Example 1 with ResourceApi

use of bio.terra.workspace.api.ResourceApi in project terra-workspace-manager by DataBiosphere.

the class ControlledApplicationSharedGcsBucketLifecycle method doUserJourney.

@Override
public void doUserJourney(TestUserSpecification unused, WorkspaceApi workspaceApi) throws Exception {
    ApiClient ownerApiClient = ClientTestUtils.getClientForTestUser(owner, server);
    ApiClient wsmappApiClient = ClientTestUtils.getClientForTestUser(wsmapp, server);
    WorkspaceApplicationApi ownerWsmAppApi = new WorkspaceApplicationApi(ownerApiClient);
    ControlledGcpResourceApi wsmappResourceApi = new ControlledGcpResourceApi(wsmappApiClient);
    // Owner adds a reader and a writer to the workspace
    workspaceApi.grantRole(new GrantRoleRequestBody().memberEmail(reader.userEmail), getWorkspaceId(), IamRole.READER);
    logger.info("Added {} as a reader to workspace {}", reader.userEmail, getWorkspaceId());
    workspaceApi.grantRole(new GrantRoleRequestBody().memberEmail(writer.userEmail), getWorkspaceId(), IamRole.WRITER);
    logger.info("Added {} as a writer to workspace {}", writer.userEmail, getWorkspaceId());
    // Create the cloud context
    String projectId = CloudContextMaker.createGcpCloudContext(getWorkspaceId(), workspaceApi);
    assertNotNull(projectId);
    logger.info("Created project {}", projectId);
    // Create the bucket - should fail because application is not enabled
    String bucketResourceName = RandomStringUtils.random(6, true, false);
    ApiException createBucketFails = assertThrows(ApiException.class, () -> GcsBucketUtils.makeControlledGcsBucketAppShared(wsmappResourceApi, getWorkspaceId(), bucketResourceName, CloningInstructionsEnum.NOTHING));
    // TODO: [PF-1208] this should be FORBIDDEN (403), but we are throwing the wrong thing
    assertEquals(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED, createBucketFails.getCode());
    logger.info("Failed to create bucket, as expected");
    // Enable the application in the workspace
    WorkspaceApplicationDescription applicationDescription = ownerWsmAppApi.enableWorkspaceApplication(getWorkspaceId(), TEST_WSM_APP);
    assertThat(applicationDescription.getApplicationState(), equalTo(ApplicationState.OPERATING));
    logger.info("Enabled application in the workspace");
    // Validate that it is enabled
    WorkspaceApplicationDescription retrievedDescription = ownerWsmAppApi.getWorkspaceApplication(getWorkspaceId(), TEST_WSM_APP);
    assertThat(applicationDescription, equalTo(retrievedDescription));
    assertThat(applicationDescription.getWorkspaceApplicationState(), equalTo(WorkspaceApplicationState.ENABLED));
    // Create the bucket - should work this time
    CreatedControlledGcpGcsBucket createdBucket = GcsBucketUtils.makeControlledGcsBucketAppShared(wsmappResourceApi, getWorkspaceId(), bucketResourceName, CloningInstructionsEnum.NOTHING);
    bucketName = createdBucket.getGcpBucket().getAttributes().getBucketName();
    assertNotNull(bucketName);
    logger.info("Created bucket {}", bucketName);
    // Try to disable; should error because you cannot disable an app if it owns resources
    // in the workspace.
    ApiException disableAppFails = assertThrows(ApiException.class, () -> ownerWsmAppApi.disableWorkspaceApplication(getWorkspaceId(), TEST_WSM_APP));
    assertEquals(HttpStatusCodes.STATUS_CODE_BAD_REQUEST, disableAppFails.getCode());
    logger.info("Failed to disable app, as expected");
    try (GcsBucketAccessTester tester = new GcsBucketAccessTester(wsmapp, bucketName, projectId)) {
        tester.checkAccess(wsmapp, ControlledResourceIamRole.EDITOR);
        tester.checkAccess(owner, ControlledResourceIamRole.WRITER);
        tester.checkAccess(writer, ControlledResourceIamRole.WRITER);
        tester.checkAccess(reader, ControlledResourceIamRole.READER);
    }
    // The reader should be able to enumerate the bucket.
    ResourceApi readerResourceApi = ClientTestUtils.getResourceClient(reader, server);
    ResourceList bucketList = readerResourceApi.enumerateResources(getWorkspaceId(), 0, 5, ResourceType.GCS_BUCKET, StewardshipType.CONTROLLED);
    assertEquals(1, bucketList.getResources().size());
    MultiResourcesUtils.assertResourceType(ResourceType.GCS_BUCKET, bucketList);
    // Owner cannot delete the bucket through WSM
    ControlledGcpResourceApi ownerResourceApi = new ControlledGcpResourceApi(ownerApiClient);
    ApiException cannotDelete = assertThrows(ApiException.class, () -> GcsBucketUtils.deleteControlledGcsBucket(createdBucket.getResourceId(), getWorkspaceId(), ownerResourceApi));
    // TODO: [PF-1208] this should be FORBIDDEN (403), but we are throwing the wrong thing
    assertEquals(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED, cannotDelete.getCode());
    logger.info("Owner delete failed as expected");
    // Application can delete the bucket through WSM
    GcsBucketUtils.deleteControlledGcsBucket(createdBucket.getResourceId(), getWorkspaceId(), wsmappResourceApi);
    logger.info("Application delete succeeded");
}
Also used : ControlledGcpResourceApi(bio.terra.workspace.api.ControlledGcpResourceApi) ResourceApi(bio.terra.workspace.api.ResourceApi) ResourceList(bio.terra.workspace.model.ResourceList) GrantRoleRequestBody(bio.terra.workspace.model.GrantRoleRequestBody) WorkspaceApplicationApi(bio.terra.workspace.api.WorkspaceApplicationApi) WorkspaceApplicationDescription(bio.terra.workspace.model.WorkspaceApplicationDescription) ApiClient(bio.terra.workspace.client.ApiClient) ApiException(bio.terra.workspace.client.ApiException) CreatedControlledGcpGcsBucket(bio.terra.workspace.model.CreatedControlledGcpGcsBucket) GcsBucketAccessTester(scripts.utils.GcsBucketAccessTester)

