orchestrator-core 4.1.0rc1__py3-none-any.whl → 4.2.0rc1__py3-none-any.whl

orchestrator/__init__.py

@@ -13,7 +13,7 @@
 
 """This is the orchestrator workflow engine."""
 
-__version__ = "4.1.0rc1"
+__version__ = "4.2.0rc1"
 
 from orchestrator.app import OrchestratorCore
 from orchestrator.settings import app_settings

orchestrator/api/api_v1/endpoints/processes.py

@@ -25,7 +25,7 @@ from fastapi.param_functions import Body, Depends, Header
 from fastapi.routing import APIRouter
 from fastapi.websockets import WebSocket
 from fastapi_etag.dependency import CacheHit
-from more_itertools import chunked
+from more_itertools import chunked, last
 from sentry_sdk.tracing import trace
 from sqlalchemy import CompoundSelect, Select, select
 from sqlalchemy.orm import defer, joinedload
@@ -56,6 +56,7 @@ from orchestrator.services.processes import (
 )
 from orchestrator.services.settings import get_engine_settings
 from orchestrator.settings import app_settings
+from orchestrator.utils.auth import Authorizer
 from orchestrator.utils.enrich_process import enrich_process
 from orchestrator.websocket import (
     WS_CHANNELS,
@@ -63,7 +64,7 @@ from orchestrator.websocket import (
     broadcast_process_update_to_websocket,
     websocket_manager,
 )
-from orchestrator.workflow import ProcessStatus
+from orchestrator.workflow import ProcessStat, ProcessStatus, StepList, Workflow
 from pydantic_forms.types import JSON, State
 
 router = APIRouter()
@@ -86,6 +87,48 @@ def check_global_lock() -> None:
         )
 
 
+def get_current_steps(pstat: ProcessStat) -> StepList:
+    """Extract past and current steps from the ProcessStat."""
+    remaining_steps = pstat.log
+    past_steps = pstat.workflow.steps[: -len(remaining_steps)]
+    return StepList(past_steps + [pstat.log[0]])
+
+
+def get_auth_callbacks(steps: StepList, workflow: Workflow) -> tuple[Authorizer | None, Authorizer | None]:
+    """Iterate over workflow and prior steps to determine correct authorization callbacks for the current step.
+
+    It's safest to always iterate through the steps. We could track these callbacks statefully
+    as we progress through the workflow, but if we fail a step and the system restarts, the previous
+    callbacks will be lost if they're only available in the process state.
+
+    Priority:
+    - RESUME callback is explicit RESUME callback, else previous START/RESUME callback
+    - RETRY callback is explicit RETRY, else explicit RESUME, else previous RETRY
+    """
+    # Default to workflow start callbacks
+    auth_resume = workflow.authorize_callback
+    # auth_retry defaults to the workflow start callback if not otherwise specified.
+    # A workflow SHOULD have both callbacks set to not-None. This enforces the correct default regardless.
+    auth_retry = workflow.retry_auth_callback or auth_resume  # type: ignore[unreachable, truthy-function]
+
+    # Choose the most recently established value for resume.
+    auth_resume = last(filter(None, (step.resume_auth_callback for step in steps)), auth_resume)
+    # Choose the most recently established value for retry, unless there is a more recent value for resume.
+    auth_retry = last(
+        filter(None, (step.retry_auth_callback or step.resume_auth_callback for step in steps)), auth_retry
+    )
+    return auth_resume, auth_retry
+
+
+def can_be_resumed(status: ProcessStatus) -> bool:
+    return status in (
+        ProcessStatus.SUSPENDED,  # Can be resumed
+        ProcessStatus.FAILED,  # Can be retried
+        ProcessStatus.API_UNAVAILABLE,  # subtype of FAILED
+        ProcessStatus.INCONSISTENT_DATA,  # subtype of FAILED
+    )
+
+
 def resolve_user_name(
     *,
     reporter: Reporter | None,
@@ -115,6 +158,9 @@ def delete(process_id: UUID) -> None:
     if not process:
         raise_status(HTTPStatus.NOT_FOUND)
 
