apache-airflow-providers-fab 2.0.2rc1__py3-none-any.whl → 2.1.0__py3-none-any.whl

airflow/providers/fab/__init__.py

@@ -29,11 +29,11 @@ from airflow import __version__ as airflow_version
 
 __all__ = ["__version__"]
 
-__version__ = "2.0.2"
+__version__ = "2.1.0"
 
 if packaging.version.parse(packaging.version.parse(airflow_version).base_version) < packaging.version.parse(
-    "3.0.0"
+    "3.0.2"
 ):
     raise RuntimeError(
-        f"The package `apache-airflow-providers-fab:{__version__}` needs Apache Airflow 3.0.0+"
+        f"The package `apache-airflow-providers-fab:{__version__}` needs Apache Airflow 3.0.2+"
     )

airflow/providers/fab/auth_manager/api_endpoints/role_and_permission_endpoint.py

@@ -123,6 +123,8 @@ def patch_role(*, role_name: str, update_mask: UpdateMask = None) -> APIResponse
     """Update a role."""
     security_manager = cast("FabAuthManager", get_auth_manager()).security_manager
     body = request.json
+    if body is None:
+        raise BadRequest("Request body is required")
     try:
         data = role_schema.load(body)
     except ValidationError as err:
@@ -156,6 +158,8 @@ def post_role() -> APIResponse:
     """Create a new role."""
     security_manager = cast("FabAuthManager", get_auth_manager()).security_manager
     body = request.json
+    if body is None:
+        raise BadRequest("Request body is required")
     try:
         data = role_schema.load(body)
     except ValidationError as err:

airflow/providers/fab/auth_manager/api_endpoints/user_endpoint.py

@@ -88,6 +88,8 @@ def get_users(*, limit: int, order_by: str = "id", offset: str | None = None) ->
 @requires_access_custom_view("POST", permissions.RESOURCE_USER)
 def post_user() -> APIResponse:
     """Create a new user."""
+    if request.json is None:
+        raise BadRequest("Request body is required")
     try:
         data = user_schema.load(request.json)
     except ValidationError as e:
@@ -131,6 +133,8 @@ def post_user() -> APIResponse:
 @requires_access_custom_view("PUT", permissions.RESOURCE_USER)
 def patch_user(*, username: str, update_mask: UpdateMask = None) -> APIResponse:
     """Update a user."""
+    if request.json is None:
+        raise BadRequest("Request body is required")
     try:
         data = user_schema.load(request.json)
     except ValidationError as e:

airflow/providers/fab/auth_manager/fab_auth_manager.py

@@ -566,7 +566,7 @@ class FabAuthManager(BaseAuthManager[User]):
 
         if details and details.id:
             # Check whether the user has permissions to access a specific DAG
-            resource_dag_name = self._resource_name(details.id, RESOURCE_DAG)
+            resource_dag_name = permissions.resource_name(details.id, RESOURCE_DAG)
             return self._is_authorized(method=method, resource_type=resource_dag_name, user=user)
 
         return False
@@ -592,7 +592,7 @@ class FabAuthManager(BaseAuthManager[User]):
 
         if details and details.id:
             # Check whether the user has permissions to access a specific DAG Run permission on a DAG Level
-            resource_dag_name = self._resource_name(details.id, RESOURCE_DAG_RUN)
+            resource_dag_name = permissions.resource_name(details.id, RESOURCE_DAG_RUN)
             return self._is_authorized(method=method, resource_type=resource_dag_name, user=user)
 
         return False
@@ -624,19 +624,6 @@ class FabAuthManager(BaseAuthManager[User]):
             raise AirflowException(f"Unknown DAG access entity: {dag_access_entity}")
         return _MAP_DAG_ACCESS_ENTITY_TO_FAB_RESOURCE_TYPE[dag_access_entity]
 
