppBuilder (https://github.com/dpgaspar/Flask-AppBuilder/issues/2248)
-if packaging.version.parse(packaging.version.parse(airflow_version).base_version) < packaging.version.parse(
-    "2.10.0"
-):
-    _methods = ["GET", "POST"]
-else:
-    _methods = ["POST"]
-class _ModifiedAuthView(AuthView):
-    @expose("/logout/", methods=_methods)
-    def logout(self):
-        return super().logout()
-for auth_view in [AuthDBView, AuthLDAPView, AuthOAuthView, AuthOIDView, AuthRemoteUserView]:
-    auth_view.__bases__ = (_ModifiedAuthView,)
 class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
     """
     This security manager overrides the default AirflowSecurityManager security manager.
@@ -214,8 +188,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
     jwt_manager = None
     """ Flask-JWT-Extended """
-    oid = None
-    """ Flask-OpenID OpenID """
     oauth = None
     oauth_remotes: dict[str, Any]
     """ Initialized (remote_app) providers dict {'provider_name', OBJ } """
@@ -238,11 +210,14 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_DEPENDENCIES),
         (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_CODE),
         (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_RUN),
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_VERSION),
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_WARNING),
         (permissions.ACTION_CAN_READ, RESOURCE_ASSET),
+        (permissions.ACTION_CAN_READ, RESOURCE_ASSET_ALIAS),
+        (permissions.ACTION_CAN_READ, RESOURCE_BACKFILL),
         (permissions.ACTION_CAN_READ, permissions.RESOURCE_CLUSTER_ACTIVITY),
         (permissions.ACTION_CAN_READ, permissions.RESOURCE_POOL),
         (permissions.ACTION_CAN_READ, permissions.RESOURCE_IMPORT_ERROR),
-        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_WARNING),
         (permissions.ACTION_CAN_READ, permissions.RESOURCE_JOB),
         (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PASSWORD),
         (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_MY_PASSWORD),
@@ -306,8 +281,11 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_VARIABLE),
         (permissions.ACTION_CAN_DELETE, permissions.RESOURCE_VARIABLE),
         (permissions.ACTION_CAN_DELETE, permissions.RESOURCE_XCOM),
-        (permissions.ACTION_CAN_DELETE, RESOURCE_ASSET),
         (permissions.ACTION_CAN_CREATE, RESOURCE_ASSET),
+        (permissions.ACTION_CAN_DELETE, RESOURCE_ASSET),
+        (permissions.ACTION_CAN_CREATE, RESOURCE_BACKFILL),
+        (permissions.ACTION_CAN_EDIT, RESOURCE_BACKFILL),
+        (permissions.ACTION_CAN_DELETE, RESOURCE_BACKFILL),
     ]
     # [END security_op_perms]
@@ -554,7 +532,12 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         return self.update_user(user)
     def reset_user_sessions(self, user: User) -> None:
-        if isinstance(self.appbuilder.get_app.session_interface, AirflowDatabaseSessionInterface):
+        if isinstance(
+            self.appbuilder.get_app.session_interface, AirflowDatabaseSessionInterface
+        ) or isinstance(
+            self.appbuilder.get_app.session_interface,
+            FabAirflowDatabaseSessionInterface,
+        ):
             interface = self.appbuilder.get_app.session_interface
             session = interface.db.session
             user_session_model = interface.sql_session_model
@@ -726,34 +709,11 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         """The JMESPATH role to use for user registration."""
         return self.appbuilder.get_app.config["AUTH_USER_REGISTRATION_ROLE_JMESPATH"]
-    @property
-    def auth_remote_user_env_var(self) -> str:
-        return self.appbuilder.get_app.config["AUTH_REMOTE_USER_ENV_VAR"]
-    @property
-    def api_login_allow_multiple_providers(self):
-        return self.appbuilder.get_app.config["AUTH_API_LOGIN_ALLOW_MULTIPLE_PROVIDERS"]
     @property
     def auth_username_ci(self):
         """Get the auth username for CI."""
         return self.appbuilder.get_app.config.get("AUTH_USERNAME_CI", True)
-    @property
-    def auth_ldap_bind_first(self):
-        """LDAP bind first."""
-        return self.appbuilder.get_app.config["AUTH_LDAP_BIND_FIRST"]
-    @property
-    def openid_providers(self):
-        """Openid providers."""
-        return self.appbuilder.get_app.config["OPENID_PROVIDERS"]
-    @property
-    def auth_type_provider_name(self):
-        provider_to_auth_type = {AUTH_DB: "db", AUTH_LDAP: "ldap"}
-        return provider_to_auth_type.get(self.auth_type)
     @property
     def auth_user_registration(self):
         """Will user self registration be allowed."""
