smart_app_launch_test_kit 0.5.1 → 0.6.0

data/lib/smart_app_launch/token_introspection_response_group.rb

@@ -13,20 +13,20 @@ module SMARTAppLaunch
       in which the access token was given to the client.
       )
 
-      input_instructions %(
-        There are two categories of input for this test group: 
+    input_instructions %(
+        There are two categories of input for this test group:
 
         1. The access token response values, which will dictate what the tests will expect to find in the token
         introspection response.  If the Request New Access Token group was run, these inputs will auto-populate.
-        
+
         2. The token introspection response bodies. If the Issue Introspection Request test group was run, these will
         auto-populate; otherwise, the tester will need to an run out-of-band INTROSPECTION requests for a. An ACTIVE
         access token, AND b. An INACTIVE OR INVALID token
 
         See [RFC-7662](https://datatracker.ietf.org/doc/html/rfc7662#section-2) for details on active vs inactive tokens.
       )
-      
-    test do 
+
+    test do
       title 'Token introspection response for an active token contains required fields'
 
       description %(
@@ -39,29 +39,26 @@ module SMARTAppLaunch
         * `scope`, `client_id`, and `exp` claim(s) match between introspection response and access token
 
         It is not possible to know what the expected value for `exp` is in advance, so Inferno tests that the claim is
-        present and represents a time greater than or equal to 10 minutes in the past. 
+        present and represents a time greater than or equal to 10 minutes in the past.
 
         Conditionally Required:
-        * IF launch context parameter(s) included in access token, introspection response includes claim(s) for 
-        launch context parameter(s) 
+        * IF launch context parameter(s) included in access token, introspection response includes claim(s) for
+        launch context parameter(s)
           * Parameters checked for are `patient` and `encounter`
         * IF identity token was included as part of access token response, `iss` and `sub` claims are present in the
         introspection response and match those of the orignal ID token
 
         Optional but Recommended:
-        * IF identity token was included as part of access token response, `fhirUser` claim SHOULD be present in 
+        * IF identity token was included as part of access token response, `fhirUser` claim SHOULD be present in
         introspection response and should match the claim in the ID token
       )
 
-      input :standalone_client_id,
-            title: 'Access Token client_id',
-            description: 'ID of the client that requested the access token being introspected'
-
+      input :standalone_smart_auth_info, type: :auth_info, options: { mode: 'auth' }
 
       input :standalone_received_scopes,
             title: 'Expected Introspection Response Value: scope',
             description: 'A space-separated list of scopes from the original access token response body'
-      
+
       input :standalone_id_token,
             title: 'Access Token Response: id_token',
             type: 'textarea',
@@ -85,16 +82,16 @@ module SMARTAppLaunch
 
       def get_json_claim_value(json_response, claim_key)
         claim_value = json_response[claim_key]
-        assert claim_value != nil, "Failure: introspection response has no claim for '#{claim_key}'"
-        return claim_value
+        assert !claim_value.nil?, "Failure: introspection response has no claim for '#{claim_key}'"
+        claim_value
       end
-      
+
       def assert_introspection_response_match(json_response, claim_key, expected_value)
         expected_value = expected_value.strip
         claim_value = get_json_claim_value(json_response, claim_key)
         claim_value = claim_value.strip
-        assert claim_value.eql?(expected_value), 
-            "Failure: expected introspection response value for '#{claim_key}' to match expected value '#{expected_value}'"
+        assert claim_value.eql?(expected_value),
+               "Failure: expected introspection response value for '#{claim_key}' to match expected value '#{expected_value}'"
       end
 
       run do
@@ -103,47 +100,57 @@ module SMARTAppLaunch
         active_introspection_response_body_parsed = JSON.parse(active_token_introspection_response_body)
 
         # Required Fields
-        assert active_introspection_response_body_parsed['active'] == true, "Failure: expected introspection response for 'active' to be Boolean value true for valid token"
-        assert_introspection_response_match(active_introspection_response_body_parsed, 'client_id', standalone_client_id)
+        assert active_introspection_response_body_parsed['active'] == true,
+               "Failure: expected introspection response for 'active' to be Boolean value true for valid token"
+        assert_introspection_response_match(active_introspection_response_body_parsed, 'client_id',
+                                            standalone_smart_auth_info.client_id)
 
         response_scope_value = get_json_claim_value(active_introspection_response_body_parsed, 'scope')
 
