RubyGems - udap_security_test_kit - Versions diffs - 0.11.5 → 0.11.6 - Mend

udap_security_test_kit 0.11.5 → 0.11.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (41) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8cd9e461b7c07f1562d3cd0633dad2816f6b9a93b56a4f21d82ed608386e2035
-  data.tar.gz: 636e8a27be86aaca468218ed36f8253e6ede05ef995c8cd28664636944a52b72
+  metadata.gz: ba9b8ab76dbc1af4171a44facc2bad0501b87d408914b1112211b4a6dd407972
+  data.tar.gz: ab96e3353c18cb382f24051c0d97869d7bd211ec21827f1389c1703f7f1827a2
 SHA512:
-  metadata.gz: 8f6b32492245d75331ca03fa96a6fcd3169894e6cb09788a2e07cd851f40fcdb776133c91488e806e663e0166042e0f361ddcd59e350664c1b2ecfce316513ef
-  data.tar.gz: 4b6f85396f9dd0b4918672756471a9690f56e8b0161bd6b097baa0317728bb8491c0629792b5255dc2c25f092cfc61f0ee368ab110ca45fadf21614a8d1a3834
+  metadata.gz: 8901c4441f4dbc98ba53a1babdcb1bbdef421c52457627266e5faaa6602f88df692b58b1d7f788d079374bd8419a46564cf4e0a2edcf7bb67a3e9ee15a7459bb
+  data.tar.gz: 1de972b29f3c1c0ef84273d707420c379f16a9d30b9340f78b0fae573a452ad50cab6e6b5db7a3cf5497e965f7fe8aed424a0f20770c472895ed80dd9658b727

data/lib/udap_security_test_kit/authorization_code_received_test.rb CHANGED Viewed

@@ -9,12 +9,20 @@ module UDAPSecurityTestKit
     output :udap_authorization_code
     uses_request :redirect
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@133',
+                          'hl7.fhir.us.udap-security_1.0.0@134',
+                          'hl7.fhir.us.udap-security_1.0.0@138',
+                          'hl7.fhir.us.udap-security_1.0.0@190'
     run do
       code = request.query_parameters['code']
       output udap_authorization_code: code
       assert code.present?, 'No `code` parameter received'
+      state = request.query_parameters['state']
+      assert state.present?, '`state` parameter is required since it was present in client request'
       error = request.query_parameters['error']
       pass_if error.blank?

data/lib/udap_security_test_kit/authorization_code_redirect_test.rb CHANGED Viewed

@@ -52,6 +52,9 @@ module UDAPSecurityTestKit
     receives_request :redirect
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@133',
+                          'hl7.fhir.us.udap-security_1.0.0@190'
     config options: {
       redirect_uri: UDAPSecurityTestKit::UDAP_REDIRECT_URI
     }

data/lib/udap_security_test_kit/authorization_code_token_exchange_test.rb CHANGED Viewed

@@ -62,6 +62,8 @@ module UDAPSecurityTestKit
     makes_request :token_exchange
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@148'
     run do
       client_assertion_payload = UDAPClientAssertionPayloadBuilder.build(
         udap_client_id,

data/lib/udap_security_test_kit/authorization_endpoint_field_test.rb CHANGED Viewed

@@ -13,6 +13,10 @@ module UDAPSecurityTestKit
     input :udap_well_known_metadata_json
     output :udap_authorization_endpoint
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@9',
+                          'hl7.fhir.us.udap-security_1.0.0@38',
+                          'hl7.fhir.us.udap-security_1.0.0@39'
     run do
       assert_valid_json(udap_well_known_metadata_json)
       config = JSON.parse(udap_well_known_metadata_json)
@@ -29,7 +33,7 @@ module UDAPSecurityTestKit
               '`authorization_endpoint` field is only required if `authorization_code` is a supported grant type'
       assert config.key?('authorization_endpoint'),
-             '`authorization_endpoint` field is required if `authorization_endpoint` is a supported grant type'
+             '`authorization_endpoint` field is required if `authorization_code` is a supported grant type'
       endpoint = config['authorization_endpoint']

data/lib/udap_security_test_kit/client_suite/access_ac_group.rb CHANGED Viewed

@@ -17,6 +17,8 @@ module UDAPSecurityTestKit
     run_as_group
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@126'
     test from: :udap_client_access_ac_interaction
     test from: :udap_client_authorization_request_verification
     test from: :udap_client_token_request_ac_verification

data/lib/udap_security_test_kit/client_suite/authorization_request_verification_test.rb CHANGED Viewed