-    def _resource_name(self, dag_id: str, resource_type: str) -> str:
-        """
-        Return the FAB resource name for a DAG id.
-
-        :param dag_id: the DAG id
-
-        :meta private:
-        """
-        root_dag_id = self._get_root_dag_id(dag_id)
-        if hasattr(permissions, "resource_name"):
-            return getattr(permissions, "resource_name")(root_dag_id, resource_type)
-        return getattr(permissions, "resource_name_for_dag")(root_dag_id)
-
     @staticmethod
     def _get_user_permissions(user: User):
         """
@@ -651,23 +638,6 @@ class FabAuthManager(BaseAuthManager[User]):
             return []
         return getattr(user, "perms") or []
 
-    def _get_root_dag_id(self, dag_id: str) -> str:
-        """
-        Return the root DAG id in case of sub DAG, return the DAG id otherwise.
-
-        :param dag_id: the DAG id
-
-        :meta private:
-        """
-        if not self.appbuilder:
-            raise AirflowException("AppBuilder is not initialized.")
-
-        if "." in dag_id and hasattr(DagModel, "root_dag_id"):
-            return self.appbuilder.get_session.scalar(
-                select(DagModel.dag_id, DagModel.root_dag_id).where(DagModel.dag_id == dag_id).limit(1)
-            )
-        return dag_id
-
     def _sync_appbuilder_roles(self):
         """
         Sync appbuilder roles to DB.

airflow/providers/fab/auth_manager/models/__init__.py

@@ -102,11 +102,37 @@ assoc_permission_role = Table(
     "ab_permission_view_role",
     Model.metadata,
     Column("id", Integer, primary_key=True),
-    Column("permission_view_id", Integer, ForeignKey("ab_permission_view.id")),
-    Column("role_id", Integer, ForeignKey("ab_role.id")),
+    Column(
+        "permission_view_id",
+        Integer,
+        ForeignKey("ab_permission_view.id", ondelete="CASCADE"),
+    ),
+    Column("role_id", Integer, ForeignKey("ab_role.id", ondelete="CASCADE")),
     UniqueConstraint("permission_view_id", "role_id"),
 )
 
+assoc_user_group = Table(
+    "ab_user_group",
+    Model.metadata,
+    Column("id", Integer, primary_key=True),
+    Column("user_id", Integer, ForeignKey("ab_user.id", ondelete="CASCADE")),
+    Column("group_id", Integer, ForeignKey("ab_group.id", ondelete="CASCADE")),
+    UniqueConstraint("user_id", "group_id"),
+    Index("idx_user_id", "user_id"),
+    Index("idx_user_group_id", "group_id"),
+)
+
+assoc_group_role = Table(
+    "ab_group_role",
+    Model.metadata,
+    Column("id", Integer, primary_key=True),
+    Column("group_id", Integer, ForeignKey("ab_group.id", ondelete="CASCADE")),
+    Column("role_id", Integer, ForeignKey("ab_role.id", ondelete="CASCADE")),
+    UniqueConstraint("group_id", "role_id"),
+    Index("idx_group_id", "group_id"),
+    Index("idx_group_role_id", "role_id"),
+)
+
 
 class Role(Model):
     """Represents a user role to which permissions can be assigned."""
@@ -115,7 +141,29 @@ class Role(Model):
 
     id = Column(Integer, primary_key=True)
     name = Column(String(64), unique=True, nullable=False)
-    permissions = relationship("Permission", secondary=assoc_permission_role, backref="role", lazy="joined")
+    permissions = relationship(
+        "Permission",
+        secondary=assoc_permission_role,
+        backref="role",
+        lazy="joined",
+        passive_deletes=True,
+    )
+
+    def __repr__(self):
+        return self.name
+
+
+class Group(Model):
+    """Represents a user group."""
+
+    __tablename__ = "ab_group"
+
+    id = Column(Integer, primary_key=True)
+    name = Column(String(100), unique=True, nullable=False)
+    label = Column(String(150))
+    description = Column(String(512))
+    users = relationship("User", secondary=assoc_user_group, backref="groups", passive_deletes=True)
+    roles = relationship("Role", secondary=assoc_group_role, backref="groups", passive_deletes=True)
 
     def __repr__(self):
         return self.name
@@ -148,8 +196,8 @@ assoc_user_role = Table(
     "ab_user_role",
     Model.metadata,
     Column("id", Integer, primary_key=True),
-    Column("user_id", Integer, ForeignKey("ab_user.id")),
-    Column("role_id", Integer, ForeignKey("ab_role.id")),
+    Column("user_id", Integer, ForeignKey("ab_user.id", ondelete="CASCADE")),
+    Column("role_id", Integer, ForeignKey("ab_role.id", ondelete="CASCADE")),
     UniqueConstraint("user_id", "role_id"),
 )
 
@@ -170,7 +218,9 @@ class User(Model, BaseUser):
     last_login = Column(DateTime)
     login_count = Column(Integer)
     fail_login_count = Column(Integer)
-    roles = relationship("Role", secondary=assoc_user_role, backref="user", lazy="selectin")
+    roles = relationship(
+        "Role", secondary=assoc_user_role, backref="user", lazy="selectin", passive_deletes=True
+    )
     created_on = Column(DateTime, default=datetime.datetime.now, nullable=True)
     changed_on = Column(DateTime, default=datetime.datetime.now, nullable=True)
 

airflow/providers/fab/auth_manager/models/anonymous_user.py

@@ -37,13 +37,17 @@ class AnonymousUser(AnonymousUserMixin, BaseUser):
         if not self._roles:
             public_role = current_app.config.get("AUTH_ROLE_PUBLIC", None)
             self._roles = {current_app.appbuilder.sm.find_role(public_role)} if public_role else set()
-        return self._roles
+        return list(self._roles)
 
     @roles.setter
     def roles(self, roles):
         self._roles = roles
         self._perms = set()
 
+    @property
+    def groups(self):
+        return []
+
     @property
     def perms(self):
         if not self._perms:

airflow/providers/fab/auth_manager/security_manager/override.py

@@ -55,6 +55,7 @@ from flask_appbuilder.security.views import (
     AuthOIDView,
     AuthRemoteUserView,
     RegisterUserModelView,
+    UserGroupModelView,
 )
 from flask_babel import lazy_gettext
 from flask_jwt_extended import JWTManager
@@ -71,6 +72,7 @@ from airflow.exceptions import AirflowException
 from airflow.models import DagBag
 from airflow.providers.fab.auth_manager.models import (
     Action,
+    Group,
     Permission,
     RegisterUser,
     Resource,
@@ -100,10 +102,7 @@ from airflow.providers.fab.auth_manager.views.user_edit import (
 from airflow.providers.fab.auth_manager.views.user_stats import CustomUserStatsChartView
 from airflow.providers.fab.www.security import permissions
 from airflow.providers.fab.www.security_manager import AirflowSecurityManagerV2
-from airflow.providers.fab.www.session import (
-    AirflowDatabaseSessionInterface,
-    AirflowDatabaseSessionInterface as FabAirflowDatabaseSessionInterface,
-)
+from airflow.providers.fab.www.session import AirflowDatabaseSessionInterface
 from airflow.security.permissions import RESOURCE_BACKFILL
 
 if TYPE_CHECKING:
@@ -149,6 +148,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
     """ Models """
     user_model = User
     role_model = Role
+    group_model = Group
     action_model = Action
     resource_model = Resource
     permission_model = Permission
@@ -173,6 +173,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
     actionmodelview = ActionModelView
     permissionmodelview = PermissionPairModelView
     rolemodelview = CustomRoleModelView
+    groupmodelview = UserGroupModelView
     registeruser_model = RegisterUser
     registerusermodelview = RegisterUserModelView
     resourcemodelview = ResourceModelView
@@ -450,7 +451,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         role_view = self.appbuilder.add_view(
             self.rolemodelview,
             "List Roles",
-            icon="fa-group",
+            icon="fa-user-gear",
             label=lazy_gettext("List Roles"),
             category="Security",
             category_icon="fa-cogs",
@@ -532,12 +533,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         return self.update_user(user)
 
