Merge pull request #846 from medizininformatik-initiative/release/v8.4.0

Release v8.4.0

Author: michael-82

.github/workflows/ci.yml

@@ -164,7 +164,7 @@ jobs:
     needs: tests
     runs-on: ubuntu-latest
     env:
-      ONTOLOGY_GIT_TAG: v3.9.5
+      ONTOLOGY_GIT_TAG: v3.9.6
       ELASTIC_HOST: http://localhost:9200
       ELASTIC_FILEPATH: https://github.com/medizininformatik-initiative/fhir-ontology-generator/releases/download/TAGPLACEHOLDER/
       ELASTIC_FILENAME: elastic.zip

CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 
+## [8.4.0] - 2026-02-10
+
+- Based on ontology **[v3.9.6](https://github.com/medizininformatik-initiative/fhir-ontology-generator/releases/tag/v3.9.6)**
+
+### Changed
+- Update ontology to [v3.9.6](https://github.com/medizininformatik-initiative/fhir-ontology-generator/releases/tag/v3.9.6) ([#844](https://github.com/medizininformatik-initiative/dataportal-backend/issues/844))
+### Fixed
+- Check children fields when validating CRTDL and checking attributeRefs ([#842](https://github.com/medizininformatik-initiative/dataportal-backend/issues/842))
+- DSF Client Key PW may be null ([#776](https://github.com/medizininformatik-initiative/dataportal-backend/issues/776))
+### Security
+- update dependencies
+
 ## [8.3.0] - 2026-02-06
 
 - Based on ontology **[v3.9.5](https://github.com/medizininformatik-initiative/fhir-ontology-generator/releases/tag/v3.9.5)**

Dockerfile

@@ -1,4 +1,4 @@
-FROM eclipse-temurin:25.0.1_8-jre-alpine@sha256:9c65fe190cb22ba92f50b8d29a749d0f1cfb2437e09fe5fbf9ff927c45fc6e99
+FROM eclipse-temurin:25.0.2_10-jre-alpine@sha256:f10d6259d0798c1e12179b6bf3b63cea0d6843f7b09c9f9c9c422c50e44379ec
 
 WORKDIR /opt/dataportal-backend
 

docker-compose.yml

@@ -140,13 +140,11 @@ services:
     environment:
       ES_HOST: http://dataportal-elastic
       ES_PORT: 9200
-      ONTO_GIT_TAG: v3.9.5
+      ONTO_GIT_TAG: v3.9.6
       ONTO_REPO: https://github.com/medizininformatik-initiative/fhir-ontology-generator/releases/download
       DOWNLOAD_FILENAME: elastic.zip
       EXIT_ON_EXISTING_INDICES: false
 
 volumes:
   dataportal-postgres-data:
-    name: "dataportal-postgres-data"
-  dataportal-elastic-data:
-    name: "dataportal-elastic-data"
+  dataportal-elastic-data:

pom.xml

@@ -12,7 +12,7 @@
 
   <groupId>de.medizininformatik-initiative</groupId>
   <artifactId>DataportalBackend</artifactId>
-  <version>8.3.0</version>
+  <version>8.4.0</version>
 
   <name>Dataportal Backend</name>
   <description>Backend of the Dataportal</description>
@@ -27,7 +27,7 @@
     <java.version>17</java.version>
     <mockwebserver.version>5.3.2</mockwebserver.version>
     <okhttp3.version>4.10.0</okhttp3.version>
-    <ontology-tag>v3.9.5</ontology-tag>
+    <ontology-tag>v3.9.6</ontology-tag>
   </properties>
 
   <dependencies>
@@ -103,7 +103,7 @@
     <dependency>
       <groupId>com.nimbusds</groupId>
       <artifactId>oauth2-oidc-sdk</artifactId>
-      <version>11.31.1</version>
+      <version>11.33</version>
     </dependency>
 
     <dependency>

src/main/java/de/medizininformatikinitiative/dataportal/backend/config/AsyncConfig.java

@@ -0,0 +1,9 @@
+package de.medizininformatikinitiative.dataportal.backend.config;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.scheduling.annotation.EnableAsync;
+
+@Configuration
+@EnableAsync
+public class AsyncConfig {
+}

src/main/java/de/medizininformatikinitiative/dataportal/backend/query/api/validation/DataExtractionValidator.java

