Fix a big with the new permissions

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptor.java

@@ -30,6 +30,8 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang3.Validate;
+import org.apache.commons.lang3.builder.ToStringBuilder;
+import org.apache.commons.lang3.builder.ToStringStyle;
 import org.hl7.fhir.instance.model.api.IBaseBundle;
 import org.hl7.fhir.instance.model.api.IBaseParameters;
 import org.hl7.fhir.instance.model.api.IBaseResource;
@@ -72,14 +74,16 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
 	/**
 	 * Constructor
 	 * 
-	 * @param theDefaultPolicy The default policy if no rules apply (must not be null)
+	 * @param theDefaultPolicy
+	 *           The default policy if no rules apply (must not be null)
 	 */
 	public AuthorizationInterceptor(PolicyEnum theDefaultPolicy) {
 		this();
 		setDefaultPolicy(theDefaultPolicy);
 	}
 
-	private void applyRulesAndFailIfDeny(RestOperationTypeEnum theOperation, RequestDetails theRequestDetails, IBaseResource theInputResource, IIdType theInputResourceId, IBaseResource theOutputResource) {
+	private void applyRulesAndFailIfDeny(RestOperationTypeEnum theOperation, RequestDetails theRequestDetails, IBaseResource theInputResource, IIdType theInputResourceId,
+			IBaseResource theOutputResource) {
 		Verdict decision = applyRulesAndReturnDecision(theOperation, theRequestDetails, theInputResource, theInputResourceId, theOutputResource);
 
 		if (decision.getDecision() == PolicyEnum.ALLOW) {
@@ -90,7 +94,8 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
 	}
 
 	@Override
-	public Verdict applyRulesAndReturnDecision(RestOperationTypeEnum theOperation, RequestDetails theRequestDetails, IBaseResource theInputResource, IIdType theInputResourceId, IBaseResource theOutputResource) {
+	public Verdict applyRulesAndReturnDecision(RestOperationTypeEnum theOperation, RequestDetails theRequestDetails, IBaseResource theInputResource, IIdType theInputResourceId,
+			IBaseResource theOutputResource) {
 		List<IAuthRule> rules = buildRuleList(theRequestDetails);
 		ourLog.trace("Applying {} rules to render an auth decision for operation {}", rules.size(), theOperation);
 
@@ -120,13 +125,13 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
 	 * an appropriate rule chain.
 	 * </p>
 	 * 
-	 * @param theRequestDetails The individual request currently being applied
+	 * @param theRequestDetails
+	 *           The individual request currently being applied
 	 */
 	public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
 		return new ArrayList<IAuthRule>();
 	}
 
-	
 	private OperationExamineDirection determineOperationDirection(RestOperationTypeEnum theOperation, IBaseResource theRequestResource) {
 		switch (theOperation) {
 		case ADD_TAGS:
@@ -247,7 +252,8 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
 
 	@Override
 	@CoverageIgnore
-	public boolean outgoingResponse(RequestDetails theRequestDetails, Bundle theResponseObject, HttpServletRequest theServletRequest, HttpServletResponse theServletResponse) throws AuthenticationException {
+	public boolean outgoingResponse(RequestDetails theRequestDetails, Bundle theResponseObject, HttpServletRequest theServletRequest, HttpServletResponse theServletResponse)
+			throws AuthenticationException {
 		throw failForDstu1();
 	}
 
@@ -309,7 +315,8 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
 
 	@CoverageIgnore
 	@Override
-	public boolean outgoingResponse(RequestDetails theRequestDetails, TagList theResponseObject, HttpServletRequest theServletRequest, HttpServletResponse theServletResponse) throws AuthenticationException {
+	public boolean outgoingResponse(RequestDetails theRequestDetails, TagList theResponseObject, HttpServletRequest theServletRequest, HttpServletResponse theServletResponse)
+			throws AuthenticationException {
 		throw failForDstu1();
 	}
 
