use of org.pmiops.workbench.db.model.User in project workbench by all-of-us.
the class ProfileControllerTest method testCreateAccount_success.
@Test
public void testCreateAccount_success() throws Exception {
createUser();
User user = userDao.findUserByEmail(PRIMARY_EMAIL);
assertThat(user).isNotNull();
assertThat(user.getDataAccessLevel()).isEqualTo(DataAccessLevel.UNREGISTERED);
}
use of org.pmiops.workbench.db.model.User in project workbench by all-of-us.
the class WorkspacesControllerTest method testCloneWorkspaceDifferentOwner.
@Test
public void testCloneWorkspaceDifferentOwner() throws Exception {
Workspace workspace = createDefaultWorkspace();
workspace = workspacesController.createWorkspace(workspace).getBody();
User cloner = new User();
cloner.setEmail("cloner@gmail.com");
cloner.setUserId(456L);
cloner.setFreeTierBillingProjectName("TestBillingProject1");
cloner.setDisabled(false);
cloner = userDao.save(cloner);
when(userProvider.get()).thenReturn(cloner);
stubGetWorkspace(workspace.getNamespace(), workspace.getName(), LOGGED_IN_USER_EMAIL, WorkspaceAccessLevel.READER);
CloneWorkspaceRequest req = new CloneWorkspaceRequest();
Workspace modWorkspace = new Workspace();
modWorkspace.setName("cloned");
modWorkspace.setNamespace("cloned-ns");
ResearchPurpose modPurpose = new ResearchPurpose();
modPurpose.setAncestry(true);
modWorkspace.setResearchPurpose(modPurpose);
req.setWorkspace(modWorkspace);
stubGetWorkspace(modWorkspace.getNamespace(), modWorkspace.getName(), "cloner@gmail.com", WorkspaceAccessLevel.OWNER);
Workspace workspace2 = workspacesController.cloneWorkspace(workspace.getNamespace(), workspace.getId(), req).getBody().getWorkspace();
assertThat(workspace2.getCreator()).isEqualTo(cloner.getEmail());
assertThat(workspace2.getUserRoles().size()).isEqualTo(1);
assertThat(workspace2.getUserRoles().get(0).getRole()).isEqualTo(WorkspaceAccessLevel.OWNER);
assertThat(workspace2.getUserRoles().get(0).getEmail()).isEqualTo(cloner.getEmail());
}
use of org.pmiops.workbench.db.model.User in project workbench by all-of-us.
the class WorkspacesControllerTest method testClonePermissionDenied.
@Test(expected = NotFoundException.class)
public void testClonePermissionDenied() throws Exception {
Workspace workspace = createDefaultWorkspace();
workspace = workspacesController.createWorkspace(workspace).getBody();
// Clone with a different user.
User cloner = new User();
cloner.setEmail("cloner@gmail.com");
cloner.setUserId(456L);
cloner.setFreeTierBillingProjectName("TestBillingProject1");
cloner.setDisabled(false);
cloner = userDao.save(cloner);
when(userProvider.get()).thenReturn(cloner);
// Permission denied manifests as a 404 in Firecloud.
when(fireCloudService.getWorkspace(workspace.getNamespace(), workspace.getName())).thenThrow(new ApiException(404, ""));
CloneWorkspaceRequest req = new CloneWorkspaceRequest();
Workspace modWorkspace = new Workspace();
modWorkspace.setName("cloned");
modWorkspace.setNamespace("cloned-ns");
req.setWorkspace(modWorkspace);
ResearchPurpose modPurpose = new ResearchPurpose();
modPurpose.setAncestry(true);
modWorkspace.setResearchPurpose(modPurpose);
workspacesController.cloneWorkspace(workspace.getNamespace(), workspace.getId(), req);
}
use of org.pmiops.workbench.db.model.User in project workbench by all-of-us.
the class AuditControllerTest method setUp.
@Before
public void setUp() {
User user = new User();
user.setEmail(USER_EMAIL);
user.setUserId(123L);
user.setFreeTierBillingProjectName(FC_PROJECT_ID);
user.setDisabled(false);
user = userDao.save(user);
cdrV1 = new CdrVersion();
cdrV1.setBigqueryProject(CDR_V1_PROJECT_ID);
cdrV1 = cdrVersionDao.save(cdrV1);
cdrV2 = new CdrVersion();
cdrV2.setBigqueryProject(CDR_V2_PROJECT_ID);
cdrV2 = cdrVersionDao.save(cdrV2);
CLOCK.setInstant(NOW);
}
use of org.pmiops.workbench.db.model.User in project workbench by all-of-us.
the class AuthInterceptor method preHandle.
