RubyGems - onc_certification_g10_test_kit - Versions diffs - 3.0.1 → 3.2.0 - Mend

onc_certification_g10_test_kit 3.0.1 → 3.2.0

Files changed (41) hide show

data/lib/onc_certification_g10_test_kit/single_patient_api_group.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+require_relative 'incorrectly_permitted_tls_versions_messages_setup_test'
 module ONCCertificationG10TestKit
   class SinglePatientAPIGroup < Inferno::TestGroup
     id :g10_single_patient_api
@@ -79,6 +81,9 @@ module ONCCertificationG10TestKit
     USCoreTestKit::USCoreV311::USCoreTestSuite.groups.each do |group|
       test_group = group.ancestors[1]
+      next if test_group.optional?
       id = test_group.id
       group_config = {}
@@ -89,5 +94,7 @@ module ONCCertificationG10TestKit
       group(from: id, exclude_optional: true, config: group_config)
     end
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup
   end
 end

data/lib/onc_certification_g10_test_kit/single_patient_us_core_4_api_group.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+require_relative 'incorrectly_permitted_tls_versions_messages_setup_test'
 module ONCCertificationG10TestKit
   class SinglePatientUSCore4APIGroup < Inferno::TestGroup
     id :g10_single_patient_us_core_4_api
@@ -79,6 +81,9 @@ module ONCCertificationG10TestKit
     USCoreTestKit::USCoreV400::USCoreTestSuite.groups.each do |group|
       test_group = group.ancestors[1]
+      next if test_group.optional?
       id = test_group.id
       group_config = {}
@@ -89,5 +94,7 @@ module ONCCertificationG10TestKit
       group(from: id, exclude_optional: true, config: group_config)
     end
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup
   end
 end

data/lib/onc_certification_g10_test_kit/single_patient_us_core_5_api_group.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+require_relative 'incorrectly_permitted_tls_versions_messages_setup_test'
 module ONCCertificationG10TestKit
   class SinglePatientUSCore5APIGroup < Inferno::TestGroup
     id :g10_single_patient_us_core_5_api
@@ -6,7 +8,7 @@ module ONCCertificationG10TestKit
       For each of the relevant USCDI data elements provided in the
       CapabilityStatement, this test executes the [required supported
       searches](http://hl7.org/fhir/us/core/STU4/CapabilityStatement-us-core-server.html)
-      as defined by the US Core Implementation Guide v4.0.0.
+      as defined by the US Core Implementation Guide v5.0.1.
       The test begins by searching by one or more patients, with the expectation
       that the Bearer token provided to the test grants access to all USCDI
@@ -14,7 +16,7 @@ module ONCCertificationG10TestKit
       queries and checks that the results are consistent with the provided
       search parameters. It then performs a read on each Resource returned and
       validates the response against the relevant
-      [profile](http://hl7.org/fhir/us/core/STU4/profiles-and-extensions.html)
+      [profile](http://hl7.org/fhir/us/core/STU5.0.1/profiles-and-extensions.html)
       as currently defined in the US Core Implementation Guide.
       All MUST SUPPORT elements must be seen before the test can pass, as well
@@ -79,6 +81,9 @@ module ONCCertificationG10TestKit
     USCoreTestKit::USCoreV501::USCoreTestSuite.groups.each do |group|
       test_group = group.ancestors[1]
+      next if test_group.optional?
       id = test_group.id
       group_config = {}
@@ -89,5 +94,7 @@ module ONCCertificationG10TestKit
       group(from: id, exclude_optional: true, config: group_config)
     end
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup
   end
 end

data/lib/onc_certification_g10_test_kit/smart_app_launch_invalid_aud_group.rb CHANGED Viewed

@@ -91,7 +91,7 @@ module ONCCertificationG10TestKit
                 :smart_authorization_url
     test from: :smart_app_redirect do
-      required_suite_options smart_app_launch_version: 'smart_app_launch_1'
+      required_suite_options G10Options::SMART_1_REQUIREMENT
       input :client_secret,
             name: :standalone_client_secret,
@@ -118,7 +118,7 @@ module ONCCertificationG10TestKit
     end
     test from: :smart_app_redirect_stu2 do
-      required_suite_options smart_app_launch_version: 'smart_app_launch_2'
+      required_suite_options G10Options::SMART_2_REQUIREMENT
       config(
         inputs: {

data/lib/onc_certification_g10_test_kit/smart_ehr_practitioner_app_group.rb CHANGED Viewed