@@ -775,10 +735,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         return self.appbuilder.get_app.config["AUTH_ROLE_ADMIN"]
     @property
-    @deprecated(
-        reason="The 'oauth_whitelists' property is deprecated. Please use 'oauth_allow_list' instead.",
-        category=AirflowProviderDeprecationWarning,
-    )
     def oauth_whitelists(self):
         return self.oauth_allow_list
@@ -791,43 +747,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         """Get the builtin roles."""
         return self._builtin_roles
-    def create_admin_standalone(self) -> tuple[str | None, str | None]:
-        """Create an Admin user with a random password so that users can access airflow."""
-        from airflow.configuration import AIRFLOW_HOME, make_group_other_inaccessible
-        user_name = "admin"
-        # We want a streamlined first-run experience, but we do not want to
-        # use a preset password as people will inevitably run this on a public
-        # server. Thus, we make a random password and store it in AIRFLOW_HOME,
-        # with the reasoning that if you can read that directory, you can see
-        # the database credentials anyway.
-        password_path = os.path.join(AIRFLOW_HOME, "standalone_admin_password.txt")
-        user_exists = self.find_user(user_name) is not None
-        we_know_password = os.path.isfile(password_path)
-        # If the user does not exist, make a random password and make it
-        if not user_exists:
-            print(f"FlaskAppBuilder Authentication Manager: Creating {user_name} user")
-            if (role := self.find_role("Admin")) is None:
-                raise AirflowException("Unable to find role 'Admin'")
-            # password does not contain visually similar characters: ijlIJL1oO0
-            password = "".join(random.choices("abcdefghkmnpqrstuvwxyzABCDEFGHKMNPQRSTUVWXYZ23456789", k=16))
-            with open(password_path, "w") as file:
-                file.write(password)
-            make_group_other_inaccessible(password_path)
-            self.add_user(user_name, "Admin", "User", "admin@example.com", role, password)
-            print(f"FlaskAppBuilder Authentication Manager: Created {user_name} user")
-        # If the user does exist, and we know its password, read the password
-        elif user_exists and we_know_password:
-            with open(password_path) as file:
-                password = file.read().strip()
-        # Otherwise we don't know the password
-        else:
-            password = None
-        return user_name, password
     def _init_config(self):
         """
         Initialize config.
@@ -904,15 +823,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         :meta private:
         """
         app = self.appbuilder.get_app
-        if self.auth_type == AUTH_OID:
-            from flask_openid import OpenID
-            log.warning(
-                "AUTH_OID is deprecated and will be removed in version 5. "
-                "Migrate to other authentication methods."
-            )
-            self.oid = OpenID(app)
         if self.auth_type == AUTH_OAUTH:
             from authlib.integrations.flask_client import OAuth
@@ -985,91 +895,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             log.exception(const.LOGMSG_ERR_SEC_CREATE_DB)
             exit(1)
-    def get_readable_dags(self, user) -> Iterable[DagModel]:
-        """Get the DAGs readable by authenticated user."""
-        warnings.warn(
-            "`get_readable_dags` has been deprecated. Please use `get_auth_manager().get_permitted_dag_ids` "
-            "instead.",
-            RemovedInAirflow3Warning,
-            stacklevel=2,
-        )
-        with warnings.catch_warnings():
-            warnings.simplefilter("ignore", RemovedInAirflow3Warning)
-            return self.get_accessible_dags([permissions.ACTION_CAN_READ], user)
-    def get_editable_dags(self, user) -> Iterable[DagModel]:
-        """Get the DAGs editable by authenticated user."""
