onc_certification_g10_test_kit 5.4.2 → 6.0.0

data/lib/onc_certification_g10_test_kit/token_introspection_group.rb

@@ -0,0 +1,110 @@
+require 'smart_app_launch/standalone_launch_group'
+require 'smart_app_launch/discovery_stu1_group'
+require 'smart_app_launch/token_introspection_group'
+
+require_relative 'g10_options'
+
+module ONCCertificationG10TestKit
+  class TokenIntrospectionGroup < SMARTAppLaunch::SMARTTokenIntrospectionGroup
+    id :g10_token_introspection
+
+    description <<~DESCRIPTION
+
+      This scenario verifies the ability of an authorization server to
+      perform token introspection in accordance with the [SMART App Launch STU2
+      Implementation Guide Section on Token
+      Introspection](https://hl7.org/fhir/smart-app-launch/STU2/token-introspection.html).
+      Inferno first acts as a registered SMART App Launch client to request and
+      receive a valid access token, and then as an authorized resource server that
+      queries the authorization server for information about this access token.
+
+      The system under test must perform the following in order to pass this
+      scenario:
+      * Issue a new bearer token to Inferno acting as a registered SMART App
+        Launch client.  The tester has flexibility in deciding what type of SMART
+        App Launch client is used (e.g. public or confidential).  This is
+        redundant to tests earlier in this test suite, but is performed to ensure
+        an active token can be introspected.
+      * Respond to a token introspection request from Inferno acting as a
+        resource server for both valid and invalid tokens.  Systems have flexibility
+        in how access control for this service is implemented.  To account for
+        this flexibility, the tester has the ability to add an Authorization
+        Header to the request (provided out-of-band of these tests), as well as
+        additional Introspect parameters, as allowed by the specification.
+
+    DESCRIPTION
+
+    input_instructions <<~INSTRUCTIONS
+      If the introspection endpoint is access controlled, testers must enter their own
+      HTTP Authorization header for the introspection request. See [RFC 7616 The
+      'Basic' HTTP Authentication
+      Scheme](https://datatracker.ietf.org/doc/html/rfc7617) for the most common
+      approach that uses client credentials. Testers may also provide any
+      additional parameters needed for their authorization server to complete
+      the introspection request.
+
+      **Note:** For both the Authorization header and request parameters, user-input
+      values will be sent exactly as entered and therefore the tester must
+      URI-encode any appropriate values.
+    INSTRUCTIONS
+
+    run_as_group
+
+    input :well_known_introspection_url,
+          title: 'Token Introspection Endpoint',
+          description: <<~DESCRIPTION,
+            The complete URL of the token introspection endpoint. This will be
+            populated automatically if included in the server's discovery
+            endpoint.
+          DESCRIPTION
+          optional: true
+
+    input_order :url,
+                :well_known_introspection_url,
+                :custom_authorization_header,
+                :optional_introspection_request_params,
+                :standalone_client_id,
+                :standalone_client_secret,
+                :authorization_method,
+                :use_pkce,
+                :pkce_code_challenge_method,
+                :standalone_requested_scopes,
+                :token_introspection_auth_type,
+                :client_auth_encryption_method
+
+    config(
+      inputs: {
+        client_auth_type: {
+          name: :token_introspection_auth_type
+        }
+      }
+    )
+
+    groups.first.description <<~DESCRIPTION
+      These tests are perform discovery and a standalone launch in order to
+      receive a new, active access token that will be provided for token
+      introspection.
+    DESCRIPTION
+
+    groups[1].description <<~DESCRIPTION
+      This group of tests executes the token introspection requests and ensures
+      the correct HTTP response is returned but does not validate the contents
+      of the token introspection response.
+    DESCRIPTION
+
+    # The token introspection tests are SMART v2 only, so they use v2 discovery
+    # and launch groups. g10 needs them for SMART v1 and v2, so this sets the
+    # original discovery and launch groups to only appear when using SMART v2,
+    # and adds the v1 groups when using v1.
+
+    groups.first.groups.each do |group|
+      group.required_suite_options(G10Options::SMART_2_REQUIREMENT)
+    end
+
+    groups.first.group from: :smart_discovery,
+                       required_suite_options: G10Options::SMART_1_REQUIREMENT
+
+    groups.first.group from: :smart_standalone_launch,
+                       required_suite_options: G10Options::SMART_1_REQUIREMENT
+  end
+end

