PyPI - cornflow - Versions diffs - 1.2.3a3__py3-none-any.whl → 1.2.3a5__py3-none-any.whl - Mend

cornflow 1.2.3a3py3-none-any.whl → 1.2.3a5py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

cornflow/app.py +1 -1
cornflow/cli/roles.py +1 -1
cornflow/cli/service.py +32 -4
cornflow/commands/access.py +14 -3
cornflow/commands/auxiliar.py +106 -0
cornflow/commands/permissions.py +183 -102
cornflow/commands/roles.py +15 -14
cornflow/commands/views.py +171 -41
cornflow/shared/authentication/auth.py +3 -3
cornflow/shared/const.py +1 -1
cornflow/tests/unit/test_commands.py +0 -193
cornflow/tests/unit/test_external_role_creation.py +785 -0
{cornflow-1.2.3a3.dist-info → cornflow-1.2.3a5.dist-info}/METADATA +2 -2
{cornflow-1.2.3a3.dist-info → cornflow-1.2.3a5.dist-info}/RECORD +17 -15
{cornflow-1.2.3a3.dist-info → cornflow-1.2.3a5.dist-info}/WHEEL +0 -0
{cornflow-1.2.3a3.dist-info → cornflow-1.2.3a5.dist-info}/entry_points.txt +0 -0
{cornflow-1.2.3a3.dist-info → cornflow-1.2.3a5.dist-info}/top_level.txt +0 -0

