onc_certification_g10_test_kit 2.0.0.rc1

data/lib/onc_certification_g10_test_kit/token_revocation_group.rb

@@ -0,0 +1,133 @@
+module ONCCertificationG10TestKit
+  class TokenRevocationGroup < Inferno::TestGroup
+    title 'Token Revocation'
+    description 'Demonstrate the Health IT module is capable of revoking access granted to an application.'
+    id :g10_token_revocation
+    run_as_group
+    input :token_revocation_attestation,
+          title: 'Prior to executing test, Health IT developer demonstrated revoking tokens provided during patient standalone launch.', # rubocop:disable Layout/LineLength
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :token_revocation_notes,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+    input :url, :access_token, :refresh_token, :smart_token_url, :patient_id, :client_id, :client_secret
+
+    config(
+      inputs: {
+        url: {
+          title: 'FHIR Endpoint',
+          description: 'URL of the FHIR endpoint used by standalone applications'
+        },
+        smart_token_url: {
+          title: 'OAuth 2.0 Token Endpoint',
+          description: 'OAuth token endpoint provided during the patient standalone launch'
+        },
+        access_token: {
+          name: :standalone_access_token,
+          title: 'Revoked Bearer Token',
+          description: 'Prior to the test, please revoke this bearer token from patient standalone launch.'
+        },
+        refresh_token: {
+          name: :standalone_refresh_token,
+          title: 'Revoked Refresh Token',
+          description: 'Prior to the test, please revoke this refresh token from patient standalone launch.'
+        },
+        patient_id: {
+          name: :standalone_patient_id,
+          title: 'Patient ID',
+          description: 'Patient ID associated with revoked tokens provided as context in the patient standalone launch. This will be used to verify access is no longer granted using the revoked token.' # rubocop:disable Layout/LineLength
+        },
+        client_id: {
+          name: :standalone_client_id,
+          title: 'Standalone Client ID',
+          description: 'Client ID provided during registration of Inferno as a standalone application',
+          locked: true
+        },
+        client_secret: {
+          name: :standalone_client_secret,
+          title: 'Standalone Client Secret',
+          description: 'Client Secret provided during registration of Inferno as a standalone application',
+          locked: true
+        }
+      }
+    )
+
+    test do
+      title 'Health IT developer demonstrated the ability of the Health IT Module to revoke tokens.'
+      description %(
+        Health IT developer demonstrated the ability of the Health IT Module /
+        authorization server to revoke tokens.
+      )
+
+      run do
+        assert token_revocation_attestation == 'true',
+               'Health IT Module did not demonstrate support for application registration for single patients.'
+        pass token_revocation_notes if token_revocation_notes.present?
+      end
+    end
+
+    test do
+      title 'Access to Patient resource returns unauthorized after token revocation.'
+      description %(
+        This test checks that the Patient resource returns unuathorized after token revocation.
+      )
+
+      fhir_client :revoked_token do
+        url :url
+        bearer_token :access_token
+      end
+
+      run do
+        skip_if patient_id.blank?,
+                'Patient ID not provided to test. The patient ID is typically provided ' \
+                'during a SMART launch context.'
+        skip_if access_token.blank?,
+                'Bearer token not provided. This test verifies that the bearer token can ' \
+                'no longer be used to access a Patient resource.'
+
+        fhir_read(:patient, patient_id, client: :revoked_token)
+
+        assert_response_status([401, 403, 404])
+      end
+    end
+
+    test do
+      title 'Token refresh fails after token revocation.'
+      description %(
+        This test checks that refreshing token fails after token revokation.
+      )
+
+      run do
+        skip_if refresh_token.blank?,
+                'Refresh token not provided to test.'
+        oauth2_params = {
+          'grant_type' => 'refresh_token',
+          'refresh_token' => refresh_token
+        }
+        client_credentials = "#{client_id}:#{client_secret}"
+        oauth2_headers = {
+          'Content-Type' => 'application/x-www-form-urlencoded',
+          'Authorization' => "Basic #{Base64.strict_encode64(client_credentials)}"
+        }
+
+        post(smart_token_url, body: oauth2_params, headers: oauth2_headers)
+
+        assert_response_status([400, 401])
+      end
+    end
+  end
+end

data/lib/onc_certification_g10_test_kit/unauthorized_access_test.rb

@@ -0,0 +1,25 @@
+module ONCCertificationG10TestKit
+  class UnauthorizedAccessTest < Inferno::Test
+    title 'Server rejects unauthorized access'
+    description %(
+      A server SHALL reject any unauthorized requests by returning an HTTP 401
+      unauthorized response code.
+    )
+    id :g10_unauthorized_access
+    input :patient_id, :url
+    uses_request :token
+
+    fhir_client :unauthenticated do
+      url :url
+    end
+
+    run do
+      skip_if request.status != 200, 'Token exchange was unsuccessful'
+      skip_if patient_id.blank?, 'Patient context expected to verify unauthorized read.'
+
+      fhir_read(:patient, patient_id, client: :unauthenticated)
+
+      assert_response_status(401)
+    end
+  end
+end

data/lib/onc_certification_g10_test_kit/unrestricted_resource_type_access_group.rb

@@ -0,0 +1,375 @@
+require_relative 'resource_access_test'
+
+module ONCCertificationG10TestKit
+  class UnrestrictedResourceTypeAccessGroup < Inferno::TestGroup
+    title 'Unrestricted Resource Type Access'
+    description %(
+      This test ensures that apps have full access to USCDI resources if granted
+      access by the tester. The tester must grant access to the following
+      resources during the SMART Launch process, and this test ensures they all
+      can be accessed:
+
+        * AllergyIntolerance
+        * CarePlan
+        * CareTeam
+        * Condition
+        * Device
+        * DiagnosticReport
+        * DocumentReference
+        * Goal
+        * Immunization
+        * MedicationRequest
+        * Observation
+        * Procedure
+        * Patient
+        * Provenance
+        * Encounter
+        * Practitioner
+        * Organization
+
+      For each of the resource types that can be mapped to USCDI data class or
+      elements, this set of tests performs a minimum number of requests to
+      determine that the resource type can be accessed given the scope granted.
+      In the case of the Patient resource, this test simply performs a read
+      request. For other resources, it performs a search by patient that must be
+      supported by the server. In some cases, servers can return an error
+      message if a status search parameter is not provided. For these, the test
+      will perform an additional search with the required status search
+      parameter.
+
+      This set of tests does not attempt to access resources that do not
+      directly map to USCDI v1, including Encounter, Location, Organization, and
+      Practitioner. It also does not test Provenance, as this resource type is
+      accessed by queries through other resource types. These resources types
+      are accessed in the more comprehensive Single Patient Query tests.
+
+      However, the authorization system must indicate that access is granted to
+      the Encounter, Practitioner and Organization resource types by providing
+      them in the returned scopes because they are required to support the read
+      interaction.
+    )
+    id :g10_unrestricted_resource_type_access
+
+    input :url, :smart_credentials, :patient_id, :received_scopes
+    input :smart_credentials, type: :oauth_credentials
+
+    fhir_client do
+      url :url
+      oauth_credentials :smart_credentials
+    end
+
+    test do
+      title 'Scope granted enables access to all US Core resource types.'
+      description %(
+        This test confirms that the scopes granted during authorization are
+        sufficient to access all relevant US Core resources.
+      )
+
+      def all_resources
+        [
+          'AllergyIntolerance',
+          'CarePlan',
+          'CareTeam',
+          'Condition',
+          'Device',
+          'DiagnosticReport',
+          'DocumentReference',
+          'Goal',
+          'Immunization',
+          'MedicationRequest',
+          'Observation',
+          'Procedure',
+          'Patient',
+          'Provenance',
+          'Encounter',
+          'Practitioner',
+          'Organization'
+        ]
+      end
+
+      def non_patient_compartment_resources
+        [
+          'Encounter',
+          'Device',
+          'Location',
+          'Medication',
+          'Organization',
+          'Practitioner',
+          'PractitionerRole',
+          'RelatedPerson'
+        ]
+      end
+
+      def scope_granting_access?(resource_type)
+        received_scopes.split.find do |scope|
+          return true if non_patient_compartment_resources.include?(resource_type) &&
+                         ["user/#{resource_type}.read", "user/#{resource_type}.*"].include?(scope)
+
+          [
+            'patient/*.read',
+            'patient/*.*',
+            "patient/#{resource_type}.read",
+            "patient/#{resource_type}.*"
+          ].include?(scope)
+        end
+      end
+
+      run do
+        skip_if received_scopes.blank?, 'A list of granted scopes was not provided to this test as required.'
+
+        allowed_resources = all_resources.select { |resource_type| scope_granting_access?(resource_type) }
+        denied_resources = all_resources - allowed_resources
+
+        assert denied_resources.empty?, %(
+          This test requires access to all US Core resources with patient
+          information, but the received scope:
+
+
+
+          `#{received_scopes}`
+
+
+
+          does not grant access to the `#{denied_resources.join(', ')}` resource
+          type(s).
+        )
+
+        pass 'Scopes received indicate access to all necessary resources.'
+      end
+    end
+
+    test from: :g10_resource_access_test do
+      title 'Access to Patient resources granted'
+      description %(
+        This test ensures that access to the Patient is granted or
+        denied based on the selection by the tester prior to the execution of
+        the test. If the tester indicated that access will be granted to this
+        resource, this test verifies that a search by patient in this resource
+        does not result in an access denied result. If the tester indicated that
+        access will be denied for this resource, this verifies that search by
+        patient in the resource results in an access denied result.
+      )
+      id :g10_patient_unrestricted_access
+
+      def resource_group
+        USCoreTestKit::PatientGroup
+      end
+    end
+
+    test from: :g10_resource_access_test do
+      title 'Access to AllergyIntolerance resources granted'
+      description %(
+        This test ensures that access to the AllergyIntolerance is granted or
+        denied based on the selection by the tester prior to the execution of
+        the test. If the tester indicated that access will be granted to this
+        resource, this test verifies that a search by patient in this resource
+        does not result in an access denied result. If the tester indicated that
+        access will be denied for this resource, this verifies that search by
+        patient in the resource results in an access denied result.
+      )
+      id :g10_allergy_intolerance_unrestricted_access
+
+      def resource_group
+        USCoreTestKit::AllergyIntoleranceGroup
+      end
+    end
+
+    test from: :g10_resource_access_test do
+      title 'Access to CarePlan resources granted'
+      description %(
+        This test ensures that access to the CarePlan is granted or
+        denied based on the selection by the tester prior to the execution of
+        the test. If the tester indicated that access will be granted to this
+        resource, this test verifies that a search by patient in this resource
+        does not result in an access denied result. If the tester indicated that
+        access will be denied for this resource, this verifies that search by
+        patient in the resource results in an access denied result.
+      )
+      id :g10_care_plan_unrestricted_access
+
+      def resource_group
+        USCoreTestKit::CarePlanGroup
+      end
+    end
+
+    test from: :g10_resource_access_test do
+      title 'Access to CareTeam resources granted'
+      description %(
+        This test ensures that access to the CareTeam is granted or
+        denied based on the selection by the tester prior to the execution of
+        the test. If the tester indicated that access will be granted to this
+        resource, this test verifies that a search by patient in this resource
+        does not result in an access denied result. If the tester indicated that
+        access will be denied for this resource, this verifies that search by
+        patient in the resource results in an access denied result.
+      )
+      id :g10_care_team_unrestricted_access
+
+      def resource_group
+        USCoreTestKit::CareTeamGroup
+      end
+    end
+
+    test from: :g10_resource_access_test do
+      title 'Access to Condition resources granted'
+      description %(
+        This test ensures that access to the Condition is granted or
+        denied based on the selection by the tester prior to the execution of
+        the test. If the tester indicated that access will be granted to this
+        resource, this test verifies that a search by patient in this resource
+        does not result in an access denied result. If the tester indicated that
+        access will be denied for this resource, this verifies that search by
+        patient in the resource results in an access denied result.
+      )
+      id :g10_condition_unrestricted_access
+
+      def resource_group
+        USCoreTestKit::ConditionGroup
+      end
+    end
+
+    test from: :g10_resource_access_test do
+      title 'Access to Device resources granted'
+      description %(
+        This test ensures that access to the Device is granted or
+        denied based on the selection by the tester prior to the execution of
+        the test. If the tester indicated that access will be granted to this
+        resource, this test verifies that a search by patient in this resource
+        does not result in an access denied result. If the tester indicated that
+        access will be denied for this resource, this verifies that search by
+        patient in the resource results in an access denied result.
+      )
+      id :g10_device_unrestricted_access
+
+      def resource_group
+        USCoreTestKit::DeviceGroup
+      end
+    end
+
+    test from: :g10_resource_access_test do
+      title 'Access to DiagnosticReport resources granted'
+      description %(
+        This test ensures that access to the DiagnosticReport is granted or
+        denied based on the selection by the tester prior to the execution of
+        the test. If the tester indicated that access will be granted to this
+        resource, this test verifies that a search by patient in this resource
+        does not result in an access denied result. If the tester indicated that
+        access will be denied for this resource, this verifies that search by
+        patient in the resource results in an access denied result.
+      )
+      id :g10_diagnostic_report_unrestricted_access
+
+      def resource_group
+        USCoreTestKit::DiagnosticReportLabGroup
+      end
+    end
+
+    test from: :g10_resource_access_test do
+      title 'Access to DocumentReference resources granted'
+      description %(
+        This test ensures that access to the DocumentReference is granted or
+        denied based on the selection by the tester prior to the execution of
+        the test. If the tester indicated that access will be granted to this
+        resource, this test verifies that a search by patient in this resource
+        does not result in an access denied result. If the tester indicated that
+        access will be denied for this resource, this verifies that search by
+        patient in the resource results in an access denied result.
+      )
+      id :g10_document_reference_unrestricted_access
+
+      def resource_group
+        USCoreTestKit::DocumentReferenceGroup
+      end
+    end
+
+    test from: :g10_resource_access_test do
+      title 'Access to Goal resources granted'
+      description %(
+        This test ensures that access to the Goal is granted or
+        denied based on the selection by the tester prior to the execution of
+        the test. If the tester indicated that access will be granted to this
+        resource, this test verifies that a search by patient in this resource
+        does not result in an access denied result. If the tester indicated that
+        access will be denied for this resource, this verifies that search by
+        patient in the resource results in an access denied result.
+      )
+      id :g10_goal_unrestricted_access
+
+      def resource_group
+        USCoreTestKit::GoalGroup
+      end
+    end
+
+    test from: :g10_resource_access_test do
+      title 'Access to Immunization resources granted'
+      description %(
+        This test ensures that access to the Immunization is granted or
+        denied based on the selection by the tester prior to the execution of
+        the test. If the tester indicated that access will be granted to this
+        resource, this test verifies that a search by patient in this resource
+        does not result in an access denied result. If the tester indicated that
+        access will be denied for this resource, this verifies that search by
+        patient in the resource results in an access denied result.
+      )
+      id :g10_immunization_unrestricted_access
+
+      def resource_group
+        USCoreTestKit::ImmunizationGroup
+      end
+    end
+
+    test from: :g10_resource_access_test do
+      title 'Access to MedicationRequest resources granted'
+      description %(
+        This test ensures that access to the MedicationRequest is granted or
+        denied based on the selection by the tester prior to the execution of
+        the test. If the tester indicated that access will be granted to this
+        resource, this test verifies that a search by patient in this resource
+        does not result in an access denied result. If the tester indicated that
+        access will be denied for this resource, this verifies that search by
+        patient in the resource results in an access denied result.
+      )
+      id :g10_medication_request_access
+
+      def resource_group
+        USCoreTestKit::MedicationRequestGroup
+      end
+    end
+
+    test from: :g10_resource_access_test do
+      title 'Access to Observation resources granted'
+      description %(
+        This test ensures that access to the Observation is granted or
+        denied based on the selection by the tester prior to the execution of
+        the test. If the tester indicated that access will be granted to this
+        resource, this test verifies that a search by patient in this resource
+        does not result in an access denied result. If the tester indicated that
+        access will be denied for this resource, this verifies that search by
+        patient in the resource results in an access denied result.
+      )
+      id :g10_observation_unrestricted_access
+
+      def resource_group
+        USCoreTestKit::PulseOximetryGroup
+      end
+    end
+
+    test from: :g10_resource_access_test do
+      title 'Access to Procedure resources granted'
+      description %(
+        This test ensures that access to the Procedure is granted or
+        denied based on the selection by the tester prior to the execution of
+        the test. If the tester indicated that access will be granted to this
+        resource, this test verifies that a search by patient in this resource
+        does not result in an access denied result. If the tester indicated that
+        access will be denied for this resource, this verifies that search by
+        patient in the resource results in an access denied result.
+      )
+      id :g10_procedure_unrestricted_access
+
+      def resource_group
+        USCoreTestKit::ProcedureGroup
+      end
+    end
+  end
+end

data/lib/onc_certification_g10_test_kit/version.rb

@@ -0,0 +1,3 @@
+module ONCCertificationG10TestKit
+  VERSION = '2.0.0.rc1'.freeze
+end