From db53e281ef78dd3ca8bbf5f35f98b6569caf9fa5 Mon Sep 17 00:00:00 2001 From: pkupczyk <pkupczyk> Date: Thu, 6 Jul 2017 15:11:07 +0000 Subject: [PATCH] SSDM-5299 : Project Authorization - modify @RolesAllowed annotations at experiment related methods SVN: 38502 --- .../ProjectProviderFromExperimentPermId.java | 50 ++++++++++++++ .../screening/server/ScreeningServer.java | 15 +++-- .../ExperimentIdentifierPredicate.java | 32 ++++++++- ...ateWithExperimentIdentifierSystemTest.java | 67 +++++++++++++++++++ ...edicateWithExperimentPermIdSystemTest.java | 67 +++++++++++++++++++ ...perimentPredicateScreeningTestService.java | 9 +++ 6 files changed, 232 insertions(+), 8 deletions(-) create mode 100644 openbis/source/java/ch/systemsx/cisd/openbis/generic/server/authorization/project/provider/project/ProjectProviderFromExperimentPermId.java create mode 100644 screening/sourceTest/java/ch/systemsx/cisd/openbis/screening/systemtests/authorization/predicate/experiment/ExperimentIdentifierPredicateWithExperimentIdentifierSystemTest.java create mode 100644 screening/sourceTest/java/ch/systemsx/cisd/openbis/screening/systemtests/authorization/predicate/experiment/ExperimentIdentifierPredicateWithExperimentPermIdSystemTest.java diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/authorization/project/provider/project/ProjectProviderFromExperimentPermId.java b/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/authorization/project/provider/project/ProjectProviderFromExperimentPermId.java new file mode 100644 index 00000000000..210b0b86d54 --- /dev/null +++ b/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/authorization/project/provider/project/ProjectProviderFromExperimentPermId.java 
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2017 ETH Zuerich, CISD
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package ch.systemsx.cisd.openbis.generic.server.authorization.project.provider.project;
+
+import ch.systemsx.cisd.openbis.generic.server.authorization.IAuthorizationDataProvider;
+import ch.systemsx.cisd.openbis.generic.server.authorization.project.data.project.IProject;
+import ch.systemsx.cisd.openbis.generic.server.authorization.project.data.project.ProjectFromProjectPE;
+import ch.systemsx.cisd.openbis.generic.server.authorization.project.provider.object.SingleObjectProvider;
+import ch.systemsx.cisd.openbis.generic.shared.dto.ExperimentPE;
+
+/**
+ * @author pkupczyk
+ */
+public class ProjectProviderFromExperimentPermId extends SingleObjectProvider<String>
+{
+
+ public ProjectProviderFromExperimentPermId(String permId)
+ {
+ super(permId);
+ }
+
+ @Override
+ protected IProject createProject(IAuthorizationDataProvider dataProvider, String permId)
+ {
+ ExperimentPE experimentPE = dataProvider.tryGetExperimentByPermId(permId);
+
+ if (experimentPE != null)
+ {
+ return new ProjectFromProjectPE(experimentPE.getProject());
+ } else
+ {
+ return null;
+ }
+ }
+
+}
diff --git a/screening/source/java/ch/systemsx/cisd/openbis/plugin/screening/server/ScreeningServer.java b/screening/source/java/ch/systemsx/cisd/openbis/plugin/screening/server/ScreeningServer.java
index 01f25909e2c..e287e7bd171 100644
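Review bot: createProject returns null for an unknown permId and passes `experimentPE.getProject()` on unchecked, yet the class carries only an `@author` tag, so the contract this authorization provider relies on is undocumented. I would add a class Javadoc along the lines of `Resolves the project of the experiment with the given permId for project-level authorization; yields null when no such experiment exists, which callers must treat as no access.` Whether an experiment can exist without a project is not visible in this hunk; if it can, `ProjectFromProjectPE` would be handed null and that case deserves the same sentence.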
--- a/screening/source/java/ch/systemsx/cisd/openbis/plugin/screening/server/ScreeningServer.java +++ b/screening/source/java/ch/systemsx/cisd/openbis/plugin/screening/server/ScreeningServer.java @@ -271,7 +271,8 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl session.tryGetPerson(), sample); return SampleTranslator.translate(getSampleTypeSlaveServerPlugin(sample.getSampleType()) .getSampleInfo(session, sample), session.getBaseIndexURL(), MetaprojectTranslator - .translate(metaprojectPEs), managedPropertyEvaluatorFactory); + .translate(metaprojectPEs), + managedPropertyEvaluatorFactory); } @Override @@ -469,7 +470,8 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl @Override @RolesAllowed(RoleWithHierarchy.PROJECT_OBSERVER) public ExperimentFeatureVectorSummary getExperimentFeatureVectorSummary(String sessionToken, - @AuthorizationGuard(guardClass = ExperimentTechIdPredicate.class) TechId experimentId, AnalysisProcedureCriteria analysisProcedureCriteria) + @AuthorizationGuard(guardClass = ExperimentTechIdPredicate.class) TechId experimentId, + AnalysisProcedureCriteria analysisProcedureCriteria) { Session session = getSession(sessionToken); // NOTE: we want the settings to be passed form the client in future @@ -523,8 +525,7 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl MaterialSummarySettings settings = new MaterialSummarySettings(); settings.setAggregationType(MaterialReplicaSummaryAggregationType.MEDIAN); settings.setFeatureCodes(new ArrayList<String>()); - settings.setReplicaMatrialTypePatterns(new String[] - { "GENE", "CONTROL", "COMPOUND" }); + settings.setReplicaMatrialTypePatterns(new String[] { "GENE", "CONTROL", "COMPOUND" }); settings.setMaterialDetailsPropertyType(ScreeningConstants.GENE_SYMBOLS); settings.setBiologicalReplicatePropertyTypeCodes("CONCENTRATION", "SIRNA"); return settings; 
@@ -651,7 +652,7 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl } @Override - @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER) + @RolesAllowed(RoleWithHierarchy.PROJECT_OBSERVER) public List<PlateWellReferenceWithDatasets> listPlateWells( String sessionToken, @AuthorizationGuard(guardClass = ExperimentIdentifierPredicate.class) ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.ExperimentIdentifier experimentIdentifer, @@ -704,7 +705,7 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl } @Override - @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER) + @RolesAllowed(RoleWithHierarchy.PROJECT_OBSERVER) public List<Plate> listPlates(String sessionToken, @AuthorizationGuard(guardClass = ExperimentIdentifierPredicate.class) ExperimentIdentifier experiment) throws IllegalArgumentException { @@ -821,7 +822,7 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl } @Override - @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER) + @RolesAllowed(RoleWithHierarchy.PROJECT_OBSERVER) public ExperimentImageMetadata getExperimentImageMetadata(String sessionToken, @AuthorizationGuard(guardClass = ExperimentIdentifierPredicate.class) ExperimentIdentifier experimentIdentifer) { diff --git a/screening/source/java/ch/systemsx/cisd/openbis/plugin/screening/server/authorization/ExperimentIdentifierPredicate.java b/screening/source/java/ch/systemsx/cisd/openbis/plugin/screening/server/authorization/ExperimentIdentifierPredicate.java index c1fa3611351..04114df321f 100644 --- a/screening/source/java/ch/systemsx/cisd/openbis/plugin/screening/server/authorization/ExperimentIdentifierPredicate.java +++ b/screening/source/java/ch/systemsx/cisd/openbis/plugin/screening/server/authorization/ExperimentIdentifierPredicate.java 
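Review bot: With `@RolesAllowed(RoleWithHierarchy.PROJECT_OBSERVER)` on listPlateWells (and likewise on listPlates and getExperimentImageMetadata in the two following hunks), the `ExperimentIdentifierPredicate` guard on the experiment argument becomes the only visible barrier for project-scoped users. The method bodies lie outside the hunks and the parameter list of listPlateWells continues past its hunk, so it cannot be seen here whether further arguments or the returned plates and data sets are confined to the guarded experiment; that should be confirmed before widening the role. I would record the assumption next to each annotation, e.g. `// Project-level users are authorized solely through the experiment guard; the body must return only data of that experiment.`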
@@ -21,9 +21,15 @@ import java.util.List; import ch.systemsx.cisd.common.exceptions.Status; import ch.systemsx.cisd.openbis.generic.server.authorization.RoleWithIdentifier; import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.AbstractSpacePredicate; +import ch.systemsx.cisd.openbis.generic.server.authorization.project.IProjectAuthorization; +import ch.systemsx.cisd.openbis.generic.server.authorization.project.ProjectAuthorizationBuilder; +import ch.systemsx.cisd.openbis.generic.server.authorization.project.provider.project.ProjectProviderFromExperimentIdentifierString; +import ch.systemsx.cisd.openbis.generic.server.authorization.project.provider.project.ProjectProviderFromExperimentPermId; +import ch.systemsx.cisd.openbis.generic.server.authorization.project.provider.role.RolesProviderFromRolesWithIdentifier; +import ch.systemsx.cisd.openbis.generic.server.authorization.project.provider.user.UserProviderFromPersonPE; import ch.systemsx.cisd.openbis.generic.shared.dto.ExperimentPE; -import ch.systemsx.cisd.openbis.generic.shared.dto.SpacePE; import ch.systemsx.cisd.openbis.generic.shared.dto.PersonPE; +import ch.systemsx.cisd.openbis.generic.shared.dto.SpacePE; import ch.systemsx.cisd.openbis.generic.shared.util.SpaceCodeHelper; import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.ExperimentIdentifier; 
@@ -49,6 +55,18 @@ public class ExperimentIdentifierPredicate extends AbstractSpacePredicate<Experi { if (value.getPermId() != null) { + IProjectAuthorization<String> pa = new ProjectAuthorizationBuilder<String>() + .withData(authorizationDataProvider) + .withUser(new UserProviderFromPersonPE(person)) + .withRoles(new RolesProviderFromRolesWithIdentifier(allowedRoles)) + .withObjects(new ProjectProviderFromExperimentPermId(value.getPermId())) + .build(); + + if (pa.getObjectsWithoutAccess().isEmpty()) + { + return Status.OK; + } + final ExperimentPE experimentOrNull = authorizationDataProvider.tryGetExperimentByPermId(value.getPermId()); if (experimentOrNull == null) @@ -60,6 +78,18 @@ public class ExperimentIdentifierPredicate extends AbstractSpacePredicate<Experi return evaluate(allowedRoles, person, space.getCode()); } + IProjectAuthorization<String> pa = new ProjectAuthorizationBuilder<String>() + .withData(authorizationDataProvider) + .withUser(new UserProviderFromPersonPE(person)) + .withRoles(new RolesProviderFromRolesWithIdentifier(allowedRoles)) + .withObjects(new ProjectProviderFromExperimentIdentifierString(value.getAugmentedCode())) + .build(); + + if (pa.getObjectsWithoutAccess().isEmpty()) + { + return Status.OK; + } + final String spaceCode = SpaceCodeHelper.getSpaceCode(person, value.getSpaceCode()); return evaluate(allowedRoles, person, spaceCode); } diff --git a/screening/sourceTest/java/ch/systemsx/cisd/openbis/screening/systemtests/authorization/predicate/experiment/ExperimentIdentifierPredicateWithExperimentIdentifierSystemTest.java b/screening/sourceTest/java/ch/systemsx/cisd/openbis/screening/systemtests/authorization/predicate/experiment/ExperimentIdentifierPredicateWithExperimentIdentifierSystemTest.java new file mode 100644 index 00000000000..90d4485de35 --- /dev/null 
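Review bot: In the permId branch `pa.getObjectsWithoutAccess().isEmpty()` returns `Status.OK` before the existence check that follows, so an unknown permId is rejected only if the authorization object counts an unresolved project as lacking access; ProjectProviderFromExperimentPermId returns null in that case and how null is treated is not visible in this hunk. The system tests added in this commit expect a not-enough-privileges failure for a nonexistent experiment, which suggests it is handled, but the dependency deserves a comment at the check: `// OK only when the project was resolved and is accessible; an unknown permId must fall through to the lookup below`. The same builder chain is repeated in the next hunk with only the objects provider changed, so a private helper that takes the provider would keep the two paths from drifting apart. doEvaluation begins outside the hunk.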
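Review bot: The project check in the identifier branch is fed `value.getAugmentedCode()` as it arrives, while the space check directly below first resolves a missing space code through `SpaceCodeHelper.getSpaceCode(person, value.getSpaceCode())`. If an identifier without a space code is accepted by this API, the two checks may not look at the same experiment, or the provider may fail on the string instead of falling through to the space check; the format of the augmented code is not visible here. Until that is settled I would at least state it in place: `// NOTE: the identifier is used unresolved here; home-space identifiers are only handled by the space check below`.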
+++ b/screening/sourceTest/java/ch/systemsx/cisd/openbis/screening/systemtests/authorization/predicate/experiment/ExperimentIdentifierPredicateWithExperimentIdentifierSystemTest.java 
@@ -0,0 +1,67 @@
+/*
+ * Copyright 2017 ETH Zuerich, CISD
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package ch.systemsx.cisd.openbis.screening.systemtests.authorization.predicate.experiment;
+
+import java.util.List;
+
+import ch.systemsx.cisd.common.exceptions.UserFailureException;
+import ch.systemsx.cisd.openbis.generic.shared.dto.ExperimentPE;
+import ch.systemsx.cisd.openbis.generic.shared.dto.IAuthSessionProvider;
+import ch.systemsx.cisd.openbis.generic.shared.dto.PersonPE;
+import ch.systemsx.cisd.openbis.generic.shared.dto.ProjectPE;
+import ch.systemsx.cisd.openbis.generic.shared.dto.SpacePE;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.ExperimentIdentifier;
+import ch.systemsx.cisd.openbis.screening.systemtests.authorization.predicate.CommonPredicateScreeningSystemTest;
+
+/**
+ * @author pkupczyk
+ */
+public class ExperimentIdentifierPredicateWithExperimentIdentifierSystemTest extends CommonPredicateScreeningSystemTest<ExperimentIdentifier>
+{
+
+ @Override
+ protected ExperimentIdentifier createNonexistentObject()
+ {
+ return new ExperimentIdentifier("IDONTEXIST", "IDONTEXIST", "IDONTEXIST", null);
+ }
+
+ @Override
+ protected ExperimentIdentifier createObject(SpacePE spacePE, ProjectPE projectPE)
+ {
+ ExperimentPE experimentPE = getExperiment(spacePE, projectPE);
+ return new ExperimentIdentifier(experimentPE.getCode(), projectPE.getCode(), spacePE.getCode(), null);
+ }
+
+ @Override
+ protected void evaluateObjects(IAuthSessionProvider session, List<ExperimentIdentifier> objects)
+ {
+ getBean(ExperimentPredicateScreeningTestService.class).testExperimentIdentifierPredicate(session, objects.get(0));
+ }
+
+ @Override
+ protected void assertWithNull(PersonPE person, Throwable t)
+ {
+ assertException(t, UserFailureException.class, "No experiment specified.");
+ }
+
+ @Override
+ protected void assertWithNonexistentObject(PersonPE person, Throwable t)
+ {
+ assertAuthorizationFailureExceptionThatNotEnoughPrivileges(t);
+ }
+
+}
diff --git a/screening/sourceTest/java/ch/systemsx/cisd/openbis/screening/systemtests/authorization/predicate/experiment/ExperimentIdentifierPredicateWithExperimentPermIdSystemTest.java b/screening/sourceTest/java/ch/systemsx/cisd/openbis/screening/systemtests/authorization/predicate/experiment/ExperimentIdentifierPredicateWithExperimentPermIdSystemTest.java
new file mode 100644
index 00000000000..abf298cddeb
--- /dev/null
+++ b/screening/sourceTest/java/ch/systemsx/cisd/openbis/screening/systemtests/authorization/predicate/experiment/ExperimentIdentifierPredicateWithExperimentPermIdSystemTest.java
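Review bot: No case in this class covers an identifier without a space code, although that is the input for which the predicate's identifier branch resolves the home space through `SpaceCodeHelper` after the new project check. createObject always passes `spacePE.getCode()` as the third constructor argument, so the interaction between the project-level check and home-space resolution stays untested. A variant built with `new ExperimentIdentifier(experimentPE.getCode(), projectPE.getCode(), null, null)` for a user whose home space is the experiment's space would pin the intended outcome; whether the shared base class can express that scenario is not visible here.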
@@ -0,0 +1,67 @@
+/*
+ * Copyright 2017 ETH Zuerich, CISD
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package ch.systemsx.cisd.openbis.screening.systemtests.authorization.predicate.experiment;
+
+import java.util.List;
+
+import ch.systemsx.cisd.common.exceptions.UserFailureException;
+import ch.systemsx.cisd.openbis.generic.shared.dto.ExperimentPE;
+import ch.systemsx.cisd.openbis.generic.shared.dto.IAuthSessionProvider;
+import ch.systemsx.cisd.openbis.generic.shared.dto.PersonPE;
+import ch.systemsx.cisd.openbis.generic.shared.dto.ProjectPE;
+import ch.systemsx.cisd.openbis.generic.shared.dto.SpacePE;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.ExperimentIdentifier;
+import ch.systemsx.cisd.openbis.screening.systemtests.authorization.predicate.CommonPredicateScreeningSystemTest;
+
+/**
+ * @author pkupczyk
+ */
+public class ExperimentIdentifierPredicateWithExperimentPermIdSystemTest extends CommonPredicateScreeningSystemTest<ExperimentIdentifier>
+{
+
+ @Override
+ protected ExperimentIdentifier createNonexistentObject()
+ {
+ return new ExperimentIdentifier(null, null, null, "IDONTEXIST");
+ }
+
+ @Override
+ protected ExperimentIdentifier createObject(SpacePE spacePE, ProjectPE projectPE)
+ {
+ ExperimentPE experimentPE = getExperiment(spacePE, projectPE);
+ return new ExperimentIdentifier(null, null, null, experimentPE.getPermId());
+ }
+
+ @Override
+ protected void evaluateObjects(IAuthSessionProvider session, List<ExperimentIdentifier> objects)
+ {
+ getBean(ExperimentPredicateScreeningTestService.class).testExperimentIdentifierPredicate(session, objects.get(0));
+ }
+
+ @Override
+ protected void assertWithNull(PersonPE person, Throwable t)
+ {
+ assertException(t, UserFailureException.class, "No experiment specified.");
+ }
+
+ @Override
+ protected void assertWithNonexistentObject(PersonPE person, Throwable t)
+ {
+ assertAuthorizationFailureExceptionThatNotEnoughPrivileges(t);
+ }
+
+}
diff --git a/screening/sourceTest/java/ch/systemsx/cisd/openbis/screening/systemtests/authorization/predicate/experiment/ExperimentPredicateScreeningTestService.java b/screening/sourceTest/java/ch/systemsx/cisd/openbis/screening/systemtests/authorization/predicate/experiment/ExperimentPredicateScreeningTestService.java
index f6623802451..c3237fb375d 100644
--- a/screening/sourceTest/java/ch/systemsx/cisd/openbis/screening/systemtests/authorization/predicate/experiment/ExperimentPredicateScreeningTestService.java
+++ b/screening/sourceTest/java/ch/systemsx/cisd/openbis/screening/systemtests/authorization/predicate/experiment/ExperimentPredicateScreeningTestService.java
@@ -23,7 +23,9 @@ import ch.systemsx.cisd.openbis.generic.server.authorization.annotation.Authoriz import ch.systemsx.cisd.openbis.generic.server.authorization.annotation.RolesAllowed; import ch.systemsx.cisd.openbis.generic.shared.basic.dto.RoleWithHierarchy; import ch.systemsx.cisd.openbis.generic.shared.dto.IAuthSessionProvider; +import ch.systemsx.cisd.openbis.plugin.screening.server.authorization.ExperimentIdentifierPredicate; import ch.systemsx.cisd.openbis.plugin.screening.server.authorization.ExperimentSearchCriteriaPredicate; +import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.ExperimentIdentifier; import ch.systemsx.cisd.openbis.plugin.screening.shared.basic.dto.WellSearchCriteria.ExperimentSearchCriteria; /**
@@ -40,4 +42,11 @@ public class ExperimentPredicateScreeningTestService { } + @Transactional + @RolesAllowed(value = { RoleWithHierarchy.PROJECT_OBSERVER }) + public void testExperimentIdentifierPredicate(IAuthSessionProvider session, + @AuthorizationGuard(guardClass = ExperimentIdentifierPredicate.class) ExperimentIdentifier experimentIdentifier) + { + } + } -- GitLab
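Review bot: The empty body of testExperimentIdentifierPredicate reads like an unfinished stub; presumably it is empty on purpose because only the `@RolesAllowed`/`@AuthorizationGuard` interception is exercised by the system tests. A one-line comment inside the braces would say so: `// Intentionally empty: the authorization interceptor is the code under test.` The sibling method visible as context just above has the same shape and would benefit from the same comment.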