Merge pull request #982 from b2ihealthcare/issue/FHIR_version_URI_validation

cmark · web-flow · commit 08802d2432b5 · 2022-02-24T09:46:37.000+01:00
fix(fhir): Validate system URL against version given in subsumption request
diff --git a/fhir/com.b2international.snowowl.fhir.rest.tests/src/com/b2international/snowowl/fhir/rest/tests/codesystem/FhirCodeSystemSubsumesOperationTest.java b/fhir/com.b2international.snowowl.fhir.rest.tests/src/com/b2international/snowowl/fhir/rest/tests/codesystem/FhirCodeSystemSubsumesOperationTest.java
@@ -34,6 +34,7 @@ public class FhirCodeSystemSubsumesOperationTest extends FhirRestTest {
 	
 	private static final String PROCEDURE = "71388002";
 	private static final String ORGANISM_TOP_LEVEL = "410607006";
+	private static final Object MICROORGANISM = "264395009";
 
 	@Test
 	public void GET_CodeSystem_$subsumes_Subsumes() throws Exception {
@@ -87,39 +88,35 @@ public class FhirCodeSystemSubsumesOperationTest extends FhirRestTest {
 			.body("parameter[0].valueCode", equalTo(SubsumptionType.EQUIVALENT.name()));
 	}
 	
-//	@Test
-//	public void subsumedByWithVersionTest() throws Exception {
-//		
-//		String responseString = givenAuthenticatedRequest(FHIR_ROOT_CONTEXT)
-//			.queryParam("codeA", BACTERIA) //Bacteria
-//			.queryParam("codeB", MICROORGANISM) //Microorganism (parent)
-//			.queryParam("system", "http://snomed.info/sct/900000000000207008/version/20180131")
-//			.when().get(CODESYSTEM_SUBSUMES)
-//			.then().assertThat()
-//			.statusCode(200)
-//			.extract().asString();
-//		
-//		SubsumptionResult result = convertToSubsumptionResult(responseString);
-//		Assert.assertEquals(SubsumptionType.SUBSUMED_BY, result.getOutcome());
-//	}
-//	
-//	//invalid
-//	@Test
-//	public void twoVersionsTest() throws Exception {
-//		
-//		givenAuthenticatedRequest(FHIR_ROOT_CONTEXT)
-//			.queryParam("codeA", BACTERIA) //Bacteria
-//			.queryParam("codeB", MICROORGANISM) //Microorganism (parent)
-//			.queryParam("system", "http://snomed.info/sct/900000000000207008/version/20170131")
-//			.queryParam("version", "2018-01-31")
-//			.when().get(CODESYSTEM_SUBSUMES)
-//			.then()
-//			.body("resourceType", equalTo("OperationOutcome"))
-//			.body("issue.severity", hasItem("error"))
-//			.body("issue.code", hasItem("invalid"))
-//			.body("issue.diagnostics", hasItem("Version specified in the URI [http://snomed.info/sct/900000000000207008/version/20170131] "
-//					+ "does not match the version set in the request [2018-01-31]"))
-//			.statusCode(400);
-//	}
+	@Test
+	public void GET_CodeSystem_$subsumes_SubsumedBy_WithVersion() throws Exception {
+		
+		givenAuthenticatedRequest(FHIR_ROOT_CONTEXT)
+			.queryParam("codeA", BACTERIA) //Bacteria
+			.queryParam("codeB", MICROORGANISM) //Microorganism (parent)
+			.queryParam("system", "http://snomed.info/sct/900000000000207008/version/20180131")
+			.when().get(CODESYSTEM_SUBSUMES)
+			.then().assertThat()
+			.statusCode(200)
+			.body("parameter[0].name", equalTo("outcome"))
+			.body("parameter[0].valueCode", equalTo(SubsumptionType.SUBSUMED_BY.name()));
+	}
 	
-}
+	@Test
+	public void GET_CodeSystem_$subsumes_SubsumedBy_WithAmbiguousVersions() throws Exception {
+		
+		givenAuthenticatedRequest(FHIR_ROOT_CONTEXT)
+			.queryParam("codeA", BACTERIA) //Bacteria
+			.queryParam("codeB", MICROORGANISM) //Microorganism (parent)
+			.queryParam("system", "http://snomed.info/sct/900000000000207008/version/20170131")
+			.queryParam("version", "2018-01-31")
+			.when().get(CODESYSTEM_SUBSUMES)
+			.then()
+			.body("resourceType", equalTo("OperationOutcome"))
+			.body("issue[0].severity", equalTo("error"))
+			.body("issue[0].code", equalTo("invalid"))
+			.body("issue[0].diagnostics", equalTo("Version specified in the URI [http://snomed.info/sct/900000000000207008/version/20170131] "
+					+ "does not match the version set in the request [2018-01-31]"))
+			.statusCode(400);
+	}
+}
diff --git a/fhir/com.b2international.snowowl.fhir.rest/src/com/b2international/snowowl/fhir/rest/FhirCodeSystemSubsumesOperationController.java b/fhir/com.b2international.snowowl.fhir.rest/src/com/b2international/snowowl/fhir/rest/FhirCodeSystemSubsumesOperationController.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 B2i Healthcare Pte Ltd, http://b2i.sg
+ * Copyright 2021-2022 B2i Healthcare Pte Ltd, http://b2i.sg
  * 
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,9 +15,9 @@
  */
 package com.b2international.snowowl.fhir.rest;
 
