smart_app_launch_test_kit 0.4.5 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 956da1bf90eccfbfda23b793f3870ad7ce7f50fdeaeee25cda93d392fcab8d3b
-  data.tar.gz: c927a7c94eb03a22b891c244a3349f593dacb4432f2f959da410a0c9dbc293cc
+  metadata.gz: 047dcb8643e2524e9bdcd7653db652640f08e672085d18fd589d4a50e717cd08
+  data.tar.gz: cf7fe4c64a2e9c9bb9e50bcc2176e7ee5a8c5cac6a970376fb29b8d31e50ca96
 SHA512:
-  metadata.gz: 26afb54c26303bd57f5fe9b9005b887b9c37c579a3b7efd95e91e4bb52bbce91db9d39aa16aee8581dbb4f195b69eca82842f616e089575e2eb6b9c8c0915ad0
-  data.tar.gz: f7b3cc01e93eab4057917bf2a7805f73922b3994a56767e9a012e4cd0ac8a2e03fb1994da35154c5830a4b8c6e458bb5d44987ea6812d09bbb7b3737722a50de
+  metadata.gz: 4b0bd4cfc4a2d2db72017cf433482edb59aeb22ea4d538a03a44f14664631d86e9426a4b1b521175673275c7464a0b3f33f673fc488a1b2b9581c5df6a97e7bf
+  data.tar.gz: a99702f36d6b8501102cadfca039b0f7b6e46e65e19068da1a52971afee24758228fa59f0c3273c6bad730b47f107d80074e5b222bb9dfd5921c35473e423f1e

data/config/presets/inferno_reference_server_preset.json

@@ -0,0 +1,103 @@
+{
+  "title": "Inferno Reference Server",
+  "id": "smart_stu1_reference_server",
+  "test_suite_id": "smart",
+  "inputs": [
+    {
+      "name": "url",
+      "type": "text",
+      "value": "https://inferno.healthit.gov/reference-server/r4"
+    },
+    {
+      "name": "standalone_client_id",
+      "type": "text",
+      "value": "SAMPLE_PUBLIC_CLIENT_ID"
+    },
+    {
+      "name": "standalone_requested_scopes",
+      "type": "text",
+      "value": "launch/patient openid fhirUser offline_access patient/*.read"
+    },
+    {
+      "name": "use_pkce",
+      "type": "radio",
+      "title": "Proof Key for Code Exchange (PKCE)",
+      "options": {
+        "list_options": [
+          {
+            "label": "Enabled",
+            "value": "true"
+          },
+          {
+            "label": "Disabled",
+            "value": "false"
+          }
+        ]
+      },
+      "value": "false"
+    },
+    {
+      "name": "pkce_code_challenge_method",
+      "type": "radio",
+      "optional": true,
+      "title": "PKCE Code Challenge Method",
+      "options": {
+        "list_options": [
+          {
+            "label": "S256",
+            "value": "S256"
+          },
+          {
+            "label": "plain",
+            "value": "plain"
+          }
+        ]
+      },
+      "value": "S256"
+    },
+    {
+      "name": "client_auth_type",
+      "value": "public",
+      "_title": "Client Authentication Method",
+      "_type": "radio",
+      "_options": {
+        "list_options": [
+          {
+            "label": "Public",
+            "value": "public"
+          },
+          {
+            "label": "Confidential Symmetric",
+            "value": "confidential_symmetric"
+          },
+          {
+            "label": "Confidential Asymmetric",
+            "value": "confidential_asymmetric"
+          }
+        ]
+      }
+    },
+    {
+      "name": "standalone_client_secret",
+      "type": "text",
+      "optional": true,
+      "value": null
+    },
+    {
+      "name": "ehr_client_id",
+      "type": "text",
+      "value": "SAMPLE_PUBLIC_CLIENT_ID"
+    },
+    {
+      "name": "ehr_requested_scopes",
+      "type": "text",
+      "value": "launch openid fhirUser offline_access user/*.read"
+    },
+    {
+      "name": "ehr_client_secret",
+      "type": "text",
+      "optional": true,
+      "value": null
+    }
+  ]
+}

