Merge branch 'main' into patch-9

.github/workflows/deploy.yaml

@@ -0,0 +1,105 @@
+name: 'Deploy'
+on:
+  push:
+    tags:
+      - v*
+
+env:
+  S3_BUCKET_DEV: shc-verifier-services-dev
+  S3_BUCKET_TEST: shc-verifier-services-test
+  S3_BUCKET_PROD: shc-verifier-services-prod
+  S3_DIR: vci-directory
+  LOCAL_SOURCE_FILE: vci-issuers.json
+  LOCAL_SOURCE_INCLUDE_LOG_DIR: logs/*
+  REGION: us-east-1
+  ROLE_TO_ASSUME: arn:aws:iam::789379687343:role/GithubECSRole
+  ROLE_SESSION_NAME: GithubActionsECSDev
+
+jobs:
+  deployDev:
+    if: contains(github.ref, 'dev')
+    name: 'Deploy VCI issuers list to TCP dev'
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@master
+    - name: 'Configure Dev AWS Role'
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.TERRAFORM_AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.TERRAFORM_AWS_SECRET_ACCESS_KEY }}
+        aws-region: ${{ env.REGION }}
+        role-to-assume: ${{ env.ROLE_TO_ASSUME }}
+        role-duration-seconds: 1200
+        role-session-name: ${{ env.ROLE_SESSION_NAME }}
+    - name: 'Sync issuers file to S3'
+      run: |
+        aws s3 sync . 's3://${{ env.S3_BUCKET_DEV }}/${{ env.S3_DIR }}' --exclude='*' --include='${{ env.LOCAL_SOURCE_FILE }}' --include='${{ env.LOCAL_SOURCE_INCLUDE_LOG_DIR }}'
+
+  deployTest:
+    if: contains(github.ref, 'test')
+    name: 'Deploy VCI issuers list to TCP test'
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@master
+    - name: 'Configure Test AWS Role'
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.TERRAFORM_AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.TERRAFORM_AWS_SECRET_ACCESS_KEY }}
+        aws-region: ${{ env.REGION }}
+        role-to-assume: ${{ env.ROLE_TO_ASSUME }}
+        role-duration-seconds: 1200
+        role-session-name: ${{ env.ROLE_SESSION_NAME }}
+    - name: 'Sync issuers file to S3'
+      run: |
+        aws s3 sync . 's3://${{ env.S3_BUCKET_TEST }}/${{ env.S3_DIR }}' --exclude='*' --include='${{ env.LOCAL_SOURCE_FILE }}' --include='${{ env.LOCAL_SOURCE_INCLUDE_LOG_DIR }}'
+
+  deployProd:
+    if: contains(github.ref, '-prod')
+    name: 'Deploy VCI issuers list to TCP production'
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@master
+    - name: 'Configure Prod AWS Role'
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.TERRAFORM_AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.TERRAFORM_AWS_SECRET_ACCESS_KEY }}
+        aws-region: ${{ env.REGION }}
+        role-to-assume: ${{ env.ROLE_TO_ASSUME }}
+        role-duration-seconds: 1200
+        role-session-name: ${{ env.ROLE_SESSION_NAME }}
+    - name: 'Sync issuers file to S3'
+      run: |
+        aws s3 sync . 's3://${{ env.S3_BUCKET_PROD }}/${{ env.S3_DIR }}' --exclude='*' --include='${{ env.LOCAL_SOURCE_FILE }} --include='${{ env.LOCAL_SOURCE_INCLUDE_LOG_DIR }}'
+
+  updateReadme:
+    runs-on: ubuntu-latest
+    name: 'Update VCI-Issuers.md if vci-issuers.json has changed'
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+      - name: Check for changes in vci-issuers.json
+        id: file_check
+        run: |
+          echo "Checking for changes in vci-issuers.json"
+          if git diff --name-only ${{ github.sha }} ${{ github.event.before }} | grep -q "vci-issuers.json"; then
+            echo "::set-output name=changed::true"
+          else
+            echo "::set-output name=changed::false"
+          fi
+      - name: Generate VCI-Issuers.md
+        if: steps.file_check.outputs.changed == 'true'
+        run: python scripts/update_vci_issuer_md.py
+      - name: Commit and Push if changed
+        if: steps.file_check.outputs.changed == 'true'
+        run: |
+          git config --global user.email "[email protected]"
+          git config --global user.name "GitHub Actions"
+          git add VCI-Issuers.md
+          git diff --staged --quiet || git commit -m "Update VCI-Issuers.md"
+          git push origin HEAD:refs/heads/${{ github.ref }}
+