         # splitting contents and comparing values allows a scope lists with the same contents but different orders to still pass
-        response_scopes_split = response_scope_value.split()
-        expected_scopes_split = standalone_received_scopes.split()
+        response_scopes_split = response_scope_value.split
+        expected_scopes_split = standalone_received_scopes.split
 
-        assert response_scopes_split.length() == expected_scopes_split.length(), 
-          "Failure: number of scopes in introspection response, #{response_scopes_split.length()}, does not match number of scopes in access token response, #{expected_scopes_split.length()}"
+        assert response_scopes_split.length == expected_scopes_split.length,
+               "Failure: number of scopes in introspection response, #{response_scopes_split.length}, does not match number of scopes in access token response, #{expected_scopes_split.length}"
 
         expected_scopes_split.each do |scope|
-          assert response_scopes_split.include?(scope), "Failure: expected scope '#{scope}' not present in introspection response scopes"
+          assert response_scopes_split.include?(scope),
+                 "Failure: expected scope '#{scope}' not present in introspection response scopes"
         end
 
-        # Cannot verify exact value for exp, so instead ensure its value represents a time >= 10 minutes in the past 
+        # Cannot verify exact value for exp, so instead ensure its value represents a time >= 10 minutes in the past
         exp = active_introspection_response_body_parsed['exp']
-        assert exp != nil, "Failure: introspection response has no claim for 'exp'"
-        current_time = Time.now.to_i 
-        assert exp.to_i >= current_time - 600, "Failure: expired token, exp claim of #{exp} for active token is more than 10 minutes in the past"
-        
+        assert !exp.nil?, "Failure: introspection response has no claim for 'exp'"
+        current_time = Time.now.to_i
+        assert exp.to_i >= current_time - 600,
+               "Failure: expired token, exp claim of #{exp} for active token is more than 10 minutes in the past"
+
         # Conditional fields
-        assert_introspection_response_match(active_introspection_response_body_parsed, 'patient', standalone_patient_id) if standalone_patient_id.present?
-        assert_introspection_response_match(active_introspection_response_body_parsed, 'encounter', standalone_encounter_id) if standalone_encounter_id.present?
+        if standalone_patient_id.present?
+          assert_introspection_response_match(active_introspection_response_body_parsed, 'patient',
+                                              standalone_patient_id)
+        end
+        if standalone_encounter_id.present?
+          assert_introspection_response_match(active_introspection_response_body_parsed, 'encounter',
+                                              standalone_encounter_id)
+        end
 
         # ID Token Fields
         if standalone_id_token.present?
-          id_payload, id_header =
-          JWT.decode(
-            standalone_id_token,
-            nil,
-            false
-          )
-         
+          id_payload, =
+            JWT.decode(
+              standalone_id_token,
+              nil,
+              false
+            )
+
           # Required fields if ID token present
           id_token_iss = id_payload['iss']
           id_token_sub = id_payload['sub']
 
-          assert id_token_iss != nil, "Failure: ID token from access token response does not have 'iss' claim"
-          assert id_token_sub != nil, "Failure: ID token from access token response does not have 'sub' claim"
+          assert !id_token_iss.nil?, "Failure: ID token from access token response does not have 'iss' claim"
+          assert !id_token_sub.nil?, "Failure: ID token from access token response does not have 'sub' claim"
           assert_introspection_response_match(active_introspection_response_body_parsed, 'iss', id_token_iss)
           assert_introspection_response_match(active_introspection_response_body_parsed, 'sub', id_token_sub)
 
@@ -151,9 +158,14 @@ module SMARTAppLaunch
           fhirUser_id_claim = id_payload['fhirUser']
           fhirUser_intr_claim = active_introspection_response_body_parsed['fhirUser']
 
