/// <summary>
/// Generates a list of valid scopes which will be used to determine authorization.
/// No validation is done on the parameters.
/// </summary>
/// <param name="type">The type: System or User.</param>
/// <param name="requirement">The requirement to get the resource and access from.</param>
/// <returns>An array of acceptable scopes.</returns>
private static string[] GetAcceptedScopes(string type, FhirRequirement requirement)
{
string[] acceptedScopes = new string[]
{
$"{type}/{FhirResource.Wildcard}.{FhirAccessType.Wildcard}",
$"{type}/{FhirResource.Wildcard}.{requirement.AccessType}",
$"{type}/{requirement.Resource}.{FhirAccessType.Wildcard}",
$"{type}/{requirement.Resource}.{requirement.AccessType}",
};
return(acceptedScopes);
}
private string?GetResourceHDID(FhirRequirement requirement)
{
string?retVal = null;
if (requirement.Lookup == Constants.FhirResourceLookup.Route)
{
retVal = this.httpContextAccessor.HttpContext.Request.RouteValues[RouteResourceIdentifier] as string;
}
else if (requirement.Lookup == Constants.FhirResourceLookup.Parameter)
{
retVal = this.httpContextAccessor.HttpContext.Request.Query[RouteResourceIdentifier];
}
return(retVal);
}
/// <summary>
/// Check if the authenticated user has delegated read to the patient resource being accessed.
/// </summary>
/// <param name="context">The authorization handler context.</param>
/// <param name="resourceHDID">The health data resource subject identifier.</param>
/// <param name="requirement">The Fhir requirement to satisfy.</param>
private bool IsDelegated(AuthorizationHandlerContext context, string resourceHDID, FhirRequirement requirement)
{
bool retVal = false;
this.logger.LogInformation($"Performing user delegation validation for resource {resourceHDID}");
string?userHDID = context.User.FindFirst(c => c.Type == GatewayClaims.HDID)?.Value;
if (userHDID != null)
{
if (this.resourceDelegateDelegate.Exists(resourceHDID, userHDID))
{
if (this.IsExpired(resourceHDID))
{
this.logger.LogError($"Performing Observation delegation on resource {resourceHDID} failed as delegation is expired.");
}
else
{
this.logger.LogInformation($"Authorized user {userHDID} to have {requirement.AccessType} access to Observation resource {resourceHDID}");
retVal = true;
}
}
else
{
this.logger.LogWarning($"Delegation validation for User {userHDID} on Observation resource {resourceHDID} failed");
}
}
return(retVal);
}
/// <summary>
/// Check if the authenticated user has delegated read to the patient resource being accessed.
/// </summary>
/// <param name="context">The authorization handler context.</param>
/// <param name="resourceHDID">The health data resource subject identifier.</param>
/// <param name="requirement">The Fhir requirement to satisfy.</param>
private bool IsDelegated(AuthorizationHandlerContext context, string resourceHDID, FhirRequirement requirement)
{
bool retVal = false;
if (context.User.HasClaim(c => c.Type == GatewayClaims.Scope))
{
string scopeclaim = context.User.FindFirstValue(GatewayClaims.Scope);
string[] scopes = scopeclaim.Split(' ');
this.logger.LogInformation($"Performing system delegation validation for Patient resource {resourceHDID}");
this.logger.LogInformation($"Caller has the following scopes: {scopeclaim}");
string[] systemDelegatedScopes = GetAcceptedScopes(System, requirement);
if (scopes.Intersect(systemDelegatedScopes).Any())
{
this.logger.LogInformation($"Authorized caller as system to have {requirement.AccessType} access to Patient resource {resourceHDID}");
retVal = true;
}
else
{
this.logger.LogInformation($"Performing user delegation validation for Patient resource {resourceHDID}");
string[] userDelegatedScopes = GetAcceptedScopes(User, requirement);
if (context.User.HasClaim(c => c.Type == GatewayClaims.HDID) && scopes.Intersect(userDelegatedScopes).Any())
{
this.logger.LogError("user delgation is not implemented, returning not authorized");
// TODO: Future check needed for patient to patient delegation.