-        warnings.warn(
-            "`get_editable_dags` has been deprecated. Please use `get_auth_manager().get_permitted_dag_ids` "
-            "instead.",
-            RemovedInAirflow3Warning,
-            stacklevel=2,
-        )
-        with warnings.catch_warnings():
-            warnings.simplefilter("ignore", RemovedInAirflow3Warning)
-            return self.get_accessible_dags([permissions.ACTION_CAN_EDIT], user)
-    @provide_session
-    def get_accessible_dags(
-        self,
-        user_actions: Container[str] | None,
-        user,
-        session: Session = NEW_SESSION,
-    ) -> Iterable[DagModel]:
-        warnings.warn(
-            "`get_accessible_dags` has been deprecated. Please use "
-            "`get_auth_manager().get_permitted_dag_ids` instead.",
-            RemovedInAirflow3Warning,
-            stacklevel=3,
-        )
-        dag_ids = self.get_accessible_dag_ids(user, user_actions, session)
-        return session.scalars(select(DagModel).where(DagModel.dag_id.in_(dag_ids)))
-    @provide_session
-    def get_accessible_dag_ids(
-        self,
-        user,
-        user_actions: Container[str] | None = None,
-        session: Session = NEW_SESSION,
-    ) -> set[str]:
-        warnings.warn(
-            "`get_accessible_dag_ids` has been deprecated. Please use "
-            "`get_auth_manager().get_permitted_dag_ids` instead.",
-            RemovedInAirflow3Warning,
-            stacklevel=3,
-        )
-        if not user_actions:
-            user_actions = [permissions.ACTION_CAN_EDIT, permissions.ACTION_CAN_READ]
-        method_from_fab_action_map = get_method_from_fab_action_map()
-        user_methods: Container[ResourceMethod] = [
-            method_from_fab_action_map[action]
-            for action in method_from_fab_action_map
-            if action in user_actions
-        ]
-        return get_auth_manager().get_permitted_dag_ids(user=user, methods=user_methods, session=session)
-    @staticmethod
-    def get_readable_dag_ids(user=None) -> set[str]:
-        """Get the DAG IDs readable by authenticated user."""
-        return get_auth_manager().get_permitted_dag_ids(methods=["GET"], user=user)
-    @staticmethod
-    def get_editable_dag_ids(user=None) -> set[str]:
-        """Get the DAG IDs editable by authenticated user."""
-        return get_auth_manager().get_permitted_dag_ids(methods=["PUT"], user=user)
-    def can_access_some_dags(self, action: str, dag_id: str | None = None) -> bool:
-        """Check if user has read or write access to some dags."""
-        if dag_id and dag_id != "~":
-            root_dag_id = self._get_root_dag_id(dag_id)
-            return self.has_access(action, self._resource_name(root_dag_id, permissions.RESOURCE_DAG))
-        user = g.user
-        if action == permissions.ACTION_CAN_READ:
-            return any(self.get_readable_dag_ids(user))
-        return any(self.get_editable_dag_ids(user))
     def get_all_permissions(self) -> set[tuple[str, str]]:
         """Return all permissions as a set of tuples with the action and resource names."""
         return set(
@@ -1096,8 +921,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         dags = dagbag.dags.values()
         for dag in dags:
-            # TODO: Remove this when the minimum version of Airflow is bumped to 3.0
-            root_dag_id = (getattr(dag, "parent_dag", None) or dag).dag_id
+            root_dag_id = dag.dag_id
             for resource_name, resource_values in self.RESOURCE_DETAILS_MAP.items():
                 dag_resource_name = self._resource_name(root_dag_id, resource_name)
                 for action_name in resource_values["actions"]:
@@ -1107,23 +931,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             if dag.access_control is not None:
                 self.sync_perm_for_dag(root_dag_id, dag.access_control)
-    def prefixed_dag_id(self, dag_id: str) -> str:
-        """Return the permission name for a DAG id."""
-        warnings.warn(
-            "`prefixed_dag_id` has been deprecated. "
-            "Please use `airflow.security.permissions.resource_name` instead.",
-            RemovedInAirflow3Warning,
-            stacklevel=2,
-        )
-        root_dag_id = self._get_root_dag_id(dag_id)
-        return self._resource_name(root_dag_id, permissions.RESOURCE_DAG)
-    def is_dag_resource(self, resource_name: str) -> bool:
-        """Determine if a resource belongs to a DAG or all DAGs."""
-        if resource_name == permissions.RESOURCE_DAG:
-            return True
-        return resource_name.startswith(permissions.RESOURCE_DAG_PREFIX)
     def sync_perm_for_dag(
         self,
         dag_id: str,
@@ -1183,7 +990,11 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         def _get_or_create_dag_permission(action_name: str, dag_resource_name: str) -> Permission | None:
             perm = self.get_permission(action_name, dag_resource_name)
             if not perm:
-                self.log.info("Creating new action '%s' on resource '%s'", action_name, dag_resource_name)
+                self.log.info(
+                    "Creating new action '%s' on resource '%s'",
+                    action_name,
+                    dag_resource_name,
+                )
                 perm = self.create_permission(action_name, dag_resource_name)
             return perm
@@ -1268,6 +1079,8 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
                 action = self.create_permission(action_name, resource_name)
                 if self.auth_role_admin not in self.builtin_roles:
                     admin_role = self.find_role(self.auth_role_admin)
+                    if not admin_role:
+                        admin_role = self.add_role(self.auth_role_admin)
                     self.add_permission_to_role(admin_role, action)
         else:
             # Permissions on this view exist but....
@@ -1310,31 +1123,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             role_admin = self.find_role(self.auth_role_admin)
             self.add_permission_to_role(role_admin, perm)
-    def security_cleanup(self, baseviews, menus):
-        """
-        Cleanup all unused permissions from the database.
