google / fhir-access-proxy Goto Github PK
View Code? Open in Web Editor NEWA generic proxy server for applying access-control policies for a FHIR-store.
License: Other
A generic proxy server for applying access-control policies for a FHIR-store.
License: Other
We should track and expose test-coverage data publicly. A long time ago, we used Codecov for the Analytics repo but we need to check the spectrum of possible options now again. This is also related to #98 and what we choose for continuously running our tests.
For post-processing and updating the list of patients, we rely on full resources to be returned from the server. We should not rely on the FHIR store default config and instead set the "Prefer" header as described in the spec.
We currently have support for extracting patient IDs from a request URL (or a Bundle) and the idea is that the AccessChecker
decides whether to grant access based on those patient IDs. One implication of this is that for example to fetch an Observation by ID, the client needs to provide the corresponding patient
query parameter as well. To support directly fetch/mutate a resource by ID, we can first fetch that resource from the server, extract the patient from it (based on patient compartment) and then decide. This is a useful feature to be implemented in the shared library in the server
module.
Parent bug - #108
ONA enabled preprocessing of request for an access decision - opensrp@09584ef.
We wanted to support Query rewrite option in the design doc - https://github.com/google/fhir-gateway/blob/main/doc/design.md
Parent Issue - #108
We currently do not support DELETE
operations in the access-checkers; we should fix this.
It's currently a P3 because it is not clear how important it is for the immediate use-cases we know of.
Right now, in many error cases, we send large stack-traces to the client. This is probably of little value to the proxy user and the proxy developer should have access to the logs (which is were these traces are already printed and should be kept).
PatientFinder is an important interface for developers implementing access checkers. Create a page for how to use PatientFinder specifically.
Parent issue - #108
Provide a resource finder for processing bundles similar to ONA's implementation - Resource finder.
The current architecture assumes that any request to the gateway is eventually passed to the FHIR server for returning a response. There are use-cases where we may want to support custom (non-FHIR) endpoints, e.g., in the context of sync as mentioned in #122. There are different ways to support this. We should first evaluate the requirements for this feature and make a conscious decision whether to support it. If the answer is yes, we should have a mini-design to close this issue.
Parent issue - #108
ONA's implementation - opensrp@55bb437
The main job of the proxy is to relay FHIR calls from the client to the FHIR store server. But there are cases that a new FHIR API call is initiated by the proxy, e.g., to check existence of a patient, checking/patching access List resource, etc. For these cases, instead of handcrafting the query, we should use a FHIR library like HAPI FHIR client.
We use HAPI in a few different situations - end-to-end testing (automatic & manual) and for illustrative purposes.
The one in Gateway is nice because it has data preloaded into it.
But, the one in Data-pipes is not as nice because you have to run the uploader. And we cannot use the one in Gateway because data-pipes depends on having Postgres as the underlying database.
Suggestion:
Proxy is always setting the response content type to a default header - proxyResponse.getResponseWriter
We are ignoring the Accept header sent by the client.
We expect the FHIR response to be in JSON. If we send application/xml then this will break the code.
fhir-access-proxy/plugins/src/main/java/com/google/fhir/proxy/plugin/AccessGrantedAndUpdateList.java
I tried the create Patient API with "Accept: application/fhir+xml" and I get this error in AccessGrantedAndUpdateList "Content does not appear to be FHIR JSON, first non-whitespace character was: "
We need to add support for client specified Accept header and return the corresponding Content-type
If there is an error in a FHIR API call, we currently do not pass the HTTP response entity body to the client.
Current:
When an invalid or malformed access token is sent in the header, it returns 500 Internal Server Error.
Expected:
When an invalid or malformed access token is sent in the header, it should return 401 Unauthorized Access.
cc: @bashir2
Currently we keep many of the default claims in the sample Keycloak config. This is confusing to the users who try the gateway for the first time. We should clean-up these default tokens and remove most of the optional/unnecessary claims.
We should revisit what headers we pass to the FHIR store; in particular missing If-Match
and ETag
is currently a bug. In general, we should make sure all FHIR related headers are passed to the FHIR store or dropped for good reasons.
In reference to the conversation here in PR , remove the duplicated logic of Bundle processing in PatientAccessChecker. Possibly refactor any Bundle processing related code in other AccessCheckers as well.
Idea is to create a separate abstraction for Bundle processing which can be used by different implementations like PatientFinder and for any specific implementation of Bundle processing in the AccessCheckers.
We need to update the original design doc and create a public version of it.
As of now, the AllowedQueriesChecker
only checks for by-passing any access based checks on a request by the request path. However, in case of a bundled request, we should allow the same checks for by-passing on each bundle entry request.
