Updated how we do security for the endpoint and fixed a test

CDCgov · Sep 4, 2024 · 46fbf8f · 46fbf8f
1 parent 5f0d760
commit 46fbf8f
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 21 deletions.
diff --git a/prime-router/src/main/kotlin/azure/ReportFunction.kt b/prime-router/src/main/kotlin/azure/ReportFunction.kt
@@ -32,7 +32,6 @@ import gov.cdc.prime.router.common.JacksonMapperUtilities
 import gov.cdc.prime.router.fhirengine.utils.FhirTranscoder
 import gov.cdc.prime.router.history.azure.SubmissionsFacade
 import gov.cdc.prime.router.tokens.AuthenticatedClaims
-import gov.cdc.prime.router.tokens.Scope
 import gov.cdc.prime.router.tokens.authenticationFailure
 import gov.cdc.prime.router.tokens.authorizationFailure
 import org.apache.logging.log4j.kotlin.Logging
@@ -101,29 +100,25 @@ class ReportFunction(
         @HttpTrigger(
             name = "downloadReport",
             methods = [HttpMethod.GET],
-            authLevel = AuthorizationLevel.ANONYMOUS,
+            authLevel = AuthorizationLevel.FUNCTION,
             route = "reports/download"
         ) request: HttpRequestMessage<String?>,
     ): HttpResponseMessage {
-        val claims = AuthenticatedClaims.authenticate(request)
-        if (claims != null && claims.authorized(setOf(Scope.primeAdminScope))) {
-            val reportId = request.queryParameters[REPORT_ID_PARAMETER]
-            val removePIIRaw = request.queryParameters[REMOVE_PII]
-            var removePII = false
-            if (removePIIRaw.isNullOrBlank() || removePIIRaw.toBoolean()) {
-                removePII = true
-            }
-            if (reportId.isNullOrBlank()) {
-                return HttpUtilities.badRequestResponse(request, "Must provide a reportId.")
-            }
-            return processDownloadReport(
-                request,
-                ReportId.fromString(reportId),
-                removePII,
-                Environment.get().envName
-            )
+        val reportId = request.queryParameters[REPORT_ID_PARAMETER]
+        val removePIIRaw = request.queryParameters[REMOVE_PII]
+        var removePII = false
+        if (removePIIRaw.isNullOrBlank() || removePIIRaw.toBoolean()) {
+            removePII = true
+        }
+        if (reportId.isNullOrBlank()) {
+            return HttpUtilities.badRequestResponse(request, "Must provide a reportId.")
         }
-        return HttpUtilities.unauthorizedResponse(request)
+        return processDownloadReport(
+            request,
+            ReportId.fromString(reportId),
+            removePII,
+            Environment.get().envName
+        )
     }
 
     fun processDownloadReport(

diff --git a/prime-router/src/test/kotlin/azure/ReportFunctionTests.kt b/prime-router/src/test/kotlin/azure/ReportFunctionTests.kt
@@ -774,14 +774,16 @@ class ReportFunctionTests {
         val blobConnectionInfo = mockk<BlobAccess.BlobContainerMetadata>()
         every { blobConnectionInfo.getBlobEndpoint() } returns "http://endpoint/metadata"
         every { BlobAccess.downloadBlobAsByteArray(any<String>()) } returns fhirReport.toByteArray(Charsets.UTF_8)
+        val reportId = UUID.randomUUID()
+        every { mockDb.fetchReportFile(reportId, null, null) } returns reportFile
 
         val metadata = UnitTestUtils.simpleMetadata
         val settings = FileSettings().loadOrganizations(oneOrganization)
         val actionHistory = spyk(ActionHistory(TaskAction.receive))
 
         val result = ReportFunction(makeEngine(metadata, settings), actionHistory).processDownloadReport(
             MockHttpRequestMessage(),
-            UUID.randomUUID(),
+            reportId,
             true,
             "local",
             mockDb