/// <summary> /// Generates a list of valid scopes which will be used to determine authorization. /// No validation is done on the parameters. /// </summary> /// <param name="type">The type: System or User.</param> /// <param name="requirement">The requirement to get the resource and access from.</param> /// <returns>An array of acceptable scopes.</returns> private static string[] GetAcceptedScopes(string type, FhirRequirement requirement) { string[] acceptedScopes = new string[] { $"{type}/{FhirResource.Wildcard}.{FhirAccessType.Wildcard}", $"{type}/{FhirResource.Wildcard}.{requirement.AccessType}", $"{type}/{requirement.Resource}.{FhirAccessType.Wildcard}", $"{type}/{requirement.Resource}.{requirement.AccessType}", }; return(acceptedScopes); }
private string?GetResourceHDID(FhirRequirement requirement) { string?retVal = null; if (requirement.Lookup == Constants.FhirResourceLookup.Route) { retVal = this.httpContextAccessor.HttpContext.Request.RouteValues[RouteResourceIdentifier] as string; } else if (requirement.Lookup == Constants.FhirResourceLookup.Parameter) { retVal = this.httpContextAccessor.HttpContext.Request.Query[RouteResourceIdentifier]; } return(retVal); }
/// <summary> /// Check if the authenticated user has delegated read to the patient resource being accessed. /// </summary> /// <param name="context">The authorization handler context.</param> /// <param name="resourceHDID">The health data resource subject identifier.</param> /// <param name="requirement">The Fhir requirement to satisfy.</param> private bool IsDelegated(AuthorizationHandlerContext context, string resourceHDID, FhirRequirement requirement) { bool retVal = false; this.logger.LogInformation($"Performing user delegation validation for resource {resourceHDID}"); string?userHDID = context.User.FindFirst(c => c.Type == GatewayClaims.HDID)?.Value; if (userHDID != null) { if (this.resourceDelegateDelegate.Exists(resourceHDID, userHDID)) { if (this.IsExpired(resourceHDID)) { this.logger.LogError($"Performing Observation delegation on resource {resourceHDID} failed as delegation is expired."); } else { this.logger.LogInformation($"Authorized user {userHDID} to have {requirement.AccessType} access to Observation resource {resourceHDID}"); retVal = true; } } else { this.logger.LogWarning($"Delegation validation for User {userHDID} on Observation resource {resourceHDID} failed"); } } return(retVal); }
/// <summary> /// Check if the authenticated user has delegated read to the patient resource being accessed. /// </summary> /// <param name="context">The authorization handler context.</param> /// <param name="resourceHDID">The health data resource subject identifier.</param> /// <param name="requirement">The Fhir requirement to satisfy.</param> private bool IsDelegated(AuthorizationHandlerContext context, string resourceHDID, FhirRequirement requirement) { bool retVal = false; if (context.User.HasClaim(c => c.Type == GatewayClaims.Scope)) { string scopeclaim = context.User.FindFirstValue(GatewayClaims.Scope); string[] scopes = scopeclaim.Split(' '); this.logger.LogInformation($"Performing system delegation validation for Patient resource {resourceHDID}"); this.logger.LogInformation($"Caller has the following scopes: {scopeclaim}"); string[] systemDelegatedScopes = GetAcceptedScopes(System, requirement); if (scopes.Intersect(systemDelegatedScopes).Any()) { this.logger.LogInformation($"Authorized caller as system to have {requirement.AccessType} access to Patient resource {resourceHDID}"); retVal = true; } else { this.logger.LogInformation($"Performing user delegation validation for Patient resource {resourceHDID}"); string[] userDelegatedScopes = GetAcceptedScopes(User, requirement); if (context.User.HasClaim(c => c.Type == GatewayClaims.HDID) && scopes.Intersect(userDelegatedScopes).Any()) { this.logger.LogError("user delgation is not implemented, returning not authorized"); // TODO: Future check needed for patient to patient delegation. } else { this.logger.LogWarning($"Patient delgation validation for Patient resource {resourceHDID} failed"); } } } return(retVal); }
/// <summary> /// Check if the authenticated user has system delegated access to the resource. /// </summary> /// <param name="context">The authorization handler context.</param> /// <param name="resourceHDID">The health data resource subject identifier.</param> /// <param name="requirement">The Fhir requirement to satisfy.</param> /// <returns>True if the authenticated user has system delegated scope, false otherwise.</returns> protected bool IsSystemDelegated(AuthorizationHandlerContext context, string resourceHDID, FhirRequirement requirement) { bool retVal = false; if (context.User.HasClaim(c => c.Type == GatewayClaims.Scope)) { string scopeclaim = context.User.FindFirstValue(GatewayClaims.Scope); string[] scopes = scopeclaim.Split(' '); this.logger.LogInformation($"Performing system delegation validation for resource {resourceHDID}"); this.logger.LogInformation($"Caller has the following scopes: {scopeclaim}"); string[] systemDelegatedScopes = GetAcceptedScopes(System, requirement); if (scopes.Intersect(systemDelegatedScopes).Any()) { this.logger.LogInformation($"Authorized caller as system to have {requirement.AccessType} access to resource {resourceHDID}"); retVal = true; } } return(retVal); }
private bool ValidateObservationDelegate(AuthorizationHandlerContext context, string resourceHDID, FhirRequirement requirement) { bool retVal = false; if (this.userDelegateDelegate != null) { this.logger.LogInformation($"Performing user delegation validation for resource {resourceHDID}"); if (context.User.HasClaim(c => c.Type == GatewayClaims.HDID)) { string userHDID = context.User.FindFirst(c => c.Type == GatewayClaims.HDID).Value; if (this.userDelegateDelegate.Exists(resourceHDID, userHDID)) { this.logger.LogInformation($"Authorized user {userHDID} to have {requirement.AccessType} access to Observation resource {resourceHDID}"); retVal = true; } else { this.logger.LogWarning($"Delegation validation for User {userHDID} on Observation resource {resourceHDID} failed"); } } } else { this.logger.LogError($"Performing Observation delegation on resource {resourceHDID} failed as userDelegateDelegate is null"); } return(retVal); }
/// <summary> /// Check if the authenticated user has delegated read to the patient resource being accessed. /// </summary> /// <param name="context">The authorization handler context.</param> /// <param name="resourceHDID">The health data resource subject identifier.</param> /// <param name="requirement">The Fhir requirement to satisfy.</param> private bool IsDelegated(AuthorizationHandlerContext context, string resourceHDID, FhirRequirement requirement) { bool retVal = false; if (context.User.HasClaim(c => c.Type == GatewayClaims.Scope)) { string scopeclaim = context.User.FindFirstValue(GatewayClaims.Scope); string[] scopes = scopeclaim.Split(' '); this.logger.LogInformation($"Performing system delegation validation for resource {resourceHDID}"); this.logger.LogInformation($"Caller has the following scopes: {scopeclaim}"); string[] systemDelegatedScopes = GetAcceptedScopes(System, requirement); if (scopes.Intersect(systemDelegatedScopes).Any()) { this.logger.LogInformation($"Authorized caller as system to have {requirement.AccessType} access to resource {resourceHDID}"); retVal = true; } else { switch (requirement.Resource) { case FhirResource.Observation: retVal = this.ValidateObservationDelegate(context, resourceHDID, requirement); break; default: this.logger.LogError($"User delegation is not implemented on resource type {requirement.Resource.GetType().Name} for Resource {resourceHDID}"); break; } } } return(retVal); }