udap_security_test_kit 0.11.3 → 0.11.4

data/lib/udap_security_test_kit/endpoints/mock_udap_server/udap_token_response_creation.rb

@@ -0,0 +1,218 @@
+require_relative '../../urls'
+require_relative '../../tags'
+require_relative '../mock_udap_server'
+require_relative '../../client_suite/oidc_jwks'
+
+module UDAPSecurityTestKit
+  module MockUDAPServer
+    module UDAPTokenResponseCreation
+      def make_udap_authorization_code_token_response # rubocop:disable Metrics/CyclomaticComplexity
+        authorization_code = request.params[:code]
+        client_id = MockUDAPServer.issued_token_to_client_id(authorization_code)
+        software_statement = MockUDAPServer.udap_registration_software_statement(test_run.test_session_id)
+        return unless udap_authenticated?(request.params[:client_assertion], software_statement)
+
+        if MockUDAPServer.token_expired?(authorization_code)
+          MockUDAPServer.update_response_for_expired_token(response, 'Authorization code')
+          return
+        end
+
+        return if request.params[:code_verifier].present? && !udap_pkce_valid?(authorization_code)
+
+        exp_min = 60
+        response_body = {
+          access_token: MockUDAPServer.client_id_to_token(client_id, exp_min),
+          token_type: 'Bearer',
+          expires_in: 60 * exp_min
+        }
+
+        launch_context =
+          begin
+            input_string = JSON.parse(result.input_json)&.find do |input|
+              input['name'] == 'launch_context'
+            end&.dig('value')
+            JSON.parse(input_string) if input_string.present?
+          rescue JSON::ParserError
+            nil
+          end
+        additional_context = udap_requested_scope_context(udap_registered_scope(software_statement), authorization_code,
+                                                          launch_context)
+
+        response.body = additional_context.merge(response_body).to_json # response body values take priority
+        response.headers['Cache-Control'] = 'no-store'
+        response.headers['Pragma'] = 'no-cache'
+        response.headers['Access-Control-Allow-Origin'] = '*'
+        response.content_type = 'application/json'
+        response.status = 200
+      end
+
+      def make_udap_refresh_token_response # rubocop:disable Metrics/CyclomaticComplexity
+        refresh_token = request.params[:refresh_token]
+        authorization_code = MockUDAPServer.refresh_token_to_authorization_code(refresh_token)
+        client_id = MockUDAPServer.issued_token_to_client_id(authorization_code)
+        software_statement = MockUDAPServer.udap_registration_software_statement(test_run.test_session_id)
+        return unless udap_authenticated?(request.params[:client_assertion], software_statement)
+
+        # no expiration checks for refresh tokens
+
+        authorization_request = MockUDAPServer.authorization_request_for_code(authorization_code,
+                                                                              test_run.test_session_id)
+        if authorization_request.blank?
+          MockUDAPServer.update_response_for_error(
+            response,
+            "no authorization request found for refresh token #{refresh_token}"
+          )
+          return
+        end
+        auth_code_request_inputs = MockUDAPServer.authorization_code_request_details(authorization_request)
+        if auth_code_request_inputs.blank?
+          MockUDAPServer.update_response_for_error(
+            response,
+            'invalid authorization request details'
+          )
+          return
+        end
+
+        exp_min = 60
+        response_body = {
+          access_token: MockUDAPServer.client_id_to_token(client_id, exp_min),
+          token_type: 'Bearer',
+          expires_in: 60 * exp_min
+        }
+
+        launch_context =
+          begin
+            input_string = JSON.parse(result.input_json)&.find do |input|
+              input['name'] == 'launch_context'
+            end&.dig('value')
+            JSON.parse(input_string) if input_string.present?
+          rescue JSON::ParserError
+            nil
+          end
+        additional_context = udap_requested_scope_context(udap_registered_scope(software_statement), authorization_code,
+                                                          launch_context)
+
+        response.body = additional_context.merge(response_body).to_json # response body values take priority
+        response.headers['Cache-Control'] = 'no-store'
+        response.headers['Pragma'] = 'no-cache'
+        response.headers['Access-Control-Allow-Origin'] = '*'
+        response.content_type = 'application/json'
+        response.status = 200
+      end
+
