fractal-server 2.3.11__py3-none-any.whl → 2.4.0__py3-none-any.whl

fractal_server/app/routes/auth/group_names.py

@@ -0,0 +1,34 @@
+"""
+Definition `/auth/group-names/` endpoints
+"""
+from fastapi import APIRouter
+from fastapi import Depends
+from fastapi import status
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlmodel import select
+
+from . import current_active_user
+from ...db import get_async_db
+from fractal_server.app.models import UserGroup
+from fractal_server.app.models import UserOAuth
+
+router_group_names = APIRouter()
+
+
+@router_group_names.get(
+    "/group-names/", response_model=list[str], status_code=status.HTTP_200_OK
+)
+async def get_list_user_group_names(
+    user: UserOAuth = Depends(current_active_user),
+    db: AsyncSession = Depends(get_async_db),
+) -> list[str]:
+    """
+    Return the available group names.
+
+    This endpoint is not restricted to superusers.
+    """
+    stm_all_groups = select(UserGroup)
+    res = await db.execute(stm_all_groups)
+    groups = res.scalars().all()
+    group_names = [group.name for group in groups]
+    return group_names

fractal_server/app/routes/auth/login.py

@@ -0,0 +1,25 @@
+"""
+Definition of `/auth/{login,logout}/`, `/auth/token/{login/logout}` routes.
+"""
+from fastapi import APIRouter
+
+from . import cookie_backend
+from . import fastapi_users
+from . import token_backend
+
+router_login = APIRouter()
+
+
+router_login.include_router(
+    fastapi_users.get_auth_router(token_backend),
+    prefix="/token",
+)
+router_login.include_router(
+    fastapi_users.get_auth_router(cookie_backend),
+)
+
+
+# Add trailing slash to all routes paths
+for route in router_login.routes:
+    if not route.path.endswith("/"):
+        route.path = f"{route.path}/"

fractal_server/app/routes/auth/oauth.py

@@ -0,0 +1,63 @@
+from fastapi import APIRouter
+
+from . import cookie_backend
+from . import fastapi_users
+from ....config import get_settings
+from ....syringe import Inject
+
+router_oauth = APIRouter()
+
+
+# OAUTH CLIENTS
+
+# NOTE: settings.OAUTH_CLIENTS are collected by
+# Settings.collect_oauth_clients(). If no specific client is specified in the
+# environment variables (e.g. by setting OAUTH_FOO_CLIENT_ID and
+# OAUTH_FOO_CLIENT_SECRET), this list is empty
+
+# FIXME:Dependency injection should be wrapped within a function call to make
+# it truly lazy. This function could then be called on startup of the FastAPI
+# app (cf. fractal_server.main)
+settings = Inject(get_settings)
+
+for client_config in settings.OAUTH_CLIENTS_CONFIG:
+    client_name = client_config.CLIENT_NAME.lower()
+
+    if client_name == "google":
+        from httpx_oauth.clients.google import GoogleOAuth2
+
+        client = GoogleOAuth2(
+            client_config.CLIENT_ID, client_config.CLIENT_SECRET
+        )
+    elif client_name == "github":
+        from httpx_oauth.clients.github import GitHubOAuth2
+
+        client = GitHubOAuth2(
+            client_config.CLIENT_ID, client_config.CLIENT_SECRET
+        )
+    else:
+        from httpx_oauth.clients.openid import OpenID
+
+        client = OpenID(
+            client_config.CLIENT_ID,
+            client_config.CLIENT_SECRET,
+            client_config.OIDC_CONFIGURATION_ENDPOINT,
+        )
+
+    router_oauth.include_router(
+        fastapi_users.get_oauth_router(
+            client,
+            cookie_backend,
+            settings.JWT_SECRET_KEY,
+            is_verified_by_default=False,
+            associate_by_email=True,
+            redirect_url=client_config.REDIRECT_URL,
+        ),
+        prefix=f"/{client_name}",
+    )
+
+
+# Add trailing slash to all routes' paths
+for route in router_oauth.routes:
+    if not route.path.endswith("/"):
+        route.path = f"{route.path}/"

