infrahub-server 1.1.1__py3-none-any.whl → 1.1.2__py3-none-any.whl

infrahub/api/artifact.py

@@ -5,20 +5,20 @@ from typing import TYPE_CHECKING
 from fastapi import APIRouter, Body, Depends, Request, Response
 from pydantic import BaseModel, Field
 
-from infrahub.api.dependencies import BranchParams, get_branch_params, get_current_user, get_db
+from infrahub.api.dependencies import BranchParams, get_branch_params, get_current_user, get_db, get_permission_manager
 from infrahub.core import registry
 from infrahub.core.account import ObjectPermission
 from infrahub.core.constants import GLOBAL_BRANCH_NAME, InfrahubKind, PermissionAction
 from infrahub.core.protocols import CoreArtifactDefinition
-from infrahub.database import InfrahubDatabase  # noqa: TCH001
-from infrahub.exceptions import NodeNotFoundError, PermissionDeniedError
+from infrahub.database import InfrahubDatabase  # noqa: TC001
+from infrahub.exceptions import NodeNotFoundError
 from infrahub.git.models import RequestArtifactDefinitionGenerate
 from infrahub.log import get_logger
 from infrahub.permissions.constants import PermissionDecisionFlag
 from infrahub.workflows.catalogue import REQUEST_ARTIFACT_DEFINITION_GENERATE
 
 if TYPE_CHECKING:
-    from infrahub.auth import AccountSession
+    from infrahub.permissions import PermissionManager
 
 log = get_logger()
 router = APIRouter(prefix="/artifact")
@@ -61,25 +61,18 @@ async def generate_artifact(
     ),
     db: InfrahubDatabase = Depends(get_db),
     branch_params: BranchParams = Depends(get_branch_params),
-    account_session: AccountSession = Depends(get_current_user),
+    permission_manager: PermissionManager = Depends(get_permission_manager),
 ) -> None:
     permission_decision = (
         PermissionDecisionFlag.ALLOW_DEFAULT
         if branch_params.branch.name in (GLOBAL_BRANCH_NAME, registry.default_branch)
         else PermissionDecisionFlag.ALLOW_OTHER
     )
-    for permission in [
+    permissions = [
         ObjectPermission(namespace="Core", name="Artifact", action=action.value, decision=permission_decision)
         for action in (PermissionAction.CREATE, PermissionAction.UPDATE)
-    ]:
-        has_permission = False
-        for permission_backend in registry.permission_backends:
-            if has_permission := await permission_backend.has_permission(
-                db=db, account_session=account_session, permission=permission, branch=branch_params.branch
-            ):
-                break
-        if not has_permission:
-            raise PermissionDeniedError(f"You do not have the following permission: {permission}")
+    ]
+    permission_manager.raise_for_permissions(permissions=permissions)
 
     # Verify that the artifact definition exists for the requested branch
     artifact_definition = await registry.manager.get_one_by_id_or_default_filter(

infrahub/api/dependencies.py

@@ -8,11 +8,12 @@ from pydantic import BaseModel, ConfigDict
 
 from infrahub import config
 from infrahub.auth import AccountSession, authentication_token, validate_jwt_access_token, validate_jwt_refresh_token
-from infrahub.core.branch import Branch  # noqa: TCH001
+from infrahub.core.branch import Branch  # noqa: TC001
 from infrahub.core.registry import registry
 from infrahub.core.timestamp import Timestamp
-from infrahub.database import InfrahubDatabase  # noqa: TCH001
+from infrahub.database import InfrahubDatabase  # noqa: TC001
 from infrahub.exceptions import AuthorizationError
+from infrahub.permissions import PermissionManager
 
 if TYPE_CHECKING:
     from neo4j import AsyncSession
@@ -120,3 +121,15 @@ async def get_current_user(
         return account_session
 
