udap_security_test_kit 0.9.0

data/lib/udap_security_test_kit/certs/InfernoCA.pem

@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGDzCCA/egAwIBAgIUHwBisiqxYRNYzDtSvNRPOu09emswDQYJKoZIhvcNAQEL
+BQAwgYYxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEQMA4GA1UEBwwHQmVkZm9y
+ZDEQMA4GA1UECgwHSW5mZXJubzEdMBsGA1UEAwwUSW5mZXJuby1VREFQLVJvb3Qt
+Q0ExJzAlBgkqhkiG9w0BCQEWGGluZmVybm9AZ3JvdXBzLm1pdHJlLm9yZzAeFw0y
+NDA4MTIyMzU4MDlaFw0zNDA4MTAyMzU4MDlaMIGGMQswCQYDVQQGEwJVUzELMAkG
+A1UECAwCTUExEDAOBgNVBAcMB0JlZGZvcmQxEDAOBgNVBAoMB0luZmVybm8xHTAb
+BgNVBAMMFEluZmVybm8tVURBUC1Sb290LUNBMScwJQYJKoZIhvcNAQkBFhhpbmZl
+cm5vQGdyb3Vwcy5taXRyZS5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQC3Hz72FU3I4PFztBPpeDX7augTiw5KKMzEQWoOtsyx8de0lXLDaY13SugL
+wCduDei5WYaHat3/eAWnsvGb2VQjQOpfUTvdwnmvUSTAZH+EB+IPy/Jk2AbXtgGv
+8GcLsmjpZNiePvCrcOT28j9tTAdO8gKaIOg0XpYq/Kdyyecr1jMINKgUMOyoi//R
+Qjzvx6dRq/YBegb2bEOe+YBUdo7EzAXZUAk48RelAq5b1vaqyhJeuOcxXxVCLjTi
+KN+Tje6FnmQkD/J7P05XlRFvoNxzp5X+92bcrZ+LcOjNy4wTxiT3f76e6DCMHRcM
+3QmhfU3cerv1pvb78peb0bKglzwdmquw+H6+UQrvmaCqCNWnVjmUzB1bgRxAc5YV
+p18kHzNnUAoXHMU6+ZVHqvrbtNEBHYI5NUrgOCVBpFCRf53qRtfQjSIfJrKEoKvC
+vidDeW0YWy5FILZ50g+Auo/JvPLVUzm+qENN+y/at3LZx27VEoyZpi18DqbWWYNa
++QnGow/rEf/fHRUrsTBhgttQ7/VhTr8M6KcsHLpqm7Ec6zPy6MvrFLowXsXWZGNq
+zhEb6YGHi9WzNDcsAILybRm4jDS07/1f1CJ6BJuQrPFDsVo4o0PhCsAWH5MqcL2V
+lKt/kfJxva83JoshB9zFNmtCdfuw/Mkl8i+OO5WR/vqIZNam9wIDAQABo3MwcTAd
+BgNVHQ4EFgQUNOqoPKju4u9y9JAuAfnSAcFbNKAwHwYDVR0jBBgwFoAUNOqoPKju
+4u9y9JAuAfnSAcFbNKAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAYYwEQYD
+VR0gBAowCDAGBgRVHSAAMA0GCSqGSIb3DQEBCwUAA4ICAQCbLfJy6q2r26iyKZ3x
+MNUorDfsiTWH8TspYBm6v3h4yn9U+9qbyBwsjCu0U2ns5VqHzw25jInW5FQbwZZV
+AiUYKNpn6gIWZKpWOaDYaMWB4Jv9BMLLsENkP6PM6XxAheBVj2WNrlXaOaBql7XQ
+pkZ9TpX56Vim86Jk999o4idi4CWyaoZHXtwOGyKkOPp0xghg9VAX2y2xLYdBzgSs
+JW9P8+WIeIIbz3mpSlq0Aqh9LjneKW9wfinYEO/IxsMpOqAV54VtWJ9tMZtR8e83
+tNihJuWJvhA2rWXffh1/uPv7uA3Yge/a5vf+VfJn5MoSPn4X8ZRaJMmUFnyyvyzD
+K4fxAV2dCBjOsQtEU4pIWKwS8BopLdOcoM8Wyth+0KpxpCDTPBY0idxqU/Dg0wBe
+8YQ/mAN+cVZy2U0BoXEKlW49+czQ1wKAv4rzDJFTZUTudG+r4LmNFDPXnoiMwhni
+XkgFz1NO4YucWXBestvBSDgQ2BPFF2TkcGZl7bLk+WiGAhA/SxtLvHjIKqXwGYHG
+m8C45sJ7h0h0zdmd3/ImHWRd6D99k5eFyX5O2qNoa6v6w5rRqE7gZCe/0yZVpdth
+hhXWl1vLHPiRE5N+vRgOW1i66Ly2I7WwX965erNDxEgNCvgsP84FjbMs/2Xnb3Be
+tsGvVZ6GCrAl5XejmwQBzyZQQw==
+-----END CERTIFICATE-----