Example 2 with ResourceApi

use of bio.terra.workspace.api.ResourceApi in project terra-workspace-manager by DataBiosphere.

the class EnumerateResources method doSetup.

@Override
public void doSetup(List<TestUserSpecification> testUsers, WorkspaceApi workspaceApi) throws Exception {
    // initialize workspace
    super.doSetup(testUsers, workspaceApi);
    assertThat("There must be two test users defined for this test.", testUsers != null && testUsers.size() == 2);
    TestUserSpecification workspaceOwner = testUsers.get(0);
    workspaceReader = testUsers.get(1);
    // static assumptions
    assertThat(PAGE_SIZE * 2, lessThan(RESOURCE_COUNT));
    assertThat(PAGE_SIZE * 3, greaterThan(RESOURCE_COUNT));
    ApiClient ownerApiClient = ClientTestUtils.getClientForTestUser(workspaceOwner, server);
    ownerControlledGcpResourceApi = new ControlledGcpResourceApi(ownerApiClient);
    ownerReferencedGcpResourceApi = new ReferencedGcpResourceApi(ownerApiClient);
    ownerResourceApi = new ResourceApi(ownerApiClient);
    ApiClient readerApiClient = ClientTestUtils.getClientForTestUser(workspaceReader, server);
    readerResourceApi = new ResourceApi(readerApiClient);
    // Create a cloud context for the workspace
    CloudContextMaker.createGcpCloudContext(getWorkspaceId(), workspaceApi);
    // create the resources for the test
    logger.info("Creating {} resources", RESOURCE_COUNT);
    resourceList = MultiResourcesUtils.makeResources(ownerReferencedGcpResourceApi, ownerControlledGcpResourceApi, getWorkspaceId());
    logger.info("Created {} resources", resourceList.size());
}
Also used : ControlledGcpResourceApi(bio.terra.workspace.api.ControlledGcpResourceApi) ReferencedGcpResourceApi(bio.terra.workspace.api.ReferencedGcpResourceApi) ResourceApi(bio.terra.workspace.api.ResourceApi) TestUserSpecification(bio.terra.testrunner.runner.config.TestUserSpecification) ApiClient(bio.terra.workspace.client.ApiClient)

