RubyGems - smart_app_launch_test_kit - Versions diffs - 0.0.1 - Mend

smart_app_launch_test_kit 0.0.1

Files changed (26) hide show

checksums.yaml +7 -0
data/LICENSE +201 -0
data/lib/smart_app_launch/app_launch_test.rb +25 -0
data/lib/smart_app_launch/app_redirect_test.rb +61 -0
data/lib/smart_app_launch/code_received_test.rb +31 -0
data/lib/smart_app_launch/discovery_group.rb +229 -0
data/lib/smart_app_launch/ehr_launch_group.rb +117 -0
data/lib/smart_app_launch/launch_received_test.rb +19 -0
data/lib/smart_app_launch/openid_connect_group.rb +83 -0
data/lib/smart_app_launch/openid_decode_id_token_test.rb +30 -0
data/lib/smart_app_launch/openid_fhir_user_claim_test.rb +30 -0
data/lib/smart_app_launch/openid_required_configuration_fields_test.rb +50 -0
data/lib/smart_app_launch/openid_retrieve_configuration_test.rb +31 -0
data/lib/smart_app_launch/openid_retrieve_jwks_test.rb +43 -0
data/lib/smart_app_launch/openid_token_header_test.rb +39 -0
data/lib/smart_app_launch/openid_token_payload_test.rb +64 -0
data/lib/smart_app_launch/standalone_launch_group.rb +104 -0
data/lib/smart_app_launch/token_exchange_test.rb +47 -0
data/lib/smart_app_launch/token_payload_validation.rb +47 -0
data/lib/smart_app_launch/token_refresh_body_test.rb +52 -0
data/lib/smart_app_launch/token_refresh_group.rb +45 -0
data/lib/smart_app_launch/token_refresh_test.rb +52 -0
data/lib/smart_app_launch/token_response_body_test.rb +53 -0
data/lib/smart_app_launch/token_response_headers_test.rb +27 -0
data/lib/smart_app_launch_test_kit.rb +141 -0
metadata +168 -0

data/lib/smart_app_launch/token_refresh_group.rb ADDED Viewed

@@ -0,0 +1,45 @@
+require_relative 'token_refresh_test'
+require_relative 'token_refresh_body_test'
+require_relative 'token_response_headers_test'
+module SMARTAppLaunch
+  class TokenRefreshGroup < Inferno::TestGroup
+    id :smart_token_refresh
+    title 'SMART Token Refresh'
+    description %(
+      # Background
+      The #{title} Sequence tests the ability of the system to successfuly
+      exchange a refresh token for an access token. Refresh tokens are typically
+      longer lived than access tokens and allow client applications to obtain a
+      new access token Refresh tokens themselves cannot provide access to
+      resources on the server.
+      Token refreshes are accomplished through a `POST` request to the token
+      exchange endpoint as described in the [SMART App Launch
+      Framework](http://www.hl7.org/fhir/smart-app-launch/#step-5-later-app-uses-a-refresh-token-to-obtain-a-new-access-token).
+      # Test Methodology
+      This test attempts to exchange the refresh token for a new access token
+      and verify that the information returned contains the required fields and
+      uses the proper headers.
+      For more information see:
+      * [The OAuth 2.0 Authorization
+        Framework](https://tools.ietf.org/html/rfc6749)
+      * [Using a refresh token to obtain a new access
+        token](http://hl7.org/fhir/smart-app-launch/#step-5-later-app-uses-a-refresh-token-to-obtain-a-new-access-token)
+    )
+    test from: :smart_token_refresh
+    test from: :smart_token_refresh_body
+    test from: :smart_token_response_headers,
+         config: {
+           requests: {
+             token: { name: :token_refresh }
+           }
+         }
+  end
+end

