Merge remote-tracking branch 'origin/post_spring_school_cleanup' into

hhund · hhund · commit 96f54aa6d6d4 · 2025-04-15T07:58:13.000+02:00
develop_2
diff --git a/dsf-bpe/dsf-bpe-process-api-v2-impl/src/main/java/dev/dsf/bpe/v2/spring/ApiServiceConfig.java b/dsf-bpe/dsf-bpe-process-api-v2-impl/src/main/java/dev/dsf/bpe/v2/spring/ApiServiceConfig.java
@@ -93,7 +93,6 @@ public class ApiServiceConfig
 	@Autowired
 	private BpeOidcClientProvider bpeOidcClientProvider;
 
-
 	@Bean
 	public ProcessPluginApi processPluginApiV2()
 	{
diff --git a/dsf-bpe/dsf-bpe-process-api-v2/src/main/java/dev/dsf/bpe/v2/constants/CodeSystems.java b/dsf-bpe/dsf-bpe-process-api-v2/src/main/java/dev/dsf/bpe/v2/constants/CodeSystems.java
@@ -500,4 +500,52 @@ public static final boolean isDsfAdmin(Coding coding)
 			return isSame(SYSTEM, Codes.DSF_ADMIN, coding);
 		}
 	}
+
+	public static final class ReadAccessTag
+	{
+		private ReadAccessTag()
+		{
+		}
+
+		public static final String SYSTEM = "http://dsf.dev/fhir/CodeSystem/read-access-tag";
+
+		public static Coding withCode(String code)
+		{
+			return new Coding().setSystem(SYSTEM).setCode(code);
+		}
+
+		public static final class Codes
+		{
+			private Codes()
+			{
+			}
+
+			public static final String LOCAL = "LOCAL";
+			public static final String ORGANIZATION = "ORGANIZATION";
+			public static final String ROLE = "ROLE";
+			public static final String ALL = "ALL";
+		}
+
+		public static final Coding local()
+		{
+			return new Coding(SYSTEM, Codes.LOCAL, "Read access for local users");
+		}
+
+		public static final Coding organization()
+		{
+			return new Coding(SYSTEM, Codes.ORGANIZATION,
+					"Read access for organization specified via extension http://dsf.dev/fhir/StructureDefinition/extension-read-access-organization");
+		}
+
+		public static final Coding role()
+		{
+			return new Coding(SYSTEM, Codes.ROLE,
+					"Read access for member organizations with role in consortium (parent organization) specified via extension http://dsf.dev/fhir/StructureDefinition/extension-read-access-consortium-role");
+		}
+
+		public static final Coding all()
+		{
+			return new Coding(SYSTEM, Codes.ALL, "Read access for remote and local users");
+		}
+	}
 }
diff --git a/dsf-bpe/dsf-bpe-process-api-v2/src/main/java/dev/dsf/bpe/v2/spring/ActivityPrototypeBeanCreator.java b/dsf-bpe/dsf-bpe-process-api-v2/src/main/java/dev/dsf/bpe/v2/spring/ActivityPrototypeBeanCreator.java
@@ -17,7 +17,7 @@
 
 /**
  * Helper class to register {@link Activity}s as prototype beans. Must be configured as a <code>static</code>
- * {@link Bean} inside a {@link Configuration} classes.
+ * {@link Bean} inside a {@link Configuration} class.
  * <p>
  * Usage:
  * <p>
diff --git a/dsf-bpe/dsf-bpe-server/src/main/resources/bpe/api/v1/allowed-bpe-classes.list b/dsf-bpe/dsf-bpe-server/src/main/resources/bpe/api/v1/allowed-bpe-classes.list
@@ -18,15 +18,18 @@ org.camunda.bpm.engine.ProcessEngine
 org.camunda.bpm.engine.RuntimeService
 org.camunda.bpm.engine.variable
 org.camunda.bpm.model.bpmn.instance
+org.joda.time
 org.glassfish.jersey
 org.slf4j.Logger
 org.slf4j.LoggerFactory
 org.springframework.beans
 org.springframework.cglib
 org.springframework.context
+org.springframework.core
 org.springframework.lang
 org.springframework.util
 org.springframework.web.util.UriComponents
 org.springframework.web.util.UriComponentsBuilder
 org.w3c.dom
-org.xml.sax
+org.xml.sax
+sun.misc.Unsafe
diff --git a/dsf-bpe/dsf-bpe-server/src/main/resources/bpe/api/v2/allowed-bpe-classes.list b/dsf-bpe/dsf-bpe-server/src/main/resources/bpe/api/v2/allowed-bpe-classes.list
@@ -28,6 +28,7 @@ org.slf4j.LoggerFactory
 org.springframework.beans
 org.springframework.cglib
 org.springframework.context
+org.springframework.core
 org.springframework.lang
 org.springframework.util
 org.w3c.dom
diff --git a/dsf-bpe/dsf-bpe-test-plugin-v2/src/main/java/dev/dsf/bpe/test/json/JsonPojo.java b/dsf-bpe/dsf-bpe-test-plugin-v2/src/main/java/dev/dsf/bpe/test/json/JsonPojo.java
@@ -1,34 +1,14 @@
 package dev.dsf.bpe.test.json;
 
