PyPI - fractal-server - Versions diffs - 2.17.1a1__py3-none-any.whl → 2.18.0__py3-none-any.whl - Mend

fractal-server 2.17.1a1py3-none-any.whl → 2.18.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (225) hide show

fractal_server/app/routes/auth/_aux_auth.py CHANGED Viewed

@@ -1,19 +1,27 @@
+from os.path import normpath
+from pathlib import Path
 from fastapi import HTTPException
 from fastapi import status
 from sqlalchemy.ext.asyncio import AsyncSession
+from sqlmodel import and_
 from sqlmodel import asc
+from sqlmodel import not_
+from sqlmodel import or_
 from sqlmodel import select
 from fractal_server.app.models.linkusergroup import LinkUserGroup
+from fractal_server.app.models.linkuserproject import LinkUserProjectV2
 from fractal_server.app.models.security import UserGroup
 from fractal_server.app.models.security import UserOAuth
+from fractal_server.app.models.v2.dataset import DatasetV2
+from fractal_server.app.models.v2.project import ProjectV2
 from fractal_server.app.schemas.user import UserRead
 from fractal_server.app.schemas.user_group import UserGroupRead
 from fractal_server.config import get_settings
 from fractal_server.logger import set_logger
 from fractal_server.syringe import Inject
 logger = set_logger(__name__)
@@ -36,7 +44,7 @@ async def _get_single_user_with_groups(
     stm_groups = (
         select(UserGroup)
-        .join(LinkUserGroup)
+        .join(LinkUserGroup, LinkUserGroup.group_id == UserGroup.id)
         .where(LinkUserGroup.user_id == user.id)
         .order_by(asc(LinkUserGroup.timestamp_created))
     )
@@ -179,3 +187,94 @@ async def _verify_user_belongs_to_group(
                     f"to UserGroup {user_group_id}"
                 ),
             )
+async def _check_project_dirs_update(
+    *,
+    old_project_dirs: list[str],
+    new_project_dirs: list[str],
+    user_id: int,
+    db: AsyncSession,
+) -> None:
+    """
+    Raises 422 if by replacing user's `project_dirs` with new ones we are
+    removing the access to a `zarr_dir` used by some dataset.
+    Note both `old_project_dirs` and `new_project_dirs` have been
+    normalized through `os.path.normpath`, which notably strips any trailing
+    `/` character. To be safe, we also re-normalize them within this function.
+    """
+    # Create a list of all the old project dirs that will lose privileges.
+    # E.g.:
+    #   old_project_dirs = ["/a", "/b", "/c/d", "/e/f"]
+    #   new_project_dirs = ["/a", "/c", "/e/f/g1", "/e/f/g2"]
+    #   removed_project_dirs == ["/b", "/e/f"]
+    removed_project_dirs = [
+        old_project_dir
+        for old_project_dir in old_project_dirs
+        if not any(
+            Path(old_project_dir).is_relative_to(new_project_dir)
+            for new_project_dir in new_project_dirs
+        )
+    ]
+    if removed_project_dirs:
+        # Query all the `zarr_dir`s linked to the user such that `zarr_dir`
+        # starts with one of the project dirs in `removed_project_dirs`.
+        stmt = (
+            select(DatasetV2.zarr_dir)
+            .join(ProjectV2, ProjectV2.id == DatasetV2.project_id)
+            .join(
+                LinkUserProjectV2,
+                LinkUserProjectV2.project_id == ProjectV2.id,
+            )
+            .where(LinkUserProjectV2.user_id == user_id)
+            .where(LinkUserProjectV2.is_verified.is_(True))
+            .where(
+                or_(
+                    *[
+                        DatasetV2.zarr_dir.startswith(normpath(old_project_dir))
+                        for old_project_dir in removed_project_dirs
+                    ]
+                )
+            )
+        )
+        if new_project_dirs:
+            stmt = stmt.where(
+                and_(
+                    *[
+                        not_(
+                            DatasetV2.zarr_dir.startswith(
+                                normpath(new_project_dir)
+                            )
+                        )
+                        for new_project_dir in new_project_dirs
+                    ]
+                )
+            )
+        res = await db.execute(stmt)
+        # Raise 422 if one of the query results is relative to a path in
+        # `removed_project_dirs`, but its not relative to any path in
+        # `new_project_dirs`.
+        if any(
+            (
+                any(
+                    Path(zarr_dir).is_relative_to(old_project_dir)
+                    for old_project_dir in removed_project_dirs
+                )
+                and not any(
+                    Path(zarr_dir).is_relative_to(new_project_dir)
+                    for new_project_dir in new_project_dirs
+                )
+            )
+            for zarr_dir in res.scalars().all()
+        ):
+            raise HTTPException(
+                status_code=status.HTTP_422_UNPROCESSABLE_CONTENT,
+                detail=(
+                    "You tried updating the user project_dirs, removing "
+                    f"{removed_project_dirs}. This operation is not possible, "
+                    "because it would make the user loose access to some of "
+                    "their dataset zarr directories."
+                ),
+            )

