Clickhouse only db

pom.xml

@@ -31,7 +31,7 @@
     <frontend.version>v6.4.1</frontend.version>
     <!-- THIS SHOULD BE KEPT IN SYNC TO VERSION IN CGDS.SQL -->
     <db.version>2.14.5</db.version>
-    <derived_table.version>1.0.2</derived_table.version>
+    <derived_table.version>1.0.3</derived_table.version>
 
     <!-- Version properties for dependencies that should have same version. -->
     <!-- The rest can be set in the dependencyManagement section -->

src/main/java/org/cbioportal/application/rest/mapper/CancerStudyMetadataMapper.java

@@ -14,14 +14,10 @@ public interface CancerStudyMetadataMapper {
   @Mapping(target = "importDate", source = "importDate", dateFormat = "yyyy-MM-dd HH:mm:ss")
   @Mapping(target = "studyId", source = "cancerStudyIdentifier")
   @Mapping(target = "cancerTypeId", source = "typeOfCancerId")
+  @Mapping(target = "cancerType", source = "typeOfCancer")
   // TODO: ReadPermission needs to be implemented
   @Mapping(target = "readPermission", source = "publicStudy")
   CancerStudyMetadataDTO toDto(CancerStudyMetadata cancerStudyMetadata);
 
-  @Mapping(target = "importDate", source = "importDate", dateFormat = "yyyy-MM-dd HH:mm:ss")
-  @Mapping(target = "studyId", source = "cancerStudyIdentifier")
-  @Mapping(target = "cancerTypeId", source = "typeOfCancerId")
-  // TODO: ReadPermission needs to be implemented
-  @Mapping(target = "readPermission", source = "publicStudy")
   List<CancerStudyMetadataDTO> toDtos(List<CancerStudyMetadata> cancerStudyMetadataList);
 }

src/main/java/org/cbioportal/application/rest/response/CancerStudyMetadataDTO.java

@@ -29,5 +29,5 @@ public record CancerStudyMetadataDTO(
     String referenceGenome,
     Integer treatmentCount,
     Integer structuralVariantCount,
-    TypeOfCancer typeOfCancer,
+    TypeOfCancer cancerType,
     Boolean readPermission) {}

src/main/java/org/cbioportal/application/security/README.md

@@ -0,0 +1,48 @@
+# 🛡️ Study Permission Evaluator
+
+This class is an implementation of the **Spring Security `PermissionEvaluator`** interface. Its purpose is to enforce fine-grained access control across the application's data model, ensuring that authenticated users have the required `AccessLevel` to interact with specific cancer research entities.
+
+Access control is centrally determined at the **`CancerStudy`** level. All other related entities (profiles, lists, patients) inherit their access policy from their associated study.
+
+***
+
+## Core Functionality
+
+The evaluator implements two primary permission checking methods:
+
+### 1. Object-Based Permission Check
+
+| Method | `hasPermission(Authentication, Object targetDomainObject, Object permission)` |
+| :--- | :--- |
+| **Purpose** | Checks permission on a **single, loaded domain object instance** (e.g., a `MolecularProfile` object). |
+| **Process** | It uses `extractCancerStudy()` to resolve the target object back to its parent `CancerStudy` and delegates the final access check to a business logic method (`hasAccessToCancerStudy`). |
+
+### 2. ID-Based Permission Check
+
+| Method | `hasPermission(Authentication, Serializable targetId, String targetType, Object permission)` |
+| :--- | :--- |
+| **Purpose** | Checks permission on resources identified by an **ID, a collection of IDs, or a filter object**. |
+| **Process** | It resolves the IDs/filter into a collection of unique `CancerStudy` objects. It then enforces an **all-or-nothing** policy: access is granted only if the user has permission to **every single** associated `CancerStudy`. |
+
+***
+
+## Supported Target Types
+
+The evaluator is designed to handle access checks for objects and identifiers spanning the core data model:
+
+| Target Object/ID Type | Description |
+| :--- | :--- |
+| `CancerStudy` | Direct object or ID. The root entity for access control. |
+| `MolecularProfile` | Object or ID. Access is determined by its parent study. |
+| `SampleList` | Object or ID. Access is determined by its parent study. |
+| `Patient` | Direct object. Access is determined by its parent study. |
+| `Collection<...Ids>` | A bulk check on a collection of any supported ID type. |
+| `*Filter` Objects | Various application-specific filter classes (e.g., `SampleFilter`, `StudyViewFilter`) that implicitly reference a set of `CancerStudy` IDs. |
+
+***
+
+## Dependencies
+
+* **`Authentication`**: The standard Spring Security principal representing the logged-in user.
+* **`cacheMapUtil`**: A utility used for high-performance retrieval of domain objects (like `CancerStudy`, `MolecularProfile`) by their string identifiers, crucial for efficient ID-based permission checks.
+* **`AccessLevel`**: An external enumeration (cast from the `permission` object) defining the specific level of access requested (e.g., `READ`, `WRITE`).

src/main/java/org/cbioportal/application/security/config/MethodSecurityConfig.java

@@ -14,7 +14,8 @@
 @EnableMethodSecurity(prePostEnabled = true)
 // We are allowing users to enable method_authorization if optional_oauth2 is selected
 @ConditionalOnExpression(
-    "{'oauth2','saml', 'saml_plus_basic'}.contains('${authenticate}') or ('optional_oauth2' eq '${authenticate}' and 'true' eq '${security.method_authorization_enabled}')")
+    "{'oauth2','saml', 'saml_plus_basic'}.contains('${authenticate}') or ('optional_oauth2' eq"
+        + " '${authenticate}' and 'true' eq '${security.method_authorization_enabled}')")
 public class MethodSecurityConfig {
 
   @Bean

src/main/java/org/cbioportal/domain/cancerstudy/usecase/GetCancerStudyMetadataUseCase.java

@@ -7,6 +7,7 @@
 import org.cbioportal.shared.SortAndSearchCriteria;
 import org.cbioportal.shared.enums.ProjectionType;
 import org.springframework.context.annotation.Profile;
+import org.springframework.security.access.prepost.PostFilter;
 import org.springframework.stereotype.Service;
 
 /**
@@ -25,7 +26,7 @@
  * private final GetCancerStudyMetadataUseCase getCancerStudyMetadataUseCase;
  *
  * public CancerStudyController(GetCancerStudyMetadataUseCase getCancerStudyMetadataUseCase) {
- *     this.getCancerStudyMetadataUseCase = getCancerStudyMetadataUseCase;
+ *   this.getCancerStudyMetadataUseCase = getCancerStudyMetadataUseCase;
  * }
  *
  * // Retrieve detailed metadata for cancer studies
@@ -41,7 +42,7 @@
  */
 @Service
 @Profile("clickhouse")
-public final class GetCancerStudyMetadataUseCase {
+public class GetCancerStudyMetadataUseCase {
 
   private final CancerStudyRepository studyRepository;
 
@@ -75,6 +76,8 @@ public GetCancerStudyMetadataUseCase(CancerStudyRepository studyRepository) {
    * @see ProjectionType
    * @see CancerStudyMetadata
    */
+  @PostFilter(
+      "hasPermission(filterObject, T(org.cbioportal.legacy.utils.security.AccessLevel).READ)")
   public List<CancerStudyMetadata> execute(
       ProjectionType projectionType, SortAndSearchCriteria sortAndSearchCriteria) {
     return switch (projectionType) {

src/main/java/org/cbioportal/domain/sample/usecase/GetAllSamplesInStudyUseCase.java

@@ -28,7 +28,7 @@ public List<Sample> execute(
       String sortBy,
       String direction)
       throws StudyNotFoundException {
-    studyService.getStudy(studyId);
+    studyService.studyExists(studyId);
 
     return sampleRepository.getAllSamplesInStudy(
         studyId, projection, pageSize, pageNumber, sortBy, direction);

src/main/java/org/cbioportal/domain/sample/usecase/GetMetaSamplesInStudyUseCase.java

@@ -20,7 +20,7 @@ public GetMetaSamplesInStudyUseCase(
   }
 
   public BaseMeta execute(String studyId) throws StudyNotFoundException {
-    studyService.getStudy(studyId);
+    studyService.studyExists(studyId);
 
     return sampleRepository.getMetaSamplesInStudy(studyId);
   }

src/main/java/org/cbioportal/domain/sample/usecase/GetSampleInStudyUseCase.java

@@ -21,7 +21,7 @@ public GetSampleInStudyUseCase(SampleRepository sampleRepository, StudyService s
 
   public Sample execute(String studyId, String sampleId)
       throws SampleNotFoundException, StudyNotFoundException {
-    studyService.getStudy(studyId);
+    studyService.studyExists(studyId);
     Sample sample = sampleRepository.getSampleInStudy(studyId, sampleId);
 
     if (sample == null) {

src/main/java/org/cbioportal/legacy/persistence/mybatis/ClinicalEventMapper.java

@@ -34,7 +34,7 @@ List<ClinicalEvent> getSamplesOfPatientsPerEventType(
       List<String> studyIds, List<String> sampleIds);
 
   List<ClinicalEvent> getPatientsDistinctClinicalEventInStudies(
-      List<String> studyIds, List<String> patientIds);
+      List<String> studyIds, List<String> patientIds, List<ClinicalEvent> clinicalEvents);
 
