fractal-analytics-platform · tcompa · Sep 10, 2024 · Sep 6, 2024 · Sep 6, 2024 · Sep 6, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,22 @@
 **Note**: Numbers like (\#1234) point to closed Pull Requests on the fractal-server repository.
 
+# 2.4.0
+
+* App:
+    * Move creation of first user from application startup into `fractalctl set-db` command (\#1738).
+    * Add creation of default user group into `fractalctl set-db` command (\#1738).
+    * Create `update-db-script` for current version, that adds all users to default group (\#1738).
+* API:
+    * Added `/auth/group/` and `/auth/group-names/` routers (\#1738).
+    * Implement `/auth/users/{id}/` POST/PATCH routes in `fractal-server` (\#1738).
+    * Add `UserManager.on_after_register` hook to add new users to default user group (\#1738).
+* Database:
+    * Added new `usergroup` and `linkusergroup` tables (\#1738).
+* Internal
+    * Refactored `fractal_server.app.auth` and `fractal_server.app.security` (\#1738)/
+    * Export all relevant modules in `app.models`, since it matters e.g. for `autogenerate`-ing migration scripts (\#1738).
+
+
 # 2.3.11
 
 * SSH runner:

diff --git a/benchmarks/populate_db/populate_db_script.py b/benchmarks/populate_db/populate_db_script.py
@@ -1,14 +1,9 @@
-from passlib.context import CryptContext
-
-from fractal_server.app.db import get_sync_db
-from fractal_server.app.models.security import UserOAuth
 from fractal_server.app.schemas.user import UserCreate
 from fractal_server.app.schemas.v2 import DatasetImportV2
 from fractal_server.app.schemas.v2 import JobCreateV2
 from fractal_server.app.schemas.v2 import ProjectCreateV2
 from fractal_server.app.schemas.v2 import WorkflowCreateV2
 from fractal_server.app.schemas.v2 import WorkflowTaskCreateV2
-from scripts.client import DEFAULT_CREDENTIALS
 from scripts.client import FractalClient
 
 
@@ -37,25 +32,6 @@ def create_image_list(n_images: int) -> list:
     return images_list
 
 
-def create_first_user() -> None:
-    context = CryptContext(schemes=["bcrypt"], deprecated="auto")
-    hashed_password = context.hash(DEFAULT_CREDENTIALS["password"])
-
-    user_db = UserOAuth(
-        email=DEFAULT_CREDENTIALS["username"],
-        hashed_password=hashed_password,
-        username="admin",
-        slurm_user="slurm",
-        is_superuser=True,
-        is_verified=True,
-    )
-
-    with next(get_sync_db()) as session:
-        session.add(user_db)
-        session.commit()
-        print("Admin created!")
-
-
 def _create_user_client(
     _admin: FractalClient, user_identifier: str
 ) -> FractalClient:
@@ -255,7 +231,6 @@ def _user_flow_job(
 
 
 if __name__ == "__main__":
-    create_first_user()
     admin = FractalClient()
 
     working_task = admin.add_working_task()

diff --git a/fractal_server/__main__.py b/fractal_server/__main__.py
@@ -1,8 +1,10 @@
 import argparse as ap
+import asyncio
 import sys
 
 import uvicorn
 
+
 parser = ap.ArgumentParser(description="fractal-server commands")
 
 subparsers = parser.add_subparsers(title="Commands", dest="cmd", required=True)
@@ -75,12 +77,33 @@ def set_db():
     import alembic.config
     from pathlib import Path
     import fractal_server
+    from fractal_server.app.security import _create_first_user
+    from fractal_server.app.security import _create_first_group
+    from fractal_server.syringe import Inject
+    from fractal_server.config import get_settings
 
     alembic_ini = Path(fractal_server.__file__).parent / "alembic.ini"
     alembic_args = ["-c", alembic_ini.as_posix(), "upgrade", "head"]
-
-    print(f"Run alembic.config, with argv={alembic_args}")
+    print(f"START: Run alembic.config, with argv={alembic_args}")
     alembic.config.main(argv=alembic_args)
+    print("END: alembic.config")
+    # Insert default group
+    print("START: Default group creation")
+    _create_first_group()
+    print("END: Default group creation")
+    # NOTE: It will be fixed with #1739
+    settings = Inject(get_settings)
+    print("START: First user creation")
+    asyncio.run(
+        _create_first_user(
+            email=settings.FRACTAL_DEFAULT_ADMIN_EMAIL,
+            password=settings.FRACTAL_DEFAULT_ADMIN_PASSWORD,
+            username=settings.FRACTAL_DEFAULT_ADMIN_USERNAME,
+            is_superuser=True,
+            is_verified=True,
+        )
+    )
+    print("END: First user creation")
 
 
 def update_db_data():

