fractal-server 2.16.5__py3-none-any.whl → 2.17.0__py3-none-any.whl

fractal_server/app/routes/auth/oauth.py

@@ -1,50 +1,66 @@
 from fastapi import APIRouter
+from httpx_oauth.clients.github import GitHubOAuth2
+from httpx_oauth.clients.google import GoogleOAuth2
+from httpx_oauth.clients.openid import OpenID
+from httpx_oauth.clients.openid import OpenIDConfigurationError
 
 from . import cookie_backend
 from . import fastapi_users
-from ....config import get_settings
-from ....syringe import Inject
+from fractal_server.config import get_oauth_settings
+from fractal_server.config import get_settings
+from fractal_server.config import OAuthSettings
+from fractal_server.syringe import Inject
 
-router_oauth = APIRouter()
 
+def _create_client_github(cfg: OAuthSettings) -> GitHubOAuth2:
+    return GitHubOAuth2(
+        client_id=cfg.OAUTH_CLIENT_ID.get_secret_value(),
+        client_secret=cfg.OAUTH_CLIENT_SECRET.get_secret_value(),
+    )
 
-# OAUTH CLIENTS
 
-# NOTE: settings.OAUTH_CLIENTS are collected by
-# Settings.collect_oauth_clients(). If no specific client is specified in the
-# environment variables (e.g. by setting OAUTH_FOO_CLIENT_ID and
-# OAUTH_FOO_CLIENT_SECRET), this list is empty
+def _create_client_google(cfg: OAuthSettings) -> GoogleOAuth2:
+    return GoogleOAuth2(
+        client_id=cfg.OAUTH_CLIENT_ID.get_secret_value(),
+        client_secret=cfg.OAUTH_CLIENT_SECRET.get_secret_value(),
+    )
 
-# FIXME:Dependency injection should be wrapped within a function call to make
-# it truly lazy. This function could then be called on startup of the FastAPI
-# app (cf. fractal_server.main)
-settings = Inject(get_settings)
 
-for client_config in settings.OAUTH_CLIENTS_CONFIG:
-    client_name = client_config.CLIENT_NAME.lower()
+def _create_client_oidc(cfg: OAuthSettings) -> OpenID:
+    try:
+        open_id = OpenID(
+            client_id=cfg.OAUTH_CLIENT_ID.get_secret_value(),
+            client_secret=cfg.OAUTH_CLIENT_SECRET.get_secret_value(),
+            openid_configuration_endpoint=cfg.OAUTH_OIDC_CONFIG_ENDPOINT.get_secret_value(),  # noqa
+        )
+    except OpenIDConfigurationError as e:
+        OAUTH_OIDC_CONFIG_ENDPOINT = (
+            cfg.OAUTH_OIDC_CONFIG_ENDPOINT.get_secret_value()
+        )
+        raise RuntimeError(
+            f"Cannot initialize OpenID client. Original error: '{e}'. "
+            f"Hint: is {OAUTH_OIDC_CONFIG_ENDPOINT=} reachable?"
+        )
+    return open_id
 
-    if client_name == "google":
-        from httpx_oauth.clients.google import GoogleOAuth2
 
-        client = GoogleOAuth2(
-            client_config.CLIENT_ID,
-            client_config.CLIENT_SECRET.get_secret_value(),
-        )
-    elif client_name == "github":
-        from httpx_oauth.clients.github import GitHubOAuth2
+def get_oauth_router() -> APIRouter | None:
+    """
+    Get the `APIRouter` object for OAuth endpoints.
+    """
+    router_oauth = APIRouter()
+    settings = Inject(get_settings)
+    oauth_settings = Inject(get_oauth_settings)
+    if not oauth_settings.is_set:
+        return None
 
