RubyGems - udap_security_test_kit - Versions diffs - 0.11.5 → 0.12.0 - Mend

udap_security_test_kit 0.11.5 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (112) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8cd9e461b7c07f1562d3cd0633dad2816f6b9a93b56a4f21d82ed608386e2035
-  data.tar.gz: 636e8a27be86aaca468218ed36f8253e6ede05ef995c8cd28664636944a52b72
+  metadata.gz: 389308da43499f5da9c609232c1cc3fdaf1032878d896036c748fad5ad559e5b
+  data.tar.gz: fede0634c5887c1269335e23a43f7eafd2ead88f7023e7ddad38c461afebf14a
 SHA512:
-  metadata.gz: 8f6b32492245d75331ca03fa96a6fcd3169894e6cb09788a2e07cd851f40fcdb776133c91488e806e663e0166042e0f361ddcd59e350664c1b2ecfce316513ef
-  data.tar.gz: 4b6f85396f9dd0b4918672756471a9690f56e8b0161bd6b097baa0317728bb8491c0629792b5255dc2c25f092cfc61f0ee368ab110ca45fadf21614a8d1a3834
+  metadata.gz: '0889a1e651666db51b2e6ab9f3bea0adcfc03c0e6f63a94e485a85351f3adf145a645bc1da3f385ad488f5fa22517ab0868e005a710a6caa43be9698a3d642c2'
+  data.tar.gz: 1bdf5d418b6eb50172a0d9365b3e3013bbfd163ebec2bb68d9b4427a4fa806f31e8e7587c2c4cb018ba5dde83d70b586b881ffb58045ee542210425e484028f5

data/lib/udap_security_test_kit/authorization_code_received_test.rb CHANGED Viewed

@@ -9,12 +9,20 @@ module UDAPSecurityTestKit
     output :udap_authorization_code
     uses_request :redirect
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@133',
+                          'hl7.fhir.us.udap-security_1.0.0@134',
+                          'hl7.fhir.us.udap-security_1.0.0@138',
+                          'hl7.fhir.us.udap-security_1.0.0@190'
     run do
       code = request.query_parameters['code']
       output udap_authorization_code: code
       assert code.present?, 'No `code` parameter received'
+      state = request.query_parameters['state']
+      assert state.present?, '`state` parameter is required since it was present in client request'
       error = request.query_parameters['error']
       pass_if error.blank?

data/lib/udap_security_test_kit/authorization_code_redirect_test.rb CHANGED Viewed

@@ -52,6 +52,9 @@ module UDAPSecurityTestKit
     receives_request :redirect
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@133',
+                          'hl7.fhir.us.udap-security_1.0.0@190'
     config options: {
       redirect_uri: UDAPSecurityTestKit::UDAP_REDIRECT_URI
     }

data/lib/udap_security_test_kit/authorization_code_token_exchange_test.rb CHANGED Viewed

@@ -62,6 +62,8 @@ module UDAPSecurityTestKit
     makes_request :token_exchange
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@148'
     run do
       client_assertion_payload = UDAPClientAssertionPayloadBuilder.build(
         udap_client_id,

data/lib/udap_security_test_kit/authorization_endpoint_field_test.rb CHANGED Viewed

@@ -13,6 +13,10 @@ module UDAPSecurityTestKit
     input :udap_well_known_metadata_json
     output :udap_authorization_endpoint
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@9',
+                          'hl7.fhir.us.udap-security_1.0.0@38',
+                          'hl7.fhir.us.udap-security_1.0.0@39'
     run do
       assert_valid_json(udap_well_known_metadata_json)
       config = JSON.parse(udap_well_known_metadata_json)
@@ -29,7 +33,7 @@ module UDAPSecurityTestKit
               '`authorization_endpoint` field is only required if `authorization_code` is a supported grant type'
       assert config.key?('authorization_endpoint'),
-             '`authorization_endpoint` field is required if `authorization_endpoint` is a supported grant type'
+             '`authorization_endpoint` field is required if `authorization_code` is a supported grant type'
       endpoint = config['authorization_endpoint']

data/lib/udap_security_test_kit/client_suite/access_ac_group.rb CHANGED Viewed

@@ -17,6 +17,8 @@ module UDAPSecurityTestKit
     run_as_group
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@126'
     test from: :udap_client_access_ac_interaction
     test from: :udap_client_authorization_request_verification
     test from: :udap_client_token_request_ac_verification

data/lib/udap_security_test_kit/client_suite/authorization_request_verification_test.rb CHANGED Viewed

