use of bio.terra.workspace.service.workspace.model.Workspace in project terra-workspace-manager by DataBiosphere.
the class WorkspaceServiceTest method getWorkspace_existing.
@Test
void getWorkspace_existing() {
Workspace request = defaultRequestBuilder(UUID.randomUUID()).build();
workspaceService.createWorkspace(request, USER_REQUEST);
assertEquals(request.getWorkspaceId(), workspaceService.getWorkspace(request.getWorkspaceId(), USER_REQUEST).getWorkspaceId());
}
use of bio.terra.workspace.service.workspace.model.Workspace in project terra-workspace-manager by DataBiosphere.
the class WorkspaceServiceTest method getWorkspace_forbiddenExisting.
@Test
void getWorkspace_forbiddenExisting() throws Exception {
Workspace request = defaultRequestBuilder(UUID.randomUUID()).build();
workspaceService.createWorkspace(request, USER_REQUEST);
doThrow(new ForbiddenException("forbid!")).when(mockSamService).checkAuthz(any(), any(), any(), any());
assertThrows(ForbiddenException.class, () -> workspaceService.getWorkspace(request.getWorkspaceId(), USER_REQUEST));
}
use of bio.terra.workspace.service.workspace.model.Workspace in project terra-workspace-manager by DataBiosphere.
the class CreateGcpContextFlightV2Test method createWorkspace.
/**
* Creates a workspace, returning its workspaceUuid.
*
* <p>Because the tests in this class mock Sam and Janitor service cleans up GCP projects, we do
* not need to explicitly clean up the workspaces created here.
*/
private UUID createWorkspace(@Nullable SpendProfileId spendProfileId) {
UUID uuid = UUID.randomUUID();
Workspace request = Workspace.builder().workspaceId(uuid).userFacingId("a" + uuid).workspaceStage(WorkspaceStage.MC_WORKSPACE).spendProfileId(spendProfileId).build();
return workspaceService.createWorkspace(request, userAccessUtils.defaultUserAuthRequest());
}
use of bio.terra.workspace.service.workspace.model.Workspace in project terra-workspace-manager by DataBiosphere.
the class DeleteAzureContextFlightTest method deleteMcWorkspaceWithAzureContextAndResource.
// This test would be better in the WorkspaceDeleteFlightTest, but that class extends
// BaseConnectedTest which doesn't have azure enabled so it lives here for now. If/when test
// structure is re-evaluated and BaseAzureTest goes away, this test should be moved
@Test
void deleteMcWorkspaceWithAzureContextAndResource() throws Exception {
AuthenticatedUserRequest userRequest = userAccessUtils.defaultUserAuthRequest();
// create new workspace so delete at end of test won't interfere with @AfterEach teardown
UUID uuid = UUID.randomUUID();
Workspace request = Workspace.builder().workspaceId(uuid).userFacingId("a" + uuid.toString()).workspaceStage(WorkspaceStage.MC_WORKSPACE).spendProfileId(spendUtils.defaultSpendId()).build();
UUID mcWorkspaceUuid = workspaceService.createWorkspace(request, userRequest);
createAzureContext(mcWorkspaceUuid, userRequest);
UUID ipId = createAzureIpResource(mcWorkspaceUuid, userRequest);
// Run the delete flight, retrying every retryable step once
FlightMap deleteParameters = new FlightMap();
deleteParameters.put(WorkspaceFlightMapKeys.WORKSPACE_ID, mcWorkspaceUuid.toString());
deleteParameters.put(WorkspaceFlightMapKeys.WORKSPACE_STAGE, WorkspaceStage.MC_WORKSPACE);
deleteParameters.put(JobMapKeys.AUTH_USER_INFO.getKeyName(), userRequest);
Map<String, StepStatus> doFailures = new HashMap<>();
doFailures.put(DeleteControlledSamResourcesStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
doFailures.put(DeleteGcpProjectStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
doFailures.put(DeleteAzureContextStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
doFailures.put(DeleteWorkspaceAuthzStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
doFailures.put(DeleteWorkspaceStateStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
FlightDebugInfo debugInfo = FlightDebugInfo.newBuilder().doStepFailures(doFailures).build();
FlightState flightState = StairwayTestUtils.blockUntilFlightCompletes(jobService.getStairway(), WorkspaceDeleteFlight.class, deleteParameters, DELETION_FLIGHT_TIMEOUT, debugInfo);
assertEquals(FlightStatus.SUCCESS, flightState.getFlightStatus());
// Verify the resource and workspace are not in WSM DB
assertThrows(WorkspaceNotFoundException.class, () -> controlledResourceService.getControlledResource(mcWorkspaceUuid, ipId, userRequest));
assertThrows(WorkspaceNotFoundException.class, () -> workspaceService.getWorkspace(mcWorkspaceUuid, userRequest));
}
use of bio.terra.workspace.service.workspace.model.Workspace in project terra-workspace-manager by DataBiosphere.