-        :param baseviews: A list of BaseViews class
-        :param menus: Menu class
-        """
-        resources = self.get_all_resources()
-        roles = self.get_all_roles()
-        for resource in resources:
-            found = False
-            for baseview in baseviews:
-                if resource.name == baseview.class_permission_name:
-                    found = True
-                    break
-            if menus.find(resource.name):
-                found = True
-            if not found:
-                permissions = self.get_resource_permissions(resource)
-                for permission in permissions:
-                    for role in roles:
-                        self.remove_permission_from_role(role, permission)
-                    self.delete_permission(permission.action.name, resource.name)
-                self.delete_resource(resource.name)
     def sync_roles(self) -> None:
         """
         Initialize default and custom roles with related permissions.
@@ -1414,57 +1202,9 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         if deleted_count:
             self.log.info("Deleted %s faulty permissions", deleted_count)
-    def permission_exists_in_one_or_more_roles(
-        self, resource_name: str, action_name: str, role_ids: list[int]
-    ) -> bool:
-        """
-        Efficiently check if a certain permission exists on a list of role ids; used by `has_access`.
-        :param resource_name: The view's name to check if exists on one of the roles
-        :param action_name: The permission name to check if exists
-        :param role_ids: a list of Role ids
-        :return: Boolean
-        """
-        q = (
-            self.appbuilder.get_session.query(self.permission_model)
-            .join(
-                assoc_permission_role,
-                and_(self.permission_model.id == assoc_permission_role.c.permission_view_id),
-            )
-            .join(self.role_model)
-            .join(self.action_model)
-            .join(self.resource_model)
-            .filter(
-                self.resource_model.name == resource_name,
-                self.action_model.name == action_name,
-                self.role_model.id.in_(role_ids),
-            )
-            .exists()
-        )
-        # Special case for MSSQL/Oracle (works on PG and MySQL > 8)
-        # Note: We need to keep MSSQL compatibility as long as this provider package
-        #       might still be updated by Airflow prior 2.9.0 users with MSSQL
-        if self.appbuilder.get_session.bind.dialect.name in ("mssql", "oracle"):
-            return self.appbuilder.get_session.query(literal(True)).filter(q).scalar()
-        return self.appbuilder.get_session.query(q).scalar()
     def perms_include_action(self, perms, action_name):
         return any(perm.action and perm.action.name == action_name for perm in perms)
-    def init_role(self, role_name, perms) -> None:
-        """
-        Initialize the role with actions and related resources.
-        :param role_name:
-        :param perms:
-        """
-        warnings.warn(
-            "`init_role` has been deprecated. Please use `bulk_sync_roles` instead.",
-            RemovedInAirflow3Warning,
-            stacklevel=2,
-        )
-        self.bulk_sync_roles([{"role": role_name, "perms": perms}])
     def bulk_sync_roles(self, roles: Iterable[dict[str, Any]]) -> None:
         """Sync the provided roles and permissions."""
         existing_roles = self._get_all_roles_with_permissions()
@@ -1483,15 +1223,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
                 if perm not in role.permissions:
                     self.add_permission_to_role(role, perm)
-    def sync_resource_permissions(self, perms: Iterable[tuple[str, str]] | None = None) -> None:
-        """Populate resource-based permissions."""
-        if not perms:
-            return
-        for action_name, resource_name in perms:
-            self.create_resource(resource_name)
-            self.create_permission(action_name, resource_name)
     """
     -----------
     Role entity
@@ -1575,7 +1306,10 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
                     if fab_role:
                         _roles.add(fab_role)
                     else:
-                        log.warning("Can't find role specified in AUTH_ROLES_MAPPING: %s", fab_role_name)
+                        log.warning(
+                            "Can't find role specified in AUTH_ROLES_MAPPING: %s",
+                            fab_role_name,
+                        )
         return _roles
     def get_public_role(self):
@@ -1683,13 +1417,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
                 log.error("Multiple results found for user with email %s", email)
                 return None
-    def find_register_user(self, registration_hash):
-        return self.get_session.scalar(
-            select(self.registeruser_mode)
-            .where(self.registeruser_model.registration_hash == registration_hash)
-            .limit(1)
-        )
     def update_user(self, user: User) -> bool:
         try:
             self.get_session.merge(user)
@@ -1839,38 +1566,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
                 self.get_session.rollback()
         return resource
-    def get_all_resources(self) -> list[Resource]:
-        """Get all existing resource records."""
-        return self.get_session.query(self.resource_model).all()
-    def delete_resource(self, name: str) -> bool:
-        """
-        Delete a Resource from the backend.