@@ -4,6 +4,7 @@
 import de.medizininformatikinitiative.dataportal.backend.common.api.TermCode;
 import de.medizininformatikinitiative.dataportal.backend.dse.DseService;
 import de.medizininformatikinitiative.dataportal.backend.dse.api.DseProfile;
+import de.medizininformatikinitiative.dataportal.backend.dse.api.Field;
 import de.medizininformatikinitiative.dataportal.backend.query.api.Attribute;
 import de.medizininformatikinitiative.dataportal.backend.query.api.AttributeGroup;
 import de.medizininformatikinitiative.dataportal.backend.query.api.DataExtraction;
@@ -62,6 +63,20 @@ public boolean isValid(DataExtraction dataExtraction,
     return !containsInvalidEntries(ctx, dataExtraction);
   }
 
+  private boolean fieldOrChildrenMatch(Field field, String attributeRef) {
+
+    if (field.id().equalsIgnoreCase(attributeRef)) {
+      return true;
+    }
+
+    if (field.children() != null && !field.children().isEmpty()) {
+      return field.children().stream()
+              .anyMatch(child -> fieldOrChildrenMatch(child, attributeRef));
+    }
+
+    return false;
+  }
+
   private boolean containsInvalidEntries(ConstraintValidatorContext ctx, DataExtraction dataExtraction) {
     if (dataExtraction == null || dataExtraction.attributeGroups() == null || dataExtraction.attributeGroups().isEmpty()) return false;
     var hasErrors = false;
@@ -109,8 +124,9 @@ private boolean attributesContainErrors(ConstraintValidatorContext ctx,
       var attribute = attributeGroup.attributes().get(i);
 
       if (dseProfile != null) {
-        // ensure linkedGroup exists for each attribute of type "reference" in dse profile
+
         if (dseProfile.references().stream().anyMatch(ref -> ref.id().equalsIgnoreCase(attribute.attributeRef()))) {
+          // ensure linkedGroup exists for each attribute of type "reference" in dse profile
           if (attribute.linkedGroups() == null || attribute.linkedGroups().isEmpty()) {
             ValidationErrorBuilder.addError(
                 ctx,
@@ -119,7 +135,7 @@ private boolean attributesContainErrors(ConstraintValidatorContext ctx,
             );
             hasErrors = true;
           }
-        } else if (dseProfile.fields().stream().noneMatch(field -> field.id().equalsIgnoreCase(attribute.attributeRef()))) {
+        } else if (dseProfile.fields().stream().noneMatch(field -> fieldOrChildrenMatch(field, attribute.attributeRef()))) {
           // attributes of DSE features (attributeGroups) (fields) not in ontology profile for feature
           ValidationErrorBuilder.addError(
               ctx,

src/main/java/de/medizininformatikinitiative/dataportal/backend/query/broker/dsf/DSFFhirSecurityContextProvider.java

@@ -3,27 +3,30 @@
 import de.rwh.utils.crypto.CertificateHelper;
 import de.rwh.utils.crypto.io.CertificateReader;
 import de.rwh.utils.crypto.io.PemIo;
+import org.apache.commons.text.RandomStringGenerator;
 
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.security.cert.Certificate;
 
+import static com.google.common.base.Strings.isNullOrEmpty;
+
 /**
  * An entity that can provide a security context for communicating with a FHIR server.
  */
 public class DSFFhirSecurityContextProvider implements FhirSecurityContextProvider {
 
   private final String clientKeyFile;
-  private final char[] clientKeyPassword;
+  private final String clientKeyPassword;
   private final String trustCertificateFile;
   private String clientCertificateFile;
 
-  public DSFFhirSecurityContextProvider(String clientCertificateFile, String clientKeyFile, char[] clientKeyPassword,
+  public DSFFhirSecurityContextProvider(String clientCertificateFile, String clientKeyFile, String keyStorePassword,
                                         String trustCertificateFile) {
     this.clientCertificateFile = clientCertificateFile;
     this.clientKeyFile = clientKeyFile;
-    this.clientKeyPassword = clientKeyPassword;
+    this.clientKeyPassword = keyStorePassword;
     this.trustCertificateFile = trustCertificateFile;
   }
 
