From ffd62d4f794e6acd6281fdaa8837a0de63b98404 Mon Sep 17 00:00:00 2001 From: Jamie Albinson Date: Wed, 11 Dec 2024 16:25:57 -0500 Subject: [PATCH] 12/11/24 --- prime-router/docs/authz/authz-requirements.md | 201 ++++++++++++------ .../src/test/kotlin/tokens/ScopeTests.kt | 19 ++ 2 files changed, 157 insertions(+), 63 deletions(-) diff --git a/prime-router/docs/authz/authz-requirements.md b/prime-router/docs/authz/authz-requirements.md index 8ed4a3c55fe..142db5dbdb9 100644 --- a/prime-router/docs/authz/authz-requirements.md +++ b/prime-router/docs/authz/authz-requirements.md @@ -1,63 +1,138 @@ -### Authorization requirements by endpoint -This is valid as of 12/10/24 - - -| Location | Function Name | Verb | URL | Auth Strategy | Authz requirements | -|-------------------------------------------------------------------------------------------|-----------------------------|------------------|-------------------------------------------------------------------------|--------------------------------------------------------------------------------------------|------------------------------------------------------------------| -| [SenderFilesFunction](../../src/main/kotlin/azure/SenderFilesFunction.kt) | getSenderFiles | GET | /api/sender-files | [OktaAuthentication](../../src/main/kotlin/tokens/OktaAuthentication.kt) | System Admin | -| [AdminApiFunctions](../../src/main/kotlin/azure/AdminApiFunctions.kt) | getSendFailures | GET | /api/adm/getsendfailures | [OktaAuthentication](../../src/main/kotlin/tokens/OktaAuthentication.kt) | System Admin | -| [AdminApiFunctions](../../src/main/kotlin/azure/AdminApiFunctions.kt) | listreceiversconnstatus | GET | /api/adm/listreceiversconnstatus | [OktaAuthentication](../../src/main/kotlin/tokens/OktaAuthentication.kt) | System Admin | -| [AdminApiFunctions](../../src/main/kotlin/azure/AdminApiFunctions.kt) | getresend | GET | /api/adm/getresend | [OktaAuthentication](../../src/main/kotlin/tokens/OktaAuthentication.kt) | System Admin | -| [ApiKeysFunctions](../../src/main/kotlin/azure/ApiKeysFunctions.kt) | getApiKeys | GET | /api/settings/organizations/{organizationName}/public-keys | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, or org user | -| [ApiKeysFunctions](../../src/main/kotlin/azure/ApiKeysFunctions.kt) | getApiKeysV1 | GET | /api/v1/settings/organizations/{organizationName}/public-keys | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, or org user | -| [ApiKeysFunctions](../../src/main/kotlin/azure/ApiKeysFunctions.kt) | postApiKey | POST | /api/settings/organizations/{organizationName}/public-keys | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin or org admin | -| [ApiKeysFunctions](../../src/main/kotlin/azure/ApiKeysFunctions.kt) | deleteApiKey | DELETE | settings/organizations/{organizationName}/public-keys/{scope}/{kid} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin or org admin | -| [CheckFunction](../../src/main/kotlin/azure/CheckFunction.kt) | check | GET,POST | /api/check | x-functions-key | None | -| [CheckFunction](../../src/main/kotlin/azure/CheckFunction.kt) | checkreceiver | POST | /api/checkreceiver/org/{orgName}/receiver/{receiverName} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin or org admin | -| [CovidResultMetadataFunction](../../src/main/kotlin/azure/CovidResultMetaDataFunction.kt) | save-covid-result-metadata | GET | /api/saveTestData | x-functions-key | None | -| [EmailEngineFunction](../../src/main/kotlin/azure/EmailEngineFunction.kt) | createEmailSchedule | POST | /api/email-schedule | EmailEngineFunction.validateUser (Custom Okta) | System Admin | -| [EmailEngineFunction](../../src/main/kotlin/azure/EmailEngineFunction.kt) | deleteEmailSchedule | DELETE | /api/email-schedule/{scheduleId} | EmailEngineFunction.validateUser (Custom Okta) | System Admin | -| [EmailSenderFunction](../../src/main/kotlin/azure/EmailSenderFunction.kt) | emailRegisteredOrganization | POST | /api/email-registered | None | None | -| [SettingsFunctions](../../src/main/kotlin/azure/SettingsFunctions.kt) | getOrganizations | GET,HEAD | /api/settings/organizations | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | HEAD: System Admin