@@ -24,6 +24,11 @@ module UDAPSecurityTestKit
           locked: 'true',
           description: INPUT_UDAP_REGISTRATION_JWT_DESCRIPTION_LOCKED
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@67',
+                          'hl7.fhir.us.udap-security_1.0.0@127',
+                          'hl7.fhir.us.udap-security_1.0.0@128',
+                          'hl7.fhir.us.udap-security_1.0.0@129'
     def client_suite_id
       return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?

data/lib/udap_security_test_kit/client_suite/registration_ac_verification_test.rb CHANGED Viewed

@@ -17,6 +17,40 @@ module UDAPSecurityTestKit
     input :udap_client_uri
     output :udap_registration_jwt
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@1',
+                          'hl7.fhir.us.udap-security_1.0.0@2',
+                          'hl7.fhir.us.udap-security_1.0.0@3',
+                          'hl7.fhir.us.udap-security_1.0.0@7',
+                          'hl7.fhir.us.udap-security_1.0.0@8',
+                          'hl7.fhir.us.udap-security_1.0.0@66',
+                          'hl7.fhir.us.udap-security_1.0.0@71',
+                          'hl7.fhir.us.udap-security_1.0.0@72',
+                          'hl7.fhir.us.udap-security_1.0.0@73',
+                          'hl7.fhir.us.udap-security_1.0.0@74',
+                          'hl7.fhir.us.udap-security_1.0.0@75',
+                          'hl7.fhir.us.udap-security_1.0.0@76',
+                          'hl7.fhir.us.udap-security_1.0.0@77',
+                          'hl7.fhir.us.udap-security_1.0.0@78',
+                          'hl7.fhir.us.udap-security_1.0.0@79',
+                          'hl7.fhir.us.udap-security_1.0.0@80',
+                          'hl7.fhir.us.udap-security_1.0.0@81',
+                          'hl7.fhir.us.udap-security_1.0.0@83',
+                          'hl7.fhir.us.udap-security_1.0.0@84',
+                          'hl7.fhir.us.udap-security_1.0.0@86',
+                          'hl7.fhir.us.udap-security_1.0.0@87',
+                          'hl7.fhir.us.udap-security_1.0.0@88',
+                          'hl7.fhir.us.udap-security_1.0.0@90',
+                          'hl7.fhir.us.udap-security_1.0.0@91',
+                          'hl7.fhir.us.udap-security_1.0.0@92',
+                          'hl7.fhir.us.udap-security_1.0.0@93',
+                          'hl7.fhir.us.udap-security_1.0.0@94',
+                          'hl7.fhir.us.udap-security_1.0.0@96',
+                          'hl7.fhir.us.udap-security_1.0.0@97',
+                          'hl7.fhir.us.udap-security_1.0.0@101',
+                          'hl7.fhir.us.udap-security_1.0.0@102',
+                          'hl7.fhir.us.udap-security_1.0.0@103',
+                          'hl7.fhir.us.udap-security_1.0.0@104'
     def client_suite_id
       return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?

data/lib/udap_security_test_kit/client_suite/registration_cc_verification_test.rb CHANGED Viewed

@@ -23,6 +23,36 @@ module UDAPSecurityTestKit
       UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
     end
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@1',
+                          'hl7.fhir.us.udap-security_1.0.0@2',
+                          'hl7.fhir.us.udap-security_1.0.0@3',
+                          'hl7.fhir.us.udap-security_1.0.0@7',
+                          'hl7.fhir.us.udap-security_1.0.0@8',
+                          'hl7.fhir.us.udap-security_1.0.0@66',
+                          'hl7.fhir.us.udap-security_1.0.0@71',
+                          'hl7.fhir.us.udap-security_1.0.0@72',
+                          'hl7.fhir.us.udap-security_1.0.0@73',
+                          'hl7.fhir.us.udap-security_1.0.0@74',
+                          'hl7.fhir.us.udap-security_1.0.0@75',
+                          'hl7.fhir.us.udap-security_1.0.0@76',
+                          'hl7.fhir.us.udap-security_1.0.0@77',
+                          'hl7.fhir.us.udap-security_1.0.0@78',
+                          'hl7.fhir.us.udap-security_1.0.0@79',
+                          'hl7.fhir.us.udap-security_1.0.0@80',
+                          'hl7.fhir.us.udap-security_1.0.0@81',
+                          'hl7.fhir.us.udap-security_1.0.0@83',
+                          'hl7.fhir.us.udap-security_1.0.0@85',
+                          'hl7.fhir.us.udap-security_1.0.0@86',
+                          'hl7.fhir.us.udap-security_1.0.0@87',
+                          'hl7.fhir.us.udap-security_1.0.0@92',
+                          'hl7.fhir.us.udap-security_1.0.0@95',
+                          'hl7.fhir.us.udap-security_1.0.0@96',
+                          'hl7.fhir.us.udap-security_1.0.0@97',
+                          'hl7.fhir.us.udap-security_1.0.0@101',
+                          'hl7.fhir.us.udap-security_1.0.0@102',
+                          'hl7.fhir.us.udap-security_1.0.0@103',
+                          'hl7.fhir.us.udap-security_1.0.0@104'
     run do
       client_registration_requests = load_registration_requests_for_client_uri(udap_client_uri)
       skip_if client_registration_requests.empty?,

