v3.0.0: Site roles, program authz, user authz

.github/workflows/test.yml

@@ -0,0 +1,23 @@
+name: Github Actions Test
+
+on: [push]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.12"]
+    env:
+      CANDIG_URL: "http://localhost"
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Build Docker image
+        run: docker image build --build-arg venv_python=${{ matrix.python-version }} --iidfile image.txt .
+      - name: Test with pytest
+        run: docker run `cat image.txt`

.gitignore

@@ -7,4 +7,5 @@
 .pytest_cache
 */__pycache__
 */*/__pycache__
-permissions_engine/data.json
+permissions_engine/data.json
+image.txt

Dockerfile

@@ -28,6 +28,10 @@ USER candig
 
 WORKDIR /app/
 
+RUN curl -L -o opa https://openpolicyagent.org/downloads/v0.63.0/opa_linux_amd64_static
+
+RUN chmod 755 ./opa
+
 RUN touch /app/initial_setup
 
-ENTRYPOINT ["bash", "/app/entrypoint.sh"]
+ENTRYPOINT pytest

README.md

@@ -1,5 +1,22 @@
-# Open Policy Agent for CanDIGv2
+CanDIG uses Opa as the policy authorization engine. Its policies are defined in [permissions_engine](permissions_engine)
+The User is defined in the jwt presented in the authorization header.
 
-This is the implementation of [OPA](https://www.openpolicyagent.org/) for CanDIGv2. The OPA service provides a unified policy engine across CanDIG services.
+Interactions with the IdP are handled by rego code in [idp.rego](permissions_engine/idp.rego). This fetches
+the appropriate endpoints from the IdP's `openid_configuration` service, then queries
+`introspection` on the token and gets the users `userinfo`. The user is decoded and verified at the `/idp` endpoints.
 
-Opa can be tested as part of the CanDIGv2 stack: from the CanDIGv2 repo directory, run `pytest etc/tests`.
+Interactions with Vault are handled by [vault.rego](permissions_engine/vault.rego). Secrets stored in the opa's service store are retrieved here.
+
+Authorization to endpoints in the OPA service itself is defined in [authz.rego](permissions_engine/authz.rego).
+
+* Token-based auth: There are two api tokens defined: the root token allows any path to be accessed, while the service token only allows the `permissions/datasets` and `permissions/allowed` endpoints to be viewed.
+
+* Role-based auth: Roles for the site are defined in the format given in [site_roles.json](defaults/site_roles.json). if the User is defined as a site admin, they are allowed to view any endpoint. Other site-based roles can be similarly defined.
+
+* Endpoint-based auth: Any service can use the `/service/verified` endpoint. Other specific endpoints can be similarly allowed.
+
+* Program-based and user-based authorizations are defined at the `permissions` path: For a given User and the method of accessing a service (method, path), the `/permissions/datasets` endpoint returns the list of programs that user is allowed to access for that method/path, while the `/permissions/allowed` endpoint returns True if either the user is a site admin or the user is allowed to access that method/path. The following two types of authorizations are available:
+
+  * Authorizations for roles in particular programs: users defined as team_members for a program are allowed to access the read paths specified in [paths.json](defaults/paths.json), while users defined as program_curators are allowed to access the curate and delete paths. Note: read and curate paths are separately allowed: if a user should be allowed to both read and curate, they should be in both the team_members and program_curators groups. Program authorizations can be created, edited, and deleted through the ingest microservice. Default test examples can be found in [programs.json](defaults/programs.json).
+
+  * Users can also be specifically authorized to read data for a particular program through a data access authorization. User Read authorizations can be created, edited, and revoked through the ingest microservice.

