onc_certification_g10_test_kit 6.0.3 → 7.0.1
- checksums.yaml +4 -4
- data/lib/inferno/repositiories/validators.rb +0 -6
- data/lib/inferno/repositiories/value_sets.rb +1 -7
- data/lib/inferno/terminology/expected_manifest.yml +5 -5
- data/lib/inferno/terminology/fhir_package_manager.rb +13 -4
- data/lib/inferno/terminology/loader.rb +2 -1
- data/lib/inferno/terminology/tasks/download_fhir_terminology.rb +2 -1
- data/lib/inferno/terminology/tasks/download_umls.rb +2 -1
- data/lib/inferno/terminology/tasks/expand_value_set_to_file.rb +1 -1
- data/lib/inferno/terminology/tasks/run_umls_jar.rb +2 -1
- data/lib/inferno/terminology/validator.rb +1 -0
- data/lib/inferno/terminology/value_set.rb +2 -0
- data/lib/onc_certification_g10_test_kit/all_resources.rb +74 -0
- data/lib/onc_certification_g10_test_kit/bulk_data_group_export_validation.rb +361 -59
- data/lib/onc_certification_g10_test_kit/bulk_export_validation_tester.rb +4 -3
- data/lib/onc_certification_g10_test_kit/g10_options.rb +20 -1
- data/lib/onc_certification_g10_test_kit/limited_scope_grant_test.rb +4 -0
- data/lib/onc_certification_g10_test_kit/multi_patient_api_stu1.rb +2 -1
- data/lib/onc_certification_g10_test_kit/multi_patient_api_stu2.rb +2 -1
- data/lib/onc_certification_g10_test_kit/patient_scope_test.rb +1 -1
- data/lib/onc_certification_g10_test_kit/profile_selector.rb +40 -15
- data/lib/onc_certification_g10_test_kit/restricted_resource_type_access_group.rb +89 -2
- data/lib/onc_certification_g10_test_kit/short_id_map.yml +1417 -12
- data/lib/onc_certification_g10_test_kit/single_patient_us_core_7_api_group.rb +219 -0
- data/lib/onc_certification_g10_test_kit/smart_app_launch_invalid_aud_group.rb +41 -1
- data/lib/onc_certification_g10_test_kit/smart_asymmetric_launch_group.rb +33 -1
- data/lib/onc_certification_g10_test_kit/smart_ehr_patient_launch_group_stu2_2.rb +128 -0
- data/lib/onc_certification_g10_test_kit/smart_ehr_practitioner_app_group.rb +234 -0
- data/lib/onc_certification_g10_test_kit/smart_fine_grained_scopes_group_stu2_2.rb +188 -0
- data/lib/onc_certification_g10_test_kit/smart_fine_grained_scopes_us_core_7_group.rb +188 -0
- data/lib/onc_certification_g10_test_kit/smart_fine_grained_scopes_us_core_7_group_stu2_2.rb +188 -0
- data/lib/onc_certification_g10_test_kit/smart_granular_scope_selection_group.rb +67 -1
- data/lib/onc_certification_g10_test_kit/smart_limited_app_group.rb +128 -1
- data/lib/onc_certification_g10_test_kit/smart_public_standalone_launch_group_stu2_2.rb +162 -0
- data/lib/onc_certification_g10_test_kit/smart_scopes_test.rb +10 -2
- data/lib/onc_certification_g10_test_kit/smart_standalone_patient_app_group.rb +159 -0
- data/lib/onc_certification_g10_test_kit/smart_v1_scopes_group.rb +117 -0
- data/lib/onc_certification_g10_test_kit/terminology_binding_validator.rb +5 -1
- data/lib/onc_certification_g10_test_kit/token_introspection_group_stu2_2.rb +97 -0
- data/lib/onc_certification_g10_test_kit/unrestricted_resource_type_access_group.rb +85 -31
- data/lib/onc_certification_g10_test_kit/version.rb +1 -1
- data/lib/onc_certification_g10_test_kit/visual_inspection_and_attestations_group.rb +171 -0
- data/lib/onc_certification_g10_test_kit/well_known_capabilities_test.rb +1 -1
- data/lib/onc_certification_g10_test_kit.rb +72 -5
- metadata +18 -10
@@ -115,6 +115,28 @@ module ONCCertificationG10TestKit
|
|
115
115
|
}
|
116
116
|
end
|
117
117
|
|
118
|
+
group from: :smart_discovery_stu2_2 do # rubocop:disable Naming/VariableNumber
|
119
|
+
required_suite_options(G10Options::SMART_2_2_REQUIREMENT)
|
120
|
+
test from: 'g10_smart_well_known_capabilities',
|
121
|
+
config: {
|
122
|
+
options: {
|
123
|
+
required_capabilities: [
|
124
|
+
'launch-standalone',
|
125
|
+
'client-public',
|
126
|
+
'client-confidential-symmetric',
|
127
|
+
'client-confidential-asymmetric',
|
128
|
+
'sso-openid-connect',
|
129
|
+
'context-standalone-patient',
|
130
|
+
'permission-offline',
|
131
|
+
'permission-patient',
|
132
|
+
'authorize-post',
|
133
|
+
'permission-v2',
|
134
|
+
'permission-v1'
|
135
|
+
]
|
136
|
+
}
|
137
|
+
}
|
138
|
+
end
|
139
|
+
|
118
140
|
group from: :smart_standalone_launch do
|
119
141
|
required_suite_options(G10Options::SMART_1_REQUIREMENT)
|
120
142
|
|
@@ -323,7 +345,144 @@ module ONCCertificationG10TestKit
|
|
323
345
|
)
|
324
346
|
end
|
325
347
|
|
348
|
+
group from: :smart_standalone_launch_stu2_2, # rubocop:disable Naming/VariableNumber
|
349
|
+
config: {
|
350
|
+
inputs: {
|
351
|
+
use_pkce: {
|
352
|
+
default: 'true',
|
353
|
+
locked: true
|
354
|
+
},
|
355
|
+
pkce_code_challenge_method: {
|
356
|
+
locked: true
|
357
|
+
},
|
358
|
+
authorization_method: {
|
359
|
+
name: :standalone_authorization_method,
|
360
|
+
default: 'get',
|
361
|
+
locked: true
|
362
|
+
},
|
363
|
+
client_auth_type: {
|
364
|
+
locked: true,
|
365
|
+
default: 'confidential_symmetric'
|
366
|
+
}
|
367
|
+
}
|
368
|
+
} do
|
369
|
+
required_suite_options(G10Options::SMART_2_2_REQUIREMENT)
|
370
|
+
title 'Standalone Launch With Patient Scope'
|
371
|
+
description %(
|
372
|
+
# Background
|
373
|
+
|
374
|
+
The [Standalone
|
375
|
+
Launch Sequence](http://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#launch-app-standalone-launch)
|
376
|
+
allows an app, like Inferno, to be launched independent of an
|
377
|
+
existing EHR session. It is one of the two launch methods described in
|
378
|
+
the SMART App Launch Framework alongside EHR Launch. The app will
|
379
|
+
request authorization for the provided scope from the authorization
|
380
|
+
endpoint, ultimately receiving an authorization token which can be used
|
381
|
+
to gain access to resources on the FHIR server.
|
382
|
+
|
383
|
+
# Test Methodology
|
384
|
+
|
385
|
+
Inferno will redirect the user to the the authorization endpoint so that
|
386
|
+
they may provide any required credentials and authorize the application.
|
387
|
+
Upon successful authorization, Inferno will exchange the authorization
|
388
|
+
code provided for an access token.
|
389
|
+
|
390
|
+
For more information on the #{title}:
|
391
|
+
|
392
|
+
* [Standalone Launch
|
393
|
+
Sequence](http://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#launch-app-standalone-launch)
|
394
|
+
)
|
395
|
+
|
396
|
+
config(
|
397
|
+
inputs: {
|
398
|
+
requested_scopes: {
|
399
|
+
default: %(
|
400
|
+
launch/patient openid fhirUser offline_access
|
401
|
+
patient/Medication.rs patient/AllergyIntolerance.rs
|
402
|
+
patient/CarePlan.rs patient/CareTeam.rs patient/Condition.rs
|
403
|
+
patient/Device.rs patient/DiagnosticReport.rs
|
404
|
+
patient/DocumentReference.rs patient/Encounter.rs
|
405
|
+
patient/Goal.rs patient/Immunization.rs patient/Location.rs
|
406
|
+
patient/MedicationRequest.rs patient/Observation.rs
|
407
|
+
patient/Organization.rs patient/Patient.rs
|
408
|
+
patient/Practitioner.rs patient/Procedure.rs
|
409
|
+
patient/Provenance.rs patient/PractitionerRole.rs
|
410
|
+
).gsub(/\s{2,}/, ' ').strip
|
411
|
+
}
|
412
|
+
}
|
413
|
+
)
|
414
|
+
|
415
|
+
test from: :g10_smart_scopes do
|
416
|
+
config(
|
417
|
+
inputs: {
|
418
|
+
requested_scopes: { name: :standalone_requested_scopes },
|
419
|
+
received_scopes: { name: :standalone_received_scopes }
|
420
|
+
},
|
421
|
+
options: {
|
422
|
+
scope_version: :v22,
|
423
|
+
required_scope_type: 'patient',
|
424
|
+
required_scopes: ['openid', 'fhirUser', 'launch/patient', 'offline_access']
|
425
|
+
}
|
426
|
+
)
|
427
|
+
end
|
428
|
+
|
429
|
+
test from: :g10_unauthorized_access,
|
430
|
+
config: {
|
431
|
+
inputs: {
|
432
|
+
patient_id: { name: :standalone_patient_id }
|
433
|
+
}
|
434
|
+
}
|
435
|
+
|
436
|
+
test from: :g10_patient_context,
|
437
|
+
config: {
|
438
|
+
inputs: {
|
439
|
+
patient_id: { name: :standalone_patient_id },
|
440
|
+
smart_credentials: { name: :standalone_smart_credentials }
|
441
|
+
}
|
442
|
+
}
|
443
|
+
|
444
|
+
tests[0].config(
|
445
|
+
outputs: {
|
446
|
+
incorrectly_permitted_tls_versions_messages: {
|
447
|
+
name: :auth_incorrectly_permitted_tls_versions_messages
|
448
|
+
}
|
449
|
+
}
|
450
|
+
)
|
451
|
+
|
452
|
+
tests[3].config(
|
453
|
+
outputs: {
|
454
|
+
incorrectly_permitted_tls_versions_messages: {
|
455
|
+
name: :token_incorrectly_permitted_tls_versions_messages
|
456
|
+
}
|
457
|
+
}
|
458
|
+
)
|
459
|
+
end
|
460
|
+
|
461
|
+
group from: :smart_openid_connect,
|
462
|
+
required_suite_options: G10Options::SMART_1_REQUIREMENT,
|
463
|
+
config: {
|
464
|
+
inputs: {
|
465
|
+
id_token: { name: :standalone_id_token },
|
466
|
+
client_id: { name: :standalone_client_id },
|
467
|
+
requested_scopes: { name: :standalone_requested_scopes },
|
468
|
+
smart_credentials: { name: :standalone_smart_credentials }
|
469
|
+
}
|
470
|
+
}
|
471
|
+
|
326
472
|
group from: :smart_openid_connect,
|
473
|
+
required_suite_options: G10Options::SMART_2_REQUIREMENT,
|
474
|
+
id: :smart_openid_connect_stu2,
|
475
|
+
config: {
|
476
|
+
inputs: {
|
477
|
+
id_token: { name: :standalone_id_token },
|
478
|
+
client_id: { name: :standalone_client_id },
|
479
|
+
requested_scopes: { name: :standalone_requested_scopes },
|
480
|
+
smart_credentials: { name: :standalone_smart_credentials }
|
481
|
+
}
|
482
|
+
}
|
483
|
+
|
484
|
+
group from: :smart_openid_connect_stu2_2, # rubocop:disable Naming/VariableNumber
|
485
|
+
required_suite_options: G10Options::SMART_2_2_REQUIREMENT,
|
327
486
|
config: {
|
328
487
|
inputs: {
|
329
488
|
id_token: { name: :standalone_id_token },
|
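Review bot: `pkce_code_challenge_method: { locked: true }` in the new `:smart_standalone_launch_stu2_2` group locks the input without stating a value, so the challenge method a certification run uses is whatever default the inherited group declares, which is not visible in this file. Pinning it here, e.g. `pkce_code_challenge_method: { default: 'S256', locked: true }` (assuming the inherited input uses the literal `'S256'`), would keep the locked value reviewable next to `use_pkce` and stable if the upstream default ever changes. The same locked-without-default entry is added in the hunk at `@@ -208,6 +232,99 @@`. Separately, the group description contains the typo "to the the authorization endpoint".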
@@ -96,6 +96,29 @@ module ONCCertificationG10TestKit
|
|
96
96
|
:client_auth_encryption_method
|
97
97
|
|
98
98
|
group from: :smart_discovery_stu2 do
|
99
|
+
required_suite_options(G10Options::SMART_2_REQUIREMENT)
|
100
|
+
test from: 'g10_smart_well_known_capabilities',
|
101
|
+
config: {
|
102
|
+
options: {
|
103
|
+
required_capabilities: [
|
104
|
+
'launch-standalone',
|
105
|
+
'client-public',
|
106
|
+
'client-confidential-symmetric',
|
107
|
+
'client-confidential-asymmetric',
|
108
|
+
'sso-openid-connect',
|
109
|
+
'context-standalone-patient',
|
110
|
+
'permission-offline',
|
111
|
+
'permission-patient',
|
112
|
+
'authorize-post',
|
113
|
+
'permission-v2',
|
114
|
+
'permission-v1'
|
115
|
+
]
|
116
|
+
}
|
117
|
+
}
|
118
|
+
end
|
119
|
+
group from: :smart_discovery_stu2_2 do # rubocop:disable Naming/VariableNumber
|
120
|
+
required_suite_options(G10Options::SMART_2_2_REQUIREMENT)
|
121
|
+
|
99
122
|
test from: 'g10_smart_well_known_capabilities',
|
100
123
|
config: {
|
101
124
|
options: {
|
@@ -117,6 +140,7 @@ module ONCCertificationG10TestKit
|
|
117
140
|
end
|
118
141
|
|
119
142
|
group from: :smart_standalone_launch_stu2,
|
143
|
+
required_suite_options: G10Options::SMART_2_REQUIREMENT,
|
120
144
|
config: {
|
121
145
|
inputs: {
|
122
146
|
use_pkce: {
|
@@ -208,6 +232,99 @@ module ONCCertificationG10TestKit
|
|
208
232
|
}
|
209
233
|
)
|
210
234
|
end
|
235
|
+
group from: :smart_standalone_launch_stu2_2, # rubocop:disable Naming/VariableNumber
|
236
|
+
required_suite_options: G10Options::SMART_2_2_REQUIREMENT,
|
237
|
+
config: {
|
238
|
+
inputs: {
|
239
|
+
use_pkce: {
|
240
|
+
default: 'true',
|
241
|
+
locked: true
|
242
|
+
},
|
243
|
+
pkce_code_challenge_method: {
|
244
|
+
locked: true
|
245
|
+
},
|
246
|
+
authorization_method: {
|
247
|
+
name: :standalone_authorization_method,
|
248
|
+
default: 'get',
|
249
|
+
locked: true
|
250
|
+
},
|
251
|
+
client_auth_type: {
|
252
|
+
locked: true,
|
253
|
+
default: 'confidential_symmetric'
|
254
|
+
}
|
255
|
+
},
|
256
|
+
outputs: {
|
257
|
+
smart_credentials: { name: :v1_smart_credentials }
|
258
|
+
}
|
259
|
+
} do
|
260
|
+
title 'Standalone Launch With Patient Scope'
|
261
|
+
description %(
|
262
|
+
# Background
|
263
|
+
|
264
|
+
The [Standalone
|
265
|
+
Launch Sequence](http://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#launch-app-standalone-launch)
|
266
|
+
allows an app, like Inferno, to be launched independent of an
|
267
|
+
existing EHR session. It is one of the two launch methods described in
|
268
|
+
the SMART App Launch Framework alongside EHR Launch. The app will
|
269
|
+
request authorization for the provided scope from the authorization
|
270
|
+
endpoint, ultimately receiving an authorization token which can be used
|
271
|
+
to gain access to resources on the FHIR server.
|
272
|
+
|
273
|
+
# Test Methodology
|
274
|
+
|
275
|
+
Inferno will redirect the user to the the authorization endpoint so that
|
276
|
+
they may provide any required credentials and authorize the application.
|
277
|
+
Upon successful authorization, Inferno will exchange the authorization
|
278
|
+
code provided for an access token.
|
279
|
+
|
280
|
+
For more information on the #{title}:
|
281
|
+
|
282
|
+
* [Standalone Launch
|
283
|
+
Sequence](http://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#launch-app-standalone-launch)
|
284
|
+
)
|
285
|
+
|
286
|
+
test from: :g10_smart_scopes do
|
287
|
+
config(
|
288
|
+
options: {
|
289
|
+
requested_scope_version: :v1,
|
290
|
+
received_scope_version: :any,
|
291
|
+
required_scope_type: 'patient',
|
292
|
+
required_scopes: ['openid', 'fhirUser', 'launch/patient', 'offline_access']
|
293
|
+
}
|
294
|
+
)
|
295
|
+
end
|
296
|
+
|
297
|
+
test from: :g10_unauthorized_access,
|
298
|
+
config: {
|
299
|
+
inputs: {
|
300
|
+
patient_id: { name: :v1_patient_id }
|
301
|
+
}
|
302
|
+
}
|
303
|
+
|
304
|
+
test from: :g10_patient_context,
|
305
|
+
config: {
|
306
|
+
inputs: {
|
307
|
+
patient_id: { name: :v1_patient_id },
|
308
|
+
smart_credentials: { name: :v1_smart_credentials }
|
309
|
+
}
|
310
|
+
}
|
311
|
+
|
312
|
+
tests[0].config(
|
313
|
+
outputs: {
|
314
|
+
incorrectly_permitted_tls_versions_messages: {
|
315
|
+
name: :auth_incorrectly_permitted_tls_versions_messages
|
316
|
+
}
|
317
|
+
}
|
318
|
+
)
|
319
|
+
|
320
|
+
tests[3].config(
|
321
|
+
outputs: {
|
322
|
+
incorrectly_permitted_tls_versions_messages: {
|
323
|
+
name: :token_incorrectly_permitted_tls_versions_messages
|
324
|
+
}
|
325
|
+
}
|
326
|
+
)
|
327
|
+
end
|
211
328
|
|
212
329
|
group from: :g10_unrestricted_resource_type_access,
|
213
330
|
config: {
|
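Review bot: `tests[0].config(...)` and `tests[3].config(...)` in the new `:smart_standalone_launch_stu2_2` group select the inherited tests by position, so a reordering or insertion in the upstream group would silently rename the TLS output of a different test. The authorization and token TLS messages would then no longer be kept apart. Judging by the output names these are the authorization-endpoint and token-endpoint TLS tests; at minimum record that in a comment, e.g. `# tests[0] = authorization endpoint TLS test, tests[3] = token endpoint TLS test (inherited order)`, or select them by id if the framework offers a lookup. The same two calls are added in the `@@ -323,7 +345,144 @@` hunk.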
@@ -63,7 +63,11 @@ module ONCCertificationG10TestKit
|
|
63
63
|
def element_with_invalid_binding
|
64
64
|
@element_with_invalid_binding ||=
|
65
65
|
find_a_value_at(path_source, binding_definition[:path]) do |element|
|
66
|
-
|
66
|
+
if element.is_a? USCoreTestKit::PrimitiveType
|
67
|
+
invalid_binding? element.value
|
68
|
+
else
|
69
|
+
invalid_binding? element
|
70
|
+
end
|
67
71
|
end
|
68
72
|
end
|
69
73
|
|
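Review bot: The new branch in `element_with_invalid_binding` unwraps `element.value` only for the `invalid_binding?` check, so if `find_a_value_at` returns the matched element (as the memoized name suggests), callers now receive the `USCoreTestKit::PrimitiveType` wrapper rather than the bare value. It is worth confirming that any code formatting this result in a failure message handles both shapes. A short comment would also help, e.g. `# PrimitiveType wraps a primitive value; the binding is checked against the wrapped value`. The conditional could be condensed to `invalid_binding?(element.is_a?(USCoreTestKit::PrimitiveType) ? element.value : element)`.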
@@ -0,0 +1,97 @@
|
|
1
|
+
require 'smart_app_launch/token_introspection_group'
|
2
|
+
|
3
|
+
require_relative 'g10_options'
|
4
|
+
|
5
|
+
module ONCCertificationG10TestKit
|
6
|
+
class TokenIntrospectionGroupSTU22 < SMARTAppLaunch::SMARTTokenIntrospectionGroupSTU22
|
7
|
+
id :g10_token_introspection_stu2_2 # rubocop:disable Naming/VariableNumber
|
8
|
+
|
9
|
+
description <<~DESCRIPTION
|
10
|
+
|
11
|
+
This scenario verifies the ability of an authorization server to
|
12
|
+
perform token introspection in accordance with the [SMART App Launch STU2
|
13
|
+
Implementation Guide Section on Token
|
14
|
+
Introspection](https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html).
|
15
|
+
Inferno first acts as a registered SMART App Launch client to request and
|
16
|
+
receive a valid access token, and then as an authorized resource server that
|
17
|
+
queries the authorization server for information about this access token.
|
18
|
+
|
19
|
+
The system under test must perform the following in order to pass this
|
20
|
+
scenario:
|
21
|
+
* Issue a new bearer token to Inferno acting as a registered SMART App
|
22
|
+
Launch client. The tester has flexibility in deciding what type of SMART
|
23
|
+
App Launch client is used (e.g. public or confidential). This is
|
24
|
+
redundant to tests earlier in this test suite, but is performed to ensure
|
25
|
+
an active token can be introspected.
|
26
|
+
* Respond to a token introspection request from Inferno acting as a
|
27
|
+
resource server for both valid and invalid tokens. Systems have flexibility
|
28
|
+
in how access control for this service is implemented. To account for
|
29
|
+
this flexibility, the tester has the ability to add an Authorization
|
30
|
+
Header to the request (provided out-of-band of these tests), as well as
|
31
|
+
additional Introspect parameters, as allowed by the specification.
|
32
|
+
|
33
|
+
DESCRIPTION
|
34
|
+
|
35
|
+
input_instructions <<~INSTRUCTIONS
|
36
|
+
If the introspection endpoint is access controlled, testers must enter their own
|
37
|
+
HTTP Authorization header for the introspection request. See [RFC 7616 The
|
38
|
+
'Basic' HTTP Authentication
|
39
|
+
Scheme](https://datatracker.ietf.org/doc/html/rfc7617) for the most common
|
40
|
+
approach that uses client credentials. Testers may also provide any
|
41
|
+
additional parameters needed for their authorization server to complete
|
42
|
+
the introspection request.
|
43
|
+
|
44
|
+
**Note:** For both the Authorization header and request parameters, user-input
|
45
|
+
values will be sent exactly as entered and therefore the tester must
|
46
|
+
URI-encode any appropriate values.
|
47
|
+
INSTRUCTIONS
|
48
|
+
|
49
|
+
run_as_group
|
50
|
+
|
51
|
+
input :well_known_introspection_url,
|
52
|
+
title: 'Token Introspection Endpoint',
|
53
|
+
description: <<~DESCRIPTION,
|
54
|
+
The complete URL of the token introspection endpoint. This will be
|
55
|
+
populated automatically if included in the server's discovery
|
56
|
+
endpoint.
|
57
|
+
DESCRIPTION
|
58
|
+
optional: true
|
59
|
+
|
60
|
+
input_order :url,
|
61
|
+
:well_known_introspection_url,
|
62
|
+
:custom_authorization_header,
|
63
|
+
:optional_introspection_request_params,
|
64
|
+
:standalone_client_id,
|
65
|
+
:standalone_client_secret,
|
66
|
+
:authorization_method,
|
67
|
+
:use_pkce,
|
68
|
+
:pkce_code_challenge_method,
|
69
|
+
:standalone_requested_scopes,
|
70
|
+
:token_introspection_auth_type,
|
71
|
+
:client_auth_encryption_method
|
72
|
+
|
73
|
+
config(
|
74
|
+
inputs: {
|
75
|
+
client_auth_type: {
|
76
|
+
name: :token_introspection_auth_type
|
77
|
+
}
|
78
|
+
}
|
79
|
+
)
|
80
|
+
|
81
|
+
groups.first.description <<~DESCRIPTION
|
82
|
+
These tests are perform discovery and a standalone launch in order to
|
83
|
+
receive a new, active access token that will be provided for token
|
84
|
+
introspection.
|
85
|
+
DESCRIPTION
|
86
|
+
|
87
|
+
groups[1].description <<~DESCRIPTION
|
88
|
+
This group of tests executes the token introspection requests and ensures
|
89
|
+
the correct HTTP response is returned but does not validate the contents
|
90
|
+
of the token introspection response.
|
91
|
+
DESCRIPTION
|
92
|
+
|
93
|
+
groups.first.groups.each do |group|
|
94
|
+
group.required_suite_options(G10Options::SMART_2_2_REQUIREMENT)
|
95
|
+
end
|
96
|
+
end
|
97
|
+
end
|
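Review bot: The input instructions label the link "RFC 7616 The 'Basic' HTTP Authentication Scheme" while the URL points to rfc7617; RFC 7617 is the Basic scheme and RFC 7616 is Digest, so the label line should read `HTTP Authorization header for the introspection request. See [RFC 7617 The`. The group description likewise says "SMART App Launch STU2 Implementation Guide" while linking the STU2.2 token-introspection page, and the first sub-group description reads "These tests are perform discovery". Because testers rely on this text to decide how to build a credential-bearing header that is sent exactly as entered, the reference should be unambiguous.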
@@ -1,5 +1,5 @@
|
|
1
|
-
require_relative 'g10_options'
|
2
1
|
require_relative 'resource_access_test'
|
2
|
+
require_relative 'all_resources'
|
3
3
|
|
4
4
|
module ONCCertificationG10TestKit
|
5
5
|
class UnrestrictedResourceTypeAccessGroup < Inferno::TestGroup
|
@@ -30,7 +30,7 @@ module ONCCertificationG10TestKit
|
|
30
30
|
If testing against USCDI v2, Encounter and ServiceRequest are also
|
31
31
|
checked.
|
32
32
|
|
33
|
-
If testing against USCDI v3, Encounter, ServiceRequest, Coverage,
|
33
|
+
If testing against USCDI v3 and v4, Encounter, ServiceRequest, Coverage,
|
34
34
|
and MedicationDispense are also checked.
|
35
35
|
|
36
36
|
For each of the resource types that can be mapped to USCDI data class or
|
@@ -64,14 +64,24 @@ module ONCCertificationG10TestKit
|
|
64
64
|
* Practitioner
|
65
65
|
* RelatedPerson
|
66
66
|
|
67
|
+
For USCDI v4 this includes:
|
68
|
+
|
69
|
+
* Organization
|
70
|
+
* Practitioner
|
71
|
+
* RelatedPerson
|
72
|
+
|
67
73
|
It also does not test Provenance, as this resource type is accessed by
|
68
|
-
queries through other resource types, or Specimen in USCDI v3
|
69
|
-
requires support for read and search by id. These resources
|
70
|
-
accessed in the more comprehensive Single Patient Query tests.
|
74
|
+
queries through other resource types, or Specimen in USCDI v3 or Location from
|
75
|
+
USCDI v4 which only requires support for read and search by id. These resources
|
76
|
+
types are accessed in the more comprehensive Single Patient Query tests.
|
77
|
+
|
78
|
+
This test is not intended to check every resource type can be granted or not granted,
|
79
|
+
nor does it check resources that cannot be directly queried via a patient reference to
|
80
|
+
limit the complexity of the tests and effort required to run them.
|
71
81
|
|
72
82
|
However, the authorization system must indicate that access is granted to
|
73
83
|
the Encounter, Practitioner and Organization (and RelatedPerson and
|
74
|
-
Specimen for USCDI v3) resource types by providing them in the returned
|
84
|
+
Specimen for USCDI v3 and v4) resource types by providing them in the returned
|
75
85
|
scopes because they are required to support the read interaction.
|
76
86
|
)
|
77
87
|
id :g10_unrestricted_resource_type_access
|
@@ -84,30 +94,11 @@ module ONCCertificationG10TestKit
|
|
84
94
|
oauth_credentials :smart_credentials
|
85
95
|
end
|
86
96
|
|
87
|
-
|
88
|
-
[
|
89
|
-
'AllergyIntolerance',
|
90
|
-
'CarePlan',
|
91
|
-
'CareTeam',
|
92
|
-
'Condition',
|
93
|
-
'Device',
|
94
|
-
'DiagnosticReport',
|
95
|
-
'DocumentReference',
|
96
|
-
'Goal',
|
97
|
-
'Immunization',
|
98
|
-
'MedicationRequest',
|
99
|
-
'Observation',
|
100
|
-
'Procedure',
|
101
|
-
'Patient',
|
102
|
-
'Provenance',
|
103
|
-
'Encounter',
|
104
|
-
'Practitioner',
|
105
|
-
'Organization'
|
106
|
-
].freeze
|
97
|
+
V5_EXCLUDED_RESOURCES = ['RelatedPerson'].freeze
|
107
98
|
|
108
|
-
|
99
|
+
V6_EXCLUDED_RESOURCES = (V5_EXCLUDED_RESOURCES + ['Specimen']).freeze
|
109
100
|
|
110
|
-
|
101
|
+
V7_EXCLUDED_RESOURCES = V6_EXCLUDED_RESOURCES
|
111
102
|
|
112
103
|
NON_PATIENT_COMPARTMENT_RESOURCES =
|
113
104
|
[
|
@@ -126,8 +117,11 @@ module ONCCertificationG10TestKit
|
|
126
117
|
|
127
118
|
V6_NON_PATIENT_COMPARTMENT_RESOURCES = V5_NON_PATIENT_COMPARTMENT_RESOURCES
|
128
119
|
|
120
|
+
V7_NON_PATIENT_COMPARTMENT_RESOURCES = V6_NON_PATIENT_COMPARTMENT_RESOURCES
|
121
|
+
|
129
122
|
test do
|
130
123
|
include G10Options
|
124
|
+
include AllResources
|
131
125
|
|
132
126
|
title 'Scope granted enables access to all US Core resource types.'
|
133
127
|
description %(
|
@@ -136,11 +130,13 @@ module ONCCertificationG10TestKit
|
|
136
130
|
)
|
137
131
|
|
138
132
|
def all_resources
|
139
|
-
return
|
133
|
+
return all_required_resources - V5_EXCLUDED_RESOURCES if using_us_core_5?
|
140
134
|
|
141
|
-
return
|
135
|
+
return all_required_resources - V6_EXCLUDED_RESOURCES if using_us_core_6?
|
142
136
|
|
143
|
-
|
137
|
+
return all_required_resources - V7_EXCLUDED_RESOURCES if using_us_core_7?
|
138
|
+
|
139
|
+
all_required_resources
|
144
140
|
end
|
145
141
|
|
146
142
|
def non_patient_compartment_resources
|
@@ -148,6 +144,8 @@ module ONCCertificationG10TestKit
|
|
148
144
|
|
149
145
|
return V6_NON_PATIENT_COMPARTMENT_RESOURCES if using_us_core_6?
|
150
146
|
|
147
|
+
return V7_NON_PATIENT_COMPARTMENT_RESOURCES if using_us_core_7?
|
148
|
+
|
151
149
|
NON_PATIENT_COMPARTMENT_RESOURCES
|
152
150
|
end
|
153
151
|
|
@@ -433,5 +431,61 @@ module ONCCertificationG10TestKit
|
|
433
431
|
USCoreTestKit::USCoreV610::MedicationDispenseGroup
|
434
432
|
end
|
435
433
|
end
|
434
|
+
|
435
|
+
test from: :g10_resource_access_test do
|
436
|
+
title 'Access to Encounter resources granted'
|
437
|
+
description %(
|
438
|
+
This test ensures that access to the Encounter is granted.
|
439
|
+
)
|
440
|
+
id :g10_us_core_7_encounter_unrestricted_access
|
441
|
+
|
442
|
+
required_suite_options G10Options::US_CORE_7_REQUIREMENT
|
443
|
+
|
444
|
+
def resource_group
|
445
|
+
USCoreTestKit::USCoreV700::EncounterGroup
|
446
|
+
end
|
447
|
+
end
|
448
|
+
|
449
|
+
test from: :g10_resource_access_test do
|
450
|
+
title 'Access to ServiceRequest resources granted'
|
451
|
+
description %(
|
452
|
+
This test ensures that access to the ServiceRequest is granted.
|
453
|
+
)
|
454
|
+
id :g10_us_core_7_service_request_unrestricted_access
|
455
|
+
|
456
|
+
required_suite_options G10Options::US_CORE_7_REQUIREMENT
|
457
|
+
|
458
|
+
def resource_group
|
459
|
+
USCoreTestKit::USCoreV700::ServiceRequestGroup
|
460
|
+
end
|
461
|
+
end
|
462
|
+
|
463
|
+
test from: :g10_resource_access_test do
|
464
|
+
title 'Access to Coverage resources granted'
|
465
|
+
description %(
|
466
|
+
This test ensures that access to the Coverage is granted.
|
467
|
+
)
|
468
|
+
id :g10_us_core_7_coverage_unrestricted_access
|
469
|
+
|
470
|
+
required_suite_options G10Options::US_CORE_7_REQUIREMENT
|
471
|
+
|
472
|
+
def resource_group
|
473
|
+
USCoreTestKit::USCoreV700::CoverageGroup
|
474
|
+
end
|
475
|
+
end
|
476
|
+
|
477
|
+
test from: :g10_resource_access_test do
|
478
|
+
title 'Access to MedicationDispense resources granted'
|
479
|
+
description %(
|
480
|
+
This test ensures that access to the MedicationDispense is granted.
|
481
|
+
)
|
482
|
+
id :g10_us_core_7_medication_dispense_unrestricted_access
|
483
|
+
|
484
|
+
required_suite_options G10Options::US_CORE_7_REQUIREMENT
|
485
|
+
|
486
|
+
def resource_group
|
487
|
+
USCoreTestKit::USCoreV700::MedicationDispenseGroup
|
488
|
+
end
|
489
|
+
end
|
436
490
|
end
|
437
491
|
end
|
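Review bot: The first hunk drops `require_relative 'g10_options'`, yet the file still does `include G10Options` and the four new tests reference `G10Options::US_CORE_7_REQUIREMENT`, so the constant now resolves only if some other file has already loaded it. Unless `all_resources.rb` (not shown here) requires it, keep the explicit line `require_relative 'g10_options'` alongside the new `require_relative 'all_resources'`. Also, the updated description says Location is not tested for USCDI v4, while `V7_EXCLUDED_RESOURCES` simply aliases the v6 list; whether the two agree depends on `all_required_resources`, which is outside this section.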