smart_app_launch_test_kit 0.6.1 → 0.6.2

data/lib/smart_app_launch/client_suite/client_descriptions.rb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+require 'rack/utils'
+
+module SMARTAppLaunch
+  RE_RUN_REGISTRATION_SUFFIX =
+    'Create a new session and re-run the Client Registration group if you need to change this value.'
+  INPUT_CLIENT_ID_DESCRIPTION =
+    'Testers may provide a specific value for Inferno to assign as the client id. If no value is provided, ' \
+    'the Inferno session id will be used.'
+  INPUT_CLIENT_ID_DESCRIPTION_LOCKED =
+    "The registered Client Id for use in obtaining access tokens. #{RE_RUN_REGISTRATION_SUFFIX}".freeze
+  INPUT_SMART_LAUNCH_URLS_DESCRIPTION =
+    'If the client app supports EHR launch, a comma-delimited list of one or more URLs that Inferno can ' \
+    'use to launch the app.'
+  INPUT_SMART_LAUNCH_URLS_DESCRIPTION_LOCKED =
+    'Registered Launch URLs in the form of a comma-separated list of zero or more URLs. If present, Inferno ' \
+    "will provide an option to use each to launch the app. #{RE_RUN_REGISTRATION_SUFFIX}".freeze
+  INPUT_SMART_REDIRECT_URIS_DESCRIPTION =
+    'A comma-separated list of one or more URIs that the app will sepcify as the target of the redirect for ' \
+    'Inferno to use when providing the authorization code.'
+  INPUT_SMART_REDIRECT_URIS_DESCRIPTION_LOCKED =
+    'Registered Redirect URIs in the form of a comma-separated list of one or more URIs. Redirect URIs ' \
+    "specified in authorization requests must come from this list. #{RE_RUN_REGISTRATION_SUFFIX}".freeze
+  INPUT_CLIENT_SECRET_DESCRIPTION =
+    'Provide the client secret that the confidential symmetric client will send with token requests ' \
+    'to authenticate the client to Inferno.'
+  INPUT_CLIENT_SECRET_DESCRIPTION_LOCKED =
+    'The registered client secret that will be provided during token requests to authenticate the client ' \
+    "to Inferno. #{RE_RUN_REGISTRATION_SUFFIX}".freeze
+  INPUT_CLIENT_JWKS_DESCRIPTION =
+    'The SMART client\'s JSON Web Key Set including the key(s) Inferno will need to verify signatures ' \
+    'on token requests made by the client. May be provided as either a publicly accessible url containing ' \
+    'the JWKS, or the raw JWKS JSON.'
+  INPUT_CLIENT_JWKS_DESCRIPTION_LOCKED =
+    'The SMART client\'s JSON Web Key Set in the form of either a publicly accessible url containing the ' \
+    'JWKS, or the raw JWKS JSON. Must include the key(s) Inferno will need to verify signatures on token ' \
+    "requests made by the client. #{RE_RUN_REGISTRATION_SUFFIX}".freeze
+
+  INPUT_LAUNCH_CONTEXT_DESCRIPTION =
+    'Launch context details to be included in access token responses, specified as a JSON array. If provided, ' \
+    'the contents will be merged into Inferno\'s token responses.'
+  INPUT_FHIR_USER_RELATIVE_REFERENCE =
+    'A FHIR relative reference (<resource type>/<id>) for the FHIR user record to return when the openid ' \
+    'and fhirUser scopes are requested. Include this resource in the **Available Resources** input so ' \
+    'that it can be accessed via FHIR read.'
+  INPUT_FHIR_READ_RESOURCES_BUNDLE_DESCRIPTION =
+    'Resources to make available in Inferno\'s simulated FHIR server provided as a FHIR bundle. Each entry ' \
+    'must contain a resource with the id element populated. Each instance present will be available for ' \
+    'retrieval from Inferno at the endpoint: <fhir-base>/<resource type>/<instance id>. These will only ' \
+    'be available through the read interaction.'
+  INPUT_ECHOED_FHIR_RESPONSE_DESCRIPTION =
+    'JSON representation of a default FHIR resource for Inferno to echo when a request is made to the ' \
+    'simulated FHIR server. Reads targetting resources in the **Available Resources** input will return ' \
