udap_security_test_kit 0.9.0

data/lib/udap_security_test_kit/software_statement_builder.rb

@@ -0,0 +1,32 @@
+require 'jwt'
+
+module UDAPSecurityTestKit
+  class SoftwareStatementBuilder
+    def self.build_payload(iss, aud, grant_type, scope)
+      if grant_type == 'authorization_code'
+        redirect_uris = ["#{Inferno::Application['base_url']}/custom/udap_security_test_kit/redirect"]
+        response_types = ['code']
+        client_name = 'Inferno UDAP Authorization Code Test Client'
+      elsif grant_type == 'client_credentials'
+        client_name = 'Inferno UDAP Client Credentials Test Client'
+      end
+
+      {
+        iss:,
+        sub: iss,
+        aud:,
+        exp: 5.minutes.from_now.to_i,
+        iat: Time.now.to_i,
+        jti: SecureRandom.hex(32),
+        client_name:,
+        redirect_uris:,
+        contacts: ['mailto:inferno@groups.mitre.org'],
+        logo_uri: 'https://inferno-framework.github.io/assets/inferno_logo.png',
+        grant_types: [grant_type],
+        response_types:,
+        token_endpoint_auth_method: 'private_key_jwt',
+        scope:
+      }.compact
+    end
+  end
+end

data/lib/udap_security_test_kit/token_endpoint_auth_methods_supported_field_test.rb

@@ -0,0 +1,22 @@
+module UDAPSecurityTestKit
+  class TokenEndpointAuthMethodsSupportedFieldTest < Inferno::Test
+    include Inferno::DSL::Assertions
+
+    title 'token_endpoint_auth_methods_supported field'
+    id :udap_token_endpoint_auth_methods_supported_field
+    description %(
+      `token_endpoint_auth_methods_supported` must contain a fixed
+      array with one string element: `["private_key_jwt"]`
+    )
+    input :udap_well_known_metadata_json
+
+    run do
+      assert_valid_json(udap_well_known_metadata_json)
+      config = JSON.parse(udap_well_known_metadata_json)
+
+      assert config['token_endpoint_auth_methods_supported'] == ['private_key_jwt'],
+             '`token_endpoint_auth_methods_supported` field must contain an array ' \
+             "with one string element 'private_key_jwt'"
+    end
+  end
+end

data/lib/udap_security_test_kit/token_endpoint_auth_signing_alg_values_supported_field_test.rb

@@ -0,0 +1,32 @@
+require_relative 'common_assertions'
+
+module UDAPSecurityTestKit
+  extend CommonAssertions
+  class TokenEndpointAuthSigningAlgValuesSupportedFieldTest < Inferno::Test
+    include Inferno::DSL::Assertions
+
+    title 'token_endpoint_auth_signing_alg_values_supported field'
+    id :udap_token_endpoint_auth_signing_alg_values_supported_field
+    description %(
+       `token_endpoint_auth_signing_alg_values_supported` is an
+        array of one or more strings identifying signature algorithms supported by the Authorization Server for
+         validation of signed JWTs submitted to the token endpoint for client authentication.
+      )
+
+    input :udap_well_known_metadata_json
+
+    run do
+      assert_valid_json(udap_well_known_metadata_json)
+      config = JSON.parse(udap_well_known_metadata_json)
+
+      assert config.key?('token_endpoint_auth_signing_alg_values_supported'),
+             '`token_endpoint_auth_signing_alg_values_supported` is a required field'
+
+      CommonAssertions.assert_array_of_strings(config, 'token_endpoint_auth_signing_alg_values_supported')
+
+      algs_supported = config['token_endpoint_auth_signing_alg_values_supported']
+
+      assert algs_supported.present?, 'Must support at least one signature algorithm'
+    end
+  end
+end

