inferno_core 0.4.39 → 0.4.40

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1c569fc01e07576cb3aa512c37a69d730bc7b9848bd24ed95935b23a0d52759c
-  data.tar.gz: 41165f4f56dcf7c7e552ec0c391b868e5020feed0957f12d508489835a91d140
+  metadata.gz: 62cf688066c4ae8b8855f9ba04cd376c78ec6ae3238d74c4e34f4fdf3a926aef
+  data.tar.gz: 301885b06d03b494d74f7b2f053b741d0fc5d546371fc2eaf602f5b73e00462c
 SHA512:
-  metadata.gz: 03cb4fec0a859ba0967d891b62d4741b6a241839bce017ac0a9f212c06cabbec45e3d8c9464d8a75421c697c6e547af19e5bdbe8055ab7ea630344a781dfdf5e
-  data.tar.gz: ad2fc2e5f42777535e912e4bc8217f48d9d90babb074b071b7437fb3b987f4f8470f505f9e1bd29b1b893f7b6ccc36800145ad62fe82664188e0eab965b71cf5
+  metadata.gz: 6081f531d0f06172ed695265ac0c772182fc1481a97290441758d40e1013b08f1d684683e38e496a4d8fae4ac05210ec11c07ee7d2ca5e4513eda0cc5eae3f43
+  data.tar.gz: 5fe4104c0e129a061f81ebaffe2bb6f993a8424aabe1b0118aeae49f1eea29e72f1c1ac1120c8d480e54514547386e47faa04b750988af1aaa7b8499965ef275

data/lib/inferno/apps/web/router.rb

@@ -53,6 +53,9 @@ module Inferno
       # Should not need Content-Type header but GitHub Codespaces will not work without them.
       # This could be investigated and likely removed if addressed properly elsewhere.
       get '/', to: ->(_env) { [200, { 'Content-Type' => 'text/html' }, [client_page]] }
+      get '/jwks.json', to: lambda { |_env|
+                              [200, { 'Content-Type' => 'application/json' }, [Inferno::JWKS.jwks_json]]
+                            }, as: :jwks
 
       Inferno.routes.each do |route|
         cleaned_id = route[:suite].id.gsub(/[^a-zA-Z\d\-._~]/, '_')

data/lib/inferno/config/application.rb

@@ -13,6 +13,7 @@ module Inferno
     raw_js_host = ENV.fetch('JS_HOST', '')
     base_path = ENV.fetch('BASE_PATH', '')
     public_path = base_path.blank? ? '/public' : "/#{base_path}/public"
+    jwks_path = base_path.blank? ? '/jwks.json' : "/#{base_path}/jwks.json"
     js_host = raw_js_host.present? ? "#{raw_js_host}/public" : public_path
 
     Application.register('js_host', js_host)
@@ -21,6 +22,7 @@ module Inferno
     Application.register('async_jobs', ENV['ASYNC_JOBS'] != 'false')
     Application.register('inferno_host', ENV.fetch('INFERNO_HOST', 'http://localhost:4567'))
     Application.register('base_url', URI.join(Application['inferno_host'], base_path).to_s)
+    Application.register('jwks_url', URI.join(Application['inferno_host'], jwks_path).to_s)
     Application.register('cache_bust_token', SecureRandom.uuid)
 
     configure do |config|

data/lib/inferno/dsl/auth_info.rb

@@ -1,4 +1,5 @@
 require_relative '../entities/attributes'
+require_relative 'jwks'
 
 module Inferno
   module DSL
@@ -19,7 +20,7 @@ module Inferno
     # to normal inputs.
     #
     # The AuthInfo input type supports two different modes in the UI. Different
-    # fields will be presented to the user dependengi on which mode is selected.
+    # fields will be presented to the user depending on which mode is selected.
     # - `auth` - This presents the inputs needed to perform authorization, and
     #   is appropriate to use as an input to test groups which perform
     #   authorization
@@ -161,13 +162,148 @@ module Inferno
 
       # @private
       def add_to_client(client)
-        # TODO
-        # client.auth = self
-        # self.client = client
+        client.auth_info = self
+        self.client = client
+        # TODO: do we want to perform authorization if no access_token or rely on SMART/ other auth tests?
+        return unless access_token.present?
 
