Refactor to support arbitrary additional SPs based on Type for a compartment

2021-09-14 01:02:19 -04:00 · 2021-09-14 01:02:19 -04:00 · 3d24a4ce16
parent b2d6f75964
commit 3d24a4ce16
6 changed files with 162 additions and 5 deletions
--- a/hapi-fhir-base/src/main/java/ca/uhn/fhir/util/FhirTerser.java
+++ b/hapi-fhir-base/src/main/java/ca/uhn/fhir/util/FhirTerser.java
@ -704,6 +704,21 @@ public class FhirTerser {
 	 * @throws IllegalArgumentException If theTarget does not contain both a resource type and ID
 	 */
 	public boolean isSourceInCompartmentForTarget(String theCompartmentName, IBaseResource theSource, IIdType theTarget) {
+		return isSourceInCompartmentForTarget(theCompartmentName, theSource, theTarget, null);
+	}
+
+	/**
+	 * Returns <code>true</code> if <code>theSource</code> is in the compartment named <code>theCompartmentName</code>
+	 * belonging to resource <code>theTarget</code>
+	 *
+	 * @param theCompartmentName The name of the compartment
+	 * @param theSource          The potential member of the compartment
+	 * @param theTarget          The owner of the compartment. Note that both the resource type and ID must be filled in on this IIdType or the method will throw an {@link IllegalArgumentException}
+	 * @param theAdditionalCompartmentParamNames If provided, search param names provided here will be considered as included in the given compartment for this comparison.
+	 * @return <code>true</code> if <code>theSource</code> is in the compartment or one of the additional parameters matched.
+	 * @throws IllegalArgumentException If theTarget does not contain both a resource type and ID
+	 */
+	public boolean isSourceInCompartmentForTarget(String theCompartmentName, IBaseResource theSource, IIdType theTarget, Set<String> theAdditionalCompartmentParamNames) {
 		Validate.notBlank(theCompartmentName, "theCompartmentName must not be null or blank");
 		Validate.notNull(theSource, "theSource must not be null");
 		Validate.notNull(theTarget, "theTarget must not be null");
@ -720,6 +735,18 @@ public class FhirTerser {
 		}

 		List<RuntimeSearchParam> params = sourceDef.getSearchParamsForCompartmentName(theCompartmentName);
+
+		//If passed an additional set of searchparameter names, add them for comparison purposes.
+		if (theAdditionalCompartmentParamNames != null) {
+			List<RuntimeSearchParam> additionalParams = theAdditionalCompartmentParamNames.stream().map(paramName -> sourceDef.getSearchParam(paramName)).collect(Collectors.toList());
+			if (params == null || params.isEmpty()) {
+				params = additionalParams;
+			} else {
+				params.addAll(additionalParams);
+			}
+		}
+
+
 		for (RuntimeSearchParam nextParam : params) {
 			for (String nextPath : nextParam.getPathsSplit()) {

--- a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/AppliesTypeEnum.java
+++ b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/AppliesTypeEnum.java
@ -22,7 +22,4 @@ package ca.uhn.fhir.rest.server.interceptor.auth;

 enum AppliesTypeEnum {
 	ALL_RESOURCES, TYPES, INSTANCES
-
-	
-	
 }
--- a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthRuleBuilderRuleOpClassifier.java
+++ b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthRuleBuilderRuleOpClassifier.java
@ -21,6 +21,7 @@ package ca.uhn.fhir.rest.server.interceptor.auth;
 */

 import java.util.Collection;
+import java.util.List;

 import org.hl7.fhir.instance.model.api.IIdType;

@ -58,6 +59,8 @@ public interface IAuthRuleBuilderRuleOpClassifier {
 	 */
 	IAuthRuleBuilderRuleOpClassifierFinished inCompartment(String theCompartmentName, Collection<? extends IIdType> theOwners);

+	IAuthRuleBuilderRuleOpClassifierFinished inCompartmentWithAdditionalSearchParams(String theCompartmentName, IIdType theOwner, List<String> additionalTypeSearchParamNames);
+
 	/**
 	 * Rule applies to any resource instances
 	 * <p>
--- a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBuilder.java
+++ b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBuilder.java
@ -451,6 +451,7 @@ public class RuleBuilder implements IAuthRuleBuilder {
 				private Collection<? extends IIdType> myInCompartmentOwners;
 				private Collection<IIdType> myAppliesToInstances;
 				private RuleImplOp myRule;
+				private List<String> myAdditionalSearchParamsForCompartmentTypes;

