smart_app_launch_test_kit 0.5.1 → 0.6.1

data/lib/smart_app_launch/ehr_launch_group.rb

@@ -40,23 +40,35 @@ module SMARTAppLaunch
 
     config(
       inputs: {
-        client_id: {
-          name: :ehr_client_id,
-          title: 'EHR Launch Client ID',
-          description: 'Client ID provided during registration of Inferno as an EHR launch application'
-        },
-        client_secret: {
-          name: :ehr_client_secret,
-          title: 'EHR Launch Client Secret',
-          description: 'Client Secret provided during registration of Inferno as an EHR launch application. ' \
-                       'Only for clients using confidential symmetric authentication.'
-        },
-        requested_scopes: {
-          name: :ehr_requested_scopes,
-          title: 'EHR Launch Scope',
-          description: 'OAuth 2.0 scope provided by system to enable all required functionality',
-          type: 'textarea',
-          default: 'launch openid fhirUser offline_access user/*.read'
+        smart_auth_info: {
+          name: :ehr_smart_auth_info,
+          title: 'EHR Launch Credentials',
+          options: {
+            components: [
+              {
+                name: :auth_type,
+                options: {
+                  list_options: [
+                    { label: 'Public', value: 'public' },
+                    { label: 'Confidential Symmetric', value: 'symmetric' }
+                  ]
+                }
+              },
+              {
+                name: :requested_scopes,
+                default: 'launch openid fhirUser offline_access user/*.read'
+              },
+              {
+                name: :use_discovery,
+                locked: true
+              },
+              {
+                name: :auth_request_method,
+                default: 'GET',
+                locked: true
+              }
+            ]
+          }
         },
         url: {
           title: 'EHR Launch FHIR Endpoint',
@@ -88,7 +100,8 @@ module SMARTAppLaunch
         encounter_id: { name: :ehr_encounter_id },
         received_scopes: { name: :ehr_received_scopes },
         intent: { name: :ehr_intent },
-        smart_credentials: { name: :ehr_smart_credentials }
+        smart_credentials: { name: :ehr_smart_credentials },
+        smart_auth_info: { name: :ehr_smart_auth_info }
       },
       requests: {
         launch: { name: :ehr_launch },
@@ -99,7 +112,7 @@ module SMARTAppLaunch
 
     test from: :smart_app_launch
     test from: :smart_launch_received
-    test from: :tls_version_test,
+    test from: :smart_tls,
          id: :ehr_auth_tls,
          title: 'OAuth 2.0 authorize endpoint secured by transport layer security',
          description: %(
@@ -108,14 +121,16 @@ module SMARTAppLaunch
            servers, over TLS-secured channels.
          ),
          config: {
-           inputs: { url: { name: :smart_authorization_url } },
-           options: {  minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION }
+           options: {
+             minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION,
+             smart_endpoint_key: :auth_url
+           }
          }
     test from: :smart_app_redirect do
       input :launch
     end
     test from: :smart_code_received
-    test from: :tls_version_test,
+    test from: :smart_tls,
          id: :ehr_token_tls,
          title: 'OAuth 2.0 token endpoint secured by transport layer security',
          description: %(
@@ -124,8 +139,10 @@ module SMARTAppLaunch
            servers, over TLS-secured channels.
          ),
          config: {
-           inputs: { url: { name: :smart_token_url } },
-           options: {  minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION }
+           options: {
+             minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION,
+             smart_endpoint_key: :token_url
+           }
          }
     test from: :smart_token_exchange
     test from: :smart_token_response_body

