onc_certification_g10_test_kit 2.3.0 → 3.0.0

data/lib/onc_certification_g10_test_kit/unrestricted_resource_type_access_group.rb

@@ -27,6 +27,8 @@ module ONCCertificationG10TestKit
         * Practitioner
         * Organization
 
+      If testing against USCDI v2, ServiceRequest is also checked.
+
       For each of the resource types that can be mapped to USCDI data class or
       elements, this set of tests performs a minimum number of requests to
       determine that the resource type can be accessed given the scope granted.
@@ -38,10 +40,22 @@ module ONCCertificationG10TestKit
       parameter.
 
       This set of tests does not attempt to access resources that do not
-      directly map to USCDI v1, including Encounter, Location, Organization, and
-      Practitioner. It also does not test Provenance, as this resource type is
-      accessed by queries through other resource types. These resources types
-      are accessed in the more comprehensive Single Patient Query tests.
+      directly map to USCDI. For USCDI v1 this includes:
+
+        * Encounter
+        * Location
+        * Organization
+        * Practitioner
+
+      For USCDI v2 this includes:
+
+        * Location
+        * Organization
+        * Practitioner
+
+      It also does not test Provenance, as this resource type is accessed by
+      queries through other resource types. These resources types are accessed
+      in the more comprehensive Single Patient Query tests.
 
       However, the authorization system must indicate that access is granted to
       the Encounter, Practitioner and Organization resource types by providing
@@ -58,6 +72,44 @@ module ONCCertificationG10TestKit
       oauth_credentials :smart_credentials
     end
 
+    ALL_RESOURCES =
+      [
+        'AllergyIntolerance',
+        'CarePlan',
+        'CareTeam',
+        'Condition',
+        'Device',
+        'DiagnosticReport',
+        'DocumentReference',
+        'Goal',
+        'Immunization',
+        'MedicationRequest',
+        'Observation',
+        'Procedure',
+        'Patient',
+        'Provenance',
+        'Encounter',
+        'Practitioner',
+        'Organization'
+      ].freeze
+
+    V5_ALL_RESOURCES = (ALL_RESOURCES + ['ServiceRequest']).freeze
+
+    NON_PATIENT_COMPARTMENT_RESOURCES =
+      [
+        'Encounter',
+        'Device',
+        'Location',
+        'Medication',
+        'Organization',
+        'Practitioner',
+        'PractitionerRole',
+        'RelatedPerson'
+      ].freeze
+
+    V5_NON_PATIENT_COMPARTMENT_RESOURCES =
+      (NON_PATIENT_COMPARTMENT_RESOURCES - ['Encounter'] + ['ServiceRequest']).freeze
+
     test do
       title 'Scope granted enables access to all US Core resource types.'
       description %(
@@ -66,52 +118,34 @@ module ONCCertificationG10TestKit
       )
 
       def all_resources
-        [
-          'AllergyIntolerance',
-          'CarePlan',
-          'CareTeam',
-          'Condition',
-          'Device',
-          'DiagnosticReport',
-          'DocumentReference',
-          'Goal',
-          'Immunization',
-          'MedicationRequest',
-          'Observation',
-          'Procedure',
-          'Patient',
-          'Provenance',
-          'Encounter',
-          'Practitioner',
-          'Organization'
-        ]
+        return V5_ALL_RESOURCES if suite_options[:us_core_version] == 'us_core_5'
+
+        ALL_RESOURCES
       end
 
       def non_patient_compartment_resources
-        [
-          'Encounter',
-          'Device',
-          'Location',
-          'Medication',
-          'Organization',
-          'Practitioner',
-          'PractitionerRole',
-          'RelatedPerson'
-        ]
+        return V5_NON_PATIENT_COMPARTMENT_RESOURCES if suite_options[:us_core_version] == 'us_core_5'
+
+        NON_PATIENT_COMPARTMENT_RESOURCES
       end
 
