Improvements for ACL advice

Author: arteymix

gemma-core/src/main/java/ubic/gemma/core/security/authorization/acl/AclAdvice.java

@@ -19,32 +19,26 @@
 package ubic.gemma.core.security.authorization.acl;
 
 import gemma.gsec.acl.BaseAclAdvice;
+import gemma.gsec.acl.ObjectTransientnessRetrievalStrategy;
+import gemma.gsec.acl.ParentIdentityRetrievalStrategy;
 import gemma.gsec.acl.domain.AclService;
-import gemma.gsec.model.GroupAuthority;
 import gemma.gsec.model.Securable;
 import gemma.gsec.model.User;
 import gemma.gsec.model.UserGroup;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.hibernate.SessionFactory;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.acls.model.*;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.acls.model.ObjectIdentityRetrievalStrategy;
 import org.springframework.stereotype.Component;
 import ubic.gemma.model.analysis.Investigation;
-import ubic.gemma.model.analysis.SingleExperimentAnalysis;
 import ubic.gemma.model.common.auditAndSecurity.AuditTrail;
 import ubic.gemma.model.common.auditAndSecurity.curation.CurationDetails;
 import ubic.gemma.model.expression.arrayDesign.ArrayDesign;
 import ubic.gemma.model.expression.bioAssay.BioAssay;
-import ubic.gemma.model.expression.experiment.BioAssaySet;
 import ubic.gemma.model.expression.experiment.ExpressionExperiment;
 import ubic.gemma.persistence.util.Pointcuts;
 
-import javax.annotation.Nullable;
-import java.util.Collection;
-
 /**
  * For permissions modification to be triggered, the method name must match certain patterns, which include "create", or
  * "remove". These patterns are defined in the {@link Pointcuts}. Other methods that would require
@@ -58,14 +52,17 @@ public class AclAdvice extends BaseAclAdvice {
     private static final Log log = LogFactory.getLog( AclAdvice.class );
 
     @Autowired
-    public AclAdvice( AclService aclService, SessionFactory sessionFactory, ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy ) {
-        super( aclService, sessionFactory, objectIdentityRetrievalStrategy );
+    public AclAdvice( AclService aclService, SessionFactory sessionFactory,
+            ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy,
+            ParentIdentityRetrievalStrategy parentIdentityRetrievalStrategy,
+            ObjectTransientnessRetrievalStrategy objectTransientnessRetrievalStrategy ) {
+        super( aclService, sessionFactory, objectIdentityRetrievalStrategy, parentIdentityRetrievalStrategy,
+                objectTransientnessRetrievalStrategy );
     }
 
     @Override
     protected boolean canSkipAclCheck( Object object ) {
-        return AuditTrail.class.isAssignableFrom( object.getClass() ) || CurationDetails.class
-                .isAssignableFrom( object.getClass() );
+        return object instanceof AuditTrail || object instanceof CurationDetails;
     }
 
     @Override
@@ -75,7 +72,7 @@ protected boolean canSkipAssociationCheck( Object object, String propertyName )
          * If this is an expression experiment, don't go down the data vectors - it has no securable associations and
          * would be expensive to traverse.
          */
-        if ( ExpressionExperiment.class.isAssignableFrom( object.getClass() )
+        if ( object instanceof ExpressionExperiment
                 && ( propertyName.equals( "rawExpressionDataVectors" )
                 || propertyName.equals( "processedExpressionDataVectors" )
                 || propertyName.equals( "singleCellExpressionDataVectors" ) ) ) {
@@ -87,7 +84,7 @@ protected boolean canSkipAssociationCheck( Object object, String propertyName )
         /*
          * Array design has some non (directly) securable associations that would be expensive to load
          */
-        if ( ArrayDesign.class.isAssignableFrom( object.getClass() ) && propertyName.equals( "compositeSequences" ) ) {
+        if ( object instanceof ArrayDesign && propertyName.equals( "compositeSequences" ) ) {
             if ( AclAdvice.log.isTraceEnabled() )
                 AclAdvice.log.trace( "Skipping checking acl on probes on " + object );
             return true;
@@ -97,60 +94,13 @@ protected boolean canSkipAssociationCheck( Object object, String propertyName )
     }
 
