udap_security_test_kit 0.11.5 → 0.12.0

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/resource_holder_authentication_test.rb

@@ -0,0 +1,45 @@
+module UDAPSecurityTestKit
+  class ResourceHolderTokenEndpointAuthenticationAttestationTest < Inferno::Test
+    title 'Authenticates to IdP Token Endpoint'
+    id :udap_security_resource_holder_token_endpoint_authentication
+    description %(
+      The Resource authenticates to the IdP’s token endpoint when requesting an ID token
+      and access token, as detailed in Section 5 of UDAP JWT-based Client Authentication.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@281'
+
+    input :resource_holder_token_endpoint_authentication,
+          title: 'Authenticates to IdP Token Endpoint',
+          description: %(
+            I attest that the Resource Holder authenticates to the IdP’s token endpoint when requesting an ID token
+            and access token, as detailed in Section 5 of UDAP JWT-based Client Authentication.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+
+    input :resource_holder_token_endpoint_authentication_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert resource_holder_token_endpoint_authentication == 'true',
+             'Resource Holder did not authenticate to the IdP’s token endpoint as required.'
+      if resource_holder_token_endpoint_authentication_note.present?
+        pass resource_holder_token_endpoint_authentication_note
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb

@@ -0,0 +1,49 @@
+module UDAPSecurityTestKit
+  class SoftwareStatementAndRegistrationAttestationTest < Inferno::Test
+    title 'Complies with Software Statement and Registration'
+    id :udap_security_software_statement_registration
+    description %(
+      Client application complies with the requirements for Software Statement and Registration:
+      - Ensures that the `jti` claim in the JWT is not reused in another software statement or authentication JWT
+        before the time specified in the `exp` claim has passed.
+      - Interprets a registration response containing an empty `grant_types` array as a confirmation that the
+        registration for the `client_id` listed in the response has been cancelled by the Authorization Server.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@82',
+                          'hl7.fhir.us.udap-security_1.0.0@123'
+
+    input :software_statement_registration_compliance,
+          title: 'Complies with the requirements for Software Statement and Registration',
+          description: %(
+            I attest that the client application complies with the requirements for Software Statement and Registration:
+            - Ensures that the `jti` claim in the JWT is not reused in another software statement or authentication JWT
+              before the time specified in the `exp` claim has passed.
+            - Interprets a registration response containing an empty `grant_types` array as a confirmation that the
+              registration for the `client_id` listed in the response has been cancelled by the Authorization Server.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :software_statement_registration_compliance_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert software_statement_registration_compliance == 'true',
+             'Client application did not comply with the requirements for Software Statement and Registration.'
+      pass software_statement_registration_compliance_note if software_statement_registration_compliance_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb

@@ -0,0 +1,51 @@
+module UDAPSecurityTestKit
+  class TokenRequestAuthenticationAttestationTest < Inferno::Test
+    title 'Authenticates correctly when making token requests'
+    id :udap_security_token_request_authentication
+    description %(
+      Client application authenticates correctly when making token requests as described in
+      [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1) by:
+      - Including the `client_id` parameter in the token request if the client is not authenticating with the
+        authorization server.
+      - Authenticating to the Token Endpoint using the method registered for its `client_id` if the client
+        is a Confidential Client.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@144',
+                          'hl7.fhir.us.udap-security_1.0.0@280'
+
+    input :token_request_authentication_correctly,
+          title: 'Authenticates correctly when making token requests',
+          description: %(
+            I attest that the client application authenticates correctly when making token requests as
+            described in in [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1) by:
+            - Including the `client_id` parameter in the token request if the client is not authenticating
+              with the authorization server.
+            - Authenticating to the Token Endpoint using the method registered for its `client_id` if the client
+              is a Confidential Client.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :token_request_authentication_correctly_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert token_request_authentication_correctly == 'true',
+             'Client application did not demonstrate correct authentication during token requests.'
+      pass token_request_authentication_correctly_note if token_request_authentication_correctly_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb

@@ -0,0 +1,43 @@
+module UDAPSecurityTestKit
+  class TrustCommunityAndQueryParametersAttestationTest < Inferno::Test
+    title 'Complies with Trust Community and Query Parameter'
+    id :udap_security_trust_community_query_parameters
+    description %(
+      Client application ensures the value of the `community` query parameter is a valid URI as
+      determined by the trust community.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@61'
+
+    input :community_query_parameter_compliance,
+          title: 'Complies with Trust Community and Query Parameter',
+          description: %(
+            I attest that the client application ensures the value of the `community` query parameter is a valid URI
+            as determined by the trust community.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :community_query_parameter_compliance_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert community_query_parameter_compliance == 'true',
+             'Client application did not ensure the `community` query parameter value is a valid URI
+              as determined by the trust community.'
+      pass community_query_parameter_compliance_note if community_query_parameter_compliance_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb

@@ -0,0 +1,49 @@
+module UDAPSecurityTestKit
+  class ValidationAndConfidentialityAttestationTest < Inferno::Test
+    title 'Complies with Validation and Confidentiality'
+    id :udap_security_validation_confidentiality
+    description %(
+      Client applications complies with the requirements for Validation and Confidentiality:
+      - Validates the `state` parameter returned by the Resource Holder in response to an authorization request to
+        ensure it matches the value sent in the original request.
+      - Ensures confidentiality of client passwords and other client credentials by securely storing and
+        transmitting them.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@274',
+                          'hl7.fhir.us.udap-security_1.0.0@286'
+
+    input :validation_confidentiality_compliance,
+          title: 'Complies with requirements for Validation and Confidentiality',
+          description: %(
+            I attest that the client applications complies with the requirements for Validation and Confidentiality:
+            - Validates the `state` parameter returned by the Resource Holder in response to an authorization request to
+              ensure it matches the value sent in the original request.
+            - Ensures confidentiality of client passwords and other client credentials by securely storing and
+              transmitting them.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :validation_confidentiality_compliance_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert validation_confidentiality_compliance == 'true',
+             'Client application did not validate the `state` parameter returned by the Resource Holder.'
+      pass validation_confidentiality_compliance_note if validation_confidentiality_compliance_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb

@@ -0,0 +1,48 @@
+require_relative 'client/client_authorization_code_usage_test'
+require_relative 'client/b2b_authorization_extension_object_test'
+require_relative 'client/client_security_csrf_protection_test'
+require_relative 'client/cryptographic_algorithms_test'
+require_relative 'client/data_holder_auth_request_scope_test'
+require_relative 'client/idp_authentication_compliance_test'
+require_relative 'client/idp_supports_required_scopes_test'
+require_relative 'client/jti_reuse_prevention_test'
+require_relative 'client/metadata_interpretation_test'
+require_relative 'client/oauth2_protocol_compliance_test'
+require_relative 'client/preferred_identity_provider_test'
+require_relative 'client/private_key_authentication_test'
+require_relative 'client/resource_holder_authentication_test'
+require_relative 'client/software_statement_registration_test'
+require_relative 'client/token_request_authentication_test'
+require_relative 'client/trust_community_query_parameters_test'
+require_relative 'client/validation_confidentiality_test'
+
+module UDAPSecurityTestKit
+  class ClientAttestationGroup < Inferno::TestGroup
+    id :udap_client_v100_visual_inspection_and_attestation
+    title 'Visual Inspection and Attestation'
+    optional
+
+    description <<~DESCRIPTION
+      Perform visual inspections or attestations to ensure that the Client is conformant to the UDAP IG requirements.
+    DESCRIPTION
+
+    run_as_group
+    test from: :udap_security_client_auth_code_usage
+    test from: :udap_security_crypto_algorithms_and_protocols
+    test from: :udap_security_idp_supports_scopes
+    test from: :udap_security_jti_reuse_prevention
+    test from: :udap_security_metadata_interpretation
+    test from: :udap_security_preferred_idp
+    test from: :udap_security_private_key_authentication
+    test from: :udap_security_token_request_authentication
+    test from: :udap_security_oauth2_protocol_compliance
+    test from: :udap_security_resource_holder_token_endpoint_authentication
+    test from: :udap_security_software_statement_registration
+    test from: :udap_security_b2b_authorization_extension_object
+    test from: :udap_security_client_security_csrf_protection
+    test from: :udap_security_data_holder_auth_request_scope
+    test from: :udap_security_idp_authentication_compliance
+    test from: :udap_security_validation_confidentiality
+    test from: :udap_security_trust_community_query_parameters
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group/authentication_request_construction_test.rb

