onc_certification_g10_test_kit 2.0.0.rc1

data/lib/onc_certification_g10_test_kit/bulk_data_authorization.rb

@@ -0,0 +1,235 @@
+require_relative 'authorization_request_builder'
+
+module ONCCertificationG10TestKit
+  class BulkDataAuthorization < Inferno::TestGroup
+    title 'Bulk Data Authorization'
+    short_description 'Demonstrate SMART Backend Services Authorization for Bulk Data.'
+    description <<~DESCRIPTION
+      Bulk Data servers are required to authorize clients using the
+      [Backend Service Authorization](http://hl7.org/fhir/uv/bulkdata/STU1/authorization/)
+      specification as defined in the [FHIR Bulk Data Access IG v1.0.0](http://hl7.org/fhir/uv/bulkdata/STU1/).
+
+      In this set of tests, Inferno serves as a Bulk Data client that requests authorization
+      from the Bulk Data authorization server.  It also performs a number of negative tests
+      to validate that the authorization service does not improperly authorize invalid
+      requests.
+
+      This test returns an access token.
+    DESCRIPTION
+
+    id :bulk_data_authorization
+
+    input :bulk_token_endpoint,
+          title: 'Backend Services Token Endpoint',
+          description: 'The OAuth 2.0 Token Endpoint used by the Backend Services specification
+                        to provide bearer tokens.'
+    input :bulk_client_id,
+          title: 'Bulk Data Client ID',
+          description: 'Client ID provided at registration to the Inferno application.'
+    input :bulk_scope,
+          title: 'Bulk Data Scopes',
+          description: 'Bulk Data Scopes provided at registration to the Inferno application.',
+          default: 'system/*.read'
+    input :bulk_encryption_method,
+          title: 'Encryption Method',
+          description: 'The server is required to suport either ES384 or RS384 encryption methods
+                        for JWT signature verification. Select which method to use.',
+          type: 'radio',
+          default: 'ES384',
+          options: {
+            list_options: [
+              {
+                label: 'ES384',
+                value: 'ES384'
+              },
+              {
+                label: 'RS384',
+                value: 'RS384'
+              }
+            ]
+          }
+    output :bearer_token
+
+    http_client :token_endpoint do
+      url :bulk_token_endpoint
+    end
+
+    test from: :tls_version_test do
+      title 'Authorization service token endpoint secured by transport layer security'
+      description <<~DESCRIPTION
+        [§170.315(g)(10) Test
+        Procedure](https://www.healthit.gov/test-method/standardized-api-patient-and-population-services)
+        requires that all exchanges described herein between a client and a
+        server SHALL be secured using Transport Layer Security (TLS) Protocol
+        Version 1.2 (RFC5246).
+      DESCRIPTION
+      id :g10_bulk_token_tls_version
+
+      config(
+        inputs: { url: { name: :bulk_token_endpoint } },
+        options: {  minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION }
+      )
+    end
+
+    test do
+      title 'Authorization request fails when client supplies invalid grant_type'
+      description <<~DESCRIPTION
+        The Backend Service Authorization specification defines the required fields for the
+        authorization request, made via HTTP POST to authorization token endpoint.
+        This includes the `grant_type` parameter, where the value must be `client_credentials`.
+
+        The OAuth 2.0 Authorization Framework describes the proper response for an
+        invalid request in the client credentials grant flow:
+
+        ```
+        If the request failed client authentication or is invalid, the authorization server returns an
+        error response as described in [Section 5.2](https://tools.ietf.org/html/rfc6749#section-5.2).
+        ```
+      DESCRIPTION
+      # link 'http://hl7.org/fhir/uv/bulkdata/authorization/index.html#protocol-details'
+
+      run do
+        post_request_content = AuthorizationRequestBuilder.build(encryption_method: bulk_encryption_method,
+                                                                 scope: bulk_scope,
+                                                                 iss: bulk_client_id,
+                                                                 sub: bulk_client_id,
+                                                                 aud: bulk_token_endpoint,
+                                                                 grant_type: 'not_a_grant_type')
+
+        post({ client: :token_endpoint }.merge(post_request_content))
+
+        assert_response_status(400)
+      end
+    end
+
+    test do
+      title 'Authorization request fails when supplied invalid client_assertion_type'
+      description <<~DESCRIPTION
+        The Backend Service Authorization specification defines the required fields for the
+        authorization request, made via HTTP POST to authorization token endpoint.
+        This includes the `client_assertion_type` parameter, where the value must be `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`.
+
+        The OAuth 2.0 Authorization Framework describes the proper response for an
+        invalid request in the client credentials grant flow:
+
+        ```
+        If the request failed client authentication or is invalid, the authorization server returns an
+        error response as described in [Section 5.2](https://tools.ietf.org/html/rfc6749#section-5.2).