@@ -24,6 +24,11 @@ module UDAPSecurityTestKit
           locked: 'true',
           description: INPUT_UDAP_REGISTRATION_JWT_DESCRIPTION_LOCKED
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@67',
+                          'hl7.fhir.us.udap-security_1.0.0@127',
+                          'hl7.fhir.us.udap-security_1.0.0@128',
+                          'hl7.fhir.us.udap-security_1.0.0@129'
     def client_suite_id
       return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?

data/lib/udap_security_test_kit/client_suite/registration_ac_verification_test.rb CHANGED Viewed

@@ -17,6 +17,40 @@ module UDAPSecurityTestKit
     input :udap_client_uri
     output :udap_registration_jwt
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@1',
+                          'hl7.fhir.us.udap-security_1.0.0@2',
+                          'hl7.fhir.us.udap-security_1.0.0@3',
+                          'hl7.fhir.us.udap-security_1.0.0@7',
+                          'hl7.fhir.us.udap-security_1.0.0@8',
+                          'hl7.fhir.us.udap-security_1.0.0@66',
+                          'hl7.fhir.us.udap-security_1.0.0@71',
+                          'hl7.fhir.us.udap-security_1.0.0@72',
+                          'hl7.fhir.us.udap-security_1.0.0@73',
+                          'hl7.fhir.us.udap-security_1.0.0@74',
+                          'hl7.fhir.us.udap-security_1.0.0@75',
+                          'hl7.fhir.us.udap-security_1.0.0@76',
+                          'hl7.fhir.us.udap-security_1.0.0@77',
+                          'hl7.fhir.us.udap-security_1.0.0@78',
+                          'hl7.fhir.us.udap-security_1.0.0@79',
+                          'hl7.fhir.us.udap-security_1.0.0@80',
+                          'hl7.fhir.us.udap-security_1.0.0@81',
+                          'hl7.fhir.us.udap-security_1.0.0@83',
+                          'hl7.fhir.us.udap-security_1.0.0@84',
+                          'hl7.fhir.us.udap-security_1.0.0@86',
+                          'hl7.fhir.us.udap-security_1.0.0@87',
+                          'hl7.fhir.us.udap-security_1.0.0@88',
+                          'hl7.fhir.us.udap-security_1.0.0@90',
+                          'hl7.fhir.us.udap-security_1.0.0@91',
+                          'hl7.fhir.us.udap-security_1.0.0@92',
+                          'hl7.fhir.us.udap-security_1.0.0@93',
+                          'hl7.fhir.us.udap-security_1.0.0@94',
+                          'hl7.fhir.us.udap-security_1.0.0@96',
+                          'hl7.fhir.us.udap-security_1.0.0@97',
+                          'hl7.fhir.us.udap-security_1.0.0@101',
+                          'hl7.fhir.us.udap-security_1.0.0@102',
+                          'hl7.fhir.us.udap-security_1.0.0@103',
+                          'hl7.fhir.us.udap-security_1.0.0@104'
     def client_suite_id
       return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?

data/lib/udap_security_test_kit/client_suite/registration_cc_verification_test.rb CHANGED Viewed