-          info do 
-            assert fhirUser_intr_claim != nil, "Introspection response SHOULD include claim for fhirUser because ID token present in access token response" if fhirUser_id_claim != nil
-            assert fhirUser_intr_claim.eql?(fhirUser_id_claim), "Introspection response claim for fhirUser SHOULD match value in ID token" if fhirUser_id_claim != nil
+          info do
+            unless fhirUser_id_claim.nil?
+              assert !fhirUser_intr_claim.nil?,
+                     'Introspection response SHOULD include claim for fhirUser because ID token present in access token response'
+
+              assert fhirUser_intr_claim.eql?(fhirUser_id_claim),
+                     'Introspection response claim for fhirUser SHOULD match value in ID token'
+            end
           end
         end
       end
@@ -180,12 +192,15 @@ module SMARTAppLaunch
             description: 'The JSON body of the token introspection response when provided an INVALID token'
 
       run do
-        skip_if invalid_token_introspection_response_body.nil?, 'No invalid introspection response available to validate.'
+        skip_if invalid_token_introspection_response_body.nil?,
+                'No invalid introspection response available to validate.'
         assert_valid_json(invalid_token_introspection_response_body)
         invalid_token_introspection_response_body_parsed = JSON.parse(invalid_token_introspection_response_body)
-        assert invalid_token_introspection_response_body_parsed['active'] == false, "Failure: expected introspection response for 'active' to be Boolean value false for invalid token"
-        assert invalid_token_introspection_response_body_parsed.size == 1, "Failure: expected only 'active' field to be present in introspection response for invalid token"
+        assert invalid_token_introspection_response_body_parsed['active'] == false,
+               "Failure: expected introspection response for 'active' to be Boolean value false for invalid token"
+        assert invalid_token_introspection_response_body_parsed.size == 1,
+               "Failure: expected only 'active' field to be present in introspection response for invalid token"
       end
     end
   end
-end
+end

data/lib/smart_app_launch/token_refresh_body_test.rb

@@ -15,7 +15,8 @@ module SMARTAppLaunch
       Scopes returned must be a strict subset of the scopes granted in the original launch.
     )
     input :received_scopes
-    output :refresh_token, :access_token, :token_retrieval_time, :expires_in, :received_scopes
+    input :smart_auth_info, type: :auth_info, options: { mode: 'auth' }
+    output :refresh_token, :access_token, :token_retrieval_time, :expires_in, :received_scopes, :smart_auth_info
     uses_request :token_refresh
 
     run do
@@ -25,16 +26,22 @@ module SMARTAppLaunch
 
       body = JSON.parse(response[:body])
       output refresh_token: body['refresh_token'] if body.key? 'refresh_token'
+      smart_auth_info.refresh_token = refresh_token if refresh_token.present?
 
       required_fields = ['access_token', 'token_type', 'expires_in', 'scope']
       validate_required_fields_present(body, required_fields)
 
       old_received_scopes = received_scopes
+      smart_auth_info.issue_time = Time.now
       output access_token: body['access_token'],
-             token_retrieval_time: Time.now.iso8601,
+             token_retrieval_time: smart_auth_info.issue_time.iso8601,
              expires_in: body['expires_in'],
              received_scopes: body['scope']
 
+      smart_auth_info.access_token = access_token
+      smart_auth_info.expires_in = expires_in
+      output smart_auth_info: smart_auth_info
+
       validate_token_field_types(body)
       validate_token_type(body)
 

data/lib/smart_app_launch/token_refresh_stu2_test.rb

@@ -16,30 +16,23 @@ module SMARTAppLaunch
       the Pragma response header field with a value of no-cache to be
       consistent with the requirements of the inital access token exchange.
     )
-    input :client_auth_type
-    input :client_auth_encryption_method, optional: true
-    input :client_secret, optional: true
 
-    def add_credentials_to_request(oauth2_headers, oauth2_params)
-      case client_auth_type
-      when 'public'
-        oauth2_params['client_id'] = client_id
-      when 'confidential_symmetric'
-        assert client_secret.present?,
-               "A client secret must be provided when using confidential symmetric client authentication."
+    input :smart_auth_info, type: :auth_info, options: { mode: 'auth' }
 