+    if not process.is_task:
+        raise_status(HTTPStatus.BAD_REQUEST)
+
     db.session.delete(db.session.get(ProcessTable, process_id))
     db.session.commit()
 
@@ -150,18 +196,25 @@ def new_process(
     dependencies=[Depends(check_global_lock, use_cache=False)],
 )
 def resume_process_endpoint(
-    process_id: UUID, request: Request, json_data: JSON = Body(...), user: str = Depends(user_name)
+    process_id: UUID,
+    request: Request,
+    json_data: JSON = Body(...),
+    user: str = Depends(user_name),
+    user_model: OIDCUserModel | None = Depends(authenticate),
 ) -> None:
     process = _get_process(process_id)
 
-    if process.last_status == ProcessStatus.COMPLETED:
-        raise_status(HTTPStatus.CONFLICT, "Resuming a completed workflow is not possible")
-
-    if process.last_status == ProcessStatus.RUNNING:
-        raise_status(HTTPStatus.CONFLICT, "Resuming a running workflow is not possible")
+    if not can_be_resumed(process.last_status):
+        raise_status(HTTPStatus.CONFLICT, f"Resuming a {process.last_status.lower()} workflow is not possible")
 
-    if process.last_status == ProcessStatus.RESUMED:
-        raise_status(HTTPStatus.CONFLICT, "Resuming a resumed workflow is not possible")
+    pstat = load_process(process)
+    auth_resume, auth_retry = get_auth_callbacks(get_current_steps(pstat), pstat.workflow)
+    if process.last_status == ProcessStatus.SUSPENDED:
+        if auth_resume is not None and not auth_resume(user_model):
+            raise_status(HTTPStatus.FORBIDDEN, "User is not authorized to resume step")
+    elif process.last_status == ProcessStatus.FAILED:
+        if auth_retry is not None and not auth_retry(user_model):
+            raise_status(HTTPStatus.FORBIDDEN, "User is not authorized to retry step")
 
     broadcast_invalidate_status_counts()
     broadcast_func = api_broadcast_process_data(request)
@@ -220,7 +273,7 @@ def update_progress_on_awaiting_process_endpoint(
 @router.put(
     "/resume-all", response_model=ProcessResumeAllSchema, dependencies=[Depends(check_global_lock, use_cache=False)]
 )
-async def resume_all_processess_endpoint(request: Request, user: str = Depends(user_name)) -> dict[str, int]:
+async def resume_all_processes_endpoint(request: Request, user: str = Depends(user_name)) -> dict[str, int]:
     """Retry all task processes in status Failed, Waiting, API Unavailable or Inconsistent Data.
 
     The retry is started in the background, returning status 200 and number of processes in message.

orchestrator/api/api_v1/endpoints/subscriptions.py

@@ -47,10 +47,12 @@ from orchestrator.services.subscriptions import (
     subscription_workflows,
 )
 from orchestrator.settings import app_settings
+from orchestrator.targets import Target
 from orchestrator.types import SubscriptionLifecycle
 from orchestrator.utils.deprecation_logger import deprecated_endpoint
 from orchestrator.utils.get_subscription_dict import get_subscription_dict
 from orchestrator.websocket import sync_invalidate_subscription_cache
+from orchestrator.workflows import get_workflow
 
 router = APIRouter()
 
@@ -100,6 +102,25 @@ def _filter_statuses(filter_statuses: str | None = None) -> list[str]:
     return statuses
 
