udap_security_test_kit 0.10.0 → 0.10.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: be592aff3162a459764f09b857cf2d786e141b8a46698f061db3ac4aa682d92e
-  data.tar.gz: 64288629f38cd38f6021fc67c043810a13f8011428e8300ff586babea2ea3b46
+  metadata.gz: 99975cd9d20b91185600d35dca498008f7bd4dc7cb1ae66eb59c572298f55ab0
+  data.tar.gz: 0ff38d8f44564d5fa998e1801f5dd9255613e7060ea78802194cdf8560c39596
 SHA512:
-  metadata.gz: da5963362a0b8f9151bf8419461da4f465590e9a58283eb4a67a0ad310d8d3242dfd5a3f25314ee710277e17b4cd67dad00b2a9b5f4aca333f9e9db47eec2161
-  data.tar.gz: 1c9ce32de1da555027de8b1b01db398e93b7397a87270de3fcb02a36b54eb0da8398f84a8d467d91239c694cb20c6a7bc1134ebd91d463134b931546e429d99b
+  metadata.gz: 456628c19deb09f55ab5494e719d0045ea8a19ed93e314a4e75810d688e8f0d18acb1bf1c2261750b03bd6e1128720d662c80802686ddb4cd4a2e52e40868136
+  data.tar.gz: 9a60fd1649675528705afe7a52f3d9057f411001fee1d641e9fffbd0995aad6ea6395dcb5a1d1e9ba6cd215fc5569cc78779663df479f5d67e967b66262c195c

data/lib/udap_security_test_kit/authorization_code_group.rb

@@ -49,6 +49,9 @@ module UDAPSecurityTestKit
                 default: 'authorization_code',
                 locked: true
               },
+              udap_client_registration_status: {
+                name: :udap_auth_code_flow_client_registration_status
+              },
               udap_client_cert_pem: {
                 name: :udap_auth_code_flow_client_cert_pem,
                 title: 'Authorization Code Client Certificate(s) (PEM Format)'
@@ -90,6 +93,7 @@ module UDAPSecurityTestKit
           } do
       input_order :udap_registration_endpoint,
                   :udap_auth_code_flow_registration_grant_type,
+                  :udap_auth_code_flow_client_registration_status,
                   :udap_auth_code_flow_client_cert_pem,
                   :udap_auth_code_flow_client_private_key,
                   :udap_auth_code_flow_cert_iss,

data/lib/udap_security_test_kit/authorization_code_redirect_test.rb

@@ -1,3 +1,4 @@
+require_relative '../udap_security_test_kit'
 module UDAPSecurityTestKit
   class AuthorizationCodeRedirectTest < Inferno::Test
     title 'Authorization server redirects client to redirect URI'
@@ -8,6 +9,10 @@ module UDAPSecurityTestKit
         the provided client redirection URI using an HTTP redirection response.
       )
 
+    input :udap_fhir_base_url,
+          title: 'FHIR Server Base URL',
+          description: 'Base FHIR URL of FHIR Server.'
+
     input :udap_authorization_endpoint,
           title: 'Authorization Endpoint',
           description: 'The full URL from which Inferno will request an authorization code.'
@@ -16,12 +21,37 @@ module UDAPSecurityTestKit
           title: 'Client ID',
           description: 'Client ID as registered with the authorization server.'
 
+    input :udap_authorization_code_request_scopes,
+          title: 'Scope Parameter for Authorization Request',
+          description: %(
+              A list of space-separated scopes to include in the authorization request. If included, these may be equal
+              to or a subset of the scopes requested during registration.
+              If empty, scope will be omitted as a parameter to the authorization endpoint.
+          ),
+          optional: true
+
+    input :udap_authorization_code_request_aud,
+          title: "Audience ('aud') Parameter for Authorization Request",
+          type: 'checkbox',
+          options: {
+            list_options: [
+              {
+                label: "Include 'aud' parameter",
+                value: 'include_aud'
+              }
+            ]
+          },
+          description: %(
+              If selected, the Base FHIR URL will be used as the 'aud' parameter in the request to the authorization
+              endpoint.
+          ),
+          optional: true
+
     output :udap_authorization_code_state
+    output :udap_authorization_redirect_url
 
