Merge ebf7f38 into 1456cb5

broadinstitute · Feb 1, 2019 · 760b963 · 760b963
2 parents 1456cb5 + ebf7f38
commit 760b963
Show file tree

Hide file tree

Showing 8 changed files with 96 additions and 53 deletions.
diff --git a/project/Dependencies.scala b/project/Dependencies.scala
@@ -10,7 +10,7 @@ object Dependencies {
 
   val workbenchUtilV   = "0.5-6942040"
   val workbenchModelV  = "0.13-7e86fba"
-  val workbenchGoogleV = "0.18-8328aae"
+  val workbenchGoogleV = "0.18-ffa049c-SNAP"
   val workbenchGoogle2V = "0.1-8328aae"
   val workbenchNotificationsV = "0.1-f2a0020"
   val monocleVersion = "1.5.1-cats"

diff --git a/src/main/scala/org/broadinstitute/dsde/workbench/sam/Boot.scala b/src/main/scala/org/broadinstitute/dsde/workbench/sam/Boot.scala
@@ -17,19 +17,8 @@ import javax.net.ssl.SSLContext
 import org.broadinstitute.dsde.workbench.dataaccess.PubSubNotificationDAO
 import org.broadinstitute.dsde.workbench.google.GoogleCredentialModes.{Json, Pem}
 import org.broadinstitute.dsde.workbench.google2.util.DistributedLock
-import org.broadinstitute.dsde.workbench.google.{
-  GoogleDirectoryDAO,
-  HttpGoogleDirectoryDAO,
-  HttpGoogleIamDAO,
-  HttpGoogleProjectDAO,
-  HttpGooglePubSubDAO,
-  HttpGoogleStorageDAO
-}
-import org.broadinstitute.dsde.workbench.google2.{
-  GoogleStorageService,
-  GoogleFirestoreInterpreter,
-  GoogleStorageInterpreter
-}
+import org.broadinstitute.dsde.workbench.google.{GoogleDirectoryDAO, GoogleKmsInterpreter, GoogleKmsService, HttpGoogleDirectoryDAO, HttpGoogleIamDAO, HttpGoogleProjectDAO, HttpGooglePubSubDAO, HttpGoogleStorageDAO}
+import org.broadinstitute.dsde.workbench.google2.{GoogleFirestoreInterpreter, GoogleStorageInterpreter, GoogleStorageService}
 import org.broadinstitute.dsde.workbench.model.{WorkbenchEmail, WorkbenchException, WorkbenchSubject}
 import org.broadinstitute.dsde.workbench.sam.api.{SamRoutes, StandardUserInfoDirectives}
 import org.broadinstitute.dsde.workbench.sam.config.{AppConfig, GoogleConfig}
@@ -64,7 +53,7 @@ object Boot extends IOApp with LazyLogging {
 
     val appDependencies = createAppDependencies(appConfig)
 
-    appDependencies.use { dependencies =>
+    appDependencies.use { dependencies => // this is where the resource is used
       for {
         _ <- IO.fromFuture(IO(schemaDAO.init())).onError {
           case e: WorkbenchException =>
@@ -183,15 +172,18 @@ object Boot extends IOApp with LazyLogging {
               config.googleServicesConfig.serviceAccountCredentialJson.firestoreServiceAccountJsonPath.asString)
             googleStorage <- GoogleStorageInterpreter.storage[IO](
               config.googleServicesConfig.serviceAccountCredentialJson.defaultServiceAccountJsonPath.asString)
+            googleKmsClient <- GoogleKmsInterpreter.client[IO](
+              config.googleServicesConfig.serviceAccountCredentialJson.defaultServiceAccountJsonPath.asString)
           } yield {
             val ioFireStore = GoogleFirestoreInterpreter[IO](googleFire)
             // googleServicesConfig.resourceNamePrefix is an environment specific variable passed in https://github.com/broadinstitute/firecloud-develop/blob/fade9286ff0aec8449121ed201ebc44c8a4d57dd/run-context/fiab/configs/sam/docker-compose.yaml.ctmpl#L24
             // Use resourceNamePrefix to avoid collision between different fiab environments (we share same firestore for fiabs)
             val lock =
               DistributedLock[IO](s"sam-${config.googleServicesConfig.resourceNamePrefix.getOrElse("local")}", appConfig.distributedLockConfig, ioFireStore)
             val newGoogleStorage = GoogleStorageInterpreter[IO](googleStorage, blockingEc)
+            val googleKmsInterpreter = GoogleKmsInterpreter[IO](googleKmsClient, blockingEc)
             val resourceTypeMap = appConfig.resourceTypes.map(rt => rt.name -> rt).toMap
-            val cloudExtension = createGoogleCloudExt(accessPolicyDao, directoryDAO, config, resourceTypeMap, lock, newGoogleStorage)
+            val cloudExtension = createGoogleCloudExt(accessPolicyDao, directoryDAO, config, resourceTypeMap, lock, newGoogleStorage, googleKmsInterpreter)
             val googleGroupSynchronizer = new GoogleGroupSynchronizer(backgroundDirectoryDAO, backgroundAccessPolicyDao, cloudExtension.googleDirectoryDAO, cloudExtension, resourceTypeMap)(backgroundLdapExecutionContext)
             val cloudExtensionsInitializer = new GoogleExtensionsInitializer(cloudExtension, googleGroupSynchronizer)
             createAppDepenciesWithSamRoutes(appConfig, cloudExtensionsInitializer, accessPolicyDao, directoryDAO)
@@ -206,7 +198,8 @@ object Boot extends IOApp with LazyLogging {
       config: GoogleConfig,
       resourceTypeMap: Map[ResourceTypeName, ResourceType],
       distributedLock: DistributedLock[IO],
-      googleStorageNew: GoogleStorageService[IO])(implicit actorSystem: ActorSystem): GoogleExtensions = {
+      googleStorageNew: GoogleStorageService[IO],
+      googleKms: GoogleKmsService[IO])(implicit actorSystem: ActorSystem): GoogleExtensions = {
     val googleDirDaos = (config.googleServicesConfig.adminSdkServiceAccounts match {
       case None =>
         NonEmptyList.one(
@@ -267,6 +260,7 @@ object Boot extends IOApp with LazyLogging {
       googleProjectDAO,
       googleKeyCache,
       notificationDAO,
+      googleKms,
       config.googleServicesConfig,
       config.petServiceAccountConfig,
       resourceTypeMap