-        # return unless access_token.present?
+        client.set_bearer_token(access_token)
+      end
+
+      # @private
+      def need_to_refresh?
+        return false if access_token.blank? || (!backend_services? && refresh_token.blank?)
+
+        return true if expires_in.blank?
+
+        issue_time.to_i + expires_in.to_i - DateTime.now.to_i < 60
+      end
+
+      # @private
+      def able_to_refresh?
+        token_url.present? && (backend_services? || refresh_token.present?)
+      end
+
+      # @private
+      def backend_services?
+        auth_type == 'backend_services'
+      end
+
+      # @private
+      def oauth2_refresh_params
+        case auth_type
+        when 'public'
+          public_auth_refresh_params
+        when 'symmetric'
+          symmetric_auth_refresh_params
+        when 'asymmetric'
+          asymmetric_auth_refresh_params
+        when 'backend_services'
+          backend_services_auth_refresh_params
+        end
+      end
+
+      # @private
+      def symmetric_auth_refresh_params
+        {
+          'grant_type' => 'refresh_token',
+          'refresh_token' => refresh_token
+        }
+      end
+
+      # @private
+      def public_auth_refresh_params
+        symmetric_auth_refresh_params.merge('client_id' => client_id)
+      end
+
+      # @private
+      def asymmetric_auth_refresh_params
+        symmetric_auth_refresh_params.merge(
+          'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+          'client_assertion' => client_assertion
+        )
+      end
+
+      # @private
+      def backend_services_auth_refresh_params
+        {
+          'grant_type' => 'client_credentials',
+          'scope' => requested_scopes,
+          'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+          'client_assertion' => client_assertion
+        }
+      end
+
+      # @private
+      def oauth2_refresh_headers
+        base_headers = { 'Content-Type' => 'application/x-www-form-urlencoded' }
+
+        return base_headers unless auth_type == 'symmetric'
+
+        credentials = "#{client_id}:#{client_secret}"
+
+        base_headers.merge(
+          'Authorization' => "Basic #{Base64.strict_encode64(credentials)}"
+        )
+      end
+
+      # @private
+      def private_key
+        @private_key ||= JWKS.jwks(user_jwks: jwks)
+          .select { |key| key[:key_ops]&.include?('sign') }
+          .select { |key| key[:alg] == encryption_algorithm }
+          .find { |key| !kid || key[:kid] == kid }
+      end
+
+      # @private
+      def signing_key
+        if private_key.nil?
+          raise Inferno::Exceptions::AssertionException,
+                "No signing key found for inputs: encryption method = '#{encryption_algorithm}' and kid = '#{kid}'"
+        end
+
+        @private_key.signing_key
+      end
+
+      # @private
+      def auth_jwt_header
+        {
+          'alg' => encryption_algorithm,
+          'kid' => private_key['kid'],
+          'typ' => 'JWT',
+          'jku' => Inferno::Application['jwks_url']
+        }
+      end
+
+      # @private
+      def auth_jwt_claims
+        {
+          'iss' => client_id,
+          'sub' => client_id,
+          'aud' => token_url,
+          'exp' => 5.minutes.from_now.to_i,
+          'jti' => SecureRandom.hex(32)
+        }
+      end
+
+      # @private
+      def client_assertion
+        JWT.encode auth_jwt_claims, signing_key, encryption_algorithm, auth_jwt_header
+      end
+
+      # @private
+      def update_from_response_body(request)
+        token_response_body = JSON.parse(request.response_body)
+
+        expires_in = token_response_body['expires_in'].is_a?(Numeric) ? token_response_body['expires_in'] : nil
+
+        self.access_token = token_response_body['access_token']
+        self.refresh_token = token_response_body['refresh_token'] if token_response_body['refresh_token'].present?
+        self.expires_in = expires_in
+        self.issue_time = DateTime.now
 
