Milestone 2.0 - User scope views, Discoverable Groups & Patches

.pylintrc

@@ -78,12 +78,14 @@ disable=C0111,missing-docstring,
         R1721,unnecessary-comprehension,
         R1725,super-with-arguments,
         W0108,unnecessary-lambda,
+        W0143,comparison-with-callable,
         W0232,no-init,
         W0235,useless-super-delegation,
         W0613,unused-argument,
         W0640,cell-var-from-loop,
         W0703,broad-except,
         W0706,try-except-raise,
+        W0707,raise-missing-from,
         W1508,invalid-envvar-default
 
 # note: following errors are managed via isort tool, ignore false positives
@@ -468,7 +470,7 @@ valid-metaclass-classmethod-first-arg=cls
 
 # List of modules that can be imported at any level, not just the top level
 # one.
-allow-any-import-level=
+allow-any-import-level=magpie
 
 # Allow wildcard imports from modules that define __all__.
 allow-wildcard-with-all=no

.travis.yml

@@ -66,28 +66,30 @@ stages:
   - smoke-test  # try running the built/packaged docker image
 jobs:
   allow_failures:
-    - python: "2.7"  # deprecated support, but leave it while it remains easy to maintain
+    # leave versions while they remains easy to maintain
+    - python: "2.7"  # deprecated support (January 2020)
+    - python: "3.5"  # deprecated support (September 2020)
   include:
     # use stages to quick fail faster tests
     # these are extra to default 'test' stage with auto-matrix/env extension
     - stage: check
       name: "Linter Checks"
-      python: "3.6"
+      python: "3.7"
       os: linux
       script: make check
     - stage: check
       name: "Documentation Check"   # verify that build works
-      python: "3.6"
+      python: "3.7"
       os: linux
       script: make docs
     - stage: test
       name: "Coverage"
-      python: "3.6"
+      python: "3.7"
       os: linux
       script: make coverage
     - stage: smoke-test
       name: "Smoke Test"
-      python: "3.6"
+      python: "3.7"
       os: linux
       script: make test-docker
 script:

CHANGES.rst

@@ -66,6 +66,13 @@ Features / Changes
 * Avoid returning ``Service`` entries where user, group or both (according to request path and query options) does not
   actually have any permission set either directly on them or onto one of their respective children ``Resource``. This
   avoids unnecessarily exposing all ``Service`` for which the user cannot (or should not) be interacting with anyway.
+* Add ``TWITCHER_HOST`` as alternative configuration parameter to define the service public URL, to have a similar
+  naming convention as other use cases covered by ``MAGPIE_HOST`` and ``PHOENIX_HOST``.
+* Modify ``PHOENIX_PUSH`` to be *disabled* by default to be consistent across all locations where corresponding
+  feature is referenced (startup registration, CLI utility, API requests and UI checkbox option) and because this
+  option is an advanced extension not to be considered as default behavior.
+* Python 2.7 and Python 3.5 marked for deprecation (they remain in CI, but are not required to pass), as both
+  reached their EOL as of January/September 2020.
 
