[ALS-9152] BDC: anyRecordOf and anyRecordOfMulti Access Rules (#253)

Author: Gcolon021

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/AccessRuleService.java

@@ -22,6 +22,7 @@
 
 import java.util.*;
 import java.util.concurrent.ConcurrentHashMap;
+import java.util.stream.Collectors;
 
 @Service
 public class AccessRuleService {
@@ -386,11 +387,11 @@ public boolean extractAndCheckRule(AccessRule accessRule, Object parsedRequestBo
         }
 
         if (accessRuleType == AccessRule.TypeNaming.IS_EMPTY
-                || accessRuleType == AccessRule.TypeNaming.IS_NOT_EMPTY) {
+            || accessRuleType == AccessRule.TypeNaming.IS_NOT_EMPTY) {
             if (requestBodyValue == null
-                    || (requestBodyValue instanceof String && ((String) requestBodyValue).isEmpty())
-                    || (requestBodyValue instanceof Collection && ((Collection) requestBodyValue).isEmpty())
-                    || (requestBodyValue instanceof Map && ((Map) requestBodyValue).isEmpty())) {
+                || (requestBodyValue instanceof String && ((String) requestBodyValue).isEmpty())
+                || (requestBodyValue instanceof Collection && ((Collection) requestBodyValue).isEmpty())
+                || (requestBodyValue instanceof Map && ((Map) requestBodyValue).isEmpty())) {
                 return accessRuleType == AccessRule.TypeNaming.IS_EMPTY;
             } else {
                 return accessRuleType == AccessRule.TypeNaming.IS_NOT_EMPTY;
@@ -428,7 +429,7 @@ private boolean evaluateMap(Object requestBodyValue, AccessRule accessRule) {
                         return true;
 
                     if ((accessRule.getCheckMapKeyOnly() == null || !accessRule.getCheckMapKeyOnly())
-                            && evaluateNode(entry.getValue(), accessRule))
+                        && evaluateNode(entry.getValue(), accessRule))
                         return true;
                 }
                 return false;
@@ -451,7 +452,7 @@ && evaluateNode(entry.getValue(), accessRule))
                         return false;
 
                     if ((accessRule.getCheckMapKeyOnly() == null || !accessRule.getCheckMapKeyOnly())
-                            && !evaluateNode(entry.getValue(), accessRule))
+                        && !evaluateNode(entry.getValue(), accessRule))
                         return false;
                 }
 
@@ -581,55 +582,51 @@ private boolean _decisionMaker(AccessRule accessRule, String requestBodyValue, S
      * @param projectAlias    The project alias.
      */
     protected void configureAccessRule(AccessRule ar, String studyIdentifier, String consent_group, String conceptPath, String projectAlias) {
-        if (ar.getGates() == null) {
-            ar.setGates(new HashSet<>());
-            ar.getGates().addAll(getGates(true, false, false));
+        ar.setGates(new HashSet<>());
+        ar.getGates().addAll(getGates(true, false, false));
 
-            if (ar.getSubAccessRule() == null) {
-                ar.setSubAccessRule(new HashSet<>());
-            }
-            ar.getSubAccessRule().addAll(getAllowedQueryTypeRules());
-            ar.getSubAccessRule().addAll(getPhenotypeSubRules(studyIdentifier, conceptPath, projectAlias));
-            ar.getSubAccessRule().addAll(getTopmedRestrictedSubRules());
+        if (ar.getSubAccessRule() == null) {
+            ar.setSubAccessRule(new HashSet<>());
         }
+        addUniqueSubRules(ar, getAllowedQueryTypeRules());
+        addUniqueSubRules(ar, getPhenotypeSubRules(studyIdentifier, conceptPath, projectAlias));
+        addUniqueSubRules(ar, getTopmedRestrictedSubRules());
     }
 
