Skip to content

Issue/317 endpoint thumbprints #318

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
hhund merged 11 commits into from
May 28, 2025
Merged

Issue/317 endpoint thumbprints #318

hhund merged 11 commits into from
May 28, 2025

Conversation

@hhund
Copy link
Member

@hhund hhund commented May 26, 2025
edited
Loading

Modifications to support optional thumbprints on Endpoint resource

  • Identity classes now include a field for the associated Endpoint resource. For a remote user authenticated by client certificate the code tries to find the matching Endpoint resource by looking for an Endpoint in the Database with a matching thumbprint, if no resource is found and only one Endpoint exists for the matched organization, the matching Endpoint resource is used. If there are multiple Endpoint resources for the matched organization, no Endpoint is returned and the Task authorization code falls back to the old behavior of using all ActivityDefinition resources of the organization, to allow Task creates. For the local client certificate or "practitioner" users the local Endpoint based on the baseUrl address is used.
  • When retrieving OrganizationAffiliation resources in the TaskAuthorizationRule for the requester and recipient, the associated Endpoint (if known) is used to query the DB more precisely.
  • Plugin loading code modified to change the baseDefinition property of StructureDefinition resource for Task profiles. The baseDefinition may not include a version in order for the Base-Task profile to be updated to version 2.0.0. Process plugins usually do not specify the Base-Task version specific.
  • OrganizationAffiliationHistoryIdentityFilter inheritance fix with no change to the behavior.
  • Changes the endpoint max value in the OrganizationAffiliation profile to reflect check in OrganizationAffiliationAuthorizationRule implementation.
  • Some additional tests, code cleanup, incl. class to record conversions.
  • Improved BundleGenerator to throw error if dependent resources not found, fixed DELETE entries missing from final bundle.
  • Keycloak and nginx version upgrades in 3dic/ttp dev setup.
  • Fixed missing 200 OK return in BackChannelLogoutAuthenticator.

closes #317

hhund added 4 commits May 26, 2025 19:19
@hhund
allow-list and task-base profile mods for thumbprints in endpoint (1/2)
e5acdfa 
- renamed files
@hhund
allow-list and task-base profile mods for thumbprints in endpoint (1/2)
14683eb 
- versions to 2.0.0
- thumbprint extension optionally allowed for Endpoint resources
- formatting
@hhund
improved BundleGenerator to throw error if dependent resources not found
0488178
@hhund
modifications to support optional thumbprints on endpoint resource
87cfbb5 
- Identity classes now include a field for the associated Endpoint
resource. For a remote user authenticated by client certificate the code
tries to find the matching Endpoint resource by looking for an Endpoint
in the Database with a matching thumbprint, if no resource is found and
only one Endpoint exists for the matched organization, the matching
Endpoint resource is used. If there are multiple Endpoint resources for
the matched organization, no Endpoint is returned and the Task
authorization code falls back to the old behavior of using all
ActivityDefinition resources of the organization, to allow Task creates.
For the local client certificate or "practitioner" users the local
Endpoint based on the baseUrl address is used.
- When retrieving OrganizationAffiliation resources in the
TaskAuthorizationRule for the requester and recipient, the associated
Endpoint (if known) is used to query the DB more precisely.
- Plugin loading code modified to change the baseDefinition property of
StructureDefinition resource for Task profiles. The baseDefinition may
not include a version in order for the Base-Task profile to be updated
to version 2.0.0. Process plugins usually do not specify the Base-Task
version specific.
- OrganizationAffiliationHistoryIdentityFilter inheritance fix with no
change to the behavior.
- Some additional tests, code cleanup, incl. class to record
conversions.
@hhund hhund added this to the 2.0.0 milestone May 26, 2025
@hhund hhund requested review from schwzr and wetret May 26, 2025 18:17
@hhund hhund self-assigned this May 26, 2025
@hhund hhund merged commit d35e8c1 into develop_2 May 28, 2025
4 checks passed
@hhund hhund linked an issue May 30, 2025 that may be closed by this pull request
Improve Allow-List and Enable Thumbprints on Endpoint Resources #317
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@schwzr schwzr schwzr approved these changes

@wetret wetret Awaiting requested review from wetret

Assignees

@hhund hhund

Labels

None yet

Projects

None yet

Milestone

2.0.0

Development

Successfully merging this pull request may close these issues.

Improve Allow-List and Enable Thumbprints on Endpoint Resources

3 participants

@hhund @schwzr