hapifhir · jdar8 · Oct 17, 2025 · Oct 20, 2025 · Oct 21, 2025 · Oct 21, 2025
diff --git a/...pi/fhir/changelog/8_6_0/7342-enhance-rulebuilder-to-support-compartments-by-matchers.yaml b/...pi/fhir/changelog/8_6_0/7342-enhance-rulebuilder-to-support-compartments-by-matchers.yaml
@@ -0,0 +1,4 @@
+---
+type: add
+issue: 7342
+title: "Enhanced the bulk export RuleBuilder code to support the identification of allowable Groups/Patients to export by a FHIR query matcher."
diff --git a/hapi-fhir-jpaserver-base/src/main/java/ca/uhn/fhir/jpa/config/JpaConfig.java b/hapi-fhir-jpaserver-base/src/main/java/ca/uhn/fhir/jpa/config/JpaConfig.java
@@ -93,6 +93,7 @@
 import ca.uhn.fhir.jpa.entity.TermValueSet;
 import ca.uhn.fhir.jpa.esr.ExternallyStoredResourceServiceRegistry;
 import ca.uhn.fhir.jpa.graphql.DaoRegistryGraphQLStorageServices;
+import ca.uhn.fhir.jpa.interceptor.AuthResourceResolver;
 import ca.uhn.fhir.jpa.interceptor.CascadingDeleteInterceptor;
 import ca.uhn.fhir.jpa.interceptor.JpaConsentContextServices;
 import ca.uhn.fhir.jpa.interceptor.OverridePathBasedReferentialIntegrityForDeletesInterceptor;
@@ -205,6 +206,7 @@
 import ca.uhn.fhir.rest.api.server.storage.IResourcePersistentId;
 import ca.uhn.fhir.rest.server.interceptor.ResponseTerminologyTranslationInterceptor;
 import ca.uhn.fhir.rest.server.interceptor.ResponseTerminologyTranslationSvc;
+import ca.uhn.fhir.rest.server.interceptor.auth.IAuthResourceResolver;
 import ca.uhn.fhir.rest.server.interceptor.consent.IConsentContextServices;
 import ca.uhn.fhir.rest.server.interceptor.partition.RequestTenantPartitionInterceptor;
 import ca.uhn.fhir.rest.server.util.ISearchParamRegistry;
@@ -530,6 +532,11 @@ public IConsentContextServices consentContextServices() {
 		return new JpaConsentContextServices();
 	}
 
+	@Bean
+	public IAuthResourceResolver authResourceResolver(DaoRegistry theDaoRegistry) {
+		return new AuthResourceResolver(theDaoRegistry);
+	}
+
 	@Bean
 	@Lazy
 	public DiffProvider diffProvider() {

diff --git a/hapi-fhir-jpaserver-base/src/main/java/ca/uhn/fhir/jpa/interceptor/AuthResourceResolver.java b/hapi-fhir-jpaserver-base/src/main/java/ca/uhn/fhir/jpa/interceptor/AuthResourceResolver.java
@@ -0,0 +1,57 @@
+/*-
+ * #%L
+ * HAPI FHIR JPA Server
+ * %%
+ * Copyright (C) 2014 - 2025 Smile CDR, Inc.
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+package ca.uhn.fhir.jpa.interceptor;
+
+import ca.uhn.fhir.jpa.api.dao.DaoRegistry;
+import ca.uhn.fhir.jpa.searchparam.SearchParameterMap;
+import ca.uhn.fhir.rest.api.Constants;
+import ca.uhn.fhir.rest.api.server.SystemRequestDetails;
+import ca.uhn.fhir.rest.param.TokenOrListParam;
+import ca.uhn.fhir.rest.server.interceptor.auth.IAuthResourceResolver;
+import org.hl7.fhir.instance.model.api.IBaseResource;
+import org.hl7.fhir.instance.model.api.IIdType;
+
+import java.util.List;
+
+/**
+ * Small service class to inject DB access into an interceptor
+ * For example, used in bulk export security to allow querying for resource to match against permission argument filters
+ */
+public class AuthResourceResolver implements IAuthResourceResolver {
+	private final DaoRegistry myDaoRegistry;
+
+	public AuthResourceResolver(DaoRegistry myDaoRegistry) {
+		this.myDaoRegistry = myDaoRegistry;
+	}
+
+	public IBaseResource resolveResourceById(IIdType theResourceId) {
+		return myDaoRegistry
+				.getResourceDao(theResourceId.getResourceType())
+				.read(theResourceId, new SystemRequestDetails());
+	}
+
+	public List<IBaseResource> resolveResourcesByIds(List<String> theResourceIds, String theResourceType) {
+		TokenOrListParam t = new TokenOrListParam(null, theResourceIds.toArray(String[]::new));
+
+		SearchParameterMap m = new SearchParameterMap();
+		m.add(Constants.PARAM_ID, t);
+		return myDaoRegistry.getResourceDao(theResourceType).searchForResources(m, new SystemRequestDetails());
+	}
+}
diff --git a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/BaseRule.java b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/BaseRule.java
@@ -93,6 +93,31 @@ private boolean applyTesters(
 		return retVal;
 	}
 