+    'that resource instead of this. Otherwise, the content here will be echoed back exactly and no check ' \
+    'will be made that it is appropriate for the request made. If nothing is provided, an OperationOutcome ' \
+    'indicating nothing to echo will be returned.'
+
+  module ClientWaitDialogDescriptions
+    def access_wait_dialog_backend_services_access_prefix(client_id, fhir_base_url)
+      <<~PREFIX
+        **Access**
+
+        Use the registered client id (#{client_id}) to obtain an access
+        token using SMART Backend Services
+        and use that token to access a FHIR endpoint under the simulated server's base URL:
+
+        `#{fhir_base_url}`
+
+      PREFIX
+    end
+
+    def access_wait_dialog_app_launch_access_prefix(client_id, authentication_approach, fhir_base_url)
+      <<~PREFIX
+        **Launch and Access**
+
+        The app has been registered with Inferno's simulated SMART server as a
+        #{authentication_approach} client with client id `#{client_id}`.
+
+        Perform a standalone launch to connect to Inferno's simulated FHIR server at:
+
+        `#{fhir_base_url}`
+
+      PREFIX
+    end
+
+    def access_wait_dialog_ehr_launch_instructions(smart_launch_urls, fhir_base_url)
+      if smart_launch_urls.present?
+        launch_key = SecureRandom.hex(32)
+        output(launch_key:)
+
+        launch_query_string = Rack::Utils.build_query({ iss: fhir_base_url, launch: launch_key })
+        ehr_launch_locations = smart_launch_urls.split(',').map { |launch_url| "#{launch_url}?#{launch_query_string}" }
+        ehr_launch_links_string = ehr_launch_locations.map { |url| "- [launch](#{url})" }.join("\n")
+
+        "\n\nOr open one of the following links in a new tab to perform an EHR launch:\n#{ehr_launch_links_string}\n\n"
+      else
+        ''
+      end
+    end
+
+    def access_wait_dialog_access_response_and_continue_suffix(client_id, resume_pass_url)
+      <<~SUFFIX
+        Inferno will respond to requests with either:
+        - A resource from the Bundle in the **Available Resources** input if the request is a read matching
+          a resource type and id found in the Bundle.
+        - Otherwise, the contents of the **Default FHIR Response** if provided.
+        - Otherwise, an OperationOutcome indicating nothing to echo.
+
+        [Click here](#{resume_pass_url}?token=#{client_id}) once the client has made a data access request.
+      SUFFIX
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/client_options.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require_relative '../tags'
+
+module SMARTAppLaunch
+  module SMARTClientOptions
+    module_function
+
+    SMART_APP_LAUNCH_PUBLIC = "#{SMART_TAG},#{AUTHORIZATION_CODE_TAG},#{PUBLIC_TAG}".freeze
+    SMART_APP_LAUNCH_CONFIDENTIAL_SYMMETRIC = 
+      "#{SMART_TAG},#{AUTHORIZATION_CODE_TAG},#{CONFIDENTIAL_SYMMETRIC_TAG}".freeze
+    SMART_APP_LAUNCH_CONFIDENTIAL_ASYMMETRIC = 
+      "#{SMART_TAG},#{AUTHORIZATION_CODE_TAG},#{CONFIDENTIAL_ASYMMETRIC_TAG}".freeze
+    SMART_BACKEND_SERVICES_CONFIDENTIAL_ASYMMETRIC =
+      "#{SMART_TAG},#{CLIENT_CREDENTIALS_TAG},#{CONFIDENTIAL_ASYMMETRIC_TAG}".freeze
+
+    def oauth_flow(suite_options)
+      if suite_options[:client_type].include?(AUTHORIZATION_CODE_TAG)
+        AUTHORIZATION_CODE_TAG
+      elsif suite_options[:client_type].include?(CLIENT_CREDENTIALS_TAG)
+        CLIENT_CREDENTIALS_TAG
+      end
+    end
+
+    def smart_authentication_approach(suite_options)
+      if suite_options[:client_type].include?(PUBLIC_TAG)
+        PUBLIC_TAG
+      elsif suite_options[:client_type].include?(CONFIDENTIAL_SYMMETRIC_TAG)
+        CONFIDENTIAL_SYMMETRIC_TAG
+      elsif suite_options[:client_type].include?(CONFIDENTIAL_ASYMMETRIC_TAG)
+        CONFIDENTIAL_ASYMMETRIC_TAG
+      end
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/oidc_jwks.json