data/lib/smart_app_launch/ehr_launch_group_stu2.rb

@@ -33,16 +33,32 @@ module SMARTAppLaunch
 
     config(
       inputs: {
-        use_pkce: {
-          default: 'true',
-          locked: true
-        },
-        pkce_code_challenge_method: {
-          default: 'S256',
-          locked: true
-        },
-        requested_scopes: {
-          default: 'launch openid fhirUser offline_access user/*.rs'
+        smart_auth_info: {
+          name: :ehr_smart_auth_info,
+          title: 'EHR Launch Credentials',
+          options: {
+            components: [
+              {
+                name: :requested_scopes,
+                default: 'launch openid fhirUser offline_access patient/*.rs'
+              },
+              {
+                name: :pkce_support,
+                default: 'enabled',
+                locked: true
+              },
+              {
+                name: :pkce_code_challenge_method,
+                default: 'S256',
+                locked: true
+              },
+              Inferno::DSL::AuthInfo.default_auth_type_component_without_backend_services,
+              {
+                name: :use_discovery,
+                locked: true
+              }
+            ]
+          }
         }
       }
     )

data/lib/smart_app_launch/ehr_launch_group_stu2_2.rb

@@ -32,22 +32,6 @@ module SMARTAppLaunch
       * [SMART EHR Launch Sequence](http://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#launch-app-ehr-launch)
     )
 
-    config(
-      inputs: {
-        use_pkce: {
-          default: 'true',
-          locked: true
-        },
-        pkce_code_challenge_method: {
-          default: 'S256',
-          locked: true
-        },
-        requested_scopes: {
-          default: 'launch openid fhirUser offline_access user/*.rs'
-        }
-      }
-    )
-
     test from: :smart_token_exchange_stu2_2
 
     token_exchange_index = children.find_index { |child| child.id.to_s.end_with? 'smart_token_exchange' }

data/lib/smart_app_launch/endpoints/echoing_fhir_responder.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require_relative '../urls'
+require_relative '../tags'
+require_relative 'mock_smart_server'
+
+module SMARTAppLaunch
+  class EchoingFHIRResponderEndpoint < Inferno::DSL::SuiteEndpoint
+    def test_run_identifier
+      MockSMARTServer.token_to_client_id(request.headers['authorization']&.delete_prefix('Bearer '))
+    end
+
+    def make_response
+      return if response.status == 401 # set in update_result (expired token handling there)
+
+      response.content_type = 'application/fhir+json'
+
+      # If the tester provided a response, echo it
+      # otherwise, operation outcome
+      echo_response = JSON.parse(result.input_json)
+        .find { |input| input['name'].include?('echoed_fhir_response') }
+        &.dig('value')
+
+      unless echo_response.present?
+        response.status = 400
+        response.body = FHIR::OperationOutcome.new(
+          issue: FHIR::OperationOutcome::Issue.new(
+            severity: 'fatal', code: 'required',
+            details: FHIR::CodeableConcept.new(text: 'No response provided to echo.')
+          )
+        ).to_json
+        return
+      end
+
+      response.status = 200
+      response.body = echo_response
+    end
+
+    def update_result
+      if MockSMARTServer.request_has_expired_token?(request)
+        MockSMARTServer.update_response_for_expired_token(response)
+        return
+      end
+
+      nil # never update for now
+    end
+
+    def tags
+      [ACCESS_TAG]
+    end
+  end
+end

data/lib/smart_app_launch/endpoints/mock_smart_server/token.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require_relative '../../urls'
+require_relative '../../tags'
+require_relative '../mock_smart_server'
+
+module SMARTAppLaunch
+  module MockSMARTServer
+    class TokenEndpoint < Inferno::DSL::SuiteEndpoint
+      def test_run_identifier
+        MockSMARTServer.client_id_from_client_assertion(request.params[:client_assertion])
+      end
+
+      def make_response
+        MockSMARTServer.make_smart_token_response(request, response, result)
+      end
+
+      def update_result
+        nil # never update for now
+      end
+
+      def tags
+        [TOKEN_TAG, SMART_TAG]
+      end
+    end
+  end
+end

