use of bio.terra.workspace.model.GcpGcsBucketResource in project terra-workspace-manager by DataBiosphere.
the class ControlledGcsBucketLifecycle method testCloneBucket.
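/**
 * Clones {@code sourceBucket} into the destination workspace and verifies the result at three
 * levels: the clone job outcome, the WSM metadata of the new resource, and the GCS bucket itself
 * (storage class, location, lifecycle rules, and a readable copied object).
 *
 * @param sourceBucket controlled bucket resource to clone
 * @param cloningUser user for whom the GCS storage clients are obtained
 * @param resourceApi client used to start the clone job and poll for its result
 * @throws Exception if an API call, the polling loop, or a GCS request fails
 */
private void testCloneBucket(GcpGcsBucketResource sourceBucket, TestUserSpecification cloningUser, ControlledGcpResourceApi resourceApi) throws Exception {
  final String destinationBucketName = "clone-" + UUID.randomUUID().toString();
  // clone the bucket
  final String clonedBucketDescription = "A cloned bucket";
  final CloneControlledGcpGcsBucketRequest cloneRequest =
      new CloneControlledGcpGcsBucketRequest()
          .bucketName(destinationBucketName)
          .destinationWorkspaceId(getDestinationWorkspaceId())
          .name(sourceBucket.getMetadata().getName())
          .description(clonedBucketDescription)
          .location(null) // use same as src
          .cloningInstructions(CloningInstructionsEnum.RESOURCE)
          .jobControl(new JobControl().id(UUID.randomUUID().toString()));
  logger.info(
      "Cloning bucket\n\tname: {}\n\tresource ID: {}\n\tworkspace: {}\n\t"
          + "projectID: {}\ninto destination bucket\n\tname: {}\n\tworkspace: {}\n\tprojectID: {}",
      sourceBucket.getMetadata().getName(),
      sourceBucket.getMetadata().getResourceId(),
      sourceBucket.getMetadata().getWorkspaceId(),
      getSourceProjectId(),
      destinationBucketName,
      getDestinationWorkspaceId(),
      getDestinationProjectId());

  // Start the clone job, then poll every 5 seconds until it is no longer running.
  CloneControlledGcpGcsBucketResult cloneResult =
      resourceApi.cloneGcsBucket(
          cloneRequest,
          sourceBucket.getMetadata().getWorkspaceId(),
          sourceBucket.getMetadata().getResourceId());
  cloneResult =
      ClientTestUtils.pollWhileRunning(
          cloneResult,
          () ->
              resourceApi.getCloneGcsBucketResult(
                  cloneRequest.getDestinationWorkspaceId(), cloneRequest.getJobControl().getId()),
          CloneControlledGcpGcsBucketResult::getJobReport,
          Duration.ofSeconds(5));
  ClientTestUtils.assertJobSuccess("cloned bucket", cloneResult.getJobReport(), cloneResult.getErrorReport());

  // The clone result must point back at the source workspace and resource.
  final ClonedControlledGcpGcsBucket clonedBucket = cloneResult.getBucket();
  assertEquals(getWorkspaceId(), clonedBucket.getSourceWorkspaceId());
  assertEquals(sourceBucket.getMetadata().getResourceId(), clonedBucket.getSourceResourceId());

  final CreatedControlledGcpGcsBucket createdBucket = clonedBucket.getBucket();
  final GcpGcsBucketResource clonedResource = createdBucket.getGcpBucket();
  assertEquals(destinationBucketName, clonedResource.getAttributes().getBucketName());

  final ResourceMetadata clonedResourceMetadata = clonedResource.getMetadata();
  assertEquals(getDestinationWorkspaceId(), clonedResourceMetadata.getWorkspaceId());
  assertEquals(sourceBucket.getMetadata().getName(), clonedResourceMetadata.getName());
  assertEquals(clonedBucketDescription, clonedResourceMetadata.getDescription());

  final ResourceMetadata sourceMetadata = sourceBucket.getMetadata();
  // The new resource is expected to report NOTHING here even though the request asked for
  // RESOURCE; the requested value is checked separately via getEffectiveCloningInstructions().
  assertEquals(CloningInstructionsEnum.NOTHING, clonedResourceMetadata.getCloningInstructions());
  assertEquals(sourceMetadata.getCloudPlatform(), clonedResourceMetadata.getCloudPlatform());
  assertEquals(ResourceType.GCS_BUCKET, clonedResourceMetadata.getResourceType());
  assertEquals(StewardshipType.CONTROLLED, clonedResourceMetadata.getStewardshipType());
  // Access-control metadata must be carried over unchanged: scope, manager, and private user.
  assertEquals(sourceMetadata.getControlledResourceMetadata().getAccessScope(), clonedResourceMetadata.getControlledResourceMetadata().getAccessScope());
  assertEquals(sourceMetadata.getControlledResourceMetadata().getManagedBy(), clonedResourceMetadata.getControlledResourceMetadata().getManagedBy());
  assertEquals(sourceMetadata.getControlledResourceMetadata().getPrivateResourceUser(), clonedResourceMetadata.getControlledResourceMetadata().getPrivateResourceUser());
  assertEquals(CloudPlatform.GCP, clonedResourceMetadata.getCloudPlatform());

  final Storage destinationProjectStorageClient = ClientTestUtils.getGcpStorageClient(cloningUser, getDestinationProjectId());
  final Bucket destinationGcsBucket = destinationProjectStorageClient.get(destinationBucketName);
  // Storage.get yields null for a bucket that does not exist; fail with an assertion here
  // instead of a NullPointerException on the getters below.
  assertNotNull(destinationGcsBucket);
  // Location, storage class, and lifecycle rules should match values from createBucketAttempt
  assertEquals(StorageClass.STANDARD, destinationGcsBucket.getStorageClass());
  assertEquals(BUCKET_LOCATION, // default since not specified
      destinationGcsBucket.getLocation());
  assertEquals(2, destinationGcsBucket.getLifecycleRules().size());
  verifyClonedLifecycleRules(destinationGcsBucket);
  assertEquals(CloningInstructionsEnum.RESOURCE, clonedBucket.getEffectiveCloningInstructions());

  // test retrieving file from destination bucket
  // The client is obtained for cloningUser, so this checks that user's read access to the
  // copied object and not only that the object exists.
  Storage cloningUserStorageClient = ClientTestUtils.getGcpStorageClient(cloningUser, getDestinationProjectId());
  BlobId blobId = BlobId.of(destinationBucketName, GCS_BLOB_NAME);
  assertNotNull(blobId);
  final Blob retrievedFile = cloningUserStorageClient.get(blobId);
  assertNotNull(retrievedFile);
  assertEquals(blobId.getName(), retrievedFile.getBlobId().getName());
}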
use of bio.terra.workspace.model.GcpGcsBucketResource in project terra-workspace-manager by DataBiosphere.
the class PrivateControlledGcsBucketLifecycle method doUserJourney.
/**
 * Walks through the lifecycle of a private controlled GCS bucket: a workspace writer creates the
 * bucket for themselves, direct access is checked for that user, the workspace owner and a
 * reader, any member enumerates it, and the owner deletes it through WSM. Three further
 * create-and-delete rounds cover combinations of private-user parameters that are currently
 * accepted (see the PF-1218 TODO below).
 *
 * @param testUser the workspace owner
 * @param workspaceApi workspace client used to create the cloud context and grant roles
 * @throws Exception if an API call or a GCS request fails
 */
@Override
public void doUserJourney(TestUserSpecification testUser, WorkspaceApi workspaceApi) throws Exception {
  final String gcpProjectId = CloudContextMaker.createGcpCloudContext(getWorkspaceId(), workspaceApi);
  final ControlledGcpResourceApi ownerResourceApi =
      ClientTestUtils.getControlledGcpResourceClient(testUser, server);
  final ControlledGcpResourceApi privateResourceApi =
      ClientTestUtils.getControlledGcpResourceClient(privateResourceUser, server);

  final GrantRoleRequestBody readerGrant =
      new GrantRoleRequestBody().memberEmail(workspaceReader.userEmail);
  workspaceApi.grantRole(readerGrant, getWorkspaceId(), IamRole.READER);
  logger.info("Added {} as a reader to workspace {}", workspaceReader.userEmail, getWorkspaceId());

  final GrantRoleRequestBody writerGrant =
      new GrantRoleRequestBody().memberEmail(privateResourceUser.userEmail);
  workspaceApi.grantRole(writerGrant, getWorkspaceId(), IamRole.WRITER);
  logger.info("Added {} as a writer to workspace {}", privateResourceUser.userEmail, getWorkspaceId());

  // privateResourceUser creates a private bucket and thereby assigns it to themselves.
  // Cloud IAM permissions can take several minutes to propagate, hence the retry wrapper.
  final CreatedControlledGcpGcsBucket createdBucket =
      ClientTestUtils.getWithRetryOnException(() -> createPrivateBucket(privateResourceApi));
  final UUID bucketResourceId = createdBucket.getResourceId();

  // Read the bucket resource back from WSM.
  logger.info("Retrieving bucket resource id {}", bucketResourceId.toString());
  final GcpGcsBucketResource fetchedBucket =
      privateResourceApi.getBucket(getWorkspaceId(), bucketResourceId);
  final String cloudBucketName = fetchedBucket.getAttributes().getBucketName();
  assertEquals(createdBucket.getGcpBucket().getAttributes().getBucketName(), cloudBucketName);

  // The bucket must be assigned to privateResourceUser although no resource user was specified.
  assertEquals(
      privateResourceUser.userEmail,
      fetchedBucket
          .getMetadata()
          .getControlledResourceMetadata()
          .getPrivateResourceUser()
          .getUserName());

  try (GcsBucketAccessTester accessTester =
      new GcsBucketAccessTester(privateResourceUser, cloudBucketName, gcpProjectId)) {
    accessTester.checkAccessWait(privateResourceUser, ControlledResourceIamRole.EDITOR);
    // A null expected role is passed for the workspace owner ("can do nothing") and, in the
    // same way, for the workspace reader.
    accessTester.checkAccess(testUser, null);
    accessTester.checkAccess(workspaceReader, null);
  }

  // Every workspace user should be able to enumerate all buckets, even without access to
  // their contents.
  final ResourceApi readerResourceApi = ClientTestUtils.getResourceClient(workspaceReader, server);
  final ResourceList enumeratedBuckets =
      readerResourceApi.enumerateResources(
          getWorkspaceId(), 0, 5, ResourceType.GCS_BUCKET, StewardshipType.CONTROLLED);
  assertEquals(1, enumeratedBuckets.getResources().size());
  MultiResourcesUtils.assertResourceType(ResourceType.GCS_BUCKET, enumeratedBuckets);

  // The workspace owner has the DELETER role and can delete the bucket through WSM.
  var ownerDeleteResult = deleteBucket(ownerResourceApi, bucketResourceId);
  ClientTestUtils.assertJobSuccess(
      "owner delete bucket", ownerDeleteResult.getJobReport(), ownerDeleteResult.getErrorReport());

  // The bucket must be gone from WSM metadata ...
  final ApiException notFound =
      assertThrows(
          ApiException.class,
          () -> ownerResourceApi.getBucket(getWorkspaceId(), bucketResourceId),
          "Incorrectly found a deleted bucket!");
  assertEquals(HttpStatusCodes.STATUS_CODE_NOT_FOUND, notFound.getCode());
  // ... and from GCP as well.
  final Storage ownerStorage = ClientTestUtils.getGcpStorageClient(testUser, gcpProjectId);
  final Bucket bucketAfterDelete = ownerStorage.get(cloudBucketName);
  assertNull(bucketAfterDelete);

  // TODO: PF-1218 - change these to negative tests - should error - when
  // the ticket is complete. These exercise two create cases with currently
  // valid combinations of private user.
  // NOTE(review): the deleteBucket results in the three rounds below are discarded, so a
  // failed cleanup of a private bucket would pass unnoticed; consider asserting job success
  // as done for ownerDeleteResult above.
  final PrivateResourceIamRoles readerOnlyRoles = new PrivateResourceIamRoles();
  readerOnlyRoles.add(ControlledResourceIamRole.READER);

  // Case 1: all private user parameters supplied.
  final PrivateResourceUser fullPrivateUser =
      new PrivateResourceUser()
          .userName(privateResourceUser.userEmail)
          .privateResourceIamRoles(readerOnlyRoles);
  final CreatedControlledGcpGcsBucket fullUserBucket =
      GcsBucketUtils.makeControlledGcsBucket(
          privateResourceApi,
          getWorkspaceId(),
          RESOURCE_PREFIX + UUID.randomUUID().toString(),
          /*bucketName=*/ null,
          AccessScope.PRIVATE_ACCESS,
          ManagedBy.USER,
          CloningInstructionsEnum.NOTHING,
          fullPrivateUser);
  assertNotNull(fullUserBucket.getGcpBucket().getAttributes().getBucketName());
  deleteBucket(ownerResourceApi, fullUserBucket.getResourceId());

  // Case 2: roles supplied, but no email.
  final PrivateResourceUser rolesOnlyPrivateUser =
      new PrivateResourceUser().userName(null).privateResourceIamRoles(readerOnlyRoles);
  final CreatedControlledGcpGcsBucket rolesOnlyBucket =
      GcsBucketUtils.makeControlledGcsBucket(
          privateResourceApi,
          getWorkspaceId(),
          RESOURCE_PREFIX + UUID.randomUUID().toString(),
          /*bucketName=*/ null,
          AccessScope.PRIVATE_ACCESS,
          ManagedBy.USER,
          CloningInstructionsEnum.NOTHING,
          rolesOnlyPrivateUser);
  assertNotNull(rolesOnlyBucket.getGcpBucket().getAttributes().getBucketName());
  deleteBucket(ownerResourceApi, rolesOnlyBucket.getResourceId());

  // Case 3: caller-chosen bucket name, all private user parameters supplied.
  final String requestedBucketName =
      String.format("terra_%s_bucket", UUID.randomUUID().toString().replace("-", "_"));
  final CreatedControlledGcpGcsBucket namedBucket =
      GcsBucketUtils.makeControlledGcsBucket(
          privateResourceApi,
          getWorkspaceId(),
          RESOURCE_PREFIX + UUID.randomUUID().toString(),
          /*bucketName=*/ requestedBucketName,
          AccessScope.PRIVATE_ACCESS,
          ManagedBy.USER,
          CloningInstructionsEnum.NOTHING,
          fullPrivateUser);
  assertEquals(requestedBucketName, namedBucket.getGcpBucket().getAttributes().getBucketName());
  deleteBucket(ownerResourceApi, namedBucket.getResourceId());
}
use of bio.terra.workspace.model.GcpGcsBucketResource in project terra-workspace-manager by DataBiosphere.
the class ReferencedGcsResourceLifecycle method testUpdateReferences.
/**
 * Updates the bucket reference and the object reference created by the journey and checks, for
 * each update, both the resulting reference and that {@code partialAccessUser} is rejected when
 * the new target is one that user cannot access.
 *
 * @param fineGrainedBucket reference to the bucket with fine-grained access, used as the new
 *     target of the bucket reference
 * @param fullAccessApi referenced-resource client of the user with access to every target
 * @throws Exception if an API call fails
 */
private void testUpdateReferences(GcpGcsBucketResource fineGrainedBucket, ReferencedGcpResourceApi fullAccessApi) throws Exception {
  ReferencedGcpResourceApi limitedReferenceApi =
      ClientTestUtils.getReferencedGcpResourceClient(partialAccessUser, server);
  ResourceApi limitedResourceApi = ClientTestUtils.getResourceClient(partialAccessUser, server);

  // --- Bucket reference: rename and re-describe, target unchanged ---
  String renamedBucket = "newGcsBucket";
  String bucketDescription = "a new description to the new bucket reference";
  GcsBucketUtils.updateGcsBucketReference(
      fullAccessApi, getWorkspaceId(), bucketResourceId, renamedBucket, bucketDescription, null);
  GcpGcsBucketResource bucketAfterRename =
      fullAccessApi.getBucketReference(getWorkspaceId(), bucketResourceId);
  assertEquals(renamedBucket, bucketAfterRename.getMetadata().getName());
  assertEquals(bucketDescription, bucketAfterRename.getMetadata().getDescription());
  assertEquals(
      gcsUniformAccessBucketAttributes.getBucketName(),
      bucketAfterRename.getAttributes().getBucketName());
  assertTrue(limitedResourceApi.checkReferenceAccess(getWorkspaceId(), bucketResourceId));

  // partialAccessUser has no access to the bucket with fine-grained access, so retargeting
  // the reference to it must fail.
  // NOTE(review): any ApiException satisfies this check; the status code is not inspected, so
  // an unrelated server error would also pass. Confirm the expected code and assert it.
  assertThrows(
      ApiException.class,
      () ->
          GcsBucketUtils.updateGcsBucketReference(
              limitedReferenceApi,
              getWorkspaceId(),
              bucketResourceId,
              /*name=*/ null,
              /*description=*/ null,
              fineGrainedBucket.getAttributes().getBucketName()));

  // The user behind fullAccessApi can access the fine-grained bucket, so the same retarget
  // succeeds.
  GcsBucketUtils.updateGcsBucketReference(
      fullAccessApi,
      getWorkspaceId(),
      bucketResourceId,
      /*name=*/ null,
      /*description=*/ null,
      fineGrainedBucket.getAttributes().getBucketName());
  GcpGcsBucketResource bucketAfterRetarget =
      fullAccessApi.getBucketReference(getWorkspaceId(), bucketResourceId);
  assertEquals(renamedBucket, bucketAfterRetarget.getMetadata().getName());
  assertEquals(bucketDescription, bucketAfterRetarget.getMetadata().getDescription());
  assertEquals(
      fineGrainedBucket.getAttributes().getBucketName(),
      bucketAfterRetarget.getAttributes().getBucketName());

  // --- Object reference: rename and re-describe, target unchanged ---
  String renamedBlob = "newBlobName";
  String blobDescription = "a new description to the new bucket blob reference";
  GcsBucketUtils.updateGcsBucketObjectReference(
      fullAccessApi,
      getWorkspaceId(),
      fileResourceId,
      renamedBlob,
      blobDescription,
      /*bucketName=*/ null,
      /*objectName=*/ null);
  GcpGcsObjectResource blobAfterRename =
      fullAccessApi.getGcsObjectReference(getWorkspaceId(), fileResourceId);
  assertEquals(renamedBlob, blobAfterRename.getMetadata().getName());
  assertEquals(blobDescription, blobAfterRename.getMetadata().getDescription());
  assertEquals(gcsFileAttributes.getBucketName(), blobAfterRename.getAttributes().getBucketName());
  assertEquals(gcsFileAttributes.getFileName(), blobAfterRename.getAttributes().getFileName());

  // Update GCS bucket object's referencing target from foo/monkey_sees_monkey_dos.txt to foo/.
  assertTrue(limitedResourceApi.checkReferenceAccess(getWorkspaceId(), fileResourceId));

  // Object path only: partialAccessUser has no access to foo/, so the update must fail.
  // NOTE(review): as above, only the exception type is checked, not the status code.
  assertThrows(
      ApiException.class,
      () ->
          GcsBucketUtils.updateGcsBucketObjectReference(
              limitedReferenceApi,
              getWorkspaceId(),
              fileResourceId,
              /*name=*/ null,
              /*description=*/ null,
              gcsFileAttributes.getBucketName(),
              gcsFolderAttributes.getFileName()));

  // A user with access to foo/ can retarget the reference to foo/.
  GcsBucketUtils.updateGcsBucketObjectReference(
      fullAccessApi,
      getWorkspaceId(),
      fileResourceId,
      /*name=*/ null,
      /*description=*/ null,
      /*bucketName=*/ null,
      gcsFolderAttributes.getFileName());
  GcpGcsObjectResource blobAfterPathChange =
      fullAccessApi.getGcsObjectReference(getWorkspaceId(), fileResourceId);
  assertEquals(gcsFileAttributes.getBucketName(), blobAfterPathChange.getAttributes().getBucketName());
  assertEquals(gcsFolderAttributes.getFileName(), blobAfterPathChange.getAttributes().getFileName());
  assertEquals(renamedBlob, blobAfterPathChange.getMetadata().getName());
  assertEquals(blobDescription, blobAfterPathChange.getMetadata().getDescription());

  // Bucket only: the object path must stay as set by the previous update.
  GcsBucketUtils.updateGcsBucketObjectReference(
      fullAccessApi,
      getWorkspaceId(),
      fileResourceId,
      /*name=*/ null,
      /*description=*/ null,
      /*bucketName=*/ gcsUniformAccessBucketAttributes.getBucketName(),
      null);
  GcpGcsObjectResource blobAfterBucketChange =
      fullAccessApi.getGcsObjectReference(getWorkspaceId(), fileResourceId);
  assertEquals(
      gcsUniformAccessBucketAttributes.getBucketName(),
      blobAfterBucketChange.getAttributes().getBucketName());
  assertEquals(gcsFolderAttributes.getFileName(), blobAfterBucketChange.getAttributes().getFileName());
  assertEquals(renamedBlob, blobAfterBucketChange.getMetadata().getName());
  assertEquals(blobDescription, blobAfterBucketChange.getMetadata().getDescription());

  // Bucket and object path together, back to the original file target.
  GcsBucketUtils.updateGcsBucketObjectReference(
      fullAccessApi,
      getWorkspaceId(),
      fileResourceId,
      /*name=*/ null,
      /*description=*/ null,
      /*bucketName=*/ gcsFileAttributes.getBucketName(),
      gcsFileAttributes.getFileName());
  GcpGcsObjectResource blobAfterFullChange =
      fullAccessApi.getGcsObjectReference(getWorkspaceId(), fileResourceId);
  assertEquals(gcsFileAttributes.getBucketName(), blobAfterFullChange.getAttributes().getBucketName());
  assertEquals(gcsFileAttributes.getFileName(), blobAfterFullChange.getAttributes().getFileName());
  assertEquals(renamedBlob, blobAfterFullChange.getMetadata().getName());
  assertEquals(blobDescription, blobAfterFullChange.getMetadata().getDescription());
}
use of bio.terra.workspace.model.GcpGcsBucketResource in project terra-workspace-manager by DataBiosphere.
the class ReferencedGcsResourceLifecycle method doUserJourney.
/**
 * Creates four references (uniform-access bucket, fine-grained-access bucket, file, folder),
 * runs the get, clone, validate and update sub-tests against them, deletes all four, and checks
 * that an unfiltered enumeration of the workspace is then empty.
 *
 * @param testUser user who creates, updates and deletes the references
 * @param workspaceApi workspace client used to grant roles and passed on to the clone sub-test
 * @throws Exception if an API call fails
 */
@Override
protected void doUserJourney(TestUserSpecification testUser, WorkspaceApi workspaceApi) throws Exception {
  ReferencedGcpResourceApi referenceApi =
      ClientTestUtils.getReferencedGcpResourceClient(testUser, server);

  // Secondary users get only READER in the workspace; what they can reach in the cloud
  // differs per user and is what the sub-tests exercise.
  GrantRoleRequestBody partialAccessGrant =
      new GrantRoleRequestBody().memberEmail(partialAccessUser.userEmail);
  workspaceApi.grantRole(partialAccessGrant, getWorkspaceId(), IamRole.READER);
  GrantRoleRequestBody noAccessGrant =
      new GrantRoleRequestBody().memberEmail(noAccessUser.userEmail);
  workspaceApi.grantRole(noAccessGrant, getWorkspaceId(), IamRole.READER);

  // Create the references and remember their ids in the fields the sub-tests read.
  GcpGcsBucketResource uniformBucketRef =
      GcsBucketUtils.makeGcsBucketReference(
          gcsUniformAccessBucketAttributes,
          referenceApi,
          getWorkspaceId(),
          MultiResourcesUtils.makeName(),
          CloningInstructionsEnum.REFERENCE);
  bucketResourceId = uniformBucketRef.getMetadata().getResourceId();

  GcpGcsBucketResource fineGrainedBucketRef =
      GcsBucketUtils.makeGcsBucketReference(
          gcsFineGrainedAccessBucketAttributes,
          referenceApi,
          getWorkspaceId(),
          MultiResourcesUtils.makeName(),
          CloningInstructionsEnum.REFERENCE);
  fineGrainedBucketResourceId = fineGrainedBucketRef.getMetadata().getResourceId();

  GcpGcsObjectResource fileRef =
      GcsBucketObjectUtils.makeGcsObjectReference(
          gcsFileAttributes,
          referenceApi,
          getWorkspaceId(),
          MultiResourcesUtils.makeName(),
          CloningInstructionsEnum.REFERENCE);
  fileResourceId = fileRef.getMetadata().getResourceId();

  GcpGcsObjectResource folderRef =
      GcsBucketObjectUtils.makeGcsObjectReference(
          gcsFolderAttributes,
          referenceApi,
          getWorkspaceId(),
          MultiResourcesUtils.makeName(),
          CloningInstructionsEnum.REFERENCE);
  folderResourceId = folderRef.getMetadata().getResourceId();

  // Get the references
  testGetReferences(uniformBucketRef, fineGrainedBucketRef, fileRef, folderRef, referenceApi);
  // Create a second workspace to clone references into, owned by the same user
  testCloneReference(
      uniformBucketRef, fineGrainedBucketRef, fileRef, folderRef, referenceApi, workspaceApi);
  // Validate reference access
  testValidateReference(testUser);
  // Update the references
  testUpdateReferences(fineGrainedBucketRef, referenceApi);

  // Delete the references
  referenceApi.deleteBucketReference(getWorkspaceId(), bucketResourceId);
  referenceApi.deleteBucketReference(getWorkspaceId(), fineGrainedBucketResourceId);
  referenceApi.deleteGcsObjectReference(getWorkspaceId(), fileResourceId);
  referenceApi.deleteGcsObjectReference(getWorkspaceId(), folderResourceId);

  // With every reference deleted, an unfiltered enumeration must return nothing.
  ResourceApi enumerationApi = ClientTestUtils.getResourceClient(testUser, server);
  ResourceList remaining = enumerationApi.enumerateResources(getWorkspaceId(), 0, 100, null, null);
  assertTrue(remaining.getResources().isEmpty());
}
use of bio.terra.workspace.model.GcpGcsBucketResource in project terra-workspace-manager by DataBiosphere.
the class ReferencedGcsResourceLifecycle method testGetReferences.
/**
 * Fetches each of the four references by id and compares it with the object returned at
 * creation, then enumerates references as {@code noAccessUser} to confirm that reference
 * metadata is visible to a workspace member who cannot reach the underlying cloud resources.
 *
 * @param uniformBucketReference expected reference to the uniform-access bucket
 * @param fineGrainedBucketReference expected reference to the fine-grained-access bucket
 * @param fileReference expected reference to the file object
 * @param folderReference expected reference to the folder object
 * @param referencedGcpResourceApi client used to fetch the references by id
 * @throws Exception if an API call fails
 */
private void testGetReferences(GcpGcsBucketResource uniformBucketReference, GcpGcsBucketResource fineGrainedBucketReference, GcpGcsObjectResource fileReference, GcpGcsObjectResource folderReference, ReferencedGcpResourceApi referencedGcpResourceApi) throws Exception {
  GcpGcsBucketResource uniformFromApi =
      referencedGcpResourceApi.getBucketReference(getWorkspaceId(), bucketResourceId);
  assertEquals(uniformBucketReference, uniformFromApi);

  GcpGcsBucketResource fineGrainedFromApi =
      referencedGcpResourceApi.getBucketReference(getWorkspaceId(), fineGrainedBucketResourceId);
  assertEquals(fineGrainedBucketReference, fineGrainedFromApi);

  GcpGcsObjectResource fileFromApi =
      referencedGcpResourceApi.getGcsObjectReference(getWorkspaceId(), fileResourceId);
  assertEquals(fileReference, fileFromApi);

  GcpGcsObjectResource folderFromApi =
      referencedGcpResourceApi.getGcsObjectReference(getWorkspaceId(), folderResourceId);
  assertEquals(folderReference, folderFromApi);

  // Enumerate the references.
  // Any workspace member can view references in WSM, even without being able to view the
  // underlying cloud resource or its contents, so the enumeration runs as noAccessUser.
  ResourceApi memberWithoutCloudAccess = ClientTestUtils.getResourceClient(noAccessUser, server);

  // No type filter: all four references.
  ResourceList allReferences =
      memberWithoutCloudAccess.enumerateResources(
          getWorkspaceId(), 0, 5, /*referenceType=*/ null, StewardshipType.REFERENCED);
  assertEquals(4, allReferences.getResources().size());

  // Buckets only: the uniform-access and the fine-grained-access bucket.
  ResourceList bucketReferences =
      memberWithoutCloudAccess.enumerateResources(
          getWorkspaceId(),
          0,
          5,
          /*referenceType=*/ ResourceType.GCS_BUCKET,
          StewardshipType.REFERENCED);
  assertEquals(2, bucketReferences.getResources().size());
  MultiResourcesUtils.assertResourceType(ResourceType.GCS_BUCKET, bucketReferences);

  // Objects only: the file and the folder.
  ResourceList objectReferences =
      memberWithoutCloudAccess.enumerateResources(
          getWorkspaceId(),
          0,
          5,
          /*referenceType=*/ ResourceType.GCS_OBJECT,
          StewardshipType.REFERENCED);
  assertEquals(2, objectReferences.getResources().size());
  MultiResourcesUtils.assertResourceType(ResourceType.GCS_OBJECT, objectReferences);
}