smart_app_launch_test_kit 0.5.1 → 0.6.0

data/lib/smart_app_launch/backend_services_authorization_request_success_test.rb

@@ -1,8 +1,8 @@
 require_relative 'backend_services_authorization_request_builder'
 require_relative 'backend_services_authorization_group'
 
-module SMARTAppLaunch 
-  class BackendServicesAuthorizationRequestSuccessTest < Inferno::Test 
+module SMARTAppLaunch
+  class BackendServicesAuthorizationRequestSuccessTest < Inferno::Test
     id :smart_backend_services_auth_request_success
     title 'Authorization request succeeds when supplied correct information'
     description <<~DESCRIPTION
@@ -10,32 +10,37 @@ module SMARTAppLaunch
       states "If the access token request is valid and authorized, the authorization server SHALL issue an access token in response."
     DESCRIPTION
 
-    input :client_auth_encryption_method, 
-          :backend_services_requested_scope, 
-          :backend_services_client_id, 
-          :smart_token_url
-    input :backend_services_jwks_kid,
-          optional: true
+    input :smart_auth_info,
+          type: :auth_info,
+          options: {
+            mode: 'auth',
+            components: [
+              {
+                name: :auth_type,
+                default: 'backend_services',
+                locked: 'true'
+              }
+            ]
+          }
 
     output :authentication_response
 
-    http_client :token_endpoint do
-      url :smart_token_url
-    end
-
     run do
-      post_request_content = BackendServicesAuthorizationRequestBuilder.build(encryption_method: client_auth_encryption_method,
-                                                                scope: backend_services_requested_scope,
-                                                                iss: backend_services_client_id,
-                                                                sub: backend_services_client_id,
-                                                                aud: smart_token_url,
-                                                                kid: backend_services_jwks_kid)
-
-      authentication_response = post(**{ client: :token_endpoint }.merge(post_request_content))
+      post_request_content = BackendServicesAuthorizationRequestBuilder.build(
+        encryption_method: smart_auth_info.encryption_algorithm,
+        scope: smart_auth_info.requested_scopes,
+        iss: smart_auth_info.client_id,
+        sub: smart_auth_info.client_id,
+        aud: smart_auth_info.token_url,
+        kid: smart_auth_info.kid,
+        custom_jwks: smart_auth_info.jwks
+      )
+
+      authentication_response = post(smart_auth_info.token_url, **post_request_content)
 
       assert_response_status([200, 201])
 
       output authentication_response: authentication_response.response_body
     end
   end
-end
+end

data/lib/smart_app_launch/backend_services_authorization_response_body_test.rb

@@ -1,7 +1,7 @@
 require_relative 'backend_services_authorization_request_builder'
 
-module SMARTAppLaunch 
-  class BackendServicesAuthorizationResponseBodyTest < Inferno::Test 
+module SMARTAppLaunch
+  class BackendServicesAuthorizationResponseBodyTest < Inferno::Test
     id :smart_backend_services_auth_response_body
     title 'Authorization request response body contains required information encoded in JSON'
     description <<~DESCRIPTION
@@ -17,7 +17,19 @@ module SMARTAppLaunch
     DESCRIPTION
 
     input :authentication_response
-    output :bearer_token
+    input :smart_auth_info,
+          type: :auth_info,
+          options: {
+            mode: 'auth',
+            components: [
+              {
+                name: :auth_type,
+                default: 'backend_services',
+                locked: 'true'
+              }
+            ]
+          }
+    output :bearer_token, :smart_auth_info
 
     run do
       skip_if authentication_response.blank?, 'No authentication response received.'
@@ -28,7 +40,9 @@ module SMARTAppLaunch
       access_token = response_body['access_token']
       assert access_token.present?, 'Token response did not contain access_token as required'
 
-      output bearer_token: access_token
+      smart_auth_info.access_token = access_token
+
+      output bearer_token: access_token, smart_auth_info: smart_auth_info
 
       required_keys = ['token_type', 'expires_in', 'scope']
 
