infrahub-server 1.3.8__py3-none-any.whl → 1.4.0__py3-none-any.whl

infrahub/core/graph/schema.py

@@ -23,6 +23,14 @@ class GraphRelationship(BaseModel):
     direction: GraphRelDirection
 
 
+class GraphVertex(BaseModel):
+    default_label: str = "NULL"
+
+    @classmethod
+    def get_default_label(cls) -> str:
+        return cls.model_fields["default_label"].default
+
+
 # -----------------------------------------------------
 # Node
 # -----------------------------------------------------
@@ -61,7 +69,7 @@ class GraphNodeRelationships(BaseModel):
     )
 
 
-class GraphNodeNode(BaseModel):
+class GraphNodeNode(GraphVertex):
     default_label: str = "Node"  # Most node also have CoreNode
     properties: GraphNodeProperties
     relationships: GraphNodeRelationships
@@ -95,7 +103,7 @@ class GraphRelationshipRelationships(BaseModel):
     )
 
 
-class GraphRelationshipNode(BaseModel):
+class GraphRelationshipNode(GraphVertex):
     default_label: str = "Relationship"
     properties: GraphRelationshipProperties
     relationships: GraphRelationshipRelationships
@@ -133,7 +141,7 @@ class GraphAttributeRelationships(BaseModel):
     )
 
 
-class GraphAttributeNode(BaseModel):
+class GraphAttributeNode(GraphVertex):
     default_label: str = "Attribute"
     properties: GraphAttributeProperties
     relationships: GraphAttributeRelationships
@@ -168,19 +176,25 @@ class GraphAttributeValueRelationships(BaseModel):
     )
 
 
-class GraphAttributeValueNode(BaseModel):
+class GraphAttributeValueNode(GraphVertex):
     default_label: str = "AttributeValue"
     properties: GraphAttributeValueProperties
     relationships: GraphAttributeValueRelationships
 
 
-class GraphAttributeIPNetworkNode(BaseModel):
+class GraphAttributeValueIndexedNode(GraphVertex):
+    default_label: str = "AttributeValueIndexed"
+    properties: GraphAttributeValueProperties
+    relationships: GraphAttributeValueRelationships
+
+
+class GraphAttributeIPNetworkNode(GraphVertex):
     default_label: str = "AttributeIPNetwork"
     properties: GraphAttributeIPNetworkProperties
     relationships: GraphAttributeValueRelationships
 
 
-class GraphAttributeIPHostNode(BaseModel):
+class GraphAttributeIPHostNode(GraphVertex):
     default_label: str = "AttributeIPHost"
     properties: GraphAttributeIPHostProperties
     relationships: GraphAttributeValueRelationships
@@ -202,7 +216,7 @@ class GraphBooleanRelationships(BaseModel):
     )
 
 
-class GraphBooleanNode(BaseModel):
+class GraphBooleanNode(GraphVertex):
     default_label: str = "Boolean"
     properties: GraphBooleanProperties
     relationships: GraphBooleanRelationships
@@ -229,25 +243,32 @@ class GraphRelationshipDefault(BaseModel):
     hierarchy: Optional[str] = Field(None, description="Name of the hierarchy this relationship is part of")
 
