From d890e3f14b636a1d524c669a52a1c5986ee99169 Mon Sep 17 00:00:00 2001
From: pieterlukasse
Date: Mon, 18 Sep 2023 16:58:23 +0200
Subject: [PATCH] feat: use custom configuration option
---
 .github/workflows/image_build_push.yaml | 1 +
 pom.xml | 3 +-
 .../filters/UpdateAccessTokenFilter.java | 28 ++++++++++++-------
 .../management/AtlasRegularSecurity.java | 6 +++-
 src/main/resources/application.properties | 3 ++
 5 files changed, 29 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/image_build_push.yaml b/.github/workflows/image_build_push.yaml
index 94b6f4dccf..7598078802 100644
--- a/.github/workflows/image_build_push.yaml
+++ b/.github/workflows/image_build_push.yaml
@@ -8,6 +8,7 @@ jobs:
 uses: uc-cdis/.github/.github/workflows/image_build_push.yaml@master
 with:
 OVERRIDE_REPO_NAME: "ohdsi-webapi"
+ BUILD_PLATFORMS: "linux/amd64"
 secrets:
 ECR_AWS_ACCESS_KEY_ID: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
 ECR_AWS_SECRET_ACCESS_KEY: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}
diff --git a/pom.xml b/pom.xml
index 845032b8ae..9b0e64a0c3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -82,6 +82,7 @@ ISOLATION_READ_COMMITTED default + teamproject DisabledSecurity 43200 http://localhost
@@ -226,7 +227,7 @@
 false
 200
 true
- debug
+ info
 debug
 info
 info
diff --git a/src/main/java/org/ohdsi/webapi/shiro/filters/UpdateAccessTokenFilter.java b/src/main/java/org/ohdsi/webapi/shiro/filters/UpdateAccessTokenFilter.java
index bc2c239d5a..faeaa70952 100644
--- a/src/main/java/org/ohdsi/webapi/shiro/filters/UpdateAccessTokenFilter.java
+++ b/src/main/java/org/ohdsi/webapi/shiro/filters/UpdateAccessTokenFilter.java
@@ -48,16 +48,20 @@ public class UpdateAccessTokenFilter extends AdviceFilter {
 private final int tokenExpirationIntervalInSeconds;
 private final Set defaultRoles;
 private final String onFailRedirectUrl;
+ private final String authorizationMode;
 public UpdateAccessTokenFilter(
 PermissionManager authorizer,
 Set defaultRoles,
 int tokenExpirationIntervalInSeconds,
- String onFailRedirectUrl) {
+ String onFailRedirectUrl,
+ String authorizationMode) {
 this.authorizer = authorizer;
 this.tokenExpirationIntervalInSeconds = tokenExpirationIntervalInSeconds;
 this.defaultRoles = defaultRoles;
 this.onFailRedirectUrl = onFailRedirectUrl;
+ this.authorizationMode = authorizationMode;
+ logger.debug("AUTHORIZATION_MODE in UpdateAccessTokenFilter constructor == '{}'", this.authorizationMode);
 }
 @Override
@@ -82,7 +86,7 @@ protected boolean preHandle(ServletRequest request, ServletResponse response) th
 */
 ShiroHttpServletRequest requestShiro = (ShiroHttpServletRequest) request;
 HttpSession shiroSession = requestShiro.getSession();
- if (login == null && shiroSession.getAttribute(CasHandleFilter.CONST_CAS_AUTHN) != null // TODO - can we use something similar to flag that it is a Fence/oid with teamProject? For now we're just fishing it out from the request parameters itself
+ if (login == null && shiroSession.getAttribute(CasHandleFilter.CONST_CAS_AUTHN) != null
 && ((String) shiroSession.getAttribute(CasHandleFilter.CONST_CAS_AUTHN)).equalsIgnoreCase("true")) {
 login = ((Pac4jPrincipal) principal).getProfile().getId();
 }
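Review bot: `this.authorizationMode = authorizationMode;` stores the injected mode without any validation, and the later hunk in preHandle dereferences it with `this.authorizationMode.equals("teamproject")`, so a property that resolves to null would surface as a NullPointerException on the first login instead of at startup. Fail fast in the constructor with `this.authorizationMode = Objects.requireNonNull(authorizationMode, "authorizationMode");`, or make the comparison null-safe as `"teamproject".equals(this.authorizationMode)`. The accepted mode is also a bare literal here and in AtlasRegularSecurity; a shared constant (or a small enum) would keep the Spring property and the filter in step and make unknown values detectable. The field and constructor are inside a class whose body continues outside the hunk.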
@@ -132,17 +136,21 @@ protected boolean preHandle(ServletRequest request, ServletResponse response) th
 name = login;
 }
 try {
- // TODO - remove all teamProject roles at start of login (find this place...OR add a new "remove teamproject" filter)...
-
+ logger.debug("AUTHORIZATION_MODE in UpdateAccessTokenFilter == '{}'", this.authorizationMode);
 boolean resetRoles = false;
- // check if teamProject is part of the request:
- String teamProjectRole = extractTeamProjectFromRequestParameters(request);
 Set newUserRoles = new HashSet();
- if (teamProjectRole != null) {
- // add teamProject as a role in the newUserRoles list:
- newUserRoles.add(teamProjectRole);
+ if (this.authorizationMode.equals("teamproject")) {
+ // in case of "teamproject" mode, we want all roles to be reset always, and
+ // set to only the one requested/found in the request parameters (following lines below):
 resetRoles = true;
- // TODO - double check with Arborist if this role has really been granted to the user....
+ // check if a teamproject parameter is found in the request:
+ String teamProjectRole = extractTeamProjectFromRequestParameters(request);
+ // if found, add teamproject as a role in the newUserRoles list:
+ if (teamProjectRole != null) {
+ newUserRoles.add(teamProjectRole);
+ // double check with Arborist if this role has really been granted to the user....
+ // TODO
+ }
 }
 this.authorizer.registerUser(login, name, defaultRoles, newUserRoles, resetRoles);
diff --git a/src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java b/src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java
index 4fb4e65286..55991e403c 100644
--- a/src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java
+++ b/src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java
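Review bot: In teamproject mode the role value returned by `extractTeamProjectFromRequestParameters(request)` is added to `newUserRoles` and, because `resetRoles = true` is set unconditionally, becomes the user's only role when `registerUser` runs, while the check that the user was actually granted that role is still the `// TODO` sitting after `newUserRoles.add(teamProjectRole)`; as written, the role assignment is driven entirely by a caller-supplied parameter. Since this commit is what switches the path on by configuration, the verification against Arborist should gate the `add` (fail closed: leave the role out, or reject the request, when it cannot be confirmed) rather than remain a comment behind it, and the hunk should at least say so explicitly, e.g. `// SECURITY: teamProjectRole is caller-supplied and not yet verified against Arborist; must be checked before it is granted.` A secondary point of style: the two-line explanatory comment belongs above the `if`, and `Set newUserRoles = new HashSet();` keeps the raw types from the old code where `Set<String>`/`HashSet<>` would match the signature of `registerUser`. preHandle starts and ends outside the hunk.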
@@ -253,6 +253,9 @@ public class AtlasRegularSecurity extends AtlasSecurity {
 @Value("${security.auth.google.enabled}")
 private boolean googleAuthEnabled;
+ @Value("${security.ohdsi.custom.authorization.mode}")
+ private String authorizationMode;
+
 private RestTemplate restTemplate = new RestTemplate();
 @Autowired
@@ -269,8 +272,9 @@ public Map getFilters() {
 Map filters = super.getFilters();
 filters.put(LOGOUT, new LogoutFilter(eventPublisher));
+ logger.debug("Initializing UpdateAccessTokenFilter with AUTHORIZATION_MODE === '{}'", this.authorizationMode);
 filters.put(UPDATE_TOKEN, new UpdateAccessTokenFilter(this.authorizer, this.defaultRoles, this.tokenExpirationIntervalInSeconds,
- this.redirectUrl));
+ this.redirectUrl, this.authorizationMode));
 filters.put(ACCESS_AUTHC, new GoogleAccessTokenFilter(restTemplate, permissionManager, Collections.emptySet()));
 filters.put(JWT_AUTHC, new AtlasJwtAuthFilter());
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 8143a3b9f9..cc696ba8bc 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -199,6 +199,9 @@ security.auth.ldap.enabled=${security.auth.ldap.enabled}
 security.auth.ad.enabled=${security.auth.ad.enabled}
 security.auth.cas.enabled=${security.auth.cas.enabled}
+#Authorization config
+security.ohdsi.custom.authorization.mode=${security.ohdsi.custom.authorization.mode}
+
 #Execution engine
 executionengine.updateStatusCallback=${executionengine.updateStatusCallback}
 executionengine.resultCallback=${executionengine.resultCallback}
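Review bot: The new `authorizationMode` field carries no documentation of what values it accepts or what they do, even though it selects how user roles are assigned at login; a comment such as `// Role-assignment policy for UpdateAccessTokenFilter: "teamproject" resets the user's roles to the one named in the request's teamproject parameter; any other value makes the filter ignore that parameter.` would make the behaviour visible to whoever sets the property, and the same sentence belongs under `#Authorization config` in the application.properties hunk below. The `@Value` placeholder has no default, so a deployment that does not supply `security.ohdsi.custom.authorization.mode` fails at context startup unless the Maven-filtered default (apparently added in pom.xml, though the tag name is not legible in this patch) covers it; if the intent is a safe fallback, state it as `@Value("${security.ohdsi.custom.authorization.mode:}")` together with a documented meaning for the empty value rather than relying on build-time filtering. A style nit in the second hunk: the `===` in the debug message reads as a typo for `==`.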