@@ -0,0 +1,56 @@
+module UDAPSecurityTestKit
+  class AuthenticationRequestConstructionAttestationTest < Inferno::Test
+    title 'Complies with OpenID Connect requirements in construction'
+    id :oidc_auth_request_construction
+    description %(
+      Authorization Server complies ith OpenID Connect requirements and ensures:
+      - HTTP GET and POST methods are supported at the Authorization Endpoint.
+      - The `openid` scope value is included in requests.
+      - A `scope` parameter is present and contains the `openid` scope value on an authentication request
+      - Required parameters (`response_type`, `client_id`, `redirect_uri`) are present and valid.
+      - The `redirect_uri` exactly matches pre-registered values.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@246',
+                          'hl7.fhir.us.udap-security_1.0.0@247',
+                          'hl7.fhir.us.udap-security_1.0.0@248',
+                          'hl7.fhir.us.udap-security_1.0.0@249',
+                          'hl7.fhir.us.udap-security_1.0.0@250',
+                          'hl7.fhir.us.udap-security_1.0.0@251',
+                          'hl7.fhir.us.udap-security_1.0.0@259'
+
+    input :auth_request_construction_correct,
+          title: 'Authentication Requests: Complies with OpenID Connect requirements',
+          description: %(
+            I attest that the Authorization Server complies with OpenID Connect requirements and ensures:
+            - HTTP GET and POST methods are supported at the Authorization Endpoint.
+            - The `openid` scope value is included in requests.
+            - A `scope` parameter is present and contains the `openid` scope value on an authentication request
+            - Required parameters (`response_type`, `client_id`, `redirect_uri`) are present and valid.
+            - The `redirect_uri` exactly matches pre-registered values.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :auth_request_construction_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert auth_request_construction_correct == 'true',
+             'Authentication Request Construction does not comply with OpenID Connect requirements.'
+      pass auth_request_construction_note if auth_request_construction_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group/authentication_request_validation_test.rb

@@ -0,0 +1,60 @@
+module UDAPSecurityTestKit
+  class AuthenticationRequestValidationAttestationTest < Inferno::Test
+    title 'Complies with OpenID Connect requirements in validation'
+    id :oidc_auth_request_validation
+    description %(
+      Authorization Server complies with OpenID Connect requirements and ensures:
+      - Validation of all OAuth 2.0 parameters.
+      - Verification that the `scope` parameter contains the `openid` value.
+      - Required parameters are present and conform to the specification.
+      - Proper handling of the `sub` Claim, `id_token_hint`, and `prompt` parameter.
+      - Implementation of CSRF and Clickjacking protections.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@258',
+                          'hl7.fhir.us.udap-security_1.0.0@259',
+                          'hl7.fhir.us.udap-security_1.0.0@260',
+                          'hl7.fhir.us.udap-security_1.0.0@261',
+                          'hl7.fhir.us.udap-security_1.0.0@262',
+                          'hl7.fhir.us.udap-security_1.0.0@263',
+                          'hl7.fhir.us.udap-security_1.0.0@264',
+                          'hl7.fhir.us.udap-security_1.0.0@265',
+                          'hl7.fhir.us.udap-security_1.0.0@266',
+                          'hl7.fhir.us.udap-security_1.0.0@267',
+                          'hl7.fhir.us.udap-security_1.0.0@269'
+
+    input :auth_request_validation_correct,
+          title: 'Authentication Requests: Complies with OpenID Connect requirements in validation',
+          description: %(
+            I attest that the Authorization Server complies with OpenID Connect requirements and ensures:
+            - Validation of all OAuth 2.0 parameters.
+            - Verification that the `scope` parameter contains the `openid` value.
+            - Required parameters are present and conform to the specification.
+            - Proper handling of the `sub` Claim, `id_token_hint`, and `prompt` parameter.
+            - Implementation of CSRF and Clickjacking protections.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :auth_request_validation_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert auth_request_validation_correct == 'true',
+             'Authentication Request Validation does not comply with OpenID Connect requirements.'
+      pass auth_request_validation_note if auth_request_validation_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group.rb

