Download api (#325)

changelog:

- addition of download API endpoints
- addition of default metadatasets, files, and submissions to the test db

Co-authored-by: Leon Kuchenbecker <[email protected]>

Author: KerstenBreuer

.devcontainer/devcontainer.json

@@ -35,7 +35,8 @@
 		"alexcvzz.vscode-sqlite",
 		"njpwerner.autodocstring",
 		"arjun.swagger-viewer",
-		"ms-azuretools.vscode-docker"
+		"ms-azuretools.vscode-docker",
+		"ms-toolsai.jupyter"
 	]
 
 	// Use 'forwardPorts' to make a list of ports inside the container available locally.

datameta/alembic/versions/20210426_4cf970aec869.py

@@ -0,0 +1,36 @@
+"""add download token
+
+Revision ID: 4cf970aec869
+Revises: 68a28d6ed9cb
+Create Date: 2021-04-26 06:54:35.516091
+
+"""
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import postgresql
+
+# revision identifiers, used by Alembic.
+revision = '4cf970aec869'
+down_revision = '68a28d6ed9cb'
+branch_labels = None
+depends_on = None
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('downloadtokens',
+    sa.Column('id', sa.Integer(), nullable=False),
+    sa.Column('uuid', postgresql.UUID(as_uuid=True), nullable=False),
+    sa.Column('file_id', sa.Integer(), nullable=False),
+    sa.Column('value', sa.Text(), nullable=False),
+    sa.Column('expires', sa.DateTime(), nullable=False),
+    sa.ForeignKeyConstraint(['file_id'], ['files.id'], name=op.f('fk_downloadtokens_file_id_files')),
+    sa.PrimaryKeyConstraint('id', name=op.f('pk_downloadtokens')),
+    sa.UniqueConstraint('uuid', name=op.f('uq_downloadtokens_uuid')),
+    sa.UniqueConstraint('value', name=op.f('uq_downloadtokens_value'))
+    )
+    # ### end Alembic commands ###
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_table('downloadtokens')
+    # ### end Alembic commands ###

datameta/api/__init__.py

@@ -62,9 +62,11 @@ def includeme(config: Configurator) -> None:
     config.add_route("groups_id", base_url + "/groups/{id}")
     config.add_route("rpc_delete_files", base_url + "/rpc/delete-files")
     config.add_route("rpc_delete_metadatasets", base_url + "/rpc/delete-metadatasets")
+    config.add_route("rpc_get_file_url", base_url + "/rpc/get-file-url/{id}")
 
     # Endpoint outside of openapi
     config.add_route("upload", base_url + "/upload/{id}")
+    config.add_route("download_by_token", base_url + "/download/{token}")
 
 
 @view_config(

datameta/api/apikeys.py

@@ -90,13 +90,8 @@ def get_expiration_date_from_str(expires_str:Optional[str]):
 
 
 def generate_api_key(request:Request, user:models.User, label:str, expires:Optional[datetime]=None):
-    """For Token Composition:
-    Tokens consist of a core, which is stored as hash in the database,
-    plus a prefix that contains the user and the label of that ApiKey.
-    The user always provides the entire token, which is then split up
-    into prefic and core component. The prefix is used to identify the
-    ApiKey object in the database and the core component is matched
-    against the hash for validating it.
+    """
+    Generate API Token and store unsalted hash in db.
     """
     token = security.generate_token()
     token_hash = security.hash_token(token)

