add signing account to group on creation

broadinstitute · Jan 25, 2024 · e01aedf · e01aedf
1 parent dec2531
commit e01aedf
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 5 deletions.
diff --git a/src/main/scala/org/broadinstitute/dsde/workbench/sam/google/GoogleExtensions.scala b/src/main/scala/org/broadinstitute/dsde/workbench/sam/google/GoogleExtensions.scala
@@ -315,7 +315,11 @@ class GoogleExtensions(
       _ <- IO.fromFuture(IO(googleDirectoryDAO.addMemberToGroup(allUsersGroup.email, proxyEmail)))
       _ <-
         if (excludeFromPetSigningAccount.contains(user.email) || !googleServicesConfig.petSigningAccountsEnabled) IO.none
-        else petSigningAccounts.getUserPetSigningAccount(user, samRequestContext)
+        else
+          for {
+            petSigningAccount <- petSigningAccounts.createPetSigningAccountForUser(user, samRequestContext)
+            _ <- IO.fromFuture(IO(googleDirectoryDAO.addMemberToGroup(allPetSigningAccountsGroupEmail, petSigningAccount.serviceAccount.email)))
+          } yield ()
     } yield ()
   }
 

diff --git a/src/main/scala/org/broadinstitute/dsde/workbench/sam/google/PetSigningAccounts.scala b/src/main/scala/org/broadinstitute/dsde/workbench/sam/google/PetSigningAccounts.scala
@@ -34,6 +34,13 @@ class PetSigningAccounts(
   private[google] val allPetSigningAccountsGroupEmail = WorkbenchEmail(
     s"${googleServicesConfig.resourceNamePrefix.getOrElse("")}GROUP_${CloudExtensions.allPetSingingAccountsGroupName.value}@$emailDomain"
   )
+
+  private[google] def createPetSigningAccountForUser(user: SamUser, samRequestContext: SamRequestContext): IO[PetServiceAccount] = {
+    val googleProject = petServiceAccountProject(user)
+    val (petSaName, petSaDisplayName) = toPetSigningAccountFromUser(user)
+    createPetSigningAccount(user, petSaName, petSaDisplayName, googleProject, samRequestContext)
+  }
+
   private[google] def createPetSigningAccount(
       user: SamUser,
       petSaName: ServiceAccountName,
@@ -96,22 +103,26 @@ class PetSigningAccounts(
     (pet, serviceAccount).parTupled
   }
 
+  private[google] def petServiceAccountProject(samUser: SamUser): GoogleProject =
+    GoogleProject(
+      s"fc-${googleServicesConfig.environment.substring(0, Math.min(googleServicesConfig.environment.length(), 5))}-${samUser.id}"
+    ) // max 30 characters. subject ID is 21
+
   private[google] def getUserPetSigningAccount(user: SamUser, samRequestContext: SamRequestContext): IO[Option[String]] = {
-    val projectName =
-      s"fc-${googleServicesConfig.environment.substring(0, Math.min(googleServicesConfig.environment.length(), 5))}-${user.id.value}" // max 30 characters. subject ID is 21
+    val googleProject = petServiceAccountProject(user)
     val (petSaName, petSaDisplayName) = toPetSigningAccountFromUser(user)
 
     val keyFuture = for {
       creationOperationId <- googleProjectDAO
-        .createProject(projectName, googleServicesConfig.terraGoogleOrgNumber, GoogleResourceTypes.Organization)
+        .createProject(googleProject.value, googleServicesConfig.terraGoogleOrgNumber, GoogleResourceTypes.Organization)
         .map(opId => Option(opId)) recover {
         case gjre: GoogleJsonResponseException if gjre.getDetails.getCode == StatusCodes.Conflict.intValue => None
       }
       _ <- creationOperationId match {
         case Some(opId) => pollShellProjectCreation(opId) // poll until it's created
         case None => Future.successful(())
       }
-      serviceAccount <- createPetSigningAccount(user, petSaName, petSaDisplayName, GoogleProject(projectName), samRequestContext).unsafeToFuture()
+      serviceAccount <- createPetSigningAccount(user, petSaName, petSaDisplayName, googleProject, samRequestContext).unsafeToFuture()
       key <- googleKeyCache.getKey(serviceAccount).unsafeToFuture()
     } yield Some(key)
     IO.fromFuture(IO(keyFuture))