Compare commits

..

3 Commits

Author SHA1 Message Date
mpeltriaux 93d29982a6 Merge pull request '538_API_share_with_ids' (#539) from 538_API_share_with_ids into master
Reviewed-on: #539
2026-05-14 13:04:59 +00:00
mpeltriaux 59a1bdfb1c # API team ID based sharing
* extents api sharing via team name with team id, so that both ways are supported now
* updates tests
2026-05-14 15:04:24 +02:00
mpeltriaux 056a92b068 # API Refactoring sharing
* refactors team and user sharing by splitting into more maintainable blocks of code
2026-05-14 13:58:26 +02:00
10 changed files with 107 additions and 203 deletions
-36
View File
@@ -1,36 +0,0 @@
# Nutze ein schlankes Python-Image
FROM python:3.13-slim-bullseye
ENV PYTHONUNBUFFERED 1
WORKDIR /konova
# Installiere System-Abhängigkeiten
RUN apt-get update && apt-get install -y --no-install-recommends \
gdal-bin redis-server nginx \
&& rm -rf /var/lib/apt/lists/* # Platz sparen
# Erstelle benötigte Verzeichnisse & setze Berechtigungen
RUN mkdir -p /var/log/nginx /var/log/gunicorn /var/lib/nginx /tmp/nginx_client_body \
&& touch /var/log/nginx/access.log /var/log/nginx/error.log \
&& chown -R root:root /var/log/nginx /var/lib/nginx /tmp/nginx_client_body
# Kopiere und installiere Python-Abhängigkeiten
COPY ./requirements.txt /konova/
RUN pip install --upgrade pip && pip install --no-cache-dir -r requirements.txt
# Entferne Standard-Nginx-Site und ersetze sie durch eigene Config
RUN rm -rf /etc/nginx/sites-enabled/default
COPY ./nginx.conf /etc/nginx/conf.d
# Kopiere restliche Projektdateien
COPY . /konova/
# Sammle statische Dateien
RUN python manage.py collectstatic --noinput
# Exponiere Ports
#EXPOSE 80 6379 8000
# Setze Entrypoint
ENTRYPOINT ["/konova/docker-entrypoint.sh"]
-56
View File
@@ -4,7 +4,6 @@ the database postgresql and the css library bootstrap as well as the icon packag
fontawesome for a modern look, following best practices from the industry.
## Background processes
### !!! For non-docker run
Konova uses celery for background processing. To start the worker you need to run
```shell
$ celery -A konova worker -l INFO
@@ -19,58 +18,3 @@ Technical documention is provided in the projects git wiki.
A user documentation is not available (and not needed, yet).
# Docker
To run the docker-compose as expected, you need to take the following steps:
1. Create a database containing docker, using an appropriate Dockerfile, e.g. the following
```
version: '3.3'
services:
postgis:
image: postgis/postgis
restart: always
container_name: postgis-docker
ports:
- 5433:5432
volumes:
- db-volume:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD=postgres
- POSTGRES_USER=postgres
networks:
- db-network-bridge
networks:
db-network-bridge:
driver: "bridge"
volumes:
db-volume:
```
This Dockerfile creates a Docker container running postgresql and postgis, creates the default superuser postgres,
creates a named volume for persisting the database and creates a new network bridge, which **must be used by any other
container, which wants to write/read on this database**.
2. Make sure the name of the network bridge above matches the network in the konova docker-compose.yml
3. Get into the running postgis container (`docker exec -it postgis-docker bash`) and create new databases, users and so on. Make sure the database `konova` exists now!
4. Replace all `CHANGE_ME_xy` values inside of konova/docker-compose.yml for your installation. Make sure the `SSO_HOST` holds the proper SSO host, e.g. for the arnova project `arnova.example.org` (Arnova must be installed and the webserver configured as well, of course)
5. Take a look on konova/settings.py and konova/sub_settings/django_settings.py. Again: Replace all occurences of `CHANGE_ME` with proper values for your installation.
