RubyGems - udap_security_test_kit - Versions diffs - 0.10.1 → 0.10.2 - Mend

udap_security_test_kit 0.10.1 → 0.10.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 43c8eabf008e3dd76265b3e455a80e27f2af665548319c7b3f8c565daf71a3d4
-  data.tar.gz: ed6ed1097c0fc02baf51392df43875ac4974dbdb49e494b5eee0595fd33dcf0e
+  metadata.gz: 99975cd9d20b91185600d35dca498008f7bd4dc7cb1ae66eb59c572298f55ab0
+  data.tar.gz: 0ff38d8f44564d5fa998e1801f5dd9255613e7060ea78802194cdf8560c39596
 SHA512:
-  metadata.gz: 3433cf5e7929b434de4bff0b999b455c9dd0d9fb407d0574b592ce3921ec7037cd0cf9be598319b6fdeca648d887033d842c20845ff09de0e8046ed533e4b9c8
-  data.tar.gz: 6437f00f2ceb182e454a41d5555284bb516d763cba8c2684d39dc7dcb0f7252c8a50b3f70f3c2753df75a98e72cb7a348199d42a4e6d24c994abbbb61c39bb65
+  metadata.gz: 456628c19deb09f55ab5494e719d0045ea8a19ed93e314a4e75810d688e8f0d18acb1bf1c2261750b03bd6e1128720d662c80802686ddb4cd4a2e52e40868136
+  data.tar.gz: 9a60fd1649675528705afe7a52f3d9057f411001fee1d641e9fffbd0995aad6ea6395dcb5a1d1e9ba6cd215fc5569cc78779663df479f5d67e967b66262c195c

data/lib/udap_security_test_kit/authorization_code_group.rb CHANGED Viewed

@@ -49,6 +49,9 @@ module UDAPSecurityTestKit
                 default: 'authorization_code',
                 locked: true
               },
+              udap_client_registration_status: {
+                name: :udap_auth_code_flow_client_registration_status
+              },
               udap_client_cert_pem: {
                 name: :udap_auth_code_flow_client_cert_pem,
                 title: 'Authorization Code Client Certificate(s) (PEM Format)'
@@ -90,6 +93,7 @@ module UDAPSecurityTestKit
           } do
       input_order :udap_registration_endpoint,
                   :udap_auth_code_flow_registration_grant_type,
+                  :udap_auth_code_flow_client_registration_status,
                   :udap_auth_code_flow_client_cert_pem,
                   :udap_auth_code_flow_client_private_key,
                   :udap_auth_code_flow_cert_iss,

data/lib/udap_security_test_kit/authorization_code_redirect_test.rb CHANGED Viewed

@@ -9,6 +9,10 @@ module UDAPSecurityTestKit
         the provided client redirection URI using an HTTP redirection response.
       )
+    input :udap_fhir_base_url,
+          title: 'FHIR Server Base URL',
+          description: 'Base FHIR URL of FHIR Server.'
     input :udap_authorization_endpoint,
           title: 'Authorization Endpoint',
           description: 'The full URL from which Inferno will request an authorization code.'
@@ -17,7 +21,34 @@ module UDAPSecurityTestKit
           title: 'Client ID',
           description: 'Client ID as registered with the authorization server.'
+    input :udap_authorization_code_request_scopes,
+          title: 'Scope Parameter for Authorization Request',
+          description: %(
+              A list of space-separated scopes to include in the authorization request. If included, these may be equal
+              to or a subset of the scopes requested during registration.
+              If empty, scope will be omitted as a parameter to the authorization endpoint.
+          ),
+          optional: true
+    input :udap_authorization_code_request_aud,
+          title: "Audience ('aud') Parameter for Authorization Request",
+          type: 'checkbox',
+          options: {
+            list_options: [
+              {
+                label: "Include 'aud' parameter",
+                value: 'include_aud'
+              }
+            ]
+          },
+          description: %(
+              If selected, the Base FHIR URL will be used as the 'aud' parameter in the request to the authorization
+              endpoint.
+          ),
+          optional: true
     output :udap_authorization_code_state
+    output :udap_authorization_redirect_url
     receives_request :redirect
@@ -55,11 +86,15 @@ module UDAPSecurityTestKit
       output udap_authorization_code_state: SecureRandom.uuid
+      aud = udap_fhir_base_url if udap_authorization_code_request_aud.include? 'include_aud'
       oauth2_params = {
         'response_type' => 'code',
         'client_id' => udap_client_id,
         'redirect_uri' => config.options[:redirect_uri],
-        'state' => udap_authorization_code_state
+        'state' => udap_authorization_code_state,
+        'scope' => udap_authorization_code_request_scopes,
+        'aud' => aud
       }.compact
       authorization_url = authorization_url_builder(
@@ -69,6 +104,8 @@ module UDAPSecurityTestKit
       info("Inferno redirecting browser to #{authorization_url}.")
+      output udap_authorization_redirect_url: authorization_url
       wait(
         identifier: udap_authorization_code_state,
         message: wait_message(authorization_url)

