Skip to content

Feature - Permit Bulk Export on Compartment by FHIR Query #7310

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 28 commits into
base: rel_8_6
Choose a base branch
from
Open

Feature - Permit Bulk Export on Compartment by FHIR Query #7310

Show file tree
Hide file tree
Changes from 20 commits
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
6bba3cb
draft implementation - no support for typefilter yet
Oct 17, 2025
f795113
revise and create draft of new permissions arg format w/ implied reso…
Oct 20, 2025
4d57ea8
add new rule for group query, with tests
Oct 21, 2025
c80280d
Merge branch 'master' into jd-20251017-bulk-export-permissions
Oct 21, 2025
384ff31
- formatting
Oct 21, 2025
e070201
add Group rule builder code
Oct 21, 2025
33d0df7
implement basic Patient rule with tests
Oct 23, 2025
5575871
Implement rule building for patient by matcher
Oct 24, 2025
6ff269b
spotless
Oct 24, 2025
6c5d860
type level ITs, fix some tests and bugs
Oct 28, 2025
640c9ef
spotless
Oct 28, 2025
2f02a09
add javadocs, remove unused code after some design changes, updated s…
Oct 29, 2025
10fd885
spotless
Oct 29, 2025
af123a9
round 2 - add javadocs, remove unused code after some design changes,…
Oct 29, 2025
bd3ca50
round 4 - add javadocs, remove unused code after some design changes,…
Oct 29, 2025
5873e18
round 5 - remove todos
Oct 29, 2025
0d906c4
changelogs, more java docs
Oct 29, 2025
78324a9
Merge remote-tracking branch 'origin/rel_8_6' into jd-20251017-bulk-e…
Oct 29, 2025
9727733
round 1 of addressing review comments
Oct 30, 2025
f8b3d41
spotless
Oct 30, 2025
7fdc3a4
refactor rule classes to have a base class for common logic
Oct 30, 2025
31d143c
spotless
Oct 31, 2025
17ed1ad
Revert "spotless"
Oct 31, 2025
5f52b36
Revert "refactor rule classes to have a base class for common logic"
Oct 31, 2025
5390b9b
round 2 - address code review comments
Oct 31, 2025
1f83598
spotless
Oct 31, 2025
b50a5aa
draft implementation of combining RuleBuilder apis
Nov 17, 2025
d558587
spotless
Nov 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions ...pi/fhir/changelog/8_6_0/7342-enhance-rulebuilder-to-support-compartments-by-matchers.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
---
type: add
issue: 7342
title: "Enhanced the bulk export RuleBuilder code to support the identification of allowable Groups/Patients to export by a FHIR query matcher."
7 changes: 7 additions & 0 deletions hapi-fhir-jpaserver-base/src/main/java/ca/uhn/fhir/jpa/config/JpaConfig.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,7 @@
import ca.uhn.fhir.jpa.entity.TermValueSet;
import ca.uhn.fhir.jpa.esr.ExternallyStoredResourceServiceRegistry;
import ca.uhn.fhir.jpa.graphql.DaoRegistryGraphQLStorageServices;
import ca.uhn.fhir.jpa.interceptor.AuthResourceResolver;
import ca.uhn.fhir.jpa.interceptor.CascadingDeleteInterceptor;
import ca.uhn.fhir.jpa.interceptor.JpaConsentContextServices;
import ca.uhn.fhir.jpa.interceptor.OverridePathBasedReferentialIntegrityForDeletesInterceptor;
Expand Down Expand Up @@ -205,6 +206,7 @@
import ca.uhn.fhir.rest.api.server.storage.IResourcePersistentId;
import ca.uhn.fhir.rest.server.interceptor.ResponseTerminologyTranslationInterceptor;
import ca.uhn.fhir.rest.server.interceptor.ResponseTerminologyTranslationSvc;
import ca.uhn.fhir.rest.server.interceptor.auth.IAuthResourceResolver;
import ca.uhn.fhir.rest.server.interceptor.consent.IConsentContextServices;
import ca.uhn.fhir.rest.server.interceptor.partition.RequestTenantPartitionInterceptor;
import ca.uhn.fhir.rest.server.util.ISearchParamRegistry;
Expand Down Expand Up @@ -530,6 +532,11 @@ public IConsentContextServices consentContextServices() {
return new JpaConsentContextServices();
}

@Bean
public IAuthResourceResolver authResourceResolver(DaoRegistry theDaoRegistry) {
return new AuthResourceResolver(theDaoRegistry);
}

