broadinstitute · salonishah11 · Apr 2, 2024 · Mar 14, 2024 · Mar 18, 2024 · Mar 18, 2024
@@ -578,10 +578,7 @@ services {
     config {
       enabled = false
       auth.azure = false
-      # Notes:
-      #   - don't include the 'Bearer' before the token
-      #   - this config value should be removed when support for fetching tokens from ECM has been added to Cromwell
-      access-token = "dummy-token"
+      ecm.base-url = "https://externalcreds.dsde-dev.broadinstitute.org"
     }
   }
 }

@@ -593,7 +593,7 @@ object Dependencies {
   val servicesDependencies: List[ModuleID] = List(
     "com.google.api" % "gax-grpc" % googleGaxGrpcV,
     "org.apache.commons" % "commons-csv" % commonsCsvV,
-  ) ++ testDatabaseDependencies
+  ) ++ testDatabaseDependencies ++ akkaHttpDependencies
 
   val serverDependencies: List[ModuleID] = slf4jBindingDependencies
 

@@ -12,6 +12,6 @@ object GithubAuthVending {
   sealed trait GithubAuthVendingResponse extends GithubAuthVendingMessage
   case class GithubAuthTokenResponse(accessToken: String) extends GithubAuthVendingResponse
   case object NoGithubAuthResponse extends GithubAuthVendingResponse
-  case class GithubAuthVendingFailure(error: Exception) extends GithubAuthVendingResponse
+  case class GithubAuthVendingFailure(errorMsg: String) extends GithubAuthVendingResponse
 
 }
@@ -44,7 +44,7 @@
           case GithubAuthTokenResponse(token) => Future.successful(Map("Authorization" -> s"Bearer ${token}"))
           case NoGithubAuthResponse => Future.successful(Map.empty)
           case GithubAuthVendingFailure(error) =>
-            Future.failed(new Exception("Failed to resolve github auth token", error))
+            Future.failed(new Exception(s"Failed to resolve GitHub auth token. Error: $error"))
         }
   }
 

@@ -0,0 +1,10 @@
+package cromwell.services.auth.ecm
+
+import com.typesafe.config.Config
+import net.ceedubs.ficus.Ficus._
+
+final case class EcmConfig(baseUrl: String)
+
+object EcmConfig {
+  def apply(config: Config): Option[EcmConfig] = config.as[Option[String]]("ecm.base-url").map(EcmConfig(_))
+}
@@ -0,0 +1,59 @@
+package cromwell.services.auth.ecm
+
+import akka.actor.ActorSystem
+import akka.http.scaladsl.Http
+import akka.http.scaladsl.model._
+import akka.http.scaladsl.model.headers.RawHeader
+import akka.util.ByteString
+
+import scala.concurrent.{ExecutionContext, Future}
+import scala.util.{Success, Try}
+import spray.json._
+
+class EcmService(baseEcmUrl: String) {
+  private val getGithubAccessTokenApiPath = "api/oauth/v1/github/access-token"
+
+  /*
+     ECM doesn't have a standard error response format. Some of the responses contains HTML tags in it. This helper
+     method returns custom error message for 401 and 403 errors as they contain HTML tags. For 400, 404 and 500 the
+     Swagger suggests that the response format is of ErrorReport schema and this method tries to extract the
+     actual message from the JSON object and returns it. In case of other status codes or if it fails to parse JSON it
+     returns the original error response.
+     ErrorReport schema: {"message":<actual_error_msg>, "statusCode":<code>}
+   */
+  def extractErrorMessage(errorCode: StatusCode, responseBodyAsStr: String): String =
+    errorCode match {
+      case StatusCodes.Unauthorized => "Invalid or missing authentication credentials."
+      case StatusCodes.Forbidden => "User doesn't have the right permission(s) to fetch Github token."
+      case StatusCodes.BadRequest | StatusCodes.NotFound | StatusCodes.InternalServerError =>
+        Try(responseBodyAsStr.parseJson) match {
+          case Success(JsObject(fields)) =>
+            fields.get("message").map(_.toString().replaceAll("\"", "")).getOrElse(responseBodyAsStr)
+          case _ => responseBodyAsStr
+        }
+      case _ => responseBodyAsStr
+    }
+
+  def getGithubAccessToken(
+    userToken: String
+  )(implicit actorSystem: ActorSystem, ec: ExecutionContext): Future[String] = {
+
+    def responseEntityToFutureStr(responseEntity: ResponseEntity): Future[String] =
+      responseEntity.dataBytes.runFold(ByteString(""))(_ ++ _).map(_.utf8String)
+
+    val headers: HttpHeader = RawHeader("Authorization", s"Bearer $userToken")
+    val httpRequest =
+      HttpRequest(method = HttpMethods.GET, uri = s"$baseEcmUrl/$getGithubAccessTokenApiPath").withHeaders(headers)
+
+    Http()
+      .singleRequest(httpRequest)
+      .flatMap((response: HttpResponse) =>
+        if (response.status.isFailure()) {
+          responseEntityToFutureStr(response.entity) flatMap { errorBody =>
+            val errorMessage = extractErrorMessage(response.status, errorBody)
+            Future.failed(new RuntimeException(s"HTTP ${response.status.value}. $errorMessage"))
+          }
+        } else responseEntityToFutureStr(response.entity)
+      )
+  }
+}
@@ -1,26 +1,51 @@
 package cromwell.services.auth.impl
 