@@ -1,4 +1,5 @@
 require_relative 'base_token_refresh_group'
+require_relative 'smart_invalid_token_refresh_test'
 require_relative 'smart_scopes_test'
 require_relative 'unauthorized_access_test'
 require_relative 'well_known_capabilities_test'
@@ -59,7 +60,7 @@ module ONCCertificationG10TestKit
     input_order :url, :ehr_client_id, :ehr_client_secret
     group from: :smart_discovery do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_1')
+      required_suite_options(G10Options::SMART_1_REQUIREMENT)
       test from: 'g10_smart_well_known_capabilities',
            config: {
@@ -79,7 +80,7 @@ module ONCCertificationG10TestKit
     end
     group from: :smart_discovery_stu2 do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_2')
+      required_suite_options(G10Options::SMART_2_REQUIREMENT)
       test from: 'g10_smart_well_known_capabilities',
            config: {
@@ -102,7 +103,7 @@ module ONCCertificationG10TestKit
     end
     group from: :smart_ehr_launch do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_1')
+      required_suite_options(G10Options::SMART_1_REQUIREMENT)
       title 'EHR Launch With Practitioner Scope'
       input :client_secret,
@@ -172,7 +173,7 @@ module ONCCertificationG10TestKit
                access_token: { name: :ehr_access_token }
              }
            },
-           required_suite_options: { us_core_version: 'us_core_5' }
+           required_suite_options: G10Options::US_CORE_5_REQUIREMENT
       test do
         title 'Launch context contains smart_style_url which links to valid JSON'
@@ -220,6 +221,22 @@ module ONCCertificationG10TestKit
                  'Token response did not contain `need_patient_banner`'
         end
       end
+      tests[2].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :auth_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
+      tests[5].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :token_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
     end
     group from: :smart_ehr_launch_stu2,
@@ -239,7 +256,7 @@ module ONCCertificationG10TestKit
               }
             }
           } do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_2')
+      required_suite_options(G10Options::SMART_2_REQUIREMENT)
       title 'EHR Launch With Practitioner Scope'
       input :client_secret,
@@ -308,7 +325,7 @@ module ONCCertificationG10TestKit
                access_token: { name: :ehr_access_token }
              }
            },
-           required_suite_options: { us_core_version: 'us_core_5' }
+           required_suite_options: G10Options::US_CORE_5_REQUIREMENT
       test do
         title 'Launch context contains smart_style_url which links to valid JSON'
@@ -356,6 +373,22 @@ module ONCCertificationG10TestKit
                  'Token response did not contain `need_patient_banner`'
         end
       end
+      tests[2].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :auth_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
+      tests[5].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :token_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
     end
     group from: :smart_openid_connect,
@@ -399,6 +432,8 @@ module ONCCertificationG10TestKit
         )
         uses_request :token_refresh
       end
+      test from: :g10_invalid_token_refresh
     end
     test do
@@ -414,5 +449,25 @@ module ONCCertificationG10TestKit
                patient_id: ehr_patient_id
       end
     end
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup,
+         id: :g10_auth_incorrectly_permitted_tls_versions_messages_setup,
+         config: {
+           inputs: {
+             incorrectly_permitted_tls_versions_messages: {
+               name: :auth_incorrectly_permitted_tls_versions_messages
+             }
+           }
+         }
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup,
+         id: :g10_token_incorrectly_permitted_tls_versions_messages_setup,
+         config: {
+           inputs: {
+             incorrectly_permitted_tls_versions_messages: {
+               name: :token_incorrectly_permitted_tls_versions_messages
+             }
+           }
+         }
   end
 end

data/lib/onc_certification_g10_test_kit/smart_invalid_token_refresh_test.rb ADDED Viewed