     def reset_user_sessions(self, user: User) -> None:
-        if isinstance(
-            self.appbuilder.get_app.session_interface, AirflowDatabaseSessionInterface
-        ) or isinstance(
-            self.appbuilder.get_app.session_interface,
-            FabAirflowDatabaseSessionInterface,
-        ):
+        if isinstance(self.appbuilder.get_app.session_interface, AirflowDatabaseSessionInterface):
             interface = self.appbuilder.get_app.session_interface
             session = interface.db.session
             user_session_model = interface.sql_session_model
@@ -859,6 +855,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             self.registerusermodelview.datamodel = SQLAInterface(self.registeruser_model)
 
         self.rolemodelview.datamodel = SQLAInterface(self.role_model)
+        self.groupmodelview.datamodel = SQLAInterface(self.group_model)
         self.actionmodelview.datamodel = SQLAInterface(self.action_model)
         self.resourcemodelview.datamodel = SQLAInterface(self.resource_model)
         self.permissionmodelview.datamodel = SQLAInterface(self.permission_model)
@@ -875,7 +872,8 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         try:
             engine = self.get_session.get_bind(mapper=None, clause=None)
             inspector = inspect(engine)
-            if "ab_user" not in inspector.get_table_names():
+            existing_tables = inspector.get_table_names()
+            if "ab_user" not in existing_tables or "ab_group" not in existing_tables:
                 log.info(const.LOGMSG_INF_SEC_NO_DB)
                 Base.metadata.create_all(engine)
                 log.info(const.LOGMSG_INF_SEC_ADD_DB)
@@ -921,15 +919,14 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         dags = dagbag.dags.values()
 
         for dag in dags:
-            root_dag_id = dag.dag_id
             for resource_name, resource_values in self.RESOURCE_DETAILS_MAP.items():
-                dag_resource_name = self._resource_name(root_dag_id, resource_name)
+                dag_resource_name = permissions.resource_name(dag.dag_id, resource_name)
                 for action_name in resource_values["actions"]:
                     if (action_name, dag_resource_name) not in perms:
                         self._merge_perm(action_name, dag_resource_name)
 
             if dag.access_control is not None:
-                self.sync_perm_for_dag(root_dag_id, dag.access_control)
+                self.sync_perm_for_dag(dag.dag_id, dag.access_control)
 
     def sync_perm_for_dag(
         self,
@@ -949,7 +946,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         :return:
         """
         for resource_name, resource_values in self.RESOURCE_DETAILS_MAP.items():
-            dag_resource_name = self._resource_name(dag_id, resource_name)
+            dag_resource_name = permissions.resource_name(dag_id, resource_name)
             for dag_action_name in resource_values["actions"]:
                 self.create_permission(dag_action_name, dag_resource_name)
 
@@ -962,17 +959,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
                 dag_id,
             )
 
-    def _resource_name(self, dag_id: str, resource_name: str) -> str:
-        """
-        Get the resource name from permissions.
-
-        This method is to keep compatibility with new FAB versions
-        running with old airflow versions.
-        """
-        if hasattr(permissions, "resource_name"):
-            return getattr(permissions, "resource_name")(dag_id, resource_name)
-        return getattr(permissions, "resource_name_for_dag")(dag_id)
-
     def _sync_dag_view_permissions(
         self,
         dag_id: str,
@@ -1000,7 +986,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
 
         # Revoking stale permissions for all possible DAG level resources
         for resource_name in self.RESOURCE_DETAILS_MAP.keys():
-            dag_resource_name = self._resource_name(dag_id, resource_name)
+            dag_resource_name = permissions.resource_name(dag_id, resource_name)
             if resource := self.get_resource(dag_resource_name):
                 existing_dag_perms = self.get_resource_permissions(resource)
                 for perm in existing_dag_perms:
@@ -1043,7 +1029,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
                         f"The set of valid resource names is: {self.RESOURCE_DETAILS_MAP.keys()}"
                     )
 
