Add a check_write_permissions option to update function job/out 🐛 (#8325)

Author: wvangeit

packages/service-library/src/servicelib/rabbitmq/rpc_interfaces/webserver/functions/functions_rpc_interface.py

@@ -1,4 +1,5 @@
 import logging
+from typing import Literal
 
 from models_library.api_schemas_webserver import WEBSERVER_RPC_NAMESPACE
 from models_library.api_schemas_webserver.functions import (
@@ -18,6 +19,7 @@
 )
 from models_library.functions import (
     FunctionClass,
+    FunctionGroupAccessRights,
     FunctionJobStatus,
     FunctionOutputs,
     FunctionUserAccessRights,
@@ -418,6 +420,7 @@ async def update_function_job_status(
     product_name: ProductName,
     function_job_id: FunctionJobID,
     job_status: FunctionJobStatus,
+    check_write_permissions: bool = True,
 ) -> FunctionJobStatus:
     result = await rabbitmq_rpc_client.request(
         WEBSERVER_RPC_NAMESPACE,
@@ -426,6 +429,7 @@ async def update_function_job_status(
         job_status=job_status,
         user_id=user_id,
         product_name=product_name,
+        check_write_permissions=check_write_permissions,
     )
     return TypeAdapter(FunctionJobStatus).validate_python(result)
 
@@ -438,6 +442,7 @@ async def update_function_job_outputs(
     product_name: ProductName,
     function_job_id: FunctionJobID,
     outputs: FunctionOutputs,
+    check_write_permissions: bool = True,
 ) -> FunctionOutputs:
     result = await rabbitmq_rpc_client.request(
         WEBSERVER_RPC_NAMESPACE,
@@ -446,6 +451,7 @@ async def update_function_job_outputs(
         outputs=outputs,
         user_id=user_id,
         product_name=product_name,
+        check_write_permissions=check_write_permissions,
     )
     return TypeAdapter(FunctionOutputs).validate_python(result)
 
@@ -578,3 +584,37 @@ async def get_functions_user_api_access_rights(
         product_name=product_name,
     )
     return TypeAdapter(FunctionUserApiAccessRights).validate_python(result)
+
+
+@log_decorator(_logger, level=logging.DEBUG)
+async def set_group_permissions(
+    rabbitmq_rpc_client: RabbitMQRPCClient,
+    *,
+    user_id: UserID,
+    product_name: ProductName,
+    object_type: Literal["function", "function_job", "function_job_collection"],
+    object_ids: list[FunctionID | FunctionJobID | FunctionJobCollectionID],
+    permission_group_id: int,
+    read: bool | None = None,
+    write: bool | None = None,
+    execute: bool | None = None,
+) -> list[
+    tuple[
+        FunctionID | FunctionJobID | FunctionJobCollectionID, FunctionGroupAccessRights
+    ]
+]:
+    result = await rabbitmq_rpc_client.request(
+        WEBSERVER_RPC_NAMESPACE,
+        TypeAdapter(RPCMethodName).validate_python("set_group_permissions"),
+        user_id=user_id,
+        product_name=product_name,
+        object_type=object_type,
+        object_ids=object_ids,
+        permission_group_id=permission_group_id,
+        read=read,
+        write=write,
+        execute=execute,
+    )
+    return TypeAdapter(
+        list[tuple[FunctionID | FunctionJobID, FunctionGroupAccessRights]]
+    ).validate_python(result)

services/api-server/src/simcore_service_api_server/_service_function_jobs.py

@@ -203,6 +203,7 @@ async def inspect_function_job(
             user_id=self.user_id,
             product_name=self.product_name,
             job_status=new_job_status,
+            check_write_permissions=False,
         )
 
     async def create_function_job_inputs(  # pylint: disable=no-self-use
@@ -529,4 +530,5 @@ async def function_job_outputs(
             user_id=user_id,
             product_name=product_name,
             outputs=new_outputs,
+            check_write_permissions=False,
         )

