Merge branch 'master' into issue-2851-upload-terminology-valueset-parallel-versioning

hapi-fhir-base/src/main/java/ca/uhn/fhir/util/FhirTerser.java

@@ -48,6 +48,7 @@ import java.util.IdentityHashMap;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
 import java.util.regex.Matcher;
@@ -704,6 +705,21 @@ public class FhirTerser {
 	 * @throws IllegalArgumentException If theTarget does not contain both a resource type and ID
 	 */
 	public boolean isSourceInCompartmentForTarget(String theCompartmentName, IBaseResource theSource, IIdType theTarget) {
+		return isSourceInCompartmentForTarget(theCompartmentName, theSource, theTarget, null);
+	}
+
+	/**
+	 * Returns <code>true</code> if <code>theSource</code> is in the compartment named <code>theCompartmentName</code>
+	 * belonging to resource <code>theTarget</code>
+	 *
+	 * @param theCompartmentName The name of the compartment
+	 * @param theSource          The potential member of the compartment
+	 * @param theTarget          The owner of the compartment. Note that both the resource type and ID must be filled in on this IIdType or the method will throw an {@link IllegalArgumentException}
+	 * @param theAdditionalCompartmentParamNames If provided, search param names provided here will be considered as included in the given compartment for this comparison.
+	 * @return <code>true</code> if <code>theSource</code> is in the compartment or one of the additional parameters matched.
+	 * @throws IllegalArgumentException If theTarget does not contain both a resource type and ID
+	 */
+	public boolean isSourceInCompartmentForTarget(String theCompartmentName, IBaseResource theSource, IIdType theTarget, Set<String> theAdditionalCompartmentParamNames) {
 		Validate.notBlank(theCompartmentName, "theCompartmentName must not be null or blank");
 		Validate.notNull(theSource, "theSource must not be null");
 		Validate.notNull(theTarget, "theTarget must not be null");
@@ -720,6 +736,20 @@ public class FhirTerser {
 		}
 
 		List<RuntimeSearchParam> params = sourceDef.getSearchParamsForCompartmentName(theCompartmentName);
+
+		//If passed an additional set of searchparameter names, add them for comparison purposes.
+		if (theAdditionalCompartmentParamNames != null) {
+			List<RuntimeSearchParam> additionalParams = theAdditionalCompartmentParamNames.stream().map(sourceDef::getSearchParam)
+				.filter(Objects::nonNull)
+				.collect(Collectors.toList());
+			if (params == null || params.isEmpty()) {
+				params = additionalParams;
+			} else {
+				params.addAll(additionalParams);
+			}
+		}
+
+
 		for (RuntimeSearchParam nextParam : params) {
 			for (String nextPath : nextParam.getPathsSplit()) {
 

hapi-fhir-docs/src/main/java/ca/uhn/hapi/fhir/docs/AuthorizationInterceptors.java

@@ -39,6 +39,7 @@ import org.hl7.fhir.dstu3.model.IdType;
 import org.hl7.fhir.instance.model.api.IBaseResource;
 import org.hl7.fhir.r4.model.Patient;
 
+import java.util.Collections;
 import java.util.List;
 
 import static org.apache.commons.lang3.StringUtils.isNotBlank;
@@ -205,6 +206,19 @@ public class AuthorizationInterceptors {
 		};
 		//END SNIPPET: bulkExport
 
+		//START SNIPPET: advancedCompartment
+		new AuthorizationInterceptor(PolicyEnum.DENY) {
+			@Override
+			public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
+				AdditionalCompartmentSearchParameters additionalSearchParams = new AdditionalCompartmentSearchParameters();
+				additionalSearchParams.addSearchParameters("device:patient", "device:subject");
+				return new RuleBuilder()
+					.allow().read().allResources().inCompartmentWithAdditionalSearchParams("Patient", new IdType("Patient/123"), additionalSearchParams)
+					.build();
+			}
+		};
+		//END SNIPPET: advancedCompartment
+
 
 	}
 

hapi-fhir-docs/src/main/resources/ca/uhn/hapi/fhir/changelog/5_6_0/2989-additional-sps-in-compartments.yaml