data/lib/udap_security_test_kit/client_suite/token_request_ac_verification_test.rb CHANGED Viewed

@@ -28,6 +28,53 @@ module UDAPSecurityTestKit
           description: INPUT_UDAP_REGISTRATION_JWT_DESCRIPTION_LOCKED
     output :udap_tokens
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@1',
+                          'hl7.fhir.us.udap-security_1.0.0@2',
+                          'hl7.fhir.us.udap-security_1.0.0@3',
+                          'hl7.fhir.us.udap-security_1.0.0@7',
+                          'hl7.fhir.us.udap-security_1.0.0@8',
+                          'hl7.fhir.us.udap-security_1.0.0@67',
+                          'hl7.fhir.us.udap-security_1.0.0@69',
+                          'hl7.fhir.us.udap-security_1.0.0@140',
+                          'hl7.fhir.us.udap-security_1.0.0@141',
+                          'hl7.fhir.us.udap-security_1.0.0@142',
+                          'hl7.fhir.us.udap-security_1.0.0@143',
+                          'hl7.fhir.us.udap-security_1.0.0@145',
+                          'hl7.fhir.us.udap-security_1.0.0@151',
+                          'hl7.fhir.us.udap-security_1.0.0@152',
+                          'hl7.fhir.us.udap-security_1.0.0@153',
+                          'hl7.fhir.us.udap-security_1.0.0@154',
+                          'hl7.fhir.us.udap-security_1.0.0@155',
+                          'hl7.fhir.us.udap-security_1.0.0@156',
+                          'hl7.fhir.us.udap-security_1.0.0@157',
+                          'hl7.fhir.us.udap-security_1.0.0@158',
+                          'hl7.fhir.us.udap-security_1.0.0@160',
+                          'hl7.fhir.us.udap-security_1.0.0@161',
+                          'hl7.fhir.us.udap-security_1.0.0@163',
+                          'hl7.fhir.us.udap-security_1.0.0@165',
+                          'hl7.fhir.us.udap-security_1.0.0@166',
+                          'hl7.fhir.us.udap-security_1.0.0@167',
+                          'hl7.fhir.us.udap-security_1.0.0@168',
+                          'hl7.fhir.us.udap-security_1.0.0@169',
+                          'hl7.fhir.us.udap-security_1.0.0@170',
+                          'hl7.fhir.us.udap-security_1.0.0@171',
+                          'hl7.fhir.us.udap-security_1.0.0@175',
+                          'hl7.fhir.us.udap-security_1.0.0@177',
+                          'hl7.fhir.us.udap-security_1.0.0@178',
+                          'hl7.fhir.us.udap-security_1.0.0@179',
+                          'hl7.fhir.us.udap-security_1.0.0@180',
+                          'hl7.fhir.us.udap-security_1.0.0@185',
+                          'hl7.fhir.us.udap-security_1.0.0@192',
+                          'hl7.fhir.us.udap-security_1.0.0@193',
+                          'hl7.fhir.us.udap-security_1.0.0@194',
+                          'hl7.fhir.us.udap-security_1.0.0@195',
+                          'hl7.fhir.us.udap-security_1.0.0@196',
+                          'hl7.fhir.us.udap-security_1.0.0@197',
+                          'hl7.fhir.us.udap-security_1.0.0@222',
+                          'hl7.fhir.us.udap-security_1.0.0@232',
+                          'hl7.fhir.us.udap-security_1.0.0@233',
+                          'hl7.fhir.us.udap-security_1.0.0@234'
     def client_suite_id
       return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?