       def scope_granting_access?(resource_type)
-        received_scopes.split.find do |scope|
-          return true if non_patient_compartment_resources.include?(resource_type) &&
-                         ["user/#{resource_type}.read", "user/#{resource_type}.*"].include?(scope)
-
-          [
-            'patient/*.read',
-            'patient/*.*',
-            "patient/#{resource_type}.read",
-            "patient/#{resource_type}.*"
-          ].include?(scope)
-        end
+        possible_prefixes =
+          if non_patient_compartment_resources.include?(resource_type)
+            ["patient/#{resource_type}", 'patient/*', "user/#{resource_type}", 'user/*']
+          else
+            ["patient/#{resource_type}", 'patient/*']
+          end
+
+        received_scopes
+          .split
+          .select { |scope| scope.start_with?(*possible_prefixes) }
+          .any? do |scope|
+            _type, resource_access = scope.split('/')
+            _resource, access_level = resource_access.split('.')
+
+            access_level.match?(/\A(\*|read|c?ru?d?s?\b)/)
+          end
       end
 
       run do
@@ -141,13 +175,7 @@ module ONCCertificationG10TestKit
     test from: :g10_resource_access_test do
       title 'Access to Patient resources granted'
       description %(
-        This test ensures that access to the Patient is granted or
-        denied based on the selection by the tester prior to the execution of
-        the test. If the tester indicated that access will be granted to this
-        resource, this test verifies that a search by patient in this resource
-        does not result in an access denied result. If the tester indicated that
-        access will be denied for this resource, this verifies that search by
-        patient in the resource results in an access denied result.
+        This test ensures that access to the Patient is granted.
       )
       id :g10_patient_unrestricted_access
 
@@ -159,13 +187,7 @@ module ONCCertificationG10TestKit
     test from: :g10_resource_access_test do
       title 'Access to AllergyIntolerance resources granted'
       description %(
-        This test ensures that access to the AllergyIntolerance is granted or
-        denied based on the selection by the tester prior to the execution of
-        the test. If the tester indicated that access will be granted to this
-        resource, this test verifies that a search by patient in this resource
-        does not result in an access denied result. If the tester indicated that
-        access will be denied for this resource, this verifies that search by
-        patient in the resource results in an access denied result.
+        This test ensures that access to the AllergyIntolerance is granted.
       )
       id :g10_allergy_intolerance_unrestricted_access
 
@@ -177,13 +199,7 @@ module ONCCertificationG10TestKit
     test from: :g10_resource_access_test do
       title 'Access to CarePlan resources granted'
       description %(
-        This test ensures that access to the CarePlan is granted or
-        denied based on the selection by the tester prior to the execution of
-        the test. If the tester indicated that access will be granted to this
-        resource, this test verifies that a search by patient in this resource
-        does not result in an access denied result. If the tester indicated that
-        access will be denied for this resource, this verifies that search by
-        patient in the resource results in an access denied result.
+        This test ensures that access to the CarePlan is granted.
       )
       id :g10_care_plan_unrestricted_access
 
@@ -195,13 +211,7 @@ module ONCCertificationG10TestKit
     test from: :g10_resource_access_test do
       title 'Access to CareTeam resources granted'
       description %(
-        This test ensures that access to the CareTeam is granted or
-        denied based on the selection by the tester prior to the execution of
-        the test. If the tester indicated that access will be granted to this
-        resource, this test verifies that a search by patient in this resource
-        does not result in an access denied result. If the tester indicated that
-        access will be denied for this resource, this verifies that search by
-        patient in the resource results in an access denied result.
+        This test ensures that access to the CareTeam is granted.
       )
       id :g10_care_team_unrestricted_access
 
@@ -213,13 +223,7 @@ module ONCCertificationG10TestKit
     test from: :g10_resource_access_test do
       title 'Access to Condition resources granted'
       description %(
-        This test ensures that access to the Condition is granted or
-        denied based on the selection by the tester prior to the execution of
-        the test. If the tester indicated that access will be granted to this
-        resource, this test verifies that a search by patient in this resource
-        does not result in an access denied result. If the tester indicated that
-        access will be denied for this resource, this verifies that search by
-        patient in the resource results in an access denied result.
+        This test ensures that access to the Condition is granted.
       )
       id :g10_condition_unrestricted_access
 
