onc_certification_g10_test_kit 5.4.2 → 6.0.0

data/lib/onc_certification_g10_test_kit/smart_public_standalone_launch_group_stu2.rb

@@ -1,7 +1,7 @@
 module ONCCertificationG10TestKit
   class SMARTPublicStandaloneLaunchGroupSTU2 < SMARTAppLaunch::StandaloneLaunchGroupSTU2
-    title 'SMART Public Client Standalone Launch with OpenID Connect'
-    short_title 'SMART Public Client Launch'
+    title 'Public Client Standalone Launch with OpenID Connect'
+    short_title 'Public Client Launch'
     input_instructions %(
       Register Inferno as a standalone application using the following information:
 
@@ -12,6 +12,27 @@ module ONCCertificationG10TestKit
       fhirUser), refresh tokens (offline_access), and patient context
       (launch/patient) are required.
     )
+    description %(
+
+      This scenario verifies the ability of systems to support public clients
+      as described in the SMART App Launch implementation specification.  Previous
+      scenarios have not required the system under test to demonstrate this
+      specific type of SMART App Launch client.
+
+      Prior to executing this test, register Inferno as a public standalone
+      application using the following information:
+
+      * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
+
+      Inferno will act as a public client redirect the tester to the the
+      authorization endpoint so that they may provide any required credentials
+      and authorize the application. Upon successful authorization, Inferno will
+      exchange the authorization code provided for an access token.
+
+      For more information on the #{title}:
+
+      * [Standalone Launch Sequence](http://hl7.org/fhir/smart-app-launch/1.0.0/index.html#standalone-launch-sequence)
+    )
     id :g10_public_standalone_launch_stu2
     run_as_group
 
@@ -106,8 +127,7 @@ module ONCCertificationG10TestKit
                 :smart_authorization_url,
                 :smart_token_url,
                 :authorization_method,
-                :public_client_auth_type,
-                :client_auth_encryption_method
+                :public_client_auth_type
 
     test from: :g10_patient_context,
          config: {
@@ -134,5 +154,9 @@ module ONCCertificationG10TestKit
         assert id_token.present?, 'Token response did not provide an id_token as required.'
       end
     end
+
+    children.each do |child|
+      child.inputs.delete(:client_auth_encryption_method)
+    end
   end
 end

data/lib/onc_certification_g10_test_kit/smart_scopes_test.rb

@@ -69,6 +69,8 @@ module ONCCertificationG10TestKit
     V6_PATIENT_COMPARTMENT_RESOURCE_TYPES =
       (V5_PATIENT_COMPARTMENT_RESOURCE_TYPES + ['Coverage', 'MedicationDispense', 'Specimen']).freeze
 
+    attr_accessor :received_or_requested
+
     def patient_compartment_resource_types
       return V5_PATIENT_COMPARTMENT_RESOURCE_TYPES if using_us_core_5?
 
@@ -94,36 +96,43 @@ module ONCCertificationG10TestKit
     end
 
     def scope_version
-      config.options[:scope_version]
+      case received_or_requested
+      when 'received'
+        config.options[:received_scope_version] || config.options[:scope_version]
+      when 'requested'
+        config.options[:requested_scope_version] || config.options[:scope_version]
+      else
+        config.options[:scope_version]
+      end
+    end
+
+    def requested_scope_version
+      config.options[:requested_scope_version]
     end
 
     def read_format
-      @read_format ||=
-        begin
-          v1_read_format = 'read'
-          v2_read_format = 'c?ru?d?s?'
-
-          case scope_version
-          when :v1
-            "#{v1_read_format} | *"
-          when :v2
-            "#{v2_read_format} | *"
-          else
-            [v1_read_format, v2_read_format, '*'].join(' | ')
-          end
-        end
+      v1_read_format = 'read'
+      v2_read_format = 'c?ru?d?s?'
+
+      case scope_version
+      when :v1
+        "#{v1_read_format} | *"
+      when :v2
+        "#{v2_read_format} | *"
+      else
+        [v1_read_format, v2_read_format, '*'].join(' | ')
+      end
     end
 
