From 4893b436a6207af7e30a1f15b370782c9f4062dc Mon Sep 17 00:00:00 2001
From: GeorgeC
Date: Mon, 15 Jul 2024 14:42:08 -0400
Subject: [PATCH 1/2] Update AuthorizationService

Open access does not currently assign a connection to users. We should change this in the future, but for now we will handle the case.
---
 config/psama/psama.env | 1 +
 .../impl/authorization/AuthorizationService.java | 11 ++++++-----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/config/psama/psama.env b/config/psama/psama.env
index 9994d850e..9c519b745 100644
--- a/config/psama/psama.env
+++ b/config/psama/psama.env
@@ -6,6 +6,7 @@
 # after initial login.
 APPLICATION_CLIENT_SECRET=
 APPLICATION_CLIENT_SECRET_IS_BASE_64=false
+STACK_SPECIFIC_APPLICATION_ID=
 # Fence IDP Configuration
 FENCE_IDP_PROVIDER_IS_ENABLED=false
diff --git a/pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/authorization/AuthorizationService.java b/pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/authorization/AuthorizationService.java
index 940d622cc..11db3c1a2 100644
--- a/pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/authorization/AuthorizationService.java
+++ b/pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/authorization/AuthorizationService.java
@@ -87,7 +87,6 @@ public AuthorizationService(AccessRuleService accessRuleService, @Value("${stric
 */
 public boolean isAuthorized(Application application, Object requestBody, User user) {
 // create timer
- long startTime = System.currentTimeMillis();
 String applicationName = application.getName();
 String resourceId = "null";
 String targetService = "null";
@@ -98,7 +97,6 @@ public boolean isAuthorized(Application application, Object requestBody, User us
 return true;
 }
- long parseTimeFrame = System.currentTimeMillis();
 try {
 Map requestBodyMap = (Map) requestBody;
 Map queryMap = (Map) requestBodyMap.get("query");
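Review bot: The new `STACK_SPECIFIC_APPLICATION_ID=` line is added with no comment saying what value it expects or which component reads it, and neither commit message in this series mentions it; the neighbouring entries appear to be introduced by a comment (`# after initial login.` is the tail of one). Add a one-line comment above the key describing the expected value and where it is consumed, or state in the commit message why it belongs with the AuthorizationService change.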
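Review bot: Removing `long startTime = System.currentTimeMillis();` leaves the `// create timer` comment on the preceding context line describing code that no longer exists; drop that line as well. The remaining timer references go away in the later hunks of this file (`parseTimeFrame` in the `@@ -98` hunk and the two `logger.info` timing lines), so nothing else in the visible diff still reads them. The body of `isAuthorized` continues past this hunk.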
@@ -122,10 +120,14 @@ public boolean isAuthorized(Application application, Object requestBody, User us
 logger.debug("isAuthorized() Stack Trace: ", e1);
 return false;
 }
- logger.info("Parse timeframe {} ms", (System.currentTimeMillis() - parseTimeFrame));
 Set accessRules;
- String label = user.getConnection().getLabel();
+ String label = "";
+ if (user.getConnection() != null) {
+ // Open Access doesn't currently use a connection
+ label = user.getConnection().getLabel();
+ }
+
 if (!this.strictConnections.contains(label)) {
 Set privileges = user.getPrivilegesByApplication(application);
 if (privileges == null || privileges.isEmpty()) {
@@ -174,7 +176,6 @@ public boolean isAuthorized(Application application, Object requestBody, User us
 .map(ar -> (ar.getMergedName().isEmpty() ? ar.getName() : ar.getMergedName()))
 .collect(Collectors.joining(", ")) + "]");
- logger.info("Login time: {}ms", System.currentTimeMillis() - startTime);
 return result;
 }

From 89cc98a3e6f39e34497c4d88d03c58ee443fe897 Mon Sep 17 00:00:00 2001
From: GeorgeC
Date: Mon, 15 Jul 2024 15:18:06 -0400
Subject: [PATCH 2/2] Refactor open access role handling in UserService

The revision refactors how open access roles are handled in UserService.java. A condition was added to check if the user's roles are null before assigning a new HashSet, thus improving code robustness. Instead of setting the roles directly, the role is now added to the user's existing roles, ensuring preservation of any pre-existing roles.
---
 .../dbmi/avillach/auth/service/impl/UserService.java | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/UserService.java b/pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/UserService.java
index 9dd1b436d..db5e0d45b 100644
--- a/pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/UserService.java
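Review bot: When `user.getConnection()` is null the new code falls through with `label = ""` into the `!this.strictConnections.contains(label)` branch without recording that it did so, so any user whose connection is unexpectedly absent (not only the Open Access case the comment names) takes the non-strict path and the surrounding lines log nothing about the missing connection. An else branch such as `} else { logger.debug("isAuthorized() user has no connection; using empty label"); }` keeps that decision visible to whoever reads the access logs. The `// Open Access doesn't currently use a connection` comment also sits inside the non-null branch, where it describes the opposite case; it reads better directly above the `if`. `isAuthorized` starts and ends outside this hunk.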
+++ b/pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/UserService.java
@@ -563,13 +563,15 @@ public User createOpenAccessUser(Role openAccessRole) {
 // Save the user to get a UUID
 user = save(user);
 user.setSubject("open_access|" + user.getUuid().toString());
- if (openAccessRole != null) {
- user.setRoles(Set.of(openAccessRole));
- } else {
- logger.error("createOpenAccessUser() openAccessRole is null");
+
+ if (user.getRoles() == null) {
 user.setRoles(new HashSet<>());
 }
+ if (openAccessRole != null) {
+ user.getRoles().add(openAccessRole);
+ }
+
 user.setEmail(user.getUuid() + "@open_access.com");
 user = save(user);
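Review bot: The `logger.error("createOpenAccessUser() openAccessRole is null")` call is dropped, so a null `openAccessRole` now yields a saved open-access user with no role and no log entry, where the old code at least reported the misconfiguration. Keep the report in an else branch: `} else { logger.error("createOpenAccessUser() openAccessRole is null"); }`. The `user.getRoles().add(openAccessRole)` call also mutates whatever collection `getRoles()` returns; if any other path stores an unmodifiable set there (the removed line used `Set.of`), `add` would throw `UnsupportedOperationException` — worth confirming against the entity. `createOpenAccessUser` starts and ends outside this hunk.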