infrahub-server 1.1.1__py3-none-any.whl → 1.1.3__py3-none-any.whl

infrahub/permissions/local_backend.py

@@ -3,11 +3,9 @@ from __future__ import annotations
 from typing import TYPE_CHECKING
 
 from infrahub import config
-from infrahub.core.account import GlobalPermission, ObjectPermission, fetch_permissions, fetch_role_permissions
-from infrahub.core.constants import GlobalPermissions, PermissionDecision
+from infrahub.core.account import fetch_permissions, fetch_role_permissions
 from infrahub.core.manager import NodeManager
 from infrahub.core.protocols import CoreAccountRole
-from infrahub.permissions.constants import PermissionDecisionFlag
 
 from .backend import PermissionBackend
 
@@ -15,79 +13,14 @@ if TYPE_CHECKING:
     from infrahub.auth import AccountSession
     from infrahub.core.branch import Branch
     from infrahub.database import InfrahubDatabase
-    from infrahub.permissions.constants import AssignedPermissions
+    from infrahub.permissions.types import AssignedPermissions
 
+__all__ = ["LocalPermissionBackend"]
 
-class LocalPermissionBackend(PermissionBackend):
-    wildcard_values = ["*"]
-    wildcard_actions = ["any"]
-
-    def _compute_specificity(self, permission: ObjectPermission) -> int:
-        specificity = 0
-        if permission.namespace not in self.wildcard_values:
-            specificity += 1
-        if permission.name not in self.wildcard_values:
-            specificity += 1
-        if permission.action not in self.wildcard_actions:
-            specificity += 1
-        if not permission.decision & PermissionDecisionFlag.ALLOW_ALL:
-            specificity += 1
-        return specificity
-
-    def report_object_permission(
-        self, permissions: list[ObjectPermission], namespace: str, name: str, action: str
-    ) -> PermissionDecisionFlag:
-        """Given a set of permissions, return the permission decision for a given kind and action."""
-        highest_specificity: int = -1
-        combined_decision = PermissionDecisionFlag.DENY
-
-        for permission in permissions:
-            if (
-                permission.namespace in [namespace, *self.wildcard_values]
-                and permission.name in [name, *self.wildcard_values]
-                and permission.action in [action, *self.wildcard_actions]
-            ):
-                permission_decision = PermissionDecisionFlag(value=permission.decision)
-                # Compute the specifity of a permission to keep the decision of the most specific if two or more permissions overlap
-                specificity = self._compute_specificity(permission=permission)
-                if specificity > highest_specificity:
-                    combined_decision = permission_decision
-                    highest_specificity = specificity
-                elif specificity == highest_specificity and permission_decision != PermissionDecisionFlag.DENY:
-                    combined_decision |= permission_decision
-
-        return combined_decision
-
-    def resolve_object_permission(
-        self, permissions: list[ObjectPermission], permission_to_check: ObjectPermission
-    ) -> bool:
-        """Compute the permissions and check if the one provided is allowed."""
-        required_decision = PermissionDecisionFlag(value=permission_to_check.decision)
-        combined_decision = self.report_object_permission(
-            permissions=permissions,
-            namespace=permission_to_check.namespace,
-            name=permission_to_check.name,
-            action=permission_to_check.action,
-        )
-
-        return combined_decision & required_decision == required_decision
-
-    def resolve_global_permission(
-        self, permissions: list[GlobalPermission], permission_to_check: GlobalPermission
-    ) -> bool:
-        grant_permission = False
-
-        for permission in permissions:
-            if permission.action == permission_to_check.action:
-                # Early exit on deny as deny preempt allow
-                if permission.decision == PermissionDecisionFlag.DENY:
-                    return False
-                grant_permission = True
-
-        return grant_permission
 
+class LocalPermissionBackend(PermissionBackend):
     async def load_permissions(
-        self, db: InfrahubDatabase, account_session: AccountSession, branch: Branch
+        self, db: InfrahubDatabase, branch: Branch, account_session: AccountSession
     ) -> AssignedPermissions:
         if not account_session.authenticated:
             anonymous_permissions: AssignedPermissions = {"global_permissions": [], "object_permissions": []}
@@ -103,33 +36,3 @@ class LocalPermissionBackend(PermissionBackend):
             return anonymous_permissions
 