fractal_server/app/routes/auth/register.py

@@ -0,0 +1,23 @@
+"""
+Definition of `/auth/register/` routes.
+"""
+from fastapi import APIRouter
+from fastapi import Depends
+
+from . import current_active_superuser
+from . import fastapi_users
+from ...schemas.user import UserCreate
+from ...schemas.user import UserRead
+
+router_register = APIRouter()
+
+router_register.include_router(
+    fastapi_users.get_register_router(UserRead, UserCreate),
+    dependencies=[Depends(current_active_superuser)],
+)
+
+
+# Add trailing slash to all routes' paths
+for route in router_register.routes:
+    if not route.path.endswith("/"):
+        route.path = f"{route.path}/"

fractal_server/app/routes/auth/router.py

@@ -0,0 +1,19 @@
+from fastapi import APIRouter
+
+from .current_user import router_current_user
+from .group import router_group
+from .group_names import router_group_names
+from .login import router_login
+from .oauth import router_oauth
+from .register import router_register
+from .users import router_users
+
+router_auth = APIRouter()
+
+router_auth.include_router(router_register)
+router_auth.include_router(router_current_user)
+router_auth.include_router(router_login)
+router_auth.include_router(router_group_names)
+router_auth.include_router(router_users)
+router_auth.include_router(router_group)
+router_auth.include_router(router_oauth)

