init policies

broadinstitute · Oct 26, 2018 · 4e388f4 · 4e388f4
1 parent 126cda5
commit 4e388f4
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 5 deletions.
diff --git a/src/main/scala/org/broadinstitute/dsde/workbench/sam/Boot.scala b/src/main/scala/org/broadinstitute/dsde/workbench/sam/Boot.scala
@@ -87,8 +87,8 @@ object Boot extends App with LazyLogging {
       case None => NoExtensions
     }
 
-
-    def createSamRoutes(cloudExtensions: CloudExtensions, accessPolicyDAO: AccessPolicyDAO): (SamRoutes, UserService, ResourceService, StatusService) = {
+    //TODO: reorganzie this a bit after https://github.com/broadinstitute/sam/pull/230
+    def createSamRoutes(cloudExtensions: CloudExtensions, accessPolicyDAO: AccessPolicyDAO): (SamRoutes, UserService, ResourceService, StatusService, PolicyEvaluatorService) = {
       // TODO - https://broadinstitute.atlassian.net/browse/GAWB-3603
       // This should JUST get the value from "emailDomain", but for now we're keeping the backwards compatibility code to
       // fall back to getting the "googleServices.appsDomain"
@@ -107,7 +107,7 @@ object Boot extends App with LazyLogging {
           }
         case _ => new SamRoutes(resourceService, userService, statusService, managedGroupService, config.as[SwaggerConfig]("swagger"), directoryDAO, policyEvaluatorService) with StandardUserInfoDirectives with NoExtensionRoutes
       }
-      (samRoutes, userService, resourceService, statusService)
+      (samRoutes, userService, resourceService, statusService, policyEvaluatorService)
     }
 
     for {
@@ -125,13 +125,15 @@ object Boot extends App with LazyLogging {
           implicit val cs = IO.contextShift(scala.concurrent.ExecutionContext.Implicits.global)
           val accessPolicyDao = new LdapAccessPolicyDAO(ldapConnectionPool, directoryConfig, blockingEc)
           val cloudExtension = createCloudExt(accessPolicyDao)
-          val (sRoutes, userService, resourceService, statusService) = createSamRoutes(cloudExtension, accessPolicyDao)
+          val (sRoutes, userService, resourceService, statusService, policyService) = createSamRoutes(cloudExtension, accessPolicyDao)
 
           for{
             _ <- resourceService.initResourceTypes().handleErrorWith{
               case t: Throwable => IO(logger.error("FATAL - failure starting http server", t)) *> IO.raiseError(t)
             }
 
+            _ <- policyService.initPolicy()
+
             _ <- IO.fromFuture(IO(cloudExtension.onBoot(SamApplication(userService, resourceService, statusService))))
 
             binding <- IO.fromFuture(IO(Http().bindAndHandle(sRoutes.route, "0.0.0.0", 8080))).handleErrorWith{

diff --git a/src/main/scala/org/broadinstitute/dsde/workbench/sam/service/PolicyEvaluatorService.scala b/src/main/scala/org/broadinstitute/dsde/workbench/sam/service/PolicyEvaluatorService.scala
@@ -3,6 +3,7 @@ package org.broadinstitute.dsde.workbench.sam.service
 import cats.effect.IO
 import cats.implicits._
 import com.typesafe.scalalogging.LazyLogging
+import com.unboundid.ldap.sdk.{LDAPException, ResultCode}
 import org.broadinstitute.dsde.workbench.model._
 import org.broadinstitute.dsde.workbench.sam.model._
 import org.broadinstitute.dsde.workbench.sam.openam.AccessPolicyDAO
@@ -13,6 +14,20 @@ class PolicyEvaluatorService(
     private val resourceTypes: Map[ResourceTypeName, ResourceType],
     private val accessPolicyDAO: AccessPolicyDAO)(implicit val executionContext: ExecutionContext)
     extends LazyLogging {
+  def initPolicy(): IO[Unit] = {
+    val policyName = AccessPolicyName("admin-notifier-set-public")
+    accessPolicyDAO.createPolicy(AccessPolicy(
+      FullyQualifiedPolicyId(FullyQualifiedResourceId(SamResourceTypes.resourceTypeAdminName, ResourceId("managed-group")), policyName),
+      Set.empty, //TODO: question: what should memebers be?
+      WorkbenchEmail("dummy@gmail.com"),
+      Set.empty, //TODO: what's right value for ResourceRoleName?
+      Set(SamResourceActions.setPublicPolicy(policyName)),
+      true
+    )).void.recover{
+      case ldape: LDAPException if ldape.getResultCode == ResultCode.ENTRY_ALREADY_EXISTS => ()
+    }
+  }
+
   def hasPermission(resource: FullyQualifiedResourceId, action: ResourceAction, userId: WorkbenchUserId): IO[Boolean] =
     listUserResourceActions(resource, userId).map { _.contains(action) }
 

diff --git a/src/main/scala/org/broadinstitute/dsde/workbench/sam/service/ResourceService.scala b/src/main/scala/org/broadinstitute/dsde/workbench/sam/service/ResourceService.scala
@@ -44,7 +44,7 @@ class ResourceService(private val resourceTypes: Map[ResourceTypeName, ResourceT
           // make sure resource type admin is added first because the rest depends on it
           createdAdminType <- createResourceType(resourceTypeAdmin)
 
-          result <- resourceTypes.values.toList.filterNot(_.name == SamResourceTypes.resourceTypeAdminName).parTraverse { rt =>
+          result <- resourceTypes.values.filterNot(_.name == SamResourceTypes.resourceTypeAdminName).toList.parTraverse { rt =>
             for {
               _ <- createResourceType(rt)
               policy = ValidatableAccessPolicy(AccessPolicyName(resourceTypeAdmin.ownerRoleName.value), Map.empty, Set(resourceTypeAdmin.ownerRoleName), Set.empty)