+	/**
+	 * Apply testers, and return true if at least 1 tester matches.
+	 * Returns false if all testers do not match.
+	 */
+	boolean atLeastOneTesterMatches(
+			RestOperationTypeEnum theOperation,
+			RequestDetails theRequestDetails,
+			IBaseResource theInputResource,
+			IRuleApplier theRuleApplier) {
+
+		boolean retVal = false;
+
+		IAuthRuleTester.RuleTestRequest inputRequest = new IAuthRuleTester.RuleTestRequest(
+				myMode, theOperation, theRequestDetails, null, theInputResource, theRuleApplier);
+
+		for (IAuthRuleTester next : getTesters()) {
+			if (next.matches(inputRequest)) {
+				retVal = true;
+				break;
+			}
+		}
+
+		return retVal;
+	}
+
 	PolicyEnum getMode() {
 		return myMode;
 	}

diff --git a/...-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthResourceResolver.java b/...-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthResourceResolver.java
@@ -0,0 +1,41 @@
+/*-
+ * #%L
+ * HAPI FHIR - Server Framework
+ * %%
+ * Copyright (C) 2014 - 2025 Smile CDR, Inc.
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+package ca.uhn.fhir.rest.server.interceptor.auth;
+
+import org.hl7.fhir.instance.model.api.IBaseResource;
+import org.hl7.fhir.instance.model.api.IIdType;
+
+import java.util.List;
+
+/**
+ * Small service class to inject DB access into an interceptor
+ * For example, used in bulk export security to allow querying for resource to match against permission argument filters
+ */
+public interface IAuthResourceResolver {
+	IBaseResource resolveResourceById(IIdType theResourceId);
+
+	/**
+	 * Resolve a list of resources by ID. All resources should be the same type.
+	 * @param theResourceIds the FHIR id of the resource(s)
+	 * @param theResourceType the type of resource
+	 * @return A list of resources resolved by ID
+	 */
+	List<IBaseResource> resolveResourcesByIds(List<String> theResourceIds, String theResourceType);
+}
diff --git a/...rc/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthRuleBuilderRuleBulkExport.java b/...rc/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthRuleBuilderRuleBulkExport.java
@@ -46,6 +46,24 @@ default IAuthRuleBuilderRuleBulkExportWithTarget groupExportOnGroup(@Nonnull IId
 	 */
 	IAuthRuleBuilderRuleBulkExportWithTarget groupExportOnGroup(@Nonnull String theFocusResourceId);
 
+	/**
+	 * Allow/deny <b>group-level</b> export rule applies to the Group by matching on the provided FHIR query filter,
+	 * e.g. <code>?identifier=foo|bar</code>
+	 * Note that resource type is implied to be Group
+	 *
+	 * @since 8.6.0
+	 */
+	IAuthRuleBuilderRuleBulkExportWithTarget groupExportOnFilter(@Nonnull String theCompartmentFilterMatcher);
+
+	/**
+	 * Allow/deny <b>patient-level</b> export rule applies to the Patient by matching on the provided FHIR query filter,
+	 * e.g. <code>?identifier=foo|bar</code>
+	 * Note that resource type is implied to be Patient
+	 *
+	 * @since 8.6.0
+	 */
+	IAuthRuleBuilderRuleBulkExportWithTarget patientExportOnFilter(@Nonnull String theCompartmentFilterMatcher);
+
 	/**
 	 * Allow/deny <b>patient-level</b> export rule applies to the Group with the given resource ID, e.g. <code>Group/123</code>
 	 *

