onc_certification_g10_test_kit 6.0.3 → 7.0.0

data/lib/onc_certification_g10_test_kit/smart_standalone_patient_app_group.rb

@@ -115,6 +115,28 @@ module ONCCertificationG10TestKit
            }
     end
 
+    group from: :smart_discovery_stu2_2 do # rubocop:disable Naming/VariableNumber
+      required_suite_options(G10Options::SMART_2_2_REQUIREMENT)
+      test from: 'g10_smart_well_known_capabilities',
+           config: {
+             options: {
+               required_capabilities: [
+                 'launch-standalone',
+                 'client-public',
+                 'client-confidential-symmetric',
+                 'client-confidential-asymmetric',
+                 'sso-openid-connect',
+                 'context-standalone-patient',
+                 'permission-offline',
+                 'permission-patient',
+                 'authorize-post',
+                 'permission-v2',
+                 'permission-v1'
+               ]
+             }
+           }
+    end
+
     group from: :smart_standalone_launch do
       required_suite_options(G10Options::SMART_1_REQUIREMENT)
 
@@ -323,7 +345,144 @@ module ONCCertificationG10TestKit
       )
     end
 
+    group from: :smart_standalone_launch_stu2_2, # rubocop:disable Naming/VariableNumber
+          config: {
+            inputs: {
+              use_pkce: {
+                default: 'true',
+                locked: true
+              },
+              pkce_code_challenge_method: {
+                locked: true
+              },
+              authorization_method: {
+                name: :standalone_authorization_method,
+                default: 'get',
+                locked: true
+              },
+              client_auth_type: {
+                locked: true,
+                default: 'confidential_symmetric'
+              }
+            }
+          } do
+      required_suite_options(G10Options::SMART_2_2_REQUIREMENT)
+      title 'Standalone Launch With Patient Scope'
+      description %(
+        # Background
+
+        The [Standalone
+        Launch Sequence](http://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#launch-app-standalone-launch)
+        allows an app, like Inferno, to be launched independent of an
+        existing EHR session. It is one of the two launch methods described in
+        the SMART App Launch Framework alongside EHR Launch. The app will
+        request authorization for the provided scope from the authorization
+        endpoint, ultimately receiving an authorization token which can be used
+        to gain access to resources on the FHIR server.
+
+        # Test Methodology
+
+        Inferno will redirect the user to the the authorization endpoint so that
+        they may provide any required credentials and authorize the application.
+        Upon successful authorization, Inferno will exchange the authorization
+        code provided for an access token.
+
+        For more information on the #{title}:
+
+        * [Standalone Launch
+          Sequence](http://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#launch-app-standalone-launch)
+      )
+
+      config(
+        inputs: {
+          requested_scopes: {
+            default: %(
+              launch/patient openid fhirUser offline_access
+              patient/Medication.rs patient/AllergyIntolerance.rs
+              patient/CarePlan.rs patient/CareTeam.rs patient/Condition.rs
+              patient/Device.rs patient/DiagnosticReport.rs
+              patient/DocumentReference.rs patient/Encounter.rs
+              patient/Goal.rs patient/Immunization.rs patient/Location.rs
+              patient/MedicationRequest.rs patient/Observation.rs
+              patient/Organization.rs patient/Patient.rs
+              patient/Practitioner.rs patient/Procedure.rs
+              patient/Provenance.rs patient/PractitionerRole.rs
+            ).gsub(/\s{2,}/, ' ').strip
+          }
+        }
+      )
+
+      test from: :g10_smart_scopes do
+        config(
+          inputs: {
+            requested_scopes: { name: :standalone_requested_scopes },
+            received_scopes: { name: :standalone_received_scopes }
+          },
+          options: {
+            scope_version: :v22,
+            required_scope_type: 'patient',
+            required_scopes: ['openid', 'fhirUser', 'launch/patient', 'offline_access']
+          }
+        )
+      end
+
+      test from: :g10_unauthorized_access,
+           config: {
+             inputs: {
+               patient_id: { name: :standalone_patient_id }
+             }
+           }
+
+      test from: :g10_patient_context,
+           config: {
+             inputs: {
+               patient_id: { name: :standalone_patient_id },
+               smart_credentials: { name: :standalone_smart_credentials }
+             }
+           }
+
+      tests[0].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :auth_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
+
+      tests[3].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :token_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
+    end
+
+    group from: :smart_openid_connect,
+          required_suite_options: G10Options::SMART_1_REQUIREMENT,
+          config: {
+            inputs: {
+              id_token: { name: :standalone_id_token },
+              client_id: { name: :standalone_client_id },
+              requested_scopes: { name: :standalone_requested_scopes },
+              smart_credentials: { name: :standalone_smart_credentials }
+            }
+          }
+
     group from: :smart_openid_connect,
+          required_suite_options: G10Options::SMART_2_REQUIREMENT,
+          id: :smart_openid_connect_stu2,
+          config: {
+            inputs: {
+              id_token: { name: :standalone_id_token },
+              client_id: { name: :standalone_client_id },
+              requested_scopes: { name: :standalone_requested_scopes },
+              smart_credentials: { name: :standalone_smart_credentials }
+            }
+          }
+
+    group from: :smart_openid_connect_stu2_2, # rubocop:disable Naming/VariableNumber
+          required_suite_options: G10Options::SMART_2_2_REQUIREMENT,
           config: {
             inputs: {
               id_token: { name: :standalone_id_token },

