Merge pull request #311 from CanDIG/daisieh/no-service-token

Don't pass in OPA_SECRET anymore
CanDIG · May 28, 2024 · bf50265 · bf50265
2 parents 3423c92 + 14d9270
commit bf50265
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 7 deletions.
diff --git a/config.ini b/config.ini
@@ -10,6 +10,5 @@ DBPath = sqlite:///./data/files.db
 PGPath = postgresql+psycopg2://<POSTGRES_USERNAME>:PASSWORD@HOST:5432/genomic
 
 [authz]
-CANDIG_OPA_SECRET = <CANDIG_OPA_SECRET>
 CANDIG_OPA_URL = <OPA_URL>
 CANDIG_VAULT_URL = <VAULT_URL>
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -2,12 +2,10 @@
 
 set -Euo pipefail
 
-export OPA_SECRET=$(cat /run/secrets/opa-service-token)
 export VAULT_URL=$VAULT_URL
 export AGGREGATE_COUNT_THRESHOLD=$AGGREGATE_COUNT_THRESHOLD
 
 if [[ -f "initial_setup" ]]; then
-    sed -i s@\<CANDIG_OPA_SECRET\>@$OPA_SECRET@ config.ini
     sed -i s@\<OPA_URL\>@$OPA_URL@ config.ini
     sed -i s@\<VAULT_URL\>@$VAULT_URL@ config.ini
     sed -i s@\<AGGREGATE_COUNT_THRESHOLD\>@$AGGREGATE_COUNT_THRESHOLD@ config.ini

diff --git a/htsget_server/authz.py b/htsget_server/authz.py
@@ -37,7 +37,7 @@ def get_authorized_cohorts(request):
     if is_testing(request):
         return []
     try:
-        return authx.auth.get_opa_datasets(request, admin_secret=AUTHZ['CANDIG_OPA_SECRET'])
+        return authx.auth.get_opa_datasets(request)
     except Exception as e:
         print(f"Couldn't authorize cohorts: {type(e)} {str(e)}")
         app.logger.warning(f"Couldn't authorize cohorts: {type(e)} {str(e)}")
@@ -47,7 +47,7 @@ def get_authorized_cohorts(request):
 def is_cohort_authorized(request, cohort_id):
     if is_testing(request):
         return True
-    return authx.auth.is_action_allowed_for_program(authx.auth.get_auth_token(request), method=request.method, path=request.path, program=cohort_id, admin_secret=AUTHZ['CANDIG_OPA_SECRET'])
+    return authx.auth.is_action_allowed_for_program(authx.auth.get_auth_token(request), method=request.method, path=request.path, program=cohort_id)
 
 
 def is_site_admin(request):
@@ -58,7 +58,7 @@ def is_site_admin(request):
         return True
     if "Authorization" in request.headers:
         try:
-            return authx.auth.is_site_admin(request, admin_secret=AUTHZ['CANDIG_OPA_SECRET'])
+            return authx.auth.is_site_admin(request)
         except Exception as e:
             print(f"Couldn't authorize site_admin: {type(e)} {str(e)}")
             app.logger.warning(f"Couldn't authorize site_admin: {type(e)} {str(e)}")

diff --git a/requirements.txt b/requirements.txt
@@ -5,7 +5,7 @@ pysam==0.22.0
 sqlalchemy==1.4.44
 connexion==2.14.1
 MarkupSafe==2.1.1
-candigv2-authx@git+https://github.com/CanDIG/[email protected].1
+candigv2-authx@git+https://github.com/CanDIG/[email protected].2
 pytest==7.2.0
 uwsgi==2.0.23
 connexion[swagger-ui]