[ALS-9219] Clean up roles on startup (#258)

* Refactor role cleanup and privilege logic

Implemented cleanupRolesNotInMapping in RoleService to remove roles not present in the given mapping and delete associated user-role relationships. Enhanced privilege configuration with better rule initialization and optimized gate-setting logic. Updated logging levels and replaced redundant code blocks for clarity.

* Clear privileges before deleting roles in cleanupRolesNotInMapping

* Update role cleanup logic to use managedRoles and improve logging

Author: Gcolon021

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/repository/RoleRepository.java

@@ -21,4 +21,6 @@ public interface RoleRepository extends JpaRepository<Role, UUID> {
     Set<Role> findByUuidIn(Set<UUID> uuids);
 
     Set<Role> findByNameIn(Set<String> names);
+
+    Set<Role> findByNameNotIn(Set<String> names);
 }

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/repository/UserRepository.java

@@ -4,8 +4,12 @@
 import edu.harvard.hms.dbmi.avillach.auth.entity.User;
 import org.springframework.data.jpa.repository.EntityGraph;
 import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Modifying;
+import org.springframework.data.jpa.repository.Query;
 import org.springframework.data.repository.PagingAndSortingRepository;
+import org.springframework.data.repository.query.Param;
 import org.springframework.stereotype.Repository;
+import org.springframework.transaction.annotation.Transactional;
 
 import java.util.List;
 import java.util.Optional;
@@ -39,4 +43,9 @@ public interface UserRepository extends JpaRepository<User, UUID> {
 
     Set<User> findByPassportIsNotNull();
 
+    @Modifying
+    @Query(value = "DELETE FROM user_role where role_id in (:roleIDs)", nativeQuery = true)
+    @Transactional
+    void deleteUserRoles(@Param("roleIDs") List<UUID> roleIDs);
+
 }

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/AccessRuleService.java

@@ -383,8 +383,8 @@ public boolean extractAndCheckRule(AccessRule accessRule, Object parsedRequestBo
                 return true;
             }
 
-            if(accessRuleType == AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY ||
-            accessRuleType == AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY_IGNORE_CASE) {
+            if (accessRuleType == AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY ||
+                accessRuleType == AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY_IGNORE_CASE) {
                 logger.debug("extractAndCheckRule() -> JsonPath.parse().read() PathNotFound;  passing rule {} for type {}", rule, accessRuleType);
                 return true;
             }
@@ -564,14 +564,20 @@ private boolean _decisionMaker(AccessRule accessRule, String requestBodyValue, S
 
         return switch (accessRule.getType()) {
             case AccessRule.TypeNaming.NOT_CONTAINS -> !requestBodyValue.contains(value);
-            case AccessRule.TypeNaming.NOT_CONTAINS_IGNORE_CASE -> !requestBodyValue.toLowerCase().contains(value.toLowerCase());
+            case AccessRule.TypeNaming.NOT_CONTAINS_IGNORE_CASE ->
+                    !requestBodyValue.toLowerCase().contains(value.toLowerCase());
             case (AccessRule.TypeNaming.NOT_EQUALS) -> !value.equals(requestBodyValue);
-            case (AccessRule.TypeNaming.ANY_EQUALS), (AccessRule.TypeNaming.ALL_EQUALS) -> value.equals(requestBodyValue);
-            case (AccessRule.TypeNaming.ALL_CONTAINS), (AccessRule.TypeNaming.ANY_CONTAINS), (AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY) -> requestBodyValue.contains(value);
-            case (AccessRule.TypeNaming.ALL_CONTAINS_IGNORE_CASE), (AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY_IGNORE_CASE) -> requestBodyValue.toLowerCase().contains(value.toLowerCase());
+            case (AccessRule.TypeNaming.ANY_EQUALS), (AccessRule.TypeNaming.ALL_EQUALS) ->
+                    value.equals(requestBodyValue);
+            case (AccessRule.TypeNaming.ALL_CONTAINS), (AccessRule.TypeNaming.ANY_CONTAINS),
+                 (AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY) -> requestBodyValue.contains(value);
+            case (AccessRule.TypeNaming.ALL_CONTAINS_IGNORE_CASE),
+                 (AccessRule.TypeNaming.ALL_CONTAINS_OR_EMPTY_IGNORE_CASE) ->
+                    requestBodyValue.toLowerCase().contains(value.toLowerCase());
             case (AccessRule.TypeNaming.NOT_EQUALS_IGNORE_CASE) -> !value.equalsIgnoreCase(requestBodyValue);
             case (AccessRule.TypeNaming.ALL_EQUALS_IGNORE_CASE) -> value.equalsIgnoreCase(requestBodyValue);
-            case (AccessRule.TypeNaming.ALL_REG_MATCH), (AccessRule.TypeNaming.ANY_REG_MATCH) -> requestBodyValue.matches(value);
+            case (AccessRule.TypeNaming.ALL_REG_MATCH), (AccessRule.TypeNaming.ANY_REG_MATCH) ->
+                    requestBodyValue.matches(value);
             default -> {
                 logger.warn("evaluateAccessRule() incoming accessRule type is out of scope. Just return true.");
                 yield true;
@@ -589,12 +595,8 @@ private boolean _decisionMaker(AccessRule accessRule, String requestBodyValue, S
      * @param projectAlias    The project alias.
      */
     protected void configureAccessRule(AccessRule ar, String studyIdentifier, String consent_group, String conceptPath, String projectAlias) {
-        ar.setGates(new HashSet<>());
-        ar.getGates().addAll(getGates(true, false, false));
+        ar.setGates(new HashSet<>(getGates(true, false, false)));
 
