Issue/175 Template Engine for HTML UIs

.gitignore

@@ -12,11 +12,13 @@
 ###
 # dsf-bpe ignores
 ###
+dsf-bpe/dsf-bpe-server-jetty/conf/config.properties
 dsf-bpe/dsf-bpe-server-jetty/docker/dsf_bpe.jar
 dsf-bpe/dsf-bpe-server-jetty/docker/dsf_status_client.jar
 dsf-bpe/dsf-bpe-server-jetty/docker/lib/*.jar
 dsf-bpe/dsf-bpe-server-jetty/docker/lib_external/*.jar
 dsf-bpe/dsf-bpe-server-jetty/process/*.jar
+dsf-bpe/dsf-bpe-server-jetty/ui
 
 ###
 # dsf-fhir ignores
@@ -26,6 +28,7 @@ dsf-fhir/dsf-fhir-server-jetty/conf/config.properties
 dsf-fhir/dsf-fhir-server-jetty/docker/dsf_fhir.jar
 dsf-fhir/dsf-fhir-server-jetty/docker/dsf_status_client.jar
 dsf-fhir/dsf-fhir-server-jetty/docker/lib/*.jar
+dsf-fhir/dsf-fhir-server-jetty/ui
 dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/bundle.xml
 
 ###
@@ -36,6 +39,7 @@ dsf-docker-test-setup/bpe/log/*.log.gz
 dsf-docker-test-setup/bpe/lib_external/*.jar
 dsf-docker-test-setup/bpe/process/*.jar
 dsf-docker-test-setup/bpe/secrets/*.pem
+dsf-docker-test-setup/bpe/.env
 
 dsf-docker-test-setup/fhir/log/*.log
 dsf-docker-test-setup/fhir/log/*.log.gz

dsf-bpe/dsf-bpe-server-jetty/src/main/java/dev/dsf/bpe/config/BpeHttpJettyConfig.java

@@ -1,6 +1,5 @@
 package dev.dsf.bpe.config;
 
-import java.util.Arrays;
 import java.util.List;
 
 import org.glassfish.jersey.servlet.init.JerseyServletContainerInitializer;
@@ -20,6 +19,6 @@ protected String mavenServerModuleName()
 	@Override
 	protected List<Class<? extends ServletContainerInitializer>> servletContainerInitializers()
 	{
-		return Arrays.asList(JerseyServletContainerInitializer.class, SpringServletContainerInitializer.class);
+		return List.of(JerseyServletContainerInitializer.class, SpringServletContainerInitializer.class);
 	}
 }

dsf-bpe/dsf-bpe-server-jetty/src/main/java/dev/dsf/bpe/config/BpeHttpsJettyConfig.java

@@ -1,6 +1,5 @@
 package dev.dsf.bpe.config;
 
-import java.util.Arrays;
 import java.util.List;
 
 import org.glassfish.jersey.servlet.init.JerseyServletContainerInitializer;
@@ -20,6 +19,6 @@ protected String mavenServerModuleName()
 	@Override
 	protected List<Class<? extends ServletContainerInitializer>> servletContainerInitializers()
 	{
-		return Arrays.asList(JerseyServletContainerInitializer.class, SpringServletContainerInitializer.class);
+		return List.of(JerseyServletContainerInitializer.class, SpringServletContainerInitializer.class);
 	}
 }

dsf-bpe/dsf-bpe-server/pom.xml

@@ -46,6 +46,10 @@
 			<groupId>dev.dsf</groupId>
 			<artifactId>dsf-common-status</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>dev.dsf</groupId>
+			<artifactId>dsf-common-ui</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>de.hs-heilbronn.mi</groupId>
 			<artifactId>crypto-utils</artifactId>

dsf-bpe/dsf-bpe-server/src/main/java/dev/dsf/bpe/BpeJerseyApplication.java

@@ -1,11 +1,13 @@
 package dev.dsf.bpe;
 
 import org.glassfish.jersey.server.ResourceConfig;
+import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.web.context.WebApplicationContext;
 import org.springframework.web.context.support.WebApplicationContextUtils;
 
