Feat: working version tying permissions to teamproject role #101

pieterlukasse · 2023-11-17T16:13:37Z

--------Please refer to PR #107 for the latest review--------

Jira Ticket: VADC-809

New Features

uses the new permissions framework introduced in Filter cohorts and concepts by permission (#2245) OHDSI/WebAPI#2301 to assign specific cohortdefinition permissions to a "team project" role when a new cohort is made by a "team project" user in Atlas

Example:

Creating a cohort (with id 8) while logged in as a team member of "team project" def, results in the following records:

"def"	"cohortdefinition:8:check:post"
"def"	"cohortdefinition:8:put"
"def"	"cohortdefinition:8:delete"
"def"	"cohortdefinition:8:version:*:get"
"def"	"cohortdefinition:8:info:get"
"def"	"cohortdefinition:8:get"
"def"	"cohortdefinition:8:version:get"

Query used for list above:

select 
    sec_role.name, sec_permission.value
  from
    webapi.sec_role 
    inner join webapi.sec_role_permission on sec_role.id = sec_role_permission.role_id
    inner join webapi.sec_permission on sec_role_permission.permission_id = sec_permission.id
 where 
   sec_role.name = 'def'

Motivation

Motivation for this PR is twofold:

This change ensures that when another user logs in with the same "team project" (def in this case), this user will get the role def assigned and thus inherit access to cohorts accessible to this role (8 in this case).
By linking the cohorts to a "team project" role instead of linking them directly to a user, it becomes possible to get the complete list of all cohorts for a given "team project" (which is useful in other scenarios / for some of the other non-atlas tooling integrating with this DB)

Merge order

Should be merged after vinci-ohdsi#5

src/main/java/org/ohdsi/webapi/security/model/EntityPermissionSchema.java

src/main/java/org/ohdsi/webapi/shiro/PermissionManager.java

…t mode

... just for testing at the moment. System roles should really be assigned to the user beforehand as part of the onboarding process...

...and allow reading current teamproject from cache in case of a request to /user/refresh endpoint

... these roles turned out to be essential for getting the error resolved (an error stating "you are not authorized to view the concept set expression")

src/main/java/org/ohdsi/webapi/shiro/filters/TeamProjectBasedAuthorizingFilter.java

pom.xml

src/main/java/org/ohdsi/webapi/security/PermissionService.java

src/main/java/org/ohdsi/webapi/shiro/PermissionManager.java

...to avoid the scenario where the user comes back in another session and still gets the same teamProject role assigned...while in reality he might have been removed from that team for example

...and therefore from the flow of endpoints like /user/refresh. Not sure why this was added there, as the /user/logout should be the place to remove a session. This solves a org.apache.shiro.subject.support.DisabledSessionException. If the worry is that logout won`t be called, then the expiry time should just be set to a short period. The adjustment in JwtAuthRealm.java was to deal with the side effect that occurred after the removal of the .stop in the UpdateAccessTokenFilter filter: java.lang.ClassCastException: io.buji.pac4j.subject.Pac4jPrincipal cannot be cast to java.lang.String

...to avoid any race conditions where two threads could end up trying to remove the same role for example.

Co-authored-by: burtonk <117617405+k-burt-uch@users.noreply.github.com>

...and extra failsafe to avoid empty string names in the request parameters

…rvice ...with the access rules only changing if this.authorizationMode.equals("teamproject"). For teamproject mode we want the users to only see items that are granted through a role and not include the ones they have created (as they might have created this while logged/in / working on another teamproject

…oject_access_control

pieterlukasse · 2024-02-15T19:51:56Z

PR #107 replaces this one.

pieterlukasse commented Nov 17, 2023

View reviewed changes

src/main/java/org/ohdsi/webapi/security/model/EntityPermissionSchema.java Show resolved Hide resolved

pieterlukasse changed the title ~~wip: working version tying permissions to teamproject role~~ Feat: working version tying permissions to teamproject role Nov 17, 2023

pieterlukasse force-pushed the feat/add_team_project_access_control branch 2 times, most recently from 7a157b6 to f15c0ce Compare November 22, 2023 13:50

pieterlukasse commented Dec 15, 2023

View reviewed changes

src/main/java/org/ohdsi/webapi/shiro/PermissionManager.java Show resolved Hide resolved

pieterlukasse force-pushed the feat/add_arborist_validation branch from 22ef1a4 to 9b906c1 Compare January 5, 2024 15:49

pieterlukasse added 9 commits January 5, 2024 16:49

wip: working version tying permissions to teamproject role

d802335

wip: add "Atlas users" role as default role when logged-in teamprojec…

5a0960e

…t mode

fix: add "Atlas users" as default system role

a9c188f

wip: add more log statements for PermissionManager

b61f536

tmp: add default roles on the fly

fe96b57

... just for testing at the moment. System roles should really be assigned to the user beforehand as part of the onboarding process...

feat: ensure /user/me endpoint also triggers the UPDATE_TOKEN filter

1a8c6a8

feat: ensure the teamproject is stored per user

534f6bc

...and allow reading current teamproject from cache in case of a request to /user/refresh endpoint

wip: moved logic to new filter class TeamProjectBasedAuthorizingFilter

1f69b44

wip: remove commented-out code

6a0ae7b

pieterlukasse force-pushed the feat/add_team_project_access_control branch from af6a085 to 6a0ae7b Compare January 5, 2024 15:50

fix: working version with roles 15 and 1000 added

584d5d8

... these roles turned out to be essential for getting the error resolved (an error stating "you are not authorized to view the concept set expression")