haste-access-control 0.12.0

Access control utilities for Haste Health FHIR server and clients.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100

use crate::request_reflection::RequestReflection;
use haste_fhir_client::{
    FHIRClient,
    request::{FHIRRequest, FHIRResponse},
};
use haste_fhir_operation_error::{OperationOutcomeError, derive::OperationOutcomeError};
use haste_fhirpath::FPEngine;
use haste_jwt::{ProjectId, TenantId};
use haste_reflect::{MetaValue, derive::Reflect};
use std::{collections::HashMap, sync::Arc};

#[derive(PartialEq, Eq, Debug)]
pub enum PermissionLevel {
    Deny,
    Undetermined,
    Allow,
}

impl From<&PermissionLevel> for i8 {
    fn from(level: &PermissionLevel) -> Self {
        match level {
            PermissionLevel::Deny => -1,
            PermissionLevel::Undetermined => 0,
            PermissionLevel::Allow => 1,
        }
    }
}

#[derive(Debug, OperationOutcomeError)]
pub enum PermissionLevelError {
    #[error(
        code = "invalid",
        diagnostic = "Invalid permission level value: '{arg0}'."
    )]
    InvalidPermissionLevel(i8),
}

impl TryFrom<i8> for PermissionLevel {
    type Error = PermissionLevelError;

    fn try_from(value: i8) -> Result<Self, Self::Error> {
        match value {
            -1 => Ok(PermissionLevel::Deny),
            0 => Ok(PermissionLevel::Undetermined),
            1 => Ok(PermissionLevel::Allow),
            _ => Err(PermissionLevelError::InvalidPermissionLevel(value)),
        }
    }
}

#[derive(Debug, Reflect)]
pub struct UserInfo {
    pub id: String,
}

#[derive(Debug)]
pub struct PolicyEnvironment {
    pub tenant: TenantId,
    pub project: ProjectId,
    pub request: Arc<RequestReflection>,
    pub user: Arc<UserInfo>,
}

impl PolicyEnvironment {
    pub fn new(
        tenant: TenantId,
        project: ProjectId,
        request: FHIRRequest,
        user: Arc<UserInfo>,
    ) -> Self {
        Self {
            tenant,
            project,
            request: Arc::new(RequestReflection::from(request)),
            user,
        }
    }
}

pub struct PolicyContext<CTX, Client: FHIRClient<CTX, OperationOutcomeError>> {
    pub fp_engine: haste_fhirpath::FPEngine,
    pub client: Arc<Client>,
    pub client_context: CTX,

    #[allow(dead_code)]
    attributes_cache: HashMap<String, FHIRResponse>,
    pub environment: PolicyEnvironment,
}

impl<CTX, Client: FHIRClient<CTX, OperationOutcomeError>> PolicyContext<CTX, Client> {
    pub fn new(client: Arc<Client>, client_context: CTX, environment: PolicyEnvironment) -> Self {
        Self {
            fp_engine: FPEngine::new(),
            client,
            client_context,
            attributes_cache: HashMap::new(),
            environment,
        }
    }
}