@@ -0,0 +1,5 @@
+---
+type: add
+jira: SMILE-1118
+title: "Add new RuleBuilder options which allow you to specify additional resources and search parameters which match a given compartment. More explanations of
+the enhancements can be found in [the documentation](/hapi-fhir/docs/security/authorization_interceptor.html#advanced-compartment-authorization)."

hapi-fhir-docs/src/main/resources/ca/uhn/hapi/fhir/changelog/5_6_0/3014-prevent-delete-expunge-and-cascade.yaml

@@ -0,0 +1,4 @@
+---
+type: change
+jira: SMILE-3128
+title: "Prevent _expunge and _cascade from being used on the same DELETE operation"

hapi-fhir-docs/src/main/resources/ca/uhn/hapi/fhir/docs/security/authorization_interceptor.md

@@ -83,3 +83,14 @@ AuthorizationInterceptor can be used to provide nuanced control over the kinds o
 ```java
 {{snippet:classpath:/ca/uhn/hapi/fhir/docs/AuthorizationInterceptors.java|bulkExport}}
 ```
+
+# Advanced Compartment authorization
+
+AuthorizationInterceptor can be used to provide fine-grained control over compartment reads and writes as well. There is a strict FHIR definition
+of which resources and related search parameters fall into a given compartment. However, sometimes the defaults do not suffice. The following is an example 
+of an R4 ruleset which allows `device.patient` to be considered in the Patient compartment, on top of all the standard search parameters. 
+
+
+```java
+{{snippet:classpath:/ca/uhn/hapi/fhir/docs/AuthorizationInterceptors.java|advancedCompartment}}
+```

hapi-fhir-jpaserver-base/src/main/java/ca/uhn/fhir/jpa/dao/BaseHapiFhirResourceDao.java

@@ -86,6 +86,7 @@ import ca.uhn.fhir.rest.server.IRestfulServerDefaults;
 import ca.uhn.fhir.rest.server.RestfulServerUtils;
 import ca.uhn.fhir.rest.server.exceptions.InvalidRequestException;
 import ca.uhn.fhir.rest.server.exceptions.MethodNotAllowedException;
+import ca.uhn.fhir.rest.server.exceptions.NotImplementedOperationException;
 import ca.uhn.fhir.rest.server.exceptions.PreconditionFailedException;
 import ca.uhn.fhir.rest.server.exceptions.ResourceNotFoundException;
 import ca.uhn.fhir.rest.server.exceptions.ResourceVersionConflictException;
@@ -136,12 +137,9 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
-import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
-import java.util.LinkedList;
 import java.util.List;
-import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.UUID;
@@ -588,6 +586,10 @@ public abstract class BaseHapiFhirResourceDao<T extends IBaseResource> extends B
 			throw new MethodNotAllowedException("_expunge is not enabled on this server: " + getConfig().cannotDeleteExpungeReason());
 		}
 
+		if (theUrl.contains(Constants.PARAMETER_CASCADE_DELETE) || (theRequest.getHeader(Constants.HEADER_CASCADE) != null && theRequest.getHeader(Constants.HEADER_CASCADE).equals(Constants.CASCADE_DELETE))) {
+			throw new InvalidRequestException("_expunge cannot be used with _cascade");
+		}
+
 		List<String> urlsToDeleteExpunge = Collections.singletonList(theUrl);
 		try {
 			JobExecution jobExecution = myDeleteExpungeJobSubmitter.submitJob(getConfig().getExpungeBatchSize(), urlsToDeleteExpunge, theRequest);

hapi-fhir-jpaserver-base/src/test/java/ca/uhn/fhir/jpa/dao/expunge/DeleteExpungeDaoTest.java

