Add docs and changelog

This commit is contained in:
Tadgh 2021-09-14 01:54:59 -04:00
parent 3d24a4ce16
commit 75a16f3b13
7 changed files with 106 additions and 29 deletions

View File

@ -39,6 +39,7 @@ import org.hl7.fhir.dstu3.model.IdType;
import org.hl7.fhir.instance.model.api.IBaseResource;
import org.hl7.fhir.r4.model.Patient;
import java.util.Collections;
import java.util.List;
import static org.apache.commons.lang3.StringUtils.isNotBlank;
@ -100,7 +101,7 @@ public class AuthorizationInterceptors {
.denyAll()
.build();
}
// If the user is an admin, allow everything
if (userIsAdmin) {
return new RuleBuilder()
@ -205,6 +206,18 @@ public class AuthorizationInterceptors {
};
//END SNIPPET: bulkExport
//START SNIPPET: advancedCompartment
new AuthorizationInterceptor(PolicyEnum.DENY) {
@Override
public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
List<String> additionalCompartmentSpNames = Collections.singletonList("device:patient");
return new RuleBuilder()
.allow().read().allResources().inCompartmentWithAdditionalSearchParams("Patient", new IdType("Patient/123"), additionalCompartmentSpNames)
.build();
}
};
//END SNIPPET: advancedCompartment
}

View File

@ -0,0 +1,5 @@
---
type: add
jira: SMILE-1118
title: "Add new RuleBuilder options which allow you to specify additional resources and search parameters which match a given compartment. More explanations of
the enhancements can be found in [the documentation](/hapi-fhir/docs/security/authorization_interceptor.html#advanced-compartment-authorization)."

View File

@ -83,3 +83,14 @@ AuthorizationInterceptor can be used to provide nuanced control over the kinds o
```java
{{snippet:classpath:/ca/uhn/hapi/fhir/docs/AuthorizationInterceptors.java|bulkExport}}
```
# Advanced Compartment authorization
AuthorizationInterceptor can be used to provide fine-grained control over compartment reads and writes as well. There is a strict FHIR definition
of which resources and related search parameters fall into a given compartment. However, sometimes the defaults do not suffice. The following is an example
of an R4 ruleset which allows `device.patient` to be considered in the Patient compartment, on top of all the standard search parameters.
```java
{{snippet:classpath:/ca/uhn/hapi/fhir/docs/AuthorizationInterceptors.java|advancedCompartment}}
```

View File

@ -43,6 +43,28 @@ public interface IAuthRuleBuilderRuleOpClassifier {
*/
IAuthRuleBuilderRuleOpClassifierFinished inCompartment(String theCompartmentName, IIdType theOwner);
/**
* Rule applies to resources in the given compartment.
* <p>
* For example, to apply the rule to any observations in the patient compartment
* belonging to patient "123", you would invoke this with</br>
* <code>inCompartment("Patient", new IdType("Patient", "123"))</code>
*
* This call also allows you to pass additional search parameters that count as being included in the given compartment,
* passed in as a list of `resourceType:search-parameter-name`. For example, if you select a compartment name of "patient",
* you could pass in a singleton list consisting of the string "device:patient", which would cause any devices belonging
* to the patient to be permitted by the authorization rule.
*
* </p>
* <p>
* This call completes the rule and adds the rule to the chain.
* </p>
*
* @param theCompartmentName The name of the compartment (must not be null or blank)
* @param theOwner The owner of the compartment. Note that both the resource type and ID must be populated in this ID.
* @param theAdditionalTypeSearchParamNames A list of strings for additional resource types and search parameters which count as being in the compartment, in the form "resourcetype:search-parameter-name".
*/
IAuthRuleBuilderRuleOpClassifierFinished inCompartmentWithAdditionalSearchParams(String theCompartmentName, IIdType theOwner, List<String> theAdditionalTypeSearchParamNames);
/**
* Rule applies to resources in the given compartment.
* <p>
@ -59,7 +81,31 @@ public interface IAuthRuleBuilderRuleOpClassifier {
*/
IAuthRuleBuilderRuleOpClassifierFinished inCompartment(String theCompartmentName, Collection<? extends IIdType> theOwners);
IAuthRuleBuilderRuleOpClassifierFinished inCompartmentWithAdditionalSearchParams(String theCompartmentName, IIdType theOwner, List<String> additionalTypeSearchParamNames);
/**
* Rule applies to resources in the given compartment.
* <p>
* For example, to apply the rule to any observations in the patient compartment
* belonging to patient "123", you would invoke this with</br>
* <code>inCompartment("Patient", new IdType("Patient", "123"))</code>
*
* This call also allows you to pass additional search parameters that count as being included in the given compartment,
* passed in as a list of `resourceType:search-parameter-name`. For example, if you select a compartment name of "patient",
* you could pass in a singleton list consisting of the string "device:patient", which would cause any devices belonging
* to the patient to be permitted by the authorization rule.
*
* </p>
* <p>
* This call completes the rule and adds the rule to the chain.
* </p>
*
* @param theCompartmentName The name of the compartment (must not be null or blank)
* @param theOwners The owners of the compartment. Note that both the resource type and ID must be populated in these IDs.
* @param theAdditionalTypeSearchParamNames A list of strings for additional resource types and search parameters which count as being in the compartment, in the form "resourcetype:search-parameter-name".
*
**/
IAuthRuleBuilderRuleOpClassifierFinished inCompartmentWithAdditionalSearchParams(String theCompartmentName, Collection<? extends IIdType> theOwners, List<String> theAdditionalTypeSearchParamNames);
/**
* Rule applies to any resource instances

