fractal-server 2.3.10__py3-none-any.whl → 2.4.0a0__py3-none-any.whl

fractal_server/app/routes/auth/group_names.py

@@ -0,0 +1,34 @@
+"""
+Definition `/auth/group-names/` endpoints
+"""
+from fastapi import APIRouter
+from fastapi import Depends
+from fastapi import status
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlmodel import select
+
+from . import current_active_user
+from ...db import get_async_db
+from fractal_server.app.models import UserGroup
+from fractal_server.app.models import UserOAuth
+
+router_group_names = APIRouter()
+
+
+@router_group_names.get(
+    "/group-names/", response_model=list[str], status_code=status.HTTP_200_OK
+)
+async def get_list_user_group_names(
+    user: UserOAuth = Depends(current_active_user),
+    db: AsyncSession = Depends(get_async_db),
+) -> list[str]:
+    """
+    Return the available group names.
+
+    This endpoint is not restricted to superusers.
+    """
+    stm_all_groups = select(UserGroup)
+    res = await db.execute(stm_all_groups)
+    groups = res.scalars().all()
+    group_names = [group.name for group in groups]
+    return group_names

fractal_server/app/routes/auth/login.py

@@ -0,0 +1,25 @@
+"""
+Definition of `/auth/{login,logout}/`, `/auth/token/{login/logout}` routes.
+"""
+from fastapi import APIRouter
+
+from . import cookie_backend
+from . import fastapi_users
+from . import token_backend
+
+router_login = APIRouter()
+
+
+router_login.include_router(
+    fastapi_users.get_auth_router(token_backend),
+    prefix="/token",
+)
+router_login.include_router(
+    fastapi_users.get_auth_router(cookie_backend),
+)
+
+
+# Add trailing slash to all routes paths
+for route in router_login.routes:
+    if not route.path.endswith("/"):
+        route.path = f"{route.path}/"

fractal_server/app/routes/auth/oauth.py

@@ -0,0 +1,63 @@
+from fastapi import APIRouter
+
+from . import cookie_backend
+from . import fastapi_users
+from ....config import get_settings
+from ....syringe import Inject
+
+router_oauth = APIRouter()
+
+
+# OAUTH CLIENTS
+
+# NOTE: settings.OAUTH_CLIENTS are collected by
+# Settings.collect_oauth_clients(). If no specific client is specified in the
+# environment variables (e.g. by setting OAUTH_FOO_CLIENT_ID and
+# OAUTH_FOO_CLIENT_SECRET), this list is empty
+
+# FIXME:Dependency injection should be wrapped within a function call to make
+# it truly lazy. This function could then be called on startup of the FastAPI
+# app (cf. fractal_server.main)
+settings = Inject(get_settings)
+
+for client_config in settings.OAUTH_CLIENTS_CONFIG:
+    client_name = client_config.CLIENT_NAME.lower()
+
+    if client_name == "google":
+        from httpx_oauth.clients.google import GoogleOAuth2
+
+        client = GoogleOAuth2(
+            client_config.CLIENT_ID, client_config.CLIENT_SECRET
+        )
+    elif client_name == "github":
+        from httpx_oauth.clients.github import GitHubOAuth2
+
+        client = GitHubOAuth2(
+            client_config.CLIENT_ID, client_config.CLIENT_SECRET
+        )
+    else:
+        from httpx_oauth.clients.openid import OpenID
+
+        client = OpenID(
+            client_config.CLIENT_ID,
+            client_config.CLIENT_SECRET,
+            client_config.OIDC_CONFIGURATION_ENDPOINT,
+        )
+
+    router_oauth.include_router(
+        fastapi_users.get_oauth_router(
+            client,
+            cookie_backend,
+            settings.JWT_SECRET_KEY,
+            is_verified_by_default=False,
+            associate_by_email=True,
+            redirect_url=client_config.REDIRECT_URL,
+        ),
+        prefix=f"/{client_name}",
+    )
+
+
+# Add trailing slash to all routes' paths
+for route in router_oauth.routes:
+    if not route.path.endswith("/"):
+        route.path = f"{route.path}/"

