smart_app_launch_test_kit 0.5.1 → 0.6.1

data/lib/smart_app_launch/backend_services_authorization_request_builder.rb

@@ -7,8 +7,18 @@ module SMARTAppLaunch
       new(...).authorization_request
     end
 
-    attr_reader :encryption_method, :scope, :iss, :sub, :aud, :content_type, :grant_type, :client_assertion_type, :exp,
-                :jti, :kid
+    attr_reader :encryption_method,
+                :scope,
+                :iss,
+                :sub,
+                :aud,
+                :content_type,
+                :grant_type,
+                :client_assertion_type,
+                :exp,
+                :jti,
+                :kid,
+                :custom_jwks
 
     def initialize(
       encryption_method:,
@@ -21,7 +31,8 @@ module SMARTAppLaunch
       client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
       exp: 5.minutes.from_now,
       jti: SecureRandom.hex(32),
-      kid: nil
+      kid: nil,
+      custom_jwks: nil
     )
       @encryption_method = encryption_method
       @scope = scope
@@ -34,6 +45,7 @@ module SMARTAppLaunch
       @exp = exp
       @jti = jti
       @kid = kid
+      @custom_jwks = custom_jwks
     end
 
     def authorization_request_headers
@@ -54,13 +66,14 @@ module SMARTAppLaunch
 
     def client_assertion
       @client_assertion ||= ClientAssertionBuilder.build(
-          client_auth_encryption_method: encryption_method, 
-          iss: iss,
-          sub: sub,
-          aud: aud,
+          client_auth_encryption_method: encryption_method,
+          iss:,
+          sub:,
+          aud:,
           exp: exp.to_i,
-          jti: jti,
-          kid: kid
+          jti:,
+          kid:,
+          custom_jwks:
           )
     end
 

data/lib/smart_app_launch/backend_services_authorization_request_success_test.rb

@@ -1,8 +1,8 @@
 require_relative 'backend_services_authorization_request_builder'
 require_relative 'backend_services_authorization_group'
 
-module SMARTAppLaunch 
-  class BackendServicesAuthorizationRequestSuccessTest < Inferno::Test 
+module SMARTAppLaunch
+  class BackendServicesAuthorizationRequestSuccessTest < Inferno::Test
     id :smart_backend_services_auth_request_success
     title 'Authorization request succeeds when supplied correct information'
     description <<~DESCRIPTION
@@ -10,32 +10,40 @@ module SMARTAppLaunch
       states "If the access token request is valid and authorized, the authorization server SHALL issue an access token in response."
     DESCRIPTION
 
-    input :client_auth_encryption_method, 
-          :backend_services_requested_scope, 
-          :backend_services_client_id, 
-          :smart_token_url
-    input :backend_services_jwks_kid,
-          optional: true
-
-    output :authentication_response
-
-    http_client :token_endpoint do
-      url :smart_token_url
-    end
+    input :smart_auth_info,
+          type: :auth_info,
+          options: {
+            mode: 'auth',
+            components: [
+              {
+                name: :auth_type,
+                default: 'backend_services',
+                locked: 'true'
+              }
+            ]
+          }
+
+    output :authentication_response, :smart_auth_info
 
     run do
-      post_request_content = BackendServicesAuthorizationRequestBuilder.build(encryption_method: client_auth_encryption_method,
-                                                                scope: backend_services_requested_scope,
-                                                                iss: backend_services_client_id,
-                                                                sub: backend_services_client_id,
-                                                                aud: smart_token_url,
-                                                                kid: backend_services_jwks_kid)
-
-      authentication_response = post(**{ client: :token_endpoint }.merge(post_request_content))
+      post_request_content = BackendServicesAuthorizationRequestBuilder.build(
+        encryption_method: smart_auth_info.encryption_algorithm,
+        scope: smart_auth_info.requested_scopes,
+        iss: smart_auth_info.client_id,
+        sub: smart_auth_info.client_id,
+        aud: smart_auth_info.token_url,
+        kid: smart_auth_info.kid,
+        custom_jwks: smart_auth_info.jwks
+      )
+
+      authentication_response = post(smart_auth_info.token_url, **post_request_content)
 
       assert_response_status([200, 201])
 
