RubyGems - udap_security_test_kit - Versions diffs - 0.11.4 → 0.11.6 - Mend

udap_security_test_kit 0.11.4 → 0.11.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 93cc168a29a41ac4c22bdcb8a4124aa85c370d3a0ae8ac1851090555ab3a2e8b
-  data.tar.gz: d31eee97042a453fe3ccf6c72c1421309ff4d367eb87ff6d2f3a63a96529041d
+  metadata.gz: ba9b8ab76dbc1af4171a44facc2bad0501b87d408914b1112211b4a6dd407972
+  data.tar.gz: ab96e3353c18cb382f24051c0d97869d7bd211ec21827f1389c1703f7f1827a2
 SHA512:
-  metadata.gz: 69293481ba6a4edeca09cf992cd7b7ff97ff380636a43e1d40cb6dd2610711bb1feac263cdf887fbb7e74e8c72ed15329335b8d3b4fdd3a4d3ed1f3f73341eef
-  data.tar.gz: 90878299bfb40e53ad43ff65144d008f3793a1654c8f61ff3dd24a4a8cb6f3dcef11c092cac49ccdadb7dec165ed20134213cc56a566b8e78792e0b83c6ca872
+  metadata.gz: 8901c4441f4dbc98ba53a1babdcb1bbdef421c52457627266e5faaa6602f88df692b58b1d7f788d079374bd8419a46564cf4e0a2edcf7bb67a3e9ee15a7459bb
+  data.tar.gz: 1de972b29f3c1c0ef84273d707420c379f16a9d30b9340f78b0fae573a452ad50cab6e6b5db7a3cf5497e965f7fe8aed424a0f20770c472895ed80dd9658b727

data/lib/udap_security_test_kit/authorization_code_received_test.rb CHANGED Viewed

@@ -9,12 +9,20 @@ module UDAPSecurityTestKit
     output :udap_authorization_code
     uses_request :redirect
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@133',
+                          'hl7.fhir.us.udap-security_1.0.0@134',
+                          'hl7.fhir.us.udap-security_1.0.0@138',
+                          'hl7.fhir.us.udap-security_1.0.0@190'
     run do
       code = request.query_parameters['code']
       output udap_authorization_code: code
       assert code.present?, 'No `code` parameter received'
+      state = request.query_parameters['state']
+      assert state.present?, '`state` parameter is required since it was present in client request'
       error = request.query_parameters['error']
       pass_if error.blank?

data/lib/udap_security_test_kit/authorization_code_redirect_test.rb CHANGED Viewed

@@ -52,6 +52,9 @@ module UDAPSecurityTestKit
     receives_request :redirect
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@133',
+                          'hl7.fhir.us.udap-security_1.0.0@190'
     config options: {
       redirect_uri: UDAPSecurityTestKit::UDAP_REDIRECT_URI
     }

data/lib/udap_security_test_kit/authorization_code_token_exchange_test.rb CHANGED Viewed

@@ -62,6 +62,8 @@ module UDAPSecurityTestKit
     makes_request :token_exchange
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@148'
     run do
       client_assertion_payload = UDAPClientAssertionPayloadBuilder.build(
         udap_client_id,

data/lib/udap_security_test_kit/authorization_endpoint_field_test.rb CHANGED Viewed

@@ -13,6 +13,10 @@ module UDAPSecurityTestKit
     input :udap_well_known_metadata_json
     output :udap_authorization_endpoint
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@9',
+                          'hl7.fhir.us.udap-security_1.0.0@38',
+                          'hl7.fhir.us.udap-security_1.0.0@39'
     run do
       assert_valid_json(udap_well_known_metadata_json)
       config = JSON.parse(udap_well_known_metadata_json)
@@ -29,7 +33,7 @@ module UDAPSecurityTestKit
               '`authorization_endpoint` field is only required if `authorization_code` is a supported grant type'
       assert config.key?('authorization_endpoint'),
-             '`authorization_endpoint` field is required if `authorization_endpoint` is a supported grant type'
+             '`authorization_endpoint` field is required if `authorization_code` is a supported grant type'
       endpoint = config['authorization_endpoint']

