0.9.2 - Security Release

General remarks:

• This is a drop-in replacement release for DSF version 0.9.1. With the 0.9.2 release, a security issue has been fixed. No configuration changes are required.
• To Update an existing 0.9.1 installation, please see the 0.9.1 -> 0.9.2 Upgrade Guide.
• For a fresh deployment please see the NUM‐CODEX DSF 0.9.2 Deployment and HiGHmed DSF 0.9.2 Deployment guides.

Fixes include:

• Do to a flaw in the Task authorization rule, users authenticated via a valid client certificate from trusted certificate authorities and a corresponding entry in the local DSF allow-list, were able to execute processes that should otherwise not be allowed via the ActivityDefinition authorization extension of the process.

Clients released in the binary assets:

• MPI client PDQ: dsf-mpi-client-pdq-0.9.2.zip
• openEHR client: dsf-openehr-client-impl-0.9.2.zip

Docker containers for this release can be access via the GitHub Docker registry - ghcr.io:

• bpe: ghcr.io/highmed/bpe:0.9.2
• fhir: ghcr.io/highmed/fhir:0.9.2
• fhir_proxy: ghcr.io/highmed/fhir_proxy:0.9.2

Issues closed:

• Unauthorized Process Execution for Authenticated Organizations #406

This release contains contributions from @schwzr, @wetret and @hhund.

How to check whether the vulnerability has been exploited at your site

The history of the task resources and the associated log files can be used to track whether the vulnerability has been exploited at your site and by whom. To do this, you can proceed as follows:

1. Query the history of all task resources: "/fhir/Task/_history?_count=1000&_page=1" (page=2, page=3, etc. until all pages have been viewed).
2. look for the word "draft" on each page
3. if the word "draft" is not found, you are not affected

Instead of steps 1-3, you can alternatively run the following command in the secrets folder of your DSF FHIR installation:

curl -v --cert client_certificate.pem --key client_certificate_private_key.pem --pass "$(< client_certificate_private_key.pem.password)" -H "Accept: application/fhir+json" https://DSF_FHIR_SERVER/fhir/Task/_history?_count=1000000 | grep -o draft

If you don't have a password set on the private key, you can omit --pass "$(< client_certificate_private_key.pem.password)".

If you get a "HTTP/1.1 200 OK" response and do not find any lines with the output "draft", then you are not affected.

4. if the word "draft" was found:
   4.1 Query the history of the task resource via "/fhir/Task//_history".
   4.2 Check if "Task.status=draft" changed to "Task.status=requested" and if "Task.requester.identifier", "Task.restriction.recipient.identifier", "Task.instantiatesUri" and the "Task.input" fields changed
   4.3 If you have found changes, you might be affected by the vulnerability

If you are affected by the gap, you can use the DSF FHIR audit log to trace which user made the update of the task resource from the status "draft" to the status "requested". To do this, follow these steps:

1. search for the ID and the update date in the task resource with status "requested" under "Task.id" or "Task.meta.lastUpdated".
2. in the folder "/opt/fhir/log" you should find the FHIR audit logs, open the file of the day with the update date
3. search for the ID of the task resource and take the organization name from the log entry
4. Contact us with the organization name so that we can take the next steps together.

0.9.1 - Maintenance Release

General remarks:

• This is a drop-in replacement release for DSF version 0.9.0. With the 0.9.1 release, a few minor bugs have been fixed and software libraries (dependencies) updated. No configuration changes are required.
• To Update an existing 0.9.0 installation, please see the 0.9.0 -> 0.9.1 Upgrade Guide.
• For a fresh deployment please see the NUM‐CODEX DSF 0.9.1 Deployment and HiGHmed DSF 0.9.1 Deployment guides.

