Merge pull request #158 from medizininformatik-initiative/release-v2.2.0

Release v2.2.0

.github/integration-test/basic-auth/docker-compose.yml

@@ -0,0 +1,47 @@
+services:
+  data-store:
+    image: "samply/blaze:0.26.2"
+    healthcheck:
+      test: ["CMD-SHELL", "curl --fail -s http://localhost:8080/health"]
+      interval: "5s"
+      timeout: "5s"
+      retries: "3"
+      start_period: "60s"
+    environment:
+      BASE_URL: "http://data-store:8080"
+      JAVA_TOOL_OPTIONS: "-Xmx1g"
+      LOG_LEVEL: "debug"
+    ports:
+      - "8082:8080"
+    volumes:
+      - "data-store-data:/app/data"
+  flare:
+    image: "flare:latest"
+    healthcheck:
+      test: ["CMD-SHELL", "curl --fail -s http://localhost:8080/cache/stats"]
+      interval: "5s"
+      timeout: "5s"
+      retries: "3"
+      start_period: "60s"
+    environment:
+      JAVA_TOOL_OPTIONS: "-Xmx1g"
+      FLARE_FHIR_SERVER: "http://proxy:8080/fhir"
+      FLARE_FHIR_USER: "test"
+      FLARE_FHIR_PASSWORD: "bar"
+      LOG_LEVEL: "debug"
+    ports:
+      - "8080:8080"
+    volumes:
+      - "flare-cache:/app/cache"
+      - "../synthea-test-mapping:/app/ontology"
+    depends_on:
+      - data-store
+  proxy:
+    image: "nginx:1.27.0"
+    volumes:
+      - "./nginx.conf:/etc/nginx/nginx.conf"
+      - "./proxy.htpasswd:/etc/auth/.htpasswd"
+
+volumes:
+  data-store-data:
+  flare-cache:

.github/integration-test/basic-auth/load-data.sh

@@ -0,0 +1,5 @@
+#!/bin/bash -e
+
+SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
+
+blazectl --no-progress --server http://localhost:8082/fhir upload "$SCRIPT_DIR/../../test-data/synthea"

.github/integration-test/basic-auth/nginx.conf

@@ -0,0 +1,37 @@
+user  nginx;
+worker_processes  1;
+
+error_log  /var/log/nginx/error.log debug;
+pid        /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include     /etc/nginx/mime.types;
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+    access_log  /var/log/nginx/access.log  main;
+    sendfile        on;
+    keepalive_timeout  65;
+
+    server {
+        listen 8080;
+        listen [::]:8080;
+
+        location / {
+            root /usr/share/nginx/html;
+            index index.html;
+        }
+
+        location /fhir {
+            auth_basic "Test Area";
+            auth_basic_user_file /etc/auth/.htpasswd;
+
+            proxy_pass http://data-store:8080;
+            proxy_read_timeout 43200s;
+        }
+    }
+}

.github/integration-test/basic-auth/proxy.htpasswd

@@ -0,0 +1 @@
+test:$apr1$4ihrtZR3$7fCQXazNsjIaSbt6CuWi/1

.github/integration-test/docker-compose.yml → .github/integration-test/no-auth/docker-compose.yml

@@ -1,6 +1,12 @@
 services:
   data-store:
-    image: "samply/blaze:0.22"
+    image: "samply/blaze:0.26.2"
+    healthcheck:
+      test: ["CMD-SHELL", "curl --fail -s http://localhost:8080/health"]
+      interval: "5s"
+      timeout: "5s"
+      retries: "3"
+      start_period: "60s"
     environment:
       BASE_URL: "http://data-store:8080"
       JAVA_TOOL_OPTIONS: "-Xmx1g"
@@ -11,6 +17,12 @@ services:
       - "data-store-data:/app/data"
   flare:
     image: "flare:latest"
+    healthcheck:
+      test: ["CMD-SHELL", "curl --fail -s http://localhost:8080/cache/stats"]
+      interval: "5s"
+      timeout: "5s"
+      retries: "3"
+      start_period: "60s"
     environment:
       JAVA_TOOL_OPTIONS: "-Xmx1g"
       FLARE_FHIR_SERVER: "http://data-store:8080/fhir"
@@ -19,7 +31,7 @@ services:
       - "8080:8080"
     volumes:
       - "flare-cache:/app/cache"
-      - "./synthea-test-mapping:/app/ontology"
+      - "../synthea-test-mapping:/app/ontology"
     depends_on:
       - data-store
 volumes:

.github/integration-test/no-auth/load-data.sh

@@ -0,0 +1,5 @@
+#!/bin/bash -e
+
+SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
+
+blazectl --no-progress --server http://localhost:8082/fhir upload "$SCRIPT_DIR/../../test-data/synthea"

.github/integration-test/oauth/docker-compose.yml

@@ -0,0 +1,140 @@
+services:
+  generate-cert:
+    image: alpine/openssl
+    networks:
+      test-oauth:
+    entrypoint: ["sh", "-c"]
+    command:
+      - openssl req -nodes -subj "/CN=proxy"
+        -addext "basicConstraints=CA:false"
+        -addext "subjectAltName = DNS:secure-data-store, DNS:secure-keycloak"
+        -x509 -newkey rsa:4096 -days 99999
+        -keyout /keys/key.pem -out /certs/cert.pem
+    volumes:
+      - "certs:/certs"
+      - "keys:/keys"
+  generate-trust-store:
+    image: eclipse-temurin:21
+    networks:
+      test-oauth:
+    entrypoint: ["bash", "-c"]
+    command:
+      - rm -rf "/trusts/trust-store.p12";
+        keytool -importcert -storetype PKCS12 -keystore "/trusts/trust-store.p12"
+        -storepass "insecure" -alias ca -file "/certs/cert.pem" -noprompt
+    volumes:
+      - "certs:/certs"
+      - "trusts:/trusts"
+    depends_on:
+      generate-cert:
+        condition: service_completed_successfully
+  keycloak:
+    image: "keycloak/keycloak:24.0.5"
+    command: ["start", "--import-realm"]
+    healthcheck:
+      test: ["CMD-SHELL", "exec 3<>/dev/tcp/127.0.0.1/8080;echo -e \"GET /health/ready HTTP/1.1\r\nhost: localhost\r\nConnection: close\r\n\r\n\" >&3;grep \"HTTP/1.1 200 OK\" <&3"]
+      interval: "5s"
+      timeout: "5s"
+      retries: "3"
+      start_period: "30s"
+    networks:
+      test-oauth:
+    environment:
+      KC_HOSTNAME_URL: "https://secure-keycloak:8443"
+      KC_HOSTNAME_ADMIN_URL: "https://secure-keycloak:8443"
+      KC_HTTP_RELATIVE_PATH: "/"
+      KC_PROXY_HEADERS: "xforwarded"
+      KC_HTTP_ENABLED: "true"
+      KC_HEALTH_ENABLED: "true"
+      KC_LOG_LEVEL: "info"
+    volumes:
+      - "./realm-test.json:/opt/keycloak/data/import/realm-test.json"
+  proxy:
+    image: "nginx:1.27.0"
+    healthcheck:
+      test: ["CMD-SHELL", "curl --fail -s http://localhost:8080"]
+      interval: "5s"
+      timeout: "5s"
+      retries: "3"
+      start_period: "5s"
+    networks:
+      test-oauth:
+        aliases:
+          - secure-data-store
+          - secure-keycloak
+    volumes:
+      - "./nginx.conf:/etc/nginx/nginx.conf"
+      - "certs:/etc/nginx/certs"
+      - "keys:/etc/nginx/keys"
+    depends_on:
+      generate-cert:
+        condition: service_completed_successfully
+      keycloak:
+        condition: service_healthy
+  data-store:
+    image: "samply/blaze:0.26.2"
+    healthcheck:
+      test: ["CMD-SHELL", "curl --fail -s http://localhost:8080/health"]
+      interval: "5s"
+      timeout: "5s"
+      retries: "3"
+      start_period: "60s"
+    networks:
+      test-oauth:
+    environment:
+      BASE_URL: "https://data-store:8080"
+      JAVA_TOOL_OPTIONS: "-Xmx1g"
+      OPENID_PROVIDER_URL: "https://secure-keycloak:8443/realms/test"
+      OPENID_CLIENT_TRUST_STORE: "/trusts/trust-store.p12"
+      OPENID_CLIENT_TRUST_STORE_PASS: "insecure"
+      LOG_LEVEL: "debug"
+    ports:
+      - "8082:8080"
+    volumes:
+      - "data-store-data:/app/data"
+      - "trusts:/trusts"
+    depends_on:
+      generate-trust-store:
+        condition: service_completed_successfully
+      keycloak:
+        condition: service_healthy
+      proxy:
+        condition: service_healthy
+  flare:
+    image: "flare:latest"
+    healthcheck:
+      test: ["CMD-SHELL", "curl --fail -s http://localhost:8080/cache/stats"]
+      interval: "5s"
+      timeout: "5s"
+      retries: "3"
+      start_period: "60s"
+    networks:
+      test-oauth:
+    environment:
+      JAVA_TOOL_OPTIONS: "-Xmx1g"
+      FLARE_FHIR_SERVER: "https://secure-data-store:8443/fhir"
+      FLARE_FHIR_OAUTH_ISSUER_URI: "https://secure-keycloak:8443/realms/test"
+      FLARE_FHIR_OAUTH_CLIENT_ID: "account"
+      FLARE_FHIR_OAUTH_CLIENT_SECRET: "test"
+      LOG_LEVEL: "debug"
+    ports:
+      - "8080:8080"
+    volumes:
+      - "flare-cache:/app/cache"
+      - "../synthea-test-mapping:/app/ontology"
+      - "certs:/app/certs"
+    depends_on:
+      generate-cert:
+        condition: service_completed_successfully
+      data-store:
+        condition: service_healthy
+      proxy:
+        condition: service_healthy
+volumes:
+  data-store-data:
+  certs:
+  keys:
+  trusts:
+  flare-cache:
+networks:
+  test-oauth:

.github/integration-test/oauth/load-data.sh

@@ -0,0 +1,7 @@
+#!/bin/bash -e
+
+SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
+
+TOKEN="$(docker compose -f $SCRIPT_DIR/docker-compose.yml exec -it proxy curl -s --cacert /etc/nginx/certs/cert.pem -d 'client_id=account' -d 'client_secret=test' -d 'grant_type=client_credentials' 'https://secure-keycloak:8443/realms/test/protocol/openid-connect/token' | jq -r '.access_token')"
+
+blazectl --no-progress --token "$TOKEN" --server http://localhost:8082/fhir upload "$SCRIPT_DIR/../../test-data/synthea"

.github/integration-test/oauth/nginx.conf

@@ -0,0 +1,82 @@
+user  nginx;
+worker_processes  1;
+
+error_log  /dev/stdout debug;
+pid        /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    log_format main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+    access_log /dev/stdout main;
+    sendfile on;
+    keepalive_timeout 65;
+
+     # SSL-Certificate and private key
+    ssl_certificate /etc/nginx/certs/cert.pem;
+    ssl_certificate_key /etc/nginx/keys/key.pem;
+
+    # The supported SSL Protocols
+    ssl_protocols TLSv1.2 TLSv1.3;
+
+    # DNS resolver needed for Docker
+    resolver 127.0.0.11 valid=10s;
+
+    # NGINX can impose its TLS cipher suite choices over those of a connecting browser, provided the browser supports them.
+    ssl_prefer_server_ciphers on;
+
+    # The supported SSL Ciphers
+    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:RC4-SHA';
+
+    ssl_session_cache builtin:1000 shared:SSL:10m;
+
+    server {
+        listen 8080;
+        listen [::]:8080;
+        server_name localhost;
+
+        location / {
+            root /usr/share/nginx/html;
+            index index.html;
+        }
+    }
+
+    server {
+        listen 8443 ssl;
+        listen [::]:8443 ssl;
+        http2 on;
+        server_name secure-data-store;
+
+        location / {
+            set $upstream data-store:8080;
+            proxy_pass http://$upstream;
+            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Host  $http_host;
+            proxy_set_header X-Forwarded-Port  $server_port;
+            proxy_read_timeout 43200s;
+            client_max_body_size 100M;
+        }
+    }
+
+    server {
+        listen 8443 ssl;
+        listen [::]:8443 ssl;
+        server_name secure-keycloak;
+
+        location / {
+            set $upstream keycloak:8080;
+            proxy_pass http://$upstream;
+            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Host  $http_host;
+            proxy_set_header X-Forwarded-Port  $server_port;
+            proxy_read_timeout 43200s;
+        }
+    }
+}