968: add Validation Support for Resources

968: extract validator to own module

968: use validator in rest-api and admin-api

968: remove double checking of profiles from db

968: add validation feature toggle

968: fix paranthesis

968: transform db profile to input stream instead of string

968: add system tests for validator feature toggle

968: add validation for Bundle requests

968: add integration tests

968: rename enable validation env var, docs

Author: Tobias Machein

.github/scripts/validation-patient.sh

@@ -0,0 +1,150 @@
+#!/bin/bash -e
+
+SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
+. "$SCRIPT_DIR/util.sh"
+
+patient-valid-no-profile() {
+cat <<END
+{
+  "resourceType": "Patient"
+}
+END
+}
+
+patient-invalid-with-profile() {
+cat <<END
+{
+  "resourceType": "Patient",
+  "meta": {
+    "profile": "http://example.org/url-114730"
+  }
+}
+END
+}
+
+patient-valid-with-profile() {
+cat <<END
+{
+  "resourceType": "Patient",
+  "active": true,
+  "meta": {
+    "profile": "http://example.org/url-114730"
+  }
+}
+END
+}
+
+patient-valid-with-profile-as-bundle() {
+cat <<END
+{
+  "resourceType": "Patient",
+  "active": true,
+  "meta": {
+    "profile": "http://example.org/url-114730"
+  }
+}
+END
+}
+
+bundle-valid-patient-with-profile() {
+cat <<END
+{ 
+  "resourceType": "Bundle",
+  "type": "transaction",
+  "entry": [
+    {
+      "resource": $(patient-valid-with-profile),
+      "request": {
+        "method": "POST",
+        "url": "/Patient"
+      }
+    }
+  ]
+}
+END
+}
+
+structure-definition-patient() {
+cat <<END
+{
+    "resourceType": "StructureDefinition",
+    "name": "Patient-profile-1",
+    "status": "active",
+    "kind": "resource",
+    "abstract": false,
+    "url": "http://example.org/url-114730",
+    "type": "Patient",
+    "baseDefinition": "http://hl7.org/fhir/StructureDefinition/Patient",
+    "derivation": "constraint",
+    "differential": {
+        "element": [
+            {
+                "id": "patient-active-rule",
+                "path": "Patient.active",
+                "mustSupport": true,
+                "min": 1
+            }
+        ]
+    }
+}
+END
+}
+
+BASE="http://localhost:8080/fhir"
+
+echo "1: testing before Patient profile created"
+
+echo "testing valid patient without profile"
+RESULT_NO_PROFILE=$(patient-valid-no-profile | curl -s -H 'Accept: application/fhir+json' -H "Content-Type: application/fhir+json" -d @- "$BASE/Patient")
+test "resource type" "$(echo "$RESULT_NO_PROFILE" | jq -r .resourceType)" "Patient"
+
+echo "testing invalid patient with profile"
+RESULT_INVALID_WITH_PROFILE=$(patient-invalid-with-profile | curl -s -H 'Accept: application/fhir+json' -H "Content-Type: application/fhir+json" -d @- "$BASE/Patient")
+test "resource type" "$(echo "$RESULT_INVALID_WITH_PROFILE" | jq -r .resourceType)" "OperationOutcome"
+test "issue diagnostics" "$(echo "$RESULT_INVALID_WITH_PROFILE" | jq -r .issue[0].diagnostics)" "Profile reference 'http://example.org/url-114730' has not been checked because it could not be found"
+
+echo "testing valid patient with profile"
+RESULT_VALID_WITH_PROFILE=$(patient-valid-with-profile | curl -s -H 'Accept: application/fhir+json' -H "Content-Type: application/fhir+json" -d @- "$BASE/Patient")
+test "resource type" "$(echo "$RESULT_VALID_WITH_PROFILE" | jq -r .resourceType)" "OperationOutcome"
+test "issue diagnostics" "$(echo "$RESULT_VALID_WITH_PROFILE" | jq -r .issue[0].diagnostics)" "Profile reference 'http://example.org/url-114730' has not been checked because it could not be found"