-        :param name:
-            name of the resource
-        """
-        resource = self.get_resource(name)
-        if not resource:
-            log.warning(const.LOGMSG_WAR_SEC_DEL_VIEWMENU, name)
-            return False
-        try:
-            perms = (
-                self.get_session.query(self.permission_model)
-                .filter(self.permission_model.resource == resource)
-                .all()
-            )
-            if perms:
-                log.warning(const.LOGMSG_WAR_SEC_DEL_VIEWMENU_PVM, resource, perms)
-                return False
-            self.get_session.delete(resource)
-            self.get_session.commit()
-            return True
-        except Exception as e:
-            log.error(const.LOGMSG_ERR_SEC_DEL_PERMISSION, e)
-            self.get_session.rollback()
-            return False
     """
     ---------------
     Permission entity
@@ -2000,13 +1695,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
                 log.error(const.LOGMSG_ERR_SEC_DEL_PERMROLE, e)
                 self.get_session.rollback()
-    def get_oid_identity_url(self, provider_name: str) -> str | None:
-        """Return the OIDC identity provider URL."""
-        for provider in self.openid_providers:
-            if provider.get("name") == provider_name:
-                return provider.get("url")
-        return None
     @staticmethod
     def get_user_roles(user=None):
         """
@@ -2209,6 +1897,20 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
                 log.error(e)
                 return None
+    def check_password(self, username, password) -> bool:
+        """
+        Check if the password is correct for the username.
+        :param username: the username
+        :param password: the password
+        """
+        user = self.find_user(username=username)
+        if user is None:
+            user = self.find_user(email=username)
+        if user is None:
+            return False
+        return check_password_hash(user.password, password)
     def auth_user_db(self, username, password):
         """
         Authenticate user, auth db style.
@@ -2240,31 +1942,99 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             log.info(LOGMSG_WAR_SEC_LOGIN_FAILED, username)
             return None
-    def oauth_user_info_getter(
-        self,
-        func: Callable[[AirflowSecurityManagerV2, str, dict[str, Any] | None], dict[str, Any]],
-    ):
+    def set_oauth_session(self, provider, oauth_response):
+        """Set the current session with OAuth user secrets."""
+        # Get this provider key names for token_key and token_secret
+        token_key = self.get_oauth_token_key_name(provider)
+        token_secret = self.get_oauth_token_secret_name(provider)
+        # Save users token on encrypted session cookie
+        session["oauth"] = (
+            oauth_response[token_key],
+            oauth_response.get(token_secret, ""),
+        )
+        session["oauth_provider"] = provider
+    def get_oauth_token_key_name(self, provider):
         """
-        Get OAuth user info for all the providers.
+        Return the token_key name for the oauth provider.
-        Receives provider and response return a dict with the information returned from the provider.
-        The returned user info dict should have its keys with the same name as the User Model.
+        If none is configured defaults to oauth_token
+        this is configured using OAUTH_PROVIDERS and token_key key.
+        """
+        for _provider in self.oauth_providers:
+            if _provider["name"] == provider:
+                return _provider.get("token_key", "oauth_token")
+    def get_oauth_token_secret_name(self, provider):
+        """
+        Get the ``token_secret`` name for the oauth provider.
+        If none is configured, defaults to ``oauth_secret``. This is configured
+        using ``OAUTH_PROVIDERS`` and ``token_secret``.
+        """
+        for _provider in self.oauth_providers:
+            if _provider["name"] == provider:
+                return _provider.get("token_secret", "oauth_token_secret")
-        Use it like this an example for GitHub ::
+    def auth_user_oauth(self, userinfo):
+        """
+        Authenticate user with OAuth.
