udap_security_test_kit 0.11.2 → 0.11.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 16dcc359a2f590b5427665389f1a4916be275dc2be12a388d8ed7c3a17ee5e7b
-  data.tar.gz: 9089b5edef3d1a80f0dbf84dc5dee626e40ff04de325170d30a8f310e4b91ab7
+  metadata.gz: 93cc168a29a41ac4c22bdcb8a4124aa85c370d3a0ae8ac1851090555ab3a2e8b
+  data.tar.gz: d31eee97042a453fe3ccf6c72c1421309ff4d367eb87ff6d2f3a63a96529041d
 SHA512:
-  metadata.gz: 201455391e33a8f2e278fa15150fd8882c8dd27562cf7425f965431ad61c8a17d5470da3ae699515b2acd1e1d5c9b736e5c51e45bfad8446a35dafdb490787ce
-  data.tar.gz: 1abdcaa5303cb9328ce8916aa0bedf766d5c590460246a421619931c60b1b4e9ed7a069946af7c688d3f4d79cc22590946f05bbddae4690d303c8f4b0acba606
+  metadata.gz: 69293481ba6a4edeca09cf992cd7b7ff97ff380636a43e1d40cb6dd2610711bb1feac263cdf887fbb7e74e8c72ed15329335b8d3b4fdd3a4d3ed1f3f73341eef
+  data.tar.gz: 90878299bfb40e53ad43ff65144d008f3793a1654c8f61ff3dd24a4a8cb6f3dcef11c092cac49ccdadb7dec165ed20134213cc56a566b8e78792e0b83c6ca872

data/config/presets/UDAP_RunClientAgainstServer.json.erb

@@ -0,0 +1,20 @@
+{
+  "title": "Demo: Run Against the UDAP Security Server Suite",
+  "id": "udap_run_client_against_server",
+  "test_suite_id": "udap_security_client",
+  "inputs": [
+    {
+      "name": "udap_client_uri",
+      "description": "The UDAP Client URI that will be used to register with Inferno's simulated UDAP server.",
+      "optional": true,
+      "title": "UDAP Client URI",
+      "type": "text",
+      "value": "<%= Inferno::Application['base_url'] %>/custom/udap_security/fhir"
+    },
+    {
+      "name": "echoed_fhir_response",
+      "type": "text",
+      "value": "{\n  \"resourceType\": \"Patient\",\n  \"id\": \"example\",\n  \"name\": [\n    {\n      \"family\": \"Chalmers\",\n      \"given\": [\n        \"Peter\",\n        \"James\"\n      ]\n    }\n  ],\n  \"gender\": \"male\",\n  \"birthDate\": \"1974-12-25\",\n  \"address\": [\n    {\n      \"line\": [\n        \"534 Erewhon St\"\n      ],\n      \"city\": \"Ann Arbor\",\n      \"state\": \"MI\",\n      \"postalCode\": \"48108\"\n    }\n  ]\n}"
+    }
+  ]
+}