@@ -0,0 +1,37 @@
+module ONCCertificationG10TestKit
+  class SMARTInvalidTokenRefreshTest < Inferno::Test
+    id :g10_invalid_token_refresh
+    title 'Refresh token exchange fails when supplied an invalid refresh token'
+    description %(
+      If the request failed verification or is invalid, the authorization server
+      returns an error response.
+      [OAuth 2.0 RFC (6749)](https://www.rfc-editor.org/rfc/rfc6749#section-6)
+    )
+    input :refresh_token, :smart_token_url, :client_id, :received_scopes
+    input :client_secret, optional: true
+    run do
+      skip_if refresh_token.blank?, 'No refresh token was received'
+      oauth2_params = {
+        'grant_type' => 'refresh_token',
+        'refresh_token' => SecureRandom.uuid
+      }
+      oauth2_headers = { 'Content-Type' => 'application/x-www-form-urlencoded' }
+      oauth2_params['scope'] = received_scopes if config.options[:include_scopes]
+      if client_secret.present?
+        credentials = Base64.strict_encode64("#{client_id}:#{client_secret}")
+        oauth2_headers['Authorization'] = "Basic #{credentials}"
+      else
+        oauth2_params['client_id'] = client_id
+      end
+      post(smart_token_url, body: oauth2_params, headers: oauth2_headers)
+      assert_response_status([400, 401])
+    end
+  end
+end

data/lib/onc_certification_g10_test_kit/smart_limited_app_group.rb CHANGED Viewed

@@ -1,3 +1,4 @@
+require_relative 'g10_options'
 require_relative 'patient_context_test'
 require_relative 'limited_scope_grant_test'
 require_relative 'restricted_resource_type_access_group'
@@ -80,7 +81,7 @@ module ONCCertificationG10TestKit
           Sequence](http://hl7.org/fhir/smart-app-launch/1.0.0/index.html#standalone-launch-sequence)
       )
-      required_suite_options smart_app_launch_version: 'smart_app_launch_1'
+      required_suite_options G10Options::SMART_1_REQUIREMENT
       config(
         inputs: {
@@ -203,7 +204,7 @@ module ONCCertificationG10TestKit
           Sequence](http://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#launch-app-standalone-launch)
       )
-      required_suite_options smart_app_launch_version: 'smart_app_launch_2'
+      required_suite_options G10Options::SMART_2_REQUIREMENT
       config(
         inputs: {

data/lib/onc_certification_g10_test_kit/smart_scopes_test.rb CHANGED Viewed

@@ -1,5 +1,7 @@
 module ONCCertificationG10TestKit
   class SMARTScopesTest < Inferno::Test
+    include G10Options
     title 'Patient-level access with OpenID Connect and Refresh Token scopes used.'
     description %(
       The scopes being input must follow the guidelines specified in the
@@ -62,13 +64,13 @@ module ONCCertificationG10TestKit
       (PATIENT_COMPARTMENT_RESOURCE_TYPES + ['ServiceRequest']).freeze
     def patient_compartment_resource_types
-      return PATIENT_COMPARTMENT_RESOURCE_TYPES unless suite_options[:us_core_version] == 'us_core_5'
+      return PATIENT_COMPARTMENT_RESOURCE_TYPES unless using_us_core_5?
       V5_PATIENT_COMPARTMENT_RESOURCE_TYPES
     end
     def valid_resource_types
-      return VALID_RESOURCE_TYPES unless suite_options[:us_core_version] == 'us_core_5'
+      return VALID_RESOURCE_TYPES unless using_us_core_5?
       V5_VALID_RESOURCE_TYPES
     end

data/lib/onc_certification_g10_test_kit/smart_standalone_patient_app_group.rb CHANGED Viewed