the class RemoveUserFromWorkspaceFlightTest method removeUserFromWorkspaceFlightDoUndo.
@Test
@DisabledIfEnvironmentVariable(named = "TEST_ENV", matches = BUFFER_SERVICE_DISABLED_ENVS_REG_EX)
void removeUserFromWorkspaceFlightDoUndo() throws Exception {
// Create a workspace as the default test user
UUID uuid = UUID.randomUUID();
Workspace request = Workspace.builder().workspaceId(uuid).userFacingId("a" + uuid.toString()).workspaceStage(WorkspaceStage.MC_WORKSPACE).spendProfileId(spendUtils.defaultSpendId()).build();
UUID workspaceUuid = workspaceService.createWorkspace(request, userAccessUtils.defaultUserAuthRequest());
// Add the secondary test user as a writer
samService.grantWorkspaceRole(workspaceUuid, userAccessUtils.defaultUserAuthRequest(), WsmIamRole.WRITER, userAccessUtils.getSecondUserEmail());
samService.dumpRoleBindings(SamResource.WORKSPACE, workspaceUuid.toString(), userAccessUtils.defaultUserAuthRequest().getRequiredToken());
// Create a GCP context as default user
String makeContextJobId = UUID.randomUUID().toString();
workspaceService.createGcpCloudContext(workspaceUuid, makeContextJobId, userAccessUtils.defaultUserAuthRequest());
jobService.waitForJob(makeContextJobId);
AsyncJobResult<CloudContextHolder> createContextJobResult = jobService.retrieveAsyncJobResult(makeContextJobId, CloudContextHolder.class, userAccessUtils.defaultUserAuthRequest());
assertEquals(StatusEnum.SUCCEEDED, createContextJobResult.getJobReport().getStatus());
GcpCloudContext cloudContext = createContextJobResult.getResult().getGcpCloudContext();
// Create a private dataset for secondary user
String datasetId = RandomStringUtils.randomAlphabetic(8);
ControlledBigQueryDatasetResource privateDataset = buildPrivateDataset(workspaceUuid, datasetId, cloudContext.getGcpProjectId());
assertNotNull(privateDataset);
// Allow the secondary user to impersonate their pet SA.
petSaService.enablePetServiceAccountImpersonation(workspaceUuid, userAccessUtils.getSecondUserEmail(), userAccessUtils.secondUserAuthRequest());
String secondaryUserPetServiceEmail = petSaService.getUserPetSa(cloudContext.getGcpProjectId(), userAccessUtils.getSecondUserEmail(), userAccessUtils.secondUserAuthRequest()).get().email();
// Validate the secondary user can impersonate their pet SA directly.
Iam secondaryUserIamClient = getIamClientForUser(userAccessUtils.secondUserAccessToken());
assertTrue(canImpersonateSa(secondaryUserIamClient, cloudContext.getGcpProjectId(), secondaryUserPetServiceEmail));
// Validate with Sam that secondary user can read their private resource
assertTrue(samService.isAuthorized(userAccessUtils.secondUserAuthRequest(), privateDataset.getCategory().getSamResourceName(), privateDataset.getResourceId().toString(), SamControlledResourceActions.WRITE_ACTION));
// Run the "removeUser" flight to the very end, then undo it, retrying steps along the way.