@@ -7,6 +7,8 @@ import ca.uhn.fhir.jpa.batch.writer.SqlExecutorWriter;
 import ca.uhn.fhir.jpa.dao.r4.BaseJpaR4Test;
 import ca.uhn.fhir.jpa.model.util.JpaConstants;
 import ca.uhn.fhir.jpa.partition.SystemRequestDetails;
+import ca.uhn.fhir.rest.api.Constants;
+import ca.uhn.fhir.rest.server.exceptions.BaseServerResponseException;
 import ca.uhn.fhir.test.utilities.BatchJobHelper;
 import ca.uhn.fhir.util.BundleBuilder;
 import org.hl7.fhir.instance.model.api.IIdType;
@@ -15,9 +17,11 @@ import org.hl7.fhir.r4.model.OperationOutcome;
 import org.hl7.fhir.r4.model.Organization;
 import org.hl7.fhir.r4.model.Patient;
 import org.hl7.fhir.r4.model.Reference;
+import org.hl7.fhir.r5.model.StructureDefinition;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.mockito.stubbing.Answer;
 import org.springframework.batch.core.BatchStatus;
 import org.springframework.batch.core.JobExecution;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -27,6 +31,9 @@ import java.util.List;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.containsString;
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.ArgumentMatchers.nullable;
+import static org.mockito.Mockito.when;
 
 class DeleteExpungeDaoTest extends BaseJpaR4Test {
 	@Autowired
@@ -51,6 +58,41 @@ class DeleteExpungeDaoTest extends BaseJpaR4Test {
 		myDaoConfig.setExpungeBatchSize(defaultDaoConfig.getExpungeBatchSize());
 	}
 
+	@Test
+	public void testDeleteCascadeExpungeReturns400() {
+		// Create new organization
+		Organization organization = new Organization();
+		organization.setName("FOO");
+		IIdType organizationId = myOrganizationDao.create(organization).getId().toUnqualifiedVersionless();
+
+		Patient patient = new Patient();
+		patient.setManagingOrganization(new Reference(organizationId));
+		IIdType patientId = myPatientDao.create(patient).getId().toUnqualifiedVersionless();
+
+		// Try to delete _cascade and _expunge on the organization
+		BaseServerResponseException e = assertThrows(BaseServerResponseException.class, () -> {
+			myOrganizationDao
+				.deleteByUrl("Organization?" + "_cascade=delete&" + JpaConstants.PARAM_DELETE_EXPUNGE + "=true", mySrd);
+		});
+
+		// Get not implemented HTTP 400 error
+		assertEquals(Constants.STATUS_HTTP_400_BAD_REQUEST, e.getStatusCode());
+		assertEquals("_expunge cannot be used with _cascade", e.getMessage());
+
+
+		// Try to delete with header 'X-Cascade' = delete
+		when(mySrd.getHeader(Constants.HEADER_CASCADE)).thenReturn(Constants.CASCADE_DELETE);
+		e = assertThrows(BaseServerResponseException.class, () -> {
+			myOrganizationDao
+				.deleteByUrl("Organization?" + JpaConstants.PARAM_DELETE_EXPUNGE + "=true", mySrd);
+		});
+
+		// Get not implemented HTTP 400 error
+		assertEquals(Constants.STATUS_HTTP_400_BAD_REQUEST, e.getStatusCode());
+		assertEquals("_expunge cannot be used with _cascade", e.getMessage());
+	}
+
+
 	@Test
 	public void testDeleteExpungeThrowExceptionIfForeignKeyLinksExists() {
 		// setup

hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/AdditionalCompartmentSearchParameters.java

