/**
 * Returns an {@link AuthenticatedUserRequest} that carries the email and an access token of the
 * caller's pet service account in {@code projectId}. Sam creates the pet SA on the first request
 * if it does not exist yet.
 *
 * @param projectId GCP project the pet service account belongs to
 * @param userRequest request of the user whose pet is wanted; its token must be present
 * @return a request object whose email is the pet SA's email and whose token was issued with
 *     {@code PET_SA_OAUTH_SCOPES}
 * @throws InterruptedException if the Sam retry loop is interrupted
 * @throws InternalServerErrorException if Sam answers with a null token
 */
public AuthenticatedUserRequest getOrCreatePetSaCredentials(
    String projectId, AuthenticatedUserRequest userRequest) throws InterruptedException {
  String userToken = userRequest.getRequiredToken();
  GoogleApi googleApi = samGoogleApi(userToken);
  try {
    String petSaEmail = getOrCreatePetSaEmail(projectId, userToken);
    String petSaToken =
        SamRetry.retry(() -> googleApi.getPetServiceAccountToken(projectId, PET_SA_OAUTH_SCOPES));
    // Guards the Optional.of below: a null token would otherwise surface as a bare NPE. The
    // message describes the condition only and carries no token material.
    if (petSaToken == null) {
      throw new InternalServerErrorException("Sam returned null pet service account token");
    }
    return new AuthenticatedUserRequest()
        .email(petSaEmail)
        .token(Optional.of(petSaToken));
  } catch (ApiException apiException) {
    // Any Sam client failure is translated into the service's own exception hierarchy.
    throw SamExceptionFactory.create(
        "Error getting pet service account token from Sam", apiException);
  }
}
/**
 * Exercises the {@code enablePet} endpoint end to end against Sam and GCP IAM.
 *
 * <p>The journey checks that the ability to impersonate a pet service account is granted only
 * through the endpoint, is limited to the caller's own pet, and goes away again when the caller
 * loses workspace access. In order: the first user cannot impersonate their pet before
 * {@code enablePet} and can afterwards; the endpoint is then called with the pet's own token; a
 * second user is added as {@code READER}, can impersonate neither pet, then only their own pet
 * after calling {@code enablePet}; removing the {@code READER} role is expected to revoke that
 * permission, which is checked with a retrying negative assertion.
 *
 * <p>NOTE(review): after the call made with the pet's token no assertion follows, so the "pet
 * cannot impersonate itself" property is only exercised for absence of error, not verified.
 */
@Override
protected void doUserJourney(TestUserSpecification testUser, WorkspaceApi userWorkspaceApi)
    throws Exception {
  // First user: no impersonation before enablePet, impersonation after.
  GoogleApi firstUserGoogleApi = SamClientUtils.samGoogleApi(testUser, server);
  String firstUserPetEmail =
      SamRetry.retry(() -> firstUserGoogleApi.getPetServiceAccount(projectId));
  Iam firstUserIam = ClientTestUtils.getGcpIamClient(testUser);
  assertFalse(canImpersonateSa(firstUserIam, firstUserPetEmail));
  userWorkspaceApi.enablePet(getWorkspaceId());
  assertTrue(canImpersonateSa(firstUserIam, firstUserPetEmail));

  // Call the endpoint as the pet itself; this must not grant the pet self-impersonation.
  String firstUserPetRawToken =
      SamRetry.retry(
          () ->
              firstUserGoogleApi.getPetServiceAccountToken(
                  projectId, ClientTestUtils.TEST_USER_SCOPES));
  WorkspaceApi petWorkspaceApi =
      ClientTestUtils.getWorkspaceClientFromToken(
          new AccessToken(firstUserPetRawToken, null), server);
  petWorkspaceApi.enablePet(getWorkspaceId());

  // Second user joins as READER; before enablePet they can impersonate neither pet.
  userWorkspaceApi.grantRole(
      new GrantRoleRequestBody().memberEmail(secondUser.userEmail),
      getWorkspaceId(),
      IamRole.READER);
  GoogleApi secondUserGoogleApi = SamClientUtils.samGoogleApi(secondUser, server);
  String secondUserPetEmail =
      SamRetry.retry(() -> secondUserGoogleApi.getPetServiceAccount(projectId));
  Iam secondUserIam = ClientTestUtils.getGcpIamClient(secondUser);
  assertFalse(canImpersonateSa(secondUserIam, secondUserPetEmail));
  assertFalse(canImpersonateSa(secondUserIam, firstUserPetEmail));

  // After enablePet the second user may impersonate their own pet, and still not the first
  // user's pet.
  WorkspaceApi secondUserWorkspaceApi = ClientTestUtils.getWorkspaceClient(secondUser, server);
  secondUserWorkspaceApi.enablePet(getWorkspaceId());
  assertTrue(canImpersonateSa(secondUserIam, secondUserPetEmail));
  assertFalse(canImpersonateSa(secondUserIam, firstUserPetEmail));

  // Dropping the READER role must revoke the second user's pet impersonation. The negative check
  // is retried rather than asserted once, presumably because the IAM change is not visible
  // immediately.
  userWorkspaceApi.removeRole(getWorkspaceId(), IamRole.READER, secondUser.userEmail);
  assertTrue(
      ClientTestUtils.getWithRetryOnException(
          () -> assertCannotImpersonateSa(secondUserIam, secondUserPetEmail)));
}