data/lib/udap_security_test_kit/client_suite/access_ac_group.rb CHANGED Viewed

@@ -17,6 +17,8 @@ module UDAPSecurityTestKit
     run_as_group
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@126'
     test from: :udap_client_access_ac_interaction
     test from: :udap_client_authorization_request_verification
     test from: :udap_client_token_request_ac_verification

data/lib/udap_security_test_kit/client_suite/authorization_request_verification_test.rb CHANGED Viewed

@@ -24,6 +24,11 @@ module UDAPSecurityTestKit
           locked: 'true',
           description: INPUT_UDAP_REGISTRATION_JWT_DESCRIPTION_LOCKED
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@67',
+                          'hl7.fhir.us.udap-security_1.0.0@127',
+                          'hl7.fhir.us.udap-security_1.0.0@128',
+                          'hl7.fhir.us.udap-security_1.0.0@129'
     def client_suite_id
       return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?

data/lib/udap_security_test_kit/client_suite/registration_ac_verification_test.rb CHANGED Viewed

@@ -17,6 +17,40 @@ module UDAPSecurityTestKit
     input :udap_client_uri
     output :udap_registration_jwt
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@1',
+                          'hl7.fhir.us.udap-security_1.0.0@2',
+                          'hl7.fhir.us.udap-security_1.0.0@3',
+                          'hl7.fhir.us.udap-security_1.0.0@7',
+                          'hl7.fhir.us.udap-security_1.0.0@8',
+                          'hl7.fhir.us.udap-security_1.0.0@66',
+                          'hl7.fhir.us.udap-security_1.0.0@71',
+                          'hl7.fhir.us.udap-security_1.0.0@72',
+                          'hl7.fhir.us.udap-security_1.0.0@73',
+                          'hl7.fhir.us.udap-security_1.0.0@74',
+                          'hl7.fhir.us.udap-security_1.0.0@75',
+                          'hl7.fhir.us.udap-security_1.0.0@76',
+                          'hl7.fhir.us.udap-security_1.0.0@77',
+                          'hl7.fhir.us.udap-security_1.0.0@78',
+                          'hl7.fhir.us.udap-security_1.0.0@79',
+                          'hl7.fhir.us.udap-security_1.0.0@80',
+                          'hl7.fhir.us.udap-security_1.0.0@81',
+                          'hl7.fhir.us.udap-security_1.0.0@83',
+                          'hl7.fhir.us.udap-security_1.0.0@84',
+                          'hl7.fhir.us.udap-security_1.0.0@86',
+                          'hl7.fhir.us.udap-security_1.0.0@87',
+                          'hl7.fhir.us.udap-security_1.0.0@88',
+                          'hl7.fhir.us.udap-security_1.0.0@90',
+                          'hl7.fhir.us.udap-security_1.0.0@91',
+                          'hl7.fhir.us.udap-security_1.0.0@92',
+                          'hl7.fhir.us.udap-security_1.0.0@93',
+                          'hl7.fhir.us.udap-security_1.0.0@94',
+                          'hl7.fhir.us.udap-security_1.0.0@96',
+                          'hl7.fhir.us.udap-security_1.0.0@97',
+                          'hl7.fhir.us.udap-security_1.0.0@101',
+                          'hl7.fhir.us.udap-security_1.0.0@102',
+                          'hl7.fhir.us.udap-security_1.0.0@103',
+                          'hl7.fhir.us.udap-security_1.0.0@104'
     def client_suite_id
       return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?

data/lib/udap_security_test_kit/client_suite/registration_cc_verification_test.rb CHANGED Viewed