@@ -0,0 +1,42 @@
+package ca.uhn.fhir.rest.server.interceptor.auth;
+
+import javax.annotation.Nonnull;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * This class is used in RuleBuilder, as a way to provide a compartment permission additional resource search params that
+ * are to be included as "in" the given compartment. For example, if you were to populate this map with
+ * [device -> ["patient", "subject"]
+ * and apply it to compartment Patient/123, then any device with Patient/123 as its patient would be considered "in"
+ * the compartment, despite the fact that device is technically not part of the compartment definition for patient.
+ */
+public class AdditionalCompartmentSearchParameters {
+	private Map<String, Set<String>> myResourceTypeToParameterCodeMap;
+
+	public AdditionalCompartmentSearchParameters() {
+		myResourceTypeToParameterCodeMap = new HashMap<>();
+	}
+
+	public void addSearchParameters(@Nonnull String... theQualifiedSearchParameters) {
+		Arrays.stream(theQualifiedSearchParameters).forEach(code -> {
+			if (code == null || !code.contains(":")) {
+				throw new IllegalArgumentException(code + " is not a valid search parameter. Search parameters must be in the form resourcetype:parametercode, e.g. 'Device:patient'");
+			}
+			String[] split = code.split(":");
+			if (split.length != 2) {
+				throw new IllegalArgumentException(code + " is not a valid search parameter. Search parameters must be in the form resourcetype:parametercode, e.g. 'Device:patient'");
+			} else {
+				myResourceTypeToParameterCodeMap.computeIfAbsent(split[0].toLowerCase(), (key) -> new HashSet<>()).add(split[1].toLowerCase());
+			}
+		});
+	}
+
+	public Set<String> getSearchParamNamesForResourceType(@Nonnull String theResourceType) {
+		return myResourceTypeToParameterCodeMap.computeIfAbsent(theResourceType.toLowerCase(), (key) -> new HashSet<>());
+	}
+}

hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/AppliesTypeEnum.java

@@ -22,7 +22,4 @@ package ca.uhn.fhir.rest.server.interceptor.auth;
 
 enum AppliesTypeEnum {
 	ALL_RESOURCES, TYPES, INSTANCES
-
-	
-	
 }

hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthRuleBuilderRuleOpClassifier.java

@@ -21,6 +21,7 @@ package ca.uhn.fhir.rest.server.interceptor.auth;
  */
 
 import java.util.Collection;
+import java.util.List;
 
 import org.hl7.fhir.instance.model.api.IIdType;
 
@@ -42,6 +43,30 @@ public interface IAuthRuleBuilderRuleOpClassifier {
 	 */
 	IAuthRuleBuilderRuleOpClassifierFinished inCompartment(String theCompartmentName, IIdType theOwner);
 
+	/**
+	 * Rule applies to resources in the given compartment.
+	 * <p>
+	 * For example, to apply the rule to any observations in the patient compartment
+	 * belonging to patient "123", you would invoke this with</br>
+	 * <code>inCompartment("Patient", new IdType("Patient", "123"))</code>
+	 *
+	 * This call also allows you to pass additional search parameters that count as being included in the given compartment,
+	 * passed in as a list of `resourceType:search-parameter-name`. For example, if you select a compartment name of "patient",
+	 * you could pass in a singleton list consisting of the string "device:patient", which would cause any devices belonging
+	 * to the patient to be permitted by the authorization rule.
+	 *
+	 * </p>
+	 * <p>
+	 * This call completes the rule and adds the rule to the chain.
+	 * </p>
+	 *
+	 * @param theCompartmentName The name of the compartment (must not be null or blank)
+	 * @param theOwner The owner of the compartment. Note that both the resource type and ID must be populated in this ID.
+	 * @param theAdditionalTypeSearchParamNames A list of strings for additional resource types and search parameters which count as being in the compartment, in the form "resourcetype:search-parameter-name".
+	 */
+	IAuthRuleBuilderRuleOpClassifierFinished inCompartmentWithAdditionalSearchParams(String theCompartmentName, IIdType theOwner, AdditionalCompartmentSearchParameters theAdditionalTypeSearchParamNames);
+
+
 	/**
 	 * Rule applies to resources in the given compartment.
 	 * <p>
@@ -58,6 +83,32 @@ public interface IAuthRuleBuilderRuleOpClassifier {
 	 */
 	IAuthRuleBuilderRuleOpClassifierFinished inCompartment(String theCompartmentName, Collection<? extends IIdType> theOwners);
 