Example 3 with ResourceApi

use of bio.terra.workspace.api.ResourceApi in project terra-workspace-manager by DataBiosphere.

the class PrivateControlledGcsBucketLifecycle method doUserJourney.

@Override
public void doUserJourney(TestUserSpecification testUser, WorkspaceApi workspaceApi) throws Exception {
    String projectId = CloudContextMaker.createGcpCloudContext(getWorkspaceId(), workspaceApi);
    ControlledGcpResourceApi workspaceOwnerResourceApi = ClientTestUtils.getControlledGcpResourceClient(testUser, server);
    ControlledGcpResourceApi privateUserResourceApi = ClientTestUtils.getControlledGcpResourceClient(privateResourceUser, server);
    workspaceApi.grantRole(new GrantRoleRequestBody().memberEmail(workspaceReader.userEmail), getWorkspaceId(), IamRole.READER);
    logger.info("Added {} as a reader to workspace {}", workspaceReader.userEmail, getWorkspaceId());
    workspaceApi.grantRole(new GrantRoleRequestBody().memberEmail(privateResourceUser.userEmail), getWorkspaceId(), IamRole.WRITER);
    logger.info("Added {} as a writer to workspace {}", privateResourceUser.userEmail, getWorkspaceId());
    // Create a private bucket, which privateResourceUser assigns to themselves.
    // Cloud IAM permissions may take several minutes to sync, so we retry this operation until
    // it succeeds.
    CreatedControlledGcpGcsBucket bucket = ClientTestUtils.getWithRetryOnException(() -> createPrivateBucket(privateUserResourceApi));
    UUID resourceId = bucket.getResourceId();
    // Retrieve the bucket resource from WSM
    logger.info("Retrieving bucket resource id {}", resourceId.toString());
    GcpGcsBucketResource gotBucket = privateUserResourceApi.getBucket(getWorkspaceId(), resourceId);
    String bucketName = gotBucket.getAttributes().getBucketName();
    assertEquals(bucket.getGcpBucket().getAttributes().getBucketName(), bucketName);
    // Assert the bucket is assigned to privateResourceUser, even though resource user was
    // not specified
    assertEquals(privateResourceUser.userEmail, gotBucket.getMetadata().getControlledResourceMetadata().getPrivateResourceUser().getUserName());
    try (GcsBucketAccessTester tester = new GcsBucketAccessTester(privateResourceUser, bucketName, projectId)) {
        tester.checkAccessWait(privateResourceUser, ControlledResourceIamRole.EDITOR);
        // workspace owner can do nothing
        tester.checkAccess(testUser, null);
        tester.checkAccess(workspaceReader, null);
    }
    // Any workspace user should be able to enumerate all buckets, even though they can't access
    // their contents.
    ResourceApi readerApi = ClientTestUtils.getResourceClient(workspaceReader, server);
    ResourceList bucketList = readerApi.enumerateResources(getWorkspaceId(), 0, 5, ResourceType.GCS_BUCKET, StewardshipType.CONTROLLED);
    assertEquals(1, bucketList.getResources().size());
    MultiResourcesUtils.assertResourceType(ResourceType.GCS_BUCKET, bucketList);
    // Workspace owner has DELETER role and can delete the bucket through WSM
    var ownerDeleteResult = deleteBucket(workspaceOwnerResourceApi, resourceId);
    ClientTestUtils.assertJobSuccess("owner delete bucket", ownerDeleteResult.getJobReport(), ownerDeleteResult.getErrorReport());
    // verify the bucket was deleted from WSM metadata
    ApiException bucketIsMissing = assertThrows(ApiException.class, () -> workspaceOwnerResourceApi.getBucket(getWorkspaceId(), resourceId), "Incorrectly found a deleted bucket!");
