Added new Admin JSON endpoint /system-config, which prepares a ZIP file containing JVM information, a thread dump, the node module config, and node health statuses.

Realtime Export now supports a new property called Transaction-Based Processing. When enabled, Realtime Export will process full transactions as single logical units against the remote database.

Added bundle import support in channel import, which will behave similar to POSTing a bundle to '/' endpoint and depending on the bundle type will either treat the bundle as a resource and modify it depending on the operation type or ignore the operation type of the payload and handle each resource independently

Add a new property for cluster manager: audit_log.request_headers_to_store. This can be set to a comma-delimited list of header names. During Audit Event creation, Smile CDR will attempt to extract the named headers from the request and store them with the Audit Event

Support for accepting and processing HL7 v2.x VXU (Vaccine/Immuization) messages has been added.

Added support for Group Bulk export via the /Group/[id]/$export operation, which limited support for query parameters. The documentation indicate contains more details.

The FHIR Gateway module now supports the following additional search parameters:

• _has
• _profile

Added support for system/ and user/ scopes, which mirror the patient/ scopes.

Extend ldap inbound to better support static and dynamic groups. Add optional attribute for member property to onSuccess handler context isMemberOfGroup(). Added queryStringAttributes() to onSuccess handler context to fetch attribute values during the callback. Add new config property authenticator.bind.user.attributes to the LDAP inbound security module to define a list of attributes to query during authentication.

A new setting has been added to the FHIR Gateway target configuration called headersToForward. HTTP headers identified in this configuration will be forwarded from the original client request through the gateway and on to the target server.

Add user data to UserSessionDetailsJson for use in hooks.

Added new config parameter to database connection called 'db.expect_writable', default false. When set to 'true', then health-checks on this server will fail if that database connection is read-only.

Support has been added for the fhirUser scope in the SMART Outbound Security module.

The FHIR Endpoint module can now be configured to return an HTTP 401 for all security issues, instead of returning a 403 when insufficient permissions are found for an otherwise authenticated user.

Added support for Fhir.patch operation in the JavaScript execution environment.

Hybrid Providers are now able to register their own health-checks to report on the status of their connection to external systems they depend on.

The SMART OIDC login flow now has an optional terms-of-service (TOS) page.

The ZIP file generated by admin-json endpoint /system-config now includes a file called cdr-version.txt which contains the HAPI FHIR and Smile CDR build versions

Support string values for resource versions in the audit log. This is needed by the Gateway when fronting servers that use non-numeric resource versions.

A new configuration item has been added to the FHIR Gateway Target document that allows a target to be configured to always use HTTP POST form for FHIR search operations.

Two new configuration properties have been added to the FHIR Endpoint modules that can be used to automatically populate missing Coding.display values, and to automatically enrich CodeableConcepts using available translations. Both features leverage a validation support repository and can be used on all kinds of FHIR endpoints. See Response Terminology Enhancement for more information.

Added configuration to Realtime Export module to allow for multiple consumers

When Auto-Create Placeholder Reference Targets is enabled, Smile CDR now automatically creates Search Parameters for the placeholder extension. This search parameter can be queried as Patient?resource-placeholder=true.

All FHIR Endpoint modules now include support for the Prefer: handling=lenient directive that allows for unknown search parameters to be ignored.

The CapabilityStatement exported by the FHIR Endpoint module will now include supported profiles (StructureDefinition.url) as well as any custom SearchParameter resources supported by the server.

The expect-writable heath-check was not accurately determining when the cluster-manager database is read-only. This has been corrected.

It is now possible to account for third-party Authorization (OIDC) servers that use nonstandard claim names to communicate the list of approved scopes associated with an access token.

The SMART Outbound Security module can now optionally be configured to allow self registration of users.

A new option has been added to the Storage Module, which enables :mdm search parameter qualifier. If an MDM module exists and this option is enabled, MDM search expansion will be enabled. You can read more about MDM expansion in the HAPI FHIR Docs

A new optional element has been added to the FHIR Gateway module's target configuration, serverCapabilityStatementValidationEnabled. If this is supplied a boolean value of false, the gateway will not validate the target server's CapabilityStatement with a request to /metadata. Default is true.

A new method getStringArrayClaim has been added to the JWT processing callback API, granting callback scripts access to claims in the form of an array of strings.

A new setting has been added to the validation section of the FHIR Storage (RDBMS) module called Unknown CodeSystem Validation Policy. When acting as a validation support repository, this setting controls how the system will respond when it encounters a Coding that uses a CodeSystem URL that can not be resolved.

