Merge pull request #2973 from IBM/issue-harden-audit-log

Harden Bulk Data Audit Logging with Skippable Updates

Author: prb112

fhir-bulkdata-webapp/src/main/java/com/ibm/fhir/bulkdata/audit/BulkAuditLogger.java

@@ -250,9 +250,39 @@ public void logUpdateOnImport(Resource oldResource, Resource updatedResource, Da
         final String METHODNAME = "logUpdateOnImport";
         log.entering(CLASSNAME, METHODNAME);
         if (shouldLog()) {
-            // Right now, we don't log or treat the oldResource. The signature is left for the commonality with the REST
-            // Audit Logger.
-            log(AuditLogEventType.FHIR_UPDATE, "U", "FHIR BulkData Update request", null, updatedResource, startTime, endTime, responseStatus, null, null, location, users);
+            if (Response.Status.CREATED.equals(responseStatus)) {
+                logCreateOnImport(updatedResource, startTime, endTime, responseStatus, location, users);
+            } else {
+                // Right now, we don't log or treat the oldResource. The signature is left for the commonality with the REST
+                // Audit Logger.
+                log(AuditLogEventType.FHIR_UPDATE, "U", "FHIR BulkData Update request", null, updatedResource, startTime, endTime, responseStatus, null, null, location, users);
+            }
+        }
+        log.exiting(CLASSNAME, METHODNAME);
+    }
+
+    /**
+     * Builds an audit log entry for an 'update' skipped in a bulkdata service invocation.
+     *
+     * @param resource
+     *            The updated version of the Resource.
+     * @param startTime
+     *            The start time of the update request execution.
+     * @param endTime
+     *            The end time of the update request execution.
+     * @param responseStatus
+     *            The response status.
+     * @param location
+     *            the destination or source for the export or import
+     * @param users
+     *            the principals that initiated the request
+     */
+    public void logUpdateOnImportSkipped(Resource resource, Date startTime, Date endTime, Response.Status responseStatus, String location,
+            String users) throws Exception {
+        final String METHODNAME = "logUpdateOnImport";
+        log.entering(CLASSNAME, METHODNAME);
+        if (shouldLog()) {
+            log(AuditLogEventType.FHIR_UPDATE, "U", "FHIR BulkData Update Resource Skipped request", null, resource, startTime, endTime, responseStatus, null, null, location, users);
         }
         log.exiting(CLASSNAME, METHODNAME);
     }

fhir-bulkdata-webapp/src/main/java/com/ibm/fhir/bulkdata/jbatch/load/ChunkWriter.java

@@ -54,11 +54,11 @@
 import com.ibm.fhir.operation.bulkdata.model.type.OperationFields;
 import com.ibm.fhir.operation.bulkdata.model.type.StorageType;
 import com.ibm.fhir.persistence.FHIRPersistence;
+import com.ibm.fhir.persistence.InteractionStatus;
 import com.ibm.fhir.persistence.SingleResourceResult;
 import com.ibm.fhir.persistence.context.FHIRPersistenceContext;
 import com.ibm.fhir.persistence.context.FHIRPersistenceContextFactory;
 import com.ibm.fhir.persistence.context.FHIRPersistenceEvent;
-import com.ibm.fhir.persistence.exception.FHIRPersistenceException;
 import com.ibm.fhir.persistence.helper.FHIRPersistenceHelper;
 import com.ibm.fhir.persistence.helper.FHIRTransactionHelper;
 import com.ibm.fhir.persistence.payload.PayloadPersistenceHelper;
@@ -186,7 +186,6 @@ public void writeItems(List<java.lang.Object> arg0) throws Exception {
 
             // Get the Skippable Update status
             boolean skip = adapter.enableSkippableUpdates();
-            Map<String,SaltHash> localCache = new HashMap<>();
             try {
                 for (Object objResJsonList : arg0) {
                     @SuppressWarnings("unchecked")
@@ -222,13 +221,7 @@ public void writeItems(List<java.lang.Object> arg0) throws Exception {
 
                                 // Set up the persistence context to include the deleted resources when we read
                                 FHIRPersistenceContext persistenceContext = FHIRPersistenceContextFactory.createPersistenceContext(event, true);
-                                long startTime = System.currentTimeMillis();
-                                operationOutcome = conditionalFingerprintUpdate(chunkData, skip, localCache, fhirPersistence, persistenceContext, id, fhirResource);
-                                if (auditLogger.shouldLog()) {
-                                    long endTime = System.currentTimeMillis();
-                                    String location = "@source:" + ctx.getSource() + "/" + ctx.getImportPartitionWorkitem();
-                                    auditLogger.logUpdateOnImport(null, fhirResource, new Date(startTime), new Date(endTime), Response.Status.OK, location, "BulkDataOperator");
-                                }
+                                operationOutcome = conditionalFingerprintUpdate(chunkData, skip, fhirPersistence, persistenceContext, id, fhirResource, ctx);
                             }
 