+import dev.dsf.common.auth.filter.AuthenticationFilter;
 import jakarta.inject.Inject;
 import jakarta.servlet.ServletContext;
 import jakarta.ws.rs.ApplicationPath;
@@ -36,5 +38,8 @@ public BpeJerseyApplication(ServletContext servletContext)
 
 			register(b);
 		});
+
+		register(AuthenticationFilter.class);
+		register(RolesAllowedDynamicFeature.class);
 	}
 }

dsf-bpe/dsf-bpe-server/src/main/java/dev/dsf/bpe/authentication/BpeServerRole.java

@@ -1,8 +1,15 @@
 package dev.dsf.bpe.authentication;
 
+import java.util.stream.Stream;
+
 import dev.dsf.common.auth.conf.DsfRole;
 
 public enum BpeServerRole implements DsfRole
 {
-	ORGANIZATION
+	ADMIN;
+
+	public static boolean isValid(String role)
+	{
+		return role != null && !role.isBlank() && Stream.of(values()).map(Enum::name).anyMatch(n -> n.equals(role));
+	}
 }

dsf-bpe/dsf-bpe-server/src/main/java/dev/dsf/bpe/authentication/IdentityProviderImpl.java

@@ -1,150 +1,73 @@
 package dev.dsf.bpe.authentication;
 
 import java.security.cert.X509Certificate;
-import java.util.Collections;
+import java.util.Objects;
 import java.util.Optional;
-import java.util.Set;
 
-import javax.security.auth.x500.X500Principal;
-
-import org.hl7.fhir.r4.model.Coding;
 import org.hl7.fhir.r4.model.Organization;
 import org.hl7.fhir.r4.model.Practitioner;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.InitializingBean;
 
-import dev.dsf.common.auth.DsfOpenIdCredentials;
-import dev.dsf.common.auth.conf.DsfRole;
+import dev.dsf.bpe.service.LocalOrganizationProvider;
+import dev.dsf.common.auth.conf.AbstractIdentityProvider;
 import dev.dsf.common.auth.conf.Identity;
 import dev.dsf.common.auth.conf.IdentityProvider;
-import dev.dsf.common.auth.conf.OrganizationIdentity;
-import dev.dsf.common.auth.conf.PractitionerIdentity;
+import dev.dsf.common.auth.conf.PractitionerIdentityImpl;
+import dev.dsf.common.auth.conf.RoleConfig;
 
-public class IdentityProviderImpl implements IdentityProvider
+public class IdentityProviderImpl extends AbstractIdentityProvider implements IdentityProvider, InitializingBean
 {
-	@Override
-	public Identity getIdentity(DsfOpenIdCredentials credentials)
-	{
-		return new PractitionerIdentity()
-		{
-			@Override
-			public String getName()
-			{
-				return credentials.getUserId();
-			}
-
-			@Override
-			public String getDisplayName()
-			{
-				return getName();
-			}
-
-			@Override
-			public boolean isLocalIdentity()
-			{
-				return true;
-			}
+	private static final Logger logger = LoggerFactory.getLogger(IdentityProviderImpl.class);
 
-			@Override
-			public boolean hasDsfRole(DsfRole role)
-			{
-				return BpeServerRole.ORGANIZATION.equals(role);
-			}
+	private final LocalOrganizationProvider organizationProvider;
 
-			@Override
-			public Set<DsfRole> getDsfRoles()
-			{
-				return Collections.singleton(BpeServerRole.ORGANIZATION);
-			}
-
-			@Override
-			public Optional<String> getOrganizationIdentifierValue()
-			{
-				return Optional.empty();
-			}
-
-			@Override
-			public Organization getOrganization()
-			{
-				return null;
-			}
+	public IdentityProviderImpl(RoleConfig roleConfig, LocalOrganizationProvider organizationProvider)
+	{
+		super(roleConfig);
 
