smart_app_launch_test_kit 0.5.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 047dcb8643e2524e9bdcd7653db652640f08e672085d18fd589d4a50e717cd08
-  data.tar.gz: cf7fe4c64a2e9c9bb9e50bcc2176e7ee5a8c5cac6a970376fb29b8d31e50ca96
+  metadata.gz: fbce79e8d195045070c2257dc897fa511b981071d366875bf3aa36ccb338dbdd
+  data.tar.gz: 5ea51bb46c93c23186fa620908287f69bab62d42c8f5ecbf0ff70d39ec8523e0
 SHA512:
-  metadata.gz: 4b0bd4cfc4a2d2db72017cf433482edb59aeb22ea4d538a03a44f14664631d86e9426a4b1b521175673275c7464a0b3f33f673fc488a1b2b9581c5df6a97e7bf
-  data.tar.gz: a99702f36d6b8501102cadfca039b0f7b6e46e65e19068da1a52971afee24758228fa59f0c3273c6bad730b47f107d80074e5b222bb9dfd5921c35473e423f1e
+  metadata.gz: 7f6d08a9ea9be426cd26e67fcbfa96bc4051b83aa9d38837f77fda2f9715a84e766182993a8e1f725fa945ea9c0bbf68f32155827482d7100036e20f02fd9e97
+  data.tar.gz: cba999b57e6317c865fc1b98dd56a042b98d2439af5ec8e28ffefd58d52e871513cd7152f640a9d449f1145a870b66ae1fd6d2343376cf0347eb52f8c2373c6d

data/config/presets/inferno_reference_server_preset.json

@@ -9,95 +9,24 @@
       "value": "https://inferno.healthit.gov/reference-server/r4"
     },
     {
-      "name": "standalone_client_id",
-      "type": "text",
-      "value": "SAMPLE_PUBLIC_CLIENT_ID"
-    },
-    {
-      "name": "standalone_requested_scopes",
-      "type": "text",
-      "value": "launch/patient openid fhirUser offline_access patient/*.read"
-    },
-    {
-      "name": "use_pkce",
-      "type": "radio",
-      "title": "Proof Key for Code Exchange (PKCE)",
-      "options": {
-        "list_options": [
-          {
-            "label": "Enabled",
-            "value": "true"
-          },
-          {
-            "label": "Disabled",
-            "value": "false"
-          }
-        ]
-      },
-      "value": "false"
-    },
-    {
-      "name": "pkce_code_challenge_method",
-      "type": "radio",
-      "optional": true,
-      "title": "PKCE Code Challenge Method",
-      "options": {
-        "list_options": [
-          {
-            "label": "S256",
-            "value": "S256"
-          },
-          {
-            "label": "plain",
-            "value": "plain"
-          }
-        ]
-      },
-      "value": "S256"
-    },
-    {
-      "name": "client_auth_type",
-      "value": "public",
-      "_title": "Client Authentication Method",
-      "_type": "radio",
-      "_options": {
-        "list_options": [
-          {
-            "label": "Public",
-            "value": "public"
-          },
-          {
-            "label": "Confidential Symmetric",
-            "value": "confidential_symmetric"
-          },
-          {
-            "label": "Confidential Asymmetric",
-            "value": "confidential_asymmetric"
-          }
-        ]
+      "name": "standalone_smart_auth_info",
+      "type": "auth_info",
+      "value": {
+        "auth_type": "public",
+        "requested_scopes": "launch/patient openid fhirUser offline_access patient/*.read",
+        "client_id": "SAMPLE_PUBLIC_CLIENT_ID",
+        "pkce_support": "disabled"
       }
     },
     {
-      "name": "standalone_client_secret",
-      "type": "text",
-      "optional": true,
-      "value": null
-    },
-    {
-      "name": "ehr_client_id",
-      "type": "text",
-      "value": "SAMPLE_PUBLIC_CLIENT_ID"
-    },
-    {
-      "name": "ehr_requested_scopes",
-      "type": "text",
-      "value": "launch openid fhirUser offline_access user/*.read"
-    },
-    {
-      "name": "ehr_client_secret",
-      "type": "text",
-      "optional": true,
-      "value": null
+      "name": "ehr_smart_auth_info",
+      "type": "auth_info",
+      "value": {
+        "auth_type": "public",
+        "requested_scopes": "launch openid fhirUser offline_access user/*.read",
+        "client_id": "SAMPLE_PUBLIC_CLIENT_ID",
+        "pkce_support": "disabled"
+      }
     }
   ]
 }