View File

@ -492,6 +492,11 @@ public class RuleBuilder implements IAuthRuleBuilder {
@Override
public IAuthRuleBuilderRuleOpClassifierFinished inCompartment(String theCompartmentName, Collection<? extends IIdType> theOwners) {
return inCompartmentWithAdditionalSearchParams(theCompartmentName, theOwners, new ArrayList<>());
}
@Override
public IAuthRuleBuilderRuleOpClassifierFinished inCompartmentWithAdditionalSearchParams(String theCompartmentName, Collection<? extends IIdType> theOwners, List<String> theAdditionalTypeSearchParamNames) {
Validate.notBlank(theCompartmentName, "theCompartmentName must not be null");
Validate.notNull(theOwners, "theOwners must not be null");
Validate.noNullElements(theOwners, "theOwners must not contain any null elements");
@ -500,39 +505,28 @@ public class RuleBuilder implements IAuthRuleBuilder {
}
myInCompartmentName = theCompartmentName;
myInCompartmentOwners = theOwners;
myAdditionalSearchParamsForCompartmentTypes = theAdditionalTypeSearchParamNames;
myClassifierType = ClassifierTypeEnum.IN_COMPARTMENT;
return finished();
}
@Override
public IAuthRuleBuilderRuleOpClassifierFinished inCompartment(String theCompartmentName, IIdType theOwner) {
Validate.notBlank(theCompartmentName, "theCompartmentName must not be null");
Validate.notNull(theOwner, "theOwner must not be null");
validateOwner(theOwner);
myClassifierType = ClassifierTypeEnum.IN_COMPARTMENT;
myInCompartmentName = theCompartmentName;
Optional<RuleImplOp> oRule = findMatchingRule();
if (oRule.isPresent()) {
RuleImplOp rule = oRule.get();
rule.addClassifierCompartmentOwner(theOwner);
return new RuleBuilderFinished(rule);
}
myInCompartmentOwners = Collections.singletonList(theOwner);
return finished();
return inCompartmentWithAdditionalSearchParams(theCompartmentName, theOwner, new ArrayList<>());
}
@Override
public IAuthRuleBuilderRuleOpClassifierFinished inCompartmentWithAdditionalSearchParams(String theCompartmentName, IIdType theOwner, List<String> additionalTypeSearchParamNames) {
public IAuthRuleBuilderRuleOpClassifierFinished inCompartmentWithAdditionalSearchParams(String theCompartmentName, IIdType theOwner, List<String> theAdditionalTypeSearchParamNames) {
Validate.notBlank(theCompartmentName, "theCompartmentName must not be null");
Validate.notNull(theOwner, "theOwner must not be null");
validateOwner(theOwner);
myClassifierType = ClassifierTypeEnum.IN_COMPARTMENT;
myInCompartmentName = theCompartmentName;
myAdditionalSearchParamsForCompartmentTypes = theAdditionalTypeSearchParamNames;
Optional<RuleImplOp> oRule = findMatchingRule();
if (oRule.isPresent()) {
RuleImplOp rule = oRule.get();
rule.setAdditionalSearchParamsForCompartmentTypes(additionalTypeSearchParamNames);
rule.setAdditionalSearchParamsForCompartmentTypes(myAdditionalSearchParamsForCompartmentTypes);
rule.addClassifierCompartmentOwner(theOwner);
return new RuleBuilderFinished(rule);
}