@@ -0,0 +1,13 @@
+require_relative 'authentication_requests_group/authentication_request_construction_test'
+require_relative 'authentication_requests_group/authentication_request_validation_test'
+
+module UDAPSecurityTestKit
+  class OpenIDConnectAuthenticationRequestsAttestationGroup < Inferno::TestGroup
+    id :udap_server_v100_authentication_requests_group
+    title 'Authentication Requests'
+
+    run_as_group
+    test from: :oidc_auth_request_construction
+    test from: :oidc_auth_request_validation
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb

@@ -0,0 +1,42 @@
+module UDAPSecurityTestKit
+  class AccessTokenLifetimeAttestationTest < Inferno::Test
+    title 'Limits lifetime of access tokens to no longer than 60 minutes'
+    id :udap_security_access_token_lifetime
+    description %(
+      The Authorization Server issues access tokens with a lifetime no longer than 60 minutes for all successful
+      token requests.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@184'
+
+    input :access_token_lifetime_correct,
+          title: 'Authorization Code and Token Requests: Limits lifetime of access tokens to no longer than 60 minutes',
+          description: %(
+            I attest that the Authorization Server issues access tokens with a lifetime no longer than 60 minutes for
+            all successful token requests.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :access_token_lifetime_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert access_token_lifetime_correct == 'true',
+             'Authorization Server did not issue access tokens with a lifetime no longer than 60 minutes.'
+      pass access_token_lifetime_note if access_token_lifetime_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_request_validation_test.rb

@@ -0,0 +1,51 @@
+module UDAPSecurityTestKit
+  class AccessTokenRequestValidationAttestationTest < Inferno::Test
+    title 'Validates access token requests correctly'
+    id :udap_security_access_token_request_validation
+    description %(
+      The Authorization Server validates access token requests by:
+      - Requiring client authentication for confidential clients or clients issued credentials.
+      - Authenticating the client if client authentication is included.
+      - Verifying that the authorization code is valid.
+      - Ensuring the `redirect_uri` parameter is present and matches the initial authorization request.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@146',
+                          'hl7.fhir.us.udap-security_1.0.0@147',
+                          'hl7.fhir.us.udap-security_1.0.0@149',
+                          'hl7.fhir.us.udap-security_1.0.0@150'
+
+    input :access_token_request_validation_correct,
+          title: 'Authorization Code and Token Requests: Validates access token requests correctly',
+          description: %(
+            I attest that the Authorization Server validates access token requests by:
+            - Requiring client authentication for confidential clients or clients issued credentials.
+            - Authenticating the client if client authentication is included.
+            - Verifying that the authorization code is valid.
+            - Ensuring the `redirect_uri` parameter is present and matches the initial authorization request.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :access_token_request_validation_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert access_token_request_validation_correct == 'true',
+             'Authorization Server did not validate access token requests correctly.'
+      pass access_token_request_validation_note if access_token_request_validation_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/authorization_code_usage_test.rb

