Example 1 with Traced

use of io.opencensus.contrib.spring.aop.Traced in project terra-workspace-manager by DataBiosphere.

the class SamService method removeResourceRole.

/**
 * Wrapper around the Sam client to remove a role from the provided user on a controlled resource.
 *
 * <p>Similar to {@link #removeWorkspaceRole}, but for controlled resources. This should only be
 * necessary for private resources, as users do not have individual roles on shared resources.
 *
 * <p>This call to Sam is made as the WSM SA, as users do not have permission to directly modify
 * IAM on resources. This method still requires user credentials to validate as a safeguard, but
 * they are not used in the role removal call.
 *
 * @param resource The resource to remove a role from
 * @param userRequest User credentials. These are not used for the call to Sam, but must belong to
 *     a workspace owner to ensure the WSM SA is being used on a user's behalf correctly.
 * @param role The role to remove
 * @param email Email identifier of the user whose role is being removed.
 */
@Traced
public void removeResourceRole(ControlledResource resource, AuthenticatedUserRequest userRequest, ControlledResourceIamRole role, String email) throws InterruptedException {
    // Validate that the provided user credentials can modify the owners of the resource's
    // workspace.
    // Although the Sam call to revoke a resource role must use WSM SA credentials instead, this
    // is a safeguard against accidentally invoking these credentials for unauthorized users.
    checkAuthz(userRequest, SamConstants.SamResource.WORKSPACE, resource.getWorkspaceId().toString(), samActionToModifyRole(WsmIamRole.OWNER));
    try {
        ResourcesApi wsmSaResourceApi = samResourcesApi(getWsmServiceAccountToken());
        SamRetry.retry(() -> wsmSaResourceApi.removeUserFromPolicyV2(resource.getCategory().getSamResourceName(), resource.getResourceId().toString(), role.toSamRole(), email));
        logger.info("Removed role {} from user {} on resource {}", role.toSamRole(), email, resource.getResourceId());
    } catch (ApiException apiException) {
        throw SamExceptionFactory.create("Sam error removing resource role in Sam", apiException);
    }
}
Also used : ResourcesApi(org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi) ApiException(org.broadinstitute.dsde.workbench.client.sam.ApiException) Traced(io.opencensus.contrib.spring.aop.Traced)
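The security-relevant point in removeResourceRole is the ordering: the caller's own credentials are checked against the parent workspace first, and only then is the WSM service-account token used for the privileged Sam call. Without that check the service would be a confused deputy, letting any authenticated user spend the SA's authority. The following added example (not code from terra-workspace-manager or the Sam client) shows the same pattern against a constructed in-memory stand-in for a Sam-like policy store; all names, tokens and e-mail addresses are hypothetical.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Constructed in-memory stand-in for a Sam-like policy store (example only, not the Sam client). */
final class FakeSam {
    static final String WORKSPACE = "workspace";
    static final String CONTROLLED_RESOURCE = "controlled-resource";
    static final String SA_EMAIL = "wsm-sa@example.invalid"; // hypothetical service-account identity
    static final String SA_TOKEN = "sa-token";               // constructed token for the example

    private final Map<String, String> tokenToEmail = new HashMap<>();
    private final Map<String, Set<String>> policies = new HashMap<>(); // "type/id/role" -> member e-mails

    FakeSam() { tokenToEmail.put(SA_TOKEN, SA_EMAIL); }

    void registerUser(String token, String email) { tokenToEmail.put(token, email); }

    void addMember(String type, String id, String role, String email) {
        policies.computeIfAbsent(type + "/" + id + "/" + role, k -> new HashSet<>()).add(email);
    }

    boolean hasRole(String type, String id, String role, String email) {
        return policies.getOrDefault(type + "/" + id + "/" + role, Set.of()).contains(email);
    }

    /** Stand-in for checkAuthz: does the token's owner hold the role? Unknown tokens are rejected. */
    boolean callerHasRole(String token, String type, String id, String role) {
        String email = tokenToEmail.get(token);
        return email != null && hasRole(type, id, role, email);
    }

    /** Stand-in for removeUserFromPolicyV2: controlled-resource policies may only be edited by the SA. */
    void removeMember(String token, String type, String id, String role, String email) {
        String caller = tokenToEmail.get(token);
        if (caller == null) throw new SecurityException("401 Unauthorized: unknown token");
        if (CONTROLLED_RESOURCE.equals(type) && !SA_EMAIL.equals(caller)) {
            throw new SecurityException("403 Forbidden: only the WSM SA may edit controlled resources");
        }
        // Removing a role the user does not hold is a no-op, as the page describes for Sam.
        policies.getOrDefault(type + "/" + id + "/" + role, new HashSet<>()).remove(email);
    }
}

/** The safeguarded wrapper: the user's token is validated first; the SA token is used only afterwards. */
final class SafeguardedRoleRemover {
    private final FakeSam sam;
    SafeguardedRoleRemover(FakeSam sam) { this.sam = sam; }

    void removeResourceRole(String userToken, String workspaceId, String resourceId, String role, String email) {
        // 1. Authorize the caller with the caller's own credentials against the parent workspace.
        if (!sam.callerHasRole(userToken, FakeSam.WORKSPACE, workspaceId, "owner")) {
            throw new SecurityException("403 Forbidden: caller is not a workspace owner");
        }
        // 2. Only now perform the privileged mutation under the service-account identity.
        sam.removeMember(FakeSam.SA_TOKEN, FakeSam.CONTROLLED_RESOURCE, resourceId, role, email);
    }
}

public class ConfusedDeputyDemo {
    public static void main(String[] args) {
        FakeSam sam = new FakeSam();
        sam.registerUser("owner-token", "owner@example.invalid");
        sam.registerUser("reader-token", "reader@example.invalid");
        sam.addMember(FakeSam.WORKSPACE, "ws-1", "owner", "owner@example.invalid");
        sam.addMember(FakeSam.WORKSPACE, "ws-1", "reader", "reader@example.invalid");
        sam.addMember(FakeSam.CONTROLLED_RESOURCE, "res-1", "editor", "victim@example.invalid");

        SafeguardedRoleRemover remover = new SafeguardedRoleRemover(sam);

        // A workspace reader must not be able to make the SA strip someone else's resource role.
        try {
            remover.removeResourceRole("reader-token", "ws-1", "res-1", "editor", "victim@example.invalid");
            throw new AssertionError("reader should have been rejected before the SA token was used");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("victim still editor after rejected call: "
            + sam.hasRole(FakeSam.CONTROLLED_RESOURCE, "res-1", "editor", "victim@example.invalid"));

        // A workspace owner passes the check, and the mutation itself runs as the SA.
        remover.removeResourceRole("owner-token", "ws-1", "res-1", "editor", "victim@example.invalid");
        System.out.println("victim still editor after owner call: "
            + sam.hasRole(FakeSam.CONTROLLED_RESOURCE, "res-1", "editor", "victim@example.invalid"));
    }
}
```

The check deliberately targets the workspace (the parent), not the resource, because private controlled resources only carry the assigned user's role; a reader of the workspace holds no role on the resource and must be stopped before any SA-scoped call is made.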

Example 2 with Traced

use of io.opencensus.contrib.spring.aop.Traced in project terra-workspace-manager by DataBiosphere.

the class SamService method removeWorkspaceRole.

/**
 * Wrapper around Sam client to remove a role from the provided user.
 *
 * <p>This operation is only available to MC_WORKSPACE stage workspaces, as Rawls manages
 * permissions directly on other workspaces. Trying to remove a role that a user does not have
 * will succeed, though Sam will error if the email is not a registered user.
 */
@Traced
public void removeWorkspaceRole(UUID workspaceId, AuthenticatedUserRequest userRequest, WsmIamRole role, String email) throws InterruptedException {
    stageService.assertMcWorkspace(workspaceId, "removeWorkspaceRole");
    checkAuthz(userRequest, SamConstants.SamResource.WORKSPACE, workspaceId.toString(), samActionToModifyRole(role));
    ResourcesApi resourceApi = samResourcesApi(userRequest.getRequiredToken());
    try {
        SamRetry.retry(() -> resourceApi.removeUserFromPolicy(SamConstants.SamResource.WORKSPACE, workspaceId.toString(), role.toSamRole(), email.toLowerCase()));
        logger.info("Removed role {} from user {} in workspace {}", role.toSamRole(), email, workspaceId);
    } catch (ApiException apiException) {
        throw SamExceptionFactory.create("Error removing workspace role in Sam", apiException);
    }
}
Also used : ResourcesApi(org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi) ApiException(org.broadinstitute.dsde.workbench.client.sam.ApiException) Traced(io.opencensus.contrib.spring.aop.Traced)

Example 3 with Traced

use of io.opencensus.contrib.spring.aop.Traced in project terra-workspace-manager by DataBiosphere.

the class SamService method listWorkspaceIds.

/**
 * List all workspace IDs in Sam this user has access to. Note that in environments shared with
 * Rawls, some of these workspaces will be Rawls managed and WSM will not know about them.
 */
@Traced
public List<UUID> listWorkspaceIds(AuthenticatedUserRequest userRequest) throws InterruptedException {
    ResourcesApi resourceApi = samResourcesApi(userRequest.getRequiredToken());
    List<UUID> workspaceIds = new ArrayList<>();
    try {
        List<ResourceAndAccessPolicy> resourceAndPolicies = SamRetry.retry(() -> resourceApi.listResourcesAndPolicies(SamConstants.SamResource.WORKSPACE));
        for (var resourceAndPolicy : resourceAndPolicies) {
            try {
                workspaceIds.add(UUID.fromString(resourceAndPolicy.getResourceId()));
            } catch (IllegalArgumentException e) {
                // Resource IDs that are not UUIDs are not WSM workspaces; skip them.
                continue;
            }
        }
    } catch (ApiException apiException) {
        throw SamExceptionFactory.create("Error listing Workspace Ids in Sam", apiException);
    }
    return workspaceIds;
}
Also used : ArrayList(java.util.ArrayList) ResourcesApi(org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi) ResourceAndAccessPolicy(org.broadinstitute.dsde.workbench.client.sam.model.ResourceAndAccessPolicy) UUID(java.util.UUID) ApiException(org.broadinstitute.dsde.workbench.client.sam.ApiException) Traced(io.opencensus.contrib.spring.aop.Traced)

Example 4 with Traced

use of io.opencensus.contrib.spring.aop.Traced in project terra-workspace-manager by DataBiosphere.

the class SamService method createControlledResource.

/**
 * Create a controlled resource in Sam.
 *
 * @param resource The WSM representation of the resource to create.
 * @param privateIamRole The IAM role to grant on a private resource. It is required for
 *     user-private resources and optional for application-private resources.
 * @param assignedUserEmail Email identifier of the assigned user of this resource. Same
 *     constraints as privateIamRoles.
 * @param userRequest Credentials to use for talking to Sam.
 */
@Traced
public void createControlledResource(ControlledResource resource, @Nullable ControlledResourceIamRole privateIamRole, @Nullable String assignedUserEmail, AuthenticatedUserRequest userRequest) throws InterruptedException {
    // We need the WSM SA for setting controlled resource policies
    initializeWsmServiceAccount();
    FullyQualifiedResourceId workspaceParentFqId = new FullyQualifiedResourceId().resourceId(resource.getWorkspaceId().toString()).resourceTypeName(SamConstants.SamResource.WORKSPACE);
    CreateResourceRequestV2 resourceRequest = new CreateResourceRequestV2().resourceId(resource.getResourceId().toString()).parent(workspaceParentFqId);
    var builder = new ControlledResourceSamPolicyBuilder(this, privateIamRole, assignedUserEmail, userRequest, ControlledResourceCategory.get(resource.getAccessScope(), resource.getManagedBy()));
    builder.addPolicies(resourceRequest);
    try {
        // We use the user request for the create, but could equally well use the WSM SA.
        // The creating token has no effect on the resource policies.
        ResourcesApi resourceApi = samResourcesApi(userRequest.getRequiredToken());
        SamRetry.retry(() -> resourceApi.createResourceV2(resource.getCategory().getSamResourceName(), resourceRequest));
        logger.info("Created Sam controlled resource {}", resource.getResourceId());
        dumpRoleBindings(resource.getCategory().getSamResourceName(), resource.getResourceId().toString(), getWsmServiceAccountToken());
    } catch (ApiException apiException) {
        // Do nothing if the resource to create already exists: this may not be the first time this
        // step is run. Other exceptions still need to be surfaced.
        // Resource IDs are randomly generated, so we trust that the caller must have created
        // an existing Sam resource.
        logger.info("Sam API error while creating a controlled resource, code is " + apiException.getCode());
        if (apiException.getCode() == HttpStatus.CONFLICT.value()) {
            logger.info("Sam error was CONFLICT on creation request. This means the resource already " + "exists but is not an error so no exception thrown.");
            return;
        }
        throw SamExceptionFactory.create("Error creating controlled resource in Sam", apiException);
    }
}
Also used : FullyQualifiedResourceId(org.broadinstitute.dsde.workbench.client.sam.model.FullyQualifiedResourceId) ResourcesApi(org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi) CreateResourceRequestV2(org.broadinstitute.dsde.workbench.client.sam.model.CreateResourceRequestV2) ApiException(org.broadinstitute.dsde.workbench.client.sam.ApiException) Traced(io.opencensus.contrib.spring.aop.Traced)

Example 5 with Traced

use of io.opencensus.contrib.spring.aop.Traced in project terra-workspace-manager by DataBiosphere.

the class SamService method deleteWorkspace.

@Traced
public void deleteWorkspace(AuthenticatedUserRequest userRequest, UUID id) throws InterruptedException {
    String authToken = userRequest.getRequiredToken();
    ResourcesApi resourceApi = samResourcesApi(authToken);
    try {
        SamRetry.retry(() -> resourceApi.deleteResource(SamConstants.SamResource.WORKSPACE, id.toString()));
        logger.info("Deleted Sam resource for workspace {}", id);
    } catch (ApiException apiException) {
        logger.info("Sam API error while deleting workspace, code is " + apiException.getCode());
        // Treat NOT_FOUND as success so a retried deletion is idempotent. Other exceptions still
        // need to be surfaced.
        if (apiException.getCode() == HttpStatus.NOT_FOUND.value()) {
            logger.info("Sam error was NOT_FOUND on a deletion call. " + "This just means the deletion was tried twice so no error thrown.");
            return;
        }
        throw SamExceptionFactory.create("Error deleting a workspace in Sam", apiException);
    }
}
Also used : ResourcesApi(org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi) ApiException(org.broadinstitute.dsde.workbench.client.sam.ApiException) Traced(io.opencensus.contrib.spring.aop.Traced)
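Examples 4 and 5 share one idea: a step that may be retried tolerates exactly the status code that means the desired end state already holds (409 CONFLICT on create, 404 NOT_FOUND on delete) and surfaces everything else. The added example below (not project code) isolates that rule in a small helper and exercises it against a constructed stand-in for the resource API; the exception class and API are hypothetical, standing in for the Sam client's ApiException and ResourcesApi.

```java
import java.util.HashSet;
import java.util.Set;

/** Constructed stand-in for a client exception that carries an HTTP status code. */
final class FakeApiException extends Exception {
    private final int code;
    FakeApiException(int code, String message) { super(message); this.code = code; }
    int getCode() { return code; }
}

/** Constructed stand-in for the resource API: create fails with 409 on duplicates, delete with 404 on absence. */
final class FakeResourceApi {
    private final Set<String> resources = new HashSet<>();

    void createResource(String type, String id) throws FakeApiException {
        if (!resources.add(type + "/" + id)) throw new FakeApiException(409, "Conflict: " + id + " already exists");
    }

    void deleteResource(String type, String id) throws FakeApiException {
        if (!resources.remove(type + "/" + id)) throw new FakeApiException(404, "Not Found: " + id);
    }

    boolean exists(String type, String id) { return resources.contains(type + "/" + id); }
}

@FunctionalInterface
interface SamCall { void run() throws FakeApiException; }

final class IdempotentSam {
    /**
     * Runs the call; returns true on success and false when it failed with exactly the tolerated
     * status. Any other status (403, 500, ...) is rethrown, so a real failure is never hidden
     * behind "already done".
     */
    static boolean runTolerating(int toleratedStatus, SamCall call) throws FakeApiException {
        try {
            call.run();
            return true;
        } catch (FakeApiException e) {
            if (e.getCode() == toleratedStatus) return false;
            throw e;
        }
    }

    // Mirrors createControlledResource: CONFLICT means the resource was created on an earlier attempt.
    static boolean createWorkspace(FakeResourceApi api, String id) throws FakeApiException {
        return runTolerating(409, () -> api.createResource("workspace", id));
    }

    // Mirrors deleteWorkspace: NOT_FOUND means the deletion already happened.
    static boolean deleteWorkspace(FakeResourceApi api, String id) throws FakeApiException {
        return runTolerating(404, () -> api.deleteResource("workspace", id));
    }
}

public class IdempotentSamDemo {
    public static void main(String[] args) throws FakeApiException {
        FakeResourceApi api = new FakeResourceApi();
        System.out.println("first create succeeded:  " + IdempotentSam.createWorkspace(api, "ws-1"));
        System.out.println("second create succeeded: " + IdempotentSam.createWorkspace(api, "ws-1"));
        System.out.println("first delete succeeded:  " + IdempotentSam.deleteWorkspace(api, "ws-1"));
        System.out.println("second delete succeeded: " + IdempotentSam.deleteWorkspace(api, "ws-1"));
        System.out.println("resource exists: " + api.exists("workspace", "ws-1"));

        // Tolerating the wrong code does not help: a 404 from delete is not a 409, so it propagates.
        try {
            IdempotentSam.runTolerating(409, () -> api.deleteResource("workspace", "ws-1"));
        } catch (FakeApiException e) {
            System.out.println("surfaced: " + e.getCode() + " " + e.getMessage());
        }
    }
}
```

Tolerating CONFLICT on create is only safe because, as the original comment notes, resource IDs are random: a collision with someone else's resource is not expected, so an existing resource with this ID can be assumed to be our own earlier attempt. If IDs were caller-chosen, a 409 could mask a takeover of an existing resource and would need an ownership check instead.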

Aggregations

Traced (io.opencensus.contrib.spring.aop.Traced)23 ApiException (org.broadinstitute.dsde.workbench.client.sam.ApiException)11 ResourcesApi (org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi)11 Workspace (bio.terra.workspace.service.workspace.model.Workspace)5 JobBuilder (bio.terra.workspace.service.job.JobBuilder)3 CreateResourceRequestV2 (org.broadinstitute.dsde.workbench.client.sam.model.CreateResourceRequestV2)3 ForbiddenException (bio.terra.common.exception.ForbiddenException)2 ControlledResource (bio.terra.workspace.service.resource.controlled.model.ControlledResource)2 IOException (java.io.IOException)2 ArrayList (java.util.ArrayList)2 UUID (java.util.UUID)2 BufferApi (bio.terra.buffer.api.BufferApi)1 ApiException (bio.terra.buffer.client.ApiException)1 PoolInfo (bio.terra.buffer.model.PoolInfo)1 ServiceAccountName (bio.terra.cloudres.google.iam.ServiceAccountName)1 InternalServerErrorException (bio.terra.common.exception.InternalServerErrorException)1 SamRetry (bio.terra.common.sam.SamRetry)1 SamExceptionFactory (bio.terra.common.sam.exception.SamExceptionFactory)1 RepositoryApi (bio.terra.datarepo.api.RepositoryApi)1 ApiException (bio.terra.datarepo.client.ApiException)1