     receives_request :redirect
 
-    config options: { redirect_uri: "#{Inferno::Application['base_url']}/custom/udap_security_test_kit/redirect" }
-
     def wait_message(auth_url)
       if config.options[:redirect_message_proc].present?
         return instance_exec(auth_url, &config.options[:redirect_message_proc])
@@ -49,13 +79,22 @@ module UDAPSecurityTestKit
     end
 
     run do
+      assert_valid_http_uri(
+        udap_authorization_endpoint,
+        "UDAP authorization endpoint '#{udap_authorization_endpoint}' is not a valid URI"
+      )
+
       output udap_authorization_code_state: SecureRandom.uuid
 
+      aud = udap_fhir_base_url if udap_authorization_code_request_aud.include? 'include_aud'
+
       oauth2_params = {
         'response_type' => 'code',
         'client_id' => udap_client_id,
         'redirect_uri' => config.options[:redirect_uri],
-        'state' => udap_authorization_code_state
+        'state' => udap_authorization_code_state,
+        'scope' => udap_authorization_code_request_scopes,
+        'aud' => aud
       }.compact
 
       authorization_url = authorization_url_builder(
@@ -65,6 +104,8 @@ module UDAPSecurityTestKit
 
       info("Inferno redirecting browser to #{authorization_url}.")
 
+      output udap_authorization_redirect_url: authorization_url
+
       wait(
         identifier: udap_authorization_code_state,
         message: wait_message(authorization_url)

data/lib/udap_security_test_kit/authorization_code_token_exchange_test.rb

@@ -62,8 +62,6 @@ module UDAPSecurityTestKit
 
     makes_request :token_exchange
 
-    config options: { redirect_uri: "#{Inferno::Application['base_url']}/custom/udap_security_test_kit/redirect" }
-
     run do
       client_assertion_payload = UDAPClientAssertionPayloadBuilder.build(
         udap_client_id,

data/lib/udap_security_test_kit/client_credentials_group.rb

@@ -51,6 +51,9 @@ module UDAPSecurityTestKit
                 default: 'client_credentials',
                 locked: true
               },
+              udap_client_registration_status: {
+                name: :udap_client_credentials_flow_client_registration_status
+              },
               udap_client_cert_pem: {
                 name: :udap_client_credentials_flow_client_cert_pem,
                 title: 'Client Credentials Client Certificate(s) (PEM Format)'
@@ -92,6 +95,7 @@ module UDAPSecurityTestKit
           } do
       input_order :udap_registration_endpoint,
                   :udap_client_credentials_flow_registration_grant_type,
+                  :udap_client_credentials_flow_client_registration_status,
                   :udap_client_credentials_flow_client_cert_pem,
                   :udap_client_credentials_flow_client_private_key,
                   :udap_cert_iss_client_creds_flow,

data/lib/udap_security_test_kit/dynamic_client_registration_group.rb

@@ -19,13 +19,12 @@ module UDAPSecurityTestKit
       establish a trust chain.
 
       Cancelling a UDAP client's registration is not a required server capability and as such the Inferno client has no
-      way of resetting state on the authorization server after a successful registration attempt.  Testers wishing to
-      run the Dynamic Client Registration tests more than once must do one of the following:
-      - Remove the Inferno test client's registration out-of-band before re-running tests, to register the original
-      client URI anew
-      - Specifiy a different client URI as the issuer input (if the client cert has more than one Subject Alternative
-      Name (SAN) URI entry), to register a different logical client with the original certificate
-      - Provide a different client certificate and its associated URI to register a new logical client
+      way of resetting state on the authorization server after a successful registration attempt.  If a given
+      certificate and issuer URI identity combination has already been registered with the authorization server, testers
+      whose systems support registration modifications
+      may select the "Update Registration" option under Client Registration Status. This option will accept either a
+      `200 OK` or `201 Created` return status. Registration attempts for a new client may only return `201 Created`,
+      per the [IG](https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body).
     )
     end
 
