beer-garden · TheBurchLog · Jul 25, 2024 · Feb 20, 2024 · Feb 20, 2024 · Feb 20, 2024
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,6 +1,16 @@
 Brewtils Changelog
 ==================
 
+3.27.0
+------
+TBD
+
+- New Models for User, UserToken, Role, and AliasUserMap
+- Must upgrade to a minimum version of Beer Garden 3.27.0 to support new authentication models. If authentication is not enabled, upgrade
+  is not required. 
+- Removed 2.0 Legacy support for Principle and LegacyRole models
+- Fixed bug in SystemClient to properly assign requester field from parent request
+
 3.26.4
 ------
 7/12/24

diff --git a/brewtils/auto_decorator.py b/brewtils/auto_decorator.py
@@ -1,7 +1,6 @@
 from inspect import Parameter as InspectParameter  # noqa
 from inspect import signature
 
-
 from brewtils.models import Command, Parameter
 
 

diff --git a/brewtils/models.py b/brewtils/models.py
@@ -21,9 +21,7 @@
     "Event",
     "Events",
     "Queue",
-    "Principal",
-    "LegacyRole",
-    "RefreshToken",
+    "UserToken",
     "Job",
     "RequestFile",
     "File",
@@ -37,6 +35,8 @@
     "Garden",
     "Operation",
     "Resolvable",
+    "Role",
+    "User",
     "Subscriber",
     "Topic",
 ]
@@ -92,7 +92,7 @@ class Events(Enum):
     USER_UPDATED = 44
     USERS_IMPORTED = 45
     ROLE_UPDATED = 46
-    ROLES_IMPORTED = 47
+    ROLE_DELETED = 47
     COMMAND_PUBLISHING_BLOCKLIST_SYNC = 48
     COMMAND_PUBLISHING_BLOCKLIST_REMOVE = 49
     COMMAND_PUBLISHING_BLOCKLIST_UPDATE = 50
@@ -103,6 +103,13 @@ class Events(Enum):
     # Next: 57
 
 
+class Permissions(Enum):
+    READ_ONLY = 1
+    OPERATOR = 2
+    PLUGIN_ADMIN = 3
+    GARDEN_ADMIN = 4
+
+
 class BaseModel(object):
     schema = None
 
@@ -1110,81 +1117,32 @@ def __repr__(self):
         return "<Queue: name=%s, size=%s>" % (self.name, self.size)
 
 
-class Principal(BaseModel):
-    schema = "PrincipalSchema"
+class UserToken(BaseModel):
+    schema = "UserTokenSchema"
 
     def __init__(
         self,
         id=None,  # noqa # shadows built-in
+        uuid=None,
+        issued_at=None,
+        expires_at=None,
         username=None,
-        roles=None,
-        permissions=None,
-        preferences=None,
-        metadata=None,
     ):
         self.id = id
+        self.uuid = uuid
+        self.issued_at = issued_at
+        self.expires_at = expires_at
         self.username = username
-        self.roles = roles
-        self.permissions = permissions
-        self.preferences = preferences
-        self.metadata = metadata
 
     def __str__(self):
         return "%s" % self.username
 
     def __repr__(self):
-        return "<Principal: username=%s, roles=%s, permissions=%s>" % (
+        return "<UserToken: uuid=%s, issued_at=%s, expires_at=%s, username=%s>" % (
+            self.uuid,
+            self.issued_at,
+            self.expires_at,
             self.username,
-            self.roles,
-            self.permissions,
-        )
-
-
-class LegacyRole(BaseModel):
-    schema = "LegacyRoleSchema"
-
-    def __init__(
-        self,
-        id=None,  # noqa # shadows built-in
-        name=None,
-        description=None,
-        permissions=None,
-    ):
-        self.id = id
-        self.name = name
-        self.description = description
-        self.permissions = permissions
-
-    def __str__(self):
-        return "%s" % self.name
-
-    def __repr__(self):
-        return "<LegacyRole: name=%s, permissions=%s>" % (self.name, self.permissions)
-
-
-class RefreshToken(BaseModel):
-    schema = "RefreshTokenSchema"
-
-    def __init__(
-        self,
-        id=None,  # noqa # shadows built-in
-        issued=None,
-        expires=None,
-        payload=None,
-    ):
-        self.id = id
-        self.issued = issued
-        self.expires = expires
-        self.payload = payload or {}
-
-    def __str__(self):
-        return "%s" % self.payload
-
-    def __repr__(self):
-        return "<RefreshToken: issued=%s, expires=%s, payload=%s>" % (
-            self.issued,
-            self.expires,
-            self.payload,
         )
 
 
@@ -1471,6 +1429,8 @@ def __init__(
         parent=None,
         children=None,
         metadata=None,
+        default_user=None,
+        shared_users=None,
     ):
         self.id = id
         self.name = name
@@ -1488,6 +1448,9 @@ def __init__(
         self.children = children
         self.metadata = metadata or {}
 
+        self.default_user = default_user
+        self.shared_users = shared_users
+
     def __str__(self):
         return "%s" % self.name
 
@@ -1658,6 +1621,150 @@ def __repr__(self):
         )
 