Create a sample plugin in fhir-app-examples using our maven artifact to build new plugins.
Currently in PatientAccessChecker we do not apply the SoF scope constraints. We need to support patient/*.*
scopes as this AccessChecker
is intended to honor patient launch/scopes scenarios in the SoF spec.
Parent Issue - #103
We need to release all the changes to maven to allow partners to use the latest Fhir gateway changes.
http://hl7.org/fhir/http.html#upsert
Add support for update as create operations in the existing Access Checkers:
Design an access control model which can solve requirements for location/role based access control from different partners.
Parent issue - #103
Parent - #108
ONA requires capability to allow access without a valid access tokens for some APIs. We should allow unauthenticated allowed queries.
This is used to fetch Composition and some Binary resources before login.
.
Current
When user access is denied, an error code of 401 is thrown.
Expected
It should return 403 Forbidden error message to the unauthorized user.
It worked by:
Updating exception to ForbiddenOperationException.class instead of throwing AuthenticationException.class in
https://github.com/google/fhir-access-proxy/blob/3bf8a400e257f234f677154442f63570cd131307/server/src/main/java/com/google/fhir/proxy/BearerAuthorizationInterceptor.java#L238
cc : @bashir2
We need to have a clear recommendation on how to use the access-proxy core for users who develop their own AccessChecker
plugin. As part of this exercise we should create our own release process, possibly including pushing binary artifacts to a binary repository. The users, should not need to fork the server code.
Reported by @omarismail94 :
When we send a Bundle, we load the entire response in memory. Depending on the maximum size, this might cause memory issues for the proxy.
See the BearerAuthorizationInterceptor.replaceAndCopyResponse
method as a way to avoid this by using a StringReader
.
Sounds like we're switching to either FHIR-info-gateway or maybe just FHIR-gateway. In which case, we should be updating various parts of the docs & diagrams in here, like this on here:
https://github.com/google/fhir-access-proxy/
May need to update package / repo names, etc.
This can wait for a fast follow.
We currently use Kokoro for our e2e test-infra. The main drawback of this is that it depends on some [Google] internal tools/config. We should evaluate other options like Cloud-Build or GitHub-Actions and possibly switch to one of those.
This issue does not seem to be relevant to this repo; closing.
Originally posted by @bashir2 in #9 (comment)
ONA has created a forked repo - https://github.com/opensrp/fhir-access-proxy
They have updated the server and the added their plugin.
We should try to bring the server changes to the main repo and help them to just created their plugin using the released maven release for the server.
Sub-issues:
We should support "gzip" encoding for fetching responses from the FHIR resource server, as this is crucial towards optimising for network bandwidth. The client can tell the server that it can accept the "gzip" encoding with Accept-Encoding
header value
HAPI
should be used for generic FHIR servers; it would be good to name the option to something more generic as well.
Currently, if the post-processing step fails, it is possible that a Patient resource might be added but its ID is not added to the access list.
We added support to mutate query params for GET Http method in #122
Currently there is no requirement for supporting mutates for the post body.
We intentionally wanted to restrict any random mutation to the payload by the gateway.
This might be required for Search by POST. We can think of supporting this after we fix #87
We should re-evaluate this in future based on the client requirements.
http://hl7.org/fhir/http.html#search
Add support for POST based search in the existing Access Checkers:
We have had several important features over the last few months and that warrants a new release; namely:
AllowedQueriesChecker
Reported by @omarismail94
The proxy does not support having ORs in search parameters.
If I do a direct request to GCP FHIR Store, it works:
curl -X GET -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
"https://healthcare.googleapis.com/v1alpha2/projects/[PROJECT]/locations/us/datasets/[DATASET]/fhirStores/gcs-data/fhir/Observation?_id=3f6cb1cf-2c0d-739d-0790-5ab8a26daf2e&subject=Patient/92a950eb-6aae-0e82-c297-d91585b22edf,performer=Patient/123"
If I send the same to proxy, I get an error saying that the patient id cannot be found.
Also we should turn any request that has searches that contain OR, e.g. subject=P1,P2 into an access check for both P1 AND P2, i.e. client should have access to P1 and P2.
Any practical Healthcare solution needs some form of Role based access control and also limit the access based on the primary location, organization, careteam of a practitioner.
We should support a configurable access checker to ease onboarding process for our partners.
Blocked on
Parent Issue - #108
While running through the fhir-app-examples instructions, William and I noticed that the instructions make references to the following docker images:
us-docker.pkg.dev/fhir-proxy-build/stable/fhir-access-proxy:latest
Two things here.
Reported by @omarismail94:
Right now, we only support Transaction bundles. Look into supporting batch bundles.
Update @bashir2:
Marking this as P3 until we have a specific use-case that needs it.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.