argus-alm 0.14.2__py3-none-any.whl → 0.15.2__py3-none-any.whl

argus/backend/service/user.py

@@ -0,0 +1,308 @@
+from datetime import datetime
+import functools
+import hashlib
+import os
+import base64
+from uuid import UUID
+from time import time
+from hashlib import sha384
+
+from flask import current_app, flash, g, redirect, request, session, url_for
+import requests
+from werkzeug.security import generate_password_hash, check_password_hash
+
+from argus.backend.db import ScyllaCluster
+from argus.backend.error_handlers import APIException
+from argus.backend.models.web import User, UserOauthToken, UserRoles, WebFileStorage
+from argus.backend.util.common import FlaskView
+
+
+class UserServiceException(Exception):
+    pass
+
+
+class GithubOrganizationMissingError(Exception):
+    pass
+
+
+class UserService:
+    def __init__(self) -> None:
+        self.cluster = ScyllaCluster.get()
+        self.session = self.cluster.session
+
+    @staticmethod
+    def check_roles(roles: list[UserRoles] | UserRoles, user: User) -> bool:
+        if not user:
+            return False
+        if isinstance(roles, str):
+            return roles in user.roles
+        elif isinstance(roles, list):
+            for role in roles:
+                if role in user.roles:
+                    return True
+        return False
+
+    def github_callback(self, req_code: str) -> dict | None:
+        if "gh" not in current_app.config.get("LOGIN_METHODS", []):
+            raise UserServiceException("Github Login is disabled")
+        oauth_response = requests.post(
+            "https://github.com/login/oauth/access_token",
+            headers={
+                "Accept": "application/json",
+            },
+            params={
+                "code": req_code,
+                "client_id": current_app.config.get("GITHUB_CLIENT_ID"),
+                "client_secret": current_app.config.get("GITHUB_CLIENT_SECRET"),
+            }
+        )
+
+        oauth_data = oauth_response.json()
+
+        user_info = requests.get(
+            "https://api.github.com/user",
+            headers={
+                "Accept": "application/json",
+                "Authorization": f"token {oauth_data.get('access_token')}"
+            }
+        ).json()
+        email_info = requests.get(
+            "https://api.github.com/user/emails",
+            headers={
+                "Accept": "application/json",
+                "Authorization": f"token {oauth_data.get('access_token')}"
+            }
+        ).json()
+
+        organizations = requests.get(
+            "https://api.github.com/user/orgs",
+            headers={
+                "Accept": "application/json",
+                "Authorization": f"token {oauth_data.get('access_token')}"
+            }
+        ).json()
+
+        temp_password = None
+        required_organizations = current_app.config.get("GITHUB_REQUIRED_ORGANIZATIONS")
+        if required_organizations:
+            logins = set([org["login"] for org in organizations])
+            required_organizations = set(required_organizations)
+            if len(logins.intersection(required_organizations)) == 0:
+                raise GithubOrganizationMissingError(
+                    "Not a member of a required organization or missing organization scope")
+
+        try:
+            user = User.get(username=user_info.get("login"))
+        except User.DoesNotExist:
+            user = User()
+            user.username = user_info.get("login")
+            # pick only scylladb.com emails
+            scylla_email = next(iter([email.get("email")
+                                for email in email_info if email.get("email").endswith("@scylladb.com")]), None)
+            primary_email = next(iter([email.get("email")
+                                 for email in email_info if email.get("primary") and email.get("verified")]), None)
+            user.email = scylla_email or primary_email
+            user.full_name = user_info.get("name", user_info.get("login"))
+            user.registration_date = datetime.utcnow()
+            user.roles = ["ROLE_USER"]
+            temp_password = base64.encodebytes(
+                os.urandom(48)).decode("ascii").strip()
+            user.password = generate_password_hash(temp_password)
+
+            avatar_url: str = user_info.get("avatar_url")
+            avatar = requests.get(avatar_url).content
+            avatar_name = avatar_url.split("/")[-1]
+            filename, filepath = self.save_profile_picture_to_disk(avatar_name, avatar, user.username)
+
+            web_file = WebFileStorage()
+            web_file.filename = filename
+            web_file.filepath = filepath
+            web_file.save()
+            user.picture_id = web_file.id
+            user.save()
+
+        try:
+            tokens = list(UserOauthToken.filter(user_id=user.id).all())
+            github_token = [
+                token for token in tokens if token["kind"] == "github"][0]
+            github_token.token = oauth_data.get('access_token')
+            github_token.save()
+        except (UserOauthToken.DoesNotExist, IndexError):
+            github_token = UserOauthToken()
+            github_token.kind = "github"
+            github_token.user_id = user.id
+            github_token.token = oauth_data.get('access_token')
+            github_token.save()
+
+        redirect_target = session.get("redirect_target")
+        session.clear()
+        session["user_id"] = str(user.id)
+        session["redirect_target"] = redirect_target
+        if temp_password:
+            return {
+                "password": temp_password,
+                "first_login": True
+            }
+        return None
+
+    def get_users(self) -> dict:
+        users = User.all()
+        return {str(user.id): user.to_json() for user in users}
+
+    def get_users_privileged(self) -> dict:
+        users = User.all()
+        users = {str(user.id): dict(user.items()) for user in users}
+        for user in users.values():
+            user.pop("password")
+            user.pop("api_token")
+
+        return users
+
+    def generate_token(self, user: User):
+        token_digest = f"{user.username}-{int(time())}-{base64.encodebytes(os.urandom(128)).decode(encoding='utf-8')}"
+        new_token = base64.encodebytes(sha384(token_digest.encode(encoding="utf-8")
+                                              ).digest()).decode(encoding="utf-8").strip()
+        user.api_token = new_token
+        user.save()
+        return new_token
+
+    def update_email(self, user: User, new_email: str):
+        user.email = new_email
+        user.save()
+
+        return True
+
+    def toggle_admin(self, user_id: str):
+        user: User = User.get(id=user_id)
+
+        if user.id == g.user.id:
+            raise UserServiceException("Cannot toggle admin role from yourself.")
