davinci_crd_test_kit 0.9.0

data/lib/davinci_crd_test_kit/client_tests/token_header_test.rb

@@ -0,0 +1,34 @@
+module DaVinciCRDTestKit
+  class TokenHeaderTest < Inferno::Test
+    id :crd_token_header
+    title 'Authorization token header contains required information'
+    description %(
+      Verify that the JWT header contains the header fields required by the [CDS hooks spec](https://cds-hooks.hl7.org/2.0#trusting-cds-clients).
+      The `alg`, `kid`, and `typ` fields are required. This test also verifies that the `typ` field is set to `JWT` and
+      that the key used to sign the token can be identified in the JWKS.
+    )
+
+    input :auth_token_header_json, :crd_jwks_keys_json
+    output :auth_token_jwk_json
+
+    run do
+      header = JSON.parse(auth_token_header_json)
+
+      algorithm = header['alg']
+      assert algorithm.present?, 'Token header must have the `alg` field'
+      assert algorithm != 'none', 'Token header `alg` field cannot be set to none'
+
+      assert header['typ'].present?, 'Token header must have the `typ` field'
+      assert header['typ'] == 'JWT', "Token header `typ` field must be set to 'JWT', instead was #{header['typ']}"
+
+      assert header['kid'].present?, 'Token header must have the `kid` field'
+      kid = header['kid']
+      keys = JSON.parse(crd_jwks_keys_json)
+
+      jwk = keys.find { |key| key['kid'] == kid }
+      assert jwk.present?, "JWKS did not contain a public key with an id of `#{kid}`"
+
+      output auth_token_jwk_json: jwk.to_json
+    end
+  end
+end

data/lib/davinci_crd_test_kit/client_tests/token_payload_test.rb

@@ -0,0 +1,61 @@
+module DaVinciCRDTestKit
+  class TokenPayloadTest < Inferno::Test
+    include URLs
+    id :crd_token_payload
+    title 'Authorization token payload has required claims and a valid signature'
+    description %(
+      Verify that the JWT payload contains the payload fields required by the
+      [CDS hooks spec](https://cds-hooks.hl7.org/2.0#trusting-cds-clients).
+      The `iss`, `aud`, `exp`, `iat`, and `jti` claims are required.
+      Additionally:
+
+      - `iss` must match the `issuer` from the `iss` input
+      - `aud` must match the URL of the CDS Service endpoint being invoked
+      - `exp` must represent a time in the future
+      - `jti` must be a non-blank string that uniquely identifies this authentication JWT
+    )
+
+    REQUIRED_CLAIMS = ['iss', 'aud', 'exp', 'iat', 'jti'].freeze
+
+    def required_claims
+      REQUIRED_CLAIMS.dup
+    end
+
+    def hook_url
+      base_url + config.options[:hook_path]
+    end
+
+    input :auth_token,
+          :auth_token_jwk_json,
+          :iss
+
+    run do
+      begin
+        jwk = JSON.parse(auth_token_jwk_json).deep_symbolize_keys
+
+        payload, =
+          JWT.decode(
+            auth_token,
+            JWT::JWK.import(jwk).public_key,
+            true,
+            algorithms: [jwk[:alg]],
+            exp_leeway: 60,
+            iss:,
+            aud: hook_url,
+            verify_not_before: false,
+            verify_iat: false,
+            verify_jti: true,
+            verify_iss: true,
+            verify_aud: true
+          )
+      rescue StandardError => e
+        assert false, "Token validation error: #{e.message}"
+      end
+
+      missing_claims = required_claims - payload.keys
+      missing_claims_string = missing_claims.map { |claim| "`#{claim}`" }.join(', ')
+
+      assert missing_claims.empty?, "JWT payload missing required claims: #{missing_claims_string}"
+    end
+  end
+end