data/lib/onc_certification_g10_test_kit/token_revocation_group.rb

@@ -2,7 +2,7 @@ module ONCCertificationG10TestKit
   class TokenRevocationGroup < Inferno::TestGroup
     title 'Token Revocation'
     description %(
-      Demonstrate the Health IT module is capable of revoking access granted to
+      This scenario verifies the ability of the system to revoke access granted to
       an application at the direction of a patient.  Access to the application
       must be revoked within one hour of the patient's request.
     )

data/lib/onc_certification_g10_test_kit/version.rb

@@ -1,3 +1,3 @@
 module ONCCertificationG10TestKit
-  VERSION = '5.4.2'.freeze
+  VERSION = '6.0.0'.freeze
 end

data/lib/onc_certification_g10_test_kit/visual_inspection_and_attestations_group.rb

@@ -189,43 +189,6 @@ module ONCCertificationG10TestKit
       end
     end
 
-    test do
-      title 'Health IT developer demonstrated the ability of the Health IT Module / ' \
-            'authorization server to validate token it has issued.'
-      description %(
-        Health IT developer demonstrated the ability of the Health IT Module /
-        authorization server to validate token it has issued
-      )
-      id 'Test06'
-      input :token_validation_support,
-            title: 'Health IT developer demonstrated the ability of the Health IT Module / authorization server to validate token it has issued.', # rubocop:disable Layout/LineLength
-            type: 'radio',
-            default: 'false',
-            options: {
-              list_options: [
-                {
-                  label: 'Yes',
-                  value: 'true'
-                },
-                {
-                  label: 'No',
-                  value: 'false'
-                }
-              ]
-            }
-      input :token_validation_notes,
-            title: 'Notes, if applicable:',
-            type: 'textarea',
-            optional: true
-
-      run do
-        assert token_validation_support == 'true',
-               'Health IT Module did not demonstrate the ability of the Health IT Module / ' \
-               'authorization server to validate token it has issued'
-        pass token_validation_notes if token_validation_notes.present?
-      end
-    end
-
     test do
       title 'Tester verifies that all information is accurate and without omission.'
       description %(
@@ -646,5 +609,62 @@ module ONCCertificationG10TestKit
         pass bulk_v2_since_attestation_notes if bulk_v2_since_attestation_notes.present?
       end
     end
+
+    test do
+      required_suite_options G10Options::SMART_2_REQUIREMENT.merge(G10Options::US_CORE_6_REQUIREMENT)
+      title 'Health IT developer attested that the Health IT Module supports ' \
+            'granting a sub resource scope for Clinical Test Observations.'
+
+      description <<~DESCRIPTION
+        As finalized in the HTI-1 Final Rule (89 FR 1294), Health IT Modules are
+        required to support SMART App Launch v2.0.0 "Finer-grained resource
+        constraints using search parameters" for the “category” parameter for
+        the Condition resource with Condition sub-resources Encounter Diagnosis,
+        Problem List, and Health Concern, and the Observation resource with
+        Observation sub-resources Clinical Test, Laboratory, Social History,
+        SDOH, Survey, and Vital Signs. We defer to the implementation guides
+        referenced at § 170.215(b)(1) and § 170.215(c) for specific
+        implementation guidance for this requirement. In the context of the US
+        Core 6.1.0 implementation guide, the Observation sub-resources of
+        Clinical Test and SDOH may have scopes supported as follows:
+
+        * support for scopes for the Observation sub-resource Clinical Test
+          using the "procedure" code from the US Core Clinical Result
+          Observation Category value set.
+
+        * support for scopes for the Observation sub-resource SDOH using the
+          "sdoh" code from the US Core Category code system .
+      DESCRIPTION
+      id :g10_clinical_test_scope_attestation
+      input :clinical_test_scope_attestation,
+            title: 'Health IT developer attested that the Health IT Module supports ' \
+                   'granting a sub resource scope for Clinical Test Observations.',
+            type: 'radio',
+            default: 'false',
+            options: {
+              list_options: [
+                {
+                  label: 'Yes',
+                  value: 'true'
+                },
+                {
+                  label: 'No',
+                  value: 'false'
+                }
+              ]
+            }
+      input :clinical_test_scope_attestation_notes,
+            title: 'Notes, if applicable:',
+            type: 'textarea',
+            optional: true
+
+      run do
+        assert clinical_test_scope_attestation == 'true',
+               'Health IT developer did not attest that the Health IT Module supports ' \
+               'granting a sub resource scope for Clinical Test Observations.'
+
+        pass clinical_test_scope_attestation_notes if clinical_test_scope_attestation_notes.present?
+      end
+    end
   end
 end

