udap_security_test_kit 0.11.5 → 0.12.0

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb

@@ -0,0 +1,45 @@
+module UDAPSecurityTestKit
+  class IDTokenValidationAttestationTest < Inferno::Test
+    title 'Validates ID Token correctly'
+    id :udap_security_id_token_validation
+    description %(
+      Data Holder validates the ID Token as per OIDC Core specifications, including:
+      - Verifying the token's signature.
+      - Checking claims such as `iss`, `aud`, and `exp`.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@282',
+                          'hl7.fhir.us.udap-security_1.0.0@289'
+
+    input :id_token_validation_correct,
+          title: 'ID Token and Access Token Validation: ID Token is validated correctly',
+          description: %(
+            I attest that the Data Holder validates the ID Token as per OIDC Core specifications, including:
+            - Verifying the token's signature.
+            - Checking claims such as `iss`, `aud`, and `exp`.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :id_token_validation_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert id_token_validation_correct == 'true',
+             'ID Token validation is not implemented correctly as per OIDC Core specifications.'
+      pass id_token_validation_note if id_token_validation_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb

@@ -0,0 +1,47 @@
+module UDAPSecurityTestKit
+  class TokenResponseValidationAttestationTest < Inferno::Test
+    title 'Validates token response correctly'
+    id :udap_security_token_response_validation
+    description %(
+      Client validates the Token Response as per RFC 6749 and OIDC Core specifications, including:
+      - Ensuring the presence of `access_token` and `token_type` parameters.
+      - Validating the response structure and data integrity.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@283',
+                          'hl7.fhir.us.udap-security_1.0.0@284',
+                          'hl7.fhir.us.udap-security_1.0.0@285'
+
+    input :token_response_validation_correct,
+          title: 'ID Token and Access Token Validation: Validates token response correctly',
+          description: %(
+            I attest that the Client validates the Token Response as per RFC 6749 and OIDC Core specifications,
+            including:
+            - Ensuring the presence of `access_token` and `token_type` parameters.
+            - Validating the response structure and data integrity.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :token_response_validation_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert token_response_validation_correct == 'true',
+             'Token Response validation is not implemented correctly as per RFC 6749 and OIDC Core specifications.'
+      pass token_response_validation_note if token_response_validation_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group.rb

@@ -0,0 +1,15 @@
+require_relative 'id_token_access_token_validation_group/id_token_validation_test'
+require_relative 'id_token_access_token_validation_group/access_token_validation_test'
+require_relative 'id_token_access_token_validation_group/token_response_validation_test'
+
+module UDAPSecurityTestKit
+  class IDTokenAccessTokenValidationAttestationGroup < Inferno::TestGroup
+    id :udap_server_v100_id_token_access_token_validation_group
+    title 'ID Token and Access Token Validation'
+
+    run_as_group
+    test from: :udap_security_id_token_validation
+    test from: :udap_security_access_token_validation
+    test from: :udap_security_token_response_validation
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb

@@ -0,0 +1,45 @@
+module UDAPSecurityTestKit
+  class IdPAuthenticationRequestAttestationTest < Inferno::Test
+    title 'Performs Authentication request to the IdP’s authorization endpoint'
+    id :udap_security_idp_authentication_request
+    description %(
+      Data Holder makes an authentication request to the IdP’s authorization endpoint when the IdP is trusted.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@245'
+
+    input :idp_authentication_request_correct,
+          title: %(
+            Interaction with Identity Providers (IdPs): Performs Authentication request to the IdP’s authorization
+            endpoint
+          ),
+          description: %(
+            I attest that the Data Holder makes an authentication request to the IdP’s authorization endpoint when the
+            IdP is trusted.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :idp_authentication_request_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert idp_authentication_request_correct == 'true',
+             'Data Holder does not make an authentication request to the IdP’s authorization endpoint when the IdP
+              is trusted.'
+      pass idp_authentication_request_note if idp_authentication_request_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb

@@ -0,0 +1,45 @@
+module UDAPSecurityTestKit
+  class IdPDynamicRegistrationAttestationTest < Inferno::Test
+    title 'Performs IdP dynamic registration if supported'
+    id :udap_security_idp_dynamic_registration
+    description %(
+      Data Holder registers as a client with the IdP if:
+      - The IdP is trusted.
+      - The IdP supports UDAP Dynamic Registration.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@239'
+
+    input :idp_dynamic_registration_correct,
+          title: 'Interaction with Identity Providers (IdPs): Performs IdP dynamic registration if supported',
+          description: %(
+            I attest that the Data Holder registers as a client with the IdP if:
+            - The IdP is trusted.
+            - The IdP supports UDAP Dynamic Registration.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :idp_dynamic_registration_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert idp_dynamic_registration_correct == 'true',
+             'Data Holder does not register as a client with the IdP when it is trusted and supports
+              UDAP Dynamic Registration.'
+      pass idp_dynamic_registration_note if idp_dynamic_registration_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb

@@ -0,0 +1,44 @@
+module UDAPSecurityTestKit
+  class IdPMetadataValidationAttestationTest < Inferno::Test
+    title 'Validates IdP metadata to determine trust'
+    id :udap_security_idp_metadata_validation
+    description %(
+      Data Holder validates the IdP’s UDAP metadata to determine trustworthiness, including:
+      - Verifying the authenticity of the metadata.
+      - Ensuring the metadata meets UDAP specifications.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@238'
+
+    input :idp_metadata_validation_correct,
+          title: 'Interaction with Identity Providers (IdPs): Validates IdP metadata to determine trust',
+          description: %(
+            I attest that the Data Holder validates the IdP’s UDAP metadata to determine trustworthiness, including:
+            - Verifying the authenticity of the metadata.
+            - Ensuring the metadata meets UDAP specifications.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :idp_metadata_validation_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert idp_metadata_validation_correct == 'true',
+             'Data Holder does not validate the IdP’s UDAP metadata to determine trustworthiness.'
+      pass idp_metadata_validation_note if idp_metadata_validation_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb

@@ -0,0 +1,46 @@
+module UDAPSecurityTestKit
+  class IdPTokenExchangeAttestationTest < Inferno::Test
+    title 'Exchanges code for tokens after successful authentication response'
+    id :udap_security_idp_token_exchange
+    description %(
+      Data Holder exchanges the authorization code for tokens after receiving a successful
+      authentication response from the IdP.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@279'
+
+    input :idp_token_exchange_correct,
+          title: %(
+            'Interaction with Identity Providers (IdPs): Exchanges code for tokens after successful
+             authentication response'
+          ),
+          description: %(
+            I attest that the Data Holder exchanges the authorization code for tokens after receiving a
+            successful authentication response from the IdP.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :idp_token_exchange_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert idp_token_exchange_correct == 'true',
+             'Data Holder does not exchange the authorization code for tokens after receiving a successful
+             authentication response from the IdP.'
+      pass idp_token_exchange_note if idp_token_exchange_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group.rb

@@ -0,0 +1,17 @@
+require_relative 'identity_provider_interaction_group/idp_authentication_request_test'
+require_relative 'identity_provider_interaction_group/idp_dynamic_registration_test'
+require_relative 'identity_provider_interaction_group/idp_metadata_validation_test'
+require_relative 'identity_provider_interaction_group/idp_token_exchange_test'
+
+module UDAPSecurityTestKit
+  class IdentityProviderInteractionAttestationGroup < Inferno::TestGroup
+    id :udap_server_v100_identity_provider_interaction_group
+    title 'Interaction with Identity Providers (IdPs)'
+
+    run_as_group
+    test from: :udap_security_idp_metadata_validation
+    test from: :udap_security_idp_dynamic_registration
+    test from: :udap_security_idp_authentication_request
+    test from: :udap_security_idp_token_exchange
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_certificate_chain_validation_test.rb

@@ -0,0 +1,36 @@
+module UDAPSecurityTestKit
+  class JwtCertificateChainValidationAttestationTest < Inferno::Test
+    title 'Builds and validates trusted certificate chain for x5c'
+    id :udap_security_jwt_certificate_chain_validation
+    description %(
+      The Authorization Server builds and validates a trusted certificate chain for the certificates in
+      the x5c parameter of the JOSE header on Authentication Tokens in token requests.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@176'
+
+    input :jwt_certificate_chain_validation_correct,
+          title: 'JWT/Token Validation and Security: Builds and validates trusted certificate chain for x5c',
+          description: %(
+            I attest that the Authorization Server builds and validates a trusted certificate chain for the
+            certificates in the x5c parameter of the JOSE header on Authentication Tokens in token requests.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :jwt_certificate_chain_validation_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert jwt_certificate_chain_validation_correct == 'true',
+             'The Authorization Server does not build and validate a trusted certificate chain for x5c certificates.'
+      pass jwt_certificate_chain_validation_note if jwt_certificate_chain_validation_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_grant_parameter_validation_test.rb

