udap_security_test_kit 0.11.1 → 0.11.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 191991de0d6424f3f08d07ef03bb5609a2fad336acdde0f61e4a62de7786fdd2
-  data.tar.gz: f65208486d7cea656ce8aa10f54cffc0ec885200703ce753e7d6c179e111a533
+  metadata.gz: 03620024d784bdef2def46c35503c0291eacf4bf0f613ccc546febd4b9502066
+  data.tar.gz: fe308df520fcfe3120aacfb66cc7191ab03de1eedee46da7b9775d88bb798dba
 SHA512:
-  metadata.gz: d47d7583522b6f734d6048333dc9e127f21f503e0ed0369872a3af86f40c36d904c1ab50d00b886ff3d49158be427b6638f3f3e54f3ac24070ca5bb664276fc7
-  data.tar.gz: 868a2a47d0c8575db14b97327027b2221e19367ac6daa37376992b7bf6cbc87c905327351c7f2233b1b62507765e4a389c86e4e61e2c280e356b367f0ace89fa
+  metadata.gz: 9482d4811cbcf5fb500b237684722e2835289470a4ffe72c3c53338aeecb433c5f5f855f88a741d346d1b614ff67a9ecb1e0c354296f85c3c40f45e4faea07d4
+  data.tar.gz: a41ee216e78fa02afec7d30e0ee1067dd306d7e72ac868c042e90efce1291d201a4347c8f73fee6b1688baba7bf50a523b37f602fed82d72d19db0f2d72f558d

data/config/presets/UDAP_RunClientAgainstServer.json.erb

@@ -0,0 +1,20 @@
+{
+  "title": "Demo: Run Against the UDAP Security Server Suite",
+  "id": "udap_run_client_against_server",
+  "test_suite_id": "udap_security_client",
+  "inputs": [
+    {
+      "name": "udap_client_uri",
+      "description": "The UDAP Client URI that will be used to register with Inferno's simulated UDAP server.",
+      "optional": true,
+      "title": "UDAP Client URI",
+      "type": "text",
+      "value": "<%= Inferno::Application['base_url'] %>/custom/udap_security/fhir"
+    },
+    {
+      "name": "echoed_fhir_response",
+      "type": "text",
+      "value": "{\n  \"resourceType\": \"Patient\",\n  \"id\": \"example\",\n  \"name\": [\n    {\n      \"family\": \"Chalmers\",\n      \"given\": [\n        \"Peter\",\n        \"James\"\n      ]\n    }\n  ],\n  \"gender\": \"male\",\n  \"birthDate\": \"1974-12-25\",\n  \"address\": [\n    {\n      \"line\": [\n        \"534 Erewhon St\"\n      ],\n      \"city\": \"Ann Arbor\",\n      \"state\": \"MI\",\n      \"postalCode\": \"48108\"\n    }\n  ]\n}"
+    }
+  ]
+}

