udap_security_test_kit 0.10.1 → 0.10.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 43c8eabf008e3dd76265b3e455a80e27f2af665548319c7b3f8c565daf71a3d4
-  data.tar.gz: ed6ed1097c0fc02baf51392df43875ac4974dbdb49e494b5eee0595fd33dcf0e
+  metadata.gz: 495e85895f4799695634ba56d645f0f5633e2df1509fd9d03137928891db20a0
+  data.tar.gz: 6d03ca44673a27baf4a013fd161643e8ab6b117018213464983df9a044c782da
 SHA512:
-  metadata.gz: 3433cf5e7929b434de4bff0b999b455c9dd0d9fb407d0574b592ce3921ec7037cd0cf9be598319b6fdeca648d887033d842c20845ff09de0e8046ed533e4b9c8
-  data.tar.gz: 6437f00f2ceb182e454a41d5555284bb516d763cba8c2684d39dc7dcb0f7252c8a50b3f70f3c2753df75a98e72cb7a348199d42a4e6d24c994abbbb61c39bb65
+  metadata.gz: 632ba0cf8239c56b69281fa93a6199bfea02fd0e81eeb2d23552294298d17c247d68502712ac93d8e4f33aa3954c0495a3c305da20d867b93c80a3187f8ff35a
+  data.tar.gz: eaab5b47eeee7416f06bf6d9ec23db248b9f4a8deb1773f42319bbccc898c268f2a2a627db45c76077a5df1403e3cd1010576572d2803c6b08ec725408ef82b1

data/lib/udap_security_test_kit/authorization_code_group.rb

@@ -49,6 +49,9 @@ module UDAPSecurityTestKit
                 default: 'authorization_code',
                 locked: true
               },
+              udap_client_registration_status: {
+                name: :udap_auth_code_flow_client_registration_status
+              },
               udap_client_cert_pem: {
                 name: :udap_auth_code_flow_client_cert_pem,
                 title: 'Authorization Code Client Certificate(s) (PEM Format)'
@@ -90,6 +93,7 @@ module UDAPSecurityTestKit
           } do
       input_order :udap_registration_endpoint,
                   :udap_auth_code_flow_registration_grant_type,
+                  :udap_auth_code_flow_client_registration_status,
                   :udap_auth_code_flow_client_cert_pem,
                   :udap_auth_code_flow_client_private_key,
                   :udap_auth_code_flow_cert_iss,

data/lib/udap_security_test_kit/authorization_code_redirect_test.rb

@@ -9,6 +9,10 @@ module UDAPSecurityTestKit
         the provided client redirection URI using an HTTP redirection response.
       )
 
+    input :udap_fhir_base_url,
+          title: 'FHIR Server Base URL',
+          description: 'Base FHIR URL of FHIR Server.'
+
     input :udap_authorization_endpoint,
           title: 'Authorization Endpoint',
           description: 'The full URL from which Inferno will request an authorization code.'
@@ -17,10 +21,41 @@ module UDAPSecurityTestKit
           title: 'Client ID',
           description: 'Client ID as registered with the authorization server.'
 
+    input :udap_authorization_code_request_scopes,
+          title: 'Scope Parameter for Authorization Request',
+          description: %(
+              A list of space-separated scopes to include in the authorization request. If included, these may be equal
+              to or a subset of the scopes requested during registration.
+              If empty, scope will be omitted as a parameter to the authorization endpoint.
+          ),
+          optional: true
+
+    input :udap_authorization_code_request_aud,
+          title: "Audience ('aud') Parameter for Authorization Request",
+          type: 'checkbox',
+          options: {
+            list_options: [
+              {
+                label: "Include 'aud' parameter",
+                value: 'include_aud'
+              }
+            ]
+          },
+          description: %(
+              If selected, the Base FHIR URL will be used as the 'aud' parameter in the request to the authorization
+              endpoint.
+          ),
+          optional: true
+
     output :udap_authorization_code_state
+    output :udap_authorization_redirect_url
 
     receives_request :redirect
 
+    config options: {
+      redirect_uri: UDAPSecurityTestKit::UDAP_REDIRECT_URI
+    }
+
     def wait_message(auth_url)
       if config.options[:redirect_message_proc].present?
         return instance_exec(auth_url, &config.options[:redirect_message_proc])
@@ -55,11 +90,15 @@ module UDAPSecurityTestKit
 
       output udap_authorization_code_state: SecureRandom.uuid
 
+      aud = udap_fhir_base_url if udap_authorization_code_request_aud.include? 'include_aud'
+
       oauth2_params = {
         'response_type' => 'code',
         'client_id' => udap_client_id,
         'redirect_uri' => config.options[:redirect_uri],
-        'state' => udap_authorization_code_state
+        'state' => udap_authorization_code_state,
+        'scope' => udap_authorization_code_request_scopes,
+        'aud' => aud
       }.compact
 
       authorization_url = authorization_url_builder(
@@ -69,6 +108,8 @@ module UDAPSecurityTestKit
 
       info("Inferno redirecting browser to #{authorization_url}.")
 
+      output udap_authorization_redirect_url: authorization_url
+
       wait(
         identifier: udap_authorization_code_state,
         message: wait_message(authorization_url)

data/lib/udap_security_test_kit/client_credentials_group.rb

@@ -51,6 +51,9 @@ module UDAPSecurityTestKit
                 default: 'client_credentials',
                 locked: true
               },
+              udap_client_registration_status: {
+                name: :udap_client_credentials_flow_client_registration_status
+              },
               udap_client_cert_pem: {
                 name: :udap_client_credentials_flow_client_cert_pem,
                 title: 'Client Credentials Client Certificate(s) (PEM Format)'
@@ -92,6 +95,7 @@ module UDAPSecurityTestKit
           } do
       input_order :udap_registration_endpoint,
                   :udap_client_credentials_flow_registration_grant_type,
+                  :udap_client_credentials_flow_client_registration_status,
                   :udap_client_credentials_flow_client_cert_pem,
                   :udap_client_credentials_flow_client_private_key,
                   :udap_cert_iss_client_creds_flow,

data/lib/udap_security_test_kit/dynamic_client_registration_group.rb

@@ -19,13 +19,12 @@ module UDAPSecurityTestKit
       establish a trust chain.
 
       Cancelling a UDAP client's registration is not a required server capability and as such the Inferno client has no
-      way of resetting state on the authorization server after a successful registration attempt.  Testers wishing to
-      run the Dynamic Client Registration tests more than once must do one of the following:
-      - Remove the Inferno test client's registration out-of-band before re-running tests, to register the original
-      client URI anew
-      - Specifiy a different client URI as the issuer input (if the client cert has more than one Subject Alternative
-      Name (SAN) URI entry), to register a different logical client with the original certificate
-      - Provide a different client certificate and its associated URI to register a new logical client
+      way of resetting state on the authorization server after a successful registration attempt.  If a given
+      certificate and issuer URI identity combination has already been registered with the authorization server, testers
+      whose systems support registration modifications
+      may select the "Update Registration" option under Client Registration Status. This option will accept either a
+      `200 OK` or `201 Created` return status. Registration attempts for a new client may only return `201 Created`,
+      per the [IG](https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body).
     )
     end
 
@@ -57,6 +56,27 @@ module UDAPSecurityTestKit
             ]
           }
 
+    input :udap_client_registration_status,
+          title: 'Client Registration Status',
+          description: %(
+            If the client's iss and certificate combination has already been registered with the authorization server
+            prior to this test run, select 'Update'.
+          ),
+          type: 'radio',
+          options: {
+            list_options: [
+              {
+                label: 'New Registration (201 Response Code Expected)',
+                value: 'new'
+              },
+              {
+                label: 'Update Registration (200 or 201 Response Code Expected)',
+                value: 'update'
+              }
+            ]
+          },
+          default: 'new'
+
     input :udap_client_cert_pem,
           title: 'X.509 Client Certificate(s) (PEM Format)',
           description: %(

data/lib/udap_security_test_kit/registration_success_test.rb

@@ -13,6 +13,14 @@ module UDAPSecurityTestKit
       The [UDAP IG Section 3.2.3](https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body) states:
       > If a new registration is successful, the Authorization Server SHALL return a registration response with a 201
       > Created HTTP response code as per Section 5.1 of UDAP Dynamic Client Registration
+
+      If the tester indicated this registration attempt represents a modification of an existing registration entry,
+      the [UDAP IG Section 3.4](https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations)
+      states:
+      > If the Authorization Server returns the same client_id in the registration response for a modification request,
+      > it SHOULD also return a 200 OK HTTP response code.
+
+      In this case, the test will require either a 201 or 200 response code to pass.
     )
 
     input :udap_client_cert_pem
@@ -20,6 +28,7 @@ module UDAPSecurityTestKit
     input :udap_cert_iss
 
     input :udap_registration_endpoint
+    input :udap_client_registration_status
     input :udap_jwt_signing_alg
     input :udap_registration_requested_scope
     input :udap_registration_grant_type
@@ -60,7 +69,12 @@ module UDAPSecurityTestKit
 
       post(udap_registration_endpoint, body: reg_body, headers: reg_headers)
 
-      assert_response_status(201)
+      if udap_client_registration_status == 'new'
+        assert_response_status(201)
+      elsif udap_client_registration_status == 'update'
+        assert_response_status([200, 201])
+      end
+
       assert_valid_json(response[:body])
       output udap_registration_response: response[:body]
     end

data/lib/udap_security_test_kit/version.rb

@@ -1,3 +1,3 @@
 module UDAPSecurityTestKit
-  VERSION = '0.10.1'.freeze
+  VERSION = '0.10.3'.freeze
 end

data/lib/udap_security_test_kit/well_known_endpoint_test.rb

@@ -1,3 +1,4 @@
+require 'uri'
 module UDAPSecurityTestKit
   class WellKnownEndpointTest < Inferno::Test
     include Inferno::DSL::Assertions
@@ -18,11 +19,23 @@ module UDAPSecurityTestKit
           title: 'FHIR Server Base URL',
           description: 'Base FHIR URL of FHIR Server. Discovery request will be sent to {baseURL}/.well-known/udap'
 
+    input :udap_community_parameter,
+          title: 'UDAP Community Parameter',
+          description: "If included, the designated community value will be appended as a query to the well-known
+          endpoint to indicate the client's trust of certificates from this trust community.",
+          optional: true
+
     output :udap_well_known_metadata_json
     makes_request :config
 
     run do
-      get("#{udap_fhir_base_url.strip.chomp('/')}/.well-known/udap", name: :udap_well_known_metadata_json)
+      uri = URI.parse("#{udap_fhir_base_url.strip.chomp('/')}/.well-known/udap")
+      unless udap_community_parameter.blank?
+        queries = URI.decode_www_form(uri.query || '') << ['community', udap_community_parameter]
+        uri.query = URI.encode_www_form(queries)
+      end
+
+      get(uri.to_s, name: :udap_well_known_metadata_json)
       assert_response_status(200)
       assert_valid_json(response[:body])
       output udap_well_known_metadata_json: response[:body]

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: udap_security_test_kit
 version: !ruby/object:Gem::Version
-  version: 0.10.1
+  version: 0.10.3
 platform: ruby
 authors:
 - Stephen MacVicar
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-12-06 00:00:00.000000000 Z
+date: 2025-01-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inferno_core