More work on auth module
This commit is contained in:
parent
bb96ae4e25
commit
6d0dcc0213
|
@ -1,5 +1,25 @@
|
|||
package ca.uhn.fhir.rest.gclient;
|
||||
|
||||
/*
|
||||
* #%L
|
||||
* HAPI FHIR - Core Library
|
||||
* %%
|
||||
* Copyright (C) 2014 - 2016 University Health Network
|
||||
* %%
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
* #L%
|
||||
*/
|
||||
|
||||
import org.hl7.fhir.instance.model.api.IIdType;
|
||||
|
||||
public interface IUpdateTyped extends IUpdateExecutable {
|
||||
|
|
|
@ -1,5 +1,25 @@
|
|||
package ca.uhn.fhir.rest.method;
|
||||
|
||||
/*
|
||||
* #%L
|
||||
* HAPI FHIR - Core Library
|
||||
* %%
|
||||
* Copyright (C) 2014 - 2016 University Health Network
|
||||
* %%
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
* #L%
|
||||
*/
|
||||
|
||||
import java.util.Collection;
|
||||
|
||||
import org.hl7.fhir.instance.model.api.IBaseResource;
|
||||
|
|
|
@ -1,5 +1,25 @@
|
|||
package ca.uhn.fhir.rest.server.interceptor;
|
||||
|
||||
/*
|
||||
* #%L
|
||||
* HAPI FHIR - Core Library
|
||||
* %%
|
||||
* Copyright (C) 2014 - 2016 University Health Network
|
||||
* %%
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
* #L%
|
||||
*/
|
||||
|
||||
import org.hl7.fhir.instance.model.api.IBaseResource;
|
||||
|
||||
import ca.uhn.fhir.rest.method.RequestDetails;
|
||||
|
|
|
@ -1,5 +1,25 @@
|
|||
package ca.uhn.fhir.rest.server.interceptor.auth;
|
||||
|
||||
/*
|
||||
* #%L
|
||||
* HAPI FHIR - Core Library
|
||||
* %%
|
||||
* Copyright (C) 2014 - 2016 University Health Network
|
||||
* %%
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
* #L%
|
||||
*/
|
||||
|
||||
enum AppliesTypeEnum {
|
||||
ALL_RESOURCES, TYPES
|
||||
|
||||
|
|
|
@ -1,5 +1,25 @@
|
|||
package ca.uhn.fhir.rest.server.interceptor.auth;
|
||||
|
||||
/*
|
||||
* #%L
|
||||
* HAPI FHIR - Core Library
|
||||
* %%
|
||||
* Copyright (C) 2014 - 2016 University Health Network
|
||||
* %%
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
* #L%
|
||||
*/
|
||||
|
||||
import static org.apache.commons.lang3.StringUtils.defaultString;
|
||||
|
||||
import java.util.ArrayList;
|
||||
|
@ -69,7 +89,7 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
|
|||
IAuthRule decidingRule = null;
|
||||
|
||||
for (IAuthRule nextRule : theRules) {
|
||||
RuleModeEnum decision = nextRule.applyRule(theOperation, theRequestDetails, theInputResource, theOutputResource);
|
||||
RuleVerdictEnum decision = nextRule.applyRule(theOperation, theRequestDetails, theInputResource, theOutputResource);
|
||||
|
||||
switch (decision) {
|
||||
case NO_DECISION:
|
||||
|
@ -127,7 +147,7 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
|
|||
case EXTENDED_OPERATION_TYPE:
|
||||
case METADATA:
|
||||
// Security does not apply to these operations
|
||||
return OperationExamineDirection.NONE;
|
||||
return OperationExamineDirection.IN;
|
||||
|
||||
case DELETE:
|
||||
// Delete is a special case
|
||||
|
|
|
@ -1,5 +1,25 @@
|
|||
package ca.uhn.fhir.rest.server.interceptor.auth;
|
||||
|
||||
/*
|
||||
* #%L
|
||||
* HAPI FHIR - Core Library
|
||||
* %%
|
||||
* Copyright (C) 2014 - 2016 University Health Network
|
||||
* %%
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
* #L%
|
||||
*/
|
||||
|
||||
enum ClassifierTypeEnum {
