udap_security_test_kit 0.11.3 → 0.11.4

data/lib/udap_security_test_kit/client_suite/{client_registration_verification_test.rb → registration_request_verification.rb}

@@ -3,35 +3,24 @@ require_relative '../urls'
 require_relative '../endpoints/mock_udap_server'
 
 module UDAPSecurityTestKit
-  class UDAPClientRegistrationVerification < Inferno::Test
-    include URLs
-
-    id :udap_client_registration_verification
-    title 'Verify UDAP Registration'
-    description %(
-        During this test, Inferno will verify that the client's UDAP
-        registration request is conformant.
-      )
-    input :udap_client_uri,
-          optional: false
-
-    run do
-      omit_if udap_client_uri.blank?, # for re-use: mark the udap_client_uri input as optional when importing to enable
-              'Not configured for UDAP authentication.'
-
+  module RegistrationRequestVerification
+    def load_registration_requests_for_client_uri(client_uri)
       load_tagged_requests(UDAP_TAG, REGISTRATION_TAG)
-      skip_if requests.empty?, 'No UDAP Registration Requests made.'
+      requests.select do |reg_request|
+        registered_uri = MockUDAPServer.udap_client_uri_from_registration_payload(
+          MockUDAPServer.parsed_request_body(reg_request)
+        )
+        client_uri == registered_uri
+      end
+    end
 
-      verified_request = requests.last
+    def verify_registration_request(oauth_flow, verified_request)
       parsed_body = MockUDAPServer.parsed_request_body(verified_request)
       assert parsed_body.present?, 'Registration request body is not valid JSON.'
 
       check_request_body(parsed_body)
-      check_software_statement(parsed_body['software_statement'], verified_request.created_at)
-
-      assert messages.none? { |msg|
-        msg[:type] == 'error'
-      }, 'Invalid registration request. See messages for details.'
+      check_software_statement(oauth_flow, parsed_body['software_statement'], verified_request.created_at)
+      output udap_registration_jwt: parsed_body['software_statement']
     end
 
     def check_request_body(request_body)
@@ -46,14 +35,14 @@ module UDAPSecurityTestKit
       return unless request_body['certifications'].present?
 
       request_body['certifications'].each_with_index do |certification_jwt, index|
-        JWT.decond(certification_jwt)
+        JWT.decode(certification_jwt, nil, false)
       rescue StandardError => e
         add_message('error',
                     "Certification #{index + 1} in the registration request is not a valid signed jwt: #{e}")
       end
     end
 
-    def check_software_statement(software_statement_jwt, request_time)
+    def check_software_statement(oauth_flow, software_statement_jwt, request_time)
       unless software_statement_jwt.present?
         add_message('error',
                     'Registration is missing a `software_statement` key')
@@ -69,11 +58,11 @@ module UDAPSecurityTestKit
       end
 
       # headers checked with signature
-      check_software_statement_claims(claims, request_time)
+      check_software_statement_claims(oauth_flow, claims, request_time)
       check_jwt_signature(software_statement_jwt)
     end
 
-    def check_software_statement_claims(claims, request_time) # rubocop:disable Metrics/CyclomaticComplexity
+    def check_software_statement_claims(oauth_flow, claims, request_time) # rubocop:disable Metrics/CyclomaticComplexity
       unless claims['iss'] == udap_client_uri
         add_message('error',
                     'Registration software statement `iss` claim is incorrect: ' \
@@ -90,7 +79,7 @@ module UDAPSecurityTestKit
                     "expected '#{client_registration_url}', got '#{claims['aud']}'")
       end
 
-      check_software_statement_grant_types(claims)
+      check_software_statement_grant_types(oauth_flow, claims)
       MockUDAPServer.check_jwt_timing(claims['iat'], claims['exp'], request_time)
 
       add_message('error', 'Registration software statement `jti` claim is missing.') unless claims['jti'].present?
@@ -124,7 +113,7 @@ module UDAPSecurityTestKit
       nil
     end
 
