Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(embedded): API get embedded dashboard config by uuid #19650

Merged
merged 5 commits into from
Apr 12, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
105 changes: 105 additions & 0 deletions superset/embedded/api.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,105 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
import logging
from typing import Optional

from flask import Response
from flask_appbuilder.api import expose, protect, safe
from flask_appbuilder.hooks import before_request
from flask_appbuilder.models.sqla.interface import SQLAInterface

from superset import is_feature_enabled
from superset.constants import MODEL_API_RW_METHOD_PERMISSION_MAP, RouteMethod
from superset.dashboards.schemas import EmbeddedDashboardResponseSchema
from superset.embedded.dao import EmbeddedDAO
from superset.embedded_dashboard.commands.exceptions import (
EmbeddedDashboardNotFoundError,
)
from superset.extensions import event_logger
from superset.models.embedded_dashboard import EmbeddedDashboard
from superset.reports.logs.schemas import openapi_spec_methods_override
from superset.views.base_api import BaseSupersetModelRestApi, statsd_metrics

logger = logging.getLogger(__name__)


class EmbeddedDashboardRestApi(BaseSupersetModelRestApi):
datamodel = SQLAInterface(EmbeddedDashboard)

@before_request
def ensure_embedded_enabled(self) -> Optional[Response]:
if not is_feature_enabled("EMBEDDED_SUPERSET"):
return self.response_404()
return None

include_route_methods = RouteMethod.GET
class_permission_name = "EmbeddedDashboard"
method_permission_name = MODEL_API_RW_METHOD_PERMISSION_MAP

resource_name = "embedded_dashboard"
allow_browser_login = True

openapi_spec_tag = "Embedded Dashboard"
openapi_spec_methods = openapi_spec_methods_override

embedded_response_schema = EmbeddedDashboardResponseSchema()

@expose("/<uuid>", methods=["GET"])
@protect()
@safe
@statsd_metrics
@event_logger.log_this_with_context(
action=lambda self, *args, **kwargs: f"{self.__class__.__name__}.get_embedded",
log_to_statsd=False,
)
# pylint: disable=arguments-differ, arguments-renamed)
def get(self, uuid: str) -> Response:
"""Response
Returns the dashboard's embedded configuration
---
get:
description: >-
Returns the dashboard's embedded configuration
parameters:
- in: path
schema:
type: string
name: uuid
description: The embedded configuration uuid
responses:
200:
description: Result contains the embedded dashboard configuration
content:
application/json:
schema:
type: object
properties:
result:
$ref: '#/components/schemas/EmbeddedDashboardResponseSchema'
401:
$ref: '#/components/responses/404'
500:
$ref: '#/components/responses/500'
"""
try:
embedded = EmbeddedDAO.find_by_id(uuid)
if not embedded:
raise EmbeddedDashboardNotFoundError()
result = self.embedded_response_schema.dump(embedded)
return self.response(200, result=result)
except EmbeddedDashboardNotFoundError:
return self.response_404()
34 changes: 34 additions & 0 deletions superset/embedded_dashboard/commands/exceptions.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
from typing import Optional

from flask_babel import lazy_gettext as _

from superset.commands.exceptions import ForbiddenError, ObjectNotFoundError


class EmbeddedDashboardNotFoundError(ObjectNotFoundError):
def __init__(
self,
embedded_dashboard_uuid: Optional[str] = None,
exception: Optional[Exception] = None,
) -> None:
super().__init__("EmbeddedDashboard", embedded_dashboard_uuid, exception)


class EmbeddedDashboardAccessDeniedError(ForbiddenError):
message = _("You don't have access to this embedded dashboard config.")
2 changes: 2 additions & 0 deletions superset/initialization/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,7 @@ def init_views(self) -> None:
from superset.datasets.api import DatasetRestApi
from superset.datasets.columns.api import DatasetColumnsRestApi
from superset.datasets.metrics.api import DatasetMetricRestApi
from superset.embedded.api import EmbeddedDashboardRestApi
from superset.embedded.view import EmbeddedView
from superset.explore.form_data.api import ExploreFormDataRestApi
from superset.explore.permalink.api import ExplorePermalinkRestApi
Expand Down Expand Up @@ -208,6 +209,7 @@ def init_views(self) -> None:
appbuilder.add_api(DatasetRestApi)
appbuilder.add_api(DatasetColumnsRestApi)
appbuilder.add_api(DatasetMetricRestApi)
appbuilder.add_api(EmbeddedDashboardRestApi)
appbuilder.add_api(ExploreFormDataRestApi)
appbuilder.add_api(ExplorePermalinkRestApi)
appbuilder.add_api(FilterSetRestApi)
Expand Down
8 changes: 7 additions & 1 deletion superset/security/api.py
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,9 @@
from marshmallow import EXCLUDE, fields, post_load, Schema, ValidationError
from marshmallow_enum import EnumField

from superset.embedded_dashboard.commands.exceptions import (
EmbeddedDashboardNotFoundError,
)
from superset.extensions import event_logger
from superset.security.guest_token import GuestTokenResourceType

Expand Down Expand Up @@ -142,13 +145,16 @@ def guest_token(self) -> Response:
"""
try:
body = guest_token_create_schema.load(request.json)
self.appbuilder.sm.validate_guest_token_resources(body["resources"])

