apache-airflow-providers-fab 3.0.1__py3-none-any.whl → 3.1.1rc1__py3-none-any.whl

airflow/providers/fab/auth_manager/security_manager/override.py

@@ -67,7 +67,7 @@ from sqlalchemy.orm import joinedload
 from werkzeug.security import check_password_hash, generate_password_hash
 
 from airflow.configuration import conf
-from airflow.exceptions import AirflowException
+from airflow.providers.common.compat.sdk import AirflowException
 from airflow.providers.fab.auth_manager.models import (
     Action,
     Group,
@@ -101,7 +101,6 @@ from airflow.providers.fab.version_compat import AIRFLOW_V_3_1_PLUS
 from airflow.providers.fab.www.security import permissions
 from airflow.providers.fab.www.security_manager import AirflowSecurityManagerV2
 from airflow.providers.fab.www.session import AirflowDatabaseSessionInterface
-from airflow.security.permissions import RESOURCE_BACKFILL
 
 if TYPE_CHECKING:
     from airflow.providers.fab.www.security.permissions import (
@@ -109,7 +108,7 @@ if TYPE_CHECKING:
         RESOURCE_ASSET_ALIAS,
     )
     from airflow.sdk import DAG
-    from airflow.serialization.serialized_objects import SerializedDAG
+    from airflow.serialization.definitions.dag import SerializedDAG
 else:
     from airflow.providers.common.compat.security.permissions import (
         RESOURCE_ASSET,
@@ -124,11 +123,17 @@ if AIRFLOW_V_3_1_PLUS:
         with create_session() as session:
             yield from DBDagBag().iter_all_latest_version_dags(session=session)
 else:
-    from airflow.models.dagbag import DagBag  # type: ignore[attr-defined, no-redef]
+    try:
+        from airflow.models.dagbag import DagBag
+    except (ImportError, AttributeError):
+        DagBag = None
 
     def _iter_dags() -> Iterable[DAG | SerializedDAG]:
-        dagbag = DagBag(read_dags_from_db=True)  # type: ignore[call-arg]
-        dagbag.collect_dags_from_db()  # type: ignore[attr-defined]
+        if DagBag is None:
+            return []
+        dagbag = DagBag(read_dags_from_db=True)
+        if hasattr(dagbag, "collect_dags_from_db"):
+            dagbag.collect_dags_from_db()
         return dagbag.dags.values()
 
 
@@ -230,7 +235,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_WARNING),
         (permissions.ACTION_CAN_READ, RESOURCE_ASSET),
         (permissions.ACTION_CAN_READ, RESOURCE_ASSET_ALIAS),
-        (permissions.ACTION_CAN_READ, RESOURCE_BACKFILL),
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_BACKFILL),
         (permissions.ACTION_CAN_READ, permissions.RESOURCE_CLUSTER_ACTIVITY),
         (permissions.ACTION_CAN_READ, permissions.RESOURCE_POOL),
         (permissions.ACTION_CAN_READ, permissions.RESOURCE_IMPORT_ERROR),
@@ -302,9 +307,9 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         (permissions.ACTION_CAN_DELETE, permissions.RESOURCE_XCOM),
         (permissions.ACTION_CAN_CREATE, RESOURCE_ASSET),
         (permissions.ACTION_CAN_DELETE, RESOURCE_ASSET),
-        (permissions.ACTION_CAN_CREATE, RESOURCE_BACKFILL),
-        (permissions.ACTION_CAN_EDIT, RESOURCE_BACKFILL),
-        (permissions.ACTION_CAN_DELETE, RESOURCE_BACKFILL),
+        (permissions.ACTION_CAN_CREATE, permissions.RESOURCE_BACKFILL),
+        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_BACKFILL),
+        (permissions.ACTION_CAN_DELETE, permissions.RESOURCE_BACKFILL),
     ]
     # [END security_op_perms]
 
@@ -727,6 +732,10 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         """The JMESPATH role to use for user registration."""
         return current_app.config["AUTH_USER_REGISTRATION_ROLE_JMESPATH"]
 
+    @property
+    def auth_remote_user_env_var(self) -> str:
+        return current_app.config["AUTH_REMOTE_USER_ENV_VAR"]
+
     @property
     def auth_username_ci(self):
         """Get the auth username for CI."""
@@ -1039,7 +1048,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
                             self.remove_permission_from_role(role, perm)
 
