S-ResearchStack
diff --git a/‎.gitignore
+6 b/‎.gitignore
+6
diff --git a/‎account-role/src/main/kotlin/com/samsung/healthcare/account/application/accesscontrol/AccessControlAspect.kt
+20-23 b/‎account-role/src/main/kotlin/com/samsung/healthcare/account/application/accesscontrol/AccessControlAspect.kt
+20-23
diff --git a/‎account-role/src/main/kotlin/com/samsung/healthcare/account/domain/Account.kt
+2-2 b/‎account-role/src/main/kotlin/com/samsung/healthcare/account/domain/Account.kt
+2-2
diff --git a/‎account-role/src/main/kotlin/com/samsung/healthcare/account/domain/GrantedAuthorities.kt
+41-3 b/‎account-role/src/main/kotlin/com/samsung/healthcare/account/domain/GrantedAuthorities.kt
+41-3
diff --git a/‎account-role/src/main/kotlin/com/samsung/healthcare/account/domain/Role.kt
+48-15 b/‎account-role/src/main/kotlin/com/samsung/healthcare/account/domain/Role.kt
+48-15
diff --git a/‎account-role/src/main/kotlin/com/samsung/healthcare/account/domain/RoleFactory.kt
+10-8 b/‎account-role/src/main/kotlin/com/samsung/healthcare/account/domain/RoleFactory.kt
+10-8
diff --git a/‎account-role/src/test/kotlin/com/samsung/healthcare/account/application/accesscontrol/AccessControlAspectTest.kt
+18-18 b/‎account-role/src/test/kotlin/com/samsung/healthcare/account/application/accesscontrol/AccessControlAspectTest.kt
+18-18
@@ -35,3 +35,9 @@ out/
 
 ### VS Code ###
 .vscode/
+
+### deploy
+**/deploy/
+
+### gen
+branch-logic-engine/**/gen/
@@ -1,10 +1,10 @@
 package com.samsung.healthcare.account.application.accesscontrol
 
 import com.samsung.healthcare.account.application.context.ContextHolder
-import com.samsung.healthcare.account.domain.AccessProjectAuthority
 import com.samsung.healthcare.account.domain.Account
 import com.samsung.healthcare.account.domain.AssignRoleAuthority
 import com.samsung.healthcare.account.domain.GlobalAuthority
+import com.samsung.healthcare.account.domain.ProjectAuthority
 import com.samsung.healthcare.account.domain.Role.ProjectRole
 import org.aspectj.lang.ProceedingJoinPoint
 import org.aspectj.lang.annotation.Around
@@ -22,7 +22,7 @@ class AccessControlAspect {
     fun withAuthorize(joinPoint: ProceedingJoinPoint, requires: Requires): Any {
         return ContextHolder.getAccount()
             .switchIfEmpty { Mono.error(IllegalAccessException()) }
-            .map { account -> checkRoles(account, requires, joinPoint) }
+            .map { account -> checkAuthorities(account, requires, joinPoint) }
             .onErrorMap { ex -> ex.printStackTrace(); IllegalAccessException() }
             .then(proceed(joinPoint))
     }
@@ -33,45 +33,42 @@ class AccessControlAspect {
         }
     }
 
-    private fun checkRoles(account: Account, requires: Requires, joinPoint: ProceedingJoinPoint) {
+    private fun checkAuthorities(account: Account, requires: Requires, joinPoint: ProceedingJoinPoint) {
         checkGlobalAuthorities(account, requires)
         checkProjectAuthorities(account, requires, joinPoint)
     }
 
     private fun checkProjectAuthorities(account: Account, requires: Requires, joinPoint: ProceedingJoinPoint) {
-        checkAccessProjectAuthorities(account, requires, joinPoint)
-        checkAssignRoleAuthorities(account, requires, joinPoint)
-    }
-
-    private fun checkAccessProjectAuthorities(account: Account, requires: Requires, joinPoint: ProceedingJoinPoint) {
-        val projectIds = joinPoint.args.filterIsInstance(String::class.java)
-        checkPermissions(account, requires, projectIds, AccessProjectAuthority::class)
+        val requiredAuthorities = requires.authorities.toSet()
+            .filter { it.isSubclassOf(ProjectAuthority::class) }
+        if (requiredAuthorities.any { it.isSubclassOf(AssignRoleAuthority::class) })
+            checkAssignRoleAuthorities(account, joinPoint)
+        else {
+            val projectIds = joinPoint.args.filterIsInstance(String::class.java)
+            requiredAuthorities.forEach {
+                checkPermissions(account, it, projectIds)
+            }
+        }
     }
 
