smart_app_launch_test_kit 0.5.1 → 0.6.0

data/lib/smart_app_launch/standalone_launch_group.rb

@@ -1,5 +1,6 @@
 require_relative 'app_redirect_test'
 require_relative 'code_received_test'
+require_relative 'smart_tls_test'
 require_relative 'token_exchange_test'
 require_relative 'token_response_body_test'
 require_relative 'token_response_headers_test'
@@ -36,23 +37,35 @@ module SMARTAppLaunch
 
     config(
       inputs: {
-        client_id: {
-          name: :standalone_client_id,
-          title: 'Standalone Client ID',
-          description: 'Client ID provided during registration of Inferno as a standalone application'
-        },
-        client_secret: {
-          name: :standalone_client_secret,
-          title: 'Standalone Client Secret',
-          description: 'Client Secret provided during registration of Inferno as a standalone application. ' \
-                       'Only for clients using confidential symmetric authentication.'
-        },
-        requested_scopes: {
-          name: :standalone_requested_scopes,
-          title: 'Standalone Scope',
-          description: 'OAuth 2.0 scope provided by system to enable all required functionality',
-          type: 'textarea',
-          default: 'launch/patient openid fhirUser offline_access patient/*.read'
+        smart_auth_info: {
+          name: :standalone_smart_auth_info,
+          title: 'Standalone Launch Credentials',
+          options: {
+            components: [
+              {
+                name: :auth_type,
+                options: {
+                  list_options: [
+                    { label: 'Public', value: 'public' },
+                    { label: 'Confidential Symmetric', value: 'symmetric' }
+                  ]
+                }
+              },
+              {
+                name: :requested_scopes,
+                default: 'launch/patient openid fhirUser offline_access patient/*.read'
+              },
+              {
+                name: :use_discovery,
+                locked: true
+              },
+              {
+                name: :auth_request_method,
+                default: 'GET',
+                locked: true
+              }
+            ]
+          }
         },
         url: {
           title: 'Standalone FHIR Endpoint',
@@ -67,7 +80,6 @@ module SMARTAppLaunch
         smart_credentials: {
           name: :standalone_smart_credentials
         }
-
       },
       outputs: {
         code: { name: :standalone_code },
@@ -81,7 +93,8 @@ module SMARTAppLaunch
         encounter_id: { name: :standalone_encounter_id },
         received_scopes: { name: :standalone_received_scopes },
         intent: { name: :standalone_intent },
-        smart_credentials: { name: :standalone_smart_credentials }
+        smart_credentials: { name: :standalone_smart_credentials },
+        smart_auth_info: { name: :standalone_smart_auth_info }
       },
       requests: {
         redirect: { name: :standalone_redirect },
@@ -89,7 +102,7 @@ module SMARTAppLaunch
       }
     )
 
-    test from: :tls_version_test,
+    test from: :smart_tls,
          id: :standalone_auth_tls,
          title: 'OAuth 2.0 authorize endpoint secured by transport layer security',
          description: %(
@@ -98,12 +111,14 @@ module SMARTAppLaunch
            servers, over TLS-secured channels.
          ),
          config: {
-           inputs: { url: { name: :smart_authorization_url } },
-           options: {  minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION }
+           options: {
+             minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION,
+             smart_endpoint_key: :auth_url
+           }
          }
     test from: :smart_app_redirect
     test from: :smart_code_received
-    test from: :tls_version_test,
+    test from: :smart_tls,
          id: :standalone_token_tls,
          title: 'OAuth 2.0 token endpoint secured by transport layer security',
          description: %(
@@ -112,8 +127,10 @@ module SMARTAppLaunch
            servers, over TLS-secured channels.
          ),
          config: {
-           inputs: { url: { name: :smart_token_url } },
-           options: {  minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION }
+           options: {
+             minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION,
+             smart_endpoint_key: :token_url
+           }
          }
     test from: :smart_token_exchange
     test from: :smart_token_response_body