fractal_server/app/routes/auth/current_user.py CHANGED Viewed

@@ -1,7 +1,6 @@
 """
 Definition of `/auth/current-user/` endpoints
 """
-import os
 from fastapi import APIRouter
 from fastapi import Depends
@@ -9,13 +8,10 @@ from sqlalchemy.ext.asyncio import AsyncSession
 from sqlmodel import select
 from fractal_server.app.db import get_async_db
-from fractal_server.app.models import LinkUserGroup
 from fractal_server.app.models import Profile
 from fractal_server.app.models import Resource
-from fractal_server.app.models import UserGroup
 from fractal_server.app.models import UserOAuth
 from fractal_server.app.routes.auth import current_user_act
-from fractal_server.app.routes.auth import current_user_act_ver
 from fractal_server.app.routes.auth._aux_auth import (
     _get_single_user_with_groups,
 )
@@ -23,11 +19,8 @@ from fractal_server.app.schemas import UserProfileInfo
 from fractal_server.app.schemas.user import UserRead
 from fractal_server.app.schemas.user import UserUpdate
 from fractal_server.app.schemas.user import UserUpdateStrict
-from fractal_server.app.security import get_user_manager
 from fractal_server.app.security import UserManager
-from fractal_server.config import DataAuthScheme
-from fractal_server.config import get_data_settings
-from fractal_server.syringe import Inject
+from fractal_server.app.security import get_user_manager
 router_current_user = APIRouter()
@@ -87,9 +80,8 @@ async def get_current_user_profile_info(
 ) -> UserProfileInfo:
     stm = (
         select(Resource, Profile)
-        .join(UserOAuth)
+        .join(UserOAuth, Profile.id == UserOAuth.profile_id)
         .where(Resource.id == Profile.resource_id)
-        .where(Profile.id == UserOAuth.profile_id)
         .where(UserOAuth.id == current_user.id)
     )
     res = await db.execute(stm)
@@ -106,59 +98,3 @@ async def get_current_user_profile_info(
         )
     return response_data
-@router_current_user.get(
-    "/current-user/allowed-viewer-paths/", response_model=list[str]
-)
-async def get_current_user_allowed_viewer_paths(
-    current_user: UserOAuth = Depends(current_user_act_ver),
-    db: AsyncSession = Depends(get_async_db),
-) -> list[str]:
-    """
-    Returns the allowed viewer paths for current user, according to the
-    selected FRACTAL_DATA_AUTH_SCHEME
-    """
-    data_settings = Inject(get_data_settings)
-    authorized_paths = []
-    if data_settings.FRACTAL_DATA_AUTH_SCHEME == DataAuthScheme.NONE:
-        return authorized_paths
-    # Append `project_dir` to the list of authorized paths
-    authorized_paths.append(current_user.project_dir)
-    # If auth scheme is "users-folders" and `slurm_user` is set,
-    # build and append the user folder
-    if (
-        data_settings.FRACTAL_DATA_AUTH_SCHEME == DataAuthScheme.USERS_FOLDERS
-        and current_user.profile_id is not None
-    ):
-        profile = await db.get(Profile, current_user.profile_id)
-        if profile is not None and profile.username is not None:
-            base_folder = data_settings.FRACTAL_DATA_BASE_FOLDER
-            user_folder = os.path.join(base_folder, profile.username)
-            authorized_paths.append(user_folder)
-    if data_settings.FRACTAL_DATA_AUTH_SCHEME == DataAuthScheme.VIEWER_PATHS:
-        # Returns the union of `viewer_paths` for all user's groups
-        cmd = (
-            select(UserGroup.viewer_paths)
-            .join(LinkUserGroup)
-            .where(LinkUserGroup.group_id == UserGroup.id)
-            .where(LinkUserGroup.user_id == current_user.id)
-        )
-        res = await db.execute(cmd)
-        viewer_paths_nested = res.scalars().all()
-        # Flatten a nested object and make its elements unique
-        all_viewer_paths_set = {
-            path
-            for _viewer_paths in viewer_paths_nested
-            for path in _viewer_paths
-        }
-        authorized_paths.extend(all_viewer_paths_set)
-    return authorized_paths

