Merge pull request #340 from umccr/feat/path-context

mmalenic · web-flow · commit 54458526eec2 · 2025-10-27T05:24:11.000Z
feat: path context
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/htsget-config/README.md b/htsget-config/README.md
@@ -430,11 +430,13 @@ The authorization server should respond with a rule set that htsget-rs can use t
 
 The following additional options can be configured under the `auth` table to enable this:
 
-| Option              | Description                                                                                                                                                                                                    | Type                  | Default  |
-|---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------|
-| `authorization_url` | The URL which will be called to authorize the user. A GET request will be issued to the url. Alternatively, this can be a file path to authorize users based on static config.                                 | URL                   | Not set. |
-| `forward_headers`   | For each header specified, forward any headers from the client to the authorization server. Headers are forwarded with the `Htsget-Context-` as a prefix.                                                      | Array of header names | Not set. |
-| `passthrough_auth`  | Forward the authorization header to the authorization server directly without renaming it to a `Htsget-Context-` custom header. If this is true, then the `Authorization` header is required with the request. | Boolean               | `false`  |
+| Option                  | Description                                                                                                                                                                                                                                                            | Type                  | Default  |
+|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------|
+| `authorization_url`     | The URL which will be called to authorize the user. A GET request will be issued to the url. Alternatively, this can be a file path to authorize users based on static config.                                                                                         | URL                   | Not set. |
+| `forward_headers`       | For each header specified, forward any headers from the client to the authorization server. Headers are forwarded with the `Htsget-Context-` as a prefix.                                                                                                              | Array of header names | Not set. |
+| `forward_endpoint_type` | Forwards the type of endpoint that the request used in a header called `Htsget-Context-Endpoint-Type`. The value of this header will either be `reads` or `variants`, depending on whether the user requested the reads or variants endpoint.                          | Boolean               | `false`  |
+| `forward_id`            | Forwards the id of the request in a header called `Htsget-Context-Id`. The value of this header will be request path without the `/reads/` or `/variants/` component. For example, if a request path is `/reads/<id>`, this header will have the same value as `<id>`. | Boolean               | `false`  |
+| `passthrough_auth`      | Forward the authorization header to the authorization server directly without renaming it to a `Htsget-Context-` custom header. If this is true, then the `Authorization` header is required with the request.                                                         | Boolean               | `false`  |
 
 When using the `authorization_url`, the [authentication](#jwt-authentication) config must also be set as htsget-rs will
 forward the JWT token to the authorization server so that it can make decisions about the user's authorization. If the
diff --git a/htsget-config/docs/examples/auth.toml b/htsget-config/docs/examples/auth.toml
@@ -22,6 +22,10 @@ authorization_url = "https://www.example.com/authorize"
 passthrough_auth = true
 ## Any headers to forward
 #forward_headers = ["Content-Type"]
+## Forward the endpoint type to the auth service.
+#forward_endpoint_type = true
+## Forward the request id.
+#forward_id = true
 
 ## Set client authentication
 #http.key = "key.pem"
diff --git a/htsget-config/src/config/advanced/auth/authorization.rs b/htsget-config/src/config/advanced/auth/authorization.rs
@@ -38,7 +38,7 @@ impl<'de> Deserialize<'de> for UrlOrStatic {
 }
 
 /// The extensions to pass through to the authorization server from http request extensions.
-#[derive(Serialize, Deserialize, Debug, Clone)]
+#[derive(Serialize, Deserialize, Debug, Clone, Eq, PartialEq)]
 #[serde(deny_unknown_fields)]
 pub struct ForwardExtensions {
   json_path: String,
diff --git a/htsget-config/src/config/advanced/auth/mod.rs b/htsget-config/src/config/advanced/auth/mod.rs
@@ -28,6 +28,8 @@ pub struct AuthConfig {
   validate_subject: Option<String>,
   authorization_url: Option<UrlOrStatic>,
   forward_headers: Vec<String>,
+  forward_endpoint_type: bool,
+  forward_id: bool,
   passthrough_auth: bool,
   forward_extensions: Vec<ForwardExtensions>,
   http_client: HttpClient,
@@ -95,6 +97,16 @@ impl AuthConfig {
     self.forward_headers.as_slice()
   }
 