     raise AuthorizationError("Authentication is required")
+
+
+async def get_permission_manager(
+    db: InfrahubDatabase = Depends(get_db),
+    branch_params: BranchParams = Depends(get_branch_params),
+    account_session: AccountSession = Depends(get_current_user),
+) -> PermissionManager:
+    """Return a `PermissionManager` for an account session based on a branch."""
+    permission_manager = PermissionManager(account_session=account_session)
+    await permission_manager.load_permissions(db=db, branch=branch_params.branch)
+
+    return permission_manager

infrahub/api/diff/diff.py

@@ -7,7 +7,7 @@ from fastapi import APIRouter, Depends, Request
 
 from infrahub.api.dependencies import get_branch_dep, get_current_user, get_db
 from infrahub.core import registry
-from infrahub.core.branch import Branch  # noqa: TCH001
+from infrahub.core.branch import Branch  # noqa: TC001
 from infrahub.core.diff.artifacts.calculator import ArtifactDiffCalculator
 from infrahub.core.diff.branch_differ import BranchDiffer
 from infrahub.core.diff.model.diff import (
@@ -15,7 +15,7 @@ from infrahub.core.diff.model.diff import (
     BranchDiffFile,
     BranchDiffRepository,
 )
-from infrahub.database import InfrahubDatabase  # noqa: TCH001
+from infrahub.database import InfrahubDatabase  # noqa: TC001
 
 if TYPE_CHECKING:
     from infrahub.services import InfrahubServices

infrahub/api/file.py

@@ -5,15 +5,10 @@ from typing import TYPE_CHECKING, Optional, Union
 from fastapi import APIRouter, Depends, Request
 from starlette.responses import PlainTextResponse
 
-from infrahub.api.dependencies import (
-    BranchParams,
-    get_branch_params,
-    get_current_user,
-    get_db,
-)
+from infrahub.api.dependencies import BranchParams, get_branch_params, get_current_user, get_db
 from infrahub.core.constants import InfrahubKind
 from infrahub.core.manager import NodeManager
-from infrahub.database import InfrahubDatabase  # noqa: TCH001
+from infrahub.database import InfrahubDatabase  # noqa: TC001
 from infrahub.exceptions import CommitNotFoundError, PropagatedFromWorkerError
 from infrahub.message_bus.messages import GitFileGet, GitFileGetResponse
 

infrahub/api/menu.py

@@ -4,17 +4,17 @@ from typing import TYPE_CHECKING
 
 from fastapi import APIRouter, Depends
 
-from infrahub.api.dependencies import get_branch_dep, get_current_user, get_db
+from infrahub.api.dependencies import get_branch_dep, get_db, get_permission_manager
 from infrahub.core import registry
-from infrahub.core.branch import Branch  # noqa: TCH001
+from infrahub.core.branch import Branch  # noqa: TC001
 from infrahub.core.protocols import CoreMenuItem
 from infrahub.log import get_logger
 from infrahub.menu.generator import generate_restricted_menu
-from infrahub.menu.models import Menu  # noqa: TCH001
+from infrahub.menu.models import Menu  # noqa: TC001
 
 if TYPE_CHECKING:
-    from infrahub.auth import AccountSession
     from infrahub.database import InfrahubDatabase
+    from infrahub.permissions import PermissionManager
 
 
 log = get_logger()
@@ -25,10 +25,12 @@ router = APIRouter(prefix="/menu")
 async def get_menu(
     db: InfrahubDatabase = Depends(get_db),
     branch: Branch = Depends(get_branch_dep),
-    account_session: AccountSession = Depends(get_current_user),
+    permission_manager: PermissionManager = Depends(get_permission_manager),
 ) -> Menu:
     log.info("menu_request", branch=branch.name)
 
     menu_items = await registry.manager.query(db=db, schema=CoreMenuItem, branch=branch, prefetch_relationships=True)
-    menu = await generate_restricted_menu(db=db, branch=branch, account=account_session, menu_items=menu_items)
+    menu = await generate_restricted_menu(
+        db=db, branch=branch, menu_items=menu_items, account_permissions=permission_manager
+    )
     return menu.to_rest()

infrahub/api/oauth2.py

@@ -25,8 +25,8 @@ router = APIRouter(prefix="/oauth2")
 
 
 def _get_redirect_url(request: Request, provider_name: str) -> str:
-    """This function is mostly to support local development when the frontend runs on different ports compared to the API."""
-    base_url = config.SETTINGS.dev.frontend_url or str(request.base_url)
+    """Return public redirect URL."""
+    base_url = config.SETTINGS.main.public_url or str(request.base_url)
     return urljoin(base_url, f"auth/oauth2/{provider_name}/callback")
 
