smart_app_launch_test_kit 0.4.4 → 0.4.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1565daad4304e65881d1a3a373d29c8674d19d57bf46342a1cdc95db6c29b6f4
-  data.tar.gz: 4923648577e4d53631a8efa7ccae1f254957d490e579359415ca4f9d426ac5fe
+  metadata.gz: af89139a6750969a3efa3731229c4ff2a8754738f75024b10aa986cb69325dbb
+  data.tar.gz: 8b412a1bb5601e932bc149f0de5e5dc59aaf5a7dc5be962a98a575a378fb297e
 SHA512:
-  metadata.gz: c1266d06f6b1bd55a93e84b93cdd0de9d628ac5d5eb084dc38817e5639869a35ccb2f5173163f0966786937ef3821a5b1e317233af2be5e042afca840f4649c3
-  data.tar.gz: 5101dabbab6be10be047d9e378f43fc939d605f7adcb5277c07c738f2aabbf80e5b565cb1a1885ed35184ac5b5bdf2b9a4311396498bb02766ed925986ce2433
+  metadata.gz: c67c07a022b652ab979b1d5f1d857d2ffb44b63030e00f11f0d1ed5b0cede5a1371abef7263ea8e6c517acb617c33e3698bf74686fdec407eac5d37a48ceedc6
+  data.tar.gz: cef63d441dfd3f5b1cc2d0c902bab6632006f447b494ba39ebbb2a4c8b87d82cf457c60f0108a22f752c5ac525a94b69d962622b234901805aaf72a8f750e53f

data/lib/smart_app_launch/cors_metadata_request_test.rb

@@ -0,0 +1,40 @@
+require_relative 'url_helpers'
+
+module SMARTAppLaunch
+  class CORSMetadataRequest < Inferno::Test
+    id :smart_cors_metadata_request
+
+    include URLHelpers
+
+    title 'SMART metadata Endpoint Enables Cross-Origin Resource Sharing (CORS)'
+    description %(
+      The SMART [Considerations for Cross-Origin Resource Sharing (CORS) support](http://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-cross-origin-resource-sharing-cors-support)
+      specifies that servers that support purely browser-based apps SHALL enable Cross-Origin Resource Sharing (CORS)
+      as follows:
+
+        - For requests from any origin, CORS configuration permits access to the public discovery endpoints
+          (.well-known/smart-configuration and metadata).
+
+      This test verifies that the metadata request is returned with the appropriate CORS header.
+    )
+    optional
+
+    input :url
+
+    fhir_client do
+      url :url
+      headers 'Origin' => Inferno::Application['inferno_host']
+    end
+
+    run do
+      fhir_get_capability_statement
+
+      assert_response_status(200)
+      inferno_origin = Inferno::Application['inferno_host']
+      cors_allow_origin = request.response_header('Access-Control-Allow-Origin')&.value
+      assert cors_allow_origin.present?, 'No `Access-Control-Allow-Origin` header received.'
+      assert cors_allow_origin == inferno_origin || cors_allow_origin == '*',
+             "`Access-Control-Allow-Origin` must be `#{inferno_origin}`, but received: `#{cors_allow_origin}`"
+    end
+  end
+end