data/config/presets/inferno_reference_server_stu2_2_preset.json

@@ -0,0 +1,89 @@
+{
+  "title": "Inferno Reference Server",
+  "id": "smart_stu2_2_reference_server",
+  "test_suite_id": "smart_stu2_2",
+  "inputs": [
+    {
+      "name": "url",
+      "type": "text",
+      "value": "https://inferno.healthit.gov/reference-server/r4"
+    },
+    {
+      "name": "standalone_client_id",
+      "type": "text",
+      "value": "SAMPLE_PUBLIC_CLIENT_ID"
+    },
+    {
+      "name": "standalone_requested_scopes",
+      "type": "text",
+      "value": "launch/patient openid fhirUser offline_access patient/*.read"
+    },
+    {
+      "name": "standalone_client_secret",
+      "type": "text",
+      "optional": true,
+      "value": null
+    },
+    {
+      "name": "ehr_client_id",
+      "type": "text",
+      "value": "SAMPLE_PUBLIC_CLIENT_ID"
+    },
+    {
+      "name": "ehr_requested_scopes",
+      "type": "text",
+      "value": "launch openid fhirUser offline_access user/*.read"
+    },
+    {
+      "name": "ehr_client_secret",
+      "type": "text",
+      "optional": true,
+      "value": null
+    },
+    {
+      "name": "client_auth_encryption_method",
+      "value": "ES384",
+      "_title": "Encryption Method (Confidential Asymmetric Client Auth Only)",
+      "_type": "radio",
+      "_options": {
+        "list_options": [
+          {
+            "label": "ES384",
+            "value": "ES384"
+          },
+          {
+            "label": "RS384",
+            "value": "RS384"
+          }
+        ]
+      }
+    },
+    {
+      "name": "client_auth_type",
+      "value": "public",
+      "_title": "Client Authentication Method",
+      "_type": "radio",
+      "_options": {
+        "list_options": [
+          {
+            "label": "Public",
+            "value": "public"
+          },
+          {
+            "label": "Confidential Symmetric",
+            "value": "confidential_symmetric"
+          },
+          {
+            "label": "Confidential Asymmetric",
+            "value": "confidential_asymmetric"
+          }
+        ]
+      }
+    },
+    {
+      "name": "backend_services_client_id",
+      "type": "text",
+      "value": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InJlZ2lzdHJhdGlvbi10b2tlbiJ9.eyJqd2tzX3VybCI6Imh0dHA6Ly8xMC4xNS4yNTIuNzMvaW5mZXJuby8ud2VsbC1rbm93bi9qd2tzLmpzb24iLCJhY2Nlc3NUb2tlbnNFeHBpcmVJbiI6MTUsImlhdCI6MTU5NzQxMzE5NX0.q4v4Msc74kN506KTZ0q_minyapJw0gwlT6M_uiL73S4"
+    }
+  ]
+}

