shc_vaccination_test_kit 0.2.0 → 0.3.0

data/lib/covid19_vci/file_download.rb

@@ -1,109 +0,0 @@
-require_relative 'vc_fhir_validation'
-require_relative 'vc_headers'
-require_relative 'vc_payload_verification'
-require_relative 'vc_signature_verification'
-
-module Covid19VCI
-  class FileDownload < Inferno::TestGroup
-    id 'vci_file_download'
-    title 'Download and validate a health card via file download'
-
-    input :file_download_url
-
-    test do
-      id 'vci-file-01'
-      title 'Health card can be downloaded'
-      description 'The health card can be downloaded and is a valid JSON object'
-      makes_request :vci_file_download
-
-      run do
-        get(file_download_url, name: :vci_file_download)
-
-        assert_response_status(200)
-        assert_valid_json(response[:body])
-      end
-    end
-
-    test do
-      id 'vci-file-02'
-      title 'Response contains correct Content-Type of application/smart-health-card'
-      uses_request :vci_file_download
-
-      run do
-        skip_if request.status != 200, 'Health card not successfully downloaded'
-
-        content_type = request.response_header('Content-Type')
-
-        assert content_type.present?, 'Response did not include a Content-Type header'
-        assert content_type.value.match?(%r{\Aapplication/smart-health-card(\z|\W)}),
-               "Content-Type header was '#{content_type.value}' instead of 'application/smart-health-card'"
-      end
-    end
-
-    test do
-      id 'vci-file-03'
-      title 'Health card is provided as a file download with a .smart-health-card extension'
-      uses_request :vci_file_download
-
-      run do
-        skip_if request.status != 200, 'Health card not successfully downloaded'
-
-        pass_if request.url.ends_with?('.smart-health-card')
-
-        content_disposition = request.response_header('Content-Disposition')
-        assert content_disposition.present?,
-               "Url did not end with '.smart-health-card' and response did not include a Content-Disposition header"
-
-        attachment_pattern = /\Aattachment;/
-        assert content_disposition.value.match?(attachment_pattern),
-               "Url did not end with '.smart-health-card' and " \
-               "Content-Disposition header does not indicate file should be downloaded: '#{content_disposition}'"
-
-        extension_pattern = /filename=".*\.smart-health-card"/
-        assert content_disposition.value.match?(extension_pattern),
-               "Url did not end with '.smart-health-card' and Content-Disposition header does not indicate " \
-               "file should have a '.smart-health-card' extension: '#{content_disposition}'"
-      end
-    end
-
-    test do
-      id 'vci-file-04'
-      title 'Response contains an array of Verifiable Credential strings'
-      uses_request :vci_file_download
-      output :credential_strings
-
-      run do
-        skip_if request.status != 200, 'Health card not successfully downloaded'
-
-        body = JSON.parse(response[:body])
-        assert body.include?('verifiableCredential'),
-               "Health card does not contain 'verifiableCredential' field"
-
-        vc = body['verifiableCredential']
-
-        assert vc.is_a?(Array), "'verifiableCredential' field must contain an Array"
-        assert vc.length.positive?, "'verifiableCredential' field must contain at least one verifiable credential"
-
-        output credential_strings: vc.join(',')
-
-        pass "Received #{vc.length} verifiable #{'credential'.pluralize(vc.length)}"
-      end
-    end
-
-    test from: :vc_headers do
-      id 'vci-file-05'
-    end
-
-    test from: :vc_signature_verification do
-      id 'vci-file-06'
-    end
-
-    test from: :vc_payload_verification do
-      id 'vci-file-07'
-    end
-
-    test from: :vc_fhir_verification do
-      id 'vci-file-08'
-    end
-  end
-end