fractal_server/app/routes/auth/users.py

@@ -0,0 +1,192 @@
+"""
+Definition of `/auth/users/` routes
+"""
+from fastapi import APIRouter
+from fastapi import Depends
+from fastapi import HTTPException
+from fastapi import status
+from fastapi_users import exceptions
+from fastapi_users import schemas
+from fastapi_users.router.common import ErrorCode
+from sqlalchemy.exc import IntegrityError
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlmodel import col
+from sqlmodel import func
+from sqlmodel import select
+
+from . import current_active_superuser
+from ...db import get_async_db
+from ...schemas.user import UserRead
+from ...schemas.user import UserUpdate
+from ...schemas.user import UserUpdateWithNewGroupIds
+from ._aux_auth import _get_single_user_with_group_ids
+from fractal_server.app.models import LinkUserGroup
+from fractal_server.app.models import UserGroup
+from fractal_server.app.models import UserOAuth
+from fractal_server.app.routes.auth._aux_auth import _user_or_404
+from fractal_server.app.security import get_user_manager
+from fractal_server.app.security import UserManager
+from fractal_server.logger import set_logger
+
+router_users = APIRouter()
+
+
+logger = set_logger(__name__)
+
+
+@router_users.get("/users/{user_id}/", response_model=UserRead)
+async def get_user(
+    user_id: int,
+    group_ids: bool = True,
+    superuser: UserOAuth = Depends(current_active_superuser),
+    db: AsyncSession = Depends(get_async_db),
+) -> UserRead:
+    user = await _user_or_404(user_id, db)
+    if group_ids:
+        user_with_group_ids = await _get_single_user_with_group_ids(user, db)
+        return user_with_group_ids
+    else:
+        return user
+
+
+@router_users.patch("/users/{user_id}/", response_model=UserRead)
+async def patch_user(
+    user_id: int,
+    user_update: UserUpdateWithNewGroupIds,
+    current_superuser: UserOAuth = Depends(current_active_superuser),
+    user_manager: UserManager = Depends(get_user_manager),
+    db: AsyncSession = Depends(get_async_db),
+):
+    """
+    Custom version of the PATCH-user route from `fastapi-users`.
+
+    In order to keep the fastapi-users logic in place (which is convenient to
+    update user attributes), we split the endpoint into two branches. We either
+    go through the fastapi-users-based attribute-update branch, or through the
+    branch where we establish new user/group relationships.
+
+    Note that we prevent making both changes at the same time, since it would
+    be more complex to guarantee that endpoint error would leave the database
+    in the same state as before the API call.
+    """
+
+    # We prevent simultaneous editing of both user attributes and user/group
+    # associations
+    user_update_dict_without_groups = user_update.dict(
+        exclude_unset=True, exclude={"new_group_ids"}
+    )
+    edit_attributes = user_update_dict_without_groups != {}
+    edit_groups = user_update.new_group_ids is not None
+    if edit_attributes and edit_groups:
+        raise HTTPException(
+            status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
+            detail=(
+                "Cannot modify both user attributes and group membership. "
+                "Please make two independent PATCH calls"
+            ),
+        )
+
+    # Check that user exists
+    user_to_patch = await _user_or_404(user_id, db)
+
+    if edit_groups:
+        # Establish new user/group relationships
+
+        # Check that all required groups exist
+        # Note: The reason for introducing `col` is as in
+        # https://sqlmodel.tiangolo.com/tutorial/where/#type-annotations-and-errors,
+        stm = select(func.count()).where(
+            col(UserGroup.id).in_(user_update.new_group_ids)
+        )
+        res = await db.execute(stm)
+        number_matching_groups = res.scalar()
+        if number_matching_groups != len(user_update.new_group_ids):
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail=(
+                    "Not all requested groups (IDs: "
+                    f"{user_update.new_group_ids}) exist."
+                ),
+            )
+
+        for new_group_id in user_update.new_group_ids:
+            link = LinkUserGroup(user_id=user_id, group_id=new_group_id)
+            db.add(link)
+
+        try:
+            await db.commit()
+        except IntegrityError as e:
+            error_msg = (
+                f"Cannot link groups with IDs {user_update.new_group_ids} "
+                f"to user {user_id}. "
+                "Likely reason: one of these links already exists.\n"
+                f"Original error: {str(e)}"
+            )
+            logger.info(error_msg)
+            raise HTTPException(
+                status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
+                detail=error_msg,
+            )
+
+        patched_user = user_to_patch
+
+    elif edit_attributes:
+        # Modify user attributes
+        try:
+            user_update_without_groups = UserUpdate(
+                **user_update_dict_without_groups
+            )
+            user = await user_manager.update(
+                user_update_without_groups,
+                user_to_patch,
+                safe=False,
+                request=None,
+            )
+            patched_user = schemas.model_validate(UserOAuth, user)
+        except exceptions.InvalidPasswordException as e:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail={
+                    "code": ErrorCode.UPDATE_USER_INVALID_PASSWORD,
+                    "reason": e.reason,
+                },
+            )
+    else:
+        # Nothing to do, just continue
+        patched_user = user_to_patch
+
+    # Enrich user object with `group_ids` attribute
+    patched_user_with_group_ids = await _get_single_user_with_group_ids(
+        patched_user, db
+    )
+
+    return patched_user_with_group_ids
+
+
+@router_users.get("/users/", response_model=list[UserRead])
+async def list_users(
+    user: UserOAuth = Depends(current_active_superuser),
+    db: AsyncSession = Depends(get_async_db),
+):
+    """
+    Return list of all users
+    """
+    stm = select(UserOAuth)
+    res = await db.execute(stm)
+    user_list = res.scalars().unique().all()
+
+    # Get all user/group links
+    stm_all_links = select(LinkUserGroup)
+    res = await db.execute(stm_all_links)
+    links = res.scalars().all()
+
+    # TODO: possible optimizations for this construction are listed in
+    # https://github.com/fractal-analytics-platform/fractal-server/issues/1742
+    for ind, user in enumerate(user_list):
+        user_list[ind] = dict(
+            user.model_dump(),
+            group_ids=[
+                link.group_id for link in links if link.user_id == user.id
+            ],
+        )
+    return user_list

fractal_server/app/schemas/user.py

@@ -16,6 +16,7 @@ __all__ = (
     "UserRead",
     "UserUpdate",
     "UserCreate",
+    "UserUpdateWithNewGroupIds",
 )
 