fractal_server/app/routes/auth/group.py CHANGED Viewed

@@ -1,6 +1,7 @@
 """
 Definition of `/auth/group/` routes
 """
 from fastapi import APIRouter
 from fastapi import Depends
 from fastapi import HTTPException
@@ -9,22 +10,22 @@ from fastapi import status
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlmodel import select
-from . import current_superuser_act
-from ._aux_auth import _get_default_usergroup_id_or_none
-from ._aux_auth import _get_single_usergroup_with_user_ids
-from ._aux_auth import _user_or_404
-from ._aux_auth import _usergroup_or_404
 from fractal_server.app.db import get_async_db
 from fractal_server.app.models import LinkUserGroup
 from fractal_server.app.models import UserGroup
 from fractal_server.app.models import UserOAuth
 from fractal_server.app.schemas.user_group import UserGroupCreate
 from fractal_server.app.schemas.user_group import UserGroupRead
-from fractal_server.app.schemas.user_group import UserGroupUpdate
 from fractal_server.config import get_settings
 from fractal_server.logger import set_logger
 from fractal_server.syringe import Inject
+from . import current_superuser_act
+from ._aux_auth import _get_default_usergroup_id_or_none
+from ._aux_auth import _get_single_usergroup_with_user_ids
+from ._aux_auth import _user_or_404
+from ._aux_auth import _usergroup_or_404
 logger = set_logger(__name__)
@@ -99,41 +100,13 @@ async def create_single_group(
         )
     # Create and return new group
-    new_group = UserGroup(
-        name=group_create.name, viewer_paths=group_create.viewer_paths
-    )
+    new_group = UserGroup(name=group_create.name)
     db.add(new_group)
     await db.commit()
     return dict(new_group.model_dump(), user_ids=[])
-@router_group.patch(
-    "/group/{group_id}/",
-    response_model=UserGroupRead,
-    status_code=status.HTTP_200_OK,
-)
-async def update_single_group(
-    group_id: int,
-    group_update: UserGroupUpdate,
-    user: UserOAuth = Depends(current_superuser_act),
-    db: AsyncSession = Depends(get_async_db),
-) -> UserGroupRead:
-    group = await _usergroup_or_404(group_id, db)
-    # Patch `viewer_paths`
-    if group_update.viewer_paths is not None:
-        group.viewer_paths = group_update.viewer_paths
-        db.add(group)
-        await db.commit()
-    updated_group = await _get_single_usergroup_with_user_ids(
-        group_id=group_id, db=db
-    )
-    return updated_group
 @router_group.delete("/group/{group_id}/", status_code=204)
 async def delete_single_group(
     group_id: int,

fractal_server/app/routes/auth/login.py CHANGED Viewed

@@ -1,6 +1,7 @@
 """
 Definition of `/auth/{login,logout}/`, `/auth/token/{login/logout}` routes.
 """
 from fastapi import APIRouter
 from . import cookie_backend