                             succeededNum++;
@@ -293,15 +286,17 @@ public void writeItems(List<java.lang.Object> arg0) throws Exception {
      *
      * @param chunkData the transient user data used increment the number of skips
      * @param skip should skip the resource if it matches
-     * @param localCache map containing the key-saltHash
      * @param persistence used to facilitate the calls to the underlying db
      * @param context used in db calls
      * @param logicalId the logical id of the FHIR resource (e.g. 1-2-3-4)
      * @param resource the FHIR Resource
+     * @param ctx the bulk data context
      * @return outcomes including information or warnings
-     * @throws FHIRPersistenceException
+     * @throws Exception
      */
-    public OperationOutcome conditionalFingerprintUpdate(ImportTransientUserData chunkData, boolean skip, Map<String, SaltHash> localCache, FHIRPersistence persistence, FHIRPersistenceContext context, String logicalId, Resource resource) throws FHIRPersistenceException {
+    public OperationOutcome conditionalFingerprintUpdate(ImportTransientUserData chunkData, boolean skip, FHIRPersistence persistence, FHIRPersistenceContext context, String logicalId, Resource resource, BulkDataContext ctx) throws Exception {
+        long startTime = System.currentTimeMillis();
+        Response.Status status = Response.Status.OK;
 
         // Since issue 1869, we must perform the read at this point in order to obtain the
         // latest version id. The persistence layer no longer makes any changes to the
@@ -317,27 +312,29 @@ public OperationOutcome conditionalFingerprintUpdate(ImportTransientUserData chu
 
         // If the resource was previously deleted, we need to treat this as a not to skip, otherwise we end up with really inconsistent data
         // when there is a DELETED resource.
+        boolean skipped = false;
         OperationOutcome oo;
-        if (skip && !oldResourceResult.isDeleted()) {
-            // Key is scoped to the ResourceType.
-            String key = resourceType + "/" + logicalId;
-            SaltHash oldBaseLine = localCache.get(key);
-
-            ResourceFingerprintVisitor fp = new ResourceFingerprintVisitor();
-            if (oldBaseLine == null) {
-                // If the resource exists, then we need to fingerprint.
-                if (oldResource != null) {
-                    ResourceFingerprintVisitor fpOld = new ResourceFingerprintVisitor();
-                    oldResource.accept(fpOld);
-                    oldBaseLine = fpOld.getSaltAndHash();
-                    fp = new ResourceFingerprintVisitor(oldBaseLine);
-                }
+        if (!skip || oldResourceResult.isDeleted() || oldResource == null) {
+            SingleResourceResult<? extends Resource> result = persistence.updateWithMeta(context, resource);
+
+            if (result.getStatus() == InteractionStatus.MODIFIED) {
+                status = Response.Status.CREATED;
             }
+            oo = result.getOutcome();
+        } else {
+            // Fingerprint old base line
+            ResourceFingerprintVisitor fpOld = new ResourceFingerprintVisitor();
+            oldResource.accept(fpOld);
+            SaltHash oldBaseLine = fpOld.getSaltAndHash();
 
+            // Fingerprint new base line
+            ResourceFingerprintVisitor fp = new ResourceFingerprintVisitor(oldBaseLine);
             resource.accept(fp);
             SaltHash newBaseLine = fp.getSaltAndHash();
 
             if (oldBaseLine != null && oldBaseLine.equals(newBaseLine)) {
+                // Outcome is an informational message (no change to datastore)
+                String key = resource.getClass().getSimpleName() + "/" + logicalId;
                 if (logger.isLoggable(Level.FINE)) {
                     logger.fine("Skipping $import - update for '" + key + "'");
                 }
@@ -347,22 +344,31 @@ public OperationOutcome conditionalFingerprintUpdate(ImportTransientUserData chu
                         .severity(IssueSeverity.INFORMATION)
                         .code(IssueType.INFORMATIONAL)
                         .details(CodeableConcept.builder()
-                            .text(string("Update resource matches the existing resource; skipping the update for '" + key + "'"))
+                            .text(string("Update to an existing resource matches the stored resource's hash; skipping the update for '" + key + "'"))
                             .build())
                         .build())
                     .build();
+                skipped = true;
             } else {
+                // Outcome is an Update
                 // We need to update the db and update the local cache
-                if (oldResource != null) {
-                    // Old Resource is set so we avoid an extra read
-                    context.getPersistenceEvent().setPrevFhirResource(oldResource);
-                }
-                oo = persistence.updateWithMeta(context, resource).getOutcome();
-                localCache.put(key, newBaseLine);
+                // Old Resource is set so we avoid an extra read
+                context.getPersistenceEvent().setPrevFhirResource(oldResource);
+                SingleResourceResult<? extends Resource> result = persistence.updateWithMeta(context, resource);
+                oo = result.getOutcome();
+            }
+        }
+
+        // Audit Logging
+        if (auditLogger.shouldLog()) {
+            long endTime = System.currentTimeMillis();
+            String location = "@source:" + ctx.getSource() + "/" + ctx.getImportPartitionWorkitem();
+            if (!skipped) {
+                auditLogger.logUpdateOnImport(oldResource, resource, new Date(startTime), new Date(endTime), status, location, "BulkDataOperator");
+            } else {
+                auditLogger.logUpdateOnImportSkipped(resource, new Date(startTime), new Date(endTime), status, location, "BulkDataOperator");
             }
-        } else {
-            oo = persistence.updateWithMeta(context, resource).getOutcome();
         }
         return oo;
     }
-}
+}