@@ -231,13 +235,7 @@ module ONCCertificationG10TestKit
     test from: :g10_resource_access_test do
       title 'Access to Device resources granted'
       description %(
-        This test ensures that access to the Device is granted or
-        denied based on the selection by the tester prior to the execution of
-        the test. If the tester indicated that access will be granted to this
-        resource, this test verifies that a search by patient in this resource
-        does not result in an access denied result. If the tester indicated that
-        access will be denied for this resource, this verifies that search by
-        patient in the resource results in an access denied result.
+        This test ensures that access to the Device is granted.
       )
       id :g10_device_unrestricted_access
 
@@ -249,13 +247,7 @@ module ONCCertificationG10TestKit
     test from: :g10_resource_access_test do
       title 'Access to DiagnosticReport resources granted'
       description %(
-        This test ensures that access to the DiagnosticReport is granted or
-        denied based on the selection by the tester prior to the execution of
-        the test. If the tester indicated that access will be granted to this
-        resource, this test verifies that a search by patient in this resource
-        does not result in an access denied result. If the tester indicated that
-        access will be denied for this resource, this verifies that search by
-        patient in the resource results in an access denied result.
+        This test ensures that access to the DiagnosticReport is granted.
       )
       id :g10_diagnostic_report_unrestricted_access
 
@@ -267,13 +259,7 @@ module ONCCertificationG10TestKit
     test from: :g10_resource_access_test do
       title 'Access to DocumentReference resources granted'
       description %(
-        This test ensures that access to the DocumentReference is granted or
-        denied based on the selection by the tester prior to the execution of
-        the test. If the tester indicated that access will be granted to this
-        resource, this test verifies that a search by patient in this resource
-        does not result in an access denied result. If the tester indicated that
-        access will be denied for this resource, this verifies that search by
-        patient in the resource results in an access denied result.
+        This test ensures that access to the DocumentReference is granted.
       )
       id :g10_document_reference_unrestricted_access
 
@@ -285,13 +271,7 @@ module ONCCertificationG10TestKit
     test from: :g10_resource_access_test do
       title 'Access to Goal resources granted'
       description %(
-        This test ensures that access to the Goal is granted or
-        denied based on the selection by the tester prior to the execution of
-        the test. If the tester indicated that access will be granted to this
-        resource, this test verifies that a search by patient in this resource
-        does not result in an access denied result. If the tester indicated that
-        access will be denied for this resource, this verifies that search by
-        patient in the resource results in an access denied result.
+        This test ensures that access to the Goal is granted.
       )
       id :g10_goal_unrestricted_access
 
@@ -303,13 +283,7 @@ module ONCCertificationG10TestKit
     test from: :g10_resource_access_test do
       title 'Access to Immunization resources granted'
       description %(
-        This test ensures that access to the Immunization is granted or
-        denied based on the selection by the tester prior to the execution of
-        the test. If the tester indicated that access will be granted to this
-        resource, this test verifies that a search by patient in this resource
-        does not result in an access denied result. If the tester indicated that
-        access will be denied for this resource, this verifies that search by
-        patient in the resource results in an access denied result.
+        This test ensures that access to the Immunization is granted.
       )
       id :g10_immunization_unrestricted_access
 
@@ -321,13 +295,7 @@ module ONCCertificationG10TestKit
     test from: :g10_resource_access_test do
       title 'Access to MedicationRequest resources granted'
       description %(
-        This test ensures that access to the MedicationRequest is granted or
-        denied based on the selection by the tester prior to the execution of
-        the test. If the tester indicated that access will be granted to this
-        resource, this test verifies that a search by patient in this resource
-        does not result in an access denied result. If the tester indicated that
-        access will be denied for this resource, this verifies that search by
-        patient in the resource results in an access denied result.
+        This test ensures that access to the MedicationRequest is granted.
       )
       id :g10_medication_request_access
 