diff --git a/src/main/scala/org/broadinstitute/dsde/workbench/sam/config/GoogleServicesConfig.scala b/src/main/scala/org/broadinstitute/dsde/workbench/sam/config/GoogleServicesConfig.scala
@@ -36,7 +36,8 @@ final case class GoogleServicesConfig(
     notificationTopic: String,
     googleKeyCacheConfig: GoogleKeyCacheConfig,
     resourceNamePrefix: Option[String],
-    adminSdkServiceAccounts: Option[NonEmptyList[ServiceAccountConfig]]
+    adminSdkServiceAccounts: Option[NonEmptyList[ServiceAccountConfig]],
+    googleKms: GoogleKmsConfig
 )
 
 object GoogleServicesConfig {
@@ -54,6 +55,15 @@ object GoogleServicesConfig {
     )
   }
 
+  implicit val googleKmsConfigReader: ValueReader[GoogleKmsConfig] = ValueReader.relative { config =>
+    GoogleKmsConfig(
+      config.getString("project"),
+      config.getString("location"),
+      config.getString("keyRingId"),
+      config.getString("keyId")
+    )
+  }
+
   implicit val serviceAccountConfigReader: ValueReader[ServiceAccountConfig] = ValueReader.relative { config =>
     ServiceAccountConfig(config.root().render(ConfigRenderOptions.concise))
   }
@@ -87,7 +97,8 @@ object GoogleServicesConfig {
       config.getString("notifications.topicName"),
       config.as[GoogleKeyCacheConfig]("googleKeyCache"),
       config.as[Option[String]]("resourceNamePrefix"),
-      config.as[Option[NonEmptyList[ServiceAccountConfig]]]("adminSdkServiceAccounts")
+      config.as[Option[NonEmptyList[ServiceAccountConfig]]]("adminSdkServiceAccounts"),
+      config.as[GoogleKmsConfig]("kms")
     )
   }
 }