         return await fetch_permissions(db=db, account_id=account_session.account_id, branch=branch)
-
-    async def has_permission(
-        self,
-        db: InfrahubDatabase,
-        account_session: AccountSession,
-        permission: GlobalPermission | ObjectPermission,
-        branch: Branch,
-    ) -> bool:
-        granted_permissions = await self.load_permissions(db=db, account_session=account_session, branch=branch)
-        is_super_admin = self.resolve_global_permission(
-            permissions=granted_permissions["global_permissions"],
-            permission_to_check=GlobalPermission(
-                action=GlobalPermissions.SUPER_ADMIN, decision=PermissionDecision.ALLOW_ALL
-            ),
-        )
-
-        if isinstance(permission, GlobalPermission):
-            return (
-                self.resolve_global_permission(
-                    permissions=granted_permissions["global_permissions"], permission_to_check=permission
-                )
-                or is_super_admin
-            )
-
-        return (
-            self.resolve_object_permission(
-                permissions=granted_permissions["object_permissions"], permission_to_check=permission
-            )
-            or is_super_admin
-        )

infrahub/permissions/manager.py

@@ -0,0 +1,135 @@
+from __future__ import annotations
+
+from typing import TYPE_CHECKING, Sequence
+
+from infrahub.core import registry
+from infrahub.core.account import GlobalPermission
+from infrahub.core.constants import GlobalPermissions, PermissionDecision
+from infrahub.exceptions import PermissionDeniedError
+from infrahub.permissions.constants import GLOBAL_PERMISSION_DENIAL_MESSAGE, PermissionDecisionFlag
+
+if TYPE_CHECKING:
+    from infrahub.auth import AccountSession
+    from infrahub.core.account import ObjectPermission
+    from infrahub.core.branch import Branch
+    from infrahub.database import InfrahubDatabase
+    from infrahub.permissions.types import AssignedPermissions
+
+__all__ = ["PermissionManager"]
+
+
+class PermissionManager:
+    wildcard_values = ["*"]
+    wildcard_actions = ["any"]
+
+    def __init__(self, account_session: AccountSession) -> None:
+        self.account_session = account_session
+        self.permissions: AssignedPermissions = {"global_permissions": [], "object_permissions": []}
+
+    async def load_permissions(self, db: InfrahubDatabase, branch: Branch) -> None:
+        """Load permissions from the configured backends into memory."""
+        for permission_backend in registry.permission_backends:
+            backend_permissions = await permission_backend.load_permissions(
+                db=db, branch=branch, account_session=self.account_session
+            )
+            self.permissions["global_permissions"].extend(backend_permissions["global_permissions"])
+            self.permissions["object_permissions"].extend(backend_permissions["object_permissions"])
+
+    def _compute_specificity(self, permission: ObjectPermission) -> int:
+        """Return how specific a permission is."""
+        specificity = 0
+        if permission.namespace not in self.wildcard_values:
+            specificity += 1
+        if permission.name not in self.wildcard_values:
+            specificity += 1
+        if permission.action not in self.wildcard_actions:
+            specificity += 1
+        if not permission.decision & PermissionDecisionFlag.ALLOW_ALL:
+            specificity += 1
+        return specificity
+
+    def report_object_permission(self, namespace: str, name: str, action: str) -> PermissionDecisionFlag:
+        """Given a set of permissions, return the permission decision for a given kind and action."""
+        highest_specificity: int = -1
+        combined_decision = PermissionDecisionFlag.DENY
+
+        for permission in self.permissions["object_permissions"]:
+            if (
+                permission.namespace in [namespace, *self.wildcard_values]
+                and permission.name in [name, *self.wildcard_values]
+                and permission.action in [action, *self.wildcard_actions]
+            ):
+                permission_decision = PermissionDecisionFlag(value=permission.decision)
+                # Compute the specifity of a permission to keep the decision of the most specific if two or more permissions overlap
+                specificity = self._compute_specificity(permission=permission)
+                if specificity > highest_specificity:
+                    combined_decision = permission_decision
+                    highest_specificity = specificity
+                elif specificity == highest_specificity and permission_decision != PermissionDecisionFlag.DENY:
+                    combined_decision |= permission_decision
+
+        return combined_decision
+
+    def resolve_object_permission(self, permission_to_check: ObjectPermission) -> bool:
+        """Compute the permissions and check if the one provided is granted."""
+        required_decision = PermissionDecisionFlag(value=permission_to_check.decision)
+        combined_decision = self.report_object_permission(
+            namespace=permission_to_check.namespace, name=permission_to_check.name, action=permission_to_check.action
+        )
+
+        return combined_decision & required_decision == required_decision
+
+    def resolve_global_permission(self, permission_to_check: GlobalPermission) -> bool:
+        """Tell if a global permission is granted."""
+        grant_permission = False
+
+        for permission in self.permissions["global_permissions"]:
+            if permission.action == permission_to_check.action:
+                # Early exit on deny as deny preempt allow
+                if permission.decision == PermissionDecisionFlag.DENY:
+                    return False
+                grant_permission = True
+
+        return grant_permission
+
+    def has_permission(self, permission: GlobalPermission | ObjectPermission) -> bool:
+        """Tell if a permission is granted given the permissions loaded in memory."""
+        is_super_admin = self.resolve_global_permission(
+            permission_to_check=GlobalPermission(
+                action=GlobalPermissions.SUPER_ADMIN, decision=PermissionDecision.ALLOW_ALL
+            ),
+        )
+
+        if isinstance(permission, GlobalPermission):
+            return self.resolve_global_permission(permission_to_check=permission) or is_super_admin
+
+        return self.resolve_object_permission(permission_to_check=permission) or is_super_admin
+
+    def has_permissions(self, permissions: Sequence[GlobalPermission | ObjectPermission]) -> bool:
+        """Same as `has_permission` but for multiple permissions, return `True` only if all permissions are granted."""
+        return all(self.has_permission(permission=permission) for permission in permissions)
+
+    def raise_for_permission(self, permission: GlobalPermission | ObjectPermission, message: str = "") -> None:
+        """Same as `has_permission` but raise a `PermissionDeniedError` if the permission is not granted."""
+        if self.has_permission(permission=permission):
+            return
+
+        if not message:
+            if isinstance(permission, GlobalPermission) and permission.action in GLOBAL_PERMISSION_DENIAL_MESSAGE:
+                message = GLOBAL_PERMISSION_DENIAL_MESSAGE[permission.action]
+            else:
+                message = f"You do not have the following permission: {permission!s}"
+
+        raise PermissionDeniedError(message=message)
+
+    def raise_for_permissions(
+        self, permissions: Sequence[GlobalPermission | ObjectPermission], message: str = ""
+    ) -> None:
+        """Same as `has_permissions` but raise a `PermissionDeniedError` if any of the permissions is not granted."""
+        if self.has_permissions(permissions=permissions):
+            return
+
+        if not message:
+            message = f"You do not have one of the following permissions: {' | '.join([str(p) for p in permissions])}"
+
+        raise PermissionDeniedError(message=message)

