cornflow 1.2.3a4__tar.gz → 1.2.3a5__tar.gz

{cornflow-1.2.3a4/cornflow.egg-info → cornflow-1.2.3a5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cornflow
-Version: 1.2.3a4
+Version: 1.2.3a5
 Summary: cornflow is an open source multi-solver optimization server with a REST API built using flask.
 Home-page: https://github.com/baobabsoluciones/cornflow
 Author: baobab soluciones
@@ -14,7 +14,7 @@ Requires-Dist: alembic==1.9.2
 Requires-Dist: apispec<=6.3.0
 Requires-Dist: cachetools==5.3.3
 Requires-Dist: click<=8.1.7
-Requires-Dist: cornflow-client>=1.2.3.a4
+Requires-Dist: cornflow-client>=1.2.3.a5
 Requires-Dist: cryptography<=44.0.1
 Requires-Dist: disposable-email-domains>=0.0.86
 Requires-Dist: Flask==2.3.2

{cornflow-1.2.3a4 → cornflow-1.2.3a5}/cornflow/commands/auxiliar.py

@@ -14,12 +14,13 @@ from cornflow.shared.const import ROLES_MAP
 
 def get_all_external(external_app):
     """
-    Get all resources and extra permissions.
+    Get all resources, extra permissions, and custom roles actions.
     external_app: If provided, it will get the resources and extra permissions for the external app.
     """
     if external_app is None:
         resources_to_register = resources
         extra_permissions = EXTRA_PERMISSION_ASSIGNATION
+        custom_roles_actions = {}
         if current_app.config["ALARMS_ENDPOINTS"]:
             resources_to_register = resources + alarms_resources
     else:
@@ -33,13 +34,18 @@ def get_all_external(external_app):
         except AttributeError:
             extra_permissions = EXTRA_PERMISSION_ASSIGNATION
 
+        try:
+            custom_roles_actions = external_module.shared.const.CUSTOM_ROLES_ACTIONS
+        except AttributeError:
+            custom_roles_actions = {}
+
         if current_app.config["ALARMS_ENDPOINTS"]:
             resources_to_register = (
                 external_module.endpoints.resources + resources + alarms_resources
             )
         else:
             resources_to_register = external_module.endpoints.resources + resources
-    return resources_to_register, extra_permissions
+    return resources_to_register, extra_permissions, custom_roles_actions
 
 
 def get_all_resources(resources_to_register):

{cornflow-1.2.3a4 → cornflow-1.2.3a5}/cornflow/commands/permissions.py

@@ -19,15 +19,22 @@ def register_base_permissions_command(external_app: str = None, verbose: bool =
     external_app: If provided, it will register the permissions for the external app.
     verbose: If True, it will print the permissions that are being registered.
     """
-    # Get all resources and extra permissions
-    resources_to_register, extra_permissions = get_all_external(external_app)
+    # Get all resources, extra permissions, and custom roles actions
+    resources_to_register, extra_permissions, custom_roles_actions = get_all_external(
+        external_app
+    )
+
     # Get all views in the database
     views_in_db = {view.name: view.id for view in ViewModel.get_all_objects()}
     permissions_in_db, permissions_in_db_keys = get_db_permissions()
+
     # Get all resources and roles with access
     resources_roles_with_access = get_all_resources(resources_to_register)
+
     # Get the new roles and base permissions assignation
-    base_permissions_assignation = get_base_permissions(resources_roles_with_access)
+    base_permissions_assignation = get_base_permissions(
+        resources_roles_with_access, custom_roles_actions
+    )
     # Get the permissions to register and delete
     permissions_tuples = get_permissions_in_code_as_tuples(
         resources_to_register,
@@ -165,11 +172,11 @@ def get_permissions_in_code_as_tuples(
     return permissions_tuples
 
 
-def get_base_permissions(resources_roles_with_access):
+def get_base_permissions(resources_roles_with_access, custom_roles_actions):
     """
     Get the new roles and base permissions assignation.
-    new_roles_to_add: List of new roles to add.
     resources_roles_with_access: Dictionary of resources and roles with access.
+    custom_roles_actions: Dictionary mapping custom roles to their allowed actions.
     """
     # Get all custom roles (both new and existing) that appear in ROLES_WITH_ACCESS
     all_custom_roles_in_access = set(
@@ -181,12 +188,24 @@ def get_base_permissions(resources_roles_with_access):
         ]
     )
 