data/lib/onc_certification_g10_test_kit.rb

@@ -7,26 +7,32 @@ require_relative 'onc_certification_g10_test_kit/version'
 
 require_relative 'onc_certification_g10_test_kit/feature'
 require_relative 'onc_certification_g10_test_kit/g10_options'
+require_relative 'onc_certification_g10_test_kit/multi_patient_api_stu1'
+require_relative 'onc_certification_g10_test_kit/multi_patient_api_stu2'
 require_relative 'onc_certification_g10_test_kit/single_patient_api_group'
 require_relative 'onc_certification_g10_test_kit/single_patient_us_core_4_api_group'
 require_relative 'onc_certification_g10_test_kit/single_patient_us_core_5_api_group'
 require_relative 'onc_certification_g10_test_kit/single_patient_us_core_6_api_group'
 require_relative 'onc_certification_g10_test_kit/smart_app_launch_invalid_aud_group'
+require_relative 'onc_certification_g10_test_kit/smart_asymmetric_launch_group'
+require_relative 'onc_certification_g10_test_kit/smart_granular_scope_selection_group'
 require_relative 'onc_certification_g10_test_kit/smart_invalid_token_group'
 require_relative 'onc_certification_g10_test_kit/smart_invalid_token_group_stu2'
 require_relative 'onc_certification_g10_test_kit/smart_invalid_pkce_group'
 require_relative 'onc_certification_g10_test_kit/smart_limited_app_group'
 require_relative 'onc_certification_g10_test_kit/smart_standalone_patient_app_group'
-require_relative 'onc_certification_g10_test_kit/smart_ehr_practitioner_app_group'
 require_relative 'onc_certification_g10_test_kit/smart_public_standalone_launch_group'
 require_relative 'onc_certification_g10_test_kit/smart_public_standalone_launch_group_stu2'
 require_relative 'onc_certification_g10_test_kit/smart_ehr_patient_launch_group'
 require_relative 'onc_certification_g10_test_kit/smart_ehr_patient_launch_group_stu2'
-require_relative 'onc_certification_g10_test_kit/multi_patient_api_stu1'
-require_relative 'onc_certification_g10_test_kit/multi_patient_api_stu2'
+require_relative 'onc_certification_g10_test_kit/smart_ehr_practitioner_app_group'
+require_relative 'onc_certification_g10_test_kit/smart_fine_grained_scopes_group'
+require_relative 'onc_certification_g10_test_kit/smart_v1_scopes_group'
 require_relative 'onc_certification_g10_test_kit/terminology_binding_validator'
+require_relative 'onc_certification_g10_test_kit/token_introspection_group'
 require_relative 'onc_certification_g10_test_kit/token_revocation_group'
 require_relative 'onc_certification_g10_test_kit/visual_inspection_and_attestations_group'
+
 require_relative 'inferno/terminology'
 require_relative 'onc_certification_g10_test_kit/short_id_manager'
 
@@ -251,13 +257,37 @@ module ONCCertificationG10TestKit
     )
 
