orchestrator-core 3.1.2rc4__py3-none-any.whl → 3.2.0rc1__py3-none-any.whl

orchestrator/graphql/resolvers/product_block.py

@@ -17,7 +17,7 @@ from orchestrator.graphql.resolvers.helpers import rows_from_statement
 from orchestrator.graphql.schemas.product_block import ProductBlock
 from orchestrator.graphql.types import GraphqlFilter, GraphqlSort, OrchestratorInfo
 from orchestrator.graphql.utils import create_resolver_error_handler, is_querying_page_data, to_graphql_result_page
-from orchestrator.graphql.utils.get_query_loaders import get_query_loaders
+from orchestrator.graphql.utils.get_query_loaders import get_query_loaders_for_gql_fields
 from orchestrator.utils.search_query import create_sqlalchemy_select
 
 logger = structlog.get_logger(__name__)
@@ -39,7 +39,7 @@ async def resolve_product_blocks(
         "resolve_product_blocks() called", range=[after, after + first], sort=sort_by, filter=pydantic_filter_by
     )
 
-    query_loaders = get_query_loaders(info, ProductBlockTable)
+    query_loaders = get_query_loaders_for_gql_fields(ProductBlockTable, info)
     select_stmt = select(ProductBlockTable)
     select_stmt = filter_product_blocks(select_stmt, pydantic_filter_by, _error_handler)
 

orchestrator/graphql/resolvers/resource_type.py

@@ -17,7 +17,7 @@ from orchestrator.graphql.resolvers.helpers import rows_from_statement
 from orchestrator.graphql.schemas.resource_type import ResourceType
 from orchestrator.graphql.types import GraphqlFilter, GraphqlSort, OrchestratorInfo
 from orchestrator.graphql.utils import create_resolver_error_handler, is_querying_page_data, to_graphql_result_page
-from orchestrator.graphql.utils.get_query_loaders import get_query_loaders
+from orchestrator.graphql.utils.get_query_loaders import get_query_loaders_for_gql_fields
 from orchestrator.utils.search_query import create_sqlalchemy_select
 
 logger = structlog.get_logger(__name__)
@@ -38,7 +38,7 @@ async def resolve_resource_types(
     logger.debug(
         "resolve_resource_types() called", range=[after, after + first], sort=sort_by, filter=pydantic_filter_by
     )
-    query_loaders = get_query_loaders(info, ResourceTypeTable)
+    query_loaders = get_query_loaders_for_gql_fields(ResourceTypeTable, info)
     select_stmt = select(ResourceTypeTable).options(*query_loaders)
     select_stmt = filter_resource_types(select_stmt, pydantic_filter_by, _error_handler)
 

orchestrator/graphql/resolvers/workflow.py

@@ -13,7 +13,7 @@ from orchestrator.graphql.resolvers.helpers import rows_from_statement
 from orchestrator.graphql.schemas.workflow import Workflow
 from orchestrator.graphql.types import GraphqlFilter, GraphqlSort, OrchestratorInfo
 from orchestrator.graphql.utils import create_resolver_error_handler, is_querying_page_data, to_graphql_result_page
-from orchestrator.graphql.utils.get_query_loaders import get_query_loaders
+from orchestrator.graphql.utils.get_query_loaders import get_query_loaders_for_gql_fields
 from orchestrator.utils.search_query import create_sqlalchemy_select
 
 logger = structlog.get_logger(__name__)
@@ -33,7 +33,7 @@ async def resolve_workflows(
     pydantic_sort_by: list[Sort] = [item.to_pydantic() for item in sort_by] if sort_by else []
     logger.debug("resolve_workflows() called", range=[after, after + first], sort=sort_by, filter=pydantic_filter_by)
 
-    query_loaders = get_query_loaders(info, WorkflowTable)
+    query_loaders = get_query_loaders_for_gql_fields(WorkflowTable, info)
     select_stmt = WorkflowTable.select().options(*query_loaders)
     select_stmt = filter_workflows(select_stmt, pydantic_filter_by, _error_handler)
 

orchestrator/graphql/utils/get_query_loaders.py

@@ -1,61 +1,19 @@
-from typing import Iterable
-
-import structlog
 from sqlalchemy.orm import Load
 
 from orchestrator.db.database import BaseModel as DbBaseModel
-from orchestrator.db.loaders import AttrLoader, join_attr_loaders, lookup_attr_loaders
+from orchestrator.db.loaders import (
+    get_query_loaders_for_model_paths,
+)
 from orchestrator.graphql.types import OrchestratorInfo
 from orchestrator.graphql.utils.get_selected_paths import get_selected_paths
 