-			@Override
-			public Practitioner getPractitioner()
-			{
-				return null;
-			}
+		this.organizationProvider = organizationProvider;
+	}
 
-			@Override
-			public Set<Coding> getPractionerRoles()
-			{
-				return Collections.emptySet();
-			}
+	@Override
+	public void afterPropertiesSet() throws Exception
+	{
+		super.afterPropertiesSet();
 
-			@Override
-			public Optional<DsfOpenIdCredentials> getCredentials()
-			{
-				return Optional.of(credentials);
-			}
+		Objects.requireNonNull(organizationProvider, "organizationProvider");
+	}
 
-			@Override
-			public Optional<X509Certificate> getCertificate()
-			{
-				return Optional.empty();
-			}
-		};
+	@Override
+	protected Optional<Organization> getLocalOrganization()
+	{
+		return organizationProvider.getLocalOrganization();
 	}
 
 	@Override
 	public Identity getIdentity(X509Certificate[] certificates)
 	{
-		return new OrganizationIdentity()
-		{
-			@Override
-			public String getName()
-			{
-				return certificates[0].getSubjectX500Principal().getName(X500Principal.RFC1779);
-			}
-
-			@Override
-			public String getDisplayName()
-			{
-				return getName();
-			}
+		if (certificates == null || certificates.length == 0)
+			return null;
 
-			@Override
-			public Set<DsfRole> getDsfRoles()
-			{
-				return Collections.singleton(BpeServerRole.ORGANIZATION);
-			}
+		String thumbprint = getThumbprint(certificates[0]);
 
-			@Override
-			public Organization getOrganization()
-			{
-				return null;
-			}
-
-			@Override
-			public boolean isLocalIdentity()
-			{
-				return true;
-			}
-
-			@Override
-			public Optional<String> getOrganizationIdentifierValue()
-			{
-				return Optional.empty();
-			}
-
-			@Override
-			public boolean hasDsfRole(DsfRole role)
-			{
-				return BpeServerRole.ORGANIZATION.equals(role);
-			}
+		Optional<Practitioner> practitioner = toPractitioner(certificates[0]);
+		Optional<Organization> localOrganization = organizationProvider.getLocalOrganization();
+		if (practitioner.isPresent() && localOrganization.isPresent())
+		{
+			Practitioner p = practitioner.get();
+			Organization o = localOrganization.get();
 
-			@Override
-			public Optional<X509Certificate> getCertificate()
-			{
-				return Optional.of(certificates[0]);
-			}
-		};
+			return new PractitionerIdentityImpl(o, getDsfRolesFor(p, thumbprint, null, null), certificates[0], p,
+					getPractitionerRolesFor(p, thumbprint, null, null), null);
+		}
+		else
+		{
+			logger.warn(
+					"Certificate with thumbprint '{}' for '{}' unknown, not part of allowlist and not configured as local user or local organization",
+					thumbprint, getDn(certificates[0]));
+			return null;
+		}
 	}
 }

dsf-bpe/dsf-bpe-server/src/main/java/dev/dsf/bpe/plugin/AbstractProcessPlugin.java

@@ -145,12 +145,12 @@ Resource getResource()
 			.compile(Pattern.quote(PLACEHOLDER_PREFIX_TMP));
 	private static final Pattern PLACEHOLDER_PREFIX_PATTERN = Pattern.compile(Pattern.quote(PLACEHOLDER_PREFIX));
 
-	private static final String ACTIVITY_DEFINITION_URL_PATTERN_STRING = "^(?<processUrl>http[s]{0,1}://(?<domain>(?:(?:[a-zA-Z0-9]{1,63}|[a-zA-Z0-9][a-zA-Z0-9-]{0,61}[a-zA-Z0-9])\\.)+(?:[a-zA-Z0-9]{1,63}))"
+	private static final String ACTIVITY_DEFINITION_URL_PATTERN_STRING = "^(?<processUrl>http[s]{0,1}://(?<domain>(?:(?:[a-zA-Z0-9][a-zA-Z0-9-]{0,61}[a-zA-Z0-9])\\.)+(?:[a-zA-Z0-9]{1,63}))"
 			+ "/bpe/Process/(?<processName>[a-zA-Z0-9-]+))$";
 	private static final Pattern ACTIVITY_DEFINITION_URL_PATTERN = Pattern
 			.compile(ACTIVITY_DEFINITION_URL_PATTERN_STRING);
 