data/config/presets/UDAP_RunServerAgainstClient.json.erb

@@ -0,0 +1,272 @@
+{
+  "title": "Demo: Run Against the UDAP Security Client Suite",
+  "id": "udap_run_server_against_client",
+  "test_suite_id": "udap_security",
+  "inputs": [
+    {
+      "name": "udap_fhir_base_url",
+      "description": "Base FHIR URL of FHIR Server. Discovery request will be sent to {baseURL}/.well-known/udap",
+      "title": "FHIR Server Base URL",
+      "type": "text",
+      "value": "<%= Inferno::Application['base_url'] %>/custom/udap_security_client/fhir"
+    },
+    {
+      "name": "udap_community_parameter",
+      "description": "If included, the designated community value will be appended as a query to the well-known           endpoint to indicate the client's trust of certificates from this trust community.",
+      "optional": true,
+      "title": "UDAP Community Parameter",
+      "type": "text",
+      "value": ""
+    },
+    {
+      "name": "flow_type_auth_code",
+      "default": [
+        "authorization_code"
+      ],
+      "description": "Which grant type(s) must be supported per the returned Discovery metadata",
+      "locked": true,
+      "options": {
+        "list_options": [
+          {
+            "label": "Authorization Code",
+            "value": "authorization_code"
+          },
+          {
+            "label": "Client Credentials",
+            "value": "client_credentials"
+          }
+        ]
+      },
+      "title": "Required OAuth2.0 Flow Type for Authorization Code Workflow",
+      "type": "checkbox",
+      "value": "[\"authorization_code\"]"
+    },
+    {
+      "name": "udap_server_trust_anchor_certs",
+      "description": "A list of one or more trust anchor root CA X.509 certificates, separated by a newline. Inferno will use these to establish trust with the authorization server's certificates provided in the discovery response signed_metadata JWT.",
+      "optional": true,
+      "title": "Auth Server Trust Anchor X509 Certificate(s) (PEM Format)",
+      "type": "textarea",
+      "value": "-----BEGIN CERTIFICATE-----\nMIIGDzCCA/egAwIBAgIUHwBisiqxYRNYzDtSvNRPOu09emswDQYJKoZIhvcNAQEL\nBQAwgYYxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEQMA4GA1UEBwwHQmVkZm9y\nZDEQMA4GA1UECgwHSW5mZXJubzEdMBsGA1UEAwwUSW5mZXJuby1VREFQLVJvb3Qt\nQ0ExJzAlBgkqhkiG9w0BCQEWGGluZmVybm9AZ3JvdXBzLm1pdHJlLm9yZzAeFw0y\nNDA4MTIyMzU4MDlaFw0zNDA4MTAyMzU4MDlaMIGGMQswCQYDVQQGEwJVUzELMAkG\nA1UECAwCTUExEDAOBgNVBAcMB0JlZGZvcmQxEDAOBgNVBAoMB0luZmVybm8xHTAb\nBgNVBAMMFEluZmVybm8tVURBUC1Sb290LUNBMScwJQYJKoZIhvcNAQkBFhhpbmZl\ncm5vQGdyb3Vwcy5taXRyZS5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK\nAoICAQC3Hz72FU3I4PFztBPpeDX7augTiw5KKMzEQWoOtsyx8de0lXLDaY13SugL\nwCduDei5WYaHat3/eAWnsvGb2VQjQOpfUTvdwnmvUSTAZH+EB+IPy/Jk2AbXtgGv\n8GcLsmjpZNiePvCrcOT28j9tTAdO8gKaIOg0XpYq/Kdyyecr1jMINKgUMOyoi//R\nQjzvx6dRq/YBegb2bEOe+YBUdo7EzAXZUAk48RelAq5b1vaqyhJeuOcxXxVCLjTi\nKN