+
     /**
      * Configures the harmonized AccessRule with gates and sub-rules.
      *
      * @param ar              The AccessRule to configure.
      * @param studyIdentifier The study identifier.
      * @param conceptPath     The concept path.
      * @param projectAlias    The project alias.
-     * @return
      */
     protected void configureHarmonizedAccessRule(AccessRule ar, String studyIdentifier, String conceptPath, String projectAlias) {
-        if (ar.getGates() == null) {
-            ar.setGates(new HashSet<>());
-            ar.getGates().add(upsertConsentGate("HARMONIZED_CONSENT", "$.query.query.categoryFilters." + fence_harmonized_consent_group_concept_path + "[*]", true, "harmonized data"));
+        ar.setGates(new HashSet<>());
+        ar.getGates().add(upsertConsentGate("HARMONIZED_CONSENT", "$.query.query.categoryFilters." + fence_harmonized_consent_group_concept_path + "[*]", true, "harmonized data"));
 
-            if (ar.getSubAccessRule() == null) {
-                ar.setSubAccessRule(new HashSet<>());
-            }
-            ar.getSubAccessRule().addAll(getAllowedQueryTypeRules());
-            ar.getSubAccessRule().addAll(getHarmonizedSubRules());
-            ar.getSubAccessRule().addAll(getPhenotypeSubRules(studyIdentifier, conceptPath, projectAlias));
+        if (ar.getSubAccessRule() == null) {
+            ar.setSubAccessRule(new HashSet<>());
         }
+
+        addUniqueSubRules(ar, getAllowedQueryTypeRules());
+        addUniqueSubRules(ar, getHarmonizedSubRules());
+        addUniqueSubRules(ar, getPhenotypeSubRules(studyIdentifier, conceptPath, projectAlias));
     }
 
     protected AccessRule configureClinicalAccessRuleWithPhenoSubRule(AccessRule ar, String studyIdentifier, String consent_group, String conceptPath, String projectAlias) {
-        if (ar.getGates() == null) {
-            ar.setGates(new HashSet<>());
-            ar.getGates().addAll(getGates(true, false, true));
+        ar.setGates(new HashSet<>());
+        ar.getGates().addAll(getGates(true, false, true));
 
-            if (ar.getSubAccessRule() == null) {
-                ar.setSubAccessRule(new HashSet<>());
-            }
-            ar.getSubAccessRule().addAll(getAllowedQueryTypeRules());
-            ar.getSubAccessRule().addAll(getPhenotypeSubRules(studyIdentifier, conceptPath, projectAlias));
-            ar.getSubAccessRule().add(createPhenotypeSubRule(fence_topmed_consent_group_concept_path, "ALLOW_TOPMED_CONSENT", "$.query.query.categoryFilters", AccessRule.TypeNaming.ALL_CONTAINS, "", true));
+        if (ar.getSubAccessRule() == null) {
+            ar.setSubAccessRule(new HashSet<>());
         }
 
+        addUniqueSubRules(ar, getAllowedQueryTypeRules());
+        addUniqueSubRules(ar, getPhenotypeSubRules(studyIdentifier, conceptPath, projectAlias));
+        addUniqueSubRules(ar, Collections.singleton(createPhenotypeSubRule(fence_topmed_consent_group_concept_path, "ALLOW_TOPMED_CONSENT", "$.query.query.categoryFilters", AccessRule.TypeNaming.ALL_CONTAINS, "", true)));
+
         return ar;
     }
 
@@ -678,7 +675,6 @@ private Set<AccessRule> loadAllowedQueryTypeRules() {
     }
 
 
-
     private Collection<? extends AccessRule> getTopmedRestrictedSubRules() {
         Set<AccessRule> rules = new HashSet<AccessRule>();
         rules.add(upsertTopmedRestrictedSubRule("CATEGORICAL", "$.query.query.variantInfoFilters[*].categoryVariantInfoFilters.*"));
@@ -722,7 +718,6 @@ private AccessRule upsertTopmedRestrictedSubRule(String type, String rule) {
     }
 
