onc_certification_g10_test_kit 2.2.2 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fb3530831315a74fef8ddffba6114b0934ab651d459e516a662ef2482f53af51
-  data.tar.gz: add2b2f5e8f8483932cd75a971d3d4f94992c5cae208f60124c7201b43293b85
+  metadata.gz: 26db3a7b89aa5bfcd52c5e918543a6a8883e7672825b4c821bc90b7d86f92f39
+  data.tar.gz: ae93cb1f1d78eda01567a1e85071605a190e6e3c6473a65508a6977229282236
 SHA512:
-  metadata.gz: 6042c6a5161cb50757ebee1f17ddfb7ce8ae6734229a8d30342a99c24192cf3bd11b9d43c0326d3eb679837af46912b4c6b6735c4fcdd7148a2a42e264a163c3
-  data.tar.gz: 6add8a740467b5d1bc88148083d1ac244e3fdfa83fb45d4f6915040d1c35f0e2f5c7e67e26d21ff178815a889adf07256572cf38f701db03ce8fcf3f2cedbdb3
+  metadata.gz: c9f971806d40478dd207b333073433741a9dc3b596de17d0bd6d6e3b2507dcdac2031dad2227eec0b090aec38bc79f21271d1b0fd17d8233c6d1f517359671ff
+  data.tar.gz: 70a818c745d8f7068bb0834885f3e0215b20115232f1a73c2265a499df8fc164265c73706d75d6eb6934f3a6bbe4fa7e71001766603b86933b0d0fe0cdb98c98

data/lib/onc_certification_g10_test_kit/authorization_request_builder.rb

@@ -7,7 +7,8 @@ module ONCCertificationG10TestKit
     end
 
     def self.bulk_data_jwks
-      @bulk_data_jwks ||= JSON.parse(File.read(File.join(__dir__, 'bulk_data_jwks.json')))
+      @bulk_data_jwks ||= JSON.parse(File.read(ENV.fetch('G10_BULK_DATA_JWKS',
+                                                         File.join(__dir__, 'bulk_data_jwks.json'))))
     end
 
     attr_reader :encryption_method, :scope, :iss, :sub, :aud, :content_type, :grant_type, :client_assertion_type, :exp,

data/lib/onc_certification_g10_test_kit/bulk_data_authorization.rb

@@ -4,18 +4,6 @@ module ONCCertificationG10TestKit
   class BulkDataAuthorization < Inferno::TestGroup
     title 'Bulk Data Authorization'
     short_description 'Demonstrate SMART Backend Services Authorization for Bulk Data.'
-    description <<~DESCRIPTION
-      Bulk Data servers are required to authorize clients using the
-      [Backend Service Authorization](http://hl7.org/fhir/uv/bulkdata/STU1.0.1/authorization/index.html)
-      specification as defined in the [FHIR Bulk Data Access IG v1.0.1](http://hl7.org/fhir/uv/bulkdata/STU1.0.1/).
-
-      In this set of tests, Inferno serves as a Bulk Data client that requests authorization
-      from the Bulk Data authorization server.  It also performs a number of negative tests
-      to validate that the authorization service does not improperly authorize invalid
-      requests.
-
-      This test returns an access token.
-    DESCRIPTION
 
     id :bulk_data_authorization
 

data/lib/onc_certification_g10_test_kit/{bulk_data_group_export.rb → bulk_data_group_export_stu1.rb}

@@ -1,13 +1,12 @@
 require_relative 'export_kick_off_performer'
 
 module ONCCertificationG10TestKit
-  class BulkDataGroupExport < Inferno::TestGroup
+  class BulkDataGroupExportSTU1 < Inferno::TestGroup
     title 'Group Compartment Export Tests'
     short_description 'Verify that the system supports Group compartment export.'
     description <<~DESCRIPTION
       Verify that system level export on the Bulk Data server follow the Bulk Data Access Implementation Guide
     DESCRIPTION
-
     id :bulk_data_group_export
 
     input :bearer_token
@@ -79,7 +78,6 @@ module ONCCertificationG10TestKit
         Additionally, this test provides a warning if the bulk data server does
         not include the following URL in its `CapabilityStatement.instantiates`
         element: http://hl7.org/fhir/uv/bulkdata/CapabilityStatement/bulk-data
-
       DESCRIPTION
 
       run do
@@ -285,13 +283,7 @@ module ONCCertificationG10TestKit
         perform_export_kick_off_request
         assert_response_status(202)
 
