294 lines
11 KiB
Go
294 lines
11 KiB
Go
package models
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/json"
|
|
"fmt"
|
|
"github.com/fastenhealth/fasten-onprem/backend/pkg/jwk"
|
|
sourcesPkg "github.com/fastenhealth/fasten-sources/pkg"
|
|
"github.com/google/uuid"
|
|
"github.com/lestrrat-go/jwx/v2/jwa"
|
|
"github.com/lestrrat-go/jwx/v2/jwt"
|
|
"io"
|
|
"log"
|
|
"net/http"
|
|
"net/url"
|
|
"time"
|
|
)
|
|
|
|
// SourceCredential Data/Medical Provider Credentials
|
|
// similar to LighthouseSourceDefinition from fasten-source
|
|
type SourceCredential struct {
|
|
ModelBase
|
|
User *User `json:"user,omitempty"`
|
|
UserID uuid.UUID `json:"user_id" gorm:"uniqueIndex:idx_user_source_patient"`
|
|
SourceType sourcesPkg.SourceType `json:"source_type" gorm:"uniqueIndex:idx_user_source_patient"`
|
|
Patient string `json:"patient" gorm:"uniqueIndex:idx_user_source_patient"`
|
|
|
|
LatestBackgroundJob *BackgroundJob `json:"latest_background_job,omitempty"`
|
|
LatestBackgroundJobID *uuid.UUID `json:"-"`
|
|
|
|
//oauth endpoints
|
|
AuthorizationEndpoint string `json:"authorization_endpoint"`
|
|
TokenEndpoint string `json:"token_endpoint"`
|
|
IntrospectionEndpoint string `json:"introspection_endpoint"`
|
|
RegistrationEndpoint string `json:"registration_endpoint"` //optional - required when Dynamic Client Registration mode is set
|
|
|
|
Scopes []string `json:"scopes_supported" gorm:"type:text;serializer:json"`
|
|
Issuer string `json:"issuer"`
|
|
GrantTypesSupported []string `json:"grant_types_supported" gorm:"type:text;serializer:json"`
|
|
ResponseType []string `json:"response_types_supported" gorm:"type:text;serializer:json"`
|
|
ResponseModesSupported []string `json:"response_modes_supported" gorm:"type:text;serializer:json"`
|
|
Audience string `json:"aud"` //optional - required for some providers
|
|
CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported" gorm:"type:text;serializer:json"`
|
|
|
|
//Fasten custom configuration
|
|
UserInfoEndpoint string `json:"userinfo_endpoint"` //optional - supported by some providers, not others.
|
|
ApiEndpointBaseUrl string `json:"api_endpoint_base_url"` //api endpoint we'll communicate with after authentication
|
|
ClientId string `json:"client_id"`
|
|
RedirectUri string `json:"redirect_uri"` //lighthouse url the provider will redirect to (registered with App)
|
|
|
|
Confidential bool `json:"confidential"` //if enabled, requires client_secret to authenticate with provider (PKCE)
|
|
DynamicClientRegistrationMode string `json:"dynamic_client_registration_mode"` //if enabled, will dynamically register client with provider (https://oauth.net/2/dynamic-client-registration/)
|
|
CORSRelayRequired bool `json:"cors_relay_required"` //if true, requires CORS proxy/relay, as provider does not return proper response to CORS preflight
|
|
//SecretKeyPrefix string `json:"-"` //the secret key prefix to use, if empty (default) will use the sourceType value
|
|
|
|
// auth/credential data
|
|
AccessToken string `json:"access_token"`
|
|
RefreshToken string `json:"refresh_token"`
|
|
IdToken string `json:"id_token"`
|
|
ExpiresAt int64 `json:"expires_at"`
|
|
CodeChallenge string `json:"code_challenge"`
|
|
CodeVerifier string `json:"code_verifier"`
|
|
|
|
//dynamic client auth/credential data
|
|
DynamicClientJWKS []map[string]string `json:"dynamic_client_jwks" gorm:"type:text;serializer:json"`
|
|
DynamicClientId string `json:"dynamic_client_id"`
|
|
}
|
|
|
|
func (s *SourceCredential) GetSourceType() sourcesPkg.SourceType {
|
|
return s.SourceType
|
|
}
|
|
|
|
func (s *SourceCredential) GetClientId() string {
|
|
return s.ClientId
|
|
}
|
|
|
|
func (s *SourceCredential) GetPatientId() string {
|
|
return s.Patient
|
|
}
|
|
|
|
func (s *SourceCredential) GetOauthAuthorizationEndpoint() string {
|
|
return s.AuthorizationEndpoint
|
|
}
|
|
|
|
func (s *SourceCredential) GetOauthTokenEndpoint() string {
|
|
return s.TokenEndpoint
|
|
}
|
|
|
|
func (s *SourceCredential) GetApiEndpointBaseUrl() string {
|
|
return s.ApiEndpointBaseUrl
|
|
}
|
|
|
|
func (s *SourceCredential) GetRefreshToken() string {
|
|
return s.RefreshToken
|
|
}
|
|
|
|
func (s *SourceCredential) GetAccessToken() string {
|
|
return s.AccessToken
|
|
}
|
|
|
|
func (s *SourceCredential) GetExpiresAt() int64 {
|
|
return s.ExpiresAt
|
|
}
|
|
|
|
func (s *SourceCredential) SetTokens(accessToken string, refreshToken string, expiresAt int64) {
|
|
if expiresAt > 0 && expiresAt != s.ExpiresAt {
|
|
s.ExpiresAt = expiresAt
|
|
}
|
|
|
|
if accessToken != s.AccessToken {
|
|
// update the "source" credential with new data (which will need to be sent
|
|
s.AccessToken = accessToken
|
|
// Don't overwrite `RefreshToken` with an empty value
|
|
// if this was a token refreshing request.
