diff --git a/src/main/java/eu/hbp/mip/controllers/ExperimentApi.java b/src/main/java/eu/hbp/mip/controllers/ExperimentApi.java
index 3958d99d608fff64bfcf934ee22e5ef61a44e303..ce5c81f642b5841c08b0936afe8da9b54dd2486b 100644
--- a/src/main/java/eu/hbp/mip/controllers/ExperimentApi.java
+++ b/src/main/java/eu/hbp/mip/controllers/ExperimentApi.java
@@ -115,39 +115,25 @@ public class ExperimentApi {
UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Run algorithm", "Running the algorithm...");
if(authenticationIsEnabled) {
- // --- Validating proper access rights on the datasets ---
- List<String> userClaims = Arrays.asList(authentication.getAuthorities().toString().toLowerCase()
- .replaceAll("[\\s+\\]\\[]", "").split(","));
- UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "User Claims", userClaims.toString());
-
- // Don't check for dataset claims if "super" claim exists allowing everything
- if (!userClaims.contains(ClaimUtils.allDatasetsAllowedClaim())) {
- // Getting the dataset from the experiment parameters
- String experimentDatasets = null;
- for (AlgorithmExecutionParamDTO parameter : experimentExecutionDTO.getAlgorithms().get(0).getParameters()) {
- if (parameter.getName().equals("dataset")) {
- experimentDatasets = parameter.getValue();
- UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Run algorithm", "Found the dataset parameter!");
- break;
- }
- }
-
- if (experimentDatasets == null || experimentDatasets.equals("")) {
- UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Run algorithm",
- "A dataset should be specified when running an algorithm.");
- return ResponseEntity.badRequest().body("A dataset should be specified when running an algorithm.");
+ // Getting the dataset from the experiment parameters
+ String experimentDatasets = null;
+ for (ExperimentExecutionDTO.AlgorithmExecutionDTO.AlgorithmExecutionParamDTO parameter : experimentExecutionDTO.getAlgorithms().get(0).getParameters()) {
+ if (parameter.getName().equals("dataset")) {
+ experimentDatasets = parameter.getValue();
+ UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Run algorithm", "Got the dataset parameter!");
+ break;
}
+ }
- for (String dataset : experimentDatasets.split(",")) {
- String datasetRole = ClaimUtils.getDatasetClaim(dataset);
- if (!userClaims.contains(datasetRole.toLowerCase())) {
- UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Run algorithm",
- "You are not allowed to use dataset: " + dataset);
- return ResponseEntity.status(HttpStatus.FORBIDDEN).body("You are not allowed to use dataset: " + dataset);
- }
- }
+ if (experimentDatasets == null || experimentDatasets.equals("")) {
UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Run algorithm",
- "User is authorized to use the datasets: " + experimentDatasets);
+ "A dataset should be specified to run an algorithm.");
+ return ResponseEntity.badRequest().body("Please provide at least one dataset to run the algorithm.");
+ }
+
+ // --- Validating proper access rights on the datasets ---
+ if (!ClaimUtils.userHasDatasetsAuthorization(userInfo.getUser().getUsername(), authentication.getAuthorities(), experimentDatasets)){
+ return ResponseEntity.badRequest().body("You are not authorized to use these datasets.");
}
}
diff --git a/src/main/java/eu/hbp/mip/controllers/PathologiesApi.java b/src/main/java/eu/hbp/mip/controllers/PathologiesApi.java
index b7914e2215693126dfed7658b9bfa7e07796dec6..56a6b165afbf8684bf1de226fd095b1251290f4d 100644
--- a/src/main/java/eu/hbp/mip/controllers/PathologiesApi.java
+++ b/src/main/java/eu/hbp/mip/controllers/PathologiesApi.java
@@ -7,7 +7,6 @@ package eu.hbp.mip.controllers;
import com.google.gson.Gson;
import com.google.gson.reflect.TypeToken;