1. Make sure you have the proper host strings added to `ALLOWED_HOSTS` inside of django_settings.py.
6. Build and run the docker setup using `docker-compose build` and `docker-compose start` from the main directory of this project (where the docker-compose.yml lives)
7. Run migrations! To do so, get into the konova service container (`docker exec -it konova-docker bash`) and run the needed commands (`python manage.py makemigrations LIST_OF_ALL_MIGRATABLE_APPS`, then `python manage.py migrate`)
8. Run the setup command `python manage.py setup` and follow the instructions on the CLI
9. To enable **SMTP** mail support, make sure your host machine (the one where the docker container run) has the postfix service configured properly. Make sure the `mynetworks` variable is xtended using the docker network bridge ip, created in the postgis container and used by the konova services.
1. **Hint**: You can find out this easily by trying to perform a test mail in the running konova web application (which will fail, of course). Then take a look to the latest entries in `/var/log/mail.log` on your host machine. The failed IP will be displayed there.
2. **Please note**: This installation guide is based on SMTP using postfix!
3. Restart the postfix service on your host machine to reload the new configuration (`service postfix restart`)
10. Finally, make sure your host machine webserver passes incoming requests properly to the docker nginx webserver of konova. A proper nginx config for the host machine may look like this:
```
server {
server_name konova.domain.org;
location / {
proxy_pass http://localhost:KONOVA_NGINX_DOCKER_PORT/;
proxy_set_header Host $host;
}
}
```
+19 -1
View File
@@ -30,4 +30,22 @@ class ExternalIdentifier(models.Model):
)
def __str__(self):
return f"{self.external_id} -> {self.internal_id}"
return f"{self.external_id} -> {self.internal_id}"
@staticmethod
def resolve_external_identifier(external_identifier: str):
""" Returns a ExternalIdentifier object, if the given parameter could be resolved as an external identifier.
Args:
external_identifier (str): An external identifier.
Returns:
ExternalIdentifier | None
"""
if external_identifier:
try:
obj = ExternalIdentifier.objects.get(external_id=external_identifier)
return obj
except ExternalIdentifier.DoesNotExist:
pass
return None
+16 -9
View File
@@ -31,9 +31,10 @@ class APIV1SharingTestCase(BaseAPIV1TestCase):
def setUpTestData(cls):
super().setUpTestData()
def _run_share_request(self, url, user_list: list):
def _run_share_request(self, url, user_list: list, team_list: list):
data = {
"users": user_list
"users": user_list,
"teams": team_list
}
data = json.dumps(data)
response = self.client.put(
@@ -58,16 +59,22 @@ class APIV1SharingTestCase(BaseAPIV1TestCase):
self.superuser.username,
self.user.username,
]
team_list = [
str(self.team.id),
]
response = self._run_share_request(url, user_list)
response = self._run_share_request(url, user_list, team_list)
# Must fail, since performing user has no access on requested object
self.assertEqual(response.status_code, 500)
self.assertTrue(len(json.loads(response.content.decode("utf-8")).get("errors", [])) > 0)
# Add performing user to shared access users and rerun the request
# Add performing user to shared access users, switch from team id to team name and rerun the request
obj.users.add(self.superuser)
response = self._run_share_request(url, user_list)
team_list = [
self.team.name
]
response = self._run_share_request(url, user_list, team_list)
shared_users = obj.shared_users
self.assertEqual(response.status_code, 200)
@@ -84,14 +91,14 @@ class APIV1SharingTestCase(BaseAPIV1TestCase):
share_url = reverse("api:v1:intervention-share", args=(self.intervention.id,))
# Expect the first request to work properly
self.intervention.users.add(self.superuser)
response = self._run_share_request(share_url, [self.superuser.username])
response = self._run_share_request(share_url, [self.superuser.username], [str(self.team.id)])
self.assertEqual(response.status_code, 200)
# Change the token
self.header_data["HTTP_ksptoken"] = f"{self.superuser.api_token.token}__X"
# Expect the request to fail now
response = self._run_share_request(share_url, [self.superuser.username])
response = self._run_share_request(share_url, [self.superuser.username], [])
self.assertEqual(response.status_code, 403)
def test_api_intervention_sharing(self):
@@ -144,11 +151,11 @@ class APIV1SharingTestCase(BaseAPIV1TestCase):
self.assertEqual(self.intervention.users.count(), 1)
