Merge branch 'develop' into id-1178-add-rac-db-tables

broadinstitute · May 3, 2024 · 0484f59 · 0484f59
2 parents cda31dc + d8fcf10
commit 0484f59
Show file tree

Hide file tree

Showing 33 changed files with 1,609 additions and 102 deletions.
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
@@ -13,11 +13,6 @@ on:
         default: false
         required: false
         type: string
-      print-tag:
-        description: "Echo generated tag to console"
-        default: "true"
-        required: false
-        type: string
       release-branches:
         description: "Default branch (main, develop, etc)"
         default: 'main'
@@ -30,6 +25,9 @@ on:
       new-tag:
         description: "The value of the newly created tag"
         value: ${{ jobs.tag-job.outputs.new-tag }}
+      app-version:
+        description: "The app version"
+        value: ${{ jobs.tag-job.outputs.app-version }}
     secrets:
       BROADBOT_TOKEN:
         required: true
@@ -44,6 +42,7 @@ jobs:
     outputs:
       tag: ${{ steps.tag.outputs.tag }}
       new-tag: ${{ steps.tag.outputs.new_tag }}
+      app-version: ${{ steps.output-version.outputs.app-version }}
     steps:
       - name: Checkout current code
         uses: actions/checkout@v3
@@ -60,7 +59,14 @@ jobs:
           DRY_RUN: ${{ inputs.dry-run }}
           RELEASE_BRANCHES: ${{ inputs.release-branches }}
           WITH_V: true
-      - name: Echo generated tag to console
-        if: ${{ inputs.print-tag == 'true' }}
+      - name: Output app version
+        id: output-version
         run: |
-          echo "Newly created version tag: '${{ steps.tag.outputs.new_tag }}'"
+          # See https://broadworkbench.atlassian.net/browse/QA-2282 for context
+          if [[ -z "${{ steps.tag.outputs.new_tag }}" ]]; then
+            echo "App version tag for this commit has already been dispatched: '${{ steps.tag.outputs.tag }}'"
+            echo "app-version=${{ steps.tag.outputs.tag }}" >> $GITHUB_OUTPUT
+          else
+            echo "New app version tag: '${{ steps.tag.outputs.new_tag }}'"
+            echo "app-version=${{ steps.tag.outputs.new_tag }}" >> $GITHUB_OUTPUT
+          fi
diff --git a/.github/workflows/verify_consumer_pacts.yml b/.github/workflows/verify_consumer_pacts.yml
@@ -151,7 +151,7 @@ jobs:
           # for publishing the results of provider verification.
           if [[ -z "${{ inputs.pb-event-type }}" ]]; then
             echo "PROVIDER_BRANCH=${{ env.CURRENT_BRANCH }}" >> $GITHUB_ENV
-            echo "PROVIDER_VERSION=${{ needs.regulated-tag-job.outputs.new-tag }}" >> $GITHUB_ENV
+            echo "PROVIDER_VERSION=${{ needs.regulated-tag-job.outputs.app-version }}" >> $GITHUB_ENV
           else
             echo "PROVIDER_VERSION=${{ env.PROVIDER_TAG }}" >> $GITHUB_ENV
           fi

diff --git a/automation/project/Dependencies.scala b/automation/project/Dependencies.scala
@@ -7,9 +7,9 @@ object Dependencies {
   val akkaV = "2.6.19"
   val akkaHttpV = "10.2.2"
 
-  val workbenchLibV = "a0519cb"
+  val workbenchLibV = "d16cba9"
   val workbenchGoogleV = s"0.30-$workbenchLibV"
-  val workbenchGoogle2V = s"0.34-$workbenchLibV"
+  val workbenchGoogle2V = s"0.36-$workbenchLibV"
   val workbenchServiceTestV = "2.0-5863cbd"
 
   val excludeWorkbenchModel = ExclusionRule(organization = "org.broadinstitute.dsde.workbench", name = "workbench-model_" + scalaV)

diff --git a/pact4s/src/test/resources/reference.conf b/pact4s/src/test/resources/reference.conf
@@ -119,8 +119,6 @@ testStuff = {
 oidc {
   authorityEndpoint = "https://accounts.google.com"
   oidcClientId = "some-client"
-  oidcClientSecret = "some-secret"
-  legacyGoogleClientId = "another-client"
 }
 
 liquibase {

diff --git a/project/Dependencies.scala b/project/Dependencies.scala
@@ -11,14 +11,14 @@ object Dependencies {
   val postgresDriverVersion = "42.7.2"
   val sentryVersion = "6.15.0"
 
