RubyGems - udap_security_test_kit - Versions diffs - 0.10.0 → 0.10.1 - Mend

udap_security_test_kit 0.10.0 → 0.10.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: be592aff3162a459764f09b857cf2d786e141b8a46698f061db3ac4aa682d92e
-  data.tar.gz: 64288629f38cd38f6021fc67c043810a13f8011428e8300ff586babea2ea3b46
+  metadata.gz: 43c8eabf008e3dd76265b3e455a80e27f2af665548319c7b3f8c565daf71a3d4
+  data.tar.gz: ed6ed1097c0fc02baf51392df43875ac4974dbdb49e494b5eee0595fd33dcf0e
 SHA512:
-  metadata.gz: da5963362a0b8f9151bf8419461da4f465590e9a58283eb4a67a0ad310d8d3242dfd5a3f25314ee710277e17b4cd67dad00b2a9b5f4aca333f9e9db47eec2161
-  data.tar.gz: 1c9ce32de1da555027de8b1b01db398e93b7397a87270de3fcb02a36b54eb0da8398f84a8d467d91239c694cb20c6a7bc1134ebd91d463134b931546e429d99b
+  metadata.gz: 3433cf5e7929b434de4bff0b999b455c9dd0d9fb407d0574b592ce3921ec7037cd0cf9be598319b6fdeca648d887033d842c20845ff09de0e8046ed533e4b9c8
+  data.tar.gz: 6437f00f2ceb182e454a41d5555284bb516d763cba8c2684d39dc7dcb0f7252c8a50b3f70f3c2753df75a98e72cb7a348199d42a4e6d24c994abbbb61c39bb65

data/lib/udap_security_test_kit/authorization_code_redirect_test.rb CHANGED Viewed

@@ -1,3 +1,4 @@
+require_relative '../udap_security_test_kit'
 module UDAPSecurityTestKit
   class AuthorizationCodeRedirectTest < Inferno::Test
     title 'Authorization server redirects client to redirect URI'
@@ -20,8 +21,6 @@ module UDAPSecurityTestKit
     receives_request :redirect
-    config options: { redirect_uri: "#{Inferno::Application['base_url']}/custom/udap_security_test_kit/redirect" }
     def wait_message(auth_url)
       if config.options[:redirect_message_proc].present?
         return instance_exec(auth_url, &config.options[:redirect_message_proc])
@@ -49,6 +48,11 @@ module UDAPSecurityTestKit
     end
     run do
+      assert_valid_http_uri(
+        udap_authorization_endpoint,
+        "UDAP authorization endpoint '#{udap_authorization_endpoint}' is not a valid URI"
+      )
       output udap_authorization_code_state: SecureRandom.uuid
       oauth2_params = {

data/lib/udap_security_test_kit/authorization_code_token_exchange_test.rb CHANGED Viewed

@@ -62,8 +62,6 @@ module UDAPSecurityTestKit
     makes_request :token_exchange
-    config options: { redirect_uri: "#{Inferno::Application['base_url']}/custom/udap_security_test_kit/redirect" }
     run do
       client_assertion_payload = UDAPClientAssertionPayloadBuilder.build(
         udap_client_id,

data/lib/udap_security_test_kit/redirect_uri.rb ADDED Viewed

@@ -0,0 +1,3 @@
+module UDAPSecurityTestKit
+  UDAP_REDIRECT_URI = "#{Inferno::Application['base_url']}/custom/udap_security/redirect".freeze
+end

data/lib/udap_security_test_kit/registration_success_contents_test.rb CHANGED Viewed

@@ -15,14 +15,25 @@ module UDAPSecurityTestKit
       > use by the Client App, the software statement as submitted by the Client App, and all of the registration
       > related parameters that were included in the software statement.
+      [UDAP STU 1.1](https://hl7.org/fhir/us/udap-security/STU1.1/registration.html#request-body) clarifies that,
+      in accordance with [Section 3.2.1 of RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.1):
+        > The authorization server MAY reject or replace any of the client's requested metadata values submitted during
+        > the registration and substitute them with suitable values.
       This test verifies:
-      - `client_id` claim is included in the registration response and its value is not blank
-      - `software_statement` claim in the registration response matches the software statement JWT provided in the
-      original registration request
-      - The registration response includes claims for `client_name`, `grant_types`, `token_endpoint_auth_method`, and
-      `scope`, whose values match those in the originally submitted software statement
-      - If the registered grant type is `authorization_code`, then the response includes claims for `redirect_uris` and
-      `response_type` whose values match those in the originally submitted software statement
+      - `client_id` claim is present in the registration response and its value is not blank.
+      - `scope` and `client_name` claims are present in the registration response and their values are not blank.
+      - `software_statement`, `grant_types`, and `token_endpoint_auth_method` claims are present in the registration
+      response and their values match those in the originally submitted software statement.
+      - If the registered grant type is `authorization_code`, then the `redirect_uris` and `response_type` claims are
+      present in the registration response and their values match in the originally submitted software statement.
+      In order for downstream tests to succeed, it is
+      essential that the client and server are in agreement on the values of most of the software statement
+      parameters. The exception is `client_name`, which does not impact behavior. For this reason, an exact match
+      between the request and response values for `client_name` is not required.
+      Additionally, an exact match between `scope` request and response value is also not required because the
+      authorization server may grant different scopes than those orignally requested by the client.
     )
     input :udap_software_statement_json