data/lib/onc_certification_g10_test_kit/smart_v1_scopes_group.rb

@@ -96,6 +96,29 @@ module ONCCertificationG10TestKit
                 :client_auth_encryption_method
 
     group from: :smart_discovery_stu2 do
+      required_suite_options(G10Options::SMART_2_REQUIREMENT)
+      test from: 'g10_smart_well_known_capabilities',
+           config: {
+             options: {
+               required_capabilities: [
+                 'launch-standalone',
+                 'client-public',
+                 'client-confidential-symmetric',
+                 'client-confidential-asymmetric',
+                 'sso-openid-connect',
+                 'context-standalone-patient',
+                 'permission-offline',
+                 'permission-patient',
+                 'authorize-post',
+                 'permission-v2',
+                 'permission-v1'
+               ]
+             }
+           }
+    end
+    group from: :smart_discovery_stu2_2 do # rubocop:disable Naming/VariableNumber
+      required_suite_options(G10Options::SMART_2_2_REQUIREMENT)
+
       test from: 'g10_smart_well_known_capabilities',
            config: {
              options: {
@@ -117,6 +140,7 @@ module ONCCertificationG10TestKit
     end
 
     group from: :smart_standalone_launch_stu2,
+          required_suite_options: G10Options::SMART_2_REQUIREMENT,
           config: {
             inputs: {
               use_pkce: {
@@ -208,6 +232,99 @@ module ONCCertificationG10TestKit
         }
       )
     end
+    group from: :smart_standalone_launch_stu2_2, # rubocop:disable Naming/VariableNumber
+          required_suite_options: G10Options::SMART_2_2_REQUIREMENT,
+          config: {
+            inputs: {
+              use_pkce: {
+                default: 'true',
+                locked: true
+              },
+              pkce_code_challenge_method: {
+                locked: true
+              },
+              authorization_method: {
+                name: :standalone_authorization_method,
+                default: 'get',
+                locked: true
+              },
+              client_auth_type: {
+                locked: true,
+                default: 'confidential_symmetric'
+              }
+            },
+            outputs: {
+              smart_credentials: { name: :v1_smart_credentials }
+            }
+          } do
+      title 'Standalone Launch With Patient Scope'
+      description %(
+        # Background
+
+        The [Standalone
+        Launch Sequence](http://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#launch-app-standalone-launch)
+        allows an app, like Inferno, to be launched independent of an
+        existing EHR session. It is one of the two launch methods described in
+        the SMART App Launch Framework alongside EHR Launch. The app will
+        request authorization for the provided scope from the authorization
+        endpoint, ultimately receiving an authorization token which can be used
+        to gain access to resources on the FHIR server.
+
+        # Test Methodology
+
+        Inferno will redirect the user to the the authorization endpoint so that
+        they may provide any required credentials and authorize the application.
+        Upon successful authorization, Inferno will exchange the authorization
+        code provided for an access token.
+
+        For more information on the #{title}:
+
+        * [Standalone Launch
+          Sequence](http://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#launch-app-standalone-launch)
+      )
+
+      test from: :g10_smart_scopes do
+        config(
+          options: {
+            requested_scope_version: :v1,
+            received_scope_version: :any,
+            required_scope_type: 'patient',
+            required_scopes: ['openid', 'fhirUser', 'launch/patient', 'offline_access']
+          }
+        )
+      end
+
+      test from: :g10_unauthorized_access,
+           config: {
+             inputs: {
+               patient_id: { name: :v1_patient_id }
+             }
+           }
+
+      test from: :g10_patient_context,
+           config: {
+             inputs: {
+               patient_id: { name: :v1_patient_id },
+               smart_credentials: { name: :v1_smart_credentials }
+             }
+           }
+
+      tests[0].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :auth_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
+
+      tests[3].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :token_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
+    end
 
