infrahub-server 1.3.8__py3-none-any.whl → 1.4.0__py3-none-any.whl

infrahub/permissions/manager.py

@@ -48,6 +48,13 @@ class PermissionManager:
             specificity += 1
         return specificity
 
+    def is_super_admin(self) -> bool:
+        return self.resolve_global_permission(
+            permission_to_check=GlobalPermission(
+                action=GlobalPermissions.SUPER_ADMIN, decision=PermissionDecision.ALLOW_ALL
+            ),
+        )
+
     def report_object_permission(self, namespace: str, name: str, action: str) -> PermissionDecisionFlag:
         """Given a set of permissions, return the permission decision for a given kind and action."""
         highest_specificity: int = -1
@@ -94,11 +101,7 @@ class PermissionManager:
 
     def has_permission(self, permission: GlobalPermission | ObjectPermission) -> bool:
         """Tell if a permission is granted given the permissions loaded in memory."""
-        is_super_admin = self.resolve_global_permission(
-            permission_to_check=GlobalPermission(
-                action=GlobalPermissions.SUPER_ADMIN, decision=PermissionDecision.ALLOW_ALL
-            ),
-        )
+        is_super_admin = self.is_super_admin()
 
         if isinstance(permission, GlobalPermission):
             return self.resolve_global_permission(permission_to_check=permission) or is_super_admin

infrahub/pools/prefix.py

@@ -9,7 +9,9 @@ if TYPE_CHECKING:
     from infrahub.core.ipam.constants import IPNetworkType
 
 
-def get_next_available_prefix(pool: IPSet, prefix_length: int, prefix_ver: Literal[4, 6] = 4) -> IPNetworkType:
+def get_next_available_prefix(
+    pool: IPSet, prefix_length: int | None = None, prefix_ver: Literal[4, 6] = 4
+) -> IPNetworkType:
     """Get the next available prefix of a given prefix length from an IPSet.
 
     Args:
@@ -20,10 +22,7 @@ def get_next_available_prefix(pool: IPSet, prefix_length: int, prefix_ver: Liter
     Raises:
         ValueError: If there are no available subnets in the pool
     """
-    prefix_ver_map = {
-        4: ipaddress.IPv4Network,
-        6: ipaddress.IPv6Network,
-    }
+    prefix_ver_map = {4: ipaddress.IPv4Network, 6: ipaddress.IPv6Network}
 
     filtered_pool = IPSet([])
     for subnet in pool.iter_cidrs():
@@ -31,6 +30,9 @@ def get_next_available_prefix(pool: IPSet, prefix_length: int, prefix_ver: Liter
             filtered_pool.add(subnet)
 
     for cidr in filtered_pool.iter_cidrs():
+        if prefix_length is None:
+            return cidr
+
         if cidr.prefixlen <= prefix_length:
             next_available = ipaddress.ip_network(f"{cidr.network}/{prefix_length}")
             return next_available

infrahub/prefect_server/app.py

@@ -1,16 +1,47 @@
 from __future__ import annotations
 
+import asyncio
+import os
+
 from fastapi import APIRouter, FastAPI
 from prefect.server.api.server import create_app
 
 from . import events
+from .bootstrap import init_prefect
+
+GLOBAL_TASKMGR_INIT_LOCK = "global.taskmgr.init"
 
 router = APIRouter(prefix="/infrahub")
 
 router.include_router(events.router)
 
