More improvements and fixes for the ACL linter

Add a strategy for resolving parent ACL identity. The interface will be
added to gsec, but we need it now for clarity.

Fix Hibernate.getClass() called incorrectly on a class.

Support for linting parent of assays and samples, looking up both
datasets and subsets. In the latter case, the assay must have the source
experiment as parent in the ACL structure.

Author: arteymix

gemma-core/src/main/java/ubic/gemma/core/security/authorization/acl/AclLinterServiceImpl.java

@@ -0,0 +1,21 @@
+package ubic.gemma.core.security.authorization.acl;
+
+import org.springframework.security.acls.model.ObjectIdentity;
+
+import javax.annotation.Nullable;
+
+/**
+ * Strategy for locating parent ACL identities.
+ *
+ * @author poirigui
+ */
+public interface ParentIdentityRetrievalStrategy {
+
+    /**
+     * Obtain the parent ACL identity for the given ACL identity.
+     *
+     * @return the parent ACL identity if it can be determined, null otherwise
+     */
+    @Nullable
+    ObjectIdentity getParentIdentity( ObjectIdentity aoi );
+}

gemma-core/src/main/java/ubic/gemma/core/security/authorization/acl/ParentIdentityRetrievalStrategy.java

@@ -0,0 +1,146 @@
+package ubic.gemma.core.security.authorization.acl;
+
+import gemma.gsec.acl.domain.AclObjectIdentity;
+import lombok.extern.apachecommons.CommonsLog;
+import org.hibernate.Hibernate;
+import org.hibernate.SessionFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.acls.model.ObjectIdentity;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+import ubic.gemma.model.common.auditAndSecurity.Securable;
+import ubic.gemma.model.common.auditAndSecurity.SecuredChild;
+import ubic.gemma.model.expression.bioAssay.BioAssay;
+import ubic.gemma.model.expression.bioAssayData.MeanVarianceRelation;
+import ubic.gemma.model.expression.biomaterial.BioMaterial;
+import ubic.gemma.model.expression.experiment.ExperimentalDesign;
+import ubic.gemma.model.expression.experiment.ExperimentalFactor;
+import ubic.gemma.model.expression.experiment.ExpressionExperiment;
+import ubic.gemma.model.expression.experiment.FactorValue;
+import ubic.gemma.persistence.service.expression.experiment.ExpressionExperimentService;
+
+import java.util.Collection;
+
+/**
+ * Use domain-specific logic to resolve parent ACL identities.
+ *
+ * @author poirigui
+ */
+@Service
+@CommonsLog
+public class ParentIdentityRetrievalStrategyImpl implements ParentIdentityRetrievalStrategy {
+
+    @Autowired
+    private SessionFactory sessionFactory;
+
+    @Autowired
+    private ExpressionExperimentService expressionExperimentService;
+
+    @Override
+    @Transactional(readOnly = true)
+    public ObjectIdentity getParentIdentity( ObjectIdentity aoi ) {
+        //noinspection unchecked
+        Class<? extends SecuredChild<?>> clazz = sessionFactory.getClassMetadata( aoi.getType() ).getMappedClass();
+        Class<? extends Securable> parentType;
+        Long parentIdentifier;
+        if ( ExperimentalDesign.class.isAssignableFrom( clazz ) ) {
+            ExperimentalDesign design = ( ExperimentalDesign ) sessionFactory.getCurrentSession()
+                    .get( ExperimentalDesign.class, aoi.getIdentifier() );
+            if ( design == null ) {
+                log.warn( "Could not find " + clazz.getSimpleName() + " with ID " + aoi.getIdentifier() + "." );
+                return null;
+            }
+            ExpressionExperiment ee = expressionExperimentService.findByDesign( design );
+            parentType = ExpressionExperiment.class;
+            parentIdentifier = ee != null ? ee.getId() : null;
+        } else if ( ExperimentalFactor.class.isAssignableFrom( clazz ) ) {
+            ExperimentalFactor factor = ( ExperimentalFactor ) sessionFactory.getCurrentSession()
+                    .get( ExperimentalFactor.class, aoi.getIdentifier() );
+            if ( factor == null ) {
+                log.warn( "Could not find " + clazz.getSimpleName() + " with ID " + aoi.getIdentifier() + "." );
+                return null;
+            }
+            ExpressionExperiment ee = expressionExperimentService.findByFactor( factor );
+            parentType = ExpressionExperiment.class;
+            parentIdentifier = ee != null ? ee.getId() : null;
+        } else if ( FactorValue.class.isAssignableFrom( clazz ) ) {
+            FactorValue factor = ( FactorValue ) sessionFactory.getCurrentSession()
+                    .get( FactorValue.class, aoi.getIdentifier() );
+            if ( factor == null ) {
