udap_security_test_kit 0.11.2 → 0.11.4

data/lib/udap_security_test_kit/endpoints/echoing_fhir_responder_endpoint.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+require_relative '../urls'
+require_relative '../tags'
+require_relative 'mock_udap_server'
+
+module UDAPSecurityTestKit
+  class EchoingFHIRResponderEndpoint < Inferno::DSL::SuiteEndpoint
+    def test_run_identifier
+      MockUDAPServer.issued_token_to_client_id(request.headers['authorization']&.delete_prefix('Bearer '))
+    end
+
+    def make_response
+      return if response.status == 401 # set in update_result (expired token handling there)
+
+      response.content_type = 'application/fhir+json'
+      response.headers['Access-Control-Allow-Origin'] = '*'
+      response.status = 200
+
+      # look for read of provided resources
+      read_response = tester_provided_read_response_body
+      if read_response.present?
+        response.body = read_response.to_json
+        return
+      end
+
+      # If the tester provided a response, echo it
+      # otherwise, operation outcome
+      echo_response = JSON.parse(result.input_json)
+        .find { |input| input['name'].include?('echoed_fhir_response') }
+        &.dig('value')
+      if echo_response.present?
+        response.body = echo_response
+        return
+      end
+
+      response.status = 400
+      response.body = FHIR::OperationOutcome.new(
+        issue: FHIR::OperationOutcome::Issue.new(
+          severity: 'fatal', code: 'required',
+          details: FHIR::CodeableConcept.new(text: 'No response provided to echo.')
+        )
+      ).to_json
+    end
+
+    def update_result
+      if MockUDAPServer.request_has_expired_token?(request)
+        MockUDAPServer.update_response_for_expired_token(response, 'Bearer token')
+        return
+      end
+
+      nil # never update for now
+    end
+
+    def tags
+      [ACCESS_TAG]
+    end
+
+    def tester_provided_read_response_body
+      resource_type = request.params[:one]
+      id = request.params[:two]
+
+      return unless resource_type.present? && id.present?
+
+      resource_type_class =
+        begin
+          FHIR.const_get(resource_type)
+        rescue NameError
+          nil
+        end
+      return unless resource_type_class.present?
+
+      resource_bundle = ehr_input_bundle
+      return unless resource_bundle.present?
+
+      find_resource_in_bundle(resource_bundle, resource_type_class, id)
+    end
+
+    def ehr_input_bundle
+      ehr_bundle_input =
+        JSON.parse(result.input_json).find { |input| input['name'] == 'fhir_read_resources_bundle' }&.dig('value')
+      ehr_bundle = FHIR.from_contents(ehr_bundle_input) if ehr_bundle_input.present?
+      return ehr_bundle if ehr_bundle.is_a?(FHIR::Bundle)
+
+      nil
+    rescue StandardError
+      nil
+    end
+
+    def find_resource_in_bundle(bundle, resource_type_class, id)
+      bundle.entry&.find do |entry|
+        entry.resource.is_a?(resource_type_class) && entry.resource.id == id
+      end&.resource
+    end
+  end
+end

data/lib/udap_security_test_kit/endpoints/mock_udap_server/authorization_endpoint.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require_relative '../../tags'
+require_relative 'udap_authorization_response_creation'
+
+module UDAPSecurityTestKit
+  module MockUDAPServer
+    class AuthorizationEndpoint < Inferno::DSL::SuiteEndpoint
+      include UDAPAuthorizationResponseCreation
+
+      def test_run_identifier
+        request.params[:client_id]
+      end
+
+      def make_response
+        make_udap_authorization_response
+      end
+
+      def update_result
+        nil # never update for now
+      end
+
+      def tags
+        [AUTHORIZATION_TAG, AUTHORIZATION_CODE_TAG, UDAP_TAG]
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/endpoints/mock_udap_server/registration_endpoint.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require_relative '../../tags'
+require_relative '../mock_udap_server'
+require_relative 'udap_registration_response_creation'
+
+module UDAPSecurityTestKit
+  module MockUDAPServer
+    class RegistrationEndpoint < Inferno::DSL::SuiteEndpoint
+      include UDAPRegistrationResponseCreation
+
+      def test_run_identifier
+        MockUDAPServer.client_uri_to_client_id(
+          MockUDAPServer.udap_client_uri_from_registration_payload(MockUDAPServer.parsed_io_body(request))
+        )
+      end
+
+      def make_response
