
Example 1 with WsmIamRole

use of bio.terra.workspace.service.iam.model.WsmIamRole in project terra-workspace-manager by DataBiosphere.

From class CreateGcpContextFlightV2Test, method assertPolicyGroupsSynced:

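/**
 * Asserts that the Sam group for each GCP-synced workspace role holds its expected IAM role
 * binding on the given project.
 *
 * <p>The MANAGER role is excluded before any Sam call is made: it is not synced to GCP, so this
 * helper no longer asks Sam to sync a MANAGER policy that the assertion loop then ignores. This
 * brings the V2 test in line with CreateGcpContextFlightTest#assertPolicyGroupsSynced, which
 * already filters MANAGER out of the sync step.
 *
 * @param workspaceId the workspace whose Sam policies were synced to the project
 * @param project the GCP project backing the workspace's cloud context
 * @throws Exception if a Sam or Cloud Resource Manager call fails, or a binding is missing
 */
private void assertPolicyGroupsSynced(UUID workspaceId, Project project) throws Exception {
    String projectId = project.getProjectId();
    // Resolve the Sam group for every role that is actually synced to GCP. The "group:" prefix is
    // the form the group appears in as an IAM binding member.
    Map<WsmIamRole, String> roleToSamGroup = new HashMap<>();
    for (WsmIamRole role : WsmIamRole.values()) {
        if (role == WsmIamRole.MANAGER) {
            continue;
        }
        String groupEmail =
            SamRethrow.onInterrupted(
                () -> mockSamService.syncWorkspacePolicy(workspaceId, role, userAccessUtils.defaultUserAuthRequest()),
                "syncWorkspacePolicy");
        roleToSamGroup.put(role, "group:" + groupEmail);
    }
    // Read the live project policy once and check each synced role against it, in enum order.
    Policy currentPolicy = crl.getCloudResourceManagerCow().projects().getIamPolicy(projectId, new GetIamPolicyRequest()).execute();
    for (WsmIamRole role : WsmIamRole.values()) {
        if (role == WsmIamRole.MANAGER) {
            continue;
        }
        assertRoleBindingInPolicy(role, roleToSamGroup.get(role), currentPolicy, projectId);
    }
}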
Also used : BeforeEach(org.junit.jupiter.api.BeforeEach) Arrays(java.util.Arrays) WsmIamRole(bio.terra.workspace.service.iam.model.WsmIamRole) SamService(bio.terra.workspace.service.iam.SamService) Autowired(org.springframework.beans.factory.annotation.Autowired) AuthenticatedUserRequest(bio.terra.workspace.service.iam.AuthenticatedUserRequest) GcpCloudContext(bio.terra.workspace.service.workspace.model.GcpCloudContext) CloudSyncRoleMapping(bio.terra.workspace.service.workspace.CloudSyncRoleMapping) Role(com.google.api.services.iam.v1.model.Role) Assertions.assertFalse(org.junit.jupiter.api.Assertions.assertFalse) GetIamPolicyRequest(com.google.api.services.cloudresourcemanager.v3.model.GetIamPolicyRequest) FlightState(bio.terra.stairway.FlightState) Duration(java.time.Duration) Map(java.util.Map) SpendUnauthorizedException(bio.terra.workspace.service.spendprofile.exceptions.SpendUnauthorizedException) CustomGcpIamRoleMapping(bio.terra.workspace.service.resource.controlled.cloud.gcp.CustomGcpIamRoleMapping) JobService(bio.terra.workspace.service.job.JobService) MockBean(org.springframework.boot.test.mock.mockito.MockBean) UserAccessUtils(bio.terra.workspace.connected.UserAccessUtils) NoBillingAccountException(bio.terra.workspace.service.workspace.exceptions.NoBillingAccountException) StairwayTestUtils(bio.terra.workspace.common.StairwayTestUtils) Binding(com.google.api.services.cloudresourcemanager.v3.model.Binding) UUID(java.util.UUID) SpendProfileId(bio.terra.workspace.service.spendprofile.SpendProfileId) Collectors(java.util.stream.Collectors) WorkspaceConnectedTestUtils(bio.terra.workspace.connected.WorkspaceConnectedTestUtils) CustomGcpIamRole(bio.terra.workspace.service.resource.controlled.cloud.gcp.CustomGcpIamRole) Test(org.junit.jupiter.api.Test) List(java.util.List) Matchers.containsInAnyOrder(org.hamcrest.Matchers.containsInAnyOrder) Assertions.assertTrue(org.junit.jupiter.api.Assertions.assertTrue) Optional(java.util.Optional) 
StepStatus(bio.terra.stairway.StepStatus) ArgumentMatchers.any(org.mockito.ArgumentMatchers.any) JobMapKeys(bio.terra.workspace.service.job.JobMapKeys) WorkspaceService(bio.terra.workspace.service.workspace.WorkspaceService) Policy(com.google.api.services.cloudresourcemanager.v3.model.Policy) Project(com.google.api.services.cloudresourcemanager.v3.model.Project) HashMap(java.util.HashMap) Function(java.util.function.Function) SamResource(bio.terra.workspace.service.iam.model.SamConstants.SamResource) SamRethrow(bio.terra.workspace.service.iam.SamRethrow) DisabledIfEnvironmentVariable(org.junit.jupiter.api.condition.DisabledIfEnvironmentVariable) MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat) Assertions.assertEquals(org.junit.jupiter.api.Assertions.assertEquals) FlightDebugInfo(bio.terra.stairway.FlightDebugInfo) CrlService(bio.terra.workspace.service.crl.CrlService) Nullable(javax.annotation.Nullable) SamSpendProfileAction(bio.terra.workspace.service.iam.model.SamConstants.SamSpendProfileAction) MissingSpendProfileException(bio.terra.workspace.service.workspace.exceptions.MissingSpendProfileException) FlightMap(bio.terra.stairway.FlightMap) Workspace(bio.terra.workspace.service.workspace.model.Workspace) IOException(java.io.IOException) BaseConnectedTest(bio.terra.workspace.common.BaseConnectedTest) SpendConnectedTestUtils(bio.terra.workspace.service.spendprofile.SpendConnectedTestUtils) WorkspaceStage(bio.terra.workspace.service.workspace.model.WorkspaceStage) Mockito(org.mockito.Mockito) FlightStatus(bio.terra.stairway.FlightStatus) Collections(java.util.Collections) Policy(com.google.api.services.cloudresourcemanager.v3.model.Policy) GetIamPolicyRequest(com.google.api.services.cloudresourcemanager.v3.model.GetIamPolicyRequest) WsmIamRole(bio.terra.workspace.service.iam.model.WsmIamRole)

Example 2 with WsmIamRole

use of bio.terra.workspace.service.iam.model.WsmIamRole in project terra-workspace-manager by DataBiosphere.

From class SamService, method defaultWorkspacePolicies:

/**
 * Builds the complete initial policy map for a new Sam workspace resource.
 *
 * <p>Sam requires every policy on a workspace to be present when the resource is created
 * (membership can be changed afterwards, but policies cannot be added later), so one entry is
 * produced per {@link WsmIamRole}: the given user is the sole OWNER member, WSM's own service
 * account is the sole MANAGER member, and every other role (reader, writer, application) starts
 * out with an empty membership.
 *
 * @param ownerEmail email of the user who will own the new workspace
 * @return map from Sam policy name to its initial membership
 */
private Map<String, AccessPolicyMembershipV2> defaultWorkspacePolicies(String ownerEmail) {
    Map<String, AccessPolicyMembershipV2> policies = new HashMap<>();
    for (WsmIamRole role : WsmIamRole.values()) {
        String samRole = role.toSamRole();
        AccessPolicyMembershipV2 membership = new AccessPolicyMembershipV2().addRolesItem(samRole);
        if (role == WsmIamRole.OWNER) {
            membership.addMemberEmailsItem(ownerEmail);
        } else if (role == WsmIamRole.MANAGER) {
            // WSM's service account always holds MANAGER so the service keeps admin control of
            // the workspace independently of its human owners.
            membership.addMemberEmailsItem(GcpUtils.getWsmSaEmail());
        }
        // All remaining roles get an empty policy that can be populated later.
        policies.put(samRole, membership);
    }
    return policies;
}
Also used : HashMap(java.util.HashMap) AccessPolicyMembershipV2(org.broadinstitute.dsde.workbench.client.sam.model.AccessPolicyMembershipV2) WsmIamRole(bio.terra.workspace.service.iam.model.WsmIamRole)

Example 3 with WsmIamRole

use of bio.terra.workspace.service.iam.model.WsmIamRole in project terra-workspace-manager by DataBiosphere.

From class CreateGcpContextFlightTest, method assertPolicyGroupsSynced:

/**
 * Asserts that the Sam group for every GCP-synced workspace role carries its expected IAM role
 * binding on the given project.
 *
 * <p>MANAGER is left out entirely: it is not synced to GCP, so no Sam group is resolved or
 * checked for it.
 *
 * @param workspaceId the workspace whose Sam policies were synced to the project
 * @param project the GCP project backing the workspace's cloud context
 * @throws Exception if a Sam or Cloud Resource Manager call fails, or a binding is missing
 */
private void assertPolicyGroupsSynced(UUID workspaceId, Project project) throws Exception {
    String projectId = project.getProjectId();
    // Ask Sam for the group backing a role and render it as an IAM "group:" member.
    Function<WsmIamRole, String> samGroupMember =
        role -> "group:" + SamRethrow.onInterrupted(
            () -> mockSamService.syncWorkspacePolicy(workspaceId, role, userAccessUtils.defaultUserAuthRequest()),
            "syncWorkspacePolicy");
    Map<WsmIamRole, String> roleToMember =
        Arrays.stream(WsmIamRole.values())
            .filter(role -> role != WsmIamRole.MANAGER)
            .collect(Collectors.toMap(Function.identity(), samGroupMember));
    // One read of the live project policy; every synced role is checked against it in enum order.
    Policy currentPolicy = crl.getCloudResourceManagerCow().projects().getIamPolicy(projectId, new GetIamPolicyRequest()).execute();
    for (WsmIamRole role : WsmIamRole.values()) {
        if (role != WsmIamRole.MANAGER) {
            assertRoleBindingInPolicy(role, roleToMember.get(role), currentPolicy, projectId);
        }
    }
}
Also used : BeforeEach(org.junit.jupiter.api.BeforeEach) Arrays(java.util.Arrays) WsmIamRole(bio.terra.workspace.service.iam.model.WsmIamRole) SamService(bio.terra.workspace.service.iam.SamService) Autowired(org.springframework.beans.factory.annotation.Autowired) AuthenticatedUserRequest(bio.terra.workspace.service.iam.AuthenticatedUserRequest) CloudSyncRoleMapping(bio.terra.workspace.service.workspace.CloudSyncRoleMapping) Role(com.google.api.services.iam.v1.model.Role) Assertions.assertFalse(org.junit.jupiter.api.Assertions.assertFalse) GetIamPolicyRequest(com.google.api.services.cloudresourcemanager.v3.model.GetIamPolicyRequest) FlightState(bio.terra.stairway.FlightState) Duration(java.time.Duration) Map(java.util.Map) SpendUnauthorizedException(bio.terra.workspace.service.spendprofile.exceptions.SpendUnauthorizedException) CustomGcpIamRoleMapping(bio.terra.workspace.service.resource.controlled.cloud.gcp.CustomGcpIamRoleMapping) JobService(bio.terra.workspace.service.job.JobService) MockBean(org.springframework.boot.test.mock.mockito.MockBean) UserAccessUtils(bio.terra.workspace.connected.UserAccessUtils) NoBillingAccountException(bio.terra.workspace.service.workspace.exceptions.NoBillingAccountException) StairwayTestUtils(bio.terra.workspace.common.StairwayTestUtils) Binding(com.google.api.services.cloudresourcemanager.v3.model.Binding) UUID(java.util.UUID) SpendProfileId(bio.terra.workspace.service.spendprofile.SpendProfileId) Collectors(java.util.stream.Collectors) WorkspaceConnectedTestUtils(bio.terra.workspace.connected.WorkspaceConnectedTestUtils) CustomGcpIamRole(bio.terra.workspace.service.resource.controlled.cloud.gcp.CustomGcpIamRole) Test(org.junit.jupiter.api.Test) List(java.util.List) Matchers.containsInAnyOrder(org.hamcrest.Matchers.containsInAnyOrder) Assertions.assertTrue(org.junit.jupiter.api.Assertions.assertTrue) Optional(java.util.Optional) StepStatus(bio.terra.stairway.StepStatus) ArgumentMatchers.any(org.mockito.ArgumentMatchers.any) 
JobMapKeys(bio.terra.workspace.service.job.JobMapKeys) WorkspaceService(bio.terra.workspace.service.workspace.WorkspaceService) Policy(com.google.api.services.cloudresourcemanager.v3.model.Policy) Project(com.google.api.services.cloudresourcemanager.v3.model.Project) HashMap(java.util.HashMap) Function(java.util.function.Function) SamResource(bio.terra.workspace.service.iam.model.SamConstants.SamResource) SamRethrow(bio.terra.workspace.service.iam.SamRethrow) DisabledIfEnvironmentVariable(org.junit.jupiter.api.condition.DisabledIfEnvironmentVariable) MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat) Assertions.assertEquals(org.junit.jupiter.api.Assertions.assertEquals) FlightDebugInfo(bio.terra.stairway.FlightDebugInfo) CrlService(bio.terra.workspace.service.crl.CrlService) Nullable(javax.annotation.Nullable) SamSpendProfileAction(bio.terra.workspace.service.iam.model.SamConstants.SamSpendProfileAction) MissingSpendProfileException(bio.terra.workspace.service.workspace.exceptions.MissingSpendProfileException) FlightMap(bio.terra.stairway.FlightMap) Workspace(bio.terra.workspace.service.workspace.model.Workspace) IOException(java.io.IOException) BaseConnectedTest(bio.terra.workspace.common.BaseConnectedTest) SpendConnectedTestUtils(bio.terra.workspace.service.spendprofile.SpendConnectedTestUtils) WorkspaceStage(bio.terra.workspace.service.workspace.model.WorkspaceStage) Mockito(org.mockito.Mockito) FlightStatus(bio.terra.stairway.FlightStatus) Collections(java.util.Collections) Policy(com.google.api.services.cloudresourcemanager.v3.model.Policy) GetIamPolicyRequest(com.google.api.services.cloudresourcemanager.v3.model.GetIamPolicyRequest) WsmIamRole(bio.terra.workspace.service.iam.model.WsmIamRole)

Example 4 with WsmIamRole

use of bio.terra.workspace.service.iam.model.WsmIamRole in project terra-workspace-manager by DataBiosphere.

From class GcpCloudSyncStep, method doStep:

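/**
 * Grants each workspace role's Sam group its project-level IAM role on the GCP project created
 * by this flight.
 *
 * <p>The project policy is read, extended and written back with the etag from the read, so a
 * concurrent modification makes the set fail (surfacing here as an IOException) and the step is
 * retried against a fresh read instead of silently overwriting someone else's change. Existing
 * bindings are carried over untouched. A binding this step would add is skipped when an
 * identical one is already present, so a retry after a write that succeeded but was not observed
 * does not depend on the server merging duplicate bindings.
 *
 * @param flightContext flight context whose working map must hold GCP_PROJECT_ID and
 *     IAM_GROUP_EMAIL_MAP
 * @return success once the updated policy has been written
 * @throws RetryableCrlException if reading or writing the project policy fails
 * @throws IllegalStateException if either required working-map entry is absent
 * @throws InterruptedException if the step is interrupted
 */
@Override
public StepResult doStep(FlightContext flightContext) throws InterruptedException, RetryException {
    FlightMap workingMap = flightContext.getWorkingMap();
    String gcpProjectId = workingMap.get(GCP_PROJECT_ID, String.class);
    // Sam group email for each workspace role, produced by an earlier step in this flight.
    Map<WsmIamRole, String> workspaceRoleGroupsMap = workingMap.get(WorkspaceFlightMapKeys.IAM_GROUP_EMAIL_MAP, new TypeReference<>() {
    });
    if (gcpProjectId == null || workspaceRoleGroupsMap == null) {
        // Fail loudly rather than syncing nothing: a missing entry means an earlier step did not
        // record the project or the groups, and the project would be left without role bindings.
        throw new IllegalStateException("Working map is missing GCP_PROJECT_ID or IAM_GROUP_EMAIL_MAP");
    }
    try {
        Policy currentPolicy = resourceManagerCow.projects().getIamPolicy(gcpProjectId, new GetIamPolicyRequest()).execute();
        List<Binding> newBindings = new ArrayList<>();
        // Carry over every existing binding so permissions granted elsewhere are never clobbered.
        // The API model may report no bindings at all, in which case there is nothing to keep.
        if (currentPolicy.getBindings() != null) {
            newBindings.addAll(currentPolicy.getBindings());
        }
        // Add the project-level role for each WSM IAM role, skipping a binding that is already
        // present verbatim so a retried step is idempotent.
        workspaceRoleGroupsMap.forEach((role, email) -> {
            Binding binding = bindingForRole(role, email, gcpProjectId);
            if (!newBindings.contains(binding)) {
                newBindings.add(binding);
            }
        });
        // NOTE(review): the policy is re-written at whatever version the GET returned, and the GET
        // does not request a specific policy version. If this project ever carries conditional
        // role bindings that is presumably not sufficient — confirm against the IAM policy
        // version rules before relying on this for conditional bindings.
        Policy newPolicy = new Policy().setVersion(currentPolicy.getVersion()).setBindings(newBindings).setEtag(currentPolicy.getEtag());
        SetIamPolicyRequest iamPolicyRequest = new SetIamPolicyRequest().setPolicy(newPolicy);
        // This logs the full policy, including every member (group email), at INFO.
        logger.info("Setting new Cloud Context IAM policy: " + iamPolicyRequest.toPrettyString());
        resourceManagerCow.projects().setIamPolicy(gcpProjectId, iamPolicyRequest).execute();
    } catch (IOException e) {
        // Presumably also covers an etag conflict from a concurrent policy change; the retry
        // re-reads the policy and re-applies the bindings on top of the newer state.
        throw new RetryableCrlException("Error setting IAM permissions", e);
    }
    return StepResult.getStepResultSuccess();
}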
Also used : Policy(com.google.api.services.cloudresourcemanager.v3.model.Policy) Binding(com.google.api.services.cloudresourcemanager.v3.model.Binding) SetIamPolicyRequest(com.google.api.services.cloudresourcemanager.v3.model.SetIamPolicyRequest) ArrayList(java.util.ArrayList) IOException(java.io.IOException) GetIamPolicyRequest(com.google.api.services.cloudresourcemanager.v3.model.GetIamPolicyRequest) RetryableCrlException(bio.terra.workspace.service.workspace.exceptions.RetryableCrlException) FlightMap(bio.terra.stairway.FlightMap) WsmIamRole(bio.terra.workspace.service.iam.model.WsmIamRole)

Example 5 with WsmIamRole

use of bio.terra.workspace.service.iam.model.WsmIamRole in project terra-workspace-manager by DataBiosphere.

From class UpdateDbGcpCloudContextStep, method doStep:

/**
 * Persists the completed GCP cloud context for this workspace and publishes it as the flight's
 * response.
 *
 * <p>Both GCP_PROJECT_ID and IAM_GROUP_EMAIL_MAP must already be in the working map; only the
 * OWNER, WRITER, READER and APPLICATION group emails are recorded in the stored context, the
 * MANAGER group is not part of it.
 *
 * @param flightContext flight context carrying the working map and flight id
 * @return success once the context has been written and set as the response
 * @throws InterruptedException if the step is interrupted
 */
@Override
public StepResult doStep(FlightContext flightContext) throws InterruptedException {
    FlightUtils.validateRequiredEntries(flightContext.getWorkingMap(), GCP_PROJECT_ID, IAM_GROUP_EMAIL_MAP);
    Map<WsmIamRole, String> roleGroups = flightContext.getWorkingMap().get(WorkspaceFlightMapKeys.IAM_GROUP_EMAIL_MAP, new TypeReference<>() {
    });
    GcpCloudContext cloudContext = new GcpCloudContext(
        flightContext.getWorkingMap().get(GCP_PROJECT_ID, String.class),
        roleGroups.get(WsmIamRole.OWNER),
        roleGroups.get(WsmIamRole.WRITER),
        roleGroups.get(WsmIamRole.READER),
        roleGroups.get(WsmIamRole.APPLICATION));
    // Mark the cloud context creation finished in the DB under this flight id.
    gcpCloudContextService.createGcpCloudContextFinish(workspaceId, cloudContext, flightContext.getFlightId());
    CloudContextHolder holder = new CloudContextHolder();
    holder.setGcpCloudContext(cloudContext);
    FlightUtils.setResponse(flightContext, holder, HttpStatus.OK);
    return StepResult.getStepResultSuccess();
}
Also used : CloudContextHolder(bio.terra.workspace.service.workspace.model.CloudContextHolder) WsmIamRole(bio.terra.workspace.service.iam.model.WsmIamRole) GcpCloudContext(bio.terra.workspace.service.workspace.model.GcpCloudContext)

Aggregations

WsmIamRole (bio.terra.workspace.service.iam.model.WsmIamRole)5 FlightMap (bio.terra.stairway.FlightMap)3 Binding (com.google.api.services.cloudresourcemanager.v3.model.Binding)3 GetIamPolicyRequest (com.google.api.services.cloudresourcemanager.v3.model.GetIamPolicyRequest)3 Policy (com.google.api.services.cloudresourcemanager.v3.model.Policy)3 IOException (java.io.IOException)3 FlightDebugInfo (bio.terra.stairway.FlightDebugInfo)2 FlightState (bio.terra.stairway.FlightState)2 FlightStatus (bio.terra.stairway.FlightStatus)2 StepStatus (bio.terra.stairway.StepStatus)2 BaseConnectedTest (bio.terra.workspace.common.BaseConnectedTest)2 StairwayTestUtils (bio.terra.workspace.common.StairwayTestUtils)2 UserAccessUtils (bio.terra.workspace.connected.UserAccessUtils)2 WorkspaceConnectedTestUtils (bio.terra.workspace.connected.WorkspaceConnectedTestUtils)2 CrlService (bio.terra.workspace.service.crl.CrlService)2 AuthenticatedUserRequest (bio.terra.workspace.service.iam.AuthenticatedUserRequest)2 SamRethrow (bio.terra.workspace.service.iam.SamRethrow)2 SamService (bio.terra.workspace.service.iam.SamService)2 SamResource (bio.terra.workspace.service.iam.model.SamConstants.SamResource)2 SamSpendProfileAction (bio.terra.workspace.service.iam.model.SamConstants.SamSpendProfileAction)2