+                log.warn( "Could not find " + clazz.getSimpleName() + " with ID " + aoi.getIdentifier() + "." );
+                return null;
+            }
+            ExpressionExperiment ee = expressionExperimentService.findByFactorValue( factor );
+            parentType = ExpressionExperiment.class;
+            parentIdentifier = ee != null ? ee.getId() : null;
+        } else if ( BioAssay.class.isAssignableFrom( clazz ) ) {
+            BioAssay ba = ( BioAssay ) sessionFactory.getCurrentSession()
+                    .get( BioAssay.class, aoi.getIdentifier() );
+            if ( ba == null ) {
+                log.warn( "Could not find " + clazz.getSimpleName() + " with ID " + aoi.getIdentifier() + "." );
+                return null;
+            }
+            ExpressionExperiment ee = expressionExperimentService.findByBioAssay( ba, true );
+            parentType = ExpressionExperiment.class;
+            parentIdentifier = ee != null ? ee.getId() : null;
+        } else if ( BioMaterial.class.isAssignableFrom( clazz ) ) {
+            BioMaterial bm = ( BioMaterial ) sessionFactory.getCurrentSession()
+                    .get( BioMaterial.class, aoi.getIdentifier() );
+            if ( bm == null ) {
+                log.warn( "Could not find " + clazz.getSimpleName() + " with ID " + aoi.getIdentifier() + "." );
+                return null;
+            }
+            Collection<ExpressionExperiment> ees = expressionExperimentService.findByBioMaterial( bm, true );
+            parentType = ExpressionExperiment.class;
+            if ( ees.size() == 1 ) {
+                parentIdentifier = ees.iterator().next().getId();
+            } else if ( ees.size() > 1 ) {
+                log.warn( "More than one ExpressionExperiment refer to " + bm + ", cannot pick its parent ACL identity." );
+                parentIdentifier = null;
+            } else {
+                log.warn( "Could not find " + clazz.getSimpleName() + " with ID " + aoi.getIdentifier() + "." );
+                parentIdentifier = null;
+            }
+        } else if ( MeanVarianceRelation.class.isAssignableFrom( clazz ) ) {
+            MeanVarianceRelation mvr = ( MeanVarianceRelation ) sessionFactory.getCurrentSession()
+                    .get( MeanVarianceRelation.class, aoi.getIdentifier() );
+            if ( mvr == null ) {
+                log.warn( "Could not find " + clazz.getSimpleName() + " with ID " + aoi.getIdentifier() + "." );
+                return null;
+            }
+            ExpressionExperiment ee = expressionExperimentService.findByMeanVarianceRelation( mvr );
+            parentType = ExpressionExperiment.class;
+            parentIdentifier = ee != null ? ee.getId() : null;
+        } else {
+            // try automated!
+            SecuredChild<?> sc = ( SecuredChild<?> ) sessionFactory.getCurrentSession()
+                    .get( clazz, aoi.getIdentifier() );
+            if ( sc == null ) {
+                log.warn( "Could not find " + clazz.getSimpleName() + " with ID " + aoi.getIdentifier() + "." );
+                return null;
+            }
+            if ( sc.getSecurityOwner() != null ) {
+                // this is necessary because we rely on the class name for querying
+                //noinspection unchecked
+                parentType = Hibernate.getClass( sc.getSecurityOwner() );
+                parentIdentifier = sc.getSecurityOwner().getId();
+            } else {
+                log.warn( String.format( "Cannot resolve parent ACL identity for %s Id=%s: its security owner is not populated.",
+                        clazz.getSimpleName(), aoi.getIdentifier() ) );
+                parentType = null;
+                parentIdentifier = null;
+            }
+        }
+
+        if ( parentIdentifier != null ) {
+            return ( AclObjectIdentity ) sessionFactory.getCurrentSession()
+                    .createQuery( "select aoi from AclObjectIdentity aoi where aoi.type = :type and aoi.identifier = :identifier" )
+                    .setParameter( "type", parentType.getName() )
+                    .setParameter( "identifier", parentIdentifier )
+                    .uniqueResult();
+        } else {
+            log.warn( String.format( "Could not locate parent identifier for %s Id=%s.", clazz.getSimpleName(), aoi.getIdentifier() ) );
+            return null;
+        }
+    }
+}

gemma-core/src/main/java/ubic/gemma/core/security/authorization/acl/ParentIdentityRetrievalStrategyImpl.java

