generated from inferno-framework/inferno-template
-
Notifications
You must be signed in to change notification settings - Fork 13
/
Copy pathtoken_introspection_group.rb
110 lines (92 loc) · 4.62 KB
/
token_introspection_group.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
require 'smart_app_launch/standalone_launch_group'
require 'smart_app_launch/discovery_stu1_group'
require 'smart_app_launch/token_introspection_group'
require_relative 'g10_options'
module ONCCertificationG10TestKit
class TokenIntrospectionGroup < SMARTAppLaunch::SMARTTokenIntrospectionGroup
id :g10_token_introspection
description <<~DESCRIPTION
This scenario verifies the ability of an authorization server to
perform token introspection in accordance with the [SMART App Launch STU2
Implementation Guide Section on Token
Introspection](https://hl7.org/fhir/smart-app-launch/STU2/token-introspection.html).
Inferno first acts as a registered SMART App Launch client to request and
receive a valid access token, and then as an authorized resource server that
queries the authorization server for information about this access token.
The system under test must perform the following in order to pass this
scenario:
* Issue a new bearer token to Inferno acting as a registered SMART App
Launch client. The tester has flexibility in deciding what type of SMART
App Launch client is used (e.g. public or confidential). This is
redundant to tests earlier in this test suite, but is performed to ensure
an active token can be introspected.
* Respond to a token introspection request from Inferno acting as a
resource server for both valid and invalid tokens. Systems have flexibility
in how access control for this service is implemented. To account for
this flexibility, the tester has the ability to add an Authorization
Header to the request (provided out-of-band of these tests), as well as
additional Introspect parameters, as allowed by the specification.
DESCRIPTION
input_instructions <<~INSTRUCTIONS
If the introspection endpoint is access controlled, testers must enter their own
HTTP Authorization header for the introspection request. See [RFC 7616 The
'Basic' HTTP Authentication
Scheme](https://datatracker.ietf.org/doc/html/rfc7617) for the most common
approach that uses client credentials. Testers may also provide any
additional parameters needed for their authorization server to complete
the introspection request.
**Note:** For both the Authorization header and request parameters, user-input
values will be sent exactly as entered and therefore the tester must
URI-encode any appropriate values.
INSTRUCTIONS
run_as_group
input :well_known_introspection_url,
title: 'Token Introspection Endpoint',
description: <<~DESCRIPTION,
The complete URL of the token introspection endpoint. This will be
populated automatically if included in the server's discovery
endpoint.
DESCRIPTION
optional: true
input_order :url,
:well_known_introspection_url,
:custom_authorization_header,
:optional_introspection_request_params,
:standalone_client_id,
:standalone_client_secret,
:authorization_method,
:use_pkce,
:pkce_code_challenge_method,
:standalone_requested_scopes,
:token_introspection_auth_type,
:client_auth_encryption_method
config(
inputs: {
client_auth_type: {
name: :token_introspection_auth_type
}
}
)
groups.first.description <<~DESCRIPTION
These tests are perform discovery and a standalone launch in order to
receive a new, active access token that will be provided for token
introspection.
DESCRIPTION
groups[1].description <<~DESCRIPTION
This group of tests executes the token introspection requests and ensures
the correct HTTP response is returned but does not validate the contents
of the token introspection response.
DESCRIPTION
# The token introspection tests are SMART v2 only, so they use v2 discovery
# and launch groups. g10 needs them for SMART v1 and v2, so this sets the
# original discovery and launch groups to only appear when using SMART v2,
# and adds the v1 groups when using v1.
groups.first.groups.each do |group|
group.required_suite_options(G10Options::SMART_2_REQUIREMENT)
end
groups.first.group from: :smart_discovery,
required_suite_options: G10Options::SMART_1_REQUIREMENT
groups.first.group from: :smart_standalone_launch,
required_suite_options: G10Options::SMART_1_REQUIREMENT
end
end