data/lib/udap_security_test_kit/client_credentials_group.rb CHANGED Viewed

@@ -51,6 +51,9 @@ module UDAPSecurityTestKit
                 default: 'client_credentials',
                 locked: true
               },
+              udap_client_registration_status: {
+                name: :udap_client_credentials_flow_client_registration_status
+              },
               udap_client_cert_pem: {
                 name: :udap_client_credentials_flow_client_cert_pem,
                 title: 'Client Credentials Client Certificate(s) (PEM Format)'
@@ -92,6 +95,7 @@ module UDAPSecurityTestKit
           } do
       input_order :udap_registration_endpoint,
                   :udap_client_credentials_flow_registration_grant_type,
+                  :udap_client_credentials_flow_client_registration_status,
                   :udap_client_credentials_flow_client_cert_pem,
                   :udap_client_credentials_flow_client_private_key,
                   :udap_cert_iss_client_creds_flow,

data/lib/udap_security_test_kit/dynamic_client_registration_group.rb CHANGED Viewed

@@ -19,13 +19,12 @@ module UDAPSecurityTestKit
       establish a trust chain.
       Cancelling a UDAP client's registration is not a required server capability and as such the Inferno client has no
-      way of resetting state on the authorization server after a successful registration attempt.  Testers wishing to
-      run the Dynamic Client Registration tests more than once must do one of the following:
-      - Remove the Inferno test client's registration out-of-band before re-running tests, to register the original
-      client URI anew
-      - Specifiy a different client URI as the issuer input (if the client cert has more than one Subject Alternative
-      Name (SAN) URI entry), to register a different logical client with the original certificate
-      - Provide a different client certificate and its associated URI to register a new logical client
+      way of resetting state on the authorization server after a successful registration attempt.  If a given
+      certificate and issuer URI identity combination has already been registered with the authorization server, testers
+      whose systems support registration modifications
+      may select the "Update Registration" option under Client Registration Status. This option will accept either a
+      `200 OK` or `201 Created` return status. Registration attempts for a new client may only return `201 Created`,
+      per the [IG](https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body).
     )
     end
@@ -57,6 +56,27 @@ module UDAPSecurityTestKit
             ]
           }
+    input :udap_client_registration_status,
+          title: 'Client Registration Status',
+          description: %(
+            If the client's iss and certificate combination has already been registered with the authorization server
+            prior to this test run, select 'Update'.
+          ),
+          type: 'radio',
+          options: {
+            list_options: [
+              {
+                label: 'New Registration (201 Response Code Expected)',
+                value: 'new'
+              },
+              {
+                label: 'Update Registration (200 or 201 Response Code Expected)',
+                value: 'update'
+              }
+            ]
+          },
+          default: 'new'
     input :udap_client_cert_pem,
           title: 'X.509 Client Certificate(s) (PEM Format)',
           description: %(

data/lib/udap_security_test_kit/registration_success_test.rb CHANGED Viewed

@@ -13,6 +13,14 @@ module UDAPSecurityTestKit
       The [UDAP IG Section 3.2.3](https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body) states:
       > If a new registration is successful, the Authorization Server SHALL return a registration response with a 201
       > Created HTTP response code as per Section 5.1 of UDAP Dynamic Client Registration
+      If the tester indicated this registration attempt represents a modification of an existing registration entry,
+      the [UDAP IG Section 3.4](https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations)
+      states:
+      > If the Authorization Server returns the same client_id in the registration response for a modification request,
+      > it SHOULD also return a 200 OK HTTP response code.
+      In this case, the test will require either a 201 or 200 response code to pass.
     )
     input :udap_client_cert_pem
@@ -20,6 +28,7 @@ module UDAPSecurityTestKit
     input :udap_cert_iss
     input :udap_registration_endpoint
+    input :udap_client_registration_status
     input :udap_jwt_signing_alg
     input :udap_registration_requested_scope
     input :udap_registration_grant_type
@@ -60,7 +69,12 @@ module UDAPSecurityTestKit
       post(udap_registration_endpoint, body: reg_body, headers: reg_headers)
-      assert_response_status(201)
+      if udap_client_registration_status == 'new'
+        assert_response_status(201)
+      elsif udap_client_registration_status == 'update'
+        assert_response_status([200, 201])
+      end
       assert_valid_json(response[:body])
       output udap_registration_response: response[:body]
     end

data/lib/udap_security_test_kit/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module UDAPSecurityTestKit
-  VERSION = '0.10.1'.freeze
+  VERSION = '0.10.2'.freeze
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: udap_security_test_kit
 version: !ruby/object:Gem::Version
-  version: 0.10.1
+  version: 0.10.2
 platform: ruby
 authors:
 - Stephen MacVicar
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-12-06 00:00:00.000000000 Z
+date: 2024-12-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inferno_core