defaults/paths.json

@@ -0,0 +1,41 @@
+{
+    "paths": {
+        "read": {
+            "get": [
+                "/v2/discovery/?.*",
+                "/v2/authorized/?.*",
+                "/htsget/v1/variants/?.*",
+                "/htsget/v1/variants/search",
+                "/htsget/v1/reads/?.*",
+                "/htsget/v1/samples/?.*",
+                "/ga4gh/drs/v1/objects/?.*",
+                "/ga4gh/drs/v1/cohorts/?.*",
+                "/ga4gh/drs/v1/cohorts/?.*/status",
+                "/beacon/v2/g_variants/?.*"
+            ],
+            "post": [
+                "/htsget/v1/variants/search",
+                "/htsget/v1/samples",
+                "/beacon/v2/g_variants"
+            ]
+        },
+        "curate": {
+            "get": [
+                "/htsget/v1/variants/?.*/index",
+                "/htsget/v1/variants/?.*/verify",
+                "/htsget/v1/reads/?.*/index",
+                "/htsget/v1/reads/?.*/verify"
+            ],
+            "post": [
+                "/ingest/?.*",
+                "/ga4gh/drs/v1/?.*",
+                "/v2/ingest/?.*"
+            ],
+            "delete": [
+                "/ingest/?.*",
+                "/ga4gh/drs/v1/?.*",
+                "/v2/ingest/?.*"
+            ]
+        }
+    }
+}

defaults/programs.json

@@ -0,0 +1,14 @@
+{
+    "SYNTHETIC-1": {
+        "program_id": "SYNTHETIC-1",
+        "program_curators": ["USER1"],
+        "team_members": ["USER1"],
+        "date_created": "2020-01-01"
+    },
+    "SYNTHETIC-2": {
+        "program_id": "SYNTHETIC-2",
+        "program_curators": ["USER2"],
+        "team_members": ["USER2"],
+        "date_created": "2020-03-01"
+    }
+}

defaults/site_roles.json

@@ -0,0 +1,17 @@
+{
+    "site_roles": {
+        "admin": [
+            "SITE_ADMIN_USER"
+        ],
+        "curator": [
+        ],
+        "local_team": [
+            "USER1"
+        ],
+        "mohccn_network": [
+            "USER1",
+            "USER2"
+        ]
+    }
+}
+

entrypoint.sh

@@ -3,18 +3,28 @@
 set -Euo pipefail
 
 OPA_ROOT_TOKEN=$(cat /run/secrets/opa-root-token)
+OPA_SERVICE_TOKEN=$(cat /run/secrets/opa-service-token)
+SITE_ADMIN_USER=$(cat /run/secrets/site_admin_name)
+USER1=$(cat /run/secrets/user1_name)
+USER2=$(cat /run/secrets/user2_name)
 
 if [[ -f "/app/initial_setup" ]]; then
-    sed -i s/CLIENT_ID/$KEYCLOAK_CLIENT_ID/ /app/permissions_engine/idp.rego && sed -i s/CLIENT_ID/$KEYCLOAK_CLIENT_ID/ /app/permissions_engine/authz.rego
-    sed -i s/OPA_SITE_ADMIN_KEY/$OPA_SITE_ADMIN_KEY/ /app/permissions_engine/idp.rego && sed -i s/OPA_SITE_ADMIN_KEY/$OPA_SITE_ADMIN_KEY/ /app/permissions_engine/authz.rego
+    # set up our default values
+    sed -i s/CANDIG_USER_KEY/$CANDIG_USER_KEY/ /app/permissions_engine/idp.rego
 
-    OPA_SERVICE_TOKEN=$(cat /run/secrets/opa-service-token)
-    sed -i s/OPA_SERVICE_TOKEN/$OPA_SERVICE_TOKEN/ /app/permissions_engine/authz.rego
+    # set up default users in default jsons:
+    sed -i s/SITE_ADMIN_USER/$SITE_ADMIN_USER/ /app/defaults/site_roles.json
+    sed -i s/USER1/$USER1/ /app/defaults/site_roles.json
+    sed -i s/USER2/$USER2/ /app/defaults/site_roles.json
+    sed -i s/SITE_ADMIN_USER/$SITE_ADMIN_USER/ /app/defaults/programs.json
+    sed -i s/USER1/$USER1/ /app/defaults/programs.json
+    sed -i s/USER2/$USER2/ /app/defaults/programs.json
 
+    sed -i s/OPA_SERVICE_TOKEN/$OPA_SERVICE_TOKEN/ /app/permissions_engine/authz.rego
     sed -i s/OPA_ROOT_TOKEN/$OPA_ROOT_TOKEN/ /app/permissions_engine/authz.rego
 