services/api-server/src/simcore_service_api_server/services_rpc/wb_api_server.py

@@ -587,13 +587,15 @@ async def update_function_job_status(
         user_id: UserID,
         product_name: ProductName,
         job_status: FunctionJobStatus,
+        check_write_permissions: bool = True,
     ) -> FunctionJobStatus:
         return await functions_rpc_interface.update_function_job_status(
             self._client,
             function_job_id=function_job_id,
             user_id=user_id,
             product_name=product_name,
             job_status=job_status,
+            check_write_permissions=check_write_permissions,
         )
 
     async def update_function_job_outputs(
@@ -603,13 +605,15 @@ async def update_function_job_outputs(
         user_id: UserID,
         product_name: ProductName,
         outputs: FunctionOutputs,
+        check_write_permissions: bool = True,
     ) -> FunctionOutputs:
         return await functions_rpc_interface.update_function_job_outputs(
             self._client,
             function_job_id=function_job_id,
             user_id=user_id,
             product_name=product_name,
             outputs=outputs,
+            check_write_permissions=check_write_permissions,
         )
 
     async def find_cached_function_jobs(

services/web/server/src/simcore_service_webserver/functions/_controller/_functions_rest.py

@@ -169,7 +169,7 @@ async def register_function(request: web.Request) -> web.Response:
 @login_required
 @permission_required("function.read")
 @handle_rest_requests_exceptions
-async def list_functions(request: web.Request) -> web.Response:
+async def list_functions(request: web.Request) -> web.Response:  # noqa: C901
     query_params: FunctionsListQueryParams = parse_request_query_parameters_as(
         FunctionsListQueryParams, request
     )

services/web/server/src/simcore_service_webserver/functions/_controller/_functions_rpc.py

@@ -1,9 +1,12 @@
+from typing import Literal
+
 from aiohttp import web
 from models_library.api_schemas_webserver import WEBSERVER_RPC_NAMESPACE
 from models_library.functions import (
     Function,
     FunctionAccessRights,
     FunctionClass,
+    FunctionGroupAccessRights,
     FunctionID,
     FunctionInputs,
     FunctionInputSchema,
@@ -43,6 +46,7 @@
     UnsupportedFunctionClassError,
     UnsupportedFunctionJobClassError,
 )
+from models_library.groups import GroupID
 from models_library.products import ProductName
 from models_library.rest_ordering import OrderBy
 from models_library.rest_pagination import PageMetaInfoLimitOffset
@@ -495,39 +499,55 @@ async def get_function_job_outputs(
     )
 
 
-@router.expose(reraise_if_error_type=(FunctionJobIDNotFoundError,))
+@router.expose(
+    reraise_if_error_type=(
+        FunctionJobIDNotFoundError,
+        FunctionJobWriteAccessDeniedError,
+        FunctionJobReadAccessDeniedError,
+    )
+)
 async def update_function_job_status(
     app: web.Application,
     *,
     user_id: UserID,
     product_name: ProductName,
     function_job_id: FunctionJobID,
     job_status: FunctionJobStatus,
+    check_write_permissions: bool = True,
 ) -> FunctionJobStatus:
     return await _functions_service.update_function_job_status(
         app=app,
         user_id=user_id,
         product_name=product_name,
         function_job_id=function_job_id,
         job_status=job_status,
+        check_write_permissions=check_write_permissions,
     )
 
 
-@router.expose(reraise_if_error_type=(FunctionJobIDNotFoundError,))
+@router.expose(
+    reraise_if_error_type=(
+        FunctionJobIDNotFoundError,
+        FunctionJobWriteAccessDeniedError,
+        FunctionJobReadAccessDeniedError,
+    )
+)
 async def update_function_job_outputs(
     app: web.Application,
     *,
     user_id: UserID,
     product_name: ProductName,
     function_job_id: FunctionJobID,
     outputs: FunctionOutputs,
+    check_write_permissions: bool = True,
 ) -> FunctionOutputs:
     return await _functions_service.update_function_job_outputs(
         app=app,
         user_id=user_id,
         product_name=product_name,
         function_job_id=function_job_id,
         outputs=outputs,
+        check_write_permissions=check_write_permissions,
     )
 
