Merge branch 'main' of https://github.com/hubmapconsortium/gateway in…

…to dev-integrate
hubmapconsortium · Apr 23, 2024 · 946773f · 946773f
2 parents 7c2d5a8 + 5449e38
commit 946773f
Show file tree

Hide file tree

Showing 10 changed files with 185 additions and 1 deletion.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-2.1.31
+2.1.32
diff --git a/api_endpoints.dev.json b/api_endpoints.dev.json
@@ -521,6 +521,16 @@
       "endpoint": "/data-ingest-board-logout",
       "auth": false
     },
+    {
+      "method": "GET",
+      "endpoint": "/umls-auth",
+      "auth": false
+    },
+    {
+      "method": "GET",
+      "endpoint": "/ubkg-download-file-list",
+      "auth": false
+    },
     {
       "method": "POST",
       "endpoint": "/datasets/components",

diff --git a/api_endpoints.prod.json b/api_endpoints.prod.json
@@ -521,6 +521,16 @@
       "endpoint": "/data-ingest-board-logout",
       "auth": false
     },
+    {
+      "method": "GET",
+      "endpoint": "/umls-auth",
+      "auth": false
+    },
+    {
+      "method": "GET",
+      "endpoint": "/ubkg-download-file-list",
+      "auth": false
+    },
     {
       "method": "POST",
       "endpoint": "/datasets/components",

diff --git a/api_endpoints.test.json b/api_endpoints.test.json
@@ -521,6 +521,16 @@
       "endpoint": "/data-ingest-board-logout",
       "auth": false
     },
+    {
+      "method": "GET",
+      "endpoint": "/umls-auth",
+      "auth": false
+    },
+    {
+      "method": "GET",
+      "endpoint": "/ubkg-download-file-list",
+      "auth": false
+    },
     {
       "method": "POST",
       "endpoint": "/datasets/components",

diff --git a/hubmap-auth/src/app.py b/hubmap-auth/src/app.py
@@ -284,6 +284,40 @@ def file_auth():
     return response_401
 
 
+@app.route('/umls_auth', methods = ['GET'])
+def umls_auth():
+    logger.info("======umls_auth Original request.headers======")
+    logger.info(request.headers)
+
+    # Nginx auth_request only cares about the response status code
+    # it ignores the response body
+    # We use body here only for description purposes and direct visit to this endpoint
+    response_200 = make_response(jsonify({"message": "OK: Authorized"}), 200)
+    response_401 = make_response(jsonify({"message": "ERROR: Unauthorized"}), 401)
+    response_403 = make_response(jsonify({"message": "ERROR: Forbidden"}), 403)
+    response_500 = make_response(jsonify({"message": "ERROR: Internal Server Error"}), 500)
+
+    orig_uri = None
+
+    if "X-Original-URI" in request.headers:
+        orig_uri = request.headers.get("X-Original-URI")
+
+
+    parsed_uri = urlparse(orig_uri)
+
+    logger.debug("======parsed_uri======")
+    logger.debug(parsed_uri)
+
+    query = parse_qs(parsed_uri.query)
+
+    if 'umls-key' not in query:
+        return response_401
+    is_authorized = validate_umls_key(query['umls-key'][0])
+    if not is_authorized:
+        return response_403
+    return response_200
+
+
 ####################################################################################################
 ## Internal Functions Used By API Auth and File Auth
 ####################################################################################################
@@ -729,6 +763,17 @@ def get_file_access(uuid, token_from_query, request):
         return internal_error
 
 
+def validate_umls_key(umls_key):
+    validator_key = app.config['UMLS_KEY']
+    base_url = app.config['UMLS_VALIDATE_URL']
+    url = base_url + '?validatorApiKey=' + validator_key + '&apiKey=' + umls_key
+    result = requests.get(url=url)
+    if result.json() == True:
+        return True
+    else:
+        return False
+
+
 # Always pass through the requests with using modified version of the globus app secret as internal token
 def is_secrect_token(request):
     internal_token = auth_helper_instance.getProcessSecret()

diff --git a/hubmap-auth/src/instance/app.cfg.example b/hubmap-auth/src/instance/app.cfg.example
@@ -40,4 +40,8 @@ CACHE_MAXSIZE = 1024
 # Expire the cache after the time-to-live (seconds)
 CACHE_TTL = 7200
 
