001/*
002 * #%L
003 * HAPI FHIR - Server Framework
004 * %%
005 * Copyright (C) 2014 - 2025 Smile CDR, Inc.
006 * %%
007 * Licensed under the Apache License, Version 2.0 (the "License");
008 * you may not use this file except in compliance with the License.
009 * You may obtain a copy of the License at
010 *
011 *      http://www.apache.org/licenses/LICENSE-2.0
012 *
013 * Unless required by applicable law or agreed to in writing, software
014 * distributed under the License is distributed on an "AS IS" BASIS,
015 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
016 * See the License for the specific language governing permissions and
017 * limitations under the License.
018 * #L%
019 */
020package ca.uhn.fhir.rest.server.interceptor.auth;
021
022import ca.uhn.fhir.interceptor.auth.CompartmentSearchParameterModifications;
023import jakarta.annotation.Nonnull;
024import org.hl7.fhir.instance.model.api.IIdType;
025
026import java.util.Collection;
027
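/**
 * Builder step that selects which resource instances an authorization rule applies to:
 * every instance, the members of a compartment, instances matched by a ValueSet, or
 * instances matched by a filter.
 * <p>
 * Each method here decides how wide a rule is, so the arguments should be server-controlled
 * values (for example, IDs taken from the authenticated caller's identity) rather than values
 * copied from the incoming request.
 * </p>
 */
public interface IAuthRuleBuilderRuleOpClassifier {

    /**
     * Rule applies to resources in the given compartment.
     * <p>
     * For example, to apply the rule to any observations in the patient compartment
     * belonging to patient "123", you would invoke this with<br>
     * {@code inCompartment("Patient", new IdType("Patient", "123"))}
     * </p>
     * <p>
     * This call completes the rule and adds the rule to the chain.
     * </p>
     *
     * @param theCompartmentName The name of the compartment (must not be null or blank)
     * @param theOwner The owner of the compartment. Note that both the resource type and ID must be populated in this ID.
     */
    IAuthRuleBuilderRuleOpClassifierFinished inCompartment(String theCompartmentName, IIdType theOwner);

    /**
     * Rule applies to resources in the given compartment, with the compartment definition
     * adjusted by the supplied modifications.
     * <p>
     * For example, to apply the rule to any observations in the patient compartment
     * belonging to patient "123", you would invoke this with<br>
     * {@code inCompartment("Patient", new IdType("Patient", "123"))}
     * </p>
     * <p>
     * This call also allows you to pass additional search parameters that count as being included
     * in the given compartment. For example, if you select a compartment name of "patient", you
     * could pass modifications that add the "patient" search parameter of the "device" resource
     * type, which would cause any devices belonging to the patient to be permitted by the
     * authorization rule.
     * </p>
     * <p>
     * Every search parameter added this way widens the set of resources the rule matches, so add
     * only parameters that reference the compartment owner and review each addition as you would
     * a new grant.
     * </p>
     * <p>
     * This call completes the rule and adds the rule to the chain.
     * </p>
     *
     * @param theCompartmentName The name of the compartment (must not be null or blank)
     * @param theOwner The owner of the compartment. Note that both the resource type and ID must be populated in this ID.
     * @param theModifications A {@link CompartmentSearchParameterModifications} describing the additional resource types and search parameters which count as being in the compartment.
     */
    IAuthRuleBuilderRuleOpClassifierFinished inModifiedCompartment(
            String theCompartmentName, IIdType theOwner, CompartmentSearchParameterModifications theModifications);

    /**
     * Rule applies to resources in the given compartment of any of the given owners.
     * <p>
     * For example, to apply the rule to any observations in the patient compartment
     * belonging to patient "123", you would invoke this with a collection containing<br>
     * {@code new IdType("Patient", "123")}
     * </p>
     * <p>
     * This call completes the rule and adds the rule to the chain.
     * </p>
     * <p>
     * NOTE(review): how an empty collection is treated (no match or an error) is not stated on
     * this interface; confirm against the implementation before building the collection
     * dynamically.
     * </p>
     *
     * @param theCompartmentName The name of the compartment (must not be null or blank)
     * @param theOwners The owners of the compartment. Note that both the resource type and ID must be populated in these IDs.
     */
    IAuthRuleBuilderRuleOpClassifierFinished inCompartment(
            String theCompartmentName, Collection<? extends IIdType> theOwners);

    /**
     * Rule applies to resources in the given compartment of any of the given owners, with the
     * compartment definition adjusted by the supplied modifications.
     * <p>
     * For example, to apply the rule to any observations in the patient compartment
     * belonging to patient "123", you would invoke this with a collection containing<br>
     * {@code new IdType("Patient", "123")}
     * </p>
     * <p>
     * This call also allows you to pass special case handling adding (or omitting) search
     * parameters that count as being included in the given compartment. For example, if you
     * select a compartment name of "patient", you could pass modifications that add the "patient"
     * search parameter of the "device" resource type, which would cause any devices belonging to
     * the patient to be permitted by the authorization rule.
     * </p>
     * <p>
     * Additions widen what the rule matches and omissions narrow it; review both, since either
     * one changes the effective access boundary of the rule.
     * </p>
     * <p>
     * This call completes the rule and adds the rule to the chain.
     * </p>
     *
     * @param theCompartmentName The name of the compartment (must not be null or blank)
     * @param theOwners The owners of the compartment. Note that both the resource type and ID must be populated in these IDs.
     * @param theModifications A {@link CompartmentSearchParameterModifications} which allows you to expand (or limit) the search space for what is considered "in" the compartment.
     */
    IAuthRuleBuilderRuleOpClassifierFinished inModifiedCompartment(
            String theCompartmentName,
            Collection<? extends IIdType> theOwners,
            CompartmentSearchParameterModifications theModifications);

    /**
     * Rule applies to any resource instances.
     * <p>
     * This is the widest classifier on this interface: it places no instance-level restriction
     * on the rule.
     * </p>
     * <p>
     * This call completes the rule and adds the rule to the chain.
     * </p>
     */
    IAuthRuleBuilderRuleOpClassifierFinished withAnyId();

    /**
     * Rule applies to resources where the given search parameter would be satisfied by a code in the given ValueSet.
     *
     * @param theSearchParameterName The search parameter name, e.g. {@code "code"}
     * @param theValueSetUrl The valueset URL, e.g. {@code "http://my-value-set"}
     * @since 6.0.0
     */
    IAuthRuleBuilderRuleOpClassifierFinished withCodeInValueSet(
            @Nonnull String theSearchParameterName, @Nonnull String theValueSetUrl);

    /**
     * Rule applies to resources where the given search parameter would be satisfied by a code not in the given ValueSet.
     *
     * @param theSearchParameterName The search parameter name, e.g. {@code "code"}
     * @param theValueSetUrl The valueset URL, e.g. {@code "http://my-value-set"}
     * @since 6.0.0
     */
    IAuthRuleFinished withCodeNotInValueSet(@Nonnull String theSearchParameterName, @Nonnull String theValueSetUrl);

    /**
     * Rule applies to resources in the given compartment that also satisfy the given filter.
     * <p>
     * NOTE(review): the filter syntax is not documented on this interface; presumably it is a
     * FHIR search-style expression, confirm against the implementation. The filter becomes part
     * of the authorization decision, so build it from constants or server-side values and do not
     * concatenate request-supplied text into it.
     * </p>
     *
     * @param theCompartment The name of the compartment
     * @param theIdElement The owner of the compartment
     * @param theFilter The filter expression that resources must additionally match
     */
    IAuthRuleFinished inCompartmentWithFilter(String theCompartment, IIdType theIdElement, String theFilter);

    /**
     * Rule applies to resources that satisfy the given filter.
     * <p>
     * NOTE(review): the filter syntax is not documented on this interface; presumably it is a
     * FHIR search-style expression, confirm against the implementation. The filter becomes part
     * of the authorization decision, so build it from constants or server-side values and do not
     * concatenate request-supplied text into it.
     * </p>
     *
     * @param theFilter The filter expression that resources must match
     */
    IAuthRuleFinished withFilter(String theFilter);
}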