Redesign FP Date Shift Architecture

Author: trobanga

clinical-domain-agent/src/main/java/care/smith/fts/cda/impl/FhirPseudonymizerConfig.java

@@ -0,0 +1,31 @@
+package care.smith.fts.cda.impl;
+
+import care.smith.fts.api.DateShiftPreserve;
+import care.smith.fts.util.HttpClientConfig;
+import care.smith.fts.util.tca.TcaDomains;
+import java.io.File;
+import java.time.Duration;
+import java.util.Optional;
+
+public record FhirPseudonymizerConfig(
+    HttpClientConfig serviceUrl,
+    File anonymizationConfig,
+    TCAConfig trustCenterAgent,
+    Duration maxDateShift,
+    DateShiftPreserve dateShiftPreserve) {
+
+  public FhirPseudonymizerConfig(
+      HttpClientConfig serviceUrl,
+      File anonymizationConfig,
+      TCAConfig trustCenterAgent,
+      Duration maxDateShift,
+      DateShiftPreserve dateShiftPreserve) {
+    this.serviceUrl = serviceUrl;
+    this.anonymizationConfig = anonymizationConfig;
+    this.trustCenterAgent = trustCenterAgent;
+    this.maxDateShift = maxDateShift;
+    this.dateShiftPreserve = Optional.ofNullable(dateShiftPreserve).orElse(DateShiftPreserve.NONE);
+  }
+
+  public record TCAConfig(HttpClientConfig server, TcaDomains domains) {}
+}

clinical-domain-agent/src/main/java/care/smith/fts/cda/impl/FhirPseudonymizerStep.java

