Implement RAS Authentication Provider

pic-sure-auth-db/db/sql/V5__MIGRATE_TO_ACCESSRULE_JOINTABLE.sql

@@ -28,5 +28,4 @@ UPDATE access_rule ar
     JOIN accessRule_subRule ars ON ars.accessRule_id = ar.uuid
     SET ar.subAccessRuleParent_uuid = NULL; -- Remove circular dependency reference so it can be dropped
 
--- Step 4: Drop the column from the original table
-ALTER TABLE access_rule DROP COLUMN subAccessRuleParent_uuid;
+-- Step 4: Drop the column from the original table

pic-sure-auth-db/db/sql/V7__Add_Passport_User_Col.sql

@@ -0,0 +1 @@
+ALTER TABLE user ADD COLUMN passport TEXT;

pic-sure-auth-services/pom.xml

@@ -101,7 +101,7 @@
         </dependency>
         <dependency>
             <groupId>io.jsonwebtoken</groupId>
-            <artifactId>jjwt-jackson</artifactId> <!-- or jjwt-gson if Gson is preferred -->
+            <artifactId>jjwt-jackson</artifactId>
             <version>0.12.5</version>
             <scope>runtime</scope>
         </dependency>

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/Application.java

@@ -5,9 +5,11 @@
 import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
 import org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration;
 import org.springframework.data.jpa.repository.config.EnableJpaRepositories;
+import org.springframework.scheduling.annotation.EnableScheduling;
 
 @SpringBootApplication(exclude = {SecurityAutoConfiguration.class, UserDetailsServiceAutoConfiguration.class})
 @EnableJpaRepositories
+@EnableScheduling
 public class Application {
     public static void main(String[] args) {
         SpringApplication.run(Application.class);

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/config/CustomKeyGenerator.java

@@ -11,7 +11,7 @@ public class CustomKeyGenerator implements KeyGenerator {
     public Object generate(Object target, Method method, Object... params) {
         for (Object param : params) {
             if (param instanceof User user) {
-                return user.getEmail();
+                return user.getSubject();
             }
         }
 

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/config/CustomLogoutHandler.java

@@ -0,0 +1,49 @@
+package edu.harvard.hms.dbmi.avillach.auth.config;
+
+import edu.harvard.hms.dbmi.avillach.auth.service.impl.AccessRuleService;
+import edu.harvard.hms.dbmi.avillach.auth.service.impl.SessionService;
+import edu.harvard.hms.dbmi.avillach.auth.service.impl.UserService;
+import edu.harvard.hms.dbmi.avillach.auth.utils.JWTUtil;
+import io.jsonwebtoken.Claims;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.authentication.logout.LogoutHandler;
+import org.springframework.stereotype.Component;
+
+@Component
+public class CustomLogoutHandler implements LogoutHandler {
+
+    private final Logger logger = LoggerFactory.getLogger(CustomLogoutHandler.class);
+    private final SessionService sessionService;
+    private final UserService userService;
+    private final AccessRuleService accessRuleService;
+    private final JWTUtil jwtUtil;
+
+    public CustomLogoutHandler(SessionService sessionService, UserService userService, AccessRuleService accessRuleService, edu.harvard.hms.dbmi.avillach.auth.utils.JWTUtil jwtUtil) {
+        this.sessionService = sessionService;
+        this.userService = userService;
+        this.accessRuleService = accessRuleService;
+        this.jwtUtil = jwtUtil;
+    }
+
+    @Override
+    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
+        String bearer = request.getHeader("Authorization");
+        String token = bearer.substring(7);
+        Claims payload = jwtUtil.parseToken(token).getPayload();
+        String subject = payload.getSubject();
+
+        if (StringUtils.isNotBlank(subject)) {
+            logger.info("logout() Logging out User: {}", subject);
+            this.sessionService.endSession(subject);
+            this.userService.evictFromCache(subject);
+            this.accessRuleService.evictFromCache(subject);
+            this.userService.removeUserPassport(subject);
+        }
+    }
+}
+

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/config/SecurityConfig.java

@@ -1,6 +1,10 @@
 package edu.harvard.hms.dbmi.avillach.auth.config;
 
 import edu.harvard.hms.dbmi.avillach.auth.filter.JWTFilter;
+import edu.harvard.hms.dbmi.avillach.auth.service.impl.AccessRuleService;
+import edu.harvard.hms.dbmi.avillach.auth.service.impl.SessionService;
+import edu.harvard.hms.dbmi.avillach.auth.service.impl.UserService;
+import edu.harvard.hms.dbmi.avillach.auth.utils.JWTUtil;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -20,13 +24,25 @@
 public class SecurityConfig {
 
     private final JWTFilter jwtFilter;
-
+    private final SessionService sessionService;
     private final AuthenticationProvider authenticationProvider;
+    private final UserService userService;
+    private final AccessRuleService accessRuleService;
+    private final JWTUtil jwtUtil;
 