data/lib/smart_app_launch/cors_openid_fhir_user_claim_test.rb

@@ -0,0 +1,48 @@
+module SMARTAppLaunch
+  class CORSOpenIDFHIRUserClaimTest < Inferno::Test
+    id :smart_cors_openid_fhir_user_claim
+    title 'SMART FHIR User REST API Endpoint Enables Cross-Origin Resource Sharing (CORS)'
+    description %(
+      The SMART [Considerations for Cross-Origin Resource Sharing (CORS) support](http://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-cross-origin-resource-sharing-cors-support)
+      specifies that servers that support purely browser-based apps SHALL enable Cross-Origin Resource Sharing (CORS)
+      as follows:
+
+        - For requests from a client's registered origin(s), CORS configuration permits access to the token
+          endpoint and to FHIR REST API endpoints.
+
+      This test verifies that a request to the FHIR REST API endpoint for the FHIR user is returned with the appropriate
+      CORS header.
+    )
+    optional
+
+    input :url, :id_token_fhir_user
+    input :smart_credentials, type: :oauth_credentials
+
+    fhir_client do
+      url :url
+      oauth_credentials :smart_credentials
+      headers 'Origin' => Inferno::Application['inferno_host']
+    end
+
+    run do
+      valid_fhir_user_resource_types = ['Patient', 'Practitioner', 'RelatedPerson', 'Person']
+
+      fhir_user_segments = id_token_fhir_user.split('/')
+      fhir_user_resource_type = fhir_user_segments[-2]
+      fhir_user_id = fhir_user_segments.last
+
+      assert valid_fhir_user_resource_types.include?(fhir_user_resource_type),
+             "ID token `fhirUser` claim does not refer to a valid resource type: #{id_token_fhir_user}"
+
+      fhir_read(fhir_user_resource_type, fhir_user_id)
+
+      assert_response_status(200)
+
+      inferno_origin = Inferno::Application['inferno_host']
+      cors_allow_origin = request.response_header('Access-Control-Allow-Origin')&.value
+      assert cors_allow_origin.present?, 'No `Access-Control-Allow-Origin` header received.'
+      assert cors_allow_origin == inferno_origin || cors_allow_origin == '*',
+             "`Access-Control-Allow-Origin` must be `#{inferno_origin}`, but received: `#{cors_allow_origin}`"
+    end
+  end
+end

data/lib/smart_app_launch/cors_token_exchange_test.rb

@@ -0,0 +1,35 @@
+module SMARTAppLaunch
+  class CORSTokenExchangeTest < Inferno::Test
+    title 'SMART Token Endpoint Enables Cross-Origin Resource Sharing (CORS)'
+    description %(
+      The SMART [Considerations for Cross-Origin Resource Sharing (CORS) support](http://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-cross-origin-resource-sharing-cors-support)
+      specifies that servers that support purely browser-based apps SHALL enable Cross-Origin Resource Sharing (CORS)
+      as follows:
+
+        - For requests from a client's registered origin(s), CORS configuration permits access to the token
+          endpoint
+
+      This test verifies that the token endpoint contains the appropriate CORS header in the response.
+    )
+    id :smart_cors_token_exchange
+
+    uses_request :cors_token_request
+
+    input :client_auth_type
+
+    run do
+      omit_if client_auth_type != 'public', %(
+        Client type is not public, Cross-Origin Resource Sharing (CORS) is not required to be supported for
+        non-public client types
+      )
+
+      skip_if request.status != 200, 'Previous request was unsuccessful, cannot check for CORS support'
+
+      inferno_origin = Inferno::Application['inferno_host']
+      cors_header = request.response_header('Access-Control-Allow-Origin')&.value
+
+      assert cors_header == inferno_origin || cors_header == '*',
+             "Request must have `Access-Control-Allow-Origin` header containing `#{inferno_origin}`"
+    end
+  end
+end

data/lib/smart_app_launch/cors_well_known_endpoint_test.rb

@@ -0,0 +1,40 @@
+require_relative 'url_helpers'
+
+module SMARTAppLaunch
+  class CORSWellKnownEndpointTest < Inferno::Test
+    include URLHelpers
+
+    title 'SMART .well-known/smart-configuration Endpoint Enables Cross-Origin Resource Sharing (CORS)'
+    id :smart_cors_well_known_endpoint
+    description %(
+      The SMART [Considerations for Cross-Origin Resource Sharing (CORS) support](http://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-cross-origin-resource-sharing-cors-support)
+      specifies that servers that support purely browser-based apps SHALL enable Cross-Origin Resource Sharing (CORS)
+      as follows:
+
+        - For requests from any origin, CORS configuration permits access to the public discovery endpoints
+          (.well-known/smart-configuration and metadata).
+
+      This test verifies that the .well-known/smart-configuration request is returned with the appropriate CORS header.
+    )
+    optional
+
+    input :url,
+          title: 'FHIR Endpoint',
+          description: 'URL of the FHIR endpoint used by SMART applications'
+
+    run do
+      well_known_configuration_url = "#{url.chomp('/')}/.well-known/smart-configuration"
+      inferno_origin = Inferno::Application['inferno_host']
+
+      get(well_known_configuration_url,
+          headers: { 'Accept' => 'application/json',
+                     'Origin' => inferno_origin })
+      assert_response_status(200)
+
+      cors_allow_origin = request.response_header('Access-Control-Allow-Origin')&.value
+      assert cors_allow_origin.present?, 'No `Access-Control-Allow-Origin` header received.'
+      assert cors_allow_origin == inferno_origin || cors_allow_origin == '*',
+             "`Access-Control-Allow-Origin` must be `#{inferno_origin}`, but received: `#{cors_allow_origin}`"
+    end
+  end
+end

