RubyGems - onc_certification_g10_test_kit - Versions diffs - 7.2.8 → 7.2.9 - Mend

onc_certification_g10_test_kit 7.2.8 → 7.2.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '09dba4195d680b5ed4b0a60ea7f64a10bb669b1ea20926b39e17ac52a61946ce'
-  data.tar.gz: e5b9bae6e06f32020a93b05ccee328aef761d20d2754b6e5dc6e0b36c3e9d2ca
+  metadata.gz: a519770018d63590e33677acbce9ae4a7c98d64c17ff977fc0b08513211c66b5
+  data.tar.gz: 255002f2ebe5cc624962e5842f188892f3060db5d24a568523e0953201b88583
 SHA512:
-  metadata.gz: 7d1f81c971bc2f89c951738f039c4c56ff2b8fdb435ff9206222e1be576526eaa87717dce2d04f5b6a112bc4cf6b833e0a7e3582bac113ac6fb02fd541989b39
-  data.tar.gz: 7222a17c3fdd82e3c298fc3295ed047be019d26d82dbf9ce13db2c04169d5944c440eb8d4bc4b56f34fed27bab54dd60551367729ed97fc012db59b0f5aa194b
+  metadata.gz: 577ba0110ad39c56e9611941bdb5be784bc2b88b0a01ac139be8cef10f9548b1d33ea24c9bf25f9a7556f2cde02b789e43141eab43882149de7f167f0cd5a318
+  data.tar.gz: 5d540c0c65dd6d4bdb3236ca5b1cb67212694d8bb6e9ea52f7ffc1984a7306731ad9b4a01e4384e342e7bd5555a923d9460500af71c4cbf4553bcc929b649d99

