Merge pull request #341 from umccr/fix/test-elsa-integration

fix: elsa integration

Author: mmalenic

Cargo.lock

@@ -1,3 +1,4 @@
+use super::{extract_request, handle_response};
 use crate::server::AppState;
 use axum::Extension;
 use axum::extract::{Path, Query, State};
@@ -8,8 +9,6 @@ use http::HeaderMap;
 use serde_json::Value;
 use std::collections::HashMap;
 
-use super::{extract_request, handle_response};
-
 /// GET request reads endpoint.
 pub async fn reads<H: HtsGet + Send + Sync + 'static>(
   query: Query<HashMap<String, String>>,

htsget-axum/src/handlers/get.rs

@@ -438,10 +438,6 @@ The following additional options can be configured under the `auth` table to ena
 | `forward_id`            | Forwards the id of the request in a header called `Htsget-Context-Id`. The value of this header will be request path without the `/reads/` or `/variants/` component. For example, if a request path is `/reads/<id>`, this header will have the same value as `<id>`. | Boolean               | `false`  |
 | `passthrough_auth`      | Forward the authorization header to the authorization server directly without renaming it to a `Htsget-Context-` custom header. If this is true, then the `Authorization` header is required with the request.                                                         | Boolean               | `false`  |
 
-When using the `authorization_url`, the [authentication](#jwt-authentication) config must also be set as htsget-rs will
-forward the JWT token to the authorization server so that it can make decisions about the user's authorization. If the
-`authorization_url` is a file path, then authentication doesn't need to be set.
-
 Each header in the `forward_headers` option is forwarded as a custom `Htsget-Context-<name>` header to the authorization server.
 The authorization header can be forward as though it is coming from the client by setting `forward_auth_header = true`. This is
 useful to support authenticating the original client JWT at the authorization server and can be used to set-up authorization

htsget-config/README.md

@@ -30,6 +30,7 @@ cfg-if = "1"
 
 # JWT middleware
 reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
+reqwest-middleware = "0.4"
 jsonwebtoken = "9"
 jsonpath-rust = "1"
 regex = "1"

htsget-http/Cargo.toml

@@ -1,10 +1,9 @@
+use htsget_config::types::HtsGetError as HtsGetSearchError;
 use http::StatusCode;
 use http::header::{InvalidHeaderName, InvalidHeaderValue};
-use serde::Serialize;
+use serde::{Deserialize, Serialize};
 use thiserror::Error;
 
-use htsget_config::types::HtsGetError as HtsGetSearchError;
-
 pub type Result<T> = core::result::Result<T, HtsGetError>;
 
 /// An error type that describes the errors specified in the
@@ -29,18 +28,20 @@ pub enum HtsGetError {
   MethodNotAllowed(String),
   #[error("InternalError")]
   InternalError(String),
+  #[error("Wrapped")]
+  Wrapped(WrappedHtsGetError, StatusCode),
 }
 
 /// A helper struct implementing [serde's Serialize trait](Serialize) to allow
 /// easily converting HtsGetErrors to JSON
-#[derive(Serialize)]
+#[derive(Serialize, Deserialize, Clone, Debug, Eq, PartialEq)]
 pub struct JsonHtsGetError {
   error: String,
   message: String,
 }
 
 /// The "htsget" container wrapping the actual error response above
-#[derive(Serialize)]
+#[derive(Serialize, Deserialize, Clone, Debug, Eq, PartialEq)]
 pub struct WrappedHtsGetError {
   htsget: JsonHtsGetError,
 }
@@ -59,6 +60,7 @@ impl HtsGetError {
       | HtsGetError::InvalidRange(err) => (err, StatusCode::BAD_REQUEST),
       HtsGetError::MethodNotAllowed(err) => (err, StatusCode::METHOD_NOT_ALLOWED),
       HtsGetError::InternalError(err) => (err, StatusCode::INTERNAL_SERVER_ERROR),
+      HtsGetError::Wrapped(err, status) => return (err.clone(), *status),
     };
 