 
@@ -40,7 +40,7 @@ async def authorize(request: Request, provider_name: str, final_url: str | None
     )
 
     redirect_uri = _get_redirect_url(request=request, provider_name=provider_name)
-    final_url = final_url or config.SETTINGS.dev.frontend_url or str(request.base_url)
+    final_url = final_url or config.SETTINGS.main.public_url or str(request.base_url)
 
     authorization_uri, state = client.create_authorization_url(
         url=provider.authorization_url, redirect_uri=redirect_uri, scope=provider.scopes, final_url=final_url

infrahub/api/oidc.py

@@ -54,8 +54,8 @@ class OIDCDiscoveryConfig(BaseModel):
 
 
 def _get_redirect_url(request: Request, provider_name: str) -> str:
-    """This function is mostly to support local development when the frontend runs on different ports compared to the API."""
-    base_url = config.SETTINGS.dev.frontend_url or str(request.base_url)
+    """Return public redirect URL."""
+    base_url = config.SETTINGS.main.public_url or str(request.base_url)
     return urljoin(base_url, f"auth/oidc/{provider_name}/callback")
 
 
@@ -75,7 +75,7 @@ async def authorize(request: Request, provider_name: str, final_url: str | None
     )
 
     redirect_uri = _get_redirect_url(request=request, provider_name=provider_name)
-    final_url = final_url or config.SETTINGS.dev.frontend_url or str(request.base_url)
+    final_url = final_url or config.SETTINGS.main.public_url or str(request.base_url)
 
     authorization_uri, state = client.create_authorization_url(
         url=str(oidc_config.authorization_endpoint), redirect_uri=redirect_uri, scope=provider.scopes

infrahub/api/query.py

@@ -10,7 +10,7 @@ from infrahub.api.dependencies import BranchParams, get_branch_params, get_curre
 from infrahub.core import registry
 from infrahub.core.constants import InfrahubKind
 from infrahub.core.protocols import CoreGraphQLQuery
-from infrahub.database import InfrahubDatabase  # noqa: TCH001
+from infrahub.database import InfrahubDatabase  # noqa: TC001
 from infrahub.graphql.analyzer import InfrahubGraphQLQueryAnalyzer
 from infrahub.graphql.api.dependencies import build_graphql_query_permission_checker
 from infrahub.graphql.initialization import prepare_graphql_params
@@ -57,7 +57,7 @@ async def execute_query(
         db=db, id=query_id, kind=CoreGraphQLQuery, branch=branch_params.branch, at=branch_params.at
     )
 
-    gql_params = prepare_graphql_params(
+    gql_params = await prepare_graphql_params(
         db=db, branch=branch_params.branch, at=branch_params.at, account_session=account_session
     )
     analyzed_query = InfrahubGraphQLQueryAnalyzer(

infrahub/api/schema.py

@@ -13,28 +13,28 @@ from pydantic import (
 from starlette.responses import JSONResponse
 