+    # Validate that all custom roles are defined in custom_roles_actions
+    undefined_roles = all_custom_roles_in_access - set(custom_roles_actions.keys())
+    if undefined_roles:
+        raise ValueError(
+            f"The following custom roles are used in code but not defined in CUSTOM_ROLES_ACTIONS: {undefined_roles}. "
+            f"Please define their allowed actions in the CUSTOM_ROLES_ACTIONS dictionary in shared/const.py."
+        )
+
     # Create extended permission assignation including all custom roles
-    # For custom roles (not in ALL_DEFAULT_ROLES), only grant GET access
-    base_permissions_assignation = BASE_PERMISSION_ASSIGNATION + [
-        (custom_role, GET_ACTION) for custom_role in all_custom_roles_in_access
+    # For custom roles, use the actions defined in custom_roles_actions
+    custom_permissions = [
+        (custom_role, action)
+        for custom_role in all_custom_roles_in_access
+        for action in custom_roles_actions[custom_role]
     ]
 
+    base_permissions_assignation = BASE_PERMISSION_ASSIGNATION + custom_permissions
+
     return base_permissions_assignation
 
 

{cornflow-1.2.3a4 → cornflow-1.2.3a5}/cornflow/commands/roles.py

@@ -10,7 +10,7 @@ def register_roles_command(external_app: str = None, verbose: bool = True):
         get_new_roles_to_add,
     )
 
-    resources_to_register, extra_permissions = get_all_external(external_app)
+    resources_to_register, extra_permissions, _ = get_all_external(external_app)
     resources_roles_with_access = get_all_resources(resources_to_register)
     new_roles_to_add = get_new_roles_to_add(
         extra_permissions, resources_roles_with_access

{cornflow-1.2.3a4 → cornflow-1.2.3a5}/cornflow/shared/const.py

@@ -1,7 +1,7 @@
 """
 In this file we import the values for different constants on cornflow server
 """
-CORNFLOW_VERSION = "1.2.3.a4"
+CORNFLOW_VERSION = "1.2.3.a5"
 INTERNAL_TOKEN_ISSUER = "cornflow"
 
 # endpoints responses for health check

{cornflow-1.2.3a4 → cornflow-1.2.3a5}/cornflow/tests/unit/test_external_role_creation.py

@@ -13,6 +13,7 @@ from cornflow.shared.const import (
     PATCH_ACTION,
     DELETE_ACTION,
     GET_ACTION,
+    PUT_ACTION,
 )
 
 
@@ -106,6 +107,13 @@ class ExternalRoleCreationTestCase(CustomTestCase):
             (VIEWER_ROLE, POST_ACTION, "scheduling_optimizer"),
             (PLANNER_ROLE, DELETE_ACTION, "quality_control"),
         ]
+        # Define permissions for custom roles used in endpoints
+        mock_const.CUSTOM_ROLES_ACTIONS = {
+            # Default permission for role 888
+            888: [GET_ACTION],
+            # Default permission for role 777
+            777: [GET_ACTION],
+        }
         mock_shared.const = mock_const
         mock_external_app.shared = mock_shared
 
@@ -206,6 +214,17 @@ class ExternalRoleCreationTestCase(CustomTestCase):
             (10000, POST_ACTION, "production_planning"),
             (999, PATCH_ACTION, "quality_control"),
         ]
+        # Define permissions for custom roles used in endpoints (888, 777) and test roles (10000, 999)
+        mock_const.CUSTOM_ROLES_ACTIONS = {
+            # Used in endpoints
+            888: [GET_ACTION],
+            # Used in endpoints
+            777: [GET_ACTION],
+            # Used in test
+            10000: [GET_ACTION],
+            # Used in test
+            999: [GET_ACTION],
+        }
         mock_shared.const = mock_const
         mock_external_app.shared = mock_shared
 
@@ -224,6 +243,7 @@ class ExternalRoleCreationTestCase(CustomTestCase):
         mock_const.EXTRA_PERMISSION_ASSIGNATION = [
             (10000, POST_ACTION, "production_planning"),
         ]
+        # Keep the same CUSTOM_ROLES_ACTIONS (role definitions don't change)
 
