udap_security_test_kit 0.11.3 → 0.11.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 03620024d784bdef2def46c35503c0291eacf4bf0f613ccc546febd4b9502066
-  data.tar.gz: fe308df520fcfe3120aacfb66cc7191ab03de1eedee46da7b9775d88bb798dba
+  metadata.gz: 93cc168a29a41ac4c22bdcb8a4124aa85c370d3a0ae8ac1851090555ab3a2e8b
+  data.tar.gz: d31eee97042a453fe3ccf6c72c1421309ff4d367eb87ff6d2f3a63a96529041d
 SHA512:
-  metadata.gz: 9482d4811cbcf5fb500b237684722e2835289470a4ffe72c3c53338aeecb433c5f5f855f88a741d346d1b614ff67a9ecb1e0c354296f85c3c40f45e4faea07d4
-  data.tar.gz: a41ee216e78fa02afec7d30e0ee1067dd306d7e72ac868c042e90efce1291d201a4347c8f73fee6b1688baba7bf50a523b37f602fed82d72d19db0f2d72f558d
+  metadata.gz: 69293481ba6a4edeca09cf992cd7b7ff97ff380636a43e1d40cb6dd2610711bb1feac263cdf887fbb7e74e8c72ed15329335b8d3b4fdd3a4d3ed1f3f73341eef
+  data.tar.gz: 90878299bfb40e53ad43ff65144d008f3793a1654c8f61ff3dd24a4a8cb6f3dcef11c092cac49ccdadb7dec165ed20134213cc56a566b8e78792e0b83c6ca872

