001package ca.uhn.fhir.validation;
002
003/*
004 * #%L
005 * HAPI FHIR - Core Library
006 * %%
007 * Copyright (C) 2014 - 2022 Smile CDR, Inc.
008 * %%
009 * Licensed under the Apache License, Version 2.0 (the "License");
010 * you may not use this file except in compliance with the License.
011 * You may obtain a copy of the License at
012 *
013 *      http://www.apache.org/licenses/LICENSE-2.0
014 *
015 * Unless required by applicable law or agreed to in writing, software
016 * distributed under the License is distributed on an "AS IS" BASIS,
017 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
018 * See the License for the specific language governing permissions and
019 * limitations under the License.
020 * #L%
021 */
022
023import ca.uhn.fhir.context.ConfigurationException;
024import ca.uhn.fhir.context.FhirContext;
025import ca.uhn.fhir.i18n.Msg;
026import ca.uhn.fhir.rest.api.EncodingEnum;
027import ca.uhn.fhir.util.ClasspathUtil;
028import org.hl7.fhir.instance.model.api.IBaseResource;
029import org.w3c.dom.ls.LSInput;
030import org.w3c.dom.ls.LSResourceResolver;
031import org.xml.sax.SAXException;
032import org.xml.sax.SAXNotRecognizedException;
033import org.xml.sax.SAXParseException;
034
035import javax.xml.XMLConstants;
036import javax.xml.transform.Source;
037import javax.xml.transform.stream.StreamSource;
038import javax.xml.validation.Schema;
039import javax.xml.validation.SchemaFactory;
040import javax.xml.validation.Validator;
041import java.io.ByteArrayInputStream;
042import java.io.IOException;
043import java.io.StringReader;
044import java.util.Collections;
045import java.util.HashMap;
046import java.util.HashSet;
047import java.util.Map;
048import java.util.Set;
049
050public class SchemaBaseValidator implements IValidatorModule {
051        public static final String RESOURCES_JAR_NOTE = "Note that as of HAPI FHIR 1.2, DSTU2 validation files are kept in a separate JAR (hapi-fhir-validation-resources-XXX.jar) which must be added to your classpath. See the HAPI FHIR download page for more information.";
052
053        private static final org.slf4j.Logger ourLog = org.slf4j.LoggerFactory.getLogger(SchemaBaseValidator.class);
054        private static final Set<String> SCHEMA_NAMES;
055        private static boolean ourJaxp15Supported;
056
057        static {
058                HashSet<String> sn = new HashSet<>();
059                sn.add("xml.xsd");
060                sn.add("xhtml1-strict.xsd");
061                sn.add("fhir-single.xsd");
062                sn.add("fhir-xhtml.xsd");
063                sn.add("tombstone.xsd");
064                sn.add("opensearch.xsd");
065                sn.add("opensearchscore.xsd");
066                sn.add("xmldsig-core-schema.xsd");
067                SCHEMA_NAMES = Collections.unmodifiableSet(sn);
068        }
069
070        private final Map<String, Schema> myKeyToSchema = new HashMap<>();
071        private FhirContext myCtx;
072
073        public SchemaBaseValidator(FhirContext theContext) {
074                myCtx = theContext;
075        }
076
077        private void doValidate(IValidationContext<?> theContext) {
078                Schema schema = loadSchema();
079
080                try {
081                        Validator validator = schema.newValidator();
082                        MyErrorHandler handler = new MyErrorHandler(theContext);
083                        validator.setErrorHandler(handler);
084                        String encodedResource;
085                        if (theContext.getResourceAsStringEncoding() == EncodingEnum.XML) {
086                                encodedResource = theContext.getResourceAsString();
087                        } else {
088                                encodedResource = theContext.getFhirContext().newXmlParser().encodeResourceToString((IBaseResource) theContext.getResource());
089                        }
090
091                        try {
092                                /*
093                                 * See https://github.com/hapifhir/hapi-fhir/issues/339
094                                 * https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
095                                 */
096                                validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
097                                validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
098                        } catch (SAXNotRecognizedException ex) {
099                                ourLog.debug("Jaxp 1.5 Support not found.", ex);
100                        }
101
102                        validator.validate(new StreamSource(new StringReader(encodedResource)));
103                } catch (SAXParseException e) {
104                        SingleValidationMessage message = new SingleValidationMessage();
105                        message.setLocationLine(e.getLineNumber());
106                        message.setLocationCol(e.getColumnNumber());
107                        message.setMessage(e.getLocalizedMessage());
108                        message.setSeverity(ResultSeverityEnum.FATAL);
109                        theContext.addValidationMessage(message);
110                } catch (SAXException | IOException e) {
111                        // Catch all
112                        throw new ConfigurationException(Msg.code(1967) + "Could not load/parse schema file", e);
113                }
114        }
115
116        private Schema loadSchema() {