+
+        is_admin = UserService.check_roles(UserRoles.Admin, user)
+
+        if is_admin:
+            user.roles.remove(UserRoles.Admin)
+        else:
+            user.set_as_admin()
+
+        user.save()
+        return True
+
+    def delete_user(self, user_id: str):
+        user: User = User.get(id=user_id)
+        if user.id == g.user.id:
+            raise UserServiceException("Cannot delete user that you are logged in as.")
+
+        if user.is_admin():
+            raise UserServiceException("Cannot delete admin users. Unset admin flag before deleting")
+
+        user.delete()
+
+        return True
+
+    def update_password(self, user: User, old_password: str, new_password: str, force=False):
+        if not check_password_hash(user.password, old_password) and not force:
+            raise UserServiceException("Incorrect old password")
+
+        if not new_password:
+            raise UserServiceException("Empty new password")
+
+        if len(new_password) < 5:
+            raise UserServiceException("New password is too short")
+
+        user.password = generate_password_hash(new_password)
+        user.save()
+
+        return True
+
+    def update_name(self, user: User, new_name: str):
+        user.full_name = new_name
+        user.save()
+
+    def save_profile_picture_to_disk(self, original_filename: str, filedata: bytes, suffix: str):
+        filename_fragment = hashlib.sha256(os.urandom(64)).hexdigest()[:10]
+        filename = f"profile_{suffix}_{filename_fragment}"
+        filepath = f"storage/profile_pictures/{filename}"
+        with open(filepath, "wb") as file:
+            file.write(filedata)
+
+        return original_filename, filepath
+
+    def update_profile_picture(self, filename: str, filepath: str):
+        web_file = WebFileStorage()
+        web_file.filename = filename
+        web_file.filepath = filepath
+        web_file.save()
+
+        try:
+            if old_picture_id := g.user.picture_id:
+                old_file = WebFileStorage.get(id=old_picture_id)
+                os.unlink(old_file.filepath)
+                old_file.delete()
+        except Exception as exc:
+            print(exc)
+
+        g.user.picture_id = web_file.id
+        g.user.save()
+
+
+def login_required(view: FlaskView):
+    @functools.wraps(view)
+    def wrapped_view(*args, **kwargs):
+        if g.user is None and not getattr(view, "api_view", False):
+            flash(message='Unauthorized, please login', category='error')
+            session["redirect_target"] = request.full_path
+            return redirect(url_for('auth.login'))
+        elif g.user is None and getattr(view, "api_view", True):
+            return {
+                "status": "error",
+                "message": "Authorization required"
+            }, 403
+
+        return view(*args, **kwargs)
+
+    return wrapped_view
+
+
+def api_login_required(view: FlaskView):
+    view.api_view = True
+    return login_required(view)
+
+
+def check_roles(needed_roles: list[str] | str = None):
+    def inner(view: FlaskView):
+        @functools.wraps(view)
+        def wrapped_view(*args, **kwargs):
+            if not UserService.check_roles(needed_roles, g.user):
+                flash(message='Not authorized to access this area', category='error')
+                return redirect(url_for('main.home'))
+
+            return view(*args, **kwargs)
+
+        return wrapped_view
+    return inner
+
+
+def load_logged_in_user():
+    user_id = session.get('user_id')
+    auth_header = request.headers.get("Authorization")
+
+    if user_id:
+        try:
+            g.user = User.get(id=UUID(user_id))
+            return
+        except User.DoesNotExist:
+            session.clear()
+
+    if auth_header:
+        try:
+            auth_schema, *auth_data = auth_header.split()
+            if auth_schema == "token":
+                token = auth_data[0]
+                g.user = User.get(api_token=token)
+                return
+        except IndexError as exception:
+            raise APIException("Malformed authorization header") from exception
+        except User.DoesNotExist as exception:
+            raise APIException("User not found for supplied token") from exception
+    g.user = None

argus/backend/service/views.py

@@ -0,0 +1,219 @@
+import datetime
+import logging
+from functools import partial, reduce
+from typing import TypedDict
+from uuid import UUID
+
+from cassandra.cqlengine.models import Model
+from argus.backend.models.plan import ArgusReleasePlan
+from argus.backend.models.web import ArgusGroup, ArgusRelease, ArgusTest, ArgusUserView, User
