onc_certification_g10_test_kit 2.3.0 → 3.0.0

data/lib/onc_certification_g10_test_kit/smart_ehr_practitioner_app_group.rb

@@ -2,6 +2,7 @@ require_relative 'base_token_refresh_group'
 require_relative 'smart_scopes_test'
 require_relative 'unauthorized_access_test'
 require_relative 'well_known_capabilities_test'
+require_relative 'encounter_context_test'
 
 module ONCCertificationG10TestKit
   class SmartEHRPractitionerAppGroup < Inferno::TestGroup
@@ -14,29 +15,35 @@ module ONCCertificationG10TestKit
       * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
 
       Enter in the appropriate scope to enable user-level access to all relevant
-      resources. In addition, support for the OpenID Connect (openid fhirUser),
-      refresh tokens (offline_access), and EHR context (launch) are required. This
-      test expects that the EHR will launch the application with a patient context.
+      resources. If using SMART v2, v2-style scopes must be used. In addition,
+      support for the OpenID Connect (openid fhirUser), refresh tokens
+      (offline_access), and EHR context (launch) are required. This test expects
+      that the EHR will launch the application with a patient context.
 
       After submit is pressed, Inferno will wait for the system under test to launch
       the application.
     )
 
     description %(
-      Demonstrate the ability to perform an EHR launch to a [SMART on
-      FHIR](https://hl7.org/fhir/smart-app-launch/1.0.0/) confidential client with
-      patient context, refresh token, and [OpenID Connect
-      (OIDC)](https://openid.net/specs/openid-connect-core-1_0.html) identity
-      token. After launch, a simple Patient resource read is performed on the
-      patient in context. The access token is then refreshed, and the Patient
-      resource is read using the new access token to ensure that the refresh was
-      successful. Finally, the authentication information provided by OpenID
-      Connect is decoded and validated.
+      Demonstrate the ability to perform an EHR launch to a SMART on FHIR
+      confidential client with patient context, refresh token, OpenID Connect
+      (OIDC) identity token, and (SMART v2 only) use the POST HTTP method for
+      code exchange. After launch, a simple Patient resource read is performed
+      on the patient in context. The access token is then refreshed, and the
+      Patient resource is read using the new access token to ensure that the
+      refresh was successful. Finally, the authentication information provided
+      by OpenID Connect is decoded and validated.
 
       For EHRs that use Internet Explorer 11 to display embedded apps,
       please review [instructions on how to complete the EHR Practitioner App
       test](https://github.com/onc-healthit/onc-certification-g10-test-kit/wiki/Completing-EHR-Practitioner-App-test-in-Internet-Explorer/).
 
+      * [SMART on FHIR
+        (STU1)](http://www.hl7.org/fhir/smart-app-launch/1.0.0/)
+      * [SMART on FHIR
+        (STU2)](http://hl7.org/fhir/smart-app-launch/STU2)
+      * [OpenID Connect
+        (OIDC)](https://openid.net/specs/openid-connect-core-1_0.html)
     )
     id :g10_smart_ehr_practitioner_app
     run_as_group
@@ -52,6 +59,8 @@ module ONCCertificationG10TestKit
     input_order :url, :ehr_client_id, :ehr_client_secret
 
     group from: :smart_discovery do
+      required_suite_options(smart_app_launch_version: 'smart_app_launch_1')
+
       test from: 'g10_smart_well_known_capabilities',
            config: {
              options: {
@@ -69,7 +78,32 @@ module ONCCertificationG10TestKit
            }
     end
 