117                String key = "fhir-single.xsd";
118
119                synchronized (myKeyToSchema) {
120                        Schema schema = myKeyToSchema.get(key);
121                        if (schema != null) {
122                                return schema;
123                        }
124
125                        Source baseSource = loadXml("fhir-single.xsd");
126
127                        SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
128                        schemaFactory.setResourceResolver(new MyResourceResolver());
129
130                        try {
131                                try {
132                                        /*
133                                         * See https://github.com/hapifhir/hapi-fhir/issues/339
134                                         * https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
135                                         */
136                                        schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
137                                        ourJaxp15Supported = true;
138                                } catch (SAXNotRecognizedException e) {
139                                        ourJaxp15Supported = false;
140                                        ourLog.warn("Jaxp 1.5 Support not found.", e);
141                                }
142                                schema = schemaFactory.newSchema(new Source[]{baseSource});
143                        } catch (SAXException e) {
144                                throw new ConfigurationException(Msg.code(1968) + "Could not load/parse schema file: " + "fhir-single.xsd", e);
145                        }
146                        myKeyToSchema.put(key, schema);
147                        return schema;
148                }
149        }
150
151        Source loadXml(String theSchemaName) {
152                String pathToBase = myCtx.getVersion().getPathToSchemaDefinitions() + '/' + theSchemaName;
153                ourLog.debug("Going to load resource: {}", pathToBase);
154
155                String contents = ClasspathUtil.loadResource(pathToBase, ClasspathUtil.withBom());
156                return new StreamSource(new StringReader(contents), null);
157        }
158
159        @Override
160        public void validateResource(IValidationContext<IBaseResource> theContext) {
161                doValidate(theContext);
162        }
163
164        private final class MyResourceResolver implements LSResourceResolver {
165                private MyResourceResolver() {
166                }
167
168                @Override
169                public LSInput resolveResource(String theType, String theNamespaceURI, String thePublicId, String theSystemId, String theBaseURI) {
170                        if (theSystemId != null && SCHEMA_NAMES.contains(theSystemId)) {
171                                LSInputImpl input = new LSInputImpl();
172                                input.setPublicId(thePublicId);
173                                input.setSystemId(theSystemId);
174                                input.setBaseURI(theBaseURI);
175                                String pathToBase = myCtx.getVersion().getPathToSchemaDefinitions() + '/' + theSystemId;
176
177                                ourLog.debug("Loading referenced schema file: " + pathToBase);
178
179                                byte[] bytes = ClasspathUtil.loadResourceAsByteArray(pathToBase);
180                                input.setByteStream(new ByteArrayInputStream(bytes));
181                                return input;
182
183                        }
184
185                        throw new ConfigurationException(Msg.code(1969) + "Unknown schema: " + theSystemId);
186                }
187        }
188
189        private static class MyErrorHandler implements org.xml.sax.ErrorHandler {
190
191                private IValidationContext<?> myContext;
192
193                MyErrorHandler(IValidationContext<?> theContext) {
194                        myContext = theContext;
195                }
196
197                private void addIssue(SAXParseException theException, ResultSeverityEnum theSeverity) {
198                        SingleValidationMessage message = new SingleValidationMessage();
199                        message.setLocationLine(theException.getLineNumber());
200                        message.setLocationCol(theException.getColumnNumber());
201                        message.setMessage(theException.getLocalizedMessage());
202                        message.setSeverity(theSeverity);
203                        myContext.addValidationMessage(message);
204                }
205
206                @Override
207                public void error(SAXParseException theException) {
208                        addIssue(theException, ResultSeverityEnum.ERROR);
209                }
210
211                @Override
212                public void fatalError(SAXParseException theException) {
213                        addIssue(theException, ResultSeverityEnum.FATAL);
214                }
215
216                @Override
217                public void warning(SAXParseException theException) {
218                        addIssue(theException, ResultSeverityEnum.WARNING);
219                }
220
221        }
222
223        public static boolean isJaxp15Supported() {
224                return ourJaxp15Supported;
225        }
226
227}