data/config/presets/inferno_reference_server_stu2_preset.json

@@ -0,0 +1,89 @@
+{
+  "title": "Inferno Reference Server",
+  "id": "smart_stu2_reference_server",
+  "test_suite_id": "smart_stu2",
+  "inputs": [
+    {
+      "name": "url",
+      "type": "text",
+      "value": "https://inferno.healthit.gov/reference-server/r4"
+    },
+    {
+      "name": "standalone_client_id",
+      "type": "text",
+      "value": "SAMPLE_PUBLIC_CLIENT_ID"
+    },
+    {
+      "name": "standalone_requested_scopes",
+      "type": "text",
+      "value": "launch/patient openid fhirUser offline_access patient/*.read"
+    },
+    {
+      "name": "standalone_client_secret",
+      "type": "text",
+      "optional": true,
+      "value": null
+    },
+    {
+      "name": "ehr_client_id",
+      "type": "text",
+      "value": "SAMPLE_PUBLIC_CLIENT_ID"
+    },
+    {
+      "name": "ehr_requested_scopes",
+      "type": "text",
+      "value": "launch openid fhirUser offline_access user/*.read"
+    },
+    {
+      "name": "ehr_client_secret",
+      "type": "text",
+      "optional": true,
+      "value": null
+    },
+    {
+      "name": "client_auth_encryption_method",
+      "value": "ES384",
+      "_title": "Encryption Method (Confidential Asymmetric Client Auth Only)",
+      "_type": "radio",
+      "_options": {
+        "list_options": [
+          {
+            "label": "ES384",
+            "value": "ES384"
+          },
+          {
+            "label": "RS384",
+            "value": "RS384"
+          }
+        ]
+      }
+    },
+    {
+      "name": "client_auth_type",
+      "value": "public",
+      "_title": "Client Authentication Method",
+      "_type": "radio",
+      "_options": {
+        "list_options": [
+          {
+            "label": "Public",
+            "value": "public"
+          },
+          {
+            "label": "Confidential Symmetric",
+            "value": "confidential_symmetric"
+          },
+          {
+            "label": "Confidential Asymmetric",
+            "value": "confidential_asymmetric"
+          }
+        ]
+      }
+    },
+    {
+      "name": "backend_services_client_id",
+      "type": "text",
+      "value": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InJlZ2lzdHJhdGlvbi10b2tlbiJ9.eyJqd2tzX3VybCI6Imh0dHA6Ly8xMC4xNS4yNTIuNzMvaW5mZXJuby8ud2VsbC1rbm93bi9qd2tzLmpzb24iLCJhY2Nlc3NUb2tlbnNFeHBpcmVJbiI6MTUsImlhdCI6MTU5NzQxMzE5NX0.q4v4Msc74kN506KTZ0q_minyapJw0gwlT6M_uiL73S4"
+    }
+  ]
+}

data/config/presets/smart_access_brands.json.erb

@@ -0,0 +1,13 @@
+{
+  "title": "Inferno Example SMART Access Brands Bundle",
+  "id": "smart_access_brands_bundle_example_inferno",
+  "test_suite_id": "smart_access_brands",
+  "inputs": [
+    {
+      "name": "smart_access_brands_publication_url",
+      "value": "<%= Inferno::Application['base_url'] %>/custom/smart_access_brands/examples/smart_access_brands_example.json",
+      "title": "SMART Access Brands Bundle URL",
+      "type": "text"
+    }
+  ]
+}

data/config/presets/smart_access_brands_example_1.json

@@ -0,0 +1,37 @@
+{
+  "title": "Labs with Locations Nationwide IG Example SMART Access Brands Bundle",
+  "id": "smart_access_brands_bundle_example_1",
+  "test_suite_id": "smart_access_brands",
+  "inputs": [
+    {
+      "name": "user_access_brands_publication_url",
+      "value": "https://hl7.org/fhir/smart-app-launch/STU2.2/Bundle-example1.json",
+      "title": "User Access Brands Publication URL",
+      "type": "text"
+    },
+    {
+      "name": "endpoint_availability_success_rate",
+      "default": "all",
+      "description": "Select an option to choose how many Endpoints have to be available and send back a valid capability       statement for the Endpoint validation test to pass.",
+      "options": {
+        "list_options": [
+          {
+            "label": "All",
+            "value": "all"
+          },
+          {
+            "label": "At Least 1",
+            "value": "at_least_1"
+          },
+          {
+            "label": "None",
+            "value": "none"
+          }
+        ]
+      },
+      "title": "Endpoint Availability Success Rate",
+      "type": "radio",
+      "value": "none"
+    }
+  ]
+}