 
@@ -34,6 +35,8 @@ class UserRead(schemas.BaseUser[int]):
     cache_dir: Optional[str]
     username: Optional[str]
     slurm_accounts: list[str]
+    group_names: Optional[list[str]] = None
+    group_ids: Optional[list[int]] = None
 
 
 class UserUpdate(schemas.BaseUserUpdate):
@@ -100,6 +103,14 @@ class UserUpdateStrict(BaseModel, extra=Extra.forbid):
     )
 
 
+class UserUpdateWithNewGroupIds(UserUpdate):
+    new_group_ids: Optional[list[int]] = None
+
+    _val_unique = validator("new_group_ids", allow_reuse=True)(
+        val_unique_list("new_group_ids")
+    )
+
+
 class UserCreate(schemas.BaseUserCreate):
     """
     Schema for `User` creation.

fractal_server/app/schemas/user_group.py

@@ -0,0 +1,65 @@
+from datetime import datetime
+from typing import Optional
+
+from pydantic import BaseModel
+from pydantic import Extra
+from pydantic import Field
+from pydantic import validator
+
+from ._validators import val_unique_list
+
+
+__all__ = (
+    "UserGroupRead",
+    "UserGroupUpdate",
+    "UserGroupCreate",
+)
+
+
+class UserGroupRead(BaseModel):
+    """
+    Schema for `UserGroup` read
+
+    NOTE: `user_ids` does not correspond to a column of the `UserGroup` table,
+    but it is rather computed dynamically in relevant endpoints.
+
+    Attributes:
+        id: Group ID
+        name: Group name
+        timestamp_created: Creation timestamp
+        user_ids: IDs of users of this group
+    """
+
+    id: int
+    name: str
+    timestamp_created: datetime
+    user_ids: Optional[list[int]] = None
+
+
+class UserGroupCreate(BaseModel, extra=Extra.forbid):
+    """
+    Schema for `UserGroup` creation
+
+    Attributes:
+        name: Group name
+    """
+
+    name: str
+
+
+class UserGroupUpdate(BaseModel, extra=Extra.forbid):
+    """
+    Schema for `UserGroup` update
+
+    NOTE: `new_user_ids` does not correspond to a column of the `UserGroup`
+    table, but it is rather used to create new `LinkUserGroup` rows.
+
+    Attributes:
+        new_user_ids: IDs of groups to be associated to user.
+    """
+
+    new_user_ids: list[int] = Field(default_factory=list)
+
+    _val_unique = validator("new_user_ids", allow_reuse=True)(
+        val_unique_list("new_user_ids")
+    )

fractal_server/app/security/__init__.py

@@ -29,41 +29,38 @@ All routes are registerd under the `auth/` prefix.
 import contextlib
 from typing import Any
 from typing import AsyncGenerator
-from typing import Dict
 from typing import Generic
 from typing import Optional
 from typing import Type
 
 from fastapi import Depends
+from fastapi import Request
 from fastapi_users import BaseUserManager
-from fastapi_users import FastAPIUsers
 from fastapi_users import IntegerIDMixin
-from fastapi_users.authentication import AuthenticationBackend
-from fastapi_users.authentication import BearerTransport
-from fastapi_users.authentication import CookieTransport
-from fastapi_users.authentication import JWTStrategy
 from fastapi_users.db.base import BaseUserDatabase
 from fastapi_users.exceptions import InvalidPasswordException
 from fastapi_users.exceptions import UserAlreadyExists
 from fastapi_users.models import ID
 from fastapi_users.models import OAP
 from fastapi_users.models import UP
-from sqlalchemy.exc import IntegrityError
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy.orm import selectinload
 from sqlmodel import func
 from sqlmodel import select
 
-from ...config import get_settings
-from ...syringe import Inject
 from ..db import get_async_db
-from fractal_server.app.models.security import OAuthAccount
-from fractal_server.app.models.security import UserOAuth as User
+from fractal_server.app.db import get_sync_db
+from fractal_server.app.models import LinkUserGroup
+from fractal_server.app.models import OAuthAccount
+from fractal_server.app.models import UserGroup
+from fractal_server.app.models import UserOAuth
 from fractal_server.app.schemas.user import UserCreate
 from fractal_server.logger import get_logger
 
 logger = get_logger(__name__)
 
