Don't encrypt tokens for UCS

TheByronHimes · TheByronHimes · commit b3010f814bec · 2025-09-12T08:29:16.000Z
diff --git a/.devcontainer/.dev_config.yaml b/.devcontainer/.dev_config.yaml
@@ -8,6 +8,5 @@ ucs_url: http://127.0.0.1/upload
 access_url: http://127.0.0.1/access
 audit_record_topic: audit-records
 audit_record_type: audit_record_logged
-ucs_public_key: dWoWghAEVPcpHILEb5drJx59nF+of6YKuAOhKRpmegY=
 work_order_signing_key: "{}"
 file_upload_box_topic: file-upload-boxes
diff --git a/README.md b/README.md
@@ -104,8 +104,6 @@ The service requires the following configuration parameters:
   ```
 
 
-- <a id="properties/ucs_public_key"></a>**`ucs_public_key`** *(string, required)*: The public key used to encrypt work order tokens sent to the UCS.
-
 - <a id="properties/access_url"></a>**`access_url`** *(string, required)*: URL pointing to the internal access API.
 
 
diff --git a/config_schema.json b/config_schema.json
@@ -45,11 +45,6 @@
       "type": "string",
       "writeOnly": true
     },
-    "ucs_public_key": {
-      "description": "The public key used to encrypt work order tokens sent to the UCS",
-      "title": "Ucs Public Key",
-      "type": "string"
-    },
     "access_url": {
       "description": "URL pointing to the internal access API.",
       "examples": [
@@ -492,7 +487,6 @@
     "audit_record_type",
     "ucs_url",
     "work_order_signing_key",
-    "ucs_public_key",
     "access_url",
     "service_instance_id",
     "kafka_servers",
diff --git a/example_config.yaml b/example_config.yaml
@@ -47,7 +47,6 @@ otel_trace_sampling_rate: 1.0
 port: 8080
 service_instance_id: '1'
 service_name: uos
-ucs_public_key: dWoWghAEVPcpHILEb5drJx59nF+of6YKuAOhKRpmegY=
 ucs_url: http://127.0.0.1/upload
 work_order_signing_key: '**********'
 workers: 1
diff --git a/src/uos/adapters/outbound/http.py b/src/uos/adapters/outbound/http.py
@@ -20,13 +20,13 @@
 from uuid import UUID
 
 import httpx
-from ghga_service_commons.utils.crypt import encrypt
 from ghga_service_commons.utils.utc_dates import UTCDatetime
 from jwcrypto import jwk
 from pydantic import UUID4, Field, SecretStr
 from pydantic_settings import BaseSettings
 
 from uos.core.models import (
+    BaseWorkOrderToken,
     ChangeFileBoxWorkOrder,
     CreateFileBoxWorkOrder,
     UploadGrant,
@@ -64,10 +64,6 @@ class UCSApiConfig(BaseSettings):
         description="The private key for signing work order tokens",
         examples=['{"crv": "P-256", "kty": "EC", "x": "...", "y": "..."}'],
     )
-    ucs_public_key: str = Field(
-        ...,
-        description="The public key used to encrypt work order tokens sent to the UCS",
-    )
 
 
 class AccessClient(AccessClientPort):
@@ -261,7 +257,6 @@ class UCSClient(UCSClientPort):
 
     def __init__(self, *, config: UCSApiConfig):
         self._ucs_url = config.ucs_url
-        self._ucs_public_key = config.ucs_public_key
         self._signing_key = jwk.JWK.from_json(
             config.work_order_signing_key.get_secret_value()
         )
@@ -270,9 +265,9 @@ def __init__(self, *, config: UCSApiConfig):
             log.error(key_error)
             raise key_error
 
-    def _auth_header(self, signed_wot: str) -> dict[str, str]:
-        encrypted_wot = encrypt(signed_wot, self._ucs_public_key)
-        headers = {"Authorization": f"Bearer {encrypted_wot}"}
+    def _auth_header(self, wot: BaseWorkOrderToken) -> dict[str, str]:
+        signed_wot = sign_work_order_token(wot, self._signing_key)
+        headers = {"Authorization": f"Bearer {signed_wot}"}
         return headers
 
     async def create_file_upload_box(self, *, storage_alias: str) -> UUID4:
@@ -281,8 +276,7 @@ async def create_file_upload_box(self, *, storage_alias: str) -> UUID4:
         Raises:
             UCSCallError if there's a problem with the operation.