|
||||
IN_COMPARTMENT, ANY_ID
|
||||
|
||||
|
|
|
@ -1,5 +1,25 @@
|
|||
package ca.uhn.fhir.rest.server.interceptor.auth;
|
||||
|
||||
/*
|
||||
* #%L
|
||||
* HAPI FHIR - Core Library
|
||||
* %%
|
||||
* Copyright (C) 2014 - 2016 University Health Network
|
||||
* %%
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
* #L%
|
||||
*/
|
||||
|
||||
import org.hl7.fhir.instance.model.api.IBaseResource;
|
||||
|
||||
import ca.uhn.fhir.rest.api.RestOperationTypeEnum;
|
||||
|
@ -18,9 +38,9 @@ public interface IAuthRule {
|
|||
* The resource being input by the client, or <code>null</code>
|
||||
* @param theOutputResource
|
||||
* The resource being returned by the server, or <code>null</code>
|
||||
* @return Returns a policy decision, or <code>null</code> if the rule does not apply
|
||||
* @return Returns a policy decision, or {@link RuleVerdictEnum#NO_DECISION} if the rule does not apply
|
||||
*/
|
||||
RuleModeEnum applyRule(RestOperationTypeEnum theOperation, RequestDetails theRequestDetails, IBaseResource theInputResource, IBaseResource theOutputResource);
|
||||
RuleVerdictEnum applyRule(RestOperationTypeEnum theOperation, RequestDetails theRequestDetails, IBaseResource theInputResource, IBaseResource theOutputResource);
|
||||
|
||||
/**
|
||||
* Returns a name for this rule, to be used in logs and error messages
|
||||
|
|
|
@ -1,5 +1,25 @@
|
|||
package ca.uhn.fhir.rest.server.interceptor.auth;
|
||||
|
||||
/*
|
||||
* #%L
|
||||
* HAPI FHIR - Core Library
|
||||
* %%
|
||||
* Copyright (C) 2014 - 2016 University Health Network
|
||||
* %%
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
* #L%
|
||||
*/
|
||||
|
||||
/**
|
||||
* Used by {@link AuthorizationInterceptor} in order to allow user code to define authorization
|
||||
* rules.
|
||||
|
|
|
@ -1,7 +1,36 @@
|
|||
package ca.uhn.fhir.rest.server.interceptor.auth;
|
||||
|
||||
/*
|
||||
* #%L
|
||||
* HAPI FHIR - Core Library
|
||||
* %%
|
||||
* Copyright (C) 2014 - 2016 University Health Network
|
||||
* %%
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
* #L%
|
||||
*/
|
||||
|
||||
public interface IAuthRuleBuilderRule {
|
||||
|
||||
/**
|
||||
* This rules applies to the metadata operation (retrieve the
|
||||
* server's conformance statement)
|
||||
* <p>
|
||||
* This call completes the rule and adds the rule to the chain.
|
||||
* </p>
|
||||
*/
|
||||
IAuthRuleBuilderRuleOpClassifierFinished metadata();
|
||||
|
||||
/**
|
||||
* This rule applies to any FHIR operation involving reading, including
|
||||
* <code>read</code>, <code>vread</code>, <code>search</code>, and
|
||||
|
@ -9,16 +38,16 @@ public interface IAuthRuleBuilderRule {
|
|||
*/
|
||||
IAuthRuleBuilderRuleOp read();
|
||||
|
||||
/**
|
||||
* This rule applies to any FHIR operation involving writing, including
|
||||
* <code>create</code>, and <code>update</code>
|
||||
*/
|
||||
IAuthRuleBuilderRuleOp write();
|
||||
|
||||
/**
|
||||
* This rule applies to the FHIR transaction operation. Transaction is a special
|
||||
* case in that it bundles other operations
|
||||
*/
|
||||
IAuthRuleBuilderRuleTransaction transaction();
|
||||
|
||||
/**
|
||||
* This rule applies to any FHIR operation involving writing, including
|
||||
* <code>create</code>, and <code>update</code>