datameta/api/download.py

@@ -0,0 +1,91 @@
+# Copyright 2021 Universität Tübingen, DKFZ and EMBL for the German Human Genome-Phenome Archive (GHGA)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from pyramid.view import view_config
+from pyramid.httpexceptions import HTTPNotFound, HTTPOk, HTTPTemporaryRedirect
+from pyramid.request import Request
+from pyramid.response import FileResponse
+from datetime import datetime, timedelta
+import urllib.parse
+from .. import security, models, storage
+from . import base_url
+from .files import access_file_by_user
+from ..errors import get_validation_error
+from sqlalchemy import and_
+
+
+@view_config(
+    route_name = "rpc_get_file_url",
+    renderer        = "json",
+    request_method  = "GET",
+    openapi         = True
+)
+def get_file_url(request) -> HTTPTemporaryRedirect:
+    """Redirects to a temporary, pre-sign HTTP-URL for downloading a file.
+    """
+    file_id = request.openapi_validated.parameters.path['id']
+    expires_after = request.openapi_validated.parameters.query['expires'] 
+    auth_user = security.revalidate_user(request)
+
+    # get file from db:
+    db_file = access_file_by_user(
+        request,
+        user = auth_user,
+        file_id = file_id
+    )
+
+    # retrieve URL:
+    url = storage.get_download_url(
+        request=request,
+        db_file=db_file,
+        expires_after=expires_after
+    )
+
+    return HTTPTemporaryRedirect(url)
+
+
+@view_config(
+    route_name = "download_by_token",
+    renderer        = "json",
+    request_method  = "GET"
+)
+def download_by_token(request) -> HTTPOk:
+    """Download a file using a file download token.
+
+    Usage: /download/{download_token}
+    """
+    token = request.matchdict['token']
+    hashed_token = security.hash_token(token)
+
+    # get download token from db
+    db = request.dbsession
+    db_token = db.query(models.DownloadToken).filter(
+        and_(
+            models.DownloadToken.value==hashed_token,
+            models.DownloadToken.expires>datetime.now()
+        )
+    ).one_or_none()
+
+    if db_token is None:
+        raise HTTPNotFound()
+
+    # serve file:
+    response = FileResponse(
+        storage.get_local_storage_path(request, db_token.file.storage_uri),
+        request=request,
+        content_type='application/octet-stream'
+    )
+    response.content_disposition = f"attachment; filename=\"{db_token.file.name}\""
+
+    return response

datameta/api/files.py

@@ -73,7 +73,23 @@ def delete_staged_file_from_db(file_id, db, auth_user):
     return user_uuid, file_uuid, storage_uri
 
 
+def access_file_by_user(
+    request:Request,
+    user: models.User,
+    file_id: str
+) -> models.File:
+    db = request.dbsession
+    db_file = resource.resource_by_id(db, models.File, file_id)
 
+    # Check if file could be found
+    if db_file is None:
+        raise HTTPNotFound(json=None)
+
+    # Check if requesting user has access to the file
+    if not authz.view_file(user, db_file):
+        raise HTTPForbidden(json=None)
+
+    return db_file
 
 @view_config(
     route_name      = "rpc_delete_files",
@@ -174,18 +190,12 @@ def get_file(request: Request) -> FileResponse:
     # Check authentication and raise 401 if unavailable
     auth_user = security.revalidate_user(request)
 
-    db = request.dbsession
-
     # Obtain file from database
-    db_file = resource.resource_by_id(db, models.File, request.matchdict['id'])
-
-    # Check if file could be found
-    if db_file is None:
-        raise HTTPNotFound(json=None)
-
-    # Check if requesting user has access to the file
-    if not authz.view_file(auth_user, db_file):
-        raise HTTPForbidden(json=None)
+    db_file = access_file_by_user(
+        request,
+        user = auth_user,
+        file_id = request.matchdict['id']
+    )
 
     # Return details
     return FileResponse(

datameta/api/openapi.yaml

@@ -15,7 +15,7 @@
 openapi: 3.0.0
 info:
   description: DataMeta
-  version: 0.14.0
+  version: 0.15.0
   title: DataMeta
 
 servers:
@@ -190,6 +190,54 @@ paths:
           description: Internal Server Error
 