+Tje6FnmQkD/J7P05XlRFvoNxzp5X+92bcrZ+LcOjNy4wTxiT3f76e6DCMHRcM\n3QmhfU3cerv1pvb78peb0bKglzwdmquw+H6+UQrvmaCqCNWnVjmUzB1bgRxAc5YV\np18kHzNnUAoXHMU6+ZVHqvrbtNEBHYI5NUrgOCVBpFCRf53qRtfQjSIfJrKEoKvC\nvidDeW0YWy5FILZ50g+Auo/JvPLVUzm+qENN+y/at3LZx27VEoyZpi18DqbWWYNa\n+QnGow/rEf/fHRUrsTBhgttQ7/VhTr8M6KcsHLpqm7Ec6zPy6MvrFLowXsXWZGNq\nzhEb6YGHi9WzNDcsAILybRm4jDS07/1f1CJ6BJuQrPFDsVo4o0PhCsAWH5MqcL2V\nlKt/kfJxva83JoshB9zFNmtCdfuw/Mkl8i+OO5WR/vqIZNam9wIDAQABo3MwcTAd\nBgNVHQ4EFgQUNOqoPKju4u9y9JAuAfnSAcFbNKAwHwYDVR0jBBgwFoAUNOqoPKju\n4u9y9JAuAfnSAcFbNKAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAYYwEQYD\nVR0gBAowCDAGBgRVHSAAMA0GCSqGSIb3DQEBCwUAA4ICAQCbLfJy6q2r26iyKZ3x\nMNUorDfsiTWH8TspYBm6v3h4yn9U+9qbyBwsjCu0U2ns5VqHzw25jInW5FQbwZZV\nAiUYKNpn6gIWZKpWOaDYaMWB4Jv9BMLLsENkP6PM6XxAheBVj2WNrlXaOaBql7XQ\npkZ9TpX56Vim86Jk999o4idi4CWyaoZHXtwOGyKkOPp0xghg9VAX2y2xLYdBzgSs\nJW9P8+WIeIIbz3mpSlq0Aqh9LjneKW9wfinYEO/IxsMpOqAV54VtWJ9tMZtR8e83\ntNihJuWJvhA2rWXffh1/uPv7uA3Yge/a5vf+VfJn5MoSPn4X8ZRaJMmUFnyyvyzD\nK4fxAV2dCBjOsQtEU4pIWKwS8BopLdOcoM8Wyth+0KpxpCDTPBY0idxqU/Dg0wBe\n8YQ/mAN+cVZy2U0BoXEKlW49+czQ1wKAv4rzDJFTZUTudG+r4LmNFDPXnoiMwhni\nXkgFz1NO4YucWXBestvBSDgQ2BPFF2TkcGZl7bLk+WiGAhA/SxtLvHjIKqXwGYHG\nm8C45sJ7h0h0zdmd3/ImHWRd6D99k5eFyX5O2qNoa6v6w5rRqE7gZCe/0yZVpdth\nhhXWl1vLHPiRE5N+vRgOW1i66Ly2I7WwX965erNDxEgNCvgsP84FjbMs/2Xnb3Be\ntsGvVZ6GCrAl5XejmwQBzyZQQw==\n-----END CERTIFICATE-----\n"
+    },
+    {
+      "name": "udap_auth_code_flow_registration_grant_type",
+      "default": "authorization_code",
+      "description": "The OAuth2.0 grant type for which this client will register itself. A given client may register as either  option, but not both.",
+      "locked": true,
+      "options": {
+        "list_options": [
+          {
+            "label": "Authorization Code",
+            "value": "authorization_code"
+          },
+          {
+            "label": "Client Credentials",
+            "value": "client_credentials"
+          }
+        ]
+      },
+      "title": "Client Registration Grant Type",
+      "type": "radio",
+      "value": "authorization_code"
+    },
+    {
+      "name": "udap_auth_code_flow_client_registration_status",
+      "default": "new",
+      "description": "If the client's iss and certificate combination has already been registered with the authorization server prior to this test run, select 'Update'.",
+      "options": {
+        "list_options": [
+          {
+            "label": "New Registration (201 Response Code Expected)",
+            "value": "new"
+          },
+          {
+            "label": "Update Registration (200 or 201 Response Code Expected)",
+            "value": "update"
+          }
+        ]
+      },
+      "title": "Client Registration Status",
+      "type": "radio",
+      "value": "new"
+    },
+    {
+      "name": "udap_auth_code_flow_client_cert_pem",
