Generic entity endpoint (#290)

Author: g-bar

app/config.py

@@ -39,7 +39,7 @@ class Settings(BaseSettings):
     LOG_CATCH: bool = True
     LOG_STANDARD_LOGGER: dict[str, str] = {"root": "INFO"}
 
-    KEYCLOAK_URL: str = "https://example.openbraininstitute.org/auth/realms/SBO"
+    KEYCLOAK_URL: str = "https://staging.openbraininstitute.org/auth/realms/SBO"
     AUTH_CACHE_MAXSIZE: int = 128  # items
     AUTH_CACHE_MAX_TTL: int = 300  # seconds
     AUTH_CACHE_INFO: bool = False

app/dependencies/auth.py

@@ -127,11 +127,14 @@ def _check_user_info(
         )
 
     user_info_response = deserialize_response(response, model_class=UserInfoResponse)
+
     is_authorized = user_info_response.is_authorized_for(
         virtual_lab_id=project_context.virtual_lab_id,
         project_id=project_context.project_id,
     )
+
     is_service_admin = user_info_response.is_service_admin(settings.APP_NAME)
+
     user_context = UserContext(
         profile=UserProfile.from_user_info(user_info_response),
         expiration=decoded.exp if decoded else None,
@@ -140,6 +143,7 @@ def _check_user_info(
         virtual_lab_id=project_context.virtual_lab_id,
         project_id=project_context.project_id,
         auth_error_reason=AuthErrorReason.NOT_AUTHORIZED_PROJECT if not is_authorized else None,
+        user_project_ids=user_info_response.user_project_ids(),
     )
 
     if not user_context.is_authorized:

app/routers/__init__.py

@@ -52,6 +52,8 @@
 
 router = APIRouter()
 router.include_router(root.router)
+
+
 authenticated_routers = [
     asset.router,
     brain_atlas.router,

app/routers/entity.py

@@ -1,14 +1,15 @@
 """Entity router."""
 
 from typing import Annotated
+from uuid import UUID
 
 from fastapi import APIRouter, Query
 
 from app.db.utils import EntityTypeWithBrainRegion
 from app.dependencies.auth import UserContextDep
 from app.dependencies.common import InBrainRegionDep
 from app.dependencies.db import SessionDep
-from app.schemas.entity import EntityCountRead
+from app.schemas.entity import EntityCountRead, EntityRead
 from app.service import entity as entity_service
 
 router = APIRouter(
@@ -36,3 +37,12 @@ def count_entities_by_type(
         entity_types=types,
         in_brain_region=in_brain_region,
     )
+
+
+@router.get("/{id_}")
+def read_one(
+    id_: UUID,
+    user_context: UserContextDep,
+    db: SessionDep,
+) -> EntityRead:
+    return entity_service.read_one(id_, db, user_context)

app/schemas/auth.py

@@ -1,3 +1,4 @@
+import re
 from typing import Self
 from uuid import UUID
 
@@ -105,6 +106,19 @@ def is_authorized_for(self, virtual_lab_id: UUID | None, project_id: UUID | None
                     ]
                 )
 
+    def user_project_ids(self) -> list[UUID]:
+        """Return the the list if project_ids the user is authorized for."""
+        pattern = r"/proj/[0-9a-fA-F-]+/([0-9a-fA-F-]+)/(admin|member)"
+
+        project_ids: set[UUID] = set()
+
+        for s in self.groups:
+            match = re.match(pattern, s)
+            if match:
+                project_ids.add(UUID(match.group(1)))
+
+        return list(project_ids)
+
 
 class UserProfile(BaseModel):
     """User profile representing a keycloak user."""
@@ -145,6 +159,7 @@ class UserContext(UserContextBase):
 
     virtual_lab_id: UUID | None = None
     project_id: UUID | None = None
+    user_project_ids: list[UUID] = []
 
 
 class UserContextWithProjectId(UserContextBase):

app/service/entity.py

@@ -1,6 +1,7 @@
 import uuid
 
 import sqlalchemy as sa
+from sqlalchemy.orm import Session
 
 import app.queries.entity
 from app.db.auth import constrain_to_accessible_entities
@@ -10,13 +11,12 @@
     ENTITY_TYPE_TO_CLASS,
     EntityTypeWithBrainRegion,
 )
-from app.dependencies.auth import UserContextDep
 from app.dependencies.common import InBrainRegionDep
-from app.dependencies.db import SessionDep
+from app.errors import ensure_result
 from app.filters.brain_region import get_family_query
 from app.repository.group import RepositoryGroup
 from app.schemas.auth import UserContext, UserContextWithProjectId
-from app.schemas.entity import EntityCountRead
+from app.schemas.entity import EntityCountRead, EntityRead
 
 
 def get_readable_entity(
@@ -55,8 +55,8 @@ def get_writable_entity(
 
 def count_entities_by_type(
     *,
-    user_context: UserContextDep,
-    db: SessionDep,
+    user_context: UserContext,
+    db: Session,
     entity_types: list[EntityTypeWithBrainRegion],
     in_brain_region: InBrainRegionDep,
 ) -> EntityCountRead:
@@ -114,3 +114,20 @@ def count_entities_by_type(
         results = EntityCountRead.model_validate(data)
 