 import com.fasterxml.jackson.annotation.JsonCreator;
-import com.fasterxml.jackson.annotation.JsonGetter;
 import com.fasterxml.jackson.annotation.JsonProperty;
 
-public class JsonPojo
+public record JsonPojo(@JsonProperty("value-1") String value1, @JsonProperty("value-2") String value2)
 {
-	@JsonProperty("value-1")
-	private final String value1;
-
-	@JsonProperty("value-2")
-	private final String value2;
-
 	@JsonCreator
 	public JsonPojo(@JsonProperty("value-1") String value1, @JsonProperty("value-2") String value2)
 	{
 		this.value1 = value1;
 		this.value2 = value2;
 	}
-
-	@JsonGetter
-	public String getValue1()
-	{
-		return value1;
-	}
-
-	@JsonGetter
-	public String getValue2()
-	{
-		return value2;
-	}
-
 }
diff --git a/dsf-bpe/dsf-bpe-test-plugin-v2/src/main/java/dev/dsf/bpe/test/service/JsonVariableTestGet.java b/dsf-bpe/dsf-bpe-test-plugin-v2/src/main/java/dev/dsf/bpe/test/service/JsonVariableTestGet.java
@@ -25,8 +25,8 @@ public void getJsonVariable(Variables variables) throws Exception
 		JsonPojo variable = variables.getVariable(JsonVariableTestSet.JSON_VARIABLE);
 
 		expectNotNull(variable);
-		expectSame(JsonVariableTestSet.TEST_VALUE_1, variable.getValue1());
-		expectSame(JsonVariableTestSet.TEST_VALUE_2, variable.getValue2());
+		expectSame(JsonVariableTestSet.TEST_VALUE_1, variable.value1());
+		expectSame(JsonVariableTestSet.TEST_VALUE_2, variable.value2());
 	}
 
 	@PluginTest
diff --git a/dsf-common/dsf-common-jetty/src/main/java/dev/dsf/common/auth/BackChannelLogoutAuthenticator.java b/dsf-common/dsf-common-jetty/src/main/java/dev/dsf/common/auth/BackChannelLogoutAuthenticator.java
@@ -4,7 +4,6 @@
 import java.util.Objects;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
-import java.util.concurrent.ExecutionException;
 
 import org.eclipse.jetty.http.HttpHeader;
 import org.eclipse.jetty.http.HttpMethod;
@@ -91,60 +90,55 @@ private boolean isContentTypeFormEncoded(Request request)
 	public AuthenticationState validateRequest(Request request, Response response, Callback callback)
 			throws ServerAuthException
 	{
-		try
+
+		Fields formFields = FormFields.getFields(request);
+		Field logoutTokenField = formFields.get("logout_token");
+
+		if (logoutTokenField == null || logoutTokenField.getValues().size() != 1)
 		{
-			Fields formFields = FormFields.from(request).get();
-			Field logoutTokenField = formFields.get("logout_token");
+			Response.writeError(request, response, callback, HttpStatus.FORBIDDEN_403);
+			return AuthenticationState.SEND_FAILURE;
+		}
 
-			if (logoutTokenField == null || logoutTokenField.getValues().size() != 1)
+		Algorithm algorithm = Algorithm.RSA256(openIdConfiguration.getRsaKeyProvider());
+		JWTVerifier verifier = JWT.require(algorithm).withIssuer(openIdConfiguration.getIssuer())
+				.withAudience(openIdConfiguration.getClientId()).acceptLeeway(1)
+				.withClaim("events",
+						(claim, jwt) -> claim.asMap().containsKey("http://schemas.openid.net/event/backchannel-logout"))
+				.build();
+
+		try
+		{
+			DecodedJWT jwt = verifier.verify(logoutTokenField.getValue());
+			if (!jwt.getClaims().containsKey("sub") && !jwt.getClaims().containsKey("sid"))
 			{
-				Response.writeError(request, response, callback, HttpStatus.FORBIDDEN_403);
+				logger.warn("Logout Token has no sub and no sid claim");
+				Response.writeError(request, response, callback, HttpStatus.BAD_REQUEST_400);
 				return AuthenticationState.SEND_FAILURE;
 			}
 
