honeymoose
/
hapi-fhir
mirror of https://github.com/hapifhir/hapi-fhir.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

First stab at a solution

This commit is contained in:
Luke deGruchy 2024-03-11 17:27:15 -04:00
parent df047a9dea
commit b5ffb4068a
3 changed files with 52 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptor.java
View File

@ -159,6 +159,12 @@ public class AuthorizationInterceptor implements IRuleApplier {
rules = buildRuleList(theRequestDetails);
theRequestDetails.getUserData().put(myRequestRuleListKey, rules);
}
// LUKETODO: rules do not contain any reference to PATCH
/*
0 = {RuleImplOp@40767} "RuleImplOp[testers=<null>,op=TRANSACTION,transactionAppliesToOp=ANY_OPERATION,appliesTo=<null>,appliesToTypes=<null>,classifierCompartmentName=<null>,classifierCompartmentOwners=<null>,classifierType=<null>]"
1 = {RuleImplOp@40768} "RuleImplOp[testers=<null>,op=WRITE,transactionAppliesToOp=<null>,appliesTo=TYPES,appliesToTypes=[Patient],classifierCompartmentName=<null>,classifierCompartmentOwners=<null>,classifierType=ANY_ID]"
*/
Set<AuthorizationFlagsEnum> flags = getFlags();
ourLog.trace(
@ -168,7 +174,23 @@ public class AuthorizationInterceptor implements IRuleApplier {
getResourceTypeOrEmpty(theInputResource),
getResourceTypeOrEmpty(theOutputResource));
Verdict verdict = null;
// LUKETODO: try to just check for FHIR_PATCH if this is a FHIR_PATCH and if it's not there, then return a deny verdict
if (theOperation == RestOperationTypeEnum.PATCH) {
// if (rules.stream()
// .filter(RuleImplOp.class::isInstance)
// .map(RuleImplOp.class::cast)
// .noneMatch(rule -> rule.getOp() == RuleOpEnum.PATCH)) {
if (rules.stream()
.noneMatch(RuleImplPatch.class::isInstance)) {
// LUKETODO: this results in a 403 but is that what we want?
verdict = new Verdict(PolicyEnum.DENY, null);
}
}
if (verdict == null) {
for (IAuthRule nextRule : rules) {
ourLog.trace("Rule being applied - {}", nextRule);
verdict = nextRule.applyRule(
@ -185,6 +207,7 @@ public class AuthorizationInterceptor implements IRuleApplier {
break;
}
}
}
if (verdict == null) {
ourLog.trace("No rules returned a decision, applying default {}", myDefaultPolicy);

9
hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBuilder.java
View File

@ -834,10 +834,17 @@ public class RuleBuilder implements IAuthRuleBuilder {
@Override
public IAuthRuleFinished allRequests() {
// LUKETODO: should we be building this simple ruleImplOp or should be we basing this off RuleImplOp?
BaseRule rule =
new RuleImplPatch(myRuleName).setAllRequests(true).setMode(myRuleMode);
// LUKETODO: HTTP 500 Server Error: HAPI-0335: Unable to apply security to event of type PATCH
RuleImplOp ruleImplOp = new RuleImplOp(myRuleName);
ruleImplOp.setMode(myRuleMode);
ruleImplOp.setOp(RuleOpEnum.PATCH);
ruleImplOp.setTransactionAppliesToOp(TransactionAppliesToEnum.ANY_OPERATION);
// myRules.add(ruleImplOp);
myRules.add(rule);
return new RuleBuilderFinished(rule);
return new RuleBuilderFinished(ruleImplOp);
}
}

15
hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleImplOp.java
View File

@ -240,6 +240,7 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
}
break;
case PATCH:
// LUKETODO: should we just short-circuit here and let the PATCH case decide this?
target.resource = null;
if (theInputResourceId != null) {
target.resourceIds = Collections.singletonList(theInputResourceId);
@ -348,6 +349,16 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
theRuleApplier);
}
return null;
// case PATCH:
// // LUKETODO: ?
// // LUKETODO: do we need applies to types to correspond to
// target.resource = null;
// if (theInputResourceId != null) {
// target.resourceIds = Collections.singletonList(theInputResourceId);
// } else {
// return null;
// }
// break;
default:
// Should not happen
throw new IllegalStateException(
@ -959,6 +970,10 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
return false;
}
public RuleOpEnum getOp() {
return myOp;
}
public void setAppliesTo(AppliesTypeEnum theAppliesTo) {
myAppliesTo = theAppliesTo;
}