Fixes include:

• BPE closed the websocket connection for QuestionnaireResponse resources, if a matching User Task was not present in the current process instance. Error during QuestionnaireResponse are now caught to ensure further QuestionnaireResponse resources can be processed without restarting the BPE. Fixed in #399
• Due to an changes in PostgreSQL behavior it was no longer possible to delete and recreate the database schema in automated build tests. The test infrastructure was adapted to fix this problem. Fixed in #401

Clients released in the binary assets:

• MPI client PDQ: dsf-mpi-client-pdq-0.9.1.zip
• openEHR client: dsf-openehr-client-impl-0.9.1.zip

Docker containers for this release can be access via the GitHub Docker registry - ghcr.io:

• bpe: ghcr.io/highmed/bpe:0.9.1
• fhir: ghcr.io/highmed/fhir:0.9.1
• fhir_proxy: ghcr.io/highmed/fhir_proxy:0.9.1

Issues closed:

• Don't close QuestionnaireResponse websocket connection on failed user task #394
• Fixed build (Fixed tests including postgres database) #400
• Update dependencies #402
• Updated FHIR proxy to close #396

This release contains contributions from @schwzr, @wetret and @hhund.

0.9.0 - User Tasks & New Process Plugin API

General remarks:

• Upgrading to version 0.9.0 is necessary to execute the data transfer process for the 7th MII Projectathon. Upgrading is also highly recommended as the new release updates several dependencies.
• See NUM-CODEX internal mail communication for upgrade deadlines, especially regarding expiring client certificates of the GTH in the test- and production environments.
• To Update an existing 0.7.0 installation, please see the 0.7.0 -> 0.8.0 Upgrade Guide.
• To Update an existing 0.8.0 installation, please see the 0.8.0 -> 0.9.0 Upgrade Guide.
• For a fresh deployment please see the NUM‐CODEX DSF 0.9.0 Deployment and HiGHmed DSF 0.9.0 Deployment guides.
• Due to a breaking internal API change the 0.9.0 release is not compatible with process plugins released for older versions of the DSF.

Features include:

• For a list of features implemented since the 0.7.0 release, see the 0.8.0 release notes.
• The UserTask implementation has been improved over the 0.7.0 release. QuestionnaireResponse resources can not be configured to be read by external authenticated organizations anymore. For additional Information regarding UserTask see the 0.8.0 release notes.
• New debug feature for process plugin developers: If enabled debug log message before and after every process step are generated, allowing for easy tracing of process executions. This feature should only be enabled for development.
• Checks for Java Code availability in process plugins during startup has been improved.
• A method to execute code after QuestionnaireResponse resources have been created in the DSF FHIR server by the DefaultUserTaskListener has been added. This for example enables process plugin developers to send mails with information that a QuestionnaireResponse has to be filled out, while the business process is waiting for the completion of the corresponding User Task.

Fixes include:

• DSF versions prior to 0.9.0 where not able to execute multiple instances of the same process in parallel.
• The history endpoint for Questionnaire and QuestionnaireResponse resources did not work in DSF version 0.8.0.

Clients released in the binary assets:

• MPI client PDQ: dsf-mpi-client-pdq-0.9.0.zip
• openEHR client: dsf-openehr-client-impl-0.9.0.zip

Docker containers for this release can be access via the GitHub Docker registry - ghcr.io:

• bpe: ghcr.io/highmed/bpe:0.9.0
• fhir: ghcr.io/highmed/fhir:0.9.0
• fhir_proxy: ghcr.io/highmed/fhir_proxy:0.9.0

Issues closed:

• Add Support For BPMN User Tasks #139
• Start New Development Cycle #382
• BPE Unable to Execute Multiple Instances of a Process in Parallel #384
• BPE Unable to Execute Listener #387

This release contains contributions from @wetret and @hhund.

Second Release Candidate for 0.9.0

General remarks:

• This is the second pre-release version (RC2) of 0.9.0, we recommend not to use this release in production. This release includes a breaking change to the API used by process plugins. As a result, process plugins written for DSF releases prior to version 0.9.0 are not compatible with this release.

Features include:

• For a list of features implemented since the 0.7.0 release, see the 0.8.0 release notes.
• New debug feature for process plugin developers: If enabled debug log message before and after every process step are generated, allowing for easy tracing of process executions. This feature should only be enabled for development.
• Checks for Java Code availability in process plugins during startup has been improved.
• A method to execute code after QuestionnaireResponse resource for User Tasks has been added to the default User Task Listener. This for example enables process plugin developers to send mails with information that a QuestionnaireResponse has to be filled out.

Fixes include:

• DSF versions prior to 0.9.0 where not able to execute multiple instances of the same process in parallel.

