From a12ad32a828158ccf98d6e22405d004ed8211eed Mon Sep 17 00:00:00 2001
From: ThanKarab <tkarabatsis@hotmail.com>
Date: Mon, 4 May 2020 18:35:19 +0300
Subject: [PATCH 1/6] Refactored experiment-pathologies API.
---
.../eu/hbp/mip/controllers/ExperimentApi.java | 46 ++++------
.../hbp/mip/controllers/PathologiesApi.java | 46 +---------
.../java/eu/hbp/mip/model/PathologyDTO.java | 6 ++
.../java/eu/hbp/mip/utils/ClaimUtils.java | 87 ++++++++++++++++++-
.../eu/hbp/mip/utils/UserActionLogging.java | 2 +-
5 files changed, 110 insertions(+), 77 deletions(-)
diff --git a/src/main/java/eu/hbp/mip/controllers/ExperimentApi.java b/src/main/java/eu/hbp/mip/controllers/ExperimentApi.java
index 3958d99d6..ce5c81f64 100644
--- a/src/main/java/eu/hbp/mip/controllers/ExperimentApi.java
+++ b/src/main/java/eu/hbp/mip/controllers/ExperimentApi.java
@@ -115,39 +115,25 @@ public class ExperimentApi {
UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Run algorithm", "Running the algorithm...");
if(authenticationIsEnabled) {
- // --- Validating proper access rights on the datasets ---
- List<String> userClaims = Arrays.asList(authentication.getAuthorities().toString().toLowerCase()
- .replaceAll("[\\s+\\]\\[]", "").split(","));
- UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "User Claims", userClaims.toString());
-
- // Don't check for dataset claims if "super" claim exists allowing everything
- if (!userClaims.contains(ClaimUtils.allDatasetsAllowedClaim())) {
- // Getting the dataset from the experiment parameters
- String experimentDatasets = null;
- for (AlgorithmExecutionParamDTO parameter : experimentExecutionDTO.getAlgorithms().get(0).getParameters()) {
- if (parameter.getName().equals("dataset")) {
- experimentDatasets = parameter.getValue();
- UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Run algorithm", "Found the dataset parameter!");
- break;
- }
- }
-
- if (experimentDatasets == null || experimentDatasets.equals("")) {
- UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Run algorithm",
- "A dataset should be specified when running an algorithm.");
- return ResponseEntity.badRequest().body("A dataset should be specified when running an algorithm.");
+ // Getting the dataset from the experiment parameters
+ String experimentDatasets = null;
+ for (ExperimentExecutionDTO.AlgorithmExecutionDTO.AlgorithmExecutionParamDTO parameter : experimentExecutionDTO.getAlgorithms().get(0).getParameters()) {
+ if (parameter.getName().equals("dataset")) {
+ experimentDatasets = parameter.getValue();
+ UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Run algorithm", "Got the dataset parameter!");
+ break;
}
+ }
- for (String dataset : experimentDatasets.split(",")) {
- String datasetRole = ClaimUtils.getDatasetClaim(dataset);
- if (!userClaims.contains(datasetRole.toLowerCase())) {
- UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Run algorithm",
- "You are not allowed to use dataset: " + dataset);
- return ResponseEntity.status(HttpStatus.FORBIDDEN).body("You are not allowed to use dataset: " + dataset);
- }
- }
+ if (experimentDatasets == null || experimentDatasets.equals("")) {
UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Run algorithm",
- "User is authorized to use the datasets: " + experimentDatasets);
+ "A dataset should be specified to run an algorithm.");
+ return ResponseEntity.badRequest().body("Please provide at least one dataset to run the algorithm.");
+ }
+
+ // --- Validating proper access rights on the datasets ---
+ if (!ClaimUtils.userHasDatasetsAuthorization(userInfo.getUser().getUsername(), authentication.getAuthorities(), experimentDatasets)){
