Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Attribute based access controll support #499

Merged
merged 29 commits into from
May 19, 2021
Merged

Attribute based access controll support #499

merged 29 commits into from
May 19, 2021

Conversation

jakesmolka
Copy link
Contributor

@jakesmolka jakesmolka commented May 5, 2021
edited
Loading

Changes

  • Adds ABAC integration support
  • Adds integration tests (needs fresh DB and are disabled by default)

A lot of configuration possible. See application.yml for information.

For a meta-perspective see AbacIntegrationTest.java.

For the implementation itself the CustomMethodSecurityExpressionRoot.

The whole feature is rather huge and complex, so see https://wiki.vitagroup.ag/display/ETHERCIS/ABAC+Integration for a better overview.

Related issue

closes https://github.com/ehrbase/project_management/issues/505

Additional information and checks

  • Pull request linked in changelog
  • Create separate issue to add the ABAC tests to the CI pipeline
  • Push documentation to public readthedocs documentation (the documentation will just be added into the current structure, see https://github.com/ehrbase/project_management/issues/521)

@jakesmolka
Adds first ABAC integration concept
9e0054f
@jakesmolka
Adds ABAC PostAuthz composition concept workflow
607a056
@jakesmolka
Adds more concept work re ABAC
e89ff42
@jakesmolka
Adds refactored ABAC handling and SpEL expression
d57cfc8
@jakesmolka
Fixes oauth config
6f52777
@jakesmolka
Merge branch 'develop' of github.com:ehrbase/ehrbase into feature/505…
ba64f92 
…_abac
@jakesmolka
Adds abac preauth check
1ab1bad
@jakesmolka
Merge branch 'develop' of github.com:ehrbase/ehrbase into feature/505…
1df2042 
…_abac
@jakesmolka
Adds refactoring of ABAC handling
fc0fdf7
@jakesmolka
Adds ABAC checks REST endpoints.
396c15d
@jakesmolka
Adds ABAC checks for versioned_compo and DEL compo
8b1ae36
@jakesmolka
Fixes ABAC spring bean injection order
669db96
@jakesmolka
Adds ABAC post contribution handling
9e44165
@jakesmolka
Adds ABAC processing of POST query endpoint
7f97936
@jakesmolka
Adds ABAC integration tests
1c22534
@jakesmolka
Adds final ABAC integration tests
5a5c5bd
@jakesmolka
Merge branch 'develop' of github.com:ehrbase/ehrbase into feature/505…
d61f8de 
…_abac
@jakesmolka
Cleanup and changelog entry for ABAC
434d2af
@jakesmolka
Fixes ABAC OAuth roles
e909fa9
@jakesmolka
Fixes OAuth robot test
c47e2d4
@jakesmolka
Cleanup of ABAC feature
b67184e
@subigre subigre self-requested a review May 7, 2021 07:36
subigre
subigre reviewed May 7, 2021
View reviewed changes
application/src/main/java/org/ehrbase/application/abac/AbacCheck.java Outdated
.POST(BodyPublishers.ofString(requestBody))
.build();

return HttpClient.newHttpClient().send(request, BodyHandlers.ofString());
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is not directly linked to this task but as a potential (future?) improvement, I would suggest to that we could reuse the HttpClient instance configured through ClientConfiguration and ClientProperties.
I do not know i EHRbase requires other external accesses than ABAC server and remote terminology servers?
It could be nice to have common configurations for all HTTP clients. For instance, if EHRbase running behind an authenticated proxy or if an ABAC instance also requires two-way authentication.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added the foundation for this in the last commit. I does only allow to set a proxy yet, because I'm not sure how real auth requirements would look like. Can you recheck this too, and check if this is the direction you had in mind?

subigre
subigre reviewed May 7, 2021
View reviewed changes
application/src/main/java/org/ehrbase/application/config/SecurityConfig.java Outdated
@@ -30,6 +30,7 @@
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the readability and maintenance, I think that we should create separate configuration classes like : SecurityConfiguration, BasicSecurityConfigucation, OAuth2SecurityConfiguration
And we could enable the correct one using @ConditionalOnProperty annotation

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea! I refactored the config classes to be separated like you suggest. Can you check again if that looks okay?

subigre
subigre reviewed May 7, 2021
View reviewed changes
Copy link
Contributor

@subigre subigre left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please find my comments. There are mostly improvements and "cosmetic" changes

application/src/main/java/org/ehrbase/application/abac/MethodSecurityConfig.java Outdated Show resolved Hide resolved
application/src/main/java/org/ehrbase/application/abac/CustomMethodSecurityExpressionRoot.java Outdated Show resolved Hide resolved
application/src/main/java/org/ehrbase/application/abac/CustomMethodSecurityExpressionRoot.java Outdated Show resolved Hide resolved
application/src/main/java/org/ehrbase/application/abac/CustomMethodSecurityExpressionRoot.java Outdated Show resolved Hide resolved
...-openehr/src/main/java/org/ehrbase/rest/openehr/controller/OpenehrCompositionController.java Outdated Show resolved Hide resolved
rest-openehr/src/main/java/org/ehrbase/rest/openehr/controller/OpenehrDirectoryController.java Outdated Show resolved Hide resolved
rest-openehr/src/main/java/org/ehrbase/rest/openehr/controller/OpenehrEhrStatusController.java Outdated Show resolved Hide resolved
rest-openehr/src/main/java/org/ehrbase/rest/openehr/controller/OpenehrQueryController.java Outdated Show resolved Hide resolved
...r/src/main/java/org/ehrbase/rest/openehr/controller/OpenehrVersionedEhrStatusController.java Outdated Show resolved Hide resolved
...-openehr/src/main/java/org/ehrbase/rest/openehr/controller/OpenehrCompositionController.java Show resolved Hide resolved
subigre
subigre reviewed May 11, 2021
View reviewed changes
application/src/main/java/org/ehrbase/application/abac/AbacCheck.java Outdated
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.stereotype.Component;

@ConditionalOnProperty(name = "abac.enabled")
Copy link
Contributor

@subigre subigre May 11, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it is better to create the @bean in AbacConfig class in that specific case. I would say that @Component should be used for beans that are always created.
It is my own opinion and probably a personal preference .

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! I refactored it.

subigre
subigre reviewed May 11, 2021
View reviewed changes
application/src/main/java/org/ehrbase/application/config/HttpClientConfig.java
@Configuration
@EnableConfigurationProperties
@ConfigurationProperties(prefix = "httpclient")
public class HttpClientConfig {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Proxy settings was just an example but I am sad that you do not want to use mine ? 😄
https://github.com/ehrbase/ehrbase/blob/87bc85527da3eca9b3d135c38c0f94114731690a/service/src/main/java/org/ehrbase/configuration/client/HttpClientConfiguration.java

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh interesting, didn't knew it was there. I'm not sure now. Why is yours in the service package? In the end two different http client config are obviously not a good practice. But it feels wrong to pull that client from the service layer into my ABAC stuff.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since there was no activity for 7 days I extracted that into the following issue, so I can continue with this PR here.
https://github.com/ehrbase/project_management/issues/522

subigre
subigre approved these changes May 11, 2021
View reviewed changes
Copy link
Contributor

@subigre subigre left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good but I added two comments

@sonarcloud
Copy link

sonarcloud bot commented May 19, 2021

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 15 Code Smells

12.1% 12.1% Coverage
1.7% 1.7% Duplication

@jakesmolka jakesmolka merged commit ca3815c into develop May 19, 2021
@jakesmolka jakesmolka deleted the feature/505_abac branch May 19, 2021 12:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@subigre subigre subigre approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jakesmolka @subigre