/**
 * A private controlled notebook requested with only the READER role must be rejected
 * synchronously with a {@link BadRequestException}; no job id is ever handed back to the caller.
 * The exact message is pinned because it is what the API user sees.
 */
@Test
@DisabledIfEnvironmentVariable(named = "TEST_ENV", matches = BUFFER_SERVICE_DISABLED_ENVS_REG_EX)
void createAiNotebookInstanceNoWriterRoleThrowsBadRequest() throws Exception {
  final String notebookId = "create-ai-notebook-instance-shared";
  ControlledAiNotebookInstanceResource readerOnlyResource =
      makeNotebookTestResource(workspace.getWorkspaceId(), notebookId, notebookId);
  ApiGcpAiNotebookInstanceCreationParameters params =
      ControlledResourceFixtures.defaultNotebookCreationParameters()
          .instanceId(notebookId)
          .location(DEFAULT_NOTEBOOK_LOCATION);

  // Shared notebooks are not implemented yet, so every notebook is private, and a private
  // notebook's IAM role must include writer. READER is the role that must be refused.
  ControlledResourceIamRole readerRole = ControlledResourceIamRole.READER;
  ApiJobControl jobControl = new ApiJobControl().id(UUID.randomUUID().toString());

  BadRequestException rejected =
      assertThrows(
          BadRequestException.class,
          () ->
              controlledResourceService.createAiNotebookInstance(
                  readerOnlyResource,
                  params,
                  readerRole,
                  jobControl,
                  "fakeResultPath",
                  user.getAuthenticatedRequest()));
  assertEquals(
      "A private, controlled AI Notebook instance must have the writer or editor role or else it is not useful.",
      rejected.getMessage());
}
/**
 * Deleting a notebook cannot be undone: once the cloud instance is gone there is nothing to
 * restore. This test forces the delete flight's last step to fail so that Stairway attempts an
 * undo, and checks that the attempt surfaces as an {@link InvalidResultStateException} instead
 * of being reported as a clean result.
 */
@Test
@DisabledIfEnvironmentVariable(named = "TEST_ENV", matches = BUFFER_SERVICE_DISABLED_ENVS_REG_EX)
void deleteAiNotebookInstanceUndoIsDismalFailure() throws Exception {
  ControlledAiNotebookInstanceResource notebook =
      createDefaultPrivateAiNotebookInstance("delete-ai-notebook-instance-undo", user);

  // Make the final step of the delete flight fail so that undo is triggered.
  // NOTE(review): the debug info is not cleared here; presumably it is reset between tests
  // elsewhere in this class (e.g. an @AfterEach) — confirm, since it would otherwise leak into
  // the next test that runs a flight.
  FlightDebugInfo failLastStep = FlightDebugInfo.newBuilder().lastStepFailure(true).build();
  jobService.setFlightDebugInfoForTest(failLastStep);

  assertThrows(
      InvalidResultStateException.class,
      () ->
          controlledResourceService.deleteControlledResourceSync(
              notebook.getWorkspaceId(), notebook.getResourceId(), user.getAuthenticatedRequest()));
}
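/**
 * Forces the create-notebook flight to fail at its last step and verifies that the undo path
 * leaves nothing behind: no cloud instance, no workspace resource record, and — the
 * security-relevant part — no lingering grant that lets the user impersonate their pet service
 * account. That grant only exists to serve the notebook, so it must go away with it.
 *
 * <p>The undo steps for GrantPetUsagePermissionStep and CreateAiNotebookInstanceStep are also
 * made to fail once each (STEP_RESULT_FAILURE_RETRY) so their idempotency is exercised.
 */
@Test
@DisabledIfEnvironmentVariable(named = "TEST_ENV", matches = BUFFER_SERVICE_DISABLED_ENVS_REG_EX)
void createAiNotebookInstanceUndo() throws Exception {
  String instanceId = "create-ai-notebook-instance-undo";
  String name = "create-ai-notebook-instance-undo-name";
  ApiGcpAiNotebookInstanceCreationParameters creationParameters =
      ControlledResourceFixtures.defaultNotebookCreationParameters()
          .instanceId(instanceId)
          .location(DEFAULT_NOTEBOOK_LOCATION);
  ControlledAiNotebookInstanceResource resource =
      makeNotebookTestResource(workspace.getWorkspaceId(), name, instanceId);

  // Test idempotency of undo steps by retrying them once.
  Map<String, StepStatus> retrySteps = new HashMap<>();
  retrySteps.put(GrantPetUsagePermissionStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
  retrySteps.put(CreateAiNotebookInstanceStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
  jobService.setFlightDebugInfoForTest(
      FlightDebugInfo.newBuilder().lastStepFailure(true).undoStepFailures(retrySteps).build());

  // Revoke user's Pet SA access, if they have it. Because these tests re-use a common workspace,
  // the user may have pet SA access enabled prior to this test.
  String serviceAccountEmail =
      samService.getOrCreatePetSaEmail(projectId, user.getAuthenticatedRequest().getRequiredToken());
  petSaService.disablePetServiceAccountImpersonation(
      workspace.getWorkspaceId(), user.getEmail(), user.getAuthenticatedRequest());
  ServiceAccountName petSaName =
      ServiceAccountName.builder().projectId(projectId).email(serviceAccountEmail).build();
  // The IAM cow is built from the user's own credentials so the checks below reflect what the
  // user can actually do, not what the test's service credentials can do.
  IamCow userIamCow = crlService.getIamCow(user.getAuthenticatedRequest());

  // Precondition: the user must not be able to impersonate their pet SA before the flight runs,
  // otherwise the post-flight check proves nothing. The revoke above is itself an IAM change and
  // is subject to the same propagation delay as the final check, so it is retried the same way
  // rather than asserted once — a stale "allowed" answer here would fail the test for the wrong
  // reason.
  CloudUtils.runWithRetryOnException(() -> throwIfImpersonateSa(petSaName, userIamCow));

  String jobId =
      controlledResourceService.createAiNotebookInstance(
          resource,
          creationParameters,
          DEFAULT_ROLE,
          new ApiJobControl().id(UUID.randomUUID().toString()),
          "fakeResultPath",
          user.getAuthenticatedRequest());
  jobService.waitForJob(jobId);
  assertEquals(FlightStatus.ERROR, stairwayComponent.get().getFlightState(jobId).getFlightStatus());

  // Cloud side: the instance must not exist after undo.
  assertNotFound(resource.toInstanceName(projectId), crlService.getAIPlatformNotebooksCow());
  // WSM side: the resource record must not exist after undo.
  assertThrows(
      ResourceNotFoundException.class,
      () ->
          controlledResourceService.getControlledResource(
              resource.getWorkspaceId(), resource.getResourceId(), user.getAuthenticatedRequest()));
  // IAM side: the pet SA impersonation grant (presumably made by GrantPetUsagePermissionStep)
  // must have been revoked again. This check relies on cloud IAM propagation and is sometimes
  // delayed.
  CloudUtils.runWithRetryOnException(() -> throwIfImpersonateSa(petSaName, userIamCow));
}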
/**
 * Happy-path delete of a private notebook. The delete step is made to fail once so the flight
 * has to retry it (steps must be idempotent); afterwards neither the cloud instance nor the
 * workspace resource record may remain.
 */
@Test
@DisabledIfEnvironmentVariable(named = "TEST_ENV", matches = BUFFER_SERVICE_DISABLED_ENVS_REG_EX)
void deleteAiNotebookInstanceDo() throws Exception {
  ControlledAiNotebookInstanceResource notebook =
      createDefaultPrivateAiNotebookInstance("delete-ai-notebook-instance-do", user);
  AIPlatformNotebooksCow notebooksCow = crlService.getAIPlatformNotebooksCow();
  InstanceName cloudInstance = notebook.toInstanceName(projectId);

  // Fail the delete step once so its retry path is exercised.
  Map<String, StepStatus> failOnce = new HashMap<>();
  failOnce.put(DeleteAiNotebookInstanceStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
  jobService.setFlightDebugInfoForTest(
      FlightDebugInfo.newBuilder().doStepFailures(failOnce).build());

  controlledResourceService.deleteControlledResourceSync(
      notebook.getWorkspaceId(), notebook.getResourceId(), user.getAuthenticatedRequest());

  // Both the cloud instance and the WSM record must be gone.
  assertNotFound(cloudInstance, notebooksCow);
  assertThrows(
      ResourceNotFoundException.class,
      () ->
          controlledResourceService.getControlledResource(
              notebook.getWorkspaceId(), notebook.getResourceId(), user.getAuthenticatedRequest()));
}
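/**
 * Happy-path create of a private notebook with DEFAULT_ROLE, with every do-step failed once to
 * exercise retries. Beyond "the instance exists", this pins the access contract the flight is
 * supposed to establish for the requesting user:
 *
 * <ul>
 *   <li>the user holds the expected instance-level notebook permissions,
 *   <li>the instance runs in service-account proxy mode, and
 *   <li>the user can {@code actAs} the instance's service account.
 * </ul>
 *
 * <p>Finally it checks that a second controlled resource over the same underlying instance is
 * rejected with {@link DuplicateResourceException}, and that the rejected attempt's undo does not
 * tear down the first resource or its instance.
 */
@Test
@DisabledIfEnvironmentVariable(named = "TEST_ENV", matches = BUFFER_SERVICE_DISABLED_ENVS_REG_EX)
void createAiNotebookInstanceDo() throws Exception {
  UUID workspaceId = reusableWorkspace(user).getWorkspaceId();
  String instanceId = "create-ai-notebook-instance-do";
  ApiGcpAiNotebookInstanceCreationParameters creationParameters =
      ControlledResourceFixtures.defaultNotebookCreationParameters()
          .instanceId(instanceId)
          .location(DEFAULT_NOTEBOOK_LOCATION);
  ControlledAiNotebookInstanceResource resource =
      makeNotebookTestResource(workspaceId, "initial-notebook-name", instanceId);

  // Test idempotency of steps by retrying them once.
  Map<String, StepStatus> retrySteps = new HashMap<>();
  retrySteps.put(RetrieveNetworkNameStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
  retrySteps.put(GrantPetUsagePermissionStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
  retrySteps.put(CreateAiNotebookInstanceStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
  retrySteps.put(NotebookCloudSyncStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
  jobService.setFlightDebugInfoForTest(
      FlightDebugInfo.newBuilder().doStepFailures(retrySteps).build());

  String jobId =
      controlledResourceService.createAiNotebookInstance(
          resource,
          creationParameters,
          DEFAULT_ROLE,
          new ApiJobControl().id(UUID.randomUUID().toString()),
          "fakeResultPath",
          user.getAuthenticatedRequest());
  jobService.waitForJob(jobId);
  assertEquals(FlightStatus.SUCCESS, stairwayComponent.get().getFlightState(jobId).getFlightStatus());
  assertEquals(
      resource,
      controlledResourceService.getControlledResource(
          workspaceId, resource.getResourceId(), user.getAuthenticatedRequest()));

  InstanceName instanceName =
      resource.toInstanceName(
          workspaceService.getAuthorizedRequiredGcpProject(workspaceId, user.getAuthenticatedRequest()));
  Instance instance = crlService.getAIPlatformNotebooksCow().instances().get(instanceName).execute();

  // Test that the user has permissions from WRITER roles on the notebooks instance. Only notebook
  // instance level permissions can be checked on the notebook instance test IAM permissions
  // endpoint, so no "notebooks.instances.list" permission as that's project level.
  // The cow is built from the user's own credentials: testIamPermissions answers for the caller,
  // so probing with WSM's service credentials would test the wrong principal.
  List<String> expectedWriterPermissions =
      ImmutableList.of(
          "notebooks.instances.get",
          "notebooks.instances.reset",
          "notebooks.instances.setAccelerator",
          "notebooks.instances.setMachineType",
          "notebooks.instances.start",
          "notebooks.instances.stop",
          "notebooks.instances.use");
  List<String> grantedInstancePermissions =
      AIPlatformNotebooksCow.create(crlService.getClientConfig(), user.getGoogleCredentials())
          .instances()
          .testIamPermissions(
              instanceName,
              new com.google.api.services.notebooks.v1.model.TestIamPermissionsRequest()
                  .setPermissions(expectedWriterPermissions))
          .execute()
          .getPermissions();
  // containsInAnyOrder is an exact-set match over what was probed: every expected permission must
  // be held. NOTE(review): this proves the user has at least these permissions; it says nothing
  // about permissions outside the probed list (delete, setIamPolicy, ...) because the endpoint
  // only reports on what it is asked about. Pinning the ceiling would need a negative probe.
  assertThat(
      grantedInstancePermissions, Matchers.containsInAnyOrder(expectedWriterPermissions.toArray()));

  // Test that the user has access to the notebook with a service account through proxy mode.
  // git secrets gets a false positive if 'service_account' is double quoted.
  assertThat(instance.getMetadata(), Matchers.hasEntry("proxy-mode", "service_" + "account"));
  ServiceAccountName serviceAccountName =
      ServiceAccountName.builder()
          .projectId(instanceName.projectId())
          .email(instance.getServiceAccount())
          .build();
  // The user needs to have the actAs permission on the service account.
  String actAsPermission = "iam.serviceAccounts.actAs";
  List<String> grantedSaPermissions =
      IamCow.create(crlService.getClientConfig(), user.getGoogleCredentials())
          .projects()
          .serviceAccounts()
          .testIamPermissions(
              serviceAccountName,
              new TestIamPermissionsRequest().setPermissions(List.of(actAsPermission)))
          .execute()
          .getPermissions();
  assertThat(grantedSaPermissions, Matchers.contains(actAsPermission));

  // Creating a controlled resource with a duplicate underlying notebook instance is not allowed.
  ControlledAiNotebookInstanceResource duplicateResource =
      makeNotebookTestResource(workspaceId, "new-name-same-notebook-instance", instanceId);
  String duplicateResourceJobId =
      controlledResourceService.createAiNotebookInstance(
          duplicateResource,
          creationParameters,
          DEFAULT_ROLE,
          new ApiJobControl().id(UUID.randomUUID().toString()),
          "fakeResultPath",
          user.getAuthenticatedRequest());
  jobService.waitForJob(duplicateResourceJobId);
  JobService.JobResultOrException<ControlledAiNotebookInstanceResource> duplicateJobResult =
      jobService.retrieveJobResult(
          duplicateResourceJobId,
          ControlledAiNotebookInstanceResource.class,
          user.getAuthenticatedRequest());
  // instanceOf is null-safe: a job that finished without an exception fails with a readable
  // message instead of an NPE from getException().getClass().
  assertThat(
      duplicateJobResult.getException(), Matchers.instanceOf(DuplicateResourceException.class));

  // The rejected duplicate shares the cloud instance with the first resource. Its flight's undo
  // must not have deleted that instance or the first resource's record out from under the
  // legitimate owner; both must still be there.
  assertEquals(
      resource,
      controlledResourceService.getControlledResource(
          workspaceId, resource.getResourceId(), user.getAuthenticatedRequest()));
  crlService.getAIPlatformNotebooksCow().instances().get(instanceName).execute();
}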