onc_certification_g10_test_kit 7.0.3 → 7.2.0

data/lib/onc_certification_g10_test_kit/token_introspection_group.rb

@@ -63,19 +63,21 @@ module ONCCertificationG10TestKit
                 :well_known_introspection_url,
                 :custom_authorization_header,
                 :optional_introspection_request_params,
-                :standalone_client_id,
-                :standalone_client_secret,
-                :authorization_method,
-                :use_pkce,
-                :pkce_code_challenge_method,
-                :standalone_requested_scopes,
-                :token_introspection_auth_type,
-                :client_auth_encryption_method
+                :standalone_smart_auth_info
 
     config(
       inputs: {
-        client_auth_type: {
-          name: :token_introspection_auth_type
+        smart_auth_info: {
+          name: :standalone_smart_auth_info,
+          title: 'Standalone Launch Credentials',
+          options: {
+            components: [
+              {
+                name: :jwks,
+                locked: true
+              }
+            ]
+          }
         }
       }
     )
@@ -91,20 +93,5 @@ module ONCCertificationG10TestKit
       the correct HTTP response is returned but does not validate the contents
       of the token introspection response.
     DESCRIPTION
-
-    # The token introspection tests are SMART v2 only, so they use v2 discovery
-    # and launch groups. g10 needs them for SMART v1 and v2, so this sets the
-    # original discovery and launch groups to only appear when using SMART v2,
-    # and adds the v1 groups when using v1.
-
-    groups.first.groups.each do |group|
-      group.required_suite_options(G10Options::SMART_2_REQUIREMENT)
-    end
-
-    groups.first.group from: :smart_discovery,
-                       required_suite_options: G10Options::SMART_1_REQUIREMENT
-
-    groups.first.group from: :smart_standalone_launch,
-                       required_suite_options: G10Options::SMART_1_REQUIREMENT
   end
 end

data/lib/onc_certification_g10_test_kit/token_introspection_group_stu2_2.rb

@@ -61,19 +61,21 @@ module ONCCertificationG10TestKit
                 :well_known_introspection_url,
                 :custom_authorization_header,
                 :optional_introspection_request_params,
-                :standalone_client_id,
-                :standalone_client_secret,
-                :authorization_method,
-                :use_pkce,
-                :pkce_code_challenge_method,
-                :standalone_requested_scopes,
-                :token_introspection_auth_type,
-                :client_auth_encryption_method
+                :standalone_smart_auth_info
 
     config(
       inputs: {
-        client_auth_type: {
-          name: :token_introspection_auth_type
+        smart_auth_info: {
+          name: :standalone_smart_auth_info,
+          title: 'Standalone Launch Credentials',
+          options: {
+            components: [
+              {
+                name: :jwks,
+                locked: true
+              }
+            ]
+          }
         }
       }
     )
@@ -89,9 +91,5 @@ module ONCCertificationG10TestKit
       the correct HTTP response is returned but does not validate the contents
       of the token introspection response.
     DESCRIPTION
-
-    groups.first.groups.each do |group|
-      group.required_suite_options(G10Options::SMART_2_2_REQUIREMENT)
-    end
   end
 end

data/lib/onc_certification_g10_test_kit/token_revocation_group.rb

@@ -11,13 +11,43 @@ module ONCCertificationG10TestKit
 
     input_order :token_revocation_attestation,
                 :token_revocation_notes,
-                :standalone_access_token,
-                :standalone_refresh_token,
                 :standalone_patient_id,
-                :url,
-                :smart_token_url,
-                :standalone_client_id,
-                :standalone_client_secret
+                :url
+
+    config(
+      inputs: {
+        smart_auth_info: {
+          title: 'Revoked Bearer Token',
+          description: 'Prior to the test, please revoke this bearer token from patient standalone launch.',
+          options: {
+            mode: 'access',
+            components: [
+              Inferno::DSL::AuthInfo.default_auth_type_component_without_backend_services,
+              {
+                name: :client_id,
+                locked: true
+              },
+              {
+                name: :client_secret,
+                locked: true
+              },
+              {
+                name: :refresh_token,
+                optional: false
+              },
+              {
+                name: :token_url,
+                optional: false
+              },
+              {
+                name: :jwks,
+                locked: true
+              }
+            ]
+          }
+        }
+      }
+    )
 