A new optional feature has been added to the FHIR Gateway module's target client creation, to allow setting a client interceptor (using IClientInterceptor), before the FHIR client is called to read or search resources from targets. If this is supplied (via BaseRequest), the client interceptor will then be called before sending the request to a target server, and after the response is received from it.

A new option has been added to the ETL Import module that causes import jobs to be executed asynchronously. This can help to more evenly distribute load across a cluster and ensure that HTTP calls return faster.

When automatically creating a placeholder reference that is set to auto-populate identifiers, logic has been improved. If the reference does not contain an identifier, but the inline match URL does, the identifier found in the match URL will be added to the target. If both are populated, they will both be added to the target.

A new optional element has been added to the FHIR Gateway module's target configuration, allowedToFail, default value 'false'. If this is supplied a boolean value of true, the gateway will allow the target to fail silently (but with warning entries in the log), in search routes, without returning an error to the client unless all targets for a given search request have failed. This permits sending partial target results in response to client requests when a target cannot be reached or fails to handle the request. Read routes are not modified by this new configuration, and are still not allowed to fail on any target.

Added revoke-url, scopes and other recommended fields to the .well-known/smart-configuration url. Also, added a configuration item scopes_to_enforce to configure the scopes field. Renamed the user revoke endpoint to session management endpoint. The url changed from oauth/revoke to session/management

Added support for operations in FHIR Gateway. Currently only $meta and $process-message are supported.

Add getHeader function to RequestDetailsJson to allow to allow consent service to access request headers if exists

A new command has been added to the SmileUtil tool that can be used to ingest CSV Bulk Import files with the CSV-to-FHIR processing happening in the client instead of the server.

The relevant OIDC client was added to the audit log entries for SMART terms-of-service, and the OIDC scope revoke events.

A new setting has been added to the FHIR Storage (RDBMS) module called Enable Match URL Cache. This setting improves write performance on servers with frequent use of conditional URLs (e.g. conditional creates, conditional updates, etc.)

The HL7 v2.x Sending (outbound) endpoint now supports several new ADT and Orders transaction types, and several new segments, as well as support for DFT^P01 messages.

It is now possible to specify a tenant name for an HL7 v2.x Listening endpoint as a configuration option. Setting this on a partitioned server will determine which partition is used to store the data receievd in HL7 v2.x messages.

The Smile CDR Docker build has been bumped to a base of openjdk-11.0.11-slim-buster.

As of Smile CDR 2021.05.R01, users of the Infinispan Caching module will be required to include their own Infinispan client JAR in the customer_lib directory of their installation. Previously, a client JAR version 9.4.21.Final was included. Note that there is now a known CVE reported that affects this particular version (CVE-2021-21295) so it is no longer recommended for use.

The version of the Bootstrap framework used in the SMART Outbound Security module has been bumped from 3.8.x to 4.6.x, due to the rising number of reported CVEs against the 3.x series. This change will affect any skins that have been developed using the built-in library.

Under some circumstances, processing a received HL7 v2.x ORU^R01 message failed with an unrecoverable NullPointerException. This has been corrected.

When using Smile CDR in Federated OAuth2 mode to connect to a third-party OpenID Connect provider, Smile CDR would fail to process the authorization if the third-party server used an ID Token signature algorithm other than RSA-256. This has been corrected.

A regression was fixed: If a FHIR Endpoint module is paired with a FHIR Storage module (RDBMS), the endpoint should use the FHIR Storage module for validation support if no explicit validation support module is specified.

A regression in Smile CDR 2021.02 meant that OAuth2 Code Exchange flows required a client_secret request parameter, as opposed to also allowing authentication through an Authorization header. This has been resolved.

Smile CDR was not correctly recognizing the Group Bulk Export provider, this has been rectified.

The SMART Discovery Document served from the FHIR Endpoint module was not available on endpoints with a non-default context root. This has been corrected.

Change RTE single-quote escape policy from a backslash to doubled up quotes

When performing a federated OIDC login with a provider that has a JWKS containing both an EC256 and an EC512 key, the wrong key may be selected for verification, resulting in a false negative. This has been corrected.

A new pointcut has been added to the CDR Interceptor framework that allows FHIR Gateway search operations to be intercepted after the search has completed on each target server, potentially modifying the results before they are returned to the client.

The FHIR Gateway module will now gracefully handle search responses from any targets that do not correctly supply self or previous paging links in their search response Bundles.

Not all Mongo storage pointcuts were being called properly. Specifically, STORAGE_PREACCESS_RESOURCES and STORAGE_PRESHOW_RESOURCES were not being called for read, search and delete operations. This has been corrected.

When performing a cascading delete, information about the results of the cascade was not correctly showing up in the OperationOutcome resource returned to the client, even though the cascade succeeded.