-logger = structlog.get_logger(__name__)
-
-
-def _split_path(query_path: str) -> Iterable[str]:
-    yield from (field for field in query_path.split(".") if field != "page")
 
-
-def get_query_loaders(info: OrchestratorInfo, root_model: type[DbBaseModel]) -> list[Load]:
+def get_query_loaders_for_gql_fields(root_model: type[DbBaseModel], info: OrchestratorInfo) -> list[Load]:
     """Get sqlalchemy query loaders for the given GraphQL query.
 
     Based on the GraphQL query's selected fields, returns the required DB loaders to use
     in SQLALchemy's `.options()` for efficiently quering (nested) relationships.
     """
-    # Strip page and sort by length to find the longest match first
-    query_paths = [path.removeprefix("page.") for path in get_selected_paths(info)]
-    query_paths.sort(key=lambda x: x.count("."), reverse=True)
-
-    def get_loader_for_path(query_path: str) -> tuple[str, Load | None]:
-        next_model = root_model
-
-        matched_fields: list[str] = []
-        path_loaders: list[AttrLoader] = []
-
-        for field in _split_path(query_path):
-            if not (attr_loaders := lookup_attr_loaders(next_model, field)):
-                break
-
-            matched_fields.append(field)
-            path_loaders.extend(attr_loaders)
-            next_model = attr_loaders[-1].next_model
-
-        return ".".join(matched_fields), join_attr_loaders(path_loaders)
-
-    query_loaders: dict[str, Load] = {}
-
-    for path in query_paths:
-        matched_path, loader = get_loader_for_path(path)
-        if not matched_path or not loader or matched_path in query_loaders:
-            continue
-        if any(known_path.startswith(f"{matched_path}.") for known_path in query_loaders):
-            continue
-        query_loaders[matched_path] = loader
+    model_paths = [path.removeprefix("page.") for path in get_selected_paths(info)]
 
-    loaders = list(query_loaders.values())
-    logger.debug(
-        "Generated query loaders",
-        root_model=root_model,
-        query_paths=query_paths,
-        query_loaders=[str(i.path) for i in loaders],
-    )
-    return loaders
+    return get_query_loaders_for_model_paths(root_model, model_paths)

orchestrator/graphql/utils/get_subscription_product_blocks.py

@@ -70,7 +70,14 @@ def get_all_product_blocks(subscription: dict[str, Any], _tags: list[str] | None
     return list(locate_product_block(subscription))
 
 
-pb_instance_property_keys = ("id", "parent", "owner_subscription_id", "subscription_instance_id", "in_use_by_relations")
+pb_instance_property_keys = (
+    "id",
+    "parent",
+    "owner_subscription_id",
+    "subscription_instance_id",
+    "in_use_by_relations",
+    "in_use_by_ids",
+)
 
 
 async def get_subscription_product_blocks(

orchestrator/migrations/versions/schema/2025-03-06_42b3d076a85b_subscription_instance_as_json_function.py

@@ -0,0 +1,33 @@
+"""Add postgres function subscription_instance_as_json.
+
+Revision ID: 42b3d076a85b
+Revises: bac6be6f2b4f
+Create Date: 2025-03-06 15:03:09.477225
+
+"""
+
+from pathlib import Path
+
+from alembic import op
+from sqlalchemy import text
+
+# revision identifiers, used by Alembic.
+revision = "42b3d076a85b"
+down_revision = "bac6be6f2b4f"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    conn = op.get_bind()
+
+    revision_file_path = Path(__file__)
+    with open(revision_file_path.with_suffix(".sql")) as f:
+        conn.execute(text(f.read()))
+
+
+def downgrade() -> None:
+    conn = op.get_bind()
+
+    conn.execute(text("DROP FUNCTION IF EXISTS subscription_instance_as_json;"))
+    conn.execute(text("DROP FUNCTION IF EXISTS subscription_instance_fields_as_json;"))

orchestrator/migrations/versions/schema/2025-03-06_42b3d076a85b_subscription_instance_as_json_function.sql

