Merge pull request #2675 from IBM/lee-main-2

lmsurpre · web-flow · commit d0545fbe546e · 2021-08-11T10:10:14.000-04:00
Add support for user/ scopes
diff --git a/fhir-smart/src/main/java/com/ibm/fhir/smart/AuthzPolicyEnforcementPersistenceInterceptor.java b/fhir-smart/src/main/java/com/ibm/fhir/smart/AuthzPolicyEnforcementPersistenceInterceptor.java
@@ -436,6 +436,16 @@ private boolean isAllowed(Resource resource, Set<String> contextIds, Permission
                 // Then group the scopes by their context type
                 .collect(Collectors.groupingBy(s -> s.getContextType()));
 
+        if (approvedScopeMap.containsKey(ContextType.USER)) {
+            // For `user` scopes, we grant access to all resources of the requested type.
+            // Implementers that use these scopes are encouraged to layer on their own permissions model beyond this.
+            if (log.isLoggable(Level.FINE)) {
+                log.fine(requiredPermission.value() + " permission for '" + resourceType + "/" + resource.getId() +
+                    "' is granted via scope " + approvedScopeMap.get(ContextType.USER));
+            }
+            return true;
+        }
+
         if (approvedScopeMap.containsKey(ContextType.PATIENT)) {
             if (resource instanceof Provenance) {
                 // Addressed for issue #1881, Provenance is a special-case:  a Patient-compartment resource type that
@@ -476,10 +486,6 @@ private boolean isAllowed(Resource resource, Set<String> contextIds, Permission
             return isInCompartment(resource, CompartmentType.PATIENT, contextIds);
         }
 
-        if (approvedScopeMap.containsKey(ContextType.USER)) {
-            throw new UnsupportedOperationException("SMART scopes with context type 'user' are not yet supported.");
-        }
-
         return false;
     }
 
diff --git a/fhir-smart/src/test/java/com/ibm/fhir/smart/test/AuthzPolicyEnforcementTest.java b/fhir-smart/src/test/java/com/ibm/fhir/smart/test/AuthzPolicyEnforcementTest.java
@@ -778,6 +778,7 @@ public static Object[][] scopeStrings() {
         final Set<ResourceType.Value> provenance = Collections.singleton(PROVENANCE);
 
         return new Object[][] {
+            //String scopeString, Set<ResourceType.Value> resourceTypesPermittedByScope, Permission permission
             {"patient/*.*", all_resources, Permission.ALL},
             {"patient/*.read", all_resources, Permission.READ},
             {"patient/*.write", all_resources, Permission.WRITE},
@@ -798,6 +799,10 @@ public static Object[][] scopeStrings() {
 
             {"patient/Patient.read patient/Observation.read", union(patient, observation), Permission.READ},
 
+            {"user/*.*", all_resources, Permission.ALL},
+            {"user/Patient.read", patient, Permission.READ},
+            {"user/Observation.write", observation, Permission.WRITE},
+
             {"openid profile", Collections.EMPTY_SET, null},
         };
     }
