udap_security_test_kit 0.11.6 → 0.12.0

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group.rb

@@ -0,0 +1,17 @@
+require_relative 'identity_provider_interaction_group/idp_authentication_request_test'
+require_relative 'identity_provider_interaction_group/idp_dynamic_registration_test'
+require_relative 'identity_provider_interaction_group/idp_metadata_validation_test'
+require_relative 'identity_provider_interaction_group/idp_token_exchange_test'
+
+module UDAPSecurityTestKit
+  class IdentityProviderInteractionAttestationGroup < Inferno::TestGroup
+    id :udap_server_v100_identity_provider_interaction_group
+    title 'Interaction with Identity Providers (IdPs)'
+
+    run_as_group
+    test from: :udap_security_idp_metadata_validation
+    test from: :udap_security_idp_dynamic_registration
+    test from: :udap_security_idp_authentication_request
+    test from: :udap_security_idp_token_exchange
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_certificate_chain_validation_test.rb

@@ -0,0 +1,36 @@
+module UDAPSecurityTestKit
+  class JwtCertificateChainValidationAttestationTest < Inferno::Test
+    title 'Builds and validates trusted certificate chain for x5c'
+    id :udap_security_jwt_certificate_chain_validation
+    description %(
+      The Authorization Server builds and validates a trusted certificate chain for the certificates in
+      the x5c parameter of the JOSE header on Authentication Tokens in token requests.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@176'
+
+    input :jwt_certificate_chain_validation_correct,
+          title: 'JWT/Token Validation and Security: Builds and validates trusted certificate chain for x5c',
+          description: %(
+            I attest that the Authorization Server builds and validates a trusted certificate chain for the
+            certificates in the x5c parameter of the JOSE header on Authentication Tokens in token requests.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :jwt_certificate_chain_validation_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert jwt_certificate_chain_validation_correct == 'true',
+             'The Authorization Server does not build and validate a trusted certificate chain for x5c certificates.'
+      pass jwt_certificate_chain_validation_note if jwt_certificate_chain_validation_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_grant_parameter_validation_test.rb

@@ -0,0 +1,36 @@
+module UDAPSecurityTestKit
+  class JwtGrantParameterValidationAttestationTest < Inferno::Test
+    title 'Authorization Server validates parameters per grant mechanism'
+    id :udap_security_jwt_grant_parameter_validation
+    description %(
+      The Authorization Server validates all other parameters in the token request as per the
+      requirements of the grant mechanism identified by the grant_type value.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@182'
+
+    input :jwt_grant_parameter_validation_correct,
+          title: 'JWT/Token Validation and Security: Parameter validation per grant mechanism',
+          description: %(
+            I attest that the Authorization Server validates all other parameters in the token request
+            as per the requirements of the grant mechanism identified by the grant_type value.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :jwt_grant_parameter_validation_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert jwt_grant_parameter_validation_correct == 'true',
+             'The Authorization Server does not validate parameters as required by the grant mechanism.'
+      pass jwt_grant_parameter_validation_note if jwt_grant_parameter_validation_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_jti_reuse_test.rb

@@ -0,0 +1,35 @@
+module UDAPSecurityTestKit
+  class JwtJtiReuseAttestationTest < Inferno::Test
+    title 'Does not reuse JWT `jti` value before expiry'
+    id :udap_security_jwt_jti_reuse
+    description %(
+      The server does not reuse a `jti` value in another JWT before the time specified in the `exp` claim has passed.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@56'
+
+    input :jwt_jti_reuse_correct,
+          title: 'JWT/Token Validation and Security: Does not reuse JWT `jti` value before expiry',
+          description: %(
+            I attest that the server does not reuse a `jti` value in another JWT before the time specified in the `exp`
+            claim has passed.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :jwt_jti_reuse_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert jwt_jti_reuse_correct == 'true',
+             'The server reuses a `jti` value in another JWT before the `exp` time has passed.'
+      pass jwt_jti_reuse_note if jwt_jti_reuse_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_signature_validation_test.rb

@@ -0,0 +1,36 @@
+module UDAPSecurityTestKit
+  class JwtSignatureValidationAttestationTest < Inferno::Test
+    title 'Validates JWT signature using public key from x5c parameter'
+    id :udap_security_jwt_signature_validation
+    description %(
+      The Authorization Server validates the digital signature on the Authentication Token using the public key
+      extracted from the first certificate in the x5c parameter of the JOSE header.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@173'
+
+    input :jwt_signature_validation_correct,
+          title: 'JWT/Token Validation and Security: Validates JWT signature using public key from x5c parameter',
+          description: %(
+            I attest that the Authorization Server validates the digital signature on the Authentication Token
+            using the public key extracted from the first certificate in the x5c parameter of the JOSE header.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :jwt_signature_validation_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert jwt_signature_validation_correct == 'true',
+             'The Authorization Server does not validate the JWT signature using the x5c public key.'
+      pass jwt_signature_validation_note if jwt_signature_validation_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_token_request_validation_test.rb