@@ -339,13 +307,7 @@ module ONCCertificationG10TestKit
     test from: :g10_resource_access_test do
       title 'Access to Observation resources granted'
       description %(
-        This test ensures that access to the Observation is granted or
-        denied based on the selection by the tester prior to the execution of
-        the test. If the tester indicated that access will be granted to this
-        resource, this test verifies that a search by patient in this resource
-        does not result in an access denied result. If the tester indicated that
-        access will be denied for this resource, this verifies that search by
-        patient in the resource results in an access denied result.
+        This test ensures that access to the Observation is granted.
       )
       id :g10_observation_unrestricted_access
 
@@ -357,13 +319,7 @@ module ONCCertificationG10TestKit
     test from: :g10_resource_access_test do
       title 'Access to Procedure resources granted'
       description %(
-        This test ensures that access to the Procedure is granted or
-        denied based on the selection by the tester prior to the execution of
-        the test. If the tester indicated that access will be granted to this
-        resource, this test verifies that a search by patient in this resource
-        does not result in an access denied result. If the tester indicated that
-        access will be denied for this resource, this verifies that search by
-        patient in the resource results in an access denied result.
+        This test ensures that access to the Procedure is granted.
       )
       id :g10_procedure_unrestricted_access
 
@@ -371,5 +327,33 @@ module ONCCertificationG10TestKit
         USCoreTestKit::USCoreV311::ProcedureGroup
       end
     end
+
+    test from: :g10_resource_access_test do
+      title 'Access to Encounter resources granted'
+      description %(
+        This test ensures that access to the Encounter is granted.
+      )
+      id :g10_encounter_unrestricted_access
+
+      required_suite_options us_core_version: 'us_core_5'
+
+      def resource_group
+        USCoreTestKit::USCoreV501::EncounterGroup
+      end
+    end
+
+    test from: :g10_resource_access_test do
+      title 'Access to ServiceRequest resources granted'
+      description %(
+        This test ensures that access to the ServiceRequest is granted.
+      )
+      id :g10_service_request_unrestricted_access
+
+      required_suite_options us_core_version: 'us_core_5'
+
+      def resource_group
+        USCoreTestKit::USCoreV501::ServiceRequestGroup
+      end
+    end
   end
 end

data/lib/onc_certification_g10_test_kit/version.rb

@@ -1,3 +1,3 @@
 module ONCCertificationG10TestKit
-  VERSION = '2.3.0'.freeze
+  VERSION = '3.0.0'.freeze
 end

data/lib/onc_certification_g10_test_kit/visual_inspection_and_attestations_group.rb

