This is an automated email from the ASF dual-hosted git repository. jhtimmins pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push: new 79b4bc9 Removes unused state transitions to handle auto-changing view permissions. (#19153) 79b4bc9 is described below commit 79b4bc9f5288221837d4bebc0b6ac8a7cc85d341 Author: James Timmins <ja...@astronomer.io> AuthorDate: Tue Nov 2 09:04:01 2021 -0700 Removes unused state transitions to handle auto-changing view permissions. (#19153) * Remove unused FAB state transitions. * Remove unused FAB constant. --- airflow/www/fab_security/manager.py | 148 ------------------------------------ 1 file changed, 148 deletions(-) diff --git a/airflow/www/fab_security/manager.py b/airflow/www/fab_security/manager.py index 1d4ef8f..460099c 100644 --- a/airflow/www/fab_security/manager.py +++ b/airflow/www/fab_security/manager.py @@ -39,7 +39,6 @@ from flask_appbuilder.const import ( LOGMSG_WAR_SEC_LOGIN_FAILED, LOGMSG_WAR_SEC_NO_USER, LOGMSG_WAR_SEC_NOLDAP_OBJ, - PERMISSION_PREFIX, ) from flask_appbuilder.security.api import SecurityApi from flask_appbuilder.security.registerviews import ( @@ -1466,153 +1465,6 @@ class BaseSecurityManager: self.remove_permission_from_role(role, permission) self.delete_permission(permission.action.name, resource.name) self.delete_resource(resource.name) - self.security_converge(baseviews, menus) - - @staticmethod - def _get_new_old_permissions(baseview) -> Dict: - ret = {} - for method_name, permission_name in baseview.method_permission_name.items(): - old_permission_name = baseview.previous_method_permission_name.get(method_name) - # Actions do not get prefix when normally defined - if hasattr(baseview, "actions") and baseview.actions.get(old_permission_name): - permission_prefix = "" - else: - permission_prefix = PERMISSION_PREFIX - if old_permission_name: - if PERMISSION_PREFIX + permission_name not in ret: - ret[PERMISSION_PREFIX + permission_name] = {permission_prefix + old_permission_name} - else: - ret[PERMISSION_PREFIX + permission_name].add(permission_prefix + old_permission_name) - return ret - - @staticmethod - def _add_state_transition( - state_transition: Dict, - old_resource_name: str, - old_action_name: str, - resource_name: str, - action_name: str, - ) -> None: - old_perm = state_transition["add"].get((old_resource_name, old_action_name)) - if old_perm: - state_transition["add"][(old_resource_name, old_action_name)].add((resource_name, action_name)) - else: - state_transition["add"][(old_resource_name, old_action_name)] = {(resource_name, action_name)} - state_transition["del_role_pvm"].add((old_resource_name, old_action_name)) - state_transition["del_views"].add(old_resource_name) - state_transition["del_perms"].add(old_action_name) - - @staticmethod - def _update_del_transitions(state_transitions: Dict, baseviews: List) -> None: - """ - Mutates state_transitions, loop baseviews and prunes all - views and permissions that are not to delete because references - exist. - - :param baseview: - :param state_transitions: - :return: - """ - for baseview in baseviews: - state_transitions["del_views"].discard(baseview.class_permission_name) - for permission in baseview.base_permissions: - state_transitions["del_role_pvm"].discard((baseview.class_permission_name, permission)) - state_transitions["del_perms"].discard(permission) - - def create_state_transitions(self, baseviews: List, menus: List) -> Dict: - """ - Creates a Dict with all the necessary vm/permission transitions - - Dict: { - "add": {(<VM>, <PERM>): ((<VM>, PERM), ... )} - "del_role_pvm": ((<VM>, <PERM>), ...) - "del_views": (<VM>, ... ) - "del_perms": (<PERM>, ... ) - } - - :param baseviews: List with all the registered BaseView, BaseApi - :param menus: List with all the menu entries - :return: Dict with state transitions - """ - state_transitions = { - "add": {}, - "del_role_pvm": set(), - "del_views": set(), - "del_perms": set(), - } - for baseview in baseviews: - add_all_flag = False - new_view_name = baseview.class_permission_name - permission_mapping = self._get_new_old_permissions(baseview) - if baseview.previous_class_permission_name: - old_view_name = baseview.previous_class_permission_name - add_all_flag = True - else: - new_view_name = baseview.class_permission_name - old_view_name = new_view_name - for new_perm_name in baseview.base_permissions: - if add_all_flag: - old_perm_names = permission_mapping.get(new_perm_name) - old_perm_names = old_perm_names or (new_perm_name,) - for old_perm_name in old_perm_names: - self._add_state_transition( - state_transitions, - old_view_name, - old_perm_name, - new_view_name, - new_perm_name, - ) - else: - old_perm_names = permission_mapping.get(new_perm_name) or set() - for old_perm_name in old_perm_names: - self._add_state_transition( - state_transitions, - old_view_name, - old_perm_name, - new_view_name, - new_perm_name, - ) - self._update_del_transitions(state_transitions, baseviews) - return state_transitions - - def security_converge(self, baseviews: List, menus: List, dry=False) -> Dict: - """ - Converges overridden permissions on all registered views/api - will compute all necessary operations from `class_permissions_name`, - `previous_class_permission_name`, method_permission_name`, - `previous_method_permission_name` class attributes. - - :param baseviews: List of registered views/apis - :param menus: List of menu items - :param dry: If True will not change DB - :return: Dict with the necessary operations (state_transitions) - """ - state_transitions = self.create_state_transitions(baseviews, menus) - if dry: - return state_transitions - if not state_transitions: - log.info("No state transitions found") - return {} - log.debug(f"State transitions: {state_transitions}") - roles = self.get_all_roles() - for role in roles: - perms = list(role.permissions) - for perm in perms: - new_perm_states = state_transitions["add"].get((perm.resource.name, perm.action.name)) - if not new_perm_states: - continue - for new_perm_state in new_perm_states: - new_perm = self.create_permission(new_perm_state[1], new_perm_state[0]) - self.add_permission_to_role(role, new_perm) - if (perm.resource.name, perm.permission.name) in state_transitions["del_role_pvm"]: - self.remove_permission_from_role(role, perm) - for perm in state_transitions["del_role_pvm"]: - self.delete_permission(perm[1], perm[0], cascade=False) - for resource_name in state_transitions["del_views"]: - self.delete_resource(resource_name) - for action_name in state_transitions["del_perms"]: - self.delete_action(action_name) - return state_transitions def find_register_user(self, registration_hash): """Generic function to return user registration"""