DataBiosphere / data-store

AWS and GCP data storage system for genomic data.
https://dss.dev.ucsc-cgp-redwood.org

Determine and implement CRUD endpoint actions for Auth0 #119

Closed chmreid closed 4 years ago

chmreid commented 4 years ago

Background

As part of adding an Auth0 auth layer to the data store, we will be decorating a set of API endpoints with a security decorator that indicates what type of action the endpoint is (CRUD).

The decorator will use this information, together with JWT, and information passed to the decorated function (UUID/resource, etc.), to determine what the user is permitted to do.

Files Affected

The security check for each type of action will ultimately be handled in the Auth0 class in dss/util/auth/auth0.py.

This class defines _create(), _read(), _update(), and _delete() methods. Each API endpoint will indicate which of the four types of operation it is. So a call to PUT /bundles/<uuid> would map to a put() function in dss.api.bundles. That function would be decorated with a security decorator that indicates it is a create operation. Then the security check that would be called would be the _create() method of the Auth0 class in dss.util.auth.

The security decorators are added to each API endpoint that needs auth in dss/api/{files,bundles,*}.py.

From the scripts/swagger_auth.py script we can get a set of API endpoints that will be protected:

```python
default_auth = {"/files/{uuid}": ["put"],
                "/subscriptions": ["get", "put"],
                "/subscriptions/{uuid}": ["get", "delete"],
                "/collections": ["get", "put"],
                "/collections/{uuid}": ["get", "patch", "delete"],
                "/bundles/{uuid}": ["put", "patch", "delete"]
               }
```

Work to be Done

Implement the security checks as follows:

Create:

Read:

Update:

Delete:

Related Issues

Relates to Auth0 FLAC user stories #93

Definition of Done

These security checks are implemented in the Auth0 class in dss/util/auth/auth0.py.
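The following is an added illustration of the dispatch the issue describes (a decorator that names the CRUD action and hands the check to the matching `_create`/`_read`/`_update`/`_delete` method); it is not code from the data-store project. `Auth0Check`, the scope strings it checks, the `claims` payload shape and the `VERB_TO_ACTION` mapping are assumptions made for the example.

```python
import functools
# Assumed mapping from the HTTP verbs of the protected endpoints to a CRUD
# action type, following the issue text (PUT /bundles/{uuid} -> create).
VERB_TO_ACTION = {"put": "create", "get": "read", "patch": "update", "delete": "delete"}

class Forbidden(Exception): pass  # caller lacks permission for the action

class Auth0Check:
    """Assumed stand-in for the Auth0 class in dss/util/auth/auth0.py."""

    def __init__(self, claims):
        # `claims` is the decoded JWT payload; signature checking is assumed done upstream.
        self.scopes = set(claims.get("scope", "").split())

    def _create(self, resource):
        return f"{resource}:write" in self.scopes

    def _read(self, resource):
        return bool(self.scopes & {f"{resource}:read", f"{resource}:write"})

    def _update(self, resource):
        return f"{resource}:write" in self.scopes

    def _delete(self, resource):
        # Delete needs its own scope; a write scope does not imply it.
        return f"{resource}:delete" in self.scopes

def security(action, resource):
    """Run the Auth0 check named after the CRUD action before the endpoint body.
    Unknown actions are rejected at decoration time, not silently skipped."""
    if action not in VERB_TO_ACTION.values():
        raise ValueError(f"unknown CRUD action {action!r}")

    def wrap(fn):
        @functools.wraps(fn)
        def guarded(claims, *args, **kwargs):
            if not getattr(Auth0Check(claims), f"_{action}")(resource):
                raise Forbidden(f"{action} on {resource} denied")
            return fn(*args, **kwargs)
        return guarded
    return wrap

@security(action=VERB_TO_ACTION["put"], resource="bundles")
def put_bundle(uuid):
    return f"created bundle {uuid}"

@security(action=VERB_TO_ACTION["delete"], resource="bundles")
def delete_bundle(uuid):
    return f"deleted bundle {uuid}"
```

The decorator fails closed: a caller whose claims carry only `bundles:write` can create a bundle but is refused on delete, and a misspelled action name is an error at import time rather than an endpoint with no check.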