onc_certification_g10_test_kit 6.0.3 → 7.0.1

data/lib/onc_certification_g10_test_kit/smart_fine_grained_scopes_us_core_7_group_stu2_2.rb

@@ -0,0 +1,188 @@
+module ONCCertificationG10TestKit
+  class SmartFineGrainedScopesUSCore7GroupSTU22 < USCoreTestKit::USCoreV700::SmartGranularScopesGroup
+    title 'SMART App Launch with fine-grained scopes'
+    short_title 'SMART Launch with Fine-Grained Scopes'
+
+    input_instructions %(
+      If necessary, register Inferno as a standalone application using the following information:
+
+      * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
+
+      Inferno may be registered multiple times with different `client_ids`, or this
+      may reuse a single registration of Inferno.`
+
+      This test will perform two launches, with each launch requiring a separate
+      separate set of finer-grained scopes to be granted:
+
+      Group 1:
+      * `Condition.rs?category=http://terminology.hl7.org/CodeSystem/condition-category|encounter-diagnosis`
+      * `Condition.rs?category=http://hl7.org/fhir/us/core/CodeSystem/condition-category|health-concern`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|laboratory`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|social-history`
+
+      Group 2:
+      * `Condition.rs?category=http://terminology.hl7.org/CodeSystem/condition-category|problem-list-item`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|vital-signs`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|survey`
+      * `Observation.rs?category=http://hl7.org/fhir/us/core/CodeSystem/us-core-category|sdoh`
+    )
+
+    description <<~DESCRIPTION
+
+      As finalized in the [HTI-1 Final Rule](https://www.federalregister.gov/d/2023-28857/p-1250), Health IT Modules are
+      required to support SMART App Launch v2.0.0 "Finer-grained resource
+      constraints using search parameters" for the "category" parameter for the
+      Condition resource with Condition sub-resources Encounter Diagnosis, Problem
+      List, and Health Concern, and the Observation resource with Observation
+      sub-resources Clinical Test, Laboratory, Social History, SDOH, Survey, and
+      Vital Signs.
+
+      This is also reflected in the (g)(10) Standardized API for patient and
+      populations [Test
+      Procedure](https://www.healthit.gov/test-method/standardized-api-patient-and-population-services#test_procedure):
+
+      > [AUT-PAT-28] SMART v2 scope syntax for patient-level and user-level scopes to support
+        the “permission-v2” “SMART on FHIR® Capability”, including support for
+        finer-grained resource constraints using search parameters according to
+        section 3.0.2.3 of the implementation specification at § 170.215(c)(2) for
+        the “category” parameter for the following resources: (1) Condition
+        resource with Condition sub-resources Encounter Diagnosis, Problem List,
+        and Health Concern; and (2) Observation resource with Observation
+        sub-resources Clinical Test, Laboratory, Social History, SDOH, Survey, and
+        Vital Signs
+
+      Prior to running this scenario, first run the Single Patient API tests using
+      resource-level scopes, as this scenario uses content saved from that scenario
+      as a baseline for comparison when finer-grained scopes are granted.
+
+      This scenario contains two groups of finer-grained scope tests, each of
+      which includes a SMART Standalone Launch that requests a subset of
+      finer-grained scopes, followed by FHIR API requests to verify that scopes
+      are appropriately granted. The app launches require that the subset of the
+      requested finer-grained scopes are granted by the user. The FHIR API tests then repeat all
+      of the queries from the original Single Patient API tests that were run
+      using resource-level scopes, and verify that only resources matching the
+      current finer-grained scopes are returned. Each group requires a separate
+      set of finer-grained scopes to be granted:
+
+      Group 1:
+      * `Condition.rs?category=http://terminology.hl7.org/CodeSystem/condition-category|encounter-diagnosis`
+      * `Condition.rs?category=http://hl7.org/fhir/us/core/CodeSystem/condition-category|health-concern`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|laboratory`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|social-history`
