update ga4gh with fixes

Author: blankdots

beacon_api/api/exceptions.py

@@ -10,37 +10,35 @@
 from ..conf import CONFIG_INFO
 
 
-class BeaconError(Exception):
-    """BeaconError Exception specific class.
+def process_exception_data(request, host, error_code, error):
+    """Return request data as dictionary.
 
     Generates custom exception messages based on request parameters.
     """
-
-    def __init__(self, request, host, error_code, error):
-        """Return request data as dictionary."""
-        self.data = {'beaconId': '.'.join(reversed(host.split('.'))),
-                     "apiVersion": __apiVersion__,
-                     'exists': None,
-                     'error': {'errorCode': error_code,
-                               'errorMessage': error},
-                     'alleleRequest': {'referenceName': request.get("referenceName", None),
-                                       'referenceBases': request.get("referenceBases", None),
-                                       'includeDatasetResponses': request.get("includeDatasetResponses", "NONE"),
-                                       'assemblyId': request.get("assemblyId", None)},
-                     # showing empty datasetsAlleRsponse as no datasets found
-                     # A null/None would represent no data while empty array represents
-                     # none found or error and corresponds with exists null/None
-                     'datasetAlleleResponses': []}
-        # include datasetIds only if they are specified
-        # as per specification if they don't exist all datatsets will be queried
-        # Only one of `alternateBases` or `variantType` is required, validated by schema
-        oneof_fields = ["alternateBases", "variantType", "start", "end", "startMin", "startMax",
-                        "endMin", "endMax", "datasetIds"]
-        self.data['alleleRequest'].update({k: request.get(k) for k in oneof_fields if k in request})
-        return self.data
-
-
-class BeaconBadRequest(BeaconError):
+    data = {'beaconId': '.'.join(reversed(host.split('.'))),
+            "apiVersion": __apiVersion__,
+            'exists': None,
+            'error': {'errorCode': error_code,
+                      'errorMessage': error},
+            'alleleRequest': {'referenceName': request.get("referenceName", None),
+                              'referenceBases': request.get("referenceBases", None),
+                              'includeDatasetResponses': request.get("includeDatasetResponses", "NONE"),
+                              'assemblyId': request.get("assemblyId", None)},
+            # showing empty datasetsAlleRsponse as no datasets found
+            # A null/None would represent no data while empty array represents
+            # none found or error and corresponds with exists null/None
+            'datasetAlleleResponses': []}
+    # include datasetIds only if they are specified
+    # as per specification if they don't exist all datatsets will be queried
+    # Only one of `alternateBases` or `variantType` is required, validated by schema
+    oneof_fields = ["alternateBases", "variantType", "start", "end", "startMin", "startMax",
+                    "endMin", "endMax", "datasetIds"]
+    data['alleleRequest'].update({k: request.get(k) for k in oneof_fields if k in request})
+
+    return data
+
+
+class BeaconBadRequest(web.HTTPBadRequest):
     """Exception returns with 400 code and a custom error message.
 
     The method is called if one of the required parameters are missing or invalid.
@@ -49,13 +47,12 @@ class BeaconBadRequest(BeaconError):
 
     def __init__(self, request, host, error):
         """Return custom bad request exception."""
-        data = super().__init__(request, host, 400, error)
-
-        LOG.error(f'400 ERROR MESSAGE: {error}')
-        raise web.HTTPBadRequest(content_type="application/json", text=json.dumps(data))
+        data = process_exception_data(request, host, 400, error)
+        super().__init__(text=json.dumps(data), content_type="application/json")
+        LOG.error(f'401 ERROR MESSAGE: {error}')
 
 
-class BeaconUnauthorised(BeaconError):
+class BeaconUnauthorised(web.HTTPUnauthorized):
     """HTTP Exception returns with 401 code with a custom error message.
 
     The method is called if the user is not registered or if the token from the authentication has expired.
@@ -64,17 +61,17 @@ class BeaconUnauthorised(BeaconError):
 
     def __init__(self, request, host, error, error_message):
         """Return custom unauthorized exception."""
-        data = super().__init__(request, host, 401, error)
+        data = process_exception_data(request, host, 401, error)
         headers_401 = {"WWW-Authenticate": f"Bearer realm=\"{CONFIG_INFO.url}\"\n\
                          error=\"{error}\"\n\
                          error_description=\"{error_message}\""}
+        super().__init__(content_type="application/json", text=json.dumps(data),
+                         # we use auth scheme Bearer by default
+                         headers=headers_401)
         LOG.error(f'401 ERROR MESSAGE: {error}')
-        raise web.HTTPUnauthorized(content_type="application/json", text=json.dumps(data),
-                                   # we use auth scheme Bearer by default
-                                   headers=headers_401)
 
 
-class BeaconForbidden(BeaconError):
+class BeaconForbidden(web.HTTPForbidden):
     """HTTP Exception returns with 403 code with the error message.
 