data/lib/onc_certification_g10_test_kit/bulk_data_authorization.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-require_relative 'authorization_request_builder'
+require_relative 'bulk_data_jwks_helper'
 module ONCCertificationG10TestKit
   class BulkDataAuthorization < Inferno::TestGroup
@@ -29,6 +29,7 @@ module ONCCertificationG10TestKit
               },
               {
                 name: :jwks,
+                default: BulkDataJWKSHelper.jwks_json,
                 locked: true
               }
             ]
@@ -53,178 +54,107 @@ module ONCCertificationG10TestKit
       end
       config(
-        options: {  minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION }
+        options: { minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION }
       )
     end
-    test do
-      title 'Authorization request fails when client supplies invalid grant_type'
-      description <<~DESCRIPTION
-        The Backend Service Authorization specification defines the required fields for the
-        authorization request, made via HTTP POST to authorization token endpoint.
-        This includes the `grant_type` parameter, where the value must be `client_credentials`.
-        The OAuth 2.0 Authorization Framework describes the proper response for an
-        invalid request in the client credentials grant flow:
-        ```
-        If the request failed client authentication or is invalid, the authorization server returns an
-        error response as described in [Section 5.2](https://tools.ietf.org/html/rfc6749#section-5.2).
-        ```
-      DESCRIPTION
-      # link 'http://hl7.org/fhir/uv/bulkdata/STU1.0.1/authorization/index.html#protocol-details'
-      run do
-        post_request_content =
-          AuthorizationRequestBuilder.build(
-            encryption_method: bulk_smart_auth_info.encryption_algorithm,
-            scope: bulk_smart_auth_info.requested_scopes,
-            iss: bulk_smart_auth_info.client_id,
-            sub: bulk_smart_auth_info.client_id,
-            aud: bulk_smart_auth_info.token_url,
-            grant_type: 'not_a_grant_type'
-          )
-        post(bulk_smart_auth_info.token_url, **post_request_content)
-        assert_response_status(400)
-      end
-    end
-    test do
-      title 'Authorization request fails when supplied invalid client_assertion_type'
-      description <<~DESCRIPTION
-        The Backend Service Authorization specification defines the required fields for the
-        authorization request, made via HTTP POST to authorization token endpoint.
-        This includes the `client_assertion_type` parameter, where the value must be `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`.
-        The OAuth 2.0 Authorization Framework describes the proper response for an
-        invalid request in the client credentials grant flow:
-        ```
-        If the request failed client authentication or is invalid, the authorization server returns an
-        error response as described in [Section 5.2](https://tools.ietf.org/html/rfc6749#section-5.2).
-        ```
-      DESCRIPTION
-      # link 'http://hl7.org/fhir/uv/bulkdata/STU1.0.1/authorization/index.html#protocol-details'
-      run do
-        post_request_content =
-          AuthorizationRequestBuilder.build(
-            encryption_method: bulk_smart_auth_info.encryption_algorithm,
-            scope: bulk_smart_auth_info.requested_scopes,
-            iss: bulk_smart_auth_info.client_id,
-            sub: bulk_smart_auth_info.client_id,
-            aud: bulk_smart_auth_info.token_url,
-            client_assertion_type: 'not_an_assertion_type'
-          )
-        post(bulk_smart_auth_info.token_url, **post_request_content)
-        assert_response_status([400, 401])
-      end
-    end
-    test do
-      title 'Authorization request fails when client supplies invalid JWT token'
-      description <<~DESCRIPTION
-        The Backend Service Authorization specification defines the required fields for the
-        authorization request, made via HTTP POST to authorization token endpoint.
-        This includes the `client_assertion` parameter, where the value must be
-        a valid JWT. The JWT SHALL include the following claims, and SHALL be signed with the client’s private key.
-        | JWT Claim | Required? | Description |
-        | --- | --- | --- |
-        | iss | required | Issuer of the JWT -- the client's client_id, as determined during registration with the FHIR authorization server (note that this is the same as the value for the sub claim) |
-        | sub | required | The service's client_id, as determined during registration with the FHIR authorization server (note that this is the same as the value for the iss claim) |
-        | aud | required | The FHIR authorization server's "token URL" (the same URL to which this authentication JWT will be posted) |
-        | exp | required | Expiration time integer for this authentication JWT, expressed in seconds since the "Epoch" (1970-01-01T00:00:00Z UTC). This time SHALL be no more than five minutes in the future. |
-        | jti | required | A nonce string value that uniquely identifies this authentication JWT. |
-        The OAuth 2.0 Authorization Framework describes the proper response for an
-        invalid request in the client credentials grant flow:
-        ```
-        If the request failed client authentication or is invalid, the authorization server returns an
-        error response as described in [Section 5.2](https://tools.ietf.org/html/rfc6749#section-5.2).
-        ```
-      DESCRIPTION
-      # link 'http://hl7.org/fhir/uv/bulkdata/STU1.0.1/authorization/index.html#protocol-details'
-      run do
-        post_request_content =
-          AuthorizationRequestBuilder.build(
-            encryption_method: bulk_smart_auth_info.encryption_algorithm,
-            scope: bulk_smart_auth_info.requested_scopes,
-            iss: 'not_a_valid_iss',
-            sub: bulk_smart_auth_info.client_id,
-            aud: bulk_smart_auth_info.token_url
-          )
-        post(bulk_smart_auth_info.token_url, **post_request_content)
-        assert_response_status([400, 401])
-      end
-    end
-    test do
-      title 'Authorization request succeeds when supplied correct information'
-      description <<~DESCRIPTION
-        If the access token request is valid and authorized, the authorization server SHALL issue an access token in response.
-      DESCRIPTION
-      # link 'http://hl7.org/fhir/uv/bulkdata/STU1.0.1/authorization/index.html#issuing-access-tokens'
-      makes_request :bulk_authentication
-      run do
-        post_request_content =
-          AuthorizationRequestBuilder.build(
-            encryption_method: bulk_smart_auth_info.encryption_algorithm,
-            scope: bulk_smart_auth_info.requested_scopes,
-            iss: bulk_smart_auth_info.client_id,
-            sub: bulk_smart_auth_info.client_id,
-            aud: bulk_smart_auth_info.token_url
-          )
-        post(bulk_smart_auth_info.token_url, **post_request_content, name: :bulk_authentication)
-        assert_response_status([200, 201])
-      end
-    end
-    test do
-      title 'Authorization request response body contains required information encoded in JSON'
