Search in sources :

Example 6 with ResourcesApi

use of org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi in project terra-workspace-manager by DataBiosphere.

the class SamService method removeWorkspaceRole.

/**
 * Wrapper around Sam client to remove a role from the provided user.
 *
 * <p>This operation is only available to MC_WORKSPACE stage workspaces, as Rawls manages
 * permissions directly on other workspaces. Trying to remove a role that a user does not have
 * will succeed, though Sam will error if the email is not a registered user.
 */
@Traced
public void removeWorkspaceRole(UUID workspaceId, AuthenticatedUserRequest userRequest, WsmIamRole role, String email) throws InterruptedException {
    stageService.assertMcWorkspace(workspaceId, "removeWorkspaceRole");
    checkAuthz(userRequest, SamConstants.SamResource.WORKSPACE, workspaceId.toString(), samActionToModifyRole(role));
    ResourcesApi resourceApi = samResourcesApi(userRequest.getRequiredToken());
    try {
        SamRetry.retry(() -> resourceApi.removeUserFromPolicy(SamConstants.SamResource.WORKSPACE, workspaceId.toString(), role.toSamRole(), email.toLowerCase()));
        logger.info("Removed role {} from user {} in workspace {}", role.toSamRole(), email, workspaceId);
    } catch (ApiException apiException) {
        throw SamExceptionFactory.create("Error removing workspace role in Sam", apiException);
    }
}
Also used : ResourcesApi(org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi) ApiException(org.broadinstitute.dsde.workbench.client.sam.ApiException) Traced(io.opencensus.contrib.spring.aop.Traced)

Example 7 with ResourcesApi

use of org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi in project terra-workspace-manager by DataBiosphere.

the class SamService method listWorkspaceIds.

/**
 * List all workspace IDs in Sam this user has access to. Note that in environments shared with
 * Rawls, some of these workspaces will be Rawls managed and WSM will not know about them.
 */
@Traced
public List<UUID> listWorkspaceIds(AuthenticatedUserRequest userRequest) throws InterruptedException {
    ResourcesApi resourceApi = samResourcesApi(userRequest.getRequiredToken());
    List<UUID> workspaceIds = new ArrayList<>();
    try {
        List<ResourceAndAccessPolicy> resourceAndPolicies = SamRetry.retry(() -> resourceApi.listResourcesAndPolicies(SamConstants.SamResource.WORKSPACE));
        for (var resourceAndPolicy : resourceAndPolicies) {
            try {
                workspaceIds.add(UUID.fromString(resourceAndPolicy.getResourceId()));
            } catch (IllegalArgumentException e) {
                // ignored here.
                continue;
            }
        }
    } catch (ApiException apiException) {
        throw SamExceptionFactory.create("Error listing Workspace Ids in Sam", apiException);
    }
    return workspaceIds;
}
Also used : ArrayList(java.util.ArrayList) ResourcesApi(org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi) ResourceAndAccessPolicy(org.broadinstitute.dsde.workbench.client.sam.model.ResourceAndAccessPolicy) UUID(java.util.UUID) ApiException(org.broadinstitute.dsde.workbench.client.sam.ApiException) Traced(io.opencensus.contrib.spring.aop.Traced)

Example 8 with ResourcesApi

use of org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi in project terra-workspace-manager by DataBiosphere.

the class SamService method createControlledResource.

/**
 * Create a controlled resource in Sam.
 *
 * @param resource The WSM representation of the resource to create.
 * @param privateIamRole The IAM role to grant on a private resource. It is required for
 *     user-private resources and optional for application-private resources.
 * @param assignedUserEmail Email identifier of the assigned user of this resource. Same
 *     constraints as privateIamRoles.
 * @param userRequest Credentials to use for talking to Sam.
 */
@Traced
public void createControlledResource(ControlledResource resource, @Nullable ControlledResourceIamRole privateIamRole, @Nullable String assignedUserEmail, AuthenticatedUserRequest userRequest) throws InterruptedException {
    // We need the WSM SA for setting controlled resource policies
    initializeWsmServiceAccount();
    FullyQualifiedResourceId workspaceParentFqId = new FullyQualifiedResourceId().resourceId(resource.getWorkspaceId().toString()).resourceTypeName(SamConstants.SamResource.WORKSPACE);
    CreateResourceRequestV2 resourceRequest = new CreateResourceRequestV2().resourceId(resource.getResourceId().toString()).parent(workspaceParentFqId);
    var builder = new ControlledResourceSamPolicyBuilder(this, privateIamRole, assignedUserEmail, userRequest, ControlledResourceCategory.get(resource.getAccessScope(), resource.getManagedBy()));
    builder.addPolicies(resourceRequest);
    try {
        // We use the user request for the create, but could equally well use the WSM SA.
        // The creating token has no effect on the resource policies.
        ResourcesApi resourceApi = samResourcesApi(userRequest.getRequiredToken());
        SamRetry.retry(() -> resourceApi.createResourceV2(resource.getCategory().getSamResourceName(), resourceRequest));
        logger.info("Created Sam controlled resource {}", resource.getResourceId());
        dumpRoleBindings(resource.getCategory().getSamResourceName(), resource.getResourceId().toString(), getWsmServiceAccountToken());
    } catch (ApiException apiException) {
        // Do nothing if the resource to create already exists, this may not be the first time do is
        // called. Other exceptions still need to be surfaced.
        // Resource IDs are randomly generated, so we trust that the caller must have created
        // an existing Sam resource.
        logger.info("Sam API error while creating a controlled resource, code is " + apiException.getCode());
        if (apiException.getCode() == HttpStatus.CONFLICT.value()) {
            logger.info("Sam error was CONFLICT on creation request. This means the resource already " + "exists but is not an error so no exception thrown.");
            return;
        }
        throw SamExceptionFactory.create("Error creating controlled resource in Sam", apiException);
    }
}
Also used : FullyQualifiedResourceId(org.broadinstitute.dsde.workbench.client.sam.model.FullyQualifiedResourceId) ResourcesApi(org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi) CreateResourceRequestV2(org.broadinstitute.dsde.workbench.client.sam.model.CreateResourceRequestV2) ApiException(org.broadinstitute.dsde.workbench.client.sam.ApiException) Traced(io.opencensus.contrib.spring.aop.Traced)

