smart_udap_harmonization_test_kit 0.9.0

data/lib/smart_udap_harmonization_test_kit/smart_udap_fhir_context_test.rb

@@ -0,0 +1,87 @@
+require_relative 'smart_udap_context_test'
+
+module SMART_UDAP_HarmonizationTestKit
+  class SMART_UDAP_FHIR_ContextTest < SMART_UDAP_ContextTest # rubocop:disable Naming/ClassAndModuleCamelCase
+    id :smart_udap_fhir_context
+    title 'Support for "fhirContext" launch context'
+    description <<~DESCRIPTION
+      This test validates the presence and format of the "fhirContext"
+      launch context.
+    DESCRIPTION
+
+    def context_field_name
+      'fhirContext'
+    end
+
+    def context_scopes
+      [].freeze
+    end
+
+    def validate_context_field # rubocop:disable Metrics/CyclomaticComplexity
+      assert context_field.is_a?(Array),
+             "`fhirContext` field should be an Array, but found `#{context_field.class.name}`"
+
+      context_field_types = context_field.map(&:class).uniq
+
+      assert context_field_types.length == 1,
+             "Inconsistent `fhirContext` types found: #{context_field_types.map(&:name).join(', ')}"
+
+      if context_field.any? { |member| member.is_a? String }
+        assert context_field.none? { |member| member&.start_with?('Patient/') || member&.start_with?('Encounter/') },
+               'Patient and Encounter references are not permitted within fhirContext in SMART App Launch 2.0.0'
+
+        pass
+      end
+
+      non_hash_fields = context_field.reject { |member| member.is_a? Hash }
+      non_hash_fields_string = non_hash_fields.map { |member| "`#{member.class.name}`" }.join(', ')
+      assert non_hash_fields.empty?,
+             "All `fhirContext` elements should be JSON objects, but found #{non_hash_fields_string}"
+
+      field_types = {
+        'reference' => String,
+        'canonical' => String,
+        'identifier' => Hash,
+        'type' => String,
+        'role' => String
+      }
+
+      bad_fields = []
+      context_field.each do |member|
+        field_types.each do |name, type|
+          if member.key?(name) && !member[name].is_a?(type)
+            bad_fields << { name:, type: member[name].class.name, expected_type: type.name }
+          end
+        end
+      end
+
+      bad_types_list =
+        bad_fields.map do |bad_field|
+          "\n* `#{bad_field[:name]}` - Expected `#{bad_field[:expected_type]}`, but found `#{bad_field[:type]}`"
+        end
+      bad_types_message = "The following fields have incorrect types#{bad_types_list.join}"
+
+      assert bad_fields.empty?, bad_types_message
+
+      patient_and_encounter_references =
+        context_field.select do |member|
+          member['reference']&.start_with?('Patient/') || member['reference']&.start_with?('Encounter/')
+        end
+      good_patient_and_encounter_roles =
+        patient_and_encounter_references.all? do |reference|
+          reference['role'].present? && reference['role'] != 'launch'
+        end
+
+      assert good_patient_and_encounter_roles,
+             'Patient and Encounter references are not allowed unless they have a role other than `launch`'
+
+      assert context_field.all? { |member| member['role'].is_a?(String) ? member['role'].present? : true },
+             '`role` SHALL NOT be an empty string'
+
+      required_fields = ['reference', 'canonical', 'identifier']
+
+      assert context_field.all? { |member| required_fields.any? { |field| member[field].present? } },
+             'Each object in fhirContext SHALL include at least one of "reference", "canonical", or "identifier"'
+    end
+  end
+end