fractal_server/app/routes/auth/register.py

@@ -0,0 +1,23 @@
+"""
+Definition of `/auth/register/` routes.
+"""
+from fastapi import APIRouter
+from fastapi import Depends
+
+from . import current_active_superuser
+from . import fastapi_users
+from ...schemas.user import UserCreate
+from ...schemas.user import UserRead
+
+router_register = APIRouter()
+
+router_register.include_router(
+    fastapi_users.get_register_router(UserRead, UserCreate),
+    dependencies=[Depends(current_active_superuser)],
+)
+
+
+# Add trailing slash to all routes' paths
+for route in router_register.routes:
+    if not route.path.endswith("/"):
+        route.path = f"{route.path}/"

fractal_server/app/routes/auth/router.py

@@ -0,0 +1,19 @@
+from fastapi import APIRouter
+
+from .current_user import router_current_user
+from .group import router_group
+from .group_names import router_group_names
+from .login import router_login
+from .oauth import router_oauth
+from .register import router_register
+from .users import router_users
+
+router_auth = APIRouter()
+
+router_auth.include_router(router_register)
+router_auth.include_router(router_current_user)
+router_auth.include_router(router_login)
+router_auth.include_router(router_group_names)
+router_auth.include_router(router_users)
+router_auth.include_router(router_group)
+router_auth.include_router(router_oauth)

fractal_server/app/routes/auth/users.py

@@ -0,0 +1,103 @@
+"""
+Definition of `/auth/users/` routes
+"""
+from fastapi import APIRouter
+from fastapi import Depends
+from fastapi import HTTPException
+from fastapi import status
+from fastapi_users import exceptions
+from fastapi_users import schemas
+from fastapi_users.router.common import ErrorCode
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlmodel import select
+
+from . import current_active_superuser
+from ...db import get_async_db
+from ...schemas.user import UserRead
+from ...schemas.user import UserUpdate
+from ._aux_auth import _get_single_user_with_group_ids
+from fractal_server.app.models import LinkUserGroup
+from fractal_server.app.models import UserOAuth
+from fractal_server.app.routes.auth._aux_auth import _user_or_404
+from fractal_server.app.security import get_user_manager
+from fractal_server.app.security import UserManager
+
+router_users = APIRouter()
+
+
+@router_users.get("/users/{user_id}/", response_model=UserRead)
+async def get_user(
+    user_id: int,
+    group_ids: bool = True,
+    superuser: UserOAuth = Depends(current_active_superuser),
+    db: AsyncSession = Depends(get_async_db),
+) -> UserRead:
+    user = await _user_or_404(user_id, db)
+    if group_ids:
+        user_with_group_ids = await _get_single_user_with_group_ids(user, db)
+        return user_with_group_ids
+    else:
+        return user
+
+
+@router_users.patch("/users/{user_id}/", response_model=UserRead)
+async def patch_user(
+    user_id: int,
+    user_update: UserUpdate,
+    current_superuser: UserOAuth = Depends(current_active_superuser),
+    user_manager: UserManager = Depends(get_user_manager),
+    db: AsyncSession = Depends(get_async_db),
+):
+    """
+    Custom version of the PATCH-user route from `fastapi-users`.
+    """
+
+    user_to_patch = await _user_or_404(user_id, db)
+
+    try:
+        user = await user_manager.update(
+            user_update, user_to_patch, safe=False, request=None
+        )
+        patched_user = schemas.model_validate(UserOAuth, user)
+    except exceptions.InvalidPasswordException as e:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail={
+                "code": ErrorCode.UPDATE_USER_INVALID_PASSWORD,
+                "reason": e.reason,
+            },
+        )
+
+    patched_user_with_group_ids = await _get_single_user_with_group_ids(
+        patched_user, db
+    )
+
+    return patched_user_with_group_ids
+
+
+@router_users.get("/users/", response_model=list[UserRead])
+async def list_users(
+    user: UserOAuth = Depends(current_active_superuser),
+    db: AsyncSession = Depends(get_async_db),
+):
+    """
+    Return list of all users
+    """
+    stm = select(UserOAuth)
+    res = await db.execute(stm)
+    user_list = res.scalars().unique().all()
+
+    # Get all user/group links
+    stm_all_links = select(LinkUserGroup)
+    res = await db.execute(stm_all_links)
+    links = res.scalars().all()
+
+    # FIXME GROUPS: this must be optimized
+    for ind, user in enumerate(user_list):
+        user_list[ind] = dict(
+            user.model_dump(),
+            group_ids=[
+                link.group_id for link in links if link.user_id == user.id
+            ],
+        )
+    return user_list