 
+def _authorized_subscription_workflows(
+    subscription: SubscriptionTable, current_user: OIDCUserModel | None
+) -> dict[str, list[dict[str, list[Any] | str]]]:
+    subscription_workflows_dict = subscription_workflows(subscription)
+
+    for workflow_target in Target.values():
+        for workflow_dict in subscription_workflows_dict[workflow_target.lower()]:
+            workflow = get_workflow(workflow_dict["name"])
+            if not workflow:
+                continue
+            if (
+                not workflow.authorize_callback(current_user)  # The current user isn't allowed to run this workflow
+                and "reason" not in workflow_dict  # and there isn't already a reason why this workflow cannot run
+            ):
+                workflow_dict["reason"] = "subscription.insufficient_workflow_permissions"
+
+    return subscription_workflows_dict
+
+
 @router.get(
     "/domain-model/{subscription_id}",
     response_model=SubscriptionDomainModelSchema | None,
@@ -169,7 +190,9 @@ def subscriptions_search(
     description="This endpoint is deprecated and will be removed in a future release. Please use the GraphQL query",
     dependencies=[Depends(deprecated_endpoint)],
 )
-def subscription_workflows_by_id(subscription_id: UUID) -> dict[str, list[dict[str, list[Any] | str]]]:
+def subscription_workflows_by_id(
+    subscription_id: UUID, current_user: OIDCUserModel | None = Depends(authenticate)
+) -> dict[str, list[dict[str, list[Any] | str]]]:
     subscription = db.session.get(
         SubscriptionTable,
         subscription_id,
@@ -181,7 +204,7 @@ def subscription_workflows_by_id(subscription_id: UUID) -> dict[str, list[dict[s
     if not subscription:
         raise_status(HTTPStatus.NOT_FOUND)
 
-    return subscription_workflows(subscription)
+    return _authorized_subscription_workflows(subscription, current_user)
 
 
 @router.put("/{subscription_id}/set_in_sync", response_model=None, status_code=HTTPStatus.OK)

orchestrator/cli/generator/templates/create_product.j2

@@ -11,7 +11,6 @@ from pydantic_forms.types import FormGenerator, State, UUIDstr
 
 from orchestrator.forms import FormPage
 from orchestrator.forms.validators import Divider, Label, CustomerId, MigrationSummary
-from orchestrator.targets import Target
 from orchestrator.types import SubscriptionLifecycle
 from orchestrator.workflow import StepList, begin, step
 from orchestrator.workflows.steps import store_process_subscription
@@ -119,6 +118,6 @@ def create_{{ product.variable }}() -> StepList:
     return (
         begin
         >> construct_{{ product.variable }}_model
-        >> store_process_subscription(Target.CREATE)
+        >> store_process_subscription()
         # TODO add provision step(s)
     )

orchestrator/db/models.py

@@ -117,7 +117,7 @@ class ProcessTable(BaseModel):
     is_task = mapped_column(Boolean, nullable=False, server_default=text("false"), index=True)
 
     steps = relationship(
-        "ProcessStepTable", cascade="delete", passive_deletes=True, order_by="asc(ProcessStepTable.executed_at)"
+        "ProcessStepTable", cascade="delete", passive_deletes=True, order_by="asc(ProcessStepTable.completed_at)"
     )
     input_states = relationship("InputStateTable", cascade="delete", order_by="desc(InputStateTable.input_time)")
     process_subscriptions = relationship("ProcessSubscriptionTable", back_populates="process", passive_deletes=True)
@@ -141,7 +141,8 @@ class ProcessStepTable(BaseModel):
     status = mapped_column(String(50), nullable=False)
     state = mapped_column(pg.JSONB(), nullable=False)
     created_by = mapped_column(String(255), nullable=True)
-    executed_at = mapped_column(UtcTimestamp, server_default=text("statement_timestamp()"), nullable=False)
+    completed_at = mapped_column(UtcTimestamp, server_default=text("statement_timestamp()"), nullable=False)
+    started_at = mapped_column(UtcTimestamp, server_default=text("statement_timestamp()"), nullable=False)
     commit_hash = mapped_column(String(40), nullable=True, default=GIT_COMMIT_HASH)
 
 
@@ -154,7 +155,9 @@ class ProcessSubscriptionTable(BaseModel):
     )
     subscription_id = mapped_column(UUIDType, ForeignKey("subscriptions.subscription_id"), nullable=False, index=True)
     created_at = mapped_column(UtcTimestamp, server_default=text("current_timestamp()"), nullable=False)
-    workflow_target = mapped_column(String(255), nullable=False, server_default=Target.CREATE)
+
+    # FIXME: workflow_target is already stored in the workflow table, this column should get removed in a later release.
+    workflow_target = mapped_column(String(255), nullable=True)
 
     process = relationship("ProcessTable", back_populates="process_subscriptions")
     subscription = relationship("SubscriptionTable", back_populates="processes")

