Merge branch 'develop' into ID-807-Stubbed-tos-endpoints

broadinstitute · Oct 23, 2023 · f7a36a2 · f7a36a2
2 parents ab2d60a + 5a91c3f
commit f7a36a2
Show file tree

Hide file tree

Showing 83 changed files with 1,430 additions and 415 deletions.
diff --git a/.github/workflows/verify_consumer_pacts.yml b/.github/workflows/verify_consumer_pacts.yml
@@ -139,16 +139,16 @@ jobs:
           fi
           git fetch
           if [[ ! -z "${{ env.CHECKOUT_BRANCH }}" ]] && [[ ! -z "${{ env.CHECKOUT_SHA }}" ]]; then
-            echo "git checkout ${{ env.CHECKOUT_BRANCH }} ${{ env.CHECKOUT_SHA }}"
-            git checkout ${{ env.CHECKOUT_BRANCH }} ${{ env.CHECKOUT_SHA }}
+            echo "git checkout -b ${{ env.CHECKOUT_BRANCH }} ${{ env.CHECKOUT_SHA }}"
+            git checkout -b ${{ env.CHECKOUT_BRANCH }} ${{ env.CHECKOUT_SHA }} || echo "already in ${{ env.CHECKOUT_BRANCH }}"
             echo "git branch"
             git branch
           else
-            if [[ "${{ github.event_name }}" == "push" ]]; then
+            if [[ "${{ github.event_name }}" == "push" ]] || [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
               echo "git checkout ${{ env.CURRENT_BRANCH }}"
               git checkout ${{ env.CURRENT_BRANCH }}
             else
-              echo "git checkout ${{ env.CURRENT_BRANCH }} ${{ env.CURRENT_SHA }}"
+              echo "git checkout -b ${{ env.CURRENT_BRANCH }} ${{ env.CURRENT_SHA }}"
               git checkout -b ${{ env.CURRENT_BRANCH }} ${{ env.CURRENT_SHA }}
             fi
           fi

diff --git a/pact4s/src/test/scala/org/broadinstitute/dsde/workbench/sam/MockTestSupport.scala b/pact4s/src/test/scala/org/broadinstitute/dsde/workbench/sam/MockTestSupport.scala
@@ -28,6 +28,7 @@ import org.broadinstitute.dsde.workbench.sam.db.TestDbReference
 import org.broadinstitute.dsde.workbench.sam.db.tables._
 import org.broadinstitute.dsde.workbench.sam.google.{GoogleExtensionRoutes, GoogleExtensions, GoogleGroupSynchronizer, GoogleKeyCache}
 import org.broadinstitute.dsde.workbench.sam.model._
+import org.broadinstitute.dsde.workbench.sam.model.api.SamUser
 import org.broadinstitute.dsde.workbench.sam.service.UserService._
 import org.broadinstitute.dsde.workbench.sam.service._
 import org.broadinstitute.dsde.workbench.sam.util.SamRequestContext

diff --git a/pact4s/src/test/scala/org/broadinstitute/dsde/workbench/sam/provider/SamProviderSpec.scala b/pact4s/src/test/scala/org/broadinstitute/dsde/workbench/sam/provider/SamProviderSpec.scala
@@ -14,6 +14,7 @@ import org.broadinstitute.dsde.workbench.sam.azure.AzureService
 import org.broadinstitute.dsde.workbench.sam.dataAccess.{AccessPolicyDAO, DirectoryDAO, StatefulMockAccessPolicyDaoBuilder}
 import org.broadinstitute.dsde.workbench.sam.google.GoogleExtensions
 import org.broadinstitute.dsde.workbench.sam.model._
+import org.broadinstitute.dsde.workbench.sam.model.api.SamUser
 import org.broadinstitute.dsde.workbench.sam.service._
 import org.broadinstitute.dsde.workbench.sam.util.SamRequestContext
 import org.broadinstitute.dsde.workbench.sam.{Generator, MockSamDependencies, MockTestSupport}
@@ -129,6 +130,16 @@ class SamProviderSpec
     })
   } yield ()
 