     group from: :g10_unrestricted_resource_type_access,
           config: {

data/lib/onc_certification_g10_test_kit/terminology_binding_validator.rb

@@ -63,7 +63,11 @@ module ONCCertificationG10TestKit
     def element_with_invalid_binding
       @element_with_invalid_binding ||=
         find_a_value_at(path_source, binding_definition[:path]) do |element|
-          invalid_binding? element
+          if element.is_a? USCoreTestKit::PrimitiveType
+            invalid_binding? element.value
+          else
+            invalid_binding? element
+          end
         end
     end
 

data/lib/onc_certification_g10_test_kit/token_introspection_group_stu2_2.rb

@@ -0,0 +1,97 @@
+require 'smart_app_launch/token_introspection_group'
+
+require_relative 'g10_options'
+
+module ONCCertificationG10TestKit
+  class TokenIntrospectionGroupSTU22 < SMARTAppLaunch::SMARTTokenIntrospectionGroupSTU22
+    id :g10_token_introspection_stu2_2 # rubocop:disable Naming/VariableNumber
+
+    description <<~DESCRIPTION
+
+      This scenario verifies the ability of an authorization server to
+      perform token introspection in accordance with the [SMART App Launch STU2
+      Implementation Guide Section on Token
+      Introspection](https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html).
+      Inferno first acts as a registered SMART App Launch client to request and
+      receive a valid access token, and then as an authorized resource server that
+      queries the authorization server for information about this access token.
+
+      The system under test must perform the following in order to pass this
+      scenario:
+      * Issue a new bearer token to Inferno acting as a registered SMART App
+        Launch client.  The tester has flexibility in deciding what type of SMART
+        App Launch client is used (e.g. public or confidential).  This is
+        redundant to tests earlier in this test suite, but is performed to ensure
+        an active token can be introspected.
+      * Respond to a token introspection request from Inferno acting as a
+        resource server for both valid and invalid tokens.  Systems have flexibility
+        in how access control for this service is implemented.  To account for
+        this flexibility, the tester has the ability to add an Authorization
+        Header to the request (provided out-of-band of these tests), as well as
+        additional Introspect parameters, as allowed by the specification.
+
+    DESCRIPTION
+
+    input_instructions <<~INSTRUCTIONS
+      If the introspection endpoint is access controlled, testers must enter their own
+      HTTP Authorization header for the introspection request. See [RFC 7616 The
+      'Basic' HTTP Authentication
+      Scheme](https://datatracker.ietf.org/doc/html/rfc7617) for the most common
+      approach that uses client credentials. Testers may also provide any
+      additional parameters needed for their authorization server to complete
+      the introspection request.
+
+      **Note:** For both the Authorization header and request parameters, user-input
+      values will be sent exactly as entered and therefore the tester must
+      URI-encode any appropriate values.
+    INSTRUCTIONS
+
+    run_as_group
+
+    input :well_known_introspection_url,
+          title: 'Token Introspection Endpoint',
+          description: <<~DESCRIPTION,
+            The complete URL of the token introspection endpoint. This will be
+            populated automatically if included in the server's discovery
+            endpoint.
+          DESCRIPTION
+          optional: true
+
+    input_order :url,
+                :well_known_introspection_url,
+                :custom_authorization_header,
+                :optional_introspection_request_params,
+                :standalone_client_id,
+                :standalone_client_secret,
+                :authorization_method,
+                :use_pkce,
+                :pkce_code_challenge_method,
+                :standalone_requested_scopes,
+                :token_introspection_auth_type,
+                :client_auth_encryption_method
+
+    config(
+      inputs: {
+        client_auth_type: {
+          name: :token_introspection_auth_type
+        }
+      }
+    )
+
+    groups.first.description <<~DESCRIPTION
+      These tests are perform discovery and a standalone launch in order to
+      receive a new, active access token that will be provided for token
+      introspection.
+    DESCRIPTION
+
+    groups[1].description <<~DESCRIPTION
+      This group of tests executes the token introspection requests and ensures
+      the correct HTTP response is returned but does not validate the contents
+      of the token introspection response.
+    DESCRIPTION
+
+    groups.first.groups.each do |group|
+      group.required_suite_options(G10Options::SMART_2_2_REQUIREMENT)
+    end
+  end
+end