diff --git a/src/main/scala/org/broadinstitute/dsde/workbench/sam/config/KmsConfig.scala b/src/main/scala/org/broadinstitute/dsde/workbench/sam/config/KmsConfig.scala
@@ -0,0 +1,17 @@
+package org.broadinstitute.dsde.workbench.sam.config
+
+/**
+  * created by mtalbott 1/25/18
+  *
+  * @param project google project for the key
+  * @param location location for the key
+  * @param keyRingId name of the key ring that contains the key
+  * @param keyId name of the key
+  */
+
+final case class GoogleKmsConfig(
+                                  project: String,
+                                  location: String,
+                                  keyRingId: String,
+                                  keyId: String
+                          )
diff --git a/src/main/scala/org/broadinstitute/dsde/workbench/sam/google/GoogleExtensions.scala b/src/main/scala/org/broadinstitute/dsde/workbench/sam/google/GoogleExtensions.scala
@@ -9,22 +9,14 @@ import akka.http.scaladsl.model.headers.OAuth2BearerToken
 import cats.effect.{ContextShift, IO}
 import cats.implicits._
 import com.google.api.client.googleapis.json.GoogleJsonResponseException
+import com.google.api.gax.rpc.{ApiException, StatusCode}
 import com.google.auth.oauth2.ServiceAccountCredentials
 import com.google.rpc.Code
 import com.typesafe.scalalogging.LazyLogging
 import org.broadinstitute.dsde.workbench.dataaccess.NotificationDAO
 import org.broadinstitute.dsde.workbench.google2.util.{DistributedLock, LockPath}
-import org.broadinstitute.dsde.workbench.google.{
-  GoogleDirectoryDAO,
-  GoogleIamDAO,
-  GoogleProjectDAO,
-  GooglePubSubDAO,
-  GoogleStorageDAO
-}
-import org.broadinstitute.dsde.workbench.google2.{
-  CollectionName,
-  Document
-}
+import org.broadinstitute.dsde.workbench.google.{GoogleDirectoryDAO, GoogleIamDAO, GoogleKmsService, GoogleProjectDAO, GooglePubSubDAO, GoogleStorageDAO, KeyId, KeyRingId, Location}
+import org.broadinstitute.dsde.workbench.google2.{CollectionName, Document}
 import org.broadinstitute.dsde.workbench.model.Notifications.Notification
 import org.broadinstitute.dsde.workbench.model.WorkbenchIdentityJsonSupport.WorkbenchGroupNameFormat
 import org.broadinstitute.dsde.workbench.model._
@@ -62,6 +54,7 @@ class GoogleExtensions(
     val googleProjectDAO: GoogleProjectDAO,
     val googleKeyCache: GoogleKeyCache,
     val notificationDAO: NotificationDAO,
+    val googleKms: GoogleKmsService[IO],
     val googleServicesConfig: GoogleServicesConfig,
     val petServiceAccountConfig: PetServiceAccountConfig,
     val resourceTypes: Map[ResourceTypeName, ResourceType])(implicit val system: ActorSystem, executionContext: ExecutionContext, cs: ContextShift[IO])
@@ -134,6 +127,26 @@ class GoogleExtensions(
             case e: WorkbenchExceptionWithErrorReport if e.errorReport.statusCode == Option(StatusCodes.Conflict) =>
           }))
 
+      _ <- googleKms.createKeyRing(GoogleProject(googleServicesConfig.googleKms.project),
+        Location(googleServicesConfig.googleKms.location),
+        KeyRingId(googleServicesConfig.googleKms.keyRingId)) onError { case e: ApiException if e.getStatusCode.getCode == StatusCode.Code.ALREADY_EXISTS =>
+          IO.delay(logger.warn(s"Key ring with id: ${googleServicesConfig.googleKms.keyRingId} already exists. Proceeding with this key ring"))
+        }
+
+      _ <- googleKms.createKey(GoogleProject(googleServicesConfig.googleKms.project),
+        Location(googleServicesConfig.googleKms.location),
+        KeyRingId(googleServicesConfig.googleKms.keyRingId),
+        KeyId(googleServicesConfig.googleKms.keyId)) onError { case e: ApiException if e.getStatusCode.getCode == StatusCode.Code.ALREADY_EXISTS =>
+          IO.delay(logger.warn(s"Key with id: ${googleServicesConfig.googleKms.keyId} already exists. Proceeding with this key"))
+        }
+
+      _ <- googleKms.addMemberToKeyPolicy(GoogleProject(googleServicesConfig.googleKms.project),
+        Location(googleServicesConfig.googleKms.location),
+        KeyRingId(googleServicesConfig.googleKms.keyRingId),
+        KeyId(googleServicesConfig.googleKms.keyId),
+        s"group:$allUsersGroupEmail",
+        "roles/cloudkms.cryptoKeyEncrypterDecrypter")
+
       _ <- samApplication.resourceService.createResourceType(extensionResourceType)
 
       _ <- IO.fromFuture(IO(samApplication.resourceService.createResource(extensionResourceType, GoogleExtensions.resourceId, serviceAccountUserInfo))) handleErrorWith {

diff --git a/src/test/resources/reference.conf b/src/test/resources/reference.conf
@@ -55,6 +55,13 @@ googleServices {
       workerCount = 1
     }
   }
+
+  kms {
+    project = "broad-dsde-dev"
+    location = "global"
+    keyRingId = "mtalbott"
+    keyId = "mtalbott"
+  }
 }
 
 schemaLock {

diff --git a/src/test/scala/org/broadinstitute/dsde/workbench/sam/TestSupport.scala b/src/test/scala/org/broadinstitute/dsde/workbench/sam/TestSupport.scala
@@ -125,6 +125,7 @@ object TestSupport extends TestSupport {
       null,
       cloudKeyCache,
       notificationDAO,
+      FakeGoogleKmsInterpreter,
       googleServicesConfig,
       petServiceAccountConfig,
       resourceTypes))