cornflow 1.1.2__py3-none-any.whl → 1.1.5__py3-none-any.whl

cornflow/app.py

@@ -1,6 +1,7 @@
 """
 Main file with the creation of the app logic
 """
+
 # Full imports
 import os
 import click
@@ -13,6 +14,8 @@ from flask_cors import CORS
 from flask_migrate import Migrate
 from flask_restful import Api
 from logging.config import dictConfig
+from werkzeug.middleware.dispatcher import DispatcherMiddleware
+from werkzeug.exceptions import NotFound
 
 # Module imports
 from cornflow.commands import (
@@ -112,6 +115,11 @@ def create_app(env_name="development", dataconn=None):
     app.cli.add_command(register_deployed_dags)
     app.cli.add_command(register_dag_permissions)
 
+    if app.config["APPLICATION_ROOT"] != "/" and app.config["EXTERNAL_APP"] == 0:
+        app.wsgi_app = DispatcherMiddleware(
+            NotFound(), {app.config["APPLICATION_ROOT"]: app.wsgi_app}
+        )
+
     return app
 
 

cornflow/config.py

@@ -5,6 +5,12 @@ from apispec.ext.marshmallow import MarshmallowPlugin
 
 
 class DefaultConfig(object):
+    """
+    Default configuration class
+    """
+
+    APPLICATION_ROOT = os.getenv("APPLICATION_ROOT", "/")
+    EXTERNAL_APP = int(os.getenv("EXTERNAL_APP", 0))
     SERVICE_NAME = os.getenv("SERVICE_NAME", "Cornflow")
     SECRET_TOKEN_KEY = os.getenv("SECRET_KEY")
     SECRET_BI_KEY = os.getenv("SECRET_BI_KEY")
@@ -22,6 +28,11 @@ class DefaultConfig(object):
     SIGNUP_ACTIVATED = int(os.getenv("SIGNUP_ACTIVATED", 1))
     CORNFLOW_SERVICE_USER = os.getenv("CORNFLOW_SERVICE_USER", "service_user")
 
+    # If service user is allow to log with username and password
+    SERVICE_USER_ALLOW_PASSWORD_LOGIN = int(
+        os.getenv("SERVICE_USER_ALLOW_PASSWORD_LOGIN", 1)
+    )
+
     # Open deployment (all dags accessible to all users)
     OPEN_DEPLOYMENT = os.getenv("OPEN_DEPLOYMENT", 1)
 
@@ -84,14 +95,17 @@ class DefaultConfig(object):
 
 
 class Development(DefaultConfig):
-
-    """ """
+    """
+    Configuration class for development
+    """
 
     ENV = "development"
 
 
 class Testing(DefaultConfig):
-    """ """
+    """
+    Configuration class for testing
+    """
 
     ENV = "testing"
     SQLALCHEMY_TRACK_MODIFICATIONS = False
@@ -109,8 +123,26 @@ class Testing(DefaultConfig):
     LOG_LEVEL = int(os.getenv("LOG_LEVEL", 10))
 
 
+class TestingOpenAuth(Testing):
+    """
+    Configuration class for testing some edge cases with Open Auth login
+    """
+
+    AUTH_TYPE = 0
+
+
+class TestingApplicationRoot(Testing):
+    """
+    Configuration class for testing with application root
+    """
+
+    APPLICATION_ROOT = "/test"
+
+
 class Production(DefaultConfig):
-    """ """
+    """
+    Configuration class for production
+    """
 
     ENV = "production"
     SQLALCHEMY_TRACK_MODIFICATIONS = False
@@ -121,4 +153,10 @@ class Production(DefaultConfig):
     PROPAGATE_EXCEPTIONS = True
 
 
-app_config = {"development": Development, "testing": Testing, "production": Production}
+app_config = {
+    "development": Development,
+    "testing": Testing,
+    "production": Production,
+    "testing-oauth": TestingOpenAuth,
+    "testing-root": TestingApplicationRoot,
+}

cornflow/endpoints/login.py

@@ -34,9 +34,11 @@ class LoginBaseEndpoint(BaseMetaResource):
     """
     Base endpoint to perform a login action from a user
     """
+
     def __init__(self):
         super().__init__()
         self.ldap_class = LDAPBase
+        self.user_role_association = UserRoleModel
 
     def log_in(self, **kwargs):
         """
@@ -102,7 +104,9 @@ class LoginBaseEndpoint(BaseMetaResource):
             raise InvalidCredentials()
         user = self.data_model.get_one_object(username=username)
         if not user:
-            current_app.logger.info(f"LDAP user {username} does not exist and is created")
+            current_app.logger.info(
+                f"LDAP user {username} does not exist and is created"
+            )
             email = ldap_obj.get_user_email(username)
             if not email:
                 email = ""
@@ -122,68 +126,115 @@ class LoginBaseEndpoint(BaseMetaResource):
 
         except IntegrityError as e:
             db.session.rollback()
-            current_app.logger.error(f"Integrity error on user role assignment on log in: {e}")
+            current_app.logger.error(
+                f"Integrity error on user role assignment on log in: {e}"
+            )
         except DBAPIError as e:
             db.session.rollback()
-            current_app.logger.error(f"Unknown error on user role assignment on log in: {e}")
+            current_app.logger.error(
+                f"Unknown error on user role assignment on log in: {e}"
+            )
 
         return user
 
-    def auth_oid_authenticate(self, token):
+    def auth_oid_authenticate(
+        self, token: str = None, username: str = None, password: str = None
+    ):
         """
-        Method  in charge of performing the log in with the token issued by an Open ID provider
+        Method  in charge of performing the log in with the token issued by an Open ID provider.
+        It has an exception and thus accepts username and password for service users if needed.
 
