use of bio.terra.workspace.service.resource.controlled.model.ManagedByType in project terra-workspace-manager by DataBiosphere.
the class ControlledResourceControllerBase method toCommonFields.
public ControlledResourceFields toCommonFields(UUID workspaceId, ApiControlledResourceCommonFields apiCommonFields, AuthenticatedUserRequest userRequest) {
ManagedByType managedBy = ManagedByType.fromApi(apiCommonFields.getManagedBy());
AccessScopeType accessScopeType = AccessScopeType.fromApi(apiCommonFields.getAccessScope());
PrivateUserRole privateUserRole = computePrivateUserRole(workspaceId, apiCommonFields, userRequest);
return ControlledResourceFields.builder().workspaceId(workspaceId).resourceId(UUID.randomUUID()).name(apiCommonFields.getName()).description(apiCommonFields.getDescription()).cloningInstructions(CloningInstructions.fromApiModel(apiCommonFields.getCloningInstructions())).iamRole(privateUserRole.getRole()).assignedUser(privateUserRole.getUserEmail()).accessScope(accessScopeType).managedBy(managedBy).applicationId(controlledResourceService.getAssociatedApp(managedBy, userRequest)).build();
}
use of bio.terra.workspace.service.resource.controlled.model.ManagedByType in project terra-workspace-manager by DataBiosphere.
the class ControllerBase method computePrivateUserRole.
/**
* Validate and provide defaulting for the private resource user. The property is never required.
* The only time it is allowed is for application-private resources. If it is populated, we
* validate the user email and the specified IAM roles.
*
* <p>user-private resources are always assigned to the caller. You can't create a user-private
* resource and assign it to someone else. Because we can read the caller's email from the
* AuthenticatedUserRequest, we don't need to supply assignedUser in the request body.
*
* <p>application-private resources can be assigned to users other than the caller. For example,
* Leo could call WSM to create a VM (using the Leo SA's auth token) and request it be assigned to
* user X, not to the Leo SA.
*
* @param commonFields common fields from a controlled resource create request
* @param userRequest authenticate user
* @return PrivateUserRole holding the user email and the role list
*/
public PrivateUserRole computePrivateUserRole(UUID workspaceId, ApiControlledResourceCommonFields commonFields, AuthenticatedUserRequest userRequest) {
AccessScopeType accessScope = AccessScopeType.fromApi(commonFields.getAccessScope());
ManagedByType managedBy = ManagedByType.fromApi(commonFields.getManagedBy());
ApiPrivateResourceUser inputUser = commonFields.getPrivateResourceUser();
// Shared access has no private user role
if (accessScope == AccessScopeType.ACCESS_SCOPE_SHARED) {
validateNoInputUser(inputUser);
return new PrivateUserRole.Builder().present(false).build();
}
// Private access scope
switch(managedBy) {
case MANAGED_BY_APPLICATION:
{
// Supplying a user is optional for applications
if (inputUser == null) {
return new PrivateUserRole.Builder().present(false).build();
}
// We have a private user, so make sure the email is present and valid
String userEmail = commonFields.getPrivateResourceUser().getUserName();
ControllerValidationUtils.validateEmail(userEmail);
// Validate that the assigned user is a member of the workspace. It must have at least
// READ action.
SamRethrow.onInterrupted(() -> samService.userIsAuthorized(SamConstants.SamResource.WORKSPACE, workspaceId.toString(), SamConstants.SamWorkspaceAction.READ, userEmail, userRequest), "validate private user is workspace member");
// Translate the incoming role list into our internal model form
// This also validates that the incoming API model values are correct.
List<ControlledResourceIamRole> roles = commonFields.getPrivateResourceUser().getPrivateResourceIamRoles().stream().map(ControlledResourceIamRole::fromApiModel).collect(Collectors.toList());
if (roles.isEmpty()) {
throw new ValidationException("You must specify at least one role when you specify PrivateResourceIamRoles");
}
// The legal options for the assigned user of an application is READER
// or WRITER. EDITOR is not allowed. We take the "max" of READER and WRITER.
var maxRole = ControlledResourceIamRole.READER;
for (ControlledResourceIamRole role : roles) {
if (role == ControlledResourceIamRole.WRITER) {
if (maxRole == ControlledResourceIamRole.READER) {
maxRole = role;
}
} else if (role != ControlledResourceIamRole.READER) {
throw new ValidationException("For application private controlled resources, only READER and WRITER roles are allowed. Found " + role.toApiModel());
}
}
return new PrivateUserRole.Builder().present(true).userEmail(userEmail).role(maxRole).build();
}
case MANAGED_BY_USER:
{
// TODO: PF-1218 The target state is that supplying a user is not allowed.
// However, current CLI and maybe UI are supplying all or part of the structure,
// so tolerate all states: no-input, only roles, roles and user
/* Target state:
// Supplying a user is not allowed. The creating user is always the assigned user.
validateNoInputUser(inputUser);
*/
// Fill in the user role for the creating user
String userEmail = SamRethrow.onInterrupted(() -> samService.getUserEmailFromSam(userRequest), "getUserEmailFromSam");
// matches the requesting name.
if (inputUser != null && inputUser.getUserName() != null) {
if (!StringUtils.equalsIgnoreCase(userEmail, inputUser.getUserName())) {
throw new BadRequestException("User (" + userEmail + ") may only assign a private controlled resource to themselves");
}
}
// to different objects.
return new PrivateUserRole.Builder().present(true).userEmail(userEmail).role(ControlledResourceIamRole.EDITOR).build();
}
default:
throw new InternalLogicException("Unknown managedBy enum");
}
}
use of bio.terra.workspace.service.resource.controlled.model.ManagedByType in project terra-workspace-manager by DataBiosphere.
the class ValidCommonEnumTest method managedByValidityTest.
@Test
public void managedByValidityTest() throws Exception {
assertThat(ManagedByType.fromApi(ApiManagedBy.APPLICATION), equalTo(ManagedByType.MANAGED_BY_APPLICATION));
assertThat(ManagedByType.fromApi(ApiManagedBy.USER), equalTo(ManagedByType.MANAGED_BY_USER));
ManagedByType x = ManagedByType.fromSql(ManagedByType.MANAGED_BY_APPLICATION.toSql());
assertThat(x, equalTo(ManagedByType.MANAGED_BY_APPLICATION));
x = ManagedByType.fromSql(ManagedByType.MANAGED_BY_USER.toSql());
assertThat(x, equalTo(ManagedByType.MANAGED_BY_USER));
assertThrows(MissingRequiredFieldException.class, () -> ManagedByType.fromApi(null));
assertThrows(SerializationException.class, () -> ManagedByType.fromSql("xyzzy"));
assertThat(ManagedByType.MANAGED_BY_USER.toApiModel(), equalTo(ApiManagedBy.USER));
assertThat(ManagedByType.MANAGED_BY_APPLICATION.toApiModel(), equalTo(ApiManagedBy.APPLICATION));
}
Aggregations