apache-airflow-providers-fab 1.5.3rc1__py3-none-any.whl → 2.0.0__py3-none-any.whl

airflow/providers/fab/auth_manager/views/permissions.py

@@ -23,7 +23,7 @@ from flask_appbuilder.security.views import (
 )
 from flask_babel import lazy_gettext
 
-from airflow.security import permissions
+from airflow.providers.fab.www.security import permissions
 
 
 class ActionModelView(PermissionModelView):

airflow/providers/fab/auth_manager/views/roles_list.py

@@ -18,7 +18,7 @@ from __future__ import annotations
 
 from flask_appbuilder.security.views import RoleModelView
 
-from airflow.security import permissions
+from airflow.providers.fab.www.security import permissions
 
 
 class CustomRoleModelView(RoleModelView):

airflow/providers/fab/auth_manager/views/user.py

@@ -28,7 +28,7 @@ from flask_appbuilder.security.views import (
     UserRemoteUserModelView,
 )
 
-from airflow.security import permissions
+from airflow.providers.fab.www.security import permissions
 
 
 class MultiResourceUserMixin:

airflow/providers/fab/auth_manager/views/user_edit.py

@@ -22,7 +22,7 @@ from flask_appbuilder.security.views import (
     UserInfoEditView,
 )
 
-from airflow.security import permissions
+from airflow.providers.fab.www.security import permissions
 
 
 class CustomUserInfoEditView(UserInfoEditView):

airflow/providers/fab/auth_manager/views/user_stats.py

@@ -18,7 +18,7 @@ from __future__ import annotations
 
 from flask_appbuilder.security.views import UserStatsChartView
 
-from airflow.security import permissions
+from airflow.providers.fab.www.security import permissions
 
 
 class CustomUserStatsChartView(UserStatsChartView):

airflow/providers/fab/get_provider_info.py

@@ -15,8 +15,7 @@
 # specific language governing permissions and limitations
 # under the License.
 
-# NOTE! THIS FILE IS AUTOMATICALLY GENERATED AND WILL BE
-# OVERWRITTEN WHEN PREPARING PACKAGES.
+# NOTE! THIS FILE IS AUTOMATICALLY GENERATED AND WILL BE OVERWRITTEN!
 #
 # IF YOU WANT TO MODIFY THIS FILE, YOU SHOULD MODIFY THE TEMPLATE
 # `get_provider_info_TEMPLATE.py.jinja2` IN the `dev/breeze/src/airflow_breeze/templates` DIRECTORY
@@ -27,38 +26,6 @@ def get_provider_info():
         "package-name": "apache-airflow-providers-fab",
         "name": "Fab",
         "description": "`Flask App Builder <https://flask-appbuilder.readthedocs.io/>`__\n",
-        "state": "ready",
-        "source-date-epoch": 1738677661,
-        "versions": [
-            "1.5.3",
-            "1.5.2",
-            "1.5.1",
-            "1.5.0",
-            "1.4.1",
-            "1.4.0",
-            "1.3.0",
-            "1.2.2",
-            "1.2.1",
-            "1.2.0",
-            "1.1.1",
-            "1.1.0",
-            "1.0.4",
-            "1.0.3",
-            "1.0.2",
-            "1.0.1",
-            "1.0.0",
-        ],
-        "dependencies": [
-            "apache-airflow>=2.9.0",
-            "apache-airflow-providers-common-compat>=1.2.1",
-            "flask>=2.2,<2.3",
-            "flask-appbuilder==4.5.3",
-            "flask-login>=0.6.2",
-            "google-re2>=1.0",
-            "jmespath>=0.7.0",
-        ],
-        "additional-extras": [{"name": "kerberos", "dependencies": ["kerberos>=1.3.0"]}],
-        "devel-dependencies": ["kerberos>=1.3.0"],
         "config": {
             "fab": {
                 "description": "This section contains configs specific to FAB provider.",
@@ -84,6 +51,34 @@ def get_provider_info():
                         "example": None,
                         "default": "True",
                     },
+                    "auth_backends": {
+                        "description": "Comma separated list of auth backends to authenticate users of the API.\n",
+                        "version_added": "2.0.0",
+                        "type": "string",
+                        "example": None,
+                        "default": "airflow.providers.fab.auth_manager.api.auth.backend.session",
+                    },
+                    "config_file": {
+                        "description": "Path of webserver config file used for configuring the webserver parameters\n",
+                        "version_added": "2.0.0",
+                        "type": "string",
+                        "example": None,
+                        "default": "{AIRFLOW_HOME}/webserver_config.py",
+                    },
+                    "session_backend": {
+                        "description": "The type of backend used to store web session data, can be ``database`` or ``securecookie``. For the\n``database`` backend, sessions are store in the database and they can be\nmanaged there (for example when you reset password of the user, all sessions for that user are\ndeleted). For the ``securecookie`` backend, sessions are stored in encrypted cookies on the client\nside. The ``securecookie`` mechanism is 'lighter' than database backend, but sessions are not\ndeleted when you reset password of the user, which means that other than waiting for expiry time,\nthe only way to invalidate all sessions for a user is to change secret_key and restart webserver\n(which also invalidates and logs out all other user's sessions).\n\nWhen you are using ``database`` backend, make sure to keep your database session table small\nby periodically running ``airflow db clean --table session`` command, especially if you have\nautomated API calls that will create a new session for each call rather than reuse the sessions\nstored in browser cookies.\n",
+                        "version_added": "2.0.0",
+                        "type": "string",
+                        "example": "securecookie",
+                        "default": "database",
+                    },
+                    "session_lifetime_minutes": {
+                        "description": "The UI cookie lifetime in minutes. User will be logged out from UI after\n``[fab] session_lifetime_minutes`` of non-activity\n",
+                        "version_added": "2.0.0",
+                        "type": "integer",
+                        "example": None,
+                        "default": "43200",
+                    },
                 },
             }
         },