     @Override
-    protected void createOrUpdateAclSpecialCases( MutableAcl acl, @Nullable Acl parentAcl, Sid sid, Securable object ) {
-
-        // Treating Analyses as special case. It'll inherit ACL from ExpressionExperiment
-        // If aclParent is passed to this method we overwrite it.
-        if ( SingleExperimentAnalysis.class.isAssignableFrom( object.getClass() ) ) {
-            SingleExperimentAnalysis<?> experimentAnalysis = ( SingleExperimentAnalysis<?> ) object;
-
-            BioAssaySet bioAssaySet = experimentAnalysis.getExperimentAnalyzed();
-            ObjectIdentity oi_temp = this.makeObjectIdentity( bioAssaySet );
-
-            parentAcl = this.getAclService().readAclById( oi_temp );
-            if ( parentAcl == null ) {
-                // This is possible if making an EESubSet is part of the transaction.
-                parentAcl = this.getAclService().createAcl( oi_temp );
-            }
-            acl.setEntriesInheriting( true );
-            acl.setParent( parentAcl );
-            //noinspection UnusedAssignment //Owner of the experiment owns analyses even if administrator ran them.
-            sid = parentAcl.getOwner();
-        }
-
-    }
-
-    @Override
-    protected GrantedAuthority getUserGroupGrantedAuthority( Securable object ) {
-        Collection<? extends GroupAuthority> authorities = ( ( UserGroup ) object ).getAuthorities();
-        assert authorities.size() == 1;
-        return new SimpleGrantedAuthority( authorities.iterator().next().getAuthority() );
-    }
-
-    @Override
-    protected String getUserName( Securable user ) {
-        return ( ( User ) user ).getUserName();
-    }
-
-    @Override
-    protected boolean objectIsUser( Securable object ) {
-        return User.class.isAssignableFrom( object.getClass() );
-    }
-
-    @Override
-    protected boolean objectIsUserGroup( Securable object ) {
-        return UserGroup.class.isAssignableFrom( object.getClass() );
-    }
-
-    @Override
-    protected boolean specialCaseForAssociationFollow( Object object, String property ) {
-        return BioAssay.class.isAssignableFrom( object.getClass() ) && ( property.equals( "sampleUsed" ) || property
-                .equals( "arrayDesignUsed" ) );
+    protected boolean canFollowAssociation( Object object, String property ) {
+        return object instanceof BioAssay && ( property.equals( "sampleUsed" ) || property.equals( "arrayDesignUsed" ) );
     }
 
     @Override
-    protected boolean specialCaseToKeepPrivateOnCreation( Securable object ) {
-        return super.specialCaseToKeepPrivateOnCreation( object )
+    protected boolean isKeepPrivateOnCreation( Securable object ) {
+        return super.isKeepPrivateOnCreation( object )
                 || object instanceof UserGroup
                 || object instanceof User
                 || object instanceof Investigation;

gemma-core/src/main/java/ubic/gemma/core/security/authorization/acl/AclLinterServiceImpl.java

@@ -1,10 +1,10 @@
 package ubic.gemma.core.security.authorization.acl;
 
+import gemma.gsec.acl.ParentIdentityRetrievalStrategy;
 import gemma.gsec.acl.domain.AclGrantedAuthoritySid;
 import gemma.gsec.acl.domain.AclObjectIdentity;
 import gemma.gsec.acl.domain.AclService;
 import lombok.extern.apachecommons.CommonsLog;
-import org.hibernate.Hibernate;
 import org.hibernate.Query;
 import org.hibernate.SessionFactory;
 import org.hibernate.dialect.function.SQLFunction;
@@ -30,7 +30,6 @@
 import ubic.gemma.model.expression.bioAssayData.MeanVarianceRelation;
 import ubic.gemma.model.expression.biomaterial.BioMaterial;
 import ubic.gemma.model.expression.experiment.*;
-import ubic.gemma.persistence.service.expression.experiment.ExpressionExperimentService;
 
