infrahub-server 1.5.0b1__py3-none-any.whl → 1.5.0b2__py3-none-any.whl

infrahub/api/internal.py

@@ -161,6 +161,8 @@ class SearchResultAPI(BaseModel):
 async def search_docs(
     query: str, limit: int | None = None, _: AccountSession = Depends(get_current_user)
 ) -> list[SearchResultAPI]:
+    if not query:
+        return []
     smart_query = smart_queries(query)
     search_results = search_docs_loader.heading_index.search(smart_query)
     heading_results = [

infrahub/api/oauth2.py

@@ -11,14 +11,16 @@ from opentelemetry import trace
 
 from infrahub import config, models
 from infrahub.api.dependencies import get_db
-from infrahub.auth import get_groups_from_provider, signin_sso_account
-from infrahub.exceptions import GatewayError, ProcessingError
+from infrahub.auth import (
+    get_groups_from_provider,
+    signin_sso_account,
+    validate_auth_response,
+)
+from infrahub.exceptions import ProcessingError
 from infrahub.log import get_logger
 from infrahub.message_bus.types import KVTTL
 
 if TYPE_CHECKING:
-    import httpx
-
     from infrahub.database import InfrahubDatabase
     from infrahub.services import InfrahubServices
 
@@ -95,7 +97,7 @@ async def token(
     }
 
     token_response = await service.http.post(provider.token_url, data=token_data)
-    _validate_response(response=token_response)
+    validate_auth_response(response=token_response, provider_type="OAuth 2.0")
 
     with trace.get_tracer(__name__).start_as_current_span("sso_token_request") as span:
         span.set_attribute("token_request_data", ujson.dumps(token_response.json()))
@@ -107,12 +109,17 @@ async def token(
     else:
         userinfo_response = await service.http.post(provider.userinfo_url, headers=headers)
 
-    _validate_response(response=userinfo_response)
+    validate_auth_response(response=userinfo_response, provider_type="OAuth 2.0")
     user_info = userinfo_response.json()
     sso_groups = user_info.get("groups", []) or await get_groups_from_provider(
         provider=provider, service=service, payload=payload, user_info=user_info
     )
 
+    log.info(
+        "SSO user authenticated",
+        body={"user_name": user_info.get("name"), "groups": sso_groups},
+    )
+
     if not sso_groups and config.SETTINGS.security.sso_user_default_group:
         sso_groups = [config.SETTINGS.security.sso_user_default_group]
 
@@ -134,16 +141,3 @@ async def token(
     return models.UserTokenWithUrl(
         access_token=user_token.access_token, refresh_token=user_token.refresh_token, final_url=stored_final_url
     )
-
-
-def _validate_response(response: httpx.Response) -> None:
-    if 200 <= response.status_code <= 299:
-        return
-
-    log.error(
-        "Invalid response from the OAuth provider",
-        url=response.url,
-        status_code=response.status_code,
-        body=response.json(),
-    )
-    raise GatewayError(message="Invalid response from Authentication provider")

infrahub/api/oidc.py

@@ -13,14 +13,16 @@ from pydantic import BaseModel, HttpUrl
 
 from infrahub import config, models
 from infrahub.api.dependencies import get_db
-from infrahub.auth import get_groups_from_provider, signin_sso_account
-from infrahub.exceptions import GatewayError, ProcessingError
+from infrahub.auth import (
+    get_groups_from_provider,
+    signin_sso_account,
+    validate_auth_response,
+)
+from infrahub.exceptions import ProcessingError
 from infrahub.log import get_logger
 from infrahub.message_bus.types import KVTTL
 
 if TYPE_CHECKING:
-    import httpx
-
     from infrahub.database import InfrahubDatabase
     from infrahub.services import InfrahubServices
 
