use of org.broadinstitute.dsde.workbench.client.sam.model.AccessPolicyMembershipV2 in project terra-workspace-manager by DataBiosphere.
the class SamService method defaultWorkspacePolicies.
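/**
 * Builds the complete policy map for a new workspace resource in Sam: the provided user as
 * OWNER, WSM's own service account as MANAGER, and an empty (member-less) policy for every other
 * {@link WsmIamRole}.
 *
 * <p>This is a helper for the policy section of a Sam create-resource request. Sam requires every
 * policy on a workspace to be present at creation time, so the non-owner/non-manager policies are
 * created empty here and populated later through membership updates.
 *
 * <p>The MANAGER policy is always populated with the WSM service account (from
 * {@link GcpUtils#getWsmSaEmail()}) so that WSM keeps administrative control of the workspace.
 *
 * @param ownerEmail email of the user to grant the OWNER role; must not be null
 * @return map from Sam role name to that role's initial policy membership
 * @throws NullPointerException if {@code ownerEmail} is null
 */
private Map<String, AccessPolicyMembershipV2> defaultWorkspacePolicies(String ownerEmail) {
  // Fail fast on a null owner rather than sending Sam an OWNER policy whose only member is null.
  java.util.Objects.requireNonNull(ownerEmail, "ownerEmail");

  Map<String, AccessPolicyMembershipV2> policyMap = new HashMap<>();

  String ownerRole = WsmIamRole.OWNER.toSamRole();
  policyMap.put(
      ownerRole,
      new AccessPolicyMembershipV2().addRolesItem(ownerRole).addMemberEmailsItem(ownerEmail));

  // For all non-owner/manager roles, we create empty policies which can be modified later.
  for (WsmIamRole workspaceRole : WsmIamRole.values()) {
    if (workspaceRole == WsmIamRole.OWNER || workspaceRole == WsmIamRole.MANAGER) {
      continue;
    }
    String samRole = workspaceRole.toSamRole();
    policyMap.put(samRole, new AccessPolicyMembershipV2().addRolesItem(samRole));
  }

  // We always give WSM's service account the 'manager' role for admin control of workspaces.
  // NOTE(review): elsewhere in this project the same lookup is caught as InternalServerErrorException
  // when WSM has no service-account credentials; here it is left to propagate — confirm intended.
  String wsmSa = GcpUtils.getWsmSaEmail();
  String managerRole = WsmIamRole.MANAGER.toSamRole();
  policyMap.put(
      managerRole,
      new AccessPolicyMembershipV2().addRolesItem(managerRole).addMemberEmailsItem(wsmSa));

  return policyMap;
}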
use of org.broadinstitute.dsde.workbench.client.sam.model.AccessPolicyMembershipV2 in project terra-workspace-manager by DataBiosphere.
the class ControlledResourceSamPolicyBuilder method addWsmResourceOwnerPolicy.
/**
 * Adds WSM's own service account to the request as OWNER of the controlled resource being created
 * in Sam, so that WSM can later reassign the resource administratively. Assumes
 * samService.initialize() has already run, which is expected at startup.
 *
 * <p>Resolving the service-account email can fail when WSM is not running under a service account
 * (for example in unit tests). That failure is logged at WARN and the owner policy is omitted,
 * because those environments do not create real resources.
 *
 * @param request the Sam create-resource request to add the owner policy to
 */
private void addWsmResourceOwnerPolicy(CreateResourceRequestV2 request) {
  try {
    String ownerRole = ControlledResourceIamRole.OWNER.toSamRole();
    String wsmSaEmail = GcpUtils.getWsmSaEmail();
    AccessPolicyMembershipV2 wsmOwnerPolicy =
        new AccessPolicyMembershipV2().addRolesItem(ownerRole).addMemberEmailsItem(wsmSaEmail);
    request.putPoliciesItem(ownerRole, wsmOwnerPolicy);
  } catch (InternalServerErrorException e) {
    // Without service-account credentials (e.g. unit tests) the email lookup above fails; this is
    // treated as best-effort since no real resource is created in that situation.
    logger.warn("Failed to add WSM service account as resource owner Sam. This is expected for tests.", e);
  }
}
use of org.broadinstitute.dsde.workbench.client.sam.model.AccessPolicyMembershipV2 in project terra-workspace-manager by DataBiosphere.
the class SamService method addWsmResourceOwnerPolicy.
/**
 * Adds WSM's own service account to the request as OWNER of the controlled resource being created
 * in Sam, so that WSM can later reassign the resource administratively. Assumes
 * samService.initialize() has already run, which is expected at startup.
 *
 * <p>The service-account email is obtained by calling Sam as WSM itself. When WSM is not running
 * under a service account (for example in unit tests) that lookup fails; the failure is logged at
 * WARN and the owner policy is omitted, because those environments do not create real resources.
 *
 * @param request the Sam create-resource request to add the owner policy to
 * @throws InterruptedException if the Sam call is interrupted
 */
private void addWsmResourceOwnerPolicy(CreateResourceRequestV2 request) throws InterruptedException {
  try {
    // Authenticate as WSM to ask Sam which email belongs to the WSM service account.
    // NOTE(review): Optional.of rejects a null token with NPE, which the catch below does not
    // cover — confirm getWsmServiceAccountToken() never returns null.
    AuthenticatedUserRequest asWsm =
        new AuthenticatedUserRequest().token(Optional.of(getWsmServiceAccountToken()));
    String wsmSaEmail = getUserEmailFromSam(asWsm);

    String ownerRole = ControlledResourceIamRole.OWNER.toSamRole();
    AccessPolicyMembershipV2 wsmOwnerPolicy =
        new AccessPolicyMembershipV2().addRolesItem(ownerRole).addMemberEmailsItem(wsmSaEmail);
    request.putPoliciesItem(ownerRole, wsmOwnerPolicy);
  } catch (InternalServerErrorException e) {
    // Without service-account credentials (e.g. unit tests) the lookup above fails; this is
    // treated as best-effort since no real resource is created in that situation.
    logger.warn("Failed to add WSM service account as resource owner Sam. This is expected for tests.", e);
  }
}
use of org.broadinstitute.dsde.workbench.client.sam.model.AccessPolicyMembershipV2 in project terra-workspace-manager by DataBiosphere.
the class ControlledResourceSamPolicyBuilder method addPolicies.
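/**
 * Populates the Sam policies of a controlled-resource create request according to this builder's
 * {@code category}.
 *
 * <p>WSM's service account is always added as OWNER first. What follows depends on the category:
 * <ul>
 *   <li>USER_SHARED: nothing further; the remaining policies are inherited.
 *   <li>USER_PRIVATE: the full initial policy map, with {@code privateUserEmail} added to the
 *       {@code privateIamRole} policy.
 *   <li>APPLICATION_SHARED: only an EDITOR policy holding the application; the rest are inherited.
 *   <li>APPLICATION_PRIVATE: the full initial policy map, with the application as EDITOR and the
 *       private user (when present) on {@code privateIamRole}.
 * </ul>
 *
 * @param request the Sam create-resource request to populate
 * @throws InternalLogicException if the category and the private-user fields are inconsistent,
 *     or if {@code category} is a value this method does not handle
 * @throws InterruptedException if a Sam call is interrupted
 */
public void addPolicies(CreateResourceRequestV2 request) throws InterruptedException {
  // Owner is always WSM SA
  addWsmResourceOwnerPolicy(request);

  switch (category) {
    case USER_SHARED:
      // All other policies are inherited - nothing more to do
      break;

    case USER_PRIVATE: {
      // Double check - this is validated earlier and should never happen.
      if (privateUserEmail == null || privateIamRole == null) {
        throw new InternalLogicException("Flight should never see user-private without a user email and iam role");
      }
      Map<ControlledResourceIamRole, AccessPolicyMembershipV2> policyMap = makeInitialPolicyMap();
      // NOTE(review): assumes makeInitialPolicyMap() has an entry for every role that can be a
      // privateIamRole; a missing entry would surface here as an NPE — confirm.
      policyMap.get(privateIamRole).addMemberEmailsItem(privateUserEmail);
      applyPolicyMap(request, policyMap);
      break;
    }

    case APPLICATION_SHARED: {
      // Double check - this is validated earlier and should never happen
      if (privateUserEmail != null) {
        throw new InternalLogicException("Flight should never see application-shared with a user email");
      }
      // Application is always editor on its resources; other policies are inherited
      String editorRole = ControlledResourceIamRole.EDITOR.toSamRole();
      AccessPolicyMembershipV2 editorPolicy = new AccessPolicyMembershipV2().addRolesItem(editorRole);
      addApplicationResourceEditorPolicy(editorPolicy, userRequest);
      request.putPoliciesItem(editorRole, editorPolicy);
      break;
    }

    case APPLICATION_PRIVATE: {
      Map<ControlledResourceIamRole, AccessPolicyMembershipV2> policyMap = makeInitialPolicyMap();
      // Application is always editor
      addApplicationResourceEditorPolicy(policyMap.get(ControlledResourceIamRole.EDITOR), userRequest);
      // if we have an assigned user, set up their permission
      if (privateUserEmail != null) {
        policyMap.get(privateIamRole).addMemberEmailsItem(privateUserEmail);
      }
      applyPolicyMap(request, policyMap);
      break;
    }

    default:
      // A category this builder does not know must not silently produce a resource carrying only
      // the owner policy; fail the flight so the gap is visible.
      throw new InternalLogicException("Unexpected controlled resource category: " + category);
  }
}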
use of org.broadinstitute.dsde.workbench.client.sam.model.AccessPolicyMembershipV2 in project terra-cli by DataBiosphere.
the class SpendProfileManagerService method createDefaultSpendProfile.
/**
 * Creates the Sam resource backing the current server's WSM default spend profile.
 *
 * <p>The resource is created with two policies: {@code "owner"}, holding the current user, and
 * {@code "user"}, initially empty.
 */
public void createDefaultSpendProfile() {
  String currentUserEmail = Context.requireUser().getEmail();

  AccessPolicyMembershipV2 ownerPolicy =
      new AccessPolicyMembershipV2().addRolesItem("owner").addMemberEmailsItem(currentUserEmail);
  AccessPolicyMembershipV2 userPolicy = new AccessPolicyMembershipV2().addRolesItem("user");

  Map<String, AccessPolicyMembershipV2> policies = new HashMap<>();
  policies.put("owner", ownerPolicy);
  policies.put("user", userPolicy);

  samService.createResource(
      SPEND_PROFILE_RESOURCE_TYPE, Context.getServer().getWsmDefaultSpendProfile(), policies);
}