-        client = GitHubOAuth2(
-            client_config.CLIENT_ID,
-            client_config.CLIENT_SECRET.get_secret_value(),
-        )
+    client_name = oauth_settings.OAUTH_CLIENT_NAME
+    if client_name == "google":
+        client = _create_client_google(oauth_settings)
+    elif client_name == "github":
+        client = _create_client_github(oauth_settings)
     else:
-        from httpx_oauth.clients.openid import OpenID
-
-        client = OpenID(
-            client_config.CLIENT_ID,
-            client_config.CLIENT_SECRET.get_secret_value(),
-            client_config.OIDC_CONFIGURATION_ENDPOINT,
-        )
+        client = _create_client_oidc(oauth_settings)
 
     router_oauth.include_router(
         fastapi_users.get_oauth_router(
@@ -53,13 +69,14 @@ for client_config in settings.OAUTH_CLIENTS_CONFIG:
             settings.JWT_SECRET_KEY,
             is_verified_by_default=False,
             associate_by_email=True,
-            redirect_url=client_config.REDIRECT_URL,
+            redirect_url=oauth_settings.OAUTH_REDIRECT_URL,
         ),
         prefix=f"/{client_name}",
     )
 
+    # Add trailing slash to all routes' paths
+    for route in router_oauth.routes:
+        if not route.path.endswith("/"):
+            route.path = f"{route.path}/"
 
-# Add trailing slash to all routes' paths
-for route in router_oauth.routes:
-    if not route.path.endswith("/"):
-        route.path = f"{route.path}/"
+    return router_oauth

fractal_server/app/routes/auth/register.py

@@ -4,7 +4,7 @@ Definition of `/auth/register/` routes.
 from fastapi import APIRouter
 from fastapi import Depends
 
-from . import current_active_superuser
+from . import current_superuser_act
 from . import fastapi_users
 from ...schemas.user import UserCreate
 from ...schemas.user import UserRead
@@ -13,7 +13,7 @@ router_register = APIRouter()
 
 router_register.include_router(
     fastapi_users.get_register_router(UserRead, UserCreate),
-    dependencies=[Depends(current_active_superuser)],
+    dependencies=[Depends(current_superuser_act)],
 )
 
 

fractal_server/app/routes/auth/router.py

@@ -3,7 +3,7 @@ from fastapi import APIRouter
 from .current_user import router_current_user
 from .group import router_group
 from .login import router_login
-from .oauth import router_oauth
+from .oauth import get_oauth_router
 from .register import router_register
 from .users import router_users
 
@@ -14,4 +14,6 @@ router_auth.include_router(router_current_user)
 router_auth.include_router(router_login)
 router_auth.include_router(router_users)
 router_auth.include_router(router_group)
-router_auth.include_router(router_oauth)
+router_oauth = get_oauth_router()
+if router_oauth is not None:
+    router_auth.include_router(router_oauth)

fractal_server/app/routes/auth/users.py

@@ -6,31 +6,29 @@ from fastapi import Depends
 from fastapi import HTTPException
 from fastapi import status
 from fastapi_users import exceptions
-from fastapi_users import schemas
 from fastapi_users.router.common import ErrorCode
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlmodel import func
 from sqlmodel import select
 
-from . import current_active_superuser
+from . import current_superuser_act
 from ...db import get_async_db
 from ...schemas.user import UserRead
 from ...schemas.user import UserUpdate
-from ..aux.validate_user_settings import verify_user_has_settings
-from ._aux_auth import _get_default_usergroup_id
+from ._aux_auth import _get_default_usergroup_id_or_none
 from ._aux_auth import _get_single_user_with_groups
-from ._aux_auth import FRACTAL_DEFAULT_GROUP_NAME
 from fractal_server.app.models import LinkUserGroup
 from fractal_server.app.models import UserGroup
 from fractal_server.app.models import UserOAuth
-from fractal_server.app.models import UserSettings
+from fractal_server.app.models.v2 import Profile
 from fractal_server.app.routes.auth._aux_auth import _user_or_404
-from fractal_server.app.schemas import UserSettingsRead
-from fractal_server.app.schemas import UserSettingsUpdate
 from fractal_server.app.schemas.user import UserUpdateGroups
 from fractal_server.app.security import get_user_manager
 from fractal_server.app.security import UserManager
+from fractal_server.config import get_settings
 from fractal_server.logger import set_logger
+from fractal_server.syringe import Inject
+
 
 router_users = APIRouter()
 
