tests: airflow 3 opa auth manager (and some reformatting)

Author: razvan

airflow/Dockerfile

@@ -11,18 +11,29 @@ FROM oci.stackable.tech/sdp/git-sync/git-sync:${GIT_SYNC} AS gitsync-image
 
 FROM stackable/image/shared/statsd-exporter AS statsd_exporter-builder
 
-FROM python:3.12-bookworm AS opa-auth-manager-builder
+FROM stackable/image/vector AS opa-auth-manager-builder
 
 ARG OPA_AUTH_MANAGER
+ARG PYTHON
 ARG UV
 
 COPY airflow/opa-auth-manager/${OPA_AUTH_MANAGER} /tmp/opa-auth-manager
 
 WORKDIR /tmp/opa-auth-manager
 
 RUN <<EOF
-pip install --no-cache-dir uv==${UV}
-uv run pytest
+microdnf update
+microdnf install python${PYTHON}-pip
+microdnf clean all
+
+pip${PYTHON} install --no-cache-dir uv==${UV}
+
+# This folder is required by the tests to set up an sqlite database
+mkdir /root/airflow
+
+# Warnings are disabled because they come from various third party testing libraries
+# that we have no control over.
+uv run pytest --disable-warnings
 uv build
 EOF
 

airflow/opa-auth-manager/airflow-3/opa_auth_manager/opa_fab_auth_manager.py

@@ -2,15 +2,15 @@
 Custom Auth manager for Airflow
 """
 
-from airflow.providers.fab.auth_manager.models import User
-from airflow.providers.fab.auth_manager.fab_auth_manager import FabAuthManager
+import json
+from typing import Optional, Union
 
+import requests
 from airflow.api_fastapi.auth.managers.base_auth_manager import ResourceMethod
-from airflow.configuration import conf
 from airflow.api_fastapi.auth.managers.models.resource_details import (
     AccessView,
-    AssetDetails,
     AssetAliasDetails,
+    AssetDetails,
     BackfillDetails,
     ConfigurationDetails,
     ConnectionDetails,
@@ -19,13 +19,13 @@
     PoolDetails,
     VariableDetails,
 )
+from airflow.configuration import conf
+from airflow.providers.fab.auth_manager.fab_auth_manager import FabAuthManager
+from airflow.providers.fab.auth_manager.models import User
 from airflow.stats import Stats
 from airflow.utils.log.logging_mixin import LoggingMixin
 from cachetools import TTLCache, cachedmethod
-from typing import Optional, Union
 from overrides import override
-import json
-import requests
 
 METRIC_NAME_OPA_CACHE_LIMIT_REACHED = "opa_cache_limit_reached"
 
@@ -246,7 +246,6 @@ def is_authorized_dag(
         :param user: the user to perform the action on. If not provided (or None), it uses the
             current user
         """
-
         self.log.debug("Check is_authorized_dag")
 
         if not access_entity:
@@ -259,6 +258,23 @@ def is_authorized_dag(
         else:
             dag_id = details.id
 
+        print(
+            OpaInput(
+                {
+                    "input": {
+                        "method": method,
+                        "access_entity": entity,
+                        "details": {
+                            "id": dag_id,
+                        },
+                        "user": {
+                            "id": user.get_id(),
+                            "name": user.get_name(),
+                        },
+                    }
+                }
+            ).to_dict()
+        )
         return self._is_authorized_in_opa(
             "is_authorized_dag",
             OpaInput(

airflow/opa-auth-manager/airflow-3/pyproject.toml

@@ -3,24 +3,20 @@ name = "opa-auth-manager"
 version = "0.1.0"
 description = "Auth manager for Airflow 3 which delegates the authorization to an Open Policy Agent"
 authors = [
-    { name = "Siegfried Weber", email="[email protected]"},
-    { name = "Razvan Daniel Mihai", email="[email protected]"}
+    { name = "Siegfried Weber", email = "[email protected]" },
+    { name = "Razvan Daniel Mihai", email = "[email protected]" },
 ]
 readme = "README.md"
 requires-python = ">=3.12,<3.13"
 
