Merge branch 'master' into dependabot/github_actions/actions/setup-node-4.4.0

Author: pcrespov

api/specs/web-server/_users.py

@@ -4,31 +4,23 @@
 # pylint: disable=too-many-arguments
 
 
-from enum import Enum
 from typing import Annotated
 
-from _common import as_query
 from fastapi import APIRouter, Depends, status
 from models_library.api_schemas_webserver.users import (
+    MyFunctionPermissionsGet,
     MyPermissionGet,
     MyProfileGet,
     MyProfilePatch,
     MyTokenCreate,
     MyTokenGet,
-    UserAccountApprove,
-    UserAccountGet,
-    UserAccountReject,
-    UserAccountSearchQueryParams,
     UserGet,
-    UsersAccountListQueryParams,
     UsersSearch,
 )
 from models_library.api_schemas_webserver.users_preferences import PatchRequestBody
 from models_library.generics import Envelope
-from models_library.rest_pagination import Page
 from models_library.user_preferences import PreferenceIdentifier
 from simcore_service_webserver._meta import API_VTAG
-from simcore_service_webserver.users._common.schemas import PreRegisteredUserGet
 from simcore_service_webserver.users._notifications import (
     UserNotification,
     UserNotificationCreate,
@@ -128,6 +120,13 @@ async def mark_notification_as_read(
 async def list_user_permissions(): ...
 
 
+@router.get(
+    "/me/function-permissions",
+    response_model=Envelope[MyFunctionPermissionsGet],
+)
+async def list_user_functions_permissions(): ...
+
+
 #
 # USERS public
 #
@@ -139,56 +138,3 @@ async def list_user_permissions(): ...
     description="Search among users who are publicly visible to the caller (i.e., me) based on their privacy settings.",
 )
 async def search_users(_body: UsersSearch): ...
-
-
-#
-# USERS admin
-#
-
-_extra_tags: list[str | Enum] = ["admin"]
-
-
-@router.get(
-    "/admin/user-accounts",
-    response_model=Page[UserAccountGet],
-    tags=_extra_tags,
-)
-async def list_users_accounts(
-    _query: Annotated[as_query(UsersAccountListQueryParams), Depends()],
-): ...
-
-
-@router.post(
-    "/admin/user-accounts:approve",
-    status_code=status.HTTP_204_NO_CONTENT,
-    tags=_extra_tags,
-)
-async def approve_user_account(_body: UserAccountApprove): ...
-
-
-@router.post(
-    "/admin/user-accounts:reject",
-    status_code=status.HTTP_204_NO_CONTENT,
-    tags=_extra_tags,
-)
-async def reject_user_account(_body: UserAccountReject): ...
-
-
-@router.get(
-    "/admin/user-accounts:search",
-    response_model=Envelope[list[UserAccountGet]],
-    tags=_extra_tags,
-)
-async def search_user_accounts(
-    _query: Annotated[UserAccountSearchQueryParams, Depends()],
-):
-    # NOTE: see `Search` in `Common Custom Methods` in https://cloud.google.com/apis/design/custom_methods
-    ...
-
-
-@router.post(
-    "/admin/user-accounts:pre-register",
-    response_model=Envelope[UserAccountGet],
-    tags=_extra_tags,
-)
-async def pre_register_user_account(_body: PreRegisteredUserGet): ...