@@ -42,7 +40,7 @@ logger = set_logger(__name__)
 async def get_user(
     user_id: int,
     group_ids_names: bool = True,
-    superuser: UserOAuth = Depends(current_active_superuser),
+    superuser: UserOAuth = Depends(current_superuser_act),
     db: AsyncSession = Depends(get_async_db),
 ) -> UserRead:
     user = await _user_or_404(user_id, db)
@@ -56,7 +54,7 @@ async def get_user(
 async def patch_user(
     user_id: int,
     user_update: UserUpdate,
-    current_superuser: UserOAuth = Depends(current_active_superuser),
+    current_superuser: UserOAuth = Depends(current_superuser_act),
     user_manager: UserManager = Depends(get_user_manager),
     db: AsyncSession = Depends(get_async_db),
 ):
@@ -67,6 +65,14 @@ async def patch_user(
     # Check that user exists
     user_to_patch = await _user_or_404(user_id, db)
 
+    if user_update.profile_id is not None:
+        profile = await db.get(Profile, user_update.profile_id)
+        if profile is None:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail=f"Profile {user_update.profile_id} not found.",
+            )
+
     # Modify user attributes
     try:
         user = await user_manager.update(
@@ -75,7 +81,7 @@ async def patch_user(
             safe=False,
             request=None,
         )
-        validated_user = schemas.model_validate(UserOAuth, user.model_dump())
+        validated_user = UserOAuth.model_validate(user.model_dump())
         patched_user = await db.get(
             UserOAuth, validated_user.id, populate_existing=True
         )
@@ -103,13 +109,16 @@ async def patch_user(
 
 @router_users.get("/users/", response_model=list[UserRead])
 async def list_users(
-    user: UserOAuth = Depends(current_active_superuser),
+    profile_id: int | None = None,
+    user: UserOAuth = Depends(current_superuser_act),
     db: AsyncSession = Depends(get_async_db),
 ):
     """
     Return list of all users
     """
     stm = select(UserOAuth)
+    if profile_id is not None:
+        stm = stm.where(UserOAuth.profile_id == profile_id)
     res = await db.execute(stm)
     user_list = res.scalars().unique().all()
 
@@ -136,9 +145,10 @@ async def list_users(
 async def set_user_groups(
     user_id: int,
     user_update: UserUpdateGroups,
-    superuser: UserOAuth = Depends(current_active_superuser),
+    superuser: UserOAuth = Depends(current_superuser_act),
     db: AsyncSession = Depends(get_async_db),
 ) -> UserRead:
+    settings = Inject(get_settings)
     # Preliminary check that all objects exist in the db
     user = await _user_or_404(user_id=user_id, db=db)
     target_group_ids = user_update.group_ids
@@ -154,13 +164,16 @@ async def set_user_groups(
         )
 
     # Check that default group is not being removed
-    default_group_id = await _get_default_usergroup_id(db=db)
-    if default_group_id not in target_group_ids:
+    default_group_id_or_none = await _get_default_usergroup_id_or_none(db=db)
+    if (
+        default_group_id_or_none is not None
+        and default_group_id_or_none not in target_group_ids
+    ):
         raise HTTPException(
             status_code=status.HTTP_422_UNPROCESSABLE_CONTENT,
             detail=(
                 f"Cannot remove user from "
-                f"'{FRACTAL_DEFAULT_GROUP_NAME}' group.",
+                f"'{settings.FRACTAL_DEFAULT_GROUP_NAME}' group.",
             ),
         )
 
@@ -198,40 +211,3 @@ async def set_user_groups(
     user_with_groups = await _get_single_user_with_groups(user, db)
 
