issue #2777 - bulkdata authz enforcement in fhir-smart #2785
Conversation
lmsurpre
force-pushed
the
issue-2777
branch
5 times, most recently
from
3559081
to
c824e60
Compare
1. Introduce beforeInvoke and afterInvoke to the FHIRPersistenceInterceptor interface. I wanted these to take the FHIROperationContext which is in fhir-server, so that lead to: 2. Move the FHIRPersistenceInterceptor (and related classes) from fhir-persistence to fhir-server (where they are called from). Unfortunately, fhir-notification implements FHIRPersistenceInterceptor, but fhir-server depends on fhir-notification. I tried breaking this dependency but it was difficult because fhir-server currently initializes the websocket notification impl differently than the kafka and nats ones. So that lead to: 3. Move fhir-notification and all 3 implementations into fhir-server. At first I didn't like this, but this was the easiest way out of the dependency mess. If we want to break them back out, we should introduce a proper notification spi. This should get revisited when we get to #1289 4. Finally, I made the change I actually wanted to make, which is to add support for `system/[resourceType].[read|write]` scopes in fhir-smart and check these scopes before we allow requests to `$export`, `$import`, and `$bulkdata-status`. Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
Previously, it was only enabled for export. Now, it will check for system/[resourceType].write access for each resource type being imported. For bulkdata-status, we intercept the request just before the response is returned and verify that the token has scopes that cover all the various resource types in the output of the export job. For import status, there's only OperationOutcome and so there's not much to check. Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
lmsurpre
force-pushed
the
issue-2777
branch
2 times, most recently
from
e34f78b
to
f8e9156
Compare
Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
lmsurpre
requested review from
punktilious,
michaelwschroeder,
prb112 and
tbieste
| * | ||
| * To register an interceptor implementation, develop a class that implements the FHIRPersistenceInterceptor interface, | ||
| * and then insert your implementation class name into a file called | ||
| * META-INF/services/com.ibm.fhir.persistence.FHIRPersistenceInterceptor and store that file in your jar. |
There was a problem hiding this comment.
is the interceptor itself going to remain the same canonical name?
There was a problem hiding this comment.
good catch. I moved it to the com.ibm.fhir.server.interceptor package and so I'll update this doc to reflect that
|
Q: Modularity, this code seems to move all the code into the fhir-server. The modularity of the project is really blurring. Q: Re 4, do you need the operationName for downstream decisions? |
I tried to address this in point number 2 of the pull request description.
I need the operation code in the beforeInvoke and afterInvoke methods. I was surprised that it wasn't already in the FHIROperationContext and so I added it. It could have been "yet another property in the map" but I thought it was first-class enough to warrant its own member. |
Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
Currently, this module houses the SPI-related classes for: * Interceptors * Custom Operations As part of that effort, I moved the Interaction enum from FHIRRestHelper to its interface, FHIRResourceHelpers. I updated fhir-smart to depend on fhir-server-spi instead of fhir-server. I also updated all fhir-operation modules to depend on a 'provided'-scope fhir-server-spi instead of fhir-server, with the following exceptions: 1. fhir-operation-erase because that one still depends on RestAuditLogger which I decided not to move into the spi module 2. fhir-operation-term-cache because that depends on ServerRegistryResourceProvider (to clear its internal cache) Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
Introduce fhir-server-spi
fhir-server/src/main/java/com/ibm/fhir/server/operation/spi/FHIROperationContext.java
Outdated
Show resolved
Hide resolved
fhir-server/src/main/java/com/ibm/fhir/server/operation/spi/FHIRRestOperationResponse.java
Outdated
Show resolved
Hide resolved
fhir-server-spi/src/main/java/com/ibm/fhir/server/spi/operation/FHIROperationContext.java
Outdated
Show resolved
Hide resolved
fhir-server-spi/src/main/java/com/ibm/fhir/server/spi/operation/FHIRRestOperationResponse.java
Outdated
Show resolved
Hide resolved
fhir-server/src/main/java/com/ibm/fhir/server/rest/FHIRRestInteractionInvoke.java
Show resolved
Hide resolved
Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
Introduce beforeInvoke and afterInvoke to the
FHIRPersistenceInterceptor interface. I wanted these to take the
FHIROperationContext which is in fhir-server, so that lead to:
Move the FHIRPersistenceInterceptor (and related classes) from
fhir-persistence to fhir-server (where they are called from).
Unfortunately, fhir-notification implements FHIRPersistenceInterceptor,
but fhir-server depends on fhir-notification (and all its implementations).
I tried breaking this dependency but it was difficult because fhir-server currently
initializes the websocket notification impl differently than the kafka
and nats ones. So that lead to:
Move fhir-notification and all 3 implementations into fhir-server. At
first I didn't like this, but this was the easiest way out of the
dependency mess. If we want to break them back out, we should introduce
a proper notification spi. This should get revisited when we get to
Support for FHIR Subscription mechanism #1289
Finally, I made the change I actually wanted to make, which is to add
support for
system/[resourceType].[read|write]scopes in fhir-smartand check these scopes before we allow requests to
$export,$import,and double-check the scopes before we return the download urls from
$bulkdata-status.Signed-off-by: Lee Surprenant lmsurpre@us.ibm.com