-            @appbuilder.sm.oauth_user_info_getter
-            def my_oauth_user_info(sm, provider, response=None):
-                if provider == "github":
-                    me = sm.oauth_remotes[provider].get("user")
-                    return {"username": me.data.get("login")}
-                return {}
+        :userinfo: dict with user information
+                   (keys are the same as User model columns)
         """
+        # extract the username from `userinfo`
+        if "username" in userinfo:
+            username = userinfo["username"]
+        elif "email" in userinfo:
+            username = userinfo["email"]
+        else:
+            log.error("OAUTH userinfo does not have username or email %s", userinfo)
+            return None
-        def wraps(provider: str, response: dict[str, Any] | None = None) -> dict[str, Any]:
-            return func(self, provider, response)
+        # If username is empty, go away
+        if (username is None) or username == "":
+            return None
-        self.oauth_user_info = wraps
-        return wraps
+        # Search the DB for this user
+        user = self.find_user(username=username)
+        # If user is not active, go away
+        if user and (not user.is_active):
+            return None
+        # If user is not registered, and not self-registration, go away
+        if (not user) and (not self.auth_user_registration):
+            return None
+        # Sync the user's roles
+        if user and self.auth_roles_sync_at_login:
+            user.roles = self._oauth_calculate_user_roles(userinfo)
+            log.debug("Calculated new roles for user=%r as: %s", username, user.roles)
+        # If the user is new, register them
+        if (not user) and self.auth_user_registration:
+            user = self.add_user(
+                username=username,
+                first_name=userinfo.get("first_name", ""),
+                last_name=userinfo.get("last_name", ""),
+                email=userinfo.get("email", "") or f"{username}@email.notfound",
+                role=self._oauth_calculate_user_roles(userinfo),
+            )
+            log.debug("New user registered: %s", user)
+            # If user registration failed, go away
+            if not user:
+                log.error("Error creating a new OAuth user %s", username)
+                return None
+        # LOGIN SUCCESS (only if user is now registered)
+        if user:
+            self._rotate_session_id()
+            self.update_user_auth_stat(user)
+            return user
+        else:
+            return None
     def get_oauth_user_info(self, provider: str, resp: dict[str, Any]) -> dict[str, Any]:
         """
@@ -2387,183 +2157,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         log.debug("Token Get: %s", token)
         return token
-    def check_authorization(
-        self,
-        perms: Sequence[tuple[str, str]] | None = None,
-        dag_id: str | None = None,
-    ) -> bool:
-        """Check the logged-in user has the specified permissions."""
-        if not perms:
-            return True
-        for perm in perms:
-            if perm in (
-                (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
-                (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_DAG),
-                (permissions.ACTION_CAN_DELETE, permissions.RESOURCE_DAG),
-            ):
-                can_access_all_dags = self.has_access(*perm)
-                if not can_access_all_dags:
-                    action = perm[0]
-                    if not self.can_access_some_dags(action, dag_id):
-                        return False
-            elif not self.has_access(*perm):
-                return False
-        return True
-    def set_oauth_session(self, provider, oauth_response):
-        """Set the current session with OAuth user secrets."""
-        # Get this provider key names for token_key and token_secret
-        token_key = self.get_oauth_token_key_name(provider)
-        token_secret = self.get_oauth_token_secret_name(provider)
-        # Save users token on encrypted session cookie
-        session["oauth"] = (
-            oauth_response[token_key],
-            oauth_response.get(token_secret, ""),
-        )
-        session["oauth_provider"] = provider
-    def get_oauth_token_key_name(self, provider):
-        """
-        Return the token_key name for the oauth provider.
-        If none is configured defaults to oauth_token
-        this is configured using OAUTH_PROVIDERS and token_key key.
-        """
-        for _provider in self.oauth_providers:
-            if _provider["name"] == provider:
-                return _provider.get("token_key", "oauth_token")
-    def get_oauth_token_secret_name(self, provider):
-        """
-        Get the ``token_secret`` name for the oauth provider.
-        If none is configured, defaults to ``oauth_secret``. This is configured
-        using ``OAUTH_PROVIDERS`` and ``token_secret``.
-        """
-        for _provider in self.oauth_providers:
-            if _provider["name"] == provider:
-                return _provider.get("token_secret", "oauth_token_secret")
-    def auth_user_oauth(self, userinfo):
-        """
-        Authenticate user with OAuth.
-        :userinfo: dict with user information
-                   (keys are the same as User model columns)
-        """
-        # extract the username from `userinfo`
-        if "username" in userinfo:
-            username = userinfo["username"]
-        elif "email" in userinfo:
-            username = userinfo["email"]
-        else:
-            log.error("OAUTH userinfo does not have username or email %s", userinfo)
-            return None
-        # If username is empty, go away
-        if (username is None) or username == "":
-            return None
-        # Search the DB for this user
-        user = self.find_user(username=username)
-        # If user is not active, go away
-        if user and (not user.is_active):
-            return None
-        # If user is not registered, and not self-registration, go away
-        if (not user) and (not self.auth_user_registration):
-            return None
-        # Sync the user's roles
-        if user and self.auth_roles_sync_at_login:
-            user.roles = self._oauth_calculate_user_roles(userinfo)
-            log.debug("Calculated new roles for user=%r as: %s", username, user.roles)
-        # If the user is new, register them
-        if (not user) and self.auth_user_registration:
-            user = self.add_user(
-                username=username,
-                first_name=userinfo.get("first_name", ""),
-                last_name=userinfo.get("last_name", ""),
-                email=userinfo.get("email", "") or f"{username}@email.notfound",
-                role=self._oauth_calculate_user_roles(userinfo),
-            )
-            log.debug("New user registered: %s", user)
-            # If user registration failed, go away
-            if not user:
-                log.error("Error creating a new OAuth user %s", username)
-                return None
-        # LOGIN SUCCESS (only if user is now registered)
-        if user:
-            self._rotate_session_id()
-            self.update_user_auth_stat(user)
-            return user
-        else:
-            return None
-    def auth_user_oid(self, email):
-        """
-        Openid user Authentication.
