RubyGems - onc_certification_g10_test_kit - Versions diffs - 7.1.0 → 7.2.0 - Mend

onc_certification_g10_test_kit 7.1.0 → 7.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (54) hide show

data/lib/onc_certification_g10_test_kit/smart_v1_scopes_group.rb CHANGED Viewed

@@ -55,46 +55,67 @@ module ONCCertificationG10TestKit
     config(
       inputs: {
-        client_secret: {
-          optional: false,
-          name: :standalone_client_secret
-        },
-        requested_scopes: {
-          name: :v1_requested_scopes,
-          default: %(
-            launch/patient openid fhirUser offline_access
-            patient/Medication.read patient/AllergyIntolerance.read
-            patient/CarePlan.read patient/CareTeam.read patient/Condition.read
-            patient/Device.read patient/DiagnosticReport.read
-            patient/DocumentReference.read patient/Encounter.read
-            patient/Goal.read patient/Immunization.read patient/Location.read
-            patient/MedicationRequest.read patient/Observation.read
-            patient/Organization.read patient/Patient.read
-            patient/Practitioner.read patient/Procedure.read
-            patient/Provenance.read patient/PractitionerRole.read
-            patient/Specimen.read patient/Coverage.read
-            patient/MedicationDispense.read patient/ServiceRequest.read
-          ).gsub(/\s{2,}/, ' ').strip
+        smart_auth_info: {
+          name: :v1_smart_auth_info,
+          title: 'Launch with v1 Scopes Credentials',
+          options: {
+            mode: 'auth',
+            components: [
+              {
+                name: :requested_scopes,
+                default: %(
+                  launch/patient openid fhirUser offline_access
+                  patient/Medication.read patient/AllergyIntolerance.read
+                  patient/CarePlan.read patient/CareTeam.read
+                  patient/Condition.read patient/Device.read
+                  patient/DiagnosticReport.read patient/DocumentReference.read
+                  patient/Encounter.read patient/Goal.read
+                  patient/Immunization.read patient/Location.read
+                  patient/MedicationRequest.read patient/Observation.read
+                  patient/Organization.read patient/Patient.read
+                  patient/Practitioner.read patient/Procedure.read
+                  patient/Provenance.read patient/PractitionerRole.read
+                  patient/Specimen.read patient/Coverage.read
+                  patient/MedicationDispense.read patient/ServiceRequest.read
+                ).gsub(/\s{2,}/, ' ').strip
+              },
+              {
+                name: :auth_type,
+                default: 'symmetric',
+                locked: true
+              },
+              {
+                name: :auth_request_method,
+                default: 'GET',
+                locked: true
+              },
+              {
+                name: :use_discovery,
+                locked: true
+              },
+              {
+                name: :pkce_support,
+                default: 'enabled',
+                locked: true
+              },
+              {
+                name: :pkce_code_challenge_method,
+                default: 'S256',
+                locked: true
+              }
+            ]
+          }
         },
-        received_scopes: { name: :v1_received_scopes },
-        smart_credentials: { name: :v1_smart_credentials }
+        patient_id: { name: :v1_patient_id },
+        received_scopes: { name: :v1_received_scopes }
       },
       outputs: {
+        smart_auth_info: { name: :v1_smart_auth_info },
         received_scopes: { name: :v1_received_scopes },
         patient_id: { name: :v1_patient_id }
       }
     )
-    input_order :url,
-                :standalone_client_id,
-                :standalone_client_secret,
-                :v1_requested_scopes,
-                :use_pkce,
-                :pkce_code_challenge_method,
-                :standalone_authorization_method,
-                :client_auth_type,
-                :client_auth_encryption_method
     group from: :smart_discovery_stu2 do
       required_suite_options(G10Options::SMART_2_REQUIREMENT)
       test from: 'g10_smart_well_known_capabilities',
@@ -140,30 +161,7 @@ module ONCCertificationG10TestKit
     end
     group from: :smart_standalone_launch_stu2,
-          required_suite_options: G10Options::SMART_2_REQUIREMENT,
-          config: {
-            inputs: {
-              use_pkce: {
-                default: 'true',
-                locked: true
-              },
-              pkce_code_challenge_method: {
-                locked: true
-              },
-              authorization_method: {
-                name: :standalone_authorization_method,
-                default: 'get',
-                locked: true
-              },
-              client_auth_type: {
-                locked: true,
-                default: 'confidential_symmetric'
-              }
-            },
-            outputs: {
-              smart_credentials: { name: :v1_smart_credentials }
-            }
-          } do
+          required_suite_options: G10Options::SMART_2_REQUIREMENT do
       title 'Standalone Launch With Patient Scope'
       description %(
         # Background
@@ -201,20 +199,9 @@ module ONCCertificationG10TestKit
         )
       end
-      test from: :g10_unauthorized_access,
-           config: {
-             inputs: {
-               patient_id: { name: :v1_patient_id }
-             }
-           }
+      test from: :g10_unauthorized_access
-      test from: :g10_patient_context,
-           config: {
-             inputs: {
-               patient_id: { name: :v1_patient_id },
-               smart_credentials: { name: :v1_smart_credentials }
-             }
-           }
+      test from: :g10_patient_context
       tests[0].config(
         outputs: {
@@ -233,30 +220,7 @@ module ONCCertificationG10TestKit
       )
     end
     group from: :smart_standalone_launch_stu2_2, # rubocop:disable Naming/VariableNumber
-          required_suite_options: G10Options::SMART_2_2_REQUIREMENT,
-          config: {
-            inputs: {
-              use_pkce: {
-                default: 'true',
-                locked: true
-              },
-              pkce_code_challenge_method: {
-                locked: true
-              },
-              authorization_method: {
-                name: :standalone_authorization_method,
-                default: 'get',
-                locked: true
-              },
-              client_auth_type: {
-                locked: true,
-                default: 'confidential_symmetric'
-              }
-            },
-            outputs: {
-              smart_credentials: { name: :v1_smart_credentials }
-            }
-          } do
+          required_suite_options: G10Options::SMART_2_2_REQUIREMENT do
       title 'Standalone Launch With Patient Scope'
       description %(
         # Background
@@ -294,20 +258,9 @@ module ONCCertificationG10TestKit
         )
       end
-      test from: :g10_unauthorized_access,
-           config: {
-             inputs: {
-               patient_id: { name: :v1_patient_id }
-             }
-           }
+      test from: :g10_unauthorized_access
-      test from: :g10_patient_context,
-           config: {
-             inputs: {
-               patient_id: { name: :v1_patient_id },
-               smart_credentials: { name: :v1_smart_credentials }
-             }
-           }
+      test from: :g10_patient_context
       tests[0].config(
         outputs: {
@@ -326,14 +279,7 @@ module ONCCertificationG10TestKit
       )
     end
-    group from: :g10_unrestricted_resource_type_access,
-          config: {
-            inputs: {
-              received_scopes: { name: :v1_received_scopes },
-              patient_id: { name: :v1_patient_id },
-              smart_credentials: { name: :v1_smart_credentials }
-            }
-          }
+    group from: :g10_unrestricted_resource_type_access
     test from: :g10_incorrectly_permitted_tls_versions_messages_setup,
          id: :g10_auth_incorrectly_permitted_tls_versions_messages_setup,

