Merge branch 'master' of github.com:jamesagnew/hapi-fhir
This commit is contained in:
commit
a246809c92
|
@ -221,20 +221,16 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
|
|||
IIdType inputResourceId = null;
|
||||
|
||||
switch (determineOperationDirection(theOperation, theProcessedRequest.getResource())) {
|
||||
case IN_UNCATEGORIZED:
|
||||
inputResourceId = theProcessedRequest.getId();
|
||||
if (inputResourceId == null || inputResourceId.hasIdPart() == false) {
|
||||
return;
|
||||
} else {
|
||||
break;
|
||||
}
|
||||
case IN:
|
||||
case BOTH:
|
||||
inputResource = theProcessedRequest.getResource();
|
||||
inputResourceId = theProcessedRequest.getId();
|
||||
break;
|
||||
case NONE:
|
||||
case OUT:
|
||||
inputResource = null;
|
||||
inputResourceId = theProcessedRequest.getId();
|
||||
break;
|
||||
case NONE:
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -257,8 +253,6 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
|
|||
@Override
|
||||
public boolean outgoingResponse(RequestDetails theRequestDetails, IBaseResource theResponseObject) {
|
||||
switch (determineOperationDirection(theRequestDetails.getRestOperationType(), null)) {
|
||||
case IN_UNCATEGORIZED:
|
||||
return true;
|
||||
case IN:
|
||||
case NONE:
|
||||
return true;
|
||||
|
@ -354,7 +348,6 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
|
|||
|
||||
private enum OperationExamineDirection {
|
||||
IN,
|
||||
IN_UNCATEGORIZED,
|
||||
NONE,
|
||||
OUT,
|
||||
BOTH,
|
||||
|
|
|
@ -63,7 +63,16 @@ class RuleImplOp extends BaseRule implements IAuthRule {
|
|||
switch (myOp) {
|
||||
case READ:
|
||||
if (theOutputResource == null) {
|
||||
return null;
|
||||
switch (theOperation) {
|
||||
case READ:
|
||||
appliesToResourceId = theInputResourceId;
|
||||
break;
|
||||
case SEARCH_SYSTEM:
|
||||
case SEARCH_TYPE:
|
||||
return new Verdict(PolicyEnum.ALLOW, this);
|
||||
default:
|
||||
return null;
|
||||
}
|
||||
}
|
||||
appliesToResource = theOutputResource;
|
||||
break;
|
||||
|
|
|
@ -118,11 +118,20 @@ public class JpaConformanceProviderDstu3 extends org.hl7.fhir.dstu3.hapi.rest.se
|
|||
}
|
||||
}
|
||||
|
||||
massage(retVal);
|
||||
|
||||
retVal.getImplementation().setDescription(myImplementationDescription);
|
||||
myCachedValue = retVal;
|
||||
return retVal;
|
||||
}
|
||||
|
||||
/**
|
||||
* Subclasses may override
|
||||
*/
|
||||
protected void massage(Conformance theStatement) {
|
||||
// nothing
|
||||
}
|
||||
|
||||
public void setDaoConfig(DaoConfig myDaoConfig) {
|
||||
this.myDaoConfig = myDaoConfig;
|
||||
}
|
||||
|
|
|
@ -167,7 +167,7 @@ public class AuthorizationInterceptorDstu2Test {
|
|||
ourLog.info(response);
|
||||
assertThat(response, containsString("Access denied by rule: Rule 1"));
|
||||
assertEquals(403, status.getStatusLine().getStatusCode());
|
||||
assertTrue(ourHitMethod);
|
||||
assertFalse(ourHitMethod);
|
||||
|
||||
ourHitMethod = false;
|
||||
httpGet = new HttpGet("http://localhost:" + ourPort + "/Patient/1/$validate");
|
||||
|
@ -321,7 +321,7 @@ public class AuthorizationInterceptorDstu2Test {
|
|||
ourLog.info(response);
|
||||
assertThat(response, containsString("Access denied by rule: Default Rule"));
|
||||
assertEquals(403, status.getStatusLine().getStatusCode());
|
||||
assertTrue(ourHitMethod);
|
||||
assertFalse(ourHitMethod);
|
||||
|
||||
ourHitMethod = false;
|
||||
httpGet = new HttpGet("http://localhost:" + ourPort + "/Patient/1/$validate");
|
||||
|
@ -625,7 +625,7 @@ public class AuthorizationInterceptorDstu2Test {
|
|||
ourLog.info(response);
|
||||
assertThat(response, containsString("Access denied by default policy (no applicable rules)"));
|
||||
assertEquals(403, status.getStatusLine().getStatusCode());
|
||||
assertTrue(ourHitMethod);
|
||||
assertFalse(ourHitMethod);
|
||||
|
||||
ourReturn = Arrays.asList(createPatient(1), createObservation(10, "Patient/2"));
|
||||
ourHitMethod = false;
|
||||
|
@ -679,8 +679,8 @@ public class AuthorizationInterceptorDstu2Test {
|
|||
httpGet = new HttpGet("http://localhost:" + ourPort + "/Observation/10");
|
||||
status = ourClient.execute(httpGet);
|
||||
extractResponseAndClose(status);
|
||||
assertEquals(200, status.getStatusLine().getStatusCode());
|
||||
assertTrue(ourHitMethod);
|
||||
assertEquals(403, status.getStatusLine().getStatusCode());
|
||||
assertFalse(ourHitMethod);
|
||||
|
||||
ourReturn = Arrays.asList(createPatient(1), createObservation(10, "Patient/1"));
|
||||
ourHitMethod = false;
|
||||
|
@ -719,7 +719,7 @@ public class AuthorizationInterceptorDstu2Test {
|
|||
ourLog.info(response);
|
||||
assertThat(response, containsString("Access denied by default policy (no applicable rules)"));
|
||||
assertEquals(403, status.getStatusLine().getStatusCode());
|
||||
assertTrue(ourHitMethod);
|
||||
assertFalse(ourHitMethod);
|
||||
|
||||
ourReturn = Arrays.asList(createObservation(10, "Patient/2"));
|
||||
ourHitMethod = false;
|
||||
|
@ -729,7 +729,7 @@ public class AuthorizationInterceptorDstu2Test {
|
|||
ourLog.info(response);
|
||||
assertThat(response, containsString("Access denied by default policy (no applicable rules)"));
|
||||
assertEquals(403, status.getStatusLine().getStatusCode());
|
||||
assertTrue(ourHitMethod);
|
||||
assertFalse(ourHitMethod);
|
||||
|
||||
ourReturn = Arrays.asList(createPatient(1), createObservation(10, "Patient/2"));
|
||||
ourHitMethod = false;
|
||||
|
|
|
@ -225,6 +225,12 @@
|
|||
Remove unused field (myIsContained) from ResourceTable
|
||||
in JPA server.
|
||||
</action>
|
||||
<action type="add">
|
||||
AuthorizationInterceptor is now a bit more aggressive
|
||||
at blocking read operations, stopping them on the
|
||||
way in if there is no way they will be accepted
|
||||
to the resource check on the way out
|
||||
</action>
|
||||
</release>
|
||||
<release version="2.0" date="2016-08-30">
|
||||
<action type="fix">
|
||||
|
|
Loading…
Reference in New Issue