apache-airflow-providers-fab 2.0.0rc2__py3-none-any.whl → 2.0.0rc4__py3-none-any.whl

airflow/providers/fab/__init__.py

@@ -32,8 +32,8 @@ __all__ = ["__version__"]
 __version__ = "2.0.0"
 
 if packaging.version.parse(packaging.version.parse(airflow_version).base_version) < packaging.version.parse(
-    "3.0.0.dev0"
+    "3.0.0"
 ):
     raise RuntimeError(
-        f"The package `apache-airflow-providers-fab:{__version__}` needs Apache Airflow 3.0.0.dev0+"
+        f"The package `apache-airflow-providers-fab:{__version__}` needs Apache Airflow 3.0.0+"
     )

airflow/providers/fab/auth_manager/cli_commands/utils.py

@@ -51,7 +51,7 @@ def _return_appbuilder(app: Flask) -> AirflowAppBuilder:
 def get_application_builder() -> Generator[AirflowAppBuilder, None, None]:
     static_folder = os.path.join(os.path.dirname(airflow.__file__), "www", "static")
     flask_app = Flask(__name__, static_folder=static_folder)
-    webserver_config = conf.get_mandatory_value("webserver", "config_file")
+    webserver_config = conf.get_mandatory_value("fab", "config_file")
     with flask_app.app_context():
         # Enable customizations in webserver_config.py to be applied via Flask.current_app.
         flask_app.config.from_pyfile(webserver_config, silent=True)

airflow/providers/fab/auth_manager/fab_auth_manager.py

@@ -155,7 +155,7 @@ _MAP_ACCESS_VIEW_TO_FAB_RESOURCE_TYPE = {
 
 _MAP_MENU_ITEM_TO_FAB_RESOURCE_TYPE = {
     MenuItem.ASSETS: RESOURCE_ASSET,
-    MenuItem.ASSET_EVENTS: RESOURCE_ASSET,
+    MenuItem.AUDIT_LOG: RESOURCE_AUDIT_LOG,
     MenuItem.CONNECTIONS: RESOURCE_CONNECTION,
     MenuItem.DAGS: RESOURCE_DAG,
     MenuItem.DOCS: RESOURCE_DOCS,
@@ -181,7 +181,7 @@ class FabAuthManager(BaseAuthManager[User]):
 
     @cached_property
     def apiserver_endpoint(self) -> str:
-        return conf.get("api", "base_url")
+        return conf.get("api", "base_url", fallback="/")
 
     @staticmethod
     def get_cli_commands() -> list[CLICommand]:
@@ -647,6 +647,9 @@ class FabAuthManager(BaseAuthManager[User]):
 
         :meta private:
         """
+        # If the user gets deleted while being logged in
+        if not user:
+            return []
         return getattr(user, "perms") or []
 
     def _get_root_dag_id(self, dag_id: str) -> str:

airflow/providers/fab/auth_manager/security_manager/override.py

@@ -704,6 +704,11 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         """The mapping of auth roles."""
         return self.appbuilder.get_app.config["AUTH_ROLES_MAPPING"]
 
+    @property
+    def auth_user_registration_role_jmespath(self) -> str:
+        """The JMESPATH role to use for user registration."""
+        return self.appbuilder.get_app.config["AUTH_USER_REGISTRATION_ROLE_JMESPATH"]
+
     @property
     def auth_username_ci(self):
         """Get the auth username for CI."""
@@ -729,6 +734,10 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         """Get the admin role."""
         return self.appbuilder.get_app.config["AUTH_ROLE_ADMIN"]
 
+    @property
+    def oauth_whitelists(self):
+        return self.oauth_allow_list
+
     def create_builtin_roles(self):
         """Return FAB builtin roles."""
         return self.appbuilder.get_app.config.get("FAB_ROLES", {})
@@ -1933,6 +1942,100 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             log.info(LOGMSG_WAR_SEC_LOGIN_FAILED, username)
             return None
 