The FHIR Gateway module will now gracefully handle search responses from any targets that incorrectly supply prev paging links instead of previous paging links in their search response Bundles.

When using the SMART Outbound Security module to execute the Refresh Token flow, the Launch Context Resource IDs associated with the user session were not persisted with the refresh token, meaning they were not available to the callback scripts. This has been corrected.

The FHIR Gateway module was incorrectly invoking the FHIRGW_SEARCH_TARGET_PREINVOKE interceptor hook instead of the FHIRGW_READ_TARGET_PREINVOKE interceptor hook. This has been fixed.

Both the FHIR Gateway REST Endpoint and Hybrid Providers REST Endpoint modules provided configuration for consent service scripts; however, neither actually invoked these scripts. This has been corrected.

Removed reference to deprecated MDM-specific TerserUtil class from the SurvivorshipHelper class and added isGoldenResourceOlderThanTarget() method.

The initial implementation of FHIR Gateway module did not include support for _id and _source search parameters. Support for these search parameters has now been added.

In the SMART Outbound Security module, any authorities added to the user in the onTokenGenerating callback script were not respected in the eventual user session. This has been corrected.

The FHIR Gateway module was setting the fullUrl values incorrectly in search results when targets were configured without resourceIdPrefix value. This has been fixed.

Calls to /runtime-status/node-statuses/health-checks and /runtime-status/node-statuses/complete used to require both ACCESS_ADMIN_JSON and VIEW_MODULE_STATUS. This has been changed so that only VIEW_MODULE_STATUS permissions are required.

When processing an ORU^R01 message in the HL7 v2.x Listening Module, under some circumstances a message could cause a processing failure with an invalid request error. This has been corrected.

The SMART authentication module failed to process login when configured with a context path and the terms-of-service feature was active. This has been fixed.

The SMART authentication module failed to process login for a second application on the same user session when the terms-of-service feature is active. This has been fixed.

NPE Occurs When Issuing DSTU3 PUT ProcedureRequest Where occurrenceTiming.repeat.boundsPeriod.end Is Not Provided

Addressed the following CVE reports:

• CVE-2021-27568
• CVE-2020-28491
• CVE-2021-23341
• CVE-2018-14040
• WS-2020-0287 This was addressed by ensuring the JMX name is never set on the BasicDataSource bean.

Backported from: 2021.05.R01

NPE Occurs When Issuing DSTU3 PUT ProcedureRequest Where occurrenceTiming.repeat.boundsPeriod.end Is Not Provided

Backported from: 2021.05.R01

A new setting has been added to the FHIR Gateway target configuration called headersToForward. HTTP headers identified in this configuration will be forwarded from the original client request through the gateway and on to the target server.

Backported from: 2021.05.R01

The FHIR Endpoint module can now be configured to return an HTTP 401 for all security issues, instead of returning a 403 when insufficient permissions are found for an otherwise authenticated user.

Backported from: 2021.05.R01

The SMART Discovery Document served from the FHIR Endpoint module was not available on endpoints with a non-default context root. This has been corrected.

Backported from: 2021.05.R01

Change RTE single-quote escape policy from a backslash to doubled up quotes

When converting HL7 v2.x messages via the HL7 v2.x Listening Endpoint module, if MessageHeader creation is enabled, the MSH-10 Control ID value will now be copied to an extension in the generated MessageHeader resource.

A new validation mode called Repository Validation has been added, as well as a new ability to use a FHIR Storage (RDBMS) module specifically to provide validation support. This significantly improves the ability to require conformance to specific IGs in FHIR CDRs.

Refactoring of the SmileCDR Enterprise Master Patient Index solution to a Master Data Management solution to accommodate corresponding changes in HAPI FHIR EMPI. The following changes were made:

• Module name was changed from cdr-persistence-empi to cdr-persistence-mdm
• EMPI match on the Patient / Provider resources was changed to use new MDM semantic
• New MDM match ($mdm-match) operation was introduced.
• EMPI operations were renamed to MDM. E.g. $empi-update-link to $mdm-update-link, $empi-merge-persons to $mdm-merge-golden-resources, etc.
• RESTful Service Path URLs path prefix changed from /empi to /mdm
• EMPI permission category, while still in existence, is deprecated
• Permission category for MDM was added

Added new OAuth2Exceptions API within the SMART on FHIR Outbound Security JavaScript execution environment to support returning failure codes other than HTTP 500 Internal Server Error. Returning HTTP 401 Unauthorized and HTTP 403 Forbidden are now also supported.

An example user revocation page skin has been added to the Demo Skin for the SMART Outbound Security module.

