fractal-server 2.17.0a4__py3-none-any.whl → 2.17.0a6__py3-none-any.whl

fractal_server/app/routes/auth/users.py

@@ -6,28 +6,23 @@ from fastapi import Depends
 from fastapi import HTTPException
 from fastapi import status
 from fastapi_users import exceptions
-from fastapi_users import schemas
 from fastapi_users.router.common import ErrorCode
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlmodel import func
 from sqlmodel import select
 
-from . import current_active_superuser
+from . import current_superuser_act
 from ...db import get_async_db
 from ...schemas.user import UserRead
 from ...schemas.user import UserUpdate
-from ..aux.validate_user_settings import verify_user_has_settings
 from ._aux_auth import _get_default_usergroup_id
 from ._aux_auth import _get_single_user_with_groups
 from ._aux_auth import FRACTAL_DEFAULT_GROUP_NAME
 from fractal_server.app.models import LinkUserGroup
 from fractal_server.app.models import UserGroup
 from fractal_server.app.models import UserOAuth
-from fractal_server.app.models import UserSettings
 from fractal_server.app.models.v2 import Profile
 from fractal_server.app.routes.auth._aux_auth import _user_or_404
-from fractal_server.app.schemas import UserSettingsRead
-from fractal_server.app.schemas import UserSettingsUpdate
 from fractal_server.app.schemas.user import UserUpdateGroups
 from fractal_server.app.security import get_user_manager
 from fractal_server.app.security import UserManager
@@ -43,7 +38,7 @@ logger = set_logger(__name__)
 async def get_user(
     user_id: int,
     group_ids_names: bool = True,
-    superuser: UserOAuth = Depends(current_active_superuser),
+    superuser: UserOAuth = Depends(current_superuser_act),
     db: AsyncSession = Depends(get_async_db),
 ) -> UserRead:
     user = await _user_or_404(user_id, db)
@@ -57,7 +52,7 @@ async def get_user(
 async def patch_user(
     user_id: int,
     user_update: UserUpdate,
-    current_superuser: UserOAuth = Depends(current_active_superuser),
+    current_superuser: UserOAuth = Depends(current_superuser_act),
     user_manager: UserManager = Depends(get_user_manager),
     db: AsyncSession = Depends(get_async_db),
 ):
@@ -84,7 +79,7 @@ async def patch_user(
             safe=False,
             request=None,
         )
-        validated_user = schemas.model_validate(UserOAuth, user.model_dump())
+        validated_user = UserOAuth.model_validate(user.model_dump())
         patched_user = await db.get(
             UserOAuth, validated_user.id, populate_existing=True
         )
@@ -113,7 +108,7 @@ async def patch_user(
 @router_users.get("/users/", response_model=list[UserRead])
 async def list_users(
     profile_id: int | None = None,
-    user: UserOAuth = Depends(current_active_superuser),
+    user: UserOAuth = Depends(current_superuser_act),
     db: AsyncSession = Depends(get_async_db),
 ):
     """
@@ -148,7 +143,7 @@ async def list_users(
 async def set_user_groups(
     user_id: int,
     user_update: UserUpdateGroups,
-    superuser: UserOAuth = Depends(current_active_superuser),
+    superuser: UserOAuth = Depends(current_superuser_act),
     db: AsyncSession = Depends(get_async_db),
 ) -> UserRead:
     # Preliminary check that all objects exist in the db
@@ -210,40 +205,3 @@ async def set_user_groups(
     user_with_groups = await _get_single_user_with_groups(user, db)
 
     return user_with_groups
-
-
-@router_users.get(
-    "/users/{user_id}/settings/", response_model=UserSettingsRead
-)
-async def get_user_settings(
-    user_id: int,
-    superuser: UserOAuth = Depends(current_active_superuser),
-    db: AsyncSession = Depends(get_async_db),
-) -> UserSettingsRead:
-    user = await _user_or_404(user_id=user_id, db=db)
-    verify_user_has_settings(user)
-    user_settings = await db.get(UserSettings, user.user_settings_id)
-    return user_settings
-
-
-@router_users.patch(
-    "/users/{user_id}/settings/", response_model=UserSettingsRead
-)
-async def patch_user_settings(
-    user_id: int,
-    settings_update: UserSettingsUpdate,
-    superuser: UserOAuth = Depends(current_active_superuser),
-    db: AsyncSession = Depends(get_async_db),
-) -> UserSettingsRead:
-    user = await _user_or_404(user_id=user_id, db=db)
-    verify_user_has_settings(user)
-    user_settings = await db.get(UserSettings, user.user_settings_id)
-
-    for k, v in settings_update.model_dump(exclude_unset=True).items():
-        setattr(user_settings, k, v)
-
-    db.add(user_settings)
-    await db.commit()
-    await db.refresh(user_settings)
-
-    return user_settings

fractal_server/app/schemas/__init__.py

@@ -1,3 +1,2 @@
 from .user import *  # noqa: F401, F403
 from .user_group import *  # noqa: F401, F403
-from .user_settings import *  # noqa: F401, F403

fractal_server/app/schemas/user.py

@@ -1,9 +1,15 @@
+from typing import Annotated
+
 from fastapi_users import schemas
+from pydantic import AfterValidator
 from pydantic import BaseModel
 from pydantic import ConfigDict
 from pydantic import EmailStr
 from pydantic import Field
 
+from fractal_server.string_tools import validate_cmd
+from fractal_server.types import AbsolutePathStr
+from fractal_server.types import ListUniqueNonEmptyString
 from fractal_server.types import ListUniqueNonNegativeInt
 from fractal_server.types import NonEmptyStr
 
@@ -37,6 +43,13 @@ class UserRead(schemas.BaseUser[int]):
     group_ids_names: list[tuple[int, str]] | None = None
     oauth_accounts: list[OAuthAccountRead]
     profile_id: int | None = None
+    project_dir: str
+    slurm_accounts: list[str]
+
+
+def _validate_cmd(value: str) -> str:
+    validate_cmd(value)
+    return value
 
 
 class UserUpdate(schemas.BaseUserUpdate):
@@ -50,6 +63,8 @@ class UserUpdate(schemas.BaseUserUpdate):
         is_superuser:
         is_verified:
         profile_id:
+        project_dir:
+        slurm_accounts:
     """
 
     model_config = ConfigDict(extra="forbid")
@@ -59,6 +74,10 @@ class UserUpdate(schemas.BaseUserUpdate):
     is_superuser: bool = None
     is_verified: bool = None
     profile_id: int | None = None
+    project_dir: Annotated[
+        AbsolutePathStr, AfterValidator(_validate_cmd)
+    ] = None
+    slurm_accounts: ListUniqueNonEmptyString = None
 
 
 class UserUpdateStrict(BaseModel):
@@ -66,9 +85,11 @@ class UserUpdateStrict(BaseModel):
     Schema for `User` self-editing.
 
     Attributes:
+        slurm_accounts:
     """
 
     model_config = ConfigDict(extra="forbid")
+    slurm_accounts: ListUniqueNonEmptyString = None
 
 
 class UserCreate(schemas.BaseUserCreate):
@@ -80,6 +101,8 @@ class UserCreate(schemas.BaseUserCreate):
     """
 
     profile_id: int | None = None
+    project_dir: Annotated[AbsolutePathStr, AfterValidator(_validate_cmd)]
+    slurm_accounts: list[str] = Field(default_factory=list)
 
 
 class UserUpdateGroups(BaseModel):

fractal_server/app/schemas/v2/__init__.py

@@ -52,6 +52,7 @@ from .task_group import TaskGroupActivityStatusV2  # noqa F401
 from .task_group import TaskGroupActivityV2Read  # noqa F401
 from .task_group import TaskGroupCreateV2  # noqa F401
 from .task_group import TaskGroupCreateV2Strict  # noqa F401
+from .task_group import TaskGroupReadSuperuser  # noqa F401
 from .task_group import TaskGroupReadV2  # noqa F401
 from .task_group import TaskGroupUpdateV2  # noqa F401
 from .task_group import TaskGroupV2OriginEnum  # noqa F401