+      "description": "A list of one or more X.509 certificates in PEM format separated by a newline. The first (leaf) certificate MUST represent the client entity Inferno will register as, and the trust chain that will be built from the provided certificate(s) must resolve to a CA trusted by the authorization server under test.",
+      "title": "Authorization Code Client Certificate(s) (PEM Format)",
+      "type": "textarea",
+      "value": ""
+    },
+    {
+      "name": "udap_auth_code_flow_client_private_key",
+      "description": "The private key corresponding to the client certificate used for registration, in PEM format.  Used to sign registration and/or authentication JWTs.",
+      "title": "Authorization Code Client Private Key (PEM Format)",
+      "type": "textarea",
+      "value": ""
+    },
+    {
+      "name": "udap_auth_code_flow_cert_iss",
+      "description": "MUST correspond to a unique URI entry in the Subject Alternative Name (SAN) extension of the client certificate used for registration.",
+      "title": "Authorization Code JWT Issuer (iss) Claim",
+      "type": "text",
+      "value": ""
+    },
+    {
+      "name": "udap_auth_code_flow_registration_scope",
+      "description": "String containing a space delimited list of scopes requested by the client application for use in subsequent requests. The Authorization Server MAY consider this list when deciding the scopes that it will allow the application to subsequently request. Apps requesting the \"authorization_code\" grant type SHOULD request user or patient scopes.",
+      "title": "Authorization Code Registration Requested Scope(s)",
+      "type": "text",
+      "value": ""
+    },
+    {
+      "name": "udap_jwt_signing_alg",
+      "default": "RS256",
+      "description": "Algorithm used to sign UDAP JSON Web Tokens (JWTs). UDAP Implementations SHALL support RS256.",
+      "locked": true,
+      "options": {
+        "list_options": [
+          {
+            "label": "RS256",
+            "value": "RS256"
+          }
+        ]
+      },
+      "title": "JWT Signing Algorithm",
+      "type": "radio",
+      "value": "RS256"
+    },
+    {
+      "name": "udap_auth_code_flow_registration_certifications",
+      "description": "Additional UDAP certifications to include in registration request, if required by the authorization server.  Include a space separated list of strings representing a Base64-encoded, signed JWT.",
+      "optional": true,
+      "title": "Authorization Code UDAP Registration Certifications",
+      "type": "textarea",
+      "value": ""
+    },
+    {
+      "name": "udap_authorization_code_request_scopes",
+      "description": "A list of space-separated scopes to include in the authorization request. If included, these may be equal to or a subset of the scopes requested during registration. If empty, scope will be omitted as a parameter to the authorization endpoint.",
+      "optional": true,