data/lib/onc_certification_g10_test_kit/unrestricted_resource_type_access_group.rb

@@ -1,5 +1,5 @@
-require_relative 'g10_options'
 require_relative 'resource_access_test'
+require_relative 'all_resources'
 
 module ONCCertificationG10TestKit
   class UnrestrictedResourceTypeAccessGroup < Inferno::TestGroup
@@ -30,7 +30,7 @@ module ONCCertificationG10TestKit
       If testing against USCDI v2, Encounter and ServiceRequest are also
       checked.
 
-      If testing against USCDI v3, Encounter, ServiceRequest, Coverage,
+      If testing against USCDI v3 and v4, Encounter, ServiceRequest, Coverage,
       and MedicationDispense are also checked.
 
       For each of the resource types that can be mapped to USCDI data class or
@@ -64,14 +64,24 @@ module ONCCertificationG10TestKit
       * Practitioner
       * RelatedPerson
 
+      For USCDI v4 this includes:
+
+      * Organization
+      * Practitioner
+      * RelatedPerson
+
       It also does not test Provenance, as this resource type is accessed by
-      queries through other resource types, or Specimen in USCDI v3 which only
-      requires support for read and search by id. These resources types are
-      accessed in the more comprehensive Single Patient Query tests.
+      queries through other resource types, or Specimen in USCDI v3 or Location from
+      USCDI v4 which only requires support for read and search by id. These resources
+      types are accessed in the more comprehensive Single Patient Query tests.
+
+      This test is not intended to check every resource type can be granted or not granted,
+      nor does it check resources that cannot be directly queried via a patient reference to
+      limit the complexity of the tests and effort required to run them.
 
       However, the authorization system must indicate that access is granted to
       the Encounter, Practitioner and Organization (and RelatedPerson and
-      Specimen for USCDI v3) resource types by providing them in the returned
+      Specimen for USCDI v3 and v4) resource types by providing them in the returned
       scopes because they are required to support the read interaction.
     )
     id :g10_unrestricted_resource_type_access
@@ -84,30 +94,11 @@ module ONCCertificationG10TestKit
       oauth_credentials :smart_credentials
     end
 
-    ALL_RESOURCES =
-      [
-        'AllergyIntolerance',
-        'CarePlan',
-        'CareTeam',
-        'Condition',
-        'Device',
-        'DiagnosticReport',
-        'DocumentReference',
-        'Goal',
-        'Immunization',
-        'MedicationRequest',
-        'Observation',
-        'Procedure',
-        'Patient',
-        'Provenance',
-        'Encounter',
-        'Practitioner',
-        'Organization'
-      ].freeze
+    V5_EXCLUDED_RESOURCES = ['RelatedPerson'].freeze
 
-    V5_ALL_RESOURCES = (ALL_RESOURCES + ['ServiceRequest']).freeze
+    V6_EXCLUDED_RESOURCES = (V5_EXCLUDED_RESOURCES + ['Specimen']).freeze
 