 				/**
 				 * Constructor
@ -483,6 +484,7 @@ public class RuleBuilder implements IAuthRuleBuilder {
 					myRule.setClassifierCompartmentOwners(myInCompartmentOwners);
 					myRule.setAppliesToDeleteCascade(myOnCascade);
 					myRule.setAppliesToDeleteExpunge(myOnExpunge);
+					myRule.setAdditionalSearchParamsForCompartmentTypes(myAdditionalSearchParamsForCompartmentTypes);
 					myRules.add(myRule);

 					return new RuleBuilderFinished(myRule);
@ -519,6 +521,26 @@ public class RuleBuilder implements IAuthRuleBuilder {
 					return finished();
 				}

+				@Override
+				public IAuthRuleBuilderRuleOpClassifierFinished inCompartmentWithAdditionalSearchParams(String theCompartmentName, IIdType theOwner, List<String> additionalTypeSearchParamNames) {
+					Validate.notBlank(theCompartmentName, "theCompartmentName must not be null");
+					Validate.notNull(theOwner, "theOwner must not be null");
+					validateOwner(theOwner);
+					myClassifierType = ClassifierTypeEnum.IN_COMPARTMENT;
+					myInCompartmentName = theCompartmentName;
+					Optional<RuleImplOp> oRule = findMatchingRule();
+
+					if (oRule.isPresent()) {
+						RuleImplOp rule = oRule.get();
+						rule.setAdditionalSearchParamsForCompartmentTypes(additionalTypeSearchParamNames);
+						rule.addClassifierCompartmentOwner(theOwner);
+						return new RuleBuilderFinished(rule);
+					}
+					myInCompartmentOwners = Collections.singletonList(theOwner);
+					return finished();
+				}
+
+
 				private Optional<RuleImplOp> findMatchingRule() {
 					return myRules.stream()
 						.filter(RuleImplOp.class::isInstance)
--- a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleImplOp.java
+++ b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleImplOp.java
@ -18,6 +18,7 @@ import ca.uhn.fhir.util.UrlUtil;
 import ca.uhn.fhir.util.bundle.BundleEntryParts;
 import com.google.common.annotations.VisibleForTesting;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.Validate;
 import org.apache.commons.lang3.builder.ToStringBuilder;
 import org.apache.commons.lang3.builder.ToStringStyle;
 import org.hl7.fhir.instance.model.api.IBaseBundle;
@ -28,6 +29,8 @@ import javax.annotation.Nullable;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@ -69,6 +72,8 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
 	private Collection<IIdType> myAppliesToInstances;
 	private boolean myAppliesToDeleteCascade;
 	private boolean myAppliesToDeleteExpunge;
+	private boolean myDeviceIncludedInPatientCompartment;
+	private Map<String, Set<String>> myAdditionalCompartmentSearchParamMap;

 	/**
 	 * Constructor
@ -337,7 +342,12 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {

 		for (IIdType next : myClassifierCompartmentOwners) {
 			if (target.resource != null) {
-				if (t.isSourceInCompartmentForTarget(myClassifierCompartmentName, target.resource, next)) {
+
+				Set<String> additionalSearchParamNames = null;
+				if (myAdditionalCompartmentSearchParamMap != null) {
+					additionalSearchParamNames = myAdditionalCompartmentSearchParamMap.get(target.resourceType);
+				}
+				if (t.isSourceInCompartmentForTarget(myClassifierCompartmentName, target.resource, next, additionalSearchParamNames)) {
 					foundMatch = true;
 					break;
 				}
@ -372,6 +382,12 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
 				String compartmentOwnerResourceType = next.getResourceType();
 				if (!StringUtils.equals(target.resourceType, compartmentOwnerResourceType)) {
 					List<RuntimeSearchParam> params = sourceDef.getSearchParamsForCompartmentName(compartmentOwnerResourceType);
+					if (target.resourceType.equalsIgnoreCase("Device") && myDeviceIncludedInPatientCompartment) {
+						if (params == null || params.isEmpty()) {
+							params = new ArrayList<>();
+						}
+						params.add(sourceDef.getSearchParam("patient"));
+					}
 					if (!params.isEmpty()) {

 						/*
@ -656,6 +672,10 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
 		myAppliesToDeleteExpunge = theAppliesToDeleteExpunge;
 	}

+	void setDeviceIncludedInPatientCompartment(boolean theDeviceIncludedInPatientCompartment) {
+		myDeviceIncludedInPatientCompartment = theDeviceIncludedInPatientCompartment;
+	}
+
 	public void addClassifierCompartmentOwner(IIdType theOwner) {
 		List<IIdType> newList = new ArrayList<>(myClassifierCompartmentOwners);
 		newList.add(theOwner);
@ -681,4 +701,17 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
 				return false;
 		}
 	}
+
+	public void setAdditionalSearchParamsForCompartmentTypes(List<String> theTypeAndParams) {
+		if (myAdditionalCompartmentSearchParamMap == null) {
+			myAdditionalCompartmentSearchParamMap = new HashMap<>();
+		}
+
+		for (String typeAndParam: theTypeAndParams) {
+			String[] split = typeAndParam.split(",");
+			Validate.isTrue(split.length == 2);
+			myAdditionalCompartmentSearchParamMap.computeIfAbsent(split[0], (v) -> new HashSet<>()).add(split[1]);
+		}
+		this.myAdditionalCompartmentSearchParamMap = myAdditionalCompartmentSearchParamMap;
+	}
 }
--- a/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptorR4Test.java
+++ b/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptorR4Test.java
@ -376,7 +376,39 @@ public class AuthorizationInterceptorR4Test {
 		assertTrue(ourHitMethod);