data/lib/smart_app_launch/token_refresh_test.rb ADDED Viewed

@@ -0,0 +1,52 @@
+require_relative 'token_payload_validation'
+module SMARTAppLaunch
+  class TokenRefreshTest < Inferno::Test
+    include TokenPayloadValidation
+    id :smart_token_refresh
+    title 'Server successfully refreshes the access token when optional scope parameter omitted'
+    description %(
+      Server successfully exchanges refresh token at OAuth token endpoint
+      without providing scope in the body of the request.
+      The EHR authorization server SHALL return a JSON structure that includes
+      an access token or a message indicating that the authorization request
+      has been denied. `access_token`, `expires_in`, `token_type`, and `scope` are
+      required. `access_token` must be `Bearer`.
+      Although not required in the token refresh portion of the SMART App
+      Launch Guide, the token refresh response should include the HTTP
+      Cache-Control response header field with a value of no-store, as well as
+      the Pragma response header field with a value of no-cache to be
+      consistent with the requirements of the inital access token exchange.
+    )
+    input :well_known_token_url, :refresh_token, :client_id, :received_scopes
+    input :client_secret, optional: true
+    makes_request :token_refresh
+    run do
+      skip_if refresh_token.blank?
+      oauth2_params = {
+        'grant_type' => 'refresh_token',
+        'refresh_token' => refresh_token
+      }
+      oauth2_headers = { 'Content-Type' => 'application/x-www-form-urlencoded' }
+      oauth2_params['scope'] = received_scopes if config.options[:include_scopes]
+      if client_secret.present?
+        credentials = Base64.strict_encode64("#{client_id}:#{client_secret}")
+        oauth2_headers['Authorization'] = "Basic #{credentials}"
+      else
+        oauth2_params['client_id'] = client_id
+      end
+      post(well_known_token_url, body: oauth2_params, name: :token_refresh, headers: oauth2_headers)
+      assert_response_status(200)
+      assert_valid_json(response[:body])
+    end
+  end
+end

data/lib/smart_app_launch/token_response_body_test.rb ADDED Viewed

@@ -0,0 +1,53 @@
+require_relative 'token_payload_validation'
+module SMARTAppLaunch
+  class TokenResponseBodyTest < Inferno::Test
+    include TokenPayloadValidation
+    title 'Token exchange response body contains required information encoded in JSON'
+    description %(
+      The EHR authorization server shall return a JSON structure that includes
+      an access token or a message indicating that the authorization request
+      has been denied. `access_token`, `token_type`, and `scope` are required.
+      `token_type` must be Bearer. `expires_in` is required for token
+      refreshes.
+    )
+    id :smart_token_response_body
+    input :requested_scopes
+    output :id_token,
+           :refresh_token,
+           :access_token,
+           :expires_in,
+           :patient_id,
+           :encounter_id,
+           :received_scopes,
+           :intent
+    uses_request :token
+    run do
+      skip_if request.status != 200, 'Token exchange was unsuccessful'
+      assert_valid_json(request.response_body)
+      token_response_body = JSON.parse(request.response_body)
+      output id_token: token_response_body['id_token'],
+             refresh_token: token_response_body['refresh_token'],
+             access_token: token_response_body['access_token'],
+             expires_in: token_response_body['expires_in'],
+             patient_id: token_response_body['patient'],
+             encounter_id: token_response_body['encounter'],
+             received_scopes: token_response_body['scope'],
+             intent: token_response_body['intent']
+      validate_required_fields_present(token_response_body, ['access_token', 'token_type', 'expires_in', 'scope'])
+      validate_token_field_types(token_response_body)
+      validate_token_type(token_response_body)
+      check_for_missing_scopes(requested_scopes, token_response_body)
+      assert access_token.present?, 'Token response did not contain an access token'
+      assert token_response_body['token_type']&.casecmp('Bearer')&.zero?,
+             '`token_type` field must have a value of `Bearer`'
+    end
+  end
+end

