AIP-84 Add Auth to plugins (#47504)

* AIP-84 Add Auth to plugins * Better return type * fix: fix import path change --------- Co-authored-by: Wei Lee <[email protected]>
apache · Mar 11, 2025 · 637525c · 637525c
1 parent 802cb87
commit 637525c
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 2 deletions.
diff --git a/airflow/api_fastapi/core_api/openapi/v1-generated.yaml b/airflow/api_fastapi/core_api/openapi/v1-generated.yaml
@@ -4078,6 +4078,8 @@ paths:
       - Plugin
       summary: Get Plugins
       operationId: get_plugins
+      security:
+      - OAuth2PasswordBearer: []
       parameters:
       - name: limit
         in: query

diff --git a/airflow/api_fastapi/core_api/routes/public/plugins.py b/airflow/api_fastapi/core_api/routes/public/plugins.py
@@ -19,15 +19,22 @@
 
 from typing import cast
 
+from fastapi import Depends
+
+from airflow.api_fastapi.auth.managers.models.resource_details import AccessView
 from airflow.api_fastapi.common.parameters import QueryLimit, QueryOffset
 from airflow.api_fastapi.common.router import AirflowRouter
 from airflow.api_fastapi.core_api.datamodels.plugins import PluginCollectionResponse, PluginResponse
+from airflow.api_fastapi.core_api.security import requires_access_view
 from airflow.plugins_manager import get_plugin_info
 
 plugins_router = AirflowRouter(tags=["Plugin"], prefix="/plugins")
 
 
-@plugins_router.get("")
+@plugins_router.get(
+    "",
+    dependencies=[Depends(requires_access_view(AccessView.PLUGINS))],
+)
 def get_plugins(
     limit: QueryLimit,
     offset: QueryOffset,

diff --git a/airflow/api_fastapi/core_api/security.py b/airflow/api_fastapi/core_api/security.py
@@ -26,6 +26,7 @@
 from airflow.api_fastapi.app import get_auth_manager
 from airflow.api_fastapi.auth.managers.models.base_user import BaseUser
 from airflow.api_fastapi.auth.managers.models.resource_details import (
+    AccessView,
     AssetAliasDetails,
     AssetDetails,
     ConfigurationDetails,
@@ -177,6 +178,20 @@ def inner(
     return inner
 
 
+def requires_access_view(access_view: AccessView) -> Callable[[Request, BaseUser | None], None]:
+    def inner(
+        request: Request,
+        user: Annotated[BaseUser | None, Depends(get_user)] = None,
+    ) -> None:
+        _requires_access(
+            is_authorized_callback=lambda: get_auth_manager().is_authorized_view(
+                access_view=access_view, user=user
+            ),
+        )
+
+    return inner
+
+
 def requires_access_asset_alias(method: ResourceMethod) -> Callable:
     def inner(
         request: Request,

diff --git a/tests/api_fastapi/core_api/routes/public/test_plugins.py b/tests/api_fastapi/core_api/routes/public/test_plugins.py
@@ -21,7 +21,7 @@
 pytestmark = pytest.mark.db_test
 
 
-class TestGetConnections:
+class TestGetPlugins:
     @pytest.mark.parametrize(
         "query_params, expected_total_entries, expected_names",
         [
@@ -62,3 +62,11 @@ def test_should_respond_200(
         body = response.json()
         assert body["total_entries"] == expected_total_entries
         assert [plugin["name"] for plugin in body["plugins"]] == expected_names
+
+    def test_should_response_401(self, unauthenticated_test_client):
+        response = unauthenticated_test_client.get("/public/plugins")
+        assert response.status_code == 401
+
+    def test_should_response_403(self, unauthorized_test_client):
+        response = unauthorized_test_client.get("/public/plugins")
+        assert response.status_code == 403