From 2281d3265423d01e60f8cc088de5a5730bb8a910 Mon Sep 17 00:00:00 2001
From: Fabian Mastenbroek <mail.fabianm@gmail.com>
Date: Sat, 15 May 2021 13:09:06 +0200
Subject: api: Migrate to Flask Restful

This change updates the API to use Flask Restful instead of our own
in-house REST library. This change reduces the maintenance effort and
allows us to drastically simplify the API implementation needed for the
OpenDC v2 API.
---
 opendc-web/opendc-web-api/opendc/api/scenarios.py | 81 +++++++++++++++++++++++
 1 file changed, 81 insertions(+)
 create mode 100644 opendc-web/opendc-web-api/opendc/api/scenarios.py

(limited to 'opendc-web/opendc-web-api/opendc/api/scenarios.py')

diff --git a/opendc-web/opendc-web-api/opendc/api/scenarios.py b/opendc-web/opendc-web-api/opendc/api/scenarios.py
new file mode 100644
index 00000000..b566950a
--- /dev/null
+++ b/opendc-web/opendc-web-api/opendc/api/scenarios.py
@@ -0,0 +1,81 @@
+#  Copyright (c) 2021 AtLarge Research
+#
+#  Permission is hereby granted, free of charge, to any person obtaining a copy
+#  of this software and associated documentation files (the "Software"), to deal
+#  in the Software without restriction, including without limitation the rights
+#  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+#  copies of the Software, and to permit persons to whom the Software is
+#  furnished to do so, subject to the following conditions:
+#
+#  The above copyright notice and this permission notice shall be included in all
+#  copies or substantial portions of the Software.
+#
+#  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+#  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+#  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+#  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+#  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+#  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+#  SOFTWARE.
+
+from flask import request
+from flask_restful import Resource
+from marshmallow import Schema, fields
+
+from opendc.models.scenario import Scenario as ScenarioModel, ScenarioSchema
+from opendc.models.portfolio import Portfolio
+from opendc.exts import current_user, requires_auth
+
+
+class Scenario(Resource):
+    """
+    A Scenario resource.
+    """
+    method_decorators = [requires_auth]
+
+    def get(self, scenario_id):
+        """Get scenario by identifier."""
+        scenario = ScenarioModel.from_id(scenario_id)
+        scenario.check_exists()
+        scenario.check_user_access(current_user['sub'], False)
+        data = scenario.obj
+        return {'data': data}
+
+    def put(self, scenario_id):
+        """Update this Scenarios name."""
+        schema = Scenario.PutSchema()
+        result = schema.load(request.json)
+
+        scenario = ScenarioModel.from_id(scenario_id)
+
+        scenario.check_exists()
+        scenario.check_user_access(current_user['sub'], True)
+
+        scenario.set_property('name', result['scenario']['name'])
+
+        scenario.update()
+        data = scenario.obj
+        return {'data': data}
+
+    def delete(self, scenario_id):
+        """Delete this Scenario."""
+        scenario = ScenarioModel.from_id(scenario_id)
+        scenario.check_exists()
+        scenario.check_user_access(current_user['sub'], True)
+
+        scenario_id = scenario.get_id()
+
+        portfolio = Portfolio.from_id(scenario.obj['portfolioId'])
+        portfolio.check_exists()
+        if scenario_id in portfolio.obj['scenarioIds']:
+            portfolio.obj['scenarioIds'].remove(scenario_id)
+        portfolio.update()
+
+        old_object = scenario.delete()
+        return {'data': old_object}
+
+    class PutSchema(Schema):
+        """
+        Schema for the put operation.
+        """
+        scenario = fields.Nested(ScenarioSchema, required=True)
-- 
cgit v1.2.3


From 45b73e4683cce35de79117c5b4a6919556d9644f Mon Sep 17 00:00:00 2001
From: Fabian Mastenbroek <mail.fabianm@gmail.com>
Date: Fri, 2 Jul 2021 14:26:23 +0200
Subject: api: Add stricter validation of input/output data

This change adds stricter validation of data that enters and leaves the
database. As a result, we clearly separate the database model from the
data model that the REST API exports.
---
 opendc-web/opendc-web-api/opendc/api/scenarios.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'opendc-web/opendc-web-api/opendc/api/scenarios.py')

diff --git a/opendc-web/opendc-web-api/opendc/api/scenarios.py b/opendc-web/opendc-web-api/opendc/api/scenarios.py
index b566950a..234bdec1 100644
--- a/opendc-web/opendc-web-api/opendc/api/scenarios.py
+++ b/opendc-web/opendc-web-api/opendc/api/scenarios.py
@@ -38,7 +38,7 @@ class Scenario(Resource):
         scenario = ScenarioModel.from_id(scenario_id)
         scenario.check_exists()
         scenario.check_user_access(current_user['sub'], False)
-        data = scenario.obj
+        data = ScenarioSchema().dump(scenario.obj)
         return {'data': data}
 
     def put(self, scenario_id):
@@ -54,7 +54,7 @@ class Scenario(Resource):
         scenario.set_property('name', result['scenario']['name'])
 
         scenario.update()
-        data = scenario.obj
+        data = ScenarioSchema().dump(scenario.obj)
         return {'data': data}
 
     def delete(self, scenario_id):
@@ -72,7 +72,8 @@ class Scenario(Resource):
         portfolio.update()
 
         old_object = scenario.delete()
-        return {'data': old_object}
+        data = ScenarioSchema().dump(old_object)
+        return {'data': data}
 
     class PutSchema(Schema):
         """
-- 
cgit v1.2.3


From fa7ffd9d1594a5bc9dba4fc65af0a4100988341b Mon Sep 17 00:00:00 2001
From: Fabian Mastenbroek <mail.fabianm@gmail.com>
Date: Fri, 2 Jul 2021 16:47:40 +0200
Subject: api: Restrict API scopes

This change adds support for restricting API scopes in the OpenDC API
server. This is necessary to make a distinction between runners and
regular users.
---
 opendc-web/opendc-web-api/opendc/api/scenarios.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'opendc-web/opendc-web-api/opendc/api/scenarios.py')

diff --git a/opendc-web/opendc-web-api/opendc/api/scenarios.py b/opendc-web/opendc-web-api/opendc/api/scenarios.py
index 234bdec1..eacb0b49 100644
--- a/opendc-web/opendc-web-api/opendc/api/scenarios.py
+++ b/opendc-web/opendc-web-api/opendc/api/scenarios.py
@@ -24,7 +24,7 @@ from marshmallow import Schema, fields
 
 from opendc.models.scenario import Scenario as ScenarioModel, ScenarioSchema
 from opendc.models.portfolio import Portfolio
-from opendc.exts import current_user, requires_auth
+from opendc.exts import current_user, requires_auth, has_scope
 
 
 class Scenario(Resource):
@@ -37,7 +37,11 @@ class Scenario(Resource):
         """Get scenario by identifier."""
         scenario = ScenarioModel.from_id(scenario_id)
         scenario.check_exists()
-        scenario.check_user_access(current_user['sub'], False)
+
+        # Users with scope runner can access all scenarios
+        if not has_scope('runner'):
+            scenario.check_user_access(current_user['sub'], False)
+
         data = ScenarioSchema().dump(scenario.obj)
         return {'data': data}
 
-- 
cgit v1.2.3