data/lib/udap_security_test_kit/certs/TestClient.pem

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFcjCCA1qgAwIBAgIUbdCfB3IJ9bdOPGQVtxJHhMxUWv0wDQYJKoZIhvcNAQEL
+BQAwgYYxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEQMA4GA1UEBwwHQmVkZm9y
+ZDEQMA4GA1UECgwHSW5mZXJubzEdMBsGA1UEAwwUSW5mZXJuby1VREFQLVJvb3Qt
+Q0ExJzAlBgkqhkiG9w0BCQEWGGluZmVybm9AZ3JvdXBzLm1pdHJlLm9yZzAeFw0y
+NDA4MTIyMzU4MTBaFw0zNDA4MTAyMzU4MTBaMGExCzAJBgNVBAYTAlVTMQswCQYD
+VQQIDAJNQTEQMA4GA1UEBwwHQmVkZm9yZDEQMA4GA1UECgwHSW5mZXJubzEhMB8G
+A1UEAwwYVURBUCBFeGFtcGxlIFRlc3QgQ2xpZW50MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAnfqzJCyeFNRhlcsrUPiO2LQtudObDHUKj4Q7fkYPUf9X
+ecTMckfPKd8UJ7x8Vb5o1zmR3hsMoo1A7IkwBkmK2BXvxq243cCGO1q4w/jdL/EG
+DiIZjTr7qvkawyeh9cAaApOrBlD4gnOxB05GjingDZgiT7GqBwrpEB2XJ4tw4idS
+B3W9Rv0ynbgqPKgGw9hnEef+uNAvFIvSbfdz1n4xHNP0GuMuAX+edFCyxYFmDe74
+8pl3TH9dxkoM945r5tHmuJS9n1pXkTB9L5RVbqH77dIyOBobehHHpT4D3zjdSFmh
+fta5NnDi5/iqRcFz7FVO79jJIoAqN+mWBlVH0yyfYQIDAQABo4H7MIH4MC8GA1Ud
+EQQoMCaGJGh0dHBzOi8vaW5mZXJuby5jb20vdWRhcF9zZWN1cml0eS9hYzAxBgNV
+HSUEKjAoBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBDA6
+BgNVHR8EMzAxMC+gLaArhilodHRwczovL2luZmVybm8uY29tL21vY2tfY3JsX2Vu
+ZHBvaW50LmNybDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQU6Eo2
+HE37gpSaW9zBGf0t7XfYnfIwHwYDVR0jBBgwFoAUNOqoPKju4u9y9JAuAfnSAcFb
+NKAwDQYJKoZIhvcNAQELBQADggIBACh2uQ1Krkw6F3Gq0HG3ohCm2j1ynmLSJwGE
+HvPlkiBcs8RBPxZzJOZJBMxGmjTPga2Kt6zsBlmjLg++C7C5/8JruwrMtrBuTtHx
+Kky0Qw+YJm81IgATeDIU/qkJB8LcnHgkQbu3nyoyeKocx9XSW8nlEm4FkyREXxfC
+rSVCoc70GGg2vSnSkRikNjxwKGnHvmEDUOW2bBbbzvTGKlTKSIF50NiNPM3Fi7vF
+bOfi1aZh6m8IKVaI2KUXVFHco1qB3QDK5BUEimko+EyaWSZPvP83PE2+TIdapRrw
+HxQQJEr774GUNH1/hdW0qlP4u3CMMMAjS2H4dOsRYOOmgC6iEewFEBQqTRLkEfgP
+pMxYhGAVAmrglLLr4t+ZF9KOmifvB6f18qF352Bj1D0TMB+oLy67kFw3s2ah21la
+3Xm6hQt+M5mZ/EYZIOUPxMHtqVt5DSJdMENHO2cjcRARyeD/BGYnJqnf6yA1LL2V
+TK+jhC/C/Dcv0hHQnVWlUGlwoFMOOzfsr2K3mXYezAuHASP8LIAyjodPpd6cLQu2
+SZTVVobSebaNmZ2UeX8Bc9bcobM2bbVb2c3UeezEJWOpt5cSOeEScEiwkaktxD5p
+ix1K3KkIg2yDP176ILlVqBBA0X2FqTSSvFbTa5us3XIwkDfARJBpLnA7OfmsO61+
+Ij5io7+X
+-----END CERTIFICATE-----