+  /// Get whether to forward the endpoint type of the request.
+  pub fn forward_endpoint_type(&self) -> bool {
+    self.forward_endpoint_type
+  }
+
+  /// Get whether to forward the id of the request.
+  pub fn forward_id(&self) -> bool {
+    self.forward_id
+  }
+
   /// Get whether to pass through the auth header.
   pub fn passthrough_auth(&self) -> bool {
     self.passthrough_auth
@@ -126,6 +138,8 @@ pub struct AuthConfigBuilder {
   validate_subject: Option<String>,
   authorization_url: Option<UrlOrStatic>,
   forward_headers: Vec<String>,
+  forward_endpoint_type: bool,
+  forward_id: bool,
   passthrough_auth: bool,
   forward_extensions: Vec<ForwardExtensions>,
   #[serde(rename = "http", alias = "tls", skip_serializing)]
@@ -193,6 +207,18 @@ impl AuthConfigBuilder {
     self
   }
 
+  /// Set whether to forward the endpoint type.
+  pub fn forward_endpoint_type(mut self, forward_endpoint_type: bool) -> Self {
+    self.forward_endpoint_type = forward_endpoint_type;
+    self
+  }
+
+  /// Set whether to forward the id.
+  pub fn forward_id(mut self, forward_id: bool) -> Self {
+    self.forward_id = forward_id;
+    self
+  }
+
   /// Set whether to pass through auth.
   pub fn passthrough_auth(mut self, passthrough_auth: bool) -> Self {
     self.passthrough_auth = passthrough_auth;
@@ -214,6 +240,8 @@ impl AuthConfigBuilder {
       validate_subject: self.validate_subject,
       authorization_url: self.authorization_url,
       forward_headers: self.forward_headers,
+      forward_endpoint_type: self.forward_endpoint_type,
+      forward_id: self.forward_id,
       passthrough_auth: self.passthrough_auth,
       forward_extensions: self.forward_extensions,
       http_client: self
@@ -239,6 +267,8 @@ impl Default for AuthConfigBuilder {
       validate_subject: None,
       authorization_url,
       forward_headers: vec![],
+      forward_endpoint_type: false,
+      forward_id: false,
       passthrough_auth: false,
       forward_extensions: vec![],
       http_client: None,
@@ -376,6 +406,11 @@ mod tests {
       validate_issuer = ["iss1"]
       validate_subject = "sub"
       authorization_url = "https://www.example.com"
+      passthrough_auth = true
+      forward_headers = ["header"]
+      forward_endpoint_type = true
+      forward_id = true
+      forward_extensions = [ { json_path = '$.extension', name = 'Extension'} ]
       "#,
     )
     .unwrap();
@@ -396,6 +431,17 @@ mod tests {
       config.authorization_url().unwrap(),
       &UrlOrStatic::Url("https://www.example.com".parse::<Uri>().unwrap())
     );
+    assert!(config.passthrough_auth());
+    assert_eq!(config.forward_headers(), ["header".to_string()]);
+    assert!(config.forward_endpoint_type());
+    assert!(config.forward_id());
+    assert_eq!(
+      config.forward_extensions(),
+      [ForwardExtensions::new(
+        "$.extension".to_string(),
+        "Extension".to_string()
+      )]
+    );
   }
 
   #[cfg(feature = "experimental")]
diff --git a/htsget-http/src/error.rs b/htsget-http/src/error.rs
@@ -1,4 +1,5 @@
 use http::StatusCode;
+use http::header::{InvalidHeaderName, InvalidHeaderValue};
 use serde::Serialize;
 use thiserror::Error;
 