infrahub/permissions/report.py

@@ -6,21 +6,20 @@ from infrahub.core import registry
 from infrahub.core.account import GlobalPermission
 from infrahub.core.constants import GLOBAL_BRANCH_NAME, GlobalPermissions, InfrahubKind, PermissionDecision
 from infrahub.core.schema.node_schema import NodeSchema
-from infrahub.permissions.constants import AssignedPermissions, BranchRelativePermissionDecision, PermissionDecisionFlag
-from infrahub.permissions.local_backend import LocalPermissionBackend
+from infrahub.permissions.constants import BranchRelativePermissionDecision, PermissionDecisionFlag
 
 if TYPE_CHECKING:
-    from infrahub.auth import AccountSession
     from infrahub.core.branch import Branch
     from infrahub.core.schema import MainSchemaTypes
-    from infrahub.database import InfrahubDatabase
-    from infrahub.permissions.backend import PermissionBackend
+    from infrahub.permissions.manager import PermissionManager
     from infrahub.permissions.types import KindPermissions
 
 
+__all__ = ["report_schema_permissions"]
+
+
 def get_permission_report(  # noqa: PLR0911
-    backend: PermissionBackend,
-    permissions: AssignedPermissions,
+    permission_manager: PermissionManager,
     branch: Branch,
     node: MainSchemaTypes,
     action: str,
@@ -56,9 +55,7 @@ def get_permission_report(  # noqa: PLR0911
             )
 
     is_default_branch = branch.name in (GLOBAL_BRANCH_NAME, registry.default_branch)
-    decision = backend.report_object_permission(
-        permissions=permissions["object_permissions"], namespace=node.namespace, name=node.name, action=action
-    )
+    decision = permission_manager.report_object_permission(namespace=node.namespace, name=node.name, action=action)
 
     if (
         decision == PermissionDecisionFlag.ALLOW_ALL
@@ -75,16 +72,12 @@ def get_permission_report(  # noqa: PLR0911
 
