Adds access control rules and allowed process configurations #77

hhund · 2020-03-11T02:32:50Z

adds access control rules for all implemented resources
adds differentiation of MeDIC and TTP deployments
adds ActivityDefinition based control of what processes can be accessed by remote or local users as well as based on organization type (MeDIC/TTP)
adds audit logger with entries in separate audit log file
fixes a few minor issues, upgrades dependency versions
includes camunda upgrade from 7.11 to 7.12 (breaking db change)

closes #58
closes #21
closes #19
closes #15
closes #5
first steps for #65

Conflicts: dsf-fhir/dsf-fhir-server/src/main/java/org/highmed/dsf/fhir/spring/config/WebserviceConfig.java

processAuthorization_ActivityDefinition Conflicts: dsf-fhir/dsf-fhir-server/src/main/java/org/highmed/dsf/fhir/dao/jdbc/CodeSystemDaoJdbc.java dsf-fhir/dsf-fhir-server/src/main/java/org/highmed/dsf/fhir/dao/jdbc/ValueSetDaoJdbc.java dsf-fhir/dsf-fhir-server/src/main/java/org/highmed/dsf/fhir/webservice/impl/ConformanceServiceImpl.java

ResearchStudy, Practitioner, PractitionerRole

Process authorization extension now differentiates between requesting and receiving organization type, this allows for specifying the organization type that can execute a process

same organizations check now based on id of the organization resources only

now checks if the contained resource can be read (authorization rule read allowed) by users, skips user if not allowed fixes fhir parser config -> strip versions false

fixes fhir parser config -> strip versions false

added new BPMN container for lists of fhir resources simple feasibility process now works in 3medic/ttp docker test setup with new authorization rules

hhund · 2020-03-11T02:43:25Z

@wetret please check if the json files in the bpe process modules can still be used to start/test the processes. I only checked the java starter classes.

wetret · 2020-03-13T09:31:43Z

@wetret please check if the json files in the bpe process modules can still be used to start/test the processes. I only checked the java starter classes.

I removed the json files, since they have not been used anymore.

Parsing errors now result in a HTTP Status 403 FORBIDDEN.

hhund added 30 commits January 26, 2020 02:13

com.google.common.base.Objects.equal to java.util.Objects.equals

27c28fe

added resource ActivityDefinition and some search parameters

be263c9

Merge branch 'master' into processAuthorization_ActivityDefinition

b23ba53

Merge branch 'master' into processAuthorization_ActivityDefinition

f340b79

Conflicts: dsf-fhir/dsf-fhir-server/src/main/java/org/highmed/dsf/fhir/spring/config/WebserviceConfig.java

security facade rework

c44e71a

work on authorization rules

f6d8bc0

new config parameter to distinguish between MeDIC and TTP

57ee565

more work on authorization rules and user filters

1c2d284

work on binary rules, integration tests, fhir client error handling

d796bce

work on binary auth rules, user filter and integration test

d032fef

organization/endpoint id-systems to NamingSystem, work on auth rules

1d45b10

work on authorization, passwords as char[], dependency version upgrades

59f77ee

hapi version upgrade to 4.2.0, ..DaoJdbc, ...UserFilter cleanup

b2ca062

work on authorization rules, include/revinclude filter during search

6ae3dbf

work on authorization in handling of batch and transaction bundles

266d08c

work on authorization rules

ca45baf

integration test fix

9b40f6e

work on authorization rules, i.a. ActivityDefinition and Task

83bb9b1

work on authorization rules, create of ping, pong and start-ping working

6d73d33

work on authorization rules, Task authorization -> update

447fe46

work on authorization rules, more rules not tested yet

64bd431

ResearchStudy, Practitioner, PractitionerRole

work on authorization rules, i.a. requestSimpleFeasibility bundle test

7e2a130

work on authorization rules, i.a. GroupAuthorizationRule/GroupUserFilter

322b9ae

ActivityDefinitions for all processes, requesting/receiving org type

e68d342

Process authorization extension now differentiates between requesting and receiving organization type, this allows for specifying the organization type that can execute a process

additional auth rules and user filters

4d69aa7

test bundle fixes, added missing auth tags

0e2c685

docker-compose version upgrade

25e14fc

added separate audit logger to log into file fhir-audit.log

10758f8

added missing EndpointAddress search parameter

e5b26fd

hhund added 18 commits March 10, 2020 16:36

copy/paste error fix -> wrong version

b509eb9

removed zero length whitespace characters

7062cd6

fixed search parameter definition urls and alpha. sort order in DAOs

0770d0d

added authorization tag to created whitelist transaction bundle

4c74545

fixed message name (case sensitive) and process version (now 0.1.0)

7f71f9e

process version number changes 1.0.0 -> 0.1.0

03cf9c1

fixed message-names

89fd235

increased remote read and connection timeouts

2d13844

additional practitioner.active = true check

c124041

removed old comment, added debug old/new resource as json log entry

8824195

isCurrentUserPartOfReferencedOrganization now only checks id not version

71eee51

same organizations check now based on id of the organization resources only

logging fix

a79a670

EventManager now checks if resource can be read before sending event

c11cda2

now checks if the contained resource can be read (authorization rule read allowed) by users, skips user if not allowed fixes fhir parser config -> strip versions false

removed not neede constructor param, fhir parser config fix

54b1a47

fixes fhir parser config -> strip versions false

missing active=true for test Practitioner resource

06e697f

changed authorization extension to support multiple authorization-roles

d028c4c

fixed starter to conform to resource validation

edf7293

fixed serialization issues, feasibility process works with new authoriz.

3a5fb73

added new BPMN container for lists of fhir resources simple feasibility process now works in 3medic/ttp docker test setup with new authorization rules

hhund requested a review from wetret March 11, 2020 02:32

removes unneeded starter json files

a0c378c

wetret approved these changes Mar 13, 2020

View reviewed changes

hhund added 5 commits March 17, 2020 15:15

removed redundant check, better error message

f318640

added null check

3bb535b

added DataFormatExceptionHandler to handle HAPI parsing errors -> 403

305f17a

Parsing errors now result in a HTTP Status 403 FORBIDDEN.

additional integration tests

153ed93

camunda upgrade 7.11 to 7.12

d7054f4

hhund merged commit f0908d5 into master Mar 17, 2020

hhund deleted the access_control branch March 17, 2020 18:18

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Adds access control rules and allowed process configurations #77

Adds access control rules and allowed process configurations #77

hhund commented Mar 11, 2020 •

edited

Loading

hhund commented Mar 11, 2020

wetret commented Mar 13, 2020

Adds access control rules and allowed process configurations #77

Adds access control rules and allowed process configurations #77

Conversation

hhund commented Mar 11, 2020 • edited Loading

hhund commented Mar 11, 2020

wetret commented Mar 13, 2020

hhund commented Mar 11, 2020 •

edited

Loading