+        ```
+      DESCRIPTION
+      # link 'http://hl7.org/fhir/uv/bulkdata/authorization/index.html#protocol-details'
+
+      run do
+        post_request_content = AuthorizationRequestBuilder.build(encryption_method: bulk_encryption_method,
+                                                                 scope: bulk_scope,
+                                                                 iss: bulk_client_id,
+                                                                 sub: bulk_client_id,
+                                                                 aud: bulk_token_endpoint,
+                                                                 client_assertion_type: 'not_an_assertion_type')
+
+        post({ client: :token_endpoint }.merge(post_request_content))
+
+        assert_response_status(400)
+      end
+    end
+
+    test do
+      title 'Authorization request fails when client supplies invalid JWT token'
+      description <<~DESCRIPTION
+        The Backend Service Authorization specification defines the required fields for the
+        authorization request, made via HTTP POST to authorization token endpoint.
+        This includes the `client_assertion` parameter, where the value must be
+        a valid JWT. The JWT SHALL include the following claims, and SHALL be signed with the client’s private key.
+
+        | JWT Claim | Required? | Description |
+        | --- | --- | --- |
+        | iss | required | Issuer of the JWT -- the client's client_id, as determined during registration with the FHIR authorization server (note that this is the same as the value for the sub claim) |
+        | sub | required | The service's client_id, as determined during registration with the FHIR authorization server (note that this is the same as the value for the iss claim) |
+        | aud | required | The FHIR authorization server's "token URL" (the same URL to which this authentication JWT will be posted) |
+        | exp | required | Expiration time integer for this authentication JWT, expressed in seconds since the "Epoch" (1970-01-01T00:00:00Z UTC). This time SHALL be no more than five minutes in the future. |
+        | jti | required | A nonce string value that uniquely identifies this authentication JWT. |
+
+        The OAuth 2.0 Authorization Framework describes the proper response for an
+        invalid request in the client credentials grant flow:
+
+        ```
+        If the request failed client authentication or is invalid, the authorization server returns an
+        error response as described in [Section 5.2](https://tools.ietf.org/html/rfc6749#section-5.2).
+        ```
+      DESCRIPTION
+      # link 'http://hl7.org/fhir/uv/bulkdata/authorization/index.html#protocol-details'
+
+      run do
+        post_request_content = AuthorizationRequestBuilder.build(encryption_method: bulk_encryption_method,
+                                                                 scope: bulk_scope,
+                                                                 iss: 'not_a_valid_iss',
+                                                                 sub: bulk_client_id,
+                                                                 aud: bulk_token_endpoint)
+
+        post({ client: :token_endpoint }.merge(post_request_content))
+
+        assert_response_status([400, 401])
+      end
+    end
+
+    test do
+      title 'Authorization request succeeds when supplied correct information'
+      description <<~DESCRIPTION
+        If the access token request is valid and authorized, the authorization server SHALL issue an access token in response.
+      DESCRIPTION
+      # link 'http://hl7.org/fhir/uv/bulkdata/authorization/index.html#issuing-access-tokens'
+
+      output :authentication_response
+
+      run do
+        post_request_content = AuthorizationRequestBuilder.build(encryption_method: bulk_encryption_method,
+                                                                 scope: bulk_scope,
+                                                                 iss: bulk_client_id,
+                                                                 sub: bulk_client_id,
+                                                                 aud: bulk_token_endpoint)
+
+        authentication_response = post({ client: :token_endpoint }.merge(post_request_content))
+
+        assert_response_status([200, 201])
+
+        output authentication_response: authentication_response.response_body
+      end
+    end
+
+    test do
+      title 'Authorization request response body contains required information encoded in JSON'
+      description <<~DESCRIPTION
+        The access token response SHALL be a JSON object with the following properties:
+
+        | Token Property | Required? | Description |
+        | --- | --- | --- |
+        | access_token | required | The access token issued by the authorization server. |
+        | token_type | required | Fixed value: bearer. |
+        | expires_in | required | The lifetime in seconds of the access token. The recommended value is 300, for a five-minute token lifetime. |
+        | scope | required | Scope of access authorized. Note that this can be different from the scopes requested by the app. |
+      DESCRIPTION
+      # link 'http://hl7.org/fhir/uv/bulkdata/authorization/index.html#issuing-access-tokens'
+
+      input :authentication_response
+      output :bearer_token
+
+      run do
+        skip_if authentication_response.blank?, 'No authentication response received.'
