udap_security_test_kit 0.11.2 → 0.11.4

data/lib/udap_security_test_kit/client_suite/client_options.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require_relative '../tags'
+
+module UDAPSecurityTestKit
+  module UDAPClientOptions
+    module_function
+
+    UDAP_AUTHORIZATION_CODE = "#{UDAP_TAG},#{AUTHORIZATION_CODE_TAG}".freeze
+    UDAP_CLIENT_CREDENTIALS = "#{UDAP_TAG},#{CLIENT_CREDENTIALS_TAG}".freeze
+
+    def oauth_flow(suite_options)
+      if suite_options[:client_type].include?(AUTHORIZATION_CODE_TAG)
+        AUTHORIZATION_CODE_TAG
+      elsif suite_options[:client_type].include?(CLIENT_CREDENTIALS_TAG)
+        CLIENT_CREDENTIALS_TAG
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/client_suite/oidc_jwks.json

@@ -0,0 +1,32 @@
+{
+	"keys": [
+		{
+			"kty": "RSA",
+			"use": "sig",
+			"key_ops": [
+				"verify"
+			],
+			"alg": "RS256",
+			"kid": "618e76fc7eb7c3401c7fd47b9af5e94d",
+			"n": "uoYzdYZQDp7yHTfY4XL1PFCFPfijG1rP2dNgMmsqKbm9qpMjiUuXCpdoOXWE838pcu3Ahi6L3dGgGS3Aeys3YrnF6h9uRTD1DHf-UWlOq4iPCzk26a-bBuyVZDVqS7Y5HsyF7i_UvYV1W0EaHSpAF911Vo_W_FVyiSkAZP1yN0ECbbjnSqxhaa44SGw90oh6XnyNBLu7a11aLCURkaRJOKXHj_vf8UyaD-IA9YkvM80St7QF6u6LRVYmCShbpfWRmejh_Swf4zdqcPl-duUsZE-OBysoTq92FaXr605igM30Rdkx8hs-HTwZtjn5hB3XNTiG2Wka1cUXKNyH59u8Yw",
+			"e": "AQAB"
+		},
+		{
+			"kty": "RSA",
+			"use": "sig",
+			"key_ops": [
+				"sign"
+			],
+			"alg": "RS256",
+			"kid": "618e76fc7eb7c3401c7fd47b9af5e94d",
+			"d": "k2SxDVHRuXwIvuX-0EjTWZIXeF0eJuOgE_VgsvbUHpzUMBKNplTBSnFSvvUK1o_J5TPTSzVE-UhJRxxMWghQgAdlShkEPlDtk6jOou6gaBRFVQ0lQ4ys6M_TTZiYIrQgdyIPQ6Uwa4MmtbHAPQPCGhm6O2j27fdnxtNLqIJO2zF9OzF4VP5_v63bbMfwbKECvB_bbcGLmJrq2ClI1iTOw-GawQ3I8sfwf52D3mb-qDJyQwtomNxf7EhvmGBC9u_8JVY48qsCCYWr2KAauID02WtCVepxM4ltKOLJb6BL5QpKmJ8svYLWjSZvNJSdk-EoB9grqechyDOIa2DuU9g-QQ",
+			"n": "uoYzdYZQDp7yHTfY4XL1PFCFPfijG1rP2dNgMmsqKbm9qpMjiUuXCpdoOXWE838pcu3Ahi6L3dGgGS3Aeys3YrnF6h9uRTD1DHf-UWlOq4iPCzk26a-bBuyVZDVqS7Y5HsyF7i_UvYV1W0EaHSpAF911Vo_W_FVyiSkAZP1yN0ECbbjnSqxhaa44SGw90oh6XnyNBLu7a11aLCURkaRJOKXHj_vf8UyaD-IA9YkvM80St7QF6u6LRVYmCShbpfWRmejh_Swf4zdqcPl-duUsZE-OBysoTq92FaXr605igM30Rdkx8hs-HTwZtjn5hB3XNTiG2Wka1cUXKNyH59u8Yw",
+			"e": "AQAB",
+			"p": "x3syoDXXDJne_-aSeHMm3muQ1KfIGewMhklvGNZ6LVTIJWUE5UYiGshABmgn86GfS-uZc_oUo3WcXiCLUlZSBqZFTIyXgy9y979VWA0whPCYcVSLzSGOiUtv3Ys4VGYCmGSuJnyLDp0CNN63Gf_iGpjCRbaPCPdRnyBgfSEvETs",
+			"q": "718z8hC_AQXrhQxvTsCEv7FXSX0Ev10Tjdq94DcsD91g34KTbrF9K9wtPfBUQaUx5Z2rMOTdLxbtHKvP-YQ4YMoQioA9qsclcnwdvKoRcRWim9oBnLa3Iuqttdwc9U2FWEQ4wqv16rsQw7URU4qlYkiVjrHvRJb8Nx_AJsA8Tvk",
+			"dp": "waDGDVj1exfIq-ClgCFWM0N5-9E4nGDR729MVXGqemH3PMUHsX0YEaMa8p0bWpMhStJPy5GNgvTgaUVxtuRvDmFKlvlJAF-IWw7vyl5TIFdhwW_tm5nc_0uoNAW1EcdK8Z2YpWbym6avw54DYUtNr79jo8OGp49ZPPpybkNNqo0",
+			"dq": "ge3mL02Br9d7yKNAQ7niFH75Ry1yB0FJXOVPzUWFSDM84vVoe1wh-k2vzQAHa_50ABO-GXMQz_-cwsRLxj9LrtXfdp43Wtxv6h2OspqJjx1UP05tM5hF_dDua1lH6qqiZ4_YU2qtuDTD28cL2ZHXRWrqqyLQIiXmTzGPxjjwQ1k",
+			"qi": "n3fMznRlCCwuoCq0kv4tL0cravVhcg33rA-CQXlIxgqj3h1yiBJ4p76pHceV6tvYsPyX3YsUKNOBP9HcxuHK3I3kFqMN5Y4C4r8dTE4fbJK9QT_guo_k_GKijNp0NDNCCeKxU78SRYvA527VY-3Z6TUC_K6O-5Pd6aPJN1QDtoA"
+		}
+	]
+}