GET: System Admin, org admin, or org user | -| [SettingsFunctions](../../src/main/kotlin/azure/SettingsFunctions.kt) | getOneOrganization | GET | /api/settings/organizations/{organizationName} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, or org user | -| [SettingsFunctions](../../src/main/kotlin/azure/SettingsFunctions.kt) | getSenders | GET | /api/settings/organizations/{organizationName}/senders | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, or org user | -| [SettingsFunctions](../../src/main/kotlin/azure/SettingsFunctions.kt) | updateOneOrganization | DELETE,PUT | /api/settings/organizations/{organizationName} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | -| [SettingsFunctions](../../src/main/kotlin/azure/SettingsFunctions.kt) | getOneSender | GET | /api/settings/organizations/{organizationName}/senders/{senderName} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, or org user | -| [SettingsFunctions](../../src/main/kotlin/azure/SettingsFunctions.kt) | updateOneSender | DELETE,PUT | /api/settings/organizations/{organizationName}/senders/{senderName} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | -| [SettingsFunctions](../../src/main/kotlin/azure/SettingsFunctions.kt) | getReceivers | GET | /api/settings/organizations/{organizationName}/receivers | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, or org user | -| [SettingsFunctions](../../src/main/kotlin/azure/SettingsFunctions.kt) | getOneReceiver | GET | /api/settings/organizations/{organizationName}/receivers/{receiverName} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, or org user | -| [SettingsFunctions](../../src/main/kotlin/azure/SettingsFunctions.kt) | updateOneReceiver | DELETE,PUT | /api/settings/organizations/{organizationName}/receivers/{receiverName} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | -| [SettingsFunctions](../../src/main/kotlin/azure/SettingsFunctions.kt) | getSettingRevisionHistory | GET | /api/waters/org/{organizationName}/settings/revs/{settingSelector} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, or org user | -| [RequeueFunction](../../src/main/kotlin/azure/RequeueFunction.kt) | requeue | POST | /api/requeue/send | x-functions-key | None | -| [RequeueFunction](../../src/main/kotlin/azure/RequeueFunction.kt) | doResendFunction | POST | /api/adm/resend | [OktaAuthentication](../../src/main/kotlin/tokens/OktaAuthentication.kt) | System Admin | -| [TokenFunction](../../src/main/kotlin/azure/TokenFunction.kt) | token | POST | /api/token | [Server2ServerAuthentication](../../src/main/kotlin/tokens/Server2ServerAuthentication.kt) | Requires properly signed client assertion JWT | -| [HistoryFunctions](../../src/main/kotlin/azure/HistoryFunctions.kt) | getReports | GET,HEAD,OPTIONS | /api/history/report | HistoryFunctions.checkAuthenticated (Custom) | System Admin, org admin, or org user | -| [HistoryFunctions](../../src/main/kotlin/azure/HistoryFunctions.kt) | searchReports | POST | /api/v1/reports/search | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | -| [HistoryFunctions](../../src/main/kotlin/azure/HistoryFunctions.kt) | getReportById | GET | /api/history/report/{reportId} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | -| [HistoryFunctions](../../src/main/kotlin/azure/HistoryFunctions.kt) | getFacilitiesByReportId | GET | /api/history/report/{reportId}/facilities | HistoryFunctions.checkAuthenticated (Custom) | System Admin, org admin, org user | -| [LookupTableFunctions](../../src/main/kotlin/azure/LookupTableFunctions.kt) | getLookupTableList | GET,HEAD | /api/lookuptables/list | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | None | -| [LookupTableFunctions](../../src/main/kotlin/azure/LookupTableFunctions.kt) | getLookupTableData | GET | /api/lookuptables/{tableName}/{tableVersion}/content | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | None | -| [LookupTableFunctions](../../src/main/kotlin/azure/LookupTableFunctions.kt) | getActiveLookupTableData | GET | /api/lookuptables/{tableName}/content | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | None | -| [LookupTableFunctions](../../src/main/kotlin/azure/LookupTableFunctions.kt) | getLookupTableInfo | GET | /api/lookuptables/{tableName}/{tableVersion}/info | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | None | -| [LookupTableFunctions](../../src/main/kotlin/azure/LookupTableFunctions.kt) | createLookupTable | POST | /api/lookuptables/{tableName} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | -| [LookupTableFunctions](../../src/main/kotlin/azure/LookupTableFunctions.kt) | activateLookupTable | PUT | /api/lookuptables/{tableName}/{tableVersion}/activate | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | -| [MessagesFunctions](../../src/main/kotlin/azure/MessagesFunctions.kt) | messageSearch | GET | /api/messages | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | -| [MessagesFunctions](../../src/main/kotlin/azure/MessagesFunctions.kt) | messageDetails | GET | /api/message/{id} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | -| [MetaDataFunction](../../src/main/kotlin/azure/MetaDataFunction.kt) | getLivdData | GET | /api/metadata/livd | None | None | -| [ReportFunction](../../src/main/kotlin/azure/ReportFunction.kt) | reports | POST | /api/reports | x-functions-key | None | -| [ReportFunction](../../src/main/kotlin/azure/ReportFunction.kt) | getMessagesFromTestBank | POST | /api/reports/testing | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | -| [ReportFunction](../../src/main/kotlin/azure/ReportFunction.kt) | processFhirDataRequest | POST | /api/reports/testing/test | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | -| [ReportFunction](../../src/main/kotlin/azure/ReportFunction.kt) | downloadReport | GET | /api/reports/download | x-functions-key | None | -| [ReportFunction](../../src/main/kotlin/azure/ReportFunction.kt) | waters | POST | /api/waters | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | -| [ValidateFunction](../../src/main/kotlin/azure/ValidateFunction.kt) | validate | POST | /api/validate | None | None | -| [DeliveryFunction](../../src/main/kotlin/history/azure/DeliveryFunction.kt) | getDeliveriesV1 | POST | /api/v1/receivers/{receiverName}/deliveries | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | -| [DeliveryFunction](../../src/main/kotlin/history/azure/DeliveryFunction.kt) | getDeliveriesHistory | POST | /api/v1/waters/org/{organization}/deliveries | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | -| [DeliveryFunction](../../src/main/kotlin/history/azure/DeliveryFunction.kt) | getDeliveries | GET | /api/waters/org/{organization}/deliveries | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | -| [DeliveryFunction](../../src/main/kotlin/history/azure/DeliveryFunction.kt) | getDeliveryDetails | GET | /api/waters/report/{id}/delivery | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | -| [DeliveryFunction](../../src/main/kotlin/history/azure/DeliveryFunction.kt) | getEtorMetadataForDelivery | GET | /api/waters/report/{reportId}/delivery/etorMetadata | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | -| [DeliveryFunction](../../src/main/kotlin/history/azure/DeliveryFunction.kt) | getDeliveryFacilities | GET | /api/waters/report/{id}/facilities | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | -| [DeliveryFunction](../../src/main/kotlin/history/azure/DeliveryFunction.kt) | getReportItemsV1 | GET | /api/v1/report/{reportId}/items | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | -| [DeliveryFunction](../../src/main/kotlin/history/azure/DeliveryFunction.kt) | getSubmittersV1 | POST | /api/v1/receivers/{receiverName}/deliveries/submitters/search | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | -| [SubmissionFunction](../../src/main/kotlin/history/azure/SubmissionFunction.kt) | getOrgSubmissionsList | GET | /api/waters/org/{organization}/submissions | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | -| [SubmissionFunction](../../src/main/kotlin/history/azure/SubmissionFunction.kt) | getReportDetailedHistory | GET | /api/waters/report/{id}/history | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | -| [SubmissionFunction](../../src/main/kotlin/history/azure/SubmissionFunction.kt) | getEtorMetadataForHistory | GET | /api/waters/report/{reportId}/history/etorMetadata | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | +# Authorization Deep Dive + +## Current implementation + +To authorize a user for an endpoint, we compare the scopes that are present on the access token versus what scope is +required. + +### Scope Design + +- Scopes are in the format of `{organization}.