PyPI - cornflow - Versions diffs - 1.1.5__tar.gz → 1.2.0a1__tar.gz - Mend

cornflow 1.1.5tar.gz → 1.2.0a1tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (185) hide show

{cornflow-1.1.5/cornflow.egg-info → cornflow-1.2.0a1}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: cornflow
-Version: 1.1.5
+Version: 1.2.0a1
 Summary: Cornflow is an open source multi-solver optimization server with a REST API built using flask.
 Home-page: https://github.com/baobabsoluciones/cornflow
 Author: baobab soluciones
@@ -13,7 +13,7 @@ Requires-Python: >=3.9
 Requires-Dist: alembic==1.9.2
 Requires-Dist: apispec<=6.3.0
 Requires-Dist: click<=8.1.7
-Requires-Dist: cornflow-client>=1.1.0
+Requires-Dist: cornflow-client==1.2.0a1
 Requires-Dist: cryptography<=42.0.5
 Requires-Dist: disposable-email-domains>=0.0.86
 Requires-Dist: Flask==2.3.2
@@ -40,6 +40,7 @@ Requires-Dist: requests<=2.32.3
 Requires-Dist: SQLAlchemy==1.3.21
 Requires-Dist: webargs<=8.3.0
 Requires-Dist: Werkzeug==3.0.6
+Requires-Dist: cachetools==5.3.3
 Dynamic: author
 Dynamic: author-email
 Dynamic: classifier

{cornflow-1.1.5 → cornflow-1.2.0a1}/cornflow/app.py RENAMED Viewed

@@ -37,7 +37,7 @@ from cornflow.endpoints.signup import SignUpEndpoint
 from cornflow.shared import db, bcrypt
 from cornflow.shared.compress import init_compress
 from cornflow.shared.const import AUTH_DB, AUTH_LDAP, AUTH_OID
-from cornflow.shared.exceptions import initialize_errorhandlers
+from cornflow.shared.exceptions import initialize_errorhandlers, ConfigurationError
 from cornflow.shared.log_config import log_config
@@ -62,11 +62,11 @@ def create_app(env_name="development", dataconn=None):
     CORS(app)
     bcrypt.init_app(app)
     db.init_app(app)
-    migrate = Migrate(app=app, db=db)
+    Migrate(app=app, db=db)
     if "sqlite" in app.config["SQLALCHEMY_DATABASE_URI"]:
-        def _fk_pragma_on_connect(dbapi_con, con_record):
+        def _fk_pragma_on_connect(dbapi_con, _con_record):
             dbapi_con.execute("pragma foreign_keys=ON")
         with app.app_context():
@@ -100,6 +100,11 @@ def create_app(env_name="development", dataconn=None):
         api.add_resource(LoginEndpoint, "/login/", endpoint="login")
     elif auth_type == AUTH_OID:
         api.add_resource(LoginOpenAuthEndpoint, "/login/", endpoint="login")
+    else:
+        raise ConfigurationError(
+            error="Invalid authentication type",
+            log_txt="Error while configuring authentication. The authentication type is not valid."
+        )
     initialize_errorhandlers(app)
     init_compress(app)