View File

@ -34,6 +34,7 @@ import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import static org.apache.commons.lang3.StringUtils.defaultString;
import static org.apache.commons.lang3.StringUtils.isNotBlank;
@ -345,7 +346,7 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
Set<String> additionalSearchParamNames = null;
if (myAdditionalCompartmentSearchParamMap != null) {
additionalSearchParamNames = myAdditionalCompartmentSearchParamMap.get(target.resourceType);
additionalSearchParamNames = myAdditionalCompartmentSearchParamMap.get(ctx.getResourceType(target.resource).toLowerCase());
}
if (t.isSourceInCompartmentForTarget(myClassifierCompartmentName, target.resource, next, additionalSearchParamNames)) {
foundMatch = true;
@ -381,13 +382,17 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
RuntimeResourceDefinition sourceDef = theRequestDetails.getFhirContext().getResourceDefinition(target.resourceType);
String compartmentOwnerResourceType = next.getResourceType();
if (!StringUtils.equals(target.resourceType, compartmentOwnerResourceType)) {
List<RuntimeSearchParam> params = sourceDef.getSearchParamsForCompartmentName(compartmentOwnerResourceType);
if (target.resourceType.equalsIgnoreCase("Device") && myDeviceIncludedInPatientCompartment) {
if (params == null || params.isEmpty()) {
params = new ArrayList<>();
}
params.add(sourceDef.getSearchParam("patient"));
Set<String> additionalParamNames = myAdditionalCompartmentSearchParamMap.get(sourceDef.getName().toLowerCase());
List<RuntimeSearchParam> additionalParams = additionalParamNames.stream().map(paramName -> sourceDef.getSearchParam(paramName)).collect(Collectors.toList());
if (params == null || params.isEmpty()) {
params = additionalParams;
} else {
params.addAll(additionalParams);
}
if (!params.isEmpty()) {
/*
@ -708,10 +713,9 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
}
for (String typeAndParam: theTypeAndParams) {
String[] split = typeAndParam.split(",");
String[] split = typeAndParam.split(":");
Validate.isTrue(split.length == 2);
myAdditionalCompartmentSearchParamMap.computeIfAbsent(split[0], (v) -> new HashSet<>()).add(split[1]);
myAdditionalCompartmentSearchParamMap.computeIfAbsent(split[0].toLowerCase(), (v) -> new HashSet<>()).add(split[1].toLowerCase());
}
this.myAdditionalCompartmentSearchParamMap = myAdditionalCompartmentSearchParamMap;
}
}

View File

@ -376,15 +376,19 @@ public class AuthorizationInterceptorR4Test {
assertTrue(ourHitMethod);
}
@Test
public void testDeviceIsPartOfPatientCompartment() throws Exception {
public void testCustomCompartmentSpsOnMultipleInstances() throws Exception {
ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
@Override
public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
List<String> bonusPatientCompartmentSearchParams = Collections.singletonList("device:patient");
List<IdType> relatedIds = new ArrayList<>();
relatedIds.add(new IdType("Patient/123"));
relatedIds.add(new IdType("Patient/456"));
return new RuleBuilder()
.allow().read().allResources()
.inCompartmentWithAdditionalSearchParams("Patient", new IdType("Patient/123"), bonusPatientCompartmentSearchParams)
.inCompartmentWithAdditionalSearchParams("Patient", relatedIds, bonusPatientCompartmentSearchParams)
.andThen().denyAll()
.build();
}