 	}
+	@Test
+	public void testDeviceIsPartOfPatientCompartment() throws Exception {
+		ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
+			@Override
+			public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
+				List<String> bonusPatientCompartmentSearchParams = Collections.singletonList("device:patient");
+				return new RuleBuilder()
+					.allow().read().allResources()
+					.inCompartmentWithAdditionalSearchParams("Patient", new IdType("Patient/123"), bonusPatientCompartmentSearchParams)
+					.andThen().denyAll()
+					.build();
+			}
+		});

+		HttpGet httpGet;
+		HttpResponse status;
+
+		Patient patient;
+
+
+		patient = new Patient();
+		patient.setId("Patient/123");
+		Device d = new Device();
+		d.getPatient().setResource(patient);
+
+		ourHitMethod = false;
+		ourReturn = Collections.singletonList(d);
+		httpGet = new HttpGet("http://localhost:" + ourPort + "/Device/124456");
+		status = ourClient.execute(httpGet);
+		extractResponseAndClose(status);
+		assertEquals(200, status.getStatusLine().getStatusCode());
+		assertTrue(ourHitMethod);
+	}
 	@Test
 	public void testAllowByCompartmentUsingUnqualifiedIds() throws Exception {
 		ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
@ -437,6 +469,24 @@ public class AuthorizationInterceptorR4Test {
 		extractResponseAndClose(status);
 		assertEquals(403, status.getStatusLine().getStatusCode());
 		assertTrue(ourHitMethod);
+
+
+		patient = new Patient();
+		patient.setId("Patient/123");
+		carePlan = new CarePlan();
+		carePlan.setStatus(CarePlan.CarePlanStatus.ACTIVE);
+		carePlan.getSubject().setResource(patient);
+
+		Device d = new Device();
+		d.getPatient().setResource(patient);
+
+		ourHitMethod = false;
+		ourReturn = Collections.singletonList(d);
+		httpGet = new HttpGet("http://localhost:" + ourPort + "/Device/123456");
+		status = ourClient.execute(httpGet);
+		extractResponseAndClose(status);
+		assertEquals(200, status.getStatusLine().getStatusCode());
+		assertTrue(ourHitMethod);
 	}

 	/**
@ -3619,6 +3669,30 @@ public class AuthorizationInterceptorR4Test {
 		}
 	}

+	public static class DummyDeviceResourceProvider implements IResourceProvider {
+
+		@Override
+		public Class<? extends IBaseResource> getResourceType() {
+			return Device.class;
+		}
+
+		@Read(version = true)
+		public Device read(@IdParam IdType theId) {
+			ourHitMethod = true;
+			if (ourReturn.isEmpty()) {
+				throw new ResourceNotFoundException(theId);
+			}
+			return (Device) ourReturn.get(0);
+		}
+		@Search()
+		public List<Resource> search(
+			@OptionalParam(name = "patient") ReferenceParam thePatient
+		) {
+			ourHitMethod = true;
+			return ourReturn;
+		}
+	}
+
 	@SuppressWarnings("unused")
 	public static class DummyObservationResourceProvider implements IResourceProvider {

@ -3953,12 +4027,13 @@ public class AuthorizationInterceptorR4Test {
 		DummyEncounterResourceProvider encProv = new DummyEncounterResourceProvider();
 		DummyCarePlanResourceProvider cpProv = new DummyCarePlanResourceProvider();
 		DummyDiagnosticReportResourceProvider drProv = new DummyDiagnosticReportResourceProvider();
+		DummyDeviceResourceProvider devProv = new DummyDeviceResourceProvider();
 		PlainProvider plainProvider = new PlainProvider();

 		ServletHandler proxyHandler = new ServletHandler();
 		ourServlet = new RestfulServer(ourCtx);
 		ourServlet.setFhirContext(ourCtx);
-		ourServlet.registerProviders(patProvider, obsProv, encProv, cpProv, orgProv, drProv);
+		ourServlet.registerProviders(patProvider, obsProv, encProv, cpProv, orgProv, drProv, devProv);
 		ourServlet.registerProvider(new DummyServiceRequestResourceProvider());
 		ourServlet.registerProvider(new DummyConsentResourceProvider());
 		ourServlet.setPlainProviders(plainProvider);