data/lib/udap_security_test_kit/token_endpoint_field_test.rb

@@ -0,0 +1,30 @@
+module UDAPSecurityTestKit
+  class TokenEndpointFieldTest < Inferno::Test
+    include Inferno::DSL::Assertions
+
+    title 'token_endpoint field'
+    id :udap_token_endpoint_field
+    description %(
+       `token_endpoint` is a string containing the URL of
+        the Authorization Server's token endpoint
+      )
+
+    input :udap_well_known_metadata_json
+    output :udap_token_endpoint
+
+    run do
+      assert_valid_json(udap_well_known_metadata_json)
+      config = JSON.parse(udap_well_known_metadata_json)
+
+      assert config.key?('token_endpoint'), '`token_endpoint` is a required field'
+
+      endpoint = config['token_endpoint']
+
+      assert endpoint.is_a?(String),
+             "`token_endpoint` should be a String, but found #{endpoint.class.name}"
+      assert_valid_http_uri(endpoint, "`#{endpoint}` is not a valid URI")
+
+      output udap_token_endpoint: endpoint
+    end
+  end
+end

data/lib/udap_security_test_kit/token_exchange_response_body_test.rb

@@ -0,0 +1,30 @@
+module UDAPSecurityTestKit
+  class TokenExchangeResponseBodyTest < Inferno::Test
+    title 'Token exchange response body contains required information encoded in JSON'
+    description %(
+      The [UDAP JWT-Based Client Authentication Profile, Section 7.1](https://www.udap.org/udap-jwt-client-auth.html)
+      states:
+      > If the (token exchange) request is approved, the Authorization Server returns a token response as per Section
+      5.1 of RFC 6749.
+
+      [RFC 6749 OAuth 2.0 Authorization Framework, Section 5.1](https://datatracker.ietf.org/doc/html/rfc6749#section-5.1)
+      lists the `access_token` and `token_type` parameters as REQUIRED.
+    )
+
+    id :udap_token_exchange_response_body
+
+    input :token_response_body
+
+    run do
+      assert_valid_json(token_response_body)
+      token_response_body_parsed = JSON.parse(token_response_body)
+
+      required_keys = ['access_token', 'token_type']
+
+      required_keys.each do |key|
+        assert token_response_body_parsed.key?(key), "Token exchange response does not contain key #{key}"
+        assert token_response_body_parsed[key].present?, "Value for key #{key} cannot be empty"
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/token_exchange_response_headers_test.rb

@@ -0,0 +1,30 @@
+module UDAPSecurityTestKit
+  class TokenExchangeResponseHeadersTest < Inferno::Test
+    title 'Response includes correct HTTP Cache-Control and Pragma headers'
+    description %(
+      [RFC 6749 OAuth 2.0 Authorization Framework Section 5.1](https://datatracker.ietf.org/doc/html/rfc6749#section-5.1)
+      states the following:
+      > The authorization server MUST include the HTTP "Cache-Control" response
+        header field with a value of
+      > "no-store" in any response containing tokens, credentials, or other
+        sensitive information, as well as the "Pragma" response header field with a value of "no-cache".
+    )
+    id :udap_token_exchange_response_headers
+
+    uses_request :token_exchange
+
+    run do
+      skip_if request.status != 200, 'Token exchange was unsuccessful'
+
+      cc_header = request.response_header('Cache-Control')&.value
+
+      assert cc_header&.downcase&.include?('no-store'),
+             'Token response must have `Cache-Control` header containing `no-store`.'
+
+      pragma_header = request.response_header('Pragma')&.value
+
+      assert pragma_header&.downcase&.include?('no-cache'),
+             'Token response must have `Pragma` header containing `no-cache`.'
+    end
+  end
+end

data/lib/udap_security_test_kit/udap_auth_extensions_required_field_test.rb

@@ -0,0 +1,38 @@
+module UDAPSecurityTestKit
+  class UDAPAuthExtensionsRequiredFieldTest < Inferno::Test
+    include Inferno::DSL::Assertions
+
+    title 'udap_authorization_extensions_required field'
+    id :udap_auth_extensions_required_field
+    description %(
+        `udap_authorization_extensions_required field` is an array of zero or more recognized key names for
+         Authorization Extension Objects required by the Authorization Server in every token request.
+          This metadata parameter SHALL be present if the value of the `udap_authorization_extensions_supported`
+           parameter is not an empty array.
+      )
+
+    input :udap_well_known_metadata_json
+
+    run do
+      assert_valid_json(udap_well_known_metadata_json)
+      config = JSON.parse(udap_well_known_metadata_json)
+
+      skip_if !config.key?('udap_authorization_extensions_supported'),
+              'Cannot access data needed to assess `udap_authorization_extensions_required` field:
+               `udap_authorization_extensions_supported` field is not present'
+
+      skip_if !config['udap_authorization_extensions_supported'].is_a?(Array),
+              'Cannot access data needed to assess `udap_authorization_extensions_required` field:
+               `udap_authorization_extensions_supported` field is not present'
+
+      omit_if config['udap_authorization_extensions_supported'].blank?, 'No UDAP authorization extensions are supported'
+
+      assert config.key?('udap_authorization_extensions_required'),
+             '`udap_authorization_extensions_required` field must be present because
+              `udap_authorization_extensions_supported field is not empty'
+
+      assert config['udap_authorization_extensions_required'].is_a?(Array),
+             '`udap_authorization_extensions_required` must be an array'
+    end
+  end
+end