         # Re-run permissions registration
         access_init_command(verbose=True)
@@ -266,6 +286,13 @@ class ExternalRoleCreationTestCase(CustomTestCase):
         mock_const = MagicMock()
         # Don't set EXTRA_PERMISSION_ASSIGNATION to trigger AttributeError
         del mock_const.EXTRA_PERMISSION_ASSIGNATION
+        # Define permissions for custom roles used in endpoints
+        mock_const.CUSTOM_ROLES_ACTIONS = {
+            # Used in endpoints
+            888: [GET_ACTION],
+            # Used in endpoints
+            777: [GET_ACTION],
+        }
         mock_shared.const = mock_const
         mock_external_app.shared = mock_shared
 
@@ -304,6 +331,13 @@ class ExternalRoleCreationTestCase(CustomTestCase):
             (VIEWER_ROLE, POST_ACTION, "production_planning"),  # Extend standard role
             (PLANNER_ROLE, DELETE_ACTION, "quality_control"),  # Extend standard role
         ]
+        # Define permissions for custom roles used in endpoints
+        mock_const.CUSTOM_ROLES_ACTIONS = {
+            # Used in endpoints
+            888: [GET_ACTION],
+            # Used in endpoints
+            777: [GET_ACTION],
+        }
         mock_shared.const = mock_const
         mock_external_app.shared = mock_shared
 
@@ -385,6 +419,13 @@ class ExternalRoleCreationTestCase(CustomTestCase):
         mock_shared_initial = MagicMock()
         mock_const_initial = MagicMock()
         mock_const_initial.EXTRA_PERMISSION_ASSIGNATION = []
+        # Define permissions for custom roles used in test endpoints
+        mock_const_initial.CUSTOM_ROLES_ACTIONS = {
+            # Used in test endpoints
+            888: [GET_ACTION],
+            # Used in test endpoints
+            777: [GET_ACTION],
+        }
         mock_shared_initial.const = mock_const_initial
         mock_external_app_initial.shared = mock_shared_initial
 
@@ -459,6 +500,13 @@ class ExternalRoleCreationTestCase(CustomTestCase):
         mock_shared_updated = MagicMock()
         mock_const_updated = MagicMock()
         mock_const_updated.EXTRA_PERMISSION_ASSIGNATION = []  # Empty list
+        # Define permissions for custom roles used in test endpoints
+        mock_const_updated.CUSTOM_ROLES_ACTIONS = {
+            # Used in test endpoints
+            888: [GET_ACTION],
+            # Used in test endpoints
+            777: [GET_ACTION],
+        }
         mock_shared_updated.const = mock_const_updated
         mock_external_app_updated.shared = mock_shared_updated
 
@@ -534,6 +582,204 @@ class ExternalRoleCreationTestCase(CustomTestCase):
             f"Permissions for remaining views should still exist. Found views: {set(all_view_names)}",
         )
 