data/lib/smart_app_launch/token_response_headers_test.rb ADDED Viewed

@@ -0,0 +1,27 @@
+module SMARTAppLaunch
+  class TokenResponseHeadersTest < Inferno::Test
+    title 'Response includes correct HTTP Cache-Control and Pragma headers'
+    description %(
+      The authorization servers response must include the HTTP Cache-Control
+      response header field with a value of no-store, as well as the Pragma
+      response header field with a value of no-cache.
+    )
+    id :smart_token_response_headers
+    uses_request :token
+    run do
+      skip_if request.status != 200, 'Token exchange was unsuccessful'
+      cc_header = request.response_header('Cache-Control')&.value
+      assert cc_header&.downcase&.include?('no-store'),
+             'Token response must have `Cache-Control` header containing `no-store`.'
+      pragma_header = request.response_header('Pragma')&.value
+      assert pragma_header&.downcase&.include?('no-cache'),
+             'Token response must have `Pragma` header containing `no-cache`.'
+    end
+  end
+end

data/lib/smart_app_launch_test_kit.rb ADDED Viewed

@@ -0,0 +1,141 @@
+require_relative 'smart_app_launch/discovery_group'
+require_relative 'smart_app_launch/standalone_launch_group'
+require_relative 'smart_app_launch/ehr_launch_group'
+require_relative 'smart_app_launch/openid_connect_group'
+require_relative 'smart_app_launch/token_refresh_group'
+module SMARTAppLaunch
+  class SMARTSuite < Inferno::TestSuite
+    id 'smart'
+    title 'SMART'
+    resume_test_route :get, '/launch' do
+      request.query_parameters['iss']
+    end
+    resume_test_route :get, '/redirect' do
+      request.query_parameters['state']
+    end
+    config options: {
+      redirect_uri: "#{Inferno::Application['inferno_host']}/custom/smart/redirect",
+      launch_uri: "#{Inferno::Application['inferno_host']}/custom/smart/launch"
+    }
+    group do
+      title 'Standalone Launch'
+      run_as_group
+      group from: :smart_discovery
+      group from: :smart_standalone_launch
+      group from: :smart_openid_connect,
+            config: {
+              inputs: {
+                id_token: { name: :standalone_id_token },
+                client_id: { name: :standalone_client_id },
+                requested_scopes: { name: :standalone_requested_scopes }
+              }
+            }
+      group from: :smart_token_refresh,
+            id: :smart_standalone_refresh_without_scopes,
+            title: 'SMART Token Refresh Without Scopes',
+            config: {
+              inputs: {
+                refresh_token: { name: :standalone_refresh_token },
+                client_id: { name: :standalone_client_id },
+                client_secret: { name: :standalone_client_secret },
+                received_scopes: { name: :standalone_received_scopes }
+              },
+              outputs: {
+                refresh_token: { name: :standalone_refresh_token },
+                received_scopes: { name: :standalone_received_scopes },
+                access_token: { name: :standalone_access_token },
+                token_retrieval_time: { name: :standalone_token_retrieval_time },
+                expires_in: { name: :standalone_expires_in }
+              }
+            }
+      group from: :smart_token_refresh,
+            id: :smart_standalone_refresh_with_scopes,
+            title: 'SMART Token Refresh With Scopes',
+            config: {
+              options: { include_scopes: true },
+              inputs: {
+                refresh_token: { name: :standalone_refresh_token },
+                client_id: { name: :standalone_client_id },
+                client_secret: { name: :standalone_client_secret },
+                received_scopes: { name: :standalone_received_scopes }
+              },
+              outputs: {
+                refresh_token: { name: :standalone_refresh_token },
+                received_scopes: { name: :standalone_received_scopes },
+                access_token: { name: :standalone_access_token },
+                token_retrieval_time: { name: :standalone_token_retrieval_time },
+                expires_in: { name: :standalone_expires_in }
+              }
+            }
+    end
+    group do
+      title 'EHR Launch'
+      run_as_group
+      group from: :smart_discovery
+      group from: :smart_ehr_launch
+      group from: :smart_openid_connect,
+            config: {
+              inputs: {
+                id_token: { name: :ehr_id_token },
+                client_id: { name: :ehr_client_id },
+                requested_scopes: { name: :standalone_requested_scopes }
+              }
+            }
+      group from: :smart_token_refresh,
+            id: :smart_ehr_refresh_without_scopes,
+            title: 'SMART Token Refresh Without Scopes',
+            config: {
+              inputs: {
+                refresh_token: { name: :ehr_refresh_token },
+                client_id: { name: :ehr_client_id },
+                client_secret: { name: :ehr_client_secret },
+                received_scopes: { name: :ehr_received_scopes }
+              },
+              outputs: {
+                refresh_token: { name: :ehr_refresh_token },
+                received_scopes: { name: :ehr_received_scopes },
+                access_token: { name: :ehr_access_token },
+                token_retrieval_time: { name: :ehr_token_retrieval_time },
+                expires_in: { name: :ehr_expires_in }
+              }
+            }
+      group from: :smart_token_refresh,
+            id: :smart_ehr_refresh_with_scopes,
+            title: 'SMART Token Refresh With Scopes',
+            config: {
+              options: { include_scopes: true },
+              inputs: {
+                refresh_token: { name: :ehr_refresh_token },
+                client_id: { name: :ehr_client_id },
+                client_secret: { name: :ehr_client_secret },
+                received_scopes: { name: :ehr_received_scopes }
+              },
+              outputs: {
+                refresh_token: { name: :ehr_refresh_token },
+                received_scopes: { name: :ehr_received_scopes },
+                access_token: { name: :ehr_access_token },
+                token_retrieval_time: { name: :ehr_token_retrieval_time },
+                expires_in: { name: :ehr_expires_in }
+              }
+            }
+    end
+  end
+end