data/lib/udap_security_test_kit/udap_auth_extensions_supported_field_test.rb

@@ -0,0 +1,31 @@
+module UDAPSecurityTestKit
+  class UDAPAuthExtensionsSupportedFieldTest < Inferno::Test
+    include Inferno::DSL::Assertions
+
+    title 'udap_authorization_extensions_supported field'
+    id :udap_auth_extensions_supported_field
+    description %(
+        `udap_authorization_extensions_supported` is an array of zero or more recognized key names for Authorization
+         Extension Objects supported by the Authorization Server.
+      )
+
+    input :udap_well_known_metadata_json
+    input :required_flow_type
+
+    run do
+      assert_valid_json(udap_well_known_metadata_json)
+      config = JSON.parse(udap_well_known_metadata_json)
+
+      assert config.key?('udap_authorization_extensions_supported'),
+             '`udap_authorization_extensions_supported` is a required field'
+
+      assert config['udap_authorization_extensions_supported'].is_a?(Array),
+             '`udap_authorization_extensions_supported` must be an array'
+
+      if required_flow_type.include? 'client_credentials'
+        assert config['udap_authorization_extensions_supported'].include?('hl7-b2b'),
+               'Must support hl7-b2b authorization extension for client credentials workflow'
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/udap_certifications_required_field_test.rb

@@ -0,0 +1,45 @@
+require_relative 'common_assertions'
+
+module UDAPSecurityTestKit
+  extend CommonAssertions
+  class UDAPCertificationsRequiredFieldTest < Inferno::Test
+    include Inferno::DSL::Assertions
+
+    title 'udap_certifications_required field'
+    id :udap_certifications_required_field
+    description %(
+        If `udap_certifications_supported` is not empty, then `udap_certifications_required` is an array of zero or more
+        certification URIs
+      )
+
+    input :udap_well_known_metadata_json
+    output :udap_certifications_required
+
+    run do
+      assert_valid_json(udap_well_known_metadata_json)
+      config = JSON.parse(udap_well_known_metadata_json)
+
+      skip_if !config.key?('udap_certifications_supported'),
+              'Assessment of `udap_certifications_required` field is dependent on values in
+               `udap_certifications_supported`field, which is not present'
+
+      omit_if config['udap_certifications_supported'].blank?, 'No UDAP certifications are supported'
+
+      CommonAssertions.assert_array_of_strings(config, 'udap_certifications_required')
+
+      if config['udap_certifications_required'].blank?
+        output udap_certifications_required: 'false'
+      else
+        output udap_certifications_required: 'true'
+      end
+
+      non_uri_values =
+        config['udap_certifications_required']
+          .grep_v(URI::DEFAULT_PARSER.make_regexp)
+
+      assert non_uri_values.blank?,
+             '`udap_certifacations_required` should be an Array of ' \
+             "URI strings but found #{non_uri_values.map(&:class).map(&:name).join(', ')}"
+    end
+  end
+end