# Try to add another user via API -> must work!
response = self._run_share_request(share_url, [self.superuser.username, self.user.username])
response = self._run_share_request(share_url, [self.superuser.username, self.user.username], [])
self.assertEqual(response.status_code, 200)
self.assertEqual(self.intervention.users.count(), 2)
# Now try to remove the user again -> expect no changes at all to the shared user list
response = self._run_share_request(share_url, [self.superuser.username])
response = self._run_share_request(share_url, [self.superuser.username], [])
self.assertEqual(response.status_code, 200)
self.assertEqual(self.intervention.users.count(), 2)
+1 -7
View File
@@ -179,13 +179,7 @@ class AbstractModelAPISerializerV1(AbstractModelAPISerializer):
Returns:
ExternalIdentifier | None
"""
if external_identifier:
try:
obj = ExternalIdentifier.objects.get(external_id=external_identifier)
return obj
except ObjectDoesNotExist:
pass
return None
return ExternalIdentifier.resolve_external_identifier(external_identifier)
def _check_external_identifier_on_entry_creation(self, external_identifier):
""" Special check for POST processing:
+68 -19
View File
@@ -6,13 +6,14 @@ Created on: 21.01.22
"""
import json
import uuid
from django.db.models import QuerySet
from django.db.models import QuerySet, Q
from django.http import JsonResponse, HttpRequest
from django.views import View
from django.views.decorators.csrf import csrf_exempt
from api.models import APIUserToken
from api.models import APIUserToken, ExternalIdentifier
from api.settings import KSP_TOKEN_HEADER_IDENTIFIER, KSP_USER_HEADER_IDENTIFIER
from compensation.models import EcoAccount
from ema.models import Ema
@@ -205,6 +206,10 @@ class AbstractModelShareAPIView(AbstractAPIView):
"""
try:
external_identifier = ExternalIdentifier.resolve_external_identifier(id)
if external_identifier:
id = external_identifier.internal_id
users = self._get_shared_users_of_object(id)
teams = self._get_shared_teams_of_object(id)
except Exception as e:
@@ -237,6 +242,9 @@ class AbstractModelShareAPIView(AbstractAPIView):
"""
try:
external_identifier = ExternalIdentifier.resolve_external_identifier(id)
if external_identifier:
id = external_identifier.internal_id
success = self._process_put_body(request.body, id)
except Exception as e:
return self._return_error_response(e)
@@ -309,22 +317,36 @@ class AbstractModelShareAPIView(AbstractAPIView):
raise ValueError("Shared user list must not be empty!")
new_teams = content.get("teams", [])
self.__process_user_sharing(new_users, obj)
self.__process_team_sharing(new_teams, obj)
return True
def __process_user_sharing(self, user_list: list, obj):
""" Processes API sharing for user payload
Args:
user_list (list): A list of users to share the obj with
obj (BaseObject): The shareable object
Returns:
"""
# Eliminate duplicates
new_users = list(dict.fromkeys(new_users))
new_teams = list(dict.fromkeys(new_teams))
new_users = list(dict.fromkeys(user_list))
# Make sure each of these names exist as a user
new_users_objs = []
for user in new_users:
new_users_objs.append(User.objects.get(username=user))
# Make sure each of these names exist as a user
new_teams_objs = []
for team_name in new_teams:
new_teams_objs.append(Team.objects.get(name=team_name))
try:
user_obj = User.objects.get(username=user)
except User.DoesNotExist:
raise AssertionError(f"User with username {user} does not exist")
new_users_objs.append(user_obj)
if self.user.is_default_group_only():
# Default only users are not allowed to remove other users from having access. They can only add new ones!
# So we need to keep the ones that already have access from being removed!
new_users_to_be_added = User.objects.filter(
username__in=new_users
).exclude(
@@ -332,17 +354,44 @@ class AbstractModelShareAPIView(AbstractAPIView):
)
new_users_objs = obj.shared_users.union(new_users_to_be_added)
new_teams_to_be_added = Team.objects.filter(
name__in=new_teams
).exclude(
id__in=obj.shared_teams
)
new_teams_objs = obj.shared_teams.union(new_teams_to_be_added)
obj.share_with_user_list(new_users_objs)
obj.share_with_team_list(new_teams_objs)
return True
def __process_team_sharing(self, team_list: list, obj):
""" Processes API sharing for team payload
Args:
team_list (list): A list of teams to share the obj with
obj (BaseObject): The shareable object
Returns:
"""
# Eliminate duplicates
new_teams = list(dict.fromkeys(team_list))
# Resolve team names or ids into objects
new_team_ids = []
for team in new_teams:
try:
uuid.UUID(team)
try:
new_team_ids.append(Team.objects.get(id=team).id)
except Team.DoesNotExist:
raise AssertionError(f"Team with id {team} does not exist!")
