Verify requester pays status in AnVIL audits

UW-GAC · Mar 9, 2024 · 3e323d1 · 3e323d1
1 parent 55a2702
commit 3e323d1
Show file tree

Hide file tree

Showing 4 changed files with 361 additions and 3 deletions.
diff --git a/anvil_consortium_manager/anvil_api.py b/anvil_consortium_manager/anvil_api.py
@@ -237,7 +237,7 @@ def list_workspaces(self, fields=None):
         else:
             return self.auth_session.get(url, 200)
 
-    def get_workspace(self, workspace_namespace, workspace_name):
+    def get_workspace(self, workspace_namespace, workspace_name, fields=None):
         """Get information about a specific workspace on AnVIL.
 
         Calls the Rawls /api/workspaces/{workspace_namespace}/{workspace_name} GET method.
@@ -250,7 +250,10 @@ def get_workspace(self, workspace_namespace, workspace_name):
             requests.Response
         """
         url = self.rawls_entry_point + "/api/workspaces/" + workspace_namespace + "/" + workspace_name
-        return self.auth_session.get(url, 200)
+        if fields:
+            return self.auth_session.get(url, 200, params={"fields": fields})
+        else:
+            return self.auth_session.get(url, 200)
 
     def create_workspace(self, workspace_namespace, workspace_name, authorization_domains=[]):
         """Create a workspace on AnVIL.

diff --git a/anvil_consortium_manager/audit/audit.py b/anvil_consortium_manager/audit/audit.py
@@ -363,14 +363,18 @@ class WorkspaceAudit(AnVILAudit):
     ERROR_DIFFERENT_LOCK = "Workspace lock status does not match on AnVIL"
     """Error when the workspace.is_locked status does not match the lock status on AnVIL."""
 
+    ERROR_DIFFERENT_REQUESTER_PAYS = "Workspace bucket requester_pays status does not match on AnVIL"
+    """Error when the workspace.is_locked status does not match the lock status on AnVIL."""
+
     def run_audit(self):
         """Run an audit on Workspaces in the app."""
         # Check the list of workspaces.
         fields = [
             "workspace.namespace",
             "workspace.name",
             "workspace.authorizationDomain",
-            "workspace.isLocked,accessLevel",
+            "workspace.isLocked",
+            "accessLevel",
         ]
         response = AnVILAPIClient().list_workspaces(fields=",".join(fields))
         workspaces_on_anvil = response.json()
@@ -408,6 +412,14 @@ def run_audit(self):
                 # Check lock status.
                 if workspace.is_locked != workspace_details["workspace"]["isLocked"]:
                     model_instance_result.add_error(self.ERROR_DIFFERENT_LOCK)
+                # Check is_requester_pays status. Unfortunately we have to make a separate API call.
+                response = AnVILAPIClient().get_workspace(
+                    workspace.billing_project.name,
+                    workspace.name,
+                    fields=["bucketOptions"],
+                )
+                if workspace.is_requester_pays != response.json()["bucketOptions"]["requesterPays"]:
+                    model_instance_result.add_error(self.ERROR_DIFFERENT_REQUESTER_PAYS)
 
             self.add_result(model_instance_result)