data/config/presets/UDAP_RunServerAgainstClient.json.erb

@@ -0,0 +1,272 @@
+{
+  "title": "Demo: Run Against the UDAP Security Client Suite",
+  "id": "udap_run_server_against_client",
+  "test_suite_id": "udap_security",
+  "inputs": [
+    {
+      "name": "udap_fhir_base_url",
+      "description": "Base FHIR URL of FHIR Server. Discovery request will be sent to {baseURL}/.well-known/udap",
+      "title": "FHIR Server Base URL",
+      "type": "text",
+      "value": "<%= Inferno::Application['base_url'] %>/custom/udap_security_client/fhir"
+    },
+    {
+      "name": "udap_community_parameter",
+      "description": "If included, the designated community value will be appended as a query to the well-known           endpoint to indicate the client's trust of certificates from this trust community.",
+      "optional": true,
+      "title": "UDAP Community Parameter",
+      "type": "text",
+      "value": ""
+    },
+    {
+      "name": "flow_type_auth_code",
+      "default": [
+        "authorization_code"
+      ],
+      "description": "Which grant type(s) must be supported per the returned Discovery metadata",
+      "locked": true,
+      "options": {
+        "list_options": [
+          {
+            "label": "Authorization Code",
+            "value": "authorization_code"
+          },
+          {
+            "label": "Client Credentials",
+            "value": "client_credentials"
+          }
+        ]
+      },
+      "title": "Required OAuth2.0 Flow Type for Authorization Code Workflow",
+      "type": "checkbox",
+      "value": "[\"authorization_code\"]"
+    },
+    {
+      "name": "udap_server_trust_anchor_certs",
+      "description": "A list of one or more trust anchor root CA X.509 certificates, separated by a newline. Inferno will use these to establish trust with the authorization server's certificates provided in the discovery response signed_metadata JWT.",
+      "optional": true,
+      "title": "Auth Server Trust Anchor X509 Certificate(s) (PEM Format)",
+      "type": "textarea",
+      "value": "-----BEGIN CERTIFICATE-----\nMIIGDzCCA/egAwIBAgIUHwBisiqxYRNYzDtSvNRPOu09emswDQYJKoZIhvcNAQEL\nBQAwgYYxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEQMA4GA1UEBwwHQmVkZm9y\nZDEQMA4GA1UECgwHSW5mZXJubzEdMBsGA1UEAwwUSW5mZXJuby1VREFQLVJvb3Qt\nQ0ExJzAlBgkqhkiG9w0BCQEWGGluZmVybm9AZ3JvdXBzLm1pdHJlLm9yZzAeFw0y\nNDA4MTIyMzU4MDlaFw0zNDA4MTAyMzU4MDlaMIGGMQswCQYDVQQGEwJVUzELMAkG\nA1UECAwCTUExEDAOBgNVBAcMB0JlZGZvcmQxEDAOBgNVBAoMB0luZmVybm8xHTAb\nBgNVBAMMFEluZmVybm8tVURBUC1Sb290LUNBMScwJQYJKoZIhvcNAQkBFhhpbmZl\ncm5vQGdyb3Vwcy5taXRyZS5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK\nAoICAQC3Hz72FU3I4PFztBPpeDX7augTiw5KKMzEQWoOtsyx8de0lXLDaY13SugL\nwCduDei5WYaHat3/eAWnsvGb2VQjQOpfUTvdwnmvUSTAZH+EB+IPy/Jk2AbXtgGv\n8GcLsmjpZNiePvCrcOT28j9tTAdO8gKaIOg0XpYq/Kdyyecr1jMINKgUMOyoi//R\nQjzvx6dRq/YBegb2bEOe+YBUdo7EzAXZUAk48RelAq5b1vaqyhJeuOcxXxVCLjTi\nKN+Tje6FnmQkD/J7P05XlRFvoNxzp5X+92bcrZ+LcOjNy4wTxiT3f76e6DCMHRcM\n3QmhfU3cerv1pvb78peb0bKglzwdmquw+H6+UQrvmaCqCNWnVjmUzB1bgRxAc5YV\np18kHzNnUAoXHMU6+ZVHqvrbtNEBHYI5NUrgOCVBpFCRf53qRtfQjSIfJrKEoKvC\nvidDeW0YWy5FILZ50g+Auo/JvPLVUzm+qENN+y/at3LZx27VEoyZpi18DqbWWYNa\n+QnGow/rEf/fHRUrsTBhgttQ7/VhTr8M6KcsHLpqm7Ec6zPy6MvrFLowXsXWZGNq\nzhEb6YGHi9WzNDcsAILybRm4jDS07/1f1CJ6BJuQrPFDsVo4o0PhCsAWH5MqcL2V\nlKt/kfJxva83JoshB9zFNmtCdfuw/Mkl8i+OO5WR/vqIZNam9wIDAQABo3MwcTAd\nBgNVHQ4EFgQUNOqoPKju4u9y9JAuAfnSAcFbNKAwHwYDVR0jBBgwFoAUNOqoPKju\n4u9y9JAuAfnSAcFbNKAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAYYwEQYD\nVR0gBAowCDAGBgRVHSAAMA0GCSqGSIb3DQEBCwUAA4ICAQCbLfJy6q2r26iyKZ3x\nMNUorDfsiTWH8TspYBm6v3h4yn9U+9qbyBwsjCu0U2ns5VqHzw25jInW5FQbwZZV\nAiUYKNpn6gIWZKpWOaDYaMWB4Jv9BMLLsENkP6PM6XxAheBVj2WNrlXaOaBql7XQ\npkZ9TpX56Vim86Jk999o4idi4CWyaoZHXtwOGyKkOPp0xghg9VAX2y2xLYdBzgSs\nJW9P8+WIeIIbz3mpSlq0Aqh9LjneKW9wfinYEO/IxsMpOqAV54VtWJ9tMZtR8e83\ntNihJuWJvhA2rWXffh1/uPv7uA3Yge/a5vf+VfJn5MoSPn4X8ZRaJMmUFnyyvyzD\nK4fxAV2dCBjOsQtEU4pIWKwS8BopLdOcoM8Wyth+0KpxpCDTPBY0idxqU/Dg0wBe\n8YQ/mAN+cVZy2U0BoXEKlW49+czQ1wKAv4rzDJFTZUTudG+r4LmNFDPXnoiMwhni\nXkgFz1NO4YucWXBestvBSDgQ2BPFF2TkcGZl7bLk+WiGAhA/SxtLvHjIKqXwGYHG\nm8C45sJ7h0h0zdmd3/ImHWRd6D99k5eFyX5O2qNoa6v6w5rRqE7gZCe/0yZVpdth\nhhXWl1vLHPiRE5N+vRgOW1i66Ly2I7WwX965erNDxEgNCvgsP84FjbMs/2Xnb3Be\ntsGvVZ6GCrAl5XejmwQBzyZQQw==\n-----END CERTIFICATE-----\n"
