uc-cdis · Avantol13 · May 20, 2019 · Apr 1, 2019 · Apr 2, 2019 · Apr 2, 2019
diff --git a/bin/fence-create b/bin/fence-create
@@ -5,6 +5,8 @@ import os
 import sys
 import logging
 
+from cdislogging import get_logger
+
 from fence.jwt import keys
 from fence.config import config
 from fence.scripting.fence_create import (
@@ -29,6 +31,7 @@ from fence.scripting.fence_create import (
     verify_user_registration,
     force_update_google_link,
 )
+from fence.rbac.client import ArboristClient
 
 
 def str2bool(v):
@@ -51,6 +54,11 @@ def parse_arguments():
         action="store_true",
         default=False,
     )
+    parser.add_argument(
+        "--arborist",
+        help="the base URL for the arborist service to sync to",
+        default=None,
+    )
 
     subparsers = parser.add_subparsers(title="action", dest="action")
 
@@ -88,6 +96,9 @@ def parse_arguments():
         action="store_true",
         default=False,
     )
+    client_create.add_argument(
+        "--policies", help="which RBAC policies are granted to this client", nargs="*"
+    )
 
     client_modify = subparsers.add_parser("client-modify")
     client_modify.add_argument("--client", required=True)
@@ -109,6 +120,12 @@ def parse_arguments():
     client_modify.add_argument(
         "--delete-urls", help="delete all urls", action="store_true", default=False
     )
+    client_modify.add_argument(
+        "--policies",
+        help="which RBAC policies are granted to this client; if given, "
+        "previous policies will be revoked",
+        nargs="*",
+    )
 
     client_list = subparsers.add_parser("client-list")
 
@@ -335,6 +352,12 @@ def main():
     STORAGE_CREDENTIALS = os.environ.get("STORAGE_CREDENTIALS") or config.get(
         "STORAGE_CREDENTIALS"
     )
+    arborist = None
+    if args.arborist:
+        arborist = ArboristClient(
+            arborist_base_url=args.arborist,
+            logger=get_logger("user_syncer.arborist_client"),
+        )
 
     if args.action == "create":
         yaml_input = args.__dict__["yaml-input"]
@@ -349,6 +372,8 @@ def main():
             auto_approve=args.auto_approve,
             grant_types=args.grant_types,
             confidential=confidential,
+            arborist=arborist,
+            policies=args.policies,
         )
     elif args.action == "client-modify":
         modify_client_action(
@@ -360,6 +385,8 @@ def main():
             description=args.description,
             set_auto_approve=args.set_auto_approve,
             unset_auto_approve=args.unset_auto_approve,
+            arborist=arborist,
+            policies=args.policies,
         )
     elif args.action == "client-delete":
         delete_client_action(DB, args.client)
@@ -380,7 +407,7 @@ def main():
             is_sync_from_dbgap_server=str2bool(args.sync_from_dbgap),
             sync_from_local_csv_dir=args.csv_dir,
             sync_from_local_yaml_file=args.yaml,
-            arborist=args.arborist,
+            arborist=arborist,
         )
     elif args.action == "google-manage-keys":
         remove_expired_google_service_account_keys(DB)

diff --git a/fence/__init__.py b/fence/__init__.py
@@ -16,7 +16,9 @@
 from fence.rbac.client import ArboristClient
 from fence.resources.aws.boto_manager import BotoManager
 from fence.resources.openid.google_oauth2 import GoogleOauth2Client as GoogleClient
-from fence.resources.openid.microsoft_oauth2 import MicrosoftOauth2Client as MicrosoftClient
+from fence.resources.openid.microsoft_oauth2 import (
+    MicrosoftOauth2Client as MicrosoftClient
+)
 from fence.resources.openid.orcid_oauth2 import OrcidOauth2Client as ORCIDClient
 from fence.resources.storage import StorageManager
 from fence.resources.user.user_session import UserSessionInterface
@@ -27,7 +29,6 @@
 import fence.blueprints.data
 import fence.blueprints.login
 import fence.blueprints.oauth2
-import fence.blueprints.rbac
 import fence.blueprints.misc
 import fence.blueprints.storage_creds
 import fence.blueprints.user
@@ -39,7 +40,7 @@
 
 # Can't read config yet. Just set to debug for now, else no handlers.
 # Later, in app_config(), will actually set level based on config
-logger = get_logger(__name__, log_level='debug')
+logger = get_logger(__name__, log_level="debug")
 
 app = flask.Flask(__name__)
 CORS(app=app, headers=["content-type", "accept"], expose_headers="*")
@@ -102,9 +103,6 @@ def app_register_blueprints(app):
     google_blueprint = fence.blueprints.google.make_google_blueprint()
     app.register_blueprint(google_blueprint, url_prefix="/google")
 