fractal_server/app/schemas/v2/task_group.py

@@ -37,6 +37,7 @@ class TaskGroupActivityActionV2(StrEnum):
 class TaskGroupCreateV2(BaseModel):
     model_config = ConfigDict(extra="forbid")
     user_id: int
+    resource_id: int
     user_group_id: int | None = None
     active: bool = True
     origin: TaskGroupV2OriginEnum
@@ -95,6 +96,10 @@ class TaskGroupReadV2(BaseModel):
         return v.isoformat()
 
 
+class TaskGroupReadSuperuser(TaskGroupReadV2):
+    resource_id: int
+
+
 class TaskGroupUpdateV2(BaseModel):
     model_config = ConfigDict(extra="forbid")
     user_group_id: int | None = None

fractal_server/app/security/__init__.py

@@ -1,14 +1,3 @@
-# Copyright 2022 (C) Friedrich Miescher Institute for Biomedical Research and
-# University of Zurich
-#
-# Original authors:
-# Jacopo Nespolo <jacopo.nespolo@exact-lab.it>
-# Tommaso Comparin <tommaso.comparin@exact-lab.it>
-#
-# This file is part of Fractal and was originally developed by eXact lab S.r.l.
-# <exact-lab.it> under contract with Liberali Lab from the Friedrich Miescher
-# Institute for Biomedical Research and Pelkmans Lab from the University of
-# Zurich.
 """
 Auth subsystem
 
@@ -30,6 +19,7 @@ import contextlib
 from collections.abc import AsyncGenerator
 from typing import Any
 from typing import Generic
+from typing import Self
 
 from fastapi import Depends
 from fastapi import Request
@@ -55,10 +45,12 @@ from fractal_server.app.models import LinkUserGroup
 from fractal_server.app.models import OAuthAccount
 from fractal_server.app.models import UserGroup
 from fractal_server.app.models import UserOAuth
-from fractal_server.app.models import UserSettings
 from fractal_server.app.schemas.user import UserCreate
-from fractal_server.app.security.signup_email import mail_new_oauth_signup
+from fractal_server.app.security.signup_email import (
+    send_fractal_email_or_log_failure,
+)
 from fractal_server.config import get_email_settings
+from fractal_server.config import get_settings
 from fractal_server.logger import set_logger
 from fractal_server.syringe import Inject
 
@@ -209,6 +201,131 @@ class UserManager(IntegerIDMixin, BaseUserManager[UserOAuth, int]):
                 f"The password is too long (maximum length: {min_length})."
             )
 