 Bug Fixes
 ~~~~~~~~~~~~~~~~~~~~~
@@ -85,6 +92,8 @@ Bug Fixes
 * Fix minor HTML issues in mako templates.
 * Fix invalid generation of default ``postgres.env`` file from ``magpie.env.example``.
   File ``postgres.env.example`` will now be correctly employed as documented.
+* Make environment variable ``PHOENIX_PUSH`` refer to ``phoenix.push`` instead of ``magpie.phoenix_push`` to employ
+  same naming schema as all other variables.
 
 `1.11.0 <https://github.com/Ouranosinc/Magpie/tree/1.11.0>`_ (2020-06-19)
 ------------------------------------------------------------------------------------

Dockerfile.adapter

@@ -23,7 +23,7 @@ RUN apk update \
         supervisor \
         gcc \
         libffi-dev \
-        python-dev \
+        python3-dev \
         musl-dev \
         postgresql-dev \
     && pip install --no-cache-dir --upgrade pip setuptools \

Makefile

@@ -63,6 +63,7 @@ endif
 DOWNLOAD_CACHE ?= $(APP_ROOT)/downloads
 REPORTS_DIR ?= $(APP_ROOT)/reports
 PYTHON_VERSION ?= `python -c 'import platform; print(platform.python_version())'`
+PIP_XARGS ?= --use-feature=2020-resolver
 
 # choose conda installer depending on your OS
 CONDA_URL = https://repo.continuum.io/miniconda
@@ -119,20 +120,20 @@ version:	## display current version
 
 .PHONY: info
 info:		## display make information
-	@echo "Informations about your make execution:"
+	@echo "Information about your make execution:"
 	@echo "  OS Name                $(OS_NAME)"
 	@echo "  CPU Architecture       $(CPU_ARCH)"
 	@echo "  Conda Home             $(CONDA_HOME)"
 	@echo "  Conda Prefix           $(CONDA_ENV_PATH)"
 	@echo "  Conda Env Name         $(CONDA_ENV_NAME)"
 	@echo "  Conda Env Path         $(CONDA_ENV_REAL_ACTIVE_PATH)"
 	@echo "  Conda Binary           $(CONDA_BIN)"
-	@echo "  Conda Actication       $(CONDA_ENV_MODE)"
+	@echo "  Conda Activation       $(CONDA_ENV_MODE)"
 	@echo "  Conda Command          $(CONDA_CMD)"
 	@echo "  Application Root       $(APP_ROOT)"
 	@echo "  Application Name       $(APP_NAME)"
 	@echo "  Application Version    $(APP_VERSION)"
-	@echo "  Donwload Cache         $(DOWNLOAD_CACHE)"
+	@echo "  Download Cache         $(DOWNLOAD_CACHE)"
 	@echo "  Test Reports           $(REPORTS_DIR)"
 	@echo "  Docker Tag (magpie)    $(MAGPIE_DOCKER_TAG)"
 	@echo "  Docker Tag (twitcher)  $(TWITCHER_DOCKER_TAG)"
@@ -241,7 +242,7 @@ endif
 bump:	## bump version using VERSION specified as user input
 	@-echo "Updating package version ..."
 	@[ "${VERSION}" ] || ( echo ">> 'VERSION' is not set"; exit 1 )
-	@-bash -c '$(CONDA_CMD) test -f "$(CONDA_ENV_PATH)/bin/bump2version" || pip install bump2version'
+	@-bash -c '$(CONDA_CMD) test -f "$(CONDA_ENV_PATH)/bin/bump2version" || pip install $(PIP_XARGS) bump2version'
 	@-bash -c '$(CONDA_CMD) bump2version $(BUMP_XARGS) --new-version "${VERSION}" patch;'
 
 ## --- Installation targets --- ##
@@ -259,31 +260,38 @@ install: install-all	## alias for 'install-all' target
 .PHONY: install-all
 install-all: install-sys install-pkg install-dev install-docs	## install every dependency and package definition
 
+# note: don't use PIP_XARGS for install system package as it could be upgrade of pip that doesn't yet have those options
 .PHONY: install-sys
 install-sys: clean conda-env	## install system dependencies and required installers/runners
 	@echo "Installing system dependencies..."
 	@bash -c '$(CONDA_CMD) pip install --upgrade -r "$(APP_ROOT)/requirements-sys.txt"'
-	@bash -c '$(CONDA_CMD) pip install gunicorn'
+	@bash -c '$(CONDA_CMD) pip install $(PIP_XARGS) gunicorn'
 
 .PHONY: install-pkg
 install-pkg: install-sys	## install the package to the active Python's site-packages
 	@echo "Installing Magpie..."
+	@bash -c '$(CONDA_CMD) python setup.py install_egg_info'
+	@bash -c '$(CONDA_CMD) pip install $(PIP_XARGS) --upgrade -e "$(APP_ROOT)" --no-cache'
 	# TODO: remove when merged
 	# --- ensure fix is applied
 	@bash -c '$(CONDA_CMD) \
-		pip install --force-reinstall "https://github.com/fmigneault/authomatic/archive/httplib-port.zip#egg=Authomatic"'
+		pip install $(PIP_XARGS) --force-reinstall \
+			"https://github.com/fmigneault/authomatic/archive/httplib-port.zip#egg=Authomatic"'
 	# ---
-	@bash -c '$(CONDA_CMD) python setup.py install_egg_info'
