Check for hasher role in /lookup endpoint

hasher-matcher-actioner/.devcontainer/postcreate.sh

@@ -3,7 +3,7 @@ set -e
 
 pip install --editable .[all]
 
-# Find Python packages in opt and install them
+# Find Python packages in extensions and install them
 for setup_script in "$(find /workspace/extensions -name setup.py)"
 do
     module_dir="$(dirname "$setup_script")"

hasher-matcher-actioner/src/OpenMediaMatch/app.py

@@ -7,7 +7,7 @@
 with warnings.catch_warnings():
     warnings.simplefilter("ignore")
     from threatexchange.signal_type.pdq import signal as _
-## Resume regularly scheduled imports
+# Resume regularly scheduled imports
 
 import logging
 import os

hasher-matcher-actioner/src/OpenMediaMatch/blueprints/matching.py

@@ -139,7 +139,7 @@ def query_index(
     try:
         signal = signal_type.validate_signal_str(signal)
     except Exception as e:
-        abort(400, f"invalid signal type: {e}")
+        abort(400, f"invalid signal: {e}")
 
     index = _get_index(signal_type)
 
@@ -203,8 +203,10 @@ def lookup_get():
     Output:
      * List of matching banks
     """
-    # Url was passed as a query param?
     if request.args.get("url", None):
+        if not current_app.config.get("ROLE_HASHER", False):
+            abort(403, "Hashing is disabled, missing role")
+
         hashes = hashing.hash_media()
         resp = {}
         for signal_type in hashes.keys():
@@ -230,6 +232,9 @@ def lookup_post():
     Output:
      * List of matching banks
     """
+    if not current_app.config.get("ROLE_HASHER", False):
+        abort(403, "Hashing is disabled, missing role")
+
     hashes = hashing.hash_media_post()
 
     resp = {}

hasher-matcher-actioner/src/OpenMediaMatch/tests/test_api.py

@@ -1,5 +1,6 @@
 # Copyright (c) Meta Platforms, Inc. and affiliates.
 
+import tempfile
 import typing as t
 
 from flask.testing import FlaskClient
@@ -112,7 +113,8 @@ def test_banks_update(client: FlaskClient):
     assert get_response.status_code == 200
     json = get_response.get_json()
     assert len(json) == 1
-    assert json[0] == {"name": "MY_TEST_BANK_RENAMED", "matching_enabled_ratio": 0.5}
+    assert json[0] == {"name": "MY_TEST_BANK_RENAMED",
+                       "matching_enabled_ratio": 0.5}
 
 
 def test_banks_delete(client: FlaskClient):
@@ -221,6 +223,26 @@ def test_banks_add_hash_index(app: Flask, client: FlaskClient):
     assert post_response.json == {"matches": [2]}
 
 
+def test_lookup_add_hash_without_role(app: Flask, client: FlaskClient):
+    # role resets to True in the next test
+    client.application.config["ROLE_HASHER"] = False
+
+    # test GET
+    image_url = "https://github.com/facebook/ThreatExchange/blob/main/pdq/data/bridge-mods/aaa-orig.jpg?raw=true"
+    get_resp = client.get(f"/m/lookup?url={image_url}")
+    assert get_resp.status_code == 403
+
+    # test POST with temp file
+    with tempfile.NamedTemporaryFile(suffix='.jpg') as f:
+        # Write a minimal valid JPEG file header
+        f.write(
+            b'\xff\xd8\xff\xe0\x00\x10\x4a\x46\x49\x46\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9')
+        f.flush()
+        files = {"file": (f.name, f.name, "image/jpeg")}
+        resp = client.post("/m/lookup", data=files)
+        assert resp.status_code == 403
+
+
 def test_exchange_api_set_auth(app: Flask, client: FlaskClient):
     storage = get_storage()
     sample_name = StaticSampleSignalExchangeAPI.get_name()