@@ -0,0 +1,40 @@
+CREATE OR REPLACE FUNCTION subscription_instance_fields_as_json(sub_inst_id uuid)
+    RETURNS jsonb
+    LANGUAGE sql
+    STABLE PARALLEL SAFE AS
+$func$
+select jsonb_object_agg(rts.key, rts.val)
+from (select attr.key,
+             attr.val
+      from subscription_instances si
+               join product_blocks pb ON si.product_block_id = pb.product_block_id
+               cross join lateral (
+          values ('subscription_instance_id', to_jsonb(si.subscription_instance_id)),
+                 ('owner_subscription_id', to_jsonb(si.subscription_id)),
+                 ('name', to_jsonb(pb.name))
+          ) as attr(key, val)
+      where si.subscription_instance_id = sub_inst_id
+      union all
+      select rt.resource_type                            key,
+             jsonb_agg(siv.value ORDER BY siv.value ASC) val
+      from subscription_instance_values siv
+               join resource_types rt on siv.resource_type_id = rt.resource_type_id
+      where siv.subscription_instance_id = sub_inst_id
+      group by rt.resource_type) as rts
+$func$;
+
+
+CREATE OR REPLACE FUNCTION subscription_instance_as_json(sub_inst_id uuid)
+    RETURNS jsonb
+    LANGUAGE sql
+    STABLE PARALLEL SAFE AS
+$func$
+select subscription_instance_fields_as_json(sub_inst_id) ||
+       coalesce(jsonb_object_agg(depends_on.block_name, depends_on.block_instances), '{}'::jsonb)
+from (select sir.domain_model_attr                                                                    block_name,
+             jsonb_agg(subscription_instance_as_json(sir.depends_on_id) ORDER BY sir.order_id ASC) as block_instances
+      from subscription_instance_relations sir
+      where sir.in_use_by_id = sub_inst_id
+        and sir.domain_model_attr is not null
+      group by block_name) as depends_on
+$func$;

orchestrator/services/processes.py

@@ -1,4 +1,4 @@
-# Copyright 2019-2020 SURF, GÉANT.
+# Copyright 2019-2025 SURF, GÉANT, ESnet.
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@@ -24,15 +24,10 @@ from sqlalchemy.exc import SQLAlchemyError
 from sqlalchemy.orm import joinedload
 
 from nwastdlib.ex import show_ex
+from oauth2_lib.fastapi import OIDCUserModel
 from orchestrator.api.error_handling import raise_status
 from orchestrator.config.assignee import Assignee
-from orchestrator.db import (
-    EngineSettingsTable,
-    ProcessStepTable,
-    ProcessSubscriptionTable,
-    ProcessTable,
-    db,
-)
+from orchestrator.db import EngineSettingsTable, ProcessStepTable, ProcessSubscriptionTable, ProcessTable, db
 from orchestrator.distlock import distlock_manager
 from orchestrator.schemas.engine_settings import WorkerStatus
 from orchestrator.services.input_state import store_input_state
@@ -414,10 +409,15 @@ def _run_process_async(process_id: UUID, f: Callable) -> UUID:
     return process_id
 
 
+def error_message_unauthorized(workflow_key: str) -> str:
+    return f"User is not authorized to execute '{workflow_key}' workflow"
+
+
 def create_process(
     workflow_key: str,
     user_inputs: list[State] | None = None,
     user: str = SYSTEM_USER,
+    user_model: OIDCUserModel | None = None,
 ) -> ProcessStat:
     # ATTENTION!! When modifying this function make sure you make similar changes to `run_workflow` in the test code
 
@@ -430,6 +430,9 @@ def create_process(
     if not workflow:
         raise_status(HTTPStatus.NOT_FOUND, "Workflow does not exist")
 
+    if not workflow.authorize_callback(user_model):
+        raise_status(HTTPStatus.FORBIDDEN, error_message_unauthorized(workflow_key))
+
     initial_state = {
         "process_id": process_id,
         "reporter": user,
@@ -449,6 +452,7 @@ def create_process(
         state=Success(state | initial_state),
         log=workflow.steps,
         current_user=user,
+        user_model=user_model,
     )
 
     _db_create_process(pstat)
@@ -460,9 +464,12 @@ def thread_start_process(
     workflow_key: str,
     user_inputs: list[State] | None = None,
     user: str = SYSTEM_USER,
+    user_model: OIDCUserModel | None = None,
     broadcast_func: BroadcastFunc | None = None,
 ) -> UUID:
     pstat = create_process(workflow_key, user_inputs=user_inputs, user=user)
+    if not pstat.workflow.authorize_callback(user_model):
+        raise_status(HTTPStatus.FORBIDDEN, error_message_unauthorized(workflow_key))
 