diff --git a/fractal_server/app/models/__init__.py b/fractal_server/app/models/__init__.py
@@ -1,5 +1,11 @@
-from .v1 import Project  # noqa: F401
-from .v2 import ProjectV2  # noqa: F401
-
-# We include the project models to avoid issues with LinkUserProject
-# (sometimes taking place in alembic autogenerate)
+"""
+Note that this module is imported from `fractal_server/migrations/env.py`,
+thus we should always export all relevant database models from here or they
+will not be picked up by alembic.
+"""
+from .linkusergroup import LinkUserGroup  # noqa: F401
+from .linkuserproject import LinkUserProject  # noqa: F401
+from .linkuserproject import LinkUserProjectV2  # noqa: F401
+from .security import *  # noqa
+from .v1 import *  # noqa
+from .v2 import *  # noqa
diff --git a/fractal_server/app/models/linkusergroup.py b/fractal_server/app/models/linkusergroup.py
@@ -0,0 +1,11 @@
+from sqlmodel import Field
+from sqlmodel import SQLModel
+
+
+class LinkUserGroup(SQLModel, table=True):
+    """
+    Crossing table between User and UserGroup
+    """
+
+    group_id: int = Field(foreign_key="usergroup.id", primary_key=True)
+    user_id: int = Field(foreign_key="user_oauth.id", primary_key=True)
diff --git a/fractal_server/app/models/security.py b/fractal_server/app/models/security.py
@@ -9,19 +9,23 @@
 #
 # Copyright 2022 (C) Friedrich Miescher Institute for Biomedical Research and
 # University of Zurich
+from datetime import datetime
 from typing import Optional
 
 from pydantic import EmailStr
 from sqlalchemy import Column
+from sqlalchemy.types import DateTime
 from sqlalchemy.types import JSON
 from sqlmodel import Field
 from sqlmodel import Relationship
 from sqlmodel import SQLModel
 
+from fractal_server.utils import get_timestamp
+
 
 class OAuthAccount(SQLModel, table=True):
     """
-    OAuth account model
+    ORM model for OAuth accounts (`oauthaccount` database table).
 
     This class is based on fastapi_users_db_sqlmodel::SQLModelBaseOAuthAccount.
     Original Copyright: 2021 François Voron, released under MIT licence.
@@ -56,7 +60,7 @@ class Config:
 
 class UserOAuth(SQLModel, table=True):
     """
-    User model
+    ORM model for the `user_oauth` database table.
 
     This class is a modification of SQLModelBaseUserDB from from
     fastapi_users_db_sqlmodel. Original Copyright: 2022 François Voron,
@@ -74,7 +78,6 @@ class UserOAuth(SQLModel, table=True):
         cache_dir:
         username:
         oauth_accounts:
-        project_list:
     """
 
     __tablename__ = "user_oauth"
@@ -103,3 +106,21 @@ class UserOAuth(SQLModel, table=True):
 
     class Config:
         orm_mode = True
+
+
+class UserGroup(SQLModel, table=True):
+    """
+    ORM model for the `usergroup` database table.
+
+    Attributes:
+        id: ID of the group
+        name: Name of the group
+        timestamp_created: Time of creation
+    """
+
+    id: Optional[int] = Field(default=None, primary_key=True)
+    name: str = Field(unique=True)
+    timestamp_created: datetime = Field(
+        default_factory=get_timestamp,
+        sa_column=Column(DateTime(timezone=True), nullable=False),
+    )
diff --git a/fractal_server/app/models/v1/project.py b/fractal_server/app/models/v1/project.py
@@ -10,7 +10,7 @@
 from . import LinkUserProject
 from ....utils import get_timestamp
 from ...schemas.v1.project import _ProjectBaseV1
-from ..security import UserOAuth
+from fractal_server.app.models import UserOAuth
 
 
 class Project(_ProjectBaseV1, SQLModel, table=True):

diff --git a/fractal_server/app/models/v2/project.py b/fractal_server/app/models/v2/project.py
@@ -7,9 +7,9 @@
 from sqlmodel import Relationship
 from sqlmodel import SQLModel
 
-from . import LinkUserProjectV2
-from ....utils import get_timestamp
-from ..security import UserOAuth
+from .. import LinkUserProjectV2
+from fractal_server.app.models import UserOAuth
+from fractal_server.utils import get_timestamp
 
 
 class ProjectV2(SQLModel, table=True):

diff --git a/fractal_server/app/routes/admin/v1.py b/fractal_server/app/routes/admin/v1.py
@@ -21,7 +21,6 @@
 from ....zip_tools import _zip_folder_to_byte_stream_iterator
 from ...db import AsyncSession
 from ...db import get_async_db
-from ...models.security import UserOAuth as User
 from ...models.v1 import ApplyWorkflow
 from ...models.v1 import Dataset
 from ...models.v1 import JobStatusTypeV1
@@ -33,9 +32,10 @@
 from ...schemas.v1 import DatasetReadV1
 from ...schemas.v1 import ProjectReadV1
 from ...schemas.v1 import WorkflowReadV1
-from ...security import current_active_superuser
 from ..aux._job import _write_shutdown_file
 from ..aux._runner import _check_shutdown_is_supported
+from fractal_server.app.models import UserOAuth
+from fractal_server.app.routes.auth import current_active_superuser
 
 router_admin_v1 = APIRouter()
 