+# Umls key authentication
+UMLS_KEY = ''
+UMLS_VALIDATE_URL = ''
+
 
diff --git a/nginx/conf.d-prod/ubkg-download.conf b/nginx/conf.d-prod/ubkg-download.conf
@@ -0,0 +1,66 @@
+# Port 80 on host maps to 8080 on container
+server {
+    # Only root can listen on ports below 1024, we use higher-numbered ports
+    # since nginx is running under non-root user hubmap
+    listen 8080;
+    server_name ubkg-downloads.xconsortia.org;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }    
+}
+
+# Port 443 on host maps to 4430 on container
+server {
+    # Only root can listen on ports below 1024, we use higher-numbered ports
+    # since nginx is running under non-root user hubmap
+    listen 4430 ssl; # managed by Certbot
+    server_name ubkg-downloads.xconsortia.org;
+    root /usr/share/nginx/html;
+
+    ssl_certificate /etc/letsencrypt/live/gateway.api.hubmapconsortium.org/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/gateway.api.hubmapconsortium.org/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+    # Logging to the mounted volume for outside container access
+    access_log /usr/src/app/log/nginx_access_ubkg-download.log;
+    error_log /usr/src/app/log/nginx_error_ubkg-download.log warn;
+
+    # No auth_request for favicon    
+    location = /favicon.ico {
+        alias /usr/share/nginx/html/favicon.ico;
+    }
+
+    location / { 
+        # If the file named `maintenance.on` exitis under the target directory
+        # proxy all the requests to that port of this same container that serves the maintenance page
+        if (-f /usr/share/nginx/html/ubkg-download-maintenance/maintenance.on) {
+            # Use IP v4 "127.0.0.1" instead of "localhost" to avoid 502 error caused by DNS failure
+            proxy_pass http://127.0.0.1:5035;
+        }
+
+        proxy_pass http://ubkg-download:3000;
+    }
+
+}
+
+# Port 5035 runs the ubkg-download-maintenance static page index.html
+# No need to public this port from the container to host
+server {
+    # Only root can listen on ports below 1024, we use higher-numbered ports
+    # since nginx is running under non-root user hubmap
+    listen 5035;
+
+    server_name localhost;
+
+    root /usr/share/nginx/html/ubkg-download-maintenance;
+
+    # Direct all requests to maintenance index.html
+    # Except the static resources calls from within the maintenance index.html 
+    location / {
+        # Must use /index.html rather than index.html
+        try_files $uri /index.html =404;
+    }
+}
+
diff --git a/nginx/html/ubkg-download-maintenance/favicon.ico b/nginx/html/ubkg-download-maintenance/favicon.ico
diff --git a/nginx/html/ubkg-download-maintenance/index.html b/nginx/html/ubkg-download-maintenance/index.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <title>HuBMAP Consortium - UBKG Download Under Maintenance</title>
+    <style>
+        html {
+            font-family: Arial, Helvetica, sans-serif;
+        }
+
+        .title {
+            width: 100%;
+            text-align: center;
+            padding-top: 40px;
+        }
+        .content {
+            text-align: center;
+            width: 60%;
+            margin-left: auto;
+            margin-right: auto;
+        }
+        #logo {
+            margin: 40px auto 20px;
+        }
+    </style>
+</head>
+<body>
+    <header class="title">
+        <img id="logo" src="/logo.png" width="283" height="104" alt="">
+        <h1>HuBMAP Consortium - UBKG Download Under Maintenance</h1>
+    </header>
+    <section class="content">
+        <p>The site is currently down for maintenance.</p>
+        <p>Sorry for the inconvenience.</p>
+    </section>
+</body>
+</html>
+
diff --git a/nginx/html/ubkg-download-maintenance/logo.png b/nginx/html/ubkg-download-maintenance/logo.png