Map<String, StepStatus> retrySteps = new HashMap<>();
retrySteps.put(RemoveUserFromSamStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
retrySteps.put(CheckUserStillInWorkspaceStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
retrySteps.put(ClaimUserPrivateResourcesStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
retrySteps.put(RemovePrivateResourceAccessStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
retrySteps.put(MarkPrivateResourcesAbandonedStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
retrySteps.put(RevokePetUsagePermissionStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
retrySteps.put(ReleasePrivateResourceCleanupClaimsStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
FlightDebugInfo failingDebugInfo = FlightDebugInfo.newBuilder().undoStepFailures(retrySteps).lastStepFailure(true).build();
FlightMap inputParameters = new FlightMap();
inputParameters.put(WorkspaceFlightMapKeys.WORKSPACE_ID, workspaceUuid.toString());
inputParameters.put(WorkspaceFlightMapKeys.USER_TO_REMOVE, userAccessUtils.getSecondUserEmail());
inputParameters.put(WorkspaceFlightMapKeys.ROLE_TO_REMOVE, ControlledResourceIamRole.WRITER.name());
// Auth info comes from default user, as they are the ones "making this request"
inputParameters.put(JobMapKeys.AUTH_USER_INFO.getKeyName(), userAccessUtils.defaultUserAuthRequest());
FlightState flightState = StairwayTestUtils.blockUntilFlightCompletes(jobService.getStairway(), RemoveUserFromWorkspaceFlight.class, inputParameters, STAIRWAY_FLIGHT_TIMEOUT, failingDebugInfo);
assertEquals(FlightStatus.ERROR, flightState.getFlightStatus());
// Validate that secondary user is still a workspace writer, can still read their private
// resource, and can still impersonate their pet SA.
assertTrue(samService.isAuthorized(userAccessUtils.secondUserAuthRequest(), SamResource.WORKSPACE, workspaceUuid.toString(), SamWorkspaceAction.WRITE));
assertTrue(samService.isAuthorized(userAccessUtils.secondUserAuthRequest(), privateDataset.getCategory().getSamResourceName(), privateDataset.getResourceId().toString(), SamControlledResourceActions.WRITE_ACTION));
assertTrue(canImpersonateSa(secondaryUserIamClient, cloudContext.getGcpProjectId(), secondaryUserPetServiceEmail));
// Run the flight again, this time to success. Retry each do step once.
FlightDebugInfo passingDebugInfo = FlightDebugInfo.newBuilder().doStepFailures(retrySteps).build();
FlightState passingFlightState = StairwayTestUtils.blockUntilFlightCompletes(jobService.getStairway(), RemoveUserFromWorkspaceFlight.class, inputParameters, STAIRWAY_FLIGHT_TIMEOUT, passingDebugInfo);
assertEquals(FlightStatus.SUCCESS, passingFlightState.getFlightStatus());
// Verify the secondary user can no longer access the workspace, their private resource,
// or impersonate their pet SA.
assertFalse(samService.isAuthorized(userAccessUtils.secondUserAuthRequest(), SamResource.WORKSPACE, workspaceUuid.toString(), SamWorkspaceAction.WRITE));
assertFalse(samService.isAuthorized(userAccessUtils.secondUserAuthRequest(), privateDataset.getCategory().getSamResourceName(), privateDataset.getResourceId().toString(), SamControlledResourceActions.WRITE_ACTION));
// Permissions can take some time to propagate, retry until the user can no longer impersonate
// their pet SA.
assertTrue(CloudUtils.getWithRetryOnException(() -> assertCannotImpersonateSa(secondaryUserIamClient, cloudContext.getGcpProjectId(), secondaryUserPetServiceEmail)));
// Cleanup
workspaceService.deleteWorkspace(workspaceUuid, userAccessUtils.defaultUserAuthRequest());
}
Aggregations