Clients released in the binary assets:

• MPI client PDQ: dsf-mpi-client-pdq-0.9.0-RC2.zip
• openEHR client: dsf-openehr-client-impl-0.9.0-RC2.zip

Docker containers for this release can be access via the GitHub Docker registry - ghcr.io:

• bpe: ghcr.io/highmed/bpe:0.9.0-RC2
• fhir: ghcr.io/highmed/fhir:0.9.0-RC2
• fhir_proxy: ghcr.io/highmed/fhir_proxy:0.9.0-RC2

Issues closed:

• BPE Unable to Execute Multiple Instances of a Process in Parallel #384
• Start New Development Cycle #382
• BPE Unable to Execute Listener #387

First Release Candidate for 0.9.0

General remarks:

• This is the first pre-release version (RC1) of 0.9.0, we recommend not to use this release in production. This release includes a breaking change to the API used by process plugins. As a result, process plugins written for DSF releases prior to version 0.9.0 are not compatible with this release.

Features include:

• For a list of features implemented since the 0.7.0 release, see the 0.8.0 release notes.

Fixes include:

• DSF versions prior to 0.9.0 where not able to execute multiple instances of the same process in parallel.

Clients released in the binary assets:

• MPI client PDQ: dsf-mpi-client-pdq-0.9.0-RC1.zip
• openEHR client: dsf-openehr-client-impl-0.9.0-RC1.zip

Docker containers for this release can be access via the GitHub Docker registry - ghcr.io:

• bpe: ghcr.io/highmed/bpe:0.9.0-RC1
• fhir: ghcr.io/highmed/fhir:0.9.0-RC1
• fhir_proxy: ghcr.io/highmed/fhir_proxy:0.9.0-RC1

Issues closed:

• BPE Unable to Execute Multiple Instances of a Process in Parallel #384
• Start New Development Cycle #382

0.8.0 - User Tasks

This release has a known bug (#384) and will be replaced with Version 0.9.0 in the coming days.

General remarks:

• Upgrading to version 0.8.0 is necessary to execute the data transfer process for the 7th MII Projectathon. Upgrading is also highly recommended as the new release updates several dependencies.
• See NUM-CODEX internal mail communication for upgrade deadlines.
• To Update an existing 0.7.0 installation, please see the Upgrade Guide.
• For a fresh deployment please see the NUM‐CODEX DSF 0.8.0 Deployment and HiGHmed DSF 0.8.0 Deployment guides.
• The 0.8.0 release is not compatible with the following outdated process plugins:
  • dsf-bpe-process-feasibility v0.5.0
  • dsf-bpe-process-local-services v0.5.0

Features include:

• User Tasks are now supported in BPMN processes. Questionnaire and QuestionnaireResponse FHIR resources are used to allow users to answer questions relevant for a process execution in case of a BPMN User Task. As soon as a process enters a User Task a QuestionnaireResponse resource is created on the local DSF FHIR server, based on a specified Questionnaire resource from the process plugin. The process continues if this QuestionnaireResponse resource has been filled out and the status of the resource changed from in-progress to completed.
• The DSF FHIR server can display QuestionnaireResponse as a HTML form to be filled out by users. This allows the use of User Tasks within process plugins without the need for external tools.
• A FHIR Subscription with a websocket connection is used to synchronize updates to QuestionnaireResponse resources from the DSF FHIR server to the DSF BPE server similar to Task resources.
• The last_event/time.file mechanism has been removed. Information on the last Task (and now also QuestionnaireResponse) resource handled by the DSF BPE server is now stored in the database of the DSF BPE server.
• An SMTP mail client has been added to the DSF BPE server. This mail client / service can be configured to send auto generated e-mails from processes as well as messages with log entries triggered by error log events. For example in case of unknown software exceptions.

Fixes include:

• An issues with displaying specific StructureDefinition resources as HTML has been fixed in the DSF FHIR server, for details see #363.

Clients released in the binary assets:

• MPI client PDQ: dsf-mpi-client-pdq-0.8.0.zip
• openEHR client: dsf-openehr-client-impl-0.8.0.zip

Docker containers for this release can be access via the GitHub Docker registry - ghcr.io:

• bpe: ghcr.io/highmed/bpe:0.8.0
• fhir: ghcr.io/highmed/fhir:0.8.0
• fhir_proxy: ghcr.io/highmed/fhir_proxy:0.8.0

Issues closed:

• Upgrade Dependencies #375
• Add an eMail Notification Service #370
• ValidationSupportWithCustomResources Should Support Versions #367
• Move the last_event/time.file Inside the BPE Database #364
• Cannot get StructureDefinitions as HTML if the current ping process is deployed #363
• Add Support For BPMN User Tasks #139

This release contains contributions from @wetret and @hhund. Special thanks to @schwzr for helping to test this release.

