First stab at a solution
This commit is contained in:
parent
df047a9dea
commit
b5ffb4068a
|
@ -159,6 +159,12 @@ public class AuthorizationInterceptor implements IRuleApplier {
|
||||||
rules = buildRuleList(theRequestDetails);
|
rules = buildRuleList(theRequestDetails);
|
||||||
theRequestDetails.getUserData().put(myRequestRuleListKey, rules);
|
theRequestDetails.getUserData().put(myRequestRuleListKey, rules);
|
||||||
}
|
}
|
||||||
|
// LUKETODO: rules do not contain any reference to PATCH
|
||||||
|
/*
|
||||||
|
0 = {RuleImplOp@40767} "RuleImplOp[testers=<null>,op=TRANSACTION,transactionAppliesToOp=ANY_OPERATION,appliesTo=<null>,appliesToTypes=<null>,classifierCompartmentName=<null>,classifierCompartmentOwners=<null>,classifierType=<null>]"
|
||||||
|
1 = {RuleImplOp@40768} "RuleImplOp[testers=<null>,op=WRITE,transactionAppliesToOp=<null>,appliesTo=TYPES,appliesToTypes=[Patient],classifierCompartmentName=<null>,classifierCompartmentOwners=<null>,classifierType=ANY_ID]"
|
||||||
|
*/
|
||||||
|
|
||||||
Set<AuthorizationFlagsEnum> flags = getFlags();
|
Set<AuthorizationFlagsEnum> flags = getFlags();
|
||||||
|
|
||||||
ourLog.trace(
|
ourLog.trace(
|
||||||
|
@ -168,7 +174,23 @@ public class AuthorizationInterceptor implements IRuleApplier {
|
||||||
getResourceTypeOrEmpty(theInputResource),
|
getResourceTypeOrEmpty(theInputResource),
|
||||||
getResourceTypeOrEmpty(theOutputResource));
|
getResourceTypeOrEmpty(theOutputResource));
|
||||||
|
|
||||||
|
|
||||||
Verdict verdict = null;
|
Verdict verdict = null;
|
||||||
|
|
||||||
|
// LUKETODO: try to just check for FHIR_PATCH if this is a FHIR_PATCH and if it's not there, then return a deny verdict
|
||||||
|
if (theOperation == RestOperationTypeEnum.PATCH) {
|
||||||
|
// if (rules.stream()
|
||||||
|
// .filter(RuleImplOp.class::isInstance)
|
||||||
|
// .map(RuleImplOp.class::cast)
|
||||||
|
// .noneMatch(rule -> rule.getOp() == RuleOpEnum.PATCH)) {
|
||||||
|
if (rules.stream()
|
||||||
|
.noneMatch(RuleImplPatch.class::isInstance)) {
|
||||||
|
// LUKETODO: this results in a 403 but is that what we want?
|
||||||
|
verdict = new Verdict(PolicyEnum.DENY, null);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (verdict == null) {
|
||||||
for (IAuthRule nextRule : rules) {
|
for (IAuthRule nextRule : rules) {
|
||||||
ourLog.trace("Rule being applied - {}", nextRule);
|
ourLog.trace("Rule being applied - {}", nextRule);
|
||||||
verdict = nextRule.applyRule(
|
verdict = nextRule.applyRule(
|
||||||
|
@ -185,6 +207,7 @@ public class AuthorizationInterceptor implements IRuleApplier {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (verdict == null) {
|
if (verdict == null) {
|
||||||
ourLog.trace("No rules returned a decision, applying default {}", myDefaultPolicy);
|
ourLog.trace("No rules returned a decision, applying default {}", myDefaultPolicy);
|
||||||
|
|
|
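Review bot: The PATCH short-circuit at `verdict = new Verdict(PolicyEnum.DENY, null);` denies with a null deciding rule and writes no trace, so unlike every other deny on this path nothing in the log records which check produced the 403, and the "No rules returned a decision" trace further down is skipped because the verdict is already non-null. Add `ourLog.trace("No RuleImplPatch configured, denying {}", theOperation);` before the verdict, and decide whether a deny should pre-empt the configured rules at all: as written, a rule list that would allow PATCH through any rule other than a `RuleImplPatch` (for example the TRANSACTION/WRITE `RuleImplOp` entries in the pasted debugger dump of the previous hunk) is never consulted, which is fail-closed but may not be the intended contract. The two nested `if`s collapse to `if (theOperation == RestOperationTypeEnum.PATCH && rules.stream().noneMatch(RuleImplPatch.class::isInstance))`, and the commented-out stream over `RuleOpEnum.PATCH` plus the `/* 0 = {RuleImplOp@40767} ... */` debugger dump in the previous hunk should not land. The enclosing method starts and ends outside the hunk.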
@ -834,10 +834,17 @@ public class RuleBuilder implements IAuthRuleBuilder {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public IAuthRuleFinished allRequests() {
|
public IAuthRuleFinished allRequests() {
|
||||||
|
// LUKETODO: should we be building this simple ruleImplOp or should be we basing this off RuleImplOp?
|
||||||
BaseRule rule =
|
BaseRule rule =
|
||||||
new RuleImplPatch(myRuleName).setAllRequests(true).setMode(myRuleMode);
|
new RuleImplPatch(myRuleName).setAllRequests(true).setMode(myRuleMode);
|
||||||
|
// LUKETODO: HTTP 500 Server Error: HAPI-0335: Unable to apply security to event of type PATCH
|
||||||
|
RuleImplOp ruleImplOp = new RuleImplOp(myRuleName);
|
||||||
|
ruleImplOp.setMode(myRuleMode);
|
||||||
|
ruleImplOp.setOp(RuleOpEnum.PATCH);
|
||||||
|
ruleImplOp.setTransactionAppliesToOp(TransactionAppliesToEnum.ANY_OPERATION);
|
||||||
|
// myRules.add(ruleImplOp);
|
||||||
myRules.add(rule);
|
myRules.add(rule);
|
||||||
return new RuleBuilderFinished(rule);
|
return new RuleBuilderFinished(ruleImplOp);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
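Review bot: `return new RuleBuilderFinished(ruleImplOp);` hands the caller a finished builder over `ruleImplOp`, which is never registered (the `myRules.add(ruleImplOp);` line is commented out), while the rule actually added to `myRules` is the `RuleImplPatch` in `rule`. Anything the caller chains onto the returned builder would then presumably be applied to an object that is never evaluated, leaving the enforced rule unconstrained — a silent gap an authorization builder must not have. Either keep the previous `return new RuleBuilderFinished(rule);` and delete the four unused `ruleImplOp` lines, or register `ruleImplOp` instead of `rule`, but do not return one and enforce the other. The two LUKETODO lines and `// myRules.add(ruleImplOp);` should be resolved before this merges.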
@ -240,6 +240,7 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case PATCH:
|
case PATCH:
|
||||||
|
// LUKETODO: should we just short-circuit here and let the PATCH case decide this?
|
||||||
target.resource = null;
|
target.resource = null;
|
||||||
if (theInputResourceId != null) {
|
if (theInputResourceId != null) {
|
||||||
target.resourceIds = Collections.singletonList(theInputResourceId);
|
target.resourceIds = Collections.singletonList(theInputResourceId);
|
||||||
|
@ -348,6 +349,16 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
|
||||||
theRuleApplier);
|
theRuleApplier);
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
|
// case PATCH:
|
||||||
|
// // LUKETODO: ?
|
||||||
|
// // LUKETODO: do we need applies to types to correspond to
|
||||||
|
// target.resource = null;
|
||||||
|
// if (theInputResourceId != null) {
|
||||||
|
// target.resourceIds = Collections.singletonList(theInputResourceId);
|
||||||
|
// } else {
|
||||||
|
// return null;
|
||||||
|
// }
|
||||||
|
// break;
|
||||||
default:
|
default:
|
||||||
// Should not happen
|
// Should not happen
|
||||||
throw new IllegalStateException(
|
throw new IllegalStateException(
|
||||||
|
@ -959,6 +970,10 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public RuleOpEnum getOp() {
|
||||||
|
return myOp;
|
||||||
|
}
|
||||||
|
|
||||||
public void setAppliesTo(AppliesTypeEnum theAppliesTo) {
|
public void setAppliesTo(AppliesTypeEnum theAppliesTo) {
|
||||||
myAppliesTo = theAppliesTo;
|
myAppliesTo = theAppliesTo;
|
||||||
}
|
}
|
||||||
|
|
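Review bot: The commented-out `// case PATCH:` block between `return null;` and `default:` leaves this switch without a PATCH arm, so a `RuleImplOp` whose op was set to `RuleOpEnum.PATCH` (as the RuleBuilder hunk in this commit does) presumably falls into the `// Should not happen` default and throws the IllegalStateException, which would match the HAPI-0335 500 noted in the builder's LUKETODO. Either implement the case or drop the ten commented lines; commented-out code in an authorization switch is not something a reviewer can verify. The `// LUKETODO: ?` marker says nothing and should go. The enclosing method starts and ends outside the hunk.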