    assertEquals(HttpStatusCodes.STATUS_CODE_NOT_FOUND, bucketIsMissing.getCode());
    // also verify it was deleted from GCP
    Storage ownerStorageClient = ClientTestUtils.getGcpStorageClient(testUser, projectId);
    Bucket maybeBucket = ownerStorageClient.get(bucketName);
    assertNull(maybeBucket);
    // TODO: PF-1218 - change these to negative tests - should error - when
    // the ticket is complete. These exercise two create cases with currently
    // valid combinations of private user.
    PrivateResourceIamRoles roles = new PrivateResourceIamRoles();
    roles.add(ControlledResourceIamRole.READER);
    // Supply all private user parameters
    PrivateResourceUser privateUserFull = new PrivateResourceUser().userName(privateResourceUser.userEmail).privateResourceIamRoles(roles);
    CreatedControlledGcpGcsBucket userFullBucket = GcsBucketUtils.makeControlledGcsBucket(privateUserResourceApi, getWorkspaceId(), RESOURCE_PREFIX + UUID.randomUUID().toString(), /*bucketName=*/ null, AccessScope.PRIVATE_ACCESS, ManagedBy.USER, CloningInstructionsEnum.NOTHING, privateUserFull);
    assertNotNull(userFullBucket.getGcpBucket().getAttributes().getBucketName());
    deleteBucket(workspaceOwnerResourceApi, userFullBucket.getResourceId());
    // Supply just the roles, but no email
    PrivateResourceUser privateUserNoEmail = new PrivateResourceUser().userName(null).privateResourceIamRoles(roles);
    CreatedControlledGcpGcsBucket userNoEmailBucket = GcsBucketUtils.makeControlledGcsBucket(privateUserResourceApi, getWorkspaceId(), RESOURCE_PREFIX + UUID.randomUUID().toString(), /*bucketName=*/ null, AccessScope.PRIVATE_ACCESS, ManagedBy.USER, CloningInstructionsEnum.NOTHING, privateUserNoEmail);
    assertNotNull(userNoEmailBucket.getGcpBucket().getAttributes().getBucketName());
    deleteBucket(workspaceOwnerResourceApi, userNoEmailBucket.getResourceId());
    // Supply an explicit bucket name and verify that WSM uses it
    String uniqueBucketName = String.format("terra_%s_bucket", UUID.randomUUID().toString().replace("-", "_"));
    CreatedControlledGcpGcsBucket bucketWithBucketNameSpecified = GcsBucketUtils.makeControlledGcsBucket(privateUserResourceApi, getWorkspaceId(), RESOURCE_PREFIX + UUID.randomUUID().toString(), /*bucketName=*/ uniqueBucketName, AccessScope.PRIVATE_ACCESS, ManagedBy.USER, CloningInstructionsEnum.NOTHING, privateUserFull);
    assertEquals(uniqueBucketName, bucketWithBucketNameSpecified.getGcpBucket().getAttributes().getBucketName());
    deleteBucket(workspaceOwnerResourceApi, bucketWithBucketNameSpecified.getResourceId());
}
Also used : GrantRoleRequestBody(bio.terra.workspace.model.GrantRoleRequestBody) PrivateResourceUser(bio.terra.workspace.model.PrivateResourceUser) GcsBucketAccessTester(scripts.utils.GcsBucketAccessTester) GcpGcsBucketResource(bio.terra.workspace.model.GcpGcsBucketResource) ControlledGcpResourceApi(bio.terra.workspace.api.ControlledGcpResourceApi) ResourceApi(bio.terra.workspace.api.ResourceApi) ResourceList(bio.terra.workspace.model.ResourceList) Storage(com.google.cloud.storage.Storage) Bucket(com.google.cloud.storage.Bucket) CreatedControlledGcpGcsBucket(bio.terra.workspace.model.CreatedControlledGcpGcsBucket) UUID(java.util.UUID) PrivateResourceIamRoles(bio.terra.workspace.model.PrivateResourceIamRoles) ApiException(bio.terra.workspace.client.ApiException)