data/config/presets/smart_access_brands_example_2.json

@@ -0,0 +1,37 @@
+{
+  "title": "Regional Health System IG Example SMART Access Brands Bundle",
+  "id": "smart_access_brands_bundle_example_2",
+  "test_suite_id": "smart_access_brands",
+  "inputs": [
+    {
+      "name": "user_access_brands_publication_url",
+      "value": "https://hl7.org/fhir/smart-app-launch/STU2.2/Bundle-example2.json",
+      "title": "User Access Brands Publication URL",
+      "type": "text"
+    },
+    {
+      "name": "endpoint_availability_success_rate",
+      "default": "all",
+      "description": "Select an option to choose how many Endpoints have to be available and send back a valid capability       statement for the Endpoint validation test to pass.",
+      "options": {
+        "list_options": [
+          {
+            "label": "All",
+            "value": "all"
+          },
+          {
+            "label": "At Least 1",
+            "value": "at_least_1"
+          },
+          {
+            "label": "None",
+            "value": "none"
+          }
+        ]
+      },
+      "title": "Endpoint Availability Success Rate",
+      "type": "radio",
+      "value": "none"
+    }
+  ]
+}

data/config/presets/smart_access_brands_example_3.json

@@ -0,0 +1,37 @@
+{
+  "title": "Different EHRs IG Example SMART Access Brands Bundle",
+  "id": "smart_access_brands_bundle_example_3",
+  "test_suite_id": "smart_access_brands",
+  "inputs": [
+    {
+      "name": "user_access_brands_publication_url",
+      "value": "https://hl7.org/fhir/smart-app-launch/STU2.2/Bundle-example3.json",
+      "title": "User Access Brands Publication URL",
+      "type": "text"
+    },
+    {
+      "name": "endpoint_availability_success_rate",
+      "default": "all",
+      "description": "Select an option to choose how many Endpoints have to be available and send back a valid capability       statement for the Endpoint validation test to pass.",
+      "options": {
+        "list_options": [
+          {
+            "label": "All",
+            "value": "all"
+          },
+          {
+            "label": "At Least 1",
+            "value": "at_least_1"
+          },
+          {
+            "label": "None",
+            "value": "none"
+          }
+        ]
+      },
+      "title": "Endpoint Availability Success Rate",
+      "type": "radio",
+      "value": "none"
+    }
+  ]
+}

data/config/presets/smart_access_brands_example_4.json

@@ -0,0 +1,37 @@
+{
+  "title": "Co-equal Brands IG Example SMART Access Brands Bundle",
+  "id": "smart_access_brands_bundle_example_4",
+  "test_suite_id": "smart_access_brands",
+  "inputs": [
+    {
+      "name": "user_access_brands_publication_url",
+      "value": "https://hl7.org/fhir/smart-app-launch/STU2.2/Bundle-example4.json",
+      "title": "User Access Brands Publication URL",
+      "type": "text"
+    },
+    {
+      "name": "endpoint_availability_success_rate",
+      "default": "all",
+      "description": "Select an option to choose how many Endpoints have to be available and send back a valid capability       statement for the Endpoint validation test to pass.",
+      "options": {
+        "list_options": [
+          {
+            "label": "All",
+            "value": "all"
+          },
+          {
+            "label": "At Least 1",
+            "value": "at_least_1"
+          },
+          {
+            "label": "None",
+            "value": "none"
+          }
+        ]
+      },
+      "title": "Endpoint Availability Success Rate",
+      "type": "radio",
+      "value": "none"
+    }
+  ]
+}

data/lib/smart_app_launch/cors_metadata_request_test.rb

@@ -0,0 +1,40 @@
+require_relative 'url_helpers'
+
+module SMARTAppLaunch
+  class CORSMetadataRequest < Inferno::Test
+    id :smart_cors_metadata_request
+
+    include URLHelpers
+
+    title 'SMART metadata Endpoint Enables Cross-Origin Resource Sharing (CORS)'
+    description %(
+      The SMART [Considerations for Cross-Origin Resource Sharing (CORS) support](http://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-cross-origin-resource-sharing-cors-support)
+      specifies that servers that support purely browser-based apps SHALL enable Cross-Origin Resource Sharing (CORS)
+      as follows:
+
+        - For requests from any origin, CORS configuration permits access to the public discovery endpoints
+          (.well-known/smart-configuration and metadata).
+
+      This test verifies that the metadata request is returned with the appropriate CORS header.
+    )
+    optional
+
+    input :url
+
+    fhir_client do
+      url :url
+      headers 'Origin' => Inferno::Application['inferno_host']
+    end
+
+    run do
+      fhir_get_capability_statement
+
+      assert_response_status(200)
+      inferno_origin = Inferno::Application['inferno_host']
+      cors_allow_origin = request.response_header('Access-Control-Allow-Origin')&.value
+      assert cors_allow_origin.present?, 'No `Access-Control-Allow-Origin` header received.'
+      assert cors_allow_origin == inferno_origin || cors_allow_origin == '*',
+             "`Access-Control-Allow-Origin` must be `#{inferno_origin}`, but received: `#{cors_allow_origin}`"
+    end
+  end
+end