data/lib/smart_app_launch/discovery_stu2_2_group.rb

@@ -0,0 +1,12 @@
+require_relative 'cors_metadata_request_test'
+require_relative 'cors_well_known_endpoint_test'
+require_relative 'discovery_stu2_group'
+
+module SMARTAppLaunch
+  class DiscoverySTU22Group < DiscoverySTU2Group
+    id :smart_discovery_stu2_2
+
+    test from: :smart_cors_well_known_endpoint
+    test from: :smart_cors_metadata_request
+  end
+end

data/lib/smart_app_launch/ehr_launch_group_stu2_2.rb

@@ -1,5 +1,7 @@
 require_relative 'ehr_launch_group_stu2'
 require_relative 'token_response_body_test_stu2_2'
+require_relative 'cors_token_exchange_test'
+require_relative 'token_exchange_stu2_2_test'
 
 module SMARTAppLaunch
   class EHRLaunchGroupSTU22 < EHRLaunchGroupSTU2
@@ -46,9 +48,21 @@ module SMARTAppLaunch
       }
     )
 
+    test from: :smart_token_exchange_stu2_2
+
+    token_exchange_index = children.find_index { |child| child.id.to_s.end_with? 'smart_token_exchange' }
+    children[token_exchange_index] = children.pop
+
     test from: :smart_token_response_body_stu2_2
 
     token_response_body_index = children.find_index { |child| child.id.to_s.end_with? 'token_response_body' }
     children[token_response_body_index] = children.pop
+
+    test from: :smart_cors_token_exchange,
+         config: {
+           requests: {
+             cors_token_request: { name: :ehr_token }
+           }
+         }
   end
 end

data/lib/smart_app_launch/openid_connect_group_stu2_2.rb

@@ -0,0 +1,40 @@
+require_relative 'cors_openid_fhir_user_claim_test'
+require_relative 'openid_connect_group'
+
+module SMARTAppLaunch
+  class OpenIDConnectGroupSTU22 < OpenIDConnectGroup
+    id :smart_openid_connect_stu2_2
+    title 'OpenID Connect'
+    short_description 'Demonstrate the ability to authenticate users with OpenID Connect.'
+
+    description %(
+      # Background
+
+      OpenID Connect (OIDC) provides the ability to verify the identity of the
+      authorizing user. Within the [SMART App Launch
+      Framework](https://www.hl7.org/fhir/smart-app-launch/STU2.2/), Applications can
+      request an `id_token` be provided with by including the `openid fhirUser`
+      scopes when requesting authorization.
+
+      # Test Methodology
+
+      This sequence validates the id token returned as part of the OAuth 2.0
+      token response. Once the token is decoded, the server's OIDC configuration
+      is retrieved from its well-known configuration endpoint. This
+      configuration is checked to ensure that all required fields are present.
+      Next the keys used to cryptographically sign the id token are retrieved
+      from the url contained in the OIDC configuration. Then the header,
+      payload, and signature of the id token are validated. Finally, the FHIR
+      resource from the `fhirUser` claim in the id token is fetched from the
+      FHIR server.
+
+      For more information see:
+
+      * [SMART App Launch Framework](https://www.hl7.org/fhir/smart-app-launch/STU2.2/)
+      * [Scopes for requesting identity data](https://www.hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context/index.html#scopes-for-requesting-identity-data)
+      * [Apps Requesting Authorization](https://www.hl7.org/fhir/smart-app-launch/STU2.2/index.html#step-1-app-asks-for-authorization)
+      * [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html)
+    )
+    test from: :smart_cors_openid_fhir_user_claim
+  end
+end