+
+	/**
+	 * Rule applies to resources in the given compartment.
+	 * <p>
+	 * For example, to apply the rule to any observations in the patient compartment
+	 * belonging to patient "123", you would invoke this with</br>
+	 * <code>inCompartment("Patient", new IdType("Patient", "123"))</code>
+	 *
+	 * This call also allows you to pass additional search parameters that count as being included in the given compartment,
+	 * passed in as a list of `resourceType:search-parameter-name`. For example, if you select a compartment name of "patient",
+	 * you could pass in a singleton list consisting of the string "device:patient", which would cause any devices belonging
+	 * to the patient to be permitted by the authorization rule.
+	 *
+	 * </p>
+	 * <p>
+	 * This call completes the rule and adds the rule to the chain.
+	 * </p>
+	 *
+	 * @param theCompartmentName The name of the compartment (must not be null or blank)
+	 * @param theOwners The owners of the compartment. Note that both the resource type and ID must be populated in these IDs.
+	 * @param theAdditionalTypeSearchParamNames A {@link AdditionalCompartmentSearchParameters} which allows you to expand the search space for what is considered "in" the compartment.
+	 *
+	 **/
+	IAuthRuleBuilderRuleOpClassifierFinished inCompartmentWithAdditionalSearchParams(String theCompartmentName, Collection<? extends IIdType> theOwners, AdditionalCompartmentSearchParameters theAdditionalTypeSearchParamNames);
+
+
 	/**
 	 * Rule applies to any resource instances
 	 * <p>

hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBuilder.java

@@ -451,6 +451,7 @@ public class RuleBuilder implements IAuthRuleBuilder {
 				private Collection<? extends IIdType> myInCompartmentOwners;
 				private Collection<IIdType> myAppliesToInstances;
 				private RuleImplOp myRule;
+				private AdditionalCompartmentSearchParameters myAdditionalSearchParamsForCompartmentTypes = new AdditionalCompartmentSearchParameters();
 
 				/**
 				 * Constructor
@@ -483,6 +484,7 @@ public class RuleBuilder implements IAuthRuleBuilder {
 					myRule.setClassifierCompartmentOwners(myInCompartmentOwners);
 					myRule.setAppliesToDeleteCascade(myOnCascade);
 					myRule.setAppliesToDeleteExpunge(myOnExpunge);
+					myRule.setAdditionalSearchParamsForCompartmentTypes(myAdditionalSearchParamsForCompartmentTypes);
 					myRules.add(myRule);
 
 					return new RuleBuilderFinished(myRule);
@@ -490,6 +492,11 @@ public class RuleBuilder implements IAuthRuleBuilder {
 
 				@Override
 				public IAuthRuleBuilderRuleOpClassifierFinished inCompartment(String theCompartmentName, Collection<? extends IIdType> theOwners) {
+					return inCompartmentWithAdditionalSearchParams(theCompartmentName, theOwners, new AdditionalCompartmentSearchParameters());
+				}
+
+				@Override
+				public IAuthRuleBuilderRuleOpClassifierFinished inCompartmentWithAdditionalSearchParams(String theCompartmentName, Collection<? extends IIdType> theOwners, AdditionalCompartmentSearchParameters theAdditionalTypeSearchParams) {
 					Validate.notBlank(theCompartmentName, "theCompartmentName must not be null");
 					Validate.notNull(theOwners, "theOwners must not be null");
 					Validate.noNullElements(theOwners, "theOwners must not contain any null elements");
@@ -498,20 +505,28 @@ public class RuleBuilder implements IAuthRuleBuilder {
 					}
 					myInCompartmentName = theCompartmentName;
 					myInCompartmentOwners = theOwners;
+					myAdditionalSearchParamsForCompartmentTypes = theAdditionalTypeSearchParams;
 					myClassifierType = ClassifierTypeEnum.IN_COMPARTMENT;
 					return finished();
 				}
 
 				@Override
 				public IAuthRuleBuilderRuleOpClassifierFinished inCompartment(String theCompartmentName, IIdType theOwner) {
+					return inCompartmentWithAdditionalSearchParams(theCompartmentName, theOwner, new AdditionalCompartmentSearchParameters());
+				}
+
+				@Override
+				public IAuthRuleBuilderRuleOpClassifierFinished inCompartmentWithAdditionalSearchParams(String theCompartmentName, IIdType theOwner, AdditionalCompartmentSearchParameters theAdditionalTypeSearchParamNames) {
 					Validate.notBlank(theCompartmentName, "theCompartmentName must not be null");
 					Validate.notNull(theOwner, "theOwner must not be null");
 					validateOwner(theOwner);
 					myClassifierType = ClassifierTypeEnum.IN_COMPARTMENT;
 					myInCompartmentName = theCompartmentName;
+					myAdditionalSearchParamsForCompartmentTypes = theAdditionalTypeSearchParamNames;
 					Optional<RuleImplOp> oRule = findMatchingRule();
 					if (oRule.isPresent()) {
 						RuleImplOp rule = oRule.get();
+						rule.setAdditionalSearchParamsForCompartmentTypes(myAdditionalSearchParamsForCompartmentTypes);
 						rule.addClassifierCompartmentOwner(theOwner);
 						return new RuleBuilderFinished(rule);
 					}
@@ -519,6 +534,7 @@ public class RuleBuilder implements IAuthRuleBuilder {
 					return finished();
 				}
 