+    @patch("cornflow.commands.auxiliar.import_module")
+    @patch("cornflow.commands.views.import_module")
+    @patch.dict(
+        os.environ, {"EXTERNAL_APP": "1", "EXTERNAL_APP_MODULE": "external_test_app"}
+    )
+    def test_custom_roles_actions_success(
+        self, mock_import_views, mock_import_auxiliar
+    ):
+        """
+        Test that custom roles get their defined actions from CUSTOM_ROLES_ACTIONS
+        """
+        # Mock external app configuration
+        mock_external_app = MagicMock()
+
+        # Mock the shared.const module with CUSTOM_ROLES_ACTIONS
+        mock_shared = MagicMock()
+        mock_const = MagicMock()
+        mock_const.EXTRA_PERMISSION_ASSIGNATION = []
+        # Define custom roles actions
+        mock_const.CUSTOM_ROLES_ACTIONS = {
+            # Custom role with multiple actions
+            888: [
+                GET_ACTION,
+                POST_ACTION,
+                PUT_ACTION,
+            ],
+            # Another custom role with different actions
+            777: [
+                GET_ACTION,
+                PATCH_ACTION,
+            ],
+        }
+        mock_shared.const = mock_const
+        mock_external_app.shared = mock_shared
+
+        # Mock the endpoints.resources with fake external app endpoints
+        mock_endpoints = MagicMock()
+        mock_endpoints.resources = self._create_mock_external_app_resources()
+        mock_external_app.endpoints = mock_endpoints
+
+        mock_import_views.return_value = mock_external_app
+        mock_import_auxiliar.return_value = mock_external_app
+
+        # Mock the database session for testing
+        with patch.object(db.session, "commit"):
+            with patch.object(db.session, "rollback"):
+                # Run the complete access initialization
+                access_init_command(verbose=True)
+
+                # Verify that custom permissions were created with the correct actions
+                from cornflow.models import PermissionViewRoleModel
+
+                # Get all permissions for role 888
+                permissions_888 = PermissionViewRoleModel.query.filter_by(
+                    role_id=888
+                ).all()
+                actions_888 = {perm.action_id for perm in permissions_888}
+
+                # Get all permissions for role 777
+                permissions_777 = PermissionViewRoleModel.query.filter_by(
+                    role_id=777
+                ).all()
+                actions_777 = {perm.action_id for perm in permissions_777}
+
+                # Verify role 888 has GET, POST, PUT actions
+                expected_actions_888 = {GET_ACTION, POST_ACTION, PUT_ACTION}
+                self.assertTrue(
+                    expected_actions_888.issubset(actions_888),
+                    f"Role 888 should have actions {expected_actions_888}, but got {actions_888}",
+                )
+
+                # Verify role 777 has GET, PATCH actions
+                expected_actions_777 = {GET_ACTION, PATCH_ACTION}
+                self.assertTrue(
+                    expected_actions_777.issubset(actions_777),
+                    f"Role 777 should have actions {expected_actions_777}, but got {actions_777}",
+                )
+
+                # Verify that role 888 does NOT have actions that were not defined
+                # We check that no DELETE or PATCH actions exist for role 888
+                forbidden_actions_888 = {DELETE_ACTION, PATCH_ACTION}
+                actual_forbidden_888 = actions_888.intersection(forbidden_actions_888)
+                self.assertEqual(
+                    len(actual_forbidden_888),
+                    0,
+                    f"Role 888 should not have actions {forbidden_actions_888}, but found {actual_forbidden_888}",
+                )
+
+                # Verify that role 777 does NOT have actions that were not defined
+                # We check that no POST, PUT, DELETE actions exist for role 777
+                forbidden_actions_777 = {POST_ACTION, PUT_ACTION, DELETE_ACTION}
+                actual_forbidden_777 = actions_777.intersection(forbidden_actions_777)
+                self.assertEqual(
+                    len(actual_forbidden_777),
+                    0,
+                    f"Role 777 should not have actions {forbidden_actions_777}, but found {actual_forbidden_777}",
+                )
+
+    @patch("cornflow.commands.auxiliar.import_module")
+    @patch("cornflow.commands.views.import_module")
+    @patch.dict(
+        os.environ, {"EXTERNAL_APP": "1", "EXTERNAL_APP_MODULE": "external_test_app"}
+    )
+    def test_custom_roles_actions_error_on_undefined_role(
+        self, mock_import_views, mock_import_auxiliar
+    ):
+        """
+        Test that an error is raised when a custom role is used but not defined in CUSTOM_ROLES_ACTIONS
+        """
+        # Mock external app configuration
+        mock_external_app = MagicMock()
+
+        # Mock the shared.const module with CUSTOM_ROLES_ACTIONS that doesn't include role 888
+        mock_shared = MagicMock()
+        mock_const = MagicMock()
+        mock_const.EXTRA_PERMISSION_ASSIGNATION = []
+        # Define custom roles permissions but MISSING role 888 which is used in endpoints
+        mock_const.CUSTOM_ROLES_ACTIONS = {
+            # Only define role 777, but role 888 is used in endpoints
+            777: [
+                GET_ACTION,
+                PATCH_ACTION,
+            ],
+        }
+        mock_shared.const = mock_const
+        mock_external_app.shared = mock_shared
+
+        # Mock the endpoints.resources with fake external app endpoints that use role 888
+        mock_endpoints = MagicMock()
+        mock_endpoints.resources = (
+            self._create_mock_external_app_resources()
+        )  # This includes role 888
+        mock_external_app.endpoints = mock_endpoints
+
+        mock_import_views.return_value = mock_external_app
+        mock_import_auxiliar.return_value = mock_external_app
+
+        # Verify that a ValueError is raised for undefined role 888
+        with self.assertRaises(ValueError) as context:
+            access_init_command(verbose=True)
+
+        # Verify the error message contains the undefined role
+        error_message = str(context.exception)
+        self.assertIn("888", error_message)
+        self.assertIn("CUSTOM_ROLES_ACTIONS", error_message)
+        self.assertIn("not defined", error_message)
+
+    @patch("cornflow.commands.auxiliar.import_module")
+    @patch("cornflow.commands.views.import_module")
+    @patch.dict(
+        os.environ, {"EXTERNAL_APP": "1", "EXTERNAL_APP_MODULE": "external_test_app"}
+    )
+    def test_custom_roles_actions_fallback_when_not_defined(
+        self, mock_import_views, mock_import_auxiliar
+    ):
+        """
+        Test that the system falls back gracefully when CUSTOM_ROLES_ACTIONS is not defined
+        but no custom roles are used
+        """
+        # Mock external app configuration
+        mock_external_app = MagicMock()
+
+        # Mock the shared.const module WITHOUT CUSTOM_ROLES_ACTIONS
+        mock_shared = MagicMock()
+        mock_const = MagicMock()
+        mock_const.EXTRA_PERMISSION_ASSIGNATION = []
+        # Don't set CUSTOM_ROLES_ACTIONS to trigger AttributeError
+        # This simulates an external app that doesn't define the new constant
+        mock_shared.const = mock_const
+        mock_external_app.shared = mock_shared
+
+        # Mock endpoints that only use standard roles (no custom roles)
+        mock_production_endpoint = MagicMock()
+        # Only standard role
+        mock_production_endpoint.ROLES_WITH_ACCESS = [PLANNER_ROLE]
+        mock_production_endpoint.DESCRIPTION = "Production planning endpoint"
+
+        mock_resources = [
+            {
+                "endpoint": "production_planning",
+                "urls": "/production-planning/",
+                "resource": mock_production_endpoint,
+            }
+        ]
+
+        mock_endpoints = MagicMock()
+        mock_endpoints.resources = mock_resources
+        mock_external_app.endpoints = mock_endpoints
+
+        mock_import_views.return_value = mock_external_app
+        mock_import_auxiliar.return_value = mock_external_app
+
+        # Should not raise any exceptions since no custom roles are used
+        try:
+            access_init_command(verbose=True)
+        except Exception as e:
+            self.fail(f"access_init_command raised an exception when it shouldn't: {e}")
+
 