     return results
+
+
+def read_one(
+    id_: uuid.UUID,
+    db: Session,
+    user_context: UserContext,
+) -> EntityRead:
+    with ensure_result(f"Entity {id_} not found or forbidden"):
+        query = sa.select(Entity).where(
+            Entity.id == id_,
+            sa.or_(
+                Entity.authorized_public.is_(True),
+                Entity.authorized_project_id.in_(user_context.user_project_ids),
+            ),
+        )
+        row = db.execute(query).unique().scalar_one()
+        return EntityRead.model_validate(row)

tests/conftest.py

@@ -118,8 +118,9 @@ def user_context_user_1():
         expiration=None,
         is_authorized=True,
         is_service_admin=False,
-        virtual_lab_id=VIRTUAL_LAB_ID,
-        project_id=PROJECT_ID,
+        virtual_lab_id=UUID(VIRTUAL_LAB_ID),
+        project_id=UUID(PROJECT_ID),
+        user_project_ids=[UUID(PROJECT_ID)],
     )
 
 
@@ -134,8 +135,8 @@ def user_context_user_2():
         expiration=None,
         is_authorized=True,
         is_service_admin=False,
-        virtual_lab_id=UNRELATED_VIRTUAL_LAB_ID,
-        project_id=UNRELATED_PROJECT_ID,
+        virtual_lab_id=UUID(UNRELATED_VIRTUAL_LAB_ID),
+        project_id=UUID(UNRELATED_PROJECT_ID),
     )
 
 

tests/test_auth.py

@@ -96,6 +96,7 @@ def test_user_verified_ok(httpx_mock, request_mock, is_admin, is_token_jwt, proj
         is_service_admin=is_admin,
         virtual_lab_id=project_context.virtual_lab_id,
         project_id=project_context.project_id,
+        user_project_ids=[uuid.UUID(PROJECT_ID)],
     )
 
 

tests/test_entity.py

@@ -1,4 +1,5 @@
 from app.db.model import IonChannelModel
+from app.schemas.morphology import ReconstructionMorphologyRead
 
 from .utils import (
     PROJECT_ID,
@@ -11,6 +12,79 @@
 ROUTE = "/entity"
 
 
+def test_get_entity(client, brain_region_id, species_id, strain_id, license_id):
+    morph = assert_request(
+        client.post,
+        url="/reconstruction-morphology",
+        json={
+            "brain_region_id": str(brain_region_id),
+            "species_id": str(species_id),
+            "strain_id": str(strain_id),
+            "description": "Test morph",
+            "name": "Test morph",
+            "location": {"x": 10, "y": 20, "z": 30},
+            "legacy_id": ["Test Legacy ID"],
+            "license_id": str(license_id),
+        },
+    ).json()
+
+    data = assert_request(client.get, url=f"{ROUTE}/{morph['id']}").json()
+
+    assert data["type"] == "reconstruction_morphology"
+
+
+def test_get_entity_no_auth(
+    client, client_user_2, brain_region_id, species_id, strain_id, license_id
+):
+    morph = assert_request(
+        client_user_2.post,
+        url="/reconstruction-morphology",
+        json={
+            "brain_region_id": str(brain_region_id),
+            "species_id": str(species_id),
+            "strain_id": str(strain_id),
+            "description": "Test morph",
+            "name": "Test morph",
+            "location": {"x": 10, "y": 20, "z": 30},
+            "legacy_id": ["Test Legacy ID"],
+            "license_id": str(license_id),
+        },
+    ).json()
+
+    res = client.get(url=f"{ROUTE}/{morph['id']}")
+
+    assert res.status_code == 404
+
+
+def test_public_unrelated_project_accessible(
+    client, client_user_2, brain_region_id, species_id, strain_id, license_id
+):
+    morph = assert_request(
+        client_user_2.post,
+        url="/reconstruction-morphology",
+        json={
+            "authorized_public": True,
+            "brain_region_id": str(brain_region_id),
+            "species_id": str(species_id),
+            "strain_id": str(strain_id),
+            "description": "Test morph",
+            "name": "Test morph",
+            "location": {"x": 10, "y": 20, "z": 30},
+            "legacy_id": ["Test Legacy ID"],
+            "license_id": str(license_id),
+        },
+    ).json()
+
+    data = assert_request(client.get, url=f"{ROUTE}/{morph['id']}").json()
+    assert data["type"] == "reconstruction_morphology"
+
+    morph_detail = assert_request(
+        client.get, url=f"/reconstruction-morphology/{morph['id']}"
+    ).json()
+
+    assert ReconstructionMorphologyRead.model_validate(morph_detail)
+
+
 def test_count_entities_validation_errors(client):
     """Test validation errors for the count endpoint."""
     response = client.get(f"{ROUTE}/counts")