Remove OpenAuthenticationService and added open access handling

Deleted OpenAuthenticationService and its test class. Updated AuthorizationService to handle open access requests and refactored UserService for open access query template merging. Adjusted SecurityConfig to permit new endpoints and altered logout behavior. Updated dependencies to include Spring Boot DevTools for development profile.

Author: Gcolon021

pic-sure-auth-services/pom.xml

@@ -198,8 +198,19 @@
             <artifactId>jackson-annotations</artifactId>
             <version>2.17.0</version>
         </dependency>
-
     </dependencies>
+    <profiles>
+        <profile>
+            <id>dev</id>
+            <dependencies>
+                <dependency>
+                    <groupId>org.springframework.boot</groupId>
+                    <artifactId>spring-boot-devtools</artifactId>
+                    <optional>true</optional>
+                </dependency>
+            </dependencies>
+        </profile>
+    </profiles>
     <build>
         <finalName>${project.artifactId}</finalName>
         <plugins>

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/config/SecurityConfig.java

@@ -57,15 +57,21 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
                                     "/authentication",
                                     "/authentication/**",
                                     "/swagger.yaml",
-                                    "/swagger.json"
+                                    "/swagger.json",
+                                    "/user/me/queryTemplate",
+                                    "/user/me/queryTemplate/**",
+                                    "/open/validate"
                             ).permitAll()
                             .anyRequest().authenticated()
                 )
                 .httpBasic(AbstractHttpConfigurer::disable)
                 .formLogin(AbstractHttpConfigurer::disable)
                 .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class)
-                .logout((logout) -> logout.logoutUrl("/logout").addLogoutHandler(customLogoutHandler()));
-
+                .logout((logout) -> logout.logoutUrl("/logout").addLogoutHandler(customLogoutHandler()).logoutSuccessHandler((request, response, authentication) -> {
+                    // We don't want to redirect to a login page, we just want to return a 200
+                    // We leave it to the client to handle the redirect
+                    response.setStatus(200);
+                }));
 
         return http.build();
     }

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/entity/AccessRule.java

@@ -1,16 +1,11 @@
 package edu.harvard.hms.dbmi.avillach.auth.entity;
 
-import com.fasterxml.jackson.annotation.JsonIgnore;
-import com.fasterxml.jackson.annotation.JsonProperty;
-
 import jakarta.persistence.Column;
 import jakarta.persistence.Entity;
 import jakarta.persistence.FetchType;
 import jakarta.persistence.JoinColumn;
 import jakarta.persistence.JoinTable;
 import jakarta.persistence.ManyToMany;
-import jakarta.persistence.ManyToOne;
-import jakarta.persistence.OneToMany;
 import jakarta.persistence.Transient;
 
 import java.lang.reflect.Field;

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/filter/JWTFilter.java

@@ -114,7 +114,7 @@ protected void doFilterInternal(HttpServletRequest request, @NonNull HttpServlet
 
                 // Check if user is attempting to access the correct introspect endpoint. If not reject the request
                 // log an error indicating the user's token may be being used by a malicious actor.
-                if (!request.getRequestURI().endsWith("token/inspect")) {
+                if (!request.getRequestURI().endsWith("token/inspect") && !request.getRequestURI().endsWith("open/validate")) {
                     logger.error("{} attempted to perform request {} token may be compromised.", userId, request.getRequestURI());
                     response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User is deactivated");
                 }

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/model/EvaluateAccessRuleResult.java

@@ -0,0 +1,8 @@
+package edu.harvard.hms.dbmi.avillach.auth.model;
+
+import edu.harvard.hms.dbmi.avillach.auth.entity.AccessRule;
+
+import java.util.Set;
+
+public record EvaluateAccessRuleResult(boolean result, Set<AccessRule> failedRules, String passRuleName) {
+}

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/rest/OpenAccessController.java

@@ -0,0 +1,32 @@
+package edu.harvard.hms.dbmi.avillach.auth.rest;
+
+import edu.harvard.hms.dbmi.avillach.auth.service.impl.authorization.AuthorizationService;
+import io.swagger.v3.oas.annotations.Parameter;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.ResponseEntity;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+import java.util.Map;
+
+@Controller
+@RequestMapping(value = "/open")
+public class OpenAccessController {
+
+    private final AuthorizationService authorizationService;
+
+    @Autowired
+    public OpenAccessController(AuthorizationService authorizationService) {
+        this.authorizationService = authorizationService;
+    }
+
+    @RequestMapping(value = "/validate", produces = "application/json")
+    public ResponseEntity<?> validate(@Parameter(required = true, description = "A JSON object that at least" +
+            " include a user the token for validation")
+                         @RequestBody Map<String, Object> inputMap) {
+        boolean isValid = authorizationService.openAccessRequestIsValid(inputMap);
+        return ResponseEntity.ok(isValid);
+    }
+
+}