data/lib/smart_udap_harmonization_test_kit/smart_udap_intent_context_test.rb

@@ -0,0 +1,25 @@
+require_relative 'smart_udap_context_test'
+
+module SMART_UDAP_HarmonizationTestKit
+  class SMART_UDAP_IntentContextTest < SMART_UDAP_ContextTest # rubocop:disable Naming/ClassAndModuleCamelCase
+    id :smart_udap_intent_context
+    title 'Support for "intent" launch context'
+    description <<~DESCRIPTION
+      This test validates the presence and format of the "intent"
+      launch context.
+    DESCRIPTION
+
+    def context_field_name
+      'intent'
+    end
+
+    def context_scopes
+      [].freeze
+    end
+
+    def validate_context_field
+      assert context_field.is_a?(String),
+             "Expected `#{context_field_name}` to be a String, but found: `#{context_field.class.name}`"
+    end
+  end
+end

data/lib/smart_udap_harmonization_test_kit/smart_udap_launch_context_group.rb

@@ -0,0 +1,86 @@
+require_relative 'smart_udap_encounter_context_test'
+require_relative 'smart_udap_fhir_context_test'
+require_relative 'smart_udap_intent_context_test'
+require_relative 'smart_udap_need_patient_banner_context_test'
+require_relative 'smart_udap_patient_context_test'
+require_relative 'smart_udap_smart_style_url_context_test'
+require_relative 'smart_udap_tenant_context_test'
+require_relative 'smart_udap_openid_connect_group'
+
+module SMART_UDAP_HarmonizationTestKit
+  class SMART_UDAP_LaunchContextGroup < Inferno::TestGroup # rubocop:disable Naming/ClassAndModuleCamelCase
+    title 'SMART/UDAP Launch Context'
+    id :smart_udap_launch_context
+    description ''
+
+    test from: :smart_udap_patient_context,
+         optional: true,
+         config: {
+           inputs: {
+             token_response_body: {
+               name: :udap_auth_code_flow_token_exchange_response_body
+             }
+           }
+         }
+
+    test from: :smart_udap_encounter_context,
+         optional: true,
+         config: {
+           inputs: {
+             token_response_body: {
+               name: :udap_auth_code_flow_token_exchange_response_body
+             }
+           }
+         }
+
+    test from: :smart_udap_fhir_context,
+         optional: true,
+         config: {
+           inputs: {
+             token_response_body: {
+               name: :udap_auth_code_flow_token_exchange_response_body
+             }
+           }
+         }
+
+    test from: :smart_udap_need_patient_banner_context,
+         optional: true,
+         config: {
+           inputs: {
+             token_response_body: {
+               name: :udap_auth_code_flow_token_exchange_response_body
+             }
+           }
+         }
+
+    test from: :smart_udap_intent_context,
+         optional: true,
+         config: {
+           inputs: {
+             token_response_body: {
+               name: :udap_auth_code_flow_token_exchange_response_body
+             }
+           }
+         }
+
+    test from: :smart_udap_smart_style_url_context,
+         optional: true,
+         config: {
+           inputs: {
+             token_response_body: {
+               name: :udap_auth_code_flow_token_exchange_response_body
+             }
+           }
+         }
+
+    test from: :smart_udap_tenant_context,
+         optional: true,
+         config: {
+           inputs: {
+             token_response_body: {
+               name: :udap_auth_code_flow_token_exchange_response_body
+             }
+           }
+         }
+  end
+end

data/lib/smart_udap_harmonization_test_kit/smart_udap_need_patient_banner_context_test.rb

@@ -0,0 +1,25 @@
+require_relative 'smart_udap_context_test'
+
+module SMART_UDAP_HarmonizationTestKit
+  class SMART_UDAP_NeedPatientBannerContextTest < SMART_UDAP_ContextTest # rubocop:disable Naming/ClassAndModuleCamelCase
+    id :smart_udap_need_patient_banner_context
+    title 'Support for "need_patient_banner" launch context'
+    description <<~DESCRIPTION
+      This test validates the presence and format of the "need_patient_banner"
+      launch context.
+    DESCRIPTION
+
+    def context_field_name
+      'need_patient_banner'
+    end
+
+    def context_scopes
+      [].freeze
+    end
+
+    def validate_context_field
+      assert context_field == true || context_field == false,
+             "Expected `#{context_field_name}` to be a boolean, but found `#{context_field.class.name}`"
+    end
+  end
+end