   List<ClinicalEvent> getTimelineEvents(
       List<String> studyIds, List<String> patientIds, List<ClinicalEvent> clinicalEvents);

src/main/java/org/cbioportal/legacy/persistence/mybatis/ClinicalEventMyBatisRepository.java

@@ -2,6 +2,7 @@
 
 import static java.util.stream.Collectors.groupingBy;
 
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -86,7 +87,8 @@ public Map<String, Set<String>> getSamplesOfPatientsPerEventTypeInStudy(
   @Override
   public List<ClinicalEvent> getPatientsDistinctClinicalEventInStudies(
       List<String> studyIds, List<String> patientIds) {
-    return clinicalEventMapper.getPatientsDistinctClinicalEventInStudies(studyIds, patientIds);
+    return clinicalEventMapper.getPatientsDistinctClinicalEventInStudies(
+        studyIds, patientIds, Collections.emptyList());
   }
 
   @Override

src/main/java/org/cbioportal/legacy/persistence/mybatis/GenesetMyBatisRepository.java

@@ -22,7 +22,7 @@ public List<Geneset> getAllGenesets(String projection, Integer pageSize, Integer
         projection,
         pageSize,
         PaginationCalculator.offset(pageSize, pageNumber),
-        "EXTERNAL_ID",
+        "external_id",
         "ASC");
   }
 

src/main/java/org/cbioportal/legacy/persistence/mybatis/MutationMyBatisRepository.java

@@ -62,25 +62,16 @@ public List<Mutation> getMutationsInMultipleMolecularProfiles(
       String sortBy,
       String direction) {
 
-    return molecularProfileCaseIdentifierUtil
-        .getGroupedCasesByMolecularProfileId(molecularProfileIds, sampleIds)
-        .entrySet()
-        .stream()
-        .flatMap(
-            entry ->
-                mutationMapper
-                    .getMutationsInMultipleMolecularProfiles(
-                        Arrays.asList(entry.getKey()),
-                        new ArrayList<>(entry.getValue()),
-                        entrezGeneIds,
-                        false,
-                        projection,
-                        pageSize,
-                        PaginationCalculator.offset(pageSize, pageNumber),
-                        sortBy,
-                        direction)
-                    .stream())
-        .collect(Collectors.toList());
+    return mutationMapper.getMutationsInMultipleMolecularProfiles(
+        molecularProfileIds,
+        sampleIds,
+        entrezGeneIds,
+        false,
+        projection,
+        pageSize,
+        PaginationCalculator.offset(pageSize, pageNumber),
+        sortBy,
+        direction);
   }
 
   @Override

src/main/java/org/cbioportal/legacy/persistence/mybatis/ResourceDataMapper.java

@@ -33,22 +33,4 @@ List<ResourceData> getResourceDataForStudy(
       Integer offset,
       String sortBy,
       String direction);
-
-  List<ResourceData> getResourceDataForAllPatientsInStudy(
-      String studyId,
-      String resourceId,
-      String projection,
-      Integer limit,
-      Integer offset,
-      String sortBy,
-      String direction);
-
-  List<ResourceData> getResourceDataForAllSamplesInStudy(
-      String studyId,
-      String resourceId,
-      String projection,
-      Integer limit,
-      Integer offset,
-      String sortBy,
-      String direction);
 }

src/main/java/org/cbioportal/legacy/persistence/mybatis/ResourceDataMyBatisRepository.java

@@ -86,8 +86,9 @@ public List<ResourceData> getResourceDataForAllPatientsInStudy(
       String sortBy,
       String direction) {
 
-    return resourceDataMapper.getResourceDataForAllPatientsInStudy(
+    return resourceDataMapper.getResourceDataOfPatientInStudy(
         studyId,
+        null,
         resourceId,
         projection,
         pageSize,
@@ -106,8 +107,9 @@ public List<ResourceData> getResourceDataForAllSamplesInStudy(
       String sortBy,
       String direction) {
 
-    return resourceDataMapper.getResourceDataForAllSamplesInStudy(
+    return resourceDataMapper.getResourceDataOfSampleInStudy(
         studyId,
+        null,
         resourceId,
         projection,
         pageSize,

src/main/java/org/cbioportal/legacy/persistence/mybatis/StructuralVariantMyBatisRepository.java

@@ -23,11 +23,8 @@
 
 package org.cbioportal.legacy.persistence.mybatis;
 