-    private fun checkAssignRoleAuthorities(account: Account, requires: Requires, joinPoint: ProceedingJoinPoint) {
+    private fun checkAssignRoleAuthorities(account: Account, joinPoint: ProceedingJoinPoint) {
         val projectIds = joinPoint.args.filterIsInstance(Collection::class.java)
             .flatten()
             .filterIsInstance(ProjectRole::class.java)
             .map { it.projectId }
-        checkPermissions(account, requires, projectIds, AssignRoleAuthority::class)
+        checkPermissions(account, AssignRoleAuthority::class, projectIds)
     }
 
     private fun checkPermissions(
         account: Account,
-        requires: Requires,
+        authorityClass: KClass<*>,
         projectIds: List<String>,
-        authorityClass: KClass<*>
     ) {
-        val hasAllPermissions = requires.authorities
-            .filter { it.isSubclassOf(authorityClass) }
-            .flatMap { kClass ->
-                projectIds.map {
-                    kClass.primaryConstructor!!.call(it)
-                }
-            }
-            .all { authority -> account.hasPermission(authority as GrantedAuthority) }
+        val hasPermission = projectIds.map {
+            authorityClass.primaryConstructor!!.call(it)
+        }.all { authority -> account.hasPermission(authority as GrantedAuthority) }
 
-        if (!hasAllPermissions) throw IllegalAccessException()
+        if (!hasPermission) throw IllegalAccessException()
     }
 
     private fun checkGlobalAuthorities(account: Account, requires: Requires) {
 
@@ -1,7 +1,7 @@
 package com.samsung.healthcare.account.domain
 
 import com.samsung.healthcare.account.domain.Role.ProjectRole
-import com.samsung.healthcare.account.domain.Role.ProjectRole.ProjectOwner
+import com.samsung.healthcare.account.domain.Role.ProjectRole.StudyCreator
 import com.samsung.healthcare.account.domain.Role.ServiceAccount
 import org.springframework.security.core.GrantedAuthority
 
@@ -12,7 +12,7 @@ data class Account(
     val profiles: Map<String, Any> = emptyMap()
 ) {
     fun canAssignProjectRole(projectId: String): Boolean =
-        roles.filterIsInstance<ProjectOwner>()
+        roles.filterIsInstance<StudyCreator>()
             .any { it.canAccessProject(projectId) }
 
     fun canCreateRole(): Boolean =
 
@@ -15,11 +15,49 @@ object CreateRoleAuthority : GlobalAuthority {
 interface ProjectAuthority : GrantedAuthority
 
 data class AssignRoleAuthority(val projectId: String) : ProjectAuthority {
-
     override fun getAuthority(): String = "assign-role:$projectId"
 }
 
-data class AccessProjectAuthority(val projectId: String) : ProjectAuthority {
+data class ReadStudyOverviewAuthority(val projectId: String) : ProjectAuthority {
+    override fun getAuthority(): String = "read-study-overview:$projectId"
+}
+
+data class ReadParticipantDataAuthority(val projectId: String) : ProjectAuthority {
+    override fun getAuthority(): String = "read-participant-data:$projectId"
+}
+
+data class ReadDeIdentifiedParticipantDataAuthority(val projectId: String) : ProjectAuthority {
+    override fun getAuthority(): String = "read-de-identified-participant-data:$projectId"
+}
+
+data class AccessInLabVisitAuthority(val projectId: String) : ProjectAuthority {
+    override fun getAuthority(): String = "access-in-lab-visit:$projectId"
+}
+
+data class AccessTaskAuthority(val projectId: String) : ProjectAuthority {
+    override fun getAuthority(): String = "access-task:$projectId"
+}
+
+data class AccessDocumentAuthority(val projectId: String) : ProjectAuthority {
+    override fun getAuthority(): String = "access-document:$projectId"
+}
+
+data class ReadAggSensorDataAuthority(val projectId: String) : ProjectAuthority {
+    override fun getAuthority(): String = "read-aggregated-sensor-data:$projectId"
+}
+
+data class QueryRawDataAuthority(val projectId: String) : ProjectAuthority {
+    override fun getAuthority(): String = "query-raw-data:$projectId"
+}
+
+data class QueryDeIdentifiedDataAuthority(val projectId: String) : ProjectAuthority {
+    override fun getAuthority(): String = "query-de-identified-data:$projectId"
+}
+
+data class ReadProjectMemberAuthority(val projectId: String) : ProjectAuthority {
+    override fun getAuthority(): String = "read-project-member:$projectId"
+}
 
-    override fun getAuthority(): String = "access-project:$projectId"
+data class AccessProjectMemberAuthority(val projectId: String) : ProjectAuthority {
+    override fun getAuthority(): String = "access-project-member:$projectId"
 }
@@ -6,9 +6,10 @@ sealed class Role private constructor(val roleName: String) {
     companion object {
         const val TEAM_ADMIN = "team-admin"
         const val SERVICE_ACCOUNT = "service-account"
-        const val PROJECT_OWNER = "project-owner"
-        const val HEAD_RESEARCHER = "head-researcher"
-        const val RESEARCHER = "researcher"
+        const val STUDY_CREATOR = "study-creator"
+        const val PRINCIPAL_INVESTIGATOR = "principal-investigator"
+        const val RESEARCH_ASSISTANT = "research-assistant"
+        const val DATA_SCIENTIST = "data-scientist"
     }
 
     abstract val authorities: Collection<GrantedAuthority>
@@ -39,33 +40,65 @@ sealed class Role private constructor(val roleName: String) {
 
         fun canAccessProject(pid: String): Boolean = projectId == pid
 
-        class ProjectOwner(projectId: String) : ProjectRole(projectId, PROJECT_OWNER) {
+        class StudyCreator(projectId: String) : ProjectRole(projectId, STUDY_CREATOR) {
             override val authorities: Collection<GrantedAuthority> = listOf(
                 AssignRoleAuthority(projectId),
-                AccessProjectAuthority(projectId)
+                ReadStudyOverviewAuthority(projectId),
+                ReadParticipantDataAuthority(projectId),
+                ReadDeIdentifiedParticipantDataAuthority(projectId),
+                AccessInLabVisitAuthority(projectId),
+                AccessTaskAuthority(projectId),
+                AccessDocumentAuthority(projectId),
+                ReadAggSensorDataAuthority(projectId),
+                QueryRawDataAuthority(projectId),
+                QueryDeIdentifiedDataAuthority(projectId),
+                ReadProjectMemberAuthority(projectId),
+                AccessProjectMemberAuthority(projectId),
             )
         }
 
-        class HeadResearcher(projectId: String) : ProjectRole(projectId, HEAD_RESEARCHER) {
+        class PrincipalInvestigator(projectId: String) : ProjectRole(projectId, PRINCIPAL_INVESTIGATOR) {
             override val authorities: Collection<GrantedAuthority> = listOf(
                 AssignRoleAuthority(projectId),
-                AccessProjectAuthority(projectId)
+                ReadStudyOverviewAuthority(projectId),
+                ReadParticipantDataAuthority(projectId),
+                ReadDeIdentifiedParticipantDataAuthority(projectId),
+                AccessInLabVisitAuthority(projectId),
+                AccessTaskAuthority(projectId),
+                AccessDocumentAuthority(projectId),
+                ReadAggSensorDataAuthority(projectId),
+                QueryRawDataAuthority(projectId),
+                QueryDeIdentifiedDataAuthority(projectId),
+                ReadProjectMemberAuthority(projectId),
+                AccessProjectMemberAuthority(projectId),
             )
         }
 