     @Autowired
-    public SecurityConfig(JWTFilter jwtFilter, AuthenticationProvider authenticationProvider) {
+    public SecurityConfig(JWTFilter jwtFilter, SessionService sessionService, AuthenticationProvider authenticationProvider, UserService userService, AccessRuleService accessRuleService, JWTUtil jwtUtil) {
         this.jwtFilter = jwtFilter;
+        this.sessionService = sessionService;
         this.authenticationProvider = authenticationProvider;
+        this.userService = userService;
+        this.accessRuleService = accessRuleService;
+        this.jwtUtil = jwtUtil;
+    }
+
+    @Bean
+    public CustomLogoutHandler customLogoutHandler() {
+        return new CustomLogoutHandler(sessionService, userService, accessRuleService, jwtUtil);
     }
 
     @Bean
@@ -47,8 +63,9 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
                 )
                 .httpBasic(AbstractHttpConfigurer::disable)
                 .formLogin(AbstractHttpConfigurer::disable)
-                .logout(AbstractHttpConfigurer::disable)
-                .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
+                .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class)
+                .logout((logout) -> logout.logoutUrl("/logout").addLogoutHandler(customLogoutHandler()));
+
 
         return http.build();
     }

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/entity/AccessRule.java

@@ -130,7 +130,7 @@ public static Map<String, Integer> getTypeNameMap(){
      * which means if only part of the gate set is passed, the gate still
      * not passed
      */
-    @ManyToMany(fetch = FetchType.LAZY)
+    @ManyToMany(fetch = FetchType.EAGER)
     @JoinTable(name = "accessRule_gate",
             joinColumns = {@JoinColumn(name = "accessRule_id", nullable = false)},
             inverseJoinColumns = {@JoinColumn(name = "gate_id", nullable = false)})
@@ -162,7 +162,7 @@ public static Map<String, Integer> getTypeNameMap(){
     /**
      * introduce sub-accessRule to enable the ability of more complex problem, essentially it is an AND relationship.
      */
-    @ManyToMany(fetch = FetchType.LAZY)
+    @ManyToMany(fetch = FetchType.EAGER)
     @JoinTable(name = "accessRule_subRule",
             joinColumns = {@JoinColumn(name = "accessRule_id", nullable = false)},
             inverseJoinColumns = {@JoinColumn(name = "subRule_id", nullable = false)})

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/entity/Privilege.java

@@ -20,7 +20,7 @@ public class Privilege extends BaseEntity {
 
     private String description;
 
-    @ManyToOne(fetch = FetchType.LAZY)
+    @ManyToOne(fetch = FetchType.EAGER)
     @JoinColumn(name = "application_id")
     private Application application;
 

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/entity/User.java

@@ -75,6 +75,9 @@ public User(User user) {
 	@Column(name = "long_term_token")
 	private String token;
 
+	@Column(name = "passport")
+	private String passport;
+
 	public User() {
 
 	}
@@ -280,6 +283,14 @@ public void setToken(String token) {
 		this.token = token;
 	}
 
+	public String getPassport() {
+		return passport;
+	}
+
+	public void setPassport(String passport) {
+		this.passport = passport;
+	}
+
 	/**
 	 * <p>Inner class defining limited user attributes returned from the User endpoint.</p>
 	 */

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/enums/PassportValidationResponse.java