data/lib/udap_security_test_kit/udap_certifications_supported_field_test.rb

@@ -0,0 +1,33 @@
+require_relative 'common_assertions'
+module UDAPSecurityTestKit
+  extend CommonAssertions
+  class UDAPCertificationsSupportedFieldTest < Inferno::Test
+    include Inferno::DSL::Assertions
+
+    title 'udap_certifications_supported field'
+    id :udap_certifications_supported_field
+    description %(
+        `udap_certifications_supported` is an array of zero or more
+        certification URIs
+      )
+
+    input :udap_well_known_metadata_json
+
+    run do
+      assert_valid_json(udap_well_known_metadata_json)
+      config = JSON.parse(udap_well_known_metadata_json)
+
+      assert config.key?('udap_certifications_supported'), '`udap_certifications_supported` is a required field'
+
+      CommonAssertions.assert_array_of_strings(config, 'udap_certifications_supported')
+
+      non_uri_values =
+        config['udap_certifications_supported']
+          .grep_v(URI::DEFAULT_PARSER.make_regexp)
+
+      error_message = '`udap_certifacations_supported` should be an Array of URI strings, but found
+       #{non_uri_values.map(&:class).map(&:name).join(', ')}'
+      assert non_uri_values.blank?, error_message
+    end
+  end
+end

data/lib/udap_security_test_kit/udap_client_assertion_payload_builder.rb

@@ -0,0 +1,15 @@
+module UDAPSecurityTestKit
+  class UDAPClientAssertionPayloadBuilder
+    def self.build(iss, aud, extensions)
+      {
+        iss:,
+        sub: iss,
+        aud:,
+        exp: 5.minutes.from_now.to_i,
+        iat: Time.now.to_i,
+        jti: SecureRandom.hex(32),
+        extensions:
+      }.compact
+    end
+  end
+end

data/lib/udap_security_test_kit/udap_jwt_builder.rb

@@ -0,0 +1,30 @@
+require 'jwt'
+require 'base64'
+
+module UDAPSecurityTestKit
+  class UDAPJWTBuilder
+    def self.generate_private_key(pkey_string)
+      OpenSSL::PKey.read(pkey_string)
+    end
+
+    def self.split_user_input_cert_string(user_input_string)
+      regex = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m
+      user_input_string.scan(regex)
+    end
+
+    def self.encode_jwt_no_x5c_header(payload, private_key, alg)
+      JWT.encode payload, private_key, alg
+    end
+
+    def self.encode_jwt_with_x5c_header(payload, private_key_pem_string, alg, x5c_certs_pem_string)
+      private_key = OpenSSL::PKey.read(private_key_pem_string)
+
+      x5c_certs_encoded = x5c_certs_pem_string.map do |cert|
+        cert_pem = OpenSSL::X509::Certificate.new(cert)
+        Base64.urlsafe_encode64(cert_pem.to_der)
+      end
+
+      JWT.encode payload, private_key, alg, { x5c: x5c_certs_encoded }
+    end
+  end
+end

data/lib/udap_security_test_kit/udap_jwt_validator.rb

@@ -0,0 +1,71 @@
+require 'jwt'
+
+module UDAPSecurityTestKit
+  class UDAPJWTValidator
+    def self.validate_signature(signed_metadata_jwt, algorithm, cert)
+      JWT.decode(
+        signed_metadata_jwt,
+        cert.public_key,
+        true,
+        algorithm:
+      )
+      {
+        success: true,
+        error_message: nil
+      }
+    rescue JWT::DecodeError => e
+      {
+        success: false,
+        error_message: e.full_message
+      }
+    end
+
+    def self.validate_trust_chain(x5c_header_encoded, trust_anchor_certs)
+      cert_chain = x5c_header_encoded.map do |cert|
+        cert_der = Base64.urlsafe_decode64(cert)
+        OpenSSL::X509::Certificate.new(cert_der)
+      end
+      crl_uris = cert_chain.map(&:crl_uris).compact.flatten
+      crl_uris_anchors = trust_anchor_certs.map(&:crl_uris).compact.flatten
+      crl_uris.concat(crl_uris_anchors)
+      begin
+        crls = crl_uris.map do |uri|
+          get_crl_from_uri(uri)
+        end
+      rescue OpenSSL::X509::CRLError => e
+        return {
+          success: false,
+          error_message: e.message
+        }
+      end
+
+      begin
+        # JWT library can validate the trust chain while decoding the provided
+        # JWT/verifying its signature, but we don't have currently have access
+        # to certs that satisfy both prerequisites to doing this. We have:
+        # A) client certs that can establish a legitimate trust chain (but don't
+        # have access to private key needed to create a valid, signed JWT with them)
+        # B) client certs that have a valid private key (but which cannot
+        # establish a legitimate trust chain)
+        # As a result, these capabilities are decoupled for testing purposes
+        JWT::X5cKeyFinder.new(trust_anchor_certs,
+                              crls).from(x5c_header_encoded)
+        {
+          success: true,
+          error_message: nil
+        }
+      rescue JWT::VerificationError => e
+        {
+          success: false,
+          error_message: e.full_message
+        }
+      end
+    end
+
+    def self.get_crl_from_uri(crl_uri)
+      uri = URI(crl_uri)
+      crl = Net::HTTP.get(uri)
+      OpenSSL::X509::CRL.new(crl)
+    end
+  end
+end

