broadinstitute · tlangs · Jun 11, 2024 · Jun 11, 2024 · Jun 12, 2024 · Jun 12, 2024
@@ -30,4 +30,5 @@
     <include file="changesets/20231019_sam_user_attributes_table.xml" relativeToChangelogFile="true"/>
     <include file="changesets/20240417_action_managed_identities.xml" relativeToChangelogFile="true"/>
     <include file="changesets/20240416_add_sam_rac_tables.xml" relativeToChangelogFile="true"/>
+    <include file="changesets/20240613_resource_created_by.xml" relativeToChangelogFile="true"/>
 </databaseChangeLog>
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<databaseChangeLog logicalFilePath="dummy"
+                   xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+                   xmlns:ext="http://www.liquibase.org/xml/ns/dbchangelog-ext"
+                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                   xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog-ext http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-ext.xsd http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.4.xsd">
+
+    <changeSet logicalFilePath="dummy" author="tlangs" id="resource_created_by">
+        <addColumn tableName="sam_resource">
+            <column name="created_by" type="VARCHAR">
+                <constraints nullable="true"/>
+            </column>
+        </addColumn>
+        <addForeignKeyConstraint baseTableName="sam_resource" baseColumnNames="created_by"  constraintName="FK_SR_CREATOR" referencedTableName="SAM_USER" referencedColumnNames="id" onDelete="SET NULL" />
+    </changeSet>
+
+</databaseChangeLog>
@@ -172,6 +172,7 @@ resourceTypes = {
           wds-instance = ["owner"]
           kubernetes-app = ["manager"]
           kubernetes-app-shared = ["owner", "user"]
+          cbas-submission = ["owner"]
         }
       }
       application = {
@@ -188,6 +189,7 @@ resourceTypes = {
           google-project = ["pet-creator"]
           wds-instance = ["writer"]
           kubernetes-app-shared = ["user"]
+          cbas-submission = ["reader"]
         }
       }
       reader = {
@@ -198,6 +200,7 @@ resourceTypes = {
           google-project = ["pet-creator"]
           wds-instance = ["reader"]
           kubernetes-app-shared = ["user"]
+          cbas-submission = ["reader"]
         }
       }
       discoverer = {
@@ -1674,6 +1677,32 @@ resourceTypes = {
     allowLeaving = false
     reuseIds = true
   }
+
+  cbas-submission = {
+    actionPatterns = {
+      abort = {
+        description = "Abort this cbas-submission"
+      }
+      read = {
+        description = "read information about the submission"
+      }
+      create_with_parent = {
+        description = "Enables creating the request object with a parent"
+      }
+    }
+    ownerRoleName = "owner"
+    roles = {
+      owner = {
+        roleActions = ["abort", "create_with_parent"]
+        includedRoles = ["reader"]
+      }
+      reader = {
+        roleActions = ["read", "read_creator"]
+      }
+    }
+    allowLeaving = false
+    reuseIds = false
+  }
 }
 
 

@@ -1739,7 +1739,7 @@ paths:
         This endpoint is ONLY for determining the state of the user's permissions. 
         It does not take into account enabled status, or Terms of Service Compliance, nor does it take into account Auth Domains.
         To check if a user is allowed to execute an action on a resource, use /api/resources/v2/{resourceTypeName}/{resourceId}/action/{action}
-        By default, public resources are not included. Including public resources incurs a 3x cost of DB performance.
+        By default, public resources are not included. Including public resources might incur a 3x cost of DB performance.
       operationId: listResourcesV2
       parameters:
         - name: format
@@ -1789,6 +1789,15 @@ paths:
             type: array
             items:
               type: string
+        - name: parentResources
+          in: query
+          description: Fully Qualified Resource IDs of parent resources to filter on. Formatted as `resourceTypeName:resourceId`.
+          required: false
+          explode: false
+          schema:
+            type: array
+            items:
+              type: string
         - name: includePublic
           in: query
           description: Include public resources in the response