@@ -23,6 +23,36 @@ module UDAPSecurityTestKit
       UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
     end
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@1',
+                          'hl7.fhir.us.udap-security_1.0.0@2',
+                          'hl7.fhir.us.udap-security_1.0.0@3',
+                          'hl7.fhir.us.udap-security_1.0.0@7',
+                          'hl7.fhir.us.udap-security_1.0.0@8',
+                          'hl7.fhir.us.udap-security_1.0.0@66',
+                          'hl7.fhir.us.udap-security_1.0.0@71',
+                          'hl7.fhir.us.udap-security_1.0.0@72',
+                          'hl7.fhir.us.udap-security_1.0.0@73',
+                          'hl7.fhir.us.udap-security_1.0.0@74',
+                          'hl7.fhir.us.udap-security_1.0.0@75',
+                          'hl7.fhir.us.udap-security_1.0.0@76',
+                          'hl7.fhir.us.udap-security_1.0.0@77',
+                          'hl7.fhir.us.udap-security_1.0.0@78',
+                          'hl7.fhir.us.udap-security_1.0.0@79',
+                          'hl7.fhir.us.udap-security_1.0.0@80',
+                          'hl7.fhir.us.udap-security_1.0.0@81',
+                          'hl7.fhir.us.udap-security_1.0.0@83',
+                          'hl7.fhir.us.udap-security_1.0.0@85',
+                          'hl7.fhir.us.udap-security_1.0.0@86',
+                          'hl7.fhir.us.udap-security_1.0.0@87',
+                          'hl7.fhir.us.udap-security_1.0.0@92',
+                          'hl7.fhir.us.udap-security_1.0.0@95',
+                          'hl7.fhir.us.udap-security_1.0.0@96',
+                          'hl7.fhir.us.udap-security_1.0.0@97',
+                          'hl7.fhir.us.udap-security_1.0.0@101',
+                          'hl7.fhir.us.udap-security_1.0.0@102',
+                          'hl7.fhir.us.udap-security_1.0.0@103',
+                          'hl7.fhir.us.udap-security_1.0.0@104'
     run do
       client_registration_requests = load_registration_requests_for_client_uri(udap_client_uri)
       skip_if client_registration_requests.empty?,

data/lib/udap_security_test_kit/client_suite/token_request_ac_verification_test.rb CHANGED Viewed

@@ -28,6 +28,53 @@ module UDAPSecurityTestKit
           description: INPUT_UDAP_REGISTRATION_JWT_DESCRIPTION_LOCKED
     output :udap_tokens
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@1',
+                          'hl7.fhir.us.udap-security_1.0.0@2',
+                          'hl7.fhir.us.udap-security_1.0.0@3',
+                          'hl7.fhir.us.udap-security_1.0.0@7',
+                          'hl7.fhir.us.udap-security_1.0.0@8',
+                          'hl7.fhir.us.udap-security_1.0.0@67',
+                          'hl7.fhir.us.udap-security_1.0.0@69',
+                          'hl7.fhir.us.udap-security_1.0.0@140',
+                          'hl7.fhir.us.udap-security_1.0.0@141',
+                          'hl7.fhir.us.udap-security_1.0.0@142',
+                          'hl7.fhir.us.udap-security_1.0.0@143',
+                          'hl7.fhir.us.udap-security_1.0.0@145',
+                          'hl7.fhir.us.udap-security_1.0.0@151',
+                          'hl7.fhir.us.udap-security_1.0.0@152',
+                          'hl7.fhir.us.udap-security_1.0.0@153',
+                          'hl7.fhir.us.udap-security_1.0.0@154',
+                          'hl7.fhir.us.udap-security_1.0.0@155',
+                          'hl7.fhir.us.udap-security_1.0.0@156',
+                          'hl7.fhir.us.udap-security_1.0.0@157',
+                          'hl7.fhir.us.udap-security_1.0.0@158',
+                          'hl7.fhir.us.udap-security_1.0.0@160',
+                          'hl7.fhir.us.udap-security_1.0.0@161',
+                          'hl7.fhir.us.udap-security_1.0.0@163',
+                          'hl7.fhir.us.udap-security_1.0.0@165',
+                          'hl7.fhir.us.udap-security_1.0.0@166',
+                          'hl7.fhir.us.udap-security_1.0.0@167',
+                          'hl7.fhir.us.udap-security_1.0.0@168',
+                          'hl7.fhir.us.udap-security_1.0.0@169',
+                          'hl7.fhir.us.udap-security_1.0.0@170',
+                          'hl7.fhir.us.udap-security_1.0.0@171',
+                          'hl7.fhir.us.udap-security_1.0.0@175',
+                          'hl7.fhir.us.udap-security_1.0.0@177',
+                          'hl7.fhir.us.udap-security_1.0.0@178',
+                          'hl7.fhir.us.udap-security_1.0.0@179',
+                          'hl7.fhir.us.udap-security_1.0.0@180',
+                          'hl7.fhir.us.udap-security_1.0.0@185',
+                          'hl7.fhir.us.udap-security_1.0.0@192',
+                          'hl7.fhir.us.udap-security_1.0.0@193',
+                          'hl7.fhir.us.udap-security_1.0.0@194',
+                          'hl7.fhir.us.udap-security_1.0.0@195',
+                          'hl7.fhir.us.udap-security_1.0.0@196',
+                          'hl7.fhir.us.udap-security_1.0.0@197',
+                          'hl7.fhir.us.udap-security_1.0.0@222',
+                          'hl7.fhir.us.udap-security_1.0.0@232',
+                          'hl7.fhir.us.udap-security_1.0.0@233',
+                          'hl7.fhir.us.udap-security_1.0.0@234'
     def client_suite_id
       return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?

