wip: use custom configuration option

pom.xml

@@ -82,6 +82,7 @@
     <spring.batch.repository.isolationLevelForCreate>ISOLATION_READ_COMMITTED</spring.batch.repository.isolationLevelForCreate>
     <spring.profiles.active>default</spring.profiles.active>
 
+    <security.ohdsi.custom.authorization.mode></security.ohdsi.custom.authorization.mode>
     <security.provider>DisabledSecurity</security.provider>
     <security.token.expiration>43200</security.token.expiration>
     <security.origin>http://localhost</security.origin>
@@ -226,7 +227,7 @@
     <spring.jpa.properties.hibernate.generate_statistics>false</spring.jpa.properties.hibernate.generate_statistics>
     <spring.jpa.properties.hibernate.jdbc.batch_size>200</spring.jpa.properties.hibernate.jdbc.batch_size>
     <spring.jpa.properties.hibernate.order_inserts>true</spring.jpa.properties.hibernate.order_inserts>
-    <logging.level.root>debug</logging.level.root>
+    <logging.level.root>info</logging.level.root>
     <logging.level.org.ohdsi>debug</logging.level.org.ohdsi>
     <logging.level.org.springframework.orm>info</logging.level.org.springframework.orm>
     <logging.level.org.springframework.jdbc>info</logging.level.org.springframework.jdbc>

src/main/java/org/ohdsi/webapi/shiro/filters/UpdateAccessTokenFilter.java

@@ -48,16 +48,19 @@ public class UpdateAccessTokenFilter extends AdviceFilter {
   private final int tokenExpirationIntervalInSeconds;
   private final Set<String> defaultRoles;
   private final String onFailRedirectUrl;
+  private final String authorizationMode;
 
   public UpdateAccessTokenFilter(
           PermissionManager authorizer,
           Set<String> defaultRoles,
           int tokenExpirationIntervalInSeconds,
-          String onFailRedirectUrl) {
+          String onFailRedirectUrl,
+          String authorizationMode) {
     this.authorizer = authorizer;
     this.tokenExpirationIntervalInSeconds = tokenExpirationIntervalInSeconds;
     this.defaultRoles = defaultRoles;
     this.onFailRedirectUrl = onFailRedirectUrl;
+    this.authorizationMode = authorizationMode;
   }
 
   @Override
@@ -82,7 +85,7 @@ protected boolean preHandle(ServletRequest request, ServletResponse response) th
       */
       ShiroHttpServletRequest requestShiro = (ShiroHttpServletRequest) request;
       HttpSession shiroSession = requestShiro.getSession();
-      if (login == null && shiroSession.getAttribute(CasHandleFilter.CONST_CAS_AUTHN) != null   // TODO - can we use something similar to flag that it is a Fence/oid with teamProject? For now we're just fishing it out from the request parameters itself
+      if (login == null && shiroSession.getAttribute(CasHandleFilter.CONST_CAS_AUTHN) != null
               && ((String) shiroSession.getAttribute(CasHandleFilter.CONST_CAS_AUTHN)).equalsIgnoreCase("true")) {
               login = ((Pac4jPrincipal) principal).getProfile().getId();
       }
@@ -132,17 +135,21 @@ protected boolean preHandle(ServletRequest request, ServletResponse response) th
         name = login;
       }
       try {
-        // TODO - remove all teamProject roles at start of login (find this place...OR add a new "remove teamproject" filter)...
-
+        logger.debug("AUTHORIZATION_MODE === '{}'", authorizationMode);
         boolean resetRoles = false;
-        // check if teamProject is part of the request:
-        String teamProjectRole = extractTeamProjectFromRequestParameters(request);
         Set<String> newUserRoles = new HashSet<String>();
-        if (teamProjectRole != null) {
-          // add teamProject as a role in the newUserRoles list:
-          newUserRoles.add(teamProjectRole);
+        if (authorizationMode.equals("teamproject")) {
+          // in case of "teamproject" mode, we want all roles to be reset always, and
+          // set to only the one requested/found in the request parameters (following lines below):
           resetRoles = true;
-          // TODO - double check with Arborist if this role has really been granted to the user....
+          // check if a teamproject parameter is found in the request:
+          String teamProjectRole = extractTeamProjectFromRequestParameters(request);
+          // if found, add teamproject as a role in the newUserRoles list:
+          if (teamProjectRole != null) {
+            newUserRoles.add(teamProjectRole);
+            // double check with Arborist if this role has really been granted to the user....
+            // TODO
+          }
         }
         this.authorizer.registerUser(login, name, defaultRoles, newUserRoles, resetRoles);
 

src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java

@@ -253,6 +253,9 @@ public class AtlasRegularSecurity extends AtlasSecurity {
     @Value("${security.auth.google.enabled}")
     private boolean googleAuthEnabled;
 
+    @Value("${security.ohdsi.custom.authorization.mode}")
+    private String authorizationMode;
+
     private RestTemplate restTemplate = new RestTemplate();
 
     @Autowired
@@ -270,7 +273,7 @@ public Map<FilterTemplates, Filter> getFilters() {
 
         filters.put(LOGOUT, new LogoutFilter(eventPublisher));
         filters.put(UPDATE_TOKEN, new UpdateAccessTokenFilter(this.authorizer, this.defaultRoles, this.tokenExpirationIntervalInSeconds,
-                this.redirectUrl));
+                this.redirectUrl, this.authorizationMode));
 
         filters.put(ACCESS_AUTHC, new GoogleAccessTokenFilter(restTemplate, permissionManager, Collections.emptySet()));
         filters.put(JWT_AUTHC, new AtlasJwtAuthFilter());

src/main/resources/application.properties

@@ -199,6 +199,9 @@ security.auth.ldap.enabled=${security.auth.ldap.enabled}
 security.auth.ad.enabled=${security.auth.ad.enabled}
 security.auth.cas.enabled=${security.auth.cas.enabled}
 
+#Authorization config
+security.ohdsi.custom.authorization.mode=${security.ohdsi.custom.authorization.mode}
+
 #Execution engine
 executionengine.updateStatusCallback=${executionengine.updateStatusCallback}
 executionengine.resultCallback=${executionengine.resultCallback}