+        make_udap_registration_response
+      end
+
+      def update_result
+        nil # never update for now
+      end
+
+      def tags
+        [REGISTRATION_TAG, UDAP_TAG]
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/endpoints/mock_udap_server/token_endpoint.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require_relative '../../tags'
+require_relative '../../urls'
+require_relative '../mock_udap_server'
+require_relative 'udap_token_response_creation'
+
+module UDAPSecurityTestKit
+  module MockUDAPServer
+    class TokenEndpoint < Inferno::DSL::SuiteEndpoint
+      include UDAPTokenResponseCreation
+      include URLs
+
+      def test_run_identifier
+        case request.params[:grant_type]
+        when CLIENT_CREDENTIALS_TAG
+          MockUDAPServer.client_id_from_client_assertion(request.params[:client_assertion])
+        when AUTHORIZATION_CODE_TAG
+          MockUDAPServer.issued_token_to_client_id(request.params[:code])
+        when REFRESH_TOKEN_TAG
+          MockUDAPServer.issued_token_to_client_id(
+            MockUDAPServer.refresh_token_to_authorization_code(request.params[:refresh_token])
+          )
+        end
+      end
+
+      def make_response
+        case request.params[:grant_type]
+        when CLIENT_CREDENTIALS_TAG
+          make_udap_client_credential_token_response
+        when AUTHORIZATION_CODE_TAG
+          make_udap_authorization_code_token_response
+        when REFRESH_TOKEN_TAG
+          make_udap_refresh_token_response
+        else
+          MockUDAPServer.update_response_for_error(
+            response,
+            "unsupported grant_type: #{request.params[:grant_type]}"
+          )
+        end
+      end
+
+      def update_result
+        nil # never update for now
+      end
+
+      def tags
+        tags = [TOKEN_TAG, UDAP_TAG]
+        if [CLIENT_CREDENTIALS_TAG, AUTHORIZATION_CODE_TAG, REFRESH_TOKEN_TAG].include?(request.params[:grant_type])
+          tags << request.params[:grant_type]
+        end
+        tags
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/endpoints/mock_udap_server/udap_authorization_response_creation.rb

@@ -0,0 +1,63 @@
+require 'jwt'
+require_relative '../mock_udap_server'
+
+module UDAPSecurityTestKit
+  module MockUDAPServer
+    module UDAPAuthorizationResponseCreation
+      def make_udap_authorization_response
+        redirect_uri = request.params[:redirect_uri]
+        registered_redirect_uri_list = udap_registered_redirect_uris
+
+        if redirect_uri.blank?
+          # need one from the registered list
+          if registered_redirect_uri_list.blank?
+            response.status = 400
+            response.body = {
+              error: 'Bad request',
+              message: 'Missing required redirect_uri parameter with no default provided in the registration.'
+            }.to_json
+            response.content_type = 'application/json'
+            return
+          elsif registered_redirect_uri_list.length > 1
+            response.status = 400
+            response.body = {
+              error: 'Bad request',
+              message: 'Missing required redirect_uri parameter with multiple options provided in the registration.'
+            }.to_json
+            response.content_type = 'application/json'
+            return
+          else
+            redirect_uri = registered_redirect_uri_list.first
+          end
+        end
+
+        client_id = request.params[:client_id]
+        state = request.params[:state]
+
+        exp_min = 10
+        token = MockUDAPServer.client_id_to_token(client_id, exp_min)
+        code_query_string = "code=#{ERB::Util.url_encode(token)}"
+        query_string =
+          if state.present?
+            "#{code_query_string}&state=#{ERB::Util.url_encode(state)}"
+          else
+            code_query_string
+          end
+        response.headers['Location'] = "#{redirect_uri}#{redirect_uri.include?('?') ? '&' : '?'}#{query_string}"
+        response.status = 302
+      end
+
+      def udap_registered_redirect_uris
+        registered_software_statement = MockUDAPServer.udap_registration_software_statement(test_run.test_session_id)
+        return unless registered_software_statement.present?
+
+        registration_jwt_body, _registration_jwt_header = JWT.decode(registered_software_statement, nil, false)
+        return [] unless registration_jwt_body['redirect'].present?