@Bean
@Lazy
public DiffProvider diffProvider() {
Expand Down
59 changes: 59 additions & 0 deletions hapi-fhir-jpaserver-base/src/main/java/ca/uhn/fhir/jpa/interceptor/AuthResourceResolver.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
/*-
* #%L
* HAPI FHIR JPA Server
* %%
* Copyright (C) 2014 - 2025 Smile CDR, Inc.
* %%
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
* #L%
*/
package ca.uhn.fhir.jpa.interceptor;

import ca.uhn.fhir.jpa.api.dao.DaoRegistry;
import ca.uhn.fhir.jpa.searchparam.SearchParameterMap;
import ca.uhn.fhir.rest.api.Constants;
import ca.uhn.fhir.rest.api.server.SystemRequestDetails;
import ca.uhn.fhir.rest.param.TokenOrListParam;
import ca.uhn.fhir.rest.server.interceptor.auth.IAuthResourceResolver;
import org.hl7.fhir.instance.model.api.IBaseResource;
import org.hl7.fhir.instance.model.api.IIdType;
import org.springframework.stereotype.Service;

import java.util.List;

/**
* Small service class to inject DB access into an interceptor
* For example, used in bulk export security to allow querying for resource to match against permission argument filters
*/
@Service
public class AuthResourceResolver implements IAuthResourceResolver {
Copy link
Collaborator

@jamesagnew jamesagnew Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes me nervous. I get the design, but it's breaking the well-established pattern we have that auth interceptor doesn't resolve anything, it just looks at the data it's passed and makes a decision.

Instead of creating a loading infrastructure, could we add a new parameter object to STORAGE_PRE_INITIATE_BULK_EXPORT so that BulkExportJobService could handle loading the Group and pass it to AuthInterceptor as a part of the interceptor request? That way AuthInterceptor could look at it and make its decisions without needing to know how to fetch anything

private final DaoRegistry myDaoRegistry;

public AuthResourceResolver(DaoRegistry myDaoRegistry) {
this.myDaoRegistry = myDaoRegistry;
}

public IBaseResource resolveCompartmentById(IIdType theResourceId) {
return myDaoRegistry
.getResourceDao(theResourceId.getResourceType())
.read(theResourceId, new SystemRequestDetails());
}

public List<IBaseResource> resolveCompartmentByIds(List<String> theResourceIds, String theResourceType) {
TokenOrListParam t = new TokenOrListParam(null, theResourceIds.toArray(String[]::new));

SearchParameterMap m = new SearchParameterMap();
m.add(Constants.PARAM_ID, t);
return myDaoRegistry.getResourceDao(theResourceType).searchForResources(m, new SystemRequestDetails());
}
}
25 changes: 25 additions & 0 deletions hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/BaseRule.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,31 @@ private boolean applyTesters(
return retVal;
}

/**
* Apply testers, and return true if at least 1 tester matches.
* Returns false if all testers do not match.
*/
boolean applyTestersAtLeastOneMatch(
RestOperationTypeEnum theOperation,
RequestDetails theRequestDetails,
IBaseResource theInputResource,
IRuleApplier theRuleApplier) {

boolean retVal = false;

IAuthRuleTester.RuleTestRequest inputRequest = new IAuthRuleTester.RuleTestRequest(
myMode, theOperation, theRequestDetails, null, theInputResource, theRuleApplier);

for (IAuthRuleTester next : getTesters()) {
if (next.matches(inputRequest)) {
retVal = true;
break;
}
}

return retVal;
}

PolicyEnum getMode() {
return myMode;
}
Expand Down
41 changes: 41 additions & 0 deletions ...-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthResourceResolver.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
/*-
* #%L
* HAPI FHIR - Server Framework
* %%
* Copyright (C) 2014 - 2025 Smile CDR, Inc.
* %%
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
* #L%
*/
package ca.uhn.fhir.rest.server.interceptor.auth;

import org.hl7.fhir.instance.model.api.IBaseResource;
import org.hl7.fhir.instance.model.api.IIdType;

import java.util.List;

/**
* Small service class to inject DB access into an interceptor
* For example, used in bulk export security to allow querying for resource to match against permission argument filters
*/
public interface IAuthResourceResolver {
IBaseResource resolveCompartmentById(IIdType theResourceId);