+FRACTAL_DEFAULT_GROUP_NAME = "All"
+
 
 class SQLModelUserDatabaseAsync(Generic[UP, ID], BaseUserDatabase[UP, ID]):
     """
@@ -125,7 +122,7 @@ class SQLModelUserDatabaseAsync(Generic[UP, ID], BaseUserDatabase[UP, ID]):
             return user
         return None
 
-    async def create(self, create_dict: Dict[str, Any]) -> UP:
+    async def create(self, create_dict: dict[str, Any]) -> UP:
         """Create a user."""
         user = self.user_model(**create_dict)
         self.session.add(user)
@@ -133,7 +130,7 @@ class SQLModelUserDatabaseAsync(Generic[UP, ID], BaseUserDatabase[UP, ID]):
         await self.session.refresh(user)
         return user
 
-    async def update(self, user: UP, update_dict: Dict[str, Any]) -> UP:
+    async def update(self, user: UP, update_dict: dict[str, Any]) -> UP:
         for key, value in update_dict.items():
             setattr(user, key, value)
         self.session.add(user)
@@ -146,7 +143,7 @@ class SQLModelUserDatabaseAsync(Generic[UP, ID], BaseUserDatabase[UP, ID]):
         await self.session.commit()
 
     async def add_oauth_account(
-        self, user: UP, create_dict: Dict[str, Any]
+        self, user: UP, create_dict: dict[str, Any]
     ) -> UP:  # noqa
         if self.oauth_account_model is None:
             raise NotImplementedError()
@@ -160,7 +157,7 @@ class SQLModelUserDatabaseAsync(Generic[UP, ID], BaseUserDatabase[UP, ID]):
         return user
 
     async def update_oauth_account(
-        self, user: UP, oauth_account: OAP, update_dict: Dict[str, Any]
+        self, user: UP, oauth_account: OAP, update_dict: dict[str, Any]
     ) -> UP:
         if self.oauth_account_model is None:
             raise NotImplementedError()
@@ -176,13 +173,14 @@ class SQLModelUserDatabaseAsync(Generic[UP, ID], BaseUserDatabase[UP, ID]):
 async def get_user_db(
     session: AsyncSession = Depends(get_async_db),
 ) -> AsyncGenerator[SQLModelUserDatabaseAsync, None]:
-    yield SQLModelUserDatabaseAsync(session, User, OAuthAccount)
+    yield SQLModelUserDatabaseAsync(session, UserOAuth, OAuthAccount)
 
 
-class UserManager(IntegerIDMixin, BaseUserManager[User, int]):
-    async def validate_password(self, password: str, user: User) -> None:
+class UserManager(IntegerIDMixin, BaseUserManager[UserOAuth, int]):
+    async def validate_password(self, password: str, user: UserOAuth) -> None:
         # check password length
-        min_length, max_length = 4, 100
+        min_length = 4
+        max_length = 100
         if len(password) < min_length:
             raise InvalidPasswordException(
                 f"The password is too short (minimum length: {min_length})."
@@ -192,6 +190,38 @@ class UserManager(IntegerIDMixin, BaseUserManager[User, int]):
                 f"The password is too long (maximum length: {min_length})."
             )
 
+    async def on_after_register(
+        self, user: UserOAuth, request: Optional[Request] = None
+    ):
+        logger.info(
+            f"New-user registration completed ({user.id=}, {user.email=})."
+        )
+        async for db in get_async_db():
+            # Find default group
+            stm = select(UserGroup).where(
+                UserGroup.name == FRACTAL_DEFAULT_GROUP_NAME
+            )
+            res = await db.execute(stm)
+            default_group = res.scalar_one_or_none()
+            if default_group is None:
+                logger.error(
+                    f"No group found with name {FRACTAL_DEFAULT_GROUP_NAME}"
+                )
+            else:
+                logger.warning(
+                    f"START adding {user.email} user to group "
+                    f"{default_group.id=}."
+                )
+                link = LinkUserGroup(
+                    user_id=user.id, group_id=default_group.id
+                )
+                db.add(link)
+                await db.commit()
+                logger.warning(
+                    f"END   adding {user.email} user to group "
+                    f"{default_group.id=}."
+                )
+
 
 async def get_user_manager(
     user_db: SQLModelUserDatabaseAsync = Depends(get_user_db),
@@ -199,53 +229,6 @@ async def get_user_manager(
     yield UserManager(user_db)
 
