Merge pull request #52 from Pan-Canadian-Genome-Library/daisieh/daco

Add group DACO approvals

Author: daisieh

app/daemon.py

@@ -0,0 +1,11 @@
+import os
+import sys
+from src.auth import reload_comanage
+
+if __name__ == "__main__":
+    if os.path.isfile("/app/reload"):
+        print("reloading")
+        result, status_code = reload_comanage()
+        os.remove("/app/reload")
+        print(f"reloaded {status_code} {result}")
+    sys.exit(10)

app/daemon.sh

@@ -0,0 +1,3 @@
+until python daemon.py; do
+    sleep 5
+done

app/dev.entrypoint.sh

@@ -48,6 +48,8 @@ fi
 # make sure that our vault stores have the latest values
 python3 /app/refresh_stores.py
 
+# spin up daemon process
+bash /app/daemon.sh &
 
 # start server
 cd /app/src

app/entrypoint.sh

@@ -33,6 +33,8 @@ fi
 # make sure that our vault stores have the latest values
 python3 /app/refresh_stores.py
 
+# spin up daemon process
+bash /app/daemon.sh &
 
 # start server
 cd /app/src

app/src/auth.py

@@ -545,6 +545,7 @@ def list_authz_for_user(pcgl_id, service=SERVICE_NAME):
         if status_code == 200:
             result["groups"] = groups
         return result, status_code
+    return user_dict, status_code
 
 
 
@@ -765,6 +766,12 @@ def get_user_record(comanage_id=None, oidcsub=None, force=False, service=SERVICE
         for email in response.json()["EmailAddresses"]:
             if email["Mail"] not in emails and email["Verified"]:
                 emails.append({"address": email["Mail"], "type": email["Type"]})
+                # see if we have any DAC auths for this email address:
+                temp_user, status_code = get_service_store_secret(service, key=f"users/{email["Mail"]}")
+                if status_code == 200:
+                    for auth in temp_user["study_authorizations"]:
+                        user["study_authorizations"][auth] = temp_user["study_authorizations"][auth]
+                    delete_service_store_secret(service, key=f"users/{email["Mail"]}")
     user["emails"] = emails
 
     set_service_store_secret(service, key=f"users/{comanage_id}", value=json.dumps(user))

app/src/authz_openapi.yaml

@@ -185,6 +185,21 @@ paths:
         schema:
           type: string
         required: true
+    post:
+      summary: Add a DAC authorization for a study for a group of users
+      description: Authorize a study for a group of users (or update a study auth for a set of users)
+      operationId: authz_operations.authorize_study_for_users
+      security:
+      - bearerAuth: []
+      requestBody:
+        $ref: '#/components/requestBodies/StudyDACAuthorizationRequest'
+      responses:
+        200:
+          description: Success
+          content:
+            application/json:
+              schema:
+                type: object
     get:
       summary: Get authorization information for a study
       description: Get authorization information for a study
@@ -391,6 +406,11 @@ components:
         'application/json':
           schema:
             $ref: "#/components/schemas/StudyAuthorization"
+    StudyDACAuthorizationRequest:
+      content:
+        'application/json':
+          schema:
+            $ref: "#/components/schemas/StudyDACAuthorization"
     DACAuthorizationRequest:
       content:
         'application/json':
@@ -491,6 +511,22 @@ components:
         - study_id
         - start_date
         - end_date
+    StudyDACAuthorization:
+      type: object
+      description: a DAC approval for multiple users for the given study
+      properties:
+        user_emails:
+          type: array
+          items:
+            type: string
+        start_date:
+          type: string
+        end_date:
+          type: string
+      required:
+        - user_emails
+        - start_date
+        - end_date
     Action:
       type: object
       description: an action for which authorization is requested

app/src/authz_operations.py

@@ -209,6 +209,60 @@ async def add_study_authorization():
         return {"error": f"{type(e)} {str(e)}"}, 500
 
 
+@app.route('/study/<path:study_id>')
+async def authorize_study_for_users(study_id):
+    study_dict = await connexion.request.json()
+    study_dict["study_id"] = study_id
+    service = "opa"
+    if "X-Test-Mode" in connexion.request.headers and connexion.request.headers["X-Test-Mode"] == os.getenv("TEST_KEY"):
+        service = "test"
+    try:
+        if auth.is_action_allowed_for_study(connexion.request, method="POST", path=f"/study/{study_id}", study=study_dict["study_id"]):
+            # we need to check to see if the study even exists in the system
+            all_studies, status_code = auth.list_studies(service=service)
+            if status_code != 200:
+                return all_studies, status_code
+            if study_dict["study_id"] not in all_studies:
+                return {"error": f"Study {study_dict['study_id']} does not exist in {all_studies}"}
+
+            # for each user, look up user by email:
+            user_emails = list(set(study_dict["user_emails"]))
+            result = {"success": [], "error": []}
+            study_auth = {
+                "study_id": study_dict["study_id"],
+                "start_date": study_dict["start_date"],
+                "end_date": study_dict["end_date"]
+            }
+            for user_email in user_emails:
+                user_dict, status_code = auth.lookup_user_by_email(user_email)
+                if status_code == 404:
+                    # create a temp user
+                    user_dict = {"study_authorizations": {}, "id": user_email}
+                    user_dict["study_authorizations"][study_dict["study_id"]] = study_auth
+                    response, status_code = auth.write_user(user_dict, service=service)
+                    if status_code == 200:
+                        result["success"].append(user_email)
+                    else:
+                        result["error"].append(f"failed to write auth for {user_email}: {response}")
+                else:
+                    # the result from lookup_user_by_email is an array, so grab the first thing:
+                    user_dict = user_dict[0]
+                    user_dict["study_authorizations"][study_dict["study_id"]] = study_auth
+                    response, status_code = auth.write_user(user_dict, service=service)
+                    if status_code == 200:
+                        result["success"].append(user_email)
+                    else:
+                        result["error"].append(f"failed to write auth for {user_email}")
+            return result, 200
+        return {"error": "User is not authorized to authorize studies"}, 403
+    except auth.UserTokenError as e:
+        return {"error": f"{type(e)} {str(e)}"}, 401
+    except auth.AuthzError as e:
+        return {"error": f"{type(e)} {str(e)}"}, 403
+    # except Exception as e:
+    #     return {"error": f"{type(e)} {str(e)}"}, 500
+
+
 @app.route('/study/<path:study_id>')
 def get_study_authorization(study_id):
     service = "opa"
@@ -356,7 +410,7 @@ def lookup_user(email=None):
                     # only add users that have a pcgl id:
                     if "pcglid" in user:
                         result.append(user["pcglid"])
-            return result, status_code
+            return {"result": result}, status_code
         return {"error": "User is not authorized to look up users"}, 403
     except auth.UserTokenError as e:
         return {"error": f"{type(e)} {str(e)}"}, 401
@@ -394,6 +448,12 @@ async def reload_comanage():
         return {"error": f"{type(e)} {str(e)}"}, 403
     except Exception as e:
         return {"error": f"{type(e)} {str(e)}"}, 500
-    result, status_code = auth.reload_comanage()
-    print(result)
-    return result, status_code
+
+    try:
+        open("/app/reload", "x")
+    except FileExistsError:
+        pass
+    except Exception as e:
+        return {"error": f"couldn't reload: {type(e)} {str(e)}"}, 500
+
+    return {"status": "reloading: should be complete in a minute or two"}, 200