     def access_level_regex
-      @access_level_regex ||=
-        case scope_version
-        when :v1
-          /\A(\*|read)\b/
-        when :v2
-          /\A(\*|c?ru?d?s?)\b/
-        else
-          /\A(\*|read|c?ru?d?s?)\b/
-        end
+      case scope_version
+      when :v1
+        /\A(\*|read)\b/
+      when :v2
+        /\A(\*|c?ru?d?s?)\b/
+      else
+        /\A(\*|read|c?ru?d?s?)\b/
+      end
     end
 
     def bad_format_message(scope, scope_direction = 'Requested')
@@ -229,7 +238,7 @@ module ONCCertificationG10TestKit
         }
       ].each do |metadata|
         scopes = metadata[:scopes].split
-        received_or_requested = metadata[:received_or_requested]
+        self.received_or_requested = metadata[:received_or_requested]
 
         missing_scopes = required_scopes - scopes
         assert missing_scopes.empty?,

data/lib/onc_certification_g10_test_kit/smart_standalone_patient_app_group.rb

@@ -24,16 +24,25 @@ module ONCCertificationG10TestKit
     )
 
     description %(
-        This scenario demonstrates the ability of a system to perform a Patient
+        This scenario verifies the ability of a system to perform a single
+        SMART App Launch.  Specifically, this scenario performs a Patient
         Standalone Launch to a SMART on FHIR confidential client with a patient
         context, refresh token, OpenID Connect (OIDC) identity token, and use
-        the GET HTTP method for code exchange. After launch, a simple Patient
-        resource read is performed on the patient in context. The access token
-        is then refreshed, and the Patient resource is read using the new access
-        token to ensure that the refresh was successful. The authentication
-        information provided by OpenID Connect is decoded and validated, and
-        simple queries are performed to ensure that access is granted to all
-        USCDI data elements.
+        the GET HTTP method for code exchange.
+
+        After launch, a simple Patient resource read is performed on the patient
+        in context. The access token is then refreshed, and the Patient resource
+        is read using the new access token to ensure that the refresh was
+        successful. The authentication information provided by OpenID Connect is
+        decoded and validated, and simple queries are performed to ensure that
+        access is granted to all USCDI data elements.
+
+        Prior to running the scenario, register Inferno as a confidential client
+        with the following information:
+
+        * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
+
+        The following implementation specifications are relevant to this scenario:
 
         * [SMART on FHIR
           (STU1)](http://www.hl7.org/fhir/smart-app-launch/1.0.0/)
@@ -93,12 +102,14 @@ module ONCCertificationG10TestKit
                  'launch-standalone',
                  'client-public',
                  'client-confidential-symmetric',
+                 'client-confidential-asymmetric',
                  'sso-openid-connect',
                  'context-standalone-patient',
                  'permission-offline',
                  'permission-patient',
                  'authorize-post',
-                 'permission-v2'
+                 'permission-v2',
+                 'permission-v1'
                ]
              }
            }