+
+        assert_valid_json(authentication_response)
+        response_body = JSON.parse(authentication_response)
+
+        access_token = response_body['access_token']
+        assert access_token.present?, 'Token response did not contain access_token as required'
+
+        output bearer_token: access_token
+
+        required_keys = ['token_type', 'expires_in', 'scope']
+
+        required_keys.each do |key|
+          assert response_body[key].present?, "Token response did not contain #{key} as required"
+        end
+      end
+    end
+  end
+end

data/lib/onc_certification_g10_test_kit/bulk_data_group_export.rb

@@ -0,0 +1,255 @@
+require_relative 'export_kick_off_performer'
+
+module ONCCertificationG10TestKit
+  class BulkDataGroupExport < Inferno::TestGroup
+    title 'Group Compartment Export Tests'
+    short_description 'Verify that the system supports Group compartment export.'
+    description <<~DESCRIPTION
+      Verify that system level export on the Bulk Data server follow the Bulk Data Access Implementation Guide
+    DESCRIPTION
+
+    id :bulk_data_group_export
+
+    input :bearer_token
+    input :bulk_server_url,
+          title: 'Bulk Data FHIR URL',
+          description: 'The URL of the Bulk FHIR server.'
+    input :group_id,
+          title: 'Group ID',
+          description: 'The Group ID associated with the group of patients to be exported.'
+    input :bulk_timeout,
+          title: 'Export Times Out after (1-600)',
+          description: 'While testing, Inferno waits for the server to complete the exporting task.
+          If the calculated totalTime is greater than the timeout value specified here,
+          Inferno bulk client stops testing. Please enter an integer for the maximum wait time in seconds.
+          If timeout is less than 1, Inferno uses default value 180.
+          If the timeout is greater than 600 (10 minutes), Inferno uses the maximum value 600.',
+          default: 180
+
+    output :requires_access_token, :status_output, :bulk_download_url
+
+    fhir_client :bulk_server do
+      url :bulk_server_url
+    end
+
+    http_client :bulk_server do
+      url :bulk_server_url
+    end
+
+    test from: :tls_version_test do
+      title 'Bulk Data Server is secured by transport layer security'
+      description <<~DESCRIPTION
+        [§170.315(g)(10) Test
+        Procedure](https://www.healthit.gov/test-method/standardized-api-patient-and-population-services)
+        requires that all exchanges described herein between a client and a
+        server SHALL be secured using Transport Layer Security (TLS) Protocol
+        Version 1.2 (RFC5246).
+      DESCRIPTION
+      id :g10_bulk_data_server_tls_version
+
+      config(
+        inputs: { url: { name: :bulk_server_url } },
+        options: { minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION }
+      )
+    end
+
+    test do
+      title 'Bulk Data Server declares support for Group export operation in CapabilityStatement'
+      description <<~DESCRIPTION
+        The Bulk Data Server SHALL declare support for Group/[id]/$export operation in its server CapabilityStatement
+      DESCRIPTION
+      # link 'http://hl7.org/fhir/uv/bulkdata/OperationDefinition-group-export.html'
+
+      run do
+        fhir_get_capability_statement(client: :bulk_server)
+        assert_response_status([200, 201])
+
+        assert_valid_json(request.response_body)
+        capability_statement = FHIR.from_contents(request.response_body)
+
+        has_export_operation = capability_statement&.rest&.any? do |rest|
+          rest.resource&.any? do |resource|
+            resource.type == 'Group' &&
+              resource.respond_to?(:operation) &&
+              resource.operation&.find do |operation|
+                operation.definition&.match(%r{^http://hl7.org/fhir/uv/bulkdata/OperationDefinition/group-export(\|\S+)?})
+              end
+          end
+        end
+
+        assert has_export_operation,
+               'Server CapabilityStatement did not declare support for export operation in Group resource'
+      end
+    end
+
+    test do
+      title 'Bulk Data Server rejects $export request without authorization'
+      description <<~DESCRIPTION
+        The FHIR server SHALL limit the data returned to only those FHIR resources for which the client is authorized.
+
+        [FHIR R4 Security](http://build.fhir.org/security.html#AccessDenied) and
+        [The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://tools.ietf.org/html/rfc6750#section-3.1)
+        recommend using HTTP status code 401 for invalid token but also allow the actual result be controlled by policy and context.