+    },
+    {
+      "name": "udap_auth_code_flow_registration_grant_type",
+      "default": "authorization_code",
+      "description": "The OAuth2.0 grant type for which this client will register itself. A given client may register as either  option, but not both.",
+      "locked": true,
+      "options": {
+        "list_options": [
+          {
+            "label": "Authorization Code",
+            "value": "authorization_code"
+          },
+          {
+            "label": "Client Credentials",
+            "value": "client_credentials"
+          }
+        ]
+      },
+      "title": "Client Registration Grant Type",
+      "type": "radio",
+      "value": "authorization_code"
+    },
+    {
+      "name": "udap_auth_code_flow_client_registration_status",
+      "default": "new",
+      "description": "If the client's iss and certificate combination has already been registered with the authorization server prior to this test run, select 'Update'.",
+      "options": {
+        "list_options": [
+          {
+            "label": "New Registration (201 Response Code Expected)",
+            "value": "new"
+          },
+          {
+            "label": "Update Registration (200 or 201 Response Code Expected)",
+            "value": "update"
+          }
+        ]
+      },
+      "title": "Client Registration Status",
+      "type": "radio",
+      "value": "new"
+    },
+    {
+      "name": "udap_auth_code_flow_client_cert_pem",
+      "description": "A list of one or more X.509 certificates in PEM format separated by a newline. The first (leaf) certificate MUST represent the client entity Inferno will register as, and the trust chain that will be built from the provided certificate(s) must resolve to a CA trusted by the authorization server under test.",
+      "title": "Authorization Code Client Certificate(s) (PEM Format)",
+      "type": "textarea",
+      "value": "-----BEGIN CERTIFICATE-----\nMIIFcjCCA1qgAwIBAgIUbdCfB3IJ9bdOPGQVtxJHhMxUWv0wDQYJKoZIhvcNAQEL\nBQAwgYYxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEQMA4GA1UEBwwHQmVkZm9y\nZDEQMA4GA1UECgwHSW5mZXJubzEdMBsGA1UEAwwUSW5mZXJuby1VREFQLVJvb3Qt\nQ0ExJzAlBgkqhkiG9w0BCQEWGGluZmVybm9AZ3JvdXBzLm1pdHJlLm9yZzAeFw0y\nNDA4MTIyMzU4MTBaFw0zNDA4MTAyMzU4MTBaMGExCzAJBgNVBAYTAlVTMQswCQYD\nVQQIDAJNQTEQMA4GA1UEBwwHQmVkZm9yZDEQMA4GA1UECgwHSW5mZXJubzEhMB8G\nA1UEAwwYVURBUCBFeGFtcGxlIFRlc3QgQ2xpZW50MIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEAnfqzJCyeFNRhlcsrUPiO2LQtudObDHUKj4Q7fkYPUf9X\necTMckfPKd8UJ7x8Vb5o1zmR3hsMoo1A7IkwBkmK2BXvxq243cCGO1q4w/jdL/EG\nDiIZjTr7qvkawyeh9cAaApOrBlD4gnOxB05GjingDZgiT7GqBwrpEB2XJ4tw4idS\nB3W9Rv0ynbgqPKgGw9hnEef+uNAvFIvSbfdz1n4xHNP0GuMuAX+edFCyxYFmDe74\n8pl3TH9dxkoM945r5tHmuJS9n1pXkTB9L5RVbqH77dIyOBobehHHpT4D3zjdSFmh\nfta5NnDi5/iqRcFz7FVO79jJIoAqN+mWBlVH0yyfYQIDAQABo4H7MIH4MC8GA1Ud\nEQQoMCaGJGh0dHBzOi8vaW5mZXJuby5jb20vdWRhcF9zZWN1cml0eS9hYzAxBgNV\nHSUEKjAoBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBDA6\nBgNVHR8EMzAxMC+gLaArhilodHRwczovL2luZmVybm8uY29tL21vY2tfY3JsX2Vu\nZHBvaW50LmNybDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQU6Eo2\nHE37gpSaW9zBGf0t7XfYnfIwHwYDVR0jBBgwFoAUNOqoPKju4u9y9JAuAfnSAcFb\nNKAwDQYJKoZIhvcNAQELBQADggIBACh2uQ1Krkw6F3Gq0HG3ohCm2j1ynmLSJwGE\nHvPlkiBcs8RBPxZzJOZJBMxGmjTPga2Kt6zsBlmjLg++C7C5/8JruwrMtrBuTtHx\nKky0Qw+YJm81IgATeDIU/qkJB8LcnHgkQbu3nyoyeKocx9XSW8nlEm4FkyREXxfC\nrSVCoc70GGg2vSnSkRikNjxwKGnHvmEDUOW2bBbbzvTGKlTKSIF50NiNPM3Fi7vF\nbOfi1aZh6m8IKVaI2KUXVFHco1qB3QDK5BUEimko+EyaWSZPvP83PE2+TIdapRrw\nHxQQJEr774GUNH1/hdW0qlP4u3CMMMAjS2H4dOsRYOOmgC6iEewFEBQqTRLkEfgP\npMxYhGAVAmrglLLr4t+ZF9KOmifvB6f18qF352Bj1D0TMB+oLy67kFw3s2ah21la\n3Xm6hQt+M5mZ/EYZIOUPxMHtqVt5DSJdMENHO2cjcRARyeD/BGYnJqnf6yA1LL2V\nTK+jhC/C/Dcv0hHQnVWlUGlwoFMOOzfsr2K3mXYezAuHASP8LIAyjodPpd6cLQu2\nSZTVVobSebaNmZ2UeX8Bc9bcobM2bbVb2c3UeezEJWOpt5cSOeEScEiwkaktxD5p\nix1K3KkIg2yDP176ILlVqBBA0X2FqTSSvFbTa5us3XIwkDfARJBpLnA7OfmsO61+\nIj5io7+X\n-----END CERTIFICATE-----"
+    },
+    {
+      "name": "udap_auth_code_flow_client_private_key",
+      "description": "The private key corresponding to the client certificate used for registration, in PEM format.  Used to sign registration and/or authentication JWTs.",
+      "title": "Authorization Code Client Private Key (PEM Format)",