+
+      Group 2:
+      * `Condition.rs?category=http://terminology.hl7.org/CodeSystem/condition-category|problem-list-item`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|vital-signs`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|survey`
+      * `Observation.rs?category=http://hl7.org/fhir/us/core/CodeSystem/us-core-category|sdoh`
+
+      Note that Inferno will only request the finer grained scopes in each case,
+      but the system under test can display more scopes to the tester during
+      authorization.  In this case, it is expected that the tester will only
+      approve the appropriate scopes in each group as described above.
+
+      For more information, please refer to [finer-grained resource constraints
+      using search
+      parameters](https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#finer-grained-resource-constraints-using-search-parameters).
+
+    DESCRIPTION
+
+    id :g10_us_core_7_smart_fine_grained_scopes_stu2_2 # rubocop:disable Naming/VariableNumber
+
+    input :url
+
+    children.each(&:run_as_group)
+
+    # Replace generic finer-grained scope auth group with which allows standalone or
+    # ehr launch with just the standalone launch group
+    granular_scopes_group1 = children.first
+    granular_scopes_group1.children[0] = granular_scopes_group1.children.first.children[1]
+    standalone_launch_group1 = granular_scopes_group1.children[0]
+    standalone_launch_group1.required
+
+    granular_scopes_group2 = children.last
+    granular_scopes_group2.children[0] = granular_scopes_group2.children.first.children[1]
+    standalone_launch_group2 = granular_scopes_group2.children[0]
+    standalone_launch_group2.required
+
+    # Move the granular scope API groups to the top level
+    api_group1 = granular_scopes_group1.children.pop
+    api_group1.children.each do |group|
+      group.children.select!(&:required?)
+      granular_scopes_group1.children << group
+    end
+
+    api_group2 = granular_scopes_group2.children.pop
+    api_group2.children.each do |group|
+      group.children.select!(&:required?)
+      granular_scopes_group2.children << group
+    end
+
+    # Remove OIDC and refresh token tests
+    standalone_launch_group1.children.pop(2)
+    standalone_launch_group2.children.pop(2)
+
+    config(
+      inputs: {
+        authorization_method: {
+          name: :granular_scopes_authorization_method,
+          title: 'Granular Scopes Authorization Request Method'
+        },
+        client_auth_type: {
+          name: :granular_scopes_client_auth_type,
+          title: 'Granular Scopes Client Authentication Type'
+        },
+        received_scopes: {
+          name: :standalone_received_scopes
+        }
+      }
+    )
+
+    granular_scopes_group1.config(
+      inputs: {
+        client_id: {
+          name: :granular_scopes1_client_id,
+          title: 'Granular Scopes Group 1 Client ID'
+        },
+        client_secret: {
+          name: :granular_scopes1_client_secret,
+          title: 'Granular Scopes Group 1 Client Secret'
+        },
+        requested_scopes: {
+          title: 'Granular Scopes Group 1 Scopes'
+        }
+      }
+    )
+
+    granular_scopes_group2.config(
+      inputs: {
+        client_id: {
+          name: :granular_scopes2_client_id,
+          title: 'Granular Scopes Group 2 Client ID'
+        },
+        client_secret: {
+          name: :granular_scopes2_client_secret,
+          title: 'Granular Scopes Group 2 Client Secret'
+        },
+        requested_scopes: {
+          title: 'Granular Scopes Group 2 Scopes'
+        }
+      }
+    )
+
+    input_order :url,
+                :granular_scopes1_client_id,
+                :requested_scopes_group1,
+                :granular_scopes_authorization_method,
+                :granular_scopes_client_auth_type,
+                :granular_scopes1_client_secret,
+                :client_auth_encryption_method,
+                :granular_scopes2_client_id,
+                :requested_scopes_group2,
+                :granular_scopes2_client_secret,
+                :use_pkce,
+                :pkce_code_challenge_method,
+                :patient_ids
+  end
+end

data/lib/onc_certification_g10_test_kit/smart_granular_scope_selection_group.rb

@@ -84,9 +84,13 @@ module ONCCertificationG10TestKit
       }
     )
 