data/lib/udap_security_test_kit/client_suite/token_request_cc_verification_test.rb CHANGED Viewed

@@ -28,6 +28,31 @@ module UDAPSecurityTestKit
           description: INPUT_UDAP_REGISTRATION_JWT_DESCRIPTION_LOCKED
     output :udap_tokens
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@1',
+                          'hl7.fhir.us.udap-security_1.0.0@2',
+                          'hl7.fhir.us.udap-security_1.0.0@3',
+                          'hl7.fhir.us.udap-security_1.0.0@7',
+                          'hl7.fhir.us.udap-security_1.0.0@8',
+                          'hl7.fhir.us.udap-security_1.0.0@67',
+                          'hl7.fhir.us.udap-security_1.0.0@69',
+                          'hl7.fhir.us.udap-security_1.0.0@186',
+                          'hl7.fhir.us.udap-security_1.0.0@192',
+                          'hl7.fhir.us.udap-security_1.0.0@193',
+                          'hl7.fhir.us.udap-security_1.0.0@194',
+                          'hl7.fhir.us.udap-security_1.0.0@195',
+                          'hl7.fhir.us.udap-security_1.0.0@196',
+                          'hl7.fhir.us.udap-security_1.0.0@197',
+                          'hl7.fhir.us.udap-security_1.0.0@198',
+                          'hl7.fhir.us.udap-security_1.0.0@202',
+                          'hl7.fhir.us.udap-security_1.0.0@212',
+                          'hl7.fhir.us.udap-security_1.0.0@214',
+                          'hl7.fhir.us.udap-security_1.0.0@215',
+                          'hl7.fhir.us.udap-security_1.0.0@223',
+                          'hl7.fhir.us.udap-security_1.0.0@225',
+                          'hl7.fhir.us.udap-security_1.0.0@226',
+                          'hl7.fhir.us.udap-security_1.0.0@227',
+                          'hl7.fhir.us.udap-security_1.0.0@228'
     def client_suite_id
       return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?

