onc_certification_g10_test_kit 2.0.0.rc1

data/lib/onc_certification_g10_test_kit/smart_app_launch_invalid_aud_group.rb

@@ -0,0 +1,136 @@
+module ONCCertificationG10TestKit
+  class SMARTAppLaunchInvalidAudGroup < Inferno::TestGroup
+    title 'SMART App Launch Error: Invalid AUD Parameter'
+    short_title 'SMART Invalid AUD Launch'
+    description %(
+      # Background
+
+      The Invalid AUD Sequence verifies that a SMART Launch Sequence,
+      specifically the [Standalone
+      Launch](http://hl7.org/fhir/smart-app-launch/#standalone-launch-sequence)
+      Sequence, does not work in the case where the client sends an invalid FHIR
+      server as the `aud` parameter during launch. This must fail to ensure that
+      a genuine bearer token is not leaked to a counterfit resource server.
+
+      This test is not included as part of a regular SMART Launch Sequence
+      because it requires the browser of the user to be redirected to the
+      authorization service, and there is no expectation that the authorization
+      service redirects the user back to Inferno with an error message. The only
+      requirement is that Inferno is not granted a code to exchange for a valid
+      access token. Since this is a special case, it is tested independently in
+      a separate sequence.
+
+      Note that this test will launch a new browser window. The user is required
+      to 'Attest' in the Inferno user interface after the launch does not
+      succeed, if the server does not return an error code.
+    )
+    id :g10_smart_invalid_aud
+    run_as_group
+
+    input :client_id,
+          :client_secret,
+          :requested_scopes,
+          :url,
+          :smart_authorization_url,
+          :smart_token_url
+
+    config(
+      inputs: {
+        client_id: {
+          name: :standalone_client_id,
+          title: 'Standalone Client ID',
+          description: 'Client ID provided during registration of Inferno as a standalone application'
+        },
+        client_secret: {
+          name: :standalone_client_secret,
+          title: 'Standalone Client Secret',
+          description: 'Client Secret provided during registration of Inferno as a standalone application'
+        },
+        requested_scopes: {
+          name: :standalone_requested_scopes,
+          title: 'Standalone Scope',
+          description: 'OAuth 2.0 scope provided by system to enable all required functionality',
+          type: 'textarea',
+          default: %(
+            launch/patient openid fhirUser offline_access
+            patient/Medication.read patient/AllergyIntolerance.read
+            patient/CarePlan.read patient/CareTeam.read patient/Condition.read
+            patient/Device.read patient/DiagnosticReport.read
+            patient/DocumentReference.read patient/Encounter.read
+            patient/Goal.read patient/Immunization.read patient/Location.read
+            patient/MedicationRequest.read patient/Observation.read
+            patient/Organization.read patient/Patient.read
+            patient/Practitioner.read patient/Procedure.read
+            patient/Provenance.read patient/PractitionerRole.read
+          ).gsub(/\s{2,}/, ' ').strip
+        },
+        url: {
+          title: 'Standalone FHIR Endpoint',
+          description: 'URL of the FHIR endpoint used by standalone applications'
+        },
+        smart_authorization_url: {
+          title: 'OAuth 2.0 Authorize Endpoint',
+          description: 'OAuth 2.0 Authorize Endpoint provided during the patient standalone launch'
+        },
+        smart_token_url: {
+          title: 'OAuth 2.0 Token Endpoint',
+          description: 'OAuth 2.0 Token Endpoint provided during the patient standalone launch'
+        }
+      },
+      outputs: {
+        state: { name: :invalid_aud_state }
+      },
+      requests: {
+        redirect: { name: :invalid_aud_redirect }
+      }
+    )
+
+    test from: :smart_app_redirect do
+      def aud
+        'https://inferno.healthit.gov/invalid_aud'
+      end
+
+      def wait_message(auth_url)
+        %(
+          Inferno will redirect you to an external website for authorization.
+          **It is expected this will fail**. If the server does not return to
+          Inferno automatically, but does provide an error message, you may
+          return to Inferno and confirm that an error was presented in this
+          window.
+
+          * [Perform Invalid Launch](#{auth_url})
+          * [Attest launch failed](/custom/smart/redirect?state=#{state}&confirm_fail=true)
+        )
+      end
+    end
+
+    test do
+      title 'Inferno client app does not receive code parameter redirect URI'
+      description %(
+        Inferno redirected the user to the authorization service with an invalid AUD.
+        Inferno expects that the authorization request will not succeed.  This can
+        either be from the server explicitely pass an error, or stopping and the
+        tester returns to Inferno to confirm that the server presented them a failure.