fractal_server/app/routes/auth/oauth.py CHANGED Viewed

@@ -4,13 +4,14 @@ from httpx_oauth.clients.google import GoogleOAuth2
 from httpx_oauth.clients.openid import OpenID
 from httpx_oauth.clients.openid import OpenIDConfigurationError
-from . import cookie_backend
-from . import fastapi_users
+from fractal_server.config import OAuthSettings
 from fractal_server.config import get_oauth_settings
 from fractal_server.config import get_settings
-from fractal_server.config import OAuthSettings
 from fractal_server.syringe import Inject
+from . import cookie_backend
+from . import fastapi_users
 def _create_client_github(cfg: OAuthSettings) -> GitHubOAuth2:
     return GitHubOAuth2(

fractal_server/app/routes/auth/register.py CHANGED Viewed

@@ -1,13 +1,15 @@
 """
 Definition of `/auth/register/` routes.
 """
 from fastapi import APIRouter
 from fastapi import Depends
+from fractal_server.app.schemas.user import UserCreate
+from fractal_server.app.schemas.user import UserRead
 from . import current_superuser_act
 from . import fastapi_users
-from ...schemas.user import UserCreate
-from ...schemas.user import UserRead
 router_register = APIRouter()

fractal_server/app/routes/auth/router.py CHANGED Viewed

@@ -6,6 +6,7 @@ from .login import router_login
 from .oauth import get_oauth_router
 from .register import router_register
 from .users import router_users
+from .viewer_paths import router_viewer_paths
 router_auth = APIRouter()
@@ -14,6 +15,7 @@ router_auth.include_router(router_current_user)
 router_auth.include_router(router_login)
 router_auth.include_router(router_users)
 router_auth.include_router(router_group)
+router_auth.include_router(router_viewer_paths)
 router_oauth = get_oauth_router()
 if router_oauth is not None:
     router_auth.include_router(router_oauth)

fractal_server/app/routes/auth/users.py CHANGED Viewed

@@ -1,6 +1,7 @@
 """
 Definition of `/auth/users/` routes
 """
 from fastapi import APIRouter
 from fastapi import Depends
 from fastapi import HTTPException
@@ -11,24 +12,25 @@ from sqlalchemy.ext.asyncio import AsyncSession
 from sqlmodel import func
 from sqlmodel import select
-from . import current_superuser_act
-from ...db import get_async_db
-from ...schemas.user import UserRead
-from ...schemas.user import UserUpdate
-from ._aux_auth import _get_default_usergroup_id_or_none
-from ._aux_auth import _get_single_user_with_groups
+from fractal_server.app.db import get_async_db
 from fractal_server.app.models import LinkUserGroup
 from fractal_server.app.models import UserGroup
 from fractal_server.app.models import UserOAuth
 from fractal_server.app.models.v2 import Profile
 from fractal_server.app.routes.auth._aux_auth import _user_or_404
+from fractal_server.app.schemas.user import UserRead
+from fractal_server.app.schemas.user import UserUpdate
 from fractal_server.app.schemas.user import UserUpdateGroups
-from fractal_server.app.security import get_user_manager
 from fractal_server.app.security import UserManager
+from fractal_server.app.security import get_user_manager
 from fractal_server.config import get_settings
 from fractal_server.logger import set_logger
 from fractal_server.syringe import Inject
+from . import current_superuser_act
+from ._aux_auth import _check_project_dirs_update
+from ._aux_auth import _get_default_usergroup_id_or_none
+from ._aux_auth import _get_single_user_with_groups
 router_users = APIRouter()
@@ -73,6 +75,14 @@ async def patch_user(
                 detail=f"Profile {user_update.profile_id} not found.",
             )
+    if user_update.project_dirs is not None:
+        await _check_project_dirs_update(
+            old_project_dirs=user_to_patch.project_dirs,
+            new_project_dirs=user_update.project_dirs,
+            user_id=user_id,
+            db=db,
+        )
     # Modify user attributes
     try:
         user = await user_manager.update(
@@ -197,13 +207,12 @@ async def set_user_groups(
     # Remove/create links as needed
     for link in links_to_remove:
         logger.info(
-            f"Removing LinkUserGroup with {link.user_id=} "
-            f"and {link.group_id=}."
+            f"Removing LinkUserGroup with {link.user_id=} and {link.group_id=}."
         )
         await db.delete(link)
     for group_id in ids_links_to_add:
         logger.info(
-            f"Creating new LinkUserGroup with {user_id=} " f"and {group_id=}."
+            f"Creating new LinkUserGroup with {user_id=} and {group_id=}."
         )
         db.add(LinkUserGroup(user_id=user_id, group_id=group_id))
     await db.commit()

