From be5f3e8f0bd1024166e5884288dadab118f77c04 Mon Sep 17 00:00:00 2001
From: Daisie Huang
Date: Mon, 2 Dec 2024 11:55:51 -0800
Subject: [PATCH] consolidate authz to has_full_authz
---
 htsget_server/authz.py | 25 +++++++++++++------------
 htsget_server/drs_operations.py | 4 ++--
 htsget_server/htsget_operations.py | 18 +++++-------------
 3 files changed, 20 insertions(+), 27 deletions(-)
diff --git a/htsget_server/authz.py b/htsget_server/authz.py
index c4f135ce..8e231515 100644
--- a/htsget_server/authz.py
+++ b/htsget_server/authz.py
@@ -24,7 +24,7 @@ def __init__(self, headers, method, path):
 def is_testing(request):
- if request.headers.get("Authorization") == f"Bearer {TEST_KEY}":
+ if "Authorization" in request.headers and request.headers["Authorization"] == f"Bearer {TEST_KEY}":
 logger.warning("TEST MODE, AUTHORIZATION IS DISABLED")
 return True
@@ -34,9 +34,7 @@ def is_authed(id_, request):
 return 401
 if is_testing(request):
 return 200 # no auth
- if request_is_from_ingest(request):
- return 200
- if request_is_from_query(request):
+ if has_full_authz(request):
 return 200
 if "Authorization" in request.headers:
 obj = database.get_drs_object(id_)
@@ -51,10 +49,13 @@ def is_authed(id_, request):
 def get_authorized_programs(request):
- if is_testing(request):
+ req = AuthzRequest(request.headers, request.method, request.url.path)
+ if has_full_authz(req):
+ return database.list_programs()
+ if is_testing(req):
 return ["test-htsget"]
 try:
- return authx.auth.get_opa_datasets(AuthzRequest(request.headers, request.method, request.url.path))
+ return authx.auth.get_opa_datasets(req)
 except Exception as e:
 logger.warning(f"Couldn't authorize programs: {type(e)} {str(e)}")
 return []
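Review bot: The new condition in is_testing still compares the test bearer token with `==`, which returns as soon as one byte differs, and this comparison is the switch that disables authorization for the whole request. Prefer a constant-time check once the header is known to be present: `hmac.compare_digest(request.headers["Authorization"].encode(), f"Bearer {TEST_KEY}".encode())` (with `import hmac` added at the top of the file; encoding avoids the TypeError compare_digest raises on non-ASCII str). The membership-plus-index form behaves the same as the `.get()` it replaces for a dict-like headers object, so if the motivation is that some callers pass a headers object without `.get()` — has_full_authz and is_program_authorized pass an AuthzRequest into this function — a one-line comment saying so would stop the next reader from reverting it. The rest of is_testing lies outside the hunk.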
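Review bot: `has_full_authz(req)` in get_authorized_programs passes an AuthzRequest, but has_full_authz (hunk @@ -64 of this file) rebuilds `AuthzRequest(request.headers, request.method, request.url.path)` inside its try block; unless AuthzRequest exposes a `url` attribute (its constructor shown in the header takes `path`, and is_program_authorized reads `req.path`), that raises AttributeError whenever an Authorization header is present, which is logged and turned into False, so site admins silently lose the full-access path both here and in is_program_authorized. Consider normalizing at the top of has_full_authz, `req = request if isinstance(request, AuthzRequest) else AuthzRequest(request.headers, request.method, request.url.path)`, and passing `req` to authx. Because has_full_authz already returns True under is_testing, the `if is_testing(req): return ["test-htsget"]` branch that follows is now unreachable and can be dropped or the order swapped if the fixed test list is still wanted.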
@@ -64,26 +65,26 @@ def is_program_authorized(request, program_id):
 req = AuthzRequest(request.headers, request.method, request.url.path)
 if is_testing(req):
 return True
- if request_is_from_ingest(req):
+ if has_full_authz(req):
 return True
 if not "Authorization" in request.headers:
 return False
 return authx.auth.is_action_allowed_for_program(authx.auth.get_auth_token(req), method=req.method, path=req.path, program=program_id)
-def is_site_admin(request):
+def has_full_authz(request):
 """
- Is the user associated with the token a site admin?
+ Is the user associated with the token a site admin? Alternately, is this request from query or ingest?
 """
 if is_testing(request):
 return True
- if request_is_from_ingest(request):
+ if request_is_from_ingest(request) or request_is_from_query(request):
 return True
 if "Authorization" in request.headers:
 try:
- return authx.auth.is_site_admin(AuthzRequest(request.headers, request.method, request.url.path))
+ return authx.auth.has_full_authz(AuthzRequest(request.headers, request.method, request.url.path))
 except Exception as e:
- logger.warning(f"Couldn't authorize site_admin: {type(e)} {str(e)}")
+ logger.warning(f"Couldn't authorize for full access: {type(e)} {str(e)}")
 return False
 return False
diff --git a/htsget_server/drs_operations.py b/htsget_server/drs_operations.py
index f4911343..3822ac5f 100644
--- a/htsget_server/drs_operations.py
+++ b/htsget_server/drs_operations.py
@@ -118,7 +118,7 @@ def list_programs():
 if programs is None:
 return [], 404
 try:
- if authz.is_site_admin(connexion.request) or authz.request_is_from_query(connexion.request):
+ if authz.has_full_authz(connexion.request):
 return list(map(lambda x: x['id'], programs)), 200
 authorized_programs = authz.get_authorized_programs(connexion.request)
 return list(set(map(lambda x: x['id'], programs)).intersection(set(authorized_programs))), 200
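Review bot: The docstring on has_full_authz undersells what the function now decides: it also returns True under the test key, and any exception from authx is logged and treated as "not authorized". Suggest `Return True when the request comes from ingest or query, carries the test key, or holds a token that authx reports as fully authorized; authx failures are logged and fail closed.` The call `authx.auth.has_full_authz(...)` assumes the authx package exposes a function by that name, which this diff does not show; if authx still only has `is_site_admin`, every admin check will fail closed behind a warning instead of erroring loudly, so a test that exercises the admin path against the real authx would catch that. While is_program_authorized is being touched, the context line `if not "Authorization" in request.headers:` reads better as `if "Authorization" not in request.headers:`.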
@@ -138,7 +138,7 @@ def get_program(program_id):
 new_program = database.get_program(program_id)
 if new_program is None:
 return {"message": "No matching program found"}, 404
- if authz.is_program_authorized(connexion.request, program_id) or authz.request_is_from_query(connexion.request):
+ if authz.is_program_authorized(connexion.request, program_id):
 return new_program, 200
 return {"message": f"Not authorized to access program {program_id}"}, 403
diff --git a/htsget_server/htsget_operations.py b/htsget_server/htsget_operations.py
index 6aed5abb..f17b9227 100644
--- a/htsget_server/htsget_operations.py
+++ b/htsget_server/htsget_operations.py
@@ -116,7 +116,7 @@ def get_reads_data(id_, reference_name=None, format_="bam", start=None, end=None
 @app.route('/reads//index')
 def index_reads(id_=None):
- if not authz.is_site_admin(connexion.request):
+ if not authz.has_full_authz(connexion.request):
 return {"message": "User is not authorized to index reads"}, 403
 if id_ is not None:
 # check that there is a database drs object for this:
@@ -184,7 +184,7 @@ def verify_variants_genomic_drs_object(id_):
 @app.route('/variants//index')
 def index_variants(id_=None, force=False, do_not_index=False, genome='hg38'):
- if not authz.is_site_admin(connexion.request):
+ if not authz.has_full_authz(connexion.request):
 return {"message": "User is not authorized to index variants"}, 403
 if id_ is not None:
 # check that there is a database drs object for this:
@@ -301,18 +301,10 @@ def _get_samples(samples):
 if res["program"] not in samples_by_program:
 samples_by_program[res["program"]] = []
 samples_by_program[res["program"]].append(res)
- if authz.is_testing(connexion.request):
- for program in samples_by_program:
+ authz_programs = authz.get_authorized_programs(connexion.request)
+ for program in authz_programs:
+ if program in samples_by_program:
 result.extend(samples_by_program[program])
- else:
- if authz.request_is_from_query(connexion.request) or authz.request_is_from_ingest(connexion.request):
- for program in samples_by_program:
- result.extend(samples_by_program[program])
- else:
- authz_programs = authz.get_authorized_programs(connexion.request)
- for program in authz_programs:
- if program in samples_by_program:
- result.extend(samples_by_program[program])
 return result
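Review bot: The single `for program in authz_programs: if program in samples_by_program:` loop now serves every caller, so ingest, query, site-admin and test-key requests only see the programs that `get_authorized_programs` returns for them, which in this commit is `database.list_programs()`; `samples_by_program` is keyed by `res["program"]`, so this is correct only if list_programs() yields those same identifiers. In drs_operations.list_programs the program records are read through `x['id']`, which suggests they may be dicts rather than ids — if database.list_programs() returns such records, `program in samples_by_program` never matches and full-access callers get an empty result where the removed branches returned every sample. A test that an ingest or query request to _get_samples still returns all samples would pin this down, or get_authorized_programs could normalize at the source with `return [p['id'] for p in database.list_programs()]` if the records are dicts. _get_samples begins before this hunk.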