Asyncronous notification for mf enforcement rules (#1804)

SofiaSazonova · Sofia Sazonova · petrkalos · web-flow · commit 12f5893bd813 · 2025-07-03T23:04:38.000+03:00
bugfixes ### Feature or Bugfix  - When MF enforcement rule is created, entity owners are notified asynchronously. MF enforcement rule is created and return immidiately - fix for delete_mf_enforcement_rule - small typos ### Detail - <feature1 or bug1> - <feature2 or bug2> ### Relates - <URL or Ticket> ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. --------- Co-authored-by: Sofia Sazonova <sazonova@amazon.co.uk> Co-authored-by: Petros Kalos <kalosp@amazon.com>
diff --git a/backend/dataall/modules/metadata_forms/__init__.py b/backend/dataall/modules/metadata_forms/__init__.py
@@ -1,7 +1,9 @@
-from typing import List, Type
-
+from typing import List, Type, Set
+import logging
 from dataall.base.loader import ModuleInterface, ImportMode
 
+log = logging.getLogger(__name__)
+
 
 class MetadataFormsApiModuleInterface(ModuleInterface):
     """Implements ModuleInterface for Metadata Forms GraphQl lambda"""
@@ -19,3 +21,19 @@ def depends_on() -> List[Type['ModuleInterface']]:
         from dataall.modules.datasets_base import DatasetBaseApiModuleInterface
 
         return [DatasetBaseApiModuleInterface]
+
+
+class MetadataFormAsyncHandlersModuleInterface(ModuleInterface):
+    """Implements ModuleInterface for metadataform async lambda"""
+
+    @staticmethod
+    def is_supported(modes: Set[ImportMode]):
+        return ImportMode.HANDLERS in modes
+
+    def __init__(self):
+        import dataall.modules.metadata_forms.handlers
+        import dataall.modules.metadata_forms.db.metadata_form_models
+        import dataall.modules.metadata_forms.db.metadata_form_repository
+        import dataall.modules.metadata_forms.services.metadata_form_enforcement_service
+
+        log.info('Metadata Form handlers have been imported')
diff --git a/backend/dataall/modules/metadata_forms/db/metadata_form_repository.py b/backend/dataall/modules/metadata_forms/db/metadata_form_repository.py
@@ -391,7 +391,5 @@ def update_version_in_rules(session, uri, version):
 
     @staticmethod
     def delete_rule(session, rule_uri):
-        session.query(MetadataFormEnforcementRule).filter(
-            MetadataFormEnforcementRule.metadataFormUri == rule_uri
-        ).delete()
+        session.query(MetadataFormEnforcementRule).filter(MetadataFormEnforcementRule.uri == rule_uri).delete()
         session.commit()
diff --git a/backend/dataall/modules/metadata_forms/handlers/__init__.py b/backend/dataall/modules/metadata_forms/handlers/__init__.py
@@ -0,0 +1,3 @@
+from dataall.modules.metadata_forms.handlers import metadata_form_handler
+
+__all__ = ['metadata_form_handler']
diff --git a/backend/dataall/modules/metadata_forms/handlers/metadata_form_handler.py b/backend/dataall/modules/metadata_forms/handlers/metadata_form_handler.py
@@ -0,0 +1,13 @@
+from dataall.core.tasks.service_handlers import Worker
+from dataall.core.tasks.db.task_models import Task
+from dataall.modules.metadata_forms.services.metadata_form_enforcement_service import MetadataFormEnforcementService
+
+
+class EcsMetadataFormHandler:
+    @staticmethod
+    @Worker.handler(path='metadata_form.enforcement.notify')
+    def notify_owners_of_enforcement(engine, task: Task):
+        with engine.scoped_session() as session:
+            MetadataFormEnforcementService.notify_owners_of_enforcement(
+                session=session, rule_uri=task.targetUri, mf_name=task.payload.get('mf_name', 'Unknown name')
+            )
diff --git a/backend/dataall/modules/metadata_forms/services/metadata_form_enforcement_service.py b/backend/dataall/modules/metadata_forms/services/metadata_form_enforcement_service.py
@@ -1,7 +1,9 @@
 from typing import List
 from dataall.base.context import get_context
-from dataall.base.db import exceptions
+from dataall.base.db import exceptions, Engine
 from dataall.base.db.paginator import paginate_list
+from dataall.core.tasks.db.task_models import Task
+from dataall.core.tasks.service_handlers import Worker
 from dataall.core.environment.db.environment_repositories import EnvironmentRepository
 from dataall.core.environment.db.environment_models import Environment
 from dataall.core.organizations.db.organization_models import Organization
@@ -68,6 +70,20 @@ class MetadataFormEnforcementService:
     def _get_entity_uri(session, data):
         return data.get('homeEntity')
 