.github/workflows/test-scripts-pass.yaml

@@ -0,0 +1,23 @@
+name: "Test Scripts"
+
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+    paths-ignore:
+      - 'vci-issuers*.json'
+      - 'scripts/*.py'
+      - '.github/workflows/test-scripts.yaml'
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - 'vci-issuers*.json'
+      - 'scripts/*.py'
+      - '.github/workflows/test-scripts.yaml'
+
+jobs:
+  runTests:
+    name: "Test Scripts"
+    runs-on: [ubuntu-latest]
+    steps:
+      - run: 'echo "No build required" '

.github/workflows/test_scripts.yaml → .github/workflows/test-scripts.yaml

@@ -3,6 +3,10 @@ name: "Test Scripts"
 on:
   pull_request_target:
     types: [opened, synchronize]
+    paths:
+      - 'vci-issuers*.json'
+      - 'scripts/*.py'
+      - '.github/workflows/test-scripts.yaml'
 
 jobs:
   runTests:

.github/workflows/upload-snapshot.yaml

@@ -0,0 +1,55 @@
+name: 'Deploy'
+on:
+  push:
+    branches:
+       - main
+env:
+  S3_BUCKET_DEV: vci-snapshot-dev
+  S3_BUCKET_QA: vci-snapshot-preprod
+  S3_BUCKET_PROD: vci-snapshot-prod
+  S3_DIR: current-snapshot
+  ISSUER_FILE: vci-issuers.json
+  META_FILE: vci-issuers-metadata.json
+  LOCAL_SOURCE_INCLUDE_LOG_DIR: logs/*
+  REGION: us-east-1
+  ROLE_TO_ASSUME: 
+  ROLE_SESSION_NAME: 
+
+jobs:
+  uploadSnapShot:
+    name: 'Send Snapshot to S3'
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - bucket: '${S3_BUCKET_DEV}'
+            assume-role: arn:aws:iam::789379687343:role/GithubECSRole
+            role-session-name: GithubActionsECSDev
+          - bucket: '${S3_BUCKET_QA}'
+            assume-role: arn:aws:iam::496986085600:role/GithubECSRole
+            role-session-name: GithubActionsECSQA
+          - bucket: '${S3_BUCKET_PROD}'
+            assume-role: arn:aws:iam::583457431358:role/GithubECSRole
+            role-session-name: GithubActionsECSProd
+        bucket: [ '${S3_BUCKET_DEV}', '${S3_BUCKET_QA}', '${S3_BUCKET_PROD}' ]
+    steps:
+      - name: "List bucket"
+        run: |
+          echo "uploading to ${{matrix.bucket}}"
+
+      - uses: actions/checkout@master
+      - name: 'Configure AWS Role'
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.TERRAFORM_AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.TERRAFORM_AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ env.REGION }}
+          role-to-assume: ${{ matrix.assume-role }}
+          role-duration-seconds: 1200
+          role-session-name: ${{ matrix.role-session-name }}
+      - name: 'Sync issuers file to S3'
+        run: |
+          aws s3 sync . "s3://${{matrix.bucket}}/${{env.S3_DIR}}" --exclude='*' \
+          --include='${{ env.ISSUER_FILE }}' \
+          --include='${{ env.META_FILE }}' 
+

