/**
 * Wrapper around the Sam client that returns the current role bindings of a workspace.
 *
 * <p>Only MC_WORKSPACE stage workspaces are supported; Rawls manages permissions directly on
 * other workspace stages.
 *
 * <p>The caller must hold READ_IAM on the workspace; this is checked before Sam is called, and
 * the Sam call itself is made with the caller's own token.
 *
 * @param workspaceId the workspace whose Sam policies are listed
 * @param userRequest credentials of the caller
 * @return one {@link RoleBinding} per Sam policy on the workspace, excluding the MANAGER policy
 * @throws InterruptedException if interrupted while retrying the Sam call
 */
@Traced
public List<RoleBinding> listRoleBindings(UUID workspaceId, AuthenticatedUserRequest userRequest)
    throws InterruptedException {
  stageService.assertMcWorkspace(workspaceId, "listRoleBindings");
  String workspaceResourceId = workspaceId.toString();
  checkAuthz(
      userRequest,
      SamConstants.SamResource.WORKSPACE,
      workspaceResourceId,
      SamWorkspaceAction.READ_IAM);
  ResourcesApi resourcesApi = samResourcesApi(userRequest.getRequiredToken());
  // The MANAGER policy is dropped from the result returned to callers (presumably WSM's own
  // service policy rather than a user-facing role -- confirm against WsmIamRole).
  String managerPolicyName = WsmIamRole.MANAGER.toSamRole();
  try {
    List<AccessPolicyResponseEntry> policies =
        SamRetry.retry(
            () ->
                resourcesApi.listResourcePolicies(
                    SamConstants.SamResource.WORKSPACE, workspaceResourceId));
    return policies.stream()
        .filter(entry -> !managerPolicyName.equals(entry.getPolicyName()))
        .map(entry -> roleBindingFromPolicy(entry))
        .collect(Collectors.toList());
  } catch (ApiException apiException) {
    throw SamExceptionFactory.create("Error listing role bindings in Sam", apiException);
  }
}

/** Converts one Sam policy entry into a {@link RoleBinding} (role name plus member emails). */
private static RoleBinding roleBindingFromPolicy(AccessPolicyResponseEntry entry) {
  return RoleBinding.builder()
      .role(WsmIamRole.fromSam(entry.getPolicyName()))
      .users(entry.getPolicy().getMemberEmails())
      .build();
}
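/**
 * Returns the roles a user holds directly on a private, user-managed controlled resource.
 * Roles held only via group membership are not returned.
 *
 * <p>The Sam call is made as the WSM service account, because users cannot read or modify IAM
 * on these resources directly. The caller's credentials are still required and are checked for
 * the workspace OWNER modify action as a safeguard: the SA token is only exercised on behalf of
 * a user who is authorized to manage the workspace's owners.
 *
 * @param resource the resource whose Sam policies are inspected
 * @param userEmail email identifier of the user whose direct roles are returned
 * @param userRequest user credentials; not used for the Sam call, but must belong to a
 *     workspace owner so that the WSM SA is used on a user's behalf correctly
 * @return the controlled-resource roles whose Sam policy lists {@code userEmail} as a member
 * @throws InterruptedException if interrupted while retrying the Sam call
 */
public List<ControlledResourceIamRole> getUserRolesOnPrivateResource(
    ControlledResource resource, String userEmail, AuthenticatedUserRequest userRequest)
    throws InterruptedException {
  // Safeguard: the WSM SA token used below is only ever exercised for a caller who could
  // modify the workspace's owners themselves.
  checkAuthz(
      userRequest,
      SamConstants.SamResource.WORKSPACE,
      resource.getWorkspaceId().toString(),
      samActionToModifyRole(WsmIamRole.OWNER));
  String samResourceType = resource.getCategory().getSamResourceName();
  String samResourceId = resource.getResourceId().toString();
  try {
    ResourcesApi wsmSaResourceApi = samResourcesApi(getWsmServiceAccountToken());
    // Retried like the other Sam calls in this class; the declared InterruptedException is
    // thrown by the retry loop.
    List<AccessPolicyResponseEntryV2> policyList =
        SamRetry.retry(
            () -> wsmSaResourceApi.listResourcePoliciesV2(samResourceType, samResourceId));
    // NOTE(review): membership is an exact, case-sensitive match. Emails are lowercased when
    // written to Sam elsewhere in this class, so callers should pass a normalized email.
    return policyList.stream()
        .filter(policyEntry -> policyEntry.getPolicy().getMemberEmails().contains(userEmail))
        .map(AccessPolicyResponseEntryV2::getPolicyName)
        .map(ControlledResourceIamRole::fromSamRole)
        .collect(Collectors.toList());
  } catch (ApiException apiException) {
    // This method only lists roles; the earlier "removing resource role" message was a
    // copy-paste error that misled anyone reading the logs.
    throw SamExceptionFactory.create("Error listing resource roles in Sam", apiException);
  }
}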
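/**
 * Wrapper around the Sam client to grant a workspace role to a user.
 *
 * <p>Only MC_WORKSPACE stage workspaces are supported; Rawls manages permissions directly on
 * other workspace stages.
 *
 * <p>The caller must hold the Sam action for modifying {@code role} on the workspace; this is
 * checked before any Sam write is made, and the write is made with the caller's own token.
 *
 * @param workspaceId the workspace this operation takes place in
 * @param userRequest credentials of the user requesting this operation; only owners have
 *     permission to modify roles in a workspace
 * @param role the role being granted
 * @param email the user being granted the role
 * @throws InterruptedException if interrupted while retrying the Sam call
 */
@Traced
public void grantWorkspaceRole(
    UUID workspaceId, AuthenticatedUserRequest userRequest, WsmIamRole role, String email)
    throws InterruptedException {
  stageService.assertMcWorkspace(workspaceId, "grantWorkspaceRole");
  String workspaceResourceId = workspaceId.toString();
  checkAuthz(
      userRequest,
      SamConstants.SamResource.WORKSPACE,
      workspaceResourceId,
      samActionToModifyRole(role));
  ResourcesApi resourceApi = samResourcesApi(userRequest.getRequiredToken());
  // GCP always uses lowercase email identifiers, so we do the same here for consistency.
  // Locale.ROOT keeps the normalization independent of the JVM's default locale (e.g. the
  // Turkish dotless-i mapping), so the same input always yields the same Sam member id.
  String normalizedEmail = email.toLowerCase(java.util.Locale.ROOT);
  String samRole = role.toSamRole();
  try {
    SamRetry.retry(
        () ->
            resourceApi.addUserToPolicy(
                SamConstants.SamResource.WORKSPACE, workspaceResourceId, samRole, normalizedEmail));
    // Log the identifier actually written to Sam, not the caller's raw input.
    logger.info(
        "Granted role {} to user {} in workspace {}", samRole, normalizedEmail, workspaceId);
  } catch (ApiException apiException) {
    throw SamExceptionFactory.create("Error granting workspace role in Sam", apiException);
  }
}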
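/**
 * Deletes the Sam resource backing a controlled resource, using the supplied access token.
 *
 * <p>A NOT_FOUND response from Sam is treated as success: this may not be the first time delete
 * is called for the resource, and in that case it is already gone. Every other Sam error is
 * surfaced to the caller.
 *
 * @param resource the controlled resource whose Sam resource to delete
 * @param token access token used for the Sam call
 * @throws InterruptedException on thread interrupt while retrying the Sam call
 */
@Traced
public void deleteControlledResource(ControlledResource resource, String token)
    throws InterruptedException {
  ResourcesApi resourceApi = samResourcesApi(token);
  String samResourceType = resource.getCategory().getSamResourceName();
  String samResourceId = resource.getResourceId().toString();
  try {
    SamRetry.retry(() -> resourceApi.deleteResourceV2(samResourceType, samResourceId));
    logger.info("Deleted Sam controlled resource {}", resource.getResourceId());
  } catch (ApiException apiException) {
    // Parameterized logging: no string concatenation when the level is disabled, and the
    // message format stays stable for log parsing.
    logger.info(
        "Sam API error while deleting a controlled resource, code is {}", apiException.getCode());
    if (apiException.getCode() == HttpStatus.NOT_FOUND.value()) {
      // Idempotent delete: the Sam resource is already absent, so there is nothing to surface.
      logger.info(
          "Sam error was NOT_FOUND on a deletion call. This just means the deletion was tried twice so no error thrown.");
      return;
    }
    throw SamExceptionFactory.create("Error deleting controlled resource in Sam", apiException);
  }
}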
/**
 * Lists the Sam policies on a resource as {@link PolicyModel}s.
 *
 * <p>The call is made with the requesting user's token, so Sam enforces that user's own access
 * to the resource. No retry is applied in this method (presumably handled by the caller --
 * confirm).
 *
 * @param userReq credentials whose token is used for the Sam call
 * @param iamResourceType Sam resource type of the resource
 * @param resourceId id of the resource whose policies are listed
 * @return one model per Sam policy, carrying the policy name and its member emails
 * @throws ApiException on any Sam client error
 */
private List<PolicyModel> retrievePoliciesInner(
    AuthenticatedUserRequest userReq, IamResourceType iamResourceType, UUID resourceId)
    throws ApiException {
  String samResourceType = iamResourceType.toString();
  String samResourceId = resourceId.toString();
  ResourcesApi resourcesApi = samResourcesApi(userReq.getRequiredToken());
  List<AccessPolicyResponseEntry> entries =
      resourcesApi.listResourcePolicies(samResourceType, samResourceId);
  return entries.stream()
      .map(entry -> policyModelFromEntry(entry))
      .collect(Collectors.toList());
}

/** Converts a single Sam policy entry into the API's {@link PolicyModel}. */
private static PolicyModel policyModelFromEntry(AccessPolicyResponseEntry entry) {
  return new PolicyModel()
      .name(entry.getPolicyName())
      .members(entry.getPolicy().getMemberEmails());
}