-        # client.set_bearer_token(access_token)
+        add_to_client(client)
+        self
       end
     end
   end

data/lib/inferno/dsl/fhir_client.rb

@@ -347,7 +347,7 @@ module Inferno
 
       # @private
       def perform_refresh(client)
-        credentials = client.oauth_credentials
+        credentials = client.auth_info || client.oauth_credentials
 
         post(
           credentials.token_url,
@@ -363,7 +363,7 @@ module Inferno
           Inferno::Repositories::SessionData.new.save(
             name: credentials.name,
             value: credentials,
-            type: 'oauth_credentials',
+            type: credentials.is_a?(Inferno::DSL::AuthInfo) ? 'auth_info' : 'oauth_credentials',
             test_session_id:
           )
         end

data/lib/inferno/dsl/fhir_client_builder.rb

@@ -20,6 +20,20 @@ module Inferno
     #     url :url
     #     bearer_token :access_token
     #   end
+    #
+    # @example
+    #   input :url
+    #   input :fhir_auth,
+    #          type: :auth_info,
+    #          options: {
+    #             mode: 'access'
+    #           }
+    #
+    #   fhir_client do
+    #     url :url
+    #     headers 'My-Custom_header' => 'CUSTOM_HEADER_VALUE'
+    #     auth_info :fhir_auth
+    #   end
     class FHIRClientBuilder
       attr_accessor :runnable
 
@@ -33,6 +47,7 @@ module Inferno
           client.default_json
           client.set_bearer_token bearer_token if bearer_token
           oauth_credentials&.add_to_client(client)
+          auth_info&.add_to_client(client)
         end
       end
 
@@ -80,6 +95,20 @@ module Inferno
           end
       end
 
+      # Define auth info for a client. Auth info contains info needed for client
+      # to perform authorization and refresh access token when necessary
+      #
+      # @param auth_info [Inferno::DSL::AuthInfo, Symbol]
+      # @return [void]
+      def auth_info(auth_info = nil)
+        @auth_info ||=
+          if auth_info.is_a? Symbol
+            runnable.send(auth_info)
+          else
+            auth_info
+          end
+      end
+
       # Define custom headers for a client
       #
       # @param headers [Hash]

data/lib/inferno/dsl/fhir_resource_validation.rb

@@ -277,32 +277,36 @@ module Inferno
         end
 
         # @private
-        def operation_outcome_from_hl7_wrapped_response(response)
-          res = JSON.parse(response)
-          if res['sessionId'] != @session_id
-            validator_session_repo.save(test_suite_id:, validator_session_id: res['sessionId'],
+        def operation_outcome_from_hl7_wrapped_response(response_hash)
+          if response_hash['sessionId'] && response_hash['sessionId'] != @session_id
+            validator_session_repo.save(test_suite_id:, validator_session_id: response_hash['sessionId'],
                                         validator_name: name.to_s, suite_options: requirements)
-            @session_id = res['sessionId']
+            @session_id = response_hash['sessionId']
           end
 
           # assume for now that one resource -> one request
-          issues = res['outcomes'][0]['issues']&.map do |i|
+          issues = response_hash['outcomes'][0]['issues']&.map do |i|
             { severity: i['level'].downcase, expression: i['location'], details: { text: i['message'] } }
           end
           # this is circuitous, ideally we would map this response directly to message_hashes
           FHIR::OperationOutcome.new(issue: issues)
         end
 
+        # @private
+        def remove_invalid_characters(string)
+          string.gsub(/[^[:print:]\r\n]+/, '')
+        end
+
         # @private
         def operation_outcome_from_validator_response(response, runnable)
-          if response.body.start_with? '{'
-            operation_outcome_from_hl7_wrapped_response(response.body)
-          else
-            runnable.add_message('error', "Validator Response: HTTP #{response.status}\n#{response.body}")
-            raise Inferno::Exceptions::ErrorInValidatorException,
-                  'Validator response was an unexpected format. ' \
-                  'Review Messages tab or validator service logs for more information.'
-          end
+          sanitized_body = remove_invalid_characters(response.body)
+
+          operation_outcome_from_hl7_wrapped_response(JSON.parse(sanitized_body))
+        rescue JSON::ParserError
+          runnable.add_message('error', "Validator Response: HTTP #{response.status}\n#{sanitized_body}")
+          raise Inferno::Exceptions::ErrorInValidatorException,
+                'Validator response was an unexpected format. ' \
+                'Review Messages tab or validator service logs for more information.'
         end
       end
 