@@ -1,9 +1,11 @@
 require_relative 'base_token_refresh_group'
 require_relative 'patient_context_test'
+require_relative 'smart_invalid_token_refresh_test'
 require_relative 'smart_scopes_test'
 require_relative 'unauthorized_access_test'
 require_relative 'unrestricted_resource_type_access_group'
 require_relative 'well_known_capabilities_test'
+require_relative 'incorrectly_permitted_tls_versions_messages_setup_test'
 module ONCCertificationG10TestKit
   class SmartStandalonePatientAppGroup < Inferno::TestGroup
@@ -55,7 +57,7 @@ module ONCCertificationG10TestKit
     input_order :url, :standalone_client_id, :standalone_client_secret
     group from: :smart_discovery do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_1')
+      required_suite_options(G10Options::SMART_1_REQUIREMENT)
       test from: 'g10_smart_well_known_capabilities',
            config: {
@@ -74,7 +76,7 @@ module ONCCertificationG10TestKit
     end
     group from: :smart_discovery_stu2 do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_2')
+      required_suite_options(G10Options::SMART_2_REQUIREMENT)
       test from: 'g10_smart_well_known_capabilities',
            config: {
@@ -97,7 +99,7 @@ module ONCCertificationG10TestKit
     end
     group from: :smart_standalone_launch do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_1')
+      required_suite_options(G10Options::SMART_1_REQUIREMENT)
       title 'Standalone Launch With Patient Scope'
       description %(
@@ -178,6 +180,22 @@ module ONCCertificationG10TestKit
                smart_credentials: { name: :standalone_smart_credentials }
              }
            }
+      tests[0].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :auth_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
+      tests[3].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :token_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
     end
     group from: :smart_standalone_launch_stu2,
@@ -197,7 +215,7 @@ module ONCCertificationG10TestKit
               }
             }
           } do
-      required_suite_options(smart_app_launch_version: 'smart_app_launch_2')
+      required_suite_options(G10Options::SMART_2_REQUIREMENT)
       title 'Standalone Launch With Patient Scope'
       description %(
@@ -278,6 +296,22 @@ module ONCCertificationG10TestKit
                smart_credentials: { name: :standalone_smart_credentials }
              }
            }
+      tests[0].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :auth_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
+      tests[3].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :token_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
     end
     group from: :smart_openid_connect,
@@ -322,6 +356,8 @@ module ONCCertificationG10TestKit
         )
         uses_request :token_refresh
       end
+      test from: :g10_invalid_token_refresh
     end
     group from: :g10_unrestricted_resource_type_access,
@@ -346,5 +382,25 @@ module ONCCertificationG10TestKit
                patient_id: standalone_patient_id
       end
     end
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup,
+         id: :g10_auth_incorrectly_permitted_tls_versions_messages_setup,
+         config: {
+           inputs: {
+             incorrectly_permitted_tls_versions_messages: {
+               name: :auth_incorrectly_permitted_tls_versions_messages
+             }
+           }
+         }
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup,
+         id: :g10_token_incorrectly_permitted_tls_versions_messages_setup,
+         config: {
+           inputs: {
+             incorrectly_permitted_tls_versions_messages: {
+               name: :token_incorrectly_permitted_tls_versions_messages
+             }
+           }
+         }
   end
 end

data/lib/onc_certification_g10_test_kit/unrestricted_resource_type_access_group.rb CHANGED Viewed

@@ -1,3 +1,4 @@
+require_relative 'g10_options'
 require_relative 'resource_access_test'
 module ONCCertificationG10TestKit
@@ -111,6 +112,8 @@ module ONCCertificationG10TestKit
       (NON_PATIENT_COMPARTMENT_RESOURCES - ['Encounter'] + ['ServiceRequest']).freeze
     test do
+      include G10Options
       title 'Scope granted enables access to all US Core resource types.'
       description %(
         This test confirms that the scopes granted during authorization are
@@ -118,13 +121,13 @@ module ONCCertificationG10TestKit
       )
       def all_resources
-        return V5_ALL_RESOURCES if suite_options[:us_core_version] == 'us_core_5'
+        return V5_ALL_RESOURCES if using_us_core_5?
         ALL_RESOURCES
       end
       def non_patient_compartment_resources
-        return V5_NON_PATIENT_COMPARTMENT_RESOURCES if suite_options[:us_core_version] == 'us_core_5'
+        return V5_NON_PATIENT_COMPARTMENT_RESOURCES if using_us_core_5?
         NON_PATIENT_COMPARTMENT_RESOURCES
       end
@@ -335,7 +338,7 @@ module ONCCertificationG10TestKit
       )
       id :g10_encounter_unrestricted_access
-      required_suite_options us_core_version: 'us_core_5'
+      required_suite_options G10Options::US_CORE_5_REQUIREMENT
       def resource_group
         USCoreTestKit::USCoreV501::EncounterGroup
@@ -349,7 +352,7 @@ module ONCCertificationG10TestKit
       )
       id :g10_service_request_unrestricted_access
-      required_suite_options us_core_version: 'us_core_5'
+      required_suite_options G10Options::US_CORE_5_REQUIREMENT
       def resource_group
         USCoreTestKit::USCoreV501::ServiceRequestGroup

data/lib/onc_certification_g10_test_kit/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module ONCCertificationG10TestKit
-  VERSION = '3.0.1'.freeze
+  VERSION = '3.2.0'.freeze
 end