fractal_server/app/routes/auth/viewer_paths.py ADDED Viewed

@@ -0,0 +1,43 @@
+from fastapi import APIRouter
+from fastapi import Depends
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlmodel import select
+from fractal_server.app.db import get_async_db
+from fractal_server.app.models import UserOAuth
+from fractal_server.app.models.linkuserproject import LinkUserProjectV2
+from fractal_server.app.models.v2.dataset import DatasetV2
+from fractal_server.app.models.v2.project import ProjectV2
+from fractal_server.app.routes.auth import current_user_act_ver
+router_viewer_paths = APIRouter()
+@router_viewer_paths.get(
+    "/current-user/allowed-viewer-paths/", response_model=list[str]
+)
+async def get_current_user_allowed_viewer_paths(
+    include_shared_projects: bool = True,
+    current_user: UserOAuth = Depends(current_user_act_ver),
+    db: AsyncSession = Depends(get_async_db),
+) -> list[str]:
+    """
+    Returns the allowed viewer paths for current user.
+    """
+    authorized_paths = current_user.project_dirs.copy()
+    if include_shared_projects:
+        res = await db.execute(
+            select(DatasetV2.zarr_dir)
+            .join(ProjectV2, ProjectV2.id == DatasetV2.project_id)
+            .join(
+                LinkUserProjectV2, LinkUserProjectV2.project_id == ProjectV2.id
+            )
+            .where(LinkUserProjectV2.user_id == current_user.id)
+            .where(LinkUserProjectV2.is_verified.is_(True))
+        )
+        authorized_paths.extend(res.unique().scalars().all())
+        # Note that `project_dirs` and the `db.execute` result may have some
+        # common elements, and then this list may have non-unique items.
+    return authorized_paths

fractal_server/app/routes/aux/_job.py CHANGED Viewed

@@ -1,6 +1,6 @@
 from pathlib import Path
-from ...models.v2 import JobV2
+from fractal_server.app.models.v2 import JobV2
 from fractal_server.runner.filenames import SHUTDOWN_FILENAME

fractal_server/app/routes/aux/_runner.py CHANGED Viewed

@@ -1,9 +1,9 @@
 from fastapi import HTTPException
 from fastapi import status
-from ....config import get_settings
-from ....syringe import Inject
 from fractal_server.app.schemas.v2 import ResourceType
+from fractal_server.config import get_settings
+from fractal_server.syringe import Inject
 def _backend_supports_shutdown(backend: str) -> bool:

fractal_server/app/routes/pagination.py CHANGED Viewed

@@ -4,8 +4,8 @@ from typing import TypeVar
 from fastapi import HTTPException
 from pydantic import BaseModel
 from pydantic import Field
-from pydantic import model_validator
 from pydantic import ValidationError
+from pydantic import model_validator
 T = TypeVar("T")