-      output authentication_response: authentication_response.response_body
+      smart_auth_info.issue_time = Time.now
+
+      output authentication_response: authentication_response.response_body,
+             smart_auth_info: smart_auth_info
     end
   end
-end
+end

data/lib/smart_app_launch/backend_services_authorization_response_body_test.rb

@@ -1,7 +1,7 @@
 require_relative 'backend_services_authorization_request_builder'
 
-module SMARTAppLaunch 
-  class BackendServicesAuthorizationResponseBodyTest < Inferno::Test 
+module SMARTAppLaunch
+  class BackendServicesAuthorizationResponseBodyTest < Inferno::Test
     id :smart_backend_services_auth_response_body
     title 'Authorization request response body contains required information encoded in JSON'
     description <<~DESCRIPTION
@@ -17,7 +17,19 @@ module SMARTAppLaunch
     DESCRIPTION
 
     input :authentication_response
-    output :bearer_token
+    input :smart_auth_info,
+          type: :auth_info,
+          options: {
+            mode: 'auth',
+            components: [
+              {
+                name: :auth_type,
+                default: 'backend_services',
+                locked: 'true'
+              }
+            ]
+          }
+    output :bearer_token, :smart_auth_info, :received_scopes
 
     run do
       skip_if authentication_response.blank?, 'No authentication response received.'
@@ -26,9 +38,15 @@ module SMARTAppLaunch
       response_body = JSON.parse(authentication_response)
 
       access_token = response_body['access_token']
+      received_scopes = response_body['scope']
+      expires_in = response_body['expires_in']
+
       assert access_token.present?, 'Token response did not contain access_token as required'
 
-      output bearer_token: access_token
+      smart_auth_info.access_token = access_token
+      smart_auth_info.expires_in = expires_in
+
+      output bearer_token: access_token, smart_auth_info: smart_auth_info, received_scopes: received_scopes
 
       required_keys = ['token_type', 'expires_in', 'scope']
 
@@ -37,4 +55,4 @@ module SMARTAppLaunch
       end
     end
   end
-end
+end

data/lib/smart_app_launch/backend_services_invalid_client_assertion_test.rb

@@ -1,45 +1,50 @@
 require_relative 'backend_services_authorization_request_builder'
 
-module SMARTAppLaunch 
-  class BackendServicesInvalidClientAssertionTest < Inferno::Test 
+module SMARTAppLaunch
+  class BackendServicesInvalidClientAssertionTest < Inferno::Test
     id :smart_backend_services_invalid_client_assertion
     title 'Authorization request fails when supplied invalid client_assertion_type'
     description <<~DESCRIPTION
       The [SMART App Launch 2.0.0 IG specification for Backend Services](https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-1)
-      defines the required fields for the authorization request, made via HTTP POST to authorization 
+      defines the required fields for the authorization request, made via HTTP POST to authorization
       token endpoint.
       This includes the `client_assertion_type` parameter, where the value must be `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`.
 
-      The [OAuth 2.0 Authorization Framework Section 4.3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3.3) 
+      The [OAuth 2.0 Authorization Framework Section 4.3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3.3)
       describes the proper response for an invalid request in the client credentials grant flow:
 
       "If the request failed client authentication or is invalid, the authorization server returns an
       error response as described in [Section 5.2](https://tools.ietf.org/html/rfc6749#section-5.2)."
     DESCRIPTION
 