+      "type": "textarea",
+      "value": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCd+rMkLJ4U1GGV\nyytQ+I7YtC2505sMdQqPhDt+Rg9R/1d5xMxyR88p3xQnvHxVvmjXOZHeGwyijUDs\niTAGSYrYFe/GrbjdwIY7WrjD+N0v8QYOIhmNOvuq+RrDJ6H1wBoCk6sGUPiCc7EH\nTkaOKeANmCJPsaoHCukQHZcni3DiJ1IHdb1G/TKduCo8qAbD2GcR5/640C8Ui9Jt\n93PWfjEc0/Qa4y4Bf550ULLFgWYN7vjymXdMf13GSgz3jmvm0ea4lL2fWleRMH0v\nlFVuofvt0jI4Ght6EcelPgPfON1IWaF+1rk2cOLn+KpFwXPsVU7v2MkigCo36ZYG\nVUfTLJ9hAgMBAAECggEAApTpPosYHkEGQztpvs4BD5uKL8I8g2yaOpQvoLWmZHGm\nzU+hA7EWuplxq+CRq5kL/5BqSNXqU/G5AOSRC1lCUpuxKm8GWWFfEDNAV7uGadUn\ngy2de0heeoHNpSjNpcV451fgcJ78IK2hU/w8fPBEQBSfYuwFWk4cVu4U3UmTE68I\nO7PpCdTjk70IOsLT8uBagAOw92Fj0mGU7agCdWfJ+LjPRUtg+PhVvODatL3taG+l\nFAParsomiRqKGINyn8vALXNISuBYHVDUzv93P10gG5rA2sJ7953/+++Hr9DoLpmL\nSH/q/LebFzPJ2u6KzLc6bam1YX0w/MSNTJVIxA5V/QKBgQDU+iFXdShLwvEXGVtb\nFdZuRk3XsN+yfkFyM9SZrmaLF2VBALkC5pd+rYkXSaTA/cbs623VOYpoJhVmjL8d\nVvTlN/G+8TzfdsmOlAXiOSiUn3VKM/Othu5l9k0AgylU8aXBWTUv5FzmV8gMn+/s\n9oOucAVFa60LdkR2d609y/tKnwKBgQC95Gviall3E/+7drT05KxPPGDKRUjhCLBe\nBNj2+ttSt4+v+E5v3K+LSd11VfGkvLkDvkhjiJlVamf+XgLne3TLrEThAKq8ySUr\nXKBRi+nfmisUHSrMGljHw500Rx+MR/LEpfEERMosLQWTrOTz5VG2RueVHbWbD622\nWitr8tnV/wKBgGDYUNr9GlLBFXJEhIc5ueUxMOp4sm/u+4Gb0fwEEvsCq3dQhdCs\n3IytCp69TR65B4DqWWpRHP/Y+XhFXg5QYVHuC46hEeYnlOWxp69EAJD8pZAVaaQp\nrDRPOJqYCe5nZ9Ew6H+bnybbGcur2qTtP9nNdIgpu2lv4RfhubRVEjLPAoGAXqzb\nSSii8GbNMwcNU6gLbPn6e/6tRl1RqZ6bGhCadxREFIUlfko2T6kFPDIcZ3kceYxO\nhSme4WJK9RykMAtygPWj5daySauz13m4CNBMS4qO/dlI9DgSmY6i+2SWixd4J6lg\nkDNH5VyREj66bAuigNG7NrJ4UBYyEt/EFG8hQrsCgYEAyLwk7f2Wgu9ykdwSrrQE\nTBK0iOVUcwPhxj1UbFyDxPdO0EspyKtIFD5w/sbBtQbJGSUFd7ZPoCsYkT2yAsDp\n3cI/ubRxA+/GaqUo84QxvJ4Uqdu8YS8C0FCEnhXGjA60Y5HFzufJF5EqfzwNctCr\nG0cRyX/4Ut4BNUcir/CRVL0=\n-----END PRIVATE KEY-----"
+    },
+    {
+      "name": "udap_auth_code_flow_cert_iss",
+      "description": "MUST correspond to a unique URI entry in the Subject Alternative Name (SAN) extension of the client certificate used for registration.",
+      "title": "Authorization Code JWT Issuer (iss) Claim",
+      "type": "text",
+      "value": "<%= Inferno::Application['base_url'] %>/custom/udap_security/fhir"
+    },
+    {
+      "name": "udap_auth_code_flow_registration_scope",
+      "description": "String containing a space delimited list of scopes requested by the client application for use in subsequent requests. The Authorization Server MAY consider this list when deciding the scopes that it will allow the application to subsequently request. Apps requesting the \"authorization_code\" grant type SHOULD request user or patient scopes.",
+      "title": "Authorization Code Registration Requested Scope(s)",
+      "type": "text",
+      "value": "patient/*.read"
+    },
+    {
+      "name": "udap_jwt_signing_alg",
+      "default": "RS256",
+      "description": "Algorithm used to sign UDAP JSON Web Tokens (JWTs). UDAP Implementations SHALL support RS256.",
+      "locked": true,
+      "options": {
+        "list_options": [
+          {
+            "label": "RS256",
+            "value": "RS256"
+          }
+        ]
+      },
+      "title": "JWT Signing Algorithm",
+      "type": "radio",
+      "value": "RS256"
+    },
+    {
+      "name": "udap_auth_code_flow_registration_certifications",
+      "description": "Additional UDAP certifications to include in registration request, if required by the authorization server.  Include a space separated list of strings representing a Base64-encoded, signed JWT.",
+      "optional": true,
+      "title": "Authorization Code UDAP Registration Certifications",
+      "type": "textarea",
+      "value": ""
+    },
+    {
+      "name": "udap_authorization_code_request_scopes",
+      "description": "A list of space-separated scopes to include in the authorization request. If included, these may be equal to or a subset of the scopes requested during registration. If empty, scope will be omitted as a parameter to the authorization endpoint.",
+      "optional": true,
+      "title": "Scope Parameter for Authorization Request",
+      "type": "text",
+      "value": ""
+    },
+    {
+      "name": "udap_authorization_code_request_aud",
+      "description": "If selected, the Base FHIR URL will be used as the 'aud' parameter in the request to the authorization endpoint.",