@@ -0,0 +1,36 @@
+module UDAPSecurityTestKit
+  class JwtGrantParameterValidationAttestationTest < Inferno::Test
+    title 'Authorization Server validates parameters per grant mechanism'
+    id :udap_security_jwt_grant_parameter_validation
+    description %(
+      The Authorization Server validates all other parameters in the token request as per the
+      requirements of the grant mechanism identified by the grant_type value.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@182'
+
+    input :jwt_grant_parameter_validation_correct,
+          title: 'JWT/Token Validation and Security: Parameter validation per grant mechanism',
+          description: %(
+            I attest that the Authorization Server validates all other parameters in the token request
+            as per the requirements of the grant mechanism identified by the grant_type value.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :jwt_grant_parameter_validation_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert jwt_grant_parameter_validation_correct == 'true',
+             'The Authorization Server does not validate parameters as required by the grant mechanism.'
+      pass jwt_grant_parameter_validation_note if jwt_grant_parameter_validation_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_jti_reuse_test.rb

@@ -0,0 +1,35 @@
+module UDAPSecurityTestKit
+  class JwtJtiReuseAttestationTest < Inferno::Test
+    title 'Does not reuse JWT `jti` value before expiry'
+    id :udap_security_jwt_jti_reuse
+    description %(
+      The server does not reuse a `jti` value in another JWT before the time specified in the `exp` claim has passed.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@56'
+
+    input :jwt_jti_reuse_correct,
+          title: 'JWT/Token Validation and Security: Does not reuse JWT `jti` value before expiry',
+          description: %(
+            I attest that the server does not reuse a `jti` value in another JWT before the time specified in the `exp`
+            claim has passed.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :jwt_jti_reuse_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert jwt_jti_reuse_correct == 'true',
+             'The server reuses a `jti` value in another JWT before the `exp` time has passed.'
+      pass jwt_jti_reuse_note if jwt_jti_reuse_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_signature_validation_test.rb

@@ -0,0 +1,36 @@
+module UDAPSecurityTestKit
+  class JwtSignatureValidationAttestationTest < Inferno::Test
+    title 'Validates JWT signature using public key from x5c parameter'
+    id :udap_security_jwt_signature_validation
+    description %(
+      The Authorization Server validates the digital signature on the Authentication Token using the public key
+      extracted from the first certificate in the x5c parameter of the JOSE header.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@173'
+
+    input :jwt_signature_validation_correct,
+          title: 'JWT/Token Validation and Security: Validates JWT signature using public key from x5c parameter',
+          description: %(
+            I attest that the Authorization Server validates the digital signature on the Authentication Token
+            using the public key extracted from the first certificate in the x5c parameter of the JOSE header.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :jwt_signature_validation_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert jwt_signature_validation_correct == 'true',
+             'The Authorization Server does not validate the JWT signature using the x5c public key.'
+      pass jwt_signature_validation_note if jwt_signature_validation_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_token_request_validation_test.rb

@@ -0,0 +1,43 @@
+module UDAPSecurityTestKit
+  class JwtTokenRequestValidationAttestationTest < Inferno::Test
+    title 'Validates and responds to token requests per UDAP JWT-Based Client Authentication'
+    id :udap_security_jwt_token_request_validation
+    description %(
+      The Authorization Server validates and responds to token requests containing Authentication Tokens
+      as per [Sections 6 and 7 of UDAP JWT-Based Client Authentication](https://www.udap.org/udap-jwt-client-auth.html).
+    )
+    verifies_requirements(
+      'hl7.fhir.us.udap-security_1.0.0@172',
+      'hl7.fhir.us.udap-security_1.0.0@229'
+    )
+
+    input :jwt_token_request_validation_correct,
+          title: %(
+            JWT/Token Validation and Security: Validates and responds to token requests per UDAP JWT-Based
+            Client Authentication
+          ),
+          description: %(
+            I attest that the Authorization Server validates and responds to token requests containing
+            Authentication Tokens as per [Sections 6 and 7 of UDAP JWT-Based Client Authentication](https://www.udap.org/udap-jwt-client-auth.html).
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :jwt_token_request_validation_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert jwt_token_request_validation_correct == 'true',
+             'The Authorization Server does not validate and respond to token requests as per UDAP JWT-Based
+              Client Authentication.'
+      pass jwt_token_request_validation_note if jwt_token_request_validation_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group.rb