         """
-        signed_wot = sign_work_order_token(CreateFileBoxWorkOrder(), self._signing_key)
-        headers = self._auth_header(signed_wot)
+        headers = self._auth_header(CreateFileBoxWorkOrder())
         body = {"storage_alias": storage_alias}
         response = httpx.post(f"{self._ucs_url}/boxes", headers=headers, json=body)
         if response.status_code != 201:
@@ -310,8 +304,7 @@ async def lock_file_upload_box(self, *, box_id: UUID4) -> None:
             UCSCallError if there's a problem with the operation.
         """
         wot = ChangeFileBoxWorkOrder(work_type="lock", box_id=box_id)
-        signed_wot = sign_work_order_token(wot, self._signing_key)
-        headers = self._auth_header(signed_wot)
+        headers = self._auth_header(wot)
         body = {"lock": True}
         response = httpx.patch(
             f"{self._ucs_url}/boxes/{box_id}", headers=headers, json=body
@@ -334,8 +327,8 @@ async def unlock_file_upload_box(self, *, box_id: UUID4) -> None:
             UCSCallError if there's a problem with the operation.
         """
         wot = ChangeFileBoxWorkOrder(work_type="unlock", box_id=box_id)
-        signed_wot = sign_work_order_token(wot, self._signing_key)
-        headers = self._auth_header(signed_wot)
+
+        headers = self._auth_header(wot)
         body = {"lock": False}
         response = httpx.patch(
             f"{self._ucs_url}/boxes/{box_id}", headers=headers, json=body
@@ -358,8 +351,7 @@ async def get_file_upload_list(self, *, box_id: UUID4) -> list[UUID4]:
             UCSCallError if there's a problem with the operation.
         """
         wot = ViewFileBoxWorkOrder(box_id=box_id)
-        signed_wot = sign_work_order_token(wot, self._signing_key)
-        headers = self._auth_header(signed_wot)
+        headers = self._auth_header(wot)
         response = httpx.get(f"{self._ucs_url}/boxes/{box_id}/uploads", headers=headers)
         if response.status_code != 200:
             log.error(
diff --git a/tests/fixtures/test_config.yaml b/tests/fixtures/test_config.yaml
@@ -10,4 +10,3 @@ audit_record_topic: audit-records
 audit_record_type: audit_record_logged
 file_upload_box_topic: file-upload-boxes
 work_order_signing_key: "{}"
-ucs_public_key: dWoWghAEVPcpHILEb5drJx59nF+of6YKuAOhKRpmegY=
diff --git a/tests/unit/test_orchestrator.py b/tests/unit/test_orchestrator.py
@@ -175,7 +175,7 @@ async def test_get_upload_box_files_happy(rig: JointRig):
     )
 
     # Mock the UCS client to return a list of file IDs
-    test_file_ids = [uuid4(), uuid4(), uuid4()]
+    test_file_ids = sorted([uuid4(), uuid4(), uuid4()])
     rig.ucs_client.get_file_upload_list.return_value = test_file_ids  # type: ignore
 
     # Mock the access client for non-data steward case

Original file line number	Diff line number	Diff line change
`@@ -175,7 +175,7 @@ async def test_get_upload_box_files_happy(rig: JointRig):`
`175`	`175`	`)`
`176`	`176`
`177`	`177`	`# Mock the UCS client to return a list of file IDs`
`178`		`- test_file_ids = [uuid4(), uuid4(), uuid4()]`
	`178`	`+ test_file_ids = sorted([uuid4(), uuid4(), uuid4()])`
`179`	`179`	`rig.ucs_client.get_file_upload_list.return_value = test_file_ids # type: ignore`
`180`	`180`
`181`	`181`	`# Mock the access client for non-data steward case`