Merge d58dc6f into 2e021e4

.secrets.baseline

@@ -1,14 +1,11 @@
 {
-  "version": "1.1.0",
+  "generated_at": "2021-06-10T21:56:24Z",
   "plugins_used": [
-    {
-      "name": "ArtifactoryDetector"
-    },
     {
       "name": "AWSKeyDetector"
     },
     {
-      "name": "AzureStorageKeyDetector"
+      "name": "ArtifactoryDetector"
     },
     {
       "name": "Base64HighEntropyString",
@@ -22,7 +19,7 @@
     },
     {
       "name": "HexHighEntropyString",
-      "limit": 3.0
+      "limit": 3
     },
     {
       "name": "IbmCloudIamDetector"
@@ -34,15 +31,12 @@
       "name": "JwtTokenDetector"
     },
     {
-      "name": "KeywordDetector",
-      "keyword_exclude": ""
+      "keyword_exclude": null,
+      "name": "KeywordDetector"
     },
     {
       "name": "MailchimpDetector"
     },
-    {
-      "name": "NpmDetector"
-    },
     {
       "name": "PrivateKeyDetector"
     },
@@ -52,56 +46,13 @@
     {
       "name": "SoftlayerDetector"
     },
-    {
-      "name": "SquareOAuthDetector"
-    },
     {
       "name": "StripeDetector"
     },
     {
       "name": "TwilioKeyDetector"
     }
   ],
-  "filters_used": [
-    {
-      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
-    },
-    {
-      "path": "detect_secrets.filters.common.is_baseline_file",
-      "filename": ".secrets.baseline"
-    },
-    {
-      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
-      "min_level": 2
-    },
-    {
-      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
-    },
-    {
-      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
-    },
-    {
-      "path": "detect_secrets.filters.heuristic.is_lock_file"
-    },
-    {
-      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
-    },
-    {
-      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
-    },
-    {
-      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
-    },
-    {
-      "path": "detect_secrets.filters.heuristic.is_sequential_string"
-    },
-    {
-      "path": "detect_secrets.filters.heuristic.is_swagger_file"
-    },
-    {
-      "path": "detect_secrets.filters.heuristic.is_templated_secret"
-    }
-  ],
   "results": {
     "fence/blueprints/storage_creds/google.py": [
       {
@@ -119,13 +70,6 @@
         "hashed_secret": "98c144f5ecbb4dbe575147a39698b6be1a5649dd",
         "is_verified": false,
         "line_number": 66
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "fence/blueprints/storage_creds/other.py",
-        "hashed_secret": "98c144f5ecbb4dbe575147a39698b6be1a5649dd",
-        "is_verified": false,
-        "line_number": 66
       }
     ],
     "fence/config-default.yaml": [
@@ -135,6 +79,13 @@
         "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
         "is_verified": false,
         "line_number": 31
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "fence/config-default.yaml",
+        "hashed_secret": "5d07e1b80e448a213b392049888111e1779a52db",
+        "is_verified": false,
+        "line_number": 554
       }
     ],
     "fence/local_settings.example.py": [
@@ -159,7 +110,7 @@
         "filename": "fence/resources/google/utils.py",
         "hashed_secret": "1348b145fa1a555461c1b790a2f66614781091e9",
         "is_verified": false,
-        "line_number": 125
+        "line_number": 277
       }
     ],
     "fence/utils.py": [
@@ -168,21 +119,44 @@
         "filename": "fence/utils.py",
         "hashed_secret": "8318df9ecda039deac9868adf1944a29a95c7114",
         "is_verified": false,
-        "line_number": 104
+        "line_number": 105
+      }
+    ],
+    "openapis/swagger.yaml": [
+      {
+        "type": "Private Key",
+        "filename": "openapis/swagger.yaml",
+        "hashed_secret": "1348b145fa1a555461c1b790a2f66614781091e9",
+        "is_verified": false,
+        "line_number": 1927
       },
       {
         "type": "Secret Keyword",
-        "filename": "fence/utils.py",
-        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+        "filename": "openapis/swagger.yaml",
+        "hashed_secret": "bb8e48bd1e73662027a0f0b876b695d4c18f5ed4",
         "is_verified": false,
-        "line_number": 248
+        "line_number": 1927
       },
       {
         "type": "Secret Keyword",
-        "filename": "fence/utils.py",
-        "hashed_secret": "8954f53c9dc3f57137230a016d65bfaee24f8bc5",
+        "filename": "openapis/swagger.yaml",
+        "hashed_secret": "7861ab65194de92776ab9cd06d4d7e7e1ec2c36d",
+        "is_verified": false,
+        "line_number": 2007
+      },
+      {
+        "type": "JSON Web Token",
+        "filename": "openapis/swagger.yaml",
+        "hashed_secret": "d6b66ddd9ea7dbe760114bfe9a97352a5e139134",
+        "is_verified": false,
+        "line_number": 2029
+      },
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "openapis/swagger.yaml",
+        "hashed_secret": "98c144f5ecbb4dbe575147a39698b6be1a5649dd",
         "is_verified": false,
-        "line_number": 249
+        "line_number": 2041
       }
     ],
     "tests/conftest.py": [
@@ -205,23 +179,9 @@
       {
         "type": "Secret Keyword",
         "filename": "tests/credentials/google/test_credentials.py",
-        "hashed_secret": "a06bdb09c0106ab559bd6acab2f1935e19f7e939",
-        "is_verified": false,
-        "line_number": 381
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/credentials/google/test_credentials.py",
-        "hashed_secret": "93aa43c580f5347782e17fba5091f944767b15f0",
-        "is_verified": false,
-        "line_number": 474
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/credentials/google/test_credentials.py",
-        "hashed_secret": "768b7fe00de4fd233c0c72375d12f87ce9670144",
+        "hashed_secret": "22afbfecd4124e2eb0e2a79fafdf62b207a8f8c7",
         "is_verified": false,
-        "line_number": 476
+        "line_number": 579
       }
     ],
     "tests/keys/2018-05-01T21:29:02Z/jwt_private_key.pem": [
@@ -248,16 +208,7 @@
         "filename": "tests/ras/test_ras.py",
         "hashed_secret": "d9db6fe5c14dc55edd34115cdf3958845ac30882",
         "is_verified": false,
-        "line_number": 90
-      }
-    ],
-    "tests/scripting/test_fence-create.py": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/scripting/test_fence-create.py",
-        "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4",
-        "is_verified": false,
-        "line_number": 1120
+        "line_number": 327
       }
     ],
     "tests/test-fence-config.yaml": [
@@ -267,15 +218,50 @@
         "hashed_secret": "afc848c316af1a89d49826c5ae9d00ed769415f3",
         "is_verified": false,
         "line_number": 31
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/test-fence-config.yaml",
-        "hashed_secret": "1627df13b5cd8b3521d02bd8eb2ca31334b3aef2",
-        "is_verified": false,
-        "line_number": 472
       }
     ]
   },
-  "generated_at": "2021-06-09T19:21:40Z"
+  "version": "1.1.0",
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.regex.should_exclude_file",
+      "pattern": [
+        "poetry.lock"
+      ]
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    }
+  ]
 }