# todo validate stuff:
# make sure the resource ids are valid
# make sure username doesn't reference an existing user
# check rls rules for validity?
token = self.appbuilder.sm.create_guest_access_token(
body["user"], body["resources"], body["rls"]
)
return self.response(200, token=token)
except EmbeddedDashboardNotFoundError as error:
return self.response_400(message=error.message)
except ValidationError as error:
return self.response_400(message=error.messages)
18 changes: 18 additions & 0 deletions superset/security/manager.py
Original file line number Diff line number Diff line change
Expand Up @@ -1313,6 +1313,24 @@ def _get_guest_token_jwt_audience() -> str:
audience = audience()
return audience

@staticmethod
def validate_guest_token_resources(resources: GuestTokenResources) -> None:
# pylint: disable=import-outside-toplevel
from superset.embedded.dao import EmbeddedDAO
from superset.embedded_dashboard.commands.exceptions import (
EmbeddedDashboardNotFoundError,
)
from superset.models.dashboard import Dashboard

for resource in resources:
if resource["type"] == GuestTokenResourceType.DASHBOARD.value:
# TODO (embedded): remove this check once uuids are rolled out
dashboard = Dashboard.get(str(resource["id"]))
if not dashboard:
embedded = EmbeddedDAO.find_by_id(str(resource["id"]))
if not embedded:
raise EmbeddedDashboardNotFoundError()

def create_guest_access_token(
self,
user: GuestTokenUser,
Expand Down
53 changes: 53 additions & 0 deletions tests/integration_tests/embedded/api_tests.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# isort:skip_file
"""Tests for security api methods"""
from unittest import mock

import pytest

from superset import db
from superset.embedded.dao import EmbeddedDAO
from superset.models.dashboard import Dashboard
from tests.integration_tests.base_tests import SupersetTestCase
from tests.integration_tests.fixtures.birth_names_dashboard import (
load_birth_names_dashboard_with_slices,
load_birth_names_data,
)


class TestEmbeddedDashboardApi(SupersetTestCase):
resource_name = "embedded_dashboard"

@pytest.mark.usefixtures("load_birth_names_dashboard_with_slices")
@mock.patch.dict(
"superset.extensions.feature_flag_manager._feature_flags",
EMBEDDED_SUPERSET=True,
)
def test_get_embedded_dashboard(self):
self.login("admin")
self.dash = db.session.query(Dashboard).filter_by(slug="births").first()
self.embedded = EmbeddedDAO.upsert(self.dash, [])
uri = f"api/v1/{self.resource_name}/{self.embedded.uuid}"
response = self.client.get(uri)
self.assert200(response)

def test_get_embedded_dashboard_non_found(self):
self.login("admin")
uri = f"api/v1/{self.resource_name}/bad-uuid"
response = self.client.get(uri)
self.assert404(response)
29 changes: 27 additions & 2 deletions tests/integration_tests/security/api_tests.py
Original file line number Diff line number Diff line change
Expand Up @@ -19,10 +19,18 @@
import json

import jwt
import pytest

from tests.integration_tests.base_tests import SupersetTestCase
from flask_wtf.csrf import generate_csrf
from superset import db
from superset.embedded.dao import EmbeddedDAO
from superset.models.dashboard import Dashboard
from superset.utils.urls import get_url_host
from tests.integration_tests.base_tests import SupersetTestCase
from tests.integration_tests.fixtures.birth_names_dashboard import (
load_birth_names_dashboard_with_slices,
load_birth_names_data,
)


class TestSecurityCsrfApi(SupersetTestCase):
Expand Down Expand Up @@ -78,10 +86,13 @@ def test_post_guest_token_unauthorized(self):
response = self.client.post(self.uri)
self.assert403(response)

@pytest.mark.usefixtures("load_birth_names_dashboard_with_slices")
def test_post_guest_token_authorized(self):
self.dash = db.session.query(Dashboard).filter_by(slug="births").first()
self.embedded = EmbeddedDAO.upsert(self.dash, [])
self.login(username="admin")
user = {"username": "bob", "first_name": "Bob", "last_name": "Also Bob"}
resource = {"type": "dashboard", "id": "blah"}
resource = {"type": "dashboard", "id": str(self.embedded.uuid)}
rls_rule = {"dataset": 1, "clause": "1=1"}
params = {"user": user, "resources": [resource], "rls": [rls_rule]}

Expand All @@ -99,3 +110,17 @@ def test_post_guest_token_authorized(self):
)
self.assertEqual(user, decoded_token["user"])
self.assertEqual(resource, decoded_token["resources"][0])

@pytest.mark.usefixtures("load_birth_names_dashboard_with_slices")
def test_post_guest_token_bad_resources(self):
self.login(username="admin")
user = {"username": "bob", "first_name": "Bob", "last_name": "Also Bob"}
resource = {"type": "dashboard", "id": "bad-id"}
rls_rule = {"dataset": 1, "clause": "1=1"}
params = {"user": user, "resources": [resource], "rls": [rls_rule]}

response = self.client.post(
self.uri, data=json.dumps(params), content_type="application/json"
)

self.assert400(response)