     return user_with_groups
-
-
-@router_users.get(
-    "/users/{user_id}/settings/", response_model=UserSettingsRead
-)
-async def get_user_settings(
-    user_id: int,
-    superuser: UserOAuth = Depends(current_active_superuser),
-    db: AsyncSession = Depends(get_async_db),
-) -> UserSettingsRead:
-    user = await _user_or_404(user_id=user_id, db=db)
-    verify_user_has_settings(user)
-    user_settings = await db.get(UserSettings, user.user_settings_id)
-    return user_settings
-
-
-@router_users.patch(
-    "/users/{user_id}/settings/", response_model=UserSettingsRead
-)
-async def patch_user_settings(
-    user_id: int,
-    settings_update: UserSettingsUpdate,
-    superuser: UserOAuth = Depends(current_active_superuser),
-    db: AsyncSession = Depends(get_async_db),
-) -> UserSettingsRead:
-    user = await _user_or_404(user_id=user_id, db=db)
-    verify_user_has_settings(user)
-    user_settings = await db.get(UserSettings, user.user_settings_id)
-
-    for k, v in settings_update.model_dump(exclude_unset=True).items():
-        setattr(user_settings, k, v)
-
-    db.add(user_settings)
-    await db.commit()
-    await db.refresh(user_settings)
-
-    return user_settings

fractal_server/app/routes/aux/_runner.py

@@ -3,10 +3,11 @@ from fastapi import status
 
 from ....config import get_settings
 from ....syringe import Inject
+from fractal_server.app.schemas.v2 import ResourceType
 
 
 def _backend_supports_shutdown(backend: str) -> bool:
-    if backend in ["slurm", "slurm_ssh"]:
+    if backend in [ResourceType.SLURM_SUDO, ResourceType.SLURM_SSH]:
         return True
     else:
         return False

fractal_server/app/routes/aux/validate_user_profile.py

@@ -0,0 +1,62 @@
+from fastapi import HTTPException
+from fastapi import status
+from pydantic import ValidationError
+
+from fractal_server.app.db import AsyncSession
+from fractal_server.app.models import Profile
+from fractal_server.app.models import Resource
+from fractal_server.app.models import UserOAuth
+from fractal_server.app.schemas.v2.profile import cast_serialize_profile
+from fractal_server.app.schemas.v2.resource import cast_serialize_resource
+from fractal_server.logger import set_logger
+
+logger = set_logger(__name__)
+
+
+async def user_has_profile_or_422(*, user: UserOAuth) -> None:
+    if user.profile_id is None:
+        raise HTTPException(
+            status_code=status.HTTP_422_UNPROCESSABLE_CONTENT,
+            detail=(
+                f"User {user.email} is not associated to a computational "
+                "profile. Please contact an admin."
+            ),
+        )
+
+
+async def validate_user_profile(
+    *,
+    user: UserOAuth,
+    db: AsyncSession,
+) -> tuple[Resource, Profile]:
+    """
+    Validate profile and resource associated to a given user.
+
+    Note: this only returns non-db-bound objects.
+    """
+    await user_has_profile_or_422(user=user)
+    profile = await db.get(Profile, user.profile_id)
+    resource = await db.get(Resource, profile.resource_id)
+    try:
+        cast_serialize_resource(
+            resource.model_dump(exclude={"id", "timestamp_created"}),
+        )
+        cast_serialize_profile(
+            profile.model_dump(exclude={"resource_id", "id"}),
+        )
+        db.expunge(resource)
+        db.expunge(profile)
+
+        return resource, profile
+
+    except ValidationError as e:
+        error_msg = (
+            "User resource/profile are not valid for "
+            f"resource type '{resource.type}'. "
+            f"Original error: {str(e)}"
+        )
+        logger.warning(error_msg)
+        raise HTTPException(
+            status_code=status.HTTP_422_UNPROCESSABLE_CONTENT,
+            detail=error_msg,
+        )

fractal_server/app/schemas/__init__.py

@@ -1,3 +1,2 @@
 from .user import *  # noqa: F401, F403
 from .user_group import *  # noqa: F401, F403
-from .user_settings import *  # noqa: F401, F403

fractal_server/app/schemas/user.py

@@ -1,19 +1,18 @@
+from typing import Annotated
+
 from fastapi_users import schemas
+from pydantic import AfterValidator
 from pydantic import BaseModel
 from pydantic import ConfigDict
 from pydantic import EmailStr
 from pydantic import Field
 
+from fractal_server.string_tools import validate_cmd
+from fractal_server.types import AbsolutePathStr
+from fractal_server.types import ListUniqueNonEmptyString
 from fractal_server.types import ListUniqueNonNegativeInt
 from fractal_server.types import NonEmptyStr
 
-__all__ = (
-    "UserRead",
-    "UserUpdate",
-    "UserUpdateGroups",
-    "UserCreate",
-)
-
 
 class OAuthAccountRead(BaseModel):
     """
@@ -36,12 +35,21 @@ class UserRead(schemas.BaseUser[int]):
     Schema for `User` read from database.
 
