Allow anonymous get to id cache for discovery (merge commit)

Merge branch 'bugfix/expose-id-get' into 'main'
* allow x-project access when fetching public keys via CLI

* allow anonymous get to id cache for discovery

Closes #1258
See merge request https://gitlab.ci.csc.fi/sds-dev/sd-connect/swift-browser-ui/-/merge_requests/413

Approved-by: Hang Le <lhang@csc.fi>
Co-authored-by: Sampsa Penna <sampsa.penna@csc.fi>
Merged by Hang Le <lhang@csc.fi>

Author: Hang Le

swift_browser_ui/common/common_middleware.py

@@ -65,8 +65,11 @@ async def handle_validate_authentication(
     handler: swift_browser_ui.common.types.AiohttpHandler,
 ) -> aiohttp.web.Response:
     """Handle the authentication of a response as a middleware function."""
+    # TODO: better configuration for conditional skipping of anonymous endpoints
     if request.path == "/health":
         return await handler(request)
+    if "/ids/" in request.path and request.method in {"GET", "OPTIONS"}:
+        return await handler(request)
 
     try:
         signature = request.query["signature"]
@@ -83,7 +86,11 @@ async def handle_validate_authentication(
 
     if "db_conn" in request.app:
         project = ""
-        if "project" in request.match_info:
+        if "/keys" in request.path and request.method == "GET" and "for" in request.query:
+            project = request.query["for"]
+            LOGGER.debug("Using x-project access for project public key.")
+            LOGGER.debug(f"Using {project} as project for request token.")
+        elif "project" in request.match_info:
             LOGGER.debug(f"Using main project for {request}.")
             project = request.match_info["project"]
         elif "owner" in request.match_info:

swift_browser_ui/common/vault_client.py

@@ -9,7 +9,12 @@
 from typing import Any, Dict, List
 
 from aiohttp import ClientSession, ClientTimeout
-from aiohttp.web import HTTPError, HTTPGatewayTimeout, HTTPInternalServerError
+from aiohttp.web import (
+    HTTPError,
+    HTTPGatewayTimeout,
+    HTTPInternalServerError,
+    HTTPNotFound,
+)
 from yarl import URL
 
 from swift_browser_ui.ui.settings import setd
@@ -230,7 +235,7 @@ async def _request(
             message = "Unexpected issue when connecting to service provider."
             raise VaultServerError(text=message, reason=message) from exc
 
-    async def get_public_key(self, project: str) -> str:
+    async def get_public_key(self, project: str, skip_create: bool = False) -> str:
         """Get a project specific public key.
 
         If a key is not found for a project, creates a new one and fetches it.
@@ -249,7 +254,14 @@ async def get_key() -> str:
 
         LOGGER.debug("Getting public key for project %r", project)
         key = await get_key()
-        if not key:
+        if not key and skip_create:
+            LOGGER.debug(
+                "No key: %s found for project % r, but not creating a new one for foreign access.",
+                key,
+                project,
+            )
+            raise HTTPNotFound
+        elif not key and not skip_create:
             LOGGER.debug(
                 "No key: %s found for project %r, creating a new one.", key, project
             )

swift_browser_ui/upload/api.py

@@ -282,7 +282,9 @@ async def handle_project_key(request: aiohttp.web.Request) -> aiohttp.web.Respon
     """Answer project specific encryption keys."""
     vault_client: VaultClient = request.app[VAULT_CLIENT]
     project = request.match_info["project"]
-    public_key = await vault_client.get_public_key(project)
+    # Skip creating public keys for x-project access
+    skip_create = "for" in request.query
+    public_key = await vault_client.get_public_key(project, skip_create=skip_create)
 
     return aiohttp.web.Response(
         text=public_key,