+ return ResponseEntity.badRequest().body("You are not authorized to use these datasets.");
}
}
diff --git a/src/main/java/eu/hbp/mip/controllers/PathologiesApi.java b/src/main/java/eu/hbp/mip/controllers/PathologiesApi.java
index b7914e221..56a6b165a 100644
--- a/src/main/java/eu/hbp/mip/controllers/PathologiesApi.java
+++ b/src/main/java/eu/hbp/mip/controllers/PathologiesApi.java
@@ -7,7 +7,6 @@ package eu.hbp.mip.controllers;
import com.google.gson.Gson;
import com.google.gson.reflect.TypeToken;
import eu.hbp.mip.model.PathologyDTO;
-import eu.hbp.mip.model.PathologyDTO.PathologyDatasetDTO;
import eu.hbp.mip.model.UserInfo;
import eu.hbp.mip.utils.ClaimUtils;
import eu.hbp.mip.utils.CustomResourceLoader;
@@ -26,8 +25,6 @@ import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
-import java.util.ArrayList;
-import java.util.Arrays;
import java.util.List;
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
@@ -68,47 +65,8 @@ public class PathologiesApi {
return ResponseEntity.ok().body(gson.toJson(allPathologies));
}
- // --- Providing only the allowed pathologies/datasets to the user ---
- UserActionLogging.LogUserAction(userInfo.getUser().getUsername(),
- "Load all the pathologies", "Filter out the unauthorised datasets.");
-
- List<String> userClaims = Arrays.asList(authentication.getAuthorities().toString().toLowerCase()
- .replaceAll("[\\s+\\]\\[]", "").split(","));
-
- UserActionLogging.LogUserAction(userInfo.getUser().getUsername(),
- "Load all the pathologies", "User Claims: " + userClaims);
-
- // If the "dataset_all" claim exists then return everything
- if (userClaims.contains(ClaimUtils.allDatasetsAllowedClaim())) {
- return ResponseEntity.ok().body(gson.toJson(allPathologies));
- }
-
- List<PathologyDTO> userPathologies = new ArrayList<>();
- for (PathologyDTO curPathology : allPathologies) {
- UserActionLogging.LogUserAction(userInfo.getUser().getUsername(),
- "Load all the pathologies", "Pathology: " + curPathology);
-
- List<PathologyDatasetDTO> userPathologyDatasets = new ArrayList<PathologyDatasetDTO>();
- for (PathologyDatasetDTO dataset : curPathology.getDatasets()) {
- if (userClaims.contains(ClaimUtils.getDatasetClaim(dataset.getCode()))) {
- userPathologyDatasets.add(dataset);
- }
- }
-
- if (userPathologyDatasets.size() > 0) {
- UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Load all the pathologies",
- "Added pathology '" + curPathology.getLabel() + " with datasets: '" + userPathologyDatasets + "'");
-
- PathologyDTO userPathology = new PathologyDTO();
- userPathology.setCode(curPathology.getCode());
- userPathology.setLabel(curPathology.getLabel());
- userPathology.setMetadataHierarchy(curPathology.getMetadataHierarchy());
- userPathology.setDatasets(userPathologyDatasets);
- userPathologies.add(userPathology);
- }
- }
-
- return ResponseEntity.ok().body(gson.toJson(userPathologies));
+ return ResponseEntity.ok().body(ClaimUtils.getAuthorizedPathologies(
+ userInfo.getUser().getUsername(), authentication.getAuthorities(), allPathologies));
}
// Pure Java
diff --git a/src/main/java/eu/hbp/mip/model/PathologyDTO.java b/src/main/java/eu/hbp/mip/model/PathologyDTO.java
index e447ba605..cc407e7f2 100644
--- a/src/main/java/eu/hbp/mip/model/PathologyDTO.java
+++ b/src/main/java/eu/hbp/mip/model/PathologyDTO.java
@@ -72,6 +72,12 @@ public class PathologyDTO {
public void setLabel(String label) {
this.label = label;
}
+
+ public String toString(){ return code;}
+ }
+
+ public String toString(){
+ return code;
}
}