-      description <<~DESCRIPTION
-        The access token response SHALL be a JSON object with the following properties:
-        | Token Property | Required? | Description |
-        | --- | --- | --- |
-        | access_token | required | The access token issued by the authorization server. |
-        | token_type | required | Fixed value: bearer. |
-        | expires_in | required | The lifetime in seconds of the access token. The recommended value is 300, for a five-minute token lifetime. |
-        | scope | required | Scope of access authorized. Note that this can be different from the scopes requested by the app. |
-      DESCRIPTION
-      # link 'http://hl7.org/fhir/uv/bulkdata/STU1.0.1/authorization/index.html#issuing-access-tokens'
-      uses_request :bulk_authentication
-      output :bulk_smart_auth_info
-      run do
-        assert_valid_json(request.response_body)
-        response_body = JSON.parse(request.response_body)
-        access_token = response_body['access_token']
-        assert access_token.present?, 'Token response did not contain access_token as required'
-        bulk_smart_auth_info.update_from_response_body(request)
-        output bulk_smart_auth_info: bulk_smart_auth_info
-        required_keys = ['token_type', 'expires_in', 'scope']
-        required_keys.each do |key|
-          assert response_body[key].present?, "Token response did not contain #{key} as required"
-        end
-      end
-    end
+    test from: :smart_backend_services_invalid_grant_type,
+         title: 'Authorization request fails when client supplies invalid grant_type',
+         description: <<~DESCRIPTION,
+           The Backend Service Authorization specification defines the required fields for the
+           authorization request, made via HTTP POST to authorization token endpoint.
+           This includes the `grant_type` parameter, where the value must be `client_credentials`.
+           The OAuth 2.0 Authorization Framework describes the proper response for an
+           invalid request in the client credentials grant flow:
+           ```
+           If the request failed client authentication or is invalid, the authorization server returns an
+           error response as described in [Section 5.2](https://tools.ietf.org/html/rfc6749#section-5.2).
+           ```
+         DESCRIPTION
+         config: {
+           inputs: { smart_auth_info: { name: :bulk_smart_auth_info } }
+         }
+    test from: :smart_backend_services_invalid_client_assertion,
+         title: 'Authorization request fails when supplied invalid client_assertion_type',
+         description: <<~DESCRIPTION,
+           The Backend Service Authorization specification defines the required fields for the
+           authorization request, made via HTTP POST to authorization token endpoint.
+           This includes the `client_assertion_type` parameter, where the value must be `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`.
+           The OAuth 2.0 Authorization Framework describes the proper response for an
+           invalid request in the client credentials grant flow:
+           ```
+           If the request failed client authentication or is invalid, the authorization server returns an
+           error response as described in [Section 5.2](https://tools.ietf.org/html/rfc6749#section-5.2).
+           ```
+         DESCRIPTION
+         config: {
+           inputs: { smart_auth_info: { name: :bulk_smart_auth_info } }
+         }
+    test from: :smart_backend_services_invalid_jwt,
+         title: 'Authorization request fails when client supplies invalid JWT token',
+         description: <<~DESCRIPTION,
+           The Backend Service Authorization specification defines the required fields for the
+           authorization request, made via HTTP POST to authorization token endpoint.
+           This includes the `client_assertion` parameter, where the value must be
+           a valid JWT. The JWT SHALL include the following claims, and SHALL be signed with the client’s private key.
+           | JWT Claim | Required? | Description |
+           | --- | --- | --- |
+           | iss | required | Issuer of the JWT -- the client's client_id, as determined during registration with the FHIR authorization server (note that this is the same as the value for the sub claim) |
+           | sub | required | The service's client_id, as determined during registration with the FHIR authorization server (note that this is the same as the value for the iss claim) |
+           | aud | required | The FHIR authorization server's "token URL" (the same URL to which this authentication JWT will be posted) |
+           | exp | required | Expiration time integer for this authentication JWT, expressed in seconds since the "Epoch" (1970-01-01T00:00:00Z UTC). This time SHALL be no more than five minutes in the future. |
+           | jti | required | A nonce string value that uniquely identifies this authentication JWT. |
+           The OAuth 2.0 Authorization Framework describes the proper response for an
+           invalid request in the client credentials grant flow:
+           ```
+           If the request failed client authentication or is invalid, the authorization server returns an
+           error response as described in [Section 5.2](https://tools.ietf.org/html/rfc6749#section-5.2).
+           ```
+         DESCRIPTION
+         config: {
+           inputs: { smart_auth_info: { name: :bulk_smart_auth_info } }
+         }
+    test from: :smart_backend_services_auth_request_success,
+         title: 'Authorization request succeeds when supplied correct information',
+         description: <<~DESCRIPTION,
+           If the access token request is valid and authorized, the authorization server SHALL issue an access token in response.
+         DESCRIPTION
+         config: {
+           inputs: { smart_auth_info: { name: :bulk_smart_auth_info } },
+           outputs: {
+             smart_auth_info: { name: :bulk_smart_auth_info },
+             authentication_response: { name: :bulk_authentication }
+           }
+         }
+    test from: :smart_backend_services_auth_response_body,
+         title: 'Authorization request response body contains required information encoded in JSON',
+         description: <<~DESCRIPTION,
+           The access token response SHALL be a JSON object with the following properties:
+           | Token Property | Required? | Description |
+           | --- | --- | --- |
+           | access_token | required | The access token issued by the authorization server. |
+           | token_type | required | Fixed value: bearer. |
+           | expires_in | required | The lifetime in seconds of the access token. The recommended value is 300, for a five-minute token lifetime. |
+           | scope | required | Scope of access authorized. Note that this can be different from the scopes requested by the app. |
+         DESCRIPTION
+         config: {
+           inputs: {
+             smart_auth_info: { name: :bulk_smart_auth_info },
+             authentication_response: { name: :bulk_authentication }
+           },
+           outputs: { smart_auth_info: { name: :bulk_smart_auth_info } }
+         }
   end
 end

