small fixes

Author: paulineribeyre

.secrets.baseline

@@ -98,10 +98,6 @@
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
     },
-    {
-      "path": "detect_secrets.filters.gibberish.should_exclude_secret",
-      "limit": 3.7
-    },
     {
       "path": "detect_secrets.filters.heuristic.is_indirect_reference"
     },
@@ -130,6 +126,61 @@
       "path": "detect_secrets.filters.heuristic.is_templated_secret"
     }
   ],
-  "results": {},
-  "generated_at": "2026-02-27T23:06:29Z"
+  "results": {
+    ".github/workflows/ci.yml": [
+      {
+        "type": "Secret Keyword",
+        "filename": ".github/workflows/ci.yml",
+        "hashed_secret": "3e26d6750975d678acb8fa35a0f69237881576b0",
+        "is_verified": false,
+        "line_number": 15
+      }
+    ],
+    "docs/local_installation.md": [
+      {
+        "type": "Secret Keyword",
+        "filename": "docs/local_installation.md",
+        "hashed_secret": "08d2e98e6754af941484848930ccbaddfefe13d6",
+        "is_verified": false,
+        "line_number": 90
+      }
+    ],
+    "docs/s3.md": [
+      {
+        "type": "Secret Keyword",
+        "filename": "docs/s3.md",
+        "hashed_secret": "08d2e98e6754af941484848930ccbaddfefe13d6",
+        "is_verified": false,
+        "line_number": 55
+      }
+    ],
+    "tests/conftest.py": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "tests/conftest.py",
+        "hashed_secret": "06a9fa84e13b8f701d0c03235f675fee5e6fd736",
+        "is_verified": false,
+        "line_number": 196
+      }
+    ],
+    "tests/test-gen3workflow-config.yaml": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/test-gen3workflow-config.yaml",
+        "hashed_secret": "900a7331f7bf83bff0e1b2c77f471b4a5145da0f",
+        "is_verified": false,
+        "line_number": 5
+      }
+    ],
+    "tests/test_s3_endpoint.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/test_s3_endpoint.py",
+        "hashed_secret": "08d2e98e6754af941484848930ccbaddfefe13d6",
+        "is_verified": false,
+        "line_number": 77
+      }
+    ]
+  },
+  "generated_at": "2026-03-02T20:27:56Z"
 }

gen3workflow/routes/s3.py

@@ -178,8 +178,8 @@ async def s3_endpoint(path: str, request: Request):
     # Extract the caller's access token from the request headers, and ensure the caller (user, or
     # client acting on behalf of the user) has access to the user's files.
     # Note: sharing task inputs/output is not supported. Currently, users can only access their own
-    # S3 bucket. It could be supported by hitting the "GET task" endpoint to get the list of
-    # files for a specific task that a user has access to in another user's bucket.
+    # S3 bucket. Sharing could be supported in the future by hitting the "GET task" endpoint to get
+    # the list of files for a specific task.
     auth = Auth(api_request=request)
     user_id = await set_access_token_and_get_user_id(auth, request.headers)
     auth_verb = {"GET": "read", "HEAD": "read", "DELETE": "delete"}.get(

gen3workflow/routes/storage.py

@@ -15,7 +15,7 @@
 router = APIRouter(prefix="/storage")
 
 
-# TODO: remove the /storage/info path once CI has been updated to use /storage/setup
+# TODO: remove the /storage/info path once the CI and plugin use /storage/setup
 @router.get("/info", status_code=HTTP_200_OK)
 @router.get("/info/", status_code=HTTP_200_OK, include_in_schema=False)
 @router.get("/setup", status_code=HTTP_200_OK)
@@ -69,7 +69,7 @@ async def delete_user_bucket(request: Request, auth=Depends(Auth)) -> None:
     token_claims = await auth.get_token_claims()
     user_id = token_claims.get("sub")
     await auth.authorize(
-        "delete", [f"/services/workflow/gen3-workflow/tasks/{user_id}"]
+        "delete", [f"/services/workflow/gen3-workflow/storage/{user_id}"]
     )
     logger.info(f"User '{user_id}' deleting their storage bucket")
     deleted_bucket_name = aws_utils.cleanup_user_bucket(user_id, delete_bucket=True)
@@ -105,7 +105,7 @@ async def empty_user_bucket(request: Request, auth=Depends(Auth)) -> None:
     token_claims = await auth.get_token_claims()
     user_id = token_claims.get("sub")
     await auth.authorize(
-        "delete", [f"/services/workflow/gen3-workflow/tasks/{user_id}"]
+        "delete", [f"/services/workflow/gen3-workflow/storage/{user_id}"]
     )
     logger.info(f"User '{user_id}' emptying their storage bucket")
     deleted_bucket_name = aws_utils.cleanup_user_bucket(user_id)

tests/conftest.py

@@ -193,7 +193,7 @@ def mock_tes_server_request_function(
                         "state": "COMPLETE",
                         "logs": [{"system_logs": ["blah"]}],
                         "tags": {
-                            "_AUTHZ": f"/services/workflow/gen3-workflow/tasks/OTHER_USER/TASK_ID_PLACEHOLDER"
+                            "_AUTHZ": "/services/workflow/gen3-workflow/tasks/OTHER_USER/TASK_ID_PLACEHOLDER"
                         },
                     },
                     # test that the app can handle a task with no tags:

tests/test_misc.py

@@ -94,7 +94,7 @@ def test_get_safe_name_from_hostname(reset_config_hostname):
 @pytest.mark.parametrize(
     "access_token_patcher", [{"user_id": NEW_TEST_USER_ID}], indirect=True
 )
-async def test_storage_info(
+async def test_storage_setup(
     client, access_token_patcher, mock_aws_services, trailing_slash
 ):
     """
@@ -313,6 +313,14 @@ async def test_delete_user_bucket(
         e.value.response.get("ResponseMetadata", {}).get("HTTPStatusCode") == 404
     ), f"Bucket still exists: {e.value}"
 
+    # An authz check should have been made
+    mock_arborist_request.assert_called_with(
+        method="POST",
+        path=f"/auth/request",
+        body=f'{{"requests":[{{"resource":"/services/workflow/gen3-workflow/storage/{TEST_USER_ID}","action":{{"service":"gen3-workflow","method":"delete"}}}}],"user":{{"token":"{TEST_USER_TOKEN}"}}}}',
+        authorized=client.authorized,
+    )
+
     # Attempt to Delete the bucket again, must receive a 404, since bucket not found.
     res = await client.delete(
         "/storage/user-bucket", headers={"Authorization": f"bearer {TEST_USER_TOKEN}"}