orchestrator-core 4.0.4__py3-none-any.whl → 4.1.0__py3-none-any.whl

orchestrator/__init__.py

@@ -13,7 +13,7 @@
 
 """This is the orchestrator workflow engine."""
 
-__version__ = "4.0.4"
+__version__ = "4.1.0"
 
 from orchestrator.app import OrchestratorCore
 from orchestrator.settings import app_settings

orchestrator/api/api_v1/endpoints/processes.py

@@ -25,7 +25,7 @@ from fastapi.param_functions import Body, Depends, Header
 from fastapi.routing import APIRouter
 from fastapi.websockets import WebSocket
 from fastapi_etag.dependency import CacheHit
-from more_itertools import chunked
+from more_itertools import chunked, last
 from sentry_sdk.tracing import trace
 from sqlalchemy import CompoundSelect, Select, select
 from sqlalchemy.orm import defer, joinedload
@@ -56,6 +56,7 @@ from orchestrator.services.processes import (
 )
 from orchestrator.services.settings import get_engine_settings
 from orchestrator.settings import app_settings
+from orchestrator.utils.auth import Authorizer
 from orchestrator.utils.enrich_process import enrich_process
 from orchestrator.websocket import (
     WS_CHANNELS,
@@ -63,7 +64,7 @@ from orchestrator.websocket import (
     broadcast_process_update_to_websocket,
     websocket_manager,
 )
-from orchestrator.workflow import ProcessStatus
+from orchestrator.workflow import ProcessStat, ProcessStatus, StepList, Workflow
 from pydantic_forms.types import JSON, State
 
 router = APIRouter()
@@ -86,6 +87,48 @@ def check_global_lock() -> None:
         )
 
 
+def get_current_steps(pstat: ProcessStat) -> StepList:
+    """Extract past and current steps from the ProcessStat."""
+    remaining_steps = pstat.log
+    past_steps = pstat.workflow.steps[: -len(remaining_steps)]
+    return StepList(past_steps + [pstat.log[0]])
+
+
+def get_auth_callbacks(steps: StepList, workflow: Workflow) -> tuple[Authorizer | None, Authorizer | None]:
+    """Iterate over workflow and prior steps to determine correct authorization callbacks for the current step.
+
+    It's safest to always iterate through the steps. We could track these callbacks statefully
+    as we progress through the workflow, but if we fail a step and the system restarts, the previous
+    callbacks will be lost if they're only available in the process state.
+
+    Priority:
+    - RESUME callback is explicit RESUME callback, else previous START/RESUME callback
+    - RETRY callback is explicit RETRY, else explicit RESUME, else previous RETRY
+    """
+    # Default to workflow start callbacks
+    auth_resume = workflow.authorize_callback
+    # auth_retry defaults to the workflow start callback if not otherwise specified.
+    # A workflow SHOULD have both callbacks set to not-None. This enforces the correct default regardless.
+    auth_retry = workflow.retry_auth_callback or auth_resume  # type: ignore[unreachable, truthy-function]
+
+    # Choose the most recently established value for resume.
+    auth_resume = last(filter(None, (step.resume_auth_callback for step in steps)), auth_resume)
+    # Choose the most recently established value for retry, unless there is a more recent value for resume.
+    auth_retry = last(
+        filter(None, (step.retry_auth_callback or step.resume_auth_callback for step in steps)), auth_retry
+    )
+    return auth_resume, auth_retry
+
+
+def can_be_resumed(status: ProcessStatus) -> bool:
+    return status in (
+        ProcessStatus.SUSPENDED,  # Can be resumed
+        ProcessStatus.FAILED,  # Can be retried
+        ProcessStatus.API_UNAVAILABLE,  # subtype of FAILED
+        ProcessStatus.INCONSISTENT_DATA,  # subtype of FAILED
+    )
+
+
 def resolve_user_name(
     *,
     reporter: Reporter | None,
@@ -150,18 +193,25 @@ def new_process(
     dependencies=[Depends(check_global_lock, use_cache=False)],
 )
 def resume_process_endpoint(
-    process_id: UUID, request: Request, json_data: JSON = Body(...), user: str = Depends(user_name)
+    process_id: UUID,
+    request: Request,
+    json_data: JSON = Body(...),
+    user: str = Depends(user_name),
+    user_model: OIDCUserModel | None = Depends(authenticate),
 ) -> None:
     process = _get_process(process_id)
 
-    if process.last_status == ProcessStatus.COMPLETED:
-        raise_status(HTTPStatus.CONFLICT, "Resuming a completed workflow is not possible")
-
-    if process.last_status == ProcessStatus.RUNNING:
-        raise_status(HTTPStatus.CONFLICT, "Resuming a running workflow is not possible")
-
-    if process.last_status == ProcessStatus.RESUMED:
-        raise_status(HTTPStatus.CONFLICT, "Resuming a resumed workflow is not possible")
+    if not can_be_resumed(process.last_status):
+        raise_status(HTTPStatus.CONFLICT, f"Resuming a {process.last_status.lower()} workflow is not possible")
+
+    pstat = load_process(process)
+    auth_resume, auth_retry = get_auth_callbacks(get_current_steps(pstat), pstat.workflow)
+    if process.last_status == ProcessStatus.SUSPENDED:
+        if auth_resume is not None and not auth_resume(user_model):
+            raise_status(HTTPStatus.FORBIDDEN, "User is not authorized to resume step")
+    elif process.last_status == ProcessStatus.FAILED:
+        if auth_retry is not None and not auth_retry(user_model):
+            raise_status(HTTPStatus.FORBIDDEN, "User is not authorized to retry step")
 