{cornflow-1.1.5 → cornflow-1.2.0a1}/cornflow/cli/service.py RENAMED Viewed

@@ -16,7 +16,14 @@ from cornflow.commands import (
     update_schemas_command,
     update_dag_registry_command,
 )
-from cornflow.shared.const import AUTH_DB, ADMIN_ROLE, SERVICE_ROLE
+from cornflow.shared.const import (
+    AUTH_DB,
+    AUTH_LDAP,
+    AUTH_OID,
+    ADMIN_ROLE,
+    SERVICE_ROLE,
+    PLANNER_ROLE,
+)
 from cornflow.shared import db
 from cryptography.fernet import Fernet
 from flask_migrate import Migrate, upgrade
@@ -83,11 +90,11 @@ def init_cornflow_service():
     os.environ["SIGNUP_ACTIVATED"] = str(signup_activated)
     user_access_all_objects = os.getenv("USER_ACCESS_ALL_OBJECTS", 0)
     os.environ["USER_ACCESS_ALL_OBJECTS"] = str(user_access_all_objects)
-    default_role = os.getenv("DEFAULT_ROLE", 2)
+    default_role = int(os.getenv("DEFAULT_ROLE", PLANNER_ROLE))
     os.environ["DEFAULT_ROLE"] = str(default_role)
     # Check LDAP parameters for active directory and show message
-    if os.getenv("AUTH_TYPE") == 2:
+    if os.getenv("AUTH_TYPE") == AUTH_LDAP:
         print(
             "WARNING: Cornflow will be deployed with LDAP Authorization. Please review your ldap auth configuration."
         )
@@ -129,10 +136,11 @@ def init_cornflow_service():
         app = create_app(environment, cornflow_db_conn)
         with app.app_context():
             path = f"{os.path.dirname(cornflow.__file__)}/migrations"
-            migrate = Migrate(app=app, db=db, directory=path)
+            Migrate(app=app, db=db, directory=path)
             upgrade()
             access_init_command(verbose=False)
-            if auth == 1 or auth == 0:
+            if auth == AUTH_DB or auth == AUTH_OID:
+                # create cornflow admin user
                 create_user_with_role(
                     cornflow_admin_user,
                     cornflow_admin_email,
@@ -188,7 +196,7 @@ def init_cornflow_service():
             migrate = Migrate(app=app, db=db, directory=path)
             upgrade()
             access_init_command(verbose=False)
-            if auth == 1 or auth == 0:
+            if auth == AUTH_DB or auth == AUTH_OID:
                 # create cornflow admin user
                 create_user_with_role(
                     cornflow_admin_user,

{cornflow-1.1.5 → cornflow-1.2.0a1}/cornflow/config.py RENAMED Viewed

@@ -1,5 +1,5 @@
 import os
-from .shared.const import AUTH_DB, PLANNER_ROLE
+from .shared.const import AUTH_DB, PLANNER_ROLE, AUTH_OID
 from apispec import APISpec
 from apispec.ext.marshmallow import MarshmallowPlugin
@@ -28,7 +28,7 @@ class DefaultConfig(object):
     SIGNUP_ACTIVATED = int(os.getenv("SIGNUP_ACTIVATED", 1))
     CORNFLOW_SERVICE_USER = os.getenv("CORNFLOW_SERVICE_USER", "service_user")
-    # If service user is allow to log with username and password
+    # If service user is allowed to log with username and password
     SERVICE_USER_ALLOW_PASSWORD_LOGIN = int(
         os.getenv("SERVICE_USER_ALLOW_PASSWORD_LOGIN", 1)
     )
@@ -59,11 +59,9 @@ class DefaultConfig(object):
     LDAP_PROTOCOL_VERSION = int(os.getenv("LDAP_PROTOCOL_VERSION", 3))
     LDAP_USE_TLS = os.getenv("LDAP_USE_TLS", "False")
-    # OpenID login -> Default Azure
-    OID_PROVIDER = os.getenv("OID_PROVIDER", 0)
-    OID_CLIENT_ID = os.getenv("OID_CLIENT_ID")
-    OID_TENANT_ID = os.getenv("OID_TENANT_ID")
-    OID_ISSUER = os.getenv("OID_ISSUER")
+    # OpenID Connect configuration
+    OID_PROVIDER = os.getenv("OID_PROVIDER")
+    OID_EXPECTED_AUDIENCE = os.getenv("OID_EXPECTED_AUDIENCE")
     # APISPEC:
     APISPEC_SPEC = APISpec(
@@ -127,8 +125,9 @@ class TestingOpenAuth(Testing):
     """
     Configuration class for testing some edge cases with Open Auth login
     """
-    AUTH_TYPE = 0
+    AUTH_TYPE = AUTH_OID
+    OID_PROVIDER = "https://test-provider.example.com"
+    OID_EXPECTED_AUDIENCE = "test-audience-id"
 class TestingApplicationRoot(Testing):
@@ -158,5 +157,5 @@ app_config = {
     "testing": Testing,
     "production": Production,
     "testing-oauth": TestingOpenAuth,
-    "testing-root": TestingApplicationRoot,
+    "testing-root": TestingApplicationRoot
 }

