private OperationOutcome ValidateOrganisationInteraction(string asid, string orgCode, bool isProviderCheck)
        {
            // Interaction ids a "provider" (write-capable) client must hold at least one of.
            string[] writeInteractions = { FhirConstants.CreateInteractionId, FhirConstants.UpdateInteractionId, FhirConstants.DeleteInteractionId };

            var clientEntry = _sdsService.GetFor(asid);

            // Unknown ASID: there is nothing to compare the org code against, so deny.
            if (clientEntry == null)
            {
                return OperationOutcomeFactory.CreateAccessDenied();
            }

            // The ODS code supplied on the request must be non-empty and equal (ordinal) to the
            // one registered against the ASID.
            var orgMatches = !string.IsNullOrEmpty(orgCode)
                             && !string.IsNullOrEmpty(clientEntry.OdsCode)
                             && clientEntry.OdsCode == orgCode;

            // Provider checks additionally require a registered create/update/delete interaction.
            // Only evaluated when the check is requested, as in the original.
            var providerOk = !isProviderCheck
                             || (clientEntry.Interactions != null
                                 && clientEntry.Interactions.Any(x => writeInteractions.Contains(x)));

            // null signals "allowed"; an OperationOutcome signals the denial to return to the caller.
            return orgMatches && providerOk
                ? null
                : OperationOutcomeFactory.CreateAccessDenied();
        }
        private OperationOutcome ValidateOrganisationInteraction(string asid, string orgCode, bool isProviderCheck)
        {
            // Interaction ids a "provider" (write-capable) client must hold at least one of.
            string[] writeInteractions = { FhirConstants.CreateInteractionId, FhirConstants.UpdateInteractionId, FhirConstants.DeleteInteractionId };

            var asidMap = _cache.Get<ClientAsidMap>(ClientAsidMap.Key);

            // No ASID on the request, or no map cached yet: deny.
            if (string.IsNullOrEmpty(asid) || asidMap == null || asidMap.ClientAsids == null)
            {
                return OperationOutcomeFactory.CreateAccessDenied();
            }

            // FirstOrDefault on a missing key yields a default pair whose Value is null.
            var client = asidMap.ClientAsids.FirstOrDefault(x => x.Key == asid).Value;

            if (client == null)
            {
                return OperationOutcomeFactory.CreateAccessDenied();
            }

            // The ODS/org code supplied on the request must be non-empty and equal (ordinal)
            // to the one held for the ASID.
            var orgMatches = !string.IsNullOrEmpty(orgCode)
                             && !string.IsNullOrEmpty(client.OrgCode)
                             && client.OrgCode == orgCode;

            // Provider checks additionally require a registered create/update/delete interaction.
            var providerOk = !isProviderCheck
                             || (client.Interactions != null
                                 && client.Interactions.Any(x => writeInteractions.Contains(x)));

            if (orgMatches && providerOk)
            {
                return null;
            }

            return OperationOutcomeFactory.CreateAccessDenied();
        }
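        /// <summary>
        /// Request gate for the NRLS endpoint. Validates, in order: the JWT in Authorization
        /// (scope chosen by verb), the fromASID (must be known to SDS), the toASID (must be this
        /// service's own ASID), and finally that the client is registered for the interaction
        /// derived from verb + path. Every failure is surfaced by throwing; only a request that
        /// passes all four steps reaches the next middleware.
        /// </summary>
        /// <param name="context">The current HTTP context.</param>
        /// <param name="nrlsApiSettings">Per-request options snapshot; the "NrlsApiSetting" entry is read.</param>
        /// <exception cref="HttpFhirException">403 when the interaction is not one the client holds.</exception>
        public async SystemTasks.Task Invoke(HttpContext context, IOptionsSnapshot <ApiSetting> nrlsApiSettings)
        {
            // NOTE(review): per-request options are written to an instance field here. If this
            // middleware instance is shared across requests (conventional ASP.NET Core middleware
            // is constructed once), concurrent requests race on _nrlsApiSettings — confirm how the
            // middleware is registered and where the field is read.
            _nrlsApiSettings = nrlsApiSettings.Get("NrlsApiSetting");


            //Order of validation is Important
            var request = context.Request;
            var headers = request.Headers;
            var method  = request.Method;


            //Accept is optional but must be valid if supplied
            //Check is delegated to FhirInputMiddleware


            // 1. JWT. GET maps to the read scope; every other verb requires the write scope.
            var authorization = GetHeaderValue(headers, HeaderNames.Authorization);
            var scope         = method == HttpMethods.Get ? JwtScopes.Read : JwtScopes.Write;
            var jwtResponse   = _nrlsValidation.ValidJwt(new Tuple <JwtScopes, string>(scope, "DocumentReference"), authorization);

            if (string.IsNullOrEmpty(authorization) || !jwtResponse.Success)
            {
                SetJwtError(HeaderNames.Authorization, jwtResponse.Message);
            }

            // 2. fromASID must resolve to a client SDS knows about.
            var fromASID    = GetHeaderValue(headers, FhirConstants.HeaderFromAsid);
            var clientCache = _sdsService.GetFor(fromASID);

            if (clientCache == null)
            {
                SetError(FhirConstants.HeaderFromAsid, null);
            }

            // 3. toASID must be this service's own ASID (ordinal comparison).
            var toASID = GetHeaderValue(headers, FhirConstants.HeaderToAsid);

            if (string.IsNullOrEmpty(toASID) || toASID != _spineSettings.Asid)
            {
                SetError(FhirConstants.HeaderToAsid, null);
            }

            // 4. The client must be registered for the interaction implied by verb + path.
            // clientCache and its Interactions list are checked explicitly rather than assumed:
            // the guard does not rely on SetError having thrown above, and an SDS entry with a
            // null Interactions list (a case the sibling ValidateOrganisationInteraction guards)
            // must be a 403, not an unhandled NullReferenceException.
            var interactionId = GetInteractionId(method, request.Path.Value);

            if (string.IsNullOrEmpty(interactionId)
                || clientCache == null
                || clientCache.Interactions == null
                || !clientCache.Interactions.Contains(interactionId))
            {
                throw new HttpFhirException("Client interaction request invalid", OperationOutcomeFactory.CreateAccessDenied(), HttpStatusCode.Forbidden);
            }

            //We've Passed! Continue to App...
            await _next.Invoke(context);

            return;
        }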
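        /// <summary>
        /// TLS client-certificate check: the presented certificate is accepted only if it is
        /// within its validity period and its thumbprint is present in the current user's
        /// personal (My) certificate store. Chain/trust results are not consulted (see note below).
        /// </summary>
        /// <param name="cert">Certificate presented by the client; null when none was presented.</param>
        /// <param name="chain">Unused — the chain built by the TLS stack.</param>
        /// <param name="error">Unused — the TLS stack's policy errors.</param>
        /// <returns>true when the certificate is recognised.</returns>
        /// <exception cref="HttpFhirException">401 when the certificate is absent, expired/not yet valid, or not in the store.</exception>
        private static bool ValidateClient(X509Certificate2 cert, X509Chain chain, SslPolicyErrors error)
        {
            // No certificate presented: nothing to pin against. (Without this guard cert.Thumbprint
            // below would throw NullReferenceException instead of a deliberate access-denied.)
            if (cert == null)
            {
                throw new HttpFhirException("Invalid Client Request Exception", OperationOutcomeFactory.CreateAccessDenied(), HttpStatusCode.Unauthorized);
            }

            // The store lookup below passes validOnly:false, so the store will NOT filter out expired
            // or not-yet-valid entries; enforce the validity window explicitly here. NotBefore/NotAfter
            // are local-time DateTimes, so compare in UTC.
            var now = DateTime.UtcNow;
            if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            {
                throw new HttpFhirException("Invalid Client Request Exception", OperationOutcomeFactory.CreateAccessDenied(), HttpStatusCode.Unauthorized);
            }

            using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
            {
                store.Open(OpenFlags.ReadOnly);

                //Just validate that we recognise
                //Update to ensure we grab certs in a cross platform way
                //Asid match will be done in middleware
                //
                // NOTE(review): `chain` and `error` are intentionally ignored — the SslPolicyErrors
                // check is commented out below, so trust-chain failures do not reject the client and
                // identity rests solely on the thumbprint matching an entry in this user's store
                // (a pinning model). Confirm that is intended, and that the store is write-protected:
                // any certificate placed in it becomes an accepted client. Also confirm the caller
                // turns these exceptions into a 401 — an exception thrown from a TLS validation
                // callback may instead abort the handshake.
                var clientCertificates = store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false);
                if (clientCertificates.Count < 1) // || error != SslPolicyErrors.None
                {
                    throw new HttpFhirException("Invalid Client Request Exception", OperationOutcomeFactory.CreateAccessDenied(), HttpStatusCode.Unauthorized);
                }

                return true;
            }
        }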
 /// <summary>
 /// Fails the current request: always throws an HttpFhirException carrying a 401 and an
 /// access-denied OperationOutcome. Never returns normally.
 /// </summary>
 private void SetError()
 {
     var denied = OperationOutcomeFactory.CreateAccessDenied();
     throw new HttpFhirException("Invalid Client Request", denied, HttpStatusCode.Unauthorized);
 }