jembi · drizzentic · May 20, 2024 · May 24, 2024 · May 15, 2024 · May 16, 2024
diff --git a/config.yaml b/config.yaml
@@ -27,6 +27,7 @@ packages:
   - database-postgres
   - reprocess-mediator
   - fhir-ig-importer
+  - fhir-info-gateway
   - openfn
   - datalake
 
@@ -49,6 +50,7 @@ profiles:
       - kafka-unbundler-consumer
       - fhir-ig-importer
       - reprocess-mediator
+      - fhir-info-gateway
       - datalake
     envFiles:
       - cdr-dw.env
@@ -66,6 +68,8 @@ profiles:
       - client-registry-jempi
       - identity-access-manager-keycloak
       - openhim-mapping-mediator
+      - fhir-ig-importer
+      - fhir-info-gateway
     envFiles:
       - cdr.env
 

diff --git a/documentation/SUMMARY.md b/documentation/SUMMARY.md
@@ -52,6 +52,8 @@
   - [Reverse Proxy Nginx](packages/reverse-proxy-nginx/README.md)
     - [Local Development](packages/reverse-proxy-nginx/local-development.md)
     - [Environment Variables](packages/reverse-proxy-nginx/environment-variables.md)
+  - [FHIR Info Gateway](packages/fhir-info-gateway/README.md)
+    - [Environment Variables](packages/fhir-info-gateway/environment-variables.md)
   - [OpenFn](packages/openfn/README.md)
     - [Environment Variables](packages/openfn/environment-variables.md)
   - [Reverse Proxy Traefik](packages/reverse-proxy-traefik/README.md)

diff --git a/documentation/packages/fhir-info-gateway/README.md b/documentation/packages/fhir-info-gateway/README.md
@@ -0,0 +1,138 @@
+# Table of Contents
+
+- [Overview](#overview)
+- [System Configuration](#system-configuration)
+- [Routing FHIR Requests](#routing-fhir-requests)
+- [Authentication Setup](#authentication-setup)
+- [Client Role Management](#client-role-management)
+- [API Testing](#api-testing)
+- [References](#references)
+
+---
+
+## Overview
+
+This document outlines the setup and integration of the FHIR Info Gateway to enhance the handling of FHIR-based requests. The system leverages OpenHIM for routing, Keycloak for authentication, and custom configurations for managing client access and secure data exchange. This setup enables seamless orchestration of Create/Read operations for patient clinical data.
+
+---
+
+## System Configuration
+
+### Prerequisite Setup
+
+- **Keycloak Integration**: Keycloak is configured as the primary access token provider.
+- **Initialization**: Use the following command to initialize the FHIR Info Gateway package:
+
+  ```bash
+  ./instant-linux package init -n fhir-info-gateway --dev
+  ```
+
+### Default Environment Variables
+
+| Variable           | Description                             | Example Value               |
+| ------------------ | --------------------------------------- | --------------------------- |
+| `ACCESS_CHECKER`   | Enables role-based scope checking       | `scope`                     |
+| `REALM_URL`        | Keycloak realm URL for token generation | `http://localhost:9088`     |
+| `GATEWAY_ENDPOINT` | Endpoint for FHIR Info Gateway API      | `http://localhost:8080/api` |
+
+---
+
+## Routing FHIR Requests
+
+### Updating OpenHIM Channels
+
+1. Navigate to the OpenHIM console.
+2. Update the MPI Channel settings:
+   - **Channel Name**: MPI Orchestrations
+   - Ensure all Create/Read requests are routed through the FHIR Info Gateway.
-1. Navigate to the OpenHIM console.
-2. Update the MPI Channel settings:
-   - **Channel Name**: MPI Orchestrations
-   - Ensure all Create/Read requests are routed through the FHIR Info Gateway.
+1. Navigate to the OpenHIM console.
+2. Update the MPI Channel settings:
+   - **Channel Name**: MPI Orchestrations
+   - Ensure all Create/Read requests are routed through the FHIR Info Gateway.
+3. Configure the following route settings:
+   - Primary Route: http://fhir-info-gateway:3000
+   - Route Type: HTTP
+   - Add additional routes for FHIR resource endpoints
+
+Note: By default, direct FHIR request routing is disabled. Enable it only for advanced use cases.
-1. Navigate to the OpenHIM console.
-2. Update the MPI Channel settings:
-   - **Channel Name**: MPI Orchestrations
-   - Ensure all Create/Read requests are routed through the FHIR Info Gateway.
+1. Navigate to the OpenHIM console.
+2. Update the MPI Channel settings:
+   - **Channel Name**: MPI Orchestrations
+   - Ensure all Create/Read requests are routed through the FHIR Info Gateway.