+      def make_udap_client_credential_token_response
+        assertion = request.params[:client_assertion]
+        client_id = MockUDAPServer.client_id_from_client_assertion(assertion)
+        software_statement = MockUDAPServer.udap_registration_software_statement(test_run.test_session_id)
+        return unless udap_authenticated?(request.params[:client_assertion], software_statement)
+
+        exp_min = 60
+        response_body = {
+          access_token: MockUDAPServer.client_id_to_token(client_id, exp_min),
+          token_type: 'Bearer',
+          expires_in: 60 * exp_min
+        }
+
+        response.body = response_body.to_json
+        response.headers['Cache-Control'] = 'no-store'
+        response.headers['Pragma'] = 'no-cache'
+        response.headers['Access-Control-Allow-Origin'] = '*'
+        response.content_type = 'application/json'
+        response.status = 200
+      end
+
+      def udap_authenticated?(assertion, software_statement)
+        signature_error = MockUDAPServer.udap_token_signature_verification(assertion, software_statement)
+
+        if signature_error.present?
+          MockUDAPServer.update_response_for_error(response, signature_error)
+          return false
+        end
+
+        true
+      end
+
+      def udap_requested_scope_context(requested_scopes, authorization_code, launch_context)
+        context = launch_context.present? ? launch_context : {}
+        scopes_list = requested_scopes&.split || []
+
+        if scopes_list.include?('offline_access') || scopes_list.include?('online_access')
+          context[:refresh_token] = MockUDAPServer.authorization_code_to_refresh_token(authorization_code)
+        end
+
+        context[:id_token] = udap_construct_id_token(scopes_list.include?('fhirUser')) if scopes_list.include?('openid')
+
+        context
+      end
+
+      def udap_construct_id_token(include_fhir_user) # rubocop:disable Metrics/CyclomaticComplexity
+        client_id = JSON.parse(result.input_json)&.find do |input|
+          input['name'] == 'client_id'
+        end&.dig('value')
+        fhir_user_relative_reference = JSON.parse(result.input_json)&.find do |input|
+          input['name'] == 'fhir_user_relative_reference'
+        end&.dig('value')
+
+        subject_id = if fhir_user_relative_reference.present?
+                       fhir_user_relative_reference.downcase.gsub('/', '-')
+                     else
+                       SecureRandom.uuid
+                     end
+
+        claims = {
+          iss: client_fhir_base_url,
+          sub: subject_id,
+          aud: client_id,
+          exp: 1.year.from_now.to_i,
+          iat: Time.now.to_i
+        }
+        if include_fhir_user && fhir_user_relative_reference.present?
+          claims[:fhirUser] = "#{client_fhir_base_url}/#{fhir_user_relative_reference}"
+        end
+
+        algorithm = 'RS256'
+        private_key = OIDCJWKS.jwks
+          .select { |key| key[:key_ops]&.include?('sign') }
+          .select { |key| key[:alg] == algorithm }
+          .first
+
+        JWT.encode claims, private_key.signing_key, algorithm, { alg: algorithm, kid: private_key.kid, typ: 'JWT' }
+      end
+
+      def udap_pkce_valid?(authorization_code)
+        authorization_request = MockUDAPServer.authorization_request_for_code(authorization_code,
+                                                                              test_run.test_session_id)
+        if authorization_request.blank?
+          MockUDAPServer.update_response_for_error(
+            response,
+            "Could not check code_verifier: no authorization request found that returned code #{authorization_code}"
+          )
+          return false
+        end
+        auth_code_request_inputs = MockUDAPServer.authorization_code_request_details(authorization_request)
+        if auth_code_request_inputs.blank?
+          MockUDAPServer.update_response_for_error(
+            response,
+            "Could not check code_verifier: invalid authorization request details for code #{authorization_code}"
+          )
+          return false
+        end
+
+        verifier = request.params[:code_verifier]
+        challenge = auth_code_request_inputs&.dig('code_challenge')
+        method = auth_code_request_inputs&.dig('code_challenge_method')
+        MockUDAPServer.pkce_valid?(verifier, challenge, method, response)
+      end
+
+      def udap_registered_scope(software_statement_jwt)
+        claims, _headers = begin
+          JWT.decode(software_statement_jwt, nil, false)
+        rescue StandardError
+          return nil
+        end
+
+        claims['scope']
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/endpoints/mock_udap_server.rb

