udap_security_test_kit 0.10.0 → 0.10.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/udap_security_test_kit/authorization_code_redirect_test.rb +6 -2
- data/lib/udap_security_test_kit/authorization_code_token_exchange_test.rb +0 -2
- data/lib/udap_security_test_kit/redirect_uri.rb +3 -0
- data/lib/udap_security_test_kit/registration_success_contents_test.rb +18 -7
- data/lib/udap_security_test_kit/software_statement_builder.rb +2 -1
- data/lib/udap_security_test_kit/version.rb +1 -1
- data/lib/udap_security_test_kit.rb +10 -1
- metadata +5 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 43c8eabf008e3dd76265b3e455a80e27f2af665548319c7b3f8c565daf71a3d4
|
|
4
|
+
data.tar.gz: ed6ed1097c0fc02baf51392df43875ac4974dbdb49e494b5eee0595fd33dcf0e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3433cf5e7929b434de4bff0b999b455c9dd0d9fb407d0574b592ce3921ec7037cd0cf9be598319b6fdeca648d887033d842c20845ff09de0e8046ed533e4b9c8
|
|
7
|
+
data.tar.gz: 6437f00f2ceb182e454a41d5555284bb516d763cba8c2684d39dc7dcb0f7252c8a50b3f70f3c2753df75a98e72cb7a348199d42a4e6d24c994abbbb61c39bb65
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
require_relative '../udap_security_test_kit'
|
|
1
2
|
module UDAPSecurityTestKit
|
|
2
3
|
class AuthorizationCodeRedirectTest < Inferno::Test
|
|
3
4
|
title 'Authorization server redirects client to redirect URI'
|
|
@@ -20,8 +21,6 @@ module UDAPSecurityTestKit
|
|
|
20
21
|
|
|
21
22
|
receives_request :redirect
|
|
22
23
|
|
|
23
|
-
config options: { redirect_uri: "#{Inferno::Application['base_url']}/custom/udap_security_test_kit/redirect" }
|
|
24
|
-
|
|
25
24
|
def wait_message(auth_url)
|
|
26
25
|
if config.options[:redirect_message_proc].present?
|
|
27
26
|
return instance_exec(auth_url, &config.options[:redirect_message_proc])
|
|
@@ -49,6 +48,11 @@ module UDAPSecurityTestKit
|
|
|
49
48
|
end
|
|
50
49
|
|
|
51
50
|
run do
|
|
51
|
+
assert_valid_http_uri(
|
|
52
|
+
udap_authorization_endpoint,
|
|
53
|
+
"UDAP authorization endpoint '#{udap_authorization_endpoint}' is not a valid URI"
|
|
54
|
+
)
|
|
55
|
+
|
|
52
56
|
output udap_authorization_code_state: SecureRandom.uuid
|
|
53
57
|
|
|
54
58
|
oauth2_params = {
|
|
@@ -62,8 +62,6 @@ module UDAPSecurityTestKit
|
|
|
62
62
|
|
|
63
63
|
makes_request :token_exchange
|
|
64
64
|
|
|
65
|
-
config options: { redirect_uri: "#{Inferno::Application['base_url']}/custom/udap_security_test_kit/redirect" }
|
|
66
|
-
|
|
67
65
|
run do
|
|
68
66
|
client_assertion_payload = UDAPClientAssertionPayloadBuilder.build(
|
|
69
67
|
udap_client_id,
|
|
@@ -15,14 +15,25 @@ module UDAPSecurityTestKit
|
|
|
15
15
|
> use by the Client App, the software statement as submitted by the Client App, and all of the registration
|
|
16
16
|
> related parameters that were included in the software statement.
|
|
17
17
|
|
|
18
|
+
[UDAP STU 1.1](https://hl7.org/fhir/us/udap-security/STU1.1/registration.html#request-body) clarifies that,
|
|
19
|
+
in accordance with [Section 3.2.1 of RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.1):
|
|
20
|
+
> The authorization server MAY reject or replace any of the client's requested metadata values submitted during
|
|
21
|
+
> the registration and substitute them with suitable values.
|
|
22
|
+
|
|
18
23
|
This test verifies:
|
|
19
|
-
- `client_id` claim is
|
|
20
|
-
- `
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
24
|
+
- `client_id` claim is present in the registration response and its value is not blank.
|
|
25
|
+
- `scope` and `client_name` claims are present in the registration response and their values are not blank.
|
|
26
|
+
- `software_statement`, `grant_types`, and `token_endpoint_auth_method` claims are present in the registration
|
|
27
|
+
response and their values match those in the originally submitted software statement.
|
|
28
|
+
- If the registered grant type is `authorization_code`, then the `redirect_uris` and `response_type` claims are
|
|
29
|
+
present in the registration response and their values match in the originally submitted software statement.
|
|
30
|
+
|
|
31
|
+
In order for downstream tests to succeed, it is
|
|
32
|
+
essential that the client and server are in agreement on the values of most of the software statement
|
|
33
|
+
parameters. The exception is `client_name`, which does not impact behavior. For this reason, an exact match
|
|
34
|
+
between the request and response values for `client_name` is not required.
|
|
35
|
+
Additionally, an exact match between `scope` request and response value is also not required because the
|
|
36
|
+
authorization server may grant different scopes than those orignally requested by the client.