fractal_server/app/runner/v2/__init__.py

@@ -194,15 +194,11 @@ async def submit_workflow(
                     folder=str(WORKFLOW_DIR_REMOTE), user=slurm_user
                 )
             elif FRACTAL_RUNNER_BACKEND == "slurm_ssh":
+                # Folder creation is deferred to _process_workflow
                 WORKFLOW_DIR_REMOTE = (
                     Path(settings.FRACTAL_SLURM_SSH_WORKING_BASE_DIR)
                     / WORKFLOW_DIR_LOCAL.name
                 )
-                # FIXME SSH: move mkdir to executor, likely within handshake
-                fractal_ssh.mkdir(
-                    folder=str(WORKFLOW_DIR_REMOTE),
-                )
-                logger.info(f"Created {str(WORKFLOW_DIR_REMOTE)} via SSH.")
             else:
                 logger.error(
                     "Invalid FRACTAL_RUNNER_BACKEND="

fractal_server/app/runner/v2/_slurm_ssh/__init__.py

@@ -25,10 +25,15 @@ from .....ssh._fabric import FractalSSH
 from ....models.v2 import DatasetV2
 from ....models.v2 import WorkflowV2
 from ...async_wrap import async_wrap
+from ...exceptions import JobExecutionError
 from ...executors.slurm.ssh.executor import FractalSlurmSSHExecutor
 from ...set_start_and_last_task_index import set_start_and_last_task_index
 from ..runner import execute_tasks_v2
 from ._submit_setup import _slurm_submit_setup
+from fractal_server.logger import set_logger
+
+
+logger = set_logger(__name__)
 
 
 def _process_workflow(
@@ -60,6 +65,18 @@ def _process_workflow(
     if isinstance(worker_init, str):
         worker_init = worker_init.split("\n")
 
+    # Create main remote folder
+    try:
+        fractal_ssh.mkdir(folder=str(workflow_dir_remote))
+        logger.info(f"Created {str(workflow_dir_remote)} via SSH.")
+    except Exception as e:
+        error_msg = (
+            f"Could not create {str(workflow_dir_remote)} via SSH.\n"
+            f"Original error: {str(e)}."
+        )
+        logger.error(error_msg)
+        raise JobExecutionError(info=error_msg)
+
     with FractalSlurmSSHExecutor(
         fractal_ssh=fractal_ssh,
         workflow_dir_local=workflow_dir_local,

fractal_server/app/schemas/user.py

@@ -34,6 +34,8 @@ class UserRead(schemas.BaseUser[int]):
     cache_dir: Optional[str]
     username: Optional[str]
     slurm_accounts: list[str]
+    group_names: Optional[list[str]] = None
+    group_ids: Optional[list[int]] = None
 
 
 class UserUpdate(schemas.BaseUserUpdate):