-dependencies = [
-    "requests==2.32.*",
-    "cachetools==5.5.*",
-    "overrides==7.7.*",
-]
+dependencies = ["requests==2.32.*", "cachetools==5.5.*", "overrides==7.7.*"]
 
 [dependency-groups]
 dev = [
     "apache-airflow~=3.0.1",
-    "pylint==3.3.*",
+    "apache-airflow-devel-common<=0.1.1",
     "apache-airflow-providers-fab==2.0.*",
-    "pytest~=8.3.3"
+    "pytest~=8.3.3",
 ]
 
 [build-system]

airflow/opa-auth-manager/airflow-3/tests/test_opa_fab_auth_manager.py

@@ -1,4 +1,230 @@
-def test_todo():
-    # This is a placeholder test function.
-    # Replace with actual test logic.
-    assert True
+#
+# To make these tests relevant we would have to package the OPA auth manager as
+# an Airflow provider and use `breeze` to set up a docker environment with Airflow
+# and an SQLite database.
+#
+# Then we could run these tests against the Airflow instance and use the Airflow API to
+# actually test the effect of Rego policies on user authorization.
+#
+from unittest import mock
+from unittest.mock import Mock
+
+import pytest
+from airflow.api_fastapi.auth.managers.models.resource_details import (
+    DagAccessEntity,
+    DagDetails,
+)
+from airflow.providers.fab.www.extensions.init_appbuilder import init_appbuilder
+from airflow.providers.fab.www.security.permissions import (
+    ACTION_CAN_CREATE,
+    ACTION_CAN_DELETE,
+    ACTION_CAN_EDIT,
+    ACTION_CAN_READ,
+    RESOURCE_DAG,
+    RESOURCE_DAG_RUN,
+    RESOURCE_TASK_INSTANCE,
+)
+from flask import Flask
+from tests_common.test_utils.config import conf_vars
+
+from opa_auth_manager.opa_fab_auth_manager import OpaFabAuthManager
+
+
+@pytest.fixture
+def flask_app():
+    with conf_vars(
+        {
+            (
+                "core",
+                "auth_manager",
+            ): "opa_auth_manager.opa_fab_auth_manager.OpaFabAuthManager",
+        }
+    ):
+        yield Flask(__name__)
+
+
+@pytest.fixture
+def auth_manager_with_appbuilder(flask_app):
+    flask_app.config["AUTH_RATE_LIMITED"] = False
+    flask_app.config["SERVER_NAME"] = "localhost"
+
+    appbuilder = init_appbuilder(flask_app, enable_plugins=False)
+    auth_manager = OpaFabAuthManager()
+    auth_manager.appbuilder = appbuilder
+    auth_manager.init_flask_resources()
+    return auth_manager
+
+
+class TestOpaFabAuthManager:
+    @pytest.mark.parametrize(
+        "method, dag_access_entity, dag_details, user_permissions, expected_opa_result, expected_result",
+        [
+            # Scenario 1 #
+            # With global permissions on Dags
+            (
+                "GET",
+                None,
+                None,
+                [(ACTION_CAN_READ, RESOURCE_DAG)],
+                True,
+                True,
+            ),
+            # On specific DAG with global permissions on Dags
+            (
+                "GET",
+                None,
+                DagDetails(id="test_dag_id"),
+                [(ACTION_CAN_READ, RESOURCE_DAG)],
+                True,
+                True,
+            ),
+            # With permission on a specific DAG
+            (
+                "GET",
+                None,
+                DagDetails(id="test_dag_id"),
+                [
+                    (ACTION_CAN_READ, "DAG:test_dag_id"),
+                    (ACTION_CAN_READ, "DAG:test_dag_id2"),
+                ],
+                True,
+                True,
+            ),
+            # Without permission on a specific DAG (wrong method)
+            (
+                "POST",
+                None,
+                DagDetails(id="test_dag_id"),
+                [(ACTION_CAN_READ, "DAG:test_dag_id")],
+                False,
+                False,
+            ),
+            # Without permission on a specific DAG
+            (
+                "GET",
+                None,
+                DagDetails(id="test_dag_id2"),
+                [(ACTION_CAN_READ, "DAG:test_dag_id")],
+                False,
+                False,
+            ),
+            # Without permission on DAGs
+            (
+                "GET",