     broadcast_invalidate_status_counts()
     broadcast_func = api_broadcast_process_data(request)

orchestrator/api/api_v1/endpoints/settings.py

@@ -22,11 +22,17 @@ from sqlalchemy.exc import SQLAlchemyError
 from oauth2_lib.fastapi import OIDCUserModel
 from orchestrator.api.error_handling import raise_status
 from orchestrator.db import EngineSettingsTable
-from orchestrator.schemas import EngineSettingsBaseSchema, EngineSettingsSchema, WorkerStatus
+from orchestrator.schemas import (
+    EngineSettingsBaseSchema,
+    EngineSettingsSchema,
+    WorkerStatus,
+)
 from orchestrator.security import authenticate
 from orchestrator.services import processes, settings
 from orchestrator.services.settings import generate_engine_global_status
+from orchestrator.services.settings_env_variables import get_all_exposed_settings
 from orchestrator.settings import ExecutorType, app_settings
+from orchestrator.utils.expose_settings import SettingsExposedSchema
 from orchestrator.utils.json import json_dumps
 from orchestrator.utils.redis import delete_keys_matching_pattern
 from orchestrator.utils.redis_client import create_redis_asyncio_client
@@ -169,3 +175,8 @@ def generate_engine_status_response(
     result = EngineSettingsSchema.model_validate(engine_settings)
     result.global_status = generate_engine_global_status(engine_settings)
     return result
+
+
+@router.get("/overview", response_model=list[SettingsExposedSchema])
+def get_exposed_settings() -> list[SettingsExposedSchema]:
+    return get_all_exposed_settings()

orchestrator/services/celery.py

@@ -19,6 +19,7 @@ import structlog
 from celery.result import AsyncResult
 from kombu.exceptions import ConnectionError, OperationalError
 
+from oauth2_lib.fastapi import OIDCUserModel
 from orchestrator import app_settings
 from orchestrator.api.error_handling import raise_status
 from orchestrator.db import ProcessTable, db
@@ -42,7 +43,11 @@ def _block_when_testing(task_result: AsyncResult) -> None:
 
 
 def _celery_start_process(
-    workflow_key: str, user_inputs: list[State] | None, user: str = SYSTEM_USER, **kwargs: Any
+    workflow_key: str,
+    user_inputs: list[State] | None,
+    user: str = SYSTEM_USER,
+    user_model: OIDCUserModel | None = None,
+    **kwargs: Any,
 ) -> UUID:
     """Client side call of Celery."""
     from orchestrator.services.tasks import NEW_TASK, NEW_WORKFLOW, get_celery_task
@@ -57,7 +62,7 @@ def _celery_start_process(
 
     task_name = NEW_TASK if wf_table.is_task else NEW_WORKFLOW
     trigger_task = get_celery_task(task_name)
-    pstat = create_process(workflow_key, user_inputs, user)
+    pstat = create_process(workflow_key, user_inputs=user_inputs, user=user, user_model=user_model)
     try:
         result = trigger_task.delay(pstat.process_id, workflow_key, user)
         _block_when_testing(result)

orchestrator/services/processes.py

@@ -467,9 +467,7 @@ def thread_start_process(
     user_model: OIDCUserModel | None = None,
     broadcast_func: BroadcastFunc | None = None,
 ) -> UUID:
-    pstat = create_process(workflow_key, user_inputs=user_inputs, user=user)
-    if not pstat.workflow.authorize_callback(user_model):
-        raise_status(HTTPStatus.FORBIDDEN, error_message_unauthorized(workflow_key))
+    pstat = create_process(workflow_key, user_inputs=user_inputs, user=user, user_model=user_model)
 
     _safe_logstep_with_func = partial(safe_logstep, broadcast_func=broadcast_func)
     return _run_process_async(pstat.process_id, lambda: runwf(pstat, _safe_logstep_with_func))
@@ -506,7 +504,6 @@ def thread_resume_process(
     *,
     user_inputs: list[State] | None = None,
     user: str | None = None,
-    user_model: OIDCUserModel | None = None,
     broadcast_func: BroadcastFunc | None = None,
 ) -> UUID:
     # ATTENTION!! When modifying this function make sure you make similar changes to `resume_workflow` in the test code
@@ -515,8 +512,6 @@ def thread_resume_process(
         user_inputs = [{}]
 
     pstat = load_process(process)
-    if not pstat.workflow.authorize_callback(user_model):
-        raise_status(HTTPStatus.FORBIDDEN, error_message_unauthorized(str(process.workflow_name)))
 
     if pstat.workflow == removed_workflow:
         raise ValueError("This workflow cannot be resumed")
@@ -556,7 +551,6 @@ def resume_process(
     *,
     user_inputs: list[State] | None = None,
     user: str | None = None,
-    user_model: OIDCUserModel | None = None,
     broadcast_func: BroadcastFunc | None = None,
 ) -> UUID:
     """Resume a failed or suspended process.
@@ -565,7 +559,6 @@ def resume_process(
         process: Process from database
         user_inputs: Optional user input from forms
         user: user who resumed this process
-        user_model: OIDCUserModel of user who resumed this process
         broadcast_func: Optional function to broadcast process data
 