/**
* Returns true iff the request is auth'd and should proceed. Publishes authenticated user info
* using Spring's SecurityContext.
* @param handler The Swagger-generated ApiController. It contains our handler as a private
* delegate.
*/
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
// OPTIONS methods requests don't need authorization.
if (request.getMethod().equals(HttpMethods.OPTIONS)) {
return true;
}
HandlerMethod method = (HandlerMethod) handler;
boolean isAuthRequired = false;
ApiOperation apiOp = AnnotationUtils.findAnnotation(method.getMethod(), ApiOperation.class);
if (apiOp != null) {
for (Authorization auth : apiOp.authorizations()) {
if (auth.value().equals(authName)) {
isAuthRequired = true;
break;
}
}
}
if (!isAuthRequired) {
return true;
}
String authorizationHeader = request.getHeader(HttpHeaders.AUTHORIZATION);
if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) {
log.warning("No bearer token found in request");
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return false;
}
String token = authorizationHeader.substring("Bearer".length()).trim();
Userinfoplus userInfo;
try {
userInfo = userInfoService.getUserInfo(token);
} catch (HttpResponseException e) {
log.log(Level.WARNING, "{0} response getting user info for bearer token {1}: {2}", new Object[] { e.getStatusCode(), token, e.getStatusMessage() });
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return false;
}
// TODO: check Google group membership to ensure user is in registered user group
String userEmail = userInfo.getEmail();
WorkbenchConfig workbenchConfig = workbenchConfigProvider.get();
if (workbenchConfig.auth.serviceAccountApiUsers.contains(userEmail)) {
// Whitelisted service accounts are able to make API calls, too.
// TODO: stop treating service accounts as normal users, have a separate table for them,
// administrators.
User user = userDao.findUserByEmail(userEmail);
if (user == null) {
user = userService.createServiceAccountUser(userEmail);
}
SecurityContextHolder.getContext().setAuthentication(new UserAuthentication(user, userInfo, token, UserType.SERVICE_ACCOUNT));
log.log(Level.INFO, "{0} service account in use", userInfo.getEmail());
return true;
}
String gsuiteDomainSuffix = "@" + workbenchConfig.googleDirectoryService.gSuiteDomain;
if (!userEmail.endsWith(gsuiteDomainSuffix)) {
try {
// If the email isn't in our GSuite domain, try FireCloud; we could be dealing with a
// pet service account. In both AofU and FireCloud, the pet SA is treated as if it were
// the user it was created for.
userEmail = fireCloudService.getMe().getUserInfo().getUserEmail();
} catch (ApiException e) {
log.log(Level.INFO, "FireCloud lookup for {0} failed, can't access the workbench: {1}", new Object[] { userInfo.getEmail(), e.getMessage() });
response.sendError(e.getCode());
return false;
}
if (!userEmail.endsWith(gsuiteDomainSuffix)) {
log.log(Level.INFO, "User {0} isn't in domain {1}, can't access the workbench", new Object[] { userEmail, gsuiteDomainSuffix });
response.sendError(HttpServletResponse.SC_NOT_FOUND);
return false;
}
}
User user = userDao.findUserByEmail(userEmail);
if (user == null) {
// TODO(danrodney): start populating contact email in Google account, use it here.
user = userService.createUser(userInfo.getGivenName(), userInfo.getFamilyName(), userInfo.getEmail(), null);
} else {
if (user.getDisabled()) {
throw new ForbiddenException(ExceptionUtils.errorResponse(ErrorCode.USER_DISABLED, "This user account has been disabled."));
}
}
SecurityContextHolder.getContext().setAuthentication(new UserAuthentication(user, userInfo, token, UserType.RESEARCHER));
// TODO: setup this in the context, get rid of log statement
log.log(Level.INFO, "{0} logged in", userInfo.getEmail());
if (!hasRequiredAuthority(method, user)) {
response.sendError(HttpServletResponse.SC_FORBIDDEN);
return false;
}
return true;
}
Aggregations