 import javax.annotation.Nullable;
 import java.lang.reflect.Modifier;
@@ -66,8 +65,13 @@ private static void addSecuredChildToParent( Class<? extends SecuredChild<?>> cl
     static {
         // FIXME: handle sub-assays and sub-biomaterials in the child to parent query, or recursively resolve parents as
         //        a special case
-        addSecuredChildToParent( BioAssay.class, ExpressionExperiment.class, null );
-        addSecuredChildToParent( BioMaterial.class, ExpressionExperiment.class, null );
+        // this cover cases where the BioAssay is attached to a EE or a subset of an EE
+        addSecuredChildToParent( BioAssay.class, ExpressionExperiment.class,
+                //language=HQL
+                "select coalesce(ee.id, eess.sourceExperiment.id) from ExpressionExperiment ee join ee.bioAssays ba, ExpressionExperimentSubSet eess join eess.bioAssays eessba where ba.id = aoi.identifier or eessba.id = aoi.identifier" );
+        addSecuredChildToParent( BioMaterial.class, ExpressionExperiment.class,
+                //language=HQL
+                "select coalesce(ee.id, eess.sourceExperiment.id) from ExpressionExperiment ee join ee.bioAssays ba join ba.sampleUsed bm, ExpressionExperimentSubSet eess join eess.bioAssays eessba join eessba.sampleUsed eessbm where bm.id = aoi.identifier or eessbm.id = aoi.identifier" );
         addSecuredChildToParent( ExpressionExperimentSubSet.class, ExpressionExperiment.class,
                 //language=HQL
                 "select ears.analysis.id from ExpressionAnalysisResultSet ears where ears.id = aoi.identifier" );
@@ -108,7 +112,7 @@ private static void addSecuredChildToParent( Class<? extends SecuredChild<?>> cl
     @Autowired
     private SessionFactory sessionFactory;
     @Autowired
-    private ExpressionExperimentService expressionExperimentService;
+    private ParentIdentityRetrievalStrategy parentIdentityRetrievalStrategy;
 
