Merge 7c24dd5 into c6eadfe

broadinstitute · Aug 21, 2020 · aefd23c · aefd23c
2 parents c6eadfe + 7c24dd5
commit aefd23c
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -48,11 +48,11 @@ Latest SBT dependency: `"org.broadinstitute.dsde.workbench" %% "workbench-metric
 
 Contains utility functions for talking to Google APIs and DAOs for Google PubSub, Google Directory, Google IAM, and Google BigQuery. 
 
-Latest SBT dependency: `"org.broadinstitute.dsde.workbench" %% "workbench-google" % "0.21-445035e"`
+Latest SBT dependency: `"org.broadinstitute.dsde.workbench" %% "workbench-google" % "0.21-TRAVIS-REPLACE-ME"`
 
 To depend on the `MockGoogle*` classes, additionally depend on:
 
-`"org.broadinstitute.dsde.workbench" %% "workbench-google"  % "0.21-2a218f3" % "test" classifier "tests"`
+`"org.broadinstitute.dsde.workbench" %% "workbench-google"  % "0.21-TRAVIS-REPLACE-ME" % "test" classifier "tests"`
 
 [Changelog](google/CHANGELOG.md)
 

diff --git a/google/CHANGELOG.md b/google/CHANGELOG.md
@@ -4,7 +4,7 @@ This file documents changes to the `workbench-google` library, including notes o
 
 ## 0.21
 
-SBT dependency: `"org.broadinstitute.dsde.workbench" %% "workbench-google" % "0.21-445035e"`
+SBT dependency: `"org.broadinstitute.dsde.workbench" %% "workbench-google" % "0.21-TRAVIS-REPLACE-ME"`
 
 ### Added
 
@@ -13,6 +13,7 @@ SBT dependency: `"org.broadinstitute.dsde.workbench" %% "workbench-google" % "0.
   - The now deprecated `addIamRolesForUser` and `removeIamRolesForUser` call the aforementioned methods
   for backwards compatibility.
 - `getProjectNumber` in `GoogleProjectDAO`
+- `addWorkloadIdentityUserRoleForUser` in `GoogleIamDAO`
 
 ### Changed
 

diff --git a/google/src/main/scala/org/broadinstitute/dsde/workbench/google/GoogleIamDAO.scala b/google/src/main/scala/org/broadinstitute/dsde/workbench/google/GoogleIamDAO.scala
@@ -138,6 +138,19 @@ trait GoogleIamDAO {
                      memberType: MemberType,
                      rolesToRemove: Set[String]): Future[Boolean]
 
+  /**
+   *
+   * @param serviceAccountProject the google projecting which we're adding the IAM roles
+   * @param serviceAccountEmail the service account on which to add the roles to (i.e. the IAM resource).
+   * @param memberEmail the user email address for which to add the roles to
+   * @param rolesToAdd Set of roles to add to the serviceAccountEmail
+   * @return
+   */
+  def addIamPolicyBindingOnServiceAccount(serviceAccountProject: GoogleProject,
+                                          serviceAccountEmail: WorkbenchEmail,
+                                          memberEmail: WorkbenchEmail,
+                                          rolesToAdd: Set[String]): Future[Unit]
+
   /**
    * Adds the Service Account User role for the given users on the given service account.
    * This allows the users to impersonate as the service account.

diff --git a/google/src/main/scala/org/broadinstitute/dsde/workbench/google/HttpGoogleIamDAO.scala b/google/src/main/scala/org/broadinstitute/dsde/workbench/google/HttpGoogleIamDAO.scala
@@ -221,17 +221,13 @@ class HttpGoogleIamDAO(appName: String, googleCredentialMode: GoogleCredentialMo
       }
     }
 
-  override def addServiceAccountUserRoleForUser(serviceAccountProject: GoogleProject,
-                                                serviceAccountEmail: WorkbenchEmail,
-                                                userEmail: WorkbenchEmail): Future[Unit] =
-    // Note the project here is the one in which we're adding the IAM roles.
-    // In this case the serviceAccountEmail acts as a resource, not an identity. Therefore the serviceAccountEmail
-    // should live in the provided serviceAccountProject. For more information on service account permissions, see:
-    // - https://cloud.google.com/iam/docs/service-accounts#service_account_permissions
-    // - https://cloud.google.com/iam/docs/service-accounts#the_service_account_user_role
+  override def addIamPolicyBindingOnServiceAccount(serviceAccountProject: GoogleProject,
+                                                   serviceAccountEmail: WorkbenchEmail,
+                                                   memberEmail: WorkbenchEmail,
+                                                   rolesToAdd: Set[String]): Future[Unit] =
     getServiceAccountPolicy(serviceAccountProject, serviceAccountEmail).flatMap { policy =>
       val updatedPolicy =
-        updatePolicy(policy, userEmail, MemberType.ServiceAccount, Set("roles/iam.serviceAccountUser"), Set.empty)
+        updatePolicy(policy, memberEmail, MemberType.ServiceAccount, rolesToAdd, Set.empty)
       val policyRequest = new ServiceAccountSetIamPolicyRequest().setPolicy(updatedPolicy)
       val request = iam
         .projects()
@@ -243,6 +239,19 @@ class HttpGoogleIamDAO(appName: String, googleCredentialMode: GoogleCredentialMo
       }.void
     }
 
+  override def addServiceAccountUserRoleForUser(serviceAccountProject: GoogleProject,
+                                                serviceAccountEmail: WorkbenchEmail,
+                                                userEmail: WorkbenchEmail): Future[Unit] =
+    // Note the project here is the one in which we're adding the IAM roles.
+    // In this case the serviceAccountEmail acts as a resource, not an identity. Therefore the serviceAccountEmail
+    // should live in the provided serviceAccountProject. For more information on service account permissions, see:
+    // - https://cloud.google.com/iam/docs/service-accounts#service_account_permissions
+    // - https://cloud.google.com/iam/docs/service-accounts#the_service_account_user_role
+    addIamPolicyBindingOnServiceAccount(serviceAccountProject,
+                                        serviceAccountEmail,
+                                        userEmail,
+                                        Set("roles/iam.serviceAccountUser"))
+
   override def createServiceAccountKey(serviceAccountProject: GoogleProject,
                                        serviceAccountEmail: WorkbenchEmail): Future[ServiceAccountKey] = {
     val request = new CreateServiceAccountKeyRequest()

diff --git a/google/src/test/scala/org/broadinstitute/dsde/workbench/google/mock/MockGoogleIamDAO.scala b/google/src/test/scala/org/broadinstitute/dsde/workbench/google/mock/MockGoogleIamDAO.scala
@@ -70,6 +70,16 @@ class MockGoogleIamDAO extends GoogleIamDAO {
                                  iamPermissions: Set[IamPermission]): Future[Set[IamPermission]] =
     Future.successful(iamPermissions)
 
+  override def addIamPolicyBindingOnServiceAccount(serviceAccountProject: GoogleProject,
+                                                   serviceAccountEmail: WorkbenchEmail,
+                                                   memberEmail: WorkbenchEmail,
+                                                   rolesToAdd: Set[String]): Future[Unit] =
+    if (serviceAccounts.contains(serviceAccountEmail)) {
+      Future.successful(())
+    } else {
+      Future.failed(new Exception(s"Unknown service account $memberEmail"))
+    }
+
   override def addServiceAccountUserRoleForUser(googleProject: GoogleProject,
                                                 serviceAccountEmail: WorkbenchEmail,
                                                 userEmail: WorkbenchEmail): Future[Unit] =