@@ -0,0 +1,150 @@
+package care.smith.fts.cda.impl;
+
+import static care.smith.fts.util.MediaTypes.APPLICATION_FHIR_JSON;
+import static care.smith.fts.util.RetryStrategies.defaultRetryStrategy;
+
+import care.smith.fts.api.ConsentedPatientBundle;
+import care.smith.fts.api.DateShiftPreserve;
+import care.smith.fts.api.TransportBundle;
+import care.smith.fts.api.cda.Deidentificator;
+import care.smith.fts.util.fhir.DateShiftAnonymizer;
+import care.smith.fts.util.tca.TcaDomains;
+import care.smith.fts.util.tca.TransportMappingResponse;
+import io.micrometer.core.instrument.MeterRegistry;
+import java.time.Duration;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+import lombok.extern.slf4j.Slf4j;
+import org.hl7.fhir.r4.model.Bundle;
+import org.springframework.http.MediaType;
+import org.springframework.web.reactive.function.client.WebClient;
+import reactor.core.publisher.Mono;
+
+/**
+ * Deidentification step using an external FHIR Pseudonymizer service. Handles date nullification
+ * locally, delegates ID pseudonymization to FP (which calls TCA), then consolidates all mappings
+ * via TCA.
+ */
+@Slf4j
+class FhirPseudonymizerStep implements Deidentificator {
+
+  private static final Pattern TID_PATTERN = Pattern.compile("[A-Za-z0-9_-]{32}");
+
+  private final WebClient fpClient;
+  private final WebClient tcaClient;
+  private final TcaDomains domains;
+  private final Duration maxDateShift;
+  private final DateShiftPreserve preserve;
+  private final List<String> dateShiftPaths;
+  private final MeterRegistry meterRegistry;
+
+  FhirPseudonymizerStep(
+      WebClient fpClient,
+      WebClient tcaClient,
+      TcaDomains domains,
+      Duration maxDateShift,
+      DateShiftPreserve preserve,
+      List<String> dateShiftPaths,
+      MeterRegistry meterRegistry) {
+    this.fpClient = fpClient;
+    this.tcaClient = tcaClient;
+    this.domains = domains;
+    this.maxDateShift = maxDateShift;
+    this.preserve = preserve;
+    this.dateShiftPaths = dateShiftPaths;
+    this.meterRegistry = meterRegistry;
+  }
+
+  @Override
+  public Mono<TransportBundle> deidentify(ConsentedPatientBundle bundle) {
+    return Mono.defer(
+        () -> {
+          var patient = bundle.consentedPatient();
+          var dateMappings = DateShiftAnonymizer.nullifyDates(bundle.bundle(), dateShiftPaths);
+
+          log.trace(
+              "Nullified {} date elements, sending to FHIR Pseudonymizer", dateMappings.size());
+
+          return sendToFhirPseudonymizer(bundle.bundle())
+              .flatMap(
+                  pseudonymizedBundle -> {
+                    var identityTIds = extractTransportIds(pseudonymizedBundle);
+                    if (identityTIds.isEmpty() && dateMappings.isEmpty()) {
+                      return Mono.empty();
+                    }
+                    return consolidateViaTca(
+                            patient.identifier(), identityTIds, dateMappings)
+                        .map(
+                            transferId ->
+                                new TransportBundle(pseudonymizedBundle, transferId));
+                  });
+        });
+  }
+
+  private Mono<Bundle> sendToFhirPseudonymizer(Bundle bundle) {
+    return fpClient
+        .post()
+        .uri("/$de-identify")
+        .headers(h -> h.setContentType(APPLICATION_FHIR_JSON))
+        .headers(h -> h.setAccept(List.of(APPLICATION_FHIR_JSON)))
+        .bodyValue(bundle)
+        .retrieve()
+        .bodyToMono(Bundle.class)
+        .timeout(Duration.ofSeconds(60))
+        .retryWhen(defaultRetryStrategy(meterRegistry, "sendToFhirPseudonymizer"))
+        .doOnError(e -> log.error("FHIR Pseudonymizer call failed: {}", e.getMessage()));
+  }
+
+  /**
+   * Extracts transport IDs from the pseudonymized bundle. After FP processing, resource IDs that
+   * were pseudonymized will be 32-char Base64URL tIDs from TCA.
+   */
+  static Set<String> extractTransportIds(Bundle bundle) {
+    return bundle.getEntry().stream()
+        .map(Bundle.BundleEntryComponent::getResource)
+        .filter(r -> r != null && r.hasId())
+        .map(r -> r.getIdElement().getIdPart())
+        .filter(id -> id != null && TID_PATTERN.matcher(id).matches())
+        .collect(Collectors.toSet());
+  }
+
+  private Mono<String> consolidateViaTca(
+      String patientIdentifier, Set<String> identityTIds, Map<String, String> dateMappings) {
+
+    var request =
+        new FpTransportMappingRequest(
+            patientIdentifier, identityTIds, dateMappings, domains.dateShift(), maxDateShift, preserve);
+
+    log.trace(
+        "Consolidating {} identity tIDs + {} date mappings via TCA",
+        identityTIds.size(),
+        dateMappings.size());
+
+    return tcaClient
+        .post()
+        .uri("/api/v2/cd/fhir-pseudonymizer/transport-mapping")
+        .headers(h -> h.setContentType(MediaType.APPLICATION_JSON))
+        .bodyValue(request)
+        .retrieve()
+        .bodyToMono(TransportMappingResponse.class)
+        .timeout(Duration.ofSeconds(30))
+        .retryWhen(defaultRetryStrategy(meterRegistry, "consolidateViaTca"))
+        .doOnError(e -> log.error("TCA consolidation failed: {}", e.getMessage()))
+        .map(TransportMappingResponse::transferId);
+  }
+
+  /**
+   * DTO matching TCA's FpTransportMappingRequest. Duplicated here to avoid cross-module dependency
+   * on the TCA rest package.
+   */
+  record FpTransportMappingRequest(
+      String patientIdentifier,
+      Set<String> transportIds,
+      Map<String, String> dateMappings,
+      String dateShiftDomain,
+      Duration maxDateShift,
+      DateShiftPreserve dateShiftPreserve) {}
+}

clinical-domain-agent/src/main/java/care/smith/fts/cda/impl/FhirPseudonymizerStepFactory.java