data/lib/udap_security_test_kit/client_suite.rb CHANGED Viewed

@@ -1,6 +1,7 @@
 require_relative 'endpoints/mock_udap_server/registration_endpoint'
 require_relative 'endpoints/mock_udap_server/authorization_endpoint'
 require_relative 'endpoints/mock_udap_server/token_endpoint'
+require_relative 'endpoints/mock_udap_server/introspection_endpoint'
 require_relative 'endpoints/echoing_fhir_responder_endpoint'
 require_relative 'urls'
 require_relative 'client_suite/registration_ac_group'
@@ -14,6 +15,14 @@ module UDAPSecurityTestKit
     title 'UDAP Security Client'
     description File.read(File.join(__dir__, 'docs', 'udap_client_suite_description.md'))
+    requirement_sets(
+      {
+        identifier: 'hl7.fhir.us.udap-security_1.0.0',
+        title: 'Security for Scalable Registration, Authentication, and Authorization (UDAP)',
+        actor: 'Client'
+      }
+    )
     links [
       {
         type: 'source_code',
@@ -61,6 +70,7 @@ module UDAPSecurityTestKit
     suite_endpoint :post, REGISTRATION_PATH, MockUDAPServer::RegistrationEndpoint
     suite_endpoint :get, AUTHORIZATION_PATH, MockUDAPServer::AuthorizationEndpoint
     suite_endpoint :post, AUTHORIZATION_PATH, MockUDAPServer::AuthorizationEndpoint
+    suite_endpoint :post, INTROSPECTION_PATH, MockUDAPServer::IntrospectionEndpoint
     suite_endpoint :post, TOKEN_PATH, MockUDAPServer::TokenEndpoint
     suite_endpoint :get, FHIR_PATH, EchoingFHIRResponderEndpoint
     suite_endpoint :post, FHIR_PATH, EchoingFHIRResponderEndpoint

data/lib/udap_security_test_kit/discovery_group.rb CHANGED Viewed

@@ -61,6 +61,8 @@ module UDAPSecurityTestKit
     output :udap_registration_endpoint
     output :udap_registration_grant_type
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@15'
     test from: :udap_well_known_endpoint
     test from: :udap_versions_supported_field
     test from: :udap_grant_types_supported_field

data/lib/udap_security_test_kit/dynamic_client_registration_group.rb CHANGED Viewed

@@ -141,6 +141,9 @@ module UDAPSecurityTestKit
           type: 'textarea',
           optional: true
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@68',
+                          'hl7.fhir.us.udap-security_1.0.0@105'
     test from: :udap_registration_failure_invalid_contents
     test from: :udap_registration_failure_invalid_jwt_signature
     test from: :udap_registration_success

data/lib/udap_security_test_kit/endpoints/mock_udap_server/introspection_endpoint.rb ADDED Viewed

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+require_relative '../../tags'
+require_relative '../mock_udap_server'
+require_relative 'udap_introspection_response_creation'
+module UDAPSecurityTestKit
+  module MockUDAPServer
+    class IntrospectionEndpoint < Inferno::DSL::SuiteEndpoint
+      include UDAPIntrospectionResponseCreation
+      def test_run_identifier
+        MockUDAPServer.issued_token_to_client_id(request.params[:token])
+      end
+      def make_response
+        response.body = make_udap_introspection_response.to_json
+        response.headers['Cache-Control'] = 'no-store'
+        response.headers['Pragma'] = 'no-cache'
+        response.headers['Access-Control-Allow-Origin'] = '*'
+        response.content_type = 'application/json'
+        response.status = 200
+      end
+      def update_result
+        nil # never update for now
+      end
+      def tags
+        [INTROSPECTION_TAG, UDAP_TAG]
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/endpoints/mock_udap_server/udap_introspection_response_creation.rb ADDED Viewed

