Merge branch 'develop' into 'fb-utc-22'

Workflow run: https://github.com/HumanSignal/label-studio/actions/runs/15350785737

Author: mcanu

.github/workflows/git-command.yml

@@ -30,8 +30,6 @@ jobs:
           token: ${{ secrets.GIT_PAT }}
           repository: ${{ github.event.client_payload.pull_request.head.repo.full_name }}
           ref: ${{ github.event.client_payload.pull_request.head.ref }}
-          submodules: 'recursive'
-          fetch-depth: 0
 
       - name: Checkout Actions Hub
         uses: actions/checkout@v4
@@ -52,7 +50,8 @@ jobs:
         uses: ./.github/actions-hub/actions/git-merge
         with:
           base_branch: ${{ github.event.client_payload.slash_command.args.unnamed.arg2 || github.event.client_payload.pull_request.base.ref }}
-          head_branch: ${{ github.event.client_payload.pull_request.head.ref }}
+          base_repository: ${{ github.event.client_payload.pull_request.base.repo.full_name }}
+          head_sha: ${{ github.event.client_payload.pull_request.head.sha }}
           our_files: "pyproject.toml poetry.lock web"
 
       - name: Git Push

.gitleaks.toml

@@ -8,6 +8,7 @@ description = "Global allow list"
 stopwords = [
     '''keyEntities''',
     '''shiftKey''',
+    '''duplicated''',
 ]
 paths = [
     '''gitleaks\.toml''',

docs/source/guide/release_notes/onprem/2.24.0.md

@@ -38,6 +38,9 @@ When you open Label Studio, you will see a new Home page. Here you can find link
 
 ![Screenshot of home page](/images/releases/2-24-home.png)
 
+!!! note
+    The home page is not available for environments using whitelabeling. 
+
 #### Annotator Evaluation settings
 
 There is a new Annotator Evaluation section under **Settings > Quality**.

docs/source/guide/storage.md

@@ -382,9 +382,9 @@ After you [configure access to your S3 bucket](#Configure-access-to-your-S3-buck
     - In the **Session Token** field, specify a session token of the temporary security credentials for an AWS account with access to your S3 bucket.
     - (Optional) Enable **Treat every bucket object as a source file** if your bucket contains BLOB storage files such as JPG, MP3, or similar file types. This setting creates a URL for each bucket object to use for labeling. Leave this option disabled if you have multiple JSON files in the bucket with one task per JSON file.
     - (Optional) Enable **Recursive scan** to perform recursive scans over the bucket contents if you have nested folders in your S3 bucket.
-    - Choose whether to disable **Use pre-signed URLs**. 
-        - All s3://... links will be resolved on the fly and converted to https URLs, if this option is on. 
-        - All s3://... objects will be preloaded into Label Studio tasks as base64 codes, if this option is off. It's not recommended way, because Label Studio task payload will be huge and UI will slow down. Also it requires GET permissions from your storage. 
+    - Choose whether to disable [**Use pre-signed URLs**](#Pre-signed-URLs-vs-storage-proxies). 
+        - **ON** - Label Studio generates a pre-signed URL to load media. 
+        - **OFF** - Label Studio proxies media using its own backend.  
     - Adjust the counter for how many minutes the pre-signed URLs are valid.
 8. Click **Add Storage**.
 
@@ -547,7 +547,9 @@ In the Label Studio UI, do the following to set up the connection:
     - In the **External ID** field, specify the external ID that identifies Label Studio to your AWS account. You can find the external ID on your **Organization** page.
     - Enable **Treat every bucket object as a source file** if your bucket contains BLOB storage files such as JPG, MP3, or similar file types. This setting creates a URL for each bucket object to use for labeling. Leave this option disabled if you have multiple JSON files in the bucket with one task per JSON file.
     - Enable **Recursive scan** to perform recursive scans over the bucket contents if you have nested folders in your S3 bucket.
-    - Choose whether to disable **Use pre-signed URLs**. If your tasks contain s3://... links, they must be pre-signed in order to be displayed in the browser.
+    - Choose whether to disable [**Use pre-signed URLs**](#Pre-signed-URLs-vs-storage-proxies). 
+      - **ON** - Label Studio generates a pre-signed URL to load media. 
+      - **OFF** - Label Studio proxies media using its own backend.  
     - Adjust the counter for how many minutes the pre-signed URLs are valid.
 8. Click **Add Storage**.
 
