google / fhir-access-proxy Goto Github PK
View Code? Open in Web Editor NEWA generic proxy server for applying access-control policies for a FHIR-store.
License: Other
A generic proxy server for applying access-control policies for a FHIR-store.
License: Other
The main job of the proxy is to relay FHIR calls from the client to the FHIR store server. But there are cases that a new FHIR API call is initiated by the proxy, e.g., to check existence of a patient, checking/patching access List resource, etc. For these cases, instead of handcrafting the query, we should use a FHIR library like HAPI FHIR client.
Design an access control model which can solve requirements for location/role based access control from different partners.
Parent issue - #103
http://hl7.org/fhir/http.html#upsert
Add support for update as create operations in the existing Access Checkers:
Parent bug - #108
ONA enabled preprocessing of request for an access decision - opensrp@09584ef.
We wanted to support Query rewrite option in the design doc - https://github.com/google/fhir-gateway/blob/main/doc/design.md
We need to update the original design doc and create a public version of it.
Right now, in many error cases, we send large stack-traces to the client. This is probably of little value to the proxy user and the proxy developer should have access to the logs (which is were these traces are already printed and should be kept).
If there is an error in a FHIR API call, we currently do not pass the HTTP response entity body to the client.
Create a sample plugin in fhir-app-examples using our maven artifact to build new plugins.
We need to release all the changes to maven to allow partners to use the latest Fhir gateway changes.
We currently use Kokoro for our e2e test-infra. The main drawback of this is that it depends on some [Google] internal tools/config. We should evaluate other options like Cloud-Build or GitHub-Actions and possibly switch to one of those.
Sounds like we're switching to either FHIR-info-gateway or maybe just FHIR-gateway. In which case, we should be updating various parts of the docs & diagrams in here, like this on here:
https://github.com/google/fhir-access-proxy/
May need to update package / repo names, etc.
This can wait for a fast follow.
Reported by @omarismail94
The proxy does not support having ORs in search parameters.
If I do a direct request to GCP FHIR Store, it works:
curl -X GET -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
"https://healthcare.googleapis.com/v1alpha2/projects/[PROJECT]/locations/us/datasets/[DATASET]/fhirStores/gcs-data/fhir/Observation?_id=3f6cb1cf-2c0d-739d-0790-5ab8a26daf2e&subject=Patient/92a950eb-6aae-0e82-c297-d91585b22edf,performer=Patient/123"
If I send the same to proxy, I get an error saying that the patient id cannot be found.
Also we should turn any request that has searches that contain OR, e.g. subject=P1,P2 into an access check for both P1 AND P2, i.e. client should have access to P1 and P2.
Current
When user access is denied, an error code of 401 is thrown.
Expected
It should return 403 Forbidden error message to the unauthorized user.
It worked by:
Updating exception to ForbiddenOperationException.class instead of throwing AuthenticationException.class in
https://github.com/google/fhir-access-proxy/blob/3bf8a400e257f234f677154442f63570cd131307/server/src/main/java/com/google/fhir/proxy/BearerAuthorizationInterceptor.java#L238
cc : @bashir2
For post-processing and updating the list of patients, we rely on full resources to be returned from the server. We should not rely on the FHIR store default config and instead set the "Prefer" header as described in the spec.
We currently have support for extracting patient IDs from a request URL (or a Bundle) and the idea is that the AccessChecker
decides whether to grant access based on those patient IDs. One implication of this is that for example to fetch an Observation by ID, the client needs to provide the corresponding patient
query parameter as well. To support directly fetch/mutate a resource by ID, we can first fetch that resource from the server, extract the patient from it (based on patient compartment) and then decide. This is a useful feature to be implemented in the shared library in the server
module.
Currently in PatientAccessChecker we do not apply the SoF scope constraints. We need to support patient/*.*
scopes as this AccessChecker
is intended to honor patient launch/scopes scenarios in the SoF spec.
Parent issue - #108
Provide a resource finder for processing bundles similar to ONA's implementation - Resource finder.
http://hl7.org/fhir/http.html#search
Add support for POST based search in the existing Access Checkers:
We should track and expose test-coverage data publicly. A long time ago, we used Codecov for the Analytics repo but we need to check the spectrum of possible options now again. This is also related to #98 and what we choose for continuously running our tests.
Currently, if the post-processing step fails, it is possible that a Patient resource might be added but its ID is not added to the access list.
HAPI
should be used for generic FHIR servers; it would be good to name the option to something more generic as well.
We should support "gzip" encoding for fetching responses from the FHIR resource server, as this is crucial towards optimising for network bandwidth. The client can tell the server that it can accept the "gzip" encoding with Accept-Encoding
header value
Reported by @omarismail94 :
When we send a Bundle, we load the entire response in memory. Depending on the maximum size, this might cause memory issues for the proxy.