+      "title": "Scope Parameter for Authorization Request",
+      "type": "text",
+      "value": ""
+    },
+    {
+      "name": "udap_authorization_code_request_aud",
+      "description": "If selected, the Base FHIR URL will be used as the 'aud' parameter in the request to the authorization endpoint.",
+      "optional": true,
+      "options": {
+        "list_options": [
+          {
+            "label": "Include 'aud' parameter",
+            "value": "include_aud"
+          }
+        ]
+      },
+      "title": "Audience ('aud') Parameter for Authorization Request",
+      "type": "checkbox",
+      "value": "[]"
+    },
+    {
+      "name": "flow_type_client_creds",
+      "default": [
+        "client_credentials"
+      ],
+      "description": "Which grant type(s) must be supported per the returned Discovery metadata",
+      "locked": true,
+      "optional": "false",
+      "options": {
+        "list_options": [
+          {
+            "label": "Authorization Code",
+            "value": "authorization_code"
+          },
+          {
+            "label": "Client Credentials",
+            "value": "client_credentials"
+          }
+        ]
+      },
+      "title": "Required OAuth2.0 Flow Type for Client Credentials Workflow",
+      "type": "checkbox",
+      "value": "[\"client_credentials\"]"
+    },
+    {
+      "name": "udap_client_credentials_flow_registration_grant_type",
+      "default": "client_credentials",
+      "description": "The OAuth2.0 grant type for which this client will register itself. A given client may register as either  option, but not both.",
+      "locked": true,
+      "options": {
+        "list_options": [
+          {
+            "label": "Authorization Code",
+            "value": "authorization_code"
+          },
+          {
+            "label": "Client Credentials",
+            "value": "client_credentials"
+          }
+        ]
+      },
+      "title": "Client Registration Grant Type",
+      "type": "radio",
+      "value": "client_credentials"
+    },
+    {
+      "name": "udap_client_credentials_flow_client_registration_status",
+      "default": "new",
+      "description": "If the client's iss and certificate combination has already been registered with the authorization server prior to this test run, select 'Update'.",
+      "options": {
+        "list_options": [
+          {
+            "label": "New Registration (201 Response Code Expected)",
+            "value": "new"
+          },
+          {
+            "label": "Update Registration (200 or 201 Response Code Expected)",
+            "value": "update"
+          }
+        ]
+      },
+      "title": "Client Registration Status",
+      "type": "radio",
+      "value": "new"
+    },
+    {
+      "name": "udap_client_credentials_flow_client_cert_pem",