@@ -686,7 +688,9 @@ In the Label Studio UI, do the following to set up the connection:
 7. Adjust the remaining optional parameters:
     - In the **File Filter Regex** field, specify a regular expression to filter bucket objects. Use `.*` to collect all objects.
     - Enable **Treat every bucket object as a source file** if your bucket contains BLOB storage files such as JPG, MP3, or similar file types. This setting creates a URL for each bucket object to use for labeling, such as `gs://my-gcs-bucket/image.jpg`. Leave this option disabled if you have multiple JSON files in the bucket with one task per JSON file.
-    - Choose whether to disable **Use pre-signed URLs**. If your tasks contain gs://... links, they must be pre-signed in order to be displayed in the browser.
+    - Choose whether to disable [**Use pre-signed URLs**](#Pre-signed-URLs-vs-storage-proxies).
+      - **ON** - Label Studio generates a pre-signed URL to load media. 
+      - **OFF** - Label Studio proxies media using its own backend.  
     - Adjust the counter for how many minutes the pre-signed URLs are valid.
 8. In the **Google Application Credentials** field, add a JSON file with the GCS credentials you created to manage authentication for your bucket. 
 
@@ -951,7 +955,7 @@ Before you begin, ensure you are in the correct project:
 4. Under **Add a provider pool**, complete the following fields:
 
     * **Select a provider**: Select AWS. This is the location where the Label Studio components responsible for issuing requests are stored. 
-    * **Provider name**: Enter `Label Studio Production` or another display name. 
+    * **Provider name**: Enter `Label Studio App Production` (you can use a different display name, but you need to ensure that the corresponding provider ID is still `label-studio-app-production`)
     * **Provider ID**: Enter `label-studio-app-production`.
     * **AWS Account ID**: Enter `490065312183`.
 
@@ -964,15 +968,15 @@ Before you begin, ensure you are in the correct project:
     * Click **Edit mapping** and then add the following: 
 
         - `google.subject = assertion.arn`
-        - `attribute.aws_role = assertion.arn`
+        - `attribute.aws_role = assertion.arn.contains('assumed-role') ? assertion.arn.extract('{account_arn}assumed-role/') + 'assumed-role/' + assertion.arn.extract('assumed-role/{role_name}/') : assertion.arn` (this might be filled in by default)
         - `attribute.aws_account = assertion.account`
         - `attribute.external_id = assertion.external_id`
 
 6. Click **Save**. 
 
 7. Go to **IAM & Admin > Service Accounts** and find the service account you want to allow AWS (Label Studio) to impersonate. See [Service account permissions](#Service-account-permissions) above. 
 
-8. From the **Permissions** tab, click **Grant Access**. 
+8. From the **Principals with access** tab, click **Grant Access**. 
 
     ![Screenshot of grant access button](/images/storages/gcs-grant-access.png)
 
@@ -994,10 +998,10 @@ Before you begin, ensure you are in the correct project:
 Before setting up your connection in Label Studio, note the following (you will be asked to provide them)
 
 * Your pool ID - available from **IAM & Admin > Workload Identity Pools** 
-* Your provider ID - available from **IAM & Admin > Workload Identity Pools** 
+* Your provider ID - available from **IAM & Admin > Workload Identity Pools** (this should be `label-studio-app-production`)
 * Your service account email - available from **IAM & Admin > Service Accounts**. Select the service account and the email is listed under **Details**.  
-* Your Google project number - available from **IAM & Admin > Settings**. 
-* Your Google project ID - available from **IAM & Admin > Settings**. 
+* Your Google project number - available from **IAM & Admin > Settings**
+* Your Google project ID - available from **IAM & Admin > Settings**
 