{cornflow-1.1.5 → cornflow-1.2.0a1}/cornflow/endpoints/login.py RENAMED Viewed

@@ -1,9 +1,9 @@
 """
-External endpoint for the user to login to the cornflow webserver
+External endpoint for the user to log in to the cornflow webserver
 """
 # Partial imports
-from flask import current_app
+from flask import current_app, request
 from flask_apispec import use_kwargs, doc
 from sqlalchemy.exc import IntegrityError, DBAPIError
 from datetime import datetime, timedelta
@@ -18,15 +18,11 @@ from cornflow.shared.const import (
     AUTH_DB,
     AUTH_LDAP,
     AUTH_OID,
-    OID_AZURE,
-    OID_GOOGLE,
-    OID_NONE,
 )
 from cornflow.shared.exceptions import (
     ConfigurationError,
     InvalidCredentials,
     InvalidUsage,
-    EndpointNotImplemented,
 )
@@ -45,7 +41,7 @@ class LoginBaseEndpoint(BaseMetaResource):
         This method is in charge of performing the log in of the user
         :param kwargs: keyword arguments passed for the login, these can be username, password or a token
-        :return: the response of the login or it raises an error. The correct response is a dict
+        :return: the response of the login, or it raises an error. The correct response is a dict
         with the newly issued token and the user id, and a status code of 200
         :rtype: dict
         """
@@ -55,10 +51,24 @@ class LoginBaseEndpoint(BaseMetaResource):
         if auth_type == AUTH_DB:
             user = self.auth_db_authenticate(**kwargs)
             response.update({"change_password": check_last_password_change(user)})
+            current_app.logger.info(f"User {user.id} logged in successfully using database authentication")
         elif auth_type == AUTH_LDAP:
             user = self.auth_ldap_authenticate(**kwargs)
+            current_app.logger.info(f"User {user.id} logged in successfully using LDAP authentication")
         elif auth_type == AUTH_OID:
-            user = self.auth_oid_authenticate(**kwargs)
+            if (kwargs.get('username') and kwargs.get('password')):
+                if not current_app.config.get("SERVICE_USER_ALLOW_PASSWORD_LOGIN", 0):
+                    raise InvalidUsage("Must provide a token in Authorization header. Cannot log in with username and password", 400)
+                user = self.auth_oid_authenticate(username=kwargs['username'], password=kwargs['password'])
+                current_app.logger.info(f"Service user {user.id} logged in successfully using password")
+                token = self.auth_class.generate_token(user.id)
+            else:
+                token = self.auth_class().get_token_from_header(request.headers)
+                user = self.auth_oid_authenticate(token=token)
+                current_app.logger.info(f"User {user.id} logged in successfully using OpenID authentication")
+            response.update({"token": token, "id": user.id})
+            return response, 200
         else:
             raise ConfigurationError()
@@ -77,7 +87,7 @@ class LoginBaseEndpoint(BaseMetaResource):
         :param str username: the username of the user to log in
         :param str password:  the password of the user to log in
-        :return: the user object or it raises an error if it has not been possible to log in
+        :return: the user object, or it raises an error if it has not been possible to log in
         :rtype: :class:`UserModel`
         """
         user = self.data_model.get_one_object(username=username)
@@ -96,7 +106,7 @@ class LoginBaseEndpoint(BaseMetaResource):
         :param str username: the username of the user to log in
         :param str password:  the password of the user to log in
-        :return: the user object or it raises an error if it has not been possible to log in
+        :return: the user object, or it raises an error if it has not been possible to log in
         :rtype: :class:`UserModel`
         """
         ldap_obj = self.ldap_class(current_app.config)
@@ -137,61 +147,45 @@ class LoginBaseEndpoint(BaseMetaResource):
         return user
-    def auth_oid_authenticate(
-        self, token: str = None, username: str = None, password: str = None
-    ):
+    def auth_oid_authenticate(self, token: str = None, username: str = None, password: str = None):
         """
-        Method  in charge of performing the log in with the token issued by an Open ID provider.
-        It has an exception and thus accepts username and password for service users if needed.
+        Method in charge of performing the authentication using OpenID Connect tokens.
+        Supports any OIDC provider configured via provider_url.
-        :param str token: the token that the user has obtained from the Open ID provider
-        :param str username: the username of the user to log in
-        :param str password: the password of the user to log in
-        :return: the user object or it raises an error if it has not been possible to log in
+        :param str token: the JWT token from the OIDC provider
+        :param str username: username for service users
+        :param str password: password for service users
+        :return: the user object, or it raises an error if it has not been possible to log in