@@ -23,6 +23,36 @@ module UDAPSecurityTestKit
       UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
     end
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@1',
+                          'hl7.fhir.us.udap-security_1.0.0@2',
+                          'hl7.fhir.us.udap-security_1.0.0@3',
+                          'hl7.fhir.us.udap-security_1.0.0@7',
+                          'hl7.fhir.us.udap-security_1.0.0@8',
+                          'hl7.fhir.us.udap-security_1.0.0@66',
+                          'hl7.fhir.us.udap-security_1.0.0@71',
+                          'hl7.fhir.us.udap-security_1.0.0@72',
+                          'hl7.fhir.us.udap-security_1.0.0@73',
+                          'hl7.fhir.us.udap-security_1.0.0@74',
+                          'hl7.fhir.us.udap-security_1.0.0@75',
+                          'hl7.fhir.us.udap-security_1.0.0@76',
+                          'hl7.fhir.us.udap-security_1.0.0@77',
+                          'hl7.fhir.us.udap-security_1.0.0@78',
+                          'hl7.fhir.us.udap-security_1.0.0@79',
+                          'hl7.fhir.us.udap-security_1.0.0@80',
+                          'hl7.fhir.us.udap-security_1.0.0@81',
+                          'hl7.fhir.us.udap-security_1.0.0@83',
+                          'hl7.fhir.us.udap-security_1.0.0@85',
+                          'hl7.fhir.us.udap-security_1.0.0@86',
+                          'hl7.fhir.us.udap-security_1.0.0@87',
+                          'hl7.fhir.us.udap-security_1.0.0@92',
+                          'hl7.fhir.us.udap-security_1.0.0@95',
+                          'hl7.fhir.us.udap-security_1.0.0@96',
+                          'hl7.fhir.us.udap-security_1.0.0@97',
+                          'hl7.fhir.us.udap-security_1.0.0@101',
+                          'hl7.fhir.us.udap-security_1.0.0@102',
+                          'hl7.fhir.us.udap-security_1.0.0@103',
+                          'hl7.fhir.us.udap-security_1.0.0@104'
     run do
       client_registration_requests = load_registration_requests_for_client_uri(udap_client_uri)
       skip_if client_registration_requests.empty?,

data/lib/udap_security_test_kit/client_suite/token_request_ac_verification_test.rb CHANGED Viewed

@@ -28,6 +28,53 @@ module UDAPSecurityTestKit
           description: INPUT_UDAP_REGISTRATION_JWT_DESCRIPTION_LOCKED
     output :udap_tokens
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@1',
+                          'hl7.fhir.us.udap-security_1.0.0@2',
+                          'hl7.fhir.us.udap-security_1.0.0@3',
+                          'hl7.fhir.us.udap-security_1.0.0@7',
+                          'hl7.fhir.us.udap-security_1.0.0@8',
+                          'hl7.fhir.us.udap-security_1.0.0@67',
+                          'hl7.fhir.us.udap-security_1.0.0@69',
+                          'hl7.fhir.us.udap-security_1.0.0@140',
+                          'hl7.fhir.us.udap-security_1.0.0@141',
+                          'hl7.fhir.us.udap-security_1.0.0@142',
+                          'hl7.fhir.us.udap-security_1.0.0@143',
+                          'hl7.fhir.us.udap-security_1.0.0@145',
+                          'hl7.fhir.us.udap-security_1.0.0@151',
+                          'hl7.fhir.us.udap-security_1.0.0@152',
+                          'hl7.fhir.us.udap-security_1.0.0@153',
+                          'hl7.fhir.us.udap-security_1.0.0@154',
+                          'hl7.fhir.us.udap-security_1.0.0@155',
+                          'hl7.fhir.us.udap-security_1.0.0@156',
+                          'hl7.fhir.us.udap-security_1.0.0@157',
+                          'hl7.fhir.us.udap-security_1.0.0@158',
+                          'hl7.fhir.us.udap-security_1.0.0@160',
+                          'hl7.fhir.us.udap-security_1.0.0@161',
+                          'hl7.fhir.us.udap-security_1.0.0@163',
+                          'hl7.fhir.us.udap-security_1.0.0@165',
+                          'hl7.fhir.us.udap-security_1.0.0@166',
+                          'hl7.fhir.us.udap-security_1.0.0@167',
+                          'hl7.fhir.us.udap-security_1.0.0@168',
+                          'hl7.fhir.us.udap-security_1.0.0@169',
+                          'hl7.fhir.us.udap-security_1.0.0@170',
+                          'hl7.fhir.us.udap-security_1.0.0@171',
+                          'hl7.fhir.us.udap-security_1.0.0@175',
+                          'hl7.fhir.us.udap-security_1.0.0@177',
+                          'hl7.fhir.us.udap-security_1.0.0@178',
+                          'hl7.fhir.us.udap-security_1.0.0@179',
+                          'hl7.fhir.us.udap-security_1.0.0@180',
+                          'hl7.fhir.us.udap-security_1.0.0@185',
+                          'hl7.fhir.us.udap-security_1.0.0@192',
+                          'hl7.fhir.us.udap-security_1.0.0@193',
+                          'hl7.fhir.us.udap-security_1.0.0@194',
+                          'hl7.fhir.us.udap-security_1.0.0@195',
+                          'hl7.fhir.us.udap-security_1.0.0@196',
+                          'hl7.fhir.us.udap-security_1.0.0@197',
+                          'hl7.fhir.us.udap-security_1.0.0@222',
+                          'hl7.fhir.us.udap-security_1.0.0@232',
+                          'hl7.fhir.us.udap-security_1.0.0@233',
+                          'hl7.fhir.us.udap-security_1.0.0@234'
     def client_suite_id
       return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?

