onc_certification_g10_test_kit 7.1.0 → 7.2.0

data/lib/onc_certification_g10_test_kit/smart_limited_app_group.rb

@@ -10,13 +10,13 @@ module ONCCertificationG10TestKit
 
     input_instructions %(
       The purpose of this test is to verify that patient app users can restrict
-      access granted to apps to a limited number of resources Enter which
-      resources the user will grant access to below, and during the launch
-      process only grant access to those resources. Inferno will verify that
-      access granted matches these expectations.
+      access granted to apps to a limited number of resources. This test can
+      only be run after the Standalone Patient App test, and all other inputs
+      are locked to ensure the same launch configuration in both tests.
 
-      All other inputs are locked to ensure the same app configuration as in the
-      Standalone Patient App - Full Access test.
+      Enter which resources the user will grant access to below, and during the
+      launch process only grant access to those resources. Inferno will verify
+      that access granted matches these expectations.
     )
 
     description %(
@@ -38,18 +38,62 @@ module ONCCertificationG10TestKit
     id :g10_smart_limited_app
     run_as_group
 
+    input :expected_resources,
+          title: 'Expected Resource Grant for Limited Access Launch',
+          description: 'the user will only grant access to the following resources during authorization.',
+          default: 'patient, condition, observation'
+
     input_order :expected_resources,
-                :use_pkce,
-                :pkce_code_challenge_method,
-                :url,
-                :standalone_client_id,
-                :standalone_client_secret,
-                :smart_authorization_url,
-                :smart_token_url,
-                :standalone_requested_scopes,
-                :authorization_method,
-                :client_auth_type,
-                :client_auth_encryption_method
+                :url
+
+    config(
+      inputs: {
+        url: { locked: true },
+        code: { name: :limited_code },
+        state: { name: :limited_state },
+        patient_id: { name: :limited_patient_id },
+        received_scopes: { name: :limited_received_scopes }
+      },
+      outputs: {
+        code: { name: :limited_code },
+        state: { name: :limited_state },
+        id_token: { name: :limited_id_token },
+        patient_id: { name: :limited_patient_id },
+        encounter_id: { name: :limited_encounter_id },
+        received_scopes: { name: :limited_received_scopes },
+        intent: { name: :limited_intent },
+        smart_auth_info: { name: :limited_smart_auth_info }
+      },
+      requests: {
+        redirect: { name: :limited_redirect },
+        token: { name: :limited_token }
+      },
+      options: {
+        ignore_missing_scopes_check: true,
+        redirect_message_proc: lambda do |auth_url|
+          expected_resource_string =
+            expected_resources
+              .split(',')
+              .map(&:strip)
+              .map { |resource_type| "* #{resource_type}\n" }
+              .join
+
+          <<~MESSAGE
+            ### #{self.class.parent.parent.title}
+
+            [Follow this link to authorize with the SMART
+            server](#{auth_url}).
+
+            Tests will resume once Inferno receives a request at
+            `#{REDIRECT_URI}` with a state of `#{state}`.
+
+            Access should only be granted to the following resources:
+
+            #{expected_resource_string}
+          MESSAGE
+        end
+      }
+    )
 
     group from: :smart_standalone_launch do
       title 'Standalone Launch With Limited Scope'
@@ -91,99 +135,20 @@ module ONCCertificationG10TestKit
 
       config(
         inputs: {
-          client_id: { locked: true },
-          client_secret: { locked: true, optional: false },
-          url: { locked: true },
-          requested_scopes: { locked: true },
-          code: { name: :limited_code },
-          state: { name: :limited_state },
-          patient_id: { name: :limited_patient_id },
-          access_token: { name: :limited_access_token },
-          # TODO: separate standalone/ehr discovery outputs
-          smart_authorization_url: { locked: true, title: 'SMART Authorization Url' },
-          smart_token_url: { locked: true, title: 'SMART Token Url' },
-          received_scopes: { name: :limited_received_scopes },
-          smart_credentials: { name: :limited_smart_credentials }
-        },
-        outputs: {
-          code: { name: :limited_code },
-          token_retrieval_time: { name: :limited_token_retrieval_time },
-          state: { name: :limited_state },
-          id_token: { name: :limited_id_token },
-          refresh_token: { name: :limited_refresh_token },
-          access_token: { name: :limited_access_token },
-          expires_in: { name: :limited_expires_in },
-          patient_id: { name: :limited_patient_id },
-          encounter_id: { name: :limited_encounter_id },
-          received_scopes: { name: :limited_received_scopes },
-          intent: { name: :limited_intent },
-          smart_credentials: { name: :limited_smart_credentials }
-        },
-        requests: {
-          redirect: { name: :limited_redirect },
-          token: { name: :limited_token }
-        },
-        options: {
-          ignore_missing_scopes_check: true,
-          redirect_message_proc: lambda do |auth_url|
-            expected_resource_string =
-              expected_resources
-                .split(',')
-                .map(&:strip)
-                .map { |resource_type| "* #{resource_type}\n" }
-                .join
-
-            <<~MESSAGE
-              ### #{self.class.parent.parent.title}
-
-              [Follow this link to authorize with the SMART
-              server](#{auth_url}).
-
-              Tests will resume once Inferno receives a request at
-              `#{REDIRECT_URI}` with a state of `#{state}`.
-
-              Access should only be granted to the following resources:
-
-              #{expected_resource_string}
-            MESSAGE
-          end
+          smart_auth_info: {
+            name: :standalone_smart_auth_info,
+            title: 'Standalone Launch Credentials',
+            locked: true
+          }
         }
       )
 