data/lib/davinci_crd_test_kit/crd_client_suite.rb

@@ -0,0 +1,156 @@
+require_relative 'client_fhir_api_group'
+require_relative 'client_hooks_group'
+require_relative 'routes/cds_services_discovery_handler'
+require_relative 'tags'
+require_relative 'urls'
+require_relative 'crd_options'
+require_relative 'routes/hook_request_endpoint'
+require_relative 'ext/inferno_core/runnable'
+require_relative 'version'
+
+module DaVinciCRDTestKit
+  class CRDClientSuite < Inferno::TestSuite
+    id :crd_client
+    title 'Da Vinci CRD Client Test Suite'
+    description <<~DESCRIPTION
+      The Da Vinci CRD Client Test Suite tests the conformance of client systems
+      to [version 2.0.1 of the Da Vinci Coverage Requirements Discovery (CRD)
+      Implementation Guide](https://hl7.org/fhir/us/davinci-crd/STU2).
+
+      ## Overview
+      This suite contains two groups of tests. The Hooks group receives and
+      responds to incoming CDS Hooks requests from CRD clients. The FHIR API
+      group makes FHIR requests to CRD Clients to verify that they support the
+      FHIR interactions defined in the implementation guide.
+
+      ## CDS Services
+      This suite provides basic CDS services for [the six hooks contained in the
+      implementation
+      guide](https://hl7.org/fhir/us/davinci-crd/STU2/hooks.html). The discovery
+      endpoint is located at:
+
+      * `#{Inferno::Application['base_url']}/custom/#{id}/cds-services`
+
+      ## SMART App Launch
+      Use this information when registering Inferno as a SMART App:
+
+      * Launch URI: `#{SMARTAppLaunch::AppLaunchTest.config.options[:launch_uri]}`
+      * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
+
+      If a client receives a SMART App Launch card in a response and would like
+      to test their ability to launch Inferno as a SMART App, first run the
+      SMART on FHIR Discovery and SMART EHR Launch groups under FHIR API >
+      Authorization. When running the SMART EHR Launch group, Inferno will wait
+      for the incoming SMART App Launch request, and this is the time to perform
+      the launch from the client being tested.
+
+      ## Running the Tests
+      If you would like to try out the tests against [the public CRD reference
+      client](https://crd-request-generator.davinci.hl7.org/), you can do so by:
+      1. Selecting the *CRD Request Generator RI* option from the Preset
+         dropdown in the upper left.
+      2. Selecting the *order-sign* hook group on the left menu.
+      3. Clicking on the *RUN TESTS* button in the upper right.
+      4. Clicking the *Submit* button at the bottom of the input dialog.
+      5. Follow the instructions in the wait dialog.
+      6. Open the reference client in another tab/browser.
+      7. Update the *CRD Server* field in the client configuration to point to
+         the discovery endpoint of this suite provided above, and the *Order
+         Sign Rest End Point*
+         to the service id provided in the wait dialog.
+      8. Select the patient data to be used to form the request, then submit the
+         request.
+
+      You can run these tests using your own client by updating the inputs with
+      your own data.
+
+      Note that:
+      - You can only sequentially *RUN ALL TESTS* if your system supports all
+        hooks.
+      - Systems are not expected to pass the *FHIR RESTful Capabilities* tests
+        based on the provided inputs, as the resource might not exist on the
+        client's FHIR server.
+
+      ## Limitations
+      The test suite does not implement any sort of payer business logic, so the
+      responses to hook calls are simple hard-coded responses. Hook
+      configuration is not tested.
+    DESCRIPTION
+
+    suite_summary <<~SUMMARY
+      The Da Vinci CRD Client Test Suite tests the conformance of client systems
+      to [version 2.0.1 of the Da Vinci Coverage Requirements Discovery (CRD)
+      Implementation Guide](https://hl7.org/fhir/us/davinci-crd/STU2).
+    SUMMARY
+
+    version VERSION
+
+    links [
+      {
+        label: 'Report Issue',
+        url: 'https://github.com/inferno-framework/davinci-crd-test-kit/issues'
+      },
+      {
+        label: 'Open Source',
+        url: 'https://github.com/inferno-framework/davinci-crd-test-kit'
+      },
+      {
+        label: 'Download',
+        url: 'https://github.com/inferno-framework/davinci-crd-test-kit/releases'
+      }
+    ]
+
+    fhir_resource_validator do
+      igs('hl7.fhir.us.davinci-crd', 'hl7.fhir.us.core')
+
+      exclude_message do |message|
+        message.message.match?(/\A\S+: \S+: URL value '.*' does not resolve/)
+      end
+    end
+
+    suite_option :smart_app_launch_version,
+                 title: 'SMART App Launch Version',
+                 list_options: [
+                   {
+                     label: 'SMART App Launch 1.0.0',
+                     value: CRDOptions::SMART_1
+                   },
+                   {
+                     label: 'SMART App Launch 2.0.0',
+                     value: CRDOptions::SMART_2
+                   }
+                 ]
+
+    def self.test_resumes?(test)
+      !test.config.options[:accepts_multiple_requests]
+    end
+
+    def self.extract_token_from_query_params(request)
+      request.query_parameters['token']
+    end
+
+    route :get, '/cds-services', Routes::CDSServicesDiscoveryHandler
+    # TODO
+    # route :post, '/cds-services/:cds-service_id', cds_service_handler
+
+    allow_cors APPOINTMENT_BOOK_PATH, ENCOUNTER_START_PATH, ENCOUNTER_DISCHARGE_PATH, ORDER_DISPATCH_PATH,
+               ORDER_SELECT_PATH, ORDER_SIGN_PATH
+    suite_endpoint :post, APPOINTMENT_BOOK_PATH, HookRequestEndpoint
+    suite_endpoint :post, ENCOUNTER_START_PATH, HookRequestEndpoint
+    suite_endpoint :post, ENCOUNTER_DISCHARGE_PATH, HookRequestEndpoint
+    suite_endpoint :post, ORDER_DISPATCH_PATH, HookRequestEndpoint
+    suite_endpoint :post, ORDER_SELECT_PATH, HookRequestEndpoint
+    suite_endpoint :post, ORDER_SIGN_PATH, HookRequestEndpoint
+
+    resume_test_route :get, RESUME_PASS_PATH do |request|
+      CRDClientSuite.extract_token_from_query_params(request)
+    end
+    resume_test_route :get, RESUME_FAIL_PATH, result: 'fail' do |request|
+      CRDClientSuite.extract_token_from_query_params(request)
+    end
+
+    group from: :crd_client_hooks
+
+    group from: :crd_client_fhir_api
+  end
+end

