Example 1 with RoleBinding

use of bio.terra.workspace.service.iam.model.RoleBinding in project terra-workspace-manager by DataBiosphere.

From the class SamService, method listRoleBindings:

/**
 * Wrapper around Sam client to retrieve the full current permissions model of a workspace.
 *
 * <p>This operation is only available to MC_WORKSPACE stage workspaces, as Rawls manages
 * permissions directly on other workspaces.
 */
@Traced
public List<RoleBinding> listRoleBindings(UUID workspaceId, AuthenticatedUserRequest userRequest)
    throws InterruptedException {
  // Both guards run before any call to Sam: the workspace must be an MC_WORKSPACE, and the
  // caller must hold the READ_IAM action on it, so a caller lacking READ_IAM is rejected by
  // checkAuthz before the policy lookup happens.
  stageService.assertMcWorkspace(workspaceId, "listRoleBindings");
  checkAuthz(
      userRequest, SamConstants.SamResource.WORKSPACE, workspaceId.toString(), SamWorkspaceAction.READ_IAM);
  ResourcesApi resourceApi = samResourcesApi(userRequest.getRequiredToken());
  try {
    List<AccessPolicyResponseEntry> samResult =
        SamRetry.retry(
            () -> resourceApi.listResourcePolicies(
                SamConstants.SamResource.WORKSPACE, workspaceId.toString()));
    // The MANAGER policy is filtered out so that it is not returned to callers; every other
    // Sam policy is mapped to a RoleBinding of its WSM role and member emails.
    return samResult.stream()
        .filter(entry -> !entry.getPolicyName().equals(WsmIamRole.MANAGER.toSamRole()))
        .map(
            entry ->
                RoleBinding.builder()
                    .role(WsmIamRole.fromSam(entry.getPolicyName()))
                    .users(entry.getPolicy().getMemberEmails())
                    .build())
        .collect(Collectors.toList());
  } catch (ApiException apiException) {
    throw SamExceptionFactory.create("Error listing role bindings in Sam", apiException);
  }
}

Example 2 with RoleBinding

use of bio.terra.workspace.service.iam.model.RoleBinding in project terra-workspace-manager by DataBiosphere.

From the class SamServiceTest, method listPermissionsIncludesAddedUsers:

@Test
void listPermissionsIncludesAddedUsers() throws Exception {
  // Grant the second user READER, then check that listRoleBindings reports every exposed WSM
  // role (including the empty ones) with exactly the expected members and nothing else.
  samService.grantWorkspaceRole(
      workspaceId, defaultUserRequest(), WsmIamRole.READER, userAccessUtils.getSecondUserEmail());
  List<RoleBinding> policyList = samService.listRoleBindings(workspaceId, defaultUserRequest());
  RoleBinding expectedOwnerBinding = RoleBinding.builder().role(WsmIamRole.OWNER)
      .users(Collections.singletonList(userAccessUtils.getDefaultUserEmail())).build();
  RoleBinding expectedReaderBinding = RoleBinding.builder().role(WsmIamRole.READER)
      .users(Collections.singletonList(userAccessUtils.getSecondUserEmail())).build();
  RoleBinding expectedWriterBinding = RoleBinding.builder().role(WsmIamRole.WRITER)
      .users(Collections.emptyList()).build();
  RoleBinding expectedApplicationBinding = RoleBinding.builder().role(WsmIamRole.APPLICATION)
      .users(Collections.emptyList()).build();
  assertThat(
      policyList,
      containsInAnyOrder(equalTo(expectedOwnerBinding), equalTo(expectedWriterBinding),
          equalTo(expectedReaderBinding), equalTo(expectedApplicationBinding)));
}