except ValueError:
# entry is a name and not a uuid -> try to resolve as name!
try:
new_team_ids.append(Team.objects.get(name=team).id)
except Team.DoesNotExist:
raise AssertionError(f"Team with name {team} does not exist!")
new_team_objs = Team.objects.filter(id__in=new_team_ids)
if self.user.is_default_group_only():
# Default only users are not allowed to remove other users from having access. They can only add new ones!
# So we need to keep the ones that already have access from being removed!
new_team_objs = obj.shared_teams.union(new_team_objs)
obj.share_with_team_list(new_team_objs)
class InterventionAPIShareView(AbstractModelShareAPIView):
model = Intervention
-21
View File
@@ -1,21 +0,0 @@
services:
konova:
external_links:
- postgis:db
- arnova-nginx-server:arnova
build: .
image: "ksp/konova:x.y"
container_name: "konova-docker"
command: ./docker-entrypoint.sh
restart: always
volumes:
- /data/apps/konova/uploaded_files:/konova_uploaded_files
ports:
- "1337:80"
# Instead of an own, new network, we need to connect to the existing one, which is provided by the postgis container
# NOTE: THIS NETWORK MUST EXIST
networks:
default:
name: postgis_nat_it_backend
external: true
-27
View File
@@ -1,27 +0,0 @@
#!/bin/bash
set -e # Beende Skript bei Fehlern
set -o pipefail # Fehler in Pipelines nicht ignorieren
# Starte Redis
redis-server --daemonize yes
# Starte Celery Worker im Hintergrund
celery -A konova worker --loglevel=info &
# Starte Nginx als Hintergrundprozess
nginx -g "daemon off;" &
# Setze Gunicorn Worker-Anzahl (Standard: (2*CPUs)+1)
WORKERS=${GUNICORN_WORKERS:-$((2 * $(nproc) + 1))}
# Stelle sicher, dass Logs existieren
mkdir -p /var/log/gunicorn
touch /var/log/gunicorn/access.log /var/log/gunicorn/error.log
# Starte Gunicorn als Hauptprozess
exec gunicorn --workers="$WORKERS" konova.wsgi:application \
--bind=0.0.0.0:8000 \
--access-logfile /var/log/gunicorn/access.log \
--error-logfile /var/log/gunicorn/error.log \
--access-logformat '%({x-real-ip}i)s via %(h)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s"'
+3 -2
View File
@@ -191,10 +191,11 @@ STATICFILES_DIRS = [
]
# EMAIL (see https://docs.djangoproject.com/en/dev/topics/email/)
# CHANGE_ME !!! ONLY FOR DEVELOPMENT !!!
if DEBUG:
# ONLY FOR DEVELOPMENT NEEDED
EMAIL_BACKEND = 'django.core.mail.backends.filebased.EmailBackend'
EMAIL_FILE_PATH = '/tmp/app-messages'
EMAIL_FILE_PATH = '/tmp/app-messages' # change this to a proper location
DEFAULT_FROM_EMAIL = env("DEFAULT_FROM_EMAIL") # The default email address for the 'from' element
SERVER_EMAIL = DEFAULT_FROM_EMAIL # The default email sender address, which is used by Django to send errors via mail
-25
View File
@@ -1,25 +0,0 @@
server {
listen 80;
client_max_body_size 25M;
location / {
proxy_pass http://127.0.0.1:8000;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_redirect off;
proxy_cache_bypass $http_upgrade;
}
location /static/ {
alias /konova/static/;
access_log /var/log/nginx/access.log;
autoindex off;
types {
text/css css;
application/javascript js;
}
}
error_log /var/log/nginx/error.log;
}