catalog: first catalog test work, #TASK-4389
pfurio committed Oct 24, 2023
1 parent d882956 commit 114ad40
Showing 51 changed files with 1,536 additions and 408 deletions.
Expand Up @@ -19,6 +19,7 @@
import org.opencb.opencga.analysis.rga.exceptions.RgaException;
import org.opencb.opencga.analysis.rga.iterators.RgaIterator;
import org.opencb.opencga.analysis.variant.manager.VariantStorageManager;
import org.opencb.opencga.catalog.auth.authorization.AuthorizationManager;
import org.opencb.opencga.catalog.db.api.SampleDBAdaptor;
import org.opencb.opencga.catalog.exceptions.CatalogException;
import org.opencb.opencga.catalog.managers.AbstractManager;
Expand Down Expand Up @@ -151,7 +152,9 @@ public void index(String study, Path file, String token) throws CatalogException

Study studyObject = catalogManager.getStudyManager().get(study, QueryOptions.empty(), token).first();
try {
catalogManager.getAuthorizationManager().isOwnerOrAdmin(organizationId, studyObject.getUid(), userId);
AuthorizationManager authorizationManager = catalogManager.getAuthorizationManager();
long studyId = studyObject.getUid();
authorizationManager.isStudyAdministrator(organizationId, studyId, userId);
} catch (CatalogException e) {
logger.error(e.getMessage(), e);
throw new CatalogException("Only owners or admins can index", e.getCause());
Expand Down Expand Up @@ -234,7 +237,9 @@ public void generateAuxiliarCollection(String studyStr, String token) throws Cat
String userId = catalogManager.getUserManager().getUserId(organizationId, token);
Study study = catalogManager.getStudyManager().get(studyStr, QueryOptions.empty(), token).first();
try {
catalogManager.getAuthorizationManager().isOwnerOrAdmin(organizationId, study.getUid(), userId);
AuthorizationManager authorizationManager = catalogManager.getAuthorizationManager();
long studyId = study.getUid();
authorizationManager.isStudyAdministrator(organizationId, studyId, userId);
} catch (CatalogException e) {
logger.error(e.getMessage(), e);
throw new CatalogException("Only owners or admins can generate the auxiliary RGA collection", e.getCause());
Expand Down Expand Up @@ -636,7 +641,9 @@ public OpenCGAResult<RgaKnockoutByGene> geneQuery(String studyStr, Query query,
QueryOptions queryOptions = setDefaultLimit(options);
List<String> includeIndividuals = queryOptions.getAsStringList(RgaQueryParams.INCLUDE_INDIVIDUAL);

Boolean isOwnerOrAdmin = catalogManager.getAuthorizationManager().isOwnerOrAdmin(organizationId, study.getUid(), userId);
AuthorizationManager authorizationManager = catalogManager.getAuthorizationManager();
long studyId = study.getUid();
Boolean isOwnerOrAdmin = authorizationManager.isStudyAdministrator(organizationId, studyId, userId);
Query auxQuery = query != null ? new Query(query) : new Query();

// Get number of matches
Expand Down Expand Up @@ -773,7 +780,9 @@ public OpenCGAResult<KnockoutByVariant> variantQuery(String studyStr, Query quer
QueryOptions queryOptions = setDefaultLimit(options);
List<String> includeIndividuals = queryOptions.getAsStringList(RgaQueryParams.INCLUDE_INDIVIDUAL);

Boolean isOwnerOrAdmin = catalogManager.getAuthorizationManager().isOwnerOrAdmin(organizationId, study.getUid(), userId);
AuthorizationManager authorizationManager = catalogManager.getAuthorizationManager();
long studyId = study.getUid();
Boolean isOwnerOrAdmin = authorizationManager.isStudyAdministrator(organizationId, studyId, userId);
Query auxQuery = query != null ? new Query(query) : new Query();

ResourceIds resourceIds;
Expand Down Expand Up @@ -1732,7 +1741,9 @@ private Preprocess individualQueryPreprocess(Study study, Query query, QueryOpti
throw new RgaException("Missing RGA indexes for study '" + study.getFqn() + "' or solr server not alive");
}

Boolean isOwnerOrAdmin = catalogManager.getAuthorizationManager().isOwnerOrAdmin(organizationId, study.getUid(), userId);
AuthorizationManager authorizationManager = catalogManager.getAuthorizationManager();
long studyId = study.getUid();
Boolean isOwnerOrAdmin = authorizationManager.isStudyAdministrator(organizationId, studyId, userId);

Preprocess preprocessResult = new Preprocess();
preprocessResult.setUserId(userId);
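Review bot: In `index()` and `generateAuxiliarCollection()` the boolean returned by `authorizationManager.isStudyAdministrator(organizationId, studyId, userId)` is discarded, so the surrounding `try`/`catch` rejects a caller only when the lookup itself throws. The interface in this commit declares the method as `boolean ... throws CatalogException`, and the visible part of its implementation looks like a plain group-membership test, so a user outside the admins group would appear to pass and reach the indexing code. Calling the throwing variant that already exists on the interface, `authorizationManager.checkIsOwnerOrAdmin(organizationId, studyId, userId);`, would make the guard effective in both methods. The rethrow also passes `e.getCause()` rather than `e`, which drops the original exception from the chain. Both method bodies continue outside the visible hunks.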
Expand Up @@ -126,4 +126,7 @@ public static AuthenticationManager getOrganizationAuthenticationManager(String
return organizationAuthenticationManagers.get(authOriginId);
}

public static void clear() {
authenticationManagerMap.clear();
}
}
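Review bot: `clear()` is added as a public static method with no Javadoc, so any code on the classpath can empty `authenticationManagerMap` while the server is running. If it exists only to reset state between tests, as the commit title suggests, consider dropping `public` (provided the tests live in the same package) and adding a comment such as `/** Test support only: removes every cached AuthenticationManager; not intended for production callers. */`. The hunk does not show whether the map is a concurrent type, so the safety of a lookup racing with `clear()` should be confirmed.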
Expand Up @@ -20,6 +20,7 @@
import org.opencb.opencga.catalog.exceptions.CatalogDBException;
import org.opencb.opencga.catalog.exceptions.CatalogException;
import org.opencb.opencga.catalog.utils.ParamUtils;
import org.opencb.opencga.core.api.ParamConstants;
import org.opencb.opencga.core.models.AclEntryList;
import org.opencb.opencga.core.models.JwtPayload;
import org.opencb.opencga.core.models.clinical.ClinicalAnalysisPermissions;
Expand Down Expand Up @@ -86,8 +87,7 @@ static EnumSet<StudyPermissions.Permissions> getLockedAcls() {
default void checkIsOrganizationOwnerOrAdmin(String organization, String userId)
throws CatalogAuthorizationException, CatalogDBException {
if (!isOrganizationOwnerOrAdmin(organization, userId)) {
throw new CatalogAuthorizationException("Permission denied: Only the owner or admins of the organization can perform this "
+ "action.");
throw CatalogAuthorizationException.notOwnerOrAdmin();
}
}

Expand Down Expand Up @@ -120,17 +120,19 @@ void checkUpdateGroupPermissions(String organizationId, long studyId, String use

void checkCanCreateUpdateDeleteVariableSets(String organizationId, long studyId, String userId) throws CatalogException;

boolean isInstallationAdministrator(JwtPayload payload) throws CatalogException;
default boolean isOpencga(String userId) {
return ParamConstants.OPENCGA_USER_ID.equals(userId) || ParamConstants.OPENCGA_USER_FQN.equals(userId);
}

boolean isInstallationAdministrator(String organizationId, String user);
boolean isInstallationAdministrator(JwtPayload payload) throws CatalogException;

void checkIsInstallationAdministrator(String organizationId, String user) throws CatalogException;

void checkIsOwnerOrAdmin(String organizationId, long studyId, String userId) throws CatalogException;

boolean isOrganizationOwnerOrAdmin(String organization, String userId) throws CatalogDBException;

boolean isOwnerOrAdmin(String organizationId, long studyId, String userId) throws CatalogException;
boolean isStudyAdministrator(String organizationId, long studyId, String userId) throws CatalogException;

void checkFilePermission(String organizationId, long studyId, long fileId, String userId, FilePermissions permission)
throws CatalogException;
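Review bot: The new default method `isOpencga(String userId)` has no Javadoc and decides superuser status from the user id string alone, without the `organizationId` that the other checks in this interface take. The implementation in this commit uses it as an unconditional bypass, so the contract should state that the id must come from an already validated token and that `OPENCGA_USER_ID` / `OPENCGA_USER_FQN` are reserved in every organization; whether user creation enforces that reservation is not visible here and should be confirmed. A suggested header: `/** Returns true when userId is the installation superuser (id or FQN form); callers must pass an id taken from a validated token. */`. The section also replaces `isOwnerOrAdmin` with `isStudyAdministrator` while `checkIsOwnerOrAdmin` keeps the old name, which leaves the naming inconsistent.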
Expand Up @@ -58,7 +58,6 @@ public class CatalogAuthorizationManager implements AuthorizationManager {

public static final String MEMBERS_GROUP = ParamConstants.MEMBERS_GROUP;
public static final String ADMINS_GROUP = ParamConstants.ADMINS_GROUP;
private static final String OPENCGA = ParamConstants.OPENCGA_USER_ID;

private final Logger logger;

Expand All @@ -74,15 +73,15 @@ public CatalogAuthorizationManager(DBAdaptorFactory dbFactory, AuthorizationDBAd

@Override
public void checkCanEditProject(String organizationId, long projectId, String userId) throws CatalogException {
if (isOrganizationOwnerOrAdmin(organizationId, userId)) {
if (isOpencga(userId) || isOrganizationOwnerOrAdmin(organizationId, userId)) {
return;
}
throw new CatalogAuthorizationException("Permission denied: Only the owner of the project can update it.");
}

@Override
public void checkCanViewProject(String organizationId, long projectId, String userId) throws CatalogException {
if (isOrganizationOwnerOrAdmin(organizationId, userId)) {
if (isOpencga(userId) || isOrganizationOwnerOrAdmin(organizationId, userId)) {
return;
}

Expand Down Expand Up @@ -115,7 +114,7 @@ public void checkStudyPermission(String organizationId, long studyUid, JwtPayloa
@Override
public void checkStudyPermission(String organizationId, long studyId, String userId, StudyPermissions.Permissions permission)
throws CatalogException {
if (isInstallationAdministrator(organizationId, userId)) {
if (isOpencga(userId) || isOrganizationOwnerOrAdmin(organizationId, userId)) {
return;
} else {
if (dbAdaptorFactory.getCatalogStudyDBAdaptor(organizationId).hasStudyPermission(studyId, userId, permission)) {
Expand All @@ -127,42 +126,27 @@ public void checkStudyPermission(String organizationId, long studyId, String use

@Override
public void checkCanEditStudy(String organizationId, long studyId, String userId) throws CatalogException {
if (isInstallationAdministrator(organizationId, userId)) {
return;
}

String ownerId = dbAdaptorFactory.getCatalogStudyDBAdaptor(organizationId).getOwnerId(studyId);
if (!ownerId.equals(userId) && !isAdministrativeUser(organizationId, studyId, userId)) {
throw new CatalogAuthorizationException("Only owners or administrative users are allowed to modify a study");
if (!isOpencga(userId) && !isStudyAdministrator(organizationId, studyId, userId)) {
throw CatalogAuthorizationException.notStudyAdmin("modify a study");
}
}

@Override
public void checkCanViewStudy(String organizationId, long studyId, String userId) throws CatalogException {
if (isInstallationAdministrator(organizationId, userId)) {
return;
}

String ownerId = dbAdaptorFactory.getCatalogStudyDBAdaptor(organizationId).getOwnerId(studyId);
if (ownerId.equals(userId)) {
if (isOpencga(userId)) {
return;
}

OpenCGAResult<Group> groupBelonging = getGroupBelonging(organizationId, studyId, userId);
if (groupBelonging.getNumResults() == 0) {
throw new CatalogAuthorizationException("Only the members of the study are allowed to see it");
throw CatalogAuthorizationException.notStudyMember("see it");
}
}

@Override
public void checkCanUpdatePermissionRules(String organizationId, long studyId, String userId) throws CatalogException {
if (isInstallationAdministrator(organizationId, userId)) {
return;
}

String ownerId = dbAdaptorFactory.getCatalogStudyDBAdaptor(organizationId).getOwnerId(studyId);
if (!ownerId.equals(userId) && !isAdministrativeUser(organizationId, studyId, userId)) {
throw new CatalogAuthorizationException("Only owners or administrative users are allowed to modify a update permission rules");
if (!isOpencga(userId) && !isStudyAdministrator(organizationId, studyId, userId)) {
throw CatalogAuthorizationException.notStudyAdmin("update the permission rules");
}
}

Expand All @@ -173,13 +157,8 @@ public void checkCreateDeleteGroupPermissions(String organizationId, long studyI
throw new CatalogAuthorizationException(group + " is a protected group that cannot be created or deleted.");
}

if (isInstallationAdministrator(organizationId, userId)) {
return;
}

String ownerId = dbAdaptorFactory.getCatalogStudyDBAdaptor(organizationId).getOwnerId(studyId);
if (!userId.equals(ownerId) && !isAdministrativeUser(organizationId, studyId, userId)) {
throw new CatalogAuthorizationException("Only administrative users are allowed to create/remove groups.");
if (!isOpencga(userId) && !isStudyAdministrator(organizationId, studyId, userId)) {
throw CatalogAuthorizationException.notStudyAdmin("create or remove groups.");
}
}

Expand All @@ -191,28 +170,15 @@ public void checkSyncGroupPermissions(String organizationId, long studyUid, Stri
@Override
public void checkUpdateGroupPermissions(String organizationId, long studyId, String userId, String group,
ParamUtils.BasicUpdateAction action) throws CatalogException {
String ownerId = dbAdaptorFactory.getCatalogStudyDBAdaptor(organizationId).getOwnerId(studyId);

if (userId.equals(ownerId)) {
// Granted permission but check it is a valid action
if (group.equals(MEMBERS_GROUP)
&& (action != ParamUtils.BasicUpdateAction.ADD && action != ParamUtils.BasicUpdateAction.REMOVE)) {
throw new CatalogAuthorizationException("Only ADD or REMOVE actions are accepted for @members group.");
}
return;
if (MEMBERS_GROUP.equals(group)
&& (action != ParamUtils.BasicUpdateAction.ADD && action != ParamUtils.BasicUpdateAction.REMOVE)) {
throw new CatalogAuthorizationException("Only ADD or REMOVE actions are accepted for " + MEMBERS_GROUP + " group.");
}

if (group.equals(ADMINS_GROUP)) {
throw new CatalogAuthorizationException("Only the owner of the study can assign/remove users to the administrative group.");
if (ADMINS_GROUP.equals(group) && !isOrganizationOwnerOrAdmin(organizationId, userId)) {
throw CatalogAuthorizationException.notOwnerOrAdmin("assign or remove users to the " + ADMINS_GROUP + " group.");
}

if (!isInstallationAdministrator(organizationId, userId) && !isAdministrativeUser(organizationId, studyId, userId)) {
throw new CatalogAuthorizationException("Only administrative users are allowed to assign/remove users to groups.");
}

// Check it is a valid action
if (group.equals(MEMBERS_GROUP) && (action != ParamUtils.BasicUpdateAction.ADD && action != ParamUtils.BasicUpdateAction.REMOVE)) {
throw new CatalogAuthorizationException("Only ADD or REMOVE actions are accepted for @members group.");
if (!isStudyAdministrator(organizationId, studyId, userId)) {
throw CatalogAuthorizationException.notStudyAdmin("assign or remove users to groups.");
}
}

Expand All @@ -227,27 +193,15 @@ public void checkNotAssigningPermissionsToAdminsGroup(List<String> members) thro

@Override
public void checkCanAssignOrSeePermissions(String organizationId, long studyId, String userId) throws CatalogException {
if (isInstallationAdministrator(organizationId, userId)) {
return;
}

String ownerId = dbAdaptorFactory.getCatalogStudyDBAdaptor(organizationId).getOwnerId(studyId);
if (!ownerId.equals(userId) && !isAdministrativeUser(organizationId, studyId, userId)) {
throw new CatalogAuthorizationException("Only owners or administrative users are allowed to assign or see all permissions");
if (!isOpencga(userId) && !isStudyAdministrator(organizationId, studyId, userId)) {
throw CatalogAuthorizationException.notStudyAdmin("assign or see all permissions");
}
}

@Override
public void checkCanCreateUpdateDeleteVariableSets(String organizationId, long studyId, String userId) throws CatalogException {
if (isInstallationAdministrator(organizationId, userId)) {
return;
}

String ownerId = dbAdaptorFactory.getCatalogStudyDBAdaptor(organizationId).getOwnerId(studyId);

if (!ownerId.equals(userId) && !isAdministrativeUser(organizationId, studyId, userId)) {
throw new CatalogAuthorizationException("Only owners or administrative users are allowed to create/update/delete variable "
+ "sets");
if (!isOpencga(userId) && !isOrganizationOwnerOrAdmin(organizationId, userId)) {
throw CatalogAuthorizationException.notOwnerOrAdmin("create, update or delete variable sets.");
}
}

Expand All @@ -262,25 +216,20 @@ public boolean isInstallationAdministrator(JwtPayload payload) throws CatalogExc
return true;
}

@Override
public boolean isInstallationAdministrator(String organizationId, String user) {
return OPENCGA.equals(user);
}

@Override
public void checkIsInstallationAdministrator(String organizationId, String user) throws CatalogException {
if (!isInstallationAdministrator(organizationId, user)) {
if (!isOpencga(user) && !isOrganizationOwnerOrAdmin(organizationId, user)) {
throw new CatalogAuthorizationException("Only ADMINISTRATOR users are allowed to perform this action");
}
}

@Override
public void checkIsOwnerOrAdmin(String organizationId, long studyId, String userId) throws CatalogException {
if (isInstallationAdministrator(organizationId, userId)) {
if (isOrganizationOwnerOrAdmin(organizationId, userId)) {
return;
}

if (!isOwnerOrAdmin(organizationId, studyId, userId)) {
if (!isStudyAdministrator(organizationId, studyId, userId)) {
throw new CatalogAuthorizationException("Only owners or administrative users are allowed to perform this action");
}
}
Expand All @@ -296,17 +245,7 @@ public boolean isOrganizationOwnerOrAdmin(String organizationId, String userId)
}

@Override
public boolean isOwnerOrAdmin(String organizationId, long studyId, String userId) throws CatalogException {
String ownerId = dbAdaptorFactory.getCatalogStudyDBAdaptor(organizationId).getOwnerId(studyId);

if (!ownerId.equals(userId) && !isAdministrativeUser(organizationId, studyId, userId)) {
return false;
}
return true;
}


private boolean isAdministrativeUser(String organizationId, long studyId, String user) throws CatalogException {
public boolean isStudyAdministrator(String organizationId, long studyId, String user) throws CatalogException {
OpenCGAResult<Group> groupBelonging = getGroupBelonging(organizationId, studyId, user);
for (Group group : groupBelonging.getResults()) {
if (group.getId().equals(ADMINS_GROUP)) {
Expand All @@ -332,7 +271,7 @@ public void checkFilePermission(String organizationId, long studyId, long fileId

private boolean checkUserPermission(String organizationId, String userId, Query query, CoreDBAdaptor dbAdaptor)
throws CatalogException {
if (isInstallationAdministrator(organizationId, userId)) {
if (isOpencga(userId) || isOrganizationOwnerOrAdmin(organizationId, userId)) {
return true;
} else {
if (dbAdaptor.count(query, userId).getNumMatches() == 1) {
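Review bot: `checkIsInstallationAdministrator` now also succeeds for any organization owner or admin (`!isOpencga(user) && !isOrganizationOwnerOrAdmin(organizationId, user)`), whereas before this commit it accepted only the OPENCGA user. Callers are outside this page, but any that rely on it to guard installation-wide operations would now admit organization-level admins; if that widening is not intended the condition should stay `if (!isOpencga(user)) {`, and if it is intended the method name and the "Only ADMINISTRATOR users" message should say so. Separately, `checkIsOwnerOrAdmin` and `checkUpdateGroupPermissions` have no `isOpencga(userId)` bypass while the sibling checks in this section do (unless `isOrganizationOwnerOrAdmin` already covers that user), and `isStudyAdministrator` no longer considers the study owner; a short Javadoc on each check stating which roles pass would make the intended permission matrix reviewable. The last hunk ends inside `checkUserPermission`, whose body continues outside the section.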
Expand Up @@ -85,11 +85,13 @@ default String getCatalogDatabase(String prefix, String organization) {

MetaDBAdaptor getCatalogMetaDBAdaptor(String organization) throws CatalogDBException;

OpenCGAResult<Organization> createOrganization(Organization organization, QueryOptions options)
OpenCGAResult<Organization> createOrganization(Organization organization, QueryOptions options, String userId)
throws CatalogDBException, CatalogParameterException, CatalogAuthorizationException;

void deleteOrganization(Organization organization) throws CatalogDBException;

SettingsDBAdaptor getCatalogSettingsDBAdaptor(String organization) throws CatalogDBException;

OrganizationDBAdaptor getCatalogOrganizationDBAdaptor(String organization) throws CatalogDBException;

UserDBAdaptor getCatalogUserDBAdaptor(String organization) throws CatalogDBException;
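Review bot: `createOrganization` gains a `userId` parameter, but the interface has no Javadoc saying whose id it is or what an implementation must do with it, which matters because the method declares `CatalogAuthorizationException`. A line such as `@param userId id of the user requesting the creation` plus a sentence on which check can raise the authorization exception would pin the contract for implementers; the exact role of the id is not visible in this hunk and should be filled in by the author. The new `getCatalogSettingsDBAdaptor(String organization)` would benefit from the same one-line description.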
Expand Up @@ -24,6 +24,7 @@ enum QueryParams implements QueryParam {
DOMAIN("domain", STRING, ""),
OWNER("owner", STRING, ""),
ADMINS("admins", TEXT_ARRAY, ""),
CONFIGURATION("configuration", OBJECT, ""),
CREATION_DATE("creationDate", DATE, ""),
MODIFICATION_DATE("modificationDate", DATE, ""),
PROJECTS("projects", OBJECT, ""),