Example 4 with ResourceApi

use of bio.terra.workspace.api.ResourceApi in project terra-workspace-manager by DataBiosphere.

the class ReferencedDataRepoSnapshotLifecycle method testUpdateReference.

private void testUpdateReference(ReferencedGcpResourceApi ownerApi) throws Exception {
    ReferencedGcpResourceApi partialAccessApi = ClientTestUtils.getReferencedGcpResourceClient(partialAccessUser, server);
    ResourceApi partialAccessResourceApi = ClientTestUtils.getResourceClient(partialAccessUser, server);
    // Update snapshot's name and description
    String newSnapshotReferenceName = "newSnapshotReferenceName";
    String newSnapshotReferenceDescription = "a new description of another snapshot reference";
    updateDataRepoSnapshotReferenceResource(ownerApi, getWorkspaceId(), snapshotResourceId, newSnapshotReferenceName, newSnapshotReferenceDescription, /*instanceId=*/ null, /*snapshot=*/ null);
    DataRepoSnapshotResource snapshotResource = ownerApi.getDataRepoSnapshotReference(getWorkspaceId(), snapshotResourceId);
    assertEquals(newSnapshotReferenceName, snapshotResource.getMetadata().getName());
    assertEquals(newSnapshotReferenceDescription, snapshotResource.getMetadata().getDescription());
    assertFalse(partialAccessResourceApi.checkReferenceAccess(getWorkspaceId(), snapshotResourceId));
    assertThrows(ApiException.class, () -> updateDataRepoSnapshotReferenceResource(partialAccessApi, getWorkspaceId(), snapshotResourceId, newSnapshotReferenceName, newSnapshotReferenceDescription, /*instanceId=*/ null, snapshotId2));
    updateDataRepoSnapshotReferenceResource(ownerApi, getWorkspaceId(), snapshotResourceId, newSnapshotReferenceName, newSnapshotReferenceDescription, /*instanceId=*/ null, snapshotId2);
    DataRepoSnapshotResource snapshotResourceSecondUpdate = ownerApi.getDataRepoSnapshotReference(getWorkspaceId(), snapshotResourceId);
    assertEquals(newSnapshotReferenceName, snapshotResourceSecondUpdate.getMetadata().getName());
    assertEquals(newSnapshotReferenceDescription, snapshotResourceSecondUpdate.getMetadata().getDescription());
    assertEquals(snapshotId2, snapshotResourceSecondUpdate.getAttributes().getSnapshot());
    assertEquals(tdrInstance, snapshotResourceSecondUpdate.getAttributes().getInstanceName());
    assertTrue(partialAccessResourceApi.checkReferenceAccess(getWorkspaceId(), snapshotResourceId));
}
Also used : ReferencedGcpResourceApi(bio.terra.workspace.api.ReferencedGcpResourceApi) ResourceApi(bio.terra.workspace.api.ResourceApi) DataRepoSnapshotResource(bio.terra.workspace.model.DataRepoSnapshotResource)

Example 5 with ResourceApi

use of bio.terra.workspace.api.ResourceApi in project terra-workspace-manager by DataBiosphere.

the class ReferencedDataRepoSnapshotLifecycle method doUserJourney.

