udap_security_test_kit 0.9.2 → 0.10.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/udap_security_test_kit/authorization_code_authentication_group.rb +17 -3
- data/lib/udap_security_test_kit/authorization_code_group.rb +15 -15
- data/lib/udap_security_test_kit/authorization_code_redirect_test.rb +6 -2
- data/lib/udap_security_test_kit/authorization_code_token_exchange_test.rb +9 -10
- data/lib/udap_security_test_kit/client_credentials_authentication_group.rb +17 -3
- data/lib/udap_security_test_kit/client_credentials_group.rb +12 -12
- data/lib/udap_security_test_kit/client_credentials_token_exchange_test.rb +9 -8
- data/lib/udap_security_test_kit/redirect_uri.rb +3 -0
- data/lib/udap_security_test_kit/registration_success_contents_test.rb +27 -9
- data/lib/udap_security_test_kit/software_statement_builder.rb +2 -1
- data/lib/udap_security_test_kit/token_exchange_response_body_test.rb +10 -0
- data/lib/udap_security_test_kit/version.rb +1 -1
- data/lib/udap_security_test_kit.rb +10 -1
- metadata +6 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 43c8eabf008e3dd76265b3e455a80e27f2af665548319c7b3f8c565daf71a3d4
|
|
4
|
+
data.tar.gz: ed6ed1097c0fc02baf51392df43875ac4974dbdb49e494b5eee0595fd33dcf0e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3433cf5e7929b434de4bff0b999b455c9dd0d9fb407d0574b592ce3921ec7037cd0cf9be598319b6fdeca648d887033d842c20845ff09de0e8046ed533e4b9c8
|
|
7
|
+
data.tar.gz: 6437f00f2ceb182e454a41d5555284bb516d763cba8c2684d39dc7dcb0f7252c8a50b3f70f3c2753df75a98e72cb7a348199d42a4e6d24c994abbbb61c39bb65
|
|
@@ -20,7 +20,7 @@ module UDAPSecurityTestKit
|
|
|
20
20
|
config: {
|
|
21
21
|
requests: {
|
|
22
22
|
token_exchange: {
|
|
23
|
-
name: :
|
|
23
|
+
name: :udap_auth_code_flow_token_exchange
|
|
24
24
|
}
|
|
25
25
|
}
|
|
26
26
|
}
|
|
@@ -28,7 +28,21 @@ module UDAPSecurityTestKit
|
|
|
28
28
|
config: {
|
|
29
29
|
inputs: {
|
|
30
30
|
token_response_body: {
|
|
31
|
-
name: :
|
|
31
|
+
name: :udap_auth_code_flow_token_exchange_response_body
|
|
32
|
+
}
|
|
33
|
+
},
|
|
34
|
+
outputs: {
|
|
35
|
+
udap_access_token: {
|
|
36
|
+
name: :udap_auth_code_flow_access_token
|
|
37
|
+
},
|
|
38
|
+
udap_expires_in: {
|
|
39
|
+
name: :udap_auth_code_flow_expires_in
|
|
40
|
+
},
|
|
41
|
+
udap_received_scopes: {
|
|
42
|
+
name: :udap_auth_code_flow_received_scopes
|
|
43
|
+
},
|
|
44
|
+
udap_refresh_token: {
|
|
45
|
+
name: :udap_auth_code_flow_refresh_token
|
|
32
46
|
}
|
|
33
47
|
}
|
|
34
48
|
}
|
|
@@ -36,7 +50,7 @@ module UDAPSecurityTestKit
|
|
|
36
50
|
config: {
|
|
37
51
|
requests: {
|
|
38
52
|
token_exchange: {
|
|
39
|
-
name: :
|
|
53
|
+
name: :udap_auth_code_flow_token_exchange
|
|
40
54
|
}
|
|
41
55
|
}
|
|
42
56
|
}
|
|
@@ -45,24 +45,24 @@ module UDAPSecurityTestKit
|
|
|
45
45
|
config: {
|
|
46
46
|
inputs: {
|
|
47
47
|
udap_registration_grant_type: {
|
|
48
|
-
name: :
|
|
48
|
+
name: :udap_auth_code_flow_registration_grant_type,
