From 3c89eb6287b7a2a1dddbd1c9a392a9a58272a54b Mon Sep 17 00:00:00 2001
From: David Lougheed
Date: Thu, 20 Jul 2023 15:50:46 -0400
Subject: [PATCH 1/3] fix: correct permissions for querying drs objects + downloading
---
 chord_drs/authz.py | 6 ++++--
 chord_drs/routes.py | 12 ++++++------
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/chord_drs/authz.py b/chord_drs/authz.py
index 95967af..0cd9310 100644
--- a/chord_drs/authz.py
+++ b/chord_drs/authz.py
@@ -4,7 +4,8 @@
 __all__ = [
 "authz_middleware",
 "PERMISSION_INGEST_DATA",
- "PERMISSION_VIEW_DATA",
+ "PERMISSION_QUERY_DATA",
+ "PERMISSION_DOWNLOAD_DATA",
 ]
 authz_middleware = FlaskAuthMiddleware(
@@ -14,4 +15,5 @@
 )
 PERMISSION_INGEST_DATA = "ingest:data"
-PERMISSION_VIEW_DATA = "view:data"
+PERMISSION_QUERY_DATA = "query:data"
+PERMISSION_DOWNLOAD_DATA = "download:data"
diff --git a/chord_drs/routes.py b/chord_drs/routes.py
index f8f94fe..9dd3185 100644
--- a/chord_drs/routes.py
+++ b/chord_drs/routes.py
@@ -18,7 +18,7 @@
 from werkzeug.exceptions import BadRequest, Forbidden, NotFound, InternalServerError
 from . import __version__
-from .authz import authz_middleware, PERMISSION_VIEW_DATA, PERMISSION_INGEST_DATA
+from .authz import authz_middleware, PERMISSION_INGEST_DATA, PERMISSION_QUERY_DATA, PERMISSION_DOWNLOAD_DATA
 from .constants import BENTO_SERVICE_KIND, SERVICE_NAME, SERVICE_TYPE
 from .data_sources import DATA_SOURCE_LOCAL, DATA_SOURCE_MINIO
 from .db import db
@@ -84,7 +84,7 @@ def check_objects_permission(drs_objs: list[DrsBlob | DrsBundle], permission: st
 })["result"]
-def fetch_and_check_object_permissions(object_id: str) -> tuple[DrsBlob | DrsBundle, bool]:
+def fetch_and_check_object_permissions(object_id: str, permission: str) -> tuple[DrsBlob | DrsBundle, bool]:
 view_data_everything = check_everything_permission(PERMISSION_VIEW_DATA)
 drs_object, is_bundle = get_drs_object(object_id)
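Review bot: As of this patch the first body line of `fetch_and_check_object_permissions` still calls `check_everything_permission(PERMISSION_VIEW_DATA)`, so the new `permission` argument is not used there, and the import hunk above no longer brings `PERMISSION_VIEW_DATA` into `routes.py`. Unless that name is defined elsewhere in the module, the object routes would raise `NameError` instead of reaching an authorization decision, both at this commit and at 2/3, which bumps the version to 0.12.1. PATCH 3/3 corrects both uses; folding it into this patch would keep every commit in the series, and the version-bump commit in particular, in a working state. The rest of the function body is outside the hunk.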
@@ -275,7 +275,7 @@ def get_drs_object(object_id: str) -> tuple[DrsBlob | DrsBundle | None, bool]:
 @drs_service.route("/objects/", methods=["GET"])
 @drs_service.route("/ga4gh/drs/v1/objects/", methods=["GET"])
 def object_info(object_id: str):
- drs_object, is_bundle = fetch_and_check_object_permissions(object_id)
+ drs_object, is_bundle = fetch_and_check_object_permissions(object_id, PERMISSION_QUERY_DATA)
 if is_bundle:
 expand: bool = str_to_bool(request.args.get("expand", ""))
@@ -289,7 +289,7 @@ def object_info(object_id: str):
 @drs_service.route("/objects//access/", methods=["GET"])
 @drs_service.route("/ga4gh/drs/v1/objects//access/", methods=["GET"])
 def object_access(object_id: str, access_id: str):
- fetch_and_check_object_permissions(object_id)
+ fetch_and_check_object_permissions(object_id, PERMISSION_QUERY_DATA)
 # We explicitly do not support access_id-based accesses; all of them will be 'not found'
 # since we don't provide access IDs
@@ -326,7 +326,7 @@ def object_search():
 raise BadRequest("Missing GET search terms (name | fuzzy_name | q)")
 # TODO: map objects to resources to avoid duplicate calls to same resource in check_objects_permission
- for obj, p in zip(objects, check_objects_permission(list(objects), PERMISSION_VIEW_DATA)):
+ for obj, p in zip(objects, check_objects_permission(list(objects), PERMISSION_QUERY_DATA)):
 if p:
 # Only include the blob in the search results if we have permissions to view it.
 response.append(build_blob_json(obj, internal_path))
@@ -340,7 +340,7 @@ def object_download(object_id: str):
 # TODO: Bundle download
- drs_object, is_bundle = fetch_and_check_object_permissions(object_id)
+ drs_object, is_bundle = fetch_and_check_object_permissions(object_id, PERMISSION_DOWNLOAD_DATA)
 if is_bundle:
 raise BadRequest("Bundle download is currently unsupported")
From 24b0fc8e78008e9f607e760e45281f880a69f779 Mon Sep 17 00:00:00 2001
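Review bot: In `object_search` the results are still built with `build_blob_json(obj, internal_path)` after only a `PERMISSION_QUERY_DATA` check; if `internal_path` makes the JSON include a storage location (its handling is outside the hunk), that output may belong behind `PERMISSION_DOWNLOAD_DATA` now that query and download are separate permissions. The changed line also pairs `objects` with the permission list purely by position while evaluating `objects` twice, once in `list(objects)` and once in the `zip`. Materialising it once with `objs = list(objects)` and iterating `zip(objs, check_objects_permission(objs, PERMISSION_QUERY_DATA), strict=True)` (Python 3.10+) would turn a length mismatch into an error rather than silent truncation. The comment under `if p:` still says "permissions to view it" and could say "query" to match the new constant.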
From: David Lougheed
Date: Thu, 20 Jul 2023 15:51:17 -0400
Subject: [PATCH 2/3] chore: bump version to 0.12.1
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index d5cf168..1ff5182 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "chord-drs"
-version = "0.12.0"
+version = "0.12.1"
 description = "An implementation of a data repository system (as per GA4GH's specs) for the Bento platform."
 authors = ["David Lougheed "]
 license = "LGPL-3.0"
From 46ca4918de770476033922118ed6a41dc5c944b6 Mon Sep 17 00:00:00 2001
From: David Lougheed
Date: Thu, 20 Jul 2023 15:54:56 -0400
Subject: [PATCH 3/3] oops
---
 chord_drs/routes.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/chord_drs/routes.py b/chord_drs/routes.py
index 9dd3185..97a9283 100644
--- a/chord_drs/routes.py
+++ b/chord_drs/routes.py
@@ -85,7 +85,7 @@ def check_objects_permission(drs_objs: list[DrsBlob | DrsBundle], permission: st
 def fetch_and_check_object_permissions(object_id: str, permission: str) -> tuple[DrsBlob | DrsBundle, bool]:
- view_data_everything = check_everything_permission(PERMISSION_VIEW_DATA)
+ view_data_everything = check_everything_permission(permission)
 drs_object, is_bundle = get_drs_object(object_id)
@@ -100,7 +100,7 @@ def fetch_and_check_object_permissions(object_id: str, permission: str) -> tuple
 # Good to go already!
 authz_middleware.mark_authz_done(request)
 else:
- p = check_objects_permission([drs_object], PERMISSION_VIEW_DATA)
+ p = check_objects_permission([drs_object], permission)
 authz_middleware.mark_authz_done(request)
 if not (p and p[0]):
 raise forbidden()
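Review bot: The local `view_data_everything` in `fetch_and_check_object_permissions` no longer describes what it holds, since it now carries the result for whichever `permission` the caller passes. A name such as `has_permission_on_everything` would read correctly for both the query and the download routes; its later uses are outside the hunk and would need the same rename. The function also has no docstring. Going by the two hunks, one could state that `permission` is checked first through `check_everything_permission` and otherwise against the single object through `check_objects_permission`, and that a failed object check raises `forbidden()`.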