-        polling_url = request.response_header('content-location')&.value
-        assert polling_url.present?, 'Export response header did not include "Content-Location"'
-
-        headers = { accept: 'application/json', authorization: "Bearer #{bearer_token}" }
-
-        delete(polling_url, headers: headers)
-        assert_response_status(202)
+        delete_export_kick_off_request
       end
     end
   end

data/lib/onc_certification_g10_test_kit/bulk_data_group_export_stu2.rb

@@ -0,0 +1,41 @@
+require_relative 'bulk_data_group_export_stu1'
+require_relative 'export_kick_off_performer'
+
+module ONCCertificationG10TestKit
+  class BulkDataGroupExportSTU2 < BulkDataGroupExportSTU1
+    title 'Group Compartment Export Tests STU2'
+    id :bulk_data_group_export_stu2
+
+    test do
+      title 'Bulk Data Server supports "_outputFormat" query parameter'
+      description <<~DESCRIPTION
+        [_outputFormat](http://hl7.org/fhir/uv/bulkdata/STU2/export.html#query-parameters):
+        The format for the requested Bulk Data files to be
+        generated as per FHIR Asynchronous Request Pattern. Defaults to
+        application/fhir+ndjson. The server SHALL support Newline Delimited
+        JSON, but MAY choose to support additional output formats. The server
+        SHALL accept the full content type of application/fhir+ndjson as well
+        as the abbreviated representations application/ndjson and ndjson.
+      DESCRIPTION
+
+      id :output_format_in_export_response
+
+      include ExportKickOffPerformer
+
+      input :bearer_token, :group_id, :bulk_server_url
+
+      http_client :bulk_server do
+        url :bulk_server_url
+      end
+
+      run do
+        ['application/fhir+ndjson', 'application/ndjson', 'ndjson'].each do |format|
+          perform_export_kick_off_request(params: "_outputFormat=#{format}")
+          assert_response_status(202)
+
+          delete_export_kick_off_request
+        end
+      end
+    end
+  end
+end

data/lib/onc_certification_g10_test_kit/export_kick_off_performer.rb

@@ -1,12 +1,24 @@
 module ONCCertificationG10TestKit
   module ExportKickOffPerformer
-    def perform_export_kick_off_request(use_token: true)
+    def perform_export_kick_off_request(use_token: true, params: '')
       skip_if use_token && bearer_token.blank?, 'Could not verify this functionality when bearer token is not set'
 
       headers = { accept: 'application/fhir+json', prefer: 'respond-async' }
       headers.merge!({ authorization: "Bearer #{bearer_token}" }) if use_token
 
-      get("Group/#{group_id}/$export", client: :bulk_server, name: :export, headers: headers)
+      url = "Group/#{group_id}/$export"
+      url.concat("?#{params}") unless params.empty?
+      get(url, client: :bulk_server, name: :export, headers: headers)
+    end
+
+    def delete_export_kick_off_request
+      polling_url = request&.response_header('content-location')&.value
+      assert polling_url.present?, 'Export response header did not include "Content-Location"'
+
+      headers = { accept: 'application/json', authorization: "Bearer #{bearer_token}" }
+
+      delete(polling_url, headers: headers)
+      assert_response_status(202)
     end
   end
 end

data/lib/onc_certification_g10_test_kit/feature.rb

@@ -0,0 +1,13 @@
+module ONCCertificationG10TestKit
+  module Feature
+    class << self
+      def us_core_v4?
+        ENV.fetch('US_CORE_4_ENABLED', 'false')&.casecmp?('true')
+      end
+
+      def bulk_data_v2?
+        ENV.fetch('BULk_DATA_V2_ENABLED', 'false')&.casecmp?('true')
+      end
+    end
+  end
+end

data/lib/onc_certification_g10_test_kit/{multi_patient_api.rb → multi_patient_api_stu1.rb}