orchestrator/graphql/schemas/process.py

@@ -6,14 +6,17 @@ from strawberry.federation.schema_directives import Key
 from strawberry.scalars import JSON
 
 from oauth2_lib.strawberry import authenticated_field
+from orchestrator.api.api_v1.endpoints.processes import get_auth_callbacks, get_current_steps
 from orchestrator.db import ProcessTable, ProductTable, db
 from orchestrator.graphql.pagination import EMPTY_PAGE, Connection
 from orchestrator.graphql.schemas.customer import CustomerType
 from orchestrator.graphql.schemas.helpers import get_original_model
 from orchestrator.graphql.schemas.product import ProductType
-from orchestrator.graphql.types import GraphqlFilter, GraphqlSort, OrchestratorInfo
+from orchestrator.graphql.types import FormUserPermissionsType, GraphqlFilter, GraphqlSort, OrchestratorInfo
 from orchestrator.schemas.process import ProcessSchema, ProcessStepSchema
+from orchestrator.services.processes import load_process
 from orchestrator.settings import app_settings
+from orchestrator.workflows import get_workflow
 
 if TYPE_CHECKING:
     from orchestrator.graphql.schemas.subscription import SubscriptionInterface
@@ -29,7 +32,11 @@ class ProcessStepType:
     name: strawberry.auto
     status: strawberry.auto
     created_by: strawberry.auto
-    executed: strawberry.auto
+    executed: strawberry.auto = strawberry.field(
+        deprecation_reason="Deprecated, use 'started' and 'completed' for step start and completion times"
+    )
+    started: strawberry.auto
+    completed: strawberry.auto
     commit_hash: strawberry.auto
     state: JSON | None
     state_delta: JSON | None
@@ -74,6 +81,18 @@ class ProcessType:
             shortcode=app_settings.DEFAULT_CUSTOMER_SHORTCODE,
         )
 
+    @strawberry.field(description="Returns user permissions for operations on this process")  # type: ignore
+    def user_permissions(self, info: OrchestratorInfo) -> FormUserPermissionsType:
+        oidc_user = info.context.get_current_user
+        workflow = get_workflow(self.workflow_name)
+        process = load_process(db.session.get(ProcessTable, self.process_id))  # type: ignore[arg-type]
+        auth_resume, auth_retry = get_auth_callbacks(get_current_steps(process), workflow)  # type: ignore[arg-type]
+
+        return FormUserPermissionsType(
+            retryAllowed=auth_retry and auth_retry(oidc_user),  # type: ignore[arg-type]
+            resumeAllowed=auth_resume and auth_resume(oidc_user),  # type: ignore[arg-type]
+        )
+
     @authenticated_field(description="Returns list of subscriptions of the process")  # type: ignore
     async def subscriptions(
         self,

orchestrator/graphql/schemas/product.py

@@ -52,21 +52,20 @@ class ProductType:
         return await resolve_subscriptions(info, filter_by_with_related_subscriptions, sort_by, first, after)
 
     @strawberry.field(description="Returns list of all nested productblock names")  # type: ignore
-    async def all_pb_names(self) -> list[str]:
-
+    async def all_product_block_names(self) -> list[str]:
         model = get_original_model(self, ProductTable)
 
-        def get_all_pb_names(product_blocks: list[ProductBlockTable]) -> Iterable[str]:
+        def get_names(product_blocks: list[ProductBlockTable], visited: set) -> Iterable[str]:
             for product_block in product_blocks:
+                if product_block.product_block_id in visited:
+                    continue
+                visited.add(product_block.product_block_id)
                 yield product_block.name
-
                 if product_block.depends_on:
-                    yield from get_all_pb_names(product_block.depends_on)
-
-        names: list[str] = list(get_all_pb_names(model.product_blocks))
-        names.sort()
+                    yield from get_names(product_block.depends_on, visited)
 
-        return names
+        names = set(get_names(model.product_blocks, set()))
+        return sorted(names)
 