data/lib/udap_security_test_kit/software_statement_builder.rb CHANGED Viewed

@@ -1,10 +1,11 @@
 require 'jwt'
+require_relative 'redirect_uri'
 module UDAPSecurityTestKit
   class SoftwareStatementBuilder
     def self.build_payload(iss, aud, grant_type, scope)
       if grant_type == 'authorization_code'
-        redirect_uris = ["#{Inferno::Application['base_url']}/custom/udap_security_test_kit/redirect"]
+        redirect_uris = [UDAPSecurityTestKit::UDAP_REDIRECT_URI]
         response_types = ['code']
         client_name = 'Inferno UDAP Authorization Code Test Client'
       elsif grant_type == 'client_credentials'

data/lib/udap_security_test_kit/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module UDAPSecurityTestKit
-  VERSION = '0.10.0'.freeze
+  VERSION = '0.10.1'.freeze
 end

data/lib/udap_security_test_kit.rb CHANGED Viewed

@@ -1,6 +1,7 @@
 require_relative 'udap_security_test_kit/authorization_code_group'
 require_relative 'udap_security_test_kit/client_credentials_group'
 require_relative 'udap_security_test_kit/version'
+require_relative 'udap_security_test_kit/redirect_uri'
 module UDAPSecurityTestKit
   class Suite < Inferno::TestSuite
@@ -17,7 +18,8 @@ module UDAPSecurityTestKit
       2. Dynamic Client Registration
       3. Authorization & Authentication
-      These steps are grouped by the OAuth2.0 flow being tested:
+      In this test suite, Inferno acts as a mock UDAP client to test *server conformance* to the HL7 UDAP IG. Tests are
+      grouped according to the OAuth2.0 flow used in the authorization and authentication step:
       1. Authorization Code flow, which supports
         [Consumer-Facing](https://hl7.org/fhir/us/udap-security/STU1/consumer.html) or [Business-to-Business (B2B)](https://hl7.org/fhir/us/udap-security/STU1/b2b.html)
         use cases
@@ -25,6 +27,9 @@ module UDAPSecurityTestKit
       [B2B](https://hl7.org/fhir/us/udap-security/STU1/b2b.html) use case
       Testers may test one or both flows based on their system under test.
+      This test suite does NOT assess [Tiered OAuth for User Authentication](https://hl7.org/fhir/us/udap-security/STU1/user.html)
+      (which is not a required capability) or client conformance to the HL7 UDAP IG.
     )
     input_instructions %(
@@ -57,6 +62,10 @@ module UDAPSecurityTestKit
       request.query_parameters['state']
     end
+    config options: {
+      redirect_uri: UDAPSecurityTestKit::UDAP_REDIRECT_URI
+    }
     links [
       {
         label: 'Report Issue',

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: udap_security_test_kit
 version: !ruby/object:Gem::Version
-  version: 0.10.0
+  version: 0.10.1
 platform: ruby
 authors:
 - Stephen MacVicar
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-11-04 00:00:00.000000000 Z
+date: 2024-12-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inferno_core
@@ -17,14 +17,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.4.2
+        version: 0.5.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.4.2
+        version: 0.5.1
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
@@ -67,6 +67,7 @@ files:
 - lib/udap_security_test_kit/dynamic_client_registration_group.rb
 - lib/udap_security_test_kit/generate_client_certs_test.rb
 - lib/udap_security_test_kit/grant_types_supported_field_test.rb
+- lib/udap_security_test_kit/redirect_uri.rb
 - lib/udap_security_test_kit/reg_endpoint_jwt_signing_alg_values_supported_field_test.rb
 - lib/udap_security_test_kit/registration_endpoint_field_test.rb
 - lib/udap_security_test_kit/registration_failure_invalid_contents_test.rb