     protected Collection<? extends AccessRule> getPhenotypeSubRules(String studyIdentifier, String conceptPath, String alias) {
-
         Set<AccessRule> rules = new HashSet<AccessRule>();
         //categorical filters will always contain at least one entry (for the consent groups); it will never be empty
         rules.add(createPhenotypeSubRule(fence_parent_consent_group_concept_path, "ALLOW_PARENT_CONSENT", "$.query.query.categoryFilters", AccessRule.TypeNaming.ALL_CONTAINS, "", true));
@@ -731,12 +726,16 @@ protected Collection<? extends AccessRule> getPhenotypeSubRules(String studyIden
             rules.add(createPhenotypeSubRule(underscorePath, "ALLOW " + underscorePath, "$.query.query.fields.[*]", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "FIELDS", false));
             rules.add(createPhenotypeSubRule(underscorePath, "ALLOW " + underscorePath, "$.query.query.categoryFilters", AccessRule.TypeNaming.ALL_CONTAINS, "CATEGORICAL", true));
             rules.add(createPhenotypeSubRule(underscorePath, "ALLOW " + underscorePath, "$.query.query.requiredFields.[*]", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "REQ_FIELDS", false));
+            rules.add(createPhenotypeSubRule(underscorePath, "ALLOW " + underscorePath, "$.query.query.anyRecordOf.[*]", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "ANY_RECORD_OF", false));
+            rules.add(createPhenotypeSubRule(underscorePath, "ALLOW " + underscorePath, "$.query.query.anyRecordOfMulti.[*]", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "ANY_RECORD_OF_MULTI", false));
         }
 
         rules.add(createPhenotypeSubRule(conceptPath, alias + "_" + studyIdentifier, "$.query.query.categoryFilters", AccessRule.TypeNaming.ALL_CONTAINS, "CATEGORICAL", true));
         rules.add(createPhenotypeSubRule(conceptPath, alias + "_" + studyIdentifier, "$.query.query.numericFilters", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "NUMERIC", true));
         rules.add(createPhenotypeSubRule(conceptPath, alias + "_" + studyIdentifier, "$.query.query.fields.[*]", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "FIELDS", false));
         rules.add(createPhenotypeSubRule(conceptPath, alias + "_" + studyIdentifier, "$.query.query.requiredFields.[*]", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "REQUIRED_FIELDS", false));
+        rules.add(createPhenotypeSubRule(conceptPath, alias + "_" + studyIdentifier, "$.query.query.anyRecordOf.[*]", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "ANY_RECORD_OF", false));
+        rules.add(createPhenotypeSubRule(conceptPath, alias + "_" + studyIdentifier, "$.query.query.anyRecordOfMulti.[*]", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "ANY_RECORD_OF_MULTI", false));
 
         return rules;
     }
@@ -759,12 +758,16 @@ private Collection<? extends AccessRule> getHarmonizedSubRules() {
             rules.add(createPhenotypeSubRule(underscorePath, "ALLOW " + underscorePath, "$.query.query.fields.[*]", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "FIELDS", false));
             rules.add(createPhenotypeSubRule(underscorePath, "ALLOW " + underscorePath, "$.query.query.categoryFilters", AccessRule.TypeNaming.ALL_CONTAINS, "CATEGORICAL", true));
             rules.add(createPhenotypeSubRule(underscorePath, "ALLOW " + underscorePath, "$.query.query.requiredFields.[*]", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "REQ_FIELDS", false));
+            rules.add(createPhenotypeSubRule(underscorePath, "ALLOW " + underscorePath, "$.query.query.anyRecordOf.[*]", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "ANY_RECORD_OF", false));
+            rules.add(createPhenotypeSubRule(underscorePath, "ALLOW " + underscorePath, "$.query.query.anyRecordOfMulti.[*]", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "ANY_RECORD_OF_MULTI", false));
         }
 
         rules.add(createPhenotypeSubRule(fence_harmonized_concept_path, "HARMONIZED", "$.query.query.categoryFilters", AccessRule.TypeNaming.ALL_CONTAINS, "CATEGORICAL", true));
         rules.add(createPhenotypeSubRule(fence_harmonized_concept_path, "HARMONIZED", "$.query.query.numericFilters", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "NUMERIC", true));
         rules.add(createPhenotypeSubRule(fence_harmonized_concept_path, "HARMONIZED", "$.query.query.fields.[*]", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "FIELDS", false));
         rules.add(createPhenotypeSubRule(fence_harmonized_concept_path, "HARMONIZED", "$.query.query.requiredFields.[*]", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "REQUIRED_FIELDS", false));
+        rules.add(createPhenotypeSubRule(fence_harmonized_concept_path, "HARMONIZED", "$.query.query.anyRecordOf.[*]", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "ANY_RECORD_OF", false));
+        rules.add(createPhenotypeSubRule(fence_harmonized_concept_path, "HARMONIZED", "$.query.query.anyRecordOfMulti.[*]", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "ANY_RECORD_OF_MULTI", false));
 