-    def check_software_statement_grant_types(claims) # rubocop:disable Metrics/CyclomaticComplexity
+    def check_software_statement_grant_types(oauth_flow, claims) # rubocop:disable Metrics/CyclomaticComplexity
       unless claims['grant_types'].present?
         add_message('error', 'Registration software statement `grant_types` claim is missing')
         return
@@ -157,6 +146,14 @@ module UDAPSecurityTestKit
                              "'authorization_code', 'client_credentials', and 'refresh_token")
       end
 
+      if oauth_flow == CLIENT_CREDENTIALS_TAG && !has_client_credentials
+        add_message('error', 'Registration software statement `grant_types` must contain ' \
+                             "''client_credentials' when testing the client credentials flow.")
+      end
+      if oauth_flow == AUTHORIZATION_CODE_TAG && !has_authorization_code
+        add_message('error', 'Registration software statement `grant_types` must contain ' \
+                             "''authorization_code' when testing the authorization code flow.")
+      end
       check_client_credentials_software_statement(claims) if has_client_credentials
       check_authorization_code_software_statement(claims) if has_authorization_code
 
@@ -165,35 +162,36 @@ module UDAPSecurityTestKit
 
     def check_authorization_code_software_statement(claims) # rubocop:disable Metrics/CyclomaticComplexity
       if claims['redirect_uris'].blank?
-        add_message('error', 'Registration software statement `redirect_uris` must be present when' \
+        add_message('error', 'Registration software statement `redirect_uris` must be present when ' \
                              "the 'authorization_code' `grant_type` is requested.")
       elsif !claims['redirect_uris'].is_a?(Array)
-        add_message('error', 'Registration software statement `redirect_uris` must be a list when' \
+        add_message('error', 'Registration software statement `redirect_uris` must be a list when ' \
                              "the 'authorization_code' `grant_type` is requested.")
       else
-        claims['redirect_uris'].each do |redirect_uri|
+        claims['redirect_uris'].each_with_index do |redirect_uri, index|
           unless valid_uri?(redirect_uri, required_scheme: 'https')
             add_message('error', "Registration software statement `redirect_uris` entry #{index + 1} is invalid: " \
-                                 'it is not a valid https uri.')
+                                 "'#{redirect_uri}' is not a valid https uri.")
           end
         end
       end
 
       if claims['logo_uri'].blank?
-        add_message('error', 'Registration software statement `logo_uri` must be present when' \
+        add_message('error', 'Registration software statement `logo_uri` must be present when ' \
                              "the 'authorization_code' `grant_type` is requested.")
       else
         unless valid_uri?(claims['logo_uri'], required_scheme: 'https')
-          add_message('error', 'Registration software statement `logo_uri` is invalid: it is not a valid https uri.')
+          add_message('error', 'Registration software statement `logo_uri` is invalid: ' \
+                               "'#{claims['logo_uri']}' is not a valid https uri.")
         end
-        unless ['gif', 'jpg', 'jpeg', 'png'].include?(claims['logo_uri'].split['.'].last.downcase)
+        unless ['gif', 'jpg', 'jpeg', 'png'].include?(claims['logo_uri'].split('.').last.downcase)
           add_message('error', 'Registration software statement `logo_uri` is invalid: it must point to a ' \
                                'PNG, JPG, or GIF file.')
         end
       end
 
       if claims['response_types'].blank?
-        add_message('error', 'Registration software statement `response_types` must be present when' \
+        add_message('error', 'Registration software statement `response_types` must be present when ' \
                              "the 'authorization_code' `grant_type` is requested.")
       else
         unless claims['response_types'].is_a?(Array) &&
@@ -209,17 +207,17 @@ module UDAPSecurityTestKit
 
     def check_client_credentials_software_statement(claims)
       unless claims['redirect_uris'].nil?
-        add_message('error', 'Registration software statement `redirect_uris` must not be present when' \
+        add_message('error', 'Registration software statement `redirect_uris` must not be present when ' \
                              "the 'client_credentials' `grant_type` is requested.")
       end
 
       unless claims['response_types'].nil?
-        add_message('error', 'Registration software statement `response_types` must not be present when' \
+        add_message('error', 'Registration software statement `response_types` must not be present when ' \
                              "the 'client_credentials' `grant_type` is requested.")
       end
 
       if claims['grant_types'].include?('refresh_token')
-        add_message('error', "Registration software statement `response_types` cannot contain 'refresh_token' when" \
+        add_message('error', "Registration software statement `response_types` cannot contain 'refresh_token' when " \
                              "the 'client_credentials' `grant_type` is requested.")
       end
 

data/lib/udap_security_test_kit/client_suite/token_request_ac_verification_test.rb