data/lib/smart_app_launch/endpoints/mock_smart_server.rb

@@ -0,0 +1,217 @@
+require 'jwt'
+require 'faraday'
+require 'time'
+require_relative '../urls'
+require_relative '../tags'
+
+module SMARTAppLaunch
+  module MockSMARTServer
+    SUPPORTED_SCOPES = ['openid', 'system/*.read', 'user/*.read', 'patient/*.read'].freeze
+
+    module_function
+
+    def smart_server_metadata(suite_id)
+      base_url = "#{Inferno::Application['base_url']}/custom/#{suite_id}"
+      response_body = {
+        token_endpoint_auth_signing_alg_values_supported: ['RS384', 'ES384'],
+        capabilities: ['client-confidential-asymmetric'],
+        code_challenge_methods_supported: ['S256'],
+        token_endpoint_auth_methods_supported: ['private_key_jwt'],
+        issuer: base_url + FHIR_PATH,
+        grant_types_supported: ['client_credentials'],
+        scopes_supported: SUPPORTED_SCOPES,
+        token_endpoint: base_url + TOKEN_PATH
+      }.to_json
+
+      [200, { 'Content-Type' => 'application/json', 'Access-Control-Allow-Origin' => '*' }, [response_body]]
+    end
+
+    def make_smart_token_response(request, response, result)
+      assertion = request.params[:client_assertion]
+      client_id = client_id_from_client_assertion(assertion)
+
+      key_set_input = JSON.parse(result.input_json)&.find do |input|
+        input['name'] == 'smart_jwk_set'
+      end&.dig('value')
+      signature_error = smart_assertion_signature_verification(assertion, key_set_input)
+
+      if signature_error.present?
+        update_response_for_invalid_assertion(response, signature_error)
+        return
+      end
+
+      exp_min = 60
+      response_body = {
+        access_token: client_id_to_token(client_id, exp_min),
+        token_type: 'Bearer',
+        expires_in: 60 * exp_min,
+        scope: request.params[:scope]
+      }
+
+      response.body = response_body.to_json
+      response.headers['Cache-Control'] = 'no-store'
+      response.headers['Pragma'] = 'no-cache'
+      response.headers['Access-Control-Allow-Origin'] = '*'
+      response.content_type = 'application/json'
+      response.status = 200
+    end
+
+    def client_id_from_client_assertion(client_assertion_jwt)
+      return unless client_assertion_jwt.present?
+
+      jwt_claims(client_assertion_jwt)&.dig('iss')
+    end
+
+    def parsed_request_body(request)
+      JSON.parse(request.request_body)
+    rescue JSON::ParserError
+      nil
+    end
+
+    def parsed_io_body(request)
+      parsed_body = begin
+        JSON.parse(request.body.read)
+      rescue JSON::ParserError
+        nil
+      end
+      request.body.rewind
+
+      parsed_body
+    end
+
+    def jwt_claims(encoded_jwt)
+      JWT.decode(encoded_jwt, nil, false)[0]
+    end
+
+    def client_uri_to_client_id(client_uri)
+      Base64.urlsafe_encode64(client_uri, padding: false)
+    end
+
+    def client_id_to_client_uri(client_id)
+      Base64.urlsafe_decode64(client_id)
+    end
+
+    def client_id_to_token(client_id, exp_min)
+      token_structure = {
+        client_id:,
+        expiration: exp_min.minutes.from_now.to_i,
+        nonce: SecureRandom.hex(8)
+      }.to_json
+
+      Base64.urlsafe_encode64(token_structure, padding: false)
+    end
+
+    def decode_token(token)
+      JSON.parse(Base64.urlsafe_decode64(token))
+    rescue JSON::ParserError
+      nil
+    end
+
+    def token_to_client_id(token)
+      decode_token(token)&.dig('client_id')
+    end
+
