apache-airflow-providers-fab 3.0.0rc1__py3-none-any.whl → 3.1.0rc1__py3-none-any.whl

airflow/providers/fab/auth_manager/security_manager/override.py

@@ -19,6 +19,7 @@ from __future__ import annotations
 
 import copy
 import datetime
+import importlib
 import itertools
 import logging
 import uuid
@@ -59,13 +60,14 @@ from flask_jwt_extended import JWTManager
 from flask_login import LoginManager
 from itsdangerous import want_bytes
 from markupsafe import Markup, escape
+from packaging.version import Version
 from sqlalchemy import delete, func, inspect, or_, select
 from sqlalchemy.exc import MultipleResultsFound
 from sqlalchemy.orm import joinedload
 from werkzeug.security import check_password_hash, generate_password_hash
 
 from airflow.configuration import conf
-from airflow.exceptions import AirflowException
+from airflow.providers.common.compat.sdk import AirflowException
 from airflow.providers.fab.auth_manager.models import (
     Action,
     Group,
@@ -122,11 +124,17 @@ if AIRFLOW_V_3_1_PLUS:
         with create_session() as session:
             yield from DBDagBag().iter_all_latest_version_dags(session=session)
 else:
-    from airflow.models.dagbag import DagBag  # type: ignore[attr-defined, no-redef]
+    try:
+        from airflow.models.dagbag import DagBag
+    except (ImportError, AttributeError):
+        DagBag = None
 
     def _iter_dags() -> Iterable[DAG | SerializedDAG]:
-        dagbag = DagBag(read_dags_from_db=True)  # type: ignore[call-arg]
-        dagbag.collect_dags_from_db()  # type: ignore[attr-defined]
+        if DagBag is None:
+            return []
+        dagbag = DagBag(read_dags_from_db=True)
+        if hasattr(dagbag, "collect_dags_from_db"):
+            dagbag.collect_dags_from_db()
         return dagbag.dags.values()
 
 
@@ -725,6 +733,10 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         """The JMESPATH role to use for user registration."""
         return current_app.config["AUTH_USER_REGISTRATION_ROLE_JMESPATH"]
 
+    @property
+    def auth_remote_user_env_var(self) -> str:
+        return current_app.config["AUTH_REMOTE_USER_ENV_VAR"]
+
     @property
     def auth_username_ci(self):
         """Get the auth username for CI."""
@@ -790,10 +802,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         current_app.config.setdefault("AUTH_ROLES_SYNC_AT_LOGIN", False)
         current_app.config.setdefault("AUTH_API_LOGIN_ALLOW_MULTIPLE_PROVIDERS", False)
 
-        from packaging.version import Version
-        from werkzeug import __version__ as werkzeug_version
-
-        parsed_werkzeug_version = Version(werkzeug_version)
+        parsed_werkzeug_version = Version(importlib.metadata.version("werkzeug"))
         if parsed_werkzeug_version < Version("3.0.0"):
             current_app.config.setdefault("FAB_PASSWORD_HASH_METHOD", "pbkdf2:sha256")
             current_app.config.setdefault(
@@ -1040,7 +1049,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
                             self.remove_permission_from_role(role, perm)
 
         # Adding the access control permissions
-        for rolename, resource_actions in access_control.items():
+        for rolename, resource_actions_raw in access_control.items():
             role = self.find_role(rolename)
             if not role:
                 raise AirflowException(
@@ -1048,9 +1057,12 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
                     f"'{rolename}', but that role does not exist"
                 )
 
-            if not isinstance(resource_actions, dict):
-                # Support for old-style access_control where only the actions are specified
-                resource_actions = {permissions.RESOURCE_DAG: set(resource_actions)}
+            # Support for old-style access_control where only the actions are specified
+            resource_actions = (
+                resource_actions_raw
+                if isinstance(resource_actions_raw, dict)
+                else {permissions.RESOURCE_DAG: set(resource_actions_raw)}
+            )
 
             for resource_name, actions in resource_actions.items():
                 if resource_name not in self.RESOURCE_DETAILS_MAP:
@@ -1644,7 +1656,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             return perm
         resource = self.create_resource(resource_name)
         if resource is None:
-            log.error(const.LOGMSG_ERR_SEC_ADD_PERMVIEW, f"Resource creation failed {resource_name}")
+            log.error(const.LOGMSG_ERR_SEC_ADD_PERMVIEW, "Resource creation failed %s", resource_name)
             return None
         action = self.create_action(action_name)
         perm = self.permission_model()
@@ -2205,6 +2217,36 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         # decode - if empty string, default to fallback, otherwise take first element
         return raw_value[0].decode("utf-8") or fallback
 