data/lib/onc_certification_g10_test_kit/visual_inspection_and_attestations_group.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+require_relative 'g10_options'
 module ONCCertificationG10TestKit
   class VisualInspectionAndAttestationsGroup < Inferno::TestGroup
     title 'Visual Inspection and Attestation'
@@ -374,7 +376,7 @@ module ONCCertificationG10TestKit
       )
       id 'Test11'
-      required_suite_options us_core_version: 'us_core_3'
+      required_suite_options G10Options::US_CORE_3_REQUIREMENT
       input :patient_suffix_attestation,
             title: 'Health IT developer demonstrates support for the Patient Demographics Suffix USCDI v1 element.',
@@ -416,7 +418,7 @@ module ONCCertificationG10TestKit
       )
       id 'Test12'
-      required_suite_options us_core_version: 'us_core_3'
+      required_suite_options G10Options::US_CORE_3_REQUIREMENT
       input :patient_previous_name_attestation,
             title: 'Health IT developer demonstrates support for the Patient Demographics Previous Name USCDI v1 element.', # rubocop:disable Layout/LineLength
@@ -486,5 +488,89 @@ module ONCCertificationG10TestKit
         pass native_refresh_notes if native_refresh_notes.present?
       end
     end
+    test do
+      title 'Health IT developer demonstrates the public location of its base URLs'
+      description %(
+        To fulfill the API Maintenance of Certification requirement at §
+        170.404(b)(2), the health IT developer demonstrates the public location
+        of its certified API technology service base URLs.
+      )
+      id :g10_public_url_attestation
+      input :public_url_attestation,
+            title: 'Health IT developer demonstrates the public location of its certified API technology service base URLs', # rubocop:disable Layout/LineLength
+            type: 'radio',
+            default: 'false',
+            options: {
+              list_options: [
+                {
+                  label: 'Yes',
+                  value: 'true'
+                },
+                {
+                  label: 'No',
+                  value: 'false'
+                }
+              ]
+            }
+      input :public_url_attestation_notes,
+            title: 'Notes, if applicable:',
+            type: 'textarea',
+            optional: true
+      run do
+        assert public_url_attestation == 'true',
+               'Health IT developer did not demonstrate the public location of its certified API technology service base URLs.' # rubocop:disable Layout/LineLength
+        pass public_url_attestation_notes if public_url_attestation_notes.present?
+      end
+    end
+    test do
+      title 'TLS version 1.2 or above must be enforced'
+      description %(
+        If TLS connections below version 1.2 have been allowed in any previous
+        tests, Health IT developers must document how the Health IT Module
+        enforces TLS version 1.2 or above.
+        If no TLS connections below version 1.2 have been allowed, no
+        documentation is necessary and this test will automatically pass.
+      )
+      id :g10_tls_version_attestation
+      input :unique_incorrectly_permitted_tls_versions_messages,
+            title: 'TLS Issues',
+            type: 'textarea',
+            locked: true,
+            optional: true
+      input :tls_documentation_required,
+            title: 'Health IT developers must document how the Health IT Module enforces TLs version 1.2 or above',
+            type: 'radio',
+            default: 'false',
+            locked: true,
+            options: {
+              list_options: [
+                {
+                  label: 'Yes',
+                  value: 'true'
+                },
+                {
+                  label: 'No',
+                  value: 'false'
+                }
+              ]
+            }
+      input :tls_version_attestation_notes,
+            title: 'Document how TLS version 1.2 or above is enforced, if required:',
+            type: 'textarea',
+            optional: true
+      run do
+        if tls_documentation_required == 'true'
+          assert tls_version_attestation_notes.present?,
+                 'Health IT developer did not document how the system under test enforces TLS version 1.2 or above'
+        end
+        pass tls_version_attestation_notes if tls_version_attestation_notes.present?
+      end
+    end
   end
 end

data/lib/onc_certification_g10_test_kit/well_known_capabilities_test.rb CHANGED Viewed

@@ -1,5 +1,7 @@
 module ONCCertificationG10TestKit
   class SMARTWellKnownCapabilitiesTest < Inferno::Test
+    include G10Options
     title 'Well-known configuration declares support for required capabilities'
     description %(
       A SMART on FHIR server SHALL convey its capabilities to app developers
@@ -21,8 +23,8 @@ module ONCCertificationG10TestKit
       required_capabilities = config.options[:required_capabilities] || []
-      if suite_options[:us_core_version] == 'us_core_5' && required_capabilities.include?('launch-ehr')
-        required_capabilities << 'context-ehr-encounter'
+      if using_us_core_5? && required_capabilities.include?('launch-ehr')
+        required_capabilities += ['context-ehr-encounter']
       end
       missing_capabilities = required_capabilities - capabilities