data/lib/udap_security_test_kit/client_suite/oidc_jwks.rb

@@ -0,0 +1,27 @@
+require 'jwt'
+
+module UDAPSecurityTestKit
+  class OIDCJWKS
+    class << self
+      def jwks_json
+        @jwks_json ||=
+          JSON.pretty_generate(
+            { keys: jwks.export[:keys].select { |key| key[:key_ops]&.include?('verify') } }
+          )
+      end
+
+      def default_jwks_path
+        @default_jwks_path ||= File.join(__dir__, 'oidc_jwks.json')
+      end
+
+      def jwks_path
+        @jwks_path ||=
+          ENV.fetch('SIMULATED_OIDC_JWKS_PATH', default_jwks_path)
+      end
+
+      def jwks
+        @jwks ||= JWT::JWK::Set.new(JSON.parse(File.read(jwks_path)))
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/client_suite/registration_ac_group.rb

@@ -0,0 +1,18 @@
+require_relative 'registration_interaction_test'
+require_relative 'registration_ac_verification_test'
+
+module UDAPSecurityTestKit
+  class UDAPClientRegistrationAuthorizationCode < Inferno::TestGroup
+    id :udap_client_registration_ac
+    title 'Client Registration'
+    description %(
+      During these tests, the client system will dynamically register with Inferno's
+      simulated UDAP Server to use the authorization_code flow. At any time, the client
+      may perform UDAP discovery on the simulated Inferno UDAP server.
+    )
+    run_as_group
+
+    test from: :udap_client_registration_interaction
+    test from: :udap_client_registration_ac_verification
+  end
+end

data/lib/udap_security_test_kit/client_suite/registration_ac_verification_test.rb

@@ -0,0 +1,38 @@
+require_relative '../tags'
+require_relative '../urls'
+require_relative '../endpoints/mock_udap_server'
+require_relative 'registration_request_verification'
+
+module UDAPSecurityTestKit
+  class UDAPClientRegistrationAuthorizationCodeVerification < Inferno::Test
+    include URLs
+    include RegistrationRequestVerification
+
+    id :udap_client_registration_ac_verification
+    title 'Verify UDAP Authorization Code Registration'
+    description %(
+        During this test, Inferno will verify that the client's UDAP
+        registration request is conformant.
+      )
+    input :udap_client_uri
+    output :udap_registration_jwt
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
+    end
+
+    run do
+      client_registration_requests = load_registration_requests_for_client_uri(udap_client_uri)
+      skip_if client_registration_requests.empty?,
+              "No UDAP Registration Requests made for client uri '#{udap_client_uri}'."
+
+      verify_registration_request(AUTHORIZATION_CODE_TAG, client_registration_requests.last) # most recent if several
+
+      assert messages.none? { |msg|
+        msg[:type] == 'error'
+      }, 'Invalid registration request. See messages for details.'
+    end
+  end
+end