@@ -0,0 +1,19 @@
+require_relative 'jwt_security_group/jwt_certificate_chain_validation_test'
+require_relative 'jwt_security_group/jwt_grant_parameter_validation_test'
+require_relative 'jwt_security_group/jwt_jti_reuse_test'
+require_relative 'jwt_security_group/jwt_signature_validation_test'
+require_relative 'jwt_security_group/jwt_token_request_validation_test'
+
+module UDAPSecurityTestKit
+  class JWTSecurityGroup < Inferno::TestGroup
+    id :udap_server_v100_jwt_security_group
+    title 'JWT/Token Validation and Security'
+
+    run_as_group
+    test from: :udap_security_jwt_token_request_validation
+    test from: :udap_security_jwt_signature_validation
+    test from: :udap_security_jwt_jti_reuse
+    test from: :udap_security_jwt_grant_parameter_validation
+    test from: :udap_security_jwt_certificate_chain_validation
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb

@@ -0,0 +1,43 @@
+module UDAPSecurityTestKit
+  class UDAPAuthorizationExtensionsRequiredAttestationTest < Inferno::Test
+    title 'Includes required authorization extensions'
+    id :udap_security_authorization_extensions_required
+    description %(
+      Server's UDAP metadata includes the `udap_authorization_extensions_required` list with `["hl7-b2b"]`
+      if the Authorization Server requires the B2B Authorization Extension Object.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@32'
+
+    input :udap_authorization_extensions_required_correct,
+          title: 'UDAP Metadata and Server Capabilities: Includes required authorization extensions',
+          description: %(
+            I attest that the server's UDAP metadata includes the `udap_authorization_extensions_required` list
+            with `["hl7-b2b"]` if the Authorization Server requires the B2B Authorization Extension Object.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :udap_authorization_extensions_required_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert udap_authorization_extensions_required_correct == 'true',
+             'Server metadata does not include the `udap_authorization_extensions_required` list with `["hl7-b2b"]`
+              when required.'
+      pass udap_authorization_extensions_required_note if udap_authorization_extensions_required_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb

@@ -0,0 +1,44 @@
+module UDAPSecurityTestKit
+  class CommunityParameterSupportAttestationTest < Inferno::Test
+    title 'Supports community parameter correctly'
+    id :udap_security_community_parameter_support
+    description %(
+      Server supports the `community` parameter correctly by selecting a certificate intended for use within the
+      identified trust community when generating the signed JWT for the `signed_metadata` element.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@62'
+
+    input :community_parameter_support_correct,
+          title: 'UDAP Metadata and Server Capabilities: Supports community parameter correctly',
+          description: %(
+            I attest that the server supports the `community` parameter correctly by selecting a certificate intended
+            for use within the identified trust community when generating the signed JWT for the `signed_metadata`
+            element.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :community_parameter_support_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert community_parameter_support_correct == 'true',
+             'Server does not correctly support the `community` parameter when generating the signed JWT for the
+             `signed_metadata` element.'
+      pass community_parameter_support_note if community_parameter_support_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb

@@ -0,0 +1,43 @@
+module UDAPSecurityTestKit
+  class UDAPMetadataEndpointErrorHandlingAttestationTest < Inferno::Test
+    title 'Handles unsupported workflows correctly'
+    id :udap_security_metadata_error_handling
+    description %(
+      Server's UDAP metadata endpoint correctly handles unsupported workflows by returning a `404 Not Found` response
+      when no UDAP workflows are supported.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@19'
+
+    input :udap_metadata_error_handling_correct,
+          title: 'UDAP Metadata and Server Capabilities: Handles unsupported workflows correctly',
+          description: %(
+            I attest that the server's UDAP metadata endpoint correctly handles unsupported workflows by returning a
+            `404 Not Found` response when no UDAP workflows are supported.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :udap_metadata_error_handling_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert udap_metadata_error_handling_correct == 'true',
+             'Server metadata endpoint did not correctly handle unsupported workflows by returning a
+             `404 Not Found` response.'
+      pass udap_metadata_error_handling_note if udap_metadata_error_handling_note.present?
+    end
+  end
+end