@@ -0,0 +1,45 @@
+module UDAPSecurityTestKit
+  class AuthorizationCodeUsageAttestationTest < Inferno::Test
+    title 'Ensures authorization code is used correctly'
+    id :udap_security_auth_code_usage
+    description %(
+      The Authorization Server ensures that:
+      - Authorization codes are not used more than once.
+      - Authorization codes expire shortly after issuance to mitigate the risk of leaks.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@135',
+                          'hl7.fhir.us.udap-security_1.0.0@137'
+
+    input :authorization_code_usage_correct,
+          title: 'Authorization Code and Token Requests: Ensures Authorization Code is used correctly',
+          description: %(
+            I attest that the Authorization Server ensures:
+            - Authorization codes are not used more than once.
+            - Authorization codes expire shortly after issuance to mitigate the risk of leaks.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :authorization_code_usage_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert authorization_code_usage_correct == 'true',
+             'Authorization Server did not ensure correct usage of authorization codes.'
+      pass authorization_code_usage_note if authorization_code_usage_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/resource_holder_authorization_flow_test.rb

@@ -0,0 +1,37 @@
+module UDAPSecurityTestKit
+  class AuthorizationCodeFlowAttestationTest < Inferno::Test
+    title 'Resource Holder uses the authorization code flow'
+    id :udap_security_authorization_code_flow
+    description %(
+      The Resource Holder uses the authorization code flow when redirecting the user
+      to the IdP’s authorization endpoint.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@253'
+
+    input :authorization_code_flow_correct,
+          title: 'Authorization Code and Token Requests: Resource Holder uses authorization code flow',
+          description: %(
+            I attest that the Resource Holder uses the authorization code flow when redirecting
+            the user to the IdP’s authorization endpoint.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :authorization_code_flow_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert authorization_code_flow_correct == 'true',
+             'Resource Holder does not use the authorization code flow when redirecting the user to the
+             IdP’s authorization endpoint.'
+      pass authorization_code_flow_note if authorization_code_flow_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group.rb

@@ -0,0 +1,17 @@
+require_relative 'authorization_code_token_requests_group/authorization_code_usage_test'
+require_relative 'authorization_code_token_requests_group/access_token_request_validation_test'
+require_relative 'authorization_code_token_requests_group/access_token_lifetime_test'
+require_relative 'authorization_code_token_requests_group/resource_holder_authorization_flow_test'
+
+module UDAPSecurityTestKit
+  class AuthorizationCodeTokenRequestsAttestationGroup < Inferno::TestGroup
+    id :udap_server_v100_authorization_code_token_requests_group
+    title 'Authorization Code and Token Requests'
+
+    run_as_group
+    test from: :udap_security_auth_code_usage
+    test from: :udap_security_access_token_request_validation
+    test from: :udap_security_access_token_lifetime
+    test from: :udap_security_authorization_code_flow
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group/client_certificate_storage_test.rb

@@ -0,0 +1,36 @@
+module UDAPSecurityTestKit
+  class ClientCertificateStorageAttestationTest < Inferno::Test
+    title 'Authorization Server stores client certificate for authentication'
+    id :udap_security_client_certificate_storage
+    description %(
+      The Authorization Server stores the certificate provided by the Client for
+      use in validating subsequent client authentication attempts.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@112'
+
+    input :client_certificate_storage_correct,
+          title: 'Client Authentication: Authorization Server stores client certificate',
+          description: %(
+            I attest that the Authorization Server stores the certificate provided by the Client for
+            use in validating subsequent client authentication attempts.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :client_certificate_storage_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert client_certificate_storage_correct == 'true',
+             'Authorization Server does not store the client certificate for use in subsequent authentication attempts.'
+      pass client_certificate_storage_note if client_certificate_storage_note.present?
+    end
+  end
+end