 
-GRAPH_SCHEMA: dict[str, dict[str, Any]] = {
-    "nodes": {
-        "Node": GraphNodeNode,
-        "Relationship": GraphRelationshipNode,
-        "Attribute": GraphAttributeNode,
-        "AttributeValue": GraphAttributeValueNode,
-        "AttributeIPNetwork": GraphAttributeIPNetworkNode,
-        "AttributeIPHost": GraphAttributeIPHostNode,
-        "Boolean": GraphBooleanNode,
-    },
-    "relationships": {
-        # Ignoring IS_PART_OF for now, because there is a bit of cleanup required
-        # "IS_PART_OF": GraphRelationshipIsPartOf,
-        "HAS_VALUE": GraphRelationshipDefault,
-        "HAS_ATTRIBUTE": GraphRelationshipDefault,
-        "IS_RELATED": GraphRelationshipDefault,
-        "HAS_SOURCE": GraphRelationshipDefault,
-        "HAS_OWNER": GraphRelationshipDefault,
-        "IS_VISIBLE": GraphRelationshipDefault,
-        "IS_PROTECTED": GraphRelationshipDefault,
-    },
-}
+def get_graph_schema() -> dict[str, dict[str, Any]]:
+    """Generate the graph schema dictionary containing nodes and relationships."""
+    graph_node_list: list[type[GraphVertex]] = [
+        GraphNodeNode,
+        GraphRelationshipNode,
+        GraphAttributeNode,
+        GraphAttributeValueNode,
+        GraphAttributeValueIndexedNode,
+        GraphAttributeIPNetworkNode,
+        GraphAttributeIPHostNode,
+        GraphBooleanNode,
+    ]
+    return {
+        "nodes": {graph_node.get_default_label(): graph_node for graph_node in graph_node_list},
+        "relationships": {
+            # Ignoring IS_PART_OF for now, because there is a bit of cleanup required
+            # "IS_PART_OF": GraphRelationshipIsPartOf,
+            "HAS_VALUE": GraphRelationshipDefault,
+            "HAS_ATTRIBUTE": GraphRelationshipDefault,
+            "IS_RELATED": GraphRelationshipDefault,
+            "HAS_SOURCE": GraphRelationshipDefault,
+            "HAS_OWNER": GraphRelationshipDefault,
+            "IS_VISIBLE": GraphRelationshipDefault,
+            "IS_PROTECTED": GraphRelationshipDefault,
+        },
+    }
+
+
+GRAPH_SCHEMA: dict[str, dict[str, Any]] = get_graph_schema()

infrahub/core/initialization.py

@@ -1,4 +1,5 @@
 import importlib
+from collections.abc import Sequence
 from typing import TYPE_CHECKING
 from uuid import uuid4
 
@@ -16,15 +17,16 @@ from infrahub.core.constants import (
     PermissionDecision,
 )
 from infrahub.core.graph import GRAPH_VERSION
-from infrahub.core.graph.index import attr_value_index, node_indexes, rel_indexes
+from infrahub.core.graph.index import node_indexes, rel_indexes
 from infrahub.core.manager import NodeManager
 from infrahub.core.node import Node
 from infrahub.core.node.ipam import BuiltinIPPrefix
 from infrahub.core.node.permissions import CoreGlobalPermission, CoreObjectPermission
+from infrahub.core.node.proposed_change import CoreProposedChange
 from infrahub.core.node.resource_manager.ip_address_pool import CoreIPAddressPool
 from infrahub.core.node.resource_manager.ip_prefix_pool import CoreIPPrefixPool
 from infrahub.core.node.resource_manager.number_pool import CoreNumberPool
-from infrahub.core.protocols import CoreAccount
+from infrahub.core.protocols import CoreAccount, CoreAccountGroup, CoreAccountRole
 from infrahub.core.root import Root
 from infrahub.core.schema import SchemaRoot, core_models, internal_schema
 from infrahub.core.schema.manager import SchemaManager
@@ -35,7 +37,7 @@ from infrahub.exceptions import DatabaseError
 from infrahub.graphql.manager import GraphQLSchemaManager
 from infrahub.log import get_logger
 from infrahub.menu.utils import create_default_menu
-from infrahub.permissions import PermissionBackend
+from infrahub.permissions import PermissionBackend, get_or_create_global_permission
 from infrahub.storage import InfrahubObjectStorage
 
 if TYPE_CHECKING:
@@ -117,6 +119,7 @@ async def initialize_registry(db: InfrahubDatabase, initialize: bool = False) ->
     registry.node[InfrahubKind.NUMBERPOOL] = CoreNumberPool
     registry.node[InfrahubKind.GLOBALPERMISSION] = CoreGlobalPermission
     registry.node[InfrahubKind.OBJECTPERMISSION] = CoreObjectPermission
+    registry.node[InfrahubKind.PROPOSEDCHANGE] = CoreProposedChange
 