+    @classmethod
+    def notify_owners_of_enforcement(cls, session, rule_uri: str, mf_name: str) -> bool:
+        affected_entities = MetadataFormEnforcementService._get_affected_entities(session=session, uri=rule_uri)
+        for entity in affected_entities:
+            if entity['owner']:
+                NotificationRepository.create_notification(
+                    session,
+                    recipient=entity['owner'],
+                    target_uri=f'{entity["uri"]}|{entity["type"]}',
+                    message=f'Usage of metadata form "{mf_name}" was enforced for {entity["uri"]} {entity["type"]}',
+                    notification_type='METADATA_FORM_ENFORCED',
+                )
+        return True
+
     @staticmethod
     @TenantPolicyService.has_tenant_permission(MANAGE_METADATA_FORMS)
     @MetadataFormAccessService.can_perform(ENFORCE_METADATA_FORM)
@@ -79,154 +95,148 @@ def create_mf_enforcement_rule(uri, data):
             version = MetadataFormRepository.get_metadata_form_version_number_latest(session, uri)
             rule = MetadataFormRepository.create_mf_enforcement_rule(session, uri, data, version)
 
-            affected_entities = MetadataFormEnforcementService.get_affected_entities(rule.uri, rule=rule)
-            for entity in affected_entities:
-                if entity['owner']:
-                    NotificationRepository.create_notification(
-                        session,
-                        recipient=entity['owner'],
-                        target_uri=f'{entity["uri"]}|{entity["type"]}',
-                        message=f'Usage of metadata form "{mf.name}" was enforced for {entity["uri"]} {entity["type"]}',
-                        notification_type='METADATA_FORM_ENFORCED',
-                    )
+            task = Task(
+                targetUri=rule.uri,
+                action='metadata_form.enforcement.notify',
+                payload={'mf_name': mf.name},
+            )
+            session.add(task)
+            session.commit()
+
+        Worker.queue(engine=get_context().db_engine, task_ids=[task.taskUri])
 
         return rule
 
     @staticmethod
-    def get_affected_organizations(uri, rule=None) -> List[Organization]:
-        with get_context().db_engine.scoped_session() as session:
-            if not rule:
-                rule = MetadataFormRepository.get_mf_enforcement_rule_by_uri(session, uri)
-            if rule.level == MetadataFormEnforcementScope.Global.value:
-                return OrganizationRepository.query_all_active_organizations(session)
-            if rule.level == MetadataFormEnforcementScope.Organization.value:
-                return [OrganizationRepository.get_organization_by_uri(session, rule.homeEntity)]
-            return []
+    def _get_affected_organizations(session, uri, rule=None) -> List[Organization]:
+        if not rule:
+            rule = MetadataFormRepository.get_mf_enforcement_rule_by_uri(session, uri)
+        if rule.level == MetadataFormEnforcementScope.Global.value:
+            return OrganizationRepository.query_all_active_organizations(session)
+        if rule.level == MetadataFormEnforcementScope.Organization.value:
+            return [OrganizationRepository.get_organization_by_uri(session, rule.homeEntity)]
+        return []
 