+    def set_oauth_session(self, provider, oauth_response):
+        """Set the current session with OAuth user secrets."""
+        # Get this provider key names for token_key and token_secret
+        token_key = self.get_oauth_token_key_name(provider)
+        token_secret = self.get_oauth_token_secret_name(provider)
+        # Save users token on encrypted session cookie
+        session["oauth"] = (
+            oauth_response[token_key],
+            oauth_response.get(token_secret, ""),
+        )
+        session["oauth_provider"] = provider
+
+    def get_oauth_token_key_name(self, provider):
+        """
+        Return the token_key name for the oauth provider.
+
+        If none is configured defaults to oauth_token
+        this is configured using OAUTH_PROVIDERS and token_key key.
+        """
+        for _provider in self.oauth_providers:
+            if _provider["name"] == provider:
+                return _provider.get("token_key", "oauth_token")
+
+    def get_oauth_token_secret_name(self, provider):
+        """
+        Get the ``token_secret`` name for the oauth provider.
+
+        If none is configured, defaults to ``oauth_secret``. This is configured
+        using ``OAUTH_PROVIDERS`` and ``token_secret``.
+        """
+        for _provider in self.oauth_providers:
+            if _provider["name"] == provider:
+                return _provider.get("token_secret", "oauth_token_secret")
+
+    def auth_user_oauth(self, userinfo):
+        """
+        Authenticate user with OAuth.
+
+        :userinfo: dict with user information
+                   (keys are the same as User model columns)
+        """
+        # extract the username from `userinfo`
+        if "username" in userinfo:
+            username = userinfo["username"]
+        elif "email" in userinfo:
+            username = userinfo["email"]
+        else:
+            log.error("OAUTH userinfo does not have username or email %s", userinfo)
+            return None
+
+        # If username is empty, go away
+        if (username is None) or username == "":
+            return None
+
+        # Search the DB for this user
+        user = self.find_user(username=username)
+
+        # If user is not active, go away
+        if user and (not user.is_active):
+            return None
+
+        # If user is not registered, and not self-registration, go away
+        if (not user) and (not self.auth_user_registration):
+            return None
+
+        # Sync the user's roles
+        if user and self.auth_roles_sync_at_login:
+            user.roles = self._oauth_calculate_user_roles(userinfo)
+            log.debug("Calculated new roles for user=%r as: %s", username, user.roles)
+
+        # If the user is new, register them
+        if (not user) and self.auth_user_registration:
+            user = self.add_user(
+                username=username,
+                first_name=userinfo.get("first_name", ""),
+                last_name=userinfo.get("last_name", ""),
+                email=userinfo.get("email", "") or f"{username}@email.notfound",
+                role=self._oauth_calculate_user_roles(userinfo),
+            )
+            log.debug("New user registered: %s", user)
+
+            # If user registration failed, go away
+            if not user:
+                log.error("Error creating a new OAuth user %s", username)
+                return None
+
+        # LOGIN SUCCESS (only if user is now registered)
+        if user:
+            self._rotate_session_id()
+            self.update_user_auth_stat(user)
+            return user
+        else:
+            return None
+
     def get_oauth_user_info(self, provider: str, resp: dict[str, Any]) -> dict[str, Any]:
         """
         There are different OAuth APIs with different ways to retrieve user info.
@@ -2079,7 +2182,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         We need to do this upon successful authentication when using the
         database session backend.
         """
-        if conf.get("webserver", "SESSION_BACKEND") == "database":
+        if conf.get("fab", "SESSION_BACKEND") == "database":
             session.sid = str(uuid.uuid4())
 