data/lib/udap_security_test_kit/udap_profiles_supported_field_test.rb

@@ -0,0 +1,47 @@
+require_relative 'common_assertions'
+
+module UDAPSecurityTestKit
+  extend CommonAssertions
+  class UDAPProfilesSupportedFieldTest < Inferno::Test
+    include Inferno::DSL::Assertions
+
+    title 'udap_profiles_supported field'
+    id :udap_profiles_supported_field
+    description %(
+        `udap_profiles_supported` is an array of two or more strings identifying the core UDAP profiles supported by the
+         Authorization Server. The array SHALL include:
+        `udap_dcr` for UDAP Dynamic Client Registration, and
+        `udap_authn` for UDAP JWT-Based Client Authentication.
+        If the `grant_types_supported` parameter includes the string `client_credentials`, then the array SHALL also
+         include:
+        `udap_authz` for UDAP Client Authorization Grants using JSON Web Tokens to indicate support for
+         Authorization Extension Objects.
+      )
+
+    input :udap_well_known_metadata_json
+
+    run do
+      assert_valid_json(udap_well_known_metadata_json)
+      config = JSON.parse(udap_well_known_metadata_json)
+
+      assert config.key?('udap_profiles_supported'), '`udap_profiles_supported` is a required field'
+
+      CommonAssertions.assert_array_of_strings(config, 'udap_profiles_supported')
+
+      profiles_supported = config['udap_profiles_supported']
+
+      assert profiles_supported.include?('udap_dcr'),
+             'Array must include `udap_dcr` to indicate support for required UDAP Dynamic Client Registration profile'
+
+      assert profiles_supported.include?('udap_authn'),
+             'Array must include `udap_authn` value to indicate support for required UDAP JWT-Based Client
+              Authentication profile'
+
+      if config['grant_types_supported']&.include?('client_credentials')
+        assert profiles_supported.include?('udap_authz'),
+               '`client_credentials` grant type is supported, so array must include `udap_authz` to indicate support for
+                UDAP Client Authorization Grants using JSON Web Tokens'
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/udap_request_builder.rb

@@ -0,0 +1,43 @@
+require 'uri'
+module UDAPSecurityTestKit
+  class UDAPRequestBuilder
+    def self.build_registration_request(software_statement_jwt, certifications_jwt)
+      registration_headers = {
+        'Accept' => 'application/json',
+        'Content-Type' => 'application/json'
+      }
+
+      certifications = if certifications_jwt.nil?
+                         []
+                       else
+                         certifications_jwt.split
+                       end
+
+      registration_body = {
+        'software_statement' => software_statement_jwt,
+        'certifications' => certifications,
+        'udap' => '1'
+      }.compact
+
+      [registration_headers, registration_body.to_json]
+    end
+
+    def self.build_token_exchange_request(client_assertion_jwt, grant_type, authorization_code, redirect_uri)
+      token_exchange_headers = {
+        'Accept' => 'application/json',
+        'Content-Type' => 'application/x-www-form-urlencoded'
+      }
+
+      token_exchange_body = {
+        'grant_type' => grant_type,
+        'code' => authorization_code,
+        'redirect_uri' => redirect_uri,
+        'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+        'client_assertion' => client_assertion_jwt,
+        'udap' => '1'
+      }.compact
+
+      [token_exchange_headers, URI.encode_www_form(token_exchange_body)]
+    end
+  end
+end