-    group from: :smart_discovery_stu2
+    group from: :smart_discovery_stu2,
+          required_suite_options: G10Options::SMART_2_REQUIREMENT
+    group from: :smart_discovery_stu2_2, # rubocop:disable Naming/VariableNumber
+          required_suite_options: G10Options::SMART_2_2_REQUIREMENT
 
     group from: :smart_standalone_launch_stu2 do
+      required_suite_options(G10Options::SMART_2_REQUIREMENT)
       id :g10_granular_scope_selection_v2_scopes
       title 'Granular Scope Selection with v2 Scopes'
 
@@ -145,6 +149,68 @@ module ONCCertificationG10TestKit
         end
       end
 
+      test from: :g10_smart_granular_scope_selection
+    end
+    group from: :smart_standalone_launch_stu2_2 do # rubocop:disable Naming/VariableNumber
+      required_suite_options(G10Options::SMART_2_2_REQUIREMENT)
+      id :g10_granular_scope_selection_v2_2_scopes
+      title 'Granular Scope Selection with v2 Scopes'
+
+      config(
+        inputs: {
+          client_id: {
+            name: :granular_scope_selection_v2_client_id,
+            title: 'Granular Scope Selection w/v2 Scopes Client ID'
+          },
+          client_secret: {
+            name: :granular_scope_selection_v2_client_secret,
+            title: 'Granular Scope Selection w/v2 Scopes Client Secret',
+            default: nil,
+            optional: true
+          },
+          requested_scopes: {
+            name: :granular_scope_selection_v2_requested_scopes,
+            title: 'Granular Scope Selection v2 Scopes',
+            default: %(
+              launch/patient openid fhirUser offline_access patient/Condition.rs
+              patient/Observation.rs patient/Patient.rs
+            ).gsub(/\s{2,}/, ' ').strip
+          },
+          received_scopes: { name: :granular_scope_selection_v2_received_scopes }
+        },
+        outputs: {
+          requested_scopes: { name: :granular_scope_selection_v2_requested_scopes },
+          received_scopes: { name: :granular_scope_selection_v2_received_scopes }
+        },
+        options: {
+          redirect_message_proc: proc do |auth_url|
+            %(
+              ### #{self.class.parent&.parent&.title}
+
+              [Follow this link to authorize with the SMART server](#{auth_url}).
+
+              Tests will resume once Inferno receives a request at
+              `#{config.options[:redirect_uri]}` with a state of `#{state}`.
+            )
+          end,
+          ignore_missing_scopes_check: true
+        }
+      )
+
+      test from: :g10_smart_scopes do
+        config(
+          options: {
+            scope_version: :v22,
+            required_scope_type: 'patient',
+            required_scopes: ['openid', 'fhirUser', 'launch/patient', 'offline_access']
+          }
+        )
+
+        def patient_compartment_resource_types
+          ['Patient', 'Condition', 'Observation']
+        end
+      end
+
       test from: :g10_smart_granular_scope_selection
     end
   end

data/lib/onc_certification_g10_test_kit/smart_limited_app_group.rb

@@ -210,7 +210,134 @@ module ONCCertificationG10TestKit
           Sequence](http://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#launch-app-standalone-launch)
       )
 