+
 				private Optional<RuleImplOp> findMatchingRule() {
 					return myRules.stream()
 						.filter(RuleImplOp.class::isInstance)

hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleImplOp.java

@@ -30,7 +30,9 @@ import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 import static org.apache.commons.lang3.StringUtils.defaultString;
 import static org.apache.commons.lang3.StringUtils.isNotBlank;
@@ -69,6 +71,7 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
 	private Collection<IIdType> myAppliesToInstances;
 	private boolean myAppliesToDeleteCascade;
 	private boolean myAppliesToDeleteExpunge;
+	private AdditionalCompartmentSearchParameters myAdditionalCompartmentSearchParamMap;
 
 	/**
 	 * Constructor
@@ -337,7 +340,12 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
 
 		for (IIdType next : myClassifierCompartmentOwners) {
 			if (target.resource != null) {
-				if (t.isSourceInCompartmentForTarget(myClassifierCompartmentName, target.resource, next)) {
+
+				Set<String> additionalSearchParamNames = null;
+				if (myAdditionalCompartmentSearchParamMap != null) {
+					additionalSearchParamNames = myAdditionalCompartmentSearchParamMap.getSearchParamNamesForResourceType(ctx.getResourceType(target.resource));
+				}
+				if (t.isSourceInCompartmentForTarget(myClassifierCompartmentName, target.resource, next, additionalSearchParamNames)) {
 					foundMatch = true;
 					break;
 				}
@@ -371,7 +379,17 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
 				RuntimeResourceDefinition sourceDef = theRequestDetails.getFhirContext().getResourceDefinition(target.resourceType);
 				String compartmentOwnerResourceType = next.getResourceType();
 				if (!StringUtils.equals(target.resourceType, compartmentOwnerResourceType)) {
+
 					List<RuntimeSearchParam> params = sourceDef.getSearchParamsForCompartmentName(compartmentOwnerResourceType);
+
+					Set<String> additionalParamNames = myAdditionalCompartmentSearchParamMap.getSearchParamNamesForResourceType(sourceDef.getName());
+					List<RuntimeSearchParam> additionalParams = additionalParamNames.stream().map(sourceDef::getSearchParam).filter(Objects::nonNull).collect(Collectors.toList());
+					if (params == null || params.isEmpty()) {
+						params = additionalParams;
+					} else {
+						params.addAll(additionalParams);
+					}
+
 					if (!params.isEmpty()) {
 
 						/*
@@ -681,4 +699,8 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
 				return false;
 		}
 	}
+
+	public void setAdditionalSearchParamsForCompartmentTypes(AdditionalCompartmentSearchParameters theAdditionalParameters) {
+		myAdditionalCompartmentSearchParamMap = theAdditionalParameters;
+	}
 }

hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptorR4Test.java

@@ -84,6 +84,8 @@ import java.util.concurrent.TimeUnit;
 import static org.apache.commons.lang3.StringUtils.isNotBlank;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.is;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
@@ -377,6 +379,160 @@ public class AuthorizationInterceptorR4Test {
 