-    input :client_auth_encryption_method, 
-          :backend_services_requested_scope, 
-          :backend_services_client_id, 
-          :smart_token_url
-    input :backend_services_jwks_kid, 
-          optional: true
-
-    http_client :token_endpoint do
-      url :smart_token_url
-    end
+    input :smart_auth_info,
+          type: :auth_info,
+          options: {
+            mode: 'auth',
+            components: [
+              {
+                name: :auth_type,
+                default: 'backend_services',
+                locked: 'true'
+              }
+            ]
+          }
 
     run do
-      post_request_content = BackendServicesAuthorizationRequestBuilder.build(encryption_method: client_auth_encryption_method,
-                                                                  scope: backend_services_requested_scope,
-                                                                  iss: backend_services_client_id,
-                                                                  sub: backend_services_client_id,
-                                                                  aud: smart_token_url,
-                                                                  client_assertion_type: 'not_an_assertion_type',
-                                                                  kid: backend_services_jwks_kid)
-
-      post(**{ client: :token_endpoint }.merge(post_request_content))
+      post_request_content = BackendServicesAuthorizationRequestBuilder.build(
+        encryption_method: smart_auth_info.encryption_algorithm,
+        scope: smart_auth_info.requested_scopes,
+        iss: smart_auth_info.client_id,
+        sub: smart_auth_info.client_id,
+        aud: smart_auth_info.token_url,
+        client_assertion_type: 'not_an_assertion_type',
+        kid: smart_auth_info.kid,
+        custom_jwks: smart_auth_info.jwks
+      )
+
+      post(smart_auth_info.token_url, **post_request_content)
 
       assert_response_status(400)
-    end 
+    end
   end
-end
+end

data/lib/smart_app_launch/backend_services_invalid_grant_type_test.rb

@@ -1,45 +1,51 @@
 require_relative 'backend_services_authorization_request_builder'
 
-module SMARTAppLaunch 
-  class BackendServicesInvalidGrantTypeTest < Inferno::Test 
+module SMARTAppLaunch
+  class BackendServicesInvalidGrantTypeTest < Inferno::Test
     id :smart_backend_services_invalid_grant_type
     title 'Authorization request fails when client supplies invalid grant_type'
     description <<~DESCRIPTION
       The [SMART App Launch 2.0.0 IG section on Backend Services](https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-1)
-      defines the required fields for the authorization request, made via HTTP POST to authorization 
+      defines the required fields for the authorization request, made via HTTP POST to authorization
       token endpoint.
       This includes the `grant_type` parameter, where the value must be `client_credentials`.
 
-      The [OAuth 2.0 Authorization Framework Section 4.3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3.3) 
+      The [OAuth 2.0 Authorization Framework Section 4.3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3.3)
       describes the proper response for an invalid request in the client credentials grant flow:
 
       "If the request failed client authentication or is invalid, the authorization server returns an
       error response as described in [Section 5.2](https://tools.ietf.org/html/rfc6749#section-5.2)."
     DESCRIPTION
 
-    input :client_auth_encryption_method, 
-          :backend_services_requested_scope, 
-          :backend_services_client_id, 
-          :smart_token_url
-    input :backend_services_jwks_kid,
-          optional: true
+    input :smart_auth_info,
+          type: :auth_info,
+          options: {
+            mode: 'auth',
+            components: [
+              {
+                name: :auth_type,
+                default: 'backend_services',
+                locked: 'true'
+              }
+            ]
+          }
 
-    http_client :token_endpoint do
-      url :smart_token_url
-    end
 
     run do
-      post_request_content = BackendServicesAuthorizationRequestBuilder.build(encryption_method: client_auth_encryption_method,
-                                                              scope: backend_services_requested_scope,
-                                                              iss: backend_services_client_id,
-                                                              sub: backend_services_client_id,
-                                                              aud: smart_token_url,
-                                                              grant_type: 'not_a_grant_type',
-                                                              kid: backend_services_jwks_kid)
-
-      post(**{ client: :token_endpoint }.merge(post_request_content))
+      post_request_content = BackendServicesAuthorizationRequestBuilder.build(
+        encryption_method: smart_auth_info.encryption_algorithm,
+        scope: smart_auth_info.requested_scopes,
+        iss: smart_auth_info.client_id,
+        sub: smart_auth_info.client_id,
+        aud: smart_auth_info.token_url,
+        grant_type: 'not_a_grant_type',
+        kid: smart_auth_info.kid,
+        custom_jwks: smart_auth_info.jwks
+      )
+
+      post(smart_auth_info.token_url, **post_request_content)
 