data/lib/smart_udap_harmonization_test_kit/smart_udap_openid_connect_group.rb

@@ -0,0 +1,66 @@
+require 'smart_app_launch/openid_connect_group'
+
+module SMART_UDAP_HarmonizationTestKit
+  class SMART_UDAP_OpenIDConnectGroup < SMARTAppLaunch::OpenIDConnectGroup # rubocop:disable Naming/ClassAndModuleCamelCase
+    id :smart_udap_openid_connect
+    title 'Support for OpenID Connect'
+    description <<~DESCRIPTION
+      This group verifies support for OpenID Connect.
+    DESCRIPTION
+
+    run_as_group
+
+    config(
+      inputs: {
+        client_id: {
+          name: :udap_client_id,
+          title: 'UDAP Client ID'
+        },
+        token_response_body: {
+          name: :udap_auth_code_flow_token_exchange_response_body
+        },
+        requested_scopes: {
+          name: :udap_auth_code_flow_registration_scope,
+          title: 'Requested Scopes',
+          description: 'Scopes client requested from the authorization server during the authorization step.'
+        },
+        url: {
+          name: :udap_fhir_base_url,
+          title: 'FHIR Server URL'
+        }
+      }
+    )
+
+    test do
+      id :smart_udap_openid_connect_setup
+      title 'OpenID Connect Test Setup'
+
+      input :token_response_body,
+            title: 'Token Exchange Response Body',
+            description: 'JSON response body returned by the authorization server during the token exchange step'
+
+      input :udap_auth_code_flow_token_retrieval_time,
+            title: 'Token Retrieval Time'
+
+      output :id_token,
+             :access_token,
+             :smart_credentials
+
+      run do
+        assert_valid_json(token_response_body)
+
+        token_response = JSON.parse(token_response_body)
+
+        output id_token: token_response['id_token'],
+               access_token: token_response['access_token'],
+               smart_credentials: {
+                 access_token: token_response_body['access_token'],
+                 expires_in: token_response_body['expires_in'],
+                 udap_auth_code_flow_token_retrieval_time:
+               }.to_json
+      end
+    end
+
+    children.unshift children.pop
+  end
+end

data/lib/smart_udap_harmonization_test_kit/smart_udap_patient_context_test.rb

@@ -0,0 +1,58 @@
+require_relative 'smart_udap_context_test'
+
+module SMART_UDAP_HarmonizationTestKit
+  class SMART_UDAP_PatientContextTest < SMART_UDAP_ContextTest # rubocop:disable Naming/ClassAndModuleCamelCase
+    id :smart_udap_patient_context
+    title 'Support for "patient" launch context'
+    description <<~DESCRIPTION
+      This test validates the presence of the "patient" launch context field if
+      the `launch` or `launch/patient` scopes were granted.
+
+      If the "patient" field is present, this test will the verify that it can
+      retrieve that Patient resource using the granted access token.
+    DESCRIPTION
+
+    FHIR_ID_REGEX = /[A-Za-z0-9\-\.]{1,64}/
+
+    input :access_token,
+          title: 'Access Token',
+          description: 'Access token granted by authorization server.'
+    input :udap_fhir_base_url,
+          title: 'FHIR Server URL'
+
+    fhir_client do
+      url :udap_fhir_base_url
+      bearer_token :access_token
+    end
+
+    def context_field_name
+      'patient'
+    end
+
+    def context_scopes
+      ['launch', 'launch/patient'].freeze
+    end
+
+    def missing_requested_context_scopes?
+      context_scopes.none? { |scope| requested_scopes_list.include? scope }
+    end
+
+    def missing_received_context_scopes?
+      context_scopes.none? { |scope| received_scopes_list.include? scope }
+    end
+
+    def validate_context_field
+      assert context_field.is_a?(String),
+             "Expected `#{context_field_name}` to be a String, but found: `#{context_field.class.name}`"
+
+      warn do
+        assert context_field.match?(FHIR_ID_REGEX), "`#{context_field}` is not a valid FHIR resource id."
+      end
+
+      fhir_read(:patient, context_field)
+
+      assert_response_status(200)
+      assert_resource_type(:patient)
+    end
+  end
+end

