Skip to content

Commit

Permalink
feat(embedded): API get embedded dashboard config by uuid (#19650)
Browse files Browse the repository at this point in the history
* feat(embedded): get embedded dashboard config by uuid

* add tests and validation

* remove accidentally commit

* fix tests
  • Loading branch information
Lily Kuang authored Apr 12, 2022
1 parent 59dda1f commit 224769b
Show file tree
Hide file tree
Showing 7 changed files with 246 additions and 3 deletions.
105 changes: 105 additions & 0 deletions superset/embedded/api.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,105 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
import logging
from typing import Optional

from flask import Response
from flask_appbuilder.api import expose, protect, safe
from flask_appbuilder.hooks import before_request
from flask_appbuilder.models.sqla.interface import SQLAInterface

from superset import is_feature_enabled
from superset.constants import MODEL_API_RW_METHOD_PERMISSION_MAP, RouteMethod
from superset.dashboards.schemas import EmbeddedDashboardResponseSchema
from superset.embedded.dao import EmbeddedDAO
from superset.embedded_dashboard.commands.exceptions import (
EmbeddedDashboardNotFoundError,
)
from superset.extensions import event_logger
from superset.models.embedded_dashboard import EmbeddedDashboard
from superset.reports.logs.schemas import openapi_spec_methods_override
from superset.views.base_api import BaseSupersetModelRestApi, statsd_metrics

logger = logging.getLogger(__name__)


class EmbeddedDashboardRestApi(BaseSupersetModelRestApi):
datamodel = SQLAInterface(EmbeddedDashboard)

@before_request
def ensure_embedded_enabled(self) -> Optional[Response]:
if not is_feature_enabled("EMBEDDED_SUPERSET"):
return self.response_404()
return None

include_route_methods = RouteMethod.GET
class_permission_name = "EmbeddedDashboard"
method_permission_name = MODEL_API_RW_METHOD_PERMISSION_MAP

resource_name = "embedded_dashboard"
allow_browser_login = True

openapi_spec_tag = "Embedded Dashboard"
openapi_spec_methods = openapi_spec_methods_override

embedded_response_schema = EmbeddedDashboardResponseSchema()

@expose("/<uuid>", methods=["GET"])
@protect()
@safe
@statsd_metrics
@event_logger.log_this_with_context(
action=lambda self, *args, **kwargs: f"{self.__class__.__name__}.get_embedded",
log_to_statsd=False,
)
# pylint: disable=arguments-differ, arguments-renamed)
def get(self, uuid: str) -> Response:
"""Response
Returns the dashboard's embedded configuration
---
get:
description: >-
Returns the dashboard's embedded configuration
parameters:
- in: path
schema:
type: string
name: uuid
description: The embedded configuration uuid
responses:
200:
description: Result contains the embedded dashboard configuration
content:
application/json:
schema:
type: object
properties:
result:
$ref: '#/components/schemas/EmbeddedDashboardResponseSchema'
401:
$ref: '#/components/responses/404'
500:
$ref: '#/components/responses/500'
"""
try:
embedded = EmbeddedDAO.find_by_id(uuid)
if not embedded:
raise EmbeddedDashboardNotFoundError()
result = self.embedded_response_schema.dump(embedded)
return self.response(200, result=result)
except EmbeddedDashboardNotFoundError:
return self.response_404()
34 changes: 34 additions & 0 deletions superset/embedded_dashboard/commands/exceptions.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
from typing import Optional

from flask_babel import lazy_gettext as _

from superset.commands.exceptions import ForbiddenError, ObjectNotFoundError


class EmbeddedDashboardNotFoundError(ObjectNotFoundError):
def __init__(
self,
embedded_dashboard_uuid: Optional[str] = None,
exception: Optional[Exception] = None,
) -> None:
super().__init__("EmbeddedDashboard", embedded_dashboard_uuid, exception)


class EmbeddedDashboardAccessDeniedError(ForbiddenError):
message = _("You don't have access to this embedded dashboard config.")
2 changes: 2 additions & 0 deletions superset/initialization/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,7 @@ def init_views(self) -> None:
from superset.datasets.api import DatasetRestApi
from superset.datasets.columns.api import DatasetColumnsRestApi
from superset.datasets.metrics.api import DatasetMetricRestApi
from superset.embedded.api import EmbeddedDashboardRestApi
from superset.embedded.view import EmbeddedView
from superset.explore.form_data.api import ExploreFormDataRestApi
from superset.explore.permalink.api import ExplorePermalinkRestApi
Expand Down Expand Up @@ -208,6 +209,7 @@ def init_views(self) -> None:
appbuilder.add_api(DatasetRestApi)
appbuilder.add_api(DatasetColumnsRestApi)
appbuilder.add_api(DatasetMetricRestApi)
appbuilder.add_api(EmbeddedDashboardRestApi)
appbuilder.add_api(ExploreFormDataRestApi)
appbuilder.add_api(ExplorePermalinkRestApi)
appbuilder.add_api(FilterSetRestApi)
Expand Down
8 changes: 7 additions & 1 deletion superset/security/api.py
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,9 @@
from marshmallow import EXCLUDE, fields, post_load, Schema, ValidationError
from marshmallow_enum import EnumField

from superset.embedded_dashboard.commands.exceptions import (
EmbeddedDashboardNotFoundError,
)
from superset.extensions import event_logger
from superset.security.guest_token import GuestTokenResourceType

