Implement RAS Authentication Provider #195

Merged
merged 31 commits into from
Aug 22, 2024
Conversation

@Gcolon021 Gcolon021 commented Aug 2, 2024

  • Create OktaAuthenticationService by extracting generic OKTA authentication code.
  • Create & Implement RASAuthenticationService and RASAuthenticationServiceTest.
  • Create & Implement RASPassportService and RASPassportServiceTest.
  • Implement RAS Passport handling and polling.
    • Add new enum for potential passport validation responses. This is used to ensure all potential return values are handled within a switch statement.
  • Add model for RAS Passport and RAS Visas.
  • Add Passport property to User entity.
    • Includes a corresponding migration script to add new column to database.
  • Add new methods to the JWTUtil class to assist with decoding and parsing RAS Passports which use a JWT format.
  • Included SessionService for session management with caching support.

Create OktaAuthenticationService to extract OKTA implementation. Added RASAuthenticationService and RASPassportService. Implement RAS Passport handling and polling. Added SessionService for session management with caching support. Implemented unit tests for RASAuthenticationService and RASPassPortService to validate RAS authentication flows and passport handling.
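The PR description above lists the pieces of the passport flow (decode the passport JWT, check issuer and expiry, check each visa's expiry, map every outcome to an enum so the poller handles all of them). The following is an added example of that flow written for this page, not code from the project (which is Java); it is in Python so it can be run as-is. The claim layout follows the GA4GH Passport v1 specification (a `ga4gh_passport_v1` array of visa JWTs); the issuer URL, the HS256 secret, the sample visa content and the keep/refresh/remove policy are all assumptions constructed for the example.

```python
"""Passport validation flow after the PR description above.
Added example, not the project's Java code. Issuer, secret, sample
visa and the keep/refresh/remove policy are constructed assumptions."""
import base64
import enum
import hashlib
import hmac
import json
import time
from typing import Optional

EXPECTED_ISSUER = "https://broker.example.invalid"   # stands in for the issuer config property
EXAMPLE_SECRET = b"constructed-hs256-key-for-this-example"  # real brokers use RS256; HS256 keeps this offline
PASSPORT_CLAIM = "ga4gh_passport_v1"                 # claim name per GA4GH Passport v1


class PassportValidation(enum.Enum):
    """Every outcome the validator can produce; the action table below must cover all of them."""
    VALID = "valid"
    MALFORMED = "malformed"
    BAD_SIGNATURE = "bad_signature"
    WRONG_ISSUER = "wrong_issuer"
    EXPIRED = "expired"
    VISA_EXPIRED = "visa_expired"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT; used only to build the constructed sample passport and visa."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def decode_claims(token: str) -> Optional[dict]:
    """Payload claims of a JWT, or None if it is not well-formed (no signature check here)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if isinstance(claims, dict) else None


def verify_signature(token: str, secret: bytes) -> bool:
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        return hmac.compare_digest(expected, _b64url_decode(sig))
    except ValueError:
        return False


def is_visa_expired(visa: str, now: int) -> bool:
    """A visa that cannot be decoded or carries no exp is treated as expired (fail closed)."""
    claims = decode_claims(visa)
    return claims is None or int(claims.get("exp", 0)) <= now


def validate_passport(token: str, *, issuer: str = EXPECTED_ISSUER,
                      secret: bytes = EXAMPLE_SECRET, now: Optional[int] = None) -> PassportValidation:
    """Checks run in trust order: shape, signature, issuer, passport expiry, then each visa's expiry."""
    now = int(time.time()) if now is None else now
    claims = decode_claims(token)
    if claims is None:
        return PassportValidation.MALFORMED
    if not verify_signature(token, secret):
        return PassportValidation.BAD_SIGNATURE
    if claims.get("iss") != issuer:
        return PassportValidation.WRONG_ISSUER
    if int(claims.get("exp", 0)) <= now:          # missing exp counts as expired
        return PassportValidation.EXPIRED
    if any(is_visa_expired(v, now) for v in claims.get(PASSPORT_CLAIM, [])):
        return PassportValidation.VISA_EXPIRED
    return PassportValidation.VALID


# Assumed poller policy: keep a valid passport, re-fetch an expired one, drop anything untrusted.
_ACTIONS = {
    PassportValidation.VALID: "keep",
    PassportValidation.EXPIRED: "refresh",
    PassportValidation.VISA_EXPIRED: "refresh",
    PassportValidation.MALFORMED: "remove",
    PassportValidation.BAD_SIGNATURE: "remove",
    PassportValidation.WRONG_ISSUER: "remove",
}
# Same guarantee an exhaustive switch gives: a new enum member without an action fails at import time.
assert set(_ACTIONS) == set(PassportValidation), "unhandled PassportValidation member"


def passport_action(result: PassportValidation) -> str:
    return _ACTIONS[result]


def make_example_passport(now: int, *, issuer: str = EXPECTED_ISSUER, secret: bytes = EXAMPLE_SECRET,
                          passport_ttl: int = 3600, visa_ttl: int = 3600) -> str:
    """Constructed sample: one passport carrying one visa, both signed with the example secret."""
    visa = sign_jwt({"iss": issuer, "sub": "user-123", "exp": now + visa_ttl,
                     "ga4gh_visa_v1": {"type": "ControlledAccessGrants", "value": "phs000000.v1.p1"}}, secret)
    return sign_jwt({"iss": issuer, "sub": "user-123", "exp": now + passport_ttl, PASSPORT_CLAIM: [visa]}, secret)


if __name__ == "__main__":
    t = int(time.time())
    for label, token in [("fresh", make_example_passport(t)),
                         ("stale visa", make_example_passport(t, visa_ttl=-1)),
                         ("other issuer", make_example_passport(t, issuer="https://other.invalid"))]:
        result = validate_passport(token, now=t)
        print(f"{label}: {result.name} -> {passport_action(result)}")
```

The check order matters: issuer and signature are tested before any expiry, so a forged or foreign passport is dropped rather than merely scheduled for refresh, and a visa that fails to decode is treated as expired instead of silently granting access. The import-time assertion on `_ACTIONS` is the dictionary equivalent of the exhaustive switch the PR uses to make sure every enum member is handled.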
@Gcolon021 Gcolon021 self-assigned this Aug 2, 2024
@Gcolon021 Gcolon021 added the enhancement New feature or request label Aug 2, 2024
Introduced a set to track public access roles in `RoleService` and automatically assign these roles to users in `UserService`. This ensures every user has access to public datasets by default.
We no longer use the security context to retrieve the user. We now use the authentication token. This ensures we don't have lazy loading exceptions associated with the previous approach.
Extracted expired visa validation from `validateVisa` method to simplify the logic and duty separation. Modified tests to use a parsed visa for more accurate validation simulations. Added placeholder `updateExpirationTime` method to JWTUtil for future use.
Extend the `CustomLogoutHandler` to remove the user's passport upon logout by calling the new `removeUserPassport` method in `UserService`.
This update introduces checks for RAS passport validity, including expiration validation and issuer. Additionally, a new configuration property for passport issuer was added. Test cases were extended to include these validation steps.
Gcolon021 and others added 6 commits August 13, 2024 10:17
ToString does not include visas for security purposes.
Updated the logging messages to include additional context by incorporating the authorization code and user subject. These changes were made to allow for chaining logs in Splunk.
Reduced the fixed delay for passport validation from 3000000 to 300000 milliseconds to ensure more frequent checks. Added logging to indicate the start of the passport validation process for better traceability.

import java.util.List;

public class Ga4ghPassportV1 {
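Review bot: Ga4ghPassportV1 is declared with no class-level documentation, which is what prompts the naming question below; add a Javadoc stating that it models the GA4GH Passport v1 claim set, give its fields names that spell out what each claim means, and map each field to its JSON claim name individually with a per-field JSON annotation rather than relying on the abbreviated names matching the wire format.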
It might be a pain, but do we want to name these what they actually stand for and json map them individually? At the very least we should add documentation what they mean

@Luke-Sikina Luke-Sikina left a comment
Didn't have time to review tests.

@@ -280,6 +283,14 @@ public void setToken(String token) {
this.token = token;
}

public String getPassport() {
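Review bot: getPassport() at the end of the hunk carries no Javadoc, and the question below shows a reviewer could not tell what it returns; document that it holds the user's RAS passport JWT (the value the migration later stores in the TEXT 'passport' column), and state whether it is kept out of toString and log output, since the commit "ToString does not include visas for security purposes" shows the visas inside it are treated as sensitive.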
What is a passport?

Refactor RoleService to modularize role extraction and validation logic during fence mapping permission creation. Cleaned up the initialization logic in RASPassPortService and improved string handling. Simplified access rule cache eviction and standardized user variable naming across authentication services.
Reversed the condition to correctly handle non-empty authentication responses. Previously, the code incorrectly treated non-empty responses as empty, leading to skipped session initialization.
Changed the token refresh service to return typed `RefreshToken` responses instead of maps. Introduced `ValidRefreshToken` and `InvalidRefreshToken` types. Updated tests and controller to handle the new response types appropriately.
Created a migration script to add a 'passport' column of type TEXT to the 'user' table.
@Gcolon021 Gcolon021 merged commit e726eb3 into release Aug 22, 2024
2 checks passed
@Gcolon021 Gcolon021 deleted the RAS-Passport branch September 18, 2024 22:35
Labels: enhancement (New feature or request)
4 participants