data/lib/onc_certification_g10_test_kit/tasks/generate_matrix.rb CHANGED Viewed

@@ -212,22 +212,13 @@ module ONCCertificationG10TestKit
         workbook.worksheets[2]
       end
-      def columns # rubocop:disable Metrics/CyclomaticComplexity
+      def columns
         @columns ||= [
           ['', 3, ->(_test) { '' }],
           ['', 3, ->(_test) { '' }],
           ['Inferno Test ID', 22, ->(test) { test.short_id.to_s }],
           ['Inferno Test Name', 65, lambda(&:title)],
-          ['Inferno Test Description', 65, lambda do |test|
-                                             description = test.description || ''
-                                             natural_indent =
-                                               description
-                                                 .lines
-                                                 .collect { |l| l.index(/[^ ]/) }
-                                                 .select { |l| !l.nil? && l.positive? }
-                                                 .min || 0
-                                             description.lines.map { |l| l[natural_indent..] || "\n" }.join.strip
-                                           end],
+          ['Inferno Test Description', 65, ->(test) { test.description&.strip }],
           ['Test Procedure Steps', 30, ->(test) { inferno_to_procedure_map[test.short_id].join(', ') }],
           ['Standard Version Filter', 30, lambda do |test|
                                             applicable_options(test).map(&:value).uniq.join(', ')

