Proposed feature

Extending anonymization / pseudonymization to values which are part of Conditional References.
The most common example is probably identifier match urls, i.e. "reference": "Patient?identifier=http://fhir.test.de/sid/patient-id|123".

Use cases

1. Conditional References in transaction bundles (https://www.hl7.org/fhir/http.html#trules):

{
  "resourceType": "Bundle",
  "type": "transaction",
  "entry": [
    {
      "resourceType": "Observation",
      "subject": {
        "reference": "Patient?identifier=http://fhir.test.de/sid/patient-id|123"
       }
    }]
}

2. Request urls in Conditional updates (https://www.hl7.org/fhir/http.html#cond-update):

"request": {
  "method": "PUT",
  "url": "Patient?identifier=http://fhir.test.de/sid/patient-id|123"
}

Proposed changes

This can be achieved by adding an additional Regular expression in the ReferencyUtility class matching those Ids in conditional references.
Currently, only literal references are supported. I suggest treating conditional references as resource references, too (since they are both refering to a FHIR resource and are checked against supported resource types).

In addition, the feature which implicitly sets the domain name (if omitted in the settings) could also be extended.
The resource type can be parsed from both literal and conditional references.

I have tested these changes locally and will create a pull request to further discuss this proposal and review changes. I intend to only support identifier match urls for now, since those are - in my opinion - the most common use case.

• Default to using the much faster System.Text.Json-based FHIR parser and remove the option to unset it
• For backwards-compatibility reasons back when only gPAS was supported as a pseudonymization service, we've defaulted PseudonymizationService to gPAS. In the next version, this should be set to None. Possibly log a warning/error if the anonymization.yaml uses a pseudonymize method but no backend is defined at startup.
• Instead of vendoring the Tools-for-health-data-anonymization, use the provided Nuget package (microsoft/Tools-for-Health-Data-Anonymization#74). This might require additional effort to get our custom processors to work.
• remove the gPAS__Version setting, defaulting it to 2023 in the hopes that the published FHIR endpoint is now stable enough.
• remove Jaeger tracing support. Using only OTEL from now on.
• move metrics config inside a Metrics.Enabled and Metrics.Port complex type

The GPAS URL is not correctly interpreted if the tailing / is missing.

Expected behavior:
GPAS__URL: " ... /ttp-fhir/fhir/gpas/" has the same result as GPAS__URL: "/ttp-fhir/fhir/gpas"

Without the / the requests to GPAS leads to an 405 Operation not allowed

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: Cannot find preset's package (github>whitesource/merge-confidence:beta)

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): update docker.io/bitnami/kubectl:1.29.3 docker digest to f5fc0d5
• chore(deps): update docker.io/library/postgres:16.2 docker digest to 4aea012
• chore(deps): update all non-major dependencies (Duende.AccessTokenManagement, FakeItEasy, Grpc.Tools, Hl7.Fhir.Base, Hl7.Fhir.R4, Microsoft.AspNetCore.Mvc.Testing, Microsoft.Extensions.Http.Polly, NBomber, NBomber.Http, OpenTelemetry, OpenTelemetry.Exporter.OpenTelemetryProtocol, OpenTelemetry.Extensions.Hosting, OpenTelemetry.Instrumentation.AspNetCore, OpenTelemetry.Instrumentation.Http, Swashbuckle.AspNetCore, Verify.Xunit, YamlDotNet, csharpier, docker.io/bitnami/kubectl, docker.io/jaegertracing/all-in-one, docker.io/library/postgres, dotnet-outdated-tool, mcr.microsoft.com/dotnet/aspnet, mcr.microsoft.com/dotnet/sdk, quay.io/keycloak/keycloak, xunit, xunit.runner.visualstudio)
• chore(deps): update github-actions (actions/checkout, actions/download-artifact, actions/upload-artifact, docker/setup-buildx-action, github/codeql-action, helm/kind-action, miracum/.github, ossf/scorecard-action)
• chore(deps): update dependency verify.xunit to v24
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

There's a special case when using the cryptoHash method on literal references nodes:

There is a special case when crypto hashing a literal reference element. The tool captures and transforms only the id part from a reference, for example, reference Patient/123 will be hashed to Patient/a3c024f01cccb3b63457d848b0d2f89c1f744a3d. In this way, you can easily resolve references across anonymized FHIR resources.

However, this only covers reference string nodes. I would propose extending this feature to reference uri nodes like Bundle.request.url.

This would serve the same purpose (i.e. targeting resource ids). The gPAS pseudonymization processor which provides the same feature (for pseudonymization), already covers handling uri nodes. In my opinion, this feature is incomplete without handling those, as well.

@chgl What do you think?

https://grafana.com/blog/2024/03/13/an-opentelemetry-backend-in-a-docker-image-introducing-grafana/otel-lgtm/

https://simplifier.net/guide/ttp-fhir-gateway-ig/pseudonymizeAllowCreate

Afaik, the following changes were made in gPAS TTP GW:

• changed names of parameters (e.g. target instead of domain)
• changed names of methods (e.g. $pseudonymizeAllowCreate instead of $pseudonymize-allow-create)
• changed context path (http[s]://:/ttp-fhir/fhir/gpas instead of http[s]://:/ttp-fhir/fhir/)

and maybe more...

have tried to reserve memory: 4g, unfortunately it doesn't work. Has anyone such problem?

🚨 The automated release from the master branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you can benefit from your bug fixes and new features again.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can fix this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the master branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here are some links that can help you:

• Usage documentation
• Frequently Asked Questions
• Support channels

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.

Cannot push to the Git repository.

semantic-release cannot push the version tag to the branch master on the remote Git repository with URL https://x-access-token:[secure]@github.com/miracum/fhir-pseudonymizer.

This can be caused by:

• a misconfiguration of the repositoryUrl option
• the repository being unavailable
• or missing push permission for the user configured via the Git credentials on your CI environment

Good luck with your project ✨

Your semantic-release bot 📦🚀