data/lib/udap_security_test_kit/certs/TestClientPrivateKey.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCd+rMkLJ4U1GGV
+yytQ+I7YtC2505sMdQqPhDt+Rg9R/1d5xMxyR88p3xQnvHxVvmjXOZHeGwyijUDs
+iTAGSYrYFe/GrbjdwIY7WrjD+N0v8QYOIhmNOvuq+RrDJ6H1wBoCk6sGUPiCc7EH
+TkaOKeANmCJPsaoHCukQHZcni3DiJ1IHdb1G/TKduCo8qAbD2GcR5/640C8Ui9Jt
+93PWfjEc0/Qa4y4Bf550ULLFgWYN7vjymXdMf13GSgz3jmvm0ea4lL2fWleRMH0v
+lFVuofvt0jI4Ght6EcelPgPfON1IWaF+1rk2cOLn+KpFwXPsVU7v2MkigCo36ZYG
+VUfTLJ9hAgMBAAECggEAApTpPosYHkEGQztpvs4BD5uKL8I8g2yaOpQvoLWmZHGm
+zU+hA7EWuplxq+CRq5kL/5BqSNXqU/G5AOSRC1lCUpuxKm8GWWFfEDNAV7uGadUn
+gy2de0heeoHNpSjNpcV451fgcJ78IK2hU/w8fPBEQBSfYuwFWk4cVu4U3UmTE68I
+O7PpCdTjk70IOsLT8uBagAOw92Fj0mGU7agCdWfJ+LjPRUtg+PhVvODatL3taG+l
+FAParsomiRqKGINyn8vALXNISuBYHVDUzv93P10gG5rA2sJ7953/+++Hr9DoLpmL
+SH/q/LebFzPJ2u6KzLc6bam1YX0w/MSNTJVIxA5V/QKBgQDU+iFXdShLwvEXGVtb
+FdZuRk3XsN+yfkFyM9SZrmaLF2VBALkC5pd+rYkXSaTA/cbs623VOYpoJhVmjL8d
+VvTlN/G+8TzfdsmOlAXiOSiUn3VKM/Othu5l9k0AgylU8aXBWTUv5FzmV8gMn+/s
+9oOucAVFa60LdkR2d609y/tKnwKBgQC95Gviall3E/+7drT05KxPPGDKRUjhCLBe
+BNj2+ttSt4+v+E5v3K+LSd11VfGkvLkDvkhjiJlVamf+XgLne3TLrEThAKq8ySUr
+XKBRi+nfmisUHSrMGljHw500Rx+MR/LEpfEERMosLQWTrOTz5VG2RueVHbWbD622
+Witr8tnV/wKBgGDYUNr9GlLBFXJEhIc5ueUxMOp4sm/u+4Gb0fwEEvsCq3dQhdCs
+3IytCp69TR65B4DqWWpRHP/Y+XhFXg5QYVHuC46hEeYnlOWxp69EAJD8pZAVaaQp
+rDRPOJqYCe5nZ9Ew6H+bnybbGcur2qTtP9nNdIgpu2lv4RfhubRVEjLPAoGAXqzb
+SSii8GbNMwcNU6gLbPn6e/6tRl1RqZ6bGhCadxREFIUlfko2T6kFPDIcZ3kceYxO
+hSme4WJK9RykMAtygPWj5daySauz13m4CNBMS4qO/dlI9DgSmY6i+2SWixd4J6lg
+kDNH5VyREj66bAuigNG7NrJ4UBYyEt/EFG8hQrsCgYEAyLwk7f2Wgu9ykdwSrrQE
+TBK0iOVUcwPhxj1UbFyDxPdO0EspyKtIFD5w/sbBtQbJGSUFd7ZPoCsYkT2yAsDp
+3cI/ubRxA+/GaqUo84QxvJ4Uqdu8YS8C0FCEnhXGjA60Y5HFzufJF5EqfzwNctCr
+G0cRyX/4Ut4BNUcir/CRVL0=
+-----END PRIVATE KEY-----