|
||||
*/
|
||||
IAuthRuleBuilderRuleOp write();
|
||||
|
||||
}
|
||||
|
|
|
@ -1,5 +1,25 @@
|
|||
package ca.uhn.fhir.rest.server.interceptor.auth;
|
||||
|
||||
/*
|
||||
* #%L
|
||||
* HAPI FHIR - Core Library
|
||||
* %%
|
||||
* Copyright (C) 2014 - 2016 University Health Network
|
||||
* %%
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
* #L%
|
||||
*/
|
||||
|
||||
import org.hl7.fhir.instance.model.api.IBaseResource;
|
||||
|
||||
public interface IAuthRuleBuilderRuleOp {
|
||||
|
|
|
@ -1,5 +1,25 @@
|
|||
package ca.uhn.fhir.rest.server.interceptor.auth;
|
||||
|
||||
/*
|
||||
* #%L
|
||||
* HAPI FHIR - Core Library
|
||||
* %%
|
||||
* Copyright (C) 2014 - 2016 University Health Network
|
||||
* %%
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
* #L%
|
||||
*/
|
||||
|
||||
import java.util.Collection;
|
||||
|
||||
import org.hl7.fhir.instance.model.api.IIdType;
|
||||
|
|
|
@ -1,5 +1,25 @@
|
|||
package ca.uhn.fhir.rest.server.interceptor.auth;
|
||||
|
||||
/*
|
||||
* #%L
|
||||
* HAPI FHIR - Core Library
|
||||
* %%
|
||||
* Copyright (C) 2014 - 2016 University Health Network
|
||||
* %%
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
* #L%
|
||||
*/
|
||||
|
||||
public interface IAuthRuleBuilderRuleOpClassifierFinished {
|
||||
|
||||
/**
|
||||
|
|
|
@ -1,5 +1,25 @@
|
|||
package ca.uhn.fhir.rest.server.interceptor.auth;
|
||||
|
||||
/*
|
||||
* #%L
|
||||
* HAPI FHIR - Core Library
|
||||
* %%
|
||||
* Copyright (C) 2014 - 2016 University Health Network
|
||||
* %%
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
* #L%
|
||||
*/
|
||||
|
||||
public interface IAuthRuleBuilderRuleTransaction {
|
||||
|
||||
/**
|
||||
|
@ -9,5 +29,5 @@ public interface IAuthRuleBuilderRuleTransaction {
|
|||
* This call completes the rule and adds the rule to the chain.
|
||||
* </p>
|
||||
*/
|
||||
IAuthRuleBuilderRuleOpClassifierFinished withAnyOperation();
|
||||
IAuthRuleBuilderRuleTransactionOp withAnyOperation();
|
||||
}
|
||||
|
|
|
@ -1,5 +1,27 @@
|
|||
package ca.uhn.fhir.rest.server.interceptor.auth;
|
||||
|
||||
/*
|
||||
* #%L
|
||||
* HAPI FHIR - Core Library
|
||||
* %%
|
||||
* Copyright (C) 2014 - 2016 University Health Network
|
||||
* %%
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
* #L%
|
||||
*/
|
||||
|
||||
public interface IAuthRuleBuilderRuleTransactionOp {
|
||||
|
||||
IAuthRuleBuilderRuleOpClassifierFinished andApplyNormalRules();
|
||||
|
||||
}
|
||||
|
|
|
@ -1,5 +1,25 @@
|
|||
package ca.uhn.fhir.rest.server.interceptor.auth;
|
||||
|
||||
/*
|
||||
* #%L
|
||||
* HAPI FHIR - Core Library
|
||||
* %%
|
||||
* Copyright (C) 2014 - 2016 University Health Network
|
||||
* %%
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
* #L%
|
||||
*/
|
||||
|
||||
public enum PolicyEnum {
|
||||
|
||||
ALLOW,
|
||||
|
|
|
@ -1,5 +1,25 @@
|
|||
package ca.uhn.fhir.rest.server.interceptor.auth;
|
||||
|
||||
/*
|
||||
* #%L
|
||||
* HAPI FHIR - Core Library
|
||||
* %%
|
||||
* Copyright (C) 2014 - 2016 University Health Network
|
||||
* %%
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
* #L%
|
||||
*/
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.Set;
|
||||
|
||||
|
@ -18,7 +38,7 @@ class Rule implements IAuthRule {
|
|||