     @strawberry.field(description="Return product blocks")  # type: ignore
     async def product_blocks(self) -> list[Annotated["ProductBlock", strawberry.lazy(".product_block")]]:

orchestrator/graphql/schemas/workflow.py

@@ -5,6 +5,7 @@ import strawberry
 from orchestrator.config.assignee import Assignee
 from orchestrator.db import WorkflowTable
 from orchestrator.graphql.schemas.helpers import get_original_model
+from orchestrator.graphql.types import OrchestratorInfo
 from orchestrator.schemas import StepSchema, WorkflowSchema
 from orchestrator.workflows import get_workflow
 
@@ -30,3 +31,11 @@ class Workflow:
     @strawberry.field(description="Return all steps for this workflow")  # type: ignore
     def steps(self) -> list[Step]:
         return [Step(name=step.name, assignee=step.assignee) for step in get_workflow(self.name).steps]  # type: ignore
+
+    @strawberry.field(description="Return whether the currently logged-in used is allowed to start this workflow")  # type: ignore
+    def is_allowed(self, info: OrchestratorInfo) -> bool:
+        oidc_user = info.context.get_current_user
+        workflow_table = get_original_model(self, WorkflowTable)
+        workflow = get_workflow(workflow_table.name)
+
+        return workflow.authorize_callback(oidc_user)  # type: ignore

orchestrator/graphql/types.py

@@ -1,4 +1,4 @@
-# Copyright 2022-2023 SURF, GÉANT.
+# Copyright 2022-2025 SURF, GÉANT.
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@@ -132,6 +132,12 @@ SCALAR_OVERRIDES: ScalarOverrideType = {
 }
 
 
+@strawberry.type(description="User permissions on a specific process")
+class FormUserPermissionsType:
+    retryAllowed: bool
+    resumeAllowed: bool
+
+
 @strawberry.type(description="Generic class to capture errors")
 class MutationError:
     message: str = strawberry.field(description="Error message")

orchestrator/migrations/versions/schema/2025-07-01_93fc5834c7e5_changed_timestamping_fields_in_process_steps.py

@@ -0,0 +1,65 @@
+"""Changed timestamping fields in process_steps.
+
+Revision ID: 93fc5834c7e5
+Revises: 4b58e336d1bf
+Create Date: 2025-07-01 14:20:44.755694
+
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+from orchestrator import db
+
+# revision identifiers, used by Alembic.
+revision = "93fc5834c7e5"
+down_revision = "4b58e336d1bf"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column(
+        "process_steps",
+        sa.Column(
+            "started_at",
+            db.UtcTimestamp(timezone=True),
+            server_default=sa.text("statement_timestamp()"),
+            nullable=False,
+        ),
+    )
+    op.alter_column("process_steps", "executed_at", new_column_name="completed_at")
+    # conn = op.get_bind()
+    # sa.select
+    # ### end Alembic commands ###
+    # Backfill started_at field correctly using proper aliasing
+    op.execute(
+        """
+        WITH backfill_started_at AS (
+            SELECT
+                ps1.stepid,
+                COALESCE(prev.completed_at, p.started_at) AS new_started_at
+            FROM process_steps ps1
+            JOIN processes p ON ps1.pid = p.pid
+            LEFT JOIN LATERAL (
+                SELECT ps2.completed_at
+                FROM process_steps ps2
+                WHERE ps2.pid = ps1.pid AND ps2.completed_at < ps1.completed_at
+                ORDER BY ps2.completed_at DESC
+                LIMIT 1
+            ) prev ON true
+        )
+        UPDATE process_steps
+        SET started_at = b.new_started_at
+        FROM backfill_started_at b
+        WHERE process_steps.stepid = b.stepid;
+    """
+    )
+
+
+def downgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column("process_steps", "started_at")
+    op.alter_column("process_steps", "completed_at", new_column_name="executed_at")
+    # ### end Alembic commands ###

orchestrator/migrations/versions/schema/2025-07-04_4b58e336d1bf_deprecating_workflow_target_in_.py