@@ -63,7 +63,7 @@ async def view_project(
     user_id: Optional[int] = None,
     timestamp_created_min: Optional[datetime] = None,
     timestamp_created_max: Optional[datetime] = None,
-    user: User = Depends(current_active_superuser),
+    user: UserOAuth = Depends(current_active_superuser),
     db: AsyncSession = Depends(get_async_db),
 ) -> list[ProjectReadV1]:
     """
@@ -80,7 +80,7 @@ async def view_project(
         stm = stm.where(Project.id == id)
 
     if user_id is not None:
-        stm = stm.where(Project.user_list.any(User.id == user_id))
+        stm = stm.where(Project.user_list.any(UserOAuth.id == user_id))
     if timestamp_created_min is not None:
         timestamp_created_min = _convert_to_db_timestamp(timestamp_created_min)
         stm = stm.where(Project.timestamp_created >= timestamp_created_min)
@@ -103,7 +103,7 @@ async def view_workflow(
     name_contains: Optional[str] = None,
     timestamp_created_min: Optional[datetime] = None,
     timestamp_created_max: Optional[datetime] = None,
-    user: User = Depends(current_active_superuser),
+    user: UserOAuth = Depends(current_active_superuser),
     db: AsyncSession = Depends(get_async_db),
 ) -> list[WorkflowReadV1]:
     """
@@ -119,7 +119,7 @@ async def view_workflow(
 
     if user_id is not None:
         stm = stm.join(Project).where(
-            Project.user_list.any(User.id == user_id)
+            Project.user_list.any(UserOAuth.id == user_id)
         )
     if id is not None:
         stm = stm.where(Workflow.id == id)
@@ -153,7 +153,7 @@ async def view_dataset(
     type: Optional[str] = None,
     timestamp_created_min: Optional[datetime] = None,
     timestamp_created_max: Optional[datetime] = None,
-    user: User = Depends(current_active_superuser),
+    user: UserOAuth = Depends(current_active_superuser),
     db: AsyncSession = Depends(get_async_db),
 ) -> list[DatasetReadV1]:
     """
@@ -170,7 +170,7 @@ async def view_dataset(
 
     if user_id is not None:
         stm = stm.join(Project).where(
-            Project.user_list.any(User.id == user_id)
+            Project.user_list.any(UserOAuth.id == user_id)
         )
     if id is not None:
         stm = stm.where(Dataset.id == id)
@@ -211,7 +211,7 @@ async def view_job(
     end_timestamp_min: Optional[datetime] = None,
     end_timestamp_max: Optional[datetime] = None,
     log: bool = True,
-    user: User = Depends(current_active_superuser),
+    user: UserOAuth = Depends(current_active_superuser),
     db: AsyncSession = Depends(get_async_db),
 ) -> list[ApplyWorkflowReadV1]:
     """
@@ -243,7 +243,7 @@ async def view_job(
         stm = stm.where(ApplyWorkflow.id == id)
     if user_id is not None:
         stm = stm.join(Project).where(
-            Project.user_list.any(User.id == user_id)
+            Project.user_list.any(UserOAuth.id == user_id)
         )
     if project_id is not None:
         stm = stm.where(ApplyWorkflow.project_id == project_id)
@@ -282,7 +282,7 @@ async def view_job(
 async def view_single_job(
     job_id: int = None,
     show_tmp_logs: bool = False,
-    user: User = Depends(current_active_superuser),
+    user: UserOAuth = Depends(current_active_superuser),
     db: AsyncSession = Depends(get_async_db),
 ) -> ApplyWorkflowReadV1:
 
@@ -311,7 +311,7 @@ async def view_single_job(
 async def update_job(
     job_update: ApplyWorkflowUpdateV1,
     job_id: int,
-    user: User = Depends(current_active_superuser),
+    user: UserOAuth = Depends(current_active_superuser),
     db: AsyncSession = Depends(get_async_db),
 ) -> Optional[ApplyWorkflowReadV1]:
     """
@@ -344,7 +344,7 @@ async def update_job(
 @router_admin_v1.get("/job/{job_id}/stop/", status_code=202)
 async def stop_job(
     job_id: int,
-    user: User = Depends(current_active_superuser),
+    user: UserOAuth = Depends(current_active_superuser),
     db: AsyncSession = Depends(get_async_db),
 ) -> Response:
     """
@@ -371,7 +371,7 @@ async def stop_job(
 )
 async def download_job_logs(
     job_id: int,
-    user: User = Depends(current_active_superuser),
+    user: UserOAuth = Depends(current_active_superuser),
     db: AsyncSession = Depends(get_async_db),
 ) -> StreamingResponse:
     """