data/lib/onc_certification_g10_test_kit/token_introspection_group.rb CHANGED Viewed

@@ -63,19 +63,21 @@ module ONCCertificationG10TestKit
                 :well_known_introspection_url,
                 :custom_authorization_header,
                 :optional_introspection_request_params,
-                :standalone_client_id,
-                :standalone_client_secret,
-                :authorization_method,
-                :use_pkce,
-                :pkce_code_challenge_method,
-                :standalone_requested_scopes,
-                :token_introspection_auth_type,
-                :client_auth_encryption_method
+                :standalone_smart_auth_info
     config(
       inputs: {
-        client_auth_type: {
-          name: :token_introspection_auth_type
+        smart_auth_info: {
+          name: :standalone_smart_auth_info,
+          title: 'Standalone Launch Credentials',
+          options: {
+            components: [
+              {
+                name: :jwks,
+                locked: true
+              }
+            ]
+          }
         }
       }
     )
@@ -91,20 +93,5 @@ module ONCCertificationG10TestKit
       the correct HTTP response is returned but does not validate the contents
       of the token introspection response.
     DESCRIPTION
-    # The token introspection tests are SMART v2 only, so they use v2 discovery
-    # and launch groups. g10 needs them for SMART v1 and v2, so this sets the
-    # original discovery and launch groups to only appear when using SMART v2,
-    # and adds the v1 groups when using v1.
-    groups.first.groups.each do |group|
-      group.required_suite_options(G10Options::SMART_2_REQUIREMENT)
-    end
-    groups.first.group from: :smart_discovery,
-                       required_suite_options: G10Options::SMART_1_REQUIREMENT
-    groups.first.group from: :smart_standalone_launch,
-                       required_suite_options: G10Options::SMART_1_REQUIREMENT
   end
 end

data/lib/onc_certification_g10_test_kit/token_introspection_group_stu2_2.rb CHANGED Viewed

@@ -61,19 +61,21 @@ module ONCCertificationG10TestKit
                 :well_known_introspection_url,
                 :custom_authorization_header,
                 :optional_introspection_request_params,
-                :standalone_client_id,
-                :standalone_client_secret,
-                :authorization_method,
-                :use_pkce,
-                :pkce_code_challenge_method,
-                :standalone_requested_scopes,
-                :token_introspection_auth_type,
-                :client_auth_encryption_method
+                :standalone_smart_auth_info
     config(
       inputs: {
-        client_auth_type: {
-          name: :token_introspection_auth_type
+        smart_auth_info: {
+          name: :standalone_smart_auth_info,
+          title: 'Standalone Launch Credentials',
+          options: {
+            components: [
+              {
+                name: :jwks,
+                locked: true
+              }
+            ]
+          }
         }
       }
     )
@@ -89,9 +91,5 @@ module ONCCertificationG10TestKit
       the correct HTTP response is returned but does not validate the contents
       of the token introspection response.
     DESCRIPTION
-    groups.first.groups.each do |group|
-      group.required_suite_options(G10Options::SMART_2_2_REQUIREMENT)
-    end
   end
 end