-			Algorithm algorithm = Algorithm.RSA256(openIdConfiguration.getRsaKeyProvider());
-			JWTVerifier verifier = JWT.require(algorithm).withIssuer(openIdConfiguration.getIssuer())
-					.withAudience(openIdConfiguration.getClientId()).acceptLeeway(1).withClaim("events", (claim,
-							jwt) -> claim.asMap().containsKey("http://schemas.openid.net/event/backchannel-logout"))
-					.build();
+			logger.debug("logout token claims: {}", jwt.getClaims());
 
-			try
-			{
-				DecodedJWT jwt = verifier.verify(logoutTokenField.getValue());
-				if (!jwt.getClaims().containsKey("sub") && !jwt.getClaims().containsKey("sid"))
-				{
-					logger.warn("Logout Token has no sub and no sid claim");
-					Response.writeError(request, response, callback, HttpStatus.BAD_REQUEST_400);
-					return AuthenticationState.SEND_FAILURE;
-				}
-
-				logger.debug("logout token claims: {}", jwt.getClaims());
+			String sub = jwt.getClaim("sub").asString();
+			String sid = jwt.getClaim("sid").asString();
 
-				String sub = jwt.getClaim("sub").asString();
-				String sid = jwt.getClaim("sid").asString();
+			logger.debug("Invalidating session for sub/sid {}/{}", sub, sid);
 
-				logger.debug("Invalidating session for sub/sid {}/{}", sub, sid);
+			HttpSession sessionBySub = sessionsBySub.get(sub);
+			if (sessionBySub != null)
+				sessionBySub.invalidate();
 
-				HttpSession sessionBySub = sessionsBySub.get(sub);
-				if (sessionBySub != null)
-					sessionBySub.invalidate();
+			// session will have been removed if found by sub and invalidated
+			HttpSession sessionBySid = sessionsBySid.get(sid);
+			if (sessionBySid != null)
+				sessionBySid.invalidate();
 
-				// session will have been removed if found by sub and invalidated
-				HttpSession sessionBySid = sessionsBySid.get(sid);
-				if (sessionBySid != null)
-					sessionBySid.invalidate();
-
-				return AuthenticationState.SEND_SUCCESS;
-			}
-			catch (JWTVerificationException e)
-			{
-				Response.writeError(request, response, callback, HttpStatus.BAD_REQUEST_400);
-				return AuthenticationState.SEND_FAILURE;
-			}
+			return AuthenticationState.SEND_SUCCESS;
 		}
-		catch (InterruptedException | ExecutionException e)
+		catch (JWTVerificationException e)
 		{
-			throw new ServerAuthException(e);
+			Response.writeError(request, response, callback, HttpStatus.BAD_REQUEST_400);
+			return AuthenticationState.SEND_FAILURE;
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,6 @@ public class ApiServiceConfig`
`93`	`93`	`@Autowired`
`94`	`94`	`private BpeOidcClientProvider bpeOidcClientProvider;`
`95`	`95`
`96`		`-`
`97`	`96`	`@Bean`
`98`	`97`	`public ProcessPluginApi processPluginApiV2()`
`99`	`98`	`{`
Original file line number	Diff line number	Diff line change
`@@ -25,8 +25,8 @@ public void getJsonVariable(Variables variables) throws Exception`
`25`	`25`	`JsonPojo variable = variables.getVariable(JsonVariableTestSet.JSON_VARIABLE);`
`26`	`26`
`27`	`27`	`expectNotNull(variable);`
`28`		`- expectSame(JsonVariableTestSet.TEST_VALUE_1, variable.getValue1());`
`29`		`- expectSame(JsonVariableTestSet.TEST_VALUE_2, variable.getValue2());`
	`28`	`+ expectSame(JsonVariableTestSet.TEST_VALUE_1, variable.value1());`
	`29`	`+ expectSame(JsonVariableTestSet.TEST_VALUE_2, variable.value2());`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`@PluginTest`