+  private def mockGetArbitraryPetServiceAccountToken(): IO[Unit] = for {
+    _ <- IO(
+      when {
+        googleExt.getArbitraryPetServiceAccountToken(any[SamUser], any[Set[String]], any[SamRequestContext])
+      } thenReturn {
+        Future.successful("aToken")
+      }
+    )
+  } yield ()
+
   private def mockResourceActionPermission(action: ResourceAction, hasPermission: Boolean): IO[Unit] = for {
     _ <- IO(
       lenient()
@@ -142,7 +153,7 @@ class SamProviderSpec
 
   private val providerStatesHandler: StateManagementFunction = StateManagementFunction {
     case ProviderState(States.UserExists, _) =>
-      logger.debug(States.UserExists)
+      mockGetArbitraryPetServiceAccountToken().unsafeRunSync()
     case ProviderState(States.SamOK, _) =>
       mockCriticalSubsystemsStatus(true).unsafeRunSync()
     case ProviderState(States.SamNotOK, _) =>

diff --git a/src/main/resources/sam.conf b/src/main/resources/sam.conf
@@ -41,6 +41,8 @@ termsOfService {
   isGracePeriodEnabled = ${?TOS_GRACE_PERIOD_ENABLED}
   version = ${?TOS_VERSION}
   baseUrl = ${?TOS_BASE_URL}
+  rollingAcceptanceWindowExpirationDatetime = ${?TOS_ROLLING_ACCEPTANCE_WINDOW_EXPIRATION_DATETIME}
+  previousVersion = ${?TOS_PREVIOUS_VERSION}
 }
 
 oidc {

diff --git a/src/main/resources/swagger/api-docs.yaml b/src/main/resources/swagger/api-docs.yaml
@@ -2793,6 +2793,102 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/ErrorReport'
+  /api/users/v2/self:
+    get:
+      tags:
+        - Users
+      summary: gets the user
+      operationId: getSamUserSelf
+      responses:
+        200:
+          description: user exists
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/SamUserResponse'
+        404:
+          description: user not found
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorReport'
+  /api/users/v2/self/allowed:
+    get:
+      tags:
+        - Users
+      summary: gets the user allowances
+      operationId: getSamUserSelfAllowances
+      responses:
+        200:
+          description: user exists
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/SamUserAllowances'
+        404:
+          description: user not found
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorReport'
+  /api/users/v2/{sam_user_id}:
+    get:
+      tags:
+        - Admin
+      summary: gets a user
+      description: Gets a SamUser by their id. This endpoint is scoped to the permissions of the caller.
+        A normal user can call the endpoint with their own id, but trying to get another user will result in a 404.
+        Admin permissions grant the caller the ability to get any id.
+      operationId: getSamUserById
+      parameters:
+        - name: sam_user_id
+          in: path
+          description: the id of the sam user to get
+          required: true
+          schema:
+            type: string
+      responses:
+        200:
+          description: user exists
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/SamUserResponse'
+        404:
+          description: user not found
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorReport'
+  /api/users/v2/{sam_user_id}/allowed:
+    get:
+      tags:
+        - Admin
+      summary: gets a user
+      description: Gets a users allowances by their id. This endpoint is scoped to the permissions of the caller.
+        A normal user can call the endpoint with their own id, but trying to get another user will result in a 404.
+        Admin permissions grant the caller the ability to get any id.
+      operationId: getSamUserAllowancesById
+      parameters:
+        - name: sam_user_id
+          in: path
+          description: the id of the sam user to get
+          required: true
+          schema:
+            type: string
+      responses:
+        200:
+          description: user exists
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/SamUserAllowances'
+        404:
+          description: user not found
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorReport'
   /register/user/v1:
     get:
       tags:
@@ -3799,6 +3895,53 @@ components:
           format: date-time
           description: User's time of last update
       description: specification of a User
+    SamUserResponse:
+      type: object
+      required:
+        - id
+        - email
+        - allowed
+        - createdAt
+        - updatedAt
+      properties:
+        id:
+          type: string
+          description: User's Id
+        googleSubjectId:
+          type: string
+          description: User's Google subject Id
+        email:
+          type: string
+          description: User's email address
+          format: email
+        azureB2CId:
+          type: string
+          description: User's Azure B2C Id
+        allowed:
+          type: boolean
+          description: Whether or not the user allowed to use the system
+        createdAt:
+          type: string
+          format: date-time
+          description: User's time of creation
+        registeredAt:
+          type: string
+          format: date-time
+          description: User's time of registration
+        updatedAt:
+          type: string
+          format: date-time
+          description: User's time of last update
+      description: specification of a User
+    SamUserAllowances:
+      type: object
+      properties:
+        allowed:
+          type: boolean
+          description: is the user allowed to use the system
+        details:
+          type: object
+          description: details of the user's allowances
     UpdateUserRequest:
       type: object
       properties:

diff --git a/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/AdminRoutes.scala b/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/AdminRoutes.scala
@@ -9,11 +9,11 @@ import akka.http.scaladsl.server.Directives._
 import org.broadinstitute.dsde.workbench.model._
 import org.broadinstitute.dsde.workbench.model.google.GoogleProject
 import org.broadinstitute.dsde.workbench.sam.config.LiquibaseConfig
-import org.broadinstitute.dsde.workbench.sam.model.SamJsonSupport._
+import org.broadinstitute.dsde.workbench.sam.model.api.SamJsonSupport._
 import org.broadinstitute.dsde.workbench.sam.model.SamResourceActions.{adminAddMember, adminReadPolicies, adminRemoveMember}
 import org.broadinstitute.dsde.workbench.sam.model.SamResourceTypes.resourceTypeAdminName
 import org.broadinstitute.dsde.workbench.sam.model._
-import org.broadinstitute.dsde.workbench.sam.model.api.{AccessPolicyMembershipRequest, AdminUpdateUserRequest}
+import org.broadinstitute.dsde.workbench.sam.model.api.{AccessPolicyMembershipRequest, AdminUpdateUserRequest, SamUser}
 import org.broadinstitute.dsde.workbench.sam.service.ResourceService
 import org.broadinstitute.dsde.workbench.sam.util.SamRequestContext
 import spray.json.DefaultJsonProtocol._

diff --git a/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/ExtensionRoutes.scala b/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/ExtensionRoutes.scala
@@ -1,7 +1,7 @@
 package org.broadinstitute.dsde.workbench.sam.api
 
 import akka.http.scaladsl.server
-import org.broadinstitute.dsde.workbench.sam.model.SamUser
+import org.broadinstitute.dsde.workbench.sam.model.api.SamUser
 import org.broadinstitute.dsde.workbench.sam.util.SamRequestContext
 
 trait ExtensionRoutes {

diff --git a/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/ManagedGroupRoutes.scala b/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/ManagedGroupRoutes.scala
@@ -10,7 +10,8 @@ import org.broadinstitute.dsde.workbench.model.WorkbenchIdentityJsonSupport._
 import org.broadinstitute.dsde.workbench.model._
 import org.broadinstitute.dsde.workbench.sam._
 import org.broadinstitute.dsde.workbench.sam.model.{ResourceId, _}
-import org.broadinstitute.dsde.workbench.sam.model.SamJsonSupport._
+import org.broadinstitute.dsde.workbench.sam.model.api.SamJsonSupport._
+import org.broadinstitute.dsde.workbench.sam.model.api.SamUser
 import org.broadinstitute.dsde.workbench.sam.service.ManagedGroupService
 import org.broadinstitute.dsde.workbench.sam.service.ManagedGroupService.ManagedGroupPolicyName
 import org.broadinstitute.dsde.workbench.sam.util.SamRequestContext

