Example 36 with Workspace

use of bio.terra.workspace.service.workspace.model.Workspace in project terra-workspace-manager by DataBiosphere.

the class WorkspaceServiceTest method getWorkspace_existing.

@Test
void getWorkspace_existing() {
    // Create a workspace, then read it back by id as the same user.
    Workspace request = defaultRequestBuilder(UUID.randomUUID()).build();
    workspaceService.createWorkspace(request, USER_REQUEST);
    assertEquals(
        request.getWorkspaceId(),
        workspaceService.getWorkspace(request.getWorkspaceId(), USER_REQUEST).getWorkspaceId());
}
Also used : Workspace(bio.terra.workspace.service.workspace.model.Workspace) ApiClonedWorkspace(bio.terra.workspace.generated.model.ApiClonedWorkspace) Test(org.junit.jupiter.api.Test) BaseConnectedTest(bio.terra.workspace.common.BaseConnectedTest)

Example 37 with Workspace

use of bio.terra.workspace.service.workspace.model.Workspace in project terra-workspace-manager by DataBiosphere.

the class WorkspaceServiceTest method getWorkspace_forbiddenExisting.

@Test
void getWorkspace_forbiddenExisting() throws Exception {
    Workspace request = defaultRequestBuilder(UUID.randomUUID()).build();
    workspaceService.createWorkspace(request, USER_REQUEST);
    // Make the mocked Sam authz check reject every call: the workspace exists,
    // but a caller without permission must still get ForbiddenException.
    doThrow(new ForbiddenException("forbid!"))
        .when(mockSamService)
        .checkAuthz(any(), any(), any(), any());
    assertThrows(
        ForbiddenException.class,
        () -> workspaceService.getWorkspace(request.getWorkspaceId(), USER_REQUEST));
}
Also used : ForbiddenException(bio.terra.common.exception.ForbiddenException) Workspace(bio.terra.workspace.service.workspace.model.Workspace) ApiClonedWorkspace(bio.terra.workspace.generated.model.ApiClonedWorkspace) Test(org.junit.jupiter.api.Test) BaseConnectedTest(bio.terra.workspace.common.BaseConnectedTest)

Example 38 with Workspace

use of bio.terra.workspace.service.workspace.model.Workspace in project terra-workspace-manager by DataBiosphere.

the class CreateGcpContextFlightV2Test method createWorkspace.

/**
 * Creates a workspace, returning its workspaceUuid.
 *
 * <p>Because the tests in this class mock Sam, and the Janitor service cleans up GCP projects,
 * we do not need to explicitly clean up the workspaces created here.
 */
private UUID createWorkspace(@Nullable SpendProfileId spendProfileId) {
    UUID uuid = UUID.randomUUID();
    Workspace request =
        Workspace.builder()
            .workspaceId(uuid)
            .userFacingId("a" + uuid)
            .workspaceStage(WorkspaceStage.MC_WORKSPACE)
            .spendProfileId(spendProfileId)
            .build();
    return workspaceService.createWorkspace(request, userAccessUtils.defaultUserAuthRequest());
}
Also used : UUID(java.util.UUID) Workspace(bio.terra.workspace.service.workspace.model.Workspace)

Example 39 with Workspace

use of bio.terra.workspace.service.workspace.model.Workspace in project terra-workspace-manager by DataBiosphere.

the class DeleteAzureContextFlightTest method deleteMcWorkspaceWithAzureContextAndResource.

// This test would be better in the WorkspaceDeleteFlightTest, but that class extends
// BaseConnectedTest which doesn't have azure enabled so it lives here for now. If/when test
// structure is re-evaluated and BaseAzureTest goes away, this test should be moved
@Test
void deleteMcWorkspaceWithAzureContextAndResource() throws Exception {
    AuthenticatedUserRequest userRequest = userAccessUtils.defaultUserAuthRequest();
    // create new workspace so delete at end of test won't interfere with @AfterEach teardown
    UUID uuid = UUID.randomUUID();
    Workspace request =
        Workspace.builder()
            .workspaceId(uuid)
            .userFacingId("a" + uuid.toString())
            .workspaceStage(WorkspaceStage.MC_WORKSPACE)
            .spendProfileId(spendUtils.defaultSpendId())
            .build();
    UUID mcWorkspaceUuid = workspaceService.createWorkspace(request, userRequest);
    createAzureContext(mcWorkspaceUuid, userRequest);
    UUID ipId = createAzureIpResource(mcWorkspaceUuid, userRequest);
    // Run the delete flight, retrying every retryable step once
    FlightMap deleteParameters = new FlightMap();
    deleteParameters.put(WorkspaceFlightMapKeys.WORKSPACE_ID, mcWorkspaceUuid.toString());
    deleteParameters.put(WorkspaceFlightMapKeys.WORKSPACE_STAGE, WorkspaceStage.MC_WORKSPACE);
    deleteParameters.put(JobMapKeys.AUTH_USER_INFO.getKeyName(), userRequest);
    Map<String, StepStatus> doFailures = new HashMap<>();
    doFailures.put(DeleteControlledSamResourcesStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
    doFailures.put(DeleteGcpProjectStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
    doFailures.put(DeleteAzureContextStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
    doFailures.put(DeleteWorkspaceAuthzStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
    doFailures.put(DeleteWorkspaceStateStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
    FlightDebugInfo debugInfo = FlightDebugInfo.newBuilder().doStepFailures(doFailures).build();
    FlightState flightState =
        StairwayTestUtils.blockUntilFlightCompletes(
            jobService.getStairway(),
            WorkspaceDeleteFlight.class,
            deleteParameters,
            DELETION_FLIGHT_TIMEOUT,
            debugInfo);
    assertEquals(FlightStatus.SUCCESS, flightState.getFlightStatus());
    // Verify the resource and workspace are not in WSM DB
    assertThrows(
        WorkspaceNotFoundException.class,
        () -> controlledResourceService.getControlledResource(mcWorkspaceUuid, ipId, userRequest));
    assertThrows(
        WorkspaceNotFoundException.class,
        () -> workspaceService.getWorkspace(mcWorkspaceUuid, userRequest));
}
Also used : HashMap(java.util.HashMap) AuthenticatedUserRequest(bio.terra.workspace.service.iam.AuthenticatedUserRequest) UUID(java.util.UUID) Workspace(bio.terra.workspace.service.workspace.model.Workspace) Test(org.junit.jupiter.api.Test) BaseAzureTest(bio.terra.workspace.common.BaseAzureTest)

