Addressed comments

Author: csc-jm

Makefile

@@ -53,9 +53,6 @@ get_env: ## Get secrets needed for integration tests from vault
 	$(call write_secret,SDS_AAI_CLIENT_ID,sd-submit/secrets,sds_aai_id) \
 	$(call write_secret,SDS_AAI_CLIENT_SECRET,sd-submit/secrets,sds_aai_secret) \
 	$(call write_secret,SDS_AAI_URL,sd-submit/secrets,sds_aai_url) \
-	$(call write_secret,LS_AAI_CLIENT_ID,sd-submit/secrets,ls_aai_id) \
-	$(call write_secret,LS_AAI_CLIENT_SECRET,sd-submit/secrets,ls_aai_secret) \
-	$(call write_secret,LS_AAI_URL,sd-submit/secrets,ls_aai_url) \
 	$(call write_secret,KEYSTONE_ENDPOINT,sd-submit/secrets,pouta_host) \
 	$(call write_secret,NBIS_JWT_PUBLIC_KEY,sd-submit/secrets,nbis_jwt_public_key) \
 	$(call write_integration_test_secret,DATACITE_API,sd-submit/datacite_test,DOI_API) \

docker-compose.yml

@@ -75,9 +75,6 @@ services:
       start_period: 30s
     environment:
       - "DEPLOYMENT=NBIS"
-      - "OIDC_CLIENT_SECRET=${LS_AAI_CLIENT_SECRET:-${OIDC_CLIENT_SECRET:?OIDC_CLIENT_SECRET must be defined}}"
-      - "OIDC_CLIENT_ID=${LS_AAI_CLIENT_ID:-${OIDC_CLIENT_ID:?OIDC_CLIENT_ID must be defined}}"
-      - "OIDC_URL=${LS_AAI_URL:-${OIDC_URL:?OIDC_URL must be defined}}"
       - "BASE_URL=http://sd-submit-api-nbis:5431"
       - "OIDC_REDIRECT_URL=${OIDC_REDIRECT_URL}"
       - "OIDC_SECURE_COOKIE=${OIDC_SECURE_COOKIE}"
@@ -101,9 +98,9 @@ services:
       - "S3_ENDPOINT=${S3_INBOX_ENDPOINT:?S3_INBOX_ENDPOINT must be defined}"
       - "ADMIN_URL=${SDA_API_URL}"
       - "ADMIN_TOKEN=${ADMIN_TOKEN}"
-      - "BP_PUBLIC_C4GH_KEY=${C4GH_RECIPIENT_PUBLIC_KEY:?C4GH_RECIPIENT_PUBLIC_KEY must be defined}"
-      - "SENDER_SECRET_KEY=${C4GH_SENDER_SECRET_KEY:?C4GH_SENDER_SECRET_KEY must be defined}"
-      - "SECRET_KEY_PASSPHRASE=${C4GH_SECRET_KEY_PASSPHRASE:?C4GH_SECRET_KEY_PASSPHRASE must be defined}"
+      - "CRYPT4GH_PUBLIC_KEY=${C4GH_RECIPIENT_PUBLIC_KEY:?C4GH_RECIPIENT_PUBLIC_KEY must be defined}"
+      - "CRYPT4GH_PRIVATE_KEY=${C4GH_SENDER_SECRET_KEY:?C4GH_SENDER_SECRET_KEY must be defined}"
+      - "CRYPT4GH_PRIVATE_KEY_PASSPHRASE=${C4GH_SECRET_KEY_PASSPHRASE:?C4GH_SECRET_KEY_PASSPHRASE must be defined}"
       - "ALLOW_UNSAFE=${ALLOW_UNSAFE}"
 
   mock-oauth2:

metadata_backend/api/handlers/publish.py

@@ -15,34 +15,16 @@
 from ..models.models import File, Registration, SubmissionId
 from ..models.submission import Rems, Submission, SubmissionMetadata, SubmissionWorkflow
 from ..processors.xml.bigpicture import (
-    BP_ANNOTATION_OBJECT_TYPE,
-    BP_DATASET_OBJECT_TYPE,
-    BP_IMAGE_OBJECT_TYPE,
-    BP_OBSERVATION_OBJECT_TYPE,
-    BP_OBSERVER_OBJECT_TYPE,
     BP_POLICY_OBJECT_TYPE,
-    BP_SAMPLE_OBJECT_TYPES,
-    BP_STAINING_OBJECT_TYPE,
     BP_XML_OBJECT_CONFIG,
 )
 from ..processors.xml.processors import XmlObjectProcessor
+from ..services.bigpicture import upload_bp_metadata_xmls
 from ..services.datacite import DataciteService
-from ..services.file import S3InboxSDAService
 from ..services.submission.bigpicture import is_clinical_policy
 from .restapi import RESTAPIHandler
 from .submission import SubmissionAPIHandler
 
-BP_METADATA_FILES: tuple[tuple[str | tuple[str, ...], str], ...] = (
-    (BP_DATASET_OBJECT_TYPE, "dataset.xml.c4gh"),
-    (BP_POLICY_OBJECT_TYPE, "policy.xml.c4gh"),
-    (BP_IMAGE_OBJECT_TYPE, "image.xml.c4gh"),
-    (BP_ANNOTATION_OBJECT_TYPE, "annotation.xml.c4gh"),
-    (BP_OBSERVATION_OBJECT_TYPE, "observation.xml.c4gh"),
-    (BP_OBSERVER_OBJECT_TYPE, "observer.xml.c4gh"),
-    (tuple(BP_SAMPLE_OBJECT_TYPES), "sample.xml.c4gh"),
-    (BP_STAINING_OBJECT_TYPE, "staining.xml.c4gh"),
-)
-
 
 class PublishAPIHandler(RESTAPIHandler):
     """Publish API handler."""
@@ -161,7 +143,7 @@ async def _publish_rems(self, submission: Submission, rems: Rems, registration:
             # Create REMS resource.
             if not registration.remsResourceId:
                 if submission.workflow == SubmissionWorkflow.BP:
-                    # Use BigPicture dataset id as the REMS resource id.
+                    # Use Bigpicture dataset id as the REMS resource id.
                     resid = submission.submissionId
                 elif registration.doi is not None:
                     # Use DOI as the REMS resource id.
@@ -331,7 +313,7 @@ async def publish_submission(
             jwt = self._services.auth._get_bearer_token(headers)
             if not jwt:
                 raise UserException("Missing OIDC access token in Authorization bearer header for SDA inbox upload.")
-            await self._upload_bp_metadata_xmls(submission_id, user.user_id, jwt)
+            await upload_bp_metadata_xmls(self._services, submission_id, user.user_id, jwt)
 
         # Update submission status to published.
         await submission_service.publish(submission_id)
@@ -406,32 +388,6 @@ async def _register_submission(self, submission: Submission, datacite: DataCiteM
         if self._handlers.metax is not None:
             await self._publish_metax(registration)
 
-    async def _upload_bp_metadata_xmls(self, submission_id: str, user_id: str, jwt: str) -> None:
-        """Upload encrypted Bigpicture metadata XML files to SDA inbox."""
-        file_provider = self._services.file_provider
-        if not isinstance(file_provider, S3InboxSDAService):
-            raise SystemException("Bigpicture metadata upload requires SDA inbox file provider service.")
-
-        bucket = user_id.replace("@", "_")  # SDA inbox bucket name is the user id with @ replaced by underscore
-        prefix = f"DATASET_{submission_id}/METADATA"
-        for object_type, filename in BP_METADATA_FILES:
-            xml = None
-            async for xml_doc in self._services.object.get_xml_documents(submission_id, object_type):
-                xml = xml_doc
-                break
-            if xml is None:
-                continue
-
-            object_key = f"{prefix}/{filename}"
-            await file_provider._add_file_to_bucket(
-                bucket_name=bucket,
-                object_key=object_key,
-                access_key=user_id,
-                secret_key=user_id,
-                session_token=jwt,
-                body=xml.encode("utf-8"),
-            )
-
     @staticmethod
     def _create_registration(submission_id: str, title: str, description: str, doi: str) -> Registration:
         """Create submission registration.