     (
@@ -97,3 +99,23 @@ impl From<InvalidHeaderValue> for HtsGetError {
     Self::InternalError(err.to_string())
   }
 }
+
+impl From<reqwest_middleware::Error> for HtsGetError {
+  fn from(err: reqwest_middleware::Error) -> Self {
+    match err {
+      reqwest_middleware::Error::Middleware(err) => HtsGetError::InternalError(err.to_string()),
+      reqwest_middleware::Error::Reqwest(err) => err
+        .status()
+        .map(|status| match status {
+          StatusCode::UNAUTHORIZED => HtsGetError::InvalidAuthentication(err.to_string()),
+          StatusCode::FORBIDDEN => HtsGetError::PermissionDenied(err.to_string()),
+          StatusCode::NOT_FOUND => HtsGetError::NotFound(err.to_string()),
+          StatusCode::PAYLOAD_TOO_LARGE => HtsGetError::PayloadTooLarge(err.to_string()),
+          StatusCode::BAD_REQUEST => HtsGetError::InvalidInput(err.to_string()),
+          StatusCode::METHOD_NOT_ALLOWED => HtsGetError::MethodNotAllowed(err.to_string()),
+          _ => HtsGetError::InternalError(err.to_string()),
+        })
+        .unwrap_or(HtsGetError::InternalError(err.to_string())),
+    }
+  }
+}

htsget-http/src/error.rs

@@ -12,46 +12,45 @@ use htsget_config::config::service_info::PackageInfo;
 use htsget_config::types::{JsonResponse, Query, Request, Response};
 use htsget_search::HtsGet;
 use http::HeaderMap;
-use jsonwebtoken::TokenData;
 use serde_json::Value;
 use tokio::select;
 use tracing::debug;
 use tracing::instrument;
 
-async fn authenticate(
-  headers: &HeaderMap,
-  auth: Option<Auth>,
-) -> Result<Option<(TokenData<Value>, Auth)>> {
+async fn authenticate(headers: &HeaderMap, auth: Option<Auth>) -> Result<Option<Auth>> {
   if let Some(mut auth) = auth {
     if auth.config().auth_mode().is_some() {
-      return Ok(Some((auth.validate_jwt(headers).await?, auth)));
+      auth.validate_jwt(headers).await?;
+      Ok(Some(auth))
+    } else {
+      Ok(Some(auth))
     }
+  } else {
+    Ok(auth)
   }
-
-  Ok(None)
 }
 
 async fn authorize(
   headers: &HeaderMap,
   path: &str,
   queries: &mut [Query],
-  auth: Option<(TokenData<Value>, Auth)>,
+  auth: Option<Auth>,
   extensions: Option<Value>,
   endpoint: &Endpoint,
-) -> Result<Option<AuthorizationRestrictions>> {
-  if let Some((_, mut auth)) = auth {
+) -> Result<Option<(AuthorizationRestrictions, bool)>> {
+  if let Some(mut auth) = auth {
     let _rules = auth
       .validate_authorization(headers, path, queries, extensions, endpoint)
       .await?;
     cfg_if! {
       if #[cfg(feature = "experimental")] {
         if auth.config().add_hint() {
-          Ok(_rules)
+          Ok(_rules.map(|rules| (rules, true)))
         } else {
-          Ok(None)
+          Ok(_rules.map(|rules| (rules, false)))
         }
       } else {
-        Ok(None)
+        Ok(_rules.map(|rules| (rules, false)))
       }
     }
   } else {
@@ -75,6 +74,7 @@ pub async fn get(
   let headers = request.headers().clone();
 
   let auth = authenticate(&headers, auth).await?;
+  debug!(auth = ?auth, "auth");
 
   let format = match_format_from_query(&endpoint, request.query())?;
   let mut query = vec![convert_to_query(request, format)?];
@@ -92,13 +92,15 @@ pub async fn get(
 
   let query = query.into_iter().next().expect("single element vector");
 
-  let response = if let Some(ref rules) = rules {
+  debug!(rules = ?rules, "rules");
+  let response = if let Some((ref rules, _)) = rules {
     let mut remote_locations = rules.clone().into_remote_locations();
     if let Some(package_info) = package_info {
       remote_locations
         .set_from_package_info(package_info)
         .map_err(|_| InternalError("invalid remote locations".to_string()))?;
     }
+    debug!(remote_locations = ?remote_locations, "remote locations");
 
     // If there are remote locations, try them first.
     match remote_locations
@@ -115,7 +117,11 @@ pub async fn get(
 
   cfg_if! {
     if #[cfg(feature = "experimental")] {
-      Ok(response.with_allowed(rules.map(|r| r.into_rules())))
+      let allowed = match rules {
+        Some((rules, add_hint)) if add_hint => Some(rules.into_rules()),
+        _ => None
+      };
+      Ok(response.with_allowed(allowed))
     } else {
       Ok(response)
     }
@@ -138,6 +144,7 @@ pub async fn post(
   let headers = request.headers().clone();
 
   let auth = authenticate(&headers, auth).await?;
+  debug!(auth = ?auth, "auth");
 
