From 4e252063b81bc8e4eda69149d9497127d90516a8 Mon Sep 17 00:00:00 2001 From: James Agnew Date: Tue, 16 Oct 2018 19:54:55 -0400 Subject: [PATCH] Allow transactions and batches with transaction permission in AuthorizationInterceptor --- .../interceptor/auth/IAuthRuleBuilderRule.java | 3 ++- .../rest/server/interceptor/auth/RuleBuilder.java | 12 ++++++++++-- .../auth/AuthorizationInterceptorDstu2Test.java | 2 +- .../AuthorizationInterceptorDstu3Test.java | 2 +- .../interceptor/AuthorizationInterceptorR4Test.java | 4 ++-- src/changes/changes.xml | 5 +++++ 6 files changed, 21 insertions(+), 7 deletions(-) diff --git a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthRuleBuilderRule.java b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthRuleBuilderRule.java index 80e68a7725d..4f68b723377 100644 --- a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthRuleBuilderRule.java +++ b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthRuleBuilderRule.java @@ -83,7 +83,8 @@ public interface IAuthRuleBuilderRule { /** * This rule applies to the FHIR transaction operation. Transaction is a special - * case in that it bundles other operations + * case in that it bundles other operations. This permission also allows FHIR + * batch to be performed. */ IAuthRuleBuilderRuleTransaction transaction(); diff --git a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBuilder.java b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBuilder.java index bc0ead08d80..058a85e0c12 100644 --- a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBuilder.java +++ b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBuilder.java @@ -223,7 +223,6 @@ public class RuleBuilder implements IAuthRuleBuilder { @Override public IAuthRuleBuilderRuleTransaction transaction() { - myRuleOp = RuleOpEnum.TRANSACTION; return new RuleBuilderRuleTransaction(); } @@ -520,11 +519,20 @@ public class RuleBuilder implements IAuthRuleBuilder { @Override public IAuthRuleBuilderRuleOpClassifierFinished andApplyNormalRules() { + // Allow transaction RuleImplOp rule = new RuleImplOp(myRuleName); rule.setMode(myRuleMode); - rule.setOp(myRuleOp); + rule.setOp(RuleOpEnum.TRANSACTION); rule.setTransactionAppliesToOp(TransactionAppliesToEnum.ANY_OPERATION); myRules.add(rule); + + // Allow batch + rule = new RuleImplOp(myRuleName); + rule.setMode(myRuleMode); + rule.setOp(RuleOpEnum.BATCH); + rule.setTransactionAppliesToOp(TransactionAppliesToEnum.ANY_OPERATION); + myRules.add(rule); + return new RuleBuilderFinished(rule); } diff --git a/hapi-fhir-structures-dstu2/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptorDstu2Test.java b/hapi-fhir-structures-dstu2/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptorDstu2Test.java index 3fd96f88573..fe533d76b7c 100644 --- a/hapi-fhir-structures-dstu2/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptorDstu2Test.java +++ b/hapi-fhir-structures-dstu2/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptorDstu2Test.java @@ -262,7 +262,7 @@ public class AuthorizationInterceptorDstu2Test { httpPost.setEntity(createFhirResourceEntity(input)); status = ourClient.execute(httpPost); extractResponseAndClose(status); - assertEquals(403, status.getStatusLine().getStatusCode()); + assertEquals(200, status.getStatusLine().getStatusCode()); } @Test diff --git a/hapi-fhir-structures-dstu3/src/test/java/ca/uhn/fhir/rest/server/interceptor/AuthorizationInterceptorDstu3Test.java b/hapi-fhir-structures-dstu3/src/test/java/ca/uhn/fhir/rest/server/interceptor/AuthorizationInterceptorDstu3Test.java index 217204e8489..e985aa452b4 100644 --- a/hapi-fhir-structures-dstu3/src/test/java/ca/uhn/fhir/rest/server/interceptor/AuthorizationInterceptorDstu3Test.java +++ b/hapi-fhir-structures-dstu3/src/test/java/ca/uhn/fhir/rest/server/interceptor/AuthorizationInterceptorDstu3Test.java @@ -495,7 +495,7 @@ public class AuthorizationInterceptorDstu3Test { httpPost.setEntity(createFhirResourceEntity(input)); status = ourClient.execute(httpPost); extractResponseAndClose(status); - assertEquals(403, status.getStatusLine().getStatusCode()); + assertEquals(200, status.getStatusLine().getStatusCode()); } @Test diff --git a/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/AuthorizationInterceptorR4Test.java b/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/AuthorizationInterceptorR4Test.java index 34cce97509d..d1fcb352631 100644 --- a/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/AuthorizationInterceptorR4Test.java +++ b/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/AuthorizationInterceptorR4Test.java @@ -469,7 +469,7 @@ public class AuthorizationInterceptorR4Test { } @Test - public void testBatchWhenOnlyTransactionAllowed() throws Exception { + public void testBatchAllowed() throws Exception { ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) { @Override public List buildRuleList(RequestDetails theRequestDetails) { @@ -498,7 +498,7 @@ public class AuthorizationInterceptorR4Test { httpPost.setEntity(createFhirResourceEntity(input)); status = ourClient.execute(httpPost); extractResponseAndClose(status); - assertEquals(403, status.getStatusLine().getStatusCode()); + assertEquals(200, status.getStatusLine().getStatusCode()); } @Test diff --git a/src/changes/changes.xml b/src/changes/changes.xml index ce8791e6c1c..e06eb146ba0 100644 --- a/src/changes/changes.xml +++ b/src/changes/changes.xml @@ -95,6 +95,11 @@ When using the testpage overlay to delete a resource, currently a crash can occur if an unqualified ID is placed in the ID text box. This has been corrected. + + AuthorizationInterceptor did not allow FHIR batch operations when the transaction() + permission is granted. This has been corrected so that transaction() allows both + batch and transaction requests to proceed. +