apache-airflow-providers-fab 1.5.3rc1__py3-none-any.whl → 2.0.0b1__py3-none-any.whl

airflow/providers/fab/www/package.json

@@ -0,0 +1,81 @@
+{
+  "name": "airflow-www",
+  "version": "1.0.0",
+  "description": "Apache Airflow is a platform to programmatically author, schedule and monitor workflows.",
+  "scripts": {
+    "test": "jest",
+    "dev": "NODE_ENV=development webpack --watch --progress --devtool eval-cheap-source-map --mode development",
+    "prod": "NODE_ENV=production node --max_old_space_size=4096 ./node_modules/webpack/bin/webpack.js --mode production --progress",
+    "build": "NODE_ENV=production webpack --progress --mode production",
+    "lint": "eslint --ignore-path=.eslintignore --max-warnings=0 --ext .js .",
+    "lint:fix": "eslint --fix --ignore-path=.eslintignore --ext .js .",
+    "format": "yarn prettier --write ."
+  },
+  "author": "Apache",
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/apache/airflow.git"
+  },
+  "homepage": "https://airflow.apache.org/",
+  "keywords": [
+    "big",
+    "data",
+    "workflow",
+    "airflow",
+    "database",
+    "flask"
+  ],
+  "browserslist": {
+    "production": [
+      ">0.2%",
+      "not dead",
+      "not op_mini all"
+    ],
+    "development": [
+      "last 1 chrome version",
+      "last 1 firefox version",
+      "last 1 safari version"
+    ]
+  },
+  "devDependencies": {
+    "@babel/core": "^7.24.7",
+    "@babel/eslint-parser": "^7.24.7",
+    "@babel/plugin-transform-runtime": "^7.24.7",
+    "@babel/preset-env": "^7.24.7",
+    "babel-jest": "^27.3.1",
+    "babel-loader": "^9.1.0",
+    "clean-webpack-plugin": "^3.0.0",
+    "copy-webpack-plugin": "^6.0.3",
+    "css-loader": "5.2.7",
+    "css-minimizer-webpack-plugin": "^4.0.0",
+    "eslint": "^8.6.0",
+    "eslint-config-prettier": "^8.6.0",
+    "eslint-plugin-html": "^6.0.2",
+    "eslint-plugin-import": "^2.27.5",
+    "eslint-plugin-node": "^11.1.0",
+    "eslint-plugin-standard": "^4.0.1",
+    "file-loader": "^6.0.0",
+    "imports-loader": "^1.1.0",
+    "mini-css-extract-plugin": "^1.6.2",
+    "moment": "^2.29.4",
+    "moment-locales-webpack-plugin": "^1.2.0",
+    "prettier": "^2.8.4",
+    "style-loader": "^1.2.1",
+    "stylelint": "^15.10.1",
+    "terser-webpack-plugin": "<6.0.0",
+    "url-loader": "4.1.0",
+    "web-worker": "^1.2.0",
+    "webpack": "^5.94.0",
+    "webpack-cli": "^4.0.0",
+    "webpack-license-plugin": "^4.2.1",
+    "webpack-manifest-plugin": "^4.0.0"
+  },
+  "dependencies": {
+    "jquery-ui": "^1.14.1",
+    "moment-timezone": "^0.5.43"
+  },
+  "resolutions": {
+    "moment-timezone": ">=0.5.35"
+  }
+}

airflow/providers/fab/www/security/__init__.py

@@ -0,0 +1,17 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.

