BI-2255 - Experimental Collaborator Micronaut Changes

[davedrp]

Description

BI-2255 - Experimental Collaborator Micronaut Changes

• Added EXPERIMENTAL_COLLABORATOR to the enum ProgramSecuredRole
• Changed ProgramSecuredRoleGroup.ALL to ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES.
• Added ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR to ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES
• Created the @ExperimentCollaboratorSecured annotation for endpoints with experimentId (or traitId)

Testing

see Acceptance Criteria in BI-2255

Checklist:

• I have performed a self-review of my own code
• I have tested my code and ensured it meets the acceptance criteria of the story
• I have tested that my code works with both the brapi-java-server and BreedBase
• I have create/modified unit tests to cover this change
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to documentation
• I have run TAF: <please include a link to TAF run>

[mlm483]

I haven't tested functionality yet, I wanted to get my change requests in ASAP.

See comments for changes, the most important of which is:

• ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES currently includes ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR and it should not.

[mlm483]

I'm concerned that defining EXPERIMENTAL_COLLABORATOR here as well as in the ProgramSecuredRole enum could lead to confusion.

[mlm483]

After seeing how this is used, I recommend deleting this file and using ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR in ExperimentCollaboratorSecuredAnnotationRule::isExperimentCoordinator instead.

[davedrp]

done.

[mlm483]

Per the Jira story, PROGRAM_SCOPED_ROLES should NOT include ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR, it should look like this:

PROGRAM_SCOPED_ROLES(List.of(ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.MEMBER, ProgramSecuredRole.BREEDER));

Technically, ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR is also program scoped... if you think of a better name than PROGRAM_SCOPED_ROLES, I'd take it.

What I was imagining when I wrote the story was that everywhere that previously used the ALL group would use the PROGRAM_SCOPED_ROLES group, and then the handful of endpoints that the Experimental Collaborator needs access to would explicitly list all of the roles. Later on, we could refactor and add back ALL to this enum to simplify those endpoints that explicitly list all of the roles, but I wanted to make sure we get the authorization logic right first.

[davedrp]

Thanks, I now understand the new role.
The recommended changes have been made.

[mlm483]

Does the Experimental Collaborator role need access to this endpoint? I think this change should be reverted.

[davedrp]

The code has been reverted.

[mlm483]

Does the addition of @ProgramSecured(...) have any effect here, given the @Secured(SecurityRule.IS_ANONYMOUS) annotation? I think this change should be reverted, or, if this endpoint actually needs to be secured (I don't think it does), the @Secured(SecurityRule.IS_ANONYMOUS) annotation should be removed.

[nickpalladino]

It also looks like the ImportControllerIntegrationTest::getSystemMappings test is failing

[davedrp]

The @ProgramSecured should not have been added. I have removed it.

[davedrp]

@nickpalladino yes it was causing a failure

[mlm483]

Remove if unused. (I think I wrote this method... it doesn't seem to be needed).

[nickpalladino]

Looks like it was probably moved to ExperimentCollaboratorSecuredAnnotationRule and updated

[davedrp]

removed

[mlm483]

Revert the changes that add SecurityService if it's not used.

[davedrp]

SecurityService is not used. It has been removed.

[mlm483]

Could you rename this method? We use the term "process" in a lot of our import code, and I think for that reason it is confusing to use it here. Something like checkAuthorization or getSecurityRuleResult would be more clear.

[davedrp]

renamed checkAuthorization

[mlm483]

Ultimately this method needs to allow Experimental Collaborator role access. You can either do that in this PR or I will make the change in BI-2258 (where I have also implemented filtering in this method).

[davedrp]

The roles now includes ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR

[mlm483]

Needs to allow Experimental Collaborator role access. You could do that in the PR or else I'll do it in BI-2258 where I've implemented filtering in this method.

[nickpalladino]

I'm seeing some integration tests failing that will need to be resolved. Some of them might be fixed by some of the suggested changes in this PR.

[dmeidlin]

When navigating to the system Programs section as a SysAdmin the back end returns a 500 response to GET calls to /v1/programs, resulting in no programs being listed.
ERROR o.b.a.v.c.InternalServerErrorHandler - Error Id: 91a2d7e4-f1a9-4527-906e-5caa9a9d0eb3
io.micronaut.http.server.exceptions.HttpServerException: Endpoint does not have program id to check roles against
at org.breedinginsight.api.auth.rules.ProgramSecuredAnnotationRule.check(ProgramSecuredAnnotationRule.java:66)
Same error also when loggin in as Program Admin and Read Only.

[davedrp]

When navigating to the system Programs section as a SysAdmin the back end returns a 500 response to GET calls to /v1/programs, resulting in no programs being listed. ERROR o.b.a.v.c.InternalServerErrorHandler - Error Id: 91a2d7e4-f1a9-4527-906e-5caa9a9d0eb3 io.micronaut.http.server.exceptions.HttpServerException: Endpoint does not have program id to check roles against at org.breedinginsight.api.auth.rules.ProgramSecuredAnnotationRule.check(ProgramSecuredAnnotationRule.java:66) Same error also when loggin in as Program Admin and Read Only.

Fixed