data/lib/davinci_crd_test_kit/crd_jwks.json

@@ -0,0 +1,59 @@
+{
+  "keys": [
+    {
+      "kty": "EC",
+      "crv": "P-384",
+      "x": "JQKTsV6PT5Szf4QtDA1qrs0EJ1pbimQmM2SKvzOlIAqlph3h1OHmZ2i7MXahIF2C",
+      "y": "bRWWQRJBgDa6CTgwofYrHjVGcO-A7WNEnu4oJA5OUJPPPpczgx1g2NsfinK-D2Rw",
+      "use": "sig",
+      "key_ops": [
+        "verify"
+      ],
+      "ext": true,
+      "kid": "4b49a739d1eb115b3225f4cf9beb6d1b",
+      "alg": "ES384"
+    },
+    {
+      "kty": "EC",
+      "crv": "P-384",
+      "d": "kDkn55p7gryKk2tj6z2ij7ExUnhi0ngxXosvqa73y7epwgthFqaJwApmiXXU2yhK",
+      "x": "JQKTsV6PT5Szf4QtDA1qrs0EJ1pbimQmM2SKvzOlIAqlph3h1OHmZ2i7MXahIF2C",
+      "y": "bRWWQRJBgDa6CTgwofYrHjVGcO-A7WNEnu4oJA5OUJPPPpczgx1g2NsfinK-D2Rw",
+      "key_ops": [
+        "sign"
+      ],
+      "ext": true,
+      "kid": "4b49a739d1eb115b3225f4cf9beb6d1b",
+      "alg": "ES384"
+    },
+    {
+      "kty": "RSA",
+      "alg": "RS384",
+      "n": "vjbIzTqiY8K8zApeNng5ekNNIxJfXAue9BjoMrZ9Qy9m7yIA-tf6muEupEXWhq70tC7vIGLqJJ4O8m7yiH8H2qklX2mCAMg3xG3nbykY2X7JXtW9P8VIdG0sAMt5aZQnUGCgSS3n0qaooGn2LUlTGIR88Qi-4Nrao9_3Ki3UCiICeCiAE224jGCg0OlQU6qj2gEB3o-DWJFlG_dz1y-Mxo5ivaeM0vWuodjDrp-aiabJcSF_dx26sdC9dZdBKXFDq0t19I9S9AyGpGDJwzGRtWHY6LsskNHLvo8Zb5AsJ9eRZKpnh30SYBZI9WHtzU85M9WQqdScR69Vyp-6Uhfbvw",
+      "e": "AQAB",
+      "use": "sig",
+      "key_ops": [
+        "verify"
+      ],
+      "ext": true,
+      "kid": "b41528b6f37a9500edb8a905a595bdd7"
+    },
+    {
+      "kty": "RSA",
+      "alg": "RS384",
+      "n": "vjbIzTqiY8K8zApeNng5ekNNIxJfXAue9BjoMrZ9Qy9m7yIA-tf6muEupEXWhq70tC7vIGLqJJ4O8m7yiH8H2qklX2mCAMg3xG3nbykY2X7JXtW9P8VIdG0sAMt5aZQnUGCgSS3n0qaooGn2LUlTGIR88Qi-4Nrao9_3Ki3UCiICeCiAE224jGCg0OlQU6qj2gEB3o-DWJFlG_dz1y-Mxo5ivaeM0vWuodjDrp-aiabJcSF_dx26sdC9dZdBKXFDq0t19I9S9AyGpGDJwzGRtWHY6LsskNHLvo8Zb5AsJ9eRZKpnh30SYBZI9WHtzU85M9WQqdScR69Vyp-6Uhfbvw",