api/specs/web-server/_users_admin.py

@@ -0,0 +1,72 @@
+# pylint: disable=redefined-outer-name
+# pylint: disable=unused-argument
+# pylint: disable=unused-variable
+# pylint: disable=too-many-arguments
+
+
+from enum import Enum
+from typing import Annotated
+
+from _common import as_query
+from fastapi import APIRouter, Depends, status
+from models_library.api_schemas_webserver.users import (
+    UserAccountApprove,
+    UserAccountGet,
+    UserAccountReject,
+    UserAccountSearchQueryParams,
+    UsersAccountListQueryParams,
+)
+from models_library.generics import Envelope
+from models_library.rest_pagination import Page
+from simcore_service_webserver._meta import API_VTAG
+from simcore_service_webserver.users._common.schemas import PreRegisteredUserGet
+
+router = APIRouter(prefix=f"/{API_VTAG}", tags=["users"])
+
+_extra_tags: list[str | Enum] = ["admin"]
+
+
+@router.get(
+    "/admin/user-accounts",
+    response_model=Page[UserAccountGet],
+    tags=_extra_tags,
+)
+async def list_users_accounts(
+    _query: Annotated[as_query(UsersAccountListQueryParams), Depends()],
+): ...
+
+
+@router.post(
+    "/admin/user-accounts:approve",
+    status_code=status.HTTP_204_NO_CONTENT,
+    tags=_extra_tags,
+)
+async def approve_user_account(_body: UserAccountApprove): ...
+
+
+@router.post(
+    "/admin/user-accounts:reject",
+    status_code=status.HTTP_204_NO_CONTENT,
+    tags=_extra_tags,
+)
+async def reject_user_account(_body: UserAccountReject): ...
+
+
+@router.get(
+    "/admin/user-accounts:search",
+    response_model=Envelope[list[UserAccountGet]],
+    tags=_extra_tags,
+)
+async def search_user_accounts(
+    _query: Annotated[UserAccountSearchQueryParams, Depends()],
+):
+    # NOTE: see `Search` in `Common Custom Methods` in https://cloud.google.com/apis/design/custom_methods
+    ...
+
+
+@router.post(
+    "/admin/user-accounts:pre-register",
+    response_model=Envelope[UserAccountGet],
+    tags=_extra_tags,
+)
+async def pre_register_user_account(_body: PreRegisteredUserGet): ...

api/specs/web-server/openapi.py

@@ -26,6 +26,7 @@
         "_tags_groups",  # after _tags
         "_products",
         "_users",
+        "_users_admin",  # after _users
         "_wallets",
         # add-ons ---
         "_activity",

packages/models-library/src/models_library/api_schemas_webserver/users.py

@@ -377,3 +377,7 @@ class MyPermissionGet(OutputSchema):
     @classmethod
     def from_domain_model(cls, permission: UserPermission) -> Self:
         return cls(name=permission.name, allowed=permission.allowed)
+
+
+class MyFunctionPermissionsGet(OutputSchema):
+    write_functions: bool

packages/models-library/src/models_library/functions.py

@@ -11,6 +11,7 @@
 from models_library.products import ProductName
 from models_library.services_types import ServiceKey, ServiceVersion
 from models_library.users import UserID
+from models_library.utils.enums import StrAutoEnum
 from pydantic import BaseModel, ConfigDict, Field
 
 from .projects import ProjectID
@@ -301,6 +302,25 @@ class FunctionAccessRightsDB(BaseModel):
     )
 
 
+class FunctionUserApiAccessRights(BaseModel):
+    user_id: UserID
+    read_functions: bool = False
+    write_functions: bool = False
+    execute_functions: bool = False
+    read_function_jobs: bool = False
+    write_function_jobs: bool = False
+    execute_function_jobs: bool = False
+    read_function_job_collections: bool = False
+    write_function_job_collections: bool = False
+    execute_function_job_collections: bool = False
+
+    model_config = ConfigDict(
+        alias_generator=snake_to_camel,
+        populate_by_name=True,
+        extra="forbid",
+    )
+
+
 FunctionJobAccessRights: TypeAlias = FunctionAccessRights
 FunctionJobAccessRightsDB: TypeAlias = FunctionAccessRightsDB
 FunctionJobUserAccessRights: TypeAlias = FunctionUserAccessRights
@@ -310,3 +330,15 @@ class FunctionAccessRightsDB(BaseModel):
 FunctionJobCollectionAccessRightsDB: TypeAlias = FunctionAccessRightsDB
 FunctionJobCollectionUserAccessRights: TypeAlias = FunctionUserAccessRights
 FunctionJobCollectionGroupAccessRights: TypeAlias = FunctionGroupAccessRights
+
+
+class FunctionsApiAccessRights(StrAutoEnum):
+    READ_FUNCTIONS = "read_functions"
+    WRITE_FUNCTIONS = "write_functions"
+    EXECUTE_FUNCTIONS = "execute_functions"
+    READ_FUNCTION_JOBS = "read_function_jobs"
+    WRITE_FUNCTION_JOBS = "write_function_jobs"
+    EXECUTE_FUNCTION_JOBS = "execute_function_jobs"
+    READ_FUNCTION_JOB_COLLECTIONS = "read_function_job_collections"
+    WRITE_FUNCTION_JOB_COLLECTIONS = "write_function_job_collections"
+    EXECUTE_FUNCTION_JOB_COLLECTIONS = "execute_function_job_collections"

