onc_certification_g10_test_kit 7.1.0 → 7.2.0

data/lib/onc_certification_g10_test_kit/smart_invalid_token_group.rb

@@ -1,5 +1,9 @@
+require_relative 'scope_constants'
+
 module ONCCertificationG10TestKit
   class SMARTInvalidTokenGroup < Inferno::TestGroup
+    include ScopeConstants
+
     title 'Invalid Access Token Request'
     short_title 'Invalid Token Request'
     input_instructions %(
@@ -22,78 +26,34 @@ module ONCCertificationG10TestKit
     id :g10_smart_invalid_token_request
     run_as_group
 
-    input :use_pkce,
-          title: 'Proof Key for Code Exchange (PKCE)',
-          type: 'radio',
-          default: 'false',
+    config(
+      inputs: {
+        smart_auth_info: {
+          name: :standalone_smart_auth_info,
+          title: 'Standalone Launch Credentials',
           options: {
-            list_options: [
+            mode: 'auth',
+            components: [
               {
-                label: 'Enabled',
-                value: 'true'
+                name: :requested_scopes,
+                default: STANDALONE_SMART_1_SCOPES
               },
               {
-                label: 'Disabled',
-                value: 'false'
-              }
-            ]
-          }
-    input :pkce_code_challenge_method,
-          optional: true,
-          title: 'PKCE Code Challenge Method',
-          type: 'radio',
-          default: 'S256',
-          options: {
-            list_options: [
+                name: :auth_type,
+                default: 'symmetric',
+                locked: true
+              },
               {
-                label: 'S256',
-                value: 'S256'
+                name: :auth_request_method,
+                default: 'GET',
+                locked: true
               },
               {
-                label: 'plain',
-                value: 'plain'
+                name: :use_discovery,
+                locked: true
               }
             ]
           }
-
-    input_order :url,
-                :standalone_client_id,
-                :standalone_client_secret,
-                :standalone_requested_scopes,
-                :use_pkce,
-                :pkce_code_challenge_method,
-                :smart_authorization_url,
-                :smart_token_url
-
-    config(
-      inputs: {
-        client_id: {
-          name: :standalone_client_id,
-          title: 'Standalone Client ID',
-          description: 'Client ID provided during registration of Inferno as a standalone application'
-        },
-        client_secret: {
-          name: :standalone_client_secret,
-          title: 'Standalone Client Secret',
-          description: 'Client Secret provided during registration of Inferno as a standalone application'
-        },
-        requested_scopes: {
-          name: :standalone_requested_scopes,
-          title: 'Standalone Scope',
-          description: 'OAuth 2.0 scope provided by system to enable all required functionality',
-          type: 'textarea',
-          default: %(
-            launch/patient openid fhirUser offline_access
-            patient/Medication.read patient/AllergyIntolerance.read
-            patient/CarePlan.read patient/CareTeam.read patient/Condition.read
-            patient/Device.read patient/DiagnosticReport.read
-            patient/DocumentReference.read patient/Encounter.read
-            patient/Goal.read patient/Immunization.read patient/Location.read
-            patient/MedicationRequest.read patient/Observation.read
-            patient/Organization.read patient/Patient.read
-            patient/Practitioner.read patient/Procedure.read
-            patient/Provenance.read patient/PractitionerRole.read
-          ).gsub(/\s{2,}/, ' ').strip
         },
         url: {
           title: 'Standalone FHIR Endpoint',
@@ -105,14 +65,6 @@ module ONCCertificationG10TestKit
         state: {
           name: :invalid_token_state
         },
-        smart_authorization_url: {
-          title: 'OAuth 2.0 Authorize Endpoint',
-          description: 'OAuth 2.0 Authorize Endpoint provided during the patient standalone launch'
-        },
-        smart_token_url: {
-          title: 'OAuth 2.0 Token Endpoint',
-          description: 'OAuth 2.0 Token Endpoint provided during the patient standalone launch'
-        },
         pkce_code_verifier: {
           name: :invalid_token_pkce_code_verifier
         }
@@ -121,7 +73,8 @@ module ONCCertificationG10TestKit
         code: { name: :invalid_token_code },
         state: { name: :invalid_token_state },
         expires_in: { name: :invalid_token_expires_in },
-        pkce_code_verifier: { name: :invalid_token_pkce_code_verifier }
+        pkce_code_verifier: { name: :invalid_token_pkce_code_verifier },
+        smart_auth_info: { name: :standalone_smart_auth_info }
       },
       requests: {
         redirect: { name: :invalid_token_redirect },
@@ -129,10 +82,13 @@ module ONCCertificationG10TestKit
       }
     )
 