data/lib/udap_security_test_kit/client_suite/token_request_cc_verification_test.rb CHANGED Viewed

@@ -28,6 +28,31 @@ module UDAPSecurityTestKit
           description: INPUT_UDAP_REGISTRATION_JWT_DESCRIPTION_LOCKED
     output :udap_tokens
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@1',
+                          'hl7.fhir.us.udap-security_1.0.0@2',
+                          'hl7.fhir.us.udap-security_1.0.0@3',
+                          'hl7.fhir.us.udap-security_1.0.0@7',
+                          'hl7.fhir.us.udap-security_1.0.0@8',
+                          'hl7.fhir.us.udap-security_1.0.0@67',
+                          'hl7.fhir.us.udap-security_1.0.0@69',
+                          'hl7.fhir.us.udap-security_1.0.0@186',
+                          'hl7.fhir.us.udap-security_1.0.0@192',
+                          'hl7.fhir.us.udap-security_1.0.0@193',
+                          'hl7.fhir.us.udap-security_1.0.0@194',
+                          'hl7.fhir.us.udap-security_1.0.0@195',
+                          'hl7.fhir.us.udap-security_1.0.0@196',
+                          'hl7.fhir.us.udap-security_1.0.0@197',
+                          'hl7.fhir.us.udap-security_1.0.0@198',
+                          'hl7.fhir.us.udap-security_1.0.0@202',
+                          'hl7.fhir.us.udap-security_1.0.0@212',
+                          'hl7.fhir.us.udap-security_1.0.0@214',
+                          'hl7.fhir.us.udap-security_1.0.0@215',
+                          'hl7.fhir.us.udap-security_1.0.0@223',
+                          'hl7.fhir.us.udap-security_1.0.0@225',
+                          'hl7.fhir.us.udap-security_1.0.0@226',
+                          'hl7.fhir.us.udap-security_1.0.0@227',
+                          'hl7.fhir.us.udap-security_1.0.0@228'
     def client_suite_id
       return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?

data/lib/udap_security_test_kit/client_suite.rb CHANGED Viewed

@@ -15,6 +15,14 @@ module UDAPSecurityTestKit
     title 'UDAP Security Client'
     description File.read(File.join(__dir__, 'docs', 'udap_client_suite_description.md'))
+    requirement_sets(
+      {
+        identifier: 'hl7.fhir.us.udap-security_1.0.0',
+        title: 'Security for Scalable Registration, Authentication, and Authorization (UDAP)',
+        actor: 'Client'
+      }
+    )
     links [
       {
         type: 'source_code',

data/lib/udap_security_test_kit/discovery_group.rb CHANGED Viewed

@@ -61,6 +61,8 @@ module UDAPSecurityTestKit
     output :udap_registration_endpoint
     output :udap_registration_grant_type
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@15'
     test from: :udap_well_known_endpoint
     test from: :udap_versions_supported_field
     test from: :udap_grant_types_supported_field

data/lib/udap_security_test_kit/dynamic_client_registration_group.rb CHANGED Viewed