data/lib/udap_security_test_kit/client_suite/registration_cc_group.rb

@@ -0,0 +1,18 @@
+require_relative 'registration_interaction_test'
+require_relative 'registration_cc_verification_test'
+
+module UDAPSecurityTestKit
+  class UDAPClientRegistrationClientCredentials < Inferno::TestGroup
+    id :udap_client_registration_cc
+    title 'Client Registration'
+    description %(
+      During these tests, the client system will dynamically register with Inferno's
+      simulated UDAP Server to use the client_credentials flow. At any time, the client
+      may perform UDAP discovery on the simulated Inferno UDAP server.
+    )
+    run_as_group
+
+    test from: :udap_client_registration_interaction
+    test from: :udap_client_registration_cc_verification
+  end
+end

data/lib/udap_security_test_kit/client_suite/registration_cc_verification_test.rb

@@ -0,0 +1,38 @@
+require_relative '../tags'
+require_relative '../urls'
+require_relative '../endpoints/mock_udap_server'
+require_relative 'registration_request_verification'
+
+module UDAPSecurityTestKit
+  class UDAPClientRegistrationClientCredentialsVerification < Inferno::Test
+    include URLs
+    include RegistrationRequestVerification
+
+    id :udap_client_registration_cc_verification
+    title 'Verify UDAP Client Credentials Registration'
+    description %(
+        During this test, Inferno will verify that the client's UDAP
+        registration request is conformant.
+      )
+    input :udap_client_uri
+    output :udap_registration_jwt
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
+    end
+
+    run do
+      client_registration_requests = load_registration_requests_for_client_uri(udap_client_uri)
+      skip_if client_registration_requests.empty?,
+              "No UDAP Registration Requests made for client uri '#{udap_client_uri}'."
+
+      verify_registration_request(CLIENT_CREDENTIALS_TAG, client_registration_requests.last) # most recent if several
+
+      assert messages.none? { |msg|
+        msg[:type] == 'error'
+      }, 'Invalid registration request. See messages for details.'
+    end
+  end
+end

data/lib/udap_security_test_kit/client_suite/registration_interaction_test.rb

@@ -0,0 +1,57 @@
+require_relative '../urls'
+require_relative '../endpoints/mock_udap_server'
+
+module UDAPSecurityTestKit
+  class UDAPClientRegistrationInteraction < Inferno::Test
+    include URLs
+
+    id :udap_client_registration_interaction
+    title 'Perform UDAP Registration'
+    description %(
+        During this test, Inferno will wait for the client to register
+        themselves as a UDAP client with Inferno's simulated UDAP server
+        using UDAP dynamic registration.
+      )
+    input :udap_client_uri,
+          title: 'UDAP Client URI',
+          type: 'text',
+          description: %(
+            The UDAP Client URI that will be used to register with Inferno's simulated UDAP server.
+          )
+
+    output :client_id
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
+    end
+
+    run do
+      generated_client_id = MockUDAPServer.client_uri_to_client_id(udap_client_uri)
+      output client_id: generated_client_id
+
+      wait(
+        identifier: generated_client_id,
+        message: %(
+            **UDAP Registration**
+
+            Make a UDAP dyanmic registration request to the UDAP-protected FHIR Server at
+
+            `#{client_fhir_base_url}`
+
+            For Client URI
+
+            `#{udap_client_uri}`
+
+            Metadata on Inferno's simulated UDAP server can be found at
+
+            `#{client_udap_discovery_url}`
+
+            [Click here](#{client_resume_pass_url}?token=#{generated_client_id}) once you have
+            succesfully completed the registration.
+          )
+      )
+    end
+  end
+end

data/lib/udap_security_test_kit/client_suite/registration_request_verification.rb