-    sed -i s@VAULT_URL@$VAULT_URL@ /app/permissions_engine/authz.rego
-    sed -i s@VAULT_URL@$VAULT_URL@ /app/permissions_engine/service.rego
+    # set up vault URL
+    sed -i s@VAULT_URL@$VAULT_URL@ /app/permissions_engine/vault.rego
 
     echo "initializing stores"
     python3 /app/initialize_vault_store.py

healthcheck.py

@@ -1,52 +1,21 @@
-import json
 import os
-import re
 import sys
-import uuid
-from http import HTTPStatus
-from pathlib import Path
-import datetime
 import requests
 
-keycloak_url = os.environ.get('KEYCLOAK_PUBLIC_URL')
+opa_url = os.environ.get('OPA_URL')
 
-# Read Docker secrets
-with open("/run/secrets/client_secret") as f:
-    client_secret = f.read().strip()
-
-with open("/run/secrets/password") as f:
-    password = f.read().strip()
-
-def get_token(username=None, password=None, client_id=None, client_secret=None):
-    payload = {
-        "client_id": client_id,
-        "client_secret": client_secret,
-        "grant_type": "password",
-        "username": username,
-        "password": password,
-        "scope": "openid",
-    }
-    response = requests.post(
-        f"{keycloak_url}/auth/realms/candig/protocol/openid-connect/token",
-        data=payload,
-    )
-    if response.status_code == 200:
-        return response.json()["access_token"]
 
 def perform_healthcheck():
-    auth_token = get_token(username="user2", password=password, client_id="local_candig", client_secret=client_secret)
-    headers = {"Authorization": f"Bearer {auth_token}"}
-    url = os.environ.get('OPA_URL')
-
     try:
-        response = requests.get(url, headers=headers)
+        response = requests.get(f"{opa_url}/v1/data/service/service-info")
         response.raise_for_status()
         print("Health check passed!")
         return True
     except requests.exceptions.RequestException as e:
         print(f"Health check failed: {e}")
         return False
 
+
 if __name__ == "__main__":
     health_status = perform_healthcheck()
     if not health_status:

initialize_vault_store.py

@@ -1,9 +1,9 @@
 import json
 import os
-from authx.auth import set_service_store_secret, add_provider_to_opa
+from authx.auth import get_service_store_secret, set_service_store_secret, add_provider_to_opa, add_program_to_opa
 import sys
 
-## Initializes Vault's opa service store with the information for our IDP and the data in access.json and paths.json
+## Initializes Vault's opa service store with the information for our IDP and the data in site_roles.json, paths.json, programs.json
 
 results = []
 
@@ -18,22 +18,37 @@
             print(str(e))
             sys.exit(1)
 
-    with open('/app/permissions_engine/access.json') as f:
+    with open('/app/defaults/paths.json') as f:
         data = f.read()
-        response, status_code = set_service_store_secret("opa", key="access", value=data)
+        response, status_code = set_service_store_secret("opa", key="paths", value=data)
         if status_code != 200:
-            sys.exit(2)
+            sys.exit(3)
         results.append(response)
 
-    with open('/app/permissions_engine/paths.json') as f:
+    with open('/app/defaults/site_roles.json') as f:
         data = f.read()
-        response, status_code = set_service_store_secret("opa", key="paths", value=data)
+        response, status_code = set_service_store_secret("opa", key="site_roles", value=data)
         if status_code != 200:
-            sys.exit(3)
+            sys.exit(2)
         results.append(response)
+
+    with open('/app/defaults/programs.json') as f:
+        programs = json.load(f)
+        for program in programs:
+            response, status_code = add_program_to_opa(programs[program])
+            if status_code != 200:
+                sys.exit(2)
+            results.append(response)
 except Exception as e:
     print(str(e))
     sys.exit(4)
 
+# initialize pending users
+response, status_code = get_service_store_secret("opa", key="pending_users")
+if status_code == 404:
+    response, status_code = set_service_store_secret("opa", key="pending_users", value=json.dumps({"pending_users": {}}))
+    if status_code != 200:
+        sys.exit(2)
+
 # print(json.dumps(results, indent=4))
 sys.exit(0)