Authentication Flag

.github/workflows/ci.yaml

@@ -69,6 +69,8 @@ jobs:
         run: |
           echo "AIDBOX_LICENSE=${{ secrets.AIDBOX_LICENSE }}" > .env
           echo "DATABASE_URL=postgresql://postgres:pw@localhost:5432/tefca_db" >> .env
+          echo "AIDBOX_BASE_URL=http://aidbox:8080" >> .env
+          echo "APP_HOSTNAME=http://query-connector:3000" >> .env
       - name: Build Query Connector and Run Playwright Tests
         id: run_tests
         working-directory: ./query-connector

.github/workflows/ecs_terraform.yaml

@@ -19,6 +19,14 @@ on:
           - dev
           - demo
         default: dev
+      # auth_flag:
+      #   description: "Do you want to disable authentication ?"
+      #   required: true
+      #   type: choice
+      #   options:
+      #     - true
+      #     - false
+      #   default: "false"
 
 concurrency:
   group: ${{ github.event.inputs.workspace }}-terraform
@@ -104,6 +112,13 @@ jobs:
             echo dev
           fi
           )" >> $GITHUB_OUTPUT
+      #Finish this logic up
+      - name: Set Authentication flag
+        id: set-authentication-flag
+        run: |-
+          if [[ "${{ steps.set-workspace.outputs.workspace }}" == "demo" ]]; then
+            echo "AUTH_DISABLED=true" >> $GITHUB_OUTPUT
+          else
 
       - name: Set URL format
         id: set-url-format

query-connector/Dockerfile

@@ -43,7 +43,10 @@ RUN ln -s /flyway/flyway /usr/local/bin/flyway
 # Don't run production as root
 RUN addgroup --system --gid 1001 nodejs
 RUN adduser --system --uid 1001 nextjs
-USER nextjs
+
+# Ensure writable directories
+RUN mkdir -p /app /data /logs && \
+    chown -R nextjs:nodejs /app /data /logs
 
 # Set hostname to localhost
 ENV HOSTNAME="0.0.0.0"
@@ -61,6 +64,14 @@ COPY --from=installer --chown=nextjs:nodejs /app/.next/standalone ./
 COPY --from=installer --chown=nextjs:nodejs /app/.next/static ./.next/static
 COPY --from=installer --chown=nextjs:nodejs /app/public ./public
 COPY --from=installer --chown=nextjs:nodejs /app/start.sh ./start.sh
+COPY --from=installer --chown=nextjs:nodejs /app/keys ./keys
+
+RUN mkdir -p .next/static public && \
+    chown -R nextjs:nodejs .next/static public
+
+USER nextjs
+
+
 RUN ls -R
 # Set environment variables for Flyway and Node.js telemetry
 ENV NEXT_TELEMETRY_DISABLED=1

query-connector/Dockerfile.aidbox-seeder

@@ -11,4 +11,4 @@ RUN chmod +x /seed_aidbox.sh
 RUN mkdir /data
 
 ENTRYPOINT ["/bin/bash", "-c"]
-CMD ["/seed_aidbox.sh $AIDBOX_BASE_URL"]
+CMD ["/seed_aidbox.sh $AIDBOX_BASE_URL $APP_HOSTNAME"]

query-connector/docker-compose-dev.yaml

@@ -1,7 +1,7 @@
 services:
   # Postgresql DB
   db:
-    image: "postgres:alpine"
+    image: "postgres:17.4"
     ports:
       - "5432:5432"
     environment:
@@ -23,8 +23,8 @@ services:
   # Flyway migrations and DB version control
   flyway:
     image: flyway/flyway:11-alpine
-    environment:
-      - JAVA_OPTS_APPEND="-XX:UseSVE=0"
+    # environment:
+    # - JAVA_OPTS_APPEND="-XX:UseSVE=0"
     command: -configFiles=/flyway/conf/flyway.conf -schemas=public -connectRetries=60 migrate
     volumes:
       - ./flyway/sql:/flyway/sql
@@ -85,7 +85,7 @@ services:
       PGPASSWORD: gOxAmiyiz4
       PGPORT: "5432"
       BOX_SEARCH_INCLUDE_CONFORMANT: true
-      JAVA_TOOL_OPTIONS: "-XX:UseSVE=0"
+      # JAVA_TOOL_OPTIONS: "-XX:UseSVE=0"
     env_file:
       - .env
   aidbox-seeder:
@@ -96,6 +96,7 @@ services:
       - ./src/app/tests/assets/GoldenSickPatient.json:/data/GoldenSickPatient.json
     environment:
       - AIDBOX_BASE_URL=http://localhost:8080
+      - APP_HOSTNAME=http://host.docker.internal:3000
     depends_on:
       db:
         condition: service_healthy

query-connector/docker-compose-e2e.yaml

@@ -1,7 +1,7 @@
 services:
   # PostgreSQL DB for custom query and value set storage
   db:
-    image: "postgres:alpine"
+    image: "postgres:17.4"
     ports:
       - "5432:5432"
     environment:
@@ -76,8 +76,6 @@ services:
       - ./logs:/var/log
     env_file:
       - .env
-    environment:
-      - AIDBOX_BASE_URL=http://aidbox:8080
     depends_on:
       db:
         condition: service_healthy

query-connector/docker-compose-integration.yaml

@@ -1,7 +1,7 @@
 services:
   # PostgreSQL DB for custom query and value set storage
   db:
-    image: "postgres:alpine"
+    image: "postgres:17.4"
     ports:
       - "5432:5432"
     environment:

query-connector/docker-compose.yaml

@@ -1,7 +1,7 @@
 services:
   # PostgreSQL DB for custom query and value set storage
   db:
-    image: "postgres:alpine"
+    image: "postgres:17.4"
     ports:
       - "5432:5432"
     environment:

query-connector/e2e/constants.ts

@@ -123,3 +123,8 @@ export const CANCER_FRONTEND_NESTED_INPUT = {
     },
   },
 };
+
+// note: values here are also hard-coded in the seed script at seed_aidbox.sh,
+// so change them there as well if you change it here
+export const E2E_SMART_TEST_CLIENT_ID = "e2e-smart-test-client";
+export const E2E_SMART_TEST_CLIENT_SCOPES = "system/*.read";

query-connector/e2e/smart_on_fhir.spec.ts

@@ -0,0 +1,72 @@
+import { TEST_URL } from "../playwright-setup";
+import { test, expect } from "@playwright/test";
+import { E2E_SMART_TEST_CLIENT_ID } from "./constants";
+import {
+  createSmartJwt,
+  getOrCreateKeys,
+} from "@/app/backend/dbServices/smartOnFhir/lib";
+import { decodeJwt, decodeProtectedHeader } from "jose";
+
+test.describe("SMART on FHIR", () => {
+  test("successfully validates the e2e flow", async ({ page }) => {
+    await page.goto(`${TEST_URL}/fhirServers`);
+    expect(
+      page.getByRole("heading", { name: "FHIR server configuration" }),
+    ).toBeVisible();
+
+    await page.getByRole("button", { name: "New server" }).click();
+    await expect(
+      page.getByRole("heading", { name: "New server" }),
+    ).toBeVisible();
+    const serverName = `E2E Smart on FHIR ${Math.random() * 100}`;
+    await page.getByTestId("server-name").fill(serverName);
+
+    await page
+      .getByTestId("server-url")
+      .fill(`${process.env.AIDBOX_BASE_URL}/fhir`);
+
+    await page.getByTestId("auth-method").selectOption("SMART");
+    await page.getByTestId("client-id").fill(E2E_SMART_TEST_CLIENT_ID);
+
+    await page.getByTestId("scopes").fill("system/*.read");
+    await page
+      .getByTestId("token-endpoint")
+      .fill(`${process.env.AIDBOX_BASE_URL}/auth/token`);
+
+    await page.getByRole("button", { name: "Test connection" }).click();
+    await expect(page.getByRole("button", { name: "Success" })).toBeVisible();
+
+    await page.getByRole("button", { name: "Add server" }).click();
+
+    await expect(
+      page.getByRole("row").filter({ hasText: serverName }),
+    ).toHaveText(/Connected/);
+  });
+
+  // this integration test is stuck in the e2e because it requires connections
+  // to a fully-seeded Aidbox. That infra was deemed too much to add to the
+  // integration test docker compose at the time of this writing, so the
+  // test itself is added here
+  test("JWT creation generates the correct token and signing creates the right request payload", async () => {
+    const tokenEndpoint = `${process.env.AIDBOX_BASE_URL}/auth/token`;
+
+    // make sure key pair exist, and create them if they don't
+    await getOrCreateKeys();
+
+    const outputJWT = await createSmartJwt(
+      E2E_SMART_TEST_CLIENT_ID,
+      tokenEndpoint,
+    );
+
+    const header = decodeProtectedHeader(outputJWT);
+    expect(header.alg).toBe("RS384");
+    expect(header.typ).toBe("JWT");
+    expect(header.jku).toBe(
+      `${process.env.APP_HOSTNAME}/.well-known/jwks.json`,
+    );
+    const claims = decodeJwt(outputJWT);
+    expect(claims.aud).toBe(tokenEndpoint);
+    expect(claims.iss).toBe(E2E_SMART_TEST_CLIENT_ID);
+    expect(claims.sub).toBe(E2E_SMART_TEST_CLIENT_ID);
+  });
+});

query-connector/setup-scripts/seed_aidbox.sh

@@ -2,6 +2,7 @@
 
 # Environment variables set by docker-compose
 BASE_URL=$1
+APP_HOSTNAME=$2
 NETWORK_URL=http://aidbox:8080
 AIDBOX_CLIENT_SECRET="L6AGe_5V2O"
 DB_ADDRESS="db"
@@ -64,6 +65,53 @@ curl -L -X POST \
 
 echo "GoldenSickPatient data loaded successfully."
 
+# Client information for the SMART on FHIR test
+echo "Loading client information into Aidbox..."
+curl -L -X PUT \
+  -H "Content-Type: application/json" \
+  -H "Authorization: Bearer ${TOKEN}" \
+  -d '{
+    "type": "client-confidential-asymmetric",
+    "active": true,
+    "auth": {
+      "client_credentials": {
+        "client_assertion_types": [
+          "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
+        ],
+        "access_token_expiration": 300,
+        "token_format": "jwt"
+      }
+    },
+    "scope": [
+      "system/*.read"
+    ],
+    "jwks_uri": "'${APP_HOSTNAME}'/.well-known/jwks.json",
+    "grant_types": [
+      "client_credentials"
+    ]
+  }' \
+  ${NETWORK_URL}/Client/e2e-smart-test-client
+
+echo "Client information data loaded successfully."
+
+# Access policy information for the SMART on FHIR test
+echo "Loading access policy information into Aidbox.."
+curl -L -X PUT \
+  -H "Content-Type: application/json" \
+  -H "Authorization: Bearer ${TOKEN}" \
+  -d '{
+      "engine": "allow",
+      "link": [
+        {
+          "id": "e2e-smart-test-client",
+          "resourceType": "Client"
+        }
+      ]
+    }' \
+  ${NETWORK_URL}/AccessPolicy/e2e-smart-test-client
+
+echo "Access policy information data loaded successfully."
+
 # Get current datetime in ISO 8601 format
 CURRENT_DATETIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")