import eu.hbp.mip.model.PathologyDTO;
-import eu.hbp.mip.model.PathologyDTO.PathologyDatasetDTO;
import eu.hbp.mip.model.UserInfo;
import eu.hbp.mip.utils.ClaimUtils;
import eu.hbp.mip.utils.CustomResourceLoader;
@@ -26,8 +25,6 @@ import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
-import java.util.ArrayList;
-import java.util.Arrays;
import java.util.List;
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
@@ -68,47 +65,8 @@ public class PathologiesApi {
return ResponseEntity.ok().body(gson.toJson(allPathologies));
}
- // --- Providing only the allowed pathologies/datasets to the user ---
- UserActionLogging.LogUserAction(userInfo.getUser().getUsername(),
- "Load all the pathologies", "Filter out the unauthorised datasets.");
-
- List<String> userClaims = Arrays.asList(authentication.getAuthorities().toString().toLowerCase()
- .replaceAll("[\\s+\\]\\[]", "").split(","));
-
- UserActionLogging.LogUserAction(userInfo.getUser().getUsername(),
- "Load all the pathologies", "User Claims: " + userClaims);
-
- // If the "dataset_all" claim exists then return everything
- if (userClaims.contains(ClaimUtils.allDatasetsAllowedClaim())) {
- return ResponseEntity.ok().body(gson.toJson(allPathologies));
- }
-
- List<PathologyDTO> userPathologies = new ArrayList<>();
- for (PathologyDTO curPathology : allPathologies) {
- UserActionLogging.LogUserAction(userInfo.getUser().getUsername(),
- "Load all the pathologies", "Pathology: " + curPathology);
-
- List<PathologyDatasetDTO> userPathologyDatasets = new ArrayList<PathologyDatasetDTO>();
- for (PathologyDatasetDTO dataset : curPathology.getDatasets()) {
- if (userClaims.contains(ClaimUtils.getDatasetClaim(dataset.getCode()))) {
- userPathologyDatasets.add(dataset);
- }
- }
-
- if (userPathologyDatasets.size() > 0) {
- UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Load all the pathologies",
- "Added pathology '" + curPathology.getLabel() + " with datasets: '" + userPathologyDatasets + "'");
-
- PathologyDTO userPathology = new PathologyDTO();
- userPathology.setCode(curPathology.getCode());
- userPathology.setLabel(curPathology.getLabel());
- userPathology.setMetadataHierarchy(curPathology.getMetadataHierarchy());
- userPathology.setDatasets(userPathologyDatasets);
- userPathologies.add(userPathology);
- }
- }
-
- return ResponseEntity.ok().body(gson.toJson(userPathologies));
+ return ResponseEntity.ok().body(ClaimUtils.getAuthorizedPathologies(
+ userInfo.getUser().getUsername(), authentication.getAuthorities(), allPathologies));
}
// Pure Java
diff --git a/src/main/java/eu/hbp/mip/model/PathologyDTO.java b/src/main/java/eu/hbp/mip/model/PathologyDTO.java
index e447ba6053a6126c66ce20910cc78af07b6988e1..cc407e7f266420a8f35457f2b44182ac729319b8 100644
--- a/src/main/java/eu/hbp/mip/model/PathologyDTO.java
+++ b/src/main/java/eu/hbp/mip/model/PathologyDTO.java
@@ -72,6 +72,12 @@ public class PathologyDTO {
public void setLabel(String label) {
this.label = label;
}
+
+ public String toString(){ return code;}
+ }
+
+ public String toString(){
+ return code;
}
}
diff --git a/src/main/java/eu/hbp/mip/utils/ClaimUtils.java b/src/main/java/eu/hbp/mip/utils/ClaimUtils.java
index f9bd98b5886df396f233e95655f3e6240ac63b47..b53d1d900e7a7633ff316ba80cc6582e6e26abf7 100644
--- a/src/main/java/eu/hbp/mip/utils/ClaimUtils.java
+++ b/src/main/java/eu/hbp/mip/utils/ClaimUtils.java
@@ -1,11 +1,94 @@
package eu.hbp.mip.utils;
+import com.google.gson.Gson;
+import eu.hbp.mip.model.PathologyDTO;
+import org.springframework.security.core.GrantedAuthority;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+
+
public class ClaimUtils {
- public static String allDatasetsAllowedClaim(){
+
+ private static final Gson gson = new Gson();
