From 1910d51d66adaac34b57e62ba63043fc5bb40d58 Mon Sep 17 00:00:00 2001
From: Daisie Huang
Date: Wed, 13 Nov 2024 10:55:11 -0800
Subject: [PATCH 1/4] Update requirements.txt
---
 requirements.txt | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/requirements.txt b/requirements.txt
index 6e54c755..fb19615b 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -14,3 +14,6 @@ psycopg2-binary
 watchdog~=4.0.0
 gunicorn>=23.0.0
 uvicorn[standard]==0.30.6
+werkzeug>=3.1.0 # not directly required, pinned by Snyk to avoid a vulnerability
+zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability
+urllib3>=2.2.2 # not directly required, pinned by Snyk to avoid a vulnerability

From 154b4f400fea0881f7a5feb6bb349a673c897326 Mon Sep 17 00:00:00 2001
From: Daisie Huang
Date: Tue, 19 Nov 2024 16:05:14 -0800
Subject: [PATCH 2/4] should return all if request is from query
---
 htsget_server/drs_operations.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htsget_server/drs_operations.py b/htsget_server/drs_operations.py
index 67bfd68b..a3b5423e 100644
--- a/htsget_server/drs_operations.py
+++ b/htsget_server/drs_operations.py
@@ -118,7 +118,7 @@ def list_cohorts():
 if cohorts is None:
 return [], 404
 try:
- if authz.is_site_admin(connexion.request):
+ if authz.is_site_admin(connexion.request) or authz.request_is_from_query(connexion.request):
 return list(map(lambda x: x['id'], cohorts)), 200
 authorized_cohorts = authz.get_authorized_cohorts(connexion.request)
 return list(set(map(lambda x: x['id'], cohorts)).intersection(set(authorized_cohorts))), 200

From 303d72656b7f1a29801326b560257fcb920a80b5 Mon Sep 17 00:00:00 2001
From: fnguyen
Date: Wed, 20 Nov 2024 10:06:49 -0500
Subject: [PATCH 3/4] Also add it for the get_cohort endpoint
---
 htsget_server/drs_operations.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htsget_server/drs_operations.py b/htsget_server/drs_operations.py
index a3b5423e..73a66090 100644
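Review bot: The new `or authz.request_is_from_query(connexion.request)` branch in list_cohorts returns every cohort id without consulting get_authorized_cohorts, so the unfiltered list is now gated solely by how request_is_from_query classifies the caller; that helper's implementation is not in this series, and if it keys on something the client controls (a header or origin value rather than a verified credential) any caller can obtain the full list. The same branch is added to get_cohort in the third patch, where it likewise short-circuits is_cohort_authorized. Both sites should state the trust assumption in a comment, e.g. `# the query service is trusted: request_is_from_query must verify the caller, not merely a marker header`, and a test should cover a request that carries the query marker but no valid credential. list_cohorts's body continues outside the hunk; the except clause that closes this try is not shown.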
--- a/htsget_server/drs_operations.py
+++ b/htsget_server/drs_operations.py
@@ -138,7 +138,7 @@ def get_cohort(cohort_id):
 new_cohort = database.get_cohort(cohort_id)
 if new_cohort is None:
 return {"message": "No matching cohort found"}, 404
- if authz.is_cohort_authorized(connexion.request, cohort_id):
+ if authz.is_cohort_authorized(connexion.request, cohort_id) or authz.request_is_from_query(connexion.request):
 return new_cohort, 200
 return {"message": f"Not authorized to access cohort {cohort_id}"}, 403

From dd0b27720d7b413f19e1efff72434d04c54f814d Mon Sep 17 00:00:00 2001
From: fnguyen
Date: Wed, 20 Nov 2024 10:06:59 -0500
Subject: [PATCH 4/4] Prevent is_cohort_authorized from 500ing when given a request with no Auth (e.g. through integration tests)
---
 htsget_server/authz.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/htsget_server/authz.py b/htsget_server/authz.py
index 58ebc2dc..bf0e062b 100644
--- a/htsget_server/authz.py
+++ b/htsget_server/authz.py
@@ -66,6 +66,8 @@ def is_cohort_authorized(request, cohort_id):
 return True
 if request_is_from_ingest(req):
 return True
+ if not "Authorization" in request.headers:
+ return False
 return authx.auth.is_action_allowed_for_program(authx.auth.get_auth_token(req), method=req.method, path=req.path, program=cohort_id)
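Review bot: The added guard reads `request.headers` while every other line of is_cohort_authorized in this hunk uses `req` (`request_is_from_ingest(req)`, `get_auth_token(req)`, `req.method`); unless `req` is simply an alias assigned above the hunk, the new check inspects a different object than the token lookup it is meant to protect, and either way one name should be used consistently. The idiomatic spelling is `if "Authorization" not in request.headers:` rather than `if not ... in`. Returning False here also changes get_cohort from the previous patch: an unauthenticated request no longer fails with a 500 but falls through to `authz.request_is_from_query`, so whether it receives a 200 or a 403 now rests entirely on that helper, which deserves a comment at this line, e.g. `# no credential: deny here; callers may still admit trusted internal requests on their own check`. The start of is_cohort_authorized, including the earlier early-return checks, lies outside the hunk.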