
Example 1 with AccessPolicyResponseEntryV2

Use of org.broadinstitute.dsde.workbench.client.sam.model.AccessPolicyResponseEntryV2 in project terra-workspace-manager by DataBiosphere.

From the class SamService, method dumpRoleBindings:

// Add code to retrieve and dump the role assignments for WSM controlled resources
// for debugging. No permission check outside of Sam.
public void dumpRoleBindings(String samResourceType, String resourceId, String token) {
    logger.debug("DUMP ROLE BINDING - resourceType {} resourceId {}", samResourceType, resourceId);
    ResourcesApi resourceApi = samResourcesApi(token);
    try {
        List<AccessPolicyResponseEntryV2> samResult = SamRetry.retry(() -> resourceApi.listResourcePoliciesV2(samResourceType, resourceId));
        for (AccessPolicyResponseEntryV2 entry : samResult) {
            logger.debug("  samPolicy: {}", entry);
        }
    } catch (ApiException apiException) {
        throw SamExceptionFactory.create("Error listing role bindings in Sam", apiException);
    } catch (InterruptedException e) {
        logger.warn("dump role binding was interrupted");
    }
}

Example 2 with AccessPolicyResponseEntryV2

Use of org.broadinstitute.dsde.workbench.client.sam.model.AccessPolicyResponseEntryV2 in project terra-workspace-manager by DataBiosphere.

From the class SamClientUtils, method dumpResourcePolicy:

// dump the Sam policy on a resource - assuming you have permission
public static void dumpResourcePolicy(TestUserSpecification testUser, ServerSpecification server, String resourceTypeName, String resourceId) throws Exception {
    ResourcesApi samApi = new ResourcesApi(getSamApiClient(testUser, server));
    List<AccessPolicyResponseEntryV2> policies = SamRetry.retry(() -> samApi.listResourcePoliciesV2(resourceTypeName, resourceId));
    logger.info("SAM POLICY DUMP for {} id {}", resourceTypeName, resourceId);
    for (AccessPolicyResponseEntryV2 entry : policies) {
        logger.info("  policy: {}", entry);
    }
}

Example 3 with AccessPolicyResponseEntryV2

Use of org.broadinstitute.dsde.workbench.client.sam.model.AccessPolicyResponseEntryV2 in project terra-workspace-manager by DataBiosphere.

From the class SamService, method getUserRolesOnPrivateResource:

/**
 * Return the list of roles a user has directly on a private, user-managed controlled resource.
 * This will not return roles that a user holds via group membership.
 *
 * <p>This call to Sam is made as the WSM SA, as users do not have permission to directly modify
 * IAM on resources. This method still requires user credentials to validate as a safeguard, but
 * they are not used in the role removal call.
 *
 * @param resource The resource to fetch roles on
 * @param userEmail Email identifier of the user whose role is being removed.
 * @param userRequest User credentials. These are not used for the call to Sam, but must belong to
 *     a workspace owner to ensure the WSM SA is being used on a user's behalf correctly.
 */
public List<ControlledResourceIamRole> getUserRolesOnPrivateResource(ControlledResource resource, String userEmail, AuthenticatedUserRequest userRequest) throws InterruptedException {
    // Validate that the provided user credentials can modify the owners of the resource's
    // workspace.
    // Although the Sam call to revoke a resource role must use WSM SA credentials instead, this
    // is a safeguard against accidentally invoking these credentials for unauthorized users.
    checkAuthz(userRequest, SamConstants.SamResource.WORKSPACE, resource.getWorkspaceId().toString(), samActionToModifyRole(WsmIamRole.OWNER));
    try {
        ResourcesApi wsmSaResourceApi = samResourcesApi(getWsmServiceAccountToken());
        List<AccessPolicyResponseEntryV2> policyList =
            wsmSaResourceApi.listResourcePoliciesV2(
                resource.getCategory().getSamResourceName(), resource.getResourceId().toString());
        // Keep only the policies that list this user as a direct member, then map each
        // Sam policy name onto the corresponding controlled-resource IAM role.
        return policyList.stream()
            .filter(policyEntry -> policyEntry.getPolicy().getMemberEmails().contains(userEmail))
            .map(AccessPolicyResponseEntryV2::getPolicyName)
            .map(ControlledResourceIamRole::fromSamRole)
            .collect(Collectors.toList());
    } catch (ApiException apiException) {
        throw SamExceptionFactory.create("Sam error removing resource role in Sam", apiException);
    }
}