private String myClassifierCompartmentName;
|
||||
private Collection<? extends IIdType> myClassifierCompartmentOwners;
|
||||
private ClassifierTypeEnum myClassifierType;
|
||||
private RuleModeEnum myMode;
|
||||
private RuleVerdictEnum myMode;
|
||||
private String myName;
|
||||
private RuleOpEnum myOp;
|
||||
private TransactionAppliesToEnum myTransactionAppliesToOp;
|
||||
|
@ -28,7 +48,7 @@ class Rule implements IAuthRule {
|
|||
}
|
||||
|
||||
@Override
|
||||
public RuleModeEnum applyRule(RestOperationTypeEnum theOperation, RequestDetails theRequestDetails, IBaseResource theInputResource, IBaseResource theOutputResource) {
|
||||
public RuleVerdictEnum applyRule(RestOperationTypeEnum theOperation, RequestDetails theRequestDetails, IBaseResource theInputResource, IBaseResource theOutputResource) {
|
||||
FhirContext ctx = theRequestDetails.getServer().getFhirContext();
|
||||
|
||||
IBaseResource appliesTo;
|
||||
|
@ -42,9 +62,15 @@ class Rule implements IAuthRule {
|
|||
case TRANSACTION:
|
||||
return myMode;
|
||||
case ALLOW_ALL:
|
||||
return RuleModeEnum.ALLOW;
|
||||
return RuleVerdictEnum.ALLOW;
|
||||
case DENY_ALL:
|
||||
return RuleModeEnum.DENY;
|
||||
return RuleVerdictEnum.DENY;
|
||||
case METADATA:
|
||||
if (theOperation == RestOperationTypeEnum.METADATA) {
|
||||
return myMode;
|
||||
} else {
|
||||
return RuleVerdictEnum.NO_DECISION;
|
||||
}
|
||||
default:
|
||||
// Should not happen
|
||||
throw new IllegalStateException("Unable to apply security to event of type " + theOperation);
|
||||
|
@ -55,7 +81,7 @@ class Rule implements IAuthRule {
|
|||
break;
|
||||
case TYPES:
|
||||
if (myAppliesToTypes.contains(appliesTo.getClass()) == false) {
|
||||
return RuleModeEnum.NO_DECISION;
|
||||
return RuleVerdictEnum.NO_DECISION;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
|
@ -75,7 +101,7 @@ class Rule implements IAuthRule {
|
|||
}
|
||||
}
|
||||
if (!foundMatch) {
|
||||
return RuleModeEnum.NO_DECISION;
|
||||
return RuleVerdictEnum.NO_DECISION;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
|
@ -114,7 +140,7 @@ class Rule implements IAuthRule {
|
|||
myClassifierType = theClassifierType;
|
||||
}
|
||||
|
||||
public void setMode(RuleModeEnum theRuleMode) {
|
||||
public void setMode(RuleVerdictEnum theRuleMode) {
|
||||
myMode = theRuleMode;
|
||||
}
|
||||
|
||||
|
|
|
@ -1,5 +1,25 @@
|
|||
package ca.uhn.fhir.rest.server.interceptor.auth;
|
||||
|
||||
/*
|
||||
* #%L
|
||||
* HAPI FHIR - Core Library
|
||||
* %%
|
||||
* Copyright (C) 2014 - 2016 University Health Network
|
||||
* %%
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
* #L%
|
||||
*/
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
|
@ -11,7 +31,7 @@ import org.hl7.fhir.instance.model.api.IIdType;
|
|||
|
||||
class RuleBuilder implements IAuthRuleBuilder {
|
||||
|
||||
private RuleModeEnum myRuleMode;
|
||||
private RuleVerdictEnum myRuleMode;
|
||||
|
||||
private String myRuleName;
|
||||
|
||||
|
@ -28,7 +48,7 @@ class RuleBuilder implements IAuthRuleBuilder {
|
|||
|
||||
@Override
|
||||
public IAuthRuleBuilderRule allow(String theRuleName) {
|
||||
myRuleMode = RuleModeEnum.ALLOW;
|
||||
myRuleMode = RuleVerdictEnum.ALLOW;
|
||||
myRuleName = theRuleName;
|
||||
return new RuleBuilderRule();
|
||||
}
|
||||