data/lib/smart_app_launch/smart_stu2_2_suite.rb

@@ -2,12 +2,11 @@ require 'tls_test_kit'
 
 require_relative 'jwks'
 require_relative 'version'
-require_relative 'discovery_stu2_group'
+require_relative 'discovery_stu2_2_group'
 require_relative 'standalone_launch_group_stu2_2'
 require_relative 'ehr_launch_group_stu2_2'
-require_relative 'openid_connect_group'
+require_relative 'openid_connect_group_stu2_2'
 require_relative 'token_introspection_group_stu2_2'
-require_relative 'token_refresh_stu2_group'
 require_relative 'backend_services_authorization_group'
 
 module SMARTAppLaunch
@@ -55,6 +54,9 @@ module SMARTAppLaunch
       following JWK Set URL:
 
       * `#{Inferno::Application[:base_url]}/custom/smart_stu2_2/.well-known/jwks.json`
+
+      **NOTE:** This suite does not currently test [CORS
+        support](http://hl7.org/fhir/smart-app-launch/app-launch.html#considerations-for-cross-origin-resource-sharing-cors-support).
     DESCRIPTION
 
     input_instructions %(
@@ -89,10 +91,10 @@ module SMARTAppLaunch
 
       run_as_group
 
-      group from: :smart_discovery_stu2
+      group from: :smart_discovery_stu2_2
       group from: :smart_standalone_launch_stu2_2
 
-      group from: :smart_openid_connect,
+      group from: :smart_openid_connect_stu2_2,
             config: {
               inputs: {
                 id_token: { name: :standalone_id_token },
@@ -164,11 +166,11 @@ module SMARTAppLaunch
 
       run_as_group
 
-      group from: :smart_discovery_stu2
+      group from: :smart_discovery_stu2_2
 
       group from: :smart_ehr_launch_stu2_2
 
-      group from: :smart_openid_connect,
+      group from: :smart_openid_connect_stu2_2,
             config: {
               inputs: {
                 id_token: { name: :ehr_id_token },
@@ -234,7 +236,7 @@ module SMARTAppLaunch
 
       run_as_group
 
-      group from: :smart_discovery_stu2
+      group from: :smart_discovery_stu2_2
       group from: :backend_services_authorization
     end
 

data/lib/smart_app_launch/standalone_launch_group_stu2_2.rb

@@ -1,5 +1,7 @@
 require_relative 'token_response_body_test_stu2_2'
 require_relative 'standalone_launch_group_stu2'
+require_relative 'cors_token_exchange_test'
+require_relative 'token_exchange_stu2_2_test'
 
 module SMARTAppLaunch
   class StandaloneLaunchGroupSTU22 < StandaloneLaunchGroupSTU2
@@ -44,9 +46,21 @@ module SMARTAppLaunch
       }
     )
 
+    test from: :smart_token_exchange_stu2_2
+
+    token_exchange_index = children.find_index { |child| child.id.to_s.end_with? 'token_exchange' }
+    children[token_exchange_index] = children.pop
+
     test from: :smart_token_response_body_stu2_2
 
     token_response_body_index = children.find_index { |child| child.id.to_s.end_with? 'token_response_body' }
     children[token_response_body_index] = children.pop
+
+    test from: :smart_cors_token_exchange,
+         config: {
+           requests: {
+             cors_token_request: { name: :standalone_token }
+           }
+         }
   end
 end