 
@@ -586,3 +606,33 @@ async def get_functions_user_api_access_rights(
 async def register_rpc_routes_on_startup(app: web.Application):
     rpc_server = get_rabbitmq_rpc_server(app)
     await rpc_server.register_router(router, WEBSERVER_RPC_NAMESPACE, app)
+
+
+@router.expose(reraise_if_error_type=())
+async def set_group_permissions(
+    app: web.Application,
+    *,
+    user_id: UserID,
+    permission_group_id: GroupID,
+    product_name: ProductName,
+    object_type: Literal["function", "function_job", "function_job_collection"],
+    object_ids: list[FunctionID | FunctionJobID | FunctionJobCollectionID],
+    read: bool | None = None,
+    write: bool | None = None,
+    execute: bool | None = None,
+) -> list[
+    tuple[
+        FunctionID | FunctionJobID | FunctionJobCollectionID, FunctionGroupAccessRights
+    ]
+]:
+    return await _functions_service.set_group_permissions(
+        app=app,
+        user_id=user_id,
+        permission_group_id=permission_group_id,
+        product_name=product_name,
+        object_type=object_type,
+        object_ids=object_ids,
+        read=read,
+        write=write,
+        execute=execute,
+    )

services/web/server/src/simcore_service_webserver/functions/_functions_repository.py

@@ -663,22 +663,10 @@ async def update_function_job_status(
     app: web.Application,
     connection: AsyncConnection | None = None,
     *,
-    user_id: UserID,
-    product_name: ProductName,
     function_job_id: FunctionJobID,
     job_status: FunctionJobStatus,
 ) -> FunctionJobStatus:
     async with transaction_context(get_asyncpg_engine(app), connection) as transaction:
-        await check_user_permissions(
-            app,
-            connection=transaction,
-            user_id=user_id,
-            product_name=product_name,
-            object_type="function_job",
-            object_id=function_job_id,
-            permissions=["write"],
-        )
-
         result = await transaction.execute(
             function_jobs_table.update()
             .where(function_jobs_table.c.uuid == function_job_id)
@@ -697,22 +685,10 @@ async def update_function_job_outputs(
     app: web.Application,
     connection: AsyncConnection | None = None,
     *,
-    user_id: UserID,
-    product_name: ProductName,
     function_job_id: FunctionJobID,
     outputs: FunctionOutputs,
 ) -> FunctionOutputs:
     async with transaction_context(get_asyncpg_engine(app), connection) as transaction:
-        await check_user_permissions(
-            app,
-            connection=transaction,
-            user_id=user_id,
-            product_name=product_name,
-            object_type="function_job",
-            object_id=function_job_id,
-            permissions=["write"],
-        )
-
         result = await transaction.execute(
             function_jobs_table.update()
             .where(function_jobs_table.c.uuid == function_job_id)
@@ -1141,11 +1117,15 @@ async def set_group_permissions(
     permission_group_id: GroupID,
     product_name: ProductName,
     object_type: Literal["function", "function_job", "function_job_collection"],
-    object_ids: list[UUID],
+    object_ids: list[FunctionID | FunctionJobID | FunctionJobCollectionID],
     read: bool | None = None,
     write: bool | None = None,
     execute: bool | None = None,
-) -> list[tuple[UUID, FunctionGroupAccessRights]]:
+) -> list[
+    tuple[
+        FunctionID | FunctionJobID | FunctionJobCollectionID, FunctionGroupAccessRights
+    ]
+]:
     async with pass_or_acquire_connection(get_asyncpg_engine(app), connection) as conn:
         for object_id in object_ids:
             await check_user_permissions(
@@ -1245,8 +1225,13 @@ async def _internal_get_group_permissions(
     *,
     product_name: ProductName,
     object_type: Literal["function", "function_job", "function_job_collection"],
-    object_ids: list[UUID],
-) -> list[tuple[UUID, list[FunctionGroupAccessRights]]]:
+    object_ids: list[FunctionID | FunctionJobID | FunctionJobCollectionID],
+) -> list[
+    tuple[
+        FunctionID | FunctionJobID | FunctionJobCollectionID,
+        list[FunctionGroupAccessRights],
+    ]
+]:
     access_rights_table = None
     field_name = None
     if object_type == "function":