@@ -0,0 +1,30 @@
+"""Deprecating workflow target in ProcessSubscriptionTable.
+
+Revision ID: 4b58e336d1bf
+Revises: 161918133bec
+Create Date: 2025-07-04 15:27:23.814954
+
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "4b58e336d1bf"
+down_revision = "161918133bec"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    op.alter_column("processes_subscriptions", "workflow_target", existing_type=sa.VARCHAR(length=255), nullable=True)
+
+
+def downgrade() -> None:
+    op.alter_column(
+        "processes_subscriptions",
+        "workflow_target",
+        existing_type=sa.VARCHAR(length=255),
+        nullable=False,
+        existing_server_default=sa.text("'CREATE'::character varying"),
+    )

orchestrator/schemas/process.py

@@ -49,7 +49,11 @@ class ProcessStepSchema(OrchestratorBaseModel):
     name: str
     status: str
     created_by: str | None = None
-    executed: datetime | None = None
+    executed: datetime | None = Field(
+        None, deprecated="Deprecated, use 'started' and 'completed' for step start and completion times"
+    )
+    started: datetime | None = None
+    completed: datetime | None = None
     commit_hash: str | None = None
     state: dict[str, Any] | None = None
     state_delta: dict[str, Any] | None = None

orchestrator/services/celery.py

@@ -19,6 +19,7 @@ import structlog
 from celery.result import AsyncResult
 from kombu.exceptions import ConnectionError, OperationalError
 
+from oauth2_lib.fastapi import OIDCUserModel
 from orchestrator import app_settings
 from orchestrator.api.error_handling import raise_status
 from orchestrator.db import ProcessTable, db
@@ -42,7 +43,11 @@ def _block_when_testing(task_result: AsyncResult) -> None:
 
 
 def _celery_start_process(
-    workflow_key: str, user_inputs: list[State] | None, user: str = SYSTEM_USER, **kwargs: Any
+    workflow_key: str,
+    user_inputs: list[State] | None,
+    user: str = SYSTEM_USER,
+    user_model: OIDCUserModel | None = None,
+    **kwargs: Any,
 ) -> UUID:
     """Client side call of Celery."""
     from orchestrator.services.tasks import NEW_TASK, NEW_WORKFLOW, get_celery_task
@@ -57,7 +62,7 @@ def _celery_start_process(
 
     task_name = NEW_TASK if wf_table.is_task else NEW_WORKFLOW
     trigger_task = get_celery_task(task_name)
-    pstat = create_process(workflow_key, user_inputs, user)
+    pstat = create_process(workflow_key, user_inputs=user_inputs, user=user, user_model=user_model)
     try:
         result = trigger_task.delay(pstat.process_id, workflow_key, user)
         _block_when_testing(result)

orchestrator/services/processes.py

@@ -12,6 +12,7 @@
 # limitations under the License.
 from collections.abc import Callable, Sequence
 from concurrent.futures.thread import ThreadPoolExecutor
+from datetime import datetime
 from functools import partial
 from http import HTTPStatus
 from typing import Any
@@ -19,6 +20,7 @@ from uuid import UUID, uuid4
 
 import structlog
 from deepmerge.merger import Merger
+from pytz import utc
 from sqlalchemy import delete, select
 from sqlalchemy.exc import SQLAlchemyError
 from sqlalchemy.orm import joinedload
@@ -206,6 +208,10 @@ def _get_current_step_to_update(
     finally:
         step_state.pop("__remove_keys", None)
 
+    # We don't have __last_step_started in __remove_keys because the way __remove_keys is populated appears like it would overwrite
+    # what's put there in the step decorator in certain cases (step groups and callback steps)
+    step_start_time = step_state.pop("__last_step_started_at", None)
+
     if process_state.isfailed() or process_state.iswaiting():
         if (
             last_db_step is not None
@@ -216,7 +222,7 @@ def _get_current_step_to_update(
         ):
             state_ex_info = {
                 "retries": last_db_step.state.get("retries", 0) + 1,
-                "executed_at": last_db_step.state.get("executed_at", []) + [str(last_db_step.executed_at)],
+                "completed_at": last_db_step.state.get("completed_at", []) + [str(last_db_step.completed_at)],
             }
 
             # write new state info and execution date
@@ -236,10 +242,13 @@ def _get_current_step_to_update(
             state=step_state,
             created_by=stat.current_user,
         )
+    # Since the Start step does not have a __last_step_started_at in it's state, we effectively assume it is instantaneous.
+    now = nowtz()
+    current_step.started_at = datetime.fromtimestamp(step_start_time or now.timestamp(), tz=utc)
 