+      )
+      uses_request :redirect
+
+      run do
+        params = request.query_parameters
+
+        assert params['code'].blank?,
+               'Authorization has incorrectly succeeded because access code provided to Inferno.'
+
+        pass_message =
+          if params['error'].present?
+            'Server redirected the user back to the app with an error.'
+          elsif params['confirm_fail']
+            'Tester attested that the authorization service did not succeed due to invalid AUD parameter.'
+          else
+            'Server redirected the user back to the app without an access code.'
+          end
+
+        pass pass_message
+      end
+    end
+  end
+end

data/lib/onc_certification_g10_test_kit/smart_ehr_practitioner_app_group.rb

@@ -0,0 +1,209 @@
+require_relative 'base_token_refresh_group'
+require_relative 'smart_scopes_test'
+require_relative 'unauthorized_access_test'
+require_relative 'well_known_capabilities_test'
+
+module ONCCertificationG10TestKit
+  class SmartEHRPractitionerAppGroup < Inferno::TestGroup
+    title 'EHR Practitioner App'
+    short_title 'EHR Practitioner App'
+    input_instructions %(
+      Register Inferno as an EHR-launched application using the following information:
+
+      * Launch URI: `#{SMARTAppLaunch::AppLaunchTest.config.options[:launch_uri]}`
+      * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
+
+      Enter in the appropriate scope to enable user-level access to all relevant
+      resources. In addition, support for the OpenID Connect (openid fhirUser),
+      refresh tokens (offline_access), and EHR context (launch) are required. This
+      test expects that the EHR will launch the application with a patient context.
+
+      After submit is pressed, Inferno will wait for the system under test to launch
+      the application.
+    )
+
+    description %(
+      Demonstrate the ability to perform an EHR launch to a [SMART on
+      FHIR](http://www.hl7.org/fhir/smart-app-launch/) confidential client with
+      patient context, refresh token, and [OpenID Connect
+      (OIDC)](https://openid.net/specs/openid-connect-core-1_0.html) identity
+      token. After launch, a simple Patient resource read is performed on the
+      patient in context. The access token is then refreshed, and the Patient
+      resource is read using the new access token to ensure that the refresh was
+      successful. Finally, the authentication information provided by OpenID
+      Connect is decoded and validated.
+    )
+    id :g10_smart_ehr_practitioner_app
+    run_as_group
+
+    config(
+      inputs: {
+        client_secret: {
+          optional: false
+        },
+        smart_credentials: {
+          name: :ehr_smart_credentials
+        }
+      }
+    )
+
+    group from: :smart_discovery do
+      test from: 'g10_smart_well_known_capabilities'
+    end
+
+    group from: :smart_ehr_launch do
+      title 'EHR Launch With Practitioner Scope'
+
+      config(
+        inputs: {
+          requested_scopes: {
+            default: %(
+              launch openid fhirUser offline_access user/Medication.read
+              user/AllergyIntolerance.read user/CarePlan.read user/CareTeam.read
+              user/Condition.read user/Device.read user/DiagnosticReport.read
+              user/DocumentReference.read user/Encounter.read user/Goal.read
+              user/Immunization.read user/Location.read
+              user/MedicationRequest.read user/Observation.read
+              user/Organization.read user/Patient.read user/Practitioner.read
+              user/Procedure.read user/Provenance.read
+              user/PractitionerRole.read
+            ).gsub(/\s{2,}/, ' ').strip
+          }
+        }
+      )
+
+      test from: :g10_smart_scopes do
+        title 'User-level access with OpenID Connect and Refresh Token scopes used.'
+        config(
+          inputs: {
+            requested_scopes: { name: :ehr_requested_scopes },
+            received_scopes: { name: :ehr_received_scopes }
+          }
+        )
+
+        def required_scopes
+          ['openid', 'fhirUser', 'launch', 'offline_access']
+        end
+
+        def scope_type
+          'user'
+        end
+      end
+
+      test from: :g10_unauthorized_access,
+           config: {
+             inputs: {
+               patient_id: { name: :ehr_patient_id }
+             }
+           }
+
+      test from: :g10_patient_context,
+           config: {
+             inputs: {
+               patient_id: { name: :ehr_patient_id },
+               access_token: { name: :ehr_access_token }
+             }
+           }
+
+      test do
+        title 'Launch context contains smart_style_url which links to valid JSON'
+        description %(
+          In order to mimic the style of the SMART host more closely, SMART apps
+          can check for the existence of this launch context parameter and
+          download the JSON file referenced by the URL value.