data/lib/inferno/dsl/fhir_validation.rb

@@ -124,7 +124,7 @@ module Inferno
             runnable.add_message('error', e.message)
             raise Inferno::Exceptions::ErrorInValidatorException, "Unable to connect to validator at #{url}."
           end
-          outcome = operation_outcome_from_validator_response(response.body, runnable)
+          outcome = operation_outcome_from_validator_response(response, runnable)
 
           message_hashes = message_hashes_from_outcome(outcome, resource, profile_url)
 
@@ -212,16 +212,21 @@ module Inferno
           ).post('validate', resource.source_contents)
         end
 
+        # @private
+        def remove_invalid_characters(string)
+          string.gsub(/[^[:print:]\r\n]+/, '')
+        end
+
         # @private
         def operation_outcome_from_validator_response(response, runnable)
-          if response.start_with? '{'
-            FHIR::OperationOutcome.new(JSON.parse(response))
-          else
-            runnable.add_message('error', "Validator Response:\n#{response}")
-            raise Inferno::Exceptions::ErrorInValidatorException,
-                  'Validator response was an unexpected format. '\
-                  'Review Messages tab or validator service logs for more information.'
-          end
+          sanitized_body = remove_invalid_characters(response.body)
+
+          FHIR::OperationOutcome.new(JSON.parse(sanitized_body))
+        rescue JSON::ParserError
+          runnable.add_message('error', "Validator Response: HTTP #{response.status}\n#{sanitized_body}")
+          raise Inferno::Exceptions::ErrorInValidatorException,
+                'Validator response was an unexpected format. ' \
+                'Review Messages tab or validator service logs for more information.'
         end
       end
 