.github/workflows/validate-issuers-on-push-pass.yaml

@@ -0,0 +1,23 @@
+name: "Validate on push"
+
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+    paths-ignore:
+      - 'vci-issuers*.json'
+      - 'scripts/*.py'
+      - '.github/workflows/validate-issuers.yaml'
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - 'vci-issuers*.json'
+      - 'scripts/*.py'
+      - '.github/workflows/validate-issuers.yaml'
+
+jobs:
+  runTests:
+    name: "Validate Issuers File"
+    runs-on: [ubuntu-latest]
+    steps:
+      - run: 'echo "No build required" '

.github/workflows/validate_vci_issuers_on_push.yaml → .github/workflows/validate-issuers-on-push.yaml

@@ -1,8 +1,12 @@
-name: "Validate Issuers File On Push"
+name: "Validate on push"
 
 on:
   pull_request_target:
     types: [opened, synchronize]
+    paths:
+      - 'vci-issuers*.json'
+      - 'scripts/*.py'
+      - '.github/workflows/validate-issuers.yaml'
 
 jobs:
   runTests:

.github/workflows/validate_vci_issuers_periodic.yaml → .github/workflows/validate-issuers-periodic.yaml

@@ -1,4 +1,4 @@
-name: "Validate Issuers File Periodically"
+name: "Validate on schedule"
 
 on:
   schedule:

.github/workflows/vci-directory-audit.yaml

@@ -0,0 +1,69 @@
+name: Nightly audit
+on:
+  schedule:
+      - cron: '30 4 * * *'
+  push:
+    tags:
+      - audit*
+jobs:
+  vci-directory-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          ref: main
+          token: ${{ secrets.GIT_PUSH_TOKEN }}
+      - uses: actions/setup-node@v2
+        with:
+          node-version: '14'
+      - name: npm setup
+        run: |
+          cd scripts/vci-directory-auditor
+          npm install
+          npm run build --if-present
+      - name: run audit scripts
+        run: |
+          cd scripts/vci-directory-auditor
+          npm run audit -- -o ../../logs/new_log.json -p ../../logs/daily_log.json -s ../../logs/daily_log_snapshot.json -a ../../logs/daily_audit.json -d ../../vci-issuers.json
+          mv ../../logs/new_log.json ../../logs/daily_log.json
+          npm run assemble -- -s ../../logs/vci_snapshot.json -c ../../logs/daily_log_snapshot.json
+      - name: sign snapshot
+        env:
+          PRIVATE_SIG_KEY_PWD: ${{ secrets.PRIVATE_SIG_KEY_PWD }}
+          PRIVATE_SIG_KEY: ${{ secrets.PRIVATE_SIG_KEY }}
+        run: |
+          echo "$PRIVATE_SIG_KEY" > private.pem
+          openssl dgst -sha512 -sign private.pem -out logs/vci_snapshot.sig -passin env:PRIVATE_SIG_KEY_PWD logs/vci_snapshot.json
+          rm private.pem
+      - name: git check in
+        env:
+          GIT_OWNER_EMAIL: ${{ secrets.GIT_OWNER_EMAIL }}
+          GIT_OWNER_NAME: ${{ secrets.GIT_OWNER_NAME }}
+          GIT_REPO_PATH: ${{ secrets.GIT_REPO_PATH }}
+          GIT_PUSH_TOKEN: ${{ secrets.GIT_PUSH_TOKEN }}
+        run: |
+          git config user.email "$GIT_OWNER_EMAIL"
+          git config user.name "$GIT_OWNER_NAME"
+          if [[ `git status --porcelain` ]]; then
+            git add -f logs/daily_log.json
+            git add -f logs/daily_log_snapshot.json
+            git add -f logs/daily_audit.json
+            git add -f logs/vci_snapshot.json
+            git add -f logs/vci_snapshot.sig
+            git commit -a -m "daily dir and audit snapshot"
+            COMMIT=$(git rev-parse HEAD)
+            DATETIME=$(git log -n 1 --no-decorate --date=iso-strict -- logs/daily_log.json | head -3 | grep Date | cut -c 9-)
+            echo $COMMIT, $DATETIME >> logs/audit-index.csv
+            git add -f logs/audit-index.csv
+            git commit -a -m "added commit hash to audit index"
+            git remote add myorigin https://$GIT_OWNER_NAME:[email protected]/$GIT_REPO_PATH/vci-directory.git
+            git pull --rebase
+            git push myorigin HEAD:main --force
+          else
+            echo 'no changes'
+          fi
+      - name: save log files
+        uses: actions/upload-artifact@v2
+        with:
+          name: save-log-files
+          path: logs/*