-import akka.actor.{Actor, ActorRef, Props}
+import akka.actor.{Actor, ActorRef, ActorSystem, Props}
 import com.typesafe.config.Config
 import com.typesafe.scalalogging.LazyLogging
 import cromwell.core.Dispatcher.ServiceDispatcher
-import cromwell.services.auth.GithubAuthVending.{GithubAuthRequest, GithubAuthTokenResponse, NoGithubAuthResponse}
+import cromwell.services.auth.GithubAuthVending.{
+  GithubAuthRequest,
+  GithubAuthTokenResponse,
+  GithubAuthVendingFailure,
+  NoGithubAuthResponse
+}
+import cromwell.services.auth.ecm.{EcmConfig, EcmService}
 import cromwell.util.GracefulShutdownHelper.ShutdownCommand
 
+import scala.concurrent.ExecutionContext
+import scala.util.{Failure, Success}
+
 class GithubAuthVendingActor(serviceConfig: Config, globalConfig: Config, serviceRegistryActor: ActorRef)
     extends Actor
     with LazyLogging {
 
-  lazy val enabled = serviceConfig.getBoolean("enabled")
+  implicit val system: ActorSystem = context.system
+  implicit val ec: ExecutionContext = context.dispatcher
+
+  lazy val enabled: Boolean = serviceConfig.getBoolean("enabled")
+
+  private lazy val ecmConfigOpt: Option[EcmConfig] = EcmConfig.apply(serviceConfig)
+  lazy val ecmServiceOpt: Option[EcmService] = ecmConfigOpt.map(ecmConfig => new EcmService(ecmConfig.baseUrl))
 
   override def receive: Receive = {
-    case GithubAuthRequest(_) if enabled =>
-      sender() ! GithubAuthTokenResponse(serviceConfig.getString("access-token"))
+    case GithubAuthRequest(userToken) if enabled =>
+      val respondTo = sender()
+      ecmServiceOpt match {
+        case Some(ecmService) =>
+          ecmService.getGithubAccessToken(userToken) onComplete {
+            case Success(githubToken) => respondTo ! GithubAuthTokenResponse(githubToken)
+            case Failure(e) => respondTo ! GithubAuthVendingFailure(e.getMessage)
+          }
+        case None =>
+          respondTo ! GithubAuthVendingFailure(
+            "Invalid configuration for service 'GithubAuthVending': missing 'ecm.base-url' value."
+          )
+      }
     // This service currently doesn't do any work on shutdown but the service registry pattern requires it
     // (see https://github.com/broadinstitute/cromwell/issues/2575)
     case ShutdownCommand => context stop self
-    case _ =>
-      sender() ! NoGithubAuthResponse
+    case _ => sender() ! NoGithubAuthResponse
   }
 }
 

@@ -67,12 +67,11 @@ class GithubAuthVendingSupportSpec extends TestKitSuite with AnyFlatSpecLike wit
     val authHeader: Future[Map[String, String]] = provider.authHeader()
 
     serviceRegistryActor.expectMsg(GithubAuthRequest("user-token"))
-    serviceRegistryActor.reply(GithubAuthVending.GithubAuthVendingFailure(new Exception("BOOM")))
+    serviceRegistryActor.reply(GithubAuthVending.GithubAuthVendingFailure("BOOM"))
 
     eventually {
       authHeader.isCompleted should be(true)
-      authHeader.value.get.failed.get.getMessage should be("Failed to resolve github auth token")
-      authHeader.value.get.failed.get.getCause.getMessage should be("BOOM")
+      authHeader.value.get.failed.get.getMessage should be("Failed to resolve GitHub auth token. Error: BOOM")
     }
   }
 