@@ -1,6 +1,7 @@
 require 'jwt'
 require 'faraday'
 require 'time'
+require 'rack/utils'
 require_relative '../urls'
 require_relative '../tags'
 require_relative '../udap_jwt_builder'
@@ -20,44 +21,33 @@ module UDAPSecurityTestKit
         udap_authorization_extensions_required: [],
         udap_certifications_supported: [],
         udap_certifications_required: [],
-        grant_types_supported: ['client_credentials'],
+        grant_types_supported: ['authorization_code', 'client_credentials', 'refresh_token'],
         scopes_supported: SUPPORTED_SCOPES,
+        registration_endpoint: base_url + REGISTRATION_PATH,
+        registration_endpoint_jwt_signing_alg_values_supported: ['RS256', 'RS384', 'ES384'],
+        authorization_endpoint: base_url + AUTHORIZATION_PATH,
         token_endpoint: base_url + TOKEN_PATH,
         token_endpoint_auth_methods_supported: ['private_key_jwt'],
         token_endpoint_auth_signing_alg_values_supported: ['RS256', 'RS384', 'ES384'],
-        registration_endpoint: base_url + REGISTRATION_PATH,
-        registration_endpoint_jwt_signing_alg_values_supported: ['RS256', 'RS384', 'ES384'],
         signed_metadata: udap_signed_metadata_jwt(base_url)
       }.to_json
 
       [200, { 'Content-Type' => 'application/json', 'Access-Control-Allow-Origin' => '*' }, [response_body]]
     end
 
-    def make_udap_token_response(request, response, test_session_id)
-      assertion = request.params[:client_assertion]
-      client_id = client_id_from_client_assertion(assertion)
-
-      software_statement = udap_registration_software_statement(test_session_id)
-      signature_error = udap_token_signature_verification(assertion, software_statement)
-
-      if signature_error.present?
-        update_response_for_invalid_assertion(response, signature_error)
-        return
-      end
-
-      exp_min = 60
+    def openid_connect_metadata(suite_id)
+      base_url = "#{Inferno::Application['base_url']}/custom/#{suite_id}"
       response_body = {
-        access_token: client_id_to_token(client_id, exp_min),
-        token_type: 'Bearer',
-        expires_in: 60 * exp_min
-      }
+        issuer: base_url + FHIR_PATH,
+        authorization_endpoint: base_url + AUTHORIZATION_PATH,
+        token_endpoint: base_url + TOKEN_PATH,
+        jwks_uri: base_url + OIDC_JWKS_PATH,
+        response_types_supported: ['code', 'id_token', 'token id_token'],
+        subject_types_supported: ['pairwise', 'public'],
+        id_token_signing_alg_values_supported: ['RS256']
+      }.to_json
 
-      response.body = response_body.to_json
-      response.headers['Cache-Control'] = 'no-store'
-      response.headers['Pragma'] = 'no-cache'
-      response.headers['Access-Control-Allow-Origin'] = '*'
-      response.content_type = 'application/json'
-      response.status = 200
+      [200, { 'Content-Type' => 'application/json', 'Access-Control-Allow-Origin' => '*' }, [response_body]]
     end
 
     def udap_signed_metadata_jwt(base_url)
@@ -68,6 +58,7 @@ module UDAPSecurityTestKit
         iat: Time.now.to_i,
         jti: SecureRandom.hex(32),
         token_endpoint: base_url + TOKEN_PATH,
+        authorization_endpoint: base_url + AUTHORIZATION_PATH,
         registration_endpoint: base_url + REGISTRATION_PATH
       }.compact
 