+      "description": "A list of one or more X.509 certificates in PEM format separated by a newline. The first (leaf) certificate MUST represent the client entity Inferno will register as, and the trust chain that will be built from the provided certificate(s) must resolve to a CA trusted by the authorization server under test.",
+      "title": "Client Credentials Client Certificate(s) (PEM Format)",
+      "type": "textarea",
+      "value": "-----BEGIN CERTIFICATE-----\nMIIFcjCCA1qgAwIBAgIUbdCfB3IJ9bdOPGQVtxJHhMxUWv0wDQYJKoZIhvcNAQEL\nBQAwgYYxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEQMA4GA1UEBwwHQmVkZm9y\nZDEQMA4GA1UECgwHSW5mZXJubzEdMBsGA1UEAwwUSW5mZXJuby1VREFQLVJvb3Qt\nQ0ExJzAlBgkqhkiG9w0BCQEWGGluZmVybm9AZ3JvdXBzLm1pdHJlLm9yZzAeFw0y\nNDA4MTIyMzU4MTBaFw0zNDA4MTAyMzU4MTBaMGExCzAJBgNVBAYTAlVTMQswCQYD\nVQQIDAJNQTEQMA4GA1UEBwwHQmVkZm9yZDEQMA4GA1UECgwHSW5mZXJubzEhMB8G\nA1UEAwwYVURBUCBFeGFtcGxlIFRlc3QgQ2xpZW50MIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEAnfqzJCyeFNRhlcsrUPiO2LQtudObDHUKj4Q7fkYPUf9X\necTMckfPKd8UJ7x8Vb5o1zmR3hsMoo1A7IkwBkmK2BXvxq243cCGO1q4w/jdL/EG\nDiIZjTr7qvkawyeh9cAaApOrBlD4gnOxB05GjingDZgiT7GqBwrpEB2XJ4tw4idS\nB3W9Rv0ynbgqPKgGw9hnEef+uNAvFIvSbfdz1n4xHNP0GuMuAX+edFCyxYFmDe74\n8pl3TH9dxkoM945r5tHmuJS9n1pXkTB9L5RVbqH77dIyOBobehHHpT4D3zjdSFmh\nfta5NnDi5/iqRcFz7FVO79jJIoAqN+mWBlVH0yyfYQIDAQABo4H7MIH4MC8GA1Ud\nEQQoMCaGJGh0dHBzOi8vaW5mZXJuby5jb20vdWRhcF9zZWN1cml0eS9hYzAxBgNV\nHSUEKjAoBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBDA6\nBgNVHR8EMzAxMC+gLaArhilodHRwczovL2luZmVybm8uY29tL21vY2tfY3JsX2Vu\nZHBvaW50LmNybDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQU6Eo2\nHE37gpSaW9zBGf0t7XfYnfIwHwYDVR0jBBgwFoAUNOqoPKju4u9y9JAuAfnSAcFb\nNKAwDQYJKoZIhvcNAQELBQADggIBACh2uQ1Krkw6F3Gq0HG3ohCm2j1ynmLSJwGE\nHvPlkiBcs8RBPxZzJOZJBMxGmjTPga2Kt6zsBlmjLg++C7C5/8JruwrMtrBuTtHx\nKky0Qw+YJm81IgATeDIU/qkJB8LcnHgkQbu3nyoyeKocx9XSW8nlEm4FkyREXxfC\nrSVCoc70GGg2vSnSkRikNjxwKGnHvmEDUOW2bBbbzvTGKlTKSIF50NiNPM3Fi7vF\nbOfi1aZh6m8IKVaI2KUXVFHco1qB3QDK5BUEimko+EyaWSZPvP83PE2+TIdapRrw\nHxQQJEr774GUNH1/hdW0qlP4u3CMMMAjS2H4dOsRYOOmgC6iEewFEBQqTRLkEfgP\npMxYhGAVAmrglLLr4t+ZF9KOmifvB6f18qF352Bj1D0TMB+oLy67kFw3s2ah21la\n3Xm6hQt+M5mZ/EYZIOUPxMHtqVt5DSJdMENHO2cjcRARyeD/BGYnJqnf6yA1LL2V\nTK+jhC/C/Dcv0hHQnVWlUGlwoFMOOzfsr2K3mXYezAuHASP8LIAyjodPpd6cLQu2\nSZTVVobSebaNmZ2UeX8Bc9bcobM2bbVb2c3UeezEJWOpt5cSOeEScEiwkaktxD5p\nix1K3KkIg2yDP176ILlVqBBA0X2FqTSSvFbTa5us3XIwkDfARJBpLnA7OfmsO61+\nIj5io7+X\n-----END CERTIFICATE-----"
+    },
+    {
+      "name": "udap_client_credentials_flow_client_private_key",
+      "description": "The private key corresponding to the client certificate used for registration, in PEM format.  Used to sign registration and/or authentication JWTs.",
+      "title": "Client Credentials Client Private Key (PEM Format)",
+      "type": "textarea",