data/lib/onc_certification_g10_test_kit/token_revocation_group.rb CHANGED Viewed

@@ -11,13 +11,43 @@ module ONCCertificationG10TestKit
     input_order :token_revocation_attestation,
                 :token_revocation_notes,
-                :standalone_access_token,
-                :standalone_refresh_token,
                 :standalone_patient_id,
-                :url,
-                :smart_token_url,
-                :standalone_client_id,
-                :standalone_client_secret
+                :url
+    config(
+      inputs: {
+        smart_auth_info: {
+          title: 'Revoked Bearer Token',
+          description: 'Prior to the test, please revoke this bearer token from patient standalone launch.',
+          options: {
+            mode: 'access',
+            components: [
+              Inferno::DSL::AuthInfo.default_auth_type_component_without_backend_services,
+              {
+                name: :client_id,
+                locked: true
+              },
+              {
+                name: :client_secret,
+                locked: true
+              },
+              {
+                name: :refresh_token,
+                optional: false
+              },
+              {
+                name: :token_url,
+                optional: false
+              },
+              {
+                name: :jwks,
+                locked: true
+              }
+            ]
+          }
+        }
+      }
+    )
     test do
       title 'Health IT developer demonstrated the ability of the Health IT Module to revoke tokens within one hour of a patient\'s request.' # rubocop:disable Layout/LineLength
@@ -68,21 +98,18 @@ module ONCCertificationG10TestKit
             name: :standalone_patient_id,
             title: 'Patient ID',
             description: 'Patient ID associated with revoked tokens provided as context in the patient standalone launch. This will be used to verify access is no longer granted using the revoked token.' # rubocop:disable Layout/LineLength
-      input :access_token,
-            name: :standalone_access_token,
-            title: 'Revoked Bearer Token',
-            description: 'Prior to the test, please revoke this bearer token from patient standalone launch.'
+      input :smart_auth_info, type: :auth_info
       fhir_client :revoked_token do
         url :url
-        bearer_token :access_token
+        auth_info :smart_auth_info
       end
       run do
         skip_if patient_id.blank?,
                 'Patient ID not provided to test. The patient ID is typically provided ' \
                 'during a SMART launch context.'
-        skip_if access_token.blank?,
+        skip_if smart_auth_info.access_token.blank?,
                 'Bearer token not provided. This test verifies that the bearer token can ' \
                 'no longer be used to access a Patient resource.'
@@ -98,38 +125,22 @@ module ONCCertificationG10TestKit
         This test checks that refreshing token fails after token revocation.
       )
-      input :smart_token_url,
-            title: 'OAuth 2.0 Token Endpoint',
-            description: 'OAuth token endpoint provided during the patient standalone launch'
-      input :refresh_token,
-            name: :standalone_refresh_token,
-            title: 'Revoked Refresh Token',
-            description: 'Prior to the test, please revoke this refresh token from patient standalone launch.'
-      input :client_id,
-            name: :standalone_client_id,
-            title: 'Standalone Client ID',
-            description: 'Client ID provided during registration of Inferno as a standalone application',
-            locked: true
-      input :client_secret,
-            name: :standalone_client_secret,
-            title: 'Standalone Client Secret',
-            description: 'Client Secret provided during registration of Inferno as a standalone application',
-            locked: true
+      input :smart_auth_info, type: :auth_info
       run do
-        skip_if refresh_token.blank?,
+        skip_if smart_auth_info.refresh_token.blank?,
                 'Refresh token not provided to test.'
         oauth2_params = {
           'grant_type' => 'refresh_token',
-          'refresh_token' => refresh_token
+          'refresh_token' => smart_auth_info.refresh_token
         }
-        client_credentials = "#{client_id}:#{client_secret}"
+        client_credentials = "#{smart_auth_info.client_id}:#{smart_auth_info.client_secret}"
         oauth2_headers = {
           'Content-Type' => 'application/x-www-form-urlencoded',
           'Authorization' => "Basic #{Base64.strict_encode64(client_credentials)}"
         }
-        post(smart_token_url, body: oauth2_params, headers: oauth2_headers)
+        post(smart_auth_info.token_url, body: oauth2_params, headers: oauth2_headers)
         assert_response_status([400, 401])
       end

data/lib/onc_certification_g10_test_kit/unrestricted_resource_type_access_group.rb CHANGED Viewed