data/config/presets/inferno_reference_server_stu2_2_preset.json

@@ -9,81 +9,32 @@
       "value": "https://inferno.healthit.gov/reference-server/r4"
     },
     {
-      "name": "standalone_client_id",
-      "type": "text",
-      "value": "SAMPLE_PUBLIC_CLIENT_ID"
-    },
-    {
-      "name": "standalone_requested_scopes",
-      "type": "text",
-      "value": "launch/patient openid fhirUser offline_access patient/*.read"
-    },
-    {
-      "name": "standalone_client_secret",
-      "type": "text",
-      "optional": true,
-      "value": null
-    },
-    {
-      "name": "ehr_client_id",
-      "type": "text",
-      "value": "SAMPLE_PUBLIC_CLIENT_ID"
-    },
-    {
-      "name": "ehr_requested_scopes",
-      "type": "text",
-      "value": "launch openid fhirUser offline_access user/*.read"
-    },
-    {
-      "name": "ehr_client_secret",
-      "type": "text",
-      "optional": true,
-      "value": null
-    },
-    {
-      "name": "client_auth_encryption_method",
-      "value": "ES384",
-      "_title": "Encryption Method (Confidential Asymmetric Client Auth Only)",
-      "_type": "radio",
-      "_options": {
-        "list_options": [
-          {
-            "label": "ES384",
-            "value": "ES384"
-          },
-          {
-            "label": "RS384",
-            "value": "RS384"
-          }
-        ]
+      "name": "standalone_smart_auth_info",
+      "type": "auth_info",
+      "value": {
+        "auth_type":"public",
+        "requested_scopes":"launch/patient openid fhirUser offline_access patient/*.rs",
+        "client_id":"SAMPLE_PUBLIC_CLIENT_ID"
       }
     },
     {
-      "name": "client_auth_type",
-      "value": "public",
-      "_title": "Client Authentication Method",
-      "_type": "radio",
-      "_options": {
-        "list_options": [
-          {
-            "label": "Public",
-            "value": "public"
-          },
-          {
-            "label": "Confidential Symmetric",
-            "value": "confidential_symmetric"
-          },
-          {
-            "label": "Confidential Asymmetric",
-            "value": "confidential_asymmetric"
-          }
-        ]
+      "name": "ehr_smart_auth_info",
+      "type": "auth_info",
+      "value": {
+        "auth_type":"public",
+        "requested_scopes":"launch openid fhirUser offline_access user/*.rs",
+        "client_id":"SAMPLE_PUBLIC_CLIENT_ID"
       }
     },
     {
-      "name": "backend_services_client_id",
-      "type": "text",
-      "value": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InJlZ2lzdHJhdGlvbi10b2tlbiJ9.eyJqd2tzX3VybCI6Imh0dHA6Ly8xMC4xNS4yNTIuNzMvaW5mZXJuby8ud2VsbC1rbm93bi9qd2tzLmpzb24iLCJhY2Nlc3NUb2tlbnNFeHBpcmVJbiI6MTUsImlhdCI6MTU5NzQxMzE5NX0.q4v4Msc74kN506KTZ0q_minyapJw0gwlT6M_uiL73S4"
+      "name": "backend_services_smart_auth_info",
+      "type": "auth_info",
+      "value": {
+        "auth_type":"backend_services",
+        "requested_scopes":"system/*.read",
+        "client_id":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InJlZ2lzdHJhdGlvbi10b2tlbiJ9.eyJqd2tzX3VybCI6Imh0dHA6Ly8xMC4xNS4yNTIuNzMvaW5mZXJuby8ud2VsbC1rbm93bi9qd2tzLmpzb24iLCJhY2Nlc3NUb2tlbnNFeHBpcmVJbiI6MTUsImlhdCI6MTU5NzQxMzE5NX0.q4v4Msc74kN506KTZ0q_minyapJw0gwlT6M_uiL73S4",
+        "encryption_algorithm":"ES384"
+      }
     }
   ]
 }