|
@ -51,7 +71,7 @@ class RuleBuilder implements IAuthRuleBuilder {
|
|||
|
||||
@Override
|
||||
public IAuthRuleBuilderRule deny(String theRuleName) {
|
||||
myRuleMode = RuleModeEnum.DENY;
|
||||
myRuleMode = RuleVerdictEnum.DENY;
|
||||
myRuleName = theRuleName;
|
||||
return new RuleBuilderRule();
|
||||
}
|
||||
|
@ -84,18 +104,27 @@ class RuleBuilder implements IAuthRuleBuilder {
|
|||
|
||||
private RuleOpEnum myRuleOp;
|
||||
|
||||
@Override
|
||||
public RuleBuilderFinished metadata() {
|
||||
Rule rule = new Rule(myRuleName);
|
||||
rule.setOp(RuleOpEnum.METADATA);
|
||||
rule.setMode(myRuleMode);
|
||||
myRules.add(rule);
|
||||
return new RuleBuilderFinished(myRules);
|
||||
}
|
||||
|
||||
@Override
|
||||
public IAuthRuleBuilderRuleOp read() {
|
||||
myRuleOp = RuleOpEnum.READ;
|
||||
return new RuleBuilderRuleOp();
|
||||
}
|
||||
|
||||
|
||||
@Override
|
||||
public IAuthRuleBuilderRuleTransaction transaction() {
|
||||
myRuleOp = RuleOpEnum.TRANSACTION;
|
||||
return new RuleBuilderRuleTransaction();
|
||||
}
|
||||
|
||||
|
||||
@Override
|
||||
public IAuthRuleBuilderRuleOp write() {
|
||||
myRuleOp = RuleOpEnum.WRITE;
|
||||
|
@ -179,17 +208,28 @@ class RuleBuilder implements IAuthRuleBuilder {
|
|||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
public class RuleBuilderRuleTransaction implements IAuthRuleBuilderRuleTransaction {
|
||||
|
||||
@Override
|
||||
public IAuthRuleBuilderRuleOpClassifierFinished withAnyOperation() {
|
||||
Rule rule = new Rule(myRuleName);
|
||||
rule.setOp(myRuleOp);
|
||||
rule.setTransactionAppliesToOp(TransactionAppliesToEnum.ANY_OPERATION);
|
||||
myRules.add(rule);
|
||||
return new RuleBuilderFinished(myRules);
|
||||
public IAuthRuleBuilderRuleTransactionOp withAnyOperation() {
|
||||
return new RuleBuilderRuleTransactionOp();
|
||||
}
|
||||
|
||||
|
||||
class RuleBuilderRuleTransactionOp implements IAuthRuleBuilderRuleTransactionOp {
|
||||
|
||||
@Override
|
||||
public IAuthRuleBuilderRuleOpClassifierFinished andApplyNormalRules() {
|
||||
Rule rule = new Rule(myRuleName);
|
||||
rule.setOp(myRuleOp);
|
||||
rule.setTransactionAppliesToOp(TransactionAppliesToEnum.ANY_OPERATION);
|
||||
myRules.add(rule);
|
||||
return new RuleBuilderFinished(myRules);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -1,7 +0,0 @@
|
|||
package ca.uhn.fhir.rest.server.interceptor.auth;
|
||||
|
||||
enum RuleModeEnum {
|
||||
ALLOW,
|
||||
DENY,
|
||||
NO_DECISION
|
||||
}
|
|
@ -1,9 +1,30 @@
|
|||
package ca.uhn.fhir.rest.server.interceptor.auth;
|
||||
|
||||
/*
|
||||
* #%L
|
||||
* HAPI FHIR - Core Library
|
||||
* %%
|
||||
* Copyright (C) 2014 - 2016 University Health Network
|
||||
* %%
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
* #L%
|
||||
*/
|
||||
|
||||
enum RuleOpEnum {
|
||||
READ,
|
||||
WRITE,
|
||||
ALLOW_ALL,
|
||||
DENY_ALL,
|
||||
TRANSACTION
|
||||
TRANSACTION,
|
||||
METADATA
|
||||
}
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
package ca.uhn.fhir.rest.server.interceptor.auth;
|
||||
|
||||
/*
|
||||
* #%L
|
||||
* HAPI FHIR - Core Library
|
||||
* %%
|
||||
* Copyright (C) 2014 - 2016 University Health Network
|
||||
* %%
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
* #L%
|
||||
*/
|
||||
|
||||
enum RuleVerdictEnum {