data/lib/smart_udap_harmonization_test_kit/smart_udap_request_builder.rb

@@ -0,0 +1,27 @@
+require 'uri'
+
+module SMART_UDAP_HarmonizationTestKit
+  class SMART_UDAP_RequestBuilder # rubocop:disable Naming/ClassAndModuleCamelCase
+    # Client MUST authenticate to auth server during token refresh per RFC 6749
+    # Section 6 https://datatracker.ietf.org/doc/html/rfc6749#section-6
+    # Assuming auth mechanism is same as it was for token exchange, i.e.,
+    # signed client assertion JWT
+    def self.build_token_refresh_request(client_assertion_jwt, refresh_token, requested_scopes)
+      token_refresh_headers = {
+        'Accept' => 'application/json',
+        'Content-Type' => 'application/x-www-form-urlencoded'
+      }
+
+      token_refresh_body = {
+        'grant_type' => 'refresh_token',
+        'refresh_token' => refresh_token,
+        'scope' => requested_scopes,
+        'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+        'client_assertion' => client_assertion_jwt,
+        'udap' => '1'
+      }.compact
+
+      [token_refresh_headers, URI.encode_www_form(token_refresh_body)]
+    end
+  end
+end

data/lib/smart_udap_harmonization_test_kit/smart_udap_smart_style_url_context_test.rb

@@ -0,0 +1,33 @@
+require_relative 'smart_udap_context_test'
+
+module SMART_UDAP_HarmonizationTestKit
+  class SMART_UDAP_SmartStyleUrlContextTest < SMART_UDAP_ContextTest # rubocop:disable Naming/ClassAndModuleCamelCase
+    id :smart_udap_smart_style_url_context
+    title 'Support for "smart_style_url" launch context'
+    description <<~DESCRIPTION
+      This test validates the presence and format of the "smart_style_url"
+      launch context. It then makes a GET request to the "smart_style_url" and
+      verifies that the response is valid JSON.
+    DESCRIPTION
+
+    def context_field_name
+      'smart_style_url'
+    end
+
+    def context_scopes
+      [].freeze
+    end
+
+    def validate_context_field
+      assert context_field.is_a?(String),
+             "Expected `#{context_field_name}` to be a String, but found: `#{context_field.class.name}`"
+
+      assert_valid_http_uri context_field
+
+      get(token_response['smart_style_url'])
+
+      assert_response_status(200)
+      assert_valid_json(response[:body])
+    end
+  end
+end

data/lib/smart_udap_harmonization_test_kit/smart_udap_tenant_context_test.rb

@@ -0,0 +1,25 @@
+require_relative 'smart_udap_context_test'
+
+module SMART_UDAP_HarmonizationTestKit
+  class SMART_UDAP_TenantContextTest < SMART_UDAP_ContextTest # rubocop:disable Naming/ClassAndModuleCamelCase
+    id :smart_udap_tenant_context
+    title 'Support for "tenant" launch context'
+    description <<~DESCRIPTION
+      This test validates the presence and format of the "tenant"
+      launch context.
+    DESCRIPTION
+
+    def context_field_name
+      'tenant'
+    end
+
+    def context_scopes
+      [].freeze
+    end
+
+    def validate_context_field
+      assert context_field.is_a?(String),
+             "Expected `#{context_field_name}` to be a String, but found: `#{context_field.class.name}`"
+    end
+  end
+end