         :param str token: the token that the user has obtained from the Open ID provider
+        :param str username: the username of the user to log in
+        :param str password: the password of the user to log in
         :return: the user object or it raises an error if it has not been possible to log in
         :rtype: :class:`UserModel`
         """
-        oid_provider = int(current_app.config["OID_PROVIDER"])
 
-        client_id = current_app.config["OID_CLIENT_ID"]
-        tenant_id = current_app.config["OID_TENANT_ID"]
-        issuer = current_app.config["OID_ISSUER"]
+        if token:
 
-        if client_id is None or tenant_id is None or issuer is None:
-            raise ConfigurationError("The OID provider configuration is not valid")
+            oid_provider = int(current_app.config["OID_PROVIDER"])
 
-        if oid_provider == OID_AZURE:
-            decoded_token = self.auth_class().validate_oid_token(
-                token, client_id, tenant_id, issuer, oid_provider
-            )
+            client_id = current_app.config["OID_CLIENT_ID"]
+            tenant_id = current_app.config["OID_TENANT_ID"]
+            issuer = current_app.config["OID_ISSUER"]
 
-        elif oid_provider == OID_GOOGLE:
-            raise EndpointNotImplemented("The selected OID provider is not implemented")
-        elif oid_provider == OID_NONE:
-            raise EndpointNotImplemented("The OID provider configuration is not valid")
-        else:
-            raise EndpointNotImplemented("The OID provider configuration is not valid")
+            if client_id is None or tenant_id is None or issuer is None:
+                raise ConfigurationError("The OID provider configuration is not valid")
 
-        username = decoded_token["preferred_username"]
+            if oid_provider == OID_AZURE:
+                decoded_token = self.auth_class().validate_oid_token(
+                    token, client_id, tenant_id, issuer, oid_provider
+                )
 
-        user = self.data_model.get_one_object(username=username)
+            elif oid_provider == OID_GOOGLE:
+                raise EndpointNotImplemented(
+                    "The selected OID provider is not implemented"
+                )
+            elif oid_provider == OID_NONE:
+                raise EndpointNotImplemented(
+                    "The OID provider configuration is not valid"
+                )
+            else:
+                raise EndpointNotImplemented(
+                    "The OID provider configuration is not valid"
+                )
 
-        if not user:
-            current_app.logger.info(f"OpenID user {username} does not exist and is created")
+            username = decoded_token["preferred_username"]
+            email = decoded_token.get("email", f"{username}@test.org")
+            first_name = decoded_token.get("given_name", "")
+            last_name = decoded_token.get("family_name", "")
 
-            data = {"username": username, "email": username}
+            user = self.data_model.get_one_object(username=username)
 
-            user = self.data_model(data=data)
-            user.save()
+            if not user:
+                current_app.logger.info(
+                    f"OpenID user {username} does not exist and is created"
+                )
 
-            self.user_role_association(user.id)
+                data = {
+                    "username": username,
+                    "email": email,
+                    "first_name": first_name,
+                    "last_name": last_name,
+                }
 
-            user_role = self.user_role_association(
-                {"user_id": user.id, "role_id": int(current_app.config["DEFAULT_ROLE"])}
-            )
+                user = self.data_model(data=data)
+                user.save()
 
-            user_role.save()
+                user_role = self.user_role_association(
+                    {
+                        "user_id": user.id,
+                        "role_id": int(current_app.config["DEFAULT_ROLE"]),
+                    }
+                )
 
-        return user
+                user_role.save()
+
+            return user
+        elif (
+            username
+            and password
+            and current_app.config["SERVICE_USER_ALLOW_PASSWORD_LOGIN"] == 1
+        ):
+
+            user = self.auth_db_authenticate(username, password)
+
+            if user.is_service_user():
+                return user
+            else:
+                raise InvalidUsage("Invalid request")
+        else:
+            raise InvalidUsage("Invalid request")
 
 
 def check_last_password_change(user):
     if user.pwd_last_change:
-        if user.pwd_last_change + timedelta(days=int(current_app.config["PWD_ROTATION_TIME"])) < datetime.utcnow():
+        if (
+            user.pwd_last_change
+            + timedelta(days=int(current_app.config["PWD_ROTATION_TIME"]))
+            < datetime.utcnow()
+        ):
             return True
     return False
 

cornflow/schemas/user.py

@@ -1,12 +1,14 @@
 """
 This file contains the schemas used for the users defined in the application
 """
-from marshmallow import fields, Schema
+
+from marshmallow import fields, Schema, validates_schema, ValidationError
 from .instance import InstanceSchema
 
 
 class UserSchema(Schema):
     """ """
+
     id = fields.Int(dump_only=True)
     first_name = fields.Str()
     last_name = fields.Str()
@@ -66,9 +68,23 @@ class LoginEndpointRequest(Schema):
 class LoginOpenAuthRequest(Schema):
     """
     This is the schema used by the login endpoint with Open ID protocol
+    Validates that either a token is provided, or both username and password are present
     """
 