+    def auth_user_remote_user(self, username):
+        """
+        REMOTE_USER user Authentication.
+
+        :param username: user's username for remote auth
+        """
+        user = self.find_user(username=username)
+
+        # User does not exist, create one if auto user registration.
+        if user is None and self.auth_user_registration:
+            user = self.add_user(
+                # All we have is REMOTE_USER, so we set
+                # the other fields to blank.
+                username=username,
+                first_name=username,
+                last_name="-",
+                email=username + "@email.notfound",
+                role=self.find_role(self.auth_user_registration_role),
+            )
+
+        # If user does not exist on the DB and not auto user registration,
+        # or user is inactive, go away.
+        elif user is None or (not user.is_active):
+            log.info(LOGMSG_WAR_SEC_LOGIN_FAILED, username)
+            return None
+
+        self._rotate_session_id()
+        self.update_user_auth_stat(user)
+        return user
+
     """
     ---------------
     Private methods

airflow/providers/fab/migrations/versions/{0001_1_4_0_create_ab_tables_if_missing.py → 0000_1_4_0_create_ab_tables_if_missing.py}

@@ -139,8 +139,8 @@ def upgrade() -> None:
         if_not_exists=True,
     )
     with op.batch_alter_table("ab_group_role", schema=None) as batch_op:
-        batch_op.create_index("idx_group_id", ["group_id"], unique=False)
-        batch_op.create_index("idx_group_role_id", ["role_id"], unique=False)
+        batch_op.create_index("idx_group_id", ["group_id"], unique=False, if_not_exists=True)
+        batch_op.create_index("idx_group_role_id", ["role_id"], unique=False, if_not_exists=True)
 
     op.create_table(
         "ab_permission_view",
@@ -175,8 +175,8 @@ def upgrade() -> None:
         if_not_exists=True,
     )
     with op.batch_alter_table("ab_user_group", schema=None) as batch_op:
-        batch_op.create_index("idx_user_group_id", ["group_id"], unique=False)
-        batch_op.create_index("idx_user_id", ["user_id"], unique=False)
+        batch_op.create_index("idx_user_group_id", ["group_id"], unique=False, if_not_exists=True)
+        batch_op.create_index("idx_user_id", ["user_id"], unique=False, if_not_exists=True)
 
     op.create_table(
         "ab_user_role",

airflow/providers/fab/version_compat.py

@@ -33,3 +33,4 @@ def get_base_airflow_version_tuple() -> tuple[int, int, int]:
 
 
 AIRFLOW_V_3_1_PLUS = get_base_airflow_version_tuple() >= (3, 1, 0)
+AIRFLOW_V_3_1_1_PLUS = get_base_airflow_version_tuple() >= (3, 1, 1)

airflow/providers/fab/www/api_connexion/parameters.py

@@ -17,21 +17,16 @@
 from __future__ import annotations
 
 import logging
-from collections.abc import Callable, Container
+from collections.abc import Callable
 from functools import wraps
 from typing import TYPE_CHECKING, Any, TypeVar, cast
 
-from pendulum.parsing import ParserError
-from sqlalchemy import text
-
 from airflow.configuration import conf
 from airflow.providers.fab.www.api_connexion.exceptions import BadRequest
-from airflow.utils import timezone
 
 if TYPE_CHECKING:
     from datetime import datetime
 
-    from sqlalchemy.sql import Select
 
 log = logging.getLogger(__name__)
 
@@ -42,24 +37,6 @@ def validate_istimezone(value: datetime) -> None:
         raise BadRequest("Invalid datetime format", detail="Naive datetime is disallowed")
 
 
-def format_datetime(value: str) -> datetime:
-    """
-    Format datetime objects.
-
-    Datetime format parser for args since connexion doesn't parse datetimes
-    https://github.com/zalando/connexion/issues/476
-
-    This should only be used within connection views because it raises 400
-    """
-    value = value.strip()
-    if value[-1] != "Z":
-        value = value.replace(" ", "+")
-    try:
-        return timezone.parse(value)
-    except (ParserError, TypeError) as err:
-        raise BadRequest("Incorrect datetime argument", detail=str(err))
-
-
 def check_limit(value: int) -> int:
     """
     Check the limit does not exceed configured value.
@@ -107,25 +84,3 @@ def format_parameters(params_formatters: dict[str, Callable[[Any], Any]]) -> Cal
         return cast("T", wrapped_function)
 
     return format_parameters_decorator
-
-
-def apply_sorting(
-    query: Select,
-    order_by: str,
-    to_replace: dict[str, str] | None = None,
-    allowed_attrs: Container[str] | None = None,
-) -> Select:
-    """Apply sorting to query."""
-    lstriped_orderby = order_by.lstrip("-")
-    if allowed_attrs and lstriped_orderby not in allowed_attrs:
-        raise BadRequest(
-            detail=f"Ordering with '{lstriped_orderby}' is disallowed or "
-            f"the attribute does not exist on the model"
-        )
-    if to_replace:
-        lstriped_orderby = to_replace.get(lstriped_orderby, lstriped_orderby)
-    if order_by[0] == "-":
-        order_by = f"{lstriped_orderby} desc"
-    else:
-        order_by = f"{lstriped_orderby} asc"
-    return query.order_by(text(order_by))

