diff --git a/htsget_server/authz.py b/htsget_server/authz.py
index 7fe8ae51..58162a39 100644
--- a/htsget_server/authz.py
+++ b/htsget_server/authz.py
@@ -15,15 +15,16 @@ def is_authed(id_, request):
 print("WARNING: TEST MODE, AUTHORIZATION IS DISABLED")
 app.logger.warning("WARNING: TEST MODE, AUTHORIZATION IS DISABLED")
 return 200 # no auth
- if is_site_admin(request):
- return 200
 if "Authorization" in request.headers:
 authed_datasets = get_authorized_datasets(request)
- obj = database.get_drs_object(id_)
- if obj is not None and 'datasets' in obj:
- for dataset in obj["datasets"]:
- if dataset in authed_datasets:
- return 200
+ if id_:
+ obj = database.get_drs_object(id_)
+ if obj is not None and 'datasets' in obj:
+ for dataset in obj["datasets"]:
+ if (dataset in authed_datasets) and (authx.auth.is_permissible(request)):
+ return 200
+ else:
+ if (authx.auth.is_permissible(request)): return 200
 else:
 return 401
 return 403
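Review bot: `if id_:` treats an empty string the same as `None`, so a request carrying an empty id skips the per-object dataset check and is decided by `authx.auth.is_permissible(request)` alone; `if id_ is not None:` keeps every supplied id on the object path, where a failed lookup falls through to 403. `is_permissible(request)` does not depend on `dataset`, so it can be evaluated once before the loop rather than once per dataset. Unlike the lookup in get_authorized_datasets, these calls are not wrapped in an exception handler, so a failure inside authx would presumably surface as an unhandled error instead of a 403. is_authed begins above this hunk, so any earlier returns are not visible here.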
@@ -38,30 +39,11 @@ def is_testing(request): def get_authorized_datasets(request): try: - return authx.auth.get_opa_datasets(request, opa_url=AUTHZ['CANDIG_OPA_URL'], admin_secret=AUTHZ['CANDIG_OPA_SECRET']) + return authx.auth.get_readable_datasets(request, opa_url=AUTHZ['CANDIG_OPA_URL'], admin_secret=AUTHZ['CANDIG_OPA_SECRET']) except Exception as e: print(f"Couldn't authorize datasets: {type(e)} {str(e)}") app.logger.warning(f"Couldn't authorize datasets: {type(e)} {str(e)}") return [] - -def is_site_admin(request): - """ - Is the user associated with the token a site admin? - """ - if request.headers.get("Authorization") == f"Bearer {TEST_KEY}": - print("WARNING: TEST MODE, AUTHORIZATION IS DISABLED") - app.logger.warning("WARNING: TEST MODE, AUTHORIZATION IS DISABLED") - return True # no auth - if "Authorization" in request.headers: - try: - return authx.auth.is_site_admin(request, opa_url=AUTHZ['CANDIG_OPA_URL'], admin_secret=AUTHZ['CANDIG_OPA_SECRET']) - except Exception as e: - print(f"Couldn't authorize site_admin: {type(e)} {str(e)}") - app.logger.warning(f"Couldn't authorize site_admin: {type(e)} {str(e)}") - return False - return False - - def get_s3_url(request, s3_endpoint=None, bucket=None, object_id=None, access_key=None, secret_key=None, region=None, public=False): return authx.auth.get_s3_url(request, s3_endpoint=s3_endpoint, bucket=bucket, object_id=object_id, access_key=access_key, secret_key=secret_key, region=region, public=public) diff --git a/htsget_server/database.py b/htsget_server/database.py index 5616e812..9d8818b3 100644 --- a/htsget_server/database.py +++ b/htsget_server/database.py @@ -10,7 +10,6 @@ ObjectDBBase = declarative_base() - ## Variant search entities ## relationships diff --git a/htsget_server/drs_operations.py b/htsget_server/drs_operations.py index 985c1970..d0b90ef0 100644 --- a/htsget_server/drs_operations.py +++ b/htsget_server/drs_operations.py 
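Review bot: get_authorized_datasets has no docstring stating which permission its list represents, and after this change it returns the result of `get_readable_datasets`, which by its name covers read access only. is_authed uses that list to gate delete_object and index_variants as well as reads, so the write paths appear to rely on is_permissible for the stronger check. A docstring such as `"""Return the datasets the caller may read; returns [] when the authx lookup fails."""` would make that contract explicit, and it is worth confirming that the write paths are meant to be covered this way. With is_site_admin deleted, any caller outside the files in this diff would fail at call time.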
@@ -88,7 +88,7 @@ def get_access_url(object_id, access_id): def post_object(): - if not authz.is_site_admin(request): + if not authz.is_authed(None, request): return {"message": "User is not authorized to POST"}, 403 new_object = database.create_drs_object(connexion.request.json) return new_object, 200 @@ -96,7 +96,7 @@ def post_object(): @app.route('/ga4gh/drs/v1/objects/') def delete_object(object_id): - if not authz.is_site_admin(request): + if not authz.is_authed(object_id, request): return {"message": "User is not authorized to POST"}, 403 try: new_object = database.delete_drs_object(escape(object_id)) @@ -110,8 +110,6 @@ def list_datasets(): if datasets is None: return [], 404 try: - if authz.is_site_admin(request): - return list(map(lambda x: x['id'], datasets)), 200 authorized_datasets = authz.get_authorized_datasets(request) return list(set(map(lambda x: x['id'], datasets)).intersection(set(authorized_datasets))), 200 except Exception as e: @@ -119,7 +117,7 @@ def list_datasets(): def post_dataset(): - if not authz.is_site_admin(request): + if not authz.is_authed(None, request): return {"message": "User is not authorized to POST"}, 403 new_dataset = database.create_dataset(connexion.request.json) return new_dataset, 200 @@ -129,8 +127,6 @@ def get_dataset(dataset_id): new_dataset = database.get_dataset(dataset_id) if new_dataset is None: return {"message": "No matching dataset found"}, 404 - if authz.is_site_admin(request): - return new_dataset, 200 authorized_datasets = authz.get_authorized_datasets(request) if new_dataset["id"] in authorized_datasets: return new_dataset, 200 @@ -138,7 +134,7 @@ def get_dataset(dataset_id): def delete_dataset(dataset_id): - if not authz.is_site_admin(request): + if not authz.is_authed(None, request): return {"message": "User is not authorized to POST"}, 403 try: new_dataset = database.delete_dataset(dataset_id) 
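Review bot: The guard `if not authz.is_authed(None, request):` in post_object can no longer reject a request. Every return visible in is_authed yields 200, 401 or 403, all truthy integers, whereas the is_site_admin it replaces returned a boolean, so the 403 branch is unreachable. Compare the status explicitly, for example `if authz.is_authed(None, request) != 200:`. The same pattern is introduced in delete_object, post_dataset and delete_dataset in this file and in index_variants in htsget_operations.py. A test that calls each handler without an Authorization header and expects a 4xx response would catch the regression.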
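Review bot: delete_object authorizes the raw `object_id` but deletes `escape(object_id)`, so the value that is checked and the value that is acted on can differ whenever escaping changes the string. Derive the identifier once, in whichever form the database layer expects, and pass that same variable to both `authz.is_authed` and `database.delete_drs_object`. The denial message still reads "User is not authorized to POST" although this is the delete handler; `"User is not authorized to DELETE"` would match. The function body continues past the end of the hunk.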
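Review bot: delete_dataset passes `None` instead of `dataset_id` to is_authed, so the decision rests only on `authx.auth.is_permissible(request)` and never looks at which dataset is being removed. If is_permissible is expected to scope the decision to the dataset named in the request, state that in a comment above the check, e.g. `# per-dataset scoping is delegated to authx.auth.is_permissible`; if it is not, an explicit per-dataset check is needed before `database.delete_dataset(dataset_id)`. post_dataset and post_object take the same id-less path. The function continues outside the hunk.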
diff --git a/htsget_server/htsget_operations.py b/htsget_server/htsget_operations.py index 6772d0ce..9d50345c 100644 --- a/htsget_server/htsget_operations.py +++ b/htsget_server/htsget_operations.py @@ -111,7 +111,7 @@ def get_variants_data(id_, reference_name=None, format_="VCF", start=None, end=N @app.route('/variants//index') def index_variants(id_=None, force=False, genome='hg38', genomic_id=None): - if not authz.is_site_admin(request): + if not authz.is_authed(id_, request): return {"message": "User is not authorized to index variants"}, 403 if id_ is not None: params = {"id": id_, "reference_genome": genome} diff --git a/htsget_server/server.py b/htsget_server/server.py index dcf9a43c..e1320d04 100644 --- a/htsget_server/server.py +++ b/htsget_server/server.py @@ -2,6 +2,7 @@ from flask_cors import CORS import connexion import logging +from sys import stdout from config import PORT, DEBUG_MODE # Create the application instance diff --git a/requirements.txt b/requirements.txt index c90925e9..05250d1c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -5,6 +5,6 @@ pysam==0.20.0 sqlalchemy==1.4.44 connexion==2.14.1 MarkupSafe==2.1.1 -candigv2-authx@git+https://github.com/CanDIG/candigv2-authx.git@v1.0.0 +candigv2-authx@git+https://github.com/CanDIG/candigv2-authx.git@new-auth-model pytest==7.2.0 uwsgi==2.0.21
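Review bot: `from sys import stdout` is added in server.py, but this is the only change to that file in the commit and nothing in it uses `stdout`. Either drop the import or include the logging handler setup it was meant for. The rest of the file is not visible here, so an existing use cannot be ruled out.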
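Review bot: The authorization library is now installed from the branch `new-auth-model`, a ref that moves with every push, where the previous line named the tag `v1.0.0`. Two builds of this same commit can therefore ship different authx code, and the code that makes the access decisions cannot be identified from this file. Pin to a release tag or a full commit hash before merging, e.g. `candigv2-authx@git+https://github.com/CanDIG/candigv2-authx.git@<full-commit-sha>` (placeholder value).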