     Returns:
@@ -573,8 +566,6 @@ def resume_process(
 
     """
     pstat = load_process(process)
-    if not pstat.workflow.authorize_callback(user_model):
-        raise_status(HTTPStatus.FORBIDDEN, error_message_unauthorized(str(process.workflow_name)))
 
     try:
         post_form(pstat.log[0].form, pstat.state.unwrap(), user_inputs=user_inputs or [])

orchestrator/services/settings_env_variables.py

@@ -0,0 +1,68 @@
+# Copyright 2019-2025 SURF.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from typing import Any, Dict, Type
+
+from pydantic import SecretStr as PydanticSecretStr
+from pydantic_core import MultiHostUrl
+from pydantic_settings import BaseSettings
+
+from orchestrator.utils.expose_settings import SecretStr as OrchSecretStr
+from orchestrator.utils.expose_settings import SettingsEnvVariablesSchema, SettingsExposedSchema
+
+EXPOSED_ENV_SETTINGS_REGISTRY: Dict[str, Type[BaseSettings]] = {}
+MASK = "**********"
+
+
+def expose_settings(settings_name: str, base_settings: Type[BaseSettings]) -> Type[BaseSettings]:
+    """Decorator to register settings classes."""
+    EXPOSED_ENV_SETTINGS_REGISTRY[settings_name] = base_settings
+    return base_settings
+
+
+def mask_value(key: str, value: Any) -> Any:
+    key_lower = key.lower()
+
+    if "secret" in key_lower or "password" in key_lower:
+        # Mask sensitive information
+        return MASK
+
+    if isinstance(value, PydanticSecretStr):
+        # Need to convert SecretStr to str for serialization
+        return str(value)
+
+    if isinstance(value, OrchSecretStr):
+        return MASK
+
+    # PostgresDsn is just MultiHostUrl with extra metadata (annotations)
+    if isinstance(value, MultiHostUrl):
+        # Convert PostgresDsn to str for serialization
+        return MASK
+
+    return value
+
+
+def get_all_exposed_settings() -> list[SettingsExposedSchema]:
+    """Return all registered settings as dicts."""
+
+    def _get_settings_env_variables(base_settings: Type[BaseSettings]) -> list[SettingsEnvVariablesSchema]:
+        """Get environment variables from settings."""
+        return [
+            SettingsEnvVariablesSchema(env_name=key, env_value=mask_value(key, value))
+            for key, value in base_settings.model_dump().items()  # type: ignore
+        ]
+
+    return [
+        SettingsExposedSchema(name=name, variables=_get_settings_env_variables(base_settings))
+        for name, base_settings in EXPOSED_ENV_SETTINGS_REGISTRY.items()
+    ]

orchestrator/settings.py

@@ -20,6 +20,8 @@ from pydantic import Field, NonNegativeInt, PostgresDsn, RedisDsn
 from pydantic_settings import BaseSettings
 
 from oauth2_lib.settings import oauth2lib_settings
+from orchestrator.services.settings_env_variables import expose_settings
+from orchestrator.utils.expose_settings import SecretStr as OrchSecretStr
 from pydantic_forms.types import strEnum
 
 
@@ -30,7 +32,7 @@ class ExecutorType(strEnum):
 
 class AppSettings(BaseSettings):
     TESTING: bool = True
-    SESSION_SECRET: str = "".join(secrets.choice(string.ascii_letters) for i in range(16))  # noqa: S311
+    SESSION_SECRET: OrchSecretStr = "".join(secrets.choice(string.ascii_letters) for i in range(16))  # type: ignore
     CORS_ORIGINS: str = "*"
     CORS_ALLOW_METHODS: list[str] = ["GET", "PUT", "PATCH", "POST", "DELETE", "OPTIONS", "HEAD"]
     CORS_ALLOW_HEADERS: list[str] = ["If-None-Match", "Authorization", "If-Match", "Content-Type"]
@@ -55,7 +57,7 @@ class AppSettings(BaseSettings):
     MAIL_PORT: int = 25
     MAIL_STARTTLS: bool = False
     CACHE_URI: RedisDsn = "redis://localhost:6379/0"  # type: ignore
-    CACHE_HMAC_SECRET: str | None = None  # HMAC signing key, used when pickling results in the cache
+    CACHE_HMAC_SECRET: OrchSecretStr | None = None  # HMAC signing key, used when pickling results in the cache
     REDIS_RETRY_COUNT: NonNegativeInt = Field(
         2, description="Number of retries for redis connection errors/timeouts, 0 to disable"
     )  # More info: https://redis-py.readthedocs.io/en/stable/retry.html
@@ -87,6 +89,8 @@ class AppSettings(BaseSettings):
     ENABLE_PROMETHEUS_METRICS_ENDPOINT: bool = False
     VALIDATE_OUT_OF_SYNC_SUBSCRIPTIONS: bool = False
     FILTER_BY_MODE: Literal["partial", "exact"] = "exact"
+    EXPOSE_SETTINGS: bool = False
+    EXPOSE_OAUTH_SETTINGS: bool = False
 
 
 app_settings = AppSettings()
@@ -94,3 +98,8 @@ app_settings = AppSettings()
 # Set oauth2lib_settings variables to the same (default) value of settings
 oauth2lib_settings.SERVICE_NAME = app_settings.SERVICE_NAME
 oauth2lib_settings.ENVIRONMENT = app_settings.ENVIRONMENT
+
+if app_settings.EXPOSE_SETTINGS:
+    expose_settings("app_settings", app_settings)  # type: ignore
+if app_settings.EXPOSE_OAUTH_SETTINGS:
+    expose_settings("oauth2lib_settings", oauth2lib_settings)  # type: ignore