+    def jwk_set(jku, warning_messages = []) # rubocop:disable Metrics/CyclomaticComplexity
+      jwk_set = JWT::JWK::Set.new
+
+      if jku.blank?
+        warning_messages << 'No key set input.'
+        return jwk_set
+      end
+
+      jwk_body = # try as raw jwk set
+        begin
+          JSON.parse(jku)
+        rescue JSON::ParserError
+          nil
+        end
+
+      if jwk_body.blank?
+        retrieved = Faraday.get(jku) # try as url pointing to a jwk set
+        jwk_body =
+          begin
+            JSON.parse(retrieved.body)
+          rescue JSON::ParserError
+            warning_messages << "Failed to fetch valid json from jwks uri #{jwk_set}."
+            nil
+          end
+      else
+        warning_messages << 'Providing the JWK Set directly is strongly discouraged.'
+      end
+
+      return jwk_set if jwk_body.blank?
+
+      jwk_body['keys']&.each_with_index do |key_hash, index|
+        parsed_key =
+          begin
+            JWT::JWK.new(key_hash)
+          rescue JWT::JWKError => e
+            id = key_hash['kid'] | index
+            warning_messages << "Key #{id} invalid: #{e}"
+            nil
+          end
+        jwk_set << parsed_key unless parsed_key.blank?
+      end
+
+      jwk_set
+    end
+
+    def request_has_expired_token?(request)
+      return false if request.params[:session_path].present?
+
+      token = request.headers['authorization']&.delete_prefix('Bearer ')
+      decoded_token = decode_token(token)
+      return false unless decoded_token&.dig('expiration').present?
+
+      decoded_token['expiration'] < Time.now.to_i
+    end
+
+    def update_response_for_expired_token(response)
+      response.status = 401
+      response.format = :json
+      response.body = FHIR::OperationOutcome.new(
+        issue: FHIR::OperationOutcome::Issue.new(severity: 'fatal', code: 'expired',
+                                                 details: FHIR::CodeableConcept.new(text: 'Bearer token has expired'))
+      ).to_json
+    end
+
+    def smart_assertion_signature_verification(token, key_set_input) # rubocop:disable Metrics/CyclomaticComplexity
+      encoded_token = nil
+      if token.is_a?(JWT::EncodedToken)
+        encoded_token = token
+      else
+        begin
+          encoded_token = JWT::EncodedToken.new(token)
+        rescue StandardError => e
+          return "invalid token structure: #{e}"
+        end
+      end
+      return 'invalid token' unless encoded_token.present?
+      return 'missing `alg` header' if encoded_token.header['alg'].blank?
+      return 'missing `kid` header' if encoded_token.header['kid'].blank?
+
+      jwk = identify_smart_signing_key(encoded_token.header['kid'], encoded_token.header['jku'], key_set_input)
+      return "no key found with `kid` '#{encoded_token.header['kid']}'" if jwk.blank?
+
+      begin
+        encoded_token.verify_signature!(algorithm: encoded_token.header['alg'], key: jwk.verify_key)
+      rescue StandardError => e
+        return e
+      end
+
+      nil
+    end
+
+    def identify_smart_signing_key(kid, jku, key_set_input)
+      key_set = jku.present? ? jku : key_set_input
+      parsed_key_set = jwk_set(key_set)
+      parsed_key_set&.find { |key| key.kid == kid }
+    end
+
+    def update_response_for_invalid_assertion(response, error_message)
+      response.status = 401
+      response.format = :json
+      response.body = { error: 'invalid_client', error_description: error_message }.to_json
+    end
+  end
+end

