SYNC2 - whitelist of children

Tags: #<Tag:0x00007fb8543430f0> #<Tag:0x00007fb854342fb0> #<Tag:0x00007fb854342e48>

(Wojciech Buława) #1

Hi Everyone,

I’m working on a possibility for a parent to decide which child could push data to it

At this point, the parent needs to create an account with the access to certain endpoints. The child needs the credentials to this account in order to authenticate while pushing. The most common case is to create one account for all children. Please note that in this solution the parent does not track list of children with the access.

I want to add a whitelist of instances ids of children in the parent configuration, so it would be able to identify and verify children. I can easily add an instance id to messages sent by the child. Unfortunately, I cannot modify REST’s and FHIR’s endpoints, because validating instance ids is related to the SYNC2 module and users should be able to use FHIR and REST even when they do not need SYNC2.

Our solution is adding a separate controller for REST and FIHR in the SYNC2 module which will validate instance id, and then it will send the same message but with localhost instead of parent’s IP e.g. localhost/ws/rest/sync2/messages/261ce010-ade4-4a68-9ec6-15378c391f70 instead of (the figure points: 3, 4 and 5).

FHIR’s and REST’s endpoints will not be removed because they have to be independent of the SYNC2 module (the figure points: 1 and 2). The security concerns are tackled by the user’s credentials, so the purpose of the whitelist is not to secure the parent, but to give it a possibility to cut off unnecessary requests.

Optionally the admin can go to […]/openmrs/admin/maintenance/settings.list?show=Webservices and set the ‘Rest Allowedips’ to localhost in order to disable these endpoints.

If you see any anomaly in this solution or you have any thoughts please let me know

Thanks in advance!


(Jakub Trzebiatowski) #3

Hi @wbulawa I have a couple of questions to clarify.

  1. Is the ability to decide what data should children be able to pull also in scope of this ticket?

  2. Why can’t FHIR / REST permissions be revoked for a certain user, or even temporairly changed the password of a user to disallow a child to push the data?

  3. If the children sends it’s ID in the request, then any children can use this ID to spoof it’s authenticity. Sure we can say the ID has to be kept secret, but in this case it just becomes functionally a password ( and it can be simplified to 2. )

(Wojciech Buława) #4

Hello @jtrzebiatowski,

  1. No, this is out of the scope.
  2. This solution does not prohibit adding separate users for every child instance. It is still possible, but it is much easier for an admin to edit a whitelist containing only instanceIDs than creating those accounts.
  3. If you want to be authenticated you have to provide instanceID and credentials, so there is no possibility to spoof endpoint using only instanceID. I didn’t consider spoofing authenticity between the children, so you are right. But the instanceID should be unique value e.g. UUID, so even when one child will try to guess somebody’s id it will take a lot of requests.