     _safe_logstep_with_func = partial(safe_logstep, broadcast_func=broadcast_func)
     return _run_process_async(pstat.process_id, lambda: runwf(pstat, _safe_logstep_with_func))
@@ -472,6 +479,7 @@ def start_process(
     workflow_key: str,
     user_inputs: list[State] | None = None,
     user: str = SYSTEM_USER,
+    user_model: OIDCUserModel | None = None,
     broadcast_func: BroadcastFunc | None = None,
 ) -> UUID:
     """Start a process for workflow.
@@ -480,6 +488,7 @@ def start_process(
         workflow_key: name of workflow
         user_inputs: List of form inputs from frontend
         user: User who starts this process
+        user_model: Full OIDCUserModel with claims, etc
         broadcast_func: Optional function to broadcast process data
 
     Returns:
@@ -487,7 +496,9 @@ def start_process(
 
     """
     start_func = get_execution_context()["start"]
-    return start_func(workflow_key, user_inputs=user_inputs, user=user, broadcast_func=broadcast_func)
+    return start_func(
+        workflow_key, user_inputs=user_inputs, user=user, user_model=user_model, broadcast_func=broadcast_func
+    )
 
 
 def thread_resume_process(
@@ -495,6 +506,7 @@ def thread_resume_process(
     *,
     user_inputs: list[State] | None = None,
     user: str | None = None,
+    user_model: OIDCUserModel | None = None,
     broadcast_func: BroadcastFunc | None = None,
 ) -> UUID:
     # ATTENTION!! When modifying this function make sure you make similar changes to `resume_workflow` in the test code
@@ -503,6 +515,8 @@ def thread_resume_process(
         user_inputs = [{}]
 
     pstat = load_process(process)
+    if not pstat.workflow.authorize_callback(user_model):
+        raise_status(HTTPStatus.FORBIDDEN, error_message_unauthorized(str(process.workflow_name)))
 
     if pstat.workflow == removed_workflow:
         raise ValueError("This workflow cannot be resumed")
@@ -542,6 +556,7 @@ def resume_process(
     *,
     user_inputs: list[State] | None = None,
     user: str | None = None,
+    user_model: OIDCUserModel | None = None,
     broadcast_func: BroadcastFunc | None = None,
 ) -> UUID:
     """Resume a failed or suspended process.
@@ -550,6 +565,7 @@ def resume_process(
         process: Process from database
         user_inputs: Optional user input from forms
         user: user who resumed this process
+        user_model: OIDCUserModel of user who resumed this process
         broadcast_func: Optional function to broadcast process data
 
     Returns:
@@ -557,6 +573,9 @@ def resume_process(
 
     """
     pstat = load_process(process)
+    if not pstat.workflow.authorize_callback(user_model):
+        raise_status(HTTPStatus.FORBIDDEN, error_message_unauthorized(str(process.workflow_name)))
+
     try:
         post_form(pstat.log[0].form, pstat.state.unwrap(), user_inputs=user_inputs or [])
     except FormValidationError:

orchestrator/services/subscriptions.py

@@ -22,6 +22,7 @@ from uuid import UUID
 
 import more_itertools
 import structlog
+from more_itertools import first
 from sqlalchemy import Text, cast, not_, select
 from sqlalchemy.exc import SQLAlchemyError
 from sqlalchemy.orm import Query, aliased, joinedload
@@ -41,7 +42,11 @@ from orchestrator.db.models import (
     SubscriptionInstanceRelationTable,
     SubscriptionMetadataTable,
 )
+from orchestrator.db.queries.subscription import (
+    eagerload_all_subscription_instances_only_inuseby,
+)
 from orchestrator.domain.base import SubscriptionModel
+from orchestrator.domain.context_cache import cache_subscription_models
 from orchestrator.targets import Target
 from orchestrator.types import SubscriptionLifecycle
 from orchestrator.utils.datetime import nowtz
@@ -594,13 +599,15 @@ def convert_to_in_use_by_relation(obj: Any) -> dict[str, str]:
 
 def build_extended_domain_model(subscription_model: SubscriptionModel) -> dict:
     """Create a subscription dict from the SubscriptionModel with additional keys."""
-    stmt = select(SubscriptionCustomerDescriptionTable).filter(
+    from orchestrator.settings import app_settings
+
+    stmt = select(SubscriptionCustomerDescriptionTable).where(
         SubscriptionCustomerDescriptionTable.subscription_id == subscription_model.subscription_id
     )
     customer_descriptions = list(db.session.scalars(stmt))
 