@@ -38,18 +41,20 @@ public FhirSecurityContext provideSecurityContext() throws FhirSecurityContextPr
       if (!Files.isReadable(localClientKeyFile)) {
         throw new IOException("Client key file '" + localClientKeyFile + "' not readable");
       }
+      var password = RandomStringGenerator.builder().withinRange(33, 126).get().generate(16).toCharArray();
       var localKeyStore = CertificateHelper.toJksKeyStore(
-          PemIo.readPrivateKeyFromPem(localClientKeyFile, clientKeyPassword),
+          isNullOrEmpty(clientKeyPassword) ? PemIo.readPrivateKeyFromPem(localClientKeyFile)
+              : PemIo.readPrivateKeyFromPem(localClientKeyFile, clientKeyPassword.toCharArray()),
           new Certificate[]{PemIo.readX509CertificateFromPem(localClientCertificateFile)},
-          "backend-cert", clientKeyPassword);
+          "backend-cert", password);
       var localTrustCertificateFile = Paths.get(trustCertificateFile);
       if (!Files.isReadable(localTrustCertificateFile)) {
         throw new IOException("Certificate file '" + trustCertificateFile + "' not readable");
       }
       var localTrustStore = CertificateReader.allFromCer(localTrustCertificateFile);
 
 
-      return new FhirSecurityContext(localKeyStore, localTrustStore, clientKeyPassword);
+      return new FhirSecurityContext(localKeyStore, localTrustStore, password);
     } catch (Exception e) {
       throw new FhirSecurityContextProvisionException(e);
     }

src/main/java/de/medizininformatikinitiative/dataportal/backend/query/broker/dsf/DSFSpringConfig.java

@@ -23,8 +23,8 @@ public class DSFSpringConfig {
   @Value("${app.broker.dsf.security.client.key.file}")
   private String clientKeyFile;
 
-  @Value("${app.broker.dsf.security.client.key.password}")
-  private char[] keyStorePassword;
+  @Value("${app.broker.dsf.security.client.key.password:#{null}}")
+  private String keyStorePassword;
 
   @Value("${app.broker.dsf.security.certificate}")
   private String certificateFile;

src/test/java/de/medizininformatikinitiative/dataportal/backend/query/broker/dsf/DSFFhirSecurityContextProviderTest.java

@@ -13,7 +13,7 @@
 
 public class DSFFhirSecurityContextProviderTest {
 
-  private static final char[] PASSWORD = "password".toCharArray();
+  private static final String PASSWORD = "password";
   static private CertificateFactory cf;
 
   @BeforeAll
@@ -23,10 +23,10 @@ static void setup() throws Exception {
 
   @Test
   void trustStoreContainsCertificateFromPEM() throws Exception {
-    DSFFhirSecurityContextProvider securityContextProvider = new DSFFhirSecurityContextProvider(
+    var securityContextProvider = new DSFFhirSecurityContextProvider(
         getFilePath("client.crt"), getFilePath("client.key"), PASSWORD, getFilePath("foo.pem"));
 
-    FhirSecurityContext securityContext = securityContextProvider.provideSecurityContext();
+    var securityContext = securityContextProvider.provideSecurityContext();
 
     assertThat(getCertificateAlias(securityContext, "foo.pem")).isNotBlank();
   }
@@ -44,10 +44,10 @@ void trustStoreContainsMultipleCertificatesFromPEM() throws Exception {
 
   @Test
   void keyStoreContainsClientCertificateAndKey() throws Exception {
-    DSFFhirSecurityContextProvider securityContextProvider = new DSFFhirSecurityContextProvider(
+    var securityContextProvider = new DSFFhirSecurityContextProvider(
         getFilePath("client.crt"), getFilePath("client.key"), PASSWORD, getFilePath("multiple.pem"));
 
-    FhirSecurityContext securityContext = securityContextProvider.provideSecurityContext();
+    var securityContext = securityContextProvider.provideSecurityContext();
 
     var alias = assertThat(Collections.list(securityContext.getKeyStore().aliases()))
         .hasSize(1)
@@ -58,7 +58,7 @@ void keyStoreContainsClientCertificateAndKey() throws Exception {
 
