ID-1270 create_with_parent Action (#1441)

* ID-1270 create_with_parent Action

Author: tlangs

src/main/scala/org/broadinstitute/dsde/workbench/sam/api/SecurityDirectives.scala

@@ -74,8 +74,10 @@ trait SecurityDirectives {
     maybeParent match {
       case None => Directives.pass // no parent specified, proceed
       case Some(parent) =>
-        // parents are allowed for a resource type if the owner role contains the SamResourceActions.setParent action
-        val parentAllowed = resourceType.roles.find(_.roleName == resourceType.ownerRoleName).exists(_.actions.contains(SamResourceActions.setParent))
+        // parents are allowed for a resource type if the owner role contains the SamResourceActions.setParent or SamResourceActions.createWithParent action
+        val parentAllowed = resourceType.roles
+          .find(_.roleName == resourceType.ownerRoleName)
+          .exists(role => role.actions.contains(SamResourceActions.setParent) || role.actions.contains(SamResourceActions.createWithParent))
         if (!parentAllowed) {
           Directives.failWith(
             new WorkbenchExceptionWithErrorReport(

src/main/scala/org/broadinstitute/dsde/workbench/sam/model/SamModel.scala

@@ -31,6 +31,7 @@ object SamResourceActions {
   val testAnyActionAccess = ResourceAction("test_any_action_access")
   val getParent = ResourceAction("get_parent")
   val setParent = ResourceAction("set_parent")
+  val createWithParent = ResourceAction("create_with_parent")
   val addChild = ResourceAction("add_child")
   val removeChild = ResourceAction("remove_child")
   val listChildren = ResourceAction("list_children")

src/test/scala/org/broadinstitute/dsde/workbench/sam/api/ResourceRoutesV2Spec.scala

@@ -213,6 +213,37 @@ class ResourceRoutesV2Spec extends RetryableAnyFlatSpec with Matchers with TestS
     }
   }
 
+  it should "204 create resource with content with parent with create_with_parent action" in {
+    val resourceType = ResourceType(
+      ResourceTypeName("rt"),
+      Set(ResourceActionPattern(SamResourceActions.setParent.value, "", false)),
+      Set(ResourceRole(ResourceRoleName("owner"), Set(SamResourceActions.createWithParent, SamResourceActions.addChild))),
+      ResourceRoleName("owner")
+    )
+    val samRoutes = TestSamRoutes(Map(resourceType.name -> resourceType))
+
+    val createParentResourceRequest = CreateResourceRequest(
+      ResourceId("parent"),
+      Map(AccessPolicyName("goober") -> AccessPolicyMembershipRequest(Set(defaultUserInfo.email), Set.empty, Set(resourceType.ownerRoleName))),
+      Set.empty,
+      Some(false)
+    )
+    Post(s"/api/resources/v2/${resourceType.name}", createParentResourceRequest) ~> samRoutes.route ~> check {
+      status shouldEqual StatusCodes.NoContent
+    }
+
+    val createResourceRequest = CreateResourceRequest(
+      ResourceId("foo"),
+      Map(AccessPolicyName("goober") -> AccessPolicyMembershipRequest(Set(defaultUserInfo.email), Set.empty, Set(resourceType.ownerRoleName))),
+      Set.empty,
+      Some(false),
+      Some(FullyQualifiedResourceId(resourceType.name, createParentResourceRequest.resourceId))
+    )
+    Post(s"/api/resources/v2/${resourceType.name}", createResourceRequest) ~> samRoutes.route ~> check {
+      status shouldEqual StatusCodes.NoContent
+    }
+  }
+
   it should "400 with parent when parents not allowed" in {
     val resourceType = ResourceType(
       ResourceTypeName("rt"),
@@ -2036,6 +2067,30 @@ class ResourceRoutesV2Spec extends RetryableAnyFlatSpec with Matchers with TestS
     }
   }
 
+  it should "403 if user only has create_with_parent on child resource" in {
+    val fullyQualifiedChildResource = FullyQualifiedResourceId(defaultResourceType.name, ResourceId("child"))
+    val newParentResource = FullyQualifiedResourceId(defaultResourceType.name, ResourceId("newParent"))
+    val currentParentResource = FullyQualifiedResourceId(defaultResourceType.name, ResourceId("currentParent"))
+    val samRoutes = createSamRoutes()
+
+    setupParentRoutes(
+      samRoutes,
+      fullyQualifiedChildResource,
+      currentParentOpt = Option(currentParentResource),
+      newParentOpt = Option(newParentResource),
+      actionsOnChild = Set(SamResourceActions.readPolicies, SamResourceActions.createWithParent),
+      actionsOnCurrentParent = Set(SamResourceActions.removeChild),
+      actionsOnNewParent = Set(SamResourceActions.addChild)
+    )
+
+    Put(
+      s"/api/resources/v2/${defaultResourceType.name}/${fullyQualifiedChildResource.resourceId.value}/parent",
+      newParentResource
+    ) ~> samRoutes.route ~> check {
+      status shouldEqual StatusCodes.Forbidden
+    }
+  }
+
   it should "403 if user is missing add_child on new parent resource" in {
     val fullyQualifiedChildResource = FullyQualifiedResourceId(defaultResourceType.name, ResourceId("child"))
     val newParentResource = FullyQualifiedResourceId(defaultResourceType.name, ResourceId("newParent"))