Rework authorization providers in ManagedWebAccess

Author: dotasek

RELEASE_NOTES.md

@@ -1,4 +1,4 @@
-## Security Notices 
+## Security Notices
 
 * TODO: HTTP Authentication Notes
 * This release of the Validator supports scoped packages (see [security advisory note](todo))
@@ -13,20 +13,20 @@
 * Fix bugs in expansion and validation when valueset includes two different versions of the same code system
 * Various Performance Improvements
 * Package Regenerator
-  * Performance Improvements 
-  * more robust against errors in FHIRPath expressions 
-  * Don't produce duplicate value sets 
+  * Performance Improvements
+  * more robust against errors in FHIRPath expressions
+  * Don't produce duplicate value sets
 * Fix bug parsing with multiple profiles for a type
 * fix bug validating codes with no server
 
 ## Other code changes
 
 * The IWorkerContext has been changed, which impacts on all uses of the HAPI core library:
   * Introduce VersionResolutionRules when resolving versions for canonical references
-  * Add Identifier when resolving References to support logical references 
+  * Add Identifier when resolving References to support logical references
   * Add the methods storeAnalysis/retrieveAnalysis for caching analysis of the loaded resources - caches are wiped when loaded content changes
   * Remove the NamingSystem related function in preference to using the analysis methods
-* Fix NPE rendering Questionnaires 
+* Fix NPE rendering Questionnaires
 * Expansion bugs: imported valueSet excludes ignored + expansion.total inconsistent
 * Remove FTPClient, tests, and supporting dependencies
 * Fix rendering bug where naming system resolution was a little random

org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/TerminologyCacheManager.java

@@ -143,24 +143,4 @@ private void zipDirectory(OutputStream outputStream) throws IOException {
       });
     }
   }
-
-  public void commit(String token) throws IOException {
-    // create a zip of all the files
-    ByteArrayOutputStream bs = new ByteArrayOutputStream();
-    zipDirectory(bs);
-
-    // post it to
-    String url = "https://tx.fhir.org/post/tx-cache/" + ghOrg + "/" + ghRepo + "/" + ghBranch + ".zip";
-    log.info("Sending tx-cache to " + url + " (" + Utilities.describeSize(bs.toByteArray().length) + ")");
-
-    HTTPResult res = ManagedWebAccess.accessor(Arrays.asList("web"))
-     .withBasicAuth(token.substring(0, token.indexOf(':')), token.substring(token.indexOf(':') + 1))
-     .put(url, bs.toByteArray(), null, "application/zip");
-    if (res.getCode() >= 300) {
-      log.error("sending cache failed: " + res.getCode());
-    } else {
-      log.info("Sent cache");
-    }
-  }
-
 }

org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/terminologies/TerminologyCacheManager.java

@@ -144,7 +144,7 @@ private void zipDirectory(OutputStream outputStream) throws IOException {
     }
   }
 
-  
+  /*FIXME delete this if need be or implement basic auth
   public void commit(String token) throws IOException {
     // create a zip of all the files 
     ByteArrayOutputStream bs = new ByteArrayOutputStream();
@@ -163,5 +163,5 @@ public void commit(String token) throws IOException {
       log.info("Sent cache");
     }
   }
-
+*/
 }

org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/http/HTTPAuthProvider.java

@@ -0,0 +1,15 @@
+package org.hl7.fhir.utilities.http;
+
+import java.net.URL;
+import java.util.Map;
+
+/**
+ * Provides necessary information for authenticating HTTP requests for specific URLs.
+ */
+public interface IHTTPAuthenticationProvider {
+
+  public boolean canProvideHeaders(URL url);
+
+  public Map<String, String> getHeaders(URL url);
+
+}

org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/http/IHTTPAuthenticationProvider.java

@@ -44,8 +44,8 @@ public ManagedFhirWebAccessor withLogger(ToolingClientLogger logger) {
     return this;
   }
 
