Skip to content

feat: add missing CRUD hooks and auth event hooks #2450

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dpgaspar wants to merge 1 commit into
base: master
Choose a base branch
from
Open

feat: add missing CRUD hooks and auth event hooks #2450

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions flask_appbuilder/security/manager.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -975,6 +975,27 @@ def reset_password(self, userid, password):
)
self.update_user(user)

def on_user_login(self, user) -> None:
"""Called after a successful user login.
Override to add custom logic (e.g., audit logging).

:param user: The authenticated user model
"""

def on_user_login_failed(self, user) -> None:
"""Called after a failed user login attempt.
Override to add custom logic (e.g., audit logging).

:param user: The identified (but not authenticated) user model
"""

def on_user_logout(self, user) -> None:
"""Called when a user logs out.
Override to add custom logic (e.g., audit logging).

:param user: The user model that is logging out
"""

def update_user_auth_stat(self, user, success=True):
"""
Update user authentication stats upon successful/unsuccessful
Expand All @@ -997,8 +1018,10 @@ def update_user_auth_stat(self, user, success=True):
user.login_count += 1
user.last_login = datetime.datetime.now()
user.fail_login_count = 0
self.on_user_login(user)
else:
user.fail_login_count += 1
self.on_user_login_failed(user)
self.update_user(user)

def auth_user_db(self, username, password):
Expand Down
2 changes: 2 additions & 0 deletions flask_appbuilder/security/sqla/apis/group/api.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -120,6 +120,7 @@ def post(self):

self.pre_add(model)
self.datamodel.add(model)
self.post_add(model)

return self.response(201, id=model.id)

Expand Down Expand Up @@ -216,6 +217,7 @@ def put(self, pk):
model.users = users
self.pre_update(model)
self.datamodel.edit(model)
self.post_update(model)
return self.response(
200,
**{API_RESULT_RES_KEY: self.edit_model_schema.dump(item, many=False)},
Expand Down
2 changes: 2 additions & 0 deletions flask_appbuilder/security/sqla/apis/user/api.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -165,6 +165,7 @@ def post(self):

self.pre_add(model)
self.datamodel.add(model)
self.post_add(model)
return self.response(201, id=model.id)
except ValidationError as error:
return self.response_400(message=error.messages)
Expand Down Expand Up @@ -281,6 +282,7 @@ def put(self, pk):

self.pre_update(model, item)
self.datamodel.edit(model)
self.post_update(model)
return self.response(
200,
**{API_RESULT_RES_KEY: self.edit_model_schema.dump(item, many=False)},
Expand Down
28 changes: 28 additions & 0 deletions flask_appbuilder/security/views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -577,9 +577,22 @@ class AuthView(BaseView):
def login(self):
pass

def _get_authenticated_user(self):
"""Resolve the current user before logout clears the session.
Returns the User model or None if not authenticated.
Note: g.user is a LocalProxy that becomes anonymous after
logout_user(), so we must resolve it beforehand.
"""
if g.user is not None and g.user.is_authenticated:
return self.appbuilder.sm.get_user_by_id(g.user.id)
return None

@expose("/logout/")
def logout(self):
user = self._get_authenticated_user()
logout_user()
if user is not None:
self.appbuilder.sm.on_user_logout(user)
return redirect(
current_app.config.get(
"LOGOUT_REDIRECT_URL", self.appbuilder.get_url_for_index
Expand Down Expand Up @@ -865,7 +878,10 @@ def slo(self) -> WerkzeugResponse:
try:
idp = session.get("saml_idp")
if not idp:
user = self._get_authenticated_user()
logout_user()
if user is not None:
self.appbuilder.sm.on_user_logout(user)
return redirect(self.appbuilder.get_url_for_index)

url, should_logout = self.appbuilder.sm.get_saml_logout_redirect_url(
Expand All @@ -874,16 +890,25 @@ def slo(self) -> WerkzeugResponse:
session_index=session.get("saml_session_index"),
)
if should_logout:
user = self._get_authenticated_user()
logout_user()
if user is not None:
self.appbuilder.sm.on_user_logout(user)
return redirect(url or self.appbuilder.get_url_for_index)

except (OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError) as e:
log.error("SAML SLO validation error: %s", e)
user = self._get_authenticated_user()
logout_user()
if user is not None:
self.appbuilder.sm.on_user_logout(user)
return redirect(self.appbuilder.get_url_for_index)
except ValueError as e:
log.error("SAML SLO configuration error: %s", e)
user = self._get_authenticated_user()
logout_user()
if user is not None:
self.appbuilder.sm.on_user_logout(user)
return redirect(self.appbuilder.get_url_for_index)