-	private static final String INSTANTIATES_CANONICAL_PATTERN_STRING = "(?<processUrl>http[s]{0,1}://(?<domain>(?:(?:[a-zA-Z0-9]{1,63}|[a-zA-Z0-9][a-zA-Z0-9-]{0,61}[a-zA-Z0-9])\\.)+(?:[a-zA-Z0-9]{1,63}))"
+	private static final String INSTANTIATES_CANONICAL_PATTERN_STRING = "(?<processUrl>http[s]{0,1}://(?<domain>(?:(?:[a-zA-Z0-9][a-zA-Z0-9-]{0,61}[a-zA-Z0-9])\\.)+(?:[a-zA-Z0-9]{1,63}))"
 			+ "/bpe/Process/(?<processName>[a-zA-Z0-9-]+))\\|(?<processVersion>\\d+\\.\\d+)$";
 	private static final Pattern INSTANTIATES_CANONICAL_PATTERN = Pattern
 			.compile(INSTANTIATES_CANONICAL_PATTERN_STRING);

dsf-bpe/dsf-bpe-server/src/main/java/dev/dsf/bpe/service/LocalOrganizationProvider.java

@@ -0,0 +1,10 @@
+package dev.dsf.bpe.service;
+
+import java.util.Optional;
+
+import org.hl7.fhir.r4.model.Organization;
+
+public interface LocalOrganizationProvider
+{
+	Optional<Organization> getLocalOrganization();
+}

dsf-bpe/dsf-bpe-server/src/main/java/dev/dsf/bpe/service/LocalOrganizationProviderImpl.java

@@ -0,0 +1,54 @@
+package dev.dsf.bpe.service;
+
+import java.time.LocalDateTime;
+import java.time.temporal.TemporalAmount;
+import java.util.Objects;
+import java.util.Optional;
+import java.util.concurrent.atomic.AtomicReference;
+
+import org.hl7.fhir.r4.model.Organization;
+import org.springframework.beans.factory.InitializingBean;
+
+import dev.dsf.bpe.v1.service.OrganizationProvider;
+
+public class LocalOrganizationProviderImpl implements LocalOrganizationProvider, InitializingBean
+{
+	private record OrganizationEntry(Optional<Organization> organization, LocalDateTime readTime)
+	{
+	}
+
+	private final AtomicReference<OrganizationEntry> organization = new AtomicReference<>();
+
+	private final TemporalAmount cacheTimeout;
+	private final OrganizationProvider delegate;
+
+	public LocalOrganizationProviderImpl(TemporalAmount cacheTimeout, OrganizationProvider delegate)
+	{
+		this.cacheTimeout = cacheTimeout;
+		this.delegate = delegate;
+	}
+
+	@Override
+	public void afterPropertiesSet() throws Exception
+	{
+		Objects.requireNonNull(cacheTimeout, "cacheTimeout");
+		Objects.requireNonNull(delegate, "delegate");
+	}
+
+	@Override
+	public Optional<Organization> getLocalOrganization()
+	{
+		OrganizationEntry organization = this.organization.get();
+		if (organization == null || organization.organization().isEmpty()
+				|| !organization.readTime().plus(cacheTimeout).isAfter(LocalDateTime.now()))
+		{
+			Optional<Organization> o = delegate.getLocalOrganization();
+			if (this.organization.compareAndSet(organization, new OrganizationEntry(o, LocalDateTime.now())))
+				return o;
+			else
+				return this.organization.get().organization();
+		}
+		else
+			return organization.organization();
+	}
+}