diff --git a/docs/howto/authentication_file_phs001194.txt b/docs/howto/authentication_file_phs001194.txt
new file mode 100644
index 000000000..1678c188d
--- /dev/null
+++ b/docs/howto/authentication_file_phs001194.txt
@@ -0,0 +1,2 @@
+user name, login, authority, role, email, phone, status, phsid, permission set, created, updated, expires, downloader for, downloader for names, downloader for emails
+cdis.autotest@gmail.com,cdis.autotest@gmail.com,eRA,Downloader,cdis.autotest@gmail.com,"+(111) 1111111",active,"phs001194","General Research Use",2022-12-09 14:29:32.580,2022-12-10 12:49:58.870,2023-12-09 00:00:00.000,ME,ME ME,cdis.autotest@gmail.com
\ No newline at end of file
diff --git a/docs/howto/cascading-auth-config.md b/docs/howto/cascading-auth-config.md
new file mode 100644
index 000000000..6f29f5ace
--- /dev/null
+++ b/docs/howto/cascading-auth-config.md
@@ -0,0 +1,28 @@
+# Configuring Cascading Authorization for dbGaP Sync Tests
+
+1. Add the `authentication_file_phs001194.txt` in this directory to the SFTP Server used by the integration test environments.
+2. Update the integration test environments' fence-config.yaml to include the `parent_to_child_studies_mapping` for the dbGaP.info configuration for the SFTP Server in Step 1.
+3. Run `gen3 kube-setup-fence` so the changes to the fence-config.yaml changes are applied to the cluster.
+
+fence-config.yaml example:
+
+```
+dbGaP:
+ - info:
+ host: 'sftp.server.example.not-a-real-server.amazonaws.com'
+ username: 'jenkins-dcp'
+ password: ''
+ port: 22
+ proxy: 'cloud-proxy.internal.io'
+ proxy_user: 'sftpuser'
+ encrypted: false
+ study_to_resource_namespaces:
+ '_default': ['/']
+ allow_non_dbGaP_whitelist: true
+ allowed_whitelist_patterns: ['authentication_file_PROJECT-(\d*).(csv|txt)', 'authentication_file_NCI-(\d*).(csv|txt)']
+ protocol: 'sftp'
+ decrypt_key:
+ parse_consent_code: false
+ parent_to_child_studies_mapping:
+ 'phs001194': ['phs000571']
+```
\ No newline at end of file
diff --git a/suites/apis/dbgapTest.js b/suites/apis/dbgapTest.js
index 5d8f9848c..bc3ed162f 100644
--- a/suites/apis/dbgapTest.js
+++ b/suites/apis/dbgapTest.js
@@ -77,6 +77,27 @@ const indexed_files = {
 authz: ['/orgB/programs/phs000179'],
 size: 11,
 },
+ parentPhs001194File: {
+ filename: 'cascauth',
+ urls: [
+ 's3://cdis-presigned-url-test/testdata',
+ `gs://${fenceProps.googleBucketInfo.test.bucketId}/${fenceProps.googleBucketInfo.QA.fileName}`
+
+ ],
+ md5: '73d643ec3f4beb9020eef0beed440ad2',
+ authz: ['/programs/phs001194'],
+ size: 11,
+ },
+ childPhs000571File: {
+ filename: 'cascauth',
+ urls: [
+ 's3://cdis-presigned-url-test/testdata',
+ `gs://${fenceProps.googleBucketInfo.test.bucketId}/${fenceProps.googleBucketInfo.QA.fileName}`
+ ],
+ md5: '73d643ec3f4beb9020eef0beed440ad2',
+ authz: ['/programs/phs000571'],
+ size: 11,
+ },
 QAFile: {
 filename: 'testdata',
 urls: [
@@ -128,6 +149,20 @@ BeforeSuite(async ({ fence, users, indexd }) => {
 var fenceCmd = `fence-create link-bucket-to-project --project_auth_id phs000178 --bucket_id ${bucketId} --bucket_provider google`;
 console.log(`Running: ${fenceCmd}`);
 bash.runCommand(fenceCmd, 'fence');
+
+ // Google signed urls are testing for dbgap syncing as well, link phs ids to
+ // existing buckets
+ bucketId = fenceProps.googleBucketInfo.test.bucketId;
+ var fenceCmd = `fence-create link-bucket-to-project --project_auth_id phs001194 --bucket_id ${bucketId} --bucket_provider google`;
+ console.log(`Running: ${fenceCmd}`);
+ bash.runCommand(fenceCmd, 'fence');
+
+ // Google signed urls are testing for dbgap syncing as well, link phs ids to
+ // existing buckets
+ bucketId = fenceProps.googleBucketInfo.test.bucketId;
+ var fenceCmd = `fence-create link-bucket-to-project --project_auth_id phs000571 --bucket_id ${bucketId} --bucket_provider google`;
+ console.log(`Running: ${fenceCmd}`);
+ bash.runCommand(fenceCmd, 'fence');
 });
 
 AfterSuite(async ({ fence, indexd, users }) => {
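Review bot: In `parentPhs001194File` the gs entry of `urls` is followed by a stray blank line and lacks the trailing comma that `childPhs000571File` and the neighbouring entries carry, so a comma-dangle lint pass would treat the two new records differently; drop the blank line and write `` `gs://${fenceProps.googleBucketInfo.test.bucketId}/${fenceProps.googleBucketInfo.QA.fileName}`, ``. Both new records share `filename: 'cascauth'` and the same md5, which looks deliberate since they index the same object under the parent and child authz paths; a one-line comment above `parentPhs001194File` saying so would save the next reader from checking. The `indexed_files` object begins above this hunk.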
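Review bot: `var fenceCmd` is declared a second and a third time inside `BeforeSuite`, redeclaring the binding on the context line above; `var` tolerates this, but it fails `no-redeclare` and becomes a SyntaxError the day the file moves to `let`/`const`. The two added blocks differ only in the `--project_auth_id` value and repeat the same two-line comment, so a loop over the two phs ids that reassigns the existing `fenceCmd` keeps a single copy of the command template. The result of `bash.runCommand` is not inspected here or on the existing lines, so a failed bucket link would surface only later as an unexplained signed-url failure in the cascading-auth scenario; logging the command output, if the helper returns it, would make that failure attributable. `BeforeSuite`'s body begins above this hunk.
```javascript
  // Google signed urls are tested for dbgap syncing as well; link the cascading
  // auth parent and child phs ids to the existing test bucket
  bucketId = fenceProps.googleBucketInfo.test.bucketId;
  for (const phsId of ['phs001194', 'phs000571']) {
    fenceCmd = `fence-create link-bucket-to-project --project_auth_id ${phsId} --bucket_id ${bucketId} --bucket_provider google`;
    console.log(`Running: ${fenceCmd}`);
    bash.runCommand(fenceCmd, 'fence');
  }
```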
@@ -250,6 +285,65 @@ Scenario('dbGaP Sync: created signed urls (from s3 and gs) to download, try crea
 + 'project phs000178, even though they have read access.');
 }).retry(1);
 
+Scenario('dbGaP Sync: Cascading Auth - create signed urls from s3 and gs to download, @dbgapSyncing @reqGoogle',
+ async ({I, fence, users}) => {
+ console.log('Use mainAcct to create s3 signed URL for file phs001194');
+
+ console.log('Use mainAcct to create gs signed URL for file phs001194');
+ const signedUrlgsPhs001194Res = await fence.do.createSignedUrl(
+ indexed_files.parentPhs001194File.did, ['protocol=gs'],
+ users.mainAcct.accessTokenHeader,
+ );
+ const signedUrls3phs001194Res = await fence.do.createSignedUrl(
+ indexed_files.parentPhs001194File.did, ['protocol=s3'],
+ users.mainAcct.accessTokenHeader,
+ );
+
+ const phs001194s3FileContents = await fence.do.getFileFromSignedUrlRes(
+ signedUrls3phs001194Res
+ );
+ const phs001194gsFileContents = await fence.do.getFileFromSignedUrlRes(
+ signedUrlgsPhs001194Res
+ );
+
+ console.log('Use mainAcct to create s3 signed URL for file phs000571');
+
+ console.log('Use mainAcct to create gs signed URL for file phs000571');
+ const signedUrlgsPhs000571Res = await fence.do.createSignedUrl(
+ indexed_files.childPhs000571File.did, ['protocol=gs'],
+ users.mainAcct.accessTokenHeader,
+ );
+ const signedUrls3phs000571Res = await fence.do.createSignedUrl(
+ indexed_files.childPhs000571File.did, ['protocol=s3'],
+ users.mainAcct.accessTokenHeader,
+ );
+
+ const phs000571s3FileContents = await fence.do.getFileFromSignedUrlRes(
+ signedUrls3phs000571Res
+ );
+ const phs000571gsFileContents = await fence.do.getFileFromSignedUrlRes(
+ signedUrlgsPhs000571Res
+ );
+ chai.expect(phs000571s3FileContents,
+ `User ${users.mainAcct.username} with access could NOT create s3 signed urls and read file for a ` +
+ `record in authorized dbGaP substudy phs000571 with its parent study phs001194 authorization`)
.to.equal(fence.props.awsBucketInfo.cdis_presigned_url_test.testdata);
+ chai.expect(phs000571gsFileContents,
+ `User ${users.mainAcct.username} with access could NOT create gs signed urls and read file for a ` +
+ 'record in authorized dbGaP substudy phs000571 with parent study phs001194 authorization')
+ .to.equal(fence.props.googleBucketInfo.test.fileContents);
+
+ chai.expect(phs001194s3FileContents,
+ `User ${users.mainAcct.username} with access could NOT create s3 signed urls ` +
+ 'and read file for a record in authorized dbGaP parent study phs001194')
+ .to.equal(fence.props.awsBucketInfo.cdis_presigned_url_test.testdata);
+ chai.expect(phs001194gsFileContents,
+ `User ${users.mainAcct.username} with access could NOT create gs signed urls ` +
+ 'and read file for a record in authorized dbGaP parent phs001194')
+ .to.equal(fence.props.googleBucketInfo.test.fileContents);
+ }
+)
+
 Scenario('dbGaP + user.yaml Sync: ensure combined access @dbgapSyncing @reqGoogle',
 async ({ fence, users }) => {
 console.log('Running usersync job and adding dbgap sync to yaml sync');
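Review bot: The scenario only exercises the grant direction of the mapping: `users.mainAcct`, the account listed for phs001194 in the fixture, is shown to read both `parentPhs001194File` and `childPhs000571File`, but nothing asserts that an account the fixture does not list is refused a signed url for `childPhs000571File`, which is the assertion that would catch a `parent_to_child_studies_mapping` that grants more than intended. One further `fence.do.createSignedUrl(indexed_files.childPhs000571File.did, ['protocol=s3'], <unlisted user>.accessTokenHeader)` with an expectation of a non-2xx status, in the way the preceding scenario appears to do for phs000178, would close that gap. The two `console.log` lines for each study announce the s3 request first, yet the gs request is issued first and the s3 request second, so the log misleads when a call fails; reorder or merge the messages to match the calls. `I` is destructured from the scenario arguments but never used, and the scenario closes with `}` and `)` on separate lines where its neighbours use `});`.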