Implement standalone launch sequence (#5)

Author: VaishSiddharth

omod/src/main/java/org/openmrs/module/smartonfhir/page/controller/FindPatientPageController.java

@@ -9,37 +9,33 @@
  */
 package org.openmrs.module.smartonfhir.page.controller;
 
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+
 import org.openmrs.module.appframework.domain.AppDescriptor;
 import org.openmrs.module.appui.UiSessionContext;
 import org.openmrs.module.coreapps.helper.BreadcrumbHelper;
 import org.openmrs.ui.framework.UiUtils;
 import org.openmrs.ui.framework.page.PageModel;
 import org.springframework.web.bind.annotation.RequestParam;
 
+@SuppressWarnings("unused")
 public class FindPatientPageController {
 
-	/**
-	 * This page is built to be shared across multiple apps. To use it, you must pass an "app" request
-	 * parameter, which must be the id of an existing app that is an instance of
-	 * coreapps.template.findPatient
-	 *
-	 * @param model
-	 * @param app
-	 * @param sessionContext
-	 */
 	public void get(PageModel model, @RequestParam("app") AppDescriptor app, @RequestParam("token") String token,
-	        UiSessionContext sessionContext, UiUtils ui) {
-		System.out.println("in FindPatientPageController" + token);
-		model.addAttribute("afterSelectedUrl", app.getConfig().get("afterSelectedUrl").getTextValue() + "&token=" + token);
+	        UiSessionContext sessionContext, UiUtils ui) throws UnsupportedEncodingException {
+		model.addAttribute("afterSelectedUrl", app.getConfig().get("afterSelectedUrl").getTextValue() + "&token="
+		        + URLEncoder.encode(token, StandardCharsets.UTF_8.name()));
 		model.addAttribute("heading", app.getConfig().get("heading").getTextValue());
 		model.addAttribute("label", app.getConfig().get("label").getTextValue());
 		model.addAttribute("showLastViewedPatients", app.getConfig().get("showLastViewedPatients").getBooleanValue());
+		
 		if (app.getConfig().get("registrationAppLink") == null) {
 			model.addAttribute("registrationAppLink", "");
 		} else {
 			model.addAttribute("registrationAppLink", app.getConfig().get("registrationAppLink").getTextValue());
 		}
 		BreadcrumbHelper.addBreadcrumbsIfDefinedInApp(app, model, ui);
 	}
-	
 }

omod/src/main/java/org/openmrs/module/smartonfhir/web/KeycloakConfig.java

@@ -0,0 +1,37 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at http://mozilla.org/MPL/2.0/. OpenMRS is also distributed under
+ * the terms of the Healthcare Disclaimer located at http://openmrs.org/license.
+ *
+ * Copyright (C) OpenMRS Inc. OpenMRS is a registered trademark and the OpenMRS
+ * graphic logo is a trademark of OpenMRS Inc.
+ */
+package org.openmrs.module.smartonfhir.web;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.Data;
+
+@Data
+@JsonInclude(JsonInclude.Include.NON_EMPTY)
+public class KeycloakConfig {
+	
+	@JsonProperty(value = "realm", required = true)
+	private String realm;
+	
+	@JsonProperty(value = "auth-server-url", required = true)
+	private String authServerUrl;
+	
+	@JsonProperty(value = "ssl-required", required = false)
+	private String sslRequired;
+	
+	@JsonProperty(value = "resource", required = false)
+	private String resource;
+	
+	@JsonProperty(value = "public-client", required = false)
+	private String publicClient;
+	
+	@JsonProperty(value = "confidential-port", required = false)
+	private int confidentialPort;
+}

omod/src/main/java/org/openmrs/module/smartonfhir/web/SmartConformance.java

@@ -9,16 +9,18 @@
  */
 package org.openmrs.module.smartonfhir.web;
 
+import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import lombok.Data;
 
 @Data
+@JsonInclude(JsonInclude.Include.NON_EMPTY)
 public class SmartConformance {
 