     def _get_microsoft_jwks(self) -> list[dict[str, Any]]:
@@ -2272,3 +2375,31 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             flash(Markup(text), level)
         else:
             getattr(log, level)(text.replace("<br>", "\n").replace("<b>", "*").replace("</b>", "*"))
+
+    def _oauth_calculate_user_roles(self, userinfo) -> list[str]:
+        user_role_objects = set()
+
+        # apply AUTH_ROLES_MAPPING
+        if self.auth_roles_mapping:
+            user_role_keys = userinfo.get("role_keys", [])
+            user_role_objects.update(self.get_roles_from_keys(user_role_keys))
+
+        # apply AUTH_USER_REGISTRATION_ROLE
+        if self.auth_user_registration:
+            registration_role_name = self.auth_user_registration_role
+
+            # if AUTH_USER_REGISTRATION_ROLE_JMESPATH is set,
+            # use it for the registration role
+            if self.auth_user_registration_role_jmespath:
+                import jmespath
+
+                registration_role_name = jmespath.search(self.auth_user_registration_role_jmespath, userinfo)
+
+            # lookup registration role in flask db
+            fab_role = self.find_role(registration_role_name)
+            if fab_role:
+                user_role_objects.add(fab_role)
+            else:
+                log.warning("Can't find AUTH_USER_REGISTRATION role: %s", registration_role_name)
+
+        return list(user_role_objects)

airflow/providers/fab/get_provider_info.py

@@ -26,27 +26,6 @@ def get_provider_info():
         "package-name": "apache-airflow-providers-fab",
         "name": "Fab",
         "description": "`Flask App Builder <https://flask-appbuilder.readthedocs.io/>`__\n",
-        "state": "not-ready",
-        "source-date-epoch": 1741121873,
-        "versions": [
-            "2.0.0",
-            "1.5.2",
-            "1.5.1",
-            "1.5.0",
-            "1.4.1",
-            "1.4.0",
-            "1.3.0",
-            "1.2.2",
-            "1.2.1",
-            "1.2.0",
-            "1.1.1",
-            "1.1.0",
-            "1.0.4",
-            "1.0.3",
-            "1.0.2",
-            "1.0.1",
-            "1.0.0",
-        ],
         "config": {
             "fab": {
                 "description": "This section contains configs specific to FAB provider.",
@@ -74,28 +53,34 @@ def get_provider_info():
                     },
                     "auth_backends": {
                         "description": "Comma separated list of auth backends to authenticate users of the API.\n",
-                        "version_added": "2.3.0",
+                        "version_added": "2.0.0",
                         "type": "string",
                         "example": None,
                         "default": "airflow.providers.fab.auth_manager.api.auth.backend.session",
                     },
+                    "config_file": {
+                        "description": "Path of webserver config file used for configuring the webserver parameters\n",
+                        "version_added": "2.0.0",
+                        "type": "string",
+                        "example": None,
+                        "default": "{AIRFLOW_HOME}/webserver_config.py",
+                    },
+                    "session_backend": {
+                        "description": "The type of backend used to store web session data, can be ``database`` or ``securecookie``. For the\n``database`` backend, sessions are store in the database and they can be\nmanaged there (for example when you reset password of the user, all sessions for that user are\ndeleted). For the ``securecookie`` backend, sessions are stored in encrypted cookies on the client\nside. The ``securecookie`` mechanism is 'lighter' than database backend, but sessions are not\ndeleted when you reset password of the user, which means that other than waiting for expiry time,\nthe only way to invalidate all sessions for a user is to change secret_key and restart webserver\n(which also invalidates and logs out all other user's sessions).\n\nWhen you are using ``database`` backend, make sure to keep your database session table small\nby periodically running ``airflow db clean --table session`` command, especially if you have\nautomated API calls that will create a new session for each call rather than reuse the sessions\nstored in browser cookies.\n",
+                        "version_added": "2.0.0",
+                        "type": "string",
+                        "example": "securecookie",
+                        "default": "database",
+                    },
+                    "session_lifetime_minutes": {
+                        "description": "The UI cookie lifetime in minutes. User will be logged out from UI after\n``[fab] session_lifetime_minutes`` of non-activity\n",
+                        "version_added": "2.0.0",
+                        "type": "integer",
+                        "example": None,
+                        "default": "43200",
+                    },
                 },
             }
         },
         "auth-managers": ["airflow.providers.fab.auth_manager.fab_auth_manager.FabAuthManager"],
-        "dependencies": [
-            "apache-airflow>=3.0.0.dev0",
-            "apache-airflow-providers-common-compat>=1.2.1",
-            "blinker>=1.6.2",
-            "flask>=2.2.1,<2.3",
-            "flask-appbuilder==4.5.3",
-            "flask-login>=0.6.2",
-            "flask-session>=0.4.0,<0.6",
-            "flask-wtf>=1.1.0",
-            "connexion[flask]>=2.14.2,<3.0",
-            "jmespath>=0.7.0",
-            "werkzeug>=2.2,<4",
-        ],
-        "optional-dependencies": {"kerberos": ["kerberos>=1.3.0"]},
-        "devel-dependencies": ["kerberos>=1.3.0", "requests_kerberos>=0.14.0"],
     }