+    async def oauth_callback(
+        self: Self,
+        oauth_name: str,
+        access_token: str,
+        account_id: str,
+        account_email: str,
+        expires_at: int | None = None,
+        refresh_token: str | None = None,
+        request: Request | None = None,
+        *,
+        associate_by_email: bool = False,
+        is_verified_by_default: bool = False,
+    ) -> UserOAuth:
+        """
+        Handle the callback after a successful OAuth authentication.
+
+        This method extends the corresponding `BaseUserManager` method of
+        > fastapi-users v14.0.1, Copyright (c) 2019 François Voron, MIT License
+
+        If the user already exists with this OAuth account, the token is
+        updated.
+
+        If a user with the same e-mail already exists and `associate_by_email`
+        is True, the OAuth account is associated to this user.
+        Otherwise, the `UserNotExists` exception is raised.
+
+        If the user does not exist, send an email to the Fractal admins (if
+        configured) and respond with a 400 error status. NOTE: This is the
+        function branch where the `fractal-server` implementation deviates
+        from the original `fastapi-users` one.
+
+        :param oauth_name: Name of the OAuth client.
+        :param access_token: Valid access token for the service provider.
+        :param account_id: models.ID of the user on the service provider.
+        :param account_email: E-mail of the user on the service provider.
+        :param expires_at: Optional timestamp at which the access token
+        expires.
+        :param refresh_token: Optional refresh token to get a
+        fresh access token from the service provider.
+        :param request: Optional FastAPI request that
+        triggered the operation, defaults to None
+        :param associate_by_email: If True, any existing user with the same
+        e-mail address will be associated to this user. Defaults to False.
+        :param is_verified_by_default: If True, the `is_verified` flag will be
+        set to `True` on newly created user. Make sure the OAuth Provider you
+        are using does verify the email address before enabling this flag.
+        Defaults to False.
+        :return: A user.
+        """
+        from fastapi import HTTPException
+        from fastapi import status
+        from fastapi_users import exceptions
+
+        oauth_account_dict = {
+            "oauth_name": oauth_name,
+            "access_token": access_token,
+            "account_id": account_id,
+            "account_email": account_email,
+            "expires_at": expires_at,
+            "refresh_token": refresh_token,
+        }
+
+        try:
+            user = await self.get_by_oauth_account(oauth_name, account_id)
+        except exceptions.UserNotExists:
+            try:
+                # Associate account
+                user = await self.get_by_email(account_email)
+                if not associate_by_email:
+                    raise exceptions.UserAlreadyExists()
+                user = await self.user_db.add_oauth_account(
+                    user, oauth_account_dict
+                )
+            except exceptions.UserNotExists:
+                # (0) Log
+                logger.warning(
+                    f"Self-registration attempt by {account_email}."
+                )
+
+                # (1) Prepare user-facing error message
+                settings = Inject(get_settings)
+                error_msg = (
+                    "Thank you for registering for the Fractal service. "
+                    "Administrators have been informed to configure your "
+                    "account and will get back to you."
+                )
+                if settings.FRACTAL_HELP_URL is not None:
+                    error_msg = (
+                        f"{error_msg}\n"
+                        "You can find more information about the onboarding "
+                        f"process at {settings.FRACTAL_HELP_URL}."
+                    )
+
+                # (2) Send email to admins
+                email_settings = Inject(get_email_settings)
+                send_fractal_email_or_log_failure(
+                    subject="New OAuth self-registration",
+                    msg=(
+                        f"User '{account_email}' tried to "
+                        "self-register through OAuth.\n"
+                        "Please create the Fractal account manually.\n"
+                        "Here is the error message displayed to the "
+                        f"user:\n{error_msg}"
+                    ),
+                    email_settings=email_settings.public,
+                )
+
+                # (3) Raise
+                raise HTTPException(
+                    status_code=status.HTTP_400_BAD_REQUEST,
+                    detail=error_msg,
+                )
+        else:
+            # Update oauth
+            for existing_oauth_account in user.oauth_accounts:
+                if (
+                    existing_oauth_account.account_id == account_id
+                    and existing_oauth_account.oauth_name == oauth_name
+                ):
+                    user = await self.user_db.update_oauth_account(
+                        user, existing_oauth_account, oauth_account_dict
+                    )
+
+        return user
+
     async def on_after_register(
         self, user: UserOAuth, request: Request | None = None
     ):
@@ -216,7 +333,6 @@ class UserManager(IntegerIDMixin, BaseUserManager[UserOAuth, int]):
             f"New-user registration completed ({user.id=}, {user.email=})."
         )
         async for db in get_async_db():
-            # Find default group
             stm = select(UserGroup).where(
                 UserGroup.name == FRACTAL_DEFAULT_GROUP_NAME
             )
@@ -236,38 +352,6 @@ class UserManager(IntegerIDMixin, BaseUserManager[UserOAuth, int]):
                     f"Added {user.email} user to group {default_group.id=}."
                 )
 