-    subscription = subscription_model.model_dump()
-    paths = product_block_paths(subscription)
+    with cache_subscription_models():
+        subscription = subscription_model.model_dump()
 
     def inject_in_use_by_ids(path_to_block: str) -> None:
         if not (in_use_by_subs := getattr_in(subscription_model, f"{path_to_block}.in_use_by")):
@@ -611,15 +618,38 @@ def build_extended_domain_model(subscription_model: SubscriptionModel) -> dict:
         update_in(subscription, f"{path_to_block}.in_use_by_ids", in_use_by_ids)
         update_in(subscription, f"{path_to_block}.in_use_by_relations", in_use_by_relations)
 
-    # find all product blocks, check if they have in_use_by and inject the in_use_by_ids into the subscription dict.
-    for path in paths:
-        inject_in_use_by_ids(path)
+    if app_settings.ENABLE_SUBSCRIPTION_MODEL_OPTIMIZATIONS:
+        # TODO #900 remove toggle and make this path the default
+        # query all subscription instances and inject the in_use_by_ids/in_use_by_relations into the subscription dict.
+        instance_to_in_use_by = {
+            instance.subscription_instance_id: instance.in_use_by
+            for instance in eagerload_all_subscription_instances_only_inuseby(subscription_model.subscription_id)
+        }
+        inject_in_use_by_ids_v2(subscription, instance_to_in_use_by)
+    else:
+        # find all product blocks, check if they have in_use_by and inject the in_use_by_ids into the subscription dict.
+        for path in product_block_paths(subscription):
+            inject_in_use_by_ids(path)
 
     subscription["customer_descriptions"] = customer_descriptions
 
     return subscription
 
 
+def inject_in_use_by_ids_v2(dikt: dict, instance_to_in_use_by: dict[UUID, Sequence[SubscriptionInstanceTable]]) -> None:
+    for value in dikt.values():
+        if isinstance(value, dict):
+            inject_in_use_by_ids_v2(value, instance_to_in_use_by)
+        elif isinstance(value, list) and isinstance(first(value, None), dict):
+            for item in value:
+                inject_in_use_by_ids_v2(item, instance_to_in_use_by)
+
+    if subscription_instance_id := dikt.get("subscription_instance_id"):
+        in_use_by_subs = instance_to_in_use_by[subscription_instance_id]
+        dikt["in_use_by_ids"] = [i.subscription_instance_id for i in in_use_by_subs]
+        dikt["in_use_by_relations"] = [convert_to_in_use_by_relation(instance) for instance in in_use_by_subs]
+
+
 def format_special_types(subscription: dict) -> dict:
     """Modifies the subscription dict in-place, formatting special types to string.
 

orchestrator/settings.py

@@ -87,6 +87,9 @@ class AppSettings(BaseSettings):
     ENABLE_GRAPHQL_STATS_EXTENSION: bool = False
     VALIDATE_OUT_OF_SYNC_SUBSCRIPTIONS: bool = False
     FILTER_BY_MODE: Literal["partial", "exact"] = "exact"
+    ENABLE_SUBSCRIPTION_MODEL_OPTIMIZATIONS: bool = (
+        True  # True=ignore cache + optimized DB queries; False=use cache + unoptimized DB queries. Remove in #900
+    )
 
 
 app_settings = AppSettings()

orchestrator/utils/functional.py

@@ -241,3 +241,12 @@ def to_ranges(i: Iterable[int]) -> Iterable[range]:
     for _, g in itertools.groupby(enumerate(i), lambda t: t[1] - t[0]):
         group = list(g)
         yield range(group[0][1], group[-1][1] + 1)
+
+
+K = TypeVar("K")
+V = TypeVar("V")
+
+
+def group_by_key(items: Iterable[tuple[K, V]]) -> dict[K, list[V]]:
+    groups = itertools.groupby(items, key=lambda item: item[0])
+    return {key: [item[1] for item in group] for key, group in groups}

