uc-cdis · paulineribeyre · Sep 11, 2019 · Aug 27, 2019 · Aug 30, 2019 · Aug 30, 2019
diff --git a/requirements.txt b/requirements.txt
@@ -34,3 +34,7 @@ gen3dictionary==2.0.0
 gen3datamodel==2.0.2
 -e git+https://git@github.com/uc-cdis/indexclient.git@1.6.0#egg=indexclient
 -e git+https://git@github.com/uc-cdis/storage-client.git@0.1.7#egg=storageclient
+
+# FIXME: TEMPORARY
+# REPLACE WITH gen3authz PACKAGE
+git+https://github.com/uc-cdis/gen3authz.git@fix/json#egg=gen3authz&subdirectory=python
diff --git a/sheepdog/api.py b/sheepdog/api.py
@@ -12,9 +12,9 @@
 from cdispyutils.uwsgi import setup_user_harakiri
 from dictionaryutils import DataDictionary, dictionary
 from datamodelutils import models, validators, postgres_admin
-
-
 from indexclient.client import IndexClient
+from gen3authz.client.arborist.client import ArboristClient
+
 
 import sheepdog
 from sheepdog.errors import (
@@ -149,6 +149,12 @@ def app_init(app):
     except KeyError:
         app.logger.error("Secret key not set in config! Authentication will not work")
 
+    if app.config.get("ARBORIST"):
+        app.auth = ArboristClient(arborist_base_url=app.config["ARBORIST"])
+    else:
+        app.logger.info("Using default Arborist base URL")
+        app.auth = ArboristClient()
+
 
 app = Flask(__name__)
 

diff --git a/sheepdog/auth/__init__.py b/sheepdog/auth/__init__.py
@@ -9,93 +9,24 @@
 
 import functools
 
-from cdislogging import get_logger
-import flask
-
-import authutils
-from authutils import ROLES, dbgap
-from authutils.user import AuthError, current_user, set_global_user
+from authutils.user import current_user
 from authutils.token.validate import current_token
-from cdiserrors import AuthZError
-
-from sheepdog import models
-
-LOGGER = get_logger("sheepdog_auth")
-
-
-def _log_import_error(module_name):
-    """
-    Log which module cannot be imported.
-
-    Just in case this currently short list grows, make it a function.
-    """
-    LOGGER.info("Unable to import %s, assuming it is not there", module_name)
-
-
-# planx only modules (for now)
-
-# Separate try blocks in case one gets brought into gdc authutils.
-# This is done with try blocks because when sheepdog.api imports
-# sheepdog.auth you can't use flask.current_app. It hasn't been
-# instantiated yet (application out of context error)
-
-try:
-    from authutils.token.validate import validate_request
-except ImportError:
-    _log_import_error("validate_request")
-
-
-def _role_error_msg(user_name, roles, project):
-    role_names = [role if role != "_member_" else "read (_member_)" for role in roles]
-    return "User {} doesn't have {} access in {}".format(
-        user_name, " or ".join(role_names), project
-    )
-
-
-def get_program_project_roles(program, project):
-    """
-    A lot of places (submission entities etc.) confuse the terminology and have
-    a ``project_id`` attribute which is actually ``{program}-{project}``, so
-    in those places call this function like
-
-        get_program_project_roles(*project_id.split('-', 1))
-
-    Args:
-        program (str): program name (NOT id)
-        project (str): project name (NOT id)
+import flask
+import re
 
-    Return:
-        Set[str]: roles
-    """
-    if not hasattr(flask.g, "sheepdog_roles"):
-        flask.g.sheepdog_roles = dict()
+from sheepdog.errors import AuthNError, AuthZError
 
-    if not (program, project) in flask.g.sheepdog_roles:
-        user_roles = set()
-        with flask.current_app.db.session_scope():
-            if program:
-                program_node = (
-                    flask.current_app.db.nodes(models.Program)
-                    .props(name=program)
-                    .scalar()
-                )
-                if program_node:
-                    program_id = program_node.dbgap_accession_number
-                    roles = current_user.projects.get(program_id, set())
-                    user_roles.update(set(roles))
-            if project:
-                project_node = (
-                    flask.current_app.db.nodes(models.Project)
-                    .props(code=project)
-                    .scalar()
-                )
-                if project_node:
-                    project_id = project_node.dbgap_accession_number
-                    roles = current_user.projects.get(project_id, set())
-                    user_roles.update(set(roles))
-        flask.g.sheepdog_roles[(program, project)] = user_roles
 