+    group from: :smart_discovery_stu2 do
+      required_suite_options(smart_app_launch_version: 'smart_app_launch_2')
+
+      test from: 'g10_smart_well_known_capabilities',
+           config: {
+             options: {
+               required_capabilities: [
+                 'launch-ehr',
+                 'client-confidential-symmetric',
+                 'sso-openid-connect',
+                 'context-banner',
+                 'context-style',
+                 'context-ehr-patient',
+                 'permission-offline',
+                 'permission-user',
+                 'authorize-post',
+                 'permission-v1',
+                 'permission-v2'
+               ]
+             }
+           }
+    end
+
     group from: :smart_ehr_launch do
+      required_suite_options(smart_app_launch_version: 'smart_app_launch_1')
+
       title 'EHR Launch With Practitioner Scope'
       input :client_secret,
             name: :ehr_client_secret,
@@ -101,6 +135,9 @@ module ONCCertificationG10TestKit
           inputs: {
             requested_scopes: { name: :ehr_requested_scopes },
             received_scopes: { name: :ehr_received_scopes }
+          },
+          options: {
+            scope_version: :v1
           }
         )
 
@@ -108,7 +145,7 @@ module ONCCertificationG10TestKit
           ['openid', 'fhirUser', 'launch', 'offline_access']
         end
 
-        def scope_type
+        def required_scope_type
           'user'
         end
       end
@@ -128,6 +165,151 @@ module ONCCertificationG10TestKit
              }
            }
 
+      test from: :g10_encounter_context,
+           config: {
+             inputs: {
+               encounter_id: { name: :ehr_encounter_id },
+               access_token: { name: :ehr_access_token }
+             }
+           },
+           required_suite_options: { us_core_version: 'us_core_5' }
+
+      test do
+        title 'Launch context contains smart_style_url which links to valid JSON'
+        description %(
+          In order to mimic the style of the SMART host more closely, SMART apps
+          can check for the existence of this launch context parameter and
+          download the JSON file referenced by the URL value.
+        )
+        id :Test13
+        uses_request :token
+
+        run do
+          skip_if request.status != 200, 'No token response received'
+          assert_valid_json response[:body]
+
+          body = JSON.parse(response[:body])
+
+          assert body['smart_style_url'].present?,
+                 'Token response did not contain `smart_style_url`'
+
+          get(body['smart_style_url'])
+
+          assert_response_status(200)
+          assert_valid_json(response[:body])
+        end
+      end
+
+      test do
+        title 'Launch context contains need_patient_banner'
+        description %(
+          `need_patient_banner` is a boolean value indicating whether the app
+          was launched in a UX context where a patient banner is required (when
+          true) or not required (when false).
+        )
+        id :Test14
+        uses_request :token
+
+        run do
+          skip_if request.status != 200, 'No token response received'
+          assert_valid_json response[:body]
+
+          body = JSON.parse(response[:body])
+
+          assert body.key?('need_patient_banner'),
+                 'Token response did not contain `need_patient_banner`'
+        end
+      end
+    end
+
+    group from: :smart_ehr_launch_stu2,
+          config: {
+            inputs: {
+              use_pkce: {
+                default: 'true',
+                locked: true
+              },
+              pkce_code_challenge_method: {
+                locked: true
+              },
+              authorization_method: {
+                name: :ehr_authorization_method,
+                default: 'post',
+                locked: true
+              }
+            }
+          } do
+      required_suite_options(smart_app_launch_version: 'smart_app_launch_2')
+
+      title 'EHR Launch With Practitioner Scope'
+      input :client_secret,
+            name: :ehr_client_secret,
+            title: 'EHR Launch Client Secret',
+            description: 'Client Secret provided during registration of Inferno as an EHR launch application',
+            optional: false
+
+      config(
+        inputs: {
+          requested_scopes: {
+            default: %(
+              launch openid fhirUser offline_access user/Medication.rs
+              user/AllergyIntolerance.rs user/CarePlan.rs user/CareTeam.rs
+              user/Condition.rs user/Device.rs user/DiagnosticReport.rs
+              user/DocumentReference.rs user/Encounter.rs user/Goal.rs
+              user/Immunization.rs user/Location.rs user/MedicationRequest.rs
+              user/Observation.rs user/Organization.rs user/Patient.rs
+              user/Practitioner.rs user/Procedure.rs user/Provenance.rs
+              user/PractitionerRole.rs
+            ).gsub(/\s{2,}/, ' ').strip
+          }
+        }
+      )
+
+      test from: :g10_smart_scopes do
+        title 'User-level access with OpenID Connect and Refresh Token scopes used.'
+        config(
+          inputs: {
+            requested_scopes: { name: :ehr_requested_scopes },
+            received_scopes: { name: :ehr_received_scopes }
+          },
+          options: {
+            scope_version: :v2
+          }
+        )
+
+        def required_scopes
+          ['openid', 'fhirUser', 'launch', 'offline_access']
+        end
+
+        def required_scope_type
+          'user'
+        end
+      end
+
+      test from: :g10_unauthorized_access,
+           config: {
+             inputs: {
+               patient_id: { name: :ehr_patient_id }
+             }
+           }
+
+      test from: :g10_patient_context,
+           config: {
+             inputs: {
+               patient_id: { name: :ehr_patient_id },
+               access_token: { name: :ehr_access_token }
+             }
+           }
+
+      test from: :g10_encounter_context,
+           config: {
+             inputs: {
+               encounter_id: { name: :ehr_encounter_id },
+               access_token: { name: :ehr_access_token }
+             }
+           },
+           required_suite_options: { us_core_version: 'us_core_5' }
+
       test do
         title 'Launch context contains smart_style_url which links to valid JSON'
         description %(
@@ -136,6 +318,7 @@ module ONCCertificationG10TestKit
           download the JSON file referenced by the URL value.
         )
         uses_request :token
+        id :g10_smart_style_url
 