packages/models-library/src/models_library/functions_errors.py

@@ -99,3 +99,62 @@ class FunctionJobCollectionExecuteAccessDeniedError(FunctionBaseError):
         "Function job collection {function_job_collection_id} execute access denied for user {user_id}"
     )
     status_code: int = 403  # Forbidden
+
+
+class FunctionsReadApiAccessDeniedError(FunctionBaseError):
+    msg_template: str = "User {user_id} does not have the permission to read functions"
+    status_code: int = 403  # Forbidden
+
+
+class FunctionsWriteApiAccessDeniedError(FunctionBaseError):
+    msg_template: str = "User {user_id} does not have the permission to write functions"
+    status_code: int = 403  # Forbidden
+
+
+class FunctionsExecuteApiAccessDeniedError(FunctionBaseError):
+    msg_template: str = (
+        "User {user_id} does not have the permission to execute functions"
+    )
+    status_code: int = 403  # Forbidden
+
+
+class FunctionJobsReadApiAccessDeniedError(FunctionBaseError):
+    msg_template: str = (
+        "User {user_id} does not have the permission to read function jobs"
+    )
+    status_code: int = 403  # Forbidden
+
+
+class FunctionJobsWriteApiAccessDeniedError(FunctionBaseError):
+    msg_template: str = (
+        "User {user_id} does not have the permission to write function jobs"
+    )
+    status_code: int = 403  # Forbidden
+
+
+class FunctionJobsExecuteApiAccessDeniedError(FunctionBaseError):
+    msg_template: str = (
+        "User {user_id} does not have the permission to execute function jobs"
+    )
+    status_code: int = 403  # Forbidden
+
+
+class FunctionJobCollectionsReadApiAccessDeniedError(FunctionBaseError):
+    msg_template: str = (
+        "User {user_id} does not have the permission to read function job collections"
+    )
+    status_code: int = 403  # Forbidden
+
+
+class FunctionJobCollectionsWriteApiAccessDeniedError(FunctionBaseError):
+    msg_template: str = (
+        "User {user_id} does not have the permission to write function job collections"
+    )
+    status_code: int = 403  # Forbidden
+
+
+class FunctionJobCollectionsExecuteApiAccessDeniedError(FunctionBaseError):
+    msg_template: str = (
+        "User {user_id} does not have the permission to execute function job collections"
+    )
+    status_code: int = 403  # Forbidden

packages/postgres-database/src/simcore_postgres_database/migration/versions/4f6fd2586491_add_functions_api_access_rights.py

@@ -0,0 +1,72 @@
+"""Add functions api access rights
+
+Revision ID: 4f6fd2586491
+Revises: afb1ba08f3c2
+Create Date: 2025-06-13 12:14:59.317685+00:00
+
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "4f6fd2586491"
+down_revision = "afb1ba08f3c2"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table(
+        "funcapi_group_api_access_rights",
+        sa.Column("group_id", sa.BigInteger(), nullable=False),
+        sa.Column("product_name", sa.String(), nullable=False),
+        sa.Column("read_functions", sa.Boolean(), nullable=True),
+        sa.Column("write_functions", sa.Boolean(), nullable=True),
+        sa.Column("execute_functions", sa.Boolean(), nullable=True),
+        sa.Column("read_function_jobs", sa.Boolean(), nullable=True),
+        sa.Column("write_function_jobs", sa.Boolean(), nullable=True),
+        sa.Column("execute_function_jobs", sa.Boolean(), nullable=True),
+        sa.Column("read_function_job_collections", sa.Boolean(), nullable=True),
+        sa.Column("write_function_job_collections", sa.Boolean(), nullable=True),
+        sa.Column("execute_function_job_collections", sa.Boolean(), nullable=True),
+        sa.Column(
+            "created",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=False,
+        ),
+        sa.Column(
+            "modified",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=False,
+        ),
+        sa.ForeignKeyConstraint(
+            ["group_id"],
+            ["groups.gid"],
+            name="fk_func_access_to_groups_group_id",
+            onupdate="CASCADE",
+            ondelete="CASCADE",
+        ),
+        sa.ForeignKeyConstraint(
+            ["product_name"],
+            ["products.name"],
+            name="fk_func_access_to_products_product_name",
+            onupdate="CASCADE",
+            ondelete="CASCADE",
+        ),
+        sa.PrimaryKeyConstraint(
+            "group_id",
+            "product_name",
+            name="pk_func_group_product_name_to_api_access_rights",
+        ),
+    )
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_table("funcapi_group_api_access_rights")
+    # ### end Alembic commands ###