     @staticmethod
-    def get_affected_environments(uri, rule=None) -> List[Environment]:
-        with get_context().db_engine.scoped_session() as session:
-            if not rule:
-                rule = MetadataFormRepository.get_mf_enforcement_rule_by_uri(session, uri)
-            if rule.level == MetadataFormEnforcementScope.Global.value:
-                return EnvironmentRepository.query_all_active_environments(session)
-            if rule.level == MetadataFormEnforcementScope.Organization.value:
-                return OrganizationRepository.query_organization_environments(
-                    session, uri=rule.homeEntity, filter=None
-                ).all()
-            if rule.level == MetadataFormEnforcementScope.Environment.value:
-                return [EnvironmentRepository.get_environment_by_uri(session, rule.homeEntity)]
-            return []
+    def _get_affected_environments(session, uri, rule=None) -> List[Environment]:
+        if not rule:
+            rule = MetadataFormRepository.get_mf_enforcement_rule_by_uri(session, uri)
+        if rule.level == MetadataFormEnforcementScope.Global.value:
+            return EnvironmentRepository.query_all_active_environments(session)
+        if rule.level == MetadataFormEnforcementScope.Organization.value:
+            return OrganizationRepository.query_organization_environments(
+                session, uri=rule.homeEntity, filter=None
+            ).all()
+        if rule.level == MetadataFormEnforcementScope.Environment.value:
+            return [EnvironmentRepository.get_environment_by_uri(session, rule.homeEntity)]
+        return []
 
     @staticmethod
-    def get_affected_datasets(uri, rule=None) -> List[DatasetBase]:
-        with get_context().db_engine.scoped_session() as session:
-            if not rule:
-                rule = MetadataFormRepository.get_mf_enforcement_rule_by_uri(session, uri)
-            if rule.level == MetadataFormEnforcementScope.Global.value:
-                return DatasetListRepository.query_datasets(session).all()
-            if rule.level == MetadataFormEnforcementScope.Organization.value:
-                return DatasetListRepository.query_datasets(session, organizationUri=rule.homeEntity).all()
-            if rule.level == MetadataFormEnforcementScope.Environment.value:
-                return DatasetListRepository.query_datasets(session, environmentUri=rule.homeEntity).all()
-            if rule.level == MetadataFormEnforcementScope.Dataset.value:
-                return [DatasetBaseRepository.get_dataset_by_uri(session, rule.homeEntity)]
-            return []
+    def _get_affected_datasets(session, uri, rule=None) -> List[DatasetBase]:
+        if not rule:
+            rule = MetadataFormRepository.get_mf_enforcement_rule_by_uri(session, uri)
+        if rule.level == MetadataFormEnforcementScope.Global.value:
+            return DatasetListRepository.query_datasets(session).all()
+        if rule.level == MetadataFormEnforcementScope.Organization.value:
+            return DatasetListRepository.query_datasets(session, organizationUri=rule.homeEntity).all()
+        if rule.level == MetadataFormEnforcementScope.Environment.value:
+            return DatasetListRepository.query_datasets(session, environmentUri=rule.homeEntity).all()
+        if rule.level == MetadataFormEnforcementScope.Dataset.value:
+            return [DatasetBaseRepository.get_dataset_by_uri(session, rule.homeEntity)]
+        return []
 
     @staticmethod
-    def get_attachement_for_rule(rule, entityUri) -> AttachedMetadataForm:
-        with get_context().db_engine.scoped_session() as session:
-            return MetadataFormRepository.query_all_attached_metadata_forms_for_entity(
-                session,
-                entityUri=entityUri,
-                metadataFormUri=rule.metadataFormUri,
-                version=rule.version,
-            ).first()
+    def _get_attachement_for_rule(session, rule, entityUri) -> AttachedMetadataForm:
+        return MetadataFormRepository.query_all_attached_metadata_forms_for_entity(
+            session,
+            entityUri=entityUri,
+            metadataFormUri=rule.metadataFormUri,
+            version=rule.version,
+        ).first()
 
     @staticmethod
-    def form_affected_entity_object(type, entity: MetadataFormEntity, rule):
+    def _form_affected_entity_object(session, type, entity: MetadataFormEntity, rule):
         return {
             'type': type,
             'name': entity.entity_name(),
             'uri': entity.uri(),
             'owner': entity.owner_name(),
-            'attached': MetadataFormEnforcementService.get_attachement_for_rule(rule, entity.uri()),
+            'attached': MetadataFormEnforcementService._get_attachement_for_rule(session, rule, entity.uri()),
         }
 