@@ -97,8 +97,13 @@ class Identifiers {
     @Nullable
     ExpressionExperiment findByBioAssay( BioAssay ba );
 
+    @Nullable
+    ExpressionExperiment findByBioAssay( BioAssay ba, boolean includeSubSets );
+
     Collection<ExpressionExperiment> findByBioMaterial( BioMaterial bm );
 
+    Collection<ExpressionExperiment> findByBioMaterial( BioMaterial bm, boolean includeSubSets );
+
     Map<ExpressionExperiment, Collection<BioMaterial>> findByBioMaterials( Collection<BioMaterial> bms );
 
     Collection<ExpressionExperiment> findByExpressedGene( Gene gene, Double rank );

gemma-core/src/main/java/ubic/gemma/persistence/service/expression/experiment/ExpressionExperimentDao.java

@@ -283,24 +283,54 @@ public Collection<ExpressionExperiment> findByBibliographicReference( Bibliograp
 
     @Override
     public ExpressionExperiment findByBioAssay( BioAssay ba ) {
-        return ( ExpressionExperiment ) this.getSessionFactory().getCurrentSession()
+        return findByBioAssay( ba, false );
+    }
+
+    @Override
+    public ExpressionExperiment findByBioAssay( BioAssay ba, boolean includeSubSets ) {
+        ExpressionExperiment ee = ( ExpressionExperiment ) this.getSessionFactory().getCurrentSession()
                 .createQuery( "select ee from ExpressionExperiment as ee "
                         + "join ee.bioAssays as ba "
                         + "where ba = :ba "
                         + "group by ee" )
                 .setParameter( "ba", ba )
                 .uniqueResult();
+        if ( ee == null && includeSubSets ) {
+            ee = ( ExpressionExperiment ) this.getSessionFactory().getCurrentSession()
+                    .createQuery( "select eess.sourceExperiment from ExpressionExperimentSubSet as eess "
+                            + "join eess.bioAssays as ba "
+                            + "where ba = :ba "
+                            + "group by eess.sourceExperiment" )
+                    .setParameter( "ba", ba )
+                    .uniqueResult();
+        }
+        return ee;
     }
 
     @Override
     public Collection<ExpressionExperiment> findByBioMaterial( BioMaterial bm ) {
+        return findByBioMaterial( bm, false );
+    }
+
+    @Override
+    public Collection<ExpressionExperiment> findByBioMaterial( BioMaterial bm, boolean includeSubSets ) {
         //noinspection unchecked
-        return this.getSessionFactory().getCurrentSession()
+        List<ExpressionExperiment> results = this.getSessionFactory().getCurrentSession()
                 .createQuery( "select ee from ExpressionExperiment as ee "
                         + "join ee.bioAssays as ba join ba.sampleUsed as sample where sample = :bm "
                         + "group by ee" )
                 .setParameter( "bm", bm )
                 .list();
+        if ( results == null && includeSubSets ) {
+            //noinspection unchecked
+            results = this.getSessionFactory().getCurrentSession()
+                    .createQuery( "select eess.sourceExperiment from ExpressionExperimentSubSet as eess "
+                            + "join eess.bioAssays as ba join ba.sampleUsed as sample where sample = :bm "
+                            + "group by eess.sourceExperiment" )
+                    .setParameter( "bm", bm )
+                    .list();
+        }
+        return results;
     }
 
     @Override

gemma-core/src/main/java/ubic/gemma/persistence/service/expression/experiment/ExpressionExperimentDaoImpl.java

@@ -354,13 +354,26 @@ public interface ExpressionExperimentService extends SecurableBaseService<Expres
     @Secured({ "IS_AUTHENTICATED_ANONYMOUSLY", "AFTER_ACL_READ" })
     ExpressionExperiment findByBioAssay( BioAssay ba );
 
+    /**
+     * @param includeSubSets include assays that belong to subsets of the experiment
+     */
+    @Secured({ "IS_AUTHENTICATED_ANONYMOUSLY", "AFTER_ACL_READ" })
+    ExpressionExperiment findByBioAssay( BioAssay ba, boolean includeSubSets );
+
     /**
      * @param bm bio material
      * @return experiment the given biomaterial is associated with
      */
     @Secured({ "IS_AUTHENTICATED_ANONYMOUSLY", "AFTER_ACL_COLLECTION_READ" })
     Collection<ExpressionExperiment> findByBioMaterial( BioMaterial bm );
 