|
|
49
49
|
default: 'authorization_code',
|
|
50
50
|
locked: true
|
|
51
51
|
},
|
|
52
52
|
udap_client_cert_pem: {
|
|
53
|
-
name: :
|
|
53
|
+
name: :udap_auth_code_flow_client_cert_pem,
|
|
54
54
|
title: 'Authorization Code Client Certificate(s) (PEM Format)'
|
|
55
55
|
},
|
|
56
56
|
udap_client_private_key_pem: {
|
|
57
|
-
name: :
|
|
57
|
+
name: :udap_auth_code_flow_client_private_key,
|
|
58
58
|
title: 'Authorization Code Client Private Key (PEM Format)'
|
|
59
59
|
},
|
|
60
60
|
udap_cert_iss: {
|
|
61
|
-
name: :
|
|
61
|
+
name: :udap_auth_code_flow_cert_iss,
|
|
62
62
|
title: 'Authorization Code JWT Issuer (iss) Claim'
|
|
63
63
|
},
|
|
64
64
|
udap_registration_requested_scope: {
|
|
65
|
-
name: :
|
|
65
|
+
name: :udap_auth_code_flow_registration_scope,
|
|
66
66
|
title: 'Authorization Code Registration Requested Scope(s)',
|
|
67
67
|
description: %(
|
|
68
68
|
String containing a space delimited list of scopes requested by the client application for use in
|
|
@@ -72,29 +72,29 @@ module UDAPSecurityTestKit
|
|
|
72
72
|
)
|
|
73
73
|
},
|
|
74
74
|
udap_registration_certifications: {
|
|
75
|
-
name: :
|
|
75
|
+
name: :udap_auth_code_flow_registration_certifications,
|
|
76
76
|
title: 'Authorization Code UDAP Registration Certifications'
|
|
77
77
|
}
|
|
78
78
|
},
|
|
79
79
|
outputs: {
|
|
80
80
|
udap_client_cert_pem: {
|
|
81
|
-
name: :
|
|
81
|
+
name: :udap_auth_code_flow_client_cert_pem
|
|
82
82
|
},
|
|
83
83
|
udap_client_private_key_pem: {
|
|
84
|
-
name: :
|
|
84
|
+
name: :udap_auth_code_flow_client_private_key
|
|
85
85
|
},
|
|
86
86
|
udap_cert_iss: {
|
|
87
|
-
name: :
|
|
87
|
+
name: :udap_auth_code_flow_cert_iss
|
|
88
88
|
}
|
|
89
89
|
}
|
|
90
90
|
} do
|
|
91
91
|
input_order :udap_registration_endpoint,
|
|
92
|
-
:
|
|
93
|
-
:
|
|
94
|
-
:
|
|
95
|
-
:
|
|
96
|
-
:
|
|
97
|
-
:udap_jwt_signing_alg, :
|
|
92
|
+
:udap_auth_code_flow_registration_grant_type,
|
|
93
|
+
:udap_auth_code_flow_client_cert_pem,
|
|
94
|
+
:udap_auth_code_flow_client_private_key,
|
|
95
|
+
:udap_auth_code_flow_cert_iss,
|
|
96
|
+
:udap_auth_code_flow_registration_scope,
|
|
97
|
+
:udap_jwt_signing_alg, :udap_auth_code_flow_registration_certifications
|
|
98
98
|
end
|
|
99
99
|
|
|
100
100
|
group from: :udap_authorization_code_authentication_group,
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
require_relative '../udap_security_test_kit'
|
|
1
2
|
module UDAPSecurityTestKit
|
|
2
3
|
class AuthorizationCodeRedirectTest < Inferno::Test
|
|
3
4
|
title 'Authorization server redirects client to redirect URI'
|
|
@@ -20,8 +21,6 @@ module UDAPSecurityTestKit
|
|
|
20
21
|
|
|
21
22
|
receives_request :redirect
|
|
22
23
|
|
|
23
|
-
config options: { redirect_uri: "#{Inferno::Application['base_url']}/custom/udap_security_test_kit/redirect" }
|
|
24
|
-
|
|
25
24
|
def wait_message(auth_url)
|
|
26
25
|
if config.options[:redirect_message_proc].present?