data/config/presets/UDAP_RunServerAgainstClient.json.erb

@@ -95,28 +95,28 @@
       "description": "A list of one or more X.509 certificates in PEM format separated by a newline. The first (leaf) certificate MUST represent the client entity Inferno will register as, and the trust chain that will be built from the provided certificate(s) must resolve to a CA trusted by the authorization server under test.",
       "title": "Authorization Code Client Certificate(s) (PEM Format)",
       "type": "textarea",
-      "value": ""
+      "value": "-----BEGIN CERTIFICATE-----\nMIIFcjCCA1qgAwIBAgIUbdCfB3IJ9bdOPGQVtxJHhMxUWv0wDQYJKoZIhvcNAQEL\nBQAwgYYxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEQMA4GA1UEBwwHQmVkZm9y\nZDEQMA4GA1UECgwHSW5mZXJubzEdMBsGA1UEAwwUSW5mZXJuby1VREFQLVJvb3Qt\nQ0ExJzAlBgkqhkiG9w0BCQEWGGluZmVybm9AZ3JvdXBzLm1pdHJlLm9yZzAeFw0y\nNDA4MTIyMzU4MTBaFw0zNDA4MTAyMzU4MTBaMGExCzAJBgNVBAYTAlVTMQswCQYD\nVQQIDAJNQTEQMA4GA1UEBwwHQmVkZm9yZDEQMA4GA1UECgwHSW5mZXJubzEhMB8G\nA1UEAwwYVURBUCBFeGFtcGxlIFRlc3QgQ2xpZW50MIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEAnfqzJCyeFNRhlcsrUPiO2LQtudObDHUKj4Q7fkYPUf9X\necTMckfPKd8UJ7x8Vb5o1zmR3hsMoo1A7IkwBkmK2BXvxq243cCGO1q4w/jdL/EG\nDiIZjTr7qvkawyeh9cAaApOrBlD4gnOxB05GjingDZgiT7GqBwrpEB2XJ4tw4idS\nB3W9Rv0ynbgqPKgGw9hnEef+uNAvFIvSbfdz1n4xHNP0GuMuAX+edFCyxYFmDe74\n8pl3TH9dxkoM945r5tHmuJS9n1pXkTB9L5RVbqH77dIyOBobehHHpT4D3zjdSFmh\nfta5NnDi5/iqRcFz7FVO79jJIoAqN+mWBlVH0yyfYQIDAQABo4H7MIH4MC8GA1Ud\nEQQoMCaGJGh0dHBzOi8vaW5mZXJuby5jb20vdWRhcF9zZWN1cml0eS9hYzAxBgNV\nHSUEKjAoBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBDA6\nBgNVHR8EMzAxMC+gLaArhilodHRwczovL2luZmVybm8uY29tL21vY2tfY3JsX2Vu\nZHBvaW50LmNybDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQU6Eo2\nHE37gpSaW9zBGf0t7XfYnfIwHwYDVR0jBBgwFoAUNOqoPKju4u9y9JAuAfnSAcFb\nNKAwDQYJKoZIhvcNAQELBQADggIBACh2uQ1Krkw6F3Gq0HG3ohCm2j1ynmLSJwGE\nHvPlkiBcs8RBPxZzJOZJBMxGmjTPga2Kt6zsBlmjLg++C7C5/8JruwrMtrBuTtHx\nKky0Qw+YJm81IgATeDIU/qkJB8LcnHgkQbu3nyoyeKocx9XSW8nlEm4FkyREXxfC\nrSVCoc70GGg2vSnSkRikNjxwKGnHvmEDUOW2bBbbzvTGKlTKSIF50NiNPM3Fi7vF\nbOfi1aZh6m8IKVaI2KUXVFHco1qB3QDK5BUEimko+EyaWSZPvP83PE2+TIdapRrw\nHxQQJEr774GUNH1/hdW0qlP4u3CMMMAjS2H4dOsRYOOmgC6iEewFEBQqTRLkEfgP\npMxYhGAVAmrglLLr4t+ZF9KOmifvB6f18qF352Bj1D0TMB+oLy67kFw3s2ah21la\n3Xm6hQt+M5mZ/EYZIOUPxMHtqVt5DSJdMENHO2cjcRARyeD/BGYnJqnf6yA1LL2V\nTK+jhC/C/Dcv0hHQnVWlUGlwoFMOOzfsr2K3mXYezAuHASP8LIAyjodPpd6cLQu2\nSZTVVobSebaNmZ2UeX8Bc9bcobM2bbVb2c3UeezEJWOpt5cSOeEScEiwkaktxD5p\nix1K3KkIg2yDP176ILlVqBBA0X2FqTSSvFbTa5us3XIwkDfARJBpLnA7OfmsO61+\nIj5io7+X\n-----END CERTIFICATE-----"
     },
     {
       "name": "udap_auth_code_flow_client_private_key",
       "description": "The private key corresponding to the client certificate used for registration, in PEM format.  Used to sign registration and/or authentication JWTs.",
       "title": "Authorization Code Client Private Key (PEM Format)",