@@ -0,0 +1,30 @@
+package cromwell.services.auth.ecm
+
+import com.typesafe.config.ConfigFactory
+import org.scalatest.flatspec.AnyFlatSpec
+import org.scalatest.matchers.should.Matchers
+
+class EcmConfigSpec extends AnyFlatSpec with Matchers {
+
+  it should "parse ECM base url when present" in {
+    val config = ConfigFactory.parseString(s"""
+                                              |enabled = true
+                                              |auth.azure = true
+                                              |ecm.base-url = "https://mock-ecm-url.org"
+      """.stripMargin)
+
+    val actualEcmConfig = EcmConfig.apply(config)
+
+    actualEcmConfig shouldBe defined
+    actualEcmConfig.get.baseUrl shouldBe "https://mock-ecm-url.org"
+  }
+
+  it should "return None when ECM base url is absent" in {
+    val config = ConfigFactory.parseString(s"""
+                                              |enabled = true
+                                              |auth.azure = true
+      """.stripMargin)
+
+    EcmConfig.apply(config) shouldBe None
+  }
+}
@@ -0,0 +1,62 @@
+package cromwell.services.auth.ecm
+
+import akka.http.scaladsl.model.StatusCodes
+import org.scalatest.flatspec.AnyFlatSpec
+import org.scalatest.matchers.should.Matchers
+import org.scalatest.prop.TableDrivenPropertyChecks
+
+class EcmServiceSpec extends AnyFlatSpec with Matchers with TableDrivenPropertyChecks {
+
+  private val ecmService = new EcmService("https://mock-ecm-url.org")
+
+  private val ecm400ErrorMsg = "No enum constant bio.terra.externalcreds.generated.model.Provider.githubb"
+  private val ecm404ErrorMsg =
+    "No linked account found for user ID: 123 and provider: github. Please go to the Terra Profile page External Identities tab to link your account for this provider"
+
+  private val testCases = Table(
+    ("test name", "response status code", "response body string", "expected error message"),
+    ("return custom 401 error when status code is 401",
+     StatusCodes.Unauthorized,
+     "<h2>could be anything</h2>",
+     "Invalid or missing authentication credentials."
+    ),
+    ("return custom 403 error when status code is 403",
+     StatusCodes.Forbidden,
+     "<h2>could be anything</h2>",
+     "User doesn't have the right permission(s) to fetch Github token."
+    ),
+    ("extract message from valid ErrorReport JSON if status code is 400",
+     StatusCodes.BadRequest,
+     s"""{ "message" : "$ecm400ErrorMsg", "statusCode" : 400}""",
+     ecm400ErrorMsg
+    ),
+    ("extract message from valid ErrorReport JSON if status code is 404",
+     StatusCodes.NotFound,
+     s"""{ "message" : "$ecm404ErrorMsg", "statusCode" : 404}""",
+     ecm404ErrorMsg
+    ),
+    ("extract message from valid ErrorReport JSON if status code is 500",
+     StatusCodes.InternalServerError,
+     """{ "message" : "Internal error", "statusCode" : 500}""",
+     "Internal error"
+    ),
+    ("return response error body if it fails to parse JSON",
+     StatusCodes.InternalServerError,
+     "Response error - not a JSON",
+     "Response error - not a JSON"
+    ),
+    ("return response error body for other non-success status codes",
+     StatusCodes.BadGateway,
+     "Response error - Bad Gateway",
+     "Response error - Bad Gateway"
+    )
+  )
+
+  behavior of "extractErrorMessage in EcmService"
+
+  forAll(testCases) { (testName, statusCode, responseBodyAsStr, expectedErrorMsg) =>
+    it should testName in {
+      assert(ecmService.extractErrorMessage(statusCode, responseBodyAsStr) == expectedErrorMsg)
+    }
+  }
+}
@@ -0,0 +1,120 @@
+package cromwell.services.auth.impl
+
+import akka.actor.{ActorRef, ActorSystem, Props}
+import akka.testkit.TestProbe
+import com.typesafe.config.{Config, ConfigFactory}
+import cromwell.core.TestKitSuite
+import cromwell.services.auth.GithubAuthVending.{
+  GithubAuthRequest,
+  GithubAuthTokenResponse,
+  GithubAuthVendingFailure,
+  NoGithubAuthResponse
+}
+import cromwell.services.auth.ecm.EcmService
+import cromwell.services.auth.impl.GithubAuthVendingActorSpec.TestGithubAuthVendingActor