       assert_response_status(400)
-    end 
+    end
   end
-end
+end

data/lib/smart_app_launch/backend_services_invalid_jwt_test.rb

@@ -1,15 +1,15 @@
 require_relative 'backend_services_authorization_request_builder'
 
-module SMARTAppLaunch 
-  class BackendServicesInvalidJWTTest < Inferno::Test 
+module SMARTAppLaunch
+  class BackendServicesInvalidJWTTest < Inferno::Test
     id :smart_backend_services_invalid_jwt
     title 'Authorization request fails when client supplies invalid JWT token'
     description <<~DESCRIPTION
       The [SMART App Launch 2.0.0 IG section on Backend Services](https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-1)
-      defines the required fields for the authorization request, made via HTTP POST to authorization 
+      defines the required fields for the authorization request, made via HTTP POST to authorization
       token endpoint.
       This includes the `client_assertion` parameter, where the value must be
-      a valid JWT as specified in 
+      a valid JWT as specified in
       [Asymmetric (public key) Client Authentication](https://hl7.org/fhir/smart-app-launch/STU2/client-confidential-asymmetric.html#authenticating-to-the-token-endpoint)
       The JWT SHALL include the following claims, and SHALL be signed with the client’s private key.
 
@@ -21,36 +21,41 @@ module SMARTAppLaunch
       | `exp` | required | Expiration time integer for this authentication JWT, expressed in seconds since the "Epoch" (1970-01-01T00:00:00Z UTC). This time SHALL be no more than five minutes in the future. |
       | `jti` | required | A nonce string value that uniquely identifies this authentication JWT. |
 
-      The [OAuth 2.0 Authorization Framework Section 4.3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3.3) 
+      The [OAuth 2.0 Authorization Framework Section 4.3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3.3)
       describes the proper response for an invalid request in the client credentials grant flow:
 
       "If the request failed client authentication or is invalid, the authorization server returns an
       error response as described in [Section 5.2](https://tools.ietf.org/html/rfc6749#section-5.2)."
     DESCRIPTION
 
-    input :client_auth_encryption_method, 
-          :backend_services_requested_scope, 
-          :backend_services_client_id, 
-          :smart_token_url
-    input :backend_services_jwks_kid,
-          optional: true
+    input :smart_auth_info,
+          type: :auth_info,
+          options: {
+            mode: 'auth',
+            components: [
+              {
+                name: :auth_type,
+                default: 'backend_services',
+                locked: 'true'
+              }
+            ]
+          }
 
-    http_client :token_endpoint do
-      url :smart_token_url
-    end
-      
     run do
-      post_request_content = BackendServicesAuthorizationRequestBuilder.build(encryption_method: client_auth_encryption_method,
-                                                                scope: backend_services_requested_scope,
-                                                                iss: backend_services_client_id,
-                                                                sub: backend_services_client_id,
-                                                                aud: smart_token_url,
-                                                                client_assertion_type: 'not_an_assertion_type',
-                                                                kid: backend_services_jwks_kid)
-
-      post(**{ client: :token_endpoint }.merge(post_request_content))
+      post_request_content = BackendServicesAuthorizationRequestBuilder.build(
+        encryption_method: smart_auth_info.encryption_algorithm,
+        scope: smart_auth_info.requested_scopes,
+        iss: smart_auth_info.client_id,
+        sub: smart_auth_info.client_id,
+        aud: smart_auth_info.token_url,
+        client_assertion_type: 'not_an_assertion_type',
+        kid: smart_auth_info.kid,
+        custom_jwks: smart_auth_info.jwks
+      )
+
+      post(smart_auth_info.token_url, **post_request_content)
 
