onc_certification_g10_test_kit 2.3.0 → 3.0.0

data/lib/onc_certification_g10_test_kit/smart_invalid_token_group_stu2.rb

@@ -0,0 +1,211 @@
+module ONCCertificationG10TestKit
+  class SMARTInvalidTokenGroupSTU2 < Inferno::TestGroup
+    title 'SMART App Launch Error: Invalid Access Token Request'
+    short_title 'SMART Invalid Token Request'
+    input_instructions %(
+      Register Inferno as a standalone application using the following information:
+
+      * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
+    )
+    description %(
+      # Background
+
+      The Invalid Access Token Request Sequence verifies that a SMART Launch
+      Sequence, specifically the [Standalone
+      Launch](http://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#launch-app-standalone-launch)
+      Sequence, does not work in the case where the client sends an invalid
+      Authorization code or client ID during the code exchange step. This must
+      not result in a successful launch.
+
+      This test is not included as part of a regular SMART Launch Sequence
+      because some servers may not accept an authorization code after it has
+      been used unsuccessfully in this manner.
+    )
+    id :g10_smart_invalid_token_request_stu2
+    run_as_group
+
+    input :use_pkce,
+          title: 'Proof Key for Code Exchange (PKCE)',
+          type: 'radio',
+          default: 'true',
+          locked: true,
+          options: {
+            list_options: [
+              {
+                label: 'Enabled',
+                value: 'true'
+              },
+              {
+                label: 'Disabled',
+                value: 'false'
+              }
+            ]
+          }
+    input :pkce_code_challenge_method,
+          optional: true,
+          title: 'PKCE Code Challenge Method',
+          type: 'radio',
+          default: 'S256',
+          locked: true,
+          options: {
+            list_options: [
+              {
+                label: 'S256',
+                value: 'S256'
+              },
+              {
+                label: 'Plain',
+                value: 'plain'
+              }
+            ]
+          }
+
+    input_order :url,
+                :standalone_client_id,
+                :standalone_client_secret,
+                :standalone_requested_scopes,
+                :use_pkce,
+                :pkce_code_challenge_method,
+                :smart_authorization_url,
+                :smart_token_url
+
+    config(
+      inputs: {
+        client_id: {
+          name: :standalone_client_id,
+          title: 'Standalone Client ID',
+          description: 'Client ID provided during registration of Inferno as a standalone application'
+        },
+        client_secret: {
+          name: :standalone_client_secret,
+          title: 'Standalone Client Secret',
+          description: 'Client Secret provided during registration of Inferno as a standalone application'
+        },
+        requested_scopes: {
+          name: :standalone_requested_scopes,
+          title: 'Standalone Scope',
+          description: 'OAuth 2.0 scope provided by system to enable all required functionality',
+          type: 'textarea',
+          default: %(
+            launch/patient openid fhirUser offline_access
+            patient/Medication.read patient/AllergyIntolerance.read
+            patient/CarePlan.read patient/CareTeam.read patient/Condition.read
+            patient/Device.read patient/DiagnosticReport.read
+            patient/DocumentReference.read patient/Encounter.read
+            patient/Goal.read patient/Immunization.read patient/Location.read
+            patient/MedicationRequest.read patient/Observation.read
+            patient/Organization.read patient/Patient.read
+            patient/Practitioner.read patient/Procedure.read
+            patient/Provenance.read patient/PractitionerRole.read
+          ).gsub(/\s{2,}/, ' ').strip
+        },
+        url: {
+          title: 'Standalone FHIR Endpoint',
+          description: 'URL of the FHIR endpoint used by standalone applications'
+        },
+        code: {
+          name: :invalid_token_code
+        },
+        state: {
+          name: :invalid_token_state
+        },
+        smart_authorization_url: {
+          title: 'OAuth 2.0 Authorize Endpoint',
+          description: 'OAuth 2.0 Authorize Endpoint provided during the patient standalone launch'
+        },
+        smart_token_url: {
+          title: 'OAuth 2.0 Token Endpoint',
+          description: 'OAuth 2.0 Token Endpoint provided during the patient standalone launch'
+        },
+        pkce_code_verifier: {
+          name: :invalid_token_pkce_code_verifier
+        }
+      },
+      outputs: {
+        code: { name: :invalid_token_code },
+        state: { name: :invalid_token_state },
+        expires_in: { name: :invalid_token_expires_in },
+        pkce_code_verifier: { name: :invalid_token_pkce_code_verifier }
+      },
+      requests: {
+        redirect: { name: :invalid_token_redirect },
+        token: { name: :invalid_token_token }
+      }
+    )
+
+    test from: :smart_app_redirect_stu2
+    test from: :smart_code_received
+
+    test do
+      title ' OAuth token exchange fails when supplied invalid code'
+      description %(
+        If the request failed verification or is invalid, the authorization
+        server returns an error response.
+      )
+      uses_request :redirect
+
+      input :use_pkce, :pkce_code_verifier, :client_id, :client_secret, :smart_token_url
+
+      run do
+        skip_if request.query_parameters['error'].present?, 'Error during authorization request'
+
+        oauth2_params = {
+          grant_type: 'authorization_code',
+          code: 'BAD_CODE',
+          redirect_uri: config.options[:redirect_uri]
+        }
+        oauth2_headers = { 'Content-Type' => 'application/x-www-form-urlencoded' }
+
+        if client_secret.present?
+          client_credentials = "#{client_id}:#{client_secret}"
+          oauth2_headers['Authorization'] = "Basic #{Base64.strict_encode64(client_credentials)}"
+        else
+          oauth2_params[:client_id] = client_id
+        end
+
+        oauth2_params[:code_verifier] = pkce_code_verifier if use_pkce == 'true'
+
+        post(smart_token_url, body: oauth2_params, name: :token, headers: oauth2_headers)
+
+        assert_response_status(400)
+      end
+    end
+
+    test do
+      title 'OAuth token exchange fails when supplied invalid client ID'
+      description %(
+        If the request failed verification or is invalid, the authorization
+        server returns an error response.
+      )
+      uses_request :redirect
+
+      input :use_pkce, :pkce_code_verifier, :code, :smart_token_url, :client_secret
+
+      run do
+        skip_if request.query_parameters['error'].present?, 'Error during authorization request'
+
+        client_id = 'BAD_CLIENT_ID'
+
+        oauth2_params = {
+          grant_type: 'authorization_code',
+          code: code,
+          redirect_uri: config.options[:redirect_uri]
+        }
+        oauth2_headers = { 'Content-Type' => 'application/x-www-form-urlencoded' }
+
+        if client_secret.present?
+          client_credentials = "#{client_id}:#{client_secret}"
+          oauth2_headers['Authorization'] = "Basic #{Base64.strict_encode64(client_credentials)}"
+        else
+          oauth2_params[:client_id] = client_id
+        end
+
+        oauth2_params[:code_verifier] = pkce_code_verifier if use_pkce == 'true'
+
+        post(smart_token_url, body: oauth2_params, name: :token, headers: oauth2_headers)
+
+        assert_response_status([400, 401])
+      end
+    end
+  end
+end

data/lib/onc_certification_g10_test_kit/smart_limited_app_group.rb

@@ -20,13 +20,17 @@ module ONCCertificationG10TestKit
 
     description %(
       This scenario demonstrates the ability to perform a Patient Standalone
-      Launch to a [SMART on FHIR](http://hl7.org/fhir/smart-app-launch/1.0.0/)
-      confidential client with limited access granted to the app based on user
-      input. The tester is expected to grant the application access to a subset
-      of desired resource types.  The launch is performed using the same app
-      configuration as in the Standalone Patient App test, demonstrating that
-      the user is control over what scopes are granted to the app as required in
-      the (g)(10) Standardized API criterion.
+      Launch to a SMART on FHIR confidential client with limited access granted
+      to the app based on user input. The tester is expected to grant the
+      application access to a subset of desired resource types. The launch is
+      performed using the same app configuration as in the Standalone Patient
+      App test, demonstrating that the user is control over what scopes are
+      granted to the app as required in the (g)(10) Standardized API criterion.
+
+      * [SMART on FHIR
+        (STU1)](http://www.hl7.org/fhir/smart-app-launch/1.0.0/)
+      * [SMART on FHIR
+        (STU2)](http://hl7.org/fhir/smart-app-launch/STU2)
     )
     id :g10_smart_limited_app
     run_as_group
@@ -76,14 +80,14 @@ module ONCCertificationG10TestKit
           Sequence](http://hl7.org/fhir/smart-app-launch/1.0.0/index.html#standalone-launch-sequence)
       )
 
+      required_suite_options smart_app_launch_version: 'smart_app_launch_1'
+
       config(
         inputs: {
           client_id: { locked: true },
           client_secret: { locked: true, optional: false },
           url: { locked: true },
           requested_scopes: { locked: true },
-          use_pkce: { locked: true },
-          pkce_code_challenge_method: { locked: true },
           code: { name: :limited_code },
           state: { name: :limited_state },
           patient_id: { name: :limited_patient_id },
@@ -161,6 +165,128 @@ module ONCCertificationG10TestKit
       end
     end
 
+    group from: :smart_standalone_launch_stu2,
+          config: {
+            inputs: {
+              use_pkce: {
+                default: 'true',
+                locked: true
+              },
+              pkce_code_challenge_method: {
+                locked: true
+              }
+            }
+          } do
+      title 'Standalone Launch With Limited Scope'
+      description %(
+        # Background
+
+        The [Standalone
+        Launch Sequence](http://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#launch-app-standalone-launch)
+        allows an app, like Inferno, to be launched independent of an
+        existing EHR session. It is one of the two launch methods described in
+        the SMART App Launch Framework alongside EHR Launch. The app will
+        request authorization for the provided scope from the authorization
+        endpoint, ultimately receiving an authorization token which can be used
+        to gain access to resources on the FHIR server.
+
+        # Test Methodology
+
+        Inferno will redirect the user to the the authorization endpoint so that
+        they may provide any required credentials and authorize the application.
+        Upon successful authorization, Inferno will exchange the authorization
+        code provided for an access token.
+
+        For more information on the #{title}:
+
+        * [Standalone Launch
+          Sequence](http://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#launch-app-standalone-launch)
+      )
+
+      required_suite_options smart_app_launch_version: 'smart_app_launch_2'
+
+      config(
+        inputs: {
+          client_id: { locked: true },
+          client_secret: { locked: true },
+          url: { locked: true },
+          requested_scopes: { locked: true },
+          code: { name: :limited_code },
+          state: { name: :limited_state },
+          patient_id: { name: :limited_patient_id },
+          access_token: { name: :limited_access_token },
+          # TODO: separate standalone/ehr discovery outputs
+          smart_authorization_url: { locked: true, title: 'SMART Authorization Url' },
+          smart_token_url: { locked: true, title: 'SMART Token Url' },
+          received_scopes: { name: :limited_received_scopes },
+          smart_credentials: { name: :limited_smart_credentials }
+        },
+        outputs: {
+          code: { name: :limited_code },
+          token_retrieval_time: { name: :limited_token_retrieval_time },
+          state: { name: :limited_state },
+          id_token: { name: :limited_id_token },
+          refresh_token: { name: :limited_refresh_token },
+          access_token: { name: :limited_access_token },
+          expires_in: { name: :limited_expires_in },
+          patient_id: { name: :limited_patient_id },
+          encounter_id: { name: :limited_encounter_id },
+          received_scopes: { name: :limited_received_scopes },
+          intent: { name: :limited_intent },
+          smart_credentials: { name: :limited_smart_credentials }
+        },
+        requests: {
+          redirect: { name: :limited_redirect },
+          token: { name: :limited_token }
+        },
+        options: {
+          redirect_message_proc: lambda do |auth_url|
+            expected_resource_string =
+              expected_resources
+                .split(',')
+                .map(&:strip)
+                .map { |resource_type| "* #{resource_type}\n" }
+                .join
+
+            <<~MESSAGE
+              ### #{self.class.parent.parent.title}
+
+              [Follow this link to authorize with the SMART
+              server](#{auth_url}).
+
+              Tests will resume once Inferno receives a request at
+              `#{config.options[:redirect_uri]}` with a state of `#{state}`.
+
+              Access should only be granted to the following resources:
+
+              #{expected_resource_string}
+            MESSAGE
+          end
+        }
+      )
+
+      input :expected_resources,
+            title: 'Expected Resource Grant for Limited Access Launch',
+            description: 'The user will only grant access to the following resources during authorization.',
+            default: 'Patient, Condition, Observation'
+
+      test from: :g10_patient_context,
+           config: {
+             inputs: {
+               patient_id: { name: :limited_patient_id },
+               smart_credentials: { name: :limited_smart_credentials }
+             }
+           }
+
+      test from: :g10_limited_scope_grant do
+        config(
+          inputs: {
+            received_scopes: { name: :limited_received_scopes }
+          }
+        )
+      end
+    end
+
     group from: :g10_restricted_resource_type_access,
           config: {
             inputs: {

data/lib/onc_certification_g10_test_kit/smart_public_standalone_launch_group.rb

@@ -8,9 +8,9 @@ module ONCCertificationG10TestKit
       * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
 
       Enter in the appropriate scope to enable patient-level access to all
-      relevant resources. In addition, support for the OpenID Connect (openid
-      fhirUser), refresh tokens (offline_access), and patient context
-      (launch/patient) are required.
+      relevant resources. If using SMART v2, v2-style scopes must be used. In
+      addition, support for the OpenID Connect (openid fhirUser), refresh tokens
+      (offline_access), and patient context (launch/patient) are required.
     )
     description %(
       # Background
@@ -53,7 +53,19 @@ module ONCCertificationG10TestKit
         },
         requested_scopes: {
           name: :public_requested_scopes,
-          title: 'Public Launch Scope'
+          title: 'Public Launch Scope',
+          default: %(
+            launch/patient openid fhirUser offline_access
+            patient/Medication.read patient/AllergyIntolerance.read
+            patient/CarePlan.read patient/CareTeam.read patient/Condition.read
+            patient/Device.read patient/DiagnosticReport.read
+            patient/DocumentReference.read patient/Encounter.read
+            patient/Goal.read patient/Immunization.read patient/Location.read
+            patient/MedicationRequest.read patient/Observation.read
+            patient/Organization.read patient/Patient.read
+            patient/Practitioner.read patient/Procedure.read
+            patient/Provenance.read patient/PractitionerRole.read
+          ).gsub(/\s{2,}/, ' ').strip
         },
         url: {
           title: 'Public Launch FHIR Endpoint',

data/lib/onc_certification_g10_test_kit/smart_public_standalone_launch_group_stu2.rb

@@ -0,0 +1,130 @@
+module ONCCertificationG10TestKit
+  class SMARTPublicStandaloneLaunchGroupSTU2 < SMARTAppLaunch::StandaloneLaunchGroupSTU2
+    title 'Public Client Standalone Launch with OpenID Connect'
+    short_title 'SMART Public Client Launch'
+    input_instructions %(
+      Register Inferno as a standalone application using the following information:
+
+      * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
+
+      Enter in the appropriate scope to enable patient-level access to all
+      relevant resources. In addition, support for the OpenID Connect (openid
+      fhirUser), refresh tokens (offline_access), and patient context
+      (launch/patient) are required.
+    )
+    id :g10_public_standalone_launch_stu2
+    run_as_group
+
+    config(
+      inputs: {
+        client_id: {
+          name: :public_client_id,
+          title: 'Public Launch Client ID'
+        },
+        client_secret: {
+          name: :public_client_secret,
+          title: 'Public Launch Client Secret',
+          default: nil,
+          optional: true,
+          locked: true
+        },
+        requested_scopes: {
+          name: :public_requested_scopes,
+          title: 'Public Launch Scope',
+          default: %(
+            launch/patient openid fhirUser offline_access patient/Medication.rs
+            patient/AllergyIntolerance.rs patient/CarePlan.rs
+            patient/CareTeam.rs patient/Condition.rs patient/Device.rs
+            patient/DiagnosticReport.rs patient/DocumentReference.rs
+            patient/Encounter.rs patient/Goal.rs patient/Immunization.rs
+            patient/Location.rs patient/MedicationRequest.rs
+            patient/Observation.rs patient/Organization.rs patient/Patient.rs
+            patient/Practitioner.rs patient/Procedure.rs patient/Provenance.rs
+            patient/PractitionerRole.rs
+          ).gsub(/\s{2,}/, ' ').strip
+        },
+        url: {
+          title: 'Public Launch FHIR Endpoint',
+          description: 'URL of the FHIR endpoint used by standalone applications'
+        },
+        code: {
+          name: :public_code
+        },
+        state: {
+          name: :public_state
+        },
+        smart_authorization_url: {
+          title: 'OAuth 2.0 Authorize Endpoint',
+          description: 'OAuth 2.0 Authorize Endpoint provided during the patient standalone launch'
+        },
+        smart_token_url: {
+          title: 'OAuth 2.0 Token Endpoint',
+          description: 'OAuth 2.0 Token Endpoint provided during the patient standalone launch'
+        },
+        smart_credentials: {
+          name: :public_smart_credentials
+        },
+        use_pkce: {
+          default: 'true',
+          locked: true
+        },
+        pkce_code_challenge_method: {
+          locked: true
+        }
+      },
+      outputs: {
+        code: { name: :public_code },
+        token_retrieval_time: { name: :public_token_retrieval_time },
+        state: { name: :public_state },
+        id_token: { name: :public_id_token },
+        refresh_token: { name: :public_refresh_token },
+        access_token: { name: :public_access_token },
+        expires_in: { name: :public_expires_in },
+        patient_id: { name: :public_patient_id },
+        encounter_id: { name: :public_encounter_id },
+        received_scopes: { name: :public_received_scopes },
+        intent: { name: :public_intent },
+        smart_credentials: { name: :public_smart_credentials }
+      },
+      requests: {
+        redirect: { name: :public_redirect },
+        token: { name: :public_token }
+      }
+    )
+
+    input_order :url,
+                :public_client_id,
+                :public_client_secret,
+                :public_requested_scopes,
+                :use_pkce,
+                :pkce_code_challenge_method,
+                :smart_authorization_url,
+                :smart_token_url
+
+    test from: :g10_patient_context,
+         config: {
+           inputs: {
+             patient_id: { name: :public_patient_id },
+             smart_credentials: { name: :public_smart_credentials }
+           }
+         }
+
+    test do
+      title 'OAuth token exchange response contains OpenID Connect id_token'
+      description %(
+        This test requires that an OpenID Connect id_token is provided to
+        demonstrate authentication capabilies for public clients.
+      )
+      id :g10_public_launch_id_token
+
+      input :id_token,
+            name: :public_id_token,
+            locked: true,
+            optional: true
+
+      run do
+        assert id_token.present?, 'Token response did not provide an id_token as required.'
+      end
+    end
+  end
+end