diff --git a/src/main/java/eu/hbp/mip/utils/ClaimUtils.java b/src/main/java/eu/hbp/mip/utils/ClaimUtils.java
index f9bd98b58..b53d1d900 100644
--- a/src/main/java/eu/hbp/mip/utils/ClaimUtils.java
+++ b/src/main/java/eu/hbp/mip/utils/ClaimUtils.java
@@ -1,11 +1,94 @@
package eu.hbp.mip.utils;
+import com.google.gson.Gson;
+import eu.hbp.mip.model.PathologyDTO;
+import org.springframework.security.core.GrantedAuthority;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+
+
public class ClaimUtils {
- public static String allDatasetsAllowedClaim(){
+
+ private static final Gson gson = new Gson();
+
+ public static String allDatasetsAllowedClaim() {
return "dataset_all";
}
- public static String getDatasetClaim(String datasetCode){
+ public static String getDatasetClaim(String datasetCode) {
return "dataset_" + datasetCode;
}
+
+ public static boolean userHasDatasetsAuthorization(String username, Collection<? extends GrantedAuthority> authorities,
+ String experimentDatasets) {
+
+ List<String> userClaims = Arrays.asList(authorities.toString().toLowerCase()
+ .replaceAll("[\\s+\\]\\[]", "").split(","));
+ UserActionLogging.LogUserAction(username, "User Claims", userClaims.toString());
+
+ // Don't check for dataset claims if "super" claim exists allowing everything
+ if (!userClaims.contains(ClaimUtils.allDatasetsAllowedClaim())) {
+
+ for (String dataset : experimentDatasets.split(",")) {
+ String datasetRole = ClaimUtils.getDatasetClaim(dataset);
+ if (!userClaims.contains(datasetRole.toLowerCase())) {
+ UserActionLogging.LogUserAction(username, "Run algorithm",
+ "You are not allowed to use dataset: " + dataset);
+ return false;
+ }
+ }
+ UserActionLogging.LogUserAction(username, "Run algorithm",
+ "User is authorized to use the datasets: " + experimentDatasets);
+ }
+ return true;
+ }
+
+ public static String getAuthorizedPathologies(String username, Collection<? extends GrantedAuthority> authorities,
+ List<PathologyDTO> allPathologies) {
+ // --- Providing only the allowed pathologies/datasets to the user ---
+ UserActionLogging.LogUserAction(username,
+ "Load all the pathologies", "Filter out the unauthorised datasets.");
+
+ List<String> userClaims = Arrays.asList(authorities.toString().toLowerCase()
+ .replaceAll("[\\s+\\]\\[]", "").split(","));
+
+ UserActionLogging.LogUserAction(username,
+ "Load all the pathologies", "User Claims: " + userClaims);
+
+ // If the "dataset_all" claim exists then return everything
+ if (userClaims.contains(ClaimUtils.allDatasetsAllowedClaim())) {
+ return gson.toJson(allPathologies);
+ }
+
+ List<PathologyDTO> userPathologies = new ArrayList<>();
+ for (PathologyDTO curPathology : allPathologies) {
+ UserActionLogging.LogUserAction(username,
+ "Load all the pathologies", "Pathology: " + curPathology.getCode());
+
+ List<PathologyDTO.PathologyDatasetDTO> userPathologyDatasets = new ArrayList<PathologyDTO.PathologyDatasetDTO>();
+ for (PathologyDTO.PathologyDatasetDTO dataset : curPathology.getDatasets()) {
+ if (userClaims.contains(ClaimUtils.getDatasetClaim(dataset.getCode()))) {
+ userPathologyDatasets.add(dataset);
+ }
+ }
+
+ if (userPathologyDatasets.size() > 0) {
+ UserActionLogging.LogUserAction(username, "Load all the pathologies",
+ "Added pathology '" + curPathology.getLabel() + " with datasets: '" + userPathologyDatasets + "'");
+
+ PathologyDTO userPathology = new PathologyDTO();
+ userPathology.setCode(curPathology.getCode());
+ userPathology.setLabel(curPathology.getLabel());
+ userPathology.setMetadataHierarchy(curPathology.getMetadataHierarchy());
+ userPathology.setDatasets(userPathologyDatasets);