data/lib/smart_app_launch/metadata.rb

@@ -64,12 +64,12 @@ module SMARTAppLaunch
       section](https://github.com/inferno-framework/smart-app-launch-test-kit/issues)
       of the repository.
     DESCRIPTION
-    suite_ids [:smart, :smart_stu2, :smart_stu2_2, :smart_access_brands]
+    suite_ids [:smart, :smart_stu2, :smart_stu2_2, :smart_access_brands, :smart_client_stu2_2]
     tags ['SMART App Launch', 'Endpoint Publication']
     last_updated LAST_UPDATED
     version VERSION
     maturity 'Medium'
-    authors ['Stephen MacVicar']
+    authors ['Stephen MacVicar', 'Karl Naden']
     repo 'https://github.com/inferno-framework/smart-app-launch-test-kit'
   end
 end

data/lib/smart_app_launch/openid_fhir_user_claim_test.rb

@@ -8,18 +8,19 @@ module SMARTAppLaunch
       the url for a Patient, Practitioner, RelatedPerson, or Person resource
     )
 
-    input :id_token_payload_json, :requested_scopes, :url
-    input :smart_credentials, type: :oauth_credentials
+    input :id_token_payload_json, :url
+    input :smart_auth_info, type: :auth_info
+
     output :id_token_fhir_user
 
     fhir_client do
       url :url
-      oauth_credentials :smart_credentials
+      auth_info :smart_auth_info
     end
 
     run do
       skip_if id_token_payload_json.blank?
-      skip_if !requested_scopes&.include?('fhirUser'), '`fhirUser` scope not requested'
+      skip_if !smart_auth_info.requested_scopes&.include?('fhirUser'), '`fhirUser` scope not requested'
 
       assert_valid_json(id_token_payload_json)
       payload = JSON.parse(id_token_payload_json)

data/lib/smart_app_launch/openid_token_payload_test.rb

@@ -22,16 +22,14 @@ module SMARTAppLaunch
       REQUIRED_CLAIMS.dup
     end
 
-    input :id_token,
-          :openid_configuration_json,
-          :id_token_jwk_json,
-          :client_id
+    input :id_token, :openid_configuration_json, :id_token_jwk_json
+    input :smart_auth_info, type: :auth_info, options: { mode: 'auth' }
 
     run do
       skip_if id_token.blank?, 'No ID Token'
       skip_if openid_configuration_json.blank?, 'No OpenID Configuration found'
       skip_if id_token_jwk_json.blank?, 'No ID Token jwk found'
-      skip_if client_id.blank?, 'No Client ID'
+      skip_if smart_auth_info.client_id.blank?, 'No Client ID'
 
       begin
         configuration = JSON.parse(openid_configuration_json)
@@ -44,7 +42,7 @@ module SMARTAppLaunch
             algorithms: ['RS256'],
             exp_leeway: 60,
             iss: configuration['issuer'],
-            aud: client_id,
+            aud: smart_auth_info.client_id,
             verify_not_before: false,
             verify_iat: false,
             verify_jti: false,
@@ -57,8 +55,8 @@ module SMARTAppLaunch
       end
 
       sub_value = payload['sub']
-      assert !sub_value.blank?, "ID token `sub` claim is blank"
-      assert sub_value.length < 256, "ID token `sub` claim exceeds 255 characters in length"
+      assert !sub_value.blank?, 'ID token `sub` claim is blank'
+      assert sub_value.length < 256, 'ID token `sub` claim exceeds 255 characters in length'
 
       missing_claims = required_claims - payload.keys
       missing_claims_string = missing_claims.map { |claim| "`#{claim}`" }.join(', ')

data/lib/smart_app_launch/smart_stu1_suite.rb

@@ -58,16 +58,22 @@ module SMARTAppLaunch
 
       run_as_group
 
-      group from: :smart_discovery
+      group from: :smart_discovery,
+            config: {
+              inputs: {
+                smart_auth_info: { name: :standalone_smart_auth_info }
+              },
+              outputs: {
+                smart_auth_info: { name: :standalone_smart_auth_info }
+              }
+            }
       group from: :smart_standalone_launch
 
       group from: :smart_openid_connect,
             config: {
               inputs: {
                 id_token: { name: :standalone_id_token },
-                client_id: { name: :standalone_client_id },
-                requested_scopes: { name: :standalone_requested_scopes },
-                access_token: { name: :standalone_access_token },
+                smart_auth_info: { name: :standalone_smart_auth_info },
                 smart_credentials: { name: :standalone_smart_credentials }
               }
             }
@@ -77,9 +83,7 @@ module SMARTAppLaunch
             title: 'SMART Token Refresh Without Scopes',
             config: {
               inputs: {
-                refresh_token: { name: :standalone_refresh_token },
-                client_id: { name: :standalone_client_id },
-                client_secret: { name: :standalone_client_secret },
+                smart_auth_info: { name: :standalone_smart_auth_info },
                 received_scopes: { name: :standalone_received_scopes }
               },
               outputs: {
@@ -88,7 +92,8 @@ module SMARTAppLaunch
                 access_token: { name: :standalone_access_token },
                 token_retrieval_time: { name: :standalone_token_retrieval_time },
                 expires_in: { name: :standalone_expires_in },
-                smart_credentials: { name: :standalone_smart_credentials }
+                smart_credentials: { name: :standalone_smart_credentials },
+                smart_auth_info: { name: :standalone_smart_auth_info }
               }
             }
 