@@ -0,0 +1,49 @@
+require_relative '../tags'
+require_relative '../urls'
+require_relative '../endpoints/mock_udap_server'
+require_relative 'client_descriptions'
+require_relative 'client_options'
+require_relative 'token_request_verification'
+
+module UDAPSecurityTestKit
+  class UDAPClientTokenRequestAuthorizationCodeVerification < Inferno::Test
+    include URLs
+    include TokenRequestVerification
+
+    id :udap_client_token_request_ac_verification
+    title 'Verify UDAP Authorization Code Token Requests'
+    description %(
+      Check that UDAP token requests are conformant.
+    )
+
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          locked: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION_LOCKED
+    input :udap_registration_jwt,
+          title: 'Registered UDAP Software Statement',
+          type: 'textarea',
+          locked: 'true',
+          description: INPUT_UDAP_REGISTRATION_JWT_DESCRIPTION_LOCKED
+    output :udap_tokens
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
+    end
+
+    run do
+      load_tagged_requests(TOKEN_TAG, UDAP_TAG, AUTHORIZATION_CODE_TAG)
+      skip_if requests.blank?, 'No UDAP token requests made.'
+      load_tagged_requests(TOKEN_TAG, UDAP_TAG, REFRESH_TOKEN_TAG) # verify refresh_requests as well
+
+      verify_token_requests(AUTHORIZATION_CODE_TAG)
+
+      assert messages.none? { |msg|
+        msg[:type] == 'error'
+      }, 'Invalid token requests received. See messages for details.'
+    end
+  end
+end

data/lib/udap_security_test_kit/client_suite/token_request_cc_verification_test.rb

@@ -0,0 +1,49 @@
+require_relative '../tags'
+require_relative '../urls'
+require_relative '../endpoints/mock_udap_server'
+require_relative 'client_descriptions'
+require_relative 'client_options'
+require_relative 'token_request_verification'
+
+module UDAPSecurityTestKit
+  class UDAPClientTokenRequestClientCredentialsVerification < Inferno::Test
+    include URLs
+    include TokenRequestVerification
+
+    id :udap_client_token_request_cc_verification
+    title 'Verify UDAP Client Credentials Token Requests'
+    description %(
+      Check that UDAP token requests are conformant.
+    )
+
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          locked: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION_LOCKED
+    input :udap_registration_jwt,
+          title: 'Registered UDAP Software Statement',
+          type: 'textarea',
+          locked: 'true',
+          description: INPUT_UDAP_REGISTRATION_JWT_DESCRIPTION_LOCKED
+    output :udap_tokens
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
+    end
+
+    run do
+      load_tagged_requests(TOKEN_TAG, UDAP_TAG, CLIENT_CREDENTIALS_TAG)
+      skip_if requests.blank?, 'No UDAP token requests made.'
+      load_tagged_requests(TOKEN_TAG, UDAP_TAG, REFRESH_TOKEN_TAG) # verify refresh_requests as well (shouldn't be any)
+
+      verify_token_requests(CLIENT_CREDENTIALS_TAG)
+
+      assert messages.none? { |msg|
+        msg[:type] == 'error'
+      }, 'Invalid token requests received. See messages for details.'
+    end
+  end
+end

data/lib/udap_security_test_kit/client_suite/{client_token_request_verification_test.rb → token_request_verification.rb}