data/lib/onc_certification_g10_test_kit/bulk_data_jwks_helper.rb ADDED Viewed

@@ -0,0 +1,19 @@
+require 'json'
+module ONCCertificationG10TestKit
+  module BulkDataJWKSHelper
+    def self.jwks_json
+      @jwks_json ||= File.read(ENV.fetch('G10_BULK_DATA_JWKS', File.join(__dir__, 'bulk_data_jwks.json')))
+    end
+    def self.public_jwks_json
+      @public_jwks_json ||=
+        begin
+          jwks = JSON.parse(jwks_json)
+          JSON.pretty_generate(
+            { keys: jwks['keys'].select { |key| key['key_ops']&.include?('verify') } }
+          )
+        end
+    end
+  end
+end

data/lib/onc_certification_g10_test_kit/g10_certification_suite.rb CHANGED Viewed

@@ -6,6 +6,7 @@ require_relative 'feature'
 require_relative 'g10_options'
 require_relative 'multi_patient_api_stu1'
 require_relative 'multi_patient_api_stu2'
+require_relative 'bulk_data_jwks_helper'
 require_relative 'single_patient_api_group'
 require_relative 'single_patient_us_core_4_api_group'
 require_relative 'single_patient_us_core_5_api_group'
@@ -239,13 +240,7 @@ module ONCCertificationG10TestKit
     end
     def self.jwks_json
-      bulk_data_jwks =
-        JSON.parse(
-          File.read(ENV.fetch('G10_BULK_DATA_JWKS', File.join(__dir__, 'bulk_data_jwks.json')))
-        )
-      @jwks_json ||= JSON.pretty_generate(
-        { keys: bulk_data_jwks['keys'].select { |key| key['key_ops']&.include?('verify') } }
-      )
+      BulkDataJWKSHelper.public_jwks_json
     end
     def self.well_known_route_handler

data/lib/onc_certification_g10_test_kit/g10_certification_suite_short_id_map.yml CHANGED Viewed

@@ -2608,11 +2608,11 @@ g10_certification-g10_single_patient_us_core_7_api-g10_incorrectly_permitted_tls
 g10_certification-multi_patient_api: '7'
 g10_certification-multi_patient_api-bulk_data_authorization: '7.1'
 g10_certification-multi_patient_api-bulk_data_authorization-g10_bulk_token_tls_version: 7.1.01
-g10_certification-multi_patient_api-bulk_data_authorization-Test02: 7.1.02
-g10_certification-multi_patient_api-bulk_data_authorization-Test03: 7.1.03
-g10_certification-multi_patient_api-bulk_data_authorization-Test04: 7.1.04
-g10_certification-multi_patient_api-bulk_data_authorization-Test05: 7.1.05
-g10_certification-multi_patient_api-bulk_data_authorization-Test06: 7.1.06
+g10_certification-multi_patient_api-bulk_data_authorization-smart_backend_services_invalid_grant_type: 7.1.02
+g10_certification-multi_patient_api-bulk_data_authorization-smart_backend_services_invalid_client_assertion: 7.1.03
+g10_certification-multi_patient_api-bulk_data_authorization-smart_backend_services_invalid_jwt: 7.1.04
+g10_certification-multi_patient_api-bulk_data_authorization-smart_backend_services_auth_request_success: 7.1.05
+g10_certification-multi_patient_api-bulk_data_authorization-smart_backend_services_auth_response_body: 7.1.06
 g10_certification-multi_patient_api-g10_bulk_auth_tls_messages_setup: '7.01'
 g10_certification-multi_patient_api-bulk_data_group_export: '7.2'
 g10_certification-multi_patient_api-bulk_data_group_export-g10_bulk_data_server_tls_version: 7.2.01
@@ -2674,11 +2674,11 @@ g10_certification-multi_patient_api-g10_bulk_data_export_cancel_stu1-g10_bulk_ex
 g10_certification-multi_patient_api_stu2: '8'
 g10_certification-multi_patient_api_stu2-bulk_data_authorization: '8.1'
 g10_certification-multi_patient_api_stu2-bulk_data_authorization-g10_bulk_token_tls_version: 8.1.01
-g10_certification-multi_patient_api_stu2-bulk_data_authorization-Test02: 8.1.02
-g10_certification-multi_patient_api_stu2-bulk_data_authorization-Test03: 8.1.03
-g10_certification-multi_patient_api_stu2-bulk_data_authorization-Test04: 8.1.04
-g10_certification-multi_patient_api_stu2-bulk_data_authorization-Test05: 8.1.05
-g10_certification-multi_patient_api_stu2-bulk_data_authorization-Test06: 8.1.06
+g10_certification-multi_patient_api_stu2-bulk_data_authorization-smart_backend_services_invalid_grant_type: 8.1.02
+g10_certification-multi_patient_api_stu2-bulk_data_authorization-smart_backend_services_invalid_client_assertion: 8.1.03
+g10_certification-multi_patient_api_stu2-bulk_data_authorization-smart_backend_services_invalid_jwt: 8.1.04
+g10_certification-multi_patient_api_stu2-bulk_data_authorization-smart_backend_services_auth_request_success: 8.1.05
+g10_certification-multi_patient_api_stu2-bulk_data_authorization-smart_backend_services_auth_response_body: 8.1.06
 g10_certification-multi_patient_api_stu2-g10_bulk_auth_tls_messages_setup: '8.01'
 g10_certification-multi_patient_api_stu2-bulk_data_group_export_stu2: '8.2'
 g10_certification-multi_patient_api_stu2-bulk_data_group_export_stu2-g10_bulk_data_server_tls_version: 8.2.01

data/lib/onc_certification_g10_test_kit/requirements/generated/g10_certification_requirements_coverage.csv CHANGED Viewed