     `'Resource not granted for authenticated user or resource protected for all users.'`.
@@ -84,13 +81,12 @@ class BeaconForbidden(BeaconError):
 
     def __init__(self, request, host, error):
         """Return custom forbidden exception."""
-        data = super().__init__(request, host, 403, error)
-
+        data = process_exception_data(request, host, 403, error)
+        super().__init__(content_type="application/json", text=json.dumps(data))
         LOG.error(f'403 ERROR MESSAGE: {error}')
-        raise web.HTTPForbidden(content_type="application/json", text=json.dumps(data))
 
 
-class BeaconServerError(BeaconError):
+class BeaconServerError(web.HTTPInternalServerError):
     """HTTP Exception returns with 500 code with the error message.
 
     The 500 error is not specified by the Beacon API, thus as simple error would do.
@@ -100,6 +96,5 @@ def __init__(self, error):
         """Return custom forbidden exception."""
         data = {'errorCode': 500,
                 'errorMessage': error}
-
+        super().__init__(content_type="application/json", text=json.dumps(data))
         LOG.error(f'500 ERROR MESSAGE: {error}')
-        raise web.HTTPInternalServerError(content_type="application/json", text=json.dumps(data))

beacon_api/permissions/ga4gh.py

@@ -7,7 +7,7 @@
 .. code-block:: javascript
 
     {
-        "scope": "ga4gh_passport_v1",
+        "scope": "openid ga4gh_passport_v1",
         ...
     }
 
@@ -87,13 +87,25 @@
 import aiohttp
 
 from authlib.jose import jwt
-from authlib.jose.errors import MissingClaimError, InvalidClaimError, ExpiredTokenError, InvalidTokenError
 
 from ..api.exceptions import BeaconServerError
 from ..utils.logging import LOG
 from ..conf import OAUTH2_CONFIG
 
 
+async def check_ga4gh_token(decoded_data, token, bona_fide_status, dataset_permissions):
+    """Check the token for GA4GH claims."""
+    if 'scope' in decoded_data:
+        ga4gh_scopes = ['openid', 'ga4gh_passport_v1']
+        token_scopes = decoded_data.get('scope').split(' ')
+        LOG.info(f'GA4H Required scopes: {ga4gh_scopes}')
+        LOG.info(f'Token scopes: {token_scopes}')
+        LOG.info(f'Bona fide before: {bona_fide_status}')
+        LOG.info(f'Permissions before: {dataset_permissions}')
+        if all(scope in token_scopes for scope in ga4gh_scopes):
+            dataset_permissions, bona_fide_status = await get_ga4gh_permissions(token)
+
+
 async def decode_passport(encoded_passport):
     """Return decoded header and payload from encoded passport JWT.
 
@@ -148,10 +160,11 @@ async def get_ga4gh_permissions(token):
             # Decode passport
             header, payload = await decode_passport(encoded_passport)
             # Sort passports that carry dataset permissions
-            if payload.get('ga4gh_visa_v1', {}).get('type') == 'ControlledAccessGrants':
+            pass_type = payload.get('ga4gh_visa_v1', {}).get('type')
+            if pass_type == 'ControlledAccessGrants':
                 dataset_passports.append((encoded_passport, header))
             # Sort passports that MAY carry bona fide status information
-            if payload.get('ga4gh_visa_v1', {}).get('type') in ['AcceptedTermsAndPolicies', 'ResearcherStatus']:
+            if pass_type in ['AcceptedTermsAndPolicies', 'ResearcherStatus']:
                 bona_fide_passports.append((encoded_passport, header, payload))
 
     # Parse dataset passports to extract dataset permissions and validate them
@@ -227,20 +240,8 @@ async def validate_passport(passport):
         decoded_passport.validate()
         # Return decoded and validated payload contents
         return decoded_passport
-    except MissingClaimError as e:
-        LOG.error(f'Missing claim(s): {e}')
-        pass
-    except ExpiredTokenError as e:
-        LOG.error(f'Expired signature: {e}')
-        pass
-    except InvalidClaimError as e:
-        LOG.error(f'Token info not corresponding with claim: {e}')
-        pass
-    except InvalidTokenError as e:
-        LOG.error(f'Invalid authorization token: {e}')
-        pass
-
-    return None
+    except Exception as e:
+        LOG.error(f"Something went wrong when processing JWT tokens: {e}")
 