-    if config.get("ARBORIST"):
-        app.register_blueprint(fence.blueprints.rbac.blueprint, url_prefix="/rbac")
-
     fence.blueprints.misc.register_misc(app)
 
     @app.route("/")

diff --git a/fence/auth.py b/fence/auth.py
@@ -22,6 +22,25 @@
 logger = get_logger(__name__)
 
 
+def get_jwt():
+    """
+    Return the user's JWT from authorization header. Requires flask application context.
+
+    Raises:
+        - Unauthorized, if header is missing or not in the correct format
+    """
+    header = flask.request.headers.get("Authorization")
+    if not header:
+        raise Unauthorized("missing authorization header")
+    try:
+        bearer, token = header.split(" ")
+    except ValueError:
+        raise Unauthorized("authorization header not in expected format")
+    if bearer.lower() != "bearer":
+        raise Unauthorized("expected bearer token in auth header")
+    return token
+
+
 def build_redirect_url(hostname, path):
     """
     Compute a redirect given a hostname and next path where

diff --git a/fence/blueprints/data/blueprint.py b/fence/blueprints/data/blueprint.py
@@ -8,11 +8,7 @@
     IndexedFile,
     get_signed_url_for_file,
 )
-from fence.errors import (
-    Forbidden,
-    InternalError,
-    UserError,
-)
+from fence.errors import Forbidden, InternalError, UserError
 from fence.utils import is_valid_expiration
 from fence.rbac import check_arborist_auth
 

diff --git a/fence/blueprints/data/indexd.py b/fence/blueprints/data/indexd.py
@@ -11,6 +11,8 @@
 import requests
 
 from fence.auth import (
+    get_jwt,
+    has_oauth,
     current_token,
     login_required,
     set_current_token,
@@ -162,7 +164,7 @@ def init_multipart_upload(key, expires_in=None):
 
         Args:
             key(str): object key
-        
+
         Returns:
             uploadId(str)
         """
@@ -209,7 +211,7 @@ def generate_aws_presigned_url_for_part(key, uploadId, partNumber, expires_in):
             key(str): object key of `guid/filename`
             uploadID(str): uploadId of the current upload.
             partNumber(int): the part number
-        
+
         Returns:
             presigned_url(str)
         """
@@ -299,7 +301,9 @@ def get_signed_url(self, protocol, action, expires_in, force_signed_url=True):
         # don't check the authorization if the file is public
         # (downloading public files with no auth is fine)
         if not self.public and not self.check_authorization(action):
-            raise Unauthorized("You don't have access permission on this file")
+            raise Unauthorized(
+                "You don't have access permission on this file: {}".format(self.file_id)
+            )
         if action is not None and action not in SUPPORTED_ACTIONS:
             raise NotSupported("action {} is not supported".format(action))
         return self._get_signed_url(protocol, action, expires_in, force_signed_url)
@@ -343,6 +347,18 @@ def set_acls(self):
         else:
             raise Unauthorized("This file is not accessible")
 
+    def check_authz(self, action):
+        if not self.index_document.get("authz"):
+            raise ValueError("index record missing `authz`")
+
+        request = {"user": {"token": get_jwt()}, "requests": []}
+        for resource in self.index_document["authz"]:
+            request["requests"].append(
+                {"resource": resource, "action": {"service": "fence", "method": action}}
+            )
+
+        return flask.current_app.arborist.auth_request(request)
+
     @cached_property
     def metadata(self):
         return self.index_document.get("metadata", {})
@@ -364,6 +380,19 @@ def check_authorization(self, action):
                 username = flask.g.user.username
             return self.index_document.get("uploader") == username
 
+        try:
+            action_to_method = {"upload": "write_storage", "download": "read_storage"}
+            method = action_to_method[action]
+            # action should be upload or download
+            # return bool for authorization
+            return self.check_authz(method)
+        except ValueError:
+            # this is ok; we'll default to ACL field (previous behavior)
+            # may want to deprecate in future
+            logger.info(
+                "Couldn't find `authz` field on indexd record, falling back to `acl`."
+            )
+
         if flask.g.token is None:
             given_acls = set(filter_auth_ids(action, flask.g.user.project_access))
         else:
@@ -654,7 +683,7 @@ def generate_presigne_url_for_part_upload(self, uploadId, partNumber, expires_in
     def complete_multipart_upload(self, uploadId, parts, expires_in):
         """
         Complete multipart upload.
-        
+
         Args:
             uploadId(str): upload id of the current upload
             parts(list(set)): List of part infos