cornflow/commands/views.py CHANGED Viewed

@@ -1,9 +1,11 @@
 # Imports from external libraries
-from flask import current_app
+import sys
 from importlib import import_module
+from flask import current_app
 from sqlalchemy.exc import DBAPIError, IntegrityError
-import sys
+from cornflow.endpoints import resources, alarms_resources
 # Imports from internal libraries
 from cornflow.models import ViewModel
@@ -11,45 +13,21 @@ from cornflow.shared import db
 def register_views_command(external_app: str = None, verbose: bool = False):
+    """
+    Register views for the application.
+    external_app: If provided, it will register the views for the external app.
+    verbose: If True, it will print the views that are being registered.
+    """
+    resources_to_register = get_resources_to_register(external_app)
+    views_registered_urls_all_attributes = get_database_view()
+    views_to_register, views_registered_urls_all_attributes = get_views_to_register(
+        resources_to_register, views_registered_urls_all_attributes
+    )
+    views_to_delete, views_to_update = get_views_to_update_and_delete(
+        resources_to_register, views_registered_urls_all_attributes
+    )
-    if external_app is None:
-        from cornflow.endpoints import resources, alarms_resources
-        resources_to_register = resources
-        if current_app.config["ALARMS_ENDPOINTS"]:
-            resources_to_register = resources + alarms_resources
-    elif external_app is not None:
-        sys.path.append("./")
-        external_module = import_module(external_app)
-        resources_to_register = external_module.endpoints.resources
-    else:
-        resources_to_register = []
-        exit()
-    views_registered = [view.name for view in ViewModel.get_all_objects()]
-    views_to_register = [
-        ViewModel(
-            {
-                "name": view["endpoint"],
-                "url_rule": view["urls"],
-                "description": view["resource"].DESCRIPTION,
-            }
-        )
-        for view in resources_to_register
-        if view["endpoint"] not in views_registered
-    ]
-    if len(views_to_register) > 0:
-        db.session.bulk_save_objects(views_to_register)
-    try:
-        db.session.commit()
-    except IntegrityError as e:
-        db.session.rollback()
-        current_app.logger.error(f"Integrity error on views register: {e}")
-    except DBAPIError as e:
-        db.session.rollback()
-        current_app.logger.error(f"Unknow error on views register: {e}")
+    load_changes_to_db(views_to_delete, views_to_register, views_to_update)
     if "postgres" in str(db.session.get_bind()):
         db.engine.execute(
@@ -68,3 +46,155 @@ def register_views_command(external_app: str = None, verbose: bool = False):
             current_app.logger.info("No new endpoints to be registered")
     return True
+def load_changes_to_db(views_to_delete, views_to_register, views_to_update):
+    """
+    Load changes to the database.
+    views_to_delete: List of views to delete.
+    views_to_register: List of views to register.
+    views_to_update: List of views to update.
+    """
+    if len(views_to_register) > 0:
+        db.session.bulk_save_objects(views_to_register)
+    if len(views_to_update) > 0:
+        db.session.bulk_update_mappings(ViewModel, views_to_update)
+    # If the list views_to_delete is not empty, we will iterate over it and delete the views
+    # If it is empty, we will not delete any view since we are iterating over an empty list
+    for view_id in views_to_delete:
+        view_to_delete = ViewModel.get_one_object(idx=view_id)
+        if view_to_delete:
+            view_to_delete.delete()
+    try:
+        db.session.commit()
+    except IntegrityError as e:
+        db.session.rollback()
+        current_app.logger.error(f"Integrity error on views register: {e}")
+    except DBAPIError as e:
+        db.session.rollback()
+        current_app.logger.error(f"Unknow error on views register: {e}")
+def get_views_to_delete(
+    all_resources_to_register_views_endpoints, views_registered_urls_all_attributes
+):
+    """
+    Get the views to delete.
+    Views to delete: exist in registered views but not in resources to register.
+    """
+    return [
+        view_attrs["id"]
+        for view_name, view_attrs in views_registered_urls_all_attributes.items()
+        if view_name not in all_resources_to_register_views_endpoints
+    ]
+def get_views_to_update(
+    all_resources_to_register_views_endpoints, views_registered_urls_all_attributes
+):
+    """
+    Get the views to update.
+    Views to update: exist in both but with different url_rule or description.
+    """
+    return [
+        {
+            "id": view_attrs["id"],
+            "name": view_name,
+            "url_rule": all_resources_to_register_views_endpoints[view_name][
+                "url_rule"
+            ],
+            "description": all_resources_to_register_views_endpoints[view_name][
+                "description"
+            ],
+        }
+        for view_name, view_attrs in views_registered_urls_all_attributes.items()
+        if view_name in all_resources_to_register_views_endpoints
+        and (
+            view_attrs["url_rule"]
+            != all_resources_to_register_views_endpoints[view_name]["url_rule"]
+            or view_attrs["description"]
+            != all_resources_to_register_views_endpoints[view_name]["description"]
+        )
+    ]
+def get_views_to_update_and_delete(
+    resources_to_register, views_registered_urls_all_attributes
+):
+    """
+    Get the views to update and delete.
+    all_resources_to_register_views_endpoints: Dictionary of all resources to register views endpoints.
+    views_registered_urls_all_attributes: Dictionary of views registered urls all attributes.
+    """
+    all_resources_to_register_views_endpoints = {
+        view["endpoint"]: {
+            "url_rule": view["urls"],
+            "description": view["resource"].DESCRIPTION,
+        }
+        for view in resources_to_register
+    }
+    views_to_delete = get_views_to_delete(
+        all_resources_to_register_views_endpoints, views_registered_urls_all_attributes
+    )
+    views_to_update = get_views_to_update(
+        all_resources_to_register_views_endpoints, views_registered_urls_all_attributes
+    )
+    return views_to_delete, views_to_update
+def get_views_to_register(resources_to_register, views_registered_urls_all_attributes):
+    """
+    Get the views to register.
+    resources_to_register: List of resources to register.
+    """
+    views_to_register = [
+        ViewModel(
+            {
+                "name": view["endpoint"],
+                "url_rule": view["urls"],
+                "description": view["resource"].DESCRIPTION,
+            }
+        )
+        for view in resources_to_register
+        if view["endpoint"] not in views_registered_urls_all_attributes.keys()
+    ]
+    return views_to_register, views_registered_urls_all_attributes
+def get_database_view():
+    """
+    Get the database views.
+    """
+    views_registered_urls_all_attributes = {
+        view.name: {
+            "url_rule": view.url_rule,
+            "description": view.description,
+            "id": view.id,
+        }
+        for view in ViewModel.get_all_objects()
+    }
+    return views_registered_urls_all_attributes
+def get_resources_to_register(external_app):
+    if external_app is None:
+        resources_to_register = resources
+        if current_app.config["ALARMS_ENDPOINTS"]:
+            resources_to_register = resources + alarms_resources
+            current_app.logger.info(" ALARMS ENDPOINTS ENABLED ")
+    else:
+        current_app.logger.info(f" USING EXTERNAL APP: {external_app} ")
+        sys.path.append("./")
+        external_module = import_module(external_app)
+        if current_app.config["ALARMS_ENDPOINTS"]:
+            resources_to_register = (
+                external_module.endpoints.resources + resources + alarms_resources
+            )
+        else:
+            resources_to_register = external_module.endpoints.resources + resources
+    return resources_to_register