-            this_user = await db.get(UserOAuth, user.id)
-
-            this_user.settings = UserSettings()
-            await db.merge(this_user)
-            await db.commit()
-            await db.refresh(this_user)
-            logger.info(
-                f"Associated empty settings (id={this_user.user_settings_id}) "
-                f"to '{this_user.email}'."
-            )
-
-            # Send mail section
-            email_settings = Inject(get_email_settings)
-
-            if this_user.oauth_accounts and email_settings.public is not None:
-                try:
-                    logger.info(
-                        "START sending email about new signup to "
-                        f"{email_settings.public.recipients}."
-                    )
-                    mail_new_oauth_signup(
-                        msg=f"New user registered: '{this_user.email}'.",
-                        email_settings=email_settings.public,
-                    )
-                    logger.info("END sending email about new signup.")
-                except Exception as e:
-                    logger.error(
-                        "ERROR sending notification email after oauth "
-                        f"registration of {this_user.email}. "
-                        f"Original error: '{e}'."
-                    )
-
 
 async def get_user_manager(
     user_db: SQLModelUserDatabaseAsync = Depends(get_user_db),
@@ -283,6 +367,8 @@ get_user_manager_context = contextlib.asynccontextmanager(get_user_manager)
 async def _create_first_user(
     email: str,
     password: str,
+    project_dir: str,
+    profile_id: int | None = None,
     is_superuser: bool = False,
     is_verified: bool = False,
 ) -> None:
@@ -331,6 +417,8 @@ async def _create_first_user(
                     kwargs = dict(
                         email=email,
                         password=password,
+                        project_dir=project_dir,
+                        profile_id=profile_id,
                         is_superuser=is_superuser,
                         is_verified=is_verified,
                     )

fractal_server/app/security/signup_email.py

@@ -2,47 +2,65 @@ import smtplib
 from email.message import EmailMessage
 from email.utils import formataddr
 
-from cryptography.fernet import Fernet
-
 from fractal_server.config import PublicEmailSettings
+from fractal_server.logger import set_logger
+
+logger = set_logger(__name__)
 
 
-def mail_new_oauth_signup(msg: str, email_settings: PublicEmailSettings):
+def send_fractal_email_or_log_failure(
+    *,
+    subject: str,
+    msg: str,
+    email_settings: PublicEmailSettings | None,
+):
     """
-    Send an email using the specified settings to notify a new OAuth signup.
+    Send an email using the specified settings, or log about failure.
     """
 
-    mail_msg = EmailMessage()
-    mail_msg.set_content(msg)
-    mail_msg["From"] = formataddr(
-        (email_settings.sender, email_settings.sender)
-    )
-    mail_msg["To"] = ", ".join(
-        [
-            formataddr((recipient, recipient))
-            for recipient in email_settings.recipients
-        ]
-    )
-    mail_msg[
-        "Subject"
-    ] = f"[Fractal, {email_settings.instance_name}] New OAuth signup"
+    if email_settings is None:
+        logger.error(
+            f"Cannot send email with {subject=}, because {email_settings=}."
+        )
 
-    with smtplib.SMTP(
-        email_settings.smtp_server, email_settings.port
-    ) as server:
-        server.ehlo()
-        if email_settings.use_starttls:
-            server.starttls()
+    try:
+        logger.info(f"START sending email with {subject=}.")
+        mail_msg = EmailMessage()
+        mail_msg.set_content(msg)
+        mail_msg["From"] = formataddr(
+            (email_settings.sender, email_settings.sender)
+        )
+        mail_msg["To"] = ", ".join(
+            [
+                formataddr((recipient, recipient))
+                for recipient in email_settings.recipients
+            ]
+        )
+        mail_msg[
+            "Subject"
+        ] = f"[Fractal, {email_settings.instance_name}] {subject}"
+        with smtplib.SMTP(
+            email_settings.smtp_server,
+            email_settings.port,
+        ) as server:
             server.ehlo()
-        if email_settings.use_login:
-            password = (
-                Fernet(email_settings.encryption_key.get_secret_value())
-                .decrypt(email_settings.encrypted_password.get_secret_value())
-                .decode("utf-8")
+            if email_settings.use_starttls:
+                server.starttls()
+                server.ehlo()
+            if email_settings.use_login:
+                server.login(
+                    user=email_settings.sender,
+                    password=email_settings.password.get_secret_value(),
+                )
+            server.sendmail(
+                from_addr=email_settings.sender,
+                to_addrs=email_settings.recipients,
+                msg=mail_msg.as_string(),
             )
-            server.login(user=email_settings.sender, password=password)
-        server.sendmail(
-            from_addr=email_settings.sender,
-            to_addrs=email_settings.recipients,
-            msg=mail_msg.as_string(),
+        logger.info(f"END sending email with {subject=}.")
+
+    except Exception as e:
+        logger.error(
+            "Could not send self-registration email, "
+            f"original error: {str(e)}."
         )