+      DESCRIPTION
+      # link 'http://hl7.org/fhir/uv/bulkdata/export/index.html#bulk-data-kick-off-request'
+
+      include ExportKickOffPerformer
+
+      run do
+        skip_if bearer_token.blank?, 'Could not verify this functionality when bearer token is not set'
+
+        perform_export_kick_off_request(use_token: false)
+        assert_response_status([400, 401])
+      end
+    end
+
+    test do
+      title 'Bulk Data Server returns "202 Accepted" and "Content-location" for $export operation'
+      description <<~DESCRIPTION
+        Response - Success
+
+        * HTTP Status Code of 202 Accepted
+        * Content-Location header with the absolute URL of an endpoint for subsequent status requests (polling location)
+      DESCRIPTION
+      # link 'http://hl7.org/fhir/uv/bulkdata/export/index.html#response---success'
+
+      include ExportKickOffPerformer
+
+      output :polling_url
+
+      run do
+        perform_export_kick_off_request
+        assert_response_status(202)
+
+        polling_url = request.response_header('content-location')&.value
+        assert polling_url.present?, 'Export response headers did not include "Content-Location"'
+
+        output polling_url: polling_url
+      end
+    end
+
+    test do
+      title 'Bulk Data Server returns "202 Accepted" or "200 OK" for status check'
+      description <<~DESCRIPTION
+        Clients SHOULD follow an exponential backoff approach when polling for status. Servers SHOULD respond with
+
+        * In-Progress Status: HTTP Status Code of 202 Accepted
+        * Complete Status: HTTP status of 200 OK and Content-Type header of application/json
+
+        The JSON object of Complete Status SHALL contain these required field:
+
+        * transactionTime, request, requiresAccessToken, output, and error
+      DESCRIPTION
+      # link 'http://hl7.org/fhir/uv/bulkdata/export/index.html#bulk-data-status-request'
+
+      input :polling_url
+
+      output :status_response, :requires_access_token
+
+      run do
+        skip 'Server response did not have Content-Location in header' unless polling_url.present?
+
+        timeout = bulk_timeout.to_i
+
+        if !timeout.positive?
+          timeout = 180
+        elsif timeout > 600
+          timeout = 600
+        end
+
+        wait_time = 1
+        start = Time.now
+
+        loop do
+          get(polling_url, headers: { authorization: "Bearer #{bearer_token}" })
+
+          retry_after_val = request.response_header('retry-after')&.value.to_i
+
+          wait_time = retry_after_val.positive? ? retry_after_val : wait_time *= 2
+
+          seconds_used = Time.now - start + wait_time
+
+          break if response[:status] != 202 || seconds_used > timeout
+
+          sleep wait_time
+        end
+
+        skip "Server took more than #{timeout} seconds to process the request." if response[:status] == 202
+        assert_response_status(200)
+
+        assert request.response_header('content-type')&.value&.include?('application/json'),
+               'Content-Type not application/json'
+
+        response_body = JSON.parse(response[:body])
+
+        ['transactionTime', 'request', 'requiresAccessToken', 'output', 'error'].each do |key|
+          assert response_body.key?(key), "Complete Status response did not contain \"#{key}\" as required"
+        end
+
+        output requires_access_token: response_body['requiresAccessToken'].to_s.downcase
+        output status_response: response[:body]
+      end
+    end
+
+    test do
+      title 'Bulk Data Server returns output with type and url for status complete'
+      description <<~DESCRIPTION
+        The value of output field is an array of file items with one entry for each generated file.
+        If no resources are returned from the kick-off request, the server SHOULD return an empty array.
+
+        Each file item SHALL contain the following fields:
+
+        * type - the FHIR resource type that is contained in the file.
+
+        Each file SHALL contain resources of only one type, but a server MAY create more than one file for each resource type returned.
+
+        * url - the path to the file. The format of the file SHOULD reflect that requested in the _outputFormat parameter of the initial kick-off request.
+      DESCRIPTION
+      # link 'http://hl7.org/fhir/uv/bulkdata/export/index.html#response---complete-status'
+
+      input :status_response
+
+      output :status_output, :bulk_download_url
+
+      run do
+        assert status_response.present?, 'Bulk Data Server status response not found'
+
+        status_output = JSON.parse(status_response)['output']
+        assert status_output, 'Bulk Data Server status response does not contain output'
+
+        output status_output: status_output.to_json,
+               bulk_download_url: status_output[0]['url']
+
+        status_output.each do |file|
+          ['type', 'url'].each do |key|
+            assert file.key?(key), "Output file did not contain \"#{key}\" as required"
+          end
+        end
+      end
+    end
+
+    test do
+      title 'Bulk Data Server returns "202 Accepted" for delete request'
+      description <<~DESCRIPTION
+        After a bulk data request has been started, a client MAY send a delete request to the URL provided in the Content-Location header to cancel the request.
+        Bulk Data Server MUST support client's delete request and return HTTP Status Code of "202 Accepted"
+      DESCRIPTION
+      # link 'http://hl7.org/fhir/uv/bulkdata/export/index.html#bulk-data-delete-request'
+
+      include ExportKickOffPerformer
+
+      run do
+        perform_export_kick_off_request
+        assert_response_status(202)
+
+        polling_url = request.response_header('content-location')&.value
+        assert polling_url.present?, 'Export response header did not include "Content-Location"'
+
+        headers = { accept: 'application/json', authorization: "Bearer #{bearer_token}" }
+
+        delete(polling_url, headers: headers)
+        assert_response_status(202)
+      end
+    end
+  end
+end