|
|
26
37
|
)
|
|
27
38
|
|
|
28
39
|
input :udap_software_statement_json
|
|
@@ -1,10 +1,11 @@
|
|
|
1
1
|
require 'jwt'
|
|
2
|
+
require_relative 'redirect_uri'
|
|
2
3
|
|
|
3
4
|
module UDAPSecurityTestKit
|
|
4
5
|
class SoftwareStatementBuilder
|
|
5
6
|
def self.build_payload(iss, aud, grant_type, scope)
|
|
6
7
|
if grant_type == 'authorization_code'
|
|
7
|
-
redirect_uris = [
|
|
8
|
+
redirect_uris = [UDAPSecurityTestKit::UDAP_REDIRECT_URI]
|
|
8
9
|
response_types = ['code']
|
|
9
10
|
client_name = 'Inferno UDAP Authorization Code Test Client'
|
|
10
11
|
elsif grant_type == 'client_credentials'
|
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
require_relative 'udap_security_test_kit/authorization_code_group'
|
|
2
2
|
require_relative 'udap_security_test_kit/client_credentials_group'
|
|
3
3
|
require_relative 'udap_security_test_kit/version'
|
|
4
|
+
require_relative 'udap_security_test_kit/redirect_uri'
|
|
4
5
|
|
|
5
6
|
module UDAPSecurityTestKit
|
|
6
7
|
class Suite < Inferno::TestSuite
|
|
@@ -17,7 +18,8 @@ module UDAPSecurityTestKit
|
|
|
17
18
|
2. Dynamic Client Registration
|
|
18
19
|
3. Authorization & Authentication
|
|
19
20
|
|
|
20
|
-
|
|
21
|
+
In this test suite, Inferno acts as a mock UDAP client to test *server conformance* to the HL7 UDAP IG. Tests are
|
|
22
|
+
grouped according to the OAuth2.0 flow used in the authorization and authentication step:
|
|
21
23
|
1. Authorization Code flow, which supports
|
|
22
24
|
[Consumer-Facing](https://hl7.org/fhir/us/udap-security/STU1/consumer.html) or [Business-to-Business (B2B)](https://hl7.org/fhir/us/udap-security/STU1/b2b.html)
|
|
23
25
|
use cases
|
|
@@ -25,6 +27,9 @@ module UDAPSecurityTestKit
|
|
|
25
27
|
[B2B](https://hl7.org/fhir/us/udap-security/STU1/b2b.html) use case
|
|
26
28
|
|
|
27
29
|
Testers may test one or both flows based on their system under test.
|
|
30
|
+
|
|
31
|
+
This test suite does NOT assess [Tiered OAuth for User Authentication](https://hl7.org/fhir/us/udap-security/STU1/user.html)
|
|
32
|
+
(which is not a required capability) or client conformance to the HL7 UDAP IG.
|
|
28
33
|
)
|
|
29
34
|
|
|
30
35
|
input_instructions %(
|
|
@@ -57,6 +62,10 @@ module UDAPSecurityTestKit
|
|
|
57
62
|
request.query_parameters['state']
|
|
58
63
|
end
|
|
59
64
|
|
|
65
|
+
config options: {
|
|
66
|
+
redirect_uri: UDAPSecurityTestKit::UDAP_REDIRECT_URI
|
|
67
|
+
}
|
|
68
|
+
|
|
60
69
|
links [
|
|
61
70
|
{
|
|
62
71
|
label: 'Report Issue',
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: udap_security_test_kit
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.10.
|
|
4
|
+
version: 0.10.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Stephen MacVicar
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2024-
|
|
12
|
+
date: 2024-12-06 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: inferno_core
|
|
@@ -17,14 +17,14 @@ dependencies:
|
|
|
17
17
|
requirements:
|
|
18
18
|
- - ">="
|
|
19
19
|
- !ruby/object:Gem::Version
|
|
20
|
-
version: 0.
|
|
20
|
+
version: 0.5.1
|
|
21
21
|
type: :runtime
|
|
22
22
|
prerelease: false
|
|
23
23
|
version_requirements: !ruby/object:Gem::Requirement
|
|
24
24
|
requirements:
|
|
25
25
|
- - ">="
|
|
26
26
|
- !ruby/object:Gem::Version
|
|
27
|
-
version: 0.
|
|
27
|
+
version: 0.5.1
|
|
28
28
|
- !ruby/object:Gem::Dependency
|
|
29
29
|
name: jwt
|
|
30
30
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -67,6 +67,7 @@ files:
|
|
|
67
67
|
- lib/udap_security_test_kit/dynamic_client_registration_group.rb
|
|
68
68
|
- lib/udap_security_test_kit/generate_client_certs_test.rb
|
|
69
69
|
- lib/udap_security_test_kit/grant_types_supported_field_test.rb
|
|
70
|
+
- lib/udap_security_test_kit/redirect_uri.rb
|
|
70
71
|
- lib/udap_security_test_kit/reg_endpoint_jwt_signing_alg_values_supported_field_test.rb
|
|
71
72
|
- lib/udap_security_test_kit/registration_endpoint_field_test.rb
|
|
72
73
|
- lib/udap_security_test_kit/registration_failure_invalid_contents_test.rb
|