@@ -86,12 +86,12 @@ module ONCCertificationG10TestKit
     )
     id :g10_unrestricted_resource_type_access
-    input :url, :smart_credentials, :patient_id, :received_scopes
-    input :smart_credentials, type: :oauth_credentials
+    input :url, :patient_id, :received_scopes
+    input :smart_auth_info, type: 'auth_info'
     fhir_client do
       url :url
-      oauth_credentials :smart_credentials
+      oauth_credentials :smart_auth_info
     end
     V5_EXCLUDED_RESOURCES = ['RelatedPerson'].freeze

data/lib/onc_certification_g10_test_kit/version.rb CHANGED Viewed

@@ -1,4 +1,4 @@
 module ONCCertificationG10TestKit
-  VERSION = '7.1.0'.freeze
-  LAST_UPDATED = '2025-03-13'.freeze # TODO: update next release
+  VERSION = '7.2.0'.freeze
+  LAST_UPDATED = '2025-04-08'.freeze # TODO: update next release
 end

data/lib/onc_certification_g10_test_kit.rb CHANGED Viewed

@@ -253,12 +253,6 @@ module ONCCertificationG10TestKit
                  ]
     config(
-      inputs: {
-        client_auth_encryption_method: {
-          title: 'Client Authentication Encryption Method',
-          locked: true
-        }
-      },
       options: {
         post_authorization_uri: "#{Inferno::Application['base_url']}/custom/smart_stu2/post_auth",
         incorrectly_permitted_tls_version_message_type: 'warning'
@@ -337,7 +331,24 @@ module ONCCertificationG10TestKit
     group from: 'g10_smart_standalone_patient_app'
-    group from: 'g10_smart_limited_app'
+    group from: 'g10_smart_limited_app' do
+      # This has to be configured here, otherwise the `smart_auth_info` config
+      # will get clobbered and will use `standalone_smart_auth_info` instead of
+      # `limited_smart_auth_info`
+      groups
+        .select { |group| group.id.include? 'smart_standalone_launch' }
+        .flat_map(&:tests)
+        .select { |test| test.id.include? 'g10_patient_context' }
+        .each do |test|
+        test
+          .config(
+            inputs: {
+              patient_id: { name: :limited_patient_id },
+              smart_auth_info: { name: :limited_smart_auth_info }
+            }
+          )
+      end
+    end
     group from: 'g10_smart_ehr_practitioner_app'
@@ -387,14 +398,6 @@ module ONCCertificationG10TestKit
         )
       end
-      config(
-        inputs: {
-          client_auth_encryption_method: {
-            locked: false
-          }
-        }
-      )
       group from: :g10_public_standalone_launch,
             required_suite_options: G10Options::SMART_1_REQUIREMENT,
             config: { options: { redirect_message_proc: default_redirect_message_proc } }
@@ -406,6 +409,7 @@ module ONCCertificationG10TestKit
             config: { options: { redirect_message_proc: default_redirect_message_proc } }
       group from: :g10_token_revocation
       group from: :g10_smart_invalid_aud,
             config: { options: { redirect_message_proc: default_redirect_message_proc } }
@@ -445,34 +449,94 @@ module ONCCertificationG10TestKit
             required_suite_options: G10Options::SMART_2_2_REQUIREMENT
       group from: :g10_smart_v1_scopes,
-            required_suite_options: G10Options::SMART_2_REQUIREMENT,
-            config: {
-              inputs: {
-                client_auth_encryption_method: { locked: true }
-              }
-            }
+            required_suite_options: G10Options::SMART_2_REQUIREMENT
       group from: :g10_smart_v1_scopes,
             id: :g10_smart_v1_scopes_stu2_2, # rubocop:disable Naming/VariableNumber
-            required_suite_options: G10Options::SMART_2_2_REQUIREMENT,
-            config: {
-              inputs: {
-                client_auth_encryption_method: { locked: true }
-              }
-            }
+            required_suite_options: G10Options::SMART_2_2_REQUIREMENT
+      group from: :g10_smart_fine_grained_scopes, exclude_optional: true do
