cornflow 1.2.2__tar.gz → 1.2.3a2__tar.gz

{cornflow-1.2.2/cornflow.egg-info → cornflow-1.2.3a2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cornflow
-Version: 1.2.2
+Version: 1.2.3a2
 Summary: cornflow is an open source multi-solver optimization server with a REST API built using flask.
 Home-page: https://github.com/baobabsoluciones/cornflow
 Author: baobab soluciones
@@ -14,7 +14,7 @@ Requires-Dist: alembic==1.9.2
 Requires-Dist: apispec<=6.3.0
 Requires-Dist: cachetools==5.3.3
 Requires-Dist: click<=8.1.7
-Requires-Dist: cornflow-client>=1.2.2
+Requires-Dist: cornflow-client>=1.2.0
 Requires-Dist: cryptography<=44.0.1
 Requires-Dist: disposable-email-domains>=0.0.86
 Requires-Dist: Flask==2.3.2

{cornflow-1.2.2 → cornflow-1.2.3a2}/cornflow/commands/permissions.py

@@ -4,8 +4,14 @@ from importlib import import_module
 from cornflow.shared.const import (
     BASE_PERMISSION_ASSIGNATION,
     EXTRA_PERMISSION_ASSIGNATION,
+    ROLES_MAP,
+    GET_ACTION,
+    PATCH_ACTION,
+    POST_ACTION,
+    PUT_ACTION,
+    DELETE_ACTION,
 )
-from cornflow.models import ViewModel, PermissionViewRoleModel
+from cornflow.models import ViewModel, PermissionViewRoleModel, RoleModel
 from cornflow.shared import db
 from flask import current_app
 from sqlalchemy.exc import DBAPIError, IntegrityError
@@ -14,6 +20,7 @@ from sqlalchemy.exc import DBAPIError, IntegrityError
 def register_base_permissions_command(external_app: str = None, verbose: bool = False):
     if external_app is None:
         from cornflow.endpoints import resources, alarms_resources
+
         resources_to_register = resources
         if current_app.config["ALARMS_ENDPOINTS"]:
             resources_to_register = resources + alarms_resources
@@ -31,6 +38,21 @@ def register_base_permissions_command(external_app: str = None, verbose: bool =
         (perm.role_id, perm.action_id, perm.api_view_id) for perm in permissions_in_db
     ]
     resources_names = [resource["endpoint"] for resource in resources_to_register]
+    roles_in_db = [role.name for role in RoleModel.get_all_objects()]
+    # Check which roles are not in ROLES_MAP
+    roles_not_in_map = [role for role in roles_in_db if role not in ROLES_MAP.keys()]
+    complete_base_assignation = BASE_PERMISSION_ASSIGNATION.copy()
+    if len(roles_not_in_map) > 0:
+        # We add to the complete_base_assignation the roles that are not in ROLES_MAP
+        for role in roles_not_in_map:
+            for action in [
+                GET_ACTION,
+                PATCH_ACTION,
+                POST_ACTION,
+                PUT_ACTION,
+                DELETE_ACTION,
+            ]:
+                complete_base_assignation.append((role, action))
 
     # Create base permissions
     permissions_in_app = [
@@ -41,7 +63,7 @@ def register_base_permissions_command(external_app: str = None, verbose: bool =
                 "api_view_id": views_in_db[view["endpoint"]],
             }
         )
-        for role, action in BASE_PERMISSION_ASSIGNATION
+        for role, action in complete_base_assignation
         for view in resources_to_register
         if role in view["resource"].ROLES_WITH_ACCESS
     ] + [
@@ -79,9 +101,9 @@ def register_base_permissions_command(external_app: str = None, verbose: bool =
 
     # TODO: for now the permission are not going to get deleted just in case.
     #  We are just going to register new permissions
-    # if len(permissions_to_delete) > 0:
-    #     for permission in permissions_to_delete:
-    #         db.session.delete(permission)
+    if len(permissions_to_delete) > 0:
+        for permission in permissions_to_delete:
+            db.session.delete(permission)
 
     try:
         db.session.commit()

{cornflow-1.2.2 → cornflow-1.2.3a2}/cornflow/shared/const.py

@@ -1,7 +1,7 @@
 """
 In this file we import the values for different constants on cornflow server
 """
-CORNFLOW_VERSION = "1.2.2"
+CORNFLOW_VERSION = "1.2.3a2"
 INTERNAL_TOKEN_ISSUER = "cornflow"
 