       "type": "textarea",
-      "value": ""
+      "value": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCd+rMkLJ4U1GGV\nyytQ+I7YtC2505sMdQqPhDt+Rg9R/1d5xMxyR88p3xQnvHxVvmjXOZHeGwyijUDs\niTAGSYrYFe/GrbjdwIY7WrjD+N0v8QYOIhmNOvuq+RrDJ6H1wBoCk6sGUPiCc7EH\nTkaOKeANmCJPsaoHCukQHZcni3DiJ1IHdb1G/TKduCo8qAbD2GcR5/640C8Ui9Jt\n93PWfjEc0/Qa4y4Bf550ULLFgWYN7vjymXdMf13GSgz3jmvm0ea4lL2fWleRMH0v\nlFVuofvt0jI4Ght6EcelPgPfON1IWaF+1rk2cOLn+KpFwXPsVU7v2MkigCo36ZYG\nVUfTLJ9hAgMBAAECggEAApTpPosYHkEGQztpvs4BD5uKL8I8g2yaOpQvoLWmZHGm\nzU+hA7EWuplxq+CRq5kL/5BqSNXqU/G5AOSRC1lCUpuxKm8GWWFfEDNAV7uGadUn\ngy2de0heeoHNpSjNpcV451fgcJ78IK2hU/w8fPBEQBSfYuwFWk4cVu4U3UmTE68I\nO7PpCdTjk70IOsLT8uBagAOw92Fj0mGU7agCdWfJ+LjPRUtg+PhVvODatL3taG+l\nFAParsomiRqKGINyn8vALXNISuBYHVDUzv93P10gG5rA2sJ7953/+++Hr9DoLpmL\nSH/q/LebFzPJ2u6KzLc6bam1YX0w/MSNTJVIxA5V/QKBgQDU+iFXdShLwvEXGVtb\nFdZuRk3XsN+yfkFyM9SZrmaLF2VBALkC5pd+rYkXSaTA/cbs623VOYpoJhVmjL8d\nVvTlN/G+8TzfdsmOlAXiOSiUn3VKM/Othu5l9k0AgylU8aXBWTUv5FzmV8gMn+/s\n9oOucAVFa60LdkR2d609y/tKnwKBgQC95Gviall3E/+7drT05KxPPGDKRUjhCLBe\nBNj2+ttSt4+v+E5v3K+LSd11VfGkvLkDvkhjiJlVamf+XgLne3TLrEThAKq8ySUr\nXKBRi+nfmisUHSrMGljHw500Rx+MR/LEpfEERMosLQWTrOTz5VG2RueVHbWbD622\nWitr8tnV/wKBgGDYUNr9GlLBFXJEhIc5ueUxMOp4sm/u+4Gb0fwEEvsCq3dQhdCs\n3IytCp69TR65B4DqWWpRHP/Y+XhFXg5QYVHuC46hEeYnlOWxp69EAJD8pZAVaaQp\nrDRPOJqYCe5nZ9Ew6H+bnybbGcur2qTtP9nNdIgpu2lv4RfhubRVEjLPAoGAXqzb\nSSii8GbNMwcNU6gLbPn6e/6tRl1RqZ6bGhCadxREFIUlfko2T6kFPDIcZ3kceYxO\nhSme4WJK9RykMAtygPWj5daySauz13m4CNBMS4qO/dlI9DgSmY6i+2SWixd4J6lg\nkDNH5VyREj66bAuigNG7NrJ4UBYyEt/EFG8hQrsCgYEAyLwk7f2Wgu9ykdwSrrQE\nTBK0iOVUcwPhxj1UbFyDxPdO0EspyKtIFD5w/sbBtQbJGSUFd7ZPoCsYkT2yAsDp\n3cI/ubRxA+/GaqUo84QxvJ4Uqdu8YS8C0FCEnhXGjA60Y5HFzufJF5EqfzwNctCr\nG0cRyX/4Ut4BNUcir/CRVL0=\n-----END PRIVATE KEY-----"
     },
     {
       "name": "udap_auth_code_flow_cert_iss",
       "description": "MUST correspond to a unique URI entry in the Subject Alternative Name (SAN) extension of the client certificate used for registration.",
       "title": "Authorization Code JWT Issuer (iss) Claim",
       "type": "text",
-      "value": ""
+      "value": "<%= Inferno::Application['base_url'] %>/custom/udap_security/fhir"
     },
     {
       "name": "udap_auth_code_flow_registration_scope",
       "description": "String containing a space delimited list of scopes requested by the client application for use in subsequent requests. The Authorization Server MAY consider this list when deciding the scopes that it will allow the application to subsequently request. Apps requesting the \"authorization_code\" grant type SHOULD request user or patient scopes.",
       "title": "Authorization Code Registration Requested Scope(s)",
       "type": "text",
-      "value": ""
+      "value": "patient/*.read"
     },
     {
       "name": "udap_jwt_signing_alg",

