broadinstitute · dvoet · Apr 4, 2025 · Apr 4, 2025 · Apr 4, 2025 · Apr 4, 2025
@@ -347,6 +347,16 @@ class NihService(val samDao: SamDAO,
 
   def updateNihLinkAndSyncSelf(userInfo: UserInfo, jwtWrapper: JWTWrapper): Future[PerRequestMessage] = {
     val res = for {
+      _ <-
+        if (allowedNihMembers(Set(WorkbenchEmail(userInfo.userEmail))).isEmpty) {
+          Future.failed(
+            new FireCloudExceptionWithErrorReport(
+              ErrorReport(StatusCodes.Forbidden, "User is not allowed to link NIH account")
+            )
+          )
+        } else {
+          Future.successful(())
+        }
       shibbolethPublicKey <- shibbolethDao.getPublicKey()
       decodedToken <- Future
         .fromTry(Jwt.decodeRawAll(jwtWrapper.jwt, shibbolethPublicKey, Seq(JwtAlgorithm.RS256)))

@@ -1,6 +1,8 @@
 package org.broadinstitute.dsde.firecloud.service
 
 import akka.http.scaladsl.model.StatusCodes
+import akka.http.scaladsl.model.headers.OAuth2BearerToken
+import org.broadinstitute.dsde.firecloud.FireCloudExceptionWithErrorReport
 import org.broadinstitute.dsde.firecloud.dataaccess._
 import org.broadinstitute.dsde.firecloud.mock.MockGoogleServicesDAO
 import org.broadinstitute.dsde.firecloud.model.{JWTWrapper, UserInfo}
@@ -112,4 +114,14 @@ class NihServiceSpec extends AnyFlatSpec with Matchers {
         fail(s"Expired token should fail at the decode stage. Response was: $x")
     }
   }
+
+  it should "403 linking denied email" in {
+    val nihServiceMock = new NihService(samDao, thurloeDao, googleDao, mock[ShibbolethDAO], ecmDao)
+    val userToken: UserInfo =
+      UserInfo("someone@gmail.com", OAuth2BearerToken("dummyToken"), -1, thurloeDao.TCGA_AND_TARGET_LINKED)
+    val error = intercept[FireCloudExceptionWithErrorReport] {
+      Await.result(nihServiceMock.updateNihLinkAndSyncSelf(userToken, JWTWrapper("dummyToken")), 3.seconds)
+    }
+    error.errorReport.statusCode shouldBe Some(StatusCodes.Forbidden)
+  }
 }
@@ -432,61 +432,6 @@ class NihServiceUnitSpec extends AnyFlatSpec with Matchers with BeforeAndAfterEa
     )(ArgumentMatchers.eq(UserInfo(adminAccessToken, "")))
   }
 
-  it should "decode a JWT from Shibboleth and sync allowlists and remove a denied user" in {
-    mockShibbolethDAO()
-    mockEcmUsers()
-    mockThurloeUsers()
-    val user = deniedUser
-    val userInfo = UserInfo(user.email.value,
-                            OAuth2BearerToken(user.id.value),
-                            Instant.now().plusSeconds(60).getEpochSecond,
-                            user.id.value
-    )
-    val linkedAccount = userTcgaOnlyLinkedAccount
-    val jwt = jwtForUser(linkedAccount)
-    val (statusCode, nihStatus) = Await
-      .result(nihService.updateNihLinkAndSyncSelf(userInfo, jwt), Duration.Inf)
-      .asInstanceOf[PerRequest.RequestComplete[(StatusCode, NihStatus)]]
-      .response
-
-    nihStatus.linkedNihUsername should be(Some(linkedAccount.linkedExternalId))
-    nihStatus.linkExpireTime should be(Some(linkedAccount.linkExpireTime.getMillis / 1000L))
-    nihStatus.datasetPermissions should be(
-      Set(
-        NihDatasetPermission("BROKEN", authorized = false),
-        NihDatasetPermission("TARGET", authorized = false),
-        NihDatasetPermission("TCGA", authorized = false),
-        NihDatasetPermission("RAS", authorized = false)
-      )
-    )
-
-    statusCode should be(StatusCodes.OK)
-    verify(googleDao, times(1)).getBucketObjectAsInputStream(FireCloudConfig.Nih.whitelistBucket, "tcga-whitelist.txt")
-    verify(googleDao, times(1)).getBucketObjectAsInputStream(FireCloudConfig.Nih.whitelistBucket,
-                                                             "target-whitelist.txt"
-    )
-    verify(samDao, times(1)).removeGroupMember(
-      ArgumentMatchers.eq(WorkbenchGroupName("TARGET-dbGaP-Authorized")),
-      ArgumentMatchers.eq(ManagedGroupRoles.Member),
-      ArgumentMatchers.eq(WorkbenchEmail(user.email.value))
-    )(ArgumentMatchers.eq(UserInfo(adminAccessToken, "")))
-    verify(samDao, times(1)).removeGroupMember(
-      ArgumentMatchers.eq(WorkbenchGroupName("TCGA-dbGaP-Authorized")),
-      ArgumentMatchers.eq(ManagedGroupRoles.Member),
-      ArgumentMatchers.eq(WorkbenchEmail(user.email.value))
-    )(ArgumentMatchers.eq(UserInfo(adminAccessToken, "")))
-    verify(samDao, never()).addGroupMember(
-      ArgumentMatchers.eq(WorkbenchGroupName("this-doesnt-matter")),
-      ArgumentMatchers.eq(ManagedGroupRoles.Member),
-      ArgumentMatchers.eq(WorkbenchEmail(user.email.value))
-    )(ArgumentMatchers.eq(UserInfo(adminAccessToken, "")))
-    verify(samDao, never()).addGroupMember(
-      ArgumentMatchers.eq(WorkbenchGroupName("other-group")),
-      ArgumentMatchers.eq(ManagedGroupRoles.Member),
-      ArgumentMatchers.eq(WorkbenchEmail(user.email.value))
-    )(ArgumentMatchers.eq(UserInfo(adminAccessToken, "")))
-  }
-
   it should "continue, but return an error of ECM returns an error" in {
     mockShibbolethDAO()
     mockThurloeUsers()