orchestrator/utils/redis.py

@@ -55,6 +55,12 @@ def to_redis(subscription: dict[str, Any]) -> str | None:
 
 def from_redis(subscription_id: UUID) -> tuple[PY_JSON_TYPES, str] | None:
     log = logger.bind(subscription_id=subscription_id)
+
+    if app_settings.ENABLE_SUBSCRIPTION_MODEL_OPTIMIZATIONS:
+        # TODO #900 remove toggle and remove usage of this function in get_subscription_dict
+        log.warning("Using SubscriptionModel optimization, not loading subscription from cache")
+        return None
+
     if caching_models_enabled():
         log.debug("Try to retrieve subscription from cache")
         obj = cache.get(f"orchestrator:domain:{subscription_id}")

orchestrator/workflow.py

@@ -1,4 +1,4 @@
-# Copyright 2019-2025 SURF, GÉANT.
+# Copyright 2019-2025 SURF, GÉANT, ESnet.
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@@ -39,6 +39,7 @@ from structlog.contextvars import bound_contextvars
 from structlog.stdlib import BoundLogger
 
 from nwastdlib import const, identity
+from oauth2_lib.fastapi import OIDCUserModel
 from orchestrator.config.assignee import Assignee
 from orchestrator.db import db, transactional
 from orchestrator.services.settings import get_engine_settings
@@ -89,6 +90,7 @@ class Workflow(Protocol):
     __qualname__: str
     name: str
     description: str
+    authorize_callback: Callable[[OIDCUserModel | None], bool]
     initial_input_form: InputFormGenerator | None = None
     target: Target
     steps: StepList
@@ -178,12 +180,18 @@ def _handle_simple_input_form_generator(f: StateInputStepFunc) -> StateInputForm
     return form_generator
 
 
+def allow(_: OIDCUserModel | None) -> bool:
+    """Default function to return True in absence of user-defined authorize function."""
+    return True
+
+
 def make_workflow(
     f: Callable,
     description: str,
     initial_input_form: InputStepFunc | None,
     target: Target,
     steps: StepList,
+    authorize_callback: Callable[[OIDCUserModel | None], bool] | None = None,
 ) -> Workflow:
     @functools.wraps(f)
     def wrapping_function() -> NoReturn:
@@ -193,6 +201,7 @@ def make_workflow(
 
     wrapping_function.name = f.__name__  # default, will be changed by LazyWorkflowInstance
     wrapping_function.description = description
+    wrapping_function.authorize_callback = allow if authorize_callback is None else authorize_callback
 
     if initial_input_form is None:
         # We always need a form to prevent starting a workflow when no input is needed.
@@ -459,7 +468,10 @@ def focussteps(key: str) -> Callable[[Step | StepList], StepList]:
 
 
 def workflow(
-    description: str, initial_input_form: InputStepFunc | None = None, target: Target = Target.SYSTEM
+    description: str,
+    initial_input_form: InputStepFunc | None = None,
+    target: Target = Target.SYSTEM,
+    authorize_callback: Callable[[OIDCUserModel | None], bool] | None = None,
 ) -> Callable[[Callable[[], StepList]], Workflow]:
     """Transform an initial_input_form and a step list into a workflow.
 
@@ -479,7 +491,9 @@ def workflow(
         initial_input_form_in_form_inject_args = form_inject_args(initial_input_form)
 
     def _workflow(f: Callable[[], StepList]) -> Workflow:
-        return make_workflow(f, description, initial_input_form_in_form_inject_args, target, f())
+        return make_workflow(
+            f, description, initial_input_form_in_form_inject_args, target, f(), authorize_callback=authorize_callback
+        )
 
     return _workflow
 
@@ -491,13 +505,14 @@ class ProcessStat:
     state: Process
     log: StepList
     current_user: str
+    user_model: OIDCUserModel | None = None
 
     def update(self, **vs: Any) -> ProcessStat:
         """Update ProcessStat.
 