     # ---------------------------------------------------
     # Instantiate permission backends
@@ -129,8 +132,6 @@ async def add_indexes(db: InfrahubDatabase) -> None:
         index_manager: IndexManagerBase = IndexManagerMemgraph(db=db)
     index_manager = IndexManagerNeo4j(db=db)
 
-    if config.SETTINGS.experimental_features.value_db_index:
-        node_indexes.append(attr_value_index)
     index_manager.init(nodes=node_indexes, rels=rel_indexes)
     log.debug("Loading database indexes ..")
     await index_manager.add()
@@ -321,7 +322,7 @@ async def create_ipam_namespace(
     return obj
 
 
-async def create_super_administrator_role(db: InfrahubDatabase) -> Node:
+async def create_super_administrator_role(db: InfrahubDatabase) -> CoreAccountRole:
     permission = await Node.init(db=db, schema=InfrahubKind.GLOBALPERMISSION)
     await permission.new(
         db=db,
@@ -333,15 +334,15 @@ async def create_super_administrator_role(db: InfrahubDatabase) -> Node:
     log.info(f"Created global permission: {GlobalPermissions.SUPER_ADMIN}")
 
     role_name = "Super Administrator"
-    obj = await Node.init(db=db, schema=InfrahubKind.ACCOUNTROLE)
-    await obj.new(db=db, name=role_name, permissions=[permission])
-    await obj.save(db=db)
+    role = await Node.init(db=db, schema=CoreAccountRole)
+    await role.new(db=db, name=role_name, permissions=[permission])
+    await role.save(db=db)
     log.info(f"Created account role: {role_name}")
 
-    return obj
+    return role
 
 
-async def create_default_roles(db: InfrahubDatabase) -> Node:
+async def create_default_role(db: InfrahubDatabase) -> CoreAccountRole:
     repo_permission = await Node.init(db=db, schema=InfrahubKind.GLOBALPERMISSION)
     await repo_permission.new(
         db=db,
@@ -370,20 +371,13 @@ async def create_default_roles(db: InfrahubDatabase) -> Node:
     await proposed_change_permission.save(db=db)
 
     # Other permissions, created to keep references of them from the start
-    for permission_action, permission_description in (
-        (GlobalPermissions.EDIT_DEFAULT_BRANCH, "Allow a user to change data in the default branch"),
-        (GlobalPermissions.MANAGE_ACCOUNTS, "Allow a user to manage accounts, account roles and account groups"),
-        (GlobalPermissions.MANAGE_PERMISSIONS, "Allow a user to manage permissions"),
-        (GlobalPermissions.MERGE_BRANCH, "Allow a user to merge branches"),
+    for permission_action in (
+        GlobalPermissions.EDIT_DEFAULT_BRANCH,
+        GlobalPermissions.MANAGE_ACCOUNTS,
+        GlobalPermissions.MANAGE_PERMISSIONS,
+        GlobalPermissions.MERGE_BRANCH,
     ):
-        permission = await Node.init(db=db, schema=InfrahubKind.GLOBALPERMISSION)
-        await permission.new(
-            db=db,
-            action=permission_action.value,
-            decision=PermissionDecision.ALLOW_ALL.value,
-            description=permission_description,
-        )
-        await permission.save(db=db)
+        await get_or_create_global_permission(db=db, permission=permission_action)
 
     view_permission = await Node.init(db=db, schema=InfrahubKind.OBJECTPERMISSION)
     await view_permission.new(
@@ -408,7 +402,7 @@ async def create_default_roles(db: InfrahubDatabase) -> Node:
     await modify_permission.save(db=db)
 
     role_name = "General Access"
-    role = await Node.init(db=db, schema=InfrahubKind.ACCOUNTROLE)
+    role = await Node.init(db=db, schema=CoreAccountRole)
     await role.new(
         db=db,
         name=role_name,
@@ -423,16 +417,42 @@ async def create_default_roles(db: InfrahubDatabase) -> Node:
     await role.save(db=db)
     log.info(f"Created account role: {role_name}")
 