airflow/providers/fab/www/airflow_flask_app.py

@@ -0,0 +1,31 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+from typing import TYPE_CHECKING, Any
+
+from flask import Flask
+
+if TYPE_CHECKING:
+    from airflow.models.dagbag import DagBag
+
+
+class AirflowApp(Flask):
+    """Airflow Flask Application."""
+
+    dag_bag: DagBag
+    api_auth: list[Any]

airflow/providers/fab/www/api_connexion/__init__.py

@@ -0,0 +1,17 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.

airflow/providers/fab/www/api_connexion/exceptions.py

@@ -0,0 +1,197 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+from http import HTTPStatus
+from typing import TYPE_CHECKING, Any
+
+import werkzeug
+from connexion import FlaskApi, ProblemException, problem
+
+from airflow.utils.docs import get_docs_url
+
+if TYPE_CHECKING:
+    import flask
+
+doc_link = get_docs_url("stable-rest-api-ref.html")
+
+EXCEPTIONS_LINK_MAP = {
+    400: f"{doc_link}#section/Errors/BadRequest",
+    404: f"{doc_link}#section/Errors/NotFound",
+    405: f"{doc_link}#section/Errors/MethodNotAllowed",
+    401: f"{doc_link}#section/Errors/Unauthenticated",
+    409: f"{doc_link}#section/Errors/AlreadyExists",
+    403: f"{doc_link}#section/Errors/PermissionDenied",
+    500: f"{doc_link}#section/Errors/Unknown",
+}
+
+
+def common_error_handler(exception: BaseException) -> flask.Response:
+    """Use to capture connexion exceptions and add link to the type field."""
+    if isinstance(exception, ProblemException):
+        link = EXCEPTIONS_LINK_MAP.get(exception.status)
+        if link:
+            response = problem(
+                status=exception.status,
+                title=exception.title,
+                detail=exception.detail,
+                type=link,
+                instance=exception.instance,
+                headers=exception.headers,
+                ext=exception.ext,
+            )
+        else:
+            response = problem(
+                status=exception.status,
+                title=exception.title,
+                detail=exception.detail,
+                type=exception.type,
+                instance=exception.instance,
+                headers=exception.headers,
+                ext=exception.ext,
+            )
+    else:
+        if not isinstance(exception, werkzeug.exceptions.HTTPException):
+            exception = werkzeug.exceptions.InternalServerError()
+
+        response = problem(title=exception.name, detail=exception.description, status=exception.code)
+
+    return FlaskApi.get_response(response)
+
+
+class NotFound(ProblemException):
+    """Raise when the object cannot be found."""
+
+    def __init__(
+        self,
+        title: str = "Not Found",
+        detail: str | None = None,
+        headers: dict | None = None,
+        **kwargs: Any,
+    ) -> None:
+        super().__init__(
+            status=HTTPStatus.NOT_FOUND,
+            type=EXCEPTIONS_LINK_MAP[404],
+            title=title,
+            detail=detail,
+            headers=headers,
+            **kwargs,
+        )
+
+
+class BadRequest(ProblemException):
+    """Raise when the server processes a bad request."""
+
+    def __init__(
+        self,
+        title: str = "Bad Request",
+        detail: str | None = None,
+        headers: dict | None = None,
+        **kwargs: Any,
+    ) -> None:
+        super().__init__(
+            status=HTTPStatus.BAD_REQUEST,
+            type=EXCEPTIONS_LINK_MAP[400],
+            title=title,
+            detail=detail,
+            headers=headers,
+            **kwargs,
+        )
+
+
+class Unauthenticated(ProblemException):
+    """Raise when the user is not authenticated."""
+
+    def __init__(
+        self,
+        title: str = "Unauthorized",
+        detail: str | None = None,
+        headers: dict | None = None,
+        **kwargs: Any,
+    ):
+        super().__init__(
+            status=HTTPStatus.UNAUTHORIZED,
+            type=EXCEPTIONS_LINK_MAP[401],
+            title=title,
+            detail=detail,
+            headers=headers,
+            **kwargs,
+        )
+
+
+class PermissionDenied(ProblemException):
+    """Raise when the user does not have the required permissions."""
+
+    def __init__(
+        self,
+        title: str = "Forbidden",
+        detail: str | None = None,
+        headers: dict | None = None,
+        **kwargs: Any,
+    ) -> None:
+        super().__init__(
+            status=HTTPStatus.FORBIDDEN,
+            type=EXCEPTIONS_LINK_MAP[403],
+            title=title,
+            detail=detail,
+            headers=headers,
+            **kwargs,
+        )
+
+
+class Conflict(ProblemException):
+    """Raise when there is some conflict."""
+
+    def __init__(
+        self,
+        title="Conflict",
+        detail: str | None = None,
+        headers: dict | None = None,
+        **kwargs: Any,
+    ):
+        super().__init__(
+            status=HTTPStatus.CONFLICT,
+            type=EXCEPTIONS_LINK_MAP[409],
+            title=title,
+            detail=detail,
+            headers=headers,
+            **kwargs,
+        )
+
+
+class AlreadyExists(Conflict):
+    """Raise when the object already exists."""
+
+
+class Unknown(ProblemException):
+    """Returns a response body and status code for HTTP 500 exception."""
+
+    def __init__(
+        self,
+        title: str = "Internal Server Error",
+        detail: str | None = None,
+        headers: dict | None = None,
+        **kwargs: Any,
+    ) -> None:
+        super().__init__(
+            status=HTTPStatus.INTERNAL_SERVER_ERROR,
+            type=EXCEPTIONS_LINK_MAP[500],
+            title=title,
+            detail=detail,
+            headers=headers,
+            **kwargs,
+        )