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/RoleService.java

@@ -201,7 +201,7 @@ public Role createRole(String roleName, String roleDescription) {
         Role role = findByName(roleName);
         if (role != null) {
             // Role already exists
-            logger.info("upsertRole() role already exists");
+            logger.debug("upsertRole() role already exists");
         } else {
             logger.info("createRole() New PSAMA role name:{}", roleName);
             // This is a new Role

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/UserService.java

@@ -56,15 +56,14 @@ public class UserService {
     private final long tokenExpirationTime;
     private static final long defaultTokenExpirationTime = 1000L * 60 * 60; // 1 hour
     private final SessionService sessionService;
+    private final boolean openAccessIsEnabled;
 
     public long longTermTokenExpirationTime;
 
     private final String applicationUUID;
     private final ObjectMapper objectMapper = new ObjectMapper();
     private final JWTUtil jwtUtil;
 
-    private final Set<String> openAccessIdpValues = Set.of("fence", "ras");
-
     @Autowired
     public UserService(BasicMailService basicMailService, TOSService tosService,
                        UserRepository userRepository,
@@ -74,7 +73,8 @@ public UserService(BasicMailService basicMailService, TOSService tosService,
                        @Value("${application.token.expiration.time}") long tokenExpirationTime,
                        @Value("${application.default.uuid}") String applicationUUID,
                        @Value("${application.long.term.token.expiration.time}") long longTermTokenExpirationTime,
-                       JWTUtil jwtUtil, SessionService sessionService) {
+                       JWTUtil jwtUtil, SessionService sessionService,
+                       @Value("${open.idp.provider.is.enabled}") boolean openIdpProviderIsEnabled) {
         this.basicMailService = basicMailService;
         this.tosService = tosService;
         this.userRepository = userRepository;
@@ -89,6 +89,7 @@ public UserService(BasicMailService basicMailService, TOSService tosService,
         long defaultLongTermTokenExpirationTime = 1000L * 60 * 60 * 24 * 30;
         this.longTermTokenExpirationTime = longTermTokenExpirationTime > 0 ? longTermTokenExpirationTime : defaultLongTermTokenExpirationTime;
         this.sessionService = sessionService;
+        this.openAccessIsEnabled = openIdpProviderIsEnabled;
     }
 
     public HashMap<String, String> getUserProfileResponse(Map<String, Object> claims) {
@@ -387,19 +388,48 @@ public Optional<String> getQueryTemplate(String applicationId) {
 
         SecurityContext securityContext = SecurityContextHolder.getContext();
         Optional<CustomUserDetails> customUserDetails = Optional.ofNullable((CustomUserDetails) securityContext.getAuthentication().getPrincipal());
-        if (customUserDetails.isEmpty() || customUserDetails.get().getUser() == null) {
-            logger.error("Security context didn't have a user stored.");
-            return Optional.empty();
+        if ((customUserDetails.isEmpty() || customUserDetails.get().getUser() == null) && openAccessIsEnabled) {
+            Optional<Application> application = this.applicationRepository.findById(UUID.fromString(applicationId));
+            if (application.isEmpty()) {
+                logger.error("getQueryTemplate() cannot find corresponding application by UUID: {}", UUID.fromString(applicationId));
+                throw new IllegalArgumentException("Cannot find application by input UUID: " + UUID.fromString(applicationId));
+            }
+
+            return Optional.ofNullable(openMergeTemplate(application.orElse(null)));
+        } else {
+            if (customUserDetails.isEmpty() || customUserDetails.get().getUser() == null) {
+                logger.error("Security context didn't have a user stored.");
+                return Optional.empty();
+            }
+
+            User user = customUserDetails.get().getUser();
+            Optional<Application> application = this.applicationRepository.findById(UUID.fromString(applicationId));
+            if (application.isEmpty()) {
+                logger.error("getQueryTemplate() cannot find corresponding application by UUID: {}", UUID.fromString(applicationId));
+                throw new IllegalArgumentException("Cannot find application by input UUID: " + UUID.fromString(applicationId));
+            }
+
+            return Optional.ofNullable(mergeTemplate(user, application.orElse(null)));
         }
+    }
 
-        User user = customUserDetails.get().getUser();
-        Optional<Application> application = this.applicationRepository.findById(UUID.fromString(applicationId));
-        if (application.isEmpty()) {
-            logger.error("getQueryTemplate() cannot find corresponding application by UUID: {}", UUID.fromString(applicationId));
-            throw new IllegalArgumentException("Cannot find application by input UUID: " + UUID.fromString(applicationId));
+    private String openMergeTemplate(Application application) {
+        Set<Privilege> applicationPrivileges = application.getPrivileges();
+        Role openAccessRole = roleService.findByName(MANAGED_OPEN_ACCESS_ROLE_NAME);
+        // get all of the privileges for the open access role
+        Set<Privilege> privileges = openAccessRole.getPrivileges();
+        privileges.addAll(applicationPrivileges);
+        // get the query template for each privilege
+        Map mergedTemplateMap = getMergedQueryTemplateMap(privileges);
+        String resultJSON;
+        try {
+            resultJSON = objectMapper.writeValueAsString(mergedTemplateMap);
+        } catch (JsonProcessingException ex) {
+            logger.error("mergeTemplate() cannot convert map to json string. The map mergedTemplate is: {}", mergedTemplateMap);
+            throw new IllegalArgumentException("Inner application error, please contact admin.");
         }
 