@@ -69,7 +71,7 @@ async def authorize(request: Request, provider_name: str, final_url: str | None
     service: InfrahubServices = request.app.state.service
 
     response = await service.http.get(url=provider.discovery_url)
-    _validate_response(response=response)
+    validate_auth_response(response=response, provider_type="OIDC")
     oidc_config = OIDCDiscoveryConfig(**response.json())
 
     with trace.get_tracer(__name__).start_as_current_span("sso_oauth2_client_configuration") as span:
@@ -129,12 +131,12 @@ async def token(
     }
 
     discovery_response = await service.http.get(url=provider.discovery_url)
-    _validate_response(response=discovery_response)
+    validate_auth_response(response=discovery_response, provider_type="OIDC")
 
     oidc_config = OIDCDiscoveryConfig(**discovery_response.json())
 
     token_response = await service.http.post(str(oidc_config.token_endpoint), data=token_data)
-    _validate_response(response=token_response)
+    validate_auth_response(response=token_response, provider_type="OIDC")
 
     with trace.get_tracer(__name__).start_as_current_span("sso_token_request") as span:
         span.set_attribute("token_request_data", ujson.dumps(token_response.json()))
@@ -147,7 +149,7 @@ async def token(
     else:
         userinfo_response = await service.http.post(str(oidc_config.userinfo_endpoint), headers=headers)
 
-    _validate_response(response=userinfo_response)
+    validate_auth_response(response=userinfo_response, provider_type="OIDC")
     user_info: dict[str, Any] = userinfo_response.json()
     sso_groups = (
         user_info.get("groups")
@@ -157,6 +159,11 @@ async def token(
         or await get_groups_from_provider(provider=provider, service=service, payload=payload, user_info=user_info)
     )
 
+    log.info(
+        "SSO user authenticated",
+        body={"user_name": user_info.get("name"), "groups": sso_groups},
+    )
+
     if not sso_groups and config.SETTINGS.security.sso_user_default_group:
         sso_groups = [config.SETTINGS.security.sso_user_default_group]
 
@@ -180,19 +187,6 @@ async def token(
     )
 
 
-def _validate_response(response: httpx.Response) -> None:
-    if 200 <= response.status_code <= 299:
-        return
-
-    log.error(
-        "Invalid response from the OIDC provider",
-        url=response.url,
-        status_code=response.status_code,
-        body=response.json(),
-    )
-    raise GatewayError(message="Invalid response from Authentication provider")
-
-
 async def _get_id_token_groups(
     oidc_config: OIDCDiscoveryConfig, service: InfrahubServices, payload: dict[str, Any], client_id: str
 ) -> list[str]:

infrahub/api/schema.py

@@ -26,7 +26,15 @@ from infrahub.core.models import (  # noqa: TC001
     SchemaDiff,
     SchemaUpdateValidationResult,
 )
-from infrahub.core.schema import GenericSchema, MainSchemaTypes, NodeSchema, ProfileSchema, SchemaRoot, TemplateSchema
+from infrahub.core.schema import (
+    GenericSchema,
+    MainSchemaTypes,
+    NodeSchema,
+    ProfileSchema,
+    SchemaRoot,
+    SchemaWarning,
+    TemplateSchema,
+)
 from infrahub.core.schema.constants import SchemaNamespace  # noqa: TC001
 from infrahub.core.validators.models.validate_migration import (
     SchemaValidateMigrationData,
@@ -130,6 +138,9 @@ class SchemaUpdate(BaseModel):
     hash: str = Field(..., description="The new hash for the entire schema")
     previous_hash: str = Field(..., description="The previous hash for the entire schema")
     diff: SchemaDiff = Field(..., description="The modifications to the schema")
+    warnings: list[SchemaWarning] = Field(
+        default_factory=list, description="Warnings encountered while loading the schema"
+    )
 
     @computed_field
     def schema_updated(self) -> bool:
@@ -307,8 +318,10 @@ async def load_schema(
     log.info("schema_load_request", branch=branch.name)
 
     errors: list[str] = []
+    warnings: list[SchemaWarning] = []
     for schema in schemas.schemas:
         errors += schema.validate_namespaces()
+        warnings += schema.gather_warnings()
 
     if errors:
         raise SchemaNotValidError(message=", ".join(errors))
@@ -402,7 +415,7 @@ async def load_schema(
     )
     await service.event.send(event=event)
 
-    return SchemaUpdate(hash=updated_hash, previous_hash=original_hash, diff=result.diff)
+    return SchemaUpdate(hash=updated_hash, previous_hash=original_hash, diff=result.diff, warnings=warnings)
 