-  val workbenchLibV = "1c0cf92" // If updating this, make sure googleStorageLocal in test dependencies is up-to-date
+  val workbenchLibV = "d16cba9" // If updating this, make sure googleStorageLocal in test dependencies is up-to-date
   val workbenchUtilV = s"0.10-$workbenchLibV"
   val workbenchUtil2V = s"0.9-$workbenchLibV"
   val workbenchModelV = s"0.19-$workbenchLibV"
   val workbenchGoogleV = s"0.30-$workbenchLibV"
   val workbenchGoogle2V = s"0.36-$workbenchLibV"
   val workbenchNotificationsV = s"0.6-$workbenchLibV"
-  val workbenchOauth2V = s"0.5-$workbenchLibV"
+  val workbenchOauth2V = s"0.7-$workbenchLibV"
   val monocleVersion = "2.0.5"
   val crlVersion = "1.2.30-SNAPSHOT"
   val tclVersion = "1.0.5-SNAPSHOT"

diff --git a/src/main/resources/org/broadinstitute/dsde/sam/liquibase/changelog.xml b/src/main/resources/org/broadinstitute/dsde/sam/liquibase/changelog.xml
@@ -28,6 +28,6 @@
     <include file="changesets/20230929_add_tos_audit_table.xml" relativeToChangelogFile="true"/>
     <include file="changesets/20231011_add_tos_audit_table_created_at_pk.xml" relativeToChangelogFile="true"/>
     <include file="changesets/20231019_sam_user_attributes_table.xml" relativeToChangelogFile="true"/>
+    <include file="changesets/20240417_action_managed_identities.xml" relativeToChangelogFile="true"/>
     <include file="changesets/20240416_add_sam_rac_tables.xml" relativeToChangelogFile="true"/>
-
 </databaseChangeLog>
diff --git a/...s/org/broadinstitute/dsde/sam/liquibase/changesets/20240417_action_managed_identities.xml b/...s/org/broadinstitute/dsde/sam/liquibase/changesets/20240417_action_managed_identities.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<databaseChangeLog logicalFilePath="dummy"
+                   xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+                   xmlns:ext="http://www.liquibase.org/xml/ns/dbchangelog-ext"
+                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                   xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog-ext http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-ext.xsd http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.4.xsd">
+
+    <changeSet logicalFilePath="dummy" author="tlangs" id="action_managed_identities">
+        <createTable tableName="SAM_ACTION_MANAGED_IDENTITY">
+            <column name="resource_id" type="BIGINT">
+                <constraints nullable="false" primaryKey="true" foreignKeyName="FK_SAMI_RESOURCE" referencedTableName="SAM_RESOURCE" referencedColumnNames="id" deleteCascade="true"/>
+            </column>
+
+            <column name="resource_action_id" type="BIGINT">
+                <constraints nullable="false" primaryKey="true" foreignKeyName="FK_SAMI_ACTION" referencedTableName="SAM_RESOURCE_ACTION" referencedColumnNames="id"/>
+            </column>
+            <column name="managed_resource_group_id" type="BIGINT">
+                <constraints nullable="false" primaryKey="true" foreignKeyName="FK_SAMI_MRG" referencedTableName="SAM_AZURE_MANAGED_RESOURCE_GROUP" referencedColumnNames="id" deleteCascade="true"/>
+            </column>
+            <column name="object_id" type="VARCHAR">
+                <constraints nullable="false"/>
+            </column>
+            <column name="display_name" type="VARCHAR">
+                <constraints nullable="false"/>
+            </column>
+        </createTable>
+    </changeSet>
+
+</databaseChangeLog>
diff --git a/src/main/resources/reference.conf b/src/main/resources/reference.conf
@@ -1550,6 +1550,152 @@ resourceTypes = {
     allowLeaving = false
     reuseIds = true
   }
+
+  resource-access-constraint = {
+    actionPatterns = {
+      use = {
+        description = "use this RAC for a SAM resource"
+      }
+      add_lock = {
+        description = "add a lock to this RAC"
+      }
+      delete = {
+        description = "delete this RAC"
+      }
+      read_policies = {
+        description = "view all policies and policy details for this RAC"
+      }
+      "share_policy::owner" = {
+        description = "change the membership of the owner policy for this RAC"
+      }