airflow/providers/fab/www/app.py

@@ -18,6 +18,7 @@
 from __future__ import annotations
 
 from datetime import timedelta
+from functools import cache
 from os.path import isabs
 
 from flask import Flask
@@ -30,7 +31,7 @@ from airflow.api_fastapi.app import get_auth_manager
 from airflow.configuration import conf
 from airflow.exceptions import AirflowConfigException
 from airflow.logging_config import configure_logging
-from airflow.providers.fab.www.extensions.init_appbuilder import init_appbuilder
+from airflow.providers.fab.www.extensions.init_appbuilder import AirflowAppBuilder
 from airflow.providers.fab.www.extensions.init_jinja_globals import init_jinja_globals
 from airflow.providers.fab.www.extensions.init_manifest_files import configure_manifest_files
 from airflow.providers.fab.www.extensions.init_security import init_api_auth
@@ -44,8 +45,6 @@ from airflow.providers.fab.www.extensions.init_views import (
 from airflow.providers.fab.www.extensions.init_wsgi_middlewares import init_wsgi_middleware
 from airflow.providers.fab.www.utils import get_session_lifetime_config
 
-app: Flask | None = None
-
 # Initializes at the module level, so plugins can access it.
 # See: /docs/plugins.rst
 csrf = CSRFProtect()
@@ -85,6 +84,8 @@ def create_app(enable_plugins: bool):
     csrf.init_app(flask_app)
 
     db = SQLAlchemy(flask_app)
+    if settings.Session is None:
+        raise RuntimeError("Session not configured. Call configure_orm() first.")
     db.session = settings.Session
 
     configure_logging()
@@ -92,7 +93,12 @@ def create_app(enable_plugins: bool):
     init_api_auth(flask_app)
 
     with flask_app.app_context():
-        init_appbuilder(flask_app, enable_plugins=enable_plugins)
+        AirflowAppBuilder(
+            app=flask_app,
+            session=db.session(),
+            base_template="airflow/main.html",
+            enable_plugins=enable_plugins,
+        )
         init_error_handlers(flask_app)
         # In two scenarios a Flask application can be created:
         # - To support Airflow 2 plugins relying on Flask (``enable_plugins`` is True)
@@ -112,15 +118,12 @@ def create_app(enable_plugins: bool):
     return flask_app
 
 
+@cache
 def cached_app():
     """Return cached instance of Airflow WWW app."""
-    global app
-    if not app:
-        app = create_app()
-    return app
+    return create_app()
 
 
 def purge_cached_app():
     """Remove the cached version of the app in global state."""
-    global app
-    app = None
+    cached_app.cache_clear()

airflow/providers/fab/www/extensions/init_appbuilder.py

@@ -42,7 +42,7 @@ from airflow import settings
 from airflow.api_fastapi.app import create_auth_manager, get_auth_manager
 from airflow.configuration import conf
 from airflow.providers.fab.www.security_manager import AirflowSecurityManagerV2
-from airflow.providers.fab.www.views import FabIndexView
+from airflow.providers.fab.www.views import FabIndexView, redirect
 
 if TYPE_CHECKING:
     from flask import Flask
@@ -216,6 +216,7 @@ class AirflowAppBuilder:
         from airflow.providers.fab.www.views import get_safe_url
 
         fab_sec_views.get_safe_redirect = get_safe_url
+        fab_sec_views.redirect = redirect
 
     def _init_extension(self, app):
         app.appbuilder = self
@@ -473,7 +474,7 @@ class AirflowAppBuilder:
             baseview=baseview,
             cond=cond,
         )
-        if self.app:
+        if current_app:
             self._add_permissions_menu(name)
             if category:
                 self._add_permissions_menu(category)
@@ -592,6 +593,8 @@ class AirflowAppBuilder:
 
 def init_appbuilder(app: Flask, enable_plugins: bool) -> AirflowAppBuilder:
     """Init `Flask App Builder <https://flask-appbuilder.readthedocs.io/en/latest/>`__."""
+    if settings.Session is None:
+        raise RuntimeError("Session not configured. Call configure_orm() first.")
     return AirflowAppBuilder(
         app=app,
         session=settings.Session(),

airflow/providers/fab/www/extensions/init_security.py

@@ -20,7 +20,7 @@ import logging
 from importlib import import_module
 
 from airflow.configuration import conf
-from airflow.exceptions import AirflowException
+from airflow.providers.common.compat.sdk import AirflowException
 
 log = logging.getLogger(__name__)