 </details>
 
@@ -1013,9 +1017,9 @@ Select the **GCS (WIF auth)** storage type and then complete the following field
 | ------------------------------------------ | ------------------------------------------------- |
 | Bucket Name                                | Enter the name of the Google Cloud bucket. |
 | Bucket Prefix                              | Optionally, enter the folder name within the bucket that you would like to use.  For example, `data-set-1` or `data-set-1/subfolder-2`.  |
-| File Name Filter                           | Specify a regular expression to filter bucket objects. Use `.*` to collect all objects. |
-| Treat every bucket object as a source file | Enable this option if your bucket contains BLOB storage files such as JPG, MP3, or similar file types. This setting creates a URL for each bucket object to use for labeling, such as `gs://my-gcs-bucket/image.jpg`. Leave this option disabled if you have multiple JSON files in the bucket with one task per JSON file. |
-| Use pre-signed URLs                        | If your tasks contain `gs://…` links, they must be pre-signed in order to be displayed in the browser. |
+| File Name Filter                           | Optionally, specify a regular expression to filter bucket objects. |
+| [Treat every bucket object as a source file](#Treat-every-bucket-object-as-a-source-file) | Enable this option if your bucket contains BLOB storage files such as JPG, MP3, or similar file types. This setting creates a URL for each bucket object to use for labeling, such as `gs://my-gcs-bucket/image.jpg`. Leave this option disabled if you have are specifying your tasks in JSON files. |
+| [Use pre-signed URLs](#Pre-signed-URLs-vs-storage-proxies)                        | **ON** - Label Studio generates a pre-signed URL to load media. <br /> **OFF** - Label Studio proxies media using its own backend. |
 | Pre-signed URL counter                     | Adjust the counter for how many minutes the pre-signed URLs are valid. |
 | Workload Identity Pool ID                  | This is the ID you specified when creating the Work Identity Pool. You can find this in Google Cloud Console under **IAM & Admin > Workload Identity Pools**. |
 | Workload Identity Provider ID              | This is the ID you specified when setting up the provider. You can find this in Google Cloud Console under **IAM & Admin > Workload Identity Pools**. |
@@ -1140,7 +1144,9 @@ In the Label Studio UI, do the following to set up the connection:
     - In the **Account Name** field, specify the account name for the Azure storage. You can also set this field as an environment variable,`AZURE_BLOB_ACCOUNT_NAME`.
     - In the **Account Key** field, specify the secret key to access the storage account. You can also set this field as an environment variable,`AZURE_BLOB_ACCOUNT_KEY`.
     - Enable **Treat every bucket object as a source file** if your bucket contains BLOB storage files such as JPG, MP3, or similar file types. This setting creates a URL for each bucket object to use for labeling, for example `azure-blob://container-name/image.jpg`. Leave this option disabled if you have multiple JSON files in the bucket with one task per JSON file. 
-    - Choose whether to disable **Use pre-signed URLs**, or [shared access signatures](https://docs.microsoft.com/en-us/rest/api/storageservices/delegate-access-with-shared-access-signature). If your tasks contain azure-blob://... links, they must be pre-signed in order to be displayed in the browser.    
+    - Choose whether to disable [**Use pre-signed URLs**](#Pre-signed-URLs-vs-storage-proxies), or [shared access signatures](https://docs.microsoft.com/en-us/rest/api/storageservices/delegate-access-with-shared-access-signature). 
+      - **ON** - Label Studio generates a pre-signed URL to load media. 
+      - **OFF** - Label Studio proxies media using its own backend.    
     - Adjust the counter for how many minutes the shared access signatures are valid.
 8. Click **Add Storage**.
 9. Repeat these steps for **Target Storage** to sync completed data annotations to a container.

docs/themes/v2/source/images/storages/gcs-grant-access.png

@@ -45,6 +45,8 @@ class AllPermissions(BaseModel):
     model_provider_connection_view: str = 'model_provider_connection.view'
     model_provider_connection_change: str = 'model_provider_connection.change'
     model_provider_connection_delete: str = 'model_provider_connection.delete'
+    webhooks_view: str = 'webhooks.view'
+    webhooks_change: str = 'webhooks.change'
 
 
 all_permissions = AllPermissions()

label_studio/core/permissions.py

@@ -144,41 +144,43 @@ def restore_storage_links_for_duplicated_tasks(duplicates) -> None:
     total_restored_links = 0
     for data in list(duplicates):
         tasks = duplicates[data]
-        source = None
+
+        def _get_storagelink(task):
+            for link in classes:
+                if link_id := task.get(link):
+                    return classes[link], link_id
+            return None
 
         # find first task with existing StorageLink
+        tasks_without_storagelinks = []
+        tasks_with_storagelinks = []
         for task in tasks:
-            for link in classes:
-                if link in task and task[link] is not None:
-                    # we don't support case when there are many storage links in duplicated tasks
-                    if source is not None:
-                        source = None
-                        break
-                    source = (
-                        task,
-                        classes[link],
-                        task[link],
-                    )  # last arg is a storage link id
+            if _get_storagelink(task):
+                tasks_with_storagelinks.append(task)
+            else:
+                tasks_without_storagelinks.append(task)
 
         # add storage links to duplicates
-        if source:
-            storage_link_class = source[1]  # get link name
-            for task in tasks:
-                if task['id'] != source[0]['id']:
-                    # get already existing StorageLink
-                    link_instance = storage_link_class.objects.get(id=source[2])
-
-                    # assign existing StorageLink to other duplicated tasks
-                    link = storage_link_class(
-                        task_id=task['id'],
-                        key=link_instance.key,
-                        row_index=link_instance.row_index,
-                        row_group=link_instance.row_group,
-                        storage=link_instance.storage,
-                    )
-                    link.save()
-                    total_restored_links += 1
-                    logger.info(f"Restored storage link for task {task['id']} from source task {source[0]['id']}")
+        if tasks_with_storagelinks:
+            # we don't support case when there are many storage links in duplicated tasks
+            storage_link_class, storage_link_id = _get_storagelink(tasks_with_storagelinks[0])
+            # get already existing StorageLink
+            link_instance = storage_link_class.objects.get(id=storage_link_id)
+
+            for task in tasks_without_storagelinks:
+                # assign existing StorageLink to other duplicated tasks
+                link = storage_link_class(
+                    task_id=task['id'],
+                    key=link_instance.key,
+                    row_index=link_instance.row_index,
+                    row_group=link_instance.row_group,
+                    storage=link_instance.storage,
+                )
+                link.save()
+                total_restored_links += 1
+                logger.info(
+                    f"Restored storage link for task {task['id']} from source task {tasks_with_storagelinks[0]['id']}"
+                )
 