     @staticmethod
-    def get_affected_entities(uri, rule=None):
+    def _get_affected_entities(session, uri, rule=None):
         affected_entities = []
-        with get_context().db_engine.scoped_session() as session:
-            if not rule:
-                rule = MetadataFormRepository.get_mf_enforcement_rule_by_uri(session, uri)
+        if not rule:
+            rule = MetadataFormRepository.get_mf_enforcement_rule_by_uri(session, uri)
+
+        orgs = MetadataFormEnforcementService._get_affected_organizations(session, uri, rule)
+        if MetadataFormEntityTypes.Organization.value in rule.entityTypes:
+            affected_entities.extend(
+                [
+                    MetadataFormEnforcementService._form_affected_entity_object(
+                        session, MetadataFormEntityTypes.Organization.value, o, rule
+                    )
+                    for o in orgs
+                ]
+            )
 
-            orgs = MetadataFormEnforcementService.get_affected_organizations(uri, rule)
-            if MetadataFormEntityTypes.Organization.value in rule.entityTypes:
-                affected_entities.extend(
-                    [
-                        MetadataFormEnforcementService.form_affected_entity_object(
-                            MetadataFormEntityTypes.Organization.value, o, rule
-                        )
-                        for o in orgs
-                    ]
-                )
+        envs = MetadataFormEnforcementService._get_affected_environments(session, uri, rule)
+        if MetadataFormEntityTypes.Environment.value in rule.entityTypes:
+            affected_entities.extend(
+                [
+                    MetadataFormEnforcementService._form_affected_entity_object(
+                        session, MetadataFormEntityTypes.Environment.value, e, rule
+                    )
+                    for e in envs
+                ]
+            )
 
-            envs = MetadataFormEnforcementService.get_affected_environments(uri, rule)
-            if MetadataFormEntityTypes.Environment.value in rule.entityTypes:
-                affected_entities.extend(
-                    [
-                        MetadataFormEnforcementService.form_affected_entity_object(
-                            MetadataFormEntityTypes.Environment.value, e, rule
-                        )
-                        for e in envs
-                    ]
-                )
+        datasets = []
+        if MetadataFormEntityManager.is_registered(
+            MetadataFormEntityTypes.S3Dataset.value
+        ) or MetadataFormEntityManager.is_registered(MetadataFormEntityTypes.RDDataset.value):
+            datasets = MetadataFormEnforcementService._get_affected_datasets(session, uri, rule)
+            affected_entities.extend(
+                [
+                    MetadataFormEnforcementService._form_affected_entity_object(
+                        session, ds.datasetType.value + '-Dataset', ds, rule
+                    )
+                    for ds in datasets
+                    if ds.datasetType.value + '-Dataset' in rule.entityTypes
+                    and MetadataFormEntityManager.is_registered(ds.datasetType.value + '-Dataset')
+                ]
+            )
 
-            datasets = []
-            if MetadataFormEntityManager.is_registered(
-                MetadataFormEntityTypes.S3Dataset.value
-            ) or MetadataFormEntityManager.is_registered(MetadataFormEntityTypes.RDDataset.value):
-                datasets = MetadataFormEnforcementService.get_affected_datasets(uri, rule)
-                affected_entities.extend(
-                    [
-                        MetadataFormEnforcementService.form_affected_entity_object(
-                            ds.datasetType.value + '-Dataset', ds, rule
-                        )
-                        for ds in datasets
-                        if ds.datasetType.value + '-Dataset' in rule.entityTypes
-                        and MetadataFormEntityManager.is_registered(ds.datasetType.value + '-Dataset')
-                    ]
-                )
+        entity_types = set(rule.entityTypes[:]) - {
+            MetadataFormEntityTypes.Organization.value,
+            MetadataFormEntityTypes.Environment.value,
+            MetadataFormEntityTypes.RDDataset.value,
+            MetadataFormEntityTypes.S3Dataset.value,
+        }
 