         # Adding the access control permissions
-        for rolename, resource_actions in access_control.items():
+        for rolename, resource_actions_raw in access_control.items():
             role = self.find_role(rolename)
             if not role:
                 raise AirflowException(
@@ -1047,9 +1056,12 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
                     f"'{rolename}', but that role does not exist"
                 )
 
-            if not isinstance(resource_actions, dict):
-                # Support for old-style access_control where only the actions are specified
-                resource_actions = {permissions.RESOURCE_DAG: set(resource_actions)}
+            # Support for old-style access_control where only the actions are specified
+            resource_actions = (
+                resource_actions_raw
+                if isinstance(resource_actions_raw, dict)
+                else {permissions.RESOURCE_DAG: set(resource_actions_raw)}
+            )
 
             for resource_name, actions in resource_actions.items():
                 if resource_name not in self.RESOURCE_DETAILS_MAP:
@@ -1643,7 +1655,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             return perm
         resource = self.create_resource(resource_name)
         if resource is None:
-            log.error(const.LOGMSG_ERR_SEC_ADD_PERMVIEW, f"Resource creation failed {resource_name}")
+            log.error(const.LOGMSG_ERR_SEC_ADD_PERMVIEW, "Resource creation failed %s", resource_name)
             return None
         action = self.create_action(action_name)
         perm = self.permission_model()
@@ -2006,7 +2018,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             if _provider["name"] == provider:
                 return _provider.get("token_secret", "oauth_token_secret")
 
-    def auth_user_oauth(self, userinfo):
+    def auth_user_oauth(self, userinfo, rotate_session_id=True):
         """
         Authenticate user with OAuth.
 
@@ -2060,7 +2072,8 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
 
         # LOGIN SUCCESS (only if user is now registered)
         if user:
-            self._rotate_session_id()
+            if rotate_session_id:
+                self._rotate_session_id()
             self.update_user_auth_stat(user)
             return user
         return None
@@ -2204,6 +2217,36 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         # decode - if empty string, default to fallback, otherwise take first element
         return raw_value[0].decode("utf-8") or fallback
 
+    def auth_user_remote_user(self, username):
+        """
+        REMOTE_USER user Authentication.
+
+        :param username: user's username for remote auth
+        """
+        user = self.find_user(username=username)
+
+        # User does not exist, create one if auto user registration.
+        if user is None and self.auth_user_registration:
+            user = self.add_user(
+                # All we have is REMOTE_USER, so we set
+                # the other fields to blank.
+                username=username,
+                first_name=username,
+                last_name="-",
+                email=username + "@email.notfound",
+                role=self.find_role(self.auth_user_registration_role),
+            )
+
+        # If user does not exist on the DB and not auto user registration,
+        # or user is inactive, go away.
+        elif user is None or (not user.is_active):
+            log.info(LOGMSG_WAR_SEC_LOGIN_FAILED, username)
+            return None
+
+        self._rotate_session_id()
+        self.update_user_auth_stat(user)
+        return user
+
     """
     ---------------
     Private methods

airflow/providers/fab/version_compat.py

@@ -34,3 +34,4 @@ def get_base_airflow_version_tuple() -> tuple[int, int, int]:
 
 AIRFLOW_V_3_1_PLUS = get_base_airflow_version_tuple() >= (3, 1, 0)
 AIRFLOW_V_3_1_1_PLUS = get_base_airflow_version_tuple() >= (3, 1, 1)
+AIRFLOW_V_3_2_PLUS = get_base_airflow_version_tuple() >= (3, 2, 0)

airflow/providers/fab/www/api_connexion/parameters.py

@@ -17,21 +17,16 @@
 from __future__ import annotations
 
 import logging
-from collections.abc import Callable, Container
+from collections.abc import Callable
 from functools import wraps
 from typing import TYPE_CHECKING, Any, TypeVar, cast
 
-from pendulum.parsing import ParserError
-from sqlalchemy import text
-
 from airflow.configuration import conf
 from airflow.providers.fab.www.api_connexion.exceptions import BadRequest
-from airflow.utils import timezone
 
 if TYPE_CHECKING:
     from datetime import datetime
 
-    from sqlalchemy.sql import Select
 
 log = logging.getLogger(__name__)
 
@@ -42,24 +37,6 @@ def validate_istimezone(value: datetime) -> None:
         raise BadRequest("Invalid datetime format", detail="Naive datetime is disallowed")
 
