3400 bulk export rules incorrectly applied to group and patient exports

hapi-fhir-docs/src/main/resources/ca/uhn/hapi/fhir/changelog/6_0_0/3400-bulk-export-rules-incorrectly-applied-to-group-and-patient-exports.yml

@@ -0,0 +1,4 @@
+---
+type: fix
+issue: 3400
+title: "User was permitted to bulk export all groups/patients when they were unauthorized. This issue has been fixed."

hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBulkExportImpl.java

@@ -80,6 +80,8 @@ public AuthorizationInterceptor.Verdict applyRule(RestOperationTypeEnum theOpera
 			String actualGroupId = options.getGroupId().toUnqualifiedVersionless().getValue();
 			if (Objects.equals(expectedGroupId, actualGroupId)) {
 				return newVerdict(theOperation, theRequestDetails, theInputResource, theInputResourceId, theOutputResource);
+			} else {
+				return new AuthorizationInterceptor.Verdict(PolicyEnum.DENY,this);
 			}
 		}
 

hapi-fhir-server/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBulkExportImplTest.java

@@ -1,6 +1,7 @@
 package ca.uhn.fhir.rest.server.interceptor.auth;
 
 import ca.uhn.fhir.interceptor.api.Pointcut;
+import ca.uhn.fhir.model.primitive.IdDt;
 import ca.uhn.fhir.rest.api.RestOperationTypeEnum;
 import ca.uhn.fhir.rest.api.server.RequestDetails;
 import ca.uhn.fhir.rest.api.server.bulk.BulkDataExportOptions;
@@ -19,7 +20,8 @@
 
 @ExtendWith(MockitoExtension.class)
 public class RuleBulkExportImplTest {
-
+	private RestOperationTypeEnum myOperation = RestOperationTypeEnum.EXTENDED_OPERATION_SERVER;
+	private Pointcut myPointcut = Pointcut.STORAGE_INITIATE_BULK_EXPORT;
 	@Mock
 	private RequestDetails myRequestDetails;
 	@Mock
@@ -30,8 +32,6 @@ public class RuleBulkExportImplTest {
 	@Test
 	public void testDenyBulkRequestWithInvalidResourcesTypes() {
 		RuleBulkExportImpl myRule = new RuleBulkExportImpl("a");
-		RestOperationTypeEnum myOperation = RestOperationTypeEnum.EXTENDED_OPERATION_SERVER;
-		Pointcut myPointcut = Pointcut.STORAGE_INITIATE_BULK_EXPORT;
 
 		Set<String> myTypes = new HashSet<>();
 		myTypes.add("Patient");
@@ -43,6 +43,7 @@ public void testDenyBulkRequestWithInvalidResourcesTypes() {
 
 		BulkDataExportOptions options = new BulkDataExportOptions();
 		options.setResourceTypes(myWantTypes);
+
 		when(myRequestDetails.getAttribute(any())).thenReturn(options);
 
 		AuthorizationInterceptor.Verdict verdict = myRule.applyRule(myOperation, myRequestDetails, null, null, null, myRuleApplier, myFlags, myPointcut);
@@ -52,8 +53,6 @@ public void testDenyBulkRequestWithInvalidResourcesTypes() {
 	@Test
 	public void testBulkRequestWithValidResourcesTypes() {
 		RuleBulkExportImpl myRule = new RuleBulkExportImpl("a");
-		RestOperationTypeEnum myOperation = RestOperationTypeEnum.EXTENDED_OPERATION_SERVER;
-		Pointcut myPointcut = Pointcut.STORAGE_INITIATE_BULK_EXPORT;
 
 		Set<String> myTypes = new HashSet<>();
 		myTypes.add("Patient");
@@ -66,10 +65,43 @@ public void testBulkRequestWithValidResourcesTypes() {
 
 		BulkDataExportOptions options = new BulkDataExportOptions();
 		options.setResourceTypes(myWantTypes);
+
 		when(myRequestDetails.getAttribute(any())).thenReturn(options);
 
 		AuthorizationInterceptor.Verdict verdict = myRule.applyRule(myOperation, myRequestDetails, null, null, null, myRuleApplier, myFlags, myPointcut);
 		assertNull(verdict);
 	}
 
-}
+	@Test
+	public void testDenyBulkRequestWithInvalidGroupId() {
+		RuleBulkExportImpl myRule = new RuleBulkExportImpl("a");
+		myRule.setAppliesToGroupExportOnGroup("invalid group");
+		myRule.setMode(PolicyEnum.ALLOW);
+
+		BulkDataExportOptions options = new BulkDataExportOptions();
+		options.setExportStyle(BulkDataExportOptions.ExportStyle.GROUP);
+		options.setGroupId(new IdDt("Group/123"));
+
+		when(myRequestDetails.getAttribute(any())).thenReturn(options);
+
+		AuthorizationInterceptor.Verdict verdict = myRule.applyRule(myOperation, myRequestDetails, null, null, null, myRuleApplier, myFlags, myPointcut);
+		assertEquals(PolicyEnum.DENY, verdict.getDecision());
+	}
+
+	@Test
+	public void testAllowBulkRequestWithValidGroupId() {
+		RuleBulkExportImpl myRule = new RuleBulkExportImpl("a");
+		myRule.setAppliesToGroupExportOnGroup("Group/1");
+		myRule.setMode(PolicyEnum.ALLOW);
+
+		BulkDataExportOptions options = new BulkDataExportOptions();
+		options.setExportStyle(BulkDataExportOptions.ExportStyle.GROUP);
+		options.setGroupId(new IdDt("Group/1"));
+
+		when(myRequestDetails.getAttribute(any())).thenReturn(options);
+
+		AuthorizationInterceptor.Verdict verdict = myRule.applyRule(myOperation, myRequestDetails, null, null, null, myRuleApplier, myFlags, myPointcut);
+		assertEquals(PolicyEnum.ALLOW, verdict.getDecision());
+	}
+
+}

hapi-fhir-storage/src/main/java/ca/uhn/fhir/jpa/bulk/export/provider/BulkDataExportProvider.java

@@ -128,7 +128,7 @@ public void groupExport(
 		validatePreferAsyncHeader(theRequestDetails);
 		BulkDataExportOptions bulkDataExportOptions = buildGroupBulkExportOptions(theOutputFormat, theType, theSince, theTypeFilter, theIdParam, theMdm);
 		validateResourceTypesAllContainPatientSearchParams(bulkDataExportOptions.getResourceTypes());
-		IBulkDataExportSvc.JobInfo outcome = myBulkDataExportSvc.submitJob(bulkDataExportOptions, shouldUseCache(theRequestDetails), null);
+		IBulkDataExportSvc.JobInfo outcome = myBulkDataExportSvc.submitJob(bulkDataExportOptions, shouldUseCache(theRequestDetails), theRequestDetails);
 		writePollingLocationToResponseHeaders(theRequestDetails, outcome);
 	}
 
@@ -158,7 +158,7 @@ public void patientExport(
 		validatePreferAsyncHeader(theRequestDetails);
 		BulkDataExportOptions bulkDataExportOptions = buildPatientBulkExportOptions(theOutputFormat, theType, theSince, theTypeFilter);
 		validateResourceTypesAllContainPatientSearchParams(bulkDataExportOptions.getResourceTypes());
-		IBulkDataExportSvc.JobInfo outcome = myBulkDataExportSvc.submitJob(bulkDataExportOptions, shouldUseCache(theRequestDetails), null);
+		IBulkDataExportSvc.JobInfo outcome = myBulkDataExportSvc.submitJob(bulkDataExportOptions, shouldUseCache(theRequestDetails), theRequestDetails);
 		writePollingLocationToResponseHeaders(theRequestDetails, outcome);
 	}