 
 @router.post("/check")
@@ -417,8 +430,10 @@ async def check_schema(
     log.info("schema_check_request", branch=branch.name)
 
     errors: list[str] = []
+    warnings: list[SchemaWarning] = []
     for schema in schemas.schemas:
         errors += schema.validate_namespaces()
+        warnings += schema.gather_warnings()
 
     if errors:
         raise SchemaNotValidError(message=", ".join(errors))
@@ -445,4 +460,10 @@ async def check_schema(
     if error_messages:
         raise SchemaNotValidError(message=",\n".join(error_messages))
 
-    return JSONResponse(status_code=202, content={"diff": result.diff.model_dump()})
+    return JSONResponse(
+        status_code=202,
+        content={
+            "diff": result.diff.model_dump(),
+            "warnings": [warning.model_dump(mode="json") for warning in warnings],
+        },
+    )

infrahub/artifacts/models.py

@@ -25,7 +25,8 @@ class CheckArtifactCreate(BaseModel):
     target_kind: str = Field(..., description="The kind of the target object for this artifact")
     target_name: str = Field(..., description="Name of the artifact target")
     artifact_id: str | None = Field(default=None, description="The id of the artifact if it previously existed")
-    query: str = Field(..., description="The name of the query to use when collecting data")
+    query: str = Field(..., description="The name of the query to use when collecting data")  # Deprecated
+    query_id: str = Field(..., description="The id of the query to use when collecting data")
     timeout: int = Field(..., description="Timeout for requests used to generate this artifact")
     variables: dict = Field(..., description="Input variables when generating the artifact")
     validator_id: str = Field(..., description="The ID of the validator")

infrahub/auth.py

@@ -3,27 +3,37 @@ from __future__ import annotations
 import uuid
 from datetime import UTC, datetime, timedelta
 from enum import Enum
-from typing import TYPE_CHECKING
+from typing import TYPE_CHECKING, Any
 
 import bcrypt
 import jwt
 from pydantic import BaseModel
 
 from infrahub import config, models
-from infrahub.config import SecurityOAuth2Google, SecurityOAuth2Settings, SecurityOIDCGoogle, SecurityOIDCSettings
+from infrahub.config import (
+    SecurityOAuth2Google,
+    SecurityOAuth2Settings,
+    SecurityOIDCGoogle,
+    SecurityOIDCSettings,
+)
 from infrahub.core.account import validate_token
 from infrahub.core.constants import AccountStatus, InfrahubKind
 from infrahub.core.manager import NodeManager
 from infrahub.core.node import Node
 from infrahub.core.protocols import CoreAccount, CoreAccountGroup
 from infrahub.core.registry import registry
-from infrahub.exceptions import AuthorizationError, NodeNotFoundError
+from infrahub.exceptions import AuthorizationError, GatewayError, NodeNotFoundError
+from infrahub.log import get_logger
 
 if TYPE_CHECKING:
+    import httpx
+
     from infrahub.core.protocols import CoreGenericAccount
     from infrahub.database import InfrahubDatabase
     from infrahub.services import InfrahubServices
 
+log = get_logger()
+
 
 class AuthType(str, Enum):
     NONE = "none"
@@ -256,3 +266,127 @@ async def get_groups_from_provider(
                 return [membership["groupKey"]["id"] for membership in group_memberships["memberships"]]
 