     @Override
     @Transactional
@@ -205,7 +209,6 @@ private void lintAclObjectIdentityLackingSecurable( Class<? extends Securable> c
         }
         for ( AclObjectIdentity aoi : list ) {
             if ( config.isApplyFixes() ) {
-                // not removing child, but we will visit it later if it's also dangling
                 aclService.deleteAcl( aoi, true );
                 log.info( "Deleted dangling " + aoi + "." );
                 results.add( new LintResult( clazz, aoi.getIdentifier(), String.format( "%s has no corresponding %s entity with ID %d.", aoi, clazz.getName(), aoi.getIdentifier() ), true ) );
@@ -225,7 +228,7 @@ private void lintSecurableLackingObjectIdentity( Class<? extends Securable> claz
         //noinspection unchecked
         List<? extends Securable> list = sessionFactory.getCurrentSession()
                 .createQuery( "select e from " + clazz.getName() + " e "
-                        + "where e.id not in ( " + "select aoi.identifier from AclObjectIdentity aoi where aoi.type = :type" + ")" )
+                        + "where e.id not in (select aoi.identifier from AclObjectIdentity aoi where aoi.type = :type)" )
                 .setParameter( "type", clazz.getName() )
                 .setReadOnly( !config.isApplyFixes() )
                 .list();
@@ -248,7 +251,7 @@ private void lintSecurableLackingObjectIdentity( Class<? extends Securable> claz
     private void lintSecurableLackingObjectIdentity( Class<? extends Securable> clazz, Long identifier, AclLinterConfig config, Collection<LintResult> results ) {
         Securable s = ( Securable ) sessionFactory.getCurrentSession()
                 .createQuery( "select e from " + clazz.getName() + " e "
-                        + "where e.id = :identifier and e.id not in ( " + "select aoi.identifier from AclObjectIdentity aoi where aoi.type = :type" + ")" )
+                        + "where e.id = :identifier and e.id not in (select aoi.identifier from AclObjectIdentity aoi where aoi.type = :type and aoi.identifier = :identifier)" )
                 .setParameter( "identifier", identifier )
                 .setParameter( "type", clazz.getName() )
                 .setReadOnly( !config.isApplyFixes() )
@@ -286,7 +289,7 @@ private void lintSecuredChildWithoutParent( Class<? extends SecuredChild<?>> cla
         }
         for ( AclObjectIdentity aoi : list ) {
             if ( config.isApplyFixes() ) {
-                AclObjectIdentity parentAoi = getParentAclObjectIdentity( clazz, aoi );
+                AclObjectIdentity parentAoi = ( AclObjectIdentity ) parentIdentityRetrievalStrategy.locateParentIdentity( aoi );
                 String p = aoi.getType() + " Id=" + aoi.getIdentifier() + " has no parent ACL identity, it should be " + parentAoi + ".";
                 if ( parentAoi != null ) {
                     aoi.setParentObject( parentAoi );
@@ -311,12 +314,12 @@ private void lintSecuredChildWithoutParent( Class<? extends SecuredChild<?>> cla
                 .uniqueResult();
         String s = clazz.getSimpleName() + " Id=" + identifier;
         if ( aoi == null ) {
-            log.info( s + " has a parent ACL identity." );
+            log.warn( s + " does not have an ACL identity." );
             return;
         }
         String p = s + " has no parent ACL identity.";
         if ( config.isApplyFixes() ) {
-            AclObjectIdentity parentAoi = getParentAclObjectIdentity( clazz, aoi );
+            AclObjectIdentity parentAoi = ( AclObjectIdentity ) parentIdentityRetrievalStrategy.locateParentIdentity( aoi );
             if ( parentAoi != null ) {
                 aoi.setParentObject( parentAoi );
                 results.add( new LintResult( clazz, aoi.getIdentifier(), p, true ) );
@@ -351,7 +354,7 @@ private void lintSecuredChildWithIncorrectParent( Class<? extends SecuredChild<?
             String p = String.format( "%s Id=%d does not have a parent ACL identity of type %s: %s.", aoi.getType(),
                     aoi.getIdentifier(), expectedParentClass.getSimpleName(), currentParentAoi );
             if ( config.isApplyFixes() ) {
-                AclObjectIdentity parentAoi = getParentAclObjectIdentity( clazz, aoi );
+                AclObjectIdentity parentAoi = ( AclObjectIdentity ) parentIdentityRetrievalStrategy.locateParentIdentity( aoi );
                 if ( parentAoi != null ) {
                     aoi.setParentObject( parentAoi );
                     results.add( new LintResult( clazz, aoi.getIdentifier(), p, true ) );
@@ -380,15 +383,15 @@ private void lintSecuredChildWithIncorrectParent( Class<? extends SecuredChild<?
                 .uniqueResult();
         String s = clazz.getSimpleName() + " Id=" + identifier;
         if ( row == null ) {
-            log.info( s + " has no parent ACL identity identity." );
+            log.info( s + " has no parent ACL identity." );
             return;
         }
         AclObjectIdentity aoi = ( AclObjectIdentity ) row[0];
         AclObjectIdentity currentParentAoi = ( AclObjectIdentity ) row[1];
         String problem = String.format( "%s does not have a parent ACL identity of type %s: %s.", s,
                 expectedParentClass.getSimpleName(), currentParentAoi );
         if ( config.isApplyFixes() ) {
-            AclObjectIdentity parentAoi = getParentAclObjectIdentity( clazz, aoi );
+            AclObjectIdentity parentAoi = ( AclObjectIdentity ) parentIdentityRetrievalStrategy.locateParentIdentity( aoi );
             if ( parentAoi != null ) {
                 aoi.setParentObject( parentAoi );
                 results.add( new LintResult( clazz, aoi.getId(), problem, true ) );
@@ -400,82 +403,6 @@ private void lintSecuredChildWithIncorrectParent( Class<? extends SecuredChild<?
         }
     }
 
