udap_security_test_kit 0.10.1 → 0.10.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 43c8eabf008e3dd76265b3e455a80e27f2af665548319c7b3f8c565daf71a3d4
4
- data.tar.gz: ed6ed1097c0fc02baf51392df43875ac4974dbdb49e494b5eee0595fd33dcf0e
3
+ metadata.gz: 495e85895f4799695634ba56d645f0f5633e2df1509fd9d03137928891db20a0
4
+ data.tar.gz: 6d03ca44673a27baf4a013fd161643e8ab6b117018213464983df9a044c782da
5
5
  SHA512:
6
- metadata.gz: 3433cf5e7929b434de4bff0b999b455c9dd0d9fb407d0574b592ce3921ec7037cd0cf9be598319b6fdeca648d887033d842c20845ff09de0e8046ed533e4b9c8
7
- data.tar.gz: 6437f00f2ceb182e454a41d5555284bb516d763cba8c2684d39dc7dcb0f7252c8a50b3f70f3c2753df75a98e72cb7a348199d42a4e6d24c994abbbb61c39bb65
6
+ metadata.gz: 632ba0cf8239c56b69281fa93a6199bfea02fd0e81eeb2d23552294298d17c247d68502712ac93d8e4f33aa3954c0495a3c305da20d867b93c80a3187f8ff35a
7
+ data.tar.gz: eaab5b47eeee7416f06bf6d9ec23db248b9f4a8deb1773f42319bbccc898c268f2a2a627db45c76077a5df1403e3cd1010576572d2803c6b08ec725408ef82b1
@@ -49,6 +49,9 @@ module UDAPSecurityTestKit
49
49
  default: 'authorization_code',
50
50
  locked: true
51
51
  },
52
+ udap_client_registration_status: {
53
+ name: :udap_auth_code_flow_client_registration_status
54
+ },
52
55
  udap_client_cert_pem: {
53
56
  name: :udap_auth_code_flow_client_cert_pem,
54
57
  title: 'Authorization Code Client Certificate(s) (PEM Format)'
@@ -90,6 +93,7 @@ module UDAPSecurityTestKit
90
93
  } do
91
94
  input_order :udap_registration_endpoint,
92
95
  :udap_auth_code_flow_registration_grant_type,
96
+ :udap_auth_code_flow_client_registration_status,
93
97
  :udap_auth_code_flow_client_cert_pem,
94
98
  :udap_auth_code_flow_client_private_key,
95
99
  :udap_auth_code_flow_cert_iss,
@@ -9,6 +9,10 @@ module UDAPSecurityTestKit
9
9
  the provided client redirection URI using an HTTP redirection response.
10
10
  )
11
11
 
12
+ input :udap_fhir_base_url,
13
+ title: 'FHIR Server Base URL',
14
+ description: 'Base FHIR URL of FHIR Server.'
15
+
12
16
  input :udap_authorization_endpoint,
13
17
  title: 'Authorization Endpoint',
14
18
  description: 'The full URL from which Inferno will request an authorization code.'
@@ -17,10 +21,41 @@ module UDAPSecurityTestKit
17
21
  title: 'Client ID',
18
22
  description: 'Client ID as registered with the authorization server.'
19
23
 
24
+ input :udap_authorization_code_request_scopes,
25
+ title: 'Scope Parameter for Authorization Request',
26
+ description: %(
27
+ A list of space-separated scopes to include in the authorization request. If included, these may be equal
28
+ to or a subset of the scopes requested during registration.
29
+ If empty, scope will be omitted as a parameter to the authorization endpoint.
30
+ ),
31
+ optional: true
32
+
33
+ input :udap_authorization_code_request_aud,
34
+ title: "Audience ('aud') Parameter for Authorization Request",
35
+ type: 'checkbox',
36
+ options: {
37
+ list_options: [
38
+ {
39
+ label: "Include 'aud' parameter",
40
+ value: 'include_aud'
41
+ }
42
+ ]
43
+ },
44
+ description: %(
45
+ If selected, the Base FHIR URL will be used as the 'aud' parameter in the request to the authorization
46
+ endpoint.
47
+ ),
48
+ optional: true
49
+
20
50
  output :udap_authorization_code_state
51
+ output :udap_authorization_redirect_url
21
52
 
