diff --git a/.github/workflows/image_build_push.yaml b/.github/workflows/image_build_push.yaml
index 94b6f4dccf..7598078802 100644
--- a/.github/workflows/image_build_push.yaml
+++ b/.github/workflows/image_build_push.yaml
@@ -8,6 +8,7 @@ jobs:
uses: uc-cdis/.github/.github/workflows/image_build_push.yaml@master
with:
OVERRIDE_REPO_NAME: "ohdsi-webapi"
+ BUILD_PLATFORMS: "linux/amd64"
secrets:
ECR_AWS_ACCESS_KEY_ID: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
ECR_AWS_SECRET_ACCESS_KEY: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}
diff --git a/pom.xml b/pom.xml
index 845032b8ae..9b0e64a0c3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -82,6 +82,7 @@
ISOLATION_READ_COMMITTED
default
+ teamproject
DisabledSecurity
43200
http://localhost
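Review bot: If the new `teamproject` value is the default for `security.ohdsi.custom.authorization.mode` (the element names are not visible in this hunk, so this is inferred from the property added in application.properties), every deployment that does not override it now runs `UpdateAccessTokenFilter` in the mode that resets a user's roles on each token update and replaces them with a single role taken from a request parameter. That is a behaviour change for existing installs that previously only added a role when the parameter was present. A safer default is a non-`teamproject` value (for example `default`) with `teamproject` opted into explicitly, and the property deserves a one-line comment next to it such as `<!-- "teamproject": reset roles on each token update and grant only the teamproject from the request; any other value keeps the default behaviour -->`.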
@@ -226,7 +227,7 @@
false
200
true
- debug
+ info
debug
info
info
diff --git a/src/main/java/org/ohdsi/webapi/shiro/filters/UpdateAccessTokenFilter.java b/src/main/java/org/ohdsi/webapi/shiro/filters/UpdateAccessTokenFilter.java
index bc2c239d5a..faeaa70952 100644
--- a/src/main/java/org/ohdsi/webapi/shiro/filters/UpdateAccessTokenFilter.java
+++ b/src/main/java/org/ohdsi/webapi/shiro/filters/UpdateAccessTokenFilter.java
@@ -48,16 +48,20 @@ public class UpdateAccessTokenFilter extends AdviceFilter {
private final int tokenExpirationIntervalInSeconds;
private final Set defaultRoles;
private final String onFailRedirectUrl;
+ private final String authorizationMode;
public UpdateAccessTokenFilter(
PermissionManager authorizer,
Set defaultRoles,
int tokenExpirationIntervalInSeconds,
- String onFailRedirectUrl) {
+ String onFailRedirectUrl,
+ String authorizationMode) {
this.authorizer = authorizer;
this.tokenExpirationIntervalInSeconds = tokenExpirationIntervalInSeconds;
this.defaultRoles = defaultRoles;
this.onFailRedirectUrl = onFailRedirectUrl;
+ this.authorizationMode = authorizationMode;
+ logger.debug("AUTHORIZATION_MODE in UpdateAccessTokenFilter constructor == '{}'", this.authorizationMode);
}
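Review bot: The constructor stores `authorizationMode` without a null check, while later code in this class calls `this.authorizationMode.equals("teamproject")`, which throws a NullPointerException inside `preHandle` if the filter is ever constructed with a null mode (the public constructor does not prevent that, whatever Spring resolves for the property). Fail at construction instead with `this.authorizationMode = Objects.requireNonNull(authorizationMode, "authorizationMode");` (needs `java.util.Objects` imported), and document the parameter on the constructor with `@param authorizationMode "teamproject" resets roles on every token update; any other value leaves roles untouched`. The debug line on the next statement then also never logs a null.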
@Override
@@ -82,7 +86,7 @@ protected boolean preHandle(ServletRequest request, ServletResponse response) th
*/
ShiroHttpServletRequest requestShiro = (ShiroHttpServletRequest) request;
HttpSession shiroSession = requestShiro.getSession();
- if (login == null && shiroSession.getAttribute(CasHandleFilter.CONST_CAS_AUTHN) != null // TODO - can we use something similar to flag that it is a Fence/oid with teamProject? For now we're just fishing it out from the request parameters itself
+ if (login == null && shiroSession.getAttribute(CasHandleFilter.CONST_CAS_AUTHN) != null
&& ((String) shiroSession.getAttribute(CasHandleFilter.CONST_CAS_AUTHN)).equalsIgnoreCase("true")) {
login = ((Pac4jPrincipal) principal).getProfile().getId();
}
@@ -132,17 +136,21 @@ protected boolean preHandle(ServletRequest request, ServletResponse response) th
name = login;
}
try {
- // TODO - remove all teamProject roles at start of login (find this place...OR add a new "remove teamproject" filter)...
-
+ logger.debug("AUTHORIZATION_MODE in UpdateAccessTokenFilter == '{}'", this.authorizationMode);
boolean resetRoles = false;
- // check if teamProject is part of the request:
- String teamProjectRole = extractTeamProjectFromRequestParameters(request);
Set newUserRoles = new HashSet();
- if (teamProjectRole != null) {
- // add teamProject as a role in the newUserRoles list:
- newUserRoles.add(teamProjectRole);
+ if (this.authorizationMode.equals("teamproject")) {
+ // in case of "teamproject" mode, we want all roles to be reset always, and
+ // set to only the one requested/found in the request parameters (following lines below):
resetRoles = true;
- // TODO - double check with Arborist if this role has really been granted to the user....
+ // check if a teamproject parameter is found in the request:
+ String teamProjectRole = extractTeamProjectFromRequestParameters(request);
+ // if found, add teamproject as a role in the newUserRoles list:
+ if (teamProjectRole != null) {
+ newUserRoles.add(teamProjectRole);
+ // double check with Arborist if this role has really been granted to the user....
+ // TODO
+ }
}
this.authorizer.registerUser(login, name, defaultRoles, newUserRoles, resetRoles);
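Review bot: The role added at `newUserRoles.add(teamProjectRole)` comes straight from a request parameter via `extractTeamProjectFromRequestParameters` and is passed to `registerUser` with `resetRoles = true` without any check that the user actually holds it; the `// TODO` immediately below acknowledges that the Arborist verification is still missing, so as committed any authenticated caller who can set the parameter appears to select their own role. This should not merge as a TODO: gate the `add` on a positive verification result (keeping `resetRoles = true` so stale roles are still dropped), and log at warn rather than debug when the parameter is present but the role cannot be confirmed. Separately, `this.authorizationMode.equals("teamproject")` throws if the mode is null; `"teamproject".equals(this.authorizationMode)` is the null-safe form. `preHandle` begins and ends outside this hunk.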
diff --git a/src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java b/src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java
index 4fb4e65286..55991e403c 100644
--- a/src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java
+++ b/src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java
@@ -253,6 +253,9 @@ public class AtlasRegularSecurity extends AtlasSecurity {
@Value("${security.auth.google.enabled}")
private boolean googleAuthEnabled;
+ @Value("${security.ohdsi.custom.authorization.mode}")
+ private String authorizationMode;
+
private RestTemplate restTemplate = new RestTemplate();
@Autowired
@@ -269,8 +272,9 @@ public Map getFilters() {
Map filters = super.getFilters();
filters.put(LOGOUT, new LogoutFilter(eventPublisher));
+ logger.debug("Initializing UpdateAccessTokenFilter with AUTHORIZATION_MODE === '{}'", this.authorizationMode);
filters.put(UPDATE_TOKEN, new UpdateAccessTokenFilter(this.authorizer, this.defaultRoles, this.tokenExpirationIntervalInSeconds,
- this.redirectUrl));
+ this.redirectUrl, this.authorizationMode));
filters.put(ACCESS_AUTHC, new GoogleAccessTokenFilter(restTemplate, permissionManager, Collections.emptySet()));
filters.put(JWT_AUTHC, new AtlasJwtAuthFilter());
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 8143a3b9f9..cc696ba8bc 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -199,6 +199,9 @@ security.auth.ldap.enabled=${security.auth.ldap.enabled}
security.auth.ad.enabled=${security.auth.ad.enabled}
security.auth.cas.enabled=${security.auth.cas.enabled}
+#Authorization config
+security.ohdsi.custom.authorization.mode=${security.ohdsi.custom.authorization.mode}
+
#Execution engine
executionengine.updateStatusCallback=${executionengine.updateStatusCallback}
executionengine.resultCallback=${executionengine.resultCallback}