davinci_pas_test_kit 0.12.2 → 0.13.1

data/lib/davinci_pas_test_kit/custom_groups/v2.0.1/client_registration/configuration_smart_display_test.rb

@@ -0,0 +1,37 @@
+require_relative '../../../urls'
+
+module DaVinciPASTestKit
+  module DaVinciPASV201
+    class PASClientRegistrationConfigurationSMARTDisplay < Inferno::Test
+      include URLs
+
+      id :pas_client_v201_reg_config_smart_display
+      title 'Confirm client configuration'
+      description %(
+        This test provides all the information needed for testers to configure
+        the client under test to communicate with Inferno's simulated PAS server
+        including SMART endpoints to obtain access tokens.
+      )
+
+      input :client_id
+
+      run do
+        wait(
+          identifier: client_id,
+          message: %(
+            **Inferno Simulated Server Details**:
+
+            FHIR Base URL: `#{fhir_base_url}`
+
+            Authentication Details:
+            - SMART Client Id: `#{client_id}`
+            - Token endpoint: `#{token_url}`
+
+            [Click here](#{resume_pass_url}?token=#{client_id}) once you have configured
+            the client to connect to Inferno at the above endpoints.
+          )
+        )
+      end
+    end
+  end
+end

data/lib/davinci_pas_test_kit/custom_groups/v2.0.1/client_registration/configuration_udap_display_test.rb

@@ -0,0 +1,37 @@
+require_relative '../../../urls'
+
+module DaVinciPASTestKit
+  module DaVinciPASV201
+    class PASClientRegistrationConfigurationUDAPDisplay < Inferno::Test
+      include URLs
+
+      id :pas_client_v201_reg_config_udap_display
+      title 'Confirm client configuration'
+      description %(
+        This test provides all the information needed for testers to configure
+        the client under test to communicate with Inferno's simulated PAS server
+        including UDAP endpoints to obtain access tokens.
+      )
+
+      input :client_id
+
+      run do
+        wait(
+          identifier: client_id,
+          message: %(
+            **Inferno Simulated Server Details**:
+
+            FHIR Base URL: `#{fhir_base_url}`
+
+            Authentication Details:
+            - UDAP Client Id: `#{client_id}`
+            - Token endpoint: `#{token_url}`
+
+            [Click here](#{resume_pass_url}?token=#{client_id}) once you have configured
+            the client to connect to Inferno at the above endpoints.
+          )
+        )
+      end
+    end
+  end
+end

data/lib/davinci_pas_test_kit/custom_groups/v2.0.1/client_registration/other_auth_attest_test.rb

@@ -0,0 +1,36 @@
+require_relative '../../../urls'
+
+module DaVinciPASTestKit
+  module DaVinciPASV201
+    class PASClientRegistrationOtherAuthAttest < Inferno::Test
+      include URLs
+
+      id :pas_client_v201_reg_other_auth_attest
+      title 'Verify that the client supports an approach for authenticating itself to the server (Attestation)'
+      description %(
+        Since a standard auth approach was not chosen for this session, this test provides testers with an
+        opportunity to attest to their client's ability to authenticate itself to a server
+        using a method that this Inferno test suite does not support, such as mutual authentication
+        TLS.
+      )
+
+      run do
+        identifier = SecureRandom.hex(32)
+        wait(
+          identifier:,
+          message: %(
+            **Other Authentication Attestation**:
+
+            I attest that the client system can authenticate itself with a PAS server using
+            a mechanism other than the SMART Backend Services or UDAP B2B client credentials
+            flows.
+
+            [Click here](#{resume_pass_url}?token=#{identifier}) if the above statement is true.
+
+            [Click here](#{resume_fail_url}?token=#{identifier}) if the above statement is false.
+          )
+        )
+      end
+    end
+  end
+end

data/lib/davinci_pas_test_kit/custom_groups/v2.0.1/client_tests/pas_client_approval_submit_test.rb