Example 40 with Workspace

use of bio.terra.workspace.service.workspace.model.Workspace in project terra-workspace-manager by DataBiosphere.

the class RemoveUserFromWorkspaceFlightTest method removeUserFromWorkspaceFlightDoUndo.

@Test
@DisabledIfEnvironmentVariable(named = "TEST_ENV", matches = BUFFER_SERVICE_DISABLED_ENVS_REG_EX)
void removeUserFromWorkspaceFlightDoUndo() throws Exception {
    // Create a workspace as the default test user
    UUID uuid = UUID.randomUUID();
    Workspace request =
        Workspace.builder()
            .workspaceId(uuid)
            .userFacingId("a" + uuid.toString())
            .workspaceStage(WorkspaceStage.MC_WORKSPACE)
            .spendProfileId(spendUtils.defaultSpendId())
            .build();
    UUID workspaceUuid =
        workspaceService.createWorkspace(request, userAccessUtils.defaultUserAuthRequest());
    // Add the secondary test user as a writer
    samService.grantWorkspaceRole(
        workspaceUuid,
        userAccessUtils.defaultUserAuthRequest(),
        WsmIamRole.WRITER,
        userAccessUtils.getSecondUserEmail());
    samService.dumpRoleBindings(
        SamResource.WORKSPACE,
        workspaceUuid.toString(),
        userAccessUtils.defaultUserAuthRequest().getRequiredToken());
    // Create a GCP context as default user
    String makeContextJobId = UUID.randomUUID().toString();
    workspaceService.createGcpCloudContext(
        workspaceUuid, makeContextJobId, userAccessUtils.defaultUserAuthRequest());
    jobService.waitForJob(makeContextJobId);
    AsyncJobResult<CloudContextHolder> createContextJobResult =
        jobService.retrieveAsyncJobResult(
            makeContextJobId, CloudContextHolder.class, userAccessUtils.defaultUserAuthRequest());
    assertEquals(StatusEnum.SUCCEEDED, createContextJobResult.getJobReport().getStatus());
    GcpCloudContext cloudContext = createContextJobResult.getResult().getGcpCloudContext();
    // Create a private dataset for secondary user
    String datasetId = RandomStringUtils.randomAlphabetic(8);
    ControlledBigQueryDatasetResource privateDataset =
        buildPrivateDataset(workspaceUuid, datasetId, cloudContext.getGcpProjectId());
    assertNotNull(privateDataset);
    // Allow the secondary user to impersonate their pet SA.
    petSaService.enablePetServiceAccountImpersonation(
        workspaceUuid, userAccessUtils.getSecondUserEmail(), userAccessUtils.secondUserAuthRequest());
    String secondaryUserPetServiceEmail =
        petSaService
            .getUserPetSa(
                cloudContext.getGcpProjectId(),
                userAccessUtils.getSecondUserEmail(),
                userAccessUtils.secondUserAuthRequest())
            .get()
            .email();
    // Validate the secondary user can impersonate their pet SA directly.
    Iam secondaryUserIamClient = getIamClientForUser(userAccessUtils.secondUserAccessToken());
    assertTrue(
        canImpersonateSa(
            secondaryUserIamClient, cloudContext.getGcpProjectId(), secondaryUserPetServiceEmail));
    // Validate with Sam that secondary user can read their private resource
    assertTrue(
        samService.isAuthorized(
            userAccessUtils.secondUserAuthRequest(),
            privateDataset.getCategory().getSamResourceName(),
            privateDataset.getResourceId().toString(),
            SamControlledResourceActions.WRITE_ACTION));
    // Run the "removeUser" flight to the very end, then undo it, retrying steps along the way.
    Map<String, StepStatus> retrySteps = new HashMap<>();
    retrySteps.put(RemoveUserFromSamStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
    retrySteps.put(CheckUserStillInWorkspaceStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
    retrySteps.put(ClaimUserPrivateResourcesStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
    retrySteps.put(RemovePrivateResourceAccessStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
    retrySteps.put(MarkPrivateResourcesAbandonedStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
    retrySteps.put(RevokePetUsagePermissionStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
    retrySteps.put(ReleasePrivateResourceCleanupClaimsStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