+
+echo "testing valid patient with profile as bundle"
+RESULT_BUNDLE_VALID_WITH_PROFILE=$(bundle-valid-patient-with-profile | curl -s -H 'Accept: application/fhir+json' -H "Content-Type: application/fhir+json" -d @- "$BASE")
+test "resource type" "$(echo "$RESULT_VALID_WITH_PROFILE" | jq -r .resourceType)" "OperationOutcome"
+test "issue diagnostics" "$(echo "$RESULT_VALID_WITH_PROFILE" | jq -r .issue[0].diagnostics)" "Profile reference 'http://example.org/url-114730' has not been checked because it could not be found"
+
+echo "2: creating the patient profile"
+RESULT_STRUCTURE_DEFINITION=$(structure-definition-patient | curl -s -H 'Accept: application/fhir+json' -H "Content-Type: application/fhir+json" -d @- "$BASE/StructureDefinition")
+test "resource type" "$(echo "$RESULT_STRUCTURE_DEFINITION" | jq -r .resourceType)" "StructureDefinition"
+STRUCTURE_DEFINITION_ID=$(echo "$RESULT_STRUCTURE_DEFINITION" | jq -r .id)
+
+sleep 1
+echo "3: testing after Patient profile created"
+echo "testing valid patient without profile"
+RESULT_NO_PROFILE=$(patient-valid-no-profile | curl -s -H 'Accept: application/fhir+json' -H "Content-Type: application/fhir+json" -d @- "$BASE/Patient")
+test "resource type" "$(echo "$RESULT_NO_PROFILE" | jq -r .resourceType)" "Patient"
+
+echo "testing invalid patient with profile"
+RESULT_INVALID_WITH_PROFILE=$(patient-invalid-with-profile | curl -s -H 'Accept: application/fhir+json' -H "Content-Type: application/fhir+json" -d @- "$BASE/Patient")
+test "resource type" "$(echo "$RESULT_INVALID_WITH_PROFILE" | jq -r .resourceType)" "OperationOutcome"
+test "issue diagnostics" "$(echo "$RESULT_INVALID_WITH_PROFILE" | jq -r .issue[0].diagnostics)" "Patient.active: minimum required = 1, but only found 0 (from http://example.org/url-114730)"
+
+echo "testing valid patient with profile"
+RESULT_VALID_WITH_PROFILE=$(patient-valid-with-profile | curl -s -H 'Accept: application/fhir+json' -H "Content-Type: application/fhir+json" -d @- "$BASE/Patient")
+test "resource type" "$(echo "$RESULT_VALID_WITH_PROFILE" | jq -r .resourceType)" "Patient"
+
+echo "testing valid patient with profile as bundle"
+RESULT_BUNDLE_VALID_WITH_PROFILE=$(bundle-valid-patient-with-profile | curl -s -H 'Accept: application/fhir+json' -H "Content-Type: application/fhir+json" -d @- "$BASE")
+echo "$RESULT_BUNDLE_VALID_WITH_PROFILE"
+test "resource type" "$(echo "$RESULT_BUNDLE_VALID_WITH_PROFILE" | jq -r .resourceType)" "Bundle"
+test "response status" "$(echo "$RESULT_BUNDLE_VALID_WITH_PROFILE" | jq -r .entry[0].response.status)" "201"
+
+sleep 1
+echo "4: deleting Patient profile and testing invalid again"
+RESULT_STRUCTURE_DEFINITION_DELETE=$(structure-definition-patient | curl -s -X DELETE -H 'Accept: application/fhir+json' -H "Content-Type: application/fhir+json" -d @- "$BASE/StructureDefinition/$STRUCTURE_DEFINITION_ID")
+test "delete response is empty" "$RESULT_STRUCTURE_DEFINITION_DELETE" ""
+
+echo "testing invalid patient with profile"
+RESULT_INVALID_WITH_PROFILE=$(patient-invalid-with-profile | curl -s -H 'Accept: application/fhir+json' -H "Content-Type: application/fhir+json" -d @- "$BASE/Patient")
+test "resource type" "$(echo "$RESULT_INVALID_WITH_PROFILE" | jq -r .resourceType)" "OperationOutcome"
+test "issue diagnostics" "$(echo "$RESULT_INVALID_WITH_PROFILE" | jq -r .issue[0].diagnostics)" "Profile reference 'http://example.org/url-114730' has not been checked because it could not be found"

