This commit is contained in:
James Agnew 2024-09-10 10:02:52 -04:00
parent 7ad2524272
commit 703924938f
3 changed files with 30 additions and 26 deletions


@ -593,7 +593,8 @@ public class AuthorizationInterceptor implements IRuleApplier {
}
@Nonnull
public static List<IBaseResource> toListOfResourcesAndExcludeContainer(IBaseResource theResponseObject, FhirContext fhirContext) {
public static List<IBaseResource> toListOfResourcesAndExcludeContainer(
IBaseResource theResponseObject, FhirContext fhirContext) {
List<IBaseResource> retVal;
retVal = fhirContext.newTerser().getAllPopulatedChildElementsOfType(theResponseObject, IBaseResource.class);


@ -98,14 +98,6 @@ class OperationRule extends BaseRule implements IAuthRule {
Pointcut thePointcut) {
FhirContext ctx = theRequestDetails.getServer().getFhirContext();
// Operation rules apply to the execution of the operation itself, not to side effects like
// loading resources (that will presumably be reflected in the response). Those loads need
// to be explicitly authorized
if (!myAllowAllResourcesAccess && isResourceAccess(thePointcut)) {
// return null;
// FIXME: remove
}
boolean applies = false;
switch (theOperation) {
case EXTENDED_OPERATION_SERVER:
@ -174,26 +166,28 @@ class OperationRule extends BaseRule implements IAuthRule {
if (theOutputResource == null) {
// This is the request part
return newVerdict(
theOperation,
theRequestDetails,
theInputResource,
theInputResourceId,
theOutputResource,
theRuleApplier);
} else {
// This is the response part, so we might want to check all of the
// resources in the response
if (myAllowAllResponses) {
return newVerdict(
theOperation,
theRequestDetails,
theInputResource,
theInputResourceId,
theOutputResource,
theRuleApplier);
} else {
// This is the response part, so we might want to check all of the
// resources in the response
if (myAllowAllResponses) {
return newVerdict(
theOperation,
theRequestDetails,
theInputResource,
theInputResourceId,
theOutputResource,
theRuleApplier);
} else {
List<IBaseResource> outputResources = AuthorizationInterceptor.toListOfResourcesAndExcludeContainer( theOutputResource, theRequestDetails.getFhirContext());
return RuleImplOp.applyRulesToResponseResources(theRequestDetails, theRuleApplier, thePointcut, outputResources);
List<IBaseResource> outputResources = AuthorizationInterceptor.toListOfResourcesAndExcludeContainer(
theOutputResource, theRequestDetails.getFhirContext());
return RuleImplOp.applyRulesToResponseResources(
theRequestDetails, theRuleApplier, thePointcut, outputResources);
}
}
}
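Review bot: The new else branch flattens the operation response with `AuthorizationInterceptor.toListOfResourcesAndExcludeContainer(...)`, while the sibling code this commit also reformats in RuleImplOp.applyRulesToResponseBundle uses `toListOfResourcesAndExcludeContainerUnlessStandalone(...)`; if the name means what it suggests, an operation that returns a single non-Bundle resource could have that resource dropped as the "container" here and then be checked by no rule at all. Because applyRulesToResponseResources is annotated @Nullable and starts its verdict at null, an empty list would make this rule abstain rather than deny, which the surrounding comment "we might want to check all of the resources in the response" does not make obvious; please confirm which helper is intended, and if the standalone case must be evaluated, use the same call as the bundle path, `List<IBaseResource> outputResources = AuthorizationInterceptor.toListOfResourcesAndExcludeContainerUnlessStandalone(theOutputResource, theRequestDetails.getFhirContext());`. Either way, a short comment on the `return RuleImplOp.applyRulesToResponseResources(...)` line such as `// A null verdict means this rule abstains; other rules or the default policy decide the response` would record the fall-through behaviour. The enclosing applyRule method begins before this hunk, so the request-side handling above it is not visible here.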


@ -835,14 +835,23 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
}
@Nullable
private static Verdict applyRulesToResponseBundle(RequestDetails theRequestDetails, IBaseResource theOutputResource, IRuleApplier theRuleApplier, Pointcut thePointcut) {
List<IBaseResource> outputResources = AuthorizationInterceptor.toListOfResourcesAndExcludeContainerUnlessStandalone(
theOutputResource, theRequestDetails.getFhirContext());
private static Verdict applyRulesToResponseBundle(
RequestDetails theRequestDetails,
IBaseResource theOutputResource,
IRuleApplier theRuleApplier,
Pointcut thePointcut) {
List<IBaseResource> outputResources =
AuthorizationInterceptor.toListOfResourcesAndExcludeContainerUnlessStandalone(
theOutputResource, theRequestDetails.getFhirContext());
return applyRulesToResponseResources(theRequestDetails, theRuleApplier, thePointcut, outputResources);
}
@Nullable
public static Verdict applyRulesToResponseResources(RequestDetails theRequestDetails, IRuleApplier theRuleApplier, Pointcut thePointcut, List<IBaseResource> outputResources) {
public static Verdict applyRulesToResponseResources(
RequestDetails theRequestDetails,
IRuleApplier theRuleApplier,
Pointcut thePointcut,
List<IBaseResource> outputResources) {
Verdict verdict = null;
for (IBaseResource nextResource : outputResources) {
if (nextResource == null) {