data/lib/onc_certification_g10_test_kit/smart_v1_scopes_group.rb

@@ -0,0 +1,241 @@
+require_relative 'base_token_refresh_group'
+require_relative 'patient_context_test'
+require_relative 'smart_invalid_token_refresh_test'
+require_relative 'smart_scopes_test'
+require_relative 'unauthorized_access_test'
+require_relative 'unrestricted_resource_type_access_group'
+require_relative 'well_known_capabilities_test'
+require_relative 'incorrectly_permitted_tls_versions_messages_setup_test'
+
+module ONCCertificationG10TestKit
+  class SmartV1ScopesGroup < Inferno::TestGroup
+    title 'App Launch with SMART v1 scopes'
+    short_title 'Launch with v1 Scopes'
+
+    input_instructions %(
+      Register Inferno as a standalone application using the following information:
+
+      * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
+
+      Enter in the appropriate v1 scopes to enable patient-level access to all
+      relevant resources. In addition, support for the OpenID Connect (openid
+      fhirUser), refresh tokens (offline_access), and patient context
+      (launch/patient) are required.
+    )
+
+    description %(
+        This scenario verifies the ability of a system to support a
+        Standalone Launch when v1 scopes are requested by the client.
+        It verifies that systems implement the `permission-v1` capability as required.
+        Previous scenarios focus on the use of the `permission-v2` capability,
+        and thus a dedicated launch is required to verify that systems
+        can support a client that requests `permission-v1` style scopes.
+
+        This scenario does not place any constraints on the form of scopes
+        granted.  Systems are free to grant v1-style scopes in response to the
+        request for v1-style scopes, as recommended in the [SMART App Launch Guide STU2](http://hl7.org/fhir/smart-app-launch/scopes-and-launch-context.html#scopes-for-requesting-fhir-resources).
+        Or they can upgrade them to v2-style scopes.  The scenario only ensures
+        that systems can grant access to clients that request v1-style scopes
+        and that the client has access to resources as expected.
+
+        All relevant resource types must be granted, in a similar manner to the
+        'Standalone Patient App' scenario.
+
+        This scenario expects Inferno to be registered as a 'Confidential
+        Symmetric' client.  Systems may either reuse a `client_id` associated
+        with Inferno used in a previous scenario, or register Inferno with a new
+        `client_id` as a standalone client with the following information:
+
+        * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
+
+      )
+
+    id :g10_smart_v1_scopes
+    run_as_group
+
+    config(
+      inputs: {
+        client_secret: {
+          optional: false,
+          name: :standalone_client_secret
+        },
+        requested_scopes: {
+          name: :v1_requested_scopes,
+          default: %(
+            launch/patient openid fhirUser offline_access
+            patient/Medication.read patient/AllergyIntolerance.read
+            patient/CarePlan.read patient/CareTeam.read patient/Condition.read
+            patient/Device.read patient/DiagnosticReport.read
+            patient/DocumentReference.read patient/Encounter.read
+            patient/Goal.read patient/Immunization.read patient/Location.read
+            patient/MedicationRequest.read patient/Observation.read
+            patient/Organization.read patient/Patient.read
+            patient/Practitioner.read patient/Procedure.read
+            patient/Provenance.read patient/PractitionerRole.read
+            patient/Specimen.read patient/Coverage.read
+            patient/MedicationDispense.read patient/ServiceRequest.read
+          ).gsub(/\s{2,}/, ' ').strip
+        },
+        received_scopes: { name: :v1_received_scopes },
+        smart_credentials: { name: :v1_smart_credentials }
+      },
+      outputs: {
+        received_scopes: { name: :v1_received_scopes },
+        patient_id: { name: :v1_patient_id }
+      }
+    )
+
+    input_order :url,
+                :standalone_client_id,
+                :standalone_client_secret,
+                :v1_requested_scopes,
+                :use_pkce,
+                :pkce_code_challenge_method,
+                :standalone_authorization_method,
+                :client_auth_type,
+                :client_auth_encryption_method
+
+    group from: :smart_discovery_stu2 do
+      test from: 'g10_smart_well_known_capabilities',
+           config: {