|
||||
ALLOW,
|
||||
DENY,
|
||||
NO_DECISION
|
||||
}
|
|
@ -1,5 +1,25 @@
|
|||
package ca.uhn.fhir.rest.server.interceptor.auth;
|
||||
|
||||
/*
|
||||
* #%L
|
||||
* HAPI FHIR - Core Library
|
||||
* %%
|
||||
* Copyright (C) 2014 - 2016 University Health Network
|
||||
* %%
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
* #L%
|
||||
*/
|
||||
|
||||
enum TransactionAppliesToEnum {
|
||||
ANY_OPERATION
|
||||
|
||||
|
|
|
@ -46,12 +46,15 @@ import org.mockito.stubbing.Answer;
|
|||
|
||||
import ca.uhn.fhir.context.FhirContext;
|
||||
import ca.uhn.fhir.model.api.Bundle;
|
||||
import ca.uhn.fhir.model.api.ExtensionDt;
|
||||
import ca.uhn.fhir.model.api.Include;
|
||||
import ca.uhn.fhir.model.api.ResourceMetadataKeyEnum;
|
||||
import ca.uhn.fhir.model.dstu2.composite.IdentifierDt;
|
||||
import ca.uhn.fhir.model.dstu2.composite.MetaDt;
|
||||
import ca.uhn.fhir.model.dstu2.resource.Bundle.Entry;
|
||||
import ca.uhn.fhir.model.dstu2.resource.Bundle.Link;
|
||||
import ca.uhn.fhir.model.dstu2.resource.Conformance.Rest;
|
||||
import ca.uhn.fhir.model.dstu2.resource.Conformance.RestSecurity;
|
||||
import ca.uhn.fhir.model.dstu2.resource.Conformance;
|
||||
import ca.uhn.fhir.model.dstu2.resource.Observation;
|
||||
import ca.uhn.fhir.model.dstu2.resource.OperationOutcome;
|
||||
|
@ -165,6 +168,37 @@ public class GenericClientDstu2Test {
|
|||
idx++;
|
||||
}
|
||||
|
||||
/**
|
||||
* See #322
|
||||
*/
|
||||
@Test
|
||||
public void testFetchConformanceWithSmartExtensions() throws Exception {
|
||||
final String respString = IOUtils.toString(GenericClientDstu2Test.class.getResourceAsStream("/conformance_322.json"));
|
||||
ArgumentCaptor<HttpUriRequest> capt = ArgumentCaptor.forClass(HttpUriRequest.class);
|
||||
when(myHttpClient.execute(capt.capture())).thenReturn(myHttpResponse);
|
||||
when(myHttpResponse.getStatusLine()).thenReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), 200, "OK"));
|
||||
when(myHttpResponse.getEntity().getContentType()).thenReturn(new BasicHeader("content-type", Constants.CT_FHIR_JSON + "; charset=UTF-8"));
|
||||
when(myHttpResponse.getEntity().getContent()).thenAnswer(new Answer<ReaderInputStream>() {
|
||||
@Override
|
||||
public ReaderInputStream answer(InvocationOnMock theInvocation) throws Throwable {
|
||||
return new ReaderInputStream(new StringReader(respString), Charset.forName("UTF-8"));
|
||||
}
|
||||
});
|
||||
|
||||
IGenericClient client = ourCtx.newRestfulGenericClient("http://localhost:8080/fhir");
|
||||
Conformance conf = client.fetchConformance().ofType(Conformance.class).execute();
|
||||
|
||||
Rest rest = conf.getRest().get(0);
|
||||
RestSecurity security = rest.getSecurity();
|
||||
|
||||
List<ExtensionDt> ext = security.getUndeclaredExtensionsByUrl("http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris");
|
||||
List<ExtensionDt> tokenExts = ext.get(0).getUndeclaredExtensionsByUrl("token");
|
||||
ExtensionDt tokenExt = tokenExts.get(0);
|
||||
UriDt value = (UriDt) tokenExt.getValue();
|
||||
assertEquals("https://my-server.org/token", value.getValueAsString());
|
||||
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testAcceptHeaderPreflightConformance() throws Exception {
|
||||
String methodName = "testAcceptHeaderPreflightConformance";
