From 0677f3584731bfe0cde3f531da11dbffc66395ff Mon Sep 17 00:00:00 2001
From: James Agnew
Date: Tue, 23 Jan 2018 11:32:35 -0500
Subject: [PATCH] Implement tenant ID checking in authorizationinterceptor
---
 .../server/interceptor/auth/RuleBuilder.java | 20 ++++++++++++++-----
 .../AuthorizationInterceptorR4Test.java | 3 ++-
 2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBuilder.java b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBuilder.java
index 728f23a8b9d..2fb762223a6 100644
--- a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBuilder.java
+++ b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBuilder.java
@@ -131,19 +131,23 @@ public class RuleBuilder implements IAuthRuleBuilder {
 @Override
 public IAuthRuleBuilderRuleOpClassifierFinishedWithTenantId forTenantIds(final Collection theTenantIds) {
- myTenantApplicabilityChecker = new ITenantApplicabilityChecker(){
+ setTenantApplicabilityChecker(new ITenantApplicabilityChecker() {
 @Override
 public boolean applies(RequestDetails theRequest) {
 return theTenantIds.contains(theRequest.getTenantId());
 }
- };
+ });
+ return this;
+ }
+
+ private void setTenantApplicabilityChecker(ITenantApplicabilityChecker theTenantApplicabilityChecker) {
+ myTenantApplicabilityChecker = theTenantApplicabilityChecker;
 if (myOpRule != null) {
 myOpRule.setTenantApplicabilityChecker(myTenantApplicabilityChecker);
 }
 if (myOperationRule != null) {
 myOperationRule.setTenentApplicabilityChecker(myTenantApplicabilityChecker);
 }
- return this;
 }
 @Override
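Review bot: In `forTenantIds` the anonymous checker captures the caller's `theTenantIds` by reference and first dereferences it when a request is evaluated, so a null argument fails at request time rather than when the rule is built, and any later change to that collection silently changes the authorization decision. Consider rejecting null and copying the collection before creating the checker, e.g. `final Collection tenantIds = new HashSet<>(theTenantIds);` (assuming `HashSet` is or can be imported), and using the copy inside `applies`; the same holds for `notForTenantIds` in the next hunk. The new private `setTenantApplicabilityChecker` could also carry a one-line comment such as `// Propagate the checker to whichever rule object has already been created`.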
@@ -152,8 +156,14 @@ public class RuleBuilder implements IAuthRuleBuilder {
 }
 @Override
- public IAuthRuleBuilderRuleOpClassifierFinishedWithTenantId notForTenantIds(Collection theTenantIds) {
- return null;// TODO: implement method body
+ public IAuthRuleBuilderRuleOpClassifierFinishedWithTenantId notForTenantIds(final Collection theTenantIds) {
+ setTenantApplicabilityChecker(new ITenantApplicabilityChecker() {
+ @Override
+ public boolean applies(RequestDetails theRequest) {
+ return !theTenantIds.contains(theRequest.getTenantId());
+ }
+ });
+ return this;
 }
 }
diff --git a/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/AuthorizationInterceptorR4Test.java b/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/AuthorizationInterceptorR4Test.java
index 0638be2e46a..5f97f9e0e92 100644
--- a/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/AuthorizationInterceptorR4Test.java
+++ b/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/AuthorizationInterceptorR4Test.java
@@ -609,6 +609,7 @@ public class AuthorizationInterceptorR4Test {
 */
 @Test
 public void testDenyActionsNotOnTenant() throws Exception {
+ ourServlet.setTenantIdentificationStrategy(new UrlBaseTenantIdentificationStrategy());
 ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.ALLOW) {
 @Override
 public List buildRuleList(RequestDetails theRequestDetails) {
@@ -634,7 +635,7 @@ public class AuthorizationInterceptorR4Test {
 status = ourClient.execute(httpGet);
 response = extractResponseAndClose(status);
 ourLog.info(response);
- assertThat(response, containsString("Access denied by default policy (no applicable rules)"));
+ assertThat(response, containsString("Access denied by rule: (unnamed rule)"));
 assertEquals(403, status.getStatusLine().getStatusCode());
 assertFalse(ourHitMethod);
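Review bot: `notForTenantIds` in RuleBuilder.java treats a request that carries no tenant ID as a match: if `theRequest.getTenantId()` can return null (the test in this commit has to configure a tenant identification strategy, which suggests it can), `!theTenantIds.contains(null)` is true and the rule applies to untenanted requests, which for an allow rule means access is granted. If that is not the intended policy, make it explicit with `String tenantId = theRequest.getTenantId();` and `return tenantId != null && !theTenantIds.contains(tenantId);`; otherwise state the chosen behaviour in the method's Javadoc. Some collection implementations also throw `NullPointerException` from `contains(null)`, which would turn this check into a request-time error instead of an authorization verdict.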
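Review bot: `testDenyActionsNotOnTenant` in AuthorizationInterceptorR4Test.java now installs a `UrlBaseTenantIdentificationStrategy` on `ourServlet`, which by its name and use appears to be shared between tests; unless it is reset in setup or teardown code outside this hunk, every later test runs with tenant-based URL handling enabled. Consider restoring the previous state in the existing cleanup, for example `ourServlet.setTenantIdentificationStrategy(null);` if the setter accepts null. The test also covers only the deny path with a tenant present; a case for a request with no tenant ID and one for an allow rule built with `notForTenantIds` would pin down the behaviour of the new negated check. The test method's body continues outside the hunk.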