+             options: {
+               required_capabilities: [
+                 'launch-standalone',
+                 'client-public',
+                 'client-confidential-symmetric',
+                 'client-confidential-asymmetric',
+                 'sso-openid-connect',
+                 'context-standalone-patient',
+                 'permission-offline',
+                 'permission-patient',
+                 'authorize-post',
+                 'permission-v2',
+                 'permission-v1'
+               ]
+             }
+           }
+    end
+
+    group from: :smart_standalone_launch_stu2,
+          config: {
+            inputs: {
+              use_pkce: {
+                default: 'true',
+                locked: true
+              },
+              pkce_code_challenge_method: {
+                locked: true
+              },
+              authorization_method: {
+                name: :standalone_authorization_method,
+                default: 'get',
+                locked: true
+              },
+              client_auth_type: {
+                locked: true,
+                default: 'confidential_symmetric'
+              }
+            },
+            outputs: {
+              smart_credentials: { name: :v1_smart_credentials }
+            }
+          } do
+      title 'Standalone Launch With Patient Scope'
+      description %(
+        # Background
+
+        The [Standalone
+        Launch Sequence](http://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#launch-app-standalone-launch)
+        allows an app, like Inferno, to be launched independent of an
+        existing EHR session. It is one of the two launch methods described in
+        the SMART App Launch Framework alongside EHR Launch. The app will
+        request authorization for the provided scope from the authorization
+        endpoint, ultimately receiving an authorization token which can be used
+        to gain access to resources on the FHIR server.
+
+        # Test Methodology
+
+        Inferno will redirect the user to the the authorization endpoint so that
+        they may provide any required credentials and authorize the application.
+        Upon successful authorization, Inferno will exchange the authorization
+        code provided for an access token.
+
+        For more information on the #{title}:
+
+        * [Standalone Launch
+          Sequence](http://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#launch-app-standalone-launch)
+      )
+
+      test from: :g10_smart_scopes do
+        config(
+          options: {
+            requested_scope_version: :v1,
+            received_scope_version: :any,
+            required_scope_type: 'patient',
+            required_scopes: ['openid', 'fhirUser', 'launch/patient', 'offline_access']
+          }
+        )
+      end
+
+      test from: :g10_unauthorized_access,
+           config: {
+             inputs: {
+               patient_id: { name: :v1_patient_id }
+             }
+           }
+
+      test from: :g10_patient_context,
+           config: {
+             inputs: {
+               patient_id: { name: :v1_patient_id },
+               smart_credentials: { name: :v1_smart_credentials }
+             }
+           }
+
+      tests[0].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :auth_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
+
+      tests[3].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :token_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
+    end
+
+    group from: :g10_unrestricted_resource_type_access,
+          config: {
+            inputs: {
+              received_scopes: { name: :v1_received_scopes },
+              patient_id: { name: :v1_patient_id },
+              smart_credentials: { name: :v1_smart_credentials }
+            }
+          }
+
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup,
+         id: :g10_auth_incorrectly_permitted_tls_versions_messages_setup,
+         config: {
+           inputs: {
+             incorrectly_permitted_tls_versions_messages: {
+               name: :auth_incorrectly_permitted_tls_versions_messages
+             }
+           }
+         }
+
+    test from: :g10_incorrectly_permitted_tls_versions_messages_setup,
+         id: :g10_token_incorrectly_permitted_tls_versions_messages_setup,
+         config: {
+           inputs: {
+             incorrectly_permitted_tls_versions_messages: {
+               name: :token_incorrectly_permitted_tls_versions_messages
+             }
+           }
+         }
+  end
+end