fractal_server/app/schemas/user_group.py

@@ -0,0 +1,57 @@
+from datetime import datetime
+from typing import Optional
+
+from pydantic import BaseModel
+from pydantic import Extra
+from pydantic import Field
+
+__all__ = (
+    "UserGroupRead",
+    "UserGroupUpdate",
+    "UserGroupCreate",
+)
+
+
+class UserGroupRead(BaseModel):
+    """
+    Schema for `UserGroup` read
+
+    NOTE: `user_ids` does not correspond to a column of the `UserGroup` table,
+    but it is rather computed dynamically in relevant endpoints.
+
+    Attributes:
+        id: Group ID
+        name: Group name
+        timestamp_created: Creation timestamp
+        user_ids: IDs of users of this group
+    """
+
+    id: int
+    name: str
+    timestamp_created: datetime
+    user_ids: Optional[list[int]] = None
+
+
+class UserGroupCreate(BaseModel, extra=Extra.forbid):
+    """
+    Schema for `UserGroup` creation
+
+    Attributes:
+        name: Group name
+    """
+
+    name: str
+
+
+class UserGroupUpdate(BaseModel, extra=Extra.forbid):
+    """
+    Schema for `UserGroup` update
+
+    NOTE: `new_user_ids` does not correspond to a column of the `UserGroup`
+    table, but it is rather used to create new `LinkUserGroup` rows.
+
+    Attributes:
+        new_user_ids: IDs of groups to be associated to user.
+    """
+
+    new_user_ids: list[int] = Field(default_factory=list)

fractal_server/app/security/__init__.py

@@ -29,19 +29,14 @@ All routes are registerd under the `auth/` prefix.
 import contextlib
 from typing import Any
 from typing import AsyncGenerator
-from typing import Dict
 from typing import Generic
 from typing import Optional
 from typing import Type
 
 from fastapi import Depends
+from fastapi import Request
 from fastapi_users import BaseUserManager
-from fastapi_users import FastAPIUsers
 from fastapi_users import IntegerIDMixin
-from fastapi_users.authentication import AuthenticationBackend
-from fastapi_users.authentication import BearerTransport
-from fastapi_users.authentication import CookieTransport
-from fastapi_users.authentication import JWTStrategy
 from fastapi_users.db.base import BaseUserDatabase
 from fastapi_users.exceptions import InvalidPasswordException
 from fastapi_users.exceptions import UserAlreadyExists
@@ -54,16 +49,19 @@ from sqlalchemy.orm import selectinload
 from sqlmodel import func
 from sqlmodel import select
 
-from ...config import get_settings
-from ...syringe import Inject
 from ..db import get_async_db
-from fractal_server.app.models.security import OAuthAccount
-from fractal_server.app.models.security import UserOAuth as User
+from fractal_server.app.db import get_sync_db
+from fractal_server.app.models import LinkUserGroup
+from fractal_server.app.models import OAuthAccount
+from fractal_server.app.models import UserGroup
+from fractal_server.app.models import UserOAuth
 from fractal_server.app.schemas.user import UserCreate
 from fractal_server.logger import get_logger
 
 logger = get_logger(__name__)
 
+FRACTAL_DEFAULT_GROUP_NAME = "All"
+
 
 class SQLModelUserDatabaseAsync(Generic[UP, ID], BaseUserDatabase[UP, ID]):
     """
@@ -125,7 +123,7 @@ class SQLModelUserDatabaseAsync(Generic[UP, ID], BaseUserDatabase[UP, ID]):
             return user
         return None
 
-    async def create(self, create_dict: Dict[str, Any]) -> UP:
+    async def create(self, create_dict: dict[str, Any]) -> UP:
         """Create a user."""
         user = self.user_model(**create_dict)
         self.session.add(user)
@@ -133,7 +131,7 @@ class SQLModelUserDatabaseAsync(Generic[UP, ID], BaseUserDatabase[UP, ID]):
         await self.session.refresh(user)
         return user
 
-    async def update(self, user: UP, update_dict: Dict[str, Any]) -> UP:
+    async def update(self, user: UP, update_dict: dict[str, Any]) -> UP:
         for key, value in update_dict.items():
             setattr(user, key, value)
         self.session.add(user)
@@ -146,7 +144,7 @@ class SQLModelUserDatabaseAsync(Generic[UP, ID], BaseUserDatabase[UP, ID]):
         await self.session.commit()
 
     async def add_oauth_account(
-        self, user: UP, create_dict: Dict[str, Any]
+        self, user: UP, create_dict: dict[str, Any]
     ) -> UP:  # noqa
         if self.oauth_account_model is None:
             raise NotImplementedError()
@@ -160,7 +158,7 @@ class SQLModelUserDatabaseAsync(Generic[UP, ID], BaseUserDatabase[UP, ID]):
         return user
 
