Filter expired permissions from RAS Ga4gh Passports

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/RASPassPortService.java

@@ -8,7 +8,6 @@
 import edu.harvard.hms.dbmi.avillach.auth.model.ras.RasDbgapPermission;
 import edu.harvard.hms.dbmi.avillach.auth.utils.JWTUtil;
 import edu.harvard.hms.dbmi.avillach.auth.utils.RestClientUtil;
-import jakarta.annotation.PostConstruct;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -21,10 +20,9 @@
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
 
-import java.util.HashSet;
-import java.util.List;
-import java.util.Optional;
-import java.util.Set;
+import java.time.Instant;
+import java.util.*;
+import java.util.stream.Collectors;
 
 @Service
 public class RASPassPortService {
@@ -161,20 +159,18 @@ public Optional<String> validateVisa(String visa) {
         return Optional.ofNullable(responseVal);
     }
 
-    public Set<RasDbgapPermission> ga4gpPassportToRasDbgapPermissions(List<String> ga4ghPassports) {
+    public Set<RasDbgapPermission> ga4gpPassportToRasDbgapPermissions(Set<Optional<Ga4ghPassportV1>> ga4ghPassports) {
         if (ga4ghPassports == null) {
             return null;
         }
 
         logger.debug("Converting ga4ghPassports to RasDbgapPermissions");
         HashSet<RasDbgapPermission> rasDbgapPermissions = new HashSet<>();
+        long date = Instant.now().toEpochMilli() / 1000;
         ga4ghPassports.forEach(ga4ghPassport -> {
-            Optional<Ga4ghPassportV1> parsedGa4ghPassportV1 = JWTUtil.parseGa4ghPassportV1(ga4ghPassport);
-            if (parsedGa4ghPassportV1.isPresent()) {
-                Ga4ghPassportV1 ga4ghPassportV1 = parsedGa4ghPassportV1.get();
-                logger.info("ga4gh_passport_v1: {}", ga4ghPassportV1);
-
-                rasDbgapPermissions.addAll(ga4ghPassportV1.getRasDbgagPermissions());
+            if (ga4ghPassport.isPresent()) {
+                Ga4ghPassportV1 ga4ghPassportV1 = ga4ghPassport.get();
+                rasDbgapPermissions.addAll(ga4ghPassportV1.getRasDbgagPermissions().stream().filter(rasDbgapPermission -> date <= rasDbgapPermission.getExpiration()).collect(Collectors.toSet()));
             }
         });
 

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/authentication/RASAuthenticationService.java

@@ -5,10 +5,12 @@
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import edu.harvard.hms.dbmi.avillach.auth.entity.Connection;
 import edu.harvard.hms.dbmi.avillach.auth.entity.User;
+import edu.harvard.hms.dbmi.avillach.auth.model.ras.Ga4ghPassportV1;
 import edu.harvard.hms.dbmi.avillach.auth.model.ras.Passport;
 import edu.harvard.hms.dbmi.avillach.auth.model.ras.RasDbgapPermission;
 import edu.harvard.hms.dbmi.avillach.auth.service.AuthenticationService;
 import edu.harvard.hms.dbmi.avillach.auth.service.impl.*;
+import edu.harvard.hms.dbmi.avillach.auth.utils.JWTUtil;
 import edu.harvard.hms.dbmi.avillach.auth.utils.RestClientUtil;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
@@ -142,7 +144,8 @@ private Optional<Passport> extractAndVerifyPassport(Map<String, String> authRequ
 
     protected User updateRasUserRoles(String code, User user, Passport rasPassport) {
         logger.info("RAS PASSPORT FOUND ___ USER: {} ___ PASSPORT: {} ___ CODE {}", user.getSubject(), rasPassport, code);
-        Set<RasDbgapPermission> dbgapPermissions = this.rasPassPortService.ga4gpPassportToRasDbgapPermissions(rasPassport.getGa4ghPassportV1());
+        Set<Optional<Ga4ghPassportV1>> ga4ghPassports = rasPassport.getGa4ghPassportV1().stream().map(JWTUtil::parseGa4ghPassportV1).filter(Optional::isPresent).collect(Collectors.toSet());
+        Set<RasDbgapPermission> dbgapPermissions = this.rasPassPortService.ga4gpPassportToRasDbgapPermissions(ga4ghPassports);
         Set<String> dbgapRoleNames = this.roleService.getRoleNamesForDbgapPermissions(dbgapPermissions);
         user = userService.updateUserRoles(user, dbgapRoleNames);
         logger.debug("USER {} ROLES UPDATED {} ___ CODE {}",

pic-sure-auth-services/src/test/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/RASPassPortServiceTest.java

@@ -1,6 +1,7 @@
 package edu.harvard.hms.dbmi.avillach.auth.service.impl;
 
 import edu.harvard.hms.dbmi.avillach.auth.enums.PassportValidationResponse;
+import edu.harvard.hms.dbmi.avillach.auth.model.ras.Ga4ghPassportV1;
 import edu.harvard.hms.dbmi.avillach.auth.model.ras.Passport;
 import edu.harvard.hms.dbmi.avillach.auth.model.ras.RasDbgapPermission;
 import edu.harvard.hms.dbmi.avillach.auth.utils.JWTUtil;
@@ -13,13 +14,12 @@
 import org.springframework.http.ResponseEntity;
 import org.springframework.test.context.ContextConfiguration;
 
-import java.util.Optional;
-import java.util.Set;
+import java.time.Instant;
+import java.util.*;
+import java.util.concurrent.atomic.AtomicInteger;
+import java.util.stream.Collectors;
 
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.junit.jupiter.api.Assertions.assertNull;
-import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.*;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.when;
 