-	@JsonProperty("authorization_endpoint")
+	@JsonProperty(value = "authorization_endpoint", required = true)
 	private String authorizationEndpoint;
 
-	@JsonProperty("token_endpoint")
+	@JsonProperty(value = "token_endpoint", required = true)
 	private String tokenEndpoint;
 
 	@JsonProperty("token_endpoint_auth_methods_supported")
@@ -42,6 +44,6 @@ public class SmartConformance {
 	@JsonProperty("revocation_endpoint")
 	private String revocationEndpoint;
 
-	@JsonProperty("capabilities")
+	@JsonProperty(value = "capabilities", required = true)
 	private String[] capabilities;
 }

omod/src/main/java/org/openmrs/module/smartonfhir/web/SmartSecretKey.java

@@ -0,0 +1,22 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at http://mozilla.org/MPL/2.0/. OpenMRS is also distributed under
+ * the terms of the Healthcare Disclaimer located at http://openmrs.org/license.
+ *
+ * Copyright (C) OpenMRS Inc. OpenMRS is a registered trademark and the OpenMRS
+ * graphic logo is a trademark of OpenMRS Inc.
+ */
+package org.openmrs.module.smartonfhir.web;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.Data;
+
+@Data
+@JsonInclude(JsonInclude.Include.NON_EMPTY)
+public class SmartSecretKey {
+	
+	@JsonProperty(value = "smart-shared-secret-key", required = true)
+	private String smartSharedSecretKey;
+}

omod/src/main/java/org/openmrs/module/smartonfhir/web/filter/AuthenticationByPassFilter.java