+    }
+    ownerRoleName = "owner"
+    roles = {
+      owner = {
+        roleActions = ["use", "add_lock", "delete", "read_policies", "share_policy::owner"]
+      }
+    }
+    allowLeaving = false
+    reuseIds = true
+  }
+
+  lock = {
+    actionPatterns = {
+      use = {
+        description = "use this lock for a resource access constraint"
+      }
+      delete = {
+        description = "delete this lock"
+      }
+      read_policies = {
+        description = "view all policies and policy details for this lock"
+      }
+      "share_policy::owner" = {
+        description = "change the membership of the owner policy for this lock"
+      }
+    }
+    ownerRoleName = "owner"
+    roles = {
+      owner = {
+        roleActions = ["use", "delete", "read_policies", "share_policy::owner"]
+      }
+    }
+    allowLeaving = false
+    reuseIds = true
+  }
+
+  private_azure_container_registry = {
+    actionPatterns = {
+      delete = {
+        description = "Delete this private acr"
+      }
+      read_policies = {
+        description = "view all policies and policy details for this private acr"
+      }
+      identify = {
+        description = "use the identity that has access to this private acr"
+      }
+      "share_policy::admin" = {
+        description = "change the membership of the admin policy for this private acr"
+      }
+      "share_policy::user" = {
+        description = "change the membership of the user policy for this private acr"
+      }
+    }
+    ownerRoleName = "admin"
+    roles = {
+      admin = {
+        roleActions = ["delete", "read_policies", "use", "share_policy::admin", "share_policy::user", "identify"]
+      }
+      user = {
+        roleActions = ["identify"]
+      }
+    }
+    allowLeaving = false
+    reuseIds = true
+  }
+
+  private_azure_storage_account = {
+    actionPatterns = {
+      delete = {
+        description = "Delete this private azure storage account"
+      }
+      read_policies = {
+        description = "view all policies and policy details for this private azure storage account"
+      }
+      identify = {
+        description = "use the identity that has access to this private azure storage account"
+      }
+      "share_policy::admin" = {
+        description = "change the membership of the admin policy for this private azure storage account"
+      }
+      "share_policy::user" = {
+        description = "change the membership of the user policy for this private azure storage account"
+      }
+    }
+    ownerRoleName = "admin"
+    roles = {
+      admin = {
+        roleActions = ["delete", "read_policies", "use", "share_policy::admin", "share_policy::user", "identify"]
+      }
+      user = {
+        roleActions = ["identify"]
+      }
+    }
+    allowLeaving = false
+    reuseIds = true
+  }
+
+  azure_managed_identity = {
+    actionPatterns = {
+      delete = {
+        description = "Delete this azure managed identity"
+      }
+      read_policies = {
+        description = "view all policies and policy details for this azure managed identity"
+      }
+      identify = {
+        description = "use the identity that has access to this azure managed identity"
+      }
+      "share_policy::admin" = {
+        description = "change the membership of the admin policy for this azure managed identity"
+      }
+      "share_policy::user" = {
+        description = "change the membership of the user policy for this azure managed identity"
+      }
+    }
+    ownerRoleName = "admin"
+    roles = {
+      admin = {
+        roleActions = ["delete", "read_policies", "use", "share_policy::admin", "share_policy::user", "identify"]
+      }
+      user = {
+        roleActions = ["identify"]
+      }
+    }
+    allowLeaving = false
+    reuseIds = true
+  }
 }
 
 

diff --git a/src/main/resources/sam.conf b/src/main/resources/sam.conf
@@ -37,8 +37,6 @@ termsOfService {
 oidc {
   authorityEndpoint = ${?OIDC_AUTHORITY_ENDPOINT}
   oidcClientId = ${?OIDC_CLIENT_ID}
-  oidcClientSecret = ${?OIDC_CLIENT_SECRET}
-  legacyGoogleClientId = ${?LEGACY_GOOGLE_CLIENT_ID}
 }
 
 schemaLock {