cornflow/shared/authentication/auth.py CHANGED Viewed

@@ -396,10 +396,10 @@ class Auth:
                 "The permission for this endpoint is not in the database."
             )
             raise NoPermission(
-                error="You do not have permission to access this endpoint",
+                error="The permission for this endpoint is not in the database.",
                 status_code=403,
                 log_txt=f"Error while user {user_id} tries to access endpoint. "
-                f"The user does not permission to access. ",
+                f"The permission for this endpoint is not in the database.",
             )
         for role in user_roles:
@@ -414,7 +414,7 @@ class Auth:
             error="You do not have permission to access this endpoint",
             status_code=403,
             log_txt=f"Error while user {user_id} tries to access endpoint {view_id} with action {action_id}. "
-            f"The user does not permission to access. ",
+            f"The user does not have permission to access. ",
         )
     @staticmethod

cornflow/shared/const.py CHANGED Viewed

@@ -1,7 +1,7 @@
 """
 In this file we import the values for different constants on cornflow server
 """
-CORNFLOW_VERSION = "1.2.3a3"
+CORNFLOW_VERSION = "1.2.3.a5"
 INTERNAL_TOKEN_ISSUER = "cornflow"
 # endpoints responses for health check

cornflow/tests/unit/test_commands.py CHANGED Viewed

@@ -29,7 +29,6 @@ from cornflow.app import (
     register_dag_permissions,
     register_roles,
     register_views,
-    register_base_assignations,
 )
 from cornflow.commands.dag import register_deployed_dags_command_test
 from cornflow.endpoints import resources, alarms_resources
@@ -495,195 +494,3 @@ class TestCommands(TestCase):
             },
         )
         self.assertEqual(403, response.status_code)
-    def test_permissions_not_deleted_when_roles_removed_from_code(self):
-        """
-        Test that permissions are NOT deleted when roles are removed from ROLES_WITH_ACCESS.
-        This test demonstrates the current bug: when a role is removed from
-        ROLES_WITH_ACCESS in an endpoint's code, the corresponding permissions
-        in the database are not automatically deleted. This happens because
-        the deletion logic in register_base_permissions_command is commented out.
-        The test should currently FAIL to demonstrate the bug exists.
-        """
-        # First, initialize the access system normally
-        self.runner.invoke(access_init)
-        # Get the original ROLES_WITH_ACCESS for ExampleDataListEndpoint
-        from cornflow.endpoints.example_data import ExampleDataListEndpoint
-        original_roles = ExampleDataListEndpoint.ROLES_WITH_ACCESS.copy()
-        # Verify initial permissions are created for all three roles
-        # Get the view ID for the endpoint
-        from cornflow.models import ViewModel
-        view = ViewModel.query.filter_by(name="example-data").first()
-        self.assertIsNotNone(view, "example-data view should exist")
-        # Check permissions exist for all original roles
-        from cornflow.shared.const import ACTIONS_MAP
-        from cornflow.models import PermissionViewRoleModel
-        # Check GET action permissions (action_id=1 is typically GET)
-        get_action_id = 1
-        initial_permissions = PermissionViewRoleModel.query.filter_by(
-            api_view_id=view.id, action_id=get_action_id
-        ).all()
-        initial_role_ids = [perm.role_id for perm in initial_permissions]
-        self.assertEqual(
-            len(original_roles),
-            len(initial_permissions),
-            f"Should have permissions for all {len(original_roles)} original roles",
-        )
-        # Now simulate removing PLANNER_ROLE from ROLES_WITH_ACCESS
-        from cornflow.shared.const import PLANNER_ROLE, VIEWER_ROLE, ADMIN_ROLE
-        modified_roles = [VIEWER_ROLE, ADMIN_ROLE]  # Remove PLANNER_ROLE
-        # Temporarily modify the ROLES_WITH_ACCESS
-        ExampleDataListEndpoint.ROLES_WITH_ACCESS = modified_roles
-        try:
-            # Run the permission registration again
-            # (this simulates redeploying the app with modified roles)
-            self.runner.invoke(register_base_assignations, ["-v"])
-            # Check permissions after the "code change"
-            updated_permissions = PermissionViewRoleModel.query.filter_by(
-                api_view_id=view.id, action_id=get_action_id
-            ).all()
-            updated_role_ids = [perm.role_id for perm in updated_permissions]
-            # THIS IS THE BUG: The permission for PLANNER_ROLE should be deleted
-            # but it's not because the deletion logic is commented out
-            # So we expect this assertion to FAIL, demonstrating the bug
-            self.assertEqual(
-                len(modified_roles),
-                len(updated_permissions),
-                f"After removing PLANNER_ROLE from code, should only have {len(modified_roles)} permissions, "
-                f"but still has {len(updated_permissions)} permissions. "