 
 async def report_schema_permissions(
-    db: InfrahubDatabase, schemas: list[MainSchemaTypes], account_session: AccountSession, branch: Branch
+    branch: Branch, permission_manager: PermissionManager, schemas: list[MainSchemaTypes]
 ) -> list[KindPermissions]:
-    perm_backend = LocalPermissionBackend()
-    permissions = await perm_backend.load_permissions(db=db, account_session=account_session, branch=branch)
-
     global_permission_report: dict[GlobalPermissions, bool] = {}
     for perm in GlobalPermissions:
-        global_permission_report[perm] = perm_backend.resolve_global_permission(
-            permissions=permissions["global_permissions"],
-            permission_to_check=GlobalPermission(action=perm.value, decision=PermissionDecision.ALLOW_ALL.value),
+        global_permission_report[perm] = permission_manager.resolve_global_permission(
+            permission_to_check=GlobalPermission(action=perm.value, decision=PermissionDecision.ALLOW_ALL.value)
         )
 
     permission_objects: list[KindPermissions] = []
@@ -93,32 +86,28 @@ async def report_schema_permissions(
             {
                 "kind": node.kind,
                 "create": get_permission_report(
-                    backend=perm_backend,
-                    permissions=permissions,
+                    permission_manager=permission_manager,
                     branch=branch,
                     node=node,
                     action="create",
                     global_permission_report=global_permission_report,
                 ),
                 "delete": get_permission_report(
-                    backend=perm_backend,
-                    permissions=permissions,
+                    permission_manager=permission_manager,
                     branch=branch,
                     node=node,
                     action="delete",
                     global_permission_report=global_permission_report,
                 ),
                 "update": get_permission_report(
-                    backend=perm_backend,
-                    permissions=permissions,
+                    permission_manager=permission_manager,
                     branch=branch,
                     node=node,
                     action="update",
                     global_permission_report=global_permission_report,
                 ),
                 "view": get_permission_report(
-                    backend=perm_backend,
-                    permissions=permissions,
+                    permission_manager=permission_manager,
                     branch=branch,
                     node=node,
                     action="view",

infrahub/permissions/types.py

@@ -3,9 +3,15 @@ from __future__ import annotations
 from typing import TYPE_CHECKING, TypedDict
 
 if TYPE_CHECKING:
+    from infrahub.core.account import GlobalPermission, ObjectPermission
     from infrahub.permissions.constants import BranchRelativePermissionDecision
 
 
+class AssignedPermissions(TypedDict):
+    global_permissions: list[GlobalPermission]
+    object_permissions: list[ObjectPermission]
+
+
 class KindPermissions(TypedDict):
     kind: str
     create: BranchRelativePermissionDecision

infrahub/proposed_change/tasks.py

@@ -11,7 +11,7 @@ from infrahub_sdk.protocols import CoreGeneratorDefinition, CoreProposedChange
 from prefect import flow, task
 from prefect.cache_policies import NONE
 from prefect.client.schemas.objects import (
-    State,  # noqa: TCH002
+    State,  # noqa: TC002
 )
 from prefect.logging import get_run_logger
 from prefect.states import Completed, Failed

infrahub/task_manager/models.py

@@ -1,5 +1,4 @@
 from collections import defaultdict
-from typing import DefaultDict
 from uuid import UUID
 
 from prefect.client.schemas.objects import Log as PrefectLog
@@ -8,16 +7,46 @@ from pydantic import BaseModel, Field
 from .constants import LOG_LEVEL_MAPPING
 
 
+class RelatedNodeInfo(BaseModel):
+    id: str
+    kind: str | None = None
+
+
 class RelatedNodesInfo(BaseModel):
-    id: dict[UUID, str] = Field(default_factory=dict)
-    kind: dict[UUID, str | None] = Field(default_factory=dict)
+    flows: dict[UUID, dict[str, RelatedNodeInfo]] = Field(default_factory=lambda: defaultdict(dict))
+    nodes: dict[str, RelatedNodeInfo] = Field(default_factory=dict)
+
+    def add_nodes(self, flow_id: UUID, node_ids: list[str]) -> None:
+        for node_id in node_ids:
+            self.add_node(flow_id=flow_id, node_id=node_id)
+
+    def add_node(self, flow_id: UUID, node_id: str) -> None:
+        if node_id not in self.nodes:
+            node = RelatedNodeInfo(id=node_id)
+            self.nodes[node_id] = node
+        self.flows[flow_id][node_id] = self.nodes[node_id]
+
+    def get_related_nodes(self, flow_id: UUID) -> list[RelatedNodeInfo]:
+        if flow_id not in self.flows or len(self.flows[flow_id].keys()) == 0:
+            return []
+        return list(self.flows[flow_id].values())
+
+    def get_related_nodes_as_dict(self, flow_id: UUID) -> list[dict[str, str | None]]:
+        if flow_id not in self.flows or len(self.flows[flow_id].keys()) == 0:
+            return []
+        return [item.model_dump() for item in list(self.flows[flow_id].values())]
+
+    def get_first_related_node(self, flow_id: UUID) -> RelatedNodeInfo | None:
+        if nodes := self.get_related_nodes(flow_id=flow_id):
+            return nodes[0]
+        return None
 
