
AuthorizationInterceptor deny() rule being mis-applied.

Open · XcrigX opened this issue 2 years ago · 1 comment

I'm running against a pretty recent fork of HAPI JPA server based on HAPI 6.0.1.

I'm trying to construct an AuthorizationInterceptor rule such as:

// Rules are applied in order; the first rule that yields a verdict wins.
List<IAuthRule> rules = new RuleBuilder()
    .deny().read().resourcesOfType("Group").withAnyId().andThen()
    .allow().read().allResources().inCompartment("Patient", resourceId) // resourceId: IIdType of the Patient
    .build();

Basically I want to allow Patient compartment reads, but want to explicitly deny some resources in the Patient compartment.

With the above rule in place, a request to /Patient fails. If I remove the deny rule, the search succeeds (there is a SearchNarrowingInterceptor in play also).

If I trace it, it eventually comes into RuleImplOp.applyRule() and it hits this switch case:

case SEARCH_TYPE:
  if (theFlags.contains(AuthorizationFlagsEnum.DO_NOT_PROACTIVELY_BLOCK_COMPARTMENT_READ_ACCESS)) {
    return newVerdict(theOperation, theRequestDetails, theInputResource, theInputResourceId, theOutputResource);
  }
  target.resourceType = theRequestDetails.getResourceName();
  target.setSearchParams(theRequestDetails);

  /*
   * If this is a search with an "_id" parameter, we can treat this
   * as a read for the given resource ID(s)
   */
  if (theRequestDetails.getParameters().containsKey(SP_RES_ID)) {
    setTargetFromResourceId(theRequestDetails, ctx, target);
  }
  break;

The DO_NOT_PROACTIVELY_BLOCK_COMPARTMENT_READ_ACCESS flag is present, and theOutputResource is null, so it renders a verdict without checking which resource the request is against and falls through to a default DENY decision.

I'll try to submit a proper test case, but it will take some time to get the core project set up to wade into it. I thought I'd post the error beforehand in case this is a known thing, or I'm doing something obviously wrong. If anything stands out, please let me know. I'll update here if I'm able to create a test case. Thanks.

XcrigX, Aug 01 '22 22:08
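A constructed Python model of the rule-ordering behaviour described in the report above (added here as an illustration; it is not HAPI FHIR code, and Rule, SearchRequest, apply_rule and evaluate are hypothetical names). It reproduces the deny rule producing a verdict on a /Patient search when the flag is set, and contrasts that with the verdict a resource-type comparison before the short-circuit would give.

```python
# Simplified model of the rule evaluation described in the issue. This is
# constructed illustration code, not HAPI FHIR's AuthorizationInterceptor:
# Rule, SearchRequest, apply_rule and evaluate are hypothetical names.
from dataclasses import dataclass
from typing import Optional

DO_NOT_PROACTIVELY_BLOCK = "DO_NOT_PROACTIVELY_BLOCK_COMPARTMENT_READ_ACCESS"

@dataclass
class Rule:
    verdict: str                  # "ALLOW" or "DENY"
    resource_type: Optional[str]  # None models allResources(); "Group" models resourcesOfType("Group")

@dataclass
class SearchRequest:
    resource_name: str            # "Patient" for GET /Patient

# The rule chain from the issue, in the order RuleBuilder emits it.
# Compartment membership is not modelled: under the flag it is checked
# against the returned resources rather than against the search itself.
RULES = [
    Rule("DENY", "Group"),   # deny().read().resourcesOfType("Group").withAnyId()
    Rule("ALLOW", None),     # allow().read().allResources().inCompartment("Patient", id)
]

def apply_rule(rule: Rule, req: SearchRequest, flags: set, check_type: bool) -> Optional[str]:
    """Return the rule's verdict if it applies to the search, else None."""
    if DO_NOT_PROACTIVELY_BLOCK in flags and not check_type:
        # Mirrors the SEARCH_TYPE short-circuit quoted in the issue: a verdict
        # is rendered before the target resource type has been compared.
        return rule.verdict
    if rule.resource_type is not None and rule.resource_type != req.resource_name:
        return None  # rule is scoped to another resource type; skip it
    return rule.verdict

def evaluate(rules, req, flags, check_type=False) -> str:
    """First rule that yields a verdict wins; no matching rule means DENY."""
    for rule in rules:
        verdict = apply_rule(rule, req, flags, check_type)
        if verdict is not None:
            return verdict
    return "DENY"

FLAGS = {DO_NOT_PROACTIVELY_BLOCK}

if __name__ == "__main__":
    print("GET /Patient, as reported:      ", evaluate(RULES, SearchRequest("Patient"), FLAGS))
    print("GET /Patient, deny rule removed:", evaluate(RULES[1:], SearchRequest("Patient"), FLAGS))
    print("GET /Patient, type checked:     ", evaluate(RULES, SearchRequest("Patient"), FLAGS, check_type=True))
    print("GET /Group, type checked:       ", evaluate(RULES, SearchRequest("Group"), FLAGS, check_type=True))
```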

I created a unit test which reproduces the issue in my fork here: https://github.com/XcrigX/hapi-fhir/tree/3866_auth_deny_no_proactive_block_issue

I wasn't certain whether I should create a PR for it, since I just have a unit test and not a fix. Please advise.

XcrigX, Aug 02 '22 21:08