-import static java.util.Arrays.asList;
-
 import java.util.ArrayList;
 import java.util.List;
-import java.util.stream.Collectors;
 import org.cbioportal.legacy.model.GeneFilterQuery;
 import org.cbioportal.legacy.model.StructuralVariant;
 import org.cbioportal.legacy.model.StructuralVariantFilterQuery;
@@ -52,20 +49,8 @@ public List<StructuralVariant> fetchStructuralVariants(
     if (molecularProfileIds == null || molecularProfileIds.isEmpty()) {
       return new ArrayList<>();
     }
-    return molecularProfileCaseIdentifierUtil
-        .getGroupedCasesByMolecularProfileId(molecularProfileIds, sampleIds)
-        .entrySet()
-        .stream()
-        .flatMap(
-            entry ->
-                structuralVariantMapper
-                    .fetchStructuralVariants(
-                        asList(entry.getKey()),
-                        new ArrayList<>(entry.getValue()),
-                        entrezGeneIds,
-                        structuralVariantQueries)
-                    .stream())
-        .collect(Collectors.toList());
+    return structuralVariantMapper.fetchStructuralVariants(
+        molecularProfileIds, sampleIds, entrezGeneIds, structuralVariantQueries);
   }
 
   @Override

src/main/java/org/cbioportal/legacy/persistence/mybatis/util/SqlUtils.java

@@ -0,0 +1,44 @@
+package org.cbioportal.legacy.persistence.mybatis.util;
+
+import java.util.List;
+
+/** Utility class for SQL operations in MyBatis mappers */
+public class SqlUtils {
+
+  /**
+   * Combines study IDs and patient/sample IDs into unique keys for efficient array parameter usage.
+   * This helps optimize ClickHouse JDBC performance by reducing the number of prepared statement
+   * parameters.
+   *
+   * @param studyIds List of study identifiers
+   * @param entityIds List of patient or sample identifiers (corresponding to studyIds by index)
+   * @return Array of combined unique keys in format "studyId:entityId"
+   */
+  public static String[] combineStudyAndEntityIds(List<String> studyIds, List<String> entityIds) {
+    if (studyIds == null || entityIds == null || studyIds.size() != entityIds.size()) {
+      throw new IllegalArgumentException(
+          "studyIds and entityIds must be non-null and have the same size");
+    }
+
+    String[] combinedKeys = new String[studyIds.size()];
+    for (int i = 0; i < studyIds.size(); i++) {
+      combinedKeys[i] = studyIds.get(i) + ":" + entityIds.get(i);
+    }
+
+    return combinedKeys;
+  }
+
+  /**
+   * Converts a List of strings to a String array for use with ArrayTypeHandler. ArrayTypeHandler
+   * requires Java arrays, not ArrayList objects.
+   *
+   * @param list List of strings to convert
+   * @return Array of strings
+   */
+  public static String[] listToArray(List<String> list) {
+    if (list == null) {
+      return null;
+    }
+    return list.toArray(new String[0]);
+  }
+}

src/main/java/org/cbioportal/legacy/service/StudyService.java

@@ -31,4 +31,6 @@ List<CancerStudy> getAllStudies(
   CancerStudyTags getTags(String studyId, AccessLevel accessLevel);
 
   List<CancerStudyTags> getTagsForMultipleStudies(List<String> studyIds);
+
+  void studyExists(String studyId) throws StudyNotFoundException;
 }

src/main/java/org/cbioportal/legacy/service/impl/ClinicalAttributeServiceImpl.java

@@ -50,7 +50,7 @@ public BaseMeta getMetaClinicalAttributes() {
   public ClinicalAttribute getClinicalAttribute(String studyId, String clinicalAttributeId)
       throws ClinicalAttributeNotFoundException, StudyNotFoundException {
 
-    studyService.getStudy(studyId);
+    studyService.studyExists(studyId);
 
     ClinicalAttribute clinicalAttribute =
         clinicalAttributeRepository.getClinicalAttribute(studyId, clinicalAttributeId);
@@ -72,7 +72,7 @@ public List<ClinicalAttribute> getAllClinicalAttributesInStudy(
       String direction)
       throws StudyNotFoundException {
 
-    studyService.getStudy(studyId);
+    studyService.studyExists(studyId);
 
     return clinicalAttributeRepository.getAllClinicalAttributesInStudy(
         studyId, projection, pageSize, pageNumber, sortBy, direction);
@@ -81,7 +81,7 @@ public List<ClinicalAttribute> getAllClinicalAttributesInStudy(
   @Override
   public BaseMeta getMetaClinicalAttributesInStudy(String studyId) throws StudyNotFoundException {
 
-    studyService.getStudy(studyId);
+    studyService.studyExists(studyId);
 
     return clinicalAttributeRepository.getMetaClinicalAttributesInStudy(studyId);
   }