airflow/providers/fab/www/security/permissions.py

@@ -0,0 +1,126 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+from typing import TypedDict
+
+# Resource Constants
+RESOURCE_ACTION = "Permissions"
+RESOURCE_ADMIN_MENU = "Admin"
+RESOURCE_AUDIT_LOG = "Audit Logs"
+RESOURCE_BACKFILL = "Backfills"
+RESOURCE_BROWSE_MENU = "Browse"
+RESOURCE_CONFIG = "Configurations"
+RESOURCE_CONNECTION = "Connections"
+RESOURCE_DAG = "DAGs"
+RESOURCE_DAG_CODE = "DAG Code"
+RESOURCE_DAG_DEPENDENCIES = "DAG Dependencies"
+RESOURCE_DAG_PREFIX = "DAG:"
+RESOURCE_DAG_RUN = "DAG Runs"
+RESOURCE_DAG_RUN_PREFIX = "DAG Run:"
+RESOURCE_DAG_VERSION = "DAG Versions"
+RESOURCE_DAG_WARNING = "DAG Warnings"
+RESOURCE_CLUSTER_ACTIVITY = "Cluster Activity"
+RESOURCE_ASSET = "Assets"
+RESOURCE_ASSET_ALIAS = "Asset Aliases"
+RESOURCE_DOCS = "Documentation"
+RESOURCE_DOCS_MENU = "Docs"
+RESOURCE_IMPORT_ERROR = "ImportError"
+RESOURCE_JOB = "Jobs"
+RESOURCE_MY_PASSWORD = "My Password"
+RESOURCE_MY_PROFILE = "My Profile"
+RESOURCE_PASSWORD = "Passwords"
+RESOURCE_PERMISSION = "Permission Views"  # Refers to a Perm <-> View mapping, not an MVC View.
+RESOURCE_PLUGIN = "Plugins"
+RESOURCE_POOL = "Pools"
+RESOURCE_PROVIDER = "Providers"
+RESOURCE_RESOURCE = "View Menus"
+RESOURCE_ROLE = "Roles"
+RESOURCE_SLA_MISS = "SLA Misses"
+RESOURCE_TASK_INSTANCE = "Task Instances"
+RESOURCE_TASK_LOG = "Task Logs"
+RESOURCE_TASK_RESCHEDULE = "Task Reschedules"
+RESOURCE_TRIGGER = "Triggers"
+RESOURCE_USER = "Users"
+RESOURCE_USER_STATS_CHART = "User Stats Chart"
+RESOURCE_VARIABLE = "Variables"
+RESOURCE_WEBSITE = "Website"
+RESOURCE_XCOM = "XComs"
+
+# Action Constants
+ACTION_CAN_CREATE = "can_create"
+ACTION_CAN_READ = "can_read"
+ACTION_CAN_EDIT = "can_edit"
+ACTION_CAN_DELETE = "can_delete"
+ACTION_CAN_ACCESS_MENU = "menu_access"
+DEPRECATED_ACTION_CAN_DAG_READ = "can_dag_read"
+DEPRECATED_ACTION_CAN_DAG_EDIT = "can_dag_edit"
+
+
+class ResourceDetails(TypedDict):
+    """Details of a resource (actions and prefix)."""
+
+    actions: set[str]
+    prefix: str
+
+
+# Keeping DAG_ACTIONS to keep the compatibility with outdated versions of FAB provider
+DAG_ACTIONS = {ACTION_CAN_READ, ACTION_CAN_EDIT, ACTION_CAN_DELETE}
+
+RESOURCE_DETAILS_MAP = {
+    RESOURCE_DAG: ResourceDetails(
+        actions={ACTION_CAN_READ, ACTION_CAN_EDIT, ACTION_CAN_DELETE}, prefix=RESOURCE_DAG_PREFIX
+    ),
+    RESOURCE_DAG_RUN: ResourceDetails(
+        actions={ACTION_CAN_READ, ACTION_CAN_CREATE, ACTION_CAN_DELETE, ACTION_CAN_ACCESS_MENU},
+        prefix=RESOURCE_DAG_RUN_PREFIX,
+    ),
+}
+PREFIX_LIST = [details["prefix"] for details in RESOURCE_DETAILS_MAP.values()]
+PREFIX_RESOURCES_MAP = {details["prefix"]: resource for resource, details in RESOURCE_DETAILS_MAP.items()}
+
+
+def resource_name(root_dag_id: str, resource: str) -> str:
+    """
+    Return the resource name for a DAG id.
+
+    Note that since a sub-DAG should follow the permission of its
+    parent DAG, you should pass ``DagModel.root_dag_id`` to this function,
+    for a subdag. A normal dag should pass the ``DagModel.dag_id``.
+    """
+    if root_dag_id in RESOURCE_DETAILS_MAP.keys():
+        return root_dag_id
+    if root_dag_id.startswith(tuple(PREFIX_RESOURCES_MAP.keys())):
+        return root_dag_id
+    return f"{RESOURCE_DETAILS_MAP[resource]['prefix']}{root_dag_id}"
+
+
+def resource_name_for_dag(root_dag_id: str) -> str:
+    """
+    Return the resource name for a DAG id.
+
+    Note that since a sub-DAG should follow the permission of its
+    parent DAG, you should pass ``DagModel.root_dag_id`` to this function,
+    for a subdag. A normal dag should pass the ``DagModel.dag_id``.
+
+    Note: This function is kept for backwards compatibility.
+    """
+    if root_dag_id == RESOURCE_DAG:
+        return root_dag_id
+    if root_dag_id.startswith(RESOURCE_DAG_PREFIX):
+        return root_dag_id
+    return f"{RESOURCE_DAG_PREFIX}{root_dag_id}"

airflow/providers/fab/www/security_appless.py

@@ -0,0 +1,44 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+from airflow.providers.fab.auth_manager.security_manager.override import FabAirflowSecurityManagerOverride
+
+if TYPE_CHECKING:
+    from sqlalchemy.orm import Session
+
+
+class FakeAppBuilder:
+    """
+    Stand-in class to replace a Flask App Builder.
+
+    The only purpose is to provide the ``self.appbuilder.get_session`` interface
+    for ``ApplessAirflowSecurityManager`` so it can be used without a real Flask
+    app, which is slow to create.
+    """
+
+    def __init__(self, session: Session | None = None) -> None:
+        self.get_session = session
+
+
+class ApplessAirflowSecurityManager(FabAirflowSecurityManagerOverride):
+    """Security Manager that doesn't need the whole flask app."""
+
+    def __init__(self, session: Session | None = None):
+        self.appbuilder = FakeAppBuilder(session)

