Source code

001/*-
002 * #%L
003 * HAPI FHIR - Server Framework
004 * %%
005 * Copyright (C) 2014 - 2025 Smile CDR, Inc.
006 * %%
007 * Licensed under the Apache License, Version 2.0 (the "License");
008 * you may not use this file except in compliance with the License.
009 * You may obtain a copy of the License at
010 *
011 *      http://www.apache.org/licenses/LICENSE-2.0
012 *
013 * Unless required by applicable law or agreed to in writing, software
014 * distributed under the License is distributed on an "AS IS" BASIS,
015 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
016 * See the License for the specific language governing permissions and
017 * limitations under the License.
018 * #L%
019 */
020package ca.uhn.fhir.rest.server.interceptor;
021
022import ca.uhn.fhir.interceptor.api.Hook;
023import ca.uhn.fhir.interceptor.api.Pointcut;
024import ca.uhn.fhir.rest.api.EncodingEnum;
025import ca.uhn.fhir.rest.api.server.RequestDetails;
026import ca.uhn.fhir.rest.server.RestfulServerUtils;
027import ca.uhn.fhir.rest.server.exceptions.AuthenticationException;
028import ca.uhn.fhir.rest.server.exceptions.UnprocessableEntityException;
029import ca.uhn.fhir.rest.server.method.ResourceParameter;
030import ca.uhn.fhir.validation.FhirValidator;
031import ca.uhn.fhir.validation.ResultSeverityEnum;
032import ca.uhn.fhir.validation.ValidationOptions;
033import ca.uhn.fhir.validation.ValidationResult;
034import jakarta.servlet.http.HttpServletRequest;
035import jakarta.servlet.http.HttpServletResponse;
036
037import java.nio.charset.Charset;
038
039import static org.apache.commons.lang3.StringUtils.isBlank;
040
041/**
042 * This interceptor intercepts each incoming request and if it contains a FHIR resource, validates that resource. The
043 * interceptor may be configured to run any validator modules, and will then add headers to the response or fail the
044 * request with an {@link UnprocessableEntityException HTTP 422 Unprocessable Entity}.
045 */
046public class RequestValidatingInterceptor extends BaseValidatingInterceptor<String> {
047
048        /**
049         * X-HAPI-Request-Validation
050         */
051        public static final String DEFAULT_RESPONSE_HEADER_NAME = "X-FHIR-Request-Validation";
052
053        private static final org.slf4j.Logger ourLog =
054                        org.slf4j.LoggerFactory.getLogger(RequestValidatingInterceptor.class);
055        private boolean myAddValidationResultsToResponseOperationOutcome = true;
056
057        @Override
058        ValidationResult doValidate(FhirValidator theValidator, String theRequest, ValidationOptions theOptions) {
059                return theValidator.validateWithResult(theRequest, theOptions);
060        }
061
062        @Hook(Pointcut.SERVER_INCOMING_REQUEST_POST_PROCESSED)
063        public boolean incomingRequestPostProcessed(
064                        RequestDetails theRequestDetails, HttpServletRequest theRequest, HttpServletResponse theResponse)
065                        throws AuthenticationException {
066                EncodingEnum encoding = RestfulServerUtils.determineRequestEncodingNoDefault(theRequestDetails);
067                if (encoding == null) {
068                        ourLog.trace("Incoming request does not appear to be FHIR, not going to validate");
069                        return true;
070                }
071
072                Charset charset = ResourceParameter.determineRequestCharset(theRequestDetails);
073                String requestText = new String(theRequestDetails.loadRequestContents(), charset);
074
075                if (isBlank(requestText)) {
076                        ourLog.trace("Incoming request does not have a body");
077                        return true;
078                }
079
080                ValidationResult validationResult = validate(requestText, theRequestDetails);
081
082                if (myAddValidationResultsToResponseOperationOutcome) {
083                        addValidationResultToRequestDetails(theRequestDetails, validationResult);
084                }
085
086                return true;
087        }
088
089        /**
090         * If set to {@literal true} (default is true), the validation results
091         * will be added to the OperationOutcome being returned to the client,
092         * unless the response being returned is not an OperationOutcome
093         * to begin with (e.g. if the client has requested
094         * <code>Return: prefer=representation</code>)
095         */
096        public boolean isAddValidationResultsToResponseOperationOutcome() {
097                return myAddValidationResultsToResponseOperationOutcome;
098        }
099
100        /**
101         * If set to {@literal true} (default is true), the validation results
102         * will be added to the OperationOutcome being returned to the client,
103         * unless the response being returned is not an OperationOutcome
104         * to begin with (e.g. if the client has requested
105         * <code>Return: prefer=representation</code>)
106         */
107        public void setAddValidationResultsToResponseOperationOutcome(
108                        boolean theAddValidationResultsToResponseOperationOutcome) {
109                myAddValidationResultsToResponseOperationOutcome = theAddValidationResultsToResponseOperationOutcome;
110        }
111
112        @Override
113        String provideDefaultResponseHeaderName() {
114                return DEFAULT_RESPONSE_HEADER_NAME;
115        }
116
117        /**
118         * Sets the name of the response header to add validation failures to
119         *
120         * @see #DEFAULT_RESPONSE_HEADER_NAME
121         * @see #setAddResponseHeaderOnSeverity(ResultSeverityEnum)
122         */
123        @Override
124        public void setResponseHeaderName(String theResponseHeaderName) {
125                super.setResponseHeaderName(theResponseHeaderName);
126        }
127}