-    @Nullable
-    private AclObjectIdentity getParentAclObjectIdentity( Class<? extends SecuredChild<?>> clazz, AclObjectIdentity aoi ) {
-        Class<? extends Securable> parentType;
-        Long parentIdentifier;
-        if ( ExperimentalFactor.class.isAssignableFrom( clazz ) ) {
-            parentType = ExpressionExperiment.class;
-            ExperimentalFactor factor = ( ExperimentalFactor ) sessionFactory.getCurrentSession()
-                    .get( ExperimentalFactor.class, aoi.getIdentifier() );
-            ExpressionExperiment ee = expressionExperimentService.findByFactor( factor );
-            parentIdentifier = ee != null ? ee.getId() : null;
-        } else if ( FactorValue.class.isAssignableFrom( clazz ) ) {
-            parentType = ExpressionExperiment.class;
-            FactorValue factor = ( FactorValue ) sessionFactory.getCurrentSession()
-                    .get( FactorValue.class, aoi.getIdentifier() );
-            ExpressionExperiment ee = expressionExperimentService.findByFactorValue( factor );
-            parentIdentifier = ee != null ? ee.getId() : null;
-        } else if ( BioAssay.class.isAssignableFrom( clazz ) ) {
-            parentType = ExpressionExperiment.class;
-            BioAssay ba = ( BioAssay ) sessionFactory.getCurrentSession()
-                    .get( BioAssay.class, aoi.getIdentifier() );
-            ExpressionExperiment ee = expressionExperimentService.findByBioAssay( ba );
-            parentIdentifier = ee != null ? ee.getId() : null;
-        } else if ( BioMaterial.class.isAssignableFrom( clazz ) ) {
-            parentType = ExpressionExperiment.class;
-            BioMaterial bm = ( BioMaterial ) sessionFactory.getCurrentSession()
-                    .get( BioMaterial.class, aoi.getIdentifier() );
-            Collection<ExpressionExperiment> ees = expressionExperimentService.findByBioMaterial( bm );
-            if ( ees.size() == 1 ) {
-                parentIdentifier = ees.iterator().next().getId();
-            } else if ( ees.size() > 1 ) {
-                log.warn( "More than one ExpressionExperiment refer to " + bm + ", cannot pick its parent ACL identity." );
-                parentIdentifier = null;
-            } else {
-                parentIdentifier = null;
-            }
-        } else if ( MeanVarianceRelation.class.isAssignableFrom( clazz ) ) {
-            MeanVarianceRelation mvr = ( MeanVarianceRelation ) sessionFactory.getCurrentSession()
-                    .get( MeanVarianceRelation.class, aoi.getIdentifier() );
-            ExpressionExperiment ee = expressionExperimentService.findByMeanVarianceRelation( mvr );
-            parentType = ExpressionExperiment.class;
-            parentIdentifier = ee != null ? ee.getId() : null;
-        } else {
-            // try automated!
-            SecuredChild<?> sc = ( SecuredChild<?> ) sessionFactory.getCurrentSession()
-                    .get( clazz, aoi.getIdentifier() );
-            if ( sc != null && sc.getSecurityOwner() != null ) {
-                //noinspection unchecked
-                parentType = Hibernate.getClass( sc.getSecurityOwner() );
-                parentIdentifier = sc.getSecurityOwner().getId();
-            } else if ( sc == null ) {
-                log.warn( "Cannot resolve ACL identity for " + clazz.getSimpleName() + " Id=" + aoi.getIdentifier() + "." );
-                parentType = null;
-                parentIdentifier = null;
-            } else {
-                log.warn( "Cannot resolve parent ACL identity for " + aoi.getType() + "." );
-                parentType = null;
-                parentIdentifier = null;
-            }
-        }
-        if ( parentIdentifier != null ) {
-            AclObjectIdentity parentAoi = ( AclObjectIdentity ) sessionFactory.getCurrentSession()
-                    .createQuery( "select aoi from AclObjectIdentity aoi where aoi.type = :type and aoi.identifier = :identifier" )
-                    .setParameter( "type", parentType.getName() )
-                    .setParameter( "identifier", parentIdentifier )
-                    .uniqueResult();
-            if ( parentAoi != null ) {
-                return parentAoi;
-            } else {
-                log.warn( "Could not resolve ACL identity for " + parentType.getSimpleName() + " Id=" + parentIdentifier + "." );
-                return null;
-            }
-        } else {
-            return null;
-        }
-    }
-
     /**
      * Lint for securable entities that are explicitly not children, but have a parent object set in their ACL identity.
      * <p>