@@ -57,6 +56,27 @@ module UDAPSecurityTestKit
             ]
           }
 
+    input :udap_client_registration_status,
+          title: 'Client Registration Status',
+          description: %(
+            If the client's iss and certificate combination has already been registered with the authorization server
+            prior to this test run, select 'Update'.
+          ),
+          type: 'radio',
+          options: {
+            list_options: [
+              {
+                label: 'New Registration (201 Response Code Expected)',
+                value: 'new'
+              },
+              {
+                label: 'Update Registration (200 or 201 Response Code Expected)',
+                value: 'update'
+              }
+            ]
+          },
+          default: 'new'
+
     input :udap_client_cert_pem,
           title: 'X.509 Client Certificate(s) (PEM Format)',
           description: %(

data/lib/udap_security_test_kit/redirect_uri.rb

@@ -0,0 +1,3 @@
+module UDAPSecurityTestKit
+  UDAP_REDIRECT_URI = "#{Inferno::Application['base_url']}/custom/udap_security/redirect".freeze
+end

data/lib/udap_security_test_kit/registration_success_contents_test.rb

@@ -15,14 +15,25 @@ module UDAPSecurityTestKit
       > use by the Client App, the software statement as submitted by the Client App, and all of the registration
       > related parameters that were included in the software statement.
 
+      [UDAP STU 1.1](https://hl7.org/fhir/us/udap-security/STU1.1/registration.html#request-body) clarifies that,
+      in accordance with [Section 3.2.1 of RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.1):
+        > The authorization server MAY reject or replace any of the client's requested metadata values submitted during
+        > the registration and substitute them with suitable values.
+
       This test verifies:
-      - `client_id` claim is included in the registration response and its value is not blank
-      - `software_statement` claim in the registration response matches the software statement JWT provided in the
-      original registration request
-      - The registration response includes claims for `client_name`, `grant_types`, `token_endpoint_auth_method`, and
-      `scope`, whose values match those in the originally submitted software statement
-      - If the registered grant type is `authorization_code`, then the response includes claims for `redirect_uris` and
-      `response_type` whose values match those in the originally submitted software statement
+      - `client_id` claim is present in the registration response and its value is not blank.
+      - `scope` and `client_name` claims are present in the registration response and their values are not blank.
+      - `software_statement`, `grant_types`, and `token_endpoint_auth_method` claims are present in the registration
+      response and their values match those in the originally submitted software statement.
+      - If the registered grant type is `authorization_code`, then the `redirect_uris` and `response_type` claims are
+      present in the registration response and their values match in the originally submitted software statement.
+
+      In order for downstream tests to succeed, it is
+      essential that the client and server are in agreement on the values of most of the software statement
+      parameters. The exception is `client_name`, which does not impact behavior. For this reason, an exact match
+      between the request and response values for `client_name` is not required.
+      Additionally, an exact match between `scope` request and response value is also not required because the
+      authorization server may grant different scopes than those orignally requested by the client.
     )
 
     input :udap_software_statement_json

data/lib/udap_security_test_kit/registration_success_test.rb

@@ -13,6 +13,14 @@ module UDAPSecurityTestKit
       The [UDAP IG Section 3.2.3](https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body) states:
       > If a new registration is successful, the Authorization Server SHALL return a registration response with a 201
       > Created HTTP response code as per Section 5.1 of UDAP Dynamic Client Registration
+
+      If the tester indicated this registration attempt represents a modification of an existing registration entry,
+      the [UDAP IG Section 3.4](https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations)
+      states:
+      > If the Authorization Server returns the same client_id in the registration response for a modification request,
+      > it SHOULD also return a 200 OK HTTP response code.
+
+      In this case, the test will require either a 201 or 200 response code to pass.
     )
 
     input :udap_client_cert_pem
@@ -20,6 +28,7 @@ module UDAPSecurityTestKit
     input :udap_cert_iss
 
     input :udap_registration_endpoint
+    input :udap_client_registration_status
     input :udap_jwt_signing_alg
     input :udap_registration_requested_scope
     input :udap_registration_grant_type
@@ -60,7 +69,12 @@ module UDAPSecurityTestKit
 
       post(udap_registration_endpoint, body: reg_body, headers: reg_headers)
 