metadata ADDED Viewed

@@ -0,0 +1,168 @@
+--- !ruby/object:Gem::Specification
+name: smart_app_launch_test_kit
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Stephen MacVicar
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2021-10-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: inferno_core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.0.6
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.0.6
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.2
+- !ruby/object:Gem::Dependency
+  name: database_cleaner-sequel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+- !ruby/object:Gem::Dependency
+  name: factory_bot
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.1'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.10'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.11'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.11'
+description: Inferno Tests for the SMART Application Launch Framework Implementation
+  Guide
+email:
+- inferno@groups.mitre.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- lib/smart_app_launch/app_launch_test.rb
+- lib/smart_app_launch/app_redirect_test.rb
+- lib/smart_app_launch/code_received_test.rb
+- lib/smart_app_launch/discovery_group.rb
+- lib/smart_app_launch/ehr_launch_group.rb
+- lib/smart_app_launch/launch_received_test.rb
+- lib/smart_app_launch/openid_connect_group.rb
+- lib/smart_app_launch/openid_decode_id_token_test.rb
+- lib/smart_app_launch/openid_fhir_user_claim_test.rb
+- lib/smart_app_launch/openid_required_configuration_fields_test.rb
+- lib/smart_app_launch/openid_retrieve_configuration_test.rb
+- lib/smart_app_launch/openid_retrieve_jwks_test.rb
+- lib/smart_app_launch/openid_token_header_test.rb
+- lib/smart_app_launch/openid_token_payload_test.rb
+- lib/smart_app_launch/standalone_launch_group.rb
+- lib/smart_app_launch/token_exchange_test.rb
+- lib/smart_app_launch/token_payload_validation.rb
+- lib/smart_app_launch/token_refresh_body_test.rb
+- lib/smart_app_launch/token_refresh_group.rb
+- lib/smart_app_launch/token_refresh_test.rb
+- lib/smart_app_launch/token_response_body_test.rb
+- lib/smart_app_launch/token_response_headers_test.rb
+- lib/smart_app_launch_test_kit.rb
+homepage: https://github.com/inferno_community/smart-app-launch-test-kit
+licenses:
+- Apache-2.0
+metadata:
+  homepage_uri: https://github.com/inferno_community/smart-app-launch-test-kit
+  source_code_uri: https://github.com/inferno_community/smart-app-launch-test-kit
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.7.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.6
+signing_key:
+specification_version: 4
+summary: Inferno Tests for the SMART Application Launch Framework Implementation Guide
+test_files: []