Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Attribute based access control implementation #398

Merged
merged 148 commits into from Dec 1, 2023
Merged

Attribute based access control implementation #398

merged 148 commits into from Dec 1, 2023

Conversation

litvinovg
Copy link
Contributor

@litvinovg litvinovg commented Jun 14, 2023
edited by gneissone

VIVO GitHub issue

VIVO PR

What does this pull request do?

Re-implements authorization subsystem to use attribute based access control allowing to define flexible access rules:
For example rules that only apply to certain roles and or conditions computed by SPARQL queries.
Provides the same interface to control access to entities as was provided in Advanced Role Management PR

Policy logic

Policy configuration contains set of access rules, each access rule has attributes. If attributes match, then rule is enforced to authorize or not authorize request. If at least one of attributes didn't match, then the rule is skipped.
Policies can be prioritized by setting priority to a long value. By default policy priority is 0.
Attribute matching is firstly done for less computation expensive attributes:

  1. Equality checks
  2. Contains in set checks
  3. Attributes that use SPARQL to check matching.

What's new?

  • A new graph http://vitro.mannlib.cornell.edu/default/access-control has been created to store access control configurations.
  • Created Dynamic policies to be loaded from graph configurations that replaced old policies in java files, stored in accessControl/firsttime/ directory.
  • Created PolicyStore instead of PolicyList to store policy instances
  • Permissions were converted into simple permission policies.
  • Policies were converted into dynamic policy configurations in n3 files.
  • AuthorizationRequests was refactored to only serve as a container for authorization request, action classes were converted into access objects.
  • Created access rules
  • Removed outdated identifier factories
  • Created attributes, attribute types, access objects
  • All java policies were replaced by dynamically loaded policy configuration from n3 files.
  • Fixed authorization requests to provide more information
  • Some singleton classes were refactored to remove not needed dependencies on servlet context.
  • Created code to load policies and update test data sets in policies.
  • Created migration code for migrations from annotation based authorization currently in use in Vitro and VIVO
  • Created migration code for migrations from ARM based authorization used by some Vitro and VIVO community members.
  • Test were created to test policy loading and migration

How should this be tested?

There are 2 ways to test it:

  • Migration from currently in use VIVO instance
    Apply changes in PR for Vitro and for VIVO, build and deploy your VIVO.
    Check if access works the same as it worked before for object properties, data properties, faux object properties and faux data properties.
    If you want to try new policies, try edit policies in firsttime directory, reload VIVO and see results.
  • Migration from Advanced role management
    Apply changes in PR for Vitro and for VIVO
    Make sure to retain entity permission configurations you had in auth firsttime folder you used for ARM for conversion of ARM permissions into policy datasets.
    Build and deploy your VIVO.
    Check if access works the same as it worked in ARM. Standard VIVO checks are required to test this PR.
    If you want to try new policies, try edit policies in firsttime directory, reload VIVO and see results.

Additional notes

  • Documentation will need to be updated.

Interested parties

@chenejac @vivo-project/vivo-committers

This was referenced Jun 14, 2023
Merged
Closed
@chenejac chenejac requested review from chenejac and a user August 17, 2023 14:58
chenejac
chenejac requested changes Aug 29, 2023
View reviewed changes
Copy link
Contributor

@chenejac chenejac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@litvinovg all your works are great, but this one is amazing. I really like level of tests you covered auth module, as well as comments you added in some classes. I have noticed that License preamble is missing in a lot of Java files as well as ending empty line. Moreover you can find my other comments in my review.

home/src/main/resources/rdf/auth/firsttime/permission_config.n3 Outdated Show resolved Hide resolved
home/src/main/resources/rdf/accessControl/firsttime/attribute_types.n3 Outdated Show resolved Hide resolved
api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/migration/configuration.n3 Outdated Show resolved Hide resolved
home/src/main/resources/rdf/accessControl/firsttime/decisions.n3 Outdated Show resolved Hide resolved
home/src/main/resources/rdf/accessControl/firsttime/ontology.n3 Outdated Show resolved Hide resolved
...main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/AndAuthorizationRequest.java Show resolved Hide resolved
api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/rules/AccessRuleFactory.java Outdated Show resolved Hide resolved
...main/java/edu/cornell/mannlib/vitro/webapp/controller/individual/IndividualRdfAssembler.java Outdated Show resolved Hide resolved
api/src/main/java/edu/cornell/mannlib/vitro/webapp/servlet/setup/ConfigurationModelsSetup.java Outdated Show resolved Hide resolved
...src/test/java/stubs/edu/cornell/mannlib/vitro/webapp/modelaccess/ModelAccessFactoryStub.java Outdated Show resolved Hide resolved
@chenejac chenejac linked an issue Aug 31, 2023 that may be closed by this pull request
VIVO-206: Implement statement-level authorization control on PrimitiveDelete vivo-project/VIVO#1898
Closed
chenejac
chenejac previously approved these changes Sep 12, 2023
View reviewed changes
Copy link
Contributor

@chenejac chenejac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@litvinovg well done. After additional discussion about the ontology, I think this might be ready for merging.