orchestrator/utils/auth.py

@@ -0,0 +1,9 @@
+from collections.abc import Callable
+from typing import TypeAlias
+
+from oauth2_lib.fastapi import OIDCUserModel
+
+# This file is broken out separately to avoid circular imports.
+
+# Can instead use "type Authorizer = ..." in later Python versions.
+Authorizer: TypeAlias = Callable[[OIDCUserModel | None], bool]

orchestrator/utils/expose_settings.py

@@ -0,0 +1,45 @@
+# Copyright 2019-2025 SURF.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Utility module for exposing settings in a structured format.
+
+Unfortunately, this module needs to be imported from the utils and cannot be added to the schemas folder.
+This is due to circular import issues with the combination of schemas/settings.
+"""
+
+from typing import Any
+
+from pydantic import BaseModel
+from pydantic_core import core_schema
+
+
+class SecretStr(str):
+    """A string that is treated as a secret, for example, passwords or API keys.
+
+    This class is used to indicate that the string should not be logged or displayed in plaintext.
+    """
+
+    @classmethod
+    def __get_pydantic_core_schema__(cls, source_type, handler):  # type: ignore
+        # This method is used to define how the SecretStr type should be handled by Pydantic.
+        # With this implementation, it will fail validation.
+        return core_schema.no_info_plain_validator_function(cls)
+
+
+class SettingsEnvVariablesSchema(BaseModel):
+    env_name: str
+    env_value: Any
+
+
+class SettingsExposedSchema(BaseModel):
+    name: str
+    variables: list[SettingsEnvVariablesSchema]

orchestrator/workflow.py

@@ -45,6 +45,7 @@ from orchestrator.db import db, transactional
 from orchestrator.services.settings import get_engine_settings
 from orchestrator.targets import Target
 from orchestrator.types import ErrorDict, StepFunc
+from orchestrator.utils.auth import Authorizer
 from orchestrator.utils.docs import make_workflow_doc
 from orchestrator.utils.errors import error_state_to_dict
 from orchestrator.utils.state import form_inject_args, inject_args
@@ -80,6 +81,8 @@ class Step(Protocol):
     name: str
     form: InputFormGenerator | None
     assignee: Assignee | None
+    resume_auth_callback: Authorizer | None = None
+    retry_auth_callback: Authorizer | None = None
 
     def __call__(self, state: State) -> Process: ...
 
@@ -90,7 +93,8 @@ class Workflow(Protocol):
     __qualname__: str
     name: str
     description: str
-    authorize_callback: Callable[[OIDCUserModel | None], bool]
+    authorize_callback: Authorizer
+    retry_auth_callback: Authorizer
     initial_input_form: InputFormGenerator | None = None
     target: Target
     steps: StepList
@@ -99,13 +103,20 @@ class Workflow(Protocol):
 
 
 def make_step_function(
-    f: Callable, name: str, form: InputFormGenerator | None = None, assignee: Assignee | None = Assignee.SYSTEM
+    f: Callable,
+    name: str,
+    form: InputFormGenerator | None = None,
+    assignee: Assignee | None = Assignee.SYSTEM,
+    resume_auth_callback: Authorizer | None = None,
+    retry_auth_callback: Authorizer | None = None,
 ) -> Step:
     step_func = cast(Step, f)
 
     step_func.name = name
     step_func.form = form
     step_func.assignee = assignee
+    step_func.resume_auth_callback = resume_auth_callback
+    step_func.retry_auth_callback = retry_auth_callback
     return step_func
 
 
@@ -167,6 +178,7 @@ class StepList(list[Step]):
 
 
 def _handle_simple_input_form_generator(f: StateInputStepFunc) -> StateInputFormGenerator:
+    """Processes f into a form generator and injects a pre-hook for user authorization."""
     if inspect.isgeneratorfunction(f):
         return cast(StateInputFormGenerator, f)
     if inspect.isgenerator(f):
@@ -191,7 +203,8 @@ def make_workflow(
     initial_input_form: InputStepFunc | None,
     target: Target,
     steps: StepList,
-    authorize_callback: Callable[[OIDCUserModel | None], bool] | None = None,
+    authorize_callback: Authorizer | None = None,
+    retry_auth_callback: Authorizer | None = None,
 ) -> Workflow:
     @functools.wraps(f)
     def wrapping_function() -> NoReturn:
@@ -202,6 +215,10 @@ def make_workflow(
     wrapping_function.name = f.__name__  # default, will be changed by LazyWorkflowInstance
     wrapping_function.description = description
     wrapping_function.authorize_callback = allow if authorize_callback is None else authorize_callback
+    # If no retry auth policy is given, defer to policy for process creation.
+    wrapping_function.retry_auth_callback = (
+        wrapping_function.authorize_callback if retry_auth_callback is None else retry_auth_callback
+    )
 
     if initial_input_form is None:
         # We always need a form to prevent starting a workflow when no input is needed.
@@ -270,9 +287,16 @@ def retrystep(name: str) -> Callable[[StepFunc], Step]:
     return decorator
 
 
-def inputstep(name: str, assignee: Assignee) -> Callable[[InputStepFunc], Step]:
+def inputstep(
+    name: str,
+    assignee: Assignee,
+    resume_auth_callback: Authorizer | None = None,
+    retry_auth_callback: Authorizer | None = None,
+) -> Callable[[InputStepFunc], Step]:
     """Add user input step to workflow.
 