 
 async def get_ga4gh_controlled(passports):
@@ -274,35 +275,31 @@ async def get_ga4gh_bona_fide(passports):
         # Check for the `type` of visa to determine if to look for `terms` or `status`
         #
         # CHECK FOR TERMS
-        if passport[2].get('ga4gh_visa_v1', {}).get('type') == 'AcceptedTermsAndPolicies':
-            # Check if the visa contains a bona fide value
-            if passport[2].get('ga4gh_visa_v1', {}).get('value') == OAUTH2_CONFIG.bona_fide_value:
-                # This passport has the correct type and value, next step is to validate it
-                #
-                # Decode passport and validate its contents
-                # If the validation passes, terms will be set to True
-                # If the validation fails, an exception will be raised
-                # (and ignored since it's not fatal), and terms will remain False
-                await validate_passport(passport)
-                # The token is validated, therefore the terms are accepted
-                terms = True
+        passport_type = passport[2].get('ga4gh_visa_v1', {}).get('type')
+        passport_value = passport[2].get('ga4gh_visa_v1', {}).get('value')
+        if passport_type in 'AcceptedTermsAndPolicies' and passport_value == OAUTH2_CONFIG.bona_fide_value:
+            # This passport has the correct type and value, next step is to validate it
+            #
+            # Decode passport and validate its contents
+            # If the validation passes, terms will be set to True
+            # If the validation fails, an exception will be raised
+            # (and ignored since it's not fatal), and terms will remain False
+            await validate_passport(passport)
+            # The token is validated, therefore the terms are accepted
+            terms = True
         #
         # CHECK FOR STATUS
-        if passport[2].get('ga4gh_visa_v1', {}).get('type') == 'ResearcherStatus':
+        if passport_value == OAUTH2_CONFIG.bona_fide_value and passport_type == 'ResearcherStatus':
             # Check if the visa contains a bona fide value
-            if passport[2].get('ga4gh_visa_v1', {}).get('value') == OAUTH2_CONFIG.bona_fide_value:
-                # This passport has the correct type and value, next step is to validate it
-                #
-                # Decode passport and validate its contents
-                # If the validation passes, status will be set to True
-                # If the validation fails, an exception will be raised
-                # (and ignored since it's not fatal), and status will remain False
-                await validate_passport(passport)
-                # The token is validated, therefore the status is accepted
-                status = True
-
-    if terms and status:
-        # User has agreed to terms and has been recognized by a peer, return True for Bona Fide status
-        return True
+            # This passport has the correct type and value, next step is to validate it
+            #
+            # Decode passport and validate its contents
+            # If the validation passes, status will be set to True
+            # If the validation fails, an exception will be raised
+            # (and ignored since it's not fatal), and status will remain False
+            await validate_passport(passport)
+            # The token is validated, therefore the status is accepted
+            status = True
 
-    return False
+        # User has agreed to terms and has been recognized by a peer, return True for Bona Fide status
+    return terms and status

beacon_api/utils/validate.py

@@ -13,7 +13,7 @@
 from aiocache.serializers import JsonSerializer
 from ..api.exceptions import BeaconUnauthorised, BeaconBadRequest, BeaconForbidden, BeaconServerError
 from ..conf import OAUTH2_CONFIG
-from ..permissions.ga4gh import get_ga4gh_permissions
+from ..permissions.ga4gh import check_ga4gh_token
 from jsonschema import Draft7Validator, validators
 from jsonschema.exceptions import ValidationError
 
@@ -183,19 +183,13 @@ async def token_middleware(request, handler):
                 # for now the permissions just reflects that the data can be decoded from token
                 # the bona fide status is checked against ELIXIR AAI by default or the URL from config
                 # the bona_fide_status is specific to ELIXIR Tokens
-                #
+                dataset_permissions, bona_fide_status = [], ''
+
                 # Retrieve GA4GH Passports from /userinfo and process them into dataset permissions and bona fide status
                 bona_fide_status = False
                 dataset_permissions = set()
-                required_scopes = ['openid', 'ga4gh_passport_v1']
-                token_scopes = decoded_data.get('scope').split(' ')
-                LOG.info(f'Required scopes: {required_scopes}')
-                LOG.info(f'Token scopes: {token_scopes}')
-                LOG.info(f'Bona fide before: {bona_fide_status}')
-                LOG.info(f'Permissions before: {dataset_permissions}')
-                if all(scope in token_scopes for scope in required_scopes):
-                    dataset_permissions, bona_fide_status = await get_ga4gh_permissions(token)
-                #
+                check_ga4gh_token(decoded_data, token, bona_fide_status, dataset_permissions)
+
                 LOG.info(f'Bona fide after: {bona_fide_status}')
                 LOG.info(f'Permissions after: {dataset_permissions}')
                 controlled_datasets = set()

tests/test_app.py

@@ -37,14 +37,14 @@ def generate_token(issuer):
         "iss": issuer,
         "aud": "audience",
         "exp": 9999999999,
-        "sub": "smth@elixir-europe.org"
+        "sub": "smth@smth.org"
     }
     token = jwt.encode(header, payload, pem).decode('utf-8')
     return token, pem
 
 
 def generate_bad_token():
-    """Mock ELIXIR AAI token."""
+    """Mock AAI token."""
     pem = {
         "kty": "oct",
         "kid": "018c0ae5-4d9b-471b-bfd6-eef314bc7037",
@@ -286,7 +286,7 @@ async def test_invalid_scheme_get_query(self):
     @asynctest.mock.patch('beacon_api.app.query_request_handler', side_effect=json.dumps(PARAMS))
     @unittest_run_loop
     async def test_valid_token_get_query(self, mock_handler, mock_object):
-        """Test valid token GET query endpoint, invalid scheme."""
+        """Test valid token GET query endpoint."""
         token = os.environ.get('TOKEN')
         resp = await self.client.request("POST", "/query",
                                          data=json.dumps(PARAMS),