Allow request mutation by Access checkers

plugins/src/main/java/com/google/fhir/gateway/plugin/AccessGrantedAndUpdateList.java

@@ -26,6 +26,8 @@
 import com.google.fhir.gateway.HttpFhirClient;
 import com.google.fhir.gateway.HttpUtil;
 import com.google.fhir.gateway.interfaces.AccessDecision;
+import com.google.fhir.gateway.interfaces.RequestDetailsReader;
+import com.google.fhir.gateway.interfaces.RequestMutation;
 import java.io.IOException;
 import java.util.Set;
 import org.apache.http.HttpResponse;
@@ -62,6 +64,11 @@ private AccessGrantedAndUpdateList(
     this.resourceTypeExpected = resourceTypeExpected;
   }
 
+  @Override
+  public RequestMutation preprocess(RequestDetailsReader requestDetailsReader) {
+    return null;
+  }
+
   @Override
   public boolean canAccess() {
     return true;

server/src/main/java/com/google/fhir/gateway/BearerAuthorizationInterceptor.java

@@ -39,6 +39,7 @@
 import com.google.fhir.gateway.interfaces.AccessCheckerFactory;
 import com.google.fhir.gateway.interfaces.AccessDecision;
 import com.google.fhir.gateway.interfaces.RequestDetailsReader;
+import com.google.fhir.gateway.interfaces.RequestMutation;
 import com.google.gson.JsonObject;
 import com.google.gson.JsonParser;
 import java.io.IOException;
@@ -62,6 +63,7 @@
 import org.apache.http.util.EntityUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.util.CollectionUtils;
 
 @Interceptor
 public class BearerAuthorizationInterceptor {
@@ -270,6 +272,7 @@ public boolean authorizeRequest(RequestDetails requestDetails) {
       return false;
     }
     AccessDecision outcome = checkAuthorization(requestDetails);
+    preprocessRequest(servletDetails, outcome);
     logger.debug("Authorized request path " + requestPath);
     try {
       HttpResponse response = fhirClient.handleRequest(servletDetails);
@@ -390,4 +393,21 @@ private void serveWellKnown(ServletRequestDetails request) {
       ExceptionUtil.throwRuntimeExceptionAndLog(logger, e.getMessage(), e);
     }
   }
+
+  private void preprocessRequest(
+      ServletRequestDetails servletRequestDetails, AccessDecision accessDecision) {
+    RequestMutation mutation =
+        accessDecision.preprocess(new RequestDetailsToReader(servletRequestDetails));
+    if (mutation == null || CollectionUtils.isEmpty(mutation.getQueryParams())) {
+      return ;
+    }
+
+    mutation
+        .getQueryParams()
+        .forEach((key, value) -> servletRequestDetails.addParameter(
+            key, value.toArray(new String[0])));
+
+    // TODO update the query params in search by Post
+
+  }
 }

server/src/main/java/com/google/fhir/gateway/CapabilityPostProcessor.java

@@ -20,6 +20,8 @@
 import com.google.common.base.Preconditions;
 import com.google.common.io.CharStreams;
 import com.google.fhir.gateway.interfaces.AccessDecision;
+import com.google.fhir.gateway.interfaces.RequestDetailsReader;
+import com.google.fhir.gateway.interfaces.RequestMutation;
 import java.io.IOException;
 import org.apache.http.HttpResponse;
 import org.hl7.fhir.instance.model.api.IBaseResource;
@@ -52,6 +54,11 @@ static synchronized CapabilityPostProcessor getInstance(FhirContext fhirContext)
     return instance;
   }
 
+  @Override
+  public RequestMutation preprocess(RequestDetailsReader requestDetailsReader) {
+    return null;
+  }
+
   @Override
   public boolean canAccess() {
     return true;

server/src/main/java/com/google/fhir/gateway/interfaces/AccessDecision.java

@@ -20,7 +20,17 @@
 
 public interface AccessDecision {
 
-  /** @return true iff access was granted. */
+  /**
+   * Allows the incoming request mutation based on the access decision.
+   *
+   * @param requestDetailsReader details about the resource and operation requested
+   * @return the mutation to be applied on the incoming request
+   */
+  RequestMutation preprocess(RequestDetailsReader requestDetailsReader);
+
+  /**
+   * @return true iff access was granted.
+   */
   boolean canAccess();
 
   /**

server/src/main/java/com/google/fhir/gateway/interfaces/NoOpAccessDecision.java

@@ -25,6 +25,11 @@ public NoOpAccessDecision(boolean accessGranted) {
     this.accessGranted = accessGranted;
   }
 
+  @Override
+  public RequestMutation preprocess(RequestDetailsReader requestDetailsReader) {
+    return null;
+  }
+
   @Override
   public boolean canAccess() {
     return accessGranted;

server/src/main/java/com/google/fhir/gateway/interfaces/RequestMutation.java

@@ -0,0 +1,16 @@
+package com.google.fhir.gateway.interfaces;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import lombok.Builder;
+import lombok.Getter;
+
+/** Defines mutations that can be applied to the incoming request by an {@link AccessChecker}. */
+@Builder
+@Getter
+public class RequestMutation {
+
+  // Additional query parameters that should be added to the outgoing FHIR request
+  @Builder.Default Map<String, List<String>> queryParams = new HashMap<>();
+}