feat(BDC-56): Cascading Authz Integration Tests

docs/howto/authentication_file_phs001194.txt

@@ -0,0 +1,2 @@
+user name, login, authority, role, email, phone, status, phsid, permission set, created, updated, expires, downloader for, downloader for names, downloader for emails
+cdis.autotest@gmail.com,cdis.autotest@gmail.com,eRA,Downloader,cdis.autotest@gmail.com,"+(111) 1111111",active,"phs001194","General Research Use",2022-12-09 14:29:32.580,2022-12-10 12:49:58.870,2023-12-09 00:00:00.000,ME,ME ME,cdis.autotest@gmail.com

docs/howto/cascading-auth-config.md

@@ -0,0 +1,28 @@
+# Configuring Cascading Authorization for dbGaP Sync Tests
+
+1. Add the `authentication_file_phs001194.txt` in this directory to the SFTP Server used by the integration test environments. 
+2. Update the integration test environments' fence-config.yaml to include the `parent_to_child_studies_mapping` for the dbGaP.info configuration for the SFTP Server in Step 1.
+3. Run `gen3 kube-setup-fence` so the changes to the fence-config.yaml changes are applied to the cluster.
+
+fence-config.yaml example: 
+
+```
+dbGaP:
+  - info:
+      host: 'sftp.server.example.not-a-real-server.amazonaws.com'
+      username: 'jenkins-dcp'
+      password: ''
+      port: 22
+      proxy: 'cloud-proxy.internal.io'
+      proxy_user: 'sftpuser'
+      encrypted: false
+    study_to_resource_namespaces:
+        '_default': ['/']
+    allow_non_dbGaP_whitelist: true
+    allowed_whitelist_patterns: ['authentication_file_PROJECT-(\d*).(csv|txt)', 'authentication_file_NCI-(\d*).(csv|txt)']  
+    protocol: 'sftp'
+    decrypt_key: <redacted>
+    parse_consent_code: false
+    parent_to_child_studies_mapping:
+      'phs001194': ['phs000571']
+```

suites/apis/dbgapTest.js

@@ -77,6 +77,27 @@ const indexed_files = {
     authz: ['/orgB/programs/phs000179'],
     size: 11,
   },
+  parentPhs001194File: {
+    filename: 'cascauth',
+    urls: [
+      's3://cdis-presigned-url-test/testdata',
+      `gs://${fenceProps.googleBucketInfo.test.bucketId}/${fenceProps.googleBucketInfo.QA.fileName}`
+
+    ],
+    md5: '73d643ec3f4beb9020eef0beed440ad2',
+    authz: ['/programs/phs001194'],
+    size: 11,
+  },
+  childPhs000571File: {
+    filename: 'cascauth',
+    urls: [
+      's3://cdis-presigned-url-test/testdata',
+      `gs://${fenceProps.googleBucketInfo.test.bucketId}/${fenceProps.googleBucketInfo.QA.fileName}`
+    ],
+    md5: '73d643ec3f4beb9020eef0beed440ad2',
+    authz: ['/programs/phs000571'],
+    size: 11,
+  },
   QAFile: {
     filename: 'testdata',
     urls: [
@@ -128,6 +149,20 @@ BeforeSuite(async ({ fence, users, indexd }) => {
     var fenceCmd = `fence-create link-bucket-to-project --project_auth_id phs000178 --bucket_id ${bucketId} --bucket_provider google`;
     console.log(`Running: ${fenceCmd}`);
     bash.runCommand(fenceCmd, 'fence');
+
+    // Google signed urls are testing for dbgap syncing as well, link phs ids to
+    // existing buckets
+    bucketId = fenceProps.googleBucketInfo.test.bucketId;
+    var fenceCmd = `fence-create link-bucket-to-project --project_auth_id phs001194 --bucket_id ${bucketId} --bucket_provider google`;
+    console.log(`Running: ${fenceCmd}`);
+    bash.runCommand(fenceCmd, 'fence');
+
+    // Google signed urls are testing for dbgap syncing as well, link phs ids to
+    // existing buckets
+    bucketId = fenceProps.googleBucketInfo.test.bucketId;
+    var fenceCmd = `fence-create link-bucket-to-project --project_auth_id phs000571 --bucket_id ${bucketId} --bucket_provider google`;
+    console.log(`Running: ${fenceCmd}`);
+    bash.runCommand(fenceCmd, 'fence');
 });
 