@@ -0,0 +1,242 @@
+require_relative '../tags'
+require_relative '../urls'
+require_relative '../endpoints/mock_udap_server'
+
+module UDAPSecurityTestKit
+  module RegistrationRequestVerification
+    def load_registration_requests_for_client_uri(client_uri)
+      load_tagged_requests(UDAP_TAG, REGISTRATION_TAG)
+      requests.select do |reg_request|
+        registered_uri = MockUDAPServer.udap_client_uri_from_registration_payload(
+          MockUDAPServer.parsed_request_body(reg_request)
+        )
+        client_uri == registered_uri
+      end
+    end
+
+    def verify_registration_request(oauth_flow, verified_request)
+      parsed_body = MockUDAPServer.parsed_request_body(verified_request)
+      assert parsed_body.present?, 'Registration request body is not valid JSON.'
+
+      check_request_body(parsed_body)
+      check_software_statement(oauth_flow, parsed_body['software_statement'], verified_request.created_at)
+      output udap_registration_jwt: parsed_body['software_statement']
+    end
+
+    def check_request_body(request_body)
+      if request_body['udap'].blank?
+        add_message('error', '`udap` key with a value of `1` missing in the registration request')
+      elsif request_body['udap'] != '1'
+        add_message('error',
+                    'The registration request contained an incorrect `udap` value: expected `1`, ' \
+                    "got `#{request_body['udap']}`")
+      end
+
+      return unless request_body['certifications'].present?
+
+      request_body['certifications'].each_with_index do |certification_jwt, index|
+        JWT.decode(certification_jwt, nil, false)
+      rescue StandardError => e
+        add_message('error',
+                    "Certification #{index + 1} in the registration request is not a valid signed jwt: #{e}")
+      end
+    end
+
+    def check_software_statement(oauth_flow, software_statement_jwt, request_time)
+      unless software_statement_jwt.present?
+        add_message('error',
+                    'Registration is missing a `software_statement` key')
+        return
+      end
+
+      claims, _headers = begin
+        JWT.decode(software_statement_jwt, nil, false)
+      rescue StandardError => e
+        add_message('error',
+                    "Registration software statement does not follow the jwt structure: #{e}")
+        return
+      end
+
+      # headers checked with signature
+      check_software_statement_claims(oauth_flow, claims, request_time)
+      check_jwt_signature(software_statement_jwt)
+    end
+
+    def check_software_statement_claims(oauth_flow, claims, request_time) # rubocop:disable Metrics/CyclomaticComplexity
+      unless claims['iss'] == udap_client_uri
+        add_message('error',
+                    'Registration software statement `iss` claim is incorrect: ' \
+                    "expected '#{udap_client_uri}', got '#{claims['iss']}'")
+      end
+      unless claims['sub'] == udap_client_uri
+        add_message('error',
+                    'Registration software statement `sub` claim is incorrect: ' \
+                    "expected '#{udap_client_uri}', got '#{claims['sub']}'")
+      end
+      unless claims['aud'] == client_registration_url
+        add_message('error',
+                    'Registration software statement `aud` claim is incorrect: ' \
+                    "expected '#{client_registration_url}', got '#{claims['aud']}'")
+      end
+
+      check_software_statement_grant_types(oauth_flow, claims)
+      MockUDAPServer.check_jwt_timing(claims['iat'], claims['exp'], request_time)
+
+      add_message('error', 'Registration software statement `jti` claim is missing.') unless claims['jti'].present?
+      unless claims['client_name'].present?
+        add_message('error', 'Registration software statement `client_name` claim is missing.')
+      end
+      check_software_statement_contacts(claims['contacts'])
+      unless claims['token_endpoint_auth_method'] == 'private_key_jwt'
+        add_message('error', 'Registration software statement `token_endpoint_auth_method` claim is incorrect: ' \
+                             "expected `token_endpoint_auth_method`, got #{claims['token_endpoint_auth_method']}.")
+      end
+      add_message('error', 'Registration software statement `scope` claim is missing.') unless claims['scope'].present?
+
+      nil
+    end
+
+    def check_software_statement_contacts(contacts)
+      unless contacts.present?
+        add_message('error', 'Registration software statement `contacts` claim is missing.')
+        return
+      end
+      unless contacts.is_a?(Array)
+        add_message('error', 'Registration software statement `contacts` claim is missing.')
+        return
+      end
+      unless contacts.find { |contact| valid_uri?(contact, required_scheme: 'mailto') }.present?
+        add_message('error', 'Registration software statement `contacts` claim has no ' \
+                             'valid `mailto` uri entry.')
+      end
+
+      nil
+    end
+
+    def check_software_statement_grant_types(oauth_flow, claims) # rubocop:disable Metrics/CyclomaticComplexity
+      unless claims['grant_types'].present?
+        add_message('error', 'Registration software statement `grant_types` claim is missing')
+        return
+      end
+
+      unless claims['grant_types'].is_a?(Array)
+        add_message('error', 'Registration software statement `grant_types` claim must be a list.')
+        return
+      end
+
+      has_client_credentials = claims['grant_types'].include?('client_credentials')