data/lib/covid19_vci/vc_fhir_validation.rb

@@ -1,75 +0,0 @@
-module Covid19VCI
-  class VCFHIRVerification < Inferno::Test
-    title 'Health Card payloads conform to the Vaccination Credential Bundle Profiles'
-    input :credential_strings
-
-    id :vc_fhir_verification
-
-    run do
-      skip_if credential_strings.blank?, 'No Verifiable Credentials received'
-
-      credential_strings.split(',').each do |credential|
-        raw_payload = HealthCards::JWS.from_jws(credential).payload
-        assert raw_payload&.length&.positive?, 'No payload found'
-
-        decompressed_payload =
-          begin
-            Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(raw_payload)
-          rescue Zlib::DataError
-            assert false, 'Payload compression error. Unable to inflate payload.'
-          end
-
-        assert decompressed_payload.length.positive?, 'Payload compression error. Unable to inflate payload.'
-
-        payload_length = decompressed_payload.length
-        health_card = HealthCards::COVIDHealthCard.from_jws(credential)
-        health_card_length = health_card.to_json.length
-
-        assert_valid_json decompressed_payload, 'Payload is not valid JSON'
-
-        payload = JSON.parse(decompressed_payload)
-        vc = payload['vc']
-        assert vc.is_a?(Hash), "Expected 'vc' claim to be a JSON object, but found #{vc.class}"
-
-        subject = vc['credentialSubject']
-        assert subject.is_a?(Hash), "Expected 'vc.credentialSubject' to be a JSON object, but found #{subject.class}"
-
-        raw_bundle = subject['fhirBundle']
-        assert raw_bundle.is_a?(Hash), "Expected 'vc.fhirBundle' to be a JSON object, but found #{raw_bundle.class}"
-
-        bundle = FHIR::Bundle.new(raw_bundle)
-
-        # assert bundle.entry.any? { |r| r.resource.is_a?(FHIR::Immunization) } || bundle.entry.any? { |r| r.resource.is_a?(FHIR::Observation) },
-        # "Bundle must have either Immunization entries or Observation entries"
-
-        # if bundle.entry.any? { |r| r.resource.is_a?(FHIR::Immunization) }
-          assert_valid_resource(
-            resource: bundle,
-            profile_url: 'http://hl7.org/fhir/uv/smarthealthcards-vaccination/StructureDefinition/vaccination-credential-bundle'
-          )
-
-          warning do
-            assert_valid_resource(
-              resource: bundle,
-              profile_url: 'http://hl7.org/fhir/uv/smarthealthcards-vaccination/StructureDefinition/vaccination-credential-bundle-dm'
-            )
-          end
-        # end
-
-        if bundle.entry.any? { |r| r.resource.is_a?(FHIR::Observation) }
-          assert_valid_resource(
-            resource: bundle,
-            profile_url: 'http://hl7.org/fhir/uv/smarthealthcards-vaccination/StructureDefinition/covid19-laboratory-bundle'
-          )
-
-          warning do
-            assert_valid_resource(
-              resource: bundle,
-              profile_url: 'http://hl7.org/fhir/uv/smarthealthcards-vaccination/StructureDefinition/covid19-laboratory-bundle-dm'
-            )
-          end
-        end
-      end
-    end
-  end
-end

data/lib/covid19_vci/vc_headers.rb

@@ -1,21 +0,0 @@
-module Covid19VCI
-  class VCHeaders < Inferno::Test
-    title 'Health Cards contain the correct headers'
-    input :credential_strings
-
-    id :vc_headers
-
-    run do
-      skip_if credential_strings.blank?, 'No Verifiable Credentials received'
-      credential_strings.split(',').each do |credential|
-        header = HealthCards::JWS.from_jws(credential).header
-
-        assert header['zip'] == 'DEF', "Expected 'zip' header to equal 'DEF', but found '#{header['zip']}'"
-        assert header['alg'] == 'ES256', "Expected 'alg' header to equal 'ES256', but found '#{header['alg']}'"
-        assert header['kid'].present?, "No 'kid' header was present"
-      rescue StandardError => e
-        assert false, "Error decoding credential: #{e.message}"
-      end
-    end
-  end
-end

