Merge branch 'master' of github.com:jamesagnew/hapi-fhir

This commit is contained in:
James Agnew 2016-10-25 11:45:42 -04:00
commit a246809c92
5 changed files with 36 additions and 19 deletions

View File

@ -221,20 +221,16 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
IIdType inputResourceId = null;
switch (determineOperationDirection(theOperation, theProcessedRequest.getResource())) {
case IN_UNCATEGORIZED:
inputResourceId = theProcessedRequest.getId();
if (inputResourceId == null || inputResourceId.hasIdPart() == false) {
return;
} else {
break;
}
case IN:
case BOTH:
inputResource = theProcessedRequest.getResource();
inputResourceId = theProcessedRequest.getId();
break;
case NONE:
case OUT:
inputResource = null;
inputResourceId = theProcessedRequest.getId();
break;
case NONE:
return;
}
@ -257,8 +253,6 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
@Override
public boolean outgoingResponse(RequestDetails theRequestDetails, IBaseResource theResponseObject) {
switch (determineOperationDirection(theRequestDetails.getRestOperationType(), null)) {
case IN_UNCATEGORIZED:
return true;
case IN:
case NONE:
return true;
@ -354,7 +348,6 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
private enum OperationExamineDirection {
IN,
IN_UNCATEGORIZED,
NONE,
OUT,
BOTH,

View File

@ -63,7 +63,16 @@ class RuleImplOp extends BaseRule implements IAuthRule {
switch (myOp) {
case READ:
if (theOutputResource == null) {
return null;
switch (theOperation) {
case READ:
appliesToResourceId = theInputResourceId;
break;
case SEARCH_SYSTEM:
case SEARCH_TYPE:
return new Verdict(PolicyEnum.ALLOW, this);
default:
return null;
}
}
appliesToResource = theOutputResource;
break;

View File

@ -118,11 +118,20 @@ public class JpaConformanceProviderDstu3 extends org.hl7.fhir.dstu3.hapi.rest.se
}
}
massage(retVal);
retVal.getImplementation().setDescription(myImplementationDescription);
myCachedValue = retVal;
return retVal;
}
/**
* Subclasses may override
*/
protected void massage(Conformance theStatement) {
// nothing
}
public void setDaoConfig(DaoConfig myDaoConfig) {
this.myDaoConfig = myDaoConfig;
}

View File

@ -167,7 +167,7 @@ public class AuthorizationInterceptorDstu2Test {
ourLog.info(response);
assertThat(response, containsString("Access denied by rule: Rule 1"));
assertEquals(403, status.getStatusLine().getStatusCode());
assertTrue(ourHitMethod);
assertFalse(ourHitMethod);
ourHitMethod = false;
httpGet = new HttpGet("http://localhost:" + ourPort + "/Patient/1/$validate");
@ -321,7 +321,7 @@ public class AuthorizationInterceptorDstu2Test {
ourLog.info(response);
assertThat(response, containsString("Access denied by rule: Default Rule"));
assertEquals(403, status.getStatusLine().getStatusCode());
assertTrue(ourHitMethod);
assertFalse(ourHitMethod);
ourHitMethod = false;
httpGet = new HttpGet("http://localhost:" + ourPort + "/Patient/1/$validate");
@ -625,7 +625,7 @@ public class AuthorizationInterceptorDstu2Test {
ourLog.info(response);
assertThat(response, containsString("Access denied by default policy (no applicable rules)"));
assertEquals(403, status.getStatusLine().getStatusCode());
assertTrue(ourHitMethod);
assertFalse(ourHitMethod);
ourReturn = Arrays.asList(createPatient(1), createObservation(10, "Patient/2"));
ourHitMethod = false;
@ -679,8 +679,8 @@ public class AuthorizationInterceptorDstu2Test {
httpGet = new HttpGet("http://localhost:" + ourPort + "/Observation/10");
status = ourClient.execute(httpGet);
extractResponseAndClose(status);
assertEquals(200, status.getStatusLine().getStatusCode());
assertTrue(ourHitMethod);
assertEquals(403, status.getStatusLine().getStatusCode());
assertFalse(ourHitMethod);
ourReturn = Arrays.asList(createPatient(1), createObservation(10, "Patient/1"));
ourHitMethod = false;
@ -719,7 +719,7 @@ public class AuthorizationInterceptorDstu2Test {
ourLog.info(response);
assertThat(response, containsString("Access denied by default policy (no applicable rules)"));
assertEquals(403, status.getStatusLine().getStatusCode());
assertTrue(ourHitMethod);
assertFalse(ourHitMethod);
ourReturn = Arrays.asList(createObservation(10, "Patient/2"));
ourHitMethod = false;
@ -729,7 +729,7 @@ public class AuthorizationInterceptorDstu2Test {
ourLog.info(response);
assertThat(response, containsString("Access denied by default policy (no applicable rules)"));
assertEquals(403, status.getStatusLine().getStatusCode());
assertTrue(ourHitMethod);
assertFalse(ourHitMethod);
ourReturn = Arrays.asList(createPatient(1), createObservation(10, "Patient/2"));
ourHitMethod = false;

View File

@ -225,6 +225,12 @@
Remove unused field (myIsContained) from ResourceTable
in JPA server.
</action>
<action type="add">
AuthorizationInterceptor is now a bit more aggressive
at blocking read operations, stopping them on the
way in if there is no way they will be accepted
to the resource check on the way out
</action>
</release>
<release version="2.0" date="2016-08-30">
<action type="fix">