@@ -0,0 +1,55 @@
+package care.smith.fts.cda.impl;
+
+import static java.util.Objects.requireNonNull;
+
+import care.smith.fts.api.cda.Deidentificator;
+import care.smith.fts.util.WebClientFactory;
+import care.smith.fts.util.fhir.DateShiftAnonymizer;
+import io.micrometer.core.instrument.MeterRegistry;
+import java.io.IOException;
+import java.util.List;
+import org.springframework.stereotype.Component;
+
+@Component("fhir-pseudonymizerDeidentificator")
+public class FhirPseudonymizerStepFactory
+    implements Deidentificator.Factory<FhirPseudonymizerConfig> {
+
+  private final WebClientFactory clientFactory;
+  private final MeterRegistry meterRegistry;
+
+  public FhirPseudonymizerStepFactory(
+      WebClientFactory clientFactory, MeterRegistry meterRegistry) {
+    this.clientFactory = clientFactory;
+    this.meterRegistry = meterRegistry;
+  }
+
+  @Override
+  public Class<FhirPseudonymizerConfig> getConfigType() {
+    return FhirPseudonymizerConfig.class;
+  }
+
+  @Override
+  public Deidentificator create(
+      Deidentificator.Config commonConfig, FhirPseudonymizerConfig implConfig) {
+    var fpClient = clientFactory.create(implConfig.serviceUrl());
+    var tcaClient = clientFactory.create(implConfig.trustCenterAgent().server());
+
+    List<String> dateShiftPaths;
+    try {
+      dateShiftPaths =
+          DateShiftAnonymizer.parseDateShiftPaths(
+              requireNonNull(implConfig.anonymizationConfig()));
+    } catch (IOException e) {
+      throw new IllegalStateException("Failed to parse anonymization config", e);
+    }
+
+    return new FhirPseudonymizerStep(
+        fpClient,
+        tcaClient,
+        implConfig.trustCenterAgent().domains(),
+        implConfig.maxDateShift(),
+        implConfig.dateShiftPreserve(),
+        dateShiftPaths,
+        meterRegistry);
+  }
+}

clinical-domain-agent/src/test/java/care/smith/fts/cda/impl/FhirPseudonymizerStepTest.java