data/lib/udap_security_test_kit/client_suite/access_ac_group.rb

@@ -0,0 +1,25 @@
+require_relative 'access_ac_interaction_test'
+require_relative 'authorization_request_verification_test'
+require_relative 'token_request_ac_verification_test'
+require_relative 'token_use_verification_test'
+
+module UDAPSecurityTestKit
+  class UDAPClientAccessAuthorizationCode < Inferno::TestGroup
+    id :udap_client_access_ac
+    title 'Client Access'
+    description %(
+      During these tests, the client system will access Inferno's simulated
+      FHIR server by requesting an access token using UDAP's authorization_code flow
+      and making a FHIR request presenting the access token. Inferno will then verify
+      that any requests made as a part of obtaining the token were conformant and that
+      a token returned from a token request was used on an access request.
+    )
+
+    run_as_group
+
+    test from: :udap_client_access_ac_interaction
+    test from: :udap_client_authorization_request_verification
+    test from: :udap_client_token_request_ac_verification
+    test from: :udap_client_token_use_verification
+  end
+end

data/lib/udap_security_test_kit/client_suite/access_ac_interaction_test.rb

@@ -0,0 +1,59 @@
+require_relative '../urls'
+require_relative '../endpoints/mock_udap_server'
+require_relative 'client_descriptions'
+
+module UDAPSecurityTestKit
+  class UDAPClientAccessAuthorizationCodeInteraction < Inferno::Test
+    include URLs
+    include ClientWaitDialogDescriptions
+
+    id :udap_client_access_ac_interaction
+    title 'Perform UDAP-secured Access'
+    description %(
+      During this test, Inferno will wait for the client to access data
+      using a UDAP token obtained during an earlier test.
+    )
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          locked: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION_LOCKED
+    input :launch_context,
+          title: 'Launch Context',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_LAUNCH_CONTEXT_DESCRIPTION
+    input :fhir_user_relative_reference,
+          title: 'FHIR User Relative Reference',
+          type: 'text',
+          optional: true,
+          description: INPUT_FHIR_USER_RELATIVE_REFERENCE
+    input :fhir_read_resources_bundle,
+          title: 'Available Resources',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_FHIR_READ_RESOURCES_BUNDLE_DESCRIPTION
+    input :echoed_fhir_response,
+          title: 'Default FHIR Response',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_ECHOED_FHIR_RESPONSE_DESCRIPTION
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
+    end
+
+    run do
+      message =
+        wait_dialog_authorization_code_access_prefix(client_id, client_fhir_base_url) +
+        wait_dialog_access_response_and_continue_suffix(client_id, client_resume_pass_url)
+
+      wait(
+        identifier: client_id,
+        message:
+      )
+    end
+  end
+end

data/lib/udap_security_test_kit/client_suite/access_cc_group.rb

@@ -0,0 +1,23 @@
+require_relative 'access_cc_interaction_test'
+require_relative 'token_request_cc_verification_test'
+require_relative 'token_use_verification_test'
+
+module UDAPSecurityTestKit
+  class UDAPClientAccessClientCredentials < Inferno::TestGroup
+    id :udap_client_access_cc
+    title 'Client Access'
+    description %(
+      During these tests, the client system will access Inferno's simulated
+      FHIR server by requesting an access token using UDAP's client_credentials flow
+      and making a FHIR request presenting the access token. Inferno will then verify
+      that any requests made as a part of obtaining the token were conformant and that
+      a token returned from a token request was used on an access request.
+    )
+
+    run_as_group
+
+    test from: :udap_client_access_cc_interaction
+    test from: :udap_client_token_request_cc_verification
+    test from: :udap_client_token_use_verification
+  end
+end

data/lib/udap_security_test_kit/client_suite/access_cc_interaction_test.rb

@@ -0,0 +1,49 @@
+require_relative '../urls'
+require_relative '../endpoints/mock_udap_server'
+require_relative 'client_descriptions'
+
+module UDAPSecurityTestKit
+  class UDAPClientAccessClientCredentialsInteraction < Inferno::Test
+    include URLs
+    include ClientWaitDialogDescriptions
+
+    id :udap_client_access_cc_interaction
+    title 'Perform UDAP-secured Access'
+    description %(
+      During this test, Inferno will wait for the client to access data
+      using a UDAP token obtained during an earlier test.
+    )
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          locked: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION_LOCKED
+    input :fhir_read_resources_bundle,
+          title: 'Available Resources',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_FHIR_READ_RESOURCES_BUNDLE_DESCRIPTION
+    input :echoed_fhir_response,
+          title: 'Default FHIR Response',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_ECHOED_FHIR_RESPONSE_DESCRIPTION
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
+    end
+
+    run do
+      message =
+        wait_dialog_client_credentials_access_prefix(client_id, client_fhir_base_url) +
+        wait_dialog_access_response_and_continue_suffix(client_id, client_resume_pass_url)
+
+      wait(
+        identifier: client_id,
+        message:
+      )
+    end
+  end
+end

data/lib/udap_security_test_kit/client_suite/authorization_request_verification_test.rb

