Refactored experiment-pathologies API.

src/main/java/eu/hbp/mip/controllers/ExperimentApi.java

@@ -115,39 +115,25 @@ public class ExperimentApi {
         UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Run algorithm", "Running the algorithm...");
 
         if(authenticationIsEnabled) {
-            // --- Validating proper access rights on the datasets  ---
-            List<String> userClaims = Arrays.asList(authentication.getAuthorities().toString().toLowerCase()
-                    .replaceAll("[\\s+\\]\\[]", "").split(","));
-            UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "User Claims", userClaims.toString());
-
-            // Don't check for dataset claims if "super" claim exists allowing everything
-            if (!userClaims.contains(ClaimUtils.allDatasetsAllowedClaim())) {
-                // Getting the dataset from the experiment parameters
-                String experimentDatasets = null;
-                for (AlgorithmExecutionParamDTO parameter : experimentExecutionDTO.getAlgorithms().get(0).getParameters()) {
-                    if (parameter.getName().equals("dataset")) {
-                        experimentDatasets = parameter.getValue();
-                        UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Run algorithm", "Found the dataset parameter!");
-                        break;
-                    }
-                }
-
-                if (experimentDatasets == null || experimentDatasets.equals("")) {
-                    UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Run algorithm",
-                            "A dataset should be specified when running an algorithm.");
-                    return ResponseEntity.badRequest().body("A dataset should be specified when running an algorithm.");
+            // Getting the dataset from the experiment parameters
+            String experimentDatasets = null;
+            for (ExperimentExecutionDTO.AlgorithmExecutionDTO.AlgorithmExecutionParamDTO parameter : experimentExecutionDTO.getAlgorithms().get(0).getParameters()) {
+                if (parameter.getName().equals("dataset")) {
+                    experimentDatasets = parameter.getValue();
+                    UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Run algorithm", "Got the dataset parameter!");
+                    break;
                 }
+            }
 
-                for (String dataset : experimentDatasets.split(",")) {
-                    String datasetRole = ClaimUtils.getDatasetClaim(dataset);
-                    if (!userClaims.contains(datasetRole.toLowerCase())) {
-                        UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Run algorithm",
-                                "You are not allowed to use dataset: " + dataset);
-                        return ResponseEntity.status(HttpStatus.FORBIDDEN).body("You are not allowed to use dataset: " + dataset);
-                    }
-                }
+            if (experimentDatasets == null || experimentDatasets.equals("")) {
                 UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Run algorithm",
-                        "User is authorized to use the datasets: " + experimentDatasets);
+                        "A dataset should be specified to run an algorithm.");
+                return ResponseEntity.badRequest().body("Please provide at least one dataset to run the algorithm.");
+            }
+
+            // --- Validating proper access rights on the datasets  ---
+            if (!ClaimUtils.userHasDatasetsAuthorization(userInfo.getUser().getUsername(), authentication.getAuthorities(), experimentDatasets)){
+                return ResponseEntity.badRequest().body("You are not authorized to use these datasets.");
             }
         }
 

src/main/java/eu/hbp/mip/controllers/PathologiesApi.java

@@ -7,7 +7,6 @@ package eu.hbp.mip.controllers;
 import com.google.gson.Gson;
 import com.google.gson.reflect.TypeToken;
 import eu.hbp.mip.model.PathologyDTO;
-import eu.hbp.mip.model.PathologyDTO.PathologyDatasetDTO;
 import eu.hbp.mip.model.UserInfo;
 import eu.hbp.mip.utils.ClaimUtils;
 import eu.hbp.mip.utils.CustomResourceLoader;
@@ -26,8 +25,6 @@ import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
-import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.List;
 
 import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
@@ -68,47 +65,8 @@ public class PathologiesApi {
             return ResponseEntity.ok().body(gson.toJson(allPathologies));
         }
 
-        // --- Providing only the allowed pathologies/datasets to the user  ---
-        UserActionLogging.LogUserAction(userInfo.getUser().getUsername(),
-                "Load all the pathologies", "Filter out the unauthorised datasets.");
-
-        List<String> userClaims = Arrays.asList(authentication.getAuthorities().toString().toLowerCase()
-                .replaceAll("[\\s+\\]\\[]", "").split(","));
-
-        UserActionLogging.LogUserAction(userInfo.getUser().getUsername(),
-                "Load all the pathologies", "User Claims: " + userClaims);
-
-        // If the "dataset_all" claim exists then return everything
-        if (userClaims.contains(ClaimUtils.allDatasetsAllowedClaim())) {
-            return ResponseEntity.ok().body(gson.toJson(allPathologies));
-        }
-
-        List<PathologyDTO> userPathologies = new ArrayList<>();
-        for (PathologyDTO curPathology : allPathologies) {
-            UserActionLogging.LogUserAction(userInfo.getUser().getUsername(),
-                    "Load all the pathologies", "Pathology: " + curPathology);
-
-            List<PathologyDatasetDTO> userPathologyDatasets = new ArrayList<PathologyDatasetDTO>();
-            for (PathologyDatasetDTO dataset : curPathology.getDatasets()) {
-                if (userClaims.contains(ClaimUtils.getDatasetClaim(dataset.getCode()))) {
-                    userPathologyDatasets.add(dataset);
-                }
-            }
-
-            if (userPathologyDatasets.size() > 0) {
-                UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Load all the pathologies",
-                        "Added pathology '" + curPathology.getLabel() + " with datasets: '" + userPathologyDatasets + "'");
-
-                PathologyDTO userPathology = new PathologyDTO();
-                userPathology.setCode(curPathology.getCode());
-                userPathology.setLabel(curPathology.getLabel());
-                userPathology.setMetadataHierarchy(curPathology.getMetadataHierarchy());
-                userPathology.setDatasets(userPathologyDatasets);
-                userPathologies.add(userPathology);
-            }
-        }
-
-        return ResponseEntity.ok().body(gson.toJson(userPathologies));
+        return ResponseEntity.ok().body(ClaimUtils.getAuthorizedPathologies(
+                userInfo.getUser().getUsername(), authentication.getAuthorities(), allPathologies));
     }
 