@@ -0,0 +1,43 @@
+module UDAPSecurityTestKit
+  class JwtTokenRequestValidationAttestationTest < Inferno::Test
+    title 'Validates and responds to token requests per UDAP JWT-Based Client Authentication'
+    id :udap_security_jwt_token_request_validation
+    description %(
+      The Authorization Server validates and responds to token requests containing Authentication Tokens
+      as per [Sections 6 and 7 of UDAP JWT-Based Client Authentication](https://www.udap.org/udap-jwt-client-auth.html).
+    )
+    verifies_requirements(
+      'hl7.fhir.us.udap-security_1.0.0@172',
+      'hl7.fhir.us.udap-security_1.0.0@229'
+    )
+
+    input :jwt_token_request_validation_correct,
+          title: %(
+            JWT/Token Validation and Security: Validates and responds to token requests per UDAP JWT-Based
+            Client Authentication
+          ),
+          description: %(
+            I attest that the Authorization Server validates and responds to token requests containing
+            Authentication Tokens as per [Sections 6 and 7 of UDAP JWT-Based Client Authentication](https://www.udap.org/udap-jwt-client-auth.html).
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :jwt_token_request_validation_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert jwt_token_request_validation_correct == 'true',
+             'The Authorization Server does not validate and respond to token requests as per UDAP JWT-Based
+              Client Authentication.'
+      pass jwt_token_request_validation_note if jwt_token_request_validation_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group.rb

@@ -0,0 +1,19 @@
+require_relative 'jwt_security_group/jwt_certificate_chain_validation_test'
+require_relative 'jwt_security_group/jwt_grant_parameter_validation_test'
+require_relative 'jwt_security_group/jwt_jti_reuse_test'
+require_relative 'jwt_security_group/jwt_signature_validation_test'
+require_relative 'jwt_security_group/jwt_token_request_validation_test'
+
+module UDAPSecurityTestKit
+  class JWTSecurityGroup < Inferno::TestGroup
+    id :udap_server_v100_jwt_security_group
+    title 'JWT/Token Validation and Security'
+
+    run_as_group
+    test from: :udap_security_jwt_token_request_validation
+    test from: :udap_security_jwt_signature_validation
+    test from: :udap_security_jwt_jti_reuse
+    test from: :udap_security_jwt_grant_parameter_validation
+    test from: :udap_security_jwt_certificate_chain_validation
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb

@@ -0,0 +1,43 @@
+module UDAPSecurityTestKit
+  class UDAPAuthorizationExtensionsRequiredAttestationTest < Inferno::Test
+    title 'Includes required authorization extensions'
+    id :udap_security_authorization_extensions_required
+    description %(
+      Server's UDAP metadata includes the `udap_authorization_extensions_required` list with `["hl7-b2b"]`
+      if the Authorization Server requires the B2B Authorization Extension Object.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@32'
+
+    input :udap_authorization_extensions_required_correct,
+          title: 'UDAP Metadata and Server Capabilities: Includes required authorization extensions',
+          description: %(
+            I attest that the server's UDAP metadata includes the `udap_authorization_extensions_required` list
+            with `["hl7-b2b"]` if the Authorization Server requires the B2B Authorization Extension Object.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :udap_authorization_extensions_required_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert udap_authorization_extensions_required_correct == 'true',
+             'Server metadata does not include the `udap_authorization_extensions_required` list with `["hl7-b2b"]`
+              when required.'
+      pass udap_authorization_extensions_required_note if udap_authorization_extensions_required_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb

@@ -0,0 +1,44 @@
+module UDAPSecurityTestKit
+  class CommunityParameterSupportAttestationTest < Inferno::Test
+    title 'Supports community parameter correctly'
+    id :udap_security_community_parameter_support
+    description %(
+      Server supports the `community` parameter correctly by selecting a certificate intended for use within the
+      identified trust community when generating the signed JWT for the `signed_metadata` element.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@62'
+
+    input :community_parameter_support_correct,
+          title: 'UDAP Metadata and Server Capabilities: Supports community parameter correctly',
+          description: %(
+            I attest that the server supports the `community` parameter correctly by selecting a certificate intended
+            for use within the identified trust community when generating the signed JWT for the `signed_metadata`
+            element.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :community_parameter_support_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert community_parameter_support_correct == 'true',
+             'Server does not correctly support the `community` parameter when generating the signed JWT for the
+             `signed_metadata` element.'
+      pass community_parameter_support_note if community_parameter_support_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb

@@ -0,0 +1,43 @@
+module UDAPSecurityTestKit
+  class UDAPMetadataEndpointErrorHandlingAttestationTest < Inferno::Test
+    title 'Handles unsupported workflows correctly'
+    id :udap_security_metadata_error_handling
+    description %(
+      Server's UDAP metadata endpoint correctly handles unsupported workflows by returning a `404 Not Found` response
+      when no UDAP workflows are supported.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@19'
+
+    input :udap_metadata_error_handling_correct,
+          title: 'UDAP Metadata and Server Capabilities: Handles unsupported workflows correctly',
+          description: %(
+            I attest that the server's UDAP metadata endpoint correctly handles unsupported workflows by returning a
+            `404 Not Found` response when no UDAP workflows are supported.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :udap_metadata_error_handling_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert udap_metadata_error_handling_correct == 'true',
+             'Server metadata endpoint did not correctly handle unsupported workflows by returning a
+             `404 Not Found` response.'
+      pass udap_metadata_error_handling_note if udap_metadata_error_handling_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb

@@ -0,0 +1,42 @@
+module UDAPSecurityTestKit
+  class UDAPMetadataRepresentationAttestationTest < Inferno::Test
+    title 'Represents server capabilities correctly'
+    id :udap_security_metadata_representation
+    description %(
+      Server's UDAP metadata endpoint correctly represents the server’s capabilities with respect to the UDAP
+      workflows described in the guide.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@18'
+
+    input :udap_metadata_representation_correct,
+          title: 'UDAP Metadata and Server Capabilities: Represents server capabilities correctly',
+          description: %(
+            I attest that the server's UDAP metadata endpoint correctly represents the server’s capabilities with
+            respect to the UDAP workflows described in the guide.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :udap_metadata_representation_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert udap_metadata_representation_correct == 'true',
+             'Server metadata does not correctly represent the server’s capabilities with respect to UDAP workflows.'
+      pass udap_metadata_representation_note if udap_metadata_representation_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb

@@ -0,0 +1,43 @@
+module UDAPSecurityTestKit
+  class UDAPProfilesSupportedAttestationTest < Inferno::Test
+    title 'Includes supported profiles'
+    id :udap_security_profiles_supported
+    description %(
+      Server's UDAP metadata includes the `udap_profiles_supported` element with `udap_to` if the
+      server supports the user authentication workflow described in Section 6.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@27'
+
+    input :udap_profiles_supported_correct,
+          title: 'UDAP Metadata and Server Capabilities: Includes supported profiles',
+          description: %(
+            I attest that the server's UDAP metadata includes the `udap_profiles_supported` element with `udap_to`
+            if the server supports the user authentication workflow described in Section 6.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :udap_profiles_supported_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert udap_profiles_supported_correct == 'true',
+             'Server metadata does not include the `udap_profiles_supported` element with `udap_to` for UDAP
+             Tiered OAuth for User Authentication.'
+      pass udap_profiles_supported_note if udap_profiles_supported_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group.rb

@@ -0,0 +1,19 @@
+require_relative 'metadata_server_capabilities_group/udap_authorization_extensions_required_test'
+require_relative 'metadata_server_capabilities_group/udap_community_parameter_support_test'
+require_relative 'metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test'
+require_relative 'metadata_server_capabilities_group/udap_metadata_representation_test'
+require_relative 'metadata_server_capabilities_group/udap_profiles_supported_test'
+
+module UDAPSecurityTestKit
+  class MetadataServerCapabilitiesAttestationGroup < Inferno::TestGroup
+    id :udap_server_v100_metadata_server_capabilities_group
+    title 'UDAP Metadata and Server Capabilities'
+
+    run_as_group
+    test from: :udap_security_authorization_extensions_required
+    test from: :udap_security_community_parameter_support
+    test from: :udap_security_metadata_error_handling
+    test from: :udap_security_metadata_representation
+    test from: :udap_security_profiles_supported
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb

@@ -0,0 +1,49 @@
+module UDAPSecurityTestKit
+  class CSRFProtectionAttestationTest < Inferno::Test
+    title 'Implements CSRF and Clickjacking protection'
+    id :udap_security_csrf_protection
+    description %(
+      Authorization Server implements CSRF and Clickjacking protection as
+      described in [RFC6749](https://openid.net/specs/openid-connect-core-1_0.html#RFC6749),
+      including:
+      - Use of anti-CSRF tokens.
+      - Validation of `state` parameter to prevent cross-site request forgery.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@278',
+                          'hl7.fhir.us.udap-security_1.0.0@269'
+
+    input :csrf_protection_implemented,
+          title: 'Security Measures: Implements CSRF and Clickjacking protection',
+          description: %(
+            I attest that the Authorization Server implements CSRF and Clickjacking protection as
+            described in [RFC6749](https://openid.net/specs/openid-connect-core-1_0.html#RFC6749),
+            including:
+            - Use of anti-CSRF tokens.
+            - Validation of `state` parameter to prevent cross-site request forgery.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :csrf_protection_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert csrf_protection_implemented == 'true',
+             'Authorization Server does not implement CSRF protection as described in RFC6749.'
+      pass csrf_protection_note if csrf_protection_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/obtain_authorization_scopes_test.rb

@@ -0,0 +1,44 @@
+module UDAPSecurityTestKit
+  class ObtainAuthorizationScopesAttestationTest < Inferno::Test
+    title 'Obtains user authorization for requested scopes'
+    id :udap_security_user_authorization
+    description %(
+      Resource Holder, after mapping the authenticated user, obtains authorization from the user for the scopes
+      requested by the client app, if such authorization is required, as per Section [4.5 of UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html),
+      returning to the workflow defined in [Section 4.1](https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code)
+      or [Section 5.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code) of this
+      guide, for consumer-facing or B2B apps, respectively.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@297'
+
+    input :user_authorization_correct,
+          title: 'Security Measures: Obtains user authorization for requested scopes',
+          description: %(
+            I attest that the Resource Holder, after mapping the authenticated user, obtains authorization from the
+            user for the scopes requested by the client app, if such authorization is required, as per Section
+            [4.5 of UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html), returning to the workflow
+            defined in [Section 4.1](https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code)
+            or [Section 5.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code) of
+            this guide, for consumer-facing or B2B apps, respectively.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :user_authorization_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert user_authorization_correct == 'true',
+             'Resource Holder does not obtain user authorization for the requested scopes after mapping the
+              authenticated user.'
+      pass user_authorization_note if user_authorization_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/state_parameter_test.rb

@@ -0,0 +1,48 @@
+module UDAPSecurityTestKit
+  class StateParameterAttestationTest < Inferno::Test
+    title 'Manages state parameter securely'
+    id :udap_security_state_parameter_management
+    description %(
+      The Resource Holder:
+      - Generates its own random value for the state parameter (does not reuse the value provided by the Client App).
+      - Validates that the value of the state parameter in the query string matches the value it generated when the
+        user is redirected back from the IdP.
+      - Validates the value of the state parameter when receiving an error response from the IdP.
+    )
+    verifies_requirements(
+      'hl7.fhir.us.udap-security_1.0.0@254',
+      'hl7.fhir.us.udap-security_1.0.0@255',
+      'hl7.fhir.us.udap-security_1.0.0@270',
+      'hl7.fhir.us.udap-security_1.0.0@272'
+    )
+
+    input :state_parameter_management_correct,
+          title: 'Security Measures: Manages state parameter securely',
+          description: %(
+            I attest that the Resource Holder:
+            - Generates its own random value for the state parameter and does not reuse the value provided by the
+              Client App.
+            - Validates that the value of the state parameter in the query string matches the value it generated
+              when the user is redirected back from the IdP.
+            - Validates the value of the state parameter when receiving an error response from the IdP.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :state_parameter_management_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert state_parameter_management_correct == 'true',
+             'Resource Holder does not properly generate or validate the state parameter as required.'
+      pass state_parameter_management_note if state_parameter_management_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb

@@ -0,0 +1,47 @@
+module UDAPSecurityTestKit
+  class UnauthenticatedClientSecurityAttestationTest < Inferno::Test
+    title 'Considers security measures for unauthenticated clients'
+    id :udap_security_unauthenticated_clients
+    description %(
+        I attest that the Authorization Server considers security implications when interacting with unauthenticated
+        clients, including:
+        - Restricting access to sensitive endpoints.
+        - Implementing rate limiting or other protective measures.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@288'
+
+    input :unauthenticated_client_security_measures,
+          title: 'Security Measures: Considers security measures for unauthenticated clients',
+          description: %(
+            I attest that the Authorization Server considers security implications when interacting with unauthenticated
+            clients, including:
+            - Restricting access to sensitive endpoints.
+            - Implementing rate limiting or other protective measures.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :unauthenticated_client_security_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert unauthenticated_client_security_measures == 'true',
+             'Authorization Server does not consider security implications when interacting with unauthenticated
+              clients.'
+      pass unauthenticated_client_security_note if unauthenticated_client_security_note.present?
+    end
+  end
+end