-	@bash -c '$(CONDA_CMD) pip install --upgrade -e "$(APP_ROOT)" --no-cache'
+
+.PHONY: install-req
+install-req: conda-env	 ## install package base requirements without installing main package
+	@bash -c '$(CONDA_CMD) pip install $(PIP_XARGS) -r "$(APP_ROOT)/requirements.txt"'
+	@echo "Successfully installed base requirements."
 
 .PHONY: install-docs
 install-docs: conda-env  ## install package requirements for documentation generation
-	@bash -c '$(CONDA_CMD) pip install -r "$(APP_ROOT)/requirements-docs.txt"'
+	@bash -c '$(CONDA_CMD) pip install $(PIP_XARGS) -r "$(APP_ROOT)/requirements-doc.txt"'
 	@echo "Successfully installed docs requirements."
 
 .PHONY: install-dev
 install-dev: conda-env	## install package requirements for development and testing
-	@bash -c '$(CONDA_CMD) pip install -r "$(APP_ROOT)/requirements-dev.txt"'
+	@bash -c '$(CONDA_CMD) pip install $(PIP_XARGS) -r "$(APP_ROOT)/requirements-dev.txt"'
 	@echo "Successfully installed dev requirements."
 
 ## --- Launchers targets --- ##

ci/magpie.env

@@ -4,7 +4,7 @@ MAGPIE_POSTGRES_PASSWORD=qwerty
 MAGPIE_POSTGRES_HOST=localhost
 MAGPIE_POSTGRES_PORT=5432
 MAGPIE_POSTGRES_DB=magpie
-MAGPIE_URL=localhost/magpie
+MAGPIE_URL=http://localhost/magpie
 MAGPIE_SECRET=magpie
 MAGPIE_ADMIN_GROUP=administrators
 MAGPIE_ADMIN_USER=admin

docs/conf.py

@@ -15,10 +15,10 @@
 
 # pylint: disable=C0103,invalid-name
 
+import json
 import os
 import re
 import sys
-import json
 
 # If extensions (or modules to document with autodoc) are in another
 # directory, add these directories to sys.path here. If the directory is

docs/configuration.rst

@@ -583,7 +583,25 @@ Following settings define parameters required by `Twitcher`_ (OWS Security Proxy
 
   .. note::
     Using this parameter to define `Twitcher`_'s path assumes that it resides under the same server domain as the
-    `Magpie` instance being configured (ie: hostname is inferred from resolved ``MAGPIE_URL`` or equivalent settings).
+    `Magpie` instance being configured (ie: hostname is inferred from resolved value amongst ``MAGPIE_URL``,
+    ``MAGPIE_HOST``, ``TWITCHER_HOST`` and ``HOSTNAME`` settings or environment variables).
+
+  .. warning::
+    Path is intended to be employed with `Twitcher`_ residing side-by-side with `Magpie`. Therefore, prefix
+    ``/twitcher`` is added unless already explicitly provided. To employ another path without prefix, consider
+    instead providing it with the full URL using ``TWITCHER_PROTECTED_URL`` parameter.
+
+- | ``TWITCHER_HOST``
+  | (Default: None)
+
+  .. versionadded:: 2.0.0
+
+  Specifies the explicit hostname to employ in combination with ``TWITCHER_PROTECTED_PATH`` to form the complete base
+  service protected URL. Ignored if ``TWITCHER_PROTECTED_URL`` was provided directly.
+
+  .. note::
+    The resulting URL will take the form ``https://{TWITCHER_HOST}[/twitcher]{TWITCHER_PROTECTED_PATH}`` to imitate
+    the resolution of ``TWITCHER_PROTECTED_URL`` considering provided ``TWITCHER_PROTECTED_PATH``.
 
 - | ``TWITCHER_PROTECTED_URL``
   | (Default: *see note*)
@@ -592,8 +610,9 @@ Following settings define parameters required by `Twitcher`_ (OWS Security Proxy
   specifying an alternative domain where a remote `Twitcher`_ instance could reside.
 
   .. note::
-    When not provided, attempts to infer the value by combining the environment variable ``HOSTNAME``, an optional
-    ``/twitcher`` prefix (as needed to match incoming request) and the value provided by ``TWITCHER_PROTECTED_PATH``.
+    When not provided, attempts to infer the value by combining the environment variable ``HOSTNAME`` or
+    ``TWITCHER_HOSTNAME``, and an optional ``/twitcher`` prefix (as needed to match incoming request) and the
+    value provided by ``TWITCHER_PROTECTED_PATH``.
 
 
 Please note that although `Twitcher`_ URL references are needed to configure interactive parameters with `Magpie`, the

docs/glossary.rst

@@ -34,6 +34,12 @@ Glossary
         identified through :term:`Authentication` methods. This process typically falls into the hands of a
         :term:`Proxy` application.
 
+    Context User
+        Specific :term:`User` that is being targeted by a request from specified value for the ``{user_name}`` request
+        path variable. The contextual :term:`User` of the request *could* correspond to the :term:`Logged User` if the