@@ -84,3 +85,15 @@ impl From<HtsGetSearchError> for HtsGetError {
     }
   }
 }
+
+impl From<InvalidHeaderName> for HtsGetError {
+  fn from(err: InvalidHeaderName) -> Self {
+    Self::InternalError(err.to_string())
+  }
+}
+
+impl From<InvalidHeaderValue> for HtsGetError {
+  fn from(err: InvalidHeaderValue) -> Self {
+    Self::InternalError(err.to_string())
+  }
+}
diff --git a/htsget-http/src/http_core.rs b/htsget-http/src/http_core.rs
@@ -37,10 +37,11 @@ async fn authorize(
   queries: &mut [Query],
   auth: Option<(TokenData<Value>, Auth)>,
   extensions: Option<Value>,
+  endpoint: &Endpoint,
 ) -> Result<Option<AuthorizationRestrictions>> {
   if let Some((_, mut auth)) = auth {
     let _rules = auth
-      .validate_authorization(headers, path, queries, extensions)
+      .validate_authorization(headers, path, queries, extensions, endpoint)
       .await?;
     cfg_if! {
       if #[cfg(feature = "experimental")] {
@@ -77,7 +78,15 @@ pub async fn get(
 
   let format = match_format_from_query(&endpoint, request.query())?;
   let mut query = vec![convert_to_query(request, format)?];
-  let rules = authorize(&headers, &path, query.as_mut_slice(), auth, extensions).await?;
+  let rules = authorize(
+    &headers,
+    &path,
+    query.as_mut_slice(),
+    auth,
+    extensions,
+    &endpoint,
+  )
+  .await?;
 
   debug!(endpoint = ?endpoint, query = ?query, "getting GET response");
 
@@ -137,7 +146,15 @@ pub async fn post(
   }
 
   let mut queries = body.get_queries(request, &endpoint)?;
-  let rules = authorize(&headers, &path, queries.as_mut_slice(), auth, extensions).await?;
+  let rules = authorize(
+    &headers,
+    &path,
+    queries.as_mut_slice(),
+    auth,
+    extensions,
+    &endpoint,
+  )
+  .await?;
 
   debug!(endpoint = ?endpoint, queries = ?queries, "getting POST response");
 
diff --git a/htsget-http/src/lib.rs b/htsget-http/src/lib.rs
@@ -9,8 +9,9 @@ use query_builder::QueryBuilder;
 pub use service_info::get_service_info_json;
 pub use service_info::{Htsget, ServiceInfo, Type};
 use std::collections::HashMap;
-use std::result;
+use std::fmt::{Display, Formatter};
 use std::str::FromStr;
+use std::{fmt, result};
 
 pub mod error;
 pub mod http_core;
@@ -39,6 +40,15 @@ impl FromStr for Endpoint {
   }
 }
 
+impl Display for Endpoint {
+  fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
+    match self {
+      Self::Reads => write!(f, "reads"),
+      Self::Variants => write!(f, "variants"),
+    }
+  }
+}
+
 /// Match the format from a query parameter.
 pub fn match_format_from_query(
   endpoint: &Endpoint,
diff --git a/htsget-http/src/middleware/auth.rs b/htsget-http/src/middleware/auth.rs
diff --git a/htsget-lambda/Cargo.toml b/htsget-lambda/Cargo.toml

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ impl<'de> Deserialize<'de> for UrlOrStatic {`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`/// The extensions to pass through to the authorization server from http request extensions.`
`41`		`-#[derive(Serialize, Deserialize, Debug, Clone)]`
	`41`	`+#[derive(Serialize, Deserialize, Debug, Clone, Eq, PartialEq)]`
`42`	`42`	`#[serde(deny_unknown_fields)]`
`43`	`43`	`pub struct ForwardExtensions {`
`44`	`44`	`json_path: String,`