-  public ManagedFhirWebAccessor(String userAgent, List<ServerDetailsPOJO> serverAuthDetails) {
-    super(Arrays.asList("fhir"), userAgent, serverAuthDetails);
+  public ManagedFhirWebAccessor(String userAgent, IHTTPAuthenticationProvider authenticationProvider) {
+    super(Arrays.asList("fhir"), userAgent, authenticationProvider);
     this.timeout = 5000;
     this.timeoutUnit = TimeUnit.MILLISECONDS;
   }
@@ -70,40 +70,9 @@ protected HTTPRequest requestWithAuthorizationHeaders(HTTPRequest httpRequest) {
       headers.add(new HTTPHeader(entry.getKey(), entry.getValue()));
     }
 
-    if (getAuthenticationMode() != null) {
-      if (getAuthenticationMode() != HTTPAuthenticationMode.NONE) {
-        switch (getAuthenticationMode()) {
-          case BASIC:
-            final String basicCredential = Credentials.basic(getUsername(), getPassword());
-            headers.add(new HTTPHeader("Authorization", basicCredential));
-            break;
-          case TOKEN:
-            String tokenCredential = "Bearer " + getToken();
-            headers.add(new HTTPHeader("Authorization", tokenCredential));
-            break;
-          case APIKEY:
-            String apiKeyCredential = getToken();
-            headers.add(new HTTPHeader("Api-Key", apiKeyCredential));
-            break;
-        }
-      }
-    } else {
-      ServerDetailsPOJO settings = ManagedWebAccessUtils.getServer(getServerTypes(), httpRequest.getUrl().toString(), getServerAuthDetails());
-      if (settings != null) {
-        switch (settings.getAuthenticationType()) {
-          case "basic":
-            final String basicCredential = Credentials.basic(settings.getUsername(), settings.getPassword());
-            headers.add(new HTTPHeader("Authorization", basicCredential));
-            break;
-          case "token":
-            String tokenCredential = "Bearer " + settings.getToken();
-            headers.add(new HTTPHeader("Authorization", tokenCredential));
-            break;
-          case "apikey":
-            String apiKeyCredential = settings.getApikey();
-            headers.add(new HTTPHeader("Api-Key", apiKeyCredential));
-            break;
-        }
+    if (getHttpAuthHeaderProvider() != null && getHttpAuthHeaderProvider().canProvideHeaders(httpRequest.getUrl())) {
+      for (Map.Entry<String, String> entry : getHttpAuthHeaderProvider().getHeaders(httpRequest.getUrl()).entrySet()) {
+           headers.add(new HTTPHeader(entry.getKey(), entry.getValue()));
       }
     }
     return httpRequest.withHeaders(headers);

org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/http/ManagedFhirWebAccessor.java

@@ -82,7 +82,9 @@ public enum WebAccessPolicy {
 
   @Getter
   private static String userAgent;
-  private static List<ServerDetailsPOJO> serverAuthDetails;
+
+  private static List<ServerDetailsPOJO> serverDetailsList;
+  private static IHTTPAuthenticationProvider defaultAuthenticationProvider;
 
   public static WebAccessPolicy getAccessPolicy() {
     return accessPolicy;
@@ -109,11 +111,19 @@ public static void setUserAgent(String userAgent) {
   }
 
   public static ManagedWebAccessor accessor(Iterable<String> serverTypes) {
-    return new ManagedWebAccessor(serverTypes, userAgent, serverAuthDetails);
+    return new ManagedWebAccessor(serverTypes, userAgent, defaultAuthenticationProvider);
+  }
+
+  public static ManagedWebAccessor accessor(Iterable<String> serverTypes, IHTTPAuthenticationProvider authenticationProvider) {
+    return new ManagedWebAccessor(serverTypes, userAgent, authenticationProvider);
   }
 