@@ -0,0 +1,32 @@
+{
+	"keys": [
+		{
+			"kty": "RSA",
+			"use": "sig",
+			"key_ops": [
+				"verify"
+			],
+			"alg": "RS256",
+			"kid": "618e76fc7eb7c3401c7fd47b9af5e94d",
+			"n": "uoYzdYZQDp7yHTfY4XL1PFCFPfijG1rP2dNgMmsqKbm9qpMjiUuXCpdoOXWE838pcu3Ahi6L3dGgGS3Aeys3YrnF6h9uRTD1DHf-UWlOq4iPCzk26a-bBuyVZDVqS7Y5HsyF7i_UvYV1W0EaHSpAF911Vo_W_FVyiSkAZP1yN0ECbbjnSqxhaa44SGw90oh6XnyNBLu7a11aLCURkaRJOKXHj_vf8UyaD-IA9YkvM80St7QF6u6LRVYmCShbpfWRmejh_Swf4zdqcPl-duUsZE-OBysoTq92FaXr605igM30Rdkx8hs-HTwZtjn5hB3XNTiG2Wka1cUXKNyH59u8Yw",
+			"e": "AQAB"
+		},
+		{
+			"kty": "RSA",
+			"use": "sig",
+			"key_ops": [
+				"sign"
+			],
+			"alg": "RS256",
+			"kid": "618e76fc7eb7c3401c7fd47b9af5e94d",
+			"d": "k2SxDVHRuXwIvuX-0EjTWZIXeF0eJuOgE_VgsvbUHpzUMBKNplTBSnFSvvUK1o_J5TPTSzVE-UhJRxxMWghQgAdlShkEPlDtk6jOou6gaBRFVQ0lQ4ys6M_TTZiYIrQgdyIPQ6Uwa4MmtbHAPQPCGhm6O2j27fdnxtNLqIJO2zF9OzF4VP5_v63bbMfwbKECvB_bbcGLmJrq2ClI1iTOw-GawQ3I8sfwf52D3mb-qDJyQwtomNxf7EhvmGBC9u_8JVY48qsCCYWr2KAauID02WtCVepxM4ltKOLJb6BL5QpKmJ8svYLWjSZvNJSdk-EoB9grqechyDOIa2DuU9g-QQ",
+			"n": "uoYzdYZQDp7yHTfY4XL1PFCFPfijG1rP2dNgMmsqKbm9qpMjiUuXCpdoOXWE838pcu3Ahi6L3dGgGS3Aeys3YrnF6h9uRTD1DHf-UWlOq4iPCzk26a-bBuyVZDVqS7Y5HsyF7i_UvYV1W0EaHSpAF911Vo_W_FVyiSkAZP1yN0ECbbjnSqxhaa44SGw90oh6XnyNBLu7a11aLCURkaRJOKXHj_vf8UyaD-IA9YkvM80St7QF6u6LRVYmCShbpfWRmejh_Swf4zdqcPl-duUsZE-OBysoTq92FaXr605igM30Rdkx8hs-HTwZtjn5hB3XNTiG2Wka1cUXKNyH59u8Yw",
+			"e": "AQAB",
+			"p": "x3syoDXXDJne_-aSeHMm3muQ1KfIGewMhklvGNZ6LVTIJWUE5UYiGshABmgn86GfS-uZc_oUo3WcXiCLUlZSBqZFTIyXgy9y979VWA0whPCYcVSLzSGOiUtv3Ys4VGYCmGSuJnyLDp0CNN63Gf_iGpjCRbaPCPdRnyBgfSEvETs",
+			"q": "718z8hC_AQXrhQxvTsCEv7FXSX0Ev10Tjdq94DcsD91g34KTbrF9K9wtPfBUQaUx5Z2rMOTdLxbtHKvP-YQ4YMoQioA9qsclcnwdvKoRcRWim9oBnLa3Iuqttdwc9U2FWEQ4wqv16rsQw7URU4qlYkiVjrHvRJb8Nx_AJsA8Tvk",
+			"dp": "waDGDVj1exfIq-ClgCFWM0N5-9E4nGDR729MVXGqemH3PMUHsX0YEaMa8p0bWpMhStJPy5GNgvTgaUVxtuRvDmFKlvlJAF-IWw7vyl5TIFdhwW_tm5nc_0uoNAW1EcdK8Z2YpWbym6avw54DYUtNr79jo8OGp49ZPPpybkNNqo0",
+			"dq": "ge3mL02Br9d7yKNAQ7niFH75Ry1yB0FJXOVPzUWFSDM84vVoe1wh-k2vzQAHa_50ABO-GXMQz_-cwsRLxj9LrtXfdp43Wtxv6h2OspqJjx1UP05tM5hF_dDua1lH6qqiZ4_YU2qtuDTD28cL2ZHXRWrqqyLQIiXmTzGPxjjwQ1k",
+			"qi": "n3fMznRlCCwuoCq0kv4tL0cravVhcg33rA-CQXlIxgqj3h1yiBJ4p76pHceV6tvYsPyX3YsUKNOBP9HcxuHK3I3kFqMN5Y4C4r8dTE4fbJK9QT_guo_k_GKijNp0NDNCCeKxU78SRYvA527VY-3Z6TUC_K6O-5Pd6aPJN1QDtoA"
+		}
+	]
+}