Example 9 with ResourcesApi

use of org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi in project terra-workspace-manager by DataBiosphere.

the class SamService method dumpRoleBindings.

// Add code to retrieve and dump the role assignments for WSM controlled resources
// for debugging. No permission check outside of Sam.
public void dumpRoleBindings(String samResourceType, String resourceId, String token) {
    logger.debug("DUMP ROLE BINDING - resourceType {} resourceId {}", samResourceType, resourceId);
    ResourcesApi resourceApi = samResourcesApi(token);
    try {
        List<AccessPolicyResponseEntryV2> samResult = SamRetry.retry(() -> resourceApi.listResourcePoliciesV2(samResourceType, resourceId));
        for (AccessPolicyResponseEntryV2 entry : samResult) {
            logger.debug("  samPolicy: {}", entry);
        }
    } catch (ApiException apiException) {
        throw SamExceptionFactory.create("Error listing role bindings in Sam", apiException);
    } catch (InterruptedException e) {
        logger.warn("dump role binding was interrupted");
    }
}
Also used : ResourcesApi(org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi) AccessPolicyResponseEntryV2(org.broadinstitute.dsde.workbench.client.sam.model.AccessPolicyResponseEntryV2) ApiException(org.broadinstitute.dsde.workbench.client.sam.ApiException)

Example 10 with ResourcesApi

use of org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi in project terra-workspace-manager by DataBiosphere.

the class SamService method deleteWorkspace.

@Traced
public void deleteWorkspace(AuthenticatedUserRequest userRequest, UUID id) throws InterruptedException {
    String authToken = userRequest.getRequiredToken();
    ResourcesApi resourceApi = samResourcesApi(authToken);
    try {
        SamRetry.retry(() -> resourceApi.deleteResource(SamConstants.SamResource.WORKSPACE, id.toString()));
        logger.info("Deleted Sam resource for workspace {}", id);
    } catch (ApiException apiException) {
        logger.info("Sam API error while deleting workspace, code is " + apiException.getCode());
        // called. Other exceptions still need to be surfaced.
        if (apiException.getCode() == HttpStatus.NOT_FOUND.value()) {
            logger.info("Sam error was NOT_FOUND on a deletion call. " + "This just means the deletion was tried twice so no error thrown.");
            return;
        }
        throw SamExceptionFactory.create("Error deleting a workspace in Sam", apiException);
    }
}
Also used : ResourcesApi(org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi) ApiException(org.broadinstitute.dsde.workbench.client.sam.ApiException) Traced(io.opencensus.contrib.spring.aop.Traced)

Aggregations

ResourcesApi (org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi)23 ApiException (org.broadinstitute.dsde.workbench.client.sam.ApiException)15 Traced (io.opencensus.contrib.spring.aop.Traced)12 ArrayList (java.util.ArrayList)6 HashMap (java.util.HashMap)6 AccessPolicyMembership (org.broadinstitute.dsde.workbench.client.sam.model.AccessPolicyMembership)6 UUID (java.util.UUID)5 CreateResourceRequestV2 (org.broadinstitute.dsde.workbench.client.sam.model.CreateResourceRequestV2)5 ResourceAndAccessPolicy (org.broadinstitute.dsde.workbench.client.sam.model.ResourceAndAccessPolicy)5 PolicyModel (bio.terra.model.PolicyModel)4 IamRole (bio.terra.service.iam.IamRole)4 List (java.util.List)4 Map (java.util.Map)4 Collectors (java.util.stream.Collectors)4 ApiClient (org.broadinstitute.dsde.workbench.client.sam.ApiClient)4 GoogleApi (org.broadinstitute.dsde.workbench.client.sam.api.GoogleApi)4 UsersApi (org.broadinstitute.dsde.workbench.client.sam.api.UsersApi)4 AccessPolicyResponseEntry (org.broadinstitute.dsde.workbench.client.sam.model.AccessPolicyResponseEntry)4 AccessPolicyResponseEntryV2 (org.broadinstitute.dsde.workbench.client.sam.model.AccessPolicyResponseEntryV2)4 Logger (org.slf4j.Logger)4