PXP-7557: Propagate params in DRS signed url endpoint (#303)

* fix(propagate_url_params): pull query string from flask request url and propagate to fence request when nonempty

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": null,
     "lines": null
   },
-  "generated_at": "2020-12-17T14:53:23Z",
+  "generated_at": "2021-02-09T16:11:33Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -198,7 +198,7 @@
       {
         "hashed_secret": "5666c088b494f26cd8f63ace013992f5fc391ce0",
         "is_verified": false,
-        "line_number": 25,
+        "line_number": 31,
         "type": "Hex High Entropy String"
       }
     ],

indexd/fence_client.py

@@ -26,6 +26,8 @@ def get_signed_url_for_object(self, object_id, access_id):
             raise AuthError("Not Authorized. Access Token Required.")
         if access_id:
             url += "?protocol=" + access_id
+            if flask.request.query_string:
+                url = f"{url}&{flask.request.query_string.decode()}"
         try:
             req = requests.get(url, headers=headers)
         except Exception as e:

tests/test_drs.py

@@ -6,10 +6,16 @@
 from tests.test_bundles import get_bundle_doc
 
 
-def generate_presigned_url_response(did, protocol="", status=200):
-    full_url = (
-        "https://fictitious-commons.io/data/download/" + did + "?protocol=" + protocol
-    )
+def generate_presigned_url_response(did, status=200, **query_params):
+    if query_params:
+        query_string = "&".join(
+            f"{param}={value}" for param, value in query_params.items()
+        )
+        full_url = (
+            "https://fictitious-commons.io/data/download/" + did + "?" + query_string
+        )
+    else:
+        full_url = "https://fictitious-commons.io/data/download/" + did
     presigned_url = {
         "url": "https://storage.googleapis.com/nih-mock-project-released-phs123-c2/RootStudyConsentSet_phs000007.Whatever.v666.p1.c2.FBI-BMW-CIA.tar.gz?GoogleAccessId=internal-someuser-1399@dcpstage-210518.iam.gserviceaccount.com&Expires=1582215120&Signature=hUsgjkegdsfkjbsajkafnsdjksdnfjknbdsajkfbsdkjfbjdfbkjdasfbnjsdnfjsnd2FTr%2FKs2kGKs0fJ8v5elFk5NQAYdrGcU3kROrzJuHUbI%2BMZ839SAbAz2rbMBuC9e46%2BdB91%2FA==&userProject=dcf-mock-project"
     }
@@ -117,7 +123,7 @@ def test_get_presigned_url_unauthorized(client, user):
     res_1 = client.post("/index/", json=data, headers=user)
     assert res_1.status_code == 200
     rec_1 = res_1.json
-    generate_presigned_url_response(rec_1["did"], "s3", status=401)
+    generate_presigned_url_response(rec_1["did"], protocol="s3", status=401)
     res_2 = client.get(
         "/ga4gh/drs/v1/objects/" + rec_1["did"] + "/access/s3",
         headers=user,
@@ -133,7 +139,7 @@ def test_get_presigned_url_with_access_id(client, user):
     rec_1 = res_1.json
     access_id_list = ["s3", "gs", "ftp"]
     for access_id in access_id_list:
-        presigned = generate_presigned_url_response(rec_1["did"], access_id)
+        presigned = generate_presigned_url_response(rec_1["did"], protocol=access_id)
         res_2 = client.get(
             "/ga4gh/drs/v1/objects/" + rec_1["did"] + "/access/" + access_id,
             headers={"AUTHORIZATION": "12345"},
@@ -147,7 +153,7 @@ def test_get_presigned_url_no_access_id(client, user):
     res_1 = client.post("/index/", json=data, headers=user)
     assert res_1.status_code == 200
     rec_1 = res_1.json
-    generate_presigned_url_response(rec_1["did"], "s3")
+    generate_presigned_url_response(rec_1["did"], protocol="s3")
     res_2 = client.get(
         "/ga4gh/drs/v1/objects/" + rec_1["did"] + "/access/",
         headers={"AUTHORIZATION": "12345"},
@@ -160,7 +166,7 @@ def test_get_presigned_url_no_bearer_token(client, user):
     res_1 = client.post("/index/", json=data, headers=user)
     assert res_1.status_code == 200
     rec_1 = res_1.json
-    generate_presigned_url_response(rec_1["did"], "s3")
+    generate_presigned_url_response(rec_1["did"], protocol="s3")
     res_2 = client.get("/ga4gh/drs/v1/objects/" + rec_1["did"] + "/access/s3")
     assert res_2.status_code == 403
 
@@ -171,7 +177,7 @@ def test_get_presigned_url_wrong_access_id(client, user):
     res_1 = client.post("/index/", json=data, headers=user)
     assert res_1.status_code == 200
     rec_1 = res_1.json
-    generate_presigned_url_response(rec_1["did"], "s2", status=404)
+    generate_presigned_url_response(rec_1["did"], protocol="s2", status=404)
     res_2 = client.get(
         "/ga4gh/drs/v1/objects/" + rec_1["did"] + "/access/s2",
         headers={"AUTHORIZATION": "12345"},
@@ -208,10 +214,39 @@ def test_get_presigned_url_with_encoded_slash(client, user):
     rec_1 = res_1.json
     access_id_list = ["s3", "gs", "ftp"]
     for access_id in access_id_list:
-        presigned = generate_presigned_url_response(rec_1["did"], access_id)
+        presigned = generate_presigned_url_response(rec_1["did"], protocol=access_id)
         res_2 = client.get(
             "/ga4gh/drs/v1/objects/" + did + "/access/" + access_id,
             headers={"AUTHORIZATION": "12345"},
         )
         assert res_2.status_code == 200
         assert res_2.json == presigned
+
+
+@responses.activate
+def test_get_presigned_url_with_query_params(client, user):
+    data = get_doc()
+    data["did"] = "dg.TEST/ed8f4658-6acd-4f96-9dd8-3709890c959e"
+    did = "dg.TEST%2Fed8f4658-6acd-4f96-9dd8-3709890c959e"
+    res_1 = client.post("/index/", json=data, headers=user)
+    assert res_1.status_code == 200
+
+    rec_1 = res_1.json
+    access_id_list = ["s3", "gs", "ftp"]
+    for access_id in access_id_list:
+        presigned = generate_presigned_url_response(
+            rec_1["did"],
+            protocol=access_id,
+            userProject="someproject",
+            arbitrary_parameter="val",
+        )
+        res_2 = client.get(
+            "/ga4gh/drs/v1/objects/"
+            + did
+            + "/access/"
+            + access_id
+            + "?userProject=someproject&arbitrary_parameter=val",
+            headers={"AUTHORIZATION": "12345"},
+        )
+        assert res_2.status_code == 200
+        assert res_2.json == presigned