+      "optional": true,
+      "options": {
+        "list_options": [
+          {
+            "label": "Include 'aud' parameter",
+            "value": "include_aud"
+          }
+        ]
+      },
+      "title": "Audience ('aud') Parameter for Authorization Request",
+      "type": "checkbox",
+      "value": "[]"
+    },
+    {
+      "name": "flow_type_client_creds",
+      "default": [
+        "client_credentials"
+      ],
+      "description": "Which grant type(s) must be supported per the returned Discovery metadata",
+      "locked": true,
+      "optional": "false",
+      "options": {
+        "list_options": [
+          {
+            "label": "Authorization Code",
+            "value": "authorization_code"
+          },
+          {
+            "label": "Client Credentials",
+            "value": "client_credentials"
+          }
+        ]
+      },
+      "title": "Required OAuth2.0 Flow Type for Client Credentials Workflow",
+      "type": "checkbox",
+      "value": "[\"client_credentials\"]"
+    },
+    {
+      "name": "udap_client_credentials_flow_registration_grant_type",
+      "default": "client_credentials",
+      "description": "The OAuth2.0 grant type for which this client will register itself. A given client may register as either  option, but not both.",
+      "locked": true,
+      "options": {
+        "list_options": [
+          {
+            "label": "Authorization Code",
+            "value": "authorization_code"
+          },
+          {
+            "label": "Client Credentials",
+            "value": "client_credentials"
+          }
+        ]
+      },
+      "title": "Client Registration Grant Type",
+      "type": "radio",
+      "value": "client_credentials"
+    },
+    {
+      "name": "udap_client_credentials_flow_client_registration_status",
+      "default": "new",
+      "description": "If the client's iss and certificate combination has already been registered with the authorization server prior to this test run, select 'Update'.",
+      "options": {
+        "list_options": [
+          {
+            "label": "New Registration (201 Response Code Expected)",
+            "value": "new"
+          },
+          {
+            "label": "Update Registration (200 or 201 Response Code Expected)",
+            "value": "update"
+          }
+        ]
+      },
+      "title": "Client Registration Status",
+      "type": "radio",
+      "value": "new"
+    },
+    {
+      "name": "udap_client_credentials_flow_client_cert_pem",
+      "description": "A list of one or more X.509 certificates in PEM format separated by a newline. The first (leaf) certificate MUST represent the client entity Inferno will register as, and the trust chain that will be built from the provided certificate(s) must resolve to a CA trusted by the authorization server under test.",
+      "title": "Client Credentials Client Certificate(s) (PEM Format)",
+      "type": "textarea",
+      "value": "-----BEGIN CERTIFICATE-----\nMIIFcjCCA1qgAwIBAgIUbdCfB3IJ9bdOPGQVtxJHhMxUWv0wDQYJKoZIhvcNAQEL\nBQAwgYYxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEQMA4GA1UEBwwHQmVkZm9y\nZDEQMA4GA1UECgwHSW5mZXJubzEdMBsGA1UEAwwUSW5mZXJuby1VREFQLVJvb3Qt\nQ0ExJzAlBgkqhkiG9w0BCQEWGGluZmVybm9AZ3JvdXBzLm1pdHJlLm9yZzAeFw0y\nNDA4MTIyMzU4MTBaFw0zNDA4MTAyMzU4MTBaMGExCzAJBgNVBAYTAlVTMQswCQYD\nVQQIDAJNQTEQMA4GA1UEBwwHQmVkZm9yZDEQMA4GA1UECgwHSW5mZXJubzEhMB8G\nA1UEAwwYVURBUCBFeGFtcGxlIFRlc3QgQ2xpZW50MIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEAnfqzJCyeFNRhlcsrUPiO2LQtudObDHUKj4Q7fkYPUf9X\necTMckfPKd8UJ7x8Vb5o1zmR3hsMoo1A7IkwBkmK2BXvxq243cCGO1q4w/jdL/EG\nDiIZjTr7qvkawyeh9cAaApOrBlD4gnOxB05GjingDZgiT7GqBwrpEB2XJ4tw4idS\nB3W9Rv0ynbgqPKgGw9hnEef+uNAvFIvSbfdz1n4xHNP0GuMuAX+edFCyxYFmDe74\n8pl3TH9dxkoM945r5tHmuJS9n1pXkTB9L5RVbqH77dIyOBobehHHpT4D3zjdSFmh\nfta5NnDi5/iqRcFz7FVO79jJIoAqN+mWBlVH0yyfYQIDAQABo4H7MIH4MC8GA1Ud\nEQQoMCaGJGh0dHBzOi8vaW5mZXJuby5jb20vdWRhcF9zZWN1cml0eS9hYzAxBgNV\nHSUEKjAoBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBDA6\nBgNVHR8EMzAxMC+gLaArhilodHRwczovL2luZmVybm8uY29tL21vY2tfY3JsX2Vu\nZHBvaW50LmNybDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQU6Eo2\nHE37gpSaW9zBGf0t7XfYnfIwHwYDVR0jBBgwFoAUNOqoPKju4u9y9JAuAfnSAcFb\nNKAwDQYJKoZIhvcNAQELBQADggIBACh2uQ1Krkw6F3Gq0HG3ohCm2j1ynmLSJwGE\nHvPlkiBcs8RBPxZzJOZJBMxGmjTPga2Kt6zsBlmjLg++C7C5/8JruwrMtrBuTtHx\nKky0Qw+YJm81IgATeDIU/qkJB8LcnHgkQbu3nyoyeKocx9XSW8nlEm4FkyREXxfC\nrSVCoc70GGg2vSnSkRikNjxwKGnHvmEDUOW2bBbbzvTGKlTKSIF50NiNPM3Fi7vF\nbOfi1aZh6m8IKVaI2KUXVFHco1qB3QDK5BUEimko+EyaWSZPvP83PE2+TIdapRrw\nHxQQJEr774GUNH1/hdW0qlP4u3CMMMAjS2H4dOsRYOOmgC6iEewFEBQqTRLkEfgP\npMxYhGAVAmrglLLr4t+ZF9KOmifvB6f18qF352Bj1D0TMB+oLy67kFw3s2ah21la\n3Xm6hQt+M5mZ/EYZIOUPxMHtqVt5DSJdMENHO2cjcRARyeD/BGYnJqnf6yA1LL2V\nTK+jhC/C/Dcv0hHQnVWlUGlwoFMOOzfsr2K3mXYezAuHASP8LIAyjodPpd6cLQu2\nSZTVVobSebaNmZ2UeX8Bc9bcobM2bbVb2c3UeezEJWOpt5cSOeEScEiwkaktxD5p\nix1K3KkIg2yDP176ILlVqBBA0X2FqTSSvFbTa5us3XIwkDfARJBpLnA7OfmsO61+\nIj5io7+X\n-----END CERTIFICATE-----"
+    },
+    {
+      "name": "udap_client_credentials_flow_client_private_key",
+      "description": "The private key corresponding to the client certificate used for registration, in PEM format.  Used to sign registration and/or authentication JWTs.",
+      "title": "Client Credentials Client Private Key (PEM Format)",
+      "type": "textarea",
+      "value": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCd+rMkLJ4U1GGV\nyytQ+I7YtC2505sMdQqPhDt+Rg9R/1d5xMxyR88p3xQnvHxVvmjXOZHeGwyijUDs\niTAGSYrYFe/GrbjdwIY7WrjD+N0v8QYOIhmNOvuq+RrDJ6H1wBoCk6sGUPiCc7EH\nTkaOKeANmCJPsaoHCukQHZcni3DiJ1IHdb1G/TKduCo8qAbD2GcR5/640C8Ui9Jt\n93PWfjEc0/Qa4y4Bf550ULLFgWYN7vjymXdMf13GSgz3jmvm0ea4lL2fWleRMH0v\nlFVuofvt0jI4Ght6EcelPgPfON1IWaF+1rk2cOLn+KpFwXPsVU7v2MkigCo36ZYG\nVUfTLJ9hAgMBAAECggEAApTpPosYHkEGQztpvs4BD5uKL8I8g2yaOpQvoLWmZHGm\nzU+hA7EWuplxq+CRq5kL/5BqSNXqU/G5AOSRC1lCUpuxKm8GWWFfEDNAV7uGadUn\ngy2de0heeoHNpSjNpcV451fgcJ78IK2hU/w8fPBEQBSfYuwFWk4cVu4U3UmTE68I\nO7PpCdTjk70IOsLT8uBagAOw92Fj0mGU7agCdWfJ+LjPRUtg+PhVvODatL3taG+l\nFAParsomiRqKGINyn8vALXNISuBYHVDUzv93P10gG5rA2sJ7953/+++Hr9DoLpmL\nSH/q/LebFzPJ2u6KzLc6bam1YX0w/MSNTJVIxA5V/QKBgQDU+iFXdShLwvEXGVtb\nFdZuRk3XsN+yfkFyM9SZrmaLF2VBALkC5pd+rYkXSaTA/cbs623VOYpoJhVmjL8d\nVvTlN/G+8TzfdsmOlAXiOSiUn3VKM/Othu5l9k0AgylU8aXBWTUv5FzmV8gMn+/s\n9oOucAVFa60LdkR2d609y/tKnwKBgQC95Gviall3E/+7drT05KxPPGDKRUjhCLBe\nBNj2+ttSt4+v+E5v3K+LSd11VfGkvLkDvkhjiJlVamf+XgLne3TLrEThAKq8ySUr\nXKBRi+nfmisUHSrMGljHw500Rx+MR/LEpfEERMosLQWTrOTz5VG2RueVHbWbD622\nWitr8tnV/wKBgGDYUNr9GlLBFXJEhIc5ueUxMOp4sm/u+4Gb0fwEEvsCq3dQhdCs\n3IytCp69TR65B4DqWWpRHP/Y+XhFXg5QYVHuC46hEeYnlOWxp69EAJD8pZAVaaQp\nrDRPOJqYCe5nZ9Ew6H+bnybbGcur2qTtP9nNdIgpu2lv4RfhubRVEjLPAoGAXqzb\nSSii8GbNMwcNU6gLbPn6e/6tRl1RqZ6bGhCadxREFIUlfko2T6kFPDIcZ3kceYxO\nhSme4WJK9RykMAtygPWj5daySauz13m4CNBMS4qO/dlI9DgSmY6i+2SWixd4J6lg\nkDNH5VyREj66bAuigNG7NrJ4UBYyEt/EFG8hQrsCgYEAyLwk7f2Wgu9ykdwSrrQE\nTBK0iOVUcwPhxj1UbFyDxPdO0EspyKtIFD5w/sbBtQbJGSUFd7ZPoCsYkT2yAsDp\n3cI/ubRxA+/GaqUo84QxvJ4Uqdu8YS8C0FCEnhXGjA60Y5HFzufJF5EqfzwNctCr\nG0cRyX/4Ut4BNUcir/CRVL0=\n-----END PRIVATE KEY-----"
+    },
+    {
+      "name": "udap_cert_iss_client_creds_flow",
+      "description": "MUST correspond to a unique URI entry in the Subject Alternative Name (SAN) extension of the client certificate used for registration.",
+      "title": "Client Credentials JWT Issuer (iss) Claim",
+      "type": "text",
+      "value": "<%= Inferno::Application['base_url'] %>/custom/udap_security/fhir"
+    },
+    {
+      "name": "udap_client_credentials_flow_registration_scope",
+      "description": "String containing a space delimited list of scopes requested by the client application for use in subsequent requests. The Authorization Server MAY consider this list when deciding the scopes that it will allow the application to subsequently request. Apps requesting the \"client_credentials\" grant type SHOULD request system scopes.",
+      "title": "Client Credentials Registration Requested Scope(s)",
+      "type": "text",
+      "value": "system/*.read"
+    },
+    {
+      "name": "udap_client_creds_flow_registration_certifications",
+      "description": "Additional UDAP certifications to include in registration request, if required by the authorization server.  Include a space separated list of strings representing a Base64-encoded, signed JWT.",
+      "optional": true,
+      "title": "Client Credentials UDAP Registration Certifications",
+      "type": "textarea",
+      "value": ""
+    }
+  ]
+}

