add authz check

uc-cdis · Dec 13, 2024 · 4032cc4 · 4032cc4
1 parent 303c570
commit 4032cc4
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 4 deletions.
diff --git a/gen3workflow/routes/s3.py b/gen3workflow/routes/s3.py
@@ -71,17 +71,18 @@ async def s3_endpoint(path: str, request: Request):
     """
     logger.debug(f"Incoming S3 request: '{request.method} {path}'")
 
-    # extract the user's access token from the request headers, and use it to get the name of
-    # the user's bucket
+    # extract the user's access token from the request headers, and ensure the user has access
+    # to run workflows
     auth = Auth(api_request=request)
     auth.bearer_token = HTTPAuthorizationCredentials(
         scheme="bearer", credentials=get_access_token(request.headers)
     )
+    await auth.authorize("create", ["/services/workflow/gen3-workflow/tasks"])
+
+    # get the name of the user's bucket and ensure the user is making a call to their own bucket
     token_claims = await auth.get_token_claims()
     user_id = token_claims.get("sub")
     user_bucket = aws_utils.get_safe_name_from_user_id(user_id)
-
-    # ensure the user is making a call to their own bucket
     request_bucket = path.split("?")[0].split("/")[0]
     if request_bucket != user_bucket:
         err_msg = f"'{path}' not allowed. You can make calls to your personal bucket, '{user_bucket}'"

diff --git a/tests/test_s3_endpoint.py b/tests/test_s3_endpoint.py
@@ -43,6 +43,23 @@ def test_s3_endpoint_no_token(s3_client):
         s3_client.list_objects(Bucket=f"gen3wf-{config['HOSTNAME']}-{TEST_USER_ID}")
 
 
+"""
+This test currently doesn't work because the client generated when `get_url` is True is not stopped
+properly, so generating a different client (with `authorized=False` param) triggers an error:
+> OSError: [Errno 48] error while attempting to bind on address ('0.0.0.0', 8080): address already
+  in use
+TODO fix that
+"""
+# @pytest.mark.parametrize("client", [{"get_url": True, "authorized": False}], indirect=True)
+# def test_s3_endpoint_unauthorized(s3_client, access_token_patcher):
+#     """
+#     Hitting the `/s3` endpoint with a Gen3 access token that does not have the appropriate access
+#     should result in a 403 Forbidden error.
+#     """
+#     with pytest.raises(ClientError, match="403"):
+#         s3_client.list_objects(Bucket=f"gen3wf-{config['HOSTNAME']}-{TEST_USER_ID}")
+
+
 @pytest.mark.parametrize("client", [{"get_url": True}], indirect=True)
 @pytest.mark.parametrize(
     "bucket_name",