data/lib/smart_app_launch/client_suite/oidc_jwks.rb

@@ -0,0 +1,27 @@
+require 'jwt'
+
+module SMARTAppLaunch
+  class OIDCJWKS
+    class << self
+      def jwks_json
+        @jwks_json ||=
+          JSON.pretty_generate(
+            { keys: jwks.export[:keys].select { |key| key[:key_ops]&.include?('verify') } }
+          )
+      end
+
+      def default_jwks_path
+        @default_jwks_path ||= File.join(__dir__, 'oidc_jwks.json')
+      end
+
+      def jwks_path
+        @jwks_path ||=
+          ENV.fetch('SIMULATED_OIDC_JWKS_PATH', default_jwks_path)
+      end
+
+      def jwks
+        @jwks ||= JWT::JWK::Set.new(JSON.parse(File.read(jwks_path)))
+      end
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/registration_alca_group.rb

@@ -0,0 +1,15 @@
+require_relative 'registration_alca_verification_test'
+
+module SMARTAppLaunch
+  class SMARTClientRegistrationAppLaunchConfidentialAsymmetric < Inferno::TestGroup
+    id :smart_client_registration_alca
+    title 'SMART App Launch Confidential Symmetric Client Registration'
+    description %(
+      During these tests, Inferno will verify the provided registration details for the
+      SMART App Launch client using Confidential Asymmetric authentication.
+    )
+    run_as_group
+
+    test from: :smart_client_registration_alca_verification
+  end
+end

data/lib/smart_app_launch/client_suite/registration_alca_verification_test.rb

@@ -0,0 +1,57 @@
+require_relative '../tags'
+require_relative '../endpoints/mock_smart_server'
+require_relative 'client_options'
+require_relative 'registration_verification'
+require_relative 'client_descriptions'
+
+module SMARTAppLaunch
+  class SMARTClientRegistrationAppLaunchConfidentialAsymmetricVerification < Inferno::Test
+    include RegistrationVerification
+
+    id :smart_client_registration_alca_verification
+    title 'Verify SMART App Launch Confidential Asymmetric Client Registration'
+    description %(
+      During this test, Inferno will verify that the registration details
+      provided for a [SMART App Launch](https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html)
+      confidential client using [asymmetric authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html) 
+      are conformant.
+    )
+    
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          optional: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION
+    input :smart_launch_urls,
+          title: 'SMART App Launch URL(s)',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_SMART_LAUNCH_URLS_DESCRIPTION
+    input :smart_redirect_uris,
+          title: 'SMART App Launch Redirect URI(s)',
+          type: 'textarea',
+          description: INPUT_SMART_REDIRECT_URIS_DESCRIPTION
+    input :smart_jwk_set,
+          title: 'SMART Confidential Asymmetric JSON Web Key Set (JWKS)',
+          type: 'textarea',
+          description: INPUT_CLIENT_JWKS_DESCRIPTION
+    
+    output :client_id
+    output :smart_launch_urls # normalized
+    output :smart_redirect_uris # normalized
+
+    run do
+      if client_id.blank?
+        client_id = test_session_id
+        output(client_id:)
+      end
+
+      verify_registered_launch_urls(smart_launch_urls)
+      verify_registered_redirect_uris(smart_redirect_uris)
+      verify_registered_jwks(smart_jwk_set)
+
+      assert messages.none? { |msg| msg[:type] == 'error' },
+             'Invalid registration details provided. See messages for details'
+    end    
+  end
+end