 
-bearer_transport = BearerTransport(tokenUrl="/auth/token/login")
-cookie_transport = CookieTransport(cookie_samesite="none")
-
-
-def get_jwt_strategy() -> JWTStrategy:
-    settings = Inject(get_settings)
-    return JWTStrategy(
-        secret=settings.JWT_SECRET_KEY,  # type: ignore
-        lifetime_seconds=settings.JWT_EXPIRE_SECONDS,
-    )
-
-
-def get_jwt_cookie_strategy() -> JWTStrategy:
-    settings = Inject(get_settings)
-    return JWTStrategy(
-        secret=settings.JWT_SECRET_KEY,  # type: ignore
-        lifetime_seconds=settings.COOKIE_EXPIRE_SECONDS,
-    )
-
-
-token_backend = AuthenticationBackend(
-    name="bearer-jwt",
-    transport=bearer_transport,
-    get_strategy=get_jwt_strategy,
-)
-cookie_backend = AuthenticationBackend(
-    name="cookie-jwt",
-    transport=cookie_transport,
-    get_strategy=get_jwt_cookie_strategy,
-)
-
-
-fastapi_users = FastAPIUsers[User, int](
-    get_user_manager,
-    [token_backend, cookie_backend],
-)
-
-
-# Create dependencies for users
-current_active_user = fastapi_users.current_user(active=True)
-current_active_verified_user = fastapi_users.current_user(
-    active=True, verified=True
-)
-current_active_superuser = fastapi_users.current_user(
-    active=True, superuser=True
-)
-
 get_async_session_context = contextlib.asynccontextmanager(get_async_db)
 get_user_db_context = contextlib.asynccontextmanager(get_user_db)
 get_user_manager_context = contextlib.asynccontextmanager(get_user_manager)
@@ -286,9 +269,9 @@ async def _create_first_user(
 
             if is_superuser is True:
                 # If a superuser already exists, exit
-                stm = select(User).where(
-                    User.is_superuser == True  # noqa E712
-                )
+                stm = select(UserOAuth).where(  # noqa
+                    UserOAuth.is_superuser == True  # noqa
+                )  # noqa
                 res = await session.execute(stm)
                 existing_superuser = res.scalars().first()
                 if existing_superuser is not None:
@@ -311,11 +294,25 @@ async def _create_first_user(
                     user = await user_manager.create(UserCreate(**kwargs))
                     logger.info(f"User {user.email} created")
 
-    except IntegrityError:
-        logger.warning(
-            f"Creation of user {email} failed with IntegrityError "
-            "(likely due to concurrent attempts from different workers)."
-        )
-
     except UserAlreadyExists:
         logger.warning(f"User {email} already exists")
+
+
+def _create_first_group():
+    logger.info(
+        f"START _create_first_group, with name {FRACTAL_DEFAULT_GROUP_NAME}"
+    )
+    with next(get_sync_db()) as db:
+        group_all = db.execute(select(UserGroup))
+        if group_all.scalars().one_or_none() is None:
+            first_group = UserGroup(name=FRACTAL_DEFAULT_GROUP_NAME)
+            db.add(first_group)
+            db.commit()
+            logger.info(f"Created group {FRACTAL_DEFAULT_GROUP_NAME}")
+        else:
+            logger.info(
+                f"Group {FRACTAL_DEFAULT_GROUP_NAME} already exists, skip."
+            )
+    logger.info(
+        f"END   _create_first_group, with name {FRACTAL_DEFAULT_GROUP_NAME}"
+    )