Merge branch 'master' of github.com:jamesagnew/hapi-fhir

This commit is contained in:
James Agnew 2016-10-25 11:45:42 -04:00
commit a246809c92
5 changed files with 36 additions and 19 deletions

View File

@ -221,20 +221,16 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
IIdType inputResourceId = null; IIdType inputResourceId = null;
switch (determineOperationDirection(theOperation, theProcessedRequest.getResource())) { switch (determineOperationDirection(theOperation, theProcessedRequest.getResource())) {
case IN_UNCATEGORIZED:
inputResourceId = theProcessedRequest.getId();
if (inputResourceId == null || inputResourceId.hasIdPart() == false) {
return;
} else {
break;
}
case IN: case IN:
case BOTH: case BOTH:
inputResource = theProcessedRequest.getResource(); inputResource = theProcessedRequest.getResource();
inputResourceId = theProcessedRequest.getId(); inputResourceId = theProcessedRequest.getId();
break; break;
case NONE:
case OUT: case OUT:
inputResource = null;
inputResourceId = theProcessedRequest.getId();
break;
case NONE:
return; return;
} }
@ -257,8 +253,6 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
@Override @Override
public boolean outgoingResponse(RequestDetails theRequestDetails, IBaseResource theResponseObject) { public boolean outgoingResponse(RequestDetails theRequestDetails, IBaseResource theResponseObject) {
switch (determineOperationDirection(theRequestDetails.getRestOperationType(), null)) { switch (determineOperationDirection(theRequestDetails.getRestOperationType(), null)) {
case IN_UNCATEGORIZED:
return true;
case IN: case IN:
case NONE: case NONE:
return true; return true;
@ -354,7 +348,6 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
private enum OperationExamineDirection { private enum OperationExamineDirection {
IN, IN,
IN_UNCATEGORIZED,
NONE, NONE,
OUT, OUT,
BOTH, BOTH,

View File

@ -63,7 +63,16 @@ class RuleImplOp extends BaseRule implements IAuthRule {
switch (myOp) { switch (myOp) {
case READ: case READ:
if (theOutputResource == null) { if (theOutputResource == null) {
return null; switch (theOperation) {
case READ:
appliesToResourceId = theInputResourceId;
break;
case SEARCH_SYSTEM:
case SEARCH_TYPE:
return new Verdict(PolicyEnum.ALLOW, this);
default:
return null;
}
} }
appliesToResource = theOutputResource; appliesToResource = theOutputResource;
break; break;

View File

@ -118,11 +118,20 @@ public class JpaConformanceProviderDstu3 extends org.hl7.fhir.dstu3.hapi.rest.se
} }
} }
massage(retVal);
retVal.getImplementation().setDescription(myImplementationDescription); retVal.getImplementation().setDescription(myImplementationDescription);
myCachedValue = retVal; myCachedValue = retVal;
return retVal; return retVal;
} }
/**
* Subclasses may override
*/
protected void massage(Conformance theStatement) {
// nothing
}
public void setDaoConfig(DaoConfig myDaoConfig) { public void setDaoConfig(DaoConfig myDaoConfig) {
this.myDaoConfig = myDaoConfig; this.myDaoConfig = myDaoConfig;
} }