@@ -1,11 +1,14 @@
 require_relative '../../../urls'
+require_relative '../../../descriptions'
 require_relative '../../../user_input_response'
+require_relative '../../../session_identification'
 
 module DaVinciPASTestKit
   module DaVinciPASV201
     class PASClientApprovalSubmitTest < Inferno::Test
       include URLs
       include UserInputResponse
+      include SessionIdentification
 
       id :pas_client_v201_approval_submit_test
       title 'Client submits a claim using the $submit operation'
@@ -17,12 +20,6 @@ module DaVinciPASTestKit
       verifies_requirements 'hl7.fhir.us.davinci-pas_2.0.1@58', 'hl7.fhir.us.davinci-pas_2.0.1@62',
                             'hl7.fhir.us.davinci-pas_2.0.1@70', 'hl7.fhir.us.davinci-pas_2.0.1@202'
 
-      input :access_token,
-            title: 'Access Token',
-            description: %(
-              Access token that the client will provide in the Authorization header of each request
-              made during this test.
-            )
       input :approval_json_response,
             title: 'Claim approved response JSON',
             type: 'textarea',
@@ -34,6 +31,19 @@ module DaVinciPASTestKit
               If not provided, an approval response will be generated from the submitted Claim.
               In either case, the response will be validated against the PAS Response Bundle profile.
             )
+      input :client_id,
+            title: 'Client Id',
+            type: 'text',
+            optional: true,
+            locked: true,
+            description: INPUT_CLIENT_ID_LOCKED
+      input :session_url_path,
+            title: 'Session-specific URL path extension',
+            type: 'text',
+            optional: true,
+            locked: true,
+            description: INPUT_SESSION_URL_PATH_LOCKED
+
       submit_respond_with :approval_json_response
 
       run do
@@ -47,16 +57,17 @@ module DaVinciPASTestKit
           ))
         end
 
+        wait_identifier = session_wait_identifier(client_id, session_url_path)
+        submit_endpoint = session_endpont_url(:submit, client_id, session_url_path)
+
         wait(
-          identifier: access_token,
+          identifier: wait_identifier,
           message: %(
             **Approval Workflow Test**:
 
             Submit a PAS request to
 
-            `#{submit_url}`
-
-            The request must have an `Authorization` header with the value `Bearer #{access_token}`.
+            `#{submit_endpoint}`
 
             If the optional '**#{input_title(:approval_json_response)}**' input is populated, it will
             be returned, updated with current timestamps. Otherwise, an approval response will

data/lib/davinci_pas_test_kit/custom_groups/v2.0.1/client_tests/pas_client_denial_submit_test.rb

@@ -1,10 +1,13 @@
 require_relative '../../../urls'
+require_relative '../../../descriptions'
 require_relative '../../../user_input_response'
+require_relative '../../../session_identification'
 
 module DaVinciPASTestKit
   module DaVinciPASV201
     class PASClientDenialSubmitTest < Inferno::Test
       include URLs
+      include SessionIdentification
       include UserInputResponse
 
       id :pas_client_v201_denial_submit_test
@@ -17,12 +20,6 @@ module DaVinciPASTestKit
       verifies_requirements 'hl7.fhir.us.davinci-pas_2.0.1@58', 'hl7.fhir.us.davinci-pas_2.0.1@62',
                             'hl7.fhir.us.davinci-pas_2.0.1@70', 'hl7.fhir.us.davinci-pas_2.0.1@202'
 
-      input :access_token,
-            title: 'Access Token',
-            description: %(
-              Access token that the client will provide in the Authorization header of each request
-              made during this test.
-            )
       input :denial_json_response,
             title: 'Claim denied response JSON',
             type: 'textarea',
@@ -34,6 +31,18 @@ module DaVinciPASTestKit
               If not provided, a denial response will be generated from the submitted Claim.
               In either case, the response will be validated against the PAS Response Bundle profile.
             )
+      input :client_id,
+            title: 'Client Id',
+            type: 'text',
+            optional: true,
+            locked: true,
+            description: INPUT_CLIENT_ID_LOCKED
+      input :session_url_path,
+            title: 'Session-specific URL path extension',
+            type: 'text',
+            optional: true,
+            locked: true,
+            description: INPUT_SESSION_URL_PATH_LOCKED
       submit_respond_with :denial_json_response
 
       run do
@@ -47,16 +56,17 @@ module DaVinciPASTestKit
           ))
         end
 
+        wait_identifier = session_wait_identifier(client_id, session_url_path)
+        submit_endpoint = session_endpont_url(:submit, client_id, session_url_path)
+
         wait(
-          identifier: access_token,
+          identifier: wait_identifier,
           message: %(
             **Denial Workflow Test**:
 