     // Pure Java

src/main/java/eu/hbp/mip/model/PathologyDTO.java

@@ -72,6 +72,12 @@ public class PathologyDTO {
         public void setLabel(String label) {
             this.label = label;
         }
+
+        public String toString(){ return code;}
+    }
+
+    public String toString(){
+        return code;
     }
 
 }

src/main/java/eu/hbp/mip/utils/ClaimUtils.java

 package eu.hbp.mip.utils;
 
+import com.google.gson.Gson;
+import eu.hbp.mip.model.PathologyDTO;
+import org.springframework.security.core.GrantedAuthority;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+
+
 public class ClaimUtils {
-    public static String allDatasetsAllowedClaim(){
+
+    private static final Gson gson = new Gson();
+
+    public static String allDatasetsAllowedClaim() {
         return "dataset_all";
     }
 
-    public static String getDatasetClaim(String datasetCode){
+    public static String getDatasetClaim(String datasetCode) {
         return "dataset_" + datasetCode;
     }
+
+    public static boolean userHasDatasetsAuthorization(String username, Collection<? extends GrantedAuthority> authorities,
+                                                       String experimentDatasets) {
+
+        List<String> userClaims = Arrays.asList(authorities.toString().toLowerCase()
+                .replaceAll("[\\s+\\]\\[]", "").split(","));
+        UserActionLogging.LogUserAction(username, "User Claims", userClaims.toString());
+
+        // Don't check for dataset claims if "super" claim exists allowing everything
+        if (!userClaims.contains(ClaimUtils.allDatasetsAllowedClaim())) {
+
+            for (String dataset : experimentDatasets.split(",")) {
+                String datasetRole = ClaimUtils.getDatasetClaim(dataset);
+                if (!userClaims.contains(datasetRole.toLowerCase())) {
+                    UserActionLogging.LogUserAction(username, "Run algorithm",
+                            "You are not allowed to use dataset: " + dataset);
+                    return false;
+                }
+            }
+            UserActionLogging.LogUserAction(username, "Run algorithm",
+                    "User is authorized to use the datasets: " + experimentDatasets);
+        }
+        return true;
+    }
+
+    public static String getAuthorizedPathologies(String username, Collection<? extends GrantedAuthority> authorities,
+                                                  List<PathologyDTO> allPathologies) {
+        // --- Providing only the allowed pathologies/datasets to the user  ---
+        UserActionLogging.LogUserAction(username,
+                "Load all the pathologies", "Filter out the unauthorised datasets.");
+
+        List<String> userClaims = Arrays.asList(authorities.toString().toLowerCase()
+                .replaceAll("[\\s+\\]\\[]", "").split(","));
+
+        UserActionLogging.LogUserAction(username,
+                "Load all the pathologies", "User Claims: " + userClaims);
+
+        // If the "dataset_all" claim exists then return everything
+        if (userClaims.contains(ClaimUtils.allDatasetsAllowedClaim())) {
+            return gson.toJson(allPathologies);
+        }
+
+        List<PathologyDTO> userPathologies = new ArrayList<>();
+        for (PathologyDTO curPathology : allPathologies) {
+            UserActionLogging.LogUserAction(username,
+                    "Load all the pathologies", "Pathology: " + curPathology.getCode());
+
+            List<PathologyDTO.PathologyDatasetDTO> userPathologyDatasets = new ArrayList<PathologyDTO.PathologyDatasetDTO>();
+            for (PathologyDTO.PathologyDatasetDTO dataset : curPathology.getDatasets()) {
+                if (userClaims.contains(ClaimUtils.getDatasetClaim(dataset.getCode()))) {
+                    userPathologyDatasets.add(dataset);
+                }
+            }
+
+            if (userPathologyDatasets.size() > 0) {
+                UserActionLogging.LogUserAction(username, "Load all the pathologies",
+                        "Added pathology '" + curPathology.getLabel() + " with datasets: '" + userPathologyDatasets + "'");
+
+                PathologyDTO userPathology = new PathologyDTO();
+                userPathology.setCode(curPathology.getCode());
+                userPathology.setLabel(curPathology.getLabel());
+                userPathology.setMetadataHierarchy(curPathology.getMetadataHierarchy());
+                userPathology.setDatasets(userPathologyDatasets);
+                userPathologies.add(userPathology);
+            }
+        }
+
+        return gson.toJson(userPathologies);
+    }
+
 }

src/main/java/eu/hbp/mip/utils/UserActionLogging.java

@@ -11,7 +11,7 @@ public class UserActionLogging {
         LOGGER.info(" User : "
                 + userName
                 + " called endpoint: " + actionName
-                + " info: " + actionInfo);
+                + ", info: " + actionInfo);
     }
 
     // Usually, used from Threads because threads can't get userName.