 AfterSuite(async ({ fence, indexd, users }) => {
@@ -250,6 +285,65 @@ Scenario('dbGaP Sync: created signed urls (from s3 and gs) to download, try crea
       + 'project phs000178, even though they have read access.');
 }).retry(1);
 
+Scenario('dbGaP Sync: Cascading Auth - create signed urls from s3 and gs to download, @dbgapSyncing @reqGoogle',
+    async ({I, fence, users}) => {
+        console.log('Use mainAcct to create s3 signed URL for file phs001194');
+
+        console.log('Use mainAcct to create gs signed URL for file phs001194');
+        const signedUrlgsPhs001194Res = await fence.do.createSignedUrl(
+            indexed_files.parentPhs001194File.did, ['protocol=gs'],
+            users.mainAcct.accessTokenHeader,
+        );
+        const signedUrls3phs001194Res = await fence.do.createSignedUrl(
+            indexed_files.parentPhs001194File.did, ['protocol=s3'],
+            users.mainAcct.accessTokenHeader,
+        );
+
+        const phs001194s3FileContents = await fence.do.getFileFromSignedUrlRes(
+            signedUrls3phs001194Res
+        );
+        const phs001194gsFileContents = await fence.do.getFileFromSignedUrlRes(
+            signedUrlgsPhs001194Res
+        );
+
+        console.log('Use mainAcct to create s3 signed URL for file phs000571');
+
+        console.log('Use mainAcct to create gs signed URL for file phs000571');
+        const signedUrlgsPhs000571Res = await fence.do.createSignedUrl(
+            indexed_files.childPhs000571File.did, ['protocol=gs'],
+            users.mainAcct.accessTokenHeader,
+        );
+        const signedUrls3phs000571Res = await fence.do.createSignedUrl(
+            indexed_files.childPhs000571File.did, ['protocol=s3'],
+            users.mainAcct.accessTokenHeader,
+        );
+
+        const phs000571s3FileContents = await fence.do.getFileFromSignedUrlRes(
+            signedUrls3phs000571Res
+        );
+        const phs000571gsFileContents = await fence.do.getFileFromSignedUrlRes(
+            signedUrlgsPhs000571Res
+        );
+        chai.expect(phs000571s3FileContents,
+            `User ${users.mainAcct.username} with access could NOT create s3 signed urls and read file for a ` +
+            `record in authorized dbGaP substudy phs000571 with its parent study phs001194 authorization`)
+            .to.equal(fence.props.awsBucketInfo.cdis_presigned_url_test.testdata);
+        chai.expect(phs000571gsFileContents,
+            `User ${users.mainAcct.username} with access could NOT create gs signed urls and read file for a ` +
+             'record in authorized dbGaP substudy phs000571 with parent study phs001194 authorization')
+            .to.equal(fence.props.googleBucketInfo.test.fileContents);
+
+        chai.expect(phs001194s3FileContents,
+            `User ${users.mainAcct.username} with access could NOT create s3 signed urls `
+            + 'and read file for a record in authorized dbGaP parent study phs001194')
+            .to.equal(fence.props.awsBucketInfo.cdis_presigned_url_test.testdata);
+        chai.expect(phs001194gsFileContents,
+            `User ${users.mainAcct.username} with access could NOT create gs signed urls `
+            + 'and read file for a record in authorized dbGaP parent phs001194')
+            .to.equal(fence.props.googleBucketInfo.test.fileContents);
+    }
+)
+
 Scenario('dbGaP + user.yaml Sync: ensure combined access @dbgapSyncing @reqGoogle',
   async ({ fence, users }) => {
     console.log('Running usersync job and adding dbgap sync to yaml sync');