 
+async def _init_prefect() -> None:
+    # Import there in case we are running Prefect within a testsuite using the original Prefect container
+    from infrahub import lock
+    from infrahub.lock import initialize_lock
+    from infrahub.services import InfrahubServices
+    from infrahub.workers.dependencies import get_cache
+
+    cache = await get_cache()
+    service = await InfrahubServices.new(cache=cache)
+    initialize_lock(service=service)
+
+    async with lock.registry.get(name=GLOBAL_TASKMGR_INIT_LOCK):
+        await init_prefect()
+
+
 def create_infrahub_prefect() -> FastAPI:
+    if (
+        os.getenv("PREFECT_API_BLOCKS_REGISTER_ON_START") == "false"
+        and os.getenv("PREFECT_API_DATABASE_MIGRATE_ON_START") == "false"
+    ):
+        # We are probably running distributed mode
+        from infrahub import config
+
+        config.SETTINGS.initialize_and_exit()
+        asyncio.run(_init_prefect())
+
     app = create_app()
     api_app: FastAPI = app.__dict__["api_app"]
     api_app.include_router(router=router)

infrahub/prefect_server/bootstrap.py

@@ -0,0 +1,18 @@
+import asyncio
+
+from prefect.server.database import provide_database_interface
+from prefect.server.models.block_registration import run_block_auto_registration
+
+
+async def init_prefect() -> None:
+    db = provide_database_interface()
+
+    await db.create_db()
+    session = await db.session()
+
+    async with session:
+        await run_block_auto_registration(session=session)
+
+
+if __name__ == "__main__":
+    asyncio.run(init_prefect())