         >>> pstat = ProcessStat('', None, {}, [], "")
         >>> pstat.update(state={"a": "b"})
-        ProcessStat(process_id='', workflow=None, state={'a': 'b'}, log=[], current_user='')
+        ProcessStat(process_id='', workflow=None, state={'a': 'b'}, log=[], current_user='', user_model=None)
         """
         return ProcessStat(**{**asdict(self), **vs})
 

orchestrator/workflows/utils.py

@@ -1,4 +1,4 @@
-# Copyright 2019-2020 SURF, GÉANT.
+# Copyright 2019-2025 SURF, GÉANT, ESnet.
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@@ -20,6 +20,7 @@ from more_itertools import first_true
 from pydantic import field_validator, model_validator
 from sqlalchemy import select
 
+from oauth2_lib.fastapi import OIDCUserModel
 from orchestrator.db import ProductTable, SubscriptionTable, db
 from orchestrator.forms.validators import ProductId
 from orchestrator.services import subscriptions
@@ -30,7 +31,7 @@ from orchestrator.utils.errors import StaleDataError
 from orchestrator.utils.redis import caching_models_enabled
 from orchestrator.utils.state import form_inject_args
 from orchestrator.utils.validate_data_version import validate_data_version
-from orchestrator.workflow import StepList, Workflow, conditional, done, init, make_workflow, step
+from orchestrator.workflow import Step, StepList, Workflow, begin, conditional, done, init, make_workflow, step
 from orchestrator.workflows.steps import (
     cache_domain_models,
     refresh_subscription_search_index,
@@ -205,6 +206,7 @@ def create_workflow(
     initial_input_form: InputStepFunc | None = None,
     status: SubscriptionLifecycle = SubscriptionLifecycle.ACTIVE,
     additional_steps: StepList | None = None,
+    authorize_callback: Callable[[OIDCUserModel | None], bool] | None = None,
 ) -> Callable[[Callable[[], StepList]], Workflow]:
     """Transform an initial_input_form and a step list into a workflow with a target=Target.CREATE.
 
@@ -231,7 +233,14 @@ def create_workflow(
             >> done
         )
 
-        return make_workflow(f, description, create_initial_input_form_generator, Target.CREATE, steplist)
+        return make_workflow(
+            f,
+            description,
+            create_initial_input_form_generator,
+            Target.CREATE,
+            steplist,
+            authorize_callback=authorize_callback,
+        )
 
     return _create_workflow
 
@@ -240,6 +249,7 @@ def modify_workflow(
     description: str,
     initial_input_form: InputStepFunc | None = None,
     additional_steps: StepList | None = None,
+    authorize_callback: Callable[[OIDCUserModel | None], bool] | None = None,
 ) -> Callable[[Callable[[], StepList]], Workflow]:
     """Transform an initial_input_form and a step list into a workflow.
 
@@ -269,7 +279,14 @@ def modify_workflow(
             >> done
         )
 
-        return make_workflow(f, description, wrapped_modify_initial_input_form_generator, Target.MODIFY, steplist)
+        return make_workflow(
+            f,
+            description,
+            wrapped_modify_initial_input_form_generator,
+            Target.MODIFY,
+            steplist,
+            authorize_callback=authorize_callback,
+        )
 
     return _modify_workflow
 
@@ -278,6 +295,7 @@ def terminate_workflow(
     description: str,
     initial_input_form: InputStepFunc | None = None,
     additional_steps: StepList | None = None,
+    authorize_callback: Callable[[OIDCUserModel | None], bool] | None = None,
 ) -> Callable[[Callable[[], StepList]], Workflow]:
     """Transform an initial_input_form and a step list into a workflow.
 
@@ -308,7 +326,14 @@ def terminate_workflow(
             >> done
         )
 
-        return make_workflow(f, description, wrapped_terminate_initial_input_form_generator, Target.TERMINATE, steplist)
+        return make_workflow(
+            f,
+            description,
+            wrapped_terminate_initial_input_form_generator,
+            Target.TERMINATE,
+            steplist,
+            authorize_callback=authorize_callback,
+        )
 
     return _terminate_workflow
 
@@ -344,6 +369,16 @@ def validate_workflow(description: str) -> Callable[[Callable[[], StepList]], Wo
     return _validate_workflow
 
 
+def ensure_provisioning_status(modify_steps: Step | StepList) -> StepList:
+    """Decorator to ensure subscription modifications are executed only during Provisioning status."""
+    return (
+        begin
+        >> set_status(SubscriptionLifecycle.PROVISIONING)
+        >> modify_steps
+        >> set_status(SubscriptionLifecycle.ACTIVE)
+    )
+
+
 @step("Equalize workflow step count")
 def obsolete_step() -> None:
     """Equalize workflow step counts.