         return rules;
     }
@@ -784,6 +787,8 @@ protected Collection<? extends AccessRule> getPhenotypeRestrictedSubRules(String
             rules.add(createPhenotypeSubRule(underscorePath, "ALLOW " + underscorePath, "$.query.query.fields.[*]", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "FIELDS", false));
             rules.add(createPhenotypeSubRule(underscorePath, "ALLOW " + underscorePath, "$.query.query.categoryFilters", AccessRule.TypeNaming.ALL_CONTAINS, "CATEGORICAL", true));
             rules.add(createPhenotypeSubRule(underscorePath, "ALLOW " + underscorePath, "$.query.query.requiredFields.[*]", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "REQ_FIELDS", false));
+            rules.add(createPhenotypeSubRule(underscorePath, "ALLOW " + underscorePath, "$.query.query.anyRecordOf.[*]", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "ANY_RECORD_OF", false));
+            rules.add(createPhenotypeSubRule(underscorePath, "ALLOW " + underscorePath, "$.query.query.anyRecordOfMulti.[*]", AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY, "ANY_RECORD_OF_MULTI", false));
         }
 
         rules.add(createPhenotypeSubRule(null, alias + "_" + studyIdentifier + "_" + consentCode, "$.query.query.numericFilters.[*]", AccessRule.TypeNaming.IS_EMPTY, "DISALLOW_NUMERIC", false));
@@ -817,11 +822,7 @@ protected AccessRule populateTopmedAccessRule(AccessRule rule, boolean includePa
             rule.getGates().addAll(getGates(includeParent, false, true));
         }
 
-        if (rule.getSubAccessRule() == null) {
-            rule.setSubAccessRule(new HashSet<>(getAllowedQueryTypeRules()));
-        } else {
-            rule.getSubAccessRule().addAll(getAllowedQueryTypeRules());
-        }
+        addUniqueSubRules(rule, getAllowedQueryTypeRules());
 
         return rule;
     }
@@ -833,11 +834,9 @@ protected AccessRule populateHarmonizedAccessRule(AccessRule rule, String parent
             )));
         }
 
-        if (rule.getSubAccessRule() == null) {
-            rule.setSubAccessRule(new HashSet<>(getAllowedQueryTypeRules()));
-            rule.getSubAccessRule().addAll(getHarmonizedSubRules());
-            rule.getSubAccessRule().addAll(getPhenotypeSubRules(studyIdentifier, parentConceptPath, projectAlias));
-        }
+        addUniqueSubRules(rule, getAllowedQueryTypeRules());
+        addUniqueSubRules(rule, getHarmonizedSubRules());
+        addUniqueSubRules(rule, getPhenotypeSubRules(studyIdentifier, parentConceptPath, projectAlias));
 
         return rule;
     }
@@ -918,7 +917,7 @@ protected AccessRule upsertTopmedAccessRule(String project_name, String consent_
 
         String conceptPath = fence_topmed_consent_group_concept_path;
         // Check if the conceptPath has `\\\\` present. This technically represents `\\`.
-        if(conceptPath != null && conceptPath.contains("\\\\")) {
+        if (conceptPath != null && conceptPath.contains("\\\\")) {
             // This will convert all `\\\\` to `\\`.
             conceptPath = conceptPath.replaceAll("\\\\\\\\", "\\\\");
         }
@@ -1001,8 +1000,8 @@ protected AccessRule createPhenotypeSubRule(String conceptPath, String alias, St
         logger.debug("createPhenotypeSubRule() Creating new access rule {}", ar_name);
 
         // Check if the conceptPath has `\\\\` present. This technically represents `\\`.
-        if(conceptPath != null && conceptPath.contains("\\\\")) {
-           // This will convert all `\\\\` to `\\`.
+        if (conceptPath != null && conceptPath.contains("\\\\")) {
+            // This will convert all `\\\\` to `\\`.
             conceptPath = conceptPath.replaceAll("\\\\\\\\", "\\\\");
         }
 