|
|
if refreshToken != "" {
|
|
s.RefreshToken = refreshToken
|
|
}
|
|
}
|
|
}
|
|
|
|
/*
|
|
serverUrl: connectData.message.api_endpoint_base_url,
|
|
clientId: connectData.message.client_id,
|
|
redirectUri: connectData.message.redirect_uri,
|
|
tokenUri: `${connectData.message.oauth_endpoint_base_url}/token`,
|
|
scope: connectData.message.scopes.join(' '),
|
|
tokenResponse: payload,
|
|
expiresAt: getAccessTokenExpiration(payload, new BrowserAdapter()),
|
|
codeChallenge: codeChallenge,
|
|
codeVerifier: codeVerifier
|
|
*/
|
|
|
|
// IsDynamicClient this method is used to check if this source uses dynamic client registration (used to customize token refresh logic)
|
|
func (s *SourceCredential) IsDynamicClient() bool {
|
|
return len(s.DynamicClientRegistrationMode) > 0
|
|
}
|
|
|
|
// This method will generate a new keypair, register a new dynamic client with the provider
|
|
// it will set the following fields:
|
|
// - DynamicClientJWKS
|
|
// - DynamicClientId
|
|
func (s *SourceCredential) RegisterDynamicClient() error {
|
|
|
|
//this source requires dynamic client registration
|
|
// see https://fhir.epic.com/Documentation?docId=Oauth2§ion=Standalone-Oauth2-OfflineAccess-0
|
|
|
|
// Generate a public-private key pair
|
|
// Must be 2048 bits (larger keys will silently fail when used with Epic, untested on other providers)
|
|
sourceSpecificClientKeyPair, err := jwk.JWKGenerate()
|
|
if err != nil {
|
|
return fmt.Errorf("an error occurred while generating device-specific keypair for dynamic client: %w", err)
|
|
}
|
|
|
|
//store in sourceCredential
|
|
serializedKeypair, err := jwk.JWKSerialize(sourceSpecificClientKeyPair)
|
|
if err != nil {
|
|
return fmt.Errorf("an error occurred while serializing keypair for dynamic client: %w", err)
|
|
}
|
|
s.DynamicClientJWKS = []map[string]string{
|
|
serializedKeypair,
|
|
}
|
|
|
|
//generate dynamic client registration request
|
|
payload := ClientRegistrationRequest{
|
|
SoftwareId: s.ClientId,
|
|
Jwks: ClientRegistrationRequestJwks{
|
|
Keys: []ClientRegistrationRequestJwksKey{
|
|
{
|
|
KeyType: "RSA",
|
|
KeyId: serializedKeypair["kid"],
|
|
Modulus: serializedKeypair["n"],
|
|
PublicExponent: serializedKeypair["e"],
|
|
},
|
|
},
|
|
},
|
|
}
|
|
payloadBytes, err := json.Marshal(payload)
|
|
if err != nil {
|
|
return fmt.Errorf("an error occurred while marshalling dynamic client registration request: %w", err)
|
|
}
|
|
|
|
//http.Post("https://fhir.epic.com/interconnect-fhir-oauth/oauth2/token", "application/x-www-form-urlencoded", bytes.NewBuffer([]byte(fmt.Sprintf("grant_type=client_credentials&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=%s&scope=system/Patient.read", sourceSpecificClientKeyPair))))
|
|
req, err := http.NewRequest(http.MethodPost, s.RegistrationEndpoint, bytes.NewBuffer(payloadBytes))
|
|
if err != nil {
|
|
return fmt.Errorf("an error occurred while generating dynamic client registration request: %w", err)
|
|
}
|
|
req.Header.Set("Content-Type", "application/json")
|
|
req.Header.Set("Accept", "application/json")
|
|
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", s.AccessToken))
|
|
|
|
registrationResponse, err := http.DefaultClient.Do(req)
|
|
|
|
if err != nil {
|
|
return fmt.Errorf("an error occurred while sending dynamic client registration request: %w", err)
|
|
}
|
|
defer registrationResponse.Body.Close()
|
|
if registrationResponse.StatusCode >= 300 || registrationResponse.StatusCode < 200 {
|
|
b, err := io.ReadAll(registrationResponse.Body)
|
|
if err == nil {
|
|