 from infrahub import lock
-from infrahub.api.dependencies import get_branch_dep, get_current_user, get_db
+from infrahub.api.dependencies import get_branch_dep, get_current_user, get_db, get_permission_manager
 from infrahub.api.exceptions import SchemaNotValidError
 from infrahub.core import registry
 from infrahub.core.account import GlobalPermission
-from infrahub.core.branch import Branch  # noqa: TCH001
+from infrahub.core.branch import Branch  # noqa: TC001
 from infrahub.core.constants import GLOBAL_BRANCH_NAME, GlobalPermissions, PermissionDecision
 from infrahub.core.migrations.schema.models import SchemaApplyMigrationData
-from infrahub.core.models import (  # noqa: TCH001
+from infrahub.core.models import (  # noqa: TC001
     SchemaBranchHash,
     SchemaDiff,
     SchemaUpdateValidationResult,
 )
 from infrahub.core.schema import GenericSchema, MainSchemaTypes, NodeSchema, ProfileSchema, SchemaRoot
-from infrahub.core.schema.constants import SchemaNamespace  # noqa: TCH001
+from infrahub.core.schema.constants import SchemaNamespace  # noqa: TC001
 from infrahub.core.validators.models.validate_migration import (
     SchemaValidateMigrationData,
     SchemaValidatorPathResponseData,
 )
-from infrahub.database import InfrahubDatabase  # noqa: TCH001
+from infrahub.database import InfrahubDatabase  # noqa: TC001
 from infrahub.events import EventMeta
 from infrahub.events.schema_action import SchemaUpdatedEvent
-from infrahub.exceptions import MigrationError, PermissionDeniedError
+from infrahub.exceptions import MigrationError
 from infrahub.log import get_log_data, get_logger
 from infrahub.types import ATTRIBUTE_PYTHON_TYPES
 from infrahub.worker import WORKER_IDENTITY
@@ -45,6 +45,7 @@ if TYPE_CHECKING:
 
     from infrahub.auth import AccountSession
     from infrahub.core.schema.schema_branch import SchemaBranch
+    from infrahub.permissions import PermissionManager
     from infrahub.services import InfrahubServices
 
 
@@ -248,43 +249,25 @@ async def load_schema(
     db: InfrahubDatabase = Depends(get_db),
     branch: Branch = Depends(get_branch_dep),
     account_session: AccountSession = Depends(get_current_user),
+    permission_manager: PermissionManager = Depends(get_permission_manager),
 ) -> SchemaUpdate:
-    has_permission = False
-    has_branch_permission = branch.name not in (GLOBAL_BRANCH_NAME, registry.default_branch)
-    for permission_backend in registry.permission_backends:
-        if not has_permission:
-            has_permission = await permission_backend.has_permission(
-                db=db,
-                account_session=account_session,
-                permission=GlobalPermission(
-                    action=GlobalPermissions.MANAGE_SCHEMA.value,
-                    decision=(
-                        PermissionDecision.ALLOW_DEFAULT
-                        if branch.name in (GLOBAL_BRANCH_NAME, registry.default_branch)
-                        else PermissionDecision.ALLOW_OTHER
-                    ).value,
-                ),
-                branch=branch,
-            )
-
-        if not has_branch_permission:
-            has_branch_permission = await permission_backend.has_permission(
-                db=db,
-                account_session=account_session,
-                permission=GlobalPermission(
-                    action=GlobalPermissions.EDIT_DEFAULT_BRANCH.value,
-                    decision=PermissionDecision.ALLOW_DEFAULT.value,
-                ),
-                branch=branch,
-            )
-
-        if has_permission and has_branch_permission:
-            break
+    permission_manager.raise_for_permission(
+        permission=GlobalPermission(
+            action=GlobalPermissions.MANAGE_SCHEMA.value,
+            decision=(
+                PermissionDecision.ALLOW_DEFAULT
+                if branch.name in (GLOBAL_BRANCH_NAME, registry.default_branch)
+                else PermissionDecision.ALLOW_OTHER
+            ).value,
+        )
+    )
 
