public static async Task <FHIRResponse> callFHIRServer(string requestBody, HttpRequest req, ILogger log, string res, string id, string hist, string vid)
{
FHIRClient fhirClient = FHIRClientFactory.getClient(log);
FHIRResponse fhirresp = null;
if (req.Method.Equals("GET"))
{
var qs = req.QueryString.HasValue ? req.QueryString.Value : null;
StringBuilder sb = new StringBuilder();
sb.Append(res);
if (!string.IsNullOrEmpty(id))
{
sb.Append("/" + id);
if (!string.IsNullOrEmpty(hist))
{
sb.Append("/" + hist);
if (!string.IsNullOrEmpty(vid))
{
sb.Append("/" + vid);
}
}
}
fhirresp = await fhirClient.LoadResource(sb.ToString(), qs, false, req.Headers);
}
else
{
if (req.Method.Equals("DELETE"))
{
fhirresp = await fhirClient.DeleteResource(res + (id == null ? "" : "/" + id), req.Headers);
}
else if (req.Method.Equals("POST") && !string.IsNullOrEmpty(id) && id.StartsWith("_search"))
{
var qs = req.QueryString.HasValue ? req.QueryString.Value : null;
fhirresp = await fhirClient.PostCommand(res + "/" + id, requestBody, qs, req.Headers);
}
else
{
fhirresp = await fhirClient.SaveResource(res, requestBody, req.Method, req.Headers);
}
}
return(fhirresp);
}
public static async Task <IActionResult> Run(
[HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", "put", "patch", "delete", Route = "fhir/{res?}/{id?}")] HttpRequest req,
ILogger log, ClaimsPrincipal principal, string res, string id)
{
/*The basic FHIR proxy by default only validates that the user principal is authenticated (AuthN).
* You can clone this code and add your own authorization logic, pre and post processing logic to fit your business
* use cases. This function will accept standard REST Verbs as used by HL7 FHIR
*
* IMPORTANT: Do not publish this function without Authentication (Easy Auth or APIM) you will compromise your FHIR server!
*
*/
log.LogInformation("FHIR ProxyBase Function Invoked");
if (!principal.Identity.IsAuthenticated)
{
return(new ContentResult()
{
Content = "User is not Authenticated", StatusCode = (int)System.Net.HttpStatusCode.Unauthorized
});
}
/* Load the ClaimsIdentity for use in RBAC based logic */
ClaimsIdentity ci = (ClaimsIdentity)principal.Identity;
/* Load the tenant Name from principal */
string aadten = ci.Tenant();
/* Load the principal Name */
string name = principal.Identity.Name;
/* Minimum Authorization must be in an access Role Reader, Writer or Admin based on HTTP Verb*/
bool admin = ci.IsInFHIRRole(Environment.GetEnvironmentVariable("ADMIN_ROLE"));
//GET (READ)
if (req.Method.Equals("GET"))
{
if (!admin && !ci.IsInFHIRRole(Environment.GetEnvironmentVariable("READER_ROLE")))
{
return(new ContentResult()
{
Content = Utils.genOOErrResponse("auth-access", "User/Application must be in a reader role to access"), StatusCode = (int)System.Net.HttpStatusCode.Unauthorized, ContentType = "application/json"
});
}
}
else
{ //OTHER VERBS ARE WRITER
if (!admin && !ci.IsInFHIRRole(Environment.GetEnvironmentVariable("WRITER_ROLE")))
{
return(new ContentResult()
{
Content = Utils.genOOErrResponse("auth-access", "User/Application must be in a writer role to update"), StatusCode = (int)System.Net.HttpStatusCode.Unauthorized, ContentType = "application/json"
});
}
}
/* Load the request contents */
string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
/* Get/update/check current bearer token to authenticate the proxy to the FHIR Server
* The following parameters must be defined in environment variables:
* To use Manged Service Identity or Service Client:
* FS_URL = the fully qualified URL to the FHIR Server
* FS_RESOURCE = the audience or resource for the FHIR Server for Azure API for FHIR should be https://azurehealthcareapis.com
* To use a Service Client Principal the following must also be specified:
* FS_TENANT_NAME = the GUID or UPN of the AAD tenant that is hosting FHIR Server Authentication
* FS_CLIENT_ID = the client or app id of the private client authorized to access the FHIR Server