-    group_name = "Infrahub Users"
-    group = await Node.init(db=db, schema=InfrahubKind.ACCOUNTGROUP)
-    await group.new(db=db, name=group_name, roles=[role])
-    await group.save(db=db)
-    log.info(f"Created account group: {group_name}")
+    return role
+
+
+async def create_proposed_change_reviewer_role(db: InfrahubDatabase) -> CoreAccountRole:
+    edit_default_branch_permission = await get_or_create_global_permission(
+        db=db, permission=GlobalPermissions.EDIT_DEFAULT_BRANCH
+    )
+    reviewer_permission = await get_or_create_global_permission(
+        db=db, permission=GlobalPermissions.REVIEW_PROPOSED_CHANGE
+    )
+
+    proposed_change_update_permission = await Node.init(db=db, schema=InfrahubKind.OBJECTPERMISSION)
+    await proposed_change_update_permission.new(
+        db=db,
+        name="ProposedChange",
+        namespace="Core",
+        action=PermissionAction.UPDATE.value,
+        decision=PermissionDecision.ALLOW_ALL.value,
+        description="Allow a user to update proposed changes",
+    )
+    await proposed_change_update_permission.save(db=db)
+
+    role_name = "Proposed Change Reviewer"
+    role = await Node.init(db=db, schema=CoreAccountRole)
+    await role.new(
+        db=db,
+        name=role_name,
+        permissions=[edit_default_branch_permission, reviewer_permission, proposed_change_update_permission],
+    )
+    await role.save(db=db)
+    log.info(f"Created account role: {role_name}")
 
     return role
 
 
-async def create_anonymous_role(db: InfrahubDatabase) -> Node:
+async def create_anonymous_role(db: InfrahubDatabase) -> CoreAccountRole:
     deny_permission = await Node.init(db=db, schema=InfrahubKind.OBJECTPERMISSION)
     await deny_permission.new(
         db=db, name="*", namespace="*", action=PermissionAction.ANY.value, decision=PermissionDecision.DENY.value
@@ -445,7 +465,7 @@ async def create_anonymous_role(db: InfrahubDatabase) -> Node:
         hfid=["*", "*", PermissionAction.VIEW.value, str(PermissionDecision.ALLOW_ALL.value)],
     )
 
-    role = await Node.init(db=db, schema=InfrahubKind.ACCOUNTROLE)
+    role = await Node.init(db=db, schema=CoreAccountRole)
     await role.new(
         db=db, name=config.SETTINGS.main.anonymous_access_role, permissions=[deny_permission, view_permission]
     )
@@ -455,23 +475,39 @@ async def create_anonymous_role(db: InfrahubDatabase) -> Node:
     return role
 
 
-async def create_super_administrators_group(
-    db: InfrahubDatabase, role: Node, admin_accounts: list[CoreAccount]
-) -> Node:
-    group_name = "Super Administrators"
-    group = await Node.init(db=db, schema=InfrahubKind.ACCOUNTGROUP)
-    await group.new(db=db, name=group_name, roles=[role])
+async def create_accounts_group(
+    db: InfrahubDatabase, name: str, roles: Sequence[CoreAccountRole], accounts: Sequence[CoreAccount]
+) -> CoreAccountGroup:
+    group = await Node.init(db=db, schema=CoreAccountGroup)
+    await group.new(db=db, name=name, roles=list(roles))
     await group.save(db=db)
-    log.info(f"Created account group: {group_name}")
+    log.info(f"Created account group: {name}")
 