log.Printf("Error Response body: %s", string(b))
|
|
}
|
|
return fmt.Errorf("an error occurred while reading dynamic client registration response, status code was not 200: %d", registrationResponse.StatusCode)
|
|
|
|
}
|
|
|
|
//read response
|
|
var registrationResponseBytes ClientRegistrationResponse
|
|
err = json.NewDecoder(registrationResponse.Body).Decode(®istrationResponseBytes)
|
|
if err != nil {
|
|
return fmt.Errorf("an error occurred while parsing dynamic client registration response: %w", err)
|
|
}
|
|
|
|
//store the dynamic client id
|
|
s.DynamicClientId = registrationResponseBytes.ClientId
|
|
return nil
|
|
}
|
|
|
|
// this will set/update the AccessToken and Expiry using the dynamic client credentials
|
|
// it will set the following fields:
|
|
// - AccessToken
|
|
// - ExpiresAt
|
|
func (s *SourceCredential) RefreshDynamicClientAccessToken() error {
|
|
if len(s.DynamicClientRegistrationMode) == 0 {
|
|
return fmt.Errorf("dynamic client registration mode not set")
|
|
}
|
|
if len(s.DynamicClientJWKS) == 0 {
|
|
return fmt.Errorf("dynamic client jwks not set")
|
|
}
|
|
if len(s.DynamicClientId) == 0 {
|
|
return fmt.Errorf("dynamic client id not set")
|
|
}
|
|
|
|
//convert the serialized dynamic-client credentials to a jwx.Key
|
|
jwkeypair, err := jwk.JWKDeserialize(s.DynamicClientJWKS[0])
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// see https://github.com/lestrrat-go/jwx/tree/v2/jwt#token-usage
|
|
t := jwt.New()
|
|
t.Set("kid", jwkeypair.KeyID())
|
|
t.Set(jwt.SubjectKey, s.DynamicClientId)
|
|
t.Set(jwt.AudienceKey, s.TokenEndpoint)
|
|
t.Set(jwt.JwtIDKey, uuid.New().String())
|
|
t.Set(jwt.ExpirationKey, time.Now().Add(time.Minute*2).Unix()) // must be less than 5 minutes from now. Time when this JWT expires
|
|
t.Set(jwt.IssuedAtKey, time.Now().Unix())
|
|
t.Set(jwt.IssuerKey, s.DynamicClientId)
|
|
|
|
//sign the jwt with the private key
|
|
// Signing a token (using raw rsa.PrivateKey)
|
|
signed, err := jwt.Sign(t, jwt.WithKey(jwa.RS256, jwkeypair))
|
|
if err != nil {
|
|
return fmt.Errorf("failed to sign dynamic-client jwt: %s", err)
|
|
}
|
|
|
|
//send this signed jwt to the token endpoint to get a new access token
|
|
// https://fhir.epic.com/Documentation?docId=oauth2§ion=JWKS
|
|
|
|
postForm := url.Values{
|
|
"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"},
|
|
"assertion": {string(signed)},
|
|
"client_id": {s.DynamicClientId},
|
|
}
|
|
|
|
tokenResp, err := http.PostForm(s.TokenEndpoint, postForm)
|
|
|
|
if err != nil {
|
|
return fmt.Errorf("an error occurred while sending dynamic client token request, %s", err)
|
|
}
|
|
|
|
defer tokenResp.Body.Close()
|
|
if tokenResp.StatusCode >= 300 || tokenResp.StatusCode < 200 {
|
|
|
|
b, err := io.ReadAll(tokenResp.Body)
|
|
if err == nil {
|
|
log.Printf("Error Response body: %s", string(b))
|
|
}
|
|
|
|
return fmt.Errorf("an error occurred while reading dynamic client token response, status code was not 200: %d", tokenResp.StatusCode)
|
|
}
|
|
|
|
var registrationTokenResponseBytes ClientRegistrationTokenResponse
|
|
err = json.NewDecoder(tokenResp.Body).Decode(®istrationTokenResponseBytes)
|
|
if err != nil {
|
|
return fmt.Errorf("an error occurred while parsing dynamic client token response: %v", err)
|
|
}
|
|
|
|
//update the source credential with the new access token
|
|
s.AccessToken = registrationTokenResponseBytes.AccessToken
|
|
s.ExpiresAt = time.Now().Add(time.Second * time.Duration(registrationTokenResponseBytes.ExpiresIn)).Unix()
|
|
|
|
return nil
|
|
}
|