METADATA.md

@@ -1,14 +1,60 @@
 # Issuer Metadata
 
+## Metadata Representation
+
 [vci-issuer-metadata.json](vci-issuers-metadata.json) represents metadata about an Issuer that may be useful to applications and websites.
 
 | Attribute | Meaning |
 |-----------|---------|
 | `canonical_iss` | The matches the `iss` or `canonical_iss` of the issuer in `vci-issuers.json` |
 | `website` | A website where the consumer can get their SMART Health Card or learn where they can get their SMART Health Card |
 | `help_line` | A phone number a consumer can call for assistance |
-| `issuer_type` | The type of issuer |
-| `state` | Which state, province, territory, or other administrative division within a country the issuer represents |
-| `country` | The country the issuer represents as ISO 3166 2 or 3 letter code |
+| `issuer_type` | The type of issuer (see below for details) |
+| `label` | A representative label for the issuer. Used when issuer name may be too long, misrepresentative, or provides more common nomenclature. |
+| `currently_issuing` | Boolean variable that indicates if an issuer is currently issuing. It is assumed an issuer is actively issuing if not included in metadata. |
+| `locations` | A list of locations (see below for details) that the issuer is associated with |
+
+## Issuer Type Representation
+
+The type of institution an issuer represents may be important for verifiers and holders. This value set captures the currently permitted and participating [issuer types in the VCI Directory](https://github.com/the-commons-project/vci-directory#types-of-issuers): clinical health systems and hospitals providing patient care, pharmacies, laboratory diagnostics providers, health insurance payors, and government and governmental agencies.
+
+A simple hierarchy provides an easier means to segregate government and non-governmental issuers for those who find that valuable.
+
+| Attribute | Meaning |
+|-----------|---------|
+| `organizational.health_system` | A clinical health system or hospital providing patient care |
+| `organizational.pharmacy` | A national or regional pharmacy chain |
+| `organizational.laboratory` | A national or regional laboratory diagnostics provider |
+| `organizational.insurer` | A national or regional health insurance payor |
+| `governmental.nation` | A nation or national governmental agency issuing for a nation |
+| `governmental.state_province_territory` | A state, province, territory or governmental agency issuing for a state, province, or territory |
+| `governmental.city_county` | A city, county or governmental agency issuing for a city |
+| `governmental.health_jurisdiction` | A jurisdiction or governmental agency issuing for a jurisdiction |
+| `governmental.agency` | A governmental agency |
+
+## Location Representation
+
+In order to best represent the reality of a SHC issuer issuing SHCs in multiple locations, an issuer can be associated to multiple country-state locations.
+
+This location representation is heavily inspired by the [FHIR `Address` type][fhir-address-type].
+
+| Attribute | Meaning |
+|-----------|---------|
+| `state` | The state, province, territory, or other administrative division within a country associated with the issuer |
+| `country` | The country associated with the issuer expressed as ISO 3166 2 or 3 letter code |
+
+Each location within the list of `locations` should be independently-defined. For
+example, if an issuer has operations in the states of New York and New Jersey, each of its
+`locations` should include both state and country:
+
+
+```json
+locations: [
+  { "state": "NY", "country": "US" },
+  { "state": "NJ", "country": "US" }
+]
+```
 
 [example-metadata.json](example-metadata.json) shows basic example representing what an entry in the metadata file would look like.
+
+[fhir-address-type]:https://www.hl7.org/fhir/datatypes.html#Address