-      input :expected_resources,
-            title: 'Expected Resource Grant for Limited Access Launch',
-            description: 'The user will only grant access to the following resources during authorization.',
-            default: 'Patient, Condition, Observation'
-
-      test from: :g10_patient_context,
-           config: {
-             inputs: {
-               patient_id: { name: :limited_patient_id },
-               smart_credentials: { name: :limited_smart_credentials }
-             }
-           }
-
-      test from: :g10_limited_scope_grant do
-        config(
-          inputs: {
-            received_scopes: { name: :limited_received_scopes }
-          }
-        )
-      end
+      test from: :g10_patient_context
+
+      test from: :g10_limited_scope_grant
     end
 
-    group from: :smart_standalone_launch_stu2,
-          config: {
-            inputs: {
-              use_pkce: {
-                default: 'true',
-                locked: true
-              },
-              pkce_code_challenge_method: {
-                locked: true
-              }
-            }
-          } do
+    group from: :smart_standalone_launch_stu2 do
       title 'Standalone Launch With Limited Scope'
       description %(
         # Background
@@ -214,103 +179,20 @@ module ONCCertificationG10TestKit
 
       config(
         inputs: {
-          client_id: { locked: true },
-          client_secret: { locked: true },
-          url: { locked: true },
-          requested_scopes: { locked: true },
-          code: { name: :limited_code },
-          state: { name: :limited_state },
-          patient_id: { name: :limited_patient_id },
-          access_token: { name: :limited_access_token },
-          # TODO: separate standalone/ehr discovery outputs
-          smart_authorization_url: { locked: true, title: 'SMART Authorization Url' },
-          smart_token_url: { locked: true, title: 'SMART Token Url' },
-          received_scopes: { name: :limited_received_scopes },
-          smart_credentials: { name: :limited_smart_credentials },
-          client_auth_type: {
-            locked: true,
-            default: 'confidential_symmetric'
+          smart_auth_info: {
+            name: :standalone_smart_auth_info,
+            title: 'Standalone Launch Credentials',
+            locked: true
           }
-        },
-        outputs: {
-          code: { name: :limited_code },
-          token_retrieval_time: { name: :limited_token_retrieval_time },
-          state: { name: :limited_state },
-          id_token: { name: :limited_id_token },
-          refresh_token: { name: :limited_refresh_token },
-          access_token: { name: :limited_access_token },
-          expires_in: { name: :limited_expires_in },
-          patient_id: { name: :limited_patient_id },
-          encounter_id: { name: :limited_encounter_id },
-          received_scopes: { name: :limited_received_scopes },
-          intent: { name: :limited_intent },
-          smart_credentials: { name: :limited_smart_credentials }
-        },
-        requests: {
-          redirect: { name: :limited_redirect },
-          token: { name: :limited_token }
-        },
-        options: {
-          ignore_missing_scopes_check: true,
-          redirect_message_proc: lambda do |auth_url|
-            expected_resource_string =
-              expected_resources
-                .split(',')
-                .map(&:strip)
-                .map { |resource_type| "* #{resource_type}\n" }
-                .join
-
-            <<~MESSAGE
-              ### #{self.class.parent.parent.title}
-
-              [Follow this link to authorize with the SMART
-              server](#{auth_url}).
-
-              Tests will resume once Inferno receives a request at
-              `#{REDIRECT_URI}` with a state of `#{state}`.
-
-              Access should only be granted to the following resources:
-
-              #{expected_resource_string}
-            MESSAGE
-          end
         }
       )
 