data/lib/udap_security_test_kit/udap_versions_supported_field_test.rb

@@ -0,0 +1,21 @@
+module UDAPSecurityTestKit
+  class UDAPVersionsSupportedFieldTest < Inferno::Test
+    include Inferno::DSL::Assertions
+
+    title 'udap_versions_supported field'
+    id :udap_versions_supported_field
+    description %(
+        `udap_versions_supported` must contain a fixed array with one string
+        element: `["1"]`
+      )
+
+    input :udap_well_known_metadata_json
+
+    run do
+      assert_valid_json(udap_well_known_metadata_json)
+      config = JSON.parse(udap_well_known_metadata_json)
+      assert config['udap_versions_supported'] == ['1'],
+             "`udap_versions_supported` field must contain an array with one string element '1'"
+    end
+  end
+end

data/lib/udap_security_test_kit/udap_x509_certificate.rb

@@ -0,0 +1,42 @@
+module UDAPSecurityTestKit
+  class UDAPX509Certificate
+    attr_reader :san, :cert_private_key, :cert
+
+    def initialize(issuer_cert_pem_string, issuer_private_key_pem_string, include_san_extension: true)
+      issuer_private_key = OpenSSL::PKey.read(issuer_private_key_pem_string)
+      issuer_cert = OpenSSL::X509::Certificate.new(issuer_cert_pem_string)
+
+      @cert_private_key = OpenSSL::PKey::RSA.new 2048
+      cert = OpenSSL::X509::Certificate.new
+
+      # must be v3 or above to allow extensions
+      # x509 versions are zero-based, so '2' means version 3
+      cert.version = 2
+
+      # X.509 serial numbers can be up to 20 bytes (2**(8*20))
+      cert.serial = SecureRandom.random_number(2**32)
+      cert.subject = OpenSSL::X509::Name.parse '/C=US/ST=MA/L=Bedford/O=Inferno/CN=UDAP-Test-Client'
+      cert.issuer = issuer_cert.subject
+      cert.public_key = cert_private_key.public_key
+      cert.not_before = Time.now
+      cert.not_after = cert.not_before + (1 * 365 * 24 * 60 * 60) # 1 years validity
+      ef = OpenSSL::X509::ExtensionFactory.new
+      ef.subject_certificate = cert
+      ef.issuer_certificate = issuer_cert
+
+      if include_san_extension
+        # SAN must be unique for each cert
+        @san = "https://inferno.org/udap_security_test_kit/#{cert.serial}"
+        unique_uri_entry = "URI:#{@san}"
+        cert.add_extension(ef.create_extension('subjectAltName', unique_uri_entry, false))
+      end
+
+      # TODO: add in any other relevant extensions?
+      cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, nonRepudiation', true))
+      cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash', false))
+      cert.sign(issuer_private_key, OpenSSL::Digest.new('SHA256'))
+
+      @cert = cert
+    end
+  end
+end

data/lib/udap_security_test_kit/version.rb

@@ -0,0 +1,3 @@
+module UDAPSecurityTestKit
+  VERSION = '0.9.0'.freeze
+end

data/lib/udap_security_test_kit/well_known_endpoint_test.rb

@@ -0,0 +1,31 @@
+module UDAPSecurityTestKit
+  class WellKnownEndpointTest < Inferno::Test
+    include Inferno::DSL::Assertions
+
+    title 'UDAP Well-Known configuration is available'
+    id :udap_well_known_endpoint
+    description %(
+      The [UDAP Discovery IG Section 2.1 Discovery Endpoints](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints)
+      states:
+      > Servers SHALL allow access to the following metadata URL to unregistered client applications and without
+      > requiring client authentication, where {baseURL} represents the base FHIR URL for the FHIR server:
+      > `{baseURL}/.well-known/udap`
+
+      This test ensures the discovery endpoint returns a 200 status and valid JSON body.
+    )
+
+    input :udap_fhir_base_url,
+          title: 'FHIR Server Base URL',
+          description: 'Base FHIR URL of FHIR Server. Discovery request will be sent to {baseURL}/.well-known/udap'
+
+    output :udap_well_known_metadata_json
+    makes_request :config
+
+    run do
+      get("#{udap_fhir_base_url.strip.chomp('/')}/.well-known/udap", name: :udap_well_known_metadata_json)
+      assert_response_status(200)
+      assert_valid_json(response[:body])
+      output udap_well_known_metadata_json: response[:body]
+    end
+  end
+end