   if !request.query().is_empty() {
     return Err(InvalidInput(
@@ -159,7 +166,9 @@ pub async fn post(
   debug!(endpoint = ?endpoint, queries = ?queries, "getting POST response");
 
   let mut futures = FuturesOrdered::new();
-  if let Some(ref rules) = rules {
+  debug!(rules = ?rules, "rules");
+
+  if let Some((ref rules, _)) = rules {
     for query in queries {
       let mut remote_locations = rules.clone().into_remote_locations();
       if let Some(package_info) = package_info {
@@ -168,6 +177,7 @@ pub async fn post(
           .map_err(|_| InternalError("invalid remote locations".to_string()))?;
       }
       let owned_searcher = searcher.clone();
+      debug!(remote_locations = ?remote_locations, "remote locations");
 
       // If there are remote locations, try them first.
       futures.push_back(tokio::spawn(async move {
@@ -198,7 +208,11 @@ pub async fn post(
     JsonResponse::from(merge_responses(responses).expect("expected at least one response"));
   cfg_if! {
     if #[cfg(feature = "experimental")] {
-      Ok(response.with_allowed(rules.map(|r| r.into_rules())))
+      let allowed = match rules {
+        Some((rules, add_hint)) if add_hint => Some(rules.into_rules()),
+        _ => None
+      };
+      Ok(response.with_allowed(allowed))
     } else {
       Ok(response)
     }

htsget-http/src/http_core.rs

@@ -1,7 +1,7 @@
 //! The htsget authorization middleware.
 //!
 
-use crate::error::Result as HtsGetResult;
+use crate::error::{Result as HtsGetResult, WrappedHtsGetError};
 use crate::middleware::error::Error::AuthBuilderError;
 use crate::middleware::error::Result;
 use crate::{Endpoint, HtsGetError};
@@ -22,7 +22,7 @@ use serde::de::DeserializeOwned;
 use serde_json::Value;
 use std::fmt::{Debug, Formatter};
 use std::str::FromStr;
-use tracing::trace;
+use tracing::{debug, trace};
 
 /// The authorization middleware builder.
 #[derive(Default, Debug)]
@@ -88,22 +88,36 @@ impl Auth {
     headers: HeaderMap,
   ) -> HtsGetResult<D> {
     trace!("fetching url: {}", url);
-    let err = || HtsGetError::InternalError(format!("failed to fetch data from {url}"));
     let response = self
       .config
       .http_client()
-      .map_err(|_| err())?
+      .map_err(|err| HtsGetError::InternalError(format!("failed to fetch data from {url}: {err}")))?
       .get(url)
       .headers(headers)
       .send()
-      .await
-      .map_err(|_| err())?;
+      .await?;
     trace!("response: {:?}", response);
 
-    response.json().await.map_err(|_| err())
+    let status = response.status();
+
+    // Forward a valid htsget error if that's what the backend returns.
+    let value = response.json::<Value>().await.map_err(|err| {
+      HtsGetError::InternalError(format!("failed to fetch data from {url}: {err}"))
+    })?;
+    trace!("value: {}", value);
+
+    match serde_json::from_value::<D>(value.clone()) {
+      Ok(response) => Ok(response),
+      Err(_) => match serde_json::from_value::<WrappedHtsGetError>(value.clone()) {
+        Ok(err) => Err(HtsGetError::Wrapped(err, status)),
+        Err(_) => Err(HtsGetError::InternalError(format!(
+          "failed to fetch data from {url}: {value}"
+        ))),
+      },
+    }
   }
 
-  /// Get a decoding key form the JWKS url.
+  /// Get a decoding key from the JWKS url.
   pub async fn decode_jwks(&mut self, jwks_url: &Uri, token: &str) -> HtsGetResult<DecodingKey> {
     // Decode header and get the key id.
     let header = decode_header(token)?;
@@ -437,6 +451,8 @@ impl Auth {
       .query_authorization_service(headers, request_extensions, endpoint, path)
       .await?;
 
+    debug!(restrictions = ?restrictions, "restrictions");
+
     if let Some(restrictions) = restrictions {
       cfg_if! {
         if #[cfg(feature = "experimental")] {

htsget-http/src/middleware/auth.rs

@@ -59,6 +59,7 @@ where
     let mut event: Request = lambda_request.into();
 
     // After creating the request event, add the original request as an extension.
+    debug!(original_request = ?original_request, "original_request");
     event.extensions_mut().insert(original_request);
 
     let fut = Box::pin(self.service.call(event.with_lambda_context(req.context)));