data/lib/onc_certification_g10_test_kit/tasks/generate_matrix.rb

@@ -9,6 +9,8 @@ module ONCCertificationG10TestKit
     class GenerateMatrix
       include ONCCertificationG10TestKit
 
+      attr_accessor :row
+
       FILE_NAME = 'onc_certification_g10_matrix.xlsx'.freeze
 
       def inferno_to_procedure_map
@@ -35,6 +37,10 @@ module ONCCertificationG10TestKit
         @workbook ||= RubyXL::Workbook.new
       end
 
+      def next_row
+        self.row += 1
+      end
+
       def run
         generate_matrix_worksheet
         generate_test_procedure_worksheet
@@ -44,6 +50,10 @@ module ONCCertificationG10TestKit
         workbook.write(FILE_NAME)
       end
 
+      def all_descendant_tests(runnable)
+        runnable.tests + runnable.groups.flat_map { |group| all_descendant_tests(group) }
+      end
+
       def generate_matrix_worksheet # rubocop:disable Metrics/CyclomaticComplexity
         matrix_worksheet = workbook.worksheets[0]
         matrix_worksheet.sheet_name = 'Matrix'
@@ -64,11 +74,15 @@ module ONCCertificationG10TestKit
           next if group.short_id == '6' # Skip US Core 5
 
           matrix_worksheet.add_cell(1, col, group.title).change_text_wrap(true)
-          matrix_worksheet.merge_cells(1, col, 1, col + group.groups.length - 1)
+          matrix_worksheet.merge_cells(1, col, 1, col + group.groups.length - 1) if group.groups.length.positive?
           matrix_worksheet.change_column_border(col, :left, 'medium')
           matrix_worksheet.change_column_border_color(col, :left, '000000')
           column_borders << col
 
+          group.tests.each do |test|
+            column_map[test.short_id] = col
+          end
+
           group.groups.each do |test_case|
             matrix_worksheet.change_column_width(col, 4.2)
 
@@ -80,11 +94,7 @@ module ONCCertificationG10TestKit
             matrix_worksheet.change_column_border(col, :right, 'thin')
             matrix_worksheet.change_column_border_color(col, :right, '666666')
 
-            test_case.tests.each do |test|
-              # tests << { test_case: test_case, test: test }
-              # full_test_id = "#{test_case.prefix}#{test.id}"
-              column_map[test.short_id] = col
-            end
+            all_descendant_tests(test_case).each { |test| column_map[test.short_id] = col }
             col += 1
           end
         end
@@ -94,7 +104,7 @@ module ONCCertificationG10TestKit
         matrix_worksheet.change_row_horizontal_alignment(0, 'center')
 
         matrix_worksheet.add_cell(2, total_width + 2, 'Supported?')
-        row = 3
+        self.row = 3
 
         test_procedure.sections.each do |section|
           section.steps.each do |step|
@@ -120,7 +130,7 @@ module ONCCertificationG10TestKit
 
             matrix_worksheet.add_cell(row, total_width + 2, step.inferno_supported.upcase)
 
-            row += 1
+            next_row
           end
         end
         matrix_worksheet.change_column_horizontal_alignment(1, 'right')
@@ -161,14 +171,14 @@ module ONCCertificationG10TestKit
          'Inferno Notes',
          'Alternate Test Methodology'].each_with_index { |text, index| tp_worksheet.add_cell(0, index, text) }
 
-        row = 2
+        self.row = 2
 
         test_procedure.sections.each do |section|
           tp_worksheet.add_cell(row, 0, section.name)
-          row += 1
+          next_row
           section.steps.group_by(&:group).each do |group_name, steps|
             tp_worksheet.add_cell(row, 1, group_name)
-            row += 1
+            next_row
             steps.each do |step|
               longest_line = [step.s_u_t, step.t_l_v, step.inferno_notes, step.alternate_test].map do |text|
                 text&.lines&.count || 0
@@ -183,10 +193,10 @@ module ONCCertificationG10TestKit
               tp_worksheet.add_cell(row, 7, step.inferno_tests.join(', ')).change_text_wrap(true)
               tp_worksheet.add_cell(row, 8, step.inferno_notes).change_text_wrap(true)
               tp_worksheet.add_cell(row, 9, step.alternate_test).change_text_wrap(true)
-              row += 1
+              next_row
             end
           end
-          row += 1
+          next_row
         end
       end
 
@@ -198,61 +208,75 @@ module ONCCertificationG10TestKit
         runnable_and_parents.map(&:suite_option_requirements).compact.flatten
       end
 
-      def generate_inferno_test_worksheet # rubocop:disable Metrics/CyclomaticComplexity
-        workbook.add_worksheet('Inferno Tests')
-        inferno_worksheet = workbook.worksheets[2]
+      def inferno_worksheet
+        workbook.worksheets[2]
+      end
 