   public static ManagedFhirWebAccessor fhirAccessor() {
-    return new ManagedFhirWebAccessor(userAgent, serverAuthDetails);
+    return new ManagedFhirWebAccessor(userAgent, defaultAuthenticationProvider);
+  }
+
+  public static ManagedFhirWebAccessor fhirAccessor(IHTTPAuthenticationProvider authenticationProvider) {
+    return new ManagedFhirWebAccessor(userAgent, authenticationProvider);
   }
 
   public static HTTPResult get(Iterable<String> serverTypes, String url) throws IOException {
@@ -139,15 +149,8 @@ public static HTTPResult httpCall(HTTPRequest httpRequest) throws IOException {
   public static void loadFromFHIRSettings() {
     setAccessPolicy(FhirSettings.isProhibitNetworkAccess() ? WebAccessPolicy.PROHIBITED : WebAccessPolicy.DIRECT);
     setUserAgent("hapi-fhir-tooling-client");
-    serverAuthDetails = new ArrayList<>();
-    serverAuthDetails.addAll(FhirSettings.getServers());
-  }
-
-  public static void loadFromFHIRSettings(FhirSettings settings) {
-    setAccessPolicy(settings.isProhibitNetworkAccess() ? WebAccessPolicy.PROHIBITED : WebAccessPolicy.DIRECT);
-    setUserAgent("hapi-fhir-tooling-client");
-    serverAuthDetails = new ArrayList<>();
-    serverAuthDetails.addAll(settings.getServers());
+    serverDetailsList = FhirSettings.getServers();
+    defaultAuthenticationProvider = new ServerDetailsPOJOHTTPAuthProvider(serverDetailsList);
   }
 
   public static String makeSecureRef(String url) {
@@ -165,8 +168,8 @@ private static boolean isLocal(String url) {
 
       // Check if this URL matches a configured server with allowHttp: true
       // This allows HTTP for trusted internal servers (e.g., Docker service names)
-      if (serverAuthDetails != null) {
-        for (ServerDetailsPOJO server : serverAuthDetails) {
+      if (serverDetailsList != null) {
+        for (ServerDetailsPOJO server : serverDetailsList) {
           if (server.getAllowHttp() != null && server.getAllowHttp() && server.getUrl() != null && !server.getUrl().isEmpty()) {
             // Match if the URL starts with the configured server URL
             if (url.startsWith(server.getUrl())) {

org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/http/ManagedWebAccess.java

@@ -2,23 +2,42 @@
 
 import org.hl7.fhir.utilities.settings.ServerDetailsPOJO;
 
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+
 public class ManagedWebAccessUtils {
 
   public static ServerDetailsPOJO getServer(Iterable<String> serverTypes, String url, Iterable<ServerDetailsPOJO> serverAuthDetails) {
     if (serverAuthDetails != null) {
       for (ServerDetailsPOJO serverDetails : serverAuthDetails) {
         for (String serverType : serverTypes) {
-        if (url.startsWith(serverDetails.getUrl()) && typesMatch(serverType, serverDetails.getType())) {
-          return serverDetails;
-        }
+          if (url.startsWith(serverDetails.getUrl()) && typesMatch(serverType, serverDetails.getType())) {
+            return serverDetails;
+          }
         }
       }
     }
     return null;
   }
 
+  public static ServerDetailsPOJO getServer(String url, Iterable<ServerDetailsPOJO> serverAuthDetails) {
+    if (serverAuthDetails != null) {
+      for (ServerDetailsPOJO serverDetails : serverAuthDetails) {
+          if (url.startsWith(serverDetails.getUrl())) {
+            return serverDetails;
+          }
+      }
+    }
+    return null;
+  }
+
   private static boolean typesMatch(String criteria, String value) {
     return criteria == null || value == null || criteria.equals(value);
   }
 
+  public static byte[] getEncodedBasicAuth(String providedUsername, String providedPassword) {
+    String auth = providedUsername + ":" + providedPassword;
+    return Base64.getEncoder().encode(auth.getBytes(StandardCharsets.UTF_8));
+  }
+
 }