initial commit: tms key change

client/modules/workspace/src/AppsSubmissionForm/AppsSubmissionForm.tsx

@@ -374,7 +374,11 @@ export const AppsSubmissionForm: React.FC = () => {
 
   useEffect(() => {
     if (submitResult?.execSys) {
-      setPushKeysSystem(submitResult.execSys);
+      setPushKeysSystem(
+        pushKeysSystem?.defaultAuthnMethod === 'TMS_KEYS'
+          ? undefined
+          : submitResult.execSys
+      );
     } else if (isSuccess) {
       reset(initialValues);
       if (definition.notes.isInteractive) {
@@ -553,6 +557,23 @@ export const AppsSubmissionForm: React.FC = () => {
             style={{ marginBottom: '1rem' }}
           />
         )}
+      {submitResult &&
+        submitResult.execSys &&
+        submitResult.execSys?.defaultAuthnMethod === 'TMS_Keys' && (
+          <Alert
+            message={
+              <>
+                There was a problem with file system access. Please submit a{' '}
+                <a href="/help/new-ticket/" target="_blank">
+                  ticket.
+                </a>
+              </>
+            }
+            type="warning"
+            showIcon
+            style={{ marginBottom: '1rem' }}
+          />
+        )}
       {missingAllocation && (
         <Alert
           message={

designsafe/apps/api/systems/views.py

@@ -7,7 +7,7 @@
 import json
 from django.http import JsonResponse
 from designsafe.apps.api.views import AuthenticatedApiView
-from designsafe.apps.onboarding.steps.system_access_v3 import create_system_credentials
+from designsafe.apps.onboarding.steps.system_access_v3 import create_system_credentials_with_keys
 from designsafe.utils.encryption import createKeyPair
 from .utils import add_pub_key_to_resource
 
@@ -43,7 +43,7 @@ def post(self, request):
             hostname=body["hostname"],
         )
 
-        create_system_credentials(
+        create_system_credentials_with_keys(
             request.user.tapis_oauth.client,
             request.user.username,
             publ_key_str,

designsafe/apps/onboarding/steps/system_access_v3.py

@@ -23,7 +23,7 @@
 
 # retry for 5 minutes to account for allocation propagation
 @retry(UnauthorizedError, tries=-1, max_time=5 * 60)
-def create_system_credentials(  # pylint: disable=too-many-arguments
+def create_system_credentials_with_keys(  # pylint: disable=too-many-arguments
     client,
     username,
     public_key,
@@ -44,19 +44,26 @@ def create_system_credentials(  # pylint: disable=too-many-arguments
         **data,
     )
 
-
-def register_public_key(
-    username, publicKey, system_id  # pylint: disable=invalid-name
+# retry for 5 minutes to account for allocation propagation
+@retry(UnauthorizedError, tries=-1, max_time=5 * 60)
+def create_system_credentials(  # pylint: disable=too-many-arguments
+    client,
+    username,
+    system_id,
+    createTmsKeys,
+    skipCredentialCheck=False,  # pylint: disable=invalid-name
+    **kwargs,
 ) -> int:
     """
-    Push a public key to the Key Service API.
+    Setup user's auth credential on a Tapis system using TMS.
     """
-    url = "https://api.tacc.utexas.edu/keys/v2/" + username
-    headers = {"Authorization": f"Bearer {settings.KEY_SERVICE_TOKEN}"}
-    data = {"key_value": publicKey, "tags": [{"name": "system", "value": system_id}]}
-    response = requests.post(url, json=data, headers=headers, timeout=60)
-    response.raise_for_status()
-    return response.status_code
+    logger.info(f"Creating user credential for {username} on Tapis system {system_id} using TMS")
+    client.systems.createUserCredential(
+        systemId=system_id,
+        userName=username,
+        createTmsKeys=createTmsKeys,
+        skipCredentialCheck=skipCredentialCheck,
+    )
 
 
 def set_user_permissions(user, system_id):
@@ -114,6 +121,14 @@ def check_system(self, system_id, path="/", **kwargs) -> None:
         """
         self.user.tapis_oauth.client.files.listFiles(systemId=system_id, path=path)
 
