
Example 1 with GoogleApi

Use of org.broadinstitute.dsde.workbench.client.sam.api.GoogleApi in the project terra-workspace-manager by DataBiosphere.

From the class SamService, method getOrCreatePetSaCredentials:

/**
 * Fetch credentials of a user's pet service account in a given project. This request to Sam will
 * create the pet SA if it doesn't already exist.
 */
public AuthenticatedUserRequest getOrCreatePetSaCredentials(String projectId, AuthenticatedUserRequest userRequest) throws InterruptedException {
    GoogleApi samGoogleApi = samGoogleApi(userRequest.getRequiredToken());
    try {
        String petEmail = getOrCreatePetSaEmail(projectId, userRequest.getRequiredToken());
        String petToken = SamRetry.retry(() -> samGoogleApi.getPetServiceAccountToken(projectId, PET_SA_OAUTH_SCOPES));
        // This should never happen, but it's more informative than an NPE from Optional.of
        if (petToken == null) {
            throw new InternalServerErrorException("Sam returned null pet service account token");
        }
        return new AuthenticatedUserRequest().email(petEmail).token(Optional.of(petToken));
    } catch (ApiException apiException) {
        throw SamExceptionFactory.create("Error getting pet service account token from Sam", apiException);
    }
}
Also used: GoogleApi (org.broadinstitute.dsde.workbench.client.sam.api.GoogleApi), InternalServerErrorException (bio.terra.common.exception.InternalServerErrorException), ApiException (org.broadinstitute.dsde.workbench.client.sam.ApiException)

Example 2 with GoogleApi

Use of org.broadinstitute.dsde.workbench.client.sam.api.GoogleApi in the project terra-workspace-manager by DataBiosphere.

From the class EnablePet, method doUserJourney:

@Override
protected void doUserJourney(TestUserSpecification testUser, WorkspaceApi userWorkspaceApi) throws Exception {
    // Validate that the user cannot impersonate their pet before calling this endpoint.
    GoogleApi samGoogleApi = SamClientUtils.samGoogleApi(testUser, server);
    String petSaEmail = SamRetry.retry(() -> samGoogleApi.getPetServiceAccount(projectId));
    Iam userIamClient = ClientTestUtils.getGcpIamClient(testUser);
    assertFalse(canImpersonateSa(userIamClient, petSaEmail));
    userWorkspaceApi.enablePet(getWorkspaceId());
    assertTrue(canImpersonateSa(userIamClient, petSaEmail));
    // Validate that calling this endpoint as the pet does not grant the pet permission to
    // impersonate itself.
    String rawPetSaToken = SamRetry.retry(() -> samGoogleApi.getPetServiceAccountToken(projectId, ClientTestUtils.TEST_USER_SCOPES));
    AccessToken petSaToken = new AccessToken(rawPetSaToken, null);
    WorkspaceApi petSaWorkspaceApi = ClientTestUtils.getWorkspaceClientFromToken(petSaToken, server);
    petSaWorkspaceApi.enablePet(getWorkspaceId());
    // Add second user to the workspace as a reader.
    userWorkspaceApi.grantRole(new GrantRoleRequestBody().memberEmail(secondUser.userEmail), getWorkspaceId(), IamRole.READER);
    // Validate the second user cannot impersonate either user's pet.
    GoogleApi secondUserSamGoogleApi = SamClientUtils.samGoogleApi(secondUser, server);
    String secondUserPetSaEmail = SamRetry.retry(() -> secondUserSamGoogleApi.getPetServiceAccount(projectId));
    Iam secondUserIamClient = ClientTestUtils.getGcpIamClient(secondUser);
    assertFalse(canImpersonateSa(secondUserIamClient, secondUserPetSaEmail));
    assertFalse(canImpersonateSa(secondUserIamClient, petSaEmail));
    // Enable the second user to impersonate their pet
    WorkspaceApi secondUserWorkspaceApi = ClientTestUtils.getWorkspaceClient(secondUser, server);
    secondUserWorkspaceApi.enablePet(getWorkspaceId());
    assertTrue(canImpersonateSa(secondUserIamClient, secondUserPetSaEmail));
    // Second user still cannot impersonate first user's pet
    assertFalse(canImpersonateSa(secondUserIamClient, petSaEmail));
    // Remove second user from workspace. This should revoke their permission to impersonate their
    // pet.
    userWorkspaceApi.removeRole(getWorkspaceId(), IamRole.READER, secondUser.userEmail);
    assertTrue(ClientTestUtils.getWithRetryOnException(() -> assertCannotImpersonateSa(secondUserIamClient, secondUserPetSaEmail)));
}
Also used: GrantRoleRequestBody (bio.terra.workspace.model.GrantRoleRequestBody), Iam (com.google.api.services.iam.v1.Iam), GoogleApi (org.broadinstitute.dsde.workbench.client.sam.api.GoogleApi), WorkspaceApi (bio.terra.workspace.api.WorkspaceApi), AccessToken (com.google.auth.oauth2.AccessToken)
