udap_security_test_kit 0.10.1 → 0.10.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/udap_security_test_kit/authorization_code_group.rb +4 -0
- data/lib/udap_security_test_kit/authorization_code_redirect_test.rb +42 -1
- data/lib/udap_security_test_kit/client_credentials_group.rb +4 -0
- data/lib/udap_security_test_kit/dynamic_client_registration_group.rb +27 -7
- data/lib/udap_security_test_kit/registration_success_test.rb +15 -1
- data/lib/udap_security_test_kit/version.rb +1 -1
- data/lib/udap_security_test_kit/well_known_endpoint_test.rb +14 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 495e85895f4799695634ba56d645f0f5633e2df1509fd9d03137928891db20a0
|
|
4
|
+
data.tar.gz: 6d03ca44673a27baf4a013fd161643e8ab6b117018213464983df9a044c782da
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 632ba0cf8239c56b69281fa93a6199bfea02fd0e81eeb2d23552294298d17c247d68502712ac93d8e4f33aa3954c0495a3c305da20d867b93c80a3187f8ff35a
|
|
7
|
+
data.tar.gz: eaab5b47eeee7416f06bf6d9ec23db248b9f4a8deb1773f42319bbccc898c268f2a2a627db45c76077a5df1403e3cd1010576572d2803c6b08ec725408ef82b1
|
|
@@ -49,6 +49,9 @@ module UDAPSecurityTestKit
|
|
|
49
49
|
default: 'authorization_code',
|
|
50
50
|
locked: true
|
|
51
51
|
},
|
|
52
|
+
udap_client_registration_status: {
|
|
53
|
+
name: :udap_auth_code_flow_client_registration_status
|
|
54
|
+
},
|
|
52
55
|
udap_client_cert_pem: {
|
|
53
56
|
name: :udap_auth_code_flow_client_cert_pem,
|
|
54
57
|
title: 'Authorization Code Client Certificate(s) (PEM Format)'
|
|
@@ -90,6 +93,7 @@ module UDAPSecurityTestKit
|
|
|
90
93
|
} do
|
|
91
94
|
input_order :udap_registration_endpoint,
|
|
92
95
|
:udap_auth_code_flow_registration_grant_type,
|
|
96
|
+
:udap_auth_code_flow_client_registration_status,
|
|
93
97
|
:udap_auth_code_flow_client_cert_pem,
|
|
94
98
|
:udap_auth_code_flow_client_private_key,
|
|
95
99
|
:udap_auth_code_flow_cert_iss,
|
|
@@ -9,6 +9,10 @@ module UDAPSecurityTestKit
|
|
|
9
9
|
the provided client redirection URI using an HTTP redirection response.
|
|
10
10
|
)
|
|
11
11
|
|
|
12
|
+
input :udap_fhir_base_url,
|
|
13
|
+
title: 'FHIR Server Base URL',
|
|
14
|
+
description: 'Base FHIR URL of FHIR Server.'
|
|
15
|
+
|
|
12
16
|
input :udap_authorization_endpoint,
|
|
13
17
|
title: 'Authorization Endpoint',
|
|
14
18
|
description: 'The full URL from which Inferno will request an authorization code.'
|
|
@@ -17,10 +21,41 @@ module UDAPSecurityTestKit
|
|
|
17
21
|
title: 'Client ID',
|
|
18
22
|
description: 'Client ID as registered with the authorization server.'
|
|
19
23
|
|
|
24
|
+
input :udap_authorization_code_request_scopes,
|
|
25
|
+
title: 'Scope Parameter for Authorization Request',
|
|
26
|
+
description: %(
|
|
27
|
+
A list of space-separated scopes to include in the authorization request. If included, these may be equal
|
|
28
|
+
to or a subset of the scopes requested during registration.
|
|
29
|
+
If empty, scope will be omitted as a parameter to the authorization endpoint.
|
|
30
|
+
),
|
|
31
|
+
optional: true
|
|
32
|
+
|
|
33
|
+
input :udap_authorization_code_request_aud,
|
|
34
|
+
title: "Audience ('aud') Parameter for Authorization Request",
|
|
35
|
+
type: 'checkbox',
|
|
36
|
+
options: {
|
|
37
|
+
list_options: [
|
|
38
|
+
{
|
|
39
|
+
label: "Include 'aud' parameter",
|
|
40
|
+
value: 'include_aud'
|
|
41
|
+
}
|
|
42
|
+
]
|
|
43
|
+
},
|
|
44
|
+
description: %(
|
|
45
|
+
If selected, the Base FHIR URL will be used as the 'aud' parameter in the request to the authorization
|
|
46
|
+
endpoint.
|
|
47
|
+
),
|
|
48
|
+
optional: true
|
|
49
|
+
|
|
20
50
|
output :udap_authorization_code_state
|
|
51
|
+
output :udap_authorization_redirect_url
|
|
21
52
|
|
|
22
53
|
receives_request :redirect
|
|
23
54
|
|
|
55
|
+
config options: {
|
|
56
|
+
redirect_uri: UDAPSecurityTestKit::UDAP_REDIRECT_URI
|
|
57
|
+
}
|
|
58
|
+
|
|
24
59
|
def wait_message(auth_url)
|
|
25
60
|
if config.options[:redirect_message_proc].present?
|
|
26
61
|
return instance_exec(auth_url, &config.options[:redirect_message_proc])
|
|
@@ -55,11 +90,15 @@ module UDAPSecurityTestKit
|
|
|
55
90
|
|
|
56
91
|
output udap_authorization_code_state: SecureRandom.uuid
|
|
57
92
|
|
|
93
|
+
aud = udap_fhir_base_url if udap_authorization_code_request_aud.include? 'include_aud'
|
|
94
|
+
|
|
58
95
|
oauth2_params = {
|
|
59
96
|
'response_type' => 'code',
|
|
60
97
|
'client_id' => udap_client_id,
|
|
61
98
|
'redirect_uri' => config.options[:redirect_uri],
|
|
62
|
-
'state' => udap_authorization_code_state
|
|
99
|
+
'state' => udap_authorization_code_state,
|
|
100
|
+
'scope' => udap_authorization_code_request_scopes,
|
|
101
|
+
'aud' => aud
|
|
63
102
|
}.compact
|
|
64
103
|
|
|
65
104
|
authorization_url = authorization_url_builder(
|
|
@@ -69,6 +108,8 @@ module UDAPSecurityTestKit
|
|
|
69
108
|
|
|
70
109
|
info("Inferno redirecting browser to #{authorization_url}.")
|
|
71
110
|
|
|
111
|
+
output udap_authorization_redirect_url: authorization_url
|
|
112
|
+
|
|
72
113
|
wait(
|
|
73
114
|
identifier: udap_authorization_code_state,
|
|
74
115
|
message: wait_message(authorization_url)
|
|
@@ -51,6 +51,9 @@ module UDAPSecurityTestKit
|
|
|
51
51
|
default: 'client_credentials',
|
|
52
52
|
locked: true
|
|
53
53
|
},
|
|
54
|
+
udap_client_registration_status: {
|
|
55
|
+
name: :udap_client_credentials_flow_client_registration_status
|
|
56
|
+
},
|
|
54
57
|
udap_client_cert_pem: {
|
|
55
58
|
name: :udap_client_credentials_flow_client_cert_pem,
|
|
56
59
|
title: 'Client Credentials Client Certificate(s) (PEM Format)'
|
|
@@ -92,6 +95,7 @@ module UDAPSecurityTestKit
|
|
|
92
95
|
} do
|
|
93
96
|
input_order :udap_registration_endpoint,
|
|
94
97
|
:udap_client_credentials_flow_registration_grant_type,
|
|
98
|
+
:udap_client_credentials_flow_client_registration_status,
|
|
95
99
|
:udap_client_credentials_flow_client_cert_pem,
|
|
96
100
|
:udap_client_credentials_flow_client_private_key,
|
|
97
101
|
:udap_cert_iss_client_creds_flow,
|
|
@@ -19,13 +19,12 @@ module UDAPSecurityTestKit
|
|
|
19
19
|
establish a trust chain.
|
|
20
20
|
|
|
21
21
|
Cancelling a UDAP client's registration is not a required server capability and as such the Inferno client has no
|
|
22
|
-
way of resetting state on the authorization server after a successful registration attempt.
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
- Provide a different client certificate and its associated URI to register a new logical client
|
|
22
|
+
way of resetting state on the authorization server after a successful registration attempt. If a given
|
|
23
|
+
certificate and issuer URI identity combination has already been registered with the authorization server, testers
|
|
24
|
+
whose systems support registration modifications
|
|
25
|
+
may select the "Update Registration" option under Client Registration Status. This option will accept either a
|
|
26
|
+
`200 OK` or `201 Created` return status. Registration attempts for a new client may only return `201 Created`,
|
|
27
|
+
per the [IG](https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body).
|
|
29
28
|
)
|
|
30
29
|
end
|
|
31
30
|
|
|
@@ -57,6 +56,27 @@ module UDAPSecurityTestKit
|
|
|
57
56
|
]
|
|
58
57
|
}
|
|
59
58
|
|
|
59
|
+
input :udap_client_registration_status,
|
|
60
|
+
title: 'Client Registration Status',
|
|
61
|
+
description: %(
|
|
62
|
+
If the client's iss and certificate combination has already been registered with the authorization server
|
|
63
|
+
prior to this test run, select 'Update'.
|
|
64
|
+
),
|
|
65
|
+
type: 'radio',
|
|
66
|
+
options: {
|
|
67
|
+
list_options: [
|
|
68
|
+
{
|
|
69
|
+
label: 'New Registration (201 Response Code Expected)',
|
|
70
|
+
value: 'new'
|
|
71
|
+
},
|
|
72
|
+
{
|
|
73
|
+
label: 'Update Registration (200 or 201 Response Code Expected)',
|
|
74
|
+
value: 'update'
|
|
75
|
+
}
|
|
76
|
+
]
|
|
77
|
+
},
|
|
78
|
+
default: 'new'
|
|
79
|
+
|
|
60
80
|
input :udap_client_cert_pem,
|
|
61
81
|
title: 'X.509 Client Certificate(s) (PEM Format)',
|
|
62
82
|
description: %(
|
|
@@ -13,6 +13,14 @@ module UDAPSecurityTestKit
|
|
|
13
13
|
The [UDAP IG Section 3.2.3](https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body) states:
|
|
14
14
|
> If a new registration is successful, the Authorization Server SHALL return a registration response with a 201
|
|
15
15
|
> Created HTTP response code as per Section 5.1 of UDAP Dynamic Client Registration
|
|
16
|
+
|
|
17
|
+
If the tester indicated this registration attempt represents a modification of an existing registration entry,
|
|
18
|
+
the [UDAP IG Section 3.4](https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations)
|
|
19
|
+
states:
|
|
20
|
+
> If the Authorization Server returns the same client_id in the registration response for a modification request,
|
|
21
|
+
> it SHOULD also return a 200 OK HTTP response code.
|
|
22
|
+
|
|
23
|
+
In this case, the test will require either a 201 or 200 response code to pass.
|
|
16
24
|
)
|
|
17
25
|
|
|
18
26
|
input :udap_client_cert_pem
|
|
@@ -20,6 +28,7 @@ module UDAPSecurityTestKit
|
|
|
20
28
|
input :udap_cert_iss
|
|
21
29
|
|
|
22
30
|
input :udap_registration_endpoint
|
|
31
|
+
input :udap_client_registration_status
|
|
23
32
|
input :udap_jwt_signing_alg
|
|
24
33
|
input :udap_registration_requested_scope
|
|
25
34
|
input :udap_registration_grant_type
|
|
@@ -60,7 +69,12 @@ module UDAPSecurityTestKit
|
|
|
60
69
|
|
|
61
70
|
post(udap_registration_endpoint, body: reg_body, headers: reg_headers)
|
|
62
71
|
|
|
63
|
-
|
|
72
|
+
if udap_client_registration_status == 'new'
|
|
73
|
+
assert_response_status(201)
|
|
74
|
+
elsif udap_client_registration_status == 'update'
|
|
75
|
+
assert_response_status([200, 201])
|
|
76
|
+
end
|
|
77
|
+
|
|
64
78
|
assert_valid_json(response[:body])
|
|
65
79
|
output udap_registration_response: response[:body]
|
|
66
80
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
require 'uri'
|
|
1
2
|
module UDAPSecurityTestKit
|
|
2
3
|
class WellKnownEndpointTest < Inferno::Test
|
|
3
4
|
include Inferno::DSL::Assertions
|
|
@@ -18,11 +19,23 @@ module UDAPSecurityTestKit
|
|
|
18
19
|
title: 'FHIR Server Base URL',
|
|
19
20
|
description: 'Base FHIR URL of FHIR Server. Discovery request will be sent to {baseURL}/.well-known/udap'
|
|
20
21
|
|
|
22
|
+
input :udap_community_parameter,
|
|
23
|
+
title: 'UDAP Community Parameter',
|
|
24
|
+
description: "If included, the designated community value will be appended as a query to the well-known
|
|
25
|
+
endpoint to indicate the client's trust of certificates from this trust community.",
|
|
26
|
+
optional: true
|
|
27
|
+
|
|
21
28
|
output :udap_well_known_metadata_json
|
|
22
29
|
makes_request :config
|
|
23
30
|
|
|
24
31
|
run do
|
|
25
|
-
|
|
32
|
+
uri = URI.parse("#{udap_fhir_base_url.strip.chomp('/')}/.well-known/udap")
|
|
33
|
+
unless udap_community_parameter.blank?
|
|
34
|
+
queries = URI.decode_www_form(uri.query || '') << ['community', udap_community_parameter]
|
|
35
|
+
uri.query = URI.encode_www_form(queries)
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
get(uri.to_s, name: :udap_well_known_metadata_json)
|
|
26
39
|
assert_response_status(200)
|
|
27
40
|
assert_valid_json(response[:body])
|
|
28
41
|
output udap_well_known_metadata_json: response[:body]
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: udap_security_test_kit
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.10.
|
|
4
|
+
version: 0.10.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Stephen MacVicar
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date:
|
|
12
|
+
date: 2025-01-09 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: inferno_core
|