@@ -132,6 +123,21 @@ module UDAPSecurityTestKit
       JWT.decode(encoded_jwt, nil, false)[0]
     end
 
+    def udap_client_uri_from_registration_payload(reg_body)
+      udap_claim_from_registration_payload(reg_body, 'iss')
+    end
+
+    def udap_claim_from_registration_payload(reg_body, claim_key)
+      software_statement_jwt = udap_software_statement_jwt(reg_body)
+      return unless software_statement_jwt.present?
+
+      jwt_claims(software_statement_jwt)&.dig(claim_key)
+    end
+
+    def udap_software_statement_jwt(reg_body)
+      reg_body&.dig('software_statement')
+    end
+
     def client_uri_to_client_id(client_uri)
       Base64.urlsafe_encode64(client_uri, padding: false)
     end
@@ -151,31 +157,56 @@ module UDAPSecurityTestKit
     end
 
     def decode_token(token)
+      token_to_decode =
+        if issued_token_is_refresh_token(token)
+          refresh_token_to_authorization_code(token)
+        else
+          token
+        end
+      return unless token_to_decode.present?
+
       JSON.parse(Base64.urlsafe_decode64(token))
     rescue JSON::ParserError
       nil
     end
 
-    def token_to_client_id(token)
+    def issued_token_to_client_id(token)
       decode_token(token)&.dig('client_id')
     end
 
+    def issued_token_is_refresh_token(token)
+      token.end_with?('_rt')
+    end
+
+    def authorization_code_to_refresh_token(code)
+      "#{code}_rt"
+    end
+
+    def refresh_token_to_authorization_code(refresh_token)
+      refresh_token[..-4]
+    end
+
     def request_has_expired_token?(request)
       return false if request.params[:session_path].present?
 
       token = request.headers['authorization']&.delete_prefix('Bearer ')
+      token_expired?(token)
+    end
+
+    def token_expired?(token, check_time = nil)
       decoded_token = decode_token(token)
       return false unless decoded_token&.dig('expiration').present?
 
-      decoded_token['expiration'] < Time.now.to_i
+      check_time = Time.now.to_i unless check_time.present?
+      decoded_token['expiration'] < check_time
     end
 
-    def update_response_for_expired_token(response)
+    def update_response_for_expired_token(response, type)
       response.status = 401
       response.format = :json
       response.body = FHIR::OperationOutcome.new(
         issue: FHIR::OperationOutcome::Issue.new(severity: 'fatal', code: 'expired',
-                                                 details: FHIR::CodeableConcept.new(text: 'Bearer token has expired'))
+                                                 details: FHIR::CodeableConcept.new(text: "#{type}has expired"))
       ).to_json
     end
 
@@ -244,7 +275,7 @@ module UDAPSecurityTestKit
       parsed_body&.dig('software_statement')
     end
 
-    def update_response_for_invalid_assertion(response, error_message)
+    def update_response_for_error(response, error_message)
       response.status = 401
       response.format = :json
       response.body = { error: 'invalid_client', error_description: error_message }.to_json
@@ -297,5 +328,55 @@ module UDAPSecurityTestKit
 