metadata_backend/api/handlers/restapi.py

@@ -49,7 +49,7 @@ class RESTAPIServiceHandlers(BaseModel):
     ror: RorServiceHandler | None
     rems: RemsServiceHandler
     keystone: KeystoneServiceHandler | None
-    auth: AuthServiceHandler
+    auth: AuthServiceHandler | None
     admin: AdminServiceHandler | None = None
     database: HealthHandler
 

metadata_backend/api/services/bigpicture.py

@@ -0,0 +1,112 @@
+"""Bigpicture API services."""
+
+from ..exceptions import SystemException
+from ..handlers.restapi import RESTAPIServices
+from ..processors.xml.bigpicture import (
+    BP_ANNOTATION_OBJECT_TYPE,
+    BP_DATASET_OBJECT_TYPE,
+    BP_IMAGE_OBJECT_TYPE,
+    BP_LANDING_PAGE_OBJECT_TYPE,
+    BP_OBSERVATION_OBJECT_TYPE,
+    BP_OBSERVER_OBJECT_TYPE,
+    BP_ORGANISATION_OBJECT_TYPE,
+    BP_POLICY_OBJECT_TYPE,
+    BP_REMS_OBJECT_TYPE,
+    BP_SAMPLE_OBJECT_TYPES,
+    BP_STAINING_OBJECT_TYPE,
+)
+from .file import S3InboxSDAService
+
+BP_METADATA_FILES: tuple[tuple[str | tuple[str, ...], str], ...] = (
+    (BP_DATASET_OBJECT_TYPE, "dataset.xml.c4gh"),
+    (BP_POLICY_OBJECT_TYPE, "policy.xml.c4gh"),
+    (BP_IMAGE_OBJECT_TYPE, "image.xml.c4gh"),
+    (BP_ANNOTATION_OBJECT_TYPE, "annotation.xml.c4gh"),
+    (BP_OBSERVATION_OBJECT_TYPE, "observation.xml.c4gh"),
+    (BP_OBSERVER_OBJECT_TYPE, "observer.xml.c4gh"),
+    (tuple(BP_SAMPLE_OBJECT_TYPES), "sample.xml.c4gh"),
+    (BP_STAINING_OBJECT_TYPE, "staining.xml.c4gh"),
+)
+
+BP_LANDING_PAGE: tuple[tuple[str, str], ...] = ((BP_LANDING_PAGE_OBJECT_TYPE, "landing_page.xml.c4gh"),)
+
+BP_PRIVATE_METDATA_FILES: tuple[tuple[str, str], ...] = (
+    (BP_ORGANISATION_OBJECT_TYPE, "organisation.xml.c4gh"),
+    (BP_REMS_OBJECT_TYPE, "rems.xml.c4gh"),
+)
+
+
+async def _upload_xml_documents(
+    services: RESTAPIServices,
+    file_provider: S3InboxSDAService,
+    *,
+    bucket_name: str,
+    prefix: str,
+    object_files: tuple[tuple[str | tuple[str, ...], str], ...],
+    user_id: str,
+    jwt: str,
+    submission_id: str,
+) -> None:
+    for object_type, filename in object_files:
+        xml = None
+        async for xml_doc in services.object.get_xml_documents(submission_id, object_type):
+            xml = xml_doc
+            break
+        if xml is None:
+            continue
+
+        object_key = f"{prefix}/{filename}"
+        await file_provider._add_file_to_bucket(
+            bucket_name=bucket_name,
+            object_key=object_key,
+            access_key=user_id,
+            secret_key=user_id,
+            session_token=jwt,
+            body=xml.encode("utf-8"),
+        )
+
+
+async def upload_bp_metadata_xmls(services: RESTAPIServices, submission_id: str, user_id: str, jwt: str) -> None:
+    """Upload encrypted Bigpicture metadata XML files to SDA inbox."""
+    file_provider = services.file_provider
+    if not isinstance(file_provider, S3InboxSDAService):
+        raise SystemException("Bigpicture metadata upload requires SDA inbox file provider service.")
+
+    bucket = user_id.replace("@", "_")  # SDA inbox bucket name is the user id with @ replaced by underscore
+
+    # Metadata XML files
+    await _upload_xml_documents(
+        services,
+        file_provider,
+        bucket_name=bucket,
+        prefix=f"DATASET_{submission_id}/METADATA",
+        object_files=BP_METADATA_FILES,
+        user_id=user_id,
+        jwt=jwt,
+        submission_id=submission_id,
+    )
+
+    # Landing page XML file
+    await _upload_xml_documents(
+        services,
+        file_provider,
+        bucket_name=bucket,
+        prefix=f"DATASET_{submission_id}/LANDING_PAGE",
+        object_files=BP_LANDING_PAGE,
+        user_id=user_id,
+        jwt=jwt,
+        submission_id=submission_id,
+    )
+
+    # Private metadata XML files
+    # TODO(improve): Add datacite.xml to private metadata files once datacite.xml is available
+    await _upload_xml_documents(
+        services,
+        file_provider,
+        bucket_name=bucket,
+        prefix=f"DATASET_{submission_id}/PRIVATE",
+        object_files=BP_PRIVATE_METDATA_FILES,
+        user_id=user_id,
+        jwt=jwt,
+        submission_id=submission_id,
+    )