-                f"This demonstrates the bug: permissions are not deleted when roles are removed from ROLES_WITH_ACCESS.",
-            )
-            # Also check that PLANNER_ROLE permission was actually removed
-            planner_permissions = [
-                perm for perm in updated_permissions if perm.role_id == PLANNER_ROLE
-            ]
-            self.assertEqual(
-                0,
-                len(planner_permissions),
-                "PLANNER_ROLE permission should have been deleted but still exists",
-            )
-        finally:
-            # Restore original ROLES_WITH_ACCESS to avoid affecting other tests
-            ExampleDataListEndpoint.ROLES_WITH_ACCESS = original_roles
-    def test_custom_role_permissions_are_preserved(self):
-        """
-        Test that custom roles (not in ROLES_MAP) are automatically detected
-        and assigned complete permissions during synchronization.
-        This test verifies that when permissions are synchronized:
-        1. Custom roles in the database are automatically detected
-        2. They are assigned all actions (GET, PATCH, POST, PUT, DELETE)
-        3. These permissions are created for all endpoints where the role has access
-        """
-        # First, initialize the access system normally
-        self.runner.invoke(access_init)
-        # Get a view to work with
-        from cornflow.models import ViewModel, PermissionViewRoleModel, RoleModel
-        view = ViewModel.query.filter_by(name="example-data").first()
-        self.assertIsNotNone(view, "example-data view should exist")
-        # Create a custom role that is NOT in ROLES_MAP
-        custom_role_id = 999  # Use an ID that's not in ROLES_MAP
-        custom_role = RoleModel({"id": custom_role_id, "name": "custom_role"})
-        custom_role.save()
-        # Temporarily add the custom role to ExampleDataListEndpoint ROLES_WITH_ACCESS
-        from cornflow.endpoints.example_data import ExampleDataListEndpoint
-        original_roles = ExampleDataListEndpoint.ROLES_WITH_ACCESS.copy()
-        ExampleDataListEndpoint.ROLES_WITH_ACCESS = original_roles + [custom_role_id]
-        try:
-            # Count permissions before synchronization
-            perms_before = PermissionViewRoleModel.query.filter_by(
-                role_id=custom_role_id, api_view_id=view.id
-            ).count()
-            self.assertEqual(
-                0, perms_before, "No custom permissions should exist initially"
-            )
-            # Run permission synchronization - this should auto-detect the custom role
-            self.runner.invoke(register_base_assignations, ["-v"])
-            # Verify that ALL actions have been assigned to the custom role
-            from cornflow.shared.const import (
-                GET_ACTION,
-                PATCH_ACTION,
-                POST_ACTION,
-                PUT_ACTION,
-                DELETE_ACTION,
-            )
-            expected_actions = [
-                GET_ACTION,
-                PATCH_ACTION,
-                POST_ACTION,
-                PUT_ACTION,
-                DELETE_ACTION,
-            ]
-            for action in expected_actions:
-                permission = PermissionViewRoleModel.query.filter_by(
-                    role_id=custom_role_id, action_id=action, api_view_id=view.id
-                ).first()
-                self.assertIsNotNone(
-                    permission,
-                    f"Custom role should have permission for action {action}. "
-                    f"The system should auto-detect custom roles and assign complete permissions.",
-                )
-            # Verify total count of permissions for custom role
-            total_perms = PermissionViewRoleModel.query.filter_by(
-                role_id=custom_role_id, api_view_id=view.id
-            ).count()
-            self.assertEqual(
-                len(expected_actions),
-                total_perms,
-                f"Custom role should have {len(expected_actions)} permissions (all actions)",
-            )
-            # Test that running sync again doesn't duplicate permissions
-            self.runner.invoke(register_base_assignations, ["-v"])
-            total_perms_after_second_sync = PermissionViewRoleModel.query.filter_by(
-                role_id=custom_role_id, api_view_id=view.id
-            ).count()
-            self.assertEqual(
-                len(expected_actions),
-                total_perms_after_second_sync,
-                "Permissions should not be duplicated on subsequent syncs",
-            )
-        finally:
-            # Clean up
-            # Delete permissions first (due to foreign key constraints)
-            permissions_to_delete = PermissionViewRoleModel.query.filter_by(
-                role_id=custom_role_id
-            ).all()
-            for perm in permissions_to_delete:
-                perm.delete()
-            custom_role.delete()
-            # Restore original ROLES_WITH_ACCESS
-            ExampleDataListEndpoint.ROLES_WITH_ACCESS = original_roles

cornflow 1.2.3a3__py3-none-any.whl → 1.2.3a5__py3-none-any.whl

cornflow 1.2.3a3py3-none-any.whl → 1.2.3a5py3-none-any.whl