             Submit a PAS request to
 
-            `#{submit_url}`
-
-            The request must have an `Authorization` header with the value `Bearer #{access_token}`.
+            `#{submit_endpoint}`
 
             If the optional '**#{input_title(:denial_json_response)}**' input is populated, it will
             be returned, updated with current timestamps. Otherwise, a denial response will

data/lib/davinci_pas_test_kit/custom_groups/v2.0.1/client_tests/pas_client_inquire_must_support_test.rb

@@ -1,9 +1,12 @@
 require_relative '../../../urls'
+require_relative '../../../descriptions'
+require_relative '../../../session_identification'
 
 module DaVinciPASTestKit
   module DaVinciPASV201
     class PASClientInquireMustSupportTest < Inferno::Test
       include URLs
+      include SessionIdentification
 
       id :pas_client_inquire_v201_must_support_test
       title 'Client inquires about claims using the $inquire operation to demonstrate coverage of must support elements'
@@ -11,17 +14,26 @@ module DaVinciPASTestKit
         This test allows the client to send $inquire requests in addition to any already sent in previous test groups
         for Inferno to evaluate coverage of must support elements.
       )
-      input :access_token,
-            title: 'Access Token',
-            description: %(
-              Access token that the client will provide in the Authorization header of each request
-              made during this test.
-            )
+      input :client_id,
+            title: 'Client Id',
+            type: 'text',
+            optional: true,
+            locked: true,
+            description: INPUT_CLIENT_ID_LOCKED
+      input :session_url_path,
+            title: 'Session-specific URL path extension',
+            type: 'text',
+            optional: true,
+            locked: true,
+            description: INPUT_SESSION_URL_PATH_LOCKED
       config options: { accepts_multiple_requests: true }
 
       run do
+        wait_identifier = session_wait_identifier(client_id, session_url_path)
+        inquire_endpoint = session_endpont_url(:inquire, client_id, session_url_path)
+
         wait(
-          identifier: access_token,
+          identifier: wait_identifier,
           message: %(
             The client system may now make multiple $inquire requests before continuing. These requests should
             cumulatively demonstrate coverage of all required profiles and all must support elements within those
@@ -40,9 +52,9 @@ module DaVinciPASTestKit
 
             Submit PAS requests to
 
-            `#{inquire_url}`
+            `#{inquire_endpoint}`
 
-            and [click here](#{resume_pass_url}?token=#{access_token}) when done.
+            and [click here](#{resume_pass_url}?token=#{wait_identifier}) when done.
           )
         )
       end

data/lib/davinci_pas_test_kit/custom_groups/v2.0.1/client_tests/pas_client_pended_submit_test.rb

@@ -1,11 +1,14 @@
 require_relative '../../../urls'
+require_relative '../../../descriptions'
 require_relative '../../../user_input_response'
 require_relative '../../../pas_bundle_validation'
+require_relative '../../../session_identification'
 
 module DaVinciPASTestKit
   module DaVinciPASV201
     class PASClientPendedSubmitTest < Inferno::Test
       include URLs
+      include SessionIdentification
       include UserInputResponse
       include PasBundleValidation
 
