Revert "Revert "fix(migrate): improve acl->authz migration, remove de… (

#338)

* Revert "Revert "fix(migrate): improve acl->authz migration, remove deprecated endpoints (#336)" (#337)"

This reverts commit 6d7b337.

* fix(routing): reorder blueprint routes to accommodate new version of web framework

* fix(migration): ensure if a valid authz path is found for any acl, we move on

* fix(migration): ensure if a valid authz path is found for any acl, we move on

* Update migrate_acl_authz.py

* Update migrate_acl_authz.py

Co-authored-by: Alexander VT <alexander.m.vantol@gmail.com>

bin/migrate_acl_authz.py

@@ -15,7 +15,7 @@
 access to all the listed items, only the project should end up in `authz` (since
 requiring the program would omit access to users who can access only the project).
 
-Furthermore, there are two ways to represent the arborist resources that go into
+Furthermore, there are two ways to represent the Arborist resources that go into
 `authz`: the path (human-readable string) and the tag (random string, pseudo-UUID). The
 tags are what we want to ultimately put into the `authz` field, since these are
 persistent whereas the path could change if resources are renamed.
@@ -34,8 +34,9 @@
 
 from indexd.index.drivers.alchemy import IndexRecord, IndexRecordAuthz
 
+from yaml import safe_load
 
-logger = get_logger("migrate_acl_authz")
+logger = get_logger("migrate_acl_authz", log_level="debug")
 
 
 def main():
@@ -49,7 +50,10 @@ def main():
     driver = settings["config"]["INDEX"]["driver"]
     try:
         acl_converter = ACLConverter(
-            args.arborist, getattr(args, "sheepdog"), getattr(args, "use_tags")
+            args.arborist,
+            getattr(args, "sheepdog"),
+            getattr(args, "use_tags"),
+            getattr(args, "user_yaml_path"),
         )
     except EnvironmentError:
         logger.error("can't continue without database connection")
@@ -119,11 +123,18 @@ def parse_args():
         dest="start_did",
         help="did to start at (records processed in lexographical order)",
     )
+    parser.add_argument(
+        "--user-yaml-path",
+        dest="user_yaml_path",
+        help="path to user yaml for pulling authz mapping",
+    )
     return parser.parse_args()
 
 
 class ACLConverter(object):
-    def __init__(self, arborist_url, sheepdog_db=None, use_tags=False):
+    def __init__(
+        self, arborist_url, sheepdog_db=None, use_tags=False, user_yaml_path=None
+    ):
         self.arborist_url = arborist_url.rstrip("/")
         self.programs = set()
         self.projects = dict()
@@ -134,6 +145,21 @@ def __init__(self, arborist_url, sheepdog_db=None, use_tags=False):
         else:
             logger.info("not using any auth namespace")
         self.use_sheepdog_db = bool(sheepdog_db)
+        self.mapping = {}
+
+        if user_yaml_path:
+            with open(user_yaml_path, "r") as f:
+                user_yaml = safe_load(f)
+                user_yaml_authz = user_yaml.get("authz", dict())
+                if not user_yaml_authz:
+                    user_yaml_authz = user_yaml.get("rbac", dict())
+
+                project_to_resource = user_yaml_authz.get(
+                    "user_project_to_resource", dict()
+                )
+                self.mapping = project_to_resource
+
+        logger.info(f"got mapping: {self.mapping}")
 
         # if "use_tags" is True, map resource paths to tags in arborist so
         # we can save http calls
@@ -194,6 +220,11 @@ def acl_to_authz(self, record):
             if not acl_item:
                 # ignore empty string
                 continue
+            # prefer user.yaml authz mapping (if provided)
+            elif acl_item in self.mapping:
+                path = self.mapping[acl_item]
+                projects_found += 1
+                break
             elif acl_item == "*":
                 # if there's a * it should just be open. return early
                 path = "/open"
@@ -211,11 +242,7 @@ def acl_to_authz(self, record):
                     self.projects[acl_item], acl_item
                 )
                 projects_found += 1
-            else:
-                # nothing worked, raise exception
-                raise EnvironmentError(
-                    "program or project {} does not exist".format(acl_item)
-                )
+                break
 
         if not path:
             logger.error(

indexd/app.py

@@ -7,7 +7,6 @@
 from .guid.blueprint import blueprint as indexd_drs_blueprint
 from .blueprint import blueprint as cross_blueprint
 
-from indexd.fence_client import FenceClient
 from indexd.urls.blueprint import blueprint as index_urls_blueprint
 
 import os
@@ -22,10 +21,6 @@ def app_init(app, settings=None):
         from .default_settings import settings
     app.config.update(settings["config"])
     app.auth = settings["auth"]
-    app.fence_client = FenceClient(
-        url=os.environ.get("PRESIGNED_FENCE_URL")
-        or "http://presigned-url-fence-service"
-    )
     app.hostname = os.environ.get("HOSTNAME") or "http://example.io"
     app.register_blueprint(indexd_bulk_blueprint)
     app.register_blueprint(indexd_index_blueprint)

indexd/drs/blueprint.py

@@ -64,26 +64,6 @@ def list_drs_records():
     return flask.jsonify(ret), 200
 
 
-@blueprint.route(
-    "/ga4gh/drs/v1/objects/<path:object_id>/access",
-    defaults={"access_id": None},
-    methods=["GET"],
-)
-@blueprint.route(
-    "/ga4gh/drs/v1/objects/<path:object_id>/access/<path:access_id>", methods=["GET"]
-)
-def get_signed_url(object_id, access_id):
-    if not access_id:
-        raise (UserError("Access ID/Protocol is required."))
-    res = flask.current_app.fence_client.get_signed_url_for_object(
-        object_id=object_id, access_id=access_id
-    )
-    if not res:
-        raise IndexNoRecordFound("No signed url found")
-
-    return res, 200
-
-
 def create_drs_uri(did):
     """
     Return ga4gh-compilant drs format uri