-    return flask.g.sheepdog_roles[(program, project)]
+def get_jwt_from_header():
+    jwt = None
+    auth_header = flask.request.headers.get("Authorization")
+    if auth_header:
+        items = auth_header.split(" ")
+        if len(items) == 2 and items[0].lower() == "bearer":
+            jwt = items[1]
+    if not jwt:
+        raise AuthNError("Didn't receive JWT correctly")
+    return jwt
 
 
 def authorize_for_project(*required_roles):
@@ -107,13 +38,31 @@ def authorize_for_project(*required_roles):
     def wrapper(func):
         @functools.wraps(func)
         def authorize_and_call(program, project, *args, **kwargs):
-            user_roles = get_program_project_roles(program, project)
-            if not user_roles & set(required_roles):
-                raise AuthZError(
-                    _role_error_msg(current_user.username, required_roles, project)
-                )
+            resource = "/programs/{}/projects/{}".format(program, project)
+            jwt = get_jwt_from_header()
+            authz = flask.current_app.auth.auth_request(
+                jwt=jwt,
+                service="sheepdog",
+                methods=required_roles,
+                resources=[resource]
+            )
+            if not authz:
+                raise AuthZError("user is unauthorized")
             return func(program, project, *args, **kwargs)
 
         return authorize_and_call
 
     return wrapper
+
+
+def authorize(program, project, roles):
+    resource = "/programs/{}/projects/{}".format(program, project)
+    jwt = get_jwt_from_header()
+    authz = flask.current_app.auth.auth_request(
+        jwt=jwt,
+        service="sheepdog",
+        methods=roles,
+        resources=[resource]
+    )
+    if not authz:
+        raise AuthZError("user is unauthorized")
diff --git a/sheepdog/blueprint/routes/views/program/project.py b/sheepdog/blueprint/routes/views/program/project.py
@@ -551,11 +551,6 @@ def file_operations(program, project, file_uuid):
             raise UserError("Unsupported file operation", code=405)
 
         project_id = program + "-" + project
-        role = PERMISSIONS[action]
-        roles = auth.get_program_project_roles(*project_id.split("-", 1))
-        if role not in roles:
-            raise AuthError("You don't have {} role to do '{}'".format(role, action))
-
         resp = utils.proxy_request(
             project_id,
             file_uuid,

diff --git a/sheepdog/dev_settings.py b/sheepdog/dev_settings.py
@@ -21,6 +21,8 @@
     "user_domain_name": env.get("KEYSTONE_DOMAIN"),
 }
 
+ARBORIST = "http://arborist-service/"
+
 # Storage
 CLEVERSAFE_HOST = env.get("CLEVERSAFE_HOST", "cleversafe.service.consul")
 

diff --git a/sheepdog/test_settings.py b/sheepdog/test_settings.py
@@ -15,6 +15,9 @@
     "auth_url": "https://fake_auth_url",
     "user_domain_name": "some_domain",
 }
+
+ARBORIST = "http://arborist-service/"
+
 SUBMISSION = {"bucket": "test_submission", "host": "host"}
 
 

diff --git a/sheepdog/transactions/deletion/entity.py b/sheepdog/transactions/deletion/entity.py
@@ -1,4 +1,5 @@
-from sheepdog.auth import get_program_project_roles
+from sheepdog.auth import authorize
+from sheepdog.errors import AuthZError
 from sheepdog.globals import submitted_state, ALLOWED_DELETION_STATES
 from sheepdog.transactions.entity_base import EntityBase, EntityErrors
 from sheepdog.transactions.transaction_base import MissingNode
@@ -22,9 +23,11 @@ def __init__(self, transaction, node):
         self.neighbors = (edge.src for edge in node.edges_in)
 
         # Check user permissions for deleting nodes
-        roles = get_program_project_roles(*self.transaction.project_id.split("-", 1))
-        if "delete" not in roles:
-            self.record_error(
+        try:
+            program, project = self.transaction.project_id.split("-")
+            authorize(program, project, ["delete"])
+        except AuthZError:
+            return self.record_error(
                 "You do not have delete permission for project {}".format(
                     self.transaction.project_id
                 )

diff --git a/sheepdog/transactions/submission/transaction.py b/sheepdog/transactions/submission/transaction.py
@@ -4,7 +4,8 @@
 from flask import current_app as capp
 
 from sheepdog import utils
-from sheepdog.auth import get_program_project_roles
+from sheepdog.auth import authorize
+from sheepdog.errors import AuthZError
 from sheepdog.globals import (
     ENTITY_STATE_CATEGORIES,
     FLAG_IS_ASYNC,
@@ -33,15 +34,16 @@ def __init__(self, smtp_conf=None, **kwargs):
         if utils.should_send_email(self.app_config):
             self.smtp_conf = smtp_conf
 