+      has_authorization_code = claims['grant_types'].include?('authorization_code')
+
+      unless has_client_credentials || has_authorization_code
+        add_message('error', 'Registration software statement `grant_types` claim must contain one of ' \
+                             "'authorization_code' or 'client_credentials'")
+        return
+      end
+
+      if has_client_credentials && has_authorization_code
+        add_message('error', 'Registration software statement `grant_types` claim cannot contain both ' \
+                             "'authorization_code' and 'client_credentials'")
+      end
+
+      extra_grants = claims['grant_types'].reject do |grant|
+        ['client_credentials', 'authorization_code', 'refresh_token'].include?(grant)
+      end
+      unless extra_grants.blank?
+        add_message('error', 'Registration software statement `grant_types` claim cannot contain values beyond ' \
+                             "'authorization_code', 'client_credentials', and 'refresh_token")
+      end
+
+      if oauth_flow == CLIENT_CREDENTIALS_TAG && !has_client_credentials
+        add_message('error', 'Registration software statement `grant_types` must contain ' \
+                             "''client_credentials' when testing the client credentials flow.")
+      end
+      if oauth_flow == AUTHORIZATION_CODE_TAG && !has_authorization_code
+        add_message('error', 'Registration software statement `grant_types` must contain ' \
+                             "''authorization_code' when testing the authorization code flow.")
+      end
+      check_client_credentials_software_statement(claims) if has_client_credentials
+      check_authorization_code_software_statement(claims) if has_authorization_code
+
+      nil
+    end
+
+    def check_authorization_code_software_statement(claims) # rubocop:disable Metrics/CyclomaticComplexity
+      if claims['redirect_uris'].blank?
+        add_message('error', 'Registration software statement `redirect_uris` must be present when ' \
+                             "the 'authorization_code' `grant_type` is requested.")
+      elsif !claims['redirect_uris'].is_a?(Array)
+        add_message('error', 'Registration software statement `redirect_uris` must be a list when ' \
+                             "the 'authorization_code' `grant_type` is requested.")
+      else
+        claims['redirect_uris'].each_with_index do |redirect_uri, index|
+          unless valid_uri?(redirect_uri, required_scheme: 'https')
+            add_message('error', "Registration software statement `redirect_uris` entry #{index + 1} is invalid: " \
+                                 "'#{redirect_uri}' is not a valid https uri.")
+          end
+        end
+      end
+
+      if claims['logo_uri'].blank?
+        add_message('error', 'Registration software statement `logo_uri` must be present when ' \
+                             "the 'authorization_code' `grant_type` is requested.")
+      else
+        unless valid_uri?(claims['logo_uri'], required_scheme: 'https')
+          add_message('error', 'Registration software statement `logo_uri` is invalid: ' \
+                               "'#{claims['logo_uri']}' is not a valid https uri.")
+        end
+        unless ['gif', 'jpg', 'jpeg', 'png'].include?(claims['logo_uri'].split('.').last.downcase)
+          add_message('error', 'Registration software statement `logo_uri` is invalid: it must point to a ' \
+                               'PNG, JPG, or GIF file.')
+        end
+      end
+
+      if claims['response_types'].blank?
+        add_message('error', 'Registration software statement `response_types` must be present when ' \
+                             "the 'authorization_code' `grant_type` is requested.")
+      else
+        unless claims['response_types'].is_a?(Array) &&
+               claims['response_types'].size == 1 &&
+               claims['response_types'][0] == 'code'
+          add_message('error', 'Registration software statement `response_types` claim is invalid: ' \
+                               "must contain exactly one entry with the value 'code'.")
+        end
+      end
+
+      nil
+    end
+
+    def check_client_credentials_software_statement(claims)
+      unless claims['redirect_uris'].nil?
+        add_message('error', 'Registration software statement `redirect_uris` must not be present when ' \
+                             "the 'client_credentials' `grant_type` is requested.")
+      end
+
+      unless claims['response_types'].nil?
+        add_message('error', 'Registration software statement `response_types` must not be present when ' \
+                             "the 'client_credentials' `grant_type` is requested.")
+      end
+
+      if claims['grant_types'].include?('refresh_token')
+        add_message('error', "Registration software statement `response_types` cannot contain 'refresh_token' when " \
+                             "the 'client_credentials' `grant_type` is requested.")
+      end
+
+      nil
+    end
+
+    def check_jwt_signature(jwt)
+      error = MockUDAPServer.udap_reg_signature_verification(jwt)
+
+      return unless error.present?
+
+      add_message('error', "Signature validation failed on registration request: #{error}")
+    end
+
+    def valid_uri?(url, required_scheme: nil)
+      uri = URI.parse(url)
+      required_scheme.blank? || uri.scheme == required_scheme
+    rescue URI::InvalidURIError
+      false
+    end
+  end
+end