@@ -0,0 +1,209 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at http://mozilla.org/MPL/2.0/. OpenMRS is also distributed under
+ * the terms of the Healthcare Disclaimer located at http://openmrs.org/license.
+ *
+ * Copyright (C) OpenMRS Inc. OpenMRS is a registered trademark and the OpenMRS
+ * graphic logo is a trademark of OpenMRS Inc.
+ */
+package org.openmrs.module.smartonfhir.web.filter;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang.StringUtils;
+import org.keycloak.common.util.Base64;
+import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.jose.jws.JWSInputException;
+import org.keycloak.jose.jws.crypto.HMACProvider;
+import org.keycloak.representations.JsonWebToken;
+import org.openmrs.api.context.Context;
+import org.openmrs.api.context.ContextAuthenticationException;
+import org.openmrs.module.smartonfhir.web.SmartSecretKey;
+import org.openmrs.module.smartonfhir.web.smart.SmartTokenCredentials;
+import org.openmrs.util.OpenmrsUtil;
+import org.springframework.core.io.Resource;
+import org.springframework.core.io.support.PathMatchingResourcePatternResolver;
+
+@Slf4j
+public class AuthenticationByPassFilter implements Filter {
+	
+	public static final String SMART_AUTH_BYPASS = "SMART_AUTH_BYPASS";
+	
+	private static final String VALID_URLS_PARAM = "validUrls";
+	
+	private static final Pattern KEY_PARAM = Pattern.compile("^key=([^&]*)(?:&|$)");
+	
+	private static final ObjectMapper objectMapper = new ObjectMapper();
+	
+	private SmartSecretKey smartSecretKey;
+	
+	private List<String> validUrls = new ArrayList<>(0);
+	
+	@Override
+	public void init(FilterConfig filterConfig) {
+		String validUrlsParam = filterConfig.getInitParameter(VALID_URLS_PARAM);
+		if (StringUtils.isNotBlank(validUrlsParam)) {
+			validUrls = Arrays.stream(validUrlsParam.split(",")).filter(org.apache.commons.lang3.StringUtils::isNotBlank)
+			        .map(it -> {
+				        if (it.startsWith("/") || it.equals("*")) {
+					        return it;
+				        }
+				        
+				        return "/" + it;
+			        }).distinct().collect(Collectors.toList());
+		}
+	}
+	
+	@Override
+	public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
+	        throws IOException, ServletException {
+		HttpServletRequest request = (HttpServletRequest) servletRequest;
+		HttpServletResponse response = (HttpServletResponse) servletResponse;
+		
+		if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
+			Context.logout();
+		}
+		
+		String pathInfo = request.getRequestURI();
+		
+		boolean isValidRequest = false;
+		if (pathInfo != null) {
+			final String thePathInfo = pathInfo.replaceFirst(request.getContextPath(), "");
+			isValidRequest = validUrls.stream().anyMatch(url -> {
+				if (url.endsWith("*")) {
+					if (url.length() < 3) {
+						return true;
+					} else {
+						String urlStart = url.substring(0, url.length() - 2);
+						return thePathInfo.startsWith(urlStart);
+					}
+				}
+				
+				return url.equals(thePathInfo);
+			});
+		}
+		
+		if (!isValidRequest) {
+			HttpSession session = request.getSession(false);
+			if (session != null && session.getAttribute(SMART_AUTH_BYPASS) != null) {
+				session.invalidate();
+				Context.logout();
+				request.getSession();
+			}
+			
+			filterChain.doFilter(request, response);
+			return;
+		}
+		
+		if (!Context.isAuthenticated()) {
+			final String tokenParam = request.getParameter("token");
+			
+			if (tokenParam != null) {
+				int keyPos = tokenParam.indexOf("key=");
+				if (keyPos >= 0) {
+					Matcher m = KEY_PARAM.matcher(tokenParam.substring(keyPos));
+					if (m.find()) {
+						final String key = m.group(1);
+						
+						final String userToken;
+						try {
+							JWSInput jwsInput = new JWSInput(key);
+							JsonWebToken webToken = jwsInput.readJsonContent(JsonWebToken.class);
+							
+							if (!webToken.isActive()) {
+								log.error("Token has expired");
+								response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Not authenticated");
+								return;
+							}
+							
+							userToken = (String) webToken.getOtherClaims().get("user");
+						}
+						catch (JWSInputException e) {
+							log.error("Error while reading JWS token", e);
+							response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Not authenticated");
+							return;
+						}
+						
+						if (userToken == null) {
+							log.error("Could not read user entry from token");
+							response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Not authenticated");
+							return;
+						}
+						
+						final String username;
+						try {
+							JWSInput jwsInput = new JWSInput(userToken);
+							if (!HMACProvider.verify(jwsInput, Base64.decode(getSecretKey()))) {
+								log.error("Error validating user token");
+								response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Not authenticated");
+								return;
+							}
+							
+							JsonWebToken webToken = jwsInput.readJsonContent(JsonWebToken.class);
+							username = webToken.getSubject();
+						}
+						catch (JWSInputException e) {
+							log.error("Error while reading user token", e);
+							response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Not authenticated");
+							return;
+						}
+						
+						try {
+							Context.authenticate(new SmartTokenCredentials(username));
+							Context.getUserContext().setLocation(Context.getLocationService().getDefaultLocation());
+							request.getSession().setAttribute(SMART_AUTH_BYPASS, true);
+						}
+						catch (ContextAuthenticationException e) {
+							log.error("Error while logging in as user {}", username, e);
+							response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Not authenticated");
+							return;
+						}
+					}
+				}
+			}
+		}
+		
+		filterChain.doFilter(request, response);
+	}
+	
+	private String getSecretKey() throws IOException {
+		final PathMatchingResourcePatternResolver resolver = new PathMatchingResourcePatternResolver();
+		Resource resource = resolver.getResource(
+		    OpenmrsUtil.getDirectoryInApplicationDataDirectory("config") + File.separator + "smart-secret-key.json");
+		if (resource != null) {
+			resource = resolver.getResource("classpath:smart-secret-key.json");
+			
+			InputStream secretKeyStream = resource.getInputStream();
+			
+			smartSecretKey = new SmartSecretKey();
+			smartSecretKey = objectMapper.readValue(secretKeyStream, SmartSecretKey.class);
+		}
+		
+		return smartSecretKey.getSmartSharedSecretKey();
+	}
+	
+	@Override
+	public void destroy() {
+	}
+}