feat(pep): integrate with real Nuts node for token introspection and DPoP

component/pdp/capabilities.go

@@ -41,7 +41,8 @@ func capabilityForScope(ctx context.Context, scope string) (fhir.CapabilityState
 }
 
 func evalCapabilityPolicy(ctx context.Context, input PolicyInput) (PolicyInput, PolicyResult) {
-	if input.Action.Properties.ContentType != "application/fhir+json" {
+	// Skip capability checking for requests that don't target a specific resource type (e.g., /metadata, /)
+	if input.Resource.Type == nil {
 		return input, Allow()
 	}
 
@@ -100,7 +101,7 @@ func evalInteraction(
 	var resourceDescriptions []fhir.CapabilityStatementRestResource
 	for _, rest := range statement.Rest {
 		for _, res := range rest.Resource {
-			if res.Type == input.Resource.Type {
+			if res.Type == *input.Resource.Type {
 				resourceDescriptions = append(resourceDescriptions, res)
 			}
 		}

component/pdp/capabilities_test.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"testing"
 
+	"github.com/nuts-foundation/nuts-knooppunt/lib/to"
 	"github.com/stretchr/testify/assert"
 	"github.com/zorgbijjou/golang-fhir-models/fhir-models/fhir"
 )
@@ -17,7 +18,7 @@ func TestComponent_reject_interaction(t *testing.T) {
 			},
 		},
 		Resource: PolicyResource{
-			Type: fhir.ResourceTypeOrganization,
+			Type: to.Ptr(fhir.ResourceTypeOrganization),
 			Properties: PolicyResourceProperties{
 				ResourceId: "118876",
 			},
@@ -47,7 +48,7 @@ func TestComponent_allow_interaction(t *testing.T) {
 			},
 		},
 		Resource: PolicyResource{
-			Type: fhir.ResourceTypeOrganization,
+			Type: to.Ptr(fhir.ResourceTypeOrganization),
 			Properties: PolicyResourceProperties{
 				ResourceId: "118876",
 			},
@@ -77,7 +78,7 @@ func TestComponent_allow_search_param(t *testing.T) {
 			},
 		},
 		Resource: PolicyResource{
-			Type: fhir.ResourceTypeOrganization,
+			Type: to.Ptr(fhir.ResourceTypeOrganization),
 			Properties: PolicyResourceProperties{
 				ResourceId: "118876",
 			},
@@ -108,7 +109,7 @@ func TestComponent_reject_search_param(t *testing.T) {
 			},
 		},
 		Resource: PolicyResource{
-			Type: fhir.ResourceTypeOrganization,
+			Type: to.Ptr(fhir.ResourceTypeOrganization),
 			Properties: PolicyResourceProperties{
 				ResourceId: "118876",
 			},
@@ -138,6 +139,9 @@ func TestComponent_reject_interaction_type(t *testing.T) {
 				SubjectOrganizationId: "00000666",
 			},
 		},
+		Resource: PolicyResource{
+			Type: to.Ptr(fhir.ResourceTypeOrganization),
+		},
 		Action: PolicyAction{
 			Properties: PolicyActionProperties{
 				ContentType:     "application/fhir+json",
@@ -163,7 +167,7 @@ func TestComponent_allow_include(t *testing.T) {
 			},
 		},
 		Resource: PolicyResource{
-			Type: fhir.ResourceTypeLocation,
+			Type: to.Ptr(fhir.ResourceTypeLocation),
 			Properties: PolicyResourceProperties{
 				ResourceId: "88716123",
 			},
@@ -194,7 +198,7 @@ func TestComponent_reject_include(t *testing.T) {
 			},
 		},
 		Resource: PolicyResource{
-			Type: fhir.ResourceTypeEndpoint,
+			Type: to.Ptr(fhir.ResourceTypeEndpoint),
 			Properties: PolicyResourceProperties{
 				ResourceId: "88716123",
 			},
@@ -225,7 +229,7 @@ func TestComponent_reject_revinclude(t *testing.T) {
 			},
 		},
 		Resource: PolicyResource{
-			Type: fhir.ResourceTypePractitioner,
+			Type: to.Ptr(fhir.ResourceTypePractitioner),
 			Properties: PolicyResourceProperties{
 				ResourceId: "88716123",
 			},
@@ -256,7 +260,7 @@ func TestComponent_allow_revinclude(t *testing.T) {
 			},
 		},
 		Resource: PolicyResource{
-			Type: fhir.ResourceTypeOrganization,
+			Type: to.Ptr(fhir.ResourceTypeOrganization),
 			Properties: PolicyResourceProperties{
 				ResourceId: "88716123",
 			},