@expose("/logout/")
Expand All @@ -895,7 +920,10 @@ def logout(self) -> WerkzeugResponse:
return redirect(url_for(".slo"))
except Exception:
pass
user = self._get_authenticated_user()
logout_user()
if user is not None:
self.appbuilder.sm.on_user_logout(user)
return redirect(
current_app.config.get(
"LOGOUT_REDIRECT_URL", self.appbuilder.get_url_for_index
Expand Down
245 changes: 245 additions & 0 deletions tests/test_hooks.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,245 @@
import logging
import os
from unittest.mock import MagicMock
import uuid

from flask import Flask
from flask_appbuilder import AppBuilder
from flask_appbuilder.security.sqla.models import Group, User
from flask_appbuilder.utils.legacy import get_sqla_class
from tests.base import FABTestCase
from tests.const import PASSWORD_ADMIN, USERNAME_ADMIN


log = logging.getLogger(__name__)


def _uid():
return uuid.uuid4().hex[:8]


class UserApiHooksTestCase(FABTestCase):
"""Test that post_add and post_update hooks are called on UserApi."""

def setUp(self):
self.app = Flask(__name__)
self.basedir = os.path.abspath(os.path.dirname(__file__))
self.app.config.from_object("tests.config_security_api")

self.ctx = self.app.app_context()
self.ctx.push()
SQLA = get_sqla_class()
self.db = SQLA(self.app)
self.appbuilder = AppBuilder(self.app, self.db.session)
self.create_default_users(self.appbuilder)

# Patch hooks on the registered UserApi view
self.user_api = None
for view in self.appbuilder.baseviews:
if view.__class__.__name__ == "UserApi":
self.user_api = view
break
self.assertIsNotNone(self.user_api, "UserApi view not found")
self.user_api.post_add = MagicMock()
self.user_api.post_update = MagicMock()
self._created_users = []

def tearDown(self):
for username in self._created_users:
user = self.appbuilder.sm.find_user(username=username)
if user:
self.appbuilder.session.delete(user)
self.appbuilder.session.commit()
self.ctx.pop()

def test_post_add_called_on_create_user(self):
client = self.app.test_client()
token = self.login(client, USERNAME_ADMIN, PASSWORD_ADMIN)

uid = _uid()
role = self.appbuilder.sm.find_role("Admin")
username = f"hook_add_{uid}"
payload = {
"active": True,
"email": f"hook_add_{uid}@fab.com",
"first_name": "hook",
"last_name": "test",
"password": "password",
"roles": [role.id],
"username": username,
}
rv = self.auth_client_post(client, token, "api/v1/security/users/", payload)
self.assertEqual(rv.status_code, 201)
self._created_users.append(username)
self.user_api.post_add.assert_called_once()
called_model = self.user_api.post_add.call_args[0][0]
self.assertIsInstance(called_model, User)
self.assertEqual(called_model.username, username)

def test_post_update_called_on_edit_user(self):
client = self.app.test_client()
token = self.login(client, USERNAME_ADMIN, PASSWORD_ADMIN)

uid = _uid()
edit_username = f"hook_edit_{uid}"
role = self.appbuilder.sm.find_role("Admin")
user = self.appbuilder.sm.add_user(
username=edit_username,
first_name="hook",
last_name="edit",
email=f"hook_edit_{uid}@fab.com",
role=role,
password="password",
)
self._created_users.append(edit_username)

rv = self.auth_client_put(
client,
token,
f"api/v1/security/users/{user.id}",
{"first_name": "updated_hook"},
)
self.assertEqual(rv.status_code, 200)
self.user_api.post_update.assert_called_once()
called_model = self.user_api.post_update.call_args[0][0]
self.assertIsInstance(called_model, User)
self.assertEqual(called_model.first_name, "updated_hook")


class GroupApiHooksTestCase(FABTestCase):
"""Test that post_add and post_update hooks are called on GroupApi."""

def setUp(self):
self.app = Flask(__name__)
self.basedir = os.path.abspath(os.path.dirname(__file__))
self.app.config.from_object("tests.config_api")
self.app.config["FAB_ADD_SECURITY_API"] = True

self.ctx = self.app.app_context()
self.ctx.push()
SQLA = get_sqla_class()
self.db = SQLA(self.app)
self.appbuilder = AppBuilder(self.app, self.db.session)
self.create_default_users(self.appbuilder)