 # endpoints responses for health check

{cornflow-1.2.2 → cornflow-1.2.3a2}/cornflow/tests/unit/test_commands.py

@@ -29,6 +29,7 @@ from cornflow.app import (
     register_dag_permissions,
     register_roles,
     register_views,
+    register_base_assignations,
 )
 from cornflow.commands.dag import register_deployed_dags_command_test
 from cornflow.endpoints import resources, alarms_resources
@@ -494,3 +495,149 @@ class TestCommands(TestCase):
             },
         )
         self.assertEqual(403, response.status_code)
+
+    def test_permissions_not_deleted_when_roles_removed_from_code(self):
+        """
+        Test that permissions are NOT deleted when roles are removed from ROLES_WITH_ACCESS.
+
+        This test demonstrates the current bug: when a role is removed from
+        ROLES_WITH_ACCESS in an endpoint's code, the corresponding permissions
+        in the database are not automatically deleted. This happens because
+        the deletion logic in register_base_permissions_command is commented out.
+
+        The test should currently FAIL to demonstrate the bug exists.
+        """
+        # First, initialize the access system normally
+        self.runner.invoke(access_init)
+
+        # Get the original ROLES_WITH_ACCESS for ExampleDataListEndpoint
+        from cornflow.endpoints.example_data import ExampleDataListEndpoint
+
+        original_roles = ExampleDataListEndpoint.ROLES_WITH_ACCESS.copy()
+
+        # Verify initial permissions are created for all three roles
+        # Get the view ID for the endpoint
+        from cornflow.models import ViewModel
+
+        view = ViewModel.query.filter_by(name="example-data").first()
+        self.assertIsNotNone(view, "example-data view should exist")
+
+        # Check permissions exist for all original roles
+        from cornflow.shared.const import ACTIONS_MAP
+        from cornflow.models import PermissionViewRoleModel
+
+        # Check GET action permissions (action_id=1 is typically GET)
+        get_action_id = 1
+        initial_permissions = PermissionViewRoleModel.query.filter_by(
+            api_view_id=view.id, action_id=get_action_id
+        ).all()
+
+        initial_role_ids = [perm.role_id for perm in initial_permissions]
+        self.assertEqual(
+            len(original_roles),
+            len(initial_permissions),
+            f"Should have permissions for all {len(original_roles)} original roles",
+        )
+
+        # Now simulate removing PLANNER_ROLE from ROLES_WITH_ACCESS
+        from cornflow.shared.const import PLANNER_ROLE, VIEWER_ROLE, ADMIN_ROLE
+
+        modified_roles = [VIEWER_ROLE, ADMIN_ROLE]  # Remove PLANNER_ROLE
+
+        # Temporarily modify the ROLES_WITH_ACCESS
+        ExampleDataListEndpoint.ROLES_WITH_ACCESS = modified_roles
+
+        try:
+
+            # Run the permission registration again
+            # (this simulates redeploying the app with modified roles)
+            self.runner.invoke(register_base_assignations, ["-v"])
+
+            # Check permissions after the "code change"
+            updated_permissions = PermissionViewRoleModel.query.filter_by(
+                api_view_id=view.id, action_id=get_action_id
+            ).all()
+
+            updated_role_ids = [perm.role_id for perm in updated_permissions]
+
+            # THIS IS THE BUG: The permission for PLANNER_ROLE should be deleted
+            # but it's not because the deletion logic is commented out
+            # So we expect this assertion to FAIL, demonstrating the bug
+            self.assertEqual(
+                len(modified_roles),
+                len(updated_permissions),
+                f"After removing PLANNER_ROLE from code, should only have {len(modified_roles)} permissions, "
+                f"but still has {len(updated_permissions)} permissions. "
+                f"This demonstrates the bug: permissions are not deleted when roles are removed from ROLES_WITH_ACCESS.",
+            )
+
+            # Also check that PLANNER_ROLE permission was actually removed
+            planner_permissions = [
+                perm for perm in updated_permissions if perm.role_id == PLANNER_ROLE
+            ]
+            self.assertEqual(
+                0,
+                len(planner_permissions),
+                "PLANNER_ROLE permission should have been deleted but still exists",
+            )
+
+        finally:
+            # Restore original ROLES_WITH_ACCESS to avoid affecting other tests
+            ExampleDataListEndpoint.ROLES_WITH_ACCESS = original_roles
+
+    def test_custom_role_permissions_are_preserved(self):
+        """
+        Test that permissions for custom roles (not in ROLES_MAP) are preserved
+        during permission synchronization.
+
+        This test verifies that when permissions are synchronized, only permissions
+        for roles defined in ROLES_MAP are subject to deletion, while custom roles
+        added manually to the database are preserved.
+        """
+        # First, initialize the access system normally
+        self.runner.invoke(access_init)
+
+        # Get a view to work with
+        from cornflow.models import ViewModel, PermissionViewRoleModel, RoleModel
+
+        view = ViewModel.query.filter_by(name="example-data").first()
+        self.assertIsNotNone(view, "example-data view should exist")
+
+        # Create a custom role that is NOT in ROLES_MAP
+        custom_role_id = 999  # Use an ID that's not in ROLES_MAP
+        custom_role = RoleModel({"id": custom_role_id, "name": "custom_role"})
+        custom_role.save()
+
+        # Create a permission for this custom role
+        from cornflow.shared.const import GET_ACTION
+
+        custom_permission = PermissionViewRoleModel(
+            {"role_id": custom_role_id, "action_id": GET_ACTION, "api_view_id": view.id}
+        )
+        custom_permission.save()
+
+        # Verify the custom permission exists
+        custom_perms_before = PermissionViewRoleModel.query.filter_by(
+            role_id=custom_role_id, action_id=GET_ACTION, api_view_id=view.id
+        ).all()
+        self.assertEqual(
+            1, len(custom_perms_before), "Custom permission should exist before sync"
+        )
+
+        # Run permission synchronization (this would previously delete custom role permissions)
+        self.runner.invoke(register_base_assignations, ["-v"])
+
+        # Verify the custom permission still exists after synchronization
+        custom_perms_after = PermissionViewRoleModel.query.filter_by(
+            role_id=custom_role_id, action_id=GET_ACTION, api_view_id=view.id
+        ).all()
+        self.assertEqual(
+            1,
+            len(custom_perms_after),
+            "Custom role permission should be preserved after synchronization. "
+            "Permissions should only be deleted for roles defined in ROLES_MAP.",
+        )
+
+        # Clean up
+        custom_permission.delete()
+        custom_role.delete()

