Merge branch 'master' of https://github.com/uc-cdis/gen3-workflow int…

…o debug/test_wf_branch
uc-cdis · Feb 11, 2025 · a7ff992 · a7ff992
2 parents 9dc6bd7 + a28541f
commit a7ff992
Show file tree

Hide file tree

Showing 4 changed files with 187 additions and 162 deletions.
diff --git a/docs/openapi.yaml b/docs/openapi.yaml
@@ -188,8 +188,8 @@ paths:
       - GA4GH TES
   /s3/{path}:
     delete:
-      description: 'Receive incoming S3 requests, re-sign them (AWS Signature Version
-        4 algorithm) with the
+      description: 'Receive incoming signed S3 requests, re-sign them (AWS Signature
+        Version 4 algorithm) with the
 
         appropriate credentials to access the current user''s AWS S3 bucket, and forward
         them to
@@ -219,8 +219,8 @@ paths:
       tags:
       - S3
     get:
-      description: 'Receive incoming S3 requests, re-sign them (AWS Signature Version
-        4 algorithm) with the
+      description: 'Receive incoming signed S3 requests, re-sign them (AWS Signature
+        Version 4 algorithm) with the
 
         appropriate credentials to access the current user''s AWS S3 bucket, and forward
         them to
@@ -250,8 +250,8 @@ paths:
       tags:
       - S3
     head:
-      description: 'Receive incoming S3 requests, re-sign them (AWS Signature Version
-        4 algorithm) with the
+      description: 'Receive incoming signed S3 requests, re-sign them (AWS Signature
+        Version 4 algorithm) with the
 
         appropriate credentials to access the current user''s AWS S3 bucket, and forward
         them to
@@ -281,8 +281,8 @@ paths:
       tags:
       - S3
     options:
-      description: 'Receive incoming S3 requests, re-sign them (AWS Signature Version
-        4 algorithm) with the
+      description: 'Receive incoming signed S3 requests, re-sign them (AWS Signature
+        Version 4 algorithm) with the
 
         appropriate credentials to access the current user''s AWS S3 bucket, and forward
         them to
@@ -312,8 +312,8 @@ paths:
       tags:
       - S3
     patch:
-      description: 'Receive incoming S3 requests, re-sign them (AWS Signature Version
-        4 algorithm) with the
+      description: 'Receive incoming signed S3 requests, re-sign them (AWS Signature
+        Version 4 algorithm) with the
 
         appropriate credentials to access the current user''s AWS S3 bucket, and forward
         them to
@@ -343,8 +343,8 @@ paths:
       tags:
       - S3
     post:
-      description: 'Receive incoming S3 requests, re-sign them (AWS Signature Version
-        4 algorithm) with the
+      description: 'Receive incoming signed S3 requests, re-sign them (AWS Signature
+        Version 4 algorithm) with the
 
         appropriate credentials to access the current user''s AWS S3 bucket, and forward
         them to
@@ -374,8 +374,8 @@ paths:
       tags:
       - S3
     put:
-      description: 'Receive incoming S3 requests, re-sign them (AWS Signature Version
-        4 algorithm) with the
+      description: 'Receive incoming signed S3 requests, re-sign them (AWS Signature
+        Version 4 algorithm) with the
 
         appropriate credentials to access the current user''s AWS S3 bucket, and forward
         them to
@@ -405,8 +405,8 @@ paths:
       tags:
       - S3
     trace:
-      description: 'Receive incoming S3 requests, re-sign them (AWS Signature Version
-        4 algorithm) with the
+      description: 'Receive incoming signed S3 requests, re-sign them (AWS Signature
+        Version 4 algorithm) with the
 
         appropriate credentials to access the current user''s AWS S3 bucket, and forward
         them to

diff --git a/gen3workflow/routes/s3.py b/gen3workflow/routes/s3.py
@@ -8,7 +8,11 @@
 import hmac
 from starlette.datastructures import Headers
 from starlette.responses import Response
-from starlette.status import HTTP_400_BAD_REQUEST, HTTP_403_FORBIDDEN
+from starlette.status import (
+    HTTP_400_BAD_REQUEST,
+    HTTP_401_UNAUTHORIZED,
+    HTTP_403_FORBIDDEN,
+)
 
 from gen3workflow import aws_utils, logger
 from gen3workflow.auth import Auth
@@ -45,6 +49,10 @@ def get_access_token(headers: Headers) -> str:
     logger.debug(f"The authorization header in S3 request {auth_header=}")
     if not auth_header:
         return ""
+    if auth_header.lower().startswith("bearer"):
+        err_msg = f"Bearer tokens in the authorization header are not supported by this endpoint. Please use the AWS SDK/CLI instead"
+        logger.error(err_msg)
+        raise HTTPException(HTTP_401_UNAUTHORIZED, err_msg)
     try:
         if "Credential=" in auth_header:
             # Extract key ID from AWS-style authorization header
@@ -84,7 +92,7 @@ def get_signature_key(key: str, date: str, region_name: str, service_name: str)
 )
 async def s3_endpoint(path: str, request: Request):
     """
-    Receive incoming S3 requests, re-sign them (AWS Signature Version 4 algorithm) with the
+    Receive incoming signed S3 requests, re-sign them (AWS Signature Version 4 algorithm) with the
     appropriate credentials to access the current user's AWS S3 bucket, and forward them to
     AWS S3.
     """