data/lib/smart_app_launch/token_exchange_stu2_2_test.rb

@@ -0,0 +1,30 @@
+require_relative 'token_exchange_stu2_test'
+
+module SMARTAppLaunch
+  class TokenExchangeSTU22Test < TokenExchangeSTU2Test
+    id :smart_token_exchange_stu2_2
+
+    def add_credentials_to_request(oauth2_params, oauth2_headers)
+      if client_auth_type == 'confidential_symmetric'
+        assert client_secret.present?,
+               'A client secret must be provided when using confidential symmetric client authentication.'
+
+        client_credentials = "#{client_id}:#{client_secret}"
+        oauth2_headers['Authorization'] = "Basic #{Base64.strict_encode64(client_credentials)}"
+      elsif client_auth_type == 'public'
+        oauth2_params[:client_id] = client_id
+        oauth2_headers['Origin'] = Inferno::Application['inferno_host']
+      else
+        oauth2_params.merge!(
+          client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+          client_assertion: ClientAssertionBuilder.build(
+            iss: client_id,
+            sub: client_id,
+            aud: smart_token_url,
+            client_auth_encryption_method:
+          )
+        )
+      end
+    end
+  end
+end

data/lib/smart_app_launch/token_exchange_test.rb

@@ -51,7 +51,7 @@ module SMARTAppLaunch
       skip_if request.query_parameters['error'].present?, 'Error during authorization request'
 
       oauth2_params = {
-        code: code,
+        code:,
         redirect_uri: config.options[:redirect_uri],
         grant_type: 'authorization_code'
       }
@@ -59,9 +59,7 @@ module SMARTAppLaunch
 
       add_credentials_to_request(oauth2_params, oauth2_headers)
 
-      if use_pkce == 'true'
-        oauth2_params[:code_verifier] = pkce_code_verifier
-      end
+      oauth2_params[:code_verifier] = pkce_code_verifier if use_pkce == 'true'
 
       post(smart_token_url, body: oauth2_params, name: :token, headers: oauth2_headers)
 
@@ -72,17 +70,15 @@ module SMARTAppLaunch
 
       token_response_body = JSON.parse(request.response_body)
 
-
       output smart_credentials: {
-               refresh_token: token_response_body['refresh_token'],
-               access_token: token_response_body['access_token'],
-               expires_in: token_response_body['expires_in'],
-               client_id: client_id,
-               client_secret: client_secret,
-               token_retrieval_time: token_retrieval_time,
-               token_url: smart_token_url
-             }.to_json
-      
+        refresh_token: token_response_body['refresh_token'],
+        access_token: token_response_body['access_token'],
+        expires_in: token_response_body['expires_in'],
+        client_id:,
+        client_secret:,
+        token_retrieval_time:,
+        token_url: smart_token_url
+      }.to_json
     end
   end
 end

data/lib/smart_app_launch/token_introspection_access_token_group_stu2_2.rb

@@ -1,7 +1,7 @@
 require_relative 'standalone_launch_group_stu2_2'
 
 module SMARTAppLaunch
-  class SMARTTokenIntrospectionAccessTokenGroupSTU22 < SMARTTokenIntrospectionAccessTokenGroup
+  class SMARTTokenIntrospectionAccessTokenGroupSTU22 < Inferno::TestGroup
     title 'Request New Access Token to Introspect'
     run_as_group
 
@@ -20,9 +20,7 @@ module SMARTAppLaunch
       Register Inferno as a Standalone SMART App and provide the registration details below.
     )
 
+    group from: :smart_discovery_stu2_2
     group from: :smart_standalone_launch_stu2_2
-
-    standalone_launch_index = children.find_index { |child| child.id.to_s.end_with? 'standalone_launch_stu2' }
-    children[standalone_launch_index] = children.pop
   end
 end

data/lib/smart_app_launch/token_introspection_group.rb

@@ -57,13 +57,12 @@ module SMARTAppLaunch
 
       If the introspection endpoint is protected, testers must enter their own HTTP Authorization header for the introspection request.  See
       [RFC 7616 The 'Basic' HTTP Authentication Scheme](https://datatracker.ietf.org/doc/html/rfc7617) for the most common
-      approach that uses client credentials.  Testers may also provide any additional parameters needed for their authorization 
+      approach that uses client credentials.  Testers may also provide any additional parameters needed for their authorization
       server to complete the introspection request.
 