 	}
 
+	@Test
+	public void testCustomCompartmentSpsOnMultipleInstances() throws Exception {
+		//Given
+		ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
+			@Override
+			public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
+				AdditionalCompartmentSearchParameters additionalCompartmentSearchParameters = new AdditionalCompartmentSearchParameters();
+				additionalCompartmentSearchParameters.addSearchParameters("Device:patient");
+				List<IdType> relatedIds = new ArrayList<>();
+				relatedIds.add(new IdType("Patient/123"));
+				relatedIds.add(new IdType("Patient/456"));
+				return new RuleBuilder()
+					.allow().read().allResources()
+					.inCompartmentWithAdditionalSearchParams("Patient", relatedIds, additionalCompartmentSearchParameters)
+					.andThen().denyAll()
+					.build();
+			}
+		});
+
+		HttpGet httpGet;
+		HttpResponse status;
+
+		Patient patient;
+		patient = new Patient();
+		patient.setId("Patient/123");
+		Device d = new Device();
+		d.getPatient().setResource(patient);
+
+		ourHitMethod = false;
+		ourReturn = Collections.singletonList(d);
+
+		//When
+		httpGet = new HttpGet("http://localhost:" + ourPort + "/Device/124456");
+		status = ourClient.execute(httpGet);
+		extractResponseAndClose(status);
+
+		//Then
+		assertTrue(ourHitMethod);
+		assertEquals(200, status.getStatusLine().getStatusCode());
+	}
+
+	@Test
+	public void testCustomSearchParamsDontOverPermit() throws Exception {
+		//Given
+		ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
+			@Override
+			public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
+				AdditionalCompartmentSearchParameters additionalCompartmentSearchParameters = new AdditionalCompartmentSearchParameters();
+				additionalCompartmentSearchParameters.addSearchParameters("Encounter:patient");
+				List<IdType> relatedIds = new ArrayList<>();
+				relatedIds.add(new IdType("Patient/123"));
+				return new RuleBuilder()
+					.allow().read().allResources()
+					.inCompartmentWithAdditionalSearchParams("Patient", relatedIds, additionalCompartmentSearchParameters)
+					.andThen().denyAll()
+					.build();
+			}
+		});
+
+		HttpGet httpGet;
+		HttpResponse status;
+
+		Patient patient;
+		patient = new Patient();
+		patient.setId("Patient/123");
+		Device d = new Device();
+		d.getPatient().setResource(patient);
+
+		ourHitMethod = false;
+		ourReturn = Collections.singletonList(d);
+
+		//When
+		httpGet = new HttpGet("http://localhost:" + ourPort + "/Device/124456");
+		status = ourClient.execute(httpGet);
+		extractResponseAndClose(status);
+
+		//then
+		assertFalse(ourHitMethod);
+		assertEquals(403, status.getStatusLine().getStatusCode());
+	}
+
+
+	@Test
+	public void testNonsenseParametersThrowAtRuntime() throws Exception {
+		//Given
+		ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
+			@Override
+			public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
+				AdditionalCompartmentSearchParameters additionalCompartmentSearchParameters = new AdditionalCompartmentSearchParameters();
+				additionalCompartmentSearchParameters.addSearchParameters("device:garbage");
+				List<IdType> relatedIds = new ArrayList<>();
+				relatedIds.add(new IdType("Patient/123"));
+				return new RuleBuilder()
+					.allow().read().allResources()
+					.inCompartmentWithAdditionalSearchParams("Patient", relatedIds, additionalCompartmentSearchParameters)
+					.andThen().denyAll()
+					.build();
+			}
+		});
+
+		HttpGet httpGet;
+		HttpResponse status;
+
+		Patient patient;
+		patient = new Patient();
+		patient.setId("Patient/123");
+		Device d = new Device();
+		d.getPatient().setResource(patient);
+
+		ourHitMethod = false;
+		ourReturn = Collections.singletonList(d);
+
+		//When
+		httpGet = new HttpGet("http://localhost:" + ourPort + "/Device/124456");
+		status = ourClient.execute(httpGet);
+		extractResponseAndClose(status);
+
+		//then
+		assertFalse(ourHitMethod);
+		assertEquals(403, status.getStatusLine().getStatusCode());
+	}
+
+	@Test
+	public void testRuleBuilderAdditionalSearchParamsInvalidValues() {
+		//Too many colons
+		try {
+			AdditionalCompartmentSearchParameters additionalCompartmentSearchParameters = new AdditionalCompartmentSearchParameters();
+			additionalCompartmentSearchParameters.addSearchParameters("too:many:colons");
+			new RuleBuilder()
+				.allow().read().allResources()
+				.inCompartmentWithAdditionalSearchParams("Patient", new IdType("Patient/123"), additionalCompartmentSearchParameters)
+				.andThen().denyAll()
+				.build();
+			fail();
+		} catch (IllegalArgumentException e) {
+			assertThat(e.getMessage(), is(equalTo("too:many:colons is not a valid search parameter. Search parameters must be in the form resourcetype:parametercode, e.g. 'Device:patient'")));
+		}
+
+
+		//No colons
+		try {
+			AdditionalCompartmentSearchParameters additionalCompartmentSearchParameters = new AdditionalCompartmentSearchParameters();
+			additionalCompartmentSearchParameters.addSearchParameters("no-colons");
+			new RuleBuilder()
+				.allow().read().allResources()
+				.inCompartmentWithAdditionalSearchParams("Patient", new IdType("Patient/123"), additionalCompartmentSearchParameters)
+				.andThen().denyAll()
+				.build();
+			fail();
+		} catch (IllegalArgumentException e) {
+			assertThat(e.getMessage(), is(equalTo("no-colons is not a valid search parameter. Search parameters must be in the form resourcetype:parametercode, e.g. 'Device:patient'")));
+		}
+	}
+
 	@Test
 	public void testAllowByCompartmentUsingUnqualifiedIds() throws Exception {
 		ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
@@ -437,6 +593,13 @@ public class AuthorizationInterceptorR4Test {
 		extractResponseAndClose(status);
 		assertEquals(403, status.getStatusLine().getStatusCode());
 		assertTrue(ourHitMethod);
+
+
+		patient = new Patient();
+		patient.setId("Patient/123");
+		carePlan = new CarePlan();
+		carePlan.setStatus(CarePlan.CarePlanStatus.ACTIVE);
+		carePlan.getSubject().setResource(patient);
 	}
 