     test do
       title 'Health IT developer demonstrated the ability of the Health IT Module to revoke tokens within one hour of a patient\'s request.' # rubocop:disable Layout/LineLength
@@ -68,21 +98,18 @@ module ONCCertificationG10TestKit
             name: :standalone_patient_id,
             title: 'Patient ID',
             description: 'Patient ID associated with revoked tokens provided as context in the patient standalone launch. This will be used to verify access is no longer granted using the revoked token.' # rubocop:disable Layout/LineLength
-      input :access_token,
-            name: :standalone_access_token,
-            title: 'Revoked Bearer Token',
-            description: 'Prior to the test, please revoke this bearer token from patient standalone launch.'
+      input :smart_auth_info, type: :auth_info
 
       fhir_client :revoked_token do
         url :url
-        bearer_token :access_token
+        auth_info :smart_auth_info
       end
 
       run do
         skip_if patient_id.blank?,
                 'Patient ID not provided to test. The patient ID is typically provided ' \
                 'during a SMART launch context.'
-        skip_if access_token.blank?,
+        skip_if smart_auth_info.access_token.blank?,
                 'Bearer token not provided. This test verifies that the bearer token can ' \
                 'no longer be used to access a Patient resource.'
 
@@ -98,38 +125,22 @@ module ONCCertificationG10TestKit
         This test checks that refreshing token fails after token revocation.
       )
 
-      input :smart_token_url,
-            title: 'OAuth 2.0 Token Endpoint',
-            description: 'OAuth token endpoint provided during the patient standalone launch'
-      input :refresh_token,
-            name: :standalone_refresh_token,
-            title: 'Revoked Refresh Token',
-            description: 'Prior to the test, please revoke this refresh token from patient standalone launch.'
-      input :client_id,
-            name: :standalone_client_id,
-            title: 'Standalone Client ID',
-            description: 'Client ID provided during registration of Inferno as a standalone application',
-            locked: true
-      input :client_secret,
-            name: :standalone_client_secret,
-            title: 'Standalone Client Secret',
-            description: 'Client Secret provided during registration of Inferno as a standalone application',
-            locked: true
+      input :smart_auth_info, type: :auth_info
 
       run do
-        skip_if refresh_token.blank?,
+        skip_if smart_auth_info.refresh_token.blank?,
                 'Refresh token not provided to test.'
         oauth2_params = {
           'grant_type' => 'refresh_token',
-          'refresh_token' => refresh_token
+          'refresh_token' => smart_auth_info.refresh_token
         }
-        client_credentials = "#{client_id}:#{client_secret}"
+        client_credentials = "#{smart_auth_info.client_id}:#{smart_auth_info.client_secret}"
         oauth2_headers = {
           'Content-Type' => 'application/x-www-form-urlencoded',
           'Authorization' => "Basic #{Base64.strict_encode64(client_credentials)}"
         }
 
-        post(smart_token_url, body: oauth2_params, headers: oauth2_headers)
+        post(smart_auth_info.token_url, body: oauth2_params, headers: oauth2_headers)
 
         assert_response_status([400, 401])
       end

data/lib/onc_certification_g10_test_kit/unrestricted_resource_type_access_group.rb

@@ -86,12 +86,12 @@ module ONCCertificationG10TestKit
     )
     id :g10_unrestricted_resource_type_access
 
-    input :url, :smart_credentials, :patient_id, :received_scopes
-    input :smart_credentials, type: :oauth_credentials
+    input :url, :patient_id, :received_scopes
+    input :smart_auth_info, type: 'auth_info'
 
     fhir_client do
       url :url
-      oauth_credentials :smart_credentials
+      oauth_credentials :smart_auth_info
     end
 