@@ -37,4 +51,4 @@ module SMARTAppLaunch
       end
     end
   end
-end
+end

data/lib/smart_app_launch/backend_services_invalid_client_assertion_test.rb

@@ -1,45 +1,50 @@
 require_relative 'backend_services_authorization_request_builder'
 
-module SMARTAppLaunch 
-  class BackendServicesInvalidClientAssertionTest < Inferno::Test 
+module SMARTAppLaunch
+  class BackendServicesInvalidClientAssertionTest < Inferno::Test
     id :smart_backend_services_invalid_client_assertion
     title 'Authorization request fails when supplied invalid client_assertion_type'
     description <<~DESCRIPTION
       The [SMART App Launch 2.0.0 IG specification for Backend Services](https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-1)
-      defines the required fields for the authorization request, made via HTTP POST to authorization 
+      defines the required fields for the authorization request, made via HTTP POST to authorization
       token endpoint.
       This includes the `client_assertion_type` parameter, where the value must be `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`.
 
-      The [OAuth 2.0 Authorization Framework Section 4.3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3.3) 
+      The [OAuth 2.0 Authorization Framework Section 4.3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3.3)
       describes the proper response for an invalid request in the client credentials grant flow:
 
       "If the request failed client authentication or is invalid, the authorization server returns an
       error response as described in [Section 5.2](https://tools.ietf.org/html/rfc6749#section-5.2)."
     DESCRIPTION
 
-    input :client_auth_encryption_method, 
-          :backend_services_requested_scope, 
-          :backend_services_client_id, 
-          :smart_token_url
-    input :backend_services_jwks_kid, 
-          optional: true
-
-    http_client :token_endpoint do
-      url :smart_token_url
-    end
+    input :smart_auth_info,
+          type: :auth_info,
+          options: {
+            mode: 'auth',
+            components: [
+              {
+                name: :auth_type,
+                default: 'backend_services',
+                locked: 'true'
+              }
+            ]
+          }
 
     run do
-      post_request_content = BackendServicesAuthorizationRequestBuilder.build(encryption_method: client_auth_encryption_method,
-                                                                  scope: backend_services_requested_scope,
-                                                                  iss: backend_services_client_id,
-                                                                  sub: backend_services_client_id,
-                                                                  aud: smart_token_url,
-                                                                  client_assertion_type: 'not_an_assertion_type',
-                                                                  kid: backend_services_jwks_kid)
-
-      post(**{ client: :token_endpoint }.merge(post_request_content))
+      post_request_content = BackendServicesAuthorizationRequestBuilder.build(
+        encryption_method: smart_auth_info.encryption_algorithm,
+        scope: smart_auth_info.requested_scopes,
+        iss: smart_auth_info.client_id,
+        sub: smart_auth_info.client_id,
+        aud: smart_auth_info.token_url,
+        client_assertion_type: 'not_an_assertion_type',
+        kid: smart_auth_info.kid,
+        custom_jwks: smart_auth_info.jwks
+      )
+
+      post(smart_auth_info.token_url, **post_request_content)
 
       assert_response_status(400)
-    end 
+    end
   end
-end
+end

data/lib/smart_app_launch/backend_services_invalid_grant_type_test.rb

@@ -1,45 +1,51 @@
 require_relative 'backend_services_authorization_request_builder'
 
-module SMARTAppLaunch 
-  class BackendServicesInvalidGrantTypeTest < Inferno::Test 
+module SMARTAppLaunch
+  class BackendServicesInvalidGrantTypeTest < Inferno::Test
     id :smart_backend_services_invalid_grant_type
     title 'Authorization request fails when client supplies invalid grant_type'
     description <<~DESCRIPTION
       The [SMART App Launch 2.0.0 IG section on Backend Services](https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-1)
-      defines the required fields for the authorization request, made via HTTP POST to authorization 
+      defines the required fields for the authorization request, made via HTTP POST to authorization
       token endpoint.
       This includes the `grant_type` parameter, where the value must be `client_credentials`.
 