         run do
           skip_if request.status != 200, 'No token response received'
@@ -161,6 +344,7 @@ module ONCCertificationG10TestKit
           true) or not required (when false).
         )
         uses_request :token
+        id :g10_smart_need_patient_banner
 
         run do
           skip_if request.status != 200, 'No token response received'

data/lib/onc_certification_g10_test_kit/smart_invalid_pkce_group.rb

@@ -0,0 +1,310 @@
+module ONCCertificationG10TestKit
+  class InvalidSMARTTokenRequestTest < Inferno::Test
+    title 'OAuth token exchange fails when supplied invalid code_verifier'
+    description %(
+      If the request failed verification or is invalid, the authorization
+      server returns an error response.
+    )
+    uses_request :redirect
+    id :invalid_pkce_request
+
+    input :code, :use_pkce, :pkce_code_verifier, :client_id, :client_secret, :smart_token_url
+
+    def modify_oauth_params(oauth_params)
+      oauth_params
+    end
+
+    run do
+      skip_if request.query_parameters['error'].present?, 'Error during authorization request'
+
+      oauth2_params = {
+        grant_type: 'authorization_code',
+        code: code,
+        redirect_uri: config.options[:redirect_uri]
+      }
+
+      oauth2_headers = { 'Content-Type' => 'application/x-www-form-urlencoded' }
+
+      if client_secret.present?
+        client_credentials = "#{client_id}:#{client_secret}"
+        oauth2_headers['Authorization'] = "Basic #{Base64.strict_encode64(client_credentials)}"
+      else
+        oauth2_params[:client_id] = client_id
+      end
+
+      modify_oauth_params(oauth2_params)
+
+      post(smart_token_url, body: oauth2_params, name: :token, headers: oauth2_headers)
+
+      assert_response_status([400, 401])
+    end
+  end
+
+  class SMARTInvalidPKCEGroup < Inferno::TestGroup
+    title 'SMART App Launch Error: Invalid PKCE Code Verifier'
+    short_title 'SMART Invalid PKCE Code Verifier'
+    input_instructions %(
+      Register Inferno as a standalone application using the following information:
+
+      * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
+    )
+    description %(
+      # Background
+
+      The #{title} Group verifies that a SMART Launch Sequence, specifically the
+      [Standalone
+      Launch](http://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#launch-app-standalone-launch)
+      Sequence, verifies that servers properly support PKCE.  It does this by ensuring the launch fails
+      in the case where the client sends an invalid PKCE `code_verifier`.
+
+      This group performs four launches with various forms of an invalid `code_verifier`
+      (e.g. incorrect `code_verifier`, blank `code_identifier`) and verifies that these do
+      not result in a successful launch.  Testers can expect to be prompted four times
+      that a redirect will occur in this test.
+
+      This test is not included as part of the Single Patient App group
+      because there is no way for a client to infer that PKCE is supported on the server
+      properly without performing extra launches.  Attempting to verify this within the
+      same launch cannot be done because some servers may not accept an authorization code
+      after it has been used unsuccessfully in this manner.
+    )
+    id :g10_smart_invalid_pkce_code_verifier_group
+    run_as_group
+
+    input :use_pkce,
+          title: 'Proof Key for Code Exchange (PKCE)',
+          type: 'radio',
+          default: 'true',
+          locked: true,
+          options: {
+            list_options: [
+              {
+                label: 'Enabled',
+                value: 'true'
+              },
+              {
+                label: 'Disabled',
+                value: 'false'
+              }
+            ]
+          }
+    input :pkce_code_challenge_method,
+          optional: true,
+          title: 'PKCE Code Challenge Method',
+          type: 'radio',