+    test from: :well_known_endpoint
+
     test from: :smart_app_redirect
     test from: :smart_code_received
 
     test do
+      id 'Test03'
       title ' OAuth token exchange fails when supplied invalid code'
       description %(
         If the request failed verification or is invalid, the authorization
@@ -140,9 +96,8 @@ module ONCCertificationG10TestKit
       )
       uses_request :redirect
 
-      input :use_pkce, :client_id, :client_secret, :smart_token_url
-      input :pkce_code_verifier,
-            optional: true
+      input :smart_auth_info, type: :auth_info
+      input :pkce_code_verifier, optional: true
 
       run do
         skip_if request.query_parameters['error'].present?, 'Error during authorization request'
@@ -154,22 +109,23 @@ module ONCCertificationG10TestKit
         }
         oauth2_headers = { 'Content-Type' => 'application/x-www-form-urlencoded' }
 
-        if client_secret.present?
-          client_credentials = "#{client_id}:#{client_secret}"
+        if smart_auth_info.symmetric_auth?
+          client_credentials = "#{smart_auth_info.client_id}:#{smart_auth_info.client_secret}"
           oauth2_headers['Authorization'] = "Basic #{Base64.strict_encode64(client_credentials)}"
         else
-          oauth2_params[:client_id] = client_id
+          oauth2_params[:client_id] = smart_auth_info.client_id
         end
 
-        oauth2_params[:code_verifier] = pkce_code_verifier if use_pkce == 'true'
+        oauth2_params[:code_verifier] = pkce_code_verifier if smart_auth_info.pkce_enabled?
 
-        post(smart_token_url, body: oauth2_params, name: :token, headers: oauth2_headers)
+        post(smart_auth_info.token_url, body: oauth2_params, name: :token, headers: oauth2_headers)
 
         assert_response_status(400)
       end
     end
 
     test do
+      id 'Test04'
       title 'OAuth token exchange fails when supplied invalid client ID'
       description %(
         If the request failed verification or is invalid, the authorization
@@ -177,9 +133,9 @@ module ONCCertificationG10TestKit
       )
       uses_request :redirect
 
-      input :use_pkce, :code, :smart_token_url, :client_secret
-      input :pkce_code_verifier,
-            optional: true
+      input :smart_auth_info, type: :auth_info
+      input :code
+      input :pkce_code_verifier, optional: true
 
       run do
         skip_if request.query_parameters['error'].present?, 'Error during authorization request'
@@ -193,16 +149,16 @@ module ONCCertificationG10TestKit
         }
         oauth2_headers = { 'Content-Type' => 'application/x-www-form-urlencoded' }
 
-        if client_secret.present?
-          client_credentials = "#{client_id}:#{client_secret}"
+        if smart_auth_info.symmetric_auth?
+          client_credentials = "#{client_id}:#{smart_auth_info.client_secret}"
           oauth2_headers['Authorization'] = "Basic #{Base64.strict_encode64(client_credentials)}"
         else
           oauth2_params[:client_id] = client_id
         end
 
-        oauth2_params[:code_verifier] = pkce_code_verifier if use_pkce == 'true'
+        oauth2_params[:code_verifier] = pkce_code_verifier if smart_auth_info.pkce_enabled?
 
-        post(smart_token_url, body: oauth2_params, name: :token, headers: oauth2_headers)
+        post(smart_auth_info.token_url, body: oauth2_params, name: :token, headers: oauth2_headers)
 
         assert_response_status([400, 401])
       end

data/lib/onc_certification_g10_test_kit/smart_invalid_token_group_stu2.rb

@@ -1,5 +1,9 @@
+require_relative 'scope_constants'
+
 module ONCCertificationG10TestKit
   class SMARTInvalidTokenGroupSTU2 < Inferno::TestGroup
+    include ScopeConstants
+
     title 'Invalid Access Token Request'
     short_title 'Invalid Token Request'
     input_instructions %(
@@ -22,80 +26,44 @@ module ONCCertificationG10TestKit
     id :g10_smart_invalid_token_request_stu2
     run_as_group
 
