Enhance Roles with granular Admin roles and multiple Sites; (DOECODE-798)

Author: sowerstl

src/main/java/gov/osti/entity/UserRole.java

@@ -0,0 +1,158 @@
+/*
+ */
+package gov.osti.entity;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import java.io.Serializable;
+import java.util.Objects;
+import java.util.List;
+import java.util.ArrayList;
+import javax.persistence.EntityManager;
+import gov.osti.listeners.DoeServletContextListener;
+import javax.persistence.TypedQuery;
+
+/**
+ * A Generic Identifier for role; includes Admin and Standard roles.
+ * 
+ * @author sowerst
+ */
+@JsonIgnoreProperties ( ignoreUnknown = true )
+public class UserRole implements Serializable {
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * Enumeration of valid Admin Roles for a Role.
+     */
+    public static enum RoleType {
+        ADMIN, STANDARD;
+    }
+
+    private String value;
+    private String label;
+    private String description;
+
+    public UserRole() {
+
+    }
+
+    public UserRole(String value, String label, String description) {
+        this.setValue(value);
+        this.setLabel(label);
+        this.setDescription(description);
+    }
+
+    /**
+     * @return the value
+     */
+    public String getValue() {
+        return value;
+    }
+
+    /**
+     * @param value the value to set
+     */
+    public void setValue(String value) {
+        this.value = value;
+    }
+
+    /**
+     * @return the value
+     */
+    public String getLabel() {
+        return label;
+    }
+
+    /**
+     * @param value the value to set
+     */
+    public void setLabel(String value) {
+        this.label = value;
+    }
+
+    /**
+     * @return the value
+     */
+    public String getDescription() {
+        return description;
+    }
+
+    /**
+     * @param value the value to set
+     */
+    public void setDescription(String value) {
+        this.description = value;
+    }
+
+    public static List<UserRole> GetRoles(RoleType roleType) {
+        List<UserRole> roles = new ArrayList<>();
+        if (RoleType.ADMIN.equals(roleType)) {
+            roles.add(new UserRole("RecordAdmin", "Record Admin", "Permission to edit any project, regardless of Site affiliation."));
+            roles.add(new UserRole("SiteAdmin", "Site Admin", "Permission to edit any Site and POC notifications."));
+            roles.add(new UserRole("UserAdmin", "User Admin", "Permission to edit any User information and Role associations."));
+            roles.add(new UserRole("ApprovalAdmin", "Approval Admin", "Permission to approve any project for biblio indexing."));
+            roles.add(new UserRole("ContentAdmin", "Content Admin", "Permission to access content controls, such as Refresh, Reindex, etc."));
+        }
+        else if (RoleType.STANDARD.equals(roleType)) {
+            EntityManager em = DoeServletContextListener.createEntityManager();        
+            try {
+                // get ALL SITES
+                TypedQuery<Site> query = em.createNamedQuery("Site.findAll", Site.class);
+                List<Site> siteList = query.getResultList();
+    
+                for (Site site:siteList) {
+                    String code = site.getSiteCode();
+                    String lab = site.getLab();
+                    roles.add(new UserRole(code, code, lab));
+                }
+            } finally {
+                em.close();
+            }
+        }
+
+        return roles;
+    }
+
+    public static List<String> GetRoleList(RoleType roleType) {
+        List<String> roles = new ArrayList<>();
+        if (RoleType.ADMIN.equals(roleType)) {
+            roles.add("RecordAdmin");
+            roles.add("SiteAdmin");
+            roles.add("UserAdmin");
+            roles.add("ApprovalAdmin");
+            roles.add("ContentAdmin");
+        }
+        else if (RoleType.STANDARD.equals(roleType)) {
+            EntityManager em = DoeServletContextListener.createEntityManager();        
+            try {
+                // get ALL SITES
+                TypedQuery<Site> query = em.createNamedQuery("Site.findAll", Site.class);
+                List<Site> siteList = query.getResultList();
+    
+                for (Site site:siteList) {
+                    roles.add(site.getSiteCode());
+                }
+            } finally {
+                em.close();
+            }
+        }
+    
+        return roles;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (o instanceof UserRole ) {
+            return ((UserRole)o).getValue().equals(getValue());
+        }
+
+        return false;
+    }
+
+    @Override
+    public int hashCode() {
+        int hash = 7;
+        hash = 83 * hash + Objects.hashCode(this.value);
+        return hash;
+    }
+
+}

