Skip to content

Feature - Permit Bulk Export on Compartment by FHIR Query #7310

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 26 commits into
base: rel_8_6
Choose a base branch
from
Open

Feature - Permit Bulk Export on Compartment by FHIR Query #7310

wants to merge 26 commits into from

Conversation

@jdar8
Copy link
Collaborator

@jdar8 jdar8 commented Oct 17, 2025
edited
Loading

What was done:

  • Add new AuthResourceResolver
  • Add 2 new rules to support these permissions. They need to match resources/compartments based on a FHIR query (see cases in issue comments)
    • These rules use a new AuthResourceResolver service to query the DB to apply SearchParameter matching using an InMemoryResourceMatcher
  • Add new logic to rule builder, to allow building these new rules
  • Tests and changelog

Closes #7342

@jdar8 jdar8 requested a review from jamesagnew as a code owner October 17, 2025 18:10
@robogary
Copy link
Contributor

robogary commented Oct 17, 2025
edited
Loading

Formatting check succeeded!

@jdar8 jdar8 changed the title draft implementation - no support for typefilter yet Feature - Permit Bulk Export on Compartment by FHIR Query Oct 28, 2025
@jdar8 jdar8 changed the base branch from master to rel_8_6 October 29, 2025 20:10
@codecov
Copy link

codecov bot commented Oct 29, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (rel_8_6@ce8d22d). Learn more about missing BASE report.

Additional details and impacted files 
@@            Coverage Diff             @@
##             rel_8_6    #7310   +/-   ##
==========================================
  Coverage           ?   83.78%           
  Complexity         ?    30207           
==========================================
  Files              ?     1836           
  Lines              ?   116708           
  Branches           ?    14811           
==========================================
  Hits               ?    97786           
  Misses             ?    12617           
  Partials           ?     6305

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

TipzCM
TipzCM approved these changes Oct 30, 2025
View reviewed changes
tadgh
tadgh approved these changes Oct 31, 2025
View reviewed changes
Revert "spotless"
17ed1ad 
This reverts commit 31d143c.
jamesagnew
jamesagnew reviewed Nov 3, 2025
View reviewed changes
...fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthRuleBuilderRule.java
*
* @since 8.6.0
*/
IAuthRuleBuilderRuleGroupMatcherBulkExport bulkExportGroupCompartmentMatcher();
Copy link
Collaborator

@jamesagnew jamesagnew Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't love the names of these new methods - All of the existing methods in this interface are verbs (update(), patch(), bulkExport(), etc) that read fluently, but these new ones break that pattern with a really cryptic noun instead.

Do we need these new interfaces and methods at all? E.g. could we move the new functionality into IAuthRuleBuilderRuleBulkExport so that instead of needing to add rule:

builder.allow().bulkExportGroupCompartmentMatcher().groupExportOnGroup("?" + theCompartmentMatcherFilter).withResourceTypes(resourceTypes);

could we just allow a syntax like:

```java
builder.allow().bulkExport().groupExportOnFilter("?" + theCompartmentMatcherFilter).withResourceTypes(resourceTypes);

This would make the API a lot cleaner, and make the new features more discoverable since we wouldn't have 3 top level methods about the same operation.

jamesagnew
jamesagnew reviewed Nov 3, 2025
View reviewed changes
hapi-fhir-jpaserver-base/src/main/java/ca/uhn/fhir/jpa/interceptor/AuthResourceResolver.java
* Small service class to inject DB access into an interceptor
* For example, used in bulk export security to allow querying for resource to match against permission argument filters
*/
public class AuthResourceResolver implements IAuthResourceResolver {
Copy link
Collaborator

@jamesagnew jamesagnew Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes me nervous. I get the design, but it's breaking the well-established pattern we have that auth interceptor doesn't resolve anything, it just looks at the data it's passed and makes a decision.

Instead of creating a loading infrastructure, could we add a new parameter object to STORAGE_PRE_INITIATE_BULK_EXPORT so that BulkExportJobService could handle loading the Group and pass it to AuthInterceptor as a part of the interceptor request? That way AuthInterceptor could look at it and make its decisions without needing to know how to fetch anything

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tadgh tadgh tadgh approved these changes

@jamesagnew jamesagnew jamesagnew left review comments

@TipzCM TipzCM TipzCM approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Enhance RuleBuilder code to support compartment matching by FHIR query

6 participants

@jdar8 @robogary @tadgh @jamesagnew @TipzCM