-        return Optional.ofNullable(mergeTemplate(user, application.orElse(null)));
+        return resultJSON;
     }
 
     public Map<String, String> getDefaultQueryTemplate() {
@@ -416,8 +446,22 @@ public Map<String, String> getDefaultQueryTemplate() {
     @Cacheable(value = "mergedTemplateCache", keyGenerator = "customKeyGenerator")
     public String mergeTemplate(User user, Application application) {
         String resultJSON;
+        Set<Privilege> privilegesByApplication = user.getPrivilegesByApplication(application);
+        Map mergedTemplateMap = getMergedQueryTemplateMap(privilegesByApplication);
+
+        try {
+            resultJSON = objectMapper.writeValueAsString(mergedTemplateMap);
+        } catch (JsonProcessingException ex) {
+            logger.error("mergeTemplate() cannot convert map to json string. The map mergedTemplate is: {}", mergedTemplateMap);
+            throw new IllegalArgumentException("Inner application error, please contact admin.");
+        }
+
+        return resultJSON;
+    }
+
+    private Map getMergedQueryTemplateMap(Set<Privilege> privilegesByApplication) {
         Map mergedTemplateMap = null;
-        for (Privilege privilege : user.getPrivilegesByApplication(application)) {
+        for (Privilege privilege : privilegesByApplication) {
             String template = privilege.getQueryTemplate();
             logger.debug("mergeTemplate() processing template:{}", template);
             if (template == null || template.trim().isEmpty()) {
@@ -442,15 +486,7 @@ public String mergeTemplate(User user, Application application) {
 
             mergedTemplateMap = JsonUtils.mergeTemplateMap(mergedTemplateMap, templateMap);
         }
-
-        try {
-            resultJSON = objectMapper.writeValueAsString(mergedTemplateMap);
-        } catch (JsonProcessingException ex) {
-            logger.error("mergeTemplate() cannot convert map to json string. The map mergedTemplate is: {}", mergedTemplateMap);
-            throw new IllegalArgumentException("Inner application error, please contact admin.");
-        }
-
-        return resultJSON;
+        return mergedTemplateMap;
     }
 
     @CacheEvict(value = "mergedTemplateCache")

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/authentication/FENCEAuthenticationService.java

@@ -35,7 +35,6 @@ public class FENCEAuthenticationService implements AuthenticationService {
     private final Logger logger = LoggerFactory.getLogger(FENCEAuthenticationService.class);
 
     private final UserService userService;
-    private final RoleService roleService;
     private final ConnectionWebService connectionService; // We will need to investigate if the ConnectionWebService will need to be versioned as well.
     private final AccessRuleService accessRuleService;
     private final FenceMappingUtility fenceMappingUtility;
@@ -52,7 +51,6 @@ public class FENCEAuthenticationService implements AuthenticationService {
 
     @Autowired
     public FENCEAuthenticationService(UserService userService,
-                                      RoleService roleService,
                                       ConnectionWebService connectionService,
                                       RestClientUtil restClientUtil,
                                       @Value("${fence.idp.provider.is.enabled}") boolean isFenceEnabled,
@@ -62,7 +60,6 @@ public FENCEAuthenticationService(UserService userService,
                                       AccessRuleService accessRuleService,
                                       FenceMappingUtility fenceMappingUtility) {
         this.userService = userService;
-        this.roleService = roleService;
         this.connectionService = connectionService;
         this.idp_provider_uri = idpProviderUri;
         this.fence_client_id = fenceClientId;
@@ -82,7 +79,7 @@ public void initializeFenceService() {
 
     @Override
     public HashMap<String, String> authenticate(Map<String, String> authRequest, String host) {
-        String callBackUrl = "https://" + host + "/psamaui/login/";
+        String callBackUrl = "https://" + host + "/login/loading/";
 
         logger.debug("getFENCEProfile() starting...");
         String fence_code = authRequest.get("code");

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/authentication/OktaAuthenticationService.java

@@ -36,7 +36,7 @@ public OktaAuthenticationService(String idpProviderUri, String clientId, String
      * @return The response from the token endpoint as a JsonNode
      */
     protected JsonNode handleCodeTokenExchange(String host, String code) {
-        String redirectUri = "https://" + host + "/psamaui/login";
+        String redirectUri = "https://" + host + "/login/loading";
         String queryString = "grant_type=authorization_code" + "&code=" + code + "&redirect_uri=" + redirectUri;
         String oktaTokenUrl = "https://" + this.idp_provider_uri + "/oauth2/default/v1/token";