add logs and add user ID to logs

gen3workflow/auth.py

@@ -84,8 +84,10 @@ async def authorize(
             authorized = False
 
         if not authorized:
+            token_claims = await self.get_token_claims() if token else {}
+            user_id = token_claims.get("sub")
             logger.error(
-                f"Authorization error: token must have '{method}' access on {resources} for service 'gen3-workflow'."
+                f"Authorization error for user '{user_id}': token must have '{method}' access on {resources} for service 'gen3-workflow'."
             )
             if throw:
                 raise HTTPException(
@@ -104,7 +106,7 @@ async def grant_user_access_to_their_own_tasks(self, username, user_id) -> None:
             user_id (str): The user's unique Gen3 ID
         """
         logger.info(
-            f"Granting user '{username}' access to their own tasks if they don't already have it"
+            f"Granting user '{user_id}' access to their own tasks if they don't already have it"
         )
         resource_path = f"/users/{user_id}/gen3-workflow/tasks"
         if await self.authorize(method="read", resources=[resource_path], throw=False):

gen3workflow/aws_utils.py

@@ -59,7 +59,7 @@ def create_user_bucket(user_id: str) -> Tuple[str, str, str]:
                 "LocationConstraint": config["USER_BUCKETS_REGION"]
             },
         )
-    logger.debug(f"Created S3 bucket '{user_bucket_name}'")
+    logger.info(f"Created S3 bucket '{user_bucket_name} for user '{user_id}'")
 
     # set up KMS encryption on the bucket.
     # the only way to check if the KMS key has already been created is to use an alias

gen3workflow/routes/ga4gh_tes.py

@@ -31,7 +31,14 @@ async def get_request_body(request: Request):
 
 
 @router.get("/service-info", status_code=HTTP_200_OK)
-async def service_info(request: Request) -> dict:
+async def service_info(request: Request, auth=Depends(Auth)) -> dict:
+    try:
+        token_claims = await auth.get_token_claims()
+    except Exception:
+        token_claims = {}
+    user_id = token_claims.get("sub")
+    logger.info(f"User '{user_id}' getting TES service info")
+
     url = f"{config['TES_SERVER_URL']}/service-info"
     res = await request.app.async_client.get(url)
     if res.status_code != HTTP_200_OK:
@@ -89,6 +96,7 @@ async def create_task(request: Request, auth=Depends(Auth)) -> dict:
         err_msg = "No context.user.name in token"
         logger.error(err_msg)
         raise HTTPException(HTTP_401_UNAUTHORIZED, err_msg)
+    logger.info(f"User '{user_id}' creating TES task")
 
     # Fetch the list of images from request body as a set
     images_from_request = {
@@ -156,6 +164,13 @@ def apply_view_to_task(view: str, task: dict) -> dict:
 
 @router.get("/tasks", status_code=HTTP_200_OK)
 async def list_tasks(request: Request, auth=Depends(Auth)) -> dict:
+    try:
+        token_claims = await auth.get_token_claims()
+    except Exception:
+        token_claims = {}
+    user_id = token_claims.get("sub")
+    logger.info(f"User '{user_id}' listing TES tasks")
+
     supported_params = {
         "name_prefix",
         "state",
@@ -216,6 +231,13 @@ async def list_tasks(request: Request, auth=Depends(Auth)) -> dict:
 
 @router.get("/tasks/{task_id}", status_code=HTTP_200_OK)
 async def get_task(request: Request, task_id: str, auth=Depends(Auth)) -> dict:
+    try:
+        token_claims = await auth.get_token_claims()
+    except Exception:
+        token_claims = {}
+    user_id = token_claims.get("sub")
+    logger.info(f"User '{user_id}' getting TES task '{task_id}'")
+
     supported_params = {"view"}
     query_params = {
         k: v for k, v in dict(request.query_params).items() if k in supported_params
@@ -246,6 +268,13 @@ async def get_task(request: Request, task_id: str, auth=Depends(Auth)) -> dict:
 
 @router.post("/tasks/{task_id}:cancel", status_code=HTTP_200_OK)
 async def cancel_task(request: Request, task_id: str, auth=Depends(Auth)) -> dict:
+    try:
+        token_claims = await auth.get_token_claims()
+    except Exception:
+        token_claims = {}
+    user_id = token_claims.get("sub")
+    logger.info(f"User '{user_id}' deleting TES task '{task_id}'")
+
     # check if this user has access to delete this task
     url = f"{config['TES_SERVER_URL']}/tasks/{task_id}?view=FULL"
     res = await request.app.async_client.get(url)

gen3workflow/routes/s3.py

@@ -72,8 +72,6 @@ async def s3_endpoint(path: str, request: Request):
     TODO: users can currently use this to get any output files. How to limit access to outputs so
     users can't for example output and see controlled data?
     """
-    logger.debug(f"Incoming S3 request: '{request.method} {path}'")
-
     # extract the user's access token from the request headers, and ensure the user has access
     # to run workflows
     auth = Auth(api_request=request)
@@ -85,6 +83,7 @@ async def s3_endpoint(path: str, request: Request):
     # get the name of the user's bucket and ensure the user is making a call to their own bucket
     token_claims = await auth.get_token_claims()
     user_id = token_claims.get("sub")
+    logger.info(f"Incoming S3 request from user '{user_id}': '{request.method} {path}'")
     user_bucket = aws_utils.get_safe_name_from_user_id(user_id)
     request_bucket = path.split("?")[0].split("/")[0]
     if request_bucket != user_bucket:

gen3workflow/routes/storage.py

@@ -1,7 +1,7 @@
 from fastapi import APIRouter, Depends, Request
 from starlette.status import HTTP_200_OK
 
-from gen3workflow import aws_utils
+from gen3workflow import aws_utils, logger
 from gen3workflow.auth import Auth
 
 
@@ -10,8 +10,12 @@
 
 @router.get("/info", status_code=HTTP_200_OK)
 async def get_storage_info(request: Request, auth=Depends(Auth)) -> dict:
-    token_claims = await auth.get_token_claims()
+    try:
+        token_claims = await auth.get_token_claims()
+    except Exception:
+        token_claims = {}
     user_id = token_claims.get("sub")
+    logger.info(f"User '{user_id}' getting their own storage info")
     bucket_name, bucket_prefix, bucket_region = aws_utils.create_user_bucket(user_id)
     return {
         "bucket": bucket_name,