+ userPathologies.add(userPathology);
+ }
+ }
+
+ return gson.toJson(userPathologies);
+ }
+
}
diff --git a/src/main/java/eu/hbp/mip/utils/UserActionLogging.java b/src/main/java/eu/hbp/mip/utils/UserActionLogging.java
index a0ec02277..18e27317a 100644
--- a/src/main/java/eu/hbp/mip/utils/UserActionLogging.java
+++ b/src/main/java/eu/hbp/mip/utils/UserActionLogging.java
@@ -11,7 +11,7 @@ public class UserActionLogging {
LOGGER.info(" User : "
+ userName
+ " called endpoint: " + actionName
- + " info: " + actionInfo);
+ + ", info: " + actionInfo);
}
// Usually, used from Threads because threads can't get userName.
--
GitLab
From ed846218367c72fa809465e092e4a981ac4a6fbc Mon Sep 17 00:00:00 2001
From: ThanKarab <tkarabatsis@hotmail.com>
Date: Mon, 4 May 2020 20:59:07 +0300
Subject: [PATCH 2/6] Logs added.
---
src/main/java/eu/hbp/mip/utils/ClaimUtils.java | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/main/java/eu/hbp/mip/utils/ClaimUtils.java b/src/main/java/eu/hbp/mip/utils/ClaimUtils.java
index b53d1d900..243b2c60e 100644
--- a/src/main/java/eu/hbp/mip/utils/ClaimUtils.java
+++ b/src/main/java/eu/hbp/mip/utils/ClaimUtils.java
@@ -50,13 +50,13 @@ public class ClaimUtils {
List<PathologyDTO> allPathologies) {
// --- Providing only the allowed pathologies/datasets to the user ---
UserActionLogging.LogUserAction(username,
- "Load all the pathologies", "Filter out the unauthorised datasets.");
+ "Load pathologies", "Filter out the unauthorised datasets.");
List<String> userClaims = Arrays.asList(authorities.toString().toLowerCase()
.replaceAll("[\\s+\\]\\[]", "").split(","));
UserActionLogging.LogUserAction(username,
- "Load all the pathologies", "User Claims: " + userClaims);
+ "Load pathologies", "User Claims: " + userClaims);
// If the "dataset_all" claim exists then return everything
if (userClaims.contains(ClaimUtils.allDatasetsAllowedClaim())) {
@@ -66,18 +66,26 @@ public class ClaimUtils {
List<PathologyDTO> userPathologies = new ArrayList<>();
for (PathologyDTO curPathology : allPathologies) {
UserActionLogging.LogUserAction(username,
- "Load all the pathologies", "Pathology: " + curPathology.getCode());
+ "Load pathologies", "Pathology: " + curPathology.getCode());
List<PathologyDTO.PathologyDatasetDTO> userPathologyDatasets = new ArrayList<PathologyDTO.PathologyDatasetDTO>();
for (PathologyDTO.PathologyDatasetDTO dataset : curPathology.getDatasets()) {
if (userClaims.contains(ClaimUtils.getDatasetClaim(dataset.getCode()))) {
+ UserActionLogging.LogUserAction(username, "Load pathologies",
+ "Added dataset: " + dataset.getCode());
userPathologyDatasets.add(dataset);
+ }else{
+ UserActionLogging.LogUserAction(username, "Load pathologies",
+ "Dataset not added: '" + dataset.getCode());
+ UserActionLogging.LogUserAction(username, "Load pathologies",
+ "Claim did not exist: '" + ClaimUtils.getDatasetClaim(dataset.getCode()));
}
}
if (userPathologyDatasets.size() > 0) {
- UserActionLogging.LogUserAction(username, "Load all the pathologies",
- "Added pathology '" + curPathology.getLabel() + " with datasets: '" + userPathologyDatasets + "'");
+ UserActionLogging.LogUserAction(username, "Load pathologies",
+ "Added pathology '" + curPathology.getLabel()
+ + " with datasets: '" + userPathologyDatasets + "'");
PathologyDTO userPathology = new PathologyDTO();
userPathology.setCode(curPathology.getCode());
--
GitLab
From 1b8a9785d3e593f7e799c2b9d84b4ecd9ba8d0c1 Mon Sep 17 00:00:00 2001
From: ThanKarab <tkarabatsis@hotmail.com>
Date: Mon, 4 May 2020 21:46:58 +0300
Subject: [PATCH 3/6] Log fixes.