+          default: 'S256',
+          locked: true,
+          options: {
+            list_options: [
+              {
+                label: 'S256',
+                value: 'S256'
+              },
+              {
+                label: 'Plain',
+                value: 'plain'
+              }
+            ]
+          }
+
+    input_order :url,
+                :standalone_client_id,
+                :standalone_client_secret,
+                :standalone_requested_scopes,
+                :use_pkce,
+                :pkce_code_challenge_method,
+                :smart_authorization_url,
+                :smart_token_url
+
+    config(
+      inputs: {
+        client_id: {
+          name: :standalone_client_id,
+          title: 'Standalone Client ID',
+          description: 'Client ID provided during registration of Inferno as a standalone application'
+        },
+        client_secret: {
+          name: :standalone_client_secret,
+          title: 'Standalone Client Secret',
+          description: 'Client Secret provided during registration of Inferno as a standalone application'
+        },
+        requested_scopes: {
+          name: :standalone_requested_scopes,
+          title: 'Standalone Scope',
+          description: 'OAuth 2.0 scope provided by system to enable all required functionality',
+          type: 'textarea',
+          default: %(
+            launch/patient openid fhirUser offline_access
+            patient/Medication.read patient/AllergyIntolerance.read
+            patient/CarePlan.read patient/CareTeam.read patient/Condition.read
+            patient/Device.read patient/DiagnosticReport.read
+            patient/DocumentReference.read patient/Encounter.read
+            patient/Goal.read patient/Immunization.read patient/Location.read
+            patient/MedicationRequest.read patient/Observation.read
+            patient/Organization.read patient/Patient.read
+            patient/Practitioner.read patient/Procedure.read
+            patient/Provenance.read patient/PractitionerRole.read
+          ).gsub(/\s{2,}/, ' ').strip
+        },
+        url: {
+          title: 'Standalone FHIR Endpoint',
+          description: 'URL of the FHIR endpoint used by standalone applications'
+        },
+        code: {
+          name: :invalid_token_code
+        },
+        state: {
+          name: :invalid_token_state
+        },
+        smart_authorization_url: {
+          title: 'OAuth 2.0 Authorize Endpoint',
+          description: 'OAuth 2.0 Authorize Endpoint provided during the patient standalone launch'
+        },
+        smart_token_url: {
+          title: 'OAuth 2.0 Token Endpoint',
+          description: 'OAuth 2.0 Token Endpoint provided during the patient standalone launch'
+        },
+        pkce_code_challenge: {
+          name: :invalid_token_pkce_code_challenge
+        },
+        pkce_code_verifier: {
+          name: :invalid_token_pkce_code_verifier
+        }
+      },
+      outputs: {
+        code: { name: :invalid_token_code },
+        state: { name: :invalid_token_state },
+        expires_in: { name: :invalid_token_expires_in },
+        pkce_code_challenge: { name: :invalid_token_pkce_code_challenge },
+        pkce_code_verifier: { name: :invalid_token_pkce_code_verifier }
+      },
+      requests: {
+        redirect: { name: :invalid_token_redirect },
+        token: { name: :invalid_token_token }
+      }
+    )
+
+    test from: :smart_app_redirect_stu2,
+         id: :smart_no_code_verifier_redirect,
+         config: {
+           options: {
+             redirect_message_proc: lambda do |auth_url|
+               %(
+                ### Invalid PKCE code_verifier 1/4
+
+                This launch does not provide a `code_verifier` and verifies the
+                server does not issue an access token.
+
+                [Follow this link to authorize with the SMART
+                server](#{auth_url}).
+
+                  Tests will resume once Inferno receives a request at
+                  `#{config.options[:redirect_uri]}` with a state of `#{state}`.
+               )
+             end
+           }
+         }
+    test from: :smart_code_received,
+         id: :smart_no_code_verifier_code_received
+    test from: :invalid_pkce_request do
+      title 'OAuth token exchange fails when no code_verifier is given'
+      id :smart_no_verifier_token_request
+    end
+
+    test from: :smart_app_redirect_stu2,
+         id: :smart_blank_code_verifier_redirect,
+         config: {
+           options: {
+             redirect_message_proc: lambda do |auth_url|
+               %(
+                ### Invalid PKCE code_verifier 2/4
+
+                This launch provides a blank `code_verifier` and verifies the
+                server does not issue an access token.
+
+                [Follow this link to authorize with the SMART
+                server](#{auth_url}).
+
+                  Tests will resume once Inferno receives a request at
+                  `#{config.options[:redirect_uri]}` with a state of `#{state}`.
+               )
+             end
+           }
+         }
+    test from: :smart_code_received,
+         id: :smart_blank_code_verifier_code_received
+    test from: :invalid_pkce_request do
+      title 'OAuth token exchange fails when code_verifier is blank'
+      id :smart_blank_verifier_token_request
+
+      def modify_oauth_params(oauth_params)
+        oauth_params.merge!(code_verifier: '')
+      end
+    end
+
+    test from: :smart_app_redirect_stu2,
+         id: :smart_bad_code_verifier_redirect,
+         config: {
+           options: {
+             redirect_message_proc: lambda do |auth_url|
+               %(
+                ### Invalid PKCE code_verifier 3/4
+
+                This launch provides an invalid `code_verifier` and verifies the
+                server does not issue an access token.
+
+                [Follow this link to authorize with the SMART
+                server](#{auth_url}).
+
+                  Tests will resume once Inferno receives a request at
+                  `#{config.options[:redirect_uri]}` with a state of `#{state}`.
+               )
+             end
+           }
+         }
+    test from: :smart_code_received,
+         id: :smart_bad_code_verifier_code_received
+    test from: :invalid_pkce_request do
+      title 'OAuth token exchange fails when code_verifier is incorrect'
+      id :smart_bad_code_verifier_token_request
+
+      def modify_oauth_params(oauth_params)
+        oauth_params.merge!(code_verifier: "#{SecureRandom.uuid}-#{SecureRandom.uuid}")
+      end
+    end
+
+    test from: :smart_app_redirect_stu2,
+         id: :smart_plain_code_verifier_redirect,
+         config: {
+           options: {
+             redirect_message_proc: lambda do |auth_url|
+               %(
+                ### Invalid PKCE code_verifier 4/4
+
+                This launch provides a `plain` `code_verifier` instead of one
+                encoded with `S256` and verifies the server does not issue an
+                access token.
+
+                [Follow this link to authorize with the SMART
+                server](#{auth_url}).
+
+                  Tests will resume once Inferno receives a request at
+                  `#{config.options[:redirect_uri]}` with a state of `#{state}`.
+               )
+             end
+           }
+         }
+    test from: :smart_code_received,
+         id: :smart_plain_code_verifier_code_received
+    test from: :invalid_pkce_request do
+      title 'OAuth token exchange fails when code_verifier matches code_challenge'
+      id :smart_plain_code_verifier_token_request
+
+      input :pkce_code_challenge
+
+      def modify_oauth_params(oauth_params)
+        oauth_params.merge!(code_verifier: pkce_code_challenge)
+      end
+    end
+  end
+end