+    Any authorization callbacks will be attached to the resulting Step.
+
     IMPORTANT: In contrast to other workflow steps, the `@inputstep` wrapped function will not run in the
     workflow engine! This means that it must be free of side effects!
 
@@ -299,7 +323,14 @@ def inputstep(name: str, assignee: Assignee) -> Callable[[InputStepFunc], Step]:
         def suspend(state: State) -> Process:
             return Suspend(state)
 
-        return make_step_function(suspend, name, wrapper, assignee)
+        return make_step_function(
+            suspend,
+            name,
+            wrapper,
+            assignee,
+            resume_auth_callback=resume_auth_callback,
+            retry_auth_callback=retry_auth_callback,
+        )
 
     return decorator
 
@@ -479,7 +510,8 @@ def workflow(
     description: str,
     initial_input_form: InputStepFunc | None = None,
     target: Target = Target.SYSTEM,
-    authorize_callback: Callable[[OIDCUserModel | None], bool] | None = None,
+    authorize_callback: Authorizer | None = None,
+    retry_auth_callback: Authorizer | None = None,
 ) -> Callable[[Callable[[], StepList]], Workflow]:
     """Transform an initial_input_form and a step list into a workflow.
 
@@ -500,7 +532,13 @@ def workflow(
 
     def _workflow(f: Callable[[], StepList]) -> Workflow:
         return make_workflow(
-            f, description, initial_input_form_in_form_inject_args, target, f(), authorize_callback=authorize_callback
+            f,
+            description,
+            initial_input_form_in_form_inject_args,
+            target,
+            f(),
+            authorize_callback=authorize_callback,
+            retry_auth_callback=retry_auth_callback,
         )
 
     return _workflow

orchestrator/workflows/steps.py

@@ -23,6 +23,7 @@ from orchestrator.services.subscriptions import get_subscription
 from orchestrator.targets import Target
 from orchestrator.types import SubscriptionLifecycle
 from orchestrator.utils.json import to_serializable
+from orchestrator.websocket import sync_invalidate_subscription_cache
 from orchestrator.workflow import Step, step
 from pydantic_forms.types import State, UUIDstr
 
@@ -33,6 +34,7 @@ logger = structlog.get_logger(__name__)
 def resync(subscription: SubscriptionModel) -> State:
     """Transition a subscription to in sync."""
     subscription.insync = True
+    sync_invalidate_subscription_cache(subscription.subscription_id)
     return {"subscription": subscription}
 
 
@@ -93,6 +95,7 @@ def unsync(subscription_id: UUIDstr, __old_subscriptions__: dict | None = None)
     if not subscription.insync:
         raise ValueError("Subscription is already out of sync, cannot continue!")
     subscription.insync = False
+    sync_invalidate_subscription_cache(subscription.subscription_id)
 
     return {"subscription": subscription, "__old_subscriptions__": subscription_backup}
 

orchestrator/workflows/utils.py

@@ -20,12 +20,12 @@ from more_itertools import first_true
 from pydantic import field_validator, model_validator
 from sqlalchemy import select
 
-from oauth2_lib.fastapi import OIDCUserModel
 from orchestrator.db import ProductTable, SubscriptionTable, db
 from orchestrator.forms.validators import ProductId
 from orchestrator.services import subscriptions
 from orchestrator.targets import Target
 from orchestrator.types import SubscriptionLifecycle
+from orchestrator.utils.auth import Authorizer
 from orchestrator.utils.errors import StaleDataError
 from orchestrator.utils.state import form_inject_args
 from orchestrator.utils.validate_data_version import validate_data_version
@@ -201,7 +201,8 @@ def create_workflow(
     initial_input_form: InputStepFunc | None = None,
     status: SubscriptionLifecycle = SubscriptionLifecycle.ACTIVE,
     additional_steps: StepList | None = None,
-    authorize_callback: Callable[[OIDCUserModel | None], bool] | None = None,
+    authorize_callback: Authorizer | None = None,
+    retry_auth_callback: Authorizer | None = None,
 ) -> Callable[[Callable[[], StepList]], Workflow]:
     """Transform an initial_input_form and a step list into a workflow with a target=Target.CREATE.
 
@@ -234,6 +235,7 @@ def create_workflow(
             Target.CREATE,
             steplist,
             authorize_callback=authorize_callback,
+            retry_auth_callback=retry_auth_callback,
         )
 
     return _create_workflow
@@ -243,7 +245,8 @@ def modify_workflow(
     description: str,
     initial_input_form: InputStepFunc | None = None,
     additional_steps: StepList | None = None,
-    authorize_callback: Callable[[OIDCUserModel | None], bool] | None = None,
+    authorize_callback: Authorizer | None = None,
+    retry_auth_callback: Authorizer | None = None,
 ) -> Callable[[Callable[[], StepList]], Workflow]:
     """Transform an initial_input_form and a step list into a workflow.
 