|
|
27
26
|
return instance_exec(auth_url, &config.options[:redirect_message_proc])
|
|
@@ -49,6 +48,11 @@ module UDAPSecurityTestKit
|
|
|
49
48
|
end
|
|
50
49
|
|
|
51
50
|
run do
|
|
51
|
+
assert_valid_http_uri(
|
|
52
|
+
udap_authorization_endpoint,
|
|
53
|
+
"UDAP authorization endpoint '#{udap_authorization_endpoint}' is not a valid URI"
|
|
54
|
+
)
|
|
55
|
+
|
|
52
56
|
output udap_authorization_code_state: SecureRandom.uuid
|
|
53
57
|
|
|
54
58
|
oauth2_params = {
|
|
@@ -23,7 +23,7 @@ module UDAPSecurityTestKit
|
|
|
23
23
|
title: 'Token Endpoint',
|
|
24
24
|
description: 'The full URL from which Inferno will request an access token'
|
|
25
25
|
|
|
26
|
-
input :
|
|
26
|
+
input :udap_auth_code_flow_client_cert_pem,
|
|
27
27
|
title: 'X.509 Client Certificate (PEM Format)',
|
|
28
28
|
type: 'textarea',
|
|
29
29
|
description: %(
|
|
@@ -34,7 +34,7 @@ module UDAPSecurityTestKit
|
|
|
34
34
|
authorization server under test.
|
|
35
35
|
)
|
|
36
36
|
|
|
37
|
-
input :
|
|
37
|
+
input :udap_auth_code_flow_client_private_key,
|
|
38
38
|
type: 'textarea',
|
|
39
39
|
title: 'Client Private Key (PEM Format)',
|
|
40
40
|
description: 'The private key corresponding to the X.509 client certificate'
|
|
@@ -57,11 +57,10 @@ module UDAPSecurityTestKit
|
|
|
57
57
|
default: 'RS256',
|
|
58
58
|
locked: true
|
|
59
59
|
|
|
60
|
-
output :
|
|
61
|
-
|
|
62
|
-
makes_request :token_exchange
|
|
60
|
+
output :udap_auth_code_flow_token_retrieval_time,
|
|
61
|
+
:udap_auth_code_flow_token_exchange_response_body
|
|
63
62
|
|
|
64
|
-
|
|
63
|
+
makes_request :token_exchange
|
|
65
64
|
|
|
66
65
|
run do
|
|
67
66
|
client_assertion_payload = UDAPClientAssertionPayloadBuilder.build(
|
|
@@ -70,11 +69,11 @@ module UDAPSecurityTestKit
|
|
|
70
69
|
nil
|
|
71
70
|
)
|
|
72
71
|
|
|
73
|
-
x5c_certs = UDAPJWTBuilder.split_user_input_cert_string(
|
|
72
|
+
x5c_certs = UDAPJWTBuilder.split_user_input_cert_string(udap_auth_code_flow_client_cert_pem)
|
|
74
73
|
|
|
75
74
|
client_assertion_jwt = UDAPJWTBuilder.encode_jwt_with_x5c_header(
|
|
76
75
|
client_assertion_payload,
|
|
77
|
-
|
|
76
|
+
udap_auth_code_flow_client_private_key,
|
|
78
77
|
udap_jwt_signing_alg,
|
|
79
78
|
x5c_certs
|
|
80
79
|
)
|
|
@@ -95,9 +94,9 @@ module UDAPSecurityTestKit
|
|
|
95
94
|
assert_response_status(200)
|
|
96
95
|
assert_valid_json(request.response_body)
|
|
97
96
|
|
|
98
|
-
output
|
|
97
|
+
output udap_auth_code_flow_token_retrieval_time: Time.now.iso8601
|
|
99
98
|
|
|
100
|
-
output
|
|
99
|
+
output udap_auth_code_flow_token_exchange_response_body: request.response_body
|
|
101
100
|
end
|
|
102
101
|
end
|
|
103
102
|
end
|
|
@@ -16,7 +16,7 @@ module UDAPSecurityTestKit
|
|
|
16
16
|
config: {
|
|
17
17
|
requests: {
|
|
18
18
|
token_exchange: {
|
|
19
|
-
name: :
|
|
19
|
+
name: :udap_client_credentials_flow_token_exchange
|
|
20
20
|
}
|
|
21
21
|
}
|
|
22
22
|
}
|
|
@@ -24,7 +24,21 @@ module UDAPSecurityTestKit
|
|
|
24
24
|
config: {
|
|
25
25
|
inputs: {
|
|
26
26
|
token_response_body: {
|
|
27
|
-
name: :
|
|
27
|
+
name: :udap_client_credentials_flow_token_exchange_response_body
|
|
28
|
+
}
|
|
29
|
+
},
|
|
30
|
+
outputs: {
|
|
31
|
+
udap_access_token: {
|
|
32
|
+
name: :udap_client_credentials_flow_access_token
|
|
33
|
+
},
|
|
34
|
+
udap_expires_in: {
|
|
35
|
+
name: :udap_client_credentials_flow_expires_in
|
|
36
|
+
},
|
|
37
|
+
udap_received_scopes: {
|
|
38
|
+
name: :udap_client_credentials_flow_received_scopes
|
|
39
|
+
},
|
|
40
|
+
udap_refresh_token: {
|
|
41
|
+
name: :udap_client_credentials_flow_refresh_token
|
|
28
42
|
}
|
|
29
43
|
}
|
|
30
44
|
}
|
|
@@ -32,7 +46,7 @@ module UDAPSecurityTestKit
|
|
|
32
46
|
config: {
|
|
33
47
|
requests: {
|
|
34
48
|
token_exchange: {
|
|
35
|
-
name: :
|
|
49
|
+
name: :udap_client_credentials_flow_token_exchange
|
|
36
50
|
}
|
|
37
51
|
}
|
|
38
52
|
}
|
|
@@ -47,16 +47,16 @@ module UDAPSecurityTestKit
|
|
|
47
47
|
config: {
|
|
48
48
|
inputs: {
|
|
49
49
|
udap_registration_grant_type: {
|
|
50
|
-
name: :
|
|
50
|
+
name: :udap_client_credentials_flow_registration_grant_type,
|
|
51
51
|
default: 'client_credentials',
|
|
52
52
|
locked: true
|
|
53
53
|
},
|
|
54
54
|
udap_client_cert_pem: {
|
|
55
|
-
name: :
|
|
55
|
+
name: :udap_client_credentials_flow_client_cert_pem,
|
|
56
56
|
title: 'Client Credentials Client Certificate(s) (PEM Format)'
|
|
57
57
|
},
|
|
58
58
|
udap_client_private_key_pem: {
|
|
59
|
-
name: :
|
|
59
|
+
name: :udap_client_credentials_flow_client_private_key,
|
|
60
60
|
title: 'Client Credentials Client Private Key (PEM Format)'
|
|
61
61
|
},
|
|
62
62
|
udap_cert_iss: {
|
|
@@ -64,7 +64,7 @@ module UDAPSecurityTestKit
|
|
|
64
64
|
title: 'Client Credentials JWT Issuer (iss) Claim'
|
|
65
65
|
},
|
|
66
66
|
udap_registration_requested_scope: {
|
|
67
|
-
name: :
|
|
67
|
+
name: :udap_client_credentials_flow_registration_scope,
|
|
68
68
|
title: 'Client Credentials Registration Requested Scope(s)',
|
|
69
69
|
description: %(
|
|
70
70
|
String containing a space delimited list of scopes requested by the client application for use in
|
|
@@ -74,16 +74,16 @@ module UDAPSecurityTestKit
|
|
|
74
74
|
)
|
|
75
75
|
},
|
|
76
76
|
udap_registration_certifications: {
|
|
77
|
-
name: :
|
|
77
|
+
name: :udap_client_creds_flow_registration_certifications,
|
|
78
78
|
title: 'Client Credentials UDAP Registration Certifications'
|
|
79
79
|
}
|
|
80
80
|
},
|
|
81
81
|
outputs: {
|
|
82
82
|
udap_client_cert_pem: {
|
|
83
|
-
name: :
|
|
83
|
+
name: :udap_client_credentials_flow_client_cert_pem
|
|
84
84
|
},
|
|
85
85
|
udap_client_private_key_pem: {
|
|
86
|
-
name: :
|
|
86
|
+
name: :udap_client_credentials_flow_client_private_key
|
|
87
87
|
},
|
|
88
88
|
udap_cert_iss: {
|
|
89
89
|
name: :udap_cert_iss_client_creds_flow
|
|
@@ -91,12 +91,12 @@ module UDAPSecurityTestKit
|
|
|
91
91
|
}
|
|
92
92
|
} do
|
|
93
93
|
input_order :udap_registration_endpoint,
|
|
94
|
-
:
|
|
95
|
-
:
|
|
96
|
-
:
|
|
94
|
+
:udap_client_credentials_flow_registration_grant_type,
|
|
95
|
+
:udap_client_credentials_flow_client_cert_pem,
|
|
96
|
+
:udap_client_credentials_flow_client_private_key,
|
|
97
97
|
:udap_cert_iss_client_creds_flow,
|
|
98
|
-
:
|
|
99
|
-
:udap_jwt_signing_alg, :
|
|
98
|
+
:udap_client_credentials_flow_registration_scope,
|
|
99
|
+
:udap_jwt_signing_alg, :udap_client_creds_flow_registration_certifications
|
|
100
100
|
end
|
|
101
101
|
|
|
102
102
|
group from: :udap_client_credentials_authentication_group,
|
|
@@ -38,7 +38,7 @@ module UDAPSecurityTestKit
|
|
|
38
38
|
title: 'Token Endpoint',
|
|
39
39
|
description: 'The full URL from which Inferno will request an access token'
|
|
40
40
|
|
|
41
|
-
input :
|
|
41
|
+
input :udap_client_credentials_flow_client_cert_pem,
|
|
42
42
|
title: 'X.509 Client Certificate(s) (PEM Format)',
|
|
43
43
|
type: 'textarea',
|
|
44
44
|
description: %(
|
|
@@ -48,7 +48,7 @@ module UDAPSecurityTestKit
|
|
|
48
48
|
authorization server under test.
|
|
49
49
|
)
|
|
50
50
|
|
|
51
|
-
input :
|
|
51
|
+
input :udap_client_credentials_flow_client_private_key,
|
|
52
52
|
type: 'textarea',
|
|
53
53
|
title: 'Client Private Key (PEM Format)',
|
|
54
54
|
description: 'The private key corresponding to the X.509 client certificate'
|
|
@@ -71,8 +71,9 @@ module UDAPSecurityTestKit
|
|
|
71
71
|
default: 'RS256',
|
|
72
72
|
locked: true
|
|
73
73
|
|
|
74
|
-
output :
|
|
75
|
-
|
|
74
|
+
output :udap_client_credentials_flow_token_retrieval_time,
|
|
75
|
+
:udap_client_credentials_flow_token_exchange_response_body
|
|
76
|
+
|
|
76
77
|
makes_request :token_exchange
|
|
77
78
|
|
|
78
79
|
run do
|
|
@@ -97,12 +98,12 @@ module UDAPSecurityTestKit
|
|
|
97
98
|
)
|
|
98
99
|
|
|
99
100
|
x5c_certs = UDAPJWTBuilder.split_user_input_cert_string(
|
|
100
|
-
|
|
101
|
+
udap_client_credentials_flow_client_cert_pem
|
|
101
102
|
)
|
|
102
103
|
|
|
103
104
|
client_assertion_jwt = UDAPJWTBuilder.encode_jwt_with_x5c_header(
|
|
104
105
|
client_assertion_payload,
|
|
105
|
-
|
|
106
|
+
udap_client_credentials_flow_client_private_key,
|
|
106
107
|
udap_jwt_signing_alg,
|
|
107
108
|
x5c_certs
|
|
108
109
|
)
|
|
@@ -122,9 +123,9 @@ module UDAPSecurityTestKit
|
|
|
122
123
|
assert_response_status(200)
|
|
123
124
|
assert_valid_json(request.response_body)
|
|
124
125
|
|
|
125
|
-
output
|
|
126
|
+
output udap_client_credentials_flow_token_retrieval_time: Time.now.iso8601
|
|
126
127
|
|
|
127
|
-
output
|
|
128
|
+
output udap_client_credentials_flow_token_exchange_response_body: request.response_body
|
|
128
129
|
end
|
|
129
130
|
end
|
|
130
131
|
end
|
|
@@ -15,14 +15,25 @@ module UDAPSecurityTestKit
|
|
|
15
15
|
> use by the Client App, the software statement as submitted by the Client App, and all of the registration
|
|
16
16
|
> related parameters that were included in the software statement.
|
|
17
17
|
|
|
18
|
+
[UDAP STU 1.1](https://hl7.org/fhir/us/udap-security/STU1.1/registration.html#request-body) clarifies that,
|
|
19
|
+
in accordance with [Section 3.2.1 of RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.1):
|
|
20
|
+
> The authorization server MAY reject or replace any of the client's requested metadata values submitted during
|
|
21
|
+
> the registration and substitute them with suitable values.
|
|
22
|
+
|
|
18
23
|
This test verifies:
|
|
19
|
-
- `client_id` claim is
|
|
20
|
-
- `
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
24
|
+
- `client_id` claim is present in the registration response and its value is not blank.
|
|
25
|
+
- `scope` and `client_name` claims are present in the registration response and their values are not blank.
|
|
26
|
+
- `software_statement`, `grant_types`, and `token_endpoint_auth_method` claims are present in the registration
|
|
27
|
+
response and their values match those in the originally submitted software statement.
|
|
28
|
+
- If the registered grant type is `authorization_code`, then the `redirect_uris` and `response_type` claims are
|
|
29
|
+
present in the registration response and their values match in the originally submitted software statement.
|
|
30
|
+
|
|
31
|
+
In order for downstream tests to succeed, it is
|
|
32
|
+
essential that the client and server are in agreement on the values of most of the software statement
|
|
33
|
+
parameters. The exception is `client_name`, which does not impact behavior. For this reason, an exact match
|
|
34
|
+
between the request and response values for `client_name` is not required.
|
|
35
|
+
Additionally, an exact match between `scope` request and response value is also not required because the
|
|
36
|
+
authorization server may grant different scopes than those orignally requested by the client.
|
|
26
37
|
)
|
|
27
38
|
|
|
28
39
|
input :udap_software_statement_json
|
|
@@ -48,16 +59,23 @@ module UDAPSecurityTestKit
|
|
|
48
59
|
|
|
49
60
|
original_software_statement = JSON.parse(udap_software_statement_json)
|
|
50
61
|
|
|
51
|
-
expected_claims = ['
|
|
62
|
+
expected_claims = ['scope', 'client_name', 'grant_types', 'token_endpoint_auth_method']
|
|
52
63
|
auth_code_claims = ['redirect_uris', 'response_types']
|
|
53
64
|
|
|
65
|
+
# For this subset, authorization server may return a different value than
|
|
66
|
+
# the one originally provided in client software statement
|
|
67
|
+
mutable_claims = ['scope', 'client_name']
|
|
68
|
+
|
|
54
69
|
expected_claims.concat auth_code_claims if udap_registration_grant_type == 'authorization_code'
|
|
55
70
|
|
|
56
71
|
expected_claims.each do |claim|
|
|
57
72
|
assert registration_response.key?(claim), "Successful registration response must include #{claim} claim"
|
|
73
|
+
assert registration_response[claim].present?, "`#{claim}` value cannot be blank"
|
|
74
|
+
next if mutable_claims.include?(claim)
|
|
75
|
+
|
|
58
76
|
assert registration_response[claim] == original_software_statement[claim],
|
|
59
77
|
"Registration response value for #{claim} does not match " \
|
|
60
|
-
'in client-submitted software statement'
|
|
78
|
+
'value in client-submitted software statement'
|
|
61
79
|
end
|
|
62
80
|
end
|
|
63
81
|
end
|
|
@@ -1,10 +1,11 @@
|
|
|
1
1
|
require 'jwt'
|
|
2
|
+
require_relative 'redirect_uri'
|
|
2
3
|
|
|
3
4
|
module UDAPSecurityTestKit
|
|
4
5
|
class SoftwareStatementBuilder
|
|
5
6
|
def self.build_payload(iss, aud, grant_type, scope)
|
|
6
7
|
if grant_type == 'authorization_code'
|
|
7
|
-
redirect_uris = [
|
|
8
|
+
redirect_uris = [UDAPSecurityTestKit::UDAP_REDIRECT_URI]
|
|
8
9
|
response_types = ['code']
|
|
9
10
|
client_name = 'Inferno UDAP Authorization Code Test Client'
|
|
10
11
|
elsif grant_type == 'client_credentials'
|
|
@@ -15,10 +15,20 @@ module UDAPSecurityTestKit
|
|
|
15
15
|
|
|
16
16
|
input :token_response_body
|
|
17
17
|
|
|
18
|
+
output :udap_access_token,
|
|
19
|
+
:udap_expires_in,
|
|
20
|
+
:udap_received_scopes,
|
|
21
|
+
:udap_refresh_token
|
|
22
|
+
|
|
18
23
|
run do
|
|
19
24
|
assert_valid_json(token_response_body)
|
|
20
25
|
token_response_body_parsed = JSON.parse(token_response_body)
|
|
21
26
|
|
|
27
|
+
output udap_access_token: token_response_body_parsed['access_token'],
|
|
28
|
+
udap_expires_in: token_response_body_parsed['expires_in'],
|
|
29
|
+
udap_received_scopes: token_response_body_parsed['scope'],
|
|
30
|
+
udap_refresh_token: token_response_body_parsed['refresh_token']
|
|
31
|
+
|
|
22
32
|
required_keys = ['access_token', 'token_type']
|
|
23
33
|
|
|
24
34
|
required_keys.each do |key|
|
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
require_relative 'udap_security_test_kit/authorization_code_group'
|
|
2
2
|
require_relative 'udap_security_test_kit/client_credentials_group'
|
|
3
3
|
require_relative 'udap_security_test_kit/version'
|
|
4
|
+
require_relative 'udap_security_test_kit/redirect_uri'
|
|
4
5
|
|
|
5
6
|
module UDAPSecurityTestKit
|
|
6
7
|
class Suite < Inferno::TestSuite
|
|
@@ -17,7 +18,8 @@ module UDAPSecurityTestKit
|
|
|
17
18
|
2. Dynamic Client Registration
|
|
18
19
|
3. Authorization & Authentication
|
|
19
20
|
|
|
20
|
-
|
|
21
|
+
In this test suite, Inferno acts as a mock UDAP client to test *server conformance* to the HL7 UDAP IG. Tests are
|
|
22
|
+
grouped according to the OAuth2.0 flow used in the authorization and authentication step:
|
|
21
23
|
1. Authorization Code flow, which supports
|
|
22
24
|
[Consumer-Facing](https://hl7.org/fhir/us/udap-security/STU1/consumer.html) or [Business-to-Business (B2B)](https://hl7.org/fhir/us/udap-security/STU1/b2b.html)
|
|
23
25
|
use cases
|
|
@@ -25,6 +27,9 @@ module UDAPSecurityTestKit
|
|
|
25
27
|
[B2B](https://hl7.org/fhir/us/udap-security/STU1/b2b.html) use case
|
|
26
28
|
|
|
27
29
|
Testers may test one or both flows based on their system under test.
|
|
30
|
+
|
|
31
|
+
This test suite does NOT assess [Tiered OAuth for User Authentication](https://hl7.org/fhir/us/udap-security/STU1/user.html)
|
|
32
|
+
(which is not a required capability) or client conformance to the HL7 UDAP IG.
|
|
28
33
|
)
|
|
29
34
|
|
|
30
35
|
input_instructions %(
|
|
@@ -57,6 +62,10 @@ module UDAPSecurityTestKit
|
|
|
57
62
|
request.query_parameters['state']
|
|
58
63
|
end
|
|
59
64
|
|
|
65
|
+
config options: {
|
|
66
|
+
redirect_uri: UDAPSecurityTestKit::UDAP_REDIRECT_URI
|
|
67
|
+
}
|
|
68
|
+
|
|
60
69
|
links [
|
|
61
70
|
{
|
|
62
71
|
label: 'Report Issue',
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: udap_security_test_kit
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.10.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Stephen MacVicar
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2024-
|
|
12
|
+
date: 2024-12-06 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: inferno_core
|
|
@@ -17,14 +17,14 @@ dependencies:
|
|
|
17
17
|
requirements:
|
|
18
18
|
- - ">="
|
|
19
19
|
- !ruby/object:Gem::Version
|
|
20
|
-
version: 0.
|
|
20
|
+
version: 0.5.1
|
|
21
21
|
type: :runtime
|
|
22
22
|
prerelease: false
|
|
23
23
|
version_requirements: !ruby/object:Gem::Requirement
|
|
24
24
|
requirements:
|
|
25
25
|
- - ">="
|
|
26
26
|
- !ruby/object:Gem::Version
|
|
27
|
-
version: 0.
|
|
27
|
+
version: 0.5.1
|
|
28
28
|
- !ruby/object:Gem::Dependency
|
|
29
29
|
name: jwt
|
|
30
30
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -67,6 +67,7 @@ files:
|
|
|
67
67
|
- lib/udap_security_test_kit/dynamic_client_registration_group.rb
|
|
68
68
|
- lib/udap_security_test_kit/generate_client_certs_test.rb
|
|
69
69
|
- lib/udap_security_test_kit/grant_types_supported_field_test.rb
|
|
70
|
+
- lib/udap_security_test_kit/redirect_uri.rb
|
|
70
71
|
- lib/udap_security_test_kit/reg_endpoint_jwt_signing_alg_values_supported_field_test.rb
|
|
71
72
|
- lib/udap_security_test_kit/registration_endpoint_field_test.rb
|
|
72
73
|
- lib/udap_security_test_kit/registration_failure_invalid_contents_test.rb
|
|
@@ -117,7 +118,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
117
118
|
- !ruby/object:Gem::Version
|
|
118
119
|
version: '0'
|
|
119
120
|
requirements: []
|
|
120
|
-
rubygems_version: 3.
|
|
121
|
+
rubygems_version: 3.3.7
|
|
121
122
|
signing_key:
|
|
122
123
|
specification_version: 4
|
|
123
124
|
summary: UDAP Security IG Test Kit
|