-      required_suite_options G10Options::SMART_2_REQUIREMENT
+      required_suite_options(G10Options::SMART_2_REQUIREMENT)
+
+      config(
+        inputs: {
+          client_id: { locked: true },
+          client_secret: { locked: true },
+          url: { locked: true },
+          requested_scopes: { locked: true },
+          code: { name: :limited_code },
+          state: { name: :limited_state },
+          patient_id: { name: :limited_patient_id },
+          access_token: { name: :limited_access_token },
+          # TODO: separate standalone/ehr discovery outputs
+          smart_authorization_url: { locked: true, title: 'SMART Authorization Url' },
+          smart_token_url: { locked: true, title: 'SMART Token Url' },
+          received_scopes: { name: :limited_received_scopes },
+          smart_credentials: { name: :limited_smart_credentials },
+          client_auth_type: {
+            locked: true,
+            default: 'confidential_symmetric'
+          }
+        },
+        outputs: {
+          code: { name: :limited_code },
+          token_retrieval_time: { name: :limited_token_retrieval_time },
+          state: { name: :limited_state },
+          id_token: { name: :limited_id_token },
+          refresh_token: { name: :limited_refresh_token },
+          access_token: { name: :limited_access_token },
+          expires_in: { name: :limited_expires_in },
+          patient_id: { name: :limited_patient_id },
+          encounter_id: { name: :limited_encounter_id },
+          received_scopes: { name: :limited_received_scopes },
+          intent: { name: :limited_intent },
+          smart_credentials: { name: :limited_smart_credentials }
+        },
+        requests: {
+          redirect: { name: :limited_redirect },
+          token: { name: :limited_token }
+        },
+        options: {
+          ignore_missing_scopes_check: true,
+          redirect_message_proc: lambda do |auth_url|
+            expected_resource_string =
+              expected_resources
+                .split(',')
+                .map(&:strip)
+                .map { |resource_type| "* #{resource_type}\n" }
+                .join
+
+            <<~MESSAGE
+              ### #{self.class.parent.parent.title}
+
+              [Follow this link to authorize with the SMART
+              server](#{auth_url}).
+
+              Tests will resume once Inferno receives a request at
+              `#{config.options[:redirect_uri]}` with a state of `#{state}`.
+
+              Access should only be granted to the following resources:
+
+              #{expected_resource_string}
+            MESSAGE
+          end
+        }
+      )
+
+      input :expected_resources,
+            title: 'Expected Resource Grant for Limited Access Launch',
+            description: 'The user will only grant access to the following resources during authorization.',
+            default: 'Patient, Condition, Observation'
+
+      test from: :g10_patient_context,
+           config: {
+             inputs: {
+               patient_id: { name: :limited_patient_id },
+               smart_credentials: { name: :limited_smart_credentials }
+             }
+           }
+
+      test from: :g10_limited_scope_grant do
+        config(
+          inputs: {
+            received_scopes: { name: :limited_received_scopes }
+          }
+        )
+      end
+    end
+
+    group from: :smart_standalone_launch_stu2_2, # rubocop:disable Naming/VariableNumber
+          config: {
+            inputs: {
+              use_pkce: {
+                default: 'true',
+                locked: true
+              },
+              pkce_code_challenge_method: {
+                locked: true
+              }
+            }
+          } do
+      title 'Standalone Launch With Limited Scope'
+      description %(
+        # Background
+
+        The [Standalone
+        Launch Sequence](http://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#launch-app-standalone-launch)
+        allows an app, like Inferno, to be launched independent of an
+        existing EHR session. It is one of the two launch methods described in
+        the SMART App Launch Framework alongside EHR Launch. The app will
+        request authorization for the provided scope from the authorization
+        endpoint, ultimately receiving an authorization token which can be used
+        to gain access to resources on the FHIR server.
+
+        # Test Methodology
+
+        Inferno will redirect the user to the the authorization endpoint so that
+        they may provide any required credentials and authorize the application.
+        Upon successful authorization, Inferno will exchange the authorization
+        code provided for an access token.
+
+        For more information on the #{title}:
+
+        * [Standalone Launch
+          Sequence](http://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#launch-app-standalone-launch)
+      )
+
+      required_suite_options(G10Options::SMART_2_2_REQUIREMENT)
 
       config(
         inputs: {

data/lib/onc_certification_g10_test_kit/smart_public_standalone_launch_group_stu2_2.rb