+    /**
+     *
+     * @param includeSubSets include samples that are associated to assays that belong to subsets of the experiment
+     */
+    @Secured({ "IS_AUTHENTICATED_ANONYMOUSLY", "AFTER_ACL_COLLECTION_READ" })
+    Collection<ExpressionExperiment> findByBioMaterial( BioMaterial bm, boolean includeSubSets );
+
     @Secured({ "IS_AUTHENTICATED_ANONYMOUSLY", "AFTER_ACL_COLLECTION_READ" })
     Map<ExpressionExperiment, Collection<BioMaterial>> findByBioMaterials( Collection<BioMaterial> biomaterials );
 

gemma-core/src/main/java/ubic/gemma/persistence/service/expression/experiment/ExpressionExperimentService.java

@@ -578,6 +578,12 @@ public ExpressionExperiment findByBioAssay( final BioAssay ba ) {
         return this.expressionExperimentDao.findByBioAssay( ba );
     }
 
+    @Override
+    @Transactional(readOnly = true)
+    public ExpressionExperiment findByBioAssay( BioAssay ba, boolean includeSubSets ) {
+        return this.expressionExperimentDao.findByBioAssay( ba, includeSubSets );
+    }
+
     /**
      * @see ExpressionExperimentService#findByBioMaterial(BioMaterial)
      */
@@ -587,6 +593,12 @@ public Collection<ExpressionExperiment> findByBioMaterial( final BioMaterial bm
         return this.expressionExperimentDao.findByBioMaterial( bm );
     }
 
+    @Override
+    @Transactional(readOnly = true)
+    public Collection<ExpressionExperiment> findByBioMaterial( BioMaterial bm, boolean includeSubSets ) {
+        return this.expressionExperimentDao.findByBioMaterial( bm, includeSubSets );
+    }
+
     @Override
     public Map<ExpressionExperiment, Collection<BioMaterial>> findByBioMaterials( Collection<BioMaterial> biomaterials ) {
         return this.expressionExperimentDao.findByBioMaterials( biomaterials );

gemma-core/src/main/java/ubic/gemma/persistence/service/expression/experiment/ExpressionExperimentServiceImpl.java

@@ -14,6 +14,8 @@
 import ubic.gemma.core.util.test.BaseDatabaseTest;
 import ubic.gemma.model.analysis.expression.diff.DifferentialExpressionAnalysis;
 import ubic.gemma.model.analysis.expression.diff.ExpressionAnalysisResultSet;
+import ubic.gemma.model.expression.bioAssay.BioAssay;
+import ubic.gemma.model.expression.biomaterial.BioMaterial;
 import ubic.gemma.model.expression.experiment.ExpressionExperiment;
 import ubic.gemma.persistence.service.expression.experiment.ExpressionExperimentService;
 
@@ -37,6 +39,11 @@ public ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy() {
             return new ObjectIdentityRetrievalStrategyImpl();
         }
 
+        @Bean
+        public ParentIdentityRetrievalStrategy parentObjectRetrievalStrategy() {
+            return new ParentIdentityRetrievalStrategyImpl();
+        }
+
         @Bean
         public ExpressionExperimentService expressionExperimentService() {
             return mock();
@@ -62,9 +69,18 @@ public void test() {
         aclLinterService.lintAcls( ExpressionExperiment.class, config );
         aclLinterService.lintAcls( ExpressionExperiment.class, 1L, config );
 
+        aclLinterService.lintAcls( ExpressionAnalysisResultSet.class, config );
         aclLinterService.lintAcls( ExpressionAnalysisResultSet.class, 1L, config );
+
+        aclLinterService.lintAcls( DifferentialExpressionAnalysis.class, config );
         aclLinterService.lintAcls( DifferentialExpressionAnalysis.class, 1L, config );
 
+        aclLinterService.lintAcls( BioAssay.class, config );
+        aclLinterService.lintAcls( BioAssay.class, 1L, config );
+
+        aclLinterService.lintAcls( BioMaterial.class, config );
+        aclLinterService.lintAcls( BioMaterial.class, 1L, config );
+
         config = AclLinterConfig.builder()
                 .lintDanglingIdentities( true )
                 .lintSecurablesLackingIdentities( true )