@@ -25,12 +28,6 @@ module DaVinciPASTestKit
                             'hl7.fhir.us.davinci-pas_2.0.1@203'
 
       config options: { accepts_multiple_requests: true }
-      input :access_token,
-            title: 'Access Token',
-            description: %(
-              Access token that the client will provide in the Authorization header of each request
-              made during this test.
-            )
       input :notification_bundle,
             title: 'Claim updated notification JSON',
             type: 'textarea',
@@ -77,6 +74,19 @@ module DaVinciPASTestKit
               in the `channel.header` element. If a value for the `authorization` header is provided in
               `channel.header`, this value will override it.
             )
+      input :client_id,
+            title: 'Client Id',
+            type: 'text',
+            optional: true,
+            locked: true,
+            description: INPUT_CLIENT_ID_LOCKED
+      input :session_url_path,
+            title: 'Session-specific URL path extension',
+            type: 'text',
+            optional: true,
+            locked: true,
+            description: INPUT_SESSION_URL_PATH_LOCKED
+
       submit_respond_with :pended_json_response
       inquire_respond_with :inquire_json_response
 
@@ -120,17 +130,19 @@ module DaVinciPASTestKit
           ))
         end
 
+        wait_identifier = session_wait_identifier(client_id, session_url_path)
+        submit_endpoint = session_endpont_url(:submit, client_id, session_url_path)
+        inquire_endpoint = session_endpont_url(:inquire, client_id, session_url_path)
+
         wait(
-          identifier: access_token,
+          identifier: wait_identifier,
           timeout: 600,
           message: %(
             **Pended Workflow Test**:
 
             1. Submit a PAS request to
 
-            `#{submit_url}`
-
-            The request must have an `Authorization` header with the value `Bearer #{access_token}`.
+            `#{submit_endpoint}`
 
             If the optional '**#{input_title(:pended_json_response)}**' input is populated, it will
             be returned, updated with current timestamps. Otherwise, a pended response will
@@ -144,9 +156,7 @@ module DaVinciPASTestKit
 
             3. Once the notification has been received, submit a PAS inquiry request to
 
-            `#{inquire_url}`
-
-            The request must have an `Authorization` header with the value `Bearer #{access_token}`.
+            `#{inquire_endpoint}`
 
             If the optional '**#{input_title(:inquire_json_response)}**' input is populated, it will
             be returned, updated with current timestamps. Otherwise, an approval response will
@@ -158,7 +168,7 @@ module DaVinciPASTestKit
             to be able to faithfully answer the attestations.
 
             Once the client has completed these steps,
-            [click here to complete the test](#{resume_pass_url}?token=#{access_token})
+            [click here to complete the test](#{resume_pass_url}?token=#{wait_identifier})
             and continue Inferno's evaluation of the interaction.
           )
         )

data/lib/davinci_pas_test_kit/custom_groups/v2.0.1/client_tests/pas_client_response_attest.rb

@@ -12,12 +12,6 @@ module DaVinciPASTestKit
         the receipt of response and attest that users are able to see the appropriate
         updates to the corresponding prior authorization request in their system.
       )
-      input :access_token,
-            title: 'Access Token',
-            description: %(
-              Access token that the client will provide in the Authorization header of each request
-              made during this test.
-            )
 
       def workflow_tag
         config.options[:workflow_tag]
@@ -39,16 +33,17 @@ module DaVinciPASTestKit
       end
 
       run do
+        identifier = SecureRandom.hex(32)
         wait(
-          identifier: access_token,
+          identifier:,
           message: %(
             **#{workflow_name} Workflow Test**:
 
             #{attest_message}
 
-            [Click here](#{resume_pass_url}?token=#{access_token}) if the above statement is **true**.
+            [Click here](#{resume_pass_url}?token=#{identifier}) if the above statement is **true**.
 
