fix misc issues with auth impl, add validate ssl flag, improve some l…

…ogging

bento_beacon/app.py

@@ -114,5 +114,5 @@ def generic_exception_handler(e):
         current_app.logger.error(f"HTTP Exception: {e}")
         return beacon_error_response(e.name, e.code), e.code
 
-    current_app.logger.error(f"Server Error: {e}")
+    current_app.logger.error(f"Server Error: {repr(e)}")
     return beacon_error_response("Server Error", 500), 500

bento_beacon/authz/access.py

@@ -21,14 +21,14 @@ def get_token_endpoint_from_openid_config_url(url: str, validate_ssl: bool = Tru
 def get_access_token() -> str | None:
     logger = current_app.logger
 
-    oidc_config_url = current_app.config["BENTO_OPENID_CONFIG_URL"]
+    oidc_config_url = current_app.config["OPENID_CONFIG_URL"]
     client_id = current_app.config["CLIENT_ID"]
     client_secret = current_app.config["CLIENT_SECRET"]
-    validate_ssl = not current_app.config["BENTO_DEBUG"]
+    validate_ssl = current_app.config["BENTO_VALIDATE_SSL"]
 
     if not all((oidc_config_url, client_id, client_secret)):
         logger.error(
-            "Could not retrieve access token; one of BENTO_OPENID_CONFIG_URL | CLIENT_ID | CLIENT_SECRET is not set"
+            "Could not retrieve access token; one of OPENID_CONFIG_URL | CLIENT_ID | CLIENT_SECRET is not set"
         )
         return None
 
@@ -48,6 +48,10 @@ def get_access_token() -> str | None:
         },
     )
 
+    if not token_res.ok:
+        logger.error(f"Could not retrieve access token; got error response: {token_res.json()}")
+        return None
+
     return token_res.json()["access_token"]
 
 
@@ -60,7 +64,7 @@ def create_access_header_or_fall_back():
 
     access_token = get_access_token()
     if access_token is None:
-        logger.error("Could not retrieve access token; falling back to request headers")
+        logger.error("create_access_header_or_fall_back: falling back to request headers")
         return auth_header_from_request()
     else:
         return {"Authorization": f"Bearer {access_token}"}

bento_beacon/config_files/config.py

@@ -1,5 +1,7 @@
 import json
 import os
+import urllib3
+
 
 GA4GH_BEACON_REPO_URL = "https://raw.githubusercontent.com/ga4gh-beacon/beacon-v2"
 
@@ -8,6 +10,15 @@ def str_to_bool(value: str) -> bool:
     return value.strip().lower() in ("true", "1", "t", "yes")
 
 
+DEBUG = str_to_bool(os.environ.get("BENTO_DEBUG", os.environ.get("FLASK_DEBUG", "false")))
+VALIDATE_SSL = str_to_bool(os.environ.get("BENTO_VALIDATE_SSL", str(not DEBUG)))
+
+if not VALIDATE_SSL:
+    # Don't let urllib3 spam us with SSL validation warnings if we're operating with SSL validation off, most likely in
+    # a development/test context where we're using self-signed certificates.
+    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+
 class Config:
     BEACON_SPEC_VERSION = "v2.0.0"
 
@@ -26,7 +37,8 @@ class Config:
 
     DEFAULT_PAGINATION_PAGE_SIZE = 10
 
-    BENTO_DEBUG = str_to_bool(os.environ.get("BENTO_DEBUG", os.environ.get("FLASK_DEBUG", "false")))
+    BENTO_DEBUG = DEBUG
+    BENTO_VALIDATE_SSL = VALIDATE_SSL
 
     BENTO_DOMAIN = os.environ.get("BENTOV2_DOMAIN")
     BEACON_BASE_URL = os.environ.get("BEACON_BASE_URL")

bento_beacon/utils/gohan_utils.py

@@ -179,7 +179,11 @@ def gohan_network_call(url, gohan_args):
     c = current_app.config
     try:
         r = requests.get(
-            url, headers=create_access_header_or_fall_back(), timeout=c["GOHAN_TIMEOUT"], params=gohan_args
+            url,
+            headers=create_access_header_or_fall_back(),
+            params=gohan_args,
+            timeout=c["GOHAN_TIMEOUT"],
+            verify=c["BENTO_VALIDATE_SSL"],
         )
 
         # handle gohan errors or any bad responses

bento_beacon/utils/katsu_utils.py

@@ -54,7 +54,13 @@ def katsu_network_call(payload, endpoint=None):
     current_app.logger.debug(f"calling katsu url {url}")
 
     try:
-        r = requests.post(url, headers=create_access_header_or_fall_back(), timeout=c["KATSU_TIMEOUT"], json=payload)
+        r = requests.post(
+            url,
+            headers=create_access_header_or_fall_back(),
+            json=payload,
+            timeout=c["KATSU_TIMEOUT"],
+            verify=c["BENTO_VALIDATE_SSL"],
+        )
 
         katsu_response = r.json()
         if not r.ok:
@@ -78,7 +84,7 @@ def katsu_network_call(payload, endpoint=None):
 def katsu_get(endpoint, id=None, query="", requires_auth: Literal["none", "forwarded", "full"] = "none"):
     c = current_app.config
     katsu_base_url = c["KATSU_BASE_URL"]
-    timeout = current_app.config["KATSU_TIMEOUT"]
+    timeout = c["KATSU_TIMEOUT"]
 
     # construct request url
     url_components = urlsplit(katsu_base_url)
@@ -99,7 +105,7 @@ def katsu_get(endpoint, id=None, query="", requires_auth: Literal["none", "forwa
             headers = auth_header_from_request()
         elif requires_auth == "full":
             headers = create_access_header_or_fall_back()
-        r = requests.get(query_url, headers=headers, timeout=timeout)
+        r = requests.get(query_url, headers=headers, timeout=timeout, verify=c["BENTO_VALIDATE_SSL"])
         katsu_response = r.json()
 
     except JSONDecodeError:
@@ -309,7 +315,9 @@ def overview_statistics():
 
 def katsu_censorship_settings() -> tuple[int | None, int | None]:
     # TODO: should be project-dataset scoped
-    rules = katsu_get(current_app.config["KATSU_PUBLIC_RULES"], requires_auth="forwarded")
+    # TODO: should be called on-the-fly and pass request authorization headers onward, since this can change based on
+    #  scoping and the token's particular permissions.
+    rules = katsu_get(current_app.config["KATSU_PUBLIC_RULES"], requires_auth="none")
     max_filters = rules.get("max_query_parameters")
     count_threshold = rules.get("count_threshold")
     # return even if None