     description %(
-      The ONC Certification (g)(10) Standardized API Test Kit is a testing tool for
-      Health Level 7 (HL7®) Fast Healthcare Interoperability Resources (FHIR®)
-      services seeking to meet the requirements of the Standardized API for
-      Patient and Population Services criterion § 170.315(g)(10) in the ONC Certification Program.
-
-      To get started, please first register the Inferno client as a SMART App
-      with the following information:
+      The ONC Certification (g)(10) Standardized API Test Suite is a testing
+      tool for Health Level 7 (HL7®) Fast Healthcare Interoperability Resources
+      (FHIR®) services seeking to meet the requirements of the Standardized API
+      for Patient and Population Services criterion § 170.315(g)(10) in the ONC
+      Certification Program.
+
+      This test suite is organized into testing scenarios that in sum cover all
+      requirements within the § 170.315(g)(10) certification criterion.  The
+      scenarios are intended to be run in order during certification, but can
+      be run out of order to support testing during development or certification
+      preparation.  Some scenarios depend on data collected during previous
+      scenarios to function.  In these cases, the scenario description describes
+      these dependencies.
+
+      The best way to learn about how to use these tests is the
+      [(g)(10) Standardized API Test Kit walkthrough](https://github.com/onc-healthit/onc-certification-g10-test-kit/wiki/Walkthrough),
+      which demonstrates the tests running against a simulated system.
+
+      The first three scenarios require the system under test to demonstrate
+      basic SMART App Launch functionality.  The fourth uses a valid token
+      provided during earlier tests to verify support for the Single Patient API
+      as described in the criterion.  The fifth verifies support for the Multi
+      Patient API, including Backend Services for authorization.  Not all
+      authorization-related requirements are verified in the first three
+      scenarios, and the 'Additional Authorization Tests' verify these
+      additional requirements.  The last scenario contains a list of
+      'attestations' and 'visual inspections' for requirements that could not
+      be verified through automated testing.
+
+      To get started with the first group of scenarios, please first register the
+      Inferno client as a SMART App with the following information:
 
       * SMART Launch URI: `#{SMARTAppLaunch::AppLaunchTest.config.options[:launch_uri]}`
       * OAuth Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
@@ -267,7 +297,7 @@ module ONCCertificationG10TestKit
 
       * `#{Inferno::Application[:base_url]}/custom/g10_certification/.well-known/jwks.json`
 
-      Systems must pass all tests in order to qualify for ONC certification.
+      Systems must pass all tests to qualify for ONC certification.
     )
 
     suite_summary %(
@@ -315,14 +345,22 @@ module ONCCertificationG10TestKit
           required_suite_options: G10Options::BULK_DATA_2_REQUIREMENT
 
     group do
-      title 'Additional Tests'
+      title 'Additional Authorization Tests'
       id 'Group06'
       description %(
-        Not all requirements that need to be tested fit within the previous
-        scenarios. The tests contained in this section addresses remaining
-        testing requirements. Each of these tests need to be run independently.
-        Please read the instructions for each in the 'About' section, as they
-        may require special setup on the part of the tester.
+        The (g)(10) Standardized Test Suite attempts to minimize effort required
+        by testers by creating scenarios that validate as many requirements as
+        possible with just a handful of SMART App Launches.  However, not all
+        SMART App Launch and (g)(10) Standardized API criterion requirements
+        that need to be verified fit within the first few test scenarios in this
+        suite.
+
+        The scenarios contained in this section verify remaining testing
+        requirements for the (g)(10) Standardized API criterion relevant to
+        the SMART App Launch implementation specification. Each of these scenarios
+        need to be run independently.  Please read the instructions for each in
+        the 'About' section, as they may require special setup on the part of
+        the tester.
       )
 
       default_redirect_message_proc = lambda do |auth_url|
@@ -336,6 +374,14 @@ module ONCCertificationG10TestKit
         )
       end
 
+      config(
+        inputs: {
+          client_auth_encryption_method: {
+            locked: false
+          }
+        }
+      )
+
       group from: :g10_public_standalone_launch,
             required_suite_options: G10Options::SMART_1_REQUIREMENT,
             config: { options: { redirect_message_proc: default_redirect_message_proc } }
@@ -363,8 +409,28 @@ module ONCCertificationG10TestKit
       group from: :g10_ehr_patient_launch_stu2,
             required_suite_options: G10Options::SMART_2_REQUIREMENT
 