+from argus.backend.plugins.loader import all_plugin_models
+from argus.backend.service.test_lookup import TestLookup
+from argus.backend.util.common import chunk, current_user
+
+LOGGER = logging.getLogger(__name__)
+
+
+class UserViewException(Exception):
+    pass
+
+
+class ViewUpdateRequest(TypedDict):
+    name: str
+    description: str
+    display_name: str
+    tests: list[str]
+    widget_settings: str
+    plan_id: str | None
+
+
+class UserViewService:
+    def create_view(self, name: str, items: list[str], widget_settings: str, description: str = None, display_name: str = None, plan_id: UUID = None) -> ArgusUserView:
+        try:
+            name_check = ArgusUserView.get(name=name)
+            raise UserViewException(
+                f"View with name {name} already exists: {name_check.id}", name, name_check, name_check.id)
+        except ArgusUserView.DoesNotExist:
+            pass
+        view = ArgusUserView()
+        view.name = name
+        view.display_name = display_name or name
+        view.description = description
+        view.widget_settings = widget_settings
+        view.plan_id = plan_id
+        view.tests = []
+        entities = self.parse_view_entity_list(items)
+        view.tests = entities["tests"]
+        view.release_ids = entities["release"]
+        view.group_ids = entities["group"]
+        view.user_id = current_user().id
+
+        view.save()
+        return view
+
+    def parse_view_entity_list(self, entity_list: list[str]) -> dict[str, list[str]]:
+        entities = {
+            "release": [],
+            "group": [],
+            "tests": []
+        }
+        for entity in entity_list:
+            entity_type, entity_id = entity.split(":")
+            match (entity_type):
+                case "release":
+                    entities["tests"].extend(t.id for t in ArgusTest.filter(release_id=entity_id).all())
+                    entities["release"].append(entity_id)
+                case "group":
+                    entities["tests"].extend(t.id for t in ArgusTest.filter(group_id=entity_id).all())
+                    entities["group"].append(entity_id)
+                case "test":
+                    entities["tests"].append(entity_id)
+        return entities
+
+    def test_lookup(self, query: str):
+        return TestLookup.test_lookup(query)
+
+    def update_view(self, view_id: str | UUID, update_data: ViewUpdateRequest) -> bool:
+        view: ArgusUserView = ArgusUserView.get(id=view_id)
+        if view.user_id != current_user().id and not current_user().is_admin():
+            raise UserViewException("Unable to modify other users' views")
+        for key in ["user_id", "id"]:
+            update_data.pop(key, None)
+        items = update_data.pop("items")
+        for k, value in update_data.items():
+            view[k] = value
+        view.tests = []
+        view.release_ids = []
+        view.group_ids = []
+        for entity in items:
+            entity_type, entity_id = entity.split(":")
+            match (entity_type):
+                case "release":
+                    view.tests.extend(t.id for t in ArgusTest.filter(release_id=entity_id).all())
+                    view.release_ids.append(entity_id)
+                case "group":
+                    view.tests.extend(t.id for t in ArgusTest.filter(group_id=entity_id).all())
+                    view.group_ids.append(entity_id)
+                case "test":
+                    view.tests.append(entity_id)
+        view.last_updated = datetime.datetime.utcnow()
+        view.save()
+        return True
+
+    def delete_view(self, view_id: str | UUID) -> bool:
+        view = ArgusUserView.get(id=view_id)
+        if view.user_id != current_user().id and not current_user().is_admin():
+            raise UserViewException("Unable to modify other users' views")
+        view.delete()
+
+        return True
+
+    def get_view(self, view_id: str | UUID) -> ArgusUserView:
+        view: ArgusUserView = ArgusUserView.get(id=view_id)
+        if datetime.datetime.utcnow() - (view.last_updated or datetime.datetime.fromtimestamp(0)) > datetime.timedelta(hours=1):
+            self.refresh_stale_view(view)
+        return view
+
+    def get_view_by_name(self, view_name: str) -> ArgusUserView:
+        view: ArgusUserView = ArgusUserView.get(name=view_name)
+        if datetime.datetime.utcnow() - (view.last_updated or datetime.datetime.fromtimestamp(0)) > datetime.timedelta(hours=1):
+            self.refresh_stale_view(view)
+        return view
+
+    def get_all_views(self, user: User | None = None) -> list[ArgusUserView]:
+        if user:
+            return list(ArgusUserView.filter(user_id=user.id).all())
+        return list(ArgusUserView.filter().all())
+
+    def resolve_view_tests(self, view_id: str | UUID) -> list[ArgusTest]:
+        view = ArgusUserView.get(id=view_id)
+        return self.resolve_tests_by_id(view.tests)
+
+    def resolve_tests_by_id(self, test_ids: list[str | UUID]) -> list[ArgusTest]:
+        tests = []
+        for batch in chunk(test_ids):
+            tests.extend(ArgusTest.filter(id__in=batch).all())
+
+        return tests
+
+    def batch_resolve_entity(self, entity: Model, param_name: str, entity_ids: list[UUID]) -> list[Model]:
+        result = []
+        for batch in chunk(entity_ids):
+            result.extend(entity.filter(**{f"{param_name}__in": batch}).allow_filtering().all())
+        return result
+
+    def refresh_stale_view(self, view: ArgusUserView):
+        if view.plan_id:
+            try:
+                view.tests = [test.id for test in self.resolve_tests_by_id(ArgusReleasePlan.get(id=view.plan_id).tests)]
+                view.group_ids = ArgusReleasePlan.get(id=view.plan_id).groups
+            except ArgusReleasePlan.DoesNotExist:
+                LOGGER.warning("Dangling view %s from non-existent release plan %s", view.id, view.plan_id)
+                return view
+        else:
+            view.tests = [test.id for test in self.resolve_view_tests(view.id)]
+        all_tests = set(view.tests)
+        all_tests.update(test.id for test in self.batch_resolve_entity(ArgusTest, "group_id", view.group_ids))
+        all_tests.update(test.id for test in self.batch_resolve_entity(ArgusTest, "release_id", view.release_ids))
+        view.tests = list(all_tests)
+        view.last_updated = datetime.datetime.utcnow()
+        view.save()
+
+        return view
+
+    def resolve_releases_for_tests(self, tests: list[ArgusTest]):
+        releases = []
+        unique_release_ids = reduce(lambda releases, test: releases.add(test.release_id) or releases, tests, set())
+        for batch in chunk(unique_release_ids):
+            releases.extend(ArgusRelease.filter(id__in=batch).all())
+
+        return releases
+
+    def resolve_groups_for_tests(self, tests: list[ArgusTest]):
+        releases = []
+        unique_release_ids = reduce(lambda groups, test: groups.add(test.group_id) or groups, tests, set())
+        for batch in chunk(unique_release_ids):
+            releases.extend(ArgusGroup.filter(id__in=batch).all())
+
+        return releases
+
+    def get_versions_for_view(self, view_id: str | UUID) -> list[str]:
+        tests = self.resolve_view_tests(view_id)
+        unique_versions = {ver for plugin in all_plugin_models()
+                           for ver in plugin.get_distinct_versions_for_view(tests=tests)}
+
+        return sorted(list(unique_versions), reverse=True)
+
+    def resolve_view_for_edit(self, view_id: str | UUID) -> dict:
+        view: ArgusUserView = ArgusUserView.get(id=view_id)
+        resolved = dict(view)
+        view_groups = self.batch_resolve_entity(ArgusGroup, "id", view.group_ids)
+        view_releases = self.batch_resolve_entity(ArgusRelease, "id", view.release_ids)
+        view_tests = self.resolve_view_tests(view.id)
+        all_groups = {group.id: partial(TestLookup.index_mapper, type="group")(group)
+                      for group in self.resolve_releases_for_tests(view_tests)}
+        all_releases = {release.id: partial(TestLookup.index_mapper, type="release")(release)
+                        for release in self.resolve_releases_for_tests(view_tests)}
+        entities_by_id = {
+            entity.id: partial(TestLookup.index_mapper, type="release" if isinstance(
+                entity, ArgusRelease) else "group")(entity)
+            for container in [view_releases, view_groups]
+            for entity in container
+        }
+
+        items = []
+        for test in view_tests:
+            if not (entities_by_id.get(test.group_id) or entities_by_id.get(test.release_id)):
+                item = dict(test)
+                item["type"] = "test"
+                items.append(item)
+
+        items = [*entities_by_id.values(), *items]
+        for entity in items:
+            entity["group"] = all_groups.get(entity.get("group_id"), {}).get(
+                "pretty_name") or all_groups.get(entity.get("group_id"), {}).get("name")
+            entity["release"] = all_releases.get(entity.get("release_id"), {}).get(
+                "pretty_name") or all_releases.get(entity.get("release_id"), {}).get("name")
+
+        resolved["items"] = items
+        return resolved