KOP-766: Alligned "User Authentication" AuditEvent with the TOP-11 re…

…quirements
Koppeltaal · Apr 5, 2024 · 04d6a6f · 04d6a6f
1 parent be17330
commit 04d6a6f
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 13 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+.idea
+__pycache__
diff --git a/application/fhir_logging_client/service.py b/application/fhir_logging_client/service.py
@@ -15,11 +15,11 @@
 class FhirLoggingService:
 
     @staticmethod
-    def register_idp_interaction(entity_what_reference: str, trace_headers: dict):
+    def register_idp_interaction(entity_what_reference: str, requesting_client_id: str, trace_headers: dict):
 
         logger.info(f"Registering idp interaction for entity: [{entity_what_reference}]")
 
-        audit_event = FhirLoggingService._get_audit_event(entity_what_reference, trace_headers)
+        audit_event = FhirLoggingService._get_audit_event(entity_what_reference, requesting_client_id, trace_headers)
         access_token = token_service.get_system_access_token()
 
         endpoint = f'{current_app.config["FHIR_CLIENT_SERVERURL"]}/AuditEvent'
@@ -38,7 +38,7 @@ def register_idp_interaction(entity_what_reference: str, trace_headers: dict):
         return response
 
     @staticmethod
-    def _get_audit_event(entity_what_reference: str, trace_headers: dict):
+    def _get_audit_event(entity_what_reference: str, requesting_client_id: str, trace_headers: dict):
 
         entity_type = entity_what_reference.split("/")[0]
         if entity_type != "Patient" and entity_type != "Practitioner":
@@ -92,14 +92,14 @@ def _get_audit_event(entity_what_reference: str, trace_headers: dict):
                         ]
                     },
                     "who": {
-                        "reference": f"Device/{current_app.config['SMART_BACKEND_SERVICE_DEVICE_ID']}",
+                        "reference": f"Device/{requesting_client_id}",
                         "type": "Device"
                     },
                     "requestor": True
                 }
             ],
             "source": {
-                "site": "DEFAULT tenant",
+                "site": current_app.config['AUTH_SERVER_ISS'],
                 "observer": {
                     "reference": f"Device/{current_app.config['SMART_BACKEND_SERVICE_DEVICE_ID']}",
                     "type": "Device"

diff --git a/application/idp_client/service.py b/application/idp_client/service.py
@@ -93,7 +93,7 @@ def consume_idp_code(self) -> Tuple[str, int]:
 
         logger.info(f'[{oauth2_session.id}] user id matched between HTI and IDP by user_identifier [{user_identifier}]')
 
-        fhir_logging_service.register_idp_interaction(f'Patient/{launching_user_resource["id"]}', trace_headers)
+        fhir_logging_service.register_idp_interaction(f'Patient/{launching_user_resource["id"]}', oauth2_session.client_id, trace_headers)
 
         # As the user has been verified, finish the initial OAuth launch flow by responding with the code
         return f'{oauth2_session.redirect_uri}?{urlencode({"code": oauth2_session.code, "state": oauth2_session.state})}', 302

diff --git a/test/test_fhir_logging_service.py b/test/test_fhir_logging_service.py
@@ -53,7 +53,7 @@ def testing_app(server_key: Key):
                       'OIDC_SMART_CONFIG_SIGNING_ALGS': ["RS384", "ES384", "RS512"],
                       'OIDC_JWT_PUBLIC_KEY': server_key.as_pem(),
                       'OIDC_JWT_PRIVATE_KEY': private_key_bytes,
-                      'SMART_BACKEND_SERVICE_DEVICE_ID': "my-unit-test-device-id"
+                      'SMART_BACKEND_SERVICE_DEVICE_ID': "my-unit-test-auth-server-device-id"
                       })
 
     with app.test_client() as client:
@@ -65,14 +65,14 @@ def testing_app(server_key: Key):
 def test_happy(mock1, testing_app: FlaskClient):
 
     testing_app.get("test")  # TODO: Ugly fix to initialize app context - mocking the flask.request would be nicer
-    resp = fhir_logging_service.register_idp_interaction("Patient/123", {})
+    resp = fhir_logging_service.register_idp_interaction("Patient/123", "456", {})
 
     json_content = resp.json()['json']
     resp_audit_event = AuditEvent(**json_content)
 
     assert resp_audit_event.entity[0].what.reference == "Patient/123"
-    assert resp_audit_event.agent[0].who.reference == "Device/my-unit-test-device-id"
-    assert resp_audit_event.source.observer.reference == "Device/my-unit-test-device-id"
+    assert resp_audit_event.agent[0].who.reference == "Device/456"
+    assert resp_audit_event.source.observer.reference == "Device/my-unit-test-auth-server-device-id"
     assert resp_audit_event.outcome == "0"
     assert 'Authorization' in resp.json()['headers']
     assert 'X-Request-Id' in resp.json()['headers']
@@ -86,14 +86,14 @@ def test_happy_headers(mock1, testing_app: FlaskClient):
         'X-Correlation-Id': str(uuid4()),
         'X-Trace-Id': str(uuid4())
     }
-    resp = fhir_logging_service.register_idp_interaction("Patient/123", trace_headers)
+    resp = fhir_logging_service.register_idp_interaction("Patient/123", "456", trace_headers)
 
     json_content = resp.json()['json']
     resp_audit_event = AuditEvent(**json_content)
 
     assert resp_audit_event.entity[0].what.reference == "Patient/123"
-    assert resp_audit_event.agent[0].who.reference == "Device/my-unit-test-device-id"
-    assert resp_audit_event.source.observer.reference == "Device/my-unit-test-device-id"
+    assert resp_audit_event.agent[0].who.reference == "Device/456"
+    assert resp_audit_event.source.observer.reference == "Device/my-unit-test-auth-server-device-id"
     assert resp_audit_event.extension[0].valueId == trace_headers['X-Request-Id']
     assert resp_audit_event.extension[1].valueId == trace_headers['X-Correlation-Id']
     assert resp_audit_event.extension[2].valueId == trace_headers['X-Trace-Id']