+        return registration_jwt_body['redirect'] if registration_jwt_body['redirect'].is_a?(Array)
+
+        # invalid registration, but we'll succeed here and fail during registration verification
+        [registration_jwt_body['redirect']]
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/endpoints/mock_udap_server/udap_registration_response_creation.rb

@@ -0,0 +1,28 @@
+require_relative '../mock_udap_server'
+
+module UDAPSecurityTestKit
+  module MockUDAPServer
+    module UDAPRegistrationResponseCreation
+      def make_udap_registration_response
+        parsed_body = MockUDAPServer.parsed_io_body(request)
+        client_id = MockUDAPServer.client_uri_to_client_id(
+          MockUDAPServer.udap_client_uri_from_registration_payload(parsed_body)
+        )
+        ss_jwt = MockUDAPServer.udap_software_statement_jwt(parsed_body)
+
+        response_body = {
+          client_id:,
+          software_statement: ss_jwt
+        }
+        response_body.merge!(MockUDAPServer.jwt_claims(ss_jwt).except(['iss', 'sub', 'exp', 'iat', 'jti']))
+
+        response.body = response_body.to_json
+        response.headers['Cache-Control'] = 'no-store'
+        response.headers['Pragma'] = 'no-cache'
+        response.headers['Access-Control-Allow-Origin'] = '*'
+        response.content_type = 'application/json'
+        response.status = 201
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/endpoints/mock_udap_server/udap_token_response_creation.rb

@@ -0,0 +1,218 @@
+require_relative '../../urls'
+require_relative '../../tags'
+require_relative '../mock_udap_server'
+require_relative '../../client_suite/oidc_jwks'
+
+module UDAPSecurityTestKit
+  module MockUDAPServer
+    module UDAPTokenResponseCreation
+      def make_udap_authorization_code_token_response # rubocop:disable Metrics/CyclomaticComplexity
+        authorization_code = request.params[:code]
+        client_id = MockUDAPServer.issued_token_to_client_id(authorization_code)
+        software_statement = MockUDAPServer.udap_registration_software_statement(test_run.test_session_id)
+        return unless udap_authenticated?(request.params[:client_assertion], software_statement)
+
+        if MockUDAPServer.token_expired?(authorization_code)
+          MockUDAPServer.update_response_for_expired_token(response, 'Authorization code')
+          return
+        end
+
+        return if request.params[:code_verifier].present? && !udap_pkce_valid?(authorization_code)
+
+        exp_min = 60
+        response_body = {
+          access_token: MockUDAPServer.client_id_to_token(client_id, exp_min),
+          token_type: 'Bearer',
+          expires_in: 60 * exp_min
+        }
+
+        launch_context =
+          begin
+            input_string = JSON.parse(result.input_json)&.find do |input|
+              input['name'] == 'launch_context'
+            end&.dig('value')
+            JSON.parse(input_string) if input_string.present?
+          rescue JSON::ParserError
+            nil
+          end
+        additional_context = udap_requested_scope_context(udap_registered_scope(software_statement), authorization_code,
+                                                          launch_context)
+
+        response.body = additional_context.merge(response_body).to_json # response body values take priority
+        response.headers['Cache-Control'] = 'no-store'
+        response.headers['Pragma'] = 'no-cache'
+        response.headers['Access-Control-Allow-Origin'] = '*'
+        response.content_type = 'application/json'
+        response.status = 200
+      end
+
+      def make_udap_refresh_token_response # rubocop:disable Metrics/CyclomaticComplexity
+        refresh_token = request.params[:refresh_token]
+        authorization_code = MockUDAPServer.refresh_token_to_authorization_code(refresh_token)
+        client_id = MockUDAPServer.issued_token_to_client_id(authorization_code)
+        software_statement = MockUDAPServer.udap_registration_software_statement(test_run.test_session_id)
+        return unless udap_authenticated?(request.params[:client_assertion], software_statement)
+
+        # no expiration checks for refresh tokens
+
+        authorization_request = MockUDAPServer.authorization_request_for_code(authorization_code,
+                                                                              test_run.test_session_id)
+        if authorization_request.blank?
+          MockUDAPServer.update_response_for_error(
+            response,
+            "no authorization request found for refresh token #{refresh_token}"
+          )
+          return
+        end
+        auth_code_request_inputs = MockUDAPServer.authorization_code_request_details(authorization_request)
+        if auth_code_request_inputs.blank?
+          MockUDAPServer.update_response_for_error(
+            response,
+            'invalid authorization request details'
+          )
+          return
+        end
+
+        exp_min = 60
+        response_body = {
+          access_token: MockUDAPServer.client_id_to_token(client_id, exp_min),
+          token_type: 'Bearer',
+          expires_in: 60 * exp_min
+        }
+
+        launch_context =
+          begin
+            input_string = JSON.parse(result.input_json)&.find do |input|
+              input['name'] == 'launch_context'
+            end&.dig('value')
+            JSON.parse(input_string) if input_string.present?