fractal_server/config/__init__.py

@@ -1,3 +1,5 @@
+from ._data import DataAuthScheme  # noqa F401
+from ._data import DataSettings
 from ._database import DatabaseSettings
 from ._email import EmailSettings
 from ._email import PublicEmailSettings  # noqa F401
@@ -19,3 +21,7 @@ def get_email_settings(email_settings=EmailSettings()) -> EmailSettings:
 
 def get_oauth_settings(oauth_settings=OAuthSettings()) -> OAuthSettings:
     return oauth_settings
+
+
+def get_data_settings(data_settings=DataSettings()) -> DataSettings:
+    return data_settings

fractal_server/config/_data.py

@@ -0,0 +1,68 @@
+from enum import StrEnum
+from typing import Self
+
+from pydantic import model_validator
+from pydantic_settings import BaseSettings
+from pydantic_settings import SettingsConfigDict
+
+from ._settings_config import SETTINGS_CONFIG_DICT
+from fractal_server.types import AbsolutePathStr
+
+
+class DataAuthScheme(StrEnum):
+    VIEWER_PATHS = "viewer-paths"
+    USERS_FOLDERS = "users-folders"
+    NONE = "none"
+
+
+class DataSettings(BaseSettings):
+    """
+    Settings for the `fractal-data` integration.
+    """
+
+    model_config = SettingsConfigDict(**SETTINGS_CONFIG_DICT)
+
+    FRACTAL_DATA_AUTH_SCHEME: DataAuthScheme = "none"
+    """
+    Defines how the list of allowed viewer paths is built.
+
+    This variable affects the `GET /auth/current-user/allowed-viewer-paths/`
+    response, which is then consumed by
+    [fractal-data](https://github.com/fractal-analytics-platform/fractal-data).
+
+    Options:
+
+    - "viewer-paths": The list of allowed viewer paths will include the user's
+      `project_dir` along with any path defined in user groups' `viewer_paths`
+      attributes.
+    - "users-folders": The list will consist of the user's `project_dir` and a
+       user-specific folder. The user folder is constructed by concatenating
+       the base folder `FRACTAL_DATA_BASE_FOLDER` with the user's profile
+       `username`.
+    - "none": An empty list will be returned, indicating no access to
+       viewer paths. Useful when vizarr viewer is not used.
+    """
+
+    FRACTAL_DATA_BASE_FOLDER: AbsolutePathStr | None = None
+    """
+    Base path to Zarr files that will be served by fractal-vizarr-viewer;
+    This variable is required and used only when
+    FRACTAL_DATA_AUTHORIZATION_SCHEME is set to "users-folders".
+    """
+
+    @model_validator(mode="after")
+    def check(self: Self) -> Self:
+        """
+        `FRACTAL_DATA_BASE_FOLDER` is required when
+        `FRACTAL_DATA_AUTHORIZATION_SCHEME` is set to `"users-folders"`.
+        """
+        if (
+            self.FRACTAL_DATA_AUTH_SCHEME == DataAuthScheme.USERS_FOLDERS
+            and self.FRACTAL_DATA_BASE_FOLDER is None
+        ):
+            raise ValueError(
+                "FRACTAL_DATA_BASE_FOLDER is required when "
+                "FRACTAL_DATA_AUTH_SCHEME is set to "
+                "users-folders"
+            )
+        return self