diff --git a/...e/dsde/workbench/sam/api/UserRoutes.scala → ...sde/workbench/sam/api/OldUserRoutes.scala b/...e/dsde/workbench/sam/api/UserRoutes.scala → ...sde/workbench/sam/api/OldUserRoutes.scala
@@ -7,8 +7,7 @@ import akka.http.scaladsl.server
 import akka.http.scaladsl.server.Directives._
 import akka.http.scaladsl.server.{Directive0, ExceptionHandler}
 import org.broadinstitute.dsde.workbench.model._
-import org.broadinstitute.dsde.workbench.sam.model.SamJsonSupport._
-import org.broadinstitute.dsde.workbench.sam.model.SamUser
+import org.broadinstitute.dsde.workbench.sam.model.api.SamJsonSupport._
 import org.broadinstitute.dsde.workbench.sam.service.UserService
 import org.broadinstitute.dsde.workbench.sam.util.SamRequestContext
 import spray.json.JsBoolean
@@ -17,7 +16,7 @@ import scala.concurrent.ExecutionContext
 
 /** Created by mbemis on 5/22/17.
   */
-trait UserRoutes extends SamUserDirectives with SamRequestContextDirectives {
+trait OldUserRoutes extends SamUserDirectives with SamRequestContextDirectives {
   implicit val executionContext: ExecutionContext
   val userService: UserService
 
@@ -33,7 +32,7 @@ trait UserRoutes extends SamUserDirectives with SamRequestContextDirectives {
     })
   }
 
-  def userRoutes(samRequestContext: SamRequestContext): server.Route =
+  def oldUserRoutes(samRequestContext: SamRequestContext): server.Route =
     pathPrefix("user") {
       (pathPrefix("v1") | pathEndOrSingleSlash) {
         pathEndOrSingleSlash {
@@ -151,33 +150,4 @@ trait UserRoutes extends SamUserDirectives with SamRequestContextDirectives {
         }
       }
     }
-
-  def apiUserRoutes(samUser: SamUser, samRequestContext: SamRequestContext): server.Route = pathPrefix("users") {
-    pathPrefix("v1") {
-      get {
-        path(Segment) { email =>
-          pathEnd {
-            complete {
-              userService.getUserIdInfoFromEmail(WorkbenchEmail(email), samRequestContext).map {
-                case Left(_) => StatusCodes.NotFound -> None
-                case Right(None) => StatusCodes.NoContent -> None
-                case Right(Some(userIdInfo)) => StatusCodes.OK -> Some(userIdInfo)
-              }
-            }
-          }
-        }
-      } ~
-        pathPrefix("invite") {
-          post {
-            path(Segment) { inviteeEmail =>
-              complete {
-                userService
-                  .inviteUser(WorkbenchEmail(inviteeEmail.trim), samRequestContext)
-                  .map(userStatus => StatusCodes.Created -> userStatus)
-              }
-            }
-          }
-        }
-    }
-  }
 }
diff --git a/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/ResourceRoutes.scala b/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/ResourceRoutes.scala
@@ -11,9 +11,9 @@ import org.broadinstitute.dsde.workbench.model.WorkbenchIdentityJsonSupport._
 import org.broadinstitute.dsde.workbench.model._
 import org.broadinstitute.dsde.workbench.sam.config.LiquibaseConfig
 import org.broadinstitute.dsde.workbench.sam.model.RootPrimitiveJsonSupport._
-import org.broadinstitute.dsde.workbench.sam.model.SamJsonSupport._
+import org.broadinstitute.dsde.workbench.sam.model.api.SamJsonSupport._
 import org.broadinstitute.dsde.workbench.sam.model._
-import org.broadinstitute.dsde.workbench.sam.model.api.AccessPolicyMembershipRequest
+import org.broadinstitute.dsde.workbench.sam.model.api.{AccessPolicyMembershipRequest, SamUser}
 import org.broadinstitute.dsde.workbench.sam.service.ResourceService
 import org.broadinstitute.dsde.workbench.sam.util.SamRequestContext
 import spray.json.DefaultJsonProtocol._

