update authorization interceptor to be compatible with new security a… (
ArtyomyuS authored Oct 23, 2024
2 parents 4397934 + c088672 commit 2c274f4
Showing 10 changed files with 53 additions and 180 deletions.
@@ -1,5 +1,6 @@
package earth.angelson.security;

import ca.uhn.fhir.rest.server.interceptor.auth.RuleBuilder;
import earth.angelson.security.cache.TokenCacheService;
import ca.uhn.fhir.rest.api.server.RequestDetails;
import ca.uhn.fhir.rest.server.interceptor.auth.IAuthRule;
Expand All @@ -10,16 +11,23 @@
public class AuthorizationInterceptor extends ca.uhn.fhir.rest.server.interceptor.auth.AuthorizationInterceptor {

private final TokenCacheService tokenCacheService;
private final List<String> allowedUrls;

public AuthorizationInterceptor(TokenCacheService tokenCacheService) {
public AuthorizationInterceptor(TokenCacheService tokenCacheService, List<String> allowedUrls) {
this.tokenCacheService = tokenCacheService;
this.allowedUrls = allowedUrls;
}

@Override
public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
String authHeader = theRequestDetails.getHeader("Authorization");

//todo if service return empty unauthorized request 403
for (String url : allowedUrls) {
if (theRequestDetails.getCompleteUrl().contains(url)) {
return new RuleBuilder().allowAll().build();
}
}

return tokenCacheService.getData(authHeader);
}
}
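Review bot: The bypass check on L40 matches with `getCompleteUrl().contains(url)`, so any request whose full URL contains an allow-list entry anywhere — including inside a query string — gets `allowAll()` without the token ever being checked; match against the request path instead, e.g. `String path = theRequestDetails.getRequestPath();` and `if (!url.isBlank() && path.startsWith(url)) {`. The blank guard matters because `String.contains("")` is true for every string, and the SpEL `split(',')` in SecurityConfiguration (third file section) turns an empty `security.service.allowed-urls` property into `[""]`, which would disable authorization for every request. The `//todo` on L38 should also be resolved or turned into a real comment before this ships, since the fallthrough on L45 still returns whatever the cache service gives back for a missing header.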
43 changes: 12 additions & 31 deletions src/main/java/earth/angelson/security/cache/TokenCacheService.java
@@ -1,9 +1,9 @@
package earth.angelson.security.cache;


import earth.angelson.security.dto.RoleAttachmentsDTO;
import ca.uhn.fhir.rest.server.interceptor.auth.IAuthRule;
import ca.uhn.fhir.rest.server.interceptor.auth.RuleBuilder;
import earth.angelson.security.dto.UserRoleAttachmentsDTO;
import org.springframework.cache.annotation.Cacheable;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
Expand All @@ -29,43 +29,24 @@ public List<IAuthRule> getData(String token) {
headers.set("Authorization", token);

// Create HttpEntity with headers
HttpEntity<RoleAttachmentsDTO> entity = new HttpEntity<>(headers);
HttpEntity<UserRoleAttachmentsDTO> entity = new HttpEntity<>(headers);

ResponseEntity<RoleAttachmentsDTO> response =
restTemplate.exchange(url, HttpMethod.GET, entity, RoleAttachmentsDTO.class);
ResponseEntity<UserRoleAttachmentsDTO> response =
restTemplate.exchange(url, HttpMethod.GET, entity, UserRoleAttachmentsDTO.class);


if (response.getBody() != null) {
var builder = new RuleBuilder().build();
var role = response.getBody();
role.getRoles().stream().forEach(roleWithRuleDTO -> {
roleWithRuleDTO.getRules().forEach(rule -> {
switch (rule.getOperation()) {
case "READ": {
builder.addAll(new RuleBuilder()
.allow()
.read()
.allResources()
.withAnyId()
.build());
break;
}
case "WRITE": {
builder.addAll(new RuleBuilder()
.allow()
.write()
.allResources()
.withAnyId()
.build());
break;
}
case "ALL": {
builder.addAll(new RuleBuilder().allowAll().build());
break;
}
var userInfo = response.getBody();

userInfo.user().roles().forEach(role -> {
switch (role.name().toUpperCase()) {
case "ADMIN", "PRACTITIONER", "OPERATOR": {
builder.addAll(new RuleBuilder().allowAll().build());
break;
}
}

});
});
return builder;
}
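Review bot: `role.name().toUpperCase()` on L105 uses the JVM default locale, so under a Turkish locale "practitioner" upper-cases to a string that no longer equals `"PRACTITIONER"` and the user silently ends up with no rules; use `switch (role.name().toUpperCase(Locale.ROOT)) {` and add `import java.util.Locale;`. A role name outside the three listed on L106 likewise adds nothing, which only denies the request because of the interceptor's default policy (DENY unless `setDefaultPolicy` was changed elsewhere) — put that in a comment above the switch, e.g. `// roles not listed here add no rules; the interceptor's default policy then rejects the request`. The local on L75 is a `List<IAuthRule>`, not a builder, so `rules` would be a clearer name than `builder`. getData starts before this hunk and continues after it.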
Expand Up @@ -10,24 +10,28 @@
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.util.List;
import java.util.concurrent.TimeUnit;

@EnableCaching
@Configuration
public class SecurityConfiguration {


@Value("${security.service.url:http://localhost:8081/account/info}")
@Value("${security.service.url:http://localhost:8090/account/info}")
private String securityServiceUrl;

@Value("#{'${security.service.allowed-urls:swagger-ui,api-docs}'.split(',')}")
private List<String> allowedUrls;

@Bean
public TokenCacheService tokenCacheService() {
return new TokenCacheService(securityServiceUrl);
}

@Bean
public AuthorizationInterceptor authorizationInterceptor(TokenCacheService tokenCacheService) {
return new AuthorizationInterceptor(tokenCacheService);
return new AuthorizationInterceptor(tokenCacheService, allowedUrls);
}

@Bean
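Review bot: The SpEL expression on L134 splits the raw property on `,` without trimming, so `swagger-ui, api-docs` yields the entry ` api-docs`, and an empty property value yields the one-element list `[""]` rather than an empty list. As far as I recall Spring's conversion service already turns a comma-separated property into a `List<String>`, trimming each element and mapping an empty value to an empty list, so `@Value("${security.service.allowed-urls:swagger-ui,api-docs}")` on its own should be enough — please confirm against the Spring version in use. The default on L131 is a plain `http://` URL, and TokenCacheService.getData forwards the caller's Authorization header to it, so a one-line comment on the property stating that non-local deployments must point it at an https endpoint would help whoever overrides it.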
33 changes: 0 additions & 33 deletions src/main/java/earth/angelson/security/dto/RoleAttachmentsDTO.java

This file was deleted.

7 changes: 7 additions & 0 deletions src/main/java/earth/angelson/security/dto/RoleDTO.java
@@ -0,0 +1,7 @@
package earth.angelson.security.dto;

import java.util.UUID;

public record RoleDTO(UUID id, String name) {
}

43 changes: 0 additions & 43 deletions src/main/java/earth/angelson/security/dto/RoleWithRuleDTO.java

This file was deleted.

66 changes: 0 additions & 66 deletions src/main/java/earth/angelson/security/dto/RuleDTO.java

This file was deleted.

8 changes: 8 additions & 0 deletions src/main/java/earth/angelson/security/dto/UserDTO.java
@@ -0,0 +1,8 @@
package earth.angelson.security.dto;

import java.util.Set;
import java.util.UUID;

public record UserDTO(UUID id, String practitionerId, String organizationId, String firstName, String lastName, String username,
String password, boolean enabled, Set<RoleDTO> roles) {
}
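Review bot: The record declares a `password` component on L181 that nothing in this commit reads — TokenCacheService.getData only touches `user().roles()` — yet it is deserialized from the account-service response and would be printed by the record's generated `toString()` if the DTO is ever logged. Drop the component so the security module never holds credential material it does not need; the account service can keep sending the field as long as the RestTemplate's ObjectMapper ignores unknown properties, which Spring's default Jackson builder does. If it has to stay for some other consumer, override `toString` to mask it.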
@@ -0,0 +1,7 @@
package earth.angelson.security.dto;

import java.util.Set;

public record UserRoleAttachmentsDTO(UserDTO user, Set<Object> attachments) {
}

6 changes: 3 additions & 3 deletions src/main/resources/application.yaml
Expand Up @@ -168,7 +168,7 @@ hapi:
# allowed_bundle_types: COLLECTION,DOCUMENT,MESSAGE,TRANSACTION,TRANSACTIONRESPONSE,BATCH,BATCHRESPONSE,HISTORY,SEARCHSET
# allow_cascading_deletes: true
# allow_contains_searches: true
# allow_external_references: true
allow_external_references: true
# allow_multiple_delete: true
# allow_override_default_search_params: true
# auto_create_placeholder_reference_targets: false
Expand Down Expand Up @@ -236,8 +236,8 @@ hapi:
# comma-separated list of fully qualified interceptor classes.
# classes listed here will be fetched from the Spring context when combined with 'custom-bean-packages',
# or will be instantiated via reflection using an no-arg contructor; then registered with the server
#custom-interceptor-classes:

custom-interceptor-classes:
- earth.angelson.security.AuthorizationInterceptor
# comma-separated list of fully qualified provider classes.
# classes listed here will be fetched from the Spring context when combined with 'custom-bean-packages',
# or will be instantiated via reflection using an no-arg contructor; then registered with the server
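Review bot: Registering `earth.angelson.security.AuthorizationInterceptor` under `custom-interceptor-classes` on L209-210 depends on the class being found in the Spring context; the comment directly above says classes not found there are instantiated by reflection through a no-arg constructor, and the interceptor now only has a two-argument constructor, so startup would fail in that case. The `custom-bean-packages` setting is not in this hunk — please confirm it covers `earth.angelson.security`. Separately, switching `allow_external_references` to `true` on L199 is unrelated to the authorization change the commit describes and carries no explanation; add a comment such as `# enabled because <reason — fill in>` or move it to its own commit.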