{senderOrReceiver}.{role}` +- `organization` and `senderOrReceiver` can be omitted with a wildcard `*` or `default` + +There are 4 possible roles + +| Role | Definition | +|------------|---------------------------------------------------------------------------| +| primeadmin | system administrator with full access to all endpoints | +| admin | administrator with access to endpoints that manage their own organization | +| report | user with read access to endpoints scoped to their organization | +| report | able to submit a report as an organization | + + +Here are some examples given an organization of md-phd (Maryland Public Health Department) + +| Scope | Access | +|-------------------------|-------------------------------------------------------------| +| `*.*.primeadmin` | System Administrator | +| `md-phd.*.admin` | Organization Administrator | +| `md-phd.*.user` | Organization User | +| `md-phd.*.report` | Organization Report Submitter | +| `md-phd.default.admin` | Organization Administrator | +| `md-phd.default.user` | Organization User | +| `md-phd.default.report` | Organization Report Submitter | +| `md-phd.abc.admin` | Organization Administrator scoped to abc sender or receiver | +| `md-phd.abc.user` | Organization User scoped to abc sender or receiver | + + + +We currently have three methods of authenticating and authorizing a user or machine for accessing +ReportStream endpoints. + +### Server2Server + +This is ReportStream code that handles the client credentials OAuth 2.0 flow. This is most often used in machine-to-machine +communication such as senders. The important bit for authorization happens based on the scope requested in the request +to the /api/token endpoint. A member of the engagement team sets up a public key under a specific scope in the +organization settings. When a request for an access token comes in with a requested scope, we check the JWT assertion +against the public key under that scope in settings. + +If the request is successful, an access token is granted with a scope matching the pattern above. + +### Okta + +Users are all set up under our Okta instance. We add users to appropriate groups in Okta that correspond to what they +should be allowed to access. Those groups are in a custom claim called `organization` in the access token which +we then map to scopes that our system can handle. + +Here is the Okta group to Scope mapping strategy given an organization of md-phd (Maryland Public Health Department) + +| Okta Group | ReportStream Scope | +|-------------------------|--------------------| +| `DHPrimeAdmins` | `*.*.primeadmin` | +| `DHmd-phdAdmins` | `md-phd.*.admin` | +| `DHSender_md-phdAdmins` | `md-phd.*.admin` | +| `DHSender_md-phd` | `md-phd.*.user` | +| `DHmd-phd` | `md-phd.*.user` | +* Note: There is no group that maps to the `report` role + + +### Azure Function Keys + +This is the default authentication process built into the Azure functions library. It is still used on some endpoints +for its simplicity of setup. It includes no authorization check at all and should be deprecated for that reason. + + +## Authorization requirements by endpoint + +| Location | Function Name | Verb | URL | Auth Strategy | Role requirements | Restrictions | +|-------------------------------------------------------------------------------------------|-----------------------------|------------------|-------------------------------------------------------------------------|--------------------------------------------------------------------------------------------|------------------------------------------------------------------|----------------------------------| +| [SenderFilesFunction](../../src/main/kotlin/azure/SenderFilesFunction.kt) | getSenderFiles | GET | /api/sender-files | [OktaAuthentication](../../src/main/kotlin/tokens/OktaAuthentication.kt) | System Admin | None | +| [AdminApiFunctions](../../src/main/kotlin/azure/AdminApiFunctions.kt) | getSendFailures | GET | /api/adm/getsendfailures | [OktaAuthentication](../../src/main/kotlin/tokens/OktaAuthentication.kt) | System