@@ -191,14 +191,14 @@ application with revoked access to receive patient EHI.",SHALL,Server,false,,,"9
 170.315(g)(10)-test-procedure,AUT-SYS-1,https://www.healthit.gov/test-method/standardized-api-patient-and-population-services#test_procedure,"The health IT developer demonstrates the ability of the Health IT
 Module to support OAuth 2.0 client credentials grant flow in
 accordance with an implementation specification adopted in §
-170.215(d).",SHALL,Server,false,,,"7.1.02, 7.1.03, 7.1.04, 7.1.05, 7.1.06, 8.1.02, 8.1.03, 8.1.04, 8.1.05, 8.1.06","g10_certification-multi_patient_api-bulk_data_authorization-Test02, g10_certification-multi_patient_api-bulk_data_authorization-Test03, g10_certification-multi_patient_api-bulk_data_authorization-Test04, g10_certification-multi_patient_api-bulk_data_authorization-Test05, g10_certification-multi_patient_api-bulk_data_authorization-Test06, g10_certification-multi_patient_api_stu2-bulk_data_authorization-Test02, g10_certification-multi_patient_api_stu2-bulk_data_authorization-Test03, g10_certification-multi_patient_api_stu2-bulk_data_authorization-Test04, g10_certification-multi_patient_api_stu2-bulk_data_authorization-Test05, g10_certification-multi_patient_api_stu2-bulk_data_authorization-Test06"
+170.215(d).",SHALL,Server,false,,,"7.1.02, 7.1.03, 7.1.04, 7.1.05, 7.1.06, 8.1.02, 8.1.03, 8.1.04, 8.1.05, 8.1.06","g10_certification-multi_patient_api-bulk_data_authorization-smart_backend_services_invalid_grant_type, g10_certification-multi_patient_api-bulk_data_authorization-smart_backend_services_invalid_client_assertion, g10_certification-multi_patient_api-bulk_data_authorization-smart_backend_services_invalid_jwt, g10_certification-multi_patient_api-bulk_data_authorization-smart_backend_services_auth_request_success, g10_certification-multi_patient_api-bulk_data_authorization-smart_backend_services_auth_response_body, g10_certification-multi_patient_api_stu2-bulk_data_authorization-smart_backend_services_invalid_grant_type, g10_certification-multi_patient_api_stu2-bulk_data_authorization-smart_backend_services_invalid_client_assertion, g10_certification-multi_patient_api_stu2-bulk_data_authorization-smart_backend_services_invalid_jwt, g10_certification-multi_patient_api_stu2-bulk_data_authorization-smart_backend_services_auth_request_success, g10_certification-multi_patient_api_stu2-bulk_data_authorization-smart_backend_services_auth_response_body"
 170.315(g)(10)-test-procedure,AUT-SYS-2,https://www.healthit.gov/test-method/standardized-api-patient-and-population-services#test_procedure,"The health IT developer demonstrates the ability of the Health IT
 Module to support the following parameters according to an
 implementation specification adopted in § 170.215(d):
 * “scope”;
 * “grant_type”;
 * “client_assertion_type”; and
-* “client_assertion”.",SHALL,Server,false,,,"7.1.05, 8.1.05","g10_certification-multi_patient_api-bulk_data_authorization-Test05, g10_certification-multi_patient_api_stu2-bulk_data_authorization-Test05"
+* “client_assertion”.",SHALL,Server,false,,,"7.1.05, 8.1.05","g10_certification-multi_patient_api-bulk_data_authorization-smart_backend_services_auth_request_success, g10_certification-multi_patient_api_stu2-bulk_data_authorization-smart_backend_services_auth_request_success"
 170.315(g)(10)-test-procedure,AUT-SYS-3,https://www.healthit.gov/test-method/standardized-api-patient-and-population-services#test_procedure,"The health IT developer demonstrates the ability of the Health IT
 Module to support the following JSON Web Token (JWT) Headers and
 Claims according to an implementation specification adopted in §
@@ -210,22 +210,22 @@ Claims according to an implementation specification adopted in §
 * “sub” claim;
 * “aud” claim;
 * “exp” claim; and
-* “jti” claim.",SHALL,Server,false,,,"7.1.05, 8.1.05","g10_certification-multi_patient_api-bulk_data_authorization-Test05, g10_certification-multi_patient_api_stu2-bulk_data_authorization-Test05"
+* “jti” claim.",SHALL,Server,false,,,"7.1.05, 8.1.05","g10_certification-multi_patient_api-bulk_data_authorization-smart_backend_services_auth_request_success, g10_certification-multi_patient_api_stu2-bulk_data_authorization-smart_backend_services_auth_request_success"
 170.315(g)(10)-test-procedure,AUT-SYS-4,https://www.healthit.gov/test-method/standardized-api-patient-and-population-services#test_procedure,"The health IT developer demonstrates the ability of the Health IT
 Module to receive and process the JSON Web Key (JWK) Set via a
 TLS-protected URL to support authorization for system scopes in §
-170.315(g)(10)(v)(B).",SHALL,Server,false,,,"7.1.05, 8.1.05","g10_certification-multi_patient_api-bulk_data_authorization-Test05, g10_certification-multi_patient_api_stu2-bulk_data_authorization-Test05"
+170.315(g)(10)(v)(B).",SHALL,Server,false,,,"7.1.05, 8.1.05","g10_certification-multi_patient_api-bulk_data_authorization-smart_backend_services_auth_request_success, g10_certification-multi_patient_api_stu2-bulk_data_authorization-smart_backend_services_auth_request_success"
 170.315(g)(10)-test-procedure,AUT-SYS-5,https://www.healthit.gov/test-method/standardized-api-patient-and-population-services#test_procedure,"The health IT developer demonstrates that the Health IT Module does
 not cache a JWK Set received via a TLS-protected URL for longer than
 the “cache-control” header sent by an application indicates.",SHALL,Server,false,,,11.10,g10_certification-g10_visual_inspection_and_attestations-Test10
 170.315(g)(10)-test-procedure,AUT-SYS-6,https://www.healthit.gov/test-method/standardized-api-patient-and-population-services#test_procedure,"The health IT developer demonstrates the ability of the Health IT
 Module to validate an application’s JWT, including its JSON Web
 Signatures, according to an implementation specification adopted in §
-170.215(d).",SHALL,Server,false,,,"7.1.05, 8.1.05","g10_certification-multi_patient_api-bulk_data_authorization-Test05, g10_certification-multi_patient_api_stu2-bulk_data_authorization-Test05"