+
+ public static String allDatasetsAllowedClaim() {
return "dataset_all";
}
- public static String getDatasetClaim(String datasetCode){
+ public static String getDatasetClaim(String datasetCode) {
return "dataset_" + datasetCode;
}
+
+ public static boolean userHasDatasetsAuthorization(String username, Collection<? extends GrantedAuthority> authorities,
+ String experimentDatasets) {
+
+ List<String> userClaims = Arrays.asList(authorities.toString().toLowerCase()
+ .replaceAll("[\\s+\\]\\[]", "").split(","));
+ UserActionLogging.LogUserAction(username, "User Claims", userClaims.toString());
+
+ // Don't check for dataset claims if "super" claim exists allowing everything
+ if (!userClaims.contains(ClaimUtils.allDatasetsAllowedClaim())) {
+
+ for (String dataset : experimentDatasets.split(",")) {
+ String datasetRole = ClaimUtils.getDatasetClaim(dataset);
+ if (!userClaims.contains(datasetRole.toLowerCase())) {
+ UserActionLogging.LogUserAction(username, "Run algorithm",
+ "You are not allowed to use dataset: " + dataset);
+ return false;
+ }
+ }
+ UserActionLogging.LogUserAction(username, "Run algorithm",
+ "User is authorized to use the datasets: " + experimentDatasets);
+ }
+ return true;
+ }
+
+ public static String getAuthorizedPathologies(String username, Collection<? extends GrantedAuthority> authorities,
+ List<PathologyDTO> allPathologies) {
+ // --- Providing only the allowed pathologies/datasets to the user ---
+ UserActionLogging.LogUserAction(username,
+ "Load all the pathologies", "Filter out the unauthorised datasets.");
+
+ List<String> userClaims = Arrays.asList(authorities.toString().toLowerCase()
+ .replaceAll("[\\s+\\]\\[]", "").split(","));
+
+ UserActionLogging.LogUserAction(username,
+ "Load all the pathologies", "User Claims: " + userClaims);
+
+ // If the "dataset_all" claim exists then return everything
+ if (userClaims.contains(ClaimUtils.allDatasetsAllowedClaim())) {
+ return gson.toJson(allPathologies);
+ }
+
+ List<PathologyDTO> userPathologies = new ArrayList<>();
+ for (PathologyDTO curPathology : allPathologies) {
+ UserActionLogging.LogUserAction(username,
+ "Load all the pathologies", "Pathology: " + curPathology.getCode());
+
+ List<PathologyDTO.PathologyDatasetDTO> userPathologyDatasets = new ArrayList<PathologyDTO.PathologyDatasetDTO>();
+ for (PathologyDTO.PathologyDatasetDTO dataset : curPathology.getDatasets()) {
+ if (userClaims.contains(ClaimUtils.getDatasetClaim(dataset.getCode()))) {
+ userPathologyDatasets.add(dataset);
+ }
+ }
+
+ if (userPathologyDatasets.size() > 0) {
+ UserActionLogging.LogUserAction(username, "Load all the pathologies",
+ "Added pathology '" + curPathology.getLabel() + " with datasets: '" + userPathologyDatasets + "'");
+
+ PathologyDTO userPathology = new PathologyDTO();
+ userPathology.setCode(curPathology.getCode());
+ userPathology.setLabel(curPathology.getLabel());
+ userPathology.setMetadataHierarchy(curPathology.getMetadataHierarchy());
+ userPathology.setDatasets(userPathologyDatasets);
+ userPathologies.add(userPathology);
+ }
+ }
+
+ return gson.toJson(userPathologies);
+ }
+
}
diff --git a/src/main/java/eu/hbp/mip/utils/UserActionLogging.java b/src/main/java/eu/hbp/mip/utils/UserActionLogging.java
index a0ec02277d0249c92577a3fad044de506ab7b039..18e27317a455cb8b87a605ef8495720a32bca889 100644
--- a/src/main/java/eu/hbp/mip/utils/UserActionLogging.java
+++ b/src/main/java/eu/hbp/mip/utils/UserActionLogging.java
@@ -11,7 +11,7 @@ public class UserActionLogging {
LOGGER.info(" User : "
+ userName
+ " called endpoint: " + actionName
- + " info: " + actionInfo);
+ + ", info: " + actionInfo);
}
// Usually, used from Threads because threads can't get userName.