data/lib/smart_udap_harmonization_test_kit/smart_udap_token_refresh_test.rb

@@ -0,0 +1,129 @@
+require 'udap_security_test_kit/udap_client_assertion_payload_builder'
+require 'udap_security_test_kit/udap_jwt_builder'
+require_relative 'smart_udap_request_builder'
+module SMART_UDAP_HarmonizationTestKit
+  class SMART_UDAP_TokenRefreshTest < Inferno::Test # rubocop:disable Naming/ClassAndModuleCamelCase
+    title 'Server successfully refreshes the access token'
+    id :smart_udap_token_refresh
+
+    description %(
+      This test will attempt to exchange the refresh token received in the original token exchange for a new access
+      token. The test will skip if no refresh token was granted during the token exchange test.
+
+      The [HL7 UDAP STU1.0 IG Section on Refresh Tokens](https://hl7.org/fhir/us/udap-security/STU1/consumer.html#refresh-tokens)
+      defers to the refresh token exchange requirements outlined in [Section 6 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-6),
+      which states:
+      > If the client type is confidential or
+        the client was issued client credentials (or assigned other
+        authentication requirements), the client MUST authenticate with the
+        authorization server as described in [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1).
+
+      RFC 6749 section 3.2.1 references [section 2.3](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3), which
+      states:
+      > The client and authorization
+        server establish a client authentication method suitable for the
+        security requirements of the authorization server.  The authorization
+        server MAY accept any form of client authentication meeting its
+        security requirements.
+
+      Therefore, Inferno will authenticate to the authorization server using the same UDAP authentication method
+      described in the [HL7 UDAP Consumer Facing Authentication Section 4.2](https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-access-token),
+      with the following changes:
+      * `code` and `redirect_uri` parameters are omitted
+      * `grant_type` is set to `refresh_token` per [Section 6 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-6)
+      * `refresh_token` is included
+    )
+
+    input :udap_client_id,
+          title: 'Client ID'
+
+    input :udap_token_endpoint,
+          title: 'Token Endpoint',
+          description: 'The full URL from which Inferno will request to exchange a refresh token for a new access token'
+
+    input :udap_refresh_token,
+          title: 'Refresh Token',
+          type: 'textarea'
+
+    input :udap_received_scopes,
+          title: 'Requested Scopes',
+          description: 'A list of scopes that will be requested during token exchange.'
+
+    input :udap_auth_code_flow_client_cert_pem,
+          title: 'X.509 Client Certificate (PEM Format)',
+          type: 'textarea',
+          description: %(
+            A list of one or more X.509 certificates in PEM format separated by a newline.
+            The first (leaf) certificate MUST
+            represent the client entity Inferno registered as,
+            and the trust chain that will be built from the provided certificate(s) must resolve to a CA trusted by the
+            authorization server under test.
+          )
+
+    input :udap_auth_code_flow_client_private_key,
+          type: 'textarea',
+          title: 'Client Private Key (PEM Format)',
+          description: 'The private key corresponding to the X.509 client certificate'
+
+    input :udap_jwt_signing_alg,
+          title: 'JWT Signing Algorithm',
+          description: %(
+            Algorithm used to sign UDAP JSON Web Tokens (JWTs). UDAP Implementations SHALL support
+            RS256.
+            ),
+          type: 'radio',
+          options: {
+            list_options: [
+              {
+                label: 'RS256',
+                value: 'RS256'
+              }
+            ]
+          },
+          default: 'RS256',
+          locked: true
+
+    output :smart_udap_refresh_token_retrieval_time,
+           :smart_udap_token_refresh_response_body
+
+    makes_request :smart_udap_token_refresh_request
+
+    run do
+      client_assertion_payload = UDAPSecurityTestKit::UDAPClientAssertionPayloadBuilder.build(
+        udap_client_id,
+        udap_token_endpoint,
+        nil
+      )
+
+      x5c_certs = UDAPSecurityTestKit::UDAPJWTBuilder.split_user_input_cert_string(udap_auth_code_flow_client_cert_pem)
+
+      client_assertion_jwt = UDAPSecurityTestKit::UDAPJWTBuilder.encode_jwt_with_x5c_header(
+        client_assertion_payload,
+        udap_auth_code_flow_client_private_key,
+        udap_jwt_signing_alg,
+        x5c_certs
+      )
+
+      requested_scopes = (udap_received_scopes if config.options[:include_scopes])
+
+      token_refresh_headers, token_refresh_body =
+        SMART_UDAP_RequestBuilder.build_token_refresh_request(
+          client_assertion_jwt,
+          udap_refresh_token,
+          requested_scopes
+        )
+
+      post(udap_token_endpoint,
+           body: token_refresh_body,
+           name: :token_exchange,
+           headers: token_refresh_headers)
+
+      assert_response_status(200)
+      assert_valid_json(request.response_body)
+
+      output smart_udap_refresh_token_retrieval_time: Time.now.iso8601
+
+      output smart_udap_token_refresh_response_body: request.response_body
+    end
+  end
+end