+170.215(d).",SHALL,Server,false,,,"7.1.05, 8.1.05","g10_certification-multi_patient_api-bulk_data_authorization-smart_backend_services_auth_request_success, g10_certification-multi_patient_api_stu2-bulk_data_authorization-smart_backend_services_auth_request_success"
 170.315(g)(10)-test-procedure,AUT-SYS-7,https://www.healthit.gov/test-method/standardized-api-patient-and-population-services#test_procedure,"The health IT developer demonstrates the ability of the Health IT
 Module to respond with an “invalid_client” error for errors
 encountered during the authentication process according to an
-implementation specification adopted in § 170.215(d).",SHALL,Server,false,,,"7.1.02, 7.1.03, 7.1.04, 8.1.02, 8.1.03, 8.1.04","g10_certification-multi_patient_api-bulk_data_authorization-Test02, g10_certification-multi_patient_api-bulk_data_authorization-Test03, g10_certification-multi_patient_api-bulk_data_authorization-Test04, g10_certification-multi_patient_api_stu2-bulk_data_authorization-Test02, g10_certification-multi_patient_api_stu2-bulk_data_authorization-Test03, g10_certification-multi_patient_api_stu2-bulk_data_authorization-Test04"
+implementation specification adopted in § 170.215(d).",SHALL,Server,false,,,"7.1.02, 7.1.03, 7.1.04, 8.1.02, 8.1.03, 8.1.04","g10_certification-multi_patient_api-bulk_data_authorization-smart_backend_services_invalid_grant_type, g10_certification-multi_patient_api-bulk_data_authorization-smart_backend_services_invalid_client_assertion, g10_certification-multi_patient_api-bulk_data_authorization-smart_backend_services_invalid_jwt, g10_certification-multi_patient_api_stu2-bulk_data_authorization-smart_backend_services_invalid_grant_type, g10_certification-multi_patient_api_stu2-bulk_data_authorization-smart_backend_services_invalid_client_assertion, g10_certification-multi_patient_api_stu2-bulk_data_authorization-smart_backend_services_invalid_jwt"
 170.315(g)(10)-test-procedure,AUT-SYS-8,https://www.healthit.gov/test-method/standardized-api-patient-and-population-services#test_procedure,"The health IT developer demonstrates the ability of the Health IT
 Module to assure the scope granted based on the scope requested by an
 application is no greater than the pre-authorized scope for multiple
@@ -238,10 +238,10 @@ accordance with an implementation specification adopted in §
 * “access_token”;
 * “token_type”;
 * “expires_in”; and
-* “scope”.",SHALL,Server,false,,,"7.1.06, 8.1.06","g10_certification-multi_patient_api-bulk_data_authorization-Test06, g10_certification-multi_patient_api_stu2-bulk_data_authorization-Test06"
+* “scope”.",SHALL,Server,false,,,"7.1.06, 8.1.06","g10_certification-multi_patient_api-bulk_data_authorization-smart_backend_services_auth_response_body, g10_certification-multi_patient_api_stu2-bulk_data_authorization-smart_backend_services_auth_response_body"
 170.315(g)(10)-test-procedure,AUT-SYS-10,https://www.healthit.gov/test-method/standardized-api-patient-and-population-services#test_procedure,"The health IT developer demonstrates the ability of the Health IT
 Module to respond to errors using the appropriate error messages as
-specified in an implementation specification adopted in § 170.215(d).",SHALL,Server,false,,,"7.1.02, 7.1.03, 7.1.04, 7.2.03, 8.1.02, 8.1.03, 8.1.04, 8.2.03","g10_certification-multi_patient_api-bulk_data_authorization-Test02, g10_certification-multi_patient_api-bulk_data_authorization-Test03, g10_certification-multi_patient_api-bulk_data_authorization-Test04, g10_certification-multi_patient_api-bulk_data_group_export-Test03, g10_certification-multi_patient_api_stu2-bulk_data_authorization-Test02, g10_certification-multi_patient_api_stu2-bulk_data_authorization-Test03, g10_certification-multi_patient_api_stu2-bulk_data_authorization-Test04, g10_certification-multi_patient_api_stu2-bulk_data_group_export_stu2-Test03"
+specified in an implementation specification adopted in § 170.215(d).",SHALL,Server,false,,,"7.1.02, 7.1.03, 7.1.04, 7.2.03, 8.1.02, 8.1.03, 8.1.04, 8.2.03","g10_certification-multi_patient_api-bulk_data_authorization-smart_backend_services_invalid_grant_type, g10_certification-multi_patient_api-bulk_data_authorization-smart_backend_services_invalid_client_assertion, g10_certification-multi_patient_api-bulk_data_authorization-smart_backend_services_invalid_jwt, g10_certification-multi_patient_api-bulk_data_group_export-Test03, g10_certification-multi_patient_api_stu2-bulk_data_authorization-smart_backend_services_invalid_grant_type, g10_certification-multi_patient_api_stu2-bulk_data_authorization-smart_backend_services_invalid_client_assertion, g10_certification-multi_patient_api_stu2-bulk_data_authorization-smart_backend_services_invalid_jwt, g10_certification-multi_patient_api_stu2-bulk_data_group_export_stu2-Test03"
 170.315(g)(10)-test-procedure,TOK-INTRO-1,https://www.healthit.gov/test-method/standardized-api-patient-and-population-services#test_procedure,"The health IT developer demonstrates the ability of the Health IT
 Module to receive and validate a token it has issued in accordance
 with an implementation specification in § 170.215(c).",SHALL,Server,false,,,"9.11.2.01, 9.11.2.02, 9.11.3.01, 9.11.3.02, 9.20.2.01, 9.20.2.02, 9.20.3.01, 9.20.3.02, 11.06","g10_certification-Group06-g10_token_introspection-smart_token_introspection_request_group-Test01, g10_certification-Group06-g10_token_introspection-smart_token_introspection_request_group-Test02, g10_certification-Group06-g10_token_introspection-smart_token_introspection_response_group-Test01, g10_certification-Group06-g10_token_introspection-smart_token_introspection_response_group-Test02, g10_certification-Group06-g10_token_introspection_stu2_2-smart_token_introspection_request_group-Test01, g10_certification-Group06-g10_token_introspection_stu2_2-smart_token_introspection_request_group-Test02, g10_certification-Group06-g10_token_introspection_stu2_2-smart_token_introspection_response_group-Test01, g10_certification-Group06-g10_token_introspection_stu2_2-smart_token_introspection_response_group-Test02, g10_certification-g10_visual_inspection_and_attestations-Test06"