@@ -98,9 +103,7 @@ module SMARTAppLaunch
             config: {
               options: { include_scopes: true },
               inputs: {
-                refresh_token: { name: :standalone_refresh_token },
-                client_id: { name: :standalone_client_id },
-                client_secret: { name: :standalone_client_secret },
+                smart_auth_info: { name: :standalone_smart_auth_info },
                 received_scopes: { name: :standalone_received_scopes }
               },
               outputs: {
@@ -109,7 +112,8 @@ module SMARTAppLaunch
                 access_token: { name: :standalone_access_token },
                 token_retrieval_time: { name: :standalone_token_retrieval_time },
                 expires_in: { name: :standalone_expires_in },
-                smart_credentials: { name: :standalone_smart_credentials }
+                smart_credentials: { name: :standalone_smart_credentials },
+                smart_auth_info: { name: :standalone_smart_auth_info }
               }
             }
     end
@@ -128,7 +132,15 @@ module SMARTAppLaunch
 
       run_as_group
 
-      group from: :smart_discovery
+      group from: :smart_discovery,
+            config: {
+              inputs: {
+                smart_auth_info: { name: :ehr_smart_auth_info }
+              },
+              outputs: {
+                smart_auth_info: { name: :ehr_smart_auth_info }
+              }
+            }
 
       group from: :smart_ehr_launch
 
@@ -136,9 +148,7 @@ module SMARTAppLaunch
             config: {
               inputs: {
                 id_token: { name: :ehr_id_token },
-                client_id: { name: :ehr_client_id },
-                requested_scopes: { name: :ehr_requested_scopes },
-                access_token: { name: :ehr_access_token },
+                smart_auth_info: { name: :ehr_smart_auth_info },
                 smart_credentials: { name: :ehr_smart_credentials }
               }
             }
@@ -148,9 +158,7 @@ module SMARTAppLaunch
             title: 'SMART Token Refresh Without Scopes',
             config: {
               inputs: {
-                refresh_token: { name: :ehr_refresh_token },
-                client_id: { name: :ehr_client_id },
-                client_secret: { name: :ehr_client_secret },
+                smart_auth_info: { name: :ehr_smart_auth_info },
                 received_scopes: { name: :ehr_received_scopes }
               },
               outputs: {
@@ -159,7 +167,8 @@ module SMARTAppLaunch
                 access_token: { name: :ehr_access_token },
                 token_retrieval_time: { name: :ehr_token_retrieval_time },
                 expires_in: { name: :ehr_expires_in },
-                smart_credentials: { name: :ehr_smart_credentials }
+                smart_credentials: { name: :ehr_smart_credentials },
+                smart_auth_info: { name: :ehr_smart_auth_info }
               }
             }
 
@@ -169,9 +178,7 @@ module SMARTAppLaunch
             config: {
               options: { include_scopes: true },
               inputs: {
-                refresh_token: { name: :ehr_refresh_token },
-                client_id: { name: :ehr_client_id },
-                client_secret: { name: :ehr_client_secret },
+                smart_auth_info: { name: :ehr_smart_auth_info },
                 received_scopes: { name: :ehr_received_scopes }
               },
               outputs: {
@@ -180,7 +187,8 @@ module SMARTAppLaunch
                 access_token: { name: :ehr_access_token },
                 token_retrieval_time: { name: :ehr_token_retrieval_time },
                 expires_in: { name: :ehr_expires_in },
-                smart_credentials: { name: :ehr_smart_credentials }
+                smart_credentials: { name: :ehr_smart_credentials },
+                smart_auth_info: { name: :ehr_smart_auth_info }
               }
             }
     end