fence/__init__.py

@@ -1,16 +1,17 @@
 from collections import OrderedDict
-import os
-import tempfile
-
-from authutils.oauth2.client import OAuthClient
 import flask
 from flask_cors import CORS
 from flask_sqlalchemy_session import flask_scoped_session, current_session
+import os
+import tempfile
 from urllib.parse import urljoin
+
+from authutils.oauth2.client import OAuthClient
+from cdislogging import get_logger
+from gen3authz.client.arborist.client import ArboristClient
 from userdatamodel.driver import SQLAlchemyDriver
 from werkzeug.middleware.dispatcher import DispatcherMiddleware
 
-
 from fence.auth import logout, build_redirect_url
 from fence.blueprints.data.indexd import S3IndexedFileLocation
 from fence.blueprints.login.utils import allowed_login_redirects, domain
@@ -19,7 +20,7 @@
 from fence.models import migrate
 from fence.oidc.client import query_client
 from fence.oidc.server import server
-from fence.resources.audit_service_client import AuditServiceClient
+from fence.resources.audit.client import AuditServiceClient
 from fence.resources.aws.boto_manager import BotoManager
 from fence.resources.openid.cilogon_oauth2 import CilogonOauth2Client as CilogonClient
 from fence.resources.openid.cognito_oauth2 import CognitoOauth2Client as CognitoClient
@@ -49,12 +50,6 @@
 import fence.blueprints.google
 import fence.blueprints.privacy
 
-from cdislogging import get_logger
-
-from cdispyutils.config import get_value
-
-from gen3authz.client.arborist.client import ArboristClient
-
 
 # for some reason the temp dir does not get created properly if we move
 # this statement to `_setup_prometheus()`

fence/blueprints/data/blueprint.py

@@ -3,14 +3,15 @@
 from cdislogging import get_logger
 
 from fence.auth import login_required, require_auth_header, current_token, get_jwt
+from fence.authz.auth import check_arborist_auth
 from fence.blueprints.data.indexd import (
     BlankIndex,
     IndexedFile,
     get_signed_url_for_file,
 )
 from fence.errors import Forbidden, InternalError, UserError, Forbidden
+from fence.resources.audit.utils import enable_audit_logging
 from fence.utils import get_valid_expiration
-from fence.authz.auth import check_arborist_auth
 
 
 logger = get_logger(__name__)
@@ -292,6 +293,7 @@ def upload_file(file_id):
 
 
 @blueprint.route("/download/<path:file_id>", methods=["GET"])
+@enable_audit_logging
 def download_file(file_id):
     """
     Get a presigned url to download a file given by file_id.