data/lib/udap_security_test_kit/client_credentials_authentication_group.rb

@@ -0,0 +1,40 @@
+require_relative 'client_credentials_token_exchange_test'
+require_relative 'token_exchange_response_body_test'
+require_relative 'token_exchange_response_headers_test'
+
+module UDAPSecurityTestKit
+  class ClientCredentialsAuthenticationGroup < Inferno::TestGroup
+    title 'UDAP Client Credentials Authorization & Authentication'
+    description %(
+      This group tests the use of the client_credentials grant type to authenticate to an authorization server and
+      receive an access token, as described
+      in the [business-to-business (B2B) profile requirements](https://hl7.org/fhir/us/udap-security/STU1/b2b.html).
+    )
+    id :udap_client_credentials_authentication_group
+
+    test from: :udap_client_credentials_token_exchange,
+         config: {
+           requests: {
+             token_exchange: {
+               name: :client_credentials_token_exchange
+             }
+           }
+         }
+    test from: :udap_token_exchange_response_body,
+         config: {
+           inputs: {
+             token_response_body: {
+               name: :client_credentials_token_response_body
+             }
+           }
+         }
+    test from: :udap_token_exchange_response_headers,
+         config: {
+           requests: {
+             token_exchange: {
+               name: :client_credentials_token_exchange
+             }
+           }
+         }
+  end
+end

data/lib/udap_security_test_kit/client_credentials_group.rb

@@ -0,0 +1,105 @@
+require_relative 'dynamic_client_registration_group'
+require_relative 'discovery_group'
+require_relative 'client_credentials_authentication_group'
+
+module UDAPSecurityTestKit
+  class ClientCredentialsGroup < Inferno::TestGroup
+    title 'UDAP Client Credentials Flow'
+    description %(
+      This group tests UDAP servers that support JWT authentication using an OAuth2.0 client_credentials grant flow and
+       includes the following sub-groups.
+
+      1. Discovery Group
+      2. Dynamic Client Registration
+      3. Authorization and Authentication - supports only the [Business-to-Business (B2B)](https://hl7.org/fhir/us/udap-security/STU1/b2b.html)
+      profile in the UDAP IG
+    )
+    id :udap_client_credentials_group
+
+    input_instructions %(
+      **Discovery Tests**
+
+      #{DiscoveryGroup.discovery_group_input_instructions}
+
+      **Dynamic Client Registration Tests**
+
+      #{DynamicClientRegistrationGroup.dynamic_client_registration_input_instructions}
+    )
+
+    group from: :udap_discovery_group,
+          id: :auth_code_discovery_group,
+          run_as_group: true,
+          config: {
+            inputs: {
+              required_flow_type: {
+                name: :flow_type_client_creds,
+                title: 'Required OAuth2.0 Flow Type for Client Credentials Workflow',
+                optional: 'false',
+                default: ['client_credentials'],
+                locked: true
+              }
+            }
+          }
+
+    group from: :udap_dynamic_client_registration_group,
+          id: :client_creds_dcr_group,
+          run_as_group: true,
+          config: {
+            inputs: {
+              udap_registration_grant_type: {
+                name: :reg_grant_type_client_creds,
+                default: 'client_credentials',
+                locked: true
+              },
+              udap_client_cert_pem: {
+                name: :udap_client_cert_pem_client_creds_flow,
+                title: 'Client Credentials Client Certificate(s) (PEM Format)'
+              },
+              udap_client_private_key_pem: {
+                name: :udap_client_private_key_client_creds_flow,
+                title: 'Client Credentials Client Private Key (PEM Format)'
+              },
+              udap_cert_iss: {
+                name: :udap_cert_iss_client_creds_flow,
+                title: 'Client Credentials JWT Issuer (iss) Claim'
+              },
+              udap_registration_requested_scope: {
+                name: :udap_registration_scope_client_creds_flow,
+                title: 'Client Credentials Registration Requested Scope(s)',
+                description: %(
+                  String containing a space delimited list of scopes requested by the client application for use in
+                  subsequent requests. The Authorization Server MAY consider this list when deciding the scopes that it
+                  will allow the application to subsequently request. Apps requesting the "client_credentials" grant
+                  type SHOULD request system scopes.
+                )
+              },
+              udap_registration_certifications: {
+                name: :udap_registration_certifications_client_creds_flow,
+                title: 'Client Credentials UDAP Registration Certifications'
+              }
+            },
+            outputs: {
+              udap_client_cert_pem: {
+                name: :udap_client_cert_pem_client_creds_flow
+              },
+              udap_client_private_key_pem: {
+                name: :udap_client_private_key_client_creds_flow
+              },
+              udap_cert_iss: {
+                name: :udap_cert_iss_client_creds_flow
+              }
+            }
+          } do
+      input_order :udap_registration_endpoint,
+                  :reg_grant_type_client_creds,
+                  :udap_client_cert_pem_client_creds_flow,
+                  :udap_client_private_key_client_creds_flow,
+                  :udap_cert_iss_client_creds_flow,
+                  :udap_registration_scope_client_creds_flow,
+                  :udap_jwt_signing_alg, :udap_registration_certifications_client_creds_flow
+    end
+
+    group from: :udap_client_credentials_authentication_group,
+          run_as_group: true
+  end
+end