See the BearerAuthorizationInterceptor.replaceAndCopyResponse
method as a way to avoid this by using a StringReader
.
Current:
When an invalid or malformed access token is sent in the header, it returns 500 Internal Server Error.
Expected:
When an invalid or malformed access token is sent in the header, it should return 401 Unauthorized Access.
cc: @bashir2
Parent Issue - #108
The current architecture assumes that any request to the gateway is eventually passed to the FHIR server for returning a response. There are use-cases where we may want to support custom (non-FHIR) endpoints, e.g., in the context of sync as mentioned in #122. There are different ways to support this. We should first evaluate the requirements for this feature and make a conscious decision whether to support it. If the answer is yes, we should have a mini-design to close this issue.
Currently we keep many of the default claims in the sample Keycloak config. This is confusing to the users who try the gateway for the first time. We should clean-up these default tokens and remove most of the optional/unnecessary claims.
We currently do not support DELETE
operations in the access-checkers; we should fix this.
It's currently a P3 because it is not clear how important it is for the immediate use-cases we know of.
Proxy is always setting the response content type to a default header - proxyResponse.getResponseWriter
We are ignoring the Accept header sent by the client.
We expect the FHIR response to be in JSON. If we send application/xml then this will break the code.
fhir-access-proxy/plugins/src/main/java/com/google/fhir/proxy/plugin/AccessGrantedAndUpdateList.java
I tried the create Patient API with "Accept: application/fhir+xml" and I get this error in AccessGrantedAndUpdateList "Content does not appear to be FHIR JSON, first non-whitespace character was: "
We need to add support for client specified Accept header and return the corresponding Content-type
In reference to the conversation here in PR , remove the duplicated logic of Bundle processing in PatientAccessChecker. Possibly refactor any Bundle processing related code in other AccessCheckers as well.
Idea is to create a separate abstraction for Bundle processing which can be used by different implementations like PatientFinder and for any specific implementation of Bundle processing in the AccessCheckers.
Reported by @omarismail94:
Right now, we only support Transaction bundles. Look into supporting batch bundles.
Update @bashir2:
Marking this as P3 until we have a specific use-case that needs it.
As of now, the AllowedQueriesChecker
only checks for by-passing any access based checks on a request by the request path. However, in case of a bundled request, we should allow the same checks for by-passing on each bundle entry request.
Parent - #108
ONA requires capability to allow access without a valid access tokens for some APIs. We should allow unauthenticated allowed queries.
This is used to fetch Composition and some Binary resources before login.
We need to have a clear recommendation on how to use the access-proxy core for users who develop their own AccessChecker
plugin. As part of this exercise we should create our own release process, possibly including pushing binary artifacts to a binary repository. The users, should not need to fork the server code.
This issue does not seem to be relevant to this repo; closing.
Originally posted by @bashir2 in #9 (comment)
Parent Issue - #103
Any practical Healthcare solution needs some form of Role based access control and also limit the access based on the primary location, organization, careteam of a practitioner.
We should support a configurable access checker to ease onboarding process for our partners.
Blocked on
ONA has created a forked repo - https://github.com/opensrp/fhir-access-proxy
They have updated the server and the added their plugin.
We should try to bring the server changes to the main repo and help them to just created their plugin using the released maven release for the server.
Sub-issues:
We should revisit what headers we pass to the FHIR store; in particular missing If-Match
and ETag
is currently a bug. In general, we should make sure all FHIR related headers are passed to the FHIR store or dropped for good reasons.
.
We added support to mutate query params for GET Http method in #122
Currently there is no requirement for supporting mutates for the post body.
We intentionally wanted to restrict any random mutation to the payload by the gateway.
This might be required for Search by POST. We can think of supporting this after we fix #87
We should re-evaluate this in future based on the client requirements.
While running through the fhir-app-examples instructions, William and I noticed that the instructions make references to the following docker images:
us-docker.pkg.dev/fhir-proxy-build/stable/fhir-access-proxy:latest
Two things here.
We have had several important features over the last few months and that warrants a new release; namely:
AllowedQueriesChecker
Parent Issue - #108
Parent issue - #108
ONA's implementation - opensrp@55bb437
PatientFinder is an important interface for developers implementing access checkers. Create a page for how to use PatientFinder specifically.
We use HAPI in a few different situations - end-to-end testing (automatic & manual) and for illustrative purposes.
The one in Gateway is nice because it has data preloaded into it.
But, the one in Data-pipes is not as nice because you have to run the uploader. And we cannot use the one in Gateway because data-pipes depends on having Postgres as the underlying database.
Suggestion:
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.