     async def update_oauth_account(
-        self, user: UP, oauth_account: OAP, update_dict: Dict[str, Any]
+        self, user: UP, oauth_account: OAP, update_dict: dict[str, Any]
     ) -> UP:
         if self.oauth_account_model is None:
             raise NotImplementedError()
@@ -176,13 +174,14 @@ class SQLModelUserDatabaseAsync(Generic[UP, ID], BaseUserDatabase[UP, ID]):
 async def get_user_db(
     session: AsyncSession = Depends(get_async_db),
 ) -> AsyncGenerator[SQLModelUserDatabaseAsync, None]:
-    yield SQLModelUserDatabaseAsync(session, User, OAuthAccount)
+    yield SQLModelUserDatabaseAsync(session, UserOAuth, OAuthAccount)
 
 
-class UserManager(IntegerIDMixin, BaseUserManager[User, int]):
-    async def validate_password(self, password: str, user: User) -> None:
+class UserManager(IntegerIDMixin, BaseUserManager[UserOAuth, int]):
+    async def validate_password(self, password: str, user: UserOAuth) -> None:
         # check password length
-        min_length, max_length = 4, 100
+        min_length = 4
+        max_length = 100
         if len(password) < min_length:
             raise InvalidPasswordException(
                 f"The password is too short (minimum length: {min_length})."
@@ -192,6 +191,38 @@ class UserManager(IntegerIDMixin, BaseUserManager[User, int]):
                 f"The password is too long (maximum length: {min_length})."
             )
 
+    async def on_after_register(
+        self, user: UserOAuth, request: Optional[Request] = None
+    ):
+        logger.info(
+            f"New-user registration completed ({user.id=}, {user.email=})."
+        )
+        async for db in get_async_db():
+            # Find default group
+            stm = select(UserGroup).where(
+                UserGroup.name == FRACTAL_DEFAULT_GROUP_NAME
+            )
+            res = await db.execute(stm)
+            default_group = res.scalar_one_or_none()
+            if default_group is None:
+                logger.error(
+                    f"No group found with name {FRACTAL_DEFAULT_GROUP_NAME}"
+                )
+            else:
+                logger.warning(
+                    f"START adding {user.email} user to group "
+                    f"{default_group.id=}."
+                )
+                link = LinkUserGroup(
+                    user_id=user.id, group_id=default_group.id
+                )
+                db.add(link)
+                await db.commit()
+                logger.warning(
+                    f"END   adding {user.email} user to group "
+                    f"{default_group.id=}."
+                )
+
 
 async def get_user_manager(
     user_db: SQLModelUserDatabaseAsync = Depends(get_user_db),
@@ -199,53 +230,6 @@ async def get_user_manager(
     yield UserManager(user_db)
 
 
-bearer_transport = BearerTransport(tokenUrl="/auth/token/login")
-cookie_transport = CookieTransport(cookie_samesite="none")
-
-
-def get_jwt_strategy() -> JWTStrategy:
-    settings = Inject(get_settings)
-    return JWTStrategy(
-        secret=settings.JWT_SECRET_KEY,  # type: ignore
-        lifetime_seconds=settings.JWT_EXPIRE_SECONDS,
-    )
-
-
-def get_jwt_cookie_strategy() -> JWTStrategy:
-    settings = Inject(get_settings)
-    return JWTStrategy(
-        secret=settings.JWT_SECRET_KEY,  # type: ignore
-        lifetime_seconds=settings.COOKIE_EXPIRE_SECONDS,
-    )
-
-
-token_backend = AuthenticationBackend(
-    name="bearer-jwt",
-    transport=bearer_transport,
-    get_strategy=get_jwt_strategy,
-)
-cookie_backend = AuthenticationBackend(
-    name="cookie-jwt",
-    transport=cookie_transport,
-    get_strategy=get_jwt_cookie_strategy,
-)
-
-
-fastapi_users = FastAPIUsers[User, int](
-    get_user_manager,
-    [token_backend, cookie_backend],
-)
-
-
-# Create dependencies for users
-current_active_user = fastapi_users.current_user(active=True)
-current_active_verified_user = fastapi_users.current_user(
-    active=True, verified=True
-)
-current_active_superuser = fastapi_users.current_user(
-    active=True, superuser=True
-)
-
 get_async_session_context = contextlib.asynccontextmanager(get_async_db)
 get_user_db_context = contextlib.asynccontextmanager(get_user_db)
 get_user_manager_context = contextlib.asynccontextmanager(get_user_manager)
@@ -286,9 +270,9 @@ async def _create_first_user(
 