@@ -0,0 +1,71 @@
+require_relative '../../tags'
+require_relative '../mock_udap_server'
+module UDAPSecurityTestKit
+  module MockUDAPServer
+    module UDAPIntrospectionResponseCreation
+      def make_udap_introspection_response # rubocop:disable Metrics/CyclomaticComplexity
+        target_token = request.params[:token]
+        introspection_inactive_response_body = { active: false }
+        return introspection_inactive_response_body if MockUDAPServer.token_expired?(target_token)
+        token_requests = Inferno::Repositories::Requests.new.tagged_requests(test_run.test_session_id, [TOKEN_TAG])
+        original_response_body = nil
+        original_token_request = token_requests.find do |request|
+          next unless request.status == 200
+          original_response_body = JSON.parse(request.response_body)
+          original_response_body['access_token'] == target_token
+        end
+        return introspection_inactive_response_body unless original_token_request.present?
+        decoded_token = MockUDAPServer.decode_token(target_token)
+        introspection_active_response_body = {
+          active: true,
+          client_id: decoded_token['client_id'],
+          exp: decoded_token['expiration']
+        }
+        original_response_body.each do |element, value|
+          next if ['access_token', 'refresh_token', 'token_type', 'expires_in'].include?(element)
+          next if introspection_active_response_body.key?(element)
+          introspection_active_response_body[element] = value
+        end
+        unless introspection_active_response_body.key?('scope')
+          introspection_active_response_body['scope'] = requested_scope(original_token_request)
+        end
+        if original_response_body.key?('id_token')
+          user_claims, _header = JWT.decode(original_response_body['id_token'], nil, false)
+          introspection_active_response_body['iss'] = user_claims['iss']
+          introspection_active_response_body['sub'] = user_claims['sub']
+          introspection_active_response_body['fhirUser'] = user_claims['fhirUser'] if user_claims['fhirUser'].present?
+        end
+        introspection_active_response_body
+      end
+      def requested_scope(token_request)
+        # token request
+        original_request_body = Rack::Utils.parse_query(token_request.request_body)
+        return original_request_body['scope'] if original_request_body['scope'].present?
+        # authorization request
+        authorization_request = MockUDAPServer.authorization_request_for_code(original_request_body['code'],
+                                                                              test_run.test_session_id)
+        auth_code_request_inputs = MockUDAPServer.authorization_code_request_details(authorization_request)
+        return auth_code_request_inputs['scope'] if auth_code_request_inputs&.dig('scope').present?
+        # registration request
+        # not looking in registration response since the simulation currently echoes the requested scopes
+        registered_software_statement = MockUDAPServer.udap_registration_software_statement(test_run.test_session_id)
+        if registered_software_statement.present?
+          registration_body, _registration_header = JWT.decode(registered_software_statement, nil, false)
+          return registration_body['scope'] if registration_body['scope'].present?
+        end
+        nil
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/endpoints/mock_udap_server.rb CHANGED Viewed

@@ -29,6 +29,7 @@ module UDAPSecurityTestKit
         token_endpoint: base_url + TOKEN_PATH,
         token_endpoint_auth_methods_supported: ['private_key_jwt'],
         token_endpoint_auth_signing_alg_values_supported: ['RS256', 'RS384', 'ES384'],
+        introspection_endpoint: base_url + INTROSPECTION_PATH,
         signed_metadata: udap_signed_metadata_jwt(base_url)
       }.to_json
@@ -158,15 +159,15 @@ module UDAPSecurityTestKit
     def decode_token(token)
       token_to_decode =
-        if issued_token_is_refresh_token(token)
+        if issued_token_is_refresh_token?(token)
           refresh_token_to_authorization_code(token)
         else
           token
         end
       return unless token_to_decode.present?
-      JSON.parse(Base64.urlsafe_decode64(token))
-    rescue JSON::ParserError
+      JSON.parse(Base64.urlsafe_decode64(token_to_decode))
+    rescue StandardError
       nil
     end
@@ -174,7 +175,7 @@ module UDAPSecurityTestKit
       decode_token(token)&.dig('client_id')
     end
-    def issued_token_is_refresh_token(token)
+    def issued_token_is_refresh_token?(token)
       token.end_with?('_rt')
     end
@@ -206,7 +207,7 @@ module UDAPSecurityTestKit
       response.format = :json
       response.body = FHIR::OperationOutcome.new(
         issue: FHIR::OperationOutcome::Issue.new(severity: 'fatal', code: 'expired',
-                                                 details: FHIR::CodeableConcept.new(text: "#{type}has expired"))
+                                                 details: FHIR::CodeableConcept.new(text: "#{type} has expired"))
       ).to_json
     end
@@ -372,6 +373,8 @@ module UDAPSecurityTestKit
     end
     def authorization_code_request_details(inferno_request)
+      return unless inferno_request.present?
       if inferno_request.verb.downcase == 'get'
         Rack::Utils.parse_query(URI(inferno_request.url)&.query)
       elsif inferno_request.verb.downcase == 'post'