       nil
     end
+
+    def pkce_error(verifier, challenge, method)
+      if verifier.blank?
+        'pkce check failed: no verifier provided'
+      elsif challenge.blank?
+        'pkce check failed: no challenge code provided'
+      elsif method == 'S256'
+        return nil unless challenge != calculate_s256_challenge(verifier)
+
+        "invalid S256 pkce verifier: got '#{calculate_s256_challenge(verifier)}' " \
+          "expected '#{challenge}'"
+      else
+        "invalid pkce challenge method '#{method}'"
+      end
+    end
+
+    def pkce_valid?(verifier, challenge, method, response)
+      pkce_error = pkce_error(verifier, challenge, method)
+
+      if pkce_error.present?
+        update_response_for_error(response, pkce_error)
+        false
+      else
+        true
+      end
+    end
+
+    def calculate_s256_challenge(verifier)
+      Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
+    end
+
+    def authorization_request_for_code(code, test_session_id)
+      authorization_requests = Inferno::Repositories::Requests.new.tagged_requests(test_session_id, [AUTHORIZATION_TAG])
+      authorization_requests.find do |request|
+        location_header = request.response_headers.find { |header| header.name.downcase == 'location' }
+        if location_header.present? && location_header.value.present?
+          Rack::Utils.parse_query(URI(location_header.value)&.query)&.dig('code') == code
+        else
+          false
+        end
+      end
+    end
+
+    def authorization_code_request_details(inferno_request)
+      if inferno_request.verb.downcase == 'get'
+        Rack::Utils.parse_query(URI(inferno_request.url)&.query)
+      elsif inferno_request.verb.downcase == 'post'
+        Rack::Utils.parse_query(inferno_request.request_body)
+      end
+    end
   end
 end

data/lib/udap_security_test_kit/metadata.rb

@@ -9,7 +9,7 @@ module UDAPSecurityTestKit
       STU 1.0 IG](https://hl7.org/fhir/us/udap-security/STU1/index.html)
       <!-- break -->
       Specifically, this test
-      kit assesses the required capabilities from the following sections:
+      kit assesses the required capabilities for clients and servers from the following sections:
       - [JSON Web Token (JWT) Requirements](https://hl7.org/fhir/us/udap-security/STU1/index.html)
       - [Discovery](https://hl7.org/fhir/us/udap-security/STU1/discovery.html)
       - [Dynamic Client Registration](https://hl7.org/fhir/us/udap-security/STU1/registration.html)

data/lib/udap_security_test_kit/tags.rb

@@ -2,7 +2,11 @@
 
 module UDAPSecurityTestKit
   REGISTRATION_TAG = 'registration'
+  AUTHORIZATION_TAG = 'authorization'
   TOKEN_TAG = 'token'
   UDAP_TAG = 'udap'
   ACCESS_TAG = 'access'
+  CLIENT_CREDENTIALS_TAG = 'client_credentials'
+  AUTHORIZATION_CODE_TAG = 'authorization_code'
+  REFRESH_TOKEN_TAG = 'refresh_token'
 end

data/lib/udap_security_test_kit/urls.rb

@@ -2,12 +2,15 @@
 
 module UDAPSecurityTestKit
   FHIR_PATH = '/fhir'
-  RESUME_PASS_PATH = '/resume_pass'
-  RESUME_FAIL_PATH = '/resume_fail'
-  AUTH_SERVER_PATH = '/auth'
+  OIDC_DISCOVERY_PATH = "#{FHIR_PATH}/.well-known/openid-configuration".freeze
+  OIDC_JWKS_PATH = "#{FHIR_PATH}/.well-known/jwks.json".freeze
   UDAP_DISCOVERY_PATH = "#{FHIR_PATH}/.well-known/udap".freeze
-  TOKEN_PATH = "#{AUTH_SERVER_PATH}/token".freeze
+  AUTH_SERVER_PATH = '/auth'
   REGISTRATION_PATH = "#{AUTH_SERVER_PATH}/register".freeze
+  AUTHORIZATION_PATH = "#{AUTH_SERVER_PATH}/authorization".freeze
+  TOKEN_PATH = "#{AUTH_SERVER_PATH}/token".freeze
+  RESUME_PASS_PATH = '/resume_pass'
+  RESUME_FAIL_PATH = '/resume_fail'
 
   module URLs
     def client_base_url
@@ -30,14 +33,18 @@ module UDAPSecurityTestKit
       @client_udap_discovery_url ||= client_base_url + UDAP_DISCOVERY_PATH
     end
 