+                None,
+                None,
+                [(ACTION_CAN_READ, "resource_test")],
+                False,
+                False,
+            ),
+            # Scenario 2 #
+            # With global permissions on DAGs
+            (
+                "GET",
+                DagAccessEntity.RUN,
+                DagDetails(id="test_dag_id"),
+                [(ACTION_CAN_READ, RESOURCE_DAG), (ACTION_CAN_READ, RESOURCE_DAG_RUN)],
+                True,
+                True,
+            ),
+            # Without read permissions on a specific DAG
+            (
+                "GET",
+                DagAccessEntity.TASK_INSTANCE,
+                DagDetails(id="test_dag_id"),
+                [(ACTION_CAN_READ, RESOURCE_TASK_INSTANCE)],
+                False,
+                False,
+            ),
+            # With read permissions on a specific DAG but not on the DAG run
+            (
+                "GET",
+                DagAccessEntity.TASK_INSTANCE,
+                DagDetails(id="test_dag_id"),
+                [
+                    (ACTION_CAN_READ, "DAG:test_dag_id"),
+                    (ACTION_CAN_READ, RESOURCE_TASK_INSTANCE),
+                ],
+                False,
+                False,
+            ),
+            # With read permissions on a specific DAG but not on the DAG run
+            (
+                "GET",
+                DagAccessEntity.TASK_INSTANCE,
+                DagDetails(id="test_dag_id"),
+                [
+                    (ACTION_CAN_READ, "DAG:test_dag_id"),
+                    (ACTION_CAN_READ, RESOURCE_TASK_INSTANCE),
+                    (ACTION_CAN_READ, RESOURCE_DAG_RUN),
+                ],
+                True,
+                True,
+            ),
+            # With edit permissions on a specific DAG and read on the DAG access entity
+            (
+                "DELETE",
+                DagAccessEntity.TASK,
+                DagDetails(id="test_dag_id"),
+                [
+                    (ACTION_CAN_EDIT, "DAG:test_dag_id"),
+                    (ACTION_CAN_DELETE, RESOURCE_TASK_INSTANCE),
+                ],
+                True,
+                True,
+            ),
+            # With edit permissions on a specific DAG and read on the DAG access entity
+            (
+                "POST",
+                DagAccessEntity.RUN,
+                DagDetails(id="test_dag_id"),
+                [
+                    (ACTION_CAN_EDIT, "DAG:test_dag_id"),
+                    (ACTION_CAN_CREATE, RESOURCE_DAG_RUN),
+                ],
+                True,
+                True,
+            ),
+            # Without permissions to edit the DAG
+            (
+                "POST",
+                DagAccessEntity.RUN,
+                DagDetails(id="test_dag_id"),
+                [(ACTION_CAN_CREATE, RESOURCE_DAG_RUN)],
+                False,
+                False,
+            ),
+            # Without read permissions on a specific DAG
+            (
+                "GET",
+                DagAccessEntity.TASK_LOGS,
+                DagDetails(id="test_dag_id"),
+                [(ACTION_CAN_READ, RESOURCE_TASK_INSTANCE)],
+                False,
+                False,
+            ),
+        ],
+    )
+    def test_is_authorized_dag(
+        self,
+        method,
+        dag_access_entity,
+        dag_details,
+        user_permissions,
+        expected_opa_result,
+        expected_result,
+        auth_manager_with_appbuilder,
+    ):
+        user = Mock()
+        user.perms = user_permissions
+        with mock.patch.object(
+            OpaFabAuthManager, "_is_authorized_in_opa"
+        ) as mock_is_authorized_in_opa:
+            mock_is_authorized_in_opa.return_value = expected_opa_result
+            result = auth_manager_with_appbuilder.is_authorized_dag(
+                method=method,
+                access_entity=dag_access_entity,
+                details=dag_details,
+                user=user,
+            )
+            assert result == expected_result