@@ -252,6 +252,16 @@ trait ResourceRoutes extends SamUserDirectives with SecurityDirectives with SamM
                     }
                   }
                 }
+              } ~
+              pathPrefix("creator") {
+                requireAction(resource, SamResourceActions.readCreator, samUser.id, samRequestContext) {
+                  pathEndOrSingleSlash {
+                    complete(resourceService.getResourceCreator(resource, samRequestContext).map {
+                      case Some(response) => StatusCodes.OK -> response.email
+                      case None => throw new WorkbenchExceptionWithErrorReport(ErrorReport(StatusCodes.NotFound, "resource creator not found"))
+                    })
+                  }
+                }
               }
             }
           }
@@ -605,38 +615,65 @@ trait ResourceRoutes extends SamUserDirectives with SecurityDirectives with SamM
       "policies".as[String].?,
       "roles".as[String].?,
       "actions".as[String].?,
+      "parentResources".as[String].?,
       "includePublic" ? false,
       "format".as[String] ? "hierarchical"
-    ) { (resourceTypes: Option[String], policies: Option[String], roles: Option[String], actions: Option[String], includePublic: Boolean, format: String) =>
-      format match {
-        case "flat" =>
-          complete {
-            resourceService
-              .listResourcesFlat(
-                samUser.id,
-                resourceTypes.map(_.split(",").map(ResourceTypeName(_)).toSet).getOrElse(Set.empty),
-                policies.map(_.split(",").map(AccessPolicyName(_)).toSet).getOrElse(Set.empty),
-                roles.map(_.split(",").map(ResourceRoleName(_)).toSet).getOrElse(Set.empty),
-                actions.map(_.split(",").map(ResourceAction(_)).toSet).getOrElse(Set.empty),
-                includePublic,
-                samRequestContext
-              )
-              .map(StatusCodes.OK -> _)
-          }
-        case "hierarchical" =>
-          complete {
-            resourceService
-              .listResourcesHierarchical(
-                samUser.id,
-                resourceTypes.map(_.split(",").map(ResourceTypeName(_)).toSet).getOrElse(Set.empty),
-                policies.map(_.split(",").map(AccessPolicyName(_)).toSet).getOrElse(Set.empty),
-                roles.map(_.split(",").map(ResourceRoleName(_)).toSet).getOrElse(Set.empty),
-                actions.map(_.split(",").map(ResourceAction(_)).toSet).getOrElse(Set.empty),
-                includePublic,
-                samRequestContext
-              )
-              .map(StatusCodes.OK -> _)
-          }
-      }
+    ) {
+      (
+          resourceTypes: Option[String],
+          policies: Option[String],
+          roles: Option[String],
+          actions: Option[String],
+          parentResources: Option[String],
+          includePublic: Boolean,
+          format: String
+      ) =>
+        val parsedResourceTypes = resourceTypes.map(_.split(",").map(ResourceTypeName(_)).toSet).getOrElse(Set.empty)
+        val parsedPolicies = policies.map(_.split(",").map(AccessPolicyName(_)).toSet).getOrElse(Set.empty)
+        val parsedRoles = roles.map(_.split(",").map(ResourceRoleName(_)).toSet).getOrElse(Set.empty)
+        val parsedActions = actions.map(_.split(",").map(ResourceAction(_)).toSet).getOrElse(Set.empty)
+        val parsedParentResourceIds = parentResources
+          .map(
+            _.split(",")
+              .map { r =>
+                val splitted = r.split(":")
+                FullyQualifiedResourceId(ResourceTypeName(splitted(0)), ResourceId(splitted(1)))
+              }
+              .toSet
+          )
+          .getOrElse(Set.empty)
+        format match {
+          case "flat" =>
+            complete {
+              resourceService
+                .listResourcesFlat(
+                  samUser.id,
+                  parsedResourceTypes,
+                  parsedPolicies,
+                  parsedRoles,
+                  parsedActions,
+                  parsedParentResourceIds,
+                  includePublic,
+                  samRequestContext
+                )
+                .map(StatusCodes.OK -> _)
+            }
+          case "hierarchical" =>
+            complete {
+              resourceService
+                .listResourcesHierarchical(
+                  samUser.id,
+                  parsedResourceTypes,
+                  parsedPolicies,
+                  parsedRoles,
+                  parsedActions,
+                  parsedParentResourceIds,
+                  includePublic,
+                  samRequestContext
+                )
+                .map(StatusCodes.OK -> _)
+            }
+        }
+
     }
 }
@@ -197,6 +197,7 @@ trait UserRoutesV2 extends SamUserDirectives with SamRequestContextDirectives {
               Set.empty,
               Set(ResourceRoleName("user")),
               Set.empty,
+              Set.empty,
               includePublic = false,
               samRequestContext
             )

@@ -118,10 +118,13 @@ trait AccessPolicyDAO {
       policies: Set[AccessPolicyName],
       roles: Set[ResourceRoleName],
       actions: Set[ResourceAction],
+      parentResourceIds: Set[FullyQualifiedResourceId],
       includePublic: Boolean,
       samRequestContext: SamRequestContext
   ): IO[Seq[FilterResourcesResult]]
 
+  def getResourceCreator(resource: FullyQualifiedResourceId, samRequestContext: SamRequestContext): IO[Option[WorkbenchUserId]]
+
 }
 
 sealed abstract class LoadResourceAuthDomainResult