|
||||
|
|
|
@ -109,6 +109,74 @@ public class AuthorizationInterceptorDstu2Test {
|
|||
return responseContent;
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testMetadataAllow() throws Exception {
|
||||
ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
|
||||
@Override
|
||||
protected void buildRuleList(RequestDetails theRequestDetails, IAuthRuleBuilder theRuleBuilder) {
|
||||
theRuleBuilder.allow("Rule 1").metadata();
|
||||
}
|
||||
});
|
||||
|
||||
HttpGet httpGet;
|
||||
HttpResponse status;
|
||||
String response;
|
||||
|
||||
ourReturn = Arrays.asList(createPatient(2));
|
||||
ourHitMethod = false;
|
||||
httpGet = new HttpGet("http://localhost:" + ourPort + "/metadata");
|
||||
status = ourClient.execute(httpGet);
|
||||
extractResponseAndClose(status);
|
||||
assertEquals(200, status.getStatusLine().getStatusCode());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testTransactionWriteGood() throws Exception {
|
||||
ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
|
||||
@Override
|
||||
protected void buildRuleList(RequestDetails theRequestDetails, IAuthRuleBuilder theRuleBuilder) {
|
||||
theRuleBuilder
|
||||
.allow("Rule 1").transaction().withAnyOperation().andApplyNormalRules().andThen()
|
||||
.allow("Rule 2").write().allResources().inCompartment("Patient", new IdDt("Patient/1")).andThen()
|
||||
.allow("Rule 2").read().allResources().inCompartment("Patient", new IdDt("Patient/1")).andThen();
|
||||
}
|
||||
});
|
||||
|
||||
|
||||
|
||||
// HttpGet httpGet;
|
||||
// HttpResponse status;
|
||||
// String response;
|
||||
//
|
||||
// ourReturn = Arrays.asList(createPatient(2));
|
||||
// ourHitMethod = false;
|
||||
// httpGet = new HttpGet("http://localhost:" + ourPort + "/metadata");
|
||||
// status = ourClient.execute(httpGet);
|
||||
// extractResponseAndClose(status);
|
||||
// assertEquals(200, status.getStatusLine().getStatusCode());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testMetadataDeny() throws Exception {
|
||||
ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.ALLOW) {
|
||||
@Override
|
||||
protected void buildRuleList(RequestDetails theRequestDetails, IAuthRuleBuilder theRuleBuilder) {
|
||||
theRuleBuilder.deny("Rule 1").metadata();
|
||||
}
|
||||
});
|
||||
|
||||
HttpGet httpGet;
|
||||
HttpResponse status;
|
||||
String response;
|
||||
|
||||
ourReturn = Arrays.asList(createPatient(2));
|
||||
ourHitMethod = false;
|
||||
httpGet = new HttpGet("http://localhost:" + ourPort + "/metadata");
|
||||
status = ourClient.execute(httpGet);
|
||||
extractResponseAndClose(status);
|
||||
assertEquals(401, status.getStatusLine().getStatusCode());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testReadByAnyId() throws Exception {
|
||||
ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
|
||||
|
|
|
@ -0,0 +1,110 @@
|
|||
{
|
||||
"resourceType":"Conformance",
|
||||
"publisher":"Cloudyle",
|
||||
"date":"2016-03-30T14:53:23+02:00",
|
||||
"kind":"instance",
|
||||
"software":{
|
||||
"name":"HAPI FHIR Server",
|
||||
"version":"1.4"
|
||||
},
|
||||
"fhirVersion":"1.0.2",
|
||||
"acceptUnknown":"both",
|
||||
"format":[
|
||||
"application/xml+fhir",
|
||||
"application/json+fhir"
|
||||
],
|
||||
"rest":[
|
||||
{
|
||||
"mode":"server",
|