     V5_EXCLUDED_RESOURCES = ['RelatedPerson'].freeze

data/lib/onc_certification_g10_test_kit/urls.rb

@@ -0,0 +1,4 @@
+module ONCCertificationG10TestKit
+  REDIRECT_URI = "#{Inferno::Application['base_url']}/custom/smart/redirect".freeze
+  LAUNCH_URI = "#{Inferno::Application['base_url']}/custom/smart/launch".freeze
+end

data/lib/onc_certification_g10_test_kit/version.rb

@@ -1,3 +1,4 @@
 module ONCCertificationG10TestKit
-  VERSION = '7.0.3'.freeze
+  VERSION = '7.2.0'.freeze
+  LAST_UPDATED = '2025-04-08'.freeze # TODO: update next release
 end

data/lib/onc_certification_g10_test_kit.rb

@@ -3,8 +3,9 @@ require 'smart_app_launch/smart_stu2_suite'
 require 'smart_app_launch/smart_stu2_2_suite'
 require 'us_core_test_kit'
 
+require_relative 'onc_certification_g10_test_kit/metadata'
 require_relative 'onc_certification_g10_test_kit/configuration_checker'
-require_relative 'onc_certification_g10_test_kit/version'
+require_relative 'onc_certification_g10_test_kit/urls'
 
 require_relative 'onc_certification_g10_test_kit/feature'
 require_relative 'onc_certification_g10_test_kit/g10_options'
@@ -50,7 +51,6 @@ module ONCCertificationG10TestKit
   class G10CertificationSuite < Inferno::TestSuite
     title 'ONC Certification (g)(10) Standardized API'
     short_title '(g)(10) Standardized API'
-    version VERSION
     id :g10_certification
     links [
       {
@@ -89,26 +89,16 @@ module ONCCertificationG10TestKit
     ].freeze
 
     def self.setup_validator(us_core_version_requirement) # rubocop:disable Metrics/CyclomaticComplexity
-      validator_method = if Feature.use_hl7_resource_validator?
-                           method(:fhir_resource_validator)
-                         else
-                           method(:validator)
-                         end
-
-      validator_method.call :default, required_suite_options: us_core_version_requirement do
-        if Feature.use_hl7_resource_validator?
-          cli_context do
-            txServer nil
-            displayWarnings true
-            disableDefaultResourceFetcher true
-          end
+      fhir_resource_validator :default, required_suite_options: us_core_version_requirement do
+        cli_context do
+          txServer nil
+          displayWarnings true
+          disableDefaultResourceFetcher true
+        end
 
-          us_core_version_num = G10Options::US_CORE_VERSION_NUMBERS[us_core_version_requirement[:us_core_version]]
+        us_core_version_num = G10Options::US_CORE_VERSION_NUMBERS[us_core_version_requirement[:us_core_version]]
 
-          igs("hl7.fhir.us.core##{us_core_version_num}")
-        else
-          url ENV.fetch('G10_VALIDATOR_URL', 'http://validator_service:4567')
-        end
+        igs("hl7.fhir.us.core##{us_core_version_num}")
 
         us_core_message_filters =
           case (us_core_version_requirement[:us_core_version])
@@ -263,12 +253,6 @@ module ONCCertificationG10TestKit
                  ]
 
     config(
-      inputs: {
-        client_auth_encryption_method: {
-          title: 'Client Authentication Encryption Method',
-          locked: true
-        }
-      },
       options: {
         post_authorization_uri: "#{Inferno::Application['base_url']}/custom/smart_stu2/post_auth",
         incorrectly_permitted_tls_version_message_type: 'warning'
@@ -308,8 +292,8 @@ module ONCCertificationG10TestKit
       To get started with the first group of scenarios, please first register the
       Inferno client as a SMART App with the following information:
 