---
src/main/java/eu/hbp/mip/utils/ClaimUtils.java | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/main/java/eu/hbp/mip/utils/ClaimUtils.java b/src/main/java/eu/hbp/mip/utils/ClaimUtils.java
index 243b2c60e..72565800e 100644
--- a/src/main/java/eu/hbp/mip/utils/ClaimUtils.java
+++ b/src/main/java/eu/hbp/mip/utils/ClaimUtils.java
@@ -66,7 +66,7 @@ public class ClaimUtils {
List<PathologyDTO> userPathologies = new ArrayList<>();
for (PathologyDTO curPathology : allPathologies) {
UserActionLogging.LogUserAction(username,
- "Load pathologies", "Pathology: " + curPathology.getCode());
+ "Load pathologies", "Checking pathology: " + curPathology.getCode());
List<PathologyDTO.PathologyDatasetDTO> userPathologyDatasets = new ArrayList<PathologyDTO.PathologyDatasetDTO>();
for (PathologyDTO.PathologyDatasetDTO dataset : curPathology.getDatasets()) {
@@ -85,7 +85,7 @@ public class ClaimUtils {
if (userPathologyDatasets.size() > 0) {
UserActionLogging.LogUserAction(username, "Load pathologies",
"Added pathology '" + curPathology.getLabel()
- + " with datasets: '" + userPathologyDatasets + "'");
+ + "' with datasets: '" + userPathologyDatasets + "'");
PathologyDTO userPathology = new PathologyDTO();
userPathology.setCode(curPathology.getCode());
--
GitLab
From 0784864709782119063900708c13fe14e10e05a2 Mon Sep 17 00:00:00 2001
From: ThanKarab <tkarabatsis@hotmail.com>
Date: Mon, 4 May 2020 22:30:46 +0300
Subject: [PATCH 4/6] Log fixes.