+      "e": "AQAB",
+      "d": "rriV9GYimi5by7TOW4xNh6_gYBHVRDBsft2OFF8qapdVHt2GNuRDDxc_B6ga6TY2Enh2MLKLTr1dD3W4FIdTCJiMerrorp07FJS7nJEMgWQDxrfgkX4_EqrhW42L5d4vypYnRXEEW6u4gzkx5uFOkdvJBIK7CsIdSaBFYhochnynNgvbKWasi4rl2hayEH8tdf3B7Z6OIH9alspBTaq3j_zJt_KkrpYEzIUb4UgALB5NTWn5YKr0Avk_asOg8YfjViQwO9ASGaWjQeJ2Rx8OEQwBMQHSDMCSWNiWmYOu9PcwSZFc1vLxqzyIM8QrQSJHCCMo_wGYgke_r0CLeONHEQ",
+      "p": "5hH_QApWGeobRi1n7XbMfJYohB8K3JDPa0MspfplHpJ-17JiGG2sNoBdBcpaPRf9OX48P8VqO0qrSSRAk-I-uO6OO9BHbIukXJILqnY2JmurYzbcYbt5FVbknlHRJojkF6-7sFBazpueUlOnXCw7X7Z_SkfNE4QX5Ejm2Zm5mek",
+      "q": "06bZz7c7K9s1-aEZsxYnLJ9eTpKlt1tIBDA_LwIh5W3w259pes2kUtimbnkyOf-V2ZIERsFCh5s-S9IOEMvAIa6M5j9GW1ILNT7AcHIUfcyFcH-FF8BU_KJdRP5PXnIXFdYcylvsdoIdchy1AaUIzyiKRCU3HBYI75hez0l_F2c",
+      "dp": "h_sVIXW6hCCRND48EedIX06k7conMkxIu_39ErDXOWWeoMAnKIcR5TijQnviL__QxD1vQMXezuKIMHfDz2RGbClbWdD1lhtG7wvG515tDPJQXxia0wzqOQmdoFF9S8hXAAT26vPjaAAkaEZXQaxG_4Au5elgNWu6b0wDXZN1Vpk",
+      "dq": "GqS0YpuUTU8JGmWXUJ4HTGy7eHSpe8134V8ZdRd1oOYYHe2RX64nc25mdR24nuh3uq3Q7_9AGsYGL5E_yAl-JD9O6WUpvDE1y_wcSYty3Os0GRdUb8r8Z9kgmKDS6Pa_xTXw5eBwgfKbNlQ6zPwzgbB-x1lP-K8lbNPni3ybDR0",
+      "qi": "cqQfoi0sM5Su8ZOhznmdWrDIQB28H6fBKiabgaIKkbWZV4e0nwFvLquHjPOvv4Ao8iEGU5dyhvg0n5BKYPi-4mp6M6OA1sy0NrTr7EsKSYGyu2pBq9rw4oAYTM2LXKg6K-awgUUlkc451IwxHBAe15PWCBM3kvLQeijNid0Vz5I",
+      "key_ops": [
+        "sign"
+      ],
+      "ext": true,
+      "kid": "b41528b6f37a9500edb8a905a595bdd7"
+    }
+  ]
+}

data/lib/davinci_crd_test_kit/crd_options.rb

@@ -0,0 +1,9 @@
+module DaVinciCRDTestKit
+  module CRDOptions
+    SMART_1 = 'smart_app_launch_1'.freeze
+    SMART_2 = 'smart_app_launch_2'.freeze
+
+    SMART_1_REQUIREMENT = { smart_app_launch_version: SMART_1 }.freeze
+    SMART_2_REQUIREMENT = { smart_app_launch_version: SMART_2 }.freeze
+  end
+end