First Release Candidate for 0.8.0

General remarks:

• This is the first pre-release version (RC1) of 0.8.0, we recommend not to use this release in production. Especially since upgrading from 0.8.0-RC1 to the final 0.8.0 release may not be possible.

Features include:

• User Tasks are now supported in BPMN processes based on Questionnaire and QuestionnaireResponse FHIR resources. Processes with User Tasks will automatically create a QuestionnaireResponse resource, based on a specified Questionnaire resource provided by the process plugin, as soon as a process enters a User Task. The process continues if the corresponding QuestionnaireResponse resource has been filled out and the status changes from in-progress to completed.
• The DSF FHIR server can display QuestionnaireResponse as HTML form to be filled out by users. This allows the uses of User Tasks within process plugins without the need for external tools.
• A FHIR Subscription with a websocket connection is used to synchronize updates to QuestionnaireResponse resources from the DSF FHIR server to the DSF BPE server similar to Task resources.
• The last_event/time.file has been removed. Information on the last Task (and now also QuestionnaireResponse) resource handled by the DSF BPE server is now stored in the database of the DSF BPE server.
• A SMTP mail client has been added the DSF BPE server. This mail client can be configured to receive generated e-mail from processes as well as automatic messages for logged errors.

Fixes include:

• An issues with displaying specific StructureDefinition resources as HTML has been fixed in the DSF FHIR server, See #363.

Clients released in the binary assets:

• MPI client PDQ: dsf-mpi-client-pdq-0.8.0-RC1.zip
• openEHR client: dsf-openehr-client-impl-0.8.0-RC1.zip

Docker containers for this release can be access via the GitHub Docker registry - ghcr.io:

• bpe: ghcr.io/highmed/bpe:0.8.0-RC1
• fhir: ghcr.io/highmed/fhir:0.8.0-RC1
• fhir_proxy: ghcr.io/highmed/fhir_proxy:0.8.0-RC1

Issues closed:

• Upgrade Dependencies #375
• Add an eMail Notification Service #370
• ValidationSupportWithCustomResources Should Support Versions #367
• Move the last_event/time.file Inside the BPE Database #364
• Cannot get StructureDefinitions as HTML if the current ping process is deployed #363
• Add Support For BPMN User Tasks #139

This release contains contributions from @wetret and @hhund.

0.7.0 - FHIR Validation Support for Process Plugins

General remarks:

• Upgrading to version 0.7.0 is necessary to execute the 0.5.0 NUM-CODEX data transfer process plugin with included FHIR validation. Upgrading is also highly recommended as the new release updates several dependencies.
• To Update an existing 0.6.0 installation, please see the Upgrade Guide.
• For a fresh deployment please see the NUM‐CODEX DSF 0.7.0 Deployment and HiGHmed DSF 0.7.0 Deployment guides.
• The 0.7.0 release is not compatible with the following outdated process plugins:
  • dsf-bpe-process-feasibility v0.5.0
  • dsf-bpe-process-local-services v0.5.0

Features include:

• Added java dependencies to the dsf-bpe-process-base module, making implementation of FHIR validation within process plugins easier.
• Improved extensibility of the StructureDefinition snapshot generator classes.
• New mechanism to correlate process instances with an alternative business-key. The new method createAndSaveAlternativeBusinessKey() in AbstractTaskMessageSend enables processes to create an alternative business key before sending a task to a target. A returned task from the target with the alternative business key is correlated to the original process instance.
• Improved logging of webservice end websocket client configurations during startup. New config option to enable verbose request/response logging for the webservice clients.
• Checking of literal external references in Task.input parameters is now skipped during updates of Task resources with new status failed or completed. Since modification of input parameters is not allowed after a Task resource is in status requested, checking for referential integrity of literal external references in Task.input parameters is not needed. This mechanism allows process plugins to implement permanent delete operations in local processes at an appropriate time after a remote process has been started or continued (referencing the local resource to be deleted) and before that remote process completes.