data/lib/inferno/dsl/fhirpath_evaluation.rb

@@ -0,0 +1,121 @@
+module Inferno
+  module DSL
+    # This module contains the methods needed to perform FHIRPath evaluations
+    # on FHIR resources/elements. The actual evaluation is typically performed by an external
+    # FHIRPath evaluation service.
+    #
+    # Tests can leverage the evaluation functionality by  calling `evaluate_fhirpath` to retrieve
+    # results of FHIRPath expressions.
+    #
+    # @example
+    #
+    #   results = evaluate_fhirpath(resource: patient_resource, path: 'Patient.name.given')
+    #
+    # results will be an array representing the result of evaluating the given
+    # expression against the given root element.  Each "result" in the returned
+    # array will be in the form
+    # `{ "type": "[FHIR datatype of the result]", "element": "[result value of the FHIRPath expression]" }`.
+    # @note the `element` field can either be a primitive value (string, boolean, etc.) or a FHIR::Model.
+    module FhirpathEvaluation
+      def self.included(klass)
+        klass.extend ClassMethods
+      end
+
+      # Evaluates a fhirpath expression for a given FHIR resource
+      #
+      # @param resource [FHIR::Model] the root FHIR resource to use when evaluating the fhirpath expression.
+      # @param path [String] The FHIRPath expression to evaluate.
+      # @param url [String] the url of the fhirpath service to use.
+      # @return [Array<Hash>] An array of hashes representing the result of evaluating the given expression against
+      #   the given root resource.
+      def evaluate_fhirpath(resource:, path:, url: nil)
+        self.class.evaluator(url).evaluate_fhirpath(resource, path, self)
+      end
+
+      class Evaluator
+        # @private
+        def initialize(url = nil)
+          url(url)
+        end
+
+        # @private
+        def default_fhirpath_url
+          ENV.fetch('FHIRPATH_URL')
+        end
+
+        # Set/Get the url of the fhirpath service
+        #
+        # @param fhirpath_url [String]
+        # @return [String]
+        def url(fhirpath_url = nil)
+          @url ||= fhirpath_url || default_fhirpath_url
+        end
+
+        # Evaluates a fhirpath expression for a given FHIR resource
+        #
+        # @param fhir_resource [FHIR::Model] the root FHIR resource to use when evaluating the fhirpath expression.
+        # @param fhirpath_expression [String] The FHIRPath expression to evaluate.
+        # @param runnable [Inferno::Test] to add any error message that occurs.
+        # @return [Array<Hash>] An array hashes representing the result of evaluating the given expression against
+        #   the given root resource. Each "result" in the returned array will be in the form
+        #   `{ "type": "[FHIR datatype of the result]", "element": "[result value of the FHIRPath expression]" }`.
+        # @note the `element` field can either be a primitive value (string, boolean, etc.) or a FHIR::Model.
+        def evaluate_fhirpath(fhir_resource, fhirpath_expression, runnable)
+          begin
+            response = call_fhirpath_service(fhir_resource, fhirpath_expression)
+          rescue StandardError => e
+            # This could be a complete failure to connect (fhirpath service isn't running)
+            # or a timeout (fhirpath service took too long to respond).
+            runnable.add_message('error', e.message)
+            raise Inferno::Exceptions::ErrorInFhirpathException, "Unable to connect to FHIRPath service at #{url}."
+          end
+
+          sanitized_body = remove_invalid_characters(response.body)
+          return transform_fhirpath_results(JSON.parse(sanitized_body)) if response.status.to_s.start_with? '2'
+
+          runnable.add_message('error', "FHIRPath service Response: HTTP #{response.status}\n#{sanitized_body}")
+          raise Inferno::Exceptions::ErrorInFhirpathException,
+                'FHIRPath service call failed. Review Messages tab for more information.'
+        rescue JSON::ParserError
+          runnable.add_message('error', "Invalid FHIRPath service response format:\n#{sanitized_body}")
+          raise Inferno::Exceptions::ErrorInFhirpathException,
+                'Error occurred in the FHIRPath service. Review Messages tab for more information.'
+        end
+
+        # @private
+        def transform_fhirpath_results(fhirpath_results)
+          fhirpath_results.each do |result|
+            klass = FHIR.const_get(result['type'])
+            result['element'] = klass.new(result['element'])
+          rescue NameError
+            next
+          end
+          fhirpath_results
+        end
+
+        def call_fhirpath_service(fhir_resource, fhirpath_expression)
+          Faraday.new(
+            url,
+            request: { timeout: 600 }
+          ).post(
+            "evaluate?path=#{fhirpath_expression}",
+            fhir_resource.to_json,
+            content_type: 'application/json'
+          )
+        end
+
+        # @private
+        def remove_invalid_characters(string)
+          string.gsub(/[^[:print:]\r\n]+/, '')
+        end
+      end
+
+      module ClassMethods
+        # @private
+        def evaluator(url = nil)
+          @evaluator ||= Inferno::DSL::FhirpathEvaluation::Evaluator.new(url)
+        end
+      end
+    end
+  end
+end