@@ -0,0 +1,45 @@
+package edu.harvard.hms.dbmi.avillach.auth.enums;
+
+public enum PassportValidationResponse {
+    // The Visa’s signature is valid, the Visa has not expired, a valid txn claim is present
+    VALID("Valid"),
+    // The encoded Visa’s signature failed validation, is missing or incorrect
+    INVALID("Invalid"),
+    // The Passport payload or Visa parameter is missing
+    MISSING("Missing"),
+    // The format of the Passport or Visa is incorrect
+    INVALID_PASSPORT("Invalid Passport"),
+    // The Visa has expired (as indicated by the “exp” claim)
+    VISA_EXPIRED("Visa Expired"),
+    // The Transaction claim (txn) has an error or is missing
+    TXN_ERROR("Txn Error"),
+    // The Expiration claim (exp) has an error or is missing
+    EXPIRATION_ERROR("Expiration Error"),
+    // A DB related validation error occurred
+    VALIDATION_ERROR("Validation Error"),
+    // The Visa was expired because the required polling time was exceeded
+    EXPIRED_POLLING("Expired Polling"),
+    // There is a change in the dbGaP permissions associated with the user
+    PERMISSION_UPDATE("Permission Update");
+
+    private final String value;
+
+    PassportValidationResponse(String value) {
+        this.value = value;
+    }
+
+    // FromValue
+    public static PassportValidationResponse fromValue(String value) {
+        for (PassportValidationResponse response : PassportValidationResponse.values()) {
+            if (response.getValue().equals(value)) {
+                return response;
+            }
+        }
+        return null;
+    }
+
+    public String getValue() {
+        return value;
+    }
+
+}

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/model/InvalidRefreshToken.java

@@ -0,0 +1,4 @@
+package edu.harvard.hms.dbmi.avillach.auth.model;
+
+public record InvalidRefreshToken(String error) implements RefreshToken {
+}

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/model/RefreshToken.java

@@ -0,0 +1,5 @@
+package edu.harvard.hms.dbmi.avillach.auth.model;
+
+public sealed interface RefreshToken permits ValidRefreshToken, InvalidRefreshToken {
+}
+

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/model/ValidRefreshToken.java

@@ -0,0 +1,4 @@
+package edu.harvard.hms.dbmi.avillach.auth.model;
+
+public record ValidRefreshToken(String token, String expirationDate) implements RefreshToken {
+}

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/model/ras/Ga4ghPassportV1.java

@@ -0,0 +1,109 @@
+package edu.harvard.hms.dbmi.avillach.auth.model.ras;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.List;
+
+public class Ga4ghPassportV1 {
+
+    private String iss;
+    private String sub;
+    private long iat;
+    private long exp;
+    private String scope;
+    private String jti;
+    private String txn;
+
+    @JsonProperty("ga4gh_visa_v1")
+    private Ga4ghVisaV1 ga4ghVisaV1;
+
+    @JsonProperty("ras_dbgap_permissions")
+    private List<RasDbgapPermission> rasDbgagPermissions;
+
+    public String getIss() {
+        return iss;
+    }
+
+    public void setIss(String iss) {
+        this.iss = iss;
+    }
+
+    public String getSub() {
+        return sub;
+    }
+
+    public void setSub(String sub) {
+        this.sub = sub;
+    }
+
+    public long getIat() {
+        return iat;
+    }
+
+    public void setIat(long iat) {
+        this.iat = iat;
+    }
+
+    public long getExp() {
+        return exp;
+    }
+
+    public void setExp(long exp) {
+        this.exp = exp;
+    }
+
+    public String getScope() {
+        return scope;
+    }
+
+    public void setScope(String scope) {
+        this.scope = scope;
+    }
+
+    public String getJti() {
+        return jti;
+    }
+
+    public void setJti(String jti) {
+        this.jti = jti;
+    }
+
+    public String getTxn() {
+        return txn;
+    }
+
+    public void setTxn(String txn) {
+        this.txn = txn;
+    }
+
+    public Ga4ghVisaV1 getGa4ghVisaV1() {
+        return ga4ghVisaV1;
+    }
+
+    public void setGa4ghVisaV1(Ga4ghVisaV1 ga4ghVisaV1) {
+        this.ga4ghVisaV1 = ga4ghVisaV1;
+    }
+
+    public List<RasDbgapPermission> getRasDbgagPermissions() {
+        return rasDbgagPermissions;
+    }
+
+    public void setRasDbgagPermissions(List<RasDbgapPermission> rasDbgagPermissions) {
+        this.rasDbgagPermissions = rasDbgagPermissions;
+    }
+
+    @Override
+    public String toString() {
+        return "Ga4ghPassportV1{" +
+                "iss='" + iss + '\'' +
+                ", sub='" + sub + '\'' +
+                ", iat=" + iat +
+                ", exp=" + exp +
+                ", scope='" + scope + '\'' +
+                ", jti='" + jti + '\'' +
+                ", txn='" + txn + '\'' +
+                ", ga4ghVisaV1=" + ga4ghVisaV1 +
+                ", rasDbgagPermissions=" + rasDbgagPermissions +
+                '}';
+    }
+}