PyPI - rucio - Versions diffs - 37.1.0.post1__py3-none-any.whl → 37.3.0__py3-none-any.whl - Mend

rucio 37.1.0.post1py3-none-any.whl → 37.3.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of rucio might be problematic. Click here for more details.

Files changed (106) hide show

rucio/gateway/vo.py CHANGED Viewed

@@ -12,23 +12,19 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-from typing import TYPE_CHECKING, Any, Optional
+from typing import Any, Optional
 from rucio.common import exception
 from rucio.common.schema import validate_schema
 from rucio.common.types import InternalAccount
 from rucio.core import identity
 from rucio.core import vo as vo_core
-from rucio.db.sqla.constants import IdentityType
-from rucio.db.sqla.session import read_session, transactional_session
+from rucio.db.sqla.constants import DatabaseOperationType, IdentityType
+from rucio.db.sqla.session import db_session
 from rucio.gateway.permission import has_permission
-if TYPE_CHECKING:
-    from sqlalchemy.orm import Session
-@transactional_session
-def add_vo(new_vo: str, issuer: str, description: Optional[str] = None, email: Optional[str] = None, vo: str = 'def', *, session: "Session") -> None:
+def add_vo(new_vo: str, issuer: str, description: Optional[str] = None, email: Optional[str] = None, vo: str = 'def') -> None:
     '''
     Add a new VO.
@@ -37,38 +33,38 @@ def add_vo(new_vo: str, issuer: str, description: Optional[str] = None, email: O
     :param email: A contact for the VO.
     :param issuer: The user issuing the command.
     :param vo: The vo of the user issuing the command.
-    :param session: The database session in use.
     '''
     new_vo = vo_core.map_vo(new_vo)
     validate_schema('vo', new_vo, vo=vo)
     kwargs = {}
-    auth_result = has_permission(issuer=issuer, action='add_vo', kwargs=kwargs, vo=vo, session=session)
-    if not auth_result.allowed:
-        raise exception.AccessDenied('Account {} cannot add a VO. {}'.format(issuer, auth_result.message))
-    vo_core.add_vo(vo=new_vo, description=description, email=email, session=session)
+    with db_session(DatabaseOperationType.WRITE) as session:
+        auth_result = has_permission(issuer=issuer, action='add_vo', kwargs=kwargs, vo=vo, session=session)
+        if not auth_result.allowed:
+            raise exception.AccessDenied('Account {} cannot add a VO. {}'.format(issuer, auth_result.message))
+        vo_core.add_vo(vo=new_vo, description=description, email=email, session=session)
-@read_session
-def list_vos(issuer: str, vo: str = 'def', *, session: "Session") -> list[dict[str, Any]]:
+def list_vos(issuer: str, vo: str = 'def') -> list[dict[str, Any]]:
     '''
     List the VOs.
     :param issuer: The user issuing the command.
     :param vo: The vo of the user issuing the command.
-    :param session: The database session in use.
     '''
     kwargs = {}
-    auth_result = has_permission(issuer=issuer, action='list_vos', kwargs=kwargs, vo=vo, session=session)
-    if not auth_result.allowed:
-        raise exception.AccessDenied('Account {} cannot list VOs. {}'.format(issuer, auth_result.message))
-    return vo_core.list_vos(session=session)
+    with db_session(DatabaseOperationType.READ) as session:
+        auth_result = has_permission(issuer=issuer, action='list_vos', kwargs=kwargs, vo=vo, session=session)
+        if not auth_result.allowed:
+            raise exception.AccessDenied('Account {} cannot list VOs. {}'.format(issuer, auth_result.message))
+        return vo_core.list_vos(session=session)
-@transactional_session
 def recover_vo_root_identity(
     root_vo: str,
     identity_key: str,
@@ -78,8 +74,6 @@ def recover_vo_root_identity(
     default: bool = False,
     password: Optional[str] = None,
     vo: str = 'def',
-    *,
-    session: "Session"
 ) -> None:
     """
     Adds a membership association between identity and the root account for given VO.
@@ -92,22 +86,22 @@ def recover_vo_root_identity(
     :param default: If True, the account should be used by default with the provided identity.
     :param password: Password if id_type is userpass.
     :param vo: the VO to act on.
-    :param session: The database session in use.
     """
     kwargs = {}
     root_vo = vo_core.map_vo(root_vo)
-    auth_result = has_permission(issuer=issuer, vo=vo, action='recover_vo_root_identity', kwargs=kwargs, session=session)
-    if not auth_result.allowed:
-        raise exception.AccessDenied('Account %s can not recover root identity. %s' % (issuer, auth_result.message))
-    account = InternalAccount('root', vo=root_vo)
+    with db_session(DatabaseOperationType.WRITE) as session:
+        auth_result = has_permission(issuer=issuer, vo=vo, action='recover_vo_root_identity', kwargs=kwargs, session=session)
+        if not auth_result.allowed:
+            raise exception.AccessDenied('Account %s can not recover root identity. %s' % (issuer, auth_result.message))
-    return identity.add_account_identity(identity=identity_key, type_=IdentityType[id_type.upper()], default=default,
-                                         email=email, account=account, password=password, session=session)
+        account = InternalAccount('root', vo=root_vo)
+        return identity.add_account_identity(identity=identity_key, type_=IdentityType[id_type.upper()], default=default,
+                                             email=email, account=account, password=password, session=session)
-@transactional_session
-def update_vo(updated_vo: str, parameters: dict[str, Any], issuer: str, vo: str = 'def', *, session: "Session") -> None:
+def update_vo(updated_vo: str, parameters: dict[str, Any], issuer: str, vo: str = 'def') -> None:
     """
     Update VO properties (email, description).
@@ -115,12 +109,13 @@ def update_vo(updated_vo: str, parameters: dict[str, Any], issuer: str, vo: str
     :param parameters: A dictionary with the new properties.
     :param issuer: The user issuing the command.
     :param vo: The VO of the user issusing the command.
-    :param session: The database session in use.
     """
     kwargs = {}
     updated_vo = vo_core.map_vo(updated_vo)
-    auth_result = has_permission(issuer=issuer, action='update_vo', kwargs=kwargs, vo=vo, session=session)
-    if not auth_result.allowed:
-        raise exception.AccessDenied('Account {} cannot update VO. {}'.format(issuer, auth_result.message))
-    return vo_core.update_vo(vo=updated_vo, parameters=parameters, session=session)
+    with db_session(DatabaseOperationType.WRITE) as session:
+        auth_result = has_permission(issuer=issuer, action='update_vo', kwargs=kwargs, vo=vo, session=session)
+        if not auth_result.allowed:
+            raise exception.AccessDenied('Account {} cannot update VO. {}'.format(issuer, auth_result.message))
+        return vo_core.update_vo(vo=updated_vo, parameters=parameters, session=session)