.github/workflows/build.yml

@@ -1725,7 +1725,7 @@ jobs:
     - name: Expand Most KDS Terminology Resources
       run: .github/value-set-expand/expand-most.sh
 
-  integration-test-validation:
+  integration-test-terminology-service-validation:
     needs: build
     runs-on: ubuntu-24.04
 
@@ -1800,6 +1800,52 @@ jobs:
     - name: SNOMED CT Validate Code
       run: .github/scripts/snomed-ct-validate-code.sh
 
+
+  integration-test-validation:
+    needs: build
+    runs-on: ubuntu-24.04
+
+    steps:
+    - name: Setup Java
+      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5
+      with:
+        distribution: 'temurin'
+        java-version: '21'
+
+    - name: Check out Git repository
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+      with:
+        node-version-file: .nvmrc
+
+    - name: Install Blazectl
+      env:
+        GH_TOKEN: ${{ github.token }}
+      run: .github/scripts/install-blazectl.sh
+
+    - name: Download Blaze Image
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
+      with:
+        name: blaze-image
+        path: /tmp
+
+    - name: Load Blaze Image
+      run: docker load --input /tmp/blaze.tar
+
+    - name: Run Blaze
+      run: docker run --name blaze -d -e JAVA_TOOL_OPTIONS=-Xmx8g -e ENABLE_VALIDATION_ON_INGEST=true -p 8080:8080 --read-only --tmpfs /tmp:exec -v blaze-data:/app/data blaze:latest
+
+    - name: Wait for Blaze
+      run: .github/scripts/wait-for-url.sh http://localhost:8080/health
+
+    - name: Docker Logs
+      run: docker logs blaze
+
+    - name: Run Validation tests
+      run: .github/scripts/validation-patient.sh
+
   terminology-tests:
     needs: build
     runs-on: ubuntu-24.04
@@ -2682,6 +2728,7 @@ jobs:
     - integration-test-kds
     - integration-test-patient-purge
     - integration-test-value-set-expand
+    - integration-test-terminology-service-validation
     - integration-test-validation
     - terminology-tests
     - not-enforcing-referential-integrity-test

docs/.vitepress/config.ts

@@ -160,6 +160,12 @@ export default defineConfig({
 					{ text: 'Validation', link: '/terminology-service/validation' }
 				]
 			},
+			{
+				text: 'Validation',
+				items: [
+					{ text: 'Overview', link: '/validation' }
+				]
+			},
 			{
 				text: 'Usage',
 				items: [

docs/deployment/environment-variables.md

@@ -464,9 +464,13 @@ Enable SNOMED CT for the Terminology Service by using the value `true`.
 
 Path of an official SNOMED CT release.
 
-[1]: <https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/doc-files/net-properties.html#Proxies>
-[2]: <https://github.com/facebook/rocksdb/wiki/Setup-Options-and-Basic-Tuning#block-cache-size>
-[3]: <https://github.com/facebook/rocksdb/wiki/Thread-Pool>
-[4]: <https://openid.net/connect/>
-[5]: <../authentication.md>
-[6]: <http://tx.fhir.org/r4>
+#### `ENABLE_VALIDATION_ON_INGEST` <Badge type="warning" text="Since unreleased"/>
+
+Enable [Validation](../validation.md).
+
+[1]: https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/doc-files/net-properties.html#Proxies
+[2]: https://github.com/facebook/rocksdb/wiki/Setup-Options-and-Basic-Tuning#block-cache-size
+[3]: https://github.com/facebook/rocksdb/wiki/Thread-Pool
+[4]: https://openid.net/connect/
+[5]: ../authentication.md
+[6]: http://tx.fhir.org/r4