@@ -0,0 +1,83 @@
+require_relative '../tags'
+require_relative '../urls'
+require_relative '../endpoints/mock_udap_server'
+require_relative 'client_descriptions'
+
+module UDAPSecurityTestKit
+  class UDAPClientAppLaunchAuthorizationRequestVerification < Inferno::Test
+    include URLs
+
+    id :udap_client_authorization_request_verification
+    title 'Verify UDAP Authorization Requests'
+    description %(
+      Check that UDAP authorization requests made are conformant.
+    )
+
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          locked: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION_LOCKED
+    input :udap_registration_jwt,
+          title: 'Registered UDAP Software Statement',
+          type: 'textarea',
+          locked: 'true',
+          description: INPUT_UDAP_REGISTRATION_JWT_DESCRIPTION_LOCKED
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
+    end
+
+    run do
+      load_tagged_requests(AUTHORIZATION_TAG, UDAP_TAG)
+      skip_if requests.blank?, 'No UDAP authorization requests made.'
+
+      requests.each_with_index do |authorization_request, index|
+        auth_code_request_params = MockUDAPServer.authorization_code_request_details(authorization_request)
+        check_request_params(auth_code_request_params, index + 1)
+      end
+
+      assert messages.none? { |msg|
+        msg[:type] == 'error'
+      }, 'Invalid authorization requests detected. See messages for details.'
+    end
+
+    def check_request_params(params, request_num) # rubocop:disable Metrics/CyclomaticComplexity
+      if params['response_type'] != 'code'
+        add_message('error',
+                    "Authorization request #{request_num} had an incorrect `response_type`: expected 'code', " \
+                    "but got '#{params['response_type']}'")
+      end
+      if params['client_id'] != client_id
+        add_message('error',
+                    "Authorization request #{request_num} had an incorrect `client_id`: expected #{client_id}, " \
+                    "but got '#{params['client_id']}'")
+      end
+      registration_body, _registration_header = JWT.decode(udap_registration_jwt, nil, false)
+      if params['redirect_uri'].present?
+        # must be a registered redirect_uri
+        unless registration_body['redirect_uris']&.include?(params['redirect_uri'])
+          add_message('error',
+                      "Authorization request #{request_num} had an invalid `redirect_uri`: expected one of " \
+                      "'#{registration_body['redirect_uris']&.join(', ')}', but got '#{params['redirect_uri']}'")
+        end
+      else
+        # can only be one registered redirect_uri
+        unless registration_body['redirect_uris']&.length == 1
+          add_message('error',
+                      "Authorization request #{request_num} had an invalid `redirect_uri`: expected one of " \
+                      "'#{registration_body['redirect_uris']&.join(', ')}', but got none")
+        end
+      end
+
+      if params['state'].blank?
+        add_message('warning',
+                    "Authorization request #{request_num} is missing the recommended `state` element")
+      end
+
+      nil
+    end
+  end
+end

data/lib/udap_security_test_kit/client_suite/client_descriptions.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require 'rack/utils'
+
+module UDAPSecurityTestKit
+  RE_RUN_REGISTRATION_SUFFIX =
+    'Create a new session and re-run the Client Registration group if you need to change this value.'
+  INPUT_CLIENT_ID_DESCRIPTION_LOCKED =
+    "The registered Client Id for use in obtaining access tokens. #{RE_RUN_REGISTRATION_SUFFIX}".freeze
+  INPUT_UDAP_REGISTRATION_JWT_DESCRIPTION_LOCKED =
+    "The software statement JWT provided during UDAP client registration. #{RE_RUN_REGISTRATION_SUFFIX}".freeze
+
+  INPUT_LAUNCH_CONTEXT_DESCRIPTION =
+    'Launch context details to be included in access token responses, specified as a JSON array. If provided, ' \
+    'the contents will be merged into Inferno\'s token responses.'
+  INPUT_FHIR_USER_RELATIVE_REFERENCE =
+    'A FHIR relative reference (<resource type>/<id>) for the FHIR user record to return when the openid ' \
+    'and fhirUser scopes are requested. Include this resource in the **Available Resources** input so ' \
+    'that it can be accessed via FHIR read.'
+  INPUT_FHIR_READ_RESOURCES_BUNDLE_DESCRIPTION =
+    'Resources to make available in Inferno\'s simulated FHIR server provided as a FHIR bundle. Each entry ' \
+    'must contain a resource with the id element populated. Each instance present will be available for ' \
+    'retrieval from Inferno at the endpoint: <fhir-base>/<resource type>/<instance id>. These will only ' \
+    'be available through the read interaction.'
+  INPUT_ECHOED_FHIR_RESPONSE_DESCRIPTION =
+    'JSON representation of a default FHIR resource for Inferno to echo when a request is made to the ' \
+    'simulated FHIR server. Reads targetting resources in the **Available Resources** input will return ' \
+    'that resource instead of this. Otherwise, the content here will be echoed back exactly and no check ' \
+    'will be made that it is appropriate for the request made. If nothing is provided, an OperationOutcome ' \
+    'indicating nothing to echo will be returned.'
+
+  module ClientWaitDialogDescriptions
+    def wait_dialog_client_credentials_access_prefix(client_id, fhir_base_url)
+      <<~PREFIX
+        **Access**
+
+        Use the registered client id (#{client_id}) to obtain an access
+        token using the [UDAP B2B client credentials flow](https://hl7.org/fhir/us/udap-security/STU1/b2b.html)
+        and use that token to access a FHIR endpoint under the simulated server's base URL
+
+        `#{fhir_base_url}`
+      PREFIX
+    end
+
+    def wait_dialog_authorization_code_access_prefix(client_id, fhir_base_url)
+      <<~PREFIX
+        **Access**
+
+        Use the registered client id (#{client_id}) to obtain an access
+        token using the UDAP [consumer-facing](https://hl7.org/fhir/us/udap-security/STU1/consumer.html)
+        or [B2B authorization code flow](https://hl7.org/fhir/us/udap-security/STU1/b2b.html)
+        and use that token to access a FHIR endpoint under the simulated server's base URL
+
+        `#{fhir_base_url}`
+      PREFIX
+    end
+
+    def wait_dialog_access_response_and_continue_suffix(client_id, resume_pass_url)
+      <<~SUFFIX
+        Inferno will respond to requests with either:
+        - A resource from the Bundle in the **Available Resources** input if the request is a read matching
+          a resource type and id found in the Bundle.
+        - Otherwise, the contents of the **Default FHIR Response** if provided.
+        - Otherwise, an OperationOutcome indicating nothing to echo.
+
+        [Click here](#{resume_pass_url}?token=#{client_id}) once you performed the data access.
+      SUFFIX
+    end
+  end
+end