data/lib/onc_certification_g10_test_kit/smart_invalid_token_refresh_test.rb CHANGED Viewed

@@ -1,4 +1,6 @@
 module ONCCertificationG10TestKit
+  require 'smart_app_launch/client_assertion_builder'
   class SMARTInvalidTokenRefreshTest < Inferno::Test
     id :g10_invalid_token_refresh
     title 'Refresh token exchange fails when supplied an invalid refresh token'
@@ -26,6 +28,17 @@ module ONCCertificationG10TestKit
       if smart_auth_info.symmetric_auth?
         credentials = Base64.strict_encode64("#{smart_auth_info.client_id}:#{smart_auth_info.client_secret}")
         oauth2_headers['Authorization'] = "Basic #{credentials}"
+      elsif smart_auth_info.asymmetric_auth?
+        oauth2_params.merge!(
+          client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+          client_assertion: SMARTAppLaunch::ClientAssertionBuilder.build(
+            iss: smart_auth_info.client_id,
+            sub: smart_auth_info.client_id,
+            aud: smart_auth_info.token_url,
+            client_auth_encryption_method: smart_auth_info.encryption_algorithm,
+            custom_jwks: smart_auth_info.jwks
+          )
+        )
       else
         oauth2_params['client_id'] = smart_auth_info.client_id
       end