+      "value": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCd+rMkLJ4U1GGV\nyytQ+I7YtC2505sMdQqPhDt+Rg9R/1d5xMxyR88p3xQnvHxVvmjXOZHeGwyijUDs\niTAGSYrYFe/GrbjdwIY7WrjD+N0v8QYOIhmNOvuq+RrDJ6H1wBoCk6sGUPiCc7EH\nTkaOKeANmCJPsaoHCukQHZcni3DiJ1IHdb1G/TKduCo8qAbD2GcR5/640C8Ui9Jt\n93PWfjEc0/Qa4y4Bf550ULLFgWYN7vjymXdMf13GSgz3jmvm0ea4lL2fWleRMH0v\nlFVuofvt0jI4Ght6EcelPgPfON1IWaF+1rk2cOLn+KpFwXPsVU7v2MkigCo36ZYG\nVUfTLJ9hAgMBAAECggEAApTpPosYHkEGQztpvs4BD5uKL8I8g2yaOpQvoLWmZHGm\nzU+hA7EWuplxq+CRq5kL/5BqSNXqU/G5AOSRC1lCUpuxKm8GWWFfEDNAV7uGadUn\ngy2de0heeoHNpSjNpcV451fgcJ78IK2hU/w8fPBEQBSfYuwFWk4cVu4U3UmTE68I\nO7PpCdTjk70IOsLT8uBagAOw92Fj0mGU7agCdWfJ+LjPRUtg+PhVvODatL3taG+l\nFAParsomiRqKGINyn8vALXNISuBYHVDUzv93P10gG5rA2sJ7953/+++Hr9DoLpmL\nSH/q/LebFzPJ2u6KzLc6bam1YX0w/MSNTJVIxA5V/QKBgQDU+iFXdShLwvEXGVtb\nFdZuRk3XsN+yfkFyM9SZrmaLF2VBALkC5pd+rYkXSaTA/cbs623VOYpoJhVmjL8d\nVvTlN/G+8TzfdsmOlAXiOSiUn3VKM/Othu5l9k0AgylU8aXBWTUv5FzmV8gMn+/s\n9oOucAVFa60LdkR2d609y/tKnwKBgQC95Gviall3E/+7drT05KxPPGDKRUjhCLBe\nBNj2+ttSt4+v+E5v3K+LSd11VfGkvLkDvkhjiJlVamf+XgLne3TLrEThAKq8ySUr\nXKBRi+nfmisUHSrMGljHw500Rx+MR/LEpfEERMosLQWTrOTz5VG2RueVHbWbD622\nWitr8tnV/wKBgGDYUNr9GlLBFXJEhIc5ueUxMOp4sm/u+4Gb0fwEEvsCq3dQhdCs\n3IytCp69TR65B4DqWWpRHP/Y+XhFXg5QYVHuC46hEeYnlOWxp69EAJD8pZAVaaQp\nrDRPOJqYCe5nZ9Ew6H+bnybbGcur2qTtP9nNdIgpu2lv4RfhubRVEjLPAoGAXqzb\nSSii8GbNMwcNU6gLbPn6e/6tRl1RqZ6bGhCadxREFIUlfko2T6kFPDIcZ3kceYxO\nhSme4WJK9RykMAtygPWj5daySauz13m4CNBMS4qO/dlI9DgSmY6i+2SWixd4J6lg\nkDNH5VyREj66bAuigNG7NrJ4UBYyEt/EFG8hQrsCgYEAyLwk7f2Wgu9ykdwSrrQE\nTBK0iOVUcwPhxj1UbFyDxPdO0EspyKtIFD5w/sbBtQbJGSUFd7ZPoCsYkT2yAsDp\n3cI/ubRxA+/GaqUo84QxvJ4Uqdu8YS8C0FCEnhXGjA60Y5HFzufJF5EqfzwNctCr\nG0cRyX/4Ut4BNUcir/CRVL0=\n-----END PRIVATE KEY-----"
+    },
+    {
+      "name": "udap_cert_iss_client_creds_flow",
+      "description": "MUST correspond to a unique URI entry in the Subject Alternative Name (SAN) extension of the client certificate used for registration.",
+      "title": "Client Credentials JWT Issuer (iss) Claim",
+      "type": "text",
+      "value": "<%= Inferno::Application['base_url'] %>/custom/udap_security/fhir"
+    },
+    {
+      "name": "udap_client_credentials_flow_registration_scope",
+      "description": "String containing a space delimited list of scopes requested by the client application for use in subsequent requests. The Authorization Server MAY consider this list when deciding the scopes that it will allow the application to subsequently request. Apps requesting the \"client_credentials\" grant type SHOULD request system scopes.",
+      "title": "Client Credentials Registration Requested Scope(s)",
+      "type": "text",
+      "value": "system/*.read"
+    },
+    {
+      "name": "udap_client_creds_flow_registration_certifications",
+      "description": "Additional UDAP certifications to include in registration request, if required by the authorization server.  Include a space separated list of strings representing a Base64-encoded, signed JWT.",
+      "optional": true,
+      "title": "Client Credentials UDAP Registration Certifications",
+      "type": "textarea",
+      "value": ""
+    }
+  ]
+}

