Test formatting only

This commit is contained in:
jamesagnew 2017-11-22 19:22:32 -05:00
parent 3aebfb575a
commit be76b90e7a
1 changed files with 132 additions and 131 deletions


@ -1,39 +1,39 @@
package ca.uhn.fhir.jpa.provider.dstu3; package ca.uhn.fhir.jpa.provider.dstu3;
import ca.uhn.fhir.model.primitive.IdDt;
import ca.uhn.fhir.rest.api.Constants; import ca.uhn.fhir.rest.api.Constants;
import ca.uhn.fhir.rest.api.MethodOutcome;
import static org.hamcrest.Matchers.startsWith; import ca.uhn.fhir.rest.api.server.RequestDetails;
import static org.junit.Assert.*; import ca.uhn.fhir.rest.server.exceptions.ForbiddenOperationException;
import ca.uhn.fhir.rest.server.interceptor.IServerInterceptor;
import ca.uhn.fhir.rest.server.interceptor.auth.AuthorizationInterceptor;
import ca.uhn.fhir.rest.server.interceptor.auth.IAuthRule;
import ca.uhn.fhir.rest.server.interceptor.auth.PolicyEnum;
import ca.uhn.fhir.rest.server.interceptor.auth.RuleBuilder;
import ca.uhn.fhir.util.TestUtil;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpDelete;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.hl7.fhir.dstu3.model.IdType;
import org.hl7.fhir.dstu3.model.Observation;
import org.hl7.fhir.dstu3.model.Observation.ObservationStatus;
import org.hl7.fhir.dstu3.model.Patient;
import org.hl7.fhir.dstu3.model.Reference;
import org.hl7.fhir.instance.model.api.IIdType;
import org.junit.AfterClass;
import org.junit.Test;
import java.io.IOException; import java.io.IOException;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import org.apache.http.client.methods.*; import static org.hamcrest.Matchers.startsWith;
import org.apache.http.entity.ContentType; import static org.junit.Assert.*;
import org.apache.http.entity.StringEntity;
import org.hl7.fhir.dstu3.model.*;
import org.hl7.fhir.dstu3.model.Observation.ObservationStatus;
import org.hl7.fhir.instance.model.api.IIdType;
import org.junit.AfterClass;
import org.junit.Test;
import ca.uhn.fhir.model.primitive.IdDt;
import ca.uhn.fhir.rest.api.MethodOutcome;
import ca.uhn.fhir.rest.api.server.RequestDetails;
import ca.uhn.fhir.rest.server.exceptions.ForbiddenOperationException;
import ca.uhn.fhir.rest.server.interceptor.IServerInterceptor;
import ca.uhn.fhir.rest.server.interceptor.auth.*;
import ca.uhn.fhir.util.TestUtil;
public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResourceProviderDstu3Test { public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResourceProviderDstu3Test {
@AfterClass
public static void afterClassClearContext() {
TestUtil.clearAllStaticFieldsForUnitTest();
}
@Override @Override
public void before() throws Exception { public void before() throws Exception {
super.before(); super.before();
@ -41,96 +41,66 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
unregisterInterceptors(); unregisterInterceptors();
} }
private void unregisterInterceptors() {
for (IServerInterceptor next : new ArrayList<IServerInterceptor>(ourRestServer.getInterceptors())) {
if (next instanceof AuthorizationInterceptor) {
ourRestServer.unregisterInterceptor(next);
}
}
}
/** /**
* See #503 * See #667
*/ */
@Test @Test
public void testDeleteIsBlocked() { public void testBlockUpdatingPatientUserDoesnNotHaveAccessTo() throws IOException {
Patient pt1 = new Patient();
pt1.setActive(true);
final IIdType pid1 = ourClient.create().resource(pt1).execute().getId().toUnqualifiedVersionless();
Patient pt2 = new Patient();
pt2.setActive(false);
final IIdType pid2 = ourClient.create().resource(pt2).execute().getId().toUnqualifiedVersionless();
ourRestServer.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) { ourRestServer.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
@Override @Override
public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) { public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
return new RuleBuilder() return new RuleBuilder()
.deny().delete().allResources().withAnyId().andThen() .allow().write().allResources().inCompartment("Patient", pid1).andThen()
.allowAll() .build();
.build();
} }
}); });
Patient patient = new Patient();
patient.addIdentifier().setSystem("http://uhn.ca/mrns").setValue("100");
patient.addName().setFamily("Tester").addGiven("Raghad");
IIdType id = ourClient.create().resource(patient).execute().getId();
try { Observation obs = new Observation();
ourClient.delete().resourceById(id.toUnqualifiedVersionless()).execute(); obs.setStatus(ObservationStatus.FINAL);
fail(); obs.setSubject(new Reference(pid1));
} catch (ForbiddenOperationException e) { IIdType oid = ourClient.create().resource(obs).execute().getId().toUnqualified();
// good
}
patient = ourClient.read().resource(Patient.class).withId(id.toUnqualifiedVersionless()).execute();
assertEquals(id.getValue(), patient.getId());
}
/**
* See #503 #751 unregisterInterceptors();
*/
@Test
public void testDeleteIsAllowedForCompartment() {
Patient patient = new Patient();
patient.addIdentifier().setSystem("http://uhn.ca/mrns").setValue("100");
patient.addName().setFamily("Tester").addGiven("Raghad");
final IIdType id = ourClient.create().resource(patient).execute().getId();
Observation obsInCompartment = new Observation();
obsInCompartment.setStatus(ObservationStatus.FINAL);
obsInCompartment.getSubject().setReferenceElement(id.toUnqualifiedVersionless());
IIdType obsInCompartmentId = ourClient.create().resource(obsInCompartment).execute().getId().toUnqualifiedVersionless();
// create a 2nd observation to be deleted by url Observation?patient=id
ourClient.create().resource(obsInCompartment).execute().getId().toUnqualifiedVersionless();
Observation obsNotInCompartment = new Observation();
obsNotInCompartment.setStatus(ObservationStatus.FINAL);
IIdType obsNotInCompartmentId = ourClient.create().resource(obsNotInCompartment).execute().getId().toUnqualifiedVersionless();
ourRestServer.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) { ourRestServer.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
@Override @Override
public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) { public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
return new RuleBuilder() return new RuleBuilder()
.allow().delete().resourcesOfType(Observation.class).inCompartment("Patient", id).andThen() .allow().write().allResources().inCompartment("Patient", pid2).andThen()
.deny().delete().allResources().withAnyId().andThen() .build();
.allowAll()
.build();
} }
}); });
ourClient.delete().resourceById(obsInCompartmentId.toUnqualifiedVersionless()).execute(); /*
ourClient.delete().resourceConditionalByUrl("Observation?patient=" + id.toUnqualifiedVersionless()).execute(); * Try to update to a new patient. The user has access to write to things in
* pid2's compartment, so this would normally be ok, but in this case they are overwriting
* a resource that is already in pid1's compartment, which shouldn't be allowed.
*/
obs = new Observation();
obs.setId(oid);
obs.setStatus(ObservationStatus.FINAL);
obs.setSubject(new Reference(pid2));
try { try {
ourClient.delete().resourceById(obsNotInCompartmentId.toUnqualifiedVersionless()).execute(); ourClient.update().resource(obs).execute();
fail(); fail();
} catch (ForbiddenOperationException e) { } catch (ForbiddenOperationException e) {
// good // good
} }
} }
@Test @Test
public void testCreateConditional() { public void testCreateConditional() {
Patient patient = new Patient(); Patient patient = new Patient();
patient.addIdentifier().setSystem("http://uhn.ca/mrns").setValue("100"); patient.addIdentifier().setSystem("http://uhn.ca/mrns").setValue("100");
patient.addName().setFamily("Tester").addGiven("Raghad"); patient.addName().setFamily("Tester").addGiven("Raghad");
@ -139,15 +109,13 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
ourRestServer.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) { ourRestServer.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
@Override @Override
public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) { public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
//@formatter:off
return new RuleBuilder() return new RuleBuilder()
.allow("Rule 2").write().allResources().inCompartment("Patient", new IdDt("Patient/" + output1.getId().getIdPart())).andThen() .allow("Rule 2").write().allResources().inCompartment("Patient", new IdDt("Patient/" + output1.getId().getIdPart())).andThen()
.allow().updateConditional().allResources() .allow().updateConditional().allResources()
.build(); .build();
//@formatter:on
} }
}); });
patient = new Patient(); patient = new Patient();
patient.setId(output1.getId().toUnqualifiedVersionless()); patient.setId(output1.getId().toUnqualifiedVersionless());
patient.addIdentifier().setSystem("http://uhn.ca/mrns").setValue("100"); patient.addIdentifier().setSystem("http://uhn.ca/mrns").setValue("100");
@ -155,7 +123,7 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
MethodOutcome output2 = ourClient.update().resource(patient).conditionalByUrl("Patient?identifier=http://uhn.ca/mrns|100").execute(); MethodOutcome output2 = ourClient.update().resource(patient).conditionalByUrl("Patient?identifier=http://uhn.ca/mrns|100").execute();
assertEquals(output1.getId().getIdPart(), output2.getId().getIdPart()); assertEquals(output1.getId().getIdPart(), output2.getId().getIdPart());
patient = new Patient(); patient = new Patient();
patient.addIdentifier().setSystem("http://uhn.ca/mrns").setValue("100"); patient.addIdentifier().setSystem("http://uhn.ca/mrns").setValue("100");
patient.addName().setFamily("Tester").addGiven("Raghad"); patient.addName().setFamily("Tester").addGiven("Raghad");
@ -180,62 +148,82 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
} }
/** /**
* See #667 * See #503 #751
*/ */
@Test @Test
public void testBlockUpdatingPatientUserDoesnNotHaveAccessTo() throws IOException { public void testDeleteIsAllowedForCompartment() {
Patient pt1 = new Patient();
pt1.setActive(true);
final IIdType pid1 = ourClient.create().resource(pt1).execute().getId().toUnqualifiedVersionless();
Patient pt2 = new Patient(); Patient patient = new Patient();
pt2.setActive(false); patient.addIdentifier().setSystem("http://uhn.ca/mrns").setValue("100");
final IIdType pid2 = ourClient.create().resource(pt2).execute().getId().toUnqualifiedVersionless(); patient.addName().setFamily("Tester").addGiven("Raghad");
final IIdType id = ourClient.create().resource(patient).execute().getId();
Observation obsInCompartment = new Observation();
obsInCompartment.setStatus(ObservationStatus.FINAL);
obsInCompartment.getSubject().setReferenceElement(id.toUnqualifiedVersionless());
IIdType obsInCompartmentId = ourClient.create().resource(obsInCompartment).execute().getId().toUnqualifiedVersionless();
// create a 2nd observation to be deleted by url Observation?patient=id
ourClient.create().resource(obsInCompartment).execute().getId().toUnqualifiedVersionless();
Observation obsNotInCompartment = new Observation();
obsNotInCompartment.setStatus(ObservationStatus.FINAL);
IIdType obsNotInCompartmentId = ourClient.create().resource(obsNotInCompartment).execute().getId().toUnqualifiedVersionless();
ourRestServer.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) { ourRestServer.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
@Override @Override
public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) { public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
return new RuleBuilder() return new RuleBuilder()
.allow().write().allResources().inCompartment("Patient", pid1).andThen() .allow().delete().resourcesOfType(Observation.class).inCompartment("Patient", id).andThen()
.deny().delete().allResources().withAnyId().andThen()
.allowAll()
.build(); .build();
} }
}); });
Observation obs = new Observation();
obs.setStatus(ObservationStatus.FINAL);
obs.setSubject(new Reference(pid1));
IIdType oid = ourClient.create().resource(obs).execute().getId().toUnqualified();
ourClient.delete().resourceById(obsInCompartmentId.toUnqualifiedVersionless()).execute();
unregisterInterceptors(); ourClient.delete().resourceConditionalByUrl("Observation?patient=" + id.toUnqualifiedVersionless()).execute();
ourRestServer.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
@Override
public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
return new RuleBuilder()
.allow().write().allResources().inCompartment("Patient", pid2).andThen()
.build();
}
});
/*
* Try to update to a new patient. The user has access to write to things in
* pid2's compartment, so this would normally be ok, but in this case they are overwriting
* a resource that is already in pid1's compartment, which shouldn't be allowed.
*/
obs = new Observation();
obs.setId(oid);
obs.setStatus(ObservationStatus.FINAL);
obs.setSubject(new Reference(pid2));
try { try {
ourClient.update().resource(obs).execute(); ourClient.delete().resourceById(obsNotInCompartmentId.toUnqualifiedVersionless()).execute();
fail(); fail();
} catch (ForbiddenOperationException e) { } catch (ForbiddenOperationException e) {
// good // good
} }
} }
/**
* See #503
*/
@Test
public void testDeleteIsBlocked() {
ourRestServer.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
@Override
public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
return new RuleBuilder()
.deny().delete().allResources().withAnyId().andThen()
.allowAll()
.build();
}
});
Patient patient = new Patient();
patient.addIdentifier().setSystem("http://uhn.ca/mrns").setValue("100");
patient.addName().setFamily("Tester").addGiven("Raghad");
IIdType id = ourClient.create().resource(patient).execute().getId();
try {
ourClient.delete().resourceById(id.toUnqualifiedVersionless()).execute();
fail();
} catch (ForbiddenOperationException e) {
// good
}
patient = ourClient.read().resource(Patient.class).withId(id.toUnqualifiedVersionless()).execute();
assertEquals(id.getValue(), patient.getId());
}
@Test @Test
public void testDeleteResourceConditional() throws IOException { public void testDeleteResourceConditional() throws IOException {
String methodName = "testDeleteResourceConditional"; String methodName = "testDeleteResourceConditional";
@ -284,7 +272,7 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
//@formatter:on //@formatter:on
} }
}); });
HttpDelete delete = new HttpDelete(ourServerBase + "/Patient?name=" + methodName); HttpDelete delete = new HttpDelete(ourServerBase + "/Patient?name=" + methodName);
response = ourHttpClient.execute(delete); response = ourHttpClient.execute(delete);
try { try {
@ -303,4 +291,17 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
} }
private void unregisterInterceptors() {
for (IServerInterceptor next : new ArrayList<IServerInterceptor>(ourRestServer.getInterceptors())) {
if (next instanceof AuthorizationInterceptor) {
ourRestServer.unregisterInterceptor(next);
}
}
}
@AfterClass
public static void afterClassClearContext() {
TestUtil.clearAllStaticFieldsForUnitTest();
}
} }
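Review bot: `testBlockUpdatingPatientUserDoesnNotHaveAccessTo` asserts only that the cross-compartment update throws `ForbiddenOperationException`; it never confirms that the denied write left the Observation's subject pointing at pid1, whereas `testDeleteIsBlocked` does read the Patient back after its forbidden delete. Since the point of this test is that an existing resource must not be moved out of a compartment the user lacks access to, a read-back after the catch block would pin that: `obs = ourClient.read().resource(Observation.class).withId(oid.toUnqualifiedVersionless()).execute();` `assertEquals(pid1.getValue(), obs.getSubject().getReference());` (assuming the server stores the reference in the same unqualified-versionless form the test used). This section prints old and new side merged on each line, so the suggestion is based on the new-side text of the moved method.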