 if __name__ == "__main__":
     unittest.main()

{cornflow-1.2.3a4 → cornflow-1.2.3a5/cornflow.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cornflow
-Version: 1.2.3a4
+Version: 1.2.3a5
 Summary: cornflow is an open source multi-solver optimization server with a REST API built using flask.
 Home-page: https://github.com/baobabsoluciones/cornflow
 Author: baobab soluciones
@@ -14,7 +14,7 @@ Requires-Dist: alembic==1.9.2
 Requires-Dist: apispec<=6.3.0
 Requires-Dist: cachetools==5.3.3
 Requires-Dist: click<=8.1.7
-Requires-Dist: cornflow-client>=1.2.3.a4
+Requires-Dist: cornflow-client>=1.2.3.a5
 Requires-Dist: cryptography<=44.0.1
 Requires-Dist: disposable-email-domains>=0.0.86
 Requires-Dist: Flask==2.3.2

{cornflow-1.2.3a4 → cornflow-1.2.3a5}/cornflow.egg-info/requires.txt

@@ -2,7 +2,7 @@ alembic==1.9.2
 apispec<=6.3.0
 cachetools==5.3.3
 click<=8.1.7
-cornflow-client>=1.2.3.a4
+cornflow-client>=1.2.3.a5
 cryptography<=44.0.1
 disposable-email-domains>=0.0.86
 Flask==2.3.2

{cornflow-1.2.3a4 → cornflow-1.2.3a5}/requirements.txt

@@ -2,7 +2,7 @@ alembic==1.9.2
 apispec<=6.3.0
 cachetools==5.3.3
 click<=8.1.7
-cornflow-client>=1.2.3.a4
+cornflow-client>=1.2.3.a5
 cryptography<=44.0.1
 disposable-email-domains>=0.0.86
 Flask==2.3.2

{cornflow-1.2.3a4 → cornflow-1.2.3a5}/setup.py

@@ -9,7 +9,7 @@ with open("requirements.txt", "r") as fh:
 
 setuptools.setup(
     name="cornflow",
-    version="1.2.3.a4",
+    version="1.2.3.a5",
     author="baobab soluciones",
     author_email="cornflow@baobabsoluciones.es",
     description="cornflow is an open source multi-solver optimization server with a REST API built using flask.",