 	/**
@@ -3619,6 +3782,30 @@ public class AuthorizationInterceptorR4Test {
 		}
 	}
 
+	public static class DummyDeviceResourceProvider implements IResourceProvider {
+
+		@Override
+		public Class<? extends IBaseResource> getResourceType() {
+			return Device.class;
+		}
+
+		@Read(version = true)
+		public Device read(@IdParam IdType theId) {
+			ourHitMethod = true;
+			if (ourReturn.isEmpty()) {
+				throw new ResourceNotFoundException(theId);
+			}
+			return (Device) ourReturn.get(0);
+		}
+		@Search()
+		public List<Resource> search(
+			@OptionalParam(name = "patient") ReferenceParam thePatient
+		) {
+			ourHitMethod = true;
+			return ourReturn;
+		}
+	}
+
 	@SuppressWarnings("unused")
 	public static class DummyObservationResourceProvider implements IResourceProvider {
 
@@ -3953,12 +4140,13 @@ public class AuthorizationInterceptorR4Test {
 		DummyEncounterResourceProvider encProv = new DummyEncounterResourceProvider();
 		DummyCarePlanResourceProvider cpProv = new DummyCarePlanResourceProvider();
 		DummyDiagnosticReportResourceProvider drProv = new DummyDiagnosticReportResourceProvider();
+		DummyDeviceResourceProvider devProv = new DummyDeviceResourceProvider();
 		PlainProvider plainProvider = new PlainProvider();
 
 		ServletHandler proxyHandler = new ServletHandler();
 		ourServlet = new RestfulServer(ourCtx);
 		ourServlet.setFhirContext(ourCtx);
-		ourServlet.registerProviders(patProvider, obsProv, encProv, cpProv, orgProv, drProv);
+		ourServlet.registerProviders(patProvider, obsProv, encProv, cpProv, orgProv, drProv, devProv);
 		ourServlet.registerProvider(new DummyServiceRequestResourceProvider());
 		ourServlet.registerProvider(new DummyConsentResourceProvider());
 		ourServlet.setPlainProviders(plainProvider);