@@ -278,6 +281,7 @@ def modify_workflow(
             Target.MODIFY,
             steplist,
             authorize_callback=authorize_callback,
+            retry_auth_callback=retry_auth_callback,
         )
 
     return _modify_workflow
@@ -287,7 +291,8 @@ def terminate_workflow(
     description: str,
     initial_input_form: InputStepFunc | None = None,
     additional_steps: StepList | None = None,
-    authorize_callback: Callable[[OIDCUserModel | None], bool] | None = None,
+    authorize_callback: Authorizer | None = None,
+    retry_auth_callback: Authorizer | None = None,
 ) -> Callable[[Callable[[], StepList]], Workflow]:
     """Transform an initial_input_form and a step list into a workflow.
 
@@ -323,6 +328,7 @@ def terminate_workflow(
             Target.TERMINATE,
             steplist,
             authorize_callback=authorize_callback,
+            retry_auth_callback=retry_auth_callback,
         )
 
     return _terminate_workflow

{orchestrator_core-4.0.4.dist-info → orchestrator_core-4.1.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: orchestrator-core
-Version: 4.0.4
+Version: 4.1.0
 Summary: This is the orchestrator workflow engine.
 Requires-Python: >=3.11,<3.14
 Classifier: Intended Audience :: Information Technology
@@ -39,7 +39,7 @@ Requires-Dist: more-itertools~=10.7.0
 Requires-Dist: itsdangerous
 Requires-Dist: Jinja2==3.1.6
 Requires-Dist: orjson==3.10.18
-Requires-Dist: prometheus-client==0.22.0
+Requires-Dist: prometheus-client==0.22.1
 Requires-Dist: psycopg2-binary==2.9.10
 Requires-Dist: pydantic[email]~=2.8.2
 Requires-Dist: pydantic-settings~=2.9.1
@@ -84,7 +84,7 @@ Requires-Dist: dirty-equals ; extra == "test"
 Requires-Dist: jsonref ; extra == "test"
 Requires-Dist: mypy==1.9 ; extra == "test"
 Requires-Dist: pyinstrument ; extra == "test"
-Requires-Dist: pytest==8.3.5 ; extra == "test"
+Requires-Dist: pytest==8.4.1 ; extra == "test"
 Requires-Dist: pytest-asyncio==0.21.2 ; extra == "test"
 Requires-Dist: pytest-codspeed ; extra == "test"
 Requires-Dist: pytest-cov ; extra == "test"