Fixes include:

• A few minor issue within the DSF FHIR Server UI have been fixed.

Clients released in the binary assets:

• MPI client PDQ: dsf-mpi-client-pdq-0.7.0.zip
• openEHR client: dsf-openehr-client-impl-0.7.0.zip

Docker containers for this release can be access via the GitHub Docker registry - ghcr.io:

• bpe: ghcr.io/highmed/bpe:0.7.0
• fhir: ghcr.io/highmed/fhir:0.7.0
• fhir_proxy: ghcr.io/highmed/fhir_proxy:0.7.0

Issues closed:

• Disable Reference Checks for External References in task.input if Task Update In-Progress to Completed or to Failed #357
• Improve Logging #353
• Start New Development Cycle #351
• The BPE Should Support Alternative Business Keys #350
• Add Java Dependencies for Implementing FHIR Validation to dsf-bpe-process-base #349

This release contains contributions from @wetret and @hhund. Special thanks to @FloSeidel for helping to test this release.

First Release Candidate for 0.7.0

General remarks:

• This is the first pre-release version (RC1) of 0.7.0, we recommend not to use it in production. Especially since upgrading from 0.7.0-RC1 to the final 0.7.0 release may not be possible.

Features include:

• Added java dependencies to the dsf-bpe-process-base module, making implementation of FHIR validation within process plugins easier.
• Improved extensibility of the StructureDefinition snapshot generator classes.
• New mechanism to correlate process instances with an alternative business-key. The new method createAndSaveAlternativeBusinessKey() in AbstractTaskMessageSend enables processes to create an alternative business key before sending a task to a target. A returned task from the target with the alternative business key is correlated to the original process instance.
• Improved logging of webservice end websocket client configurations during startup. New config option to enable verbose request/response logging for the webservice clients.
• New a rule for skipping checks of literal external references in Task.input during updates of Task resources with new status failed or completed. Since modification of input parameters is not allowed after a Task resource is in status requested, checking for referential integrity of literal external references in Task.input parameters is not needed. This mechanism allows process plugins to implement permanent delete operations at an appropriate time after a remote process has been started or continued (referencing a local resource) and before that remote process completes.

Fixes include:

• A few minor issue within the DSF FHIR Server UI have been fixed.

Clients released in the binary assets:

• MPI client PDQ: dsf-mpi-client-pdq-0.7.0-RC1.zip
• openEHR client: dsf-openehr-client-impl-0.7.0-RC1.zip

Docker containers for this release can be access via the GitHub Docker registry - ghcr.io:

• bpe: ghcr.io/highmed/bpe:0.7.0-RC1
• fhir: ghcr.io/highmed/fhir:0.7.0-RC1
• fhir_proxy: ghcr.io/highmed/fhir_proxy:0.7.0-RC1

Issues closed:

• Disable Reference Checks for External References in task.input if Task Update In-Progress to Completed or to Failed #357
• Improve Logging #353
• Start New Development Cycle #351
• The BPE Should Support Alternative Business Keys #350
• Add Java Dependencies for Implementing FHIR Validation to dsf-bpe-process-base #349

0.6.0 - Improved Usability

General remarks:

• Updating to version 0.6.0 is highly recommended as it updates several dependencies.
• To Update an existing 0.5.5 install, please see the Wiki Upgrade Guide.
• Starting from version 0.6.0 the bpe_proxy docker image will no longer be provided. The bpe_proxy image was never used in standard deployments.
• The 0.6.0 release is not compatible with the following process plugins:
  • dsf-bpe-process-feasibility v0.5.0
  • dsf-bpe-process-local-services v0.5.0

Features include:

• Property placeholder substitution using #{date} and #{version} can now be used in FHIR and BPMN files of process plugins. The old style ${version} should no longer be used in FHIR files and cannot be used in BPMN files. #248
• Markdown documentation of properties can be generated using a specific annotation during Maven builds #253 #307
• The MPI client has improved log messages and properties have default values where possible #260
• Process plugins are informed about their current deployment state on the BPE, this feature can be used to implement startup logic that depends on the process being active and not excluded #261
• Adds Consent and Pseudonymisation clients as well as improves the MPI and openEHR clients as preparations for the HiGHmed Data Sharing process #274
• Health-check http endpoints allow to check the current health state of the FHIR and BPE containers #282
• Because the organization type information moved to organization affiliation role, the system of the corresponding CodeSystem/ValueSet has changed as well from organization-type to organization-role. Process plugin developers are encouraged to use values from the new CodeSystem http://highmed.org/fhir/CodeSystem/organization-role when defining roles of organizations in the plugins ActivityDefinitions #284
• A mechanism to change FHIR resources on server startup in order to manage profile changes has been added #288
• Support for the DocumentReference resource was added to the FHIR server #310
• The connect and read timeouts of the Apache reverse proxy can now be configured using the environment variables PROXY_PASS_CONNECTION_TIMEOUT_HTTP, PROXY_PASS_CONNECTION_TIMEOUT_WS, PROXY_PASS_TIMEOUT_HTTP and PROXY_PASS_TIMEOUT_WS, additional Info can be found in the reverse proxy config parameters list #313
• All upgradable Java dependencies where increased to the newest applicable versions #317
• A few functions have been added to the HTML output of the DSF FHIR server: The currently displayed FHIR resource (aka the URL) can be saved as a bookmark in the browsers local storage, supported search query parameters can be overlaid for the currently displayed URL and the current resource can be downloaded as XML or JSON depending on the XML/JSON tab being displayed #331
• Auto detection of creators, fields and setters was disabled for the default JSON object mapper used by BPE variables. Auto detection of getters and is-getters will be disabled with a future release. Elements need to be explicitly annotated with @JsonCreator and @JsonProperty. For testing serialization of BPE variables, process plugins can use the new org.highmed.dsf.fhir.json.ObjectMapperFactory to get a ObjectMapper that is configured equally to the one used within the DSF BPE #339

Fixes include:

• While using the webfrontend of the FHIR Server refreshing the page (F5 / CTRL+R) will consistently send updates on resources if they changed #206
• A failed message send end event results in a failed Task resource and therefore in a failed process #273
• The order of the DateTime query parameter is now irrelevant, gt does not need to be before lt anymore #295
• Searches for profiles with a version are now supported and do not result in an empty response anymore #305
• Missing, empty and wildcard / Accept Header will return fhir+xml #312
• Java dependencies have been updated to the latest releases where possible #317
• The OperationOutcome after create and update now includes the external URL of the FHIR server and not the internally used IP address #328
• Process plugins are now allowed to fail during startup without crashing the BPE, warnings are generated for process plugins that failed to initialize and will not be available for execution #335

Clients released in the binary assets:

• MPI client PDQ: dsf-mpi-client-pdq-0.6.0.zip
• openEHR client: dsf-openehr-client-impl-0.6.0.zip

Docker containers for this release can be access via the GitHub Docker registry - ghcr.io:

• bpe: ghcr.io/highmed/bpe:0.6.0
• fhir: ghcr.io/highmed/fhir:0.6.0
• fhir_proxy: ghcr.io/highmed/fhir_proxy:0.6.0

Issues closed:

• Refreshing the page does not refresh the resource information #206
• Add property placeholder substitution mechanism to BPMN files #248
• Add annotations to properties for generating documentation #253
• Improve MPI client error handling, log messages and parameters #260
• Add mechanism to communicate process deployment state back to process plugin #261
• A failed message send event should result in a failed process #273
• Preparations for HiGHmed data sharing process #274
• Start new development cycle #276
• Add self-check URL endpoints #282
• Change CodeSystem/ValueSet organization-type to organization-role #284
• Add a migrator for existing FHIR ressources #288
• Order of DateTime query-parameters should be irrelevant #295
• _profile search parameter does not work with versioned profiles #305
• Create process configuration generator for properties #307
• Implement DocumentReference resource #310
• NullPointerExceptiont if no Accept-Header send #312
• Add config option for Apache reverse proxy read timeout #313
• Upgrade bcprov-jdk15on test dependency #317
• Bad URL in OperationOutcome after create and update #328
• Add bookmarking function to HTML output #331
• A Failed Process Plugin Crashes the BPE During Startup #335
• Add New Environment Variables of fhir_proxy to Readme File #337
• Jackson deserialization fails if setter/getter is a computed value and not present as field #339