-        :param email: user's email to authenticate
-        """
-        user = self.find_user(email=email)
-        if user is None or (not user.is_active):
-            log.info(LOGMSG_WAR_SEC_LOGIN_FAILED, email)
-            return None
-        else:
-            self._rotate_session_id()
-            self.update_user_auth_stat(user)
-            return user
-    def auth_user_remote_user(self, username):
-        """
-        REMOTE_USER user Authentication.
-        :param username: user's username for remote auth
-        """
-        user = self.find_user(username=username)
-        # User does not exist, create one if auto user registration.
-        if user is None and self.auth_user_registration:
-            user = self.add_user(
-                # All we have is REMOTE_USER, so we set
-                # the other fields to blank.
-                username=username,
-                first_name=username,
-                last_name="-",
-                email=username + "@email.notfound",
-                role=self.find_role(self.auth_user_registration_role),
-            )
-        # If user does not exist on the DB and not auto user registration,
-        # or user is inactive, go away.
-        elif user is None or (not user.is_active):
-            log.info(LOGMSG_WAR_SEC_LOGIN_FAILED, username)
-            return None
-        self._rotate_session_id()
-        self.update_user_auth_stat(user)
-        return user
-    def get_user_menu_access(self, menu_names: list[str] | None = None) -> set[str]:
-        if get_auth_manager().is_logged_in():
-            return self._get_user_permission_resources(g.user, "menu_access", resource_names=menu_names)
-        elif current_user_jwt:
-            return self._get_user_permission_resources(
-                # the current_user_jwt is a lazy proxy, so we need to ignore type checking
-                current_user_jwt,  # type: ignore[arg-type]
-                "menu_access",
-                resource_names=menu_names,
-            )
-        else:
-            return self._get_user_permission_resources(None, "menu_access", resource_names=menu_names)
     @staticmethod
     def ldap_extract_list(ldap_dict: dict[str, list[bytes]], field_name: str) -> list[str]:
         raw_list = ldap_dict.get(field_name, [])
@@ -2589,7 +2182,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         We need to do this upon successful authentication when using the
         database session backend.
         """
-        if conf.get("webserver", "SESSION_BACKEND") == "database":
+        if conf.get("fab", "SESSION_BACKEND") == "database":
             session.sid = str(uuid.uuid4())
     def _get_microsoft_jwks(self) -> list[dict[str, Any]]:
@@ -2658,7 +2251,10 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         # perform the LDAP search
         log.debug(
-            "LDAP search for %r with fields %s in scope %r", filter_str, request_fields, self.auth_ldap_search
+            "LDAP search for %r with fields %s in scope %r",
+            filter_str,
+            request_fields,
+            self.auth_ldap_search,
         )
         raw_search_result = con.search_s(
             self.auth_ldap_search, ldap.SCOPE_SUBTREE, filter_str, request_fields
@@ -2721,77 +2317,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         return list(user_role_objects)
-    def _oauth_calculate_user_roles(self, userinfo) -> list[str]:
-        user_role_objects = set()
-        # apply AUTH_ROLES_MAPPING
-        if self.auth_roles_mapping:
-            user_role_keys = userinfo.get("role_keys", [])
-            user_role_objects.update(self.get_roles_from_keys(user_role_keys))
-        # apply AUTH_USER_REGISTRATION_ROLE
-        if self.auth_user_registration:
-            registration_role_name = self.auth_user_registration_role
-            # if AUTH_USER_REGISTRATION_ROLE_JMESPATH is set,
-            # use it for the registration role
-            if self.auth_user_registration_role_jmespath:
-                import jmespath
-                registration_role_name = jmespath.search(self.auth_user_registration_role_jmespath, userinfo)
-            # lookup registration role in flask db
-            fab_role = self.find_role(registration_role_name)
-            if fab_role:
-                user_role_objects.add(fab_role)
-            else:
-                log.warning("Can't find AUTH_USER_REGISTRATION role: %s", registration_role_name)
-        return list(user_role_objects)
-    def _get_user_permission_resources(
-        self, user: User | None, action_name: str, resource_names: list[str] | None = None
-    ) -> set[str]:
-        """
-        Get resource names with a certain action name that a user has access to.