-        if (ar.getSubAccessRule() == null) {
-            ar.setSubAccessRule(new HashSet<>());
-        }
         addUniqueSubRules(ar, getAllowedQueryTypeRules());
         addUniqueSubRules(ar, getPhenotypeSubRules(studyIdentifier, conceptPath, projectAlias));
         addUniqueSubRules(ar, getTopmedRestrictedSubRules());
@@ -610,25 +612,15 @@ protected void configureAccessRule(AccessRule ar, String studyIdentifier, String
      * @param projectAlias    The project alias.
      */
     protected void configureHarmonizedAccessRule(AccessRule ar, String studyIdentifier, String conceptPath, String projectAlias) {
-        ar.setGates(new HashSet<>());
-        ar.getGates().add(upsertConsentGate("HARMONIZED_CONSENT", "$.query.query.categoryFilters." + fence_harmonized_consent_group_concept_path + "[*]", true, "harmonized data"));
-
-        if (ar.getSubAccessRule() == null) {
-            ar.setSubAccessRule(new HashSet<>());
-        }
+        ar.setGates(new HashSet<>(Collections.singleton(upsertConsentGate("HARMONIZED_CONSENT", "$.query.query.categoryFilters." + fence_harmonized_consent_group_concept_path + "[*]", true, "harmonized data"))));
 
         addUniqueSubRules(ar, getAllowedQueryTypeRules());
         addUniqueSubRules(ar, getHarmonizedSubRules());
         addUniqueSubRules(ar, getPhenotypeSubRules(studyIdentifier, conceptPath, projectAlias));
     }
 
     protected AccessRule configureClinicalAccessRuleWithPhenoSubRule(AccessRule ar, String studyIdentifier, String consent_group, String conceptPath, String projectAlias) {
-        ar.setGates(new HashSet<>());
-        ar.getGates().addAll(getGates(true, false, true));
-
-        if (ar.getSubAccessRule() == null) {
-            ar.setSubAccessRule(new HashSet<>());
-        }
+        ar.setGates(new HashSet<>(getGates(true, false, true)));
 
         addUniqueSubRules(ar, getAllowedQueryTypeRules());
         addUniqueSubRules(ar, getPhenotypeSubRules(studyIdentifier, conceptPath, projectAlias));
@@ -705,7 +697,7 @@ private AccessRule upsertTopmedRestrictedSubRule(String type, String rule) {
         AccessRule ar = this.getAccessRuleByName(ar_name);
         if (ar != null) {
             // Log and return the existing rule
-            logger.debug("Found existing rule: {}", ar.getName());
+            logger.trace("Found existing rule: {}", ar.getName());
             return ar;
         }
 
@@ -823,12 +815,7 @@ private Collection<? extends AccessRule> getGates(boolean parent, boolean harmon
     }
 
     protected AccessRule populateTopmedAccessRule(AccessRule rule, boolean includeParent) {
-        if (rule.getGates() == null) {
-            rule.setGates(new HashSet<>(getGates(includeParent, false, true)));
-        } else {
-            rule.getGates().addAll(getGates(includeParent, false, true));
-        }
-
+        rule.setGates(new HashSet<>(getGates(includeParent, false, true)));
         addUniqueSubRules(rule, getAllowedQueryTypeRules());
 