     # Always explicitly set this instead of leaving it to the database to prevent failing tests
     # Test will fail if multiple steps have the same timestamp
-    current_step.executed_at = nowtz()
+    current_step.completed_at = now
     return current_step
 
 
@@ -467,9 +476,7 @@ def thread_start_process(
     user_model: OIDCUserModel | None = None,
     broadcast_func: BroadcastFunc | None = None,
 ) -> UUID:
-    pstat = create_process(workflow_key, user_inputs=user_inputs, user=user)
-    if not pstat.workflow.authorize_callback(user_model):
-        raise_status(HTTPStatus.FORBIDDEN, error_message_unauthorized(workflow_key))
+    pstat = create_process(workflow_key, user_inputs=user_inputs, user=user, user_model=user_model)
 
     _safe_logstep_with_func = partial(safe_logstep, broadcast_func=broadcast_func)
     return _run_process_async(pstat.process_id, lambda: runwf(pstat, _safe_logstep_with_func))
@@ -506,7 +513,6 @@ def thread_resume_process(
     *,
     user_inputs: list[State] | None = None,
     user: str | None = None,
-    user_model: OIDCUserModel | None = None,
     broadcast_func: BroadcastFunc | None = None,
 ) -> UUID:
     # ATTENTION!! When modifying this function make sure you make similar changes to `resume_workflow` in the test code
@@ -515,8 +521,6 @@ def thread_resume_process(
         user_inputs = [{}]
 
     pstat = load_process(process)
-    if not pstat.workflow.authorize_callback(user_model):
-        raise_status(HTTPStatus.FORBIDDEN, error_message_unauthorized(str(process.workflow_name)))
 
     if pstat.workflow == removed_workflow:
         raise ValueError("This workflow cannot be resumed")
@@ -556,7 +560,6 @@ def resume_process(
     *,
     user_inputs: list[State] | None = None,
     user: str | None = None,
-    user_model: OIDCUserModel | None = None,
     broadcast_func: BroadcastFunc | None = None,
 ) -> UUID:
     """Resume a failed or suspended process.
@@ -565,7 +568,6 @@ def resume_process(
         process: Process from database
         user_inputs: Optional user input from forms
         user: user who resumed this process
-        user_model: OIDCUserModel of user who resumed this process
         broadcast_func: Optional function to broadcast process data
 
     Returns:
@@ -573,8 +575,6 @@ def resume_process(
 
     """
     pstat = load_process(process)
-    if not pstat.workflow.authorize_callback(user_model):
-        raise_status(HTTPStatus.FORBIDDEN, error_message_unauthorized(str(process.workflow_name)))
 
     try:
         post_form(pstat.log[0].form, pstat.state.unwrap(), user_inputs=user_inputs or [])

orchestrator/utils/auth.py

@@ -0,0 +1,9 @@
+from collections.abc import Callable
+from typing import TypeAlias
+
+from oauth2_lib.fastapi import OIDCUserModel
+
+# This file is broken out separately to avoid circular imports.
+
+# Can instead use "type Authorizer = ..." in later Python versions.
+Authorizer: TypeAlias = Callable[[OIDCUserModel | None], bool]

orchestrator/utils/enrich_process.py

@@ -57,7 +57,9 @@ def enrich_step_details(step: ProcessStepTable, previous_step: ProcessStepTable
 
     return {
         "name": step.name,
-        "executed": step.executed_at.timestamp(),
+        "executed": step.completed_at.timestamp(),
+        "started": step.started_at.timestamp(),
+        "completed": step.completed_at.timestamp(),
         "status": step.status,
         "state": step.state,
         "created_by": step.created_by,
@@ -103,7 +105,7 @@ def enrich_process(process: ProcessTable, p_stat: ProcessStat | None = None) ->
         "is_task": process.is_task,
         "workflow_id": process.workflow_id,
         "workflow_name": process.workflow.name,
-        "workflow_target": process.process_subscriptions[0].workflow_target if process.process_subscriptions else None,
+        "workflow_target": process.workflow.target,
         "failed_reason": process.failed_reason,
         "created_by": process.created_by,
         "started_at": process.started_at,