Merge pull request #806 from honestica/quickfix-imcompartment

fix inCompartment for a collection of owners
2018-03-19 06:16:12 -04:00 · 2018-03-19 06:16:12 -04:00 · e9ee87210a
parent 6e2acd0689 1f88823e8b
commit e9ee87210a
3 changed files with 121 additions and 0 deletions
--- a/hapi-fhir-jpaserver-base/src/test/java/ca/uhn/fhir/jpa/provider/dstu3/AuthorizationInterceptorResourceProviderDstu3Test.java
+++ b/hapi-fhir-jpaserver-base/src/test/java/ca/uhn/fhir/jpa/provider/dstu3/AuthorizationInterceptorResourceProviderDstu3Test.java
@ -20,6 +20,7 @@ import org.hl7.fhir.dstu3.model.IdType;
 import org.hl7.fhir.dstu3.model.Observation;
 import org.hl7.fhir.dstu3.model.Observation.ObservationStatus;
 import org.hl7.fhir.dstu3.model.Patient;
+import org.hl7.fhir.dstu3.model.Practitioner;
 import org.hl7.fhir.dstu3.model.Reference;
 import org.hl7.fhir.instance.model.api.IIdType;
 import org.junit.AfterClass;
@ -27,6 +28,7 @@ import org.junit.Test;

 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;

 import static org.hamcrest.Matchers.startsWith;
@ -41,6 +43,64 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
 		unregisterInterceptors();
 	}

+	/**
+	 * See #778
+	 */
+	@Test
+	public void testReadingObservationAccessRight() throws IOException {
+		Practitioner practitioner1 = new Practitioner();
+		final IIdType practitionerId1 = ourClient.create().resource(practitioner1).execute().getId().toUnqualifiedVersionless();
+
+		Practitioner practitioner2 = new Practitioner();
+		final IIdType practitionerId2 = ourClient.create().resource(practitioner2).execute().getId().toUnqualifiedVersionless();
+
+		Patient patient = new Patient();
+		patient.setActive(true);
+		final IIdType patientId = ourClient.create().resource(patient).execute().getId().toUnqualifiedVersionless();
+
+		ourRestServer.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
+			@Override
+			public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
+				// allow write all Observation resource
+				// allow read only Observation resource in which it has a practitioner1 or practitioner2 compartment
+				return new RuleBuilder().allow()
+					.write()
+					.resourcesOfType(Observation.class)
+					.withAnyId()
+					.andThen()
+					.allow()
+					.read()
+					.resourcesOfType(Observation.class)
+					.inCompartment("Practitioner", Arrays.asList(practitionerId1, practitionerId2))
+					.andThen()
+					.denyAll()
+					.build();
+			}
+		});
+
+		Observation obs1 = new Observation();
+		obs1.setStatus(ObservationStatus.FINAL);
+		obs1.setPerformer(
+			Arrays.asList(new Reference(practitionerId1), new Reference(practitionerId2)));
+		IIdType oid1 = ourClient.create().resource(obs1).execute().getId().toUnqualified();
+
+		// Observation with practitioner1 and practitioner1 as the Performer -> should have the read access
+		ourClient.read().resource(Observation.class).withId(oid1).execute();
+
+		Observation obs2 = new Observation();
+		obs2.setStatus(ObservationStatus.FINAL);
+		obs2.setSubject(new Reference(patientId));
+		IIdType oid2 = ourClient.create().resource(obs2).execute().getId().toUnqualified();
+
+		// Observation with patient as the subject -> read access should be blocked
+		try {
+			ourClient.read().resource(Observation.class).withId(oid2).execute();
+			fail();
+		} catch (ForbiddenOperationException e) {
+			// good
+		}
+	}
+
 	/**
 	 * See #667
 	 */
--- a/hapi-fhir-jpaserver-base/src/test/java/ca/uhn/fhir/jpa/provider/r4/AuthorizationInterceptorResourceProviderR4Test.java
+++ b/hapi-fhir-jpaserver-base/src/test/java/ca/uhn/fhir/jpa/provider/r4/AuthorizationInterceptorResourceProviderR4Test.java
@ -25,6 +25,7 @@ import org.junit.Test;

 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;

 import static org.hamcrest.Matchers.startsWith;
@ -39,6 +40,64 @@ public class AuthorizationInterceptorResourceProviderR4Test extends BaseResource
 		unregisterInterceptors();
 	}

+	/**
+	 * See #778
+	 */
+	@Test
+	public void testReadingObservationAccessRight() throws IOException {
+		Practitioner practitioner1 = new Practitioner();
+		final IIdType practitionerId1 = myClient.create().resource(practitioner1).execute().getId().toUnqualifiedVersionless();
+
+		Practitioner practitioner2 = new Practitioner();
+		final IIdType practitionerId2 = myClient.create().resource(practitioner2).execute().getId().toUnqualifiedVersionless();
+
+		Patient patient = new Patient();
+		patient.setActive(true);
+		final IIdType patientId = myClient.create().resource(patient).execute().getId().toUnqualifiedVersionless();
+
+		ourRestServer.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
+			@Override
+			public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
+				// allow write all Observation resource
+				// allow read only Observation resource in which it has a practitioner1 or practitioner2 compartment
+				return new RuleBuilder().allow()
+					.write()
+					.resourcesOfType(Observation.class)
+					.withAnyId()
+					.andThen()
+					.allow()
+					.read()
+					.resourcesOfType(Observation.class)
+					.inCompartment("Practitioner", Arrays.asList(practitionerId1, practitionerId2))
+					.andThen()
+					.denyAll()
+					.build();
+			}
+		});
+
+		Observation obs1 = new Observation();
+		obs1.setStatus(ObservationStatus.FINAL);
+		obs1.setPerformer(
+			Arrays.asList(new Reference(practitionerId1), new Reference(practitionerId2)));
+		IIdType oid1 = myClient.create().resource(obs1).execute().getId().toUnqualified();
+
+		// Observation with practitioner1 and practitioner1 as the Performer -> should have the read access
+		myClient.read().resource(Observation.class).withId(oid1).execute();
+
+		Observation obs2 = new Observation();
+		obs2.setStatus(ObservationStatus.FINAL);
+		obs2.setSubject(new Reference(patientId));
+		IIdType oid2 = myClient.create().resource(obs2).execute().getId().toUnqualified();
+
+		// Observation with patient as the subject -> read access should be blocked
+		try {
+			myClient.read().resource(Observation.class).withId(oid2).execute();
+			fail();
+		} catch (ForbiddenOperationException e) {
+			// good
+		}
+	}
+
 	/**
 	 * See #667
 	 */
--- a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBuilder.java
+++ b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBuilder.java
@ -362,6 +362,8 @@ public class RuleBuilder implements IAuthRuleBuilder {
 					for (IIdType next : theOwners) {
 						validateOwner(next);
 					}
+					myInCompartmentName = theCompartmentName;
+					myInCompartmentOwners = theOwners;
 					myClassifierType = ClassifierTypeEnum.IN_COMPARTMENT;
 					return finished();
 				}