     def get_unique_related_node_ids(self) -> list[str]:
-        return list(set(list(self.id.values())))
+        return list(self.nodes.keys())
 
 
 class FlowLogs(BaseModel):
-    logs: DefaultDict[UUID, list[PrefectLog]] = Field(default_factory=lambda: defaultdict(list))
+    logs: defaultdict[UUID, list[PrefectLog]] = Field(default_factory=lambda: defaultdict(list))
 
     def to_graphql(self, flow_id: UUID) -> list[dict]:
         return [

infrahub/task_manager/task.py

@@ -69,15 +69,16 @@ class PrefectTask:
             ]
             if not related_node_ids:
                 continue
-            related_nodes.id[flow.id] = related_node_ids[0]
+            related_nodes.add_nodes(flow_id=flow.id, node_ids=related_node_ids)
 
         if unique_related_node_ids := related_nodes.get_unique_related_node_ids():
             query = await NodeGetKindQuery.init(db=db, ids=unique_related_node_ids)
             await query.execute(db=db)
             unique_related_node_ids_kind = await query.get_node_kind_map()
 
-            for flow_id, node_id in related_nodes.id.items():
-                related_nodes.kind[flow_id] = unique_related_node_ids_kind.get(node_id, None)
+            for node_id, node_kind in unique_related_node_ids_kind.items():
+                if node_id in related_nodes.nodes:
+                    related_nodes.nodes[node_id].kind = node_kind
 
         return related_nodes
 
@@ -223,7 +224,11 @@ class PrefectTask:
                 if "progress" in node_fields:
                     progress_flow = await cls._get_progress(client=client, flow_ids=[flow.id for flow in flows])
 
-                if "related_node" in node_fields or "related_node_kind" in node_fields:
+                if (
+                    "related_nodes" in node_fields
+                    or "related_node" in node_fields
+                    or "related_node_kind" in node_fields
+                ):
                     related_nodes_info = await cls._get_related_nodes(db=db, flows=flows)
 
                 if "workflow" in node_fields:
@@ -238,6 +243,8 @@ class PrefectTask:
                     if log_fields:
                         logs = logs_flow.to_graphql(flow_id=flow.id)
 
+                    related_node = related_nodes_info.get_first_related_node(flow_id=flow.id)
+
                     nodes.append(
                         {
                             "node": {
@@ -251,8 +258,9 @@ class PrefectTask:
                                 "branch": await cls._extract_branch_name(flow=flow),
                                 "tags": flow.tags,
                                 "workflow": workflow_names.get(flow.flow_id, None),
-                                "related_node": related_nodes_info.id.get(flow.id, None),
-                                "related_node_kind": related_nodes_info.kind.get(flow.id, None),
+                                "related_node": related_node.id if related_node else None,
+                                "related_node_kind": related_node.kind if related_node else None,
+                                "related_nodes": related_nodes_info.get_related_nodes_as_dict(flow_id=flow.id),
                                 "created_at": flow.created.to_iso8601_string(),  # type: ignore
                                 "updated_at": flow.updated.to_iso8601_string(),  # type: ignore
                                 "start_time": flow.start_time.to_iso8601_string() if flow.start_time else None,

infrahub/visuals.py

@@ -1,5 +1,3 @@
-from typing import List
-
 COLOR_SELECTION = [
     "#ed6a5a",
     "#f4f1bb",
@@ -24,7 +22,7 @@ COLOR_SELECTION = [
 ]
 
 
-def select_color(existing: List[str]) -> str:
+def select_color(existing: list[str]) -> str:
     """Select a color from a predefined list without including anything from a list of existing colors."""
     for color in COLOR_SELECTION:
         if color not in existing: