RubyGems - udap_security_test_kit - Versions diffs - 0.10.1 → 0.10.2 - Mend

udap_security_test_kit 0.10.1 → 0.10.2

Files changed (8) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 43c8eabf008e3dd76265b3e455a80e27f2af665548319c7b3f8c565daf71a3d4
-  data.tar.gz: ed6ed1097c0fc02baf51392df43875ac4974dbdb49e494b5eee0595fd33dcf0e
+  metadata.gz: 99975cd9d20b91185600d35dca498008f7bd4dc7cb1ae66eb59c572298f55ab0
+  data.tar.gz: 0ff38d8f44564d5fa998e1801f5dd9255613e7060ea78802194cdf8560c39596
 SHA512:
-  metadata.gz: 3433cf5e7929b434de4bff0b999b455c9dd0d9fb407d0574b592ce3921ec7037cd0cf9be598319b6fdeca648d887033d842c20845ff09de0e8046ed533e4b9c8
-  data.tar.gz: 6437f00f2ceb182e454a41d5555284bb516d763cba8c2684d39dc7dcb0f7252c8a50b3f70f3c2753df75a98e72cb7a348199d42a4e6d24c994abbbb61c39bb65
+  metadata.gz: 456628c19deb09f55ab5494e719d0045ea8a19ed93e314a4e75810d688e8f0d18acb1bf1c2261750b03bd6e1128720d662c80802686ddb4cd4a2e52e40868136
+  data.tar.gz: 9a60fd1649675528705afe7a52f3d9057f411001fee1d641e9fffbd0995aad6ea6395dcb5a1d1e9ba6cd215fc5569cc78779663df479f5d67e967b66262c195c

data/lib/udap_security_test_kit/authorization_code_group.rb CHANGED Viewed

@@ -49,6 +49,9 @@ module UDAPSecurityTestKit
                 default: 'authorization_code',
                 locked: true
               },
+              udap_client_registration_status: {
+                name: :udap_auth_code_flow_client_registration_status
+              },
               udap_client_cert_pem: {
                 name: :udap_auth_code_flow_client_cert_pem,
                 title: 'Authorization Code Client Certificate(s) (PEM Format)'
@@ -90,6 +93,7 @@ module UDAPSecurityTestKit
           } do
       input_order :udap_registration_endpoint,
                   :udap_auth_code_flow_registration_grant_type,
+                  :udap_auth_code_flow_client_registration_status,
                   :udap_auth_code_flow_client_cert_pem,
                   :udap_auth_code_flow_client_private_key,
                   :udap_auth_code_flow_cert_iss,

data/lib/udap_security_test_kit/authorization_code_redirect_test.rb CHANGED Viewed

@@ -9,6 +9,10 @@ module UDAPSecurityTestKit
         the provided client redirection URI using an HTTP redirection response.
       )
+    input :udap_fhir_base_url,
+          title: 'FHIR Server Base URL',
+          description: 'Base FHIR URL of FHIR Server.'
     input :udap_authorization_endpoint,
           title: 'Authorization Endpoint',
           description: 'The full URL from which Inferno will request an authorization code.'
@@ -17,7 +21,34 @@ module UDAPSecurityTestKit
           title: 'Client ID',
           description: 'Client ID as registered with the authorization server.'
+    input :udap_authorization_code_request_scopes,
+          title: 'Scope Parameter for Authorization Request',
+          description: %(
+              A list of space-separated scopes to include in the authorization request. If included, these may be equal
+              to or a subset of the scopes requested during registration.
+              If empty, scope will be omitted as a parameter to the authorization endpoint.
+          ),
+          optional: true
+    input :udap_authorization_code_request_aud,
+          title: "Audience ('aud') Parameter for Authorization Request",
+          type: 'checkbox',
+          options: {
+            list_options: [
+              {
+                label: "Include 'aud' parameter",
+                value: 'include_aud'
+              }
+            ]
+          },
+          description: %(
+              If selected, the Base FHIR URL will be used as the 'aud' parameter in the request to the authorization
+              endpoint.
+          ),
+          optional: true
     output :udap_authorization_code_state
+    output :udap_authorization_redirect_url
     receives_request :redirect
@@ -55,11 +86,15 @@ module UDAPSecurityTestKit
       output udap_authorization_code_state: SecureRandom.uuid
+      aud = udap_fhir_base_url if udap_authorization_code_request_aud.include? 'include_aud'
       oauth2_params = {
         'response_type' => 'code',
         'client_id' => udap_client_id,
         'redirect_uri' => config.options[:redirect_uri],
-        'state' => udap_authorization_code_state
+        'state' => udap_authorization_code_state,
+        'scope' => udap_authorization_code_request_scopes,
+        'aud' => aud
       }.compact
       authorization_url = authorization_url_builder(
@@ -69,6 +104,8 @@ module UDAPSecurityTestKit
       info("Inferno redirecting browser to #{authorization_url}.")
+      output udap_authorization_redirect_url: authorization_url
       wait(
         identifier: udap_authorization_code_state,
         message: wait_message(authorization_url)

data/lib/udap_security_test_kit/client_credentials_group.rb CHANGED Viewed

@@ -51,6 +51,9 @@ module UDAPSecurityTestKit
                 default: 'client_credentials',
                 locked: true
               },
+              udap_client_registration_status: {
+                name: :udap_client_credentials_flow_client_registration_status
+              },
               udap_client_cert_pem: {
                 name: :udap_client_credentials_flow_client_cert_pem,
                 title: 'Client Credentials Client Certificate(s) (PEM Format)'
@@ -92,6 +95,7 @@ module UDAPSecurityTestKit
           } do
       input_order :udap_registration_endpoint,
                   :udap_client_credentials_flow_registration_grant_type,
+                  :udap_client_credentials_flow_client_registration_status,
                   :udap_client_credentials_flow_client_cert_pem,
                   :udap_client_credentials_flow_client_private_key,
                   :udap_cert_iss_client_creds_flow,

data/lib/udap_security_test_kit/dynamic_client_registration_group.rb CHANGED Viewed

@@ -19,13 +19,12 @@ module UDAPSecurityTestKit
       establish a trust chain.
       Cancelling a UDAP client's registration is not a required server capability and as such the Inferno client has no
-      way of resetting state on the authorization server after a successful registration attempt.  Testers wishing to
-      run the Dynamic Client Registration tests more than once must do one of the following:
-      - Remove the Inferno test client's registration out-of-band before re-running tests, to register the original
-      client URI anew
-      - Specifiy a different client URI as the issuer input (if the client cert has more than one Subject Alternative
-      Name (SAN) URI entry), to register a different logical client with the original certificate
-      - Provide a different client certificate and its associated URI to register a new logical client
+      way of resetting state on the authorization server after a successful registration attempt.  If a given
+      certificate and issuer URI identity combination has already been registered with the authorization server, testers
+      whose systems support registration modifications
+      may select the "Update Registration" option under Client Registration Status. This option will accept either a
+      `200 OK` or `201 Created` return status. Registration attempts for a new client may only return `201 Created`,
+      per the [IG](https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body).
     )
     end
@@ -57,6 +56,27 @@ module UDAPSecurityTestKit
             ]
           }
+    input :udap_client_registration_status,
+          title: 'Client Registration Status',
+          description: %(
+            If the client's iss and certificate combination has already been registered with the authorization server
+            prior to this test run, select 'Update'.
+          ),
+          type: 'radio',
+          options: {
+            list_options: [
+              {
+                label: 'New Registration (201 Response Code Expected)',
+                value: 'new'
+              },
+              {
+                label: 'Update Registration (200 or 201 Response Code Expected)',
+                value: 'update'
+              }
+            ]
+          },
+          default: 'new'
     input :udap_client_cert_pem,
           title: 'X.509 Client Certificate(s) (PEM Format)',
           description: %(

data/lib/udap_security_test_kit/registration_success_test.rb CHANGED Viewed

@@ -13,6 +13,14 @@ module UDAPSecurityTestKit
       The [UDAP IG Section 3.2.3](https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body) states:
       > If a new registration is successful, the Authorization Server SHALL return a registration response with a 201
       > Created HTTP response code as per Section 5.1 of UDAP Dynamic Client Registration
+      If the tester indicated this registration attempt represents a modification of an existing registration entry,
+      the [UDAP IG Section 3.4](https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations)
+      states:
+      > If the Authorization Server returns the same client_id in the registration response for a modification request,
+      > it SHOULD also return a 200 OK HTTP response code.
+      In this case, the test will require either a 201 or 200 response code to pass.
     )
     input :udap_client_cert_pem
@@ -20,6 +28,7 @@ module UDAPSecurityTestKit
     input :udap_cert_iss
     input :udap_registration_endpoint
+    input :udap_client_registration_status
     input :udap_jwt_signing_alg
     input :udap_registration_requested_scope
     input :udap_registration_grant_type
@@ -60,7 +69,12 @@ module UDAPSecurityTestKit
       post(udap_registration_endpoint, body: reg_body, headers: reg_headers)
-      assert_response_status(201)
+      if udap_client_registration_status == 'new'
+        assert_response_status(201)
+      elsif udap_client_registration_status == 'update'
+        assert_response_status([200, 201])
+      end
       assert_valid_json(response[:body])
       output udap_registration_response: response[:body]
     end

data/lib/udap_security_test_kit/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module UDAPSecurityTestKit
-  VERSION = '0.10.1'.freeze
+  VERSION = '0.10.2'.freeze
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: udap_security_test_kit
 version: !ruby/object:Gem::Version
-  version: 0.10.1
+  version: 0.10.2
 platform: ruby
 authors:
 - Stephen MacVicar
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-12-06 00:00:00.000000000 Z
+date: 2024-12-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inferno_core