-            [Click here](#{resume_fail_url}?token=#{access_token}) if the above statement is **false**.
+            [Click here](#{resume_fail_url}?token=#{identifier}) if the above statement is **false**.
           )
         )
       end

data/lib/davinci_pas_test_kit/custom_groups/v2.0.1/client_tests/pas_client_submit_must_support_test.rb

@@ -1,9 +1,12 @@
 require_relative '../../../urls'
+require_relative '../../../descriptions'
+require_relative '../../../session_identification'
 
 module DaVinciPASTestKit
   module DaVinciPASV201
     class PASClientSubmitMustSupportTest < Inferno::Test
       include URLs
+      include SessionIdentification
 
       id :pas_client_submit_v201_must_support_test
       title 'Client submits claims using the $submit operation to demonstrate coverage of must support elements'
@@ -14,17 +17,26 @@ module DaVinciPASTestKit
       verifies_requirements 'hl7.fhir.us.davinci-pas_2.0.1@58', 'hl7.fhir.us.davinci-pas_2.0.1@62',
                             'hl7.fhir.us.davinci-pas_2.0.1@70', 'hl7.fhir.us.davinci-pas_2.0.1@202'
 
-      input :access_token,
-            title: 'Access Token',
-            description: %(
-              Access token that the client will provide in the Authorization header of each request
-              made during this test.
-            )
+      input :client_id,
+            title: 'Client Id',
+            type: 'text',
+            optional: true,
+            locked: true,
+            description: INPUT_CLIENT_ID_LOCKED
+      input :session_url_path,
+            title: 'Session-specific URL path extension',
+            type: 'text',
+            optional: true,
+            locked: true,
+            description: INPUT_SESSION_URL_PATH_LOCKED
       config options: { accepts_multiple_requests: true }
 
       run do
+        wait_identifier = session_wait_identifier(client_id, session_url_path)
+        submit_endpoint = session_endpont_url(:submit, client_id, session_url_path)
+
         wait(
-          identifier: access_token,
+          identifier: wait_identifier,
           message: %(
             The client system may now make multiple $submit requests before continuing. These requests should
             cumulatively demonstrate coverage of all required profiles and all must support elements within those
@@ -49,9 +61,9 @@ module DaVinciPASTestKit
 
             Submit PAS requests to
 
-            `#{submit_url}`
+            `#{submit_endpoint}`
 
-            and [click here](#{resume_pass_url}?token=#{access_token}) when done.
+            and [click here](#{resume_pass_url}?token=#{wait_identifier}) when done.
           )
         )
       end

data/lib/davinci_pas_test_kit/custom_groups/v2.0.1/client_tests/pas_client_subscription_create_test.rb

@@ -1,9 +1,12 @@
 require_relative '../../../urls'
+require_relative '../../../descriptions'
+require_relative '../../../session_identification'
 
 module DaVinciPASTestKit
   module DaVinciPASV201
     class PASClientSubscriptionCreateTest < Inferno::Test
       include URLs
+      include SessionIdentification
 
       id :pas_client_v201_subscription_create_test
       title 'Client submits a Subscription Creation Request'
@@ -14,33 +17,40 @@ module DaVinciPASTestKit
       verifies_requirements 'hl7.fhir.us.davinci-pas_2.0.1@137', 'hl7.fhir.us.davinci-pas_2.0.1@140',
                             'hl7.fhir.us.davinci-pas_2.0.1@142'
 
-      input :access_token,
-            title: 'Access Token',
-            description: %(
-              Access token that the client will provide in the Authorization header of each request
-              made during this test.
-            )
+      input :client_id,
+            title: 'Client Id',
+            type: 'text',
+            optional: true,
+            locked: true,
+            description: INPUT_CLIENT_ID_LOCKED
+      input :session_url_path,
+            title: 'Session-specific URL path extension',
+            type: 'text',
+            optional: true,
+            locked: true,
+            description: INPUT_SESSION_URL_PATH_LOCKED
       input :client_endpoint_access_token,
             optional: true,
             title: 'Client Notification Access Token',
             description: %(
               The bearer token that Inferno will send on requests to the client under test's rest-hook notification
-              endpoint. Not needed if the client under test will create a Subscription with an appropriate header value
-              in the `channel.header` element. If a value for the `authorization` header is provided in
-              `channel.header`, this value will override it.
+              endpoint, including handshake notifications sent after Subscription creation. Not needed if the client
+              under test will create a Subscription with an appropriate header value in the `channel.header` element.
+              If a value for the `authorization` header is provided in `channel.header`, this value will override it.
             )
 
       run do
+        wait_identifier = session_wait_identifier(client_id, session_url_path)
+        subscription_endpoint = session_endpont_url(:subscription, client_id, session_url_path)
+
         wait(
-          identifier: access_token,
+          identifier: wait_identifier,
           message: %(
             **Subscription Creation Test**:
 
