Merge branch 'master' into chore/verbose

uc-cdis · Jun 25, 2019 · d085689 · d085689
2 parents a8b04c7 + b558a92
commit d085689
Show file tree

Hide file tree

Showing 11 changed files with 626 additions and 190 deletions.
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1,30 @@
+.codacy.yml export-ignore
+.gitattributes export-ignore
+.gitignore export-ignore
+.travis.yml export-ignore
+CHANGELOG.md export-ignore
+Dockerfile export-ignore
+DockerfileShib export-ignore
+Jenkinsfile export-ignore
+Jenkinsfile.security export-ignore
+LICENSE export-ignore
+MANIFEST.in export-ignore
+NOTICE export-ignore
+README.md export-ignore
+bin export-ignore
+# cfg_help.py
+deployment export-ignore
+dev-requirements.txt export-ignore
+dockerrun.bash export-ignore
+dockerrunshib.bash export-ignore
+docs export-ignore
+# fence
+keys export-ignore
+openapis export-ignore
+pull_request_template.md export-ignore
+requirements.txt export-ignore
+# run.py
+# setup.py
+tests export-ignore
+ua.yaml export-ignore
+# wsgi.py
diff --git a/Dockerfile b/Dockerfile
@@ -4,7 +4,7 @@
 FROM quay.io/cdis/py27base:pybase2-1.0.2
 
 RUN mkdir /var/www/fence \
-	&& chown www-data /var/www/fence
+    && chown www-data /var/www/fence
 
 COPY . /fence
 COPY ./deployment/uwsgi/uwsgi.ini /etc/uwsgi/uwsgi.ini
@@ -29,6 +29,7 @@ RUN (cd /tmp \
   && cd mhash-0.9.9.9 \
   && ./configure && make && make install \
   && /bin/rm -rf /tmp/*)
+
 #
 # mcrypt is required to decrypt dbgap user files - see fence/sync/sync_users.py
 #
@@ -42,4 +43,4 @@ EXPOSE 80
 
 WORKDIR /var/www/fence
 
-CMD ["sh","-c","bash /fence/dockerrun.bash && /dockerrun.sh"]
+CMD ["sh","-c","bash /fence/dockerrun.bash && /dockerrun.sh"]
diff --git a/Jenkinsfile.security b/Jenkinsfile.security
@@ -0,0 +1,6 @@
+#!groovy
+
+@Library('cdis-jenkins-lib@master') _
+
+securityPipeline {
+}
diff --git a/fence/config-default.yaml b/fence/config-default.yaml
@@ -354,6 +354,14 @@ dbGaP:
   protocol: 'sftp'
   decrypt_key: ''
   parse_consent_code: true
+  # A mapping from the dbgap study to which authorization namespaces the actual data
+  # lives in. For example, `studyX` data may exist in multiple organizations, so
+  # we need to know to map authorization to all orgs resources
+  study_to_resource_namespaces:
+    '_default': ['/']
+    'studyX': ['/orgA/', '/orgB/']
+    'studyY': ['/orgB/', '/orgC/']
+    'studyZ': ['/orgD/']
 
 # //////////////////////////////////////////////////////////////////////////////////////
 # STORAGE BACKENDS AND CREDENTIALS

diff --git a/fence/rbac/client.py b/fence/rbac/client.py
@@ -192,7 +192,7 @@ def policies_not_exist(self, policy_ids):
         ]
 
     @_arborist_retry()
-    def create_resource(self, parent_path, resource_json, overwrite=False):
+    def create_resource(self, parent_path, resource_json, create_parents=False):
         """
         Create a new resource in arborist (does not affect fence database or
         otherwise have any interaction with userdatamodel).
@@ -241,16 +241,10 @@ def create_resource(self, parent_path, resource_json, overwrite=False):
         #     /resource/parent/new_resource
         #
         path = self._resource_url + parent_path
+        if create_parents:
+            path = path + "?p"
+
         response = requests.post(path, json=resource_json)
-        if response.status_code == 409:
-            if not overwrite:
-                return None
-            # overwrite existing resource
-            resource_path = parent_path + resource_json["name"]
-            self.logger.info("trying to overwrite resource {}".format(resource_path))
-            self.delete_resource(resource_path)
-            self.create_resource(parent_path, resource_json, overwrite=False)
-            return
         data = _request_get_json(response)
         if isinstance(data, dict) and "error" in data:
             msg = data["error"]
@@ -265,7 +259,10 @@ def create_resource(self, parent_path, resource_json, overwrite=False):
         return data
 
     @_arborist_retry()
-    def update_resource(self, path, resource_json):
+    def update_resource(self, path, resource_json, create_parents=False):
+        path = self._resource_url + path
+        if create_parents:
+            path = path + "?p"
         response = _request_get_json(requests.put(path, json=resource_json))
         if "error" in response:
             self.logger.error(
@@ -367,7 +364,11 @@ def create_policy(self, policy_json, overwrite=False):
             response = requests.put(self._policy_url, json=policy_json)
         else:
             response = requests.post(self._policy_url, json=policy_json)
+
         data = _request_get_json(response)
+
+        self.logger.info("arborist data: {}".format(data))
+
         if response.status_code == 409:
             # already exists; this is ok, but leave warning
             self.logger.warn(