data/lib/udap_security_test_kit/client_credentials_token_exchange_test.rb

@@ -0,0 +1,130 @@
+require_relative 'udap_client_assertion_payload_builder'
+
+module UDAPSecurityTestKit
+  class ClientCredentialsTokenExchangeTest < Inferno::Test
+    title 'OAuth token exchange request succeeds when supplied correct information'
+    description %(
+      The [UDAP Security IG Section 5.2 on Obtaining an Access Token](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-access-token)
+      states the following:
+      - The client SHALL use its private key to sign an Authentication
+        Token ... and include this JWT in the
+        client_assertion parameter of its token request
+      - Client applications using the client credentials grant and
+        authenticating with a private key and
+        Authentication Token as per Section 5.2.1 SHALL submit a POST request to the Authorization Server’s token
+        endpoint
+      - An Authorization Server receiving token requests containin
+        Authentication Tokens as above SHALL validate and
+        respond to the request as per Sections 6 and 7 of UDAP JWT-Based Client Authentication.
+
+      Furthermore, the inclusion of an `extensions` claim in the Authentication JWT is required for B2B client apps
+      using the client credentials flow.  Inferno provides an extensions object with the following information:
+      - `'version'`: `'1'`
+      - `'subject_name'`: `'UDAP Test Kit'`
+      - `'organization_name'`: `'Inferno Framework'`
+      - `'organization_id'`: `'https://inferno-framework.github.io/'`
+      - `'purpose_of_use'`: `['SYSDEV']`
+
+      This test creates an authentication JWT, POSTs a token request to the server's token endpoint, and expects a 200
+      response.
+    )
+    id :udap_client_credentials_token_exchange
+
+    input :udap_client_id,
+          title: 'Client ID',
+          description: 'Client ID as registered with the authorization server.'
+
+    input :udap_token_endpoint,
+          title: 'Token Endpoint',
+          description: 'The full URL from which Inferno will request an access token'
+
+    input :udap_client_cert_pem_client_creds_flow,
+          title: 'X.509 Client Certificate(s) (PEM Format)',
+          type: 'textarea',
+          description: %(
+            A list of one or more X.509 certificates in PEM format separated by a newline. The first (leaf) certificate
+            MUST represent the client entity Inferno registered as,
+            and the trust chain that will be built from the provided certificate(s) must resolve to a CA trusted by the
+            authorization server under test.
+          )
+
+    input :udap_client_private_key_client_creds_flow,
+          type: 'textarea',
+          title: 'Client Private Key (PEM Format)',
+          description: 'The private key corresponding to the X.509 client certificate'
+
+    input :udap_jwt_signing_alg,
+          title: 'JWT Signing Algorithm',
+          description: %(
+            Algorithm used to sign UDAP JSON Web Tokens (JWTs). UDAP Implementations SHALL support
+            RS256.
+            ),
+          type: 'radio',
+          options: {
+            list_options: [
+              {
+                label: 'RS256',
+                value: 'RS256'
+              }
+            ]
+          },
+          default: 'RS256',
+          locked: true
+
+    output :token_retrieval_time
+    output :client_credentials_token_response_body
+    makes_request :token_exchange
+
+    run do
+      # SYSDEV purpose of use definition:
+      # "To perform one or more operations on information to design, develop
+      # implement, test, or deploy a healthcare system or application."
+      # See https://terminology.hl7.org/5.5.0/ValueSet-v3-PurposeOfUse.html
+      extensions = {
+        'hl7-b2b' => {
+          'version' => '1',
+          'subject_name' => 'UDAP Test Kit',
+          'organization_name' => 'Inferno Framework',
+          'organization_id' => 'https://inferno-framework.github.io/',
+          'purpose_of_use' => ['SYSDEV']
+        }
+      }
+
+      client_assertion_payload = UDAPClientAssertionPayloadBuilder.build(
+        udap_client_id,
+        udap_token_endpoint,
+        extensions.to_json
+      )
+
+      x5c_certs = UDAPJWTBuilder.split_user_input_cert_string(
+        udap_client_cert_pem_client_creds_flow
+      )
+
+      client_assertion_jwt = UDAPJWTBuilder.encode_jwt_with_x5c_header(
+        client_assertion_payload,
+        udap_client_private_key_client_creds_flow,
+        udap_jwt_signing_alg,
+        x5c_certs
+      )
+
+      token_exchange_headers, token_exchange_body = UDAPRequestBuilder.build_token_exchange_request(
+        client_assertion_jwt,
+        'client_credentials',
+        nil,
+        nil
+      )
+
+      post(udap_token_endpoint,
+           body: token_exchange_body,
+           name: :token_exchange,
+           headers: token_exchange_headers)
+
+      assert_response_status(200)
+      assert_valid_json(request.response_body)
+
+      output token_retrieval_time: Time.now.iso8601
+
+      output client_credentials_token_response_body: request.response_body
+    end
+  end
+end