 
-def format_datetime(value: str) -> datetime:
-    """
-    Format datetime objects.
-
-    Datetime format parser for args since connexion doesn't parse datetimes
-    https://github.com/zalando/connexion/issues/476
-
-    This should only be used within connection views because it raises 400
-    """
-    value = value.strip()
-    if value[-1] != "Z":
-        value = value.replace(" ", "+")
-    try:
-        return timezone.parse(value)
-    except (ParserError, TypeError) as err:
-        raise BadRequest("Incorrect datetime argument", detail=str(err))
-
-
 def check_limit(value: int) -> int:
     """
     Check the limit does not exceed configured value.
@@ -107,25 +84,3 @@ def format_parameters(params_formatters: dict[str, Callable[[Any], Any]]) -> Cal
         return cast("T", wrapped_function)
 
     return format_parameters_decorator
-
-
-def apply_sorting(
-    query: Select,
-    order_by: str,
-    to_replace: dict[str, str] | None = None,
-    allowed_attrs: Container[str] | None = None,
-) -> Select:
-    """Apply sorting to query."""
-    lstriped_orderby = order_by.lstrip("-")
-    if allowed_attrs and lstriped_orderby not in allowed_attrs:
-        raise BadRequest(
-            detail=f"Ordering with '{lstriped_orderby}' is disallowed or "
-            f"the attribute does not exist on the model"
-        )
-    if to_replace:
-        lstriped_orderby = to_replace.get(lstriped_orderby, lstriped_orderby)
-    if order_by[0] == "-":
-        order_by = f"{lstriped_orderby} desc"
-    else:
-        order_by = f"{lstriped_orderby} asc"
-    return query.order_by(text(order_by))

airflow/providers/fab/www/app.py

@@ -18,6 +18,7 @@
 from __future__ import annotations
 
 from datetime import timedelta
+from functools import cache
 from os.path import isabs
 
 from flask import Flask
@@ -30,7 +31,7 @@ from airflow.api_fastapi.app import get_auth_manager
 from airflow.configuration import conf
 from airflow.exceptions import AirflowConfigException
 from airflow.logging_config import configure_logging
-from airflow.providers.fab.www.extensions.init_appbuilder import init_appbuilder
+from airflow.providers.fab.www.extensions.init_appbuilder import AirflowAppBuilder
 from airflow.providers.fab.www.extensions.init_jinja_globals import init_jinja_globals
 from airflow.providers.fab.www.extensions.init_manifest_files import configure_manifest_files
 from airflow.providers.fab.www.extensions.init_security import init_api_auth
@@ -44,8 +45,6 @@ from airflow.providers.fab.www.extensions.init_views import (
 from airflow.providers.fab.www.extensions.init_wsgi_middlewares import init_wsgi_middleware
 from airflow.providers.fab.www.utils import get_session_lifetime_config
 
-app: Flask | None = None
-
 # Initializes at the module level, so plugins can access it.
 # See: /docs/plugins.rst
 csrf = CSRFProtect()
@@ -85,6 +84,8 @@ def create_app(enable_plugins: bool):
     csrf.init_app(flask_app)
 
     db = SQLAlchemy(flask_app)
+    if settings.Session is None:
+        raise RuntimeError("Session not configured. Call configure_orm() first.")
     db.session = settings.Session
 
     configure_logging()
@@ -92,7 +93,12 @@ def create_app(enable_plugins: bool):
     init_api_auth(flask_app)
 
     with flask_app.app_context():
-        init_appbuilder(flask_app, enable_plugins=enable_plugins)
+        AirflowAppBuilder(
+            app=flask_app,
+            session=db.session(),
+            base_template="airflow/main.html",
+            enable_plugins=enable_plugins,
+        )
         init_error_handlers(flask_app)
         # In two scenarios a Flask application can be created:
         # - To support Airflow 2 plugins relying on Flask (``enable_plugins`` is True)
@@ -112,15 +118,12 @@ def create_app(enable_plugins: bool):
     return flask_app
 