-        columns = [
+      def columns # rubocop:disable Metrics/CyclomaticComplexity
+        @columns ||= [
           ['', 3, ->(_test) { '' }],
           ['', 3, ->(_test) { '' }],
           ['Inferno Test ID', 22, ->(test) { test.short_id.to_s }],
           ['Inferno Test Name', 65, ->(test) { test.title }],
           ['Inferno Test Description', 65, lambda do |test|
-            description = test.description || ''
-            natural_indent =
-              description
-                .lines
-                .collect { |l| l.index(/[^ ]/) }
-                .select { |l| !l.nil? && l.positive? }
-                .min || 0
-            description.lines.map { |l| l[natural_indent..] || "\n" }.join.strip
-          end],
+                                             description = test.description || ''
+                                             natural_indent =
+                                               description
+                                                 .lines
+                                                 .collect { |l| l.index(/[^ ]/) }
+                                                 .select { |l| !l.nil? && l.positive? }
+                                                 .min || 0
+                                             description.lines.map { |l| l[natural_indent..] || "\n" }.join.strip
+                                           end],
           ['Test Procedure Steps', 30, ->(test) { inferno_to_procedure_map[test.short_id].join(', ') }],
           ['Standard Version Filter', 30, lambda do |test|
-            applicable_options(test).map(&:value).uniq.join(', ')
-          end]
-
+                                            applicable_options(test).map(&:value).uniq.join(', ')
+                                          end]
         ]
+      end
+
+      def add_test(test)
+        this_row = columns.map do |column|
+          column[2].call(test)
+        end
+
+        this_row.each_with_index do |value, index|
+          inferno_worksheet.add_cell(row, index, value).change_text_wrap(true)
+        end
+        inferno_worksheet
+          .change_row_height(row, [26, ((test.description || '').strip.lines.count * 10) + 10].max)
+        inferno_worksheet.change_row_vertical_alignment(row, 'top')
+        next_row
+      end
+
+      def add_group_title(group, column: 1)
+        inferno_worksheet.add_cell(row, column, "#{group.short_id}: #{group.title}")
+        inferno_worksheet.add_cell(row, 6, applicable_options(group).map(&:value).uniq.join(', '))
+        next_row
+      end
+
+      def add_group(group)
+        add_group_title(group)
+
+        group.tests.each { |test| add_test(test) }
+
+        group.groups.each { |nested_group| add_group(nested_group) }
+      end
+
+      def generate_inferno_test_worksheet
+        workbook.add_worksheet('Inferno Tests')
 
         columns.each_with_index do |row_name, index|
           inferno_worksheet.add_cell(0, index, row_name.first)
         end
 
-        row = 1
+        self.row = 1
 
         test_suite.groups.each do |group|
-          row += 1
-          inferno_worksheet.add_cell(row, 0, "#{group.short_id}: #{group.title}")
-          inferno_worksheet.add_cell(row, 6, applicable_options(group).map(&:value).uniq.join(', '))
-          row += 1
-          group.groups.each do |test_case|
-            inferno_worksheet.add_cell(row, 1, "#{test_case.short_id}: #{test_case.title}")
-            inferno_worksheet.add_cell(row, 6, applicable_options(test_case).map(&:value).uniq.join(', '))
-
-            row += 1
-            test_case.tests.each do |test|
-              this_row = columns.map do |column|
-                column[2].call(test)
-              end
+          next if group.short_id == '6' # Skip US Core 5
 
-              this_row.each_with_index do |value, index|
-                inferno_worksheet.add_cell(row, index, value).change_text_wrap(true)
-              end
-              inferno_worksheet.change_row_height(row, [26, ((test.description || '').strip.lines.count * 10) + 10].max)
-              inferno_worksheet.change_row_vertical_alignment(row, 'top')
-              row += 1
-            end
-          end
+          next_row
+          add_group(group)
         end
 
         columns.each_with_index do |column, index|