}
else
{
this.logger.LogWarning($"Patient delgation validation for Patient resource {resourceHDID} failed");
}
}
}
return(retVal);
}
/// <summary>
/// Check if the authenticated user has system delegated access to the resource.
/// </summary>
/// <param name="context">The authorization handler context.</param>
/// <param name="resourceHDID">The health data resource subject identifier.</param>
/// <param name="requirement">The Fhir requirement to satisfy.</param>
/// <returns>True if the authenticated user has system delegated scope, false otherwise.</returns>
protected bool IsSystemDelegated(AuthorizationHandlerContext context, string resourceHDID, FhirRequirement requirement)
{
bool retVal = false;
if (context.User.HasClaim(c => c.Type == GatewayClaims.Scope))
{
string scopeclaim = context.User.FindFirstValue(GatewayClaims.Scope);
string[] scopes = scopeclaim.Split(' ');
this.logger.LogInformation($"Performing system delegation validation for resource {resourceHDID}");
this.logger.LogInformation($"Caller has the following scopes: {scopeclaim}");
string[] systemDelegatedScopes = GetAcceptedScopes(System, requirement);
if (scopes.Intersect(systemDelegatedScopes).Any())
{
this.logger.LogInformation($"Authorized caller as system to have {requirement.AccessType} access to resource {resourceHDID}");
retVal = true;
}
}
return(retVal);
}
private bool ValidateObservationDelegate(AuthorizationHandlerContext context, string resourceHDID, FhirRequirement requirement)
{
bool retVal = false;
if (this.userDelegateDelegate != null)
{
this.logger.LogInformation($"Performing user delegation validation for resource {resourceHDID}");
if (context.User.HasClaim(c => c.Type == GatewayClaims.HDID))
{
string userHDID = context.User.FindFirst(c => c.Type == GatewayClaims.HDID).Value;
if (this.userDelegateDelegate.Exists(resourceHDID, userHDID))
{
this.logger.LogInformation($"Authorized user {userHDID} to have {requirement.AccessType} access to Observation resource {resourceHDID}");
retVal = true;
}
else
{
this.logger.LogWarning($"Delegation validation for User {userHDID} on Observation resource {resourceHDID} failed");
}
}
}
else
{
this.logger.LogError($"Performing Observation delegation on resource {resourceHDID} failed as userDelegateDelegate is null");
}
return(retVal);
}
/// <summary>
/// Check if the authenticated user has delegated read to the patient resource being accessed.
/// </summary>
/// <param name="context">The authorization handler context.</param>
/// <param name="resourceHDID">The health data resource subject identifier.</param>
/// <param name="requirement">The Fhir requirement to satisfy.</param>
private bool IsDelegated(AuthorizationHandlerContext context, string resourceHDID, FhirRequirement requirement)
{
bool retVal = false;
if (context.User.HasClaim(c => c.Type == GatewayClaims.Scope))
{
string scopeclaim = context.User.FindFirstValue(GatewayClaims.Scope);
string[] scopes = scopeclaim.Split(' ');
this.logger.LogInformation($"Performing system delegation validation for resource {resourceHDID}");
this.logger.LogInformation($"Caller has the following scopes: {scopeclaim}");
string[] systemDelegatedScopes = GetAcceptedScopes(System, requirement);
if (scopes.Intersect(systemDelegatedScopes).Any())
{
this.logger.LogInformation($"Authorized caller as system to have {requirement.AccessType} access to resource {resourceHDID}");
retVal = true;
}
else
{
switch (requirement.Resource)
{
case FhirResource.Observation:
retVal = this.ValidateObservationDelegate(context, resourceHDID, requirement);
break;
default:
this.logger.LogError($"User delegation is not implemented on resource type {requirement.Resource.GetType().Name} for Resource {resourceHDID}");
break;
}
}
}
return(retVal);
}