-      assert_response_status(201)
+      if udap_client_registration_status == 'new'
+        assert_response_status(201)
+      elsif udap_client_registration_status == 'update'
+        assert_response_status([200, 201])
+      end
+
       assert_valid_json(response[:body])
       output udap_registration_response: response[:body]
     end

data/lib/udap_security_test_kit/software_statement_builder.rb

@@ -1,10 +1,11 @@
 require 'jwt'
+require_relative 'redirect_uri'
 
 module UDAPSecurityTestKit
   class SoftwareStatementBuilder
     def self.build_payload(iss, aud, grant_type, scope)
       if grant_type == 'authorization_code'
-        redirect_uris = ["#{Inferno::Application['base_url']}/custom/udap_security_test_kit/redirect"]
+        redirect_uris = [UDAPSecurityTestKit::UDAP_REDIRECT_URI]
         response_types = ['code']
         client_name = 'Inferno UDAP Authorization Code Test Client'
       elsif grant_type == 'client_credentials'

data/lib/udap_security_test_kit/version.rb

@@ -1,3 +1,3 @@
 module UDAPSecurityTestKit
-  VERSION = '0.10.0'.freeze
+  VERSION = '0.10.2'.freeze
 end

data/lib/udap_security_test_kit.rb

@@ -1,6 +1,7 @@
 require_relative 'udap_security_test_kit/authorization_code_group'
 require_relative 'udap_security_test_kit/client_credentials_group'
 require_relative 'udap_security_test_kit/version'
+require_relative 'udap_security_test_kit/redirect_uri'
 
 module UDAPSecurityTestKit
   class Suite < Inferno::TestSuite
@@ -17,7 +18,8 @@ module UDAPSecurityTestKit
       2. Dynamic Client Registration
       3. Authorization & Authentication
 
-      These steps are grouped by the OAuth2.0 flow being tested:
+      In this test suite, Inferno acts as a mock UDAP client to test *server conformance* to the HL7 UDAP IG. Tests are
+      grouped according to the OAuth2.0 flow used in the authorization and authentication step:
       1. Authorization Code flow, which supports
         [Consumer-Facing](https://hl7.org/fhir/us/udap-security/STU1/consumer.html) or [Business-to-Business (B2B)](https://hl7.org/fhir/us/udap-security/STU1/b2b.html)
         use cases
@@ -25,6 +27,9 @@ module UDAPSecurityTestKit
       [B2B](https://hl7.org/fhir/us/udap-security/STU1/b2b.html) use case
 
       Testers may test one or both flows based on their system under test.
+
+      This test suite does NOT assess [Tiered OAuth for User Authentication](https://hl7.org/fhir/us/udap-security/STU1/user.html)
+      (which is not a required capability) or client conformance to the HL7 UDAP IG.
     )
 
     input_instructions %(
@@ -57,6 +62,10 @@ module UDAPSecurityTestKit
       request.query_parameters['state']
     end
 
+    config options: {
+      redirect_uri: UDAPSecurityTestKit::UDAP_REDIRECT_URI
+    }
+
     links [
       {
         label: 'Report Issue',

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: udap_security_test_kit
 version: !ruby/object:Gem::Version
-  version: 0.10.0
+  version: 0.10.2
 platform: ruby
 authors:
 - Stephen MacVicar
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-11-04 00:00:00.000000000 Z
+date: 2024-12-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inferno_core
@@ -17,14 +17,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.4.2
+        version: 0.5.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.4.2
+        version: 0.5.1
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
@@ -67,6 +67,7 @@ files:
 - lib/udap_security_test_kit/dynamic_client_registration_group.rb
 - lib/udap_security_test_kit/generate_client_certs_test.rb
 - lib/udap_security_test_kit/grant_types_supported_field_test.rb
+- lib/udap_security_test_kit/redirect_uri.rb
 - lib/udap_security_test_kit/reg_endpoint_jwt_signing_alg_values_supported_field_test.rb
 - lib/udap_security_test_kit/registration_endpoint_field_test.rb
 - lib/udap_security_test_kit/registration_failure_invalid_contents_test.rb