data/lib/smart_app_launch/cors_openid_fhir_user_claim_test.rb

@@ -0,0 +1,48 @@
+module SMARTAppLaunch
+  class CORSOpenIDFHIRUserClaimTest < Inferno::Test
+    id :smart_cors_openid_fhir_user_claim
+    title 'SMART FHIR User REST API Endpoint Enables Cross-Origin Resource Sharing (CORS)'
+    description %(
+      The SMART [Considerations for Cross-Origin Resource Sharing (CORS) support](http://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-cross-origin-resource-sharing-cors-support)
+      specifies that servers that support purely browser-based apps SHALL enable Cross-Origin Resource Sharing (CORS)
+      as follows:
+
+        - For requests from a client's registered origin(s), CORS configuration permits access to the token
+          endpoint and to FHIR REST API endpoints.
+
+      This test verifies that a request to the FHIR REST API endpoint for the FHIR user is returned with the appropriate
+      CORS header.
+    )
+    optional
+
+    input :url, :id_token_fhir_user
+    input :smart_credentials, type: :oauth_credentials
+
+    fhir_client do
+      url :url
+      oauth_credentials :smart_credentials
+      headers 'Origin' => Inferno::Application['inferno_host']
+    end
+
+    run do
+      valid_fhir_user_resource_types = ['Patient', 'Practitioner', 'RelatedPerson', 'Person']
+
+      fhir_user_segments = id_token_fhir_user.split('/')
+      fhir_user_resource_type = fhir_user_segments[-2]
+      fhir_user_id = fhir_user_segments.last
+
+      assert valid_fhir_user_resource_types.include?(fhir_user_resource_type),
+             "ID token `fhirUser` claim does not refer to a valid resource type: #{id_token_fhir_user}"
+
+      fhir_read(fhir_user_resource_type, fhir_user_id)
+
+      assert_response_status(200)
+
+      inferno_origin = Inferno::Application['inferno_host']
+      cors_allow_origin = request.response_header('Access-Control-Allow-Origin')&.value
+      assert cors_allow_origin.present?, 'No `Access-Control-Allow-Origin` header received.'
+      assert cors_allow_origin == inferno_origin || cors_allow_origin == '*',
+             "`Access-Control-Allow-Origin` must be `#{inferno_origin}`, but received: `#{cors_allow_origin}`"
+    end
+  end
+end

data/lib/smart_app_launch/cors_token_exchange_test.rb

@@ -0,0 +1,35 @@
+module SMARTAppLaunch
+  class CORSTokenExchangeTest < Inferno::Test
+    title 'SMART Token Endpoint Enables Cross-Origin Resource Sharing (CORS)'
+    description %(
+      The SMART [Considerations for Cross-Origin Resource Sharing (CORS) support](http://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-cross-origin-resource-sharing-cors-support)
+      specifies that servers that support purely browser-based apps SHALL enable Cross-Origin Resource Sharing (CORS)
+      as follows:
+
+        - For requests from a client's registered origin(s), CORS configuration permits access to the token
+          endpoint
+
+      This test verifies that the token endpoint contains the appropriate CORS header in the response.
+    )
+    id :smart_cors_token_exchange
+
+    uses_request :cors_token_request
+
+    input :client_auth_type
+
+    run do
+      omit_if client_auth_type != 'public', %(
+        Client type is not public, Cross-Origin Resource Sharing (CORS) is not required to be supported for
+        non-public client types
+      )
+
+      skip_if request.status != 200, 'Previous request was unsuccessful, cannot check for CORS support'
+
+      inferno_origin = Inferno::Application['inferno_host']
+      cors_header = request.response_header('Access-Control-Allow-Origin')&.value
+
+      assert cors_header == inferno_origin || cors_header == '*',
+             "Request must have `Access-Control-Allow-Origin` header containing `#{inferno_origin}`"
+    end
+  end
+end