-      The [OAuth 2.0 Authorization Framework Section 4.3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3.3) 
+      The [OAuth 2.0 Authorization Framework Section 4.3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3.3)
       describes the proper response for an invalid request in the client credentials grant flow:
 
       "If the request failed client authentication or is invalid, the authorization server returns an
       error response as described in [Section 5.2](https://tools.ietf.org/html/rfc6749#section-5.2)."
     DESCRIPTION
 
-    input :client_auth_encryption_method, 
-          :backend_services_requested_scope, 
-          :backend_services_client_id, 
-          :smart_token_url
-    input :backend_services_jwks_kid,
-          optional: true
+    input :smart_auth_info,
+          type: :auth_info,
+          options: {
+            mode: 'auth',
+            components: [
+              {
+                name: :auth_type,
+                default: 'backend_services',
+                locked: 'true'
+              }
+            ]
+          }
 
-    http_client :token_endpoint do
-      url :smart_token_url
-    end
 
     run do
-      post_request_content = BackendServicesAuthorizationRequestBuilder.build(encryption_method: client_auth_encryption_method,
-                                                              scope: backend_services_requested_scope,
-                                                              iss: backend_services_client_id,
-                                                              sub: backend_services_client_id,
-                                                              aud: smart_token_url,
-                                                              grant_type: 'not_a_grant_type',
-                                                              kid: backend_services_jwks_kid)
-
-      post(**{ client: :token_endpoint }.merge(post_request_content))
+      post_request_content = BackendServicesAuthorizationRequestBuilder.build(
+        encryption_method: smart_auth_info.encryption_algorithm,
+        scope: smart_auth_info.requested_scopes,
+        iss: smart_auth_info.client_id,
+        sub: smart_auth_info.client_id,
+        aud: smart_auth_info.token_url,
+        grant_type: 'not_a_grant_type',
+        kid: smart_auth_info.kid,
+        custom_jwks: smart_auth_info.jwks
+      )
+
+      post(smart_auth_info.token_url, **post_request_content)
 
       assert_response_status(400)
-    end 
+    end
   end
-end
+end

data/lib/smart_app_launch/backend_services_invalid_jwt_test.rb

@@ -1,15 +1,15 @@
 require_relative 'backend_services_authorization_request_builder'
 
-module SMARTAppLaunch 
-  class BackendServicesInvalidJWTTest < Inferno::Test 
+module SMARTAppLaunch
+  class BackendServicesInvalidJWTTest < Inferno::Test
     id :smart_backend_services_invalid_jwt
     title 'Authorization request fails when client supplies invalid JWT token'
     description <<~DESCRIPTION
       The [SMART App Launch 2.0.0 IG section on Backend Services](https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-1)
-      defines the required fields for the authorization request, made via HTTP POST to authorization 
+      defines the required fields for the authorization request, made via HTTP POST to authorization
       token endpoint.
       This includes the `client_assertion` parameter, where the value must be
-      a valid JWT as specified in 
+      a valid JWT as specified in
       [Asymmetric (public key) Client Authentication](https://hl7.org/fhir/smart-app-launch/STU2/client-confidential-asymmetric.html#authenticating-to-the-token-endpoint)
       The JWT SHALL include the following claims, and SHALL be signed with the client’s private key.
 
