use of org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi in project jade-data-repo by DataBiosphere.
the class SamIam method createDatasetResourceInner.
/**
 * Registers a dataset as a Sam resource with STEWARD, CUSTODIAN and INGESTER policies,
 * then syncs each policy so the group email Sam produces can be granted data access.
 *
 * @param userReq the requesting user; the token authenticates the Sam calls and the
 *     user's email becomes the initial CUSTODIAN member
 * @param datasetId id of the dataset, used verbatim as the Sam resource id
 * @return the synced policy email for each of the three roles
 * @throws ApiException if Sam rejects the resource creation or a policy sync
 */
private Map<IamRole, String> createDatasetResourceInner(AuthenticatedUserRequest userReq, UUID datasetId) throws ApiException {
    String stewardRole = IamRole.STEWARD.toString();
    String custodianRole = IamRole.CUSTODIAN.toString();
    String ingesterRole = IamRole.INGESTER.toString();

    CreateResourceCorrectRequest createRequest = new CreateResourceCorrectRequest();
    createRequest.setResourceId(datasetId.toString());
    // stewards come from configuration, the caller becomes the first custodian, and the
    // ingester policy is created with only its role set (no members)
    createRequest.addPoliciesItem(stewardRole,
        createAccessPolicy(stewardRole, Collections.singletonList(samConfig.getStewardsGroupEmail())));
    createRequest.addPoliciesItem(custodianRole,
        createAccessPolicy(custodianRole, Collections.singletonList(userReq.getEmail())));
    createRequest.addPoliciesItem(ingesterRole,
        new AccessPolicyMembership().roles(Collections.singletonList(ingesterRole)));

    ResourcesApi resourcesApi = samResourcesApi(userReq.getRequiredToken());
    // NOTE(review): this debug line presumably serializes the member emails set above into
    // the log; confirm that is acceptable for the log's audience and retention.
    logger.debug(createRequest.toString());
    createResourceCorrectCall(resourcesApi.getApiClient(), IamResourceType.DATASET.toString(), createRequest);

