PDP: Decode HTTP request parameters, normalize scope (dash-to-underscore) (#375)

Author: reinkrul

component/pdp/component.go

@@ -121,6 +121,8 @@ func (c *Component) HandleMainPolicy(w http.ResponseWriter, r *http.Request) {
 
 	// TODO: Implement support for multiple scopes
 	policy := qualifications[0]
+	// OPA doesn't support dashes in package and rule names, so we replace them with underscores.
+	policy = strings.ReplaceAll(policy, "-", "_")
 
 	// Step 2: Parse the PDP input and translate to the policy input
 	policyInput, policyResult := NewPolicyInput(reqBody)

component/pdp/component_test.go

@@ -196,6 +196,18 @@ func TestHandleMainPolicy_Integration(t *testing.T) {
 	})
 	t.Run("pzp", func(t *testing.T) {
 		testCases := []testCase{
+			{
+				name:                 "allow - dash is normalized to underscore",
+				clientQualifications: []string{"pzp-gf"},
+				httpRequest:          `GET /Patient?identifier=http://fhir.nl/fhir/NamingSystem/bsn|123456789`,
+				decision:             true,
+			},
+			{
+				name:                 "allow - patient identifier is encoded",
+				clientQualifications: []string{"pzp-gf"},
+				httpRequest:          `GET /Patient?identifier=http://fhir.nl/fhir/NamingSystem/bsn%7C123456789`,
+				decision:             true,
+			},
 			{
 				name:                 "allow - Patient search with BSN identifier",
 				clientQualifications: []string{"pzp_gf"},

component/pdp/fhirreq.go

@@ -70,6 +70,11 @@ var definitions = []PathDef{
 		PathDef:     []string{"[type]", "_search?"},
 		Verb:        "POST",
 	},
+	{
+		Interaction: fhir.TypeRestfulInteractionSearchType,
+		PathDef:     []string{"[type]", "_search"},
+		Verb:        "POST",
+	},
 	{
 		Interaction: fhir.TypeRestfulInteractionSearchSystem,
 		PathDef:     []string{"?"},
@@ -368,8 +373,19 @@ func getSingleParameter(params url.Values, name string) (string, error) {
 func NewPolicyInput(request PDPRequest) (PolicyInput, PolicyResult) {
 	var policyInput PolicyInput
 
+	// URL decode query parameters
+	decodeHTTPRequest := request.Input.Request
+	decodedQueryParams, err := urlValuesDecode(request.Input.Request.QueryParams)
+	if err != nil {
+		return policyInput, Deny(ResultReason{
+			Code:        TypeResultCodeUnexpectedInput,
+			Description: "unable to decode query parameters: " + err.Error(),
+		})
+	}
+	decodeHTTPRequest.QueryParams = *decodedQueryParams
+
 	policyInput.Subject = request.Input.Subject
-	policyInput.Action.Request = request.Input.Request
+	policyInput.Action.Request = decodeHTTPRequest
 	policyInput.Context.DataHolderOrganizationId = request.Input.Context.DataHolderOrganizationId
 	policyInput.Context.DataHolderFacilityType = request.Input.Context.DataHolderFacilityType
 	policyInput.Context.PatientBSN = request.Input.Context.PatientBSN
@@ -385,7 +401,7 @@ func NewPolicyInput(request PDPRequest) (PolicyInput, PolicyResult) {
 	if !ok {
 		reason := ResultReason{
 			Code:        TypeResultCodeUnexpectedInput,
-			Description: "unexpected input, unable to parse fhir request",
+			Description: "unable to parse FHIR request",
 		}
 		return policyInput, Deny(reason)
 	}
@@ -417,17 +433,17 @@ func NewPolicyInput(request PDPRequest) (PolicyInput, PolicyResult) {
 			hasFormData
 
 	if paramsInBody {
-		values, err := url.ParseQuery(request.Input.Request.Body)
+		decodedBody, err := url.ParseQuery(request.Input.Request.Body)
 		if err != nil {
 			reason := ResultReason{
 				Code:        TypeResultCodeUnexpectedInput,
-				Description: "Could not parse form encoded data",
+				Description: fmt.Sprintf("could not parse form encoded request body: %v", err),
 			}
 			return PolicyInput{}, Deny(reason)
 		}
-		rawParams = values
+		rawParams = decodedBody
 	} else {
-		rawParams = request.Input.Request.QueryParams
+		rawParams = *decodedQueryParams
 	}
 
 	params := groupParams(rawParams)
@@ -462,3 +478,17 @@ func NewPolicyInput(request PDPRequest) (PolicyInput, PolicyResult) {
 
 	return policyInput, result
 }
+
+func urlValuesDecode(in url.Values) (*url.Values, error) {
+	out := make(url.Values)
+	for key, values := range in {
+		for _, value := range values {
+			decodedValue, err := url.QueryUnescape(value)
+			if err != nil {
+				return nil, fmt.Errorf("parameter '%s': %w", key, err)
+			}
+			out.Add(key, decodedValue)
+		}
+	}
+	return &out, nil
+}