         return rule;
@@ -955,7 +942,7 @@ protected AccessRule upsertTopmedAccessRule(String project_name, String consent_
      */
     protected AccessRule upsertHarmonizedAccessRule(String project_name, String consent_group) {
         String ar_name = "AR_TOPMED_" + project_name + "_" + consent_group + "_" + "HARMONIZED";
-        logger.debug("upsertHarmonizedAccessRule() Creating new access rule {}", ar_name);
+        logger.trace("upsertHarmonizedAccessRule() Creating new access rule {}", ar_name);
         String description = "MANAGED AR for " + project_name + "." + consent_group + " Topmed data";
         String ruleText = "$.query.query.categoryFilters." + fence_harmonized_consent_group_concept_path + "[*]";
         String arValue = project_name + "." + consent_group;
@@ -1004,7 +991,7 @@ private AccessRule upsertConsentGate(String gateName, String rule, boolean is_pr
 
     protected AccessRule createPhenotypeSubRule(String conceptPath, String alias, String rule, int ruleType, String label, boolean useMapKey) {
         String ar_name = "AR_PHENO_" + alias + "_" + label;
-        logger.debug("createPhenotypeSubRule() Creating new access rule {}", ar_name);
+        logger.trace("createPhenotypeSubRule() Creating new access rule {}", ar_name);
 
         // Check if the conceptPath has `\\\\` present. This technically represents `\\`.
         if (conceptPath != null && conceptPath.contains("\\\\")) {
@@ -1029,8 +1016,9 @@ protected AccessRule getOrCreateAccessRule(String name, String description, Stri
         return accessRuleCache.computeIfAbsent(name, key -> {
             AccessRule ar = this.getAccessRuleByName(key);
             if (ar == null) {
-                logger.debug("Creating new access rule {}", key);
+                logger.trace("Creating new access rule {}", key);
                 ar = new AccessRule();
+
                 ar.setName(name);
                 ar.setDescription(description);
                 ar.setRule(rule);
@@ -1062,7 +1050,7 @@ public List<AccessRule> getAccessRulesByPrivilegeIds(List<UUID> privilegeIds) {
      * Adds unique sub-rules to the provided parent access rule. This method ensures that duplicate sub-rules,
      * based on their names, are not added to the parent access rule.
      *
-     * @param accessRule the parent access rule to which the sub-rules are added
+     * @param accessRule    the parent access rule to which the sub-rules are added
      * @param subRulesToAdd the collection of sub-rules to be added to the parent access rule
      */
     private void addUniqueSubRules(AccessRule accessRule, Collection<? extends AccessRule> subRulesToAdd) {

pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/PrivilegeService.java

@@ -122,7 +122,7 @@ public Privilege save(Privilege privilege) {
 
     public Set<Privilege> addPrivileges(Role r, Map<String, StudyMetaData> fenceMapping) {
         String roleName = r.getName();
-        logger.info("addFENCEPrivileges() starting, adding privilege(s) to role {}", roleName);
+        logger.debug("addPrivilege() starting, adding privilege(s) to role {}", roleName);
 
         //each project can have up to three privileges: Parent  |  Harmonized  | Topmed
         //harmonized has 2 ARs for parent + harmonized and harmonized only
@@ -135,13 +135,13 @@ public Set<Privilege> addPrivileges(Role r, Map<String, StudyMetaData> fenceMapp
         //e.g. MANAGED_phs0000xx_c2 or MANAGED_tutorial-biolinc_camp
         String project_name = extractProject(roleName);
         if (project_name.isEmpty()) {
-            logger.warn("addFENCEPrivileges() role name: {} returned an empty project name", roleName);
+            logger.warn("addPrivileges() role name: {} returned an empty project name", roleName);
         }
         String consent_group = extractConsentGroup(roleName);
         if (!consent_group.isEmpty()) {
-            logger.warn("addFENCEPrivileges() role name: {} returned an empty consent group", roleName);
+            logger.warn("addPrivileges() role name: {} returned an empty consent group", roleName);
         }
-        logger.info("addFENCEPrivileges() project name: {} consent group: {}", project_name, consent_group);
+        logger.debug("addPrivileges() project name: {} consent group: {}", project_name, consent_group);
 
         // Look up the metadata by consent group.
         StudyMetaData projectMetadata = getStudyMappingForProjectAndConsent(project_name, consent_group, fenceMapping);
@@ -170,7 +170,7 @@ public Set<Privilege> addPrivileges(Role r, Map<String, StudyMetaData> fenceMapp
 
         if (dataType != null && dataType.contains("P")) {
             //insert clinical privs
-            logger.info("addPrivileges() project:{} consent_group:{} concept_path:{}", project_name, consent_group, concept_path);
+            logger.debug("addPrivileges() project:{} consent_group:{} concept_path:{}", project_name, consent_group, concept_path);
             privs.add(upsertClinicalPrivilege(project_name, projectAlias, consent_group, concept_path, false));
 