@@ -1,59 +1,34 @@
-require_relative '../tags'
-require_relative '../urls'
-require_relative '../endpoints/mock_udap_server'
-
 module UDAPSecurityTestKit
-  class UDAPClientTokenRequestVerification < Inferno::Test
-    include URLs
-
-    id :udap_client_token_request_verification
-    title 'Verify UDAP Token Requests'
-    description %(
-      Check that UDAP token requests are conformant.
-    )
-
-    output :udap_demonstrated
-    output :udap_tokens
-
-    run do
-      load_tagged_requests(REGISTRATION_TAG, UDAP_TAG)
-      output udap_demonstrated: requests.present? ? 'Yes' : 'No'
-      omit_if requests.blank?, 'UDAP Authentication not demonstrated as a part of this test session.'
-      registration_request = requests.last
-      registration_assertion = MockUDAPServer.parsed_request_body(registration_request)['software_statement']
+  module TokenRequestVerification
+    def verify_token_requests(oauth_flow)
       registration_token =
         begin
-          JWT::EncodedToken.new(registration_assertion)
+          JWT::EncodedToken.new(udap_registration_jwt)
         rescue StandardError => e
           assert false, "Registration request parsing failed: #{e}"
         end
-      registered_client_id = JSON.parse(registration_request.response_body)['client_id']
-
-      requests.clear
-      load_tagged_requests(TOKEN_TAG, UDAP_TAG)
-      skip_if requests.blank?, 'No UDAP token requests made.'
 
       jti_list = []
       token_list = []
       requests.each_with_index do |token_request, index|
         request_params = URI.decode_www_form(token_request.request_body).to_h
-        check_request_params(request_params, index + 1)
-        check_client_assertion(request_params['client_assertion'], index + 1, jti_list, registration_token,
-                               registered_client_id, token_request.created_at)
+        if request_params['grant_type'] == 'refresh_token'
+          check_refresh_request_params(oauth_flow, request_params, index + 1)
+        else
+          check_request_params(oauth_flow, request_params, index + 1)
+        end
+        check_client_assertion(oauth_flow, request_params['client_assertion'], index + 1, jti_list, registration_token,
+                               client_id, token_request.created_at)
         token_list << extract_token_from_response(token_request)
       end
 
       output udap_tokens: token_list.compact.join("\n")
-
-      assert messages.none? { |msg|
-        msg[:type] == 'error'
-      }, 'Invalid token requests detected. See messages for details.'
     end
 
-    def check_request_params(params, request_num)
-      if params['grant_type'] != 'client_credentials'
+    def check_request_params(oauth_flow, params, request_num)
+      if params['grant_type'] != oauth_flow
         add_message('error',
-                    "Token request #{request_num} had an incorrect `grant_type`: expected 'client_credentials', " \
+                    "Token request #{request_num} had an incorrect `grant_type`: expected '#{oauth_flow}', " \
                     "but got '#{params['grant_type']}'")
       end
       if params['client_assertion_type'] != 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
@@ -62,15 +37,52 @@ module UDAPSecurityTestKit
                     "expected 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer', " \
                     "but got '#{params['client_assertion_type']}'")
       end
-      return unless params['udap'].to_s != '1'
+      unless params['udap'].to_s == '1'
+        add_message('error',
+                    "Token request #{request_num} had an incorrect `udap`: " \
+                    "expected '1', " \
+                    "but got '#{params['udap']}'")
+      end
+
+      check_authorization_code_request_params(params, request_num) if oauth_flow == AUTHORIZATION_CODE_TAG
+
+      nil
+    end
+
+    def check_authorization_code_request_params(params, request_num)
+      if params['code'].present?
+
+        authorization_request = MockUDAPServer.authorization_request_for_code(params['code'], test_session_id)
+
+        if authorization_request.present?
+          authorization_body = MockUDAPServer.authorization_code_request_details(authorization_request)
+
+          if params['redirect_uri'] != authorization_body['redirect_uri']
+            add_message('error', "Authorization code token request #{request_num} included an incorrect " \
+                                 "`redirect_uri` value: expected '#{authorization_body['redirect_uri']} " \
+                                 "but got '#{params['redirect_uri']}'")
+          end
 