-      input :expected_resources,
-            title: 'Expected Resource Grant for Limited Access Launch',
-            description: 'The user will only grant access to the following resources during authorization.',
-            default: 'Patient, Condition, Observation'
-
-      test from: :g10_patient_context,
-           config: {
-             inputs: {
-               patient_id: { name: :limited_patient_id },
-               smart_credentials: { name: :limited_smart_credentials }
-             }
-           }
-
-      test from: :g10_limited_scope_grant do
-        config(
-          inputs: {
-            received_scopes: { name: :limited_received_scopes }
-          }
-        )
-      end
+      test from: :g10_patient_context
+
+      test from: :g10_limited_scope_grant
     end
 
-    group from: :smart_standalone_launch_stu2_2, # rubocop:disable Naming/VariableNumber
-          config: {
-            inputs: {
-              use_pkce: {
-                default: 'true',
-                locked: true
-              },
-              pkce_code_challenge_method: {
-                locked: true
-              }
-            }
-          } do
+    group from: :smart_standalone_launch_stu2_2 do # rubocop:disable Naming/VariableNumber
       title 'Standalone Launch With Limited Scope'
       description %(
         # Background
@@ -341,97 +223,23 @@ module ONCCertificationG10TestKit
 
       config(
         inputs: {
-          client_id: { locked: true },
-          client_secret: { locked: true },
-          url: { locked: true },
-          requested_scopes: { locked: true },
-          code: { name: :limited_code },
-          state: { name: :limited_state },
-          patient_id: { name: :limited_patient_id },
-          access_token: { name: :limited_access_token },
-          # TODO: separate standalone/ehr discovery outputs
-          smart_authorization_url: { locked: true, title: 'SMART Authorization Url' },
-          smart_token_url: { locked: true, title: 'SMART Token Url' },
-          received_scopes: { name: :limited_received_scopes },
-          smart_credentials: { name: :limited_smart_credentials },
-          client_auth_type: {
-            locked: true,
-            default: 'confidential_symmetric'
+          smart_auth_info: {
+            name: :standalone_smart_auth_info,
+            title: 'Standalone Launch Credentials',
+            locked: true
           }
-        },
-        outputs: {
-          code: { name: :limited_code },
-          token_retrieval_time: { name: :limited_token_retrieval_time },
-          state: { name: :limited_state },
-          id_token: { name: :limited_id_token },
-          refresh_token: { name: :limited_refresh_token },
-          access_token: { name: :limited_access_token },
-          expires_in: { name: :limited_expires_in },
-          patient_id: { name: :limited_patient_id },
-          encounter_id: { name: :limited_encounter_id },
-          received_scopes: { name: :limited_received_scopes },
-          intent: { name: :limited_intent },
-          smart_credentials: { name: :limited_smart_credentials }
-        },
-        requests: {
-          redirect: { name: :limited_redirect },
-          token: { name: :limited_token }
-        },
-        options: {
-          ignore_missing_scopes_check: true,
-          redirect_message_proc: lambda do |auth_url|
-            expected_resource_string =
-              expected_resources
-                .split(',')
-                .map(&:strip)
-                .map { |resource_type| "* #{resource_type}\n" }
-                .join
-
-            <<~MESSAGE
-              ### #{self.class.parent.parent.title}
-
-              [Follow this link to authorize with the SMART
-              server](#{auth_url}).
-
-              Tests will resume once Inferno receives a request at
-              `#{REDIRECT_URI}` with a state of `#{state}`.
-
-              Access should only be granted to the following resources:
-
-              #{expected_resource_string}
-            MESSAGE
-          end
         }
       )
 
-      input :expected_resources,
-            title: 'Expected Resource Grant for Limited Access Launch',
-            description: 'The user will only grant access to the following resources during authorization.',
-            default: 'Patient, Condition, Observation'
-
-      test from: :g10_patient_context,
-           config: {
-             inputs: {
-               patient_id: { name: :limited_patient_id },
-               smart_credentials: { name: :limited_smart_credentials }
-             }
-           }
-
-      test from: :g10_limited_scope_grant do
-        config(
-          inputs: {
-            received_scopes: { name: :limited_received_scopes }
-          }
-        )
-      end
+      test from: :g10_patient_context
+
+      test from: :g10_limited_scope_grant
     end
 
     group from: :g10_restricted_resource_type_access,
           config: {
             inputs: {
-              patient_id: { name: :limited_patient_id },
-              received_scopes: { name: :limited_received_scopes },
-              smart_credentials: { name: :limited_smart_credentials }
+              smart_auth_info: { name: :limited_smart_auth_info }
             }
           }
   end

