angels-on-earth · ArtyomyuS · Oct 23, 2024 · Oct 11, 2024
diff --git a/src/main/java/earth/angelson/security/AuthorizationInterceptor.java b/src/main/java/earth/angelson/security/AuthorizationInterceptor.java
@@ -1,5 +1,6 @@
 package earth.angelson.security;
 
+import ca.uhn.fhir.rest.server.interceptor.auth.RuleBuilder;
 import earth.angelson.security.cache.TokenCacheService;
 import ca.uhn.fhir.rest.api.server.RequestDetails;
 import ca.uhn.fhir.rest.server.interceptor.auth.IAuthRule;
@@ -10,16 +11,23 @@
 public class AuthorizationInterceptor extends ca.uhn.fhir.rest.server.interceptor.auth.AuthorizationInterceptor {
 
 	private final TokenCacheService tokenCacheService;
+	private final List<String> allowedUrls;
 
-	public AuthorizationInterceptor(TokenCacheService tokenCacheService) {
+	public AuthorizationInterceptor(TokenCacheService tokenCacheService, List<String> allowedUrls) {
 		this.tokenCacheService = tokenCacheService;
+		this.allowedUrls = allowedUrls;
 	}
 
 	@Override
 	public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
 		String authHeader = theRequestDetails.getHeader("Authorization");
 
-		//todo if service return empty unauthorized request 403
+		for (String url : allowedUrls) {
+			if (theRequestDetails.getCompleteUrl().contains(url)) {
+				return new RuleBuilder().allowAll().build();
+			}
+		}
+
 		return tokenCacheService.getData(authHeader);
 	}
 }
diff --git a/src/main/java/earth/angelson/security/cache/TokenCacheService.java b/src/main/java/earth/angelson/security/cache/TokenCacheService.java
@@ -1,9 +1,9 @@
 package earth.angelson.security.cache;
 
 
-import earth.angelson.security.dto.RoleAttachmentsDTO;
 import ca.uhn.fhir.rest.server.interceptor.auth.IAuthRule;
 import ca.uhn.fhir.rest.server.interceptor.auth.RuleBuilder;
+import earth.angelson.security.dto.UserRoleAttachmentsDTO;
 import org.springframework.cache.annotation.Cacheable;
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
@@ -29,43 +29,24 @@ public List<IAuthRule> getData(String token) {
 		headers.set("Authorization", token);
 
 		// Create HttpEntity with headers
-		HttpEntity<RoleAttachmentsDTO> entity = new HttpEntity<>(headers);
+		HttpEntity<UserRoleAttachmentsDTO> entity = new HttpEntity<>(headers);
 
-		ResponseEntity<RoleAttachmentsDTO> response =
-			restTemplate.exchange(url, HttpMethod.GET, entity, RoleAttachmentsDTO.class);
+		ResponseEntity<UserRoleAttachmentsDTO> response =
+			restTemplate.exchange(url, HttpMethod.GET, entity, UserRoleAttachmentsDTO.class);
 
 
 		if (response.getBody() != null) {
 			var builder = new RuleBuilder().build();
-			var role = response.getBody();
-			role.getRoles().stream().forEach(roleWithRuleDTO -> {
-				roleWithRuleDTO.getRules().forEach(rule -> {
-					switch (rule.getOperation()) {
-						case "READ": {
-							builder.addAll(new RuleBuilder()
-								.allow()
-								.read()
-								.allResources()
-								.withAnyId()
-								.build());
-							break;
-						}
-						case "WRITE": {
-							builder.addAll(new RuleBuilder()
-								.allow()
-								.write()
-								.allResources()
-								.withAnyId()
-								.build());
-							break;
-						}
-						case "ALL": {
-							builder.addAll(new RuleBuilder().allowAll().build());
-							break;
-						}
+			var userInfo = response.getBody();
+
+			userInfo.user().roles().forEach(role -> {
+				switch (role.name().toUpperCase()) {
+					case "ADMIN", "PRACTITIONER", "OPERATOR": {
+						builder.addAll(new RuleBuilder().allowAll().build());
+						break;
 					}
+				}
 
