Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Issues/124 125 OIDC support #126

Merged
merged 4 commits into from
Oct 30, 2023
Merged

Issues/124 125 OIDC support #126

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
aa93c1d
"build" properties for fhir_proxy, fhir and bpe services
hhund Oct 30, 2023
23d6db3
adds X-Forwarded-Proto header for proxy request to the fhir app server
hhund Oct 30, 2023
0fcfc9c
only send X-ClientCert header if variable SSL_CLIENT_CERT is not empty
hhund Oct 30, 2023
0ba0191
adds mail address based on the iss and sub values from the access token
hhund Oct 30, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions dsf-docker-test-setup-3dic-ttp/docker-compose.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,7 @@ services:
--spi-truststore-file-hostname-verification-policy=STRICT

dic1-fhir:
build: ../dsf-fhir/dsf-fhir-server-jetty/docker
image: datasharingframework/fhir
restart: "no"
ports:
Expand Down Expand Up @@ -175,6 +176,7 @@ services:
- keycloak

dic2-fhir:
build: ../dsf-fhir/dsf-fhir-server-jetty/docker
image: datasharingframework/fhir
restart: "no"
ports:
Expand Down Expand Up @@ -243,6 +245,7 @@ services:
- keycloak

dic3-fhir:
build: ../dsf-fhir/dsf-fhir-server-jetty/docker
image: datasharingframework/fhir
restart: "no"
ports:
Expand Down Expand Up @@ -311,6 +314,7 @@ services:
- keycloak

ttp-fhir:
build: ../dsf-fhir/dsf-fhir-server-jetty/docker
image: datasharingframework/fhir
restart: "no"
ports:
Expand Down Expand Up @@ -386,6 +390,7 @@ services:
- keycloak

dic1-bpe:
build: ../dsf-bpe/dsf-bpe-server-jetty/docker
image: datasharingframework/bpe
restart: "no"
ports:
Expand Down Expand Up @@ -452,6 +457,7 @@ services:
- keycloak

dic2-bpe:
build: ../dsf-bpe/dsf-bpe-server-jetty/docker
image: datasharingframework/bpe
restart: "no"
ports:
Expand Down Expand Up @@ -518,6 +524,7 @@ services:
- keycloak

dic3-bpe:
build: ../dsf-bpe/dsf-bpe-server-jetty/docker
image: datasharingframework/bpe
restart: "no"
ports:
Expand Down Expand Up @@ -585,6 +592,7 @@ services:
- keycloak

ttp-bpe:
build: ../dsf-bpe/dsf-bpe-server-jetty/docker
image: datasharingframework/bpe
restart: "no"
ports:
Expand Down
1 change: 1 addition & 0 deletions dsf-docker-test-setup/bpe/docker-compose.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
version: '3.8'
services:
app:
build: ../../dsf-bpe/dsf-bpe-server-jetty/docker
image: datasharingframework/bpe
restart: "no"
ports:
Expand Down
2 changes: 2 additions & 0 deletions dsf-docker-test-setup/fhir/docker-compose.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
version: '3.8'
services:
proxy:
build: ../../dsf-docker/fhir_proxy
image: datasharingframework/fhir_proxy
restart: "no"
ports:
Expand Down Expand Up @@ -28,6 +29,7 @@ services:
- app

app:
build: ../../dsf-fhir/dsf-fhir-server-jetty/docker
image: datasharingframework/fhir
restart: "no"
ports:
Expand Down
9 changes: 6 additions & 3 deletions dsf-docker/fhir_proxy/conf/extra/host-ssl.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,19 +36,22 @@ RequestHeader set X-ClientCert ""
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

<Location "${SERVER_CONTEXT_PATH}">
RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s
RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s "expr=-n %{SSL_CLIENT_CERT}"
RequestHeader set X-Forwarded-Proto %{REQUEST_SCHEME}s

ProxyPass http://${APP_SERVER_IP}:8080/fhir/ timeout=${PROXY_PASS_TIMEOUT_HTTP} connectiontimeout=${PROXY_PASS_CONNECTION_TIMEOUT_HTTP}
ProxyPassReverse http://${APP_SERVER_IP}:8080/fhir/
</Location>
<Location "${SERVER_CONTEXT_PATH}/">
RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s
RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s "expr=-n %{SSL_CLIENT_CERT}"
RequestHeader set X-Forwarded-Proto %{REQUEST_SCHEME}s

ProxyPass http://${APP_SERVER_IP}:8080/fhir/ timeout=${PROXY_PASS_TIMEOUT_HTTP} connectiontimeout=${PROXY_PASS_CONNECTION_TIMEOUT_HTTP}
ProxyPassReverse http://${APP_SERVER_IP}:8080/fhir/
</Location>
<Location "${SERVER_CONTEXT_PATH}/ws">
RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s
RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s "expr=-n %{SSL_CLIENT_CERT}"
RequestHeader set X-Forwarded-Proto %{REQUEST_SCHEME}s

ProxyWebsocketFallbackToProxyHttp off
ProxyPass ws://${APP_SERVER_IP}:8080/fhir/ws timeout=${PROXY_PASS_TIMEOUT_WS} connectiontimeout=${PROXY_PASS_CONNECTION_TIMEOUT_WS}
Expand Down
25 changes: 21 additions & 4 deletions ...r/dsf-fhir-server/src/main/java/dev/dsf/fhir/authentication/PractitionerProviderImpl.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
package dev.dsf.fhir.authentication;

import java.net.MalformedURLException;
import java.net.URL;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
Expand Down Expand Up @@ -88,26 +90,41 @@ private Practitioner toPractitioner(JcaX509CertificateHolder certificate)
.filter(n -> n.getTagNo() == GeneralName.rfc822Name).map(GeneralName::getName)
.map(IETFUtils::valueToString).toList();

Stream<String> emails = Stream.concat(Stream.concat(email1.stream(), email2.stream()), rfc822Names.stream())
.filter(e -> e != null).filter(e -> e.contains("@"));
Stream<String> emails = Stream.concat(Stream.concat(email1.stream(), email2.stream()), rfc822Names.stream());
return toPractitioner(!surnames.isEmpty() ? surnames.stream() : commonName.stream(), givennames.stream(),
emails);
}

private Practitioner toPractitioner(DsfOpenIdCredentials credentials)
{
String iss = credentials.getStringClaimOrDefault("iss", "");
String sub = credentials.getStringClaimOrDefault("sub", "");

Stream<String> surname = Stream.of((String) credentials.getStringClaimOrDefault("family_name", ""));
Stream<String> givenNames = Stream.of((String) credentials.getStringClaimOrDefault("given_name", ""));
Stream<String> emails = Stream.of((String) credentials.getStringClaimOrDefault("email", ""));
Stream<String> emails = Stream.of((String) credentials.getStringClaimOrDefault("email", ""), toEmail(iss, sub));

return toPractitioner(surname, givenNames, emails);
}

private String toEmail(String iss, String sub)
{
try
{
return sub + "@" + new URL(iss).getHost();
}
catch (MalformedURLException e)
{
return null;
}
}

private Practitioner toPractitioner(Stream<String> surname, Stream<String> givenNames, Stream<String> emails)
{
Practitioner practitioner = new Practitioner();

emails.map(e -> new Identifier().setSystem(PRACTITIONER_IDENTIFIER_SYSTEM).setValue(e))
emails.filter(e -> e != null).filter(e -> e.contains("@"))
.map(e -> new Identifier().setSystem(PRACTITIONER_IDENTIFIER_SYSTEM).setValue(e))
.forEach(practitioner::addIdentifier);

HumanName name = new HumanName();
Expand Down