data/lib/udap_security_test_kit/client_suite/token_request_cc_verification_test.rb CHANGED Viewed

@@ -28,6 +28,31 @@ module UDAPSecurityTestKit
           description: INPUT_UDAP_REGISTRATION_JWT_DESCRIPTION_LOCKED
     output :udap_tokens
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@1',
+                          'hl7.fhir.us.udap-security_1.0.0@2',
+                          'hl7.fhir.us.udap-security_1.0.0@3',
+                          'hl7.fhir.us.udap-security_1.0.0@7',
+                          'hl7.fhir.us.udap-security_1.0.0@8',
+                          'hl7.fhir.us.udap-security_1.0.0@67',
+                          'hl7.fhir.us.udap-security_1.0.0@69',
+                          'hl7.fhir.us.udap-security_1.0.0@186',
+                          'hl7.fhir.us.udap-security_1.0.0@192',
+                          'hl7.fhir.us.udap-security_1.0.0@193',
+                          'hl7.fhir.us.udap-security_1.0.0@194',
+                          'hl7.fhir.us.udap-security_1.0.0@195',
+                          'hl7.fhir.us.udap-security_1.0.0@196',
+                          'hl7.fhir.us.udap-security_1.0.0@197',
+                          'hl7.fhir.us.udap-security_1.0.0@198',
+                          'hl7.fhir.us.udap-security_1.0.0@202',
+                          'hl7.fhir.us.udap-security_1.0.0@212',
+                          'hl7.fhir.us.udap-security_1.0.0@214',
+                          'hl7.fhir.us.udap-security_1.0.0@215',
+                          'hl7.fhir.us.udap-security_1.0.0@223',
+                          'hl7.fhir.us.udap-security_1.0.0@225',
+                          'hl7.fhir.us.udap-security_1.0.0@226',
+                          'hl7.fhir.us.udap-security_1.0.0@227',
+                          'hl7.fhir.us.udap-security_1.0.0@228'
     def client_suite_id
       return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?

data/lib/udap_security_test_kit/client_suite.rb CHANGED Viewed

@@ -8,6 +8,7 @@ require_relative 'client_suite/registration_ac_group'
 require_relative 'client_suite/registration_cc_group'
 require_relative 'client_suite/access_ac_group'
 require_relative 'client_suite/access_cc_group'
+require_relative 'visual_inspection_and_attestation/client_attestation_group'
 module UDAPSecurityTestKit
   class UDAPSecurityClientTestSuite < Inferno::TestSuite
@@ -15,6 +16,14 @@ module UDAPSecurityTestKit
     title 'UDAP Security Client'
     description File.read(File.join(__dir__, 'docs', 'udap_client_suite_description.md'))
+    requirement_sets(
+      {
+        identifier: 'hl7.fhir.us.udap-security_1.0.0',
+        title: 'Security for Scalable Registration, Authentication, and Authorization (UDAP)',
+        actor: 'Client'
+      }
+    )
     links [
       {
         type: 'source_code',
@@ -105,5 +114,7 @@ module UDAPSecurityTestKit
           required_suite_options: {
             client_type: UDAPClientOptions::UDAP_CLIENT_CREDENTIALS
           }
+    group from: :udap_client_v100_visual_inspection_and_attestation
   end
 end

data/lib/udap_security_test_kit/discovery_group.rb CHANGED Viewed

@@ -61,6 +61,8 @@ module UDAPSecurityTestKit
     output :udap_registration_endpoint
     output :udap_registration_grant_type
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@15'
     test from: :udap_well_known_endpoint
     test from: :udap_versions_supported_field
     test from: :udap_grant_types_supported_field

data/lib/udap_security_test_kit/dynamic_client_registration_group.rb CHANGED Viewed