data/lib/covid19_vci/vc_payload_verification.rb

@@ -1,115 +0,0 @@
-module Covid19VCI
-  class VCPayloadVerification < Inferno::Test
-    title 'Health Card payloads follow the spec requirements'
-    input :credential_strings
-
-    id :vc_payload_verification
-
-    run do
-      skip_if credential_strings.blank?, 'No Verifiable Credentials received'
-
-      credential_strings.split(',').each do |credential|
-        raw_payload = HealthCards::JWS.from_jws(credential).payload
-        assert raw_payload&.length&.positive?, 'No payload found'
-
-        decompressed_payload =
-          begin
-            Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(raw_payload)
-          rescue Zlib::DataError
-            assert false, 'Payload compression error. Unable to inflate payload.'
-          end
-
-        assert decompressed_payload.length.positive?, 'Payload compression error. Unable to inflate payload.'
-
-        payload_length = decompressed_payload.length
-        health_card = HealthCards::HealthCard.from_jws(credential)
-        health_card_length = health_card.to_json.length
-
-        warning do
-          assert payload_length <= health_card_length,
-                 "Payload may not be properly minified. Received a payload with length #{payload_length}, " \
-                 "but was able to generate a payload with length #{health_card_length}"
-        end
-
-        assert_valid_json decompressed_payload, 'Payload is not valid JSON'
-
-        payload = JSON.parse(decompressed_payload)
-
-        warning do
-          nbf = payload['nbf']
-          assert nbf.present?, "Payload does not include an 'nbf' claim"
-          assert nbf.is_a?(Numeric), "Expected 'nbf' claim to be Numeric, but found #{nbf.class}"
-          issue_time = Time.at(nbf).to_datetime
-          assert issue_time < DateTime.now, "'nbf' is in the future: #{issue_time.rfc822}"
-        end
-
-        vc = payload['vc']
-        assert vc.is_a?(Hash), "Expected 'vc' claim to be a JSON object, but found #{vc.class}"
-        type = vc['type']
-
-        warning do
-          assert type.is_a?(Array), "Expected 'vc.type' to be an array, but found #{type.class}"
-          assert type.include?('https://smarthealth.cards#health-card'),
-                 "'vc.type' does not include 'https://smarthealth.cards#health-card'"
-        end
-
-        subject = vc['credentialSubject']
-        assert subject.is_a?(Hash), "Expected 'vc.credentialSubject' to be a JSON object, but found #{subject.class}"
-
-        warning do
-          assert subject['fhirVersion'].present?, "'vc.credentialSubject.fhirVersion' not provided"
-        end
-
-        raw_bundle = subject['fhirBundle']
-        assert raw_bundle.is_a?(Hash), "Expected 'vc.fhirBundle' to be a JSON object, but found #{raw_bundle.class}"
-
-        resource_scheme_regex = /\Aresource:\d+\z/
-        warning do
-          urls = raw_bundle['entry'].map { |entry| entry['fullUrl'] }
-          bad_urls = urls.reject { |url| url.match?(resource_scheme_regex) }
-          assert bad_urls.empty?,
-                 "The following Bundle entry urls do not use short resource-scheme URIs: #{bad_urls.join(', ')}"
-        end
-
-        bundle = FHIR::Bundle.new(raw_bundle)
-        resources = bundle.entry.map(&:resource)
-        bundle.entry.each { |entry| entry.resource = nil }
-        resources << bundle
-
-        resources.each do |resource|
-          warning { assert resource.id.nil?, "#{resource.resourceType} resource should not have an 'id' element" }
-
-          if resource.respond_to? :text
-            warning { assert resource.text.nil?, "#{resource.resourceType} resource should not have a 'text' element" }
-          end
-
-          resource.each_element(resource) do |value, meta, path|
-            case meta['type']
-            when 'CodeableConcept'
-              warning { assert value.text.nil?, "#{resource.resourceType} should not have a #{path}.text element" }
-            when 'Coding'
-              warning do
-                assert value.display.nil?, "#{resource.resourceType} should not have a #{path}.display element"
-              end
-            when 'Reference'
-              warning do
-                next if value.reference.nil?
-
-                assert value.reference.match?(resource_scheme_regex),
-                       "#{resource.resourceType}.#{path}.reference is not using the short resource URI scheme: " \
-                       "#{value.reference}"
-              end
-            when 'Meta'
-              hash = value.to_hash
-              warning do
-                assert hash.length == 1 && hash.include?('security'),
-                       "If present, Bundle 'meta' field should only include 'security', " \
-                       "but found: #{hash.keys.join(', ')}"
-              end
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/covid19_vci/vc_signature_verification.rb