-    if not has_permission:
-        raise PermissionDeniedError("You are not allowed to manage the schema")
-    if not has_branch_permission:
-        raise PermissionDeniedError("You are not allowed to edit the schema in the default branch")
+    if branch.name in (GLOBAL_BRANCH_NAME, registry.default_branch):
+        permission_manager.raise_for_permission(
+            permission=GlobalPermission(
+                action=GlobalPermissions.EDIT_DEFAULT_BRANCH.value, decision=PermissionDecision.ALLOW_DEFAULT.value
+            ),
+        )
 
     service: InfrahubServices = request.app.state.service
     log.info("schema_load_request", branch=branch.name)

infrahub/api/transformation.py

@@ -19,7 +19,7 @@ from infrahub.core.protocols import (
     CoreTransformJinja2,
     CoreTransformPython,
 )
-from infrahub.database import InfrahubDatabase  # noqa: TCH001
+from infrahub.database import InfrahubDatabase  # noqa: TC001
 from infrahub.exceptions import TransformError
 from infrahub.graphql.initialization import prepare_graphql_params
 from infrahub.graphql.utils import extract_data
@@ -61,7 +61,7 @@ async def transform_python(
             message="Repository doesn't have a commit",
         )
 
-    gql_params = prepare_graphql_params(db=request.app.state.db, branch=branch_params.branch, at=branch_params.at)
+    gql_params = await prepare_graphql_params(db=request.app.state.db, branch=branch_params.branch, at=branch_params.at)
 
     result = await graphql(
         schema=gql_params.schema,
@@ -120,7 +120,7 @@ async def transform_jinja2(
             message="Repository doesn't have a commit",
         )
 
-    gql_params = prepare_graphql_params(db=request.app.state.db, branch=branch_params.branch, at=branch_params.at)
+    gql_params = await prepare_graphql_params(db=request.app.state.db, branch=branch_params.branch, at=branch_params.at)
 
     result = await graphql(
         schema=gql_params.schema,

infrahub/auth.py

@@ -22,8 +22,6 @@ if TYPE_CHECKING:
     from infrahub.core.protocols import CoreGenericAccount
     from infrahub.database import InfrahubDatabase
 
-# from ..datatypes import AuthResult
-
 
 class AuthType(str, Enum):
     NONE = "none"

infrahub/computed_attribute/models.py

@@ -4,7 +4,7 @@ from collections import defaultdict
 from dataclasses import dataclass, field
 from typing import TYPE_CHECKING
 
-from prefect.events.schemas.automations import Automation  # noqa: TCH002
+from prefect.events.schemas.automations import Automation  # noqa: TC002
 from pydantic import BaseModel, Field
 from typing_extensions import Self
 

infrahub/computed_attribute/tasks.py

@@ -4,7 +4,7 @@ from datetime import timedelta
 from typing import TYPE_CHECKING, Any
 
 import ujson
-from infrahub_sdk.protocols import CoreNode  # noqa: TCH002
+from infrahub_sdk.protocols import CoreNode  # noqa: TC002
 from prefect import flow
 from prefect.automations import AutomationCore
 from prefect.client.orchestration import get_client

infrahub/config.py

@@ -153,6 +153,10 @@ class MainSettings(BaseSettings):
         default=["infrahub.permissions.LocalPermissionBackend"],
         description="List of modules to handle permissions, they will be run in the given order",
     )
+    public_url: Optional[str] = Field(
+        default=None,
+        description="Define the public URL of the Infrahub, might be required for OAuth2 and OIDC depending on your infrastructure.",
+    )
 
     @field_validator("docs_index_path", mode="before")
     @classmethod
@@ -256,10 +260,6 @@ class DevelopmentSettings(BaseSettings):
 
     model_config = SettingsConfigDict(env_prefix="INFRAHUB_DEV_")
 
-    frontend_url: Optional[str] = Field(
-        default=None,
-        description="Define the URL of the frontend, useful for OAuth2 development when the frontend and backend use different ports.",
-    )
     frontend_redirect_sso: bool = Field(
         default=False,
         description="Indicates of the frontend should be responsible for the SSO redirection",

infrahub/core/account.py

@@ -12,7 +12,7 @@ from infrahub.core.registry import registry
 if TYPE_CHECKING:
     from infrahub.core.branch import Branch
     from infrahub.database import InfrahubDatabase
-    from infrahub.permissions.constants import AssignedPermissions
+    from infrahub.permissions import AssignedPermissions
 