-        Mainly used to fetch all menu permissions on a single db call, will also
-        check public permissions and builtin roles
-        """
-        if not resource_names:
-            resource_names = []
-        db_role_ids = []
-        if user is None:
-            # include public role
-            roles = [self.get_public_role()]
-        else:
-            roles = user.roles
-        # First check against builtin (statically configured) roles
-        # because no database query is needed
-        result = set()
-        for role in roles:
-            if role.name in self.builtin_roles:
-                for resource_name in resource_names:
-                    if self._has_access_builtin_roles(role, action_name, resource_name):
-                        result.add(resource_name)
-            else:
-                db_role_ids.append(role.id)
-        # Then check against database-stored roles
-        role_resource_names = [
-            perm.resource.name for perm in self.filter_roles_by_perm_with_action(action_name, db_role_ids)
-        ]
-        result.update(role_resource_names)
-        return result
-    def _has_access_builtin_roles(self, role, action_name: str, resource_name: str) -> bool:
-        """Check permission on builtin role."""
-        perms = self.builtin_roles.get(role.name, [])
-        for _resource_name, _action_name in perms:
-            if re2.match(_resource_name, resource_name) and re2.match(_action_name, action_name):
-                return True
-        return False
     def _merge_perm(self, action_name: str, resource_name: str) -> None:
         """
         Add the new (action, resource) to assoc_permission_role if it doesn't exist.
@@ -2831,7 +2356,11 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             (action_name, resource_name): viewmodel
             for action_name, resource_name, viewmodel in (
                 self.appbuilder.get_session.execute(
-                    select(self.action_model.name, self.resource_model.name, self.permission_model)
+                    select(
+                        self.action_model.name,
+                        self.resource_model.name,
+                        self.permission_model,
+                    )
                     .join(self.permission_model.action)
                     .join(self.permission_model.resource)
                     .where(~self.resource_model.name.like(f"{permissions.RESOURCE_DAG_PREFIX}%"))
@@ -2839,32 +2368,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             )
         }
-    def filter_roles_by_perm_with_action(self, action_name: str, role_ids: list[int]):
-        """Find roles with permission."""
-        return (
-            self.appbuilder.get_session.query(self.permission_model)
-            .join(
-                assoc_permission_role,
-                and_(self.permission_model.id == assoc_permission_role.c.permission_view_id),
-            )
-            .join(self.role_model)
-            .join(self.action_model)
-            .join(self.resource_model)
-            .filter(
-                self.action_model.name == action_name,
-                self.role_model.id.in_(role_ids),
-            )
-        ).all()
-    def _get_root_dag_id(self, dag_id: str) -> str:
-        # TODO: The "root_dag_id" check can be remove when the minimum version of Airflow is bumped to 3.0
-        if "." in dag_id and hasattr(DagModel, "root_dag_id"):
-            dm = self.appbuilder.get_session.execute(
-                select(DagModel.dag_id, DagModel.root_dag_id).where(DagModel.dag_id == dag_id)
-            ).one()
-            return dm.root_dag_id or dm.dag_id
-        return dag_id
     @staticmethod
     def _cli_safe_flash(text: str, level: str) -> None:
         """Show a flash in a web context or prints a message if not."""
@@ -2872,3 +2375,31 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             flash(Markup(text), level)
         else:
             getattr(log, level)(text.replace("<br>", "\n").replace("<b>", "*").replace("</b>", "*"))
+    def _oauth_calculate_user_roles(self, userinfo) -> list[str]:
+        user_role_objects = set()
+        # apply AUTH_ROLES_MAPPING
+        if self.auth_roles_mapping:
+            user_role_keys = userinfo.get("role_keys", [])
+            user_role_objects.update(self.get_roles_from_keys(user_role_keys))
+        # apply AUTH_USER_REGISTRATION_ROLE
+        if self.auth_user_registration:
+            registration_role_name = self.auth_user_registration_role
+            # if AUTH_USER_REGISTRATION_ROLE_JMESPATH is set,
+            # use it for the registration role
+            if self.auth_user_registration_role_jmespath:
+                import jmespath
+                registration_role_name = jmespath.search(self.auth_user_registration_role_jmespath, userinfo)
+            # lookup registration role in flask db
+            fab_role = self.find_role(registration_role_name)
+            if fab_role:
+                user_role_objects.add(fab_role)
+            else:
+                log.warning("Can't find AUTH_USER_REGISTRATION role: %s", registration_role_name)
+        return list(user_role_objects)

apache-airflow-providers-fab 1.5.3__py3-none-any.whl → 2.0.0__py3-none-any.whl

apache-airflow-providers-fab 1.5.3py3-none-any.whl → 2.0.0py3-none-any.whl