+        )
+        uses_request :token
+
+        run do
+          skip_if request.status != 200, 'No token response received'
+          assert_valid_json response[:body]
+
+          body = JSON.parse(response[:body])
+
+          assert body['smart_style_url'].present?,
+                 'Token response did not contain `smart_style_url`'
+
+          get(body['smart_style_url'])
+
+          assert_response_status(200)
+          assert_valid_json(response[:body])
+        end
+      end
+
+      test do
+        title 'Launch context contains need_patient_banner'
+        description %(
+          `need_patient_banner` is a boolean value indicating whether the app
+          was launched in a UX context where a patient banner is required (when
+          true) or not required (when false).
+        )
+        uses_request :token
+
+        run do
+          skip_if request.status != 200, 'No token response received'
+          assert_valid_json response[:body]
+
+          body = JSON.parse(response[:body])
+
+          assert body.key?('need_patient_banner'),
+                 'Token response did not contain `need_patient_banner`'
+        end
+      end
+    end
+
+    group from: :smart_openid_connect,
+          config: {
+            inputs: {
+              id_token: { name: :ehr_id_token },
+              client_id: { name: :ehr_client_id },
+              requested_scopes: { name: :ehr_requested_scopes },
+              smart_credentials: { name: :ehr_smart_credentials }
+            }
+          }
+
+    group from: :g10_token_refresh do
+      id :g10_smart_ehr_token_refresh
+
+      config(
+        inputs: {
+          refresh_token: { name: :ehr_refresh_token },
+          client_id: { name: :ehr_client_id },
+          client_secret: { name: :ehr_client_secret },
+          received_scopes: { name: :ehr_received_scopes }
+        },
+        outputs: {
+          refresh_token: { name: :ehr_refresh_token },
+          received_scopes: { name: :ehr_received_scopes },
+          access_token: { name: :ehr_access_token },
+          token_retrieval_time: { name: :ehr_token_retrieval_time },
+          expires_in: { name: :ehr_expires_in },
+          smart_credentials: { name: :ehr_smart_credentials }
+        }
+      )
+
+      test from: :g10_patient_context do
+        config(
+          inputs: {
+            patient_id: { name: :ehr_patient_id }
+          },
+          options: {
+            refresh_test: true
+          }
+        )
+        uses_request :token_refresh
+      end
+    end
+
+    test do
+      id :g10_ehr_credentials_export
+      title 'Set SMART Credentials to EHR Launch Credentials'
+
+      input :ehr_smart_credentials, type: :oauth_credentials
+      output :smart_credentials
+
+      run do
+        output smart_credentials: ehr_smart_credentials.to_s
+      end
+    end
+  end
+end

data/lib/onc_certification_g10_test_kit/smart_invalid_token_group.rb

@@ -0,0 +1,197 @@
+module ONCCertificationG10TestKit
+  class SMARTInvalidTokenGroup < Inferno::TestGroup
+    title 'SMART App Launch Error: Invalid Access Token Request'
+    short_title 'SMART Invalid Token Request'
+    description %(
+      # Background
+
+      The Invalid Access Token Request Sequence verifies that a SMART Launch
+      Sequence, specifically the [Standalone
+      Launch](http://hl7.org/fhir/smart-app-launch/#standalone-launch-sequence)
+      Sequence, does not work in the case where the client sends an invalid
+      Authorization code or client ID during the code exchange step. This must
+      not result in a successful launch.
+
+      This test is not included as part of a regular SMART Launch Sequence
+      because some servers may not accept an authorization code after it has
+      been used unsuccessfully in this manner.
