Add Auth to Second Fhir Server

medizininformatik-initiative · Jan 10, 2025 · f082967 · f082967
1 parent 19cce29
commit f082967
Show file tree

Hide file tree

Showing 22 changed files with 388 additions and 176 deletions.
diff --git a/.github/integration-test/basic-auth/Dockerfile b/.github/integration-test/basic-auth/Dockerfile
@@ -0,0 +1,4 @@
+# Image is used as base for a dummy container from which curl can request data within the same network as the other containers
+FROM alpine
+RUN apk add --no-cache curl
+ENTRYPOINT ["tail", "-f", "/dev/null"]
diff --git a/.github/integration-test/basic-auth/docker-compose.yml b/.github/integration-test/basic-auth/docker-compose.yml
@@ -19,11 +19,23 @@ services:
     image: fhir-data-evaluator
     environment:
       CONVERT_TO_CSV: ${FDE_CONVERT_TO_CSV:-true}
-      FHIR_SERVER: "http://proxy:8080/fhir"
-      FHIR_USER: "test"
-      FHIR_PASSWORD: "bar"
+      FHIR_SOURCE_SERVER: "http://proxy:8080/fhir"
+      FHIR_SOURCE_USER: "test"
+      FHIR_SOURCE_PASSWORD: "bar"
+      FHIR_REPORT_SERVER: "http://proxy:8080/fhir"
+      FHIR_REPORT_USER: "test"
+      FHIR_REPORT_PASSWORD: "bar"
+      SEND_REPORT_TO_SERVER: ${FDE_SEND_REPORT_TO_SERVER:-false}
+      AUTHOR_IDENTIFIER_SYSTEM: ${FDE_AUTHOR_IDENTIFIER_SYSTEM:-}
+      AUTHOR_IDENTIFIER_VALUE: ${FDE_AUTHOR_IDENTIFIER_VALUE:-}
+      PROJECT_IDENTIFIER_SYSTEM: ${FDE_PROJECT_IDENTIFIER_SYSTEM:-}
+      PROJECT_IDENTIFIER_VALUE: ${FDE_PROJECT_IDENTIFIER_VALUE:-}
     volumes:
       - "${FDE_INPUT_MEASURE:-../Documentation/example-measures/example-measure-kds.json}:/app/measure.json"
       - "${FDE_OUTPUT_DIR:-../output}:/app/output"
+  curl-tester: # dummy container from which curl can request data within the same network as the other containers
+    build: .
+    entrypoint: [ "tail", "-f", "/dev/null" ]
+    command: ""
 volumes:
   data-store-data:
diff --git a/.github/integration-test/evaluate-and-post-different-doc-ref.sh b/.github/integration-test/evaluate-and-post-different-doc-ref.sh
@@ -1,11 +1,11 @@
 #!/bin/bash -e
 
-PROJECT_IDENTIFIER_VALUE="$1"
-
-DOCKER_COMPOSE_FILE=.github/integration-test/no-auth/docker-compose.yml
+AUTH="$1"
+DOCKER_COMPOSE_FILE=.github/integration-test/"$1"/docker-compose.yml
+PROJECT_IDENTIFIER_VALUE="$2"
 export FDE_INPUT_MEASURE=/${PWD}/.github/integration-test/measures/icd10-measure.json
+export FDE_OUTPUT_DIR=$PWD/.github/integration-test/evaluate-and-post
 export FDE_CONVERT_TO_CSV=false
-export FDE_FHIR_REPORT_DESTINATION_SERVER=http://fhir-server:8080/fhir
 export FDE_AUTHOR_IDENTIFIER_SYSTEM=http://dsf.dev/sid/organization-identifier
 export FDE_AUTHOR_IDENTIFIER_VALUE=Test_DIC1
 export FDE_PROJECT_IDENTIFIER_SYSTEM=http://medizininformatik-initiative.de/sid/project-identifier
@@ -14,8 +14,42 @@ export FDE_SEND_REPORT_TO_SERVER=true
 
 docker compose -f "$DOCKER_COMPOSE_FILE" run -e TZ="$(cat /etc/timezone)" fhir-data-evaluator
 
