[ENH] Allow fetching of arbitrary user environments

[peytondmurray]

Fixes #857.

Description

This pull request:

• Adds the ability to specify a JSON web token (JWT) as a query parameter when making a GET request to the /environment/ endpoint. The response will include only environments visible to the specified JWT.
• Adds the ability to specify a role_mapping parameter for the corresponding Python API, conda_store_server.api.list_environments. The role mapping should be a dictionary of the same type used to configure role mappings in the conda_store_config.py, e.g. passing:

role_mapping={
  "*/*": ["editor"],
  "default/env": ["viewer"]
}

to list_environments would return only environments that match either of the two dictionary keys; the keys mean the same thing as they do in the conda_store_config.py:

"*/*" = match all namespace names and match all environment names
"default/env" = match any namespace named "default" and match any environment named "env"

• To enable this, I moved conda_store_server.server.auth.AuthenticationBackend.compile_arn_sql_like, which turns a role mapping key into a SQL-compatible regex that can be used to filter namespaces and backends, to conda_store_server._internal.utils.compile_arn_sql_like so that I could use it outside of the AuthenticationBackend. Doing this required updating a few different files, and I took the opportunity to define some useful type aliases, leave some type annotations, and add some docstrings.

Pull request checklist

• Did you test this change locally?
• Did you update the documentation (if required)?
• Did you add/update relevant tests for this change (if required)?

How to test

Tests of new functionality in both the REST API and the Python API were added, so CI should take care of this. You can also run them locally with pytest.

[netlify]

✅ Deploy Preview for conda-store canceled.

Name	Link
🔨 Latest commit	e08a0e9
🔍 Latest deploy log	https://app.netlify.com/sites/conda-store/deploys/66d7902238a9460008e32943

[trallard]

Thanks @peytondmurray I left a number of suggestions and questions.

Other questions as this was not entirely clear to me from the PR description and after seeing the tests.

1. As an end user if I want to use the REST API to get a list of envs I need to pass then

role_mapping={
  "*/*": ["editor"],
  "default/env": ["viewer"]
}

as a query parameter like environments?role_mapping? or how would you expect this to work?

2. if so, what happens if the user does not provide a role for example

role_mapping={
  "*/*",
}

is that even possible?

[peytondmurray]

Thanks @peytondmurray I left a number of suggestions and questions.

Other questions as this was not entirely clear to me from the PR description and after seeing the tests.

1. As an end user if I want to use the REST API to get a list of envs I need to pass then

role_mapping={
  "*/*": ["editor"],
  "default/env": ["viewer"]
}

as a query parameter like environments?role_mapping? or how would you expect this to work?

No, that's only for the Python API. For the REST API, you pass a JWT of the user you want to fetch environments for, e.g. /environment/?jwt=<jwt-of-whatever-user>.

2. if so, what happens if the user does not provide a role for example

role_mapping={
  "*/*",
}

is that even possible?

Role mappings are dictionaries, so this isn't currently possible - you need associated roles in order for this to work.

[trallard]

So for the REST API the default behavior is to just return all the environments a user has some access to.
No filtering through role or something else.

[peytondmurray]

No, sorry, I should have made that more clear - for the REST API, any user A who requests the environments that user B has access to must also have access to those environments, following the discussion we had previously.

This is the line that grabs the environments for B: https://github.com/peytondmurray/conda-store/blob/a71899b506ffe83d767ce7c0b50c58bda256599e/conda-store-server/conda_store_server/_internal/server/views/api.py#L687

and this is the line that filters those environments by those that are visible to the requester A: https://github.com/peytondmurray/conda-store/blob/a71899b506ffe83d767ce7c0b50c58bda256599e/conda-store-server/conda_store_server/_internal/server/views/api.py#L700

[trallard]

Right I did see the filtering when doing the code review this

No, that's only for the Python API. For the REST API, you pass a JWT of the user you want to fetch environments for, e.g. /environment/?jwt=.

was what confused me. So all good then.
Now, does the whole environment fetching need to be documented somewhere? I see the comments, which are good, but I'm thinking of end-users who might want to use this new functionality.

[peytondmurray]

100% agreed. Once the openapi.json reference is updated we'll have that. But maybe it make sense to start a document where some common uses cases are shown in examples?