Expand Down Expand Up @@ -142,13 +145,16 @@ def guest_token(self) -> Response:
"""
try:
body = guest_token_create_schema.load(request.json)
self.appbuilder.sm.validate_guest_token_resources(body["resources"])

# todo validate stuff:
# make sure the resource ids are valid
# make sure username doesn't reference an existing user
# check rls rules for validity?
token = self.appbuilder.sm.create_guest_access_token(
body["user"], body["resources"], body["rls"]
)
return self.response(200, token=token)
except EmbeddedDashboardNotFoundError as error:
return self.response_400(message=error.message)
except ValidationError as error:
return self.response_400(message=error.messages)
18 changes: 18 additions & 0 deletions superset/security/manager.py
Original file line number Diff line number Diff line change
Expand Up @@ -1313,6 +1313,24 @@ def _get_guest_token_jwt_audience() -> str:
audience = audience()
return audience

@staticmethod
def validate_guest_token_resources(resources: GuestTokenResources) -> None:
# pylint: disable=import-outside-toplevel
from superset.embedded.dao import EmbeddedDAO
from superset.embedded_dashboard.commands.exceptions import (
EmbeddedDashboardNotFoundError,
)
from superset.models.dashboard import Dashboard

for resource in resources:
if resource["type"] == GuestTokenResourceType.DASHBOARD.value:
# TODO (embedded): remove this check once uuids are rolled out
dashboard = Dashboard.get(str(resource["id"]))
if not dashboard:
embedded = EmbeddedDAO.find_by_id(str(resource["id"]))
if not embedded:
raise EmbeddedDashboardNotFoundError()

def create_guest_access_token(
self,
user: GuestTokenUser,
Expand Down
53 changes: 53 additions & 0 deletions tests/integration_tests/embedded/api_tests.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# isort:skip_file
"""Tests for security api methods"""
from unittest import mock

import pytest

from superset import db
from superset.embedded.dao import EmbeddedDAO
from superset.models.dashboard import Dashboard
from tests.integration_tests.base_tests import SupersetTestCase
from tests.integration_tests.fixtures.birth_names_dashboard import (
load_birth_names_dashboard_with_slices,
load_birth_names_data,
)


class TestEmbeddedDashboardApi(SupersetTestCase):
resource_name = "embedded_dashboard"

@pytest.mark.usefixtures("load_birth_names_dashboard_with_slices")
@mock.patch.dict(
"superset.extensions.feature_flag_manager._feature_flags",
EMBEDDED_SUPERSET=True,
)
def test_get_embedded_dashboard(self):
self.login("admin")
self.dash = db.session.query(Dashboard).filter_by(slug="births").first()
self.embedded = EmbeddedDAO.upsert(self.dash, [])
uri = f"api/v1/{self.resource_name}/{self.embedded.uuid}"
response = self.client.get(uri)
self.assert200(response)

def test_get_embedded_dashboard_non_found(self):
self.login("admin")
uri = f"api/v1/{self.resource_name}/bad-uuid"
response = self.client.get(uri)
self.assert404(response)
29 changes: 27 additions & 2 deletions tests/integration_tests/security/api_tests.py
Original file line number Diff line number Diff line change
Expand Up @@ -19,10 +19,18 @@
import json

import jwt
import pytest

from tests.integration_tests.base_tests import SupersetTestCase
from flask_wtf.csrf import generate_csrf
from superset import db
from superset.embedded.dao import EmbeddedDAO
from superset.models.dashboard import Dashboard
from superset.utils.urls import get_url_host
from tests.integration_tests.base_tests import SupersetTestCase
from tests.integration_tests.fixtures.birth_names_dashboard import (
load_birth_names_dashboard_with_slices,
load_birth_names_data,
)


class TestSecurityCsrfApi(SupersetTestCase):
Expand Down Expand Up @@ -78,10 +86,13 @@ def test_post_guest_token_unauthorized(self):
response = self.client.post(self.uri)
self.assert403(response)

@pytest.mark.usefixtures("load_birth_names_dashboard_with_slices")
def test_post_guest_token_authorized(self):
self.dash = db.session.query(Dashboard).filter_by(slug="births").first()
self.embedded = EmbeddedDAO.upsert(self.dash, [])
self.login(username="admin")
user = {"username": "bob", "first_name": "Bob", "last_name": "Also Bob"}
resource = {"type": "dashboard", "id": "blah"}
resource = {"type": "dashboard", "id": str(self.embedded.uuid)}
rls_rule = {"dataset": 1, "clause": "1=1"}
params = {"user": user, "resources": [resource], "rls": [rls_rule]}

Expand All @@ -99,3 +110,17 @@ def test_post_guest_token_authorized(self):
)
self.assertEqual(user, decoded_token["user"])
self.assertEqual(resource, decoded_token["resources"][0])

@pytest.mark.usefixtures("load_birth_names_dashboard_with_slices")
def test_post_guest_token_bad_resources(self):
self.login(username="admin")
user = {"username": "bob", "first_name": "Bob", "last_name": "Also Bob"}
resource = {"type": "dashboard", "id": "bad-id"}
rls_rule = {"dataset": 1, "clause": "1=1"}
params = {"user": user, "resources": [resource], "rls": [rls_rule]}

response = self.client.post(
self.uri, data=json.dumps(params), content_type="application/json"
)

self.assert400(response)

0 comments on commit 224769b

Please sign in to comment.