Add data access token user role filter feature

core/src/main/java/org/mskcc/cbio/portal/util/GlobalProperties.java

@@ -368,6 +368,12 @@ public static String parseUrl(String url)
     @Value("${download_group:}") // default is empty string
     public void setDownloadGroup(String property) { downloadGroup = property; }
 
+    public static final String DEFAULT_DAT_METHOD = "none";
+
+    private static String tokenAccessUserRole;
+    @Value("${dat.filter_user_role:}") // default is empty string
+    public void setTokenAccessUserRole(String property) { tokenAccessUserRole = property; }
+
     private static Logger LOG = LoggerFactory.getLogger(GlobalProperties.class);
     private static ConfigPropertyResolver portalProperties = new ConfigPropertyResolver();
     private static Properties mavenProperties = initializeProperties(MAVEN_PROPERTIES_FILE_NAME);
@@ -1296,4 +1302,16 @@ public static String getDownloadControl() {
             }
         }
     }
+
+    public static String getDataAccessTokenMethod() {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        String dataAccessTokenMethod = getProperty("dat.method");
+
+        if (authentication != null &&
+            StringUtils.isNotEmpty(tokenAccessUserRole)) {
+            return authentication.getAuthorities().contains(new SimpleGrantedAuthority(tokenAccessUserRole)) ? dataAccessTokenMethod : DEFAULT_DAT_METHOD;
+        } else {
+            return dataAccessTokenMethod;
+        }
+    }
 }

docs/deployment/authorization-and-authentication/Authenticating-Users-via-Tokens.md

@@ -45,6 +45,12 @@ The following properties must be present in portal.properties in order to allow
 * **Permissible Values**: jwt, uuid, oauth2, none
 * **Default Value**: none
 
+**Property**: dat.filter\_user\_role (optional)
+
+* **Description**: This property determines users access in token generation. If present, this role will be checked in user roles before generating a token.
+* **Permissible Values**: A string value.
+* **Default Value**: none
+
 **Property**: dat.unauth\_users (optional, not used for dat.method = oauth2)
 
 * **Description**: A list of users that should not be allowed to download a data access token.

portal/src/main/webapp/config_service.jsp

@@ -31,7 +31,6 @@
         String[] propNameArray = {
             "app.version",
             "app.name",
-            "dat.method",
             "oncoprint.custom_driver_annotation.binary.menu_label",
             "disabled_tabs",
             "civic.url",
@@ -204,6 +203,8 @@
         obj.put("sessionServiceEnabled", !StringUtils.isEmpty(GlobalProperties.getSessionServiceUrl()));
 
         obj.put("skin_hide_download_controls", GlobalProperties.getDownloadControl());
+        
+        obj.put("dat_method", GlobalProperties.getDataAccessTokenMethod());
 
         out.println(obj.toJSONString());
 

src/main/resources/portal.properties.EXAMPLE

@@ -171,6 +171,7 @@ dat.method=none
 dat.ttl_seconds=2592000
 dat.uuid.max_number_per_user=1
 dat.jwt.secret_key=
+dat.filter_user_role=
 
 # OAuth2 token data access settings
 #dat.oauth2.clientId=<client-id>

web/src/main/java/org/cbioportal/web/DataAccessTokenController.java

@@ -20,7 +20,7 @@
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import io.swagger.annotations.ApiParam;
-import io.swagger.models.HttpMethod;
+import org.apache.commons.lang3.StringUtils;
 import org.cbioportal.model.DataAccessToken;
 import org.cbioportal.service.DataAccessTokenService;
 import org.cbioportal.service.exception.DataAccessTokenNoUserIdentityException;
@@ -32,6 +32,7 @@
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.client.HttpClientErrorException;
@@ -54,6 +55,10 @@ public class DataAccessTokenController {
     @Value("${dat.unauth_users:anonymousUser}")
     private String[] USERS_WHO_CANNOT_USE_TOKENS;
 