rucio/vcsversion.py CHANGED Viewed

@@ -4,8 +4,8 @@ This file is automatically generated; Do not edit it. :)
 '''
 VERSION_INFO = {
     'final': True,
-    'version': '37.1.0.post1',
+    'version': '37.3.0',
     'branch_nick': 'release-37',
-    'revision_id': '420fea7843ab9f55e21b71eb93709f7621db8873',
-    'revno': 13642
+    'revision_id': '874ee3e820d3ff64ab941ccfe8a02906b5540066',
+    'revno': 13716
 }

rucio/web/rest/flaskapi/v1/accounts.py CHANGED Viewed

@@ -217,7 +217,7 @@ class Scopes(ErrorHandlingMethodView):
             description: Not acceptable
         """
         try:
-            scopes = get_scopes(account, vo=request.environ.get('vo'))
+            scopes = get_scopes(account, vo=request.environ['vo'])
         except AccountNotFound as error:
             return generate_http_error_flask(404, error)
@@ -264,7 +264,7 @@ class Scopes(ErrorHandlingMethodView):
             description: Scope already exists.
         """
         try:
-            add_scope(scope, account, issuer=request.environ.get('issuer'), vo=request.environ.get('vo'))
+            add_scope(scope, account, issuer=request.environ['issuer'], vo=request.environ['vo'])
         except InvalidObject as error:
             return generate_http_error_flask(400, error)
         except AccessDenied as error:

rucio/web/rest/flaskapi/v1/auth.py CHANGED Viewed

@@ -916,6 +916,9 @@ class GSS(ErrorHandlingMethodView):
         appid = request.headers.get('X-Rucio-AppID', default='unknown')
         ip = request.headers.get('X-Forwarded-For', default=request.remote_addr)
+        if not account or not gsscred:
+            return generate_http_error_flask(400, ValueError.__name__, 'Account and REMOTE_USER must be set.')
         try:
             result = get_auth_token_gss(account, gsscred, appid, ip, vo=vo)
         except AccessDenied:
@@ -1212,6 +1215,9 @@ class SSH(ErrorHandlingMethodView):
         appid = request.headers.get('X-Rucio-AppID', default='unknown')
         ip = request.headers.get('X-Forwarded-For', default=request.remote_addr)
+        if not account or not signature:
+            return generate_http_error_flask(400, ValueError.__name__, 'Account and SSH signature must be set.')
         try:
             result = get_auth_token_ssh(account, signature, appid, ip, vo=vo)
         except AccessDenied:
@@ -1332,6 +1338,9 @@ class SSHChallengeToken(ErrorHandlingMethodView):
         appid = request.headers.get('X-Rucio-AppID', default='unknown')
         ip = request.headers.get('X-Forwarded-For', default=request.remote_addr)
+        if not account:
+            return generate_http_error_flask(400, ValueError.__name__, 'Account must be set.')
         result = get_ssh_challenge_token(account, appid, ip, vo=vo)
         if not result:
@@ -1452,6 +1461,9 @@ class SAML(ErrorHandlingMethodView):
         appid = request.headers.get('X-Rucio-AppID', default='unknown')
         ip = request.headers.get('X-Forwarded-For', default=request.remote_addr)
+        if not account:
+            return generate_http_error_flask(400, ValueError.__name__, 'Account must be set.')
         if saml_nameid:
             try:
                 result = get_auth_token_saml(account, saml_nameid, appid, ip, vo=vo)
@@ -1592,6 +1604,9 @@ class Validate(ErrorHandlingMethodView):
         token = request.headers.get('X-Rucio-Auth-Token', default=None)
+        if not token:
+            return generate_http_error_flask(400, ValueError.__name__, 'Token must be set.')
         result = validate_auth_token(token)
         if not result:
             return generate_http_error_flask(

rucio/web/rest/flaskapi/v1/common.py CHANGED Viewed

@@ -15,11 +15,13 @@
 import itertools
 import json
 import logging
+import os
 import re
 from configparser import NoOptionError, NoSectionError
 from functools import wraps
 from time import time
 from typing import TYPE_CHECKING, Any, Literal, Optional, TypeVar, Union
+from urllib.parse import unquote_plus
 import flask
 from flask.views import MethodView
@@ -46,6 +48,9 @@ if TYPE_CHECKING:
 ResponseTypeVar = TypeVar('ResponseTypeVar', bound=flask.wrappers.Response)
+RUCIO_HTTPD_ENCODED_SLASHES_NO_DECODE = os.environ.get('RUCIO_HTTPD_ENCODED_SLASHES_NO_DECODE',
+                                                       'false').lower() == 'true'
 class CORSMiddleware:
     """
@@ -143,6 +148,9 @@ def request_auth_env() -> Optional['ResponseReturnValue']:
     auth_token = flask.request.headers.get('X-Rucio-Auth-Token', default=None)
+    if not auth_token:
+        return generate_http_error_flask(400, ValueError.__name__, 'Token must be set.')
     try:
         auth = validate_auth_token(auth_token)
     except CannotAuthenticate:
@@ -211,6 +219,18 @@ def parse_scope_name(scope_name: str, vo: Optional[str]) -> tuple[str, ...]:
     :returns: a (scope, name) tuple.
     """
+    if RUCIO_HTTPD_ENCODED_SLASHES_NO_DECODE:
+        if scope_name.count('/') != 1:
+            # scope and name are always separated by a single slash ('/', unencoded) in the request.
+            # If the server is configured with the 'NoDecode' option, other slashes will be encoded.
+            # This is just a sanity check that should never happen.
+            raise ValueError(f"Could not parse '{scope_name}' ({scope_name=}) with encoded '/' into scope and name.")
+        scope, name = scope_name.split('/', 1)
+        name = unquote_plus(name)
+        return scope, name
     if not vo:
         vo = 'def'