data/config/presets/inferno_reference_server_stu2_preset.json

@@ -9,81 +9,32 @@
       "value": "https://inferno.healthit.gov/reference-server/r4"
     },
     {
-      "name": "standalone_client_id",
-      "type": "text",
-      "value": "SAMPLE_PUBLIC_CLIENT_ID"
-    },
-    {
-      "name": "standalone_requested_scopes",
-      "type": "text",
-      "value": "launch/patient openid fhirUser offline_access patient/*.read"
-    },
-    {
-      "name": "standalone_client_secret",
-      "type": "text",
-      "optional": true,
-      "value": null
-    },
-    {
-      "name": "ehr_client_id",
-      "type": "text",
-      "value": "SAMPLE_PUBLIC_CLIENT_ID"
-    },
-    {
-      "name": "ehr_requested_scopes",
-      "type": "text",
-      "value": "launch openid fhirUser offline_access user/*.read"
-    },
-    {
-      "name": "ehr_client_secret",
-      "type": "text",
-      "optional": true,
-      "value": null
-    },
-    {
-      "name": "client_auth_encryption_method",
-      "value": "ES384",
-      "_title": "Encryption Method (Confidential Asymmetric Client Auth Only)",
-      "_type": "radio",
-      "_options": {
-        "list_options": [
-          {
-            "label": "ES384",
-            "value": "ES384"
-          },
-          {
-            "label": "RS384",
-            "value": "RS384"
-          }
-        ]
+      "name": "standalone_smart_auth_info",
+      "type": "auth_info",
+      "value": {
+        "auth_type": "public",
+        "requested_scopes":"launch/patient openid fhirUser offline_access patient/*.rs",
+        "client_id":"SAMPLE_PUBLIC_CLIENT_ID"
       }
     },
     {
-      "name": "client_auth_type",
-      "value": "public",
-      "_title": "Client Authentication Method",
-      "_type": "radio",
-      "_options": {
-        "list_options": [
-          {
-            "label": "Public",
-            "value": "public"
-          },
-          {
-            "label": "Confidential Symmetric",
-            "value": "confidential_symmetric"
-          },
-          {
-            "label": "Confidential Asymmetric",
-            "value": "confidential_asymmetric"
-          }
-        ]
+      "name": "ehr_smart_auth_info",
+      "type": "auth_info",
+      "value": {
+        "auth_type":"public",
+        "requested_scopes":"launch openid fhirUser offline_access user/*.rs",
+        "client_id":"SAMPLE_PUBLIC_CLIENT_ID"
       }
     },
     {
-      "name": "backend_services_client_id",
-      "type": "text",
-      "value": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InJlZ2lzdHJhdGlvbi10b2tlbiJ9.eyJqd2tzX3VybCI6Imh0dHA6Ly8xMC4xNS4yNTIuNzMvaW5mZXJuby8ud2VsbC1rbm93bi9qd2tzLmpzb24iLCJhY2Nlc3NUb2tlbnNFeHBpcmVJbiI6MTUsImlhdCI6MTU5NzQxMzE5NX0.q4v4Msc74kN506KTZ0q_minyapJw0gwlT6M_uiL73S4"
+      "name": "backend_services_smart_auth_info",
+      "type": "auth_info",
+      "value": {
+        "auth_type":"backend_services",
+        "requested_scopes":"system/*.read",
+        "client_id":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InJlZ2lzdHJhdGlvbi10b2tlbiJ9.eyJqd2tzX3VybCI6Imh0dHA6Ly8xMC4xNS4yNTIuNzMvaW5mZXJuby8ud2VsbC1rbm93bi9qd2tzLmpzb24iLCJhY2Nlc3NUb2tlbnNFeHBpcmVJbiI6MTUsImlhdCI6MTU5NzQxMzE5NX0.q4v4Msc74kN506KTZ0q_minyapJw0gwlT6M_uiL73S4",
+        "encryption_algorithm":"ES384"
+      }
     }
   ]
 }

data/lib/smart_app_launch/app_launch_test.rb

@@ -10,7 +10,13 @@ module SMARTAppLaunch
     input :url
     receives_request :launch
 
-    config options: { launch_uri: "#{Inferno::Application['base_url']}/custom/smart/launch" }
+    def default_launch_uri
+      "#{Inferno::Application['base_url']}/custom/smart/launch"
+    end
+
+    def launch_uri
+      config.options[:launch_uri].presence || default_launch_uri
+    end
 
     def wait_message
       return instance_exec(&config.options[:launch_message_proc]) if config.options[:launch_message_proc].present?
@@ -21,7 +27,7 @@ module SMARTAppLaunch
         Waiting for Inferno to be launched from the EHR.
 