     logger.info(f'Restored {total_restored_links} storage links for duplicated tasks')
 

label_studio/data_manager/actions/remove_duplicates.py

@@ -3201,6 +3201,33 @@
       "version": 3,
       "deleted": false
     },
+    "fflag_feat_utc_46_session_timeout_policy": {
+      "key": "fflag_feat_utc_46_session_timeout_policy",
+      "on": false,
+      "prerequisites": [],
+      "targets": [],
+      "contextTargets": [],
+      "rules": [],
+      "fallthrough": {
+        "variation": 0
+      },
+      "offVariation": 1,
+      "variations": [
+        true,
+        false
+      ],
+      "clientSideAvailability": {
+        "usingMobileKey": false,
+        "usingEnvironmentId": false
+      },
+      "clientSide": false,
+      "salt": "be7ce7b1242a4e82a5c1239d8a4f7195",
+      "trackEvents": false,
+      "trackEventsFallthrough": false,
+      "debugEventsUntilDate": null,
+      "version": 2,
+      "deleted": false
+    },
     "fflag_feature_all_optic_1421_cold_start_v2": {
       "key": "fflag_feature_all_optic_1421_cold_start_v2",
       "on": false,
@@ -3225,7 +3252,7 @@
       "trackEvents": false,
       "trackEventsFallthrough": false,
       "debugEventsUntilDate": null,
-      "version": 2,
+      "version": 4,
       "deleted": false
     },
     "fflag_feature_all_optic_1541_performance_score_on_latest_review_short": {
@@ -4403,6 +4430,33 @@
       "version": 8,
       "deleted": false
     },
+    "fflag_root_13_annotation_results_filtering": {
+      "key": "fflag_root_13_annotation_results_filtering",
+      "on": false,
+      "prerequisites": [],
+      "targets": [],
+      "contextTargets": [],
+      "rules": [],
+      "fallthrough": {
+        "variation": 0
+      },
+      "offVariation": 1,
+      "variations": [
+        true,
+        false
+      ],
+      "clientSideAvailability": {
+        "usingMobileKey": false,
+        "usingEnvironmentId": false
+      },
+      "clientSide": false,
+      "salt": "4ab31fe3b28f4abd90ac0558b7d41584",
+      "trackEvents": false,
+      "trackEventsFallthrough": false,
+      "debugEventsUntilDate": null,
+      "version": 2,
+      "deleted": false
+    },
     "fix_backend_dev_3134_exclude_deactivated_users": {
       "key": "fix_backend_dev_3134_exclude_deactivated_users",
       "on": false,

label_studio/feature_flags.json

@@ -141,10 +141,18 @@ def test_action_remove_duplicates(business_client, project_id, storage_model, li
     link_model.objects.create(task=task4, key='duplicated.jpg', storage=storage)
 
     # task 5: add a non-duplicated task using the same key, ensuring multiple tasks in the same key don't interfere
-    task_data = {'data': {'image': 'normal2.jpg'}}
-    task5 = make_task(task_data, project)
+    different_task_data = {'data': {'image': 'normal2.jpg'}}
+    task5 = make_task(different_task_data, project)
     link_model.objects.create(task=task5, key='duplicated.jpg', row_index=1, storage=storage)
 
+    # task 6: add duplicated task with a different storage link
+    task6 = make_task(task_data, project)
+    link_model.objects.create(task=task6, key='duplicated2.jpg', storage=storage)
+
+    # task 7: add duplicated task with a different storage link
+    task7 = make_task(task_data, project)
+    link_model.objects.create(task=task7, key='duplicated3.jpg', storage=storage)
+
     # call the "remove duplicated tasks" action
     status = business_client.post(
         f'/api/dm/actions?project={project_id}&id=remove_duplicates',

label_studio/tests/data_manager/test_api_actions.py

@@ -19,6 +19,7 @@ stages:
       method: POST
       json:
         url: "http://127.0.0.1:6666/webhook"
+        project: "{configured_project.id}"
         headers:
           Autorization: "Token 66666666666666666666666"
           Security: "123123123123123"
@@ -35,7 +36,7 @@ stages:
       status_code: 200
       json:
         id: !int "{webhook_id}"
-        project: null
+        project: !int "{configured_project.id}"
         actions: !anylist
         created_at: !anystr
         updated_at: !anystr