support for introspect "sub" missing base URL and/or resource type wh…

…en fully-qualiied "fhirUser" is available as a fallback
OHSUCMP · Dec 2, 2024 · 22bdd2b · 22bdd2b
1 parent 3869e28
commit 22bdd2b
Show file tree

Hide file tree

Showing 4 changed files with 620 additions and 5 deletions.
diff --git a/pom.xml b/pom.xml
@@ -372,13 +372,11 @@
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter-api</artifactId>
-            <version>5.7.2</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter-engine</artifactId>
-            <version>5.7.2</version>
             <scope>test</scope>
         </dependency>
 

diff --git a/src/main/java/edu/ohsu/cmp/ecp/sds/SupplementalDataStoreAuthBase.java b/src/main/java/edu/ohsu/cmp/ecp/sds/SupplementalDataStoreAuthBase.java
@@ -1,5 +1,7 @@
 package edu.ohsu.cmp.ecp.sds;
 
+import java.util.function.Consumer;
+
 import org.hl7.fhir.instance.model.api.IIdType;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -80,8 +82,14 @@ private LaunchContext launchContextFromAuthentication(Authentication authenticat
 		if (null == contextPatient)
 			return null;
 
-
-		IIdType contextPatientId = idFromContextParameter( contextPatient.toString() ).withResourceType( "Patient" ) ;
+		IIdType contextPatientId =
+			coerceToResourceType(
+				idFromContextParameter( contextPatient.toString() ),
+				"Patient",
+				(actualResourceType) -> {
+					throw new AuthenticationException(Msg.code(644) + "Launch Context Patient \"" + contextPatient + "\" must be the id of a patient, but found a resource type of \"" + actualResourceType + "\"");
+				}
+			) ;
 		IIdType fullyQualifiedContextPatientId = fullyQualifiedContextPatientId( contextPatientId, oauth2Principal );
 
 		return new LaunchContext() {
@@ -94,6 +102,20 @@ public IIdType getPatient() {
 		};
 	}
 
+	private static IIdType coerceToResourceType( IIdType id, String resourceType, Consumer<String> onResourceTypeMismatch ) {
+		if ( id.hasResourceType() ) {
+			if ( null != onResourceTypeMismatch && !resourceType.equals( id.getResourceType() ) ) {
+				onResourceTypeMismatch.accept( id.getResourceType() ) ;
+			}
+		}
+
+		if ( id.hasBaseUrl() ) {
+			return id.withServerBase( id.getBaseUrl(), resourceType ) ;
+		} else {
+			return id.withResourceType( resourceType ) ;
+		}
+	}
+
 	private IIdType fullyQualifiedContextPatientId( IIdType contextPatientId, OAuth2AuthenticatedPrincipal oauth2Principal ) {
 		if ( contextPatientId.hasBaseUrl() )
 			return contextPatientId ;