-        roles = get_program_project_roles(*self.project_id.split("-", 1))
-        if ROLE_SUBMIT not in roles:
-            self.record_error(
+        try:
+            program, project = self.transaction.project_id.split("-")
+            authorize(program, project, [ROLE_SUBMIT])
+        except AuthZError:
+            return self.record_error(
                 "You do not have submit permission for project {}".format(
                     self.project_id
                 ),
                 type=EntityErrors.INVALID_PERMISSIONS,
             )
-            return
 
         self.project_node = utils.lookup_project(
             self.db_driver, self.program, self.project

diff --git a/sheepdog/transactions/upload/entity.py b/sheepdog/transactions/upload/entity.py
@@ -11,8 +11,8 @@
 
 from sheepdog import dictionary
 from sheepdog import models
-from sheepdog.auth import get_program_project_roles
-from sheepdog.errors import InternalError
+from sheepdog.auth import authorize
+from sheepdog.errors import AuthZError, InternalError
 from sheepdog.globals import (
     REGEX_UUID,
     UNVERIFIED_PROGRAM_NAMES,
@@ -231,11 +231,13 @@ def get_node_create(self, skip_node_lookup=False):
             psqlgraph.Node
         """
         # Check user permissions for updating nodes
-        roles = self.get_user_roles()
-        if "create" not in roles:
+        try:
+            program, project = self.transaction.project_id.split("-")
+            authorize(program, project, ["create"])
+        except AuthZError:
             return self.record_error(
-                "You do not have create permission for project {} only {}".format(
-                    self.transaction.project_id, roles
+                "You do not have create permission for project {}".format(
+                    self.transaction.project_id
                 ),
                 type=EntityErrors.INVALID_PERMISSIONS,
             )
@@ -328,14 +330,16 @@ def get_node_merge(self):
             return None
 
         # Check user permissions for updating nodes
-        if "update" not in self.get_user_roles():
-            self.record_error(
+        try:
+            program, project = self.transaction.project_id.split("-")
+            authorize(program, project, ["update"])
+        except AuthZError:
+            return self.record_error(
                 "You do not have update permission for project {}".format(
                     self.transaction.project_id
                 ),
                 type=EntityErrors.INVALID_PERMISSIONS,
             )
-            return None
 
         self.old_props = {k: v for k, v in node.props.iteritems()}
 
@@ -616,27 +620,6 @@ def get_system_property_defaults(self):
                 doc[key] = prop["default"]
         return doc
 
-    def get_user_roles(self):
-        return get_program_project_roles(*self.transaction.project_id.split("-", 1))
-
-    def is_case_creation_allowed(self, case_id):
-        """
-        Check if case creation is allowed:
-
-        #. Does the case exist in dbGaP?
-        #. Is the case in a predefined list of cases to allow?
-        #. Is the owning project in a predefined list of projects?
-        """
-        program, project = self.transaction.project_id.split("-", 1)
-        if program in UNVERIFIED_PROGRAM_NAMES:
-            return True
-        elif project in UNVERIFIED_PROJECT_CODES:
-            return True
-        else:
-            return self.transaction.dbgap_x_referencer.case_exists(
-                program, project, self.doc.get("submitter_id")
-            )
-
     def set_association_proxies(self):
         """
         Set all links on the actual node instance.

diff --git a/sheepdog/transactions/upload/transaction.py b/sheepdog/transactions/upload/transaction.py
@@ -6,12 +6,12 @@
 from collections import Counter
 
 # Validating Entity Existence in dbGaP
+from authutils import dbgap
 from datamodelutils import validators
 from sqlalchemy.exc import IntegrityError
 from sqlalchemy.orm.attributes import flag_modified
 from gdcdictionary import gdcdictionary
 
-from sheepdog.auth import dbgap
 from sheepdog import models
 from sheepdog import utils
 from sheepdog.errors import UserError, HandledIntegrityError