 
+@cache
 def cached_app():
     """Return cached instance of Airflow WWW app."""
-    global app
-    if not app:
-        app = create_app()
-    return app
+    return create_app()
 
 
 def purge_cached_app():
     """Remove the cached version of the app in global state."""
-    global app
-    app = None
+    cached_app.cache_clear()

airflow/providers/fab/www/extensions/init_appbuilder.py

@@ -42,7 +42,7 @@ from airflow import settings
 from airflow.api_fastapi.app import create_auth_manager, get_auth_manager
 from airflow.configuration import conf
 from airflow.providers.fab.www.security_manager import AirflowSecurityManagerV2
-from airflow.providers.fab.www.views import FabIndexView
+from airflow.providers.fab.www.views import FabIndexView, redirect
 
 if TYPE_CHECKING:
     from flask import Flask
@@ -216,6 +216,7 @@ class AirflowAppBuilder:
         from airflow.providers.fab.www.views import get_safe_url
 
         fab_sec_views.get_safe_redirect = get_safe_url
+        fab_sec_views.redirect = redirect
 
     def _init_extension(self, app):
         app.appbuilder = self
@@ -473,7 +474,7 @@ class AirflowAppBuilder:
             baseview=baseview,
             cond=cond,
         )
-        if self.app:
+        if current_app:
             self._add_permissions_menu(name)
             if category:
                 self._add_permissions_menu(category)
@@ -592,6 +593,8 @@ class AirflowAppBuilder:
 
 def init_appbuilder(app: Flask, enable_plugins: bool) -> AirflowAppBuilder:
     """Init `Flask App Builder <https://flask-appbuilder.readthedocs.io/en/latest/>`__."""
+    if settings.Session is None:
+        raise RuntimeError("Session not configured. Call configure_orm() first.")
     return AirflowAppBuilder(
         app=app,
         session=settings.Session(),

airflow/providers/fab/www/extensions/init_security.py

@@ -20,7 +20,7 @@ import logging
 from importlib import import_module
 
 from airflow.configuration import conf
-from airflow.exceptions import AirflowException
+from airflow.providers.common.compat.sdk import AirflowException
 
 log = logging.getLogger(__name__)
 

airflow/providers/fab/www/extensions/init_views.py

@@ -26,7 +26,7 @@ from connexion.exceptions import BadRequestProblem, ProblemException
 from flask import request
 
 from airflow.api_fastapi.app import get_auth_manager
-from airflow.providers.fab.version_compat import AIRFLOW_V_3_1_PLUS
+from airflow.providers.fab.version_compat import AIRFLOW_V_3_1_PLUS, AIRFLOW_V_3_2_PLUS
 from airflow.providers.fab.www.api_connexion.exceptions import common_error_handler
 
 if TYPE_CHECKING:
@@ -102,11 +102,17 @@ def init_plugins(app):
     """Integrate Flask and FAB with plugins."""
     from airflow import plugins_manager
 
-    plugins_manager.initialize_flask_plugins()
+    if AIRFLOW_V_3_2_PLUS:
+        blueprints, appbuilder_views, appbuilder_menu_links = plugins_manager.get_flask_plugins()
+    else:
+        plugins_manager.initialize_flask_plugins()  # type: ignore
+        blueprints = plugins_manager.flask_blueprints  # type: ignore
+        appbuilder_views = plugins_manager.flask_appbuilder_views  # type: ignore
+        appbuilder_menu_links = plugins_manager.flask_appbuilder_menu_links  # type: ignore
 
     appbuilder = app.appbuilder
 
-    for view in plugins_manager.flask_appbuilder_views:
+    for view in appbuilder_views:
         name = view.get("name")
         if name:
             filtered_view_kwargs = {k: v for k, v in view.items() if k not in ["view"]}
@@ -124,13 +130,11 @@ def init_plugins(app):
     # Since Airflow 3.1 flask_appbuilder_menu_links are added to the Airflow 3 UI
     # navbar..
     if not AIRFLOW_V_3_1_PLUS:
-        for menu_link in sorted(
-            plugins_manager.flask_appbuilder_menu_links, key=lambda x: (x.get("category", ""), x["name"])
-        ):
+        for menu_link in sorted(appbuilder_menu_links, key=lambda x: (x.get("category", ""), x["name"])):
             log.debug("Adding menu link %s to %s", menu_link["name"], menu_link["href"])
             appbuilder.add_link(**menu_link)
 
-    for blue_print in plugins_manager.flask_blueprints:
+    for blue_print in blueprints:
         log.debug("Adding blueprint %s:%s", blue_print["name"], blue_print["blueprint"].import_name)
         app.register_blueprint(blue_print["blueprint"])