data/lib/smart_app_launch/cors_well_known_endpoint_test.rb

@@ -0,0 +1,40 @@
+require_relative 'url_helpers'
+
+module SMARTAppLaunch
+  class CORSWellKnownEndpointTest < Inferno::Test
+    include URLHelpers
+
+    title 'SMART .well-known/smart-configuration Endpoint Enables Cross-Origin Resource Sharing (CORS)'
+    id :smart_cors_well_known_endpoint
+    description %(
+      The SMART [Considerations for Cross-Origin Resource Sharing (CORS) support](http://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-cross-origin-resource-sharing-cors-support)
+      specifies that servers that support purely browser-based apps SHALL enable Cross-Origin Resource Sharing (CORS)
+      as follows:
+
+        - For requests from any origin, CORS configuration permits access to the public discovery endpoints
+          (.well-known/smart-configuration and metadata).
+
+      This test verifies that the .well-known/smart-configuration request is returned with the appropriate CORS header.
+    )
+    optional
+
+    input :url,
+          title: 'FHIR Endpoint',
+          description: 'URL of the FHIR endpoint used by SMART applications'
+
+    run do
+      well_known_configuration_url = "#{url.chomp('/')}/.well-known/smart-configuration"
+      inferno_origin = Inferno::Application['inferno_host']
+
+      get(well_known_configuration_url,
+          headers: { 'Accept' => 'application/json',
+                     'Origin' => inferno_origin })
+      assert_response_status(200)
+
+      cors_allow_origin = request.response_header('Access-Control-Allow-Origin')&.value
+      assert cors_allow_origin.present?, 'No `Access-Control-Allow-Origin` header received.'
+      assert cors_allow_origin == inferno_origin || cors_allow_origin == '*',
+             "`Access-Control-Allow-Origin` must be `#{inferno_origin}`, but received: `#{cors_allow_origin}`"
+    end
+  end
+end

data/lib/smart_app_launch/discovery_stu2_2_group.rb

@@ -0,0 +1,12 @@
+require_relative 'cors_metadata_request_test'
+require_relative 'cors_well_known_endpoint_test'
+require_relative 'discovery_stu2_group'
+
+module SMARTAppLaunch
+  class DiscoverySTU22Group < DiscoverySTU2Group
+    id :smart_discovery_stu2_2
+
+    test from: :smart_cors_well_known_endpoint
+    test from: :smart_cors_metadata_request
+  end
+end

data/lib/smart_app_launch/ehr_launch_group_stu2_2.rb

@@ -1,5 +1,7 @@
 require_relative 'ehr_launch_group_stu2'
 require_relative 'token_response_body_test_stu2_2'
+require_relative 'cors_token_exchange_test'
+require_relative 'token_exchange_stu2_2_test'
 
 module SMARTAppLaunch
   class EHRLaunchGroupSTU22 < EHRLaunchGroupSTU2
@@ -46,9 +48,21 @@ module SMARTAppLaunch
       }
     )
 
+    test from: :smart_token_exchange_stu2_2
+
+    token_exchange_index = children.find_index { |child| child.id.to_s.end_with? 'smart_token_exchange' }
+    children[token_exchange_index] = children.pop
+
     test from: :smart_token_response_body_stu2_2
 
     token_response_body_index = children.find_index { |child| child.id.to_s.end_with? 'token_response_body' }
     children[token_response_body_index] = children.pop
+
+    test from: :smart_cors_token_exchange,
+         config: {
+           requests: {
+             cors_token_request: { name: :ehr_token }
+           }
+         }
   end
 end