       **Note:** For both the Authorization header and request parameters, user-input
       values will be sent exactly as entered and therefore the tester must
       URI-encode any appropriate values.
     )
-
   end
 end

data/lib/smart_app_launch/token_introspection_group_stu2_2.rb

@@ -43,26 +43,5 @@ module SMARTAppLaunch
 
     access_token_group_index = children.find_index { |child| child.id.to_s.end_with? 'access_token_group' }
     children[access_token_group_index] = children.pop
-
-    input_order :url, :standalone_client_id, :standalone_client_secret,
-                :authorization_method, :use_pkce, :pkce_code_challenge_method,
-                :standalone_requested_scopes, :client_auth_encryption_method,
-                :client_auth_type, :custom_authorization_header,
-                :optional_introspection_request_params
-    input_instructions %(
-      Executing tests at this level will run all three Token Introspection groups back-to-back.  If test groups need
-      to be run independently, exit this window and select a specific test group instead.
-
-      These tests are currently designed such that the token introspection URL must be present in the SMART well-known endpoint.
-
-      If the introspection endpoint is protected, testers must enter their own HTTP Authorization header for the introspection request.  See
-      [RFC 7616 The 'Basic' HTTP Authentication Scheme](https://datatracker.ietf.org/doc/html/rfc7617) for the most common
-      approach that uses client credentials.  Testers may also provide any additional parameters needed for their authorization
-      server to complete the introspection request.
-
-      **Note:** For both the Authorization header and request parameters, user-input
-      values will be sent exactly as entered and therefore the tester must
-      URI-encode any appropriate values.
-    )
   end
 end

data/lib/smart_app_launch/token_introspection_request_group.rb

@@ -11,42 +11,44 @@ module SMARTAppLaunch
     id :smart_token_introspection_request_group
     description %(
       This group of tests executes the token introspection requests and ensures the correct HTTP response is returned
-      but does not validate the contents of the token introspection response. 
+      but does not validate the contents of the token introspection response.
 
-      If Inferno cannot reasonably be configured to be authorized to access the token introspection endpoint, these tests 
+      If Inferno cannot reasonably be configured to be authorized to access the token introspection endpoint, these tests
       can be skipped.  Instead, an out-of-band token introspection request must be completed and the response body
       manually provided as input for the Validate Introspection Response test group.
       )
 
     input_instructions %(
-      If the Request New Access Token group was executed, the access token input will auto-populate with that token. 
-      Otherwise an active access token needs to be obtained out-of-band and input.  
-        
-      Per [RFC-7662](https://datatracker.ietf.org/doc/html/rfc7662#section-2), "the definition of an active token is 
-      currently dependent upon the authorization server, but this is commonly a token that has been issued by this 
-      authorization server, is not expired, has not been revoked, and is valid for use at the protected resource making 
+      If the Request New Access Token group was executed, the access token input will auto-populate with that token.
+      Otherwise an active access token needs to be obtained out-of-band and input.
+
+      Per [RFC-7662](https://datatracker.ietf.org/doc/html/rfc7662#section-2), "the definition of an active token is
+      currently dependent upon the authorization server, but this is commonly a token that has been issued by this
+      authorization server, is not expired, has not been revoked, and is valid for use at the protected resource making
       the introspection call."
 
       If the introspection endpoint is protected, testers must enter their own HTTP Authorization header for the introspection request.  See
       [RFC 7616 The 'Basic' HTTP Authentication Scheme](https://datatracker.ietf.org/doc/html/rfc7617) for the most common
-      approach that uses client credentials.  Testers may also provide any additional parameters needed for their authorization 
+      approach that uses client credentials.  Testers may also provide any additional parameters needed for their authorization
       server to complete the introspection request.
 
       **Note:** For both the Authorization header and request parameters, user-input
       values will be sent exactly as entered and therefore the tester must URI-encode any appropriate values.
     )
 
-    input :well_known_introspection_url, 
-          title: 'Token Introspection Endpoint URL', 
+    input :well_known_introspection_url,
+          title: 'Token Introspection Endpoint URL',
           description: 'The complete URL of the token introspection endpoint.'
 