data/lib/inferno/dsl/jwks.rb

@@ -0,0 +1,79 @@
+module Inferno
+  module DSL
+    # The JWKS class provides methods to handle JSON Web Key Sets (JWKS)
+    # within Inferno.
+    #
+    # This class allows users to fetch, parse, and manage JWKS, ensuring
+    # that the necessary keys for verifying tokens are available.
+    class JWKS
+      class << self
+        # Returns a formatted JSON string of the JWKS public keys that are used for verification.
+        # This method filters out keys that do not have the 'verify' operation.
+        #
+        # @return [String] The formatted JSON string of the JWKS public keys.
+        #
+        # @example
+        #   jwks_json = Inferno::JWKS.jwks_json
+        #   puts jwks_json
+        def jwks_json
+          @jwks_json ||=
+            JSON.pretty_generate(
+              { keys: jwks.export[:keys].select { |key| key[:key_ops]&.include?('verify') } }
+            )
+        end
+
+        # Provides the default file path to the JWKS file.
+        # This method is primarily used internally to locate the default JWKS file.
+        #
+        # @return [String] The default JWKS file path.
+        #
+        # @private
+        def default_jwks_path
+          @default_jwks_path ||= File.join(__dir__, 'jwks.json')
+        end
+
+        # Fetches the JWKS file path from the environment variable `INFERNO_JWKS_PATH`.
+        # If the environment variable is not set, it falls back to the default path
+        # provided by `.default_jwks_path`.
+        #
+        # @return [String] The JWKS file path.
+        #
+        # @private
+        def jwks_path
+          @jwks_path ||=
+            ENV.fetch('INFERNO_JWKS_PATH', default_jwks_path)
+        end
+
+        # Reads the JWKS content from the file located at the JWKS path.
+        #
+        # @return [String] The json content of the JWKS file.
+        #
+        # @private
+        def default_jwks_json
+          @default_jwks_json ||= File.read(jwks_path)
+        end
+
+        # Parses and returns a `JWT::JWK::Set` object from the provided JWKS string
+        # or from the file located at the JWKS path. If a user-provided JWKS string
+        # is not available, it reads the JWKS from the file.
+        #
+        # @param user_jwks [String, nil] An optional json containing the JWKS.
+        #   If not provided, the method reads from the file.
+        # @return [JWT::JWK::Set] The parsed JWKS set.
+        #
+        # @example
+        #   # Using a user-provided JWKS string
+        #   user_jwks = '{"keys":[...]}'
+        #   jwks_set = Inferno::JWKS.jwks(user_jwks: user_jwks)
+        #
+        #   # Using the default JWKS file
+        #   jwks_set = Inferno::JWKS.jwks
+        def jwks(user_jwks: nil)
+          JWT::JWK::Set.new(JSON.parse(user_jwks.presence || default_jwks_json))
+        end
+      end
+    end
+  end
+
+  JWKS = DSL::JWKS
+end

data/lib/inferno/dsl/messages.rb

@@ -0,0 +1,71 @@
+require_relative '../utils/markdown_formatter'
+
+module Inferno
+  module DSL
+    # This module contains methods to add meessages to runnable results
+    module Messages
+      include Inferno::Utils::MarkdownFormatter
+      # @private
+      def messages
+        @messages ||= []
+      end
+
+      # Add a message to the result.
+      #
+      # @param type [String] error, warning, or info
+      # @param message [String]
+      # @return [void]
+      def add_message(type, message)
+        messages << { type: type.to_s, message: format_markdown(message) }
+      end
+
+      # Add an informational message to the results of a test. If passed a
+      # block, a failed assertion will become an info message and test execution
+      # will continue.
+      #
+      # @param message [String]
+      # @return [void]
+      # @example
+      #   # Add an info message
+      #   info 'This message will be added to the test results'
+      #
+      #   # The message for the failed assertion will be treated as an info
+      #   # message. Test exection will continue.
+      #   info { assert false == true }
+      def info(message = nil)
+        unless block_given?
+          add_message('info', message) unless message.nil?
+          return
+        end
+
+        yield
+      rescue Exceptions::AssertionException => e
+        add_message('info', e.message)
+      end
+
+      # Add a warning message to the results of a test. If passed a block, a
+      # failed assertion will become a warning message and test execution will
+      # continue.
+      #
+      # @param message [String]
+      # @return [void]
+      # @example
+      #   # Add a warning message
+      #   warning 'This message will be added to the test results'
+      #
+      #   # The message for the failed assertion will be treated as a warning
+      #   # message. Test exection will continue.
+      #   warning { assert false == true }
+      def warning(message = nil)
+        unless block_given?
+          add_message('warning', message) unless message.nil?
+          return
+        end
+
+        yield
+      rescue Exceptions::AssertionException => e
+        add_message('warning', e.message)
+      end
+    end
+  end
+end

data/lib/inferno/dsl/runnable.rb

@@ -291,6 +291,18 @@ module Inferno
         to_s
       end
 
+      # Set/Get the block that is executed when a runnable is run
+      #
+      # @param block [Proc]
+      # @return [Proc] the block that is executed when a runnable is run
+      def block(&block)
+        return @block unless block_given?
+
+        @block = block
+      end
+
+      alias run block
+
       # @private
       def all_children
         @all_children ||= []