 
 # pylint: disable=redefined-builtin
@@ -35,15 +35,7 @@ class GlobalPermission:
         if len(parts) != 3 and parts[0] != "global":
             raise ValueError(f"{input} is not a valid format for a Global permission")
 
-        # FIXME there is probably a better way to convert the decision
-        decision = PermissionDecision.DENY
-        if parts[2] == "allow_default":
-            decision = PermissionDecision.ALLOW_DEFAULT
-        elif parts[2] == "allow_all":
-            decision = PermissionDecision.ALLOW_ALL
-        elif parts[2] == "allow_other":
-            decision = PermissionDecision.ALLOW_OTHER
-        return cls(action=str(parts[1]), decision=decision)
+        return cls(action=parts[1], decision=PermissionDecision[parts[2].upper()])
 
 
 @dataclass

infrahub/core/branch/models.py

@@ -8,7 +8,7 @@ from pydantic import Field, field_validator
 from infrahub.core.constants import (
     GLOBAL_BRANCH_NAME,
 )
-from infrahub.core.models import SchemaBranchHash  # noqa: TCH001
+from infrahub.core.models import SchemaBranchHash  # noqa: TC001
 from infrahub.core.node.standard import StandardNode
 from infrahub.core.query import QueryType
 from infrahub.core.query.branch import (

infrahub/core/branch/tasks.py

@@ -8,7 +8,7 @@ from prefect import flow, get_run_logger
 from prefect.automations import AutomationCore
 from prefect.client.orchestration import get_client
 from prefect.client.schemas.filters import DeploymentFilter, DeploymentFilterName
-from prefect.client.schemas.objects import State  # noqa: TCH002
+from prefect.client.schemas.objects import State  # noqa: TC002
 from prefect.events.actions import RunDeployment
 from prefect.events.schemas.automations import EventTrigger, Posture
 from prefect.states import Completed, Failed
@@ -30,7 +30,7 @@ from infrahub.core.validators.tasks import schema_validate_migrations
 from infrahub.dependencies.registry import get_component_registry
 from infrahub.events.branch_action import BranchCreateEvent, BranchDeleteEvent, BranchRebaseEvent
 from infrahub.exceptions import BranchNotFoundError, MergeFailedError, ValidationError
-from infrahub.graphql.mutations.models import BranchCreateModel  # noqa: TCH001
+from infrahub.graphql.mutations.models import BranchCreateModel  # noqa: TC001
 from infrahub.log import get_log_data
 from infrahub.message_bus import Meta, messages
 from infrahub.services import services
@@ -70,7 +70,7 @@ async def rebase_branch(branch: str) -> None:
             service=service,
         )
         diff_repository = await component_registry.get_component(DiffRepository, db=db, branch=obj)
-        enriched_diff = await diff_coordinator.update_branch_diff(base_branch=base_branch, diff_branch=obj)
+        enriched_diff = await diff_coordinator.update_branch_diff_and_return(base_branch=base_branch, diff_branch=obj)
         if enriched_diff.get_all_conflicts():
             raise ValidationError(
                 f"Branch {obj.name} contains conflicts with the default branch that must be addressed."
@@ -185,6 +185,7 @@ async def merge_branch(branch: str) -> None:
             try:
                 await merger.merge()
             except Exception as exc:
+                log.exception("Merge failed, beginning rollback")
                 await merger.rollback()
                 raise MergeFailedError(branch_name=branch) from exc
             await merger.update_schema()

infrahub/core/diff/combiner.py

@@ -320,6 +320,7 @@ class DiffCombiner:
                 combined_relationship = EnrichedDiffRelationship(
                     name=later_relationship.name,
                     label=later_relationship.label,
+                    identifier=later_relationship.identifier,
                     cardinality=later_relationship.cardinality,
                     changed_at=later_relationship.changed_at or earlier_relationship.changed_at,
                     action=combined_action,