-    for admin_account in admin_accounts:
-        await group.members.add(db=db, data=admin_account)  # type: ignore[attr-defined]
-        await group.members.save(db=db)  # type: ignore[attr-defined]
-        log.info(f"Assigned account group: {group_name} to {admin_account.name.value}")
+    for account in accounts:
+        await group.members.add(db=db, data=account)  # type: ignore[arg-type]
+        await group.members.save(db=db)
+        log.info(f"Assigned account group: {name} to {account.name.value}")
 
     return group
 
 
+async def create_default_account_groups(
+    db: InfrahubDatabase,
+    admin_accounts: Sequence[CoreAccount] | None = None,
+    accounts: Sequence[CoreAccount] | None = None,
+) -> None:
+    administrator_role = await create_super_administrator_role(db=db)
+    await create_accounts_group(
+        db=db, name="Super Administrators", roles=[administrator_role], accounts=admin_accounts or []
+    )
+
+    default_role = await create_default_role(db=db)
+    proposed_change_reviewer_role = await create_proposed_change_reviewer_role(db=db)
+    await create_accounts_group(
+        db=db, name="Infrahub Users", roles=[default_role, proposed_change_reviewer_role], accounts=accounts or []
+    )
+
+
 async def first_time_initialization(db: InfrahubDatabase) -> None:
     # --------------------------------------------------
     # Create the default Branch
@@ -522,12 +558,10 @@ async def first_time_initialization(db: InfrahubDatabase) -> None:
         )
 
     # --------------------------------------------------
-    # Create Global Permissions and assign them
+    # Create default account roles, groups and permissions
     # --------------------------------------------------
-    administrator_role = await create_super_administrator_role(db=db)
-    await create_super_administrators_group(db=db, role=administrator_role, admin_accounts=admin_accounts)
+    await create_default_account_groups(db=db, admin_accounts=admin_accounts)
 
-    await create_default_roles(db=db)
     if config.SETTINGS.main.allow_anonymous_access:
         await create_anonymous_role(db=db)
 

infrahub/core/ipam/tasks.py

@@ -5,7 +5,7 @@ from prefect import flow
 
 from infrahub.core import registry
 from infrahub.core.ipam.reconciler import IpamReconciler
-from infrahub.services import InfrahubServices
+from infrahub.workers.dependencies import get_database
 from infrahub.workflows.utils import add_branch_tag
 
 from .model import IpamNodeDetails
@@ -20,8 +20,9 @@ if TYPE_CHECKING:
     description="Ensure the IPAM Tree is up to date",
     persist_result=False,
 )
-async def ipam_reconciliation(branch: str, ipam_node_details: list[IpamNodeDetails], service: InfrahubServices) -> None:
-    async with service.database.start_session() as db:
+async def ipam_reconciliation(branch: str, ipam_node_details: list[IpamNodeDetails]) -> None:
+    database = await get_database()
+    async with database.start_session() as db:
         branch_obj = await registry.get_branch(db=db, branch=branch)
 
         await add_branch_tag(branch_name=branch_obj.name)

infrahub/core/merge.py

@@ -26,7 +26,7 @@ if TYPE_CHECKING:
     from infrahub.core.schema.manager import SchemaDiff
     from infrahub.core.schema.schema_branch import SchemaBranch
     from infrahub.database import InfrahubDatabase
-    from infrahub.services import InfrahubServices
+    from infrahub.services.adapters.workflow import InfrahubWorkflow
 
 
 log = get_logger()
@@ -42,7 +42,7 @@ class BranchMerger:
         diff_repository: DiffRepository,
         diff_locker: DiffLocker,
         destination_branch: Branch | None = None,
-        service: InfrahubServices | None = None,
+        workflow: InfrahubWorkflow | None = None,
     ):
         self.source_branch = source_branch
         self.destination_branch: Branch = destination_branch or registry.get_branch_from_registry()
@@ -58,7 +58,7 @@ class BranchMerger:
         self._destination_schema: SchemaBranch | None = None
         self._initial_source_schema: SchemaBranch | None = None
 
-        self._service = service
+        self._workflow = workflow
 
     @property
     def source_schema(self) -> SchemaBranch:
@@ -81,10 +81,10 @@ class BranchMerger:
         raise ValueError("_initial_source_schema hasn't been initialized")
 