@Override
protected void doUserJourney(TestUserSpecification testUser, WorkspaceApi workspaceApi) throws Exception {
    ReferencedGcpResourceApi referencedGcpResourceApi = ClientTestUtils.getReferencedGcpResourceClient(testUser, server);
    // Add the "partial access" user as a workspace reader. This does not give them access to any
    // underlying referenced resources.
    workspaceApi.grantRole(new GrantRoleRequestBody().memberEmail(partialAccessUser.userEmail), getWorkspaceId(), IamRole.READER);
    // Create the reference
    DataRepoSnapshotResource snapshotResource = DataRepoUtils.makeDataRepoSnapshotReference(referencedGcpResourceApi, getWorkspaceId(), MultiResourcesUtils.makeName(), snapshotId, tdrInstance);
    snapshotResourceId = snapshotResource.getMetadata().getResourceId();
    // Get the reference
    ResourceApi resourceApi = ClientTestUtils.getResourceClient(testUser, server);
    testGetReference(snapshotResource, referencedGcpResourceApi, resourceApi);
    // Create a second workspace to clone the reference into, owned by the same user
    testCloneReference(snapshotResource, referencedGcpResourceApi, workspaceApi);
    // Validate snapshot access
    testValidateReference(testUser);
    // Update reference
    testUpdateReference(referencedGcpResourceApi);
    // Delete the reference
    referencedGcpResourceApi.deleteDataRepoSnapshotReference(getWorkspaceId(), snapshotResourceId);
    // Enumerating all resources with no filters should be empty
    ResourceList enumerateResult = resourceApi.enumerateResources(getWorkspaceId(), 0, 100, null, null);
    assertTrue(enumerateResult.getResources().isEmpty());
}
Also used : ReferencedGcpResourceApi(bio.terra.workspace.api.ReferencedGcpResourceApi) ResourceApi(bio.terra.workspace.api.ResourceApi) ResourceList(bio.terra.workspace.model.ResourceList) GrantRoleRequestBody(bio.terra.workspace.model.GrantRoleRequestBody) DataRepoSnapshotResource(bio.terra.workspace.model.DataRepoSnapshotResource)

Aggregations

ResourceApi (bio.terra.workspace.api.ResourceApi): 20
ReferencedGcpResourceApi (bio.terra.workspace.api.ReferencedGcpResourceApi): 14
ResourceList (bio.terra.workspace.model.ResourceList): 13
ControlledGcpResourceApi (bio.terra.workspace.api.ControlledGcpResourceApi): 8
GrantRoleRequestBody (bio.terra.workspace.model.GrantRoleRequestBody): 8
ApiException (bio.terra.workspace.client.ApiException): 5
GcpGcsBucketResource (bio.terra.workspace.model.GcpGcsBucketResource): 5
UUID (java.util.UUID): 5
GcpBigQueryDatasetResource (bio.terra.workspace.model.GcpBigQueryDatasetResource): 4
ApiClient (bio.terra.workspace.client.ApiClient): 3
CreatedControlledGcpGcsBucket (bio.terra.workspace.model.CreatedControlledGcpGcsBucket): 3
GcpBigQueryDataTableResource (bio.terra.workspace.model.GcpBigQueryDataTableResource): 3
GcpGcsObjectResource (bio.terra.workspace.model.GcpGcsObjectResource): 3
GcsBucketAccessTester (scripts.utils.GcsBucketAccessTester): 3
WorkspaceApplicationApi (bio.terra.workspace.api.WorkspaceApplicationApi): 2
DataRepoSnapshotResource (bio.terra.workspace.model.DataRepoSnapshotResource): 2
WorkspaceApplicationDescription (bio.terra.workspace.model.WorkspaceApplicationDescription): 2
Bucket (com.google.cloud.storage.Bucket): 2
Storage (com.google.cloud.storage.Storage): 2
SystemException (bio.terra.cli.exception.SystemException): 1