   @Test
   void failsOnMissingClientCertificate() throws Exception {
-    DSFFhirSecurityContextProvider securityContextProvider = new DSFFhirSecurityContextProvider(
+    var securityContextProvider = new DSFFhirSecurityContextProvider(
         "nonexisting.crt", getFilePath("client.key"), PASSWORD, getFilePath("foo.pem"));
 
     assertThatThrownBy(() -> securityContextProvider.provideSecurityContext()).cause()
@@ -67,7 +67,7 @@ void failsOnMissingClientCertificate() throws Exception {
 
   @Test
   void failsOnMissingClientKey() throws Exception {
-    DSFFhirSecurityContextProvider securityContextProvider = new DSFFhirSecurityContextProvider(
+    var securityContextProvider = new DSFFhirSecurityContextProvider(
         getFilePath("client.crt"), "nonexisting.key", PASSWORD, getFilePath("foo.pem"));
 
     assertThatThrownBy(() -> securityContextProvider.provideSecurityContext()).cause()
@@ -76,7 +76,7 @@ void failsOnMissingClientKey() throws Exception {
 
   @Test
   void failsOnMissingCaCertificate() throws Exception {
-    DSFFhirSecurityContextProvider securityContextProvider = new DSFFhirSecurityContextProvider(
+    var securityContextProvider = new DSFFhirSecurityContextProvider(
         getFilePath("client.crt"), getFilePath("client.key"), PASSWORD, "nonexisting.pem");
 
     assertThatThrownBy(() -> securityContextProvider.provideSecurityContext()).cause()
@@ -85,14 +85,47 @@ void failsOnMissingCaCertificate() throws Exception {
 
   @Test
   void failsOnWrongClientKeyPassword() throws Exception {
-    DSFFhirSecurityContextProvider securityContextProvider = new DSFFhirSecurityContextProvider(
-        getFilePath("client.crt"), getFilePath("client.key"), "WrongPassword".toCharArray(),
+    var securityContextProvider = new DSFFhirSecurityContextProvider(
+        getFilePath("client.crt"), getFilePath("client.key"), "WrongPassword",
         getFilePath("foo.pem"));
 
     assertThatThrownBy(() -> securityContextProvider.provideSecurityContext()).cause()
         .hasMessageContaining("unable to read encrypted data");
   }
 
+  @Test
+  void unencryptedClientKeyWithEmptyPassword() throws Exception {
+    var securityContextProvider = new DSFFhirSecurityContextProvider(
+        getFilePath("client.crt"), getFilePath("unencryptedClient.key"), "",
+        getFilePath("foo.pem"));
+
+    var securityContext = securityContextProvider.provideSecurityContext();
+
+    assertThat(getCertificateAlias(securityContext, "foo.pem")).isNotBlank();
+  }
+
+  @Test
+  void unencryptedClientKeyWithNullPassword() throws Exception {
+    var securityContextProvider = new DSFFhirSecurityContextProvider(
+        getFilePath("client.crt"), getFilePath("unencryptedClient.key"), null,
+        getFilePath("foo.pem"));
+
+    var securityContext = securityContextProvider.provideSecurityContext();
+
+    assertThat(getCertificateAlias(securityContext, "foo.pem")).isNotBlank();
+  }
+
+  @Test
+  void unencryptedClientKeyWithPassword() throws Exception {
+    var securityContextProvider = new DSFFhirSecurityContextProvider(
+        getFilePath("client.crt"), getFilePath("unencryptedClient.key"), "foobar",
+        getFilePath("foo.pem"));
+
+    var securityContext = securityContextProvider.provideSecurityContext();
+
+    assertThat(getCertificateAlias(securityContext, "foo.pem")).isNotBlank();
+  }
+
   private String getCertificateAlias(FhirSecurityContext securityContext, String fileName) throws Exception {
     InputStream resource = DSFFhirSecurityContextProviderTest.class.getResourceAsStream(fileName);
     Certificate cert = cf.generateCertificate(resource);