-      * SMART Launch URI: `#{SMARTAppLaunch::AppLaunchTest.config.options[:launch_uri]}`
-      * OAuth Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
+      * SMART Launch URI: `#{LAUNCH_URI}`
+      * OAuth Redirect URI: `#{REDIRECT_URI}`
 
       For the multi-patient API, register Inferno with the following JWK Set
       Url:
@@ -336,8 +320,8 @@ module ONCCertificationG10TestKit
     input_instructions %(
         Register Inferno as a SMART app using the following information:
 
-        * Launch URI: `#{SMARTAppLaunch::AppLaunchTest.config.options[:launch_uri]}`
-        * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
+        * Launch URI: `#{LAUNCH_URI}`
+        * Redirect URI: `#{REDIRECT_URI}`
 
         For the multi-patient API, register Inferno with the following JWK Set
         Url:
@@ -347,7 +331,24 @@ module ONCCertificationG10TestKit
 
     group from: 'g10_smart_standalone_patient_app'
 
-    group from: 'g10_smart_limited_app'
+    group from: 'g10_smart_limited_app' do
+      # This has to be configured here, otherwise the `smart_auth_info` config
+      # will get clobbered and will use `standalone_smart_auth_info` instead of
+      # `limited_smart_auth_info`
+      groups
+        .select { |group| group.id.include? 'smart_standalone_launch' }
+        .flat_map(&:tests)
+        .select { |test| test.id.include? 'g10_patient_context' }
+        .each do |test|
+        test
+          .config(
+            inputs: {
+              patient_id: { name: :limited_patient_id },
+              smart_auth_info: { name: :limited_smart_auth_info }
+            }
+          )
+      end
+    end
 
     group from: 'g10_smart_ehr_practitioner_app'
 
@@ -393,18 +394,10 @@ module ONCCertificationG10TestKit
           [Follow this link to authorize with the SMART server](#{auth_url}).
 
           Tests will resume once Inferno receives a request at
-          `#{config.options[:redirect_uri]}` with a state of `#{state}`.
+          `#{REDIRECT_URI}` with a state of `#{state}`.
         )
       end
 
-      config(
-        inputs: {
-          client_auth_encryption_method: {
-            locked: false
-          }
-        }
-      )
-
       group from: :g10_public_standalone_launch,
             required_suite_options: G10Options::SMART_1_REQUIREMENT,
             config: { options: { redirect_message_proc: default_redirect_message_proc } }
@@ -416,6 +409,7 @@ module ONCCertificationG10TestKit
             config: { options: { redirect_message_proc: default_redirect_message_proc } }
 
       group from: :g10_token_revocation
+
       group from: :g10_smart_invalid_aud,
             config: { options: { redirect_message_proc: default_redirect_message_proc } }
 
@@ -455,34 +449,94 @@ module ONCCertificationG10TestKit
             required_suite_options: G10Options::SMART_2_2_REQUIREMENT
 