---
src/main/java/eu/hbp/mip/controllers/PathologiesApi.java | 2 +-
src/main/java/eu/hbp/mip/utils/ClaimUtils.java | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/main/java/eu/hbp/mip/controllers/PathologiesApi.java b/src/main/java/eu/hbp/mip/controllers/PathologiesApi.java
index 56a6b165a..f4eb2a7d6 100644
--- a/src/main/java/eu/hbp/mip/controllers/PathologiesApi.java
+++ b/src/main/java/eu/hbp/mip/controllers/PathologiesApi.java
@@ -48,7 +48,7 @@ public class PathologiesApi {
@RequestMapping(name = "/pathologies", method = RequestMethod.GET)
public ResponseEntity<String> getPathologies(Authentication authentication) {
- UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Load all the pathologies", "");
+ UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "Load pathologies", "Running ...");
// Load pathologies from file
Resource resource = resourceLoader.getResource("file:/opt/portal/api/pathologies.json");
diff --git a/src/main/java/eu/hbp/mip/utils/ClaimUtils.java b/src/main/java/eu/hbp/mip/utils/ClaimUtils.java
index 72565800e..a169fff57 100644
--- a/src/main/java/eu/hbp/mip/utils/ClaimUtils.java
+++ b/src/main/java/eu/hbp/mip/utils/ClaimUtils.java
@@ -76,9 +76,9 @@ public class ClaimUtils {
userPathologyDatasets.add(dataset);
}else{
UserActionLogging.LogUserAction(username, "Load pathologies",
- "Dataset not added: '" + dataset.getCode());
+ "Dataset not added: " + dataset.getCode());
UserActionLogging.LogUserAction(username, "Load pathologies",
- "Claim did not exist: '" + ClaimUtils.getDatasetClaim(dataset.getCode()));
+ "Claim did not exist: " + ClaimUtils.getDatasetClaim(dataset.getCode()));
}
}
--
GitLab
From 8db5f0edf215f656fc2cb7d8f3c73c84ba15f492 Mon Sep 17 00:00:00 2001
From: ThanKarab <tkarabatsis@hotmail.com>
Date: Tue, 5 May 2020 10:21:11 +0300
Subject: [PATCH 5/6] Lower Casing the dataset when getting the role.
---
src/main/java/eu/hbp/mip/utils/ClaimUtils.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/eu/hbp/mip/utils/ClaimUtils.java b/src/main/java/eu/hbp/mip/utils/ClaimUtils.java
index a169fff57..0972bc0a0 100644
--- a/src/main/java/eu/hbp/mip/utils/ClaimUtils.java
+++ b/src/main/java/eu/hbp/mip/utils/ClaimUtils.java
@@ -19,7 +19,7 @@ public class ClaimUtils {
}
public static String getDatasetClaim(String datasetCode) {
- return "dataset_" + datasetCode;
+ return "dataset_" + datasetCode.toLowerCase();
}
public static boolean userHasDatasetsAuthorization(String username, Collection<? extends GrantedAuthority> authorities,
--
GitLab
From 6ecab71440e3f81ae7105a25cc741af5cfaf0e1b Mon Sep 17 00:00:00 2001
From: ThanKarab <tkarabatsis@hotmail.com>
Date: Tue, 5 May 2020 10:22:23 +0300
Subject: [PATCH 6/6] Removed unecessary logs.
---
src/main/java/eu/hbp/mip/utils/ClaimUtils.java | 8 --------
1 file changed, 8 deletions(-)
diff --git a/src/main/java/eu/hbp/mip/utils/ClaimUtils.java b/src/main/java/eu/hbp/mip/utils/ClaimUtils.java
index 0972bc0a0..eeceb5d21 100644
--- a/src/main/java/eu/hbp/mip/utils/ClaimUtils.java
+++ b/src/main/java/eu/hbp/mip/utils/ClaimUtils.java
@@ -65,20 +65,12 @@ public class ClaimUtils {
List<PathologyDTO> userPathologies = new ArrayList<>();
for (PathologyDTO curPathology : allPathologies) {
- UserActionLogging.LogUserAction(username,
- "Load pathologies", "Checking pathology: " + curPathology.getCode());
-
List<PathologyDTO.PathologyDatasetDTO> userPathologyDatasets = new ArrayList<PathologyDTO.PathologyDatasetDTO>();
for (PathologyDTO.PathologyDatasetDTO dataset : curPathology.getDatasets()) {
if (userClaims.contains(ClaimUtils.getDatasetClaim(dataset.getCode()))) {
UserActionLogging.LogUserAction(username, "Load pathologies",
"Added dataset: " + dataset.getCode());
userPathologyDatasets.add(dataset);
- }else{
- UserActionLogging.LogUserAction(username, "Load pathologies",
- "Dataset not added: " + dataset.getCode());
- UserActionLogging.LogUserAction(username, "Load pathologies",
- "Claim did not exist: " + ClaimUtils.getDatasetClaim(dataset.getCode()));
}
}
--
GitLab