-reference_response=$(curl -s "http://localhost:8082/fhir/DocumentReference" \
-    -H "Content-Type: application/fhir+json")
+get_response() {
+  URL="$1"
+  CURL_TESTER_ID=$(docker ps --filter "name=$AUTH-curl-tester-1" --format "{{.ID}}")
+  if [ "$AUTH" == "no-auth" ]; then
+    response=$(docker exec "$CURL_TESTER_ID" sh -c "
+      curl -s 'http://fhir-server:8080/fhir/$URL' -H 'Content-Type: application/fhir+json'")
+    echo "$response"
+  elif [ "$AUTH" == "basic-auth" ]; then
+    response=$(docker exec "$CURL_TESTER_ID" sh -c "
+          curl -s 'http://proxy:8080/fhir/$URL' \
+                -H 'Content-Type: application/fhir+json' \
+                -u 'test:bar'")
+    echo "$response"
+  else
+    docker exec "$CURL_TESTER_ID" sh -c "
+      cp /app/certs/cert.pem /usr/local/share/ca-certificates/cert.crt &&
+      update-ca-certificates"
+
+    oauth_response=$(docker exec "$CURL_TESTER_ID" sh -c "
+              curl -s -X POST 'https://secure-keycloak:8443/realms/test/protocol/openid-connect/token' \
+                      -H 'Content-Type: application/x-www-form-urlencoded' \
+                      -d 'grant_type=client_credentials' \
+                      -d 'client_id=account' \
+                      -d 'client_secret=test'")
+    FHIR_REPORT_BEARER_TOKEN=$(echo "$oauth_response" | jq -r '.access_token')
+
+    response=$(docker exec "$CURL_TESTER_ID" sh -c "
+                  curl -s 'https://secure-fhir-server:8443/fhir/$URL' \
+                           -H 'Content-Type: application/fhir+json' \
+                           -H 'Authorization: Bearer $FHIR_REPORT_BEARER_TOKEN'")
+
+    echo "$response"
+  fi
+}
+
+reference_response=$(get_response "DocumentReference")
 
 reference_count=$(echo "$reference_response" | jq -r '.entry | length')
 

diff --git a/.github/integration-test/evaluate-and-post-report.sh b/.github/integration-test/evaluate-and-post-report.sh
@@ -1,23 +1,58 @@
 #!/bin/bash -e
 
-PROJECT_IDENTIFIER_VALUE="$1"
-DOCKER_COMPOSE_FILE=.github/integration-test/no-auth/docker-compose.yml
+AUTH="$1"
+DOCKER_COMPOSE_FILE=.github/integration-test/"$1"/docker-compose.yml
+PROJECT_IDENTIFIER_VALUE="$2"
 export FDE_INPUT_MEASURE=/${PWD}/.github/integration-test/measures/icd10-measure.json
+export FDE_OUTPUT_DIR=$PWD/.github/integration-test/evaluate-and-post
 export FDE_CONVERT_TO_CSV=false
-export FDE_FHIR_REPORT_DESTINATION_SERVER=http://fhir-server:8080/fhir
 export FDE_AUTHOR_IDENTIFIER_SYSTEM=http://dsf.dev/sid/organization-identifier
 export FDE_AUTHOR_IDENTIFIER_VALUE=Test_DIC1
 export FDE_PROJECT_IDENTIFIER_SYSTEM=http://medizininformatik-initiative.de/sid/project-identifier
 export FDE_PROJECT_IDENTIFIER_VALUE="$PROJECT_IDENTIFIER_VALUE"
 export FDE_SEND_REPORT_TO_SERVER=true
 