data/lib/udap_security_test_kit/grant_types_supported_field_test.rb CHANGED Viewed

@@ -13,6 +13,9 @@ module UDAPSecurityTestKit
     input :required_flow_type
     output :udap_registration_grant_type
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@36',
+                          'hl7.fhir.us.udap-security_1.0.0@37'
     run do
       assert_valid_json(udap_well_known_metadata_json)
       config = JSON.parse(udap_well_known_metadata_json)

data/lib/udap_security_test_kit/reg_endpoint_jwt_signing_alg_values_supported_field_test.rb CHANGED Viewed

@@ -16,6 +16,9 @@ module UDAPSecurityTestKit
     input :udap_well_known_metadata_json
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@4',
+                          'hl7.fhir.us.udap-security_1.0.0@45'
     run do
       assert_valid_json(udap_well_known_metadata_json)
       config = JSON.parse(udap_well_known_metadata_json)
@@ -24,6 +27,9 @@ module UDAPSecurityTestKit
               '`registration_endpoint_jwt_signing_alg_values_supported` field is recommended but not required'
       CommonAssertions.assert_array_of_strings(config, 'registration_endpoint_jwt_signing_alg_values_supported')
+      assert config['registration_endpoint_jwt_signing_alg_values_supported'].include?('RS256'),
+             'All UDAP implementations must support RS256 signature algorithm'
     end
   end
 end

data/lib/udap_security_test_kit/registration_endpoint_field_test.rb CHANGED Viewed

@@ -12,6 +12,9 @@ module UDAPSecurityTestKit
     input :udap_well_known_metadata_json
     output :udap_registration_endpoint
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@11',
+                          'hl7.fhir.us.udap-security_1.0.0@43'
     run do
       assert_valid_json(udap_well_known_metadata_json)
       config = JSON.parse(udap_well_known_metadata_json)

data/lib/udap_security_test_kit/registration_failure_invalid_contents_test.rb CHANGED Viewed

@@ -35,6 +35,9 @@ module UDAPSecurityTestKit
     input :udap_registration_certifications,
           optional: true
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@106',
+                          'hl7.fhir.us.udap-security_1.0.0@114'
     run do
       software_statement_payload = SoftwareStatementBuilder.build_payload(
         'invalid_iss',

data/lib/udap_security_test_kit/registration_failure_invalid_jwt_signature_test.rb CHANGED Viewed

@@ -36,6 +36,8 @@ module UDAPSecurityTestKit
     input :udap_registration_certifications,
           optional: true
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@114'
     run do
       software_statement_payload = SoftwareStatementBuilder.build_payload(
         udap_cert_iss,

data/lib/udap_security_test_kit/registration_success_contents_test.rb CHANGED Viewed

@@ -43,6 +43,9 @@ module UDAPSecurityTestKit
     output :udap_client_id
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@111',
+                          'hl7.fhir.us.udap-security_1.0.0@113'
     run do
       assert_valid_json(udap_registration_response)
       registration_response = JSON.parse(udap_registration_response)

data/lib/udap_security_test_kit/registration_success_test.rb CHANGED Viewed

@@ -39,6 +39,9 @@ module UDAPSecurityTestKit
     output :udap_software_statement_json
     output :udap_registration_response
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@110',
+                          'hl7.fhir.us.udap-security_1.0.0@119'
     run do
       software_statement_payload = SoftwareStatementBuilder.build_payload(
         udap_cert_iss,