@@ -0,0 +1,162 @@
+module ONCCertificationG10TestKit
+  class SMARTPublicStandaloneLaunchGroupTestSTU22 < SMARTAppLaunch::StandaloneLaunchGroupSTU2
+    title 'Public Client Standalone Launch with OpenID Connect'
+    short_title 'Public Client Launch'
+    input_instructions %(
+      Register Inferno as a standalone application using the following information:
+
+      * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
+
+      Enter in the appropriate scope to enable patient-level access to all
+      relevant resources. In addition, support for the OpenID Connect (openid
+      fhirUser), refresh tokens (offline_access), and patient context
+      (launch/patient) are required.
+    )
+    description %(
+
+      This scenario verifies the ability of systems to support public clients
+      as described in the SMART App Launch implementation specification.  Previous
+      scenarios have not required the system under test to demonstrate this
+      specific type of SMART App Launch client.
+
+      Prior to executing this test, register Inferno as a public standalone
+      application using the following information:
+
+      * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
+
+      Inferno will act as a public client redirect the tester to the the
+      authorization endpoint so that they may provide any required credentials
+      and authorize the application. Upon successful authorization, Inferno will
+      exchange the authorization code provided for an access token.
+
+      For more information on the #{title}:
+
+      * [Standalone Launch Sequence](http://hl7.org/fhir/smart-app-launch/STU2.2/index.html#standalone-launch-sequence)
+    )
+    id :g10_public_standalone_launch_stu2_2 # rubocop:disable Naming/VariableNumber
+    run_as_group
+
+    config(
+      inputs: {
+        client_id: {
+          name: :public_client_id,
+          title: 'Public Launch Client ID'
+        },
+        client_secret: {
+          name: :public_client_secret,
+          title: 'Public Launch Client Secret',
+          default: nil,
+          optional: true,
+          locked: true
+        },
+        requested_scopes: {
+          name: :public_requested_scopes,
+          title: 'Public Launch Scope',
+          default: %(
+            launch/patient openid fhirUser offline_access patient/Medication.rs
+            patient/AllergyIntolerance.rs patient/CarePlan.rs
+            patient/CareTeam.rs patient/Condition.rs patient/Device.rs
+            patient/DiagnosticReport.rs patient/DocumentReference.rs
+            patient/Encounter.rs patient/Goal.rs patient/Immunization.rs
+            patient/Location.rs patient/MedicationRequest.rs
+            patient/Observation.rs patient/Organization.rs patient/Patient.rs
+            patient/Practitioner.rs patient/Procedure.rs patient/Provenance.rs
+            patient/PractitionerRole.rs
+          ).gsub(/\s{2,}/, ' ').strip
+        },
+        url: {
+          title: 'Public Launch FHIR Endpoint',
+          description: 'URL of the FHIR endpoint used by standalone applications'
+        },
+        code: {
+          name: :public_code
+        },
+        state: {
+          name: :public_state
+        },
+        smart_authorization_url: {
+          title: 'OAuth 2.0 Authorize Endpoint',
+          description: 'OAuth 2.0 Authorize Endpoint provided during the patient standalone launch'
+        },
+        smart_token_url: {
+          title: 'OAuth 2.0 Token Endpoint',
+          description: 'OAuth 2.0 Token Endpoint provided during the patient standalone launch'
+        },
+        smart_credentials: {
+          name: :public_smart_credentials
+        },
+        use_pkce: {
+          default: 'true',
+          locked: true
+        },
+        pkce_code_challenge_method: {
+          locked: true
+        },
+        client_auth_type: {
+          name: :public_client_auth_type,
+          locked: true,
+          default: 'public'
+        }
+      },
+      outputs: {
+        code: { name: :public_code },
+        token_retrieval_time: { name: :public_token_retrieval_time },
+        state: { name: :public_state },
+        id_token: { name: :public_id_token },
+        refresh_token: { name: :public_refresh_token },
+        access_token: { name: :public_access_token },
+        expires_in: { name: :public_expires_in },
+        patient_id: { name: :public_patient_id },
+        encounter_id: { name: :public_encounter_id },
+        received_scopes: { name: :public_received_scopes },
+        intent: { name: :public_intent },
+        smart_credentials: { name: :public_smart_credentials }
+      },
+      requests: {
+        redirect: { name: :public_redirect },
+        token: { name: :public_token }
+      }
+    )
+
+    input_order :url,
+                :public_client_id,
+                :public_client_secret,
+                :public_requested_scopes,
+                :use_pkce,
+                :pkce_code_challenge_method,
+                :smart_authorization_url,
+                :smart_token_url,
+                :authorization_method,
+                :public_client_auth_type
+
+    test from: :g10_patient_context,
+         config: {
+           inputs: {
+             patient_id: { name: :public_patient_id },
+             smart_credentials: { name: :public_smart_credentials }
+           }
+         }
+
+    test do
+      title 'OAuth token exchange response contains OpenID Connect id_token'
+      description %(
+        This test requires that an OpenID Connect id_token is provided to
+        demonstrate authentication capabilies for public clients.
+      )
+      id :g10_public_launch_id_token
+
+      input :id_token,
+            name: :public_id_token,
+            locked: true,
+            optional: true
+
+      run do
+        assert id_token.present?, 'Token response did not provide an id_token as required.'
+      end
+    end
+
+    children.each do |child|
+      child.inputs.delete(:client_auth_encryption_method)
+    end
+  end
+end