         :rtype: :class:`UserModel`
         """
+        print("[auth_oid_authenticate] Starting OpenID authentication")
         if token:
-            oid_provider = int(current_app.config["OID_PROVIDER"])
-            client_id = current_app.config["OID_CLIENT_ID"]
-            tenant_id = current_app.config["OID_TENANT_ID"]
-            issuer = current_app.config["OID_ISSUER"]
-            if client_id is None or tenant_id is None or issuer is None:
-                raise ConfigurationError("The OID provider configuration is not valid")
-            if oid_provider == OID_AZURE:
-                decoded_token = self.auth_class().validate_oid_token(
-                    token, client_id, tenant_id, issuer, oid_provider
-                )
-            elif oid_provider == OID_GOOGLE:
-                raise EndpointNotImplemented(
-                    "The selected OID provider is not implemented"
-                )
-            elif oid_provider == OID_NONE:
-                raise EndpointNotImplemented(
-                    "The OID provider configuration is not valid"
-                )
-            else:
-                raise EndpointNotImplemented(
-                    "The OID provider configuration is not valid"
+            print("[auth_oid_authenticate] Authenticating with token")
+            decoded_token = self.auth_class().decode_token(token)
+            print(f"[auth_oid_authenticate] Token decoded successfully: {decoded_token}")
+            username = decoded_token.get('username')
+            if not username:
+                print("[auth_oid_authenticate] Missing username in token claims")
+                raise InvalidCredentials(
+                    "Invalid token: missing username claim",
+                    log_txt="Token validation failed: missing username claim",
+                    status_code=400
                 )
-            username = decoded_token["preferred_username"]
-            email = decoded_token.get("email", f"{username}@test.org")
-            first_name = decoded_token.get("given_name", "")
-            last_name = decoded_token.get("family_name", "")
+            print(f"[auth_oid_authenticate] Looking up user: {username}")
             user = self.data_model.get_one_object(username=username)
             if not user:
+                print(f"[auth_oid_authenticate] Creating new user: {username}")
                 current_app.logger.info(
                     f"OpenID user {username} does not exist and is created"
                 )
+                email = decoded_token.get('email', f"{username}@cornflow.org")
+                first_name = decoded_token.get('given_name', '')
+                last_name = decoded_token.get('family_name', '')
                 data = {
                     "username": username,
                     "email": email,
@@ -208,27 +202,30 @@ class LoginBaseEndpoint(BaseMetaResource):
                         "role_id": int(current_app.config["DEFAULT_ROLE"]),
                     }
                 )
                 user_role.save()
             return user
         elif (
             username
             and password
-            and current_app.config["SERVICE_USER_ALLOW_PASSWORD_LOGIN"] == 1
         ):
             user = self.auth_db_authenticate(username, password)
             if user.is_service_user():
                 return user
-            else:
-                raise InvalidUsage("Invalid request")
+            raise InvalidUsage("Invalid request")
         else:
             raise InvalidUsage("Invalid request")
 def check_last_password_change(user):
+    """
+    Check if the user needs to change their password based on the password rotation time.
+    :param user: The user object to check
+    :return: True if password needs to be changed, False otherwise
+    :rtype: bool
+    """
     if user.pwd_last_change:
         if (
             user.pwd_last_change

{cornflow-1.1.5 → cornflow-1.2.0a1}/cornflow/schemas/user.py RENAMED Viewed

@@ -67,24 +67,10 @@ class LoginEndpointRequest(Schema):
 class LoginOpenAuthRequest(Schema):
     """
-    This is the schema used by the login endpoint with Open ID protocol
-    Validates that either a token is provided, or both username and password are present
+    Schema for the login request with OpenID authentication
     """
-    token = fields.Str(required=False)
-    username = fields.Str(required=False)
-    password = fields.Str(required=False)
-    @validates_schema
-    def validate_fields(self, data, **kwargs):
-        if data.get("token") is None:
-            if not data.get("username") or not data.get("password"):
-                raise ValidationError(
-                    "A token needs to be provided when using Open ID authentication"
-                )
-        else:
-            if data.get("username") or data.get("password"):
-                raise ValidationError("The login needs to be done with a token only")
+    username = fields.String(required=False)
+    password = fields.String(required=False)
 class SignupRequest(Schema):

cornflow 1.1.5__tar.gz → 1.2.0a1__tar.gz

cornflow 1.1.5tar.gz → 1.2.0a1tar.gz