data/lib/udap_security_test_kit/client_credentials_token_exchange_test.rb

@@ -94,7 +94,7 @@ module UDAPSecurityTestKit
       client_assertion_payload = UDAPClientAssertionPayloadBuilder.build(
         udap_client_id,
         udap_token_endpoint,
-        extensions.to_json
+        extensions
       )
 
       x5c_certs = UDAPJWTBuilder.split_user_input_cert_string(

data/lib/udap_security_test_kit/client_suite/client_access_group.rb

@@ -0,0 +1,22 @@
+require_relative 'client_access_interaction_test'
+require_relative 'client_token_request_verification_test'
+require_relative 'client_token_use_verification_test'
+
+module UDAPSecurityTestKit
+  class UDAPClientAccess < Inferno::TestGroup
+    id :udap_client_access
+    title 'Client Access'
+    description %(
+      During these tests, the client system will access Inferno's simulated
+      FHIR server by requesting an access token and making a FHIR request.
+      Inferno will then verify that any token requests made were conformant
+      and that a token returned from a token request was used on an access request.
+    )
+
+    run_as_group
+
+    test from: :udap_client_access_interaction
+    test from: :udap_client_token_request_verification
+    test from: :udap_client_token_use_verification
+  end
+end

data/lib/udap_security_test_kit/client_suite/client_access_interaction_test.rb

@@ -0,0 +1,53 @@
+require_relative '../urls'
+require_relative '../endpoints/mock_udap_server'
+
+module UDAPSecurityTestKit
+  class UDAPClientAccessInteraction < Inferno::Test
+    include URLs
+
+    id :udap_client_access_interaction
+    title 'Perform UDAP-secured Access'
+    description %(
+      During this test, Inferno will wait for the client to access data
+      using a UDAP token obtained during an earlier test.
+    )
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          locked: true,
+          description: %(
+            The registered Client Id for use in obtaining access tokens.
+            Create a new session if you need to change this value.
+          )
+    input :echoed_fhir_response,
+          title: 'FHIR Response to Echo',
+          type: 'textarea',
+          description: %(
+            JSON representation of a FHIR resource for Inferno to echo when a request
+            is made to the simulated FHIR server. The provided content will be echoed
+            back exactly and no check will be made that it is appropriate for the request
+            made. If nothing is provided, an OperationOutcome will be returned.
+          ),
+          optional: true
+
+    run do
+      wait(
+        identifier: client_id,
+        message: %(
+            **Access**
+
+            Use the registered client id (#{client_id}) to obtain an access
+            token using the [UDAP B2B client credentials flow](https://hl7.org/fhir/us/udap-security/STU1/b2b.html)
+            and use that token to access a FHIR endpoint under the simulated server's base URL
+
+            `#{client_fhir_base_url}`
+
+            Inferno will echo the response provided in the **FHIR Response to Echo** input.
+
+            [Click here](#{client_resume_pass_url}?token=#{client_id}) once you performed
+            the access.
+          )
+      )
+    end
+  end
+end

data/lib/udap_security_test_kit/client_suite/client_registration_group.rb

@@ -0,0 +1,26 @@
+require_relative 'client_registration_interaction_test'
+require_relative 'client_registration_verification_test'
+
+module UDAPSecurityTestKit
+  class UDAPClientRegistration < Inferno::TestGroup
+    id :udap_client_registration
+    title 'Client Registration'
+    description %(
+      During these tests, the client system will dynamically register with Inferno's
+      simulated UDAP Server with the capabilities to perform the **UDAP B2B client credentials flow**.
+      At any time, the client may perform UDAP discovery on the simulated Inferno UDAP server.
+    )
+    run_as_group
+
+    input :udap_client_uri,
+          title: 'UDAP Client URI',
+          type: 'text',
+          description: %(
+            The UDAP Client URI that will be used to register with Inferno's simulated UDAP server.
+          ),
+          optional: false
+
+    test from: :udap_client_registration_interaction
+    test from: :udap_client_registration_verification
+  end
+end

data/lib/udap_security_test_kit/client_suite/client_registration_interaction_test.rb

@@ -0,0 +1,50 @@
+require_relative '../urls'
+require_relative '../endpoints/mock_udap_server'
+
+module UDAPSecurityTestKit
+  class UDAPClientRegistrationInteraction < Inferno::Test
+    include URLs
+
+    id :udap_client_registration_interaction
+    title 'Perform UDAP Registration'
+    description %(
+        During this test, Inferno will wait for the client to register
+        themselves as a UDAP client with Inferno's simulated UDAP server
+        using UDAP dynamic registration.
+      )
+    input :udap_client_uri,
+          optional: false
+
+    output :client_id
+
+    run do
+      omit_if udap_client_uri.blank?, # for re-use: mark the udap_client_uri input as optional when importing to enable
+              'Not configured for UDAP authentication.'
+
+      generated_client_id = MockUDAPServer.client_uri_to_client_id(udap_client_uri)
+      output client_id: generated_client_id
+
+      wait(
+        identifier: generated_client_id,
+        message: %(
+            **UDAP Registration**
+
+            Make a UDAP dyanmic registration request to the UDAP-protected FHIR Server at
+
+            `#{client_fhir_base_url}`
+
+            For Client URI
+
+            `#{udap_client_uri}`
+
+            Metadata on Inferno's simulated UDAP server can be found at
+
+            `#{client_udap_discovery_url}`
+
+            [Click here](#{client_resume_pass_url}?token=#{generated_client_id}) once you have
+            succesfully completed the registration.
+          )
+      )
+    end
+  end
+end