Refactor GZIP encoding check (#199)

google · Oct 25, 2023 · 5c14912 · 5c14912
1 parent 4376a58
commit 5c14912
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 9 deletions.
diff --git a/doc/design.md b/doc/design.md
@@ -367,7 +367,7 @@ The mapping from resources to patients is done through the
 [patient compartment](https://www.hl7.org/fhir/compartmentdefinition-patient.html)
 definition. Note that we can still access many resources in one query; in
 particular through
-[Patient/ID/$everything](https://hl7.org/fhir/patient-operation-everything.html)
+[Patient/ID/\$everything](https://hl7.org/fhir/patient-operation-everything.html)
 queries, we can fetch all updates for a single patient.
 
 This approach helps support both the **flexible-access-control** and
@@ -553,10 +553,10 @@ In the main text, we refer to these examples by "all-patients",
 ## Notes
 
 [^1]:
-    The simplified
-    [Implicit](https://smilecdr.com/docs/smart/smart_on_fhir_authorization_flows.html#launch-flow-implicit-grant)
-    flow could work for our use-case too but that has important security
-    shortcomings. For example, it exposes access_token in URLs which can leak
-    through browser history. Another more important shortcoming is that we
-    cannot implement PKCE in the Implicit flow as the access_token is directly
-    returned in the first request.
+  The simplified
+  [Implicit](https://smilecdr.com/docs/smart/smart_on_fhir_authorization_flows.html#launch-flow-implicit-grant)
+  flow could work for our use-case too but that has important security
+  shortcomings. For example, it exposes access_token in URLs which can leak
+  through browser history. Another more important shortcoming is that we cannot
+  implement PKCE in the Implicit flow as the access_token is directly returned
+  in the first request.
diff --git a/server/src/main/java/com/google/fhir/gateway/BearerAuthorizationInterceptor.java b/server/src/main/java/com/google/fhir/gateway/BearerAuthorizationInterceptor.java
@@ -38,6 +38,7 @@
 import java.io.Reader;
 import java.io.StringReader;
 import java.io.Writer;
+import java.util.Locale;
 import org.apache.http.Header;
 import org.apache.http.HttpEntity;
 import org.apache.http.HttpResponse;
@@ -211,7 +212,7 @@ private boolean sendGzippedResponse(ServletRequestDetails requestDetails) {
     if (acceptEncodingValue == null) {
       return false;
     }
-    return GZIP_ENCODING_VALUE.equalsIgnoreCase(acceptEncodingValue);
+    return acceptEncodingValue.toLowerCase(Locale.ENGLISH).contains(GZIP_ENCODING_VALUE);
   }
 
   /**

diff --git a/server/src/test/java/com/google/fhir/gateway/BearerAuthorizationInterceptorTest.java b/server/src/test/java/com/google/fhir/gateway/BearerAuthorizationInterceptorTest.java
@@ -337,4 +337,42 @@ public void shouldSendGzippedResponseWhenRequested() throws IOException {
     assertThat(
         proxyServletResponseMock.getHeader("Content-Encoding".toLowerCase()), equalTo("gzip"));
   }
+
+  @Test
+  public void shouldSendGzippedResponseWhenRequestedCaseInsensitive() throws IOException {
+    testInstance = createTestInstance(true, null);
+    String responseJson = "{\"resourceType\": \"Bundle\"}";
+    when(requestMock.getHeader("Authorization")).thenReturn("Bearer ANYTHING");
+    when(requestMock.getHeader("Accept-Encoding".toLowerCase())).thenReturn("GZIP");
+    when(requestMock.getServer()).thenReturn(serverMock);
+    ServletRestfulResponse proxyResponseMock = new ServletRestfulResponse(requestMock);
+    when(requestMock.getResponse()).thenReturn(proxyResponseMock);
+    HttpServletResponse proxyServletResponseMock = new MockHttpServletResponse();
+    when(requestMock.getServletResponse()).thenReturn(proxyServletResponseMock);
+    TestUtil.setUpFhirResponseMock(fhirResponseMock, responseJson);
+
+    testInstance.authorizeRequest(requestMock);
+
+    assertThat(
+        proxyServletResponseMock.getHeader("Content-Encoding".toLowerCase()), equalTo("gzip"));
+  }
+
+  @Test
+  public void shouldSendGzippedResponseWhenRequestedMultipleEncodingFormats() throws IOException {
+    testInstance = createTestInstance(true, null);
+    String responseJson = "{\"resourceType\": \"Bundle\"}";
+    when(requestMock.getHeader("Authorization")).thenReturn("Bearer ANYTHING");
+    when(requestMock.getHeader("Accept-Encoding".toLowerCase())).thenReturn("gzip, deflate, br");
+    when(requestMock.getServer()).thenReturn(serverMock);
+    ServletRestfulResponse proxyResponseMock = new ServletRestfulResponse(requestMock);
+    when(requestMock.getResponse()).thenReturn(proxyResponseMock);
+    HttpServletResponse proxyServletResponseMock = new MockHttpServletResponse();
+    when(requestMock.getServletResponse()).thenReturn(proxyServletResponseMock);
+    TestUtil.setUpFhirResponseMock(fhirResponseMock, responseJson);
+
+    testInstance.authorizeRequest(requestMock);
+
+    assertThat(
+        proxyServletResponseMock.getHeader("Content-Encoding".toLowerCase()), equalTo("gzip"));
+  }
 }