@@ -141,6 +141,9 @@ module UDAPSecurityTestKit
           type: 'textarea',
           optional: true
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@68',
+                          'hl7.fhir.us.udap-security_1.0.0@105'
     test from: :udap_registration_failure_invalid_contents
     test from: :udap_registration_failure_invalid_jwt_signature
     test from: :udap_registration_success

data/lib/udap_security_test_kit/endpoints/mock_udap_server.rb CHANGED Viewed

@@ -159,7 +159,7 @@ module UDAPSecurityTestKit
     def decode_token(token)
       token_to_decode =
-        if issued_token_is_refresh_token(token)
+        if issued_token_is_refresh_token?(token)
           refresh_token_to_authorization_code(token)
         else
           token
@@ -175,7 +175,7 @@ module UDAPSecurityTestKit
       decode_token(token)&.dig('client_id')
     end
-    def issued_token_is_refresh_token(token)
+    def issued_token_is_refresh_token?(token)
       token.end_with?('_rt')
     end

data/lib/udap_security_test_kit/grant_types_supported_field_test.rb CHANGED Viewed

@@ -13,6 +13,9 @@ module UDAPSecurityTestKit
     input :required_flow_type
     output :udap_registration_grant_type
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@36',
+                          'hl7.fhir.us.udap-security_1.0.0@37'
     run do
       assert_valid_json(udap_well_known_metadata_json)
       config = JSON.parse(udap_well_known_metadata_json)

data/lib/udap_security_test_kit/reg_endpoint_jwt_signing_alg_values_supported_field_test.rb CHANGED Viewed

@@ -16,6 +16,9 @@ module UDAPSecurityTestKit
     input :udap_well_known_metadata_json
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@4',
+                          'hl7.fhir.us.udap-security_1.0.0@45'
     run do
       assert_valid_json(udap_well_known_metadata_json)
       config = JSON.parse(udap_well_known_metadata_json)
@@ -24,6 +27,9 @@ module UDAPSecurityTestKit
               '`registration_endpoint_jwt_signing_alg_values_supported` field is recommended but not required'
       CommonAssertions.assert_array_of_strings(config, 'registration_endpoint_jwt_signing_alg_values_supported')
+      assert config['registration_endpoint_jwt_signing_alg_values_supported'].include?('RS256'),
+             'All UDAP implementations must support RS256 signature algorithm'
     end
   end
 end

data/lib/udap_security_test_kit/registration_endpoint_field_test.rb CHANGED Viewed

@@ -12,6 +12,9 @@ module UDAPSecurityTestKit
     input :udap_well_known_metadata_json
     output :udap_registration_endpoint
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@11',
+                          'hl7.fhir.us.udap-security_1.0.0@43'
     run do
       assert_valid_json(udap_well_known_metadata_json)
       config = JSON.parse(udap_well_known_metadata_json)

data/lib/udap_security_test_kit/registration_failure_invalid_contents_test.rb CHANGED Viewed

@@ -8,7 +8,7 @@ module UDAPSecurityTestKit
     description %(
       The [UDAP IG Section 3.1](https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement) states:
       > The unique client URI used for the iss claim SHALL match the uriName entry in the Subject Alternative Name
-      > extension of the client app operator’s X.509 certificate, and SHALL uniquely identify a single client app
+      > extension of the client app operator’s X.509 certificate, and SHALL uniquelys identify a single client app
       > operator and application over time
       The [UDAP IG Section 3.2.3](https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body) states:
@@ -35,6 +35,9 @@ module UDAPSecurityTestKit
     input :udap_registration_certifications,
           optional: true
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@106',
+                          'hl7.fhir.us.udap-security_1.0.0@114'
     run do
       software_statement_payload = SoftwareStatementBuilder.build_payload(
         'invalid_iss',

data/lib/udap_security_test_kit/registration_failure_invalid_jwt_signature_test.rb CHANGED Viewed

@@ -36,6 +36,8 @@ module UDAPSecurityTestKit
     input :udap_registration_certifications,
           optional: true
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@114'
     run do
       software_statement_payload = SoftwareStatementBuilder.build_payload(
         udap_cert_iss,

data/lib/udap_security_test_kit/registration_success_contents_test.rb CHANGED Viewed

@@ -43,6 +43,9 @@ module UDAPSecurityTestKit
     output :udap_client_id
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@111',
+                          'hl7.fhir.us.udap-security_1.0.0@113'
     run do
       assert_valid_json(udap_registration_response)
       registration_response = JSON.parse(udap_registration_response)

data/lib/udap_security_test_kit/registration_success_test.rb CHANGED Viewed

@@ -39,6 +39,9 @@ module UDAPSecurityTestKit
     output :udap_software_statement_json
     output :udap_registration_response
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@110',
+                          'hl7.fhir.us.udap-security_1.0.0@119'
     run do
       software_statement_payload = SoftwareStatementBuilder.build_payload(
         udap_cert_iss,