component/pdp/fhirreq.go

@@ -384,7 +384,7 @@ func NewPolicyInput(request PDPRequest) (PolicyInput, PolicyResult) {
 	}
 
 	if tokens.ResourceType != nil {
-		policyInput.Resource.Type = *tokens.ResourceType
+		policyInput.Resource.Type = tokens.ResourceType
 		if tokens.ResourceId != "" {
 			policyInput.Resource.Properties.ResourceId = tokens.ResourceId
 		}

component/pdp/shared.go

@@ -55,7 +55,7 @@ type PolicyInput struct {
 }
 
 type PolicyResource struct {
-	Type       fhir.ResourceType        `json:"type"`
+	Type       *fhir.ResourceType       `json:"type"`
 	Properties PolicyResourceProperties `json:"properties"`
 }
 

docker-compose.yml

@@ -183,17 +183,22 @@ services:
     volumes:
       - ./pep/logs:/var/log/nginx
     environment:
+      # Backend connections
       - FHIR_BACKEND_HOST=hapi-fhir
       - FHIR_BACKEND_PORT=7050
+      - FHIR_BASE_PATH=/fhir
+      - FHIR_UPSTREAM_PATH=/fhir/DEFAULT
       - KNOOPPUNT_PDP_HOST=knooppunt
       - KNOOPPUNT_PDP_PORT=8081
+      # Nuts node connection (Authorization Server)
+      - NUTS_NODE_HOST=knooppunt
+      - NUTS_NODE_INTERNAL_PORT=8081
+      # Data holder (this organization)
       - DATA_HOLDER_ORGANIZATION_URA=00000666
       - DATA_HOLDER_FACILITY_TYPE=Z3
-      - REQUESTING_FACILITY_TYPE=Z3
-      - PURPOSE_OF_USE=treatment
     depends_on:
       - hapi-fhir
-      - knooppunt # Knooppunt provides the PDP endpoint
+      - knooppunt # Knooppunt provides the PDP and proxies to Nuts node
     healthcheck:
       test:
         ["CMD", "wget", "--spider", "--quiet", "http://localhost:8080/health"]

helm/pep/templates/deployment.yaml

@@ -45,18 +45,22 @@ spec:
             value: {{ .Values.env.fhirBackendHost | quote }}
           - name: FHIR_BACKEND_PORT
             value: {{ .Values.env.fhirBackendPort | quote }}
+          - name: FHIR_BASE_PATH
+            value: {{ .Values.env.fhirBasePath | quote }}
           - name: KNOOPPUNT_PDP_HOST
             value: {{ .Values.env.knooppuntPdpHost | quote }}
           - name: KNOOPPUNT_PDP_PORT
             value: {{ .Values.env.knooppuntPdpPort | quote }}
+          - name: NUTS_NODE_HOST
+            value: {{ .Values.env.nutsNodeHost | quote }}
+          - name: NUTS_NODE_INTERNAL_PORT
+            value: {{ .Values.env.nutsNodeInternalPort | quote }}
           - name: DATA_HOLDER_ORGANIZATION_URA
             value: {{ .Values.env.dataHolderOrganizationUra | quote }}
           - name: DATA_HOLDER_FACILITY_TYPE
             value: {{ .Values.env.dataHolderFacilityType | quote }}
-          - name: REQUESTING_FACILITY_TYPE
-            value: {{ .Values.env.requestingFacilityType | quote }}
-          - name: PURPOSE_OF_USE
-            value: {{ .Values.env.purposeOfUse | quote }}
+          - name: NGINX_PORT
+            value: {{ .Values.service.port | quote }}
           ports:
             - name: http
               containerPort: {{ .Values.service.port }}

helm/pep/values.yaml

@@ -15,14 +15,19 @@ image:
 
 # PEP configuration environment variables
 env:
+  # FHIR backend (upstream server)
   fhirBackendHost: "hapi-fhir"
   fhirBackendPort: "7050"
+  fhirBasePath: "/fhir"
+  # Knooppunt PDP for authorization decisions
   knooppuntPdpHost: "knooppunt"
   knooppuntPdpPort: "8081"
+  # Nuts node for token introspection (RFC 7662)
+  nutsNodeHost: "nuts-node"
+  nutsNodeInternalPort: "8081"
+  # Data holder organization identity
   dataHolderOrganizationUra: "00000001"
   dataHolderFacilityType: "Z3"
-  requestingFacilityType: "Z3"
-  purposeOfUse: "treatment"
 
 # This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
 imagePullSecrets: []