+mkdir "$FDE_OUTPUT_DIR"
 docker compose -f "$DOCKER_COMPOSE_FILE" run -e TZ="$(cat /etc/timezone)" fhir-data-evaluator
 
-report_response=$(curl -s "http://localhost:8082/fhir/MeasureReport" \
-     -H "Content-Type: application/fhir+json")
+get_response() {
+  URL="$1"
+  CURL_TESTER_ID=$(docker ps --filter "name=$AUTH-curl-tester-1" --format "{{.ID}}")
+  if [ "$AUTH" == "no-auth" ]; then
+    response=$(docker exec "$CURL_TESTER_ID" sh -c "
+      curl -s 'http://fhir-server:8080/fhir/$URL' -H 'Content-Type: application/fhir+json'")
+    echo "$response"
+  elif [ "$AUTH" == "basic-auth" ]; then
+    response=$(docker exec "$CURL_TESTER_ID" sh -c "
+          curl -s 'http://proxy:8080/fhir/$URL' \
+                -H 'Content-Type: application/fhir+json' \
+                -u 'test:bar'")
+    echo "$response"
+  else
+    docker exec "$CURL_TESTER_ID" sh -c "
+      cp /app/certs/cert.pem /usr/local/share/ca-certificates/cert.crt &&
+      update-ca-certificates"
 
-reference_response=$(curl -s "http://localhost:8082/fhir/DocumentReference" \
-    -H "Content-Type: application/fhir+json")
+    oauth_response=$(docker exec "$CURL_TESTER_ID" sh -c "
+              curl -s -X POST 'https://secure-keycloak:8443/realms/test/protocol/openid-connect/token' \
+                      -H 'Content-Type: application/x-www-form-urlencoded' \
+                      -d 'grant_type=client_credentials' \
+                      -d 'client_id=account' \
+                      -d 'client_secret=test'")
+    FHIR_REPORT_BEARER_TOKEN=$(echo "$oauth_response" | jq -r '.access_token')
+
+    response=$(docker exec "$CURL_TESTER_ID" sh -c "
+                  curl -s 'https://secure-fhir-server:8443/fhir/$URL' \
+                           -H 'Content-Type: application/fhir+json' \
+                           -H 'Authorization: Bearer $FHIR_REPORT_BEARER_TOKEN'")
+
+    echo "$response"
+  fi
+}
+
+report_response=$(get_response "MeasureReport")
+
+reference_response=$(get_response "DocumentReference")
 
 report_url=MeasureReport/$(echo "$report_response" | jq -r  '.entry[0].resource.id')
 reference_url=$(echo "$reference_response" | jq -r '.entry[0].resource.content[0].attachment.url')

diff --git a/.github/integration-test/evaluate-and-post-update.sh b/.github/integration-test/evaluate-and-post-update.sh
@@ -1,27 +1,60 @@
 #!/bin/bash -e
 
-PROJECT_IDENTIFIER_VALUE="$1"
-
-DOCKER_COMPOSE_FILE=.github/integration-test/no-auth/docker-compose.yml
+AUTH="$1"
+DOCKER_COMPOSE_FILE=.github/integration-test/"$1"/docker-compose.yml
+PROJECT_IDENTIFIER_VALUE="$2"
 export FDE_INPUT_MEASURE=/${PWD}/.github/integration-test/measures/icd10-measure.json
+export FDE_OUTPUT_DIR=$PWD/.github/integration-test/evaluate-and-post
 export FDE_CONVERT_TO_CSV=false
-export FDE_FHIR_REPORT_DESTINATION_SERVER=http://fhir-server:8080/fhir
 export FDE_AUTHOR_IDENTIFIER_SYSTEM=http://dsf.dev/sid/organization-identifier
 export FDE_AUTHOR_IDENTIFIER_VALUE=Test_DIC1
 export FDE_PROJECT_IDENTIFIER_SYSTEM=http://medizininformatik-initiative.de/sid/project-identifier
 export FDE_PROJECT_IDENTIFIER_VALUE="$PROJECT_IDENTIFIER_VALUE"
 export FDE_SEND_REPORT_TO_SERVER=true
 