data/lib/udap_security_test_kit/client_suite/client_options.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require_relative '../tags'
+
+module UDAPSecurityTestKit
+  module UDAPClientOptions
+    module_function
+
+    UDAP_AUTHORIZATION_CODE = "#{UDAP_TAG},#{AUTHORIZATION_CODE_TAG}".freeze
+    UDAP_CLIENT_CREDENTIALS = "#{UDAP_TAG},#{CLIENT_CREDENTIALS_TAG}".freeze
+
+    def oauth_flow(suite_options)
+      if suite_options[:client_type].include?(AUTHORIZATION_CODE_TAG)
+        AUTHORIZATION_CODE_TAG
+      elsif suite_options[:client_type].include?(CLIENT_CREDENTIALS_TAG)
+        CLIENT_CREDENTIALS_TAG
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/client_suite/oidc_jwks.json

@@ -0,0 +1,32 @@
+{
+	"keys": [
+		{
+			"kty": "RSA",
+			"use": "sig",
+			"key_ops": [
+				"verify"
+			],
+			"alg": "RS256",
+			"kid": "618e76fc7eb7c3401c7fd47b9af5e94d",
+			"n": "uoYzdYZQDp7yHTfY4XL1PFCFPfijG1rP2dNgMmsqKbm9qpMjiUuXCpdoOXWE838pcu3Ahi6L3dGgGS3Aeys3YrnF6h9uRTD1DHf-UWlOq4iPCzk26a-bBuyVZDVqS7Y5HsyF7i_UvYV1W0EaHSpAF911Vo_W_FVyiSkAZP1yN0ECbbjnSqxhaa44SGw90oh6XnyNBLu7a11aLCURkaRJOKXHj_vf8UyaD-IA9YkvM80St7QF6u6LRVYmCShbpfWRmejh_Swf4zdqcPl-duUsZE-OBysoTq92FaXr605igM30Rdkx8hs-HTwZtjn5hB3XNTiG2Wka1cUXKNyH59u8Yw",
+			"e": "AQAB"
+		},
+		{
+			"kty": "RSA",
+			"use": "sig",
+			"key_ops": [
+				"sign"
+			],
+			"alg": "RS256",
+			"kid": "618e76fc7eb7c3401c7fd47b9af5e94d",
+			"d": "k2SxDVHRuXwIvuX-0EjTWZIXeF0eJuOgE_VgsvbUHpzUMBKNplTBSnFSvvUK1o_J5TPTSzVE-UhJRxxMWghQgAdlShkEPlDtk6jOou6gaBRFVQ0lQ4ys6M_TTZiYIrQgdyIPQ6Uwa4MmtbHAPQPCGhm6O2j27fdnxtNLqIJO2zF9OzF4VP5_v63bbMfwbKECvB_bbcGLmJrq2ClI1iTOw-GawQ3I8sfwf52D3mb-qDJyQwtomNxf7EhvmGBC9u_8JVY48qsCCYWr2KAauID02WtCVepxM4ltKOLJb6BL5QpKmJ8svYLWjSZvNJSdk-EoB9grqechyDOIa2DuU9g-QQ",
+			"n": "uoYzdYZQDp7yHTfY4XL1PFCFPfijG1rP2dNgMmsqKbm9qpMjiUuXCpdoOXWE838pcu3Ahi6L3dGgGS3Aeys3YrnF6h9uRTD1DHf-UWlOq4iPCzk26a-bBuyVZDVqS7Y5HsyF7i_UvYV1W0EaHSpAF911Vo_W_FVyiSkAZP1yN0ECbbjnSqxhaa44SGw90oh6XnyNBLu7a11aLCURkaRJOKXHj_vf8UyaD-IA9YkvM80St7QF6u6LRVYmCShbpfWRmejh_Swf4zdqcPl-duUsZE-OBysoTq92FaXr605igM30Rdkx8hs-HTwZtjn5hB3XNTiG2Wka1cUXKNyH59u8Yw",
+			"e": "AQAB",
+			"p": "x3syoDXXDJne_-aSeHMm3muQ1KfIGewMhklvGNZ6LVTIJWUE5UYiGshABmgn86GfS-uZc_oUo3WcXiCLUlZSBqZFTIyXgy9y979VWA0whPCYcVSLzSGOiUtv3Ys4VGYCmGSuJnyLDp0CNN63Gf_iGpjCRbaPCPdRnyBgfSEvETs",