data/lib/onc_certification_g10_test_kit/smart_scopes_test.rb

@@ -46,6 +46,8 @@ module ONCCertificationG10TestKit
     V6_VALID_RESOURCE_TYPES =
       (V5_VALID_RESOURCE_TYPES + ['Coverage', 'MedicationDispense', 'RelatedPerson', 'Specimen']).freeze
 
+    V7_VALID_RESOURCE_TYPES = (V6_VALID_RESOURCE_TYPES + ['Location'])
+
     PATIENT_COMPARTMENT_RESOURCE_TYPES = [
       '*',
       'Patient',
@@ -69,6 +71,8 @@ module ONCCertificationG10TestKit
     V6_PATIENT_COMPARTMENT_RESOURCE_TYPES =
       (V5_PATIENT_COMPARTMENT_RESOURCE_TYPES + ['Coverage', 'MedicationDispense', 'Specimen']).freeze
 
+    V7_PATIENT_COMPARTMENT_RESOURCE_TYPES = (V6_PATIENT_COMPARTMENT_RESOURCE_TYPES + ['Location']).freeze
+
     attr_accessor :received_or_requested
 
     def patient_compartment_resource_types
@@ -76,6 +80,8 @@ module ONCCertificationG10TestKit
 
       return V6_PATIENT_COMPARTMENT_RESOURCE_TYPES if using_us_core_6?
 
+      return V7_PATIENT_COMPARTMENT_RESOURCE_TYPES if using_us_core_7?
+
       PATIENT_COMPARTMENT_RESOURCE_TYPES
     end
 
@@ -84,6 +90,8 @@ module ONCCertificationG10TestKit
 
       return V6_VALID_RESOURCE_TYPES if using_us_core_6?
 
+      return V7_VALID_RESOURCE_TYPES if using_us_core_7?
+
       VALID_RESOURCE_TYPES
     end
 
@@ -117,7 +125,7 @@ module ONCCertificationG10TestKit
       case scope_version
       when :v1
         "#{v1_read_format} | *"
-      when :v2
+      when :v2, :v22
         "#{v2_read_format} | *"
       else
         [v1_read_format, v2_read_format, '*'].join(' | ')
@@ -128,7 +136,7 @@ module ONCCertificationG10TestKit
       case scope_version
       when :v1
         /\A(\*|read)\b/
-      when :v2
+      when :v2, :v22
         /\A(\*|c?ru?d?s?)\b/
       else
         /\A(\*|read|c?ru?d?s?)\b/