data/lib/smart_app_launch/standalone_launch_group_stu2.rb

@@ -31,16 +31,32 @@ module SMARTAppLaunch
 
     config(
       inputs: {
-        use_pkce: {
-          default: 'true',
-          locked: true
-        },
-        pkce_code_challenge_method: {
-          default: 'S256',
-          locked: true
-        },
-        requested_scopes: {
-          default: 'launch/patient openid fhirUser offline_access patient/*.rs'
+        smart_auth_info: {
+          name: :standalone_smart_auth_info,
+          title: 'Standalone Launch Credentials',
+          options: {
+            components: [
+              {
+                name: :requested_scopes,
+                default: 'launch/patient openid fhirUser offline_access patient/*.rs'
+              },
+              {
+                name: :pkce_support,
+                default: 'enabled',
+                locked: true
+              },
+              {
+                name: :pkce_code_challenge_method,
+                default: 'S256',
+                locked: true
+              },
+              Inferno::DSL::AuthInfo.default_auth_type_component_without_backend_services,
+              {
+                name: :use_discovery,
+                locked: true
+              }
+            ]
+          }
         }
       }
     )

data/lib/smart_app_launch/standalone_launch_group_stu2_2.rb

@@ -30,22 +30,6 @@ module SMARTAppLaunch
       * [Standalone Launch Sequence](http://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#launch-app-standalone-launch)
     )
 
-    config(
-      inputs: {
-        use_pkce: {
-          default: 'true',
-          locked: true
-        },
-        pkce_code_challenge_method: {
-          default: 'S256',
-          locked: true
-        },
-        requested_scopes: {
-          default: 'launch/patient openid fhirUser offline_access patient/*.rs'
-        }
-      }
-    )
-
     test from: :smart_token_exchange_stu2_2
 
     token_exchange_index = children.find_index { |child| child.id.to_s.end_with? 'token_exchange' }

data/lib/smart_app_launch/token_exchange_stu2_2_test.rb

@@ -4,26 +4,14 @@ module SMARTAppLaunch
   class TokenExchangeSTU22Test < TokenExchangeSTU2Test
     id :smart_token_exchange_stu2_2
 
-    def add_credentials_to_request(oauth2_params, oauth2_headers)
-      if client_auth_type == 'confidential_symmetric'
-        assert client_secret.present?,
-               'A client secret must be provided when using confidential symmetric client authentication.'
+    input :smart_auth_info, type: :auth_info, options: { mode: 'auth' }
 
-        client_credentials = "#{client_id}:#{client_secret}"
-        oauth2_headers['Authorization'] = "Basic #{Base64.strict_encode64(client_credentials)}"
-      elsif client_auth_type == 'public'
-        oauth2_params[:client_id] = client_id
+    def add_credentials_to_request(oauth2_params, oauth2_headers)
+      if smart_auth_info.public_auth?
+        oauth2_params[:client_id] = smart_auth_info.client_id
         oauth2_headers['Origin'] = Inferno::Application['inferno_host']
       else
-        oauth2_params.merge!(
-          client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
-          client_assertion: ClientAssertionBuilder.build(
-            iss: client_id,
-            sub: client_id,
-            aud: smart_token_url,
-            client_auth_encryption_method:
-          )
-        )
+        super
       end
     end
   end

data/lib/smart_app_launch/token_exchange_stu2_test.rb

@@ -13,79 +13,20 @@ module SMARTAppLaunch
     )
     id :smart_token_exchange_stu2
 
-    input :client_auth_encryption_method,
-      title: 'Encryption Method (Confidential Asymmetric Client Auth Only)',
-      type: 'radio',
-      default: 'ES384',
-      options: {
-        list_options: [
-          {
-            label: 'ES384',
-            value: 'ES384'
-          },
-          {
-            label: 'RS384',
-            value: 'RS384'
-          }
-        ]
-      }
-
-    input :client_auth_type,
-          title: 'Client Authentication Method',
-          type: 'radio',
-          default: 'public',
-          options: {
-            list_options: [
-              {
-                label: 'Public',
-                value: 'public'
-              },
-              {
-                label: 'Confidential Symmetric',
-                value: 'confidential_symmetric'
-              },
-              {
-                label: 'Confidential Asymmetric',
-                value: 'confidential_asymmetric'
-              }
-            ]
-          }
-
-    config(
-      inputs: {
-        use_pkce: {
-          default: 'true',
-          options: {
-            list_options: [
-              {
-                label: 'Enabled',
-                value: 'true'
-              }
-            ]
-          }
-        }
-      }
-    )
-
     def add_credentials_to_request(oauth2_params, oauth2_headers)
-      if client_auth_type == 'confidential_symmetric'
-        assert client_secret.present?,
-               "A client secret must be provided when using confidential symmetric client authentication."
-
-        client_credentials = "#{client_id}:#{client_secret}"
-        oauth2_headers['Authorization'] = "Basic #{Base64.strict_encode64(client_credentials)}"
-      elsif client_auth_type == 'public'
-        oauth2_params[:client_id] = client_id
-      else
+      if smart_auth_info.asymmetric_auth?
         oauth2_params.merge!(
           client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
           client_assertion: ClientAssertionBuilder.build(
-            iss: client_id,
-            sub: client_id,
-            aud: smart_token_url,
-            client_auth_encryption_method: client_auth_encryption_method
+            iss: smart_auth_info.client_id,
+            sub: smart_auth_info.client_id,
+            aud: smart_auth_info.token_url,
+            client_auth_encryption_method: smart_auth_info.encryption_algorithm,
+            custom_jwks: smart_auth_info.jwks
           )
         )
+      else
+        super
       end
     end
   end

data/lib/smart_app_launch/token_exchange_test.rb

@@ -9,30 +9,12 @@ module SMARTAppLaunch
       RFC6749](https://tools.ietf.org/html/rfc6749#section-4.1.3).
     )
     id :smart_token_exchange
-
-    input :code,
-          :smart_token_url,
-          :client_id
-    input :client_secret, optional: true
-    input :use_pkce,
-          title: 'Proof Key for Code Exchange (PKCE)',
-          type: 'radio',
-          default: 'false',
-          options: {
-            list_options: [
-              {
-                label: 'Enabled',
-                value: 'true'
-              },
-              {
-                label: 'Disabled',
-                value: 'false'
-              }
-            ]
-          }
+    input :code
     input :pkce_code_verifier, optional: true
-    output :token_retrieval_time
-    output :smart_credentials
+    input :smart_auth_info, type: :auth_info, options: { mode: 'auth' }
+
+    output :token_retrieval_time, :smart_credentials, :smart_auth_info
+
     uses_request :redirect
     makes_request :token
 
@@ -45,11 +27,11 @@ module SMARTAppLaunch
     end
 
     def add_credentials_to_request(oauth2_params, oauth2_headers)
-      if client_secret.present?
-        client_credentials = "#{client_id}:#{client_secret}"
+      if smart_auth_info.symmetric_auth?
+        client_credentials = "#{smart_auth_info.client_id}:#{smart_auth_info.client_secret}"
         oauth2_headers['Authorization'] = "Basic #{Base64.strict_encode64(client_credentials)}"
       else
-        oauth2_params[:client_id] = client_id
+        oauth2_params[:client_id] = smart_auth_info.client_id
       end
     end
 
@@ -65,26 +47,24 @@ module SMARTAppLaunch
 
       add_credentials_to_request(oauth2_params, oauth2_headers)
 
-      oauth2_params[:code_verifier] = pkce_code_verifier if use_pkce == 'true'
+      oauth2_params[:code_verifier] = pkce_code_verifier if smart_auth_info.pkce_enabled?
 