-            entity_types = set(rule.entityTypes[:]) - {
-                MetadataFormEntityTypes.Organization.value,
-                MetadataFormEntityTypes.Environment.value,
-                MetadataFormEntityTypes.RDDataset.value,
-                MetadataFormEntityTypes.S3Dataset.value,
-            }
-
-            for entity_type in entity_types:
-                entity_class = MetadataFormEntityManager.get_resource(entity_type)
-                level = ENTITY_SCOPE_BY_TYPE[entity_type]
-                all_entities = session.query(entity_class)
-                if level == MetadataFormEnforcementScope.Organization:
-                    all_entities = all_entities.filter(
-                        entity_class.organizationUri.in_([org.organizationUri for org in orgs])
-                    )
-                if level == MetadataFormEnforcementScope.Environment:
-                    all_entities = all_entities.filter(
-                        entity_class.environmentUri.in_([env.environmentUri for env in envs])
-                    )
-                if level == MetadataFormEnforcementScope.Dataset:
-                    all_entities = all_entities.filter(entity_class.datasetUri.in_([ds.datasetUri for ds in datasets]))
-                all_entities = all_entities.all()
-                affected_entities.extend(
-                    [
-                        MetadataFormEnforcementService.form_affected_entity_object(entity_type, e, rule)
-                        for e in all_entities
-                    ]
+        for entity_type in entity_types:
+            entity_class = MetadataFormEntityManager.get_resource(entity_type)
+            level = ENTITY_SCOPE_BY_TYPE[entity_type]
+            all_entities = session.query(entity_class)
+            if level == MetadataFormEnforcementScope.Organization:
+                all_entities = all_entities.filter(
+                    entity_class.organizationUri.in_([org.organizationUri for org in orgs])
+                )
+            if level == MetadataFormEnforcementScope.Environment:
+                all_entities = all_entities.filter(
+                    entity_class.environmentUri.in_([env.environmentUri for env in envs])
                 )
-            return affected_entities
+            if level == MetadataFormEnforcementScope.Dataset:
+                all_entities = all_entities.filter(entity_class.datasetUri.in_([ds.datasetUri for ds in datasets]))
+            all_entities = all_entities.all()
+            affected_entities.extend(
+                [
+                    MetadataFormEnforcementService._form_affected_entity_object(session, entity_type, e, rule)
+                    for e in all_entities
+                ]
+            )
+        return affected_entities
 
     @staticmethod
     def list_mf_enforcement_rules(uri):
@@ -236,11 +246,13 @@ def list_mf_enforcement_rules(uri):
     @staticmethod
     def paginate_mf_affected_entities(uri, data=None):
         data = data or {}
-        return paginate_list(
-            items=MetadataFormEnforcementService.get_affected_entities(uri),
-            page=data.get('page', 1),
-            page_size=data.get('pageSize', 10),
-        ).to_dict()
+
+        with get_context().db_engine.scoped_session() as session:
+            return paginate_list(
+                items=MetadataFormEnforcementService._get_affected_entities(session=session, uri=uri),
+                page=data.get('page', 1),
+                page_size=data.get('pageSize', 10),
+            ).to_dict()
 
     @staticmethod
     def resolve_home_entity(uri, rule=None):
@@ -283,6 +295,8 @@ def get_rules_that_affect_entity(entity_type, entity_uri):
         entity_scope = ENTITY_SCOPE_BY_TYPE[entity_type]
         with get_context().db_engine.scoped_session() as session:
             entity = session.query(entity_class).get(entity_uri)
+            if not entity:
+                return []
             parent_dataset_uri, parent_env_uri, parent_org_uri = None, None, None
 
             if entity_scope == MetadataFormEnforcementScope.Dataset:
@@ -339,7 +353,7 @@ def get_rules_that_affect_entity(entity_type, entity_uri):
                 )
 
             for r in all_rules:
-                attached = MetadataFormEnforcementService.get_attachement_for_rule(r, entity_uri)
+                attached = MetadataFormEnforcementService._get_attachement_for_rule(session, r, entity_uri)
                 r.attached = attached.uri if attached else None
                 r.metadataFormName = MetadataFormRepository.get_metadata_form(session, r.metadataFormUri).name
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+from dataall.modules.metadata_forms.handlers import metadata_form_handler`
	`2`	`+`
	`3`	`+__all__ = ['metadata_form_handler']`