data/lib/udap_security_test_kit/common_assertions.rb

@@ -0,0 +1,16 @@
+# Module for assertion methods that are used across multiple tests
+module CommonAssertions
+  extend Inferno::DSL::Assertions
+
+  def self.assert_array_of_strings(config, field)
+    values = config[field]
+
+    assert values.is_a?(Array), "`#{field}` should be an Array, but found #{values.class.name}"
+
+    non_string_values = values.reject { |value| value.is_a?(String) }
+
+    assert non_string_values.blank?,
+           "`#{field}` should be an Array of strings, but found
+            #{non_string_values.map(&:class).map(&:name).join(', ')}"
+  end
+end

data/lib/udap_security_test_kit/default_cert_file_loader.rb

@@ -0,0 +1,27 @@
+module UDAPSecurityTestKit
+  class DefaultCertFileLoader
+    def self.load_default_ca_pem_file
+      raw_cert = File.read(File.join(File.dirname(__FILE__), 'certs/InfernoCA.pem'))
+      cert = OpenSSL::X509::Certificate.new raw_cert
+      cert.to_pem
+    end
+
+    def self.load_default_ca_private_key_file
+      raw_key = File.read(File.join(File.dirname(__FILE__), 'certs/InfernoCA.key'))
+      private_key = OpenSSL::PKey::RSA.new raw_key
+      private_key.to_pem
+    end
+
+    def self.load_test_client_cert_pem_file
+      raw_cert = File.read(File.join(File.dirname(__FILE__), 'certs/TestClient.pem'))
+      cert = OpenSSL::X509::Certificate.new raw_cert
+      cert.to_pem
+    end
+
+    def self.load_test_client_private_key_file
+      raw_key = File.read(File.join(File.dirname(__FILE__), 'certs/TestClientPrivateKey.key'))
+      key = OpenSSL::PKey::RSA.new raw_key
+      key.to_pem
+    end
+  end
+end