data/lib/onc_certification_g10_test_kit/smart_public_standalone_launch_group.rb

@@ -1,5 +1,9 @@
+require_relative 'scope_constants'
+
 module ONCCertificationG10TestKit
   class SMARTPublicStandaloneLaunchGroup < SMARTAppLaunch::StandaloneLaunchGroup
+    include ScopeConstants
+
     title 'Public Client Standalone Launch with OpenID Connect'
     short_title 'Public Client Launch'
     input_instructions %(
@@ -38,32 +42,23 @@ module ONCCertificationG10TestKit
 
     config(
       inputs: {
-        client_id: {
-          name: :public_client_id,
-          title: 'Public Launch Client ID'
-        },
-        client_secret: {
-          name: :public_client_secret,
-          title: 'Public Launch Client Secret',
-          default: nil,
-          optional: true,
-          locked: true
-        },
-        requested_scopes: {
-          name: :public_requested_scopes,
-          title: 'Public Launch Scope',
-          default: %(
-            launch/patient openid fhirUser offline_access
-            patient/Medication.read patient/AllergyIntolerance.read
-            patient/CarePlan.read patient/CareTeam.read patient/Condition.read
-            patient/Device.read patient/DiagnosticReport.read
-            patient/DocumentReference.read patient/Encounter.read
-            patient/Goal.read patient/Immunization.read patient/Location.read
-            patient/MedicationRequest.read patient/Observation.read
-            patient/Organization.read patient/Patient.read
-            patient/Practitioner.read patient/Procedure.read
-            patient/Provenance.read patient/PractitionerRole.read
-          ).gsub(/\s{2,}/, ' ').strip
+        smart_auth_info: {
+          name: :public_smart_auth_info,
+          title: 'Public Launch Credentials',
+          options: {
+            mode: 'auth',
+            components: [
+              {
+                name: :auth_type,
+                default: 'public',
+                locked: true
+              },
+              {
+                name: :requested_scopes,
+                default: STANDALONE_SMART_1_SCOPES
+              }
+            ]
+          }
         },
         url: {
           title: 'Public Launch FHIR Endpoint',
@@ -75,31 +70,19 @@ module ONCCertificationG10TestKit
         state: {
           name: :public_state
         },
-        smart_authorization_url: {
-          title: 'OAuth 2.0 Authorize Endpoint',
-          description: 'OAuth 2.0 Authorize Endpoint provided during the patient standalone launch'
-        },
-        smart_token_url: {
-          title: 'OAuth 2.0 Token Endpoint',
-          description: 'OAuth 2.0 Token Endpoint provided during the patient standalone launch'
-        },
-        smart_credentials: {
-          name: :public_smart_credentials
+        patient_id: {
+          name: :public_patient_id
         }
       },
       outputs: {
         code: { name: :public_code },
-        token_retrieval_time: { name: :public_token_retrieval_time },
         state: { name: :public_state },
         id_token: { name: :public_id_token },
-        refresh_token: { name: :public_refresh_token },
-        access_token: { name: :public_access_token },
-        expires_in: { name: :public_expires_in },
         patient_id: { name: :public_patient_id },
         encounter_id: { name: :public_encounter_id },
         received_scopes: { name: :public_received_scopes },
         intent: { name: :public_intent },
-        smart_credentials: { name: :public_smart_credentials }
+        smart_auth_info: { name: :public_smart_auth_info }
       },
       requests: {
         redirect: { name: :public_redirect },
@@ -107,22 +90,7 @@ module ONCCertificationG10TestKit
       }
     )
 
-    input_order :url,
-                :public_client_id,
-                :public_client_secret,
-                :public_requested_scopes,
-                :use_pkce,
-                :pkce_code_challenge_method,
-                :smart_authorization_url,
-                :smart_token_url
-
-    test from: :g10_patient_context,
-         config: {
-           inputs: {
-             patient_id: { name: :public_patient_id },
-             smart_credentials: { name: :public_smart_credentials }
-           }
-         }
+    test from: :g10_patient_context
 
     test do
       title 'OAuth token exchange response contains OpenID Connect id_token'
@@ -141,5 +109,10 @@ module ONCCertificationG10TestKit
         assert id_token.present?, 'Token response did not provide an id_token as required.'
       end
     end
+
+    test from: :well_known_endpoint
+
+    # Move the well-known endpoint test to the beginning
+    children.prepend(children.pop)
   end
 end