metadata_backend/api/services/file.py

@@ -442,8 +442,8 @@ async def _load_crypt4gh_keys(self) -> tuple[object, object]:
         """Load Crypt4GH sender secret and recipient public keys from env variables."""
         conf = c4gh_config()
         try:
-            sender_key_pem = base64.b64decode(conf.SENDER_SECRET_KEY).decode("utf-8")
-            recipient_key_pem = base64.b64decode(conf.BP_PUBLIC_C4GH_KEY).decode("utf-8")
+            sender_key_pem = base64.b64decode(conf.CRYPT4GH_PRIVATE_KEY).decode("utf-8")
+            recipient_key_pem = base64.b64decode(conf.CRYPT4GH_PUBLIC_KEY).decode("utf-8")
         except (binascii.Error, UnicodeDecodeError) as ex:
             raise SystemException("Invalid base64 in C4GH key environment variables.") from ex
 
@@ -458,7 +458,7 @@ async def _load_crypt4gh_keys(self) -> tuple[object, object]:
             if private_data.startswith(c4gh.MAGIC_WORD):
                 private_stream.seek(len(c4gh.MAGIC_WORD))
 
-            sender_secret_key = c4gh.parse_private_key(private_stream, lambda: conf.SECRET_KEY_PASSPHRASE)
+            sender_secret_key = c4gh.parse_private_key(private_stream, lambda: conf.CRYPT4GH_PRIVATE_KEY_PASSPHRASE)
             recipient_public_key = public_data
             return sender_secret_key, recipient_public_key
         except Exception as ex:

metadata_backend/api/services/submission/bigpicture.py

@@ -78,7 +78,7 @@ def is_clinical_policy(policy_processor: XmlObjectProcessor) -> bool:
 
 
 class BigpictureObjectSubmissionService(ObjectSubmissionService):
-    """Service for processing BigPicture submissions."""
+    """Service for processing Bigpicture submissions."""
 
     def __init__(
         self,
@@ -140,7 +140,7 @@ def _create_processor(objects: list[ObjectSubmission]) -> tuple[XmlStringDocumen
         if datacite_object:
             datacite = read_datacite_xml(datacite_object.document)
 
-        # Create processor for BigPicture XMLs.
+        # Create processor for Bigpicture XMLs.
         processor = XmlStringDocumentsProcessor(BP_XML_OBJECT_CONFIG, [o.document for o in bp_objects])
         return processor, datacite
 

metadata_backend/conf/c4gh.py

@@ -9,9 +9,9 @@ class Crypt4GHConfig(BaseSettings):
 
     model_config = {"extra": "allow"}  # Allow creation using the constructor.
 