-    def client_token_url
-      @client_token_url ||= client_base_url + TOKEN_PATH
-    end
-
     def client_registration_url
       @client_registration_url ||= client_base_url + REGISTRATION_PATH
     end
 
+    def client_authorization_url
+      @client_authorization_url ||= client_base_url + AUTHORIZATION_PATH
+    end
+
+    def client_token_url
+      @client_token_url ||= client_base_url + TOKEN_PATH
+    end
+
     def client_suite_id
       UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
     end

data/lib/udap_security_test_kit/version.rb

@@ -1,4 +1,4 @@
 module UDAPSecurityTestKit
-  VERSION = '0.11.3'.freeze
-  LAST_UPDATED = '2025-04-07'.freeze
+  VERSION = '0.11.4'.freeze
+  LAST_UPDATED = '2025-05-02'.freeze
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: udap_security_test_kit
 version: !ruby/object:Gem::Version
-  version: 0.11.3
+  version: 0.11.4
 platform: ruby
 authors:
 - Stephen MacVicar
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-04-07 00:00:00.000000000 Z
+date: 2025-05-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inferno_core
@@ -65,23 +65,39 @@ files:
 - lib/udap_security_test_kit/client_credentials_group.rb
 - lib/udap_security_test_kit/client_credentials_token_exchange_test.rb
 - lib/udap_security_test_kit/client_suite.rb
-- lib/udap_security_test_kit/client_suite/client_access_group.rb
-- lib/udap_security_test_kit/client_suite/client_access_interaction_test.rb
-- lib/udap_security_test_kit/client_suite/client_registration_group.rb
-- lib/udap_security_test_kit/client_suite/client_registration_interaction_test.rb
-- lib/udap_security_test_kit/client_suite/client_registration_verification_test.rb
-- lib/udap_security_test_kit/client_suite/client_token_request_verification_test.rb
-- lib/udap_security_test_kit/client_suite/client_token_use_verification_test.rb
+- lib/udap_security_test_kit/client_suite/access_ac_group.rb
+- lib/udap_security_test_kit/client_suite/access_ac_interaction_test.rb
+- lib/udap_security_test_kit/client_suite/access_cc_group.rb
+- lib/udap_security_test_kit/client_suite/access_cc_interaction_test.rb
+- lib/udap_security_test_kit/client_suite/authorization_request_verification_test.rb
+- lib/udap_security_test_kit/client_suite/client_descriptions.rb
+- lib/udap_security_test_kit/client_suite/client_options.rb
+- lib/udap_security_test_kit/client_suite/oidc_jwks.json
+- lib/udap_security_test_kit/client_suite/oidc_jwks.rb
+- lib/udap_security_test_kit/client_suite/registration_ac_group.rb
+- lib/udap_security_test_kit/client_suite/registration_ac_verification_test.rb
+- lib/udap_security_test_kit/client_suite/registration_cc_group.rb
+- lib/udap_security_test_kit/client_suite/registration_cc_verification_test.rb
+- lib/udap_security_test_kit/client_suite/registration_interaction_test.rb
+- lib/udap_security_test_kit/client_suite/registration_request_verification.rb
+- lib/udap_security_test_kit/client_suite/token_request_ac_verification_test.rb
+- lib/udap_security_test_kit/client_suite/token_request_cc_verification_test.rb
+- lib/udap_security_test_kit/client_suite/token_request_verification.rb
+- lib/udap_security_test_kit/client_suite/token_use_verification_test.rb
 - lib/udap_security_test_kit/common_assertions.rb
 - lib/udap_security_test_kit/default_cert_file_loader.rb
 - lib/udap_security_test_kit/discovery_group.rb
 - lib/udap_security_test_kit/docs/demo/FHIR Request.postman_collection.json
 - lib/udap_security_test_kit/docs/udap_client_suite_description.md
 - lib/udap_security_test_kit/dynamic_client_registration_group.rb
-- lib/udap_security_test_kit/endpoints/echoing_fhir_responder.rb
+- lib/udap_security_test_kit/endpoints/echoing_fhir_responder_endpoint.rb
 - lib/udap_security_test_kit/endpoints/mock_udap_server.rb
-- lib/udap_security_test_kit/endpoints/mock_udap_server/registration.rb
-- lib/udap_security_test_kit/endpoints/mock_udap_server/token.rb
+- lib/udap_security_test_kit/endpoints/mock_udap_server/authorization_endpoint.rb
+- lib/udap_security_test_kit/endpoints/mock_udap_server/registration_endpoint.rb
+- lib/udap_security_test_kit/endpoints/mock_udap_server/token_endpoint.rb
+- lib/udap_security_test_kit/endpoints/mock_udap_server/udap_authorization_response_creation.rb
+- lib/udap_security_test_kit/endpoints/mock_udap_server/udap_registration_response_creation.rb
+- lib/udap_security_test_kit/endpoints/mock_udap_server/udap_token_response_creation.rb
 - lib/udap_security_test_kit/grant_types_supported_field_test.rb
 - lib/udap_security_test_kit/igs/put_ig_package_dot_tgz_here
 - lib/udap_security_test_kit/metadata.rb