             if is_superuser is True:
                 # If a superuser already exists, exit
-                stm = select(User).where(
-                    User.is_superuser == True  # noqa E712
-                )
+                stm = select(UserOAuth).where(  # noqa
+                    UserOAuth.is_superuser == True  # noqa
+                )  # noqa
                 res = await session.execute(stm)
                 existing_superuser = res.scalars().first()
                 if existing_superuser is not None:
@@ -319,3 +303,23 @@ async def _create_first_user(
 
     except UserAlreadyExists:
         logger.warning(f"User {email} already exists")
+
+
+def _create_first_group():
+    logger.info(
+        f"START _create_first_group, with name {FRACTAL_DEFAULT_GROUP_NAME}"
+    )
+    with next(get_sync_db()) as db:
+        group_all = db.execute(select(UserGroup))
+        if group_all.scalars().one_or_none() is None:
+            first_group = UserGroup(name=FRACTAL_DEFAULT_GROUP_NAME)
+            db.add(first_group)
+            db.commit()
+            logger.info(f"Created group {FRACTAL_DEFAULT_GROUP_NAME}")
+        else:
+            logger.info(
+                f"Group {FRACTAL_DEFAULT_GROUP_NAME} already exists, skip."
+            )
+    logger.info(
+        f"END   _create_first_group, with name {FRACTAL_DEFAULT_GROUP_NAME}"
+    )

fractal_server/data_migrations/2_4_0.py

@@ -0,0 +1,61 @@
+import logging
+
+from packaging.version import parse
+from sqlalchemy import select
+
+import fractal_server
+from fractal_server.app.db import get_sync_db
+from fractal_server.app.models import LinkUserGroup
+from fractal_server.app.models import UserGroup
+from fractal_server.app.models import UserOAuth
+from fractal_server.app.security import FRACTAL_DEFAULT_GROUP_NAME
+
+
+def _check_current_version(*, expected_version: str):
+    # Check that this module matches with the current version
+    module_version = parse(expected_version)
+    current_version = parse(fractal_server.__VERSION__)
+    if (
+        current_version.major != module_version.major
+        or current_version.minor != module_version.minor
+        or current_version.micro != module_version.micro
+    ):
+        raise RuntimeError(
+            f"{fractal_server.__VERSION__=} not matching with {__file__=}"
+        )
+
+
+def fix_db():
+    logger = logging.getLogger("fix_db")
+    logger.warning("START execution of fix_db function")
+    _check_current_version(expected_version="2.4.0")
+
+    with next(get_sync_db()) as db:
+        # Find default group
+        stm = select(UserGroup).where(
+            UserGroup.name == FRACTAL_DEFAULT_GROUP_NAME
+        )
+        res = db.execute(stm)
+        default_group = res.scalar_one_or_none()
+        if default_group is None:
+            raise RuntimeError("Default group not found, exit.")
+        logger.warning(
+            "Default user group exists: "
+            f"{default_group.id=}, {default_group.name=}."
+        )
+
+        # Find
+        stm = select(UserOAuth)
+        users = db.execute(stm).scalars().unique().all()
+        for user in sorted(users, key=lambda x: x.id):
+            logger.warning(
+                f"START adding {user.id=} ({user.email=}) to default group."
+            )
+            link = LinkUserGroup(user_id=user.id, group_id=default_group.id)
+            db.add(link)
+            db.commit()
+            logger.warning(
+                f"END   adding {user.id=} ({user.email=}) to default group."
+            )
+
+    logger.warning("END of execution of fix_db function")