     Attributes:
-        username:
+        group_ids_names:
+        oauth_accounts:
+        profile_id:
     """
 
-    username: str | None = None
     group_ids_names: list[tuple[int, str]] | None = None
     oauth_accounts: list[OAuthAccountRead]
+    profile_id: int | None = None
+    project_dir: str
+    slurm_accounts: list[str]
+
+
+def _validate_cmd(value: str) -> str:
+    validate_cmd(value)
+    return value
 
 
 class UserUpdate(schemas.BaseUserUpdate):
@@ -49,16 +57,27 @@ class UserUpdate(schemas.BaseUserUpdate):
     Schema for `User` update.
 
     Attributes:
-        username:
+        password:
+        email:
+        is_active:
+        is_superuser:
+        is_verified:
+        profile_id:
+        project_dir:
+        slurm_accounts:
     """
 
     model_config = ConfigDict(extra="forbid")
-    username: NonEmptyStr = None
     password: NonEmptyStr = None
     email: EmailStr = None
     is_active: bool = None
     is_superuser: bool = None
     is_verified: bool = None
+    profile_id: int | None = None
+    project_dir: Annotated[
+        AbsolutePathStr, AfterValidator(_validate_cmd)
+    ] = None
+    slurm_accounts: ListUniqueNonEmptyString = None
 
 
 class UserUpdateStrict(BaseModel):
@@ -66,9 +85,11 @@ class UserUpdateStrict(BaseModel):
     Schema for `User` self-editing.
 
     Attributes:
+        slurm_accounts:
     """
 
     model_config = ConfigDict(extra="forbid")
+    slurm_accounts: ListUniqueNonEmptyString = None
 
 
 class UserCreate(schemas.BaseUserCreate):
@@ -76,10 +97,12 @@ class UserCreate(schemas.BaseUserCreate):
     Schema for `User` creation.
 
     Attributes:
-        username:
+        profile_id:
     """
 
-    username: NonEmptyStr = None
+    profile_id: int | None = None
+    project_dir: Annotated[AbsolutePathStr, AfterValidator(_validate_cmd)]
+    slurm_accounts: list[str] = Field(default_factory=list)
 
 
 class UserUpdateGroups(BaseModel):
@@ -91,3 +114,10 @@ class UserUpdateGroups(BaseModel):
     model_config = ConfigDict(extra="forbid")
 
     group_ids: ListUniqueNonNegativeInt = Field(min_length=1)
+
+
+class UserProfileInfo(BaseModel):
+    has_profile: bool
+    resource_name: str | None = None
+    profile_name: str | None = None
+    username: str | None = None

fractal_server/app/schemas/user_group.py

@@ -7,6 +7,7 @@ from pydantic import field_serializer
 from pydantic.types import AwareDatetime
 
 from fractal_server.types import ListUniqueAbsolutePathStr
+from fractal_server.types import NonEmptyStr
 
 __all__ = (
     "UserGroupRead",
@@ -50,7 +51,7 @@ class UserGroupCreate(BaseModel):
 
     model_config = ConfigDict(extra="forbid")
 
-    name: str
+    name: NonEmptyStr
     viewer_paths: ListUniqueAbsolutePathStr = Field(default_factory=list)
 