-    input :use_pkce,
-          title: 'Proof Key for Code Exchange (PKCE)',
-          type: 'radio',
-          default: 'true',
-          locked: true,
+    config(
+      inputs: {
+        smart_auth_info: {
+          name: :standalone_smart_auth_info,
+          title: 'Standalone Launch Credentials',
           options: {
-            list_options: [
+            mode: 'auth',
+            components: [
               {
-                label: 'Enabled',
-                value: 'true'
+                name: :requested_scopes,
+                default: STANDALONE_SMART_1_SCOPES
               },
               {
-                label: 'Disabled',
-                value: 'false'
-              }
-            ]
-          }
-    input :pkce_code_challenge_method,
-          optional: true,
-          title: 'PKCE Code Challenge Method',
-          type: 'radio',
-          default: 'S256',
-          locked: true,
-          options: {
-            list_options: [
+                name: :auth_type,
+                default: 'symmetric',
+                locked: true
+              },
+              {
+                name: :auth_request_method,
+                default: 'GET',
+                locked: true
+              },
+              {
+                name: :use_discovery,
+                locked: true
+              },
               {
-                label: 'S256',
-                value: 'S256'
+                name: :pkce_support,
+                default: 'enabled',
+                locked: true
               },
               {
-                label: 'Plain',
-                value: 'plain'
+                name: :pkce_code_challenge_method,
+                default: 'S256',
+                locked: true
               }
             ]
           }
-
-    input_order :url,
-                :standalone_client_id,
-                :standalone_client_secret,
-                :standalone_requested_scopes,
-                :use_pkce,
-                :pkce_code_challenge_method,
-                :smart_authorization_url,
-                :smart_token_url
-
-    config(
-      inputs: {
-        client_id: {
-          name: :standalone_client_id,
-          title: 'Standalone Client ID',
-          description: 'Client ID provided during registration of Inferno as a standalone application'
-        },
-        client_secret: {
-          name: :standalone_client_secret,
-          title: 'Standalone Client Secret',
-          description: 'Client Secret provided during registration of Inferno as a standalone application'
-        },
-        requested_scopes: {
-          name: :standalone_requested_scopes,
-          title: 'Standalone Scope',
-          description: 'OAuth 2.0 scope provided by system to enable all required functionality',
-          type: 'textarea',
-          default: %(
-            launch/patient openid fhirUser offline_access
-            patient/Medication.read patient/AllergyIntolerance.read
-            patient/CarePlan.read patient/CareTeam.read patient/Condition.read
-            patient/Device.read patient/DiagnosticReport.read
-            patient/DocumentReference.read patient/Encounter.read
-            patient/Goal.read patient/Immunization.read patient/Location.read
-            patient/MedicationRequest.read patient/Observation.read
-            patient/Organization.read patient/Patient.read
-            patient/Practitioner.read patient/Procedure.read
-            patient/Provenance.read patient/PractitionerRole.read
-          ).gsub(/\s{2,}/, ' ').strip
         },
         url: {
           title: 'Standalone FHIR Endpoint',
@@ -107,27 +75,16 @@ module ONCCertificationG10TestKit
         state: {
           name: :invalid_token_state
         },
-        smart_authorization_url: {
-          title: 'OAuth 2.0 Authorize Endpoint',
-          description: 'OAuth 2.0 Authorize Endpoint provided during the patient standalone launch'
-        },
-        smart_token_url: {
-          title: 'OAuth 2.0 Token Endpoint',
-          description: 'OAuth 2.0 Token Endpoint provided during the patient standalone launch'
-        },
         pkce_code_verifier: {
           name: :invalid_token_pkce_code_verifier
-        },
-        client_auth_type: {
-          locked: true,
-          default: 'confidential_symmetric'
         }
       },
       outputs: {
         code: { name: :invalid_token_code },
         state: { name: :invalid_token_state },
         expires_in: { name: :invalid_token_expires_in },
-        pkce_code_verifier: { name: :invalid_token_pkce_code_verifier }
+        pkce_code_verifier: { name: :invalid_token_pkce_code_verifier },
+        smart_auth_info: { name: :standalone_smart_auth_info }
       },
       requests: {
         redirect: { name: :invalid_token_redirect },
@@ -135,10 +92,13 @@ module ONCCertificationG10TestKit
       }
     )
 
+    test from: :well_known_endpoint
+
     test from: :smart_app_redirect_stu2
     test from: :smart_code_received
 
     test do
+      id 'Test03'
       title ' OAuth token exchange fails when supplied invalid code'
       description %(
         If the request failed verification or is invalid, the authorization
@@ -146,7 +106,7 @@ module ONCCertificationG10TestKit
       )
       uses_request :redirect
 
-      input :use_pkce, :client_id, :client_secret, :smart_token_url
+      input :smart_auth_info, type: :auth_info
       input :pkce_code_verifier,
             optional: true
       run do
@@ -159,22 +119,23 @@ module ONCCertificationG10TestKit
         }
         oauth2_headers = { 'Content-Type' => 'application/x-www-form-urlencoded' }
 
-        if client_secret.present?
-          client_credentials = "#{client_id}:#{client_secret}"
+        if smart_auth_info.symmetric_auth?
+          client_credentials = "#{smart_auth_info.client_id}:#{smart_auth_info.client_secret}"
           oauth2_headers['Authorization'] = "Basic #{Base64.strict_encode64(client_credentials)}"
         else
-          oauth2_params[:client_id] = client_id
+          oauth2_params[:client_id] = smart_auth_info.client_id
         end
 
-        oauth2_params[:code_verifier] = pkce_code_verifier if use_pkce == 'true'
+        oauth2_params[:code_verifier] = pkce_code_verifier if smart_auth_info.pkce_enabled?
 
-        post(smart_token_url, body: oauth2_params, name: :token, headers: oauth2_headers)
+        post(smart_auth_info.token_url, body: oauth2_params, name: :token, headers: oauth2_headers)
 
         assert_response_status(400)
       end
     end
 
     test do
+      id 'Test04'
       title 'OAuth token exchange fails when supplied invalid client ID'
       description %(
         If the request failed verification or is invalid, the authorization
@@ -182,7 +143,8 @@ module ONCCertificationG10TestKit
       )
       uses_request :redirect
 
-      input :use_pkce, :code, :smart_token_url, :client_secret
+      input :code
+      input :smart_auth_info, type: :auth_info
       input :pkce_code_verifier,
             optional: true
 
@@ -198,16 +160,16 @@ module ONCCertificationG10TestKit
         }
         oauth2_headers = { 'Content-Type' => 'application/x-www-form-urlencoded' }
 
-        if client_secret.present?
-          client_credentials = "#{client_id}:#{client_secret}"
+        if smart_auth_info.symmetric_auth?
+          client_credentials = "#{client_id}:#{smart_auth_info.client_secret}"
           oauth2_headers['Authorization'] = "Basic #{Base64.strict_encode64(client_credentials)}"
         else
           oauth2_params[:client_id] = client_id
         end
 
-        oauth2_params[:code_verifier] = pkce_code_verifier if use_pkce == 'true'
+        oauth2_params[:code_verifier] = pkce_code_verifier if smart_auth_info.pkce_enabled?
 
-        post(smart_token_url, body: oauth2_params, name: :token, headers: oauth2_headers)
+        post(smart_auth_info.token_url, body: oauth2_params, name: :token, headers: oauth2_headers)
 
         assert_response_status([400, 401])
       end

data/lib/onc_certification_g10_test_kit/smart_invalid_token_refresh_test.rb

@@ -8,10 +8,13 @@ module ONCCertificationG10TestKit
 
       [OAuth 2.0 RFC (6749)](https://www.rfc-editor.org/rfc/rfc6749#section-6)
     )
-    input :refresh_token, :smart_token_url, :client_id, :received_scopes
-    input :client_secret, optional: true
+    input :smart_auth_info, type: 'auth_info'
+    input :received_scopes
 
     run do
+      skip_if smart_auth_info.refresh_token.blank?,
+              'No refresh token was received'
+
       oauth2_params = {
         'grant_type' => 'refresh_token',
         'refresh_token' => SecureRandom.uuid
@@ -20,14 +23,14 @@ module ONCCertificationG10TestKit
 
       oauth2_params['scope'] = received_scopes if config.options[:include_scopes]
 
-      if client_secret.present?
-        credentials = Base64.strict_encode64("#{client_id}:#{client_secret}")
+      if smart_auth_info.symmetric_auth?
+        credentials = Base64.strict_encode64("#{smart_auth_info.client_id}:#{smart_auth_info.client_secret}")
         oauth2_headers['Authorization'] = "Basic #{credentials}"
       else
-        oauth2_params['client_id'] = client_id
+        oauth2_params['client_id'] = smart_auth_info.client_id
       end
 
-      post(smart_token_url, body: oauth2_params, headers: oauth2_headers)
+      post(smart_auth_info.token_url, body: oauth2_params, headers: oauth2_headers)
 
       assert_response_status([400, 401])
     end