+          rescue JSON::ParserError
+            nil
+          end
+        additional_context = udap_requested_scope_context(udap_registered_scope(software_statement), authorization_code,
+                                                          launch_context)
+
+        response.body = additional_context.merge(response_body).to_json # response body values take priority
+        response.headers['Cache-Control'] = 'no-store'
+        response.headers['Pragma'] = 'no-cache'
+        response.headers['Access-Control-Allow-Origin'] = '*'
+        response.content_type = 'application/json'
+        response.status = 200
+      end
+
+      def make_udap_client_credential_token_response
+        assertion = request.params[:client_assertion]
+        client_id = MockUDAPServer.client_id_from_client_assertion(assertion)
+        software_statement = MockUDAPServer.udap_registration_software_statement(test_run.test_session_id)
+        return unless udap_authenticated?(request.params[:client_assertion], software_statement)
+
+        exp_min = 60
+        response_body = {
+          access_token: MockUDAPServer.client_id_to_token(client_id, exp_min),
+          token_type: 'Bearer',
+          expires_in: 60 * exp_min
+        }
+
+        response.body = response_body.to_json
+        response.headers['Cache-Control'] = 'no-store'
+        response.headers['Pragma'] = 'no-cache'
+        response.headers['Access-Control-Allow-Origin'] = '*'
+        response.content_type = 'application/json'
+        response.status = 200
+      end
+
+      def udap_authenticated?(assertion, software_statement)
+        signature_error = MockUDAPServer.udap_token_signature_verification(assertion, software_statement)
+
+        if signature_error.present?
+          MockUDAPServer.update_response_for_error(response, signature_error)
+          return false
+        end
+
+        true
+      end
+
+      def udap_requested_scope_context(requested_scopes, authorization_code, launch_context)
+        context = launch_context.present? ? launch_context : {}
+        scopes_list = requested_scopes&.split || []
+
+        if scopes_list.include?('offline_access') || scopes_list.include?('online_access')
+          context[:refresh_token] = MockUDAPServer.authorization_code_to_refresh_token(authorization_code)
+        end
+
+        context[:id_token] = udap_construct_id_token(scopes_list.include?('fhirUser')) if scopes_list.include?('openid')
+
+        context
+      end
+
+      def udap_construct_id_token(include_fhir_user) # rubocop:disable Metrics/CyclomaticComplexity
+        client_id = JSON.parse(result.input_json)&.find do |input|
+          input['name'] == 'client_id'
+        end&.dig('value')
+        fhir_user_relative_reference = JSON.parse(result.input_json)&.find do |input|
+          input['name'] == 'fhir_user_relative_reference'
+        end&.dig('value')
+
+        subject_id = if fhir_user_relative_reference.present?
+                       fhir_user_relative_reference.downcase.gsub('/', '-')
+                     else
+                       SecureRandom.uuid
+                     end
+
+        claims = {
+          iss: client_fhir_base_url,
+          sub: subject_id,
+          aud: client_id,
+          exp: 1.year.from_now.to_i,
+          iat: Time.now.to_i
+        }
+        if include_fhir_user && fhir_user_relative_reference.present?
+          claims[:fhirUser] = "#{client_fhir_base_url}/#{fhir_user_relative_reference}"
+        end
+
+        algorithm = 'RS256'
+        private_key = OIDCJWKS.jwks
+          .select { |key| key[:key_ops]&.include?('sign') }
+          .select { |key| key[:alg] == algorithm }
+          .first
+
+        JWT.encode claims, private_key.signing_key, algorithm, { alg: algorithm, kid: private_key.kid, typ: 'JWT' }
+      end
+
+      def udap_pkce_valid?(authorization_code)
+        authorization_request = MockUDAPServer.authorization_request_for_code(authorization_code,
+                                                                              test_run.test_session_id)
+        if authorization_request.blank?
+          MockUDAPServer.update_response_for_error(
+            response,
+            "Could not check code_verifier: no authorization request found that returned code #{authorization_code}"
+          )
+          return false
+        end
+        auth_code_request_inputs = MockUDAPServer.authorization_code_request_details(authorization_request)
+        if auth_code_request_inputs.blank?
+          MockUDAPServer.update_response_for_error(
+            response,
+            "Could not check code_verifier: invalid authorization request details for code #{authorization_code}"
+          )
+          return false
+        end
+
+        verifier = request.params[:code_verifier]
+        challenge = auth_code_request_inputs&.dig('code_challenge')
+        method = auth_code_request_inputs&.dig('code_challenge_method')
+        MockUDAPServer.pkce_valid?(verifier, challenge, method, response)
+      end
+
+      def udap_registered_scope(software_statement_jwt)
+        claims, _headers = begin
+          JWT.decode(software_statement_jwt, nil, false)
+        rescue StandardError
+          return nil
+        end
+
+        claims['scope']
+      end
+    end
+  end
+end