     @property
-    def service(self) -> InfrahubServices:
-        if not self._service:
-            raise ValueError("BranchMerger hasn't been initialized with a service object")
-        return self._service
+    def workflow(self) -> InfrahubWorkflow:
+        if not self._workflow:
+            raise ValueError("BranchMerger hasn't been initialized with a workflow object")
+        return self._workflow
 
     async def get_initial_source_branch(self) -> SchemaBranch:
         """Retrieve the schema of the source branch when the branch was created.
@@ -246,6 +246,4 @@ class BranchMerger:
                     destination_branch_id=str(self.destination_branch.get_uuid()),
                     default_branch=repo.default_branch.value,
                 )
-                await self.service.workflow.submit_workflow(
-                    workflow=GIT_REPOSITORIES_MERGE, parameters={"model": model}
-                )
+                await self.workflow.submit_workflow(workflow=GIT_REPOSITORIES_MERGE, parameters={"model": model})

infrahub/core/migrations/__init__.py

@@ -1,3 +1,4 @@
+from .schema.attribute_kind_update import AttributeKindUpdateMigration
 from .schema.attribute_name_update import AttributeNameUpdateMigration
 from .schema.node_attribute_add import NodeAttributeAddMigration
 from .schema.node_attribute_remove import NodeAttributeRemoveMigration
@@ -17,6 +18,7 @@ MIGRATION_MAP: dict[str, type[SchemaMigration] | None] = {
     "node.relationship.remove": PlaceholderDummyMigration,
     "attribute.name.update": AttributeNameUpdateMigration,
     "attribute.branch.update": None,
+    "attribute.kind.update": AttributeKindUpdateMigration,
     "relationship.branch.update": None,
     "relationship.direction.update": None,
     "relationship.identifier.update": PlaceholderDummyMigration,

infrahub/core/migrations/graph/__init__.py

@@ -37,6 +37,8 @@ from .m032_cleanup_orphaned_branch_relationships import Migration032
 from .m033_deduplicate_relationship_vertices import Migration033
 from .m034_find_orphaned_schema_fields import Migration034
 from .m035_orphan_relationships import Migration035
+from .m036_drop_attr_value_index import Migration036
+from .m037_index_attr_vals import Migration037
 
 if TYPE_CHECKING:
     from infrahub.core.root import Root
@@ -79,6 +81,8 @@ MIGRATIONS: list[type[GraphMigration | InternalSchemaMigration | ArbitraryMigrat
     Migration033,
     Migration034,
     Migration035,
+    Migration036,
+    Migration037,
 ]
 
 

infrahub/core/migrations/graph/m036_drop_attr_value_index.py

@@ -0,0 +1,45 @@
+from __future__ import annotations
+
+from typing import TYPE_CHECKING, Sequence
+
+from infrahub.constants.database import IndexType
+from infrahub.core.migrations.shared import MigrationResult
+from infrahub.core.query import Query  # noqa: TC001
+from infrahub.database import DatabaseType
+from infrahub.database.index import IndexItem
+from infrahub.database.neo4j import IndexManagerNeo4j
+
+from ..shared import GraphMigration
+
+if TYPE_CHECKING:
+    from infrahub.database import InfrahubDatabase
+
+
+INDEX_TO_DELETE = IndexItem(name="attr_value", label="AttributeValue", properties=["value"], type=IndexType.RANGE)
+
+
+class Migration036(GraphMigration):
+    name: str = "036_drop_attr_value_index"
+    queries: Sequence[type[Query]] = []
+    minimum_version: int = 35
+
+    async def execute(self, db: InfrahubDatabase) -> MigrationResult:
+        result = MigrationResult()
+
+        # Only execute this migration for Neo4j
+        if db.db_type != DatabaseType.NEO4J:
+            return result
+
+        try:
+            index_manager = IndexManagerNeo4j(db=db)
+            index_manager.init(nodes=[INDEX_TO_DELETE], rels=[])
+            await index_manager.drop()
+        except Exception as exc:
+            result.errors.append(str(exc))
+            return result
+
+        return result
+
+    async def validate_migration(self, db: InfrahubDatabase) -> MigrationResult:  # noqa: ARG002
+        result = MigrationResult()
+        return result