fix(auth): add audience to token validation, improve error catching

uc-cdis · Nov 15, 2023 · 1bf6c0f · 1bf6c0f
1 parent 59eac89
commit 1bf6c0f
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 9 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -63,7 +63,7 @@ jobs:
 
   InformationalLint:
     name: Run Informational Linters
-    needs: [LintConfig]
+    needs: [LintConfig, UnitTest]
     uses: uc-cdis/.github/.github/workflows/optional_lint_check.yaml@feat/lint
     with:
        python-version: '3.9'

diff --git a/gen3discoveryai/auth.py b/gen3discoveryai/auth.py
@@ -54,13 +54,21 @@ async def authorize_request(
     if not token:
         raise HTTPException(status_code=HTTP_401_UNAUTHENTICATED)
 
-    if not await arborist.auth_request(
-        token.credentials,
-        service="gen3_discovery_ai",
-        methods=authz_access_method,
-        resources=authz_resources,
-    ):
-        raise HTTPException(status_code=HTTP_403_FORBIDDEN)
+    try:
+        if not await arborist.auth_request(
+            token.credentials,
+            service="gen3_discovery_ai",
+            methods=authz_access_method,
+            resources=authz_resources,
+        ):
+            logging.debug(
+                f"user does not have `{authz_access_method}` access "
+                f"on `{authz_resources}` for service `gen3_discovery_ai`"
+            )
+            raise HTTPException(status_code=HTTP_403_FORBIDDEN)
+    except Exception as exc:
+        logging.debug(f"arborist.auth_request failed, exc: {exc}")
+        raise HTTPException(status_code=HTTP_403_FORBIDDEN) from exc
 
 
 async def get_user_id(
@@ -158,10 +166,15 @@ async def _get_token_claims(
     if not token:
         raise HTTPException(status_code=HTTP_401_UNAUTHENTICATED)
 
+    # This is what the Gen3 AuthN/Z service adds as the audience to represent Gen3 services
+    audience = f"{request.base_url}/user"
+
     try:
         # NOTE: token can be None if no Authorization header was provided, we expect
         #       this to cause a downstream exception since it is invalid
-        token_claims = await access_token("user", "openid", purpose="access")(token)
+        token_claims = await access_token(
+            "user", "openid", audience=audience, purpose="access"
+        )(token)
     except Exception as exc:
         logging.error(exc.detail if hasattr(exc, "detail") else exc, exc_info=True)
         raise HTTPException(