@@ -57,22 +57,93 @@ public void testGa4ghPassPortStudies_IsNull() {
     }
 
     @Test
-    public void testGa4gpPassportStudies_IsNotNull() {
+    public void testGa4gpPassportStudies_IsNotNull_And_ExpiredPermissionsExcluded() {
         Optional<Passport> passport = JWTUtil.parsePassportJWTV11(exampleRasPassport);
-        Set<RasDbgapPermission> permissions = rasPassPortService.ga4gpPassportToRasDbgapPermissions(passport.get().getGa4ghPassportV1());
+        Set<Optional<Ga4ghPassportV1>> ga4ghPassports = passport.get().getGa4ghPassportV1().stream().map(JWTUtil::parseGa4ghPassportV1).filter(Optional::isPresent).collect(Collectors.toSet());
+        Set<RasDbgapPermission> permissions = rasPassPortService.ga4gpPassportToRasDbgapPermissions(ga4ghPassports);
         assertNotNull(permissions);
+        assertTrue(permissions.isEmpty());
     }
 
     @Test
     public void testGa4gpPassportStudies_HasCorrectStudies() {
         Optional<Passport> passport = JWTUtil.parsePassportJWTV11(exampleRasPassport);
-        Set<RasDbgapPermission> permissions = rasPassPortService.ga4gpPassportToRasDbgapPermissions(passport.get().getGa4ghPassportV1());
+        long futureDate = (Instant.now().toEpochMilli() / 1000) + 100000;
+
+        // Update the expiry date of each permission in our test passport. All permissions in the example passport
+        // expired in 2022.
+        Set<Optional<Ga4ghPassportV1>> ga4ghPassports = passport.get().getGa4ghPassportV1().stream()
+                .map(JWTUtil::parseGa4ghPassportV1)
+                .filter(Optional::isPresent)
+                .map(optionalPassport -> {
+                    Ga4ghPassportV1 ga4ghPassportV1 = optionalPassport.get();
+                    List<RasDbgapPermission> rasDbgagPermissions = ga4ghPassportV1.getRasDbgagPermissions();
+                    List<RasDbgapPermission> newExpires = rasDbgagPermissions.stream().peek(rasDbgapPermission -> rasDbgapPermission.setExpiration(futureDate)).toList();
+                    ga4ghPassportV1.setRasDbgagPermissions(newExpires);
+                    return Optional.of(ga4ghPassportV1);
+                })
+                .collect(Collectors.toSet());
+
+        Set<RasDbgapPermission> permissions = rasPassPortService.ga4gpPassportToRasDbgapPermissions(ga4ghPassports);
 
         assertEquals(2, permissions.size());
         assertTrue(permissions.stream().anyMatch(p -> p.getPhsId().equals("phs000300")));
         assertTrue(permissions.stream().anyMatch(p -> p.getPhsId().equals("phs000006")));
     }
 
+    @Test
+    public void testGa4gpPassportStudies_HalfAreExpired() {
+        Optional<Passport> passport = JWTUtil.parsePassportJWTV11(exampleRasPassport);
+        long futureDate = (Instant.now().toEpochMilli() / 1000) + 100000;
+        long pastDate = (Instant.now().toEpochMilli() / 1000) - 100000;
+
+        List<String> expiredPHS = new ArrayList<>();
+        List<String> validPHS = new ArrayList<>();
+        // Update the expiry date of each permission in our test passport.
+        // We alternate: even-indexed permissions become valid, odd-indexed ones remain (or become) invalid.
+        Set<Optional<Ga4ghPassportV1>> ga4ghPassports = passport.get().getGa4ghPassportV1().stream()
+                .map(JWTUtil::parseGa4ghPassportV1)
+                .filter(Optional::isPresent)
+                .map(optionalPassport -> {
+                    Ga4ghPassportV1 ga4ghPassportV1 = optionalPassport.get();
+                    List<RasDbgapPermission> rasDbgagPermissions = ga4ghPassportV1.getRasDbgagPermissions();
+
+                    AtomicInteger index = new AtomicInteger();
+                    List<RasDbgapPermission> updatedPermissions = rasDbgagPermissions.stream()
+                            .peek(permission -> {
+                                if (index.getAndIncrement() % 2 == 0) {
+                                    // For even indices, use a valid future expiration.
+                                    permission.setExpiration(futureDate);
+                                    validPHS.add(permission.getPhsId());
+                                } else {
+                                    // For odd indices, use an expired (invalid) timestamp.
+                                    permission.setExpiration(pastDate);
+                                    expiredPHS.add(permission.getPhsId());
+                                }
+                            })
+                            .collect(Collectors.toList());
+
+                    ga4ghPassportV1.setRasDbgagPermissions(updatedPermissions);
+                    return Optional.of(ga4ghPassportV1);
+                })
+                .collect(Collectors.toSet());
+
+        // Convert the GA4GH passports to RAS DbGaP permissions. The underlying conversion
+        // should filter out the ones with invalid expiration dates.
+        Set<RasDbgapPermission> permissions = rasPassPortService.ga4gpPassportToRasDbgapPermissions(ga4ghPassports);
+
+        // We expect only the valid (future-dated) permissions to be returned.
+        assertEquals(validPHS.size(), permissions.size());
+
+        // verify only expected values are in permissions set
+        List<String> finalPHS = permissions.stream().map(RasDbgapPermission::getPhsId).toList();
+        assertEquals(finalPHS, validPHS, "The valid phs ids do not match the expected values.");
+
+        // verify no expired permissions are in the passport.
+        expiredPHS.forEach(phs -> assertFalse(finalPHS.contains(phs), "Expired phs id " + phs + " should not appear in the valid permissions."));
+    }
+
+
     @Test
     public void testValidateVisa_Valid() {
         when(restClientUtil.retrievePostResponse(any(String.class), any()))