onc_certification_g10_test_kit 2.0.0.rc1

data/lib/onc_certification_g10_test_kit/smart_public_standalone_launch_group.rb

@@ -0,0 +1,113 @@
+module ONCCertificationG10TestKit
+  class SMARTPublicStandaloneLaunchGroup < SMARTAppLaunch::StandaloneLaunchGroup
+    title 'Public Client Standalone Launch with OpenID Connect'
+    short_title 'SMART Public Client Launch'
+    description %(
+      # Background
+
+      The [Standalone
+      Launch](http://hl7.org/fhir/smart-app-launch/#standalone-launch-sequence)
+      Sequence allows an app, like Inferno, to be launched independent of an
+      existing EHR session. It is one of the two launch methods described in
+      the SMART App Launch Framework alongside EHR Launch. The app will
+      request authorization for the provided scope from the authorization
+      endpoint, ultimately receiving an authorization token which can be
+      used to gain access to resources on the FHIR server.
+
+      # Test Methodology
+
+      Inferno will redirect the user to the the authorization endpoint so
+      that they may provide any required credentials and authorize the
+      application. Upon successful authorization, Inferno will exchange the
+      authorization code provided for an access token.
+
+      For more information on the #{title}:
+
+      * [Standalone Launch Sequence](http://hl7.org/fhir/smart-app-launch/#standalone-launch-sequence)
+    )
+    id :g10_public_standalone_launch
+    run_as_group
+
+    config(
+      inputs: {
+        client_id: {
+          name: :public_client_id
+        },
+        client_secret: {
+          name: :public_client_secret,
+          default: nil,
+          optional: true,
+          locked: true
+        },
+        requested_scopes: {
+          name: :public_requested_scopes
+        },
+        url: {
+          title: 'Standalone FHIR Endpoint',
+          description: 'URL of the FHIR endpoint used by standalone applications'
+        },
+        code: {
+          name: :public_code
+        },
+        state: {
+          name: :public_state
+        },
+        smart_authorization_url: {
+          title: 'OAuth 2.0 Authorize Endpoint',
+          description: 'OAuth 2.0 Authorize Endpoint provided during the patient standalone launch'
+        },
+        smart_token_url: {
+          title: 'OAuth 2.0 Token Endpoint',
+          description: 'OAuth 2.0 Token Endpoint provided during the patient standalone launch'
+        },
+        smart_credentials: {
+          name: :public_smart_credentials
+        }
+      },
+      outputs: {
+        code: { name: :public_code },
+        token_retrieval_time: { name: :public_token_retrieval_time },
+        state: { name: :public_state },
+        id_token: { name: :public_id_token },
+        refresh_token: { name: :public_refresh_token },
+        access_token: { name: :public_access_token },
+        expires_in: { name: :public_expires_in },
+        patient_id: { name: :public_patient_id },
+        encounter_id: { name: :public_encounter_id },
+        received_scopes: { name: :public_received_scopes },
+        intent: { name: :public_intent },
+        smart_credentials: { name: :public_smart_credentials }
+      },
+      requests: {
+        redirect: { name: :public_redirect },
+        token: { name: :public_token }
+      }
+    )
+
+    test from: :g10_patient_context,
+         config: {
+           inputs: {
+             patient_id: { name: :public_patient_id },
+             smart_credentials: { name: :public_smart_credentials }
+           }
+         }
+
+    test do
+      title 'OAuth token exchange response contains OpenID Connect id_token'
+      description %(
+        This test requires that an OpenID Connect id_token is provided to
+        demonstrate authentication capabilies for public clients.
+      )
+      id :g10_public_launch_id_token
+
+      input :id_token,
+            name: :public_id_token,
+            locked: true,
+            optional: true
+
+      run do
+        assert id_token.present?, 'Token response did not provide an id_token as required.'
+      end
+    end
+  end
+end

data/lib/onc_certification_g10_test_kit/smart_scopes_test.rb

@@ -0,0 +1,153 @@
+module ONCCertificationG10TestKit
+  class SMARTScopesTest < Inferno::Test
+    title 'Patient-level access with OpenID Connect and Refresh Token scopes used.'
+    description %(
+      The scopes being input must follow the guidelines specified in the
+      smart-app-launch guide. All scopes requested are expected to be granted.
+    )
+    id :g10_smart_scopes
+    input :requested_scopes, :received_scopes
+    uses_request :token
+
+    def valid_resource_types
+      [
+        '*',
+        'Patient',
+        'AllergyIntolerance',
+        'Binary',
+        'CarePlan',
+        'CareTeam',
+        'Condition',
+        'Device',
+        'DiagnosticReport',
+        'DocumentReference',
+        'Encounter',
+        'Goal',
+        'Immunization',
+        'Location',
+        'Medication',
+        'MedicationOrder',
+        'MedicationRequest',
+        'MedicationStatement',
+        'Observation',
+        'Organization',
+        'Person',
+        'Practitioner',
+        'PractitionerRole',
+        'Procedure',
+        'Provenance',
+        'RelatedPerson'
+      ]
+    end
+
+    def requested_scope_test(scopes, patient_compartment_resource_types)
+      patient_scope_found = false
+
+      scopes.each do |scope|
+        bad_format_message =
+          "Requested scope '#{scope}' does not follow the format: `#{scope_type}" \
+          '/[ resource | * ].[ read | * ]`'
+
+        scope_pieces = scope.split('/')
+        assert scope_pieces.count == 2, bad_format_message
+
+        resource_access = scope_pieces[1].split('.')
+        bad_resource_message = "'#{resource_access[0]}' must be either a valid resource type or '*'"
+
+        if scope_type == 'patient' && patient_compartment_resource_types.exclude?(resource_access[0])
+          assert ['user', 'patient'].include?(scope_pieces[0]),
+                 "Requested scope '#{scope}' must begin with either 'user/' or 'patient/'"
+        else
+          assert scope_pieces[0] == scope_type, bad_format_message
+        end
+
+        assert resource_access.count == 2, bad_format_message
+        assert valid_resource_types.include?(resource_access[0]), bad_resource_message
+        assert resource_access[1] =~ /^(\*|read)/, bad_format_message
+
+        patient_scope_found = true
+      end
+
+      assert patient_scope_found,
+             "#{scope_type.capitalize}-level scope in the format: " \
+             "`#{scope_type}/[ resource | * ].[ read | *]` was not requested."
+    end
+
+    def received_scope_test(scopes, patient_compartment_resource_types)
+      granted_resource_types = []
+
+      scopes.each do |scope|
+        scope_pieces = scope.split('/')
+        next unless scope_pieces.count == 2
+
+        resource_access = scope_pieces[1].split('.')
+        next unless resource_access.count == 2
+
+        granted_resource_types << resource_access[0] if resource_access[1] =~ /^(\*|read)/
+      end
+
+      missing_resource_types =
+        if granted_resource_types.include?('*')
+          []
+        else
+          patient_compartment_resource_types - granted_resource_types - ['*']
+        end
+
+      assert missing_resource_types.empty?,
+             "Request scopes #{missing_resource_types.join(', ')} were not granted by authorization server."
+    end
+
+    run do
+      skip_if request.status != 200, 'Token exchange was unsuccessful'
+
+      patient_compartment_resource_types = [
+        '*',
+        'Patient',
+        'AllergyIntolerance',
+        'CarePlan',
+        'CareTeam',
+        'Condition',
+        'DiagnosticReport',
+        'DocumentReference',
+        'Goal',
+        'Immunization',
+        'MedicationRequest',
+        'Observation',
+        'Procedure',
+        'Provenance'
+      ].freeze
+
+      [
+        {
+          scopes: requested_scopes,
+          received_or_requested: 'requested'
+        },
+        {
+          scopes: received_scopes,
+          received_or_requested: 'received'
+        }
+      ].each do |metadata|
+        scopes = metadata[:scopes].split
+        received_or_requested = metadata[:received_or_requested]
+
+        missing_scopes = required_scopes - scopes
+        assert missing_scopes.empty?,
+               "Required scopes were not #{received_or_requested}: #{missing_scopes.join(', ')}"
+
+        scopes -= required_scopes
+
+        # Other 'okay' scopes. Also scopes may include both 'launch' and
+        # 'launch/patient' for EHR launch and Standalone launch.
+        # 'launch/encounter' is mentioned by SMART App Launch though not in
+        # (g)(10) test procedure
+        scopes -= ['online_access', 'launch', 'launch/patient', 'launch/encounter']
+
+        if received_or_requested == 'requested'
+          requested_scope_test(scopes, patient_compartment_resource_types)
+        else
+          received_scope_test(scopes, patient_compartment_resource_types)
+        end
+      end
+    end
+  end
+end

data/lib/onc_certification_g10_test_kit/smart_standalone_patient_app_group.rb

@@ -0,0 +1,177 @@
+require_relative 'base_token_refresh_group'
+require_relative 'patient_context_test'
+require_relative 'smart_scopes_test'
+require_relative 'unauthorized_access_test'
+require_relative 'unrestricted_resource_type_access_group'
+require_relative 'well_known_capabilities_test'
+
+module ONCCertificationG10TestKit
+  class SmartStandalonePatientAppGroup < Inferno::TestGroup
+    title 'Standalone Patient App - Full Access'
+    short_title 'Standalone Patient App'
+
+    input_instructions %(
+      Register Inferno as a standalone application using the following information:
+
+      * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
+
+      Enter in the appropriate scope to enable patient-level access to all
+      relevant resources. In addition, support for the OpenID Connect (openid
+      fhirUser), refresh tokens (offline_access), and patient context
+      (launch/patient) are required.
+    )
+
+    description %(
+        This scenario demonstrates the ability of a system to perform a Patient
+        Standalone Launch to a [SMART on
+        FHIR](http://www.hl7.org/fhir/smart-app-launch/) confidential client
+        with a patient context, refresh token, 1 1 and [OpenID Connect
+        (OIDC)](https://openid.net/specs/openid-connect-core-1_0.html) identity
+        token. After launch, a simple Patient resource read is performed on the
+        patient in context. The access token is then refreshed, and the Patient
+        resource is read using the new access token to ensure that the refresh
+        was successful. The authentication information provided by OpenID
+        Connect is decoded and validated, and simple queries are performed to
+        ensure that access is granted to all USCDI data elements.
+      )
+    id :g10_smart_standalone_patient_app
+    run_as_group
+
+    config(
+      inputs: {
+        client_secret: {
+          optional: false
+        }
+      }
+    )
+
+    group from: :smart_discovery do
+      test from: 'g10_smart_well_known_capabilities'
+    end
+
+    group from: :smart_standalone_launch do
+      title 'Standalone Launch With Patient Scope'
+      description %(
+        # Background
+
+        The [Standalone
+        Launch](http://hl7.org/fhir/smart-app-launch/#standalone-launch-sequence)
+        Sequence allows an app, like Inferno, to be launched independent of an
+        existing EHR session. It is one of the two launch methods described in
+        the SMART App Launch Framework alongside EHR Launch. The app will
+        request authorization for the provided scope from the authorization
+        endpoint, ultimately receiving an authorization token which can be used
+        to gain access to resources on the FHIR server.
+
+        # Test Methodology
+
+        Inferno will redirect the user to the the authorization endpoint so that
+        they may provide any required credentials and authorize the application.
+        Upon successful authorization, Inferno will exchange the authorization
+        code provided for an access token.
+
+        For more information on the #{title}:
+
+        * [Standalone Launch
+          Sequence](http://hl7.org/fhir/smart-app-launch/#standalone-launch-sequence)
+      )
+
+      test from: :g10_smart_scopes do
+        config(
+          inputs: {
+            requested_scopes: { name: :standalone_requested_scopes },
+            received_scopes: { name: :standalone_received_scopes }
+          }
+        )
+
+        def required_scopes
+          ['openid', 'fhirUser', 'launch/patient', 'offline_access']
+        end
+
+        def scope_type
+          'patient'
+        end
+      end
+
+      test from: :g10_unauthorized_access,
+           config: {
+             inputs: {
+               patient_id: { name: :standalone_patient_id }
+             }
+           }
+
+      test from: :g10_patient_context,
+           config: {
+             inputs: {
+               patient_id: { name: :standalone_patient_id },
+               smart_credentials: { name: :standalone_smart_credentials }
+             }
+           }
+    end
+
+    group from: :smart_openid_connect,
+          config: {
+            inputs: {
+              id_token: { name: :standalone_id_token },
+              client_id: { name: :standalone_client_id },
+              requested_scopes: { name: :standalone_requested_scopes },
+              smart_credentials: { name: :standalone_smart_credentials }
+            }
+          }
+
+    group from: :g10_token_refresh do
+      id :g10_smart_standalone_token_refresh
+
+      config(
+        inputs: {
+          refresh_token: { name: :standalone_refresh_token },
+          client_id: { name: :standalone_client_id },
+          client_secret: { name: :standalone_client_secret },
+          received_scopes: { name: :standalone_received_scopes }
+        },
+        outputs: {
+          refresh_token: { name: :standalone_refresh_token },
+          received_scopes: { name: :standalone_received_scopes },
+          access_token: { name: :standalone_access_token },
+          token_retrieval_time: { name: :standalone_token_retrieval_time },
+          expires_in: { name: :standalone_expires_in },
+          smart_credentials: { name: :standalone_smart_credentials }
+        }
+      )
+
+      test from: :g10_patient_context do
+        config(
+          inputs: {
+            patient_id: { name: :standalone_patient_id },
+            smart_credentials: { name: :standalone_smart_credentials }
+          },
+          options: {
+            refresh_test: true
+          }
+        )
+        uses_request :token_refresh
+      end
+    end
+
+    group from: :g10_unrestricted_resource_type_access,
+          config: {
+            inputs: {
+              received_scopes: { name: :standalone_received_scopes },
+              patient_id: { name: :standalone_patient_id },
+              smart_credentials: { name: :standalone_smart_credentials }
+            }
+          }
+
+    test do
+      id :g10_standalone_credentials_export
+      title 'Set SMART Credentials to Standalone Launch Credentials'
+
+      input :standalone_smart_credentials, type: :oauth_credentials
+      output :smart_credentials
+
+      run do
+        output smart_credentials: standalone_smart_credentials.to_s
+      end
+    end
+  end
+end

data/lib/onc_certification_g10_test_kit/terminology_binding_validator.rb

@@ -0,0 +1,140 @@
+require_relative '../inferno/terminology/terminology_validation'
+require_relative '../inferno/exceptions'
+
+module ONCCertificationG10TestKit
+  class TerminologyBindingValidator
+    include USCoreTestKit::FHIRResourceNavigation
+    include Inferno::Terminology::TerminologyValidation
+
+    def self.validate(...)
+      new(...).validate
+    end
+
+    attr_reader :resource, :binding_definition, :validation_messages
+
+    def initialize(resource, binding_definition)
+      @resource = resource
+      @binding_definition = binding_definition
+      @validation_messages = []
+    end
+
+    def validate
+      add_error(element_with_invalid_binding) if element_with_invalid_binding.present?
+
+      validation_messages
+    end
+
+    def path_source
+      return resource if binding_definition[:extensions].blank?
+
+      binding_definition[:extensions].reduce(Array.wrap(resource)) do |elements, extension_url|
+        elements.flat_map do |element|
+          element.extension.select { |extension| extension.url == extension_url }
+        end
+      end
+    end
+
+    def element_with_invalid_binding
+      @element_with_invalid_binding ||=
+        find_a_value_at(path_source, binding_definition[:path]) do |element|
+          invalid_binding? element
+        end
+    end
+
+    def add_error(element)
+      validation_messages << {
+        type: 'error',
+        message: invalid_binding_message(element)
+      }
+    end
+
+    def add_warning(message)
+      validation_messages << {
+        type: 'warning',
+        message: message
+      }
+    end
+
+    def element_code(element)
+      case element
+      when FHIR::CodeableConcept
+        element&.coding&.map do |coding|
+          "`#{coding.system}|#{coding.code}`"
+        end&.join(' or ')
+      when FHIR::Coding, FHIR::Quantity
+        "`#{element.system}|#{element.code}`"
+      else
+        "`#{element}`"
+      end
+    end
+
+    def resource_type
+      resource.resourceType
+    end
+
+    def invalid_binding_message(element)
+      system = binding_definition[:system].presence || 'the declared CodeSystem'
+
+      %(
+        #{resource_type}/#{resource.id} at #{resource_type}.#{binding_definition[:path]}
+        with code #{element_code(element)} is not in #{system}.
+      )
+    end
+
+    def invalid_binding?(element)
+      case binding_definition[:type]
+      when 'CodeableConcept'
+        invalid_codeable_concept? element
+      when 'Quantity', 'Coding'
+        invalid_coding? element
+      when 'code'
+        invalid_code? element
+      end
+    end
+
+    def invalid_codeable_concept?(element)
+      return unless element.is_a? FHIR::CodeableConcept
+
+      if binding_definition[:system].present?
+        element.coding.none? do |coding|
+          validate_code(
+            value_set_url: binding_definition[:system],
+            code: coding.code,
+            system: coding.system
+          )
+        rescue Inferno::ProhibitedSystemException => e
+          add_warning(e.message)
+          false
+        end
+      # If we're validating a codesystem (AKA if there's no 'system' URL)
+      # We want all of the codes to be in their respective systems
+      else
+        el.coding.any? do |coding|
+          !validate_code(
+            value_set_url: nil,
+            code: coding.code,
+            system: coding.system
+          )
+        rescue Inferno::ProhibitedSystemException => e
+          add_warning(e.message)
+          false
+        end
+      end
+    end
+
+    def invalid_coding?(element)
+      !validate_code(
+        value_set_url: binding_definition[:system],
+        code: element.code,
+        system: element.system
+      )
+    rescue Inferno::ProhibitedSystemException => e
+      add_warning(e.message)
+      false
+    end
+
+    def invalid_code?(element)
+      !validate_code(value_set_url: binding_definition[:system], code: element)
+    end
+  end
+end