# Patch hooks on the registered GroupApi view
self.group_api = None
for view in self.appbuilder.baseviews:
if view.__class__.__name__ == "GroupApi":
self.group_api = view
break
self.assertIsNotNone(self.group_api, "GroupApi view not found")
self.group_api.post_add = MagicMock()
self.group_api.post_update = MagicMock()

def tearDown(self):
groups = self.appbuilder.session.query(Group).all()
for group in groups:
group.users = []
group.roles = []
self.appbuilder.session.delete(group)
self.appbuilder.session.commit()
self.appbuilder.session.close()
self.ctx.pop()

def test_post_add_called_on_create_group(self):
client = self.app.test_client()
token = self.login(client, USERNAME_ADMIN, PASSWORD_ADMIN)

payload = {
"name": "hook_test_group",
"label": "Hook Test",
"description": "Test group for hooks",
}
rv = self.auth_client_post(client, token, "api/v1/security/groups/", payload)
self.assertEqual(rv.status_code, 201)
self.group_api.post_add.assert_called_once()
called_model = self.group_api.post_add.call_args[0][0]
self.assertIsInstance(called_model, Group)
self.assertEqual(called_model.name, "hook_test_group")

def test_post_update_called_on_edit_group(self):
client = self.app.test_client()
token = self.login(client, USERNAME_ADMIN, PASSWORD_ADMIN)

group = self.appbuilder.sm.add_group("hook_edit_group", "label", "description")
self.appbuilder.session.commit()

rv = self.auth_client_put(
client,
token,
f"api/v1/security/groups/{group.id}",
{"label": "updated_label"},
)
self.assertEqual(rv.status_code, 200)
self.group_api.post_update.assert_called_once()
called_model = self.group_api.post_update.call_args[0][0]
self.assertIsInstance(called_model, Group)


class AuthEventHooksTestCase(FABTestCase):
"""Test on_user_login, on_user_login_failed, and on_user_logout hooks."""

def setUp(self):
self.app = Flask(__name__)
self.basedir = os.path.abspath(os.path.dirname(__file__))
self.app.config.from_object("tests.config_security_api")

self.ctx = self.app.app_context()
self.ctx.push()
SQLA = get_sqla_class()
self.db = SQLA(self.app)
self.appbuilder = AppBuilder(self.app, self.db.session)
self.create_default_users(self.appbuilder)

# Patch auth hooks on the security manager
self.appbuilder.sm.on_user_login = MagicMock()
self.appbuilder.sm.on_user_login_failed = MagicMock()
self.appbuilder.sm.on_user_logout = MagicMock()

def tearDown(self):
self.ctx.pop()

def test_on_user_login_called_on_successful_login(self):
client = self.app.test_client()
rv = self._login(client, USERNAME_ADMIN, PASSWORD_ADMIN)
self.assertEqual(rv.status_code, 200)

self.appbuilder.sm.on_user_login.assert_called_once()
called_user = self.appbuilder.sm.on_user_login.call_args[0][0]
self.assertEqual(called_user.username, USERNAME_ADMIN)
self.appbuilder.sm.on_user_login_failed.assert_not_called()

def test_on_user_login_failed_called_on_bad_password(self):
client = self.app.test_client()
rv = self._login(client, USERNAME_ADMIN, "wrong_password")
self.assertEqual(rv.status_code, 401)

self.appbuilder.sm.on_user_login_failed.assert_called_once()
called_user = self.appbuilder.sm.on_user_login_failed.call_args[0][0]
self.assertEqual(called_user.username, USERNAME_ADMIN)
self.appbuilder.sm.on_user_login.assert_not_called()

def test_on_user_logout_called_on_logout(self):
client = self.app.test_client()
# Login via browser (session-based) so logout works
self.browser_login(client, USERNAME_ADMIN, PASSWORD_ADMIN)

# Verify user is logged in by accessing a protected resource
rv = client.get("/logout/", follow_redirects=False)
self.assertIn(rv.status_code, (301, 302))

self.appbuilder.sm.on_user_logout.assert_called_once()
called_user = self.appbuilder.sm.on_user_logout.call_args[0][0]
self.assertIsNotNone(called_user)
self.assertEqual(called_user.username, USERNAME_ADMIN)

def test_hooks_receive_correct_user_object(self):
"""Verify hooks receive the actual User model instance."""
client = self.app.test_client()
rv = self._login(client, USERNAME_ADMIN, PASSWORD_ADMIN)
self.assertEqual(rv.status_code, 200)

called_user = self.appbuilder.sm.on_user_login.call_args[0][0]
self.assertIsInstance(called_user, User)
self.assertTrue(called_user.is_authenticated)
Loading