Support authz policy enforcement in the bulkdata operation #2777
Comments
lmsurpre
added a commit
that referenced
this issue
Sep 20, 2021
1. Introduce beforeInvoke and afterInvoke to the FHIRPersistenceInterceptor interface. I wanted these to take the FHIROperationContext which is in fhir-server, so that lead to: 2. Move the FHIRPersistenceInterceptor (and related classes) from fhir-persistence to fhir-server (where they are called from). Unfortunately, fhir-notification implements FHIRPersistenceInterceptor, but fhir-server depends on fhir-notification. I tried breaking this dependency but it was difficult because fhir-server currently initializes the websocket notification impl differently than the kafka and nats ones. So that lead to: 3. Move fhir-notification and all 3 implementations into fhir-server. At first I didn't like this, but this was the easiest way out of the dependency mess. If we want to break them back out, we should introduce a proper notification spi. This should get revisited when we get to #1289 4. Finally, I made the change I actually wanted to make, which is to add support for `system/[resourceType].[read|write]` scopes in fhir-smart and check these scopes before we allow requests to `$export`, `$import`, and `$bulkdata-status`. Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
lmsurpre
added a commit
that referenced
this issue
Sep 20, 2021
1. Introduce beforeInvoke and afterInvoke to the FHIRPersistenceInterceptor interface. I wanted these to take the FHIROperationContext which is in fhir-server, so that lead to: 2. Move the FHIRPersistenceInterceptor (and related classes) from fhir-persistence to fhir-server (where they are called from). Unfortunately, fhir-notification implements FHIRPersistenceInterceptor, but fhir-server depends on fhir-notification. I tried breaking this dependency but it was difficult because fhir-server currently initializes the websocket notification impl differently than the kafka and nats ones. So that lead to: 3. Move fhir-notification and all 3 implementations into fhir-server. At first I didn't like this, but this was the easiest way out of the dependency mess. If we want to break them back out, we should introduce a proper notification spi. This should get revisited when we get to #1289 4. Finally, I made the change I actually wanted to make, which is to add support for `system/[resourceType].[read|write]` scopes in fhir-smart and check these scopes before we allow requests to `$export`, `$import`, and `$bulkdata-status`. Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
lmsurpre
added a commit
that referenced
this issue
Sep 21, 2021
1. Introduce beforeInvoke and afterInvoke to the FHIRPersistenceInterceptor interface. I wanted these to take the FHIROperationContext which is in fhir-server, so that lead to: 2. Move the FHIRPersistenceInterceptor (and related classes) from fhir-persistence to fhir-server (where they are called from). Unfortunately, fhir-notification implements FHIRPersistenceInterceptor, but fhir-server depends on fhir-notification. I tried breaking this dependency but it was difficult because fhir-server currently initializes the websocket notification impl differently than the kafka and nats ones. So that lead to: 3. Move fhir-notification and all 3 implementations into fhir-server. At first I didn't like this, but this was the easiest way out of the dependency mess. If we want to break them back out, we should introduce a proper notification spi. This should get revisited when we get to #1289 4. Finally, I made the change I actually wanted to make, which is to add support for `system/[resourceType].[read|write]` scopes in fhir-smart and check these scopes before we allow requests to `$export`, `$import`, and `$bulkdata-status`. Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
lmsurpre
added a commit
that referenced
this issue
Sep 21, 2021
1. Introduce beforeInvoke and afterInvoke to the FHIRPersistenceInterceptor interface. I wanted these to take the FHIROperationContext which is in fhir-server, so that lead to: 2. Move the FHIRPersistenceInterceptor (and related classes) from fhir-persistence to fhir-server (where they are called from). Unfortunately, fhir-notification implements FHIRPersistenceInterceptor, but fhir-server depends on fhir-notification. I tried breaking this dependency but it was difficult because fhir-server currently initializes the websocket notification impl differently than the kafka and nats ones. So that lead to: 3. Move fhir-notification and all 3 implementations into fhir-server. At first I didn't like this, but this was the easiest way out of the dependency mess. If we want to break them back out, we should introduce a proper notification spi. This should get revisited when we get to #1289 4. Finally, I made the change I actually wanted to make, which is to add support for `system/[resourceType].[read|write]` scopes in fhir-smart and check these scopes before we allow requests to `$export`, `$import`, and `$bulkdata-status`. Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
lmsurpre
added a commit
that referenced
this issue
Sep 21, 2021
1. Introduce beforeInvoke and afterInvoke to the FHIRPersistenceInterceptor interface. I wanted these to take the FHIROperationContext which is in fhir-server, so that lead to: 2. Move the FHIRPersistenceInterceptor (and related classes) from fhir-persistence to fhir-server (where they are called from). Unfortunately, fhir-notification implements FHIRPersistenceInterceptor, but fhir-server depends on fhir-notification. I tried breaking this dependency but it was difficult because fhir-server currently initializes the websocket notification impl differently than the kafka and nats ones. So that lead to: 3. Move fhir-notification and all 3 implementations into fhir-server. At first I didn't like this, but this was the easiest way out of the dependency mess. If we want to break them back out, we should introduce a proper notification spi. This should get revisited when we get to #1289 4. Finally, I made the change I actually wanted to make, which is to add support for `system/[resourceType].[read|write]` scopes in fhir-smart and check these scopes before we allow requests to `$export`, `$import`, and `$bulkdata-status`. Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
lmsurpre
added a commit
that referenced
this issue
Sep 21, 2021