data/lib/smart_udap_harmonization_test_kit/smart_udap_token_refresh_with_scopes_group.rb

@@ -0,0 +1,81 @@
+require_relative 'smart_udap_token_refresh_test'
+require_relative 'smart_udap_token_response_scope_test'
+require 'udap_security_test_kit/token_exchange_response_body_test'
+require 'udap_security_test_kit/token_exchange_response_headers_test'
+
+module SMART_UDAP_HarmonizationTestKit
+  class SMART_UDAP_TokenRefreshWithScopesGroup < Inferno::TestGroup # rubocop:disable Naming/ClassAndModuleCamelCase
+    title 'Support for Token Refresh With Scopes'
+    id :smart_udap_token_refresh_with_scopes
+
+    def self.token_refresh_group_description
+      %(
+      This group tests the ability of the system to successfully
+      exchange a refresh token for an access token. Refresh tokens are typically
+      longer lived than access tokens and allow client applications to obtain a
+      new access token Refresh tokens themselves cannot provide access to
+      resources on the server.
+
+      Per the [HL7 UDAP STU1.0 IG Section on Refresh Tokens](https://hl7.org/fhir/us/udap-security/STU1/consumer.html#refresh-tokens)
+      authorization server support for refresh tokens is optional:
+      >This guide supports the use of refresh tokens, as described in [Section 1.5 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-1.5).
+      >Authorization Servers **MAY** issue refresh tokens to consumer-facing client applications as per
+      >[Section 5 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-5).
+      >Client apps that have been issued refresh tokens **MAY** make refresh requests to the token endpoint as per
+      >[Section 6 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-6).
+
+      These tests will execute if the authorization server granted a refresh token during the authorization and
+      authentication tests. They will attempt to exchange the refresh token for a new access token via a POST request
+      to the token exchange endpoint and then verify the information returned as done in Section 1.3 tests 4-6.
+    )
+    end
+
+    scopes_included_description = %(
+      In the token exchange request, the optional `scope` parameter will be included. The requested scopes will default
+      to those granted by the authorization server in the initial token exchange request.
+    )
+
+    description %(
+      #{token_refresh_group_description}
+      #{scopes_included_description}
+    )
+
+    run_as_group
+
+    test from: :smart_udap_token_refresh,
+         config: {
+           options: { include_scopes: true }
+         }
+
+    test from: :udap_token_exchange_response_body,
+         config: {
+           inputs: {
+             token_response_body: {
+               name: :smart_udap_token_refresh_response_body
+             }
+           }
+         }
+
+    test from: :smart_udap_token_response_scope,
+         config: {
+           inputs: {
+             udap_auth_code_flow_token_exchange_response_body: {
+               name: :smart_udap_token_refresh_response_body
+             },
+             udap_auth_code_flow_registration_scope: {
+               name: :udap_received_scopes
+             },
+             udap_auth_code_flow_token_retrieval_time: {
+               name: :smart_udap_refresh_token_retrieval_time
+             }
+           }
+         }
+
+    test from: :udap_token_exchange_response_headers,
+         config: {
+           requests: {
+             name: :smart_udap_token_refresh_request
+           }
+         }
+  end
+end