docs/validation.md

@@ -0,0 +1,29 @@
+# Validation
+
+Blaze supports validation based on profiles (`StructureDefinition`) upon resource ingest (create and update).
+To enable validation, set the environment variable `ENABLE_VALIDATION_ON_INGEST` to true.
+
+The profile, which a resource is validated against, has to exist on the server and needs to be named in `meta.profile` of the resource.
+Validation also works if they are inserted as part of a [transaction/batch](./api/interaction/transaction.md) request.
+
+Example:
+
+```json
+{
+    "resourceType": "Patient",
+    ...
+    "meta": {
+        "profile": "http://example.org/url-114730"
+    }
+}
+```
+
+**Note:** Validation skips empty resources in a `Bundle`, as they are not a valid use case.
+
+## Caching
+
+Validation profiles are cached upon initialization of the `validator`. If a new profiles is created or an existing profile is modified or deleted this cache gets invalidated and rebuilt automatically.
+
+## Performance
+
+Validation of resources comes at a performance cost, roughly doubling the time of the create or update request.

modules/admin-api/deps.edn

@@ -34,59 +34,13 @@
   blaze/spec
   {:local/root "../spec"}
 
+  blaze/validator
+  {:local/root "../validator"}
+
   fi.metosin/reitit-openapi
   {:mvn/version "0.9.1"
    :exclusions [javax.xml.bind/jaxb-api]}
 
-  ca.uhn.hapi.fhir/hapi-fhir-validation
-  {:mvn/version "8.4.0"
-   :exclusions
-   [com.nimbusds/nimbus-jose-jwt
-    commons-beanutils/commons-beanutils
-    info.cqframework/cql
-    info.cqframework/qdm
-    info.cqframework/quick
-    info.cqframework/cql-to-elm
-    info.cqframework/elm
-    info.cqframework/model
-    io.opentelemetry.instrumentation/opentelemetry-instrumentation-annotations
-    net.sf.saxon/Saxon-HE
-    net.sourceforge.plantuml/plantuml-mit
-    org.ogce/xpp3
-    ognl/ognl
-    org.attoparser/attoparser
-    org.unbescape/unbescape
-    org.xerial/sqlite-jdbc
-    org.apache.commons/commons-collections4
-    org.apache.httpcomponents/httpclient
-    com.google.errorprone/error_prone_annotations
-    org.apache.santuario/xmlsec
-    org.commonmark/commonmark
-    org.commonmark/commonmark-ext-gfm-tables]}
-
-  ca.uhn.hapi.fhir/hapi-fhir-structures-r4
-  {:mvn/version "8.4.0"
-   :exclusions
-   [com.google.code.findbugs/jsr305
-    commons-net/commons-net
-    io.opentelemetry.instrumentation/opentelemetry-instrumentation-annotations
-    ;; Remove after https://github.com/hapifhir/hapi-fhir/issues/7005 is fixed
-    org.apache.jena/jena-shex
-    net.sf.saxon/Saxon-HE]}
-
-  ca.uhn.hapi.fhir/hapi-fhir-validation-resources-r4
-  {:mvn/version "8.4.0"
-   :exclusions
-   [com.google.code.findbugs/jsr305
-    io.opentelemetry/opentelemetry-api
-    io.opentelemetry.instrumentation/opentelemetry-instrumentation-annotations
-    org.slf4j/jcl-over-slf4j]}
-
-  ca.uhn.hapi.fhir/hapi-fhir-caching-caffeine
-  {:mvn/version "8.4.0"
-   :exclusions
-   [io.opentelemetry.instrumentation/opentelemetry-instrumentation-annotations]}
-
   com.fasterxml.jackson.datatype/jackson-datatype-jsr310
   {:mvn/version "2.20.0"}