-				});
 			});
 			return builder;
 		}

diff --git a/src/main/java/earth/angelson/security/config/SecurityConfiguration.java b/src/main/java/earth/angelson/security/config/SecurityConfiguration.java
@@ -10,24 +10,28 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 
+import java.util.List;
 import java.util.concurrent.TimeUnit;
 
 @EnableCaching
 @Configuration
 public class SecurityConfiguration {
 
 
-	@Value("${security.service.url:http://localhost:8081/account/info}")
+	@Value("${security.service.url:http://localhost:8090/account/info}")
 	private String securityServiceUrl;
 
+	@Value("#{'${security.service.allowed-urls:swagger-ui,api-docs}'.split(',')}")
+	private List<String> allowedUrls;
+
 	@Bean
 	public TokenCacheService tokenCacheService() {
 		return new TokenCacheService(securityServiceUrl);
 	}
 
 	@Bean
 	public AuthorizationInterceptor authorizationInterceptor(TokenCacheService tokenCacheService) {
-		return new AuthorizationInterceptor(tokenCacheService);
+		return new AuthorizationInterceptor(tokenCacheService, allowedUrls);
 	}
 
 	@Bean

diff --git a/src/main/java/earth/angelson/security/dto/RoleAttachmentsDTO.java b/src/main/java/earth/angelson/security/dto/RoleAttachmentsDTO.java
diff --git a/src/main/java/earth/angelson/security/dto/RoleDTO.java b/src/main/java/earth/angelson/security/dto/RoleDTO.java
@@ -0,0 +1,7 @@
+package earth.angelson.security.dto;
+
+import java.util.UUID;
+
+public record RoleDTO(UUID id, String name) {
+}
+
diff --git a/src/main/java/earth/angelson/security/dto/RoleWithRuleDTO.java b/src/main/java/earth/angelson/security/dto/RoleWithRuleDTO.java
diff --git a/src/main/java/earth/angelson/security/dto/RuleDTO.java b/src/main/java/earth/angelson/security/dto/RuleDTO.java
diff --git a/src/main/java/earth/angelson/security/dto/UserDTO.java b/src/main/java/earth/angelson/security/dto/UserDTO.java
@@ -0,0 +1,8 @@
+package earth.angelson.security.dto;
+
+import java.util.Set;
+import java.util.UUID;
+
+public record UserDTO(UUID id, String practitionerId, String organizationId, String firstName, String lastName, String username,
+							 String password, boolean enabled, Set<RoleDTO> roles) {
+}
diff --git a/src/main/java/earth/angelson/security/dto/UserRoleAttachmentsDTO.java b/src/main/java/earth/angelson/security/dto/UserRoleAttachmentsDTO.java
@@ -0,0 +1,7 @@
+package earth.angelson.security.dto;
+
+import java.util.Set;
+
+public record UserRoleAttachmentsDTO(UserDTO user, Set<Object> attachments) {
+}
+
diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml
@@ -168,7 +168,7 @@ hapi:
     #    allowed_bundle_types: COLLECTION,DOCUMENT,MESSAGE,TRANSACTION,TRANSACTIONRESPONSE,BATCH,BATCHRESPONSE,HISTORY,SEARCHSET
     #    allow_cascading_deletes: true
     #    allow_contains_searches: true
-    #    allow_external_references: true
+    allow_external_references: true
     #    allow_multiple_delete: true
     #    allow_override_default_search_params: true
     #    auto_create_placeholder_reference_targets: false
@@ -236,8 +236,8 @@ hapi:
     # comma-separated list of fully qualified interceptor classes. 
     # classes listed here will be fetched from the Spring context when combined with 'custom-bean-packages', 
     # or will be instantiated via reflection using an no-arg contructor; then registered with the server  
-    #custom-interceptor-classes:  
-
+    custom-interceptor-classes:
+        - earth.angelson.security.AuthorizationInterceptor
     # comma-separated list of fully qualified provider classes. 
     # classes listed here will be fetched from the Spring context when combined with 'custom-bean-packages', 
     # or will be instantiated via reflection using an no-arg contructor; then registered with the server