22
53
  receives_request :redirect
23
54
 
55
+ config options: {
56
+ redirect_uri: UDAPSecurityTestKit::UDAP_REDIRECT_URI
57
+ }
58
+
24
59
  def wait_message(auth_url)
25
60
  if config.options[:redirect_message_proc].present?
26
61
  return instance_exec(auth_url, &config.options[:redirect_message_proc])
@@ -55,11 +90,15 @@ module UDAPSecurityTestKit
55
90
 
56
91
  output udap_authorization_code_state: SecureRandom.uuid
57
92
 
93
+ aud = udap_fhir_base_url if udap_authorization_code_request_aud.include? 'include_aud'
94
+
58
95
  oauth2_params = {
59
96
  'response_type' => 'code',
60
97
  'client_id' => udap_client_id,
61
98
  'redirect_uri' => config.options[:redirect_uri],
62
- 'state' => udap_authorization_code_state
99
+ 'state' => udap_authorization_code_state,
100
+ 'scope' => udap_authorization_code_request_scopes,
101
+ 'aud' => aud
63
102
  }.compact
64
103
 
65
104
  authorization_url = authorization_url_builder(
@@ -69,6 +108,8 @@ module UDAPSecurityTestKit
69
108
 
70
109
  info("Inferno redirecting browser to #{authorization_url}.")
71
110
 
111
+ output udap_authorization_redirect_url: authorization_url
112
+
72
113
  wait(
73
114
  identifier: udap_authorization_code_state,
74
115
  message: wait_message(authorization_url)
@@ -51,6 +51,9 @@ module UDAPSecurityTestKit
51
51
  default: 'client_credentials',
52
52
  locked: true
53
53
  },
54
+ udap_client_registration_status: {
55
+ name: :udap_client_credentials_flow_client_registration_status
56
+ },
54
57
  udap_client_cert_pem: {
55
58
  name: :udap_client_credentials_flow_client_cert_pem,
56
59
  title: 'Client Credentials Client Certificate(s) (PEM Format)'
@@ -92,6 +95,7 @@ module UDAPSecurityTestKit
92
95
  } do
93
96
  input_order :udap_registration_endpoint,
94
97
  :udap_client_credentials_flow_registration_grant_type,
98
+ :udap_client_credentials_flow_client_registration_status,
95
99
  :udap_client_credentials_flow_client_cert_pem,
96
100
  :udap_client_credentials_flow_client_private_key,
97
101
  :udap_cert_iss_client_creds_flow,
@@ -19,13 +19,12 @@ module UDAPSecurityTestKit
19
19
  establish a trust chain.
20
20
 
21
21
  Cancelling a UDAP client's registration is not a required server capability and as such the Inferno client has no
22
- way of resetting state on the authorization server after a successful registration attempt. Testers wishing to
23
- run the Dynamic Client Registration tests more than once must do one of the following:
24
- - Remove the Inferno test client's registration out-of-band before re-running tests, to register the original
25
- client URI anew
26
- - Specifiy a different client URI as the issuer input (if the client cert has more than one Subject Alternative
27
- Name (SAN) URI entry), to register a different logical client with the original certificate
28
- - Provide a different client certificate and its associated URI to register a new logical client
22
+ way of resetting state on the authorization server after a successful registration attempt. If a given
23
+ certificate and issuer URI identity combination has already been registered with the authorization server, testers
24
+ whose systems support registration modifications
25
+ may select the "Update Registration" option under Client Registration Status. This option will accept either a
26
+ `200 OK` or `201 Created` return status. Registration attempts for a new client may only return `201 Created`,
27
+ per the [IG](https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body).
29
28
  )
30
29
  end
31
30
 
@@ -57,6 +56,27 @@ module UDAPSecurityTestKit
57
56
  ]
58
57
  }
59
58
 
59
+ input :udap_client_registration_status,
60
+ title: 'Client Registration Status',
61
+ description: %(
62
+ If the client's iss and certificate combination has already been registered with the authorization server
63
+ prior to this test run, select 'Update'.
64
+ ),
65
+ type: 'radio',
66
+ options: {
67
+ list_options: [
68
+ {
69
+ label: 'New Registration (201 Response Code Expected)',
70
+ value: 'new'
71
+ },
72
+ {
73
+ label: 'Update Registration (200 or 201 Response Code Expected)',
74
+ value: 'update'
75
+ }
76
+ ]
77
+ },
78
+ default: 'new'
79
+
60
80
  input :udap_client_cert_pem,
61
81
  title: 'X.509 Client Certificate(s) (PEM Format)',
62
82
  description: %(
@@ -13,6 +13,14 @@ module UDAPSecurityTestKit
13
13
  The [UDAP IG Section 3.2.3](https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body) states:
14
14
  > If a new registration is successful, the Authorization Server SHALL return a registration response with a 201
15
15
  > Created HTTP response code as per Section 5.1 of UDAP Dynamic Client Registration
16
+
17
+ If the tester indicated this registration attempt represents a modification of an existing registration entry,
18
+ the [UDAP IG Section 3.4](https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations)
19
+ states:
20
+ > If the Authorization Server returns the same client_id in the registration response for a modification request,
21
+ > it SHOULD also return a 200 OK HTTP response code.
22
+
23
+ In this case, the test will require either a 201 or 200 response code to pass.
16
24
  )
17
25
 
18
26
  input :udap_client_cert_pem
@@ -20,6 +28,7 @@ module UDAPSecurityTestKit
20
28
  input :udap_cert_iss
21
29
 
22
30
  input :udap_registration_endpoint
31
+ input :udap_client_registration_status
23
32
  input :udap_jwt_signing_alg
24
33
  input :udap_registration_requested_scope
25
34
  input :udap_registration_grant_type
@@ -60,7 +69,12 @@ module UDAPSecurityTestKit
60
69
 
61
70
  post(udap_registration_endpoint, body: reg_body, headers: reg_headers)
62
71
 
63
- assert_response_status(201)
72
+ if udap_client_registration_status == 'new'
73
+ assert_response_status(201)
74
+ elsif udap_client_registration_status == 'update'
75
+ assert_response_status([200, 201])
76
+ end
77
+
64
78
  assert_valid_json(response[:body])
65
79
  output udap_registration_response: response[:body]
66
80
  end
@@ -1,3 +1,3 @@
1
1
  module UDAPSecurityTestKit
2
- VERSION = '0.10.1'.freeze
2
+ VERSION = '0.10.3'.freeze
3
3
  end
@@ -1,3 +1,4 @@
1
+ require 'uri'
1
2
  module UDAPSecurityTestKit
2
3
  class WellKnownEndpointTest < Inferno::Test
3
4
  include Inferno::DSL::Assertions
@@ -18,11 +19,23 @@ module UDAPSecurityTestKit
18
19
  title: 'FHIR Server Base URL',
19
20
  description: 'Base FHIR URL of FHIR Server. Discovery request will be sent to {baseURL}/.well-known/udap'
20
21
 
22
+ input :udap_community_parameter,
23
+ title: 'UDAP Community Parameter',
24
+ description: "If included, the designated community value will be appended as a query to the well-known
25
+ endpoint to indicate the client's trust of certificates from this trust community.",
26
+ optional: true
27
+
21
28
  output :udap_well_known_metadata_json
22
29
  makes_request :config
23
30
 
24
31
  run do
25
- get("#{udap_fhir_base_url.strip.chomp('/')}/.well-known/udap", name: :udap_well_known_metadata_json)
32
+ uri = URI.parse("#{udap_fhir_base_url.strip.chomp('/')}/.well-known/udap")
33
+ unless udap_community_parameter.blank?
34
+ queries = URI.decode_www_form(uri.query || '') << ['community', udap_community_parameter]
35
+ uri.query = URI.encode_www_form(queries)
36
+ end
37
+
38
+ get(uri.to_s, name: :udap_well_known_metadata_json)
26
39
  assert_response_status(200)
27
40
  assert_valid_json(response[:body])
28
41
  output udap_well_known_metadata_json: response[:body]
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: udap_security_test_kit
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.10.1
4
+ version: 0.10.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Stephen MacVicar
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2024-12-06 00:00:00.000000000 Z
12
+ date: 2025-01-09 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: inferno_core