-    V6_ALL_RESOURCES = (V5_ALL_RESOURCES + ['Coverage', 'MedicationDispense']).freeze
+    V7_EXCLUDED_RESOURCES = V6_EXCLUDED_RESOURCES
 
     NON_PATIENT_COMPARTMENT_RESOURCES =
       [
@@ -126,8 +117,11 @@ module ONCCertificationG10TestKit
 
     V6_NON_PATIENT_COMPARTMENT_RESOURCES = V5_NON_PATIENT_COMPARTMENT_RESOURCES
 
+    V7_NON_PATIENT_COMPARTMENT_RESOURCES = V6_NON_PATIENT_COMPARTMENT_RESOURCES
+
     test do
       include G10Options
+      include AllResources
 
       title 'Scope granted enables access to all US Core resource types.'
       description %(
@@ -136,11 +130,13 @@ module ONCCertificationG10TestKit
       )
 
       def all_resources
-        return V5_ALL_RESOURCES if using_us_core_5?
+        return all_required_resources - V5_EXCLUDED_RESOURCES if using_us_core_5?
 
-        return V6_ALL_RESOURCES if using_us_core_6?
+        return all_required_resources - V6_EXCLUDED_RESOURCES if using_us_core_6?
 
-        ALL_RESOURCES
+        return all_required_resources - V7_EXCLUDED_RESOURCES if using_us_core_7?
+
+        all_required_resources
       end
 
       def non_patient_compartment_resources
@@ -148,6 +144,8 @@ module ONCCertificationG10TestKit
 
         return V6_NON_PATIENT_COMPARTMENT_RESOURCES if using_us_core_6?
 
+        return V7_NON_PATIENT_COMPARTMENT_RESOURCES if using_us_core_7?
+
         NON_PATIENT_COMPARTMENT_RESOURCES
       end
 
@@ -433,5 +431,61 @@ module ONCCertificationG10TestKit
         USCoreTestKit::USCoreV610::MedicationDispenseGroup
       end
     end
+
+    test from: :g10_resource_access_test do
+      title 'Access to Encounter resources granted'
+      description %(
+        This test ensures that access to the Encounter is granted.
+      )
+      id :g10_us_core_7_encounter_unrestricted_access
+
+      required_suite_options G10Options::US_CORE_7_REQUIREMENT
+
+      def resource_group
+        USCoreTestKit::USCoreV700::EncounterGroup
+      end
+    end
+
+    test from: :g10_resource_access_test do
+      title 'Access to ServiceRequest resources granted'
+      description %(
+        This test ensures that access to the ServiceRequest is granted.
+      )
+      id :g10_us_core_7_service_request_unrestricted_access
+
+      required_suite_options G10Options::US_CORE_7_REQUIREMENT
+
+      def resource_group
+        USCoreTestKit::USCoreV700::ServiceRequestGroup
+      end
+    end
+
+    test from: :g10_resource_access_test do
+      title 'Access to Coverage resources granted'
+      description %(
+        This test ensures that access to the Coverage is granted.
+      )
+      id :g10_us_core_7_coverage_unrestricted_access
+
+      required_suite_options G10Options::US_CORE_7_REQUIREMENT
+
+      def resource_group
+        USCoreTestKit::USCoreV700::CoverageGroup
+      end
+    end
+
+    test from: :g10_resource_access_test do
+      title 'Access to MedicationDispense resources granted'
+      description %(
+        This test ensures that access to the MedicationDispense is granted.
+      )
+      id :g10_us_core_7_medication_dispense_unrestricted_access
+
+      required_suite_options G10Options::US_CORE_7_REQUIREMENT
+
+      def resource_group
+        USCoreTestKit::USCoreV700::MedicationDispenseGroup
+      end
+    end
   end
 end

data/lib/onc_certification_g10_test_kit/version.rb

@@ -1,3 +1,3 @@
 module ONCCertificationG10TestKit
-  VERSION = '6.0.3'.freeze
+  VERSION = '7.0.0'.freeze
 end