Feature/files api

.github/integration/setup/common/09_create_jwt.sh

@@ -0,0 +1,71 @@
+#!/usr/bin/bash
+
+# Create RSA keys
+cd dev_utils || exit 1
+mkdir -p keys/pub || exit 1
+cd keys || exit 1
+
+ssh-keygen -t rsa -b 4096 -m PEM -f example.demo.pem -q -N ""
+openssl rsa -in example.demo.pem -pubout -outform PEM -out pub/example.demo.pub
+
+# Shared content to use as template
+header_template='{
+    "typ": "JWT",
+    "kid": "0001"
+}'
+
+build_header() {
+        jq -c \
+                --arg iat_str "$(date +%s)" \
+                --arg alg "${1}" \
+                '
+        ($iat_str | tonumber) as $iat
+        | .alg = $alg
+        | .iat = $iat
+        | .exp = ($iat + 86400)
+        ' <<<"$header_template" | tr -d '\n'
+}
+
+b64enc() { openssl enc -base64 -A | tr '+/' '-_' | tr -d '='; }
+json() { jq -c . | LC_CTYPE=C tr -d '\n'; }
+rs_sign() { openssl dgst -binary -sha"${1}" -sign <(printf '%s\n' "$2"); }
+es_sign() { openssl dgst -binary -sha"${1}" -sign <(printf '%s\n' "$2") | openssl asn1parse -inform DER | grep INTEGER | cut -d ':' -f 4 | xxd -p -r; }
+
+sign() {
+        if [ -n "$2" ]; then
+                rsa_secret=$(<"$2")
+        else
+                echo "no signing key supplied"
+                exit 1
+        fi
+        local algo payload header sig secret=$rsa_secret
+        algo=${1:-RS256}
+        algo=${algo^^}
+        header=$(build_header "$algo") || return
+        payload=${4:-$test_payload}
+        signed_content="$(json <<<"$header" | b64enc).$(json <<<"$payload" | b64enc)"
+        case $algo in
+        RS*) sig=$(printf %s "$signed_content" | rs_sign "${algo#RS}" "$secret" | b64enc) ;;
+        ES*) sig=$(printf %s "$signed_content" | es_sign "${algo#ES}" "$secret" | b64enc) ;;
+        *)
+                echo "Unknown algorithm" >&2
+                return 1
+                ;;
+        esac
+        printf '%s.%s\n' "${signed_content}" "${sig}"
+}
+
+iat=$(date +%s)
+exp=$(date --date="${3:-tomorrow}" +%s)
+
+test_payload='{
+  "sub": "test",
+  "azp": "azp",
+  "scope": "openid ga4gh_passport_v1",
+  "iss": "http://example.demo",
+  "exp": '"$exp"',
+  "iat": '"$iat"',
+  "jti": "6ad7aa42-3e9c-4833-bd16-765cb80c2102"
+}'
+
+sign RS256 example.demo.pem > token.jwt

.github/integration/setup/common/10_services.sh

@@ -79,7 +79,7 @@ else
 
     docker-compose -f compose-sda.yml up -d
 
-    for p in ingest verify finalize mapper intercept backup; do
+    for p in ingest verify finalize mapper intercept backup api; do
         RETRY_TIMES=0
         until docker ps -f name="$p" --format "{{.Status}}" | grep "Up"
         do echo "waiting for $p to become ready"

.github/integration/tests/common/30_ingest_test.sh

@@ -407,3 +407,11 @@ docker run --rm --name client --network dev_utils_default -v "$PWD/certs:/certs"
 	-e PGSSLCERT=/certs/client.pem -e PGSSLKEY=/certs/client-key.pem -e PGSSLROOTCERT=/certs/ca.pem \
 	neicnordic/pg-client:latest postgresql://postgres:rootpassword@db:5432/lega \
 	-t -c "SELECT id, status, stable_id, archive_path FROM local_ega.files ORDER BY id DESC"
+
+# Test the API files endpoint
+token="$(cat keys/token.jwt)"
+response="$(curl -k -L "https://localhost:8080/files" -H "Authorization: Bearer $token" | jq -r 'sort_by(.inboxPath)|.[-1].fileStatus')"
+if [ "$response" != "ready" ]; then
+	echo "API returned incorrect value, expected ready got: $response"
+	exit 1
+fi

cmd/api/api.go

@@ -3,18 +3,24 @@ package main
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"net/http"
+	"net/url"
 	"os"
 	"os/signal"
+	"strings"
 	"syscall"
 	"time"
 
 	"sda-pipeline/internal/broker"
 	"sda-pipeline/internal/config"
 	"sda-pipeline/internal/database"
 
-	"github.com/gorilla/mux"
+	"github.com/gin-gonic/gin"
+	"github.com/lestrrat-go/jwx/v2/jwa"
+	"github.com/lestrrat-go/jwx/v2/jwt"
 
 	log "github.com/sirupsen/logrus"
 )
@@ -36,6 +42,13 @@ func main() {
 		log.Fatal(err)
 	}
 
+	Conf.API.JtwKeys = make(map[string][]byte)
+	if Conf.API.JwtPubKeyPath != "" {
+		if err := config.GetJwtKey(Conf.API.JwtPubKeyPath, Conf.API.JtwKeys); err != nil {
+			log.Panicf("Error while getting key %s: %v", Conf.API.JwtPubKeyPath, err)
+		}
+	}
+
 	sigc := make(chan os.Signal, 5)
 	signal.Notify(sigc, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT)
 	go func() {
@@ -62,9 +75,11 @@ func main() {
 }
 
 func setup(config *config.Config) *http.Server {
-	r := mux.NewRouter().SkipClean(true)
 