+			"q": "718z8hC_AQXrhQxvTsCEv7FXSX0Ev10Tjdq94DcsD91g34KTbrF9K9wtPfBUQaUx5Z2rMOTdLxbtHKvP-YQ4YMoQioA9qsclcnwdvKoRcRWim9oBnLa3Iuqttdwc9U2FWEQ4wqv16rsQw7URU4qlYkiVjrHvRJb8Nx_AJsA8Tvk",
+			"dp": "waDGDVj1exfIq-ClgCFWM0N5-9E4nGDR729MVXGqemH3PMUHsX0YEaMa8p0bWpMhStJPy5GNgvTgaUVxtuRvDmFKlvlJAF-IWw7vyl5TIFdhwW_tm5nc_0uoNAW1EcdK8Z2YpWbym6avw54DYUtNr79jo8OGp49ZPPpybkNNqo0",
+			"dq": "ge3mL02Br9d7yKNAQ7niFH75Ry1yB0FJXOVPzUWFSDM84vVoe1wh-k2vzQAHa_50ABO-GXMQz_-cwsRLxj9LrtXfdp43Wtxv6h2OspqJjx1UP05tM5hF_dDua1lH6qqiZ4_YU2qtuDTD28cL2ZHXRWrqqyLQIiXmTzGPxjjwQ1k",
+			"qi": "n3fMznRlCCwuoCq0kv4tL0cravVhcg33rA-CQXlIxgqj3h1yiBJ4p76pHceV6tvYsPyX3YsUKNOBP9HcxuHK3I3kFqMN5Y4C4r8dTE4fbJK9QT_guo_k_GKijNp0NDNCCeKxU78SRYvA527VY-3Z6TUC_K6O-5Pd6aPJN1QDtoA"
+		}
+	]
+}

data/lib/udap_security_test_kit/client_suite/oidc_jwks.rb

@@ -0,0 +1,27 @@
+require 'jwt'
+
+module UDAPSecurityTestKit
+  class OIDCJWKS
+    class << self
+      def jwks_json
+        @jwks_json ||=
+          JSON.pretty_generate(
+            { keys: jwks.export[:keys].select { |key| key[:key_ops]&.include?('verify') } }
+          )
+      end
+
+      def default_jwks_path
+        @default_jwks_path ||= File.join(__dir__, 'oidc_jwks.json')
+      end
+
+      def jwks_path
+        @jwks_path ||=
+          ENV.fetch('SIMULATED_OIDC_JWKS_PATH', default_jwks_path)
+      end
+
+      def jwks
+        @jwks ||= JWT::JWK::Set.new(JSON.parse(File.read(jwks_path)))
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/client_suite/registration_ac_group.rb

@@ -0,0 +1,18 @@
+require_relative 'registration_interaction_test'
+require_relative 'registration_ac_verification_test'
+
+module UDAPSecurityTestKit
+  class UDAPClientRegistrationAuthorizationCode < Inferno::TestGroup
+    id :udap_client_registration_ac
+    title 'Client Registration'
+    description %(
+      During these tests, the client system will dynamically register with Inferno's
+      simulated UDAP Server to use the authorization_code flow. At any time, the client
+      may perform UDAP discovery on the simulated Inferno UDAP server.
+    )
+    run_as_group
+
+    test from: :udap_client_registration_interaction
+    test from: :udap_client_registration_ac_verification
+  end
+end

data/lib/udap_security_test_kit/client_suite/registration_ac_verification_test.rb