@@ -21,36 +21,41 @@ module SMARTAppLaunch
       | `exp` | required | Expiration time integer for this authentication JWT, expressed in seconds since the "Epoch" (1970-01-01T00:00:00Z UTC). This time SHALL be no more than five minutes in the future. |
       | `jti` | required | A nonce string value that uniquely identifies this authentication JWT. |
 
-      The [OAuth 2.0 Authorization Framework Section 4.3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3.3) 
+      The [OAuth 2.0 Authorization Framework Section 4.3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3.3)
       describes the proper response for an invalid request in the client credentials grant flow:
 
       "If the request failed client authentication or is invalid, the authorization server returns an
       error response as described in [Section 5.2](https://tools.ietf.org/html/rfc6749#section-5.2)."
     DESCRIPTION
 
-    input :client_auth_encryption_method, 
-          :backend_services_requested_scope, 
-          :backend_services_client_id, 
-          :smart_token_url
-    input :backend_services_jwks_kid,
-          optional: true
+    input :smart_auth_info,
+          type: :auth_info,
+          options: {
+            mode: 'auth',
+            components: [
+              {
+                name: :auth_type,
+                default: 'backend_services',
+                locked: 'true'
+              }
+            ]
+          }
 
-    http_client :token_endpoint do
-      url :smart_token_url
-    end
-      
     run do
-      post_request_content = BackendServicesAuthorizationRequestBuilder.build(encryption_method: client_auth_encryption_method,
-                                                                scope: backend_services_requested_scope,
-                                                                iss: backend_services_client_id,
-                                                                sub: backend_services_client_id,
-                                                                aud: smart_token_url,
-                                                                client_assertion_type: 'not_an_assertion_type',
-                                                                kid: backend_services_jwks_kid)
-
-      post(**{ client: :token_endpoint }.merge(post_request_content))
+      post_request_content = BackendServicesAuthorizationRequestBuilder.build(
+        encryption_method: smart_auth_info.encryption_algorithm,
+        scope: smart_auth_info.requested_scopes,
+        iss: smart_auth_info.client_id,
+        sub: smart_auth_info.client_id,
+        aud: smart_auth_info.token_url,
+        client_assertion_type: 'not_an_assertion_type',
+        kid: smart_auth_info.kid,
+        custom_jwks: smart_auth_info.jwks
+      )
+
+      post(smart_auth_info.token_url, **post_request_content)
 
       assert_response_status(400)
-    end 
+    end
   end
-end
+end

data/lib/smart_app_launch/client_assertion_builder.rb

@@ -17,7 +17,8 @@ module SMARTAppLaunch
                 :iss,
                 :jti,
                 :sub,
-                :kid
+                :kid,
+                :custom_jwks
 
     def initialize(
       client_auth_encryption_method:,
@@ -26,7 +27,8 @@ module SMARTAppLaunch
       aud:,
       exp: 5.minutes.from_now.to_i,
       jti: SecureRandom.hex(32),
-      kid: nil
+      kid: nil,
+      custom_jwks: nil
     )
       @client_auth_encryption_method = client_auth_encryption_method
       @iss = iss
@@ -37,14 +39,25 @@ module SMARTAppLaunch
       @client_assertion_type = client_assertion_type
       @exp = exp
       @jti = jti
-      @kid = kid
+      @kid = kid.presence
+      @custom_jwks = custom_jwks
+    end
+
+    def jwks
+      @jwks ||=
+        if custom_jwks.present?
+          JWT::JWK::Set.new(JSON.parse(custom_jwks))
+        else
+          JWKS.jwks
+        end
     end
 
     def private_key
-      @private_key ||= JWKS.jwks
-        .select { |key| key[:key_ops]&.include?('sign') }
-        .select { |key| key[:alg] == client_auth_encryption_method }
-        .find { |key| !kid || key[:kid] == kid }
+      @private_key ||=
+        jwks
+          .select { |key| key[:key_ops]&.include?('sign') }
+          .select { |key| key[:alg] == client_auth_encryption_method }
+          .find { |key| !kid || key[:kid] == kid }
     end
 