-reference_response=$(curl -s "http://localhost:8082/fhir/DocumentReference" \
-    -H "Content-Type: application/fhir+json")
+get_response() {
+  URL="$1"
+  CURL_TESTER_ID=$(docker ps --filter "name=$AUTH-curl-tester-1" --format "{{.ID}}")
+  if [ "$AUTH" == "no-auth" ]; then
+    response=$(docker exec "$CURL_TESTER_ID" sh -c "
+      curl -s 'http://fhir-server:8080/fhir/$URL' -H 'Content-Type: application/fhir+json'")
+    echo "$response"
+  elif [ "$AUTH" == "basic-auth" ]; then
+    response=$(docker exec "$CURL_TESTER_ID" sh -c "
+          curl -s 'http://proxy:8080/fhir/$URL' \
+                -H 'Content-Type: application/fhir+json' \
+                -u 'test:bar'")
+    echo "$response"
+  else
+    docker exec "$CURL_TESTER_ID" sh -c "
+      cp /app/certs/cert.pem /usr/local/share/ca-certificates/cert.crt &&
+      update-ca-certificates"
+
+    oauth_response=$(docker exec "$CURL_TESTER_ID" sh -c "
+              curl -s -X POST 'https://secure-keycloak:8443/realms/test/protocol/openid-connect/token' \
+                      -H 'Content-Type: application/x-www-form-urlencoded' \
+                      -d 'grant_type=client_credentials' \
+                      -d 'client_id=account' \
+                      -d 'client_secret=test'")
+    FHIR_REPORT_BEARER_TOKEN=$(echo "$oauth_response" | jq -r '.access_token')
+
+    response=$(docker exec "$CURL_TESTER_ID" sh -c "
+                  curl -s 'https://secure-fhir-server:8443/fhir/$URL' \
+                           -H 'Content-Type: application/fhir+json' \
+                           -H 'Authorization: Bearer $FHIR_REPORT_BEARER_TOKEN'")
+
+    echo "$response"
+  fi
+}
+
+reference_response=$(get_response "DocumentReference")
 reference_url_before=$(echo "$reference_response" | jq -r '.entry[0].resource.content[0].attachment.url')
 
 docker compose -f "$DOCKER_COMPOSE_FILE" run -e TZ="$(cat /etc/timezone)" fhir-data-evaluator
 
-report_response=$(curl -s "http://localhost:8082/fhir/MeasureReport" \
-     -H "Content-Type: application/fhir+json")
-reference_response=$(curl -s "http://localhost:8082/fhir/DocumentReference" \
-    -H "Content-Type: application/fhir+json")
+report_response=$(get_response "MeasureReport")
+
+reference_response=$(get_response "DocumentReference")
 
 report_count=$(echo "$report_response" | jq -r  '.entry | length')
 reference_count=$(echo "$reference_response" | jq -r '.entry | length')

diff --git a/.github/integration-test/missing-permissions-test.sh b/.github/integration-test/missing-permissions-test.sh
@@ -6,7 +6,7 @@ mkdir "$BASE_OUTPUT_DIR"
 # Allow docker to exit with an error
 set +e
 OUTPUT=$(docker run -v "$PWD"/.github/integration-test/measures/code-measure.json:/app/measure.json \
-      -v "$BASE_OUTPUT_DIR":/app/output:ro -e FHIR_SERVER=http://fhir-server:8080/fhir fhir-data-evaluator 2>&1)
+      -v "$BASE_OUTPUT_DIR":/app/output:ro -e FHIR_SOURCE_SERVER=http://fhir-server:8080/fhir fhir-data-evaluator 2>&1)
 EXIT_CODE=$?
 set -e
 