infrahub/proposed_change/action_checker.py

@@ -0,0 +1,206 @@
+from __future__ import annotations
+
+from abc import ABC, abstractmethod
+from dataclasses import dataclass
+from typing import TYPE_CHECKING
+
+from infrahub.core.account import GlobalPermission
+from infrahub.core.constants import GlobalPermissions, PermissionDecision
+from infrahub.exceptions import ValidationError
+
+from .checker import verify_proposed_change_is_mergeable
+from .constants import ProposedChangeAction, ProposedChangeState
+
+if TYPE_CHECKING:
+    from collections.abc import Sequence
+
+    from infrahub.core.protocols import CoreGenericAccount, CoreProposedChange
+    from infrahub.graphql.initialization import GraphqlContext
+
+
+class Check(ABC):
+    @abstractmethod
+    async def evaluate(
+        self,
+        proposed_change: CoreProposedChange,
+        proposed_change_author: CoreGenericAccount,
+        graphql_context: GraphqlContext,
+    ) -> None: ...
+
+
+class IsAuthor(Check):
+    async def evaluate(
+        self,
+        proposed_change: CoreProposedChange,  # noqa: ARG002
+        proposed_change_author: CoreGenericAccount,
+        graphql_context: GraphqlContext,
+    ) -> None:
+        if proposed_change_author.id != graphql_context.active_account_session.account_id:
+            raise ValidationError("You are not the author of the proposed change")
+
+
+class StateIs(Check):
+    def __init__(self, expected: Sequence[ProposedChangeState]) -> None:
+        self.expected = expected
+
+    async def evaluate(
+        self,
+        proposed_change: CoreProposedChange,
+        proposed_change_author: CoreGenericAccount,  # noqa: ARG002
+        graphql_context: GraphqlContext,  # noqa: ARG002
+    ) -> None:
+        if proposed_change.state.value.value not in self.expected:
+            raise ValidationError(f"The proposed change is not {', '.join([i.value for i in self.expected])}")
+
+
+class DraftIs(Check):
+    def __init__(self, expected: bool) -> None:
+        self.expected = expected
+
+    async def evaluate(
+        self,
+        proposed_change: CoreProposedChange,
+        proposed_change_author: CoreGenericAccount,  # noqa: ARG002
+        graphql_context: GraphqlContext,  # noqa: ARG002
+    ) -> None:
+        if proposed_change.is_draft.value != self.expected:
+            if self.expected:
+                raise ValidationError("The proposed change is not a draft")
+            raise ValidationError("The proposed change is a draft")
+
+
+class HasPermission(Check):
+    def __init__(self, permission: GlobalPermission) -> None:
+        self.permission = permission
+
+    async def evaluate(
+        self,
+        proposed_change: CoreProposedChange,  # noqa: ARG002
+        proposed_change_author: CoreGenericAccount,  # noqa: ARG002
+        graphql_context: GraphqlContext,
+    ) -> None:
+        if not graphql_context.active_permissions.has_permission(permission=self.permission):
+            raise ValidationError("You do not have the permission to perform this action")
+
+
+class IsMergeable(Check):
+    async def evaluate(
+        self,
+        proposed_change: CoreProposedChange,
+        proposed_change_author: CoreGenericAccount,  # noqa: ARG002
+        graphql_context: GraphqlContext,
+    ) -> None:
+        try:
+            await verify_proposed_change_is_mergeable(
+                proposed_change=proposed_change,  # type: ignore[arg-type]
+                db=graphql_context.db,
+                account_session=graphql_context.active_account_session,
+            )
+        except ValueError as exc:
+            raise ValidationError(str(exc)) from exc
+
+
+@dataclass
+class ActionRule:
+    action: ProposedChangeAction
+    checks: list[Check]
+
+    async def evaluate(
+        self,
+        proposed_change: CoreProposedChange,
+        proposed_change_author: CoreGenericAccount,
+        graphql_context: GraphqlContext,
+    ) -> dict[str, str | bool | None]:
+        for check in self.checks:
+            try:
+                await check.evaluate(
+                    proposed_change=proposed_change,
+                    proposed_change_author=proposed_change_author,
+                    graphql_context=graphql_context,
+                )
+            except ValidationError as exc:
+                return {"action": self.action.value, "available": False, "unavailability_reason": exc.message}
+
+        return {"action": self.action.value, "available": True, "unavailability_reason": None}
+
+
+class ActionRulesEvaluator:
+    def __init__(self, rules: list[ActionRule]):
+        self.rules = rules
+
+    async def evaluate(
+        self,
+        proposed_change: CoreProposedChange,
+        proposed_change_author: CoreGenericAccount,
+        graphql_context: GraphqlContext,
+    ) -> list[dict[str, str | bool | None]]:
+        report: list[dict[str, str | bool | None]] = []
+        for rule in self.rules:
+            report.append(
+                await rule.evaluate(
+                    proposed_change=proposed_change,
+                    proposed_change_author=proposed_change_author,
+                    graphql_context=graphql_context,
+                )
+            )
+        return report
+
+
+MERGE_PROPOSED_CHANGE_PERMISSION = GlobalPermission(
+    action=GlobalPermissions.MERGE_PROPOSED_CHANGE.value,
+    decision=PermissionDecision.ALLOW_ALL.value,
+)
+REVIEW_PROPOSED_CHANGE_PERMISSION = GlobalPermission(
+    action=GlobalPermissions.REVIEW_PROPOSED_CHANGE.value,
+    decision=PermissionDecision.ALLOW_ALL.value,
+)
+
+ACTION_RULES = [
+    ActionRule(action=ProposedChangeAction.OPEN, checks=[StateIs(expected=[ProposedChangeState.CLOSED])]),
+    ActionRule(action=ProposedChangeAction.CLOSE, checks=[StateIs(expected=[ProposedChangeState.OPEN])]),
+    ActionRule(
+        action=ProposedChangeAction.SET_DRAFT,
+        checks=[IsAuthor(), StateIs(expected=[ProposedChangeState.OPEN]), DraftIs(expected=False)],
+    ),
+    ActionRule(
+        action=ProposedChangeAction.UNSET_DRAFT,
+        checks=[IsAuthor(), StateIs(expected=[ProposedChangeState.OPEN]), DraftIs(expected=True)],
+    ),
+    ActionRule(
+        action=ProposedChangeAction.APPROVE,
+        checks=[
+            StateIs(expected=[ProposedChangeState.OPEN]),
+            HasPermission(permission=REVIEW_PROPOSED_CHANGE_PERMISSION),
+        ],
+    ),
+    ActionRule(
+        action=ProposedChangeAction.CANCEL_APPROVE,
+        checks=[
+            StateIs(expected=[ProposedChangeState.OPEN]),
+            HasPermission(permission=REVIEW_PROPOSED_CHANGE_PERMISSION),
+        ],
+    ),
+    ActionRule(
+        action=ProposedChangeAction.REJECT,
+        checks=[
+            StateIs(expected=[ProposedChangeState.OPEN]),
+            HasPermission(permission=REVIEW_PROPOSED_CHANGE_PERMISSION),
+        ],
+    ),
+    ActionRule(
+        action=ProposedChangeAction.CANCEL_REJECT,
+        checks=[
+            StateIs(expected=[ProposedChangeState.OPEN]),
+            HasPermission(permission=REVIEW_PROPOSED_CHANGE_PERMISSION),
+        ],
+    ),
+    ActionRule(
+        action=ProposedChangeAction.MERGE,
+        checks=[
+            StateIs(expected=[ProposedChangeState.OPEN]),
+            DraftIs(expected=False),
+            HasPermission(permission=MERGE_PROPOSED_CHANGE_PERMISSION),
+            IsMergeable(),
+        ],
+    ),
+]

