udap_security_test_kit 0.10.0 → 0.10.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: be592aff3162a459764f09b857cf2d786e141b8a46698f061db3ac4aa682d92e
4
- data.tar.gz: 64288629f38cd38f6021fc67c043810a13f8011428e8300ff586babea2ea3b46
3
+ metadata.gz: 43c8eabf008e3dd76265b3e455a80e27f2af665548319c7b3f8c565daf71a3d4
4
+ data.tar.gz: ed6ed1097c0fc02baf51392df43875ac4974dbdb49e494b5eee0595fd33dcf0e
5
5
  SHA512:
6
- metadata.gz: da5963362a0b8f9151bf8419461da4f465590e9a58283eb4a67a0ad310d8d3242dfd5a3f25314ee710277e17b4cd67dad00b2a9b5f4aca333f9e9db47eec2161
7
- data.tar.gz: 1c9ce32de1da555027de8b1b01db398e93b7397a87270de3fcb02a36b54eb0da8398f84a8d467d91239c694cb20c6a7bc1134ebd91d463134b931546e429d99b
6
+ metadata.gz: 3433cf5e7929b434de4bff0b999b455c9dd0d9fb407d0574b592ce3921ec7037cd0cf9be598319b6fdeca648d887033d842c20845ff09de0e8046ed533e4b9c8
7
+ data.tar.gz: 6437f00f2ceb182e454a41d5555284bb516d763cba8c2684d39dc7dcb0f7252c8a50b3f70f3c2753df75a98e72cb7a348199d42a4e6d24c994abbbb61c39bb65
@@ -1,3 +1,4 @@
1
+ require_relative '../udap_security_test_kit'
1
2
  module UDAPSecurityTestKit
2
3
  class AuthorizationCodeRedirectTest < Inferno::Test
3
4
  title 'Authorization server redirects client to redirect URI'
@@ -20,8 +21,6 @@ module UDAPSecurityTestKit
20
21
 
21
22
  receives_request :redirect
22
23
 
23
- config options: { redirect_uri: "#{Inferno::Application['base_url']}/custom/udap_security_test_kit/redirect" }
24
-
25
24
  def wait_message(auth_url)
26
25
  if config.options[:redirect_message_proc].present?
27
26
  return instance_exec(auth_url, &config.options[:redirect_message_proc])
@@ -49,6 +48,11 @@ module UDAPSecurityTestKit
49
48
  end
50
49
 
51
50
  run do
51
+ assert_valid_http_uri(
52
+ udap_authorization_endpoint,
53
+ "UDAP authorization endpoint '#{udap_authorization_endpoint}' is not a valid URI"
54
+ )
55
+
52
56
  output udap_authorization_code_state: SecureRandom.uuid
53
57
 
54
58
  oauth2_params = {
@@ -62,8 +62,6 @@ module UDAPSecurityTestKit
62
62
 
63
63
  makes_request :token_exchange
64
64
 
65
- config options: { redirect_uri: "#{Inferno::Application['base_url']}/custom/udap_security_test_kit/redirect" }
66
-
67
65
  run do
68
66
  client_assertion_payload = UDAPClientAssertionPayloadBuilder.build(
69
67
  udap_client_id,
@@ -0,0 +1,3 @@
1
+ module UDAPSecurityTestKit
2
+ UDAP_REDIRECT_URI = "#{Inferno::Application['base_url']}/custom/udap_security/redirect".freeze
3
+ end
@@ -15,14 +15,25 @@ module UDAPSecurityTestKit
15
15
  > use by the Client App, the software statement as submitted by the Client App, and all of the registration
16
16
  > related parameters that were included in the software statement.
17
17
 
18
+ [UDAP STU 1.1](https://hl7.org/fhir/us/udap-security/STU1.1/registration.html#request-body) clarifies that,
19
+ in accordance with [Section 3.2.1 of RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.1):
20
+ > The authorization server MAY reject or replace any of the client's requested metadata values submitted during
21
+ > the registration and substitute them with suitable values.
22
+
18
23
  This test verifies:
19
- - `client_id` claim is included in the registration response and its value is not blank
20
- - `software_statement` claim in the registration response matches the software statement JWT provided in the
21
- original registration request
22
- - The registration response includes claims for `client_name`, `grant_types`, `token_endpoint_auth_method`, and
23
- `scope`, whose values match those in the originally submitted software statement
24
- - If the registered grant type is `authorization_code`, then the response includes claims for `redirect_uris` and
25
- `response_type` whose values match those in the originally submitted software statement
24
+ - `client_id` claim is present in the registration response and its value is not blank.
25
+ - `scope` and `client_name` claims are present in the registration response and their values are not blank.
26
+ - `software_statement`, `grant_types`, and `token_endpoint_auth_method` claims are present in the registration
27
+ response and their values match those in the originally submitted software statement.
28
+ - If the registered grant type is `authorization_code`, then the `redirect_uris` and `response_type` claims are
29
+ present in the registration response and their values match in the originally submitted software statement.
30
+
31
+ In order for downstream tests to succeed, it is
32
+ essential that the client and server are in agreement on the values of most of the software statement
33
+ parameters. The exception is `client_name`, which does not impact behavior. For this reason, an exact match
34
+ between the request and response values for `client_name` is not required.
35
+ Additionally, an exact match between `scope` request and response value is also not required because the
36
+ authorization server may grant different scopes than those orignally requested by the client.
26
37
  )
27
38
 
28
39
  input :udap_software_statement_json
@@ -1,10 +1,11 @@
1
1
  require 'jwt'
2
+ require_relative 'redirect_uri'
2
3
 
3
4
  module UDAPSecurityTestKit
4
5
  class SoftwareStatementBuilder
5
6
  def self.build_payload(iss, aud, grant_type, scope)
6
7
  if grant_type == 'authorization_code'
7
- redirect_uris = ["#{Inferno::Application['base_url']}/custom/udap_security_test_kit/redirect"]
8
+ redirect_uris = [UDAPSecurityTestKit::UDAP_REDIRECT_URI]
8
9
  response_types = ['code']
9
10
  client_name = 'Inferno UDAP Authorization Code Test Client'
10
11
  elsif grant_type == 'client_credentials'
@@ -1,3 +1,3 @@
1
1
  module UDAPSecurityTestKit
2
- VERSION = '0.10.0'.freeze
2
+ VERSION = '0.10.1'.freeze
3
3
  end
@@ -1,6 +1,7 @@
1
1
  require_relative 'udap_security_test_kit/authorization_code_group'
2
2
  require_relative 'udap_security_test_kit/client_credentials_group'
3
3
  require_relative 'udap_security_test_kit/version'
4
+ require_relative 'udap_security_test_kit/redirect_uri'
4
5
 
5
6
  module UDAPSecurityTestKit
6
7
  class Suite < Inferno::TestSuite
@@ -17,7 +18,8 @@ module UDAPSecurityTestKit
17
18
  2. Dynamic Client Registration
18
19
  3. Authorization & Authentication
19
20
 
20
- These steps are grouped by the OAuth2.0 flow being tested:
21
+ In this test suite, Inferno acts as a mock UDAP client to test *server conformance* to the HL7 UDAP IG. Tests are
22
+ grouped according to the OAuth2.0 flow used in the authorization and authentication step:
21
23
  1. Authorization Code flow, which supports
22
24
  [Consumer-Facing](https://hl7.org/fhir/us/udap-security/STU1/consumer.html) or [Business-to-Business (B2B)](https://hl7.org/fhir/us/udap-security/STU1/b2b.html)
23
25
  use cases
@@ -25,6 +27,9 @@ module UDAPSecurityTestKit
25
27
  [B2B](https://hl7.org/fhir/us/udap-security/STU1/b2b.html) use case
26
28
 
27
29
  Testers may test one or both flows based on their system under test.
30
+
31
+ This test suite does NOT assess [Tiered OAuth for User Authentication](https://hl7.org/fhir/us/udap-security/STU1/user.html)
32
+ (which is not a required capability) or client conformance to the HL7 UDAP IG.
28
33
  )
29
34
 
30
35
  input_instructions %(
@@ -57,6 +62,10 @@ module UDAPSecurityTestKit
57
62
  request.query_parameters['state']
58
63
  end
59
64
 
65
+ config options: {
66
+ redirect_uri: UDAPSecurityTestKit::UDAP_REDIRECT_URI
67
+ }
68
+
60
69
  links [
61
70
  {
62
71
  label: 'Report Issue',
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: udap_security_test_kit
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.10.0
4
+ version: 0.10.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Stephen MacVicar
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2024-11-04 00:00:00.000000000 Z
12
+ date: 2024-12-06 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: inferno_core
@@ -17,14 +17,14 @@ dependencies:
17
17
  requirements:
18
18
  - - ">="
19
19
  - !ruby/object:Gem::Version
20
- version: 0.4.2
20
+ version: 0.5.1
21
21
  type: :runtime
22
22
  prerelease: false
23
23
  version_requirements: !ruby/object:Gem::Requirement
24
24
  requirements:
25
25
  - - ">="
26
26
  - !ruby/object:Gem::Version
27
- version: 0.4.2
27
+ version: 0.5.1
28
28
  - !ruby/object:Gem::Dependency
29
29
  name: jwt
30
30
  requirement: !ruby/object:Gem::Requirement
@@ -67,6 +67,7 @@ files:
67
67
  - lib/udap_security_test_kit/dynamic_client_registration_group.rb
68
68
  - lib/udap_security_test_kit/generate_client_certs_test.rb
69
69
  - lib/udap_security_test_kit/grant_types_supported_field_test.rb
70
+ - lib/udap_security_test_kit/redirect_uri.rb
70
71
  - lib/udap_security_test_kit/reg_endpoint_jwt_signing_alg_values_supported_field_test.rb
71
72
  - lib/udap_security_test_kit/registration_endpoint_field_test.rb
72
73
  - lib/udap_security_test_kit/registration_failure_invalid_contents_test.rb