jason810496 commented on code in PR #57199: URL: https://github.com/apache/airflow/pull/57199#discussion_r2462738507
########## providers/fab/src/airflow/providers/fab/auth_manager/api_fastapi/routes/roles.py: ########## @@ -0,0 +1,64 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +from __future__ import annotations + +from fastapi import Depends +from starlette import status +from starlette.exceptions import HTTPException + +from airflow.api_fastapi.app import get_auth_manager +from airflow.api_fastapi.common.router import AirflowRouter +from airflow.api_fastapi.core_api.openapi.exceptions import create_openapi_http_exception_doc +from airflow.api_fastapi.core_api.security import get_user +from airflow.providers.fab.auth_manager.api_fastapi.datamodels.roles import RoleBody, RoleResponse +from airflow.providers.fab.auth_manager.api_fastapi.services.roles import FABAuthManagerRoles +from airflow.providers.fab.auth_manager.cli_commands.utils import get_application_builder +from airflow.providers.fab.www.security import permissions + +roles_router = AirflowRouter(prefix="/fab/v1", tags=["FabAuthManager"]) + + +def requires_fab_custom_view(method: str, resource_name: str): + def _check(user=Depends(get_user)): + if not get_auth_manager().is_authorized_custom_view( + method=method, resource_name=resource_name, user=user + ): + raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Forbidden") + + return _check + + +@roles_router.post( + "/roles", + response_model=RoleResponse, + status_code=status.HTTP_200_OK, Review Comment: if we already added the `-> RoleResponse` type annotation, then we don't need the `response_model=RoleResponse`. ```suggestion ``` ########## providers/fab/src/airflow/providers/fab/auth_manager/api_fastapi/routes/roles.py: ########## @@ -0,0 +1,64 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +from __future__ import annotations + +from fastapi import Depends +from starlette import status +from starlette.exceptions import HTTPException + +from airflow.api_fastapi.app import get_auth_manager +from airflow.api_fastapi.common.router import AirflowRouter +from airflow.api_fastapi.core_api.openapi.exceptions import create_openapi_http_exception_doc +from airflow.api_fastapi.core_api.security import get_user +from airflow.providers.fab.auth_manager.api_fastapi.datamodels.roles import RoleBody, RoleResponse +from airflow.providers.fab.auth_manager.api_fastapi.services.roles import FABAuthManagerRoles +from airflow.providers.fab.auth_manager.cli_commands.utils import get_application_builder +from airflow.providers.fab.www.security import permissions + +roles_router = AirflowRouter(prefix="/fab/v1", tags=["FabAuthManager"]) + + +def requires_fab_custom_view(method: str, resource_name: str): + def _check(user=Depends(get_user)): + if not get_auth_manager().is_authorized_custom_view( + method=method, resource_name=resource_name, user=user + ): + raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Forbidden") + + return _check + Review Comment: It would be better to move the `requires_fab_custom_view` to service module as well. Since Airflow Core API follows this convension. ########## providers/fab/src/airflow/providers/fab/auth_manager/api_fastapi/routes/roles.py: ########## @@ -0,0 +1,64 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +from __future__ import annotations + +from fastapi import Depends +from starlette import status +from starlette.exceptions import HTTPException Review Comment: ```suggestion from fastapi import Depends, HTTPException, status ``` ########## providers/fab/src/airflow/providers/fab/auth_manager/api_fastapi/routes/roles.py: ########## @@ -0,0 +1,64 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +from __future__ import annotations + +from fastapi import Depends +from starlette import status +from starlette.exceptions import HTTPException + +from airflow.api_fastapi.app import get_auth_manager +from airflow.api_fastapi.common.router import AirflowRouter +from airflow.api_fastapi.core_api.openapi.exceptions import create_openapi_http_exception_doc +from airflow.api_fastapi.core_api.security import get_user +from airflow.providers.fab.auth_manager.api_fastapi.datamodels.roles import RoleBody, RoleResponse +from airflow.providers.fab.auth_manager.api_fastapi.services.roles import FABAuthManagerRoles +from airflow.providers.fab.auth_manager.cli_commands.utils import get_application_builder +from airflow.providers.fab.www.security import permissions + +roles_router = AirflowRouter(prefix="/fab/v1", tags=["FabAuthManager"]) + + +def requires_fab_custom_view(method: str, resource_name: str): + def _check(user=Depends(get_user)): + if not get_auth_manager().is_authorized_custom_view( + method=method, resource_name=resource_name, user=user + ): + raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Forbidden") + + return _check + + +@roles_router.post( + "/roles", + response_model=RoleResponse, + status_code=status.HTTP_200_OK, + responses=create_openapi_http_exception_doc( + [ + status.HTTP_400_BAD_REQUEST, + status.HTTP_401_UNAUTHORIZED, + status.HTTP_403_FORBIDDEN, + status.HTTP_409_CONFLICT, + status.HTTP_422_UNPROCESSABLE_CONTENT, Review Comment: ```suggestion ``` The 200 and 422 status codes are already included in FastAPI internally. ########## providers/fab/tests/unit/fab/auth_manager/api_fastapi/routes/test_roles.py: ########## @@ -0,0 +1,124 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +from __future__ import annotations + +import types +from contextlib import contextmanager +from unittest.mock import MagicMock, patch + +import pytest + +from airflow.api_fastapi.core_api.security import get_user +from airflow.providers.fab.auth_manager.api_fastapi.datamodels.roles import RoleResponse + + +@contextmanager +def _noop_cm(): + yield None + + [email protected]_test +class TestRoles: + @patch("airflow.providers.fab.auth_manager.api_fastapi.routes.roles.FABAuthManagerRoles") + @patch("airflow.providers.fab.auth_manager.api_fastapi.routes.roles.get_auth_manager") + @patch( + "airflow.providers.fab.auth_manager.api_fastapi.routes.roles.get_application_builder", + return_value=_noop_cm(), + ) + def test_create_role(self, mock_get_application_builder, mock_get_auth_manager, mock_roles, test_client): + dummy_user = types.SimpleNamespace(id=1, username="tester") + test_client.app.dependency_overrides[get_user] = lambda: dummy_user + + mgr = MagicMock() + mgr.is_authorized_custom_view.return_value = True + mock_get_auth_manager.return_value = mgr + + dummy_out = RoleResponse(name="my_new_role", permissions=[]) + mock_roles.create_role.return_value = dummy_out + + try: + resp = test_client.post("/fab/v1/roles", json={"name": "my_new_role", "actions": []}) + assert resp.status_code == 200 + assert resp.json() == dummy_out.model_dump(by_alias=True) + mock_roles.create_role.assert_called_once() + finally: + test_client.app.dependency_overrides.pop(get_user, None) + + @patch("airflow.providers.fab.auth_manager.api_fastapi.routes.roles.get_auth_manager") + @patch( + "airflow.providers.fab.auth_manager.api_fastapi.routes.roles.get_application_builder", + return_value=_noop_cm(), + ) + def test_create_role_forbidden(self, mock_get_application_builder, mock_get_auth_manager, test_client): + dummy_user = types.SimpleNamespace(id=1, username="tester") + test_client.app.dependency_overrides[get_user] = lambda: dummy_user + + mgr = MagicMock() + mgr.is_authorized_custom_view.return_value = False + mock_get_auth_manager.return_value = mgr + + try: + resp = test_client.post("/fab/v1/roles", json={"name": "r", "actions": []}) + assert resp.status_code == 403 + assert resp.json()["detail"] == "Forbidden" + finally: + test_client.app.dependency_overrides.pop(get_user, None) + + @patch("airflow.providers.fab.auth_manager.api_fastapi.routes.roles.FABAuthManagerRoles") + @patch("airflow.providers.fab.auth_manager.api_fastapi.routes.roles.get_auth_manager") + @patch( + "airflow.providers.fab.auth_manager.api_fastapi.routes.roles.get_application_builder", + return_value=_noop_cm(), + ) + def test_create_role_validation_422_empty_name( + self, mock_get_application_builder, mock_get_auth_manager, mock_roles, test_client + ): + dummy_user = types.SimpleNamespace(id=1, username="tester") + test_client.app.dependency_overrides[get_user] = lambda: dummy_user + mgr = MagicMock() + mgr.is_authorized_custom_view.return_value = True + mock_get_auth_manager.return_value = mgr + + try: + resp = test_client.post("/fab/v1/roles", json={"name": "", "actions": []}) + assert resp.status_code == 422 + mock_roles.create_role.assert_not_called() + finally: + test_client.app.dependency_overrides.pop(get_user, None) + + @patch("airflow.providers.fab.auth_manager.api_fastapi.routes.roles.FABAuthManagerRoles") + @patch("airflow.providers.fab.auth_manager.api_fastapi.routes.roles.get_auth_manager") + @patch( + "airflow.providers.fab.auth_manager.api_fastapi.routes.roles.get_application_builder", + return_value=_noop_cm(), + ) + def test_create_role_validation_422_missing_name( + self, mock_get_application_builder, mock_get_auth_manager, mock_roles, test_client + ): + dummy_user = types.SimpleNamespace(id=1, username="tester") + test_client.app.dependency_overrides[get_user] = lambda: dummy_user + mgr = MagicMock() + mgr.is_authorized_custom_view.return_value = True + mock_get_auth_manager.return_value = mgr Review Comment: It seems we could consolidate the duplicate `dependency_overrides` setup as a helper function. Or maybe refactor as a new fixture that reference `test_client` fixture, then we could also handle the `test_client.app.dependency_overrides.pop` teardown in the new fixture as well. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