data/lib/smart_app_launch/client_suite/registration_alcs_group.rb

@@ -0,0 +1,15 @@
+require_relative 'registration_alcs_verification_test'
+
+module SMARTAppLaunch
+  class SMARTClientRegistrationAppLaunchConfidentialSymmetric < Inferno::TestGroup
+    id :smart_client_registration_alcs
+    title 'SMART App Launch Confidential Symmetric Client Registration'
+    description %(
+      During these tests, Inferno will verify the provided registration details for the
+      SMART App Launch client using Confidential Symmetric authentication. 
+    )
+    run_as_group
+
+    test from: :smart_client_registration_alcs_verification
+  end
+end

data/lib/smart_app_launch/client_suite/registration_alcs_verification_test.rb

@@ -0,0 +1,56 @@
+require_relative '../tags'
+require_relative '../endpoints/mock_smart_server'
+require_relative 'client_options'
+require_relative 'registration_verification'
+require_relative 'client_descriptions'
+
+module SMARTAppLaunch
+  class SMARTClientRegistrationAppLaunchConfidentialSymmetricVerification < Inferno::Test
+    include RegistrationVerification
+
+    id :smart_client_registration_alcs_verification
+    title 'Verify SMART App Launch Confidential Symmetric Client Registration'
+    description %(
+      During this test, Inferno will verify that the registration details
+      provided for a [SMART App Launch](https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html)
+      confidential client using [symmetric authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-symmetric.html) 
+      are conformant.
+    )
+    
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          optional: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION
+    input :smart_launch_urls,
+          title: 'SMART App Launch URL(s)',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_SMART_LAUNCH_URLS_DESCRIPTION
+    input :smart_redirect_uris,
+          title: 'SMART App Launch Redirect URI(s)',
+          type: 'textarea',
+          description: INPUT_SMART_REDIRECT_URIS_DESCRIPTION
+    input :smart_client_secret,
+          title: 'SMART Confidential Symmetric Client Secret',
+          type: 'text',
+          description: INPUT_CLIENT_SECRET_DESCRIPTION
+    
+    output :client_id
+    output :smart_launch_urls # normalized
+    output :smart_redirect_uris # normalized
+
+    run do
+      if client_id.blank?
+        client_id = test_session_id
+        output(client_id:)
+      end
+
+      verify_registered_launch_urls(smart_launch_urls)
+      verify_registered_redirect_uris(smart_redirect_uris)
+
+      assert messages.none? { |msg| msg[:type] == 'error' },
+             'Invalid registration details provided. See messages for details'
+    end    
+  end
+end

data/lib/smart_app_launch/client_suite/registration_alp_group.rb

@@ -0,0 +1,16 @@
+
+require_relative 'registration_alp_verification_test'
+
+module SMARTAppLaunch
+  class SMARTClientRegistrationAppLaunchPublic < Inferno::TestGroup
+    id :smart_client_registration_alp
+    title 'SMART App Launch Public Client Registration'
+    description %(
+      During these tests, Inferno will verify the provided registration details for the
+      SMART App Launch client using Confidential Symmetric authentication.
+    )
+    run_as_group
+
+    test from: :smart_client_registration_alp_verification
+  end
+end