src/main/java/gov/osti/services/Authentication.java

@@ -231,7 +231,7 @@ public Response listCodeGovData()
     @Path("/listrecords")
     @Produces(MediaType.APPLICATION_JSON)
     @RequiresAuthentication
-    @RequiresRoles("OSTI")
+    @RequiresRoles("ContentAdmin")
     public Response listApprovedSnapshots()
             throws JsonProcessingException {
         EntityManager em = DoeServletContextListener.createEntityManager();

src/main/java/gov/osti/services/CodeGov.java

@@ -35,6 +35,8 @@
 import gov.osti.entity.Site;
 import gov.osti.entity.SponsoringOrganization;
 import gov.osti.entity.User;
+import gov.osti.entity.UserRole;
+import gov.osti.entity.UserRole.RoleType;
 import gov.osti.indexer.AgentSerializer;
 import gov.osti.listeners.DoeServletContextListener;
 import java.io.File;
@@ -304,7 +306,7 @@ public Response reserveDoi() throws IOException {
      * to succeeding.
      *
      * Ownership is defined as:  owner and user email match, OR user's roles
-     * include the SITE OWNERSHIP CODE of the record, OR user has the "OSTI"
+     * include the SITE OWNERSHIP CODE of the record, OR user has the "RecordAdmin"
      * special administrative role.
      * Result Codes:
      * 200 - OK, with JSON containing the metadata information
@@ -343,7 +345,7 @@ public Response getSingleRecord(@PathParam("codeId") Long codeId, @QueryParam("f
 
         // do you have permissions to get this?
         if ( !user.getEmail().equals(md.getOwner()) &&
-             !user.hasRole("OSTI") &&
+             !user.hasRole("RecordAdmin") &&
              !user.hasRole(md.getSiteOwnershipCode()))
             return ErrorResponse
                     .forbidden("Permission denied.")
@@ -478,20 +480,22 @@ public Response listProjects(
 
         try {
             Set<String> roles = user.getRoles();
-            String rolecode = (null==roles) ? "" :
-               (roles.isEmpty()) ? "" : roles.iterator().next();
+
+            List<String> allowedSites = UserRole.GetRoleList(RoleType.STANDARD);
+            allowedSites.retainAll(roles);
 
             TypedQuery<DOECodeMetadata> query;
             // admins see ALL PROJECTS
-            if ("OSTI".equals(rolecode)) {
+            if (roles.contains("RecordAdmin")) {
                 query = em.createQuery("SELECT md FROM DOECodeMetadata md", DOECodeMetadata.class);
-            } else if (StringUtils.isNotEmpty(rolecode)) {
-                // if you have another ROLE, it is assumed to be a SITE ADMIN; see all those records
-                query = em.createQuery("SELECT md FROM DOECodeMetadata md WHERE md.siteOwnershipCode = :site", DOECodeMetadata.class)
-                        .setParameter("site", rolecode);
+            } else if (!allowedSites.isEmpty()) {
+                // if you have any allowed site ROLE, it is assumed to be a SITE ADMIN; see all those records plus their own
+                query = em.createQuery("SELECT md FROM DOECodeMetadata md WHERE md.owner = :owner OR md.siteOwnershipCode IN :site", DOECodeMetadata.class)
+                        .setParameter("owner", user.getEmail())
+                        .setParameter("site", allowedSites);
             } else {
                 // no roles, you see only YOUR OWN projects
-                query = em.createQuery("SELECT md FROM DOECodeMetadata md WHERE md.owner = lower(:owner)", DOECodeMetadata.class)
+                query = em.createQuery("SELECT md FROM DOECodeMetadata md WHERE md.owner = :owner", DOECodeMetadata.class)
                         .setParameter("owner", user.getEmail());
             }
 