data/lib/davinci_crd_test_kit/crd_server_suite.rb

@@ -0,0 +1,115 @@
+require_relative 'jwt_helper'
+require_relative 'routes/jwk_set_endpoint_handler'
+require_relative 'server_discovery_group'
+require_relative 'server_hooks_group'
+require_relative 'version'
+
+module DaVinciCRDTestKit
+  class CRDServerSuite < Inferno::TestSuite
+    id :crd_server
+    title 'Da Vinci CRD Server Test Suite'
+    description <<~DESCRIPTION
+      The Da Vinci CRD Server Test Suite tests the conformance of server systems
+      to [version 2.0.1 of the Da Vinci Coverage Requirements Discovery (CRD)
+      Implementation Guide](https://hl7.org/fhir/us/davinci-crd/STU2).
+
+      ## Overview
+      This suite contains two groups of tests. The Discovery group validates a
+      CRD server's discovery response. The Hooks group makes CDS Hooks calls to
+      the server and validates the responses. By default, the hook requests are
+      based on examples from the CDS Hooks specification, but testers can
+      replace these with request bodies to elicit a particular response from
+      their system.
+
+      ## Trusting CDS Clients
+      As specified in the [CDS Hooks Spec](https://cds-hooks.hl7.org/2.0/#trusting-cds-clients),
+      Each time a CDS Client transmits a request to a CDS Service which
+      requires authentication, the request MUST include an Authorization
+      header presenting the JWT as a “Bearer” token:
+      `Authorization:  Bearer {{JWT}}`
+
+      Inferno self-issues the JWT for each CDS Service call. The following
+      info is needed to register Inferno:
+
+        - **ISS**:  `#{Inferno::Application[:base_url]}/custom/crd_server`
+        - **JWK Set Url**:
+            `#{Inferno::Application[:base_url]}/custom/crd_server/jwks.json`
+
+      ## Running the Tests
+      Execution of these tests require a significant amount of tester input in
+      the form of requests that Inferno will make against the server under test.
+
+      If you would like to try out the tests using examples from the IG and the
+      [CDS Hooks spec](https://cds-hooks.hl7.org/2.0/) against [the public CRD
+      reference server endpoint](https://crd.davinci.hl7.org/), you can do so
+      by:
+      1. Selecting the *CRD Server RI* option from the
+         Preset dropdown in the upper left
+      2. Clicking the *Run All Tests* button in the upper right
+      3. Clicking the *Submit* button at the bottom of the input dialog
+
+      You can run these tests using your own server by updating the "CRD server
+      base URL" and, if needed, providing requests inputs you wish to use for
+      each hook your server supports.
+
+      Note that the provided inputs for these tests are not complete and systems
+      are not expected to pass the tests based on them.
+
+
+      ## Limitations
+      Inferno is unable to determine what requests will result in specific kinds
+      of responses from the server under test (e.g., what will result in
+      Instructions being returned vs. Coverage Information). As a result, the
+      tester must supply the request bodies which will cause the system under
+      test to return the desired response types.
+
+      The ability of a CRD Server to request additional FHIR resources is not
+      tested. Hook configuration is not tested.
+    DESCRIPTION
+
+    suite_summary <<~SUMMARY
+      The Da Vinci CRD Server Test Suite tests the conformance of server systems
+      to [version 2.0.1 of the Da Vinci Coverage Requirements Discovery (CRD)
+      Implementation Guide](https://hl7.org/fhir/us/davinci-crd/STU2).
+    SUMMARY
+
+    version VERSION
+
+    links [
+      {
+        label: 'Report Issue',
+        url: 'https://github.com/inferno-framework/davinci-crd-test-kit/issues'
+      },
+      {
+        label: 'Open Source',
+        url: 'https://github.com/inferno-framework/davinci-crd-test-kit'
+      },
+      {
+        label: 'Download',
+        url: 'https://github.com/inferno-framework/davinci-crd-test-kit/releases'
+      }
+    ]
+
+    input :base_url,
+          title: 'CRD server base URL'
+
+    fhir_resource_validator do
+      igs('hl7.fhir.us.davinci-crd', 'hl7.fhir.us.core')
+
+      exclude_message do |message|
+        message.message.match?(/\A\S+: \S+: URL value '.*' does not resolve/)
+      end
+    end
+
+    def inferno_base_url
+      suite_id = self.class.suite.id
+      @inferno_base_url ||= "#{Inferno::Application['base_url']}/custom/#{suite_id}"
+    end
+
+    route :get, '/jwks.json', Routes::JWKSetEndpointHandler
+
+    group from: :crd_server_discovery_group
+
+    group from: :crd_server_hooks
+  end
+end

data/lib/davinci_crd_test_kit/ext/inferno_core/runnable.rb

@@ -0,0 +1,22 @@
+module Inferno
+  module DSL
+    module Runnable
+      PRE_FLIGHT_HANDLER = proc do
+        [
+          200,
+          {
+            'Access-Control-Allow-Origin' => '*',
+            'Access-Control-Allow-Headers' => 'Content-Type, Authorization'
+          },
+          ['']
+        ]
+      end
+
+      def allow_cors(*paths)
+        paths.each do |path|
+          route(:options, path, PRE_FLIGHT_HANDLER)
+        end
+      end
+    end
+  end
+end