     input :custom_authorization_header,
-          title: 'HTTP Authorization Header for Introspection Request',
+          title: 'Custom HTTP Headers for Introspection Request',
           type: 'textarea',
           optional: true,
           description: %(
-            Include header name, auth scheme, and auth parameters.
-            Ex: 'Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW' 
+            Add custom headers for the introspection request by adding each header's name and value with a new line
+            between each header.
+            Ex:
+              <Header 1 Name>: <Value 1>
             )
 
     input :optional_introspection_request_params,
@@ -54,69 +56,78 @@ module SMARTAppLaunch
           type: 'textarea',
           optional: true,
           description: %(
-            Any additional parameters to append to the request body, separated by &. Example: 'param1=abc&param2=def'  
+            Any additional parameters to append to the request body, separated by &. Example: 'param1=abc&param2=def'
           )
 
     test do
       title 'Token introspection endpoint returns a response when provided an active token'
       description %(
       This test will execute a token introspection request for an active token and ensure a 200 status and valid JSON
-      body are returned in the response. 
+      body are returned in the response.
       )
 
-      input :standalone_access_token, 
+      input :standalone_access_token,
             title: 'Access Token',
             description: 'The access token to be introspected. MUST be active.'
 
-
       output :active_token_introspection_response_body
 
       run do
-
         # If this is being chained from an earlier test, it might be blank if not present in the well-known endpoint
         skip_if well_known_introspection_url.nil?, 'No introspection URL present in SMART well-known endpoint.'
 
-        headers = {'Accept' => 'application/json', 'Content-Type' => 'application/x-www-form-urlencoded'}
+        headers = { 'Accept' => 'application/json', 'Content-Type' => 'application/x-www-form-urlencoded' }
         body = "token=#{standalone_access_token}"
 
         if custom_authorization_header.present?
-          parsed_header = custom_authorization_header.split(':', 2)
-          assert parsed_header.length == 2, "Incorrect custom HTTP header format input, expected: '<header name>: <header value>'"
-          headers[parsed_header[0]] = parsed_header[1].strip
+          custom_headers = custom_authorization_header.split("\n")
+          custom_headers.each do |custom_header|
+            parsed_header = custom_header.split(':', 2)
+            assert parsed_header.length == 2,
+                   'Incorrect custom HTTP header format input, expected: "<header name>: <header value>"'
+            headers[parsed_header[0]] = parsed_header[1].strip
+          end
         end
 
-        if optional_introspection_request_params.present?
-          body += "&#{optional_introspection_request_params}"
-        end
+        body += "&#{optional_introspection_request_params}" if optional_introspection_request_params.present?
 
-        post(well_known_introspection_url, body: body, headers: headers)
+        post(well_known_introspection_url, body:, headers:)
 
         assert_response_status(200)
         output active_token_introspection_response_body: request.response_body
       end
-    
     end
 
-    test do 
+    test do
       title 'Token introspection endpoint returns a response when provided an invalid token'
       description %(
         This test will execute a token introspection request for an invalid token and ensure a 200 status and valid JSON
-        body are returned in response. 
+        body are returned in response.
       )
 
       output :invalid_token_introspection_response_body
       run do
-
         # If this is being chained from an earlier test, it might be blank if not present in the well-known endpoint
         skip_if well_known_introspection_url.nil?, 'No introspection URL present in SMART well-known endpoint.'
 
-        headers = {'Accept' => 'application/json', 'Content-Type' => 'application/x-www-form-urlencoded'}
-        body = "token=invalid_token_value"
-        post(well_known_introspection_url, body: body, headers: headers)
-        
+        headers = { 'Accept' => 'application/json', 'Content-Type' => 'application/x-www-form-urlencoded' }
+        body = 'token=invalid_token_value'
+
+        if custom_authorization_header.present?
+          custom_headers = custom_authorization_header.split("\n")
+          custom_headers.each do |custom_header|
+            parsed_header = custom_header.split(':', 2)
+            assert parsed_header.length == 2,
+                   'Incorrect custom HTTP header format input, expected: "<header name>: <header value>"'
+            headers[parsed_header[0]] = parsed_header[1].strip
+          end
+        end
+
+        post(well_known_introspection_url, body:, headers:)
+
         assert_response_status(200)
         output invalid_token_introspection_response_body: request.response_body
       end
     end
   end
-end
+end

data/lib/smart_app_launch/token_refresh_test.rb

@@ -30,6 +30,10 @@ module SMARTAppLaunch
       end
     end
 
+    def make_auth_token_request(smart_token_url, oauth2_params, oauth2_headers)
+      post(smart_token_url, body: oauth2_params, name: :token_refresh, headers: oauth2_headers)
+    end
+
     run do
       skip_if refresh_token.blank?
 