+import org.scalatest.concurrent.Eventually
+import org.scalatest.flatspec.AnyFlatSpecLike
+import org.scalatest.matchers.should.Matchers
+
+import scala.concurrent.{ExecutionContext, Future}
+
+class GithubAuthVendingActorSpec extends TestKitSuite with AnyFlatSpecLike with Matchers with Eventually {
+
+  final private val githubAuthEnabledServiceConfig =
+    ConfigFactory.parseString(s"""
+                                 |enabled = true
+                                 |auth.azure = true
+                                 |ecm.base-url = "https://mock-ecm-url.org"
+        """.stripMargin)
+
+  behavior of "GithubAuthVendingActor"
+
+  it should "return NoGithubAuthResponse if GithubAuthVending is disabled" in {
+    val serviceConfig = ConfigFactory.parseString(s"""
+                                                     |enabled = false
+                                                     |auth.azure = false
+      """.stripMargin)
+
+    val serviceRegistryActor = TestProbe()
+    val actor = system.actorOf(
+      Props(new GithubAuthVendingActor(serviceConfig, ConfigFactory.parseString(""), serviceRegistryActor.ref))
+    )
+
+    eventually {
+      serviceRegistryActor.send(actor, GithubAuthRequest("valid_user_token"))
+      serviceRegistryActor.expectMsg(NoGithubAuthResponse)
+    }
+  }
+
+  it should "return invalid configuration error if no ECM base url is found" in {
+    val serviceConfig = ConfigFactory.parseString(s"""
+                                                     |enabled = true
+                                                     |auth.azure = true
+      """.stripMargin)
+
+    val serviceRegistryActor = TestProbe()
+    val actor = system.actorOf(
+      Props(new GithubAuthVendingActor(serviceConfig, ConfigFactory.parseString(""), serviceRegistryActor.ref))
+    )
+
+    eventually {
+      serviceRegistryActor.send(actor, GithubAuthRequest("valid_user_token"))
+      serviceRegistryActor.expectMsg(
+        GithubAuthVendingFailure("Invalid configuration for service 'GithubAuthVending': missing 'ecm.base-url' value.")
+      )
+    }
+  }
+
+  it should "return Github token if found" in {
+    val serviceRegistryActor = TestProbe()
+    val actor = system.actorOf(
+      Props(
+        new TestGithubAuthVendingActor(githubAuthEnabledServiceConfig,
+                                       ConfigFactory.parseString(""),
+                                       serviceRegistryActor.ref
+        )
+      )
+    )
+
+    eventually {
+      serviceRegistryActor.send(actor, GithubAuthRequest("valid_user_token"))
+      serviceRegistryActor.expectMsg(GithubAuthTokenResponse("gha_token"))
+    }
+  }
+
+  it should "return failure message if ECM service returns non-successful response" in {
+    val serviceRegistryActor = TestProbe()
+    val actor = system.actorOf(
+      Props(
+        new TestGithubAuthVendingActor(githubAuthEnabledServiceConfig,
+                                       ConfigFactory.parseString(""),
+                                       serviceRegistryActor.ref
+        )
+      )
+    )
+
+    eventually {
+      serviceRegistryActor.send(actor, GithubAuthRequest("invalid_user_token"))
+      serviceRegistryActor.expectMsg(GithubAuthVendingFailure("Exception thrown for testing purposes"))
+    }
+  }
+}
+
+class TestEcmService(baseUrl: String) extends EcmService(baseUrl) {
+
+  override def getGithubAccessToken(
+    userToken: String
+  )(implicit actorSystem: ActorSystem, ec: ExecutionContext): Future[String] =
+    userToken match {
+      case "valid_user_token" => Future.successful("gha_token")
+      case _ => Future.failed(new RuntimeException("Exception thrown for testing purposes"))
+    }
+}
+
+object GithubAuthVendingActorSpec {
+
+  class TestGithubAuthVendingActor(serviceConfig: Config, globalConfig: Config, serviceRegistryActor: ActorRef)
+      extends GithubAuthVendingActor(serviceConfig, globalConfig, serviceRegistryActor) {
+    override lazy val ecmServiceOpt: Option[EcmService] = Some(new TestEcmService("https://mock-ecm-url.org"))
+  }
+}