@@ -1,9 +1,9 @@
 require_relative 'bulk_data_authorization'
-require_relative 'bulk_data_group_export'
+require_relative 'bulk_data_group_export_stu1'
 require_relative 'bulk_data_group_export_validation'
 
 module ONCCertificationG10TestKit
-  class MultiPatientAPIGroup < Inferno::TestGroup
+  class MultiPatientAPIGroupSTU1 < Inferno::TestGroup
     title 'Multi-Patient Authorization and API'
     short_title 'Multi-Patient API'
 
@@ -47,7 +47,21 @@ module ONCCertificationG10TestKit
                 :lines_to_validate,
                 :bulk_timeout
 
-    group from: :bulk_data_authorization
+    group from: :bulk_data_authorization,
+          description: <<~DESCRIPTION
+            Bulk Data servers are required to authorize clients using the [Backend Service
+            Authorization](http://hl7.org/fhir/uv/bulkdata/STU1.0.1/authorization/index.html)
+            specification as defined in the [FHIR Bulk Data Access IG
+            v1.0.1](http://hl7.org/fhir/uv/bulkdata/STU1.0.1/).
+
+            In this set of tests, Inferno serves as a Bulk Data client that requests authorization
+            from the Bulk Data authorization server.  It also performs a number of negative tests
+            to validate that the authorization service does not improperly authorize invalid
+            requests.
+
+            This test returns an access token.
+          DESCRIPTION
+
     group from: :bulk_data_group_export
     group from: :bulk_data_group_export_validation
   end

data/lib/onc_certification_g10_test_kit/multi_patient_api_stu2.rb

@@ -0,0 +1,68 @@
+require_relative 'bulk_data_authorization'
+require_relative 'bulk_data_group_export_stu2'
+require_relative 'bulk_data_group_export_validation'
+
+module ONCCertificationG10TestKit
+  class MultiPatientAPIGroupSTU2 < Inferno::TestGroup
+    title 'Multi-Patient Authorization and API STU2'
+    short_title 'Multi-Patient API STU2'
+
+    input_instructions %(
+      Register Inferno as a bulk data client with the following information, and
+      enter the client id and client registration in the appropriate fields.
+      This set of tests only checks the Group export. Enter the group export
+      information in the appropriate box.
+
+      Register Inferno with the following JWK Set Url:
+
+      * `#{Inferno::Application[:base_url]}/custom/g10_certification/.well-known/jwks.json`
+    )
+
+    description %(
+      Demonstrate the ability to export clinical data for multiple patients in
+      a group using [FHIR Bulk Data Access
+      IG](https://hl7.org/fhir/uv/bulkdata/STU2/). This test uses [Backend Services
+      Authorization](http://www.hl7.org/fhir/smart-app-launch/backend-services.html)
+      to obtain an access token from the server. After authorization, a group
+      level bulk data export request is initialized. Finally, this test reads
+      exported NDJSON files from the server and validates the resources in
+      each file. To run the test successfully, the selected group export is
+      required to have every type of resource mapped to [USCDI data
+      elements](https://www.healthit.gov/isa/us-core-data-interoperability-uscdi).
+      Additionally, it is expected the server will provide Encounter,
+      Location, Organization, and Practitioner resources as they are
+      referenced as must support elements in required resources.
+    )
+    id :multi_patient_api_stu2
+    run_as_group
+
+    input_order :bulk_server_url,
+                :bulk_token_endpoint,
+                :bulk_client_id,
+                :bulk_scope,
+                :bulk_encryption_method,
+                :group_id,
+                :bulk_patient_ids_in_group,
+                :bulk_device_types_in_group,
+                :lines_to_validate,
+                :bulk_timeout
+
+    group from: :bulk_data_authorization,
+          description: <<~DESCRIPTION
+            Bulk Data servers are required to authorize clients using the [Backend Service
+            Authorization](http://www.hl7.org/fhir/smart-app-launch/backend-services.html)
+            specification as defined in the [FHIR Bulk Data Access IG
+            v2.0.0](https://hl7.org/fhir/uv/bulkdata/STU2/).
+
+            In this set of tests, Inferno serves as a Bulk Data client that requests authorization
+            from the Bulk Data authorization server.  It also performs a number of negative tests
+            to validate that the authorization service does not improperly authorize invalid
+            requests.
+
+            This test returns an access token.
+          DESCRIPTION
+
+    group from: :bulk_data_group_export_stu2
+    group from: :bulk_data_group_export_validation
+  end
+end