@@ -597,7 +601,7 @@ public Response listProjects(
     @Consumes (MediaType.APPLICATION_JSON)
     @Produces (MediaType.APPLICATION_JSON)
     @RequiresAuthentication
-    @RequiresRoles("OSTI")
+    @RequiresRoles("ApprovalAdmin")
     public Response listProjectsPending(@QueryParam("start") int start,
                                         @QueryParam("rows") int rows,
                                         @QueryParam("site") String siteCode,
@@ -765,7 +769,7 @@ private void store(EntityManager em, DOECodeMetadata md, User user) throws NotFo
 
         // must be OSTI user in order to add/update PROJECT KEYWORDS
         List<String> projectKeywords = md.getProjectKeywords();
-        if (projectKeywords != null && !projectKeywords.isEmpty() && !user.hasRole("OSTI"))
+        if (projectKeywords != null && !projectKeywords.isEmpty() && !user.hasRole("RecordAdmin"))
             throw new ValidationException("Project Keywords can only be set by authorized users.");
 
         // if there's a CODE ID, attempt to look up the record first and
@@ -789,7 +793,7 @@ private void store(EntityManager em, DOECodeMetadata md, User user) throws NotFo
                 // must be the OWNER, SITE ADMIN, or OSTI in order to UPDATE
                 if (!user.getEmail().equals(emd.getOwner()) &&
                      !user.hasRole(emd.getSiteOwnershipCode()) &&
-                     !user.hasRole("OSTI"))
+                     !user.hasRole("RecordAdmin"))
                     throw new IllegalAccessException("Invalid access attempt.");
 
                 // to Save, item must be non-existant, or already in Saved workflow status (if here, we know it exists)
@@ -1992,7 +1996,7 @@ public Response save(@FormDataParam("metadata") String metadata,
     @Produces (MediaType.APPLICATION_JSON)
     @Path ("/reindex")
     @RequiresAuthentication
-    @RequiresRoles ("OSTI")
+    @RequiresRoles ("ContentAdmin")
     public Response reindex() throws IOException {
         EntityManager em = DoeServletContextListener.createEntityManager();
 
@@ -2022,7 +2026,7 @@ public Response reindex() throws IOException {
     @Produces(MediaType.APPLICATION_JSON)
     @Path("/refresh")
     @RequiresAuthentication
-    @RequiresRoles("OSTI")
+    @RequiresRoles("ContentAdmin")
     public Response refresh() throws Exception {
         try {
             DoeServletContextListener.refreshCaches();
@@ -2054,7 +2058,7 @@ public Response refresh() throws Exception {
     @Path ("/approve/{codeId}")
     @Produces (MediaType.APPLICATION_JSON)
     @RequiresAuthentication
-    @RequiresRoles("OSTI")
+    @RequiresRoles("ApprovalAdmin")
     public Response approve(@PathParam("codeId") Long codeId) {
         EntityManager em = DoeServletContextListener.createEntityManager();
         Subject subject = SecurityUtils.getSubject();

src/main/java/gov/osti/services/Metadata.java

@@ -58,7 +58,7 @@ public SiteServices() {
      */
     @GET
     @RequiresAuthentication
-    @RequiresRoles("OSTI")
+    @RequiresRoles("SiteAdmin")
     @Consumes({MediaType.TEXT_HTML, MediaType.APPLICATION_JSON})
     @Produces(MediaType.APPLICATION_JSON)
     @Path("/info")
@@ -98,7 +98,7 @@ public Response getAllSiteInfo() {
      */
     @GET
     @RequiresAuthentication
-    @RequiresRoles("OSTI")
+    @RequiresRoles("SiteAdmin")
     @Consumes({MediaType.TEXT_HTML, MediaType.APPLICATION_JSON})
     @Produces(MediaType.APPLICATION_JSON)
     @Path("/info/{site}")
@@ -149,7 +149,7 @@ public Response getSpecificSiteInfo(@PathParam("site") String siteCode) {
      */
     @POST
     @RequiresAuthentication
-    @RequiresRoles("OSTI")
+    @RequiresRoles("SiteAdmin")
     @Produces(MediaType.APPLICATION_JSON)
     @Consumes(MediaType.APPLICATION_JSON)
     @Path("/update")