+    private static String userRoleToAccessToken;
+    @Value("${download_group:}") // default is empty string
+    public void setUserRoleToAccessToken(String property) { userRoleToAccessToken = property; }
+
     @Autowired
     private DataAccessTokenService tokenService;
     private Set<String> usersWhoCannotUseTokenSet;
@@ -130,6 +135,10 @@ private String getAuthenticatedUser(Authentication authentication) {
         if (usersWhoCannotUseTokenSet.contains(username)) {
             throw new DataAccessTokenProhibitedUserException();
         }
+        if(StringUtils.isNotEmpty(userRoleToAccessToken) &&
+            !authentication.getAuthorities().contains(new SimpleGrantedAuthority(userRoleToAccessToken))) {
+            throw new DataAccessTokenProhibitedUserException();
+        }
         return username;
     }
 }

web/src/main/java/org/cbioportal/web/OAuth2DataAccessTokenController.java

@@ -35,8 +35,10 @@
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import io.swagger.annotations.ApiParam;
+import org.apache.commons.lang3.StringUtils;
 import org.cbioportal.model.DataAccessToken;
 import org.cbioportal.service.DataAccessTokenService;
+import org.cbioportal.service.exception.DataAccessTokenNoUserIdentityException;
 import org.cbioportal.service.exception.DataAccessTokenProhibitedUserException;
 import org.cbioportal.web.config.annotation.InternalApi;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -46,6 +48,7 @@
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.client.HttpClientErrorException;
@@ -76,6 +79,9 @@ public class OAuth2DataAccessTokenController {
     @Value("${dat.oauth2.clientId}")
     private String clientId;
 
+    @Value("${dat.filter_user_role:}") // default is empty string
+    private String userRoleToAccessToken;
+
     @Autowired
     private DataAccessTokenService tokenService;
     private String authorizationUrl;
@@ -98,6 +104,8 @@ public void postConstruct() throws UnsupportedEncodingException {
     public ResponseEntity<String> downloadDataAccessToken(Authentication authentication,
         HttpServletRequest request, HttpServletResponse response) throws IOException {
 
+        isUserAuthorizedToAccess(authentication);
+
         // redirect to authentication endpoint
         HttpHeaders headers = new HttpHeaders();
         headers.add("Location", authorizationUrl);
@@ -156,4 +164,15 @@ public void revokeDataAccessToken(@ApiParam(required = true, value = "token") @P
         throw new UnsupportedOperationException("this endpoint is does not apply to OAuth2 data access token method.");
     }
 
+    private void isUserAuthorizedToAccess(Authentication authentication) {
+        if (authentication == null || !authentication.isAuthenticated()) {
+            throw new DataAccessTokenNoUserIdentityException();
+        }
+
+        if(StringUtils.isNotEmpty(userRoleToAccessToken) &&
+            !authentication.getAuthorities().contains(new SimpleGrantedAuthority(userRoleToAccessToken))) {
+            throw new DataAccessTokenProhibitedUserException();
+        }
+    }
+
 }

web/src/test/java/org/cbioportal/web/DataAccessTokenControllerTest.java

@@ -37,6 +37,7 @@
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.test.util.ReflectionTestUtils;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -190,6 +191,32 @@ public void createTokenValidUserTest() throws Exception {
             .andReturn();
     }
 
+    @Test
+    public void createTokenValidUserTestWithUserRole() throws Exception {
+        ReflectionTestUtils.setField(DataAccessTokenController.class, "userRoleToAccessToken", "PLACEHOLDER_ROLE");
+        Mockito.when(tokenService.createDataAccessToken(ArgumentMatchers.anyString())).thenReturn(MOCK_TOKEN_INFO);
+        HttpSession session = getSession(MOCK_USER, MOCK_PASSWORD);
+        MvcResult result = mockMvc.perform(MockMvcRequestBuilders.post("/data-access-tokens")
+                .session((MockHttpSession) session)
+                .accept(MediaType.APPLICATION_JSON)
+                .contentType(MediaType.APPLICATION_JSON))
+            .andExpect(MockMvcResultMatchers.status().isCreated())
+            .andReturn();
+    }
+
+    @Test
+    public void createTokenUnauthorizedUserTestWithUserRole() throws Exception {
+        ReflectionTestUtils.setField(DataAccessTokenController.class, "userRoleToAccessToken", "TEST");
+        Mockito.when(tokenService.createDataAccessToken(ArgumentMatchers.anyString())).thenReturn(MOCK_TOKEN_INFO);
+        HttpSession session = getSession(MOCK_USER, MOCK_PASSWORD);
+        MvcResult result = mockMvc.perform(MockMvcRequestBuilders.post("/data-access-tokens")
+                .session((MockHttpSession) session)
+                .accept(MediaType.APPLICATION_JSON)
+                .contentType(MediaType.APPLICATION_JSON))
+            .andExpect(MockMvcResultMatchers.status().isUnauthorized())
+            .andReturn();
+    }
+
     /* Tests mapping for DELETE /data-access-tokens
      * Checks response status code is 200 success
      * Checks that correct username argument is passed to service class