data/lib/onc_certification_g10_test_kit/resource_access_test.rb

@@ -80,7 +80,7 @@ module ONCCertificationG10TestKit
             assert false, error_message
           end
           fhir_search(
-            :allergy_intolerance,
+            resource_type,
             params: search_params.merge(status_search_params)
           )
         end

data/lib/onc_certification_g10_test_kit/single_patient_us_core_4_api_group.rb

@@ -0,0 +1,93 @@
+module ONCCertificationG10TestKit
+  class SinglePatientUSCore4APIGroup < Inferno::TestGroup
+    id :g10_single_patient_us_core_4_api
+    title 'Single Patient API (US Core 4.0.0)'
+    description %(
+      For each of the relevant USCDI data elements provided in the
+      CapabilityStatement, this test executes the [required supported
+      searches](http://hl7.org/fhir/us/core/STU4/CapabilityStatement-us-core-server.html)
+      as defined by the US Core Implementation Guide v4.0.0.
+
+      The test begins by searching by one or more patients, with the expectation
+      that the Bearer token provided to the test grants access to all USCDI
+      resources. It uses results returned from that query to generate other
+      queries and checks that the results are consistent with the provided
+      search parameters. It then performs a read on each Resource returned and
+      validates the response against the relevant
+      [profile](http://hl7.org/fhir/us/core/STU4/profiles-and-extensions.html)
+      as currently defined in the US Core Implementation Guide.
+
+      All MUST SUPPORT elements must be seen before the test can pass, as well
+      as Data Absent Reason to demonstrate that the server can properly handle
+      missing data. Note that Encounter, Organization and Practitioner resources
+      must be accessible as references in some US Core profiles to satisfy must
+      support requirements, and those references will be validated to their US
+      Core profile. These resources will not be tested for FHIR search support.
+    )
+    run_as_group
+
+    input :url,
+          title: 'FHIR Endpoint',
+          description: 'URL of the FHIR endpoint used by SMART applications'
+    input :patient_id,
+          title: 'Patient ID from SMART App Launch',
+          locked: true
+    input :additional_patient_ids,
+          title: 'Additional Patient IDs',
+          description: <<~DESCRIPTION,
+            Comma separated list of Patient IDs that together with the Patient
+            ID from the SMART App Launch contain all MUST SUPPORT elements.
+          DESCRIPTION
+          optional: true
+    input :smart_credentials,
+          title: 'SMART App Launch Credentials',
+          type: :oauth_credentials,
+          locked: true
+
+    fhir_client do
+      url :url
+      oauth_credentials :smart_credentials
+    end
+
+    input_order :url, :patient_id, :additional_patient_ids, :implantable_device_codes, :smart_credentials
+
+    test do
+      id :g10_patient_id_setup
+      title 'Manage patient id list'
+
+      input :patient_id, :additional_patient_ids
+      output :patient_ids
+
+      run do
+        smart_app_launch_patient_id = patient_id.presence
+        additional_patient_ids_list =
+          if additional_patient_ids.present?
+            additional_patient_ids
+              .split(',')
+              .map(&:strip)
+              .map(&:presence)
+              .compact
+          else
+            []
+          end
+
+        all_patient_ids = ([smart_app_launch_patient_id] + additional_patient_ids_list).compact.uniq
+
+        output patient_ids: all_patient_ids.join(',')
+      end
+    end
+
+    USCoreTestKit::USCoreV400::USCoreTestSuite.groups.each do |group|
+      test_group = group.ancestors[1]
+      id = test_group.id
+
+      group_config = {}
+      if test_group.respond_to?(:metadata) && test_group.metadata.delayed?
+        test_group.children.reject! { |child| child.include? USCoreTestKit::SearchTest }
+        group_config[:options] = { read_all_resources: true }
+      end
+
+      group(from: id, exclude_optional: true, config: group_config)
+    end
+  end
+end