data/lib/udap_security_test_kit/discovery_group.rb

@@ -0,0 +1,90 @@
+require 'jwt'
+require_relative 'authorization_endpoint_field_test'
+require_relative 'grant_types_supported_field_test'
+require_relative 'reg_endpoint_jwt_signing_alg_values_supported_field_test'
+require_relative 'registration_endpoint_field_test'
+require_relative 'scopes_supported_field_test'
+require_relative 'signed_metadata_contents_test'
+require_relative 'signed_metadata_field_test'
+require_relative 'token_endpoint_auth_methods_supported_field_test'
+require_relative 'token_endpoint_auth_signing_alg_values_supported_field_test'
+require_relative 'token_endpoint_field_test'
+require_relative 'udap_auth_extensions_required_field_test'
+require_relative 'udap_auth_extensions_supported_field_test'
+require_relative 'udap_certifications_required_field_test'
+require_relative 'udap_certifications_supported_field_test'
+require_relative 'udap_profiles_supported_field_test'
+require_relative 'udap_versions_supported_field_test'
+require_relative 'well_known_endpoint_test'
+require_relative 'signed_metadata_trust_verification_test'
+module UDAPSecurityTestKit
+  class DiscoveryGroup < Inferno::TestGroup
+    include Inferno::DSL::Assertions
+
+    title 'UDAP Discovery'
+    description %(
+      Verify that server configuration is made available and conforms with [the
+      discovery
+      requirements](https://hl7.org/fhir/us/udap-security/STU1/discovery.html).
+    )
+    id :udap_discovery_group
+
+    input :required_flow_type,
+          title: 'Required Supported OAuth2.0 Grant Type(s)',
+          description: 'Which grant type(s) must be supported per the returned Discovery metadata',
+          type: 'checkbox',
+          optional: 'true',
+          options: {
+            list_options: [
+              {
+                label: 'Authorization Code',
+                value: 'authorization_code'
+              },
+              {
+                label: 'Client Credentials',
+                value: 'client_credentials'
+              }
+            ]
+          }
+
+    def self.discovery_group_input_instructions
+      %(
+      Inferno currently does not support the use of the Authority Information Access (AIA) extension to access issuing
+      certificates.  As such, Inferno must be provided any intermediate server certificates needed to establish a
+      trust chain.  If the intermediate CAs are not included in the x5c header of the server's signed metadata JWT,
+      testers may include them along with the root CA as a trust anchor input.
+    )
+    end
+    input_instructions discovery_group_input_instructions
+
+    output :udap_registration_certficiations_required
+    output :udap_registration_endpoint
+    output :udap_registration_grant_type
+
+    test from: :udap_well_known_endpoint
+    test from: :udap_versions_supported_field
+    test from: :udap_grant_types_supported_field
+    test from: :udap_profiles_supported_field
+    test from: :udap_auth_extensions_supported_field
+    test from: :udap_auth_extensions_required_field
+    test from: :udap_certifications_supported_field
+    test from: :udap_certifications_required_field
+    test from: :udap_scopes_supported_field
+    test from: :udap_authorization_endpoint_field
+    test from: :udap_token_endpoint_field
+    test from: :udap_token_endpoint_auth_methods_supported_field
+    test from: :udap_token_endpoint_auth_signing_alg_values_supported_field
+    test from: :udap_registration_endpoint_field
+    test from: :udap_reg_endpoint_jwt_signing_alg_values_supported_field
+    test from: :udap_signed_metadata_field
+    test from: :udap_signed_metadata_contents
+    test from: :udap_signed_metadata_trust_verification, optional: true,
+         config: {
+           inputs: {
+             udap_server_trust_anchor_certs: {
+               optional: true
+             }
+           }
+         }
+  end
+end