 
+class User(BaseModel):
+    schema = "UserSchema"
+
+    def __init__(
+        self,
+        username=None,
+        id=None,
+        password=None,
+        roles=None,
+        local_roles=None,
+        upstream_roles=None,
+        user_alias_mapping=None,
+        metadata=None,
+        is_remote=False,
+        protected=False,
+        file_generated=False,
+    ):
+        self.username = username
+        self.id = id
+        self.password = password
+        self.roles = roles or []
+        self.local_roles = local_roles or []
+        self.upstream_roles = upstream_roles or []
+        self.is_remote = is_remote
+        self.user_alias_mapping = user_alias_mapping or []
+        self.metadata = metadata or {}
+        self.protected = protected
+        self.file_generated = file_generated
+
+    def __str__(self):
+        return "%s: %s" % (self.username, self.roles)
+
+    def __repr__(self):
+        return "<User: username=%s, roles=%s>" % (
+            self.username,
+            self.roles,
+        )
+
+    def __eq__(self, other):
+        if not isinstance(other, User):
+            # don't attempt to compare against unrelated types
+            return NotImplemented
+
+        return (
+            self.username == other.username
+            and self.roles == other.roles
+            and self.upstream_roles == other.upstream_roles
+            and self.is_remote == other.is_remote
+            and self.user_alias_mapping == other.user_alias_mapping
+            and self.protected == other.protected
+            and self.file_generated == other.file_generated
+        )
+
+
+class Role(BaseModel):
+    schema = "RoleSchema"
+
+    # TODO: REMOVE after DB model Updated with Permissions enum
+    PERMISSION_TYPES = {
+        "GARDEN_ADMIN",
+        "PLUGIN_ADMIN",
+        "OPERATOR",
+        "READ_ONLY",  # Default value if not role is provided
+    }
+
+    def __init__(
+        self,
+        name,
+        permission=None,
+        description=None,
+        id=None,
+        scope_gardens=None,
+        scope_namespaces=None,
+        scope_systems=None,
+        scope_instances=None,
+        scope_versions=None,
+        scope_commands=None,
+        protected=False,
+        file_generated=False,
+    ):
+        self.name = name
+        self.permission = permission or Permissions.READ_ONLY.name
+        self.description = description
+        self.id = id
+        self.scope_gardens = scope_gardens or []
+        self.scope_namespaces = scope_namespaces or []
+        self.scope_systems = scope_systems or []
+        self.scope_instances = scope_instances or []
+        self.scope_versions = scope_versions or []
+        self.scope_commands = scope_commands or []
+        self.protected = protected
+        self.file_generated = file_generated
+
+    def __str__(self):
+        return "%s" % (self.name)
+
+    def __repr__(self):
+        return (
+            "<Role: id=%s, name=%s, description=%s, permission=%s, scope_garden=%s, "
+            "scope_namespaces=%s, scope_systems=%s, scope_instances=%s, "
+            "scope_versions=%s, scope_commands=%s>"
+        ) % (
+            self.id,
+            self.name,
+            self.description,
+            self.permission,
+            self.scope_gardens,
+            self.scope_namespaces,
+            self.scope_systems,
+            self.scope_instances,
+            self.scope_versions,
+            self.scope_commands,
+        )
+
+    def __eq__(self, other):
+        if not isinstance(other, Role):
+            # don't attempt to compare against unrelated types
+            return NotImplemented
+
+        return (
+            self.name == other.name
+            and self.description == other.description
+            and self.permission == other.permission
+            and self.scope_gardens == other.scope_gardens
+            and self.scope_namespaces == other.scope_namespaces
+            and self.scope_systems == other.scope_systems
+            and self.scope_instances == other.scope_instances
+            and self.scope_versions == other.scope_versions
+            and self.scope_commands == other.scope_commands
+        )
+
+
+class UpstreamRole(Role):
+    schema = "UpstreamRoleSchema"
+
+
+class AliasUserMap(BaseModel):
+    schema = "AliasUserMapSchema"
+
+    def __init__(self, target_garden, username):
+        self.target_garden = target_garden
+        self.username = username
+
+
 class Subscriber(BaseModel):
     schema = "SubscriberSchema"
 

diff --git a/brewtils/request_handling.py b/brewtils/request_handling.py
@@ -10,8 +10,8 @@
 import six
 from requests import ConnectionError as RequestsConnectionError
 
-from brewtils.decorators import _parse_method
 import brewtils.plugin
+from brewtils.decorators import _parse_method
 from brewtils.errors import (
     BGGivesUpError,
     DiscardMessageException,
@@ -61,6 +61,7 @@ def process_command(self, request):
 
         if parent_request:
             request.parent = Request(id=str(parent_request.id))
+            request.requester = parent_request.requester
             request.has_parent = True
 
         # check for kwargs on the target command

diff --git a/brewtils/rest/client.py b/brewtils/rest/client.py
@@ -23,12 +23,19 @@ def enable_auth(method):
 
     @functools.wraps(method)
     def wrapper(self, *args, **kwargs):
+
+        # Load Token initially if authentication settings are provided
+        if not self.session.headers.get("Authorization") and (
+            (self.username and self.password) or self.client_cert
+        ):
+            self.get_tokens()
+
         original_response = method(self, *args, **kwargs)
 
         if original_response.status_code != 401:
             return original_response
 
-        # Try to use credentials
+        # Refresh Token if expired and caused 401
         if (self.username and self.password) or self.client_cert:
             credential_response = self.get_tokens()
 

diff --git a/brewtils/rest/easy_client.py b/brewtils/rest/easy_client.py
@@ -1089,17 +1089,15 @@ def forward(self, operation, **kwargs):
             SchemaParser.serialize_operation(operation), **kwargs
         )
 
-    @wrap_response(
-        parse_method="parse_principal", parse_many=False, default_exc=FetchError
-    )
+    @wrap_response(parse_method="parse_user", parse_many=False, default_exc=FetchError)
     def get_user(self, user_identifier):
         """Find a user
 
         Args:
             user_identifier (str): User ID or username
 
         Returns:
-            Principal: The User
+            User: The User
 
         """
         return self.client.get_user(user_identifier)
@@ -1108,7 +1106,7 @@ def who_am_i(self):
         """Find user using the current set of credentials
 
         Returns:
-            Principal: The User
+            User: The User
 
         """
         return self.get_user(self.client.username or "anonymous")