     def jwt_payload
@@ -52,11 +65,12 @@ module SMARTAppLaunch
     end
 
     def signing_key
-      private_key()
-      if @private_key.nil?
-        raise Inferno::Exceptions::AssertionException, "No signing key found for inputs: encryption method = '#{client_auth_encryption_method}' and kid = '#{kid}'"
+      if private_key.nil?
+        raise Inferno::Exceptions::AssertionException,
+              "No signing key found for inputs: encryption method = '#{client_auth_encryption_method}' and kid = '#{kid}'"
       end
-      return @private_key.signing_key
+
+      @private_key.signing_key
     end
 
     def key_id
@@ -65,7 +79,8 @@ module SMARTAppLaunch
 
     def client_assertion
       @client_assertion ||=
-        JWT.encode jwt_payload, signing_key, client_auth_encryption_method, { alg: client_auth_encryption_method, kid: key_id, typ: 'JWT' }
+        JWT.encode jwt_payload, signing_key, client_auth_encryption_method,
+                   { alg: client_auth_encryption_method, kid: key_id, typ: 'JWT' }
     end
   end
 end

data/lib/smart_app_launch/cors_openid_fhir_user_claim_test.rb

@@ -16,11 +16,11 @@ module SMARTAppLaunch
     optional
 
     input :url, :id_token_fhir_user
-    input :smart_credentials, type: :oauth_credentials
+    input :smart_auth_info, type: :auth_info
 
     fhir_client do
       url :url
-      oauth_credentials :smart_credentials
+      auth_info :smart_auth_info
       headers 'Origin' => Inferno::Application['inferno_host']
     end
 

data/lib/smart_app_launch/cors_token_exchange_test.rb

@@ -15,10 +15,10 @@ module SMARTAppLaunch
 
     uses_request :cors_token_request
 
-    input :client_auth_type
+    input :smart_auth_info, type: :auth_info, options: { mode: 'auth' }
 
     run do
-      omit_if client_auth_type != 'public', %(
+      omit_if smart_auth_info.auth_type != 'public', %(
         Client type is not public, Cross-Origin Resource Sharing (CORS) is not required to be supported for
         non-public client types
       )

data/lib/smart_app_launch/discovery_stu1_group.rb

@@ -40,8 +40,12 @@ module SMARTAppLaunch
       * [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html)
     )
 
-    test from: :well_known_endpoint,
-         id: 'Test01'
+    test from: :well_known_endpoint do
+      id 'Test01'
+      input :smart_auth_info,
+            type: :auth_info
+    end
+
     test from: :well_known_capabilities_stu1,
          id: 'Test02'
 

data/lib/smart_app_launch/ehr_launch_group.rb

@@ -40,23 +40,35 @@ module SMARTAppLaunch
 
     config(
       inputs: {
-        client_id: {
-          name: :ehr_client_id,
-          title: 'EHR Launch Client ID',
-          description: 'Client ID provided during registration of Inferno as an EHR launch application'
-        },
-        client_secret: {
-          name: :ehr_client_secret,
-          title: 'EHR Launch Client Secret',
-          description: 'Client Secret provided during registration of Inferno as an EHR launch application. ' \
-                       'Only for clients using confidential symmetric authentication.'
-        },
-        requested_scopes: {
-          name: :ehr_requested_scopes,
-          title: 'EHR Launch Scope',
-          description: 'OAuth 2.0 scope provided by system to enable all required functionality',
-          type: 'textarea',
-          default: 'launch openid fhirUser offline_access user/*.read'
+        smart_auth_info: {
+          name: :ehr_smart_auth_info,
+          title: 'EHR Launch Credentials',
+          options: {
+            components: [
+              {
+                name: :auth_type,
+                options: {
+                  list_options: [
+                    { label: 'Public', value: 'public' },
+                    { label: 'Confidential Symmetric', value: 'symmetric' }
+                  ]
+                }
+              },
+              {
+                name: :requested_scopes,
+                default: 'launch openid fhirUser offline_access user/*.read'
+              },
+              {
+                name: :use_discovery,
+                locked: true
+              },
+              {
+                name: :auth_request_method,
+                default: 'GET',
+                locked: true
+              }
+            ]
+          }
         },
         url: {
           title: 'EHR Launch FHIR Endpoint',
@@ -88,7 +100,8 @@ module SMARTAppLaunch
         encounter_id: { name: :ehr_encounter_id },
         received_scopes: { name: :ehr_received_scopes },
         intent: { name: :ehr_intent },
-        smart_credentials: { name: :ehr_smart_credentials }
+        smart_credentials: { name: :ehr_smart_credentials },
+        smart_auth_info: { name: :ehr_smart_auth_info }
       },
       requests: {
         launch: { name: :ehr_launch },
@@ -99,7 +112,7 @@ module SMARTAppLaunch
 