         Tests will resume once Inferno receives a launch request at
-        `#{config.options[:launch_uri]}` with an `iss` of `#{url}`.
+        `#{launch_uri}` with an `iss` of `#{url}`.
       )
     end
 

data/lib/smart_app_launch/app_redirect_test.rb

@@ -9,45 +9,18 @@ module SMARTAppLaunch
     )
     id :smart_app_redirect
 
-    input :client_id, :requested_scopes, :url, :smart_authorization_url
-    input :use_pkce,
-          title: 'Proof Key for Code Exchange (PKCE)',
-          type: 'radio',
-          default: 'false',
-          options: {
-            list_options: [
-              {
-                label: 'Enabled',
-                value: 'true'
-              },
-              {
-                label: 'Disabled',
-                value: 'false'
-              }
-            ]
-          }
-    input :pkce_code_challenge_method,
-          optional: true,
-          title: 'PKCE Code Challenge Method',
-          type: 'radio',
-          default: 'S256',
-          options: {
-            list_options: [
-              {
-                label: 'S256',
-                value: 'S256'
-              },
-              {
-                label: 'plain',
-                value: 'plain'
-              }
-            ]
-          }
-
+    input :url
+    input :smart_auth_info, type: :auth_info, options: { mode: 'auth' }
     output :state, :pkce_code_challenge, :pkce_code_verifier
     receives_request :redirect
 
-    config options: { redirect_uri: "#{Inferno::Application['base_url']}/custom/smart/redirect" }
+    def default_redirect_uri
+      "#{Inferno::Application['base_url']}/custom/smart/redirect"
+    end
+
+    def redirect_uri
+      config.options[:redirect_uri].presence || default_redirect_uri
+    end
 
     def self.calculate_s256_challenge(verifier)
       Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
@@ -68,7 +41,7 @@ module SMARTAppLaunch
         [Follow this link to authorize with the SMART server](#{auth_url}).
 
         Tests will resume once Inferno receives a request at
-        `#{config.options[:redirect_uri]}` with a state of `#{state}`.
+        `#{redirect_uri}` with a state of `#{state}`.
       )
     end
 
@@ -85,17 +58,17 @@ module SMARTAppLaunch
 
     run do
       assert_valid_http_uri(
-        smart_authorization_url,
-        "OAuth2 Authorization Endpoint '#{smart_authorization_url}' is not a valid URI"
+        smart_auth_info.auth_url,
+        "OAuth2 Authorization Endpoint '#{smart_auth_info.auth_url}' is not a valid URI"
       )
 
       output state: SecureRandom.uuid
 
       oauth2_params = {
         'response_type' => 'code',
-        'client_id' => client_id,
-        'redirect_uri' => config.options[:redirect_uri],
-        'scope' => requested_scopes,
+        'client_id' => smart_auth_info.client_id,
+        'redirect_uri' => redirect_uri,
+        'scope' => smart_auth_info.requested_scopes,
         'state' => state,
         'aud' => aud
       }
@@ -106,11 +79,11 @@ module SMARTAppLaunch
         oauth2_params['launch'] = launch
       end
 
-      if use_pkce == 'true'
+      if smart_auth_info.pkce_enabled?
         # code verifier must be between 43 and 128 characters
-        code_verifier = SecureRandom.uuid + '-' + SecureRandom.uuid
+        code_verifier = "#{SecureRandom.uuid}-#{SecureRandom.uuid}"
         code_challenge =
-          if pkce_code_challenge_method == 'S256'
+          if smart_auth_info.s256_code_challenge_method?
             self.class.calculate_s256_challenge(code_verifier)
           else
             code_verifier
@@ -118,11 +91,12 @@ module SMARTAppLaunch
 
         output pkce_code_verifier: code_verifier, pkce_code_challenge: code_challenge
 
-        oauth2_params.merge!('code_challenge' => code_challenge, 'code_challenge_method' => pkce_code_challenge_method)
+        oauth2_params.merge!('code_challenge' => code_challenge,
+                             'code_challenge_method' => smart_auth_info.pkce_code_challenge_method)
       end
 
       authorization_url = authorization_url_builder(
-        smart_authorization_url,
+        smart_auth_info.auth_url,
         oauth2_params
       )
 

data/lib/smart_app_launch/app_redirect_test_stu2.rb

@@ -15,29 +15,22 @@ module SMARTAppLaunch
       Request](http://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4)
     )
 
-    input :authorization_method,
-          title: 'Authorization Request Method',
-          type: 'radio',
-          default: 'get',
-          options: {
-            list_options: [
-              {
-                label: 'GET',
-                value: 'get'
-              },
-              {
-                label: 'POST',
-                value: 'post'
-              }
-            ]
-          }
+    input :smart_auth_info, type: :auth_info, options: { mode: 'auth' }
+
+    def default_post_authorization_uri
+      "#{Inferno::Application['base_url']}/custom/smart_stu2/post_auth"
+    end
+
+    def post_authorization_uri
+      config.options[:post_authorization_uri].presence || default_post_authorization_uri
+    end
 
     def authorization_url_builder(url, params)
-      return super if authorization_method == 'get'
+      return super if smart_auth_info.get_auth_request?
 