infrahub/proposed_change/approval_revoker.py

@@ -0,0 +1,40 @@
+import logging
+from abc import ABC, abstractmethod
+
+from fast_depends import Depends, inject
+
+from infrahub.database import InfrahubDatabase
+
+log = logging.getLogger(__name__)
+
+
+class ApprovalRevoker(ABC):
+    @abstractmethod
+    async def revoke_approvals_on_updated_pcs(
+        self,
+        db: InfrahubDatabase,
+        proposed_changes_ids: list[str] | None,
+    ) -> None:
+        raise NotImplementedError()
+
+
+class ApprovalRevokerCommunity(ApprovalRevoker):
+    async def revoke_approvals_on_updated_pcs(
+        self,
+        db: InfrahubDatabase,  # noqa: ARG002
+        proposed_changes_ids: list[str] | None,  # noqa: ARG002
+    ) -> None:
+        raise ValueError("Revoking existing approvals based on branch changes is an enterprise feature.")
+
+
+def get_approval_revoker() -> ApprovalRevoker:
+    return ApprovalRevokerCommunity()
+
+
+@inject
+async def do_revoke_approvals_on_updated_pcs(
+    db: InfrahubDatabase,
+    proposed_changes_ids: list[str] | None = None,
+    approval_revoker: ApprovalRevoker = Depends(get_approval_revoker),  # noqa: B008
+) -> None:
+    await approval_revoker.revoke_approvals_on_updated_pcs(db=db, proposed_changes_ids=proposed_changes_ids)

infrahub/proposed_change/branch_diff.py

@@ -6,6 +6,7 @@ from typing import TYPE_CHECKING, cast
 
 from infrahub.exceptions import ResourceNotFoundError
 from infrahub.message_bus.types import KVTTL
+from infrahub.workers.dependencies import get_cache
 
 if TYPE_CHECKING:
     from uuid import UUID
@@ -54,7 +55,8 @@ async def set_diff_summary_cache(pipeline_id: UUID, diff_summary: list[NodeDiff]
     )
 
 
-async def get_diff_summary_cache(pipeline_id: UUID, cache: InfrahubCache) -> list[NodeDiff]:
+async def get_diff_summary_cache(pipeline_id: UUID) -> list[NodeDiff]:
+    cache = await get_cache()
     summary_payload = await cache.get(
         key=f"proposed_change:pipeline:pipeline_id:{pipeline_id}:diff_summary",
     )