@@ -331,7 +338,8 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
 	/**
 	 * The default policy if no rules have been found to apply. Default value for this setting is {@link PolicyEnum#DENY}
 	 * 
-	 * @param theDefaultPolicy The policy (must not be <code>null</code>)
+	 * @param theDefaultPolicy
+	 *           The policy (must not be <code>null</code>)
 	 */
 	public void setDefaultPolicy(PolicyEnum theDefaultPolicy) {
 		Validate.notNull(theDefaultPolicy, "theDefaultPolicy must not be null");
@@ -368,10 +376,7 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
 	}
 
 	private enum OperationExamineDirection {
-		BOTH,
-		IN,
-		NONE, 
-		OUT, 
+		BOTH, IN, NONE, OUT,
 	}
 
 	public static class Verdict {
@@ -392,6 +397,14 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
 			return myDecision;
 		}
 
+		@Override
+		public String toString() {
+			ToStringBuilder b = new ToStringBuilder(this, ToStringStyle.SHORT_PREFIX_STYLE);
+			b.append("rule", myDecidingRule.getName());
+			b.append("decision", myDecision.name());
+			return b.build();
+		}
+
 	}
 
 }

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleImplOp.java

@@ -87,6 +87,9 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
 				}
 			}
 			appliesToResource = theOutputResource;
+			if (theOutputResource != null) {
+				appliesToResourceId = theOutputResource.getIdElement();
+			}
 			break;
 		case WRITE:
 			if (theInputResource == null && theInputResourceId == null) {

hapi-fhir-base/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/VerdictTest.java

@@ -0,0 +1,12 @@
+package ca.uhn.fhir.rest.server.interceptor.auth;
+
+import ca.uhn.fhir.rest.server.interceptor.auth.AuthorizationInterceptor.Verdict;
+
+public class VerdictTest {
+
+	public void testToString() {
+		Verdict v = new AuthorizationInterceptor.Verdict(PolicyEnum.ALLOW, new RuleImplOp("foo"));
+		v.toString();
+	}
+	
+}

hapi-fhir-structures-dstu2/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptorDstu2Test.java

@@ -1777,6 +1777,56 @@ public class AuthorizationInterceptorDstu2Test {
 		assertFalse(ourHitMethod);
 
 	}
+	
+	
+	@Test
+	public void testReadByInstance() throws Exception {
+		ourConditionalCreateId = "1";
+
+		ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
+			@Override
+			public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
+				//@formatter:off
+				return new RuleBuilder()
+					.allow("Rule 1").read().instance("Observation/900").andThen()
+					.allow("Rule 1").read().instance("901").andThen()
+					.build();
+				//@formatter:on
+			}
+		});
+
+		HttpResponse status;
+		String response;
+		HttpGet httpGet;
+
+		ourReturn = Arrays.asList(createObservation(900, "Patient/1"));
+		ourHitMethod = false;
+		httpGet = new HttpGet("http://localhost:" + ourPort + "/Observation/900");
+		status = ourClient.execute(httpGet);
+		response = extractResponseAndClose(status);
+		assertEquals(200, status.getStatusLine().getStatusCode());
+		assertTrue(ourHitMethod);
+
+		ourReturn = Arrays.asList(createPatient(901));
+		ourHitMethod = false;
+		httpGet = new HttpGet("http://localhost:" + ourPort + "/Patient/901");
+		status = ourClient.execute(httpGet);
+		response = extractResponseAndClose(status);
+		assertEquals(200, status.getStatusLine().getStatusCode());
+		assertTrue(ourHitMethod);
+
+		ourReturn = Arrays.asList(createPatient(1));
+		ourHitMethod = false;
+		httpGet = new HttpGet("http://localhost:" + ourPort + "/Patient/1?_format=json");
+		status = ourClient.execute(httpGet);
+		response = extractResponseAndClose(status);
+		assertEquals(403, status.getStatusLine().getStatusCode());
+		assertEquals(ERR403, response);
+		assertFalse(ourHitMethod);
+
+	}
+
+	
 	@AfterClass
 	public static void afterClassClearContext() throws Exception {
 		ourServer.stop();