1. Introduce beforeInvoke and afterInvoke to the FHIRPersistenceInterceptor interface. I wanted these to take the FHIROperationContext which is in fhir-server, so that lead to: 2. Move the FHIRPersistenceInterceptor (and related classes) from fhir-persistence to fhir-server (where they are called from). Unfortunately, fhir-notification implements FHIRPersistenceInterceptor, but fhir-server depends on fhir-notification. I tried breaking this dependency but it was difficult because fhir-server currently initializes the websocket notification impl differently than the kafka and nats ones. So that lead to: 3. Move fhir-notification and all 3 implementations into fhir-server. At first I didn't like this, but this was the easiest way out of the dependency mess. If we want to break them back out, we should introduce a proper notification spi. This should get revisited when we get to #1289 4. Finally, I made the change I actually wanted to make, which is to add support for `system/[resourceType].[read|write]` scopes in fhir-smart and check these scopes before we allow requests to `$export`, `$import`, and `$bulkdata-status`. Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
lmsurpre
added a commit
that referenced
this issue
Sep 21, 2021
1. Introduce beforeInvoke and afterInvoke to the FHIRPersistenceInterceptor interface. I wanted these to take the FHIROperationContext which is in fhir-server, so that lead to: 2. Move the FHIRPersistenceInterceptor (and related classes) from fhir-persistence to fhir-server (where they are called from). Unfortunately, fhir-notification implements FHIRPersistenceInterceptor, but fhir-server depends on fhir-notification. I tried breaking this dependency but it was difficult because fhir-server currently initializes the websocket notification impl differently than the kafka and nats ones. So that lead to: 3. Move fhir-notification and all 3 implementations into fhir-server. At first I didn't like this, but this was the easiest way out of the dependency mess. If we want to break them back out, we should introduce a proper notification spi. This should get revisited when we get to #1289 4. Finally, I made the change I actually wanted to make, which is to add support for `system/[resourceType].[read|write]` scopes in fhir-smart and check these scopes before we allow requests to `$export`, `$import`, and `$bulkdata-status`. Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
lmsurpre
added a commit
that referenced
this issue
Sep 22, 2021
Previously, it was only enabled for export. Now, it will check for system/[resourceType].write access for each resource type being imported. For bulkdata-status, we intercept the request just before the response is returned and verify that the token has scopes that cover all the various resource types in the output of the export job. For import status, there's only OperationOutcome and so there's not much to check. Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
lmsurpre
added a commit
that referenced
this issue
Oct 18, 2021
1. Introduce beforeInvoke and afterInvoke to the FHIRPersistenceInterceptor interface. I wanted these to take the FHIROperationContext which is in fhir-server, so that lead to: 2. Move the FHIRPersistenceInterceptor (and related classes) from fhir-persistence to fhir-server (where they are called from). Unfortunately, fhir-notification implements FHIRPersistenceInterceptor, but fhir-server depends on fhir-notification. I tried breaking this dependency but it was difficult because fhir-server currently initializes the websocket notification impl differently than the kafka and nats ones. So that lead to: 3. Move fhir-notification and all 3 implementations into fhir-server. At first I didn't like this, but this was the easiest way out of the dependency mess. If we want to break them back out, we should introduce a proper notification spi. This should get revisited when we get to #1289 4. Finally, I made the change I actually wanted to make, which is to add support for `system/[resourceType].[read|write]` scopes in fhir-smart and check these scopes before we allow requests to `$export`, `$import`, and `$bulkdata-status`. Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
lmsurpre
added a commit
that referenced
this issue
Oct 18, 2021
Previously, it was only enabled for export. Now, it will check for system/[resourceType].write access for each resource type being imported. For bulkdata-status, we intercept the request just before the response is returned and verify that the token has scopes that cover all the various resource types in the output of the export job. For import status, there's only OperationOutcome and so there's not much to check. Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
lmsurpre
added a commit
that referenced
this issue
Oct 22, 2021
issue #2777 - bulkdata authz enforcement in fhir-smart
|
I am able to invoke a system export when I use a scope like Additionally, I found that the list of scopes in the error message only includes system scopes which is confusing if the client has obtained a token with |
lmsurpre
added a commit
that referenced
this issue
Oct 26, 2021
1. `_types` should have been `_type` 2. introduce new checkScopes variant that clarifies the scopes we're echoing back are just the 'system/' ones Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
lmsurpre
added a commit
that referenced
this issue
Oct 26, 2021
1. `_types` should have been `_type` 2. introduce new checkScopes variant that clarifies the scopes we're echoing back are just the 'system/' ones Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
lmsurpre
added a commit
that referenced
this issue
Oct 27, 2021
… or system/ scope Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
lmsurpre
added a commit
that referenced
this issue
Oct 27, 2021
… or system/ scope Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
lmsurpre
added a commit
that referenced
this issue
Oct 28, 2021
issue #2777 - allow access to Patient resource(s) if covered by user/ or system/ scope
|
Tested with Keycloak env and verified that different scopes worked correctly with bulk data export and import |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
Describe the solution you'd like
Describe alternatives you've considered
Put the auth code right into fhir-operation-bulkdata.
Acceptance Criteria
AND [another precondition]
WHEN [test step]
AND [test step]
THEN [verification step]
AND [verification step]
Additional context
Add any other context or screenshots about the feature request here.
The text was updated successfully, but these errors were encountered: