AuthorizationInterceptor no longer works on response of $document operation

[gijsbert802]

Describe the bug
Starting with HAPI 7.4.0, the AuthorizationInterceptor seem to apply it's rules to the Bundle resource created by a $document operation instead of the resources contained in the response Bundle.
I believe this may be a regression caused by Fix authorization handling for Bundle resources in the output #5953 (@codeforgreen)

I don't quite understand how it works, but AuthorizationInterceptor#shouldExamineBundleChildResources now returns false when the resource is not an instance of IBaseParameters or IBaseBundle. Previously, it returned true in the case of a $document operation on Composition.

To Reproduce
I use these rules:

ruleBuilder
  .allow().operation().named("\$document").onInstance(resourceIdType).andRequireExplicitResponseAuthorization().andThen()
  .allow().read().instance(resourceIdType)
  .build()

Expected behavior
I expect the rules to be applied to the resources contained in the response Bundle, not to the Bundle itself.

Environment (please complete the following information):

• HAPI FHIR Version 7.4.0

[jamesagnew]

If you specify andRequireExplicitResponseAuthorization then you need to also provide rules that would actually allow the user to see the individual resources in the document. So, in the case of the rules you listed, unless the response bundle only contains the one single resource identified by resourceIdType, I'd expect a failure.

[gijsbert802]

Yes I add these rules for the Composition resource and for all resources referenced from that Composition. Sorry if that wasn't clear from the description.

[jamesagnew]

Could you create a unit test on AuthorizationInterceptorR4Test with a minimal data set which demonstrates your issue?

[gijsbert802]

I'm trying to reproduce it in a unit test, but it behaves slightly different. In the test theResponseObject in the interceptor is the Bundle, while if I debug my own app it's the Composition.
The only difference I see so far is it's invoked from another pointcut (SERVER_OUTGOING_RESPONSE in the unit test, STORAGE_PRESHOW_RESOURCES in my app).

I'll do some more digging next week.

[gijsbert802]

If I understand correctly, the STORAGE_PRESHOW_RESOURCES is only triggered from the JPA server. I don't know how to replicate that in the unit test.
Here's the unit test in AuthorizationInterceptorR4Test: 6258-AuthorizationInterceptor-no-longer-works-on-response-of-%24document-operation

[jamesagnew]

Ah ok - you may need to implement this in AuthorizationInterceptorJpaR4Test instead then

[gijsbert802]

Ah yes, of course. I updated my branch: master...gijsbert802:hapi-fhir:6258-AuthorizationInterceptor-no-longer-works-on-response-of-$document-operation

This test passes on v7.2.x, but fails on v7.4.x and on master.

[jamesagnew]

That's a great test, short and to the point!

Will give it a try.