component/pdp/fhirreq_test.go

@@ -299,13 +299,13 @@ func TestNewPolicyInput(t *testing.T) {
 		})
 	})
 	t.Run("patient BSN parsing", func(t *testing.T) {
-		t.Run("ok", func(t *testing.T) {
+		t.Run("in query parameter, unencoded", func(t *testing.T) {
 			pdpRequest := PDPRequest{
 				Input: PDPInput{
 					Request: HTTPRequest{
 						Method:   "GET",
 						Protocol: "HTTP/1.1",
-						Path:     "/Patient",
+						Path:     "/Patient?",
 						QueryParams: url.Values{
 							"identifier": []string{"http://fhir.nl/fhir/NamingSystem/bsn|900186021"},
 						},
@@ -318,6 +318,46 @@ func TestNewPolicyInput(t *testing.T) {
 			policyInput, _ := NewPolicyInput(pdpRequest)
 			assert.Equal(t, "900186021", policyInput.Context.PatientBSN)
 		})
+		t.Run("in query parameter, encoded", func(t *testing.T) {
+			pdpRequest := PDPRequest{
+				Input: PDPInput{
+					Request: HTTPRequest{
+						Method:   "GET",
+						Protocol: "HTTP/1.1",
+						Path:     "/Patient?",
+						QueryParams: url.Values{
+							"identifier": []string{"http://fhir.nl/fhir/NamingSystem/bsn%7C900186021"},
+						},
+					},
+					Context: PDPContext{
+						ConnectionTypeCode: "hl7-fhir-rest",
+					},
+				},
+			}
+			policyInput, _ := NewPolicyInput(pdpRequest)
+			assert.Equal(t, "900186021", policyInput.Context.PatientBSN)
+		})
+		t.Run("in POST body, encoded", func(t *testing.T) {
+			pdpRequest := PDPRequest{
+				Input: PDPInput{
+					Request: HTTPRequest{
+						Method:   "POST",
+						Protocol: "HTTP/1.1",
+						Path:     "/Patient/_search",
+						Header: http.Header{
+							"Content-Type": []string{"application/x-www-form-urlencoded"},
+						},
+						Body: "identifier=http://fhir.nl/fhir/NamingSystem/bsn%7C900186021",
+					},
+					Context: PDPContext{
+						ConnectionTypeCode: "hl7-fhir-rest",
+					},
+				},
+			}
+			policyInput, policyResult := NewPolicyInput(pdpRequest)
+			assert.Equal(t, "900186021", policyInput.Context.PatientBSN)
+			assert.Empty(t, policyResult.Reasons)
+		})
 		t.Run("incorrect system", func(t *testing.T) {
 			pdpRequest := PDPRequest{
 				Input: PDPInput{

component/pdp/opa.go

@@ -47,10 +47,10 @@ func createOPAService(ctx context.Context, opaBundleBaseURL string) (*sdk.OPA, e
 	return result, nil
 }
 
-// evalRegoPolicy evaluates a Rego policy using Open Policy Agent for the given scope and input
-func (c *Component) evalRegoPolicy(ctx context.Context, scope string, policyInput PolicyInput) (*PolicyResult, error) {
+// evalRegoPolicy evaluates a Rego policy using Open Policy Agent for the given policy and input
+func (c *Component) evalRegoPolicy(ctx context.Context, policy string, policyInput PolicyInput) (*PolicyResult, error) {
 	// get the named policy decision for the specified input
-	result, err := c.opaService.Decision(ctx, sdk.DecisionOptions{Path: "/" + scope + "/allow", Input: policyInput})
+	result, err := c.opaService.Decision(ctx, sdk.DecisionOptions{Path: "/" + policy + "/allow", Input: policyInput})
 	if err != nil {
 		return nil, fmt.Errorf("failed to evaluate policy: %w", err)
 	} else if _, ok := result.Result.(bool); !ok {
@@ -59,7 +59,8 @@ func (c *Component) evalRegoPolicy(ctx context.Context, scope string, policyInpu
 
 	allowed := result.Result.(bool)
 	policyResult := PolicyResult{
-		Allow: allowed,
+		Allow:  allowed,
+		Policy: policy,
 	}
 	if !allowed {
 		policyResult.Reasons = []ResultReason{

component/pdp/shared.go

@@ -3,6 +3,7 @@ package pdp
 import (
 	"fmt"
 	"net/http"
+	"net/url"
 
 	fhirclient "github.com/SanteonNL/go-fhir-client"
 	"github.com/nuts-foundation/nuts-knooppunt/component/mitz"
@@ -33,12 +34,12 @@ type SubjectProperties struct {
 }
 
 type HTTPRequest struct {
-	Method      string              `json:"method"`
-	Protocol    string              `json:"protocol"` // "HTTP/1.0"
-	Path        string              `json:"path"`
-	QueryParams map[string][]string `json:"query_params"`
-	Header      http.Header         `json:"header"`
-	Body        string              `json:"body"`
+	Method      string      `json:"method"`
+	Protocol    string      `json:"protocol"` // "HTTP/1.0"
+	Path        string      `json:"path"`
+	QueryParams url.Values  `json:"query_params"`
+	Header      http.Header `json:"header"`
+	Body        string      `json:"body"`
 }
 
 type PDPContext struct {