+    )
+    id :g10_smart_invalid_token_request
+    run_as_group
+
+    input :client_id, :client_secret, :requested_scopes, :url, :smart_authorization_url, :smart_token_url
+
+    input :use_pkce,
+          title: 'Proof Key for Code Exchange (PKCE)',
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Enabled',
+                value: 'true'
+              },
+              {
+                label: 'Disabled',
+                value: 'false'
+              }
+            ]
+          }
+    input :pkce_code_challenge_method,
+          optional: true,
+          title: 'PKCE Code Challenge Method',
+          type: 'radio',
+          default: 'S256',
+          options: {
+            list_options: [
+              {
+                label: 'S256',
+                value: 'S256'
+              },
+              {
+                label: 'plain',
+                value: 'plain'
+              }
+            ]
+          }
+
+    config(
+      inputs: {
+        client_id: {
+          name: :standalone_client_id,
+          title: 'Standalone Client ID',
+          description: 'Client ID provided during registration of Inferno as a standalone application'
+        },
+        client_secret: {
+          name: :standalone_client_secret,
+          title: 'Standalone Client Secret',
+          description: 'Client Secret provided during registration of Inferno as a standalone application'
+        },
+        requested_scopes: {
+          name: :standalone_requested_scopes,
+          title: 'Standalone Scope',
+          description: 'OAuth 2.0 scope provided by system to enable all required functionality',
+          type: 'textarea',
+          default: %(
+            launch/patient openid fhirUser offline_access
+            patient/Medication.read patient/AllergyIntolerance.read
+            patient/CarePlan.read patient/CareTeam.read patient/Condition.read
+            patient/Device.read patient/DiagnosticReport.read
+            patient/DocumentReference.read patient/Encounter.read
+            patient/Goal.read patient/Immunization.read patient/Location.read
+            patient/MedicationRequest.read patient/Observation.read
+            patient/Organization.read patient/Patient.read
+            patient/Practitioner.read patient/Procedure.read
+            patient/Provenance.read patient/PractitionerRole.read
+          ).gsub(/\s{2,}/, ' ').strip
+        },
+        url: {
+          title: 'Standalone FHIR Endpoint',
+          description: 'URL of the FHIR endpoint used by standalone applications'
+        },
+        code: {
+          name: :invalid_token_code
+        },
+        state: {
+          name: :invalid_token_state
+        },
+        smart_authorization_url: {
+          title: 'OAuth 2.0 Authorize Endpoint',
+          description: 'OAuth 2.0 Authorize Endpoint provided during the patient standalone launch'
+        },
+        smart_token_url: {
+          title: 'OAuth 2.0 Token Endpoint',
+          description: 'OAuth 2.0 Token Endpoint provided during the patient standalone launch'
+        },
+        pkce_code_verifier: {
+          name: :invalid_token_pkce_code_verifier
+        }
+      },
+      outputs: {
+        code: { name: :invalid_token_code },
+        state: { name: :invalid_token_state },
+        expires_in: { name: :invalid_token_expires_in },
+        pkce_code_verifier: { name: :invalid_token_pkce_code_verifier }
+      },
+      requests: {
+        redirect: { name: :invalid_token_redirect },
+        token: { name: :invalid_token_token }
+      }
+    )
+
+    test from: :smart_app_redirect
+    test from: :smart_code_received
+
+    test do
+      title ' OAuth token exchange fails when supplied invalid code'
+      description %(
+        If the request failed verification or is invalid, the authorization
+        server returns an error response.
+      )
+      uses_request :redirect
+
+      input :use_pkce, :pkce_code_verifier
+
+      run do
+        skip_if request.query_parameters['error'].present?, 'Error during authorization request'
+
+        oauth2_params = {
+          grant_type: 'authorization_code',
+          code: 'BAD_CODE',
+          redirect_uri: config.options[:redirect_uri]
+        }
+        oauth2_headers = { 'Content-Type' => 'application/x-www-form-urlencoded' }
+
+        if client_secret.present?
+          client_credentials = "#{client_id}:#{client_secret}"
+          oauth2_headers['Authorization'] = "Basic #{Base64.strict_encode64(client_credentials)}"
+        else
+          oauth2_params[:client_id] = client_id
+        end
+
+        oauth2_params[:code_verifier] = pkce_code_verifier if use_pkce == 'true'
+
+        post(smart_token_url, body: oauth2_params, name: :token, headers: oauth2_headers)
+
+        assert_response_status(400)
+      end
+    end
+
+    test do
+      title 'OAuth token exchange fails when supplied invalid client ID'
+      description %(
+        If the request failed verification or is invalid, the authorization
+        server returns an error response.
+      )
+      uses_request :redirect
+
+      input :use_pkce, :pkce_code_verifier, :code
+
+      run do
+        skip_if request.query_parameters['error'].present?, 'Error during authorization request'
+
+        client_id = 'BAD_CLIENT_ID'
+
+        oauth2_params = {
+          grant_type: 'authorization_code',
+          code: code,
+          redirect_uri: config.options[:redirect_uri]
+        }
+        oauth2_headers = { 'Content-Type' => 'application/x-www-form-urlencoded' }
+
+        if client_secret.present?