     test from: :smart_app_launch
     test from: :smart_launch_received
-    test from: :tls_version_test,
+    test from: :smart_tls,
          id: :ehr_auth_tls,
          title: 'OAuth 2.0 authorize endpoint secured by transport layer security',
          description: %(
@@ -108,14 +121,16 @@ module SMARTAppLaunch
            servers, over TLS-secured channels.
          ),
          config: {
-           inputs: { url: { name: :smart_authorization_url } },
-           options: {  minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION }
+           options: {
+             minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION,
+             smart_endpoint_key: :auth_url
+           }
          }
     test from: :smart_app_redirect do
       input :launch
     end
     test from: :smart_code_received
-    test from: :tls_version_test,
+    test from: :smart_tls,
          id: :ehr_token_tls,
          title: 'OAuth 2.0 token endpoint secured by transport layer security',
          description: %(
@@ -124,8 +139,10 @@ module SMARTAppLaunch
            servers, over TLS-secured channels.
          ),
          config: {
-           inputs: { url: { name: :smart_token_url } },
-           options: {  minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION }
+           options: {
+             minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION,
+             smart_endpoint_key: :token_url
+           }
          }
     test from: :smart_token_exchange
     test from: :smart_token_response_body

data/lib/smart_app_launch/ehr_launch_group_stu2.rb

@@ -33,16 +33,32 @@ module SMARTAppLaunch
 
     config(
       inputs: {
-        use_pkce: {
-          default: 'true',
-          locked: true
-        },
-        pkce_code_challenge_method: {
-          default: 'S256',
-          locked: true
-        },
-        requested_scopes: {
-          default: 'launch openid fhirUser offline_access user/*.rs'
+        smart_auth_info: {
+          name: :ehr_smart_auth_info,
+          title: 'EHR Launch Credentials',
+          options: {
+            components: [
+              {
+                name: :requested_scopes,
+                default: 'launch openid fhirUser offline_access patient/*.rs'
+              },
+              {
+                name: :pkce_support,
+                default: 'enabled',
+                locked: true
+              },
+              {
+                name: :pkce_code_challenge_method,
+                default: 'S256',
+                locked: true
+              },
+              Inferno::DSL::AuthInfo.default_auth_type_component_without_backend_services,
+              {
+                name: :use_discovery,
+                locked: true
+              }
+            ]
+          }
         }
       }
     )

data/lib/smart_app_launch/ehr_launch_group_stu2_2.rb

@@ -32,22 +32,6 @@ module SMARTAppLaunch
       * [SMART EHR Launch Sequence](http://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#launch-app-ehr-launch)
     )
 
-    config(
-      inputs: {
-        use_pkce: {
-          default: 'true',
-          locked: true
-        },
-        pkce_code_challenge_method: {
-          default: 'S256',
-          locked: true
-        },
-        requested_scopes: {
-          default: 'launch openid fhirUser offline_access user/*.rs'
-        }
-      }
-    )
-
     test from: :smart_token_exchange_stu2_2
 
     token_exchange_index = children.find_index { |child| child.id.to_s.end_with? 'smart_token_exchange' }