    // every one of these roles needs read access to the underlying data, so sync each
    // policy Sam created and hand back the resulting emails
    IamRole[] rolesToSync = {IamRole.STEWARD, IamRole.CUSTODIAN, IamRole.INGESTER};
    Map<IamRole, String> syncedPolicies = new HashMap<>();
    for (IamRole role : rolesToSync) {
        syncedPolicies.put(role, syncOnePolicy(userReq, IamResourceType.DATASET, datasetId, role));
    }
    return syncedPolicies;
}
use of org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi in project jade-data-repo by DataBiosphere.
the class SamIam method listAuthorizedResourcesInner.
/**
 * Returns the ids of every resource of the given type that Sam reports for the user's token.
 *
 * @param userReq the requesting user; the token authenticates the Sam call
 * @param iamResourceType the Sam resource type to list
 * @return the resource ids parsed as UUIDs, in the order Sam returned them
 * @throws ApiException if the Sam call fails
 */
private List<UUID> listAuthorizedResourcesInner(AuthenticatedUserRequest userReq, IamResourceType iamResourceType) throws ApiException {
    ResourcesApi resourcesApi = samResourcesApi(userReq.getRequiredToken());
    List<ResourceAndAccessPolicy> visible = resourcesApi.listResourcesAndPolicies(iamResourceType.toString());
    return visible.stream()
        .map(ResourceAndAccessPolicy::getResourceId)
        .map(UUID::fromString)
        .collect(Collectors.toList());
}
use of org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi in project jade-data-repo by DataBiosphere.
the class SamIam method addPolicyMemberInner.
/**
 * Adds a user to a policy on a Sam resource and returns the policy's membership afterwards.
 *
 * @param userReq the requesting user; the token authenticates the Sam calls
 * @param iamResourceType the Sam resource type
 * @param resourceId id of the resource whose policy is changed
 * @param policyName name of the policy to add the member to
 * @param userEmail email of the member to add
 * @return the policy name together with the member emails Sam reports after the add
 * @throws ApiException if either Sam call fails
 */
private PolicyModel addPolicyMemberInner(AuthenticatedUserRequest userReq, IamResourceType iamResourceType, UUID resourceId, String policyName, String userEmail) throws ApiException {
    String resourceType = iamResourceType.toString();
    String resourceIdText = resourceId.toString();
    ResourcesApi resourcesApi = samResourcesApi(userReq.getRequiredToken());
    resourcesApi.addUserToPolicy(resourceType, resourceIdText, policyName, userEmail);
    // re-read the policy so the returned membership reflects what Sam actually stored
    AccessPolicyMembership updated = resourcesApi.getPolicy(resourceType, resourceIdText, policyName);
    return new PolicyModel().name(policyName).members(updated.getMemberEmails());
}
use of org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi in project jade-data-repo by DataBiosphere.
the class SamIam method deleteResourceInner.
// Return useless boolean to match the SamFunction signature for retry
/**
 * Deletes a resource from Sam on behalf of the user.
 *
 * @param userReq the requesting user; the token authenticates the Sam call
 * @param iamResourceType the Sam resource type
 * @param resourceId the Sam resource id (already a string, unlike the UUID taken by the
 *     sibling methods)
 * @return always {@code true}; the value only exists to satisfy the retry wrapper's signature
 * @throws ApiException if the Sam call fails
 */
private boolean deleteResourceInner(AuthenticatedUserRequest userReq, IamResourceType iamResourceType, String resourceId) throws ApiException {
    ResourcesApi resourcesApi = samResourcesApi(userReq.getRequiredToken());
    String resourceType = iamResourceType.toString();
    resourcesApi.deleteResource(resourceType, resourceId);
    return true;
}
use of org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi in project terra-workspace-manager by DataBiosphere.
the class SamService method removeResourceRole.
/**
* Wrapper around the Sam client to remove a role from the provided user on a controlled resource.
*
* <p>Similar to {@link #removeWorkspaceRole}, but for controlled resources. This should only be
* necessary for private resources, as users do not have individual roles on shared resources.
*
* <p>This call to Sam is made as the WSM SA, as users do not have permission to directly modify
* IAM on resources. This method still requires user credentials to validate as a safeguard, but
* they are not used in the role removal call.
*
* @param resource The resource to remove a role from
* @param userRequest User credentials. These are not used for the call to Sam, but must belong to
* a workspace owner to ensure the WSM SA is being used on a user's behalf correctly.
* @param role The role to remove
* @param email Email identifier of the user whose role is being removed.
*/
@Traced
public void removeResourceRole(ControlledResource resource, AuthenticatedUserRequest userRequest, ControlledResourceIamRole role, String email) throws InterruptedException {
    String workspaceId = resource.getWorkspaceId().toString();
    // The revoke itself runs under the WSM service account, so confirm first that the caller
    // may modify owners of the enclosing workspace. This is the only thing the user's own
    // credentials are used for here; it keeps the SA from acting for an unauthorized caller.
    checkAuthz(userRequest, SamConstants.SamResource.WORKSPACE, workspaceId, samActionToModifyRole(WsmIamRole.OWNER));
    try {
        ResourcesApi saResourcesApi = samResourcesApi(getWsmServiceAccountToken());
        SamRetry.retry(
            () -> saResourcesApi.removeUserFromPolicyV2(
                resource.getCategory().getSamResourceName(),
                resource.getResourceId().toString(),
                role.toSamRole(),
                email));
        // NOTE(review): the affected user's email lands in the info log here; confirm that
        // matches the log's audience and retention policy.
        logger.info("Removed role {} from user {} on resource {}", role.toSamRole(), email, resource.getResourceId());
    } catch (ApiException e) {
        throw SamExceptionFactory.create("Sam error removing resource role in Sam", e);
    }
}