airflow/providers/fab/www/security_manager.py

@@ -0,0 +1,122 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+from typing import Callable
+
+from flask import g
+from flask_limiter import Limiter
+from flask_limiter.util import get_remote_address
+
+from airflow.api_fastapi.app import get_auth_manager
+from airflow.providers.fab.www.utils import CustomSQLAInterface, get_method_from_fab_action_map
+from airflow.utils.log.logging_mixin import LoggingMixin
+
+EXISTING_ROLES = {
+    "Admin",
+    "Viewer",
+    "User",
+    "Op",
+    "Public",
+}
+
+
+class AirflowSecurityManagerV2(LoggingMixin):
+    """
+    Minimal security manager needed to run a Flask application.
+
+    This one is used to run the Flask application needed to run Airflow 2 plugins unless Fab auth manager
+    is configured in the environment. In that case, ``FabAirflowSecurityManagerOverride`` is used.
+    """
+
+    def __init__(self, appbuilder) -> None:
+        super().__init__()
+        self.appbuilder = appbuilder
+
+        # Setup Flask-Limiter
+        self.limiter = self.create_limiter()
+
+        # Go and fix up the SQLAInterface used from the stock one to our subclass.
+        # This is needed to support the "hack" where we had to edit
+        # FieldConverter.conversion_table in place in utils
+        for attr in dir(self):
+            if attr.endswith("view"):
+                view = getattr(self, attr, None)
+                if view and getattr(view, "datamodel", None):
+                    view.datamodel = CustomSQLAInterface(view.datamodel.obj)
+
+    @staticmethod
+    def before_request():
+        """Run hook before request."""
+        if hasattr(get_auth_manager(), "get_user"):
+            g.user = get_auth_manager().get_user()
+
+    def create_limiter(self) -> Limiter:
+        app = self.appbuilder.get_app
+        limiter = Limiter(key_func=app.config.get("RATELIMIT_KEY_FUNC", get_remote_address))
+        limiter.init_app(app)
+        return limiter
+
+    def has_access(
+        self, action_name: str, resource_name: str, user=None, resource_pk: str | None = None
+    ) -> bool:
+        """
+        Verify whether a given user could perform a certain action on the given resource.
+
+        Example actions might include can_read, can_write, can_delete, etc.
+
+        This function is called by FAB when accessing a view. See
+        https://github.com/dpgaspar/Flask-AppBuilder/blob/c6fecdc551629e15467fde5d06b4437379d90592/flask_appbuilder/security/decorators.py#L134
+
+        :param action_name: action_name on resource (e.g can_read, can_edit).
+        :param resource_name: name of view-menu or resource.
+        :param user: user
+        :param resource_pk: the resource primary key (e.g. the connection ID)
+        :return: Whether user could perform certain action on the resource.
+        """
+        if not user:
+            user = g.user
+
+        is_authorized_method = self._get_auth_manager_is_authorized_method(resource_name)
+        return is_authorized_method(action_name, resource_pk, user)
+
+    def add_limit_view(self, baseview):
+        if not baseview.limits:
+            return
+
+        for limit in baseview.limits:
+            self.limiter.limit(
+                limit_value=limit.limit_value,
+                key_func=limit.key_func,
+                per_method=limit.per_method,
+                methods=limit.methods,
+                error_message=limit.error_message,
+                exempt_when=limit.exempt_when,
+                override_defaults=limit.override_defaults,
+                deduct_when=limit.deduct_when,
+                on_breach=limit.on_breach,
+                cost=limit.cost,
+            )(baseview.blueprint)
+
+    def _get_auth_manager_is_authorized_method(self, fab_resource_name: str) -> Callable:
+        # The user is trying to access a page specific to the auth manager
+        # (e.g. the user list view in FabAuthManager) or a page defined in a plugin
+        return lambda action, resource_pk, user: get_auth_manager().is_authorized_custom_view(
+            method=get_method_from_fab_action_map().get(action, action),
+            resource_name=fab_resource_name,
+            user=user,
+        )

airflow/providers/fab/www/session.py

@@ -0,0 +1,41 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+from flask import request
+from flask.sessions import SecureCookieSessionInterface
+from flask_session.sessions import SqlAlchemySessionInterface
+
+
+class SessionExemptMixin:
+    """Exempt certain blueprints/paths from autogenerated sessions."""
+
+    def save_session(self, *args, **kwargs):
+        """Prevent creating session from REST API and health requests."""
+        if request.blueprint == "/api/v1":
+            return None
+        if request.path == "/health":
+            return None
+        return super().save_session(*args, **kwargs)
+
+
+class AirflowDatabaseSessionInterface(SessionExemptMixin, SqlAlchemySessionInterface):
+    """Session interface that exempts some routes and stores session data in the database."""
+
+
+class AirflowSecureCookieSessionInterface(SessionExemptMixin, SecureCookieSessionInterface):
+    """Session interface that exempts some routes and stores session data in a signed cookie."""