@@ -141,6 +141,9 @@ module UDAPSecurityTestKit
           type: 'textarea',
           optional: true
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@68',
+                          'hl7.fhir.us.udap-security_1.0.0@105'
     test from: :udap_registration_failure_invalid_contents
     test from: :udap_registration_failure_invalid_jwt_signature
     test from: :udap_registration_success

data/lib/udap_security_test_kit/endpoints/mock_udap_server.rb CHANGED Viewed

@@ -159,7 +159,7 @@ module UDAPSecurityTestKit
     def decode_token(token)
       token_to_decode =
-        if issued_token_is_refresh_token(token)
+        if issued_token_is_refresh_token?(token)
           refresh_token_to_authorization_code(token)
         else
           token
@@ -175,7 +175,7 @@ module UDAPSecurityTestKit
       decode_token(token)&.dig('client_id')
     end
-    def issued_token_is_refresh_token(token)
+    def issued_token_is_refresh_token?(token)
       token.end_with?('_rt')
     end

data/lib/udap_security_test_kit/grant_types_supported_field_test.rb CHANGED Viewed

@@ -13,6 +13,9 @@ module UDAPSecurityTestKit
     input :required_flow_type
     output :udap_registration_grant_type
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@36',
+                          'hl7.fhir.us.udap-security_1.0.0@37'
     run do
       assert_valid_json(udap_well_known_metadata_json)
       config = JSON.parse(udap_well_known_metadata_json)

data/lib/udap_security_test_kit/reg_endpoint_jwt_signing_alg_values_supported_field_test.rb CHANGED Viewed

@@ -16,6 +16,9 @@ module UDAPSecurityTestKit
     input :udap_well_known_metadata_json
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@4',
+                          'hl7.fhir.us.udap-security_1.0.0@45'
     run do
       assert_valid_json(udap_well_known_metadata_json)
       config = JSON.parse(udap_well_known_metadata_json)
@@ -24,6 +27,9 @@ module UDAPSecurityTestKit
               '`registration_endpoint_jwt_signing_alg_values_supported` field is recommended but not required'
       CommonAssertions.assert_array_of_strings(config, 'registration_endpoint_jwt_signing_alg_values_supported')
+      assert config['registration_endpoint_jwt_signing_alg_values_supported'].include?('RS256'),
+             'All UDAP implementations must support RS256 signature algorithm'
     end
   end
 end

data/lib/udap_security_test_kit/registration_endpoint_field_test.rb CHANGED Viewed

@@ -12,6 +12,9 @@ module UDAPSecurityTestKit
     input :udap_well_known_metadata_json
     output :udap_registration_endpoint
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@11',
+                          'hl7.fhir.us.udap-security_1.0.0@43'
     run do
       assert_valid_json(udap_well_known_metadata_json)
       config = JSON.parse(udap_well_known_metadata_json)

data/lib/udap_security_test_kit/registration_failure_invalid_contents_test.rb CHANGED Viewed

@@ -35,6 +35,9 @@ module UDAPSecurityTestKit
     input :udap_registration_certifications,
           optional: true
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@106',
+                          'hl7.fhir.us.udap-security_1.0.0@114'
     run do
       software_statement_payload = SoftwareStatementBuilder.build_payload(
         'invalid_iss',

data/lib/udap_security_test_kit/registration_failure_invalid_jwt_signature_test.rb CHANGED Viewed

@@ -36,6 +36,8 @@ module UDAPSecurityTestKit
     input :udap_registration_certifications,
           optional: true
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@114'
     run do
       software_statement_payload = SoftwareStatementBuilder.build_payload(
         udap_cert_iss,

data/lib/udap_security_test_kit/registration_success_contents_test.rb CHANGED Viewed

@@ -43,6 +43,9 @@ module UDAPSecurityTestKit
     output :udap_client_id
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@111',
+                          'hl7.fhir.us.udap-security_1.0.0@113'
     run do
       assert_valid_json(udap_registration_response)
       registration_response = JSON.parse(udap_registration_response)

data/lib/udap_security_test_kit/registration_success_test.rb CHANGED Viewed

@@ -39,6 +39,9 @@ module UDAPSecurityTestKit
     output :udap_software_statement_json
     output :udap_registration_response
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@110',
+                          'hl7.fhir.us.udap-security_1.0.0@119'
     run do
       software_statement_payload = SoftwareStatementBuilder.build_payload(
         udap_cert_iss,