data/lib/onc_certification_g10_test_kit/smart_ehr_practitioner_app_group.rb

@@ -32,6 +32,11 @@ module ONCCertificationG10TestKit
       resource is read using the new access token to ensure that the refresh was
       successful. Finally, the authentication information provided by OpenID
       Connect is decoded and validated.
+
+      For EHRs that use Internet Explorer 11 to display embedded apps,
+      please review [instructions on how to complete the EHR Practitioner App
+      test](https://github.com/onc-healthit/onc-certification-g10-test-kit/wiki/Completing-EHR-Practitioner-App-test-in-Internet-Explorer/).
+
     )
     id :g10_smart_ehr_practitioner_app
     run_as_group

data/lib/onc_certification_g10_test_kit/smart_limited_app_group.rb

@@ -8,11 +8,14 @@ module ONCCertificationG10TestKit
     short_title 'Limited Access App'
 
     input_instructions %(
-      The purpose of this test is to demonstrate that users can restrict access
-      granted to apps to a limited number of resources. Enter which resources the
-      user will grant access to below, and during the launch process only grant
-      access to those resources. Inferno will verify that access granted matches
-      these expectations.
+      The purpose of this test is to demonstrate that app users can restrict
+      access granted to apps to a limited number of resources. Enter which
+      resources the user will grant access to below, and during the launch
+      process only grant access to those resources. Inferno will verify that
+      access granted matches these expectations.
+
+      All other inputs are locked to ensure the same app configuration as in the
+      Standalone Patient App - Full Access test.
     )
 
     description %(
@@ -20,13 +23,15 @@ module ONCCertificationG10TestKit
       Launch to a [SMART on FHIR](http://hl7.org/fhir/smart-app-launch/1.0.0/)
       confidential client with limited access granted to the app based on user
       input. The tester is expected to grant the application access to a subset
-      of desired resource types.
+      of desired resource types.  The launch is performed using the same app
+      configuration as in the Standalone Patient App test, demonstrating that
+      the user is control over what scopes are granted to the app as required in
+      the (g)(10) Standardized API criterion.
     )
     id :g10_smart_limited_app
     run_as_group
 
     input_order :expected_resources,
-                :limited_requested_scopes,
                 :use_pkce,
                 :pkce_code_challenge_method,
                 :url,
@@ -45,16 +50,25 @@ module ONCCertificationG10TestKit
         allows an app, like Inferno, to be launched independent of an
         existing EHR session. It is one of the two launch methods described in
         the SMART App Launch Framework alongside EHR Launch. The app will
-        request authorization for the provided scope from the authorization
-        endpoint, ultimately receiving an authorization token which can be used
-        to gain access to resources on the FHIR server.
+        request authorization for the provided scope(s) from the authorization
+        endpoint, and the user of the app will choose to either grant
+        the app access to the requested scope(s), or to deny one or all of the requested
+        scope(s).
+
+        This test verifies the ability of a server to provide a user
+        with the choice of which scopes to grant an app.  Allowing users to choose
+        which resource types to grant access to is a requirement of the ONC
+        (g)(10) certification criteria.  Prior to the test, the tester specifies
+        which resource types will be granted, and then during the authorization
+        process the tester grants access to those scopes.
 
         # Test Methodology
 
-        Inferno will redirect the user to the the authorization endpoint so that
+        Inferno will redirect the user to the authorization endpoint so that
         they may provide any required credentials and authorize the application.
         Upon successful authorization, Inferno will exchange the authorization
-        code provided for an access token.
+        code provided for an access token. Inferno verifies that the server only
+        grants access to the resources specified by the user.
 