View File

@ -167,7 +167,7 @@ public class AuthorizationInterceptorDstu2Test {
ourLog.info(response); ourLog.info(response);
assertThat(response, containsString("Access denied by rule: Rule 1")); assertThat(response, containsString("Access denied by rule: Rule 1"));
assertEquals(403, status.getStatusLine().getStatusCode()); assertEquals(403, status.getStatusLine().getStatusCode());
assertTrue(ourHitMethod); assertFalse(ourHitMethod);
ourHitMethod = false; ourHitMethod = false;
httpGet = new HttpGet("http://localhost:" + ourPort + "/Patient/1/$validate"); httpGet = new HttpGet("http://localhost:" + ourPort + "/Patient/1/$validate");
@ -321,7 +321,7 @@ public class AuthorizationInterceptorDstu2Test {
ourLog.info(response); ourLog.info(response);
assertThat(response, containsString("Access denied by rule: Default Rule")); assertThat(response, containsString("Access denied by rule: Default Rule"));
assertEquals(403, status.getStatusLine().getStatusCode()); assertEquals(403, status.getStatusLine().getStatusCode());
assertTrue(ourHitMethod); assertFalse(ourHitMethod);
ourHitMethod = false; ourHitMethod = false;
httpGet = new HttpGet("http://localhost:" + ourPort + "/Patient/1/$validate"); httpGet = new HttpGet("http://localhost:" + ourPort + "/Patient/1/$validate");
@ -625,7 +625,7 @@ public class AuthorizationInterceptorDstu2Test {
ourLog.info(response); ourLog.info(response);
assertThat(response, containsString("Access denied by default policy (no applicable rules)")); assertThat(response, containsString("Access denied by default policy (no applicable rules)"));
assertEquals(403, status.getStatusLine().getStatusCode()); assertEquals(403, status.getStatusLine().getStatusCode());
assertTrue(ourHitMethod); assertFalse(ourHitMethod);
ourReturn = Arrays.asList(createPatient(1), createObservation(10, "Patient/2")); ourReturn = Arrays.asList(createPatient(1), createObservation(10, "Patient/2"));
ourHitMethod = false; ourHitMethod = false;
@ -679,8 +679,8 @@ public class AuthorizationInterceptorDstu2Test {
httpGet = new HttpGet("http://localhost:" + ourPort + "/Observation/10"); httpGet = new HttpGet("http://localhost:" + ourPort + "/Observation/10");
status = ourClient.execute(httpGet); status = ourClient.execute(httpGet);
extractResponseAndClose(status); extractResponseAndClose(status);
assertEquals(200, status.getStatusLine().getStatusCode()); assertEquals(403, status.getStatusLine().getStatusCode());
assertTrue(ourHitMethod); assertFalse(ourHitMethod);
ourReturn = Arrays.asList(createPatient(1), createObservation(10, "Patient/1")); ourReturn = Arrays.asList(createPatient(1), createObservation(10, "Patient/1"));
ourHitMethod = false; ourHitMethod = false;
@ -719,7 +719,7 @@ public class AuthorizationInterceptorDstu2Test {
ourLog.info(response); ourLog.info(response);
assertThat(response, containsString("Access denied by default policy (no applicable rules)")); assertThat(response, containsString("Access denied by default policy (no applicable rules)"));
assertEquals(403, status.getStatusLine().getStatusCode()); assertEquals(403, status.getStatusLine().getStatusCode());
assertTrue(ourHitMethod); assertFalse(ourHitMethod);
ourReturn = Arrays.asList(createObservation(10, "Patient/2")); ourReturn = Arrays.asList(createObservation(10, "Patient/2"));
ourHitMethod = false; ourHitMethod = false;
@ -729,7 +729,7 @@ public class AuthorizationInterceptorDstu2Test {
ourLog.info(response); ourLog.info(response);
assertThat(response, containsString("Access denied by default policy (no applicable rules)")); assertThat(response, containsString("Access denied by default policy (no applicable rules)"));
assertEquals(403, status.getStatusLine().getStatusCode()); assertEquals(403, status.getStatusLine().getStatusCode());
assertTrue(ourHitMethod); assertFalse(ourHitMethod);
ourReturn = Arrays.asList(createPatient(1), createObservation(10, "Patient/2")); ourReturn = Arrays.asList(createPatient(1), createObservation(10, "Patient/2"));
ourHitMethod = false; ourHitMethod = false;

View File

@ -225,6 +225,12 @@
Remove unused field (myIsContained) from ResourceTable Remove unused field (myIsContained) from ResourceTable
in JPA server. in JPA server.
</action> </action>
<action type="add">
AuthorizationInterceptor is now a bit more aggressive
at blocking read operations, stopping them on the
way in if there is no way they will be accepted
to the resource check on the way out
</action>
</release> </release>
<release version="2.0" date="2016-08-30"> <release version="2.0" date="2016-08-30">
<action type="fix"> <action type="fix">