+        reference resolves to itself, but this is not necessarily the case. See further details and examples provided
+        in section :ref:`Route Access`.
+
     Cookies
         Set of :term:`Authentication` identifiers primarily employed by `Magpie` HTTP requests to determine the
         :term:`Logged User`.
@@ -75,11 +81,13 @@ Glossary
         :py:data:`magpie.constants.MAGPIE_DEFAULT_PROVIDER` constant.
 
     Logged User
-        Specific :term:`User` that corresponds to the active request session. This :term:`User` can automatically be
-        referenced to (instead of usual ``{user_name}`` path variable) in applicable requests using special value
-        configured with :py:data:`magpie.constants.MAGPIE_LOGGED_USER`. When not logged in, this
-        :term:`User` is considered to be :py:data:`magpie.constants.MAGPIE_ANONYMOUS_USER`. Otherwise, it is whoever
-        the :term:`Authentication` mechanism identifies.
+        More specific use-case of :term:`Request User` that simultaneously corresponds to the active request session
+        :term:`User` as well at the referenced :term:`Context User` from the path variable. This :term:`User` can be
+        automatically retrieved in applicable requests using in the request path the special constant value defined by
+        :py:data:`magpie.constants.MAGPIE_LOGGED_USER`, or using its literal :term:`User` name.
+        When not logged in, this :term:`User` is considered to be equivalent to explicitly requesting
+        :py:data:`magpie.constants.MAGPIE_ANONYMOUS_USER`. Otherwise, it is whoever the
+        :term:`Authentication` mechanism identifies with token extracted from request :term:`Cookies`.
 
     Permission
         Element that defines which rules are applicable for a given combination of :term:`User` and/or :term:`Group`
@@ -104,6 +112,14 @@ Glossary
         to make them available to anyone including even unauthenticated sessions. See also :ref:`Public Access` section
         for implementation details to achieve this result.
 
+    Request User
+        Active request session :term:`User` that can be retrieved by calling ``request.user`` with resolution of
+        :term:`Authentication` headers within the request (:term:`User` is ``None`` if unauthenticated,
+        i.e.: :py:data:`magpie.constants.MAGPIE_ANONYMOUS_USER`). This is not the same as the :term:`Context User`
+        extracted from ``{user_name}`` path variable, except for the special case covered by :term:`Logged User`'s
+        definition. The request :term:`User` could send request that work on another :term:`Context User` than itself
+        if sufficient :term:`Access Permission` is granted. See also :ref:`Route Access` for further details.
+
     Resource
         Entity on which :term:`User` and :term:`Group` can be associated to applicable :term:`Permission` respectively
         for the contextual :term:`Service` under which it resides. This element can represent relatively *anything*.

docs/installation.rst

@@ -1,9 +1,9 @@
 .. _installation:
 .. include:: references.rst
 
-************
+=============
 Installation
-************
+=============
 
 At the command line::
 
@@ -29,3 +29,17 @@ If you want the full setup for development (including dependencies for test exec
 You can run the Magpie container with a ``docker-compose.yml`` for a local setup (see `docker-compose.yml.example`_)
 
 .. _`docker-compose.yml.example`: https://github.com/Ouranosinc/Magpie/tree/master/docker-compose.yml.example
+
+
+Backward Compatibility
+--------------------------
+
+`Magpie` remains available for following obsolete and backward compatible versions.
+
+- Python 2.7 (end of life on January 1st, 2020)
+- Python 3.5 (end of life on September 13th, 2020)
+
+Older versions than ones listed above are unsupported. These oldest versions remain tested in `Travis-CI` and deployment
+procedure for traceability, but are not guaranteed to work, nor provide all functional or security features and will not
+be actively maintained. If you identify a easy fix for such an older version, please submit an `issue`_ to be considered
+for integration. It is greatly recommended to upgrade your Python version to receive all applicable security patches.