-      post(smart_token_url, body: oauth2_params, name: :token, headers: oauth2_headers)
+      post(smart_auth_info.token_url, body: oauth2_params, name: :token, headers: oauth2_headers)
 
       assert_response_status(200)
       assert_valid_json(request.response_body)
 
-      output token_retrieval_time: Time.now.iso8601
+      smart_auth_info.issue_time = Time.now
 
       token_response_body = JSON.parse(request.response_body)
 
-      output smart_credentials: {
-        refresh_token: token_response_body['refresh_token'],
-        access_token: token_response_body['access_token'],
-        expires_in: token_response_body['expires_in'],
-        client_id:,
-        client_secret:,
-        token_retrieval_time:,
-        token_url: smart_token_url
-      }.to_json
+      smart_auth_info.refresh_token = token_response_body['refresh_token']
+      smart_auth_info.access_token = token_response_body['access_token']
+      smart_auth_info.expires_in = token_response_body['expires_in']
+
+      output smart_credentials: smart_auth_info,
+             token_retrieval_time: smart_auth_info.issue_time.iso8601,
+             smart_auth_info: smart_auth_info
     end
   end
 end

data/lib/smart_app_launch/token_introspection_access_token_group.rb

@@ -15,12 +15,20 @@ module SMARTAppLaunch
       These tests are currently designed such that the token introspection URL must be present in the SMART well-known endpoint.
 
     )
-    
+
     input_instructions %(
       Register Inferno as a Standalone SMART App and provide the registration details below.
     )
-    
-    group from: :smart_discovery_stu2
+
+    group from: :smart_discovery_stu2,
+          config: {
+            inputs: {
+              smart_auth_info: { name: :standalone_smart_auth_info }
+            },
+            outputs: {
+              smart_auth_info: { name: :standalone_smart_auth_info }
+            }
+          }
     group from: :smart_standalone_launch_stu2
   end
-end
+end

data/lib/smart_app_launch/token_introspection_access_token_group_stu2_2.rb

@@ -20,7 +20,15 @@ module SMARTAppLaunch
       Register Inferno as a Standalone SMART App and provide the registration details below.
     )
 
-    group from: :smart_discovery_stu2_2
+    group from: :smart_discovery_stu2_2,
+          config: {
+            inputs: {
+              smart_auth_info: { name: :standalone_smart_auth_info }
+            },
+            outputs: {
+              smart_auth_info: { name: :standalone_smart_auth_info }
+            }
+          }
     group from: :smart_standalone_launch_stu2_2
   end
 end

data/lib/smart_app_launch/token_introspection_group.rb

@@ -44,11 +44,9 @@ module SMARTAppLaunch
     group from: :smart_token_introspection_request_group
     group from: :smart_token_introspection_response_group
 
-    input_order :url, :standalone_client_id, :standalone_client_secret,
-                :authorization_method, :use_pkce, :pkce_code_challenge_method,
-                :standalone_requested_scopes, :client_auth_encryption_method,
-                :client_auth_type, :custom_authorization_header,
+    input_order :url, :standalone_smart_auth_info, :custom_authorization_header,
                 :optional_introspection_request_params
+
     input_instructions %(
       Executing tests at this level will run all three Token Introspection groups back-to-back.  If test groups need
       to be run independently, exit this window and select a specific test group instead.

data/lib/smart_app_launch/token_introspection_request_group.rb

@@ -66,9 +66,7 @@ module SMARTAppLaunch
       body are returned in the response.
       )
 
-      input :standalone_access_token,
-            title: 'Access Token',
-            description: 'The access token to be introspected. MUST be active.'
+      input :standalone_smart_auth_info, type: :auth_info, options: { mode: 'access' }
 
       output :active_token_introspection_response_body
 
@@ -77,7 +75,7 @@ module SMARTAppLaunch
         skip_if well_known_introspection_url.nil?, 'No introspection URL present in SMART well-known endpoint.'
 
         headers = { 'Accept' => 'application/json', 'Content-Type' => 'application/x-www-form-urlencoded' }
-        body = "token=#{standalone_access_token}"
+        body = "token=#{standalone_smart_auth_info.access_token}"
 
         if custom_authorization_header.present?
           custom_headers = custom_authorization_header.split("\n")