data/lib/udap_security_test_kit/client_credentials_token_exchange_test.rb

@@ -94,7 +94,7 @@ module UDAPSecurityTestKit
       client_assertion_payload = UDAPClientAssertionPayloadBuilder.build(
         udap_client_id,
         udap_token_endpoint,
-        extensions.to_json
+        extensions
       )
 
       x5c_certs = UDAPJWTBuilder.split_user_input_cert_string(

data/lib/udap_security_test_kit/client_suite/access_ac_group.rb

@@ -0,0 +1,25 @@
+require_relative 'access_ac_interaction_test'
+require_relative 'authorization_request_verification_test'
+require_relative 'token_request_ac_verification_test'
+require_relative 'token_use_verification_test'
+
+module UDAPSecurityTestKit
+  class UDAPClientAccessAuthorizationCode < Inferno::TestGroup
+    id :udap_client_access_ac
+    title 'Client Access'
+    description %(
+      During these tests, the client system will access Inferno's simulated
+      FHIR server by requesting an access token using UDAP's authorization_code flow
+      and making a FHIR request presenting the access token. Inferno will then verify
+      that any requests made as a part of obtaining the token were conformant and that
+      a token returned from a token request was used on an access request.
+    )
+
+    run_as_group
+
+    test from: :udap_client_access_ac_interaction
+    test from: :udap_client_authorization_request_verification
+    test from: :udap_client_token_request_ac_verification
+    test from: :udap_client_token_use_verification
+  end
+end

data/lib/udap_security_test_kit/client_suite/access_ac_interaction_test.rb

@@ -0,0 +1,59 @@
+require_relative '../urls'
+require_relative '../endpoints/mock_udap_server'
+require_relative 'client_descriptions'
+
+module UDAPSecurityTestKit
+  class UDAPClientAccessAuthorizationCodeInteraction < Inferno::Test
+    include URLs
+    include ClientWaitDialogDescriptions
+
+    id :udap_client_access_ac_interaction
+    title 'Perform UDAP-secured Access'
+    description %(
+      During this test, Inferno will wait for the client to access data
+      using a UDAP token obtained during an earlier test.
+    )
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          locked: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION_LOCKED
+    input :launch_context,
+          title: 'Launch Context',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_LAUNCH_CONTEXT_DESCRIPTION
+    input :fhir_user_relative_reference,
+          title: 'FHIR User Relative Reference',
+          type: 'text',
+          optional: true,
+          description: INPUT_FHIR_USER_RELATIVE_REFERENCE
+    input :fhir_read_resources_bundle,
+          title: 'Available Resources',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_FHIR_READ_RESOURCES_BUNDLE_DESCRIPTION
+    input :echoed_fhir_response,
+          title: 'Default FHIR Response',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_ECHOED_FHIR_RESPONSE_DESCRIPTION
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
+    end
+
+    run do
+      message =
+        wait_dialog_authorization_code_access_prefix(client_id, client_fhir_base_url) +
+        wait_dialog_access_response_and_continue_suffix(client_id, client_resume_pass_url)
+
+      wait(
+        identifier: client_id,
+        message:
+      )
+    end
+  end
+end

data/lib/udap_security_test_kit/client_suite/access_cc_group.rb

@@ -0,0 +1,23 @@
+require_relative 'access_cc_interaction_test'
+require_relative 'token_request_cc_verification_test'
+require_relative 'token_use_verification_test'
+
+module UDAPSecurityTestKit
+  class UDAPClientAccessClientCredentials < Inferno::TestGroup
+    id :udap_client_access_cc
+    title 'Client Access'
+    description %(
+      During these tests, the client system will access Inferno's simulated
+      FHIR server by requesting an access token using UDAP's client_credentials flow
+      and making a FHIR request presenting the access token. Inferno will then verify
+      that any requests made as a part of obtaining the token were conformant and that
+      a token returned from a token request was used on an access request.
+    )
+
+    run_as_group
+
+    test from: :udap_client_access_cc_interaction
+    test from: :udap_client_token_request_cc_verification
+    test from: :udap_client_token_use_verification
+  end
+end

data/lib/udap_security_test_kit/client_suite/access_cc_interaction_test.rb

@@ -0,0 +1,49 @@
+require_relative '../urls'
+require_relative '../endpoints/mock_udap_server'
+require_relative 'client_descriptions'
+
+module UDAPSecurityTestKit
+  class UDAPClientAccessClientCredentialsInteraction < Inferno::Test
+    include URLs
+    include ClientWaitDialogDescriptions
+
+    id :udap_client_access_cc_interaction
+    title 'Perform UDAP-secured Access'
+    description %(
+      During this test, Inferno will wait for the client to access data
+      using a UDAP token obtained during an earlier test.
+    )
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          locked: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION_LOCKED
+    input :fhir_read_resources_bundle,
+          title: 'Available Resources',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_FHIR_READ_RESOURCES_BUNDLE_DESCRIPTION
+    input :echoed_fhir_response,
+          title: 'Default FHIR Response',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_ECHOED_FHIR_RESPONSE_DESCRIPTION
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
+    end
+
+    run do
+      message =
+        wait_dialog_client_credentials_access_prefix(client_id, client_fhir_base_url) +
+        wait_dialog_access_response_and_continue_suffix(client_id, client_resume_pass_url)
+
+      wait(
+        identifier: client_id,
+        message:
+      )
+    end
+  end
+end

data/lib/udap_security_test_kit/client_suite/authorization_request_verification_test.rb