rucio/web/rest/flaskapi/v1/config.py CHANGED Viewed

@@ -46,9 +46,9 @@ class Config(ErrorHandlingMethodView):
             description: Not acceptable
         """
         res = {}
-        for section in config.sections(issuer=request.environ.get('issuer'), vo=request.environ.get('vo')):
+        for section in config.sections(issuer=request.environ['issuer'], vo=request.environ['vo']):
             res[section] = {}
-            for item in config.items(section, issuer=request.environ.get('issuer'), vo=request.environ.get('vo')):
+            for item in config.items(section, issuer=request.environ['issuer'], vo=request.environ['vo']):
                 res[section][item[0]] = item[1]
         return jsonify(res), 200
@@ -87,7 +87,7 @@ class Config(ErrorHandlingMethodView):
                 return generate_http_error_flask(400, ValueError.__name__, '')
             for option, value in section_config.items():
                 try:
-                    config.set(section=section, option=option, value=value, issuer=request.environ.get('issuer'), vo=request.environ.get('vo'))
+                    config.set(section=section, option=option, value=value, issuer=request.environ['issuer'], vo=request.environ['vo'])
                 except ConfigurationError:
                     return generate_http_error_flask(400, 'ConfigurationError', f"Could not set value '{value}' for section '{section}' option '{option}'")
         return 'Created', 201
@@ -137,7 +137,7 @@ class Section(ErrorHandlingMethodView):
             description: Not acceptable
         """
         res = {}
-        for item in config.items(section, issuer=request.environ.get('issuer'), vo=request.environ.get('vo')):
+        for item in config.items(section, issuer=request.environ['issuer'], vo=request.environ['vo']):
             res[item[0]] = item[1]
         if res == {}:
@@ -190,7 +190,7 @@ class OptionGetDel(ErrorHandlingMethodView):
             description: Not acceptable
         """
         try:
-            result = config.get(section=section, option=option, issuer=request.environ.get('issuer'), vo=request.environ.get('vo'))
+            result = config.get(section=section, option=option, issuer=request.environ['issuer'], vo=request.environ['vo'])
             return jsonify(result), 200
         except AccessDenied as error:
             return generate_http_error_flask(401, error, f"Access to '{section}' option '{option}' denied")
@@ -223,7 +223,7 @@ class OptionGetDel(ErrorHandlingMethodView):
           401:
             description: Invalid Auth Token
         """
-        config.remove_option(section=section, option=option, issuer=request.environ.get('issuer'), vo=request.environ.get('vo'))
+        config.remove_option(section=section, option=option, issuer=request.environ['issuer'], vo=request.environ['vo'])
         return '', 200
@@ -275,7 +275,7 @@ class OptionSet(ErrorHandlingMethodView):
                   enum: ['Could not set value {} for section {} option {}']
           """
         try:
-            config.set(section=section, option=option, value=value, issuer=request.environ.get('issuer'), vo=request.environ.get('vo'))
+            config.set(section=section, option=option, value=value, issuer=request.environ['issuer'], vo=request.environ['vo'])
             return 'Created', 201
         except ConfigurationError as error:
             return generate_http_error_flask(500, error, f"Could not set value '{value}' for section '{section}' option '{option}'")