             Submit a POST with a Subscription to:
 
-            `#{fhir_subscription_url}`
-
-            The request must have an `Authorization` header with the value `Bearer #{access_token}`.
+            `#{subscription_endpoint}`
 
             Upon receipt, Inferno will send a handshake request to verify that notifications can be
             delivered and continue the test with a pass or fail based on the result.

data/lib/davinci_pas_test_kit/custom_groups/v2.0.1/client_tests/pas_client_subscription_pas_conformance_test.rb

@@ -1,8 +1,12 @@
 # frozen_string_literal: true
 
+require_relative '../../../pas_subscription_verification'
+
 module DaVinciPASTestKit
   module DaVinciPASV201
     class SubscriptionPASConformanceTest < Inferno::Test
+      include PASSubscriptionVerification
+
       id :pas_client_v201_subscription_pas_conformance_test
       title 'Client Subscription PAS Conformance Verification'
       description %(
@@ -19,30 +23,7 @@ module DaVinciPASTestKit
         skip_if(requests.none?, 'Inferno did not receive a Subscription creation request')
         subscription_resource = request.request_body
 
-        assert_valid_json(subscription_resource)
-        subscription = JSON.parse(subscription_resource)
-
-        unless subscription['criteria'] == 'http://hl7.org/fhir/us/davinci-pas/SubscriptionTopic/PASSubscriptionTopic'
-          add_message('error', %(
-            The created Subscription must use the PAS-defined Subscription topic
-            `http://hl7.org/fhir/us/davinci-pas/SubscriptionTopic/PASSubscriptionTopic`
-            in the `Subscription.criteria` element.
-          ))
-        end
-
-        filter_criteria = subscription.dig('_criteria', 'extension')
-          &.select do |ext|
-            ext['url'] == 'http://hl7.org/fhir/uv/subscriptions-backport/StructureDefinition/backport-filter-criteria'
-          end
-        unless filter_criteria&.length == 1
-          add_message('error', %(
-            The created Subscription must include a single filter on the submitting organization
-            in the `Subscription.criteria.extension` element.
-          ))
-        end
-
-        assert messages.none? { |msg| msg[:type] == 'error' },
-               'The Created Subscription does not conform to PAS requirements - see messages for details.'
+        verify_pas_subscription(subscription_resource)
       end
     end
   end

data/lib/davinci_pas_test_kit/custom_groups/v2.0.1/error_tests/pas_inquiry_error_test.rb

@@ -19,6 +19,7 @@ module DaVinciPASTestKit
         via the error capability.
       )
       makes_request :pa_invalid_inquiry
+      verifies_requirements 'hl7.fhir.us.davinci-pas_2.0.1@112', 'hl7.fhir.us.davinci-pas_2.0.1@113'
 
       run do
         file_path = File.join(File.dirname(__FILE__), 'nonconformant_pas_bundle.json')

data/lib/davinci_pas_test_kit/custom_groups/v2.0.1/error_tests/pas_submission_error_test.rb

@@ -20,7 +20,9 @@ module DaVinciPASTestKit
 
         The server SHOULD respond within 15 seconds.
       }
-      verifies_requirements 'hl7.fhir.us.davinci-pas_2.0.1@70'
+      verifies_requirements 'hl7.fhir.us.davinci-pas_2.0.1@104', 'hl7.fhir.us.davinci-pas_2.0.1@105',
+                            'hl7.fhir.us.davinci-pas_2.0.1@106', 'hl7.fhir.us.davinci-pas_2.0.1@112',
+                            'hl7.fhir.us.davinci-pas_2.0.1@113'
 
       output :response_time
       makes_request :pa_invalid_request