data/lib/smart_app_launch/client_suite/registration_alp_verification_test.rb

@@ -0,0 +1,50 @@
+require_relative '../tags'
+require_relative '../endpoints/mock_smart_server'
+require_relative 'client_options'
+require_relative 'registration_verification'
+
+module SMARTAppLaunch
+  class SMARTClientRegistrationAppLaunchPublicVerification < Inferno::Test
+    include RegistrationVerification
+
+    id :smart_client_registration_alp_verification
+    title 'Verify SMART App Launch Public Client Registration'
+    description %(
+      During this test, Inferno will verify that the registration details
+      provided for a [SMART App Launch](https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html)
+      public client using are conformant.
+    )
+    
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          optional: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION
+    input :smart_launch_urls,
+          title: 'SMART App Launch URL(s)',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_SMART_LAUNCH_URLS_DESCRIPTION
+    input :smart_redirect_uris,
+          title: 'SMART App Launch Redirect URI(s)',
+          type: 'textarea',
+          description: INPUT_SMART_REDIRECT_URIS_DESCRIPTION
+    
+    output :client_id
+    output :smart_launch_urls # normalized
+    output :smart_redirect_uris # normalized
+
+    run do
+      if client_id.blank?
+        client_id = test_session_id
+        output(client_id:)
+      end
+
+      verify_registered_launch_urls(smart_launch_urls)
+      verify_registered_redirect_uris(smart_redirect_uris)
+
+      assert messages.none? { |msg| msg[:type] == 'error' },
+             'Invalid registration details provided. See messages for details'
+    end    
+  end
+end

data/lib/smart_app_launch/client_suite/registration_bsca_group.rb

@@ -0,0 +1,15 @@
+require_relative 'registration_bsca_verification_test'
+
+module SMARTAppLaunch
+  class SMARTClientRegistrationBackendServicesConfidentialAsymmetric < Inferno::TestGroup
+    id :smart_client_registration_bsca
+    title 'Backend Services Confidential Asymmetric Client Registration'
+    description %(
+      During these tests, Inferno will verify the provided registration details  for the
+      SMART Backend Services client using Confidential Asymmetric authentication.
+    )
+    run_as_group
+
+    test from: :smart_client_registration_bsca_verification
+  end
+end

data/lib/smart_app_launch/client_suite/registration_bsca_verification_test.rb

@@ -0,0 +1,40 @@
+require_relative '../tags'
+require_relative '../endpoints/mock_smart_server'
+require_relative 'registration_verification'
+
+module SMARTAppLaunch
+  class SMARTClientBackendServicesRegistrationVerification < Inferno::Test
+    include RegistrationVerification
+
+    id :smart_client_registration_bsca_verification
+    title 'Verify SMART Backend Services Confidential Asymmetric Client Registration'
+    description %(
+      During this test, Inferno will verify that the registration details
+      provided for a [SMART Backend Services](https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html)
+      client using [asymmetric authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html)
+      are valid.
+    )
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          optional: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION
+    input :smart_jwk_set,
+          title: 'SMART Confidential Asymmetric JSON Web Key Set (JWKS)',
+          type: 'textarea',
+          description: INPUT_CLIENT_JWKS_DESCRIPTION
+
+    output :client_id
+
+    run do
+      if client_id.blank?
+        client_id = test_session_id
+        output(client_id:)
+      end
+
+      verify_registered_jwks(smart_jwk_set)
+
+      assert messages.none? { |msg| msg[:type] == 'error' }, 'Invalid key set provided. See messages for details'
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/registration_verification.rb

@@ -0,0 +1,58 @@
+module SMARTAppLaunch
+  module RegistrationVerification
+    def verify_registered_jwks(jwks_input)
+
+      jwks_warnings = []
+      parsed_smart_jwk_set = MockSMARTServer.jwk_set(smart_jwk_set, jwks_warnings)
+      jwks_warnings.each { |warning| add_message('warning', warning) }
+
+      # TODO: add key-specific verification per end of https://build.fhir.org/ig/HL7/smart-app-launch/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys
+
+      unless parsed_smart_jwk_set.length.positive?
+        add_message(
+          'error',
+          'JWKS content for Confidential Asymmetric authentication does not include any valid keys.'
+        )
+      end
+    end
+
+    def verify_registered_launch_urls(launch_urls)
+      return unless launch_urls.present?
+
+      normalized_launch_urls = normalize_urls(launch_urls, 'launch URL')
+      output smart_launch_urls: normalized_launch_urls.join(',').strip
+    end
+
+    def verify_registered_redirect_uris(redirect_uris)
+      return unless redirect_uris.present?
+
+      normalized_redirect_uris = normalize_urls(redirect_uris, 'redirect URI')
+
+      output smart_redirect_uris: normalized_redirect_uris.join(',').strip
+    end
+
+    def normalize_urls(url_list, type_for_error)
+      url_list.split(',').map(&:strip).each_with_object([]) do |url, normalized_urls|
+        next if url.blank?
+
+        parsed_uri =
+          begin
+            URI.parse(url)
+          rescue URI::InvalidURIError
+            add_message('error', "Registered #{type_for_error} '#{url}' is not a valid URI.")
+            nil
+          end
+        next unless parsed_uri.present?
+        unless parsed_uri.scheme == 'https' || parsed_uri.scheme == 'http'
+          add_message('error', "Registered #{type_for_error} '#{url}' is not a valid http address.")
+          next
+        end
+
+        normalized_urls << url
+        unless parsed_uri.scheme == 'https'
+          add_message('error', "Registered #{type_for_error} '#{url}' is not a valid https URI.")
+        end
+      end
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/token_request_alca_verification_test.rb