-import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.*;
 
+import com.b2international.commons.StringUtils;
 import com.b2international.snowowl.core.events.util.Promise;
 import com.b2international.snowowl.fhir.core.exceptions.BadRequestException;
 import com.b2international.snowowl.fhir.core.model.codesystem.SubsumptionRequest;
@@ -190,51 +190,48 @@ private void validateSubsumptionRequest(String codeSystemId, String codeA, Strin
 	
 	private void validateSubsumptionRequest(String codeSystemId, String codeA, String codeB, String system, String version, Coding codingA, Coding codingB) {
 		
-		//check the systems
+		// check the systems
 		if (StringUtils.isEmpty(system) && StringUtils.isEmpty(codeSystemId)) {
 			throw new BadRequestException("Parameter 'system' is not specified for subsumption testing.", "SubsumptionRequest.system");
 		}
 		
-		//TODO: this probably incorrect as codeSystemId is an internal id vs. system that is external
-		if (!StringUtils.isEmpty(system) && !StringUtils.isEmpty(codeSystemId)) {
-			if (!codeSystemId.equals(system)) {
-				throw new BadRequestException(String.format("Parameter 'system: %s' and path parameter 'codeSystem: %s' are not the same.", system, codeSystemId), "SubsumptionRequest.system");
-			}
-		}
-		
-		//all empty
-		if (StringUtils.isEmpty(codeA) && StringUtils.isEmpty(codeA) && codingA == null && codingB == null) {
-			throw new BadRequestException("No codes or Codings are provided for subsumption testing.", "SubsumptionRequest");
+		// TODO: this probably incorrect as codeSystemId is an internal id vs. system that is external
+		if (!StringUtils.isEmpty(system) && !StringUtils.isEmpty(codeSystemId) && !codeSystemId.equals(system)) {
+			throw new BadRequestException(String.format("Parameter 'system: %s' and path parameter 'codeSystem: %s' are not the same.", system, codeSystemId), "SubsumptionRequest.system");
 		}
 		
-		//No codes
-		if (StringUtils.isEmpty(codeA) && StringUtils.isEmpty(codeA)) {
+		if (StringUtils.isEmpty(codeA) && StringUtils.isEmpty(codeB)) {
+			// No codes and no codings
+			if (codingA == null && codingB == null) {
+				throw new BadRequestException("No codes or Codings are provided for subsumption testing.", "SubsumptionRequest");
+			}
+
+			// One coding is present, but the other is missing (both can not be missing as it was handled above)
 			if (codingA == null || codingB == null) {
 				throw new BadRequestException("No Codings are provided for subsumption testing.", "SubsumptionRequest.Coding");
 			}
-		}
-		
-		//No codings
-		if (codingA == null && codingB == null) {
-			if (StringUtils.isEmpty(codeA) || StringUtils.isEmpty(codeB)) {
-				throw new BadRequestException("No codes are provided for subsumption testing.", "SubsumptionRequest.code");
-			}
-		}
-		
-		//Codes are there
-		if (!StringUtils.isEmpty(codeA) && !StringUtils.isEmpty(codeA)) {
+			
+			// Both codings are present at this point
+			
+		} else {
+
+			// Some codes were provided, but a coding is also present, ambiguous
 			if (codingA != null || codingB != null) {
 				throw new BadRequestException("Provide either codes or Codings.", "SubsumptionRequest");
 			}
-		}
-		
-		//Coding are there
-		if (codingA != null && codingB != null) {
-			if (!StringUtils.isEmpty(codeA) || !StringUtils.isEmpty(codeA)) {
-				throw new BadRequestException("Provide either codes or Codings.", "SubsumptionRequest");
+
+			// One code is present, but the other is missing (both can not be missing as it was handled in the outer "if" block above)
+			if (StringUtils.isEmpty(codeA) || StringUtils.isEmpty(codeB)) {
+				throw new BadRequestException("No codes are provided for subsumption testing.", "SubsumptionRequest.code");		
 			}
+			
+			// Both codes are present at this point
 		}
-	}
 
-	
+		// Check system (URL) against version 
+		if (!StringUtils.isEmpty(system) && !StringUtils.isEmpty(version) && !system.endsWith("/" + version)) {
+			throw new BadRequestException(String.format("Version specified in the URI [%s] does not match the version set in the request [%s]",
+				system, version));
+		}
+	}
 }