data/lib/udap_security_test_kit/client_suite/token_request_ac_verification_test.rb

@@ -0,0 +1,49 @@
+require_relative '../tags'
+require_relative '../urls'
+require_relative '../endpoints/mock_udap_server'
+require_relative 'client_descriptions'
+require_relative 'client_options'
+require_relative 'token_request_verification'
+
+module UDAPSecurityTestKit
+  class UDAPClientTokenRequestAuthorizationCodeVerification < Inferno::Test
+    include URLs
+    include TokenRequestVerification
+
+    id :udap_client_token_request_ac_verification
+    title 'Verify UDAP Authorization Code Token Requests'
+    description %(
+      Check that UDAP token requests are conformant.
+    )
+
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          locked: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION_LOCKED
+    input :udap_registration_jwt,
+          title: 'Registered UDAP Software Statement',
+          type: 'textarea',
+          locked: 'true',
+          description: INPUT_UDAP_REGISTRATION_JWT_DESCRIPTION_LOCKED
+    output :udap_tokens
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
+    end
+
+    run do
+      load_tagged_requests(TOKEN_TAG, UDAP_TAG, AUTHORIZATION_CODE_TAG)
+      skip_if requests.blank?, 'No UDAP token requests made.'
+      load_tagged_requests(TOKEN_TAG, UDAP_TAG, REFRESH_TOKEN_TAG) # verify refresh_requests as well
+
+      verify_token_requests(AUTHORIZATION_CODE_TAG)
+
+      assert messages.none? { |msg|
+        msg[:type] == 'error'
+      }, 'Invalid token requests received. See messages for details.'
+    end
+  end
+end

data/lib/udap_security_test_kit/client_suite/token_request_cc_verification_test.rb

@@ -0,0 +1,49 @@
+require_relative '../tags'
+require_relative '../urls'
+require_relative '../endpoints/mock_udap_server'
+require_relative 'client_descriptions'
+require_relative 'client_options'
+require_relative 'token_request_verification'
+
+module UDAPSecurityTestKit
+  class UDAPClientTokenRequestClientCredentialsVerification < Inferno::Test
+    include URLs
+    include TokenRequestVerification
+
+    id :udap_client_token_request_cc_verification
+    title 'Verify UDAP Client Credentials Token Requests'
+    description %(
+      Check that UDAP token requests are conformant.
+    )
+
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          locked: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION_LOCKED
+    input :udap_registration_jwt,
+          title: 'Registered UDAP Software Statement',
+          type: 'textarea',
+          locked: 'true',
+          description: INPUT_UDAP_REGISTRATION_JWT_DESCRIPTION_LOCKED
+    output :udap_tokens
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
+    end
+
+    run do
+      load_tagged_requests(TOKEN_TAG, UDAP_TAG, CLIENT_CREDENTIALS_TAG)
+      skip_if requests.blank?, 'No UDAP token requests made.'
+      load_tagged_requests(TOKEN_TAG, UDAP_TAG, REFRESH_TOKEN_TAG) # verify refresh_requests as well (shouldn't be any)
+
+      verify_token_requests(CLIENT_CREDENTIALS_TAG)
+
+      assert messages.none? { |msg|
+        msg[:type] == 'error'
+      }, 'Invalid token requests received. See messages for details.'
+    end
+  end
+end