-                dag_resource_name = self._resource_name(dag_id, resource_name)
+                dag_resource_name = permissions.resource_name(dag_id, resource_name)
                 self.log.debug("Syncing DAG-level permissions for DAG '%s'", dag_resource_name)
 
                 invalid_actions = set(actions) - self.RESOURCE_DETAILS_MAP[resource_name]["actions"]
@@ -1323,15 +1309,20 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
 
     def add_user(
         self,
-        username,
-        first_name,
-        last_name,
-        email,
-        role,
-        password="",
-        hashed_password="",
+        username: str,
+        first_name: str,
+        last_name: str,
+        email: str,
+        role: list[Role] | Role | None = None,
+        password: str = "",
+        hashed_password: str = "",
+        groups: list[Group] | None = None,
     ):
         """Create a user."""
+        roles: list[Role] = []
+        if role:
+            roles = role if isinstance(role, list) else [role]
+
         try:
             user = self.user_model()
             user.first_name = first_name
@@ -1340,7 +1331,8 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             user.email = email
             user.active = True
             self.get_session.add(user)
-            user.roles = role if isinstance(role, list) else [role]
+            user.roles = roles
+            user.groups = groups or []
             if hashed_password:
                 user.password = hashed_password
             else:
@@ -1704,7 +1696,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         """
         if user is None:
             user = g.user
-        return user.roles
+        return user.roles + [role for group in user.groups for role in group.roles]
 
     """
     --------------------

airflow/providers/fab/get_provider_info.py

@@ -30,6 +30,20 @@ def get_provider_info():
             "fab": {
                 "description": "This section contains configs specific to FAB provider.",
                 "options": {
+                    "access_denied_message": {
+                        "description": "The message displayed when a user attempts to execute actions beyond their authorised privileges.\n",
+                        "version_added": "2.1.0",
+                        "type": "string",
+                        "example": None,
+                        "default": "Access is Denied",
+                    },
+                    "expose_hostname": {
+                        "description": "Expose hostname in the web server\n",
+                        "version_added": "2.1.0",
+                        "type": "string",
+                        "example": None,
+                        "default": "False",
+                    },
                     "auth_rate_limited": {
                         "description": "Boolean for enabling rate limiting on authentication endpoints.\n",
                         "version_added": "1.0.2",
@@ -79,6 +93,48 @@ def get_provider_info():
                         "example": None,
                         "default": "43200",
                     },
+                    "enable_proxy_fix": {
+                        "description": "Enable werkzeug ``ProxyFix`` middleware for reverse proxy\n",
+                        "version_added": "2.1.0",
+                        "type": "boolean",
+                        "example": None,
+                        "default": "False",
+                    },
+                    "proxy_fix_x_for": {
+                        "description": "Number of values to trust for ``X-Forwarded-For``.\nSee `Werkzeug: X-Forwarded-For Proxy Fix\n<https://werkzeug.palletsprojects.com/en/2.3.x/middleware/proxy_fix/>`__ for more details.\n",
+                        "version_added": "2.1.0",
+                        "type": "integer",
+                        "example": None,
+                        "default": "1",
+                    },
+                    "proxy_fix_x_proto": {
+                        "description": "Number of values to trust for ``X-Forwarded-Proto``.\nSee `Werkzeug: X-Forwarded-For Proxy Fix\n<https://werkzeug.palletsprojects.com/en/2.3.x/middleware/proxy_fix/>`__ for more details.\n",
+                        "version_added": "2.1.0",
+                        "type": "integer",
+                        "example": None,
+                        "default": "1",
+                    },
+                    "proxy_fix_x_host": {
+                        "description": "Number of values to trust for ``X-Forwarded-Host``.\nSee `Werkzeug: X-Forwarded-For Proxy Fix\n<https://werkzeug.palletsprojects.com/en/2.3.x/middleware/proxy_fix/>`__ for more details.\n",
+                        "version_added": "2.1.0",
+                        "type": "integer",
+                        "example": None,
+                        "default": "1",
+                    },
+                    "proxy_fix_x_port": {
+                        "description": "Number of values to trust for ``X-Forwarded-Port``.\nSee `Werkzeug: X-Forwarded-For Proxy Fix\n<https://werkzeug.palletsprojects.com/en/2.3.x/middleware/proxy_fix/>`__ for more details.\n",
+                        "version_added": "2.1.0",
+                        "type": "integer",
+                        "example": None,
+                        "default": "1",
+                    },
+                    "proxy_fix_x_prefix": {
+                        "description": "Number of values to trust for ``X-Forwarded-Prefix``.\nSee `Werkzeug: X-Forwarded-For Proxy Fix\n<https://werkzeug.palletsprojects.com/en/2.3.x/middleware/proxy_fix/>`__ for more details.\n",
+                        "version_added": "2.1.0",
+                        "type": "integer",
+                        "example": None,
+                        "default": "1",
+                    },
                 },
             }
         },