 

fractal_server/app/schemas/v2/__init__.py

@@ -22,9 +22,20 @@ from .job import JobStatusTypeV2  # noqa F401
 from .job import JobUpdateV2  # noqa F401
 from .manifest import ManifestV2  # noqa F401
 from .manifest import TaskManifestV2  # noqa F401
+from .profile import ProfileCreate  # noqa F401
+from .profile import ProfileRead  # noqa F401
+from .profile import ValidProfileLocal  # noqa F401
+from .profile import ValidProfileSlurmSSH  # noqa F401
+from .profile import ValidProfileSlurmSudo  # noqa F401
 from .project import ProjectCreateV2  # noqa F401
 from .project import ProjectReadV2  # noqa F401
 from .project import ProjectUpdateV2  # noqa F401
+from .resource import ResourceCreate  # noqa F401
+from .resource import ResourceRead  # noqa F401
+from .resource import ResourceType  # noqa F401
+from .resource import ValidResourceLocal  # noqa F401
+from .resource import ValidResourceSlurmSSH  # noqa F401
+from .resource import ValidResourceSlurmSudo  # noqa F401
 from .status_legacy import WorkflowTaskStatusTypeV2  # noqa F401
 from .task import TaskCreateV2  # noqa F401
 from .task import TaskExportV2  # noqa F401
@@ -41,6 +52,7 @@ from .task_group import TaskGroupActivityStatusV2  # noqa F401
 from .task_group import TaskGroupActivityV2Read  # noqa F401
 from .task_group import TaskGroupCreateV2  # noqa F401
 from .task_group import TaskGroupCreateV2Strict  # noqa F401
+from .task_group import TaskGroupReadSuperuser  # noqa F401
 from .task_group import TaskGroupReadV2  # noqa F401
 from .task_group import TaskGroupUpdateV2  # noqa F401
 from .task_group import TaskGroupV2OriginEnum  # noqa F401

fractal_server/app/schemas/v2/profile.py

@@ -0,0 +1,78 @@
+from typing import Annotated
+from typing import Any
+
+from pydantic import BaseModel
+from pydantic import Discriminator
+from pydantic import Tag
+from pydantic import validate_call
+
+from .resource import ResourceType
+from fractal_server.types import AbsolutePathStr
+from fractal_server.types import NonEmptyStr
+
+
+class ValidProfileLocal(BaseModel):
+    name: NonEmptyStr
+    resource_type: ResourceType
+    username: None = None
+    ssh_key_path: None = None
+    jobs_remote_dir: None = None
+    tasks_remote_dir: None = None
+
+
+class ValidProfileSlurmSudo(BaseModel):
+    name: NonEmptyStr
+    resource_type: ResourceType
+    username: NonEmptyStr
+    ssh_key_path: None = None
+    jobs_remote_dir: None = None
+    tasks_remote_dir: None = None
+
+
+class ValidProfileSlurmSSH(BaseModel):
+    name: NonEmptyStr
+    resource_type: ResourceType
+    username: NonEmptyStr
+    ssh_key_path: AbsolutePathStr
+    jobs_remote_dir: AbsolutePathStr
+    tasks_remote_dir: AbsolutePathStr
+
+
+def get_discriminator_value(v: Any) -> str:
+    # See https://github.com/fastapi/fastapi/discussions/12941
+    if isinstance(v, dict):
+        return v.get("resource_type", None)
+    return getattr(v, "resource_type", None)
+
+
+ProfileCreate = Annotated[
+    Annotated[ValidProfileLocal, Tag(ResourceType.LOCAL)]
+    | Annotated[ValidProfileSlurmSudo, Tag(ResourceType.SLURM_SUDO)]
+    | Annotated[ValidProfileSlurmSSH, Tag(ResourceType.SLURM_SSH)],
+    Discriminator(get_discriminator_value),
+]
+
+
+class ProfileRead(BaseModel):
+    id: int
+    name: str
+    resource_id: int
+    resource_type: str
+    username: str | None = None
+    ssh_key_path: str | None = None
+    jobs_remote_dir: str | None = None
+    tasks_remote_dir: str | None = None
+
+
+@validate_call
+def cast_serialize_profile(_data: ProfileCreate) -> dict[str, Any]:
+    """
+    Cast/serialize round-trip for `Profile` data.
+
+    We use `@validate_call` because `ProfileeCreate` is a `Union` type and it
+    cannot be instantiated directly.
+
+    Return:
+        Serialized version of a valid profile object.
+    """
+    return _data.model_dump()