+        required_suite_options G10Options::SMART_2_REQUIREMENT.merge(G10Options::US_CORE_6_REQUIREMENT)
+        groups.first.config(
+          inputs: {
+            smart_auth_info: { name: :granular_scopes_1_auth_info }
+          },
+          outputs: {
+            smart_auth_info: { name: :granular_scopes_1_auth_info }
+          }
+        )
+        groups.last.config(
+          inputs: {
+            smart_auth_info: { name: :granular_scopes_2_auth_info }
+          },
+          outputs: {
+            smart_auth_info: { name: :granular_scopes_2_auth_info }
+          }
+        )
+      end
-      group from: :g10_smart_fine_grained_scopes,
-            required_suite_options: G10Options::SMART_2_REQUIREMENT.merge(G10Options::US_CORE_6_REQUIREMENT),
-            exclude_optional: true
-      group from: :g10_smart_fine_grained_scopes_stu2_2, # rubocop:disable Naming/VariableNumber
-            required_suite_options: G10Options::SMART_2_2_REQUIREMENT.merge(G10Options::US_CORE_6_REQUIREMENT),
-            exclude_optional: true
-      group from: :g10_us_core_7_smart_fine_grained_scopes,
-            required_suite_options: G10Options::SMART_2_REQUIREMENT.merge(G10Options::US_CORE_7_REQUIREMENT),
-            exclude_optional: true
-      group from: :g10_us_core_7_smart_fine_grained_scopes_stu2_2, # rubocop:disable Naming/VariableNumber
-            required_suite_options: G10Options::SMART_2_2_REQUIREMENT.merge(G10Options::US_CORE_7_REQUIREMENT),
-            exclude_optional: true
+      group from: :g10_smart_fine_grained_scopes_stu2_2, exclude_optional: true do # rubocop:disable Naming/VariableNumber
+        required_suite_options G10Options::SMART_2_2_REQUIREMENT.merge(G10Options::US_CORE_6_REQUIREMENT)
+        groups.first.config(
+          inputs: {
+            smart_auth_info: { name: :granular_scopes_1_auth_info }
+          },
+          outputs: {
+            smart_auth_info: { name: :granular_scopes_1_auth_info }
+          }
+        )
+        groups.last.config(
+          inputs: {
+            smart_auth_info: { name: :granular_scopes_2_auth_info }
+          },
+          outputs: {
+            smart_auth_info: { name: :granular_scopes_2_auth_info }
+          }
+        )
+      end
+      group from: :g10_us_core_7_smart_fine_grained_scopes, exclude_optional: true do
+        required_suite_options G10Options::SMART_2_REQUIREMENT.merge(G10Options::US_CORE_7_REQUIREMENT)
+        groups.first.config(
+          inputs: {
+            smart_auth_info: { name: :granular_scopes_1_auth_info }
+          },
+          outputs: {
+            smart_auth_info: { name: :granular_scopes_1_auth_info }
+          }
+        )
+        groups.last.config(
+          inputs: {
+            smart_auth_info: { name: :granular_scopes_2_auth_info }
+          },
+          outputs: {
+            smart_auth_info: { name: :granular_scopes_2_auth_info }
+          }
+        )
+      end
+      group from: :g10_us_core_7_smart_fine_grained_scopes_stu2_2, exclude_optional: true do # rubocop:disable Naming/VariableNumber
+        required_suite_options G10Options::SMART_2_2_REQUIREMENT.merge(G10Options::US_CORE_7_REQUIREMENT)
+        groups.first.config(
+          inputs: {
+            smart_auth_info: { name: :granular_scopes_1_auth_info }
+          },
+          outputs: {
+            smart_auth_info: { name: :granular_scopes_1_auth_info }
+          }
+        )
+        groups.last.config(
+          inputs: {
+            smart_auth_info: { name: :granular_scopes_2_auth_info }
+          },
+          outputs: {
+            smart_auth_info: { name: :granular_scopes_2_auth_info }
+          }
+        )
+      end
       group from: :g10_smart_granular_scope_selection,
             required_suite_options: G10Options::SMART_2_REQUIREMENT.merge(G10Options::US_CORE_6_REQUIREMENT)