         For more information on the #{title}:
 
@@ -65,16 +79,15 @@ module ONCCertificationG10TestKit
       config(
         inputs: {
           client_id: { locked: true },
-          client_secret: { locked: true },
+          client_secret: { locked: true, optional: false },
           url: { locked: true },
+          requested_scopes: { locked: true },
+          use_pkce: { locked: true },
+          pkce_code_challenge_method: { locked: true },
           code: { name: :limited_code },
           state: { name: :limited_state },
           patient_id: { name: :limited_patient_id },
           access_token: { name: :limited_access_token },
-          requested_scopes: {
-            name: :limited_requested_scopes,
-            title: 'Limited Access Scope'
-          },
           # TODO: separate standalone/ehr discovery outputs
           smart_authorization_url: { locked: true, title: 'SMART Authorization Url' },
           smart_token_url: { locked: true, title: 'SMART Token Url' },
@@ -98,6 +111,31 @@ module ONCCertificationG10TestKit
         requests: {
           redirect: { name: :limited_redirect },
           token: { name: :limited_token }
+        },
+        options: {
+          ignore_missing_scopes_check: true,
+          redirect_message_proc: lambda do |auth_url|
+            expected_resource_string =
+              expected_resources
+                .split(',')
+                .map(&:strip)
+                .map { |resource_type| "* #{resource_type}\n" }
+                .join
+
+            <<~MESSAGE
+              ### #{self.class.parent.parent.title}
+
+              [Follow this link to authorize with the SMART
+              server](#{auth_url}).
+
+              Tests will resume once Inferno receives a request at
+              `#{config.options[:redirect_uri]}` with a state of `#{state}`.
+
+              Access should only be granted to the following resources:
+
+              #{expected_resource_string}
+            MESSAGE
+          end
         }
       )
 
@@ -117,7 +155,6 @@ module ONCCertificationG10TestKit
       test from: :g10_limited_scope_grant do
         config(
           inputs: {
-            requested_scopes: { name: :limited_requested_scopes },
             received_scopes: { name: :limited_received_scopes }
           }
         )
@@ -128,7 +165,6 @@ module ONCCertificationG10TestKit
           config: {
             inputs: {
               patient_id: { name: :limited_patient_id },
-              requested_scopes: { name: :limited_requested_scopes },
               received_scopes: { name: :limited_received_scopes },
               smart_credentials: { name: :limited_smart_credentials }
             }

data/lib/onc_certification_g10_test_kit/version.rb

@@ -1,3 +1,3 @@
 module ONCCertificationG10TestKit
-  VERSION = '2.2.2'.freeze
+  VERSION = '2.3.0'.freeze
 end

data/lib/onc_certification_g10_test_kit.rb

@@ -1,17 +1,24 @@
+require_relative 'onc_certification_g10_test_kit/feature'
+
 require 'smart_app_launch/smart_stu1_suite'
 require 'us_core_test_kit/generated/v3.1.1/us_core_test_suite'
+require 'us_core_test_kit/generated/v4.0.0/us_core_test_suite' if ONCCertificationG10TestKit::Feature.us_core_v4?
 
 require_relative 'onc_certification_g10_test_kit/configuration_checker'
 require_relative 'onc_certification_g10_test_kit/version'
 
 require_relative 'onc_certification_g10_test_kit/single_patient_api_group'
+if ONCCertificationG10TestKit::Feature.us_core_v4?
+  require_relative 'onc_certification_g10_test_kit/single_patient_us_core_4_api_group'
+end
 require_relative 'onc_certification_g10_test_kit/smart_app_launch_invalid_aud_group'
 require_relative 'onc_certification_g10_test_kit/smart_invalid_token_group'
 require_relative 'onc_certification_g10_test_kit/smart_limited_app_group'
 require_relative 'onc_certification_g10_test_kit/smart_standalone_patient_app_group'
 require_relative 'onc_certification_g10_test_kit/smart_ehr_practitioner_app_group'
 require_relative 'onc_certification_g10_test_kit/smart_public_standalone_launch_group'
-require_relative 'onc_certification_g10_test_kit/multi_patient_api'
+require_relative 'onc_certification_g10_test_kit/multi_patient_api_stu1'
+require_relative 'onc_certification_g10_test_kit/multi_patient_api_stu2'
 require_relative 'onc_certification_g10_test_kit/terminology_binding_validator'
 require_relative 'onc_certification_g10_test_kit/token_revocation_group'
 require_relative 'onc_certification_g10_test_kit/visual_inspection_and_attestations_group'
@@ -25,6 +32,20 @@ module ONCCertificationG10TestKit
     short_title '(g)(10) Standardized API'
     version VERSION
     id :g10_certification
+    links [
+      {
+        label: 'Report Issue',
+        url: 'https://github.com/onc-healthit/onc-certification-g10-test-kit/issues/'
+      },
+      {
+        label: 'Open Source',
+        url: 'https://github.com/onc-healthit/onc-certification-g10-test-kit/'
+      },
+      {
+        label: 'Download',
+        url: 'https://github.com/onc-healthit/onc-certification-g10-test-kit/releases'
+      }
+    ]
 