{orchestrator_core-4.0.4.dist-info → orchestrator_core-4.1.0.dist-info}/RECORD

@@ -1,14 +1,14 @@
-orchestrator/__init__.py,sha256=YVe09WczpF4MK2XPRNEAfLMjIE3YCIBlDRgfibiP9U8,1063
+orchestrator/__init__.py,sha256=DbrwQbPx3_QWT2Pl7cyt5TeORw36VLXtYZ5lA7oO9qA,1063
 orchestrator/app.py,sha256=7UrXKjBKNSEaSSXAd5ww_RdMFhFqE4yvfj8faS2MzAA,12089
 orchestrator/exception_handlers.py,sha256=UsW3dw8q0QQlNLcV359bIotah8DYjMsj2Ts1LfX4ClY,1268
 orchestrator/log_config.py,sha256=1tPRX5q65e57a6a_zEii_PFK8SzWT0mnA5w2sKg4hh8,1853
 orchestrator/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 orchestrator/security.py,sha256=iXFxGxab54aav7oHEKLAVkTgrQMJGHy6IYLojEnD7gI,2422
-orchestrator/settings.py,sha256=ep4RXOIZfYb5ws4qT_E_iiANMQR91pvOhQQCv1t8osw,3879
+orchestrator/settings.py,sha256=TFIv09JIKY-lXqd04lH_XEcijEEyheaz3zTcgeG8DEI,4339
 orchestrator/targets.py,sha256=WizBgnp8hWX9YLFUIju7ewSubiwQqinCvyiYNcXHbHI,802
 orchestrator/types.py,sha256=qzs7xx5AYRmKbpYRyJJP3wuDb0W0bcAzefCN0RWLAco,15459
 orchestrator/version.py,sha256=b58e08lxs47wUNXv0jXFO_ykpksmytuzEXD4La4W-NQ,1366
-orchestrator/workflow.py,sha256=T_3Z1PrlF70C16ehAthKRF1hd3jpwV-MREDVxSLfxOw,44063
+orchestrator/workflow.py,sha256=N4KGmH_Nf0U6nTxs62-qby7WVIoppHF6uKrZKCdxwfQ,45285
 orchestrator/api/__init__.py,sha256=GyHNfEFCGKQwRiN6rQmvSRH2iYX7npjMZn97n8XzmLU,571
 orchestrator/api/error_handling.py,sha256=YrPCxSa-DSa9KwqIMlXI-KGBGnbGIW5ukOPiikUH9E4,1502
 orchestrator/api/helpers.py,sha256=s0QRHYw8AvEmlkmRhuEzz9xixaZKUF3YuPzUVHkcoXk,6933
@@ -17,11 +17,11 @@ orchestrator/api/api_v1/__init__.py,sha256=GyHNfEFCGKQwRiN6rQmvSRH2iYX7npjMZn97n
 orchestrator/api/api_v1/api.py,sha256=m4iDktsSpzxUDaudkdgXeZ83a6B4wfc3pczQsa-Pb-8,2866
 orchestrator/api/api_v1/endpoints/__init__.py,sha256=GyHNfEFCGKQwRiN6rQmvSRH2iYX7npjMZn97n8XzmLU,571
 orchestrator/api/api_v1/endpoints/health.py,sha256=iaxs1XX1_250_gKNsspuULCV2GEMBjbtjsmfQTOvMAI,1284
-orchestrator/api/api_v1/endpoints/processes.py,sha256=i5GRoszvdmpZqOxSqON83DNuc0UIV-ohOqbAa0OhESE,13564
+orchestrator/api/api_v1/endpoints/processes.py,sha256=Ah_Dc9ONXDpaFzLTqSNdhkGPHC7vUBkWmx1fWsEwbzo,16076
 orchestrator/api/api_v1/endpoints/product_blocks.py,sha256=kZ6ywIOsS_S2qGq7RvZ4KzjvaS1LmwbGWR37AKRvWOw,2146
 orchestrator/api/api_v1/endpoints/products.py,sha256=BfFtwu9dZXEQbtKxYj9icc73GKGvAGMR5ytyf41nQlQ,3081
 orchestrator/api/api_v1/endpoints/resource_types.py,sha256=gGyuaDyOD0TAVoeFGaGmjDGnQ8eQQArOxKrrk4MaDzA,2145
-orchestrator/api/api_v1/endpoints/settings.py,sha256=orcwFqGiQ3Ala3mLm_27ChXPkUFoGUeGNaDZnEIk2Ak,5848
+orchestrator/api/api_v1/endpoints/settings.py,sha256=5s-k169podZjgGHUbVDmSQwpY_3Cs_Bbf2PPtZIkBcw,6184
 orchestrator/api/api_v1/endpoints/subscription_customer_descriptions.py,sha256=1_6LtgQleoq3M6z_W-Qz__Bj3OFUweoPrUqHMwSH6AM,3288
 orchestrator/api/api_v1/endpoints/subscriptions.py,sha256=V-ebvjtFEKlALx8SKX42SiNPM-GAgSMWbuaimyktUQQ,8758
 orchestrator/api/api_v1/endpoints/translations.py,sha256=dIWh_fCnZZUxJoGiNeJ49DK_xpf75IpR_0EIMSvzIvY,963
@@ -260,26 +260,29 @@ orchestrator/schemas/subscription.py,sha256=-jXyHZIed9Xlia18ksSDyenblNN6Q2yM2FlG
 orchestrator/schemas/subscription_descriptions.py,sha256=Ft_jw1U0bf9Z0U8O4OWfLlcl0mXCVT_qYVagBP3GbIQ,1262
 orchestrator/schemas/workflow.py,sha256=VqQ9XfV4fVd6MjY0LRRQzWBJHmlPsAamWfTwDx1cZkg,2102
 orchestrator/services/__init__.py,sha256=GyHNfEFCGKQwRiN6rQmvSRH2iYX7npjMZn97n8XzmLU,571
-orchestrator/services/celery.py,sha256=SmAUsN755yE7cZ3og92qTvPPeRIpdEKlbaLih7o38h8,5089
+orchestrator/services/celery.py,sha256=PsIgRBJsmA3vKwAUaqPq9ynLwDsXHY2ggDWc-nQAwgM,5232
 orchestrator/services/fixed_inputs.py,sha256=kyz7s2HLzyDulvcq-ZqefTw1om86COvyvTjz0_5CmgI,876
 orchestrator/services/input_state.py,sha256=HF7wl9fWdaAW8pdCCqbuYoKyNj8dY0g8Ff8vXis8z5A,2211
 orchestrator/services/process_broadcast_thread.py,sha256=D44YbjF8mRqGuznkRUV4SoRn1J0lfy_x1H508GnSVlU,4649
-orchestrator/services/processes.py,sha256=rTH6zLNsun3qDCPguz2LYS87MQR_LJREIPrgkGS6kwk,30494
+orchestrator/services/processes.py,sha256=gXWdsJK8m_KwM4g-8LBQMb1tEcjUJWWIKmqobTE7OmU,29903