{cornflow-1.2.2 → cornflow-1.2.3a2/cornflow.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cornflow
-Version: 1.2.2
+Version: 1.2.3a2
 Summary: cornflow is an open source multi-solver optimization server with a REST API built using flask.
 Home-page: https://github.com/baobabsoluciones/cornflow
 Author: baobab soluciones
@@ -14,7 +14,7 @@ Requires-Dist: alembic==1.9.2
 Requires-Dist: apispec<=6.3.0
 Requires-Dist: cachetools==5.3.3
 Requires-Dist: click<=8.1.7
-Requires-Dist: cornflow-client>=1.2.2
+Requires-Dist: cornflow-client>=1.2.0
 Requires-Dist: cryptography<=44.0.1
 Requires-Dist: disposable-email-domains>=0.0.86
 Requires-Dist: Flask==2.3.2

{cornflow-1.2.2 → cornflow-1.2.3a2}/cornflow.egg-info/requires.txt

@@ -2,7 +2,7 @@ alembic==1.9.2
 apispec<=6.3.0
 cachetools==5.3.3
 click<=8.1.7
-cornflow-client>=1.2.2
+cornflow-client>=1.2.0
 cryptography<=44.0.1
 disposable-email-domains>=0.0.86
 Flask==2.3.2

{cornflow-1.2.2 → cornflow-1.2.3a2}/requirements.txt

@@ -2,7 +2,7 @@ alembic==1.9.2
 apispec<=6.3.0
 cachetools==5.3.3
 click<=8.1.7
-cornflow-client>=1.2.2
+cornflow-client>=1.2.0
 cryptography<=44.0.1
 disposable-email-domains>=0.0.86
 Flask==2.3.2

{cornflow-1.2.2 → cornflow-1.2.3a2}/setup.py

@@ -9,7 +9,7 @@ with open("requirements.txt", "r") as fh:
 
 setuptools.setup(
     name="cornflow",
-    version="1.2.2",
+    version="1.2.3a2",
     author="baobab soluciones",
     author_email="cornflow@baobabsoluciones.es",
     description="cornflow is an open source multi-solver optimization server with a REST API built using flask.",