@@ -1051,4 +1050,29 @@ private String escapePath(String path) {
     public List<AccessRule> getAccessRulesByPrivilegeIds(List<UUID> privilegeIds) {
         return this.accessRuleRepo.getAccessRulesByPrivilegeIds(privilegeIds);
     }
+
+    /**
+     * Adds unique sub-rules to the provided parent access rule. This method ensures that duplicate sub-rules,
+     * based on their names, are not added to the parent access rule.
+     *
+     * @param accessRule the parent access rule to which the sub-rules are added
+     * @param subRulesToAdd the collection of sub-rules to be added to the parent access rule
+     */
+    private void addUniqueSubRules(AccessRule accessRule, Collection<? extends AccessRule> subRulesToAdd) {
+        if (accessRule.getSubAccessRule() == null) {
+            accessRule.setSubAccessRule(new HashSet<>());
+        }
+
+        Set<String> existingRuleNames = accessRule.getSubAccessRule().stream()
+                .map(AccessRule::getName)
+                .collect(Collectors.toSet());
+
+        for (AccessRule subRule : subRulesToAdd) {
+            if (!existingRuleNames.contains(subRule.getName())) {
+                accessRule.getSubAccessRule().add(subRule);
+                existingRuleNames.add(subRule.getName());
+            }
+        }
+    }
+
 }

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/PrivilegeService.java

@@ -207,12 +207,10 @@ private Privilege upsertClinicalPrivilege(String studyIdentifier, String project
 
         // Check if the Privilege already exists
         Privilege priv = this.findByName(privilegeName);
-        if (priv != null) {
-            logger.info("{} already exists", privilegeName);
-            return priv;
+        if (priv == null) {
+            priv = new Privilege();
         }
 
-        priv = new Privilege();
         try {
             priv.setApplication(picSureApp);
             priv.setName(privilegeName);

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/RoleService.java

@@ -177,6 +177,15 @@ public Role findByName(String roleName) {
         return this.roleRepository.findByName(roleName);
     }
 
+    public Role getOrCreateRole(String roleName, String roleDescription) {
+        Role existingRole = this.roleRepository.findByName(roleName);
+        if (existingRole != null) {
+            return existingRole;
+        }
+
+        return createRole(roleName, roleDescription);
+    }
+
     public Role createRole(String roleName, String roleDescription) {
         if (roleName.isEmpty()) {
             logger.info("createRole() roleName is empty");
@@ -205,28 +214,6 @@ public Role createRole(String roleName, String roleDescription) {
         return role;
     }
 
-    /**
-     * Only use this service if you know this is a new role. Otherwise, use createRole().
-     * @param roleName The name of the role to be created.
-     * @param roleDescription Description of the role.
-     * @return
-     */
-    public Role createNewRole(String roleName, String roleDescription) {
-        if(roleName.isEmpty()){
-            logger.info("createNewRole() roleName is empty");
-            return null;
-        }
-
-        logger.info("createNewRole() New PSAMA role name:{}", roleName);
-        Role role = new Role();
-        role.setName(roleName);
-        role.setDescription(roleDescription);
-        // Since this is a new Role, we need to ensure that the
-        // corresponding Privilege (with gates) and AccessRule is added.
-        role.setPrivileges(privilegeService.addPrivileges(role, this.fenceMappingUtility.getFENCEMapping()));
-        return role;
-    }
-
     /**
      * Insert or Update the User object's list of Roles in the database.
      *

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/UserService.java

@@ -694,7 +694,7 @@ public User updateUserRoles(User current_user, Set<String> roleNames) {
         Map<String, Role> existingRoles = roleService.findByNames(roleNames);
         List<Role> newRoles = roleNames.stream()
                 .filter(roleName -> !currentRoleNames.contains(roleName))
-                .map(roleName -> existingRoles.getOrDefault(roleName, this.roleService.createNewRole(roleName, "MANAGED role " + roleName)))
+                .map(roleName -> existingRoles.getOrDefault(roleName, this.roleService.getOrCreateRole(roleName, "MANAGED role " + roleName)))
                 .filter(Objects::nonNull)
                 .collect(Collectors.toList());