||||
"security":{
|
||||
"extension":[
|
||||
{
|
||||
"url":"http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris",
|
||||
"extension":[
|
||||
{
|
||||
"url":"token",
|
||||
"valueuri":"https://my-server.org/token"
|
||||
},
|
||||
{
|
||||
"url":"authorize",
|
||||
"valueuri":"https://my-server.org/authorize"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"service":[
|
||||
{
|
||||
"coding":[
|
||||
{
|
||||
"system":"http://hl7.org/fhir/restful-security-service",
|
||||
"code":"SMART-on-FHIR"
|
||||
}
|
||||
],
|
||||
"text":"OAuth2 using SMART-on-FHIR profile (see http://docs.smarthealthit.org)"
|
||||
}
|
||||
]
|
||||
},
|
||||
"resource":[
|
||||
{
|
||||
"type":"Observation",
|
||||
"profile":{
|
||||
"reference":"http://hl7.org/fhir/profiles/Observation"
|
||||
},
|
||||
"interaction":[
|
||||
{
|
||||
"code":"search-type"
|
||||
}
|
||||
],
|
||||
"searchParam":[
|
||||
{
|
||||
"name":"code",
|
||||
"type":"token",
|
||||
"documentation":"The code of the observation type"
|
||||
},
|
||||
{
|
||||
"name":"subject",
|
||||
"type":"string",
|
||||
"documentation":"The subject that the observation is about"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"type":"OperationDefinition",
|
||||
"profile":{
|
||||
"reference":"http://hl7.org/fhir/profiles/OperationDefinition"
|
||||
},
|
||||
"interaction":[
|
||||
{
|
||||
"code":"read"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"type":"Patient",
|
||||
"profile":{
|
||||
"reference":"http://hl7.org/fhir/profiles/Patient"
|
||||
},
|
||||
"interaction":[
|
||||
{
|
||||
"code":"read"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"type":"StructureDefinition",
|
||||
"profile":{
|
||||
"reference":"http://hl7.org/fhir/profiles/StructureDefinition"
|
||||
},
|
||||
"interaction":[
|
||||
{
|
||||
"code":"read"
|
||||
},
|
||||
{
|
||||
"code":"search-type"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -23,19 +23,18 @@ import org.apache.commons.io.IOUtils;
|
|||
import org.hl7.fhir.dstu3.hapi.validation.DefaultProfileValidationSupport;
|
||||
import org.hl7.fhir.dstu3.hapi.validation.FhirInstanceValidator;
|
||||
import org.hl7.fhir.dstu3.hapi.validation.IValidationSupport;
|
||||
import org.hl7.fhir.dstu3.hapi.validation.ValidationSupportChain;
|
||||
import org.hl7.fhir.dstu3.hapi.validation.IValidationSupport.CodeValidationResult;
|
||||
import org.hl7.fhir.dstu3.hapi.validation.ValidationSupportChain;
|
||||
import org.hl7.fhir.dstu3.model.CodeType;
|
||||
import org.hl7.fhir.dstu3.model.Observation;
|
||||
import org.hl7.fhir.dstu3.model.Observation.ObservationStatus;
|
||||
import org.hl7.fhir.dstu3.model.Patient;
|
||||
import org.hl7.fhir.dstu3.model.StringType;
|
||||
import org.hl7.fhir.dstu3.model.ValueSet;
|
||||
import org.hl7.fhir.dstu3.model.Observation.ObservationStatus;
|
||||
import org.hl7.fhir.dstu3.model.ValueSet.ConceptDefinitionComponent;
|
||||
import org.hl7.fhir.dstu3.model.ValueSet.ConceptSetComponent;
|
||||
import org.hl7.fhir.dstu3.model.ValueSet.ValueSetExpansionComponent;
|
||||
import org.hl7.fhir.instance.model.api.IBaseResource;
|
||||
import org.junit.After;
|
||||
import org.junit.AfterClass;
|
||||
import org.junit.Before;
|
||||
import org.junit.Ignore;
|
||||
|
|
Loading…
Reference in New Issue