-        credentials = Base64.strict_encode64("#{client_id}:#{client_secret}")
-        oauth2_headers['Authorization'] = "Basic #{credentials}"
-      when 'confidential_asymmetric'
+    def add_credentials_to_request(oauth2_headers, oauth2_params)
+      if smart_auth_info.asymmetric_auth?
         oauth2_params.merge!(
           client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
           client_assertion: ClientAssertionBuilder.build(
-            iss: client_id,
-            sub: client_id,
-            aud: smart_token_url,
-            client_auth_encryption_method: client_auth_encryption_method
+            iss: smart_auth_info.client_id,
+            sub: smart_auth_info.client_id,
+            aud: smart_auth_info.token_url,
+            client_auth_encryption_method: smart_auth_info.encryption_algorithm,
+            custom_jwks: smart_auth_info.jwks
           )
         )
+      else
+        super
       end
     end
   end

data/lib/smart_app_launch/token_refresh_test.rb

@@ -16,17 +16,18 @@ module SMARTAppLaunch
       the Pragma response header field with a value of no-cache to be
       consistent with the requirements of the inital access token exchange.
     )
-    input :smart_token_url, :refresh_token, :client_id, :received_scopes
-    input :client_secret, optional: true
-    output :smart_credentials, :token_retrieval_time
+    input :received_scopes
+    input :smart_auth_info, type: :auth_info, options: { mode: 'auth' }
+
+    output :smart_credentials, :token_retrieval_time, :smart_auth_info
     makes_request :token_refresh
 
     def add_credentials_to_request(oauth2_headers, oauth2_params)
-      if client_secret.present?
-        credentials = Base64.strict_encode64("#{client_id}:#{client_secret}")
+      if smart_auth_info.symmetric_auth?
+        credentials = Base64.strict_encode64("#{smart_auth_info.client_id}:#{smart_auth_info.client_secret}")
         oauth2_headers['Authorization'] = "Basic #{credentials}"
       else
-        oauth2_params['client_id'] = client_id
+        oauth2_params['client_id'] = smart_auth_info.client_id
       end
     end
 
@@ -35,11 +36,11 @@ module SMARTAppLaunch
     end
 
     run do
-      skip_if refresh_token.blank?
+      skip_if smart_auth_info.refresh_token.blank?
 
       oauth2_params = {
         'grant_type' => 'refresh_token',
-        'refresh_token' => refresh_token
+        'refresh_token' => smart_auth_info.refresh_token
       }
       oauth2_headers = { 'Content-Type' => 'application/x-www-form-urlencoded' }
 
@@ -47,23 +48,21 @@ module SMARTAppLaunch
 
       add_credentials_to_request(oauth2_headers, oauth2_params)
 
-      make_auth_token_request(smart_token_url, oauth2_params, oauth2_headers)
+      make_auth_token_request(smart_auth_info.token_url, oauth2_params, oauth2_headers)
 
       assert_response_status(200)
       assert_valid_json(request.response_body)
 
-      output token_retrieval_time: Time.now.iso8601
-
+      smart_auth_info.issue_time = Time.now
       token_response_body = JSON.parse(request.response_body)
-      output smart_credentials: {
-        refresh_token: token_response_body['refresh_token'].presence || refresh_token,
-        access_token: token_response_body['access_token'],
-        expires_in: token_response_body['expires_in'],
-        client_id:,
-        client_secret:,
-        token_retrieval_time:,
-        token_url: smart_token_url
-      }.to_json
+
+      smart_auth_info.refresh_token = token_response_body['refresh_token'].presence || smart_auth_info.refresh_token
+      smart_auth_info.access_token = token_response_body['access_token']
+      smart_auth_info.expires_in = token_response_body['expires_in']
+
+      output smart_credentials: smart_auth_info,
+             token_retrieval_time: smart_auth_info.issue_time.iso8601,
+             smart_auth_info: smart_auth_info
     end
   end
 end

data/lib/smart_app_launch/token_response_body_test.rb

@@ -16,7 +16,7 @@ module SMARTAppLaunch
     )
     id :smart_token_response_body
 
-    input :requested_scopes
+    input :smart_auth_info, type: :auth_info, options: { mode: 'auth' }
     output :id_token,
            :refresh_token,
            :access_token,
@@ -24,7 +24,9 @@ module SMARTAppLaunch
            :patient_id,
            :encounter_id,
            :received_scopes,
-           :intent
+           :intent,
+           :smart_auth_info
+
     uses_request :token
 
     run do
@@ -33,6 +35,10 @@ module SMARTAppLaunch
       assert_valid_json(request.response_body)
       token_response_body = JSON.parse(request.response_body)
 