-    token = fields.Str(required=True)
+    token = fields.Str(required=False)
+    username = fields.Str(required=False)
+    password = fields.Str(required=False)
+
+    @validates_schema
+    def validate_fields(self, data, **kwargs):
+        if data.get("token") is None:
+            if not data.get("username") or not data.get("password"):
+                raise ValidationError(
+                    "A token needs to be provided when using Open ID authentication"
+                )
+        else:
+            if data.get("username") or data.get("password"):
+                raise ValidationError("The login needs to be done with a token only")
 
 
 class SignupRequest(Schema):

cornflow/shared/authentication/auth.py

@@ -14,6 +14,8 @@ from datetime import datetime, timedelta
 from flask import request, g, current_app, Request
 from functools import wraps
 from typing import Union, Tuple
+
+from jwt import DecodeError
 from werkzeug.datastructures import Headers
 
 # Imports from internal modules
@@ -103,7 +105,8 @@ class Auth:
             )
 
         payload = {
-            "exp": datetime.utcnow() + timedelta(hours=float(current_app.config["TOKEN_DURATION"])),
+            "exp": datetime.utcnow()
+            + timedelta(hours=float(current_app.config["TOKEN_DURATION"])),
             "iat": datetime.utcnow(),
             "sub": user_id,
         }
@@ -314,7 +317,10 @@ class Auth:
         :return: the key identifier
         :rtype: str
         """
-        headers = jwt.get_unverified_header(token)
+        try:
+            headers = jwt.get_unverified_header(token)
+        except DecodeError as err:
+            raise InvalidCredentials("Token is not valid")
         if not headers:
             raise InvalidCredentials("Token is missing the headers")
         try:
@@ -346,9 +352,9 @@ class Auth:
         try:
             response = requests.get(discovery_url)
             response.raise_for_status()
-        except requests.exceptions.HTTPError as error:
+        except requests.exceptions.HTTPError:
             raise CommunicationError(
-                f"Error getting issuer discovery meta from {discovery_url}", error
+                f"Error getting issuer discovery meta from {discovery_url}"
             )
         return response.json()
 

cornflow/shared/exceptions.py

@@ -2,6 +2,7 @@
 This file contains the different exceptions created to report errors and the handler that registers them
 on a flask REST API server
 """
+
 from flask import jsonify
 from webargs.flaskparser import parser
 from cornflow_client.constants import AirflowError
@@ -123,9 +124,11 @@ class ConfigurationError(InvalidUsage):
 
 
 INTERNAL_SERVER_ERROR_MESSAGE = "500 Internal Server Error"
-INTERNAL_SERVER_ERROR_MESSAGE_DETAIL = "The server encountered an internal error and was unable " \
-                                       "to complete your request. Either the server is overloaded or " \
-                                       "there is an error in the application."
+INTERNAL_SERVER_ERROR_MESSAGE_DETAIL = (
+    "The server encountered an internal error and was unable "
+    "to complete your request. Either the server is overloaded or "
+    "there is an error in the application."
+)
 
 
 def initialize_errorhandlers(app):
@@ -146,6 +149,7 @@ def initialize_errorhandlers(app):
     @app.errorhandler(InvalidData)
     @app.errorhandler(InvalidPatch)
     @app.errorhandler(ConfigurationError)
+    @app.errorhandler(CommunicationError)
     def handle_invalid_usage(error):
         """
         Method to handle the error given by the different exceptions.
@@ -187,10 +191,7 @@ def initialize_errorhandlers(app):
             status_code = error.code or status_code
             error_msg = f"{status_code} {error.name or INTERNAL_SERVER_ERROR_MESSAGE}"
             error_str = f"{error_msg}. {str(error.description or '') or INTERNAL_SERVER_ERROR_MESSAGE_DETAIL}"
-            response_dict = {
-                "message": error_msg,
-                "error": error_str
-            }
+            response_dict = {"message": error_msg, "error": error_str}
             response = jsonify(response_dict)
 
         elif app.config["ENV"] == "production":
@@ -202,7 +203,7 @@ def initialize_errorhandlers(app):
 
             response_dict = {
                 "message": INTERNAL_SERVER_ERROR_MESSAGE,
-                "error": INTERNAL_SERVER_ERROR_MESSAGE_DETAIL
+                "error": INTERNAL_SERVER_ERROR_MESSAGE_DETAIL,
             }
             response = jsonify(response_dict)
         else: