udap_security_test_kit 0.9.2 → 0.10.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/udap_security_test_kit/authorization_code_authentication_group.rb +17 -3
- data/lib/udap_security_test_kit/authorization_code_group.rb +15 -15
- data/lib/udap_security_test_kit/authorization_code_redirect_test.rb +6 -2
- data/lib/udap_security_test_kit/authorization_code_token_exchange_test.rb +9 -10
- data/lib/udap_security_test_kit/client_credentials_authentication_group.rb +17 -3
- data/lib/udap_security_test_kit/client_credentials_group.rb +12 -12
- data/lib/udap_security_test_kit/client_credentials_token_exchange_test.rb +9 -8
- data/lib/udap_security_test_kit/redirect_uri.rb +3 -0
- data/lib/udap_security_test_kit/registration_success_contents_test.rb +27 -9
- data/lib/udap_security_test_kit/software_statement_builder.rb +2 -1
- data/lib/udap_security_test_kit/token_exchange_response_body_test.rb +10 -0
- data/lib/udap_security_test_kit/version.rb +1 -1
- data/lib/udap_security_test_kit.rb +10 -1
- metadata +6 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 43c8eabf008e3dd76265b3e455a80e27f2af665548319c7b3f8c565daf71a3d4
|
|
4
|
+
data.tar.gz: ed6ed1097c0fc02baf51392df43875ac4974dbdb49e494b5eee0595fd33dcf0e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3433cf5e7929b434de4bff0b999b455c9dd0d9fb407d0574b592ce3921ec7037cd0cf9be598319b6fdeca648d887033d842c20845ff09de0e8046ed533e4b9c8
|
|
7
|
+
data.tar.gz: 6437f00f2ceb182e454a41d5555284bb516d763cba8c2684d39dc7dcb0f7252c8a50b3f70f3c2753df75a98e72cb7a348199d42a4e6d24c994abbbb61c39bb65
|
|
@@ -20,7 +20,7 @@ module UDAPSecurityTestKit
|
|
|
20
20
|
config: {
|
|
21
21
|
requests: {
|
|
22
22
|
token_exchange: {
|
|
23
|
-
name: :
|
|
23
|
+
name: :udap_auth_code_flow_token_exchange
|
|
24
24
|
}
|
|
25
25
|
}
|
|
26
26
|
}
|
|
@@ -28,7 +28,21 @@ module UDAPSecurityTestKit
|
|
|
28
28
|
config: {
|
|
29
29
|
inputs: {
|
|
30
30
|
token_response_body: {
|
|
31
|
-
name: :
|
|
31
|
+
name: :udap_auth_code_flow_token_exchange_response_body
|
|
32
|
+
}
|
|
33
|
+
},
|
|
34
|
+
outputs: {
|
|
35
|
+
udap_access_token: {
|
|
36
|
+
name: :udap_auth_code_flow_access_token
|
|
37
|
+
},
|
|
38
|
+
udap_expires_in: {
|
|
39
|
+
name: :udap_auth_code_flow_expires_in
|
|
40
|
+
},
|
|
41
|
+
udap_received_scopes: {
|
|
42
|
+
name: :udap_auth_code_flow_received_scopes
|
|
43
|
+
},
|
|
44
|
+
udap_refresh_token: {
|
|
45
|
+
name: :udap_auth_code_flow_refresh_token
|
|
32
46
|
}
|
|
33
47
|
}
|
|
34
48
|
}
|
|
@@ -36,7 +50,7 @@ module UDAPSecurityTestKit
|
|
|
36
50
|
config: {
|
|
37
51
|
requests: {
|
|
38
52
|
token_exchange: {
|
|
39
|
-
name: :
|
|
53
|
+
name: :udap_auth_code_flow_token_exchange
|
|
40
54
|
}
|
|
41
55
|
}
|
|
42
56
|
}
|
|
@@ -45,24 +45,24 @@ module UDAPSecurityTestKit
|
|
|
45
45
|
config: {
|
|
46
46
|
inputs: {
|
|
47
47
|
udap_registration_grant_type: {
|
|
48
|
-
name: :
|
|
48
|
+
name: :udap_auth_code_flow_registration_grant_type,
|
|
49
49
|
default: 'authorization_code',
|
|
50
50
|
locked: true
|
|
51
51
|
},
|
|
52
52
|
udap_client_cert_pem: {
|
|
53
|
-
name: :
|
|
53
|
+
name: :udap_auth_code_flow_client_cert_pem,
|
|
54
54
|
title: 'Authorization Code Client Certificate(s) (PEM Format)'
|
|
55
55
|
},
|
|
56
56
|
udap_client_private_key_pem: {
|
|
57
|
-
name: :
|
|
57
|
+
name: :udap_auth_code_flow_client_private_key,
|
|
58
58
|
title: 'Authorization Code Client Private Key (PEM Format)'
|
|
59
59
|
},
|
|
60
60
|
udap_cert_iss: {
|
|
61
|
-
name: :
|
|
61
|
+
name: :udap_auth_code_flow_cert_iss,
|
|
62
62
|
title: 'Authorization Code JWT Issuer (iss) Claim'
|
|
63
63
|
},
|
|
64
64
|
udap_registration_requested_scope: {
|
|
65
|
-
name: :
|
|
65
|
+
name: :udap_auth_code_flow_registration_scope,
|
|
66
66
|
title: 'Authorization Code Registration Requested Scope(s)',
|
|
67
67
|
description: %(
|
|
68
68
|
String containing a space delimited list of scopes requested by the client application for use in
|
|
@@ -72,29 +72,29 @@ module UDAPSecurityTestKit
|
|
|
72
72
|
)
|
|
73
73
|
},
|
|
74
74
|
udap_registration_certifications: {
|
|
75
|
-
name: :
|
|
75
|
+
name: :udap_auth_code_flow_registration_certifications,
|
|
76
76
|
title: 'Authorization Code UDAP Registration Certifications'
|
|
77
77
|
}
|
|
78
78
|
},
|
|
79
79
|
outputs: {
|
|
80
80
|
udap_client_cert_pem: {
|
|
81
|
-
name: :
|
|
81
|
+
name: :udap_auth_code_flow_client_cert_pem
|
|
82
82
|
},
|
|
83
83
|
udap_client_private_key_pem: {
|
|
84
|
-
name: :
|
|
84
|
+
name: :udap_auth_code_flow_client_private_key
|
|
85
85
|
},
|
|
86
86
|
udap_cert_iss: {
|
|
87
|
-
name: :
|
|
87
|
+
name: :udap_auth_code_flow_cert_iss
|
|
88
88
|
}
|
|
89
89
|
}
|
|
90
90
|
} do
|
|
91
91
|
input_order :udap_registration_endpoint,
|
|
92
|
-
:
|
|
93
|
-
:
|
|
94
|
-
:
|
|
95
|
-
:
|
|
96
|
-
:
|
|
97
|
-
:udap_jwt_signing_alg, :
|
|
92
|
+
:udap_auth_code_flow_registration_grant_type,
|
|
93
|
+
:udap_auth_code_flow_client_cert_pem,
|
|
94
|
+
:udap_auth_code_flow_client_private_key,
|
|
95
|
+
:udap_auth_code_flow_cert_iss,
|
|
96
|
+
:udap_auth_code_flow_registration_scope,
|
|
97
|
+
:udap_jwt_signing_alg, :udap_auth_code_flow_registration_certifications
|
|
98
98
|
end
|
|
99
99
|
|
|
100
100
|
group from: :udap_authorization_code_authentication_group,
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
require_relative '../udap_security_test_kit'
|
|
1
2
|
module UDAPSecurityTestKit
|
|
2
3
|
class AuthorizationCodeRedirectTest < Inferno::Test
|
|
3
4
|
title 'Authorization server redirects client to redirect URI'
|
|
@@ -20,8 +21,6 @@ module UDAPSecurityTestKit
|
|
|
20
21
|
|
|
21
22
|
receives_request :redirect
|
|
22
23
|
|
|
23
|
-
config options: { redirect_uri: "#{Inferno::Application['base_url']}/custom/udap_security_test_kit/redirect" }
|
|
24
|
-
|
|
25
24
|
def wait_message(auth_url)
|
|
26
25
|
if config.options[:redirect_message_proc].present?
|
|
27
26
|
return instance_exec(auth_url, &config.options[:redirect_message_proc])
|
|
@@ -49,6 +48,11 @@ module UDAPSecurityTestKit
|
|
|
49
48
|
end
|
|
50
49
|
|
|
51
50
|
run do
|
|
51
|
+
assert_valid_http_uri(
|
|
52
|
+
udap_authorization_endpoint,
|
|
53
|
+
"UDAP authorization endpoint '#{udap_authorization_endpoint}' is not a valid URI"
|
|
54
|
+
)
|
|
55
|
+
|
|
52
56
|
output udap_authorization_code_state: SecureRandom.uuid
|
|
53
57
|
|
|
54
58
|
oauth2_params = {
|
|
@@ -23,7 +23,7 @@ module UDAPSecurityTestKit
|
|
|
23
23
|
title: 'Token Endpoint',
|
|
24
24
|
description: 'The full URL from which Inferno will request an access token'
|
|
25
25
|
|
|
26
|
-
input :
|
|
26
|
+
input :udap_auth_code_flow_client_cert_pem,
|
|
27
27
|
title: 'X.509 Client Certificate (PEM Format)',
|
|
28
28
|
type: 'textarea',
|
|
29
29
|
description: %(
|
|
@@ -34,7 +34,7 @@ module UDAPSecurityTestKit
|
|
|
34
34
|
authorization server under test.
|
|
35
35
|
)
|
|
36
36
|
|
|
37
|
-
input :
|
|
37
|
+
input :udap_auth_code_flow_client_private_key,
|
|
38
38
|
type: 'textarea',
|
|
39
39
|
title: 'Client Private Key (PEM Format)',
|
|
40
40
|
description: 'The private key corresponding to the X.509 client certificate'
|
|
@@ -57,11 +57,10 @@ module UDAPSecurityTestKit
|
|
|
57
57
|
default: 'RS256',
|
|
58
58
|
locked: true
|
|
59
59
|
|
|
60
|
-
output :
|
|
61
|
-
|
|
62
|
-
makes_request :token_exchange
|
|
60
|
+
output :udap_auth_code_flow_token_retrieval_time,
|
|
61
|
+
:udap_auth_code_flow_token_exchange_response_body
|
|
63
62
|
|
|
64
|
-
|
|
63
|
+
makes_request :token_exchange
|
|
65
64
|
|
|
66
65
|
run do
|
|
67
66
|
client_assertion_payload = UDAPClientAssertionPayloadBuilder.build(
|
|
@@ -70,11 +69,11 @@ module UDAPSecurityTestKit
|
|
|
70
69
|
nil
|
|
71
70
|
)
|
|
72
71
|
|
|
73
|
-
x5c_certs = UDAPJWTBuilder.split_user_input_cert_string(
|
|
72
|
+
x5c_certs = UDAPJWTBuilder.split_user_input_cert_string(udap_auth_code_flow_client_cert_pem)
|
|
74
73
|
|
|
75
74
|
client_assertion_jwt = UDAPJWTBuilder.encode_jwt_with_x5c_header(
|
|
76
75
|
client_assertion_payload,
|
|
77
|
-
|
|
76
|
+
udap_auth_code_flow_client_private_key,
|
|
78
77
|
udap_jwt_signing_alg,
|
|
79
78
|
x5c_certs
|
|
80
79
|
)
|
|
@@ -95,9 +94,9 @@ module UDAPSecurityTestKit
|
|
|
95
94
|
assert_response_status(200)
|
|
96
95
|
assert_valid_json(request.response_body)
|
|
97
96
|
|
|
98
|
-
output
|
|
97
|
+
output udap_auth_code_flow_token_retrieval_time: Time.now.iso8601
|
|
99
98
|
|
|
100
|
-
output
|
|
99
|
+
output udap_auth_code_flow_token_exchange_response_body: request.response_body
|
|
101
100
|
end
|
|
102
101
|
end
|
|
103
102
|
end
|
|
@@ -16,7 +16,7 @@ module UDAPSecurityTestKit
|
|
|
16
16
|
config: {
|
|
17
17
|
requests: {
|
|
18
18
|
token_exchange: {
|
|
19
|
-
name: :
|
|
19
|
+
name: :udap_client_credentials_flow_token_exchange
|
|
20
20
|
}
|
|
21
21
|
}
|
|
22
22
|
}
|
|
@@ -24,7 +24,21 @@ module UDAPSecurityTestKit
|
|
|
24
24
|
config: {
|
|
25
25
|
inputs: {
|
|
26
26
|
token_response_body: {
|
|
27
|
-
name: :
|
|
27
|
+
name: :udap_client_credentials_flow_token_exchange_response_body
|
|
28
|
+
}
|
|
29
|
+
},
|
|
30
|
+
outputs: {
|
|
31
|
+
udap_access_token: {
|
|
32
|
+
name: :udap_client_credentials_flow_access_token
|
|
33
|
+
},
|
|
34
|
+
udap_expires_in: {
|
|
35
|
+
name: :udap_client_credentials_flow_expires_in
|
|
36
|
+
},
|
|
37
|
+
udap_received_scopes: {
|
|
38
|
+
name: :udap_client_credentials_flow_received_scopes
|
|
39
|
+
},
|
|
40
|
+
udap_refresh_token: {
|
|
41
|
+
name: :udap_client_credentials_flow_refresh_token
|
|
28
42
|
}
|
|
29
43
|
}
|
|
30
44
|
}
|
|
@@ -32,7 +46,7 @@ module UDAPSecurityTestKit
|
|
|
32
46
|
config: {
|
|
33
47
|
requests: {
|
|
34
48
|
token_exchange: {
|
|
35
|
-
name: :
|
|
49
|
+
name: :udap_client_credentials_flow_token_exchange
|
|
36
50
|
}
|
|
37
51
|
}
|
|
38
52
|
}
|
|
@@ -47,16 +47,16 @@ module UDAPSecurityTestKit
|
|
|
47
47
|
config: {
|
|
48
48
|
inputs: {
|
|
49
49
|
udap_registration_grant_type: {
|
|
50
|
-
name: :
|
|
50
|
+
name: :udap_client_credentials_flow_registration_grant_type,
|
|
51
51
|
default: 'client_credentials',
|
|
52
52
|
locked: true
|
|
53
53
|
},
|
|
54
54
|
udap_client_cert_pem: {
|
|
55
|
-
name: :
|
|
55
|
+
name: :udap_client_credentials_flow_client_cert_pem,
|
|
56
56
|
title: 'Client Credentials Client Certificate(s) (PEM Format)'
|
|
57
57
|
},
|
|
58
58
|
udap_client_private_key_pem: {
|
|
59
|
-
name: :
|
|
59
|
+
name: :udap_client_credentials_flow_client_private_key,
|
|
60
60
|
title: 'Client Credentials Client Private Key (PEM Format)'
|
|
61
61
|
},
|
|
62
62
|
udap_cert_iss: {
|
|
@@ -64,7 +64,7 @@ module UDAPSecurityTestKit
|
|
|
64
64
|
title: 'Client Credentials JWT Issuer (iss) Claim'
|
|
65
65
|
},
|
|
66
66
|
udap_registration_requested_scope: {
|
|
67
|
-
name: :
|
|
67
|
+
name: :udap_client_credentials_flow_registration_scope,
|
|
68
68
|
title: 'Client Credentials Registration Requested Scope(s)',
|
|
69
69
|
description: %(
|
|
70
70
|
String containing a space delimited list of scopes requested by the client application for use in
|
|
@@ -74,16 +74,16 @@ module UDAPSecurityTestKit
|
|
|
74
74
|
)
|
|
75
75
|
},
|
|
76
76
|
udap_registration_certifications: {
|
|
77
|
-
name: :
|
|
77
|
+
name: :udap_client_creds_flow_registration_certifications,
|
|
78
78
|
title: 'Client Credentials UDAP Registration Certifications'
|
|
79
79
|
}
|
|
80
80
|
},
|
|
81
81
|
outputs: {
|
|
82
82
|
udap_client_cert_pem: {
|
|
83
|
-
name: :
|
|
83
|
+
name: :udap_client_credentials_flow_client_cert_pem
|
|
84
84
|
},
|
|
85
85
|
udap_client_private_key_pem: {
|
|
86
|
-
name: :
|
|
86
|
+
name: :udap_client_credentials_flow_client_private_key
|
|
87
87
|
},
|
|
88
88
|
udap_cert_iss: {
|
|
89
89
|
name: :udap_cert_iss_client_creds_flow
|
|
@@ -91,12 +91,12 @@ module UDAPSecurityTestKit
|
|
|
91
91
|
}
|
|
92
92
|
} do
|
|
93
93
|
input_order :udap_registration_endpoint,
|
|
94
|
-
:
|
|
95
|
-
:
|
|
96
|
-
:
|
|
94
|
+
:udap_client_credentials_flow_registration_grant_type,
|
|
95
|
+
:udap_client_credentials_flow_client_cert_pem,
|
|
96
|
+
:udap_client_credentials_flow_client_private_key,
|
|
97
97
|
:udap_cert_iss_client_creds_flow,
|
|
98
|
-
:
|
|
99
|
-
:udap_jwt_signing_alg, :
|
|
98
|
+
:udap_client_credentials_flow_registration_scope,
|
|
99
|
+
:udap_jwt_signing_alg, :udap_client_creds_flow_registration_certifications
|
|
100
100
|
end
|
|
101
101
|
|
|
102
102
|
group from: :udap_client_credentials_authentication_group,
|
|
@@ -38,7 +38,7 @@ module UDAPSecurityTestKit
|
|
|
38
38
|
title: 'Token Endpoint',
|
|
39
39
|
description: 'The full URL from which Inferno will request an access token'
|
|
40
40
|
|
|
41
|
-
input :
|
|
41
|
+
input :udap_client_credentials_flow_client_cert_pem,
|
|
42
42
|
title: 'X.509 Client Certificate(s) (PEM Format)',
|
|
43
43
|
type: 'textarea',
|
|
44
44
|
description: %(
|
|
@@ -48,7 +48,7 @@ module UDAPSecurityTestKit
|
|
|
48
48
|
authorization server under test.
|
|
49
49
|
)
|
|
50
50
|
|
|
51
|
-
input :
|
|
51
|
+
input :udap_client_credentials_flow_client_private_key,
|
|
52
52
|
type: 'textarea',
|
|
53
53
|
title: 'Client Private Key (PEM Format)',
|
|
54
54
|
description: 'The private key corresponding to the X.509 client certificate'
|
|
@@ -71,8 +71,9 @@ module UDAPSecurityTestKit
|
|
|
71
71
|
default: 'RS256',
|
|
72
72
|
locked: true
|
|
73
73
|
|
|
74
|
-
output :
|
|
75
|
-
|
|
74
|
+
output :udap_client_credentials_flow_token_retrieval_time,
|
|
75
|
+
:udap_client_credentials_flow_token_exchange_response_body
|
|
76
|
+
|
|
76
77
|
makes_request :token_exchange
|
|
77
78
|
|
|
78
79
|
run do
|
|
@@ -97,12 +98,12 @@ module UDAPSecurityTestKit
|
|
|
97
98
|
)
|
|
98
99
|
|
|
99
100
|
x5c_certs = UDAPJWTBuilder.split_user_input_cert_string(
|
|
100
|
-
|
|
101
|
+
udap_client_credentials_flow_client_cert_pem
|
|
101
102
|
)
|
|
102
103
|
|
|
103
104
|
client_assertion_jwt = UDAPJWTBuilder.encode_jwt_with_x5c_header(
|
|
104
105
|
client_assertion_payload,
|
|
105
|
-
|
|
106
|
+
udap_client_credentials_flow_client_private_key,
|
|
106
107
|
udap_jwt_signing_alg,
|
|
107
108
|
x5c_certs
|
|
108
109
|
)
|
|
@@ -122,9 +123,9 @@ module UDAPSecurityTestKit
|
|
|
122
123
|
assert_response_status(200)
|
|
123
124
|
assert_valid_json(request.response_body)
|
|
124
125
|
|
|
125
|
-
output
|
|
126
|
+
output udap_client_credentials_flow_token_retrieval_time: Time.now.iso8601
|
|
126
127
|
|
|
127
|
-
output
|
|
128
|
+
output udap_client_credentials_flow_token_exchange_response_body: request.response_body
|
|
128
129
|
end
|
|
129
130
|
end
|
|
130
131
|
end
|
|
@@ -15,14 +15,25 @@ module UDAPSecurityTestKit
|
|
|
15
15
|
> use by the Client App, the software statement as submitted by the Client App, and all of the registration
|
|
16
16
|
> related parameters that were included in the software statement.
|
|
17
17
|
|
|
18
|
+
[UDAP STU 1.1](https://hl7.org/fhir/us/udap-security/STU1.1/registration.html#request-body) clarifies that,
|
|
19
|
+
in accordance with [Section 3.2.1 of RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.1):
|
|
20
|
+
> The authorization server MAY reject or replace any of the client's requested metadata values submitted during
|
|
21
|
+
> the registration and substitute them with suitable values.
|
|
22
|
+
|
|
18
23
|
This test verifies:
|
|
19
|
-
- `client_id` claim is
|
|
20
|
-
- `
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
24
|
+
- `client_id` claim is present in the registration response and its value is not blank.
|
|
25
|
+
- `scope` and `client_name` claims are present in the registration response and their values are not blank.
|
|
26
|
+
- `software_statement`, `grant_types`, and `token_endpoint_auth_method` claims are present in the registration
|
|
27
|
+
response and their values match those in the originally submitted software statement.
|
|
28
|
+
- If the registered grant type is `authorization_code`, then the `redirect_uris` and `response_type` claims are
|
|
29
|
+
present in the registration response and their values match in the originally submitted software statement.
|
|
30
|
+
|
|
31
|
+
In order for downstream tests to succeed, it is
|
|
32
|
+
essential that the client and server are in agreement on the values of most of the software statement
|
|
33
|
+
parameters. The exception is `client_name`, which does not impact behavior. For this reason, an exact match
|
|
34
|
+
between the request and response values for `client_name` is not required.
|
|
35
|
+
Additionally, an exact match between `scope` request and response value is also not required because the
|
|
36
|
+
authorization server may grant different scopes than those orignally requested by the client.
|
|
26
37
|
)
|
|
27
38
|
|
|
28
39
|
input :udap_software_statement_json
|
|
@@ -48,16 +59,23 @@ module UDAPSecurityTestKit
|
|
|
48
59
|
|
|
49
60
|
original_software_statement = JSON.parse(udap_software_statement_json)
|
|
50
61
|
|
|
51
|
-
expected_claims = ['
|
|
62
|
+
expected_claims = ['scope', 'client_name', 'grant_types', 'token_endpoint_auth_method']
|
|
52
63
|
auth_code_claims = ['redirect_uris', 'response_types']
|
|
53
64
|
|
|
65
|
+
# For this subset, authorization server may return a different value than
|
|
66
|
+
# the one originally provided in client software statement
|
|
67
|
+
mutable_claims = ['scope', 'client_name']
|
|
68
|
+
|
|
54
69
|
expected_claims.concat auth_code_claims if udap_registration_grant_type == 'authorization_code'
|
|
55
70
|
|
|
56
71
|
expected_claims.each do |claim|
|
|
57
72
|
assert registration_response.key?(claim), "Successful registration response must include #{claim} claim"
|
|
73
|
+
assert registration_response[claim].present?, "`#{claim}` value cannot be blank"
|
|
74
|
+
next if mutable_claims.include?(claim)
|
|
75
|
+
|
|
58
76
|
assert registration_response[claim] == original_software_statement[claim],
|
|
59
77
|
"Registration response value for #{claim} does not match " \
|
|
60
|
-
'in client-submitted software statement'
|
|
78
|
+
'value in client-submitted software statement'
|
|
61
79
|
end
|
|
62
80
|
end
|
|
63
81
|
end
|
|
@@ -1,10 +1,11 @@
|
|
|
1
1
|
require 'jwt'
|
|
2
|
+
require_relative 'redirect_uri'
|
|
2
3
|
|
|
3
4
|
module UDAPSecurityTestKit
|
|
4
5
|
class SoftwareStatementBuilder
|
|
5
6
|
def self.build_payload(iss, aud, grant_type, scope)
|
|
6
7
|
if grant_type == 'authorization_code'
|
|
7
|
-
redirect_uris = [
|
|
8
|
+
redirect_uris = [UDAPSecurityTestKit::UDAP_REDIRECT_URI]
|
|
8
9
|
response_types = ['code']
|
|
9
10
|
client_name = 'Inferno UDAP Authorization Code Test Client'
|
|
10
11
|
elsif grant_type == 'client_credentials'
|
|
@@ -15,10 +15,20 @@ module UDAPSecurityTestKit
|
|
|
15
15
|
|
|
16
16
|
input :token_response_body
|
|
17
17
|
|
|
18
|
+
output :udap_access_token,
|
|
19
|
+
:udap_expires_in,
|
|
20
|
+
:udap_received_scopes,
|
|
21
|
+
:udap_refresh_token
|
|
22
|
+
|
|
18
23
|
run do
|
|
19
24
|
assert_valid_json(token_response_body)
|
|
20
25
|
token_response_body_parsed = JSON.parse(token_response_body)
|
|
21
26
|
|
|
27
|
+
output udap_access_token: token_response_body_parsed['access_token'],
|
|
28
|
+
udap_expires_in: token_response_body_parsed['expires_in'],
|
|
29
|
+
udap_received_scopes: token_response_body_parsed['scope'],
|
|
30
|
+
udap_refresh_token: token_response_body_parsed['refresh_token']
|
|
31
|
+
|
|
22
32
|
required_keys = ['access_token', 'token_type']
|
|
23
33
|
|
|
24
34
|
required_keys.each do |key|
|
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
require_relative 'udap_security_test_kit/authorization_code_group'
|
|
2
2
|
require_relative 'udap_security_test_kit/client_credentials_group'
|
|
3
3
|
require_relative 'udap_security_test_kit/version'
|
|
4
|
+
require_relative 'udap_security_test_kit/redirect_uri'
|
|
4
5
|
|
|
5
6
|
module UDAPSecurityTestKit
|
|
6
7
|
class Suite < Inferno::TestSuite
|
|
@@ -17,7 +18,8 @@ module UDAPSecurityTestKit
|
|
|
17
18
|
2. Dynamic Client Registration
|
|
18
19
|
3. Authorization & Authentication
|
|
19
20
|
|
|
20
|
-
|
|
21
|
+
In this test suite, Inferno acts as a mock UDAP client to test *server conformance* to the HL7 UDAP IG. Tests are
|
|
22
|
+
grouped according to the OAuth2.0 flow used in the authorization and authentication step:
|
|
21
23
|
1. Authorization Code flow, which supports
|
|
22
24
|
[Consumer-Facing](https://hl7.org/fhir/us/udap-security/STU1/consumer.html) or [Business-to-Business (B2B)](https://hl7.org/fhir/us/udap-security/STU1/b2b.html)
|
|
23
25
|
use cases
|
|
@@ -25,6 +27,9 @@ module UDAPSecurityTestKit
|
|
|
25
27
|
[B2B](https://hl7.org/fhir/us/udap-security/STU1/b2b.html) use case
|
|
26
28
|
|
|
27
29
|
Testers may test one or both flows based on their system under test.