             //if harmonized study, also create harmonized privileges
@@ -231,7 +231,6 @@ private Privilege upsertClinicalPrivilege(String studyIdentifier, String project
             }
             accessRules.addAll(this.accessRuleService.addStandardAccessRules());
             priv.setAccessRules(accessRules);
-            logger.info("Added {} access_rules to privilege", accessRules.size());
 
             priv = this.save(priv);
             logger.info("Added new privilege {} to DB", priv.getName());
@@ -251,18 +250,21 @@ private static String createClinicalQueryTemplate(String studyIdentifier, String
 
     private AccessRule createClinicalHarmonizedAccessRule(String studyIdentifier, String consentGroup, String conceptPath, String projectAlias) {
         AccessRule ar = this.accessRuleService.createConsentAccessRule(studyIdentifier, consentGroup, "HARMONIZED", fence_harmonized_consent_group_concept_path);
+        ar.setSubAccessRule(new HashSet<>());
         this.accessRuleService.configureHarmonizedAccessRule(ar, studyIdentifier, conceptPath, projectAlias);
         return this.accessRuleService.save(ar);
     }
 
     private AccessRule createClinicalTopmedParentAccessRule(String studyIdentifier, String consentGroup, String conceptPath, String projectAlias) {
         AccessRule ar = this.accessRuleService.upsertTopmedAccessRule(studyIdentifier, consentGroup, "TOPMED+PARENT");
+        ar.setSubAccessRule(new HashSet<>());
         ar = this.accessRuleService.configureClinicalAccessRuleWithPhenoSubRule(ar, studyIdentifier, consentGroup, conceptPath, projectAlias);
         return this.accessRuleService.save(ar);
     }
 
     private AccessRule createClinicalParentAccessRule(String studyIdentifier, String consentGroup, String conceptPath, String projectAlias) {
         AccessRule ar = this.accessRuleService.createConsentAccessRule(studyIdentifier, consentGroup, "PARENT", fence_parent_consent_group_concept_path);
+        ar.setSubAccessRule(new HashSet<>());
         this.accessRuleService.configureAccessRule(ar, studyIdentifier, consentGroup, conceptPath, projectAlias);
         return this.accessRuleService.save(ar);
     }
@@ -316,13 +318,15 @@ private Privilege upsertTopmedPrivilege(String studyIdentifier, String projectAl
 
     private AccessRule createHarmonizedTopmedAccessRule(String studyIdentifier, String projectAlias, String consentGroup, String parentConceptPath) {
         AccessRule harmonizedRule = this.accessRuleService.upsertHarmonizedAccessRule(studyIdentifier, consentGroup);
+        harmonizedRule.setSubAccessRule(new HashSet<>());
         harmonizedRule = this.accessRuleService.populateHarmonizedAccessRule(harmonizedRule, parentConceptPath, studyIdentifier, projectAlias);
         this.accessRuleService.save(harmonizedRule);
         return harmonizedRule;
     }
 
     private AccessRule createTopmedParentAccessRule(String studyIdentifier, String consentGroup, String parentConceptPath, String projectAlias) {
         AccessRule topmedParentRule = this.accessRuleService.upsertTopmedAccessRule(studyIdentifier, consentGroup, "TOPMED+PARENT");
+        topmedParentRule.setSubAccessRule(new HashSet<>());
         this.accessRuleService.populateTopmedAccessRule(topmedParentRule, true);
         topmedParentRule.getSubAccessRule().addAll(this.accessRuleService.getPhenotypeSubRules(studyIdentifier, parentConceptPath, projectAlias));
         topmedParentRule.getSubAccessRule().add(this.accessRuleService.createPhenotypeSubRule(fence_topmed_consent_group_concept_path, "ALLOW_TOPMED_CONSENT", "$.query.query.categoryFilters", AccessRule.TypeNaming.ALL_CONTAINS, "", true));
@@ -411,7 +415,7 @@ private static String extractConsentGroup(String roleName) {
 
     private StudyMetaData getStudyMappingForProjectAndConsent(String projectId, String consent_group, Map<String, StudyMetaData> fenceMapping) {
         String consentVal = (consent_group != null && !consent_group.isEmpty()) ? projectId + "." + consent_group : projectId;
-        logger.info("getFENCEMappingforProjectAndConsent() looking up {}", consentVal);
+        logger.debug("getStudyMappingForProjectAndConsent() looking up {}", consentVal);
 
         return fenceMapping.get(consentVal);
     }