-	r.HandleFunc("/ready", readinessResponse).Methods("GET")
+	r := gin.Default()
+
+	r.GET("/ready", readinessResponse)
+	r.GET("/files", getFiles)
 
 	cfg := &tls.Config{
 		MinVersion:               tls.VersionTLS12,
@@ -94,11 +109,11 @@ func shutdown() {
 	defer Conf.API.DB.Close()
 }
 
-func readinessResponse(w http.ResponseWriter, r *http.Request) {
-	statusCocde := http.StatusOK
+func readinessResponse(c *gin.Context) {
+	statusCode := http.StatusOK
 
 	if Conf.API.MQ.Connection.IsClosed() {
-		statusCocde = http.StatusServiceUnavailable
+		statusCode = http.StatusServiceUnavailable
 		newConn, err := broker.NewMQ(Conf.Broker)
 		if err != nil {
 			log.Errorf("failed to reconnect to MQ, reason: %v", err)
@@ -108,7 +123,7 @@ func readinessResponse(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if Conf.API.MQ.Channel.IsClosed() {
-		statusCocde = http.StatusServiceUnavailable
+		statusCode = http.StatusServiceUnavailable
 		Conf.API.MQ.Connection.Close()
 		newConn, err := broker.NewMQ(Conf.Broker)
 		if err != nil {
@@ -121,10 +136,10 @@ func readinessResponse(w http.ResponseWriter, r *http.Request) {
 	if DBRes := checkDB(Conf.API.DB, 5*time.Millisecond); DBRes != nil {
 		log.Debugf("DB connection error :%v", DBRes)
 		Conf.API.DB.Reconnect()
-		statusCocde = http.StatusServiceUnavailable
+		statusCode = http.StatusServiceUnavailable
 	}
 
-	w.WriteHeader(statusCocde)
+	c.JSON(statusCode, "")
 }
 
 func checkDB(database *database.SQLdb, timeout time.Duration) error {
@@ -136,3 +151,114 @@ func checkDB(database *database.SQLdb, timeout time.Duration) error {
 
 	return database.DB.PingContext(ctx)
 }
+
+// getFiles returns the files from the database for a specific user
+func getFiles(c *gin.Context) {
+
+	log.Debugf("request files in project")
+	c.Writer.Header().Set("Content-Type", "application/json")
+	// Get user ID to extract all files
+	userID, err := getUserFromToken(c.Request)
+	if err != nil {
+		// something went wrong with user token
+		c.JSON(500, err.Error())
+
+		return
+	}
+
+	files, err := Conf.API.DB.GetUserFiles(userID)
+	if err != nil {
+		// something went wrong with querying or parsing rows
+		c.JSON(500, err.Error())
+
+		return
+	}
+
+	// Return response
+	c.JSON(200, files)
+}
+
+// getUserFromToken parses the token, validates it against the key and returns the key
+func getUserFromToken(r *http.Request) (string, error) {
+	// Check that a token is provided
+	tokenStr, err := getToken(r.Header.Get("Authorization"))
+	if err != nil {
+		log.Error("authorization header missing from request")
+
+		return "", fmt.Errorf("could not get token from header: %v", err)
+	}
+
+	token, err := jwt.Parse([]byte(tokenStr), jwt.WithVerify(false))
+	if err != nil {
+		return "", fmt.Errorf("failed to get parse token: %v", err)
+	}
+	strIss := token.Issuer()
+
+	// Poor string unescaper for elixir
+	strIss = strings.ReplaceAll(strIss, "\\", "")
+
+	log.Debugf("Looking for key for %s", strIss)
+
+	iss, err := url.ParseRequestURI(strIss)
+	if err != nil || iss.Hostname() == "" {
+		return "", fmt.Errorf("failed to get issuer from token (%v)", strIss)
+	}
+
+	block, _ := pem.Decode(Conf.API.JtwKeys[iss.Hostname()])
+	key, err := x509.ParsePKIXPublicKey(block.Bytes)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse key (%v)", err)
+	}
+
+	verifiedToken, err := jwt.Parse([]byte(tokenStr), jwt.WithKey(jwa.RS256, key))
+	if err != nil {
+		log.Debugf("failed to verify token as RS256 signature of token %s", err)
+		verifiedToken, err = jwt.Parse([]byte(tokenStr), jwt.WithKey(jwa.ES256, key))
+		if err != nil {
+			log.Errorf("failed to verify token as ES256 signature of token %s", err)
+
+			return "", fmt.Errorf("failed to verify token as RSA256 or ES256 signature of token %s", err)
+		}
+	}
+
+	return verifiedToken.Subject(), nil
+}
+
+// getToken parses the token string from header
+func getToken(header string) (string, error) {
+	log.Debug("parsing access token from header")
+
+	if len(header) == 0 {
+		log.Error("authorization check failed, empty header")
+
+		return "", fmt.Errorf("access token must be provided")
+	}
+
+	// Check that Bearer scheme is used
+	headerParts := strings.Split(header, " ")
+	if headerParts[0] != "Bearer" {
+		log.Error("authorization check failed, no Bearer on header")
+
+		return "", fmt.Errorf("authorization scheme must be bearer")
+	}
+
+	// Check that header contains a token string
+	var token string
+	if len(headerParts) == 2 {
+		token = headerParts[1]
+	} else {
+		log.Error("authorization check failed, no token on header")
+
+		return "", fmt.Errorf("token string is missing from authorization header")
+	}
+
+	if len(token) < 2 {
+		log.Error("authorization check failed, too small token")
+
+		return "", fmt.Errorf("token string is missing from authorization header")
+	}
+
+	log.Debug("access token found")
+
+	return token, nil
+}