Make authorizationinterceptor stricter

James 2016-10-22 18:00:55 -04:00
parent 27208127e0
commit 2a7fa4d8a5
4 changed files with 27 additions and 19 deletions


@ -221,20 +221,16 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
IIdType inputResourceId = null; IIdType inputResourceId = null;
switch (determineOperationDirection(theOperation, theProcessedRequest.getResource())) { switch (determineOperationDirection(theOperation, theProcessedRequest.getResource())) {
case IN_UNCATEGORIZED:
inputResourceId = theProcessedRequest.getId();
if (inputResourceId == null || inputResourceId.hasIdPart() == false) {
return;
} else {
break;
}
case IN: case IN:
case BOTH: case BOTH:
inputResource = theProcessedRequest.getResource(); inputResource = theProcessedRequest.getResource();
inputResourceId = theProcessedRequest.getId(); inputResourceId = theProcessedRequest.getId();
break; break;
case NONE:
case OUT: case OUT:
inputResource = null;
inputResourceId = theProcessedRequest.getId();
break;
case NONE:
return; return;
} }
@ -257,8 +253,6 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
@Override @Override
public boolean outgoingResponse(RequestDetails theRequestDetails, IBaseResource theResponseObject) { public boolean outgoingResponse(RequestDetails theRequestDetails, IBaseResource theResponseObject) {
switch (determineOperationDirection(theRequestDetails.getRestOperationType(), null)) { switch (determineOperationDirection(theRequestDetails.getRestOperationType(), null)) {
case IN_UNCATEGORIZED:
return true;
case IN: case IN:
case NONE: case NONE:
return true; return true;
@ -354,7 +348,6 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
private enum OperationExamineDirection { private enum OperationExamineDirection {
IN, IN,
IN_UNCATEGORIZED,
NONE, NONE,
OUT, OUT,
BOTH, BOTH,
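Review bot: The new `case OUT:` arm in the first hunk passes `theProcessedRequest.getId()` on to the rules with no null or `hasIdPart()` check, whereas the removed `IN_UNCATEGORIZED` branch guarded for exactly that. Type-level requests such as searches presumably carry no id, so every rule evaluated on the incoming pass must now cope with a null resource and a null or id-less id; the rule evaluation itself sits below this hunk and is not visible here. Because this arm is where read-type requests start being rejected before the handler runs, it deserves a comment such as `// No resource yet on a read/search: pass the target id so rules can deny before the handler runs`. The switch also has no `default` arm; in an authorization gate an explicit `default: throw new IllegalStateException(...)` would make a future direction value fail closed instead of continuing with unset inputs.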


@ -63,8 +63,17 @@ class RuleImplOp extends BaseRule implements IAuthRule {
switch (myOp) { switch (myOp) {
case READ: case READ:
if (theOutputResource == null) { if (theOutputResource == null) {
switch (theOperation) {
case READ:
appliesToResourceId = theInputResourceId;
break;
case SEARCH_SYSTEM:
case SEARCH_TYPE:
return new Verdict(PolicyEnum.ALLOW, this);
default:
return null; return null;
} }
}
appliesToResource = theOutputResource; appliesToResource = theOutputResource;
break; break;
case WRITE: case WRITE:
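Review bot: The new `SEARCH_SYSTEM`/`SEARCH_TYPE` arm returns `new Verdict(PolicyEnum.ALLOW, this)` unconditionally, before any of the matching that follows the switch (outside this hunk) and without consulting the rule's own allow/deny mode. If this class also backs deny rules, which is not visible here, a deny-read rule would wave every search through the incoming pass and be recorded as the rule that allowed it. The safety of this arm rests entirely on `outgoingResponse` re-checking each returned resource, so say so at the site, e.g. `// Incoming pass only: every returned resource is re-checked in outgoingResponse()`, and consider returning `null` here when the rule is not an allow rule. The `default: return null` arm also means any other read-type operation that reaches this point (vread or history, if they are classified as OUT) is left to the default policy on the way in, which looks worth a test.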


@ -167,7 +167,7 @@ public class AuthorizationInterceptorDstu2Test {
ourLog.info(response); ourLog.info(response);
assertThat(response, containsString("Access denied by rule: Rule 1")); assertThat(response, containsString("Access denied by rule: Rule 1"));
assertEquals(403, status.getStatusLine().getStatusCode()); assertEquals(403, status.getStatusLine().getStatusCode());
assertTrue(ourHitMethod); assertFalse(ourHitMethod);
ourHitMethod = false; ourHitMethod = false;
httpGet = new HttpGet("http://localhost:" + ourPort + "/Patient/1/$validate"); httpGet = new HttpGet("http://localhost:" + ourPort + "/Patient/1/$validate");
@ -321,7 +321,7 @@ public class AuthorizationInterceptorDstu2Test {
ourLog.info(response); ourLog.info(response);
assertThat(response, containsString("Access denied by rule: Default Rule")); assertThat(response, containsString("Access denied by rule: Default Rule"));
assertEquals(403, status.getStatusLine().getStatusCode()); assertEquals(403, status.getStatusLine().getStatusCode());
assertTrue(ourHitMethod); assertFalse(ourHitMethod);
ourHitMethod = false; ourHitMethod = false;
httpGet = new HttpGet("http://localhost:" + ourPort + "/Patient/1/$validate"); httpGet = new HttpGet("http://localhost:" + ourPort + "/Patient/1/$validate");
@ -625,7 +625,7 @@ public class AuthorizationInterceptorDstu2Test {
ourLog.info(response); ourLog.info(response);
assertThat(response, containsString("Access denied by default policy (no applicable rules)")); assertThat(response, containsString("Access denied by default policy (no applicable rules)"));
assertEquals(403, status.getStatusLine().getStatusCode()); assertEquals(403, status.getStatusLine().getStatusCode());
assertTrue(ourHitMethod); assertFalse(ourHitMethod);
ourReturn = Arrays.asList(createPatient(1), createObservation(10, "Patient/2")); ourReturn = Arrays.asList(createPatient(1), createObservation(10, "Patient/2"));
ourHitMethod = false; ourHitMethod = false;
@ -679,8 +679,8 @@ public class AuthorizationInterceptorDstu2Test {
httpGet = new HttpGet("http://localhost:" + ourPort + "/Observation/10"); httpGet = new HttpGet("http://localhost:" + ourPort + "/Observation/10");
status = ourClient.execute(httpGet); status = ourClient.execute(httpGet);
extractResponseAndClose(status); extractResponseAndClose(status);
assertEquals(200, status.getStatusLine().getStatusCode()); assertEquals(403, status.getStatusLine().getStatusCode());
assertTrue(ourHitMethod); assertFalse(ourHitMethod);
ourReturn = Arrays.asList(createPatient(1), createObservation(10, "Patient/1")); ourReturn = Arrays.asList(createPatient(1), createObservation(10, "Patient/1"));
ourHitMethod = false; ourHitMethod = false;
@ -719,7 +719,7 @@ public class AuthorizationInterceptorDstu2Test {
ourLog.info(response); ourLog.info(response);
assertThat(response, containsString("Access denied by default policy (no applicable rules)")); assertThat(response, containsString("Access denied by default policy (no applicable rules)"));
assertEquals(403, status.getStatusLine().getStatusCode()); assertEquals(403, status.getStatusLine().getStatusCode());
assertTrue(ourHitMethod); assertFalse(ourHitMethod);
ourReturn = Arrays.asList(createObservation(10, "Patient/2")); ourReturn = Arrays.asList(createObservation(10, "Patient/2"));
ourHitMethod = false; ourHitMethod = false;
@ -729,7 +729,7 @@ public class AuthorizationInterceptorDstu2Test {
ourLog.info(response); ourLog.info(response);
assertThat(response, containsString("Access denied by default policy (no applicable rules)")); assertThat(response, containsString("Access denied by default policy (no applicable rules)"));
assertEquals(403, status.getStatusLine().getStatusCode()); assertEquals(403, status.getStatusLine().getStatusCode());
assertTrue(ourHitMethod); assertFalse(ourHitMethod);
ourReturn = Arrays.asList(createPatient(1), createObservation(10, "Patient/2")); ourReturn = Arrays.asList(createPatient(1), createObservation(10, "Patient/2"));
ourHitMethod = false; ourHitMethod = false;
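Review bot: The flipped `/Observation/10` case (status 200 to 403, in the hunk at 679) checks only the status code and `ourHitMethod`, and discards the body returned by `extractResponseAndClose(status)`, so it does not pin which rule or policy produced the denial. The neighbouring cases assert the denial text with `assertThat(response, containsString(...))`; capturing `response` here and asserting the expected message would keep this case from passing on an unrelated 403. The enclosing test methods start and end outside these hunks.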


@ -221,6 +221,12 @@
the generated bundle. Thanks to Hannes Venter for the pull the generated bundle. Thanks to Hannes Venter for the pull
request and contribution! request and contribution!
</action> </action>
<action type="add">
AuthorizationInterceptor is now a bit more aggressive
at blocking read operations, stopping them on the
way in if there is no way they will be accepted
to the resource check on the way out
</action>
</release> </release>
<release version="2.0" date="2016-08-30"> <release version="2.0" date="2016-08-30">
<action type="fix"> <action type="fix">