|
|
30
|
+
|
|
31
|
+
This test suite does NOT assess [Tiered OAuth for User Authentication](https://hl7.org/fhir/us/udap-security/STU1/user.html)
|
|
32
|
+
(which is not a required capability) or client conformance to the HL7 UDAP IG.
|
|
28
33
|
)
|
|
29
34
|
|
|
30
35
|
input_instructions %(
|
|
@@ -57,6 +62,10 @@ module UDAPSecurityTestKit
|
|
|
57
62
|
request.query_parameters['state']
|
|
58
63
|
end
|
|
59
64
|
|
|
65
|
+
config options: {
|
|
66
|
+
redirect_uri: UDAPSecurityTestKit::UDAP_REDIRECT_URI
|
|
67
|
+
}
|
|
68
|
+
|
|
60
69
|
links [
|
|
61
70
|
{
|
|
62
71
|
label: 'Report Issue',
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: udap_security_test_kit
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.10.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Stephen MacVicar
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2024-
|
|
12
|
+
date: 2024-12-06 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: inferno_core
|
|
@@ -17,14 +17,14 @@ dependencies:
|
|
|
17
17
|
requirements:
|
|
18
18
|
- - ">="
|
|
19
19
|
- !ruby/object:Gem::Version
|
|
20
|
-
version: 0.
|
|
20
|
+
version: 0.5.1
|
|
21
21
|
type: :runtime
|
|
22
22
|
prerelease: false
|
|
23
23
|
version_requirements: !ruby/object:Gem::Requirement
|
|
24
24
|
requirements:
|
|
25
25
|
- - ">="
|
|
26
26
|
- !ruby/object:Gem::Version
|
|
27
|
-
version: 0.
|
|
27
|
+
version: 0.5.1
|
|
28
28
|
- !ruby/object:Gem::Dependency
|
|
29
29
|
name: jwt
|
|
30
30
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -67,6 +67,7 @@ files:
|
|
|
67
67
|
- lib/udap_security_test_kit/dynamic_client_registration_group.rb
|
|
68
68
|
- lib/udap_security_test_kit/generate_client_certs_test.rb
|
|
69
69
|
- lib/udap_security_test_kit/grant_types_supported_field_test.rb
|
|
70
|
+
- lib/udap_security_test_kit/redirect_uri.rb
|
|
70
71
|
- lib/udap_security_test_kit/reg_endpoint_jwt_signing_alg_values_supported_field_test.rb
|
|
71
72
|
- lib/udap_security_test_kit/registration_endpoint_field_test.rb
|
|
72
73
|
- lib/udap_security_test_kit/registration_failure_invalid_contents_test.rb
|
|
@@ -117,7 +118,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
117
118
|
- !ruby/object:Gem::Version
|
|
118
119
|
version: '0'
|
|
119
120
|
requirements: []
|
|
120
|
-
rubygems_version: 3.
|
|
121
|
+
rubygems_version: 3.3.7
|
|
121
122
|
signing_key:
|
|
122
123
|
specification_version: 4
|
|
123
124
|
summary: UDAP Security IG Test Kit
|