     return []
+
+
+def safe_get_response_body(response: httpx.Response, raise_error_on_empty_body: bool = True) -> str | dict[str, Any]:
+    """Safely extract response body from HTTP response. If the response body cannot be JSON parsed or is empty,
+    it raises a GatewayError.
+
+    Args:
+        response: The HTTP response object
+        raise_error_on_empty_body: Whether to raise an error if the response body is empty
+
+    Returns:
+        The response body as JSON dict if possible, otherwise as text
+
+    Raises:
+        GatewayError: When the response body cannot be parsed or is empty
+    """
+    # Try to parse as JSON first
+    try:
+        return response.json()
+    except Exception as json_error:
+        try:
+            # Try to get as text
+            text_body = response.text
+            if not text_body.strip() and raise_error_on_empty_body:  # Check for empty or whitespace-only response
+                log.error(
+                    "Empty response body from authentication provider",
+                    url=str(response.url),
+                    status_code=response.status_code,
+                )
+                raise GatewayError(message="Authentication provider returned an empty response") from json_error
+        except Exception:
+            log.error(
+                "Unable to read response body from authentication provider",
+                url=str(response.url),
+                status_code=response.status_code,
+            )
+            raise GatewayError(message="Unable to read response from authentication provider") from json_error
+
+    # Here it means we got a text response but not JSON
+    return text_body
+
+
+def extract_auth_error_message(response_body: str | dict[str, Any], base_message: str) -> str:
+    """Extract error message from OAuth 2.0/OIDC provider response following RFC 6749.
+
+    Args:
+        response_body: The response body from the authentication provider
+        base_message: Base error message to use if no specific error is found
+
+    Returns:
+        Formatted error message with provider details if available
+    """
+    if not isinstance(response_body, dict):
+        return base_message
+
+    # RFC 6749 standard error response format
+    error_description = response_body.get("error_description")
+    error_code = response_body.get("error")
+
+    if error_description:
+        return f"{base_message}: {error_description}"
+    if error_code:
+        return f"{base_message}: {error_code}"
+
+    return base_message
+
+
+def validate_auth_response(response: httpx.Response, provider_type: str = "authentication") -> None:
+    """Validate HTTP response from OAuth 2.0/OIDC provider and raise appropriate errors.
+
+    Args:
+        response: The HTTP response from the authentication provider
+        provider_type: Type of provider for logging (e.g., "OAuth 2.0", "OIDC")
+
+    Raises:
+        GatewayError: When the response indicates an error or invalid state
+    """
+    # If the status code is successful, simply return
+    if 200 <= response.status_code <= 299:
+        # Verify that we can read the response body safely and it is not empty
+        safe_get_response_body(response)
+        return
+
+    # Prepare variables with default values for logging
+    response_body = safe_get_response_body(response, raise_error_on_empty_body=False)
+    log_message: str = f"Unexpected response from {provider_type} provider"
+    base_msg: str = "Unexpected response from authentication provider."
+
+    # Handle specific HTTP status codes with appropriate error messages
+    match response.status_code:
+        case 400:
+            log_message = f"Bad request to {provider_type} provider"
+            base_msg = "Bad request to authentication provider. Please try again later or contact your administrator."
+
+        case 401:
+            log_message = f"Unauthorized request to {provider_type} provider"
+            base_msg = (
+                "Unauthorized request to authentication provider. Please try again later or contact your administrator."
+            )
+
+        case 403:
+            log_message = f"Forbidden request to {provider_type} provider"
+            base_msg = (
+                "Access forbidden by authentication provider. Please try again later or contact your administrator."
+            )
+
+        case 404:
+            log_message = f"Resource not found for {provider_type} provider"
+            base_msg = (
+                "Authentication provider endpoint not found. Please try again later or contact your administrator."
+            )
+
+        case 429:
+            log_message = f"Rate limited by {provider_type} provider"
+            base_msg = "Rate limited by authentication provider. Please try again later."
+
+        case status_code if 500 <= status_code <= 599:
+            log_message = f"Server error from {provider_type} provider"
+            base_msg = "Authentication provider is experiencing server issues. Please try again later or contact your administrator."
+
+    # Print proper log and raise gateway error
+    log.error(log_message, url=str(response.url), status_code=response.status_code, body=response_body)
+    error_msg = extract_auth_error_message(response_body, base_msg)
+    raise GatewayError(message=error_msg)

infrahub/cli/__init__.py

@@ -7,6 +7,7 @@ from infrahub.core.initialization import initialization
 from ..workers.dependencies import get_database
 from .context import CliContext
 from .db import app as db_app
+from .dev import app as dev_app
 from .events import app as events_app
 from .git_agent import app as git_app
 from .server import app as server_app
@@ -27,6 +28,7 @@ app.add_typer(git_app, name="git-agent", hidden=True)
 app.add_typer(db_app, name="db")
 app.add_typer(events_app, name="events", help="Interact with the events system.", hidden=True)
 app.add_typer(tasks_app, name="tasks", hidden=True)
+app.add_typer(dev_app, name="dev", help="Internal development commands.")
 app.command(name="upgrade")(upgrade_cmd)