-      add_message('error',
-                  "Token request #{request_num} had an incorrect `udap`: " \
-                  "expected '1', " \
-                  "but got '#{params['udap']}'")
+          return unless params['code_verifier'].present? # optional in UDAP
+
+          pkce_error = MockUDAPServer.pkce_error(params['code_verifier'],
+                                                 authorization_body['code_challenge'],
+                                                 authorization_body['code_challenge_method'])
+          if pkce_error.present?
+            add_message('error', 'Error performing pkce verification on the `code_verifier` value in ' \
+                                 "authorization code token request #{request_num}: #{pkce_error}")
+          end
+        else
+          add_message('error', "Authorization code token request #{request_num} included a code not " \
+                               "issued during this test session: '#{params['code']}'")
+        end
+      else
+        add_message('error', "Authorization code token request #{request_num} missing a `code`")
+      end
     end
 
-    def check_client_assertion(assertion, request_num, jti_list, registration_token, registered_client_id, request_time)
+    def check_client_assertion(oauth_flow, assertion, request_num, jti_list, registration_token, registered_client_id,
+                               request_time)
       decoded_token =
         begin
           JWT::EncodedToken.new(assertion)
@@ -82,11 +94,11 @@ module UDAPSecurityTestKit
       return unless decoded_token.present?
 
       # header checked with signature
-      check_jwt_payload(decoded_token.payload, request_num, jti_list, registered_client_id, request_time)
+      check_jwt_payload(oauth_flow, decoded_token.payload, request_num, jti_list, registered_client_id, request_time)
       check_jwt_signature(decoded_token, registration_token, request_num)
     end
 
-    def check_jwt_payload(claims, request_num, jti_list, registered_client_id, request_time) # rubocop:disable Metrics/CyclomaticComplexity
+    def check_jwt_payload(oauth_flow, claims, request_num, jti_list, registered_client_id, request_time) # rubocop:disable Metrics/CyclomaticComplexity
       if claims['iss'] != registered_client_id
         add_message('error', "client assertion jwt on token request #{request_num} has an incorrect `iss` claim: " \
                              "expected '#{registered_client_id}', got '#{claims['iss']}'")
@@ -113,6 +125,8 @@ module UDAPSecurityTestKit
         jti_list << claims['jti']
       end
 
+      return unless oauth_flow == CLIENT_CREDENTIALS_TAG
+
       if claims['extensions'].present?
         if claims['extensions'].is_a?(Hash)
           check_b2b_auth_extension(claims.dig('extensions', 'hl7-b2b'), request_num)
@@ -174,5 +188,36 @@ module UDAPSecurityTestKit
     rescue StandardError
       nil
     end
+
+    def check_refresh_request_params(oauth_flow, params, request_num)
+      if oauth_flow == CLIENT_CREDENTIALS_TAG
+        add_message('error',
+                    "Invalid refresh request #{request_num} found during client_credentials flow.")
+        return
+      end
+
+      if params['grant_type'] != 'refresh_token'
+        add_message('error',
+                    "Refresh request #{request_num} had an incorrect `grant_type`: expected 'refresh_token', " \
+                    "but got '#{params['grant_type']}'")
+      end
+      if params['client_assertion_type'] != 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
+        add_message('error',
+                    "Token refresh request #{request_num} had an incorrect " \
+                    "`client_assertion_type`: expected 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer', " \
+                    "but got '#{params['client_assertion_type']}'")
+      end
+
+      authorization_code = MockUDAPServer.refresh_token_to_authorization_code(params['refresh_token'])
+      authorization_request = MockUDAPServer.authorization_request_for_code(authorization_code, test_session_id)
+      if authorization_request.present?
+        # TODO: - check that the scope is a subset of the original authorization code request
+      else
+        add_message('error', "Authorization code token refresh request #{request_num} included a refresh token not " \
+                             "issued during this test session: '#{params['refresh_token']}'")
+      end
+
+      nil
+    end
   end
 end

data/lib/udap_security_test_kit/client_suite/{client_token_use_verification_test.rb → token_use_verification_test.rb}

@@ -10,7 +10,6 @@ module UDAPSecurityTestKit
         authentication.
       )
 
-    input :udap_demonstrated # from test :udap_client_token_request_verification based on registrations
     input :udap_tokens,
           optional: true
 