       post_params = params.merge(auth_url: url)
 
-      post_url = URI(config.options[:post_authorization_uri])
+      post_url = URI(post_authorization_uri)
       post_url.query = URI.encode_www_form(post_params)
       post_url.to_s
     end

data/lib/smart_app_launch/backend_services_authorization_group.rb

@@ -13,67 +13,43 @@ module SMARTAppLaunch
 
     id :backend_services_authorization
 
-    input :smart_token_url,
-          title: 'Backend Services Token Endpoint',
-          description: <<~DESCRIPTION
-            The OAuth 2.0 Token Endpoint used by the Backend Services specification to provide bearer tokens.
-          DESCRIPTION
-
-    input :backend_services_client_id,
-          title: 'Backend Services Client ID',
-          description: 'Client ID provided at registration to the Inferno application.'
-    input :backend_services_requested_scope,
-          title: 'Backend Services Requested Scopes',
-          description: 'Backend Services Scopes provided at registration to the Inferno application; will be `system/` scopes',
-          default: 'system/*.read'
-
-    input :client_auth_encryption_method,
-      title: 'Encryption Method for Asymmetric Confidential Client Authorization',
-      description: <<~DESCRIPTION,
-        The server is required to suport either ES384 or RS384 encryption methods for JWT signature verification.
-        Select which method to use.
-      DESCRIPTION
-      type: 'radio',
-      default: 'ES384',
-      options: {
-        list_options: [
-          {
-            label: 'ES384',
-            value: 'ES384'
-          },
-          {
-            label: 'RS384',
-            value: 'RS384'
+    input :smart_auth_info,
+          title: 'Backend Services Credentials',
+          type: :auth_info,
+          options: {
+            mode: 'auth',
+            components: [
+              {
+                name: :auth_type,
+                default: 'backend_services',
+                locked: 'true'
+              },
+              {
+                name: :use_discovery,
+                locked: true
+              }
+            ]
           }
-        ]
-      }
-    input :backend_services_jwks_kid,
-          title: 'Backend Services JWKS kid',
-          description: <<~DESCRIPTION,
-            The key ID of the JWKS private key to use for signing the client assertion when fetching an auth token.
-            Defaults to the first JWK in the list if no kid is supplied.
-          DESCRIPTION
-          optional: true
 
     output :bearer_token
 
-    test from: :tls_version_test do
-      title 'Authorization service token endpoint secured by transport layer security'
-      description <<~DESCRIPTION
-        The [SMART App Launch 2.0.0 IG specification for Backend Services](https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-1)
-        states "the client SHALL use the Transport Layer Security (TLS) Protocol Version 1.2 (RFC5246) 
-        or a more recent version of TLS to authenticate the identity of the FHIR authorization server and to 
-        establish an encrypted, integrity-protected link for securing all exchanges between the client and the 
-        FHIR authorization server’s token endpoint. All exchanges described herein between the client and the 
-        FHIR server SHALL be secured using TLS V1.2 or a more recent version of TLS."
-      DESCRIPTION
-      id :smart_backend_services_token_tls_version
-
-      config(
-        inputs: { url: { name: :smart_token_url } },
-        options: {  minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION }
-      )
-    end
+    test from: :smart_tls,
+         id: :smart_backend_services_token_tls_version,
+         title: 'Authorization service token endpoint secured by transport layer security',
+         description: <<~DESCRIPTION,
+           The [SMART App Launch 2.0.0 IG specification for Backend Services](https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-1)
+           states "the client SHALL use the Transport Layer Security (TLS) Protocol Version 1.2 (RFC5246)
+           or a more recent version of TLS to authenticate the identity of the FHIR authorization server and to
+           establish an encrypted, integrity-protected link for securing all exchanges between the client and the
+           FHIR authorization server’s token endpoint. All exchanges described herein between the client and the
+           FHIR server SHALL be secured using TLS V1.2 or a more recent version of TLS."
+         DESCRIPTION
+         config: {
+           options: {
+             minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION,
+             smart_endpoint_key: :token_url
+           }
+         }
 
     test from: :smart_backend_services_invalid_grant_type