+          client_credentials = "#{client_id}:#{client_secret}"
+          oauth2_headers['Authorization'] = "Basic #{Base64.strict_encode64(client_credentials)}"
+        else
+          oauth2_params[:client_id] = client_id
+        end
+
+        oauth2_params[:code_verifier] = pkce_code_verifier if use_pkce == 'true'
+
+        post(smart_token_url, body: oauth2_params, name: :token, headers: oauth2_headers)
+
+        assert_response_status([400, 401])
+      end
+    end
+  end
+end

data/lib/onc_certification_g10_test_kit/smart_limited_app_group.rb

@@ -0,0 +1,123 @@
+require_relative 'patient_context_test'
+require_relative 'limited_scope_grant_test'
+require_relative 'restricted_resource_type_access_group'
+
+module ONCCertificationG10TestKit
+  class SmartLimitedAppGroup < Inferno::TestGroup
+    title 'Standalone Patient App - Limited Access'
+    short_title 'Limited Access App'
+
+    input_instructions %(
+      The purpose of this test is to demonstrate that users can restrict access
+      granted to apps to a limited number of resources. Enter which resources the
+      user will grant access to below, and during the launch process only grant
+      access to those resources. Inferno will verify that access granted matches
+      these expectations.
+    )
+
+    description %(
+      This scenario demonstrates the ability to perform a Patient Standalone
+      Launch to a [SMART on FHIR](http://www.hl7.org/fhir/smart-app-launch/)
+      confidential client with limited access granted to the app based on user
+      input. The tester is expected to grant the application access to a subset
+      of desired resource types.
+    )
+    id :g10_smart_limited_app
+    run_as_group
+
+    group from: :smart_standalone_launch do
+      title 'Standalone Launch With Limited Scope'
+      description %(
+        # Background
+
+        The [Standalone
+        Launch](http://hl7.org/fhir/smart-app-launch/#standalone-launch-sequence)
+        Sequence allows an app, like Inferno, to be launched independent of an
+        existing EHR session. It is one of the two launch methods described in
+        the SMART App Launch Framework alongside EHR Launch. The app will
+        request authorization for the provided scope from the authorization
+        endpoint, ultimately receiving an authorization token which can be used
+        to gain access to resources on the FHIR server.
+
+        # Test Methodology
+
+        Inferno will redirect the user to the the authorization endpoint so that
+        they may provide any required credentials and authorize the application.
+        Upon successful authorization, Inferno will exchange the authorization
+        code provided for an access token.
+
+        For more information on the #{title}:
+
+        * [Standalone Launch
+          Sequence](http://hl7.org/fhir/smart-app-launch/#standalone-launch-sequence)
+      )
+
+      config(
+        inputs: {
+          client_id: { locked: true },
+          client_secret: { locked: true },
+          url: { locked: true },
+          code: { name: :limited_code },
+          state: { name: :limited_state },
+          patient_id: { name: :limited_patient_id },
+          access_token: { name: :limited_access_token },
+          requested_scopes: { name: :limited_requested_scopes },
+          smart_authorization_url: { locked: true }, # TODO: separate standalone/ehr discovery outputs
+          smart_token_url: { locked: true }, # TODO: separate standalone/ehr discovery outputs
+          received_scopes: { name: :limited_received_scopes },
+          smart_credentials: { name: :limited_smart_credentials }
+        },
+        outputs: {
+          code: { name: :limited_code },
+          token_retrieval_time: { name: :limited_token_retrieval_time },
+          state: { name: :limited_state },
+          id_token: { name: :limited_id_token },
+          refresh_token: { name: :limited_refresh_token },
+          access_token: { name: :limited_access_token },
+          expires_in: { name: :limited_expires_in },
+          patient_id: { name: :limited_patient_id },
+          encounter_id: { name: :limited_encounter_id },
+          received_scopes: { name: :limited_received_scopes },
+          intent: { name: :limited_intent },
+          smart_credentials: { name: :limited_smart_credentials }
+        },
+        requests: {
+          redirect: { name: :limited_redirect },
+          token: { name: :limited_token }
+        }
+      )
+
+      input :expected_resources,
+            title: 'Expected Resource Grant',
+            description: 'The user will only grant access to the following resources during authorization.',
+            default: 'Patient, Condition, Observation'
+
+      test from: :g10_patient_context,
+           config: {
+             inputs: {
+               patient_id: { name: :limited_patient_id },
+               smart_credentials: { name: :limited_smart_credentials }
+             }
+           }
+
+      test from: :g10_limited_scope_grant do
+        config(
+          inputs: {
+            requested_scopes: { name: :limited_requested_scopes },
+            received_scopes: { name: :limited_received_scopes }
+          }
+        )
+      end
+    end
+
+    group from: :g10_restricted_resource_type_access,
+          config: {
+            inputs: {
+              patient_id: { name: :limited_patient_id },
+              requested_scopes: { name: :limited_requested_scopes },
+              received_scopes: { name: :limited_received_scopes },
+              smart_credentials: { name: :limited_smart_credentials }
+            }
+          }
+  end
+end