@@ -0,0 +1,146 @@
+package care.smith.fts.cda.impl;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.lenient;
+import static org.mockito.Mockito.when;
+
+import care.smith.fts.api.ConsentedPatient;
+import care.smith.fts.api.ConsentedPatientBundle;
+import care.smith.fts.api.DateShiftPreserve;
+import care.smith.fts.util.tca.TcaDomains;
+import care.smith.fts.util.tca.TransportMappingResponse;
+import io.micrometer.core.instrument.simple.SimpleMeterRegistry;
+import java.time.Duration;
+import java.util.List;
+import java.util.function.Consumer;
+import org.hl7.fhir.r4.model.Bundle;
+import org.hl7.fhir.r4.model.Encounter;
+import org.hl7.fhir.r4.model.Patient;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.web.reactive.function.client.WebClient;
+import reactor.core.publisher.Mono;
+import reactor.test.StepVerifier;
+
+@SuppressWarnings("unchecked")
+@ExtendWith(MockitoExtension.class)
+class FhirPseudonymizerStepTest {
+
+  @Mock private WebClient fpClient;
+  @Mock private WebClient tcaClient;
+  @Mock private WebClient.RequestBodyUriSpec fpPostSpec;
+  @Mock private WebClient.RequestBodySpec fpBodySpec;
+  @Mock private WebClient.RequestHeadersSpec fpHeadersSpec;
+  @Mock private WebClient.ResponseSpec fpResponseSpec;
+  @Mock private WebClient.RequestBodyUriSpec tcaPostSpec;
+  @Mock private WebClient.RequestBodySpec tcaBodySpec;
+  @Mock private WebClient.RequestHeadersSpec tcaHeadersSpec;
+  @Mock private WebClient.ResponseSpec tcaResponseSpec;
+
+  private FhirPseudonymizerStep step;
+
+  @BeforeEach
+  void setUp() {
+    var domains = new TcaDomains("pseudo-domain", "salt-domain", "dateshift-domain");
+    step =
+        new FhirPseudonymizerStep(
+            fpClient,
+            tcaClient,
+            domains,
+            Duration.ofDays(14),
+            DateShiftPreserve.NONE,
+            List.of(),
+            new SimpleMeterRegistry());
+
+    // FP client mock chain (lenient: not all tests exercise FP)
+    lenient().when(fpClient.post()).thenReturn(fpPostSpec);
+    lenient().when(fpPostSpec.uri(any(String.class))).thenReturn(fpBodySpec);
+    lenient().when(fpBodySpec.headers(any(Consumer.class))).thenReturn(fpBodySpec);
+    lenient().when(fpBodySpec.bodyValue(any())).thenReturn(fpHeadersSpec);
+    lenient().when(fpHeadersSpec.retrieve()).thenReturn(fpResponseSpec);
+
+    // TCA client mock chain (lenient: not all tests exercise TCA)
+    lenient().when(tcaClient.post()).thenReturn(tcaPostSpec);
+    lenient().when(tcaPostSpec.uri(any(String.class))).thenReturn(tcaBodySpec);
+    lenient().when(tcaBodySpec.headers(any(Consumer.class))).thenReturn(tcaBodySpec);
+    lenient().when(tcaBodySpec.bodyValue(any())).thenReturn(tcaHeadersSpec);
+    lenient().when(tcaHeadersSpec.retrieve()).thenReturn(tcaResponseSpec);
+  }
+
+  @Test
+  void extractTransportIdsFinds32CharBase64UrlIds() {
+    var bundle = new Bundle();
+
+    var patient = new Patient();
+    patient.setId("AbCdEfGhIjKlMnOpQrStUvWxYz012345"); // 32 chars Base64URL
+    bundle.addEntry().setResource(patient);
+
+    var encounter = new Encounter();
+    encounter.setId("short-id"); // Not a tID
+    bundle.addEntry().setResource(encounter);
+
+    var encounter2 = new Encounter();
+    encounter2.setId("a-uuid-that-is-longer-than-32-chars-total"); // Not a 32-char tID
+    bundle.addEntry().setResource(encounter2);
+
+    var tIds = FhirPseudonymizerStep.extractTransportIds(bundle);
+
+    assertThat(tIds).containsExactly("AbCdEfGhIjKlMnOpQrStUvWxYz012345");
+  }
+
+  @Test
+  void extractTransportIdsReturnsEmptyForNoMatches() {
+    var bundle = new Bundle();
+    var patient = new Patient();
+    patient.setId("regular-uuid-id");
+    bundle.addEntry().setResource(patient);
+
+    var tIds = FhirPseudonymizerStep.extractTransportIds(bundle);
+
+    assertThat(tIds).isEmpty();
+  }
+
+  @Test
+  void deidentifyReturnsBundleWithTransferId() {
+    var pseudonymizedBundle = new Bundle();
+    var pseudoPatient = new Patient();
+    pseudoPatient.setId("AbCdEfGhIjKlMnOpQrStUvWxYz012345");
+    pseudonymizedBundle.addEntry().setResource(pseudoPatient);
+
+    when(fpResponseSpec.bodyToMono(Bundle.class)).thenReturn(Mono.just(pseudonymizedBundle));
+    when(tcaResponseSpec.bodyToMono(TransportMappingResponse.class))
+        .thenReturn(Mono.just(new TransportMappingResponse("transfer-id-abc")));
+
+    var patient = new ConsentedPatient("patient-1", "http://system");
+    var inputBundle = new Bundle();
+    inputBundle.addEntry().setResource(new Patient());
+
+    var result = step.deidentify(new ConsentedPatientBundle(inputBundle, patient));
+
+    StepVerifier.create(result)
+        .assertNext(
+            transport -> {
+              assertThat(transport.transferId()).isEqualTo("transfer-id-abc");
+              assertThat(transport.bundle()).isEqualTo(pseudonymizedBundle);
+            })
+        .verifyComplete();
+  }
+
+  @Test
+  void deidentifyReturnsEmptyWhenNoMappings() {
+    var emptyBundle = new Bundle();
+
+    when(fpResponseSpec.bodyToMono(Bundle.class)).thenReturn(Mono.just(emptyBundle));
+
+    var patient = new ConsentedPatient("patient-1", "http://system");
+    var inputBundle = new Bundle();
+
+    var result = step.deidentify(new ConsentedPatientBundle(inputBundle, patient));
+
+    StepVerifier.create(result).verifyComplete();
+  }
+}