+3. Configure the following route settings:
+   - Primary Route: http://fhir-info-gateway:3000
+   - Route Type: HTTP
+   - Add additional routes for FHIR resource endpoints
+
+Note: By default, direct FHIR request routing is disabled. Enable it only for advanced use cases.
+
+#### Route Configuration Example
+
+<!-- _Add configuration details here._ -->
+
+![RouteConfiguration](images/RouteConfiguration.png "Route Configuration")
+
+## Authentication Setup
+
+### Retrieve the User UUID
+
+The User UUID is the Keycloak user UUID. Obtain this UUID by querying Keycloak or checking the admin console.
+
+![userUuid](images/userUuid.png "User UUID")
+
+### Create a New Client in OpenHIM
+
+1. Use the retrieved Keycloak User UUID as the Client ID.
+2. Create a new client in OpenHIM using this UUID.
+
+![NewClient](images/NewClient.png "New Client in OpenHIM")
+
+### Generating Client Credentials
+
+Run the following command to generate an access token:
+
+```bash
+curl -X POST -d 'client_id=emr' -d 'username=fhiruser' \
+-d 'password=dev_password_only' -d 'grant_type=password' \
+"http://localhost:9088/realms/platform-realm/protocol/openid-connect/token" | jq
+```
+
+Replace `localhost:9088` with the appropriate Keycloak server address.
+
+![GeneratingClientCredentials](images/GeneratingClientCredentials.png "Generating Client Credentials")
+
+### Token Usage
+
+Include the generated token in the Authorization header of API requests:
+
+- **In Postman or similar tools**:
+  - Use the Bearer Token in the Authorization tab.
+  - Add the token generated in the above step.
+
+---
+
+## Client Role Management
+
+### Restricting Client Access
+
+1. Open Keycloak Admin Console.
+2. Navigate to the **Client Scopes** section for the FHIR resource.
+3. Update roles and permissions to enforce restricted access.
+
-1. Open Keycloak Admin Console.
-2. Navigate to the **Client Scopes** section for the FHIR resource.
-3. Update roles and permissions to enforce restricted access.
+1. Open Keycloak Admin Console.
+2. Navigate to the **Client Scopes** section for the FHIR resource.
+3. Default Configuration:
+   - Role: fhir-readonly
+   - Default Client: fhir_client (service account enabled)
+   - Default Scopes: fhir:read, fhir:write
+
+4. Modify roles and permissions:
+   - Navigate to Clients → fhir_client → Service Account Roles
+   - Add/remove roles to modify access levels
-1. Open Keycloak Admin Console.
-2. Navigate to the **Client Scopes** section for the FHIR resource.
-3. Update roles and permissions to enforce restricted access.
+1. Open Keycloak Admin Console.
+2. Navigate to the **Client Scopes** section for the FHIR resource.
+3. Default Configuration:
+   - Role: fhir-readonly
+   - Default Client: fhir_client (service account enabled)
+   - Default Scopes: fhir:read, fhir:write
+
+4. Modify roles and permissions:
+   - Navigate to Clients → fhir_client → Service Account Roles
+   - Add/remove roles to modify access levels
+### Disabling Authentication (Development Only)
+
+- Allow anonymous access via Keycloak settings.
+- Update the OpenHIM channel to bypass authentication temporarily.
+
+---
+
+## API Testing
+
+### Testing FHIR Requests
+
+- Use tools like Postman or cURL.
+- Add the Bearer token to the Authorization header.
+
+#### Example Request
+
+```bash
+curl -X GET \
+-H "Authorization: Bearer <token>" \
+"http://localhost:5001/fhir/Encounter"
+```
+
+### Verifying Responses
+
+- Ensure that responses comply with FHIR standards and contain the required patient data.