airflow/providers/fab/www/app.py

@@ -17,6 +17,7 @@
 # under the License.
 from __future__ import annotations
 
+from datetime import timedelta
 from os.path import isabs
 
 from flask import Flask
@@ -40,6 +41,7 @@ from airflow.providers.fab.www.extensions.init_views import (
     init_error_handlers,
     init_plugins,
 )
+from airflow.providers.fab.www.utils import get_session_lifetime_config
 
 app: Flask | None = None
 
@@ -56,6 +58,12 @@ def create_app(enable_plugins: bool):
     flask_app.secret_key = conf.get("webserver", "SECRET_KEY")
     flask_app.config["SQLALCHEMY_DATABASE_URI"] = conf.get("database", "SQL_ALCHEMY_CONN")
     flask_app.config["SQLALCHEMY_TRACK_MODIFICATIONS"] = False
+    flask_app.config["PERMANENT_SESSION_LIFETIME"] = timedelta(minutes=get_session_lifetime_config())
+
+    webserver_config = conf.get_mandatory_value("fab", "config_file")
+    # Enable customizations in webserver_config.py to be applied via Flask.current_app.
+    with flask_app.app_context():
+        flask_app.config.from_pyfile(webserver_config, silent=True)
 
     url = make_url(flask_app.config["SQLALCHEMY_DATABASE_URI"])
     if url.drivername == "sqlite" and url.database and not isabs(url.database):

airflow/providers/fab/www/extensions/init_appbuilder.py

@@ -533,6 +533,10 @@ class AirflowAppBuilder:
     def get_url_for_login_with(self, next_url: str | None = None) -> str:
         return get_auth_manager().get_url_login(next_url=next_url)
 
+    @property
+    def get_url_for_login(self):
+        return get_auth_manager().get_url_login()
+
     def get_url_for_locale(self, lang):
         return url_for(
             f"{self.bm.locale_view.endpoint}.{self.bm.locale_view.default_view}",

airflow/providers/fab/www/extensions/init_session.py

@@ -29,7 +29,7 @@ from airflow.providers.fab.www.session import (
 def init_airflow_session_interface(app):
     """Set airflow session interface."""
     config = app.config.copy()
-    selected_backend = conf.get("webserver", "SESSION_BACKEND")
+    selected_backend = conf.get("fab", "SESSION_BACKEND")
     # A bit of a misnomer - normally cookies expire whenever the browser is closed
     # or when they hit their expiry datetime, whichever comes first. "Permanent"
     # cookies only expire when they hit their expiry datetime, and can outlive
@@ -59,6 +59,6 @@ def init_airflow_session_interface(app):
     else:
         raise AirflowConfigException(
             "Unrecognized session backend specified in "
-            f"web_server_session_backend: '{selected_backend}'. Please set "
+            f"[fab] session_backend: '{selected_backend}'. Please set "
             "this to either 'database' or 'securecookie'."
         )