@@ -1,69 +0,0 @@
-module Covid19VCI
-  class VCSignatureVerification < Inferno::Test
-    title 'Verifiable Credential signatures can be verified'
-    input :credential_strings
-
-    id :vc_signature_verification
-
-    run do
-      skip_if credential_strings.blank?, 'No Verifiable Credentials received'
-      credential_strings.split(',').each do |credential|
-        card = HealthCards::HealthCard.from_jws(credential)
-        iss = card.issuer
-
-        jws = HealthCards::JWS.from_jws(credential)
-
-        assert iss.present?, 'Credential contains no `iss`'
-        warning { assert iss.start_with?('https://'), "`iss` SHALL use the `https` scheme: #{iss}" }
-        assert !iss.end_with?('/'), "`iss` SHALL NOT include a trailing `/`: #{iss}"
-
-        key_set_url = "#{card.issuer}/.well-known/jwks.json"
-
-        get(key_set_url)
-
-        assert_response_status(200)
-        assert_valid_json(response[:body])
-
-        cors_header = request.response_header('Control-Allow-Origin')
-        warning do
-          assert cors_header.present?,
-                 'No CORS header received. Issuers SHALL publish their public keys with CORS enabled'
-          assert cors_header.value == '*',
-                 "Expected CORS header value of `*`, but actual value was `#{cors_header.value}`"
-        end
-
-        key_set = JSON.parse(response[:body])
-
-        public_key = key_set['keys'].find { |key| key['kid'] == jws.kid }
-        key_object = HealthCards::Key.from_jwk(public_key)
-
-        assert public_key.present?, "Key set did not contain a key with a `kid` of #{jws.kid}"
-
-        warning { assert public_key['kty'] == 'EC', "Key had a `kty` value of `#{public_key['kty']}` instead of `EC`" }
-        warning do
-          assert public_key['use'] == 'sig', "Key had a `use` value of `#{public_key['use']}` instead of `sig`"
-        end
-        warning do
-          assert public_key['alg'] == 'ES256', "Key had an `alg` value of `#{public_key['alg']}` instead of `ES256`"
-        end
-        warning do
-          assert public_key['crv'] == 'P-256', "Key had a `crv` value of `#{public_key['crv']}` instead of `P-256`"
-        end
-        warning { assert !public_key.include?('d'), 'Key SHALL NOT have the private key parameter `d`' }
-        warning do
-          assert public_key['kid'] == key_object.kid,
-                 "'kid' SHALL be equal to the base64url-encoded SHA-256 JWK Thumbprint of the key. " \
-                 "Received: '#{public_key['kid']}', Expected: '#{key_object.kid}'"
-        end
-
-        verifier = HealthCards::Verifier.new(keys: key_object, resolve_keys: false)
-
-        begin
-          assert verifier.verify(jws), 'JWS signature invalid'
-        rescue StandardError => e
-          assert false, "Error decoding credential: #{e.message}"
-        end
-      end
-    end
-  end
-end

data/lib/covid19_vci/version.rb

@@ -1,3 +0,0 @@
-module Covid19VCI
-  VERSION = '0.2.0'.freeze
-end