fractal_server/app/schemas/user.py CHANGED Viewed

@@ -8,12 +8,18 @@ from pydantic import EmailStr
 from pydantic import Field
 from fractal_server.string_tools import validate_cmd
-from fractal_server.types import AbsolutePathStr
+from fractal_server.types import ListUniqueAbsolutePathStr
 from fractal_server.types import ListUniqueNonEmptyString
 from fractal_server.types import ListUniqueNonNegativeInt
 from fractal_server.types import NonEmptyStr
+def _validate_cmd_list(value: list[str]) -> list[str]:
+    for v in value:
+        validate_cmd(v)
+    return value
 class OAuthAccountRead(BaseModel):
     """
     Schema for storing essential `OAuthAccount` information within
@@ -38,20 +44,17 @@ class UserRead(schemas.BaseUser[int]):
         group_ids_names:
         oauth_accounts:
         profile_id:
+        project_dirs:
+        slurm_accounts:
     """
     group_ids_names: list[tuple[int, str]] | None = None
     oauth_accounts: list[OAuthAccountRead]
     profile_id: int | None = None
-    project_dir: str
+    project_dirs: list[str]
     slurm_accounts: list[str]
-def _validate_cmd(value: str) -> str:
-    validate_cmd(value)
-    return value
 class UserUpdate(schemas.BaseUserUpdate):
     """
     Schema for `User` update.
@@ -63,7 +66,7 @@ class UserUpdate(schemas.BaseUserUpdate):
         is_superuser:
         is_verified:
         profile_id:
-        project_dir:
+        project_dirs:
         slurm_accounts:
     """
@@ -74,9 +77,9 @@ class UserUpdate(schemas.BaseUserUpdate):
     is_superuser: bool = None
     is_verified: bool = None
     profile_id: int | None = None
-    project_dir: Annotated[
-        AbsolutePathStr, AfterValidator(_validate_cmd)
-    ] = None
+    project_dirs: Annotated[
+        ListUniqueAbsolutePathStr, AfterValidator(_validate_cmd_list)
+    ] = Field(default=None, min_length=1)
     slurm_accounts: ListUniqueNonEmptyString = None
@@ -98,10 +101,14 @@ class UserCreate(schemas.BaseUserCreate):
     Attributes:
         profile_id:
+        project_dirs:
+        slurm_accounts:
     """
     profile_id: int | None = None
-    project_dir: Annotated[AbsolutePathStr, AfterValidator(_validate_cmd)]
+    project_dirs: Annotated[
+        ListUniqueAbsolutePathStr, AfterValidator(_validate_cmd_list)
+    ] = Field(min_length=1)
     slurm_accounts: list[str] = Field(default_factory=list)
@@ -109,6 +116,8 @@ class UserUpdateGroups(BaseModel):
     """
     Schema for `POST /auth/users/{user_id}/set-groups/`
+    Attributes:
+        group_ids:
     """
     model_config = ConfigDict(extra="forbid")
@@ -117,6 +126,14 @@ class UserUpdateGroups(BaseModel):
 class UserProfileInfo(BaseModel):
+    """
+    Attributes:
+        has_profile:
+        resource_name:
+        profile_name:
+        username:
+    """
     has_profile: bool
     resource_name: str | None = None
     profile_name: str | None = None

fractal_server/app/schemas/user_group.py CHANGED Viewed

@@ -2,16 +2,13 @@ from datetime import datetime
 from pydantic import BaseModel
 from pydantic import ConfigDict
-from pydantic import Field
 from pydantic import field_serializer
 from pydantic.types import AwareDatetime
-from fractal_server.types import ListUniqueAbsolutePathStr
 from fractal_server.types import NonEmptyStr
 __all__ = (
     "UserGroupRead",
-    "UserGroupUpdate",
     "UserGroupCreate",
 )
@@ -34,7 +31,6 @@ class UserGroupRead(BaseModel):
     name: str
     timestamp_created: AwareDatetime
     user_ids: list[int] | None = None
-    viewer_paths: list[str]
     @field_serializer("timestamp_created")
     def serialize_datetime(v: datetime) -> str:
@@ -52,14 +48,3 @@ class UserGroupCreate(BaseModel):
     model_config = ConfigDict(extra="forbid")
     name: NonEmptyStr
-    viewer_paths: ListUniqueAbsolutePathStr = Field(default_factory=list)
-class UserGroupUpdate(BaseModel):
-    """
-    Schema for `UserGroup` update
-    """
-    model_config = ConfigDict(extra="forbid")
-    viewer_paths: ListUniqueAbsolutePathStr = None

fractal-server 2.17.1a1__py3-none-any.whl → 2.18.0__py3-none-any.whl

fractal-server 2.17.1a1py3-none-any.whl → 2.18.0py3-none-any.whl