+
+---
+
+## References
+
+- **GitHub Pull Request**: FHIR Info Gateway Integration
+- **Documentation Commands**:
+
+  ```bash
+  ./instant-linux package init -n fhir-info-gateway --dev
+
+  ```
diff --git a/documentation/packages/fhir-info-gateway/images/GeneratingClientCredentials.png b/documentation/packages/fhir-info-gateway/images/GeneratingClientCredentials.png
diff --git a/documentation/packages/fhir-info-gateway/images/NewClient.png b/documentation/packages/fhir-info-gateway/images/NewClient.png
diff --git a/documentation/packages/fhir-info-gateway/images/RouteConfiguration.png b/documentation/packages/fhir-info-gateway/images/RouteConfiguration.png
diff --git a/.../fhir-info-gateway/images/screenshot-localhost_9088-2024_12_17-14_16_13 (1).png b/.../fhir-info-gateway/images/screenshot-localhost_9088-2024_12_17-14_16_13 (1).png
diff --git a/.../fhir-info-gateway/images/screenshot-localhost_9088-2024_12_17-14_48_35 (1).png b/.../fhir-info-gateway/images/screenshot-localhost_9088-2024_12_17-14_48_35 (1).png
diff --git a/documentation/packages/fhir-info-gateway/images/userUuid.png b/documentation/packages/fhir-info-gateway/images/userUuid.png
diff --git a/fhir-info-gateway/docker-compose.dev.yml b/fhir-info-gateway/docker-compose.dev.yml
@@ -0,0 +1,8 @@
+version: '3.9'
+
+services:
+  fhir-info-gateway:
+    ports:
+      - target: 8080
+        published: 8880
+        mode: host
diff --git a/fhir-info-gateway/docker-compose.yml b/fhir-info-gateway/docker-compose.yml
@@ -0,0 +1,33 @@
+version: "3.9"
+services:
+  fhir-info-gateway:
+    image: ${FHIR_INFO_GATEWAY_IMAGE}
+    networks:
+      openhim:
+      keycloak:
+      default:
+    environment:
+      TOKEN_ISSUER: ${KC_API_URL}/realms/${KC_REALM_NAME}
+      ACCESS_CHECKER: ${ACCESS_CHECKER}
+      PROXY_TO: ${GATEWAY_MPI_PROXY_URL}
+      BACKEND_TYPE: ${BACKEND_TYPE}
+      RUN_MODE: ${RUN_MODE}
+    deploy:
+      replicas: ${FHIR_INFO_GATEWAY_INSTANCES}
+      placement:
+        max_replicas_per_node: ${FHIR_INFO_GATEWAY_MAX_REPLICAS_PER_NODE}
+      resources:
+        limits:
+          cpus: ${FHIR_INFO_GATEWAY_CPU_LIMIT}
+          memory: ${FHIR_INFO_GATEWAY_MEMORY_LIMIT}
+        reservations:
+          cpus: ${FHIR_INFO_GATEWAY_CPU_RESERVE}
+          memory: ${FHIR_INFO_GATEWAY_MEMORY_RESERVE}
+networks:
+    openhim:
+      name: openhim_public
+      external: true
+    keycloak:
+      name: keycloak_public
+      external: true
+    default:
diff --git a/fhir-info-gateway/importer/docker-compose-smart_keycloak.yml b/fhir-info-gateway/importer/docker-compose-smart_keycloak.yml
@@ -0,0 +1,18 @@
+version: "3.9"
+
+services:
+  smart-config:
+    image: jembi/keycloak-config:v0.0.1
+    networks:
+      keycloak:
+    environment:
+      KEYCLOAK_BASE_URL: ${KC_API_URL}
+      KEYCLOAK_USER: ${KC_ADMIN_USERNAME}
+      KEYCLOAK_PASSWORD: ${KC_ADMIN_PASSWORD}
+      KEYCLOAK_REALM: ${KC_REALM_NAME}
+    command: [ "-configFile", "config/backend-services-config.json" ]
+
+networks:
+  keycloak:
+    name: keycloak_public
+    external: true
diff --git a/fhir-info-gateway/importer/docker-compose.config.yml b/fhir-info-gateway/importer/docker-compose.config.yml
@@ -0,0 +1,36 @@
+version: "3.9"
+services:
+  update-keycloak-config:
+    image: node:erbium-alpine
+    environment:
+      KEYCLOAK_SERVER_URL: ${KC_API_URL}
+      KEYCLOAK_REALM: ${KC_REALM_NAME}
+      KEYCLOAK_ADMIN_USER: ${KC_ADMIN_USERNAME}
+      KEYCLOAK_ADMIN_PASSWORD: ${KC_ADMIN_PASSWORD}
+    command: sh -c "cd / && npm i axios && node keycloakConfig.js"
+    configs:
+      - source: keycloak-config-importer-updateConfig.js
+        target: /keycloakConfig.js
+      - source: keycloak-config-importer-updateConfig.json
+        target: /keycloak-config.json
+    deploy:
+      replicas: 1
+      restart_policy:
+        condition: none
+    networks:
+      keycloak:
+configs:
+  keycloak-config-importer-updateConfig.js:
+    file: ./update-keycloak-config.js
+    name: keycloak-config-importer-updateConfig.js-${keycloak_config_importer_updateConfig_js_DIGEST:?err}
+    labels:
+      name: keycloakConfig
+  keycloak-config-importer-updateConfig.json:
+    file: ./keycloak-config.json
+    name: keycloak-config-importer-updateConfig.json-${keycloak_config_importer_updateConfig_json_DIGEST:?err}
+    labels:
+      name: keycloakConfigJson
+networks:
+  keycloak:
+    name: keycloak_public
+    external: true