* FS_SECRET = the client secret to pass to FHIR Server Authentication
*/
if (!string.IsNullOrEmpty(System.Environment.GetEnvironmentVariable("FS_RESOURCE")) && FHIRClient.isTokenExpired(_bearerToken))
{
lock (_lock)
{
if (FHIRClient.isTokenExpired(_bearerToken))
{
log.LogInformation($"Obtaining new OAUTH2 Bearer Token for access to FHIR Server");
_bearerToken = FHIRClient.GetOAUTH2BearerToken(System.Environment.GetEnvironmentVariable("FS_RESOURCE"), System.Environment.GetEnvironmentVariable("FS_TENANT_NAME"),
System.Environment.GetEnvironmentVariable("FS_CLIENT_ID"), System.Environment.GetEnvironmentVariable("FS_SECRET")).GetAwaiter().GetResult();
}
}
}
/*
* Create User Custom Headers these headers are passed to the FHIR Server to communicate credentials of the authorized user for each proxy call
* this is ensures accruate audit trails for FHIR server access. Note: This headers are honored by the Azure API for FHIR Server
*/
List <HeaderParm> auditheaders = new List <HeaderParm>();
auditheaders.Add(new HeaderParm("X-MS-AZUREFHIR-AUDIT-USERID", principal.Identity.Name));
auditheaders.Add(new HeaderParm("X-MS-AZUREFHIR-AUDIT-TENANT", ci.Tenant()));
auditheaders.Add(new HeaderParm("X-MS-AZUREFHIR-AUDIT-SOURCE", req.HttpContext.Connection.RemoteIpAddress.ToString()));
auditheaders.Add(new HeaderParm("X-MS-AZUREFHIR-AUDIT-PROXY", "FHIRProxy-ProxyBase"));
/* Preserve FHIR Specific change control headers and include in the proxy call */
List <HeaderParm> customandrestheaders = new List <HeaderParm>();
foreach (string key in req.Headers.Keys)
{
string s = key.ToLower();
if (s.Equals("etag"))
{
customandrestheaders.Add(new HeaderParm(key, req.Headers[key].First()));
}
else if (s.StartsWith("if-"))
{
customandrestheaders.Add(new HeaderParm(key, req.Headers[key].First()));
}
}
/* Add User Audit Headers */
customandrestheaders.AddRange(auditheaders);
/* Get a FHIR Client instance to talk to the FHIR Server */
log.LogInformation($"Instanciating FHIR Client Proxy");
FHIRClient fhirClient = new FHIRClient(System.Environment.GetEnvironmentVariable("FS_URL"), _bearerToken);
FHIRResponse fhirresp = null;
/*
* TODO: Add your pre-call Filter Logic here
* Any custom pre FHIR filtering, security, validations
* or transform mappings.
*/
/* Proxy the call to the FHIR Server */
JObject result = null;
if (req.Method.Equals("GET"))
{
var qs = req.QueryString.HasValue ? req.QueryString.Value : null;
fhirresp = fhirClient.LoadResource(res + (id == null ? "" : "/" + id), qs, false, customandrestheaders.ToArray());
}
else
{
if (req.Method.Equals("DELETE"))
{
fhirresp = fhirClient.DeleteResource(res + (id == null ? "" : "/" + id), customandrestheaders.ToArray());
}
else
{
fhirresp = fhirClient.SaveResource(res, requestBody, req.Method, customandrestheaders.ToArray());
}
}
/* Fix location header to proxy address */
if (fhirresp.Headers.ContainsKey("Location"))
{
fhirresp.Headers["Location"].Value = fhirresp.Headers["Location"].Value.Replace(Environment.GetEnvironmentVariable("FS_URL"), req.Scheme + "://" + req.Host.Value + req.Path.Value.Substring(0, req.Path.Value.IndexOf(res) - 1));
}
var str = fhirresp.Content == null ? "" : (string)fhirresp.Content;
/* Fix server locations to proxy address */
str = str.Replace(Environment.GetEnvironmentVariable("FS_URL"), req.Scheme + "://" + req.Host.Value + (res != null ? req.Path.Value.Substring(0, req.Path.Value.IndexOf(res) - 1) : req.Path.Value));
result = (string.IsNullOrEmpty(str) ? null : JObject.Parse(str));
/*
* TODO: Add your Filter Logic here
* Any custom post FHIR filtering or security checks
* or transform mappings.
*/
/* Add Headers from FHIR Server Response */
foreach (string key in fhirresp.Headers.Keys)
{
req.HttpContext.Response.Headers.Remove(key);
req.HttpContext.Response.Headers.Add(key, fhirresp.Headers[key].Value);
}
var jr = new JsonResult(result);
jr.StatusCode = (int)fhirresp.StatusCode;
return(jr);
}