     check_configuration do
       ConfigurationChecker.new.configuration_messages
@@ -73,9 +94,11 @@ module ONCCertificationG10TestKit
     end
 
     def self.jwks_json
-      bulk_data_jwks = JSON.parse(
-        File.read(File.join(__dir__, 'onc_certification_g10_test_kit', 'bulk_data_jwks.json'))
-      )
+      bulk_data_jwks = JSON.parse(File.read(
+                                    ENV.fetch('G10_BULK_DATA_JWKS',
+                                              File.join(__dir__, 'onc_certification_g10_test_kit',
+                                                        'bulk_data_jwks.json'))
+                                  ))
       @jwks_json ||= JSON.pretty_generate(
         { keys: bulk_data_jwks['keys'].select { |key| key['key_ops']&.include?('verify') } }
       )
@@ -91,6 +114,36 @@ module ONCCertificationG10TestKit
       well_known_route_handler
     )
 
+    if Feature.us_core_v4?
+      suite_option :us_core_version,
+                   title: 'US Core Version',
+                   list_options: [
+                     {
+                       label: 'US Core 3.1.1',
+                       value: 'us_core_3'
+                     },
+                     {
+                       label: 'US Core 4.0.0',
+                       value: 'us_core_4'
+                     }
+                   ]
+    end
+
+    if Feature.bulk_data_v2?
+      suite_option :multi_patient_version,
+                   title: 'Multi-Patient Authorization and API Version',
+                   list_options: [
+                     {
+                       label: 'Multi-Patient Authorization and API STU1',
+                       value: 'multi_patient_api_stu1'
+                     },
+                     {
+                       label: 'Multi-Patient Authorization and API STU2',
+                       value: 'multi_patient_api_stu2'
+                     }
+                   ]
+    end
+
     description %(
       The ONC Certification (g)(10) Standardized API Test Kit is a testing tool for
       Health Level 7 (HL7®) Fast Healthcare Interoperability Resources (FHIR®)
@@ -135,12 +188,27 @@ module ONCCertificationG10TestKit
 
     group from: 'g10_smart_ehr_practitioner_app'
 
-    group from: 'g10_single_patient_api'
+    group from: 'g10_single_patient_api' do
+      required_suite_options us_core_version: 'us_core_3' if Feature.us_core_v4?
+    end
 
-    group from: 'multi_patient_api'
+    if Feature.us_core_v4?
+      group from: 'g10_single_patient_us_core_4_api',
+            required_suite_options: { us_core_version: 'us_core_4' }
+    end
+
+    group from: 'multi_patient_api' do
+      required_suite_options multi_patient_version: 'multi_patient_api_stu1' if Feature.bulk_data_v2?
+    end
+
+    if Feature.bulk_data_v2?
+      group from: 'multi_patient_api_stu2',
+            required_suite_options: { multi_patient_version: 'multi_patient_api_stu2' }
+    end
 
     group do
       title 'Additional Tests'
+      id 'Group06'
       description %(
         Not all requirements that need to be tested fit within the previous
         scenarios. The tests contained in this section addresses remaining
@@ -149,6 +217,22 @@ module ONCCertificationG10TestKit
         may require special setup on the part of the tester.
       )
 
+      config(
+        options: {
+          redirect_message_proc: lambda do |auth_url|
+            %(
+              ### #{self.class.parent.title}
+
+              [Follow this link to authorize with the SMART
+              server](#{auth_url}).
+
+              Tests will resume once Inferno receives a request at
+              `#{config.options[:redirect_uri]}` with a state of `#{state}`.
+            )
+          end
+        }
+      )
+
       group from: :g10_public_standalone_launch
       group from: :g10_token_revocation
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: onc_certification_g10_test_kit
 version: !ruby/object:Gem::Version
-  version: 2.2.2
+  version: 2.3.0
 platform: ruby
 authors:
 - Stephen MacVicar
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-07-11 00:00:00.000000000 Z
+date: 2022-08-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bloomer
@@ -42,16 +42,16 @@ dependencies:
   name: inferno_core
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 0.2.0
+        version: 0.3.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 0.2.0
+        version: 0.3.7
 - !ruby/object:Gem::Dependency
   name: json-jwt
   requirement: !ruby/object:Gem::Requirement
@@ -114,14 +114,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.1.4
+        version: 0.1.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.1.4
+        version: 0.1.5
 - !ruby/object:Gem::Dependency
   name: tls_test_kit
   requirement: !ruby/object:Gem::Requirement
@@ -142,14 +142,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.2.4
+        version: 0.2.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.2.4
+        version: 0.2.5
 - !ruby/object:Gem::Dependency
   name: database_cleaner-sequel
   requirement: !ruby/object:Gem::Requirement
@@ -249,12 +249,14 @@ files:
 - lib/onc_certification_g10_test_kit/authorization_request_builder.rb
 - lib/onc_certification_g10_test_kit/base_token_refresh_group.rb
 - lib/onc_certification_g10_test_kit/bulk_data_authorization.rb
-- lib/onc_certification_g10_test_kit/bulk_data_group_export.rb
+- lib/onc_certification_g10_test_kit/bulk_data_group_export_stu1.rb
+- lib/onc_certification_g10_test_kit/bulk_data_group_export_stu2.rb
 - lib/onc_certification_g10_test_kit/bulk_data_group_export_validation.rb
 - lib/onc_certification_g10_test_kit/bulk_data_jwks.json
 - lib/onc_certification_g10_test_kit/bulk_export_validation_tester.rb
 - lib/onc_certification_g10_test_kit/configuration_checker.rb
 - lib/onc_certification_g10_test_kit/export_kick_off_performer.rb
+- lib/onc_certification_g10_test_kit/feature.rb
 - lib/onc_certification_g10_test_kit/igs/StructureDefinition-bodyheight.json
 - lib/onc_certification_g10_test_kit/igs/StructureDefinition-bodytemp.json
 - lib/onc_certification_g10_test_kit/igs/StructureDefinition-bodyweight.json
@@ -262,7 +264,8 @@ files:
 - lib/onc_certification_g10_test_kit/igs/StructureDefinition-heartrate.json
 - lib/onc_certification_g10_test_kit/igs/StructureDefinition-resprate.json
 - lib/onc_certification_g10_test_kit/limited_scope_grant_test.rb
-- lib/onc_certification_g10_test_kit/multi_patient_api.rb
+- lib/onc_certification_g10_test_kit/multi_patient_api_stu1.rb
+- lib/onc_certification_g10_test_kit/multi_patient_api_stu2.rb
 - lib/onc_certification_g10_test_kit/onc_program_procedure.yml
 - lib/onc_certification_g10_test_kit/patient_context_test.rb
 - lib/onc_certification_g10_test_kit/profile_guesser.rb
@@ -270,6 +273,7 @@ files:
 - lib/onc_certification_g10_test_kit/restricted_access_test.rb
 - lib/onc_certification_g10_test_kit/restricted_resource_type_access_group.rb
 - lib/onc_certification_g10_test_kit/single_patient_api_group.rb
+- lib/onc_certification_g10_test_kit/single_patient_us_core_4_api_group.rb
 - lib/onc_certification_g10_test_kit/smart_app_launch_invalid_aud_group.rb
 - lib/onc_certification_g10_test_kit/smart_ehr_practitioner_app_group.rb
 - lib/onc_certification_g10_test_kit/smart_invalid_token_group.rb
@@ -292,7 +296,7 @@ licenses:
 metadata:
   homepage_uri: https://github.com/inferno_framework/onc-certification-g10-test-kit
   source_code_uri: https://github.com/inferno_framework/onc-certification-g10-test-kit
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -308,7 +312,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.1.6
-signing_key:
+signing_key: 
 specification_version: 4
 summary: ONC Certification (g)(10) Test Kit
 test_files: []