airflow/providers/fab/www/api_connexion/parameters.py

@@ -0,0 +1,131 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+import logging
+from collections.abc import Container
+from functools import wraps
+from typing import TYPE_CHECKING, Any, Callable, TypeVar, cast
+
+from pendulum.parsing import ParserError
+from sqlalchemy import text
+
+from airflow.configuration import conf
+from airflow.providers.fab.www.api_connexion.exceptions import BadRequest
+from airflow.utils import timezone
+
+if TYPE_CHECKING:
+    from datetime import datetime
+
+    from sqlalchemy.sql import Select
+
+log = logging.getLogger(__name__)
+
+
+def validate_istimezone(value: datetime) -> None:
+    """Validate that a datetime is not naive."""
+    if not value.tzinfo:
+        raise BadRequest("Invalid datetime format", detail="Naive datetime is disallowed")
+
+
+def format_datetime(value: str) -> datetime:
+    """
+    Format datetime objects.
+
+    Datetime format parser for args since connexion doesn't parse datetimes
+    https://github.com/zalando/connexion/issues/476
+
+    This should only be used within connection views because it raises 400
+    """
+    value = value.strip()
+    if value[-1] != "Z":
+        value = value.replace(" ", "+")
+    try:
+        return timezone.parse(value)
+    except (ParserError, TypeError) as err:
+        raise BadRequest("Incorrect datetime argument", detail=str(err))
+
+
+def check_limit(value: int) -> int:
+    """
+    Check the limit does not exceed configured value.
+
+    This checks the limit passed to view and raises BadRequest if
+    limit exceed user configured value
+    """
+    max_val = conf.getint("api", "maximum_page_limit")  # user configured max page limit
+    fallback = conf.getint("api", "fallback_page_limit")
+
+    if value > max_val:
+        log.warning(
+            "The limit param value %s passed in API exceeds the configured maximum page limit %s",
+            value,
+            max_val,
+        )
+        return max_val
+    if value == 0:
+        return fallback
+    if value < 0:
+        raise BadRequest("Page limit must be a positive integer")
+    return value
+
+
+T = TypeVar("T", bound=Callable)
+
+
+def format_parameters(params_formatters: dict[str, Callable[[Any], Any]]) -> Callable[[T], T]:
+    """
+    Create a decorator to convert parameters using given formatters.
+
+    Using it allows you to separate parameter formatting from endpoint logic.
+
+    :param params_formatters: Map of key name and formatter function
+    """
+
+    def format_parameters_decorator(func: T) -> T:
+        @wraps(func)
+        def wrapped_function(*args, **kwargs):
+            for key, formatter in params_formatters.items():
+                if key in kwargs:
+                    kwargs[key] = formatter(kwargs[key])
+            return func(*args, **kwargs)
+
+        return cast("T", wrapped_function)
+
+    return format_parameters_decorator
+
+
+def apply_sorting(
+    query: Select,
+    order_by: str,
+    to_replace: dict[str, str] | None = None,
+    allowed_attrs: Container[str] | None = None,
+) -> Select:
+    """Apply sorting to query."""
+    lstriped_orderby = order_by.lstrip("-")
+    if allowed_attrs and lstriped_orderby not in allowed_attrs:
+        raise BadRequest(
+            detail=f"Ordering with '{lstriped_orderby}' is disallowed or "
+            f"the attribute does not exist on the model"
+        )
+    if to_replace:
+        lstriped_orderby = to_replace.get(lstriped_orderby, lstriped_orderby)
+    if order_by[0] == "-":
+        order_by = f"{lstriped_orderby} desc"
+    else:
+        order_by = f"{lstriped_orderby} asc"
+    return query.order_by(text(order_by))

airflow/providers/fab/www/api_connexion/security.py

@@ -0,0 +1,84 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+from functools import wraps
+from typing import TYPE_CHECKING, Callable, TypeVar, cast
+
+from flask import Response, current_app
+
+from airflow.api_fastapi.app import get_auth_manager
+from airflow.providers.fab.www.api_connexion.exceptions import PermissionDenied, Unauthenticated
+
+if TYPE_CHECKING:
+    from airflow.api_fastapi.auth.managers.base_auth_manager import ResourceMethod
+    from airflow.providers.fab.www.airflow_flask_app import AirflowApp
+
+T = TypeVar("T", bound=Callable)
+
+
+def check_authentication() -> None:
+    """Check that the request has valid authorization information."""
+    for auth in cast("AirflowApp", current_app).api_auth:
+        response = auth.requires_authentication(Response)()
+        if response.status_code == 200:
+            return
+
+    # since this handler only checks authentication, not authorization,
+    # we should always return 401
+    raise Unauthenticated(headers=response.headers)
+
+
+def _requires_access(*, is_authorized_callback: Callable[[], bool], func: Callable, args, kwargs) -> bool:
+    """
+    Define the behavior whether the user is authorized to access the resource.
+
+    :param is_authorized_callback: callback to execute to figure whether the user is authorized to access
+        the resource
+    :param func: the function to call if the user is authorized
+    :param args: the arguments of ``func``
+    :param kwargs: the keyword arguments ``func``
+
+    :meta private:
+    """
+    check_authentication()
+    if is_authorized_callback():
+        return func(*args, **kwargs)
+    raise PermissionDenied()
+
+
+def requires_access_custom_view(
+    method: ResourceMethod,
+    resource_name: str,
+) -> Callable[[T], T]:
+    def requires_access_decorator(func: T):
+        @wraps(func)
+        def decorated(*args, **kwargs):
+            return _requires_access(
+                is_authorized_callback=lambda: get_auth_manager().is_authorized_custom_view(
+                    method=method,
+                    resource_name=resource_name,
+                    user=get_auth_manager().get_user(),
+                ),
+                func=func,
+                args=args,
+                kwargs=kwargs,
+            )
+
+        return cast("T", decorated)
+
+    return requires_access_decorator

airflow/providers/fab/www/api_connexion/types.py

@@ -0,0 +1,30 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+from collections.abc import Mapping, Sequence
+from typing import Any, Optional, Union
+
+from flask import Response
+
+APIResponse = Union[
+    Response,
+    tuple[object, int],  # For '(NoContent, 201)'.
+    Mapping[str, Any],  # JSON.
+]
+
+UpdateMask = Optional[Sequence[str]]