diff --git a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IRuleApplier.java b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IRuleApplier.java
@@ -50,5 +50,15 @@ Verdict applyRulesAndReturnDecision(
 	default IAuthorizationSearchParamMatcher getSearchParamMatcher() {
 		return null;
 	}
-	;
+
+	/**
+	 * The auth resource resolve is a service that allows you to query the DB for a resource, given a resource ID
+	 * WARNING: This is slow, and should have limited use in authorization.
+	 *
+	 * It is currently used for bulk-export, to support permissible Group/Patient exports by matching a FHIR query
+	 * This is ok, since bulk-export is a slow and (relatively) rare operation
+	 */
+	default IAuthResourceResolver getAuthResourceResolver() {
+		return null;
+	}
 }
diff --git a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBuilder.java b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBuilder.java
@@ -259,7 +259,7 @@ private class RuleBuilderRule implements IAuthRuleBuilderRule {
 		private final String myRuleName;
 		private RuleBuilderRuleOp myReadRuleBuilder;
 		private RuleBuilderRuleOp myWriteRuleBuilder;
-		private RuleBuilderBulkExport ruleBuilderBulkExport;
+		private RuleBuilderBulkExport myRuleBuilderBulkExport;
 
 		RuleBuilderRule(PolicyEnum theRuleMode, String theRuleName) {
 			myRuleMode = theRuleMode;
@@ -341,10 +341,10 @@ public IAuthRuleBuilderGraphQL graphQL() {
 
 		@Override
 		public IAuthRuleBuilderRuleBulkExport bulkExport() {
-			if (ruleBuilderBulkExport == null) {
-				ruleBuilderBulkExport = new RuleBuilderBulkExport();
+			if (myRuleBuilderBulkExport == null) {
+				myRuleBuilderBulkExport = new RuleBuilderBulkExport();
 			}
-			return ruleBuilderBulkExport;
+			return myRuleBuilderBulkExport;
 		}
 
 		@Override
@@ -888,6 +888,8 @@ public IAuthRuleFinished any() {
 
 		private class RuleBuilderBulkExport implements IAuthRuleBuilderRuleBulkExport {
 			private RuleBulkExportImpl myRuleBulkExport;
+			private RuleGroupBulkExportByCompartmentMatcherImpl myRuleGroupBulkExportByCompartmentMatcher;
+			private RulePatientBulkExportByCompartmentMatcherImpl myRulePatientBulkExportByCompartmentMatcher;
 
 			@Override
 			public IAuthRuleBuilderRuleBulkExportWithTarget groupExportOnGroup(@Nonnull String theFocusResourceId) {
@@ -985,6 +987,51 @@ public IAuthRuleBuilderRuleBulkExportWithTarget any() {
 				return new RuleBuilderBulkExportWithTarget(rule);
 			}
 
+			@Override
+			public IAuthRuleBuilderRuleBulkExportWithTarget groupExportOnFilter(
+					@Nonnull String theCompartmentFilterMatcher) {
+				if (myRuleGroupBulkExportByCompartmentMatcher == null) {
+					RuleGroupBulkExportByCompartmentMatcherImpl rule =
+							new RuleGroupBulkExportByCompartmentMatcherImpl(myRuleName);
+					rule.setAppliesToGroupExportOnGroup(theCompartmentFilterMatcher);
+					rule.setMode(myRuleMode);
+					myRuleGroupBulkExportByCompartmentMatcher = rule;
+				} else {
+					myRuleGroupBulkExportByCompartmentMatcher.setAppliesToGroupExportOnGroup(
+							theCompartmentFilterMatcher);
+				}
+
+				// prevent duplicate rules from being added
+				if (!myRules.contains(myRuleGroupBulkExportByCompartmentMatcher)) {
+					myRules.add(myRuleGroupBulkExportByCompartmentMatcher);
+				}
+
+				return new RuleBuilderGroupBulkExportWithFilter(myRuleGroupBulkExportByCompartmentMatcher);
+			}
+
+			@Override
+			public IAuthRuleBuilderRuleBulkExportWithTarget patientExportOnFilter(
+					@Nonnull String theCompartmentFilterMatcher) {
+				if (myRulePatientBulkExportByCompartmentMatcher == null) {
+					RulePatientBulkExportByCompartmentMatcherImpl rule =
+							new RulePatientBulkExportByCompartmentMatcherImpl(myRuleName);
+
+					rule.addAppliesToPatientExportOnPatient(theCompartmentFilterMatcher);
+					rule.setMode(myRuleMode);
+					myRulePatientBulkExportByCompartmentMatcher = rule;
+				} else {
+					myRulePatientBulkExportByCompartmentMatcher.addAppliesToPatientExportOnPatient(
+							theCompartmentFilterMatcher);
+				}
+
+				// prevent duplicate rules from being added
+				if (!myRules.contains(myRulePatientBulkExportByCompartmentMatcher)) {
+					myRules.add(myRulePatientBulkExportByCompartmentMatcher);
+				}
+
+				return new RuleBuilderPatientBulkExportWithFilter(myRulePatientBulkExportByCompartmentMatcher);
+			}
+
 			private class RuleBuilderBulkExportWithTarget extends RuleBuilderFinished
 					implements IAuthRuleBuilderRuleBulkExportWithTarget {
 				private final RuleBulkExportImpl myRule;
@@ -1000,6 +1047,38 @@ public IAuthRuleBuilderRuleBulkExportWithTarget withResourceTypes(Collection<Str
 					return this;
 				}
 			}
+
+			private class RuleBuilderGroupBulkExportWithFilter extends RuleBuilderFinished
+					implements IAuthRuleBuilderRuleBulkExportWithTarget {
+				private final RuleGroupBulkExportByCompartmentMatcherImpl myRule;
+
+				private RuleBuilderGroupBulkExportWithFilter(RuleGroupBulkExportByCompartmentMatcherImpl theRule) {
+					super(theRule);
+					myRule = theRule;
+				}
+
+				@Override
+				public IAuthRuleBuilderRuleBulkExportWithTarget withResourceTypes(Collection<String> theResourceTypes) {
+					myRule.setResourceTypes(theResourceTypes);
+					return this;
+				}
+			}
+
+			private class RuleBuilderPatientBulkExportWithFilter extends RuleBuilderFinished
+					implements IAuthRuleBuilderRuleBulkExportWithTarget {
+				private final RulePatientBulkExportByCompartmentMatcherImpl myRule;
+
+				private RuleBuilderPatientBulkExportWithFilter(RulePatientBulkExportByCompartmentMatcherImpl theRule) {
+					super(theRule);
+					myRule = theRule;
+				}
+
+				@Override
+				public IAuthRuleBuilderRuleBulkExportWithTarget withResourceTypes(Collection<String> theResourceTypes) {
+					myRule.setResourceTypes(theResourceTypes);
+					return this;
+				}
+			}
 		}
 	}
 

diff --git a/...hir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBulkExportImpl.java b/...hir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBulkExportImpl.java
@@ -34,6 +34,7 @@
 import java.util.Set;
 import java.util.stream.Collectors;
 
+import static ca.uhn.fhir.rest.server.interceptor.auth.AuthorizationInterceptor.REQUEST_ATTRIBUTE_BULK_DATA_EXPORT_OPTIONS;
 import static org.apache.commons.collections4.CollectionUtils.isEmpty;
 import static org.apache.commons.collections4.CollectionUtils.isNotEmpty;
 import static org.apache.commons.lang3.StringUtils.isNotBlank;
@@ -70,9 +71,8 @@ public AuthorizationInterceptor.Verdict applyRule(
 			return null;
 		}
 
-		BulkExportJobParameters inboundBulkExportRequestOptions = (BulkExportJobParameters) theRequestDetails
-				.getUserData()
-				.get(AuthorizationInterceptor.REQUEST_ATTRIBUTE_BULK_DATA_EXPORT_OPTIONS);
+		BulkExportJobParameters inboundBulkExportRequestOptions = (BulkExportJobParameters)
+				theRequestDetails.getUserData().get(REQUEST_ATTRIBUTE_BULK_DATA_EXPORT_OPTIONS);
 		// if style doesn't match - abstain
 		if (!myWantAnyStyle && inboundBulkExportRequestOptions.getExportStyle() != myWantExportStyle) {
 			return null;
@@ -120,11 +120,12 @@ public AuthorizationInterceptor.Verdict applyRule(
 
 		// 1. If each of the requested resource IDs in the parameters are present in the users permissions, Approve
 		// 2. If any requested ID is not present in the users permissions, Deny.
-		if (myWantExportStyle == BulkExportJobParameters.ExportStyle.PATIENT)
+		if (myWantExportStyle == BulkExportJobParameters.ExportStyle.PATIENT) {
 			// Unfiltered Type Level
 			if (myAppliesToAllPatients) {
 				return allowVerdict;
 			}
+		}
 
 		// Instance level, or filtered type level
 		if (isNotEmpty(myPatientIds)) {