Handle AuthorizationInterceptor rejection of by-type reads on the wrong type earlier in the process

James Agnew 2019-08-15 09:16:45 -04:00
parent 1e07fcd2b3
commit afb682dfe9
3 changed files with 86 additions and 14 deletions


@ -412,7 +412,9 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
}
}
if (appliesToResourceType != null) {
if (myAppliesToTypes.contains(appliesToResourceType)) {
if (!myAppliesToTypes.contains(appliesToResourceType)) {
return null;
}
if (!applyTesters(theOperation, theRequestDetails, theInputResourceId, theInputResource, theOutputResource)) {
return null;
}
@ -422,7 +424,6 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
// ok we'll check below
}
}
}
break;
default:
throw new IllegalStateException("Unable to apply security to event of applies to type " + myAppliesTo);
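Review bot: The new early `return null;` under `if (!myAppliesToTypes.contains(appliesToResourceType))` has no comment saying that null means "this rule abstains" rather than "deny", and that distinction is what an authorization reviewer needs here. Going by the new test, which gets a 403 from `PolicyEnum.DENY` with only an allow rule registered, a null verdict appears to hand the decision to later rules or the default policy. I would add `// Not a type this rule covers: abstain (null) so later rules or the default policy decide` above the return. It would also help to note that the outcome for a non-matching type therefore depends on the configured default policy, not on this rule. The enclosing switch case and method start outside the hunk, so the earlier checks on the resource and resource id are not visible here.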


@ -43,10 +43,7 @@ import org.junit.*;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.*;
import java.util.concurrent.TimeUnit;
import static org.apache.commons.lang3.StringUtils.isNotBlank;
@ -2136,6 +2133,41 @@ public class AuthorizationInterceptorR4Test {
}
@Test
public void testReadByTypeWithAnyId() throws Exception {
ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
@Override
public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
return new RuleBuilder()
.allow("Rule 1").read().resourcesOfType(ServiceRequest.class).withAnyId().andThen()
.build();
}
});
HttpGet httpGet;
HttpResponse status;
String response;
ourReturn = Collections.singletonList(new Consent().setDateTime(new Date()).setId("Consent/123"));
ourHitMethod = false;
httpGet = new HttpGet("http://localhost:" + ourPort + "/Consent");
status = ourClient.execute(httpGet);
extractResponseAndClose(status);
assertEquals(403, status.getStatusLine().getStatusCode());
assertFalse(ourHitMethod);
ourReturn = Collections.singletonList(new ServiceRequest().setAuthoredOn(new Date()).setId("ServiceRequest/123"));
ourHitMethod = false;
httpGet = new HttpGet("http://localhost:" + ourPort + "/ServiceRequest");
status = ourClient.execute(httpGet);
extractResponseAndClose(status);
assertTrue(ourHitMethod);
assertEquals(200, status.getStatusLine().getStatusCode());
}
@Test
public void testReadByCompartmentReadByIdParam() throws Exception {
ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
@ -3607,6 +3639,38 @@ public class AuthorizationInterceptorR4Test {
}
public static class DummyServiceRequestResourceProvider implements IResourceProvider {
@Override
public Class<? extends IBaseResource> getResourceType() {
return ServiceRequest.class;
}
@Search
public List<Resource> search() {
assert ourReturn != null;
ourHitMethod = true;
return ourReturn;
}
}
public static class DummyConsentResourceProvider implements IResourceProvider {
@Override
public Class<? extends IBaseResource> getResourceType() {
return Consent.class;
}
@Search
public List<Resource> search() {
assert ourReturn != null;
ourHitMethod = true;
return ourReturn;
}
}
@SuppressWarnings("unused")
public static class DummyPatientResourceProvider implements IResourceProvider {
@ -3825,7 +3889,9 @@ public class AuthorizationInterceptorR4Test {
ServletHandler proxyHandler = new ServletHandler();
ourServlet = new RestfulServer(ourCtx);
ourServlet.setFhirContext(ourCtx);
ourServlet.setResourceProviders(patProvider, obsProv, encProv, cpProv, orgProv, drProv);
ourServlet.registerProviders(patProvider, obsProv, encProv, cpProv, orgProv, drProv);
ourServlet.registerProvider(new DummyServiceRequestResourceProvider());
ourServlet.registerProvider(new DummyConsentResourceProvider());
ourServlet.setPlainProviders(plainProvider);
ourServlet.setPagingProvider(new FifoMemoryPagingProvider(100));
ourServlet.setDefaultResponseEncoding(EncodingEnum.JSON);
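Review bot: In `testReadByTypeWithAnyId` the local `String response;` is declared but never assigned, and both calls to `extractResponseAndClose(status)` discard their result, so the test pins the 403 status and `assertFalse(ourHitMethod)` but not the content of the denied reply. If `extractResponseAndClose` returns the body (its signature is outside these hunks), consider `response = extractResponseAndClose(status);` followed by `assertFalse(response.contains("Consent/123"));` so a regression that echoes fixture data in the rejection is caught; otherwise drop the unused variable. A short comment on `assertFalse(ourHitMethod)` would also help, e.g. `// rejection must happen before the provider runs`, since that is the behaviour this commit is about. The test exercises only a default-DENY interceptor with an allow rule; the inverse setup is not covered in the visible hunks.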


@ -24,6 +24,11 @@
were incorrectly performing a partial match. This has been corrected. Thanks to
Marc Sandberg for pointing this out!
</action>
<action type="add">
When using the AuthorizationInterceptor with a rule to allow all reads by resource type,
the server will now reject requests for other resource types earlier in the processing
cycle. Thanks to Anders Havn for the suggestion!
</action>
</release>
<release version="4.0.0" date="2019-08-14" description="Igloo">
<action type="add">