Admin | None | +| [AdminApiFunctions](../../src/main/kotlin/azure/AdminApiFunctions.kt) | listreceiversconnstatus | GET | /api/adm/listreceiversconnstatus | [OktaAuthentication](../../src/main/kotlin/tokens/OktaAuthentication.kt) | System Admin | None | +| [AdminApiFunctions](../../src/main/kotlin/azure/AdminApiFunctions.kt) | getresend | GET | /api/adm/getresend | [OktaAuthentication](../../src/main/kotlin/tokens/OktaAuthentication.kt) | System Admin | None | +| [ApiKeysFunctions](../../src/main/kotlin/azure/ApiKeysFunctions.kt) | getApiKeys | GET | /api/settings/organizations/{organizationName}/public-keys | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, or org user | Organization | +| [ApiKeysFunctions](../../src/main/kotlin/azure/ApiKeysFunctions.kt) | getApiKeysV1 | GET | /api/v1/settings/organizations/{organizationName}/public-keys | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, or org user | Organization | +| [ApiKeysFunctions](../../src/main/kotlin/azure/ApiKeysFunctions.kt) | postApiKey | POST | /api/settings/organizations/{organizationName}/public-keys | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin or org admin | Organization | +| [ApiKeysFunctions](../../src/main/kotlin/azure/ApiKeysFunctions.kt) | deleteApiKey | DELETE | settings/organizations/{organizationName}/public-keys/{scope}/{kid} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin or org admin | Organization | +| [CheckFunction](../../src/main/kotlin/azure/CheckFunction.kt) | check | GET,POST | /api/check | x-functions-key | None | None | +| [CheckFunction](../../src/main/kotlin/azure/CheckFunction.kt) | checkreceiver | POST | /api/checkreceiver/org/{orgName}/receiver/{receiverName} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin or org admin | Organization | +| [CovidResultMetadataFunction](../../src/main/kotlin/azure/CovidResultMetaDataFunction.kt) | save-covid-result-metadata | GET | /api/saveTestData | x-functions-key | None | None | +| [EmailEngineFunction](../../src/main/kotlin/azure/EmailEngineFunction.kt) | createEmailSchedule | POST | /api/email-schedule | EmailEngineFunction.validateUser (Custom Okta) | System Admin | None | +| [EmailEngineFunction](../../src/main/kotlin/azure/EmailEngineFunction.kt) | deleteEmailSchedule | DELETE | /api/email-schedule/{scheduleId} | EmailEngineFunction.validateUser (Custom Okta) | System Admin | None | +| [EmailSenderFunction](../../src/main/kotlin/azure/EmailSenderFunction.kt) | emailRegisteredOrganization | POST | /api/email-registered | None | None | None | +| [SettingsFunctions](../../src/main/kotlin/azure/SettingsFunctions.kt) | getOrganizations | GET,HEAD | /api/settings/organizations | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | HEAD: System Admin
GET: System Admin, org admin, or org user | Head: None
GET: Organization | +| [SettingsFunctions](../../src/main/kotlin/azure/SettingsFunctions.kt) | getOneOrganization | GET | /api/settings/organizations/{organizationName} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, or org user | Organization | +| [SettingsFunctions](../../src/main/kotlin/azure/SettingsFunctions.kt) | getSenders | GET | /api/settings/organizations/{organizationName}/senders | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, or org user | Organization | +| [SettingsFunctions](../../src/main/kotlin/azure/SettingsFunctions.kt) | updateOneOrganization | DELETE,PUT | /api/settings/organizations/{organizationName} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | None | +| [SettingsFunctions](../../src/main/kotlin/azure/SettingsFunctions.kt) | getOneSender | GET | /api/settings/organizations/{organizationName}/senders/{senderName} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, or org user | Organization | +| [SettingsFunctions](../../src/main/kotlin/azure/SettingsFunctions.kt) | updateOneSender | DELETE,PUT | /api/settings/organizations/{organizationName}/senders/{senderName} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | None | +| [SettingsFunctions](../../src/main/kotlin/azure/SettingsFunctions.kt) | getReceivers | GET | /api/settings/organizations/{organizationName}/receivers | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, or org user | Organization | +| [SettingsFunctions](../../src/main/kotlin/azure/SettingsFunctions.kt) | getOneReceiver | GET | /api/settings/organizations/{organizationName}/receivers/{receiverName} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, or org user | Organization | +| [SettingsFunctions](../../src/main/kotlin/azure/SettingsFunctions.kt) | updateOneReceiver | DELETE,PUT | /api/settings/organizations/{organizationName}/receivers/{receiverName} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | None | +| [SettingsFunctions](../../src/main/kotlin/azure/SettingsFunctions.kt) | getSettingRevisionHistory | GET | /api/waters/org/{organizationName}/settings/revs/{settingSelector} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, or org user | Organization | +| [RequeueFunction](../../src/main/kotlin/azure/RequeueFunction.kt) | requeue | POST | /api/requeue/send | x-functions-key | None | None | +| [RequeueFunction](../../src/main/kotlin/azure/RequeueFunction.kt) | doResendFunction | POST | /api/adm/resend | [OktaAuthentication](../../src/main/kotlin/tokens/OktaAuthentication.kt) | System Admin | None | +| [TokenFunction](../../src/main/kotlin/azure/TokenFunction.kt) | token | POST | /api/token | [Server2ServerAuthentication](../../src/main/kotlin/tokens/Server2ServerAuthentication.kt) | Requires properly signed client assertion JWT | None | +| [HistoryFunctions](../../src/main/kotlin/azure/HistoryFunctions.kt) | getReports | GET,HEAD,OPTIONS | /api/history/report | HistoryFunctions.checkAuthenticated (Custom) | System Admin or org user (no org Admin) | Organization | +| [HistoryFunctions](../../src/main/kotlin/azure/HistoryFunctions.kt) | searchReports | POST | /api/v1/reports/search | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | None | +| [HistoryFunctions](../../src/main/kotlin/azure/HistoryFunctions.kt) | getReportById | GET | /api/history/report/{reportId} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | Organization | +| [HistoryFunctions](../../src/main/kotlin/azure/HistoryFunctions.kt) | getFacilitiesByReportId | GET | /api/history/report/{reportId}/facilities | HistoryFunctions.checkAuthenticated (Custom) | System Admin or org user (no org Admin) | Organization | +| [LookupTableFunctions](../../src/main/kotlin/azure/LookupTableFunctions.kt) | getLookupTableList | GET,HEAD | /api/lookuptables/list | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | None | None | +| [LookupTableFunctions](../../src/main/kotlin/azure/LookupTableFunctions.kt) | getLookupTableData | GET | /api/lookuptables/{tableName}/{tableVersion}/content | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | None | None | +| [LookupTableFunctions](../../src/main/kotlin/azure/LookupTableFunctions.kt) | getActiveLookupTableData | GET | /api/lookuptables/{tableName}/content | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | None | None | +| [LookupTableFunctions](../../src/main/kotlin/azure/LookupTableFunctions.kt) | getLookupTableInfo | GET | /api/lookuptables/{tableName}/{tableVersion}/info | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | None | None | +| [LookupTableFunctions](../../src/main/kotlin/azure/LookupTableFunctions.kt) | createLookupTable | POST | /api/lookuptables/{tableName} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | None | +| [LookupTableFunctions](../../src/main/kotlin/azure/LookupTableFunctions.kt) | activateLookupTable | PUT | /api/lookuptables/{tableName}/{tableVersion}/activate | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | None | +| [MessagesFunctions](../../src/main/kotlin/azure/MessagesFunctions.kt) | messageSearch | GET | /api/messages | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | None | +| [MessagesFunctions](../../src/main/kotlin/azure/MessagesFunctions.kt) | messageDetails | GET | /api/message/{id} | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | None | +| [MetaDataFunction](../../src/main/kotlin/azure/MetaDataFunction.kt) | getLivdData | GET | /api/metadata/livd | None | None | None | +| [ReportFunction](../../src/main/kotlin/azure/ReportFunction.kt) | reports | POST | /api/reports | x-functions-key | None | None | +| [ReportFunction](../../src/main/kotlin/azure/ReportFunction.kt) | getMessagesFromTestBank | POST | /api/reports/testing | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | None | +| [ReportFunction](../../src/main/kotlin/azure/ReportFunction.kt) | processFhirDataRequest | POST | /api/reports/testing/test | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | None | +| [ReportFunction](../../src/main/kotlin/azure/ReportFunction.kt) | downloadReport | GET | /api/reports/download | x-functions-key | None | None | +| [ReportFunction](../../src/main/kotlin/azure/ReportFunction.kt) | waters | POST | /api/waters | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | Organization and Sender | +| [ValidateFunction](../../src/main/kotlin/azure/ValidateFunction.kt) | validate | POST | /api/validate | None | None | None | +| [DeliveryFunction](../../src/main/kotlin/history/azure/DeliveryFunction.kt) | getDeliveriesV1 | POST | /api/v1/receivers/{receiverName}/deliveries | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | Organization | +| [DeliveryFunction](../../src/main/kotlin/history/azure/DeliveryFunction.kt) | getDeliveriesHistory | POST | /api/v1/waters/org/{organization}/deliveries | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | Organization | +| [DeliveryFunction](../../src/main/kotlin/history/azure/DeliveryFunction.kt) | getDeliveries | GET | /api/waters/org/{organization}/deliveries | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | Organization | +| [DeliveryFunction](../../src/main/kotlin/history/azure/DeliveryFunction.kt) | getDeliveryDetails | GET | /api/waters/report/{id}/delivery | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | Organization | +| [DeliveryFunction](../../src/main/kotlin/history/azure/DeliveryFunction.kt) | getEtorMetadataForDelivery | GET | /api/waters/report/{reportId}/delivery/etorMetadata | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | Organization | +| [DeliveryFunction](../../src/main/kotlin/history/azure/DeliveryFunction.kt) | getDeliveryFacilities | GET | /api/waters/report/{id}/facilities | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | Organization | +| [DeliveryFunction](../../src/main/kotlin/history/azure/DeliveryFunction.kt) | getReportItemsV1 | GET | /api/v1/report/{reportId}/items | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin | None | +| [DeliveryFunction](../../src/main/kotlin/history/azure/DeliveryFunction.kt) | getSubmittersV1 | POST | /api/v1/receivers/{receiverName}/deliveries/submitters/search | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | Organization | +| [SubmissionFunction](../../src/main/kotlin/history/azure/SubmissionFunction.kt) | getOrgSubmissionsList | GET | /api/waters/org/{organization}/submissions | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | Organization | +| [SubmissionFunction](../../src/main/kotlin/history/azure/SubmissionFunction.kt) | getReportDetailedHistory | GET | /api/waters/report/{id}/history | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | Organization | +| [SubmissionFunction](../../src/main/kotlin/history/azure/SubmissionFunction.kt) | getEtorMetadataForHistory | GET | /api/waters/report/{reportId}/history/etorMetadata | [AuthenticatedClaims](../../src/main/kotlin/tokens/AuthenticatedClaims.kt) | System Admin, org admin, org user, or report | Organization | + +*This is valid as of 12/11/24 \ No newline at end of file diff --git a/prime-router/src/test/kotlin/tokens/ScopeTests.kt b/prime-router/src/test/kotlin/tokens/ScopeTests.kt index 8e3e1ad53b2..c0d0caf36da 100644 --- a/prime-router/src/test/kotlin/tokens/ScopeTests.kt +++ b/prime-router/src/test/kotlin/tokens/ScopeTests.kt @@ -144,4 +144,23 @@ class ScopeTests { assertThat(Scope.scopeListContainsScope("x x", "")).isFalse() assertThat(Scope.scopeListContainsScope("x x", " ")).isFalse() } + + @Test + fun `test mapped scopes`() { + val groupMemberships = listOf( + "DHPrimeAdmins", + "DHmd-phdAdmins", + "DHSender_md-phd", + "DHmd-phd" + ) + + val mappedScopes = Scope.mapOktaGroupsToScopes(groupMemberships) + + val expected = setOf( + "*.*.primeadmin", + "md-phd.*.admin", + "md-phd.*.user" + ) + assertThat(mappedScopes).isEqualTo(expected) + } } \ No newline at end of file