
Example 1 with ApiException

Use of org.broadinstitute.dsde.workbench.client.sam.ApiException in project jade-data-repo by DataBiosphere.

From the class SamIam, method listAuthorizedResourcesInner:

private List<UUID> listAuthorizedResourcesInner(AuthenticatedUserRequest userReq, IamResourceType iamResourceType) throws ApiException {
    // The Sam client is built with the caller's own token, so Sam enforces the caller's access.
    ResourcesApi samResourceApi = samResourcesApi(userReq.getRequiredToken());
    List<ResourceAndAccessPolicy> resources = samResourceApi.listResourcesAndPolicies(iamResourceType.toString());
    // Sam returns resource ids as strings; the data repo keys resources by UUID.
    return resources.stream().map(resource -> UUID.fromString(resource.getResourceId())).collect(Collectors.toList());
}

Example 2 with ApiException

Use of org.broadinstitute.dsde.workbench.client.sam.ApiException in project jade-data-repo by DataBiosphere.

From the class SamRetry, method perform:

<T> T perform(SamFunction<T> function) throws InterruptedException {
    while (true) {
        try {
            // Simulate a socket timeout for testing
            configService.fault(ConfigEnum.SAM_TIMEOUT_FAULT, () -> {
                throw new ApiException("fault insertion", HttpStatusCodes.STATUS_CODE_SERVER_ERROR, null, null);
            });
            return function.apply();
        } catch (ApiException ex) {
            // Only Sam internal server errors are retried; any other Sam error propagates immediately.
            RuntimeException rex = SamIam.convertSAMExToDataRepoEx(ex);
            if (!(rex instanceof IamInternalServerErrorException)) {
                throw rex;
            }
            logger.info("SamRetry: caught retry-able exception: " + ex);
            // If there is not enough time left for another sleep, give up and re-throw.
            if (operationTimeout.minusSeconds(retrySeconds).isBefore(now())) {
                logger.error("SamRetry: operation timed out after " + operationTimeout.toString());
                throw rex;
            }
        } catch (Exception ex) {
            throw new IamInternalServerErrorException("Unexpected exception type: " + ex.toString(), ex);
        }
        // Retry with exponential backoff, capped at retryMaxWait seconds.
        logger.info("SamRetry: sleeping " + retrySeconds + " seconds");
        TimeUnit.SECONDS.sleep(retrySeconds);
        retrySeconds = retrySeconds + retrySeconds;
        if (retrySeconds > retryMaxWait) {
            retrySeconds = retryMaxWait;
        }
    }
}

Example 3 with ApiException

Use of org.broadinstitute.dsde.workbench.client.sam.ApiException in project terra-external-credentials-manager by DataBiosphere.

From the class OidcApiControllerTest, method mockSamUserError:

private void mockSamUserError(String accessToken, HttpStatus notFound) throws ApiException {
    // Stub the Sam users API so that looking up the caller fails with the given HTTP status.
    var usersApiMock = mock(UsersApi.class);
    when(samServiceMock.samUsersApi(accessToken)).thenReturn(usersApiMock);
    when(usersApiMock.getUserStatusInfo()).thenThrow(new ApiException(notFound.value(), "Not Found"));
}

Example 4 with ApiException

Use of org.broadinstitute.dsde.workbench.client.sam.ApiException in project terra-workspace-manager by DataBiosphere.

From the class SamService, method removeResourceRole:

/**
 * Wrapper around the Sam client to remove a role from the provided user on a controlled resource.
 *
 * <p>Similar to {@link #removeWorkspaceRole}, but for controlled resources. This should only be
 * necessary for private resources, as users do not have individual roles on shared resources.
 *
 * <p>This call to Sam is made as the WSM SA, as users do not have permission to directly modify
 * IAM on resources. This method still requires user credentials to validate as a safeguard, but
 * they are not used in the role removal call.
 *
 * @param resource The resource to remove a role from
 * @param userRequest User credentials. These are not used for the call to Sam, but must belong to
 *     a workspace owner to ensure the WSM SA is being used on a user's behalf correctly.
 * @param role The role to remove
 * @param email Email identifier of the user whose role is being removed.
 */
@Traced
public void removeResourceRole(ControlledResource resource, AuthenticatedUserRequest userRequest, ControlledResourceIamRole role, String email) throws InterruptedException {
    // Validate that the provided user credentials can modify the owners of the resource's
    // workspace.
    // Although the Sam call to revoke a resource role must use WSM SA credentials instead, this
    // is a safeguard against accidentally invoking these credentials for unauthorized users.
    checkAuthz(userRequest, SamConstants.SamResource.WORKSPACE, resource.getWorkspaceId().toString(), samActionToModifyRole(WsmIamRole.OWNER));
    try {
        ResourcesApi wsmSaResourceApi = samResourcesApi(getWsmServiceAccountToken());
        SamRetry.retry(() -> wsmSaResourceApi.removeUserFromPolicyV2(resource.getCategory().getSamResourceName(), resource.getResourceId().toString(), role.toSamRole(), email));
        logger.info("Removed role {} from user {} on resource {}", role.toSamRole(), email, resource.getResourceId());
    } catch (ApiException apiException) {
        throw SamExceptionFactory.create("Sam error removing resource role in Sam", apiException);
    }
}

Example 5 with ApiException

Use of org.broadinstitute.dsde.workbench.client.sam.ApiException in project terra-workspace-manager by DataBiosphere.

From the class SamService, method removeWorkspaceRole:

/**
 * Wrapper around Sam client to remove a role from the provided user.
 *
 * <p>This operation is only available to MC_WORKSPACE stage workspaces, as Rawls manages
 * permissions directly on other workspaces. Trying to remove a role that a user does not have
 * will succeed, though Sam will error if the email is not a registered user.
 */
@Traced
public void removeWorkspaceRole(UUID workspaceId, AuthenticatedUserRequest userRequest, WsmIamRole role, String email) throws InterruptedException {
    stageService.assertMcWorkspace(workspaceId, "removeWorkspaceRole");
    checkAuthz(userRequest, SamConstants.SamResource.WORKSPACE, workspaceId.toString(), samActionToModifyRole(role));
    ResourcesApi resourceApi = samResourcesApi(userRequest.getRequiredToken());
    try {
        SamRetry.retry(() -> resourceApi.removeUserFromPolicy(SamConstants.SamResource.WORKSPACE, workspaceId.toString(), role.toSamRole(), email.toLowerCase()));
        logger.info("Removed role {} from user {} in workspace {}", role.toSamRole(), email, workspaceId);
    } catch (ApiException apiException) {
        throw SamExceptionFactory.create("Error removing workspace role in Sam", apiException);
    }
}