diff --git a/.github/integration-test/no-auth/Dockerfile b/.github/integration-test/no-auth/Dockerfile
@@ -0,0 +1,4 @@
+# Image is used as base for a dummy container from which curl can request data within the same network as the other containers
+FROM alpine
+RUN apk add --no-cache curl
+ENTRYPOINT ["tail", "-f", "/dev/null"]
diff --git a/.github/integration-test/no-auth/docker-compose.yml b/.github/integration-test/no-auth/docker-compose.yml
@@ -14,8 +14,8 @@ services:
     image: fhir-data-evaluator
     environment:
       CONVERT_TO_CSV: ${FDE_CONVERT_TO_CSV:-true}
-      FHIR_SERVER: "http://fhir-server:8080/fhir"
-      FHIR_REPORT_DESTINATION_SERVER: ${FDE_FHIR_REPORT_DESTINATION_SERVER:-http://localhost:8080/fhir}
+      FHIR_SOURCE_SERVER: "http://fhir-server:8080/fhir"
+      FHIR_REPORT_SERVER: "http://fhir-server:8080/fhir"
       SEND_REPORT_TO_SERVER: ${FDE_SEND_REPORT_TO_SERVER:-false}
       AUTHOR_IDENTIFIER_SYSTEM: ${FDE_AUTHOR_IDENTIFIER_SYSTEM:-}
       AUTHOR_IDENTIFIER_VALUE: ${FDE_AUTHOR_IDENTIFIER_VALUE:-}
@@ -24,6 +24,10 @@ services:
     volumes:
       - "${FDE_INPUT_MEASURE:-../Documentation/example-measures/example-measure-kds.json}:/app/measure.json"
       - "${FDE_OUTPUT_DIR:-../output}:/app/output"
+  curl-tester: # dummy container from which curl can request data within the same network as the other containers
+    build: .
+    entrypoint: ["tail", "-f", "/dev/null"]
+    command: ""
 
 volumes:
   data-store-data:
diff --git a/.github/integration-test/oauth/Dockerfile b/.github/integration-test/oauth/Dockerfile
@@ -0,0 +1,6 @@
+# Image is used as base for a dummy container from which curl can request data within the same network as the other containers
+FROM alpine
+RUN apk add --no-cache ca-certificates
+RUN apk add --no-cache curl
+RUN mkdir -p /usr/local/share/ca-certificates/
+ENTRYPOINT ["tail", "-f", "/dev/null"]
diff --git a/.github/integration-test/oauth/docker-compose.yml b/.github/integration-test/oauth/docker-compose.yml
@@ -107,14 +107,31 @@ services:
       test-oauth:
     environment:
       CONVERT_TO_CSV: ${FDE_CONVERT_TO_CSV:-true}
-      FHIR_SERVER: "https://secure-fhir-server:8443/fhir"
-      FHIR_OAUTH_ISSUER_URI: "https://secure-keycloak:8443/realms/test"
-      FHIR_OAUTH_CLIENT_ID: "account"
-      FHIR_OAUTH_CLIENT_SECRET: "test"
+      FHIR_SOURCE_SERVER: "https://secure-fhir-server:8443/fhir"
+      FHIR_SOURCE_OAUTH_ISSUER_URI: "https://secure-keycloak:8443/realms/test"
+      FHIR_SOURCE_OAUTH_CLIENT_ID: "account"
+      FHIR_SOURCE_OAUTH_CLIENT_SECRET: "test"
+      FHIR_REPORT_SERVER: "https://secure-fhir-server:8443/fhir"
+      FHIR_REPORT_OAUTH_ISSUER_URI: "https://secure-keycloak:8443/realms/test"
+      FHIR_REPORT_OAUTH_CLIENT_ID: "account"
+      FHIR_REPORT_OAUTH_CLIENT_SECRET: "test"
+      SEND_REPORT_TO_SERVER: ${FDE_SEND_REPORT_TO_SERVER:-false}
+      AUTHOR_IDENTIFIER_SYSTEM: ${FDE_AUTHOR_IDENTIFIER_SYSTEM:-}
+      AUTHOR_IDENTIFIER_VALUE: ${FDE_AUTHOR_IDENTIFIER_VALUE:-}
+      PROJECT_IDENTIFIER_SYSTEM: ${FDE_PROJECT_IDENTIFIER_SYSTEM:-}
+      PROJECT_IDENTIFIER_VALUE: ${FDE_PROJECT_IDENTIFIER_VALUE:-}
     volumes:
       - "${FDE_INPUT_MEASURE:-../Documentation/example-measures/example-measure-kds.json}:/app/measure.json"
       - "${FDE_OUTPUT_DIR:-../output}:/app/output"
       - "certs:/app/certs"
+  curl-tester: # dummy container from which curl can request data within the same network as the other containers
+    build: .
+    entrypoint: [ "tail", "-f", "/dev/null" ]
+    command: ""
+    networks:
+      test-oauth:
+    volumes:
+      - "certs:/app/certs"
 volumes:
   data-store-data:
   certs:

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -155,17 +155,14 @@ jobs:
       - name: Run Integration Test to check if it correctly exits when there are insufficient writing permissions
         run: .github/integration-test/missing-permissions-test.sh
 
-      - name: Run Integration Test for Posting the MeasureReport to the FHIR server
-        run: .github/integration-test/evaluate-and-post-report.sh Test_PROJECT_Evaluation_1
-        if: matrix.test == 'no-auth'
+      - name: Run Integration Test for Posting the MeasureReport to the Report FHIR server
+        run: .github/integration-test/evaluate-and-post-report.sh ${{ matrix.test }} Test_PROJECT_Evaluation_1
 
-      - name: Run Integration Test for Posting the MeasureReport to the FHIR server with the Same Project Identifier
-        run: .github/integration-test/evaluate-and-post-update.sh Test_PROJECT_Evaluation_1
-        if: matrix.test == 'no-auth'
+      - name: Run Integration Test for Posting the MeasureReport to the Report FHIR server with the Same Project Identifier
+        run: .github/integration-test/evaluate-and-post-update.sh ${{ matrix.test }} Test_PROJECT_Evaluation_1
 
-      - name: Run Integration Test for Posting the MeasureReport to the FHIR server with a Different Project Identifier
-        run: .github/integration-test/evaluate-and-post-different-doc-ref.sh Test_PROJECT_Evaluation_2
-        if: matrix.test == 'no-auth'
+      - name: Run Integration Test for Posting the MeasureReport to the Report FHIR server with a Different Project Identifier
+        run: .github/integration-test/evaluate-and-post-different-doc-ref.sh ${{ matrix.test }} Test_PROJECT_Evaluation_2
 
       - name: Remove Blaze volumes
         run: docker compose -f .github/integration-test/${{ matrix.test }}/docker-compose.yml down -v

diff --git a/Documentation/performance/average-time-test.sh b/Documentation/performance/average-time-test.sh
@@ -11,7 +11,7 @@ mkdir -p "$OUTPUT_DIR"
 
 for ((i=0;i<ITERATIONS;i++))
 do
-  docker run -v "/$MEASURE_FILE":/app/measure.json -v "/$OUTPUT_DIR":/app/output/ -e FHIR_SERVER=http://host.docker.internal:8080/fhir -e FHIR_PAGE_COUNT=500 -it "$DOCKER_IMAGE"
+  docker run -v "/$MEASURE_FILE":/app/measure.json -v "/$OUTPUT_DIR":/app/output/ -e FHIR_SOURCE_SERVER=http://host.docker.internal:8080/fhir -e FHIR_SOURCE_PAGE_COUNT=500 -it "$DOCKER_IMAGE"
 done
 
 result=$(\