Merge remote-tracking branch 'origin/issues/124_125_oidc_support' into

develop

dsf-docker-test-setup-3dic-ttp/docker-compose.yml

@@ -107,6 +107,7 @@ services:
       --spi-truststore-file-hostname-verification-policy=STRICT
 
   dic1-fhir:
+    build: ../dsf-fhir/dsf-fhir-server-jetty/docker
     image: datasharingframework/fhir
     restart: "no"
     ports:
@@ -175,6 +176,7 @@ services:
       - keycloak
 
   dic2-fhir:
+    build: ../dsf-fhir/dsf-fhir-server-jetty/docker
     image: datasharingframework/fhir
     restart: "no"
     ports:
@@ -243,6 +245,7 @@ services:
       - keycloak
 
   dic3-fhir:
+    build: ../dsf-fhir/dsf-fhir-server-jetty/docker
     image: datasharingframework/fhir
     restart: "no"
     ports:
@@ -311,6 +314,7 @@ services:
       - keycloak
 
   ttp-fhir:
+    build: ../dsf-fhir/dsf-fhir-server-jetty/docker
     image: datasharingframework/fhir
     restart: "no"
     ports:
@@ -386,6 +390,7 @@ services:
       - keycloak
 
   dic1-bpe:
+    build: ../dsf-bpe/dsf-bpe-server-jetty/docker
     image: datasharingframework/bpe
     restart: "no"
     ports:
@@ -452,6 +457,7 @@ services:
       - keycloak
 
   dic2-bpe:
+    build: ../dsf-bpe/dsf-bpe-server-jetty/docker
     image: datasharingframework/bpe
     restart: "no"
     ports:
@@ -518,6 +524,7 @@ services:
       - keycloak
 
   dic3-bpe:
+    build: ../dsf-bpe/dsf-bpe-server-jetty/docker
     image: datasharingframework/bpe
     restart: "no"
     ports:
@@ -585,6 +592,7 @@ services:
       - keycloak
 
   ttp-bpe:
+    build: ../dsf-bpe/dsf-bpe-server-jetty/docker
     image: datasharingframework/bpe
     restart: "no"
     ports:

dsf-docker-test-setup/bpe/docker-compose.yml

@@ -1,6 +1,7 @@
 version: '3.8'
 services:
   app:
+    build: ../../dsf-bpe/dsf-bpe-server-jetty/docker
     image: datasharingframework/bpe
     restart: "no"
     ports:

dsf-docker-test-setup/fhir/docker-compose.yml

@@ -1,6 +1,7 @@
 version: '3.8'
 services:
   proxy:
+    build: ../../dsf-docker/fhir_proxy
     image: datasharingframework/fhir_proxy
     restart: "no"
     ports:
@@ -28,6 +29,7 @@ services:
       - app
 
   app:
+    build: ../../dsf-fhir/dsf-fhir-server-jetty/docker
     image: datasharingframework/fhir
     restart: "no"
     ports:

dsf-docker/fhir_proxy/conf/extra/host-ssl.conf

@@ -36,19 +36,22 @@ RequestHeader set X-ClientCert ""
 Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
 
 <Location "${SERVER_CONTEXT_PATH}">
-	RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s
+	RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s "expr=-n %{SSL_CLIENT_CERT}"
+	RequestHeader set X-Forwarded-Proto %{REQUEST_SCHEME}s
 
 	ProxyPass http://${APP_SERVER_IP}:8080/fhir/ timeout=${PROXY_PASS_TIMEOUT_HTTP} connectiontimeout=${PROXY_PASS_CONNECTION_TIMEOUT_HTTP}
 	ProxyPassReverse http://${APP_SERVER_IP}:8080/fhir/
 </Location>
 <Location "${SERVER_CONTEXT_PATH}/">
-	RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s
+	RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s "expr=-n %{SSL_CLIENT_CERT}"
+	RequestHeader set X-Forwarded-Proto %{REQUEST_SCHEME}s
 
 	ProxyPass http://${APP_SERVER_IP}:8080/fhir/ timeout=${PROXY_PASS_TIMEOUT_HTTP} connectiontimeout=${PROXY_PASS_CONNECTION_TIMEOUT_HTTP}
 	ProxyPassReverse http://${APP_SERVER_IP}:8080/fhir/
 </Location>
 <Location "${SERVER_CONTEXT_PATH}/ws">
-	RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s
+	RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s "expr=-n %{SSL_CLIENT_CERT}"
+	RequestHeader set X-Forwarded-Proto %{REQUEST_SCHEME}s
 
 	ProxyWebsocketFallbackToProxyHttp off
 	ProxyPass ws://${APP_SERVER_IP}:8080/fhir/ws timeout=${PROXY_PASS_TIMEOUT_WS} connectiontimeout=${PROXY_PASS_CONNECTION_TIMEOUT_WS}

dsf-fhir/dsf-fhir-server/src/main/java/dev/dsf/fhir/authentication/PractitionerProviderImpl.java

@@ -1,5 +1,7 @@
 package dev.dsf.fhir.authentication;
 
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
@@ -88,26 +90,41 @@ private Practitioner toPractitioner(JcaX509CertificateHolder certificate)
 						.filter(n -> n.getTagNo() == GeneralName.rfc822Name).map(GeneralName::getName)
 						.map(IETFUtils::valueToString).toList();
 
-		Stream<String> emails = Stream.concat(Stream.concat(email1.stream(), email2.stream()), rfc822Names.stream())
-				.filter(e -> e != null).filter(e -> e.contains("@"));
+		Stream<String> emails = Stream.concat(Stream.concat(email1.stream(), email2.stream()), rfc822Names.stream());
 		return toPractitioner(!surnames.isEmpty() ? surnames.stream() : commonName.stream(), givennames.stream(),
 				emails);
 	}
 
 	private Practitioner toPractitioner(DsfOpenIdCredentials credentials)
 	{
+		String iss = credentials.getStringClaimOrDefault("iss", "");
+		String sub = credentials.getStringClaimOrDefault("sub", "");
+
 		Stream<String> surname = Stream.of((String) credentials.getStringClaimOrDefault("family_name", ""));
 		Stream<String> givenNames = Stream.of((String) credentials.getStringClaimOrDefault("given_name", ""));
-		Stream<String> emails = Stream.of((String) credentials.getStringClaimOrDefault("email", ""));
+		Stream<String> emails = Stream.of((String) credentials.getStringClaimOrDefault("email", ""), toEmail(iss, sub));
 
 		return toPractitioner(surname, givenNames, emails);
 	}
 
+	private String toEmail(String iss, String sub)
+	{
+		try
+		{
+			return sub + "@" + new URL(iss).getHost();
+		}
+		catch (MalformedURLException e)
+		{
+			return null;
+		}
+	}
+
 	private Practitioner toPractitioner(Stream<String> surname, Stream<String> givenNames, Stream<String> emails)
 	{
 		Practitioner practitioner = new Practitioner();
 
-		emails.map(e -> new Identifier().setSystem(PRACTITIONER_IDENTIFIER_SYSTEM).setValue(e))
+		emails.filter(e -> e != null).filter(e -> e.contains("@"))
+				.map(e -> new Identifier().setSystem(PRACTITIONER_IDENTIFIER_SYSTEM).setValue(e))
 				.forEach(practitioner::addIdentifier);
 
 		HumanName name = new HumanName();