@@ -43,7 +47,7 @@ module SMARTAppLaunch
 
       add_credentials_to_request(oauth2_headers, oauth2_params)
 
-      post(smart_token_url, body: oauth2_params, name: :token_refresh, headers: oauth2_headers)
+      make_auth_token_request(smart_token_url, oauth2_params, oauth2_headers)
 
       assert_response_status(200)
       assert_valid_json(request.response_body)
@@ -52,14 +56,14 @@ module SMARTAppLaunch
 
       token_response_body = JSON.parse(request.response_body)
       output smart_credentials: {
-               refresh_token: token_response_body['refresh_token'].presence || refresh_token,
-               access_token: token_response_body['access_token'],
-               expires_in: token_response_body['expires_in'],
-               client_id: client_id,
-               client_secret: client_secret,
-               token_retrieval_time: token_retrieval_time,
-               token_url: smart_token_url
-             }.to_json
+        refresh_token: token_response_body['refresh_token'].presence || refresh_token,
+        access_token: token_response_body['access_token'],
+        expires_in: token_response_body['expires_in'],
+        client_id:,
+        client_secret:,
+        token_retrieval_time:,
+        token_url: smart_token_url
+      }.to_json
     end
   end
 end

data/lib/smart_app_launch/version.rb

@@ -1,3 +1,3 @@
 module SMARTAppLaunch
-  VERSION = '0.4.4'.freeze
+  VERSION = '0.4.6'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: smart_app_launch_test_kit
 version: !ruby/object:Gem::Version
-  version: 0.4.4
+  version: 0.4.6
 platform: ruby
 authors:
 - Stephen MacVicar
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-04 00:00:00.000000000 Z
+date: 2024-10-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inferno_core
@@ -157,7 +157,12 @@ files:
 - lib/smart_app_launch/backend_services_invalid_jwt_test.rb
 - lib/smart_app_launch/client_assertion_builder.rb
 - lib/smart_app_launch/code_received_test.rb
+- lib/smart_app_launch/cors_metadata_request_test.rb
+- lib/smart_app_launch/cors_openid_fhir_user_claim_test.rb
+- lib/smart_app_launch/cors_token_exchange_test.rb
+- lib/smart_app_launch/cors_well_known_endpoint_test.rb
 - lib/smart_app_launch/discovery_stu1_group.rb
+- lib/smart_app_launch/discovery_stu2_2_group.rb
 - lib/smart_app_launch/discovery_stu2_group.rb
 - lib/smart_app_launch/ehr_launch_group.rb
 - lib/smart_app_launch/ehr_launch_group_stu2.rb
@@ -165,6 +170,7 @@ files:
 - lib/smart_app_launch/jwks.rb
 - lib/smart_app_launch/launch_received_test.rb
 - lib/smart_app_launch/openid_connect_group.rb
+- lib/smart_app_launch/openid_connect_group_stu2_2.rb
 - lib/smart_app_launch/openid_decode_id_token_test.rb
 - lib/smart_app_launch/openid_fhir_user_claim_test.rb
 - lib/smart_app_launch/openid_required_configuration_fields_test.rb
@@ -190,6 +196,7 @@ files:
 - lib/smart_app_launch/standalone_launch_group.rb
 - lib/smart_app_launch/standalone_launch_group_stu2.rb
 - lib/smart_app_launch/standalone_launch_group_stu2_2.rb
+- lib/smart_app_launch/token_exchange_stu2_2_test.rb
 - lib/smart_app_launch/token_exchange_stu2_test.rb
 - lib/smart_app_launch/token_exchange_test.rb
 - lib/smart_app_launch/token_introspection_access_token_group.rb
@@ -234,7 +241,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.9
+rubygems_version: 3.5.7
 signing_key:
 specification_version: 4
 summary: Inferno Tests for the SMART Application Launch Framework Implementation Guide