Skip to content

Commit

Permalink
consolidate authz to has_full_authz
Browse files Browse the repository at this point in the history
  • Loading branch information
daisieh committed Dec 2, 2024
1 parent 8d74618 commit be5f3e8
Show file tree
Hide file tree
Showing 3 changed files with 20 additions and 27 deletions.
25 changes: 13 additions & 12 deletions htsget_server/authz.py
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ def __init__(self, headers, method, path):


def is_testing(request):
if request.headers.get("Authorization") == f"Bearer {TEST_KEY}":
if "Authorization" in request.headers and request.headers["Authorization"] == f"Bearer {TEST_KEY}":
logger.warning("TEST MODE, AUTHORIZATION IS DISABLED")
return True

Expand All @@ -34,9 +34,7 @@ def is_authed(id_, request):
return 401
if is_testing(request):
return 200 # no auth
if request_is_from_ingest(request):
return 200
if request_is_from_query(request):
if has_full_authz(request):
return 200
if "Authorization" in request.headers:
obj = database.get_drs_object(id_)
Expand All @@ -51,10 +49,13 @@ def is_authed(id_, request):


def get_authorized_programs(request):
if is_testing(request):
req = AuthzRequest(request.headers, request.method, request.url.path)
if has_full_authz(req):
return database.list_programs()
if is_testing(req):
return ["test-htsget"]
try:
return authx.auth.get_opa_datasets(AuthzRequest(request.headers, request.method, request.url.path))
return authx.auth.get_opa_datasets(req)
except Exception as e:
logger.warning(f"Couldn't authorize programs: {type(e)} {str(e)}")
return []
Expand All @@ -64,26 +65,26 @@ def is_program_authorized(request, program_id):
req = AuthzRequest(request.headers, request.method, request.url.path)
if is_testing(req):
return True
if request_is_from_ingest(req):
if has_full_authz(req):
return True
if not "Authorization" in request.headers:
return False
return authx.auth.is_action_allowed_for_program(authx.auth.get_auth_token(req), method=req.method, path=req.path, program=program_id)


def is_site_admin(request):
def has_full_authz(request):
"""
Is the user associated with the token a site admin?
Is the user associated with the token a site admin? Alternately, is this request from query or ingest?
"""
if is_testing(request):
return True
if request_is_from_ingest(request):
if request_is_from_ingest(request) or request_is_from_query(request):
return True
if "Authorization" in request.headers:
try:
return authx.auth.is_site_admin(AuthzRequest(request.headers, request.method, request.url.path))
return authx.auth.has_full_authz(AuthzRequest(request.headers, request.method, request.url.path))
except Exception as e:
logger.warning(f"Couldn't authorize site_admin: {type(e)} {str(e)}")
logger.warning(f"Couldn't authorize for full access: {type(e)} {str(e)}")
return False
return False

Expand Down
4 changes: 2 additions & 2 deletions htsget_server/drs_operations.py
Original file line number Diff line number Diff line change
Expand Up @@ -118,7 +118,7 @@ def list_programs():
if programs is None:
return [], 404
try:
if authz.is_site_admin(connexion.request) or authz.request_is_from_query(connexion.request):
if authz.has_full_authz(connexion.request):
return list(map(lambda x: x['id'], programs)), 200
authorized_programs = authz.get_authorized_programs(connexion.request)
return list(set(map(lambda x: x['id'], programs)).intersection(set(authorized_programs))), 200
Expand All @@ -138,7 +138,7 @@ def get_program(program_id):
new_program = database.get_program(program_id)
if new_program is None:
return {"message": "No matching program found"}, 404
if authz.is_program_authorized(connexion.request, program_id) or authz.request_is_from_query(connexion.request):
if authz.is_program_authorized(connexion.request, program_id):
return new_program, 200
return {"message": f"Not authorized to access program {program_id}"}, 403

Expand Down
18 changes: 5 additions & 13 deletions htsget_server/htsget_operations.py
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,7 @@ def get_reads_data(id_, reference_name=None, format_="bam", start=None, end=None

@app.route('/reads/<path:id_>/index')
def index_reads(id_=None):
if not authz.is_site_admin(connexion.request):
if not authz.has_full_authz(connexion.request):
return {"message": "User is not authorized to index reads"}, 403
if id_ is not None:
# check that there is a database drs object for this:
Expand Down Expand Up @@ -184,7 +184,7 @@ def verify_variants_genomic_drs_object(id_):

@app.route('/variants/<path:id_>/index')
def index_variants(id_=None, force=False, do_not_index=False, genome='hg38'):
if not authz.is_site_admin(connexion.request):
if not authz.has_full_authz(connexion.request):
return {"message": "User is not authorized to index variants"}, 403
if id_ is not None:
# check that there is a database drs object for this:
Expand Down Expand Up @@ -301,18 +301,10 @@ def _get_samples(samples):
if res["program"] not in samples_by_program:
samples_by_program[res["program"]] = []
samples_by_program[res["program"]].append(res)
if authz.is_testing(connexion.request):
for program in samples_by_program:
authz_programs = authz.get_authorized_programs(connexion.request)
for program in authz_programs:
if program in samples_by_program:
result.extend(samples_by_program[program])
else:
if authz.request_is_from_query(connexion.request) or authz.request_is_from_ingest(connexion.request):
for program in samples_by_program:
result.extend(samples_by_program[program])
else:
authz_programs = authz.get_authorized_programs(connexion.request)
for program in authz_programs:
if program in samples_by_program:
result.extend(samples_by_program[program])
return result


Expand Down

0 comments on commit be5f3e8

Please sign in to comment.