       assert_response_status(400)
-    end 
+    end
   end
-end
+end

data/lib/smart_app_launch/client_assertion_builder.rb

@@ -17,7 +17,8 @@ module SMARTAppLaunch
                 :iss,
                 :jti,
                 :sub,
-                :kid
+                :kid,
+                :custom_jwks
 
     def initialize(
       client_auth_encryption_method:,
@@ -26,7 +27,8 @@ module SMARTAppLaunch
       aud:,
       exp: 5.minutes.from_now.to_i,
       jti: SecureRandom.hex(32),
-      kid: nil
+      kid: nil,
+      custom_jwks: nil
     )
       @client_auth_encryption_method = client_auth_encryption_method
       @iss = iss
@@ -37,14 +39,25 @@ module SMARTAppLaunch
       @client_assertion_type = client_assertion_type
       @exp = exp
       @jti = jti
-      @kid = kid
+      @kid = kid.presence
+      @custom_jwks = custom_jwks
+    end
+
+    def jwks
+      @jwks ||=
+        if custom_jwks.present?
+          JWT::JWK::Set.new(JSON.parse(custom_jwks))
+        else
+          JWKS.jwks
+        end
     end
 
     def private_key
-      @private_key ||= JWKS.jwks
-        .select { |key| key[:key_ops]&.include?('sign') }
-        .select { |key| key[:alg] == client_auth_encryption_method }
-        .find { |key| !kid || key[:kid] == kid }
+      @private_key ||=
+        jwks
+          .select { |key| key[:key_ops]&.include?('sign') }
+          .select { |key| key[:alg] == client_auth_encryption_method }
+          .find { |key| !kid || key[:kid] == kid }
     end
 
     def jwt_payload
@@ -52,11 +65,12 @@ module SMARTAppLaunch
     end
 
     def signing_key
-      private_key()
-      if @private_key.nil?
-        raise Inferno::Exceptions::AssertionException, "No signing key found for inputs: encryption method = '#{client_auth_encryption_method}' and kid = '#{kid}'"
+      if private_key.nil?
+        raise Inferno::Exceptions::AssertionException,
+              "No signing key found for inputs: encryption method = '#{client_auth_encryption_method}' and kid = '#{kid}'"
       end
-      return @private_key.signing_key
+
+      @private_key.signing_key
     end
 
     def key_id
@@ -65,7 +79,8 @@ module SMARTAppLaunch
 
     def client_assertion
       @client_assertion ||=
-        JWT.encode jwt_payload, signing_key, client_auth_encryption_method, { alg: client_auth_encryption_method, kid: key_id, typ: 'JWT' }
+        JWT.encode jwt_payload, signing_key, client_auth_encryption_method,
+                   { alg: client_auth_encryption_method, kid: key_id, typ: 'JWT' }
     end
   end
 end

