Fix _security label filtering with :not operator in the in-memory matcher

hapi-fhir-docs/src/main/resources/ca/uhn/hapi/fhir/changelog/7_8_0/6692-fix-security-label-filtering-with-not-operator.yaml

@@ -0,0 +1,7 @@
+---
+type: fix
+issue: 6692
+jira: SMILE-9736
+title: "Previously, when the in-memory matcher was used to match resources with a `_security` label filter 
+and a `:not` operator (i.e. `_security:not=http://terminology.hl7.org/CodeSystem/v3-ActCode|NODSCLCD`), 
+resources with no security labels at all were not matched. This has been fixed."

hapi-fhir-jpaserver-searchparam/src/main/java/ca/uhn/fhir/jpa/searchparam/matcher/InMemoryResourceMatcher.java

@@ -72,6 +72,7 @@
 import java.util.stream.Collectors;
 
 import static ca.uhn.fhir.jpa.searchparam.extractor.ResourceIndexedSearchParams.isMatchSearchParam;
+import static org.apache.commons.lang3.ObjectUtils.isEmpty;
 import static org.apache.commons.lang3.StringUtils.isBlank;
 import static org.apache.commons.lang3.StringUtils.isNotBlank;
 
@@ -438,6 +439,10 @@ private boolean matchTagOrSecurity(IQueryParameterType theParam, IBaseResource t
 		}
 
 		if (param.getModifier() == TokenParamModifier.NOT) {
+			// :not filters for security labels / tags should always match resources with no security labels / tags
+			if (isEmpty(list)) {
+				return true;
+			}
 			haveMatch = !haveMatch;
 		}
 

hapi-fhir-jpaserver-searchparam/src/test/java/ca/uhn/fhir/jpa/searchparam/matcher/InMemoryResourceMatcherR5Test.java

@@ -21,6 +21,7 @@
 import ca.uhn.fhir.rest.server.util.ISearchParamRegistry;
 import jakarta.annotation.Nonnull;
 import org.hl7.fhir.r5.model.BaseDateTimeType;
+import org.hl7.fhir.r5.model.Bundle;
 import org.hl7.fhir.r5.model.CodeableConcept;
 import org.hl7.fhir.r5.model.Coding;
 import org.hl7.fhir.r5.model.DateTimeType;
@@ -68,6 +69,9 @@ public class InMemoryResourceMatcherR5Test {
 	private static final String REQUEST_ID = "a_request_id";
 	private static final String TEST_SOURCE = SOURCE_URI + "#" + REQUEST_ID;
 
+	public static final String SECURITY_LABEL_SYSTEM = "http://terminology.hl7.org/CodeSystem/v3-ActCode";
+	public static final String SECURITY_LABEL_CODE = "NODSCLCD";
+
 	@MockBean
 	ISearchParamRegistry mySearchParamRegistry;
 	@MockBean
@@ -327,6 +331,42 @@ public void testNowPast() {
 		assertTrue(result.matched());
 	}
 
+	@Test
+	public void testNotSecurityFilter_onBundleWithDisallowedSecurityTag_isNotMatched() {
+		String filter = "_security:not=%s|%s".formatted(SECURITY_LABEL_SYSTEM, SECURITY_LABEL_CODE);
+
+		Bundle bundle = new Bundle();
+		bundle.getMeta().addSecurity().setSystem(SECURITY_LABEL_SYSTEM).setCode(SECURITY_LABEL_CODE);
+
+		InMemoryMatchResult result = myInMemoryResourceMatcher.match(filter, bundle, null, newRequest());
+		assertThat(result.supported()).as(result.getUnsupportedReason()).isTrue();
+		assertThat(result.matched()).isFalse();
+	}
+
+	@Test
+	public void testNotSecurityFilter_onBundleWithAllowedSecurityTag_isMatched() {
+		String filter = "_security:not=%s|%s".formatted(SECURITY_LABEL_SYSTEM, SECURITY_LABEL_CODE);
+
+		Bundle bundle = new Bundle();
+		bundle.getMeta().addSecurity().setSystem(SECURITY_LABEL_SYSTEM).setCode("ANOTHER_CODE");
+
+		InMemoryMatchResult result = myInMemoryResourceMatcher.match(filter, bundle, null, newRequest());
+		assertThat(result.supported()).as(result.getUnsupportedReason()).isTrue();
+		assertThat(result.matched()).isTrue();
+	}
+
+	@Test
+	public void testNotSecurityFilter_onBundleWithNoSecurityTags_isMatched() {
+		String filter = "_security:not=%s|%s".formatted(SECURITY_LABEL_SYSTEM, SECURITY_LABEL_CODE);
+
+		Bundle bundle = new Bundle();
+		assertThat(bundle.getMeta().getSecurity()).isEmpty();
+
+		InMemoryMatchResult result = myInMemoryResourceMatcher.match(filter, bundle, null, newRequest());
+		assertThat(result.supported()).as(result.getUnsupportedReason()).isTrue();
+		assertThat(result.matched()).isTrue();
+	}
+
 	@Test
 	public void testNowNextWeek() {
 		Observation futureObservation = new Observation();