+      smart_auth_info.refresh_token = token_response_body['refresh_token']
+      smart_auth_info.access_token = token_response_body['access_token']
+      smart_auth_info.expires_in = token_response_body['expires_in']
+
       output id_token: token_response_body['id_token'],
              refresh_token: token_response_body['refresh_token'],
              access_token: token_response_body['access_token'],
@@ -40,12 +46,16 @@ module SMARTAppLaunch
              patient_id: token_response_body['patient'],
              encounter_id: token_response_body['encounter'],
              received_scopes: token_response_body['scope'],
-             intent: token_response_body['intent']
+             intent: token_response_body['intent'],
+             smart_auth_info: smart_auth_info
 
       validate_required_fields_present(token_response_body, ['access_token', 'token_type', 'expires_in', 'scope'])
       validate_token_field_types(token_response_body)
       validate_token_type(token_response_body)
-      check_for_missing_scopes(requested_scopes, token_response_body) unless config.options[:ignore_missing_scopes_check]
+      unless config.options[:ignore_missing_scopes_check]
+        check_for_missing_scopes(smart_auth_info.requested_scopes,
+                                 token_response_body)
+      end
 
       assert access_token.present?, 'Token response did not contain an access token'
       assert token_response_body['token_type']&.casecmp('Bearer')&.zero?,

data/lib/smart_app_launch/token_response_body_test_stu2_2.rb

@@ -14,7 +14,7 @@ module SMARTAppLaunch
     )
     id :smart_token_response_body_stu2_2
 
-    input :requested_scopes
+    input :smart_auth_info, type: :auth_info, options: { mode: 'auth' }
     output :id_token,
            :refresh_token,
            :access_token,
@@ -22,7 +22,8 @@ module SMARTAppLaunch
            :patient_id,
            :encounter_id,
            :received_scopes,
-           :intent
+           :intent,
+           :smart_auth_info
     uses_request :token
 
     def validate_fhir_context(fhir_context)

data/lib/smart_app_launch/version.rb

@@ -1,4 +1,4 @@
 module SMARTAppLaunch
-  VERSION = '0.5.1'.freeze
-  LAST_UPDATED = '2025-03-07'.freeze
+  VERSION = '0.6.0'.freeze
+  LAST_UPDATED = '2025-03-14'.freeze
 end

data/lib/smart_app_launch/well_known_endpoint_test.rb

@@ -13,6 +13,8 @@ module SMARTAppLaunch
     input :url,
           title: 'FHIR Endpoint',
           description: 'URL of the FHIR endpoint used by SMART applications'
+    input :smart_auth_info,
+          type: :auth_info
 
     output :well_known_configuration,
            :well_known_authorization_url,
@@ -20,7 +22,8 @@ module SMARTAppLaunch
            :well_known_management_url,
            :well_known_registration_url,
            :well_known_revocation_url,
-           :well_known_token_url
+           :well_known_token_url,
+           :smart_auth_info
     makes_request :smart_well_known_configuration
 
     run do
@@ -46,6 +49,13 @@ module SMARTAppLaunch
              well_known_revocation_url: make_url_absolute(base_url, config['revocation_endpoint']),
              well_known_token_url: make_url_absolute(base_url, config['token_endpoint'])
 
+      if smart_auth_info.use_discovery
+        smart_auth_info.auth_url = well_known_authorization_url
+        smart_auth_info.token_url = well_known_token_url
+
+        output smart_auth_info: smart_auth_info
+      end
+
       content_type = request.response_header('Content-Type')&.value
 
       assert content_type.present?, 'No `Content-Type` header received.'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: smart_app_launch_test_kit
 version: !ruby/object:Gem::Version
-  version: 0.5.1
+  version: 0.6.0
 platform: ruby
 authors:
 - Stephen MacVicar
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-03-07 00:00:00.000000000 Z
+date: 2025-03-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inferno_core
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.6.2
+        version: 0.6.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.6.2
+        version: 0.6.3
 - !ruby/object:Gem::Dependency
   name: json-jwt
   requirement: !ruby/object:Gem::Requirement
@@ -203,6 +203,7 @@ files:
 - lib/smart_app_launch/smart_stu1_suite.rb
 - lib/smart_app_launch/smart_stu2_2_suite.rb
 - lib/smart_app_launch/smart_stu2_suite.rb
+- lib/smart_app_launch/smart_tls_test.rb
 - lib/smart_app_launch/standalone_launch_group.rb
 - lib/smart_app_launch/standalone_launch_group_stu2.rb
 - lib/smart_app_launch/standalone_launch_group_stu2_2.rb