@@ -21,8 +20,6 @@ module UDAPSecurityTestKit
     end
 
     run do
-      omit_if udap_demonstrated == 'No', 'UDAP Authentication not demonstrated as a part of this test session.'
-
       access_requests = access_request_tags.map do |access_request_tag|
         load_tagged_requests(access_request_tag).reject { |access| access.status == 401 }
       end.flatten

data/lib/udap_security_test_kit/client_suite.rb

@@ -1,9 +1,12 @@
-require_relative 'endpoints/mock_udap_server/registration'
-require_relative 'endpoints/mock_udap_server/token'
-require_relative 'endpoints/echoing_fhir_responder'
+require_relative 'endpoints/mock_udap_server/registration_endpoint'
+require_relative 'endpoints/mock_udap_server/authorization_endpoint'
+require_relative 'endpoints/mock_udap_server/token_endpoint'
+require_relative 'endpoints/echoing_fhir_responder_endpoint'
 require_relative 'urls'
-require_relative 'client_suite/client_registration_group'
-require_relative 'client_suite/client_access_group'
+require_relative 'client_suite/registration_ac_group'
+require_relative 'client_suite/registration_cc_group'
+require_relative 'client_suite/access_ac_group'
+require_relative 'client_suite/access_cc_group'
 
 module UDAPSecurityTestKit
   class UDAPSecurityClientTestSuite < Inferno::TestSuite
@@ -34,8 +37,30 @@ module UDAPSecurityTestKit
       }
     ]
 
+    suite_option :client_type,
+                 title: 'UDAP Client Type',
+                 list_options: [
+                   {
+                     label: 'UDAP Authorization Code Client',
+                     value: UDAPClientOptions::UDAP_AUTHORIZATION_CODE
+                   },
+                   {
+                     label: 'UDAP Client Credentials Client',
+                     value: UDAPClientOptions::UDAP_CLIENT_CREDENTIALS
+                   }
+                 ]
+
     route(:get, UDAP_DISCOVERY_PATH, ->(_env) { MockUDAPServer.udap_server_metadata(id) })
+    route(:get, OIDC_DISCOVERY_PATH, ->(_env) { MockUDAPServer.openid_connect_metadata(id) })
+    route(
+      :get,
+      OIDC_JWKS_PATH,
+      ->(_env) { [200, { 'Content-Type' => 'application/json' }, [OIDCJWKS.jwks_json]] }
+    )
+
     suite_endpoint :post, REGISTRATION_PATH, MockUDAPServer::RegistrationEndpoint
+    suite_endpoint :get, AUTHORIZATION_PATH, MockUDAPServer::AuthorizationEndpoint
+    suite_endpoint :post, AUTHORIZATION_PATH, MockUDAPServer::AuthorizationEndpoint
     suite_endpoint :post, TOKEN_PATH, MockUDAPServer::TokenEndpoint
     suite_endpoint :get, FHIR_PATH, EchoingFHIRResponderEndpoint
     suite_endpoint :post, FHIR_PATH, EchoingFHIRResponderEndpoint
@@ -62,17 +87,21 @@ module UDAPSecurityTestKit
       request.query_parameters['token']
     end
 
-    group do
-      title 'UDAP Client Credentials Flow'
-      description %(
-        During these tests, the client will use the UDAP Client Credentials
-        flow as specified in the [B2B section of the IG](https://hl7.org/fhir/us/udap-security/STU1/b2b.html)
-        to access a FHIR API. Clients will register, obtain an access token,
-        and use the access token when making a request to a FHIR API.
-      )
-
-      group from: :udap_client_registration
-      group from: :udap_client_access
-    end
+    group from: :udap_client_registration_ac,
+          required_suite_options: {
+            client_type: UDAPClientOptions::UDAP_AUTHORIZATION_CODE
+          }
+    group from: :udap_client_registration_cc,
+          required_suite_options: {
+            client_type: UDAPClientOptions::UDAP_CLIENT_CREDENTIALS
+          }
+    group from: :udap_client_access_ac,
+          required_suite_options: {
+            client_type: UDAPClientOptions::UDAP_AUTHORIZATION_CODE
+          }
+    group from: :udap_client_access_cc,
+          required_suite_options: {
+            client_type: UDAPClientOptions::UDAP_CLIENT_CREDENTIALS
+          }
   end
 end