data/lib/onc_certification_g10_test_kit/version.rb CHANGED Viewed

@@ -1,4 +1,4 @@
 module ONCCertificationG10TestKit
-  VERSION = '7.2.8'.freeze
-  LAST_UPDATED = '2026-01-13'.freeze # TODO: update next release
+  VERSION = '7.2.9'.freeze
+  LAST_UPDATED = '2026-02-06'.freeze # TODO: update next release
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: onc_certification_g10_test_kit
 version: !ruby/object:Gem::Version
-  version: 7.2.8
+  version: 7.2.9
 platform: ruby
 authors:
 - Stephen MacVicar
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-01-13 00:00:00.000000000 Z
+date: 2026-02-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bloomer
@@ -47,7 +47,7 @@ dependencies:
         version: '1.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.7
+        version: 1.0.8
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -57,7 +57,7 @@ dependencies:
         version: '1.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.7
+        version: 1.0.8
 - !ruby/object:Gem::Dependency
   name: json-jwt
   requirement: !ruby/object:Gem::Requirement
@@ -198,7 +198,6 @@ files:
 - lib/inferno/terminology/value_set.rb
 - lib/onc_certification_g10_test_kit.rb
 - lib/onc_certification_g10_test_kit/all_resources.rb
-- lib/onc_certification_g10_test_kit/authorization_request_builder.rb
 - lib/onc_certification_g10_test_kit/base_token_refresh_group.rb
 - lib/onc_certification_g10_test_kit/base_token_refresh_stu2_group.rb
 - lib/onc_certification_g10_test_kit/bulk_data_authorization.rb
@@ -209,6 +208,7 @@ files:
 - lib/onc_certification_g10_test_kit/bulk_data_group_export_stu2.rb
 - lib/onc_certification_g10_test_kit/bulk_data_group_export_validation.rb
 - lib/onc_certification_g10_test_kit/bulk_data_jwks.json
+- lib/onc_certification_g10_test_kit/bulk_data_jwks_helper.rb
 - lib/onc_certification_g10_test_kit/bulk_export_validation_tester.rb
 - lib/onc_certification_g10_test_kit/configuration_checker.rb
 - lib/onc_certification_g10_test_kit/encounter_context_test.rb

data/lib/onc_certification_g10_test_kit/authorization_request_builder.rb DELETED Viewed

@@ -1,88 +0,0 @@
-require 'json/jwt'
-module ONCCertificationG10TestKit
-  class AuthorizationRequestBuilder
-    def self.build(...)
-      new(...).authorization_request
-    end
-    def self.bulk_data_jwks
-      @bulk_data_jwks ||= JSON.parse(File.read(ENV.fetch('G10_BULK_DATA_JWKS',
-                                                         File.join(__dir__, 'bulk_data_jwks.json'))))
-    end
-    attr_reader :encryption_method, :scope, :iss, :sub, :aud, :content_type, :grant_type, :client_assertion_type, :exp,
-                :jti
-    def initialize(
-      encryption_method:,
-      scope:,
-      iss:,
-      sub:,
-      aud:,
-      content_type: 'application/x-www-form-urlencoded',
-      grant_type: 'client_credentials',
-      client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
-      exp: 5.minutes.from_now,
-      jti: SecureRandom.hex(32)
-    )
-      @encryption_method = encryption_method
-      @scope = scope
-      @iss = iss
-      @sub = sub
-      @aud = aud
-      @content_type = content_type
-      @grant_type = grant_type
-      @client_assertion_type = client_assertion_type
-      @exp = exp
-      @jti = jti
-    end
-    def bulk_private_key
-      @bulk_private_key ||=
-        self.class.bulk_data_jwks['keys']
-          .select { |key| key['key_ops']&.include?('sign') }
-          .find { |key| key['alg'] == encryption_method }
-    end
-    def jwt_token
-      @jwt_token ||= JSON::JWT.new(iss:, sub:, aud:, exp:, jti:).compact
-    end
-    def jwk
-      @jwk ||= JSON::JWK.new(bulk_private_key)
-    end
-    def authorization_request_headers
-      {
-        content_type:,
-        accept: 'application/json'
-      }.compact
-    end
-    def authorization_request_query_values
-      {
-        'scope' => scope,
-        'grant_type' => grant_type,
-        'client_assertion_type' => client_assertion_type,
-        'client_assertion' => client_assertion.to_s
-      }.compact
-    end
-    def client_assertion
-      @client_assertion ||=
-        begin
-          jwt_token.kid = jwk['kid']
-          jwk_private_key = jwk.to_key
-          jwt_token.sign(jwk_private_key, bulk_private_key['alg'])
-        end
-    end
-    def authorization_request
-      uri = Addressable::URI.new
-      uri.query_values = authorization_request_query_values
-      { body: uri.query, headers: authorization_request_headers }
-    end
-  end
-end