airflow/providers/fab/www/app.py

@@ -41,6 +41,7 @@ from airflow.providers.fab.www.extensions.init_views import (
     init_error_handlers,
     init_plugins,
 )
+from airflow.providers.fab.www.extensions.init_wsgi_middlewares import init_wsgi_middleware
 from airflow.providers.fab.www.utils import get_session_lifetime_config
 
 app: Flask | None = None
@@ -103,6 +104,7 @@ def create_app(enable_plugins: bool):
         init_jinja_globals(flask_app, enable_plugins=enable_plugins)
         init_xframe_protection(flask_app)
         init_airflow_session_interface(flask_app)
+        init_wsgi_middleware(flask_app)
     return flask_app
 
 

airflow/providers/fab/www/auth.py

@@ -61,7 +61,7 @@ log = logging.getLogger(__name__)
 
 
 def get_access_denied_message():
-    return conf.get("webserver", "access_denied_message")
+    return conf.get("fab", "access_denied_message")
 
 
 def has_access_with_pk(f):
@@ -145,7 +145,7 @@ def _has_access(*, is_authorized: bool, func: Callable, args, kwargs):
         return (
             render_template(
                 "airflow/no_roles_permissions.html",
-                hostname=get_hostname() if conf.getboolean("webserver", "EXPOSE_HOSTNAME") else "",
+                hostname=get_hostname() if conf.getboolean("fab", "EXPOSE_HOSTNAME") else "",
                 logout_url=get_fab_auth_manager().get_url_logout(),
             ),
             403,
@@ -217,7 +217,7 @@ def has_access_dag(method: ResourceMethod, access_entity: DagAccessEntity | None
                 return (
                     render_template(
                         "airflow/no_roles_permissions.html",
-                        hostname=get_hostname() if conf.getboolean("webserver", "EXPOSE_HOSTNAME") else "",
+                        hostname=get_hostname() if conf.getboolean("fab", "EXPOSE_HOSTNAME") else "",
                         logout_url=get_auth_manager().get_url_logout(),
                     ),
                     403,

airflow/providers/fab/www/extensions/init_jinja_globals.py

@@ -37,7 +37,7 @@ def init_jinja_globals(app, enable_plugins: bool):
     elif server_timezone == "utc":
         server_timezone = "UTC"
 
-    expose_hostname = conf.getboolean("webserver", "EXPOSE_HOSTNAME")
+    expose_hostname = conf.getboolean("fab", "EXPOSE_HOSTNAME")
     hostname = get_hostname() if expose_hostname else "redact"
 
     try:

airflow/providers/fab/www/extensions/init_wsgi_middlewares.py

@@ -0,0 +1,41 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+from werkzeug.middleware.proxy_fix import ProxyFix
+
+from airflow.configuration import conf
+
+if TYPE_CHECKING:
+    from flask import Flask
+
+
+def init_wsgi_middleware(flask_app: Flask) -> None:
+    """Handle X-Forwarded-* headers and base_url support."""
+    # Apply ProxyFix middleware
+    if conf.getboolean("fab", "ENABLE_PROXY_FIX"):
+        flask_app.wsgi_app = ProxyFix(  # type: ignore
+            flask_app.wsgi_app,
+            x_for=conf.getint("fab", "PROXY_FIX_X_FOR", fallback=1),
+            x_proto=conf.getint("fab", "PROXY_FIX_X_PROTO", fallback=1),
+            x_host=conf.getint("fab", "PROXY_FIX_X_HOST", fallback=1),
+            x_port=conf.getint("fab", "PROXY_FIX_X_PORT", fallback=1),
+            x_prefix=conf.getint("fab", "PROXY_FIX_X_PREFIX", fallback=1),
+        )