@@ -12,6 +12,7 @@ module ONCCertificationG10TestKit
         Health IT Module demonstrated support for application registration for
         single patients.
       )
+      id 'Test01'
       input :single_patient_registration_supported,
             title: 'Health IT Module demonstrated support for application registration for single patients.',
             type: 'radio',
@@ -46,6 +47,7 @@ module ONCCertificationG10TestKit
         Health IT Module demonstrated support for supports application
         registration for multiple patients.
       )
+      id 'Test02'
       input :multiple_patient_registration_supported,
             title: 'Health IT Module demonstrated support for application registration for multiple patients.',
             type: 'radio',
@@ -80,6 +82,7 @@ module ONCCertificationG10TestKit
         Health IT Module demonstrated a graphical user interface for user to
         authorize FHIR resources
       )
+      id 'Test03'
       input :resource_authorization_gui_supported,
             title: 'Health IT Module demonstrated a graphical user interface for user to authorize FHIR resources.',
             type: 'radio',
@@ -114,6 +117,7 @@ module ONCCertificationG10TestKit
         Health IT Module informed patient when "offline_access" scope is being
         granted during authorization.
       )
+      id 'Test04'
       input :offline_access_notification_supported,
             title: 'Health IT Module informed patient when "offline_access" scope is being granted during authorization.', # rubocop:disable Layout/LineLength
             type: 'radio',
@@ -150,6 +154,7 @@ module ONCCertificationG10TestKit
         Health IT Module attested that it is capable of issuing refresh tokens
         that are valid for a period of no shorter than three months.
       )
+      id 'Test05'
       input :refresh_token_period_attestation,
             title: 'Health IT Module attested that it is capable of issuing refresh tokens that are valid for a period of no shorter than three months.', # rubocop:disable Layout/LineLength
             type: 'radio',
@@ -186,6 +191,7 @@ module ONCCertificationG10TestKit
         Health IT developer demonstrated the ability of the Health IT Module /
         authorization server to validate token it has issued
       )
+      id 'Test06'
       input :token_validation_support,
             title: 'Health IT developer demonstrated the ability of the Health IT Module / authorization server to validate token it has issued.', # rubocop:disable Layout/LineLength
             type: 'radio',
@@ -220,6 +226,7 @@ module ONCCertificationG10TestKit
       description %(
         Tester verifies that all information is accurate and without omission.
       )
+      id 'Test07'
       input :information_accuracy_attestation,
             title: 'Tester verifies that all information is accurate and without omission.',
             type: 'radio',
@@ -254,6 +261,7 @@ module ONCCertificationG10TestKit
         Information returned no greater than scopes pre-authorized for
         multi-patient queries.
       )
+      id 'Test08'
       input :multi_patient_scopes_attestation,
             title: 'Information returned no greater than scopes pre-authorized for multi-patient queries.',
             type: 'radio',
@@ -288,6 +296,7 @@ module ONCCertificationG10TestKit
         Health IT developer demonstrated the documentation is available at a
         publicly accessible URL.
       )
+      id 'Test09'
       input :developer_documentation_attestation,
             title: 'Health IT developer demonstrated the documentation is available at a publicly accessible URL.',
             type: 'radio',
@@ -324,6 +333,7 @@ module ONCCertificationG10TestKit
         JWK Set received via a TLS-protected URL for longer than the
         cache-control header indicates.
       )
+      id 'Test10'
       input :jwks_cache_attestation,
             title: 'Health IT developer confirms the Health IT module does not cache the JWK Set received via a TLS-protected URL for longer than the cache-control header indicates.', # rubocop:disable Layout/LineLength
             type: 'radio',
@@ -362,6 +372,10 @@ module ONCCertificationG10TestKit
         demonstrate support for this USCDI v1 element as described in the US
         Core Patient Profile implementation guidance.
       )
+      id 'Test11'
+
+      required_suite_options us_core_version: 'us_core_3'
+
       input :patient_suffix_attestation,
             title: 'Health IT developer demonstrates support for the Patient Demographics Suffix USCDI v1 element.',
             type: 'radio',
@@ -400,6 +414,10 @@ module ONCCertificationG10TestKit
         demonstrate support for this USCDI v1 element as described in the US
         Core Patient Profile implementation guidance.
       )
+      id 'Test12'
+
+      required_suite_options us_core_version: 'us_core_3'
+
       input :patient_previous_name_attestation,
             title: 'Health IT developer demonstrates support for the Patient Demographics Previous Name USCDI v1 element.', # rubocop:disable Layout/LineLength
             type: 'radio',
@@ -440,6 +458,7 @@ module ONCCertificationG10TestKit
         OAuth 2.0 authorization flow to ensure authorization is sufficiently
         secure for native applications.
       )
+      id 'Test13'
       input :native_refresh_attestation,
             title: 'Health IT developer demonstrates support for issuing refresh tokens to native applications.',
             type: 'radio',

data/lib/onc_certification_g10_test_kit/well_known_capabilities_test.rb

@@ -19,7 +19,13 @@ module ONCCertificationG10TestKit
       assert capabilities.is_a?(Array),
              "Expected the well-known capabilities to be an Array, but found #{capabilities.class.name}"
 
-      missing_capabilities = (config.options[:required_capabilities] || []) - capabilities
+      required_capabilities = config.options[:required_capabilities] || []
+
+      if suite_options[:us_core_version] == 'us_core_5' && required_capabilities.include?('launch-ehr')
+        required_capabilities << 'context-ehr-encounter'
+      end
+
+      missing_capabilities = required_capabilities - capabilities
       assert missing_capabilities.empty?,
              "The following capabilities required for this scenario are missing: #{missing_capabilities.join(', ')}"
     end