 
+  /rpc/get-file-url/{id}:
+    get:
+      summary: "[Not RESTful]: Redirects to a temporary, pre-signed HTTP-URL for downloading a file."
+      description: >-
+        For the file with the given ID, this enpoint will redirect to a pre-signed HTTP URL for
+        downloading the requested file. The pre-signed URL times out after a certain amount of
+        time which can be configured with the "expires" query string.
+        [Attention this endpoint is not RESTful, the result should not be cached.]
+      tags:
+        - Remote Procedure Calls
+      operationId: GetFileUrl
+      parameters:
+        - name: id
+          in: path
+          description: ID of the file
+          required: true
+          schema:
+            type: string
+        - name: expires
+          in: query
+          description: Minutes until the pre-signed URL will expire, defaults to 1
+          schema:
+            type: integer
+            default: 1
+      responses:
+        '307':
+          description: Redirecting to the pre-signed URL of the file
+          headers:
+            location:
+              description: Location to redirect to
+              schema:
+                type: string
+        '400':
+          description: Validation Error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ErrorModel"
+        '401':
+          description: Unauthorized
+        '403':
+          description: Forbidden
+        '404':
+          description: The specified file does not exist.
+        '500':
+          description: Internal Server Error
+
+
   /users/{id}/keys:
     get:
       summary: All API keys for a user

datameta/models/__init__.py

@@ -30,7 +30,8 @@
         MetaDataSet,
         ApplicationSettings,
         DateTimeMode,
-        ApiKey
+        ApiKey,
+        DownloadToken
         ) # flake8: noqa
 
 # run configure_mappers after defining all of the models to ensure

datameta/models/db.py

@@ -127,6 +127,17 @@ class File(Base):
     # Relationships
     metadatumrecord  = relationship('MetaDatumRecord', back_populates='file', uselist=False)
     user             = relationship('User', back_populates='files')
+    downloadtokens  = relationship('DownloadToken', back_populates='file')
+
+class DownloadToken(Base):
+    __tablename__    = 'downloadtokens'
+    id               = Column(Integer, primary_key=True)
+    uuid             = Column(UUID(as_uuid=True), unique=True, default=uuid.uuid4, nullable=False)
+    file_id          = Column(Integer, ForeignKey('files.id'), nullable=False)
+    value            = Column(Text, nullable=False, unique=True)
+    expires          = Column(DateTime, nullable=False)
+    # Relationships
+    file             = relationship('File', back_populates='downloadtokens')
 
 class Submission(Base):
     __tablename__    = 'submissions'

datameta/storage.py

@@ -16,7 +16,11 @@
 import shutil
 import logging
 import hashlib
-from . import security
+from datetime import datetime, timedelta
+from pyramid.request import Request
+from typing import Optional
+from . import security, models
+from .api import base_url
 
 log = logging.getLogger(__name__)
 
@@ -141,3 +145,43 @@ def freeze(request, db_file):
     if db_file.storage_uri.startswith("s3://"):
         return _freeze_s3(request, db_file)
     raise NotImplementedError()
+
+def _get_download_url_local(request:Request, db_file:models.File, expires_after:Optional[int]=None):
+    if expires_after is None:
+        expires_after = 1
+
+    token = security.generate_token()
+    token_hash = security.hash_token(token)
+    expires = datetime.now() + timedelta(minutes=float(expires_after))
+
+    db = request.dbsession
+    download_token = models.DownloadToken(
+        file_id = db_file.id,
+        value = token_hash,
+        expires = expires
+    )
+    db.add(download_token)
+
+    return f"{base_url}/download/{token}"
+
+def _get_download_url_s3(request:Request, db_file:models.File, expires_after:Optional[int]=None):
+    # TODO
+    raise NotImplementedError()
+
+def get_download_url(request:Request, db_file:models.File, expires_after:Optional[int]=None):
+    """Get a presigned URL to download a file
+
+    Args:
+        request (Request): The calling HTTP request 
+        db_file (models.File): The database 'File' object
+        expires_after (Optional[int]): Number of minutes after which the URL will expire
+    """
+    if db_file.storage_uri is None:
+        raise NoDataError() # No data has been uploaded yet
+    if db_file.storage_uri.startswith("file://"):
+        return _get_download_url_local(request, db_file, expires_after=expires_after)
+    if db_file.storage_uri.startswith("s3://"):
+        return _get_download_url_s3(request, db_file, expires_after=expires_after)
+    raise NotImplementedError()
+
+