@@ -0,0 +1,38 @@
+require_relative '../tags'
+require_relative '../urls'
+require_relative '../endpoints/mock_udap_server'
+require_relative 'registration_request_verification'
+
+module UDAPSecurityTestKit
+  class UDAPClientRegistrationAuthorizationCodeVerification < Inferno::Test
+    include URLs
+    include RegistrationRequestVerification
+
+    id :udap_client_registration_ac_verification
+    title 'Verify UDAP Authorization Code Registration'
+    description %(
+        During this test, Inferno will verify that the client's UDAP
+        registration request is conformant.
+      )
+    input :udap_client_uri
+    output :udap_registration_jwt
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
+    end
+
+    run do
+      client_registration_requests = load_registration_requests_for_client_uri(udap_client_uri)
+      skip_if client_registration_requests.empty?,
+              "No UDAP Registration Requests made for client uri '#{udap_client_uri}'."
+
+      verify_registration_request(AUTHORIZATION_CODE_TAG, client_registration_requests.last) # most recent if several
+
+      assert messages.none? { |msg|
+        msg[:type] == 'error'
+      }, 'Invalid registration request. See messages for details.'
+    end
+  end
+end

data/lib/udap_security_test_kit/client_suite/registration_cc_group.rb

@@ -0,0 +1,18 @@
+require_relative 'registration_interaction_test'
+require_relative 'registration_cc_verification_test'
+
+module UDAPSecurityTestKit
+  class UDAPClientRegistrationClientCredentials < Inferno::TestGroup
+    id :udap_client_registration_cc
+    title 'Client Registration'
+    description %(
+      During these tests, the client system will dynamically register with Inferno's
+      simulated UDAP Server to use the client_credentials flow. At any time, the client
+      may perform UDAP discovery on the simulated Inferno UDAP server.
+    )
+    run_as_group
+
+    test from: :udap_client_registration_interaction
+    test from: :udap_client_registration_cc_verification
+  end
+end

data/lib/udap_security_test_kit/client_suite/registration_cc_verification_test.rb

@@ -0,0 +1,38 @@
+require_relative '../tags'
+require_relative '../urls'
+require_relative '../endpoints/mock_udap_server'
+require_relative 'registration_request_verification'
+
+module UDAPSecurityTestKit
+  class UDAPClientRegistrationClientCredentialsVerification < Inferno::Test
+    include URLs
+    include RegistrationRequestVerification
+
+    id :udap_client_registration_cc_verification
+    title 'Verify UDAP Client Credentials Registration'
+    description %(
+        During this test, Inferno will verify that the client's UDAP
+        registration request is conformant.
+      )
+    input :udap_client_uri
+    output :udap_registration_jwt
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
+    end
+
+    run do
+      client_registration_requests = load_registration_requests_for_client_uri(udap_client_uri)
+      skip_if client_registration_requests.empty?,
+              "No UDAP Registration Requests made for client uri '#{udap_client_uri}'."
+
+      verify_registration_request(CLIENT_CREDENTIALS_TAG, client_registration_requests.last) # most recent if several
+
+      assert messages.none? { |msg|
+        msg[:type] == 'error'
+      }, 'Invalid registration request. See messages for details.'
+    end
+  end
+end

data/lib/udap_security_test_kit/client_suite/{client_registration_interaction_test.rb → registration_interaction_test.rb}

@@ -13,14 +13,21 @@ module UDAPSecurityTestKit
         using UDAP dynamic registration.
       )
     input :udap_client_uri,
-          optional: false
+          title: 'UDAP Client URI',
+          type: 'text',
+          description: %(
+            The UDAP Client URI that will be used to register with Inferno's simulated UDAP server.
+          )
 
     output :client_id
 
-    run do
-      omit_if udap_client_uri.blank?, # for re-use: mark the udap_client_uri input as optional when importing to enable
-              'Not configured for UDAP authentication.'
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
 
+      UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
+    end
+
+    run do
       generated_client_id = MockUDAPServer.client_uri_to_client_id(udap_client_uri)
       output client_id: generated_client_id