The SMART Client Revocation Page will now revoke active access and refresh token, as well as forgetting any previously approved scopes.

Access tokens generated by the SMART Outbound Security module will now include a claim called scope that contains a list of approved scopes associated with the token.

As IT Admin, I need ability to allow SmileCDR clients automatically receive their OIC secrets during creation process

Added new CDS-Hooks module that implements Version 1.1 of the CDS-Hooks specification.

Support has been added for the launch (EHR Launch Context) scope in the SMART Outbound Security module.

Added new functionality to the Realtime Export module to support retaining all historical versions of resources. This can be enabled by setting retainAllHistory to true in the JSON configuration of Realtime Export.

Added two auto-prefetch features to CDS-Hooks: auto prefetch from FHIR endpoint specified in request and auto-prefetch from FHIR Storage module.

Two improvements have been made to the Smile CDR .well-known discovery docs: * The OIDC discovery doc now includes the mandatory subject_types_supported element, which was previously missing * Support has been added for the SMART discovery endpoint, which supercedes the extensions added to the FHIR CapabilityStatement (although these have not been removed

Improved Channel Import to be able to handle plaintext, CSV, and non-FHIR JSON payloads. See the Documentation for more details about how to process incoming messages.

Added new variable ${client_attestation_accepted} that is now available to the login and approve skins that indicates whether or not that client has accepted the attestation to the policy.

Added support for the $evaluate-measure Operation as part of adding CQL support.

Two new variables ${client_scopes} and ${client_auto_grant_scopes} that are now available to the login skin that contain lists of oidc client scopes and auto-grant scopes respectively.

When using the Javascript Execution Environment Fhir object to access a FHIR Storage module that is configured to run in Request Tenant Selection Mode, a new method has been added to the JS API that allows tenant selection.

Mongo search default and maximum page sizes are now configurable. Also added Mongo support for searching with _offset.

The 2020.11.R01 release of Smile CDR introduced a new optimized SQL generator for RDBMS repositories. This new system was disabled by default in 2020.11 but has been enabled by default in 2021.02.R01

With a new version of HAPI comes an upgrade from Hibernate Search 5 to Hibernate Search 6. Anybody using fulltext search, terminology expansion, or the lastN operation will need to reindex all their data, as field formats have changed between versions. This change requires those using Elasticsearch as a backend to upgrade their Elasticsearch clusters to 7.10. Additionally, HTTPS connections to Elasticsearch clusters are now supported via the protocol property on the Elasticsearch Provider. WARNING: If you use Lucene in any capacity (fulltext search, terminology expansion, lastN), you must empty out your lucene storage directory before upgrading, as Lucene's index storage format has changed.

The instructions in the Smile CDR tutorial for launching the Growth Chart app have been replaced with new instructions that leverage the latest version of the app launched directly from the source code instead of using an old version that is bundled into Smile CDR.

When using the SMART Outbound Security module, the onTokenGenerating callback script was not called for authentications using the Client Credentials Grant type. This has been corrected.

When using the JSON API, searching the transaction log by transaction ID failed with a ClassCastException. This has been corrected.

With new modules accepting external input into kafka channels, Smile CDR now drops messages that fail deserialization (poison pills). Previously they would block the consumers as they were stuck on the poisoned offset.

When a client is configured to be allowed a SMART 'star scope' such as patient/*.read, it should be automatically permitted to request an equivalent but narrower scope such as patient/Observation.read. A regression in 2020.11 meant that the approval was allowed, but the narrower scope couldn't actually be used in any API calls. This has been corrected.

The onTokenGenerating(..) callback previously provided a mechanism to access approved scopes, but it was not populated and was therefore not usable. This has been corrected, and this function can now access and modify the list of approved scopes.

Fixed a bug that would cause message receive failure in Channel Import module when using ActiveMQ as a broker.

Smile CDR's JavaScript Execution Environment's FHIR Model API now supports extensions on primitive types using an underscore prefix (i.e. _).

A number of issues were found to occur when migrating Smile CDR databases with flyway disabled. These issues are now fixed.

When trying to retrieve a list of users from JSON Admin console, an error was returned if no sort criteria was selected. This has been fixed.

Tab is now supported as a delimiter by ETL Importer.

Addressed the following CVE reports via the removal of hibernate search 5, and related Elasticsearch libraries:

• CVE-2019-7611
• CVE-2019-7614
• CVE-2020-7020
• CVE-2017-12629

When Suppress Error Details was enabled, OIDC Client Credentials grants did not suppress the fact that an invalid client ID was truly unknown, allowing a malicious user to search for valid client IDs. This has been corrected.