data/lib/udap_security_test_kit/client_suite/client_access_group.rb

@@ -1,22 +0,0 @@
-require_relative 'client_access_interaction_test'
-require_relative 'client_token_request_verification_test'
-require_relative 'client_token_use_verification_test'
-
-module UDAPSecurityTestKit
-  class UDAPClientAccess < Inferno::TestGroup
-    id :udap_client_access
-    title 'Client Access'
-    description %(
-      During these tests, the client system will access Inferno's simulated
-      FHIR server by requesting an access token and making a FHIR request.
-      Inferno will then verify that any token requests made were conformant
-      and that a token returned from a token request was used on an access request.
-    )
-
-    run_as_group
-
-    test from: :udap_client_access_interaction
-    test from: :udap_client_token_request_verification
-    test from: :udap_client_token_use_verification
-  end
-end

data/lib/udap_security_test_kit/client_suite/client_access_interaction_test.rb

@@ -1,53 +0,0 @@
-require_relative '../urls'
-require_relative '../endpoints/mock_udap_server'
-
-module UDAPSecurityTestKit
-  class UDAPClientAccessInteraction < Inferno::Test
-    include URLs
-
-    id :udap_client_access_interaction
-    title 'Perform UDAP-secured Access'
-    description %(
-      During this test, Inferno will wait for the client to access data
-      using a UDAP token obtained during an earlier test.
-    )
-    input :client_id,
-          title: 'Client Id',
-          type: 'text',
-          locked: true,
-          description: %(
-            The registered Client Id for use in obtaining access tokens.
-            Create a new session if you need to change this value.
-          )
-    input :echoed_fhir_response,
-          title: 'FHIR Response to Echo',
-          type: 'textarea',
-          description: %(
-            JSON representation of a FHIR resource for Inferno to echo when a request
-            is made to the simulated FHIR server. The provided content will be echoed
-            back exactly and no check will be made that it is appropriate for the request
-            made. If nothing is provided, an OperationOutcome will be returned.
-          ),
-          optional: true
-
-    run do
-      wait(
-        identifier: client_id,
-        message: %(
-            **Access**
-
-            Use the registered client id (#{client_id}) to obtain an access
-            token using the [UDAP B2B client credentials flow](https://hl7.org/fhir/us/udap-security/STU1/b2b.html)
-            and use that token to access a FHIR endpoint under the simulated server's base URL
-
-            `#{client_fhir_base_url}`
-
-            Inferno will echo the response provided in the **FHIR Response to Echo** input.
-
-            [Click here](#{client_resume_pass_url}?token=#{client_id}) once you performed
-            the access.
-          )
-      )
-    end
-  end
-end