-        class Researcher(projectId: String) : ProjectRole(projectId, RESEARCHER) {
+        class ResearchAssistant(projectId: String) : ProjectRole(projectId, RESEARCH_ASSISTANT) {
             override val authorities: Collection<GrantedAuthority> = listOf(
-                AccessProjectAuthority(projectId)
+                ReadStudyOverviewAuthority(projectId),
+                ReadParticipantDataAuthority(projectId),
+                ReadDeIdentifiedParticipantDataAuthority(projectId),
+                AccessInLabVisitAuthority(projectId),
+                AccessTaskAuthority(projectId),
+                AccessDocumentAuthority(projectId),
+                ReadAggSensorDataAuthority(projectId),
+                QueryRawDataAuthority(projectId),
+                QueryDeIdentifiedDataAuthority(projectId),
+                ReadProjectMemberAuthority(projectId),
+                AccessProjectMemberAuthority(projectId),
             )
         }
 
-        class CustomRole(projectId: String, projectRoleName: String) : ProjectRole(projectId, projectRoleName) {
-            init {
-                require(projectRoleName.isNotBlank())
-            }
-
+        class DataScientist(projectId: String) : ProjectRole(projectId, DATA_SCIENTIST) {
             override val authorities: Collection<GrantedAuthority> = listOf(
-                AccessProjectAuthority(projectId)
+                ReadStudyOverviewAuthority(projectId),
+                ReadDeIdentifiedParticipantDataAuthority(projectId),
+                AccessTaskAuthority(projectId),
+                AccessDocumentAuthority(projectId),
+                ReadAggSensorDataAuthority(projectId),
+                QueryDeIdentifiedDataAuthority(projectId),
+                ReadProjectMemberAuthority(projectId),
             )
         }
     }
 
@@ -1,10 +1,10 @@
 package com.samsung.healthcare.account.domain
 
 import com.samsung.healthcare.account.domain.Role.ProjectRole
-import com.samsung.healthcare.account.domain.Role.ProjectRole.CustomRole
-import com.samsung.healthcare.account.domain.Role.ProjectRole.HeadResearcher
-import com.samsung.healthcare.account.domain.Role.ProjectRole.ProjectOwner
-import com.samsung.healthcare.account.domain.Role.ProjectRole.Researcher
+import com.samsung.healthcare.account.domain.Role.ProjectRole.DataScientist
+import com.samsung.healthcare.account.domain.Role.ProjectRole.PrincipalInvestigator
+import com.samsung.healthcare.account.domain.Role.ProjectRole.StudyCreator
+import com.samsung.healthcare.account.domain.Role.ProjectRole.ResearchAssistant
 import com.samsung.healthcare.account.domain.Role.ServiceAccount
 import com.samsung.healthcare.account.domain.Role.TeamAdmin
 
@@ -27,11 +27,13 @@ object RoleFactory {
     }
 
     private fun createProjectRole(projectId: String, roleName: String): Role {
+        require(roleName.isNotBlank())
         return when (roleName) {
-            Role.HEAD_RESEARCHER -> HeadResearcher(projectId)
-            Role.RESEARCHER -> Researcher(projectId)
-            Role.PROJECT_OWNER -> ProjectOwner(projectId)
-            else -> CustomRole(projectId, roleName)
+            Role.PRINCIPAL_INVESTIGATOR -> PrincipalInvestigator(projectId)
+            Role.RESEARCH_ASSISTANT -> ResearchAssistant(projectId)
+            Role.STUDY_CREATOR -> StudyCreator(projectId)
+            Role.DATA_SCIENTIST -> DataScientist(projectId)
+            else -> throw IllegalArgumentException()
         }
     }
 }
@@ -3,13 +3,13 @@ package com.samsung.healthcare.account.application.accesscontrol
 import com.samsung.healthcare.account.NEGATIVE_TEST
 import com.samsung.healthcare.account.POSITIVE_TEST
 import com.samsung.healthcare.account.application.context.ContextHolder
-import com.samsung.healthcare.account.domain.AccessProjectAuthority
 import com.samsung.healthcare.account.domain.Account
 import com.samsung.healthcare.account.domain.AssignRoleAuthority
 import com.samsung.healthcare.account.domain.Email
+import com.samsung.healthcare.account.domain.ReadStudyOverviewAuthority
 import com.samsung.healthcare.account.domain.Role
-import com.samsung.healthcare.account.domain.Role.ProjectRole.ProjectOwner
-import com.samsung.healthcare.account.domain.Role.ProjectRole.Researcher
+import com.samsung.healthcare.account.domain.Role.ProjectRole.StudyCreator
+import com.samsung.healthcare.account.domain.Role.ProjectRole.ResearchAssistant
 import org.junit.jupiter.api.Tag
 import org.junit.jupiter.api.Test
 import org.springframework.aop.aspectj.annotation.AspectJProxyFactory
@@ -19,15 +19,15 @@ import reactor.test.StepVerifier
 