 orchestrator/services/products.py,sha256=BP4KyE8zO-8z7Trrs5T6zKBOw53S9BfBJnHWI3p6u5Y,1943
 orchestrator/services/resource_types.py,sha256=_QBy_JOW_X3aSTqH0CuLrq4zBJL0p7Q-UDJUcuK2_qc,884
 orchestrator/services/settings.py,sha256=HEWfFulgoEDwgfxGEO__QTr5fDiwNBEj1UhAeTAdbLQ,3159
+orchestrator/services/settings_env_variables.py,sha256=U2xz0h3bOAE8wWQF2iCp5jf-2v0NUOOCTecNTouB1jY,2496
 orchestrator/services/subscription_relations.py,sha256=9C126TUfFvyBe7y4x007kH_dvxJ9pZ1zSnaWeH6HC5k,12261
 orchestrator/services/subscriptions.py,sha256=nr2HI89nC0lYjzTh2j-lEQ5cPQK43LNZv3gvP6jbepw,27189
 orchestrator/services/tasks.py,sha256=NjPkuauQoh9UJDcjA7OcKFgPk0i6NoKdDO7HlpGbBJ8,6575
 orchestrator/services/translations.py,sha256=GyP8soUFGej8AS8uulBsk10CCK6Kwfjv9AHMFm3ElQY,1713
 orchestrator/services/workflows.py,sha256=iEkt2OBuTwkDru4V6ZSKatnw0b96ZdPV-VQqeZ9EOgU,4015
 orchestrator/utils/__init__.py,sha256=GyHNfEFCGKQwRiN6rQmvSRH2iYX7npjMZn97n8XzmLU,571
+orchestrator/utils/auth.py,sha256=IWn0amdquLobt1mRNwhgKT0ErCBjLGDtLdsDuaY8rlE,309
 orchestrator/utils/crypt.py,sha256=18eNamYWMllPkxyRtWIde3FDr3rSF74R5SAL6WsCj9Y,5584
 orchestrator/utils/datetime.py,sha256=a1WQ_yvu7MA0TiaRpC5avwbOSFdrj4eMrV4a7I2sD5Q,1477
 orchestrator/utils/deprecation_logger.py,sha256=oqju7ecJcB_r7cMnldaOAA79QUZYS_h69IkDrFV9nAg,875
 orchestrator/utils/docs.py,sha256=GbyD61oKn1yVYaphUKHCBvrWEWJDTQfRc_VEbVb-zgU,6172
 orchestrator/utils/enrich_process.py,sha256=o_QSy5Q4wn1SMHhzVOw6bp7uhDXr7GhAIWRDDMWUVO4,4699
 orchestrator/utils/errors.py,sha256=6FxvXrITmRjP5bYnJJ3CxjAwA5meNjRAVYouz4TWKkU,4653
+orchestrator/utils/expose_settings.py,sha256=0NOjLBifQy4k2zUYJ31QjGQCaXEQ1zB4UtCle7XglAM,1640
 orchestrator/utils/fixed_inputs.py,sha256=pnL6I_19VMp_Bny8SYjSzVFNvTFDyeCxFFOWGhTnDiQ,2665
 orchestrator/utils/functional.py,sha256=X1MDNwHmkU3-8mFb21m31HGlcfc5TygliXR0sXN3-rU,8304
 orchestrator/utils/get_subscription_dict.py,sha256=hctkFvD3U6LpygNwz2uesRMdnXSY-PaohBqPATsi9r4,694
@@ -299,15 +302,15 @@ orchestrator/websocket/managers/memory_websocket_manager.py,sha256=lF5EEx1iFMCGE
 orchestrator/workflows/__init__.py,sha256=NzIGGI-8SNAwCk2YqH6sHhEWbgAY457ntDwjO15N8v4,4131
 orchestrator/workflows/modify_note.py,sha256=l6QtijRPv8gnHxzwTz_4nWIPcZ0FcKQh_yFbtjYEDMg,2163
 orchestrator/workflows/removed_workflow.py,sha256=V0Da5TEdfLdZZKD38ig-MTp3_IuE7VGqzHHzvPYQmLI,909
-orchestrator/workflows/steps.py,sha256=ulpheoHaCOE1qh71Bja4KW4pItQh1Z6q4QU4tn5GtNk,6067
-orchestrator/workflows/utils.py,sha256=yBwfITlseimyLEzbwI0ehOAlr-xI1N3WGVudFz4boXk,13778
+orchestrator/workflows/steps.py,sha256=l2YokXOzNazvMXB8DEi5WCif97yZl0Ui0-o9OoMSvUw,6275
+orchestrator/workflows/utils.py,sha256=9j0hQOvGnjXUuVUMMzSIpdiyT5NzijhLh1sBXbd5QJA,14008
 orchestrator/workflows/tasks/__init__.py,sha256=GyHNfEFCGKQwRiN6rQmvSRH2iYX7npjMZn97n8XzmLU,571
 orchestrator/workflows/tasks/cleanup_tasks_log.py,sha256=BfWYbPXhnLAHUJ0mlODDnjZnQQAvKCZJDVTwbwOWI04,1624
 orchestrator/workflows/tasks/resume_workflows.py,sha256=MzJqlSXUvKStkT7NGzxZyRlfAer_ezYm-kjUqaZi0yc,2359
 orchestrator/workflows/tasks/validate_product_type.py,sha256=paG-NAY1bdde3Adt8zItkcBKf5Pxw6f5ngGW6an6dYU,3192
 orchestrator/workflows/tasks/validate_products.py,sha256=GZJBoFF-WMphS7ghMs2-gqvV2iL1F0POhk0uSNt93n0,8510
 orchestrator/workflows/translations/en-GB.json,sha256=ST53HxkphFLTMjFHonykDBOZ7-P_KxksktZU3GbxLt0,846
-orchestrator_core-4.0.4.dist-info/licenses/LICENSE,sha256=b-aA5OZQuuBATmLKo_mln8CQrDPPhg3ghLzjPjLn4Tg,11409
-orchestrator_core-4.0.4.dist-info/WHEEL,sha256=G2gURzTEtmeR8nrdXUJfNiB3VYVxigPQ-bEQujpNiNs,82
-orchestrator_core-4.0.4.dist-info/METADATA,sha256=EDGeOW4AxLgPbD6ZQDojlTPd8H3j4GOpD1vfWg-MgKA,5070
-orchestrator_core-4.0.4.dist-info/RECORD,,
+orchestrator_core-4.1.0.dist-info/licenses/LICENSE,sha256=b-aA5OZQuuBATmLKo_mln8CQrDPPhg3ghLzjPjLn4Tg,11409
+orchestrator_core-4.1.0.dist-info/WHEEL,sha256=G2gURzTEtmeR8nrdXUJfNiB3VYVxigPQ-bEQujpNiNs,82
+orchestrator_core-4.1.0.dist-info/METADATA,sha256=jU0NSrnz4d5GFIaNE58_68_qIVp5pO-7XL9quPvEf8c,5070
+orchestrator_core-4.1.0.dist-info/RECORD,,