       group from: :g10_smart_v1_scopes,
-            required_suite_options: G10Options::SMART_2_REQUIREMENT,
-            config: {
-              inputs: {
-                client_auth_encryption_method: { locked: true }
-              }
-            }
+            required_suite_options: G10Options::SMART_2_REQUIREMENT
       group from: :g10_smart_v1_scopes,
             id: :g10_smart_v1_scopes_stu2_2, # rubocop:disable Naming/VariableNumber
-            required_suite_options: G10Options::SMART_2_2_REQUIREMENT,
-            config: {
-              inputs: {
-                client_auth_encryption_method: { locked: true }
-              }
-            }
+            required_suite_options: G10Options::SMART_2_2_REQUIREMENT
+
+      group from: :g10_smart_fine_grained_scopes, exclude_optional: true do
+        required_suite_options G10Options::SMART_2_REQUIREMENT.merge(G10Options::US_CORE_6_REQUIREMENT)
+        groups.first.config(
+          inputs: {
+            smart_auth_info: { name: :granular_scopes_1_auth_info }
+          },
+          outputs: {
+            smart_auth_info: { name: :granular_scopes_1_auth_info }
+          }
+        )
+
+        groups.last.config(
+          inputs: {
+            smart_auth_info: { name: :granular_scopes_2_auth_info }
+          },
+          outputs: {
+            smart_auth_info: { name: :granular_scopes_2_auth_info }
+          }
+        )
+      end
+
+      group from: :g10_smart_fine_grained_scopes_stu2_2, exclude_optional: true do # rubocop:disable Naming/VariableNumber
+        required_suite_options G10Options::SMART_2_2_REQUIREMENT.merge(G10Options::US_CORE_6_REQUIREMENT)
+        groups.first.config(
+          inputs: {
+            smart_auth_info: { name: :granular_scopes_1_auth_info }
+          },
+          outputs: {
+            smart_auth_info: { name: :granular_scopes_1_auth_info }
+          }
+        )
+
+        groups.last.config(
+          inputs: {
+            smart_auth_info: { name: :granular_scopes_2_auth_info }
+          },
+          outputs: {
+            smart_auth_info: { name: :granular_scopes_2_auth_info }
+          }
+        )
+      end
+
+      group from: :g10_us_core_7_smart_fine_grained_scopes, exclude_optional: true do
+        required_suite_options G10Options::SMART_2_REQUIREMENT.merge(G10Options::US_CORE_7_REQUIREMENT)
+        groups.first.config(
+          inputs: {
+            smart_auth_info: { name: :granular_scopes_1_auth_info }
+          },
+          outputs: {
+            smart_auth_info: { name: :granular_scopes_1_auth_info }
+          }
+        )
+
+        groups.last.config(
+          inputs: {
+            smart_auth_info: { name: :granular_scopes_2_auth_info }
+          },
+          outputs: {
+            smart_auth_info: { name: :granular_scopes_2_auth_info }
+          }
+        )
+      end
 
-      group from: :g10_smart_fine_grained_scopes,
-            required_suite_options: G10Options::SMART_2_REQUIREMENT.merge(G10Options::US_CORE_6_REQUIREMENT),
-            exclude_optional: true
-      group from: :g10_smart_fine_grained_scopes_stu2_2, # rubocop:disable Naming/VariableNumber
-            required_suite_options: G10Options::SMART_2_2_REQUIREMENT.merge(G10Options::US_CORE_6_REQUIREMENT),
-            exclude_optional: true
-
-      group from: :g10_us_core_7_smart_fine_grained_scopes,
-            required_suite_options: G10Options::SMART_2_REQUIREMENT.merge(G10Options::US_CORE_7_REQUIREMENT),
-            exclude_optional: true
-      group from: :g10_us_core_7_smart_fine_grained_scopes_stu2_2, # rubocop:disable Naming/VariableNumber
-            required_suite_options: G10Options::SMART_2_2_REQUIREMENT.merge(G10Options::US_CORE_7_REQUIREMENT),
-            exclude_optional: true
+      group from: :g10_us_core_7_smart_fine_grained_scopes_stu2_2, exclude_optional: true do # rubocop:disable Naming/VariableNumber
+        required_suite_options G10Options::SMART_2_2_REQUIREMENT.merge(G10Options::US_CORE_7_REQUIREMENT)
+        groups.first.config(
+          inputs: {
+            smart_auth_info: { name: :granular_scopes_1_auth_info }
+          },
+          outputs: {
+            smart_auth_info: { name: :granular_scopes_1_auth_info }
+          }
+        )
+
+        groups.last.config(
+          inputs: {
+            smart_auth_info: { name: :granular_scopes_2_auth_info }
+          },
+          outputs: {
+            smart_auth_info: { name: :granular_scopes_2_auth_info }
+          }
+        )
+      end
 
       group from: :g10_smart_granular_scope_selection,
             required_suite_options: G10Options::SMART_2_REQUIREMENT.merge(G10Options::US_CORE_6_REQUIREMENT)