AuthzPolicyEnforcement should prevent access to the whole-system history api

[lmsurpre]

Is your feature request related to a problem? Please describe.
The fhir-smart AuthzPolicyEnforcementPersistenceInterceptor can be used to provide user-scoped authorization to the the FHIR Server's APIs.

For example, it scopes all searches to the patient compartment that matches the patient context for a given session.

However, one thing it doesn't prevent access to is the whole-system history endpoint.
This endpoint provides an overview of all the create/update/delete interactions serviced on the server.
Therefor, a use with access to the api would be able to determine all of the resource ids on the server.

Describe the solution you'd like
Currently the whole-system-history implementation doesn't execute any beforeX or afterX hooks in our PersistenceInterceptor framework. Since this is the mechanism used by AuthzPolicyEnforcementPersistenceInterceptor to restrict access, we should first add these hooks (or use the existing beforeHistory and afterHistory ones).

Next, we should either filter the list of results somehow or, more likely, just prohibit this interaction altogether.

Describe alternatives you've considered
We already have support for restricting access to the whole-system history endpoint and that is to filter the "history" interaction on the "Resource" resource in the fhir-server-config.json (as described at https://ibm.github.io/FHIR/guides/FHIRServerUsersGuide#412-fhir-rest-api ).
This might be sufficient, but it requires the operator to override this setting on each configured resource type.

Example:

"resources": {
    "open": false,
    "Condition": {
        "interactions": ["read", "vread", "history", "search"]
    },
    "Observation": {
        "interactions": ["read", "vread", "history", "search"]
    },
    "Patient": {
        "interactions": ["read", "vread", "search"]
    }
}

Acceptance Criteria
1.
GIVEN a deployment with fhir-smart installed
AND a request scoped to a particular patient
WHEN they invoke the whole-system history endpoint
THEN they should not see the resource ids for any resources to which they do not have access

Additional context
Relates to #2026 which rounds out our support for proper "whole-system history" behavior.

QA suggestions

1. Test system-level history: Requires user/*.read or system/*.read authority
   Example: https://localhost:9443/fhir-server/api/v4/_history
2. Test system-level history (with _type parameter): Requires user/<resource_type>.read or system/<resource_type>.read authority to each resource type in the _type parameter.
   Example: https://localhost:9443/fhir-server/api/v4/_history?_type=Patient,Observation
3. Test type-level history: Requires user/<resource_type>.read or system/<resource_type>.read authority to the resource type.
   Example: https://localhost:9443/fhir-server/api/v4/Patient/_history

[lmsurpre]

the whole-system history endpoint impl should call the beforeHistory and afterHistory hooks in the interceptor with a resource type of "Resource"

[lmsurpre]

two separate tasks:

1. call the interceptor hooks
2. update fhir-smart to properly controll access to this

[kmbarton423]

Confirmed behavior is as expected. Below is a sample of the OperationOutcome received when attempting without the appropriate scope:

403 Forbidden
{
"resourceType": "OperationOutcome",
"id": "ac-11-ae-6c-485c69c3-21c8-4243-bef5-62151b93b7bb",
"issue": [
{
"severity": "fatal",
"code": "forbidden",
"details": {
"text": "Read permission for system history of '[Condition, AllergyIntolerance]' is not granted by any of the provided scopes: [patient/*.read, user/Condition.read]"
}
}
]
}