Implement RAS Authentication Provider #195
Conversation
Create OktaAuthenticationService to extract OKTA implementation. Added RASAuthenticationService and RASPassportService. Implement RAS Passport handling and polling. Added SessionService for session management with caching support. Implemented unit tests for RASAuthenticationService and RASPassPortService to validate RAS authentication flows and passport handling.
Introduced a set to track public access roles in `RoleService` and automatically assign these roles to users in `UserService`. This ensures every user has access to public datasets by default.
We no longer use the security context to retrieve the user. We now use the authentication token. This ensures we don't have lazy loading exceptions associated with the previous approach.
Extracted expired visa validation from `validateVisa` method to simplify the logic and duty separation. Modified tests to use a parsed visa for more accurate validation simulations. Added placeholder `updateExpirationTime` method to JWTUtil for future use.
Extend the `CustomLogoutHandler` to remove the user's passport upon logout by calling the new `removeUserPassport` method in `UserService`.
This update introduces checks for RAS passport validity, including expiration and issuer validation. Additionally, a new configuration property for the passport issuer was added. Test cases were extended to include these validation steps.
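The passport checks described in the commits above (expected issuer, passport expiry, per-visa expiry, with an expired visa dropped rather than failing the whole passport), as an added stand-alone Python illustration; this is not the project's Java code. It assumes the GA4GH Passport v1 layout (a `ga4gh_passport_v1` claim holding visa JWTs, each carrying a `ga4gh_visa_v1` object) and signs with HS256 and a constructed key in place of a broker's asymmetric signing key; the issuer URL, subject and dbGaP-style values are made up for the example.

```python
"""Minimal GA4GH Passport v1 validator: issuer and expiry on the passport,
expiry on each embedded visa. Added illustration, not the project's code."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed HMAC key standing in for the broker's asymmetric signing key
# (assumption: HS256 keeps the example self-contained; real brokers use RS256).
ISSUER_KEY = b"constructed-demo-key"
PASSPORT_ISSUER = "https://ras.example.org"  # hypothetical configured issuer value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT (used here for both passport and visas)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def parse_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if alg is HS256 and the signature verifies, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # reject "none" and any alg-confusion attempt
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None


def validate_passport(passport: str, expected_issuer: str, key: bytes, now: int):
    """Return (status, live_visas). Order: signature, issuer, passport exp, visas."""
    claims = parse_jwt(passport, key)
    if claims is None:
        return "INVALID_SIGNATURE", []
    if claims.get("iss") != expected_issuer:
        return "INVALID_ISSUER", []
    if claims.get("exp", 0) <= now:
        return "EXPIRED", []
    live = []
    for visa_jwt in claims.get("ga4gh_passport_v1", []):
        visa = parse_jwt(visa_jwt, key)
        # Each visa is its own JWT with its own exp. An expired or unverifiable
        # visa is skipped; it does not invalidate the passport as a whole.
        if visa is None or visa.get("exp", 0) <= now:
            continue
        live.append(visa["ga4gh_visa_v1"])
    return "VALID", live


def make_visa(value: str, exp: int, key: bytes) -> str:
    return sign_jwt({"iss": PASSPORT_ISSUER, "sub": "user-123", "exp": exp,
                     "ga4gh_visa_v1": {"type": "ControlledAccessGrants",
                                       "value": value,
                                       "source": "https://dac.example.org",
                                       "asserted": exp - 86400, "by": "dac"}}, key)


def make_passport(visas: list, exp: int, iss: str = PASSPORT_ISSUER,
                  key: bytes = ISSUER_KEY) -> str:
    return sign_jwt({"iss": iss, "sub": "user-123", "exp": exp,
                     "ga4gh_passport_v1": visas}, key)


NOW = 1_700_000_000  # fixed clock so the run is reproducible


def demo() -> dict:
    """Exercise the happy path and each rejection reason on constructed tokens."""
    live = make_visa("https://dac.example.org/phs000001.v1.p1", NOW + 3600, ISSUER_KEY)
    stale = make_visa("https://dac.example.org/phs000002.v1.p1", NOW - 60, ISSUER_KEY)
    good = make_passport([live, stale], NOW + 3600)
    return {
        "good": validate_passport(good, PASSPORT_ISSUER, ISSUER_KEY, NOW),
        "expired": validate_passport(make_passport([live], NOW - 1),
                                     PASSPORT_ISSUER, ISSUER_KEY, NOW),
        "wrong_issuer": validate_passport(
            make_passport([live], NOW + 3600, iss="https://other.example"),
            PASSPORT_ISSUER, ISSUER_KEY, NOW),
        # Signed by someone who does not hold the issuer key.
        "forged": validate_passport(make_passport([live], NOW + 3600, key=b"attacker"),
                                    PASSPORT_ISSUER, ISSUER_KEY, NOW),
    }


if __name__ == "__main__":
    for name, (status, visas) in demo().items():
        print(name, status, [v["value"] for v in visas])
```

The checks run in a fixed order (signature, issuer, passport expiry, then each visa) so that an attacker-controlled token is never consulted for its issuer or visas before its signature has been verified; the stale visa in the `good` case is silently dropped while the live one survives.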
8782b6e to e2a9d92
...auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/UserService.java
…lach/auth/service/impl/UserService.java
ToString does not include visas for security purposes.
Updated the logging messages to include additional context by incorporating the authorization code and user subject. These changes were made to allow for chaining logs in Splunk.
c933640 to ca691a2
ca691a2 to 5ea2384
...auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/RoleService.java
Reduced the fixed delay for passport validation from 3000000 to 300000 milliseconds to ensure more frequent checks. Added logging to indicate the start of the passport validation process for better traceability.
import java.util.List;

public class Ga4ghPassportV1 {
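Review bot: Ga4ghPassportV1 is declared with no class-level documentation in the visible lines, so a reader cannot tell from the declaration which GA4GH Passport v1 claims it models or how its fields map to JSON property names. Add a Javadoc stating that it represents the GA4GH Passport v1 claim set and annotate each field with its JSON name explicitly rather than relying on field-name matching, so that a renamed field cannot silently stop a claim from being parsed.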
It might be a pain, but do we want to name these what they actually stand for and json map them individually? At the very least we should add documentation what they mean
...rvices/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/RASPassPortService.java
Didn't have time to review tests.
...ervices/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/AccessRuleService.java
@@ -280,6 +283,14 @@ public void setToken(String token) {
this.token = token;
}

public String getPassport() {
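Review bot: getPassport() is added beside the token accessor with no Javadoc, and the hunk header (+283,14) shows eight new lines of which only this getter is visible; document what the field holds (the user's passport JWT, which carries visas) and, since it is a credential in the same sense as token, state that it must not be logged or included in toString. A commit note elsewhere on this page says toString excludes visas for security purposes; the passport field deserves the same treatment.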
What is a passport?
...vices/src/main/java/edu/harvard/hms/dbmi/avillach/auth/enums/PassportValidationResponse.java
...services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/rest/AuthenticationController.java
...services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/PrivilegeService.java
...auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/RoleService.java
...auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/RoleService.java
...uth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/TokenService.java
...auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/UserService.java
...auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/UserService.java
Refactor RoleService to modularize role extraction and validation logic during fence mapping permission creation. Cleaned up the initialization logic in RASPassPortService and improved string handling. Simplified access rule cache eviction and standardized user variable naming across authentication services.
Reversed the condition to correctly handle non-empty authentication responses. Previously, the code incorrectly treated non-empty responses as empty, leading to skipped session initialization.
Changed the token refresh service to return typed `RefreshToken` responses instead of maps. Introduced `ValidRefreshToken` and `InvalidRefreshToken` types. Updated tests and controller to handle the new response types appropriately.
Created a migration script to add a 'passport' column of type TEXT to the 'user' table.
OktaAuthenticationService by extracting generic OKTA authentication code.
Passport property to User entity.