data/lib/udap_security_test_kit/dynamic_client_registration_group.rb

@@ -0,0 +1,129 @@
+require_relative 'registration_failure_invalid_contents_test'
+require_relative 'registration_failure_invalid_jwt_signature_test'
+require_relative 'registration_success_test'
+require_relative 'registration_success_contents_test'
+
+module UDAPSecurityTestKit
+  class DynamicClientRegistrationGroup < Inferno::TestGroup
+    title 'UDAP Dynamic Client Registration'
+    description %(
+     Generate and sign a software statement to register the client with the authorization server as described in the
+     [dynamic client registration requirements](https://hl7.org/fhir/us/udap-security/STU1/registration.html).
+    )
+    id :udap_dynamic_client_registration_group
+
+    def self.dynamic_client_registration_input_instructions
+      %(
+      Testers must provide a client certificate and any additional CAs needed for the authorization server under test to
+      establish a trust chain.
+
+      Cancelling a UDAP client's registration is not a required server capability and as such the Inferno client has no
+      way of resetting state on the authorization server after a successful registration attempt.  Testers wishing to
+      run the Dynamic Client Registration tests more than once must do one of the following:
+      - Remove the Inferno test client's registration out-of-band before re-running tests, to register the original
+      client URI anew
+      - Specifiy a different client URI as the issuer input (if the client cert has more than one Subject Alternative
+      Name (SAN) URI entry), to register a different logical client with the original certificate
+      - Provide a different client certificate and its associated URI to register a new logical client
+    )
+    end
+
+    input_instructions dynamic_client_registration_input_instructions
+
+    input :udap_registration_endpoint,
+          title: 'UDAP Dynamic Client Registration Endpoint',
+          description: %(
+            The absolute URL of the dynamic client registration endpoint.
+          )
+
+    input :udap_registration_grant_type,
+          title: 'Client Registration Grant Type',
+          description: %(
+            The OAuth2.0 grant type for which this client will register itself. A given client may register as either
+             option, but not both.
+          ),
+          type: 'radio',
+          options: {
+            list_options: [
+              {
+                label: 'Authorization Code',
+                value: 'authorization_code'
+              },
+              {
+                label: 'Client Credentials',
+                value: 'client_credentials'
+              }
+            ]
+          }
+
+    input :udap_client_cert_pem,
+          title: 'X.509 Client Certificate(s) (PEM Format)',
+          description: %(
+            A list of one or more X.509 certificates in PEM format separated by a newline. The first (leaf) certificate
+            MUST represent the client entity Inferno will register as,
+            and the trust chain that will be built from the provided certificate(s) must resolve to a CA trusted by the
+            authorization server under test.
+          ),
+          type: 'textarea',
+          optional: false
+
+    input :udap_client_private_key_pem,
+          title: 'Client Private Key (PEM Format)',
+          description: %(
+          The private key corresponding to the client certificate used for registration, in PEM format.  Used to sign
+          registration and/or authentication JWTs.
+          ),
+          type: 'textarea',
+          optional: false
+
+    input :udap_cert_iss,
+          title: 'JWT Issuer (iss) Claim',
+          description: %(
+            MUST correspond to a unique URI entry in the Subject Alternative Name (SAN) extension of the client
+            certificate used for registration.
+          ),
+          optional: false
+
+    input :udap_jwt_signing_alg,
+          title: 'JWT Signing Algorithm',
+          description: %(
+            Algorithm used to sign UDAP JSON Web Tokens (JWTs). UDAP Implementations SHALL support
+            RS256.
+            ),
+          type: 'radio',
+          options: {
+            list_options: [
+              {
+                label: 'RS256',
+                value: 'RS256'
+              }
+            ]
+          },
+          default: 'RS256',
+          locked: true
+
+    input :udap_registration_requested_scope,
+          title: 'Scope(s) Requested',
+          description: %(
+            String containing a space delimited list of scopes requested by the client application for use in
+             subsequent requests. The Authorization Server MAY consider this list when deciding the scopes that it will
+            allow the application to subsequently request. Apps requesting the "client_credentials" grant type SHOULD
+            request system scopes; apps requesting
+            the "authorization_code" grant type SHOULD request user or patient scopes.
+          )
+
+    input :udap_registration_certifications,
+          title: 'UDAP Certifications',
+          description: %(
+            Additional UDAP certifications to include in registration request, if required by the authorization server.
+             Include a space separated list of strings representing a Base64-encoded, signed JWT.
+            ),
+          type: 'textarea',
+          optional: true
+
+    test from: :udap_registration_failure_invalid_contents
+    test from: :udap_registration_failure_invalid_jwt_signature
+    test from: :udap_registration_success
+    test from: :udap_registration_success_contents
+  end
+end