infrahub/proposed_change/checker.py

@@ -0,0 +1,45 @@
+from abc import ABC, abstractmethod
+
+from fast_depends import Depends, inject
+
+from infrahub.auth import AccountSession
+from infrahub.core.node import Node
+from infrahub.database import InfrahubDatabase
+
+
+class ProposedChangeChecker(ABC):
+    # We can't use CoreProposedChange type instead of Node as fast_depends enforces pydantic runtime type checks.
+    @abstractmethod
+    async def verify_proposed_change_is_mergeable(
+        self, proposed_change: Node, db: InfrahubDatabase, account_session: AccountSession
+    ) -> None:
+        """
+        Raise an error if proposed change cannot be merged.
+        """
+
+        raise NotImplementedError()
+
+
+class ProposedChangeCheckerCommunity(ProposedChangeChecker):
+    async def verify_proposed_change_is_mergeable(
+        self, proposed_change: Node, db: InfrahubDatabase, account_session: AccountSession
+    ) -> None:
+        pass
+
+
+def get_proposed_change_checker() -> ProposedChangeChecker:
+    return ProposedChangeCheckerCommunity()
+
+
+# We can't use CoreProposedChange type instead of Node as fast_depends enforces pydantic runtime type checks.
+@inject
+async def verify_proposed_change_is_mergeable(
+    proposed_change: Node,
+    db: InfrahubDatabase,
+    account_session: AccountSession,
+    pc_checker: ProposedChangeChecker = Depends(get_proposed_change_checker),  # noqa: B008
+) -> None:
+    # type ignore due to fast-depends enforcing pydantic checks
+    await pc_checker.verify_proposed_change_is_mergeable(
+        proposed_change=proposed_change, db=db, account_session=account_session
+    )

infrahub/proposed_change/constants.py

@@ -4,6 +4,13 @@ from infrahub.exceptions import ValidationError
 from infrahub.utils import InfrahubStringEnum
 
 
+class ProposedChangeApprovalDecision(InfrahubStringEnum):
+    APPROVE = "approve"
+    CANCEL_APPROVE = "cancel-approve"
+    REJECT = "reject"
+    CANCEL_REJECT = "cancel-reject"
+
+
 class ProposedChangeState(InfrahubStringEnum):
     OPEN = "open"
     MERGED = "merged"
@@ -11,18 +18,29 @@ class ProposedChangeState(InfrahubStringEnum):
     CLOSED = "closed"
     CANCELED = "canceled"
 
+    @property
+    def is_completed(self) -> bool:
+        """Check if the proposed change is in a completed state."""
+        return self != ProposedChangeState.OPEN
+
     def validate_state_check_run(self) -> None:
         if self == ProposedChangeState.OPEN:
             return
 
         raise ValidationError(input_value="Unable to trigger check on proposed changes that aren't in the open state")
 
-    def validate_editability(self) -> None:
-        if self in [ProposedChangeState.CANCELED, ProposedChangeState.MERGED, ProposedChangeState.MERGED]:
+    def validate_updatable(self) -> None:
+        if self.is_completed:
             raise ValidationError(
                 input_value=f"A proposed change in the {self.value} state is not allowed to be updated"
             )
 
+    def validate_reviewable(self) -> None:
+        if self.is_completed:
+            raise ValidationError(
+                input_value=f"A proposed change in the {self.value} state is not allowed to be reviewed"
+            )
+
     def validate_state_transition(self, updated_state: ProposedChangeState) -> None:
         if self == ProposedChangeState.OPEN:
             return
@@ -34,3 +52,15 @@ class ProposedChangeState(InfrahubStringEnum):
             raise ValidationError(
                 input_value="A closed proposed change is only allowed to transition to the open state"
             )
+
+
+class ProposedChangeAction(InfrahubStringEnum):
+    OPEN = "open"
+    CLOSE = "close"
+    SET_DRAFT = "set-draft"
+    UNSET_DRAFT = "unset-draft"
+    MERGE = "merge"
+    APPROVE = "approve"
+    CANCEL_APPROVE = "cancel-approve"
+    REJECT = "reject"
+    CANCEL_REJECT = "cancel-reject"