-      group from: :g10_visual_inspection_and_attestations
+      group from: :g10_token_introspection
+
+      group from: :g10_asymmetric_launch,
+            required_suite_options: G10Options::SMART_2_REQUIREMENT
+
+      group from: :g10_smart_v1_scopes,
+            required_suite_options: G10Options::SMART_2_REQUIREMENT,
+            config: {
+              inputs: {
+                client_auth_encryption_method: { locked: true }
+              }
+            }
+
+      group from: :g10_smart_fine_grained_scopes,
+            required_suite_options: G10Options::SMART_2_REQUIREMENT.merge(G10Options::US_CORE_6_REQUIREMENT),
+            exclude_optional: true
+
+      group from: :g10_smart_granular_scope_selection,
+            required_suite_options: G10Options::SMART_2_REQUIREMENT.merge(G10Options::US_CORE_6_REQUIREMENT)
     end
+
+    group from: :g10_visual_inspection_and_attestations
   end
 end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: onc_certification_g10_test_kit
 version: !ruby/object:Gem::Version
-  version: 5.4.2
+  version: 6.0.0
 platform: ruby
 authors:
 - Stephen MacVicar
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-07-10 00:00:00.000000000 Z
+date: 2024-08-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bloomer
@@ -114,14 +114,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.4.2
+        version: 0.4.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.4.2
+        version: 0.4.3
 - !ruby/object:Gem::Dependency
   name: tls_test_kit
   requirement: !ruby/object:Gem::Requirement
@@ -142,14 +142,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.7.2
+        version: 0.8.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.7.2
+        version: 0.8.0
 - !ruby/object:Gem::Dependency
   name: database_cleaner-sequel
   requirement: !ruby/object:Gem::Requirement
@@ -249,6 +249,7 @@ files:
 - lib/onc_certification_g10_test_kit.rb
 - lib/onc_certification_g10_test_kit/authorization_request_builder.rb
 - lib/onc_certification_g10_test_kit/base_token_refresh_group.rb
+- lib/onc_certification_g10_test_kit/base_token_refresh_stu2_group.rb
 - lib/onc_certification_g10_test_kit/bulk_data_authorization.rb
 - lib/onc_certification_g10_test_kit/bulk_data_group_export_cancel_stu1.rb
 - lib/onc_certification_g10_test_kit/bulk_data_group_export_cancel_stu2.rb
@@ -291,9 +292,13 @@ files:
 - lib/onc_certification_g10_test_kit/single_patient_us_core_5_api_group.rb
 - lib/onc_certification_g10_test_kit/single_patient_us_core_6_api_group.rb
 - lib/onc_certification_g10_test_kit/smart_app_launch_invalid_aud_group.rb
+- lib/onc_certification_g10_test_kit/smart_asymmetric_launch_group.rb
 - lib/onc_certification_g10_test_kit/smart_ehr_patient_launch_group.rb
 - lib/onc_certification_g10_test_kit/smart_ehr_patient_launch_group_stu2.rb
 - lib/onc_certification_g10_test_kit/smart_ehr_practitioner_app_group.rb
+- lib/onc_certification_g10_test_kit/smart_fine_grained_scopes_group.rb
+- lib/onc_certification_g10_test_kit/smart_granular_scope_selection_group.rb
+- lib/onc_certification_g10_test_kit/smart_granular_scope_selection_test.rb
 - lib/onc_certification_g10_test_kit/smart_invalid_pkce_group.rb
 - lib/onc_certification_g10_test_kit/smart_invalid_token_group.rb
 - lib/onc_certification_g10_test_kit/smart_invalid_token_group_stu2.rb
@@ -303,9 +308,11 @@ files:
 - lib/onc_certification_g10_test_kit/smart_public_standalone_launch_group_stu2.rb
 - lib/onc_certification_g10_test_kit/smart_scopes_test.rb
 - lib/onc_certification_g10_test_kit/smart_standalone_patient_app_group.rb
+- lib/onc_certification_g10_test_kit/smart_v1_scopes_group.rb
 - lib/onc_certification_g10_test_kit/tasks/generate_matrix.rb
 - lib/onc_certification_g10_test_kit/tasks/test_procedure.rb
 - lib/onc_certification_g10_test_kit/terminology_binding_validator.rb
+- lib/onc_certification_g10_test_kit/token_introspection_group.rb
 - lib/onc_certification_g10_test_kit/token_revocation_group.rb
 - lib/onc_certification_g10_test_kit/unauthorized_access_test.rb
 - lib/onc_certification_g10_test_kit/unrestricted_resource_type_access_group.rb