
Allow document id variant API connect, and improve user cred check when accessing variants #4455

Merged (29 commits), Mar 4, 2024

Conversation

dnil (Collaborator) commented Feb 22, 2024

This PR adds a functionality or fixes a bug.

Prepare to fix Clinical-Genomics-Lund/gens#114 and to do Clinical-Genomics/gens#57 in the easiest way. Gens does not have any concept of institute. It cannot easily use the standard scout variant link endpoint (without resorting to more direct db reading or additional potential future api calls), or the recent pin variant api endpoint. The variant document_id uniquely identifies a variant (includes unique case _id). Using it in the calls seems the most parsimonious, given that some extra safety measures are taken to ensure the current user really has access.

En passant fix security issue with the existing variant api call.

Testing on cg-vm1 server (Clinical Genomics Stockholm)

Prepare for testing

  1. Make sure the PR is pushed and available on Docker Hub
  2. First book your testing time using the Pax software available at https://pax.scilifelab.se/. The resource you are going to call dibs on is scout-stage and the server is cg-vm1.
  3. ssh <USER.NAME>@cg-vm1.scilifelab.se
  4. sudo -iu hiseq.clinical
  5. ssh localhost
  6. (optional) Find out which scout branch is currently deployed on cg-vm1: podman ps
  7. Stop the service with current deployed branch: systemctl --user stop scout.target
  8. Start the scout service with the branch to test: systemctl --user start scout@<this_branch>
  9. Make sure the branch is deployed: systemctl --user status scout.target
  10. After testing is done, repeat procedure at https://pax.scilifelab.se/, which will release the allocated resource (scout-stage) to be used for testing by other users.
Testing on hasta server (Clinical Genomics Stockholm)

Prepare for testing

  1. ssh <USER.NAME>@hasta.scilifelab.se
  2. Book your testing time using the Pax software. us; paxa -u <user> -s hasta -r scout-stage. You can also use the WSGI Pax app available at https://pax.scilifelab.se/.
  3. (optional) Find out which scout branch is currently deployed on cg-vm1: conda activate S_scout; pip freeze | grep scout-browser
  4. Deploy the branch to test: bash /home/proj/production/servers/resources/hasta.scilifelab.se/update-tool-stage.sh -e S_scout -t scout -b <this_branch>
  5. Make sure the branch is deployed: us; scout --version
  6. After testing is done, repeat the paxa procedure, which will release the allocated resource (scout-stage) to be used for testing by other users.

How to test:

  1. how to test it, possibly with real cases/data

Expected outcome:
The functionality should be working
Take a screenshot and attach or copy/paste the output.

Review:

  • code approved by CR
  • tests executed by DN

codecov bot commented Mar 1, 2024

Codecov Report

Attention: Patch coverage is 79.36508%, with 13 lines in your changes missing coverage. Please review.

Project coverage is 84.66%. Comparing base (205a7a1) to head (b5c20d1).

Files                                            Patch %   Lines
scout/server/blueprints/variant/controllers.py   67.74%    10 Missing
scout/server/utils.py                            84.61%    2 Missing
scout/server/blueprints/api/views.py             94.11%    1 Missing
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4455      +/-   ##
==========================================
- Coverage   84.69%   84.66%   -0.03%     
==========================================
  Files         310      310              
  Lines       18507    18533      +26     
==========================================
+ Hits        15674    15691      +17     
- Misses       2833     2842       +9     


dnil (Collaborator, Author) commented Mar 1, 2024

While thinking about this, I noticed we have a few flaws in checking if users are authorised to view things. For starters, the variant api is not really relying on its checks (which are anyway nonexistent).

Screenshot 2024-03-01 at 13 53 07

Given a malicious authenticated user, it would be possible to give any fake institute and case. It is easy to see the institute and case are not really used in the variant api call: the variant_id (document_id) is complete enough without them.
Screenshot 2024-03-01 at 13 54 54
Screenshot 2024-03-01 at 13 55 51
Screenshot 2024-03-01 at 13 55 57

Even if an institute_and_case check is introduced, the same goes, so if we had any malicious users, they could just give an institute and case they do have access to. The latter potentially generalises also to other endpoints that do not make direct use of the institute and case supplied for the check.
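The flaw described in this comment, as an added illustration that is not Scout's own code: a pure-Python model of an access check that validates caller-supplied institute and case ids but then fetches the variant by document_id alone, beside the check that derives the case from the variant document first. The `User`, `CASES` and `VARIANTS` structures are constructed for this example and only mimic the shape of Scout's records.

```python
# Added illustration (not Scout's code): an authorisation check that is decoupled
# from the object actually returned, next to the version that ties them together.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    email: str
    institutes: set = field(default_factory=set)  # institutes the user belongs to


# Constructed sample documents, shaped loosely like Scout case and variant records.
CASES = {
    "case_1": {"_id": "case_1", "owner": "inst_A", "collaborators": ["inst_A"]},
    "case_2": {"_id": "case_2", "owner": "inst_B", "collaborators": ["inst_B"]},
}
VARIANTS = {
    # Belongs to case_2, which only inst_B members may see.
    "var_secret": {"_id": "var_secret", "case_id": "case_2", "institute": "inst_B"},
}


def user_can_access_case(user: User, case: dict) -> bool:
    """A user may view a case if a member of its owner or any collaborator institute."""
    allowed = {case["owner"]} | set(case["collaborators"])
    return bool(user.institutes & allowed)


def variant_flawed(user: User, institute_id: str, case_id: str, variant_id: str) -> Optional[dict]:
    """Flawed pattern: the check runs on ids the caller chose, but the lookup ignores them.

    A user who belongs to inst_A can pass case_1 (which passes the check) and still
    receive var_secret, because the variant is fetched by its document_id alone.
    """
    case = CASES.get(case_id)
    if case is None or case["owner"] != institute_id or not user_can_access_case(user, case):
        return None
    return VARIANTS.get(variant_id)  # institute/case never compared against the variant


def variant_fixed(user: User, variant_id: str) -> Optional[dict]:
    """Fixed pattern: resolve the variant first, derive its case, then authorise on that."""
    variant = VARIANTS.get(variant_id)
    if variant is None:
        return None
    case = CASES.get(variant["case_id"])
    if case is None or not user_can_access_case(user, case):
        return None
    return variant
```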

@dnil dnil marked this pull request as ready for review March 1, 2024 14:52
dnil (Collaborator, Author) commented Mar 1, 2024

I'll add a test as well, but the code should be there for review.

Screenshot 2024-03-01 at 15 40 08
Screenshot 2024-03-01 at 15 34 44

@northwestwitch northwestwitch self-assigned this Mar 4, 2024
northwestwitch (Member) left a review

Looks good to me! 👍🏻 I have some comments for improving the code

Review comments (since resolved) on:
  • CHANGELOG.md
  • scout/server/blueprints/api/views.py
  • scout/server/blueprints/variant/controllers.py
dnil and others added 3 commits March 4, 2024 10:28
sonarcloud bot commented Mar 4, 2024

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@dnil dnil merged commit 7b82e9e into main Mar 4, 2024
20 checks passed
@dnil dnil deleted the navigate_document_id_variant branch March 4, 2024 15:55
Successfully merging this pull request may close these issues.

Link to variant in Scout
3 participants