+    # retry for 5 minutes to account for setfacl and allocation propagation
+    @retry(UnauthorizedError, tries=10, max_time=5 * 60)
+    def get_system(self, system_id, **kwargs) -> None:
+        """
+        Check whether a user already has access to a storage system by attempting a listing.
+        """
+        return self.user.tapis_oauth.client.system.getSystem(systemId=system_id)
+
     def process(self):
         self.log(f"Processing system access for user {self.user.username}")
         for system in self.settings.get("access_systems") or []:
@@ -132,21 +147,17 @@ def process(self):
             except BaseTapyException:
                 self.log(f"Creating credentials for system: {system}")
 
-            (priv, pub) = createKeyPair()
-
             try:
-                register_public_key(self.user.username, pub, system)
-                self.log(f"Successfully registered public key for system: {system}")
-            except HTTPError as exc:
-                logger.error(exc)
-                self.fail(
-                    f"Failed to register public key with key service for system: {system}"
-                )
-
-            try:
-                create_system_credentials(
-                    self.user.tapis_oauth.client, self.user.username, pub, priv, system
-                )
+                system_definition = self.get_system(system)
+                if system_definition.get("defaultAuthnMethod") != 'TMS_KEYS':
+                    (priv, pub) = createKeyPair()
+                    create_system_credentials_with_keys(
+                        self.user.tapis_oauth.client, self.user.username, pub, priv, system
+                    )
+                else:
+                    create_system_credentials(
+                        self.user.tapis_oauth.client, self.user.username, system
+                    )
                 self.log(f"Successfully created credentials for system: {system}")
             except BaseTapyException as exc:
                 logger.error(exc)

designsafe/apps/workspace/api/views.py

@@ -27,6 +27,10 @@
 )
 from designsafe.apps.api.users.utils import get_allocations
 from designsafe.apps.workspace.api.utils import check_job_for_timeout
+from designsafe.apps.onboarding.steps.system_access_v3 import (
+    create_system_credentials,
+    create_system_credentials_with_keys,
+)
 
 
 logger = logging.getLogger(__name__)
@@ -113,18 +117,27 @@ def _get_app(app_id, app_version, user):
     return data
 
 
-def test_system_needs_keys(tapis, system_id):
+def test_system_needs_keys(tapis, username, system_id):
     """Tests a Tapis system by making a file listing call.
 
-    returns: SystemDef
-    """
+    If the system is TMS_KEYS-based, it attempts to create credentials before listing files.
 
+    Args:
+        tapis (Tapis): An instance of the Tapis client.
+        username (str)): The user to create credentials.
+        system_id (str): The ID of the Tapis system to test.
+
+    Returns:
+        SystemDef: The system definition if an error occurs.
+    """
+    system_def = tapis.systems.getSystem(systemId=system_id)
     try:
+        # Check if the system uses TMS_KEYS and create credentials if necessary
+        if system_def.get("defaultAuthnMethod") == 'TMS_KEYS':
+            create_system_credentials(tapis, username, system_id, createTmsKeys=True)
         tapis.files.listFiles(systemId=system_id, path="/")
     except (InternalServerError, UnauthorizedError):
-        system_def = tapis.systems.getSystem(systemId=system_id)
         return system_def
-    return False
 
 
 class SystemListingView(AuthenticatedApiView):
@@ -701,7 +714,7 @@ def _submit_job(self, request, body, tapis, username):
         for system_id in list(
             set([job_post["archiveSystemId"], job_post["execSystemId"]])
         ):
-            system_needs_keys = test_system_needs_keys(tapis, system_id)
+            system_needs_keys = test_system_needs_keys(tapis, username, system_id)
             if system_needs_keys:
                 logger.info(
                     f"Keys for user {username} must be manually pushed to system: {system_needs_keys.id}"