    FlightDebugInfo failingDebugInfo =
        FlightDebugInfo.newBuilder().undoStepFailures(retrySteps).lastStepFailure(true).build();
    FlightMap inputParameters = new FlightMap();
    inputParameters.put(WorkspaceFlightMapKeys.WORKSPACE_ID, workspaceUuid.toString());
    inputParameters.put(WorkspaceFlightMapKeys.USER_TO_REMOVE, userAccessUtils.getSecondUserEmail());
    inputParameters.put(WorkspaceFlightMapKeys.ROLE_TO_REMOVE, ControlledResourceIamRole.WRITER.name());
    // Auth info comes from default user, as they are the ones "making this request"
    inputParameters.put(JobMapKeys.AUTH_USER_INFO.getKeyName(), userAccessUtils.defaultUserAuthRequest());
    FlightState flightState =
        StairwayTestUtils.blockUntilFlightCompletes(
            jobService.getStairway(),
            RemoveUserFromWorkspaceFlight.class,
            inputParameters,
            STAIRWAY_FLIGHT_TIMEOUT,
            failingDebugInfo);
    assertEquals(FlightStatus.ERROR, flightState.getFlightStatus());
    // Validate that secondary user is still a workspace writer, can still read their private
    // resource, and can still impersonate their pet SA.
    assertTrue(
        samService.isAuthorized(
            userAccessUtils.secondUserAuthRequest(),
            SamResource.WORKSPACE,
            workspaceUuid.toString(),
            SamWorkspaceAction.WRITE));
    assertTrue(
        samService.isAuthorized(
            userAccessUtils.secondUserAuthRequest(),
            privateDataset.getCategory().getSamResourceName(),
            privateDataset.getResourceId().toString(),
            SamControlledResourceActions.WRITE_ACTION));
    assertTrue(
        canImpersonateSa(
            secondaryUserIamClient, cloudContext.getGcpProjectId(), secondaryUserPetServiceEmail));
    // Run the flight again, this time to success. Retry each do step once.
    FlightDebugInfo passingDebugInfo = FlightDebugInfo.newBuilder().doStepFailures(retrySteps).build();
    FlightState passingFlightState =
        StairwayTestUtils.blockUntilFlightCompletes(
            jobService.getStairway(),
            RemoveUserFromWorkspaceFlight.class,
            inputParameters,
            STAIRWAY_FLIGHT_TIMEOUT,
            passingDebugInfo);
    assertEquals(FlightStatus.SUCCESS, passingFlightState.getFlightStatus());
    // Verify the secondary user can no longer access the workspace, their private resource,
    // or impersonate their pet SA.
    assertFalse(
        samService.isAuthorized(
            userAccessUtils.secondUserAuthRequest(),
            SamResource.WORKSPACE,
            workspaceUuid.toString(),
            SamWorkspaceAction.WRITE));
    assertFalse(
        samService.isAuthorized(
            userAccessUtils.secondUserAuthRequest(),
            privateDataset.getCategory().getSamResourceName(),
            privateDataset.getResourceId().toString(),
            SamControlledResourceActions.WRITE_ACTION));
    // Permissions can take some time to propagate, retry until the user can no longer impersonate
    // their pet SA.
    assertTrue(
        CloudUtils.getWithRetryOnException(
            () ->
                assertCannotImpersonateSa(
                    secondaryUserIamClient,
                    cloudContext.getGcpProjectId(),
                    secondaryUserPetServiceEmail)));
    // Cleanup
    workspaceService.deleteWorkspace(workspaceUuid, userAccessUtils.defaultUserAuthRequest());
}
Also used : FlightDebugInfo(bio.terra.stairway.FlightDebugInfo) HashMap(java.util.HashMap) StepStatus(bio.terra.stairway.StepStatus) CloudContextHolder(bio.terra.workspace.service.workspace.model.CloudContextHolder) FlightState(bio.terra.stairway.FlightState) Iam(com.google.api.services.iam.v1.Iam) FlightMap(bio.terra.stairway.FlightMap) UUID(java.util.UUID) ControlledBigQueryDatasetResource(bio.terra.workspace.service.resource.controlled.cloud.gcp.bqdataset.ControlledBigQueryDatasetResource) GcpCloudContext(bio.terra.workspace.service.workspace.model.GcpCloudContext) Workspace(bio.terra.workspace.service.workspace.model.Workspace) Test(org.junit.jupiter.api.Test) BaseConnectedTest(bio.terra.workspace.common.BaseConnectedTest) DisabledIfEnvironmentVariable(org.junit.jupiter.api.condition.DisabledIfEnvironmentVariable)