@@ -0,0 +1,53 @@
+require_relative '../tags'
+require_relative '../urls'
+require_relative '../endpoints/mock_smart_server'
+require_relative 'authentication_verification'
+require_relative 'client_descriptions'
+require_relative 'client_options'
+require_relative 'token_request_verification'
+
+module SMARTAppLaunch
+  class SMARTClientTokenRequestAppLaunchConfidentialAsymmetricVerification < Inferno::Test
+    include URLs
+    include AuthenticationVerification
+    include TokenRequestVerification
+
+    id :smart_client_token_request_alca_verification
+    title 'Verify SMART Token Requests'
+    description %(
+      Check that SMART token requests are conformant.
+    )
+
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          optional: false,
+          locked: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION_LOCKED
+    input :smart_jwk_set,
+          title: 'JSON Web Key Set (JWKS)',
+          type: 'textarea',
+          locked: true,
+          description: INPUT_CLIENT_JWKS_DESCRIPTION_LOCKED
+    
+    output :smart_tokens
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      SMARTAppLaunch::SMARTClientSTU22Suite.id
+    end
+
+    run do
+      load_tagged_requests(TOKEN_TAG, SMART_TAG, AUTHORIZATION_CODE_TAG)
+      skip_if requests.blank?, 'No SMART authorization code token requests made.'
+      load_tagged_requests(TOKEN_TAG, SMART_TAG, REFRESH_TOKEN_TAG) # verify refresh_requests as well
+
+      verify_token_requests(AUTHORIZATION_CODE_TAG, CONFIDENTIAL_ASYMMETRIC_TAG)
+
+      assert messages.none? { |msg|
+        msg[:type] == 'error'
+      }, 'Invalid token requests received. See messages for details.'
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/token_request_alcs_verification_test.rb

@@ -0,0 +1,53 @@
+require_relative '../tags'
+require_relative '../urls'
+require_relative '../endpoints/mock_smart_server'
+require_relative 'authentication_verification'
+require_relative 'client_descriptions'
+require_relative 'client_options'
+require_relative 'token_request_verification'
+
+module SMARTAppLaunch
+  class SMARTClientTokenRequestAppLaunchConfidentialSymmetricVerification < Inferno::Test
+    include URLs
+    include AuthenticationVerification
+    include TokenRequestVerification
+
+    id :smart_client_token_request_alcs_verification
+    title 'Verify SMART Token Requests'
+    description %(
+      Check that SMART token requests are conformant.
+    )
+
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          optional: false,
+          locked: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION_LOCKED
+    input :smart_client_secret,
+          title: 'SMART Confidential Symmetric Client Secret',
+          type: 'text',
+          locked: true,
+          description: INPUT_CLIENT_SECRET_DESCRIPTION_LOCKED
+    
+    output :smart_tokens
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      SMARTAppLaunch::SMARTClientSTU22Suite.id
+    end
+
+    run do
+      load_tagged_requests(TOKEN_TAG, SMART_TAG, AUTHORIZATION_CODE_TAG)
+      skip_if requests.blank?, 'No SMART authorization code token requests made.'
+      load_tagged_requests(TOKEN_TAG, SMART_TAG, REFRESH_TOKEN_TAG) # verify refresh_requests as well
+
+      verify_token_requests(AUTHORIZATION_CODE_TAG, CONFIDENTIAL_SYMMETRIC_TAG)
+
+      assert messages.none? { |msg|
+        msg[:type] == 'error'
+      }, 'Invalid token requests received. See messages for details.'
+    end
+  end
+end