/**
* Resolve a list of resources by ID. All resources should be the same type.
* @param theResourceIds the FHIR id of the resource(s)
* @param theResourceType the type of resource
* @return A list of resources resolved by ID
*/
List<IBaseResource> resolveCompartmentByIds(List<String> theResourceIds, String theResourceType);
}
16 changes: 16 additions & 0 deletions ...r-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthRuleBuilderRule.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -127,6 +127,22 @@ public interface IAuthRuleBuilderRule {
*/
IAuthRuleBuilderRuleBulkExport bulkExport();

/**
* This rule permits the user to initiate a FHIR bulk export
* by providing a filter matcher on Group compartment(s).
*
* @since 8.6.0
*/
IAuthRuleBuilderRuleGroupMatcherBulkExport bulkExportGroupCompartmentMatcher();
Copy link
Collaborator

@jamesagnew jamesagnew Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't love the names of these new methods - All of the existing methods in this interface are verbs (update(), patch(), bulkExport(), etc) that read fluently, but these new ones break that pattern with a really cryptic noun instead.

Do we need these new interfaces and methods at all? E.g. could we move the new functionality into IAuthRuleBuilderRuleBulkExport so that instead of needing to add rule:

builder.allow().bulkExportGroupCompartmentMatcher().groupExportOnGroup("?" + theCompartmentMatcherFilter).withResourceTypes(resourceTypes);

could we just allow a syntax like:

```java
builder.allow().bulkExport().groupExportOnFilter("?" + theCompartmentMatcherFilter).withResourceTypes(resourceTypes);

This would make the API a lot cleaner, and make the new features more discoverable since we wouldn't have 3 top level methods about the same operation.


/**
* This rule permits the user to initiate a FHIR bulk export
* by providing a filter matcher on Patient compartment(s).
*
* @since 8.6.0
*/
IAuthRuleBuilderRulePatientMatcherBulkExport bulkExportPatientCompartmentMatcher();

/**
* This rule specifically allows a user to perform a FHIR update on the historical version of a resource
*
Expand Down
34 changes: 34 additions & 0 deletions .../ca/uhn/fhir/rest/server/interceptor/auth/IAuthRuleBuilderRuleGroupMatcherBulkExport.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
/*-
* #%L
* HAPI FHIR - Server Framework
* %%
* Copyright (C) 2014 - 2025 Smile CDR, Inc.
* %%
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
* #L%
*/
package ca.uhn.fhir.rest.server.interceptor.auth;

import jakarta.annotation.Nonnull;

/**
* @since 8.6.0
*/
public interface IAuthRuleBuilderRuleGroupMatcherBulkExport {
/**
* Allow/deny <b>group-level</b> export rule applies to the Group with the given resource ID, e.g. <code>Group/123</code>
*
* @since 8.6.0
*/
IAuthRuleBuilderRuleBulkExportWithTarget groupExportOnGroup(@Nonnull String theCompartmentFilterMatcher);
}
34 changes: 34 additions & 0 deletions ...a/uhn/fhir/rest/server/interceptor/auth/IAuthRuleBuilderRulePatientMatcherBulkExport.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
/*-
* #%L
* HAPI FHIR - Server Framework
* %%
* Copyright (C) 2014 - 2025 Smile CDR, Inc.
* %%
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
* #L%
*/
package ca.uhn.fhir.rest.server.interceptor.auth;

import jakarta.annotation.Nonnull;

/**
* @since 8.6.0
*/
public interface IAuthRuleBuilderRulePatientMatcherBulkExport {
/**
* Allow/deny <b>group-level</b> export rule applies to the Group with the given resource ID, e.g. <code>Group/123</code>
*
* @since 8.6.0
*/
IAuthRuleBuilderRuleBulkExportWithTarget patientExportOnPatient(@Nonnull String theCompartmentFilterMatcher);
}
12 changes: 11 additions & 1 deletion hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IRuleApplier.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,5 +50,15 @@ Verdict applyRulesAndReturnDecision(
default IAuthorizationSearchParamMatcher getSearchParamMatcher() {
return null;
}
;

/**
* The auth resource resolve is a service that allows you to query the DB for a resource, given a resource ID
* WARNING: This is slow, and should have limited use in authorization.
*
* It is currently used for bulk-export, to support permissible Group/Patient exports by matching a FHIR query
* This is ok, since bulk-export is a slow and (relatively) rare operation
*/
default IAuthResourceResolver getAuthResourceResolver() {
return null;
}
}
Loading
Loading