rucio/web/rest/flaskapi/v1/credentials.py CHANGED Viewed

@@ -12,12 +12,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-from typing import TYPE_CHECKING
+from typing import TYPE_CHECKING, cast
 from flask import Flask, request
 from werkzeug.datastructures import Headers
-from rucio.common.constants import RSE_BASE_SUPPORTED_PROTOCOL_OPERATIONS, SUPPORTED_SIGN_URL_SERVICES
+from rucio.common.constants import RSE_BASE_SUPPORTED_PROTOCOL_OPERATIONS, RSE_BASE_SUPPORTED_PROTOCOL_OPERATIONS_LITERAL, SUPPORTED_SIGN_URL_SERVICES, SUPPORTED_SIGN_URL_SERVICES_LITERAL
 from rucio.common.exception import CannotAuthenticate
 from rucio.gateway.credential import get_signed_url
 from rucio.web.rest.flaskapi.authenticated_bp import AuthenticatedBlueprint
@@ -163,28 +163,35 @@ class SignURL(ErrorHandlingMethodView):
         headers = self.get_headers()
         vo = extract_vo(request.headers)
         account = request.headers.get('X-Rucio-Account', default=None)
-        appid = request.headers.get('X-Rucio-AppID', default='unknown')
-        ip = request.headers.get('X-Forwarded-For', default=request.remote_addr)
-        if 'rse' not in request.args:
-            return generate_http_error_flask(400, ValueError.__name__, 'Parameter "rse" not found', headers=headers)
+        if account is None:
+            return generate_http_error_flask(400, ValueError.__name__, 'Parameter "account" not found.', headers=headers)
         rse = request.args.get('rse')
+        if rse is None:
+            return generate_http_error_flask(400, ValueError.__name__, 'Parameter "rse" not found', headers=headers)
+        url = request.args.get('url')
+        if url is None:
+            return generate_http_error_flask(400, ValueError.__name__, 'Parameter "url" not found', headers=headers)
         lifetime = request.args.get('lifetime', type=int, default=600)
         service = request.args.get('svc', default='gcs')
         operation = request.args.get('op', default='read')
-        if 'url' not in request.args:
-            return generate_http_error_flask(400, ValueError.__name__, 'Parameter "url" not found', headers=headers)
-        url = request.args.get('url')
         if service not in SUPPORTED_SIGN_URL_SERVICES:
-            return generate_http_error_flask(400, ValueError.__name__, 'Parameter "svc" must be either empty(=gcs), gcs, s3 or swift', headers=headers)
+            return generate_http_error_flask(400, ValueError.__name__, 'Parameter "svc" must be either empty (which defaults to "gcs"), "gcs", "s3" or "swift"', headers=headers)
+        service = cast("SUPPORTED_SIGN_URL_SERVICES_LITERAL", service)
         if operation not in RSE_BASE_SUPPORTED_PROTOCOL_OPERATIONS:
-            return generate_http_error_flask(400, ValueError.__name__, 'Parameter "op" must be either empty(=read), read, write, or delete.', headers=headers)
+            return generate_http_error_flask(400, ValueError.__name__, 'Parameter "op" must be either empty (which defaults to "read"), "read", "write", or "delete".', headers=headers)
+        operation = cast("RSE_BASE_SUPPORTED_PROTOCOL_OPERATIONS_LITERAL", service)
-        result = get_signed_url(account, appid, ip, rse=rse, service=service, operation=operation, url=url, lifetime=lifetime, vo=vo)
+        result = get_signed_url(account, rse=rse, service=service, operation=operation, url=url, lifetime=lifetime, vo=vo)
         if not result:
             return generate_http_error_flask(401, CannotAuthenticate.__name__, f'Cannot generate signed URL for account {account}', headers=headers)

rucio 37.1.0.post1__py3-none-any.whl → 37.3.0__py3-none-any.whl

Potentially problematic release.

rucio 37.1.0.post1py3-none-any.whl → 37.3.0py3-none-any.whl