@litvinovg
abac cleaned, squashed
731b115
@litvinovg
and authorization request
0f7e0c0
@litvinovg
reverted page controller modifications
d25f027
@litvinovg
removed AccessRullStore with tests
88d69c3
@litvinovg
proximity checker fixes
b1e033e
@litvinovg
fix for prev commit
48532d2
@litvinovg
new rules in amdin update object property policy, debug statements
757825c
@litvinovg
Created faux object/data property/property statement access objects
6b81737
@litvinovg
refactoring and cleanup
fba625b
@litvinovg
implemented getUri methods in access objects
63be928
@litvinovg
created editable pages policy
84f599c
@litvinovg
fixed update admin policies
f011d36
@litvinovg
fixed debug log in entity policy controller
18d364c
@litvinovg
Added migration script from upstream, faux property policies, tests
2321c49
@litvinovg
RDFService
c020408
@litvinovg
moved policy configurations from everytime
72a1653
@litvinovg
fixed faux property policies, fixed faux property assignment in web i…
6ee958b 
…nterface
@litvinovg
created special graph for access control configurations
fc1d998
@litvinovg
remove values in annotation migration
0d7086f
@litvinovg
refactoring AuthMigrator
a98f5e0
@litvinovg
renamed access:policyDataSet to access:hasDataSet
f173919
@litvinovg
renamed PolicyDataSet to DataSet
1164640
@litvinovg
renamed :dataSetTemplateKey to hasDataSetTemplateKey
c72fa70
@litvinovg
renamed :dataSetKey to hasDataSetKey and :dataSetKeyTemplate to :hasD…
9cdd825 
…ataSetKeyTemplate
@litvinovg
renamed :templateKey to hasTemplateKeyComponent
c6cbfae
@litvinovg
renamed :keyComponent to :hasKeyComponent and :keyComponentTemplate t…
dce9e8c 
…o :hasKeyComponentTemplate
@litvinovg
renamed :dataSetValues to :hasRelatedValueSet
2354c25
@litvinovg
Created subclasses of :AttributeValuePattern : :AttributeUriValue, :S…
145ac5a 
…parqlSelectValuesQuery, :AttributeValuePrefix
@litvinovg
fix: reuse role value pattern if it is already exists on new data set…
5d457cd 
… creation.
@litvinovg
Added rdfs:label as default value to object property template value sets
6423a09
@litvinovg
improved simple permission migrator logging
6377d21
@litvinovg
fixed ARM migrator test
87d63f8
@litvinovg
improved logging in PolicyDecisionLogger
305bea5
@litvinovg
Split editable pages policy into policy for self editors and policy f…
e6e73e3 
…or other roles.
@litvinovg
set correct range for value property
0873154
@litvinovg
moved proxymity query
a556de2
@litvinovg
Renamed property access:attribute to access:hasTypeToCheck
45eaf1e
@litvinovg
Renamed property access:decision to access:hasDecision
6c65b60
@litvinovg
Allow rdfs:label on ARM migration
434a557
@litvinovg
fix: renamed Vitro value sets for rdfs:label data property
978a2d5
@litvinovg
fix: do not create of new array list on each request
3906ee4
@litvinovg
checkstyle fix for prev commit
131ffb4
chenejac
chenejac requested changes Dec 1, 2023
View reviewed changes
Copy link
Contributor

@chenejac chenejac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@litvinovg please check one my suggestion

.../cornell/mannlib/vitro/webapp/web/templatemodels/individual/BaseIndividualTemplateModel.java Outdated
@@ -120,7 +120,7 @@ public GroupedPropertyList getPropertyList() {
*/
public boolean isEditable() {
ObjectPropertyStatementAccessObject aops = new ObjectPropertyStatementAccessObject(vreq.getJenaOntModel(), individual.getURI(), SOME_PREDICATE, SOME_URI);
SimpleAuthorizationRequest addSomeObjectProperty = new SimpleAuthorizationRequest(aops, AccessOperation.ADD);
SimpleAuthorizationRequest addSomeObjectProperty = new SimpleAuthorizationRequest(aops, AccessOperation.EDIT);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
SimpleAuthorizationRequest addSomeObjectProperty = new SimpleAuthorizationRequest(aops, AccessOperation.EDIT);
SimpleAuthorizationRequest editSomeObjectProperty = new SimpleAuthorizationRequest(aops, AccessOperation.EDIT);

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renamed variable

chenejac
chenejac approved these changes Dec 1, 2023
View reviewed changes
Copy link
Contributor

@chenejac chenejac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@litvinovg well done. It was really a complex PR and you made it.

@chenejac chenejac merged commit 5bc701e into vivo-project:main Dec 1, 2023
1 check passed
@chenejac chenejac linked an issue Dec 1, 2023 that may be closed by this pull request
VIVO-1436: Advanced role management vivo-project/VIVO#3027
Closed
This was referenced Dec 7, 2023
Open
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matthiasluehr matthiasluehr matthiasluehr left review comments

@chenejac chenejac chenejac approved these changes

@ivanmrsulja ivanmrsulja ivanmrsulja approved these changes

@brianjlowe brianjlowe Awaiting requested review from brianjlowe

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
5 participants
@litvinovg @brianjlowe @chenejac @ivanmrsulja @matthiasluehr