-    SENDER_SECRET_KEY: str = Field(description="Base64 encoded private Crypt4GH key")
-    SECRET_KEY_PASSPHRASE: str = Field(description="Secret key passphrase")
-    BP_PUBLIC_C4GH_KEY: str = Field(description="Base64 encoded public Crypt4GH key for Bigpicture")
+    CRYPT4GH_PRIVATE_KEY: str = Field(description="Base64 encoded private Crypt4GH key")
+    CRYPT4GH_PRIVATE_KEY_PASSPHRASE: str = Field(description="Secret key passphrase")
+    CRYPT4GH_PUBLIC_KEY: str = Field(description="Base64 encoded public Crypt4GH key for Bigpicture")
 
 
 def c4gh_config() -> Crypt4GHConfig:

metadata_backend/server.py

@@ -183,12 +183,14 @@ async def _shutdown() -> None:
     pid_handler = None
     admin_handler = None
     keystone_handler = None
+    auth_handler = None
 
     if config.DEPLOYMENT == DEPLOYMENT_CSC:
         metax_handler = _create_handler(MetaxServiceHandler())
         ror_handler = _create_handler(RorServiceHandler())
         pid_handler = _create_handler(PIDServiceHandler(metax_handler))
         keystone_handler = _create_handler(KeystoneServiceHandler())
+        auth_handler = _create_handler(AuthServiceHandler())
 
     if config.DEPLOYMENT == DEPLOYMENT_NBIS:
         datacite_handler = _create_handler(DataciteServiceHandler(metax_handler))
@@ -200,7 +202,6 @@ async def _shutdown() -> None:
     )
 
     rems_handler = _create_handler(RemsServiceHandler())
-    auth_handler = _create_handler(AuthServiceHandler())
 
     # Provide services for FastAPI routes.
     services = RESTAPIServices(

tests/integration/conftest.py

@@ -34,7 +34,7 @@
     get_submission,
 )
 from tests.utils import (
-    BigPictureObjectNames,
+    BigpictureObjectNames,
     bp_submission_documents,
     bp_update_documents,
     get_test_es256_keypair,
@@ -143,20 +143,20 @@ async def _update(
 class SubmissionCallableBigpicture(Protocol):
     def __call__(
         self, is_datacite: bool
-    ) -> Awaitable[tuple[Submission, BigPictureObjectNames]]: ...  # submission names, object names
+    ) -> Awaitable[tuple[Submission, BigpictureObjectNames]]: ...  # submission names, object names
 
 
 class SubmissionUpdateCallableBigpicture(Protocol):
     def __call__(
-        self, submission_id: str, submission_name: str, object_names: BigPictureObjectNames, is_datacite: bool
+        self, submission_id: str, submission_name: str, object_names: BigpictureObjectNames, is_datacite: bool
     ) -> Awaitable[Submission]: ...
 
 
 @pytest.fixture
 async def bp_submission(nbis_client: aiohttp.ClientSession, project_id: str) -> SubmissionCallableBigpicture:
     """Create Bigpicture submission using the /submit endpoint."""
 
-    async def _create(is_datacite: bool = False) -> tuple[Submission, BigPictureObjectNames]:  # noqa
+    async def _create(is_datacite: bool = False) -> tuple[Submission, BigpictureObjectNames]:  # noqa
         submission_name, object_names, files = bp_submission_documents(is_datacite=is_datacite)
 
         # Post submission.
@@ -178,7 +178,7 @@ async def bp_submission_update(
     """
 
     async def _update(
-        submission_id: str, submission_name: str, object_names: BigPictureObjectNames, is_datacite: bool
+        submission_id: str, submission_name: str, object_names: BigpictureObjectNames, is_datacite: bool
     ) -> Submission:  # noqa
         _, _, files = bp_update_documents(submission_name, object_names, is_datacite)