diff --git a/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/SamRoutes.scala b/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/SamRoutes.scala
@@ -48,14 +48,16 @@ abstract class SamRoutes(
     val openTelemetry: OpenTelemetryMetrics[IO]
 ) extends LazyLogging
     with ResourceRoutes
-    with UserRoutes
+    with OldUserRoutes
     with StatusRoutes
     with TermsOfServiceRoutes
     with ExtensionRoutes
     with ManagedGroupRoutes
     with AdminRoutes
     with AzureRoutes
-    with ServiceAdminRoutes {
+    with ServiceAdminRoutes
+    with UserRoutesV1
+    with UserRoutesV2 {
 
   def route: server.Route = (logRequestResult & handleExceptions(myExceptionHandler)) {
     oidcConfig.swaggerRoutes("swagger/api-docs.yaml") ~
@@ -65,19 +67,20 @@ abstract class SamRoutes(
       termsOfServiceRoutes ~
       withExecutionContext(ExecutionContext.global) {
         withSamRequestContext { samRequestContext =>
-          pathPrefix("register")(userRoutes(samRequestContext)) ~
+          pathPrefix("register")(oldUserRoutes(samRequestContext)) ~
             pathPrefix("api") {
               // these routes are for machine to machine authorized requests
               // the whitelisted service admin account email is in the header of the request
               serviceAdminRoutes(samRequestContext) ~
+                userRoutesV2(samRequestContext) ~
                 withActiveUser(samRequestContext) { samUser =>
                   val samRequestContextWithUser = samRequestContext.copy(samUser = Option(samUser))
                   resourceRoutes(samUser, samRequestContextWithUser) ~
                     adminRoutes(samUser, samRequestContextWithUser) ~
                     extensionRoutes(samUser, samRequestContextWithUser) ~
                     groupRoutes(samUser, samRequestContextWithUser) ~
-                    apiUserRoutes(samUser, samRequestContextWithUser) ~
-                    azureRoutes(samUser, samRequestContextWithUser)
+                    azureRoutes(samUser, samRequestContextWithUser) ~
+                    userRoutesV1(samUser, samRequestContextWithUser)
                 }
             }
         }

diff --git a/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/SamUserDirectives.scala b/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/SamUserDirectives.scala
@@ -10,8 +10,9 @@ import org.broadinstitute.dsde.workbench.sam._
 import org.broadinstitute.dsde.workbench.sam.api.RejectionHandlers.termsOfServiceRejectionHandler
 import org.broadinstitute.dsde.workbench.sam.config.AppConfig.AdminConfig
 import org.broadinstitute.dsde.workbench.sam.config.TermsOfServiceConfig
-import org.broadinstitute.dsde.workbench.sam.model.SamJsonSupport._
-import org.broadinstitute.dsde.workbench.sam.model.{SamUser, TermsOfServiceAcceptance}
+import org.broadinstitute.dsde.workbench.sam.model.api.SamJsonSupport._
+import org.broadinstitute.dsde.workbench.sam.model.TermsOfServiceAcceptance
+import org.broadinstitute.dsde.workbench.sam.model.api.SamUser
 import org.broadinstitute.dsde.workbench.sam.util.SamRequestContext
 
 /** Directives to get user information.

diff --git a/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/ServiceAdminRoutes.scala b/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/ServiceAdminRoutes.scala
@@ -5,7 +5,7 @@ import akka.http.scaladsl.model.StatusCodes.{NotFound, OK}
 import akka.http.scaladsl.server
 import akka.http.scaladsl.server.Directives._
 import org.broadinstitute.dsde.workbench.model._
-import org.broadinstitute.dsde.workbench.sam.model.SamJsonSupport._
+import org.broadinstitute.dsde.workbench.sam.model.api.SamJsonSupport._
 import org.broadinstitute.dsde.workbench.sam.service.ResourceService
 import org.broadinstitute.dsde.workbench.sam.util.SamRequestContext
 import spray.json.DefaultJsonProtocol._