@@ -0,0 +1,83 @@
+require_relative '../tags'
+require_relative '../urls'
+require_relative '../endpoints/mock_udap_server'
+require_relative 'client_descriptions'
+
+module UDAPSecurityTestKit
+  class UDAPClientAppLaunchAuthorizationRequestVerification < Inferno::Test
+    include URLs
+
+    id :udap_client_authorization_request_verification
+    title 'Verify UDAP Authorization Requests'
+    description %(
+      Check that UDAP authorization requests made are conformant.
+    )
+
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          locked: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION_LOCKED
+    input :udap_registration_jwt,
+          title: 'Registered UDAP Software Statement',
+          type: 'textarea',
+          locked: 'true',
+          description: INPUT_UDAP_REGISTRATION_JWT_DESCRIPTION_LOCKED
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
+    end
+
+    run do
+      load_tagged_requests(AUTHORIZATION_TAG, UDAP_TAG)
+      skip_if requests.blank?, 'No UDAP authorization requests made.'
+
+      requests.each_with_index do |authorization_request, index|
+        auth_code_request_params = MockUDAPServer.authorization_code_request_details(authorization_request)
+        check_request_params(auth_code_request_params, index + 1)
+      end
+
+      assert messages.none? { |msg|
+        msg[:type] == 'error'
+      }, 'Invalid authorization requests detected. See messages for details.'
+    end
+
+    def check_request_params(params, request_num) # rubocop:disable Metrics/CyclomaticComplexity
+      if params['response_type'] != 'code'
+        add_message('error',
+                    "Authorization request #{request_num} had an incorrect `response_type`: expected 'code', " \
+                    "but got '#{params['response_type']}'")
+      end
+      if params['client_id'] != client_id
+        add_message('error',
+                    "Authorization request #{request_num} had an incorrect `client_id`: expected #{client_id}, " \
+                    "but got '#{params['client_id']}'")
+      end
+      registration_body, _registration_header = JWT.decode(udap_registration_jwt, nil, false)
+      if params['redirect_uri'].present?
+        # must be a registered redirect_uri
+        unless registration_body['redirect_uris']&.include?(params['redirect_uri'])
+          add_message('error',
+                      "Authorization request #{request_num} had an invalid `redirect_uri`: expected one of " \
+                      "'#{registration_body['redirect_uris']&.join(', ')}', but got '#{params['redirect_uri']}'")
+        end
+      else
+        # can only be one registered redirect_uri
+        unless registration_body['redirect_uris']&.length == 1
+          add_message('error',
+                      "Authorization request #{request_num} had an invalid `redirect_uri`: expected one of " \
+                      "'#{registration_body['redirect_uris']&.join(', ')}', but got none")
+        end
+      end
+
+      if params['state'].blank?
+        add_message('warning',
+                    "Authorization request #{request_num} is missing the recommended `state` element")
+      end
+
+      nil
+    end
+  end
+end

data/lib/udap_security_test_kit/client_suite/client_descriptions.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require 'rack/utils'
+
+module UDAPSecurityTestKit
+  RE_RUN_REGISTRATION_SUFFIX =
+    'Create a new session and re-run the Client Registration group if you need to change this value.'
+  INPUT_CLIENT_ID_DESCRIPTION_LOCKED =
+    "The registered Client Id for use in obtaining access tokens. #{RE_RUN_REGISTRATION_SUFFIX}".freeze
+  INPUT_UDAP_REGISTRATION_JWT_DESCRIPTION_LOCKED =
+    "The software statement JWT provided during UDAP client registration. #{RE_RUN_REGISTRATION_SUFFIX}".freeze
+
+  INPUT_LAUNCH_CONTEXT_DESCRIPTION =
+    'Launch context details to be included in access token responses, specified as a JSON array. If provided, ' \
+    'the contents will be merged into Inferno\'s token responses.'
+  INPUT_FHIR_USER_RELATIVE_REFERENCE =
+    'A FHIR relative reference (<resource type>/<id>) for the FHIR user record to return when the openid ' \
+    'and fhirUser scopes are requested. Include this resource in the **Available Resources** input so ' \
+    'that it can be accessed via FHIR read.'
+  INPUT_FHIR_READ_RESOURCES_BUNDLE_DESCRIPTION =
+    'Resources to make available in Inferno\'s simulated FHIR server provided as a FHIR bundle. Each entry ' \
+    'must contain a resource with the id element populated. Each instance present will be available for ' \
+    'retrieval from Inferno at the endpoint: <fhir-base>/<resource type>/<instance id>. These will only ' \
+    'be available through the read interaction.'
+  INPUT_ECHOED_FHIR_RESPONSE_DESCRIPTION =
+    'JSON representation of a default FHIR resource for Inferno to echo when a request is made to the ' \
+    'simulated FHIR server. Reads targetting resources in the **Available Resources** input will return ' \
+    'that resource instead of this. Otherwise, the content here will be echoed back exactly and no check ' \
+    'will be made that it is appropriate for the request made. If nothing is provided, an OperationOutcome ' \
+    'indicating nothing to echo will be returned.'
+
+  module ClientWaitDialogDescriptions
+    def wait_dialog_client_credentials_access_prefix(client_id, fhir_base_url)
+      <<~PREFIX
+        **Access**
+
+        Use the registered client id (#{client_id}) to obtain an access
+        token using the [UDAP B2B client credentials flow](https://hl7.org/fhir/us/udap-security/STU1/b2b.html)
+        and use that token to access a FHIR endpoint under the simulated server's base URL
+
+        `#{fhir_base_url}`
+      PREFIX
+    end
+
+    def wait_dialog_authorization_code_access_prefix(client_id, fhir_base_url)
+      <<~PREFIX
+        **Access**
+
+        Use the registered client id (#{client_id}) to obtain an access
+        token using the UDAP [consumer-facing](https://hl7.org/fhir/us/udap-security/STU1/consumer.html)
+        or [B2B authorization code flow](https://hl7.org/fhir/us/udap-security/STU1/b2b.html)
+        and use that token to access a FHIR endpoint under the simulated server's base URL
+
+        `#{fhir_base_url}`
+      PREFIX
+    end
+
+    def wait_dialog_access_response_and_continue_suffix(client_id, resume_pass_url)
+      <<~SUFFIX
+        Inferno will respond to requests with either:
+        - A resource from the Bundle in the **Available Resources** input if the request is a read matching
+          a resource type and id found in the Bundle.
+        - Otherwise, the contents of the **Default FHIR Response** if provided.
+        - Otherwise, an OperationOutcome indicating nothing to echo.
+
+        [Click here](#{resume_pass_url}?token=#{client_id}) once you performed the data access.
+      SUFFIX
+    end
+  end
+end