 interface Target {
     fun testAssignRole(roles: List<Role>): Mono<Void>
-    fun testAccessProject(projectId: String): Mono<Void>
+    fun testReadStudyOverviewAuthority(projectId: String): Mono<Void>
 }
 
 open class TestTarget : Target {
     @Requires([AssignRoleAuthority::class])
     override fun testAssignRole(roles: List<Role>) = Mono.empty<Void>()
 
-    @Requires([AccessProjectAuthority::class])
-    override fun testAccessProject(projectId: String) = Mono.empty<Void>()
+    @Requires([ReadStudyOverviewAuthority::class])
+    override fun testReadStudyOverviewAuthority(projectId: String) = Mono.empty<Void>()
 }
 
 internal class AccessControlAspectTest {
@@ -45,23 +45,23 @@ internal class AccessControlAspectTest {
         StepVerifier.create(
             withAccountContext(
                 target.testAssignRole(
-                    listOf(Researcher(projectId))
+                    listOf(ResearchAssistant(projectId))
                 ),
-                testAccount(Researcher(projectId))
+                testAccount(ResearchAssistant(projectId))
             )
         ).verifyError<IllegalAccessException>()
     }
 
     @Test
     @Tag(POSITIVE_TEST)
-    fun `should return ok when account does have project owner roles and assign researcher`() {
+    fun `should return ok when account does have study creator roles and assign research-assistant`() {
         val projectId = "project-id"
-        val roles = listOf(Researcher(projectId))
+        val roles = listOf(ResearchAssistant(projectId))
 
         StepVerifier.create(
             withAccountContext(
                 target.testAssignRole(roles),
-                testAccount(ProjectOwner(projectId))
+                testAccount(StudyCreator(projectId))
             )
         ).verifyComplete()
     }
@@ -74,7 +74,7 @@ internal class AccessControlAspectTest {
         ).verifyError<IllegalAccessException>()
 
         StepVerifier.create(
-            target.testAccessProject("project-id")
+            target.testReadStudyOverviewAuthority("project-id")
         ).verifyError<IllegalAccessException>()
     }
 
@@ -84,10 +84,10 @@ internal class AccessControlAspectTest {
         val projectId = "project-id"
         StepVerifier.create(
             withAccountContext(
-                target.testAccessProject(
+                target.testReadStudyOverviewAuthority(
                     projectId
                 ),
-                testAccount(Researcher("another-project-id"))
+                testAccount(ResearchAssistant("another-project-id"))
             )
         ).verifyError<IllegalAccessException>()
     }
@@ -99,15 +99,15 @@ internal class AccessControlAspectTest {
 
         StepVerifier.create(
             withAccountContext(
-                target.testAccessProject(projectId),
-                testAccount(Researcher(projectId))
+                target.testReadStudyOverviewAuthority(projectId),
+                testAccount(ResearchAssistant(projectId))
             )
         ).verifyComplete()
 
         StepVerifier.create(
             withAccountContext(
-                target.testAccessProject(projectId),
-                testAccount(ProjectOwner(projectId))
+                target.testReadStudyOverviewAuthority(projectId),
+                testAccount(StudyCreator(projectId))
             )
         ).verifyComplete()
     }