data/lib/smart_app_launch/client_stu2_2_suite.rb

@@ -0,0 +1,79 @@
+require_relative 'endpoints/mock_smart_server/token'
+require_relative 'endpoints/echoing_fhir_responder'
+require_relative 'urls'
+require_relative 'client_suite/client_registration_group'
+require_relative 'client_suite/client_access_group'
+
+module SMARTAppLaunch
+  class SMARTClientSTU22Suite < Inferno::TestSuite
+    id :smart_client_stu2_2 # rubocop:disable Naming/VariableNumber
+    title 'SMART App Launch STU2.2 Client'
+    description File.read(File.join(__dir__, 'docs', 'smart_stu2_2_client_suite_description.md'))
+
+    links [
+      {
+        type: 'source_code',
+        label: 'Open Source',
+        url: 'https://github.com/inferno-framework/smart-app-launch-test-kit/'
+      },
+      {
+        type: 'report_issue',
+        label: 'Report Issue',
+        url: 'https://github.com/inferno-framework/smart-app-launch-test-kit/issues/'
+      },
+      {
+        type: 'download',
+        label: 'Download',
+        url: 'https://github.com/inferno-framework/smart-app-launch-test-kit/releases/'
+      },
+      {
+        type: 'ig',
+        label: 'Implementation Guide',
+        url: 'https://hl7.org/fhir/smart-app-launch/STU2.2/'
+      }
+    ]
+
+    route(:get, SMART_DISCOVERY_PATH, ->(_env) {MockSMARTServer.smart_server_metadata(id) }) 
+    suite_endpoint :post, TOKEN_PATH, MockSMARTServer::TokenEndpoint
+    suite_endpoint :get, FHIR_PATH, EchoingFHIRResponderEndpoint
+    suite_endpoint :post, FHIR_PATH, EchoingFHIRResponderEndpoint
+    suite_endpoint :put, FHIR_PATH, EchoingFHIRResponderEndpoint
+    suite_endpoint :delete, FHIR_PATH, EchoingFHIRResponderEndpoint
+    suite_endpoint :get, "#{FHIR_PATH}/:one", EchoingFHIRResponderEndpoint
+    suite_endpoint :post, "#{FHIR_PATH}/:one", EchoingFHIRResponderEndpoint
+    suite_endpoint :put, "#{FHIR_PATH}/:one", EchoingFHIRResponderEndpoint
+    suite_endpoint :delete, "#{FHIR_PATH}/:one", EchoingFHIRResponderEndpoint
+    suite_endpoint :get, "#{FHIR_PATH}/:one/:two", EchoingFHIRResponderEndpoint
+    suite_endpoint :post, "#{FHIR_PATH}/:one/:two", EchoingFHIRResponderEndpoint
+    suite_endpoint :put, "#{FHIR_PATH}/:one/:two", EchoingFHIRResponderEndpoint
+    suite_endpoint :delete, "#{FHIR_PATH}/:one/:two", EchoingFHIRResponderEndpoint
+    suite_endpoint :get, "#{FHIR_PATH}/:one/:two/:three", EchoingFHIRResponderEndpoint
+    suite_endpoint :post, "#{FHIR_PATH}/:one/:two/:three", EchoingFHIRResponderEndpoint
+    suite_endpoint :put, "#{FHIR_PATH}/:one/:two/:three", EchoingFHIRResponderEndpoint
+    suite_endpoint :delete, "#{FHIR_PATH}/:one/:two/:three", EchoingFHIRResponderEndpoint
+
+    resume_test_route :get, RESUME_PASS_PATH do |request|
+      request.query_parameters['token']
+    end
+
+    resume_test_route :get, RESUME_FAIL_PATH, result: 'fail' do |request|
+      request.query_parameters['token']
+    end
+
+    group do
+      title 'SMART Backend Services'
+      description %(
+        During these tests, the client will use SMART Backend Services
+        to access a FHIR API. Clients will provide registeration details,
+        obtain an access token, and use the access token when making a
+        request to a FHIR API.
+      )
+
+      input :smart_jwk_set,
+            optional: false
+
+      group from: :smart_client_registration
+      group from: :smart_client_access
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/client_access_group.rb

@@ -0,0 +1,26 @@
+require_relative 'client_access_interaction_test'
+require_relative 'client_token_request_verification_test'
+require_relative 'client_token_use_verification_test'
+
+module SMARTAppLaunch
+  class SMARTClientAccess < Inferno::TestGroup
+    id :smart_client_access
+    title 'Client Access'
+    description %(
+      During these tests, the client system will access Inferno's simulated
+      FHIR server by requesting an access token and making a FHIR request.
+      Inferno will then verify that any token requests made were conformant
+      and that a token returned from a token request was used on an access request.
+    )
+
+    run_as_group
+
+    input :smart_jwk_set,
+          optional: true,
+          locked: true
+
+    test from: :smart_client_access_interaction
+    test from: :smart_client_token_request_verification
+    test from: :smart_client_token_use_verification
+  end
+end